CachedCall should let GC know to keep its arguments alive.

[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2017-02-19  Mark Lam  <mark.lam@apple.com>

        CachedCall should let GC know to keep its arguments alive.
        https://bugs.webkit.org/show_bug.cgi?id=168567
        <rdar://problem/30475767>

        Reviewed by Saam Barati.

        We fix this by having CachedCall use a MarkedArgumentBuffer to store its
        arguments instead of a Vector.

        Also declared CachedCall, MarkedArgumentBuffer, and ProtoCallFrame as
        WTF_FORBID_HEAP_ALLOCATION because they rely on being stack allocated for
        correctness.

        * interpreter/CachedCall.h:
        (JSC::CachedCall::CachedCall):
        (JSC::CachedCall::call):
        (JSC::CachedCall::clearArguments):
        (JSC::CachedCall::appendArgument):
        (JSC::CachedCall::setArgument): Deleted.
        * interpreter/CallFrame.h:
        (JSC::ExecState::emptyList):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::prepareForRepeatCall):
        * interpreter/Interpreter.h:
        * interpreter/ProtoCallFrame.h:
        * runtime/ArgList.cpp:
        (JSC::MarkedArgumentBuffer::expandCapacity):
        * runtime/ArgList.h:
        (JSC::MarkedArgumentBuffer::ensureCapacity):
        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingRegExpSearch):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2017-02-19  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r212466.
        https://bugs.webkit.org/show_bug.cgi?id=168577

        causes crashes on AArch64 on linux, maybe it's causing crashes
        on iOS too (Requested by pizlo on #webkit).

        Reverted changeset:

        "The collector thread should only start when the mutator
        doesn't have heap access"
        https://bugs.webkit.org/show_bug.cgi?id=167737
        http://trac.webkit.org/changeset/212466

2017-02-17  Michael Saboff  <msaboff@apple.com>

        Improve ARM64 disassembler handling of pseudo ops, unsupported opcodes and zero reg
        https://bugs.webkit.org/show_bug.cgi?id=168527

        Reviewed by Filip Pizlo.

        Added support for data processing 1 source instructions like rbit, rev, clz and cls.
        Added support for the FP conditional select instruction, fcsel.  Consolidated the
        two classes for handling dmb instructions into one class.  Fixed the instruction
        selection mask in the integer conditional select class, A64DOpcodeConditionalSelect.
        Fixed the processing of extract instruction (extr) including the rotate right (ror)
        pseudo instruction.  Changed the printing of x31 and w31 to xzr and wzr as operands
        according to the spec.  Added support for common pseudo instructions.  This includes:
        - mvn x1, X2 in place of orn x1, xzr, x2
        - lsl x3, x4, #count in place of ubfiz x3, x4, #count, #count
        - smull x5, w6, w7 in place of smaddl x5, w6, w7, XZR
        - More understandable mov x8, #-304 in place of movn x8, #0x12f
        - Eliminated xzr from register index loads and stores, outputing
          ldr x10, [x11] instead of ldr x10, [x11, xzr]

        Changed the move wide instructions to use hex literals for movz and movk.
        This makes it much easier to decifer sequences of wide moves for large literals.
                Before                       After
          movz   x17, #26136           movz   x17, #0x6618
          movk   x17, #672, lsl #16    movk   x17, #0x2a0, lsl #16
          movk   x17, #1, lsl #32      movk   x17, #0x1, lsl #32

        Verified that all instructions currently generated by the JSC stress tests are
        disassembled.

        * disassembler/ARM64/A64DOpcode.cpp:
        (JSC::ARM64Disassembler::A64DOpcodeBitfield::format):
        (JSC::ARM64Disassembler::A64DOpcodeDataProcessing1Source::format):
        (JSC::ARM64Disassembler::A64DOpcodeDataProcessing2Source::format):
        (JSC::ARM64Disassembler::A64DOpcodeDataProcessing3Source::format):
        (JSC::ARM64Disassembler::A64DOpcodeExtract::format):
        (JSC::ARM64Disassembler::A64DOpcodeFloatingPointConditionalSelect::format):
        (JSC::ARM64Disassembler::A64DOpcodeFloatingPointIntegerConversions::format):
        (JSC::ARM64Disassembler::A64DOpcodeDmb::format):
        (JSC::ARM64Disassembler::A64DOpcodeLoadStoreImmediate::format):
        (JSC::ARM64Disassembler::A64DOpcodeLoadStoreRegisterOffset::format):
        (JSC::ARM64Disassembler::A64DOpcodeLoadStoreRegisterPair::format):
        (JSC::ARM64Disassembler::A64DOpcodeLoadStoreUnsignedImmediate::format):
        (JSC::ARM64Disassembler::A64DOpcodeLogicalShiftedRegister::format):
        (JSC::ARM64Disassembler::A64DOpcodeMoveWide::format):
        (JSC::ARM64Disassembler::A64DOpcodeDmbIsh::format): Deleted.
        (JSC::ARM64Disassembler::A64DOpcodeDmbIshSt::format): Deleted.
        * disassembler/ARM64/A64DOpcode.h:
        (JSC::ARM64Disassembler::A64DOpcode::appendSignedImmediate64):
        (JSC::ARM64Disassembler::A64DOpcode::appendUnsignedHexImmediate):
        (JSC::ARM64Disassembler::A64DOpcodeDataProcessing1Source::opName):
        (JSC::ARM64Disassembler::A64DOpcodeDataProcessing1Source::sBit):
        (JSC::ARM64Disassembler::A64DOpcodeDataProcessing1Source::opCode):
        (JSC::ARM64Disassembler::A64DOpcodeDataProcessing1Source::opCode2):
        (JSC::ARM64Disassembler::A64DOpcodeDataProcessing1Source::opNameIndex):
        (JSC::ARM64Disassembler::A64DOpcodeDataProcessing3Source::opName):
        (JSC::ARM64Disassembler::A64DOpcodeFloatingPointConditionalSelect::opName):
        (JSC::ARM64Disassembler::A64DOpcodeFloatingPointConditionalSelect::condition):
        (JSC::ARM64Disassembler::A64DOpcodeDmb::option):
        (JSC::ARM64Disassembler::A64DOpcodeDmb::crM):
        (JSC::ARM64Disassembler::A64DOpcodeLogicalShiftedRegister::isMov):
        (JSC::ARM64Disassembler::A64DOpcodeDmbIsh::opName): Deleted.
        (JSC::ARM64Disassembler::A64DOpcodeDmbIshSt::opName): Deleted.

2017-02-17  Zan Dobersek  <zdobersek@igalia.com>

        [GLib] GCActivityCallback::scheduleTimer() keeps pushing dispatch into the future
        https://bugs.webkit.org/show_bug.cgi?id=168363

        Reviewed by Carlos Garcia Campos.

        Mimic the USE(CF) implementation of GCActivityCallback and HeapTimer by
        scheduling the timer a decade into the future instead of completely
        cancelling it. That way new dispatch times for GCActivityCallback can be
        computed by simply deducting the difference in the new and previous
        delay from the GSource's current dispatch time. Previously we handled an
        extra 'paused' state (where m_delay was -1) and allowed for a delay of
        an infinite value to be valid, complicating the next dispatch time
        computation.

        HeapTimer gains the static s_decade variable. The dispatch function in
        heapTimerSourceFunctions only dispatches the callback, which now delays
        the GSource by a decade. HeapTimer::scheduleTimer() simply schedules the
        source to dispatch in the specified amount of time, and cancelTimer()
        'cancels' the source by setting the dispatch time to a decade.

        GCActivityCallback constructor initializes the delay to the s_decade
        value and immediately sets the ready time for GSource a decade into the
        future, avoiding the default -1 value as the ready time that would cause
        problems in scheduleTimer(). scheduleTimer() doesn't special-case the
        zero-delay value anymore, instead it just computes the difference
        between the old and the new delay and rolls back the GSource's ready
        time for that amount. cancelTimer() sets m_delay to the decade value and
        delays the GSource for that same amount.

        * heap/GCActivityCallback.cpp:
        (JSC::GCActivityCallback::GCActivityCallback):
        (JSC::GCActivityCallback::scheduleTimer):
        (JSC::GCActivityCallback::cancelTimer):
        * heap/GCActivityCallback.h:
        * heap/HeapTimer.cpp:
        (JSC::HeapTimer::HeapTimer):
        (JSC::HeapTimer::scheduleTimer):
        (JSC::HeapTimer::cancelTimer):
        * heap/HeapTimer.h:

2017-02-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Drop PassRefPtr from ArrayBuffer
        https://bugs.webkit.org/show_bug.cgi?id=168455

        Reviewed by Geoffrey Garen.

        This patch finally drops all the PassRefPtr in JSC.
        We changed PassRefPtr<ArrayBuffer> to RefPtr<ArrayBuffer>&&.
        Since ArrayBuffer may be nullptr if the array is neutered,
        we hold it as RefPtr<> instead of Ref<>.

        And we also drops 2 files, TypedArrayBase.h and IntegralTypedArrayBase.h.
        They are not used (and they are not referenced from the project file).

        * inspector/JavaScriptCallFrame.h:
        * jsc.cpp:
        (functionDollarAgentReceiveBroadcast):
        * runtime/ArrayBufferView.cpp:
        (JSC::ArrayBufferView::ArrayBufferView):
        * runtime/ArrayBufferView.h:
        (JSC::ArrayBufferView::possiblySharedBuffer):
        (JSC::ArrayBufferView::unsharedBuffer):
        (JSC::ArrayBufferView::verifySubRangeLength):
        (JSC::ArrayBufferView::clampOffsetAndNumElements):
        * runtime/ClassInfo.h:
        * runtime/DataView.cpp:
        (JSC::DataView::DataView):
        (JSC::DataView::create):
        * runtime/DataView.h:
        * runtime/GenericTypedArrayView.h:
        * runtime/GenericTypedArrayViewInlines.h:
        (JSC::GenericTypedArrayView<Adaptor>::GenericTypedArrayView):
        (JSC::GenericTypedArrayView<Adaptor>::create):
        (JSC::GenericTypedArrayView<Adaptor>::subarray):
        * runtime/IntegralTypedArrayBase.h: Removed.
        * runtime/JSArrayBuffer.cpp:
        (JSC::JSArrayBuffer::JSArrayBuffer):
        (JSC::JSArrayBuffer::create):
        * runtime/JSArrayBuffer.h:
        * runtime/JSArrayBufferPrototype.cpp:
        (JSC::arrayBufferProtoFuncSlice):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
        * runtime/JSArrayBufferView.h:
        * runtime/JSArrayBufferViewInlines.h:
        (JSC::JSArrayBufferView::possiblySharedImpl):
        (JSC::JSArrayBufferView::unsharedImpl):
        * runtime/JSCell.cpp:
        (JSC::JSCell::slowDownAndWasteMemory):
        (JSC::JSCell::getTypedArrayImpl):
        * runtime/JSCell.h:
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::create):
        (JSC::JSDataView::possiblySharedTypedImpl):
        (JSC::JSDataView::unsharedTypedImpl):
        (JSC::JSDataView::getTypedArrayImpl):
        * runtime/JSDataView.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayViewWithArguments):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::create):
        (JSC::JSGenericTypedArrayView<Adaptor>::possiblySharedTypedImpl):
        (JSC::JSGenericTypedArrayView<Adaptor>::unsharedTypedImpl):
        (JSC::JSGenericTypedArrayView<Adaptor>::getTypedArrayImpl):
        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
        * runtime/JSTypedArrays.cpp:
        (JSC::createUint8TypedArray):
        * runtime/TypedArrayBase.h: Removed.

2017-02-16  Keith Miller  <keith_miller@apple.com>

        ASSERTION FAILED: vm.heap.mutatorState() == MutatorState::Running || vm.apiLock().ownerThread() != std::this_thread::get_id()
        https://bugs.webkit.org/show_bug.cgi?id=168354

        Reviewed by Geoffrey Garen.

        Instead of adding a custom vmEntryGlobalObject for the debugger
        we can just have it use vmEntryScope instead.

        * debugger/Debugger.cpp:
        (JSC::Debugger::detach):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::vmEntryGlobalObjectForDebuggerDetach): Deleted.
        * interpreter/CallFrame.h:

2017-02-16  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix cloop build.

        * heap/Heap.cpp:
        (JSC::Heap::stopThePeriphery):
        * runtime/JSLock.cpp:

2017-02-10  Filip Pizlo  <fpizlo@apple.com>

        The collector thread should only start when the mutator doesn't have heap access
        https://bugs.webkit.org/show_bug.cgi?id=167737

        Reviewed by Keith Miller.
        
        This turns the collector thread's workflow into a state machine, so that the mutator thread can
        run it directly. This reduces the amount of synchronization we do with the collector thread, and
        means that most apps will never start the collector thread. The collector thread will still start
        when we need to finish collecting and we don't have heap access.
        
        In this new world, "stopping the world" means relinquishing control of collection to the mutator.
        This means tracking who is conducting collection. I use the GCConductor enum to say who is
        conducting. It's either GCConductor::Mutator or GCConductor::Collector. I use the term "conn" to
        refer to the concept of conducting (having the conn, relinquishing the conn, taking the conn).
        So, stopping the world means giving the mutator the conn. Releasing heap access means giving the
        collector the conn.
        
        This meant bringing back the conservative scan of the calling thread. It turns out that this
        scan was too slow to be called on each GC increment because apparently setjmp() now does system
        calls. So, I wrote our own callee save register saving for the GC. Then I had doubts about
        whether or not it was correct, so I also made it so that the GC only rarely asks for the register
        state. I think we still want to use my register saving code instead of setjmp because setjmp
        seems to save things we don't need, and that could make us overly conservative.
        
        It turns out that this new scheduling discipline makes the old space-time scheduler perform
        better than the new stochastic space-time scheduler on systems with fewer than 4 cores. This is
        because the mutator having the conn enables us to time the mutator<->collector context switches
        by polling. The OS is never involved. So, we can use super precise timing. This allows the old
        space-time schduler to shine like it hadn't before.
        
        The splay results imply that this is all a good thing. On 2-core systems, this reduces pause
        times by 40% and it increases throughput about 5%. On 1-core systems, this reduces pause times by
        half and reduces throughput by 8%. On 4-or-more-core systems, this doesn't seem to have much
        effect.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::ThreadBody::ThreadBody):
        (JSC::DFG::Worklist::dump):
        (JSC::DFG::numberOfWorklists):
        (JSC::DFG::ensureWorklistForIndex):
        (JSC::DFG::existingWorklistForIndexOrNull):
        (JSC::DFG::existingWorklistForIndex):
        * dfg/DFGWorklist.h:
        (JSC::DFG::numberOfWorklists): Deleted.
        (JSC::DFG::ensureWorklistForIndex): Deleted.
        (JSC::DFG::existingWorklistForIndexOrNull): Deleted.
        (JSC::DFG::existingWorklistForIndex): Deleted.
        * heap/CollectingScope.h: Added.
        (JSC::CollectingScope::CollectingScope):
        (JSC::CollectingScope::~CollectingScope):
        * heap/CollectorPhase.cpp: Added.
        (JSC::worldShouldBeSuspended):
        (WTF::printInternal):
        * heap/CollectorPhase.h: Added.
        * heap/EdenGCActivityCallback.cpp:
        (JSC::EdenGCActivityCallback::lastGCLength):
        * heap/FullGCActivityCallback.cpp:
        (JSC::FullGCActivityCallback::doCollection):
        (JSC::FullGCActivityCallback::lastGCLength):
        * heap/GCConductor.cpp: Added.
        (JSC::gcConductorShortName):
        (WTF::printInternal):
        * heap/GCConductor.h: Added.
        * heap/Heap.cpp:
        (JSC::Heap::Thread::Thread):
        (JSC::Heap::Heap):
        (JSC::Heap::lastChanceToFinalize):
        (JSC::Heap::gatherStackRoots):
        (JSC::Heap::updateObjectCounts):
        (JSC::Heap::shouldCollectInCollectorThread):
        (JSC::Heap::collectInCollectorThread):
        (JSC::Heap::checkConn):
        (JSC::Heap::runCurrentPhase):
        (JSC::Heap::runNotRunningPhase):
        (JSC::Heap::runBeginPhase):
        (JSC::Heap::runFixpointPhase):
        (JSC::Heap::runConcurrentPhase):
        (JSC::Heap::runReloopPhase):
        (JSC::Heap::runEndPhase):
        (JSC::Heap::changePhase):
        (JSC::Heap::finishChangingPhase):
        (JSC::Heap::stopThePeriphery):
        (JSC::Heap::resumeThePeriphery):
        (JSC::Heap::stopTheMutator):
        (JSC::Heap::resumeTheMutator):
        (JSC::Heap::stopIfNecessarySlow):
        (JSC::Heap::collectInMutatorThread):
        (JSC::Heap::collectInMutatorThreadImpl):
        (JSC::Heap::waitForCollector):
        (JSC::Heap::acquireAccessSlow):
        (JSC::Heap::releaseAccessSlow):
        (JSC::Heap::relinquishConn):
        (JSC::Heap::finishRelinquishingConn):
        (JSC::Heap::handleNeedFinalize):
        (JSC::Heap::notifyThreadStopping):
        (JSC::Heap::finalize):
        (JSC::Heap::requestCollection):
        (JSC::Heap::waitForCollection):
        (JSC::Heap::updateAllocationLimits):
        (JSC::Heap::didFinishCollection):
        (JSC::Heap::collectIfNecessaryOrDefer):
        (JSC::Heap::preventCollection):
        (JSC::Heap::performIncrement):
        (JSC::Heap::markToFixpoint): Deleted.
        (JSC::Heap::shouldCollectInThread): Deleted.
        (JSC::Heap::collectInThread): Deleted.
        (JSC::Heap::stopTheWorld): Deleted.
        (JSC::Heap::resumeTheWorld): Deleted.
        * heap/Heap.h:
        (JSC::Heap::machineThreads):
        (JSC::Heap::lastFullGCLength):
        (JSC::Heap::lastEdenGCLength):
        (JSC::Heap::increaseLastFullGCLength):
        * heap/HeapInlines.h:
        (JSC::Heap::mutatorIsStopped): Deleted.
        * heap/HeapStatistics.cpp: Removed.
        * heap/HeapStatistics.h: Removed.
        * heap/HelpingGCScope.h: Removed.
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::gatherFromCurrentThread):
        (JSC::MachineThreads::gatherConservativeRoots):
        * heap/MachineStackMarker.h:
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::Handle::sweep):
        * heap/MutatorState.cpp:
        (WTF::printInternal):
        * heap/MutatorState.h:
        * heap/RegisterState.h: Added.
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::drainFromShared):
        (JSC::SlotVisitor::drainInParallelPassively):
        (JSC::SlotVisitor::donateAll):
        * heap/StochasticSpaceTimeMutatorScheduler.cpp:
        (JSC::StochasticSpaceTimeMutatorScheduler::beginCollection):
        (JSC::StochasticSpaceTimeMutatorScheduler::synchronousDrainingDidStall):
        (JSC::StochasticSpaceTimeMutatorScheduler::timeToStop):
        * heap/SweepingScope.h: Added.
        (JSC::SweepingScope::SweepingScope):
        (JSC::SweepingScope::~SweepingScope):
        * jit/JITWorklist.cpp:
        (JSC::JITWorklist::Thread::Thread):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionFlashHeapAccess):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSCellInlines.h:
        (JSC::JSCell::classInfo):
        * runtime/Options.cpp:
        (JSC::overrideDefaults):
        * runtime/Options.h:
        * runtime/TestRunnerUtils.cpp:
        (JSC::finalizeStatsAtEndOfTesting):

2017-02-16  Anders Carlsson  <andersca@apple.com>

        Remove EFL from JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=168459

        Reviewed by Geoffrey Garen.

        * heap/GCActivityCallback.cpp:
        (JSC::GCActivityCallback::GCActivityCallback):
        (JSC::GCActivityCallback::cancelTimer):
        (JSC::GCActivityCallback::didAllocate):
        * heap/GCActivityCallback.h:
        * heap/HeapTimer.cpp:
        (JSC::HeapTimer::add): Deleted.
        (JSC::HeapTimer::stop): Deleted.
        (JSC::HeapTimer::timerEvent): Deleted.
        * heap/HeapTimer.h:
        * inspector/EventLoop.cpp:
        (Inspector::EventLoop::cycle):
        * jsc.cpp:
        (main):
        * tools/CodeProfiling.cpp:
        (JSC::CodeProfiling::begin):
        (JSC::CodeProfiling::end):

2017-02-15  Brian Burg  <bburg@apple.com>

        [Cocoa] Web Inspector: Inspector::fromProtocolString<T> should return std::optional<T>
        https://bugs.webkit.org/show_bug.cgi?id=168018
        <rdar://problem/30468779>

        Reviewed by Joseph Pecoraro.

        These methods parse untrusted string inputs, so they should return an optional instead
        of asserting or crashing when the input is not usable.

        Update various pieces of generated code to handle the error case gracefully.

        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command):
        (ObjCBackendDispatcherImplementationGenerator._generate_invocation_for_command):
        The local variable holding the ObjC-friendly converted value should take a std::optional
        when converting an enum from a string into an NS_ENUM value. If the enum command parameter
        is not optional, then send a response with a command failure message and return.

        The optional enum parameter case is not handled correctly, but no existing code requires it.

        * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
        (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_from_protocol_string):
        Fix signature and remove default case ASSERT_NOT_REACHED.

        * inspector/scripts/codegen/generate_objc_protocol_type_conversions_implementation.py:
        (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_method_implementation):
        Since this code assumes all inputs to be valid and throws an exception otherwise, we
        try to convert the enum and throw an exception if it's nullopt. If it's valid, write to outValue.

        * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
        (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_payload):
        The local variable holding the ObjC-friendly converted value should take a std::optional
        when converting an enum from a string into an NS_ENUM value. If the enum command parameter
        is not optional, then throw an exception if the value is nullopt. Otherwise, allow it to be empty.

        * inspector/scripts/codegen/objc_generator.py:
        (ObjCGenerator.protocol_to_objc_expression_for_member):
        Unconditionally unwrap the optional. This expression is only used inside the typechecked
        ObjC protocol objects. In this case we are guaranteed to have already initialized the enum with a valid
        value, but must store it as a string inside a wrapped InspectorObject. The getter needs to
        re-convert the stored string into an NS_ENUM value.

        * inspector/scripts/codegen/objc_generator_templates.py:
        Update type template for fromProtocolString<T>().

        * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/domain-availability.json-result:
        * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/generic/expected/enum-values.json-result:
        * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
        * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
        * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
        Rebaseline tests.

2017-02-16  Keith Miller  <keith_miller@apple.com>

        ASSERTION FAILED: vm.heap.mutatorState() == MutatorState::Running || vm.apiLock().ownerThread() != std::this_thread::get_id()
        https://bugs.webkit.org/show_bug.cgi?id=168354

        Reviewed by Filip Pizlo.

        Add a new vmEntryGlobalObject method for the debugger so that
        the debugger does not crash in debug builds when trying to
        detach itself from a global object.

        * debugger/Debugger.cpp:
        (JSC::Debugger::detach):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::vmEntryGlobalObjectForDebuggerDetach):
        * interpreter/CallFrame.h:

2017-02-16  Keith Miller  <keith_miller@apple.com>

        Refactor AccessCase to be more like B3Value
        https://bugs.webkit.org/show_bug.cgi?id=168408

        Reviewed by Filip Pizlo.

        This patch makes AccessCase (and new subclasses) more like B3Value. In the new system each
        type has an associated AccessCase subclass. For instance any getter should use the
        GetterSetterAccessCase subclass. The new system is easier to follow since you no longer need
        to know exactly which members are used by which types. The subclass to AccessType mapping is:

        GetterSetterAccessCase:
            Getter
            CustomAccessorGetter
            CustomValueGetter
            Setter

        ProxyableAccessCase:
            Load
            Miss
            GetGetter

        IntrinsicGetterAccessCase:
            IntrinsicGetter

        AccessCase:
            Everything else

        It also has the additional advantage that it uses less memory for the cases where we would have needed
        rare data in the past but that case would only use a small bit of it.

        This patch also removes megamorphic loads and renames some TryGetById related enum values from Pure to Try.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/AccessCase.cpp: Added.
        (JSC::AccessCase::AccessCase):
        (JSC::AccessCase::create):
        (JSC::AccessCase::~AccessCase):
        (JSC::AccessCase::fromStructureStubInfo):
        (JSC::AccessCase::clone):
        (JSC::AccessCase::commit):
        (JSC::AccessCase::guardedByStructureCheck):
        (JSC::AccessCase::doesCalls):
        (JSC::AccessCase::couldStillSucceed):
        (JSC::AccessCase::canReplace):
        (JSC::AccessCase::dump):
        (JSC::AccessCase::visitWeak):
        (JSC::AccessCase::propagateTransitions):
        (JSC::AccessCase::generateWithGuard):
        (JSC::AccessCase::generate):
        (JSC::AccessCase::generateImpl):
        * bytecode/AccessCase.h: Added.
        (JSC::AccessCase::as):
        (JSC::AccessCase::create):
        (JSC::AccessCase::type):
        (JSC::AccessCase::state):
        (JSC::AccessCase::offset):
        (JSC::AccessCase::structure):
        (JSC::AccessCase::newStructure):
        (JSC::AccessCase::conditionSet):
        (JSC::AccessCase::alternateBase):
        (JSC::AccessCase::additionalSet):
        (JSC::AccessCase::viaProxy):
        (JSC::AccessCase::isGetter):
        (JSC::AccessCase::isAccessor):
        (JSC::AccessCase::dumpImpl):
        (JSC::AccessCase::resetState):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
        * bytecode/GetterSetterAccessCase.cpp: Added.
        (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
        (JSC::GetterSetterAccessCase::create):
        (JSC::GetterSetterAccessCase::~GetterSetterAccessCase):
        (JSC::GetterSetterAccessCase::clone):
        (JSC::GetterSetterAccessCase::alternateBase):
        (JSC::GetterSetterAccessCase::dumpImpl):
        (JSC::GetterSetterAccessCase::emitDOMJITGetter):
        * bytecode/GetterSetterAccessCase.h: Added.
        (JSC::GetterSetterAccessCase::callLinkInfo):
        (JSC::GetterSetterAccessCase::customSlotBase):
        (JSC::GetterSetterAccessCase::domJIT):
        * bytecode/IntrinsicGetterAccessCase.cpp: Added.
        (JSC::IntrinsicGetterAccessCase::IntrinsicGetterAccessCase):
        (JSC::IntrinsicGetterAccessCase::create):
        (JSC::IntrinsicGetterAccessCase::~IntrinsicGetterAccessCase):
        (JSC::IntrinsicGetterAccessCase::clone):
        * bytecode/IntrinsicGetterAccessCase.h: Added.
        (JSC::IntrinsicGetterAccessCase::intrinsicFunction):
        (JSC::IntrinsicGetterAccessCase::intrinsic):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::regenerate):
        (WTF::printInternal):
        (JSC::AccessCase::AccessCase): Deleted.
        (JSC::AccessCase::tryGet): Deleted.
        (JSC::AccessCase::get): Deleted.
        (JSC::AccessCase::megamorphicLoad): Deleted.
        (JSC::AccessCase::replace): Deleted.
        (JSC::AccessCase::transition): Deleted.
        (JSC::AccessCase::setter): Deleted.
        (JSC::AccessCase::in): Deleted.
        (JSC::AccessCase::getLength): Deleted.
        (JSC::AccessCase::getIntrinsic): Deleted.
        (JSC::AccessCase::~AccessCase): Deleted.
        (JSC::AccessCase::fromStructureStubInfo): Deleted.
        (JSC::AccessCase::clone): Deleted.
        (JSC::AccessCase::commit): Deleted.
        (JSC::AccessCase::guardedByStructureCheck): Deleted.
        (JSC::AccessCase::alternateBase): Deleted.
        (JSC::AccessCase::doesCalls): Deleted.
        (JSC::AccessCase::couldStillSucceed): Deleted.
        (JSC::AccessCase::canBeReplacedByMegamorphicLoad): Deleted.
        (JSC::AccessCase::canReplace): Deleted.
        (JSC::AccessCase::dump): Deleted.
        (JSC::AccessCase::visitWeak): Deleted.
        (JSC::AccessCase::propagateTransitions): Deleted.
        (JSC::AccessCase::generateWithGuard): Deleted.
        (JSC::AccessCase::generate): Deleted.
        (JSC::AccessCase::generateImpl): Deleted.
        (JSC::AccessCase::emitDOMJITGetter): Deleted.
        * bytecode/PolymorphicAccess.h:
        (JSC::AccessCase::type): Deleted.
        (JSC::AccessCase::state): Deleted.
        (JSC::AccessCase::offset): Deleted.
        (JSC::AccessCase::viaProxy): Deleted.
        (JSC::AccessCase::structure): Deleted.
        (JSC::AccessCase::newStructure): Deleted.
        (JSC::AccessCase::conditionSet): Deleted.
        (JSC::AccessCase::intrinsicFunction): Deleted.
        (JSC::AccessCase::intrinsic): Deleted.
        (JSC::AccessCase::domJIT): Deleted.
        (JSC::AccessCase::additionalSet): Deleted.
        (JSC::AccessCase::customSlotBase): Deleted.
        (JSC::AccessCase::isGetter): Deleted.
        (JSC::AccessCase::callLinkInfo): Deleted.
        (JSC::AccessCase::RareData::RareData): Deleted.
        * bytecode/ProxyableAccessCase.cpp: Added.
        (JSC::ProxyableAccessCase::ProxyableAccessCase):
        (JSC::ProxyableAccessCase::create):
        (JSC::ProxyableAccessCase::~ProxyableAccessCase):
        (JSC::ProxyableAccessCase::clone):
        (JSC::ProxyableAccessCase::dumpImpl):
        * bytecode/ProxyableAccessCase.h: Added.
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeForStubInfo):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::reset):
        * bytecode/StructureStubInfo.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileTryGetById):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
        * jit/IntrinsicEmitter.cpp:
        (JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
        (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
        (JSC::AccessCase::canEmitIntrinsicGetter): Deleted.
        (JSC::AccessCase::emitIntrinsicGetter): Deleted.
        * jit/JITOperations.cpp:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_try_get_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_try_get_by_id):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryCachePutByID):
        (JSC::tryRepatchIn):
        * jit/Repatch.h:
        * runtime/Options.h:

2017-02-16  Filip Pizlo  <fpizlo@apple.com>

        JSONParseTest needs to hold the lock when the VM is destroyed
        https://bugs.webkit.org/show_bug.cgi?id=168450

        Rubber stamped by Alex Christensen.

        * API/tests/JSONParseTest.cpp:
        (testJSONParse):

2017-02-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Drop PassRefPtr in inspector/
        https://bugs.webkit.org/show_bug.cgi?id=168420

        Reviewed by Alex Christensen.

        Drop PassRefPtr uses.
        And use Ref<Inspector::ScriptArguments> and Ref<ScriptCallStack> as much as possible.
        It drops some unnecessary null checks.

        * debugger/Debugger.cpp:
        (JSC::Debugger::hasBreakpoint):
        (JSC::Debugger::currentDebuggerCallFrame):
        * debugger/Debugger.h:
        * inspector/AsyncStackTrace.cpp:
        (Inspector::AsyncStackTrace::create):
        (Inspector::AsyncStackTrace::AsyncStackTrace):
        (Inspector::AsyncStackTrace::buildInspectorObject):
        (Inspector::AsyncStackTrace::truncate):
        * inspector/AsyncStackTrace.h:
        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::ConsoleMessage):
        * inspector/ConsoleMessage.h:
        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::InjectedScriptManager):
        (Inspector::InjectedScriptManager::injectedScriptHost):
        * inspector/InjectedScriptManager.h:
        * inspector/JSGlobalObjectConsoleClient.cpp:
        (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
        (Inspector::JSGlobalObjectConsoleClient::count):
        (Inspector::JSGlobalObjectConsoleClient::timeEnd):
        (Inspector::JSGlobalObjectConsoleClient::timeStamp):
        (Inspector::JSGlobalObjectConsoleClient::warnUnimplemented):
        * inspector/JSGlobalObjectConsoleClient.h:
        ConsoleClient now takes Ref<ScriptArgument>&& instead of RefPtr<ScriptArgument>&&.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
        (Inspector::JSGlobalObjectInspectorController::reportAPIException):
        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::JSJavaScriptCallFrame::JSJavaScriptCallFrame):
        (Inspector::toJS):
        * inspector/JSJavaScriptCallFrame.h:
        (Inspector::JSJavaScriptCallFrame::create):
        * inspector/JavaScriptCallFrame.cpp:
        (Inspector::JavaScriptCallFrame::JavaScriptCallFrame):
        (Inspector::JavaScriptCallFrame::caller):
        * inspector/JavaScriptCallFrame.h:
        (Inspector::JavaScriptCallFrame::create):
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::evaluateBreakpointAction):
        (Inspector::ScriptDebugServer::dispatchDidPause):
        (Inspector::ScriptDebugServer::exceptionOrCaughtValue):
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::stopTiming):
        (Inspector::InspectorConsoleAgent::count):
        * inspector/agents/InspectorConsoleAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::didScheduleAsyncCall):
        * runtime/ConsoleClient.cpp:
        (JSC::ConsoleClient::printConsoleMessageWithArguments):
        (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
        (JSC::ConsoleClient::logWithLevel):
        (JSC::ConsoleClient::dir):
        (JSC::ConsoleClient::dirXML):
        (JSC::ConsoleClient::table):
        (JSC::ConsoleClient::trace):
        (JSC::ConsoleClient::assertion):
        (JSC::ConsoleClient::group):
        (JSC::ConsoleClient::groupCollapsed):
        (JSC::ConsoleClient::groupEnd):
        * runtime/ConsoleClient.h:
        * runtime/ConsoleObject.cpp:
        (JSC::consoleLogWithLevel):
        (JSC::consoleProtoFuncDir):
        (JSC::consoleProtoFuncDirXML):
        (JSC::consoleProtoFuncTable):
        (JSC::consoleProtoFuncTrace):
        (JSC::consoleProtoFuncAssert):
        (JSC::consoleProtoFuncCount):
        (JSC::consoleProtoFuncTimeStamp):
        (JSC::consoleProtoFuncGroup):
        (JSC::consoleProtoFuncGroupCollapsed):
        (JSC::consoleProtoFuncGroupEnd):

2017-02-15  Keith Miller  <keith_miller@apple.com>

        Weak should not use jsCast in its accessors
        https://bugs.webkit.org/show_bug.cgi?id=168406

        Reviewed by Filip Pizlo.

        This can cause assertion failures in WebCore where classes might remove themselves
        from a data structure in a weak reference, if that reference is still alive.

        * heap/WeakInlines.h:
        (JSC::>):
        (JSC::Weak<T>::operator):
        (JSC::Weak<T>::get):

2017-02-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        Web Inspector: allow import() inside the inspector
        https://bugs.webkit.org/show_bug.cgi?id=167457

        Reviewed by Ryosuke Niwa.

        We relax import module hook to accept null SourceOrigin.
        Such a script can be evaluated from the inspector console.

        * jsc.cpp:
        (GlobalObject::moduleLoaderImportModule):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncImportModule):

2017-02-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Update module namespace object according to the latest ECMA262
        https://bugs.webkit.org/show_bug.cgi?id=168280

        Reviewed by Saam Barati.

        Reflect updates to the module namespace object.

        1. @@iterator property is dropped[1].
        2. @@toStringTag property becomes non-configurable[1].
        3. delete with Symbol should be delegated to the JSObject's one[2].

        [1]: https://tc39.github.io/ecma262/#sec-module-namespace-objects
        [2]: https://github.com/tc39/ecma262/pull/767

        * runtime/JSModuleNamespaceObject.cpp:
        (JSC::JSModuleNamespaceObject::finishCreation):
        (JSC::JSModuleNamespaceObject::deleteProperty):
        (JSC::moduleNamespaceObjectSymbolIterator): Deleted.

2017-02-16  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix the build after r212424.

        Add missing file.

        * inspector/remote/RemoteInspector.cpp: Added.
        (Inspector::RemoteInspector::startDisabled):
        (Inspector::RemoteInspector::nextAvailableTargetIdentifier):
        (Inspector::RemoteInspector::registerTarget):
        (Inspector::RemoteInspector::unregisterTarget):
        (Inspector::RemoteInspector::updateTarget):
        (Inspector::RemoteInspector::updateClientCapabilities):
        (Inspector::RemoteInspector::setRemoteInspectorClient):
        (Inspector::RemoteInspector::setupFailed):
        (Inspector::RemoteInspector::setupCompleted):
        (Inspector::RemoteInspector::waitingForAutomaticInspection):
        (Inspector::RemoteInspector::clientCapabilitiesDidChange):
        (Inspector::RemoteInspector::stop):
        (Inspector::RemoteInspector::listingForTarget):
        (Inspector::RemoteInspector::updateHasActiveDebugSession):

2017-02-15  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Drop PassRefPtr in bytecompiler/
        https://bugs.webkit.org/show_bug.cgi?id=168374

        Reviewed by Sam Weinig.

        This patch drops PassRefPtr in bytecompiler directory.
        We carefully change this to Ref<>. And we use Ref<Label>
        as much as possible instead of using RefPtr<Label>.
        And use Label& instead of Label* as much as possible.

        Currently we do not apply this change for RefPtr<RegisterID>,
        to reduce the size of this patch.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
        (JSC::BytecodeGenerator::newLabelScope):
        (JSC::BytecodeGenerator::newLabel):
        (JSC::BytecodeGenerator::newEmittedLabel):
        Introduce a new helper function, which returns new label that is emitted right here.

        (JSC::BytecodeGenerator::emitLabel):
        (JSC::BytecodeGenerator::emitJump):
        (JSC::BytecodeGenerator::emitJumpIfTrue):
        (JSC::BytecodeGenerator::emitJumpIfFalse):
        (JSC::BytecodeGenerator::emitJumpIfNotFunctionCall):
        (JSC::BytecodeGenerator::emitJumpIfNotFunctionApply):
        Drop returning Ref<Label> since nobody uses it.

        (JSC::BytecodeGenerator::emitGetByVal):
        (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitReturn):
        (JSC::BytecodeGenerator::emitConstruct):
        (JSC::BytecodeGenerator::pushFinallyControlFlowScope):
        (JSC::BytecodeGenerator::breakTarget):
        (JSC::BytecodeGenerator::pushTry):
        (JSC::BytecodeGenerator::popTry):
        (JSC::prepareJumpTableForSwitch):
        (JSC::prepareJumpTableForStringSwitch):
        (JSC::BytecodeGenerator::endSwitch):
        (JSC::BytecodeGenerator::emitEnumeration):
        (JSC::BytecodeGenerator::emitIteratorNext):
        (JSC::BytecodeGenerator::emitIteratorNextWithValue):
        (JSC::BytecodeGenerator::emitIteratorClose):
        (JSC::BytecodeGenerator::pushIndexedForInScope):
        (JSC::BytecodeGenerator::pushStructureForInScope):
        (JSC::BytecodeGenerator::invalidateForInContextForLocal):
        (JSC::BytecodeGenerator::emitRequireObjectCoercible):
        (JSC::BytecodeGenerator::emitYieldPoint):
        (JSC::BytecodeGenerator::emitYield):
        (JSC::BytecodeGenerator::emitDelegateYield):
        (JSC::BytecodeGenerator::emitJumpViaFinallyIfNeeded):
        (JSC::BytecodeGenerator::emitReturnViaFinallyIfNeeded):
        (JSC::BytecodeGenerator::emitFinallyCompletion):
        (JSC::BytecodeGenerator::emitJumpIf):
        * bytecompiler/BytecodeGenerator.h:
        FinallyJump, FinallyContext, TryData, TryContext and TryRange hold Ref<Label>
        instead of RefPtr<Label>. They are never nullptr.

        (JSC::FinallyJump::FinallyJump):
        (JSC::FinallyContext::FinallyContext):
        (JSC::FinallyContext::registerJump):
        (JSC::BytecodeGenerator::emitNodeInConditionContext):
        (JSC::BytecodeGenerator::emitNodeForLeftHandSide):
        * bytecompiler/Label.h:
        Make Label noncopyable.

        * bytecompiler/LabelScope.h:
        (JSC::LabelScope::LabelScope):
        (JSC::LabelScope::breakTarget):
        breakTarget always returns Label&. On the other hand, continueTarget may be nullptr.
        So it returns Label*.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ExpressionNode::emitBytecodeInConditionContext):
        (JSC::ConstantNode::emitBytecodeInConditionContext):
        (JSC::FunctionCallValueNode::emitBytecode):
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        (JSC::LogicalNotNode::emitBytecodeInConditionContext):
        (JSC::BinaryOpNode::emitBytecodeInConditionContext):
        (JSC::InstanceOfNode::emitBytecode):
        (JSC::LogicalOpNode::emitBytecode):
        (JSC::LogicalOpNode::emitBytecodeInConditionContext):
        (JSC::ConditionalNode::emitBytecode):
        (JSC::IfElseNode::emitBytecode):
        (JSC::DoWhileNode::emitBytecode):
        (JSC::WhileNode::emitBytecode):
        (JSC::ForNode::emitBytecode):
        (JSC::ForInNode::emitBytecode):
        (JSC::ContinueNode::trivialTarget):
        (JSC::ContinueNode::emitBytecode):
        (JSC::BreakNode::trivialTarget):
        (JSC::CaseBlockNode::emitBytecodeForBlock):
        (JSC::TryNode::emitBytecode):
        (JSC::FunctionNode::emitBytecode):
        (JSC::ClassExprNode::emitBytecode):
        (JSC::assignDefaultValueIfUndefined):
        (JSC::ArrayPatternNode::bindValue):
        Use Ref<Label> and Label&.

        * parser/Nodes.h:

2017-02-15  Alex Christensen  <achristensen@webkit.org>

        Unreviewed, rolling out r212394.

        Fixed iOS WebInspector

        Reverted changeset:

        "Unreviewed, rolling out r212169."
        https://bugs.webkit.org/show_bug.cgi?id=166681
        http://trac.webkit.org/changeset/212394

2017-02-15  Guillaume Emont  <guijemont@igalia.com>

        MIPS: add missing implementations of load8SignedExtendTo32()

        JSC: missing implementations of MacroAssemblerMIPS::load8SignedExtendTo32()
        https://bugs.webkit.org/show_bug.cgi?id=168350

        Reviewed by Yusuke Suzuki.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
        Add missing implementations

2017-02-15  Alex Christensen  <achristensen@webkit.org>

        Unreviewed, rolling out r212169.

        Broke iOS WebInspector

        Reverted changeset:

        "WebInspector: refactor RemoteInspector to move cocoa specific
        code to their own files"
        https://bugs.webkit.org/show_bug.cgi?id=166681
        http://trac.webkit.org/changeset/212169

2017-02-15  Chris Dumez  <cdumez@apple.com>

        Expose Symbol.toPrimitive / valueOf on Location instances
        https://bugs.webkit.org/show_bug.cgi?id=168295

        Reviewed by Geoffrey Garen, Keith Miller and Mark Lam.

        Cache origin objectProtoValueOf function on JSGlobalObject.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::objectProtoValueOfFunction):

2017-02-15  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Drop PassRefPtr
        https://bugs.webkit.org/show_bug.cgi?id=168320

        Reviewed by Saam Barati.

        * API/JSContextRef.cpp:
        (JSGlobalContextCreateInGroup):
        Use Ref<VM> from the factory function.

        * API/JSScriptRef.cpp:
        (OpaqueJSScript::create):
        Return Ref<> instead.

        * API/tests/JSONParseTest.cpp:
        (testJSONParse):
        Use Ref<VM>.

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
        Use reference since we already perform null check.

        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
        Take Ref<>&& instead of PassRefPtr<>.

        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::setStub):
        (JSC::CallLinkInfo::setSlowStub):
        Take Ref<>&& instead of PassRefPtr<>.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        Take RefPtr<SourceProvider>. Currently, the SourceProvider would be nullptr.
        We will change it to Ref<SourceProvider> in https://bugs.webkit.org/show_bug.cgi?id=168325.

        (JSC::CodeBlock::finishCreation):
        Take Ref<TypeSet>&&.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::setJITCode):
        Take Ref<>&& instead.

        (JSC::CodeBlock::jitCode):
        Return RefPtr<> instead.

        * bytecode/EvalCodeBlock.h:
        (JSC::EvalCodeBlock::create):
        Take RefPtr<>&& instead since SourceProvider woule be nullptr.

        (JSC::EvalCodeBlock::EvalCodeBlock):
        * bytecode/FunctionCodeBlock.h:
        (JSC::FunctionCodeBlock::create):
        (JSC::FunctionCodeBlock::FunctionCodeBlock):
        Take RefPtr<>&& instead since SourceProvider woule be nullptr.

        * bytecode/GlobalCodeBlock.h:
        (JSC::GlobalCodeBlock::GlobalCodeBlock):
        Take RefPtr<>&& instead since SourceProvider woule be nullptr.

        * bytecode/ModuleProgramCodeBlock.h:
        (JSC::ModuleProgramCodeBlock::create):
        (JSC::ModuleProgramCodeBlock::ModuleProgramCodeBlock):
        Take RefPtr<>&& instead since SourceProvider woule be nullptr.

        * bytecode/ProgramCodeBlock.h:
        (JSC::ProgramCodeBlock::create):
        (JSC::ProgramCodeBlock::ProgramCodeBlock):
        Take RefPtr<>&& instead since SourceProvider woule be nullptr.

        * debugger/DebuggerParseData.cpp:
        (JSC::gatherDebuggerParseDataForSource):
        Ensure the provider is not nullptr. It is OK because we already
        touch `provider->xxx` values.

        * dfg/DFGBlockInsertionSet.cpp:
        (JSC::DFG::BlockInsertionSet::insert):
        Take Ref<>&& instead.

        * dfg/DFGBlockInsertionSet.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::inlineCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        Pass Ref<>&& to appendBlock.

        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        (JSC::DFG::compile):
        Pass Ref<Plan>&&. And take Ref<>&& callback.

        * dfg/DFGDriver.h:
        * dfg/DFGGraph.h:
        appendBlock takes Ref<>&&.

        (JSC::DFG::Graph::appendBlock):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::jitCode):
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::JITFinalizer):
        Take Ref<JITCode>&&.

        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        (JSC::DFG::JITFinalizer::finalizeCommon):
        Pass compilation reference since we already perform null check.

        * dfg/DFGJITFinalizer.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::enqueue):
        Take Ref<Plan>&&.

        * dfg/DFGWorklist.h:
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeFunction):
        Dereference and pass jitCode & compilation references.

        * jit/GCAwareJITStubRoutine.cpp:
        (JSC::createJITStubRoutine):
        Return Ref<> instead.

        * jit/GCAwareJITStubRoutine.h:
        (JSC::createJITStubRoutine):
        * jit/JIT.cpp:
        (JSC::JIT::link):
        Pass compilation reference since we already perform null check.

        * jit/JITStubRoutine.h:
        (JSC::JITStubRoutine::asCodePtr):
        Take Ref<>&& instead. And this drops unnecessary null check.

        * jit/JITThunks.cpp:
        (JSC::JITThunks::hostFunctionStub):
        Pass Ref<> to NativeExecutable::create.

        * llint/LLIntEntrypoint.cpp:
        (JSC::LLInt::setFunctionEntrypoint):
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        (JSC::LLInt::setModuleProgramEntrypoint):
        Use Ref<>&& instead.

        * parser/SourceCode.h:
        (JSC::SourceCode::SourceCode):
        (JSC::SourceCode::subExpression):
        Add constructors taking Ref<>&&.
        We still have constructors that take RefPtr<>&&.
        We will change it to Ref<SourceProvider>&& in https://bugs.webkit.org/show_bug.cgi?id=168325.

        * parser/UnlinkedSourceCode.h:
        (JSC::UnlinkedSourceCode::UnlinkedSourceCode):
        Add constructors taking Ref<>&&.
        We still have constructors that take RefPtr<>&&.
        We will change it to Ref<SourceProvider>&& in https://bugs.webkit.org/show_bug.cgi?id=168325.

        * profiler/ProfilerDatabase.cpp:
        (JSC::Profiler::Database::addCompilation):
        Take Ref<Compilation>&&.

        * profiler/ProfilerDatabase.h:
        Change data structures to hold Ref<> instead of RefPtr<>.

        * runtime/EvalExecutable.h:
        (JSC::EvalExecutable::generatedJITCode):
        Return Ref<> instead.

        * runtime/ExecutableBase.h:
        (JSC::ExecutableBase::generatedJITCodeForCall):
        (JSC::ExecutableBase::generatedJITCodeForConstruct):
        (JSC::ExecutableBase::generatedJITCodeFor):
        Return Ref<> instead.

        * runtime/Identifier.cpp:
        (JSC::Identifier::add):
        (JSC::Identifier::add8):
        * runtime/Identifier.h:
        (JSC::Identifier::add):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::setInputCursor):
        And take Ref<> in this method.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::inputCursor):
        Change m_inputCursor from RefPtr<> to Ref<>.

        * runtime/JSPropertyNameEnumerator.cpp:
        (JSC::JSPropertyNameEnumerator::create):
        (JSC::JSPropertyNameEnumerator::finishCreation):
        Take Ref<PropertyNameArray>&&.

        * runtime/JSPropertyNameEnumerator.h:
        (JSC::propertyNameEnumerator):
        * runtime/JSString.h:
        (JSC::JSString::JSString):
        Take Ref<StringImpl>&& since we do not allow nullptr in this constructor.

        (JSC::JSString::create):
        (JSC::JSString::createHasOtherOwner):
        Take Ref<StringImpl>&& in these factory functions. And drop unnecessary assertions.

        (JSC::jsSingleCharacterString):
        Use StringImpl::create() which returns Ref<>.

        (JSC::jsNontrivialString):
        Dereference impl() since we ensure that `s.length() > 1`.

        (JSC::jsString):
        Use releaseNonNull() since we ensure that `s.length() > 1`.

        (JSC::jsOwnedString):
        Use releaseNonNull() since we ensure that `s.length() > 1`.

        * runtime/ModuleProgramExecutable.h:
        * runtime/NativeExecutable.cpp:
        (JSC::NativeExecutable::create):
        (JSC::NativeExecutable::finishCreation):
        Take Ref<JITCode>&&.

        * runtime/NativeExecutable.h:
        * runtime/ProgramExecutable.h:
        Return Ref<JITCode>.

        * runtime/PropertyNameArray.h:
        (JSC::PropertyNameArray::releaseData):
        (JSC::PropertyNameArray::setData): Deleted.
        This is not used.

        * runtime/RegExpKey.h:
        (JSC::RegExpKey::RegExpKey):
        Take RefPtr<>&&.

        * runtime/SmallStrings.cpp:
        (JSC::SmallStringsStorage::rep):
        Return StringImpl& since m_reps is already initialized in the constructor.

        (JSC::SmallStrings::createEmptyString):
        Dereference StringImpl::empty().

        (JSC::SmallStrings::createSingleCharacterString):
        Use StringImpl&.

        (JSC::SmallStrings::singleCharacterStringRep):
        Return StringImpl&.

        (JSC::SmallStrings::initialize):
        Use AtomicStringImpl::add instead.

        * runtime/SmallStrings.h:
        * runtime/Structure.cpp:
        (JSC::Structure::toStructureShape):
        Return Ref<>.

        * runtime/Structure.h:
        * runtime/TypeLocationCache.cpp:
        (JSC::TypeLocationCache::getTypeLocation):
        Take RefPtr<TypeSet>&&.

        * runtime/TypeLocationCache.h:
        * runtime/TypeProfilerLog.cpp:
        Pass Ref<>&&.

        (JSC::TypeProfilerLog::processLogEntries):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::addTypeInformation):
        Take RefPtr<>&& since it can be nullptr.
        And clean up "not found" code.

        (JSC::TypeSet::allStructureRepresentations):
        Use range based iteration.

        (JSC::StructureShape::leastCommonAncestor):
        We found that this method accidentally takes `const Vector<>` instead of `const Vector<>&`.
        And internally, we just use raw pointers since these StructureShapes are owned by the m_proto trees which starts from the given Vector<>.

        (JSC::StructureShape::hasSamePrototypeChain):
        Take const reference instead. And use raw pointers internally.

        (JSC::StructureShape::merge):
        Take Ref<>&&.

        * runtime/TypeSet.h:
        (JSC::StructureShape::setProto):
        Take Ref<>&&.

        * runtime/VM.cpp:
        (JSC::VM::getHostFunction):
        Pass Ref<>&&.

        (JSC::VM::queueMicrotask):
        Take and pass Ref<>&&.

        * runtime/VM.h:
        (JSC::QueuedTask::QueuedTask):
        Take Ref<>&&.

        * tools/FunctionOverrides.cpp:
        (JSC::initializeOverrideInfo):
        We need this change due to Ref<>&& and RefPtr<>&& ambiguity of SourceCode constructors.
        Once SourceCode is fixed to only take Ref<>&&, this change is unnecessary.

2017-02-15  Csaba Osztrogonác  <ossy@webkit.org>

        [Mac][cmake] Unreviewed trivial buildfix after r212169.
        https://bugs.webkit.org/show_bug.cgi?id=166681

        * PlatformMac.cmake: Removed inspector/remote/RemoteInspectorXPCConnection.mm.

2017-02-14  Mark Lam  <mark.lam@apple.com>

        Add JSC_sweepSynchronously and fix JSC_useZombieMode options.
        https://bugs.webkit.org/show_bug.cgi?id=168257
        <rdar://problem/30451496>

        Reviewed by Filip Pizlo.

        JSC_useZombieMode now basically enables JSC_sweepSynchronously and
        JSC_scribbleFreeCells, which together does the job of zombifying dead objects
        immediately after a GC.

        * heap/Heap.cpp:
        (JSC::Heap::sweepSynchronously):
        (JSC::Heap::collectAllGarbage):
        (JSC::Heap::finalize):
        (JSC::Heap::didFinishCollection):
        (JSC::Zombify::visit): Deleted.
        (JSC::Zombify::operator()): Deleted.
        (JSC::Heap::zombifyDeadObjects): Deleted.
        * heap/Heap.h:
        (JSC::Heap::isZombified): Deleted.
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:

2017-02-13  Michael Saboff  <msaboff@apple.com>

        asyncDisassembly crashes on iOS
        https://bugs.webkit.org/show_bug.cgi?id=168259

        Reviewed by Filip Pizlo.

        Eliminated the dumping of  the disassembly for the JIT write thunk.
        Not only does it fix the crash, but given the nature of the JIT
        write thunk, we probably don't want to disassemble it anyway.
        
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):

2017-02-12  Ryosuke Niwa  <rniwa@webkit.org>

        C loop build fix attempt after r212207.

        * runtime/Lookup.h:

2017-02-11  Sam Weinig  <sam@webkit.org>

        Remove the remaining functions out of JSDOMBinding
        https://bugs.webkit.org/show_bug.cgi?id=168179

        Reviewed by Darin Adler.

        Move utility functions into more appropriate locations.
        - Move hasIteratorMethod to IteratorOperations.
        - Move nonCachingStaticFunctionGetter to Lookup

        * runtime/IteratorOperations.cpp:
        (JSC::hasIteratorMethod):
        * runtime/IteratorOperations.h:
        * runtime/Lookup.h:
        (JSC::nonCachingStaticFunctionGetter):

2017-02-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Implement (Shared)ArrayBuffer.prototype.byteLength
        https://bugs.webkit.org/show_bug.cgi?id=166476

        Reviewed by Saam Barati.

        `byteLength` becomes getter and is set in ArrayBuffer.prototype
        and SharedArrayBuffer.prototype. This patch implements the
        above getter in native function. We do not have any optimization
        path for that for now since ArrayBuffer.prototype.byteLength is
        not considered a hot function: while TypedArrays have [] accesses,
        ArrayBuffer does not have that. Thus byteLength getter is not so
        meaningful for a hot paths like iterations.

        * runtime/JSArrayBuffer.cpp:
        (JSC::JSArrayBuffer::getOwnPropertySlot): Deleted.
        (JSC::JSArrayBuffer::put): Deleted.
        (JSC::JSArrayBuffer::defineOwnProperty): Deleted.
        (JSC::JSArrayBuffer::deleteProperty): Deleted.
        (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames): Deleted.
        * runtime/JSArrayBuffer.h:
        (JSC::JSArrayBuffer::impl): Deleted.
        * runtime/JSArrayBufferPrototype.cpp:
        (JSC::arrayBufferProtoGetterFuncByteLength):
        (JSC::sharedArrayBufferProtoGetterFuncByteLength):
        (JSC::JSArrayBufferPrototype::finishCreation):

2017-02-10  Saam Barati  <sbarati@apple.com>

        Object allocation sinking phase doesn't properly handle control flow when emitting a PutHint of a materialized object into a PromotedHeapLocation of a still sunken object
        https://bugs.webkit.org/show_bug.cgi?id=168140
        <rdar://problem/30205880>

        Reviewed by Filip Pizlo.

        This patch fixes a bug in allocation sinking phase where
        we don't properly handle control flow when materializing
        an object and also PutHinting that materialization into
        a still sunken object. We were performing the PutHint
        for the materialization at the point of materialization,
        however, we may have materialized along both edges
        of a control flow diamond, in which case, we need to
        also PutHint at the join point. Consider this program:
        
        ```
        bb#0:
        b: PhantomActivation()
        a: PhantomNewFunction()
        c: PutHint(@a, @b, ActivationLoc)
        Branch(#1, #2)
        
        bb#1:
        d: MaterializeActivation()
        e: PutHint(@a, @d, ActivationLoc)
        f: Upsilon(@d, ^p)
        Jump(#3)
        
        bb#2:
        g: MaterializeActivation()
        h: PutHint(@a, @g, ActivationLoc)
        i: Upsilon(@d, ^p)
        Jump(#3)
        
        bb#3:
        p: Phi()
        // What is PromotedHeapLocation(@a, ActivationLoc) here?
        // What would we do if we exited?
        ```
        Before this patch, we didn't perform a PutHint of the Phi.
        However, we need to, otherwise when exit, we won't know
        the value of PromotedHeapLocation(@a, ActivationLoc)
        
        The program we need then, for correctness, is this:
        ```
        bb#0:
        b: PhantomActivation()
        a: PhantomNewFunction()
        c: PutHint(@a, @b, ActivationLoc)
        Branch(#1, #2)
        
        bb#1:
        d: MaterializeActivation()
        e: PutHint(@a, @d, ActivationLoc)
        f: Upsilon(@d, ^p)
        Jump(#3)
        
        bb#2:
        g: MaterializeActivation()
        h: PutHint(@a, @g, ActivationLoc)
        i: Upsilon(@d, ^p)
        Jump(#3)
        
        bb#3:
        p: Phi()
        j: PutHint(@a, @p, ActivationLoc)
        ```
        
        This patch makes it so that we emit the necessary PutHint at node `j`.
        I've also added more validation to the OSRAvailabilityAnalysisPhase
        to catch this problem during validation.

        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * ftl/FTLOperations.cpp:
        (JSC::FTL::operationMaterializeObjectInOSR):

2017-02-10  Carlos Garcia Campos  <cgarcia@igalia.com>

        WebInspector: refactor RemoteInspector to move cocoa specific code to their own files
        https://bugs.webkit.org/show_bug.cgi?id=166681

        Reviewed by Michael Catanzaro.

        Move RemoteConnectionToTarget.mm and RemoteInspector.mm to a cocoa directory renamed with a Cocoa prefix,
        because those are now the cocoa implementation of RemoteConnectionToTarget and RemoteInspector. The
        cross-platform parts of RemoteInspector have been moced to a new RemoteInspector.cpp file. Also moved to cocoa
        directory RemoteInspectorXPCConnection.h and RemoteInspectorXPCConnection.mm keeping the same name. Other than
        that there aren't important code changes, only some cocoa specific types like NSString used in common headers,
        and some other platform ifdefs needed. This is in preparation for adding a remote inspector implementation for
        the GTK+ port.

        * API/JSRemoteInspector.cpp:
        (JSRemoteInspectorSetParentProcessInformation): Add PLATFORM(COCOA) to the ifdef.
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * PlatformMac.cmake:
        * inspector/remote/RemoteConnectionToTarget.h: Add platform ifdefs for cocoa specific parts and change
        sendMessageToTarget to receive a WTF String instead of an NSString.
        * inspector/remote/RemoteControllableTarget.h: Add platform ifdefs for CF specific parts.
        * inspector/remote/RemoteInspectionTarget.h:
        * inspector/remote/RemoteInspector.cpp: Added.
        (Inspector::RemoteInspector::startDisabled):
        (Inspector::RemoteInspector::nextAvailableTargetIdentifier):
        (Inspector::RemoteInspector::registerTarget):
        (Inspector::RemoteInspector::unregisterTarget):
        (Inspector::RemoteInspector::updateTarget):
        (Inspector::RemoteInspector::updateClientCapabilities):
        (Inspector::RemoteInspector::setRemoteInspectorClient):
        (Inspector::RemoteInspector::setupFailed):
        (Inspector::RemoteInspector::setupCompleted):
        (Inspector::RemoteInspector::waitingForAutomaticInspection):
        (Inspector::RemoteInspector::clientCapabilitiesDidChange):
        (Inspector::RemoteInspector::stop):
        (Inspector::RemoteInspector::listingForTarget):
        (Inspector::RemoteInspector::updateHasActiveDebugSession):
        * inspector/remote/RemoteInspector.h: Add platform ifdefs for cocoa specific parts. Also add TargetListing
        typedef to define platform specific types for the listings without more ifdefs.
        * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm: Renamed from Source/JavaScriptCore/inspector/remote/RemoteConnectionToTarget.mm.
        (Inspector::RemoteTargetInitializeGlobalQueue):
        (Inspector::RemoteConnectionToTarget::setup):
        (Inspector::RemoteConnectionToTarget::close):
        (Inspector::RemoteConnectionToTarget::sendMessageToTarget):
        (Inspector::RemoteConnectionToTarget::setupRunLoop):
        * inspector/remote/cocoa/RemoteInspectorCocoa.mm: Renamed from Source/JavaScriptCore/inspector/remote/RemoteInspector.mm.
        (Inspector::canAccessWebInspectorMachPort):
        (Inspector::RemoteInspector::singleton):
        (Inspector::RemoteInspector::updateAutomaticInspectionCandidate):
        (Inspector::RemoteInspector::start):
        (Inspector::RemoteInspector::pushListingsSoon):
        (Inspector::RemoteInspector::receivedIndicateMessage):
        (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
        * inspector/remote/cocoa/RemoteInspectorXPCConnection.h: Renamed from Source/JavaScriptCore/inspector/remote/RemoteInspectorXPCConnection.h.
        * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm: Renamed from Source/JavaScriptCore/inspector/remote/RemoteInspectorXPCConnection.mm.
        (Inspector::RemoteInspectorXPCConnection::closeFromMessage):

2017-02-10  Brian Burg  <bburg@apple.com>

        [Cocoa] Web Inspector: payload initializers for ObjC protocol types handles special-cased property names incorrectly
        https://bugs.webkit.org/show_bug.cgi?id=168141

        Reviewed by Joseph Pecoraro.

        The generated code erroneously uses the ObjC variable name as the payload key,
        rather than the raw type member name. For example, 'identifier' would be used instead of 'id'.

        * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
        (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_payload):

        * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
        Rebaseline an affected test.

2017-02-10  Mark Lam  <mark.lam@apple.com>

        StructureStubInfo::considerCaching() should write barrier its owner CodeBlock when buffering a new Structure.
        https://bugs.webkit.org/show_bug.cgi?id=168137
        <rdar://problem/28656664>

        Reviewed by Filip Pizlo.

        If we're adding a new structure to StructureStubInfo's bufferedStructures, we
        should write barrier the StubInfo's owner CodeBlock because that structure may be
        collected during the next GC.  Write barrier-ing the owner CodeBlock ensures that
        CodeBlock::finalizeBaselineJITInlineCaches() is called on it during the GC,
        which, in turn, gives the StructureStubInfo the opportunity to filter out the
        dead structure.

        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::considerCaching):
        * jit/JITOperations.cpp:

2017-02-10  Brian Burg  <bburg@apple.com>

        [Cocoa] Web Inspector: generate an NS_ENUM containing platforms supported by the protocol code generator
        https://bugs.webkit.org/show_bug.cgi?id=168019
        <rdar://problem/28718990>

        Reviewed by Joseph Pecoraro.

        It's useful to have an symbolic value (not a string) for each of the supported platform values.
        Generate this once per protocol for the Objective-C bindings. Covered by existing tests.

        * inspector/scripts/codegen/generate_objc_header.py:
        (ObjCHeaderGenerator.generate_output):
        (ObjCHeaderGenerator._generate_enum_for_platforms):
        Create an NS_ENUM for Platform values in Platforms.

        * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
        (ObjCProtocolTypeConversionsHeaderGenerator.generate_output):
        (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_conversion_for_platforms):
        Add type conversion/parsing methods for the newly added enum.

        * inspector/scripts/codegen/generator.py:
        (Generator.stylized_name_for_enum_value):
        (Generator.stylized_name_for_enum_value.replaceCallback):
        Support arbitrary special-cased substrings in enums, not just all-caps. Add 'IOS' and 'MacOS'.

        * inspector/scripts/codegen/models.py:
        (Platforms):
        Use lower-case string values for platform names, to avoid guesswork.

        (Platforms.__metaclass__):
        (Platforms.__metaclass__.__iter__):
        Make it possible to iterate over Platform instances of Platforms.

        * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/domain-availability.json-result:
        * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/generic/expected/enum-values.json-result:
        * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
        * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
        * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
        Rebaseline results.

2017-02-09  Filip Pizlo  <fpizlo@apple.com>

        SharedArrayBuffer does not need to be in the transfer list
        https://bugs.webkit.org/show_bug.cgi?id=168079

        Reviewed by Geoffrey Garen and Keith Miller.
        
        Exposes a simple shareWith() API for when you know you want to share the contents of
        a shared buffer. Also a useful explicit operator bool.

        * runtime/ArrayBuffer.cpp:
        (JSC::ArrayBuffer::shareWith):
        * runtime/ArrayBuffer.h:
        (JSC::ArrayBufferContents::operator bool):

2017-02-09  Mark Lam  <mark.lam@apple.com>

        B3::Procedure::deleteOrphans() should neutralize upsilons with dead phis.
        https://bugs.webkit.org/show_bug.cgi?id=167437
        <rdar://problem/30198083>

        Reviewed by Filip Pizlo.

        * b3/B3Procedure.cpp:
        (JSC::B3::Procedure::deleteOrphans):

2017-02-09  Saam Barati  <sbarati@apple.com>

        Sloppy mode: We don't properly hoist functions names "arguments" when we have a non-simple parameter list
        https://bugs.webkit.org/show_bug.cgi?id=167319
        <rdar://problem/30149432>

        Reviewed by Mark Lam.

        When hoisting a function inside sloppy mode, we were assuming all "var"s are inside
        what we call the "var" SymbolTableEntry. This was almost true, execpt for "arguments",
        which has sufficiently weird behavior. "arguments" can be visible to the default
        parameter expressions inside a function, therefore can't go inside the "var"
        SymbolTableEntry since the parameter SymbolTableEntry comes before the "var"
        SymbolTableEntry in the scope chain.  Therefore, if we hoist a function named
        "arguments", then we must also look for that variable inside the parameter scope
        stack entry.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::hoistSloppyModeFunctionIfNecessary):

2017-02-09  Mark Lam  <mark.lam@apple.com>

        Fix max length check in ArrayPrototype.js' concatSlowPath().
        https://bugs.webkit.org/show_bug.cgi?id=167270
        <rdar://problem/30128133>

        Reviewed by Filip Pizlo.

        1. Fixed concatSlowPath() to ensure that the result array length does not exceed
           @MAX_ARRAY_INDEX.  The old code was checking against @MAX_SAFE_INTEGER in some
           cases, but this is overly permissive.

        2. Changed concatSlowPath() to throw a RangeError instead of a TypeError to be
           consistent with the C++ runtime functions in JSArray.cpp.

        3. Changed the RangeError message in concatSlowPath() and JSArray.cpp to "Length
           exceeded the maximum array length" when the error is that the result length
           exceeds MAX_ARRAY_INDEX.  We do this for 2 reasons:
           a. "Length exceeded the maximum array length" is more informative than
              "Invalid array length".
           b. We want to use the same string consistently for the same error.

           There are still 2 places in JSArray.cpp that still throws a RangeError with
           message "Invalid array length".  In those cases, the error is not necessarily
           due to the result length exceeding MAX_ARRAY_INDEX, but is due to attempting to
           set a length value that is not an integer that fits in MAX_ARRAY_INDEX e.g.
           an attempt to set a fractional length value.  Hence, "Invalid array length" is
           appropriate for those cases.

        4. Fixed JSArray::appendMemcpy() to handle overflows when computing the result
           array length.

        * builtins/ArrayPrototype.js:
        (concatSlowPath):
        * bytecode/BytecodeIntrinsicRegistry.cpp:
        (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::concatAppendOne):
        (JSC::arrayProtoPrivateFuncAppendMemcpy):
        * runtime/JSArray.cpp:
        (JSC::JSArray::appendMemcpy):
        (JSC::JSArray::push):

2017-02-09  Mark Lam  <mark.lam@apple.com>

        Constructed object's global object should be the global object of the constructor.
        https://bugs.webkit.org/show_bug.cgi?id=167121
        <rdar://problem/30054759>

        Reviewed by Filip Pizlo and Geoffrey Garen.

        The realm (i.e. globalObject) of any object should be the same as the constructor
        that instantiated the object.  Changed PrototypeMap::createEmptyStructure() to
        be passed the correct globalObject to use instead of assuming it's the same one
        as the prototype object.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecode/InternalFunctionAllocationProfile.h:
        (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):
        * bytecode/ObjectAllocationProfile.h:
        (JSC::ObjectAllocationProfile::initialize):
        * runtime/FunctionRareData.cpp:
        (JSC::FunctionRareData::initializeObjectAllocationProfile):
        * runtime/FunctionRareData.h:
        (JSC::FunctionRareData::createInternalFunctionAllocationStructureFromBase):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::createSubclassStructure):
        * runtime/IteratorOperations.cpp:
        (JSC::createIteratorResultObjectStructure):
        * runtime/JSBoundFunction.cpp:
        (JSC::getBoundFunctionStructure):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::allocateAndInitializeRareData):
        (JSC::JSFunction::initializeRareData):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::setTarget):
        * runtime/ObjectConstructor.h:
        (JSC::constructEmptyObject):
        * runtime/PrototypeMap.cpp:
        (JSC::PrototypeMap::createEmptyStructure):
        (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
        (JSC::PrototypeMap::emptyObjectStructureForPrototype):
        (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype):
        * runtime/PrototypeMap.h:

2017-02-09  Keith Miller  <keith_miller@apple.com>

        We should not allow Function.caller to be used on native functions
        https://bugs.webkit.org/show_bug.cgi?id=165628

        Reviewed by Mark Lam.

        Also remove unneeded dynamic cast.

        * runtime/JSFunction.cpp:
        (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
        (JSC::JSFunction::callerGetter):

2017-02-08  Keith Miller  <keith_miller@apple.com>

        [JSC] op_in should have ArrayProfile
        https://bugs.webkit.org/show_bug.cgi?id=164581

        Reviewed by Filip Pizlo.

        This patch adds an ArrayProfile to the op_in bytecode. In the
        DFG, if we see that we the key is an int32 we will convert the In
        DFG node to a HasIndexedProperty node instead.

        This patch also flips the two arguments of op_in and the In node
        to reflect the other property lookup bytecodes.

        * bytecode/BytecodeList.json:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::finishCreation):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitIn):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitIn): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::InNode::emitBytecode):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::convertToHasIndexedProperty):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasArrayMode):
        (JSC::DFG::Node::hasInternalMethodType):
        (JSC::DFG::Node::internalMethodType):
        (JSC::DFG::Node::setInternalMethodType):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileIn):
        (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * llint/LowLevelInterpreter.asm:
        * parser/Nodes.h:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::opIn):

2017-02-08  Saam Barati  <sbarati@apple.com>

        Air IRC might spill a terminal that produces a value after the terminal
        https://bugs.webkit.org/show_bug.cgi?id=167919
        <rdar://problem/29754721>

        Reviewed by Filip Pizlo.

        IRC may spill a value-producing terminal (a patchpoint can be a value-producing terminal).
        It used to do this by placing the spill *after* the terminal. This produces an invalid
        graph because no instructions are allowed after the terminal.
        
        I fixed this bug by having a cleanup pass over the IR after IRC is done.
        The pass detects this problem, and fixes it by moving the spill into the
        successors. However, it is careful to detect when the edge to the
        successor is a critical edge. If the value-producing patchpoint is
        the only predecessor of the successor, it just moves the spill
        code to the beginning of the successor. Otherwise, it's a critical
        edge and it breaks it by adding a block that does the spilling then
        jumps to the successor.

        * b3/air/AirInsertionSet.cpp:
        * b3/air/AirInsertionSet.h:
        (JSC::B3::Air::InsertionSet::insertInsts):
        * b3/air/AirIteratedRegisterCoalescing.cpp:
        * b3/testb3.cpp:
        (JSC::B3::testTerminalPatchpointThatNeedsToBeSpilled):
        (JSC::B3::testTerminalPatchpointThatNeedsToBeSpilled2):
        (JSC::B3::run):

2017-02-07  Mark Lam  <mark.lam@apple.com>

        SigillCrashAnalyzer::analyze() should use a do-while loop instead of a lambda.
        https://bugs.webkit.org/show_bug.cgi?id=167950

        Reviewed by Michael Saboff.

        Lambdas aren't free (apparently, the compiler isn't able to detect that the
        lambda does not escape and can be inlined completely).  So, use a do-while loop
        instead since we don't really need a lambda here.

        * tools/SigillCrashAnalyzer.cpp:

2017-02-05  Mark Lam  <mark.lam@apple.com>

        The SigillCrashAnalyzer should play nicer with client code that may install its own SIGILL handler.
        https://bugs.webkit.org/show_bug.cgi?id=167858

        Reviewed by Michael Saboff.

        Here are the scenarios that may come up:

        1. Client code did not install a SIGILL handler.
           - In this case, once we're done analyzing the SIGILL, we can just restore the
             default handler and return to let the OS do the default action i.e. capture
             a core dump.

        2. Client code installed a SIGILL handler before JSC does.
           - In this case, we will see a non-null handler returned as the old signal
             handler when we install ours.
           - In our signal handler, after doing our crash analysis, we should invoke the
             client handler to let it do its work.
           - Our analyzer can also tell us if the SIGILL source is from JSC code in
             general (right now, this would just mean JIT code).
           - If the SIGILL source is not from JSC, we'll just let the client handler
             decided how to proceed.  We assume that the client handler will do the right
             thing (which is how the old behavior is before the SigillCrashAnalyzer was
             introduced).
           - If the SIGILL source is from JSC, then we know the SIGILL is an unrecoverable
             condition.  Hence, after we have given the client handler a chance to run,
             we should restore the default handler and let the OS capture a core dump.
             This intentionally overrides whatever signal settings the client handler may
             have set.

        3. Client code installed a SIGILL handler after JSC does.
           - In this case, we are dependent on the client handler to call our handler
             after it does its work.  This is compatible with the old behavior before
             SigillCrashAnalyzer was introduced.
           - In our signal handler, if we determine that the SIGILL source is from JSC
             code, then the SIGILL is not recoverable.  We should then restore the
             default handler and get a core dump.
           - If the SIGILL source is not from JSC, we check to see if there's a client
             handler installed after us.
           - If we detect a client handler installed after us, we defer judgement on what
             to do to the client handler.  Since the client handler did not uninstall
             itself, it must have considered itself to have recovered from the SIGILL.
             We'll trust the client handler and take no restore action of our own (which
             is compatible with old code behavior).
           - If we detect no client handler and we have no previous handler, then we
             should restore the default handler and get a core dump.

        * tools/SigillCrashAnalyzer.cpp:
        (JSC::handleCrash):
        (JSC::installCrashHandler):
        (JSC::SigillCrashAnalyzer::analyze): Deleted.

2017-02-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, manual roll out of r211777
        https://bugs.webkit.org/show_bug.cgi?id=167457

        * jsc.cpp:
        (GlobalObject::moduleLoaderImportModule):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncImportModule):

2017-02-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        Web Inspector: allow import() inside the inspector
        https://bugs.webkit.org/show_bug.cgi?id=167457

        Reviewed by Ryosuke Niwa.

        We relax import module hook to accept null SourceOrigin.
        Such a script can be evaluated from the inspector console.

        * jsc.cpp:
        (GlobalObject::moduleLoaderImportModule):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncImportModule):

2017-02-06  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Do not use RunLoop when dispatching inspector GC event
        https://bugs.webkit.org/show_bug.cgi?id=167683
        <rdar://problem/30167791>

        Reviewed by Brian Burg.

        Move the RunLoop deferred implementation to WebCore. It is not needed
        for JSContext inspection, and in JSContext inspection we are not
        guarenteed a RunLoop to defer to.

        * inspector/agents/InspectorHeapAgent.h:
        * inspector/agents/InspectorHeapAgent.cpp:
        (Inspector::InspectorHeapAgent::InspectorHeapAgent):
        (Inspector::InspectorHeapAgent::~InspectorHeapAgent):
        (Inspector::InspectorHeapAgent::disable):
        (Inspector::InspectorHeapAgent::didGarbageCollect):
        (Inspector::SendGarbageCollectionEventsTask::SendGarbageCollectionEventsTask): Deleted.
        (Inspector::SendGarbageCollectionEventsTask::addGarbageCollection): Deleted.
        (Inspector::SendGarbageCollectionEventsTask::reset): Deleted.
        (Inspector::SendGarbageCollectionEventsTask::timerFired): Deleted.

        (Inspector::InspectorHeapAgent::dispatchGarbageCollectedEvent):
        Make a virtual method so that WebCore implementations of this agent can choose
        to dispatch this event asynchronously.

        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        Remove unnecessary RunLoop include.

2017-02-06  Joseph Pecoraro  <pecoraro@apple.com>

        Static Analyzer: JSContext.mm: Incorrect decrement of the reference count of an object
        https://bugs.webkit.org/show_bug.cgi?id=167848

        Reviewed by Saam Barati.

        Source/JavaScriptCore/API/JSContext.mm:87:5: warning: Incorrect decrement of the reference count of an object that is not owned at this point by the caller
            [self.exceptionHandler release];
            ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        1 warning generated.

        * API/JSContext.mm:
        (-[JSContext dealloc]):
        Use the ivar in dealloc instead of going through the getter.

2017-02-05  Mark Lam  <mark.lam@apple.com>

        The VMInspector should use an RAII Locker.
        https://bugs.webkit.org/show_bug.cgi?id=167854

        Reviewed by Saam Barati.

        Previously, VMInspector::lock() was returning an expected LockToken, and there's
        no way to unlock it when we're done with it.  This was not a problem before
        because the VMInspector had only one client, the SigillCrashAnalyzer, that
        expected the process to crash due to a SIGILL shortly thereafter.

        However, the VMInspector is useful as a debugging tool that we can apply in other
        debugging tasks.  Fixing VMInspector::lock() to return an RAII locker will enable
        other use cases.  Plus it's just bad form to be able to lock something and never
        be able to unlock it.

        * tools/SigillCrashAnalyzer.cpp:
        (JSC::SigillCrashAnalyzer::analyze):
        * tools/VMInspector.cpp:
        * tools/VMInspector.h:

2017-02-04  Joseph Pecoraro  <pecoraro@apple.com>

        Static Analyzer: Value stored to 'recordedMachineThreads' during its initialization is never read
        https://bugs.webkit.org/show_bug.cgi?id=167845

        Reviewed by Saam Barati.

        Source/JavaScriptCore/heap/MachineStackMarker.cpp:151:14: warning: Value stored to 'recordedMachineThreads' during its initialization is never read
                auto recordedMachineThreads = m_set.take(machineThreads);
                     ^~~~~~~~~~~~~~~~~~~~~~   ~~~~~~~~~~~~~~~~~~~~~~~~~~

        * heap/MachineStackMarker.cpp:
        (JSC::ActiveMachineThreadsManager::remove):

2017-02-04  Joseph Pecoraro  <pecoraro@apple.com>

        Static Analyzer: Value stored to 'prev' is never read
        https://bugs.webkit.org/show_bug.cgi?id=167844

        Reviewed by Saam Barati.

        Source/JavaScriptCore/runtime/JSMapIterator.h:60:13: warning: Value stored to 'prev' is never read
                    prev = bucket;
                    ^      ~~~~~~
        Source/JavaScriptCore/runtime/JSSetIterator.h:60:13: warning: Value stored to 'prev' is never read
                    prev = bucket;
                    ^      ~~~~~~

        * runtime/JSMapIterator.h:
        (JSC::JSMapIterator::advanceIter):
        * runtime/JSSetIterator.h:
        (JSC::JSSetIterator::advanceIter):

2017-02-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Add operationToInt32SensibleSlow to optimize kraken pbkdf2 and sha256
        https://bugs.webkit.org/show_bug.cgi?id=167736

        Reviewed by Saam Barati.

        Add a new function operationToInt32SensibleSlow. This function is only
        called after x86 cvttss2si_rr is failed. This means that the
        given double number never in range of int32 truncatable numbers.

        As a result, exp in operationToInt32 always becomes >= 31. So
        we can change the condition from `exp < 32` to `exp == 31`.
        This makes missingOne constant. And it leads significantly good
        code generation.

        The original operationToInt32 code.

            170:   66 48 0f 7e c1          movq   %xmm0,%rcx
            175:   31 c0                   xor    %eax,%eax
            177:   66 48 0f 7e c6          movq   %xmm0,%rsi
            17c:   48 c1 f9 34             sar    $0x34,%rcx
            180:   81 e1 ff 07 00 00       and    $0x7ff,%ecx
            186:   8d 91 01 fc ff ff       lea    -0x3ff(%rcx),%edx
            18c:   83 fa 53                cmp    $0x53,%edx
            18f:   77 37                   ja     1c8 <_ZN3JSC16operationToInt32Ed+0x58>
            191:   83 fa 34                cmp    $0x34,%edx
            194:   7f 3a                   jg     1d0 <_ZN3JSC16operationToInt32Ed+0x60>
            196:   b9 34 00 00 00          mov    $0x34,%ecx
            19b:   66 48 0f 7e c7          movq   %xmm0,%rdi
            1a0:   29 d1                   sub    %edx,%ecx
            1a2:   48 d3 ff                sar    %cl,%rdi
            1a5:   83 fa 1f                cmp    $0x1f,%edx
            1a8:   89 f8                   mov    %edi,%eax
            1aa:   7f 12                   jg     1be <_ZN3JSC16operationToInt32Ed+0x4e>
            1ac:   89 d1                   mov    %edx,%ecx
            1ae:   b8 01 00 00 00          mov    $0x1,%eax
            1b3:   d3 e0                   shl    %cl,%eax
            1b5:   89 c2                   mov    %eax,%edx
            1b7:   8d 40 ff                lea    -0x1(%rax),%eax
            1ba:   21 f8                   and    %edi,%eax
            1bc:   01 d0                   add    %edx,%eax
            1be:   89 c2                   mov    %eax,%edx
            1c0:   f7 da                   neg    %edx
            1c2:   48 85 f6                test   %rsi,%rsi
            1c5:   0f 48 c2                cmovs  %edx,%eax
            1c8:   f3 c3                   repz retq
            1ca:   66 0f 1f 44 00 00       nopw   0x0(%rax,%rax,1)
            1d0:   66 48 0f 7e c0          movq   %xmm0,%rax
            1d5:   81 e9 33 04 00 00       sub    $0x433,%ecx
            1db:   48 d3 e0                shl    %cl,%rax
            1de:   eb de                   jmp    1be <_ZN3JSC16operationToInt32Ed+0x4e>

        The operationToInt32SensibleSlow code.

            1e0:   66 48 0f 7e c1          movq   %xmm0,%rcx
            1e5:   66 48 0f 7e c2          movq   %xmm0,%rdx
            1ea:   48 c1 f9 34             sar    $0x34,%rcx
            1ee:   81 e1 ff 07 00 00       and    $0x7ff,%ecx
            1f4:   8d b1 01 fc ff ff       lea    -0x3ff(%rcx),%esi
            1fa:   83 fe 34                cmp    $0x34,%esi
            1fd:   7e 21                   jle    220 <_ZN3JSC28operationToInt32SensibleSlowEd+0x40>
            1ff:   66 48 0f 7e c0          movq   %xmm0,%rax
            204:   81 e9 33 04 00 00       sub    $0x433,%ecx
            20a:   48 d3 e0                shl    %cl,%rax
            20d:   89 c1                   mov    %eax,%ecx
            20f:   f7 d9                   neg    %ecx
            211:   48 85 d2                test   %rdx,%rdx
            214:   0f 48 c1                cmovs  %ecx,%eax
            217:   c3                      retq
            218:   0f 1f 84 00 00 00 00    nopl   0x0(%rax,%rax,1)
            21f:   00
            220:   66 48 0f 7e c0          movq   %xmm0,%rax
            225:   b9 34 00 00 00          mov    $0x34,%ecx
            22a:   29 f1                   sub    %esi,%ecx
            22c:   48 d3 f8                sar    %cl,%rax
            22f:   89 c1                   mov    %eax,%ecx
            231:   81 c9 00 00 00 80       or     $0x80000000,%ecx
            237:   83 fe 1f                cmp    $0x1f,%esi
            23a:   0f 44 c1                cmove  %ecx,%eax
            23d:   89 c1                   mov    %eax,%ecx
            23f:   f7 d9                   neg    %ecx
            241:   48 85 d2                test   %rdx,%rdx
            244:   0f 48 c1                cmovs  %ecx,%eax
            247:   c3                      retq
            248:   0f 1f 84 00 00 00 00    nopl   0x0(%rax,%rax,1)
            24f:   00

        This improves kraken pbkdf2 by 10.8% and sha256 by 7.5%.

                                                       baseline                  patched

            stanford-crypto-pbkdf2                 153.195+-2.745      ^     138.204+-2.513         ^ definitely 1.1085x faster
            stanford-crypto-sha256-iterative        49.047+-1.038      ^      45.610+-1.235         ^ definitely 1.0754x faster

            <arithmetic>                           101.121+-1.379      ^      91.907+-1.500         ^ definitely 1.1003x faster

        * assembler/CPU.h:
        (JSC::hasSensibleDoubleToInt):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::doubleToInt32):
        (JSC::FTL::DFG::LowerDFGToB3::sensibleDoubleToInt32):
        * ftl/FTLOutput.cpp:
        (JSC::FTL::Output::hasSensibleDoubleToInt): Deleted.
        * ftl/FTLOutput.h:
        * runtime/MathCommon.cpp:
        (JSC::operationToInt32SensibleSlow):
        * runtime/MathCommon.h:

2017-02-03  Joseph Pecoraro  <pecoraro@apple.com>

        Unreviewed rollout of r211486, r211629.

        Original change is not ideal and is causing issues.

        * inspector/agents/InspectorHeapAgent.cpp:
        (Inspector::SendGarbageCollectionEventsTask::SendGarbageCollectionEventsTask):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):

2017-02-03  JF Bastien  <jfbastien@apple.com>

        OSR entry: delay outer-loop compilation when at inner-loop
        https://bugs.webkit.org/show_bug.cgi?id=167149

        Reviewed by Filip Pizlo.

        r211224 and r211461 were reverted because they caused massive
        kraken/ai-astar regressions. This patch instead does the
        minimally-disruptive change to fix the original bug as described
        below, but omits extra tuning and refactoring which I had
        before. I'll commit tuning and refactoring separately, if this
        sticks. This patch is therefore very minimal, and layers carefully
        on top of the complex spaghetti-logic. The only change it makes is
        that it uses triggers to indicate to outer loops that they should
        compile, which fixes the immediate bug and seems roughly perf
        neutral (maybe a small gain on kraken sometimes, other times a
        small regression as would be expected from slightly compiling
        later). As opposed to r211461 this patch doesn't unconditionally
        unset the trigger because it prevents further DFG executions from
        entering. It therefore makes the trigger a tri-state enum class:
        don't trigger, compilation done, start compilation. Only "start
        compilation" gets reset to "don't trigger". "Compilation done"
        does not (unless there's a problem compiling, then it gets set
        back to "don't trigger").

        As of https://bugs.webkit.org/show_bug.cgi?id=155217 OSR
        compilation can be kicked off for an entry into an outer-loop,
        while executing an inner-loop. This is desirable because often the
        codegen from an inner-entry isn't as good as the codegen from an
        outer-entry, but execution from an inner-loop is often pretty hot
        and likely to kick off compilation. This approach provided nice
        speedups on Kraken because we'd select to enter to the outer-loop
        very reliably, which reduces variability (the inner-loop was
        selected roughly 1/5 times from my unscientific measurements).

        When compilation starts we take a snapshot of the JSValues at the
        current execution state using OSR's recovery mechanism. These
        values are passed to the compiler and are used as way to perform
        type profiling, and could be used to observe cell types as well as
        to perform predictions such as through constant propagation.

        It's therefore desired to enter from the outer-loop when we can,
        but we need to be executing from that location to capture the
        right JSValues, otherwise we're confusing the compiler and giving
        it inaccurate JSValues which can lead it to predict the wrong
        things, leading to suboptimal code or recompilation due to
        misprediction, or in super-corner-cases a crash.

        DFG tier-up was added here:
        https://bugs.webkit.org/show_bug.cgi?id=112838

        * dfg/DFGJITCode.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::JITCompiler):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
        (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::ToFTLForOSREntryDeferredCompilationCallback):
        (JSC::DFG::Ref<ToFTLForOSREntryDeferredCompilationCallback>ToFTLForOSREntryDeferredCompilationCallback::create):
        (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
        (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
        * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h:

2017-02-03  Saam Barati  <sbarati@apple.com>

        When OSR entering to the baseline JIT from the LLInt for a ProgramCodeBlock we can skip compiling a lot of the program
        https://bugs.webkit.org/show_bug.cgi?id=167725
        <rdar://problem/30339082>

        Reviewed by Michael Saboff.

        We often want to baseline compile ProgramCode once we hit a loop in the LLInt.
        However, some programs execute a non-trivial amount of code before the loop.
        This code can never be executed again because ProgramCodeBlocks never run more
        than once. We're wasting time and memory by compiling code that is unreachable
        from the OSR entry destination. This patch fixes this by only compiling code
        that is reachable from the OSR entry destination.

        This is a speedup on Kraken/ai-astar for devices with limited CPUs (I've been
        testing on devices with 2 CPUs). On ai-astar, we were spending 50-100ms compiling
        a huge ProgramCodeBlock in the baseline JIT where the majority of the code
        would never execute. If this compilation was kicked off on the main thread,
        then we'd be stalled for a long time. If it were started on the baseline JITs
        background compilation thread, we'd still waste 50-100ms in that thread, causing
        all other baseline compilations to happen on the main thread.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::executeProgram):
        * interpreter/Interpreter.h:
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        (JSC::JIT::compile):
        * jit/JITWorklist.cpp:
        (JSC::JITWorklist::Plan::Plan):
        (JSC::JITWorklist::Plan::compileNow):
        (JSC::JITWorklist::compileLater):
        (JSC::JITWorklist::compileNow):
        * jit/JITWorklist.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Completion.cpp:
        (JSC::evaluate):

2017-02-03  Csaba Osztrogonác  <ossy@webkit.org>

        Unreviewed typo fix after r211630.

        * CMakeLists.txt:

2017-02-03  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GTK] Add initial implementation of resource usage overlay
        https://bugs.webkit.org/show_bug.cgi?id=167731

        Reviewed by Michael Catanzaro.

        Also expose nextFireTime() for GTK+ port.

        * heap/GCActivityCallback.cpp:
        (JSC::GCActivityCallback::scheduleTimer):
        (JSC::GCActivityCallback::cancelTimer):
        * heap/GCActivityCallback.h:

2017-02-03  Csaba Osztrogonác  <ossy@webkit.org>

        [cmake] Unreviewed AArch64 buildfix after r211603.
        https://bugs.webkit.org/show_bug.cgi?id=167714

        * CMakeLists.txt:

2017-02-02  Andreas Kling  <akling@apple.com>

        [Mac] In-process memory pressure monitor for WebContent processes AKA websam
        <https://webkit.org/b/167491>
        <rdar://problem/30116072>

        Reviewed by Antti Koivisto.

        Remove the sloppy "max live heap size" mechanism from JSC in favor of the new
        WebCore-side memory footprint monitor.

        * heap/Heap.cpp:
        (JSC::Heap::updateAllocationLimits):
        (JSC::Heap::didExceedMaxLiveSize): Deleted.
        * heap/Heap.h:
        (JSC::Heap::setMaxLiveSize): Deleted.

2017-02-02  Mark Lam  <mark.lam@apple.com>

        Add a SIGILL crash analyzer to make debugging SIGILLs easier.
        https://bugs.webkit.org/show_bug.cgi?id=167714
        <rdar://problem/30318237>

        Not reviewed.

        Build fix for CLOOP build.

        * tools/VMInspector.cpp:

2017-02-02  Mark Lam  <mark.lam@apple.com>

        Add a SIGILL crash analyzer to make debugging SIGILLs easier.
        https://bugs.webkit.org/show_bug.cgi?id=167714
        <rdar://problem/30318237>

        Reviewed by Filip Pizlo.

        The current implementation is only for X86_64 and ARM64 on OS(DARWIN).  The
        analyzer is not enabled for all other ports.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * API/JSVirtualMachine.mm:
        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::illegalInstruction):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::illegalInstruction):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::illegalInstruction):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::illegalInstruction):
        * heap/Heap.cpp:
        (JSC::Heap::forEachCodeBlockIgnoringJITPlansImpl):
        * heap/Heap.h:
        * heap/HeapInlines.h:
        (JSC::Heap::forEachCodeBlockIgnoringJITPlans):
        * runtime/Options.cpp:
        (JSC::Options::isAvailable):
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:
        * tools/SigillCrashAnalyzer.cpp: Added.
        (JSC::SignalContext::SignalContext):
        (JSC::SignalContext::dump):
        (JSC::handleCrash):
        (JSC::initializeCrashHandler):
        (JSC::ensureSigillCrashAnalyzer):
        (JSC::SigillCrashAnalyzer::analyze):
        (JSC::SigillCrashAnalyzer::dumpCodeBlock):
        * tools/SigillCrashAnalyzer.h: Added.
        * tools/VMInspector.cpp: Added.
        (JSC::VMInspector::instance):
        (JSC::VMInspector::add):
        (JSC::VMInspector::remove):
        (JSC::ensureIsSafeToLock):
        * tools/VMInspector.h: Added.
        (JSC::VMInspector::iterate):

2017-02-02  Chris Dumez  <cdumez@apple.com>

        {}.toString.call(crossOriginWindow) should return "[object Object]"
        https://bugs.webkit.org/show_bug.cgi?id=167701
        <rdar://problem/30330797>

        Reviewed by Keith Miller.

        Have JSProxy forward toStringName calls to its target so Window
        can override it.

        * runtime/JSProxy.cpp:
        (JSC::JSProxy::toStringName):
        * runtime/JSProxy.h:

2017-02-02  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r211571 and r211582.
        https://bugs.webkit.org/show_bug.cgi?id=167751

        This change caused API test WebKit1.MemoryPressureHandler to
        fail with an assertion. (Requested by ryanhaddad on #webkit).

        Reverted changesets:

        "[Mac] In-process memory pressure monitor for WebContent
        processes."
        https://bugs.webkit.org/show_bug.cgi?id=167491
        http://trac.webkit.org/changeset/211571

        "Unreviewed attempt to fix the Windows build after r211571."
        http://trac.webkit.org/changeset/211582

2017-02-02  Andreas Kling  <akling@apple.com>

        [Mac] In-process memory pressure monitor for WebContent processes.
        <https://webkit.org/b/167491>
        <rdar://problem/30116072>

        Reviewed by Antti Koivisto.

        Remove the sloppy "max live heap size" mechanism from JSC in favor of the new
        WebCore-side memory footprint monitor.

        * heap/Heap.cpp:
        (JSC::Heap::updateAllocationLimits):
        (JSC::Heap::didExceedMaxLiveSize): Deleted.
        * heap/Heap.h:
        (JSC::Heap::setMaxLiveSize): Deleted.

2017-02-02  Joseph Pecoraro  <pecoraro@apple.com>

        Removed unused m_errorHandlingModeReentry from Interpreter
        https://bugs.webkit.org/show_bug.cgi?id=167726

        Reviewed by Yusuke Suzuki.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::Interpreter):
        * interpreter/Interpreter.h:

2017-02-01  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r211461.
        https://bugs.webkit.org/show_bug.cgi?id=167721

        Big regression on kraken (Requested by jfbastien on #webkit).

        Reverted changeset:

        "OSR entry: delay outer-loop compilation when at inner-loop"
        https://bugs.webkit.org/show_bug.cgi?id=167149
        http://trac.webkit.org/changeset/211461

2017-02-01  Keith Miller  <keith_miller@apple.com>

        Unreviewed, fix unintended change.

        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::StackFrame::displayName):

2017-02-01  Keith Miller  <keith_miller@apple.com>

        The sampling profile should have an option to sample from C frames.
        https://bugs.webkit.org/show_bug.cgi?id=167614

        Reviewed by Saam Barati.

        We should be able to use the sampling profiler, at least
        internally, to trace C calls.  This patch only modifies the JSC
        shell although it would be nice to add it to the Web Inspector in
        a future patch.

        * runtime/Options.h:
        * runtime/SamplingProfiler.cpp:
        (JSC::FrameWalker::FrameWalker):
        (JSC::FrameWalker::walk):
        (JSC::FrameWalker::recordJSFrame):
        (JSC::CFrameWalker::CFrameWalker):
        (JSC::CFrameWalker::walk):
        (JSC::CFrameWalker::isCFrame):
        (JSC::CFrameWalker::advanceToParentFrame):
        (JSC::CFrameWalker::frame):
        (JSC::SamplingProfiler::takeSample):
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        (JSC::SamplingProfiler::StackFrame::displayName):
        * runtime/SamplingProfiler.h:
        (JSC::SamplingProfiler::UnprocessedStackFrame::UnprocessedStackFrame):

2017-02-01  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Use guaranteed RunLoop instead of RunLoop::current for dispatching inspector GC event
        https://bugs.webkit.org/show_bug.cgi?id=167683
        <rdar://problem/30167791>

        Reviewed by Timothy Hatcher.

        * inspector/agents/InspectorHeapAgent.cpp:
        (Inspector::SendGarbageCollectionEventsTask::SendGarbageCollectionEventsTask):
        Use RunLoop::main instead of RunLoop::current which may go away.

        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        Ensure RunLoop::main is initialized when using JSC APIs.

2017-02-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        ArityFixup should adjust SP first
        https://bugs.webkit.org/show_bug.cgi?id=167239

        Reviewed by Michael Saboff.

        Arity fixup extends the stack and copy/fill the stack with
        the values. At that time, we accidentally read/write stack
        space below the stack pointer. As a result, we touch the area
        of the stack space below the x64 red zone. These areas are unsafe.
        OS may corrupt this space when constructing a signal stack.
        The Linux kernel could not populate the pages for this space
        and causes segmentation fault. This patch changes the stack
        pointer before performing the arity fixup.

        * jit/ThunkGenerators.cpp:
        (JSC::arityFixupGenerator):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2017-01-31  Filip Pizlo  <fpizlo@apple.com>

        Make verifyEdge a RELEASE_ASSERT
        <rdar://problem/30296879>

        Rubber stamped by Saam Barati.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2017-01-31  JF Bastien  <jfbastien@apple.com>

        OSR entry: delay outer-loop compilation when at inner-loop
        https://bugs.webkit.org/show_bug.cgi?id=167149

        Reviewed by Filip Pizlo.

        r211224 was reverted because it caused a massive kraken/ai-astar
        regression. This patch instead does the minimally-disruptive
        change to fix the original bug as described below, but omits extra
        tuning and refactoring which I had before. I'll commit tuning and
        refactoring separately, if this sticks. This patch is therefore
        very minimal, and layers carefully on top of the complex
        spaghetti-logic. The only change it makes is that it uses triggers
        to indicate to outer loops that they should compile, which fixes
        the immediate bug and seems roughly perf neutral (maybe a small
        gain on kraken sometimes, other times a small regression as would
        be expected from compiling later).

        As of https://bugs.webkit.org/show_bug.cgi?id=155217 OSR
        compilation can be kicked off for an entry into an outer-loop,
        while executing an inner-loop. This is desirable because often the
        codegen from an inner-entry isn't as good as the codegen from an
        outer-entry, but execution from an inner-loop is often pretty hot
        and likely to kick off compilation. This approach provided nice
        speedups on Kraken because we'd select to enter to the outer-loop
        very reliably, which reduces variability (the inner-loop was
        selected roughly 1/5 times from my unscientific measurements).

        When compilation starts we take a snapshot of the JSValues at the
        current execution state using OSR's recovery mechanism. These
        values are passed to the compiler and are used as way to perform
        type profiling, and could be used to observe cell types as well as
        to perform predictions such as through constant propagation.

        It's therefore desired to enter from the outer-loop when we can,
        but we need to be executing from that location to capture the
        right JSValues, otherwise we're confusing the compiler and giving
        it inaccurate JSValues which can lead it to predict the wrong
        things, leading to suboptimal code or recompilation due to
        misprediction, or in super-corner-cases a crash.

        These effects are pretty hard to measure: Fil points out that
        marsalis-osr-entry really needs mustHandleValues (the JSValues
        from the point of execution) because right now it just happens to
        correctly guess int32. I tried removing mustHandleValues entirely
        and saw no slowdowns, but our benchmarks probably aren't
        sufficient to reliably find issues, sometimes because we happen to
        have sufficient mitigations.

        DFG tier-up was added here:
        https://bugs.webkit.org/show_bug.cgi?id=112838

        * dfg/DFGOperations.cpp:

2017-01-31  Filip Pizlo  <fpizlo@apple.com>

        The mutator should be able to perform increments of GC work
        https://bugs.webkit.org/show_bug.cgi?id=167528

        Reviewed by Keith Miller and Geoffrey Garen.

        The cool thing about having a concurrent and parallel collector is that it's easy to also make
        it incremental, because the load balancer can also hand over work to anyone (including the
        mutator) and since the collector is running concurrently anyway, the mutator can usually rely
        on the balancer having some spare work.

        This change adds a classic work-based incremental mode to the GC. When you allocate K bytes,
        you have to do Options::gcIncrementScale() * K "bytes" of draining. This is ammortized so that
        it only happens in allocation slow paths.

        On computers that have a lot of CPUs, this mode is not profitable and we set gcIncrementScale
        to zero. On such computers, Riptide was already performing great because there was no way that
        one mutator thread could outpace many GC threads. But on computers with fewer CPUs, there were
        problems having to do with making the collector progress quickly enough so that the heap
        doesn't grow too much. The stochastic scheduler actually made things worse, because it relies
        a lot on the fact that the GC will simply be faster than the mutator anyway. The old scheduler
        claimed to address the problem of GC pace, but it used a time-based scheduler, which is not as
        precise at keeping pase as the new work-based incremental mode.

        In theory, the work-based mode guarantees a bound on how much the heap can grow during a
        collection just because each byte allocated means some number of bytes visited. We don't try
        to create such a theoretical bound. We're just trying to give the collector an unfair advantage
        in any race with the mutator.

        Turning on incremental mode, the stochastic scheduler, and passive draining in combination with
        each other is a huge splay-latency speed-up on my iPad. It's also a CDjs progression. It does
        regress splay-throughput, but I think that's fine (the regression is 11%, the progression is
        3x).

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::~Heap):
        (JSC::Heap::markToFixpoint):
        (JSC::Heap::updateObjectCounts):
        (JSC::Heap::endMarking):
        (JSC::Heap::finalize):
        (JSC::Heap::didAllocate):
        (JSC::Heap::visitCount):
        (JSC::Heap::bytesVisited):
        (JSC::Heap::forEachSlotVisitor):
        (JSC::Heap::performIncrement):
        (JSC::Heap::threadVisitCount): Deleted.
        (JSC::Heap::threadBytesVisited): Deleted.
        * heap/Heap.h:
        * heap/MarkStack.cpp:
        (JSC::MarkStackArray::transferTo):
        * heap/MarkStack.h:
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::didStartMarking):
        (JSC::SlotVisitor::clearMarkStacks):
        (JSC::SlotVisitor::appendToMarkStack):
        (JSC::SlotVisitor::noteLiveAuxiliaryCell):
        (JSC::SlotVisitor::donateKnownParallel):
        (JSC::SlotVisitor::drain):
        (JSC::SlotVisitor::performIncrementOfDraining):
        (JSC::SlotVisitor::didReachTermination):
        (JSC::SlotVisitor::hasWork):
        (JSC::SlotVisitor::drainFromShared):
        (JSC::SlotVisitor::drainInParallelPassively):
        (JSC::SlotVisitor::donateAll):
        (JSC::SlotVisitor::correspondingGlobalStack):
        * heap/SlotVisitor.h:
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::reportExtraMemoryVisited):
        (JSC::SlotVisitor::forEachMarkStack):
        * heap/SpaceTimeMutatorScheduler.cpp:
        (JSC::SpaceTimeMutatorScheduler::log):
        * heap/StochasticSpaceTimeMutatorScheduler.cpp:
        (JSC::StochasticSpaceTimeMutatorScheduler::log):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionHeapCapacity):
        * runtime/Options.cpp:
        (JSC::overrideDefaults):
        * runtime/Options.h:

2017-01-31  Tomas Popela  <tpopela@redhat.com>

        Compilation error in JSArrayBufferView.h
        https://bugs.webkit.org/show_bug.cgi?id=167642

        Reviewed by Alex Christensen.

        * runtime/JSArrayBufferView.h:
        (JSC::JSArrayBufferView::vector):

2017-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Do not reject WebAssembly.compile() with Exception
        https://bugs.webkit.org/show_bug.cgi?id=167585

        Reviewed by Mark Lam.

        We accidentally reject the promise with Exception instead of Exception::value()
        for the result of WebAssembly::compile().

        * wasm/JSWebAssembly.cpp:
        (JSC::webAssemblyCompileFunc):

2017-01-30  Joseph Pecoraro  <pecoraro@apple.com>

        Implement PerformanceObserver
        https://bugs.webkit.org/show_bug.cgi?id=167546
        <rdar://problem/30247959>

        Reviewed by Ryosuke Niwa.

        * runtime/CommonIdentifiers.h:

2017-01-30  Matt Baker  <mattbaker@apple.com>

        Web Inspector: Need some limit on Async Call Stacks for async loops (rAF loops)
        https://bugs.webkit.org/show_bug.cgi?id=165633
        <rdar://problem/29738502>

        Reviewed by Joseph Pecoraro.

        This patch limits the memory used by the Inspector backend to store async
        stack trace data.

        Asynchronous stack traces are stored as a disjoint set of parent pointer
        trees. Tree nodes represent asynchronous operations, and hold a copy of
        the stack trace at the time the operation was scheduled. Each tree can
        be regarded as a set of stack traces, stored as singly linked lists that
        share part of their structure (specifically their tails). Traces belonging
        to the same tree will at least share a common root. A stack trace begins
        at a leaf node and follows the chain of parent pointers to the root of
        of the tree. Leaf nodes always contain pending asynchronous calls.

        When an asynchronous operation is scheduled with requestAnimationFrame,
        setInterval, etc, a node is created containing the current call stack and
        some bookkeeping data for the operation. An unique identifier comprised
        of an operation type and callback identifier is mapped to the node. If
        scheduling the callback was itself the result of an asynchronous call,
        the node becomes a child of the node associated with that call, otherwise
        it becomes the root of a new tree.

        A node is either `pending`, `active`, `dispatched`, or `canceled`. Nodes
        start out as pending. After a callback for a pending node is dispatched
        the node is marked as such, unless it is a repeating callback such as
        setInterval, in which case it remains pending. Once a node is no longer
        pending it is removed, as long as it has no children. Since nodes are
        reference counted, it is a property of the stack trace tree that nodes
        that are no longer pending and have no children pointing to them will be
        automatically pruned from the tree.

        If an async operation is canceled (e.g. cancelTimeout), the associated
        node is marked as such. If the callback is not being dispatched at the
        time, and has no children, it is removed.

        Because async operations can be chained indefinitely, stack traces are
        limited to a maximum depth. The depth of a stack trace is equal to the
        sum of the depths of its nodes, with a node's depth equal to the number
        of frames in its associated call stack. For any stack trace,

            S = { s𝟶, s𝟷, …, s𝑘 }, with endpoints s𝟶, s𝑘
            depth(S) = depth(s𝟶) + depth(s𝟷) + … + depth(s𝑘)

        A stack trace is truncated when it exceeds the maximum depth. Truncation
        occurs on node boundaries, not call frames, consequently the maximum depth
        is more of a target than a guarantee:

            d = maximum stack trace depth
            for all S, depth(S) ≤ d + depth(s𝑘)

        Because nodes can belong to multiple stack traces, it may be necessary
        to clone the tail of a stack trace being truncated to prevent other traces
        from being effected.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * inspector/AsyncStackTrace.cpp: Added.
        (Inspector::AsyncStackTrace::create):
        (Inspector::AsyncStackTrace::AsyncStackTrace):
        (Inspector::AsyncStackTrace::~AsyncStackTrace):
        (Inspector::AsyncStackTrace::isPending):
        (Inspector::AsyncStackTrace::isLocked):
        (Inspector::AsyncStackTrace::willDispatchAsyncCall):
        (Inspector::AsyncStackTrace::didDispatchAsyncCall):
        (Inspector::AsyncStackTrace::didCancelAsyncCall):
        (Inspector::AsyncStackTrace::buildInspectorObject):
        (Inspector::AsyncStackTrace::truncate):
        (Inspector::AsyncStackTrace::remove):
        * inspector/AsyncStackTrace.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::didScheduleAsyncCall):
        (Inspector::InspectorDebuggerAgent::didCancelAsyncCall):
        (Inspector::InspectorDebuggerAgent::willDispatchAsyncCall):
        (Inspector::InspectorDebuggerAgent::didDispatchAsyncCall):
        (Inspector::InspectorDebuggerAgent::didPause):
        (Inspector::InspectorDebuggerAgent::clearAsyncStackTraceData):
        (Inspector::InspectorDebuggerAgent::buildAsyncStackTrace): Deleted.
        (Inspector::InspectorDebuggerAgent::refAsyncCallData): Deleted.
        (Inspector::InspectorDebuggerAgent::derefAsyncCallData): Deleted.
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/protocol/Console.json:

2017-01-30  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r211345.

        The LayoutTest for this change is failing an assertion.

        Reverted changeset:

        "Web Inspector: Need some limit on Async Call Stacks for async
        loops (rAF loops)"
        https://bugs.webkit.org/show_bug.cgi?id=165633
        http://trac.webkit.org/changeset/211345

2017-01-28  Matt Baker  <mattbaker@apple.com>

        Web Inspector: Need some limit on Async Call Stacks for async loops (rAF loops)
        https://bugs.webkit.org/show_bug.cgi?id=165633
        <rdar://problem/29738502>

        Reviewed by Joseph Pecoraro.

        This patch limits the memory used by the Inspector backend to store async
        stack trace data.

        Asynchronous stack traces are stored as a disjoint set of parent pointer
        trees. Tree nodes represent asynchronous operations, and hold a copy of
        the stack trace at the time the operation was scheduled. Each tree can
        be regarded as a set of stack traces, stored as singly linked lists that
        share part of their structure (specifically their tails). Traces belonging
        to the same tree will at least share a common root. A stack trace begins
        at a leaf node and follows the chain of parent pointers to the root of
        of the tree. Leaf nodes always contain pending asynchronous calls.

        When an asynchronous operation is scheduled with requestAnimationFrame,
        setInterval, etc, a node is created containing the current call stack and
        some bookkeeping data for the operation. An unique identifier comprised
        of an operation type and callback identifier is mapped to the node. If
        scheduling the callback was itself the result of an asynchronous call,
        the node becomes a child of the node associated with that call, otherwise
        it becomes the root of a new tree.

        A node is either `pending`, `active`, `dispatched`, or `canceled`. Nodes
        start out as pending. After a callback for a pending node is dispatched
        the node is marked as such, unless it is a repeating callback such as
        setInterval, in which case it remains pending. Once a node is no longer
        pending it is removed, as long as it has no children. Since nodes are
        reference counted, it is a property of the stack trace tree that nodes
        that are no longer pending and have no children pointing to them will be
        automatically pruned from the tree.

        If an async operation is canceled (e.g. cancelTimeout), the associated
        node is marked as such. If the callback is not being dispatched at the
        time, and has no children, it is removed.

        Because async operations can be chained indefinitely, stack traces are
        limited to a maximum depth. The depth of a stack trace is equal to the
        sum of the depths of its nodes, with a node's depth equal to the number
        of frames in its associated call stack. For any stack trace,

            S = { s𝟶, s𝟷, …, s𝑘 }, with endpoints s𝟶, s𝑘
            depth(S) = depth(s𝟶) + depth(s𝟷) + … + depth(s𝑘)

        A stack trace is truncated when it exceeds the maximum depth. Truncation
        occurs on node boundaries, not call frames, consequently the maximum depth
        is more of a target than a guarantee:

            d = maximum stack trace depth
            for all S, depth(S) ≤ d + depth(s𝑘)

        Because nodes can belong to multiple stack traces, it may be necessary
        to clone the tail of a stack trace being truncated to prevent other traces
        from being effected.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * inspector/AsyncStackTrace.cpp: Added.
        (Inspector::AsyncStackTrace::create):
        (Inspector::AsyncStackTrace::AsyncStackTrace):
        (Inspector::AsyncStackTrace::~AsyncStackTrace):
        (Inspector::AsyncStackTrace::isPending):
        (Inspector::AsyncStackTrace::isLocked):
        (Inspector::AsyncStackTrace::willDispatchAsyncCall):
        (Inspector::AsyncStackTrace::didDispatchAsyncCall):
        (Inspector::AsyncStackTrace::didCancelAsyncCall):
        (Inspector::AsyncStackTrace::buildInspectorObject):
        (Inspector::AsyncStackTrace::truncate):
        (Inspector::AsyncStackTrace::remove):
        * inspector/AsyncStackTrace.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::didScheduleAsyncCall):
        (Inspector::InspectorDebuggerAgent::didCancelAsyncCall):
        (Inspector::InspectorDebuggerAgent::willDispatchAsyncCall):
        (Inspector::InspectorDebuggerAgent::didDispatchAsyncCall):
        (Inspector::InspectorDebuggerAgent::didPause):
        (Inspector::InspectorDebuggerAgent::clearAsyncStackTraceData):
        (Inspector::InspectorDebuggerAgent::buildAsyncStackTrace): Deleted.
        (Inspector::InspectorDebuggerAgent::refAsyncCallData): Deleted.
        (Inspector::InspectorDebuggerAgent::derefAsyncCallData): Deleted.
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/protocol/Console.json:

2017-01-28  Joseph Pecoraro  <pecoraro@apple.com>

        Remote Inspector: Listing should be updated when a target gains or loses a debugger session
        https://bugs.webkit.org/show_bug.cgi?id=167449

        Reviewed by Brian Burg.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::setupFailed):
        (Inspector::RemoteInspector::updateTargetListing):
        (Inspector::RemoteInspector::receivedSetupMessage):
        (Inspector::RemoteInspector::receivedDidCloseMessage):
        (Inspector::RemoteInspector::receivedConnectionDiedMessage):
        Whenever we add/remove a connection we should update the listing properties
        for that target that corresponded to that connection. In this way group
        updating active sessions, the target, and pushing listing together.

2017-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        Lift template escape sequence restrictions in tagged templates
        https://bugs.webkit.org/show_bug.cgi?id=166871

        Reviewed by Saam Barati.

        This patch implements stage 3 Lifting Template Literal Restriction[1].
        Prior to this patch, template literal becomes syntax error if it contains
        invalid escape sequences. But it is too restricted; Template literal
        can have cooked and raw representations and only cooked representation
        can escape sequences. So even if invalid escape sequences are included,
        the raw representation can be valid.

        Lifting Template Literal Restriction relaxes the above restriction.
        When invalid escape sequence is included, if target template literals
        are used as tagged templates, we make the result of the template including
        the invalid escape sequence `undefined` instead of making it SyntaxError
        immediately. It allows us to accept the templates including invalid
        escape sequences in the raw representations in tagged templates.

        On the other hand, the raw representation is only used in tagged templates.
        So if invalid escape sequences are included in the usual template literals,
        we just make it SyntaxError as before.

        [1]: https://github.com/tc39/proposal-template-literal-revision

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetTemplateObject):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::TemplateStringNode::emitBytecode):
        (JSC::TemplateLiteralNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createTemplateString):
        * parser/Lexer.cpp:
        (JSC::Lexer<CharacterType>::parseUnicodeEscape):
        (JSC::Lexer<T>::parseTemplateLiteral):
        (JSC::Lexer<T>::lex):
        (JSC::Lexer<T>::scanTemplateString):
        (JSC::Lexer<T>::scanTrailingTemplateString): Deleted.
        * parser/Lexer.h:
        * parser/NodeConstructors.h:
        (JSC::TemplateStringNode::TemplateStringNode):
        * parser/Nodes.h:
        (JSC::TemplateStringNode::cooked):
        (JSC::TemplateStringNode::raw):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseAssignmentElement):
        (JSC::Parser<LexerType>::parseTemplateString):
        (JSC::Parser<LexerType>::parseTemplateLiteral):
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        (JSC::Parser<LexerType>::parseMemberExpression):
        * parser/ParserTokens.h:
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createTemplateString):
        * runtime/TemplateRegistry.cpp:
        (JSC::TemplateRegistry::getTemplateObject):
        * runtime/TemplateRegistryKey.h:
        (JSC::TemplateRegistryKey::cookedStrings):
        (JSC::TemplateRegistryKey::create):
        (JSC::TemplateRegistryKey::TemplateRegistryKey):
        * runtime/TemplateRegistryKeyTable.cpp:
        (JSC::TemplateRegistryKeyTable::createKey):
        * runtime/TemplateRegistryKeyTable.h:

2017-01-27  Saam Barati  <sbarati@apple.com>

        Make the CLI for the sampling profiler better for inlined call site indices
        https://bugs.webkit.org/show_bug.cgi?id=167482

        Reviewed by Mark Lam.

        This patches changes the command line interface for the sampling
        profiler to also dump the machine frame that the semantic code
        origin is in if the semantic code origin is inlined. This helps
        when doing performance work because it's helpful to know the
        context that an inlined frame is in. Before, we used to just
        say it was in the baseline JIT if it didn't have its own optimized
        compile. Now, we can tell that its inlined into a DFG or FTL frame.

        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        (Inspector::buildSamples):
        * runtime/Options.h:
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        (JSC::SamplingProfiler::reportTopFunctions):
        (JSC::SamplingProfiler::reportTopBytecodes):
        * runtime/SamplingProfiler.h:
        (JSC::SamplingProfiler::StackFrame::CodeLocation::hasCodeBlockHash):
        (JSC::SamplingProfiler::StackFrame::CodeLocation::hasBytecodeIndex):
        (JSC::SamplingProfiler::StackFrame::CodeLocation::hasExpressionInfo):
        (JSC::SamplingProfiler::StackFrame::hasExpressionInfo):
        (JSC::SamplingProfiler::StackFrame::lineNumber):
        (JSC::SamplingProfiler::StackFrame::columnNumber):
        (JSC::SamplingProfiler::StackFrame::hasBytecodeIndex): Deleted.
        (JSC::SamplingProfiler::StackFrame::hasCodeBlockHash): Deleted.

2017-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        Extend create_hash_table to specify Intrinsic
        https://bugs.webkit.org/show_bug.cgi?id=167505

        Reviewed by Sam Weinig.

        This patch extends create_hash_table to specify Intrinsic.
        We can set Intrinsic in the static property table definition
        in runtime/XXX.h.

        And drop the adhoc code for String.fromCharCode in create_hash_table.

        * create_hash_table:
        * runtime/StringConstructor.cpp:

2017-01-27  Filip Pizlo  <fpizlo@apple.com>

        scanExternalRememberedSet needs to mergeIfNecessary
        https://bugs.webkit.org/show_bug.cgi?id=167523

        Reviewed by Keith Miller.
        
        The protocol for opaque roots is that if you add to them outside of draining, then you need to call
        mergeIfNecessary.
        
        This means that every MarkingConstraint that adds opaque roots needs to mergeIfNecessary after.
        
        scanExternalRememberedSet transitively calls addOpaqueRoot, is called from a MarkingConstraint, and
        was missing a call to mergeIfNecessary. This fixes it.

        * API/JSVirtualMachine.mm:
        (scanExternalRememberedSet):

2017-01-27  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix GTK+ debug build after r211247.

        * heap/GCAssertions.h:

2017-01-26  Keith Miller  <keith_miller@apple.com>

        classInfo should take a VM so it is not materialized from the object on each call
        https://bugs.webkit.org/show_bug.cgi?id=167424

        Rubber Stamped by Michael Saboff.

        Previously, classInfo() would get the VM from the target's
        MarkedBlock.  Most callers already have a VM on hand, so it is
        wasteful to compute the VM from the marked block every time. This
        patch refactors some of the most common callers of classInfo(),
        jsDynamicCast and inherits to take a VM as well.

        * API/JSCallbackConstructor.cpp:
        (JSC::JSCallbackConstructor::finishCreation):
        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::finishCreation):
        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::asCallbackObject):
        (JSC::JSCallbackObject<Parent>::finishCreation):
        * API/JSObjectRef.cpp:
        (JSObjectSetPrototype):
        (classInfoPrivate):
        (JSObjectGetPrivate):
        (JSObjectSetPrivate):
        (JSObjectGetPrivateProperty):
        (JSObjectSetPrivateProperty):
        (JSObjectDeletePrivateProperty):
        * API/JSTypedArray.cpp:
        (JSValueGetTypedArrayType):
        (JSObjectMakeTypedArrayWithArrayBuffer):
        (JSObjectMakeTypedArrayWithArrayBufferAndOffset):
        (JSObjectGetTypedArrayBytesPtr):
        (JSObjectGetTypedArrayLength):
        (JSObjectGetTypedArrayByteLength):
        (JSObjectGetTypedArrayByteOffset):
        (JSObjectGetTypedArrayBuffer):
        (JSObjectGetArrayBufferBytesPtr):
        (JSObjectGetArrayBufferByteLength):
        * API/JSValue.mm:
        (isDate):
        (isArray):
        (valueToObjectWithoutCopy):
        * API/JSValueRef.cpp:
        (JSValueIsArray):
        (JSValueIsDate):
        (JSValueIsObjectOfClass):
        * API/JSWeakObjectMapRefPrivate.cpp:
        * API/JSWrapperMap.mm:
        (tryUnwrapObjcObject):
        * API/ObjCCallbackFunction.h:
        * API/ObjCCallbackFunction.mm:
        (tryUnwrapConstructor):
        * bindings/ScriptFunctionCall.cpp:
        (Deprecated::ScriptFunctionCall::call):
        * bytecode/CallVariant.h:
        (JSC::CallVariant::internalFunction):
        (JSC::CallVariant::function):
        (JSC::CallVariant::isClosureCall):
        (JSC::CallVariant::executable):
        (JSC::CallVariant::functionExecutable):
        (JSC::CallVariant::nativeExecutable):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::setConstantRegisters):
        (JSC::CodeBlock::replacement):
        (JSC::CodeBlock::computeCapabilityLevel):
        (JSC::CodeBlock::nameForRegister):
        * bytecode/ObjectAllocationProfile.h:
        (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
        * bytecode/ObjectPropertyCondition.cpp:
        (JSC::ObjectPropertyCondition::attemptToMakeEquivalenceWithoutBarrier):
        * bytecode/ObjectPropertyCondition.h:
        (JSC::ObjectPropertyCondition::isValidValueForPresence):
        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::isValidValueForAttributes):
        (JSC::PropertyCondition::isValidValueForPresence):
        (JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier):
        * bytecode/PropertyCondition.h:
        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromCell):
        * debugger/Debugger.cpp:
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::functionName):
        (JSC::DebuggerCallFrame::scope):
        (JSC::DebuggerCallFrame::type):
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::name):
        (JSC::DebuggerScope::location):
        * dfg/DFGAbstractInterpreter.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::AbstractInterpreter):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::get):
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        (JSC::DFG::ByteCodeParser::planLoad):
        (JSC::DFG::ByteCodeParser::checkPresenceLike):
        (JSC::DFG::ByteCodeParser::load):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDesiredWeakReferences.cpp:
        (JSC::DFG::DesiredWeakReferences::reallyAdd):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupMakeRope):
        * dfg/DFGFrozenValue.h:
        (JSC::DFG::FrozenValue::FrozenValue):
        (JSC::DFG::FrozenValue::dynamicCast):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::tryGetConstantClosureVar):
        (JSC::DFG::Graph::tryGetFoldableView):
        (JSC::DFG::Graph::getRegExpPrototypeProperty):
        (JSC::DFG::Graph::isStringPrototypeMethodSane):
        (JSC::DFG::Graph::canOptimizeStringObjectAccess):
        * dfg/DFGLazyJSValue.cpp:
        (JSC::DFG::LazyJSValue::tryGetStringImpl):
        (JSC::DFG::LazyJSValue::tryGetString):
        * dfg/DFGLazyJSValue.h:
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::convertToPutStructureHint):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::dynamicCastConstant):
        (JSC::DFG::Node::castConstant):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        (JSC::DFG::SpeculativeJIT::compileMaterializeNewObject):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileIn):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::operationMaterializeObjectInOSR):
        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::lastChanceToFinalize):
        (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
        * heap/CodeBlockSet.h:
        * heap/GCAssertions.h:
        * heap/Heap.cpp:
        (JSC::Heap::lastChanceToFinalize):
        (JSC::Heap::protectedObjectTypeCounts):
        (JSC::Heap::objectTypeCounts):
        (JSC::Heap::deleteUnmarkedCompiledCode):
        * heap/HeapSnapshotBuilder.cpp:
        (JSC::HeapSnapshotBuilder::json):
        * heap/SlotVisitor.cpp:
        (JSC::validate):
        * inspector/InjectedScriptHost.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::reportAPIException):
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::finishCreation):
        (Inspector::JSInjectedScriptHost::isHTMLAllCollection):
        (Inspector::JSInjectedScriptHost::subtype):
        (Inspector::JSInjectedScriptHost::functionDetails):
        (Inspector::JSInjectedScriptHost::getInternalProperties):
        (Inspector::JSInjectedScriptHost::proxyTargetValue):
        (Inspector::JSInjectedScriptHost::weakMapSize):
        (Inspector::JSInjectedScriptHost::weakMapEntries):
        (Inspector::JSInjectedScriptHost::weakSetSize):
        (Inspector::JSInjectedScriptHost::weakSetEntries):
        (Inspector::JSInjectedScriptHost::iteratorEntries):
        * inspector/JSInjectedScriptHostPrototype.cpp:
        (Inspector::JSInjectedScriptHostPrototype::finishCreation):
        (Inspector::jsInjectedScriptHostPrototypeAttributeEvaluate):
        (Inspector::jsInjectedScriptHostPrototypeFunctionInternalConstructorName):
        (Inspector::jsInjectedScriptHostPrototypeFunctionIsHTMLAllCollection):
        (Inspector::jsInjectedScriptHostPrototypeFunctionProxyTargetValue):
        (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapSize):
        (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapEntries):
        (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetSize):
        (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetEntries):
        (Inspector::jsInjectedScriptHostPrototypeFunctionIteratorEntries):
        (Inspector::jsInjectedScriptHostPrototypeFunctionEvaluateWithScopeExtension):
        (Inspector::jsInjectedScriptHostPrototypeFunctionSubtype):
        (Inspector::jsInjectedScriptHostPrototypeFunctionFunctionDetails):
        (Inspector::jsInjectedScriptHostPrototypeFunctionGetInternalProperties):
        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::JSJavaScriptCallFrame::finishCreation):
        (Inspector::toJSJavaScriptCallFrame): Deleted.
        * inspector/JSJavaScriptCallFrame.h:
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
        (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluateWithScopeExtension):
        (Inspector::jsJavaScriptCallFramePrototypeFunctionScopeDescriptions):
        (Inspector::jsJavaScriptCallFrameAttributeCaller):
        (Inspector::jsJavaScriptCallFrameAttributeSourceID):
        (Inspector::jsJavaScriptCallFrameAttributeLine):
        (Inspector::jsJavaScriptCallFrameAttributeColumn):
        (Inspector::jsJavaScriptCallFrameAttributeFunctionName):
        (Inspector::jsJavaScriptCallFrameAttributeScopeChain):
        (Inspector::jsJavaScriptCallFrameAttributeThisObject):
        (Inspector::jsJavaScriptCallFrameAttributeType):
        (Inspector::jsJavaScriptCallFrameIsTailDeleted):
        * inspector/ScriptArguments.cpp:
        (Inspector::ScriptArguments::getFirstArgumentAsString):
        * inspector/agents/InspectorHeapAgent.cpp:
        (Inspector::InspectorHeapAgent::getPreview):
        * interpreter/Interpreter.cpp:
        (JSC::notifyDebuggerOfUnwinding):
        (JSC::Interpreter::unwind):
        (JSC::Interpreter::notifyDebuggerOfExceptionToBeThrown):
        (JSC::Interpreter::execute):
        * interpreter/ShadowChicken.cpp:
        (JSC::ShadowChicken::update):
   &nbs