ValueRep(DoubleRep(@v)) can not simply convert to @v

[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2017-06-22  Saam Barati  <sbarati@apple.com>

        ValueRep(DoubleRep(@v)) can not simply convert to @v
        https://bugs.webkit.org/show_bug.cgi?id=173687
        <rdar://problem/32855563>

        Reviewed by Mark Lam.

        Consider this IR:
         block#x
          p: Phi() // int32 and double flows into this phi from various control flow
          d: DoubleRep(@p)
          some uses of @d here
          v: ValueRep(DoubleRepUse:@d)
          a: NewArrayWithSize(Int32:@v)
          some more nodes here ...
        
        Because the flow of ValueRep(DoubleRep(@p)) will not produce an Int32,
        AI proves that the Int32 check will fail. Constant folding phase removes
        all nodes after @a and inserts an Unreachable after the NewArrayWithSize node.
        
        The IR then looks like this:
        block#x
          p: Phi() // int32 and double flows into this phi from various control flow
          d: DoubleRep(@p)
          some uses of @d here
          v: ValueRep(DoubleRepUse:@d)
          a: NewArrayWithSize(Int32:@v)
          Unreachable
        
        However, there was a strength reduction rule that tries eliminate redundant
        conversions. It used to convert the program to:
        block#x
          p: Phi() // int32 and double flows into this phi from various control flow
          d: DoubleRep(@p)
          some uses of @d here
          a: NewArrayWithSize(Int32:@p)
          Unreachable
        
        However, at runtime, @p will actually be an Int32, so @a will not OSR exit,
        and we'll crash. This patch removes this strength reduction rule since it
        does not maintain what would have happened if we executed the program before
        the rule.
        
        This rule is also wrong for other types of programs (I'm not sure we'd
        actually emit this code, but if such IR were generated, we would previously
        optimize it incorrectly):
        @a: Constant(JSTrue)
        @b: DoubleRep(@a)
        @c: ValueRep(@b)
        @d: use(@c)
        
        However, the strength reduction rule would've transformed this into:
        @a: Constant(JSTrue)
        @d: use(@a)
        
        And this would be wrong because node @c before the transformation would
        have produced the JSValue jsNumber(1.0).
        
        This patch was neutral in the benchmark run I did.

        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):

2017-06-22  JF Bastien  <jfbastien@apple.com>

        ARM64: doubled executable memory limit from 32MiB to 64MiB
        https://bugs.webkit.org/show_bug.cgi?id=173734
        <rdar://problem/32932407>

        Reviewed by Oliver Hunt.

        Some WebAssembly programs stress the amount of memory we have
        available, especially when we consider tiering (BBQ never dies,
        and is bigger that OMG). Tiering to OMG just piles on more memory,
        and we're also competing with JavaScript.

        * jit/ExecutableAllocator.h:

2017-06-22  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Pausing with a deep call stack can be very slow, avoid eagerly generating object previews
        https://bugs.webkit.org/show_bug.cgi?id=173698

        Reviewed by Matt Baker.

        When pausing in a deep call stack the majority of the time spent in JavaScriptCore
        when preparing Inspector pause information is spent generating object previews for
        the `thisObject` of each of the call frames. In some cases, this could be more
        than 95% of the time generating pause information. In the common case, only one of
        these (the top frame) will ever be seen by users. This change avoids eagerly
        generating object previews up front and let the frontend request previews if they
        are needed.

        This introduces the `Runtime.getPreview` protocol command. This can be used to:

            - Get a preview for a RemoteObject that did not have a preview but could.
            - Update a preview for a RemoteObject that had a preview.

        This patch only uses it for the first case, but the second is valid and may be
        something we want to do in the future.

        * inspector/protocol/Runtime.json:
        A new command to get an up to date preview for an object.

        * inspector/InjectedScript.h:
        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::getPreview):
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getPreview):
        * inspector/agents/InspectorRuntimeAgent.h:
        Plumbing for the new command.

        * inspector/InjectedScriptSource.js:
        (InjectedScript.prototype.getPreview):
        Implementation just uses the existing helper.

        (InjectedScript.CallFrameProxy):
        Do not generate a preview for the this object as it may not be shown.
        Let the frontend request a preview if it wants or needs one.

2017-06-22  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove stale "rawScopes" concept that was never available in JSC
        https://bugs.webkit.org/show_bug.cgi?id=173686

        Reviewed by Mark Lam.

        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::functionDetails):
        * inspector/InjectedScriptSource.js:
        (InjectedScript.prototype.functionDetails):
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::functionDetails):

2017-06-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Object.values should be implemented in C++
        https://bugs.webkit.org/show_bug.cgi?id=173703

        Reviewed by Sam Weinig.

        As the same to Object.assign, Object.values() is also inherently polymorphic.
        And allocating JSString / Symbol for Identifier and JSArray for Object.keys()
        result is costly.

        In this patch, we implement Object.values() in C++. It can avoid above allocations.
        Furthermore, by using `slot.isTaintedByOpaqueObject()` information, we can skip
        non-observable JSObject::get() calls.

        This improves performance by 2.49x. And also now Object.values() beats
        Object.keys(object).map(key => object[key]) implementation.

                                             baseline                  patched

            object-values               132.1551+-3.7209     ^     53.1254+-1.6139        ^ definitely 2.4876x faster
            object-keys-map-values       78.2008+-2.1378     ?     78.9078+-2.2121        ?

        * builtins/ObjectConstructor.js:
        (values): Deleted.
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorValues):

2017-06-21  Saam Barati  <sbarati@apple.com>

        ArrayPrototype.map builtin declares a var it does not use
        https://bugs.webkit.org/show_bug.cgi?id=173685

        Reviewed by Keith Miller.

        * builtins/ArrayPrototype.js:
        (map):

2017-06-21  Saam Barati  <sbarati@apple.com>

        eval virtual call is incorrect in the baseline JIT
        https://bugs.webkit.org/show_bug.cgi?id=173587
        <rdar://problem/32867897>

        Reviewed by Michael Saboff.

        When making a virtual call for call_eval, e.g, when the thing
        we're calling isn't actually eval, we end up calling the caller
        instead of the callee. This is clearly wrong. The code ends up
        issuing a load for the Callee in the callers frame instead of
        the callee we're calling. The fix is simple, we just need to
        load the real callee. Only the 32-bit baseline JIT had this bug.

        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileCallEvalSlowCase):

2017-06-21  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Using "break on all exceptions" when throwing stack overflow hangs inspector
        https://bugs.webkit.org/show_bug.cgi?id=172432
        <rdar://problem/29870873>

        Reviewed by Saam Barati.

        Avoid pausing on StackOverflow and OutOfMemory errors to avoid a hang.
        We will proceed to improve debugging of these cases in the follow-up bugs.

        * debugger/Debugger.cpp:
        (JSC::Debugger::exception):
        Ignore pausing on these errors.

        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::setStackOverflowError):
        (JSC::ErrorInstance::isStackOverflowError):
        (JSC::ErrorInstance::setOutOfMemoryError):
        (JSC::ErrorInstance::isOutOfMemoryError):
        * runtime/ExceptionHelpers.cpp:
        (JSC::createStackOverflowError):
        * runtime/Error.cpp:
        (JSC::createOutOfMemoryError):
        Mark these kinds of errors.

2017-06-21  Saam Barati  <sbarati@apple.com>

        Make it clear that regenerating ICs are holding the CodeBlock's lock by passing the locker as a parameter
        https://bugs.webkit.org/show_bug.cgi?id=173609

        Reviewed by Keith Miller.

        This patch makes many of the IC generating functions require a locker as
        a parameter. We do this in other places in JSC to indicate that
        a particular API is only valid while a particular lock is held.
        This is the case when generating ICs. This patch just makes it
        explicit in the IC generating interface.

        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::addCases):
        (JSC::PolymorphicAccess::addCase):
        (JSC::PolymorphicAccess::commit):
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/PolymorphicAccess.h:
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::addAccessCase):
        (JSC::StructureStubInfo::initStub): Deleted.
        * bytecode/StructureStubInfo.h:
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::repatchGetByID):
        (JSC::tryCachePutByID):
        (JSC::repatchPutByID):
        (JSC::tryRepatchIn):
        (JSC::repatchIn):

2017-06-20  Myles C. Maxfield  <mmaxfield@apple.com>

        Disable font variations on macOS Sierra and iOS 10
        https://bugs.webkit.org/show_bug.cgi?id=173618
        <rdar://problem/32879164>

        Reviewed by Jon Lee.

        * Configurations/FeatureDefines.xcconfig:

2017-06-20  Keith Miller  <keith_miller@apple.com>

        Fix leak of ModuleInformations in BBQPlan constructors.
        https://bugs.webkit.org/show_bug.cgi?id=173577

        Reviewed by Saam Barati.

        This patch fixes a leak in the BBQPlan constructiors. Previously,
        the plans were calling makeRef on the newly constructed objects.
        This patch fixes the issue and uses adoptRef instead. Additionally,
        an old, incorrect, attempt to fix the leak is removed.

        * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
        (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
        * jit/JITWorklist.cpp:
        (JSC::JITWorklist::Thread::Thread):
        * runtime/PromiseDeferredTimer.cpp:
        (JSC::PromiseDeferredTimer::addPendingPromise):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::BBQPlan):
        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::Plan):

2017-06-20  Devin Rousso  <drousso@apple.com>

        Web Inspector: Send context attributes for tracked canvases
        https://bugs.webkit.org/show_bug.cgi?id=173327

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Canvas.json:
        Add ContextAttributes object type that is optionally used for WebGL canvases.

2017-06-20  Konstantin Tokarev  <annulen@yandex.ru>

        Remove excessive include directives from WTF
        https://bugs.webkit.org/show_bug.cgi?id=173553

        Reviewed by Saam Barati.

        * profiler/ProfilerDatabase.cpp: Added missing include directive.
        * runtime/SamplingProfiler.cpp: Ditto.

2017-06-20  Oleksandr Skachkov  <gskachkov@gmail.com>

        Revert changes in bug#160417 about extending `null` not being a derived class
        https://bugs.webkit.org/show_bug.cgi?id=169293

        Reviewed by Saam Barati.

        Reverted changes in bug#160417 about extending `null` not being a derived class 
        according to changes in spec:
        https://github.com/tc39/ecma262/commit/c57ef95c45a371f9c9485bb1c3881dbdc04524a2

        * builtins/BuiltinNames.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitReturn):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ClassExprNode::emitBytecode):

2017-06-20  Saam Barati  <sbarati@apple.com>

        repatchIn needs to lock the CodeBlock's lock
        https://bugs.webkit.org/show_bug.cgi?id=173573

        Reviewed by Yusuke Suzuki.

        CodeBlock::propagateTransitions and CodeBlock::visitWeakly grab the CodeBlock's
        lock before modifying the StructureStubInfo/PolymorphicAccess. When regenerating
        an IC, we must hold the CodeBlock's to prevent the executing thread from racing
        with the marking thread. repatchIn was not grabbing the lock. I haven't been
        able to get it to crash, but this is needed for the same reasons that get and put IC
        regeneration grab the lock.

        * jit/Repatch.cpp:
        (JSC::repatchIn):

2017-06-19  Devin Rousso  <drousso@apple.com>

        Web Inspector: create canvas content view and details sidebar panel
        https://bugs.webkit.org/show_bug.cgi?id=138941
        <rdar://problem/19051672>

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Canvas.json:
         - Add an optional `nodeId` attribute to the `Canvas` type.
         - Add `requestNode` command for getting the node id of the backing canvas element.
         - Add `requestContent` command for getting the current image content of the canvas.

2017-06-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, build fix for ARM

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::internalCompare32):

2017-06-13  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] More ArrayIndexOf fixups for various types
        https://bugs.webkit.org/show_bug.cgi?id=173176

        Reviewed by Saam Barati.

        This patch further expands coverage of ArrayIndexOf optimization in DFG and FTL.

        1. We attempt to fold ArrayIndexOf to constant (-1) if we know that its array
        never contains the given search value.

        2. We support Symbol and Other specialization additionally. Especially, Other is
        useful because null/undefined can be used as a sentinel value.

        One interesting thing is that Array.prototype.indexOf does not consider holes as
        undefineds. Thus,

            var array = [,,,,,,,];
            array.indexOf(undefined); // => -1

        This can be trivially achieved in JSC because Empty and Undefined are different values.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupArrayIndexOf):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
        (JSC::DFG::SpeculativeJIT::speculateOther):
        * dfg/DFGSpeculativeJIT.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf):

2017-06-19  Caio Lima  <ticaiolima@gmail.com>

        [ARMv6][DFG] ARM MacroAssembler is always emitting cmn when immediate is 0
        https://bugs.webkit.org/show_bug.cgi?id=172972

        Reviewed by Mark Lam.

        We are changing internalCompare32 implementation in ARM
        MacroAssembler to emit "cmp" when the "right.value" is 0.
        It is generating wrong comparison cases, since the
        semantics of cmn is opposite of cmp[1]. One case that it's breaking is
        "branch32(MacroAssembler::Above, gpr, TrustedImm32(0))", where ends
        resulting in following assembly code:

        ```
        cmn $r0, #0
        bhi <address>
        ```

        However, as cmn is similar to "adds", it will never take the branch
        when $r0 > 0. In that case, the correct opcode is "cmp". With this
        patch we will fix current broken tests that uses
        "branch32(MacroAssembler::Above, gpr, TrustedImm32(0))",
        such as ForwardVarargs, Spread and GetRestLength.

        [1] - http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0204j/Cihiddid.html

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::internalCompare32):

2017-06-19  Joseph Pecoraro  <pecoraro@apple.com>

        test262: Completion values for control flow do not match the spec
        https://bugs.webkit.org/show_bug.cgi?id=171265

        Reviewed by Saam Barati.

        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::shouldBeConcernedWithCompletionValue):
        When we care about having proper completion values (global code
        in programs, modules, and eval) insert undefined results for
        control flow statements.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::SourceElements::emitBytecode):
        Reduce writing a default `undefined` value to the completion result to
        only once before the last statement we know will produce a value.

        (JSC::IfElseNode::emitBytecode):
        (JSC::WithNode::emitBytecode):
        (JSC::WhileNode::emitBytecode):
        (JSC::ForNode::emitBytecode):
        (JSC::ForInNode::emitBytecode):
        (JSC::ForOfNode::emitBytecode):
        (JSC::SwitchNode::emitBytecode):
        Insert an undefined to handle cases where code may break out of an
        if/else or with statement (break/continue).

        (JSC::TryNode::emitBytecode):
        Same handling for break cases. Also, finally block statement completion
        values are always ignored for the try statement result.

        (JSC::ClassDeclNode::emitBytecode):
        Class declarations, like function declarations, produce an empty result.

        * parser/Nodes.cpp:
        (JSC::SourceElements::lastStatement):
        (JSC::SourceElements::hasCompletionValue):
        (JSC::SourceElements::hasEarlyBreakOrContinue):
        (JSC::BlockNode::lastStatement):
        (JSC::BlockNode::singleStatement):
        (JSC::BlockNode::hasCompletionValue):
        (JSC::BlockNode::hasEarlyBreakOrContinue):
        (JSC::ScopeNode::singleStatement):
        (JSC::ScopeNode::hasCompletionValue):
        (JSC::ScopeNode::hasEarlyBreakOrContinue):
        The only non-trivial cases need to loop through their list of statements
        to determine if this has a completion value or not. Likewise for
        determining if there is an early break / continue, meaning a break or
        continue statement with no preceding statement that has a completion value.

        * parser/Nodes.h:
        (JSC::StatementNode::next):
        (JSC::StatementNode::hasCompletionValue):
        Helper to check if a statement nodes produces a completion value or not.

2017-06-19  Adrian Perez de Castro  <aperez@igalia.com>

        Missing <functional> includes make builds fail with GCC 7.x
        https://bugs.webkit.org/show_bug.cgi?id=173544

        Unreviewed gardening.

        Fix compilation with GCC 7.

        * API/tests/CompareAndSwapTest.cpp:
        * runtime/VMEntryScope.h:

2017-06-17  Keith Miller  <keith_miller@apple.com>

        ArrayBuffer constructor needs to create subclass structures before its buffer
        https://bugs.webkit.org/show_bug.cgi?id=173510

        Reviewed by Yusuke Suzuki.

        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::constructArrayBuffer):

2017-06-17  Keith Miller  <keith_miller@apple.com>

        ArrayPrototype methods should use JSValue::toLength for non-Arrays.
        https://bugs.webkit.org/show_bug.cgi?id=173506

        Reviewed by Ryosuke Niwa.

        This patch changes the result of unshift if old length +
        unshift.arguments.length > (2 ** 53) - 1 to be a type error. Also,
        the getLength function, which was always incorrect to use, has
        been removed. Additionally, some cases where we were using a
        constant for (2 ** 53) - 1 have been replaced with
        maxSafeInteger()

        * interpreter/Interpreter.cpp:
        (JSC::sizeOfVarargs):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToLocaleString):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncPush):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        (JSC::arrayProtoFuncIndexOf):
        (JSC::arrayProtoFuncLastIndexOf):
        * runtime/JSArrayInlines.h:
        (JSC::getLength): Deleted.
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::toLength):
        * runtime/NumberConstructor.cpp:
        (JSC::numberConstructorFuncIsSafeInteger):

2017-06-16  Matt Baker  <mattbaker@apple.com>

        Web Inspector: Instrument 2D/WebGL canvas contexts in the backend
        https://bugs.webkit.org/show_bug.cgi?id=172623
        <rdar://problem/32415986>

        Reviewed by Devin Rousso and Joseph Pecoraro.

        This patch adds a basic Canvas protocol. It includes Canvas and related
        types and events for monitoring the lifetime of canvases in the page.

        * CMakeLists.txt:
        * DerivedSources.make:
        * inspector/protocol/Canvas.json: Added.

        * inspector/scripts/codegen/generator.py:
        (Generator.stylized_name_for_enum_value):
        Add special handling for Canvas.ContextType protocol enumeration,
        so that "canvas-2d" and "webgl" map to `Canvas2D` and `WebGL`.

2017-06-16  Wenson Hsieh  <wenson_hsieh@apple.com>

        [iOS DnD] Upstream iOS drag and drop implementation into OpenSource WebKit
        https://bugs.webkit.org/show_bug.cgi?id=173366
        <rdar://problem/32767014>

        Reviewed by Tim Horton.

        Introduce ENABLE_DATA_INTERACTION and ENABLE_DRAG_SUPPORT to FeatureDefines.xcconfig.

        * Configurations/FeatureDefines.xcconfig:

2017-06-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Add fast path for Object.assign
        https://bugs.webkit.org/show_bug.cgi?id=173416

        Reviewed by Mark Lam.

        In Object.assign implementation, we need to ensure that given key is still enumerable own key.
        This seems duplicate look up. And we want to avoid this. However, we still need to perform this
        check in the face of Proxy. Proxy can observe that this check is done correctly.

        In almost all the cases, the above check is duplicate to the subsequent [[Get]] operation.
        In this patch, we perform this check. But at that time, we investigate `isTaintedByOpaqueObject()`.
        If it is false, we can say that getOwnPropertySlot is pure. In that case, we can just retrieve the
        value by calling `slot.getValue()`.

        This further improves performance of Object.assign.

                                        baseline                  patched

            object-assign.es6      363.6706+-6.4381     ^    324.1769+-6.9624        ^ definitely 1.1218x faster

        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorAssign):

2017-06-16  Michael Saboff  <msaboff@apple.com>

        Intermittent crash running Internal/Tests/InternalJSTests/Regress/radar-24300617.js
        https://bugs.webkit.org/show_bug.cgi?id=173488

        Reviewed by Filip Pizlo.

        ClonedArguments lazily sets its callee and interator properties and it used its own inline
        code to initialize its butterfly.  This means that these lazily set properties can have
        bogus values in those slots.  Instead, let's use the standard BUtterfly:tryCreate() method
        to create the butterfly as it clears out of line properties.

        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::createEmpty):

2017-06-16  Mark Lam  <mark.lam@apple.com>

        Interpreter methods for mapping between Opcode and OpcodeID need not be instance methods.
        https://bugs.webkit.org/show_bug.cgi?id=173491

        Reviewed by Keith Miller.

        The implementation are based on static data. There's no need to get the
        interpreter instance. Hence, we can make these methods static and avoid doing
        unnecessary work to compute the interpreter this pointer.

        Also removed the unused isCallBytecode method.

        * bytecode/BytecodeBasicBlock.cpp:
        (JSC::BytecodeBasicBlock::computeImpl):
        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printGetByIdOp):
        (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        (JSC::BytecodeDumper<Block>::dumpBlock):
        * bytecode/BytecodeLivenessAnalysis.cpp:
        (JSC::BytecodeLivenessAnalysis::dumpResults):
        * bytecode/BytecodeLivenessAnalysisInlines.h:
        (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::stepOverInstruction):
        * bytecode/BytecodeRewriter.cpp:
        (JSC::BytecodeRewriter::adjustJumpTargetsInFragment):
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFromLLInt):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        (JSC::CodeBlock::hasOpDebugForLineAndColumn):
        (JSC::CodeBlock::usesOpcode):
        (JSC::CodeBlock::valueProfileForBytecodeOffset):
        (JSC::CodeBlock::arithProfileForPC):
        (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
        * bytecode/PreciseJumpTargets.cpp:
        (JSC::getJumpTargetsForBytecodeOffset):
        (JSC::computePreciseJumpTargetsInternal):
        (JSC::findJumpTargetsForBytecodeOffset):
        * bytecode/PreciseJumpTargetsInlines.h:
        (JSC::extractStoredJumpTargetsForBytecodeOffset):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::applyModification):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::Interpreter):
        (JSC::Interpreter::isOpcode):
        (): Deleted.
        * interpreter/Interpreter.h:
        (JSC::Interpreter::getOpcode): Deleted.
        (JSC::Interpreter::getOpcodeID): Deleted.
        (JSC::Interpreter::isCallBytecode): Deleted.
        * interpreter/InterpreterInlines.h:
        (JSC::Interpreter::getOpcode):
        (JSC::Interpreter::getOpcodeID):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitNewFuncCommon):
        (JSC::JIT::emitNewFuncExprCommon):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_put_by_val):
        (JSC::JIT::privateCompilePutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_put_by_val):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_trace_operand):
        (JSC::LLInt::llint_trace_value):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * profiler/ProfilerBytecodeSequence.cpp:
        (JSC::Profiler::BytecodeSequence::BytecodeSequence):

2017-06-16  Matt Lewis  <jlewis3@apple.com>

        Unreviewed, rolling out r218376.

        The patch cause multiple Layout Test Crashes.

        Reverted changeset:

        "Web Inspector: Instrument 2D/WebGL canvas contexts in the
        backend"
        https://bugs.webkit.org/show_bug.cgi?id=172623
        http://trac.webkit.org/changeset/218376

2017-06-16  Konstantin Tokarev  <annulen@yandex.ru>

        REGRESSION(r166799): LogsPageMessagesToSystemConsoleEnabled corrupts non-ASCII characters
        https://bugs.webkit.org/show_bug.cgi?id=173470

        Reviewed by Joseph Pecoraro.

        ConsoleClient::printConsoleMessageWithArguments() incorrectly uses
        const char* overload of StringBuilder::append() that assummes Latin1
        encoding, not UTF8.

        * runtime/ConsoleClient.cpp:
        (JSC::ConsoleClient::printConsoleMessageWithArguments):

2017-06-15  Mark Lam  <mark.lam@apple.com>

        Add a JSRunLoopTimer registry in VM.
        https://bugs.webkit.org/show_bug.cgi?id=173429
        <rdar://problem/31287961>

        Reviewed by Filip Pizlo.

        This way, we can be sure we've got every JSRunLoopTimer instance covered if we
        need to change their run loop (e.g. when setting to the WebThread's run loop).

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::setRunLoop): Deleted.
        * heap/Heap.h:
        (JSC::Heap::runLoop): Deleted.
        * runtime/JSRunLoopTimer.cpp:
        (JSC::JSRunLoopTimer::JSRunLoopTimer):
        (JSC::JSRunLoopTimer::setRunLoop):
        (JSC::JSRunLoopTimer::~JSRunLoopTimer):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::registerRunLoopTimer):
        (JSC::VM::unregisterRunLoopTimer):
        (JSC::VM::setRunLoop):
        * runtime/VM.h:
        (JSC::VM::runLoop):

2017-06-15  Joseph Pecoraro  <pecoraro@apple.com>

        [Cocoa] Modernize some internal initializers to use instancetype instead of id
        https://bugs.webkit.org/show_bug.cgi?id=173112

        Reviewed by Wenson Hsieh.

        * API/JSContextInternal.h:
        * API/JSWrapperMap.h:
        * API/JSWrapperMap.mm:
        (-[JSObjCClassInfo initForClass:]):
        (-[JSWrapperMap initWithGlobalContextRef:]):

2017-06-15  Matt Baker  <mattbaker@apple.com>

        Web Inspector: Instrument 2D/WebGL canvas contexts in the backend
        https://bugs.webkit.org/show_bug.cgi?id=172623
        <rdar://problem/32415986>

        Reviewed by Devin Rousso.

        This patch adds a basic Canvas protocol. It includes Canvas and related
        types and events for monitoring the lifetime of canvases in the page.

        * CMakeLists.txt:
        * DerivedSources.make:
        * inspector/protocol/Canvas.json: Added.

        * inspector/scripts/codegen/generator.py:
        (Generator.stylized_name_for_enum_value):
        Add special handling for Canvas.ContextType protocol enumeration,
        so that "canvas-2d" and "webgl" map to `Canvas2D` and `WebGL`.

2017-06-15  Keith Miller  <keith_miller@apple.com>

        Add logging to MachineStackMarker to try to diagnose crashes in the wild
        https://bugs.webkit.org/show_bug.cgi?id=173427

        Reviewed by Mark Lam.

        This patch adds some logging to the MachineStackMarker constructor
        to help figure out where we are seeing crashes. Since macOS does
        not support os_log_info my hope is that if we set all the callee
        save registers before making any calls in the C++ code we can
        figure out which calls is the source of the crash. We also, set
        all the caller save registers before returning in case some
        weirdness is happening in the Heap constructor.

        This logging should not matter from a performance perspective. We
        only create MachineStackMarkers when we are creating a new VM,
        which is already expensive.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::MachineThreads):

2017-06-15  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Implement Object.assign in C++
        https://bugs.webkit.org/show_bug.cgi?id=173414

        Reviewed by Saam Barati.

        Implementing Object.assign in JS is not so good compared to C++ version because,

        1. JS version allocates JS array for object own keys. And we allocate JSString / Symbol for each key.
        But basically, they can be handled as UniquedStringImpl in C++. Allocating these cells are wasteful.

        2. While implementing builtins in JS offers some good type speculation chances, Object.assign is inherently super polymorphic.
        So JS's type profile doesn't help well.

        3. We have a chance to introduce various fast path for Object.assign in C++.

        This patch moves implementation from JS to C++. It achieves the above (1) and (2). (3) is filed in [1].

        We can see 1.65x improvement in SixSpeed object-assign.es6.

                                    baseline                  patched

        object-assign.es6      643.3253+-8.0521     ^    389.1075+-8.8840        ^ definitely 1.6533x faster

        [1]: https://bugs.webkit.org/show_bug.cgi?id=173416

        * builtins/ObjectConstructor.js:
        (entries):
        (assign): Deleted.
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::putInline):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::putInline):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        * runtime/JSObject.h:
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putInlineForJSObject):
        (JSC::JSObject::putInline): Deleted.
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorAssign):

2017-06-14  Dan Bernstein  <mitz@apple.com>

        [Cocoa] Objective-C class whose name begins with an underscore can’t be exported to JavaScript
        https://bugs.webkit.org/show_bug.cgi?id=168578

        Reviewed by Geoff Garen.

        * API/JSWrapperMap.mm:
        (allocateConstructorForCustomClass): Updated for change to forEachProtocolImplementingProtocol.
        (-[JSObjCClassInfo allocateConstructorAndPrototype]): Ditto.
        (-[JSWrapperMap classInfoForClass:]): If the class name begins with an underscore, check if
          it defines conformance to a JSExport-derived protocol and if so, avoid using the
          superclass as a substitute as we’d normally do.

        * API/ObjcRuntimeExtras.h:
        (forEachProtocolImplementingProtocol): Added a "stop" argument to the block to let callers
          bail out.

        * API/tests/JSExportTests.mm:
        (+[JSExportTests classNamePrefixedWithUnderscoreTest]): New test for this.
        (runJSExportTests): Run new test.

2017-06-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, suppress invalid register alloation validation assertion in 32 bit part 2
        https://bugs.webkit.org/show_bug.cgi?id=172421

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):

2017-06-14  Claudio Saavedra  <csaavedra@igalia.com>

        REGRESSION: 15 new jsc failures in WPE and GTK+
        https://bugs.webkit.org/show_bug.cgi?id=173349

        Reviewed by JF Bastien.

        Recent changes to generateWasm.py are not accounted for from
        CMake, which leads to WasmOps.h not being regenerated in partial
        builds. Make generateWasm.py an additional dependency.
        * CMakeLists.txt:

2017-06-13  Joseph Pecoraro  <pecoraro@apple.com>

        Debugger has unexpected effect on program correctness
        https://bugs.webkit.org/show_bug.cgi?id=172683

        Reviewed by Saam Barati.

        * inspector/InjectedScriptSource.js:
        (InjectedScript.RemoteObject.prototype._appendPropertyPreviews):
        (InjectedScript.RemoteObject.prototype._isPreviewableObjectInternal):
        (BasicCommandLineAPI):
        Eliminate for..of use with Arrays from InjectedScriptSource as it can be observable.
        We still use it for Set / Map iteration which we can eliminate when moving to builtins.

2017-06-13  JF Bastien  <jfbastien@apple.com>

        WebAssembly: fix erroneous signature comment
        https://bugs.webkit.org/show_bug.cgi?id=173334

        Reviewed by Keith Miller.

        * wasm/WasmSignature.h:

2017-06-13  Michael Saboff  <msaboff@apple.com>

        Refactor AbsenceOfSetter to AbsenceOfSetEffects
        https://bugs.webkit.org/show_bug.cgi?id=173322

        Reviewed by Filip Pizlo.

        * bytecode/ObjectPropertyCondition.h:
        (JSC::ObjectPropertyCondition::absenceOfSetEffectWithoutBarrier):
        (JSC::ObjectPropertyCondition::absenceOfSetEffect):
        (JSC::ObjectPropertyCondition::absenceOfSetterWithoutBarrier): Deleted.
        (JSC::ObjectPropertyCondition::absenceOfSetter): Deleted.
        * bytecode/ObjectPropertyConditionSet.cpp:
        (JSC::generateConditionsForPropertySetterMiss):
        (JSC::generateConditionsForPropertySetterMissConcurrently):
        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::dumpInContext):
        (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):
        (JSC::PropertyCondition::isStillValid):
        (WTF::printInternal):
        * bytecode/PropertyCondition.h:
        (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
        (JSC::PropertyCondition::absenceOfSetEffect):
        (JSC::PropertyCondition::hasPrototype):
        (JSC::PropertyCondition::hash):
        (JSC::PropertyCondition::operator==):
        (JSC::PropertyCondition::absenceOfSetterWithoutBarrier): Deleted.
        (JSC::PropertyCondition::absenceOfSetter): Deleted.

2017-06-13  JF Bastien  <jfbastien@apple.com>

        WebAssembly: import updated spec tests
        https://bugs.webkit.org/show_bug.cgi?id=173287
        <rdar://problem/32725975>

        Reviewed by Saam Barati.

        Import spec tests as of 31c641cc15f2aedbec2fa45a5185f68416df578b,
        with a few modifications so things work.

        Fix a bunch of bugs found through this process, and punt a few tests (which I
        marked as blocked by this bug).

        Fixes:

        Fix load / store alignment: r216908 erroneously implemented it as bit alignment
        instead of byte alignment. It was also missing memory-alignment.js despite it
        being in the ChangeLog, so add it too. This allows spec-test/align.wast.js to
        pass.

        Tables can be imported or in a section. There can be only one, but sections can
        be empty. An Elements section can exist if there's no Table, as long as it is
        also empty.

        Memories can be imported or in a section. There can be only one, but sections
        can be empty. A Data section can exist if there's no Memory, as long as it is
        also empty.

        Prototypes: stringify without .prototype. in the string.

        WebAssembly.Table.prototype.grow was plain wrong: it takes a delta parameter,
        not a final size, and throws a RangeError on failure, not a TypeError.

        Fix compile / instantiate so the reject the promise if given an argument of the
        wrong type (instead of failing instantly).

        Fix async on neuter test.

        Element section shouldn't affect any Table if any of the elements are out of
        bounds. We need to process it in two passes.

        Segment section shouldn't affect any Data if any of the segments are out of
        bounds. We need to process it in two passes.

        Empty data segments are valid, but only when there is no memory. Their index
        still gets validated, and has to be zero.

        Punts:

        Error messages with context, the test seems overly restrictive but this is
        minor.

        compile/instantiate/validate property descriptors.

        UTF-8 bugs.

        Temporarily disable NaN tests. We need to go back and implement the following
        semantics: https://github.com/WebAssembly/spec/pull/414 This doesn't matter as
        much as getting all the other tests passing.

        Worth noting for NaNs: f64.no_fold_mul_one (also a NaN test) as well as
        no_fold_promote_demote (an interesting corner case which we get wrong). mul by
        one is (assert_return (invoke \"f64.no_fold_mul_one\" (i64.const
        0x7ff4000000000000)) (i64.const 0x7ff8000000000000)) which means converting sNaN
        to qNaN, and promote/demote is (assert_return (invoke \"no_fold_promote_demote\"
        (i32.const 0x7fa00000)) (i32.const 0x7fc00000)) which is the same. I'm not sure
        why they're not allowed.

        * wasm/WasmB3IRGenerator.cpp:
        * wasm/WasmFunctionParser.h:
        * wasm/WasmModuleParser.cpp:
        * wasm/WasmModuleParser.h:
        * wasm/WasmParser.h:
        (JSC::Wasm::Parser<SuccessType>::consumeUTF8String):
        * wasm/generateWasm.py:
        (memoryLog2Alignment):
        * wasm/js/JSWebAssemblyTable.cpp:
        (JSC::JSWebAssemblyTable::grow):
        * wasm/js/JSWebAssemblyTable.h:
        * wasm/js/WebAssemblyCompileErrorPrototype.cpp:
        * wasm/js/WebAssemblyInstancePrototype.cpp:
        * wasm/js/WebAssemblyLinkErrorPrototype.cpp:
        * wasm/js/WebAssemblyMemoryPrototype.cpp:
        * wasm/js/WebAssemblyModulePrototype.cpp:
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::evaluate):
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::webAssemblyCompileFunc):
        (JSC::resolve):
        (JSC::instantiate):
        (JSC::compileAndInstantiate):
        (JSC::webAssemblyInstantiateFunc):
        * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp:
        * wasm/js/WebAssemblyTablePrototype.cpp:
        (JSC::webAssemblyTableProtoFuncGrow):

2017-06-13  Michael Saboff  <msaboff@apple.com>

        DFG doesn't properly handle a property that is change to read only in a prototype
        https://bugs.webkit.org/show_bug.cgi?id=173321

        Reviewed by Filip Pizlo.

        We need to check for ReadOnly as well as a not being a Setter when checking
        an AbsenceOfSetter.

        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):

2017-06-13  Daniel Bates  <dabates@apple.com>

        Implement W3C Secure Contexts Draft Specification
        https://bugs.webkit.org/show_bug.cgi?id=158121
        <rdar://problem/26012994>

        Reviewed by Brent Fulgham.

        Part 4

        Adds isSecureContext to the list of common identifiers as needed to support
        toggling its exposure from a runtime enabled feature flag.

        * runtime/CommonIdentifiers.h:

2017-06-13  Don Olmstead  <don.olmstead@sony.com>

        [JSC] Remove redundant includes in config.h
        https://bugs.webkit.org/show_bug.cgi?id=173294

        Reviewed by Alex Christensen.

        * config.h:

2017-06-12  Saam Barati  <sbarati@apple.com>

        We should not claim that SpecEmpty is filtered out of cell checks on 64 bit platforms
        https://bugs.webkit.org/show_bug.cgi?id=172957
        <rdar://problem/32602704>

        Reviewed by Filip Pizlo.

        Consider this program:
        ```
        block#1:
        n: GetClosureVar(..., |this|) // this will load empty JSValue()
        SetLocal(Cell:@n, locFoo) // Cell check succeeds because JSValue() looks like a cell
        Branch(#2, #3)
        
        Block#3:
        x: GetLocal(locFoo)
        y: CheckNotEmpty(@x)
        ```
        
        If we claim that a cell check filters out the empty value, we will
        incorrectly eliminate the CheckNotEmpty node @y. This patch fixes AI,
        FTLLowerDFGToB3, and DFGSpeculativeJIT to no longer make this claim.
        
        On 64 bit platforms:
        - Cell use kind *now allows* the empty value to pass through.
        - CellOrOther use kind *now allows* for the empty value to pass through
        - NotCell use kind *no longer allows* the empty value to pass through.

        * assembler/CPU.h:
        (JSC::isARMv7IDIVSupported):
        (JSC::isARM64):
        (JSC::isX86):
        (JSC::isX86_64):
        (JSC::is64Bit):
        (JSC::is32Bit):
        (JSC::isMIPS):
        Make these functions constexpr so we can use them in static variable assignment.

        * bytecode/SpeculatedType.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileDoubleRep):
        (JSC::DFG::SpeculativeJIT::compileLogicalNotStringOrOther):
        (JSC::DFG::SpeculativeJIT::emitStringOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::speculateCell):
        (JSC::DFG::SpeculativeJIT::speculateCellOrOther):
        (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
        (JSC::DFG::SpeculativeJIT::speculateString):
        (JSC::DFG::SpeculativeJIT::speculateStringOrOther):
        (JSC::DFG::SpeculativeJIT::speculateSymbol):
        (JSC::DFG::SpeculativeJIT::speculateNotCell):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep):
        (JSC::FTL::DFG::LowerDFGToB3::numberOrNotCellToInt32):
        (JSC::FTL::DFG::LowerDFGToB3::compareEqObjectOrOtherToObject):
        (JSC::FTL::DFG::LowerDFGToB3::boolify):
        (JSC::FTL::DFG::LowerDFGToB3::equalNullOrUndefined):
        (JSC::FTL::DFG::LowerDFGToB3::lowCell):
        (JSC::FTL::DFG::LowerDFGToB3::lowNotCell):
        (JSC::FTL::DFG::LowerDFGToB3::isCellOrMisc):
        (JSC::FTL::DFG::LowerDFGToB3::isNotCellOrMisc):
        (JSC::FTL::DFG::LowerDFGToB3::isNotCell):
        (JSC::FTL::DFG::LowerDFGToB3::isCell):
        (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
        (JSC::FTL::DFG::LowerDFGToB3::speculateObjectOrOther):
        (JSC::FTL::DFG::LowerDFGToB3::speculateString):
        (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):
        (JSC::FTL::DFG::LowerDFGToB3::speculateSymbol):

2017-06-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, suppress invalid register alloation validation assertion in 32 bit
        https://bugs.webkit.org/show_bug.cgi?id=172421

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):

2017-06-12  Oleksandr Skachkov  <gskachkov@gmail.com>

        We incorrectly allow escaped characters in keyword tokens
        https://bugs.webkit.org/show_bug.cgi?id=171310

        Reviewed by Yusuke Suzuki.

        According spec it is not allow to use escaped characters in 
        keywords. https://tc39.github.io/ecma262/#sec-reserved-words
        Current patch implements this requirements.


        * parser/Lexer.cpp:
        (JSC::Lexer<CharacterType>::parseIdentifierSlowCase):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::printUnexpectedTokenText):
        * parser/ParserTokens.h:

2017-06-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, add branch64(Cond, BaseIndex, RegisterID) for ARM64
        https://bugs.webkit.org/show_bug.cgi?id=172421

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::branch64):
        (JSC::MacroAssemblerARM64::branchPtr):

2017-06-12  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r218093.
        https://bugs.webkit.org/show_bug.cgi?id=173259

        Break builds (Requested by yusukesuzuki on #webkit).

        Reverted changeset:

        "Unreviewed, build fix for ARM64"
        https://bugs.webkit.org/show_bug.cgi?id=172421
        http://trac.webkit.org/changeset/218093

2017-06-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, build fix for ARM64
        https://bugs.webkit.org/show_bug.cgi?id=172421

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):

2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Add ArrayIndexOf intrinsic
        https://bugs.webkit.org/show_bug.cgi?id=172421

        Reviewed by Saam Barati.

        This patch introduces ArrayIndexOfInstrinsic for DFG and FTL optimizations.
        We emit array check and go fast path if the array is Array::Int32, Array::Double
        or Array::Continugous. In addition, for Array::Int32 and Array::Double case,
        we have inlined fast paths.

        With updated ARES-6 Babylon,

        Before
            firstIteration:     45.76 +- 3.87 ms
            averageWorstCase:   24.41 +- 2.17 ms
            steadyState:        8.01 +- 0.22 ms
        After
            firstIteration:     45.64 +- 4.23 ms
            averageWorstCase:   23.03 +- 3.34 ms
            steadyState:        7.33 +- 0.34 ms

        In SixSpeed.
                                         baseline                  patched

            map-set-lookup.es5      734.4701+-10.4383    ^    102.0968+-2.6357        ^ definitely 7.1939x faster
            map-set.es5              41.1396+-1.0558     ^     33.1916+-0.7986        ^ definitely 1.2395x faster
            map-set-object.es5       62.8317+-1.2518     ^     45.6944+-0.8369        ^ definitely 1.3750x faster

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasArrayMode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
        (JSC::DFG::SpeculativeJIT::speculateObject):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::speculateInt32):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf):
        * jit/JITOperations.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        * runtime/Intrinsic.cpp:
        (JSC::intrinsicName):
        * runtime/Intrinsic.h:

2017-06-11  Keith Miller  <keith_miller@apple.com>

        TypedArray constructor with string shouldn't throw
        https://bugs.webkit.org/show_bug.cgi?id=173181

        Reviewed by JF Bastien.

        We should be coercing primitive arguments to numbers in the various
        TypedArray constructors.

        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayViewWithArguments):

2017-06-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Make ThreadMessage portable
        https://bugs.webkit.org/show_bug.cgi?id=172073

        Reviewed by Keith Miller.

        * runtime/MachineContext.h:
        (JSC::MachineContext::stackPointer):
        * tools/CodeProfiling.cpp:
        (JSC::profilingTimer):

2017-06-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Shrink Structure size
        https://bugs.webkit.org/show_bug.cgi?id=173239

        Reviewed by Mark Lam.

        We find that the size of our Structure is slightly enlarged due to paddings.
        By changing the order of members, we can reduce the size from 120 to 112.
        This is good because 120 and 112 are categorized into different size classes.
        For 120, we allocate 128 bytes. And for 112, we allocate 112 bytes.
        We now save 16 bytes per Structure for free.

        * runtime/ConcurrentJSLock.h:
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        * runtime/Structure.h:

2017-06-11  Konstantin Tokarev  <annulen@yandex.ru>

        Unreviewed, attempt to fix JSC tests on Win after r217771

        * jsc.cpp:
        (currentWorkingDirectory): buffer is not NULL-terminated

2017-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Add RegisteredSymbolImpl
        https://bugs.webkit.org/show_bug.cgi?id=173230

        Reviewed by Mark Lam.

        * runtime/SymbolConstructor.cpp:
        (JSC::symbolConstructorKeyFor):

2017-06-10  Dan Bernstein  <mitz@apple.com>

        Reverted r218056 because it made the IDE reindex constantly.

        * Configurations/DebugRelease.xcconfig:

2017-06-10  Dan Bernstein  <mitz@apple.com>

        [Xcode] With Xcode 9 developer beta, everything rebuilds when switching between command-line and IDE
        https://bugs.webkit.org/show_bug.cgi?id=173223

        Reviewed by Sam Weinig.

        The rebuilds were happening due to a difference in the compiler options that the IDE and
        xcodebuild were specifying. Only the IDE was passing the -index-store-path option. To make
        xcodebuild pass that option, too, set CLANG_INDEX_STORE_ENABLE to YES if it is unset, and
        specify an appropriate path in CLANG_INDEX_STORE_PATH.

        * Configurations/DebugRelease.xcconfig:

2017-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Update RegExp.prototype.[@@search]] implementation according to the latest spec
        https://bugs.webkit.org/show_bug.cgi?id=173227

        Reviewed by Mark Lam.

        The latest spec introduces slight change to RegExp.prototype.[@@search].
        This patch applies this change. Basically, this change is done in the slow path of
        the RegExp.prototype[@@search].
        https://tc39.github.io/ecma262/#sec-regexp.prototype-@@search

        * builtins/RegExpPrototype.js:
        (search):

2017-06-09  Chris Dumez  <cdumez@apple.com>

        Update Thread::create() to take in a WTF::Function instead of a std::function
        https://bugs.webkit.org/show_bug.cgi?id=173175

        Reviewed by Mark Lam.

        * API/tests/CompareAndSwapTest.cpp:
        (testCompareAndSwap):

2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Add verboseDFGOSRExit
        https://bugs.webkit.org/show_bug.cgi?id=173156

        Reviewed by Saam Barati.

        This patch adds verboseDFGOSRExit which is similar to verboseFTLOSRExit.

        * dfg/DFGOSRExitCompiler.cpp:
        * runtime/Options.h:

2017-06-09  Guillaume Emont  <guijemont@igalia.com>

        [JSC][MIPS] Add MacroAssemblerMIPS::xor32(Address, RegisterID) implementation
        https://bugs.webkit.org/show_bug.cgi?id=173170

        Reviewed by Yusuke Suzuki.

        MIPS does not build since r217711 because it is missing this
        implementation. This patch fixes the build.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::xor32):

2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] FTL does not require dlfcn
        https://bugs.webkit.org/show_bug.cgi?id=173143

        Reviewed by Darin Adler.

        We no longer use LLVM library. Thus, dlfcn.h is not necessary.
        Also, ProcessID is not used in FTLLowerDFGToB3.cpp.

        * ftl/FTLLowerDFGToB3.cpp:

2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Add --verboseDFGFailure
        https://bugs.webkit.org/show_bug.cgi?id=173155

        Reviewed by Sam Weinig.

        Similar to verboseFTLFailure, JSC should have verboseDFGFailure flag to show DFG failures quickly.

        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::verboseCapabilities):
        (JSC::DFG::debugFail):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:

2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Drop OS(DARWIN) for VM_TAG_FOR_WEBASSEMBLY_MEMORY
        https://bugs.webkit.org/show_bug.cgi?id=173147

        Reviewed by JF Bastien.

        Because this value becomes -1 in non-Darwin environments.
        Thus, we do not need to use OS(DARWIN) here.

        * wasm/WasmMemory.cpp:

2017-06-09  Daewoong Jang  <daewoong.jang@navercorp.com>

        Reduce compiler warnings
        https://bugs.webkit.org/show_bug.cgi?id=172078

        Reviewed by Yusuke Suzuki.

        * runtime/IntlDateTimeFormat.h:

2017-06-08  Joseph Pecoraro  <pecoraro@apple.com>

        [Cocoa] JSWrapperMap leaks for all JSContexts
        https://bugs.webkit.org/show_bug.cgi?id=173110
        <rdar://problem/32602198>

        Reviewed by Geoffrey Garen.

        * API/JSContext.mm:
        (-[JSContext ensureWrapperMap]):
        Ensure this allocation gets released.

2017-06-08  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION: js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-5.html has a flaky failure
        https://bugs.webkit.org/show_bug.cgi?id=161156

        Reviewed by Saam Barati.
        
        Since LLInt does not register impure property watchpoints for self property accesses, it
        shouldn't try to cache accesses that require a watchpoint.
        
        This manifested as a flaky failure because the test would fire the watchpoint after we had
        usually already tiered up. Without concurrent JIT, we would have always tiered up before
        getting to the bad case. With concurrent JIT, we would sometimes not tier up by that time. This
        also adds a test that deterministically failed in LLInt without this change; it does so by just
        running a lot shorter.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2017-06-08  Keith Miller  <keith_miller@apple.com>

        WebAssembly: We should only create wrappers for functions that can be exported
        https://bugs.webkit.org/show_bug.cgi?id=173088

        Reviewed by Saam Barati.

        This patch makes it so we only create wrappers for WebAssembly functions that
        can actually be exported. It appears to be a ~2.5% speedup on WasmBench compile times.

        This patch also removes most of the old testWasmModuleFunctions api from the jsc CLI.
        Most of the tests were duplicates of ones in the spec-tests directory. The others I
        have converted to use the normal API.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (valueWithTypeOfWasmValue): Deleted.
        (box): Deleted.
        (callWasmFunction): Deleted.
        (functionTestWasmModuleFunctions): Deleted.
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::createJSToWasmWrapper):
        (JSC::Wasm::parseAndCompile):
        * wasm/WasmB3IRGenerator.h:
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::prepare):
        (JSC::Wasm::BBQPlan::compileFunctions):
        (JSC::Wasm::BBQPlan::complete):
        * wasm/WasmBBQPlan.h:
        * wasm/WasmBBQPlanInlines.h:
        (JSC::Wasm::BBQPlan::initializeCallees):
        * wasm/WasmCodeBlock.cpp:
        (JSC::Wasm::CodeBlock::CodeBlock):
        * wasm/WasmCodeBlock.h:
        (JSC::Wasm::CodeBlock::jsEntrypointCalleeFromFunctionIndexSpace):
        * wasm/WasmFormat.h:
        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::OMGPlan::work):

2017-06-07  JF Bastien  <jfbastien@apple.com>

        WebAssembly: test imports and exports with 16-bit characters
        https://bugs.webkit.org/show_bug.cgi?id=165977
        <rdar://problem/29760130>

        Reviewed by Saam Barati.

        Add the missing UTF-8 conversions. Improve import failure error
        messages, otherwise it's hard to figure out which import is wrong.

        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::finishCreation):
        (JSC::WebAssemblyModuleRecord::link):

2017-06-07  Devin Rousso  <drousso@apple.com>

        Web Inspector: Add ContextMenu item to log WebSocket object to console
        https://bugs.webkit.org/show_bug.cgi?id=172878

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Network.json:
        Add resolveWebSocket command.

2017-06-07  Jon Davis  <jond@apple.com>

        Update feature status for features Supported In Preview
        https://bugs.webkit.org/show_bug.cgi?id=173071

        Reviewed by Darin Adler.

        Updated Media Capture and Streams, Performance Observer, Resource Timing Level 2,
        User Timing Level 2, Web Cryptography API, WebGL 2, WebRTC.

        * features.json:

2017-06-07  Saam Barati  <sbarati@apple.com>

        Assertion failure in com.apple.WebKit.WebContent.Development in com.apple.JavaScriptCore: JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined + 141
        https://bugs.webkit.org/show_bug.cgi?id=172673
        <rdar://problem/32250144>

        Reviewed by Mark Lam.

        This patch simply removes this assertion. It's faulty because it
        races with the main thread when doing concurrent compilation.
        
        Consider a program with:
        - a FrozenValue over an object O and Structure S1. S1 starts off as dfgWatchable() being true.
        - Structure S2
        
        The DFG IR is like so:
          a: JSConstant(O) // FrozenValue {O, S1}
          b: CheckStructure(@a, S2)
          c: ToThis(@a)
          d: CheckEq(@c, nullConstant)
          Branch(@d)
        
        The AbstractValue for @a will start off as having a finite structure because S1 is dfgWatchable().
        When running AI, we'll notice that node @b will OSR exit, so nodes after
        @b are unreachable. Later in the compilation, S1 is no longer dfgWatchable().
        Now, when running AI, @a will have Top for its structure set. No longer will
        we think @b exits.
        
        The DFG backend asserts that under such a situation, we should have simplified
        the CheckEq to false. However, this is a racy thing to assert, since the
        transition from dfgWatchable() to !dfgWatchable() can happen right before we
        enter the backend. Hence, this assertion is not valid.
        
        (Note, the generated code for the above program will never actually execute.
        Since we noticed S1 as dfgWatchable(), we make the compilation dependent on
        S1 not transitioning. S1 transitions, so we won't actually run the code that
        gets compiled.)

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):

2017-06-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] has_generic_property never accepts non-String
        https://bugs.webkit.org/show_bug.cgi?id=173057

        Reviewed by Darin Adler.

        We never pass non-String value to has_generic_property bytecode.

        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):

2017-06-06  Fujii Hironori  <Hironori.Fujii@sony.com>

        [Win][x86-64] Some callee saved registers aren't preserved
        https://bugs.webkit.org/show_bug.cgi?id=171266

        Reviewed by Saam Barati.

        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::calleeSaveRegisters): Added edi and esi for X86_64 Windows.

2017-06-06  Mark Lam  <mark.lam@apple.com>

        Contiguous storage butterfly length should not exceed MAX_STORAGE_VECTOR_LENGTH.
        https://bugs.webkit.org/show_bug.cgi?id=173035
        <rdar://problem/32554593>

        Reviewed by Geoffrey Garen and Filip Pizlo.

        Also added and fixed up some assertions.

        * runtime/ArrayConventions.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::setLength):
        * runtime/JSObject.cpp:
        (JSC::JSObject::createInitialIndexedStorage):
        (JSC::JSObject::ensureLengthSlow):
        (JSC::JSObject::reallocateAndShrinkButterfly):
        * runtime/JSObject.h:
        (JSC::JSObject::ensureLength):
        * runtime/RegExpObject.cpp:
        (JSC::collectMatches):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncSplitFast):

2017-06-06  Saam Barati  <sbarati@apple.com>

        Make sure we restore SP when doing calls that could be to JS
        https://bugs.webkit.org/show_bug.cgi?id=172946
        <rdar://problem/32579026>

        Reviewed by JF Bastien.

        I was worried that there was a bug where we'd call JS, JS would tail call,
        and we'd end up with a bogus SP. However, this bug does not exist since wasm
        always calls to JS through a stub, and the stub treats SP as a callee save.
        
        I wrote a test for this, and also made a note that this is the needed ABI.

        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToJs):

2017-06-06  Keith Miller  <keith_miller@apple.com>

        OMG tier up checks should be a patchpoint
        https://bugs.webkit.org/show_bug.cgi?id=172944

        Reviewed by Saam Barati.

        Tier up checks in BBQ should be done as a patchpoint rather than individual B3 opcodes.
        In order to reduce code generated out of line in each function. We generate a single stub
        that pushes all the callee-saves. This looks like a 5-10% compile time speedup.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
        (JSC::Wasm::B3IRGenerator::addLoop):
        * wasm/WasmThunks.cpp:
        (JSC::Wasm::triggerOMGTierUpThunkGenerator):
        * wasm/WasmThunks.h:

2017-06-06  Darin Adler  <darin@apple.com>

        Cut down use of WTF_ARRAY_LENGTH
        https://bugs.webkit.org/show_bug.cgi?id=172997

        Reviewed by Chris Dumez.

        * parser/Lexer.cpp:
        (JSC::singleEscape): Use WTF_ARRAY_LENGTH instead of ARRAY_SIZE.

        * runtime/NumberPrototype.cpp:
        (JSC::toStringWithRadix): Use std::end instead of WTF_ARRAY_LENGTH.

2017-06-06  Konstantin Tokarev  <annulen@yandex.ru>

        Add missing <functional> includes
        https://bugs.webkit.org/show_bug.cgi?id=173017

        Patch by Thiago Macieira <thiago.macieira@intel.com>
        Reviewed by Yusuke Suzuki.

        This patch fixes compilation with GCC 7.

        * inspector/InspectorBackendDispatcher.h:

2017-06-06  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix 32-bit build.

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_unreachable):

2017-06-06  Joseph Pecoraro  <pecoraro@apple.com>

        Unreviewed rollout r217807. Caused a test to crash.

        * heap/HeapSnapshotBuilder.cpp:
        (JSC::HeapSnapshotBuilder::buildSnapshot):
        (JSC::HeapSnapshotBuilder::json):
        (): Deleted.
        * heap/HeapSnapshotBuilder.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::calculatedClassName):

2017-06-06  Filip Pizlo  <fpizlo@apple.com>

        index out of bound in bytecodebasicblock
        https://bugs.webkit.org/show_bug.cgi?id=172963

        Reviewed by Saam Barati and Mark Lam.
        
        We were leaving an unterminated basic block when generating CodeForCall for a class
        constructor. This was mostly benign since that unterminated block was not reachable, but it
        does cause an ASSERT.
        
        This fixes the issue by appending op_unreachable to that block. I added op_unreachable because
        this really is the cleanest and most idiomatic way to solve this problem, so even though it
        makes the change bigger it's probabably worth it.

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/Opcode.h:
        (JSC::isTerminal):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::emitUnreachable):
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileUnreachable):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_unreachable):
        * llint/LowLevelInterpreter.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:

2017-06-06  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r217812.

        This change caused test failures on arm64.

        Reverted changeset:

        "OMG tier up checks should be a patchpoint"
        https://bugs.webkit.org/show_bug.cgi?id=172944
        http://trac.webkit.org/changeset/217812

2017-06-06  Carlos Garcia Campos  <cgarcia@igalia.com>

        [WPE] Enable remote inspector
        https://bugs.webkit.org/show_bug.cgi?id=172971

        Reviewed by Žan Doberšek.

        We can just build the current glib remote inspector, without adding a frontend implementation and using a
        WebKitGTK+ browser as frontend for now.

        * PlatformWPE.cmake: Add remote inspector files to compilation.
        * inspector/remote/glib/RemoteInspectorUtils.cpp:
        (Inspector::backendCommands): Load the inspector resources library.

2017-06-06  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Make remote inspector DBus protocol common to all glib based ports
        https://bugs.webkit.org/show_bug.cgi?id=172970

        Reviewed by Žan Doberšek.

        We are currently using "webkitgtk" in the names of DBus interfaces and object paths inside an ifdef with the
        idea that other ports could use their own names. However, the protocol is the same, so we could use the same
        names and make all glib based ports compatible to each other. This way we could use the GTK+ MiniBrowser to
        debug WPE, without having to implement the frontend part in WPE yet.

        * inspector/remote/glib/RemoteInspectorGlib.cpp: Use webkit instead of webkitgtk and reomve platform idfeds.
        * inspector/remote/glib/RemoteInspectorServer.cpp: Ditto.

2017-06-06  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GTK] Web Process deadlock when closing the remote inspector frontend
        https://bugs.webkit.org/show_bug.cgi?id=172973

        Reviewed by Žan Doberšek.

        We are taking the remote inspector mutex twice. First close message is received, and receivedCloseMessage()
        takes the mutex. Then RemoteConnectionToTarget::close() is called that, when connected, calls
        PageDebuggable::disconnect() that ends up calling RemoteInspector::updateTarget() that also takes the remote
        inspector mutex. We should release the mutex before calling RemoteConnectionToTarget::close().

        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::receivedCloseMessage):

2017-06-05  Saam Barati  <sbarati@apple.com>

        Try to fix features.json by adding an ESNext section.

        Unreviewed.

        * features.json:

2017-06-05  David Kilzer  <ddkilzer@apple.com>

        Follow-up: Update JSC's features.json
        https://bugs.webkit.org/show_bug.cgi?id=172942

        Rubber-stamped by Jon Davis.

        * features.json: Change "Supported in preview" to
        "Supported" to try to fix <https://webkit.org/status/>.

2017-06-05  Saam Barati  <sbarati@apple.com>

        We don't properly parse init_expr when the opcode is an unexpected opcode
        https://bugs.webkit.org/show_bug.cgi?id=172945

        Reviewed by JF Bastien.

        The bug is a simple typo. It should use the constant
        `true` instead of `false` when invoking the WASM_PARSER_FAIL_IF
        macro. This failure is already caught by spec tests that fail
        on arm64 devices.

        * wasm/WasmModuleParser.cpp:

2017-06-05  Keith Miller  <keith_miller@apple.com>

        OMG tier up checks should be a patchpoint
        https://bugs.webkit.org/show_bug.cgi?id=172944

        Reviewed by Saam Barati.

        Tier up checks in BBQ should be done as a patchpoint rather than individual B3 opcodes.
        In order to reduce code generated out of line in each function. We generate a single stub
        that pushes all the callee-saves. This looks like a 5-10% compile time speedup.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
        (JSC::Wasm::B3IRGenerator::addLoop):
        * wasm/WasmThunks.cpp:
        (JSC::Wasm::triggerOMGTierUpThunkGenerator):
        * wasm/WasmThunks.h:

2017-06-05  Joseph Pecoraro  <pecoraro@apple.com>

        Remove unused VM members
        https://bugs.webkit.org/show_bug.cgi?id=172941

        Reviewed by Mark Lam.

        * runtime/HashMapImpl.h:
        (JSC::HashMapImpl::selectStructure): Deleted.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2017-06-05  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
        https://bugs.webkit.org/show_bug.cgi?id=172848
        <rdar://problem/25709212>

        Reviewed by Saam Barati.

        * heap/HeapSnapshotBuilder.h:
        * heap/HeapSnapshotBuilder.cpp:
        Update the snapshot version. Change the node's 0 | 1 internal value
        to be a 32bit bit flag. This is nice in that it is both compatible
        with the previous snapshot version and the same size. We can use more
        flags in the future.

        (JSC::HeapSnapshotBuilder::json):
        In cases where the classInfo gives us "Object" check for a better
        class name by checking (o).__proto__.constructor.name. We avoid this
        check in cases where (o).hasOwnProperty("constructor") which is the
        case for most Foo.prototype objects. Otherwise this would get the
        name of the Foo superclass for the Foo.prototype object.

        * runtime/JSObject.cpp:
        (JSC::JSObject::calculatedClassName):
        Handle some possible edge cases that were not handled before. Such
        as a JSObject without a GlobalObject, and an object which doesn't
        have a default getPrototype. Try to make the code a little clearer.

2017-06-05  Saam Barati  <sbarati@apple.com>

        Update JSC's features.json
        https://bugs.webkit.org/show_bug.cgi?id=172942

        Rubber stamped by Mark Lam.

        * features.json:

2017-06-04  Konstantin Tokarev  <annulen@yandex.ru>

        Fix build of Windows-specific code with ICU 59.1
        https://bugs.webkit.org/show_bug.cgi?id=172729

        Reviewed by Darin Adler.

        Fix conversions from WTF::String to wchar_t* and vice versa.

        * jsc.cpp:
        (currentWorkingDirectory):
        (fetchModuleFromLocalFileSystem):
        * runtime/DateConversion.cpp:
        (JSC::formatDateTime):

2017-06-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Drop unnecessary USE(CF) guard for getenv
        https://bugs.webkit.org/show_bug.cgi?id=172903

        Reviewed by Sam Weinig.

        getenv is not related to USE(CF) and OS(UNIX). It seems that this
        ifdef only hits in WinCairo, but WinCairo can use getenv.
        Moreover, in VM::VM, we already use getenv without any ifdef guard.

        This patch just drops it.

        * runtime/VM.cpp:
        (JSC::enableAssembler):

2017-06-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Drop OS(DARWIN) for uintptr_t type conflict
        https://bugs.webkit.org/show_bug.cgi?id=172904

        Reviewed by Sam Weinig.

        In non-Darwin environment, uintptr_t may have the same type
        to uint64_t. We avoided the compile error by using OS(DARWIN).
        But, since it depends on cstdint implementaion rather than OS, it is flaky.
        Instead, we just use template parameter IntegralType.
        And we describe the type constraint in a SFINAE manner.

        * dfg/DFGOpInfo.h:
        (JSC::DFG::OpInfo::OpInfo):

2017-06-03  Csaba Osztrogonác  <ossy@webkit.org>

        [ARM] Unreviewed buildfix after r217711.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::xor32):

2017-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        ASSERTION FAILED: "We should only declare a function as a lexically scoped variable in scopes where var declarations aren't allowed. ..." for function redeclaration with async function module export
        https://bugs.webkit.org/show_bug.cgi?id=168844

        Reviewed by Saam Barati.

        As the same to the exported function declaration, we should set statementDepth = 1 for exported async function declaration.

        * parser/Parser.cpp:
        (JSC::DepthManager::DepthManager):
        (JSC::Parser<LexerType>::parseExportDeclaration):
        * parser/Parser.h:
        (JSC::Parser::DepthManager::DepthManager): Deleted.
        (JSC::Parser::DepthManager::~DepthManager): Deleted.

2017-06-02  Keith Miller  <keith_miller@apple.com>

        Defer installing mach breakpoint handler until watchdog is actually called
        https://bugs.webkit.org/show_bug.cgi?id=172885

        Reviewed by Saam Barati.

        Eagerly installing the mach breakpoint handler causes issues with Xcode GUI debugging.
        This hides the issue, so it won't occur as often.

        * runtime/VMTraps.cpp:
        (JSC::VMTraps::SignalSender::send):
        (JSC::VMTraps::VMTraps): Deleted.
        * runtime/VMTraps.h:

2017-06-02  Filip Pizlo  <fpizlo@apple.com>

        Atomics.load and Atomics.store need to be fully fenced
        https://bugs.webkit.org/show_bug.cgi?id=172844

        Reviewed by Keith Miller.
        
        Implement fully fenced loads and stores in FTL using AtomicXchgAdd(0, ptr) for the load and
        AtomicXchg(value, ptr) for the store.
        
        DFG needed no changes because it implements all atomics using a CAS loop.
        
        AtomicsObject.cpp now uses new Atomic<> API for fully fences loads and stores.
        
        Prior to this change, we used half fences (acquire/release) for atomic loads and stores. This
        is not correct according to my current understanding of the SAB memory model, which requires
        that atomic operations are SC with respect to everything not just other atomics.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
        * ftl/FTLOutput.cpp:
        (JSC::FTL::Output::atomicWeakCAS):
        * ftl/FTLOutput.h:
        * runtime/AtomicsObject.cpp:

2017-06-02  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, attempt to fix the iOS build after r217711.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::xor32):
        (JSC::MacroAssemblerARM64::xor64):

2017-06-01  Filip Pizlo  <fpizlo@apple.com>

        GC should use scrambled free-lists
        https://bugs.webkit.org/show_bug.cgi?id=172793

        Reviewed by Mark Lam.
        
        Previously, our bump'n'pop allocator would use a conventional linked-list for the free-list.
        The linked-list would be threaded through free memory, as is the usual convention.
        
        This scrambles the next pointers of that free-list. It also scrambles the head pointer, because
        this leads to a more natural fast-path structure and saves one register on ARM64.
        
        The secret with which pointers are scrambled is per-allocator. Allocators choose a new secret
        every time they do a sweep-to-pop.
        
        This doesn't change the behavior of the bump part of bump'n'pop, but it does refactor the code
        quite a bit. Previously, there were four copies of the allocator fast path: two in
        MarkedAllocatorInlines.h, one in MarkedAllocator.cpp, and one in AssemblyHelpers.h. The JIT one
        was obviously different-looking, but the other three were almost identical. This moves all of
        that logic into FreeList. There are now just two copies of the allocator: FreeListInlines.h and
        AssemblyHelpers.h.
        
        This appears to be just as fast as our previously allocator.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/FreeList.cpp:
        (JSC::FreeList::FreeList):
        (JSC::FreeList::~FreeList):
        (JSC::FreeList::clear):
        (JSC::FreeList::initializeList):
        (JSC::FreeList::initializeBump):
        (JSC::FreeList::contains):
        (JSC::FreeList::dump):
        * heap/FreeList.h:
        (JSC::FreeList::allocationWillFail):
        (JSC::FreeList::originalSize):
        (JSC::FreeList::addressOfList):
        (JSC::FreeList::offsetOfBlock):
        (JSC::FreeList::offsetOfList):
        (JSC::FreeList::offsetOfIndex):
        (JSC::FreeList::offsetOfPayloadEnd):
        (JSC::FreeList::offsetOfRemaining):
        (JSC::FreeList::offsetOfOriginalSize):
        (JSC::FreeList::FreeList): Deleted.
        (JSC::FreeList::list): Deleted.
        (JSC::FreeList::bump): Deleted.
        (JSC::FreeList::operator==): Deleted.
        (JSC::FreeList::operator!=): Deleted.
        (JSC::FreeList::operator bool): Deleted.
        * heap/FreeListInlines.h: Added.
        (JSC::FreeList::addFreeCell):
        (JSC::FreeList::allocate):
        (JSC::FreeList::forEach):
        (JSC::FreeList::toOffset):
        (JSC::FreeList::fromOffset):
        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::sweepNextBlock):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::MarkedAllocator):
        (JSC::MarkedAllocator::didConsumeFreeList):
        (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
        (JSC::MarkedAllocator::tryAllocateIn):
        (JSC::MarkedAllocator::allocateSlowCaseImpl):
        (JSC::MarkedAllocator::stopAllocating):
        (JSC::MarkedAllocator::prepareForAllocation):
        (JSC::MarkedAllocator::resumeAllocating):
        (JSC::MarkedAllocator::sweep):
        (JSC::MarkedAllocator::setFreeList): Deleted.
        * heap/MarkedAllocator.h:
        (JSC::MarkedAllocator::freeList):
        (JSC::MarkedAllocator::isFreeListedCell): Deleted.
        * heap/MarkedAllocatorInlines.h:
        (JSC::MarkedAllocator::isFreeListedCell):
        (JSC::MarkedAllocator::tryAllocate):
        (JSC::MarkedAllocator::allocate):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::Handle::stopAllocating):
        (JSC::MarkedBlock::Handle::lastChanceToFinalize):
        (JSC::MarkedBlock::Handle::resumeAllocating):
        (JSC::MarkedBlock::Handle::zap):
        (JSC::MarkedBlock::Handle::sweep):
        (JSC::MarkedBlock::Handle::isFreeListedCell):
        (JSC::MarkedBlock::Handle::forEachFreeCell): Deleted.
        * heap/MarkedBlock.h:
        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::Handle::specializedSweep):
        (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace):
        (JSC::MarkedBlock::Handle::isFreeListedCell): Deleted.
        * heap/Subspace.cpp:
        (JSC::Subspace::finishSweep):
        * heap/Subspace.h:
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
        * runtime/JSDestructibleObjectSubspace.cpp:
        (JSC::JSDestructibleObjectSubspace::finishSweep):
        * runtime/JSDestructibleObjectSubspace.h:
        * runtime/JSSegmentedVariableObjectSubspace.cpp:
        (JSC::JSSegmentedVariableObjectSubspace::finishSweep):
        * runtime/JSSegmentedVariableObjectSubspace.h:
        * runtime/JSStringSubspace.cpp:
        (JSC::JSStringSubspace::finishSweep):
        * runtime/JSStringSubspace.h:
        * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp:
        (JSC::JSWebAssemblyCodeBlockSubspace::finishSweep):
        * wasm/js/JSWebAssemblyCodeBlockSubspace.h:

2017-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use @globalPrivate for concatSlowPath
        https://bugs.webkit.org/show_bug.cgi?id=172802

        Reviewed by Darin Adler.

        Use @globalPrivate instead of manually putting it to JSGlobalObject.

        * builtins/ArrayPrototype.js:
        (concatSlowPath): Deleted.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):

2017-06-01  Andy Estes  <aestes@apple.com>

        REGRESSION (r217626): ENABLE_APPLE_PAY_SESSION_V3 was disabled by mistake
        https://bugs.webkit.org/show_bug.cgi?id=172828

        Reviewed by Beth Dakin.

        * Configurations/FeatureDefines.xcconfig:

2017-06-01  Keith Miller  <keith_miller@apple.com>

        Undo rollout in r217638 with bug fix
        https://bugs.webkit.org/show_bug.cgi?id=172824

        Unreviewed, reland patch with unused set_state code removed.

        * API/tests/ExecutionTimeLimitTest.cpp:
        (dispatchTermitateCallback):
        (testExecutionTimeLimit):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        * runtime/Options.cpp:
        (JSC::overrideDefaults):
        (JSC::Options::initialize):
        * runtime/Options.h:
        * runtime/VMTraps.cpp:
        (JSC::SignalContext::SignalContext):
        (JSC::SignalContext::adjustPCToPointToTrappingInstruction):
        (JSC::installSignalHandler):
        (JSC::VMTraps::SignalSender::send):
        * tools/SigillCrashAnalyzer.cpp:
        (JSC::SignalContext::SignalContext):
        (JSC::SignalContext::dump):
        (JSC::installCrashHandler):
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::compileFunctions):
        * wasm/WasmFaultSignalHandler.cpp:
        (JSC::Wasm::trapHandler):
        (JSC::Wasm::enableFastMemory):
        * wasm/WasmMachineThreads.cpp:
        (JSC::Wasm::resetInstructionCacheOnAllThreads):

2017-06-01  Guillaume Emont  <guijemont@igalia.com>

        [JSC][MIPS] SamplingProfiler::timerLoop() sleeps for 4000+ seconds
        https://bugs.webkit.org/show_bug.cgi?id=172800

        Reviewed by Saam Barati.

        This fixes a static_cast<uint64_t> by making it a cast to int64_t
        instead, which looks like the original intent. This fixes the
        sampling-profiler tests in JSTests/stress.

        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::timerLoop):

2017-06-01  Tomas Popela  <tpopela@redhat.com>, Mark Lam  <mark.lam@apple.com>

        RELEASE_ASSERT_NOT_REACHED() in InferredType::kindForFlags() on Big-Endians
        https://bugs.webkit.org/show_bug.cgi?id=170945

        Reviewed by Mark Lam.

        Re-define PutByIdFlags as a int32_t enum explicitly because it is
        stored as an int32_t value in UnlinkedInstruction.  This prevents
        a bug on 64-bit big endian architectures where the word order is
        inverted (when we convert the UnlinkedInstruction into a CodeBlock
        Instruction), resulting in the PutByIdFlags value not being stored in
        the 32-bit word that the rest of the code expects it to be in.

        * bytecode/PutByIdFlags.h:

2017-05-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Implement String.prototype.concat in JS builtins
        https://bugs.webkit.org/show_bug.cgi?id=172798

        Reviewed by Sam Weinig.

        Since we have highly effective + operation for strings,
        implementing String.prototype.concat in JS simplifies the
        implementation and improves performance by using speculated
        types.

        Added microbenchmarks show performance improvement.

        string-concat-long-convert     1063.2787+-12.9101    ^    109.0855+-2.8083        ^ definitely 9.7472x faster
        string-concat-convert          1111.1366+-12.2363    ^     99.3402+-1.9874        ^ definitely 11.1852x faster
        string-concat                   131.7377+-3.8359     ^     54.3949+-0.9580        ^ definitely 2.4219x faster
        string-concat-long               79.4726+-1.9644     ^     64.6301+-1.4941        ^ definitely 1.2297x faster

        * builtins/StringPrototype.js:
        (globalPrivate.stringConcatSlowPath):
        (concat):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        (JSC::stringProtoFuncConcat): Deleted.

2017-05-31  Mark Lam  <mark.lam@apple.com>

        Remove overrides of visitChildren() that do not add any functionality.
        https://bugs.webkit.org/show_bug.cgi?id=172789
        <rdar://problem/32500865>

        Reviewed by Andreas Kling.

        * bytecode/UnlinkedModuleProgramCodeBlock.cpp:
        (JSC::UnlinkedModuleProgramCodeBlock::visitChildren): Deleted.
        * bytecode/UnlinkedModuleProgramCodeBlock.h:
        * bytecode/UnlinkedProgramCodeBlock.cpp:
        (JSC::UnlinkedProgramCodeBlock::visitChildren): Deleted.
        * bytecode/UnlinkedProgramCodeBlock.h:
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::WebAssemblyFunction::visitChildren): Deleted.
        * wasm/js/WebAssemblyFunction.h:
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::WebAssemblyInstanceConstructor::visitChildren): Deleted.
        * wasm/js/WebAssemblyInstanceConstructor.h:
        * wasm/js/WebAssemblyMemoryConstructor.cpp:
        (JSC::WebAssemblyMemoryConstructor::visitChildren): Deleted.
        * wasm/js/WebAssemblyMemoryConstructor.h:
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        (JSC::WebAssemblyModuleConstructor::visitChildren): Deleted.
        * wasm/js/WebAssemblyModuleConstructor.h:
        * wasm/js/WebAssemblyTableConstructor.cpp:
        (JSC::WebAssemblyTableConstructor::visitChildren): Deleted.
        * wasm/js/WebAssemblyTableConstructor.h:

2017-05-31  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r217611 and r217631.
        https://bugs.webkit.org/show_bug.cgi?id=172785

        "caused wasm-hashset-many.html to become flaky." (Requested by
        keith_miller on #webkit).

        Reverted changesets:

        "Reland r216808, underlying lldb bug has been fixed."
        https://bugs.webkit.org/show_bug.cgi?id=172759
        http://trac.webkit.org/changeset/217611

        "Use dispatch queues for mach exceptions"
        https://bugs.webkit.org/show_bug.cgi?id=172775
        http://trac.webkit.org/changeset/217631

2017-05-31  Oleksandr Skachkov  <gskachkov@gmail.com>

        Rolling out: Prevent async methods named 'function'
        https://bugs.webkit.org/show_bug.cgi?id=172776

        Reviewed by Mark Lam.

        Rolling out https://bugs.webkit.org/show_bug.cgi?id=172660 r217578, 
        https://bugs.webkit.org/show_bug.cgi?id=172598  r217478
        PR to spec was closed, so changes need to roll out. See
        https://github.com/tc39/ecma262/pull/884#issuecomment-305212494 

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseClass):
        (JSC::Parser<LexerType>::parsePropertyMethod):

2017-05-31  Andy Estes  <aestes@apple.com>

        Rename ENABLE_APPLE_PAY_DELEGATE to ENABLE_APPLE_PAY_SESSION_V3 and bump the supported version number
        https://bugs.webkit.org/show_bug.cgi?id=172366

        Reviewed by Daniel Bates.

        * Configurations/FeatureDefines.xcconfig:

2017-05-31  Keith Miller  <keith_miller@apple.com>

        Reland r216808, underlying lldb bug has been fixed.
        https://bugs.webkit.org/show_bug.cgi?id=172759


        Unreviewed, relanding old patch. See: rdar://problem/31183352

        * API/tests/ExecutionTimeLimitTest.cpp:
        (dispatchTermitateCallback):
        (testExecutionTimeLimit):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        * runtime/Options.cpp:
        (JSC::overrideDefaults):
        (JSC::Options::initialize):
        * runtime/Options.h:
        * runtime/VMTraps.cpp:
        (JSC::SignalContext::SignalContext):
        (JSC::SignalContext::adjustPCToPointToTrappingInstruction):
        (JSC::installSignalHandler):
        (JSC::VMTraps::SignalSender::send):
        * tools/SigillCrashAnalyzer.cpp:
        (JSC::SignalContext::SignalContext):
        (JSC::SignalContext::dump):
        (JSC::installCrashHandler):
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::compileFunctions):
        * wasm/WasmFaultSignalHandler.cpp:
        (JSC::Wasm::trapHandler):
        (JSC::Wasm::enableFastMemory):
        * wasm/WasmMachineThreads.cpp:
        (JSC::Wasm::resetInstructionCacheOnAllThreads):

2017-05-31  Keith Miller  <keith_miller@apple.com>

        Fix leak in PromiseDeferredTimer
        https://bugs.webkit.org/show_bug.cgi?id=172755

        Reviewed by JF Bastien.

        We were not properly freeing the list of dependencies if we were already tracking the promise before.
        This is because addPendingPromise takes the list of dependencies as an rvalue-reference. In the case
        where we were already tracking the promise we append the provided dependency list to the existing list.
        Since we never bound or rvalue-ref to a non-temporary value we never destructed the Vector, leaking its
        contents.

        * runtime/PromiseDeferredTimer.cpp:
        (JSC::PromiseDeferredTimer::addPendingPromise):

2017-05-30  Oleksandr Skachkov  <gskachkov@gmail.com>

        Prevent async methods named 'function' in Object literal
        https://bugs.webkit.org/show_bug.cgi?id=172660

        Reviewed by Saam Barati.

        Prevent async method named 'function' in object.
        https://github.com/tc39/ecma262/pull/884

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parsePropertyMethod):

2017-05-30  Oleksandr Skachkov  <gskachkov@gmail.com>

        ASSERTION FAILED: generator.isConstructor() || generator.derivedContextType() == DerivedContextType::DerivedConstructorContext
        https://bugs.webkit.org/show_bug.cgi?id=171274

        Reviewed by Saam Barati.

        Current patch allow to use async arrow function within constructor,
        and allow to access to `this`. Current patch force load 'this' from 
        virtual scope each time as we access to `this` in async arrow function
        within constructor it is neccessary because async function can be 
        suspended and `superCall` can be called and async function resumed. 
   
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitPutGeneratorFields):
        (JSC::BytecodeGenerator::ensureThis):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::makeFunction):

2017-05-30  Ali Juma  <ajuma@chromium.org>

        [CredentialManagement] Incorporate IDL updates from latest spec
        https://bugs.webkit.org/show_bug.cgi?id=172011

        Reviewed by Daniel Bates.

        * runtime/CommonIdentifiers.h:

2017-05-30  Alex Christensen  <achristensen@webkit.org>

        Update libwebrtc configuration
        https://bugs.webkit.org/show_bug.cgi?id=172727

        Reviewed by Geoffrey Garen.

        * Configurations/FeatureDefines.xcconfig:

2017-05-28  Dan Bernstein  <mitz@apple.com>

        [Xcode] ALWAYS_SEARCH_USER_PATHS is set to YES
        https://bugs.webkit.org/show_bug.cgi?id=172691

        Reviewed by Tim Horton.

        * Configurations/Base.xcconfig: Set ALWAYS_SEARCH_USER_PATHS to NO.
        * JavaScriptCore.xcodeproj/project.pbxproj: Added ParseInt.h to the JavaScriptCore target.

2017-05-28  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Provide better type information of toLength and tighten bytecode
        https://bugs.webkit.org/show_bug.cgi?id=172690

        Reviewed by Sam Weinig.

        In this patch, we carefully leverage operator + in order to

        1. tighten bytecode

        operator+ emits to_number bytecode. What this bytecode does is the same
        to @Number() call. It is more efficient, and it is smaller bytecode
        than @Number() call (load global variable @Number, set up arguments, and
        call it).

        2. offer better type prediction data

        Now, we have code like

            length > 0 ? (length < @MAX_SAFE_INTEGER ? length : @MAX_SAFE_INTEGER) : 0

        This is not good because DFG prediction propagation phase predicts as Double
        since @MAX_SAFE_INTEGER is double. But actually it rarely becomes Double.
        Usually, the result becomes Int32. This patch leverages to_number in a bit
        interesting way: to_number has value profiling to offer better type prediction.
        This value profiling can offer a chance to change the prediction to Int32 efficiently.
        It is a bit tricky. But it is worth doing to speed up our builtin functions,
        which should leverage all the JSC's tricky things to be optimized.

        Related microbenchmarks show performance improvement.

                                                  baseline                  patched

            array-prototype-forEach           50.2348+-2.2331           49.7568+-2.3507
            array-prototype-map               51.0574+-1.8166           47.9531+-2.1653          might be 1.0647x faster
            array-prototype-some              52.3926+-1.8882     ^     48.3632+-2.0852        ^ definitely 1.0833x faster
            array-prototype-every             52.7394+-2.0712           50.2896+-2.1480          might be 1.0487x faster
            array-prototype-reduce            54.9994+-2.3638           51.8716+-2.6253          might be 1.0603x faster
            array-prototype-reduceRight      209.7594+-9.2594     ^     51.5867+-2.5745        ^ definitely 4.0662x faster


        * builtins/GlobalOperations.js:
        (globalPrivate.toInteger):
        (globalPrivate.toLength):

2017-05-28  Sam Weinig  <sam@webkit.org>

        [WebIDL] @@iterator should only be accessed once when disambiguating a union type
        https://bugs.webkit.org/show_bug.cgi?id=172684

        Reviewed by Yusuke Suzuki.

        * runtime/IteratorOperations.cpp:
        (JSC::iteratorMethod):
        (JSC::iteratorForIterable):
        * runtime/IteratorOperations.h:
        (JSC::forEachInIterable):
        Add additional iterator helpers to allow union + sequence conversion code
        to check for iterability by getting the iterator method, and iterate using
        that method later on.

2017-05-28  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, build fix for Windows
        https://bugs.webkit.org/show_bug.cgi?id=172413

        Optimized jsDynamicCast for JSMap and JSSet will be handled in [1].

        [1]: https://bugs.webkit.org/show_bug.cgi?id=172685

        * runtime/JSMap.h:
        (JSC::isJSMap):
        (JSC::jsDynamicCast): Deleted.
        (JSC::>): Deleted.
        * runtime/JSSet.h:
        (JSC::isJSSet):
        (JSC::jsDynamicCast): Deleted.
        (JSC::>): Deleted.
        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):

2017-05-28  Mark Lam  <mark.lam@apple.com>

        Implement a faster Interpreter::getOpcodeID().
        https://bugs.webkit.org/show_bug.cgi?id=172669

        Reviewed by Saam Barati.

        We can implement Interpreter::getOpcodeID() without a hash table lookup by always
        embedding the OpcodeID in the 32-bit word just before the start of the LLInt
        handler code that executes each opcode.  getOpcodeID() can therefore just read
        the 32-bits before the opcode address to get its OpcodeID.

        This is currently only enabled for CPU(X86), CPU(X86_64), CPU(ARM64),
        CPU(ARM_THUMB2), and only for OS(DARWIN).  It'll probably just work for linux as
        well, but I'll let the Linux folks turn that on after they have verified that it
        works on linux too.

        I'll also take this opportunity to clean up how we initialize the opcodeIDTable:
        1. we only need to initialize it once per process, not once per VM / interpreter
           instance.
        2. we can initialize it in the Interpreter constructor instead of requiring a
           separate call to an initialize() function.

        On debug builds, the Interpreter constructor will also verify that getOpcodeID()
        is working correctly for each opcode when USE(LLINT_EMBEDDED_OPCODE_ID).

        * bytecode/BytecodeList.json:
        * generate-bytecode-files:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::Interpreter):
        (JSC::Interpreter::opcodeIDTable):
        (JSC::Interpreter::initialize): Deleted.
        * interpreter/Interpreter.h:
        (JSC::Interpreter::getOpcode):
        (JSC::Interpreter::getOpcodeID):
        * llint/LowLevelInterpreter.cpp:
        * runtime/VM.cpp:
        (JSC::VM::VM):

2017-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Map and Set constructors should have fast path for cloning
        https://bugs.webkit.org/show_bug.cgi?id=172413

        Reviewed by Saam Barati.

        In this patch, we add a fast path for cloning in Set and Map constructors.

        In ARES-6 Air, we have code like `new Set(set)` to clone the given set.
        At that time, our generic path just iterates the given set object and add
        it to the newly created one. It is quite slow because we need to follow
        the iterator protocol inside C++ and we need to call set.add() repeatedly
        while the given set guarantees the elements are unique.

        This patch implements clone() function to JSMap and JSSet. Cloning JSMap
        and JSSet are done really fast without invoking any observable JS functions.
        To check whether we can use this clone() function in Set and Map constructors,
        we set several watchpoints.

        In the case of Set,

        1. Set.prototype[Symbol.iterator] is not changed.
        2. SetIterator.prototype.next is not changed.
        3. Set.prototype.add is not changed.
        4. The given Set does not have [Symbol.iterator] function in its instance.
        5. The given Set's [[Prototype]] is Set.prototype.
        6. Newly created set's [[Prototype]] is Set.prototype.

        If the above requirements are met, cloning the given Set is not observable to users.
        Thus we can take a fast path.

        Currently, we do not integrate this optimization into DFG and FTL.
        And we do not optimize other iterables. For example, we can optimize Set
        constructor taking Int32 Array. And we should optimize generic iterator cases too.
        They are planned as part of a separate bug[1].

        This change improves ARES-6 Air by 5.3% in steady state.

        Baseline:
            Running... Air ( 1  to go)
            firstIteration:     76.41 +- 15.60 ms
            averageWorstCase:   40.63 +- 7.54 ms
            steadyState:        9.13 +- 0.51 ms


        Patched:
            Running... Air ( 1  to go)
            firstIteration:     75.00 +- 22.54 ms
            averageWorstCase:   39.18 +- 8.45 ms
            steadyState:        8.67 +- 0.28 ms

        [1]: https://bugs.webkit.org/show_bug.cgi?id=172419

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/ArrayIteratorAdaptiveWatchpoint.cpp: Removed.
        * runtime/HashMapImpl.h:
        (JSC::HashMapBucket::extractValue):
        (JSC::HashMapImpl::finishCreation):
        (JSC::HashMapImpl::add):
        (JSC::HashMapImpl::setUpHeadAndTail):
        (JSC::HashMapImpl::addNormalizedNonExistingForCloning):
        (JSC::HashMapImpl::addNormalizedInternal):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::createSubclassStructureSlow):
        (JSC::InternalFunction::createSubclassStructure): Deleted.
        * runtime/InternalFunction.h:
        (JSC::InternalFunction::createSubclassStructure):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::mapIteratorProtocolWatchpoint):
        (JSC::JSGlobalObject::setIteratorProtocolWatchpoint):
        (JSC::JSGlobalObject::mapSetWatchpoint):
        (JSC::JSGlobalObject::setAddWatchpoint):
        (JSC::JSGlobalObject::mapPrototype):
        (JSC::JSGlobalObject::jsSetPrototype):
        (JSC::JSGlobalObject::setStructure):
        * runtime/JSGlobalObjectInlines.h:
        (JSC::JSGlobalObject::isMapPrototypeIteratorProtocolFastAndNonObservable):
        (JSC::JSGlobalObject::isSetPrototypeIteratorProtocolFastAndNonObservable):
        (JSC::JSGlobalObject::isMapPrototypeSetFastAndNonObservable):
        (JSC::JSGlobalObject::isSetPrototypeAddFastAndNonObservable):
        * runtime/JSMap.cpp:
        (JSC::JSMap::clone):
        (JSC::JSMap::canCloneFastAndNonObservable):
        * runtime/JSMap.h:
        (JSC::jsDynamicCast):
        (JSC::>):
        (JSC::JSMap::createStructure): Deleted.
        (JSC::JSMap::create): Deleted.
        (JSC::JSMap::set): Deleted.
        (JSC::JSMap::JSMap): Deleted.
        * runtime/JSSet.cpp:
        (JSC::JSSet::clone):
        (JSC::JSSet::canCloneFastAndNonObservable):
        * runtime/JSSet.h:
        (JSC::jsDynamicCast):
        (JSC::>):
        (JSC::JSSet::createStructure): Deleted.
        (JSC::JSSet::create): Deleted.
        (JSC::JSSet::JSSet): Deleted.
        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h: Renamed from Source/JavaScriptCore/runtime/ArrayIteratorAdaptiveWatchpoint.h.
        (JSC::ObjectPropertyChangeAdaptiveWatchpoint::ObjectPropertyChangeAdaptiveWatchpoint):
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):

2017-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DOMJIT] Move DOMJIT patchpoint infrastructure out of domjit
        https://bugs.webkit.org/show_bug.cgi?id=172260

        Reviewed by Filip Pizlo.

        DOMJIT::Patchpoint is now used for generalized CheckSubClass. And it becomes mature enough
        to be used as a general-purpose injectable compiler over all the JIT tiers.

        We extract DOMJIT::Patchpoint to jit/ and rename it JSC::Snippet.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/AccessCaseSnippetParams.cpp: Renamed from Source/JavaScriptCore/bytecode/DOMJITAccessCasePatchpointParams.cpp.
        (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
        (JSC::AccessCaseSnippetParams::emitSlowPathCalls):
        * bytecode/AccessCaseSnippetParams.h: Renamed from Source/JavaScriptCore/bytecode/DOMJITAccessCasePatchpointParams.h.
        (JSC::AccessCaseSnippetParams::AccessCaseSnippetParams):
        * bytecode/GetterSetterAccessCase.cpp:
        (JSC::GetterSetterAccessCase::emitDOMJITGetter):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::blessCallDOMGetter):
        (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.h:
        * dfg/DFGNode.h:
        * dfg/DFGSnippetParams.cpp: Renamed from Source/JavaScriptCore/dfg/DFGDOMJITPatchpointParams.cpp.
        * dfg/DFGSnippetParams.h: Renamed from Source/JavaScriptCore/dfg/DFGDOMJITPatchpointParams.h.
        (JSC::DFG::SnippetParams::SnippetParams):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::allocateTemporaryRegistersForSnippet):
        (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
        (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
        (JSC::DFG::allocateTemporaryRegistersForPatchpoint): Deleted.
        * domjit/DOMJITCallDOMGetterSnippet.h: Renamed from Source/JavaScriptCore/domjit/DOMJITCallDOMGetterPatchpoint.h.
        (JSC::DOMJIT::CallDOMGetterSnippet::create):
        * domjit/DOMJITGetterSetter.h:
        * domjit/DOMJITSignature.h:
        * domjit/DOMJITValue.h: Removed.
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
        * ftl/FTLSnippetParams.cpp: Renamed from Source/JavaScriptCore/ftl/FTLDOMJITPatchpointParams.cpp.
        * ftl/FTLSnippetParams.h: Renamed from Source/JavaScriptCore/ftl/FTLDOMJITPatchpointParams.h.
        (JSC::FTL::SnippetParams::SnippetParams):
        * jit/Snippet.h: Renamed from Source/JavaScriptCore/domjit/DOMJITPatchpoint.h.
        (JSC::Snippet::create):
        (JSC::Snippet::setGenerator):
        (JSC::Snippet::generator):
        * jit/SnippetParams.h: Renamed from Source/JavaScriptCore/domjit/DOMJITPatchpointParams.h.
        (JSC::SnippetParams::~SnippetParams):
        (JSC::SnippetParams::Value::Value):
        (JSC::SnippetParams::Value::isGPR):
        (JSC::SnippetParams::Value::isFPR):
        (JSC::SnippetParams::Value::isJSValueRegs):
        (JSC::SnippetParams::Value::gpr):
        (JSC::SnippetParams::Value::fpr):
        (JSC::SnippetParams::Value::jsValueRegs):
        (JSC::SnippetParams::Value::reg):
        (JSC::SnippetParams::Value::value):
        (JSC::SnippetParams::SnippetParams):
        * jit/SnippetReg.h: Renamed from Source/JavaScriptCore/domjit/DOMJITReg.h.
        (JSC::SnippetReg::SnippetReg):
        * jit/SnippetSlowPathCalls.h: Renamed from Source/JavaScriptCore/domjit/DOMJITSlowPathCalls.h.
        * jsc.cpp:
        (WTF::DOMJITNode::checkSubClassSnippet):
        (WTF::DOMJITFunctionObject::checkSubClassSnippet):
        (WTF::DOMJITNode::checkSubClassPatchpoint): Deleted.
        (WTF::DOMJITFunctionObject::checkSubClassPatchpoint): Deleted.
        * runtime/ClassInfo.h:

2017-05-26  Keith Miller  <keith_miller@apple.com>

        REEGRESSION(r217459): testapi fails in JSExportTest's wrapperForNSObjectisObject().
        https://bugs.webkit.org/show_bug.cgi?id=172654

        Reviewed by Mark Lam.

        The test's intent is to assert that an exception has not been
        thrown (as indicated by the message string), but the test was
        erroneously checking for ! the right condition. This is now fixed.

        * API/tests/JSExportTests.mm:
        (wrapperForNSObjectisObject):

2017-05-26  Joseph Pecoraro  <pecoraro@apple.com>

        JSContext Inspector: Improve the reliability of automatically pausing in auto-attach
        https://bugs.webkit.org/show_bug.cgi?id=172664
        <rdar://problem/32362933>

        Reviewed by Matt Baker.

        Automatically pause on connection was triggering a pause before the
        frontend may have initialized. Often during frontend initialization
        the frontend may perform an action that clears the pause state requested
        by the developer. This change defers the pause until after the frontend
        has initialized, right before returning to the application's code.

        * inspector/remote/RemoteControllableTarget.h:
        * inspector/remote/RemoteInspectionTarget.h:
        * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
        (Inspector::RemoteConnectionToTarget::setup):
        * inspector/remote/glib/RemoteConnectionToTargetGlib.cpp:
        (Inspector::RemoteConnectionToTarget::setup):
        * runtime/JSGlobalObjectDebuggable.cpp:
        (JSC::JSGlobalObjectDebuggable::connect):
        (JSC::JSGlobalObjectDebuggable::pause): Deleted.
        * runtime/JSGlobalObjectDebuggable.h:
        Pass an immediatelyPause boolean on to the controller. Remove
        the current path that invokes a pause before initialization.

        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::connectFrontend):
        (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
        Manage should immediately pause state.

        (Inspector::JSGlobalObjectInspectorController::frontendInitialized):
        (Inspector::JSGlobalObjectInspectorController::pause): Deleted.
        When initialized, trigger a pause if requested.

2017-05-26  Mark Lam  <mark.lam@apple.com>

        Temporarily commenting out a JSExportTest test until webkit.org/b/172654 is fixed.
        https://bugs.webkit.org/show_bug.cgi?id=172655

        Reviewed by Saam Barati.

        * API/tests/JSExportTests.mm:
        (wrapperForNSObjectisObject):

2017-05-26  Mark Lam  <mark.lam@apple.com>

        REGRESSION(216914): testCFStrings encounters an invalid ExecState callee pointer.
        https://bugs.webkit.org/show_bug.cgi?id=172651

        Reviewed by Saam Barati.

        This is because the assertion utility functions used in testCFStrings() expects
        to get the JSGlobalContextRef from the global context variable.  However,
        testCFStrings() creates its own JSGlobalContextRef but does not set the global
        context variable to it.

        The fix is to make testCFStrings() initialize the global context variable properly.

        * API/tests/testapi.c:
        (testCFStrings):

2017-05-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        Give ModuleProgram the same treatment that we did for ProgramCode in bug#167725
        https://bugs.webkit.org/show_bug.cgi?id=167805

        Reviewed by Saam Barati.

        Since ModuleProgramExecutable is executed only once, we can skip compiling
        code unreachable from the current program count. This can skip massive
        initialization code.

        We already do this for global code in bug#167725. This patch extends it to
        module code.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::executeModuleProgram):
        * interpreter/Interpreter.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * runtime/JSModuleRecord.cpp:
        (JSC::JSModuleRecord::evaluate):
        * runtime/JSModuleRecord.h:
        (JSC::JSModuleRecord::moduleProgramExecutable): Deleted.

2017-05-26  Oleksandr Skachkov  <gskachkov@gmail.com>

        Prevent async methods named 'function'
        https://bugs.webkit.org/show_bug.cgi?id=172598

        Reviewed by Mark Lam.

        Prevent async method named 'function' in class.
        Link to change in ecma262 specification
        https://github.com/tc39/ecma262/pull/884

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseClass):

2017-05-25  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, build fix for GCC

        std::tuple does not have implicit constructor.
        Thus, we cannot use implicit construction with initializer brace.
        We should specify the name like `GetInst { }`.

        * bytecompiler/BytecodeGenerator.h:
        (JSC::StructureForInContext::addGetInst):

2017-05-25  Keith Miller  <keith_miller@apple.com>

        Cleanup tests after r217240
        https://bugs.webkit.org/show_bug.cgi?id=172466

        Reviewed by Mark Lam.

        I forgot to make my test an actual test. Also, remove second call runJSExportTests()

        * API/tests/JSExportTests.mm:
        (wrapperForNSObjectisObject):
        * API/tests/testapi.mm:
        (testObjectiveCAPIMain):

2017-05-25  Michael Saboff  <msaboff@apple.com>

        The default setting of Option::criticalGCMemoryThreshold is too high for iOS
        https://bugs.webkit.org/show_bug.cgi?id=172617

        Reviewed by Mark Lam.

        Reducing criticalGCMemoryThreshold to 0.80 eliminated jetsam on iOS devices
        when tested running JetStream.

        * runtime/Options.h:

2017-05-25  Saam Barati  <sbarati@apple.com>

        Our for-in optimization in the bytecode generator does its static analysis incorrectly
        https://bugs.webkit.org/show_bug.cgi?id=172532
        <rdar://problem/32369452>

        Reviewed by Mark Lam.

        Our static analysis for when a for-in induction variable
        is written to tried to its analysis as we generate
        bytecode. This has issues, since it does not account for
        the dynamic execution path of the program. Let's consider
        a program where our old analysis worked:
        
        ```
        for (let p in o) {
            o[p]; // We can transform this into a fast get_direct_pname
            p = 20;
            o[p]; // We cannot transform this since p has been changed.
        }
        ```
        
        However, our static analysis did not account for loops, which exist
        in JavaScript. e.g, it would incorrectly compile this program as:
        ```
        for (let p in o) {
            for (let i = 0; i < 20; ++i) {
                o[p]; // It transforms this to use get_direct_pname even though p will be over-written if we get here from the inner loop back edge!
                p = 20;
                o[p]; // We correctly do not transform this.
            } 
        }
        ```
        
        Because of this flaw, I've made the optimization more conservative.
        We now optimistically emit code for the optimized access. However,
        if a for-in context is *ever* invalidated, before we pop it off
        the stack, we rewrite the program's optimized accesses to no longer
        be optimized. To do this, each context keeps track of its optimized
        accesses.
        
        This patch also adds a new bytecode, op_nop, which is just a no-op.
        It was helpful to add this because reverting get_direct_pname to get_by_val
        will leave us with an extra instruction word because get_direct_pname is
        has a length of 7 where get_by_val has a length of 6. This leaves us with
        an extra slot that we fill with an op_nop.

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetByVal):
        (JSC::BytecodeGenerator::popIndexedForInScope):
        (JSC::BytecodeGenerator::popStructureForInScope):
        (JSC::BytecodeGenerator::invalidateForInContextForLocal):
        (JSC::StructureForInContext::pop):
        (JSC::IndexedForInContext::pop):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::StructureForInContext::addGetInst):
        (JSC::IndexedForInContext::addGetInst):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_nop):
        * llint/LowLevelInterpreter.asm:

2017-05-25  Mark Lam  <mark.lam@apple.com>

        ObjectToStringAdaptiveInferredPropertyValueWatchpoint should not reinstall itself nor handleFire if it's dying shortly.
        https://bugs.webkit.org/show_bug.cgi?id=172548
        <rdar://problem/31458393>

        Reviewed by Filip Pizlo.

        Consider the following scenario:

        1. A ObjectToStringAdaptiveInferredPropertyValueWatchpoint O1, watches for
           structure transitions, e.g. structure S2 transitioning to structure S3.
           In this case, O1 would be installed in S2's watchpoint set.
        2. When the structure transition happens, structure S2 will fire watchpoint O1.
        3. O1's handler will normally re-install itself in the watchpoint set of the new
           "transitioned to" structure S3.
        4. "Installation" here requires writing into the StructureRareData SD3 of the new
           structure S3.  If SD3 does not exist yet, the installation process will trigger
           the allocation of StructureRareData SD3.
        5. It is possible that the Structure S1, and StructureRareData SD1 that owns the
           ObjectToStringAdaptiveInferredPropertyValueWatchpoint O1 is no longer reachable
           by the GC, and therefore will be collected soon.
        6. The allocation of SD3 in (4) may trigger the sweeping of the StructureRareData
           SD1.  This, in turn, triggers the deletion of the
           ObjectToStringAdaptiveInferredPropertyValueWatchpoint O1.

        After O1 is deleted in (6) and SD3 is allocated in (4), execution continues in
        AdaptiveInferredPropertyValueWatchpointBase::fire() where O1 gets installed in
        structure S3's watchpoint set.  This is obviously incorrect because O1 is already
        deleted.  The result is that badness happens later when S3's watchpoint set fires
        its watchpoints and accesses the deleted O1.

        The fix is to enhance AdaptiveInferredPropertyValueWatchpointBase::fire() to
        check if "this" is still valid before proceeding to re-install itself or to
        invoke its handleFire() method.

        ObjectToStringAdaptiveInferredPropertyValueWatchpoint (which extends
        AdaptiveInferredPropertyValueWatchpointBase) will override its isValid() method,
        and return false its owner StructureRareData is no longer reachable by the GC.
        This ensures that it won't be deleted while it's installed to any watchpoint set.

        Additional considerations and notes:
        1. In the above, I talked about the ObjectToStringAdaptiveInferredPropertyValueWatchpoint
           being installed in watchpoint sets.  What actually happens is that
           ObjectToStringAdaptiveInferredPropertyValueWatchpoint has 2 members
           (m_structureWatchpoint and m_propertyWatchpoint) which may be installed in
           watchpoint sets.  The ObjectToStringAdaptiveInferredPropertyValueWatchpoint is
           not itself a Watchpoint object.

           But for brevity, in the above, I refer to the ObjectToStringAdaptiveInferredPropertyValueWatchpoint
           instead of its Watchpoint members.  The description of the issue is still
           accurate given the life-cycle of the Watchpoint members are embedded in the
           enclosing ObjectToStringAdaptiveInferredPropertyValueWatchpoint object, and
           hence, they share the same life-cycle.

        2. The top of AdaptiveInferredPropertyValueWatchpointBase::fire() removes its
           m_structureWatchpoint and m_propertyWatchpoint if they have been added to any
           watchpoint sets.  This is safe to do even if the owner StructureRareData is no
           longer reachable by the GC.

           This is because the only way we can get to AdaptiveInferredPropertyValueWatchpointBase::fire()
           is if its Watchpoint members are still installed in some watchpoint set that
           fired.  This means that the AdaptiveInferredPropertyValueWatchpointBase
           instance has not been deleted yet, because its destructor will automatically
           remove the Watchpoint members from any watchpoint sets.

        * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
        (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
        (JSC::AdaptiveInferredPropertyValueWatchpointBase::isValid):
        * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
        * heap/FreeList.cpp:
        (JSC::FreeList::contains):
        * heap/FreeList.h:
        * heap/HeapCell.h:
        * heap/HeapCellInlines.h:
        (JSC::HeapCell::isLive):
        * heap/MarkedAllocator.h:
        (JSC::MarkedAllocator::isFreeListedCell):
        * heap/MarkedBlock.h:
        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::Handle::isFreeListedCell):
        * runtime/StructureRareData.cpp:
        (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::isValid):

2017-05-23  Saam Barati  <sbarati@apple.com>

        We should not mmap zero bytes for a memory in Wasm
        https://bugs.webkit.org/show_bug.cgi?id=172528
        <rdar://problem/32257076>

        Reviewed by Mark Lam.

        This patch fixes a bug where we would call into mmap with zero bytes
        when creating a slow WasmMemory with zero initial page size. This fix
        is simple: if we don't have any initial bytes, we just call the constructor
        in WasmMemory that's meant to handle this case.

        * wasm/WasmMemory.cpp:
        (JSC::Wasm::Memory::create):

2017-05-23  Brian Burg  <bburg@apple.com>

        REGRESSION(r217051): Automation sessions fail to complete bootstrap
        https://bugs.webkit.org/show_bug.cgi?id=172513
        <rdar://problem/32338354>

        Reviewed by Joseph Pecoraro.

        The changes to be more strict about typechecking messages were too strict.

        * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
        (Inspector::RemoteInspector::receivedSetupMessage):
        WIRAutomatically is an optional key in the setup message. In the relay, this key gets copied
        into an NSDictionary as NSNull if the key isn't present in a forwarded command.
        We need to revert NSNull values to nil, since it's valid to call [nil boolValue] but not
        [[NSNull null] boolValue]. We also need to allow for nil in the typecheck for this key.

2017-05-23  Myles C. Maxfield  <mmaxfield@apple.com>

        Remove dead ENABLE(FONT_LOAD_EVENTS) code
        https://bugs.webkit.org/show_bug.cgi?id=172517

        Rubber-stamped by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:

2017-05-23  Saam Barati  <sbarati@apple.com>

        CFGSimplificationPhase should not merge a block with itself
        https://bugs.webkit.org/show_bug.cgi?id=172508
        <rdar://problem/28424006>

        Reviewed by Keith Miller.

        CFGSimplificationPhase can run into or create IR that ends up with a
        block that has a Jump to itself, and no other predecessors. It should
        gracefully handle such IR. Before this patch, it would not. The only criteria
        for merging 'block' with 'targetBlock' used to be that 'targetBlock.predecessors.size() == 1'.
        The code is written in such a way that if we merge a block with itself, we
        will infinite loop until we run out of memory.
        
        Merging a block with itself does not make sense for a few reasons. First,
        we're joining the contents of two blocks. What is the definition of joining
        a block with itself? I suppose we could simply unroll this self loop
        one level, but that would not be wise because this self loop is by definition
        unreachable unless it's the root block in the graph (which I think is
        invalid IR since we'd never generate bytecode that would do this).
        
        This patch employs an easy fix: we can't merge a block with itself.

        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::canMergeBlocks):
        (JSC::DFG::CFGSimplificationPhase::run):
        (JSC::DFG::CFGSimplificationPhase::convertToJump):
        (JSC::DFG::CFGSimplificationPhase::mergeBlocks):

2017-05-22  Brian Burg  <bburg@apple.com>

        Web Inspector: webkit reload policy should match default behavior
        https://bugs.webkit.org/show_bug.cgi?id=171385
        <rdar://problem/31871515>

        Reviewed by Joseph Pecoraro.

        Add a new option to Page.reload that allows the test harness
        to reload its test page using the old reload behavior.

        The new behavior of revalidating expired cached subresources only
        is the current default, since only the test harness needs the old behavior.

        * inspector/protocol/Page.json:

2017-05-22  Keith Miller  <keith_miller@apple.com>

        [Cocoa] An exported Objective C class’s prototype and constructor don't persist across JSContext deallocation
        https://bugs.webkit.org/show_bug.cgi?id=167708

        Reviewed by Geoffrey Garen.

        This patch moves the Objective C wrapper map to the global object. In order to make this work the JSWrapperMap
        class no longer holds a reference to the JSContext. Instead, the context must be provided when getting a wrapper.

        Also, this patch fixes a "bug" where we would observe changes to the Object property on the global object when
        creating a wrapper for NSObject.

        * API/APICast.h:
        (toJSGlobalObject):
        * API/JSContext.mm:
        (-[JSContext ensureWrapperMap]):
        (-[JSContext initWithVirtualMachine:]):
        (-[JSContext dealloc]):
        (-[JSContext wrapperMap]):
        (-[JSContext initWithGlobalContextRef:]):
        (-[JSContext wrapperForObjCObject:]):
        (-[JSContext wrapperForJSObject:]):
        * API/JSWrapperMap.h:
        * API/JSWrapperMap.mm:
        (-[JSObjCClassInfo initForClass:]):
        (-[JSObjCClassInfo allocateConstructorAndPrototypeInContext:]):
        (-[JSObjCClassInfo wrapperForObject:inContext:]):
        (-[JSObjCClassInfo constructorInContext:]):
        (-[JSObjCClassInfo prototypeInContext:]):
        (-[JSWrapperMap initWithGlobalContextRef:]):
        (-[JSWrapperMap classInfoForClass:]):
        (-[JSWrapperMap jsWrapperForObject:inContext:]):
        (-[JSWrapperMap objcWrapperForJSValueRef:inContext:]):
        (-[JSObjCClassInfo initWithContext:forClass:]): Deleted.
        (-[JSObjCClassInfo allocateConstructorAndPrototype]): Deleted.
        (-[JSObjCClassInfo wrapperForObject:]): Deleted.
        (-[JSObjCClassInfo constructor]): Deleted.
        (-[JSObjCClassInfo prototype]): Deleted.
        (-[JSWrapperMap initWithContext:]): Deleted.
        (-[JSWrapperMap jsWrapperForObject:]): Deleted.
        (-[JSWrapperMap objcWrapperForJSValueRef:]): Deleted.
        * API/tests/JSExportTests.mm:
        (wrapperLifetimeIsTiedToGlobalObject):
        (runJSExportTests):
        * API/tests/testapi.mm:
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::wrapperMap):
        (JSC::JSGlobalObject::setWrapperMap):

2017-05-22  Filip Pizlo  <fpizlo@apple.com>

        FTL stack overflow handling should not assume that B3 never selects callee-saves in the prologue
        https://bugs.webkit.org/show_bug.cgi?id=172455

        Reviewed by Mark Lam.
        
        The FTL needs to run B3's callee-save register restoration before it runs the exception
        handler's callee-save register restoration.  This exposes B3's callee-save register
        algorithm in AssemblyHelpers so that the FTL can call it.

        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::generate):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower): Fix the bug.
        * heap/Subspace.cpp: Added some debugging support.
        (JSC::Subspace::allocate):
        (JSC::Subspace::tryAllocate):
        (JSC::Subspace::didAllocate):
        * heap/Subspace.h:
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::addressFor):
        (JSC::AssemblyHelpers::emitSave):
        (JSC::AssemblyHelpers::emitRestore):

2017-05-20  Yusuke Suzuki  <utatane.tea@gmail.com>

        [FTL] Support GetByVal with ArrayStorage and SlowPutArrayStorage
        https://bugs.webkit.org/show_bug.cgi?id=172216

        Reviewed by Saam Barati.

        This patch adds GetByVal support for ArrayStorage and SlowPutArrayStorage.
        To lower CheckInBounds in FTL, we add a new GetVectorLength op. It only accepts
        ArrayStorage and SlowPutArrayStorage, then it produces vector length.
        CheckInBounds uses this vector length to perform bound checking for ArrayStorage
        and SlowPutArrayStorage.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::permitsBoundsCheckLowering):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGIntegerRangeOptimizationPhase.cpp:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasArrayMode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSSALoweringPhase.cpp:
        (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbstractHeapRepository.h:
        (JSC::FTL::AbstractHeapRepository::forIndexingType):
        (JSC::FTL::AbstractHeapRepository::forArrayType):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetVectorLength):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitArrayStoragePutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitArrayStorageLoad):
        (JSC::JIT::emitArrayStoragePutByVal):

2017-05-21  Saam Barati  <sbarati@apple.com>

        We incorrectly throw a syntax error when declaring a top level for-loop iteration variable the same as a parameter
        https://bugs.webkit.org/show_bug.cgi?id=171041
        <rdar://problem/32082516>

        Reviewed by Yusuke Suzuki.

        We were treating a for-loop variable declaration potentially as a top
        level statement, e.g, in a program like this:
        ```
        function foo() {
            for (let variable of expr) { }
        }
        ```
        But we should not be. This had the consequence of making this type of program
        throw a syntax error:
        ```
        function foo(arg) {
            for (let arg of expr) { }
        }
        ```
        even though it should not. The fix is simple, we just need to increment the
        statement depth before parsing anything inside the for loop.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseForStatement):

2017-05-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Make get_by_val & string "499" to number 499
        https://bugs.webkit.org/show_bug.cgi?id=172225

        Reviewed by Saam Barati.

        Property subscript will be converted by ToString. So JS code is not aware of
        the original type of the subscript value. But our get_by_val can leverage
        information if the given subscript is number. Thus, passing number instead of
        string can improve the performance of get_by_val in all the tiers.

        In this patch, we add BytecodeGenerator::emitNodeForProperty. It attempts to
        convert the given value to Int32 index constant if the given value is a string
        that can be converted to Int32.

        This patch improves SixSpeed map-string.es5 by 9.8x. This accessing form can
        appear in some code like accessing the result of JSON.

            map-string.es5     1640.6738+-110.9182   ^    167.4121+-23.8328       ^ definitely 9.8002x faster

        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitNodeForProperty):
        (JSC::BytecodeGenerator::emitNodeForLeftHandSideForProperty):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::TaggedTemplateNode::emitBytecode):
        (JSC::BracketAccessorNode::emitBytecode):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByValDirect):
        (JSC::FunctionCallBracketNode::emitBytecode):
        (JSC::PostfixNode::emitBracket):
        (JSC::PrefixNode::emitBracket):
        (JSC::AssignBracketNode::emitBytecode):
        (JSC::ReadModifyBracketNode::emitBytecode):
        (JSC::ForInNode::emitLoopHeader):
        (JSC::ForOfNode::emitBytecode):
        (JSC::ObjectPatternNode::bindValue):
        (JSC::AssignmentElementNode::bindValue):

2017-05-21  Saam Barati  <sbarati@apple.com>

        We overwrite the callee save space on the stack when throwing stack overflow from wasm
        https://bugs.webkit.org/show_bug.cgi?id=172316

        Reviewed by Mark Lam.

        When throwing a stack overflow exception, the overflow
        thunk would do the following:
          move fp, sp
          populate argument registers
          call C code
        
        However, the C function is allowed to clobber our spilled
        callee saves that live below fp. The reason I did this move is that
        when we jump to this code, we've proven that sp is out of bounds on
        the stack. So we're not allowed to just use its value or keep growing
        the stack from that point. However, this patch revises this approach
        to be the same in spirit, but actually correct. We conservatively assume
        the B3 function we're coming from could have saved all callee saves.
        So we emit code like this now:
          add -maxNumCalleeSaveSpace, fp, sp
          populate argument registers
          call C code
        
        This ensures our callee saves will not be overwritten. Note
        that fp is still in a valid stack range here, since the thing
        calling the wasm code did a stack check. Also note that maxNumCalleeSaveSpace
        is less than our redzone size, so it's safe to decrement sp by 
        this amount.
        
        The previously added wasm stack overflow test is an instance crash
        without this change on arm64. It also appears that this test crashed
        on some other x86 devices.

        * wasm/WasmThunks.cpp:
        (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):

2017-05-20  Chris Dumez  <cdumez@apple.com>

        Drop [NoInterfaceObject]