[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2017-04-04  Mark Lam  <mark.lam@apple.com>

        On ARM64, DFG::SpeculativeJIT::compileArithMod() failed to ensure result is of DataFormatInt32.
        https://bugs.webkit.org/show_bug.cgi?id=170473
        <rdar://problem/29912391>

        Reviewed by Saam Barati.

        In Unchecked mode, when DFG::SpeculativeJIT::compileArithMod() detects that the
        divisor is 0, we want it to return 0.  The result is expected to be of
        DataFormatIn32.

        The ARM implementation just returns the value in the divisor register.  However,
        the divisor in this case can be of DataFormatJSInt32.  On ARM64, returning the
        divisor register yields the wrong result format because the same register also
        holds the upper 32-bit of the JSValue encoding.  The fix is to return an
        immediate 0 instead.

        Also turned on the assertion in jitAssertIsInt32 for ARM64.  This assertion being
        disabled may have contributed to this bug going unnoticed all this time.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::jitAssertIsInt32):

2017-04-04  Filip Pizlo  <fpizlo@apple.com>

        Air::eliminateDeadCode should not repeatedly process the same live instructions
        https://bugs.webkit.org/show_bug.cgi?id=170490

        Reviewed by Keith Miller.
        
        This makes the eliminateDeadCode() fixpoint somewhat worklist-based: we track the set
        of Insts that might be dead. Every time we detect that one is live, we remove it from
        the set. This is a big (>2x) speed-up because lots of Insts are immediately found to
        be live.
        
        This is a ~1% wasm -O1 compile time progression.

        * b3/air/AirEliminateDeadCode.cpp:
        (JSC::B3::Air::eliminateDeadCode):

2017-04-04  Filip Pizlo  <fpizlo@apple.com>

        Air::eliminateDeadCode() should not use a HashSet
        https://bugs.webkit.org/show_bug.cgi?id=170487

        Reviewed by Saam Barati.
        
        Introduce TmpSet, which is like a HashSet<Tmp>. Use this to make eliminateDeadCode()
        about 50% faster, resulting in a 1% wasm -O1 compile time progression.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/air/AirEliminateDeadCode.cpp:
        (JSC::B3::Air::eliminateDeadCode):
        * b3/air/AirTmpSet.h: Added.
        (JSC::B3::Air::TmpSet::TmpSet):
        (JSC::B3::Air::TmpSet::add):
        (JSC::B3::Air::TmpSet::remove):
        (JSC::B3::Air::TmpSet::contains):
        (JSC::B3::Air::TmpSet::size):
        (JSC::B3::Air::TmpSet::isEmpty):
        (JSC::B3::Air::TmpSet::iterator::iterator):
        (JSC::B3::Air::TmpSet::iterator::operator*):
        (JSC::B3::Air::TmpSet::iterator::operator++):
        (JSC::B3::Air::TmpSet::iterator::operator==):
        (JSC::B3::Air::TmpSet::iterator::operator!=):
        (JSC::B3::Air::TmpSet::begin):
        (JSC::B3::Air::TmpSet::end):

2017-04-04  Keith Miller  <keith_miller@apple.com>

        WebAssembly: ModuleInformation should be a ref counted thing that can be shared across threads.
        https://bugs.webkit.org/show_bug.cgi?id=170478

        Reviewed by Saam Barati.

        ModuleInformation has been moved to its own file and is now
        ThreadSafeRefCounted.  All the Strings we used to keep in the
        ModuleInformation have been switched to Vector<LChar> this has the
        advantage that it can be passed across threads. However, this does
        mean that we need to decode the utf8 strings in each thread. This
        is likely not a problem because:

        1) most modules have few imports/exports/custom sections.
        2) most of the time they are ascii so the conversion is cheap.
        3) we only have to do it once per thread, and there shouldn't be too many.

        This patch also removes
        moduleSignatureIndicesToUniquedSignatureIndices since that
        information can already be recovered from the
        SignatureInformation.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jsc.cpp:
        (functionTestWasmModuleFunctions):
        * runtime/Identifier.h:
        (JSC::Identifier::fromString):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::parseAndCompile):
        * wasm/WasmB3IRGenerator.h:
        * wasm/WasmFormat.cpp:
        (JSC::Wasm::makeString):
        (JSC::Wasm::ModuleInformation::~ModuleInformation): Deleted.
        * wasm/WasmFormat.h:
        (JSC::Wasm::makeString):
        (JSC::Wasm::ModuleInformation::functionIndexSpaceSize): Deleted.
        (JSC::Wasm::ModuleInformation::isImportedFunctionFromFunctionIndexSpace): Deleted.
        (JSC::Wasm::ModuleInformation::signatureIndexFromFunctionIndexSpace): Deleted.
        (JSC::Wasm::ModuleInformation::importFunctionCount): Deleted.
        (JSC::Wasm::ModuleInformation::internalFunctionCount): Deleted.
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::FunctionParser):
        * wasm/WasmModuleInformation.cpp: Copied from Source/JavaScriptCore/wasm/WasmValidate.h.
        (JSC::Wasm::ModuleInformation::~ModuleInformation):
        * wasm/WasmModuleInformation.h: Added.
        (JSC::Wasm::ModuleInformation::functionIndexSpaceSize):
        (JSC::Wasm::ModuleInformation::isImportedFunctionFromFunctionIndexSpace):
        (JSC::Wasm::ModuleInformation::signatureIndexFromFunctionIndexSpace):
        (JSC::Wasm::ModuleInformation::importFunctionCount):
        (JSC::Wasm::ModuleInformation::internalFunctionCount):
        (JSC::Wasm::ModuleInformation::ModuleInformation):
        * wasm/WasmModuleParser.cpp:
        * wasm/WasmModuleParser.h:
        (JSC::Wasm::ModuleParser::ModuleParser):
        * wasm/WasmParser.h:
        (JSC::Wasm::Parser<SuccessType>::consumeUTF8String):
        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::Plan):
        (JSC::Wasm::Plan::parseAndValidateModule):
        (JSC::Wasm::Plan::prepare):
        (JSC::Wasm::Plan::compileFunctions):
        (JSC::Wasm::Plan::complete):
        (JSC::Wasm::Plan::cancel):
        * wasm/WasmPlan.h:
        (JSC::Wasm::Plan::internalFunctionCount):
        (JSC::Wasm::Plan::takeModuleInformation):
        * wasm/WasmSignature.cpp:
        (JSC::Wasm::SignatureInformation::get):
        * wasm/WasmSignature.h:
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::validateFunction):
        * wasm/WasmValidate.h:
        * wasm/js/JSWebAssemblyHelpers.h:
        (JSC::createSourceBufferFromValue):
        * wasm/js/JSWebAssemblyModule.cpp:
        (JSC::JSWebAssemblyModule::createStub):
        (JSC::JSWebAssemblyModule::JSWebAssemblyModule):
        (JSC::JSWebAssemblyModule::finishCreation):
        * wasm/js/JSWebAssemblyModule.h:
        (JSC::JSWebAssemblyModule::moduleInformation):
        (JSC::JSWebAssemblyModule::source):
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::constructJSWebAssemblyInstance):
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        (JSC::WebAssemblyModuleConstructor::createModule):
        * wasm/js/WebAssemblyModulePrototype.cpp:
        (JSC::webAssemblyModuleProtoCustomSections):
        (JSC::webAssemblyModuleProtoImports):
        (JSC::webAssemblyModuleProtoExports):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):
        * wasm/js/WebAssemblyModuleRecord.h:
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::webAssemblyCompileFunc):
        (JSC::instantiate):
        (JSC::compileAndInstantiate):

2017-04-04  Filip Pizlo  <fpizlo@apple.com>

        B3::fixSSA() needs a tune-up
        https://bugs.webkit.org/show_bug.cgi?id=170485

        Reviewed by Saam Barati.
        
        After the various optimizations to liveness, register allocation, and other phases, the
        fixSSA() phase now looks like one of the top offenders. This includes a bunch of
        changes to make this phase run faster. This is a ~7% wasm -O1 compile time progression.
        
        Here's what I did:
        
        - We now use IndexSparseSet instead of IndexMap for tracking variable values. This
          makes it cheaper to chew through small blocks while there is a non-trivial number of
          total variables.
        
        - We now do a "local SSA conversion" pass before anything else. This eliminates
          obvious Get's. If we were using temporary Variables, it would eliminate many of
          those. That's useful for when we use demoteValues() and duplciateTails(). For wasm
          -O1, we mainly care about the fact that it makes a bunch of Set's dead.
        
        - We now do a Set DCE pass after the local SSA but before SSA conversion. This ensures
          that any block-local live intervals of Variables disappear and don't need further
          consideration.
        
        - We now cache the reaching defs calculation.
        
        - We now perform the reaching defs calculation lazily.

        * b3/B3FixSSA.cpp:
        (JSC::B3::demoteValues):
        (JSC::B3::fixSSA):
        * b3/B3SSACalculator.cpp:
        (JSC::B3::SSACalculator::reachingDefAtTail):
        * b3/B3VariableLiveness.cpp:
        (JSC::B3::VariableLiveness::VariableLiveness):
        * b3/air/AirLiveness.h:
        (JSC::B3::Air::Liveness::Liveness):
        * dfg/DFGLivenessAnalysisPhase.cpp:
        (JSC::DFG::LivenessAnalysisPhase::LivenessAnalysisPhase): Deleted.
        (JSC::DFG::LivenessAnalysisPhase::run): Deleted.
        (JSC::DFG::LivenessAnalysisPhase::processBlock): Deleted.

2017-04-04  Joseph Pecoraro  <pecoraro@apple.com>

        Remove stale LLVM Header Path includes from JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=170483

        Reviewed by Mark Lam.

        * Configurations/Base.xcconfig:

2017-04-04  Filip Pizlo  <fpizlo@apple.com>

        B3::LowerToAir incorrectly selects BitXor(AtomicStrongCAS(...), $1)
        https://bugs.webkit.org/show_bug.cgi?id=169867

        Reviewed by Saam Barati.
        
        The BitXor(AtomicWeakCAS(...), $1) optimization makes a lot of sense because we an fold the
        BitXor into the CAS condition read-out. But there is no version of this that is profitable or
        correct for AtomicStrongCAS. The inversion case is handled by Equal(AtomicStrongCAS(...), ...)
        becoming NotEqual(AtomicStrongCAS(...), ...), and we alraedy handle that separately.
        
        So, the fix here is to make the BitXor CAS pattern only recognize AtomicWeakCAS.

        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::lower):
        * b3/testb3.cpp:
        (JSC::B3::testAtomicStrongCAS):

2017-04-04  Saam Barati  <sbarati@apple.com>

        WebAssembly: JSWebAssemblyCallee should not be a JSCell
        https://bugs.webkit.org/show_bug.cgi?id=170135

        Reviewed by Michael Saboff.

        This patch is perhaps the last big change to the design of fundamental
        Wasm API to allow for PIC. It changes JSWebAssemblyCallee into a thing
        called Wasm::Callee. It serves the same purpose as before, except
        Wasm::Callee is not a JSCell. I had to refactor the various parts of the
        runtime that will see CallFrame's with Wasm::Callee's in the callee slot.
        Thankfully, the parts of the runtime that Wasm touches are limited. The
        main refactoring is changing the exception handling code, such as taking
        a stack trace, to be friendly to seeing a non JSCell callee.
        
        The callee() function on ExecState now returns a class I added in this
        patch called CalleeBits. CalleeBits will tell you if the callee is a
        JSCell or a Wasm::Callee. We tag Wasm::Callee's with a 1 in their lower
        bit so we can easily tell what is and isn't a Wasm::Callee.
        
        The stub that calls out from Wasm to JS still puts a JSCell callee
        into the call frame, even though the callee logically represents a
        Wasm frame. The reason for this is that we use the call IC infrastructure
        to make a call out to JS code, and the code that writes the IC expects
        a JSCell as the callee. This is knowingly part of our design. When we
        do structured cloning of Wasm Modules, we'll need to regenerate these
        JS call stubs.

        * API/JSContextRef.cpp:
        (BacktraceFunctor::operator()):
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * debugger/Debugger.cpp:
        (JSC::Debugger::pauseIfNeeded):
        (JSC::Debugger::currentDebuggerCallFrame):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::create):
        (JSC::DebuggerCallFrame::DebuggerCallFrame):
        (JSC::DebuggerCallFrame::currentPosition):
        (JSC::DebuggerCallFrame::positionForCallFrame):
        * debugger/DebuggerCallFrame.h:
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::vmEntryGlobalObject):
        (JSC::CallFrame::wasmAwareLexicalGlobalObject):
        (JSC::CallFrame::isAnyWasmCallee):
        (JSC::CallFrame::callerSourceOrigin):
        * interpreter/CallFrame.h:
        (JSC::ExecState::calleeAsValue):
        (JSC::ExecState::jsCallee):
        (JSC::ExecState::callee):
        (JSC::ExecState::unsafeCallee):
        (JSC::ExecState::scope):
        (JSC::ExecState::iterate):
        * interpreter/CalleeBits.h: Added.
        (JSC::CalleeBits::CalleeBits):
        (JSC::CalleeBits::operator=):
        (JSC::CalleeBits::boxWasm):
        (JSC::CalleeBits::isWasm):
        (JSC::CalleeBits::isCell):
        (JSC::CalleeBits::asCell):
        (JSC::CalleeBits::asWasmCallee):
        (JSC::CalleeBits::rawPtr):
        * interpreter/Interpreter.cpp:
        (JSC::GetStackTraceFunctor::operator()):
        (JSC::Interpreter::getStackTrace):
        (JSC::notifyDebuggerOfUnwinding):
        (JSC::UnwindFunctor::UnwindFunctor):
        (JSC::UnwindFunctor::operator()):
        (JSC::UnwindFunctor::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
        (JSC::Interpreter::unwind):
        (JSC::Interpreter::notifyDebuggerOfExceptionToBeThrown):
        * interpreter/Interpreter.h:
        * interpreter/Register.h:
        (JSC::Register::pointer):
        * interpreter/ShadowChicken.cpp:
        (JSC::ShadowChicken::update):
        * interpreter/ShadowChickenInlines.h:
        (JSC::ShadowChicken::iterate):
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::StackVisitor):
        (JSC::StackVisitor::readFrame):
        (JSC::StackVisitor::readNonInlinedFrame):
        (JSC::StackVisitor::readInlinedFrame):
        (JSC::StackVisitor::Frame::calleeSaveRegisters):
        (JSC::StackVisitor::Frame::functionName):
        (JSC::StackVisitor::Frame::dump):
        * interpreter/StackVisitor.h:
        (JSC::StackVisitor::Frame::callee):
        (JSC::StackVisitor::visit):
        * jit/Repatch.cpp:
        (JSC::linkFor):
        (JSC::linkPolymorphicCall):
        * jsc.cpp:
        (callWasmFunction):
        (functionTestWasmModuleFunctions):
        * runtime/ArrayPrototype.cpp:
        * runtime/Error.cpp:
        (JSC::addErrorInfoAndGetBytecodeOffset):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::finishCreation):
        * runtime/JSCell.cpp:
        (JSC::JSCell::isAnyWasmCallee): Deleted.
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::ExecState::vm):
        * runtime/JSFunction.cpp:
        (JSC::RetrieveArgumentsFunctor::operator()):
        (JSC::RetrieveCallerFunctionFunctor::operator()):
        * runtime/JSGlobalObject.cpp:
        * runtime/SamplingProfiler.cpp:
        (JSC::FrameWalker::recordJSFrame):
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        * runtime/SamplingProfiler.h:
        (JSC::SamplingProfiler::UnprocessedStackFrame::UnprocessedStackFrame):
        * runtime/StackFrame.cpp:
        (JSC::StackFrame::sourceURL):
        (JSC::StackFrame::functionName):
        * runtime/StackFrame.h:
        (JSC::StackFrame::wasm):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::throwException):
        * runtime/VM.h:
        * wasm/JSWebAssembly.h:
        * wasm/WasmB3IRGenerator.cpp:
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToWasm):
        * wasm/WasmCallee.cpp: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCallee.cpp.
        (JSC::Wasm::Callee::Callee):
        (JSC::JSWebAssemblyCallee::JSWebAssemblyCallee): Deleted.
        (JSC::JSWebAssemblyCallee::finishCreation): Deleted.
        (JSC::JSWebAssemblyCallee::destroy): Deleted.
        * wasm/WasmCallee.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCallee.h.
        (JSC::Wasm::Callee::create):
        (JSC::JSWebAssemblyCallee::create): Deleted.
        (JSC::JSWebAssemblyCallee::createStructure): Deleted.
        (JSC::JSWebAssemblyCallee::entrypoint): Deleted.
        (JSC::JSWebAssemblyCallee::calleeSaveRegisters): Deleted.
        * wasm/WasmContext.h:
        * wasm/WasmPlan.cpp:
        * wasm/WasmPlan.h:
        * wasm/WasmPlanInlines.h:
        (JSC::Wasm::Plan::initializeCallees):
        * wasm/WasmThunks.cpp:
        (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
        * wasm/js/JSWebAssemblyCallee.cpp: Removed.
        * wasm/js/JSWebAssemblyCallee.h: Removed.
        * wasm/js/JSWebAssemblyCodeBlock.cpp:
        (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
        (JSC::JSWebAssemblyCodeBlock::initialize):
        (JSC::JSWebAssemblyCodeBlock::visitChildren):
        * wasm/js/JSWebAssemblyCodeBlock.h:
        (JSC::JSWebAssemblyCodeBlock::create):
        (JSC::JSWebAssemblyCodeBlock::jsEntrypointCalleeFromFunctionIndexSpace):
        (JSC::JSWebAssemblyCodeBlock::wasmEntrypointCalleeFromFunctionIndexSpace):
        (JSC::JSWebAssemblyCodeBlock::wasmToJsCallStubForImport):
        (JSC::JSWebAssemblyCodeBlock::offsetOfImportWasmToJSStub):
        (JSC::JSWebAssemblyCodeBlock::setJSEntrypointCallee):
        (JSC::JSWebAssemblyCodeBlock::setWasmEntrypointCallee):
        (JSC::JSWebAssemblyCodeBlock::offsetOfImportStubs):
        (JSC::JSWebAssemblyCodeBlock::allocationSize):
        (JSC::JSWebAssemblyCodeBlock::importWasmToJSStub):
        (JSC::JSWebAssemblyCodeBlock::callees): Deleted.
        (JSC::JSWebAssemblyCodeBlock::offsetOfCallees): Deleted.
        * wasm/js/JSWebAssemblyInstance.h:
        (JSC::JSWebAssemblyInstance::webAssemblyToJSCallee):
        * wasm/js/JSWebAssemblyModule.cpp:
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):
        (JSC::WebAssemblyFunction::create):
        (JSC::WebAssemblyFunction::WebAssemblyFunction):
        (JSC::WebAssemblyFunction::visitChildren):
        (JSC::WebAssemblyFunction::finishCreation):
        * wasm/js/WebAssemblyFunction.h:
        (JSC::WebAssemblyFunction::wasmEntrypoint):
        (JSC::WebAssemblyFunction::jsEntrypoint):
        (JSC::WebAssemblyFunction::offsetOfWasmEntrypoint):
        (JSC::WebAssemblyFunction::offsetOfWasmEntryPointCode): Deleted.
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):
        (JSC::WebAssemblyModuleRecord::evaluate):

2017-04-04  Keith Miller  <keith_miller@apple.com>

        WasmBench asserts in debug jsc
        https://bugs.webkit.org/show_bug.cgi?id=170462

        Reviewed by Saam Barati.

        The assertion should have been an if.

        * wasm/WasmWorklist.cpp:

2017-04-04  Filip Pizlo  <fpizlo@apple.com>

        Air::lowerAfterRegAlloc should bail early if it finds no Shuffles or ColdCCalls
        https://bugs.webkit.org/show_bug.cgi?id=170305

        Reviewed by Saam Barati.
        
        This reduces and sometimes completely eliminates the need to run lowerAfterRegAlloc().
        
        This lowers the Shuffle for the arguments of a CCall before register allocation unless
        the CCall arguments require a real shuffle (like if the CCall arguments were argument
        registers). This lowers a ColdCCall like a CCall for optLevel<2.
        
        Finally, lowerAfterRegAlloc() now checks if there are any Shuffles or CCalls before it
        does anything else. For wasm at -O1, this means that the phase doesn't run at all. This
        is a ~3% wasm -O1 compile time progression.
        
        To make this easy, I changed optLevel into a property of Procedure and Code rather than
        an argument we thread through everything. I like how Procedure and Code are dumping
        ground classes. This does not bother me. Note that I cloned optLevel into Procedure and
        Code so that it's cheap to query inside Air phases.

        * b3/B3Compile.cpp:
        (JSC::B3::compile):
        * b3/B3Compile.h:
        * b3/B3Generate.cpp:
        (JSC::B3::prepareForGeneration):
        (JSC::B3::generateToAir):
        * b3/B3Generate.h:
        * b3/B3Procedure.cpp:
        (JSC::B3::Procedure::setOptLevel):
        * b3/B3Procedure.h:
        (JSC::B3::Procedure::optLevel):
        * b3/air/AirCode.h:
        (JSC::B3::Air::Code::isPinned):
        (JSC::B3::Air::Code::setOptLevel):
        (JSC::B3::Air::Code::optLevel):
        * b3/air/AirEmitShuffle.cpp:
        (JSC::B3::Air::ShufflePair::bank):
        (JSC::B3::Air::ShufflePair::opcode):
        (JSC::B3::Air::ShufflePair::inst):
        (JSC::B3::Air::emitShuffle):
        * b3/air/AirEmitShuffle.h:
        (JSC::B3::Air::moveFor):
        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::prepareForGeneration):
        * b3/air/AirGenerate.h:
        * b3/air/AirLowerAfterRegAlloc.cpp:
        (JSC::B3::Air::lowerAfterRegAlloc):
        * b3/air/AirLowerMacros.cpp:
        (JSC::B3::Air::lowerMacros):
        * b3/testb3.cpp:
        (JSC::B3::compileProc):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::parseAndCompile):

2017-04-04  Filip Pizlo  <fpizlo@apple.com>

        Don't need to Air::reportUsedRegisters for wasm at -O1
        https://bugs.webkit.org/show_bug.cgi?id=170459

        Reviewed by Saam Barati.
        
        I did some refactorings to Liveness<> to try to understand its performance. Based on
        this I concluded that the bigger immediate issue is just removing unnecessary phases
        from -O1.
        
        This removes Air::reportUsedRegisters() from -O1 if the user has indicated that he is
        not interested in StackmapGenerationParams::usedRegisters(). The logic here is a bit
        weird because of how Air does spill code generation. The register allocator's spiller
        will emit spill code using identifiable spill slots, which allows subsequent phases to
        register-allocate the spill slots. We do this by a forward flow CSE phase called
        fixObviousSpills (which is a terrible name since there is no longer anything obvious
        about some of the spills that this phase can fix!). As is most natural for CSEs over
        3AC, it rewires the uses of redundant computations rather than removing the redundant
        computations. This means that if a spill got "fixed", there may be either or both of
        the following:
        
        - Dead loads from the stack.
        - Dead stores to the stack.
        
        We know that a load from the stack is dead if the register is dead at the point of the
        load. We know that a store to the stack is dead if the spill slot is dead at the point
        of the store.
        
        Unfortunately, liveness analysis - over either registers or spill slots - is expensive.
        
        Fortunately, allocateStack() already does liveness analysis over spill slots. So, we
        baked elimination of stores to the stack into that phase. That aspect of clean-up after
        the spill CSE comes for free.
        
        Also fortunately for the FTL, we have to do reportUsedRegisters() anyway. This is a
        phase that enables StackmapGenerationParams::usedRegisters() to work, which then
        enables the FTL's patchpoints to do crazy slow-path live range splitting. So, Air's
        strategy for the load fix-up after spill CSE is to do it as part of
        reportUsedRegisters().
        
        This patch introduces the Procedure::setNeedsUsedRegisters() API. But if you set
        needsUsedRegisters to false then we will still run reportUsedRegisters() at -O2 as an
        optimization - it removes dead loads from the stack that are left behind from
        fixObviousSpills().
        
        This is a ~6% compile time progression at -O1.

        * b3/B3Procedure.h:
        (JSC::B3::Procedure::setNeedsUsedRegisters):
        (JSC::B3::Procedure::needsUsedRegisters):
        * b3/B3StackmapGenerationParams.h:
        * b3/B3VariableLiveness.cpp:
        (JSC::B3::VariableLiveness::VariableLiveness):
        * b3/air/AirCode.cpp:
        (JSC::B3::Air::Code::needsUsedRegisters):
        * b3/air/AirCode.h:
        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::prepareForGeneration):
        * b3/air/AirLiveness.h:
        (JSC::B3::Air::Liveness::Liveness):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::parseAndCompile):

2017-04-03  Filip Pizlo  <fpizlo@apple.com>

        Air liveness should build constraints and solve them rather than repeatedly parsing IR
        https://bugs.webkit.org/show_bug.cgi?id=170421

        Reviewed by Saam Barati.
        
        Inst::forEach<> is expensive. The LivenessAdapter uses forEach with a particularly
        gnarly lambda that has many extra checks. Therefore, a lot of the time spent in
        liveness analysis is just recomputing forEach<> and that lambda to get uses and defs.
        
        This introduces LivenessConstraints<>, which is a liveness constraint system based on
        Adapter. It basically caches the results of doing forEach. It'll give you the uses and
        defs at each instruction boundary.
        
        This is a ~5% compile time progression at optLevel=1. It's also a ~3% compile time
        progression at optLevel=2.
        
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/air/AirLivenessAdapter.h:
        (JSC::B3::Air::LivenessAdapter::LivenessAdapter):
        (JSC::B3::Air::LivenessAdapter::forEachUse):
        (JSC::B3::Air::LivenessAdapter::forEachDef):
        * b3/air/AirLivenessConstraints.h: Added.
        (JSC::B3::Air::LivenessConstraints::Actions::Actions):
        (JSC::B3::Air::LivenessConstraints::LivenessConstraints):
        (JSC::B3::Air::LivenessConstraints::at):

2017-04-03  Mark Lam  <mark.lam@apple.com>

        Fix incorrect capacity delta calculation reported in SparseArrayValueMap::add().
        https://bugs.webkit.org/show_bug.cgi?id=170412
        <rdar://problem/29697336>

        Reviewed by Filip Pizlo.

        Here's an example of code that will trigger underflow in the "deprecatedExtraMemory"
        reported by SparseArrayValueMap::add() that is added to Heap::m_deprecatedExtraMemorySize:
        
            arr = new Array;
            Object.defineProperty(arr, 18, ({writable: true, configurable: true}));
            for (var i = 0; i < 3; ++i) {
                Array.prototype.push.apply(arr, ["", () => {}, {}]);
                Array.prototype.sort.apply(arr, [() => {}, []]);
            }

        However, Heap::m_deprecatedExtraMemorySize is only 1 of 3 values that are added
        up to form the result of Heap::extraMemorySize().  Heap::m_extraMemorySize and
        Heap::m_arrayBuffers.size() are the other 2.

        While Heap::m_arrayBuffers.size() is bounded by actual allocated memory, both
        Heap::m_deprecatedExtraMemorySize and Heap::m_extraMemorySize are added to
        without any bounds checks, and they are only reset to 0 at the start of a full
        GC.  As a result, if we have a long sequence of eden GCs with a lot of additions
        to Heap::m_extraMemorySize and/or Heap::m_deprecatedExtraMemorySize, then these
        values could theoretically overflow.  Coupling this with the underflow from
        SparseArrayValueMap::add(), the result for Heap::extraMemorySize() can easily
        overflow.  Note: Heap::extraMemorySize() is used to compute the value
        currentHeapSize.

        If multiple conditions line up just right, the above overflows can result in this
        debug assertion failure during an eden GC:

            ASSERT(currentHeapSize >= m_sizeAfterLastCollect);

        Otherwise, the effects of the overflows will only result in the computed
        currentHeapSize not being representative of actual memory usage, and therefore,
        a full GC may be triggered earlier or later than is ideal.

        This patch ensures that SparseArrayValueMap::add() cannot underflow
        Heap::m_deprecatedExtraMemorySize.  It also adds overflows checks in the
        calculations of Heap::m_deprecatedExtraMemorySize, Heap::m_extraMemorySize, and
        Heap::extraMemorySize() so that their values are saturated appropriately to
        ensure that GC collections are triggered based on representative memory usage.

        * heap/Heap.cpp:
        (JSC::Heap::deprecatedReportExtraMemorySlowCase):
        (JSC::Heap::extraMemorySize):
        (JSC::Heap::updateAllocationLimits):
        (JSC::Heap::reportExtraMemoryVisited):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::add):

2017-04-03  Filip Pizlo  <fpizlo@apple.com>

        Move the Liveness<> adapters from AirLiveness.h to AirLivenessAdapter.h.

        Rubber stamped by Keith Miller.
        
        This will make it easier to write other code that uses those adapters.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/air/AirLiveness.h:
        (JSC::B3::Air::LivenessAdapter::LivenessAdapter): Deleted.
        (JSC::B3::Air::LivenessAdapter::blockSize): Deleted.
        (JSC::B3::Air::LivenessAdapter::forEachUse): Deleted.
        (JSC::B3::Air::LivenessAdapter::forEachDef): Deleted.
        (JSC::B3::Air::TmpLivenessAdapter::TmpLivenessAdapter): Deleted.
        (JSC::B3::Air::TmpLivenessAdapter::numIndices): Deleted.
        (JSC::B3::Air::TmpLivenessAdapter::acceptsBank): Deleted.
        (JSC::B3::Air::TmpLivenessAdapter::acceptsRole): Deleted.
        (JSC::B3::Air::TmpLivenessAdapter::valueToIndex): Deleted.
        (JSC::B3::Air::TmpLivenessAdapter::indexToValue): Deleted.
        (JSC::B3::Air::StackSlotLivenessAdapter::StackSlotLivenessAdapter): Deleted.
        (JSC::B3::Air::StackSlotLivenessAdapter::numIndices): Deleted.
        (JSC::B3::Air::StackSlotLivenessAdapter::acceptsBank): Deleted.
        (JSC::B3::Air::StackSlotLivenessAdapter::acceptsRole): Deleted.
        (JSC::B3::Air::StackSlotLivenessAdapter::valueToIndex): Deleted.
        (JSC::B3::Air::StackSlotLivenessAdapter::indexToValue): Deleted.
        * b3/air/AirLivenessAdapter.h: Added.
        (JSC::B3::Air::LivenessAdapter::LivenessAdapter):
        (JSC::B3::Air::LivenessAdapter::blockSize):
        (JSC::B3::Air::LivenessAdapter::forEachUse):
        (JSC::B3::Air::LivenessAdapter::forEachDef):
        (JSC::B3::Air::TmpLivenessAdapter::TmpLivenessAdapter):
        (JSC::B3::Air::TmpLivenessAdapter::numIndices):
        (JSC::B3::Air::TmpLivenessAdapter::acceptsBank):
        (JSC::B3::Air::TmpLivenessAdapter::acceptsRole):
        (JSC::B3::Air::TmpLivenessAdapter::valueToIndex):
        (JSC::B3::Air::TmpLivenessAdapter::indexToValue):
        (JSC::B3::Air::StackSlotLivenessAdapter::StackSlotLivenessAdapter):
        (JSC::B3::Air::StackSlotLivenessAdapter::numIndices):
        (JSC::B3::Air::StackSlotLivenessAdapter::acceptsBank):
        (JSC::B3::Air::StackSlotLivenessAdapter::acceptsRole):
        (JSC::B3::Air::StackSlotLivenessAdapter::valueToIndex):
        (JSC::B3::Air::StackSlotLivenessAdapter::indexToValue):

2017-04-03  Filip Pizlo  <fpizlo@apple.com>

        WTF::Liveness should have an API that focuses on actions at instruction boundaries
        https://bugs.webkit.org/show_bug.cgi?id=170407

        Reviewed by Keith Miller.
        
        Adopt changes to the WTF::Liveness<> API. Instead of having separate functions for the
        early/late versions of uses and defs, we now have just a use/def API. Those
        automatically take care of eary/late issues as needed.
        
        This reduces the API surface between WTF::Liveness<> and its clients, which makes it
        easier to implement some other optimizations I'm thinking about.

        * b3/B3VariableLiveness.h:
        (JSC::B3::VariableLivenessAdapter::forEachUse):
        (JSC::B3::VariableLivenessAdapter::forEachDef):
        (JSC::B3::VariableLivenessAdapter::forEachEarlyUse): Deleted.
        (JSC::B3::VariableLivenessAdapter::forEachLateUse): Deleted.
        (JSC::B3::VariableLivenessAdapter::forEachEarlyDef): Deleted.
        (JSC::B3::VariableLivenessAdapter::forEachLateDef): Deleted.
        * b3/air/AirLiveness.h:
        (JSC::B3::Air::LivenessAdapter::blockSize):
        (JSC::B3::Air::LivenessAdapter::forEachUse):
        (JSC::B3::Air::LivenessAdapter::forEachDef):
        (JSC::B3::Air::LivenessAdapter::forEachEarlyUse): Deleted.
        (JSC::B3::Air::LivenessAdapter::forEachLateUse): Deleted.
        (JSC::B3::Air::LivenessAdapter::forEachEarlyDef): Deleted.
        (JSC::B3::Air::LivenessAdapter::forEachLateDef): Deleted.

2017-04-03  Filip Pizlo  <fpizlo@apple.com>

        Inst::forEachArg could compile to more compact code
        https://bugs.webkit.org/show_bug.cgi?id=170406

        Reviewed by Sam Weinig.
        
        Prior to this change, Inst::forEachArg compiled to a ginormous ALWAYS_INLINE switch statement.
        It had one case for each opcode, and then each of those cases would have a switch statement over
        the number of operands. Then the cases of that switch statement would have a sequence of calls to
        the passed lambda. This meant that every user of forEachArg would generate an insane amount of
        code. It also meant that the inlining achieved nothing, since the lambda would surely then not
        be inlined - and if it was, then the icache pressure due to code bloat would surely negate any
        benefits.
        
        This replaces that code with a loop over a compact look-up table. We use the opcode and number of
        operands as keys into that look-up table. The table only takes about 20KB. It has one byte for
        each argument in each overload of each opcode.
        
        I can't measure any reproducible change in performance, but the JavaScriptCore framework binary
        shrinks by 2.7 MB. This is a 15% reduction in JavaScriptCore binary size.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3Width.h:
        * b3/air/AirCustom.h:
        (JSC::B3::Air::PatchCustom::forEachArg):
        * b3/air/AirFormTable.h: Added.
        (JSC::B3::Air::decodeFormRole):
        (JSC::B3::Air::decodeFormBank):
        (JSC::B3::Air::decodeFormWidth):
        * b3/air/AirInst.h:
        * b3/air/opcode_generator.rb:

2017-04-03  Keith Miller  <keith_miller@apple.com>

        WebAssembly: remove lastAllocatedMode from Memory
        https://bugs.webkit.org/show_bug.cgi?id=170405

        Reviewed by Mark Lam.

        It's not used anymore so there isn't any point in keeping it around.

        * wasm/WasmMemory.cpp:
        (JSC::Wasm::Memory::createImpl):
        (JSC::Wasm::Memory::lastAllocatedMode): Deleted.
        * wasm/WasmMemory.h:

2017-04-03  Zan Dobersek  <zdobersek@igalia.com>

        [jsc] Add patchableJumpSize() for MIPS
        https://bugs.webkit.org/show_bug.cgi?id=169716

        Reviewed by Yusuke Suzuki.

        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::patchableJumpSize): Added.
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::patchableJumpSize): Added.

2017-04-03  Guillaume Emont  <guijemont@igalia.com>

        [jsc] implement MIPSAssembler::relinkJumpToNop()
        https://bugs.webkit.org/show_bug.cgi?id=169720

        Reviewed by Yusuke Suzuki.

        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::relinkJumpToNop): Added.

2017-04-02  Carlos Garcia Campos  <cgarcia@igalia.com>

        Share implementation of JSRunLoopTimer::timerDidFire
        https://bugs.webkit.org/show_bug.cgi?id=170392

        Reviewed by Michael Catanzaro.

        The code is cross-platform but it's duplicated in CF and GLib implementations, it could be shared instead.

        * runtime/JSRunLoopTimer.cpp:
        (JSC::JSRunLoopTimer::timerDidFire): Move common implementation here.
        (JSC::JSRunLoopTimer::setRunLoop): Use timerDidFireCallback.
        (JSC::JSRunLoopTimer::timerDidFireCallback): Call JSRunLoopTimer::timerDidFire().
        * runtime/JSRunLoopTimer.h:

2017-04-01  Oleksandr Skachkov  <gskachkov@gmail.com>

        Object with numerical keys with gaps gets filled by NaN values
        https://bugs.webkit.org/show_bug.cgi?id=164412

        Reviewed by Mark Lam.

        This patch fixes issue when object have two properties 
        with name as number. The issue appears when during invoking 
        convertDoubleToArrayStorage, array is filled by pNaN and 
        method converting it to real NaN. This happeneds because a 
        pNaN in a Double array is a hole, and Double arrays cannot 
        have NaN values. To fix issue we need to check value and 
        clear it if it pNaN.

        * runtime/JSObject.cpp:
        (JSC::JSObject::convertDoubleToArrayStorage):

2017-03-31  Saam Barati  <sbarati@apple.com>

        WebAssembly: Make our calls out to JS PIC friendly
        https://bugs.webkit.org/show_bug.cgi?id=170261

        Reviewed by Keith Miller.

        This patch removes a direct call from the module to the Wasm to JS stub.
        Instead, we do an indirect call to the stub by loading the stub's executable
        address off of the CodeBlock. This is to make the code we emit for comply with
        requirements needed for PIC.
        
        Adding this indirection is not ideal. Although this patch is neutral on
        WasmBench, we really want to get back to a world where we have an IC
        call infrastructure. This patch is obviously a regression on some
        types of programs. I've filed this bug to make sure we implement a
        PIC compliant Wasm to JS call IC:
        https://bugs.webkit.org/show_bug.cgi?id=170375

        * wasm/WasmB3IRGenerator.cpp:
        * wasm/WasmFormat.h:
        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::complete):
        * wasm/js/JSWebAssemblyCodeBlock.cpp:
        (JSC::JSWebAssemblyCodeBlock::initialize):
        * wasm/js/JSWebAssemblyCodeBlock.h:
        (JSC::JSWebAssemblyCodeBlock::create):
        (JSC::JSWebAssemblyCodeBlock::offsetOfImportWasmToJSStub):
        (JSC::JSWebAssemblyCodeBlock::offsetOfCallees):
        (JSC::JSWebAssemblyCodeBlock::allocationSize):
        (JSC::JSWebAssemblyCodeBlock::importWasmToJSStub):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::addUnitializedCodeBlock):
        * wasm/js/JSWebAssemblyInstance.h:
        (JSC::JSWebAssemblyInstance::offsetOfCodeBlock):

2017-03-31  Keith Miller  <keith_miller@apple.com>

        WebAssembly: webAssemblyB3OptimizationLevel should use defaultB3OptLevel by default
        https://bugs.webkit.org/show_bug.cgi?id=170378

        Reviewed by Saam Barati.

        * runtime/Options.h:
        * wasm/WasmB3IRGenerator.h:

2017-03-31  Keith Miller  <keith_miller@apple.com>

        WebAssembly: Add compilation level option
        https://bugs.webkit.org/show_bug.cgi?id=170374

        Reviewed by Mark Lam.

        This patch adds an option, webAssemblyB3OptimizationLevel, which
        changes the optimization mode wasm passes to B3.

        * runtime/Options.h:
        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::compileFunctions):

2017-03-31  Saam Barati  <sbarati@apple.com>

        WebAssembly: Strip WasmParser and WasmFunctionParser from knowing about VM
        https://bugs.webkit.org/show_bug.cgi?id=170312

        Reviewed by Mark Lam.

        This is another step towards PIC-ifying Wasm. This patch removes
        the VM field that is no longer used.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::parseAndCompile):
        * wasm/WasmB3IRGenerator.h:
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::FunctionParser):
        * wasm/WasmModuleParser.h:
        (JSC::Wasm::ModuleParser::ModuleParser):
        * wasm/WasmParser.h:
        (JSC::Wasm::Parser<SuccessType>::Parser):
        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::parseAndValidateModule):
        (JSC::Wasm::Plan::compileFunctions):
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::validateFunction):
        * wasm/WasmValidate.h:

2017-03-31  Saam Barati  <sbarati@apple.com>

        WebAssembly: Ref count Signature and SignatureInformation should not care about VM
        https://bugs.webkit.org/show_bug.cgi?id=170316

        Reviewed by Keith Miller.

        This is yet again another step towards PIC-ifying Wasm.
        Signature should be ref counted so we can tell when
        no code is holding onto a Signature. This makes it easy
        to free unused Signatures. Also, this patch rids SignatureInfo
        of any VM knowledge. Now, there is just a single SignatureInfo that
        lives in a process.

        * runtime/VM.h:
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::createJSToWasmWrapper):
        (JSC::Wasm::parseAndCompile):
        * wasm/WasmB3IRGenerator.h:
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToJs):
        * wasm/WasmCallingConvention.h:
        (JSC::Wasm::CallingConvention::loadArguments):
        * wasm/WasmFormat.h:
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::FunctionParser):
        * wasm/WasmModuleParser.cpp:
        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::parseAndValidateModule):
        (JSC::Wasm::Plan::compileFunctions):
        (JSC::Wasm::Plan::complete):
        * wasm/WasmSignature.cpp:
        (JSC::Wasm::Signature::hash):
        (JSC::Wasm::Signature::tryCreate):
        (JSC::Wasm::SignatureInformation::SignatureInformation):
        (JSC::Wasm::SignatureInformation::singleton):
        (JSC::Wasm::SignatureInformation::adopt):
        (JSC::Wasm::SignatureInformation::get):
        (JSC::Wasm::SignatureInformation::tryCleanup):
        (JSC::Wasm::Signature::create): Deleted.
        (JSC::Wasm::Signature::createInvalid): Deleted.
        (JSC::Wasm::Signature::destroy): Deleted.
        (JSC::Wasm::SignatureInformation::~SignatureInformation): Deleted.
        * wasm/WasmSignature.h:
        (JSC::Wasm::Signature::allocatedSize):
        (JSC::Wasm::Signature::operator==):
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::validateFunction):
        * wasm/WasmValidate.h:
        * wasm/js/JSWebAssemblyModule.cpp:
        (JSC::JSWebAssemblyModule::destroy):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):
        * wasm/js/WebAssemblyFunction.h:
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):
        (JSC::WebAssemblyModuleRecord::evaluate):
        * wasm/js/WebAssemblyWrapperFunction.cpp:
        (JSC::WebAssemblyWrapperFunction::create):
        * wasm/js/WebAssemblyWrapperFunction.h:

2017-03-31  Mark Lam  <mark.lam@apple.com>

        Array.prototype.splice() should not be using JSArray::tryCreateForInitializationPrivate().
        https://bugs.webkit.org/show_bug.cgi?id=170303
        <rdar://problem/31358281>

        Reviewed by Filip Pizlo.

        This is because it needs to call getProperty() later to get the values for
        initializing the array.  getProperty() can execute arbitrary code and potentially
        trigger the GC.  This is not allowed for clients of JSArray::tryCreateForInitializationPrivate().

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSplice):
        (JSC::copySplicedArrayElements): Deleted.

2017-03-31  Oleksandr Skachkov  <gskachkov@gmail.com>

        String.prototype.replace incorrectly applies "special replacement parameters" when passed a function
        https://bugs.webkit.org/show_bug.cgi?id=170151

        Reviewed by Saam Barati.

        This patch fixes issue for String.prototype.replace when passed a function 
        with special symbols "$$". It happeneds because substituteBackreferences applies 
        unconditionally, but according to the spec it should be applied only for text 
        21.1.3.16.8 https://tc39.github.io/ecma262/#sec-string.prototype.replace

        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingStringSearch):

2017-03-30  Saam Barati  <sbarati@apple.com>

        WebAssembly: When Wasm calls to C, it should use Wasm::Context* instead of ExecState* to get VM
        https://bugs.webkit.org/show_bug.cgi?id=170185

        Reviewed by Michael Saboff.

        This is one more step in the direction of PIC-ified Wasm.
        When we lift WasmCallee above VM, we will no longer be
        able to get VM from ExecState*. This patch ensures that
        we don't do that from within the Wasm runtime. Instead,
        we use the Wasm::Context* to get the VM.

        This patch also adds a new class, Wasm::Thunks. There
        is a single Wasm::Thunks that lives in the process. It
        is responsible for generating a thunk that Wasm relies on.
        The only such thunk right now is the exception throwing
        thunk.

        This patch also rids WasmFaultSignalHandler from any knowledge
        of VM. Previously, it relied on VM to get the exception handling
        thunk.

        The only part of the Wasm runtime that will be allowed
        to get VM& from ExecState will be WasmBinding. In the
        future, we plan to keep the calls out to JS to keep
        a JSCell as the callee.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * interpreter/Interpreter.cpp:
        (JSC::UnwindFunctor::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
        (JSC::AssemblyHelpers::copyCalleeSavesToVMEntryFrameCalleeSavesBufferImpl):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromWasmThunkGenerator): Deleted.
        * jit/ThunkGenerators.h:
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::getAllCalleeSaveRegisterOffsets):
        * runtime/VM.h:
        (JSC::VM::topVMEntryFrameOffset):
        (JSC::VM::getAllCalleeSaveRegisterOffsets): Deleted.
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::emitExceptionCheck):
        * wasm/WasmFaultSignalHandler.cpp:
        (JSC::Wasm::trapHandler):
        * wasm/WasmMemory.cpp:
        (JSC::Wasm::tryGetFastMemory):
        * wasm/WasmThunks.cpp: Added.
        (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
        (JSC::Wasm::Thunks::initialize):
        (JSC::Wasm::Thunks::singleton):
        (JSC::Wasm::Thunks::stub):
        (JSC::Wasm::Thunks::existingStub):
        * wasm/WasmThunks.h: Added.
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
        * wasm/js/JSWebAssemblyInstance.h:
        (JSC::JSWebAssemblyInstance::offsetOfVM):
        * wasm/js/JSWebAssemblyMemory.cpp:
        (JSC::JSWebAssemblyMemory::grow):
        * wasm/js/JSWebAssemblyMemory.h:
        * wasm/js/WebAssemblyMemoryPrototype.cpp:
        (JSC::webAssemblyMemoryProtoFuncGrow):

2017-03-30  Mark Lam  <mark.lam@apple.com>

        IntlObject should not be using JSArray::initializeIndex().
        https://bugs.webkit.org/show_bug.cgi?id=170302
        <rdar://problem/31356918>

        Reviewed by Saam Barati.

        JSArray::initializeIndex() is only meant to be used with arrays created using
        JSArray::tryCreateForInitializationPrivate() under very constrained conditions.

        * runtime/IntlObject.cpp:
        (JSC::canonicalizeLocaleList):
        (JSC::intlObjectFuncGetCanonicalLocales):

2017-03-30  Filip Pizlo  <fpizlo@apple.com>

        Air should support linear scan for optLevel<2
        https://bugs.webkit.org/show_bug.cgi?id=170161

        Reviewed by Saam Barati.
        
        This changes the default opt level of B3 to 2. It makes the other opt levels useful by adding a
        new register allocator. This new linear scan allocator will produce significantly worse code.
        But it will produce that code a lot faster than IRC or Briggs.
        
        The opt levels are:
            0: no optimizations, linear scan
            1: some optimizations, linear scan
            2: full optimizations, graph coloring (IRC or Briggs based on CPU)
        
        What we used to call optLevel=1 is not called optLevel=2, or better yet,
        optLevel=B3::defaultOptLevel(). We no longer have anything like the old optLevel=0 (which did no
        optimizations but ran graph coloring).
        
        allocateRegistersByLinearScan() faithfully implements Massimiliano Poletto and Vivek Sarkar's
        famous algorithm. It uses the variant that handles clobbered registers by avoiding assigning
        ranges to those registers if the range overlaps a clobber. It's engineered to allocate registers
        very quickly and generate inefficient code without falling off a cliff.
        
        The new optLevel=1 speeds up B3 by a factor of 2, and results in a 80% throughput regression.
        Linear scan runs 4.7x faster than graph coloring on average.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3BasicBlockUtils.h:
        (JSC::B3::blocksInPreOrder):
        (JSC::B3::blocksInPostOrder):
        * b3/B3BlockWorklist.h:
        * b3/B3CFG.h:
        (JSC::B3::CFG::newMap):
        * b3/B3Common.h:
        (JSC::B3::defaultOptLevel):
        * b3/B3Compile.h:
        * b3/B3DuplicateTails.cpp:
        * b3/B3EliminateCommonSubexpressions.cpp:
        * b3/B3FixSSA.cpp:
        (JSC::B3::demoteValues):
        (JSC::B3::fixSSA):
        * b3/B3FixSSA.h:
        * b3/B3Generate.cpp:
        (JSC::B3::prepareForGeneration):
        (JSC::B3::generateToAir):
        * b3/B3Generate.h:
        * b3/B3HeapRange.cpp: Removed.
        * b3/B3HeapRange.h:
        (JSC::B3::HeapRange::HeapRange): Deleted.
        (JSC::B3::HeapRange::top): Deleted.
        (JSC::B3::HeapRange::operator==): Deleted.
        (JSC::B3::HeapRange::operator!=): Deleted.
        (JSC::B3::HeapRange::operator|): Deleted.
        (JSC::B3::HeapRange::operator bool): Deleted.
        (JSC::B3::HeapRange::begin): Deleted.
        (JSC::B3::HeapRange::end): Deleted.
        (JSC::B3::HeapRange::overlaps): Deleted.
        * b3/B3LowerToAir.cpp:
        * b3/B3MoveConstants.cpp:
        * b3/B3PhiChildren.h:
        * b3/B3Procedure.cpp:
        (JSC::B3::Procedure::dump):
        (JSC::B3::Procedure::deleteOrphans):
        (JSC::B3::Procedure::setBlockOrderImpl):
        * b3/B3ReduceDoubleToFloat.cpp:
        * b3/B3ReduceStrength.cpp:
        * b3/B3SSACalculator.h:
        * b3/B3UseCounts.h:
        * b3/air/AirAllocateRegistersByGraphColoring.cpp:
        * b3/air/AirAllocateRegistersByLinearScan.cpp: Added.
        (JSC::B3::Air::allocateRegistersByLinearScan):
        * b3/air/AirAllocateRegistersByLinearScan.h: Added.
        * b3/air/AirAllocateStack.cpp:
        (JSC::B3::Air::allocateStack):
        * b3/air/AirArg.cpp:
        (WTF::printInternal):
        * b3/air/AirArg.h:
        (JSC::B3::Air::Arg::activeAt):
        (JSC::B3::Air::Arg::timing):
        (JSC::B3::Air::Arg::forEachPhase):
        * b3/air/AirBasicBlock.h:
        * b3/air/AirBlockWorklist.h:
        * b3/air/AirCFG.h:
        (JSC::B3::Air::CFG::newMap):
        * b3/air/AirEliminateDeadCode.cpp:
        (JSC::B3::Air::eliminateDeadCode):
        * b3/air/AirFixObviousSpills.cpp:
        * b3/air/AirFixPartialRegisterStalls.cpp:
        (JSC::B3::Air::fixPartialRegisterStalls):
        * b3/air/AirFixSpillsAfterTerminals.cpp: Added.
        (JSC::B3::Air::fixSpillsAfterTerminals):
        * b3/air/AirFixSpillsAfterTerminals.h: Added.
        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::prepareForGeneration):
        (JSC::B3::Air::generate):
        * b3/air/AirGenerate.h:
        * b3/air/AirGenerationContext.h:
        * b3/air/AirInsertionSet.h:
        * b3/air/AirInst.cpp:
        (JSC::B3::Air::Inst::needsPadding):
        * b3/air/AirLowerAfterRegAlloc.cpp:
        (JSC::B3::Air::lowerAfterRegAlloc):
        * b3/air/AirLowerEntrySwitch.cpp:
        (JSC::B3::Air::lowerEntrySwitch):
        * b3/air/AirOpcode.opcodes:
        * b3/air/AirPhaseInsertionSet.cpp: Added.
        (JSC::B3::Air::PhaseInsertionSet::execute):
        * b3/air/AirPhaseInsertionSet.h: Added.
        (JSC::B3::Air::PhaseInsertion::PhaseInsertion):
        (JSC::B3::Air::PhaseInsertion::phase):
        (JSC::B3::Air::PhaseInsertion::operator<):
        (JSC::B3::Air::PhaseInsertionSet::PhaseInsertionSet):
        (JSC::B3::Air::PhaseInsertionSet::appendInsertion):
        (JSC::B3::Air::PhaseInsertionSet::insertInst):
        (JSC::B3::Air::PhaseInsertionSet::insert):
        * b3/air/AirRegLiveness.h:
        (JSC::B3::Air::RegLiveness::LocalCalc::LocalCalc):
        * b3/air/AirSpillEverything.cpp:
        (JSC::B3::Air::spillEverything):
        * b3/air/AirTmp.cpp:
        * b3/air/AirTmp.h:
        (JSC::B3::Air::Tmp::tmpForIndex):
        * b3/air/AirTmpInlines.h:
        (JSC::B3::Air::Tmp::Indexed::Indexed):
        (JSC::B3::Air::Tmp::Indexed::index):
        (JSC::B3::Air::Tmp::AbsolutelyIndexed::AbsolutelyIndexed):
        (JSC::B3::Air::Tmp::AbsolutelyIndexed::index):
        (JSC::B3::Air::Tmp::indexed):
        (JSC::B3::Air::Tmp::absolutelyIndexed):
        (JSC::B3::Air::Tmp::tmpForAbsoluteIndex):
        * b3/testb3.cpp:
        (JSC::B3::compile):
        (JSC::B3::testMulLoadTwice):
        * jit/RegisterSet.h:
        (JSC::RegisterSet::add):
        (JSC::RegisterSet::remove):
        * runtime/Options.h:
        * wasm/WasmB3IRGenerator.h:

2017-03-30  Youenn Fablet  <youenn@apple.com>

        Clean up RTCDataChannel
        https://bugs.webkit.org/show_bug.cgi?id=169732

        Reviewed by Chris Dumez.

        * runtime/CommonIdentifiers.h: Adding RTCDataChannelEvent.

2017-03-30  Saam Barati  <sbarati@apple.com>

        WebAssembly: pass Wasm::Context* to vmEntryToWasm when not using fast TLS
        https://bugs.webkit.org/show_bug.cgi?id=170182

        Reviewed by Mark Lam.

        This is one more step in the direction of PIC-ified Wasm.
        I'm removing assumptions that a wasm callee is a cell. We used to use
        the callee to get the WasmContext off the callee's VM. Instead,
        this patch makes it so that we pass in the context as a parameter
        to the JS entrypoint.

        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::offsetOfVM): Deleted.
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::loadWasmContext):
        (JSC::AssemblyHelpers::storeWasmContext):
        (JSC::AssemblyHelpers::loadWasmContextNeedsMacroScratchRegister):
        (JSC::AssemblyHelpers::storeWasmContextNeedsMacroScratchRegister):
        * jsc.cpp:
        (functionTestWasmModuleFunctions):
        * runtime/VM.h:
        (JSC::VM::wasmContextOffset): Deleted.
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::materializeWasmContext):
        (JSC::Wasm::B3IRGenerator::restoreWasmContext):
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::createJSToWasmWrapper):
        * wasm/WasmContext.cpp:
        (JSC::Wasm::loadContext):
        (JSC::Wasm::storeContext):
        (JSC::loadWasmContext): Deleted.
        (JSC::storeWasmContext): Deleted.
        * wasm/WasmContext.h:
        (JSC::Wasm::useFastTLS):
        (JSC::Wasm::useFastTLSForContext):
        * wasm/WasmMemoryInformation.cpp:
        (JSC::Wasm::PinnedRegisterInfo::get):
        * wasm/WasmMemoryInformation.h:
        (JSC::Wasm::useFastTLS): Deleted.
        (JSC::Wasm::useFastTLSForWasmContext): Deleted.
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):

2017-03-30  JF Bastien  <jfbastien@apple.com>

        WebAssembly: fix misc JS API implementation inconsistencies
        https://bugs.webkit.org/show_bug.cgi?id=170187

        Reviewed by Keith Miller.

        Auto-generate lookup tables.
        Methods should be on prototype.
        Exception returns should be idiomatic.

        * wasm/JSWebAssembly.cpp: validate / compile / instantiate should
        be on the prototype
        (JSC::JSWebAssembly::create):
        (JSC::JSWebAssembly::finishCreation):
        (JSC::reject): Deleted.
        (JSC::webAssemblyCompileFunc): Deleted.
        (JSC::resolve): Deleted.
        (JSC::instantiate): Deleted.
        (JSC::compileAndInstantiate): Deleted.
        (JSC::webAssemblyInstantiateFunc): Deleted.
        (JSC::webAssemblyValidateFunc): Deleted.
        * wasm/JSWebAssembly.h:
        * wasm/js/WebAssemblyMemoryPrototype.cpp: move from JSWebAssembly.cpp
        (JSC::webAssemblyMemoryProtoFuncBuffer):
        (JSC::WebAssemblyMemoryPrototype::create):
        (JSC::WebAssemblyMemoryPrototype::finishCreation):
        * wasm/js/WebAssemblyMemoryPrototype.h:
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::reject):
        (JSC::webAssemblyCompileFunc):
        (JSC::resolve):
        (JSC::instantiate):
        (JSC::compileAndInstantiate):
        (JSC::webAssemblyInstantiateFunc):
        (JSC::webAssemblyValidateFunc):
        (JSC::webAssemblyFunctionValidate): Deleted.
        (JSC::webAssemblyFunctionCompile): Deleted.
        * wasm/js/WebAssemblyTablePrototype.cpp:
        (JSC::webAssemblyTableProtoFuncGrow):
        (JSC::webAssemblyTableProtoFuncGet):
        (JSC::webAssemblyTableProtoFuncSet):
        (JSC::WebAssemblyTablePrototype::create):
        (JSC::WebAssemblyTablePrototype::finishCreation):
        * wasm/js/WebAssemblyTablePrototype.h:

2017-03-29  Keith Miller  <keith_miller@apple.com>

        Unreviewed, fix the build, again. Hopefully for the last time, again!

        * runtime/Options.cpp:

2017-03-29  Keith Miller  <keith_miller@apple.com>

        Unreviewed, fix the build, again. Hopefully for the last time!

        * runtime/Options.cpp:
        (JSC::parse):

2017-03-29  Keith Miller  <keith_miller@apple.com>

        Unreviewed, windows build fix.

        * runtime/Options.cpp:
        (JSC::parse):

2017-03-29  Keith Miller  <keith_miller@apple.com>

        WebAssembly: B3IRGenerator should pool constants
        https://bugs.webkit.org/show_bug.cgi?id=170266

        Reviewed by Filip Pizlo.

        This patch adds a HashMap to B3IRGenerator that contains all the constants used in a function.
        B3IRGenerator then uses an InsertionSet to add all those constants to the root BB. This doesn't
        appear to be a compile time improvement but it could be valuable in the future.

        * b3/B3Opcode.h:
        (JSC::B3::opcodeForConstant):
        * b3/B3Procedure.cpp:
        (JSC::B3::Procedure::addConstant):
        * b3/B3Procedure.h:
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::B3IRGenerator::constant):
        (JSC::Wasm::B3IRGenerator::insertConstants):
        (JSC::Wasm::B3IRGenerator::addConstant):
        (JSC::Wasm::B3IRGenerator::dump):
        (JSC::Wasm::parseAndCompile):
        (JSC::Wasm::B3IRGenerator::emitChecksForModOrDiv):
        (JSC::Wasm::B3IRGenerator::zeroForType): Deleted.
        * wasm/generateWasmB3IRGeneratorInlinesHeader.py:
        (generateConstCode):

2017-03-29  Saam Barati  <sbarati@apple.com>

        LinkBuffer and ExecutableAllocator shouldn't have anything to do with VM
        https://bugs.webkit.org/show_bug.cgi?id=170210

        Reviewed by Mark Lam.

        This is one more step in the direction of PIC-ified Wasm.
        LinkBuffer and ExecutableAllocator have no business knowing about VM.

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::allocate):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        (JSC::LinkBuffer::vm): Deleted.
        * b3/B3Compile.cpp:
        (JSC::B3::compile):
        * b3/B3Compile.h:
        * b3/air/testair.cpp:
        * b3/testb3.cpp:
        (JSC::B3::compileProc):
        (JSC::B3::compileAndRun):
        (JSC::B3::testLoadAcq42):
        (JSC::B3::testAddArgZeroImmZDef):
        (JSC::B3::testAddLoadTwice):
        (JSC::B3::testMulLoadTwice):
        (JSC::B3::testMulAddArgsLeft):
        (JSC::B3::testMulAddArgsRight):
        (JSC::B3::testMulAddArgsLeft32):
        (JSC::B3::testMulAddArgsRight32):
        (JSC::B3::testMulSubArgsLeft):
        (JSC::B3::testMulSubArgsRight):
        (JSC::B3::testMulSubArgsLeft32):
        (JSC::B3::testMulSubArgsRight32):
        (JSC::B3::testMulNegArgs):
        (JSC::B3::testMulNegArgs32):
        (JSC::B3::testCompareFloatToDoubleThroughPhi):
        (JSC::B3::testDoubleToFloatThroughPhi):
        (JSC::B3::testReduceFloatToDoubleValidates):
        (JSC::B3::testDoubleProducerPhiToFloatConversion):
        (JSC::B3::testDoubleProducerPhiToFloatConversionWithDoubleConsumer):
        (JSC::B3::testDoubleProducerPhiWithNonFloatConst):
        (JSC::B3::testIToD64Arg):
        (JSC::B3::testIToF64Arg):
        (JSC::B3::testIToD32Arg):
        (JSC::B3::testIToF32Arg):
        (JSC::B3::testIToD64Mem):
        (JSC::B3::testIToF64Mem):
        (JSC::B3::testIToD32Mem):
        (JSC::B3::testIToF32Mem):
        (JSC::B3::testIToDReducedToIToF64Arg):
        (JSC::B3::testIToDReducedToIToF32Arg):
        (JSC::B3::testStoreRelAddLoadAcq32):
        (JSC::B3::testStoreRelAddLoadAcq8):
        (JSC::B3::testStoreRelAddFenceLoadAcq8):
        (JSC::B3::testStoreRelAddLoadAcq16):
        (JSC::B3::testStoreRelAddLoadAcq64):
        (JSC::B3::testBranch):
        (JSC::B3::testBranchPtr):
        (JSC::B3::testDiamond):
        (JSC::B3::testBranchNotEqual):
        (JSC::B3::testBranchNotEqualCommute):
        (JSC::B3::testBranchNotEqualNotEqual):
        (JSC::B3::testBranchEqual):
        (JSC::B3::testBranchEqualEqual):
        (JSC::B3::testBranchEqualCommute):
        (JSC::B3::testBranchEqualEqual1):
        (JSC::B3::testBranchLoadPtr):
        (JSC::B3::testBranchLoad32):
        (JSC::B3::testBranchLoad8S):
        (JSC::B3::testBranchLoad8Z):
        (JSC::B3::testBranchLoad16S):
        (JSC::B3::testBranchLoad16Z):
        (JSC::B3::testBranch8WithLoad8ZIndex):
        (JSC::B3::testComplex):
        (JSC::B3::testSimpleCheck):
        (JSC::B3::testCheckFalse):
        (JSC::B3::testCheckTrue):
        (JSC::B3::testCheckLessThan):
        (JSC::B3::testCheckMegaCombo):
        (JSC::B3::testCheckTrickyMegaCombo):
        (JSC::B3::testCheckTwoMegaCombos):
        (JSC::B3::testCheckTwoNonRedundantMegaCombos):
        (JSC::B3::testCheckAddImm):
        (JSC::B3::testCheckAddImmCommute):
        (JSC::B3::testCheckAddImmSomeRegister):
        (JSC::B3::testCheckAdd):
        (JSC::B3::testCheckAdd64):
        (JSC::B3::testCheckAddFold):
        (JSC::B3::testCheckAddFoldFail):
        (JSC::B3::testCheckAddSelfOverflow64):
        (JSC::B3::testCheckAddSelfOverflow32):
        (JSC::B3::testCheckSubImm):
        (JSC::B3::testCheckSubBadImm):
        (JSC::B3::testCheckSub):
        (JSC::B3::testCheckSub64):
        (JSC::B3::testCheckSubFold):
        (JSC::B3::testCheckSubFoldFail):
        (JSC::B3::testCheckNeg):
        (JSC::B3::testCheckNeg64):
        (JSC::B3::testCheckMul):
        (JSC::B3::testCheckMulMemory):
        (JSC::B3::testCheckMul2):
        (JSC::B3::testCheckMul64):
        (JSC::B3::testCheckMulFold):
        (JSC::B3::testCheckMulFoldFail):
        (JSC::B3::testCheckMul64SShr):
        (JSC::B3::testSwitch):
        (JSC::B3::testSwitchChillDiv):
        (JSC::B3::testSwitchTargettingSameBlock):
        (JSC::B3::testSwitchTargettingSameBlockFoldPathConstant):
        (JSC::B3::testBasicSelect):
        (JSC::B3::testSelectTest):
        (JSC::B3::testSelectCompareDouble):
        (JSC::B3::testSelectDouble):
        (JSC::B3::testSelectDoubleTest):
        (JSC::B3::testSelectDoubleCompareDouble):
        (JSC::B3::testSelectFloatCompareFloat):
        (JSC::B3::testSelectFold):
        (JSC::B3::testSelectInvert):
        (JSC::B3::testCheckSelect):
        (JSC::B3::testCheckSelectCheckSelect):
        (JSC::B3::testCheckSelectAndCSE):
        (JSC::B3::testTrivialInfiniteLoop):
        (JSC::B3::testFoldPathEqual):
        (JSC::B3::testLShiftSelf32):
        (JSC::B3::testRShiftSelf32):
        (JSC::B3::testURShiftSelf32):
        (JSC::B3::testLShiftSelf64):
        (JSC::B3::testRShiftSelf64):
        (JSC::B3::testURShiftSelf64):
        (JSC::B3::testPatchpointDoubleRegs):
        (JSC::B3::testSpillDefSmallerThanUse):
        (JSC::B3::testSpillUseLargerThanDef):
        (JSC::B3::testLateRegister):
        (JSC::B3::testInterpreter):
        (JSC::B3::testEntrySwitchSimple):
        (JSC::B3::testEntrySwitchNoEntrySwitch):
        (JSC::B3::testEntrySwitchWithCommonPaths):
        (JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
        (JSC::B3::testEntrySwitchLoop):
        (JSC::B3::testSomeEarlyRegister):
        (JSC::B3::testTerminalPatchpointThatNeedsToBeSpilled):
        (JSC::B3::testTerminalPatchpointThatNeedsToBeSpilled2):
        (JSC::B3::testPatchpointTerminalReturnValue):
        (JSC::B3::testMemoryFence):
        (JSC::B3::testStoreFence):
        (JSC::B3::testLoadFence):
        (JSC::B3::testPCOriginMapDoesntInsertNops):
        (JSC::B3::testPinRegisters):
        (JSC::B3::testX86LeaAddAddShlLeft):
        (JSC::B3::testX86LeaAddAddShlRight):
        (JSC::B3::testX86LeaAddAdd):
        (JSC::B3::testX86LeaAddShlRight):
        (JSC::B3::testX86LeaAddShlLeftScale1):
        (JSC::B3::testX86LeaAddShlLeftScale2):
        (JSC::B3::testX86LeaAddShlLeftScale4):
        (JSC::B3::testX86LeaAddShlLeftScale8):
        (JSC::B3::testAddShl32):
        (JSC::B3::testAddShl64):
        (JSC::B3::testAddShl65):
        (JSC::B3::testLoadBaseIndexShift2):
        (JSC::B3::testLoadBaseIndexShift32):
        (JSC::B3::testOptimizeMaterialization):
        (JSC::B3::testAtomicWeakCAS):
        (JSC::B3::testAtomicStrongCAS):
        (JSC::B3::testAtomicXchg):
        (JSC::B3::testDepend32):
        (JSC::B3::testDepend64):
        (JSC::B3::testWasmBoundsCheck):
        (JSC::B3::testWasmAddress):
        (JSC::B3::run):
        (JSC::B3::compile): Deleted.
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::regenerate):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGLazyJSValue.cpp:
        (JSC::DFG::LazyJSValue::emit):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitGenerationThunkGenerator):
        (JSC::DFG::osrEntryThunkGenerator):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLLazySlowPath.cpp:
        (JSC::FTL::LazySlowPath::generate):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLOSRExitHandle.cpp:
        (JSC::FTL::OSRExitHandle::emitExitThunk):
        * ftl/FTLSlowPathCall.cpp:
        (JSC::FTL::SlowPathCallContext::makeCall):
        * ftl/FTLSlowPathCall.h:
        (JSC::FTL::callOperation):
        * ftl/FTLState.h:
        * ftl/FTLThunks.cpp:
        (JSC::FTL::genericGenerationThunkGenerator):
        (JSC::FTL::slowPathCallThunkGenerator):
        * ftl/FTLThunks.h:
        (JSC::FTL::generateIfNecessary):
        (JSC::FTL::Thunks::getSlowPathCallThunk):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitDumbVirtualCall):
        * jit/AssemblyHelpers.h:
        * jit/ExecutableAllocator.cpp:
        (JSC::ExecutableAllocator::initializeAllocator):
        (JSC::ExecutableAllocator::singleton):
        (JSC::ExecutableAllocator::ExecutableAllocator):
        (JSC::ExecutableAllocator::allocate):
        * jit/ExecutableAllocator.h:
        * jit/JIT.cpp:
        (JSC::JIT::compileWithoutLinking):
        * jit/JITCall.cpp:
        (JSC::JIT::compileCallEvalSlowCase):
        * jit/JITMathIC.h:
        (JSC::JITMathIC::generateOutOfLine):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::privateCompileHasIndexedProperty):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileHasIndexedProperty):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::privateCompileGetByValWithCachedId):
        (JSC::JIT::privateCompilePutByVal):
        (JSC::JIT::privateCompilePutByValWithCachedId):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        * jit/JITStubRoutine.h:
        * jit/Repatch.cpp:
        (JSC::ftlThunkAwareRepatchCall):
        (JSC::linkPolymorphicCall):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::finalize):
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::linkCallThunkGenerator):
        (JSC::linkPolymorphicCallThunkGenerator):
        (JSC::virtualThunkFor):
        (JSC::nativeForGenerator):
        (JSC::arityFixupGenerator):
        (JSC::unreachableGenerator):
        (JSC::boundThisNoArgsFunctionCallGenerator):
        (JSC::throwExceptionFromWasmThunkGenerator):
        * llint/LLIntThunks.cpp:
        (JSC::LLInt::generateThunkWithJumpTo):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::takeSample):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * runtime/VMTraps.cpp:
        (JSC::VMTraps::tryInstallTrapBreakpoints):
        * tools/VMInspector.cpp:
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToJs):
        (JSC::Wasm::wasmToWasm):
        (JSC::Wasm::exitStubGenerator):
        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::complete):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::compile):
        (JSC::Yarr::jitCompile):

2017-03-29  Keith Miller  <keith_miller@apple.com>

        WebAssembly: Worklist should periodically check in to see if there are higher priority jobs to do.
        https://bugs.webkit.org/show_bug.cgi?id=170204

        Reviewed by Saam Barati.

        This patch makes it so that Wasm::Plan's compileFunctions method can return periodically
        to its caller. The main use for this is if a user asynchronously compiles a wasm module
        then later synchronously compiles another module. In this case we want to be able to pause
        compilation of other worklists.

        This patch also adds support for size_t Options.

        * runtime/Options.cpp:
        (JSC::parse):
        (JSC::Option::dump):
        (JSC::Option::operator==):
        * runtime/Options.h:
        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::moveToState):
        (JSC::Wasm::Plan::ThreadCountHolder::~ThreadCountHolder):
        (JSC::Wasm::Plan::compileFunctions):
        * wasm/WasmPlan.h:
        * wasm/WasmWorklist.cpp:

2017-03-29  Mark Lam  <mark.lam@apple.com>

        Remove obsolete references to HeapTimer in JavaScriptCore.order.
        https://bugs.webkit.org/show_bug.cgi?id=170252

        Reviewed by Saam Barati.

        The HeapTimer was renamed to JSRunLoopTimer back in r214504.  These HeapTimer
        entries are now no longer meaningful.

        * JavaScriptCore.order:

2017-03-29  JF Bastien  <jfbastien@apple.com>

        WebAssembly: add shell-only Memory mode helper
        https://bugs.webkit.org/show_bug.cgi?id=170227

        Reviewed by Mark Lam.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionWebAssemblyMemoryMode):
        * wasm/WasmMemory.h:
        * wasm/js/JSWebAssemblyInstance.h:
        * wasm/js/JSWebAssemblyMemory.h:

2017-03-29  Keith Miller  <keith_miller@apple.com>

        WebAssembly: pack OpcodeOrigin to fit in a pointer
        https://bugs.webkit.org/show_bug.cgi?id=170244

        Reviewed by Michael Saboff.

        This patch makes it so we don't have to have allocate the OpcodeOrigin and can just
        pack all the data into the pointer B3::Origin already has.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::parseAndCompile):
        * wasm/WasmOpcodeOrigin.cpp:
        (JSC::Wasm::OpcodeOrigin::dump):
        * wasm/WasmOpcodeOrigin.h:
        (JSC::Wasm::OpcodeOrigin::OpcodeOrigin):
        (JSC::Wasm::OpcodeOrigin::opcode):
        (JSC::Wasm::OpcodeOrigin::location):

2017-03-29  JF Bastien  <jfbastien@apple.com>

        WebAssembly: NFC s/goto/lambda/g
        https://bugs.webkit.org/show_bug.cgi?id=170242

        Reviewed by Mark Lam.

        Lambdas are more in-style than the goto I just used.

        * wasm/WasmMemory.cpp:
        (JSC::Wasm::tryGetFastMemory):

2017-03-28  Saam Barati  <sbarati@apple.com>

        AssemblyHelpers should not have a VM field
        https://bugs.webkit.org/show_bug.cgi?id=170207

        Reviewed by Yusuke Suzuki.

        APIs that need VM should take one as a parameter. When doing position
        independent code for Wasm, we can't tie code generation to a VM.

        * b3/B3Compile.cpp:
        (JSC::B3::compile):
        * b3/air/testair.cpp:
        * b3/testb3.cpp:
        (JSC::B3::testEntrySwitchSimple):
        (JSC::B3::testEntrySwitchNoEntrySwitch):
        (JSC::B3::testEntrySwitchWithCommonPaths):
        (JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
        (JSC::B3::testEntrySwitchLoop):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateWithGuard):
        (JSC::AccessCase::generateImpl):
        * bytecode/DOMJITAccessCasePatchpointParams.cpp:
        (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
        * bytecode/InlineAccess.cpp:
        (JSC::InlineAccess::dumpCacheSizesAndCrash):
        (JSC::InlineAccess::generateSelfPropertyAccess):
        (JSC::InlineAccess::generateSelfPropertyReplace):
        (JSC::InlineAccess::generateArrayLength):
        (JSC::InlineAccess::rewireStubAsJump):
        * bytecode/InlineAccess.h:
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessGenerationState::emitExplicitExceptionHandler):
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/PolymorphicAccess.h:
        (JSC::AccessGenerationState::AccessGenerationState):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::JITCompiler):
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        (JSC::DFG::JITCompiler::exceptionCheck):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::exceptionCheckWithCallFrameRollback):
        (JSC::DFG::JITCompiler::fastExceptionCheck):
        (JSC::DFG::JITCompiler::vm):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler.h:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::adjustAndJumpToTarget):
        * dfg/DFGOSRExitCompilerCommon.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        (JSC::DFG::SpeculativeJIT::compileGetGlobalObject):
        (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
        (JSC::DFG::SpeculativeJIT::compileCreateActivation):
        (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileSpread):
        (JSC::DFG::SpeculativeJIT::compileArraySlice):
        (JSC::DFG::SpeculativeJIT::compileNukeStructureAndSetButterfly):
        (JSC::DFG::SpeculativeJIT::compileNewStringObject):
        (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
        (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
        (JSC::DFG::SpeculativeJIT::emitAllocateVariableSizedJSObject):
        (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrEntryThunkGenerator):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLJITFinalizer.h:
        * ftl/FTLLazySlowPath.cpp:
        (JSC::FTL::LazySlowPath::generate):
        * ftl/FTLLazySlowPathCall.h:
        (JSC::FTL::createLazyCallGenerator):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
        (JSC::FTL::DFG::LowerDFGToB3::compileNotifyWrite):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsObjectOrNull):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsFunction):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckTraps):
        (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
        (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
        (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLSlowPathCall.h:
        (JSC::FTL::callOperation):
        * ftl/FTLState.h:
        (JSC::FTL::State::vm):
        * ftl/FTLThunks.cpp:
        (JSC::FTL::genericGenerationThunkGenerator):
        (JSC::FTL::slowPathCallThunkGenerator):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::jitReleaseAssertNoException):
        (JSC::AssemblyHelpers::callExceptionFuzz):
        (JSC::AssemblyHelpers::emitJumpIfException):
        (JSC::AssemblyHelpers::emitExceptionCheck):
        (JSC::AssemblyHelpers::emitNonPatchableExceptionCheck):
        (JSC::AssemblyHelpers::emitLoadStructure):
        (JSC::AssemblyHelpers::emitRandomThunk):
        (JSC::AssemblyHelpers::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
        (JSC::AssemblyHelpers::emitConvertValueToBoolean):
        (JSC::AssemblyHelpers::debugCall):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::AssemblyHelpers):
        (JSC::AssemblyHelpers::codeBlock):
        (JSC::AssemblyHelpers::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
        (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToVMEntryFrameCalleeSavesBuffer):
        (JSC::AssemblyHelpers::barrierBranch):
        (JSC::AssemblyHelpers::barrierStoreLoadFence):
        (JSC::AssemblyHelpers::mutatorFence):
        (JSC::AssemblyHelpers::storeButterfly):
        (JSC::AssemblyHelpers::nukeStructureAndStoreButterfly):
        (JSC::AssemblyHelpers::jumpIfMutatorFenceNotNeeded):
        (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
        (JSC::AssemblyHelpers::emitAllocateJSObject):
        (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
        (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
        (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
        (JSC::AssemblyHelpers::vm): Deleted.
        (JSC::AssemblyHelpers::debugCall): Deleted.
        * jit/CCallHelpers.cpp:
        (JSC::CCallHelpers::ensureShadowChickenPacket):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::CCallHelpers):
        (JSC::CCallHelpers::jumpToExceptionHandler):
        * jit/JIT.cpp:
        (JSC::JIT::emitEnterOptimizationCheck):
        (JSC::JIT::privateCompileExceptionHandlers):
        * jit/JIT.h:
        (JSC::JIT::exceptionCheck):
        (JSC::JIT::exceptionCheckWithCallFrameRollback):
        * jit/JITMathIC.h:
        (JSC::JITMathIC::generateOutOfLine):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emit_op_is_undefined):
        (JSC::JIT::emit_op_jfalse):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emit_op_jtrue):
        (JSC::JIT::emit_op_throw):
        (JSC::JIT::emit_op_catch):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        (JSC::JIT::emitSlow_op_loop_hint):
        (JSC::JIT::emit_op_log_shadow_chicken_prologue):
        (JSC::JIT::emit_op_log_shadow_chicken_tail):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emit_op_new_object):
        (JSC::JIT::emit_op_jfalse):
        (JSC::JIT::emit_op_jtrue):
        (JSC::JIT::emit_op_throw):
        (JSC::JIT::emit_op_catch):
        (JSC::JIT::emit_op_create_this):
        (JSC::JIT::emit_op_log_shadow_chicken_prologue):
        (JSC::JIT::emit_op_log_shadow_chicken_tail):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitWriteBarrier):
        * jit/JSInterfaceJIT.h:
        (JSC::JSInterfaceJIT::JSInterfaceJIT):
        (JSC::JSInterfaceJIT::vm):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryCachePutByID):
        (JSC::linkPolymorphicCall):
        (JSC::resetGetByID):
        (JSC::resetPutByID):
        * jit/SetupVarargsFrame.cpp:
        (JSC::emitSetupVarargsFrameFastCase):
        * jit/SetupVarargsFrame.h:
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::linkCallThunkGenerator):
        (JSC::linkPolymorphicCallThunkGenerator):
        (JSC::virtualThunkFor):
        (JSC::nativeForGenerator):
        (JSC::randomThunkGenerator):
        (JSC::boundThisNoArgsFunctionCallGenerator):
        (JSC::throwExceptionFromWasmThunkGenerator):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::parseAndCompile):
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToJs):
        (JSC::Wasm::wasmToWasm):

2017-03-28  Keith Miller  <keith_miller@apple.com>

        WebAssembly: We should have Origins
        https://bugs.webkit.org/show_bug.cgi?id=170217

        Reviewed by Mark Lam.

        This patch adds wasm origins for B3::Values, called OpcodeOrigin. Currently,
        OpcodeOrigin just tracks the original opcode and the location of that opcode.

        Here's a sample:

        BB#0: ; frequency = 1.000000
            Int64 @4 = Patchpoint(generator = 0x10f487fa8, earlyClobbered = [], lateClobbered = [], usedRegisters = [], resultConstraint = SomeRegister)
            Int64 @5 = FramePointer()
            Void @8 = Store(@4, @5, offset = 24, ControlDependent|Writes:Top)
            Int64 @10 = Const64(0)
            Void @12 = Store($0(@10), @5, offset = 16, ControlDependent|Writes:Top)
            Int64 @13 = Patchpoint(generator = 0x10f4be7f0, earlyClobbered = [], lateClobbered = [], usedRegisters = [], resultConstraint = SomeRegister, ExitsSideways|ControlDependent|WritesPinned|ReadsPinned|Fence|Writes:Top|Reads:Top)
            Int64 @16 = ArgumentReg(%rdi)
            Int64 @18 = ArgumentReg(%rsi)
            Int32 @22 = Trunc(@18, Wasm: {opcode: I64Rotl, location: 5})
            Int64 @23 = RotL(@16, @22, Wasm: {opcode: I64Rotl, location: 5})
            Void @27 = Return(@23, Terminal, Wasm: {opcode: End, location: 6})

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3Value.cpp:
        (JSC::B3::Value::deepDump):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::setParser):
        (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
        (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
        (JSC::Wasm::B3IRGenerator::emitLoadOp):
        (JSC::Wasm::B3IRGenerator::emitStoreOp):
        (JSC::Wasm::B3IRGenerator::addConstant):
        (JSC::Wasm::B3IRGenerator::addLoop):
        (JSC::Wasm::B3IRGenerator::unify):
        (JSC::Wasm::parseAndCompile):
        (JSC::Wasm::B3IRGenerator::emitChecksForModOrDiv):
        (JSC::Wasm::getMemoryBaseAndSize): Deleted.
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser::currentOpcode):
        (JSC::Wasm::FunctionParser::currentOpcodeStartingOffset):
        (JSC::Wasm::FunctionParser<Context>::FunctionParser):
        * wasm/WasmOpcodeOrigin.cpp: Added.
        (JSC::Wasm::OpcodeOrigin::dump):
        * wasm/WasmOpcodeOrigin.h: Added.
        (JSC::Wasm::OpcodeOrigin::OpcodeOrigin):
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::Validate::setParser):
        * wasm/generateWasmB3IRGeneratorInlinesHeader.py:
        (CodeGenerator.generate):
        (generateB3OpCode):
        (generateConstCode):

2017-03-28  JF Bastien  <jfbastien@apple.com>

        WebAssembly: option to crash if no fast memory is available
        https://bugs.webkit.org/show_bug.cgi?id=170219

        Reviewed by Mark Lam.

        * runtime/Options.h:
        * wasm/WasmMemory.cpp:
        (JSC::Wasm::webAssemblyCouldntGetFastMemory):
        (JSC::Wasm::tryGetFastMemory):

2017-03-28  Mark Lam  <mark.lam@apple.com>

        The Mutator should not be able to steal the conn if the Collector hasn't reached the NotRunning phase yet.
        https://bugs.webkit.org/show_bug.cgi?id=170213
        <rdar://problem/30755345>

        Reviewed by Filip Pizlo.

        The current condition for stealing the conn isn't tight enough.  Restricting the
        stealing to when m_currentPhase == NotRunning ensures that the Collector is
        really done running.

        No test because this issue only manifests with a race condition that is difficult
        to reproduce on demand.

        * heap/Heap.cpp:
        (JSC::Heap::requestCollection):

2017-03-28  Keith Miller  <keith_miller@apple.com>

        WebAssembly: Make WebAssembly.instantiate/compile truly asynchronous
        https://bugs.webkit.org/show_bug.cgi?id=169187

        Reviewed by Saam Barati.

        This patch allows WebAssembly compilations to happen asynchronously.
        To do so, it refactors how much of the compilation happens and adds
        new infrastructure for async promises.

        First, there is a new class, PromiseDeferredTimer that lives on
        the VM.  PromiseDeferredTimer will manage the life-cycle of async
        pending promises and any dependencies that promise
        needs. PromiseDeferredTimer automagically releases the pending
        promise and dependencies once the JSPromiseDeferred is resolved or
        rejected. Additionally, PromiseDeferredTimer provides a mechanism
        to poll the run-loop whenever the async task needs to synchronize
        with the JS thread. Normally, that will be whenever the async task
        finishes. In the case of Web Assembly we also use this feature for
        the compile + instantiate case, where we might have more work
        after the first async task completes (more on that later).

        The next class is Wasm::Worklist, which is used to manage Wasm
        compilation tasks. The worklist class works similarly to the
        DFG/FTL Worklists. It has a pool of threads that it manages. One
        interesting aspect of Wasm Worklist is that it can synchronously
        compile a plan that is already potentially running
        asynchronously. This can occur if a user calls
        WebAssembly.instantiate() then new WebAssembly.instantiate() on
        the same module. In that case the Wasm Worklist will bump the
        priority of the running pending Plan and block the JS thread.

        This patch also makes some of the Wasm Plan code cleaner. Since we
        now defer all compilation to instantiation time, we no longer need
        to guess at which memory we are going to get. Also, Wasm Plans now
        track the work they have done with a state enum.

        Finally, this patch makes renamed HeapTimer to JSRunLoopTimer. It
        also adds changes test262AsyncTest to a more generic testing
        infrastructure. Now, in addition to the old functionality, you can
        call asyncTest() with the number of tests you expect. When the jsc
        CLI exits, it will guarantee that asyncTestPassed() is called that
        many times.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/GCActivityCallback.h:
        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::scheduleTimer):
        (JSC::IncrementalSweeper::IncrementalSweeper):
        * heap/IncrementalSweeper.h:
        * heap/StopIfNecessaryTimer.cpp:
        (JSC::StopIfNecessaryTimer::StopIfNecessaryTimer):
        * heap/StopIfNecessaryTimer.h:
        * heap/StrongInlines.h:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (printInternal):
        (functionAsyncTestStart):
        (functionAsyncTestPassed):
        (functionTestWasmModuleFunctions):
        (CommandLine::parseArguments):
        (runJSC):
        * runtime/JSPromiseDeferred.cpp:
        (JSC::JSPromiseDeferred::resolve):
        (JSC::JSPromiseDeferred::reject):
        * runtime/JSPromiseDeferred.h:
        (JSC::JSPromiseDeferred::promiseAsyncPending):
        * runtime/JSRunLoopTimer.cpp: Renamed from Source/JavaScriptCore/heap/HeapTimer.cpp.
        (JSC::JSRunLoopTimer::JSRunLoopTimer):
        (JSC::JSRunLoopTimer::setRunLoop):
        (JSC::JSRunLoopTimer::~JSRunLoopTimer):
        (JSC::JSRunLoopTimer::timerDidFire):
        (JSC::JSRunLoopTimer::scheduleTimer):
        (JSC::JSRunLoopTimer::cancelTimer):
        (JSC::JSRunLoopTimer::invalidate):
        * runtime/JSRunLoopTimer.h: Copied from Source/JavaScriptCore/heap/HeapTimer.h.
        * runtime/Options.h:
        * runtime/PromiseDeferredTimer.cpp: Added.
        (JSC::PromiseDeferredTimer::PromiseDeferredTimer):
        (JSC::PromiseDeferredTimer::doWork):
        (JSC::PromiseDeferredTimer::runRunLoop):
        (JSC::PromiseDeferredTimer::addPendingPromise):
        (JSC::PromiseDeferredTimer::cancelPendingPromise):
        (JSC::PromiseDeferredTimer::scheduleWorkSoon):
        (JSC::PromiseDeferredTimer::scheduleBlockedTask):
        * runtime/PromiseDeferredTimer.h: Renamed from Source/JavaScriptCore/heap/HeapTimer.h.
        (JSC::PromiseDeferredTimer::stopRunningTasks):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:
        * wasm/JSWebAssembly.cpp:
        (JSC::reject):
        (JSC::webAssemblyCompileFunc):
        (JSC::resolve):
        (JSC::instantiate):
        (JSC::compileAndInstantiate):
        (JSC::webAssemblyInstantiateFunc):
        (JSC::webAssemblyValidateFunc):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
        (JSC::Wasm::B3IRGenerator::memoryKind):
        (JSC::Wasm::parseAndCompile):
        * wasm/WasmB3IRGenerator.h:
        * wasm/WasmFormat.h:
        (JSC::Wasm::ModuleInformation::internalFunctionCount):
        * wasm/WasmFunctionParser.h:
        * wasm/WasmMemory.h:
        * wasm/WasmMemoryInformation.cpp:
        (JSC::Wasm::MemoryInformation::MemoryInformation):
        * wasm/WasmMemoryInformation.h:
        (JSC::Wasm::MemoryInformation::maximum):
        (JSC::Wasm::MemoryInformation::hasReservedMemory): Deleted.
        (JSC::Wasm::MemoryInformation::takeReservedMemory): Deleted.
        (JSC::Wasm::MemoryInformation::mode): Deleted.
        * wasm/WasmModuleParser.cpp:
        * wasm/WasmModuleParser.h:
        (JSC::Wasm::ModuleParser::ModuleParser):
        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::Plan):
        (JSC::Wasm::Plan::stateString):
        (JSC::Wasm::Plan::moveToState):
        (JSC::Wasm::Plan::fail):
        (JSC::Wasm::Plan::parseAndValidateModule):
        (JSC::Wasm::Plan::prepare):
        (JSC::Wasm::Plan::ThreadCountHolder::ThreadCountHolder):
        (JSC::Wasm::Plan::ThreadCountHolder::~ThreadCountHolder):
        (JSC::Wasm::Plan::compileFunctions):
        (JSC::Wasm::Plan::complete):
        (JSC::Wasm::Plan::waitForCompletion):
        (JSC::Wasm::Plan::cancel):
        (JSC::Wasm::Plan::run): Deleted.
        (JSC::Wasm::Plan::initializeCallees): Deleted.
        * wasm/WasmPlan.h:
        (JSC::Wasm::Plan::dontFinalize):
        (JSC::Wasm::Plan::exports):
        (JSC::Wasm::Plan::internalFunctionCount):
        (JSC::Wasm::Plan::takeModuleInformation):
        (JSC::Wasm::Plan::takeCallLinkInfos):
        (JSC::Wasm::Plan::takeWasmExitStubs):
        (JSC::Wasm::Plan::setModeAndPromise):
        (JSC::Wasm::Plan::mode):
        (JSC::Wasm::Plan::pendingPromise):
        (JSC::Wasm::Plan::vm):
        (JSC::Wasm::Plan::errorMessage):
        (JSC::Wasm::Plan::failed):
        (JSC::Wasm::Plan::hasWork):
        (JSC::Wasm::Plan::hasBeenPrepared):
        * wasm/WasmPlanInlines.h: Copied from Source/JavaScriptCore/wasm/WasmB3IRGenerator.h.
        (JSC::Wasm::Plan::initializeCallees):
        * wasm/WasmValidate.cpp:
        * wasm/WasmWorklist.cpp: Added.
        (JSC::Wasm::Worklist::priorityString):
        (JSC::Wasm::Worklist::QueueElement::setToNextPriority):
        (JSC::Wasm::Worklist::iterate):
        (JSC::Wasm::Worklist::enqueue):
        (JSC::Wasm::Worklist::completePlanSynchronously):
        (JSC::Wasm::Worklist::stopAllPlansForVM):
        (JSC::Wasm::Worklist::Worklist):
        (JSC::Wasm::Worklist::~Worklist):
        (JSC::Wasm::existingWorklistOrNull):
        (JSC::Wasm::ensureWorklist):
        * wasm/WasmWorklist.h: Added.
        (JSC::Wasm::Worklist::nextTicket):
        (JSC::Wasm::Worklist::Comparator::operator()):
        * wasm/js/JSWebAssemblyCallee.h:
        * wasm/js/JSWebAssemblyCodeBlock.cpp:
        (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
        (JSC::JSWebAssemblyCodeBlock::initialize):
        (JSC::JSWebAssemblyCodeBlock::isSafeToRun):
        * wasm/js/JSWebAssemblyCodeBlock.h:
        (JSC::JSWebAssemblyCodeBlock::create):
        (JSC::JSWebAssemblyCodeBlock::initialized):
        (JSC::JSWebAssemblyCodeBlock::plan):
        (JSC::JSWebAssemblyCodeBlock::runnable):
        (JSC::JSWebAssemblyCodeBlock::errorMessage):
        (JSC::JSWebAssemblyCodeBlock::callees):
        * wasm/js/JSWebAssemblyHelpers.h:
        (JSC::createSourceBufferFromValue):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::finishCreation):
        (JSC::JSWebAssemblyInstance::visitChildren):
        (JSC::JSWebAssemblyInstance::addUnitializedCodeBlock):
        (JSC::JSWebAssemblyInstance::finalizeCreation):
        (JSC::JSWebAssemblyInstance::create):
        (JSC::JSWebAssemblyInstance::setMemory): Deleted.
        * wasm/js/JSWebAssemblyInstance.h:
        (JSC::JSWebAssemblyInstance::codeBlock):
        (JSC::JSWebAssemblyInstance::initialized):
        (JSC::JSWebAssemblyInstance::module):
        (JSC::JSWebAssemblyInstance::importFunction):
        (JSC::JSWebAssemblyInstance::setMemory):
        (JSC::JSWebAssemblyInstance::table):
        (JSC::JSWebAssemblyInstance::importFunctions):
        (JSC::JSWebAssemblyInstance::setImportFunction): Deleted.
        (JSC::JSWebAssemblyInstance::setTable): Deleted.
        * wasm/js/JSWebAssemblyModule.cpp:
        (JSC::JSWebAssemblyModule::createStub):
        (JSC::JSWebAssemblyModule::JSWebAssemblyModule):
        (JSC::JSWebAssemblyModule::finishCreation):
        (JSC::JSWebAssemblyModule::setCodeBlock):
        (JSC::JSWebAssemblyModule::buildCodeBlock): Deleted.
        (JSC::JSWebAssemblyModule::create): Deleted.
        (JSC::JSWebAssemblyModule::codeBlock): Deleted.
        * wasm/js/JSWebAssemblyModule.h:
        (JSC::JSWebAssemblyModule::moduleInformation):
        (JSC::JSWebAssemblyModule::codeBlock):
        (JSC::JSWebAssemblyModule::source):
        (JSC::JSWebAssemblyModule::takeReservedMemory): Deleted.
        (JSC::JSWebAssemblyModule::codeBlockFor): Deleted.
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::constructJSWebAssemblyInstance):
        (JSC::WebAssemblyInstanceConstructor::createInstance): Deleted.
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        (JSC::WebAssemblyModuleConstructor::createModule):
        * wasm/js/WebAssemblyModulePrototype.cpp:
        (JSC::webAssemblyModuleProtoImports):
        (JSC::webAssemblyModuleProtoExports):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::finishCreation):
        (JSC::WebAssemblyModuleRecord::link):
        (JSC::WebAssemblyModuleRecord::evaluate):
        * wasm/js/WebAssemblyModuleRecord.h:

2017-03-28  Yusuke Suzuki  <utatane.tea@gmail.com>

        WebAssembly: add fallback to use pinned register to load/store state
        https://bugs.webkit.org/show_bug.cgi?id=169773

        Reviewed by Saam Barati.

        This patch adds a new pinned register to hold JSWebAssemblyInstance,
        which is used to represent the context of running Wasm code.
        While we use fast TLS to hold the context in macOS, we do not have
        any system reserved fast TLS slot in the other systems. This pinned
        register approach is used in these systems. These changes decouple
        VM from Wasm module to make Wasm module position independent code.

        While using fast TLS could be beneficial in x64 systems which number of
        registers is relatively small, pinned register approach could be
        beneficial in ARM64 which has plenty of registers. In macOS, we can
        switch the implementation with the runtime flag. Thus macOS port can
        compare the performance and decide which implementation is used after
        landing this patch.

        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::offsetOfVM):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::loadWasmContext):
        (JSC::AssemblyHelpers::storeWasmContext):
        (JSC::AssemblyHelpers::loadWasmContextNeedsMacroScratchRegister):
        (JSC::AssemblyHelpers::storeWasmContextNeedsMacroScratchRegister):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::loadWasmContext): Deleted.
        (JSC::AssemblyHelpers::storeWasmContext): Deleted.
        (JSC::AssemblyHelpers::loadWasmContextNeedsMacroScratchRegister): Deleted.
        (JSC::AssemblyHelpers::storeWasmContextNeedsMacroScratchRegister): Deleted.
        * jit/Repatch.cpp:
        (JSC::webAssemblyOwner):
        (JSC::linkFor):
        (JSC::linkPolymorphicCall):
        (JSC::isWebAssemblyToJSCallee): Deleted.
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromWasmThunkGenerator):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * runtime/JSCell.cpp:
        (JSC::JSCell::isAnyWasmCallee):
        * runtime/JSCellInlines.h:
        (JSC::isWebAssemblyToJSCallee):
        * runtime/JSType.h:
        * runtime/StackFrame.cpp:
        (JSC::StackFrame::functionName):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::wasmContextOffset):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::materializeWasmContext):
        (JSC::Wasm::B3IRGenerator::restoreWasmContext):
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::getMemoryBaseAndSize):
        (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
        (JSC::Wasm::createJSToWasmWrapper):
        (JSC::Wasm::loadWasmContext): Deleted.
        (JSC::Wasm::storeWasmContext): Deleted.
        (JSC::Wasm::restoreWebAssemblyGlobalState): Deleted.
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToJs):
        * wasm/WasmContext.cpp:
        (JSC::loadWasmContext):
        (JSC::storeWasmContext):
        * wasm/WasmContext.h:
        * wasm/WasmMemoryInformation.cpp:
        (JSC::Wasm::getPinnedRegisters):
        (JSC::Wasm::PinnedRegisterInfo::get):
        (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
        * wasm/WasmMemoryInformation.h:
        (JSC::Wasm::PinnedRegisterInfo::toSave):
        (JSC::Wasm::useFastTLS):
        (JSC::Wasm::useFastTLSForWasmContext):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::finishCreation):
        (JSC::JSWebAssemblyInstance::visitChildren):
        * wasm/js/JSWebAssemblyInstance.h:
        (JSC::JSWebAssemblyInstance::offsetOfCallee):
        * wasm/js/JSWebAssemblyModule.cpp:
        (JSC::JSWebAssemblyModule::finishCreation):
        (JSC::JSWebAssemblyModule::visitChildren):
        * wasm/js/JSWebAssemblyModule.h:
        (JSC::JSWebAssemblyModule::callee):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):
        (JSC::WebAssemblyFunction::create):
        * wasm/js/WebAssemblyToJSCallee.cpp:
        (JSC::WebAssemblyToJSCallee::create):
        (JSC::WebAssemblyToJSCallee::createStructure):
        (JSC::WebAssemblyToJSCallee::finishCreation):
        (JSC::WebAssemblyToJSCallee::visitChildren):
        (JSC::WebAssemblyToJSCallee::destroy): Deleted.
        * wasm/js/WebAssemblyToJSCallee.h:

2017-03-28  Brian Burg  <bburg@apple.com>

        Web Inspector: Add "Disable Caches" option that only applies to the inspected page while Web Inspector is open
        https://bugs.webkit.org/show_bug.cgi?id=169865
        <rdar://problem/31250573>

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Network.json:
        Rename the command for disabling resource caching to match the WebCore::Page
        flag. This also removes the possibility that this could be confused for the old,
        buggy command that this patch rips out.

2017-03-25  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Move platformThreadSignal to WTF
        https://bugs.webkit.org/show_bug.cgi?id=170097

        Reviewed by Mark Lam.

        It is a small clean up towards https://bugs.webkit.org/show_bug.cgi?id=170027.
        platformThreadSignal uses PlatformThread in JSC, but it can be implemented in
        WTF ThreadIdentifier.

        * runtime/JSLock.cpp:
        (JSC::JSLock::lock):
        * runtime/JSLock.h:
        (JSC::JSLock::ownerThread):
        (JSC::JSLock::currentThreadIsHoldingLock):
        * runtime/PlatformThread.h:
        (JSC::platformThreadSignal): Deleted.
        * runtime/VM.h:
        (JSC::VM::ownerThread):
        * runtime/VMTraps.cpp:
        (JSC::VMTraps::SignalSender::send):

2017-03-28  JF Bastien  <jfbastien@apple.com>

        WebAssembly: implement Module imports/exports
        https://bugs.webkit.org/show_bug.cgi?id=166982

        Reviewed by Saam Barati.

        As defined in: https://github.com/WebAssembly/design/commit/18cbacb90cd3584dd5c9aa3d392e4e55f66af6ab

        * wasm/WasmFormat.h:
        (JSC::Wasm::makeString): use uppercase instead, it was only used
        for diagnostic but is now used for the expected JS property's
        capitalization
        * wasm/js/WebAssemblyModulePrototype.cpp:
        (JSC::webAssemblyModuleProtoImports):
        (JSC::webAssemblyModuleProtoExports):

2017-03-27  JF Bastien  <jfbastien@apple.com>

        WebAssembly: JSWebAssemblyCodeBlock.h belongs in JavaScriptCore/wasm/js not JavaScriptCore/wasm
        https://bugs.webkit.org/show_bug.cgi?id=170160

        Reviewed by Mark Lam.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wasm/js/JSWebAssemblyCodeBlock.h: Renamed from Source/JavaScriptCore/wasm/JSWebAssemblyCodeBlock.h.

2017-03-27  JF Bastien  <jfbastien@apple.com>

        WebAssembly: misc memory testing
        https://bugs.webkit.org/show_bug.cgi?id=170137

        Reviewed by Keith Miller.

        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::WebAssemblyInstanceConstructor::createInstance): improve error messages

2017-03-27  Michael Saboff  <msaboff@apple.com>

        Add ARM64 system instructions to disassembler
        https://bugs.webkit.org/show_bug.cgi?id=170084

        Reviewed by Saam Barati.

        This changes adds support for MRS and MSR instructions, and refactors the DMB
        disassembly to handle all of the barrier instructions.

        * disassembler/ARM64/A64DOpcode.cpp:
        (JSC::ARM64Disassembler::A64DOpcodeMSRImmediate::format):
        (JSC::ARM64Disassembler::A64DOpcodeMSROrMRSRegister::format):
        (JSC::ARM64Disassembler::A64DOpcodeSystemSync::format):
        (JSC::ARM64Disassembler::A64DOpcodeDmb::format): Deleted.
        * disassembler/ARM64/A64DOpcode.h:
        (JSC::ARM64Disassembler::A64DOpcodeSystem::lBit):
        (JSC::ARM64Disassembler::A64DOpcodeSystem::op0):
        (JSC::ARM64Disassembler::A64DOpcodeSystem::op1):
        (JSC::ARM64Disassembler::A64DOpcodeSystem::crN):
        (JSC::ARM64Disassembler::A64DOpcodeSystem::crM):
        (JSC::ARM64Disassembler::A64DOpcodeSystem::op2):
        (JSC::ARM64Disassembler::A64DOpcodeMSROrMRSRegister::opName):
        (JSC::ARM64Disassembler::A64DOpcodeMSROrMRSRegister::systemRegister):
        (JSC::ARM64Disassembler::A64DOpcodeSystemSync::opName):
        (JSC::ARM64Disassembler::A64DOpcodeSystemSync::option):
        (JSC::ARM64Disassembler::A64DOpcodeDmb::opName): Deleted.
        (JSC::ARM64Disassembler::A64DOpcodeDmb::option): Deleted.
        (JSC::ARM64Disassembler::A64DOpcodeDmb::crM): Deleted.

2017-03-26  Filip Pizlo  <fpizlo@apple.com>

        B3::fixSSA should do liveness pruning
        https://bugs.webkit.org/show_bug.cgi?id=170111

        Reviewed by Saam Barati.
        
        This moves all of the logic of Air::Liveness<> to WTF::Liveness<> and then uses that to
        create B3::VariableLiveness. Then this uses VariableLiveness::LiveAtHead to prune Phi
        construction.
        
        This makes B3::fixSSA run twice as fast. This is a 13% progression on WasmBench compile
        times.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3BasicBlock.h:
        (JSC::B3::BasicBlock::get):
        * b3/B3FixSSA.cpp:
        (JSC::B3::fixSSA):
        * b3/B3VariableLiveness.cpp: Added.
        (JSC::B3::VariableLiveness::VariableLiveness):
        (JSC::B3::VariableLiveness::~VariableLiveness):
        * b3/B3VariableLiveness.h: Added.
        (JSC::B3::VariableLivenessAdapter::VariableLivenessAdapter):
        (JSC::B3::VariableLivenessAdapter::numIndices):
        (JSC::B3::VariableLivenessAdapter::valueToIndex):
        (JSC::B3::VariableLivenessAdapter::indexToValue):
        (JSC::B3::VariableLivenessAdapter::blockSize):
        (JSC::B3::VariableLivenessAdapter::forEachEarlyUse):
        (JSC::B3::VariableLivenessAdapter::forEachLateUse):
        (JSC::B3::VariableLivenessAdapter::forEachEarlyDef):
        (JSC::B3::VariableLivenessAdapter::forEachLateDef):
        * b3/air/AirCFG.h: Added.
        (JSC::B3::Air::CFG::CFG):
        (JSC::B3::Air::CFG::root):
        (JSC::B3::Air::CFG::newMap):
        (JSC::B3::Air::CFG::successors):
        (JSC::B3::Air::CFG::predecessors):
        (JSC::B3::Air::CFG::index):
        (JSC::B3::Air::CFG::node):
        (JSC::B3::Air::CFG::numNodes):
        (JSC::B3::Air::CFG::dump):
        * b3/air/AirCode.cpp:
        (JSC::B3::Air::Code::Code):
        * b3/air/AirCode.h:
        (JSC::B3::Air::Code::cfg):
        * b3/air/AirLiveness.h:
        (JSC::B3::Air::LivenessAdapter::LivenessAdapter):
        (JSC::B3::Air::LivenessAdapter::blockSize):
        (JSC::B3::Air::LivenessAdapter::forEachEarlyUse):
        (JSC::B3::Air::LivenessAdapter::forEachLateUse):
        (JSC::B3::Air::LivenessAdapter::forEachEarlyDef):
        (JSC::B3::Air::LivenessAdapter::forEachLateDef):
        (JSC::B3::Air::TmpLivenessAdapter::TmpLivenessAdapter):
        (JSC::B3::Air::TmpLivenessAdapter::numIndices):
        (JSC::B3::Air::StackSlotLivenessAdapter::StackSlotLivenessAdapter):
        (JSC::B3::Air::StackSlotLivenessAdapter::numIndices):
        (JSC::B3::Air::StackSlotLivenessAdapter::indexToValue):
        (JSC::B3::Air::Liveness::Liveness):
        (JSC::B3::Air::Liveness::LocalCalc::LocalCalc): Deleted.
        (JSC::B3::Air::Liveness::LocalCalc::Iterable::Iterable): Deleted.
        (JSC::B3::Air::Liveness::LocalCalc::Iterable::iterator::iterator): Deleted.
        (JSC::B3::Air::Liveness::LocalCalc::Iterable::iterator::operator++): Deleted.
        (JSC::B3::Air::Liveness::LocalCalc::Iterable::iterator::operator*): Deleted.
        (JSC::B3::Air::Liveness::LocalCalc::Iterable::iterator::operator==): Deleted.
        (JSC::B3::Air::Liveness::LocalCalc::Iterable::iterator::operator!=): Deleted.
        (JSC::B3::Air::Liveness::LocalCalc::Iterable::begin): Deleted.
        (JSC::B3::Air::Liveness::LocalCalc::Iterable::end): Deleted.
        (JSC::B3::Air::Liveness::LocalCalc::Iterable::contains): Deleted.
        (JSC::B3::Air::Liveness::LocalCalc::live): Deleted.
        (JSC::B3::Air::Liveness::LocalCalc::isLive): Deleted.
        (JSC::B3::Air::Liveness::LocalCalc::execute): Deleted.
        (JSC::B3::Air::Liveness::rawLiveAtHead): Deleted.
        (JSC::B3::Air::Liveness::Iterable::Iterable): Deleted.
        (JSC::B3::Air::Liveness::Iterable::iterator::iterator): Deleted.
        (JSC::B3::Air::Liveness::Iterable::iterator::operator*): Deleted.
        (JSC::B3::Air::Liveness::Iterable::iterator::operator++): Deleted.
        (JSC::B3::Air::Liveness::Iterable::iterator::operator==): Deleted.
        (JSC::B3::Air::Liveness::Iterable::iterator::operator!=): Deleted.
        (JSC::B3::Air::Liveness::Iterable::begin): Deleted.
        (JSC::B3::Air::Liveness::Iterable::end): Deleted.
        (JSC::B3::Air::Liveness::Iterable::contains): Deleted.
        (JSC::B3::Air::Liveness::liveAtHead): Deleted.
        (JSC::B3::Air::Liveness::liveAtTail): Deleted.
        (JSC::B3::Air::Liveness::workset): Deleted.

2017-03-25  Filip Pizlo  <fpizlo@apple.com>

        Air::Liveness shouldn't need HashSets
        https://bugs.webkit.org/show_bug.cgi?id=170102

        Reviewed by Yusuke Suzuki.
        
        This converts Air::Liveness<> to no longer use HashSets or BitVectors. This turns out to be
        easy because it's cheap enough to do a sorted merge of the things being added to liveAtHead and
        the things in the predecessors' liveAtTail. This turns out to be faster - it's a 2% overall
        compile time progression on WasmBench.
        
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::lower): Add a FIXME unrelated to this patch.
        * b3/air/AirLiveness.h:
        (JSC::B3::Air::AbstractLiveness::AbstractLiveness):
        (JSC::B3::Air::AbstractLiveness::LocalCalc::LocalCalc):
        (JSC::B3::Air::AbstractLiveness::rawLiveAtHead):
        (JSC::B3::Air::AbstractLiveness::liveAtHead):
        (JSC::B3::Air::AbstractLiveness::liveAtTail):
        * b3/air/AirTmp.h:
        (JSC::B3::Air::Tmp::bank):
        (JSC::B3::Air::Tmp::tmpIndex):
        * dfg/DFGStoreBarrierClusteringPhase.cpp:

2017-03-26  Filip Pizlo  <fpizlo@apple.com>

        Air should use RegisterSet for RegLiveness
        https://bugs.webkit.org/show_bug.cgi?id=170108

        Reviewed by Yusuke Suzuki.
        
        The biggest change here is the introduction of the new RegLiveness class. This is a
        drop-in replacement for the old RegLiveness, which was a specialization of
        AbstractLiveness<>, but it's about 30% faster. It gets its speed boost from just using
        sets everywhere, which is efficient for registers since RegisterSet is just two (on
        x86-64) or three 32-bit (on ARM64) statically allocated words. This looks like a 1%
        compile time progression on WasmBench.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3TimingScope.cpp: Records phase timing totals.
        (JSC::B3::TimingScope::TimingScope):
        (JSC::B3::TimingScope::~TimingScope):
        * b3/B3TimingScope.h:
        * b3/air/AirAllocateRegistersByGraphColoring.cpp:
        (JSC::B3::Air::allocateRegistersByGraphColoring):
        * b3/air/AirLiveness.h: Move code around and rename a bit to make it more like RegLiveness; in particular we want the `iterator` to be called `iterator` not `Iterator`, and we want it to be internal to its iterable. Also rename this template to Liveness, to match the header filename.
        (JSC::B3::Air::Liveness::Liveness):
        (JSC::B3::Air::Liveness::LocalCalc::LocalCalc):
        (JSC::B3::Air::Liveness::LocalCalc::Iterable::Iterable):
        (JSC::B3::Air::Liveness::LocalCalc::Iterable::iterator::iterator):
        (JSC::B3::Air::Liveness::LocalCalc::Iterable::iterator::operator++):
        (JSC::B3::Air::Liveness::LocalCalc::Iterable::iterator::operator*):
        (JSC::B3::Air::Liveness::LocalCalc::Iterable::iterator::operator==):
        (JSC::B3::Air::Liveness::LocalCalc::Iterable::iterator::operator!=):
        (JSC::B3::Air::Liveness::LocalCalc::Iterable::begin):
        (JSC::B3::Air::Liveness::LocalCalc::Iterable::end):
        (JSC::B3::Air::Liveness::Iterable::Iterable):
        (JSC::B3::Air::Liveness::Iterable::iterator::iterator):
        (JSC::B3::Air::RegLivenessAdapter::RegLivenessAdapter): Deleted.
        (JSC::B3::Air::RegLivenessAdapter::numIndices): Deleted.
        (JSC::B3::Air::RegLivenessAdapter::acceptsBank): Deleted.
        (JSC::B3::Air::RegLivenessAdapter::acceptsRole): Deleted.
        (JSC::B3::Air::RegLivenessAdapter::valueToIndex): Deleted.
        (JSC::B3::Air::RegLivenessAdapter::indexToValue): Deleted.
        (JSC::B3::Air::AbstractLiveness::AbstractLiveness): Deleted.
        (JSC::B3::Air::AbstractLiveness::LocalCalc::LocalCalc): Deleted.
        (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterator::Iterator): Deleted.
        (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterator::operator++): Deleted.
        (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterator::operator*): Deleted.
        (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterator::operator==): Deleted.
        (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterator::operator!=): Deleted.
        (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterable::Iterable): Deleted.
        (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterable::begin): Deleted.
        (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterable::end): Deleted.
        (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterable::contains): Deleted.
        (JSC::B3::Air::AbstractLiveness::LocalCalc::live): Deleted.
        (JSC::B3::Air::AbstractLiveness::LocalCalc::isLive): Deleted.
        (JSC::B3::Air::AbstractLiveness::LocalCalc::execute): Deleted.
        (JSC::B3::Air::AbstractLiveness::rawLiveAtHead): Deleted.
        (JSC::B3::Air::AbstractLiveness::Iterable::Iterable): Deleted.
        (JSC::B3::Air::AbstractLiveness::Iterable::iterator::iterator): Deleted.
        (JSC::B3::Air::AbstractLiveness::Iterable::iterator::operator*): Deleted.
        (JSC::B3::Air::AbstractLiveness::Iterable::iterator::operator++): Deleted.
        (JSC::B3::Air::AbstractLiveness::Iterable::iterator::operator==): Deleted.
        (JSC::B3::Air::AbstractLiveness::Iterable::iterator::operator!=): Deleted.
        (JSC::B3::Air::AbstractLiveness::Iterable::begin): Deleted.
        (JSC::B3::Air::AbstractLiveness::Iterable::end): Deleted.
        (JSC::B3::Air::AbstractLiveness::Iterable::contains): Deleted.
        (JSC::B3::Air::AbstractLiveness::liveAtHead): Deleted.
        (JSC::B3::Air::AbstractLiveness::liveAtTail): Deleted.
        (JSC::B3::Air::AbstractLiveness::workset): Deleted.
        * b3/air/AirLogRegisterPressure.cpp:
        * b3/air/AirLowerAfterRegAlloc.cpp:
        * b3/air/AirRegLiveness.cpp: Added.
        (JSC::B3::Air::RegLiveness::RegLiveness):
        (JSC::B3::Air::RegLiveness::~RegLiveness):
        (JSC::B3::Air::RegLiveness::LocalCalc::execute):
        * b3/air/AirRegLiveness.h: Added.
        (JSC::B3::Air::RegLiveness::LocalCalc::LocalCalc):
        (JSC::B3::Air::RegLiveness::LocalCalc::live):
        (JSC::B3::Air::RegLiveness::LocalCalc::isLive):
        (JSC::B3::Air::RegLiveness::liveAtHead):
        (JSC::B3::Air::RegLiveness::liveAtTail):
        * b3/air/AirReportUsedRegisters.cpp:
        * jit/RegisterSet.h:
        (JSC::RegisterSet::add):
        (JSC::RegisterSet::remove):
        (JSC::RegisterSet::contains):
        (JSC::RegisterSet::subsumes):
        (JSC::RegisterSet::iterator::iterator):
        (JSC::RegisterSet::iterator::operator*):
        (JSC::RegisterSet::iterator::operator++):
        (JSC::RegisterSet::iterator::operator==):
        (JSC::RegisterSet::iterator::operator!=):
        (JSC::RegisterSet::begin):
        (JSC::RegisterSet::end):

2017-03-25  Filip Pizlo  <fpizlo@apple.com>

        Fix wasm by returning after we do TLS.

        Rubber stamped by Keith Miller.

        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::storeWasmContext):

2017-03-24  Mark Lam  <mark.lam@apple.com>

        Add some instrumentation in Heap::resumeThePeriphery() to help debug an issue.
        https://bugs.webkit.org/show_bug.cgi?id=170086
        <rdar://problem/31253673>

        Reviewed by Saam Barati.

        Adding some instrumentation in Heap::resumeThePeriphery() to dump some Heap state
        just before we RELEASE_ASSERT_NOT_REACHED.

        * heap/Heap.cpp:
        (JSC::Heap::resumeThePeriphery):

2017-03-24  JF Bastien  <jfbastien@apple.com>

        WebAssembly: store state in TLS instead of on VM
        https://bugs.webkit.org/show_bug.cgi?id=169611

        Reviewed by Filip Pizlo.

        Using thread-local storage instead of VM makes code more position
        independent. We used to store the WebAssembly top Instance (the
        latest one in the call stack) on VM, now we instead store it in
        TLS. This top Instance is used to access a bunch of state such as
        Memory location, size, table (for call_indirect), etc.

        Instead of calling it "top", which is confusing, we now just call
        it WasmContext.

        Making the code PIC means future patches will be able to
        postMessage and structured clone into IDB without having to
        recompile the code. This wasn't possible before because we
        hard-coded the address of VM at compilation time. That doesn't
        work between workers, and doesn't work across reloads (which IDB
        is intended to do).

        It'll also potentially make code faster once we start tuning
        what's in TLS, what's in which of the 4 free slots, and what's in
        pinned registers. I'm leaving this tuning for later because
        there's lower lying fruit for us to pick.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        * assembler/AllowMacroScratchRegisterUsageIf.h: Copied from assembler/AllowMacroScratchRegisterUsage.h.
        (JSC::AllowMacroScratchRegisterUsageIf::AllowMacroScratchRegisterUsageIf):
        (JSC::AllowMacroScratchRegisterUsageIf::~AllowMacroScratchRegisterUsageIf):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::storeToTLSPtr): we previously didn't have
        the code required to store to TLS, only to load
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::loadFromTLSPtrNeedsMacroScratchRegister):
        (JSC::MacroAssemblerARM64::storeToTLS32):
        (JSC::MacroAssemblerARM64::storeToTLS64):
        (JSC::MacroAssemblerARM64::storeToTLSPtrNeedsMacroScratchRegister):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::loadFromTLSPtrNeedsMacroScratchRegister):
        (JSC::MacroAssemblerX86Common::storeToTLS32):
        (JSC::MacroAssemblerX86Common::storeToTLSPtrNeedsMacroScratchRegister):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::loadFromTLS64): was loading 32-bit instead of 64-bit
        (JSC::MacroAssemblerX86_64::storeToTLS64):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::movl_rm):
        (JSC::X86Assembler::movq_rm):
        * b3/testb3.cpp:
        (JSC::B3::testFastTLSLoad):
        (JSC::B3::testFastTLSStore):
        (JSC::B3::run):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::loadWasmContext):
        (JSC::AssemblyHelpers::storeWasmContext):
        (JSC::AssemblyHelpers::loadWasmContextNeedsMacroScratchRegister):
        (JSC::AssemblyHelpers::storeWasmContextNeedsMacroScratchRegister):
        * jit/Repatch.cpp:
        (JSC::webAssemblyOwner):
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromWasmThunkGenerator):
        * runtime/Options.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::loadWasmContext):
        (JSC::Wasm::storeWasmContext):
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::getMemoryBaseAndSize):
        (JSC::Wasm::restoreWebAssemblyGlobalState):
        (JSC::Wasm::createJSToWasmWrapper):
        (JSC::Wasm::parseAndCompile):
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::materializeImportJSCell):
        (JSC::Wasm::wasmToJs):
        (JSC::Wasm::wasmToWasm):
        * wasm/WasmContext.cpp: Added.
        (JSC::loadWasmContext):
        (JSC::storeWasmContext):
        * wasm/WasmContext.h: Added. Replaces "top" JSWebAssemblyInstance.
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):
        * wasm/js/WebAssemblyInstanceConstructor.h:

2017-03-24  JF Bastien  <jfbastien@apple.com>

        WebAssembly: spec-tests/memory.wast.js fails in debug
        https://bugs.webkit.org/show_bug.cgi?id=169794

        Reviewed by Keith Miller.

        The failure was due to empty memories (with maximum size 0). Those
        only occur in tests and in code that's trying to trip us. This
        patch adds memory mode "none" which represents no memory. It can
        work with either bounds checked or signaling code because it never
        contains loads and stores.

        The spec tests which were failing did the following:
            > (module (memory (data)) (func (export "memsize") (result i32) (current_memory)))
            > (assert_return (invoke "memsize") (i32.const 0))
            > (module (memory (data "")) (func (export "memsize") (result i32) (current_memory)))
            > (assert_return (invoke "memsize") (i32.const 0))
            > (module (memory (data "x")) (func (export "memsize") (result i32) (current_memory)))
            > (assert_return (invoke "memsize") (i32.const 1))

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::memoryKind):
        * wasm/WasmMemory.cpp:
        (JSC::Wasm::tryGetFastMemory):
        (JSC::Wasm::releaseFastMemory):
        (JSC::Wasm::Memory::Memory):
        (JSC::Wasm::Memory::createImpl):
        (JSC::Wasm::Memory::create):
        (JSC::Wasm::Memory::grow):
        (JSC::Wasm::Memory::makeString):
        * wasm/WasmMemory.h:
        * wasm/WasmMemoryInformation.cpp:
        (JSC::Wasm::MemoryInformation::MemoryInformation):
        * wasm/js/JSWebAssemblyCodeBlock.cpp:
        (JSC::JSWebAssemblyCodeBlock::isSafeToRun):
        * wasm/js/JSWebAssemblyModule.cpp:
        (JSC::JSWebAssemblyModule::codeBlock):
        (JSC::JSWebAssemblyModule::finishCreation):
        * wasm/js/JSWebAssemblyModule.h:
        (JSC::JSWebAssemblyModule::codeBlock):
        (JSC::JSWebAssemblyModule::codeBlockFor):

2017-03-24  Mark Lam  <mark.lam@apple.com>

        Array memcpy'ing fast paths should check if we're having a bad time if they cannot handle it.
        https://bugs.webkit.org/show_bug.cgi?id=170064
        <rdar://problem/31246098>

        Reviewed by Geoffrey Garen.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoPrivateFuncConcatMemcpy):
        * runtime/JSArray.cpp:
        (JSC::JSArray::fastSlice):

2017-03-23  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use jsNontrivialString agressively for ToString(Int52)
        https://bugs.webkit.org/show_bug.cgi?id=170002

        Reviewed by Sam Weinig.

        We use the same logic used for Int32 to use jsNontvirialString.
        After single character check, produced string is always longer than 1.
        Thus, we can use jsNontrivialString.

        * runtime/NumberPrototype.cpp:
        (JSC::int52ToString):

2017-03-23  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use WeakRandom for SamplingProfiler interval fluctuation
        https://bugs.webkit.org/show_bug.cgi?id=170045

        Reviewed by Mark Lam.

        It is unnecessary to use cryptographicallyRandomNumber for SamplingProfiler
        interval fluctuation. Use WeakRandom instead.

        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::SamplingProfiler):
        (JSC::SamplingProfiler::timerLoop):
        * runtime/SamplingProfiler.h:

2017-03-23  Mark Lam  <mark.lam@apple.com>

        Array.prototype.splice behaves incorrectly when the VM is "having a bad time".
        https://bugs.webkit.org/show_bug.cgi?id=170025
        <rdar://problem/31228679>

        Reviewed by Saam Barati.

        * runtime/ArrayPrototype.cpp:
        (JSC::copySplicedArrayElements):
        (JSC::arrayProtoFuncSplice):

2017-03-23  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC][DFG] Make addShouldSpeculateAnyInt more conservative to avoid regression caused by Double <-> Int52 conversions
        https://bugs.webkit.org/show_bug.cgi?id=169998

        Reviewed by Saam Barati.

        Double <-> Int52 and JSValue <-> Int52 conversions are not so cheap. Thus, Int52Rep is super carefully emitted.
        We make addShouldSpeculateAnyInt more conservative to avoid regressions caused by the above conversions.
        We select ArithAdd(Int52, Int52) only when this calculation is beneficial compared to added Int52Rep conversions.

        This patch tighten the conditions of addShouldSpeculateAnyInt.

        1. Honor DoubleConstant.

        When executing imaging-darkroom, we have a thing like that,

            132:< 2:loc36> DoubleConstant(Double|UseAsOther, AnyIntAsDouble, Double: 4607182418800017408, 1.000000, bc#114)
            1320:< 1:loc38>        Int52Rep(Check:Int32:@82, Int52|PureInt, Int32, Exits, bc#114)
            1321:< 1:loc39>        Int52Constant(Int52|PureInt, Boolint32Nonboolint32Int52, Double: 4607182418800017408, 1.000000, bc#114)
            133:<!3:loc39> ArithSub(Int52Rep:@1320<Int52>, Int52Rep:@1321<Int52>, Int52|MustGen, Int52, CheckOverflow, Exits, bc#114)

        The LHS of ArithSub says predicting Boolint32, and the rhs says AnyIntAsDouble. Thus we select ArithSub(Int52, Int52) instead
        of ArithSub(Double, Double). However, it soon causes OSR exits. In imaging-darkroom, LHS's Int32 prediction will be broken.
        While speculating Int32 in the above situation is reasonable approach since the given LHS says predicting Int32, this causes
        severe performance regression.

        Previously, we always select ArithSub(Double, Double). So accidentally, we do not encounter this misprediction issue.

        One thing can be found that we have DoubleConstant in the RHS. It means that we have `1.0` instead of `1` in the code.
        We can see the code like `lhs - 1.0` instead of `lhs - 1` in imaging-darkroom. It offers good information that lhs and
        the resulting value would be double. Handling the above ArithSub in double seems more appropriate rather than handling
        it in Int52.

        So, in this patch, we honor DoubleConstant. If we find DoubleConstant on one operand, we give up selecting
        Arith[Sub,Add](Int52, Int52). This change removes OSR exits occurr in imaging-darkroom right now.

        2. Two Int52Rep(Double) conversions are not desirable.

        We allow AnyInt ArithAdd only when the one operand of the binary operation should be speculated AnyInt. It is a bit conservative
        decision. This is because Double to Int52 conversion is not so cheap. Frequent back-and-forth conversions between Double and Int52
        rather hurt the performance. If the one operand of the operation is already Int52, the cost for constructing ArithAdd becomes
        cheap since only one Double to Int52 conversion could be required.
        This recovers some regression in assorted tests while keeping kraken crypto improvements.

        3. Avoid frequent Int52 to JSValue conversions.

        Int52 to JSValue conversion is not so cheap. Thus, we would like to avoid such situations. So, in this patch, we allow
        Arith(Int52, Int52) with AnyIntAsDouble operand only when the node is used as number. By doing so, we avoid the case like,
        converting Int52, performing ArithAdd, and soon converting back to JSValue.

        The above 3 changes recover the regression measured in microbenchmarks/int52-back-and-forth.js and assorted benchmarks.
        And still it keeps kraken crypto improvements.

                                                   baseline                  patched

        imaging-darkroom                       201.112+-3.192      ^     189.532+-2.883         ^ definitely 1.0611x faster
        stanford-crypto-pbkdf2                 103.953+-2.325            100.926+-2.396           might be 1.0300x faster
        stanford-crypto-sha256-iterative        35.103+-1.071      ?      36.049+-1.143         ? might be 1.0270x slower

        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addShouldSpeculateAnyInt):

== Rolled over to ChangeLog-2017-03-23 ==