50fc8c1cee9f8938d46ec37a0fb4d0896ea5ee6e
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-01-10  Skachkov Oleksandr  <gskachkov@gmail.com>

        Calling async arrow function which is in a class's member function will cause error
        https://bugs.webkit.org/show_bug.cgi?id=166879

        Reviewed by Saam Barati.

        Current patch fixes loading 'super' in an async arrow function. Errors appeared because
        super was always loaded regardless of whether it was used in the async arrow function or not, but the bytecompiler
        puts it into the arrow function context only if it is used within the arrow function. So to fix this issue we need to
        check if super was used in the arrow function.

        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionNode::emitBytecode):

2017-01-10  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r210537.
        https://bugs.webkit.org/show_bug.cgi?id=166903

        This change introduced JSC test failures (Requested by
        ryanhaddad on #webkit).

        Reverted changeset:

        "Implement JSSourceCode to propagate SourceCode in module
        pipeline"
        https://bugs.webkit.org/show_bug.cgi?id=166861
        http://trac.webkit.org/changeset/210537

2017-01-10  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r210540.
        https://bugs.webkit.org/show_bug.cgi?id=166896

        too crude for non-WebCore clients (Requested by kling on
        #webkit).

        Reverted changeset:

        "Crash when GC heap grows way too large."
        https://bugs.webkit.org/show_bug.cgi?id=166875
        http://trac.webkit.org/changeset/210540

2017-01-09  Filip Pizlo  <fpizlo@apple.com>

        JSArray has some object scanning races
        https://bugs.webkit.org/show_bug.cgi?id=166874

        Reviewed by Mark Lam.

        This fixes two separate bugs, both of which I detected by running
        array-splice-contiguous.js in extreme anger:

        1) Some of the paths of shifting and unshifting were not grabbing the internal cell
           lock. This was causing the array storage scan to crash, even though it was well
           synchronized (the scan does hold the lock). The fix is just to hold the lock anywhere
           that memmoves the innards of the butterfly.

        2) Out of line property scanning was synchronized using double collect snapshot. Array
           storage scanning was synchronized using locks. But what if array storage
           transformations messed up the out of line properties? It turns out that we actually
           need to hoist the array storage scanner's locking up into the double collect
           snapshot.

        I don't know how to write a test that does any better of a job of catching this than
        array-splice-contiguous.js.

        * heap/DeferGC.h: Make DisallowGC usable even if NDEBUG.
        * runtime/JSArray.cpp:
        (JSC::JSArray::unshiftCountSlowCase):
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::unshiftCountWithArrayStorage):
        * runtime/JSObject.cpp:
        (JSC::JSObject::visitButterflyImpl):

2017-01-10  Andreas Kling  <akling@apple.com>

        Crash when GC heap grows way too large.
        <https://webkit.org/b/166875>
        <rdar://problem/27896585>

        Reviewed by Mark Lam.

        Hard cap the JavaScript heap at 4GB of live objects (determined post-GC.)
        If we go past this limit, crash with a recognizable signature.

        * heap/Heap.cpp:
        (JSC::Heap::didExceedHeapSizeLimit):
        (JSC::Heap::updateAllocationLimits):

2017-01-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        Implement JSSourceCode to propagate SourceCode in module pipeline
        https://bugs.webkit.org/show_bug.cgi?id=166861

        Reviewed by Saam Barati.

        Instead of propagating source code string, we propagate JSSourceCode
        cell in the module pipeline. This allows us to attach metadata
        to the propagated source code string. In particular, it propagates
        SourceOrigin through the module pipeline.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/ModuleLoaderPrototype.js:
        (fulfillFetch):
        (requestFetch):
        * jsc.cpp:
        (GlobalObject::moduleLoaderFetch):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * runtime/Completion.cpp:
        (JSC::loadAndEvaluateModule):
        (JSC::loadModule):
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::provide):
        * runtime/JSModuleLoader.h:
        * runtime/JSSourceCode.cpp: Added.
        (JSC::JSSourceCode::destroy):
        * runtime/JSSourceCode.h: Added.
        (JSC::JSSourceCode::createStructure):
        (JSC::JSSourceCode::create):
        (JSC::JSSourceCode::sourceCode):
        (JSC::JSSourceCode::JSSourceCode):
        * runtime/JSType.h:
        * runtime/ModuleLoaderPrototype.cpp:
        (JSC::moduleLoaderPrototypeParseModule):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2017-01-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        REGRESSION (r210522): ASSERTION FAILED: divot.offset >= divotStart.offset seen with stress/import-basic.js and stress/import-from-eval.js
        https://bugs.webkit.org/show_bug.cgi?id=166873

        Reviewed by Saam Barati.

        The divot should be the end of `import` token.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseMemberExpression):

2017-01-09  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix cloop.

        * dfg/DFGPlanInlines.h:

2017-01-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Prototype dynamic-import
        https://bugs.webkit.org/show_bug.cgi?id=165724

        Reviewed by Saam Barati.

        In this patch, we implement stage3 dynamic-import proposal[1].
        This patch adds a new special operator `import`. And by using it, we can import
        the module dynamically from modules and scripts. Before this feature, the module
        is always imported statically and before executing the modules, importing the modules
        needs to be done. And especially, the module can only be imported from the module.
        So the classic script cannot import and use the modules. This dynamic-import relaxes
        the above restrictions.

        The typical dynamic-import form is the following.

            import("...").then(function (namespace) { ... });

        You can pass any AssignmentExpression for the import operator. So you can determine
        the importing modules dynamically.

            import(value).then(function (namespace) { ... });

        And previously the module import declaration is only allowed in the top level statements.
        But this import operator is just an expression. So you can use it in the function.
        And you can use it conditionally.

            async function go(cond)
            {
                if (cond)
                    return import("...");
                return undefined;
            }
            await go(true);

        Currently, this patch just implements this feature only for the JSC shell.
        JSC module loader requires a new hook, `importModule`. And the JSC shell implements
        this hook. So, for now, this dynamic-import is not available in the browser side.
        If you write this `import` call, it always returns the rejected promise.

        import is implemented like a special operator similar to `super`.
        This is because import is context-sensitive. If you call the `import`, the module
        key resolution is done based on the caller's running context.

        For example, if you are running the script whose filename is "./ok/hello.js", the module
        key for the call `import("./resource/syntax.js")` becomes `"./ok/resource/syntax.js"`.
        But if you write exactly the same import form in the script "./error/hello.js", the
        key becomes "./error/resource/syntax.js". So exposing this feature as the `import`
        function is misleading: this function becomes caller's context-sensitive. That's why
        dynamic-import is specified as a special operator.

        To resolve the module key, we need the caller's context information like the filename of
        the caller. This is provided by the SourceOrigin implemented in r210149.
        In the JSC shell implementation, this SourceOrigin holds the filename of the caller. So
        based on this implementation, the module loader resolves the module key.
        In the near future, we will extend this SourceOrigin to hold more information needed for
        the browser-side import implementation.

        [1]: https://tc39.github.io/proposal-dynamic-import/

        * builtins/ModuleLoaderPrototype.js:
        (importModule):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetTemplateObject):
        (JSC::BytecodeGenerator::emitGetGlobalPrivate):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ImportNode::emitBytecode):
        * jsc.cpp:
        (absolutePath):
        (GlobalObject::moduleLoaderImportModule):
        (functionRun):
        (functionLoad):
        (functionCheckSyntax):
        (runWithScripts):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createImportExpr):
        * parser/NodeConstructors.h:
        (JSC::ImportNode::ImportNode):
        * parser/Nodes.h:
        (JSC::ExpressionNode::isImportNode):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseMemberExpression):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createImportExpr):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncImportModule):
        * runtime/JSGlobalObjectFunctions.h:
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::importModule):
        (JSC::JSModuleLoader::getModuleNamespaceObject):
        * runtime/JSModuleLoader.h:
        * runtime/ModuleLoaderPrototype.cpp:
        (JSC::moduleLoaderPrototypeGetModuleNamespaceObject):

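The caller-relative key resolution described in the entry above, as an added example that is not JavaScriptCore code: a small model of the shell's importModule hook, where the module table, the relative-only resolution rule and the hook's return shape are assumptions. It shows the security-relevant property the entry stresses: the same `import("./resource/syntax.js")` text resolves to different keys depending on the SourceOrigin of the code that contains it, and a host without the hook always rejects.

```javascript
// Added example, not JSC code: a model of how the JSC shell's dynamic import()
// resolves a module key against the caller's SourceOrigin. The hook name,
// the relative-only rule and the in-memory module table are assumptions.

// Collapse "." and ".." segments of a POSIX-style path.
function normalizeSegments(segments) {
  const out = [];
  for (const seg of segments) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      if (out.length && out[out.length - 1] !== '..') out.pop();
      else out.push('..');
    } else {
      out.push(seg);
    }
  }
  return out;
}

// Resolve `specifier` relative to the directory of `callerFilename`.
// Only "./" and "../" specifiers are accepted (constructed rule): the shell
// has nothing but the caller's filename to build a key from.
function resolveModuleKey(specifier, callerFilename) {
  if (typeof specifier !== 'string')
    throw new TypeError('module specifier must be a string');
  if (!specifier.startsWith('./') && !specifier.startsWith('../'))
    throw new TypeError(`cannot resolve non-relative specifier ${JSON.stringify(specifier)}`);
  const callerDir = callerFilename.split('/').slice(0, -1);
  const resolved = normalizeSegments([...callerDir, ...specifier.split('/')]);
  const prefix = callerFilename.startsWith('/') ? '/' : './';
  return prefix + resolved.join('/');
}

// Constructed in-memory module table: module key -> namespace object.
const MODULES = {
  './ok/resource/syntax.js': { default: 'from ok' },
  './error/resource/syntax.js': { default: 'from error' },
};

// Model of the loader: `importModuleHook` stands in for the host-supplied
// importModule hook; a host that does not supply it always rejects.
class ModuleLoader {
  constructor(importModuleHook) {
    this.importModuleHook = importModuleHook;
  }
  // `import(specifier)` evaluated in code whose SourceOrigin is `sourceOrigin`.
  dynamicImport(specifier, sourceOrigin) {
    if (!this.importModuleHook)
      return Promise.reject(new Error('dynamic import is not supported by this host'));
    return Promise.resolve().then(() => this.importModuleHook(specifier, sourceOrigin));
  }
}

// Hook the shell would supply (assumption): resolve against the caller's
// filename, then look the key up.
function shellImportModule(specifier, sourceOrigin) {
  const key = resolveModuleKey(specifier, sourceOrigin.filename);
  if (!(key in MODULES)) throw new Error(`module not found: ${key}`);
  return { key, namespace: MODULES[key] };
}

// The same import() text from two callers yields two different module keys.
async function demo() {
  const loader = new ModuleLoader(shellImportModule);
  const fromOk = await loader.dynamicImport('./resource/syntax.js', { filename: './ok/hello.js' });
  const fromError = await loader.dynamicImport('./resource/syntax.js', { filename: './error/hello.js' });
  const noHook = new ModuleLoader(undefined);
  const rejected = await noHook.dynamicImport('./resource/syntax.js', { filename: './ok/hello.js' })
    .then(() => false, () => true);
  return { fromOk: fromOk.key, fromError: fromError.key, rejected };
}
```
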
2017-01-08  Filip Pizlo  <fpizlo@apple.com>

        Make the collector's fixpoint smart about scheduling work
        https://bugs.webkit.org/show_bug.cgi?id=165910

        Reviewed by Keith Miller.

        Prior to this change, every time the GC would run any constraints in markToFixpoint, it
        would run all of the constraints. It would always run them in the same order. That means
        that so long as any one constraint was generating new work, we'd pay the price of all
        constraints. This is usually OK because most constraints are cheap but it artificially
        inflates the cost of slow constraints - especially ones that are expensive but usually
        generate no new work.

        This patch redoes how the GC runs constraints by applying ideas from data flow analysis.
        The GC now builds a MarkingConstraintSet when it boots up, and this contains all of the
        constraints as well as some meta-data about them. Now, markToFixpoint just calls into
        MarkingConstraintSet to execute constraints. Because constraint execution and scheduling
        need to be aware of each other, I rewrote markToFixpoint in such a way that it's more
        obvious how the GC goes between constraint solving, marking with stopped mutator, and
        marking with resumed mutator. This also changes the scheduler API in such a way that a
        synchronous stop-the-world collection no longer needs to do fake stop/resume - instead we
        just swap the space-time scheduler for the stop-the-world scheduler.

        This is a big streamlining of the GC. This is a speed-up in GC-heavy tests because we
        now execute most constraints exactly twice regardless of how many total fixpoint
        iterations we do. Now, when we run out of marking work, the constraint solver will just
        run the constraint that is most likely to generate new visiting work, and if it does
        generate work, then the GC now goes back to marking. Before, it would run *all*
        constraints and then go back to marking. The constraint solver is armed with three
        information signals that it uses to sort the constraints in order of descending likelihood
        to generate new marking work. Then it runs them in that order until there is new
        marking work. The signals are:

        1) Whether the constraint is greyed by marking or execution. We call this the volatility
           of the constraint. For example, weak reference constraints have GreyedByMarking as
           their volatility because they are most likely to have something to say after we've done
           some marking. On the other hand, conservative roots have GreyedByExecution as their
           volatility because they will give new information anytime we let the mutator run. The
           constraint solver will only run GreyedByExecution constraints as roots and after the
           GreyedByMarking constraints go silent. This ensures that we don't try to scan
           conservative roots every time we need to re-run weak references and vice-versa.

           Another way to look at it is that the constraint solver tries to predict if the
           wavefront is advancing or retreating. The wavefront is almost certainly advancing so
           long as the mark stacks are non-empty or so long as at least one of the GreyedByMarking
           constraints is still producing work. Otherwise the wavefront is almost certainly
           retreating. It's most profitable to run GreyedByMarking constraints when the wavefront
           is advancing, and most profitable to run GreyedByExecution constraints when the
           wavefront is retreating.

           We use the predicted wavefront direction and the volatility of constraints as a
           first-order signal of constraint profitability.

        2) How much visiting work was created the last time the constraint ran. The solver
           remembers the lastVisitCount, and uses it to predict how much work the constraint will
           generate next time. In practice this means we will keep re-running the one interesting
           constraint until it shuts up.

        3) Optional work predictors for some constraints. The constraint that shuffles the mutator
           mark stack into the main SlotVisitor's mutator mark stack always knows exactly how much
           work it will create.

           The sum of (2) and (3) are used as a second-order signal of constraint profitability.

        The constraint solver will always run all of the GreyedByExecution constraints at GC
        start, since these double as the GC's roots. The constraint solver will always run all of
        the GreyedByMarking constraints the first time that marking stalls. Other than that, the
        solver will keep running constraints, sorted according to their likelihood to create work,
        until either work is created or we run out of constraints to run. GC termination happens
        when we run out of constraints to run.

        This new infrastructure means that we have a much better chance of dealing with worst-case
        DOM pathologies. If we can intelligently factor different evil DOM things into different
        constraints with the right work predictions then this could reduce the cost of those DOM
        things by a factor of N where N is the number of fixpoint iterations the GC typically
        does. N is usually around 5-6 even for simple heaps.

        My perf measurements say:

        PLT3: 0.02% faster with 5.3% confidence.
        JetStream: 0.15% faster with 17% confidence.
        Speedometer: 0.58% faster with 82% confidence.

        Here are the details from JetStream:

        splay: 1.02173x faster with 0.996841 confidence
        splay-latency: 1.0617x faster with 0.987462 confidence
        towers.c: 1.01852x faster with 0.92128 confidence
        crypto-md5: 1.06058x faster with 0.482363 confidence
        score: 1.00152x faster with 0.16892 confidence

        I think that Speedometer is legitimately benefiting from this change based on looking at
        --logGC=true output. We are now spending less time reexecuting expensive constraints. I
        think that JetStream/splay is also benefiting, because although the constraints it sees
        are cheap, it spends 30% of its time in GC so even small improvements matter.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::markCodeBlocks): Deleted.
        (JSC::DFG::Plan::rememberCodeBlocks): Deleted.
        * dfg/DFGPlan.h:
        * dfg/DFGPlanInlines.h: Added.
        (JSC::DFG::Plan::iterateCodeBlocksForGC):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::markCodeBlocks): Deleted.
        (JSC::DFG::Worklist::rememberCodeBlocks): Deleted.
        (JSC::DFG::rememberCodeBlocks): Deleted.
        * dfg/DFGWorklist.h:
        * dfg/DFGWorklistInlines.h: Added.
        (JSC::DFG::iterateCodeBlocksForGC):
        (JSC::DFG::Worklist::iterateCodeBlocksForGC):
        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::writeBarrierCurrentlyExecuting): Deleted.
        * heap/CodeBlockSet.h:
        (JSC::CodeBlockSet::iterate): Deleted.
        * heap/CodeBlockSetInlines.h:
        (JSC::CodeBlockSet::iterate):
        (JSC::CodeBlockSet::iterateCurrentlyExecuting):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::iterateExecutingAndCompilingCodeBlocks):
        (JSC::Heap::iterateExecutingAndCompilingCodeBlocksWithoutHoldingLocks):
        (JSC::Heap::assertSharedMarkStacksEmpty):
        (JSC::Heap::markToFixpoint):
        (JSC::Heap::endMarking):
        (JSC::Heap::collectInThread):
        (JSC::Heap::stopIfNecessarySlow):
        (JSC::Heap::acquireAccessSlow):
        (JSC::Heap::collectIfNecessaryOrDefer):
        (JSC::Heap::buildConstraintSet):
        (JSC::Heap::notifyIsSafeToCollect):
        (JSC::Heap::ResumeTheWorldScope::ResumeTheWorldScope): Deleted.
        (JSC::Heap::ResumeTheWorldScope::~ResumeTheWorldScope): Deleted.
        (JSC::Heap::harvestWeakReferences): Deleted.
        (JSC::Heap::visitConservativeRoots): Deleted.
        (JSC::Heap::visitCompilerWorklistWeakReferences): Deleted.
        * heap/Heap.h:
        * heap/MarkingConstraint.cpp: Added.
        (JSC::MarkingConstraint::MarkingConstraint):
        (JSC::MarkingConstraint::~MarkingConstraint):
        (JSC::MarkingConstraint::resetStats):
        (JSC::MarkingConstraint::execute):
        * heap/MarkingConstraint.h: Added.
        (JSC::MarkingConstraint::index):
        (JSC::MarkingConstraint::abbreviatedName):
        (JSC::MarkingConstraint::name):
        (JSC::MarkingConstraint::lastVisitCount):
        (JSC::MarkingConstraint::quickWorkEstimate):
        (JSC::MarkingConstraint::workEstimate):
        (JSC::MarkingConstraint::volatility):
        * heap/MarkingConstraintSet.cpp: Added.
        (JSC::MarkingConstraintSet::ExecutionContext::ExecutionContext):
        (JSC::MarkingConstraintSet::ExecutionContext::didVisitSomething):
        (JSC::MarkingConstraintSet::ExecutionContext::shouldTimeOut):
        (JSC::MarkingConstraintSet::ExecutionContext::drain):
        (JSC::MarkingConstraintSet::ExecutionContext::didExecute):
        (JSC::MarkingConstraintSet::ExecutionContext::execute):
        (JSC::MarkingConstraintSet::MarkingConstraintSet):
        (JSC::MarkingConstraintSet::~MarkingConstraintSet):
        (JSC::MarkingConstraintSet::resetStats):
        (JSC::MarkingConstraintSet::add):
        (JSC::MarkingConstraintSet::executeBootstrap):
        (JSC::MarkingConstraintSet::executeConvergence):
        (JSC::MarkingConstraintSet::isWavefrontAdvancing):
        (JSC::MarkingConstraintSet::executeConvergenceImpl):
        (JSC::MarkingConstraintSet::executeAll):
        * heap/MarkingConstraintSet.h: Added.
        (JSC::MarkingConstraintSet::isWavefrontRetreating):
        * heap/MutatorScheduler.cpp: Added.
        (JSC::MutatorScheduler::MutatorScheduler):
        (JSC::MutatorScheduler::~MutatorScheduler):
        (JSC::MutatorScheduler::didStop):
        (JSC::MutatorScheduler::willResume):
        (JSC::MutatorScheduler::didExecuteConstraints):
        (JSC::MutatorScheduler::log):
        (JSC::MutatorScheduler::shouldStop):
        (JSC::MutatorScheduler::shouldResume):
        * heap/MutatorScheduler.h: Added.
        * heap/OpaqueRootSet.h:
        (JSC::OpaqueRootSet::add):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::visitAsConstraint):
        (JSC::SlotVisitor::drain):
        (JSC::SlotVisitor::didReachTermination):
        (JSC::SlotVisitor::hasWork):
        (JSC::SlotVisitor::drainFromShared):
        (JSC::SlotVisitor::drainInParallelPassively):
        (JSC::SlotVisitor::addOpaqueRoot):
        * heap/SlotVisitor.h:
        (JSC::SlotVisitor::addToVisitCount):
        * heap/SpaceTimeMutatorScheduler.cpp: Copied from Source/JavaScriptCore/heap/SpaceTimeScheduler.cpp.
        (JSC::SpaceTimeMutatorScheduler::Snapshot::Snapshot):
        (JSC::SpaceTimeMutatorScheduler::Snapshot::now):
        (JSC::SpaceTimeMutatorScheduler::Snapshot::bytesAllocatedThisCycle):
        (JSC::SpaceTimeMutatorScheduler::SpaceTimeMutatorScheduler):
        (JSC::SpaceTimeMutatorScheduler::~SpaceTimeMutatorScheduler):
        (JSC::SpaceTimeMutatorScheduler::state):
        (JSC::SpaceTimeMutatorScheduler::beginCollection):
        (JSC::SpaceTimeMutatorScheduler::didStop):
        (JSC::SpaceTimeMutatorScheduler::willResume):
        (JSC::SpaceTimeMutatorScheduler::didExecuteConstraints):
        (JSC::SpaceTimeMutatorScheduler::timeToStop):
        (JSC::SpaceTimeMutatorScheduler::timeToResume):
        (JSC::SpaceTimeMutatorScheduler::log):
        (JSC::SpaceTimeMutatorScheduler::endCollection):
        (JSC::SpaceTimeMutatorScheduler::bytesAllocatedThisCycleImpl):
        (JSC::SpaceTimeMutatorScheduler::bytesSinceBeginningOfCycle):
        (JSC::SpaceTimeMutatorScheduler::maxHeadroom):
        (JSC::SpaceTimeMutatorScheduler::headroomFullness):
        (JSC::SpaceTimeMutatorScheduler::mutatorUtilization):
        (JSC::SpaceTimeMutatorScheduler::collectorUtilization):
        (JSC::SpaceTimeMutatorScheduler::elapsedInPeriod):
        (JSC::SpaceTimeMutatorScheduler::phase):
        (JSC::SpaceTimeMutatorScheduler::shouldBeResumed):
        (JSC::SpaceTimeScheduler::Decision::targetMutatorUtilization): Deleted.
        (JSC::SpaceTimeScheduler::Decision::targetCollectorUtilization): Deleted.
        (JSC::SpaceTimeScheduler::Decision::elapsedInPeriod): Deleted.
        (JSC::SpaceTimeScheduler::Decision::phase): Deleted.
        (JSC::SpaceTimeScheduler::Decision::shouldBeResumed): Deleted.
        (JSC::SpaceTimeScheduler::Decision::timeToResume): Deleted.
        (JSC::SpaceTimeScheduler::Decision::timeToStop): Deleted.
        (JSC::SpaceTimeScheduler::SpaceTimeScheduler): Deleted.
        (JSC::SpaceTimeScheduler::snapPhase): Deleted.
        (JSC::SpaceTimeScheduler::currentDecision): Deleted.
        * heap/SpaceTimeMutatorScheduler.h: Copied from Source/JavaScriptCore/heap/SpaceTimeScheduler.h.
        (JSC::SpaceTimeScheduler::Decision::operator bool): Deleted.
        * heap/SpaceTimeScheduler.cpp: Removed.
        * heap/SpaceTimeScheduler.h: Removed.
        * heap/SynchronousStopTheWorldMutatorScheduler.cpp: Added.
        (JSC::SynchronousStopTheWorldMutatorScheduler::SynchronousStopTheWorldMutatorScheduler):
        (JSC::SynchronousStopTheWorldMutatorScheduler::~SynchronousStopTheWorldMutatorScheduler):
        (JSC::SynchronousStopTheWorldMutatorScheduler::state):
        (JSC::SynchronousStopTheWorldMutatorScheduler::beginCollection):
        (JSC::SynchronousStopTheWorldMutatorScheduler::timeToStop):
        (JSC::SynchronousStopTheWorldMutatorScheduler::timeToResume):
        (JSC::SynchronousStopTheWorldMutatorScheduler::endCollection):
        * heap/SynchronousStopTheWorldMutatorScheduler.h: Added.
        * heap/VisitingTimeout.h: Added.
        (JSC::VisitingTimeout::VisitingTimeout):
        (JSC::VisitingTimeout::visitCount):
        (JSC::VisitingTimeout::didVisitSomething):
        (JSC::VisitingTimeout::shouldTimeOut):
        * runtime/Options.h:

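The constraint scheduling described in the entry above, as an added toy model that is not JavaScriptCore code: it implements the three signals (volatility matched against wavefront direction, lastVisitCount, an optional quick work predictor) and the bootstrap/first-stall/convergence rules, then counts constraint executions against the old run-everything-each-iteration loop. The constraint names, the work each produces per marking round, and the single-threaded "drain" step are all constructed for illustration.

```javascript
// Added example, not JavaScriptCore code: a toy model of the scheduling
// rules in the entry above. Constraint names and per-round work are constructed.

const GreyedByExecution = 'GreyedByExecution';
const GreyedByMarking = 'GreyedByMarking';

class MarkingConstraint {
  // `produce(round)`: constructed callback giving how many cells the
  // constraint greys when run during marking round `round`.
  constructor(name, volatility, produce, quickWorkEstimate = null) {
    this.name = name;
    this.volatility = volatility;
    this.produce = produce;
    this.quickWorkEstimate = quickWorkEstimate; // signal (3), optional predictor
    this.lastVisitCount = 0;                     // signal (2)
    this.executions = 0;
  }
  execute(heap) {
    this.executions++;
    this.lastVisitCount = this.produce(heap.round);
    heap.pending += this.lastVisitCount;
    return this.lastVisitCount;
  }
  workEstimate() {
    return this.lastVisitCount + (this.quickWorkEstimate ? this.quickWorkEstimate() : 0);
  }
}

class MarkingConstraintSet {
  constructor(constraints) {
    this.constraints = constraints;
    this.ranMarkingConstraintsOnce = false;
  }
  // GreyedByExecution constraints double as the roots: all of them run at GC start.
  executeBootstrap(heap) {
    for (const c of this.constraints)
      if (c.volatility === GreyedByExecution) c.execute(heap);
  }
  // Mark stacks are empty here, so the wavefront is advancing only if some
  // GreyedByMarking constraint still produced work the last time it ran.
  isWavefrontAdvancing() {
    return this.constraints.some(c => c.volatility === GreyedByMarking && c.lastVisitCount > 0);
  }
  // Called when marking stalls. Returns true if any constraint produced new work.
  executeConvergence(heap) {
    if (!this.ranMarkingConstraintsOnce) {
      // First stall: every GreyedByMarking constraint gets one run.
      this.ranMarkingConstraintsOnce = true;
      let produced = 0;
      for (const c of this.constraints)
        if (c.volatility === GreyedByMarking) produced += c.execute(heap);
      return produced > 0;
    }
    const advancing = this.isWavefrontAdvancing();
    // First-order signal: volatility that matches the predicted wavefront direction.
    const firstOrder = c =>
      ((advancing && c.volatility === GreyedByMarking) ||
       (!advancing && c.volatility === GreyedByExecution)) ? 1 : 0;
    // Second-order signal: lastVisitCount plus any quick predictor.
    const ordered = [...this.constraints].sort((a, b) =>
      (firstOrder(b) - firstOrder(a)) || (b.workEstimate() - a.workEstimate()));
    // Run in profitability order and stop as soon as something produces work;
    // exhausting the list with no new work is the GC's termination condition.
    for (const c of ordered)
      if (c.execute(heap) > 0) return true;
    return false;
  }
}

// Marking: drain all pending work and advance the round counter.
function drain(heap) {
  if (heap.pending > 0) { heap.pending = 0; heap.round++; }
}

// Constructed constraints: the roots only find things at the start, weak
// references keep talking for a few rounds, and the expensive DOM-style
// constraint speaks exactly once.
function makeConstraints() {
  return [
    new MarkingConstraint('conservativeRoots', GreyedByExecution, round => (round === 0 ? 100 : 0)),
    new MarkingConstraint('weakReferences', GreyedByMarking, round => (round < 4 ? 10 : 0)),
    new MarkingConstraint('domWrappers', GreyedByMarking, round => (round === 1 ? 5 : 0)),
  ];
}

// New scheduler: bootstrap, then alternate marking and convergence until silence.
function runSmart() {
  const constraints = makeConstraints();
  const set = new MarkingConstraintSet(constraints);
  const heap = { round: 0, pending: 0 };
  set.executeBootstrap(heap);
  drain(heap);
  while (set.executeConvergence(heap)) drain(heap);
  return Object.fromEntries(constraints.map(c => [c.name, c.executions]));
}

// Old behaviour: every fixpoint iteration runs every constraint, in the same order.
function runNaive() {
  const constraints = makeConstraints();
  const heap = { round: 0, pending: 0 };
  for (;;) {
    let produced = 0;
    for (const c of constraints) produced += c.execute(heap);
    if (produced === 0) break;
    drain(heap);
  }
  return Object.fromEntries(constraints.map(c => [c.name, c.executions]));
}

function totalExecutions(counts) {
  return Object.values(counts).reduce((a, b) => a + b, 0);
}
```

With these constructed constraints the new scheduler runs the expensive domWrappers constraint twice and the roots twice (8 executions in total), while the old loop runs all three constraints on each of its five iterations (15).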
2017-01-09  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r210476.
        https://bugs.webkit.org/show_bug.cgi?id=166859

        "4% JSBench regression" (Requested by keith_mi_ on #webkit).

        Reverted changeset:

        "Add a slice intrinsic to the DFG/FTL"
        https://bugs.webkit.org/show_bug.cgi?id=166707
        http://trac.webkit.org/changeset/210476

2017-01-08  Andreas Kling  <akling@apple.com>

        Inject MarkedSpace size classes for a few more high-volume objects.
        <https://webkit.org/b/166815>

        Reviewed by Darin Adler.

        Add the following classes to the list of manually injected size classes:

            - JSString
            - JSFunction
            - PropertyTable
            - Structure

        Only Structure actually ends up with a new size class; the others already
        can't get any tighter due to the current MarkedBlock::atomSize being 16.
        I've put them in anyway to ensure that we have optimally carved-out cells
        for them in the future, should they grow.

        With this change, Structures get allocated in 128-byte cells instead of
        160-byte cells, giving us 25% more Structures per MarkedBlock.

        * heap/MarkedSpace.cpp:

2017-01-06  Saam Barati  <sbarati@apple.com>

        Add a slice intrinsic to the DFG/FTL
        https://bugs.webkit.org/show_bug.cgi?id=166707

        Reviewed by Filip Pizlo.

        The gist of this patch is to inline Array.prototype.slice
        into the DFG/FTL. The implementation in the DFG-backend
        and FTLLowerDFGToB3 is just a straightforward implementation
        of what the C function is doing. The more interesting bits
        of this patch are setting up the proper watchpoints and conditions
        in the executing code to prove that it's safe to skip all of the
        observable JS actions that Array.prototype.slice normally does.

        We perform the following proofs:
        1. Array.prototype.constructor has not changed (via a watchpoint).
        2. That Array.prototype.constructor[Symbol.species] has not changed (via a watchpoint).
        3. The global object is not having a bad time.
        4. The array that is being sliced has an original array structure.
        5. Array.prototype/Object.prototype have not transitioned.

        Conditions 1, 2, and 3 are strictly required.

        4 is ensuring a couple things:
        1. That a "constructor" property hasn't been added to the array
        we're slicing since we're supposed to perform a Get(array, "constructor").
        2. That we're not slicing an instance of a subclass of Array.

        We could relax 4.1 in the future if we find other ways to test if
        the incoming array hasn't changed the "constructor" property.

        I'm seeing a 5% speedup on crypto-pbkdf2 and often a 1% speedup on
        the total benchmark (the results are sometimes noisy).

        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        (JSC::DFG::Node::hasArrayMode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArraySlice):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitLoadStructure):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        (JSC::speciesWatchpointIsValid):
        (JSC::speciesConstructArray):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoPrivateFuncConcatMemcpy):
        (JSC::ArrayPrototype::initializeSpeciesWatchpoint):
        (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
        (JSC::speciesWatchpointsValid): Deleted.
        (JSC::ArrayPrototype::attemptToInitializeSpeciesWatchpoint): Deleted.
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::speciesWatchpointStatus): Deleted.
        (): Deleted.
        * runtime/Intrinsic.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::arraySpeciesWatchpoint):

624 2017-01-06  Mark Lam  <mark.lam@apple.com>
625
626         The ObjC API's JSVirtualMachine's map tables need to be guarded by a lock.
627         https://bugs.webkit.org/show_bug.cgi?id=166778
628         <rdar://problem/29761198>
629
630         Reviewed by Filip Pizlo.
631
632         Now that we have a concurrent GC, access to JSVirtualMachine's
633         m_externalObjectGraph and m_externalRememberedSet need to be guarded by a lock
634         since both the GC marker thread and the mutator thread may access them at the
635         same time.
636
637         * API/JSVirtualMachine.mm:
638         (-[JSVirtualMachine addExternalRememberedObject:]):
639         (-[JSVirtualMachine addManagedReference:withOwner:]):
640         (-[JSVirtualMachine removeManagedReference:withOwner:]):
641         (-[JSVirtualMachine externalDataMutex]):
642         (scanExternalObjectGraph):
643         (scanExternalRememberedSet):
644
645         * API/JSVirtualMachineInternal.h:
646         - Deleted externalObjectGraph method.  There's no need to expose this.
647
648 2017-01-06  Michael Saboff  <msaboff@apple.com>
649
650         @putByValDirect in Array.of and Array.from overwrites non-writable/configurable properties
651         https://bugs.webkit.org/show_bug.cgi?id=153486
652
653         Reviewed by Saam Barati.
654
655         Moved read only check in putDirect() to all paths.
656
657         * runtime/SparseArrayValueMap.cpp:
658         (JSC::SparseArrayValueMap::putDirect):
659
660 2016-12-30  Filip Pizlo  <fpizlo@apple.com>
661
662         DeferGC::~DeferGC should be super cheap
663         https://bugs.webkit.org/show_bug.cgi?id=166626
664
665         Reviewed by Saam Barati.
666
667         Right now, ~DeferGC requires running the collector's full collectIfNecessaryOrDefer()
668         hook, which is super big. Normally, that hook would only be called from GC slow paths,
669         so it ought to be possible to add complex logic to it. It benefits the GC algorithm to
670         make that code smart, not necessarily fast.
671
672         The right thing for it to do is to have ~DeferGC check a boolean to see if
673         collectIfNecessaryOrDefer() had previously deferred anything, and only call it if that
674         is true. That's what this patch does.
675
676         Unfortunately, this means that we lose the collectAccordingToDeferGCProbability mode,
677         which we used for two tests. Since I could only see two tests that used this mode, I
678         felt that it was better to enhance the GC than to keep the tests. I filed bug 166627 to
679         bring back something like that mode.
680
681         Although this patch does make some paths faster, its real goal is to ensure that bug
682         165963 can add more logic to collectIfNecessaryOrDefer() without introducing a big
683         regression. Until then, I wouldn't be surprised if this patch was a progression, but I'm
684         not betting on it.
685
686         * heap/Heap.cpp:
687         (JSC::Heap::collectIfNecessaryOrDefer):
688         (JSC::Heap::decrementDeferralDepthAndGCIfNeededSlow):
689         (JSC::Heap::canCollect): Deleted.
690         (JSC::Heap::shouldCollectHeuristic): Deleted.
691         (JSC::Heap::shouldCollect): Deleted.
692         (JSC::Heap::collectAccordingToDeferGCProbability): Deleted.
693         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded): Deleted.
694         * heap/Heap.h:
695         * heap/HeapInlines.h:
696         (JSC::Heap::incrementDeferralDepth):
697         (JSC::Heap::decrementDeferralDepth):
698         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
699         (JSC::Heap::mayNeedToStop):
700         (JSC::Heap::stopIfNecessary):
701         * runtime/Options.h:
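        The deferral scheme described in the entry above, as an added illustration that is not
        JavaScriptCore's own code: an RAII guard defers collection while alive, the heap remembers
        (in one boolean) that a collection was requested and deferred, and the guard's destructor
        only takes the expensive slow path when that boolean is set. The names ToyHeap and
        DeferGuard are invented for this example, as is the counting instrumentation.

```cpp
// Added example, not JSC code: a toy heap whose deferral guard only runs the
// expensive "collect now" hook when a collection was actually deferred.
#include <cstddef>

class ToyHeap {
public:
    // Called from allocation paths when the heap believes it should collect.
    // While a guard is active, just record that a collection was deferred.
    void collectIfNecessaryOrDefer() {
        if (m_deferralDepth > 0) {
            m_didDeferGC = true;   // cheap: remember the request, nothing else
            return;
        }
        collectNow();
    }

    void incrementDeferralDepth() { ++m_deferralDepth; }

    // Fast path for the guard's destructor: a decrement and a boolean test.
    void decrementDeferralDepthAndGCIfNeeded() {
        --m_deferralDepth;
        if (m_deferralDepth == 0 && m_didDeferGC)
            decrementDeferralDepthAndGCIfNeededSlow();
    }

    std::size_t collections() const { return m_collections; }
    std::size_t slowPathCalls() const { return m_slowPathCalls; }

private:
    // The big hook: only reached when something was really deferred.
    void decrementDeferralDepthAndGCIfNeededSlow() {
        ++m_slowPathCalls;
        m_didDeferGC = false;
        collectIfNecessaryOrDefer();   // depth is 0 now, so this collects
    }
    void collectNow() { ++m_collections; }

    unsigned m_deferralDepth = 0;
    bool m_didDeferGC = false;
    std::size_t m_collections = 0;
    std::size_t m_slowPathCalls = 0;
};

// RAII guard: collection is deferred for as long as any guard is alive.
class DeferGuard {
public:
    explicit DeferGuard(ToyHeap& heap) : m_heap(heap) { m_heap.incrementDeferralDepth(); }
    ~DeferGuard() { m_heap.decrementDeferralDepthAndGCIfNeeded(); }
    DeferGuard(const DeferGuard&) = delete;
    DeferGuard& operator=(const DeferGuard&) = delete;
private:
    ToyHeap& m_heap;
};

// Scenario 1: a guard is held but no collection is requested, so the
// destructor never touches the slow path.
std::size_t slowPathCallsWithoutDeferredGC() {
    ToyHeap heap;
    { DeferGuard guard(heap); }
    return heap.slowPathCalls();   // 0
}

// Scenario 2: nested guards and two collection requests while deferred.
// Only the outermost destructor runs the slow path, exactly once, and the
// deferred collection then happens once.
struct DeferredResult { std::size_t slowPathCalls; std::size_t collections; };

DeferredResult slowPathCallsWithDeferredGC() {
    ToyHeap heap;
    {
        DeferGuard outer(heap);
        {
            DeferGuard inner(heap);
            heap.collectIfNecessaryOrDefer();   // deferred: depth is 2
            heap.collectIfNecessaryOrDefer();   // deferred again, same flag
        }                                       // inner: depth 1, no slow path
    }                                           // outer: depth 0, flag set
    return { heap.slowPathCalls(), heap.collections() };   // {1, 1}
}
```

        The point of the boolean is in scenario 1: a guard that saw no deferred request pays
        only for a decrement and a compare on destruction, so logic can be added to the slow
        hook without taxing every guard.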
702
703 2017-01-05  Filip Pizlo  <fpizlo@apple.com>
704
705         AutomaticThread timeout shutdown leaves a small window where notify() would think that the thread is still running
706         https://bugs.webkit.org/show_bug.cgi?id=166742
707
708         Reviewed by Geoffrey Garen.
709
710         Update to new AutomaticThread API.
711
712         * dfg/DFGWorklist.cpp:
713
714 2017-01-05  Per Arne Vollan  <pvollan@apple.com>
715
716         [Win] Compile error.
717         https://bugs.webkit.org/show_bug.cgi?id=166726
718
719         Reviewed by Alex Christensen.
720
721         Add include folder.
722
723         * CMakeLists.txt:
724
725 2016-12-21  Brian Burg  <bburg@apple.com>
726
727         Web Inspector: teach the protocol generator about platform-specific types, events, and commands
728         https://bugs.webkit.org/show_bug.cgi?id=166003
729         <rdar://problem/28718990>
730
731         Reviewed by Joseph Pecoraro.
732
733         This patch implements parser, model, and generator-side changes to account for
734         platform-specific types, events, and commands. The 'platform' property is parsed
735         for top-level definitions and assumed to be the 'generic' platform if none is specified.
736
737         Since the generator's platform setting acts to filter definitions with an incompatible platform,
738         all generators must be modified to consult a list of filtered types/commands/events for
739         a domain instead of directly accessing Domain.{type_declarations, commands, events}. To prevent
740         accidental misuse, hide those fields behind accessors (e.g., `all_type_declarations()`) so that they
741         are still accessible if truly necessary, but not used by default and cause an error if not migrated.
742
743         * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
744         (CppAlternateBackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
745         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
746         (CppBackendDispatcherHeaderGenerator.domains_to_generate):
747         (CppBackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
748         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
749         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
750         (CppBackendDispatcherImplementationGenerator.domains_to_generate):
751         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
752         (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
753         (CppBackendDispatcherImplementationGenerator._generate_large_dispatcher_switch_implementation_for_domain):
754         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
755         (CppFrontendDispatcherHeaderGenerator.domains_to_generate):
756         (CppFrontendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
757         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
758         (CppFrontendDispatcherImplementationGenerator.domains_to_generate):
759         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
760         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
761         (CppProtocolTypesHeaderGenerator._generate_forward_declarations):
762         (_generate_typedefs_for_domain):
763         (_generate_builders_for_domain):
764         (_generate_forward_declarations_for_binding_traits):
765         (_generate_declarations_for_enum_conversion_methods):
766         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
767         (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain):
768         (CppProtocolTypesImplementationGenerator._generate_open_field_names):
769         (CppProtocolTypesImplementationGenerator._generate_builders_for_domain):
770         * inspector/scripts/codegen/generate_js_backend_commands.py:
771         (JSBackendCommandsGenerator.should_generate_domain):
772         (JSBackendCommandsGenerator.domains_to_generate):
773         (JSBackendCommandsGenerator.generate_domain):
774         (JSBackendCommandsGenerator.domains_to_generate.should_generate_domain): Deleted.
775         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
776         (ObjCBackendDispatcherHeaderGenerator.domains_to_generate):
777         (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations):
778         (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declarations_for_domain):
779         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
780         (ObjCBackendDispatcherImplementationGenerator):
781         (ObjCBackendDispatcherImplementationGenerator.domains_to_generate):
782         (ObjCBackendDispatcherImplementationGenerator._generate_handler_implementation_for_domain):
783         (ObjCConfigurationImplementationGenerator): Deleted.
784         (ObjCConfigurationImplementationGenerator.__init__): Deleted.
785         (ObjCConfigurationImplementationGenerator.output_filename): Deleted.
786         (ObjCConfigurationImplementationGenerator.domains_to_generate): Deleted.
787         (ObjCConfigurationImplementationGenerator.generate_output): Deleted.
788         (ObjCConfigurationImplementationGenerator._generate_handler_implementation_for_domain): Deleted.
789         (ObjCConfigurationImplementationGenerator._generate_handler_implementation_for_command): Deleted.
790         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command): Deleted.
791         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command.and): Deleted.
792         (ObjCConfigurationImplementationGenerator._generate_conversions_for_command): Deleted.
793         (ObjCConfigurationImplementationGenerator._generate_conversions_for_command.in_param_expression): Deleted.
794         (ObjCConfigurationImplementationGenerator._generate_invocation_for_command): Deleted.
795         * inspector/scripts/codegen/generate_objc_configuration_header.py:
796         (ObjCConfigurationHeaderGenerator.generate_output):
797         (ObjCConfigurationHeaderGenerator._generate_properties_for_domain):
798         * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
799         (ObjCConfigurationImplementationGenerator):
800         (ObjCConfigurationImplementationGenerator.generate_output):
801         (ObjCConfigurationImplementationGenerator._generate_configuration_implementation_for_domains):
802         (ObjCConfigurationImplementationGenerator._generate_ivars):
803         (ObjCConfigurationImplementationGenerator._generate_dealloc):
804         (ObjCBackendDispatcherImplementationGenerator): Deleted.
805         (ObjCBackendDispatcherImplementationGenerator.__init__): Deleted.
806         (ObjCBackendDispatcherImplementationGenerator.output_filename): Deleted.
807         (ObjCBackendDispatcherImplementationGenerator.generate_output): Deleted.
808         (ObjCBackendDispatcherImplementationGenerator._generate_configuration_implementation_for_domains): Deleted.
809         (ObjCBackendDispatcherImplementationGenerator._generate_ivars): Deleted.
810         (ObjCBackendDispatcherImplementationGenerator._generate_dealloc): Deleted.
811         (ObjCBackendDispatcherImplementationGenerator._generate_handler_setter_for_domain): Deleted.
812         (ObjCBackendDispatcherImplementationGenerator._generate_event_dispatcher_getter_for_domain): Deleted.
813         (ObjCBackendDispatcherImplementationGenerator._variable_name_prefix_for_domain): Deleted.
814         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
815         (ObjCFrontendDispatcherImplementationGenerator.domains_to_generate):
816         (ObjCFrontendDispatcherImplementationGenerator._generate_event_dispatcher_implementations):
817         * inspector/scripts/codegen/generate_objc_header.py:
818         (ObjCHeaderGenerator.generate_output):
819         (ObjCHeaderGenerator._generate_forward_declarations):
820         (ObjCHeaderGenerator._generate_enums):
821         (ObjCHeaderGenerator._generate_types):
822         (ObjCHeaderGenerator._generate_command_protocols):
823         (ObjCHeaderGenerator._generate_event_interfaces):
824         * inspector/scripts/codegen/generate_objc_internal_header.py:
825         (ObjCInternalHeaderGenerator.generate_output):
826         (ObjCInternalHeaderGenerator._generate_event_dispatcher_private_interfaces):
827         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
828         (ObjCProtocolTypeConversionsHeaderGenerator.domains_to_generate):
829         (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_conversion_functions):
830         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_implementation.py:
831         (ObjCProtocolTypeConversionsImplementationGenerator.domains_to_generate):
832         (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_interface):
833         (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_implementation):
834         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
835         (ObjCProtocolTypesImplementationGenerator.domains_to_generate):
836         (ObjCProtocolTypesImplementationGenerator.generate_type_implementations):
837
838         * inspector/scripts/codegen/generator.py:
839         (Generator.can_generate_platform):
840         (Generator):
841         (Generator.type_declarations_for_domain):
842         (Generator.commands_for_domain):
843         (Generator.events_for_domain):
844         These are the core methods for computing whether a definition can be used given a target platform.
845
846         (Generator.calculate_types_requiring_shape_assertions):
847         (Generator._traverse_and_assign_enum_values):
848         * inspector/scripts/codegen/models.py:
849         (Protocol.parse_type_declaration):
850         (Protocol.parse_command):
851         (Protocol.parse_event):
852         (Protocol.resolve_types):
853
854         (Domain.__init__):
855         (Domain):
856         (Domain.all_type_declarations):
857         (Domain.all_commands):
858         (Domain.all_events):
859         Hide fields behind these accessors so it's really obvious when we are ignoring platform filtering.
860
861         (Domain.resolve_type_references):
862         (TypeDeclaration.__init__):
863         (Command.__init__):
864         (Event.__init__):
865         * inspector/scripts/codegen/objc_generator.py:
866         (ObjCGenerator.should_generate_types_for_domain):
867         (ObjCGenerator):
868         (ObjCGenerator.should_generate_commands_for_domain):
869         (ObjCGenerator.should_generate_events_for_domain):
870         (ObjCGenerator.should_generate_domain_types_filter): Deleted.
871         (ObjCGenerator.should_generate_domain_types_filter.should_generate_domain_types): Deleted.
872         (ObjCGenerator.should_generate_domain_command_handler_filter): Deleted.
873         (ObjCGenerator.should_generate_domain_command_handler_filter.should_generate_domain_command_handler): Deleted.
874         (ObjCGenerator.should_generate_domain_event_dispatcher_filter): Deleted.
875         (ObjCGenerator.should_generate_domain_event_dispatcher_filter.should_generate_domain_event_dispatcher): Deleted.
876         Clean up some messy code that essentially did the same definition filtering as we must do for platforms.
877         This will be enhanced in a future patch so that platform filtering will take priority over the target framework.
878
879         The results above need rebaselining because the class names for two generators were swapped by accident.
880         Fixing the names causes the order of generated files to change, and this generates ugly diffs because every
881         generated file includes the same copyright block at the top.
882
883         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
884         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
885         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
886         * inspector/scripts/tests/generic/expected/enum-values.json-result:
887         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
888         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
889         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
890         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
891         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
892         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
893         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
894         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
895         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
896
897         * inspector/scripts/tests/generic/expected/fail-on-command-with-invalid-platform.json-error: Added.
898         * inspector/scripts/tests/generic/expected/fail-on-type-with-invalid-platform.json-error: Added.
899         * inspector/scripts/tests/generic/fail-on-command-with-invalid-platform.json: Added.
900         * inspector/scripts/tests/generic/fail-on-type-with-invalid-platform.json: Added.
901
902         Add error test cases for invalid platforms in commands, types, and events.
903
904         * inspector/scripts/tests/generic/definitions-with-mac-platform.json: Added.
905         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result: Added.
906         * inspector/scripts/tests/all/definitions-with-mac-platform.json: Added.
907         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result: Added.
908         * inspector/scripts/tests/ios/definitions-with-mac-platform.json: Added.
909         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result: Added.
910         * inspector/scripts/tests/mac/definitions-with-mac-platform.json: Added.
911         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result: Added.
912
913         Add a basic 4-way test that generates code for each platform from the same specification.
914         With 'macos' platform for each definition, only 'all' and 'mac' generate anything interesting.
915
916 2017-01-03  Brian Burg  <bburg@apple.com>
917
918         Web Inspector: teach the protocol generator about platform-specific types, events, and commands
919         https://bugs.webkit.org/show_bug.cgi?id=166003
920         <rdar://problem/28718990>
921
922         Reviewed by Joseph Pecoraro.
923
924         This patch implements parser, model, and generator-side changes to account for
925         platform-specific types, events, and commands. The 'platform' property is parsed
926         for top-level definitions and assumed to be the 'generic' platform if none is specified.
927
928         Since the generator's platform setting acts to filter definitions with an incompatible platform,
929         all generators must be modified to consult a list of filtered types/commands/events for
930         a domain instead of directly accessing Domain.{type_declarations, commands, events}. To prevent
931         accidental misuse, hide those fields behind accessors (e.g., `all_type_declarations()`) so that they
932         are still accessible if truly necessary, but not used by default and cause an error if not migrated.
933
934         * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
935         (CppAlternateBackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
936         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
937         (CppBackendDispatcherHeaderGenerator.domains_to_generate):
938         (CppBackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
939         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
940         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
941         (CppBackendDispatcherImplementationGenerator.domains_to_generate):
942         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
943         (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
944         (CppBackendDispatcherImplementationGenerator._generate_large_dispatcher_switch_implementation_for_domain):
945         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
946         (CppFrontendDispatcherHeaderGenerator.domains_to_generate):
947         (CppFrontendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
948         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
949         (CppFrontendDispatcherImplementationGenerator.domains_to_generate):
950         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
951         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
952         (CppProtocolTypesHeaderGenerator._generate_forward_declarations):
953         (_generate_typedefs_for_domain):
954         (_generate_builders_for_domain):
955         (_generate_forward_declarations_for_binding_traits):
956         (_generate_declarations_for_enum_conversion_methods):
957         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
958         (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain):
959         (CppProtocolTypesImplementationGenerator._generate_open_field_names):
960         (CppProtocolTypesImplementationGenerator._generate_builders_for_domain):
961         * inspector/scripts/codegen/generate_js_backend_commands.py:
962         (JSBackendCommandsGenerator.should_generate_domain):
963         (JSBackendCommandsGenerator.domains_to_generate):
964         (JSBackendCommandsGenerator.generate_domain):
965         (JSBackendCommandsGenerator.domains_to_generate.should_generate_domain): Deleted.
966         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
967         (ObjCBackendDispatcherHeaderGenerator.domains_to_generate):
968         (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations):
969         (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declarations_for_domain):
970         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
971         (ObjCBackendDispatcherImplementationGenerator):
972         (ObjCBackendDispatcherImplementationGenerator.domains_to_generate):
973         (ObjCBackendDispatcherImplementationGenerator._generate_handler_implementation_for_domain):
974         (ObjCConfigurationImplementationGenerator): Deleted.
975         (ObjCConfigurationImplementationGenerator.__init__): Deleted.
976         (ObjCConfigurationImplementationGenerator.output_filename): Deleted.
977         (ObjCConfigurationImplementationGenerator.domains_to_generate): Deleted.
978         (ObjCConfigurationImplementationGenerator.generate_output): Deleted.
979         (ObjCConfigurationImplementationGenerator._generate_handler_implementation_for_domain): Deleted.
980         (ObjCConfigurationImplementationGenerator._generate_handler_implementation_for_command): Deleted.
981         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command): Deleted.
982         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command.and): Deleted.
983         (ObjCConfigurationImplementationGenerator._generate_conversions_for_command): Deleted.
984         (ObjCConfigurationImplementationGenerator._generate_conversions_for_command.in_param_expression): Deleted.
985         (ObjCConfigurationImplementationGenerator._generate_invocation_for_command): Deleted.
986         * inspector/scripts/codegen/generate_objc_configuration_header.py:
987         (ObjCConfigurationHeaderGenerator.generate_output):
988         (ObjCConfigurationHeaderGenerator._generate_properties_for_domain):
989         * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
990         (ObjCConfigurationImplementationGenerator):
991         (ObjCConfigurationImplementationGenerator.generate_output):
992         (ObjCConfigurationImplementationGenerator._generate_configuration_implementation_for_domains):
993         (ObjCConfigurationImplementationGenerator._generate_ivars):
994         (ObjCConfigurationImplementationGenerator._generate_dealloc):
995         (ObjCBackendDispatcherImplementationGenerator): Deleted.
996         (ObjCBackendDispatcherImplementationGenerator.__init__): Deleted.
997         (ObjCBackendDispatcherImplementationGenerator.output_filename): Deleted.
998         (ObjCBackendDispatcherImplementationGenerator.generate_output): Deleted.
999         (ObjCBackendDispatcherImplementationGenerator._generate_configuration_implementation_for_domains): Deleted.
1000         (ObjCBackendDispatcherImplementationGenerator._generate_ivars): Deleted.
1001         (ObjCBackendDispatcherImplementationGenerator._generate_dealloc): Deleted.
1002         (ObjCBackendDispatcherImplementationGenerator._generate_handler_setter_for_domain): Deleted.
1003         (ObjCBackendDispatcherImplementationGenerator._generate_event_dispatcher_getter_for_domain): Deleted.
1004         (ObjCBackendDispatcherImplementationGenerator._variable_name_prefix_for_domain): Deleted.
1005         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1006         (ObjCFrontendDispatcherImplementationGenerator.domains_to_generate):
1007         (ObjCFrontendDispatcherImplementationGenerator._generate_event_dispatcher_implementations):
1008         * inspector/scripts/codegen/generate_objc_header.py:
1009         (ObjCHeaderGenerator.generate_output):
1010         (ObjCHeaderGenerator._generate_forward_declarations):
1011         (ObjCHeaderGenerator._generate_enums):
1012         (ObjCHeaderGenerator._generate_types):
1013         (ObjCHeaderGenerator._generate_command_protocols):
1014         (ObjCHeaderGenerator._generate_event_interfaces):
1015         * inspector/scripts/codegen/generate_objc_internal_header.py:
1016         (ObjCInternalHeaderGenerator.generate_output):
1017         (ObjCInternalHeaderGenerator._generate_event_dispatcher_private_interfaces):
1018         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
1019         (ObjCProtocolTypeConversionsHeaderGenerator.domains_to_generate):
1020         (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_conversion_functions):
1021         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_implementation.py:
1022         (ObjCProtocolTypeConversionsImplementationGenerator.domains_to_generate):
1023         (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_interface):
1024         (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_implementation):
1025         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1026         (ObjCProtocolTypesImplementationGenerator.domains_to_generate):
1027         (ObjCProtocolTypesImplementationGenerator.generate_type_implementations):
1028
1029         * inspector/scripts/codegen/generator.py:
1030         (Generator.can_generate_platform):
1031         (Generator):
1032         (Generator.type_declarations_for_domain):
1033         (Generator.commands_for_domain):
1034         (Generator.events_for_domain):
1035         These are the core methods for computing whether a definition can be used given a target platform.
1036
1037         (Generator.calculate_types_requiring_shape_assertions):
1038         (Generator._traverse_and_assign_enum_values):
1039         * inspector/scripts/codegen/models.py:
1040         (Protocol.parse_type_declaration):
1041         (Protocol.parse_command):
1042         (Protocol.parse_event):
1043         (Protocol.resolve_types):
1044
1045         (Domain.__init__):
1046         (Domain):
1047         (Domain.all_type_declarations):
1048         (Domain.all_commands):
1049         (Domain.all_events):
1050         Hide fields behind these accessors so it's really obvious when we are ignoring platform filtering.
1051
1052         (Domain.resolve_type_references):
1053         (TypeDeclaration.__init__):
1054         (Command.__init__):
1055         (Event.__init__):
1056         * inspector/scripts/codegen/objc_generator.py:
1057         (ObjCGenerator.should_generate_types_for_domain):
1058         (ObjCGenerator):
1059         (ObjCGenerator.should_generate_commands_for_domain):
1060         (ObjCGenerator.should_generate_events_for_domain):
1061         (ObjCGenerator.should_generate_domain_types_filter): Deleted.
1062         (ObjCGenerator.should_generate_domain_types_filter.should_generate_domain_types): Deleted.
1063         (ObjCGenerator.should_generate_domain_command_handler_filter): Deleted.
1064         (ObjCGenerator.should_generate_domain_command_handler_filter.should_generate_domain_command_handler): Deleted.
1065         (ObjCGenerator.should_generate_domain_event_dispatcher_filter): Deleted.
1066         (ObjCGenerator.should_generate_domain_event_dispatcher_filter.should_generate_domain_event_dispatcher): Deleted.
1067         Clean up some messy code that essentially did the same definition filtering as we must do for platforms.
1068         This will be enhanced in a future patch so that platform filtering will take priority over the target framework.
1069
1070         The following results need rebaselining because the class names for two generators were swapped by accident.
1071         Fixing the names causes the order of generated files to change, and this generates ugly diffs because every
1072         generated file includes the same copyright block at the top.
1073
1074         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1075         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1076         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
1077         * inspector/scripts/tests/generic/expected/enum-values.json-result:
1078         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
1079         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
1080         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
1081         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
1082         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
1083         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
1084         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
1085         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1086         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1087
1088 2017-01-03  Brian Burg  <bburg@apple.com>
1089
1090         Web Inspector: teach the protocol generator about platform-specific types, events, and commands
1091         https://bugs.webkit.org/show_bug.cgi?id=166003
1092         <rdar://problem/28718990>
1093
1094         Reviewed by Joseph Pecoraro.
1095
1096         Make it possible to test inspector protocol generator output for different platforms.
1097
1098         Move existing tests to the generic/ subdirectory, as they are to be generated
1099         without any specific platform. Later, platform-specific generator behavior will be
1100         tested by cloning the same test to multiple platform directories.
1101
1102         * inspector/scripts/tests{/ => /generic/}commands-with-async-attribute.json
1103         * inspector/scripts/tests{/ => /generic/}commands-with-optional-call-return-parameters.json
1104         * inspector/scripts/tests{/ => /generic/}domains-with-varying-command-sizes.json
1105         * inspector/scripts/tests{/ => /generic/}enum-values.json
1106         * inspector/scripts/tests{/ => /generic/}events-with-optional-parameters.json
1107         * inspector/scripts/tests{/ => /generic/}expected/commands-with-async-attribute.json-result
1108         * inspector/scripts/tests{/ => /generic/}expected/commands-with-optional-call-return-parameters.json-result
1109         * inspector/scripts/tests{/ => /generic/}expected/domains-with-varying-command-sizes.json-result
1110         * inspector/scripts/tests{/ => /generic/}expected/enum-values.json-result
1111         * inspector/scripts/tests{/ => /generic/}expected/events-with-optional-parameters.json-result
1112         * inspector/scripts/tests{/ => /generic/}expected/fail-on-domain-availability.json-error
1113         * inspector/scripts/tests{/ => /generic/}expected/fail-on-duplicate-command-call-parameter-names.json-error
1114         * inspector/scripts/tests{/ => /generic/}expected/fail-on-duplicate-command-return-parameter-names.json-error
1115         * inspector/scripts/tests{/ => /generic/}expected/fail-on-duplicate-event-parameter-names.json-error
1116         * inspector/scripts/tests{/ => /generic/}expected/fail-on-duplicate-type-declarations.json-error
1117         * inspector/scripts/tests{/ => /generic/}expected/fail-on-duplicate-type-member-names.json-error
1118         * inspector/scripts/tests{/ => /generic/}expected/fail-on-enum-with-no-values.json-error
1119         * inspector/scripts/tests{/ => /generic/}expected/fail-on-number-typed-optional-parameter-flag.json-error
1120         * inspector/scripts/tests{/ => /generic/}expected/fail-on-number-typed-optional-type-member.json-error
1121         * inspector/scripts/tests{/ => /generic/}expected/fail-on-string-typed-optional-parameter-flag.json-error
1122         * inspector/scripts/tests{/ => /generic/}expected/fail-on-string-typed-optional-type-member.json-error
1123         * inspector/scripts/tests{/ => /generic/}expected/fail-on-type-declaration-using-type-reference.json-error
1124         * inspector/scripts/tests{/ => /generic/}expected/fail-on-type-reference-as-primitive-type.json-error
1125         * inspector/scripts/tests{/ => /generic/}expected/fail-on-type-with-lowercase-name.json-error
1126         * inspector/scripts/tests{/ => /generic/}expected/fail-on-unknown-type-reference-in-type-declaration.json-error
1127         * inspector/scripts/tests{/ => /generic/}expected/fail-on-unknown-type-reference-in-type-member.json-error
1128         * inspector/scripts/tests{/ => /generic/}expected/generate-domains-with-feature-guards.json-result
1129         * inspector/scripts/tests{/ => /generic/}expected/same-type-id-different-domain.json-result
1130         * inspector/scripts/tests{/ => /generic/}expected/shadowed-optional-type-setters.json-result
1131         * inspector/scripts/tests{/ => /generic/}expected/type-declaration-aliased-primitive-type.json-result
1132         * inspector/scripts/tests{/ => /generic/}expected/type-declaration-array-type.json-result
1133         * inspector/scripts/tests{/ => /generic/}expected/type-declaration-enum-type.json-result
1134         * inspector/scripts/tests{/ => /generic/}expected/type-declaration-object-type.json-result
1135         * inspector/scripts/tests{/ => /generic/}expected/type-requiring-runtime-casts.json-result
1136         * inspector/scripts/tests{/ => /generic/}fail-on-domain-availability.json
1137         * inspector/scripts/tests{/ => /generic/}fail-on-duplicate-command-call-parameter-names.json
1138         * inspector/scripts/tests{/ => /generic/}fail-on-duplicate-command-return-parameter-names.json
1139         * inspector/scripts/tests{/ => /generic/}fail-on-duplicate-event-parameter-names.json
1140         * inspector/scripts/tests{/ => /generic/}fail-on-duplicate-type-declarations.json
1141         * inspector/scripts/tests{/ => /generic/}fail-on-duplicate-type-member-names.json
1142         * inspector/scripts/tests{/ => /generic/}fail-on-enum-with-no-values.json
1143         * inspector/scripts/tests{/ => /generic/}fail-on-number-typed-optional-parameter-flag.json
1144         * inspector/scripts/tests{/ => /generic/}fail-on-number-typed-optional-type-member.json
1145         * inspector/scripts/tests{/ => /generic/}fail-on-string-typed-optional-parameter-flag.json
1146         * inspector/scripts/tests{/ => /generic/}fail-on-string-typed-optional-type-member.json
1147         * inspector/scripts/tests{/ => /generic/}fail-on-type-declaration-using-type-reference.json
1148         * inspector/scripts/tests{/ => /generic/}fail-on-type-reference-as-primitive-type.json
1149         * inspector/scripts/tests{/ => /generic/}fail-on-type-with-lowercase-name.json
1150         * inspector/scripts/tests{/ => /generic/}fail-on-unknown-type-reference-in-type-declaration.json
1151         * inspector/scripts/tests{/ => /generic/}fail-on-unknown-type-reference-in-type-member.json
1152         * inspector/scripts/tests{/ => /generic/}generate-domains-with-feature-guards.json
1153         * inspector/scripts/tests{/ => /generic/}same-type-id-different-domain.json
1154         * inspector/scripts/tests{/ => /generic/}shadowed-optional-type-setters.json
1155         * inspector/scripts/tests{/ => /generic/}type-declaration-aliased-primitive-type.json
1156         * inspector/scripts/tests{/ => /generic/}type-declaration-array-type.json
1157         * inspector/scripts/tests{/ => /generic/}type-declaration-enum-type.json
1158         * inspector/scripts/tests{/ => /generic/}type-declaration-object-type.json
1159         * inspector/scripts/tests{/ => /generic/}type-requiring-runtime-casts.json
1160
1161 2017-01-03  Brian Burg  <bburg@apple.com>
1162
1163         Web Inspector: teach the protocol generator about platform-specific types, events, and commands
1164         https://bugs.webkit.org/show_bug.cgi?id=166003
1165         <rdar://problem/28718990>
1166
1167         Reviewed by Joseph Pecoraro.
1168
1169         Add a --platform argument to generate-inspector-protocol-bindings.py and propagate
1170         the specified platform to each generator. This will be used in the next few patches
1171         to exclude types, events, and commands that are unsupported by the backend platform.
1172
1173         Convert all subclasses of Generator to pass along their positional arguments so that we
1174         can easily change base class arguments without editing all generator constructors.
1175
1176         * inspector/scripts/codegen/cpp_generator.py:
1177         (CppGenerator.__init__):
1178         * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
1179         (CppAlternateBackendDispatcherHeaderGenerator.__init__):
1180         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
1181         (CppBackendDispatcherHeaderGenerator.__init__):
1182         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
1183         (CppBackendDispatcherImplementationGenerator.__init__):
1184         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
1185         (CppFrontendDispatcherHeaderGenerator.__init__):
1186         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
1187         (CppFrontendDispatcherImplementationGenerator.__init__):
1188         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
1189         (CppProtocolTypesHeaderGenerator.__init__):
1190         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
1191         (CppProtocolTypesImplementationGenerator.__init__):
1192         * inspector/scripts/codegen/generate_js_backend_commands.py:
1193         (JSBackendCommandsGenerator.__init__):
1194         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
1195         (ObjCBackendDispatcherHeaderGenerator.__init__):
1196         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1197         (ObjCConfigurationImplementationGenerator.__init__):
1198         * inspector/scripts/codegen/generate_objc_configuration_header.py:
1199         (ObjCConfigurationHeaderGenerator.__init__):
1200         * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
1201         (ObjCBackendDispatcherImplementationGenerator.__init__):
1202         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1203         (ObjCFrontendDispatcherImplementationGenerator.__init__):
1204         * inspector/scripts/codegen/generate_objc_header.py:
1205         (ObjCHeaderGenerator.__init__):
1206         * inspector/scripts/codegen/generate_objc_internal_header.py:
1207         (ObjCInternalHeaderGenerator.__init__):
1208         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
1209         (ObjCProtocolTypeConversionsHeaderGenerator.__init__):
1210         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_implementation.py:
1211         (ObjCProtocolTypeConversionsImplementationGenerator.__init__):
1212         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1213         (ObjCProtocolTypesImplementationGenerator.__init__):
1214         Pass along *args instead of single positional arguments.
1215
1216         * inspector/scripts/codegen/generator.py:
1217         (Generator.__init__):
1218         Save the target platform and add a getter.
1219
1220         * inspector/scripts/codegen/models.py:
1221         (Platform):
1222         (Platform.__init__):
1223         (Platform.fromString):
1224         (Platforms):
1225         Define the allowed Platform instances (iOS, macOS, and Any).
1226
1227         * inspector/scripts/codegen/objc_generator.py:
1228         (ObjCGenerator.and.__init__):
1229         * inspector/scripts/generate-inspector-protocol-bindings.py:
1230         (generate_from_specification):
1231         Pass along *args instead of single positional arguments.
1232
1233 2017-01-04  JF Bastien  <jfbastien@apple.com>
1234
1235         WebAssembly JS API: add Module.sections
1236         https://bugs.webkit.org/show_bug.cgi?id=165159
1237         <rdar://problem/29760326>
1238
1239         Reviewed by Mark Lam.
1240
1241         As described in: https://github.com/WebAssembly/design/blob/master/JS.md#webassemblymodulecustomsections
1242
1243         This was added for Emscripten, and is likely to be used soon.
1244
1245         * wasm/WasmFormat.h: custom sections are just name + bytes
1246         * wasm/WasmModuleParser.cpp: parse them, instead of skipping over
1247         * wasm/WasmModuleParser.h:
1248         * wasm/js/WebAssemblyModulePrototype.cpp: construct the Array of
1249         ArrayBuffer as described in the spec
1250         (JSC::webAssemblyModuleProtoCustomSections):
1251
1252 2017-01-04  Saam Barati  <sbarati@apple.com>
1253
1254         We don't properly handle exceptions inside the nativeCallTrampoline macro in the LLInt
1255         https://bugs.webkit.org/show_bug.cgi?id=163720
1256
1257         Reviewed by Mark Lam.
1258
1259         In the LLInt, we were incorrectly doing the exception check after the call.
1260         Before the exception check, we were unwinding to our caller's
1261         frame under the assumption that our caller was always a JS frame.
1262         This is incorrect, however, because our caller might be a C frame.
1263         One way that it can be a C frame is when C calls to JS, and JS tail
1264         calls to native. This patch fixes this bug by doing unwinding from
1265         the native callee's frame instead of its callers.
1266
1267         * llint/LowLevelInterpreter32_64.asm:
1268         * llint/LowLevelInterpreter64.asm:
1269
1270 2017-01-03  JF Bastien  <jfbastien@apple.com>
1271
1272         REGRESSION (r210244): Release JSC Stress test failure: wasm.yaml/wasm/js-api/wasm-to-wasm.js.default-wasm
1273         https://bugs.webkit.org/show_bug.cgi?id=166669
1274         <rdar://problem/29856455>
1275
1276         Reviewed by Saam Barati.
1277
1278         Bug #165282 added wasm -> wasm calls, but caused crashes in
1279         release builds because the pinned registers are also callee-saved
1280         and were being clobbered. B3 didn't see itself clobbering them
1281         when no memory was used, and therefore omitted a restore.
1282
1283         This was causing the C++ code in callWebAssemblyFunction to crash
1284         because $r12 was 0, and it expected it to have its value prior to
1285         the call.
1286
1287         * wasm/WasmB3IRGenerator.cpp:
1288         (JSC::Wasm::createJSToWasmWrapper):
1289
1290 2017-01-03  Joseph Pecoraro  <pecoraro@apple.com>
1291
1292         Web Inspector: Address failures under LayoutTests/inspector/debugger/stepping
1293         https://bugs.webkit.org/show_bug.cgi?id=166300
1294
1295         Reviewed by Brian Burg.
1296
1297         * debugger/Debugger.cpp:
1298         (JSC::Debugger::continueProgram):
1299         When continuing, clear states that would have had us pause again.
1300
1301         * inspector/agents/InspectorDebuggerAgent.cpp:
1302         (Inspector::InspectorDebuggerAgent::didBecomeIdle):
1303         When resuming after becoming idle, be sure to clear Debugger state.
1304
1305 2017-01-03  JF Bastien  <jfbastien@apple.com>
1306
1307         WebAssembly JS API: check and test in-call / out-call values
1308         https://bugs.webkit.org/show_bug.cgi?id=164876
1309         <rdar://problem/29844107>
1310
1311         Reviewed by Saam Barati.
1312
1313         * wasm/WasmBinding.cpp:
1314         (JSC::Wasm::wasmToJs): fix the wasm -> JS call coercions for f32 /
1315         f64 which the associated tests inadvertently tripped on: the
1316         previous code wasn't correctly performing JSValue boxing for
1317         "double" values. This change is slightly involved because it
1318         requires two scratch registers to materialize the
1319         `DoubleEncodeOffset` value. This change therefore reorganizes the
1320         code to first generate traps, then handle all integers (freeing
1321         all GPRs), and then all the floating-point values.
1322         * wasm/js/WebAssemblyFunction.cpp:
1323         (JSC::callWebAssemblyFunction): Implement the defined semantics
1324         for mismatched arities when JS calls wasm:
1325         https://github.com/WebAssembly/design/blob/master/JS.md#exported-function-exotic-objects
1326           - i32 is 0, f32 / f64 are NaN.
1327           - wasm functions which return "void" are "undefined" in JS.
1328
1329 2017-01-03  Per Arne Vollan  <pvollan@apple.com>
1330
1331         [Win] jsc.exe sometimes never exits.
1332         https://bugs.webkit.org/show_bug.cgi?id=158073
1333
1334         Reviewed by Darin Adler.
1335
1336         On Windows the thread specific destructor is also called when the main thread is exiting.
1337         This may lead to the main thread waiting forever for the machine thread lock when exiting,
1338         if the sampling profiler thread was terminated by the system while holding the machine
1339         thread lock.
1340
1341         * heap/MachineStackMarker.cpp:
1342         (JSC::MachineThreads::removeThread):
1343
1344 2017-01-02  Julien Brianceau  <jbriance@cisco.com>
1345
1346         Remove sh4 specific code from JavaScriptCore
1347         https://bugs.webkit.org/show_bug.cgi?id=166640
1348
1349         Reviewed by Filip Pizlo.
1350
1351         sh4-specific code has not compiled for a while (r189884 at least).
1352         As nobody seems to have interest in this architecture anymore, let's
1353         remove this dead code and thus ease the burden for JSC maintainers.
1354
1355         * CMakeLists.txt:
1356         * JavaScriptCore.xcodeproj/project.pbxproj:
1357         * assembler/AbstractMacroAssembler.h:
1358         (JSC::AbstractMacroAssembler::Jump::Jump):
1359         (JSC::AbstractMacroAssembler::Jump::link):
1360         * assembler/MacroAssembler.h:
1361         * assembler/MacroAssemblerSH4.h: Removed.
1362         * assembler/MaxFrameExtentForSlowPathCall.h:
1363         * assembler/SH4Assembler.h: Removed.
1364         * bytecode/DOMJITAccessCasePatchpointParams.cpp:
1365         (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
1366         * dfg/DFGSpeculativeJIT.h:
1367         (JSC::DFG::SpeculativeJIT::callOperation):
1368         * jit/AssemblyHelpers.h:
1369         (JSC::AssemblyHelpers::debugCall):
1370         * jit/CCallHelpers.h:
1371         (JSC::CCallHelpers::setupArgumentsWithExecState):
1372         (JSC::CCallHelpers::prepareForTailCallSlow):
1373         * jit/CallFrameShuffler.cpp:
1374         (JSC::CallFrameShuffler::prepareForTailCall):
1375         * jit/ExecutableAllocator.h:
1376         * jit/FPRInfo.h:
1377         * jit/GPRInfo.h:
1378         * jit/JITInlines.h:
1379         (JSC::JIT::callOperation):
1380         * jit/JITOpcodes32_64.cpp:
1381         (JSC::JIT::privateCompileCTINativeCall):
1382         * jit/JITOperations.cpp:
1383         * jit/RegisterSet.cpp:
1384         (JSC::RegisterSet::llintBaselineCalleeSaveRegisters):
1385         (JSC::RegisterSet::dfgCalleeSaveRegisters):
1386         * jit/ThunkGenerators.cpp:
1387         (JSC::nativeForGenerator):
1388         * llint/LLIntData.cpp:
1389         (JSC::LLInt::Data::performAssertions):
1390         * llint/LLIntOfflineAsmConfig.h:
1391         * llint/LowLevelInterpreter.asm:
1392         * llint/LowLevelInterpreter32_64.asm:
1393         * offlineasm/backends.rb:
1394         * offlineasm/instructions.rb:
1395         * offlineasm/sh4.rb: Removed.
1396         * yarr/YarrJIT.cpp:
1397         (JSC::Yarr::YarrGenerator::generateEnter):
1398         (JSC::Yarr::YarrGenerator::generateReturn):
1399
1400 2017-01-02  JF Bastien  <jfbastien@apple.com>
1401
1402         WebAssembly: handle and optimize wasm export → wasm import calls
1403         https://bugs.webkit.org/show_bug.cgi?id=165282
1404
1405         Reviewed by Saam Barati.
1406
1407           - Add a new JSType for WebAssemblyFunction, and use it when creating its
1408             structure. This is used to quickly detect from wasm whether the import
1409             call is to another wasm module, or whether it's to JS.
1410           - Generate two stubs from the import stub generator: one for wasm->JS and one
1411             for wasm -> wasm. This is done at Module time. Which is called will only be
1412             known at Instance time, once we've received the import object. We want to
1413             avoid codegen at Instance time, so having both around is great.
1414           - Restore the WebAssembly global state (VM top Instance, and pinned registers)
1415             after call / call_indirect, and in the JS->wasm entry stub.
1416           - Pinned registers are now a global thing, not per-Memory, because the wasm ->
1417             wasm stubs are generated at Module time where we don't really have enough
1418             information to do the right thing (doing so would generate too much code).
1419
1420         * CMakeLists.txt:
1421         * JavaScriptCore.xcodeproj/project.pbxproj:
1422         * runtime/JSType.h: add WebAssemblyFunctionType as a JSType
1423         * wasm/WasmB3IRGenerator.cpp: significantly rework how calls which
1424         could be external work, and how we save / restore global state:
1425         VM's top Instance, and pinned registers
1426         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1427         (JSC::Wasm::getMemoryBaseAndSize):
1428         (JSC::Wasm::restoreWebAssemblyGlobalState):
1429         (JSC::Wasm::createJSToWasmWrapper):
1430         (JSC::Wasm::parseAndCompile):
1431         * wasm/WasmB3IRGenerator.h:
1432         * wasm/WasmBinding.cpp:
1433         (JSC::Wasm::materializeImportJSCell):
1434         (JSC::Wasm::wasmToJS):
1435         (JSC::Wasm::wasmToWasm): the main goal of this patch was adding this function
1436         (JSC::Wasm::exitStubGenerator):
1437         * wasm/WasmBinding.h:
1438         * wasm/WasmFormat.h: Get rid of much of the function index space:
1439         we already have all of its information elsewhere, and as-is it
1440         provides no extra efficiency.
1441         (JSC::Wasm::ModuleInformation::functionIndexSpaceSize):
1442         (JSC::Wasm::ModuleInformation::isImportedFunctionFromFunctionIndexSpace):
1443         (JSC::Wasm::ModuleInformation::signatureIndexFromFunctionIndexSpace):
1444         * wasm/WasmFunctionParser.h:
1445         (JSC::Wasm::FunctionParser<Context>::FunctionParser):
1446         * wasm/WasmMemory.cpp: Add some logging.
1447         (JSC::Wasm::Memory::dump): this was nice when debugging
1448         (JSC::Wasm::Memory::makeString):
1449         (JSC::Wasm::Memory::Memory):
1450         (JSC::Wasm::Memory::~Memory):
1451         (JSC::Wasm::Memory::grow):
1452         * wasm/WasmMemory.h: don't use extra indirection, it wasn't
1453         needed. Reorder some of the fields which are looked up at runtime
1454         so they're more cache-friendly.
1455         (JSC::Wasm::Memory::Memory):
1456         (JSC::Wasm::Memory::mode):
1457         (JSC::Wasm::Memory::offsetOfSize):
1458         * wasm/WasmMemoryInformation.cpp: Pinned registers are now a
1459         global thing for all of JSC, not a per-Memory thing
1460         anymore. wasm->wasm calls are more complex otherwise: they have to
1461         figure out how to bridge between the caller and callee's
1462         special-snowflake pinning.
1463         (JSC::Wasm::PinnedRegisterInfo::get):
1464         (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
1465         (JSC::Wasm::MemoryInformation::MemoryInformation):
1466         * wasm/WasmMemoryInformation.h:
1467         * wasm/WasmModuleParser.cpp:
1468         * wasm/WasmModuleParser.h:
1469         * wasm/WasmPageCount.cpp: Copied from Source/JavaScriptCore/wasm/WasmBinding.h.
1470         (JSC::Wasm::PageCount::dump): nice for debugging
1471         * wasm/WasmPageCount.h:
1472         * wasm/WasmPlan.cpp:
1473         (JSC::Wasm::Plan::parseAndValidateModule):
1474         (JSC::Wasm::Plan::run):
1475         * wasm/WasmPlan.h:
1476         (JSC::Wasm::Plan::takeWasmExitStubs):
1477         * wasm/WasmSignature.cpp:
1478         (JSC::Wasm::Signature::toString):
1479         (JSC::Wasm::Signature::dump):
1480         * wasm/WasmSignature.h:
1481         * wasm/WasmValidate.cpp:
1482         (JSC::Wasm::validateFunction):
1483         * wasm/WasmValidate.h:
1484         * wasm/js/JSWebAssemblyInstance.h:
1485         (JSC::JSWebAssemblyInstance::offsetOfTable):
1486         (JSC::JSWebAssemblyInstance::offsetOfImportFunctions):
1487         (JSC::JSWebAssemblyInstance::offsetOfImportFunction):
1488         * wasm/js/JSWebAssemblyMemory.cpp:
1489         (JSC::JSWebAssemblyMemory::create):
1490         (JSC::JSWebAssemblyMemory::JSWebAssemblyMemory):
1491         (JSC::JSWebAssemblyMemory::buffer):
1492         (JSC::JSWebAssemblyMemory::grow):
1493         * wasm/js/JSWebAssemblyMemory.h:
1494         (JSC::JSWebAssemblyMemory::memory):
1495         (JSC::JSWebAssemblyMemory::offsetOfMemory):
1496         (JSC::JSWebAssemblyMemory::offsetOfSize):
1497         * wasm/js/JSWebAssemblyModule.cpp:
1498         (JSC::JSWebAssemblyModule::create):
1499         (JSC::JSWebAssemblyModule::JSWebAssemblyModule):
1500         * wasm/js/JSWebAssemblyModule.h:
1501         (JSC::JSWebAssemblyModule::signatureIndexFromFunctionIndexSpace):
1502         (JSC::JSWebAssemblyModule::functionImportCount):
1503         * wasm/js/WebAssemblyFunction.cpp:
1504         (JSC::callWebAssemblyFunction):
1505         (JSC::WebAssemblyFunction::create):
1506         (JSC::WebAssemblyFunction::createStructure):
1507         (JSC::WebAssemblyFunction::WebAssemblyFunction):
1508         (JSC::WebAssemblyFunction::finishCreation):
1509         * wasm/js/WebAssemblyFunction.h:
1510         (JSC::WebAssemblyFunction::wasmEntrypoint):
1511         (JSC::WebAssemblyFunction::offsetOfInstance):
1512         (JSC::WebAssemblyFunction::offsetOfWasmEntryPointCode):
1513         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1514         (JSC::constructJSWebAssemblyInstance): always start with a dummy
1515         memory, so wasm->wasm calls don't need to null-check
1516         * wasm/js/WebAssemblyMemoryConstructor.cpp:
1517         (JSC::constructJSWebAssemblyMemory):
1518         * wasm/js/WebAssemblyModuleConstructor.cpp:
1519         (JSC::WebAssemblyModuleConstructor::createModule):
1520         * wasm/js/WebAssemblyModuleRecord.cpp:
1521         (JSC::WebAssemblyModuleRecord::link):
1522         (JSC::WebAssemblyModuleRecord::evaluate):
1523         * wasm/js/WebAssemblyModuleRecord.h:
1524
1525 2017-01-02  Saam Barati  <sbarati@apple.com>
1526
1527         WebAssembly: Some loads don't take into account the offset
1528         https://bugs.webkit.org/show_bug.cgi?id=166616
1529         <rdar://problem/29841541>
1530
1531         Reviewed by Keith Miller.
1532
1533         * wasm/WasmB3IRGenerator.cpp:
1534         (JSC::Wasm::B3IRGenerator::emitLoadOp):
1535
1536 2017-01-01  Jeff Miller  <jeffm@apple.com>
1537
1538         Update user-visible copyright strings to include 2017
1539         https://bugs.webkit.org/show_bug.cgi?id=166278
1540
1541         Reviewed by Dan Bernstein.
1542
1543         * Info.plist:
1544
1545 2016-12-28  Saam Barati  <sbarati@apple.com>
1546
1547         WebAssembly: Don't allow duplicate export names
1548         https://bugs.webkit.org/show_bug.cgi?id=166490
1549         <rdar://problem/29815000>
1550
1551         Reviewed by Keith Miller.
1552
1553         * wasm/WasmModuleParser.cpp:
1554
1555 2016-12-28  Saam Barati  <sbarati@apple.com>
1556
1557         Unreviewed. Fix jsc.cpp build error.
1558
1559         * jsc.cpp:
1560         (functionTestWasmModuleFunctions):
1561
1562 2016-12-28  Saam Barati  <sbarati@apple.com>
1563
1564         WebAssembly: Implement grow_memory and current_memory
1565         https://bugs.webkit.org/show_bug.cgi?id=166448
1566         <rdar://problem/29803676>
1567
1568         Reviewed by Keith Miller.
1569
1570         This patch implements grow_memory, current_memory, and WebAssembly.prototype.grow.
1571         See relevant spec texts here:
1572         
1573         https://github.com/WebAssembly/design/blob/master/Semantics.md#linear-memory-accesses
1574         https://github.com/WebAssembly/design/blob/master/JS.md#webassemblymemoryprototypegrow
1575         
1576         I also fix a couple of miscellaneous bugs:
1577         
1578         1. Data section now understands full init_exprs. 
1579         2. parseVarUint1 no longer has a bug where we allow values larger than 1 if
1580         their bottom 8 bits are zero.
1581         
1582         Since the JS API can now grow memory, we need to make calling an import
1583         and call_indirect refresh the base memory register and the size registers.
1584
1585         * jsc.cpp:
1586         (functionTestWasmModuleFunctions):
1587         * runtime/Options.h:
1588         * runtime/VM.h:
1589         * wasm/WasmB3IRGenerator.cpp:
1590         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1591         (JSC::Wasm::reloadPinnedRegisters):
1592         (JSC::Wasm::B3IRGenerator::emitReloadPinnedRegisters):
1593         (JSC::Wasm::createJSToWasmWrapper):
1594         (JSC::Wasm::parseAndCompile):
1595         * wasm/WasmFormat.cpp:
1596         (JSC::Wasm::Segment::create):
1597         * wasm/WasmFormat.h:
1598         (JSC::Wasm::I32InitExpr::I32InitExpr):
1599         (JSC::Wasm::I32InitExpr::globalImport):
1600         (JSC::Wasm::I32InitExpr::constValue):
1601         (JSC::Wasm::I32InitExpr::isConst):
1602         (JSC::Wasm::I32InitExpr::isGlobalImport):
1603         (JSC::Wasm::I32InitExpr::globalImportIndex):
1604         (JSC::Wasm::Segment::byte):
1605         (JSC::Wasm::ModuleInformation::importFunctionCount):
1606         (JSC::Wasm::ModuleInformation::hasMemory):
1607         * wasm/WasmFunctionParser.h:
1608         * wasm/WasmMemory.cpp:
1609         (JSC::Wasm::Memory::Memory):
1610         (JSC::Wasm::Memory::grow):
1611         * wasm/WasmMemory.h:
1612         (JSC::Wasm::Memory::size):
1613         (JSC::Wasm::Memory::sizeInPages):
1614         (JSC::Wasm::Memory::offsetOfMemory):
1615         (JSC::Wasm::Memory::isValid): Deleted.
1616         (JSC::Wasm::Memory::grow): Deleted.
1617         * wasm/WasmModuleParser.cpp:
1618         (JSC::Wasm::makeI32InitExpr):
1619         * wasm/WasmModuleParser.h:
1620         * wasm/WasmPageCount.h:
1621         (JSC::Wasm::PageCount::bytes):
1622         (JSC::Wasm::PageCount::pageCount):
1623         (JSC::Wasm::PageCount::fromBytes):
1624         (JSC::Wasm::PageCount::operator+):
1625         * wasm/WasmParser.h:
1626         (JSC::Wasm::Parser<SuccessType>::parseVarUInt1):
1627         * wasm/WasmValidate.cpp:
1628         * wasm/js/JSWebAssemblyInstance.h:
1629         (JSC::JSWebAssemblyInstance::offsetOfMemory):
1630         * wasm/js/JSWebAssemblyMemory.cpp:
1631         (JSC::JSWebAssemblyMemory::~JSWebAssemblyMemory):
1632         (JSC::JSWebAssemblyMemory::grow):
1633         * wasm/js/JSWebAssemblyMemory.h:
1634         (JSC::JSWebAssemblyMemory::offsetOfMemory):
1635         * wasm/js/JSWebAssemblyModule.h:
1636         (JSC::JSWebAssemblyModule::functionImportCount):
1637         (JSC::JSWebAssemblyModule::jsEntrypointCalleeFromFunctionIndexSpace):
1638         (JSC::JSWebAssemblyModule::wasmEntrypointCalleeFromFunctionIndexSpace):
1639         (JSC::JSWebAssemblyModule::importCount): Deleted.
1640         * wasm/js/WebAssemblyFunction.cpp:
1641         (JSC::callWebAssemblyFunction):
1642         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1643         (JSC::constructJSWebAssemblyInstance):
1644         * wasm/js/WebAssemblyMemoryConstructor.cpp:
1645         (JSC::constructJSWebAssemblyMemory):
1646         * wasm/js/WebAssemblyMemoryPrototype.cpp:
1647         (JSC::getMemory):
1648         (JSC::webAssemblyMemoryProtoFuncBuffer):
1649         (JSC::webAssemblyMemoryProtoFuncGrow):
1650         * wasm/js/WebAssemblyModuleRecord.cpp:
1651         (JSC::WebAssemblyModuleRecord::link):
1652         (JSC::dataSegmentFail):
1653         (JSC::WebAssemblyModuleRecord::evaluate):
1654         * wasm/wasm.json:
1655
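Added example tied to two entries above, the Module.sections entry ("custom sections are just name + bytes") and the parseVarUInt1 note in the grow_memory entry; this is illustrative code written for this ChangeLog, not JavaScriptCore's own, and the function names, the reconstructed buggy check and the sample module bytes are all assumptions.

```cpp
// Added example for this ChangeLog (not JavaScriptCore's own code): a small
// WebAssembly binary reader showing (1) custom sections read as name + bytes,
// and (2) the varuint1 narrowing bug. All names here are hypothetical.
#include <algorithm>
#include <cstdint>
#include <optional>
#include <string>
#include <utility>
#include <vector>

namespace wasmdemo {

struct Reader {
    const uint8_t* data;
    size_t size;
    size_t offset;

    // Unsigned LEB128 decode of at most five bytes into 32 bits.
    std::optional<uint32_t> varuint32() {
        uint32_t result = 0;
        for (unsigned shift = 0; shift < 35; shift += 7) {
            if (offset >= size)
                return std::nullopt; // ran off the end of the input
            uint8_t byte = data[offset++];
            if (shift == 28 && (byte & 0x70))
                return std::nullopt; // would set bits above bit 31
            result |= static_cast<uint32_t>(byte & 0x7f) << shift;
            if (!(byte & 0x80))
                return result;
        }
        return std::nullopt; // sixth continuation byte: malformed
    }
};

// Buggy shape (reconstructed from the ChangeLog wording, not JSC's actual code):
// narrowing to 8 bits before the range check accepts 256 (bytes 0x80 0x02) as 0.
bool parseVarUInt1Buggy(Reader& r, uint8_t& out) {
    std::optional<uint32_t> value = r.varuint32();
    if (!value) return false;
    out = static_cast<uint8_t>(*value);
    return out <= 1;
}

// Fixed: range-check the full decoded value before narrowing.
bool parseVarUInt1Fixed(Reader& r, uint8_t& out) {
    std::optional<uint32_t> value = r.varuint32();
    if (!value || *value > 1) return false;
    out = static_cast<uint8_t>(*value);
    return true;
}

// Returns {accepted, decoded value} for a standalone varuint1 encoding.
std::pair<bool, uint8_t> decodeVarUInt1(const std::vector<uint8_t>& bytes, bool fixed) {
    Reader r { bytes.data(), bytes.size(), 0 };
    uint8_t out = 0xff;
    bool ok = fixed ? parseVarUInt1Fixed(r, out) : parseVarUInt1Buggy(r, out);
    return { ok, out };
}

struct CustomSection {
    std::string name;
    std::vector<uint8_t> data;
};

// Walks the section list: custom sections (id 0) are collected, every other section
// is skipped by its declared length; each length is checked against the bytes left.
std::optional<std::vector<CustomSection>> parseCustomSections(const std::vector<uint8_t>& bytes) {
    static const uint8_t header[8] = { 0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00 };
    if (bytes.size() < 8 || !std::equal(header, header + 8, bytes.begin()))
        return std::nullopt;
    Reader r { bytes.data(), bytes.size(), 8 };
    std::vector<CustomSection> sections;
    while (r.offset < r.size) {
        uint8_t id = r.data[r.offset++];
        std::optional<uint32_t> payloadLength = r.varuint32();
        if (!payloadLength || *payloadLength > r.size - r.offset)
            return std::nullopt; // section claims more bytes than exist
        size_t end = r.offset + *payloadLength;
        if (id == 0) {
            std::optional<uint32_t> nameLength = r.varuint32();
            if (!nameLength || r.offset > end || *nameLength > end - r.offset)
                return std::nullopt; // name does not fit inside the section
            std::string name(reinterpret_cast<const char*>(r.data + r.offset), *nameLength);
            r.offset += *nameLength;
            sections.push_back({ name, std::vector<uint8_t>(r.data + r.offset, r.data + end) });
        }
        r.offset = end;
    }
    return sections;
}

// Constructed sample: header, custom section "name" carrying {1,2,3}, then an
// empty type section (id 1) that must be skipped.
std::vector<uint8_t> sampleModule() {
    return { 0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,
             0x00, 0x08, 0x04, 'n', 'a', 'm', 'e', 0x01, 0x02, 0x03, 0x01, 0x01, 0x00 };
}

} // namespace wasmdemo
```

A section whose declared length overruns the module (for instance the eight header bytes followed by `0x00 0x10`) is rejected rather than read past the buffer.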
1656 2016-12-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1657
1658         Use variadic templates in JSC Parser to clean up
1659         https://bugs.webkit.org/show_bug.cgi?id=166482
1660
1661         Reviewed by Saam Barati.
1662
1663         * parser/Parser.cpp:
1664         (JSC::Parser<LexerType>::logError):
1665         * parser/Parser.h:
1666
1667 2016-12-25  Yusuke Suzuki  <utatane.tea@gmail.com>
1668
1669         Propagate the source origin as much as possible
1670         https://bugs.webkit.org/show_bug.cgi?id=166348
1671
1672         Reviewed by Darin Adler.
1673
1674         This patch introduces CallFrame::callerSourceOrigin, SourceOrigin class
1675         and SourceProvider::m_sourceOrigin. CallFrame::callerSourceOrigin returns
1676         an appropriate SourceOrigin if possible. If we cannot find the appropriate
1677         one, we just return null SourceOrigin.
1678
1679         This paves the way for implementing the module dynamic-import[1].
1680         When the import operator is evaluated, it will resolve the module
1681         specifier with this propagated source origin of the caller function.
1682
1683         To support import operator inside the dynamic code generation
1684         functions (like `eval`, `new Function`, indirect call to `eval`),
1685         we need to propagate the caller's source origin to the generated
1686         source code.
1687
1688         We do not use sourceURL for that purpose. This is because we
1689         would like to keep sourceURL for `eval` / `new Function` null.
1690         This sourceURL will be used for the stack dump for errors with line/column
1691         numbers. Dumping the caller's sourceURL with line/column numbers are
1692         meaningless. So we would like to keep it null while we would like
1693         to propagate SourceOrigin for dynamic imports.
1694
1695         [1]: https://github.com/tc39/proposal-dynamic-import
1696
1697         * API/JSBase.cpp:
1698         (JSEvaluateScript):
1699         (JSCheckScriptSyntax):
1700         * API/JSObjectRef.cpp:
1701         (JSObjectMakeFunction):
1702         * API/JSScriptRef.cpp:
1703         (OpaqueJSScript::create):
1704         (OpaqueJSScript::vm):
1705         (OpaqueJSScript::OpaqueJSScript):
1706         (parseScript):
1707         * JavaScriptCore.xcodeproj/project.pbxproj:
1708         * Scripts/builtins/builtins_templates.py:
1709         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
1710         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
1711         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
1712         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
1713         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
1714         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
1715         * builtins/BuiltinExecutables.cpp:
1716         (JSC::BuiltinExecutables::BuiltinExecutables):
1717         (JSC::BuiltinExecutables::createDefaultConstructor):
1718         * debugger/DebuggerCallFrame.cpp:
1719         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
1720         * inspector/InjectedScriptManager.cpp:
1721         (Inspector::InjectedScriptManager::createInjectedScript):
1722         * inspector/JSInjectedScriptHost.cpp:
1723         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
1724         * inspector/agents/InspectorRuntimeAgent.cpp:
1725         (Inspector::InspectorRuntimeAgent::parse):
1726         * interpreter/CallFrame.cpp:
1727         (JSC::CallFrame::callerSourceOrigin):
1728         * interpreter/CallFrame.h:
1729         * interpreter/Interpreter.cpp:
1730         (JSC::eval):
1731         * jsc.cpp:
1732         (jscSource):
1733         (GlobalObject::finishCreation):
1734         (extractDirectoryName):
1735         (currentWorkingDirectory):
1736         (GlobalObject::moduleLoaderResolve):
1737         (functionRunString):
1738         (functionLoadString):
1739         (functionCallerSourceOrigin):
1740         (functionCreateBuiltin):
1741         (functionCheckModuleSyntax):
1742         (runInteractive):
1743         * parser/SourceCode.h:
1744         (JSC::makeSource):
1745         * parser/SourceProvider.cpp:
1746         (JSC::SourceProvider::SourceProvider):
1747         * parser/SourceProvider.h:
1748         (JSC::SourceProvider::sourceOrigin):
1749         (JSC::StringSourceProvider::create):
1750         (JSC::StringSourceProvider::StringSourceProvider):
1751         (JSC::WebAssemblySourceProvider::create):
1752         (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
1753         * runtime/FunctionConstructor.cpp:
1754         (JSC::constructFunction):
1755         (JSC::constructFunctionSkippingEvalEnabledCheck):
1756         * runtime/FunctionConstructor.h:
1757         * runtime/JSGlobalObjectFunctions.cpp:
1758         (JSC::globalFuncEval):
1759         * runtime/ModuleLoaderPrototype.cpp:
1760         (JSC::moduleLoaderPrototypeParseModule):
1761         * runtime/ScriptExecutable.h:
1762         (JSC::ScriptExecutable::sourceOrigin):
1763         * runtime/SourceOrigin.h: Added.
1764         (JSC::SourceOrigin::SourceOrigin):
1765         (JSC::SourceOrigin::string):
1766         (JSC::SourceOrigin::isNull):
1767         * tools/FunctionOverrides.cpp:
1768         (JSC::initializeOverrideInfo):
1769
1770 2016-12-24  Caio Lima  <ticaiolima@gmail.com>
1771
1772         [test262] Fixing mapped arguments object property test case
1773         https://bugs.webkit.org/show_bug.cgi?id=159398
1774
1775         Reviewed by Saam Barati.
1776
1777         This patch changes GenericArguments' override mechanism to
1778         implement correct behavior on ECMAScript test262 suite test cases of
1779         mapped arguments object with non-configurable and non-writable
1780         property. Also it is ensuring that arguments[i]
1781         cannot be deleted when argument "i" is {configurable: false}.
1782         
1783         The previous implementation is against the specification for 2 reasons:
1784
1785         1. Every argument in arguments object is {writable: true} by default
1786            (http://www.ecma-international.org/ecma-262/7.0/index.html#sec-createunmappedargumentsobject).
1787            It means that we have to stop mapping a defined property index
1788            if the new property descriptor contains writable (i.e writable is
1789            present) and its value is false (also check
1790            https://tc39.github.io/ecma262/#sec-arguments-exotic-objects-defineownproperty-p-desc).
1791            Previous implementation considers {writable: false} if writable is
1792            not present.
1793
1794         2. When a property is overridden, "delete" operation is always returning true. However
1795            delete operations should follow the specification.
1796
1797         We created an auxiliary boolean array named m_modifiedArgumentsDescriptor
1798         to store which arguments[i] descriptor was changed from its default
1799         property descriptor. This modification was necessary because m_overrides
1800         was responsible to keep this information at the same time
1801         of keeping information about arguments mapping. The problem of this approach was
1802         that we needed to call overridesArgument(i) as soon as the ith argument's property
1803         descriptor was changed and it stops the argument's mapping as a side effect, producing
1804         wrong behavior.
1805         To keep tracking arguments mapping status, we renamed DirectArguments::m_overrides to
1806         DirectArguments::m_mappedArguments and now it is responsible to manage if an
1807         argument[i] is mapped or not.
1808         With these 2 structures, now it is possible for an argument[i] to have its property
1809         descriptor modified and not stop the mapping as soon as it happens. One example
1810         of that wrong behavior can be found on arguments-bizarre-behaviour-disable-enumerability
1811         test case, that now is fixed by this new mechanism.
1812
1813         * bytecode/PolymorphicAccess.cpp:
1814         (JSC::AccessCase::generateWithGuard):
1815         * dfg/DFGSpeculativeJIT.cpp:
1816         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
1817         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
1818         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
1819         * ftl/FTLAbstractHeapRepository.h:
1820         * ftl/FTLLowerDFGToB3.cpp:
1821         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
1822         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1823         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
1824         * jit/JITOperations.cpp:
1825         (JSC::canAccessArgumentIndexQuickly):
1826         * jit/JITPropertyAccess.cpp:
1827         (JSC::JIT::emitDirectArgumentsGetByVal):
1828         * runtime/DirectArguments.cpp:
1829         (JSC::DirectArguments::estimatedSize):
1830         (JSC::DirectArguments::visitChildren):
1831         (JSC::DirectArguments::overrideThings):
1832         (JSC::DirectArguments::overrideThingsIfNecessary):
1833         (JSC::DirectArguments::unmapArgument):
1834         (JSC::DirectArguments::copyToArguments):
1835         (JSC::DirectArguments::overridesSize):
1836         (JSC::DirectArguments::overrideArgument): Deleted.
1837         * runtime/DirectArguments.h:
1838         (JSC::DirectArguments::length):
1839         (JSC::DirectArguments::isMappedArgument):
1840         (JSC::DirectArguments::isMappedArgumentInDFG):
1841         (JSC::DirectArguments::getIndexQuickly):
1842         (JSC::DirectArguments::setIndexQuickly):
1843         (JSC::DirectArguments::overrodeThings):
1844         (JSC::DirectArguments::initModifiedArgumentsDescriptorIfNecessary):
1845         (JSC::DirectArguments::setModifiedArgumentDescriptor):
1846         (JSC::DirectArguments::isModifiedArgumentDescriptor):
1847         (JSC::DirectArguments::offsetOfMappedArguments):
1848         (JSC::DirectArguments::offsetOfModifiedArgumentsDescriptor):
1849         (JSC::DirectArguments::canAccessIndexQuickly): Deleted.
1850         (JSC::DirectArguments::canAccessArgumentIndexQuicklyInDFG): Deleted.
1851         (JSC::DirectArguments::offsetOfOverrides): Deleted.
1852         * runtime/GenericArguments.h:
1853         * runtime/GenericArgumentsInlines.h:
1854         (JSC::GenericArguments<Type>::visitChildren):
1855         (JSC::GenericArguments<Type>::getOwnPropertySlot):
1856         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
1857         (JSC::GenericArguments<Type>::getOwnPropertyNames):
1858         (JSC::GenericArguments<Type>::put):
1859         (JSC::GenericArguments<Type>::putByIndex):
1860         (JSC::GenericArguments<Type>::deleteProperty):
1861         (JSC::GenericArguments<Type>::deletePropertyByIndex):
1862         (JSC::GenericArguments<Type>::defineOwnProperty):
1863         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
1864         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptorIfNecessary):
1865         (JSC::GenericArguments<Type>::setModifiedArgumentDescriptor):
1866         (JSC::GenericArguments<Type>::isModifiedArgumentDescriptor):
1867         (JSC::GenericArguments<Type>::copyToArguments):
1868         * runtime/ScopedArguments.cpp:
1869         (JSC::ScopedArguments::visitChildren):
1870         (JSC::ScopedArguments::unmapArgument):
1871         (JSC::ScopedArguments::overrideArgument): Deleted.
1872         * runtime/ScopedArguments.h:
1873         (JSC::ScopedArguments::isMappedArgument):
1874         (JSC::ScopedArguments::isMappedArgumentInDFG):
1875         (JSC::ScopedArguments::getIndexQuickly):
1876         (JSC::ScopedArguments::setIndexQuickly):
1877         (JSC::ScopedArguments::initModifiedArgumentsDescriptorIfNecessary):
1878         (JSC::ScopedArguments::setModifiedArgumentDescriptor):
1879         (JSC::ScopedArguments::isModifiedArgumentDescriptor):
1880         (JSC::ScopedArguments::canAccessIndexQuickly): Deleted.
1881         (JSC::ScopedArguments::canAccessArgumentIndexQuicklyInDFG): Deleted.
1882
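The observable ECMAScript semantics that the entry above fixes in JSC's GenericArguments, shown as an added JavaScript example that is not WebKit code. The functions are built with the Function constructor so that they are sloppy-mode functions with a mapped arguments object even when this file is loaded as an ES module (module code is strict, and strict functions get an unmapped arguments object); all function names and the sample input `'initial'` are constructed for the example.

```javascript
// Added example (not WebKit code): mapped arguments object semantics per
// https://tc39.github.io/ecma262/#sec-arguments-exotic-objects-defineownproperty-p-desc
// Functions are created with the Function constructor so they are sloppy-mode
// (mapped arguments) regardless of whether this file runs as CJS or ESM.

// 1. Redefining only enumerability must NOT break the mapping: a later write to
//    the parameter is still visible through arguments[0].
const keepsMappingWhenEnumerabilityChanges = new Function('a', `
  Object.defineProperty(arguments, '0', { enumerable: false });
  a = 'updated';
  return arguments[0];
`);

// 2. A descriptor with an explicit {writable: false} MUST break the mapping:
//    the parameter can still be reassigned, but arguments[0] keeps the old value.
const unmapsOnWritableFalse = new Function('a', `
  Object.defineProperty(arguments, '0', { writable: false });
  a = 'updated';
  return arguments[0];
`);

// 3. A descriptor that omits 'writable' leaves it at its default of true, so the
//    mapping survives: the new [[Value]] is written through to the parameter and
//    a later write to the parameter is again visible through arguments[0].
//    (The previous JSC implementation treated an absent 'writable' as false.)
const keepsMappingWhenWritableAbsent = new Function('a', `
  Object.defineProperty(arguments, '0', { value: 'fromDescriptor' });
  const seenByParameter = a;
  a = 'updated';
  return [seenByParameter, arguments[0]];
`);

// 4. Once arguments[0] is {configurable: false}, `delete arguments[0]` must fail
//    (it evaluates to false in sloppy mode) and the element must still be there.
const deleteFailsWhenNonConfigurable = new Function('a', `
  Object.defineProperty(arguments, '0', { configurable: false });
  const deleted = delete arguments[0];
  return [deleted, arguments[0]];
`);

// Runs the four scenarios on a constructed input and returns the observations.
function mappedArgumentsReport() {
  return {
    enumerability: keepsMappingWhenEnumerabilityChanges('initial'),   // 'updated'
    writableFalse: unmapsOnWritableFalse('initial'),                  // 'initial'
    writableAbsent: keepsMappingWhenWritableAbsent('initial'),        // ['fromDescriptor', 'updated']
    nonConfigurable: deleteFailsWhenNonConfigurable('initial'),       // [false, 'initial']
  };
}

console.log(mappedArgumentsReport());
```

Scenario 1 is the `arguments-bizarre-behaviour-disable-enumerability` case the entry names; scenario 3 is the "writable not present" case that the old `m_overrides` mechanism got wrong.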
1883 2016-12-23  Mark Lam  <mark.lam@apple.com>
1884
1885         Using Option::breakOnThrow() shouldn't crash while printing a null CodeBlock.
1886         https://bugs.webkit.org/show_bug.cgi?id=166466
1887
1888         Reviewed by Keith Miller.
1889
1890         * runtime/VM.cpp:
1891         (JSC::VM::throwException):
1892
1893 2016-12-23  Mark Lam  <mark.lam@apple.com>
1894
1895         Enhance LLInt tracing to dump the codeBlock signature instead of just a pointer where appropriate.
1896         https://bugs.webkit.org/show_bug.cgi?id=166465
1897
1898         Reviewed by Keith Miller.
1899
1900         * llint/LLIntSlowPaths.cpp:
1901         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1902         (JSC::LLInt::traceFunctionPrologue):
1903
1904 2016-12-23  Keith Miller  <keith_miller@apple.com>
1905
1906         WebAssembly: trap on bad division.
1907         https://bugs.webkit.org/show_bug.cgi?id=164786
1908
1909         Reviewed by Mark Lam.
1910
1911         This patch adds traps for division / modulo by zero and for
1912         division by int_min / -1.
1913
1914         * wasm/WasmB3IRGenerator.cpp:
1915         (JSC::Wasm::B3IRGenerator::emitChecksForModOrDiv):
1916         * wasm/WasmExceptionType.h:
1917         * wasm/WasmPlan.cpp:
1918         (JSC::Wasm::Plan::run):
1919         * wasm/wasm.json:
1920
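The two trap conditions the entry adds, modelled as an added JavaScript example (not WebKit or B3 code): plain JavaScript wraps `(-2147483648 / -1) | 0` back to `-2147483648`, whereas WebAssembly must trap on that quotient and on any zero divisor. The function names, the `WasmTrap` error class and the `INT32_MIN` constant are this example's own; the example also covers `i32.rem_s` and `i32.div_u`, which the entry only implies.

```javascript
// Added example (not WebKit code): the checks WebAssembly i32 division and
// remainder require, over signed/unsigned 32-bit integers in JavaScript.
const INT32_MIN = -0x80000000;

class WasmTrap extends Error {
  constructor(message) { super(message); this.name = 'WasmTrap'; }
}

// Normalise a JS number to a signed 32-bit value.
const toI32 = (x) => x | 0;

// i32.div_s: traps on a zero divisor and on INT32_MIN / -1, whose true result
// (2^31) is not representable in 32 bits.
function i32DivS(a, b) {
  a = toI32(a); b = toI32(b);
  if (b === 0) throw new WasmTrap('integer divide by zero');
  if (a === INT32_MIN && b === -1) throw new WasmTrap('integer overflow');
  return toI32(Math.trunc(a / b)); // truncating division, sign follows the quotient
}

// i32.rem_s: only a zero divisor traps. The spec defines INT32_MIN rem -1 as 0,
// so the overflow case is a result, not a trap; short-circuiting b === -1 also
// keeps the host from ever evaluating INT32_MIN % -1.
function i32RemS(a, b) {
  a = toI32(a); b = toI32(b);
  if (b === 0) throw new WasmTrap('integer divide by zero');
  if (b === -1) return 0;
  return toI32(a % b);             // sign follows the dividend, as in Wasm
}

// i32.div_u: operands are reinterpreted as unsigned; only a zero divisor traps.
function i32DivU(a, b) {
  a = a >>> 0; b = b >>> 0;
  if (b === 0) throw new WasmTrap('integer divide by zero');
  return toI32(Math.floor(a / b));
}

// Returns the operation's result, or the string 'trap' when it trapped.
function runI32Op(op, a, b) {
  try {
    return op(a, b);
  } catch (e) {
    if (e instanceof WasmTrap) return 'trap';
    throw e;
  }
}

console.log(runI32Op(i32DivS, INT32_MIN, -1), runI32Op(i32RemS, INT32_MIN, -1)); // trap 0
```

The contrast between `i32DivS` and `i32RemS` on `INT32_MIN, -1` is the edge case worth remembering: the quotient overflows and traps, but the remainder is defined and is 0.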
1921 2016-12-23  Mark Lam  <mark.lam@apple.com>
1922
1923         Fix broken LLINT_SLOW_PATH_TRACING build.
1924         https://bugs.webkit.org/show_bug.cgi?id=166463
1925
1926         Reviewed by Keith Miller.
1927
1928         * llint/LLIntExceptions.cpp:
1929         (JSC::LLInt::returnToThrow):
1930         (JSC::LLInt::callToThrow):
1931         * runtime/CommonSlowPathsExceptions.cpp:
1932         (JSC::CommonSlowPaths::interpreterThrowInCaller):
1933
1934 2016-12-22  Keith Miller  <keith_miller@apple.com>
1935
1936         WebAssembly: Make spec-tests/f32.wast.js and spec-tests/f64.wast.js pass
1937         https://bugs.webkit.org/show_bug.cgi?id=166447
1938
1939         Reviewed by Saam Barati.
1940
1941         We needed to treat -0.0 < 0.0 for floating point min/max. For min,
1942         the algorithm works because if a == b then a and b are not NaNs so
1943         either they are the same or they are some zero. When we or a and b
1944         either we get the same number back or we get -0.0. Similarly for
1945         max we use an and and the sign bit gets dropped if one is 0.0 and
1946         the other is -0.0, otherwise, we get the same number back.
1947
1948         * wasm/wasm.json:
1949
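The min/max rule the entry describes, as an added JavaScript example rather than WebKit's wasm.json or B3 code. When `a == b`, neither operand is NaN, so they are either the same number or some combination of +0.0 and -0.0; OR-ing the bit patterns then yields -0.0 whenever either operand is -0.0 (right for min, since -0.0 < +0.0), and AND-ing them drops the sign bit whenever either is +0.0 (right for max). The bit-pattern access goes through typed arrays, and the function names are this example's own; it covers f64 and f32 in one place.

```javascript
// Added example (not WebKit code): WebAssembly f64/f32 min and max with the
// "or for min, and for max" trick for the a == b case, and NaN propagation.
const f64 = new Float64Array(1);
const u64 = new BigUint64Array(f64.buffer);   // same 8 bytes, viewed as bits
const f32 = new Float32Array(1);
const u32 = new Uint32Array(f32.buffer);       // same 4 bytes, viewed as bits

const f64Bits = (x) => { f64[0] = x; return u64[0]; };
const f64FromBits = (b) => { u64[0] = b; return f64[0]; };
const f32Bits = (x) => { f32[0] = x; return u32[0]; };
const f32FromBits = (b) => { u32[0] = b; return f32[0]; };

function wasmF64Min(a, b) {
  if (Number.isNaN(a) || Number.isNaN(b)) return NaN;        // NaN wins
  if (a === b) return f64FromBits(f64Bits(a) | f64Bits(b));  // same number, or ±0: OR keeps a sign bit
  return a < b ? a : b;
}

function wasmF64Max(a, b) {
  if (Number.isNaN(a) || Number.isNaN(b)) return NaN;
  if (a === b) return f64FromBits(f64Bits(a) & f64Bits(b));  // ±0: AND drops the sign bit
  return a > b ? a : b;
}

// f32 variants: operands are first rounded to single precision, as f32 values
// coming out of a Wasm module already are.
function wasmF32Min(a, b) {
  a = Math.fround(a); b = Math.fround(b);
  if (Number.isNaN(a) || Number.isNaN(b)) return NaN;
  if (a === b) return f32FromBits((f32Bits(a) | f32Bits(b)) >>> 0);
  return a < b ? a : b;
}

function wasmF32Max(a, b) {
  a = Math.fround(a); b = Math.fround(b);
  if (Number.isNaN(a) || Number.isNaN(b)) return NaN;
  if (a === b) return f32FromBits((f32Bits(a) & f32Bits(b)) >>> 0);
  return a > b ? a : b;
}

// Object.is distinguishes -0 from +0, which === does not.
console.log(Object.is(wasmF64Min(0, -0), -0), Object.is(wasmF64Max(-0, 0), 0)); // true true
```

Note the NaN check must come first: `a === b` is false for NaN, so without it the comparison branch would silently pick the non-NaN operand instead of propagating.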
1950 2016-12-22  Saam Barati  <sbarati@apple.com>
1951
1952         WebAssembly: Make calling Wasm functions that returns or takes an i64 as a parameter an early exception
1953         https://bugs.webkit.org/show_bug.cgi?id=166437
1954         <rdar://problem/29793949>
1955
1956         Reviewed by Keith Miller.
1957
1958         This patch makes it so that we throw an exception before we do
1959         anything else if we call a wasm function that either takes an
1960         i64 as an argument or returns an i64.
1961
1962         * wasm/js/WebAssemblyFunction.cpp:
1963         (JSC::callWebAssemblyFunction):
1964         (JSC::WebAssemblyFunction::WebAssemblyFunction):
1965         (JSC::WebAssemblyFunction::call): Deleted.
1966         * wasm/js/WebAssemblyFunction.h:
1967         (JSC::WebAssemblyFunction::signatureIndex):
1968         (JSC::WebAssemblyFunction::jsEntrypoint):
1969
1970 2016-12-22  Keith Miller  <keith_miller@apple.com>
1971
1972         Add BitOr for floating points to B3
1973         https://bugs.webkit.org/show_bug.cgi?id=166446
1974
1975         Reviewed by Saam Barati.
1976
1977         This patch does some slight refactoring to the ARM assembler,
1978         which groups all the vector floating point instructions together.
1979
1980         * assembler/ARM64Assembler.h:
1981         (JSC::ARM64Assembler::vand):
1982         (JSC::ARM64Assembler::vorr):
1983         (JSC::ARM64Assembler::vectorDataProcessingLogical):
1984         (JSC::ARM64Assembler::vectorDataProcessing2Source): Deleted.
1985         * assembler/MacroAssemblerARM64.h:
1986         (JSC::MacroAssemblerARM64::orDouble):
1987         (JSC::MacroAssemblerARM64::orFloat):
1988         * assembler/MacroAssemblerX86Common.h:
1989         (JSC::MacroAssemblerX86Common::orDouble):
1990         (JSC::MacroAssemblerX86Common::orFloat):
1991         * assembler/X86Assembler.h:
1992         (JSC::X86Assembler::orps_rr):
1993         * b3/B3ConstDoubleValue.cpp:
1994         (JSC::B3::ConstDoubleValue::bitOrConstant):
1995         (JSC::B3::ConstDoubleValue::bitXorConstant):
1996         * b3/B3ConstDoubleValue.h:
1997         * b3/B3ConstFloatValue.cpp:
1998         (JSC::B3::ConstFloatValue::bitOrConstant):
1999         (JSC::B3::ConstFloatValue::bitXorConstant):
2000         * b3/B3ConstFloatValue.h:
2001         * b3/B3LowerToAir.cpp:
2002         (JSC::B3::Air::LowerToAir::lower):
2003         * b3/B3Validate.cpp:
2004         * b3/air/AirInstInlines.h:
2005         (JSC::B3::Air::Inst::shouldTryAliasingDef):
2006         * b3/air/AirOpcode.opcodes:
2007         * b3/testb3.cpp:
2008         (JSC::B3::bitOrDouble):
2009         (JSC::B3::testBitOrArgDouble):
2010         (JSC::B3::testBitOrArgsDouble):
2011         (JSC::B3::testBitOrArgImmDouble):
2012         (JSC::B3::testBitOrImmsDouble):
2013         (JSC::B3::bitOrFloat):
2014         (JSC::B3::testBitOrArgFloat):
2015         (JSC::B3::testBitOrArgsFloat):
2016         (JSC::B3::testBitOrArgImmFloat):
2017         (JSC::B3::testBitOrImmsFloat):
2018         (JSC::B3::testBitOrArgsFloatWithUselessDoubleConversion):
2019         (JSC::B3::run):
2020
2021 2016-12-22  Mark Lam  <mark.lam@apple.com>
2022
2023         BytecodeGenerator::m_finallyDepth should be unsigned.
2024         https://bugs.webkit.org/show_bug.cgi?id=166438
2025
2026         Reviewed by Saam Barati.
2027
2028         Also removed FinallyContext::m_finallyDepth because it is not used.
2029
2030         * bytecompiler/BytecodeGenerator.cpp:
2031         (JSC::BytecodeGenerator::pushFinallyControlFlowScope):
2032         (JSC::BytecodeGenerator::labelScopeDepth):
2033         * bytecompiler/BytecodeGenerator.h:
2034         (JSC::FinallyContext::FinallyContext):
2035         (JSC::FinallyContext::finallyLabel):
2036         (JSC::FinallyContext::depth): Deleted.
2037
2038 2016-12-22  Mark Lam  <mark.lam@apple.com>
2039
2040         De-duplicate finally blocks.
2041         https://bugs.webkit.org/show_bug.cgi?id=160168
2042
2043         Reviewed by Saam Barati.
2044
2045         JS execution can arrive at a finally block when there are abrupt completions from
2046         its try or catch block.  The abrupt completion types include Break,
2047         Continue, Return, and Throw.  The non-abrupt completion type is called Normal
2048         (i.e. the case of a try block falling through to the finally block).
2049
2050         Previously, we enabled each of these paths for abrupt completion (except for Throw)
2051         to run the finally block code by duplicating the finally block code at each of
2052         the sites that trigger those completions.  This patch fixes the implementation so
2053         that each of these abrupt completions will set a completionTypeRegister (plus a
2054         completionValueRegister for CompletionType::Return) and then jump to the
2055         relevant finally blocks, and continue to thread through subsequent outer finally
2056         blocks until execution reaches the outermost finally block that the completion
2057         type dictates.  We no longer duplicate the finally block code.
2058
2059         The implementation details:
2060         1. We allocate a pair of registers (completionTypeRegister and completionValueRegister)
2061            just before entering the outermost try-catch-finally scope.
2062
2063            On allocating the registers, we initialize the completionTypeRegister to
2064            CompletionType::Normal, and set the completionValueRegister to the empty
2065            JSValue.
2066
2067         2. The completionTypeRegister will hold a CompletionType value.  This is how we
2068            encode the CompletionType value to be set:
2069
2070            a. For Normal, Return, and Throw completion types: 
2071               - The completionTypeRegister is set to CompletionType::Normal,
2072                 CompletionType::Return, and CompletionType::Throw respectively.
2073
2074            b. For Break and Continue completion types:
2075               - The completionTypeRegister is set to a unique jumpID where the jumpID is
2076                 computed as:
2077
2078                 jumpID = CompletionType::NumberOfTypes + bytecodeOffset
2079
2080                 The bytecodeOffset used here is the bytecodeOffset of the break or continue
2081                 statement that triggered this completion.
2082
2083         3. Each finally block will have 2 entries:
2084            a. the catch entry.
2085            b. the normal entry.
2086
2087            The catch entry is recorded in the codeBlock's exception handler table,
2088            and can only be jumped to by the VM's exception handling mechanism.
2089
2090            The normal entry is recorded in a FinallyContext (at bytecode generation time
2091         only) and is jumped to when we want to enter the finally block due to any of the
2092            other CompletionTypes.
2093
2094         4. How does each completion type work?
2095
2096            CompletionType::Normal
2097            ======================
2098            We normally encounter this when falling through from a try or catch block to
2099            the finally block.  
2100           
2101            For the try block case, since completionTypeRegister is set to Normal by default,
2102            there's nothing more that needs to be done.
2103
2104            For the catch block case, since we entered the catch block with an exception,
2105            completionTypeRegister may be set to Throw.  We'll need to set it to Normal
2106            before jumping to the finally block's normal entry.
2107
2108            CompletionType::Break
2109            =====================
2110            When we emit bytecode for the BreakNode, we check if we have any FinallyContexts
2111            that we need to service before jumping to the breakTarget.  If we don't, then
2112            emit op_jump to the breakTarget as usual.  Otherwise:
2113
2114            a. we'll register a jumpID and the breakTarget with the FinallyContext for the
2115               outermost finally block that we're supposed to run through.
2116            b. we'll also increment the numberOfBreaksOrContinues count in each FinallyContext
2117               from the innermost to the one for that outermost finally block.
2118            c. emit bytecode to set the completionTypeRegister to the jumpID.
2119            d. emit bytecode to jump to the normal entry of the innermost finally block.
2120
2121            Each finally block will take care of cascading to the next outer finally block
2122            as needed (see (5) below).
2123
2124            CompletionType::Continue
2125            ========================
2126            Since continues and breaks work the same way (i.e. with a jump), we handle this
2127            exactly the same way as CompletionType::Break, except that we use the
2128            continueTarget instead of the breakTarget.
2129
2130            CompletionType::Return
2131            ======================
2132            When we emit bytecode for the ReturnNode, we check if we have any FinallyContexts
2133            at all on the m_controlFlowScopeStack.  If we don't, then emit op_ret as usual.
2134            Otherwise:
2135
2136            a. emit bytecode to set the completionTypeRegister to CompletionType::Return.
2137            b. emit bytecode to move the return value into the completionValueRegister.
2138            c. emit bytecode to jump to the normal entry of the innermost finally block.
2139
2140            Each finally block will take care of cascading to the next outer finally block
2141            as needed (see (5) below).
2142
2143            CompletionType::Throw
2144            ======================
2145            At the catch entry of a finally block, we:
2146            1. emit an op_catch that stores the caught Exception object in the
2147               completionValueRegister.
2148            2. emit bytecode to set the completionTypeRegister to CompletionType::Throw.
2149            3. Fall through or jump to the finally block's normal entry.
2150
2151         5. What happens in each finally block?
2152            ==================================
2153            For details on the finally block's catch entry, see "CompletionType::Throw" in
2154            (4) above.
2155
2156            The finally block's normal entry will:
2157            1. restore the scope of the finally block.
2158            2. save the completionTypeRegister in a savedCompletionTypeRegister.
2159            3. proceed to execute the body of the finally block.
2160
2161            At the end of the finally block, we will emit bytecode to check the
2162            savedCompletionTypeRegister for each completion type (see emitFinallyCompletion())
2163            in the following order:
2164           
2165            a. Check for CompletionType::Normal
2166               ================================
2167               If savedCompletionTypeRegister is CompletionType::Normal, jump to the
2168               designated normalCompletion label.  We only need this check if this finally
2169               block also needs to check for Break, Continue, or Return.  If not, the
2170               completion type check for CompletionType::Throw below will make this check
2171               redundant.
2172
2173            b. Check for CompletionType::Break and Continue
2174               ============================================
2175               If the FinallyContext for this block has registered FinallyJumps, we'll
2176               check the jumpIDs against the savedCompletionTypeRegister.  If the jumpID
2177               matches, jump to the corresponding jumpTarget.
2178
2179               If no jumpIDs match but the FinallyContext's numberOfBreaksOrContinues is
2180               greater than the number of registered FinallyJumps, then this means that
2181               we have a Break or Continue that needs to be handled by an outer finally
2182               block.  In that case, jump to the next outer finally block's normal entry.
2183              
2184            c. Check for CompletionType::Return
2185               ================================
2186               If this finally block is not the outermost and the savedCompletionTypeRegister
2187               is set to CompletionType::Return, then jump to the next outer finally
2188               block's normal entry.
2189
2190               Otherwise, if this finally block is the outermost and the savedCompletionTypeRegister
2191               is set to CompletionType::Return, then execute op_ret and return the value
2192               in the completionValueRegister.
2193
2194            d. CompletionType::Throw
2195               =====================
2196               If savedCompletionTypeRegister is CompletionType::Throw, then just re-throw the
2197               Exception object in the completionValueRegister.
2198
2199            Detail 1: Note that we check the savedCompletionTypeRegister (and not the
2200            completionTypeRegister).  This is because the finally block may itself contain
2201            a try-finally, and this inner try-finally may have trashed the completionTypeRegister.
2202            Here's an example:
2203
2204                try {
2205                    return "r1"; // Sets completionTypeRegister to CompletionType::Return;
2206                } finally {
2207                    // completionTypeRegister is CompletionType::Return here.
2208
2209                    try {
2210                        ... // do stuff.
2211                    } finally {
2212                        ... // do more stuff.
2213                    }
2214
2215                    // completionTypeRegister may be anything here depending on what
2216                    // was executed in the inner try-finally block above.
2217
2218                    // Hence, finally completion here must be based on a saved copy of the
2219                    // completionTypeRegister when we entered this finally block.
2220                }
2221
2222            Detail 2: the finally completion for CompletionType::Throw must always explicitly
2223            check if the savedCompletionTypeRegister is CompletionType::Throw before throwing.
2224            We cannot imply that it is so from the Throw case being last.  Here's why:
2225
2226                // completionTypeRegister is CompletionType::Normal here.
2227                try {
2228                    return "r1"; // Sets completionTypeRegister to CompletionType::Return;
2229                } finally {
2230                    // completionTypeRegister is CompletionType::Return here.
2231
2232                    try {
2233                        ... // do stuff.  No abrupt completions.
2234                    } finally {
2235                        // completionTypeRegister is CompletionType::Return here (from the outer try-finally).
2236                        // savedCompletionTypeRegister is set to completionTypeRegister (i.e. CompletionType::Return) here.
2237
2238                        ... // do more stuff.  No abrupt completions.
2239
2240                        // Unless there's an abrupt completion since entering the outer
2241                        // finally block, the savedCompletionTypeRegister will remain set
2242                        // to CompletionType::Return.  If we don't explicitly check if the
2243                        // savedCompletionTypeRegister is CompletionType::Throw before
2244                        // throwing here, we'll end up erroneously throwing "r1".
2245                    }
2246
2247                    ...
2248                }
2249
2250         6. restoreScopeRegister()
2251        
2252            Since the needed scope objects are always stored in a local, we can restore
2253            the scope register by simply moving from that local instead of going through
2254            op_get_parent_scope.
2255
2256         7. m_controlFlowScopeStack needs to be a SegmentedVector instead of a Vector.
2257            This makes it easier to keep a pointer to the FinallyContext on that stack,
2258            and not have to worry about the vector being realloc'ed due to resizing. 
2259
2260         Performance appears to be neutral both on ES6SampleBench (run via cli) and the
2261         JSC benchmarks.
2262
2263         Relevant spec references:
2264         https://tc39.github.io/ecma262/#sec-completion-record-specification-type
2265         https://tc39.github.io/ecma262/#sec-try-statement-runtime-semantics-evaluation
2266
2267         * bytecode/HandlerInfo.h:
2268         (JSC::HandlerInfoBase::typeName):
2269         * bytecompiler/BytecodeGenerator.cpp:
2270         (JSC::BytecodeGenerator::generate):
2271         (JSC::BytecodeGenerator::BytecodeGenerator):
2272         (JSC::BytecodeGenerator::emitReturn):
2273         (JSC::BytecodeGenerator::pushFinallyControlFlowScope):
2274         (JSC::BytecodeGenerator::popFinallyControlFlowScope):
2275         (JSC::BytecodeGenerator::allocateAndEmitScope):
2276         (JSC::BytecodeGenerator::pushTry):
2277         (JSC::BytecodeGenerator::popTry):
2278         (JSC::BytecodeGenerator::emitCatch):
2279         (JSC::BytecodeGenerator::restoreScopeRegister):
2280         (JSC::BytecodeGenerator::labelScopeDepthToLexicalScopeIndex):
2281         (JSC::BytecodeGenerator::labelScopeDepth):
2282         (JSC::BytecodeGenerator::pushLocalControlFlowScope):
2283         (JSC::BytecodeGenerator::popLocalControlFlowScope):
2284         (JSC::BytecodeGenerator::emitEnumeration):
2285         (JSC::BytecodeGenerator::emitIsNumber):
2286         (JSC::BytecodeGenerator::emitYield):
2287         (JSC::BytecodeGenerator::emitDelegateYield):
2288         (JSC::BytecodeGenerator::emitJumpViaFinallyIfNeeded):
2289         (JSC::BytecodeGenerator::emitReturnViaFinallyIfNeeded):
2290         (JSC::BytecodeGenerator::emitFinallyCompletion):
2291         (JSC::BytecodeGenerator::allocateCompletionRecordRegisters):
2292         (JSC::BytecodeGenerator::releaseCompletionRecordRegisters):
2293         (JSC::BytecodeGenerator::emitJumpIf):
2294         (JSC::BytecodeGenerator::pushIteratorCloseControlFlowScope): Deleted.
2295         (JSC::BytecodeGenerator::popIteratorCloseControlFlowScope): Deleted.
2296         (JSC::BytecodeGenerator::emitComplexPopScopes): Deleted.
2297         (JSC::BytecodeGenerator::emitPopScopes): Deleted.
2298         (JSC::BytecodeGenerator::popTryAndEmitCatch): Deleted.
2299         * bytecompiler/BytecodeGenerator.h:
2300         (JSC::bytecodeOffsetToJumpID):
2301         (JSC::FinallyJump::FinallyJump):
2302         (JSC::FinallyContext::FinallyContext):
2303         (JSC::FinallyContext::outerContext):
2304         (JSC::FinallyContext::finallyLabel):
2305         (JSC::FinallyContext::depth):
2306         (JSC::FinallyContext::numberOfBreaksOrContinues):
2307         (JSC::FinallyContext::incNumberOfBreaksOrContinues):
2308         (JSC::FinallyContext::handlesReturns):
2309         (JSC::FinallyContext::setHandlesReturns):
2310         (JSC::FinallyContext::registerJump):
2311         (JSC::FinallyContext::numberOfJumps):
2312         (JSC::FinallyContext::jumps):
2313         (JSC::ControlFlowScope::ControlFlowScope):
2314         (JSC::ControlFlowScope::isLabelScope):
2315         (JSC::ControlFlowScope::isFinallyScope):
2316         (JSC::BytecodeGenerator::currentLexicalScopeIndex):
2317         (JSC::BytecodeGenerator::CompletionRecordScope::CompletionRecordScope):
2318         (JSC::BytecodeGenerator::CompletionRecordScope::~CompletionRecordScope):
2319         (JSC::BytecodeGenerator::completionTypeRegister):
2320         (JSC::BytecodeGenerator::completionValueRegister):
2321         (JSC::BytecodeGenerator::emitSetCompletionType):
2322         (JSC::BytecodeGenerator::emitSetCompletionValue):
2323         (JSC::BytecodeGenerator::isInFinallyBlock): Deleted.
2324         * bytecompiler/NodesCodegen.cpp:
2325         (JSC::ContinueNode::emitBytecode):
2326         (JSC::BreakNode::emitBytecode):
2327         (JSC::ReturnNode::emitBytecode):
2328         (JSC::TryNode::emitBytecode):
2329
2330 2016-12-22  Saam Barati  <sbarati@apple.com>
2331
2332         WebAssembly: Make the spec-tests/address.wast.js test pass
2333         https://bugs.webkit.org/show_bug.cgi?id=166429
2334         <rdar://problem/29793220>
2335
2336         Reviewed by Keith Miller.
2337
2338         Right now, provably out of bound loads/stores (given a load/store's constant
2339         offset) are not a validation error. However, we were failing to catch uint32_t
2340         overflows in release builds (we did have a debug assertion). To fix this,
2341         I now detect when uint32_t addition will overflow, and instead of emitting
2342         a normal load/store, I emit code that throws an out of bounds memory exception.
2343
2344         * wasm/WasmB3IRGenerator.cpp:
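
        As an added illustration (not JavaScriptCore's code) of the overflow this entry
        describes: the compile-time decision for a load/store with a constant offset, the
        64-bit runtime bounds check, and the wrapping uint32_t variant beside it. The names
        (EmitDecision, classifyAccess, runtimeInBounds) and the exact condition checked are
        assumptions modelled on the entry's description, not the B3IRGenerator's logic.

```cpp
#include <cstdint>

// How one wasm load/store with a constant offset gets compiled.
enum class EmitDecision {
    NormalAccess,    // emit the load/store with its usual runtime bounds check
    OutOfBoundsTrap  // provably out of bounds: emit code that throws instead
};

// Hypothetical helper: does a + b overflow uint32_t? Computed in 64 bits
// rather than relying on a debug-only assertion.
static bool addOverflowsU32(uint32_t a, uint32_t b)
{
    return (static_cast<uint64_t>(a) + b) > UINT32_MAX;
}

// Compile-time decision (accessSize is 1..8 bytes for wasm loads/stores).
// A wasm32 linear memory holds at most 4 GiB, so if the last byte addressed
// (constantOffset + accessSize - 1) is not itself a 32-bit address, the
// access lies past the end of every possible memory for every possible
// base address: emit a trap, never a load/store.
EmitDecision classifyAccess(uint32_t constantOffset, uint32_t accessSize)
{
    if (addOverflowsU32(constantOffset, accessSize - 1))
        return EmitDecision::OutOfBoundsTrap;
    return EmitDecision::NormalAccess;
}

// Runtime bounds check for accesses that were not provably out of bounds:
// everything is widened to 64 bits so base + offset + size cannot wrap.
bool runtimeInBounds(uint32_t base, uint32_t constantOffset, uint32_t accessSize, uint64_t memorySize)
{
    uint64_t end = static_cast<uint64_t>(base) + constantOffset + accessSize;
    return end <= memorySize;
}

// The shape of the bug: the same check with the sum taken in uint32_t.
// With constantOffset = 0xFFFFFFF0 and accessSize = 0x20 the sum wraps to
// 0x10, which is inside even a one-page memory, so the access is allowed.
bool naiveInBoundsWrapping(uint32_t base, uint32_t constantOffset, uint32_t accessSize, uint64_t memorySize)
{
    uint32_t end = base + constantOffset + accessSize; // silently wraps in release builds
    return end <= memorySize;
}
```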
2345
2346 2016-12-22  Keith Miller  <keith_miller@apple.com>
2347
2348         WebAssembly: The validator should not allow unused stack entries at the end of a block
2349         https://bugs.webkit.org/show_bug.cgi?id=166411
2350
2351         Reviewed by Saam Barati.
2352
2353         This patch also cleans up some of the verbose mode logging.
2354
2355         * wasm/WasmB3IRGenerator.cpp:
2356         (JSC::Wasm::dumpExpressionStack):
2357         (JSC::Wasm::B3IRGenerator::dump):
2358         * wasm/WasmFunctionParser.h:
2359         * wasm/WasmValidate.cpp:
2360         (JSC::Wasm::dumpExpressionStack):
2361         (JSC::Wasm::Validate::dump):
2362
2363 2016-12-22  Saam Barati  <sbarati@apple.com>
2364
2365         WebAssembly: Make the spec-tests/start.wast.js test pass
2366         https://bugs.webkit.org/show_bug.cgi?id=166416
2367         <rdar://problem/29784532>
2368
2369         Reviewed by Yusuke Suzuki.
2370
2371         To make the test run, I had to fix two bugs:
2372         
2373         1. We weren't properly finding the start function. There was code
2374         that would try to find the start function from the list of *exported*
2375         functions. This is wrong; the start function is an index into the
2376         function index space, which is the space for *imports* and *local*
2377         functions. So the code was just wrong in this respect, and I've
2378         fixed it to do the right thing. We weren't sure if this was originally
2379         allowed or not in the spec, but it has been decided that it is allowed
2380         and the spec-tests test for it: https://github.com/WebAssembly/design/issues/896
2381         
2382         2. We were emitting a breakpoint for Unreachable. Instead of crashing,
2383         this opcode needs to throw an exception when executing.
2384
2385         * wasm/WasmB3IRGenerator.cpp:
2386         * wasm/WasmExceptionType.h:
2387         * wasm/js/WebAssemblyModuleRecord.cpp:
2388         (JSC::WebAssemblyModuleRecord::link):
2389         (JSC::WebAssemblyModuleRecord::evaluate):
2390         * wasm/js/WebAssemblyModuleRecord.h:
2391
2392 2016-12-21  Keith Miller  <keith_miller@apple.com>
2393
2394         WebAssembly: Fix decode floating point constants in unreachable code
2395         https://bugs.webkit.org/show_bug.cgi?id=166400
2396
2397         Reviewed by Saam Barati.
2398
2399         We decoded these as variable length but they should be fixed length.
2400
2401         * wasm/WasmFunctionParser.h:
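
        An added example (not JavaScriptCore's code) of the desynchronisation this entry
        fixes: a skip-immediate routine for the wasm constant opcodes with float immediates
        at their fixed width, beside the variant that wrongly reads them as LEB128. The
        function names and the constructed byte sequences are this example's own; the
        opcode values are the wasm binary encoding's.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Wasm binary opcodes for the constant instructions.
enum : uint8_t { I32Const = 0x41, I64Const = 0x42, F32Const = 0x43, F64Const = 0x44 };

// Length in bytes of a LEB128 value starting at data[pos]; 0 if it runs past
// the end of data or past maxBytes.
static size_t lebLength(const std::vector<uint8_t>& data, size_t pos, size_t maxBytes)
{
    for (size_t i = 0; i < maxBytes && pos + i < data.size(); ++i) {
        if (!(data[pos + i] & 0x80)) // last byte has the continuation bit clear
            return i + 1;
    }
    return 0;
}

// Length of the immediate following the opcode at data[pos], i.e. how far a
// parser must skip to stay in sync while it is not generating code for the
// instruction (unreachable code). 0 means unknown opcode or truncated immediate.
size_t immediateLength(const std::vector<uint8_t>& data, size_t pos)
{
    if (pos >= data.size())
        return 0;
    size_t after = pos + 1;
    switch (data[pos]) {
    case I32Const: return lebLength(data, after, 5);          // varint32
    case I64Const: return lebLength(data, after, 10);         // varint64
    case F32Const: return after + 4 <= data.size() ? 4 : 0;   // fixed 4 bytes
    case F64Const: return after + 8 <= data.size() ? 8 : 0;   // fixed 8 bytes
    default: return 0;
    }
}

// The shape of the bug: float immediates decoded as variable length. When a
// float's first byte has its top bit clear (as 1.0 does), the "varint" ends
// after one byte and the parser then reads a data byte as the next opcode.
size_t immediateLengthBuggy(const std::vector<uint8_t>& data, size_t pos)
{
    if (pos >= data.size())
        return 0;
    size_t after = pos + 1;
    switch (data[pos]) {
    case I32Const: return lebLength(data, after, 5);
    case I64Const: return lebLength(data, after, 10);
    case F32Const: return lebLength(data, after, 5);   // wrong: treated as variable length
    case F64Const: return lebLength(data, after, 10);  // wrong: treated as variable length
    default: return 0;
    }
}

using ImmediateLengthFn = size_t (*)(const std::vector<uint8_t>&, size_t);

// Walks a byte sequence of constant instructions and counts them, or returns
// -1 when the decoder loses sync (unknown opcode or truncated immediate).
int countConstantInstructions(const std::vector<uint8_t>& code, ImmediateLengthFn immediateLen)
{
    int count = 0;
    size_t pos = 0;
    while (pos < code.size()) {
        size_t len = immediateLen(code, pos);
        if (!len)
            return -1;
        pos += 1 + len;
        ++count;
    }
    return count;
}

// Constructed samples: "f32.const 1.0; i32.const 7" and
// "f64.const 1.0; i64.const -1" (little-endian IEEE bytes, then LEB128).
const std::vector<uint8_t> kF32ThenI32 = { 0x43, 0x00, 0x00, 0x80, 0x3F, 0x41, 0x07 };
const std::vector<uint8_t> kF64ThenI64 = { 0x44, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF0, 0x3F, 0x42, 0x7F };
```

        With the fixed decoder both samples parse as two instructions; the buggy decoder
        consumes one byte of the float and then fails on a 0x00 payload byte taken as an opcode.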
2402
2403 2016-12-21  Keith Miller  <keith_miller@apple.com>
2404
2405         WebAssembly: Allow br, br_if, and br_table to act as a return
2406         https://bugs.webkit.org/show_bug.cgi?id=166393
2407
2408         Reviewed by Saam Barati.
2409
2410         This patch allows br, br_if, and br_table to treat branching to
2411         the size of the control stack to act as a return. This change was
2412         made by adding a new block type to the wasm function parser,
2413         TopLevel. Adding this new block eliminates a lot of the special
2414         case code we had in the parser previously. The only special case
2415         we need is when the end opcode is parsed from the top level.  The
2416         B3 IR generator needs to automatically emit a return at that
2417         point.
2418
2419         Also, this patch adds the function number to validation errors
2420         in the function parser. The current error message is not helpful
2421         otherwise.
2422
2423         * wasm/WasmB3IRGenerator.cpp:
2424         (JSC::Wasm::B3IRGenerator::ControlData::dump):
2425         (JSC::Wasm::B3IRGenerator::addTopLevel):
2426         * wasm/WasmFunctionParser.h:
2427         * wasm/WasmPlan.cpp:
2428         (JSC::Wasm::Plan::parseAndValidateModule):
2429         (JSC::Wasm::Plan::run):
2430         * wasm/WasmValidate.cpp:
2431         (JSC::Wasm::Validate::ControlData::dump):
2432         (JSC::Wasm::Validate::Validate):
2433         (JSC::Wasm::Validate::addTopLevel):
2434         (JSC::Wasm::validateFunction):
2435
2436 2016-12-21  JF Bastien  <jfbastien@apple.com>
2437
2438         WebAssembly JS API: cleanup & pass VM around to {Compile/Runtime}Error
2439         https://bugs.webkit.org/show_bug.cgi?id=166295
2440         <rdar://problem/29762017>
2441
2442         Reviewed by Mark Lam.
2443
2444         Rename the create* functions, and pass VM around, as suggested for
2445         LinkError in #165805.
2446
2447         At the same time, use the default source appender when
2448         constructing these error types, which gives a nice map back to the
2449         original source as part of the error message. This is clearer when
2450         using the current frame, so add that as well.
2451
2452         * jit/ThunkGenerators.cpp:
2453         (JSC::throwExceptionFromWasmThunkGenerator):
2454         * wasm/js/JSWebAssemblyCompileError.cpp:
2455         (JSC::JSWebAssemblyCompileError::create):
2456         (JSC::createJSWebAssemblyCompileError):
2457         (JSC::createWebAssemblyCompileError): Deleted.
2458         * wasm/js/JSWebAssemblyCompileError.h:
2459         (JSC::JSWebAssemblyCompileError::create):
2460         * wasm/js/JSWebAssemblyRuntimeError.cpp:
2461         (JSC::JSWebAssemblyRuntimeError::create):
2462         * wasm/js/JSWebAssemblyRuntimeError.h:
2463         (JSC::JSWebAssemblyRuntimeError::create):
2464         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
2465         (JSC::constructJSWebAssemblyCompileError):
2466         * wasm/js/WebAssemblyModuleConstructor.cpp:
2467         (JSC::WebAssemblyModuleConstructor::createModule):
2468         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
2469         (JSC::constructJSWebAssemblyRuntimeError):
2470
2471 2016-12-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2472
2473         [ES6] Fix modules document in features.json
2474         https://bugs.webkit.org/show_bug.cgi?id=166313
2475
2476         Reviewed by Saam Barati.
2477
2478         * features.json:
2479
2480 2016-12-20  Taras Tsugrii  <ttsugrii@fb.com>
2481
2482         Fix undefined behavior caused by macro expansion producing 'defined'
2483         https://bugs.webkit.org/show_bug.cgi?id=166047
2484
2485         Reviewed by Darin Adler.
2486
2487         * API/JSBase.h:
2488
2489 2016-12-20  Keith Miller  <keith_miller@apple.com>
2490
2491         Add support for global
2492         https://bugs.webkit.org/show_bug.cgi?id=165171
2493
2494         Reviewed by Filip Pizlo.
2495
2496         This patch adds support for the global property on the global object.
2497         The global property spec is in stage three and is quite simple.
2498         For reference: http://tc39.github.io/proposal-global/
2499
2500         * runtime/JSGlobalObject.cpp:
2501
2502 2016-12-20  Saam Barati  <sbarati@apple.com>
2503
2504         WebAssembly: We should compile wasm functions in parallel
2505         https://bugs.webkit.org/show_bug.cgi?id=165993
2506
2507         Reviewed by Keith Miller.
2508
2509         This patch adds a very simple parallel compiler for Wasm code.
2510         This patch speeds up compiling the Unity headless benchmark by
2511         slightly more than 4x on my MBP. To make this safe, I perform
2512         all linking on the main thread. I also had to change some code
2513         inside WasmB3IRGenerator to be thread safe.
2514
2515         * b3/air/AirCustom.h:
2516         (JSC::B3::Air::WasmBoundsCheckCustom::generate):
2517         * b3/air/AirGenerationContext.h:
2518         * wasm/WasmB3IRGenerator.cpp:
2519         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2520         (JSC::Wasm::B3IRGenerator::emitExceptionCheck):
2521         (JSC::Wasm::createJSToWasmWrapper):
2522         (JSC::Wasm::parseAndCompile):
2523         * wasm/WasmB3IRGenerator.h:
2524         * wasm/WasmCallingConvention.h:
2525         (JSC::Wasm::CallingConvention::setupFrameInPrologue):
2526         * wasm/WasmPlan.cpp:
2527         (JSC::Wasm::Plan::parseAndValidateModule):
2528         (JSC::Wasm::Plan::run):
2529         * wasm/WasmPlan.h:
2530
2531 2016-12-20  Brent Fulgham  <bfulgham@apple.com>
2532
2533         Address some style problems found by static analysis
2534         https://bugs.webkit.org/show_bug.cgi?id=165975
2535
2536         Reviewed by Alex Christensen.
2537
2538         Correct the const-correctness of functions that are implemented using stricter
2539         const declarations.
2540
2541         * inspector/agents/InspectorDebuggerAgent.h:
2542         * inspector/agents/InspectorHeapAgent.cpp:
2543         * inspector/agents/InspectorHeapAgent.h:
2544         * inspector/agents/InspectorRuntimeAgent.h:
2545         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2546         * inspector/agents/InspectorScriptProfilerAgent.h:
2547         * inspector/scripts/codegen/cpp_generator.py:
2548         (cpp_type_for_unchecked_formal_in_parameter): Update to match const declarations of
2549         implementation files.
2550         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2551         Rebaselined results for "const Ptr* const" syntax.
2552
2553 2016-12-20  JF Bastien  <jfbastien@apple.com>
2554
2555         WebAssembly: construct 32-bit encodedJSValue properly
2556         https://bugs.webkit.org/show_bug.cgi?id=166199
2557
2558         Reviewed by Mark Lam.
2559
2560         Constructing an encodedJSValue using `{ }` yields the wrong value
2561         on 32-bit platforms. WebAssembly doesn't currently target 32-bit
2562         platforms, but we may as well get it right.
2563
2564         * wasm/JSWebAssembly.cpp:
2565         (JSC::webAssemblyCompileFunc):
2566         (JSC::webAssemblyValidateFunc):
2567         * wasm/js/JSWebAssemblyHelpers.h:
2568         (JSC::toNonWrappingUint32):
2569         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
2570         (JSC::constructJSWebAssemblyCompileError):
2571         * wasm/js/WebAssemblyFunction.cpp:
2572         (JSC::callWebAssemblyFunction):
2573         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2574         (JSC::constructJSWebAssemblyInstance):
2575         * wasm/js/WebAssemblyMemoryConstructor.cpp:
2576         (JSC::constructJSWebAssemblyMemory):
2577         * wasm/js/WebAssemblyModuleConstructor.cpp:
2578         (JSC::constructJSWebAssemblyModule):
2579         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
2580         (JSC::constructJSWebAssemblyRuntimeError):
2581         * wasm/js/WebAssemblyTableConstructor.cpp:
2582         (JSC::constructJSWebAssemblyTable):
2583         * wasm/js/WebAssemblyTablePrototype.cpp:
2584         (JSC::webAssemblyTableProtoFuncLength):
2585         (JSC::webAssemblyTableProtoFuncGrow):
2586         (JSC::webAssemblyTableProtoFuncGet):
2587         (JSC::webAssemblyTableProtoFuncSet):
2588
2589 2016-12-20  Dean Jackson  <dino@apple.com>
2590
2591         Remove INDIE_UI
2592         https://bugs.webkit.org/show_bug.cgi?id=165881
2593         <rdar://problem/29672532>
2594
2595         Reviewed by Simon Fraser.
2596
2597         The Indie UI work has been discontinued.
2598
2599         * Configurations/FeatureDefines.xcconfig:
2600
2601 2016-12-20  JF Bastien  <jfbastien@apple.com>
2602
2603         WebAssembly API: implement WebAssembly.LinkError
2604         https://bugs.webkit.org/show_bug.cgi?id=165805
2605         <rdar://problem/29747874>
2606
2607         Reviewed by Mark Lam.
2608
2609         As described here: https://github.com/WebAssembly/design/pull/901
2610         Some TypeError and RangeError are now converted to WebAssembly.LinkError.
2611
2612         * CMakeLists.txt: add files
2613         * DerivedSources.make: add autoget .lut.h files
2614         * JavaScriptCore.xcodeproj/project.pbxproj: add files
2615         * builtins/BuiltinNames.h: new name LinkError
2616         * runtime/JSGlobalObject.h: auto-register LinkError using existing macro magic
2617         * wasm/JSWebAssembly.h: make the new includes available
2618         * wasm/js/JSWebAssemblyLinkError.cpp: Copied from Source/JavaScriptCore/wasm/JSWebAssemblyCompileError.cpp.
2619         (JSC::JSWebAssemblyLinkError::create):
2620         (JSC::JSWebAssemblyLinkError::JSWebAssemblyLinkError):
2621         (JSC::createWebAssemblyLinkError):
2622         * wasm/js/JSWebAssemblyLinkError.h: Copied from Source/JavaScriptCore/wasm/JSWebAssemblyCompileError.h.
2623         (JSC::JSWebAssemblyLinkError::create):
2624         * wasm/js/WebAssemblyInstanceConstructor.cpp: update as per spec change
2625         (JSC::constructJSWebAssemblyInstance):
2626         * wasm/js/WebAssemblyLinkErrorConstructor.cpp: Copied from Source/JavaScriptCore/wasm/WebAssemblyCompileErrorConstructor.cpp.
2627         (JSC::constructJSWebAssemblyLinkError):
2628         (JSC::callJSWebAssemblyLinkError):
2629         (JSC::WebAssemblyLinkErrorConstructor::create):
2630         (JSC::WebAssemblyLinkErrorConstructor::createStructure):
2631         (JSC::WebAssemblyLinkErrorConstructor::finishCreation):
2632         (JSC::WebAssemblyLinkErrorConstructor::WebAssemblyLinkErrorConstructor):
2633         (JSC::WebAssemblyLinkErrorConstructor::getConstructData):
2634         (JSC::WebAssemblyLinkErrorConstructor::getCallData):
2635         * wasm/js/WebAssemblyLinkErrorConstructor.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyCompileErrorConstructor.h.
2636         * wasm/js/WebAssemblyLinkErrorPrototype.cpp: Copied from Source/JavaScriptCore/wasm/WebAssemblyCompileErrorPrototypr.cpp.
2637         (JSC::WebAssemblyLinkErrorPrototype::create):
2638         (JSC::WebAssemblyLinkErrorPrototype::createStructure):
2639         (JSC::WebAssemblyLinkErrorPrototype::finishCreation):
2640         (JSC::WebAssemblyLinkErrorPrototype::WebAssemblyLinkErrorPrototype):
2641         * wasm/js/WebAssemblyLinkErrorPrototype.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyCompileErrorPrototypr.h.
2642         * wasm/js/WebAssemblyModuleRecord.cpp: update as per spec change
2643         (JSC::dataSegmentFail):
2644         (JSC::WebAssemblyModuleRecord::evaluate):
2645
2646 2016-12-20  JF Bastien  <jfbastien@apple.com>
2647
2648         WebAssembly: unique function signatures
2649         https://bugs.webkit.org/show_bug.cgi?id=165957
2650         <rdar://problem/29735737>
2651
2652         Reviewed by Saam Barati.
2653
2654         Signatures in a Module's Type section can be duplicated; we
2655         therefore need to unique them so that call_indirect only needs to
2656         do a single integer compare to check that a callee's Signature is
2657         the same as the Signature declared at the call site. Without
2658         uniquing we'd either trap when duplicate Signatures are used, or
2659         we'd need to do multiple comparisons. This patch makes that narrow
2660         use case function correctly.
2661
2662         There's further complication when calling from wasm to
2663         wasm, in which case the Signatures must also match. Such
2664         cross-instance calls will be improved in bug #165282, but this
2665         patch sets the groundwork for it:
2666
2667         - Signatures are now owned by SignatureInformation which lives on
2668           VM, and is shared by all Modules.
2669         - When parsing a Module, a Signature is created for every Type
2670           entry, and then uniqued by SignatureInformation's adopt
2671           method. Duplicate Signatures are dropped and the previous
2672           SignatureIndex is returned, new Signatures are adopted and a new
2673           SignatureIndex is created.
2674         - The SignatureIndex values are monotonic. 0 is used to represent
2675           invalid indices, which trap. This can only occur through Table.
2676         - SignatureInformation is used while generating code to map a
2677           SignatureIndex back to the Signature* when return / argument
2678           information is needed. This is a simple lookup into a Vector. It
2679           isn't used at runtime.
2680         - These Signatures live forever on VM because the bookkeeping
2681           likely isn't worth it. We may want to empty things out if all
2682           Modules die, this is tracked in bug #166037.
2683         - We can further improve things by bit-packing SignatureIndex with
2684           Code*, which is tracked by bug #165511.
2685
2686         * CMakeLists.txt:
2687         * JavaScriptCore.xcodeproj/project.pbxproj:
2688         * runtime/VM.h: wasm signatures are uniqued here, but aren't accessed frequently (only during parsing) so indirection is fine
2689         * wasm/WasmB3IRGenerator.cpp: use SignatureIndex instead of Signature* when appropriate, and when still using Signature* do so with its new API
2690         (JSC::Wasm::createJSToWasmWrapper):
2691         (JSC::Wasm::parseAndCompile):
2692         * wasm/WasmBinding.cpp:
2693         (JSC::Wasm::importStubGenerator): use SignatureIndex
2694         * wasm/WasmBinding.h:
2695         * wasm/WasmCallingConvention.h:
2696         (JSC::Wasm::CallingConvention::loadArguments):
2697         * wasm/WasmFormat.cpp: drive-by move of alloc/free functions to the implementation file, allows the .h file to drop an FastMalloc.h
2698         (JSC::Wasm::Segment::create):
2699         (JSC::Wasm::Segment::destroy):
2700         (JSC::Wasm::Segment::createPtr):
2701         * wasm/WasmFormat.h: move Signature to its own file
2702         (JSC::Wasm::CallableFunction::CallableFunction):
2703         * wasm/WasmFunctionParser.h:
2704         (JSC::Wasm::FunctionParser<Context>::FunctionParser):
2705         * wasm/WasmModuleParser.cpp:
2706         * wasm/WasmModuleParser.h:
2707         (JSC::Wasm::ModuleParser::ModuleParser):
2708         * wasm/WasmParser.h:
2709         (JSC::Wasm::Parser<SuccessType>::Parser):
2710         * wasm/WasmPlan.cpp:
2711         (JSC::Wasm::Plan::parseAndValidateModule):
2712         (JSC::Wasm::Plan::run):
2713         * wasm/WasmSignature.cpp: Added.
2714         (JSC::Wasm::Signature::dump):
2715         (JSC::Wasm::Signature::hash):
2716         (JSC::Wasm::Signature::create):
2717         (JSC::Wasm::Signature::createInvalid):
2718         (JSC::Wasm::Signature::destroy):
2719         (JSC::Wasm::SignatureInformation::~SignatureInformation):
2720         (JSC::Wasm::SignatureInformation::adopt):
2721         (JSC::Wasm::SignatureInformation::get):
2722         * wasm/WasmSignature.h: Added.
2723         (JSC::Wasm::Signature::Signature):
2724         (JSC::Wasm::Signature::storage):
2725         (JSC::Wasm::Signature::allocatedSize):
2726         (JSC::Wasm::Signature::returnType):
2727         (JSC::Wasm::Signature::returnCount):
2728         (JSC::Wasm::Signature::argumentCount):
2729         (JSC::Wasm::Signature::argument):
2730         (JSC::Wasm::Signature::operator==):
2731         (JSC::Wasm::SignatureHash::empty):
2732         (JSC::Wasm::SignatureHash::deleted):
2733         (JSC::Wasm::SignatureHash::SignatureHash):
2734         (JSC::Wasm::SignatureHash::operator==):
2735         (JSC::Wasm::SignatureHash::equal):
2736         (JSC::Wasm::SignatureHash::hash):
2737         (JSC::Wasm::SignatureHash::isHashTableDeletedValue):
2738         * wasm/WasmValidate.cpp:
2739         (JSC::Wasm::validateFunction):
2740         * wasm/WasmValidate.h:
2741         * wasm/js/JSWebAssemblyInstance.cpp:
2742         (JSC::JSWebAssemblyInstance::create):
2743         * wasm/js/JSWebAssemblyModule.h:
2744         (JSC::JSWebAssemblyModule::signatureForFunctionIndexSpace):
2745         * wasm/js/JSWebAssemblyTable.cpp:
2746         (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
2747         (JSC::JSWebAssemblyTable::clearFunction):
2748         (JSC::JSWebAssemblyTable::setFunction):
2749         * wasm/js/WebAssemblyFunction.cpp:
2750         (JSC::callWebAssemblyFunction):
2751         (JSC::WebAssemblyFunction::call):
2752         (JSC::WebAssemblyFunction::create):
2753         (JSC::WebAssemblyFunction::WebAssemblyFunction):
2754         (JSC::WebAssemblyFunction::finishCreation):
2755         * wasm/js/WebAssemblyFunction.h:
2756         (JSC::WebAssemblyFunction::signatureIndex):
2757         * wasm/js/WebAssemblyModuleRecord.cpp:
2758         (JSC::WebAssemblyModuleRecord::link):
2759         (JSC::WebAssemblyModuleRecord::evaluate):
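
        An added model (not JavaScriptCore's code) of two points above: the signature
        uniquing this entry describes, with 0 reserved as the invalid index so that
        call_indirect is a single integer compare, and the start-function fix from the
        start.wast.js entry, where the start index is resolved in the function index space
        (imports, then local functions) rather than among exports. Class and function names
        echo the entry but the types, the sample module and the query helpers are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <initializer_list>
#include <map>
#include <string>
#include <tuple>
#include <vector>

using SignatureIndex = uint32_t;
constexpr SignatureIndex InvalidSignatureIndex = 0; // 0 = invalid, traps (entry's convention)

// Parameter types and return type as strings, e.g. "i32"; "" means no result.
struct Signature {
    std::vector<std::string> params;
    std::string ret;
    bool operator<(const Signature& o) const { return std::tie(params, ret) < std::tie(o.params, o.ret); }
};

class SignatureInformation {
    std::map<Signature, SignatureIndex> m_indexOf;
    std::vector<Signature> m_signatures { Signature {} }; // slot 0 reserved for "invalid"
public:
    // Unique a parsed Type entry: a duplicate gets the existing index, a new
    // signature is stored and receives the next monotonic index.
    SignatureIndex adopt(const Signature& sig)
    {
        auto it = m_indexOf.find(sig);
        if (it != m_indexOf.end())
            return it->second;
        SignatureIndex index = static_cast<SignatureIndex>(m_signatures.size());
        m_signatures.push_back(sig);
        m_indexOf.emplace(sig, index);
        return index;
    }
    const Signature& get(SignatureIndex index) const { return m_signatures.at(index); } // codegen only
    size_t uniqueCount() const { return m_signatures.size() - 1; }
};

// Function index space: imports first, then local functions. Start function
// and call targets are resolved here, never through the export list.
struct Module {
    std::vector<SignatureIndex> importSignatures;
    std::vector<SignatureIndex> localSignatures;
    std::map<std::string, uint32_t> exports; // export name -> function index

    bool isImport(uint32_t functionIndex) const { return functionIndex < importSignatures.size(); }
    SignatureIndex signatureForFunctionIndexSpace(uint32_t functionIndex) const
    {
        if (isImport(functionIndex))
            return importSignatures.at(functionIndex);
        return localSignatures.at(functionIndex - importSignatures.size());
    }
};

struct TableEntry { SignatureIndex signature; uint32_t functionIndex; };

enum class CallOutcome { Ok, TrapEmptySlot, TrapSignatureMismatch };

// call_indirect: one integer compare. An empty slot carries index 0, which
// never equals a real signature index, so it traps as well.
CallOutcome checkCallIndirect(const TableEntry& entry, SignatureIndex expected)
{
    if (entry.signature == InvalidSignatureIndex)
        return CallOutcome::TrapEmptySlot;
    if (entry.signature != expected)
        return CallOutcome::TrapSignatureMismatch;
    return CallOutcome::Ok;
}

struct Sample {
    SignatureInformation info;
    std::vector<SignatureIndex> typeSection; // Type entry -> uniqued index
    Module module;
    std::vector<TableEntry> table;
    uint32_t startIndex;
};

// Constructed sample module whose Type section repeats (i32,i32)->i32.
Sample buildSample()
{
    Sample s;
    Signature binary { { "i32", "i32" }, "i32" };
    Signature unary { { "i32" }, "" };
    Signature nullary { {}, "" };
    for (const Signature& sig : { binary, unary, binary, nullary })
        s.typeSection.push_back(s.info.adopt(sig)); // yields 1, 2, 1, 3
    s.module.importSignatures = { s.typeSection[1] };                  // func 0: import (i32)->()
    s.module.localSignatures = { s.typeSection[0], s.typeSection[3] }; // func 1: "add", func 2: start
    s.module.exports["add"] = 1;
    s.startIndex = 2; // a local, non-exported function
    s.table = { { s.typeSection[0], 1 }, { InvalidSignatureIndex, 0 }, { s.typeSection[3], 2 } };
    return s;
}

size_t sampleUniqueSignatureCount() { return buildSample().info.uniqueCount(); }
bool sampleTypeEntriesShareIndex(size_t a, size_t b) { Sample s = buildSample(); return s.typeSection.at(a) == s.typeSection.at(b); }
SignatureIndex sampleStartSignature() { Sample s = buildSample(); return s.module.signatureForFunctionIndexSpace(s.startIndex); }
// The old, wrong lookup: searching exports misses a non-exported start function.
bool sampleStartFoundViaExports() { Sample s = buildSample(); for (auto& kv : s.module.exports) if (kv.second == s.startIndex) return true; return false; }
CallOutcome sampleCallIndirect(size_t slot) { Sample s = buildSample(); return checkCallIndirect(s.table.at(slot), s.typeSection[0]); }
```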
2760
2761 2016-12-20  Konstantin Tokarev  <annulen@yandex.ru>
2762
2763         Modernize for loops in JSC
2764         https://bugs.webkit.org/show_bug.cgi?id=166060
2765
2766         Reviewed by Yusuke Suzuki.
2767
2768         * API/JSCallbackObject.h:
2769         (JSC::JSCallbackObjectData::JSPrivatePropertyMap::visitChildren):
2770         * bytecode/CodeBlock.cpp:
2771         (JSC::CodeBlock::dumpBytecode):
2772         (JSC::CodeBlock::propagateTransitions):
2773         (JSC::CodeBlock::stronglyVisitStrongReferences):
2774         (JSC::CodeBlock::stronglyVisitWeakReferences):
2775         (JSC::CodeBlock::jettison):
2776         (JSC::CodeBlock::getArrayProfile):
2777         (JSC::CodeBlock::tallyFrequentExitSites):
2778         (JSC::CodeBlock::nameForRegister):
2779         * bytecompiler/BytecodeGenerator.cpp:
2780         (JSC::BytecodeGenerator::generate):
2781         (JSC::BytecodeGenerator::BytecodeGenerator):
2782         * bytecompiler/NodesCodegen.cpp:
2783         (JSC::ObjectPatternNode::bindValue):
2784         * debugger/Debugger.cpp:
2785         (JSC::Debugger::applyBreakpoints):
2786         * dfg/DFGCPSRethreadingPhase.cpp:
2787         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
2788         * dfg/DFGClobberSet.cpp:
2789         (JSC::DFG::ClobberSet::setOf):
2790         * dfg/DFGDesiredIdentifiers.cpp:
2791         (JSC::DFG::DesiredIdentifiers::reallyAdd):
2792         * dfg/DFGGraph.cpp:
2793         (JSC::DFG::Graph::visitChildren):
2794         * dfg/DFGIntegerCheckCombiningPhase.cpp:
2795         (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
2796         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
2797         * dfg/DFGJITCompiler.cpp:
2798         (JSC::DFG::JITCompiler::link):
2799         * dfg/DFGLICMPhase.cpp:
2800         (JSC::DFG::LICMPhase::run):
2801         * dfg/DFGMaximalFlushInsertionPhase.cpp:
2802         (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
2803         * dfg/DFGPutStackSinkingPhase.cpp:
2804         * dfg/DFGSpeculativeJIT.cpp:
2805         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2806         (JSC::DFG::SpeculativeJIT::linkBranches):
2807         * dfg/DFGStructureRegistrationPhase.cpp:
2808         (JSC::DFG::StructureRegistrationPhase::run):
2809         * dfg/DFGTypeCheckHoistingPhase.cpp:
2810         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2811         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
2812         * dfg/DFGValidate.cpp:
2813         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
2814         (JSC::DFG::VirtualRegisterAllocationPhase::run):
2815         * heap/HeapVerifier.cpp:
2816         (JSC::trimDeadObjectsFromList):
2817         (JSC::HeapVerifier::trimDeadObjects):
2818         * heap/LiveObjectList.cpp:
2819         (JSC::LiveObjectList::findObject):
2820         * heap/MarkedAllocator.cpp:
2821         (JSC::MarkedAllocator::isPagedOut):
2822         * inspector/ScriptCallStack.cpp:
2823         (Inspector::ScriptCallStack::firstNonNativeCallFrame):
2824         * jit/JIT.cpp:
2825         (JSC::JIT::link):
2826         * parser/VariableEnvironment.cpp:
2827         (JSC::VariableEnvironment::markAllVariablesAsCaptured):
2828         (JSC::VariableEnvironment::hasCapturedVariables):
2829         * runtime/FunctionHasExecutedCache.cpp:
2830         (JSC::FunctionHasExecutedCache::hasExecutedAtOffset):
2831         (JSC::FunctionHasExecutedCache::getFunctionRanges):
2832         * runtime/JSPropertyNameEnumerator.cpp:
2833         (JSC::JSPropertyNameEnumerator::visitChildren):
2834         * runtime/TypeProfiler.cpp:
2835         (JSC::TypeProfiler::findLocation):
2836         * runtime/TypeSet.cpp:
2837         (JSC::TypeSet::addTypeInformation):
2838         (JSC::TypeSet::dumpTypes):
2839         * runtime/VM.cpp:
2840         (JSC::VM::gatherConservativeRoots):
2841         * runtime/WeakMapData.cpp:
2842         (JSC::WeakMapData::DeadKeyCleaner::visitWeakReferences):
2843         (JSC::WeakMapData::DeadKeyCleaner::finalizeUnconditionally):
2844         * tools/ProfileTreeNode.h:
2845         (JSC::ProfileTreeNode::dumpInternal):
2846         * yarr/YarrInterpreter.cpp:
2847         (JSC::Yarr::ByteCompiler::emitDisjunction):
2848
2849 2016-12-20  Konstantin Tokarev  <annulen@yandex.ru>
2850
2851         __cpuid() requires <intrin.h> to be included
2852         https://bugs.webkit.org/show_bug.cgi?id=166051
2853
2854         Reviewed by Yusuke Suzuki.
2855
2856         * assembler/MacroAssemblerX86Common.h:
2857
2858 2016-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2859
2860         [ES6] Enable ES6 Modules
2861         https://bugs.webkit.org/show_bug.cgi?id=165849
2862
2863         Reviewed by Geoffrey Garen.
2864
2865         * features.json:
2866
2867 2016-12-19  Mark Lam  <mark.lam@apple.com>
2868
2869         Rolling out r209974 and r209952. They break some websites in mysterious ways. Step 2: Rollout r209952.
2870         https://bugs.webkit.org/show_bug.cgi?id=166049
2871
2872         Not reviewed.
2873
2874         * bytecode/HandlerInfo.h:
2875         (JSC::HandlerInfoBase::typeName):
2876         * bytecompiler/BytecodeGenerator.cpp:
2877         (JSC::BytecodeGenerator::generate):
2878         (JSC::BytecodeGenerator::BytecodeGenerator):
2879         (JSC::BytecodeGenerator::emitReturn):
2880         (JSC::BytecodeGenerator::pushFinallyControlFlowScope):
2881         (JSC::BytecodeGenerator::pushIteratorCloseControlFlowScope):
2882         (JSC::BytecodeGenerator::popFinallyControlFlowScope):
2883         (JSC::BytecodeGenerator::popIteratorCloseControlFlowScope):
2884         (JSC::BytecodeGenerator::emitComplexPopScopes):
2885         (JSC::BytecodeGenerator::emitPopScopes):
2886         (JSC::BytecodeGenerator::pushTry):
2887         (JSC::BytecodeGenerator::popTryAndEmitCatch):
2888         (JSC::BytecodeGenerator::labelScopeDepth):
2889         (JSC::BytecodeGenerator::pushLocalControlFlowScope):
2890         (JSC::BytecodeGenerator::popLocalControlFlowScope):
2891         (JSC::BytecodeGenerator::emitEnumeration):
2892         (JSC::BytecodeGenerator::emitYield):
2893         (JSC::BytecodeGenerator::emitDelegateYield):
2894         (JSC::BytecodeGenerator::popTry): Deleted.
2895         (JSC::BytecodeGenerator::emitCatch): Deleted.
2896         (JSC::BytecodeGenerator::restoreScopeRegister): Deleted.
2897         (JSC::BytecodeGenerator::labelScopeDepthToLexicalScopeIndex): Deleted.
2898         (JSC::BytecodeGenerator::emitIsNumber): Deleted.
2899         (JSC::BytecodeGenerator::emitJumpViaFinallyIfNeeded): Deleted.
2900         (JSC::BytecodeGenerator::emitReturnViaFinallyIfNeeded): Deleted.
2901         (JSC::BytecodeGenerator::emitFinallyCompletion): Deleted.
2902         (JSC::BytecodeGenerator::allocateFinallyRegisters): Deleted.
2903         (JSC::BytecodeGenerator::releaseFinallyRegisters): Deleted.
2904         (JSC::BytecodeGenerator::emitCompareFinallyActionAndJumpIf): Deleted.
2905         * bytecompiler/BytecodeGenerator.h:
2906         (JSC::BytecodeGenerator::isInFinallyBlock):
2907         (JSC::FinallyJump::FinallyJump): Deleted.
2908         (JSC::FinallyContext::FinallyContext): Deleted.
2909         (JSC::FinallyContext::outerContext): Deleted.
2910         (JSC::FinallyContext::finallyLabel): Deleted.
2911         (JSC::FinallyContext::depth): Deleted.
2912         (JSC::FinallyContext::numberOfBreaksOrContinues): Deleted.
2913         (JSC::FinallyContext::incNumberOfBreaksOrContinues): Deleted.
2914         (JSC::FinallyContext::handlesReturns): Deleted.
2915         (JSC::FinallyContext::setHandlesReturns): Deleted.
2916         (JSC::FinallyContext::registerJump): Deleted.
2917         (JSC::FinallyContext::numberOfJumps): Deleted.
2918         (JSC::FinallyContext::jumps): Deleted.
2919         (JSC::ControlFlowScope::ControlFlowScope): Deleted.
2920         (JSC::ControlFlowScope::isLabelScope): Deleted.
2921         (JSC::ControlFlowScope::isFinallyScope): Deleted.
2922         (JSC::BytecodeGenerator::currentLexicalScopeIndex): Deleted.
2923         (JSC::BytecodeGenerator::FinallyRegistersScope::FinallyRegistersScope): Deleted.
2924         (JSC::BytecodeGenerator::FinallyRegistersScope::~FinallyRegistersScope): Deleted.
2925         (JSC::BytecodeGenerator::finallyActionRegister): Deleted.
2926         (JSC::BytecodeGenerator::finallyReturnValueRegister): Deleted.
2927         (JSC::BytecodeGenerator::emitSetFinallyActionToNormalCompletion): Deleted.
2928         (JSC::BytecodeGenerator::emitSetFinallyActionToReturnCompletion): Deleted.
2929         (JSC::BytecodeGenerator::emitSetFinallyActionToJumpID): Deleted.
2930         (JSC::BytecodeGenerator::emitSetFinallyReturnValueRegister): Deleted.
2931         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNormalCompletion): Deleted.
2932         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotJump): Deleted.
2933         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsReturnCompletion): Deleted.
2934         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotReturnCompletion): Deleted.
2935         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotThrowCompletion): Deleted.
2936         (JSC::BytecodeGenerator::emitJumpIfCompletionTypeIsThrow): Deleted.
2937         (JSC::BytecodeGenerator::bytecodeOffsetToJumpID): Deleted.
2938         * bytecompiler/NodesCodegen.cpp:
2939         (JSC::ContinueNode::emitBytecode):
2940         (JSC::BreakNode::emitBytecode):
2941         (JSC::ReturnNode::emitBytecode):
2942         (JSC::TryNode::emitBytecode):
2943
2944 2016-12-19  Mark Lam  <mark.lam@apple.com>
2945
2946         Rolling out r209974 and r209952. They break some websites in mysterious ways. Step 1: Rollout r209974.
2947         https://bugs.webkit.org/show_bug.cgi?id=166049
2948
2949         Not reviewed.
2950
2951         * bytecompiler/BytecodeGenerator.cpp:
2952         (JSC::BytecodeGenerator::emitEnumeration):
2953         (JSC::BytecodeGenerator::emitJumpViaFinallyIfNeeded):
2954         (JSC::BytecodeGenerator::emitReturnViaFinallyIfNeeded):
2955         (JSC::BytecodeGenerator::emitFinallyCompletion):
2956         (JSC::BytecodeGenerator::allocateFinallyRegisters):
2957         (JSC::BytecodeGenerator::releaseFinallyRegisters):
2958         (JSC::BytecodeGenerator::emitCompareFinallyActionAndJumpIf):
2959         (JSC::BytecodeGenerator::allocateCompletionRecordRegisters): Deleted.
2960         (JSC::BytecodeGenerator::releaseCompletionRecordRegisters): Deleted.
2961         (JSC::BytecodeGenerator::emitJumpIfCompletionType): Deleted.
2962         * bytecompiler/BytecodeGenerator.h:
2963         (JSC::FinallyJump::FinallyJump):
2964         (JSC::FinallyContext::registerJump):
2965         (JSC::BytecodeGenerator::FinallyRegistersScope::FinallyRegistersScope):
2966         (JSC::BytecodeGenerator::FinallyRegistersScope::~FinallyRegistersScope):
2967         (JSC::BytecodeGenerator::finallyActionRegister):
2968         (JSC::BytecodeGenerator::finallyReturnValueRegister):
2969         (JSC::BytecodeGenerator::emitSetFinallyActionToNormalCompletion):
2970         (JSC::BytecodeGenerator::emitSetFinallyActionToReturnCompletion):
2971         (JSC::BytecodeGenerator::emitSetFinallyActionToJumpID):
2972         (JSC::BytecodeGenerator::emitSetFinallyReturnValueRegister):
2973         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNormalCompletion):
2974         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotJump):
2975         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsReturnCompletion):
2976         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotReturnCompletion):
2977         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotThrowCompletion):
2978         (JSC::BytecodeGenerator::emitJumpIfCompletionTypeIsThrow):
2979         (JSC::BytecodeGenerator::bytecodeOffsetToJumpID):
2980         (JSC::bytecodeOffsetToJumpID): Deleted.
2981         (JSC::BytecodeGenerator::CompletionRecordScope::CompletionRecordScope): Deleted.
2982         (JSC::BytecodeGenerator::CompletionRecordScope::~CompletionRecordScope): Deleted.
2983         (JSC::BytecodeGenerator::completionTypeRegister): Deleted.
2984         (JSC::BytecodeGenerator::completionValueRegister): Deleted.
2985         (JSC::BytecodeGenerator::emitSetCompletionType): Deleted.
2986         (JSC::BytecodeGenerator::emitSetCompletionValue): Deleted.
2987         * bytecompiler/NodesCodegen.cpp:
2988         (JSC::TryNode::emitBytecode):
2989
2990 2016-12-19  Joseph Pecoraro  <pecoraro@apple.com>
2991
2992         Web Inspector: Assertion seen in InspectorDebuggerAgent::refAsyncCallData with Inspector open
2993         https://bugs.webkit.org/show_bug.cgi?id=166034
2994         <rdar://problem/29554366>
2995
2996         Reviewed by Brian Burg.
2997
2998         * inspector/agents/InspectorDebuggerAgent.cpp:
2999         (Inspector::InspectorDebuggerAgent::refAsyncCallData):
3000         Remove assertion. This assert can happen if the currently executing callback
3001         was just explicitly cancelled by script. Existing code already handles if
3002         no async data was found for the given identifier.
3003
3004 2016-12-18  Saam Barati  <sbarati@apple.com>
3005
3006         WebAssembly: Implement the WebAssembly.compile and WebAssembly.validate
3007         https://bugs.webkit.org/show_bug.cgi?id=165936
3008
3009         Reviewed by Mark Lam.
3010
3011         The APIs are documented here:
3012         - https://github.com/WebAssembly/design/blob/master/JS.md#webassemblycompile
3013         - https://github.com/WebAssembly/design/blob/master/JS.md#webassemblyvalidate
3014
3015         * wasm/JSWebAssembly.cpp:
3016         (JSC::webAssemblyCompileFunc):
3017         (JSC::webAssemblyValidateFunc):
3018         (JSC::JSWebAssembly::finishCreation):
3019         * wasm/WasmPlan.cpp:
3020         (JSC::Wasm::Plan::parseAndValidateModule):
3021         (JSC::Wasm::Plan::run):
3022         * wasm/WasmPlan.h:
3023         * wasm/js/JSWebAssemblyHelpers.h:
3024         (JSC::getWasmBufferFromValue):
3025         * wasm/js/WebAssemblyModuleConstructor.cpp:
3026         (JSC::constructJSWebAssemblyModule):
3027         (JSC::callJSWebAssemblyModule):
3028         (JSC::WebAssemblyModuleConstructor::createModule):
3029         * wasm/js/WebAssemblyModuleConstructor.h:
3030
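The entry above wires WebAssembly.compile and WebAssembly.validate into JSC. The following is an added example, not WebKit code, that exercises the two APIs from script: validate is a synchronous boolean check, compile is asynchronous and rejects with WebAssembly.CompileError on the same inputs. The module bytes are hand-assembled for this example (a single exported add(i32, i32) -> i32), and the negative cases are constructed from them.

```javascript
// Added example, not WebKit code: WebAssembly.validate (sync, boolean) versus
// WebAssembly.compile (async, Promise<Module>) on a hand-assembled module.
// The bytes below are constructed for this example and encode one exported
// function add(i32, i32) -> i32.
const ADD_MODULE = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d,                                 // magic "\0asm"
  0x01, 0x00, 0x00, 0x00,                                 // version 1
  0x01, 0x07, 0x01, 0x60, 0x02, 0x7f, 0x7f, 0x01, 0x7f,   // type section: (i32, i32) -> i32
  0x03, 0x02, 0x01, 0x00,                                 // function section: one func, type 0
  0x07, 0x07, 0x01, 0x03, 0x61, 0x64, 0x64, 0x00, 0x00,   // export section: "add" = func 0
  0x0a, 0x09, 0x01, 0x07, 0x00,                           // code section: one body, no locals
  0x20, 0x00, 0x20, 0x01, 0x6a, 0x0b,                     //   local.get 0; local.get 1; i32.add; end
]);

// Constructed negative cases derived from the module above.
const BAD_VERSION = ADD_MODULE.slice();
BAD_VERSION[4] = 0x02;                                    // unsupported binary version
const TRUNCATED = ADD_MODULE.slice(0, ADD_MODULE.length - 3); // code section cut short

// validate: structural and type check only; returns false rather than throwing
// for malformed bytes, so it is the cheap gate to run before compile.
function isValidModule(bytes) {
  return WebAssembly.validate(bytes);
}

// compile: produces a Module (no instantiation, so no imports are resolved and
// no wasm code runs); rejects with CompileError for anything validate rejects.
async function compileOutcome(bytes) {
  try {
    const module = await WebAssembly.compile(bytes);
    const exports = WebAssembly.Module.exports(module).map((e) => e.name + ":" + e.kind);
    return { ok: true, exports };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Instantiate and call the export, to show the bytes really are an add function.
async function callAdd(a, b) {
  const { instance } = await WebAssembly.instantiate(ADD_MODULE);
  return instance.exports.add(a, b);
}

async function main() {
  const cases = [["add", ADD_MODULE], ["bad-version", BAD_VERSION], ["truncated", TRUNCATED]];
  for (const [name, bytes] of cases)
    console.log(name, "validate:", isValidModule(bytes), "compile:", JSON.stringify(await compileOutcome(bytes)));
  console.log("add(2, 3) =", await callAdd(2, 3));
}
main();
```

Running it under any engine with the WebAssembly JS API (Node, or a recent JSC shell) shows validate returning true only for the intact module and compile rejecting the two damaged buffers with a CompileError instead of crashing.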
3031 2016-12-18  Mark Lam  <mark.lam@apple.com>
3032
3033         Rename finallyActionRegister to completionTypeRegister and only store int JSValues in it.
3034         https://bugs.webkit.org/show_bug.cgi?id=165979
3035
3036         Reviewed by Saam Barati.
3037
3038         This patch makes it so that we only store int JSValues in the finallyActionRegister
3039         thereby making type prediction on this register more successful for JITs.  In so
3040         doing, we are able to get some additional benefits:
3041
3042         1. Renamed the following:
3043            FinallyRegistersScope => CompletionRecordScope
3044            finallyActionRegister => completionTypeRegister
3045            finallyReturnValueRegister => completionValueRegister
3046
3047            These new names are more in line with the ES spec, which describes these
3048            values as the completion record and its type and value properties.
3049            https://tc39.github.io/ecma262/#sec-completion-record-specification-type
3050
3051         2. We now think of the Break and Continue jumpIDs as encodings of CompletionType
3052            (in our implementation of completion type).  As a result, we only need one of
3053            each of the emitter methods for getting, setting, and compare-and-jump on the
3054            completion type.  The code using these methods also reads much clearer now.  
3055
3056         3. Finally blocks' op_catch should now always pop the caught Exception object into
3057            the completionValueRegister instead of the completionTypeRegister (formerly
3058            finallyActionRegister). 
3059
3060         Also removed the restoreScopeRegister() call in the IteratorClose catch block
3061         because that is an implementation specific synthesized catch block, and we
3062         can guarantee that it never needs to resolve any symbols from the scope.  Hence,
3063         there is no need to restore the scope register.
3064
3065         * bytecompiler/BytecodeGenerator.cpp:
3066         (JSC::BytecodeGenerator::emitEnumeration):
3067         (JSC::BytecodeGenerator::emitJumpViaFinallyIfNeeded):
3068         (JSC::BytecodeGenerator::emitReturnViaFinallyIfNeeded):
3069         (JSC::BytecodeGenerator::emitFinallyCompletion):
3070         (JSC::BytecodeGenerator::allocateCompletionRecordRegisters):
3071         (JSC::BytecodeGenerator::releaseCompletionRecordRegisters):
3072         (JSC::BytecodeGenerator::emitJumpIfCompletionType):
3073         (JSC::BytecodeGenerator::allocateFinallyRegisters): Deleted.
3074         (JSC::BytecodeGenerator::releaseFinallyRegisters): Deleted.
3075         (JSC::BytecodeGenerator::emitCompareFinallyActionAndJumpIf): Deleted.
3076         * bytecompiler/BytecodeGenerator.h:
3077         (JSC::bytecodeOffsetToJumpID):
3078         (JSC::FinallyJump::FinallyJump):
3079         (JSC::FinallyContext::registerJump):
3080         (JSC::BytecodeGenerator::CompletionRecordScope::CompletionRecordScope):
3081         (JSC::BytecodeGenerator::CompletionRecordScope::~CompletionRecordScope):
3082         (JSC::BytecodeGenerator::completionTypeRegister):
3083         (JSC::BytecodeGenerator::completionValueRegister):
3084         (JSC::BytecodeGenerator::emitSetCompletionType):
3085         (JSC::BytecodeGenerator::emitSetCompletionValue):
3086         (JSC::BytecodeGenerator::FinallyRegistersScope::FinallyRegistersScope): Deleted.
3087         (JSC::BytecodeGenerator::FinallyRegistersScope::~FinallyRegistersScope): Deleted.
3088         (JSC::BytecodeGenerator::finallyActionRegister): Deleted.
3089         (JSC::BytecodeGenerator::finallyReturnValueRegister): Deleted.
3090         (JSC::BytecodeGenerator::emitSetFinallyActionToNormalCompletion): Deleted.
3091         (JSC::BytecodeGenerator::emitSetFinallyActionToReturnCompletion): Deleted.
3092         (JSC::BytecodeGenerator::emitSetFinallyActionToJumpID): Deleted.
3093         (JSC::BytecodeGenerator::emitSetFinallyReturnValueRegister): Deleted.
3094         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNormalCompletion): Deleted.
3095         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotJump): Deleted.
3096         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsReturnCompletion): Deleted.
3097         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotReturnCompletion): Deleted.
3098         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotThrowCompletion): Deleted.
3099         (JSC::BytecodeGenerator::emitJumpIfCompletionTypeIsThrow): Deleted.
3100         (JSC::BytecodeGenerator::bytecodeOffsetToJumpID): Deleted.
3101         * bytecompiler/NodesCodegen.cpp:
3102         (JSC::TryNode::emitBytecode):
3103
3104 2016-12-17  Saam Barati  <sbarati@apple.com>
3105
3106         WebAssembly: WasmB3IRGenerator uses WarmAny as a ValueRep but expects the incoming value to be a register
3107         https://bugs.webkit.org/show_bug.cgi?id=165989
3108
3109         Reviewed by Mark Lam.
3110
3111         The input should be constrained to a register to match what
3112         the patchpoint code expects.
3113
3114         * wasm/WasmB3IRGenerator.cpp:
3115
3116 2016-12-17  Saam Barati  <sbarati@apple.com>
3117
3118         WebAssembly: Change a RELEASE_ASSERT_NOT_REACHED to a jit.breakpoint() for now to allow us to run some wasm benchmarks
3119         https://bugs.webkit.org/show_bug.cgi?id=165990
3120
3121         Reviewed by Mark Lam.
3122
3123         * wasm/WasmBinding.cpp:
3124         (JSC::Wasm::importStubGenerator):
3125
3126 2016-12-16  Joseph Pecoraro  <pecoraro@apple.com>
3127
3128         JSContext Inspector: Avoid some possible exceptions inspecting a JSContext
3129         https://bugs.webkit.org/show_bug.cgi?id=165986
3130         <rdar://problem/29551379>
3131
3132         Reviewed by Matt Baker.
3133
3134         * inspector/InjectedScriptSource.js:
3135         (InjectedScript.prototype.processProperties):
3136         Prefer String.prototype.endsWith now that it is available.
3137
3138         (InjectedScript.prototype._describe):
3139         Prefer Function.prototype.toString for converting functions to String.
3140         Previously we were doing String(f) which would do Symbol.toPrimitive
3141         conversion which seems unnecessary here.
3142
3143 2016-12-16  Michael Catanzaro  <mcatanzaro@igalia.com>
3144
3145         Unreviewed, fix GCC 6 build failure after r209952
3146
3147         Return false, not nullptr, in function returning bool.
3148
3149         * bytecompiler/BytecodeGenerator.cpp:
3150         (JSC::BytecodeGenerator::emitJumpViaFinallyIfNeeded):
3151
3152 2016-12-16  Saam Barati  <sbarati@apple.com>
3153
3154         WebAssembly: We still have some incorrect parsing productions inside unreachable code
3155         https://bugs.webkit.org/show_bug.cgi?id=165981
3156
3157         Reviewed by Keith Miller.
3158
3159         This hardens our parsing for CallIndirect and Loop/Block/If to be exactly like their reachable variant.
3160         
3161         It also fixes a more nefarious bug in which we were decoding an extra varuint32
3162         for Br/BrIf inside unreachable code.
3163
3164         * wasm/WasmFunctionParser.h:
3165
3166 2016-12-16  Filip Pizlo  <fpizlo@apple.com>
3167
3168         CellState should have members with accurate names
3169         https://bugs.webkit.org/show_bug.cgi?id=165969
3170
3171         Reviewed by Mark Lam.
3172         
3173         This once again renames the members in CellState. I wanted to convey the following
3174         pieces of information in the names:
3175         
3176         - What does the state mean for Generational GC?
3177         - What does the state mean for Concurrent GC?
3178         - Does the state guarantee what it means, or is there some contingency?
3179         
3180         The names I came up with are:
3181         
3182         PossiblyOldOrBlack: An object in this state may be old, or may be black, depending on
3183             other things. If the mark bit is set then the object is either black or being
3184             blackened as we speak. It's going to survive the GC, so it will be old, but may be
3185             new now. In between GCs, objects in this state are definitely old. If the mark bit
3186             is not set, then the object is actually old and white.
3187         
3188         DefinitelyNewAndWhite: The object was just allocated so it is white (not marked) and
3189             new.
3190         
3191         DefinitelyGrey: The object is definitely grey - it will be rescanned in the future. It
3192             may be new or old depending on other things.
3193
3194         * heap/CellState.h:
3195         * heap/Heap.cpp:
3196         (JSC::Heap::addToRememberedSet):
3197         (JSC::Heap::writeBarrierSlowPath):
3198         * heap/SlotVisitor.cpp:
3199         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
3200         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
3201         (JSC::SlotVisitor::appendToMarkStack):
3202         (JSC::SlotVisitor::visitChildren):
3203         * runtime/JSCellInlines.h:
3204         (JSC::JSCell::JSCell):
3205         * runtime/StructureIDBlob.h:
3206         (JSC::StructureIDBlob::StructureIDBlob):
3207
3208 2016-12-16  Saam Barati  <sbarati@apple.com>
3209
3210         B3::DoubleToFloatReduction will accidentally convince itself it converted a Phi from Double to Float and then convert uses of that Phi into a use of FloatToDouble(@Phi)
3211         https://bugs.webkit.org/show_bug.cgi?id=165946
3212
3213         Reviewed by Keith Miller.
3214
3215         This was happening because the phase will convert some Phi nodes
3216         from Double to Float. However, one place that did this conversion
3217         forgot to first check if the Phi was already a Float. If it's already
3218         a Float, a later part of the phase will be buggy if the phase claims that it has
3219         converted it from Double->Float. The reason is that at the end of the
3220         phase, we'll look for all uses of former Double Phi nodes and make them
3221         be a use of ConvertFloatToDouble on the Phi, instead of a use of the Phi itself.
3222         This is clearly wrong if the Phi were Float to begin with (and
3223         therefore, the uses were Float uses to begin with).
3224
3225         * b3/B3ReduceDoubleToFloat.cpp:
3226         * b3/testb3.cpp:
3227         (JSC::B3::testReduceFloatToDoubleValidates):
3228         (JSC::B3::run):
3229
3230 2016-12-16  Mark Lam  <mark.lam@apple.com>
3231
3232         De-duplicate finally blocks.
3233         https://bugs.webkit.org/show_bug.cgi?id=160168
3234
3235         Reviewed by Keith Miller.
3236
3237         JS execution can arrive at a finally block when there are abrupt completions from
3238         its try or catch block.  The abrupt completion types include Break,
3239         Continue, Return, and Throw.  The non-abrupt completion type is called Normal
3240         (i.e. the case of a try block falling through to the finally block).
3241
3242         Previously, we enabled each of these paths for abrupt completion (except for Throw)
3243         to run the finally block code by duplicating the finally block code at each of
3244         the sites that trigger those completions.  This patch fixes the implementation so
3245         that each of these abrupt completions will set a finallyActionRegister (plus a
3246         finallyReturnValueRegister for CompletionType::Return) and then jump to the
3247         relevant finally blocks, and continue to thread through subsequent outer finally
3248         blocks until execution reaches the outermost finally block that the completion
3249         type dictates.  We no longer duplicate the finally block code.
3250
3251         The implementation details:
3252         1. We allocate a pair of finallyActionRegister and finallyReturnValueRegister
3253            just before entering the outermost try-catch-finally scope.
3254
3255            On allocating the registers, we set them to the empty JSValue.  This serves
3256            to set the completion type to CompletionType::Normal (see (2) below).
3257
3258         2. The finallyActionRegister serves 2 purposes:
3259            a. indicates the CompletionType that triggered entry into the finally block.
3260
3261               This is how we encode the completion type in the finallyActionRegister:
3262               1. CompletionType::Normal
3263                  - finallyActionRegister is set to the empty JSValue.
3264               2. CompletionType::Break
3265                  - finallyActionRegister is set to the int jumpID for the site of the break statement.
3266               3. CompletionType::Continue
3267                  - finallyActionRegister is set to the int jumpID for the site of the continue statement.
3268               4. CompletionType::Return
3269                  - finallyActionRegister is set to CompletionType::Return as an int JSValue.
3270                  - finallyReturnValueRegister is set to the value to be returned. 
3271               5. CompletionType::Throw
3272                  - finallyActionRegister is set to the exception object that was caught by the finally block.
3273
3274               Hence, the finallyActionRegister can either be:
3275               1. empty i.e. we're handling CompletionType::Normal.
3276               2. an int JSValue i.e. we're handling CompletionType::Break, Continue, or Return.
3277               3. an object i.e. we're handling CompletionType::Throw.
3278
3279            b. stores the exception caught in the finally block if we're handling
3280               CompletionType::Throw.
3281
3282         3. Each finally block will have 2 entries:
3283            a. the entry via throw.
3284            b. the normal entry.
3285
3286            The entry via throw is recorded in the codeBlock's exception table, and can
3287            only be jumped to by the VM's exception handling mechanism.
3288
3289            The normal entry is recorded in a FinallyContext (at bytecode generation time
3290            only) and is jumped to when we want to enter the finally block due to any of the
3291            other CompletionTypes.
3292
3293         4. CompletionType::Normal
3294            ======================
3295            We encounter this when falling through from a try or catch block to the finally block.  
3296            
3297            For the try block case, since finallyActionRegister is set to Normal by default,
3298            there's nothing more that needs to be done.
3299
3300            For the catch block case, since we entered the catch block with an exception,
3301            finallyActionRegister may be set to Throw.  We'll need to set it to Normal
3302            before jumping to the finally block's normal entry.
3303
3304            CompletionType::Break
3305            =====================
3306            When we emit bytecode for the BreakNode, we check if we have any FinallyContexts
3307            that we need to service before jumping to the breakTarget.  If we do, then:
3308            a. we'll register a jumpID along with the breakTarget with the outermost FinallyContext.
3309            b. we'll also increment the numberOfBreaksOrContinues count in each FinallyContext
3310               from the innermost to the outermost.
3311            c. instead of emitting bytecode to jump to the breakTarget, we:
3312               1. emit bytecode to set finallyActionRegister to the jumpID.
3313               2. emit bytecode to jump to the normal entry of the innermost finally block.
3314
3315            Each finally block will take care of cascading to the next outer finally block
3316            as needed (see (5) below).
3317
3318            CompletionType::Continue
3319            ========================
3320            Since continues and breaks work the same way (i.e. with a jump), we handle this
3321            exactly the same way as CompletionType::Break, except that we use the
3322            continueTarget instead of the breakTarget.
3323
3324            CompletionType::Return
3325            ======================
3326            When we emit bytecode for the ReturnNode, we check if we have any FinallyContexts
3327            at all on the m_controlFlowScopeStack.
3328
3329            If so, then instead of emitting op_ret, we:
3330               1. emit bytecode to set finallyActionRegister to the CompletionType::Return.
3331               2. emit bytecode to move the return value into finallyReturnValueRegister.
3332               3. emit bytecode to jump to the normal entry of the innermost finally block.
3333
3334            Each finally block will take care of cascading to the next outer finally block
3335            as needed (see (5) below).
3336
3337            CompletionType::Throw
3338            =====================
3339            The op_catch of a finally block will always store the caught exception object
3340            in the finallyActionRegister.  This means we're handling CompletionType::Throw
3341            (see (2) above).
3342
3343         5. What happens in each finally block?
3344            ==================================
3345            Only the finally block's entry via throw will have an op_catch that catches the
3346            pending exception (and stores it in the finallyActionRegister).  This throw
3347            entry then falls through to the normal entry.
3348
3349            The finally block's normal entry will restore the scope of the finally block
3350            and proceed to execute its code.
3351
3352            At the end of the finally block (see emitFinallyCompletion()), the finally
3353            block will check the finallyActionRegister for each completion type in the
3354            following order:
3355            
3356            a. CompletionType::Normal: jump to the code after the finally block as
3357               designated by a normalCompletion label.
3358
3359            b. CompletionType::Break and Continue:
3360               If the FinallyContext for this block has registered FinallyJumps, we'll
3361               check for the jumpIDs against the finallyActionRegister.  If the jumpID
3362               matches, jump to the corresponding jumpTarget.
3363
3364               If no jumpIDs match but the FinallyContext's numberOfBreaksOrContinues is
3365               greater than the number of registered FinallyJumps, then this means that
3366               we have a Break or Continue that needs to be handled by an outer finally
3367               block.  In that case, jump to the outer finally block's normal entry.
3368               
3369            c. CompletionType::Return:
3370               If this finally block is not the outermost and finallyActionRegister contains
3371               CompletionType::Return, then jump to the outer finally block's normal entry.
3372
3373               Otherwise, if this finally block is the outermost and finallyActionRegister
3374               contains CompletionType::Return, then execute op_ret and return the value
3375               in finallyReturnValueRegister.
3376
3377            d. CompletionType::Throw:
3378               If we're not handling any of the above cases, then just throw the
3379               finallyActionRegister which contains the exception to re-throw.
3380
3381         6. restoreScopeRegister()
3382         
3383            Since the needed scope objects are always stored in a local, we can restore
3384            the scope register by simply moving from that local instead of going through
3385            op_get_parent_scope.
3386
3387         7. m_controlFlowScopeStack needs to be a SegmentedVector instead of a Vector.
3388            This makes it easier to keep a pointer to the FinallyContext on that stack,
3389            and not have to worry about the vector being realloc'ed due to resizing. 
3390
3391         Performance appears to be neutral both on ES6SampleBench (run via cli) and the
3392         JSC benchmarks.
3393
3394         Relevant spec references:
3395         https://tc39.github.io/ecma262/#sec-completion-record-specification-type
3396         https://tc39.github.io/ecma262/#sec-try-statement-runtime-semantics-evaluation
3397
3398         * bytecode/HandlerInfo.h:
3399         (JSC::HandlerInfoBase::typeName):
3400         * bytecompiler/BytecodeGenerator.cpp:
3401         (JSC::BytecodeGenerator::generate):
3402         (JSC::BytecodeGenerator::BytecodeGenerator):
3403         (JSC::BytecodeGenerator::emitReturn):
3404         (JSC::BytecodeGenerator::pushFinallyControlFlowScope):
3405         (JSC::BytecodeGenerator::popFinallyControlFlowScope):
3406         (JSC::BytecodeGenerator::allocateAndEmitScope):
3407         (JSC::BytecodeGenerator::pushTry):
3408         (JSC::BytecodeGenerator::popTry):
3409         (JSC::BytecodeGenerator::emitCatch):
3410         (JSC::BytecodeGenerator::restoreScopeRegister):
3411         (JSC::BytecodeGenerator::labelScopeDepthToLexicalScopeIndex):
3412         (JSC::BytecodeGenerator::labelScopeDepth):
3413         (JSC::BytecodeGenerator::pushLocalControlFlowScope):
3414         (JSC::BytecodeGenerator::popLocalControlFlowScope):
3415         (JSC::BytecodeGenerator::emitEnumeration):
3416         (JSC::BytecodeGenerator::emitIsNumber):
3417         (JSC::BytecodeGenerator::emitYield):
3418         (JSC::BytecodeGenerator::emitDelegateYield):
3419         (JSC::BytecodeGenerator::emitJumpViaFinallyIfNeeded):
3420         (JSC::BytecodeGenerator::emitReturnViaFinallyIfNeeded):
3421         (JSC::BytecodeGenerator::emitFinallyCompletion):
3422         (JSC::BytecodeGenerator::allocateFinallyRegisters):
3423         (JSC::BytecodeGenerator::releaseFinallyRegisters):
3424         (JSC::BytecodeGenerator::emitCompareFinallyActionAndJumpIf):
3425         (JSC::BytecodeGenerator::pushIteratorCloseControlFlowScope): Deleted.
3426         (JSC::BytecodeGenerator::popIteratorCloseControlFlowScope): Deleted.
3427         (JSC::BytecodeGenerator::emitComplexPopScopes): Deleted.
3428         (JSC::BytecodeGenerator::emitPopScopes): Deleted.
3429         (JSC::BytecodeGenerator::popTryAndEmitCatch): Deleted.
3430         * bytecompiler/BytecodeGenerator.h:
3431         (JSC::FinallyJump::FinallyJump):
3432         (JSC::FinallyContext::FinallyContext):
3433         (JSC::FinallyContext::outerContext):
3434         (JSC::FinallyContext::finallyLabel):
3435         (JSC::FinallyContext::depth):
3436         (JSC::FinallyContext::numberOfBreaksOrContinues):
3437         (JSC::FinallyContext::incNumberOfBreaksOrContinues):
3438         (JSC::FinallyContext::handlesReturns):
3439         (JSC::FinallyContext::setHandlesReturns):
3440         (JSC::FinallyContext::registerJump):
3441         (JSC::FinallyContext::numberOfJumps):
3442         (JSC::FinallyContext::jumps):
3443         (JSC::ControlFlowScope::ControlFlowScope):
3444         (JSC::ControlFlowScope::isLabelScope):
3445         (JSC::ControlFlowScope::isFinallyScope):
3446         (JSC::BytecodeGenerator::currentLexicalScopeIndex):
3447         (JSC::BytecodeGenerator::FinallyRegistersScope::FinallyRegistersScope):
3448         (JSC::BytecodeGenerator::FinallyRegistersScope::~FinallyRegistersScope):
3449         (JSC::BytecodeGenerator::finallyActionRegister):
3450         (JSC::BytecodeGenerator::finallyReturnValueRegister):
3451         (JSC::BytecodeGenerator::emitSetFinallyActionToNormalCompletion):
3452         (JSC::BytecodeGenerator::emitSetFinallyActionToReturnCompletion):
3453         (JSC::BytecodeGenerator::emitSetFinallyActionToJumpID):
3454         (JSC::BytecodeGenerator::emitSetFinallyReturnValueRegister):
3455         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNormalCompletion):
3456         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotJump):
3457         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsReturnCompletion):
3458         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotReturnCompletion):
3459         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotThrowCompletion):
3460         (JSC::BytecodeGenerator::emitJumpIfCompletionTypeIsThrow):
3461         (JSC::BytecodeGenerator::bytecodeOffsetToJumpID):
3462         (JSC::BytecodeGenerator::isInFinallyBlock): Deleted.
3463         * bytecompiler/NodesCodegen.cpp:
3464         (JSC::ContinueNode::emitBytecode):
3465         (JSC::BreakNode::emitBytecode):
3466         (JSC::ReturnNode::emitBytecode):
3467         (JSC::TryNode::emitBytecode):
3468
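The entry above (and the later rename of finallyActionRegister to completionTypeRegister further up this log) describes how abrupt completions are threaded through a single copy of each finally block by way of a completion record. The following is an added example, not WebKit code: a nested try/finally in ordinary JavaScript next to a hand-desugared version that does what the bytecode generator now emits, setting a completion type and value and cascading from the innermost finally outward. The Completion constants, jump IDs and function names are illustrative, not JSC identifiers.

```javascript
// Added example, not WebKit code: observable try/finally semantics that the
// de-duplicated finally scheme must preserve, next to a hand-desugared version
// that threads an explicit completion record (type + value) through one copy of
// each finally body, the way finallyActionRegister / finallyReturnValueRegister
// (later completionTypeRegister / completionValueRegister) do. Constants and
// jump IDs below are illustrative, not JSC's actual encoding.
const Completion = Object.freeze({ Normal: 0, Return: 1, Throw: 2 });
// Break/Continue are encoded as per-site jump IDs living above the fixed types.
const JUMP_BREAK_LOOP = 3;
const JUMP_CONTINUE_LOOP = 4;

// Reference behaviour: nested try/finally inside a labelled loop.
function nativeFinally(trace, mode) {
  loop: for (let i = 0; i < 3; i++) {
    try {
      try {
        if (mode === "break" && i === 1) break loop;
        if (mode === "continue" && i === 0) continue loop;
        if (mode === "return" && i === 1) return "ret" + i;
        if (mode === "throw" && i === 1) throw new Error("boom");
        trace.push("body" + i);
      } finally {
        trace.push("inner" + i);
      }
    } finally {
      trace.push("outer" + i);
    }
  }
  trace.push("after");
  return "fallthrough";
}

// Desugared: each finally body appears once; abrupt completions only set the
// completion record and fall into the innermost finally, which cascades outward.
function desugaredFinally(trace, mode) {
  let completionType = Completion.Normal;   // finallyActionRegister
  let completionValue = undefined;          // finallyReturnValueRegister
  let i = 0;
  loop: while (i < 3) {
    completionType = Completion.Normal;     // entering the try: Normal by default
    try {                                   // outer try range also covers the inner finally body
      try {
        if (mode === "break" && i === 1) completionType = JUMP_BREAK_LOOP;          // emitJumpViaFinallyIfNeeded
        else if (mode === "continue" && i === 0) completionType = JUMP_CONTINUE_LOOP;
        else if (mode === "return" && i === 1) {                                     // emitReturnViaFinallyIfNeeded
          completionType = Completion.Return;
          completionValue = "ret" + i;
        } else if (mode === "throw" && i === 1) throw new Error("boom");
        else trace.push("body" + i);
      } catch (e) {                         // inner finally's throw entry (op_catch)
        completionType = Completion.Throw;
        completionValue = e;
      }
      trace.push("inner" + i);              // inner finally body, emitted once
      // Inner emitFinallyCompletion(): both jump targets lie outside the outer
      // finally, so no FinallyJump is registered here. Normal falls through to the
      // code after the inner finally; every other type cascades to the outer
      // finally's normal entry. In this nesting both are the same place.
    } catch (e) {                           // outer finally's throw entry
      completionType = Completion.Throw;
      completionValue = e;
    }
    trace.push("outer" + i);                // outer finally body, emitted once
    // Outer emitFinallyCompletion(): outermost context, so it resolves every type.
    switch (completionType) {
      case Completion.Normal: break;                    // normalCompletion label
      case JUMP_BREAK_LOOP: break loop;                 // registered jumpID -> breakTarget
      case JUMP_CONTINUE_LOOP: i++; continue loop;      // registered jumpID -> continueTarget
      case Completion.Return: return completionValue;   // outermost: op_ret
      case Completion.Throw: throw completionValue;     // re-throw the caught exception
    }
    i++;
  }
  trace.push("after");
  return "fallthrough";
}

// Run one variant and capture its trace plus result (or the thrown message).
function run(fn, mode) {
  const trace = [];
  let result;
  try { result = fn(trace, mode); } catch (e) { result = "threw:" + e.message; }
  return { trace, result };
}

// Returns the shared outcome when both variants agree, or null on divergence.
function compare(mode) {
  const a = run(nativeFinally, mode);
  const b = run(desugaredFinally, mode);
  return JSON.stringify(a) === JSON.stringify(b) ? a : null;
}

for (const mode of ["normal", "break", "continue", "return", "throw"])
  console.log(mode, JSON.stringify(compare(mode)));
```

The point of the comparison is the one the patch relies on: for every completion type the finally bodies run exactly once each, innermost first, and the only per-site state is the completion record, so no finally code has to be duplicated at the break, continue or return site.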
3469 2016-12-16  Keith Miller  <keith_miller@apple.com>
3470
3471         Add missing cases to parseUnreachableExpression and cleanup FunctionParser
3472         https://bugs.webkit.org/show_bug.cgi?id=165966
3473
3474         Reviewed by Saam Barati.
3475
3476         This patch adds a number of missing cases to the Wasm FunctionParser's unreachable
3477         code decoder. It also removes unneeded OpType namespaces where they were not
3478         needed and has the unary / binary macros cover all the cases rather than
3479         just the simple cases.
3480
3481         * wasm/WasmFunctionParser.h:
3482
3483 2016-12-16  Mark Lam  <mark.lam@apple.com>
3484
3485         Add predecessor info to dumps from JSC_dumpBytecodeLivenessResults=true.
3486         https://bugs.webkit.org/show_bug.cgi?id=165958
3487
3488         Reviewed by Saam Barati.
3489
3490         Also:
3491         1. refactored the code to use a common lambda function to dump FastBitVectors.
3492         2. list successors by their block index instead of pointers.
3493
3494         * bytecode/BytecodeLivenessAnalysis.cpp:
3495         (JSC::BytecodeLivenessAnalysis::dumpResults):
3496
3497 2016-12-16  Saam Barati  <sbarati@apple.com>
3498
3499         WebAssembly: WasmB3IRGenerator should throw exceptions instead of crash
3500         https://bugs.webkit.org/show_bug.cgi?id=165834
3501
3502         Reviewed by Keith Miller.
3503
3504         This patch generalizes how we throw exceptions in the Wasm::B3IRGenerator.
3505         There are still places where we need to throw exceptions and we don't, but
3506         this patch removes most of those places inside the IR generator. There are
3507         still a few places we need to throw exceptions inside the IR generator, like
3508         div/mod by 0. Those will be done in a separate patch. Also, there are
3509         still some stubs we need to throw exceptions from; those will also be
3510         done in a separate patch.
3511
3512         All exceptions thrown from Wasm share a common stub. The ABI for the stub
3513         is to move the Wasm::ExceptionType into argGPR1 and jump to the stub.
3514         The stub will then throw an exception with an error message tailored
3515         to the particular Wasm::ExceptionType failure.
3516
3517         This patch also refactors B3::Compilation. Before, the B3::Compilation(VM, Procedure)
3518         constructor would compile a B3 function. This patch makes B3::Compilation a simple
3519         tuple that keeps the necessary bits of B3 function alive in order to be runnable.
3520         There is a new function that actually does the compilation for you. It is:
3521         Compilation B3::compile(VM&, Procedure&)
3522         The reason for this change is that I'm now using the B3::Compilation(CodeRef, OpaqueByproducts)
3523         constructor in Wasm code. It is weird to have a class both have a
3524         constructor that instantiates the tuple, and another that performs the
3525         compilation and then instantiates the tuple. It's more straightforward
3526         if Compilation's job wasn't to actually do the compilation
3527         but just to hold the necessary bits to keep a compiled B3 alive.
3528
3529         * CMakeLists.txt:
3530         * JavaScriptCore.xcodeproj/project.pbxproj:
3531         * b3/B3Compilation.cpp:
3532         (JSC::B3::Compilation::Compilation):
3533         * b3/B3Compilation.h:
3534         * b3/B3Compile.cpp: Added.
3535         (JSC::B3::compile):
3536         * b3/B3Compile.h: Added.
3537         * b3/testb3.cpp:
3538         (JSC::B3::compile):
3539         * jit/ThunkGenerators.cpp:
3540         (JSC::throwExceptionFromWasmThunkGenerator):
3541         * jit/ThunkGenerators.h:
3542         * wasm/WasmB3IRGenerator.cpp:
3543         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3544         (JSC::Wasm::B3IRGenerator::emitExceptionCheck):
3545         (JSC::Wasm::createJSToWasmWrapper):
3546         (JSC::Wasm::parseAndCompile):
3547         * wasm/WasmExceptionType.h: Added.
3548         (JSC::Wasm::errorMessageForExceptionType):
3549
3550 2016-12-16  Keith Miller  <keith_miller@apple.com>
3551
3552         i64.eqz should use an Int64 zero
3553         https://bugs.webkit.org/show_bug.cgi?id=165942
3554
3555         Reviewed by Mark Lam.
3556
3557         This patch fixes i64.eqz, which was using an Int32 zero
3558         for the comparison previously. This patch also adds
3559         printing opcode names in verbose mode.
3560
3561         * wasm/WasmFunctionParser.h:
3562         * wasm/generateWasmOpsHeader.py:
3563         * wasm/wasm.json:
3564
3565 2016-12-15  Darin Adler  <darin@apple.com>
3566
3567         Use asString instead of toWTFString, toString, or getString when we already checked isString
3568         https://bugs.webkit.org/show_bug.cgi?id=165895
3569
3570         Reviewed by Yusuke Suzuki.
3571
3572         Once we have called isString, we should always use asString and value rather than using
3573         functions that have to deal with non-JSString objects. This leads to slightly fewer branches,
3574         slightly less reference count churn, since the string is stored right inside the JSString,
3575         and obviates the need for exception handling.
3576
3577         * bindings/ScriptValue.cpp:
3578         (Inspector::jsToInspectorValue): Use asString/value instead of getString.
3579         * dfg/DFGOperations.cpp:
3580         (JSC::DFG::operationMapHash): Call jsMapHash with its new arguments.
3581         * inspector/JSInjectedScriptHost.cpp:
3582         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension): Use asString/value instead
3583         of toWTFString.
3584         * inspector/JSJavaScriptCallFrame.cpp:
3585         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension): Ditto.
3586         * inspector/agents/InspectorHeapAgent.cpp:
3587         (Inspector::InspectorHeapAgent::getPreview): Use asString/tryGetValue, instead of the
3588         peculiar getString(nullptr) that was here before.
3589         * jsc.cpp:
3590         (functionGetGetterSetter): Use asString/toIdentifier instead of the much less efficient
3591         toWTFString/Identifier::fromString.
3592         (functionIsRope): Use asString instead of jsCast<JSString*>; same thing, but we should
3593         prefer the asString function, since it exists.
3594         (functionFindTypeForExpression): Use asString/value instead of getString.
3595         (functionHasBasicBlockExecuted): Ditto.
3596         (functionBasicBlockExecutionCount): Ditto.
3597         (functionCreateBuiltin): Use asString/value instead of toWTFString and removed
3598         unneeded RETURN_IF_EXCEPTION.
3599         (valueWithTypeOfWasmValue): Use asString instead of jsCast<String*>.
3600         (box): Ditto.
3601         * runtime/DateConstructor.cpp:
3602         (JSC::constructDate): Use asString/value instead of getString.
3603         * runtime/ExceptionHelpers.cpp:
3604         (JSC::errorDescriptionForValue): Tweaked formatting.
3605
3606         * runtime/HashMapImpl.h:
3607         (JSC::jsMapHash): Changed this function to use asString/value.
3608
3609         * runtime/JSCJSValue.cpp:
3610         (JSC::JSValue::dumpInContextAssumingStructure): Use asString instead of
3611         jsCast<JSString*>.
3612         (JSC::JSValue::dumpForBacktrace): Ditto.
3613         * runtime/JSCJSValueInlines.h:
3614         (JSC::toPreferredPrimitiveType): Ditto.
3615
3616         * runtime/JSGlobalObjectFunctions.cpp:
3617         (JSC::globalFuncEval): Use asString/value instead of toWTFString.
3618
3619         * runtime/JSString.cpp:
3620         (JSC::JSString::destroy): Streamlined by removing local variable.
3621         (JSC::JSString::estimatedSize): Use asString instead of jsCast<JSString*>.
3622         (JSC::JSString::visitChildren): Ditto.
3623         (JSC::JSString::toThis): Ditto.
3624         * runtime/JSString.h:
3625         (JSC::JSValue::toString): Ditto.
3626         (JSC::JSValue::toStringOrNull): Ditto.
3627         * runtime/NumberPrototype.cpp:
3628         (JSC::numberProtoFuncValueOf): Ditto.
3629         * runtime/ObjectPrototype.cpp:
3630         (JSC::objectProtoFuncToString): Ditto.
3631         * runtime/StringPrototype.cpp:
3632         (JSC::stringProtoFuncRepeatCharacter): Ditto.
3633         (JSC::stringProtoFuncSubstr): Ditto.
3634         (JSC::builtinStringSubstrInternal): Simplified assertion by removing local variable.
3635
3636 2016-12-15  Keith Miller  <keith_miller@apple.com>
3637
3638         Fix validation of non-void if blocks with no else
3639         https://bugs.webkit.org/show_bug.cgi?id=165938
3640
3641         Reviewed by Saam Barati.
3642
3643         We should not have been allowing non-void if-blocks that don't
3644         have an else, since this causes a value to be placed on the
3645         stack that only appears under some control flow and not another.
3646
3647         * wasm/WasmValidate.cpp:
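
        The stack-typing rule this entry enforces, as an added illustration (not WebKit's WasmValidate.cpp): a toy control-frame validator that rejects a non-void `if` without an `else`, and accepts the void form or a two-armed `if` whose arms both leave the declared result. The (opcode, operand) tuple encoding and the I32/VOID names are assumptions of this example; opcode names follow the wasm text format.

```python
# Toy wasm structured-control validator, added to illustrate the rule the
# entry above enforces; it is not WebKit's WasmValidate.cpp. A body is a list
# of (opcode, operand) tuples; `if` carries its result type (I32 or VOID).
I32 = "i32"
VOID = None  # block or function with no result value

def validate(instrs, func_result=VOID):
    operand = []  # types currently on the operand stack
    control = [("func", func_result, 0)]  # frames: (kind, result type, entry height)

    def pop_type(expected, height):
        if len(operand) <= height or operand[-1] != expected:
            raise ValueError(f"expected {expected} on the stack")
        operand.pop()
    def finish(kind, result, height):  # an arm/frame must leave only its result
        if result is not VOID:
            pop_type(result, height)
        if len(operand) != height:
            raise ValueError(f"{kind} leaves extra values on the stack")

    for op, arg in instrs:
        if op == "i32.const":
            operand.append(I32)
        elif op == "if":
            pop_type(I32, control[-1][2])  # pops the condition
            control.append(("if", arg, len(operand)))
        elif op == "else":
            kind, result, height = control[-1]
            if kind != "if":
                raise ValueError("else without a matching if")
            finish("then-arm", result, height)
            control[-1] = ("else", result, height)
        elif op == "end":
            kind, result, height = control.pop()
            if kind == "if" and result is not VOID:
                # The bug fixed above: the value would exist only when the condition is true.
                raise ValueError("non-void if needs an else")
            finish(kind, result, height)
            if result is not VOID:
                operand.append(result)
        else:
            raise ValueError(f"unknown opcode {op}")
    if control:
        raise ValueError("missing end")
    return operand

def check(instrs, func_result=VOID):  # None when valid, otherwise the error text
    try:
        validate(instrs, func_result)
    except ValueError as e:
        return str(e)
```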
3648
3649 2016-12-15  Filip Pizlo  <fpizlo@apple.com>
3650
3651         Get rid of HeapRootVisitor and make SlotVisitor less painful to use
3652         https://bugs.webkit.org/show_bug.cgi?id=165911
3653
3654         Reviewed by Geoffrey Garen.
3655         
3656         Previously we had two ways of adding a raw pointer to the GC's mark stack:
3657         
3658         - SlotVisitor::appendUnbarrieredXYZ() methods
3659         - HeapRootVisitor::visit() methods
3660         
3661         HeapRootVisitor existed only to prevent you from calling its non-WriteBarrier<> methods
3662         unless you had permission. But SlotVisitor would let you do it anyway, because that was
3663         a lot more practical.
3664         
3665         I think that we should just have one way to do it. This removes HeapRootVisitor. It
3666         also renames appendUnbarrieredXYZ to appendUnbarriered, and it removes the use of extra
3667         indirection (so you now pass const WriteBarrier<>& instead of WriteBarrier<>*).
3668
3669         * API/JSCallbackObject.h:
3670         (JSC::JSCallbackObjectData::JSPrivatePropertyMap::visitChildren):
3671         * JavaScriptCore.xcodeproj/project.pbxproj:
3672         * Scripts/builtins/builtins_templates.py:
3673         * bytecode/CodeBlock.cpp:
3674         (JSC::CodeBlock::visitWeakly):
3675         (JSC::CodeBlock::visitChildren):
3676         (JSC::CodeBlock::propagateTransitions):
3677         (JSC::CodeBlock::determineLiveness):
3678         (JSC::CodeBlock::visitOSRExitTargets):
3679         (JSC::CodeBlock::stronglyVisitStrongReferences):
3680         (JSC::CodeBlock::stronglyVisitWeakReferences):
3681         * bytecode/DirectEvalCodeCache.cpp:
3682         (JSC::DirectEvalCodeCache::visitAggregate):
3683         * bytecode/InternalFunctionAllocationProfile.h:
3684         (JSC::InternalFunctionAllocationProfile::visitAggregate):
3685         * bytecode/ObjectAllocationProfile.h:
3686         (JSC::ObjectAllocationProfile::visitAggregate):
3687         * bytecode/PolymorphicAccess.cpp:
3688         (JSC::AccessCase::propagateTransitions):
3689         * bytecode/UnlinkedCodeBlock.cpp:
3690         (JSC::UnlinkedCodeBlock::visitChildren):
3691         * bytecode/UnlinkedFunctionExecutable.cpp:
3692         (JSC::UnlinkedFunctionExecutable::visitChildren):
3693         * debugger/DebuggerScope.cpp:
3694         (JSC::DebuggerScope::visitChildren):
3695         * dfg/DFGDesiredTransitions.cpp:
3696         (JSC::DFG::DesiredTransition::visitChildren):
3697         * dfg/DFGDesiredWeakReferences.cpp:
3698         (JSC::DFG::DesiredWeakReferences::visitChildren):
3699         * dfg/DFGGraph.cpp:
3700         (JSC::DFG::Graph::visitChildren):
3701         * dfg/DFGPlan.cpp:
3702         (JSC::DFG::Plan::markCodeBlocks):
3703         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
3704         * heap/HandleSet.cpp:
3705         (JSC::HandleSet::visitStrongHandles):
3706         * heap/HandleSet.h:
3707         * heap/HandleStack.cpp:
3708         (JSC::HandleStack::visit):
3709         * heap/HandleStack.h:
3710         * heap/Heap.cpp:
3711         (JSC::Heap::markToFixpoint):
3712         * heap/Heap.h:
3713         * heap/HeapRootVisitor.h: Removed.
3714         * heap/LargeAllocation.cpp:
3715         (JSC::LargeAllocation::visitWeakSet):
3716         * heap/LargeAllocation.h:
3717         * heap/MarkedBlock.h:
3718         (JSC::MarkedBlock::Handle::visitWeakSet):
3719         * heap/MarkedSpace.cpp:
3720         (JSC::MarkedSpace::visitWeakSets):
3721         * heap/MarkedSpace.h:
3722         * heap/SlotVisitor.cpp:
3723         (JSC::SlotVisitor::appendUnbarriered):
3724         * heap/SlotVisitor.h:
3725         * heap/SlotVisitorInlines.h:
3726         (JSC::SlotVisitor::appendUnbarriered):
3727         (JSC::SlotVisitor::append):
3728         (JSC::SlotVisitor::appendHidden):
3729         (JSC::SlotVisitor::appendValues):
3730         (JSC::SlotVisitor::appendValuesHidden):
3731         (JSC::SlotVisitor::appendUnbarrieredPointer): Deleted.
3732         (JSC::SlotVisitor::appendUnbarrieredReadOnlyPointer): Deleted.
3733         (JSC::SlotVisitor::appendUnbarrieredValue): Deleted.
3734         (JSC::SlotVisitor::appendUnbarrieredReadOnlyValue): Deleted.
3735         (JSC::SlotVisitor::appendUnbarrieredWeak): Deleted.
3736         * heap/WeakBlock.cpp:
3737         (JSC::WeakBlock::specializedVisit):
3738         (JSC::WeakBlock::visit):
3739         * heap/WeakBlock.h:
3740         * heap/WeakSet.h:
3741         (JSC::WeakSet::visit):
3742         * interpreter/ShadowChicken.cpp:
3743         (JSC::ShadowChicken::visitChildren):
3744         * jit/GCAwareJITStubRoutine.cpp:
3745         (JSC::MarkingGCAwareJITStubRoutine::markRequiredObjectsInternal):
3746         * jit/PolymorphicCallStubRoutine.cpp:
3747         (JSC::PolymorphicCallStubRoutine::markRequiredObjectsInternal):
3748         * jsc.cpp:
3749         (WTF::Element::visitChildren):
3750         (WTF::ImpureGetter::visitChildren):
3751         (WTF::SimpleObject::visitChildren):
3752         * runtime/AbstractModuleRecord.cpp:
3753         (JSC::AbstractModuleRecord::visitChildren):
3754         * runtime/ArgList.cpp:
3755         (JSC::MarkedArgumentBuffer::markLists):
3756         * runtime/ArgList.h:
3757         * runtime/ClonedArguments.cpp:
3758         (JSC::ClonedArguments::visitChildren):
3759         * runtime/DirectArguments.cpp:
3760         (JSC::DirectArguments::visitChildren):
3761         * runtime/EvalExecutable.cpp: