Web Inspector: Remove unused and untested Page.setTouchEmulationEnabled command

[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2016-11-15  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove unused and untested Page.setTouchEmulationEnabled command
        https://bugs.webkit.org/show_bug.cgi?id=164793

        Reviewed by Matt Baker.

        * inspector/protocol/Page.json:

2016-11-15  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, build fix for Windows debug build after r208738
        https://bugs.webkit.org/show_bug.cgi?id=164727

        This static member variable can be touched outside of the JSC project
        since inlined MacroAssembler member functions read / write it.
        So it should be exported.

        * assembler/MacroAssemblerX86Common.h:

2016-11-15  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: inspector/worker/debugger-pause.html fails on WebKit1
        https://bugs.webkit.org/show_bug.cgi?id=164787

        Reviewed by Timothy Hatcher.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::cancelPauseOnNextStatement):
        Clear this DebuggerAgent state when we resume.

2016-11-15  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to disable concurrent GC timeslicing
        https://bugs.webkit.org/show_bug.cgi?id=164788

        Reviewed by Saam Barati.
        
        Collector timeslicing means that the collector will try to pause once every 2ms. This is
        great because it throttles the mutator and prevents it from outpacing the collector. But
        it reduces some of the efficacy of the collectContinuously=true configuration: while
        it's great that collecting continuously means that the collector will also pause more
        frequently and so it will test the pausing code, it also means that the collector will
        spend less time running concurrently. The primary purpose of collectContinuously is to
        maximize the amount of time that the collector is running concurrently to the mutator to
        maximize the likelihood that a race will cause a detectable error.
        
        This adds an option to disable collector timeslicing (useCollectorTimeslicing=false).
        The idea is that we will usually use this in conjunction with collectContinuously=true
        to find race conditions during marking, but we can also use the two options
        independently to focus our testing on other things.

        * heap/Heap.cpp:
        (JSC::Heap::markToFixpoint):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::drainInParallel): We should have added this helper ages ago.
        * heap/SlotVisitor.h:
        * runtime/Options.h:

2016-11-15  Filip Pizlo  <fpizlo@apple.com>

        The concurrent GC should have a timeslicing controller
        https://bugs.webkit.org/show_bug.cgi?id=164783

        Reviewed by Geoffrey Garen.
        
        This adds a simple control system for deciding when the collector should let the mutator run
        and when it should stop the mutator. We definitely have to stop the mutator during certain
        collector phases, but during marking - which takes the most time - we can go either way.
        Normally we want to let the mutator run, but if the heap size starts to grow then we have to
        stop the mutator just to make sure it doesn't get too far ahead of the collector. That could
        lead to memory exhaustion, so it's better to just stop in that case.
        
        The controller tries to never stop the mutator for longer than short timeslices. It slices on
        a 2ms period (configurable via Options). The amount of that period that the collector spends
        with the mutator stopped is determined by the fraction of the collector's concurrent headroom
        that has been allocated over. The headroom is currently configured at 50% of what was
        allocated before the collector started.
        
        This moves a bunch of parameters into Options so that it's easier to play with different
        configurations.
        
        I tried these different values for the period:
        
        1ms: 30% worse than 2ms on splay-latency.
        2ms: best score on splay-latency: the tick time above the 99.5% percentile is <2ms.
        3ms: 40% worse than 2ms on splay-latency.
        4ms: 40% worse than 2ms on splay-latency.
        
        I also tried 100% headroom as an alternate to 50% and found it to be a worse.
        
        This patch is a 2x improvement on splay-latency with the default parameters and concurrent GC
        enabled. Prior to this change, the GC didn't have a good bound on its pause times, which
        would cause these problems. Concurrent GC is now 5.6x better on splay-latency than no
        concurrent GC.

        * heap/Heap.cpp:
        (JSC::Heap::ResumeTheWorldScope::ResumeTheWorldScope):
        (JSC::Heap::markToFixpoint):
        (JSC::Heap::collectInThread):
        * runtime/Options.h:

2016-11-15  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, build fix for CLoop after r208738
        https://bugs.webkit.org/show_bug.cgi?id=164727

        * jsc.cpp:
        (WTF::DOMJITFunctionObject::unsafeFunction):
        (WTF::DOMJITFunctionObject::finishCreation):

2016-11-15  Mark Lam  <mark.lam@apple.com>

        The jsc shell's setImpureGetterDelegate() should ensure that the set value is an ImpureGetter.
        https://bugs.webkit.org/show_bug.cgi?id=164781
        <rdar://problem/28418590>

        Reviewed by Geoffrey Garen and Michael Saboff.

        * jsc.cpp:
        (functionSetImpureGetterDelegate):

2016-11-15  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DOMJIT] Allow using macro assembler scratches in FTL CheckDOM
        https://bugs.webkit.org/show_bug.cgi?id=164727

        Reviewed by Filip Pizlo.

        While CallDOMGetter can use macro assembler scratch registers, we previiously
        assumed that CheckDOM code generator does not use macro assembler scratch registers.
        It is currently true in x86 environment. But it is not true in the other environments.

        We should not limit DOMJIT::Patchpoint's functionality in such a way. We should allow
        arbitrary macro assembler operations inside the DOMJIT::Patchpoint. This patch allows
        CheckDOM to use macro assembler scratch registers.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckDOM):
        * jsc.cpp:
        (WTF::DOMJITFunctionObject::DOMJITFunctionObject):
        (WTF::DOMJITFunctionObject::createStructure):
        (WTF::DOMJITFunctionObject::create):
        (WTF::DOMJITFunctionObject::unsafeFunction):
        (WTF::DOMJITFunctionObject::safeFunction):
        (WTF::DOMJITFunctionObject::checkDOMJITNode):
        (WTF::DOMJITFunctionObject::finishCreation):
        (GlobalObject::finishCreation):
        (functionCreateDOMJITFunctionObject):

2016-11-14  Geoffrey Garen  <ggaren@apple.com>

        CodeCache should stop pretending to cache builtins
        https://bugs.webkit.org/show_bug.cgi?id=164750

        Reviewed by Saam Barati.

        We were passing JSParserBuiltinMode to all CodeCache functions, but the
        passed-in value was always NotBuiltin.

        Let's stop passing it.

        * parser/SourceCodeKey.h:
        (JSC::SourceCodeFlags::SourceCodeFlags):
        (JSC::SourceCodeKey::SourceCodeKey):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
        (JSC::CodeCache::getUnlinkedProgramCodeBlock):
        (JSC::CodeCache::getUnlinkedGlobalEvalCodeBlock):
        (JSC::CodeCache::getUnlinkedModuleProgramCodeBlock):
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
        * runtime/CodeCache.h:
        (JSC::generateUnlinkedCodeBlock):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createProgramCodeBlock):
        (JSC::JSGlobalObject::createLocalEvalCodeBlock):
        (JSC::JSGlobalObject::createGlobalEvalCodeBlock):
        (JSC::JSGlobalObject::createModuleProgramCodeBlock):

2016-11-15  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION (r208711-r208722): ASSERTION FAILED: hasInlineStorage()
        https://bugs.webkit.org/show_bug.cgi?id=164775

        Reviewed by Mark Lam and Keith Miller.
        
        We were calling inlineStorage() which asserts that inline storage is not empty. But we
        were calling it in a context where it could be empty and that's fine. So, we now call
        inlineStorageUnsafe().

        * runtime/JSObject.h:
        (JSC::JSFinalObject::JSFinalObject):

2016-11-14  Csaba Osztrogonác  <ossy@webkit.org>

        [ARM] Unreviewed buildfix after r208720.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::storeFence): Stub function copied from MacroAssemblerARMv7.h.

2016-11-14  Caitlin Potter  <caitp@igalia.com>

        [JSC] do not reference AwaitExpression Promises in async function Promise chain
        https://bugs.webkit.org/show_bug.cgi?id=164753

        Reviewed by Yusuke Suzuki.

        Previously, long-running async functions which contained many AwaitExpressions
        would allocate and retain references to intermediate Promise objects for each `await`,
        resulting in a memory leak.

        To mitigate this leak, a reference to the original Promise (and its resolve and reject
        functions) associated with the async function are kept, and passed to each call to
        @asyncFunctionResume, while intermediate Promises are discarded. This is done by adding
        a new Register to the BytecodeGenerator to hold the PromiseCapability object associated
        with an async function wrapper. The capability is used to reject the Promise if an
        exception is thrown during parameter initialization, and is used to store the resulting
        value once the async function has terminated.

        * builtins/AsyncFunctionPrototype.js:
        (globalPrivate.asyncFunctionResume):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::promiseCapabilityRegister):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionNode::emitBytecode):

2016-11-14  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Worker debugging should pause all targets and view call frames in all targets
        https://bugs.webkit.org/show_bug.cgi?id=164305
        <rdar://problem/29056192>

        Reviewed by Timothy Hatcher.

        * inspector/InjectedScriptSource.js:
        (InjectedScript.prototype._propertyDescriptors):
        Accessing __proto__ does a ToThis(...) conversion on the receiver.
        In the case of GlobalObjects (such as WorkerGlobalScope when paused)
        this would return undefined and throw an exception. We can use
        Object.getPrototypeOf to avoid that conversion and possible error.

        * inspector/protocol/Debugger.json:
        Provide a new way to effectively `resume` + `pause` immediately.
        This must be implemented on the backend to correctly synchronize
        the resuming and pausing.

        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::continueUntilNextRunLoop):
        Treat this as `resume` and `pause`. Resume now, and trigger
        a pause if the VM becomes idle and we didn't pause before then
        (such as hitting a breakpoint after we resumed).

        (Inspector::InspectorDebuggerAgent::pause):
        (Inspector::InspectorDebuggerAgent::resume):
        (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
        (Inspector::InspectorDebuggerAgent::cancelPauseOnNextStatement):
        Clean up and correct pause on next statement logic.

        (Inspector::InspectorDebuggerAgent::registerIdleHandler):
        (Inspector::InspectorDebuggerAgent::willStepAndMayBecomeIdle):
        (Inspector::InspectorDebuggerAgent::didBecomeIdle):
        (Inspector::InspectorDebuggerAgent::didBecomeIdleAfterStepping): Deleted.
        The idle handler may now also trigger a pause in the case
        where continueUntilNextRunLoop resumed and wants to pause.

        (Inspector::InspectorDebuggerAgent::didPause):
        Eliminate the useless didPause. The DOMDebugger was keeping track
        of its own state that was worse then the state in DebuggerAgent.

2016-11-14  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix cloop.

        * runtime/JSCellInlines.h:

2016-11-14  Filip Pizlo  <fpizlo@apple.com>

        The GC should be optionally concurrent and disabled by default
        https://bugs.webkit.org/show_bug.cgi?id=164454

        Reviewed by Geoffrey Garen.
        
        This started out as a patch to have the GC scan the stack at the end, and then the
        outage happened and I decided to pick a more aggresive target: give the GC a concurrent
        mode that can be enabled at runtime, and whose only effect is that it turns on the
        ResumeTheWorldScope. This gives our GC a really intuitive workflow: by default, the GC
        thread is running solo with the world stopped and the parallel markers converged and
        waiting. We have a parallel work scope to enable the parallel markers and now we have a
        ResumeTheWorldScope that will optionally resume the world and then stop it again.
        
        It's easy to make a concurrent GC that always instantly crashes. I can't promise that
        this one won't do that when you run it. I set a specific goal: I wanted to do >10
        concurrent GCs in debug mode with generations, optimizing JITs, and parallel marking
        disabled.
        
        To reach this milestone, I needed to do a bunch of stuff:
        
        - The mutator needs a separate mark stack for the barrier, since it will mutate this
          stack concurrently to the collector's slot visitors.
        
        - The use of CellState to indicate whether an object is being scanned the first time or
          a subsequent time was racy. It fails spectacularly when a barrier is fired at the same
          time as visitChildren is running or if the barrier runs at the same time as the GC
          marks the same object. So, I split SlotVisitor's mark stacks. It's now the case that
          you know why you're being scanned by looking at which stack you came off of.
        
        - All of root marking must be in the collector fixpoint. I renamed markRoots to
          markToFixpoint. They say concurrency is hard, but the collector looks more intuitive
          this way. We never gained anything from forcing people to make a choice between
          scanning something in the fixpoint versus outside of it. Because root scanning is
          cheap, we can afford to do it repeatedly, which means all root scanning can now do
          constraint-based marking (like: I'll mark you if that thing is marked).
        
        - JSObject::visitChildren's scanning of the butterfly raced with property additions,
          indexed storage transitions and resizing, and a bunch of miscellaneous dirty butterfly
          reshaping functions - like the one that flattens a dictionary and some sneaky
          ArrayStorage transformations. Many of these can be fixed by using store-store fences
          in the mutator and load-load fences in the collector. I've adopted the rule that the
          collector must always see either a butterfly and structure that match or a newer
          butterfly with an older structure, where their age is just one transition apart. This
          can be achieved with fences. For the cases where it breaks down, I added a lock to
          every JSCell. This is a full-fledged WTF lock that we sneak into two available bits in
          the indexingType. See the WTF ChangeLog for details.
          
          The mutator fencing rules are as follows:
          
          - Store-store fence before and after setting the butterfly.
          - Store-store fence before setting structure if you had changed the shape of the
            butterfly.
          - Store-store fence after initializing all fields in an allocation.
        
        - A dictionary Structure can change in strange ways while the GC is trying to scan it.
          So, JSObject::visitChildren will now grab the object's structure's lock if the
          object's structure is a dictionary. Dictionary structures are 1:1 with their object,
          so this does not reduce GC parallelism (super unlikely that the GC will simultaneously
          scan an object from two threads).
        
        - The GC can blow away a Structure's property table at any time. As a small consolation,
          it's now holding the Structure's lock when it does so. But there was tons of code in
          Structure that uses DeferGC to prevent the GC from blowing away the property table.
          This doesn't work with concurrent GC, since DeferGC only means that the GC won't run
          its safepoint (i.e. stop-the-world code) in the DeferGC region. It will still do
          marking and it was the Structure::visitChildren that would delete the table. It turns
          out that Structure's reliance on the property table not being deleted was the product
          of code rot. We already had functions that would materialize the table on demand. We
          were simply making the mistake of saying:
          
              structure->materializePropertyMap();
              ...
              structure->propertyTable()->things
          
          Instead of saying:
          
              PropertyTable* table = structure->ensurePropertyTable();
              ...
              table->things
          
          Switching the code to use the latter idiom allowed me to simplify the code a lot while
          fixing the race.
        
        - The LLInt's get_by_val handling was broken because the indexing shape constants were
          wrong. Once I started putting more things into the IndexingType, that started causing
          crashes for me. So I fixed LLInt. That turned out to be a lot of work, since that code
          had rotted in subtle ways.
        
        This is a speed-up in SunSpider, probably because of the LLInt fix. This is neutral on
        Octane and Kraken. It's a smaller slow-down on LongSpider, but I think we can ignore
        that (we don't view LongSpider as an official benchmark). By default, the concurrent GC
        is disabled: in all of the places where it would have resumed the world to run marking
        concurrently to the mutator, it will just skip the resume step. When you enable
        concurrent GC (--useConcurrentGC=true), it can sometimes run Octane/splay to completion.
        It seems to perform quite well: on my machine, it improves both splay-throughput and
        splay-latency. It's probably unstable for other programs.

        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine isOldExternalObject:]):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::storeFence):
        * bytecode/InlineAccess.cpp:
        (JSC::InlineAccess::dumpCacheSizesAndCrash):
        (JSC::InlineAccess::generateSelfPropertyAccess):
        (JSC::InlineAccess::generateArrayLength):
        * bytecode/ObjectAllocationProfile.h:
        (JSC::ObjectAllocationProfile::offsetOfInlineCapacity):
        (JSC::ObjectAllocationProfile::ObjectAllocationProfile):
        (JSC::ObjectAllocationProfile::initialize):
        (JSC::ObjectAllocationProfile::inlineCapacity):
        (JSC::ObjectAllocationProfile::clear):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::generateWithGuard):
        (JSC::AccessCase::generateImpl):
        * dfg/DFGArrayifySlowPathGenerator.h:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::markCodeBlocks):
        (JSC::DFG::Plan::rememberCodeBlocks):
        * dfg/DFGPlan.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::arrayify):
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
        (JSC::DFG::SpeculativeJIT::compileCreateActivation):
        (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileSpread):
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileNewStringObject):
        (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
        (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::markCodeBlocks):
        (JSC::DFG::Worklist::rememberCodeBlocks):
        (JSC::DFG::markCodeBlocks):
        (JSC::DFG::completeAllPlansForVM):
        (JSC::DFG::rememberCodeBlocks):
        * dfg/DFGWorklist.h:
        * ftl/FTLAbstractHeapRepository.cpp:
        (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
        (JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::~JITCode):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compilePutStructure):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
        (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::splatWords):
        (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
        (JSC::FTL::DFG::LowerDFGToB3::isArrayType):
        (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
        (JSC::FTL::DFG::LowerDFGToB3::mutatorFence):
        (JSC::FTL::DFG::LowerDFGToB3::setButterfly):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLOutput.cpp:
        (JSC::FTL::Output::signExt32ToPtr):
        (JSC::FTL::Output::fence):
        * ftl/FTLOutput.h:
        * heap/CellState.h:
        * heap/GCSegmentedArray.h:
        * heap/Heap.cpp:
        (JSC::Heap::ResumeTheWorldScope::ResumeTheWorldScope):
        (JSC::Heap::ResumeTheWorldScope::~ResumeTheWorldScope):
        (JSC::Heap::Heap):
        (JSC::Heap::~Heap):
        (JSC::Heap::harvestWeakReferences):
        (JSC::Heap::finalizeUnconditionalFinalizers):
        (JSC::Heap::completeAllJITPlans):
        (JSC::Heap::markToFixpoint):
        (JSC::Heap::gatherStackRoots):
        (JSC::Heap::beginMarking):
        (JSC::Heap::visitConservativeRoots):
        (JSC::Heap::visitCompilerWorklistWeakReferences):
        (JSC::Heap::updateObjectCounts):
        (JSC::Heap::endMarking):
        (JSC::Heap::addToRememberedSet):
        (JSC::Heap::collectInThread):
        (JSC::Heap::stopTheWorld):
        (JSC::Heap::resumeTheWorld):
        (JSC::Heap::setGCDidJIT):
        (JSC::Heap::setNeedFinalize):
        (JSC::Heap::setMutatorWaiting):
        (JSC::Heap::clearMutatorWaiting):
        (JSC::Heap::finalize):
        (JSC::Heap::flushWriteBarrierBuffer):
        (JSC::Heap::writeBarrierSlowPath):
        (JSC::Heap::canCollect):
        (JSC::Heap::reportExtraMemoryVisited):
        (JSC::Heap::reportExternalMemoryVisited):
        (JSC::Heap::notifyIsSafeToCollect):
        (JSC::Heap::markRoots): Deleted.
        (JSC::Heap::visitExternalRememberedSet): Deleted.
        (JSC::Heap::visitSmallStrings): Deleted.
        (JSC::Heap::visitProtectedObjects): Deleted.
        (JSC::Heap::visitArgumentBuffers): Deleted.
        (JSC::Heap::visitException): Deleted.
        (JSC::Heap::visitStrongHandles): Deleted.
        (JSC::Heap::visitHandleStack): Deleted.
        (JSC::Heap::visitSamplingProfiler): Deleted.
        (JSC::Heap::visitTypeProfiler): Deleted.
        (JSC::Heap::visitShadowChicken): Deleted.
        (JSC::Heap::traceCodeBlocksAndJITStubRoutines): Deleted.
        (JSC::Heap::visitWeakHandles): Deleted.
        (JSC::Heap::flushOldStructureIDTables): Deleted.
        (JSC::Heap::stopAllocation): Deleted.
        * heap/Heap.h:
        (JSC::Heap::collectorSlotVisitor):
        (JSC::Heap::mutatorMarkStack):
        (JSC::Heap::mutatorShouldBeFenced):
        (JSC::Heap::addressOfMutatorShouldBeFenced):
        (JSC::Heap::slotVisitor): Deleted.
        (JSC::Heap::notifyIsSafeToCollect): Deleted.
        (JSC::Heap::barrierShouldBeFenced): Deleted.
        (JSC::Heap::addressOfBarrierShouldBeFenced): Deleted.
        * heap/MarkStack.cpp:
        (JSC::MarkStackArray::transferTo):
        * heap/MarkStack.h:
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::tryAllocateIn):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::MarkedBlock):
        (JSC::MarkedBlock::Handle::specializedSweep):
        (JSC::MarkedBlock::Handle::sweep):
        (JSC::MarkedBlock::Handle::sweepHelperSelectMarksMode):
        (JSC::MarkedBlock::Handle::stopAllocating):
        (JSC::MarkedBlock::Handle::resumeAllocating):
        (JSC::MarkedBlock::aboutToMarkSlow):
        (JSC::MarkedBlock::Handle::didConsumeFreeList):
        (JSC::SetNewlyAllocatedFunctor::SetNewlyAllocatedFunctor): Deleted.
        (JSC::SetNewlyAllocatedFunctor::operator()): Deleted.
        * heap/MarkedBlock.h:
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::resumeAllocating):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::SlotVisitor):
        (JSC::SlotVisitor::~SlotVisitor):
        (JSC::SlotVisitor::reset):
        (JSC::SlotVisitor::clearMarkStacks):
        (JSC::SlotVisitor::appendJSCellOrAuxiliary):
        (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
        (JSC::SlotVisitor::appendToMarkStack):
        (JSC::SlotVisitor::appendToMutatorMarkStack):
        (JSC::SlotVisitor::visitChildren):
        (JSC::SlotVisitor::donateKnownParallel):
        (JSC::SlotVisitor::drain):
        (JSC::SlotVisitor::drainFromShared):
        (JSC::SlotVisitor::containsOpaqueRoot):
        (JSC::SlotVisitor::donateAndDrain):
        (JSC::SlotVisitor::mergeOpaqueRoots):
        (JSC::SlotVisitor::dump):
        (JSC::SlotVisitor::clearMarkStack): Deleted.
        (JSC::SlotVisitor::opaqueRootCount): Deleted.
        * heap/SlotVisitor.h:
        (JSC::SlotVisitor::collectorMarkStack):
        (JSC::SlotVisitor::mutatorMarkStack):
        (JSC::SlotVisitor::isEmpty):
        (JSC::SlotVisitor::bytesVisited):
        (JSC::SlotVisitor::markStack): Deleted.
        (JSC::SlotVisitor::bytesCopied): Deleted.
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::reportExtraMemoryVisited):
        (JSC::SlotVisitor::reportExternalMemoryVisited):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
        (JSC::AssemblyHelpers::barrierStoreLoadFence):
        (JSC::AssemblyHelpers::mutatorFence):
        (JSC::AssemblyHelpers::storeButterfly):
        (JSC::AssemblyHelpers::jumpIfMutatorFenceNotNeeded):
        (JSC::AssemblyHelpers::emitInitializeInlineStorage):
        (JSC::AssemblyHelpers::emitInitializeOutOfLineStorage):
        (JSC::AssemblyHelpers::jumpIfBarrierStoreLoadFenceNotNeeded): Deleted.
        * jit/JITInlines.h:
        (JSC::JIT::emitArrayProfilingSiteWithCell):
        * jit/JITOperations.cpp:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emit_op_put_to_arguments):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::create):
        (JSC::Butterfly::createOrGrowPropertyStorage):
        * runtime/ConcurrentJITLock.h:
        (JSC::GCSafeConcurrentJITLocker::NoDefer::NoDefer): Deleted.
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
        (JSC::GenericArguments<Type>::putByIndex):
        * runtime/IndexingType.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::unshiftCountSlowCase):
        (JSC::JSArray::unshiftCountWithArrayStorage):
        * runtime/JSCell.h:
        (JSC::JSCell::InternalLocker::InternalLocker):
        (JSC::JSCell::InternalLocker::~InternalLocker):
        (JSC::JSCell::atomicCompareExchangeCellStateWeakRelaxed):
        (JSC::JSCell::atomicCompareExchangeCellStateStrong):
        (JSC::JSCell::indexingTypeAndMiscOffset):
        (JSC::JSCell::indexingTypeOffset): Deleted.
        * runtime/JSCellInlines.h:
        (JSC::JSCell::JSCell):
        (JSC::JSCell::finishCreation):
        (JSC::JSCell::indexingTypeAndMisc):
        (JSC::JSCell::indexingType):
        (JSC::JSCell::setStructure):
        (JSC::JSCell::callDestructor):
        (JSC::JSCell::lockInternalLock):
        (JSC::JSCell::unlockInternalLock):
        * runtime/JSObject.cpp:
        (JSC::JSObject::visitButterfly):
        (JSC::JSObject::visitChildren):
        (JSC::JSFinalObject::visitChildren):
        (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
        (JSC::JSObject::createInitialUndecided):
        (JSC::JSObject::createInitialInt32):
        (JSC::JSObject::createInitialDouble):
        (JSC::JSObject::createInitialContiguous):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::convertUndecidedToArrayStorage):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::JSObject::increaseVectorLength):
        (JSC::JSObject::ensureLengthSlow):
        (JSC::JSObject::reallocateAndShrinkButterfly):
        (JSC::JSObject::allocateMoreOutOfLineStorage):
        (JSC::JSObject::shiftButterflyAfterFlattening):
        (JSC::JSObject::growOutOfLineStorage): Deleted.
        * runtime/JSObject.h:
        (JSC::JSFinalObject::JSFinalObject):
        (JSC::JSObject::setButterfly):
        (JSC::JSObject::getOwnNonIndexPropertySlot):
        (JSC::JSObject::fillCustomGetterPropertySlot):
        (JSC::JSObject::getOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::setStructureAndButterfly): Deleted.
        (JSC::JSObject::setButterflyWithoutChangingStructure): Deleted.
        (JSC::JSObject::putDirectInternal): Deleted.
        (JSC::JSObject::putDirectWithoutTransition): Deleted.
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::getNonIndexPropertySlot):
        (JSC::JSObject::putDirectWithoutTransition):
        (JSC::JSObject::putDirectInternal):
        * runtime/Options.h:
        * runtime/SparseArrayValueMap.h:
        * runtime/Structure.cpp:
        (JSC::Structure::dumpStatistics):
        (JSC::Structure::findStructuresAndMapForMaterialization):
        (JSC::Structure::materializePropertyTable):
        (JSC::Structure::addNewPropertyTransition):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::takePropertyTableOrCloneIfPinned):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::isSealed):
        (JSC::Structure::isFrozen):
        (JSC::Structure::flattenDictionaryStructure):
        (JSC::Structure::pin):
        (JSC::Structure::pinForCaching):
        (JSC::Structure::willStoreValueSlow):
        (JSC::Structure::copyPropertyTableForPinning):
        (JSC::Structure::add):
        (JSC::Structure::remove):
        (JSC::Structure::getPropertyNamesFromStructure):
        (JSC::Structure::visitChildren):
        (JSC::Structure::materializePropertyMap): Deleted.
        (JSC::Structure::addPropertyWithoutTransition): Deleted.
        (JSC::Structure::removePropertyWithoutTransition): Deleted.
        (JSC::Structure::copyPropertyTable): Deleted.
        (JSC::Structure::createPropertyMap): Deleted.
        (JSC::PropertyTable::checkConsistency): Deleted.
        (JSC::Structure::checkConsistency): Deleted.
        * runtime/Structure.h:
        * runtime/StructureIDBlob.h:
        (JSC::StructureIDBlob::StructureIDBlob):
        (JSC::StructureIDBlob::indexingTypeIncludingHistory):
        (JSC::StructureIDBlob::setIndexingTypeIncludingHistory):
        (JSC::StructureIDBlob::indexingTypeIncludingHistoryOffset):
        (JSC::StructureIDBlob::indexingType): Deleted.
        (JSC::StructureIDBlob::setIndexingType): Deleted.
        (JSC::StructureIDBlob::indexingTypeOffset): Deleted.
        * runtime/StructureInlines.h:
        (JSC::Structure::get):
        (JSC::Structure::checkOffsetConsistency):
        (JSC::Structure::checkConsistency):
        (JSC::Structure::add):
        (JSC::Structure::remove):
        (JSC::Structure::addPropertyWithoutTransition):
        (JSC::Structure::removePropertyWithoutTransition):
        (JSC::Structure::setPropertyTable):
        (JSC::Structure::putWillGrowOutOfLineStorage): Deleted.
        (JSC::Structure::propertyTable): Deleted.
        (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Deleted.

2016-11-14  Keith Miller  <keith_miller@apple.com>

        Add Wasm select
        https://bugs.webkit.org/show_bug.cgi?id=164743

        Reviewed by Saam Barati.

        Also, this patch fixes an issue with the jsc.cpp test harness where negative numbers would be sign extended
        when they shouldn't be.

        * jsc.cpp:
        (box):
        * wasm/WasmB3IRGenerator.cpp:
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseExpression):
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::Validate::addSelect):

2016-11-11  Geoffrey Garen  <ggaren@apple.com>

        JSC should distinguish between local and global eval
        https://bugs.webkit.org/show_bug.cgi?id=164628

        Reviewed by Saam Barati.

        Local use of the 'eval' keyword and invocation of the global window.eval
        function are distinct operations in JavaScript.

        This patch splits out LocalEvalExecutable vs GlobalEvalExecutable in
        order to help distinguish these operations in code.

        Our code used to do some silly things for lack of distinguishing these
        cases. For example, it would double cache local eval in CodeCache and
        EvalCodeCache. This made CodeCache seem more complicated than it really
        was.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj: Added some files.

        * bytecode/CodeBlock.h:

        * bytecode/EvalCodeCache.h:
        (JSC::EvalCodeCache::tryGet):
        (JSC::EvalCodeCache::set):
        (JSC::EvalCodeCache::getSlow): Deleted. Moved code generation out of
        the cache to avoid tight coupling. Now the cache just caches.

        * bytecode/UnlinkedEvalCodeBlock.h:
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
        * bytecode/UnlinkedModuleProgramCodeBlock.h:
        * bytecode/UnlinkedProgramCodeBlock.h:
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::evaluateWithScopeExtension): Updated for interface
        changes.

        * interpreter/Interpreter.cpp:
        (JSC::eval): Moved code generation here so the cache didn't need to build
        it in.

        * llint/LLIntOffsetsExtractor.cpp:

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalCodeBlock): No need to check for TDZ
        variables any more. We only cache global programs, and global variable
        access always does TDZ checks.

        (JSC::CodeCache::getUnlinkedProgramCodeBlock):
        (JSC::CodeCache::getUnlinkedGlobalEvalCodeBlock):
        (JSC::CodeCache::getUnlinkedModuleProgramCodeBlock):
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):

        (JSC::CodeCache::CodeCache): Deleted.
        (JSC::CodeCache::~CodeCache): Deleted.
        (JSC::CodeCache::getGlobalCodeBlock): Deleted.
        (JSC::CodeCache::getProgramCodeBlock): Deleted.
        (JSC::CodeCache::getEvalCodeBlock): Deleted.
        (JSC::CodeCache::getModuleProgramCodeBlock): Deleted.
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode): Deleted.

        * runtime/CodeCache.h:
        (JSC::CodeCache::clear):
        (JSC::generateUnlinkedCodeBlock): Moved unlinked code block creation
        out of the CodeCache class and into a stand-alone function because
        we need it for local eval, which does not live in CodeCache.

        * runtime/EvalExecutable.cpp:
        (JSC::EvalExecutable::create): Deleted.
        * runtime/EvalExecutable.h:
        (): Deleted.
        * runtime/GlobalEvalExecutable.cpp: Added.
        (JSC::GlobalEvalExecutable::create):
        (JSC::GlobalEvalExecutable::GlobalEvalExecutable):
        * runtime/GlobalEvalExecutable.h: Added.
        * runtime/LocalEvalExecutable.cpp: Added.
        (JSC::LocalEvalExecutable::create):
        (JSC::LocalEvalExecutable::LocalEvalExecutable):
        * runtime/LocalEvalExecutable.h: Added. Split out Local vs Global
        EvalExecutable classes to distinguish these operations in code. The key
        difference is that LocalEvalExecutable does not live in the CodeCache
        and only lives in the EvalCodeCache.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createProgramCodeBlock):
        (JSC::JSGlobalObject::createLocalEvalCodeBlock):
        (JSC::JSGlobalObject::createGlobalEvalCodeBlock):
        (JSC::JSGlobalObject::createModuleProgramCodeBlock):
        (JSC::JSGlobalObject::createEvalCodeBlock): Deleted.
        * runtime/JSGlobalObject.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):

        * runtime/JSScope.cpp:
        (JSC::JSScope::collectClosureVariablesUnderTDZ):
        (JSC::JSScope::collectVariablesUnderTDZ): Deleted. We don't include
        global lexical variables in our concept of TDZ scopes anymore. Global
        variable access always does TDZ checks unconditionally. So, only closure
        scope accesses give specific consideration to TDZ checks.

        * runtime/JSScope.h:

2016-11-14  Caitlin Potter  <caitp@igalia.com>

        [JSC] Handle new_async_func / new_async_func_exp in DFG / FTL
        https://bugs.webkit.org/show_bug.cgi?id=164037

        Reviewed by Yusuke Suzuki.

        This patch introduces new_async_func / new_async_func_exp into DFG and FTL,
        in much the same capacity that https://trac.webkit.org/changeset/194216 added
        DFG / FTL support for generators: by adding new DFG nodes (NewAsyncFunction and
        PhantomNewAsyncFunction), rather than extending the existing NewFunction node type.

        Like NewFunction and PhantomNewFunction, and the Generator variants, allocation of
        async wrapper functions may be deferred or eliminated during the allocation sinking
        phase.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGClobbersExitState.cpp:
        (JSC::DFG::clobbersExitState):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGMayExit.cpp:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToPhantomNewFunction):
        (JSC::DFG::Node::convertToPhantomNewAsyncFunction):
        (JSC::DFG::Node::hasCellOperand):
        (JSC::DFG::Node::isFunctionAllocation):
        (JSC::DFG::Node::isPhantomFunctionAllocation):
        (JSC::DFG::Node::isPhantomAllocation):
        * dfg/DFGNodeType.h:
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewFunction):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStoreBarrierInsertionPhase.cpp:
        * dfg/DFGStructureRegistrationPhase.cpp:
        (JSC::DFG::StructureRegistrationPhase::run):
        * dfg/DFGValidate.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::operationPopulateObjectInOSR):
        (JSC::FTL::operationMaterializeObjectInOSR):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::asyncFunctionPrototype):
        (JSC::JSGlobalObject::asyncFunctionStructure):
        (JSC::JSGlobalObject::lazyAsyncFunctionStructure): Deleted.
        (JSC::JSGlobalObject::asyncFunctionPrototypeConcurrently): Deleted.
        (JSC::JSGlobalObject::asyncFunctionStructureConcurrently): Deleted.

2016-11-14  Mark Lam  <mark.lam@apple.com>

        Some of JSStringView::SafeView methods are not idiomatically safe for JSString to StringView conversions.
        https://bugs.webkit.org/show_bug.cgi?id=164701
        <rdar://problem/27462104>

        Reviewed by Darin Adler.

        The characters8(), characters16(), and operator[] in JSString::SafeView converts
        the underlying JSString to a StringView via get(), and then uses the StringView
        without first checking if an exception was thrown during the conversion.  This is
        unsafe because the conversion may have failed.
        
        Instead, we should remove these 3 convenience methods, and make the caller
        explicitly call get() and do the appropriate exception checks before using the
        StringView.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::toStringView):
        (JSC::encode):
        (JSC::decode):
        (JSC::globalFuncParseInt):
        (JSC::globalFuncEscape):
        (JSC::globalFuncUnescape):
        (JSC::toSafeView): Deleted.
        * runtime/JSONObject.cpp:
        (JSC::JSONProtoFuncParse):
        * runtime/JSString.h:
        (JSC::JSString::SafeView::length):
        (JSC::JSString::SafeView::characters8): Deleted.
        (JSC::JSString::SafeView::characters16): Deleted.
        (JSC::JSString::SafeView::operator[]): Deleted.
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncRepeatCharacter):
        (JSC::stringProtoFuncCharAt):
        (JSC::stringProtoFuncCharCodeAt):
        (JSC::stringProtoFuncNormalize):

2016-11-14  Mark Lam  <mark.lam@apple.com>

        RegExpObject::exec/match should handle errors gracefully.
        https://bugs.webkit.org/show_bug.cgi?id=155145
        <rdar://problem/27435934>

        Reviewed by Keith Miller.

        1. Added some missing exception checks to RegExpObject::execInline() and
           RegExpObject::matchInline().
        2. Updated related code to work with ExceptionScope verification requirements.

        * dfg/DFGOperations.cpp:
        * runtime/RegExpObjectInlines.h:
        (JSC::RegExpObject::execInline):
        (JSC::RegExpObject::matchInline):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncTestFast):
        (JSC::regExpProtoFuncExec):
        (JSC::regExpProtoFuncMatchFast):

2016-11-13  Mark Lam  <mark.lam@apple.com>

        Add debugging facility to limit the max single allocation size.
        https://bugs.webkit.org/show_bug.cgi?id=164681

        Reviewed by Keith Miller.

        Added JSC option to set FastMalloc's maxSingleAllocationSize for testing purposes.
        This option is only available on Debug builds.

        * runtime/Options.cpp:
        (JSC::Options::isAvailable):
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:

2016-11-12  Joseph Pecoraro  <pecoraro@apple.com>

        Follow-up fix to r208639.

        Unreviewed fix. This is a straightfoward change where I forgot to
        switch from uncheckedArgument() to argument() in once case after
        dropping an argumentCount check. All other cases do this properly.
        This addresses an ASSERT seen on the bots running tests.

        * runtime/JSDataViewPrototype.cpp:
        (JSC::setData):

2016-11-11  Joseph Pecoraro  <pecoraro@apple.com>

        test262: DataView with explicit undefined byteLength should be the same as it not being present
        https://bugs.webkit.org/show_bug.cgi?id=164453

        Reviewed by Darin Adler.

        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayView):
        Handle the special case of DataView construction with an undefined byteLength value.

2016-11-11  Joseph Pecoraro  <pecoraro@apple.com>

        test262: DataView get methods should allow for missing offset, set methods should allow for missing value
        https://bugs.webkit.org/show_bug.cgi?id=164451

        Reviewed by Darin Adler.

        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        Missing offset is still valid and will be coerced to 0.

        (JSC::setData):
        Missing value is still valid and will be coerced to 0.

2016-11-11  Saam Barati  <sbarati@apple.com>

        We should have a more concise way of determining when we're varargs calling a function using rest parameters
        https://bugs.webkit.org/show_bug.cgi?id=164258

        Reviewed by Yusuke Suzuki.

        This patch adds two new bytecodes and DFG nodes for the following code patterns:

        ```
        foo(a, b, ...c)
        let x = [a, b, ...c];
        ```

        To do this, I've introduced two new bytecode operations (and their
        corresponding DFG nodes):

        op_spread and op_new_array_with_spread.

        op_spread takes a single input and performs the ES6 iteration protocol on it.
        It returns the result of doing the spread inside a new class I've
        made called JSFixedArray. JSFixedArray is a cell with a single 'size'
        field and a buffer of values allocated inline in the cell. Abstracting
        the protocol into a single node is good because it will make IR analysis
        in the future much simpler. For now, it's also good because it allows
        us to create fast paths for array iteration (which is quite common).
        This fast path allows us to emit really good code for array iteration
        inside the DFG/FTL.

        op_new_array_with_spread is a variable argument bytecode that also
        has a bit vector associated with it. The bit vector indicates if
        any particular argument is to be spread or not. Arguments that
        are spread are known to be JSFixedArray because we must emit an
        op_spread before op_new_array_with_spread consumes the value.
        For example, for this array:
        [a, b, ...c, d, ...e]
        we will have this bit vector:
        [0, 0, 1, 0, 1]

        The reason I've chosen this IR is that it will make eliminating
        a rest allocation for this type of code much easier:

        ```
        function foo(...args) {
            return bar(a, b, ...args);
        }
        ```

        It will be easier to analyze the IR now that the operations
        will be described at a high level.

        This patch is an ~8% speedup on ES6SampleBench on my MBP.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/IteratorHelpers.js: Added.
        (performIteration):
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/ObjectPropertyConditionSet.cpp:
        (JSC::generateConditionForSelfEquivalence):
        * bytecode/ObjectPropertyConditionSet.h:
        * bytecode/TrackedReferences.cpp:
        (JSC::TrackedReferences::check):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::bitVectors):
        (JSC::UnlinkedCodeBlock::bitVector):
        (JSC::UnlinkedCodeBlock::addBitVector):
        (JSC::UnlinkedCodeBlock::shrinkToFit):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitNewArrayWithSpread):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::emitBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::watchHavingABadTime):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::isWatchingArrayIteratorProtocolWatchpoint):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::bitVector):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSpread):
        (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureRegistrationPhase.cpp:
        (JSC::DFG::StructureRegistrationPhase::run):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
        (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
        (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_array_with_spread):
        (JSC::JIT::emit_op_spread):
        * jit/JITOperations.h:
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntSlowPaths.cpp:
        * llint/LowLevelInterpreter.asm:
        * runtime/ArrayIteratorAdaptiveWatchpoint.cpp: Added.
        (JSC::ArrayIteratorAdaptiveWatchpoint::ArrayIteratorAdaptiveWatchpoint):
        (JSC::ArrayIteratorAdaptiveWatchpoint::handleFire):
        * runtime/ArrayIteratorAdaptiveWatchpoint.h: Added.
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * runtime/IteratorOperations.h:
        (JSC::forEachInIterable):
        * runtime/JSCInlines.h:
        * runtime/JSFixedArray.cpp: Added.
        (JSC::JSFixedArray::visitChildren):
        * runtime/JSFixedArray.h: Added.
        (JSC::JSFixedArray::createStructure):
        (JSC::JSFixedArray::createFromArray):
        (JSC::JSFixedArray::get):
        (JSC::JSFixedArray::buffer):
        (JSC::JSFixedArray::size):
        (JSC::JSFixedArray::offsetOfSize):
        (JSC::JSFixedArray::offsetOfData):
        (JSC::JSFixedArray::create):
        (JSC::JSFixedArray::JSFixedArray):
        (JSC::JSFixedArray::allocationSize):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        (JSC::JSGlobalObject::objectPrototypeIsSane): Deleted.
        (JSC::JSGlobalObject::arrayPrototypeChainIsSane): Deleted.
        (JSC::JSGlobalObject::stringPrototypeChainIsSane): Deleted.
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::arrayIteratorProtocolWatchpoint):
        (JSC::JSGlobalObject::iteratorProtocolFunction):
        * runtime/JSGlobalObjectInlines.h: Added.
        (JSC::JSGlobalObject::objectPrototypeIsSane):
        (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
        (JSC::JSGlobalObject::stringPrototypeChainIsSane):
        (JSC::JSGlobalObject::isArrayIteratorProtocolFastAndNonObservable):
        * runtime/JSType.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2016-11-11  Keith Miller  <keith_miller@apple.com>

        Move Wasm tests to JS
        https://bugs.webkit.org/show_bug.cgi?id=164611

        Reviewed by Geoffrey Garen.

        This patch translates most of the tests from testWasm.cpp to the JS testing api. Most of the
        ommited tests were earliest tests, which tested trivial things, like adding two
        constants. Some tests are ommited for other reasons, however. These are:

        1) Tests using I64 since the testing api does not yet know how to handle 64-bit numbers.  2)
        Tests that would validate the memory of the module once wasm was done with it since that's
        not really possible in JS.

        In order to make such a translation easier this patch also adds some features to the JS
        testing api:

        1) Blocks can now be done lexically by adding a lambda as the last argument of the block
        opcode. For example one can do:
            ...
            .Block("i32", b => b.I32Const(1) )

        and the nested lambda will automatically have an end attached.

        2) The JS testing api can now handle inline signature types.

        3) Relocate some code to make it easier to follow and prevent 44 space indentation.

        4) Rename varuint/varint to varuint32/varint32, this lets them be directly called from the
        wasm.json without being remapped.

        5) Add support for Memory and Function sections to the Builder.

        6) Add support for local variables.

        On the JSC side, we needed to expose a new function to validate the compiled wasm code
        behaves the way we expect. At least until the JS Wasm API is finished. The new validation
        function, testWasmModuleFunctions, takes an array buffer containing the wasm binary, the
        number of functions in the blob and tests for each of those functions.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (box):
        (callWasmFunction):
        (functionTestWasmModuleFunctions):
        * testWasm.cpp:
        (checkPlan):
        (runWasmTests):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::parseAndCompile):
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parse):
        (JSC::Wasm::FunctionParser<Context>::parseBody):
        (JSC::Wasm::FunctionParser<Context>::parseBlock): Deleted.
        * wasm/WasmModuleParser.cpp:
        (JSC::Wasm::ModuleParser::parseMemory):
        (JSC::Wasm::ModuleParser::parseExport):
        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::Plan):
        (JSC::Wasm::Plan::run):
        * wasm/WasmPlan.h:
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        (JSC::constructJSWebAssemblyModule):

2016-11-11  Saam Barati  <sbarati@apple.com>

        Unreviewed try to fix windows build after https://bugs.webkit.org/show_bug.cgi?id=164650

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2016-11-11  Saam Barati  <sbarati@apple.com>

        We recursively grab a lock in the DFGBytecodeParser causing us to deadlock
        https://bugs.webkit.org/show_bug.cgi?id=164650

        Reviewed by Geoffrey Garen.

        Some code was incorrectly holding a lock when recursively calling
        back into the bytecode parser's via inlining a put_by_val as a put_by_id.
        This can cause a deadlock if the inlinee CodeBlock is something we're
        already holding a lock for. I've changed the range of the lock holder
        to be as narrow as possible.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2016-11-11  Chris Dumez  <cdumez@apple.com>

        Unreviewed, rolling out r208584.

        Seems to have regressed Speedometer by 1% on Mac

        Reverted changeset:

        "We should have a more concise way of determining when we're
        varargs calling a function using rest parameters"
        https://bugs.webkit.org/show_bug.cgi?id=164258
        http://trac.webkit.org/changeset/208584

2016-11-11  Chris Dumez  <cdumez@apple.com>

        Unreviewed, rolling out r208117 and r208160.

        Regressed Speedometer by >1.5%

        Reverted changesets:

        "We should have a way of profiling when a get_by_id is pure
        and to emit a PureGetById in the DFG/FTL"
        https://bugs.webkit.org/show_bug.cgi?id=163305
        http://trac.webkit.org/changeset/208117

        "Debug JSC test microbenchmarks/pure-get-by-id-cse-2.js timing
        out"
        https://bugs.webkit.org/show_bug.cgi?id=164227
        http://trac.webkit.org/changeset/208160

2016-11-11  Saam Barati  <sbarati@apple.com>

        We should have a more concise way of determining when we're varargs calling a function using rest parameters
        https://bugs.webkit.org/show_bug.cgi?id=164258

        Reviewed by Yusuke Suzuki.

        This patch adds two new bytecodes and DFG nodes for the following code patterns:

        ```
        foo(a, b, ...c)
        let x = [a, b, ...c];
        ```

        To do this, I've introduced two new bytecode operations (and their
        corresponding DFG nodes):

        op_spread and op_new_array_with_spread.

        op_spread takes a single input and performs the ES6 iteration protocol on it.
        It returns the result of doing the spread inside a new class I've
        made called JSFixedArray. JSFixedArray is a cell with a single 'size'
        field and a buffer of values allocated inline in the cell. Abstracting
        the protocol into a single node is good because it will make IR analysis
        in the future much simpler. For now, it's also good because it allows
        us to create fast paths for array iteration (which is quite common).
        This fast path allows us to emit really good code for array iteration
        inside the DFG/FTL.

        op_new_array_with_spread is a variable argument bytecode that also
        has a bit vector associated with it. The bit vector indicates if
        any particular argument is to be spread or not. Arguments that
        are spread are known to be JSFixedArray because we must emit an
        op_spread before op_new_array_with_spread consumes the value.
        For example, for this array:
        [a, b, ...c, d, ...e]
        we will have this bit vector:
        [0, 0, 1, 0, 1]

        The reason I've chosen this IR is that it will make eliminating
        a rest allocation for this type of code much easier:

        ```
        function foo(...args) {
            return bar(a, b, ...args);
        }
        ```

        It will be easier to analyze the IR now that the operations
        will be described at a high level.

        This patch is an ~8% speedup on ES6SampleBench on my MBP.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/IteratorHelpers.js: Added.
        (performIteration):
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/ObjectPropertyConditionSet.cpp:
        (JSC::generateConditionForSelfEquivalence):
        * bytecode/ObjectPropertyConditionSet.h:
        * bytecode/TrackedReferences.cpp:
        (JSC::TrackedReferences::check):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::bitVectors):
        (JSC::UnlinkedCodeBlock::bitVector):
        (JSC::UnlinkedCodeBlock::addBitVector):
        (JSC::UnlinkedCodeBlock::shrinkToFit):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitNewArrayWithSpread):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::emitBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::watchHavingABadTime):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::isWatchingArrayIteratorProtocolWatchpoint):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::bitVector):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSpread):
        (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureRegistrationPhase.cpp:
        (JSC::DFG::StructureRegistrationPhase::run):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
        (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
        (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_array_with_spread):
        (JSC::JIT::emit_op_spread):
        * jit/JITOperations.h:
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntSlowPaths.cpp:
        * llint/LowLevelInterpreter.asm:
        * runtime/ArrayIteratorAdaptiveWatchpoint.cpp: Added.
        (JSC::ArrayIteratorAdaptiveWatchpoint::ArrayIteratorAdaptiveWatchpoint):
        (JSC::ArrayIteratorAdaptiveWatchpoint::handleFire):
        * runtime/ArrayIteratorAdaptiveWatchpoint.h: Added.
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * runtime/IteratorOperations.h:
        (JSC::forEachInIterable):
        * runtime/JSCInlines.h:
        * runtime/JSFixedArray.cpp: Added.
        (JSC::JSFixedArray::visitChildren):
        * runtime/JSFixedArray.h: Added.
        (JSC::JSFixedArray::createStructure):
        (JSC::JSFixedArray::createFromArray):
        (JSC::JSFixedArray::get):
        (JSC::JSFixedArray::buffer):
        (JSC::JSFixedArray::size):
        (JSC::JSFixedArray::offsetOfSize):
        (JSC::JSFixedArray::offsetOfData):
        (JSC::JSFixedArray::create):
        (JSC::JSFixedArray::JSFixedArray):
        (JSC::JSFixedArray::allocationSize):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        (JSC::JSGlobalObject::objectPrototypeIsSane): Deleted.
        (JSC::JSGlobalObject::arrayPrototypeChainIsSane): Deleted.
        (JSC::JSGlobalObject::stringPrototypeChainIsSane): Deleted.
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::arrayIteratorProtocolWatchpoint):
        (JSC::JSGlobalObject::iteratorProtocolFunction):
        * runtime/JSGlobalObjectInlines.h: Added.
        (JSC::JSGlobalObject::objectPrototypeIsSane):
        (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
        (JSC::JSGlobalObject::stringPrototypeChainIsSane):
        (JSC::JSGlobalObject::isArrayIteratorProtocolFastAndNonObservable):
        * runtime/JSType.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2016-11-10  JF Bastien  <jfbastien@apple.com>

        ASSERTION FAILED: length > offset encountered with wasm.yaml/wasm/js-api/test_Module.js.default-wasm
        https://bugs.webkit.org/show_bug.cgi?id=164597

        Reviewed by Keith Miller.

        * wasm/WasmParser.h:
        (JSC::Wasm::Parser::parseVarUInt32): move closer to other parsers
        (JSC::Wasm::Parser::parseVarUInt64): move closer to other parsers

2016-11-10  Joseph Pecoraro  <pecoraro@apple.com>

        test262: DataView / TypedArray methods should throw RangeErrors for negative numbers (ToIndex)
        https://bugs.webkit.org/show_bug.cgi?id=164450

        Reviewed by Darin Adler.

        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::toIndex):
        Introduce a method for toIndex, which is used by DataView and TypedArrays
        to convert an argument to a number with the possibility of throwing
        RangeErrors for negative values. We also throw RangeErrors for large
        values, because wherever this is used we expect an unsigned.

        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::constructArrayBuffer):
        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayViewWithArguments):
        (JSC::constructGenericTypedArrayView):
        Use toIndex instead of toUint32 where required.

2016-11-10  Mark Lam  <mark.lam@apple.com>

        A few bits of minor code clean up.
        https://bugs.webkit.org/show_bug.cgi?id=164523

        Reviewed by Yusuke Suzuki.

        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::dump):
        - Insert a space to make the dump more legible.

        * runtime/Options.h:
        - Fixed some typos.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncReplaceUsingRegExp):
        (JSC::stringProtoFuncReplaceUsingStringSearch):
        - Use the VM& that is already available.

2016-11-10  Mark Lam  <mark.lam@apple.com>

        Graph::methodOfGettingAValueProfileFor() should be returning the profile for the operand node.
        https://bugs.webkit.org/show_bug.cgi?id=164600
        <rdar://problem/28828676>

        Reviewed by Filip Pizlo.

        Currently, Graph::methodOfGettingAValueProfileFor() assumes that the operand DFG
        node that it is provided with always has a different origin than the node that is
        using that operand.  For example, in a DFG graph that looks like this:

            a: ...
            b: ArithAdd(@a, ...)

        ... when emitting speculation checks on @a for the ArithAdd node at @b,
        Graph::methodOfGettingAValueProfileFor() is passed @a, and expects @a's to
        originate from a different bytecode than @b.  The intent here is to get the
        profile for @a so that the OSR exit ramp for @b can update @a's profile with the
        observed result type from @a so that future type prediction on incoming args for
        the ArithAdd node can take this into consideration.

        However, op_negate can be compiled into the following series of nodes:

            a: ...
            b: BooleanToNumber(@a)
            c: DoubleRep(@b)
            d: ArithNegate(@c)

        All 3 nodes @b, @c, and @d maps to the same op_negate bytecode i.e. they have the
        same origin.  When the speculativeJIT emits a speculationCheck for DoubleRep, it
        calls Graph::methodOfGettingAValueProfileFor() to get the ArithProfile for the
        BooleanToNumber node.  But because all 3 nodes have the same origin,
        Graph::methodOfGettingAValueProfileFor() erroneously returns the ArithProfile for
        the op_negate.  Subsequently, the OSR exit ramp will modify the ArithProfile of
        the op_negate and corrupt its profile.  Instead, what the OSR exit ramp should be
        doing is update the ArithProfile of op_negate's operand i.e. BooleanToNumber's
        operand @a in this case.

        The fix is to always pass the current node we're generating code for (in addition
        to the operand node) to Graph::methodOfGettingAValueProfileFor().  This way, we
        know the profile is valid if and only if the current node and its operand node
        does not have the same origin.

        In this patch, we also fixed the following:
        1. Teach Graph::methodOfGettingAValueProfileFor() to get the profile for
           BooleanToNumber's operand if the operand node it is given is BooleanToNumber.
        2. Change JITCompiler::appendExceptionHandlingOSRExit() to explicitly pass an
           empty MethodOfGettingAValueProfile().  It was implicitly doing this before.
        3. Change SpeculativeJIT::emitInvalidationPoint() to pass an empty
           MethodOfGettingAValueProfile().  It has no child node.  Hence, it doesn't
           make sense to call Graph::methodOfGettingAValueProfileFor() for a child node
           that does not exist.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::appendExceptionHandlingOSRExit):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::emitInvalidationPoint):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::appendOSRExitDescriptor):

2016-11-10  Aaron Chu  <aaron_chu@apple.com>

        Web Inspector: AXI: clarify button roles (e.g. toggle or popup button)
        https://bugs.webkit.org/show_bug.cgi?id=130726
        <rdar://problem/16420420>

        Reviewed by Brian Burg.

        Add the isPopupButton flag to the AccessibilityProperties type.

        * inspector/protocol/DOM.json:

2016-11-10  Csaba Osztrogonác  <ossy@webkit.org>

        [ARM] Unreviewed buildfix after r208450.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::load8SignedExtendTo32): Added.

2016-11-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Avoid cloned arguments allocation in ArrayPrototype methods
        https://bugs.webkit.org/show_bug.cgi?id=164502

        Reviewed by Saam Barati.

        In many builtin functions, we use `arguments` to just get optional parameters.
        While FTL argument elimination can drop `arguments` allocations, it leaves
        the allocations in LLInt, Baseline, and DFG. And we found that DFG compiled
        Array#map is heavily used in ES6SampleBench/Basic. And it always creates
        a meaningless ClonedArguments.

        Using ES6 default parameter here is not a solution. It increases the number
        of parameters of the CodeBlock (not `function.length`). And the optional
        parameters in Array.prototype.xxx methods are not typically passed. For
        example, we typically do not pass `thisArg` to `Array.prototype.map` function.
        In this case, the arity check frequently fails. It requires the additional C
        call to fixup arguments and it becomes pure overhead.

        To solve this problem, this patch introduces a new bytecode intrinsic @argument().
        This offers the way to retrieve the argument value without increasing the
        arity of the function. And if the argument is not passed (out of bounds), it
        just returns `undefined`. The semantics of this intrinsic is the same to the C++
        ExecState::argument(). This operation does not require `arguments` object. And we
        can drop the `argument` references even in lower 3 tiers.

        We implement op_get_argument for this intrinsic. And later this will be converted
        to DFG GetArgument node. All the tiers handles this feature.

        This patch improves ES6SampleBench/Basic 13.8% in steady state. And in summary,
        it improves 4.5%.

        In the future, we can improve the implementation of the default parameters.
        Currently, the default parameter always increases the arity of the function. So
        if you do not pass the argument, the arity check fails. But since it is the default
        parameter, it is likely that we don't pass the argument. Using op_get_argument to
        implement the default parameter can decrease the case in which the arity check
        frequently fails. And it can change the builtin implementation to use the ES6
        default parameters instead of using the special @argument() intrinsic in the future.
        And at that case, the user code also receives the benefit.

        ES6SampleBench/Basic.
            Baseline:
                Running... Basic ( 1  to go)
                firstIteration:     39.38 ms +- 4.48 ms
                averageWorstCase:   20.79 ms +- 0.96 ms
                steadyState:        1959.22 ms +- 65.55 ms

            Patched:
                Running... Basic ( 1  to go)
                firstIteration:     37.85 ms +- 4.09 ms
                averageWorstCase:   18.60 ms +- 0.76 ms
                steadyState:        1721.89 ms +- 57.58 ms

        All summary.
            Baseline:
                summary:            164.34 ms +- 5.01 ms
            Patched:
                summary:            157.26 ms +- 5.96 ms

        * builtins/ArrayConstructor.js:
        * builtins/ArrayPrototype.js:
        (reduce):
        (reduceRight):
        (every):
        (forEach):
        (filter):
        (map):
        (some):
        (fill):
        (find):
        (findIndex):
        (includes):
        (copyWithin):
        * builtins/DatePrototype.js:
        (toLocaleString):
        (toLocaleDateString):
        (toLocaleTimeString):
        * builtins/MapPrototype.js:
        (forEach):
        * builtins/NumberPrototype.js:
        (toLocaleString):
        * builtins/SetPrototype.js:
        (forEach):
        * builtins/StringPrototype.js:
        (padStart):
        (padEnd):
        (localeCompare):
        * builtins/TypedArrayConstructor.js:
        * builtins/TypedArrayPrototype.js:
        (every):
        (fill):
        (find):
        (findIndex):
        (forEach):
        (some):
        (reduce):
        (reduceRight):
        (map):
        (filter):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::finishCreation):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetArgument):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_argument):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        (JSC::DFG::Node::hasArgumentIndex):
        (JSC::DFG::Node::argumentIndex):
        * dfg/DFGNodeType.h:
        * dfg/DFGPreciseLocalClobberize.h:
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetArgument):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetArgument):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_get_argument):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_get_argument):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2016-11-08  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: DebuggerManager.Event.Resumed introduces test flakiness
        https://bugs.webkit.org/show_bug.cgi?id=161951
        <rdar://problem/28295767>

        Reviewed by Brian Burg.

        This removes an ambiguity in the protocol when stepping through
        JavaScript. Previously, when paused and issuing a Debugger.step*
        command the frontend would always receive a Debugger.resumed event and
        then, maybe, a Debugger.paused event indicating we paused again (after
        stepping). However, this ambiguity means that the frontend needs to
        wait for a short period of time to determine if we really resumed
        or not. And even still that decision may be incorrect if the step
        takes a sufficiently long period of time.

        The new approach removes this ambiguity. Now, in response to a
        Debugger.step* command the backend MUST send a single Debugger.paused
        event or Debugger.resumed event. Now the frontend knows that the
        next Debugger event it receives after issuing the step command is
        the result (stepped and paused, or stepped and resumed).

        To make resuming consistent in all cases, a Debugger.resume command
        will always respond with a Debugger.resumed event.

        Finally, Debugger.continueToLocation is treated like a "big step"
        in cases where we can resolve the location. If we can't resolve the
        location it is treated as a resume, maintaining the old behavior.

        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::stepOver):
        (Inspector::InspectorDebuggerAgent::stepInto):
        (Inspector::InspectorDebuggerAgent::stepOut):
        (Inspector::InspectorDebuggerAgent::willStepAndMayBecomeIdle):
        (Inspector::InspectorDebuggerAgent::didBecomeIdleAfterStepping):
        When stepping register a VM exit observer so that we can issue
        a Debugger.resumed event if the step caused us to exit the VM.

        (Inspector::InspectorDebuggerAgent::resume):
        Set a flag to issue a Debugger.resumed event once we break out
        of the nested run loop.

        (Inspector::InspectorDebuggerAgent::didPause):
        We are issuing Debugger.paused so clear the state to indicate that
        we no longer need to issue Debugger.resumed event, we have paused.

        (Inspector::InspectorDebuggerAgent::didContinue):
        Only issue the Debugger.resumed event if needed (explicitly asked
        to resume).

        (Inspector::InspectorDebuggerAgent::continueToLocation):
        (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
        All places that do continueProgram should be audited. In error cases,
        if we are paused and continue we should remember to send Debugger.resumed.

        * inspector/protocol/Debugger.json:
        Clarify in the protocol description the contract of these methods.

2016-11-09  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Associate Worker Resources with the Worker and not the Page
        https://bugs.webkit.org/show_bug.cgi?id=164342
        <rdar://problem/29075775>

        Reviewed by Timothy Hatcher.

        * inspector/protocol/Network.json:
        * inspector/protocol/Page.json:
        Associate Resource data with a target.

2016-11-09  Keith Miller  <keith_miller@apple.com>

        jsc CLI should work with the remote inspector
        https://bugs.webkit.org/show_bug.cgi?id=164569

        Reviewed by Joseph Pecoraro.

        This patch enables using the remote inspector on the jsc CLI.
        In order to use the remote inspector, jsc users need to pass an option.

        * jsc.cpp:
        (CommandLine::parseArguments):
        (runJSC):

2016-11-09  Saam Barati  <sbarati@apple.com>

        Math.min()/Math.max() with no arguments is lowered incorrectly in the BytecodeParser
        https://bugs.webkit.org/show_bug.cgi?id=164464
        <rdar://problem/29131452>

        Reviewed by Darin Adler.

        We were incorrectly matching this pattern inside the bytecode parser
        to return NaN. Instead, we must return:
          Infinity for Math.min()
         -Infinity for Math.max()

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleMinMax):

2016-11-09  Saam Barati  <sbarati@apple.com>

        TypeProfiler and running GC collection on another thread don't play nicely with each other
        https://bugs.webkit.org/show_bug.cgi?id=164441
        <rdar://problem/29132174>

        Reviewed by Geoffrey Garen.

        This fix here is simple: we now treat the type profiler log as a GC root.
        GC will make sure that we mark any values/structures that are in the log.
        It's easy to reason about the correctness of this, and it also solves
        the problem that we were clearing the log on the GC thread. Clearing the
        log on the GC thread was a problem because when we clear the log, we may
        allocate, which we're not allowed to do from the GC thread.

        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::visitTypeProfiler):
        (JSC::Heap::collectInThread):
        * heap/Heap.h:
        * runtime/TypeProfilerLog.cpp:
        (JSC::TypeProfilerLog::processLogEntries):
        (JSC::TypeProfilerLog::visit):
        * runtime/TypeProfilerLog.h:

2016-11-09  JF Bastien  <jfbastien@apple.com>

        WebAssembly: Silence noisy warning
        https://bugs.webkit.org/show_bug.cgi?id=164459

        Reviewed by Yusuke Suzuki.

        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::Plan):

2016-11-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] The implementation of 8 bit operation in MacroAssembler should care about uint8_t / int8_t
        https://bugs.webkit.org/show_bug.cgi?id=164432

        Reviewed by Michael Saboff.

        Except for X86, our supported MacroAssemblers do not have native 8bit instructions.
        It means that all the 8bit instructions are converted to 32bit operations by using
        scratch registers. For example, ARM64 branch8 implementation is the following.

            Jump branch8(RelationCondition cord, Address left, TrustedImm32 right)
            {
                TrustedImm32 right8(static_cast<int8_t>(right.m_value));
                load8(left, getCachedMemoryTempRegisterIDAndInvalidate());
                return branch32(cone, memoryTempRegister, right8);
            }

        The problem is that we exclusively use zero-extended load instruction (load8). Even
        for signed RelationConditions, we do not perform sign extension. It makes signed
        operations with negative numbers incorrect! Consider the |left| address holds `-1`
        in int8_t form. However load8 will load it as 255 into 32bit register. On the other hand,
        |right| will be sign extended. If you pass 0 as |right| and LessThan condition, this
        branch8 should jump based on the answer of `-1 < 0`. But the current MacroAssembler
        performs `255 < 0` in int32_t context and returns the incorrect result.

        We should follow the x86 model. So we should select the appropriate load operation and masking
        operation based on the RelationCondition. This patch introduces mask8OnCondition and load8OnCondition.
        And we use them in 8bit operations including branch8, branchTest8, compare8, and test8.

        We intentionally do not change anything on x86 assembler since it has the native signed 8bit operations.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::isSigned):
        (JSC::MacroAssembler::isUnsigned):
        (JSC::MacroAssembler::branchTest8):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::branch8):
        (JSC::MacroAssemblerARM::branchTest8):
        (JSC::MacroAssemblerARM::compare8):
        (JSC::MacroAssemblerARM::test8):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::load8SignedExtendTo32):
        (JSC::MacroAssemblerARM64::branch8):
        (JSC::MacroAssemblerARM64::branchTest8):
        (JSC::MacroAssemblerARM64::compare8):
        (JSC::MacroAssemblerARM64::test8):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::branch8):
        (JSC::MacroAssemblerARMv7::branchTest8):
        (JSC::MacroAssemblerARMv7::compare8):
        (JSC::MacroAssemblerARMv7::test8):
        * assembler/MacroAssemblerHelpers.h: Added.
        (JSC::MacroAssemblerHelpers::isSigned):
        (JSC::MacroAssemblerHelpers::isUnsigned):
        (JSC::MacroAssemblerHelpers::mask8OnCondition):
        (JSC::MacroAssemblerHelpers::load8OnCondition):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::branch8):
        (JSC::MacroAssemblerMIPS::compare8):
        (JSC::MacroAssemblerMIPS::branchTest8):
        (JSC::MacroAssemblerMIPS::test8):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::branchTest8):
        (JSC::MacroAssemblerSH4::branch8):
        (JSC::MacroAssemblerSH4::compare8):
        (JSC::MacroAssemblerSH4::test8):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::branch8):

2016-11-08  Geoffrey Garen  <ggaren@apple.com>

        REGRESSION: date-format-tofte.js is super slow
        https://bugs.webkit.org/show_bug.cgi?id=164499

        Reviewed by Sam Weinig.

        * bytecode/EvalCodeCache.h:
        (JSC::EvalCodeCache::CacheKey::operator==): Use character comparison,
        not pointer comparison. (This function was always wrong, but I started
        calling it in more places.)

2016-11-08  Saam Barati  <sbarati@apple.com>

        REGRESSION: Crashes in StringImpl destructor during GC when clearing the HasOwnPropertyCache
        https://bugs.webkit.org/show_bug.cgi?id=164433

        Reviewed by Mark Lam.

        Clearing the HasOwnPropertyCache will call deref() on the StringImpls
        in the cache. We were doing this from the collector thread, which is
        not allowed. It must be done from the mutator thread. We now clear the
        cache in Heap::finalize() which happens before the mutator begins
        executing JS after a collection happens.

        * heap/Heap.cpp:
        (JSC::Heap::collectInThread):
        (JSC::Heap::finalize):

2016-11-05  Konstantin Tokarev  <annulen@yandex.ru>

        Fixed compilation of LLInt with MinGW
        https://bugs.webkit.org/show_bug.cgi?id=164449

        Reviewed by Michael Catanzaro.

        MinGW uses LLIntAssembly.h with GNU assembler syntax, just like GCC on
        other platforms.

        * llint/LowLevelInterpreter.cpp: Include LLIntAssembly.h with
        appropriate preamble.

2016-11-04  Filip Pizlo  <fpizlo@apple.com>

        WTF::ParkingLot should stop using std::chrono because std::chrono::duration casts are prone to overflows
        https://bugs.webkit.org/show_bug.cgi?id=152045

        Reviewed by Andy Estes.
        
        Probably the nicest example of why this patch is a good idea is the change in
        AtomicsObject.cpp.

        * jit/ICStats.cpp:
        (JSC::ICStats::ICStats):
        * runtime/AtomicsObject.cpp:
        (JSC::atomicsFuncWait):

2016-11-04  JF Bastien  <jfbastien@apple.com>

        testWASM should be very sad if no options are provided
        https://bugs.webkit.org/show_bug.cgi?id=164444

        Reviewed by Saam Barati.

        Detect missing or invalid options on the command line.

        * testWasm.cpp:
        (CommandLine::parseArguments):

2016-11-04  Mark Lam  <mark.lam@apple.com>

        Error description code should be able to handle Symbol values.
        https://bugs.webkit.org/show_bug.cgi?id=164436
        <rdar://problem/29115583>

        Reviewed by Filip Pizlo and Saam Barati.

        Previously, we try to toString() the Symbol value, resulting in it throwing an
        exception in errorDescriptionForValue() which breaks the invariant that
        errorDescriptionForValue() should not throw.

        We fixed this by making errorDescriptionForValue() aware of the Symbol type, and
        not so a toString() on Symbol values.  Also fixed notAFunctionSourceAppender()
        to build a nicer message for Symbol values.

        * runtime/ExceptionHelpers.cpp:
        (JSC::errorDescriptionForValue):
        (JSC::notAFunctionSourceAppender):

2016-11-02  Geoffrey Garen  <ggaren@apple.com>

        EvalCodeCache should not give up in strict mode and other cases
        https://bugs.webkit.org/show_bug.cgi?id=164357

        Reviewed by Michael Saboff.

        EvalCodeCache gives up in non-trivial cases because generated eval code
        can't soundly migrate from, for example, a let scope to a non-let scope.
        The number of cases has grown over time.

        Instead, let's cache eval code based on the location of the call to
        eval(). That way, we never relocate the code, and it's sound to make
        normal assumptions about our surrounding scope.

        * bytecode/EvalCodeCache.h:
        (JSC::EvalCodeCache::CacheKey::CacheKey): Use CallSiteIndex to uniquely
        identify the location of our call to eval().

        (JSC::EvalCodeCache::CacheKey::hash):
        (JSC::EvalCodeCache::CacheKey::operator==):
        (JSC::EvalCodeCache::CacheKey::Hash::equal): Use CallSiteIndex instead
        of lots of other flags.

        (JSC::EvalCodeCache::tryGet): No need to include details that are implied
        by our CallSiteIndex.

        (JSC::EvalCodeCache::getSlow): No need to skip caching in complex
        situations. We promise we'll never relocate the cached code.

        (JSC::EvalCodeCache::isCacheableScope): Deleted.
        (JSC::EvalCodeCache::isCacheable): Deleted.

        * interpreter/Interpreter.cpp:
        (JSC::eval): Pass through a CallSiteIndex to uniquely identify this call
        to eval().

2016-11-04  Keith Miller  <keith_miller@apple.com>

        Add support for Wasm br_table
        https://bugs.webkit.org/show_bug.cgi?id=164429

        Reviewed by Michael Saboff.

        This patch adds support for Wasm br_table. The Wasm br_table
        opcode essentially directly maps to B3's switch opcode.

        There are also three other minor changes:
        1) all non-argument locals should be initialized to zero at function entry.
        2) add new setErrorMessage member to WasmFunctionParser.h
        3) return does not decode an extra immediate anymore.

        * testWasm.cpp:
        (runWasmTests):
        * wasm/WasmB3IRGenerator.cpp:
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser::setErrorMessage):
        (JSC::Wasm::FunctionParser<Context>::parseExpression):
        (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
        (JSC::Wasm::FunctionParser<Context>::popExpressionStack):
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::Validate::checkBranchTarget):
        (JSC::Wasm::Validate::addBranch):
        (JSC::Wasm::Validate::addSwitch):

2016-11-04  JF Bastien  <jfbastien@apple.com>

        WebAssembly JS API: implement more sections
        https://bugs.webkit.org/show_bug.cgi?id=164023

        Reviewed by Keith Miller.

        On the JSC side:

         - Put in parser stubs for all WebAssembly sections.
         - Parse Import, Export sections.
         - Use tryReserveCapacity instead of reserve, and bail out of the parser if it fails. This prevents the parser from bringing everything down when faced with a malicious input.
         - Encapsulate all parsed module information into its own structure, making it easier to pass around (from parser to Plan to Module to Instance).
         - Create WasmFormat.cpp to hold parsed module information's dtor to avoid including WasmMemory.h needlessly.
         - Remove all remainders of polyfill-prototype-1, and update license.
         - Add missing WasmOps.h and WasmValidateInlines.h auto-generation for cmake build.

        On the Builder.js testing side:

         - Implement Type, Import (function only), Export (function only) sections.
         - Check section order and uniqueness.
         - Optionally auto-generate the Type section from subsequent Export / Import / Code entries.
         - Allow re-exporting an import.

        * CMakeLists.txt: missing auto-genration
        * JavaScriptCore.xcodeproj/project.pbxproj: merge conflict
        * testWasm.cpp: update for API changes, no functional change
        (checkPlan):
        (runWasmTests):
        * wasm/WasmFormat.cpp: add a dtor which requires extra headers which I'd rather not include in WasmFormat.h
        (JSC::Wasm::ModuleInformation::~ModuleInformation):
        * wasm/WasmFormat.h: Add External, Import, Functioninformation, Export, ModuleInformation, CompiledFunction, and remove obsolete stuff which was a holdover from the first implementation (all that code is now gone, so remove its license)
        (JSC::Wasm::External::isValid):
        * wasm/WasmModuleParser.cpp: simplify some, make names consistent with the WebAssembly section names, check memory allocations so they can fail early
        (JSC::Wasm::ModuleParser::parse):
        (JSC::Wasm::ModuleParser::parseType):
        (JSC::Wasm::ModuleParser::parseImport):
        (JSC::Wasm::ModuleParser::parseFunction):
        (JSC::Wasm::ModuleParser::parseTable):
        (JSC::Wasm::ModuleParser::parseMemory):
        (JSC::Wasm::ModuleParser::parseGlobal):
        (JSC::Wasm::ModuleParser::parseExport):
        (JSC::Wasm::ModuleParser::parseStart):
        (JSC::Wasm::ModuleParser::parseElement):
        (JSC::Wasm::ModuleParser::parseCode): avoid overflow through function size.
        (JSC::Wasm::ModuleParser::parseData):
        * wasm/WasmModuleParser.h:
        (JSC::Wasm::ModuleParser::moduleInformation):
        * wasm/WasmParser.h:
        (JSC::Wasm::Parser::consumeUTF8String): add as required by spec
        (JSC::Wasm::Parser::parseExternalKind): add as per spec
        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::Plan): fix some ownership, improve some error messages
        * wasm/WasmPlan.h: fix some ownership
        (JSC::Wasm::Plan::getModuleInformation):
        (JSC::Wasm::Plan::getMemory):
        (JSC::Wasm::Plan::compiledFunctionCount):
        (JSC::Wasm::Plan::compiledFunction):
        (JSC::Wasm::Plan::getCompiledFunctions):
        * wasm/WasmSections.h: macroize with description, so that error messages are super pretty. This could be auto-generated.
        * wasm/js/JSWebAssemblyModule.cpp:
        (JSC::JSWebAssemblyModule::create): take module information
        (JSC::JSWebAssemblyModule::JSWebAssemblyModule): ditto
        * wasm/js/JSWebAssemblyModule.h:
        (JSC::JSWebAssemblyModule::moduleInformation):
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::constructJSWebAssemblyInstance): check that modules with imports are instantiated with an import object, as per spec. This needs to be tested.
        * wasm/js/WebAssemblyMemoryConstructor.cpp:
        (JSC::constructJSWebAssemblyMemory):
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        (JSC::constructJSWebAssemblyModule):
        * wasm/js/WebAssemblyTableConstructor.cpp:
        (JSC::constructJSWebAssemblyTable):

2016-11-03  Mark Lam  <mark.lam@apple.com>

        ClonedArguments need to also support haveABadTime mode.
        https://bugs.webkit.org/show_bug.cgi?id=164200
        <rdar://problem/27211336>

        Reviewed by Geoffrey Garen.

        For those who are not familiar with the parlance, "have a bad time" in the VM
        means that Object.prototype has been modified in such a way that we can no longer
        trivially do indexed property accesses without consulting the Object.prototype.
        This defeats JIT indexed put optimizations, and hence, makes the VM "have a
        bad time".

        Once the VM enters haveABadTime mode, all existing objects are converted to use
        slow put storage.  Thereafter, JSArrays are always created with slow put storage.
        JSObjects are always created with a blank indexing type.  When a new indexed
        property is put into the new object, its indexing type will be converted to the
        slow put array indexing type just before we perform the put operation.  This is
        how we ensure that the objects will also use slow put storage.

        However, ClonedArguments is an object which was previously created unconditionally
        to use contiguous storage.  Subsequently, if we try to call Object.preventExtensions()
        on that ClonedArguments object, Object.preventExtensions() will:
        1. make the ClonedArguments enter dictionary indexing mode, which means it will
        2. first ensure that the ClonedArguments is using slow put array storage via
           JSObject::ensureArrayStorageSlow().

        However, JSObject::ensureArrayStorageSlow() expects that we never see an object
        with contiguous storage once we're in haveABadTime mode.  Our ClonedArguments
        object did not obey this invariant.

        The fix is to make the ClonedArguments factories create objects that use slow put
        array storage when in haveABadTime mode.  This means:

        1. JSGlobalObject::haveABadTime() now changes m_clonedArgumentsStructure to use
           its slow put version.

           Also the caching of the slow put version of m_regExpMatchesArrayStructure,
           because we only need to create it when we are having a bad time. 

        2. The ClonedArguments factories now allocates a butterfly with slow put array
           storage if we're in haveABadTime mode.

           Also added some assertions in ClonedArguments' factory methods to ensure that
           the created object has the slow put indexing type when it needsSlowPutIndexing().

        3. DFGFixupPhase now watches the havingABadTimeWatchpoint because ClonedArguments'
           structure will change when having a bad time.

        4. DFGArgumentEliminationPhase and DFGVarargsForwardingPhase need not be changed
           because it is still valid to eliminate the creation of the arguments object
           even having a bad time, as long as the arguments object does not escape.

        5. The DFGAbstractInterpreterInlines now checks for haveABadTime, and sets the
           predicted type to be SpecObject.

        Note: this issue does not apply to DirectArguments and ScopedArguments because
        they use a blank indexing type (just like JSObject).

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::dump):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::createEmpty):
        (JSC::ClonedArguments::createWithInlineFrame):
        (JSC::ClonedArguments::createWithMachineFrame):
        (JSC::ClonedArguments::createByCopyingFrom):
        (JSC::ClonedArguments::createStructure):
        (JSC::ClonedArguments::createSlowPutStructure):
        * runtime/ClonedArguments.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::haveABadTime):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:

2016-11-03  Filip Pizlo  <fpizlo@apple.com>

        DFG plays fast and loose with the shadow values of a Phi
        https://bugs.webkit.org/show_bug.cgi?id=164309

        Reviewed by Saam Barati.
        
        Oh boy, what an embarrassing mistake! The style of SSA I like to use avoids block/value
        tuples as parameters of a Phi, thereby simplifying CFG transformations and making Phi largely
        not a special case for most compiler transforms. It does this by introducing another value
        called Upsilon, which stores a value into some Phi.
        
        B3 uses this also. The easiest way to understand what Upsilon/Phi behave like is to look at
        the B3->Air lowering. Air is not SSA - it has Tmps that you can assign to and use as many
        times as you like. B3 allocates one Tmp per Value, and an extra "phiTmp" for Phis, so that
        Phis get two Tmps total. Upsilon stores the value into the phiTmp of the Phi, while Phi moves
        the value from its phiTmp to its tmp.
        
        This is necessary to support scenarios like this:
        
            a: Phi()
            b: Upsilon(@x, ^a)
            c: Use(@a)
        
        Here, we want @c to see @a's value before @b. That's a very basic requirement of SSA: that
        the a value (like @a) doesn't change during its lifetime.
        
        Unfortunately, DFG's liveness analysis, abstract interpreter, and integer range optimization
        all failed to correctly model Upsilon/Phi this way. They would assume that it's accurate to
        model the Upsilon as storing into the Phi directly.
        
        Because DFG does flow analysis over SSA, making it correct means enabling it to speak of the
        shadow value. This change addresses this problem by introducing the concept of a
        NodeFlowProjection. This is a key that lets us speak of both a Node's primary value and its
        optional "shadow" value. Liveness, AI, and integer range are now keyed by NodeFlowProjection
        rather than Node*. Conceptually this turns out to be a very simple change, but it does touch
        a good amount of code.
        
        This looks to be perf-neutral.

        Rolled back in after fixing the debug build.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/air/AirLiveness.h:
        (JSC::B3::Air::TmpLivenessAdapter::numIndices):
        (JSC::B3::Air::StackSlotLivenessAdapter::numIndices):
        (JSC::B3::Air::RegLivenessAdapter::numIndices):
        (JSC::B3::Air::AbstractLiveness::AbstractLiveness):
        (JSC::B3::Air::TmpLivenessAdapter::maxIndex): Deleted.
        (JSC::B3::Air::StackSlotLivenessAdapter::maxIndex): Deleted.
        (JSC::B3::Air::RegLivenessAdapter::maxIndex): Deleted.
        * dfg/DFGAbstractInterpreter.h:
        (JSC::DFG::AbstractInterpreter::forNode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::dump):
        * dfg/DFGAtTailAbstractState.cpp:
        (JSC::DFG::AtTailAbstractState::createValueForNode):
        (JSC::DFG::AtTailAbstractState::forNode):
        * dfg/DFGAtTailAbstractState.h:
        * dfg/DFGBasicBlock.h:
        * dfg/DFGCombinedLiveness.cpp:
        (JSC::DFG::liveNodesAtHead):
        * dfg/DFGCombinedLiveness.h:
        * dfg/DFGFlowIndexing.cpp: Added.
        (JSC::DFG::FlowIndexing::FlowIndexing):
        (JSC::DFG::FlowIndexing::~FlowIndexing):
        (JSC::DFG::FlowIndexing::recompute):
        * dfg/DFGFlowIndexing.h: Added.
        (JSC::DFG::FlowIndexing::graph):
        (JSC::DFG::FlowIndexing::numIndices):
        (JSC::DFG::FlowIndexing::index):
        (JSC::DFG::FlowIndexing::shadowIndex):
        (JSC::DFG::FlowIndexing::nodeProjection):
        * dfg/DFGFlowMap.h: Added.
        (JSC::DFG::FlowMap::FlowMap):
        (JSC::DFG::FlowMap::resize):
        (JSC::DFG::FlowMap::graph):
        (JSC::DFG::FlowMap::at):
        (JSC::DFG::FlowMap::atShadow):
        (WTF::printInternal):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::abstractValuesCache): Deleted.
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::InPlaceAbstractState):
        (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
        (JSC::DFG::setLiveValues):
        (JSC::DFG::InPlaceAbstractState::endBasicBlock):
        (JSC::DFG::InPlaceAbstractState::merge):
        * dfg/DFGInPlaceAbstractState.h:
        (JSC::DFG::InPlaceAbstractState::createValueForNode):
        (JSC::DFG::InPlaceAbstractState::forNode):
        * dfg/DFGIntegerRangeOptimizationPhase.cpp:
        * dfg/DFGLivenessAnalysisPhase.cpp:
        (JSC::DFG::LivenessAnalysisPhase::LivenessAnalysisPhase):
        (JSC::DFG::LivenessAnalysisPhase::run):
        (JSC::DFG::LivenessAnalysisPhase::processBlock):
        (JSC::DFG::LivenessAnalysisPhase::addChildUse): Deleted.
        * dfg/DFGNode.h:
        (JSC::DFG::NodeComparator::operator()):
        (JSC::DFG::nodeListDump):
        (JSC::DFG::nodeMapDump):
        (JSC::DFG::nodeValuePairListDump):
        (JSC::DFG::nodeComparator): Deleted.
        * dfg/DFGNodeAbstractValuePair.cpp: Added.
        (JSC::DFG::NodeAbstractValuePair::dump):
        * dfg/DFGNodeAbstractValuePair.h: Added.
        (JSC::DFG::NodeAbstractValuePair::NodeAbstractValuePair):
        * dfg/DFGNodeFlowProjection.cpp: Added.
        (JSC::DFG::NodeFlowProjection::dump):
        * dfg/DFGNodeFlowProjection.h: Added.
        (JSC::DFG::NodeFlowProjection::NodeFlowProjection):
        (JSC::DFG::NodeFlowProjection::operator bool):
        (JSC::DFG::NodeFlowProjection::kind):
        (JSC::DFG::NodeFlowProjection::node):
        (JSC::DFG::NodeFlowProjection::operator*):
        (JSC::DFG::NodeFlowProjection::operator->):
        (JSC::DFG::NodeFlowProjection::hash):
        (JSC::DFG::NodeFlowProjection::operator==):
        (JSC::DFG::NodeFlowProjection::operator!=):
        (JSC::DFG::NodeFlowProjection::operator<):
        (JSC::DFG::NodeFlowProjection::operator>):
        (JSC::DFG::NodeFlowProjection::operator<=):
        (JSC::DFG::NodeFlowProjection::operator>=):
        (JSC::DFG::NodeFlowProjection::isHashTableDeletedValue):
        (JSC::DFG::NodeFlowProjection::isStillValid):
        (JSC::DFG::NodeFlowProjection::forEach):
        (JSC::DFG::NodeFlowProjectionHash::hash):
        (JSC::DFG::NodeFlowProjectionHash::equal):
        * dfg/DFGStoreBarrierInsertionPhase.cpp:

2016-11-03  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r208364.
        https://bugs.webkit.org/show_bug.cgi?id=164402

        broke the build (Requested by smfr on #webkit).

        Reverted changeset:

        "DFG plays fast and loose with the shadow values of a Phi"
        https://bugs.webkit.org/show_bug.cgi?id=164309
        http://trac.webkit.org/changeset/208364

2016-11-03  Filip Pizlo  <fpizlo@apple.com>

        DFG plays fast and loose with the shadow values of a Phi
        https://bugs.webkit.org/show_bug.cgi?id=164309

        Reviewed by Saam Barati.
        
        Oh boy, what an embarrassing mistake! The style of SSA I like to use avoids block/value
        tuples as parameters of a Phi, thereby simplifying CFG transformations and making Phi largely
        not a special case for most compiler transforms. It does this by introducing another value
        called Upsilon, which stores a value into some Phi.
        
        B3 uses this also. The easiest way to understand what Upsilon/Phi behave like is to look at
        the B3->Air lowering. Air is not SSA - it has Tmps that you can assign to and use as many
        times as you like. B3 allocates one Tmp per Value, and an extra "phiTmp" for Phis, so that
        Phis get two Tmps total. Upsilon stores the value into the phiTmp of the Phi, while Phi moves
        the value from its phiTmp to its tmp.
        
        This is necessary to support scenarios like this:
        
            a: Phi()
            b: Upsilon(@x, ^a)
            c: Use(@a)
        
        Here, we want @c to see @a's value before @b. That's a very basic requirement of SSA: that
        the a value (like @a) doesn't change during its lifetime.
        
        Unfortunately, DFG's liveness analysis, abstract interpreter, and integer range optimization
        all failed to correctly model Upsilon/Phi this way. They would assume that it's accurate to
        model the Upsilon as storing into the Phi directly.
        
        Because DFG does flow analysis over SSA, making it correct means enabling it to speak of the
        shadow value. This change addresses this problem by introducing the concept of a
        NodeFlowProjection. This is a key that lets us speak of both a Node's primary value and its
        optional "shadow" value. Liveness, AI, and integer range are now keyed by NodeFlowProjection
        rather than Node*. Conceptually this turns out to be a very simple change, but it does touch
        a good amount of code.
        
        This looks to be perf-neutral.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/air/AirLiveness.h:
        (JSC::B3::Air::TmpLivenessAdapter::numIndices):
        (JSC::B3::Air::StackSlotLivenessAdapter::numIndices):
        (JSC::B3::Air::RegLivenessAdapter::numIndices):
        (JSC::B3::Air::AbstractLiveness::AbstractLiveness):
        (JSC::B3::Air::TmpLivenessAdapter::maxIndex): Deleted.
        (JSC::B3::Air::StackSlotLivenessAdapter::maxIndex): Deleted.
        (JSC::B3::Air::RegLivenessAdapter::maxIndex): Deleted.
        * dfg/DFGAbstractInterpreter.h:
        (JSC::DFG::AbstractInterpreter::forNode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::dump):
        * dfg/DFGAtTailAbstractState.cpp:
        (JSC::DFG::AtTailAbstractState::createValueForNode):
        (JSC::DFG::AtTailAbstractState::forNode):
        * dfg/DFGAtTailAbstractState.h:
        * dfg/DFGBasicBlock.h:
        * dfg/DFGCombinedLiveness.cpp:
        (JSC::DFG::liveNodesAtHead):
        * dfg/DFGCombinedLiveness.h:
        * dfg/DFGFlowIndexing.cpp: Added.
        (JSC::DFG::FlowIndexing::FlowIndexing):
        (JSC::DFG::FlowIndexing::~FlowIndexing):
        (JSC::DFG::FlowIndexing::recompute):
        * dfg/DFGFlowIndexing.h: Added.
        (JSC::DFG::FlowIndexing::graph):
        (JSC::DFG::FlowIndexing::numIndices):
        (JSC::DFG::FlowIndexing::index):
        (JSC::DFG::FlowIndexing::shadowIndex):
        (JSC::DFG::FlowIndexing::nodeProjection):
        * dfg/DFGFlowMap.h: Added.
        (JSC::DFG::FlowMap::FlowMap):
        (JSC::DFG::FlowMap::resize):
        (JSC::DFG::FlowMap::graph):
        (JSC::DFG::FlowMap::at):
        (JSC::DFG::FlowMap::atShadow):
        (WTF::printInternal):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::abstractValuesCache): Deleted.
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::InPlaceAbstractState):
        (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
        (JSC::DFG::setLiveValues):
        (JSC::DFG::InPlaceAbstractState::endBasicBlock):
        (JSC::DFG::InPlaceAbstractState::merge):
        * dfg/DFGInPlaceAbstractState.h:
        (JSC::DFG::InPlaceAbstractState::createValueForNode):
        (JSC::DFG::InPlaceAbstractState::forNode):
        * dfg/DFGIntegerRangeOptimizationPhase.cpp:
        * dfg/DFGLivenessAnalysisPhase.cpp:
        (JSC::DFG::LivenessAnalysisPhase::LivenessAnalysisPhase):
        (JSC::DFG::LivenessAnalysisPhase::run):
        (JSC::DFG::LivenessAnalysisPhase::processBlock):
        (JSC::DFG::LivenessAnalysisPhase::addChildUse): Deleted.
        * dfg/DFGNode.h:
        (JSC::DFG::NodeComparator::operator()):
        (JSC::DFG::nodeListDump):
        (JSC::DFG::nodeMapDump):
        (JSC::DFG::nodeValuePairListDump):
        (JSC::DFG::nodeComparator): Deleted.
        * dfg/DFGNodeAbstractValuePair.cpp: Added.
        (JSC::DFG::NodeAbstractValuePair::dump):
        * dfg/DFGNodeAbstractValuePair.h: Added.
        (JSC::DFG::NodeAbstractValuePair::NodeAbstractValuePair):
        * dfg/DFGNodeFlowProjection.cpp: Added.
        (JSC::DFG::NodeFlowProjection::dump):
        * dfg/DFGNodeFlowProjection.h: Added.
        (JSC::DFG::NodeFlowProjection::NodeFlowProjection):
        (JSC::DFG::NodeFlowProjection::operator bool):
        (JSC::DFG::NodeFlowProjection::kind):
        (JSC::DFG::NodeFlowProjection::node):
        (JSC::DFG::NodeFlowProjection::operator*):
        (JSC::DFG::NodeFlowProjection::operator->):
        (JSC::DFG::NodeFlowProjection::hash):
        (JSC::DFG::NodeFlowProjection::operator==):
        (JSC::DFG::NodeFlowProjection::operator!=):
        (JSC::DFG::NodeFlowProjection::operator<):
        (JSC::DFG::NodeFlowProjection::operator>):
        (JSC::DFG::NodeFlowProjection::operator<=):
        (JSC::DFG::NodeFlowProjection::operator>=):
        (JSC::DFG::NodeFlowProjection::isHashTableDeletedValue):
        (JSC::DFG::NodeFlowProjection::isStillValid):
        (JSC::DFG::NodeFlowProjection::forEach):
        (JSC::DFG::NodeFlowProjectionHash::hash):
        (JSC::DFG::NodeFlowProjectionHash::equal):
        * dfg/DFGStoreBarrierInsertionPhase.cpp:

2016-11-03  Keith Miller  <keith_miller@apple.com>

        Unreviewed, changelog fix due to failed git rebase..

2016-11-03  Keith Miller  <keith_miller@apple.com>

        Wasm starts a new stack whenever it adds a new block and has return types for blocks.
        https://bugs.webkit.org/show_bug.cgi?id=164100

        Reviewed by Saam Barati.

        This patch overhauls much of the Wasm function parser, validator, and B3 IR generator
        to work with block return types. In Wasm, blocks can act as expressions and have a
        return value. Most of the control flow operators needed to be rewritten in order to
        support this feature. To enable return types the function parser needed to be able
        to save and restore the expression stack from previous blocks, which is done via the
        control stack.

        This patch also removes the lazy continuation block system added previously. It's
        not clear if there would be any performance win from such a system. There are likely
        many other things with orders of magnitude more impact on B3 IR generation. The
        complexity cost of such a system is not worth the effort without sufficient evidence
        otherwise.

        * testWasm.cpp:
        (runWasmTests):
        * wasm/WasmB3IRGenerator.cpp:
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseBlock):
        (JSC::Wasm::FunctionParser<Context>::addReturn):
        (JSC::Wasm::FunctionParser<Context>::parseExpression):
        (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
        (JSC::Wasm::FunctionParser<Context>::popExpressionStack):
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::Validate::ControlData::hasNonVoidSignature):
        (JSC::Wasm::Validate::addElse):
        (JSC::Wasm::Validate::addElseToUnreachable):
        (JSC::Wasm::Validate::addBranch):
        (JSC::Wasm::Validate::endBlock):
        (JSC::Wasm::Validate::addEndToUnreachable):
        (JSC::Wasm::Validate::dump):
        (JSC::Wasm::validateFunction):
        (JSC::Wasm::Validate::isContinuationReachable): Deleted.

2016-11-03  Saam Barati  <sbarati@apple.com>

        Asking for a value profile prediction should be defensive against not finding a value profile
        https://bugs.webkit.org/show_bug.cgi?id=164306

        Reviewed by Mark Lam.

        Currently, the code that calls CodeBlock::valueProfilePredictionForBytecodeOffset
        in the DFG assumes it will always be at a value producing node. However, this isn't
        true if we tail call from an inlined setter. When we're at a tail call, we try
        to find the first caller that isn't a tail call to see what value the
        tail_call produces. If we inline a setter, however, we will end up finding
        the put_by_id as our first non-tail-called "caller", and that won't have a
        value profile associated with it since it's not a value producing node.
        CodeBlock::valueProfilePredictionForBytecodeOffset should be defensive
        against finding a null value profile.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):

2016-11-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, fix CLoop build after r208320.
        https://bugs.webkit.org/show_bug.cgi?id=162980

        Add required forward declarations.

        * domjit/DOMJITHeapRange.cpp:
        * domjit/DOMJITSignature.h:
        * runtime/VM.h:

2016-11-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DOMJIT] Add DOMJIT::Signature
        https://bugs.webkit.org/show_bug.cgi?id=162980

        Reviewed by Saam Barati and Sam Weinig.

        This patch introduces a new mechanism called DOMJIT::Signature. We can annotate the function with DOMJIT::Signature.
        DOMJIT::Signature has type information of that function. And it also maintains the effect of the function and the
        pointer to the unsafe function. The unsafe function means the function without type and argument count checks.
        By using these information, we can separate type and argument count checks from the function. And we can emit
        these things as DFG checks and convert the function call itself to CallDOM node. CallDOM node can call the unsafe
        function directly without any checks. Furthermore, this CallDOM node can represent its own clobberizing rules based
        on DOMJIT::Effect maintained by DOMJIT::Signature. It allows us to make opaque Call node to a CallDOM node that
        merely reads some part of heap. These changes (1) can drop duplicate type checks in DFG, (2) offer ability to move
        CallDOM node to somewhere, and (3) track more detailed heap reads and writes of CallDOM nodes.

        We first emit Call node with DOMJIT::Signature in DFGByteCodeParser. And in the fixup phase, we attempt to lower
        Call node to CallDOM node with checks & edge filters. This is because we do not know the type predictions in
        DFGByteCodeParser phase. If we always emit CallDOM node in DFGByteCodeParser, if we evaluate `div.getAttribute(true)`
        thingy, the Uncountable OSR exits repeatedly happen because AI figures out the abstract value is cleared.

        Currently, DOMJIT signature only allows the types that can reside in GPR. This is because the types of the unsafe
        function arguments are represented as the sequence of void*. In the future, we will extend to accept other types like
        float, double etc.

        We annotate several functions in Element. In particular, we annotate Element::getAttribute. This allows us to perform
        LICM in Dromaeo dom-attr test. In the Dromaeo dom-attr getAttribute test, we can see 32x improvement. (134974.8 v.s. 4203.4)

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CallVariant.h:
        (JSC::CallVariant::functionExecutable):
        (JSC::CallVariant::nativeExecutable):
        (JSC::CallVariant::signatureFor):
        * bytecode/SpeculatedType.h:
        (JSC::isNotStringSpeculation):
        (JSC::isNotInt32Speculation):
        (JSC::isNotBooleanSpeculation):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::attemptToInlineCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::handleDOMJITCall):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::attemptToMakeCallDOM):
        (JSC::DFG::FixupPhase::fixupCheckDOM):
        (JSC::DFG::FixupPhase::fixupCallDOM):
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::convertToCallDOM):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        (JSC::DFG::Node::shouldSpeculateNotInt32):
        (JSC::DFG::Node::shouldSpeculateNotBoolean):
        (JSC::DFG::Node::shouldSpeculateNotString):
        (JSC::DFG::Node::hasSignature):
        (JSC::DFG::Node::signature):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCallDOM):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * domjit/DOMJITEffect.h:
        (JSC::DOMJIT::Effect::Effect):
        (JSC::DOMJIT::Effect::forWrite):
        (JSC::DOMJIT::Effect::forRead):
        (JSC::DOMJIT::Effect::forReadWrite):
        (JSC::DOMJIT::Effect::forPure):
        (JSC::DOMJIT::Effect::forDef):
        (JSC::DOMJIT::Effect::mustGenerate):
        In clang, we cannot make this Effect constructor constexpr if we use Optional<HeapRange>.
        So we use HeapRange::top() for Nullopt def now.

        * domjit/DOMJITHeapRange.h:
        (JSC::DOMJIT::HeapRange::fromRaw):
        (JSC::DOMJIT::HeapRange::operator bool):
        (JSC::DOMJIT::HeapRange::operator==):
        (JSC::DOMJIT::HeapRange::operator!=):
        (JSC::DOMJIT::HeapRange::fromConstant):
        * domjit/DOMJITSignature.h: Copied from Source/JavaScriptCore/domjit/DOMJITEffect.h.
        (JSC::DOMJIT::Signature::Signature):
        (JSC::DOMJIT::Signature::argumentCount):
        (JSC::DOMJIT::Signature::checkDOM):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
        * jit/JITOperations.h:
        * jit/JITThunks.cpp:
        (JSC::JITThunks::hostFunctionStub):
        * jit/JITThunks.h:
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::create):
        * runtime/JSCell.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::create):
        * runtime/JSFunction.h:
        * runtime/JSNativeStdFunction.cpp:
        (JSC::JSNativeStdFunction::create):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectNativeFunction):
        * runtime/JSObject.h:
        * runtime/Lookup.h:
        (JSC::HashTableValue::functionLength):
        (JSC::HashTableValue::signature):
        (JSC::reifyStaticProperty):
        * runtime/NativeExecutable.cpp:
        (JSC::NativeExecutable::create):
        (JSC::NativeExecutable::NativeExecutable):
        * runtime/NativeExecutable.h:
        * runtime/PropertySlot.h:
        * runtime/VM.cpp:
        (JSC::VM::getHostFunction):
        * runtime/VM.h:

2016-11-02  Andreas Kling  <akling@apple.com>

        MarkedSpace should have specialized size classes for popular engine objects.
        <https://webkit.org/b/164345>

        Reviewed by Filip Pizlo.

        The MarkedSpace size classes were recently reworked to minimize wasted space
        at the end of MarkedBlocks.

        However, we know that some specific objects will be allocated in very high volume.
        Adding specialized size classes for those object sizes achieves greater utilization
        since we're basically guaranteed to allocate them all the time.

        Inject specialized size classes for these four objects:

            - FunctionCodeBlock
                560 bytes instead of 624
                28 per block instead of 26 (+2)

            - FunctionExecutable
                176 bytes instead of 224
                92 per block instead of 72 (+20)

            - UnlinkedFunctionCodeBlock
                256 bytes instead of 320
                63 per block instead of 50 (+13)

            - UnlinkedFunctionExecutable
                192 bytes instead of 224
                84 per block instead of 72 (+12)

        * heap/MarkedSpace.cpp:

2016-11-02  Geoffrey Garen  <ggaren@apple.com>

        One file per class for UnlinkedCodeBlock.h/.cpp
        https://bugs.webkit.org/show_bug.cgi?id=164348

        Reviewed by Saam Barati.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/FunctionCodeBlock.h:
        * bytecode/ModuleProgramCodeBlock.h:
        * bytecode/ProgramCodeBlock.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedProgramCodeBlock::visitChildren): Deleted.
        (JSC::UnlinkedModuleProgramCodeBlock::visitChildren): Deleted.
        (JSC::UnlinkedProgramCodeBlock::destroy): Deleted.
        (JSC::UnlinkedModuleProgramCodeBlock::destroy): Deleted.
        (JSC::UnlinkedEvalCodeBlock::destroy): Deleted.
        (JSC::UnlinkedFunctionCodeBlock::destroy): Deleted.
        (JSC::UnlinkedFunctionExecutable::destroy): Deleted.
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock): Deleted.
        * bytecode/UnlinkedEvalCodeBlock.cpp: Copied from Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp.
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): Deleted.
        (JSC::UnlinkedCodeBlock::visitChildren): Deleted.
        (JSC::UnlinkedCodeBlock::estimatedSize): Deleted.
        (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset): Deleted.
        (JSC::UnlinkedCodeBlock::getLineAndColumn): Deleted.
        (JSC::dumpLineColumnEntry): Deleted.
        (JSC::UnlinkedCodeBlock::dumpExpressionRangeInfo): Deleted.
        (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset): Deleted.
        (JSC::UnlinkedCodeBlock::addExpressionInfo): Deleted.
        (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset): Deleted.
        (JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo): Deleted.
        (JSC::UnlinkedProgramCodeBlock::visitChildren): Deleted.
        (JSC::UnlinkedModuleProgramCodeBlock::visitChildren): Deleted.
        (JSC::UnlinkedCodeBlock::~UnlinkedCodeBlock): Deleted.
        (JSC::UnlinkedProgramCodeBlock::destroy): Deleted.
        (JSC::UnlinkedModuleProgramCodeBlock::destroy): Deleted.
        (JSC::UnlinkedFunctionCodeBlock::destroy): Deleted.
        (JSC::UnlinkedFunctionExecutable::destroy): Deleted.
        (JSC::UnlinkedCodeBlock::setInstructions): Deleted.
        (JSC::UnlinkedCodeBlock::instructions): Deleted.
        (JSC::UnlinkedCodeBlock::handlerForBytecodeOffset): Deleted.
        (JSC::UnlinkedCodeBlock::handlerForIndex): Deleted.
        (JSC::UnlinkedCodeBlock::applyModification): Deleted.
        * bytecode/UnlinkedEvalCodeBlock.h: Copied from Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h.
        (JSC::UnlinkedStringJumpTable::offsetForValue): Deleted.
        (JSC::UnlinkedSimpleJumpTable::add): Deleted.
        (JSC::UnlinkedInstruction::UnlinkedInstruction): Deleted.
        (JSC::UnlinkedCodeBlock::isConstructor): Deleted.
        (JSC::UnlinkedCodeBlock::isStrictMode): Deleted.
        (JSC::UnlinkedCodeBlock::usesEval): Deleted.
        (JSC::UnlinkedCodeBlock::parseMode): Deleted.
        (JSC::UnlinkedCodeBlock::isArrowFunction): Deleted.
        (JSC::UnlinkedCodeBlock::derivedContextType): Deleted.
        (JSC::UnlinkedCodeBlock::evalContextType): Deleted.
        (JSC::UnlinkedCodeBlock::isArrowFunctionContext): Deleted.
        (JSC::UnlinkedCodeBlock::isClassContext): Deleted.
        (JSC::UnlinkedCodeBlock::hasExpressionInfo): Deleted.
        (JSC::UnlinkedCodeBlock::expressionInfo): Deleted.
        (JSC::UnlinkedCodeBlock::setThisRegister): Deleted.
        (JSC::UnlinkedCodeBlock::setScopeRegister): Deleted.
        (JSC::UnlinkedCodeBlock::usesGlobalObject): Deleted.
        (JSC::UnlinkedCodeBlock::setGlobalObjectRegister): Deleted.
        (JSC::UnlinkedCodeBlock::globalObjectRegister): Deleted.
        (JSC::UnlinkedCodeBlock::setNumParameters): Deleted.
        (JSC::UnlinkedCodeBlock::addParameter): Deleted.
        (JSC::UnlinkedCodeBlock::numParameters): Deleted.
        (JSC::UnlinkedCodeBlock::addRegExp): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfRegExps): Deleted.
        (JSC::UnlinkedCodeBlock::regexp): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfIdentifiers): Deleted.
        (JSC::UnlinkedCodeBlock::addIdentifier): Deleted.
        (JSC::UnlinkedCodeBlock::identifier): Deleted.
        (JSC::UnlinkedCodeBlock::identifiers): Deleted.
        (JSC::UnlinkedCodeBlock::addConstant): Deleted.
        (JSC::UnlinkedCodeBlock::registerIndexForLinkTimeConstant): Deleted.
        (JSC::UnlinkedCodeBlock::constantRegisters): Deleted.
        (JSC::UnlinkedCodeBlock::constantRegister): Deleted.
        (JSC::UnlinkedCodeBlock::isConstantRegisterIndex): Deleted.
        (JSC::UnlinkedCodeBlock::constantsSourceCodeRepresentation): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfJumpTargets): Deleted.
        (JSC::UnlinkedCodeBlock::addJumpTarget): Deleted.
        (JSC::UnlinkedCodeBlock::jumpTarget): Deleted.
        (JSC::UnlinkedCodeBlock::lastJumpTarget): Deleted.
        (JSC::UnlinkedCodeBlock::isBuiltinFunction): Deleted.
        (JSC::UnlinkedCodeBlock::constructorKind): Deleted.
        (JSC::UnlinkedCodeBlock::superBinding): Deleted.
        (JSC::UnlinkedCodeBlock::scriptMode): Deleted.
        (JSC::UnlinkedCodeBlock::shrinkToFit): Deleted.
        (JSC::UnlinkedCodeBlock::numCalleeLocals): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfSwitchJumpTables): Deleted.
        (JSC::UnlinkedCodeBlock::addSwitchJumpTable): Deleted.
        (JSC::UnlinkedCodeBlock::switchJumpTable): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfStringSwitchJumpTables): Deleted.
        (JSC::UnlinkedCodeBlock::addStringSwitchJumpTable): Deleted.
        (JSC::UnlinkedCodeBlock::stringSwitchJumpTable): Deleted.
        (JSC::UnlinkedCodeBlock::addFunctionDecl): Deleted.
        (JSC::UnlinkedCodeBlock::functionDecl): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfFunctionDecls): Deleted.
        (JSC::UnlinkedCodeBlock::addFunctionExpr): Deleted.
        (JSC::UnlinkedCodeBlock::functionExpr): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfFunctionExprs): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfExceptionHandlers): Deleted.
        (JSC::UnlinkedCodeBlock::addExceptionHandler): Deleted.
        (JSC::UnlinkedCodeBlock::exceptionHandler): Deleted.
        (JSC::UnlinkedCodeBlock::addArrayProfile): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfArrayProfiles): Deleted.
        (JSC::UnlinkedCodeBlock::addArrayAllocationProfile): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfArrayAllocationProfiles): Deleted.
        (JSC::UnlinkedCodeBlock::addObjectAllocationProfile): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfObjectAllocationProfiles): Deleted.
        (JSC::UnlinkedCodeBlock::addValueProfile): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfValueProfiles): Deleted.
        (JSC::UnlinkedCodeBlock::addLLIntCallLinkInfo): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfLLintCallLinkInfos): Deleted.
        (JSC::UnlinkedCodeBlock::codeType): Deleted.
        (JSC::UnlinkedCodeBlock::thisRegister): Deleted.
        (JSC::UnlinkedCodeBlock::scopeRegister): Deleted.
        (JSC::UnlinkedCodeBlock::addPropertyAccessInstruction): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfPropertyAccessInstructions): Deleted.
        (JSC::UnlinkedCodeBlock::propertyAccessInstructions): Deleted.
        (JSC::UnlinkedCodeBlock::constantBufferCount): Deleted.
        (JSC::UnlinkedCodeBlock::addConstantBuffer): Deleted.
        (JSC::UnlinkedCodeBlock::constantBuffer): Deleted.
        (JSC::UnlinkedCodeBlock::hasRareData): Deleted.
        (JSC::UnlinkedCodeBlock::recordParse): Deleted.
        (JSC::UnlinkedCodeBlock::sourceURLDirective): Deleted.
        (JSC::UnlinkedCodeBlock::sourceMappingURLDirective): Deleted.
        (JSC::UnlinkedCodeBlock::setSourceURLDirective): Deleted.
        (JSC::UnlinkedCodeBlock::setSourceMappingURLDirective): Deleted.
        (JSC::UnlinkedCodeBlock::codeFeatures): Deleted.
        (JSC::UnlinkedCodeBlock::hasCapturedVariables): Deleted.
        (JSC::UnlinkedCodeBlock::firstLine): Deleted.
        (JSC::UnlinkedCodeBlock::lineCount): Deleted.
        (JSC::UnlinkedCodeBlock::startColumn): Deleted.
        (JSC::UnlinkedCodeBlock::endColumn): Deleted.
        (JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset): Deleted.
        (JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets): Deleted.
        (JSC::UnlinkedCodeBlock::hasOpProfileControlFlowBytecodeOffsets): Deleted.
        (JSC::UnlinkedCodeBlock::wasCompiledWithDebuggingOpcodes): Deleted.
        (JSC::UnlinkedCodeBlock::didOptimize): Deleted.
        (JSC::UnlinkedCodeBlock::setDidOptimize): Deleted.
        (JSC::UnlinkedCodeBlock::finishCreation): Deleted.
        (JSC::UnlinkedCodeBlock::createRareDataIfNecessary): Deleted.
        (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock): Deleted.
        * bytecode/UnlinkedFunctionCodeBlock.cpp: Copied from Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp.
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): Deleted.
        (JSC::UnlinkedCodeBlock::visitChildren): Deleted.
        (JSC::UnlinkedCodeBlock::estimatedSize): Deleted.
        (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset): Deleted.
        (JSC::UnlinkedCodeBlock::getLineAndColumn): Deleted.
        (JSC::dumpLineColumnEntry): Deleted.
        (JSC::UnlinkedCodeBlock::dumpExpressionRangeInfo): Deleted.
        (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset): Deleted.
        (JSC::UnlinkedCodeBlock::addExpressionInfo): Deleted.
        (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset): Deleted.
        (JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo): Deleted.
        (JSC::UnlinkedProgramCodeBlock::visitChildren): Deleted.
        (JSC::UnlinkedModuleProgramCodeBlock::visitChildren): Deleted.
        (JSC::UnlinkedCodeBlock::~UnlinkedCodeBlock): Deleted.
        (JSC::UnlinkedProgramCodeBlock::destroy): Deleted.
        (JSC::UnlinkedModuleProgramCodeBlock::destroy): Deleted.
        (JSC::UnlinkedEvalCodeBlock::destroy): Deleted.
        (JSC::UnlinkedFunctionExecutable::destroy): Deleted.
        (JSC::UnlinkedCodeBlock::setInstructions): Deleted.
        (JSC::UnlinkedCodeBlock::instructions): Deleted.
        (JSC::UnlinkedCodeBlock::handlerForBytecodeOffset): Deleted.
        (JSC::UnlinkedCodeBlock::handlerForIndex): Deleted.
        (JSC::UnlinkedCodeBlock::applyModification): Deleted.
        * bytecode/UnlinkedFunctionCodeBlock.h: Copied from Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h.
        (JSC::UnlinkedStringJumpTable::offsetForValue): Deleted.
        (JSC::UnlinkedSimpleJumpTable::add): Deleted.
        (JSC::UnlinkedInstruction::UnlinkedInstruction): Deleted.
        (JSC::UnlinkedCodeBlock::isConstructor): Deleted.
        (JSC::UnlinkedCodeBlock::isStrictMode): Deleted.
        (JSC::UnlinkedCodeBlock::usesEval): Deleted.
        (JSC::UnlinkedCodeBlock::parseMode): Deleted.
        (JSC::UnlinkedCodeBlock::isArrowFunction): Deleted.
        (JSC::UnlinkedCodeBlock::derivedContextType): Deleted.
        (JSC::UnlinkedCodeBlock::evalContextType): Deleted.
        (JSC::UnlinkedCodeBlock::isArrowFunctionContext): Deleted.
        (JSC::UnlinkedCodeBlock::isClassContext): Deleted.
        (JSC::UnlinkedCodeBlock::hasExpressionInfo): Deleted.
        (JSC::UnlinkedCodeBlock::expressionInfo): Deleted.
        (JSC::UnlinkedCodeBlock::setThisRegister): Deleted.
        (JSC::UnlinkedCodeBlock::setScopeRegister): Deleted.
        (JSC::UnlinkedCodeBlock::usesGlobalObject): Deleted.
        (JSC::UnlinkedCodeBlock::setGlobalObjectRegister): Deleted.
        (JSC::UnlinkedCodeBlock::globalObjectRegister): Deleted.
        (JSC::UnlinkedCodeBlock::setNumParameters): Deleted.
        (JSC::UnlinkedCodeBlock::addParameter): Deleted.
        (JSC::UnlinkedCodeBlock::numParameters): Deleted.
        (JSC::UnlinkedCodeBlock::addRegExp): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfRegExps): Deleted.
        (JSC::UnlinkedCodeBlock::regexp): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfIdentifiers): Deleted.
        (JSC::UnlinkedCodeBlock::addIdentifier): Deleted.
        (JSC::UnlinkedCodeBlock::identifier): Deleted.
        (JSC::UnlinkedCodeBlock::identifiers): Deleted.
        (JSC::UnlinkedCodeBlock::addConstant): Deleted.
        (JSC::UnlinkedCodeBlock::registerIndexForLinkTimeConstant): Deleted.
        (JSC::UnlinkedCodeBlock::constantRegisters): Deleted.
        (JSC::UnlinkedCodeBlock::constantRegister): Deleted.
        (JSC::UnlinkedCodeBlock::isConstantRegisterIndex): Deleted.
        (JSC::UnlinkedCodeBlock::constantsSourceCodeRepresentation): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfJumpTargets): Deleted.
        (JSC::UnlinkedCodeBlock::addJumpTarget): Deleted.
        (JSC::UnlinkedCodeBlock::jumpTarget): Deleted.
        (JSC::UnlinkedCodeBlock::lastJumpTarget): Deleted.
        (JSC::UnlinkedCodeBlock::isBuiltinFunction): Deleted.
        (JSC::UnlinkedCodeBlock::constructorKind): Deleted.
        (JSC::UnlinkedCodeBlock::superBinding): Deleted.
        (JSC::UnlinkedCodeBlock::scriptMode): Deleted.
        (JSC::UnlinkedCodeBlock::shrinkToFit): Deleted.
        (JSC::UnlinkedCodeBlock::numCalleeLocals): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfSwitchJumpTables): Deleted.
        (JSC::UnlinkedCodeBlock::addSwitchJumpTable): Deleted.
        (JSC::UnlinkedCodeBlock::switchJumpTable): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfStringSwitchJumpTables): Deleted.
        (JSC::UnlinkedCodeBlock::addStringSwitchJumpTable): Deleted.
        (JSC::UnlinkedCodeBlock::stringSwitchJumpTable): Deleted.
        (JSC::UnlinkedCodeBlock::addFunctionDecl): Deleted.
        (JSC::UnlinkedCodeBlock::functionDecl): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfFunctionDecls): Deleted.
        (JSC::UnlinkedCodeBlock::addFunctionExpr): Deleted.
        (JSC::UnlinkedCodeBlock::functionExpr): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfFunctionExprs): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfExceptionHandlers): Deleted.
        (JSC::UnlinkedCodeBlock::addExceptionHandler): Deleted.
        (JSC::UnlinkedCodeBlock::exceptionHandler): Deleted.
        (JSC::UnlinkedCodeBlock::addArrayProfile): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfArrayProfiles): Deleted.
        (JSC::UnlinkedCodeBlock::addArrayAllocationProfile): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfArrayAllocationProfiles): Deleted.
        (JSC::UnlinkedCodeBlock::addObjectAllocationProfile): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfObjectAllocationProfiles): Deleted.
        (JSC::UnlinkedCodeBlock::addValueProfile): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfValueProfiles): Deleted.
        (JSC::UnlinkedCodeBlock::addLLIntCallLinkInfo): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfLLintCallLinkInfos): Deleted.
        (JSC::UnlinkedCodeBlock::codeType): Deleted.
        (JSC::UnlinkedCodeBlock::thisRegister): Deleted.
        (JSC::UnlinkedCodeBlock::scopeRegister): Deleted.
        (JSC::UnlinkedCodeBlock::addPropertyAccessInstruction): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfPropertyAccessInstructions): Deleted.
        (JSC::UnlinkedCodeBlock::propertyAccessInstructions): Deleted.
        (JSC::UnlinkedCodeBlock::constantBufferCount): Deleted.
        (JSC::UnlinkedCodeBlock::addConstantBuffer): Deleted.
        (JSC::UnlinkedCodeBlock::constantBuffer): Deleted.
        (JSC::UnlinkedCodeBlock::hasRareData): Deleted.
        (JSC::UnlinkedCodeBlock::recordParse): Deleted.
        (JSC::UnlinkedCodeBlock::sourceURLDirective): Deleted.
        (JSC::UnlinkedCodeBlock::sourceMappingURLDirective): Deleted.
        (JSC::UnlinkedCodeBlock::setSourceURLDirective): Deleted.
        (JSC::UnlinkedCodeBlock::setSourceMappingURLDirective): Deleted.
        (JSC::UnlinkedCodeBlock::codeFeatures): Deleted.
        (JSC::UnlinkedCodeBlock::hasCapturedVariables): Deleted.
        (JSC::UnlinkedCodeBlock::firstLine): Deleted.
        (JSC::UnlinkedCodeBlock::lineCount): Deleted.
        (JSC::UnlinkedCodeBlock::startColumn): Deleted.
        (JSC::UnlinkedCodeBlock::endColumn): Deleted.
        (JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset): Deleted.
        (JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets): Deleted.
        (JSC::UnlinkedCodeBlock::hasOpProfileControlFlowBytecodeOffsets): Deleted.
        (JSC::UnlinkedCodeBlock::wasCompiledWithDebuggingOpcodes): Deleted.
        (JSC::UnlinkedCodeBlock::didOptimize): Deleted.
        (JSC::UnlinkedCodeBlock::setDidOptimize): Deleted.
        (JSC::UnlinkedCodeBlock::finishCreation): Deleted.
        (JSC::UnlinkedCodeBlock::createRareDataIfNecessary): Deleted.
        (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock): Deleted.
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::destroy):
        * bytecode/UnlinkedGlobalCodeBlock.h: Copied from Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h.
        (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock):
        (JSC::UnlinkedStringJumpTable::offsetForValue): Deleted.
        (JSC::UnlinkedSimpleJumpTable::add): Deleted.
        (JSC::UnlinkedInstruction::UnlinkedInstruction): Deleted.
        (): Deleted.
        (JSC::UnlinkedCodeBlock::isConstructor): Deleted.
        (JSC::UnlinkedCodeBlock::isStrictMode): Deleted.
        (JSC::UnlinkedCodeBlock::usesEval): Deleted.
        (JSC::UnlinkedCodeBlock::parseMode): Deleted.
        (JSC::UnlinkedCodeBlock::isArrowFunction): Deleted.
        (JSC::UnlinkedCodeBlock::derivedContextType): Deleted.
        (JSC::UnlinkedCodeBlock::evalContextType): Deleted.
        (JSC::UnlinkedCodeBlock::isArrowFunctionContext): Deleted.
        (JSC::UnlinkedCodeBlock::isClassContext): Deleted.
        (JSC::UnlinkedCodeBlock::hasExpressionInfo): Deleted.
        (JSC::UnlinkedCodeBlock::expressionInfo): Deleted.
        (JSC::UnlinkedCodeBlock::setThisRegister): Deleted.
        (JSC::UnlinkedCodeBlock::setScopeRegister): Deleted.
        (JSC::UnlinkedCodeBlock::usesGlobalObject): Deleted.
        (JSC::UnlinkedCodeBlock::setGlobalObjectRegister): Deleted.
        (JSC::UnlinkedCodeBlock::globalObjectRegister): Deleted.
        (JSC::UnlinkedCodeBlock::setNumParameters): Deleted.
        (JSC::UnlinkedCodeBlock::addParameter): Deleted.
        (JSC::UnlinkedCodeBlock::numParameters): Deleted.
        (JSC::UnlinkedCodeBlock::addRegExp): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfRegExps): Deleted.
        (JSC::UnlinkedCodeBlock::regexp): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfIdentifiers): Deleted.
        (JSC::UnlinkedCodeBlock::addIdentifier): Deleted.
        (JSC::UnlinkedCodeBlock::identifier): Deleted.
        (JSC::UnlinkedCodeBlock::identifiers): Deleted.
        (JSC::UnlinkedCodeBlock::addConstant): Deleted.
        (JSC::UnlinkedCodeBlock::registerIndexForLinkTimeConstant): Deleted.
        (JSC::UnlinkedCodeBlock::constantRegisters): Deleted.
        (JSC::UnlinkedCodeBlock::constantRegister): Deleted.
        (JSC::UnlinkedCodeBlock::isConstantRegisterIndex): Deleted.
        (JSC::UnlinkedCodeBlock::constantsSourceCodeRepresentation): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfJumpTargets): Deleted.
        (JSC::UnlinkedCodeBlock::addJumpTarget): Deleted.
        (JSC::UnlinkedCodeBlock::jumpTarget): Deleted.
        (JSC::UnlinkedCodeBlock::lastJumpTarget): Deleted.
        (JSC::UnlinkedCodeBlock::isBuiltinFunction): Deleted.
        (JSC::UnlinkedCodeBlock::constructorKind): Deleted.
        (JSC::UnlinkedCodeBlock::superBinding): Deleted.
        (JSC::UnlinkedCodeBlock::scriptMode): Deleted.
        (JSC::UnlinkedCodeBlock::shrinkToFit): Deleted.
        (JSC::UnlinkedCodeBlock::numCalleeLocals): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfSwitchJumpTables): Deleted.
        (JSC::UnlinkedCodeBlock::addSwitchJumpTable): Deleted.
        (JSC::UnlinkedCodeBlock::switchJumpTable): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfStringSwitchJumpTables): Deleted.
        (JSC::UnlinkedCodeBlock::addStringSwitchJumpTable): Deleted.
        (JSC::UnlinkedCodeBlock::stringSwitchJumpTable): Deleted.
        (JSC::UnlinkedCodeBlock::addFunctionDecl): Deleted.
        (JSC::UnlinkedCodeBlock::functionDecl): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfFunctionDecls): Deleted.
        (JSC::UnlinkedCodeBlock::addFunctionExpr): Deleted.
        (JSC::UnlinkedCodeBlock::functionExpr): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfFunctionExprs): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfExceptionHandlers): Deleted.
        (JSC::UnlinkedCodeBlock::addExceptionHandler): Deleted.
        (JSC::UnlinkedCodeBlock::exceptionHandler): Deleted.
        (JSC::UnlinkedCodeBlock::addArrayProfile): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfArrayProfiles): Deleted.
        (JSC::UnlinkedCodeBlock::addArrayAllocationProfile): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfArrayAllocationProfiles): Deleted.
        (JSC::UnlinkedCodeBlock::addObjectAllocationProfile): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfObjectAllocationProfiles): Deleted.
        (JSC::UnlinkedCodeBlock::addValueProfile): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfValueProfiles): Deleted.
        (JSC::UnlinkedCodeBlock::addLLIntCallLinkInfo): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfLLintCallLinkInfos): Deleted.
        (JSC::UnlinkedCodeBlock::codeType): Deleted.
        (JSC::UnlinkedCodeBlock::thisRegister): Deleted.
        (JSC::UnlinkedCodeBlock::scopeRegister): Deleted.
        (JSC::UnlinkedCodeBlock::addPropertyAccessInstruction): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfPropertyAccessInstructions): Deleted.
        (JSC::UnlinkedCodeBlock::propertyAccessInstructions): Deleted.
        (JSC::UnlinkedCodeBlock::constantBufferCount): Deleted.
        (JSC::UnlinkedCodeBlock::addConstantBuffer): Deleted.
        (JSC::UnlinkedCodeBlock::constantBuffer): Deleted.
        (JSC::UnlinkedCodeBlock::hasRareData): Deleted.
        (JSC::UnlinkedCodeBlock::recordParse): Deleted.
        (JSC::UnlinkedCodeBlock::sourceURLDirective): Deleted.
        (JSC::UnlinkedCodeBlock::sourceMappingURLDirective): Deleted.
        (JSC::UnlinkedCodeBlock::setSourceURLDirective): Deleted.
        (JSC::UnlinkedCodeBlock::setSourceMappingURLDirective): Deleted.
        (JSC::UnlinkedCodeBlock::codeFeatures): Deleted.
        (JSC::UnlinkedCodeBlock::hasCapturedVariables): Deleted.
        (JSC::UnlinkedCodeBlock::firstLine): Deleted.
        (JSC::UnlinkedCodeBlock::lineCount): Deleted.
        (JSC::UnlinkedCodeBlock::startColumn): Deleted.
        (JSC::UnlinkedCodeBlock::endColumn): Deleted.
        (JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset): Deleted.
        (JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets): Deleted.
        (JSC::UnlinkedCodeBlock::hasOpProfileControlFlowBytecodeOffsets): Deleted.
        (JSC::UnlinkedCodeBlock::wasCompiledWithDebuggingOpcodes): Deleted.
        (JSC::UnlinkedCodeBlock::didOptimize): Deleted.
        (JSC::UnlinkedCodeBlock::setDidOptimize): Deleted.
        (JSC::UnlinkedCodeBlock::finishCreation): Deleted.
        (JSC::UnlinkedCodeBlock::createRareDataIfNecessary): Deleted.
        * bytecode/UnlinkedModuleProgramCodeBlock.cpp: Copied from Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp.
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): Deleted.
        (JSC::UnlinkedCodeBlock::visitChildren): Deleted.
        (JSC::UnlinkedCodeBlock::estimatedSize): Deleted.
        (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset): Deleted.
        (JSC::UnlinkedCodeBlock::getLineAndColumn): Deleted.
        (JSC::dumpLineColumnEntry): Deleted.
        (JSC::UnlinkedCodeBlock::dumpExpressionRangeInfo): Deleted.
        (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset): Deleted.
        (JSC::UnlinkedCodeBlock::addExpressionInfo): Deleted.
        (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset): Deleted.
        (JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo): Deleted.
        (JSC::UnlinkedProgramCodeBlock::visitChildren): Deleted.
        (JSC::UnlinkedCodeBlock::~UnlinkedCodeBlock): Deleted.
        (JSC::UnlinkedProgramCodeBlock::destroy): Deleted.
        (JSC::UnlinkedEvalCodeBlock::destroy): Deleted.
        (JSC::UnlinkedFunctionCodeBlock::destroy): Deleted.
        (JSC::UnlinkedFunctionExecutable::destroy): Deleted.
        (JSC::UnlinkedCodeBlock::setInstructions): Deleted.
        (JSC::UnlinkedCodeBlock::instructions): Deleted.
        (JSC::UnlinkedCodeBlock::handlerForBytecodeOffset): Deleted.
        (JSC::UnlinkedCodeBlock::handlerForIndex): Deleted.
        (JSC::UnlinkedCodeBlock::applyModification): Deleted.
        * bytecode/UnlinkedModuleProgramCodeBlock.h: Copied from Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h.
        (JSC::UnlinkedStringJumpTable::offsetForValue): Deleted.
        (JSC::UnlinkedSimpleJumpTable::add): Deleted.
        (JSC::UnlinkedInstruction::UnlinkedInstruction): Deleted.
        (JSC::UnlinkedCodeBlock::isConstructor): Deleted.
        (JSC::UnlinkedCodeBlock::isStrictMode): Deleted.
        (JSC::UnlinkedCodeBlock::usesEval): Deleted.
        (JSC::UnlinkedCodeBlock::parseMode): Deleted.
        (JSC::UnlinkedCodeBlock::isArrowFunction): Deleted.
        (JSC::UnlinkedCodeBlock::derivedContextType): Deleted.
        (JSC::UnlinkedCodeBlock::evalContextType): Deleted.
        (JSC::UnlinkedCodeBlock::isArrowFunctionContext): Deleted.
        (JSC::UnlinkedCodeBlock::isClassContext): Deleted.
        (JSC::UnlinkedCodeBlock::hasExpressionInfo): Deleted.
        (JSC::UnlinkedCodeBlock::expressionInfo): Deleted.
        (JSC::UnlinkedCodeBlock::setThisRegister): Deleted.
        (JSC::UnlinkedCodeBlock::setScopeRegister): Deleted.
        (JSC::UnlinkedCodeBlock::usesGlobalObject): Deleted.
        (JSC::UnlinkedCodeBlock::setGlobalObjectRegister): Deleted.
        (JSC::UnlinkedCodeBlock::globalObjectRegister): Deleted.
        (JSC::UnlinkedCodeBlock::setNumParameters): Deleted.
        (JSC::UnlinkedCodeBlock::addParameter): Deleted.
        (JSC::UnlinkedCodeBlock::numParameters): Deleted.
        (JSC::UnlinkedCodeBlock::addRegExp): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfRegExps): Deleted.
        (JSC::UnlinkedCodeBlock::regexp): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfIdentifiers): Deleted.
        (JSC::UnlinkedCodeBlock::addIdentifier): Deleted.
        (JSC::UnlinkedCodeBlock::identifier): Deleted.
        (JSC::UnlinkedCodeBlock::identifiers): Deleted.
        (JSC::UnlinkedCodeBlock::addConstant): Deleted.
        (JSC::UnlinkedCodeBlock::registerIndexForLinkTimeConstant): Deleted.
        (JSC::UnlinkedCodeBlock::constantRegisters): Deleted.
        (JSC::UnlinkedCodeBlock::constantRegister): Deleted.
        (JSC::UnlinkedCodeBlock::isConstantRegisterIndex): Deleted.
        (JSC::UnlinkedCodeBlock::constantsSourceCodeRepresentation): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfJumpTargets): Deleted.
        (JSC::UnlinkedCodeBlock::addJumpTarget): Deleted.
        (JSC::UnlinkedCodeBlock::jumpTarget): Deleted.
        (JSC::UnlinkedCodeBlock::lastJumpTarget): Deleted.
        (JSC::UnlinkedCodeBlock::isBuiltinFunction): Deleted.
        (JSC::UnlinkedCodeBlock::constructorKind): Deleted.
        (JSC::UnlinkedCodeBlock::superBinding): Deleted.
        (JSC::UnlinkedCodeBlock::scriptMode): Deleted.
        (JSC::UnlinkedCodeBlock::shrinkToFit): Deleted.
        (JSC::UnlinkedCodeBlock::numCalleeLocals): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfSwitchJumpTables): Deleted.
        (JSC::UnlinkedCodeBlock::addSwitchJumpTable): Deleted.
        (JSC::UnlinkedCodeBlock::switchJumpTable): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfStringSwitchJumpTables): Deleted.
        (JSC::UnlinkedCodeBlock::addStringSwitchJumpTable): Deleted.
        (JSC::UnlinkedCodeBlock::stringSwitchJumpTable): Deleted.
        (JSC::UnlinkedCodeBlock::addFunctionDecl): Deleted.