dynamic import is ambiguous with import declaration at module code
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-01-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        dynamic import is ambiguous with import declaration at module code
        https://bugs.webkit.org/show_bug.cgi?id=167098

        Reviewed by Darin Adler.

        This patch fixes two syntax issues related to dynamic import.

        1. Fix member expression parsing with dynamic import results

        We should not return the import expression immediately after parsing
        it in parseMemberExpression. This prevents us from parsing the following
        code,

            import("...").then(function () {
            });

        2. dynamic import with import declaration under the module context

        Before this patch, we always attempted to parse IMPORT as an import declaration
        under the module context. It means that an import call in the top-level
        expression statement fails to be parsed since the parser attempts to parse
        it as an import declaration.

            import("...")  // module top level statement.

        In this patch, we check the condition `[lookahead != (]` before starting
        to parse the import declaration. This allows us to put an import call in the module
        top-level statement.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseModuleSourceElements):
        (JSC::Parser<LexerType>::parseMemberExpression):

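The two parsing rules described in the entry above, as an added example that is not WebKit/JSC code: a small tokenizer plus a module-item parser that applies the `[lookahead != (]` check to tell an import call from an import declaration, and keeps consuming member-expression suffixes after `import(...)` so that `import("...").then(...)` parses. The token shape, the result objects and the `parseModuleItem` name are this example's own assumptions, not JSC's API.

```javascript
// Added example (not WebKit/JSC code): a tiny module-item parser that applies the
// two rules from the ChangeLog entry above.
//   1. At module top level, `import` followed by `(` is an import call, not an
//      import declaration ([lookahead != (] before parsing a declaration).
//   2. After parsing `import(...)`, keep parsing member-expression suffixes so
//      that `import("...").then(...)` is accepted.
// The token and result shapes are this example's own, not JSC's.

function tokenize(src) {
  const tokens = [];
  let i = 0;
  while (i < src.length) {
    const c = src[i];
    if (/\s/.test(c)) { i++; continue; }
    if (c === '/' && src[i + 1] === '/') {            // line comment
      while (i < src.length && src[i] !== '\n') i++;
      continue;
    }
    if (c === '"' || c === "'") {                      // string literal
      let j = i + 1;
      while (j < src.length && src[j] !== c) { if (src[j] === '\\') j++; j++; }
      if (j >= src.length) throw new SyntaxError('unterminated string literal');
      tokens.push({ type: 'string', value: src.slice(i + 1, j) });
      i = j + 1;
      continue;
    }
    if (/[A-Za-z_$]/.test(c)) {                        // identifier / keyword
      let j = i;
      while (j < src.length && /[\w$]/.test(src[j])) j++;
      tokens.push({ type: 'ident', value: src.slice(i, j) });
      i = j;
      continue;
    }
    tokens.push({ type: 'punct', value: c });          // single-char punctuator
    i++;
  }
  return tokens;
}

// Parses one module item that starts with the `import` keyword and reports how it
// was classified. For an import call, `chain` lists the property names accessed
// after the call (e.g. ["then"]); call arguments are skipped, not parsed. Only a
// string-literal specifier is accepted inside import(), as in the entry's snippets.
function parseModuleItem(src) {
  const toks = tokenize(src);
  let pos = 0;
  const peek = (k = 0) => toks[pos + k];
  const isPunct = (t, v) => t !== undefined && t.type === 'punct' && t.value === v;
  const next = () => {
    if (pos >= toks.length) throw new SyntaxError('unexpected end of input');
    return toks[pos++];
  };

  const first = peek();
  if (first === undefined || first.type !== 'ident' || first.value !== 'import')
    throw new SyntaxError('example only handles items starting with import');

  // Rule 2: [lookahead != (] selects the import declaration path.
  if (!isPunct(peek(1), '(')) {
    next();                                            // consume `import`
    let specifier = null;
    while (pos < toks.length) {                        // scan to the module specifier
      const t = next();
      if (t.type === 'string') { specifier = t.value; break; }
    }
    if (specifier === null) throw new SyntaxError('import declaration without module specifier');
    return { type: 'ImportDeclaration', specifier };
  }

  next(); next();                                      // consume `import` `(`
  const spec = next();
  if (spec.type !== 'string') throw new SyntaxError('import() expects a string specifier here');
  if (!isPunct(next(), ')')) throw new SyntaxError('expected ) after import specifier');

  // Rule 1: do not return yet; keep consuming member-expression suffixes.
  const chain = [];
  while (isPunct(peek(), '.')) {
    next();
    const prop = next();
    if (prop.type !== 'ident') throw new SyntaxError('expected property name after .');
    chain.push(prop.value);
    if (isPunct(peek(), '(')) {                        // skip a balanced argument list
      let depth = 0;
      do {
        const t = next();
        if (isPunct(t, '(')) depth++;
        else if (isPunct(t, ')')) depth--;
      } while (depth > 0);
    }
  }
  return { type: 'ImportCall', specifier: spec.value, chain };
}

// Constructed inputs mirroring the two snippets in the ChangeLog entry.
const examples = [
  'import("./a.js").then(function () {\n});',
  'import("./a.js")  // module top level statement.',
  'import { a } from "./a.js";',
];
for (const src of examples) console.log(JSON.stringify(parseModuleItem(src)));
```

An unbalanced argument list such as `import("./a.js").then(` raises a SyntaxError from the skip loop rather than being silently accepted.
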
2017-01-20  Joseph Pecoraro  <pecoraro@apple.com>

        Remove outdated ENABLE(CSP_NEXT) build flag
        https://bugs.webkit.org/show_bug.cgi?id=167252

        Reviewed by Brent Fulgham.

        * Configurations/FeatureDefines.xcconfig:

2017-01-20  Saam Barati  <sbarati@apple.com>

        We should flash a safepoint before each DFG/FTL phase
        https://bugs.webkit.org/show_bug.cgi?id=167234

        Reviewed by Filip Pizlo.

        The recent GC changes caused us to regress Kraken because of a
        longstanding issue that happened to be hit with higher frequency because
        of a change in timing between when a particular GC was happening and
        when a particular FTL compilation was happening. The regression is caused
        by the GC waiting for a large function to make it through the DFG portion
        of an FTL compilation. This was taking 20ms-30ms and started happening during a
        particular test with much higher frequency.

        This means that anytime the GC waits for this compilation, the test ran at least
        ~20ms slower because while the GC waits for the compiler threads the mutator is stopped.

        It's good that we have such an easily reproducible case of this performance
        issue because it will affect many real JS programs, especially ones with
        large functions that get hot.

        The most straightforward solution to fix this is to flash a safepoint before
        each phase, allowing the GC to suspend the compiler if needed. In my testing,
        this progresses Kraken in the browser, and doesn't regress anything else. This
        solution also makes the most sense. I did some analysis on the compilation time
        of this function that took ~20-30ms to pass through the DFG phases, and
        the phase times were mostly evenly distributed. Some took longer than others,
        but no phase was longer than 3ms. Most were in the 0.25ms to 1.5ms range.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGSafepoint.cpp:
        (JSC::DFG::Safepoint::begin):
        * runtime/Options.h:

2017-01-20  Skachkov Oleksandr  <gskachkov@gmail.com>

        Super property access in base class constructor doesn't work
        https://bugs.webkit.org/show_bug.cgi?id=166665

        Reviewed by Ryosuke Niwa.

        Allow using super inside the constructor for classes
        without a parent class.
        The parser checks if super is used within the constructor and
        adds this information to the function metadata, and later it is used
        during bytecode generation.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ClassExprNode::emitBytecode):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseFunctionBody):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        * parser/Parser.h:
        (JSC::Scope::usesEval):
        (JSC::Scope::fillParametersForSourceProviderCache):
        (JSC::Scope::restoreFromSourceProviderCache):
        (JSC::Parser::adjustSuperBindingForBaseConstructor):
        * parser/SourceProviderCacheItem.h:
        (JSC::SourceProviderCacheItem::SourceProviderCacheItem):

2017-01-19  Chris Dumez  <cdumez@apple.com>

        iterable<> should be enabled on WK1
        https://bugs.webkit.org/show_bug.cgi?id=167221
        <rdar://problem/30108531>

        Reviewed by Youenn Fablet.

        * runtime/CommonIdentifiers.h:

2017-01-19  Filip Pizlo  <fpizlo@apple.com>

        Structure::pin() needs to be called while holding a lock
        https://bugs.webkit.org/show_bug.cgi?id=167220

        Reviewed by Saam Barati.

        Imagine this race: the mutator calls pin() and the collector calls visitChildren(),
        on the same Structure at the same time. In trunk pin() does not require a lock to be
        held and it doesn't grab any locks. Meanwhile visitChildren() grabs the lock, checks
        if the structure is pinned, and if not, it removes it by overwriting with zero. Now
        imagine how this plays out when pin() runs. Since pin() grabs no locks, it is
        irrelevant that visitChildren() grabs any locks. So, visitChildren() might check if
        the table is pinned before pin() pins it, and then clear the table after it was
        already pinned.

        The problem here is that pin() should be holding a lock. We could either make pin()
        grab that lock by itself, or, as this patch does, make the caller grab the lock.
        This is great because it means that sometimes we don't have to introduce any new
        locking.

        This fixes a materializePropertyTable() checkOffsetConsistency() crash that happens
        very rarely, but I was able to get it to reproduce with run-webkit-tests and
        aggressive GC settings.

        * runtime/ConcurrentJSLock.h:
        * runtime/Structure.cpp:
        (JSC::Structure::materializePropertyTable):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::pin):
        (JSC::Structure::pinForCaching):
        (JSC::Structure::add):
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::checkOffsetConsistency):
        (JSC::Structure::add):
        (JSC::Structure::addPropertyWithoutTransition):

2017-01-19  Filip Pizlo  <fpizlo@apple.com>

        The mutator needs to fire a barrier after memmoving stuff around in an object that the GC scans
        https://bugs.webkit.org/show_bug.cgi?id=167208

        Reviewed by Saam Barati.

        It used to be that if you moved a value from one place to another in the same object
        then there was no need for a barrier because the generational GC would have no need to
        know that some old object still continues to refer to the same other old object.

        But the concurrent GC might scan that object as the mutator moves pointers around in
        it. If the ordering is right, this could mean that the collector never sees some of
        those pointers. This can be fixed by adding a barrier.

        This fixes the most obvious cases I found. There may be more and I'll continue to
        audit. Most of the other memmove users seem to already use some kind of synchronization
        to prevent this. For example, this can also be fixed by just holding the cell lock
        around the memmove since we're dealing with indexing storage and the GC reads that
        under the cell lock.

        * runtime/JSArray.cpp:
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithAnyIndexingType):

2017-01-19  Myles C. Maxfield  <mmaxfield@apple.com>

        [Cocoa] Variation fonts are erroneously disabled on iOS
        https://bugs.webkit.org/show_bug.cgi?id=167172

        Reviewed by Simon Fraser.

        OpenSource builders don't seem to understand sdk=embedded*.

        * Configurations/FeatureDefines.xcconfig:

2017-01-19  Skachkov Oleksandr  <gskachkov@gmail.com>

        "this" missing after await in async arrow function
        https://bugs.webkit.org/show_bug.cgi?id=166919

        Reviewed by NOBODY Saam Barati.

        This patch fixes an issue in async arrow functions. The issue appears because in an arrow
        function _this_ is loaded from the arrow function's virtual scope.
        An async arrow function can be suspended, and when resuming, _this_ from the
        virtual scope should be used; to allow this we load _this_ from the virtual scope before storing it to the
        generator.generatorThis property.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionNode::emitBytecode):

2017-01-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        [B3] B3 strength reduction could encounter Value without owner in PureCSE
        https://bugs.webkit.org/show_bug.cgi?id=167161

        Reviewed by Filip Pizlo.

        PureCSE relies on the fact that all the stored Values have an owner member.
        This assumption is broken when you execute specializeSelect in the B3ReduceStrength phase.
        It clears the owner of Values which are in between Select and Check to clone them to the then/else
        blocks. If these cleared Values are already stored in the PureCSE map, this map possesses a Value
        with nullptr owner in PureCSE.

        This patch changes PureCSE to ignore stored Values that have a nullptr owner. This even means
        that a client of PureCSE could deliberately null the owner if they wanted to signal that the
        Value should be ignored.

        While PureCSE ignores the chance for optimization if a Value's owner is nullptr, in the current
        strength reduction algorithm this does not hurt optimization because CSE will eventually be
        applied since the strength reduction phase wants to reach a fixed point. But even without
        these iterations, our result itself is valid since PureCSE is allowed to be conservative.

        * b3/B3PureCSE.cpp:
        (JSC::B3::PureCSE::findMatch):
        (JSC::B3::PureCSE::process):
        * b3/testb3.cpp:
        (JSC::B3::testCheckSelectAndCSE):
        (JSC::B3::run):

2017-01-18  Filip Pizlo  <fpizlo@apple.com>

        JSSegmentedVariableObject and its subclasses should have a sane destruction story
        https://bugs.webkit.org/show_bug.cgi?id=167193

        Reviewed by Saam Barati.

        Prior to this change, JSSegmentedVariableObject's subclasses installed finalizers that called
        destroy. They did this in random ways, which sometimes resulted in
        JSSegmentedVariableObject::~JSSegmentedVariableObject executing more than once (which worked
        because of the way that ~SegmentedVector is written). Maybe this works now, but it's a disaster
        waiting to happen.

        Fortunately we can now just give those things their own Subspace and teach it its own protocol of
        destruction. This change introduces JSSegmentedVariableObjectSubspace and stashes an m_classInfo
        in JSSegmentedVariableObject. Now, subclasses of JSSegmentedVariableObject are destructible in
        much the same way as JSDestructibleObject without having to be subclasses of
        JSDestructibleObject.

        * API/JSCallbackObject.cpp:
        (JSC::JSCallbackObject<JSGlobalObject>::create):
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jsc.cpp:
        (GlobalObject::create):
        * runtime/JSGlobalLexicalEnvironment.h:
        (JSC::JSGlobalLexicalEnvironment::create):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::create):
        (JSC::JSGlobalObject::finishCreation):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::create): Deleted.
        (JSC::JSGlobalObject::finishCreation): Deleted.
        * runtime/JSSegmentedVariableObject.cpp:
        (JSC::JSSegmentedVariableObject::destroy):
        (JSC::JSSegmentedVariableObject::JSSegmentedVariableObject):
        (JSC::JSSegmentedVariableObject::~JSSegmentedVariableObject):
        (JSC::JSSegmentedVariableObject::finishCreation):
        * runtime/JSSegmentedVariableObject.h:
        (JSC::JSSegmentedVariableObject::subspaceFor):
        (JSC::JSSegmentedVariableObject::classInfo):
        (JSC::JSSegmentedVariableObject::JSSegmentedVariableObject): Deleted.
        (JSC::JSSegmentedVariableObject::finishCreation): Deleted.
        * runtime/JSSegmentedVariableObjectSubspace.cpp: Added.
        (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace):
        (JSC::JSSegmentedVariableObjectSubspace::~JSSegmentedVariableObjectSubspace):
        (JSC::JSSegmentedVariableObjectSubspace::finishSweep):
        (JSC::JSSegmentedVariableObjectSubspace::destroy):
        * runtime/JSSegmentedVariableObjectSubspace.h: Added.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * testRegExp.cpp:
        (GlobalObject::create):

2017-01-18  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: console.table only works for the first 5 properties
        https://bugs.webkit.org/show_bug.cgi?id=167175

        Reviewed by Timothy Hatcher.

        * inspector/InjectedScriptSource.js:
        (InjectedScript.prototype.wrapTable):
        (InjectedScript.RemoteObject.createObjectPreviewForValue):
        (InjectedScript.RemoteObject.prototype._appendPropertyPreviews):
        Pass through secondLevelKeys. Though the keys are themselves ignored, the
        existence is a signal that we should send more than the first 5 properties.

2017-01-18  Antti Koivisto  <antti@apple.com>

        Only delete source provider caches on full collection
        https://bugs.webkit.org/show_bug.cgi?id=167173

        Reviewed by Andreas Kling.

        They are currently often wiped and recreated during page loading due to eden collections.

        It is not clear that tying the lifetime of these caches to gc makes sense at all but this
        should at least help some.

        * heap/Heap.cpp:
        (JSC::Heap::deleteSourceProviderCaches):

2017-01-18  Filip Pizlo  <fpizlo@apple.com>

        JSObjectSetPrivate should not use jsCast<>
        rdar://problem/30069096

        Reviewed by Keith Miller.

        * API/JSObjectRef.cpp:
        (JSObjectSetPrivate):

2017-01-18  Brian Burg  <bburg@apple.com>

        Web Inspector: remove an unnecessary include in generated Objective-C Inspector protocol code
        https://bugs.webkit.org/show_bug.cgi?id=167156

        Rubber-stamped by Geoffrey Garen.

        * inspector/scripts/codegen/objc_generator_templates.py:
        This include of config.h doesn't make sense when using the code generator
        outside of JavaScriptCore/WebKit. It is not necessary either, so remove it.

        * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/generic/expected/enum-values.json-result:
        * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
        * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
        Rebaseline test results.

2017-01-18  Csaba Osztrogonác  <ossy@webkit.org>

        Fix the JSCOnly build after r210844
        https://bugs.webkit.org/show_bug.cgi?id=167155

        Unreviewed buildfix.

        * heap/EdenGCActivityCallback.cpp:

2017-01-16  Filip Pizlo  <fpizlo@apple.com>

        Make opaque root scanning truly constraint-based
        https://bugs.webkit.org/show_bug.cgi?id=165760

        Reviewed by Geoffrey Garen.

        We have bugs when visitChildren() changes its mind about what opaque root to add, since
        we don't have barriers on opaque roots. This supposedly once worked for generational GC,
        and I started adding more barriers to support concurrent GC. But I think that the real
        bug here is that we want the JSObject->OpaqueRoot to be evaluated as a constraint that
        participates in the fixpoint. I like to think of this as an *output* constraint, because it
        is concerned with outgoing edges in the heap from the object that registered the constraint.
        An *input* constraint is like what Weak<> does when deciding whether the thing it points to
        should be live.

        Whether or not an object has output constraints depends on its type. So, we want the GC to
        have a feature where we rapidly call some function on all marked objects of some type.

        It's easy to rapidly scan all marked objects in a MarkedBlock. So, we want to allocate all
        objects that have output constraints in their own MarkedBlocks and we want to track the set
        of MarkedBlocks with output constraints.

        This patch makes it easy to have clients of JSC's internal C++ APIs create a Subspace - like
        what we used to call MarkedSpace::Subspace but now it's in the JSC namespace - which is
        a collection of objects that you can easily scan during GC from a MarkingConstraint. It's
        now possible for internal C++ API clients to register their own MarkingConstraints. The DOM
        now uses this to create two Subspaces (more on why two below) and it calls
        JSCell::visitOutputConstraints() on all of the marked objects in those subspaces using a new
        MarkingConstraint. That MarkingConstraint uses a new style of volatility, called
        SeldomGreyed, which is like GreyedByExecution except it is opportunistically not executed
        as roots in the hopes that their sole execution will be the snapshot-at-the-end. I also
        converted the CodeBlock rescan constraint to SeldomGreyed, since that's also an output
        constraint.

        This patch also uses Subspace for something pretty obvious: knowing how to call the
        destructor. Subspaces can specialize the sweep for their way of invoking destructors. We
        have the following subspaces:

        - auxiliary
        - cell
        - destructibleCell - for JSCell subclasses that have destructors and StructureIsImmortal
        - stringSpace - inlines ~JSString into the sweep, making string allocation 7% faster
        - destructibleObjectSpace - for JSDestructibleObject subclasses

        And WebCore adds:

        - outputConstraint - for JSDOMObjects that have a visitAdditionalChildren
        - globalObjectOutputConstraint - for JSDOMGlobalObjects that have a visitAdditionalChildren,
          since JSDOMGlobalObjects are not JSDestructibleObjects

        The Subspace for a type is selected by saying JSC::subspaceFor<Type>(vm). This calls
        Type::subspaceFor<Type>(vm). This allows cell classes to override subspaceFor<> and it
        allows any subspaceFor<> implementation to query static flags in the type. This is how
        JSCell::subspaceFor<> can select either cellSpace or destructibleCellSpace.

        This patch is mostly about:

        - Moving MarkedSpace::Subspace out of MarkedSpace and making it a nice class with a nice
          API. Almost all of its functionality is just taken out of MarkedSpace.
        - Converting users of the old API for allocating objects and getting MarkedAllocators, like
          heap.allocatorForObjectWithoutDestructor() and its friends. That would now say
          vm.cellSpace.allocatorFor().

        Altogether, this means that we only have a small regression on Dromaeo. The regression is
        due to the fact that we scan output constraints. Before the Subspace optimizations (see
        r209766, which was rolled out in r209812), this regression on Dromaeo/jslib was 2x but after
        the optimizations in this patch it's only 1.12x. Note that Dromaeo/jslib creates gigabytes of
        DOM nodes. Compared to web pages, this is a very extreme synthetic microbenchmark. Still, we
        like optimizing these because we don't want to presume what web pages will look like.

        The use of Subspaces to specialize destructors happened not because it's super necessary but
        because I wanted to introduce a single unified way of communicating to the GC how to treat
        different types. Any Subspace feature that allowed us to collect some types together would
        have to be mindful of the destructorness of objects. I could have turned this into a
        liability where each Subspace has two subsubspaces - one for destructor objects and one for
        non-destructor objects, which would have allowed me to keep the old sweep specialization
        code. Just days prior, mlam wanted to do something that was hard because of that old sweep
        specializer, so I decided to take the opportunity to fix the sweep specializer while also
        making Subspace be the one true way of teaching the GC about types. To validate that this
        actually does things, I added a JSStringSubspace and a test that shows that this is a 7%
        string allocation progression.

        In bug 167066, I'm getting rid of the rest of the code in JSC that would special-case for
        JSDestructibleObject vs StructureIsImmortal by using the GC's DestructionMode. After that,
        Subspace will be the only mechanism by which JSC uses the GC to encode types.

        Prior to this change, having multiple MarkedSpace::Subspaces would have been expensive
        because they create a bunch of MarkedAllocators upfront. We now have the ability to create
        MarkedAllocators lazily. We create them on the first allocation from that size class or when
        a JIT asks for the MarkedAllocator. The concurrent JITs can ask for MarkedAllocators because
        their creation is under a lock.

        On my machine, this might be a 1.1% JetStream speed-up with 87% confidence and it might be
        a 0.4% PLT3 slow-down with 92% confidence. Note that 0.4% on PLT3 is the level of systematic
        error on PLT3 on my computer: I've seen definite 0.4% speed-ups and slow-downs that were not
        confirmed by any bot. Let's see what the bots say.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/ObjectAllocationProfile.h:
        (JSC::ObjectAllocationProfile::initialize):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::generateImpl):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
        (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
        (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
        (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
        (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
        * heap/AllocatorAttributes.h:
        (JSC::AllocatorAttributes::AllocatorAttributes):
        * heap/ConstraintVolatility.h: Added.
        (WTF::printInternal):
        * heap/GCActivityCallback.cpp:
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::lastChanceToFinalize):
        (JSC::Heap::markToFixpoint):
        (JSC::Heap::updateObjectCounts):
        (JSC::Heap::collectAllGarbage):
        (JSC::Heap::collectInThread):
        (JSC::Heap::stopTheWorld):
        (JSC::Heap::updateAllocationLimits):
        (JSC::Heap::bytesVisited):
        (JSC::Heap::addCoreConstraints):
        (JSC::Heap::addMarkingConstraint):
        (JSC::Heap::notifyIsSafeToCollect):
        (JSC::Heap::preventCollection):
        (JSC::Heap::allowCollection):
        (JSC::Heap::setMutatorShouldBeFenced):
        (JSC::Heap::buildConstraintSet): Deleted.
        (JSC::Heap::writeBarrierOpaqueRootSlow): Deleted.
        (JSC::Heap::addMutatorShouldBeFencedCache): Deleted.
        * heap/Heap.h:
        (JSC::Heap::mutatorExecutionVersion):
        (JSC::Heap::numOpaqueRoots):
        (JSC::Heap::vm): Deleted.
        (JSC::Heap::subspaceForObjectWithoutDestructor): Deleted.
        (JSC::Heap::subspaceForObjectDestructor): Deleted.
        (JSC::Heap::subspaceForAuxiliaryData): Deleted.
        (JSC::Heap::allocatorForObjectWithoutDestructor): Deleted.
        (JSC::Heap::allocatorForObjectWithDestructor): Deleted.
        (JSC::Heap::allocatorForAuxiliaryData): Deleted.
        * heap/HeapInlines.h:
        (JSC::Heap::vm):
        (JSC::Heap::allocateWithDestructor): Deleted.
        (JSC::Heap::allocateWithoutDestructor): Deleted.
        (JSC::Heap::allocateObjectOfType): Deleted.
        (JSC::Heap::subspaceForObjectOfType): Deleted.
        (JSC::Heap::allocatorForObjectOfType): Deleted.
        (JSC::Heap::allocateAuxiliary): Deleted.
        (JSC::Heap::tryAllocateAuxiliary): Deleted.
        (JSC::Heap::tryReallocateAuxiliary): Deleted.
        (JSC::Heap::ascribeOwner): Deleted.
        (JSC::Heap::writeBarrierOpaqueRoot): Deleted.
        * heap/LargeAllocation.cpp:
        (JSC::LargeAllocation::tryCreate):
        (JSC::LargeAllocation::LargeAllocation):
        (JSC::LargeAllocation::~LargeAllocation):
        (JSC::LargeAllocation::sweep):
        * heap/LargeAllocation.h:
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::MarkedAllocator):
        (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
        (JSC::MarkedAllocator::tryAllocateIn):
        (JSC::MarkedAllocator::allocateSlowCaseImpl):
        (JSC::MarkedAllocator::tryAllocateBlock):
        (JSC::MarkedAllocator::shrink):
        (JSC::MarkedAllocator::markedSpace):
        * heap/MarkedAllocator.h:
        (JSC::MarkedAllocator::nextAllocatorInSubspace):
        (JSC::MarkedAllocator::setNextAllocatorInSubspace):
        (JSC::MarkedAllocator::subspace):
        (JSC::MarkedAllocator::tryAllocate): Deleted.
        (JSC::MarkedAllocator::allocate): Deleted.
        (JSC::MarkedAllocator::forEachBlock): Deleted.
        * heap/MarkedAllocatorInlines.h: Added.
        (JSC::MarkedAllocator::tryAllocate):
        (JSC::MarkedAllocator::allocate):
        (JSC::MarkedAllocator::forEachBlock):
        (JSC::MarkedAllocator::forEachNotEmptyBlock):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::Handle::subspace):
        (JSC::MarkedBlock::Handle::sweep):
        (JSC::MarkedBlock::Handle::specializedSweep): Deleted.
        (JSC::MarkedBlock::Handle::sweepHelperSelectScribbleMode): Deleted.
        (JSC::MarkedBlock::Handle::sweepHelperSelectEmptyMode): Deleted.
        (JSC::MarkedBlock::Handle::sweepHelperSelectHasNewlyAllocated): Deleted.
        (JSC::MarkedBlock::Handle::sweepHelperSelectSweepMode): Deleted.
        (JSC::MarkedBlock::Handle::sweepHelperSelectMarksMode): Deleted.
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::Handle::visitWeakSet):
        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::Handle::isNewlyAllocatedStale):
        (JSC::MarkedBlock::Handle::hasAnyNewlyAllocated):
        (JSC::MarkedBlock::heap):
        (JSC::MarkedBlock::space):
        (JSC::MarkedBlock::Handle::space):
        (JSC::MarkedBlock::Handle::specializedSweep):
        (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace):
        (JSC::MarkedBlock::Handle::sweepDestructionMode):
        (JSC::MarkedBlock::Handle::emptyMode):
        (JSC::MarkedBlock::Handle::scribbleMode):
        (JSC::MarkedBlock::Handle::newlyAllocatedMode):
        (JSC::MarkedBlock::Handle::marksMode):
        (JSC::MarkedBlock::Handle::forEachMarkedCell):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::initializeSizeClassForStepSize):
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::lastChanceToFinalize):
        (JSC::MarkedSpace::addMarkedAllocator):
        (JSC::MarkedSpace::allocate): Deleted.
        (JSC::MarkedSpace::tryAllocate): Deleted.
        (JSC::MarkedSpace::allocateLarge): Deleted.
        (JSC::MarkedSpace::tryAllocateLarge): Deleted.
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::heap):
        (JSC::MarkedSpace::allocatorLock):
        (JSC::MarkedSpace::subspaceForObjectsWithDestructor): Deleted.
        (JSC::MarkedSpace::subspaceForObjectsWithoutDestructor): Deleted.
        (JSC::MarkedSpace::subspaceForAuxiliaryData): Deleted.
        (JSC::MarkedSpace::allocatorFor): Deleted.
        (JSC::MarkedSpace::destructorAllocatorFor): Deleted.
        (JSC::MarkedSpace::auxiliaryAllocatorFor): Deleted.
        (JSC::MarkedSpace::allocateWithoutDestructor): Deleted.
        (JSC::MarkedSpace::allocateWithDestructor): Deleted.
        (JSC::MarkedSpace::allocateAuxiliary): Deleted.
        (JSC::MarkedSpace::tryAllocateAuxiliary): Deleted.
        (JSC::MarkedSpace::forEachSubspace): Deleted.
        * heap/MarkingConstraint.cpp:
        (JSC::MarkingConstraint::MarkingConstraint):
        * heap/MarkingConstraint.h:
        (JSC::MarkingConstraint::volatility):
        * heap/MarkingConstraintSet.cpp:
        (JSC::MarkingConstraintSet::resetStats):
        (JSC::MarkingConstraintSet::add):
        (JSC::MarkingConstraintSet::executeConvergenceImpl):
        * heap/MarkingConstraintSet.h:
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::visitChildren):
        (JSC::SlotVisitor::visitAsConstraint):
        (JSC::SlotVisitor::drain):
627         (JSC::SlotVisitor::visitAsConstraint):
628         (JSC::SlotVisitor::drain):
629         (JSC::SlotVisitor::addOpaqueRoot):
630         (JSC::SlotVisitor::mergeIfNecessary):
631         (JSC::SlotVisitor::mergeOpaqueRootsIfNecessary): Deleted.
632         * heap/SlotVisitor.h:
633         (JSC::SlotVisitor::setIgnoreNewOpaqueRoots):
634         * heap/SlotVisitorInlines.h:
635         (JSC::SlotVisitor::reportExtraMemoryVisited):
636         (JSC::SlotVisitor::reportExternalMemoryVisited):
637         * heap/Subspace.cpp: Added.
638         (JSC::Subspace::Subspace):
639         (JSC::Subspace::~Subspace):
640         (JSC::Subspace::finishSweep):
641         (JSC::Subspace::destroy):
642         (JSC::Subspace::allocate):
643         (JSC::Subspace::tryAllocate):
644         (JSC::Subspace::allocatorForSlow):
645         (JSC::Subspace::allocateSlow):
646         (JSC::Subspace::tryAllocateSlow):
647         * heap/Subspace.h: Added.
648         (JSC::Subspace::tryAllocatorFor):
649         (JSC::Subspace::allocatorFor):
650         * heap/SubspaceInlines.h: Added.
651         (JSC::Subspace::forEachMarkedBlock):
652         (JSC::Subspace::forEachNotEmptyMarkedBlock):
653         (JSC::Subspace::forEachLargeAllocation):
654         (JSC::Subspace::forEachMarkedCell):
655         * heap/WeakBlock.cpp:
656         (JSC::WeakBlock::specializedVisit):
657         * heap/WeakBlock.h:
658         * heap/WeakSet.h:
659         (JSC::WeakSet::visit):
660         * jit/AssemblyHelpers.h:
661         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
662         (JSC::AssemblyHelpers::emitAllocateVariableSized):
663         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
664         * jit/JITOpcodes.cpp:
665         (JSC::JIT::emit_op_new_object):
666         * jsc.cpp:
667         * runtime/ButterflyInlines.h:
668         (JSC::Butterfly::createUninitialized):
669         (JSC::Butterfly::growArrayRight):
670         * runtime/ClassInfo.h:
671         * runtime/ClonedArguments.cpp:
672         (JSC::ClonedArguments::createEmpty):
673         * runtime/DirectArguments.cpp:
674         (JSC::DirectArguments::overrideThings):
675         * runtime/GenericArgumentsInlines.h:
676         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
677         * runtime/HashMapImpl.h:
678         (JSC::HashMapBuffer::create):
679         * runtime/JSArray.cpp:
680         (JSC::JSArray::tryCreateUninitialized):
681         (JSC::JSArray::unshiftCountSlowCase):
682         * runtime/JSArrayBufferView.cpp:
683         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
684         * runtime/JSCell.h:
685         (JSC::subspaceFor):
686         * runtime/JSCellInlines.h:
687         (JSC::JSCell::visitOutputConstraints):
688         (JSC::JSCell::subspaceFor):
689         (JSC::allocateCell):
690         * runtime/JSDestructibleObject.h:
691         (JSC::JSDestructibleObject::subspaceFor):
692         * runtime/JSDestructibleObjectSubspace.cpp: Added.
693         (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace):
694         (JSC::JSDestructibleObjectSubspace::~JSDestructibleObjectSubspace):
695         (JSC::JSDestructibleObjectSubspace::finishSweep):
696         (JSC::JSDestructibleObjectSubspace::destroy):
697         * runtime/JSDestructibleObjectSubspace.h: Added.
698         * runtime/JSObject.h:
699         (JSC::JSObject::JSObject):
700         * runtime/JSObjectInlines.h:
701         * runtime/JSSegmentedVariableObject.h:
702         * runtime/JSString.h:
703         (JSC::JSString::subspaceFor):
704         * runtime/JSStringSubspace.cpp: Added.
705         (JSC::JSStringSubspace::JSStringSubspace):
706         (JSC::JSStringSubspace::~JSStringSubspace):
707         (JSC::JSStringSubspace::finishSweep):
708         (JSC::JSStringSubspace::destroy):
709         * runtime/JSStringSubspace.h: Added.
710         * runtime/RegExpMatchesArray.h:
711         (JSC::tryCreateUninitializedRegExpMatchesArray):
712         * runtime/VM.cpp:
713         (JSC::VM::VM):
714         * runtime/VM.h:
715
716 2017-01-17  Michael Saboff  <msaboff@apple.com>
717
718         Nested parenthesized regular expressions with non-zero minimum counts appear to hang and use lots of memory
719         https://bugs.webkit.org/show_bug.cgi?id=167125
720
721         Reviewed by Filip Pizlo.
722
723         Changed Yarr to handle nested parenthesized subexpressions where the minimum count is
724         not 0 directly in the Yarr interpreter.  Previously we'd factor an expression like
725         (a|b)+ into (a|b)(a|b)* with special handling for captures.  This factoring was done
726         using a deep copy that doubled the size of the resulting expression for each nested
727         parenthesized subexpression.  Now the Yarr interpreter can directly process a regexp
728         like (a|b){2,42}.
729
730         The parser will allow one level of nested, non-zero minimum, counted parenthesis using
731         the old copy method.  After one level, it will generate parenthesis terms with a non-zero
732         minimum.  Such an expression wasn't handled by the Yarr JIT before the change, so this
733         change isn't a performance regression.
734
735         Added a minimum count to the YarrPattern and ByteTerm classes, and then factored that
736         minimum into the interpreter.  A non-zero minimum is only handled by the Yarr interpreter.
737         If the Yarr JIT sees such a term, it punts back to the interpreter.
738
739         * yarr/YarrInterpreter.cpp:
740         (JSC::Yarr::Interpreter::backtrackPatternCharacter):
741         (JSC::Yarr::Interpreter::backtrackPatternCasedCharacter):
742         (JSC::Yarr::Interpreter::matchCharacterClass):
743         (JSC::Yarr::Interpreter::backtrackCharacterClass):
744         (JSC::Yarr::Interpreter::matchBackReference):
745         (JSC::Yarr::Interpreter::backtrackBackReference):
746         (JSC::Yarr::Interpreter::matchParenthesesOnceBegin):
747         (JSC::Yarr::Interpreter::matchParenthesesOnceEnd):
748         (JSC::Yarr::Interpreter::backtrackParenthesesOnceBegin):
749         (JSC::Yarr::Interpreter::backtrackParenthesesOnceEnd):
750         (JSC::Yarr::Interpreter::matchParenthesesTerminalBegin):
751         (JSC::Yarr::Interpreter::backtrackParenthesesTerminalBegin):
752         (JSC::Yarr::Interpreter::matchParentheticalAssertionBegin):
753         (JSC::Yarr::Interpreter::matchParentheticalAssertionEnd):
754         (JSC::Yarr::Interpreter::backtrackParentheticalAssertionBegin):
755         (JSC::Yarr::Interpreter::backtrackParentheticalAssertionEnd):
756         (JSC::Yarr::Interpreter::matchParentheses):
757         (JSC::Yarr::Interpreter::backtrackParentheses):
758         (JSC::Yarr::Interpreter::matchDisjunction):
759         (JSC::Yarr::ByteCompiler::atomPatternCharacter):
760         (JSC::Yarr::ByteCompiler::atomCharacterClass):
761         (JSC::Yarr::ByteCompiler::atomBackReference):
762         (JSC::Yarr::ByteCompiler::atomParentheticalAssertionEnd):
763         (JSC::Yarr::ByteCompiler::atomParenthesesSubpatternEnd):
764         (JSC::Yarr::ByteCompiler::atomParenthesesOnceEnd):
765         (JSC::Yarr::ByteCompiler::atomParenthesesTerminalEnd):
766         (JSC::Yarr::ByteCompiler::emitDisjunction):
767         * yarr/YarrInterpreter.h:
768         (JSC::Yarr::ByteTerm::ByteTerm):
769         * yarr/YarrJIT.cpp:
770         (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
771         (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
772         (JSC::Yarr::YarrGenerator::generatePatternCharacterGreedy):
773         (JSC::Yarr::YarrGenerator::backtrackPatternCharacterNonGreedy):
774         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
775         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
776         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
777         (JSC::Yarr::YarrGenerator::generateTerm):
778         (JSC::Yarr::YarrGenerator::backtrackTerm):
779         (JSC::Yarr::YarrGenerator::generate):
780         (JSC::Yarr::YarrGenerator::backtrack):
781         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
782         * yarr/YarrPattern.cpp:
783         (JSC::Yarr::YarrPatternConstructor::copyTerm):
784         (JSC::Yarr::YarrPatternConstructor::quantifyAtom):
785         (JSC::Yarr::YarrPatternConstructor::checkForTerminalParentheses):
786         (JSC::Yarr::YarrPattern::YarrPattern):
787         * yarr/YarrPattern.h:
788         (JSC::Yarr::PatternTerm::PatternTerm):
789         (JSC::Yarr::PatternTerm::quantify):
790         (JSC::Yarr::YarrPattern::reset):
791
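The factoring this entry describes, modelled as an added example (constructed here, not JavaScriptCore's code): a term tree in which a quantified group carries (min, max), the old expansion of a non-zero minimum into deep copies, and the resulting term counts for nested (...)+ groups. The `copy_levels` parameter, which expands only the outermost levels by copying and keeps the minimum on deeper terms, is this model's assumption about the "one level" rule above, not a reading of YarrPattern.cpp.

```python
"""Model of the Yarr quantifier factoring described in the entry above.
Constructed illustration, not JavaScriptCore code. A pattern is a list of
terms; a Group carries its alternatives plus a (min, max) count. The old
strategy rewrote a group with min > 0 as `min` deep copies of the group
followed by one copy quantified {0, max - min}, e.g. (a|b)+ -> (a|b)(a|b)*.
Each nested level roughly doubles the result; keeping the minimum avoids it.
"""
import sys
from copy import deepcopy
from dataclasses import dataclass
from typing import List, Optional, Union

UNBOUNDED = None  # max count for '+', '*' and '{n,}'

@dataclass
class Atom:
    char: str

@dataclass
class Group:
    alternatives: List[list]  # each alternative is a list of terms
    min_count: int = 1
    max_count: Optional[int] = 1

Term = Union[Atom, Group]

def term_count(terms: List[Term]) -> int:
    """Number of terms in the tree: the quantity that blew up before the fix."""
    total = 0
    for t in terms:
        total += 1
        if isinstance(t, Group):
            total += sum(term_count(alt) for alt in t.alternatives)
    return total

def quantifier(min_count: int, max_count: Optional[int]) -> str:
    if (min_count, max_count) == (1, 1):
        return ""
    if max_count is None:
        return {0: "*", 1: "+"}.get(min_count, "{%d,}" % min_count)
    if (min_count, max_count) == (0, 1):
        return "?"
    return "{%d,%d}" % (min_count, max_count)

def render(terms: List[Term]) -> str:
    """Print a term list back as regexp source, for display and checking."""
    out = []
    for t in terms:
        if isinstance(t, Atom):
            out.append(t.char)
        else:
            body = "|".join(render(alt) for alt in t.alternatives)
            out.append("(" + body + ")" + quantifier(t.min_count, t.max_count))
    return "".join(out)

def factor(terms: List[Term], copy_levels: int, depth: int = 0) -> List[Term]:
    """Expand non-zero minimums by copying for the outermost `copy_levels`
    levels of nested counted groups; deeper levels keep the minimum on the
    term (the representation this patch adds).  copy_levels=0 never copies;
    a very large value is the pre-patch behaviour.  (Model assumption.)"""
    out: List[Term] = []
    for t in terms:
        if isinstance(t, Atom):
            out.append(t)
            continue
        counted = t.min_count > 0
        child_depth = depth + 1 if counted else depth
        alts = [factor(alt, copy_levels, child_depth) for alt in t.alternatives]
        if not counted or depth >= copy_levels:
            out.append(Group(alts, t.min_count, t.max_count))
            continue
        # (X){n,m}  ->  (X)(X)...(X)  [n copies]  followed by  (X){0,m-n}
        for _ in range(t.min_count):
            out.append(Group(deepcopy(alts), 1, 1))
        rest = None if t.max_count is None else t.max_count - t.min_count
        if rest is None or rest > 0:
            out.append(Group(deepcopy(alts), 0, rest))
    return out

def nested_plus(depth: int) -> List[Term]:
    """Build (a|b)+ wrapped in `depth - 1` further (...)+ groups."""
    terms: List[Term] = [Group([[Atom("a")], [Atom("b")]], 1, UNBOUNDED)]
    for _ in range(depth - 1):
        terms = [Group([terms], 1, UNBOUNDED)]
    return terms

def sizes(depth: int) -> tuple:
    """(direct, one-level copy, always copy) term counts for nested_plus(depth)."""
    pat = nested_plus(depth)
    return (term_count(factor(pat, 0)),
            term_count(factor(pat, 1)),
            term_count(factor(pat, sys.maxsize)))

if __name__ == "__main__":
    ab = [[Atom("a")], [Atom("b")]]
    print(render(factor([Group(ab, 1, UNBOUNDED)], 1)))  # (a|b)(a|b)*
    print(render(factor([Group(ab, 2, 42)], 1)))         # (a|b)(a|b)(a|b){0,40}
    for d in (1, 2, 4, 8, 12):
        print(d, sizes(d))  # always-copy column grows as 2**(d+2) - 2
```
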
792 2017-01-17  Joseph Pecoraro  <pecoraro@apple.com>
793
794         ENABLE(USER_TIMING) Not Defined for Apple Windows or OS X Ports
795         https://bugs.webkit.org/show_bug.cgi?id=116551
796         <rdar://problem/13949830>
797
798         Reviewed by Alex Christensen.
799
800         * Configurations/FeatureDefines.xcconfig:
801
802 2017-01-16  Filip Pizlo  <fpizlo@apple.com>
803
804         JSCell::classInfo() shouldn't have a bunch of mitigations for being called during destruction
805         https://bugs.webkit.org/show_bug.cgi?id=167066
806
807         Reviewed by Keith Miller and Michael Saboff.
808         
809         This reduces the size of JSCell::classInfo() by half and removes some checks that
810         this function previously had to do in case it was called from destructors.
811         
812         I changed all of the destructors so that they don't call JSCell::classInfo() and I
813         added an assertion to JSCell::classInfo() to catch cases where someone called it
814         from a destructor accidentally.
815         
816         This means that we only have one place in destruction that needs to know the class:
817         the sweeper's call to the destructor.
818         
819         One of the trickiest outcomes of this is the need to support inherits() tests in
820         JSObjectGetPrivate(), when it is called from the destructor callback on the object
821         being destructed. JSObjectGetPrivate() is undefined behavior anyway if you use it
822         on any dead-but-not-destructed object other than the one being destructed right
823         now. The purpose of the inherits() tests is to distinguish between different kinds
824         of CallbackObjects, which may have different kinds of base classes. I think that
825         this was always subtly wrong - for example, if the object being destructed is a
826         JSGlobalObject then it's not a DestructibleObject, is not in a destructor block,
827         but does not have an immortal Structure - so classInfo() is not valid. This fixes
828         the issue by having ~JSCallbackObject know its classInfo. It now stashes its
829         classInfo in VM so that JSObjectGetPrivate can use that classInfo if it detects
830         that it's being used on a currently-destructing object.
831         
832         That was the only really weird part of this patch. The rest is mostly removing
833         illegal uses of jsCast<> in destructors. There were a few other genuine uses of
834         classInfo() but they were in code that already knew how to get its classInfo()
835         using other means:
836         
837         - You can still say structure()->classInfo(), and I use this form in code that
838           knows that its StructureIsImmortal.
839         
840         - You can use this->classInfo() if it's overridden, like in subclasses of
841           JSDestructibleObject.
842         
843         Rolling this back in because I think I fixed the crashes.
844
845         * API/JSAPIWrapperObject.mm:
846         (JSAPIWrapperObjectHandleOwner::finalize):
847         * API/JSCallbackObject.h:
848         * API/JSCallbackObjectFunctions.h:
849         (JSC::JSCallbackObject<Parent>::~JSCallbackObject):
850         (JSC::JSCallbackObject<Parent>::init):
851         * API/JSObjectRef.cpp:
852         (classInfoPrivate):
853         (JSObjectGetPrivate):
854         (JSObjectSetPrivate):
855         * bytecode/EvalCodeBlock.cpp:
856         (JSC::EvalCodeBlock::destroy):
857         * bytecode/FunctionCodeBlock.cpp:
858         (JSC::FunctionCodeBlock::destroy):
859         * bytecode/ModuleProgramCodeBlock.cpp:
860         (JSC::ModuleProgramCodeBlock::destroy):
861         * bytecode/ProgramCodeBlock.cpp:
862         (JSC::ProgramCodeBlock::destroy):
863         * bytecode/UnlinkedEvalCodeBlock.cpp:
864         (JSC::UnlinkedEvalCodeBlock::destroy):
865         * bytecode/UnlinkedFunctionCodeBlock.cpp:
866         (JSC::UnlinkedFunctionCodeBlock::destroy):
867         * bytecode/UnlinkedFunctionExecutable.cpp:
868         (JSC::UnlinkedFunctionExecutable::destroy):
869         * bytecode/UnlinkedModuleProgramCodeBlock.cpp:
870         (JSC::UnlinkedModuleProgramCodeBlock::destroy):
871         * bytecode/UnlinkedProgramCodeBlock.cpp:
872         (JSC::UnlinkedProgramCodeBlock::destroy):
873         * heap/CodeBlockSet.cpp:
874         (JSC::CodeBlockSet::lastChanceToFinalize):
875         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
876         * heap/MarkedAllocator.cpp:
877         (JSC::MarkedAllocator::allocateSlowCaseImpl):
878         * heap/MarkedBlock.cpp:
879         (JSC::MarkedBlock::Handle::sweep):
880         * jit/JITThunks.cpp:
881         (JSC::JITThunks::finalize):
882         * runtime/AbstractModuleRecord.cpp:
883         (JSC::AbstractModuleRecord::destroy):
884         * runtime/ExecutableBase.cpp:
885         (JSC::ExecutableBase::clearCode):
886         * runtime/JSCellInlines.h:
887         (JSC::JSCell::classInfo):
888         (JSC::JSCell::callDestructor):
889         * runtime/JSLock.h:
890         (JSC::JSLock::ownerThread):
891         * runtime/JSModuleNamespaceObject.cpp:
892         (JSC::JSModuleNamespaceObject::destroy):
893         * runtime/JSModuleRecord.cpp:
894         (JSC::JSModuleRecord::destroy):
895         * runtime/JSPropertyNameEnumerator.cpp:
896         (JSC::JSPropertyNameEnumerator::destroy):
897         * runtime/JSSegmentedVariableObject.h:
898         * runtime/SymbolTable.cpp:
899         (JSC::SymbolTable::destroy):
900         * runtime/VM.h:
901         * wasm/js/JSWebAssemblyCallee.cpp:
902         (JSC::JSWebAssemblyCallee::destroy):
903         * wasm/js/WebAssemblyModuleRecord.cpp:
904         (JSC::WebAssemblyModuleRecord::destroy):
905         * wasm/js/WebAssemblyToJSCallee.cpp:
906         (JSC::WebAssemblyToJSCallee::WebAssemblyToJSCallee):
907         (JSC::WebAssemblyToJSCallee::destroy):
908
909 2017-01-17  Filip Pizlo  <fpizlo@apple.com>
910
911         Unreviewed, roll out http://trac.webkit.org/changeset/210821
912         It was causing crashes.
913
914         * API/JSAPIWrapperObject.mm:
915         (JSAPIWrapperObjectHandleOwner::finalize):
916         * API/JSCallbackObject.h:
917         * API/JSCallbackObjectFunctions.h:
918         (JSC::JSCallbackObject<Parent>::~JSCallbackObject):
919         (JSC::JSCallbackObject<Parent>::init):
920         * API/JSObjectRef.cpp:
921         (JSObjectGetPrivate):
922         (JSObjectSetPrivate):
923         (classInfoPrivate): Deleted.
924         * bytecode/EvalCodeBlock.cpp:
925         (JSC::EvalCodeBlock::destroy):
926         * bytecode/FunctionCodeBlock.cpp:
927         (JSC::FunctionCodeBlock::destroy):
928         * bytecode/ModuleProgramCodeBlock.cpp:
929         (JSC::ModuleProgramCodeBlock::destroy):
930         * bytecode/ProgramCodeBlock.cpp:
931         (JSC::ProgramCodeBlock::destroy):
932         * bytecode/UnlinkedEvalCodeBlock.cpp:
933         (JSC::UnlinkedEvalCodeBlock::destroy):
934         * bytecode/UnlinkedFunctionCodeBlock.cpp:
935         (JSC::UnlinkedFunctionCodeBlock::destroy):
936         * bytecode/UnlinkedFunctionExecutable.cpp:
937         (JSC::UnlinkedFunctionExecutable::destroy):
938         * bytecode/UnlinkedModuleProgramCodeBlock.cpp:
939         (JSC::UnlinkedModuleProgramCodeBlock::destroy):
940         * bytecode/UnlinkedProgramCodeBlock.cpp:
941         (JSC::UnlinkedProgramCodeBlock::destroy):
942         * heap/CodeBlockSet.cpp:
943         (JSC::CodeBlockSet::lastChanceToFinalize):
944         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
945         * heap/MarkedAllocator.cpp:
946         (JSC::MarkedAllocator::allocateSlowCaseImpl):
947         * heap/MarkedBlock.cpp:
948         (JSC::MarkedBlock::Handle::sweep):
949         * jit/JITThunks.cpp:
950         (JSC::JITThunks::finalize):
951         * runtime/AbstractModuleRecord.cpp:
952         (JSC::AbstractModuleRecord::destroy):
953         * runtime/ExecutableBase.cpp:
954         (JSC::ExecutableBase::clearCode):
955         * runtime/JSCellInlines.h:
956         (JSC::JSCell::classInfo):
957         (JSC::JSCell::callDestructor):
958         * runtime/JSLock.h:
959         (JSC::JSLock::exclusiveThread):
960         (JSC::JSLock::ownerThread): Deleted.
961         * runtime/JSModuleNamespaceObject.cpp:
962         (JSC::JSModuleNamespaceObject::destroy):
963         * runtime/JSModuleRecord.cpp:
964         (JSC::JSModuleRecord::destroy):
965         * runtime/JSPropertyNameEnumerator.cpp:
966         (JSC::JSPropertyNameEnumerator::destroy):
967         * runtime/JSSegmentedVariableObject.h:
968         * runtime/SymbolTable.cpp:
969         (JSC::SymbolTable::destroy):
970         * runtime/VM.h:
971         * wasm/js/JSWebAssemblyCallee.cpp:
972         (JSC::JSWebAssemblyCallee::destroy):
973         * wasm/js/WebAssemblyModuleRecord.cpp:
974         (JSC::WebAssemblyModuleRecord::destroy):
975         * wasm/js/WebAssemblyToJSCallee.cpp:
976         (JSC::WebAssemblyToJSCallee::WebAssemblyToJSCallee):
977         (JSC::WebAssemblyToJSCallee::destroy):
978
979 2017-01-16  Filip Pizlo  <fpizlo@apple.com>
980
981         JSCell::classInfo() shouldn't have a bunch of mitigations for being called during destruction
982         https://bugs.webkit.org/show_bug.cgi?id=167066
983
984         Reviewed by Keith Miller and Michael Saboff.
985         
986         This reduces the size of JSCell::classInfo() by half and removes some checks that
987         this function previously had to do in case it was called from destructors.
988         
989         I changed all of the destructors so that they don't call JSCell::classInfo() and I
990         added an assertion to JSCell::classInfo() to catch cases where someone called it
991         from a destructor accidentally.
992         
993         This means that we only have one place in destruction that needs to know the class:
994         the sweeper's call to the destructor.
995         
996         One of the trickiest outcomes of this is the need to support inherits() tests in
997         JSObjectGetPrivate(), when it is called from the destructor callback on the object
998         being destructed. JSObjectGetPrivate() is undefined behavior anyway if you use it
999         on any dead-but-not-destructed object other than the one being destructed right
1000         now. The purpose of the inherits() tests is to distinguish between different kinds
1001         of CallbackObjects, which may have different kinds of base classes. I think that
1002         this was always subtly wrong - for example, if the object being destructed is a
1003         JSGlobalObject then it's not a DestructibleObject, is not in a destructor block,
1004         but does not have an immortal Structure - so classInfo() is not valid. This fixes
1005         the issue by having ~JSCallbackObject know its classInfo. It now stashes its
1006         classInfo in VM so that JSObjectGetPrivate can use that classInfo if it detects
1007         that it's being used on a currently-destructing object.
1008         
1009         That was the only really weird part of this patch. The rest is mostly removing
1010         illegal uses of jsCast<> in destructors. There were a few other genuine uses of
1011         classInfo() but they were in code that already knew how to get its classInfo()
1012         using other means:
1013         
1014         - You can still say structure()->classInfo(), and I use this form in code that
1015           knows that its StructureIsImmortal.
1016         
1017         - You can use this->classInfo() if it's overridden, like in subclasses of
1018           JSDestructibleObject.
1019
1020         * API/JSAPIWrapperObject.mm:
1021         (JSAPIWrapperObjectHandleOwner::finalize):
1022         * API/JSCallbackObject.h:
1023         * API/JSCallbackObjectFunctions.h:
1024         (JSC::JSCallbackObject<Parent>::~JSCallbackObject):
1025         (JSC::JSCallbackObject<Parent>::init):
1026         * API/JSObjectRef.cpp:
1027         (classInfoPrivate):
1028         (JSObjectGetPrivate):
1029         (JSObjectSetPrivate):
1030         * bytecode/EvalCodeBlock.cpp:
1031         (JSC::EvalCodeBlock::destroy):
1032         * bytecode/FunctionCodeBlock.cpp:
1033         (JSC::FunctionCodeBlock::destroy):
1034         * bytecode/ModuleProgramCodeBlock.cpp:
1035         (JSC::ModuleProgramCodeBlock::destroy):
1036         * bytecode/ProgramCodeBlock.cpp:
1037         (JSC::ProgramCodeBlock::destroy):
1038         * bytecode/UnlinkedEvalCodeBlock.cpp:
1039         (JSC::UnlinkedEvalCodeBlock::destroy):
1040         * bytecode/UnlinkedFunctionCodeBlock.cpp:
1041         (JSC::UnlinkedFunctionCodeBlock::destroy):
1042         * bytecode/UnlinkedFunctionExecutable.cpp:
1043         (JSC::UnlinkedFunctionExecutable::destroy):
1044         * bytecode/UnlinkedModuleProgramCodeBlock.cpp:
1045         (JSC::UnlinkedModuleProgramCodeBlock::destroy):
1046         * bytecode/UnlinkedProgramCodeBlock.cpp:
1047         (JSC::UnlinkedProgramCodeBlock::destroy):
1048         * heap/CodeBlockSet.cpp:
1049         (JSC::CodeBlockSet::lastChanceToFinalize):
1050         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
1051         * heap/MarkedAllocator.cpp:
1052         (JSC::MarkedAllocator::allocateSlowCaseImpl):
1053         * heap/MarkedBlock.cpp:
1054         (JSC::MarkedBlock::Handle::sweep):
1055         * jit/JITThunks.cpp:
1056         (JSC::JITThunks::finalize):
1057         * runtime/AbstractModuleRecord.cpp:
1058         (JSC::AbstractModuleRecord::destroy):
1059         * runtime/ExecutableBase.cpp:
1060         (JSC::ExecutableBase::clearCode):
1061         * runtime/JSCellInlines.h:
1062         (JSC::JSCell::classInfo):
1063         (JSC::JSCell::callDestructor):
1064         * runtime/JSLock.h:
1065         (JSC::JSLock::ownerThread):
1066         * runtime/JSModuleNamespaceObject.cpp:
1067         (JSC::JSModuleNamespaceObject::destroy):
1068         * runtime/JSModuleRecord.cpp:
1069         (JSC::JSModuleRecord::destroy):
1070         * runtime/JSPropertyNameEnumerator.cpp:
1071         (JSC::JSPropertyNameEnumerator::destroy):
1072         * runtime/JSSegmentedVariableObject.h:
1073         * runtime/SymbolTable.cpp:
1074         (JSC::SymbolTable::destroy):
1075         * runtime/VM.h:
1076         * wasm/js/JSWebAssemblyCallee.cpp:
1077         (JSC::JSWebAssemblyCallee::destroy):
1078         * wasm/js/WebAssemblyModuleRecord.cpp:
1079         (JSC::WebAssemblyModuleRecord::destroy):
1080         * wasm/js/WebAssemblyToJSCallee.cpp:
1081         (JSC::WebAssemblyToJSCallee::WebAssemblyToJSCallee):
1082         (JSC::WebAssemblyToJSCallee::destroy):
1083
1084 2017-01-16  Joseph Pecoraro  <pecoraro@apple.com>
1085
1086         Remove the REQUEST_ANIMATION_FRAME flag
1087         https://bugs.webkit.org/show_bug.cgi?id=156980
1088         <rdar://problem/25906849>
1089
1090         Reviewed by Simon Fraser.
1091
1092         * Configurations/FeatureDefines.xcconfig:
1093
1094 2017-01-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1095
1096         WebAssembly: Suppress warnings & errors in GCC
1097         https://bugs.webkit.org/show_bug.cgi?id=167049
1098
1099         Reviewed by Sam Weinig.
1100
1101         * wasm/WasmFunctionParser.h:
1102         Add missing { } after the switch. Ideally, it is not necessary.
1103         But in GCC, it is required. Since this function is fairly large,
1104         I think the code generated by this does not cause performance
1105         regression.
1106
1107         * wasm/WasmPageCount.h:
1108         UINT_MAX is defined in limits.h.
1109
1110         * wasm/generateWasmValidateInlinesHeader.py:
1111         On the other hand, we use this suppress pragma here to solve the
1112         same problem in wasm/WasmFunctionParser.h. Since the load function
1113         is fairly small, the additional `return { };` may generate some
1114         suboptimal code. See bug 150794 for more detail.
1115
1116 2017-01-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1117
1118         Reserve capacity for StringBuilder in unescape
1119         https://bugs.webkit.org/show_bug.cgi?id=167008
1120
1121         Reviewed by Sam Weinig.
1122
1123         The `unescape` function is frequently called in Kraken sha256-iterative.
1124         This patch just reserves the capacity for the StringBuilder.
1125
1126         Currently, we select the length of the string for the reserved capacity.
1127         It improves the performance by 2.73%.
1128
1129             Benchmark report for Kraken on sakura-trick.
1130
1131             VMs tested:
1132             "baseline" at /home/yusukesuzuki/dev/WebKit/WebKitBuild/untot/Release/bin/jsc
1133             "patched" at /home/yusukesuzuki/dev/WebKit/WebKitBuild/un/Release/bin/jsc
1134
1135             Collected 100 samples per benchmark/VM, with 100 VM invocations per benchmark. Emitted a call to gc() between
1136             sample measurements. Used 1 benchmark iteration per VM invocation for warm-up. Used the jsc-specific preciseTime()
1137             function to get microsecond-level timing. Reporting benchmark execution times with 95% confidence intervals in
1138             milliseconds.
1139
1140                                                        baseline                  patched
1141
1142             stanford-crypto-sha256-iterative        51.609+-0.672             50.237+-0.860           might be 1.0273x faster
1143
1144             <arithmetic>                            51.609+-0.672             50.237+-0.860           might be 1.0273x faster
1145
1146         * runtime/JSGlobalObjectFunctions.cpp:
1147         (JSC::globalFuncUnescape):
1148
1149 2017-01-13  Joseph Pecoraro  <pecoraro@apple.com>
1150
1151         Remove ENABLE(DETAILS_ELEMENT) guards
1152         https://bugs.webkit.org/show_bug.cgi?id=167042
1153
1154         Reviewed by Alex Christensen.
1155
1156         * Configurations/FeatureDefines.xcconfig:
1157
1158 2017-01-11  Darin Adler  <darin@apple.com>
1159
1160         Remove PassRefPtr from more of "platform"
1161         https://bugs.webkit.org/show_bug.cgi?id=166809
1162
1163         Reviewed by Sam Weinig.
1164
1165         * inspector/JSInjectedScriptHost.h:
1166         (Inspector::JSInjectedScriptHost::impl): Simplified code since we don't need a
1167         const_cast here any more.
1168         * runtime/PrivateName.h:
1169         (JSC::PrivateName::uid): Ditto.
1170
1171 2017-01-13  Ryan Haddad  <ryanhaddad@apple.com>
1172
1173         Unreviewed, rolling out r210735.
1174
1175         This change introduced LayoutTest and JSC test flakiness.
1176
1177         Reverted changeset:
1178
1179         "Reserve capacity for StringBuilder in unescape"
1180         https://bugs.webkit.org/show_bug.cgi?id=167008
1181         http://trac.webkit.org/changeset/210735
1182
1183 2017-01-13  Saam Barati  <sbarati@apple.com>
1184
1185         Initialize the ArraySpecies watchpoint as Clear and transition to IsWatched once slice is called for the first time
1186         https://bugs.webkit.org/show_bug.cgi?id=167017
1187         <rdar://problem/30019309>
1188
1189         Reviewed by Keith Miller and Filip Pizlo.
1190
1191         This patch is to reverse the JSBench regression from r210695.
1192         
1193         The new state diagram for the array species watchpoint is as
1194         follows:
1195         
1196         1. On GlobalObject construction, it starts life out as ClearWatchpoint.
1197         2. When slice is called for the first time, we observe the state
1198         of the world, and either transition it to IsWatched if we were able
1199         to set up the object property conditions, or to IsInvalidated if we
1200         were not.
1201         3. The DFG compiler will now only lower slice as an intrinsic if
1202         it observed the speciesWatchpoint.state() as IsWatched.
1203         4. The IsWatched => IsInvalidated transition happens only when
1204         one of the object property condition watchpoints fire.
1205
1206         * dfg/DFGByteCodeParser.cpp:
1207         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1208         * runtime/ArrayPrototype.cpp:
1209         (JSC::speciesWatchpointIsValid):
1210         (JSC::speciesConstructArray):
1211         (JSC::arrayProtoPrivateFuncConcatMemcpy):
1212         (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
1213         (JSC::ArrayPrototype::initializeSpeciesWatchpoint): Deleted.
1214         * runtime/ArrayPrototype.h:
1215         * runtime/JSGlobalObject.cpp:
1216         (JSC::JSGlobalObject::JSGlobalObject):
1217         (JSC::JSGlobalObject::init):
1218
1219 2017-01-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1220
1221         Reserve capacity for StringBuilder in unescape
1222         https://bugs.webkit.org/show_bug.cgi?id=167008
1223
1224         Reviewed by Sam Weinig.
1225
1226         The `unescape` function is frequently called in Kraken sha256-iterative.
1227         This patch just reserves the capacity for the StringBuilder.
1228
1229         Currently, we select the length of the string for the reserved capacity.
1230         It improves the performance by 2.73%.
1231
1232             Benchmark report for Kraken on sakura-trick.
1233
1234             VMs tested:
1235             "baseline" at /home/yusukesuzuki/dev/WebKit/WebKitBuild/untot/Release/bin/jsc
1236             "patched" at /home/yusukesuzuki/dev/WebKit/WebKitBuild/un/Release/bin/jsc
1237
1238             Collected 100 samples per benchmark/VM, with 100 VM invocations per benchmark. Emitted a call to gc() between
1239             sample measurements. Used 1 benchmark iteration per VM invocation for warm-up. Used the jsc-specific preciseTime()
1240             function to get microsecond-level timing. Reporting benchmark execution times with 95% confidence intervals in
1241             milliseconds.
1242
1243                                                        baseline                  patched
1244
1245             stanford-crypto-sha256-iterative        51.609+-0.672             50.237+-0.860           might be 1.0273x faster
1246
1247             <arithmetic>                            51.609+-0.672             50.237+-0.860           might be 1.0273x faster
1248
1249         * runtime/JSGlobalObjectFunctions.cpp:
1250         (JSC::globalFuncUnescape):
1251
1252 2017-01-12  Saam Barati  <sbarati@apple.com>
1253
1254         Add a slice intrinsic to the DFG/FTL
1255         https://bugs.webkit.org/show_bug.cgi?id=166707
1256         <rdar://problem/29913445>
1257
1258         Reviewed by Filip Pizlo.
1259
1260         The gist of this patch is to inline Array.prototype.slice
1261         into the DFG/FTL. The implementation in the DFG-backend
1262         and FTLLowerDFGToB3 is just a straight forward implementation
1263         of what the C function is doing. The more interesting bits
1264         of this patch are setting up the proper watchpoints and conditions
1265         in the executing code to prove that it's safe to skip all of the
1266         observable JS actions that Array.prototype.slice normally does.
1267         
1268         We perform the following proofs:
1269         1. Array.prototype.constructor has not changed (via a watchpoint).
1270         2. Array.prototype.constructor[Symbol.species] has not changed (via a watchpoint).
1271         3. The global object is not having a bad time.
1272         4. The array that is being sliced has an original array structure.
1273         5. Array.prototype/Object.prototype have not transitioned.
1274         
1275         Conditions 1, 2, and 3 are strictly required.
1276         
1277         4 is ensuring a couple things:
1278         1. That a "constructor" property hasn't been added to the array
1279         we're slicing since we're supposed to perform a Get(array, "constructor").
1280         2. That we're not slicing an instance of a subclass of Array.
1281         
1282         We could relax 4.1 in the future if we find other ways to test if
1283         the incoming array hasn't changed the "constructor" property. We
1284         would probably use TryGetById to do this.
1285         
1286         I'm seeing a 5% speedup on crypto-pbkdf2 and often a 1% speedup on
1287         the total benchmark (the results are sometimes noisy).
1288
1289         * dfg/DFGAbstractInterpreterInlines.h:
1290         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1291         * dfg/DFGByteCodeParser.cpp:
1292         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1293         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
1294         (JSC::DFG::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator):
1295         * dfg/DFGClobberize.h:
1296         (JSC::DFG::clobberize):
1297         * dfg/DFGDoesGC.cpp:
1298         (JSC::DFG::doesGC):
1299         * dfg/DFGFixupPhase.cpp:
1300         (JSC::DFG::FixupPhase::fixupNode):
1301         * dfg/DFGNodeType.h:
1302         * dfg/DFGPredictionPropagationPhase.cpp:
1303         * dfg/DFGSafeToExecute.h:
1304         (JSC::DFG::safeToExecute):
1305         * dfg/DFGSpeculativeJIT.cpp:
1306         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1307         (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
1308         * dfg/DFGSpeculativeJIT.h:
1309         * dfg/DFGSpeculativeJIT32_64.cpp:
1310         (JSC::DFG::SpeculativeJIT::compile):
1311         (JSC::DFG::SpeculativeJIT::emitInitializeButterfly):
1312         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
1313         * dfg/DFGSpeculativeJIT64.cpp:
1314         (JSC::DFG::SpeculativeJIT::compile):
1315         (JSC::DFG::SpeculativeJIT::emitInitializeButterfly):
1316         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
1317         * ftl/FTLAbstractHeapRepository.h:
1318         * ftl/FTLCapabilities.cpp:
1319         (JSC::FTL::canCompile):
1320         * ftl/FTLLowerDFGToB3.cpp:
1321         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1322         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
1323         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
1324         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1325         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
1326         (JSC::FTL::DFG::LowerDFGToB3::storeStructure):
1327         (JSC::FTL::DFG::LowerDFGToB3::allocateCell):
1328         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1329         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
1330         (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArray):
1331         * jit/AssemblyHelpers.cpp:
1332         (JSC::AssemblyHelpers::emitLoadStructure):
1333         * runtime/ArrayPrototype.cpp:
1334         (JSC::ArrayPrototype::finishCreation):
1335         (JSC::speciesWatchpointIsValid):
1336         (JSC::speciesConstructArray):
1337         (JSC::arrayProtoFuncSlice):
1338         (JSC::arrayProtoPrivateFuncConcatMemcpy):
1339         (JSC::ArrayPrototype::initializeSpeciesWatchpoint):
1340         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
1341         (JSC::speciesWatchpointsValid): Deleted.
1342         (JSC::ArrayPrototype::attemptToInitializeSpeciesWatchpoint): Deleted.
1343         * runtime/ArrayPrototype.h:
1344         (JSC::ArrayPrototype::speciesWatchpointStatus): Deleted.
1345         (): Deleted.
1346         * runtime/Intrinsic.h:
1347         * runtime/JSGlobalObject.cpp:
1348         (JSC::JSGlobalObject::JSGlobalObject):
1349         (JSC::JSGlobalObject::init):
1350         * runtime/JSGlobalObject.h:
1351         (JSC::JSGlobalObject::arraySpeciesWatchpoint):
1352         * runtime/Structure.h:
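
The following is an added JavaScript example, not code from this ChangeLog or from JSC. It exercises, one per function, the JS-observable steps of Array.prototype.slice that the five proofs above (and the species watchpoint state diagram in the later entry for r210695's regression fix) exist to rule out: an own "constructor" on the sliced array, an Array subclass, a patched Array[Symbol.species], a patched Array.prototype.constructor, and an indexed accessor on Array.prototype (the situation in which, to my understanding, JSC's global object is "having a bad time", since the prototype chain can now intercept indexed access). Every patch is restored in a `finally`, and all function names here are my own.

```javascript
// Added example, not JSC code. Each function triggers one JS-observable step
// of Array.prototype.slice (ArraySpeciesCreate, then HasProperty/Get per index)
// that the DFG/FTL intrinsic may skip only after the watchpoints prove it
// cannot fire. Running them shows what a memcpy-style copy would miss.

// Baseline: plain array, untouched prototypes, plain result.
function sliceOfPlainArray() {
  const out = [1, 2, 3, 4].slice(1, 3);
  return { isPlain: Object.getPrototypeOf(out) === Array.prototype, values: Array.from(out) };
}

// Condition 4.1: slice does Get(array, "constructor"), so an own "constructor"
// on the sliced array redirects allocation to an arbitrary constructor.
function sliceWithOwnConstructor() {
  const arr = [1, 2, 3, 4];
  let requestedLength = -1;
  arr.constructor = {
    [Symbol.species]: function (n) { requestedLength = n; this.tag = "custom"; },
  };
  const out = arr.slice(1, 3);
  return { requestedLength, tag: out.tag, isArray: Array.isArray(out), length: out.length, first: out[0] };
}

// Condition 4.2: an Array subclass does not have the original array structure;
// species creation hands back a subclass instance.
function sliceOfSubclass() {
  class TrackedArray extends Array {}
  const arr = TrackedArray.from([1, 2, 3, 4]);
  const out = arr.slice(1, 3);
  return { isSubclass: out instanceof TrackedArray, values: Array.from(out) };
}

// Condition 2: Array[Symbol.species] is a configurable accessor; redefining it
// is observed by every slice of a plain array.
function sliceWithPatchedSpecies() {
  const saved = Object.getOwnPropertyDescriptor(Array, Symbol.species);
  let fired = 0;
  Object.defineProperty(Array, Symbol.species, { configurable: true, get() { fired++; return undefined; } });
  try {
    const out = [1, 2, 3].slice(1);
    return { fired, isPlain: Array.isArray(out), values: Array.from(out) };
  } finally {
    Object.defineProperty(Array, Symbol.species, saved);
  }
}

// Condition 1: Get(array, "constructor") normally lands on
// Array.prototype.constructor, so replacing it redirects every plain slice.
function sliceWithPatchedPrototypeConstructor() {
  const saved = Object.getOwnPropertyDescriptor(Array.prototype, "constructor");
  let fired = 0;
  Object.defineProperty(Array.prototype, "constructor", {
    configurable: true, writable: true,
    value: { [Symbol.species]: function () { fired++; } },
  });
  try {
    const out = [1, 2, 3].slice(1);
    return { fired, isArray: Array.isArray(out), length: out.length };
  } finally {
    Object.defineProperty(Array.prototype, "constructor", saved);
  }
}

// Condition 3: once a prototype carries an indexed accessor, a hole in the
// sliced array is no longer a hole. HasProperty/Get read through the
// prototype chain and the copy receives the accessor's value.
function sliceOfHoleyArrayWithPrototypeIndex() {
  const arr = [1, , 3]; // hole at index 1
  Object.defineProperty(Array.prototype, "1", { configurable: true, get() { return "from-prototype"; } });
  try {
    const out = arr.slice();
    return { middle: out[1], ownMiddle: Object.prototype.hasOwnProperty.call(out, "1") };
  } finally {
    delete Array.prototype[1];
  }
}
```

Each of these cases is one the intrinsic cannot reproduce without calling back into JS, which is why the DFG only lowers slice when the watchpoint state is IsWatched and the incoming array has an original structure.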
1353
1354 2017-01-12  Saam Barati  <sbarati@apple.com>
1355
1356         Concurrent GC has a bug where we would detect a race but fail to rescan the object
1357         https://bugs.webkit.org/show_bug.cgi?id=166960
1358         <rdar://problem/29983526>
1359
1360         Reviewed by Filip Pizlo and Mark Lam.
1361
1362         We have code like this in JSC:
1363         
1364         ```
1365         Butterfly* butterfly = allocateMoreOutOfLineStorage(vm, oldOutOfLineCapacity, newOutOfLineCapacity);
1366         nukeStructureAndSetButterfly(vm, structureID, butterfly);
1367         structure->setLastOffset(newLastOffset);
1368         WTF::storeStoreFence();
1369         setStructureIDDirectly(structureID);
1370         ```
1371         
1372         Note that the collector could detect a race here, which sometimes
1373         incorrectly caused us to not visit the object again.
1374         
1375         Mutator Thread: M, Collector Thread: C, assuming sequential consistency via
1376         proper barriers:
1377         
1378         M: allocate new butterfly
1379         M: Set nuked structure ID
1380         M: Set butterfly (this does a barrier)
1381         C: Start scanning O
1382         C: load structure ID
1383         C: See it's nuked and bail (we used to rely on a write barrier to rescan).
1384         
1385         We sometimes never rescanned here because we were calling
1386         setStructureIDDirectly which doesn't do a write barrier.
1387         (Note, the places that do this but call setStructure were
1388         OK because setStructure will perform a write barrier.)
1389         
1390         (This same issue also existed in places where the collector thread
1391         detected races for Structure::m_offset, but places that changed
1392         Structure::m_offset didn't perform a write barrier on the object
1393         after changing its Structure's m_offset.)
1394         
1395         To prevent such code from requiring every call site to perform
1396         a write barrier on the object, I've changed the collector code
1397         to keep a stack of cells to be revisited due to races. This stack
1398         is then consulted when we do marking. Because such races are rare,
1399         we have a single stack on Heap that is guarded by a lock.
1400
1401         * heap/Heap.cpp:
1402         (JSC::Heap::Heap):
1403         (JSC::Heap::~Heap):
1404         (JSC::Heap::markToFixpoint):
1405         (JSC::Heap::endMarking):
1406         (JSC::Heap::buildConstraintSet):
1407         (JSC::Heap::addToRaceMarkStack):
1408         * heap/Heap.h:
1409         (JSC::Heap::collectorSlotVisitor):
1410         (JSC::Heap::mutatorMarkStack): Deleted.
1411         * heap/SlotVisitor.cpp:
1412         (JSC::SlotVisitor::didRace):
1413         * heap/SlotVisitor.h:
1414         (JSC::SlotVisitor::didRace):
1415         (JSC::SlotVisitor::didNotRace): Deleted.
1416         * heap/SlotVisitorInlines.h:
1417         (JSC::SlotVisitor::didNotRace): Deleted.
1418         * runtime/JSObject.cpp:
1419         (JSC::JSObject::visitButterfly):
1420         (JSC::JSObject::visitButterflyImpl):
1421         * runtime/JSObjectInlines.h:
1422         (JSC::JSObject::prepareToPutDirectWithoutTransition):
1423         * runtime/Structure.cpp:
1424         (JSC::Structure::flattenDictionaryStructure):
1425
1426 2017-01-12  Chris Dumez  <cdumez@apple.com>
1427
1428         Add KEYBOARD_KEY_ATTRIBUTE / KEYBOARD_CODE_ATTRIBUTE to FeatureDefines.xcconfig
1429         https://bugs.webkit.org/show_bug.cgi?id=166995
1430
1431         Reviewed by Jer Noble.
1432
1433         Add KEYBOARD_KEY_ATTRIBUTE / KEYBOARD_CODE_ATTRIBUTE to FeatureDefines.xcconfig
1434         as some people are having trouble building without it.
1435
1436         * Configurations/FeatureDefines.xcconfig:
1437
1438 2017-01-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1439
1440         Implement InlineClassicScript
1441         https://bugs.webkit.org/show_bug.cgi?id=166925
1442
1443         Reviewed by Ryosuke Niwa.
1444
1445         Add ScriptFetcher field for SourceOrigin.
1446
1447         * runtime/SourceOrigin.h:
1448         (JSC::SourceOrigin::SourceOrigin):
1449         (JSC::SourceOrigin::fetcher):
1450
1451 2017-01-11  Andreas Kling  <akling@apple.com>
1452
1453         Crash when WebCore's GC heap grows way too large.
1454         <https://webkit.org/b/166875>
1455         <rdar://problem/27896585>
1456
1457         Reviewed by Mark Lam.
1458
1459         Add a simple API to JSC::Heap that allows setting a hard limit on the amount
1460         of live bytes. If this is exceeded, we crash with a recognizable signature.
1461         By default there is no limit.
1462
1463         * heap/Heap.cpp:
1464         (JSC::Heap::didExceedMaxLiveSize):
1465         (JSC::Heap::updateAllocationLimits):
1466         * heap/Heap.h:
1467         (JSC::Heap::setMaxLiveSize):
1468
1469 2017-01-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1470
1471         Decouple module loading initiator from ScriptElement
1472         https://bugs.webkit.org/show_bug.cgi?id=166888
1473
1474         Reviewed by Saam Barati and Ryosuke Niwa.
1475
1476         Add ScriptFetcher and JSScriptFetcher.
1477
1478         * CMakeLists.txt:
1479         * JavaScriptCore.xcodeproj/project.pbxproj:
1480         * builtins/ModuleLoaderPrototype.js:
1481         (requestFetch):
1482         (requestInstantiate):
1483         (requestSatisfy):
1484         (requestInstantiateAll):
1485         (requestLink):
1486         (moduleEvaluation):
1487         (loadAndEvaluateModule):
1488         (importModule):
1489         * llint/LLIntData.cpp:
1490         (JSC::LLInt::Data::performAssertions):
1491         * llint/LowLevelInterpreter.asm:
1492         * runtime/Completion.cpp:
1493         (JSC::loadAndEvaluateModule):
1494         (JSC::loadModule):
1495         (JSC::linkAndEvaluateModule):
1496         * runtime/Completion.h:
1497         * runtime/JSModuleLoader.cpp:
1498         (JSC::JSModuleLoader::loadAndEvaluateModule):
1499         (JSC::JSModuleLoader::loadModule):
1500         (JSC::JSModuleLoader::linkAndEvaluateModule):
1501         (JSC::JSModuleLoader::resolve):
1502         (JSC::JSModuleLoader::fetch):
1503         (JSC::JSModuleLoader::instantiate):
1504         (JSC::JSModuleLoader::evaluate):
1505         * runtime/JSModuleLoader.h:
1506         * runtime/JSScriptFetcher.cpp: Copied from Source/WebCore/dom/LoadableScript.cpp.
1507         (JSC::JSScriptFetcher::destroy):
1508         * runtime/JSScriptFetcher.h: Added.
1509         (JSC::JSScriptFetcher::createStructure):
1510         (JSC::JSScriptFetcher::create):
1511         (JSC::JSScriptFetcher::fetcher):
1512         (JSC::JSScriptFetcher::JSScriptFetcher):
1513         * runtime/JSType.h:
1514         * runtime/ScriptFetcher.h: Copied from Source/WebCore/dom/LoadableScript.cpp.
1515         (JSC::ScriptFetcher::~ScriptFetcher):
1516         * runtime/VM.cpp:
1517         (JSC::VM::VM):
1518         * runtime/VM.h:
1519
1520 2017-01-10  Yusuke Suzuki  <utatane.tea@gmail.com>
1521
1522         Implement JSSourceCode to propagate SourceCode in module pipeline
1523         https://bugs.webkit.org/show_bug.cgi?id=166861
1524
1525         Reviewed by Saam Barati.
1526
1527         Instead of propagating a source code string, we propagate a JSSourceCode
1528         cell in the module pipeline. This allows us to attach metadata
1529         to the propagated source code string. In particular, it propagates
1530         SourceOrigin through the module pipeline.
1531
1532         It also fixes the JSC shell to use the Module source type for module source code.
1533
1534         * CMakeLists.txt:
1535         * JavaScriptCore.xcodeproj/project.pbxproj:
1536         * builtins/ModuleLoaderPrototype.js:
1537         (fulfillFetch):
1538         (requestFetch):
1539         * jsc.cpp:
1540         (GlobalObject::moduleLoaderFetch):
1541         (runWithScripts):
1542         * llint/LLIntData.cpp:
1543         (JSC::LLInt::Data::performAssertions):
1544         * llint/LowLevelInterpreter.asm:
1545         * runtime/Completion.cpp:
1546         (JSC::loadAndEvaluateModule):
1547         (JSC::loadModule):
1548         * runtime/JSModuleLoader.cpp:
1549         (JSC::JSModuleLoader::provide):
1550         * runtime/JSModuleLoader.h:
1551         * runtime/JSSourceCode.cpp: Added.
1552         (JSC::JSSourceCode::destroy):
1553         * runtime/JSSourceCode.h: Added.
1554         (JSC::JSSourceCode::createStructure):
1555         (JSC::JSSourceCode::create):
1556         (JSC::JSSourceCode::sourceCode):
1557         (JSC::JSSourceCode::JSSourceCode):
1558         * runtime/JSType.h:
1559         * runtime/ModuleLoaderPrototype.cpp:
1560         (JSC::moduleLoaderPrototypeParseModule):
1561         * runtime/VM.cpp:
1562         (JSC::VM::VM):
1563         * runtime/VM.h:
1564
1565 2017-01-10  Commit Queue  <commit-queue@webkit.org>
1566
1567         Unreviewed, rolling out r210052.
1568         https://bugs.webkit.org/show_bug.cgi?id=166915
1569
1570         "breaks web compatibility" (Requested by keith_miller on
1571         #webkit).
1572
1573         Reverted changeset:
1574
1575         "Add support for global"
1576         https://bugs.webkit.org/show_bug.cgi?id=165171
1577         http://trac.webkit.org/changeset/210052
1578
1579 2017-01-10  Sam Weinig  <sam@webkit.org>
1580
1581         [WebIDL] Remove most of the custom bindings for the WebGL code
1582         https://bugs.webkit.org/show_bug.cgi?id=166834
1583
1584         Reviewed by Alex Christensen.
1585
1586         * runtime/ArrayPrototype.h:
1587         * runtime/ObjectPrototype.h:
1588         Export the ClassInfo so it can be used from WebCore.
1589
1590 2017-01-09  Filip Pizlo  <fpizlo@apple.com>
1591
1592         Streamline the GC barrier slowpath
1593         https://bugs.webkit.org/show_bug.cgi?id=166878
1594
1595         Reviewed by Geoffrey Garen and Saam Barati.
1596         
1597         This implements two optimizations to the barrier:
1598         
1599         - Removes the write barrier buffer. This was just overhead.
1600         
1601         - Teaches the slow path how to white an object that was black but unmarked, ensuring that
1602           we don't take slow path for this object again.
1603
1604         * JavaScriptCore.xcodeproj/project.pbxproj:
1605         * dfg/DFGSpeculativeJIT.cpp:
1606         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
1607         * ftl/FTLLowerDFGToB3.cpp:
1608         (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
1609         * heap/CellState.h:
1610         * heap/Heap.cpp:
1611         (JSC::Heap::Heap):
1612         (JSC::Heap::markToFixpoint):
1613         (JSC::Heap::addToRememberedSet):
1614         (JSC::Heap::stopTheWorld):
1615         (JSC::Heap::writeBarrierSlowPath):
1616         (JSC::Heap::buildConstraintSet):
1617         (JSC::Heap::flushWriteBarrierBuffer): Deleted.
1618         * heap/Heap.h:
1619         (JSC::Heap::writeBarrierBuffer): Deleted.
1620         * heap/SlotVisitor.cpp:
1621         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
1622         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
1623         (JSC::SlotVisitor::appendToMarkStack):
1624         (JSC::SlotVisitor::visitChildren):
1625         * heap/WriteBarrierBuffer.cpp: Removed.
1626         * heap/WriteBarrierBuffer.h: Removed.
1627         * jit/JITOperations.cpp:
1628         * jit/JITOperations.h:
1629         * runtime/JSCellInlines.h:
1630         (JSC::JSCell::JSCell):
1631         * runtime/StructureIDBlob.h:
1632         (JSC::StructureIDBlob::StructureIDBlob):
1633
1634 2017-01-10  Mark Lam  <mark.lam@apple.com>
1635
1636         Property setters should not be called for bound arguments list entries.
1637         https://bugs.webkit.org/show_bug.cgi?id=165631
1638
1639         Reviewed by Filip Pizlo.
1640
1641         * builtins/FunctionPrototype.js:
1642         (bind):
1643         - use @putByValDirect to set the bound arguments so that we don't consult the
1644           prototype chain for setters.
1645
1646         * runtime/IntlDateTimeFormatPrototype.cpp:
1647         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
1648         * runtime/IntlNumberFormatPrototype.cpp:
1649         (JSC::IntlNumberFormatPrototypeGetterFormat):
1650         - no need to create a bound arguments array because these bound functions bind
1651           no arguments according to the spec.
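
An added JavaScript example, not code from this ChangeLog or from WebKit, showing why the bound-arguments list has to be filled with a direct own-property define (what `@putByValDirect` does in the builtin) rather than an ordinary assignment: an ordinary assignment is a [[Set]] that walks the prototype chain, so an indexed setter on Array.prototype receives the value and no element is ever created. The helper and demo names are mine, and the setter is installed only for the duration of each demo.

```javascript
// Added example, not WebKit code. Contrasts [[Set]] with a direct define when
// Array.prototype carries an indexed setter, then checks that bind() itself
// never lets a bound argument reach such a setter.

// Installs a setter for index 0 on Array.prototype while `body` runs and
// reports how often it fired. `log` is a plain object on purpose: an array
// would hit the very setter being installed.
function withIndexedSetterOnArrayPrototype(body) {
  const log = { count: 0, last: undefined };
  Object.defineProperty(Array.prototype, "0", {
    configurable: true,
    get() { return undefined; },
    set(value) { log.count++; log.last = value; }, // swallows the write
  });
  try {
    const result = body();
    return { result, intercepted: log.count, last: log.last };
  } finally {
    delete Array.prototype[0];
  }
}

// Ordinary assignment: out[i] = v is a [[Set]]. With no own element at i the
// prototype setter runs and the array stays empty.
function storeViaSet(values) {
  const out = [];
  for (let i = 0; i < values.length; i++) out[i] = values[i];
  return out;
}

// Direct define: creates the own data property regardless of the prototype
// chain, the semantics the bind() builtin needs for its arguments list.
function storeViaDefine(values) {
  const out = [];
  for (let i = 0; i < values.length; i++) {
    Object.defineProperty(out, i, { value: values[i], writable: true, enumerable: true, configurable: true });
  }
  return out;
}

function demoSet() {
  const r = withIndexedSetterOnArrayPrototype(() => storeViaSet(["secret"]));
  return { elementCount: r.result.length, leaked: r.intercepted, leakedValue: r.last };
}

function demoDefine() {
  const r = withIndexedSetterOnArrayPrototype(() => storeViaDefine(["secret"]));
  return { elementCount: r.result.length, first: r.result[0], leaked: r.intercepted };
}

// Function.prototype.bind: the bound argument must reach the target without
// passing through the setter. Rest parameters are built with direct defines
// as well, so `args` is safe to return from inside the patched window.
function demoBind() {
  function target(...args) { return args; }
  const r = withIndexedSetterOnArrayPrototype(() => {
    const bound = target.bind(null, "secret");
    return bound("second");
  });
  return { received: r.result, leaked: r.intercepted };
}
```

`demoSet` is the behaviour the entry's title warns about: the value is handed to a setter an attacker-controlled prototype defined, and the array ends up with no element at all. `demoDefine` and `demoBind` show the direct-define path and the fixed `bind` respectively.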
1652
1653 2017-01-10  Skachkov Oleksandr  <gskachkov@gmail.com>
1654
1655         Calling async arrow function which is in a class's member function will cause error
1656         https://bugs.webkit.org/show_bug.cgi?id=166879
1657
1658         Reviewed by Saam Barati.
1659
1660         The current patch fixes loading 'super' in async arrow functions. Errors appeared because
1661         super was always loaded regardless of whether it was used in the async arrow function or not, but the bytecompiler
1662         put it into the arrow function context only if it was used within the arrow function. So to fix this issue we need to
1663         check whether super was used in the arrow function.
1664
1665         * bytecompiler/BytecodeGenerator.h:
1666         * bytecompiler/NodesCodegen.cpp:
1667         (JSC::FunctionNode::emitBytecode):
1668
1669 2017-01-10  Commit Queue  <commit-queue@webkit.org>
1670
1671         Unreviewed, rolling out r210537.
1672         https://bugs.webkit.org/show_bug.cgi?id=166903
1673
1674         This change introduced JSC test failures (Requested by
1675         ryanhaddad on #webkit).
1676
1677         Reverted changeset:
1678
1679         "Implement JSSourceCode to propagate SourceCode in module
1680         pipeline"
1681         https://bugs.webkit.org/show_bug.cgi?id=166861
1682         http://trac.webkit.org/changeset/210537
1683
1684 2017-01-10  Commit Queue  <commit-queue@webkit.org>
1685
1686         Unreviewed, rolling out r210540.
1687         https://bugs.webkit.org/show_bug.cgi?id=166896
1688
1689         too crude for non-WebCore clients (Requested by kling on
1690         #webkit).
1691
1692         Reverted changeset:
1693
1694         "Crash when GC heap grows way too large."
1695         https://bugs.webkit.org/show_bug.cgi?id=166875
1696         http://trac.webkit.org/changeset/210540
1697
1698 2017-01-09  Filip Pizlo  <fpizlo@apple.com>
1699
1700         JSArray has some object scanning races
1701         https://bugs.webkit.org/show_bug.cgi?id=166874
1702
1703         Reviewed by Mark Lam.
1704         
1705         This fixes two separate bugs, both of which I detected by running
1706         array-splice-contiguous.js in extreme anger:
1707         
1708         1) Some of the paths of shifting and unshifting were not grabbing the internal cell
1709            lock. This was causing the array storage scan to crash, even though it was well
1710            synchronized (the scan does hold the lock). The fix is just to hold the lock anywhere
1711            that memmoves the innards of the butterfly.
1712         
1713         2) Out of line property scanning was synchronized using double collect snapshot. Array
1714            storage scanning was synchronized using locks. But what if array storage
1715            transformations messed up the out of line properties? It turns out that we actually
1716            need to hoist the array storage scanner's locking up into the double collect
1717            snapshot.
1718         
1719         I don't know how to write a test that does any better of a job of catching this than
1720         array-splice-contiguous.js.
1721
1722         * heap/DeferGC.h: Make DisallowGC usable even if NDEBUG.
1723         * runtime/JSArray.cpp:
1724         (JSC::JSArray::unshiftCountSlowCase):
1725         (JSC::JSArray::shiftCountWithArrayStorage):
1726         (JSC::JSArray::unshiftCountWithArrayStorage):
1727         * runtime/JSObject.cpp:
1728         (JSC::JSObject::visitButterflyImpl):
1729
1730 2017-01-10  Andreas Kling  <akling@apple.com>
1731
1732         Crash when GC heap grows way too large.
1733         <https://webkit.org/b/166875>
1734         <rdar://problem/27896585>
1735
1736         Reviewed by Mark Lam.
1737
1738         Hard cap the JavaScript heap at 4GB of live objects (determined post-GC).
1739         If we go past this limit, crash with a recognizable signature.
1740
1741         * heap/Heap.cpp:
1742         (JSC::Heap::didExceedHeapSizeLimit):
1743         (JSC::Heap::updateAllocationLimits):
1744
1745 2017-01-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1746
1747         Implement JSSourceCode to propagate SourceCode in module pipeline
1748         https://bugs.webkit.org/show_bug.cgi?id=166861
1749
1750         Reviewed by Saam Barati.
1751
1752         Instead of propagating a source code string, we propagate a JSSourceCode
1753         cell in the module pipeline. This allows us to attach metadata
1754         to the propagated source code string. In particular, it propagates
1755         SourceOrigin through the module pipeline.
1756
1757         * CMakeLists.txt:
1758         * JavaScriptCore.xcodeproj/project.pbxproj:
1759         * builtins/ModuleLoaderPrototype.js:
1760         (fulfillFetch):
1761         (requestFetch):
1762         * jsc.cpp:
1763         (GlobalObject::moduleLoaderFetch):
1764         * llint/LLIntData.cpp:
1765         (JSC::LLInt::Data::performAssertions):
1766         * llint/LowLevelInterpreter.asm:
1767         * runtime/Completion.cpp:
1768         (JSC::loadAndEvaluateModule):
1769         (JSC::loadModule):
1770         * runtime/JSModuleLoader.cpp:
1771         (JSC::JSModuleLoader::provide):
1772         * runtime/JSModuleLoader.h:
1773         * runtime/JSSourceCode.cpp: Added.
1774         (JSC::JSSourceCode::destroy):
1775         * runtime/JSSourceCode.h: Added.
1776         (JSC::JSSourceCode::createStructure):
1777         (JSC::JSSourceCode::create):
1778         (JSC::JSSourceCode::sourceCode):
1779         (JSC::JSSourceCode::JSSourceCode):
1780         * runtime/JSType.h:
1781         * runtime/ModuleLoaderPrototype.cpp:
1782         (JSC::moduleLoaderPrototypeParseModule):
1783         * runtime/VM.cpp:
1784         (JSC::VM::VM):
1785         * runtime/VM.h:
1786
1787 2017-01-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1788
1789         REGRESSION (r210522): ASSERTION FAILED: divot.offset >= divotStart.offset seen with stress/import-basic.js and stress/import-from-eval.js
1790         https://bugs.webkit.org/show_bug.cgi?id=166873
1791
1792         Reviewed by Saam Barati.
1793
1794         The divot should be the end of `import` token.
1795
1796         * parser/Parser.cpp:
1797         (JSC::Parser<LexerType>::parseMemberExpression):
1798
1799 2017-01-09  Filip Pizlo  <fpizlo@apple.com>
1800
1801         Unreviewed, fix cloop.
1802
1803         * dfg/DFGPlanInlines.h:
1804
1805 2017-01-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1806
1807         [JSC] Prototype dynamic-import
1808         https://bugs.webkit.org/show_bug.cgi?id=165724
1809
1810         Reviewed by Saam Barati.
1811
1812         In this patch, we implement the stage 3 dynamic-import proposal [1].
1813         This patch adds a new special operator `import`. And by using it, we can import
1814         the module dynamically from modules and scripts. Before this feature, modules were
1815         always imported statically, and importing had to be done before executing the modules.
1816         In particular, a module could only be imported from another module.
1817         So the classic script cannot import and use the modules. This dynamic-import relaxes
1818         the above restrictions.
1819
1820         The typical dynamic-import form is the following.
1821
1822             import("...").then(function (namespace) { ... });
1823
1824         You can pass any AssignmentExpression for the import operator. So you can determine
1825         the importing modules dynamically.
1826
1827         Previously, the module import declaration was only allowed in top-level statements.
1828         But this import operator is just an expression, so you can use it inside a function,
1829         and you can use it conditionally.
1830         But this import operator is just an expression. So you can use it in the function.
1831         And you can use it conditionally.
1832
1833             async function go(cond)
1834             {
1835                 if (cond)
1836                     return import("...");
1837                 return undefined;
1838             }
1839         Currently, this patch implements this feature only for the JSC shell.
1840         The JSC module loader requires a new hook, `importModule`, and the JSC shell implements
1841         this hook. So, for now, this dynamic-import is not available on the browser side.
1842         If you write this `import` call there, it always returns a rejected promise.
1843         this hook. So, for now, this dynamic-import is not available in the browser side.
1844         If you write this `import` call, it always returns the rejected promise.
1845
1846         `import` is implemented as a special operator, similar to `super`.
1847         This is because import is context-sensitive. If you call `import`, the module
1848         key resolution is done based on the caller's running context.
1849
1850         For example, if you are running the script whose filename is "./ok/hello.js", the module
1851         key for the call `import("./resource/syntax.js")` becomes `"./ok/resource/syntax.js"`.
1852         But if you write exactly the same import form in the script "./error/hello.js", the
1853         key becomes "./error/resource/syntax.js". So exposing this feature as an `import`
1854         function is misleading: such a function would be sensitive to the caller's context. That's why
1855         dynamic-import is specified as a special operator.
1856
1857         To resolve the module key, we need the caller's context information like the filename of
1858         the caller. This is provided by the SourceOrigin implemented in r210149.
1859         In the JSC shell implementation, this SourceOrigin holds the filename of the caller. So
1860         based on this implementation, the module loader resolves the module key.
1861         In the near future, we will extend this SourceOrigin to hold more information needed for
1862         the browser-side import implementation.
1863
1864         [1]: https://tc39.github.io/proposal-dynamic-import/
1865
1866         * builtins/ModuleLoaderPrototype.js:
1867         (importModule):
1868         * bytecompiler/BytecodeGenerator.cpp:
1869         (JSC::BytecodeGenerator::emitGetTemplateObject):
1870         (JSC::BytecodeGenerator::emitGetGlobalPrivate):
1871         * bytecompiler/BytecodeGenerator.h:
1872         * bytecompiler/NodesCodegen.cpp:
1873         (JSC::ImportNode::emitBytecode):
1874         * jsc.cpp:
1875         (absolutePath):
1876         (GlobalObject::moduleLoaderImportModule):
1877         (functionRun):
1878         (functionLoad):
1879         (functionCheckSyntax):
1880         (runWithScripts):
1881         * parser/ASTBuilder.h:
1882         (JSC::ASTBuilder::createImportExpr):
1883         * parser/NodeConstructors.h:
1884         (JSC::ImportNode::ImportNode):
1885         * parser/Nodes.h:
1886         (JSC::ExpressionNode::isImportNode):
1887         * parser/Parser.cpp:
1888         (JSC::Parser<LexerType>::parseMemberExpression):
1889         * parser/SyntaxChecker.h:
1890         (JSC::SyntaxChecker::createImportExpr):
1891         * runtime/JSGlobalObject.cpp:
1892         (JSC::JSGlobalObject::init):
1893         * runtime/JSGlobalObject.h:
1894         * runtime/JSGlobalObjectFunctions.cpp:
1895         (JSC::globalFuncImportModule):
1896         * runtime/JSGlobalObjectFunctions.h:
1897         * runtime/JSModuleLoader.cpp:
1898         (JSC::JSModuleLoader::importModule):
1899         (JSC::JSModuleLoader::getModuleNamespaceObject):
1900         * runtime/JSModuleLoader.h:
1901         * runtime/ModuleLoaderPrototype.cpp:
1902         (JSC::moduleLoaderPrototypeGetModuleNamespaceObject):
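
An added JavaScript example, not code from this ChangeLog or from JSC, illustrating the two points of this entry: the module key of a dynamic `import()` depends on the caller's own source origin, and `import` is an operator that exists only in its call form. `resolveModuleKey` is a hypothetical resolver I wrote for this example; it reproduces the two keys quoted above for the jsc shell's "./ok/hello.js" and "./error/hello.js" callers but is not the shell's actual code, and its refusal of keys that climb above the root "./" is a hardening choice made here, not something the entry describes. `keysForBothCallers` and `parsesAsScript` are likewise my own names.

```javascript
// Added example, not JSC code. Shows why import() needs the caller's context
// (the same specifier resolves to different keys for different callers) and
// that `import` is an operator, not a global function value.

// Hypothetical resolver: joins a relative specifier to the directory of the
// calling script, as the jsc shell behaviour above describes, and refuses
// specifiers that escape the root "./" (a hardening choice of this example).
function resolveModuleKey(specifier, callerFilename) {
  if (typeof specifier !== "string")
    throw new TypeError("module specifier must be a string");
  if (!specifier.startsWith("./") && !specifier.startsWith("../"))
    throw new TypeError("only relative specifiers are handled here: " + specifier);

  const callerDir = callerFilename.split("/").slice(0, -1); // "./ok/hello.js" -> [".", "ok"]
  const out = [];
  for (const seg of callerDir.concat(specifier.split("/"))) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (out.length === 0) throw new Error("specifier escapes the root: " + specifier);
      out.pop();
      continue;
    }
    out.push(seg);
  }
  return "./" + out.join("/");
}

// The same import form, evaluated by two different scripts, yields two keys.
function keysForBothCallers() {
  return {
    ok: resolveModuleKey("./resource/syntax.js", "./ok/hello.js"),
    error: resolveModuleKey("./resource/syntax.js", "./error/hello.js"),
  };
}

// `import` is not a value: referencing it without a call is a SyntaxError at
// parse time, while import(...) and its .then(...) continuation parse fine.
// Only parsing is exercised; the constructed function is never called, so no
// module is fetched.
function parsesAsScript(source) {
  try {
    new Function(source);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}
```

The parse checks are what make `import` safe to treat as an operator: there is no function object to alias, store, or call from a different origin, so the key resolution always sees the origin of the code that contains the call.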
1903
1904 2017-01-08  Filip Pizlo  <fpizlo@apple.com>
1905
1906         Make the collector's fixpoint smart about scheduling work
1907         https://bugs.webkit.org/show_bug.cgi?id=165910
1908
1909         Reviewed by Keith Miller.
1910         
1911         Prior to this change, every time the GC would run any constraints in markToFixpoint, it
1912         would run all of the constraints. It would always run them in the same order. That means
1913         that so long as any one constraint was generating new work, we'd pay the price of all
1914         constraints. This is usually OK because most constraints are cheap but it artificially
1915         inflates the cost of slow constraints - especially ones that are expensive but usually
1916         generate no new work.
1917         
1918         This patch redoes how the GC runs constraints by applying ideas from data flow analysis.
1919         The GC now builds a MarkingConstraintSet when it boots up, and this contains all of the
1920         constraints as well as some meta-data about them. Now, markToFixpoint just calls into
1921         MarkingConstraintSet to execute constraints. Because constraint execution and scheduling
1922         need to be aware of each other, I rewrote markToFixpoint in such a way that it's more
1923         obvious how the GC goes between constraint solving, marking with stopped mutator, and
1924         marking with resumed mutator. This also changes the scheduler API in such a way that a
1925         synchronous stop-the-world collection no longer needs to do fake stop/resume - instead we
1926         just swap the space-time scheduler for the stop-the-world scheduler.
1927         
1928         This is a big streamlining of the GC. This is a speed-up in GC-heavy tests because we
1929         now execute most constraints exactly twice regardless of how many total fixpoint
1930         iterations we do. Now, when we run out of marking work, the constraint solver will just
1931         run the constraint that is most likely to generate new visiting work, and if it does
1932         generate work, then the GC now goes back to marking. Before, it would run *all*
1933         constraints and then go back to marking. The constraint solver is armed with three
1934         information signals that it uses to sort the constraints in order of descending likelihood
1935         to generate new marking work. Then it runs them in that order until there is new
1936         marking work. The signals are:
1937         
1938         1) Whether the constraint is greyed by marking or execution. We call this the volatility
1939            of the constraint. For example, weak reference constraints have GreyedByMarking as
1940            their volatility because they are most likely to have something to say after we've done
1941            some marking. On the other hand, conservative roots have GreyedByExecution as their
1942            volatility because they will give new information anytime we let the mutator run. The
1943            constraint solver will only run GreyedByExecution constraints as roots and after the
1944            GreyedByMarking constraints go silent. This ensures that we don't try to scan
1945            conservative roots every time we need to re-run weak references and vice-versa.
1946            
1947            Another way to look at it is that the constraint solver tries to predict if the
1948            wavefront is advancing or retreating. The wavefront is almost certainly advancing so
1949            long as the mark stacks are non-empty or so long as at least one of the GreyedByMarking
1950            constraints is still producing work. Otherwise the wavefront is almost certainly
1951            retreating. It's most profitable to run GreyedByMarking constraints when the wavefront
1952            is advancing, and most profitable to run GreyedByExecution constraints when the
1953            wavefront is retreating.
1954            
1955            We use the predicted wavefront direction and the volatility of constraints as a
1956            first-order signal of constraint profitability.
1957         
1958         2) How much visiting work was created the last time the constraint ran. The solver
1959            remembers the lastVisitCount, and uses it to predict how much work the constraint will
1960            generate next time. In practice this means we will keep re-running the one interesting
1961            constraint until it shuts up.
1962         
1963         3) Optional work predictors for some constraints. The constraint that shuffles the mutator
1964            mark stack into the main SlotVisitor's mutator mark stack always knows exactly how much
1965            work it will create.
1966            
1967            The sum of (2) and (3) is used as a second-order signal of constraint profitability.
1968         
1969         The constraint solver will always run all of the GreyedByExecution constraints at GC
1970         start, since these double as the GC's roots. The constraint solver will always run all of
1971         the GreyedByMarking constraints the first time that marking stalls. Other than that, the
1972         solver will keep running constraints, sorted according to their likelihood to create work,
1973         until either work is created or we run out of constraints to run. GC termination happens
1974         when we run out of constraints to run.
1975         
1976         This new infrastructure means that we have a much better chance of dealing with worst-case
1977         DOM pathologies. If we can intelligently factor different evil DOM things into different
1978         constraints with the right work predictions then this could reduce the cost of those DOM
1979         things by a factor of N where N is the number of fixpoint iterations the GC typically
1980         does. N is usually around 5-6 even for simple heaps.
1981         
1982         My perf measurements say:
1983         
1984         PLT3: 0.02% faster with 5.3% confidence.
1985         JetStream: 0.15% faster with 17% confidence.
1986         Speedometer: 0.58% faster with 82% confidence.
1987         
1988         Here are the details from JetStream:
1989         
1990         splay: 1.02173x faster with 0.996841 confidence
1991         splay-latency: 1.0617x faster with 0.987462 confidence
1992         towers.c: 1.01852x faster with 0.92128 confidence
1993         crypto-md5: 1.06058x faster with 0.482363 confidence
1994         score: 1.00152x faster with 0.16892 confidence
1995         
1996         I think that Speedometer is legitimately benefiting from this change based on looking at
1997         --logGC=true output. We are now spending less time reexecuting expensive constraints. I
1998         think that JetStream/splay is also benefiting, because although the constraints it sees
1999         are cheap, it spends 30% of its time in GC so even small improvements matter.
2000
2001         * CMakeLists.txt:
2002         * JavaScriptCore.xcodeproj/project.pbxproj:
2003         * dfg/DFGPlan.cpp:
2004         (JSC::DFG::Plan::markCodeBlocks): Deleted.
2005         (JSC::DFG::Plan::rememberCodeBlocks): Deleted.
2006         * dfg/DFGPlan.h:
2007         * dfg/DFGPlanInlines.h: Added.
2008         (JSC::DFG::Plan::iterateCodeBlocksForGC):
2009         * dfg/DFGWorklist.cpp:
2010         (JSC::DFG::Worklist::markCodeBlocks): Deleted.
2011         (JSC::DFG::Worklist::rememberCodeBlocks): Deleted.
2012         (JSC::DFG::rememberCodeBlocks): Deleted.
2013         * dfg/DFGWorklist.h:
2014         * dfg/DFGWorklistInlines.h: Added.
2015         (JSC::DFG::iterateCodeBlocksForGC):
2016         (JSC::DFG::Worklist::iterateCodeBlocksForGC):
2017         * heap/CodeBlockSet.cpp:
2018         (JSC::CodeBlockSet::writeBarrierCurrentlyExecuting): Deleted.
2019         * heap/CodeBlockSet.h:
2020         (JSC::CodeBlockSet::iterate): Deleted.
2021         * heap/CodeBlockSetInlines.h:
2022         (JSC::CodeBlockSet::iterate):
2023         (JSC::CodeBlockSet::iterateCurrentlyExecuting):
2024         * heap/Heap.cpp:
2025         (JSC::Heap::Heap):
2026         (JSC::Heap::iterateExecutingAndCompilingCodeBlocks):
2027         (JSC::Heap::iterateExecutingAndCompilingCodeBlocksWithoutHoldingLocks):
2028         (JSC::Heap::assertSharedMarkStacksEmpty):
2029         (JSC::Heap::markToFixpoint):
2030         (JSC::Heap::endMarking):
2031         (JSC::Heap::collectInThread):
2032         (JSC::Heap::stopIfNecessarySlow):
2033         (JSC::Heap::acquireAccessSlow):
2034         (JSC::Heap::collectIfNecessaryOrDefer):
2035         (JSC::Heap::buildConstraintSet):
2036         (JSC::Heap::notifyIsSafeToCollect):
2037         (JSC::Heap::ResumeTheWorldScope::ResumeTheWorldScope): Deleted.
2038         (JSC::Heap::ResumeTheWorldScope::~ResumeTheWorldScope): Deleted.
2039         (JSC::Heap::harvestWeakReferences): Deleted.
2040         (JSC::Heap::visitConservativeRoots): Deleted.
2041         (JSC::Heap::visitCompilerWorklistWeakReferences): Deleted.
2042         * heap/Heap.h:
2043         * heap/MarkingConstraint.cpp: Added.
2044         (JSC::MarkingConstraint::MarkingConstraint):
2045         (JSC::MarkingConstraint::~MarkingConstraint):
2046         (JSC::MarkingConstraint::resetStats):
2047         (JSC::MarkingConstraint::execute):
2048         * heap/MarkingConstraint.h: Added.
2049         (JSC::MarkingConstraint::index):
2050         (JSC::MarkingConstraint::abbreviatedName):
2051         (JSC::MarkingConstraint::name):
2052         (JSC::MarkingConstraint::lastVisitCount):
2053         (JSC::MarkingConstraint::quickWorkEstimate):
2054         (JSC::MarkingConstraint::workEstimate):
2055         (JSC::MarkingConstraint::volatility):
2056         * heap/MarkingConstraintSet.cpp: Added.
2057         (JSC::MarkingConstraintSet::ExecutionContext::ExecutionContext):
2058         (JSC::MarkingConstraintSet::ExecutionContext::didVisitSomething):
2059         (JSC::MarkingConstraintSet::ExecutionContext::shouldTimeOut):
2060         (JSC::MarkingConstraintSet::ExecutionContext::drain):
2061         (JSC::MarkingConstraintSet::ExecutionContext::didExecute):
2062         (JSC::MarkingConstraintSet::ExecutionContext::execute):
2063         (JSC::MarkingConstraintSet::MarkingConstraintSet):
2064         (JSC::MarkingConstraintSet::~MarkingConstraintSet):
2065         (JSC::MarkingConstraintSet::resetStats):
2066         (JSC::MarkingConstraintSet::add):
2067         (JSC::MarkingConstraintSet::executeBootstrap):
2068         (JSC::MarkingConstraintSet::executeConvergence):
2069         (JSC::MarkingConstraintSet::isWavefrontAdvancing):
2070         (JSC::MarkingConstraintSet::executeConvergenceImpl):
2071         (JSC::MarkingConstraintSet::executeAll):
2072         * heap/MarkingConstraintSet.h: Added.
2073         (JSC::MarkingConstraintSet::isWavefrontRetreating):
2074         * heap/MutatorScheduler.cpp: Added.
2075         (JSC::MutatorScheduler::MutatorScheduler):
2076         (JSC::MutatorScheduler::~MutatorScheduler):
2077         (JSC::MutatorScheduler::didStop):
2078         (JSC::MutatorScheduler::willResume):
2079         (JSC::MutatorScheduler::didExecuteConstraints):
2080         (JSC::MutatorScheduler::log):
2081         (JSC::MutatorScheduler::shouldStop):
2082         (JSC::MutatorScheduler::shouldResume):
2083         * heap/MutatorScheduler.h: Added.
2084         * heap/OpaqueRootSet.h:
2085         (JSC::OpaqueRootSet::add):
2086         * heap/SlotVisitor.cpp:
2087         (JSC::SlotVisitor::visitAsConstraint):
2088         (JSC::SlotVisitor::drain):
2089         (JSC::SlotVisitor::didReachTermination):
2090         (JSC::SlotVisitor::hasWork):
2091         (JSC::SlotVisitor::drainFromShared):
2092         (JSC::SlotVisitor::drainInParallelPassively):
2093         (JSC::SlotVisitor::addOpaqueRoot):
2094         * heap/SlotVisitor.h:
2095         (JSC::SlotVisitor::addToVisitCount):
2096         * heap/SpaceTimeMutatorScheduler.cpp: Copied from Source/JavaScriptCore/heap/SpaceTimeScheduler.cpp.
2097         (JSC::SpaceTimeMutatorScheduler::Snapshot::Snapshot):
2098         (JSC::SpaceTimeMutatorScheduler::Snapshot::now):
2099         (JSC::SpaceTimeMutatorScheduler::Snapshot::bytesAllocatedThisCycle):
2100         (JSC::SpaceTimeMutatorScheduler::SpaceTimeMutatorScheduler):
2101         (JSC::SpaceTimeMutatorScheduler::~SpaceTimeMutatorScheduler):
2102         (JSC::SpaceTimeMutatorScheduler::state):
2103         (JSC::SpaceTimeMutatorScheduler::beginCollection):
2104         (JSC::SpaceTimeMutatorScheduler::didStop):
2105         (JSC::SpaceTimeMutatorScheduler::willResume):
2106         (JSC::SpaceTimeMutatorScheduler::didExecuteConstraints):
2107         (JSC::SpaceTimeMutatorScheduler::timeToStop):
2108         (JSC::SpaceTimeMutatorScheduler::timeToResume):
2109         (JSC::SpaceTimeMutatorScheduler::log):
2110         (JSC::SpaceTimeMutatorScheduler::endCollection):
2111         (JSC::SpaceTimeMutatorScheduler::bytesAllocatedThisCycleImpl):
2112         (JSC::SpaceTimeMutatorScheduler::bytesSinceBeginningOfCycle):
2113         (JSC::SpaceTimeMutatorScheduler::maxHeadroom):
2114         (JSC::SpaceTimeMutatorScheduler::headroomFullness):
2115         (JSC::SpaceTimeMutatorScheduler::mutatorUtilization):
2116         (JSC::SpaceTimeMutatorScheduler::collectorUtilization):
2117         (JSC::SpaceTimeMutatorScheduler::elapsedInPeriod):
2118         (JSC::SpaceTimeMutatorScheduler::phase):
2119         (JSC::SpaceTimeMutatorScheduler::shouldBeResumed):
2120         (JSC::SpaceTimeScheduler::Decision::targetMutatorUtilization): Deleted.
2121         (JSC::SpaceTimeScheduler::Decision::targetCollectorUtilization): Deleted.
2122         (JSC::SpaceTimeScheduler::Decision::elapsedInPeriod): Deleted.
2123         (JSC::SpaceTimeScheduler::Decision::phase): Deleted.
2124         (JSC::SpaceTimeScheduler::Decision::shouldBeResumed): Deleted.
2125         (JSC::SpaceTimeScheduler::Decision::timeToResume): Deleted.
2126         (JSC::SpaceTimeScheduler::Decision::timeToStop): Deleted.
2127         (JSC::SpaceTimeScheduler::SpaceTimeScheduler): Deleted.
2128         (JSC::SpaceTimeScheduler::snapPhase): Deleted.
2129         (JSC::SpaceTimeScheduler::currentDecision): Deleted.
2130         * heap/SpaceTimeMutatorScheduler.h: Copied from Source/JavaScriptCore/heap/SpaceTimeScheduler.h.
2131         (JSC::SpaceTimeScheduler::Decision::operator bool): Deleted.
2132         * heap/SpaceTimeScheduler.cpp: Removed.
2133         * heap/SpaceTimeScheduler.h: Removed.
2134         * heap/SynchronousStopTheWorldMutatorScheduler.cpp: Added.
2135         (JSC::SynchronousStopTheWorldMutatorScheduler::SynchronousStopTheWorldMutatorScheduler):
2136         (JSC::SynchronousStopTheWorldMutatorScheduler::~SynchronousStopTheWorldMutatorScheduler):
2137         (JSC::SynchronousStopTheWorldMutatorScheduler::state):
2138         (JSC::SynchronousStopTheWorldMutatorScheduler::beginCollection):
2139         (JSC::SynchronousStopTheWorldMutatorScheduler::timeToStop):
2140         (JSC::SynchronousStopTheWorldMutatorScheduler::timeToResume):
2141         (JSC::SynchronousStopTheWorldMutatorScheduler::endCollection):
2142         * heap/SynchronousStopTheWorldMutatorScheduler.h: Added.
2143         * heap/VisitingTimeout.h: Added.
2144         (JSC::VisitingTimeout::VisitingTimeout):
2145         (JSC::VisitingTimeout::visitCount):
2146         (JSC::VisitingTimeout::didVisitSomething):
2147         (JSC::VisitingTimeout::shouldTimeOut):
2148         * runtime/Options.h:
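The scheduling policy this entry describes, as an added JavaScript model that is not JavaScriptCore's MarkingConstraintSet: the constraint names, the work counts they report and the mark-stack counter are constructed for illustration.

```javascript
// Added illustrative model of the constraint scheduling described above.
// This is not JavaScriptCore code; the constraint names, the mark-stack
// counter and the work each constraint reports are constructed.
const GreyedByExecution = "GreyedByExecution"; // roots: new info whenever the mutator ran
const GreyedByMarking = "GreyedByMarking";     // e.g. weak refs: new info after marking

class MarkingConstraint {
  // `produce(stalls)` stands in for the real constraint body and returns how
  // many cells the constraint greys; `workEstimate` is the optional predictor.
  constructor(name, volatility, produce, workEstimate = null) {
    this.name = name;
    this.volatility = volatility;
    this.produce = produce;
    this.workEstimate = workEstimate;
    this.lastVisitCount = 0; // signal 2: work created the last time it ran
    this.runs = 0;
  }
  // Second-order signal: sum of the optional predictor (3) and lastVisitCount (2).
  estimate() {
    return (this.workEstimate ? this.workEstimate() : 0) + this.lastVisitCount;
  }
}

class ConstraintSolver {
  constructor(constraints) {
    this.constraints = constraints;
    this.markStack = 0;  // cells greyed but not yet visited
    this.visited = 0;
    this.stalls = 0;     // how many times marking has run out of work
    this.log = [];       // "name:work" trace of every constraint execution
  }
  execute(c) {
    const work = c.produce(this.stalls);
    c.lastVisitCount = work;
    c.runs++;
    this.markStack += work;
    this.log.push(`${c.name}:${work}`);
    return work > 0;
  }
  drain() {              // marking: visit everything on the mark stack
    this.visited += this.markStack;
    this.markStack = 0;
  }
  // The wavefront is advancing while there is marking work or while some
  // GreyedByMarking constraint still produced work the last time it ran.
  isWavefrontAdvancing() {
    return this.markStack > 0 || this.constraints.some(
      c => c.volatility === GreyedByMarking && c.lastVisitCount > 0);
  }
  // Sort by the first-order signal (volatility matching the predicted
  // wavefront direction), then by the second-order work estimate.
  rankedConstraints() {
    const preferred = this.isWavefrontAdvancing() ? GreyedByMarking : GreyedByExecution;
    const rank = c => (c.volatility === preferred ? 1 : 0);
    return [...this.constraints].sort(
      (a, b) => (rank(b) - rank(a)) || (b.estimate() - a.estimate()));
  }
  collect() {
    // Bootstrap: every GreyedByExecution constraint runs once, as the roots.
    for (const c of this.constraints)
      if (c.volatility === GreyedByExecution) this.execute(c);
    for (;;) {
      this.drain();
      this.stalls++;
      if (this.stalls === 1) {
        // The first time marking stalls, every GreyedByMarking constraint runs.
        for (const c of this.constraints)
          if (c.volatility === GreyedByMarking) this.execute(c);
        continue;
      }
      // Convergence: run constraints in ranked order until one creates work.
      let produced = false;
      for (const c of this.rankedConstraints())
        if (this.execute(c)) { produced = true; break; }
      if (!produced) return this.visited; // out of constraints: GC terminates
    }
  }
}

// Constructed scenario: two root-like constraints, a weak-reference constraint
// that goes quiet after two rounds, and an expensive DOM constraint that never
// finds anything (the case the entry says should no longer be re-run each round).
function runExampleCollection() {
  let weakRuns = 0;
  const constraints = [
    new MarkingConstraint("ConservativeRoots", GreyedByExecution, s => (s === 0 ? 10 : 0)),
    new MarkingConstraint("StrongHandles", GreyedByExecution, s => (s === 0 ? 3 : 0)),
    new MarkingConstraint("WeakRefs", GreyedByMarking, () => [4, 2, 0][Math.min(weakRuns++, 2)]),
    new MarkingConstraint("DOMWrappers", GreyedByMarking, () => 0),
  ];
  const solver = new ConstraintSolver(constraints);
  const visited = solver.collect();
  const runs = Object.fromEntries(constraints.map(c => [c.name, c.runs]));
  return { visited, runs, log: solver.log };
}
```

In this scenario the DOM constraint and the conservative roots each execute exactly twice (bootstrap or first stall, then the final termination check), while the weak-reference constraint is re-run until it goes silent.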
2149
2150 2017-01-09  Commit Queue  <commit-queue@webkit.org>
2151
2152         Unreviewed, rolling out r210476.
2153         https://bugs.webkit.org/show_bug.cgi?id=166859
2154
2155         "4% JSBench regression" (Requested by keith_mi_ on #webkit).
2156
2157         Reverted changeset:
2158
2159         "Add a slice intrinsic to the DFG/FTL"
2160         https://bugs.webkit.org/show_bug.cgi?id=166707
2161         http://trac.webkit.org/changeset/210476
2162
2163 2017-01-08  Andreas Kling  <akling@apple.com>
2164
2165         Inject MarkedSpace size classes for a few more high-volume objects.
2166         <https://webkit.org/b/166815>
2167
2168         Reviewed by Darin Adler.
2169
2170         Add the following classes to the list of manually injected size classes:
2171
2172             - JSString
2173             - JSFunction
2174             - PropertyTable
2175             - Structure
2176
2177         Only Structure actually ends up with a new size class, the others already
2178         can't get any tighter due to the current MarkedBlock::atomSize being 16.
2179         I've put them in anyway to ensure that we have optimally carved-out cells
2180         for them in the future, should they grow.
2181
2182         With this change, Structures get allocated in 128-byte cells instead of
2183         160-byte cells, giving us 25% more Structures per MarkedBlock.
2184
2185         * heap/MarkedSpace.cpp:
2186
2187 2017-01-06  Saam Barati  <sbarati@apple.com>
2188
2189         Add a slice intrinsic to the DFG/FTL
2190         https://bugs.webkit.org/show_bug.cgi?id=166707
2191
2192         Reviewed by Filip Pizlo.
2193
2194         The gist of this patch is to inline Array.prototype.slice
2195         into the DFG/FTL. The implementation in the DFG-backend
2196         and FTLLowerDFGToB3 is just a straightforward implementation
2197         of what the C function is doing. The more interesting bits
2198         of this patch are setting up the proper watchpoints and conditions
2199         in the executing code to prove that it's safe to skip all of the
2200         observable JS actions that Array.prototype.slice normally does.
2201         
2202         We perform the following proofs:
2203         1. Array.prototype.constructor has not changed (via a watchpoint).
2204         2. That Array.prototype.constructor[Symbol.species] has not changed (via a watchpoint).
2205         3. The global object is not having a bad time.
2206         4. The array that is being sliced has an original array structure.
2207         5. Array.prototype/Object.prototype have not transitioned.
2208         
2209         Conditions 1, 2, and 3 are strictly required.
2210         
2211         4 is ensuring a couple things:
2212         1. That a "constructor" property hasn't been added to the array
2213         we're slicing since we're supposed to perform a Get(array, "constructor").
2214         2. That we're not slicing an instance of a subclass of Array.
2215         
2216         We could relax 4.1 in the future if we find other ways to test if
2217         the incoming array hasn't changed the "constructor" property.
2218         
2219         I'm seeing a 5% speedup on crypto-pbkdf2 and often a 1% speedup on
2220         the total benchmark (the results are sometimes noisy).
2221
2222         * bytecode/ExitKind.cpp:
2223         (JSC::exitKindToString):
2224         * bytecode/ExitKind.h:
2225         * dfg/DFGAbstractInterpreterInlines.h:
2226         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2227         * dfg/DFGByteCodeParser.cpp:
2228         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2229         * dfg/DFGClobberize.h:
2230         (JSC::DFG::clobberize):
2231         * dfg/DFGDoesGC.cpp:
2232         (JSC::DFG::doesGC):
2233         * dfg/DFGFixupPhase.cpp:
2234         (JSC::DFG::FixupPhase::fixupNode):
2235         * dfg/DFGNode.h:
2236         (JSC::DFG::Node::hasHeapPrediction):
2237         (JSC::DFG::Node::hasArrayMode):
2238         * dfg/DFGNodeType.h:
2239         * dfg/DFGPredictionPropagationPhase.cpp:
2240         * dfg/DFGSafeToExecute.h:
2241         (JSC::DFG::safeToExecute):
2242         * dfg/DFGSpeculativeJIT.cpp:
2243         (JSC::DFG::SpeculativeJIT::compileArraySlice):
2244         * dfg/DFGSpeculativeJIT.h:
2245         * dfg/DFGSpeculativeJIT32_64.cpp:
2246         (JSC::DFG::SpeculativeJIT::compile):
2247         * dfg/DFGSpeculativeJIT64.cpp:
2248         (JSC::DFG::SpeculativeJIT::compile):
2249         * ftl/FTLCapabilities.cpp:
2250         (JSC::FTL::canCompile):
2251         * ftl/FTLLowerDFGToB3.cpp:
2252         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2253         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
2254         * jit/AssemblyHelpers.cpp:
2255         (JSC::AssemblyHelpers::emitLoadStructure):
2256         * runtime/ArrayPrototype.cpp:
2257         (JSC::ArrayPrototype::finishCreation):
2258         (JSC::speciesWatchpointIsValid):
2259         (JSC::speciesConstructArray):
2260         (JSC::arrayProtoFuncSlice):
2261         (JSC::arrayProtoPrivateFuncConcatMemcpy):
2262         (JSC::ArrayPrototype::initializeSpeciesWatchpoint):
2263         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
2264         (JSC::speciesWatchpointsValid): Deleted.
2265         (JSC::ArrayPrototype::attemptToInitializeSpeciesWatchpoint): Deleted.
2266         * runtime/ArrayPrototype.h:
2267         (JSC::ArrayPrototype::speciesWatchpointStatus): Deleted.
2268         (): Deleted.
2269         * runtime/Intrinsic.h:
2270         * runtime/JSGlobalObject.cpp:
2271         (JSC::JSGlobalObject::JSGlobalObject):
2272         (JSC::JSGlobalObject::init):
2273         * runtime/JSGlobalObject.h:
2274         (JSC::JSGlobalObject::arraySpeciesWatchpoint):
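The observable behaviour the inlined slice has to preserve, as an added JavaScript example that is not part of this entry or of JavaScriptCore; fastSliceModel, sliceIntrinsicConditionsHold, Recorder and Tagged are constructed helpers, and the model only approximates proofs 1, 2 and 4 since 3 and 5 concern engine-internal state.

```javascript
// Added example, not JavaScriptCore code: what Array.prototype.slice does
// observably (ArraySpeciesCreate: Get(array, "constructor"), then
// Get(constructor, Symbol.species)) and why the inlined version may only be
// used while the proofs listed in the entry hold. Helpers and arrays are constructed.

// What the intrinsic is allowed to do instead of the species protocol: copy
// the elements into a fresh, ordinary Array. (Holes are read as undefined
// here; hole handling is not modelled.)
function fastSliceModel(array, start, end) {
  const len = array.length;
  const clamp = i => (i < 0 ? Math.max(len + i, 0) : Math.min(i, len));
  const from = clamp(start === undefined ? 0 : start);
  const to = clamp(end === undefined ? len : end);
  const out = [];
  for (let k = from; k < to; k++) out.push(array[k]);
  return out;
}

// JS-visible approximation of proofs 1, 2 and 4 from the entry. The engine
// proves these once with watchpoints and a structure check rather than
// re-checking per call; proofs 3 and 5 are not observable from script.
function sliceIntrinsicConditionsHold(array) {
  const speciesDesc = Object.getOwnPropertyDescriptor(Array, Symbol.species);
  return Array.prototype.constructor === Array                       // proof 1
    && speciesDesc !== undefined && typeof speciesDesc.get === "function"
    && Array[Symbol.species] === Array                               // proof 2
    && !Object.prototype.hasOwnProperty.call(array, "constructor")   // proof 4.1
    && Object.getPrototypeOf(array) === Array.prototype;             // proof 4.2
}

function demonstrate() {
  const results = {};

  // Ordinary array: the conditions hold and the fast model matches slice.
  const plain = [10, 20, 30, 40];
  results.plainOk = sliceIntrinsicConditionsHold(plain)
    && JSON.stringify(plain.slice(1, -1)) === JSON.stringify(fastSliceModel(plain, 1, -1));

  // Proof 4.2: a subclass instance. slice must construct the subclass through
  // Symbol.species; the fast model would silently return a plain Array.
  class Tagged extends Array {}
  const sub = Tagged.from([1, 2, 3]);
  results.subclassConditionsHold = sliceIntrinsicConditionsHold(sub);       // false
  results.subclassRealIsTagged = sub.slice(1) instanceof Tagged;            // true
  results.subclassModelIsTagged = fastSliceModel(sub, 1) instanceof Tagged; // false

  // Proof 4.1: an own "constructor" property redirects ArraySpeciesCreate to
  // user code, which the fast model would never call.
  let constructedLength = null;
  function Recorder(len) { constructedLength = len; return []; }
  const redirected = [1, 2, 3];
  redirected.constructor = { [Symbol.species]: Recorder };
  results.redirectedConditionsHold = sliceIntrinsicConditionsHold(redirected); // false
  redirected.slice(1);
  results.recorderSawLength = constructedLength;                            // 2
  constructedLength = null;
  fastSliceModel(redirected, 1);
  results.modelSkipsRecorder = constructedLength === null;                  // true

  return results;
}
```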
2275
2276 2017-01-06  Mark Lam  <mark.lam@apple.com>
2277
2278         The ObjC API's JSVirtualMachine's map tables need to be guarded by a lock.
2279         https://bugs.webkit.org/show_bug.cgi?id=166778
2280         <rdar://problem/29761198>
2281
2282         Reviewed by Filip Pizlo.
2283
2284         Now that we have a concurrent GC, access to JSVirtualMachine's
2285         m_externalObjectGraph and m_externalRememberedSet needs to be guarded by a lock
2286         since both the GC marker thread and the mutator thread may access them at the
2287         same time.
2288
2289         * API/JSVirtualMachine.mm:
2290         (-[JSVirtualMachine addExternalRememberedObject:]):
2291         (-[JSVirtualMachine addManagedReference:withOwner:]):
2292         (-[JSVirtualMachine removeManagedReference:withOwner:]):
2293         (-[JSVirtualMachine externalDataMutex]):
2294         (scanExternalObjectGraph):
2295         (scanExternalRememberedSet):
2296
2297         * API/JSVirtualMachineInternal.h:
2298         - Deleted externalObjectGraph method.  There's no need to expose this.
2299
2300 2017-01-06  Michael Saboff  <msaboff@apple.com>
2301
2302         @putByValDirect in Array.of and Array.from overwrites non-writable/configurable properties
2303         https://bugs.webkit.org/show_bug.cgi?id=153486
2304
2305         Reviewed by Saam Barati.
2306
2307         Moved read only check in putDirect() to all paths.
2308
2309         * runtime/SparseArrayValueMap.cpp:
2310         (JSC::SparseArrayValueMap::putDirect):
2311
2312 2016-12-30  Filip Pizlo  <fpizlo@apple.com>
2313
2314         DeferGC::~DeferGC should be super cheap
2315         https://bugs.webkit.org/show_bug.cgi?id=166626
2316
2317         Reviewed by Saam Barati.
2318         
2319         Right now, ~DeferGC requires running the collector's full collectIfNecessaryOrDefer()
2320         hook, which is super big. Normally, that hook would only be called from GC slow paths,
2321         so it ought to be possible to add complex logic to it. It benefits the GC algorithm to
2322         make that code smart, not necessarily fast.
2323
2324         The right thing for it to do is to have ~DeferGC check a boolean to see if
2325         collectIfNecessaryOrDefer() had previously deferred anything, and only call it if that
2326         is true. That's what this patch does.
2327         
2328         Unfortunately, this means that we lose the collectAccordingToDeferGCProbability mode,
2329         which we used for two tests. Since I could only see two tests that used this mode, I
2330         felt that it was better to enhance the GC than to keep the tests. I filed bug 166627 to
2331         bring back something like that mode.
2332         
2333         Although this patch does make some paths faster, its real goal is to ensure that bug
2334         165963 can add more logic to collectIfNecessaryOrDefer() without introducing a big
2335         regression. Until then, I wouldn't be surprised if this patch was a progression, but I'm
2336         not betting on it.
2337
2338         * heap/Heap.cpp:
2339         (JSC::Heap::collectIfNecessaryOrDefer):
2340         (JSC::Heap::decrementDeferralDepthAndGCIfNeededSlow):
2341         (JSC::Heap::canCollect): Deleted.
2342         (JSC::Heap::shouldCollectHeuristic): Deleted.
2343         (JSC::Heap::shouldCollect): Deleted.
2344         (JSC::Heap::collectAccordingToDeferGCProbability): Deleted.
2345         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded): Deleted.
2346         * heap/Heap.h:
2347         * heap/HeapInlines.h:
2348         (JSC::Heap::incrementDeferralDepth):
2349         (JSC::Heap::decrementDeferralDepth):
2350         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
2351         (JSC::Heap::mayNeedToStop):
2352         (JSC::Heap::stopIfNecessary):
2353         * runtime/Options.h:
2354
2355 2017-01-05  Filip Pizlo  <fpizlo@apple.com>
2356
2357         AutomaticThread timeout shutdown leaves a small window where notify() would think that the thread is still running
2358         https://bugs.webkit.org/show_bug.cgi?id=166742
2359
2360         Reviewed by Geoffrey Garen.
2361         
2362         Update to new AutomaticThread API.
2363
2364         * dfg/DFGWorklist.cpp:
2365
2366 2017-01-05  Per Arne Vollan  <pvollan@apple.com>
2367
2368         [Win] Compile error.
2369         https://bugs.webkit.org/show_bug.cgi?id=166726
2370
2371         Reviewed by Alex Christensen.
2372
2373         Add include folder.
2374
2375         * CMakeLists.txt:
2376
2377 2016-12-21  Brian Burg  <bburg@apple.com>
2378
2379         Web Inspector: teach the protocol generator about platform-specific types, events, and commands
2380         https://bugs.webkit.org/show_bug.cgi?id=166003
2381         <rdar://problem/28718990>
2382
2383         Reviewed by Joseph Pecoraro.
2384
2385         This patch implements parser, model, and generator-side changes to account for
2386         platform-specific types, events, and commands. The 'platform' property is parsed
2387         for top-level definitions and assumed to be the 'generic' platform if none is specified.
2388
2389         Since the generator's platform setting acts to filter definitions with an incompatible platform,
2390         all generators must be modified to consult a list of filtered types/commands/events for
2391         a domain instead of directly accessing Domain.{type_declarations, commands, events}. To prevent
2392         accidental misuse, hide those fields behind accessors (e.g., `all_type_declarations()`) so that they
2393         are still accessible if truly necessary, but not used by default and cause an error if not migrated.
2394
2395         * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
2396         (CppAlternateBackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
2397         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
2398         (CppBackendDispatcherHeaderGenerator.domains_to_generate):
2399         (CppBackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
2400         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
2401         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2402         (CppBackendDispatcherImplementationGenerator.domains_to_generate):
2403         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
2404         (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
2405         (CppBackendDispatcherImplementationGenerator._generate_large_dispatcher_switch_implementation_for_domain):
2406         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
2407         (CppFrontendDispatcherHeaderGenerator.domains_to_generate):
2408         (CppFrontendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
2409         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2410         (CppFrontendDispatcherImplementationGenerator.domains_to_generate):
2411         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
2412         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2413         (CppProtocolTypesHeaderGenerator._generate_forward_declarations):
2414         (_generate_typedefs_for_domain):
2415         (_generate_builders_for_domain):
2416         (_generate_forward_declarations_for_binding_traits):
2417         (_generate_declarations_for_enum_conversion_methods):
2418         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2419         (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain):
2420         (CppProtocolTypesImplementationGenerator._generate_open_field_names):
2421         (CppProtocolTypesImplementationGenerator._generate_builders_for_domain):
2422         * inspector/scripts/codegen/generate_js_backend_commands.py:
2423         (JSBackendCommandsGenerator.should_generate_domain):
2424         (JSBackendCommandsGenerator.domains_to_generate):
2425         (JSBackendCommandsGenerator.generate_domain):
2426         (JSBackendCommandsGenerator.domains_to_generate.should_generate_domain): Deleted.
2427         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
2428         (ObjCBackendDispatcherHeaderGenerator.domains_to_generate):
2429         (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations):
2430         (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declarations_for_domain):
2431         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
2432         (ObjCBackendDispatcherImplementationGenerator):
2433         (ObjCBackendDispatcherImplementationGenerator.domains_to_generate):
2434         (ObjCBackendDispatcherImplementationGenerator._generate_handler_implementation_for_domain):
2435         (ObjCConfigurationImplementationGenerator): Deleted.
2436         (ObjCConfigurationImplementationGenerator.__init__): Deleted.
2437         (ObjCConfigurationImplementationGenerator.output_filename): Deleted.
2438         (ObjCConfigurationImplementationGenerator.domains_to_generate): Deleted.
2439         (ObjCConfigurationImplementationGenerator.generate_output): Deleted.
2440         (ObjCConfigurationImplementationGenerator._generate_handler_implementation_for_domain): Deleted.
2441         (ObjCConfigurationImplementationGenerator._generate_handler_implementation_for_command): Deleted.
2442         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command): Deleted.
2443         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command.and): Deleted.
2444         (ObjCConfigurationImplementationGenerator._generate_conversions_for_command): Deleted.
2445         (ObjCConfigurationImplementationGenerator._generate_conversions_for_command.in_param_expression): Deleted.
2446         (ObjCConfigurationImplementationGenerator._generate_invocation_for_command): Deleted.
2447         * inspector/scripts/codegen/generate_objc_configuration_header.py:
2448         (ObjCConfigurationHeaderGenerator.generate_output):
2449         (ObjCConfigurationHeaderGenerator._generate_properties_for_domain):
2450         * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
2451         (ObjCConfigurationImplementationGenerator):
2452         (ObjCConfigurationImplementationGenerator.generate_output):
2453         (ObjCConfigurationImplementationGenerator._generate_configuration_implementation_for_domains):
2454         (ObjCConfigurationImplementationGenerator._generate_ivars):
2455         (ObjCConfigurationImplementationGenerator._generate_dealloc):
2456         (ObjCBackendDispatcherImplementationGenerator): Deleted.
2457         (ObjCBackendDispatcherImplementationGenerator.__init__): Deleted.
2458         (ObjCBackendDispatcherImplementationGenerator.output_filename): Deleted.
2459         (ObjCBackendDispatcherImplementationGenerator.generate_output): Deleted.
2460         (ObjCBackendDispatcherImplementationGenerator._generate_configuration_implementation_for_domains): Deleted.
2461         (ObjCBackendDispatcherImplementationGenerator._generate_ivars): Deleted.
2462         (ObjCBackendDispatcherImplementationGenerator._generate_dealloc): Deleted.
2463         (ObjCBackendDispatcherImplementationGenerator._generate_handler_setter_for_domain): Deleted.
2464         (ObjCBackendDispatcherImplementationGenerator._generate_event_dispatcher_getter_for_domain): Deleted.
2465         (ObjCBackendDispatcherImplementationGenerator._variable_name_prefix_for_domain): Deleted.
2466         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
2467         (ObjCFrontendDispatcherImplementationGenerator.domains_to_generate):
2468         (ObjCFrontendDispatcherImplementationGenerator._generate_event_dispatcher_implementations):
2469         * inspector/scripts/codegen/generate_objc_header.py:
2470         (ObjCHeaderGenerator.generate_output):
2471         (ObjCHeaderGenerator._generate_forward_declarations):
2472         (ObjCHeaderGenerator._generate_enums):
2473         (ObjCHeaderGenerator._generate_types):
2474         (ObjCHeaderGenerator._generate_command_protocols):
2475         (ObjCHeaderGenerator._generate_event_interfaces):
2476         * inspector/scripts/codegen/generate_objc_internal_header.py:
2477         (ObjCInternalHeaderGenerator.generate_output):
2478         (ObjCInternalHeaderGenerator._generate_event_dispatcher_private_interfaces):
2479         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
2480         (ObjCProtocolTypeConversionsHeaderGenerator.domains_to_generate):
2481         (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_conversion_functions):
2482         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_implementation.py:
2483         (ObjCProtocolTypeConversionsImplementationGenerator.domains_to_generate):
2484         (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_interface):
2485         (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_implementation):
2486         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
2487         (ObjCProtocolTypesImplementationGenerator.domains_to_generate):
2488         (ObjCProtocolTypesImplementationGenerator.generate_type_implementations):
2489
2490         * inspector/scripts/codegen/generator.py:
2491         (Generator.can_generate_platform):
2492         (Generator):
2493         (Generator.type_declarations_for_domain):
2494         (Generator.commands_for_domain):
2495         (Generator.events_for_domain):
2496         These are the core methods for computing whether a definition can be used given a target platform.
2497
2498         (Generator.calculate_types_requiring_shape_assertions):
2499         (Generator._traverse_and_assign_enum_values):
2500         * inspector/scripts/codegen/models.py:
2501         (Protocol.parse_type_declaration):
2502         (Protocol.parse_command):
2503         (Protocol.parse_event):
2504         (Protocol.resolve_types):
2505
2506         (Domain.__init__):
2507         (Domain):
2508         (Domain.all_type_declarations):
2509         (Domain.all_commands):
2510         (Domain.all_events):
2511         Hide fields behind these accessors so it's really obvious when we are ignoring platform filtering.
2512
2513         (Domain.resolve_type_references):
2514         (TypeDeclaration.__init__):
2515         (Command.__init__):
2516         (Event.__init__):
2517         * inspector/scripts/codegen/objc_generator.py:
2518         (ObjCGenerator.should_generate_types_for_domain):
2519         (ObjCGenerator):
2520         (ObjCGenerator.should_generate_commands_for_domain):
2521         (ObjCGenerator.should_generate_events_for_domain):
2522         (ObjCGenerator.should_generate_domain_types_filter): Deleted.
2523         (ObjCGenerator.should_generate_domain_types_filter.should_generate_domain_types): Deleted.
2524         (ObjCGenerator.should_generate_domain_command_handler_filter): Deleted.
2525         (ObjCGenerator.should_generate_domain_command_handler_filter.should_generate_domain_command_handler): Deleted.
2526         (ObjCGenerator.should_generate_domain_event_dispatcher_filter): Deleted.
2527         (ObjCGenerator.should_generate_domain_event_dispatcher_filter.should_generate_domain_event_dispatcher): Deleted.
2528         Clean up some messy code that essentially did the same definition filtering as we must do for platforms.
2529         This will be enhanced in a future patch so that platform filtering will take priority over the target framework.
2530
2531         The results above need rebaselining because the class names for two generators were swapped by accident.
2532         Fixing the names causes the order of generated files to change, and this generates ugly diffs because every
2533         generated file includes the same copyright block at the top.
2534
2535         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2536         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2537         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
2538         * inspector/scripts/tests/generic/expected/enum-values.json-result:
2539         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2540         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
2541         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
2542         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
2543         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
2544         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
2545         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
2546         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2547         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
2548
2549         * inspector/scripts/tests/generic/expected/fail-on-command-with-invalid-platform.json-error: Added.
2550         * inspector/scripts/tests/generic/expected/fail-on-type-with-invalid-platform.json-error: Added.
2551         * inspector/scripts/tests/generic/fail-on-command-with-invalid-platform.json: Added.
2552         * inspector/scripts/tests/generic/fail-on-type-with-invalid-platform.json: Added.
2553
2554         Add error test cases for invalid platforms in commands, types, and events.
2555
2556         * inspector/scripts/tests/generic/definitions-with-mac-platform.json: Added.
2557         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result: Added.
2558         * inspector/scripts/tests/all/definitions-with-mac-platform.json: Added.
2559         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result: Added.
2560         * inspector/scripts/tests/ios/definitions-with-mac-platform.json: Added.
2561         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result: Added.
2562         * inspector/scripts/tests/mac/definitions-with-mac-platform.json: Added.
2563         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result: Added.
2564
2565         Add a basic 4-way test that generates code for each platform from the same specification.
2566         With 'macos' platform for each definition, only 'all' and 'mac' generate anything interesting.
2567
2568 2017-01-03  Brian Burg  <bburg@apple.com>
2569
2570         Web Inspector: teach the protocol generator about platform-specific types, events, and commands
2571         https://bugs.webkit.org/show_bug.cgi?id=166003
2572         <rdar://problem/28718990>
2573
2574         Reviewed by Joseph Pecoraro.
2575
2576         This patch implements parser, model, and generator-side changes to account for
2577         platform-specific types, events, and commands. The 'platform' property is parsed
2578         for top-level definitions and assumed to be the 'generic' platform if none is specified.
2579
2580         Since the generator's platform setting acts to filter definitions with an incompatible platform,
2581         all generators must be modified to consult a list of filtered types/commands/events for
2582         a domain instead of directly accessing Domain.{type_declarations, commands, events}. To prevent
2583         accidental misuse, hide those fields behind accessors (e.g., `all_type_declarations()`) so that they
2584         are still accessible if truly necessary, but not used by default and cause an error if not migrated.
2585
2586         * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
2587         (CppAlternateBackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
2588         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
2589         (CppBackendDispatcherHeaderGenerator.domains_to_generate):
2590         (CppBackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
2591         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
2592         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2593         (CppBackendDispatcherImplementationGenerator.domains_to_generate):
2594         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
2595         (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
2596         (CppBackendDispatcherImplementationGenerator._generate_large_dispatcher_switch_implementation_for_domain):
2597         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
2598         (CppFrontendDispatcherHeaderGenerator.domains_to_generate):
2599         (CppFrontendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
2600         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2601         (CppFrontendDispatcherImplementationGenerator.domains_to_generate):
2602         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
2603         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2604         (CppProtocolTypesHeaderGenerator._generate_forward_declarations):
2605         (_generate_typedefs_for_domain):
2606         (_generate_builders_for_domain):
2607         (_generate_forward_declarations_for_binding_traits):
2608         (_generate_declarations_for_enum_conversion_methods):
2609         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2610         (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain):
2611         (CppProtocolTypesImplementationGenerator._generate_open_field_names):
2612         (CppProtocolTypesImplementationGenerator._generate_builders_for_domain):
2613         * inspector/scripts/codegen/generate_js_backend_commands.py:
2614         (JSBackendCommandsGenerator.should_generate_domain):
2615         (JSBackendCommandsGenerator.domains_to_generate):
2616         (JSBackendCommandsGenerator.generate_domain):
2617         (JSBackendCommandsGenerator.domains_to_generate.should_generate_domain): Deleted.
2618         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
2619         (ObjCBackendDispatcherHeaderGenerator.domains_to_generate):
2620         (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations):
2621         (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declarations_for_domain):
2622         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
2623         (ObjCBackendDispatcherImplementationGenerator):
2624         (ObjCBackendDispatcherImplementationGenerator.domains_to_generate):
2625         (ObjCBackendDispatcherImplementationGenerator._generate_handler_implementation_for_domain):
2626         (ObjCConfigurationImplementationGenerator): Deleted.
2627         (ObjCConfigurationImplementationGenerator.__init__): Deleted.
2628         (ObjCConfigurationImplementationGenerator.output_filename): Deleted.
2629         (ObjCConfigurationImplementationGenerator.domains_to_generate): Deleted.
2630         (ObjCConfigurationImplementationGenerator.generate_output): Deleted.
2631         (ObjCConfigurationImplementationGenerator._generate_handler_implementation_for_domain): Deleted.
2632         (ObjCConfigurationImplementationGenerator._generate_handler_implementation_for_command): Deleted.
2633         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command): Deleted.
2634         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command.and): Deleted.
2635         (ObjCConfigurationImplementationGenerator._generate_conversions_for_command): Deleted.
2636         (ObjCConfigurationImplementationGenerator._generate_conversions_for_command.in_param_expression): Deleted.
2637         (ObjCConfigurationImplementationGenerator._generate_invocation_for_command): Deleted.
2638         * inspector/scripts/codegen/generate_objc_configuration_header.py:
2639         (ObjCConfigurationHeaderGenerator.generate_output):
2640         (ObjCConfigurationHeaderGenerator._generate_properties_for_domain):
2641         * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
2642         (ObjCConfigurationImplementationGenerator):
2643         (ObjCConfigurationImplementationGenerator.generate_output):
2644         (ObjCConfigurationImplementationGenerator._generate_configuration_implementation_for_domains):
2645         (ObjCConfigurationImplementationGenerator._generate_ivars):
2646         (ObjCConfigurationImplementationGenerator._generate_dealloc):
2647         (ObjCBackendDispatcherImplementationGenerator): Deleted.
2648         (ObjCBackendDispatcherImplementationGenerator.__init__): Deleted.
2649         (ObjCBackendDispatcherImplementationGenerator.output_filename): Deleted.
2650         (ObjCBackendDispatcherImplementationGenerator.generate_output): Deleted.
2651         (ObjCBackendDispatcherImplementationGenerator._generate_configuration_implementation_for_domains): Deleted.
2652         (ObjCBackendDispatcherImplementationGenerator._generate_ivars): Deleted.
2653         (ObjCBackendDispatcherImplementationGenerator._generate_dealloc): Deleted.
2654         (ObjCBackendDispatcherImplementationGenerator._generate_handler_setter_for_domain): Deleted.
2655         (ObjCBackendDispatcherImplementationGenerator._generate_event_dispatcher_getter_for_domain): Deleted.
2656         (ObjCBackendDispatcherImplementationGenerator._variable_name_prefix_for_domain): Deleted.
2657         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
2658         (ObjCFrontendDispatcherImplementationGenerator.domains_to_generate):
2659         (ObjCFrontendDispatcherImplementationGenerator._generate_event_dispatcher_implementations):
2660         * inspector/scripts/codegen/generate_objc_header.py:
2661         (ObjCHeaderGenerator.generate_output):
2662         (ObjCHeaderGenerator._generate_forward_declarations):
2663         (ObjCHeaderGenerator._generate_enums):
2664         (ObjCHeaderGenerator._generate_types):
2665         (ObjCHeaderGenerator._generate_command_protocols):
2666         (ObjCHeaderGenerator._generate_event_interfaces):
2667         * inspector/scripts/codegen/generate_objc_internal_header.py:
2668         (ObjCInternalHeaderGenerator.generate_output):
2669         (ObjCInternalHeaderGenerator._generate_event_dispatcher_private_interfaces):
2670         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
2671         (ObjCProtocolTypeConversionsHeaderGenerator.domains_to_generate):
2672         (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_conversion_functions):
2673         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_implementation.py:
2674         (ObjCProtocolTypeConversionsImplementationGenerator.domains_to_generate):
2675         (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_interface):
2676         (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_implementation):
2677         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
2678         (ObjCProtocolTypesImplementationGenerator.domains_to_generate):
2679         (ObjCProtocolTypesImplementationGenerator.generate_type_implementations):
2680
2681         * inspector/scripts/codegen/generator.py:
2682         (Generator.can_generate_platform):
2683         (Generator):
2684         (Generator.type_declarations_for_domain):
2685         (Generator.commands_for_domain):
2686         (Generator.events_for_domain):
2687         These are the core methods for computing whether a definition can be used given a target platform.
2688
2689         (Generator.calculate_types_requiring_shape_assertions):
2690         (Generator._traverse_and_assign_enum_values):
2691         * inspector/scripts/codegen/models.py:
2692         (Protocol.parse_type_declaration):
2693         (Protocol.parse_command):
2694         (Protocol.parse_event):
2695         (Protocol.resolve_types):
2696
2697         (Domain.__init__):
2698         (Domain):
2699         (Domain.all_type_declarations):
2700         (Domain.all_commands):
2701         (Domain.all_events):
2702         Hide fields behind these accessors so it's really obvious when we are ignoring platform filtering.
2703
2704         (Domain.resolve_type_references):
2705         (TypeDeclaration.__init__):
2706         (Command.__init__):
2707         (Event.__init__):
2708         * inspector/scripts/codegen/objc_generator.py:
2709         (ObjCGenerator.should_generate_types_for_domain):
2710         (ObjCGenerator):
2711         (ObjCGenerator.should_generate_commands_for_domain):
2712         (ObjCGenerator.should_generate_events_for_domain):
2713         (ObjCGenerator.should_generate_domain_types_filter): Deleted.
2714         (ObjCGenerator.should_generate_domain_types_filter.should_generate_domain_types): Deleted.
2715         (ObjCGenerator.should_generate_domain_command_handler_filter): Deleted.
2716         (ObjCGenerator.should_generate_domain_command_handler_filter.should_generate_domain_command_handler): Deleted.
2717         (ObjCGenerator.should_generate_domain_event_dispatcher_filter): Deleted.
2718         (ObjCGenerator.should_generate_domain_event_dispatcher_filter.should_generate_domain_event_dispatcher): Deleted.
2719         Clean up some messy code that essentially did the same definition filtering as we must do for platforms.
2720         This will be enhanced in a future patch so that platform filtering will take priority over the target framework.
2721
2722         The following results need rebaselining because the class names for two generators were swapped by accident.
2723         Fixing the names causes the order of generated files to change, and this generates ugly diffs because every
2724         generated file includes the same copyright block at the top.
2725
2726         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2727         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2728         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
2729         * inspector/scripts/tests/generic/expected/enum-values.json-result:
2730         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2731         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
2732         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
2733         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
2734         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
2735         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
2736         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
2737         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2738         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
2739
2740 2017-01-03  Brian Burg  <bburg@apple.com>
2741
2742         Web Inspector: teach the protocol generator about platform-specific types, events, and commands
2743         https://bugs.webkit.org/show_bug.cgi?id=166003
2744         <rdar://problem/28718990>
2745
2746         Reviewed by Joseph Pecoraro.
2747
2748         Make it possible to test inspector protocol generator output for different platforms.
2749
2750         Move existing tests to the generic/ subdirectory, as they are to be generated
2751         without any specific platform. Later, platform-specific generator behavior will be
2752         tested by cloning the same test to multiple platform directories.
2753
2754         * inspector/scripts/tests{/ => /generic/}commands-with-async-attribute.json
2755         * inspector/scripts/tests{/ => /generic/}commands-with-optional-call-return-parameters.json
2756         * inspector/scripts/tests{/ => /generic/}domains-with-varying-command-sizes.json
2757         * inspector/scripts/tests{/ => /generic/}enum-values.json
2758         * inspector/scripts/tests{/ => /generic/}events-with-optional-parameters.json
2759         * inspector/scripts/tests{/ => /generic/}expected/commands-with-async-attribute.json-result
2760         * inspector/scripts/tests{/ => /generic/}expected/commands-with-optional-call-return-parameters.json-result
2761         * inspector/scripts/tests{/ => /generic/}expected/domains-with-varying-command-sizes.json-result
2762         * inspector/scripts/tests{/ => /generic/}expected/enum-values.json-result
2763         * inspector/scripts/tests{/ => /generic/}expected/events-with-optional-parameters.json-result
2764         * inspector/scripts/tests{/ => /generic/}expected/fail-on-domain-availability.json-error
2765         * inspector/scripts/tests{/ => /generic/}expected/fail-on-duplicate-command-call-parameter-names.json-error
2766         * inspector/scripts/tests{/ => /generic/}expected/fail-on-duplicate-command-return-parameter-names.json-error
2767         * inspector/scripts/tests{/ => /generic/}expected/fail-on-duplicate-event-parameter-names.json-error
2768         * inspector/scripts/tests{/ => /generic/}expected/fail-on-duplicate-type-declarations.json-error
2769         * inspector/scripts/tests{/ => /generic/}expected/fail-on-duplicate-type-member-names.json-error
2770         * inspector/scripts/tests{/ => /generic/}expected/fail-on-enum-with-no-values.json-error
2771         * inspector/scripts/tests{/ => /generic/}expected/fail-on-number-typed-optional-parameter-flag.json-error
2772         * inspector/scripts/tests{/ => /generic/}expected/fail-on-number-typed-optional-type-member.json-error
2773         * inspector/scripts/tests{/ => /generic/}expected/fail-on-string-typed-optional-parameter-flag.json-error
2774         * inspector/scripts/tests{/ => /generic/}expected/fail-on-string-typed-optional-type-member.json-error
2775         * inspector/scripts/tests{/ => /generic/}expected/fail-on-type-declaration-using-type-reference.json-error
2776         * inspector/scripts/tests{/ => /generic/}expected/fail-on-type-reference-as-primitive-type.json-error
2777         * inspector/scripts/tests{/ => /generic/}expected/fail-on-type-with-lowercase-name.json-error
2778         * inspector/scripts/tests{/ => /generic/}expected/fail-on-unknown-type-reference-in-type-declaration.json-error
2779         * inspector/scripts/tests{/ => /generic/}expected/fail-on-unknown-type-reference-in-type-member.json-error
2780         * inspector/scripts/tests{/ => /generic/}expected/generate-domains-with-feature-guards.json-result
2781         * inspector/scripts/tests{/ => /generic/}expected/same-type-id-different-domain.json-result
2782         * inspector/scripts/tests{/ => /generic/}expected/shadowed-optional-type-setters.json-result
2783         * inspector/scripts/tests{/ => /generic/}expected/type-declaration-aliased-primitive-type.json-result
2784         * inspector/scripts/tests{/ => /generic/}expected/type-declaration-array-type.json-result
2785         * inspector/scripts/tests{/ => /generic/}expected/type-declaration-enum-type.json-result
2786         * inspector/scripts/tests{/ => /generic/}expected/type-declaration-object-type.json-result
2787         * inspector/scripts/tests{/ => /generic/}expected/type-requiring-runtime-casts.json-result
2788         * inspector/scripts/tests{/ => /generic/}fail-on-domain-availability.json
2789         * inspector/scripts/tests{/ => /generic/}fail-on-duplicate-command-call-parameter-names.json
2790         * inspector/scripts/tests{/ => /generic/}fail-on-duplicate-command-return-parameter-names.json
2791         * inspector/scripts/tests{/ => /generic/}fail-on-duplicate-event-parameter-names.json
2792         * inspector/scripts/tests{/ => /generic/}fail-on-duplicate-type-declarations.json
2793         * inspector/scripts/tests{/ => /generic/}fail-on-duplicate-type-member-names.json
2794         * inspector/scripts/tests{/ => /generic/}fail-on-enum-with-no-values.json
2795         * inspector/scripts/tests{/ => /generic/}fail-on-number-typed-optional-parameter-flag.json
2796         * inspector/scripts/tests{/ => /generic/}fail-on-number-typed-optional-type-member.json
2797         * inspector/scripts/tests{/ => /generic/}fail-on-string-typed-optional-parameter-flag.json
2798         * inspector/scripts/tests{/ => /generic/}fail-on-string-typed-optional-type-member.json
2799         * inspector/scripts/tests{/ => /generic/}fail-on-type-declaration-using-type-reference.json
2800         * inspector/scripts/tests{/ => /generic/}fail-on-type-reference-as-primitive-type.json
2801         * inspector/scripts/tests{/ => /generic/}fail-on-type-with-lowercase-name.json
2802         * inspector/scripts/tests{/ => /generic/}fail-on-unknown-type-reference-in-type-declaration.json
2803         * inspector/scripts/tests{/ => /generic/}fail-on-unknown-type-reference-in-type-member.json
2804         * inspector/scripts/tests{/ => /generic/}generate-domains-with-feature-guards.json
2805         * inspector/scripts/tests{/ => /generic/}same-type-id-different-domain.json
2806         * inspector/scripts/tests{/ => /generic/}shadowed-optional-type-setters.json
2807         * inspector/scripts/tests{/ => /generic/}type-declaration-aliased-primitive-type.json
2808         * inspector/scripts/tests{/ => /generic/}type-declaration-array-type.json
2809         * inspector/scripts/tests{/ => /generic/}type-declaration-enum-type.json
2810         * inspector/scripts/tests{/ => /generic/}type-declaration-object-type.json
2811         * inspector/scripts/tests{/ => /generic/}type-requiring-runtime-casts.json
2812
2813 2017-01-03  Brian Burg  <bburg@apple.com>
2814
2815         Web Inspector: teach the protocol generator about platform-specific types, events, and commands
2816         https://bugs.webkit.org/show_bug.cgi?id=166003
2817         <rdar://problem/28718990>
2818
2819         Reviewed by Joseph Pecoraro.
2820
2821         Add a --platform argument to generate-inspector-protocol-bindings.py and propagate
2822         the specified platform to each generator. This will be used in the next few patches
2823         to exclude types, events, and commands that are unsupported by the backend platform.
2824
2825         Convert all subclasses of Generator to pass along their positional arguments so that we
2826         can easily change base class arguments without editing all generator constructors.
2827
2828         * inspector/scripts/codegen/cpp_generator.py:
2829         (CppGenerator.__init__):
2830         * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
2831         (CppAlternateBackendDispatcherHeaderGenerator.__init__):
2832         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
2833         (CppBackendDispatcherHeaderGenerator.__init__):
2834         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2835         (CppBackendDispatcherImplementationGenerator.__init__):
2836         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
2837         (CppFrontendDispatcherHeaderGenerator.__init__):
2838         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2839         (CppFrontendDispatcherImplementationGenerator.__init__):
2840         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2841         (CppProtocolTypesHeaderGenerator.__init__):
2842         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2843         (CppProtocolTypesImplementationGenerator.__init__):
2844         * inspector/scripts/codegen/generate_js_backend_commands.py:
2845         (JSBackendCommandsGenerator.__init__):
2846         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
2847         (ObjCBackendDispatcherHeaderGenerator.__init__):
2848         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
2849         (ObjCConfigurationImplementationGenerator.__init__):
2850         * inspector/scripts/codegen/generate_objc_configuration_header.py:
2851         (ObjCConfigurationHeaderGenerator.__init__):
2852         * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
2853         (ObjCBackendDispatcherImplementationGenerator.__init__):
2854         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
2855         (ObjCFrontendDispatcherImplementationGenerator.__init__):
2856         * inspector/scripts/codegen/generate_objc_header.py:
2857         (ObjCHeaderGenerator.__init__):
2858         * inspector/scripts/codegen/generate_objc_internal_header.py:
2859         (ObjCInternalHeaderGenerator.__init__):
2860         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
2861         (ObjCProtocolTypeConversionsHeaderGenerator.__init__):
2862         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_implementation.py:
2863         (ObjCProtocolTypeConversionsImplementationGenerator.__init__):
2864         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
2865         (ObjCProtocolTypesImplementationGenerator.__init__):
2866         Pass along *args instead of single positional arguments.
2867
2868         * inspector/scripts/codegen/generator.py:
2869         (Generator.__init__):
2870         Save the target platform and add a getter.
2871
2872         * inspector/scripts/codegen/models.py:
2873         (Platform):
2874         (Platform.__init__):
2875         (Platform.fromString):
2876         (Platforms):
2877         Define the allowed Platform instances (iOS, macOS, and Any).
2878
2879         * inspector/scripts/codegen/objc_generator.py:
2880         (ObjCGenerator.and.__init__):
2881         * inspector/scripts/generate-inspector-protocol-bindings.py:
2882         (generate_from_specification):
2883         Pass along *args instead of single positional arguments.
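
        A minimal model of the platform filtering that the three entries above describe: Platform instances with a 'generic' default for definitions that carry no 'platform' property, Domain fields hidden behind all_* accessors, and Generator.*_for_domain methods that consult can_generate_platform. This is an added example, not WebKit's generator code; the catch-all target name 'all', the 'mac' alias and the sample specification are assumptions.

```python
import json
from collections import namedtuple

class ParseException(Exception):
    """Raised for a definition whose 'platform' value is not an allowed platform."""

Platform = namedtuple("Platform", "name")
Definition = namedtuple("Definition", "name platform")  # a type, command or event

class Platforms:
    Generic = Platform("generic")  # assumed for definitions without a 'platform' property
    iOS = Platform("ios")
    macOS = Platform("macos")
    All = Platform("all")  # assumption: the catch-all target ('Any' in the ChangeLog)
    # Assumption: 'mac' is accepted as an alias, matching the 'mac' test directory.
    _by_name = {"generic": Generic, "ios": iOS, "macos": macOS, "mac": macOS, "all": All}

    @staticmethod
    def fromString(name):
        platform = Platforms._by_name.get(name.lower())
        if platform is None:
            raise ParseException("Unknown platform: %s" % name)
        return platform

class Domain:
    def __init__(self, name, type_declarations, commands, events):
        self.name = name
        self._type_declarations = type_declarations
        self._commands = commands
        self._events = events

    # The all_* accessors make it obvious at the call site that platform filtering
    # is bypassed; generators go through Generator.*_for_domain instead.
    def all_type_declarations(self):
        return list(self._type_declarations)
    def all_commands(self):
        return list(self._commands)
    def all_events(self):
        return list(self._events)

def _parse_definition(json_obj):
    # Types are keyed by 'id', commands and events by 'name'.
    name = json_obj.get("id", json_obj.get("name"))
    return Definition(name, Platforms.fromString(json_obj.get("platform", "generic")))

def parse_protocol(spec_text):
    """Parse a JSON list of domains into Domain models, rejecting unknown platforms."""
    domains = []
    for domain_json in json.loads(spec_text):
        domains.append(Domain(
            domain_json["domain"],
            [_parse_definition(t) for t in domain_json.get("types", [])],
            [_parse_definition(c) for c in domain_json.get("commands", [])],
            [_parse_definition(e) for e in domain_json.get("events", [])]))
    return domains

class Generator:
    def __init__(self, domains, platform):
        self.domains = domains
        self._platform = platform

    def can_generate_platform(self, definition_platform):
        # 'all' accepts everything; otherwise a definition must be generic or
        # tagged with exactly the target platform.
        if self._platform is Platforms.All:
            return True
        return definition_platform is Platforms.Generic or definition_platform is self._platform

    def type_declarations_for_domain(self, domain):
        return [t for t in domain.all_type_declarations() if self.can_generate_platform(t.platform)]
    def commands_for_domain(self, domain):
        return [c for c in domain.all_commands() if self.can_generate_platform(c.platform)]
    def events_for_domain(self, domain):
        return [e for e in domain.all_events() if self.can_generate_platform(e.platform)]

def generated_names(spec_text, target_platform_name):
    """Names of the definitions a generator for the target platform would emit, per domain."""
    generator = Generator(parse_protocol(spec_text), Platforms.fromString(target_platform_name))
    return {domain.name: {
        "types": [d.name for d in generator.type_declarations_for_domain(domain)],
        "commands": [d.name for d in generator.commands_for_domain(domain)],
        "events": [d.name for d in generator.events_for_domain(domain)],
    } for domain in generator.domains}

def rejects_platform(spec_text):
    """True if the specification is refused because of an invalid 'platform' value."""
    try:
        parse_protocol(spec_text)
    except ParseException:
        return True
    return False

# Constructed sample specification (not a real WebKit protocol file).
SAMPLE_SPEC = """[{"domain": "Sample",
  "types": [{"id": "Timestamp", "type": "number"},
            {"id": "MacOnlyInfo", "type": "object", "platform": "macos"}],
  "commands": [{"name": "enable"}, {"name": "showMacPanel", "platform": "macos"},
               {"name": "attachToApp", "platform": "ios"}],
  "events": [{"name": "detached"}, {"name": "macPanelShown", "platform": "macos"}]}]"""
```

Running generated_names over SAMPLE_SPEC for 'generic', 'ios', 'mac' and 'all' reproduces the 4-way test described above: only 'mac' and 'all' emit the macos definitions.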
2884
2885 2017-01-04  JF Bastien  <jfbastien@apple.com>
2886
2887         WebAssembly JS API: add Module.sections
2888         https://bugs.webkit.org/show_bug.cgi?id=165159
2889         <rdar://problem/29760326>
2890
2891         Reviewed by Mark Lam.
2892
2893         As described in: https://github.com/WebAssembly/design/blob/master/JS.md#webassemblymodulecustomsections
2894
2895         This was added for Emscripten, and is likely to be used soon.
2896
2897         * wasm/WasmFormat.h: custom sections are just name + bytes
2898         * wasm/WasmModuleParser.cpp: parse them instead of skipping over them
2899         * wasm/WasmModuleParser.h:
2900         * wasm/js/WebAssemblyModulePrototype.cpp: construct the Array of
2901         ArrayBuffer as described in the spec
2902         (JSC::webAssemblyModuleProtoCustomSections):
2903
2904 2017-01-04  Saam Barati  <sbarati@apple.com>
2905
2906         We don't properly handle exceptions inside the nativeCallTrampoline macro in the LLInt
2907         https://bugs.webkit.org/show_bug.cgi?id=163720
2908
2909         Reviewed by Mark Lam.
2910
2911         In the LLInt, we were incorrectly doing the exception check after the call.
2912         Before the exception check, we were unwinding to our caller's
2913         frame under the assumption that our caller was always a JS frame.
2914         This is incorrect, however, because our caller might be a C frame.
2915         One way that it can be a C frame is when C calls to JS, and JS tail
2916         calls to native. This patch fixes this bug by doing unwinding from
2917         the native callee's frame instead of its callers.
2918
2919         * llint/LowLevelInterpreter32_64.asm:
2920         * llint/LowLevelInterpreter64.asm:
2921
2922 2017-01-03  JF Bastien  <jfbastien@apple.com>
2923
2924         REGRESSION (r210244): Release JSC Stress test failure: wasm.yaml/wasm/js-api/wasm-to-wasm.js.default-wasm
2925         https://bugs.webkit.org/show_bug.cgi?id=166669
2926         <rdar://problem/29856455>
2927
2928         Reviewed by Saam Barati.
2929
2930         Bug #165282 added wasm -> wasm calls, but caused crashes in
2931         release builds because the pinned registers are also callee-saved
2932         and were being clobbered. B3 didn't see itself clobbering them
2933         when no memory was used, and therefore omitted a restore.
2934
2935         This was causing the C++ code in callWebAssemblyFunction to crash
2936         because $r12 was 0, and it expected it to have its value prior to
2937         the call.
2938
2939         * wasm/WasmB3IRGenerator.cpp:
2940         (JSC::Wasm::createJSToWasmWrapper):
2941
2942 2017-01-03  Joseph Pecoraro  <pecoraro@apple.com>
2943
2944         Web Inspector: Address failures under LayoutTests/inspector/debugger/stepping
2945         https://bugs.webkit.org/show_bug.cgi?id=166300
2946
2947         Reviewed by Brian Burg.
2948
2949         * debugger/Debugger.cpp:
2950         (JSC::Debugger::continueProgram):
2951         When continuing, clear states that would have had us pause again.
2952
2953         * inspector/agents/InspectorDebuggerAgent.cpp:
2954         (Inspector::InspectorDebuggerAgent::didBecomeIdle):
2955         When resuming after becoming idle, be sure to clear Debugger state.
2956
2957 2017-01-03  JF Bastien  <jfbastien@apple.com>
2958
2959         WebAssembly JS API: check and test in-call / out-call values
2960         https://bugs.webkit.org/show_bug.cgi?id=164876
2961         <rdar://problem/29844107>
2962
2963         Reviewed by Saam Barati.
2964
2965         * wasm/WasmBinding.cpp:
2966         (JSC::Wasm::wasmToJs): fix the wasm -> JS call coercions for f32 /
f64 which the associated tests inadvertently tripped on: the
2968         previous code wasn't correctly performing JSValue boxing for
2969         "double" values. This change is slightly involved because it
2970         requires two scratch registers to materialize the
2971         `DoubleEncodeOffset` value. This change therefore reorganizes the
2972         code to first generate traps, then handle all integers (freeing
2973         all GPRs), and then all the floating-point values.
2974         * wasm/js/WebAssemblyFunction.cpp:
2975         (JSC::callWebAssemblyFunction): Implement the defined semantics
2976         for mismatched arities when JS calls wasm:
2977         https://github.com/WebAssembly/design/blob/master/JS.md#exported-function-exotic-objects
2978           - i32 is 0, f32 / f64 are NaN.
2979           - wasm functions which return "void" are "undefined" in JS.
2980
2981 2017-01-03  Per Arne Vollan  <pvollan@apple.com>
2982
2983         [Win] jsc.exe sometimes never exits.
2984         https://bugs.webkit.org/show_bug.cgi?id=158073
2985
2986         Reviewed by Darin Adler.
2987
2988         On Windows the thread specific destructor is also called when the main thread is exiting.
2989         This may lead to the main thread waiting forever for the machine thread lock when exiting,
2990         if the sampling profiler thread was terminated by the system while holding the machine
2991         thread lock.
2992
2993         * heap/MachineStackMarker.cpp:
2994         (JSC::MachineThreads::removeThread):
2995
2996 2017-01-02  Julien Brianceau  <jbriance@cisco.com>
2997
2998         Remove sh4 specific code from JavaScriptCore
2999         https://bugs.webkit.org/show_bug.cgi?id=166640
3000
3001         Reviewed by Filip Pizlo.
3002
sh4-specific code has not compiled for a while (r189884 at least).
3004         As nobody seems to have interest in this architecture anymore, let's
3005         remove this dead code and thus ease the burden for JSC maintainers.
3006
3007         * CMakeLists.txt:
3008         * JavaScriptCore.xcodeproj/project.pbxproj:
3009         * assembler/AbstractMacroAssembler.h:
3010         (JSC::AbstractMacroAssembler::Jump::Jump):
3011         (JSC::AbstractMacroAssembler::Jump::link):
3012         * assembler/MacroAssembler.h:
3013         * assembler/MacroAssemblerSH4.h: Removed.
3014         * assembler/MaxFrameExtentForSlowPathCall.h:
3015         * assembler/SH4Assembler.h: Removed.
3016         * bytecode/DOMJITAccessCasePatchpointParams.cpp:
3017         (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
3018         * dfg/DFGSpeculativeJIT.h:
3019         (JSC::DFG::SpeculativeJIT::callOperation):
3020         * jit/AssemblyHelpers.h:
3021         (JSC::AssemblyHelpers::debugCall):
3022         * jit/CCallHelpers.h:
3023         (JSC::CCallHelpers::setupArgumentsWithExecState):
3024         (JSC::CCallHelpers::prepareForTailCallSlow):
3025         * jit/CallFrameShuffler.cpp:
3026         (JSC::CallFrameShuffler::prepareForTailCall):
3027         * jit/ExecutableAllocator.h:
3028         * jit/FPRInfo.h:
3029         * jit/GPRInfo.h:
3030         * jit/JITInlines.h:
3031         (JSC::JIT::callOperation):
3032         * jit/JITOpcodes32_64.cpp:
3033         (JSC::JIT::privateCompileCTINativeCall):
3034         * jit/JITOperations.cpp:
3035         * jit/RegisterSet.cpp:
3036         (JSC::RegisterSet::llintBaselineCalleeSaveRegisters):
3037         (JSC::RegisterSet::dfgCalleeSaveRegisters):
3038         * jit/ThunkGenerators.cpp:
3039         (JSC::nativeForGenerator):
3040         * llint/LLIntData.cpp:
3041         (JSC::LLInt::Data::performAssertions):
3042         * llint/LLIntOfflineAsmConfig.h:
3043         * llint/LowLevelInterpreter.asm:
3044         * llint/LowLevelInterpreter32_64.asm:
3045         * offlineasm/backends.rb:
3046         * offlineasm/instructions.rb:
3047         * offlineasm/sh4.rb: Removed.
3048         * yarr/YarrJIT.cpp:
3049         (JSC::Yarr::YarrGenerator::generateEnter):
3050         (JSC::Yarr::YarrGenerator::generateReturn):
3051
3052 2017-01-02  JF Bastien  <jfbastien@apple.com>
3053
3054         WebAssembly: handle and optimize wasm export → wasm import calls
3055         https://bugs.webkit.org/show_bug.cgi?id=165282
3056
3057         Reviewed by Saam Barati.
3058
3059           - Add a new JSType for WebAssemblyFunction, and use it when creating its
structure. This is used to quickly detect from wasm whether the import
3061             call is to another wasm module, or whether it's to JS.
3062           - Generate two stubs from the import stub generator: one for wasm->JS and one
3063             for wasm -> wasm. This is done at Module time. Which is called will only be
3064             known at Instance time, once we've received the import object. We want to
3065             avoid codegen at Instance time, so having both around is great.
3066           - Restore the WebAssembly global state (VM top Instance, and pinned registers)
3067             after call / call_indirect, and in the JS->wasm entry stub.
3068           - Pinned registers are now a global thing, not per-Memory, because the wasm ->
3069             wasm stubs are generated at Module time where we don't really have enough
3070             information to do the right thing (doing so would generate too much code).
3071
3072         * CMakeLists.txt:
3073         * JavaScriptCore.xcodeproj/project.pbxproj:
3074         * runtime/JSType.h: add WebAssemblyFunctionType as a JSType
3075         * wasm/WasmB3IRGenerator.cpp: significantly rework how calls which
3076         could be external work, and how we save / restore global state:
3077         VM's top Instance, and pinned registers
3078         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3079         (JSC::Wasm::getMemoryBaseAndSize):
3080         (JSC::Wasm::restoreWebAssemblyGlobalState):
3081         (JSC::Wasm::createJSToWasmWrapper):
3082         (JSC::Wasm::parseAndCompile):
3083         * wasm/WasmB3IRGenerator.h:
3084         * wasm/WasmBinding.cpp:
3085         (JSC::Wasm::materializeImportJSCell):
3086         (JSC::Wasm::wasmToJS):
3087         (JSC::Wasm::wasmToWasm): the main goal of this patch was adding this function
3088         (JSC::Wasm::exitStubGenerator):
3089         * wasm/WasmBinding.h:
3090         * wasm/WasmFormat.h: Get rid of much of the function index space:
3091         we already have all of its information elsewhere, and as-is it
3092         provides no extra efficiency.
3093         (JSC::Wasm::ModuleInformation::functionIndexSpaceSize):
3094         (JSC::Wasm::ModuleInformation::isImportedFunctionFromFunctionIndexSpace):
3095         (JSC::Wasm::ModuleInformation::signatureIndexFromFunctionIndexSpace):
3096         * wasm/WasmFunctionParser.h:
3097         (JSC::Wasm::FunctionParser<Context>::FunctionParser):
3098         * wasm/WasmMemory.cpp: Add some logging.
3099         (JSC::Wasm::Memory::dump): this was nice when debugging
3100         (JSC::Wasm::Memory::makeString):
3101         (JSC::Wasm::Memory::Memory):
3102         (JSC::Wasm::Memory::~Memory):
3103         (JSC::Wasm::Memory::grow):
3104         * wasm/WasmMemory.h: don't use extra indirection, it wasn't
3105         needed. Reorder some of the fields which are looked up at runtime
3106         so they're more cache-friendly.
3107         (JSC::Wasm::Memory::Memory):
3108         (JSC::Wasm::Memory::mode):
3109         (JSC::Wasm::Memory::offsetOfSize):
3110         * wasm/WasmMemoryInformation.cpp: Pinned registers are now a
3111         global thing for all of JSC, not a per-Memory thing
3112         anymore. wasm->wasm calls are more complex otherwise: they have to
3113         figure out how to bridge between the caller and callee's
3114         special-snowflake pinning.
3115         (JSC::Wasm::PinnedRegisterInfo::get):
3116         (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
3117         (JSC::Wasm::MemoryInformation::MemoryInformation):
3118         * wasm/WasmMemoryInformation.h:
3119         * wasm/WasmModuleParser.cpp:
3120         * wasm/WasmModuleParser.h:
3121         * wasm/WasmPageCount.cpp: Copied from Source/JavaScriptCore/wasm/WasmBinding.h.
3122         (JSC::Wasm::PageCount::dump): nice for debugging
3123         * wasm/WasmPageCount.h:
3124         * wasm/WasmPlan.cpp:
3125         (JSC::Wasm::Plan::parseAndValidateModule):
3126         (JSC::Wasm::Plan::run):
3127         * wasm/WasmPlan.h:
3128         (JSC::Wasm::Plan::takeWasmExitStubs):
3129         * wasm/WasmSignature.cpp:
3130         (JSC::Wasm::Signature::toString):
3131         (JSC::Wasm::Signature::dump):
3132         * wasm/WasmSignature.h:
3133         * wasm/WasmValidate.cpp:
3134         (JSC::Wasm::validateFunction):
3135         * wasm/WasmValidate.h:
3136         * wasm/js/JSWebAssemblyInstance.h:
3137         (JSC::JSWebAssemblyInstance::offsetOfTable):
3138         (JSC::JSWebAssemblyInstance::offsetOfImportFunctions):
3139         (JSC::JSWebAssemblyInstance::offsetOfImportFunction):
3140         * wasm/js/JSWebAssemblyMemory.cpp:
3141         (JSC::JSWebAssemblyMemory::create):
3142         (JSC::JSWebAssemblyMemory::JSWebAssemblyMemory):
3143         (JSC::JSWebAssemblyMemory::buffer):
3144         (JSC::JSWebAssemblyMemory::grow):
3145         * wasm/js/JSWebAssemblyMemory.h:
3146         (JSC::JSWebAssemblyMemory::memory):
3147         (JSC::JSWebAssemblyMemory::offsetOfMemory):
3148         (JSC::JSWebAssemblyMemory::offsetOfSize):
3149         * wasm/js/JSWebAssemblyModule.cpp:
3150         (JSC::JSWebAssemblyModule::create):
3151         (JSC::JSWebAssemblyModule::JSWebAssemblyModule):
3152         * wasm/js/JSWebAssemblyModule.h:
3153         (JSC::JSWebAssemblyModule::signatureIndexFromFunctionIndexSpace):
3154         (JSC::JSWebAssemblyModule::functionImportCount):
3155         * wasm/js/WebAssemblyFunction.cpp:
3156         (JSC::callWebAssemblyFunction):
3157         (JSC::WebAssemblyFunction::create):
3158         (JSC::WebAssemblyFunction::createStructure):
3159         (JSC::WebAssemblyFunction::WebAssemblyFunction):
3160         (JSC::WebAssemblyFunction::finishCreation):
3161         * wasm/js/WebAssemblyFunction.h:
3162         (JSC::WebAssemblyFunction::wasmEntrypoint):
3163         (JSC::WebAssemblyFunction::offsetOfInstance):
3164         (JSC::WebAssemblyFunction::offsetOfWasmEntryPointCode):
3165         * wasm/js/WebAssemblyInstanceConstructor.cpp:
3166         (JSC::constructJSWebAssemblyInstance): always start with a dummy
3167         memory, so wasm->wasm calls don't need to null-check
3168         * wasm/js/WebAssemblyMemoryConstructor.cpp:
3169         (JSC::constructJSWebAssemblyMemory):
3170         * wasm/js/WebAssemblyModuleConstructor.cpp:
3171         (JSC::WebAssemblyModuleConstructor::createModule):
3172         * wasm/js/WebAssemblyModuleRecord.cpp:
3173         (JSC::WebAssemblyModuleRecord::link):
3174         (JSC::WebAssemblyModuleRecord::evaluate):
3175         * wasm/js/WebAssemblyModuleRecord.h:
3176
3177 2017-01-02  Saam Barati  <sbarati@apple.com>
3178
3179         WebAssembly: Some loads don't take into account the offset
3180         https://bugs.webkit.org/show_bug.cgi?id=166616
3181         <rdar://problem/29841541>
3182
3183         Reviewed by Keith Miller.
3184
3185         * wasm/WasmB3IRGenerator.cpp:
3186         (JSC::Wasm::B3IRGenerator::emitLoadOp):
3187
3188 2017-01-01  Jeff Miller  <jeffm@apple.com>
3189
3190         Update user-visible copyright strings to include 2017
3191         https://bugs.webkit.org/show_bug.cgi?id=166278
3192
3193         Reviewed by Dan Bernstein.
3194
3195         * Info.plist:
3196
3197 2016-12-28  Saam Barati  <sbarati@apple.com>
3198
3199         WebAssembly: Don't allow duplicate export names
3200         https://bugs.webkit.org/show_bug.cgi?id=166490
3201         <rdar://problem/29815000>
3202
3203         Reviewed by Keith Miller.
3204
3205         * wasm/WasmModuleParser.cpp:
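
The following is an added example, not WebKit or JavaScriptCore code, that exercises three of the behaviours described in the entries above from the JS side: the Array-of-ArrayBuffer result of WebAssembly.Module.customSections (the Module.sections entry), the mismatched-arity coercions and wasm -> JS double passing (the in-call / out-call values entry), and the rejection of duplicate export names (the entry just above). It hand-assembles a small module from bytes so that it runs offline; the import name env.log, the export names i/f/d/v/c, the custom-section name "meta" and the payloads "first"/"second" are arbitrary choices for the example. The manual custom-section walker is included so that the section layout (name + bytes) can be checked independently of the engine.

```javascript
// Added example (not WebKit code): hand-assembles a small wasm module and exercises
// Module.customSections, JS->wasm coercion of missing arguments, an f64 passed
// wasm->JS through an import, and rejection of duplicate export names.
// "env"/"log", the export names and the custom-section name "meta" are arbitrary.
const enc = new TextEncoder();
const dec = new TextDecoder();

// Unsigned LEB128: every length, count and index in the binary format uses it.
function uleb(n) {
  const out = [];
  do { let b = n & 0x7f; n >>>= 7; if (n) b |= 0x80; out.push(b); } while (n);
  return out;
}
function readUleb(bytes, pos) {
  let result = 0, shift = 0, b;
  do { b = bytes[pos++]; result |= (b & 0x7f) << shift; shift += 7; } while (b & 0x80);
  return [result >>> 0, pos];
}
const vec = (items) => [...uleb(items.length), ...items.flat()];
const name = (s) => [...uleb(s.length), ...enc.encode(s)];           // ASCII names only
const section = (id, body) => [id, ...uleb(body.length), ...body];
const body = (code) => [...uleb(code.length), ...code];               // code entry = size + func
const f64const = (x) => [0x44, ...new Uint8Array(new Float64Array([x]).buffer)]; // little-endian
const I32 = 0x7f, F32 = 0x7d, F64 = 0x7c;
const funcType = (params, results) => [0x60, ...vec(params.map((t) => [t])), ...vec(results.map((t) => [t]))];
const exportFunc = (n, idx) => [...name(n), 0x00, idx];

function buildModule({ duplicateExport = false } = {}) {
  const identity = body([0x00, 0x20, 0x00, 0x0b]);        // no locals; local.get 0; end
  return new Uint8Array([
    0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,        // "\0asm", version 1
    ...section(1, vec([funcType([I32], [I32]), funcType([F32], [F32]), funcType([F64], [F64]),
                       funcType([], []), funcType([F64], [])])),
    ...section(2, vec([[...name("env"), ...name("log"), 0x00, 4]])), // import func 0: env.log (f64)->()
    ...section(3, vec([[0], [1], [2], [3], [3]])),          // defined funcs 1..5 and their type indices
    ...section(7, vec([exportFunc("i", 1), exportFunc(duplicateExport ? "i" : "f", 2),
                       exportFunc("d", 3), exportFunc("v", 4), exportFunc("c", 5)])),
    ...section(10, vec([identity, identity, identity, body([0x00, 0x0b]),
                        body([0x00, ...f64const(1.5), 0x10, 0x00, 0x0b])])), // f64.const 1.5; call 0; end
    ...section(0, [...name("meta"), ...enc.encode("first")]), // two custom sections with one name
    ...section(0, [...name("meta"), ...enc.encode("second")]),
  ]);
}

// Walks the section list and returns every custom section named `wanted`, the same
// array-of-payloads shape that WebAssembly.Module.customSections returns.
function customSections(bytes, wanted) {
  const found = [];
  let pos = 8;                                              // skip magic + version
  while (pos < bytes.length) {
    const id = bytes[pos++];
    const [size, start] = readUleb(bytes, pos);
    const end = start + size;
    if (end > bytes.length) throw new RangeError("section runs past end of module");
    if (id === 0) {
      const [nameLen, nameStart] = readUleb(bytes, start);
      const payloadStart = nameStart + nameLen;
      if (payloadStart > end) throw new RangeError("custom section name runs past section end");
      if (dec.decode(bytes.subarray(nameStart, payloadStart)) === wanted) found.push(bytes.slice(payloadStart, end));
    }
    pos = end;
  }
  return found;
}

function exercise() {
  const bytes = buildModule();
  const manual = customSections(bytes, "meta").map((p) => dec.decode(p));
  if (typeof WebAssembly === "undefined") return { manual };   // engine without wasm: walker only
  const mod = new WebAssembly.Module(bytes);
  const viaApi = WebAssembly.Module.customSections(mod, "meta").map((buf) => dec.decode(new Uint8Array(buf)));
  const received = [];
  const { exports } = new WebAssembly.Instance(mod, { env: { log: (x) => { received.push(x); } } });
  exports.c();                                              // wasm -> JS call carrying an f64
  let duplicateRejected = false;
  try { new WebAssembly.Module(buildModule({ duplicateExport: true })); }
  catch (e) { duplicateRejected = e instanceof WebAssembly.CompileError; }
  return {
    manual, viaApi, received, duplicateRejected,
    // JS -> wasm with no arguments: i32 gets 0, f32/f64 get NaN, a void function yields undefined
    missingArgs: { i: exports.i(), f: exports.f(), d: exports.d(), v: exports.v() },
  };
}
```

Running exercise() in an engine with WebAssembly returns the two "meta" payloads from both the walker and the API, received equal to [1.5], missingArgs with i 0, f and d NaN and v undefined, and duplicateRejected true; the walker's bounds checks are there because a custom section declaring a size beyond the end of the buffer is exactly the kind of input a parser that no longer skips these sections must reject.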
3206
3207 2016-12-28  Saam Barati  <sbarati@apple.com>
3208
3209         Unreviewed. Fix jsc.cpp build error.
3210
3211         * jsc.cpp:
3212         (functionTestWasmModuleFunctions):
3213
3214 2016-12-28  Saam Barati  <sbarati@apple.com>
3215
3216         WebAssembly: Implement grow_memory and current_memory
3217         https://bugs.webkit.org/show_bug.cgi?id=166448
3218         <rdar://problem/29803676>
3219
3220         Reviewed by Keith Miller.
3221
3222         This patch implements grow_memory, current_memory, and WebAssembly.prototype.grow.
3223         See relevant spec texts here:
3224         
3225         https://github.com/WebAssembly/design/blob/master/Semantics.md#linear-memory-accesses
3226         https://github.com/WebAssembly/design/blob/master/JS.md#webassemblymemoryprototypegrow
3227         
I also fix a couple of miscellaneous bugs:
3229         
3230         1. Data section now understands full init_exprs. 
3231         2. parseVarUint1 no longer has a bug where we allow values larger than 1 if
3232         their bottom 8 bits are zero.
3233         
3234         Since the JS API can now grow memory, we need to make calling an import
3235         and call_indirect refresh the base memory register and the size registers.
3236
3237         * jsc.cpp:
3238         (functionTestWasmModuleFunctions):
3239         * runtime/Options.h:
3240         * runtime/VM.h:
3241         * wasm/WasmB3IRGenerator.cpp:
3242         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3243         (JSC::Wasm::reloadPinnedRegisters):
3244         (JSC::Wasm::B3IRGenerator::emitReloadPinnedRegisters):
3245         (JSC::Wasm::createJSToWasmWrapper):
3246         (JSC::Wasm::parseAndCompile):
3247         * wasm/WasmFormat.cpp:
3248         (JSC::Wasm::Segment::create):
3249         * wasm/WasmFormat.h:
3250         (JSC::Wasm::I32InitExpr::I32InitExpr):
3251         (JSC::Wasm::I32InitExpr::globalImport):