WebAssembly JS API: add Module.sections
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2017-01-04  JF Bastien  <jfbastien@apple.com>
2
3         WebAssembly JS API: add Module.sections
4         https://bugs.webkit.org/show_bug.cgi?id=165159
5         <rdar://problem/29760326>
6
7         Reviewed by Mark Lam.
8
9         As described in: https://github.com/WebAssembly/design/blob/master/JS.md#webassemblymodulecustomsections
10
11         This was added for Emscripten, and is likely to be used soon.
12
13         * wasm/WasmFormat.h: custom sections are just name + bytes
14         * wasm/WasmModuleParser.cpp: parse them, instead of skipping over
15         * wasm/WasmModuleParser.h:
16         * wasm/js/WebAssemblyModulePrototype.cpp: construct the Array of
17         ArrayBuffer as described in the spec
18         (JSC::webAssemblyModuleProtoCustomSections):
19
20 2017-01-04  Saam Barati  <sbarati@apple.com>
21
22         We don't properly handle exceptions inside the nativeCallTrampoline macro in the LLInt
23         https://bugs.webkit.org/show_bug.cgi?id=163720
24
25         Reviewed by Mark Lam.
26
27         In the LLInt, we were incorrectly doing the exception check after the call.
28         Before the exception check, we were unwinding to our caller's
29         frame under the assumption that our caller was always a JS frame.
30         This is incorrect, however, because our caller might be a C frame.
31         One way that it can be a C frame is when C calls to JS, and JS tail
32         calls to native. This patch fixes this bug by doing unwinding from
33         the native callee's frame instead of its callers.
34
35         * llint/LowLevelInterpreter32_64.asm:
36         * llint/LowLevelInterpreter64.asm:
37
38 2017-01-03  JF Bastien  <jfbastien@apple.com>
39
40         REGRESSION (r210244): Release JSC Stress test failure: wasm.yaml/wasm/js-api/wasm-to-wasm.js.default-wasm
41         https://bugs.webkit.org/show_bug.cgi?id=166669
42         <rdar://problem/29856455>
43
44         Reviewed by Saam Barati.
45
46         Bug #165282 added wasm -> wasm calls, but caused crashes in
47         release builds because the pinned registers are also callee-saved
48         and were being clobbered. B3 didn't see itself clobbering them
49         when no memory was used, and therefore omitted a restore.
50
51         This was causing the C++ code in callWebAssemblyFunction to crash
52         because $r12 was 0, and it expected it to have its value prior to
53         the call.
54
55         * wasm/WasmB3IRGenerator.cpp:
56         (JSC::Wasm::createJSToWasmWrapper):
57
58 2017-01-03  Joseph Pecoraro  <pecoraro@apple.com>
59
60         Web Inspector: Address failures under LayoutTests/inspector/debugger/stepping
61         https://bugs.webkit.org/show_bug.cgi?id=166300
62
63         Reviewed by Brian Burg.
64
65         * debugger/Debugger.cpp:
66         (JSC::Debugger::continueProgram):
67         When continuing, clear states that would have had us pause again.
68
69         * inspector/agents/InspectorDebuggerAgent.cpp:
70         (Inspector::InspectorDebuggerAgent::didBecomeIdle):
71         When resuming after becoming idle, be sure to clear Debugger state.
72
73 2017-01-03  JF Bastien  <jfbastien@apple.com>
74
75         WebAssembly JS API: check and test in-call / out-call values
76         https://bugs.webkit.org/show_bug.cgi?id=164876
77         <rdar://problem/29844107>
78
79         Reviewed by Saam Barati.
80
81         * wasm/WasmBinding.cpp:
82         (JSC::Wasm::wasmToJs): fix the wasm -> JS call coercions for f32 /
83         f64 which the assotiated tests inadvertently tripped on: the
84         previous code wasn't correctly performing JSValue boxing for
85         "double" values. This change is slightly involved because it
86         requires two scratch registers to materialize the
87         `DoubleEncodeOffset` value. This change therefore reorganizes the
88         code to first generate traps, then handle all integers (freeing
89         all GPRs), and then all the floating-point values.
90         * wasm/js/WebAssemblyFunction.cpp:
91         (JSC::callWebAssemblyFunction): Implement the defined semantics
92         for mismatched arities when JS calls wasm:
93         https://github.com/WebAssembly/design/blob/master/JS.md#exported-function-exotic-objects
94           - i32 is 0, f32 / f64 are NaN.
95           - wasm functions which return "void" are "undefined" in JS.
96
97 2017-01-03  Per Arne Vollan  <pvollan@apple.com>
98
99         [Win] jsc.exe sometimes never exits.
100         https://bugs.webkit.org/show_bug.cgi?id=158073
101
102         Reviewed by Darin Adler.
103
104         On Windows the thread specific destructor is also called when the main thread is exiting.
105         This may lead to the main thread waiting forever for the machine thread lock when exiting,
106         if the sampling profiler thread was terminated by the system while holding the machine
107         thread lock.
108
109         * heap/MachineStackMarker.cpp:
110         (JSC::MachineThreads::removeThread):
111
112 2017-01-02  Julien Brianceau  <jbriance@cisco.com>
113
114         Remove sh4 specific code from JavaScriptCore
115         https://bugs.webkit.org/show_bug.cgi?id=166640
116
117         Reviewed by Filip Pizlo.
118
119         sh4-specific code does not compile for a while (r189884 at least).
120         As nobody seems to have interest in this architecture anymore, let's
121         remove this dead code and thus ease the burden for JSC maintainers.
122
123         * CMakeLists.txt:
124         * JavaScriptCore.xcodeproj/project.pbxproj:
125         * assembler/AbstractMacroAssembler.h:
126         (JSC::AbstractMacroAssembler::Jump::Jump):
127         (JSC::AbstractMacroAssembler::Jump::link):
128         * assembler/MacroAssembler.h:
129         * assembler/MacroAssemblerSH4.h: Removed.
130         * assembler/MaxFrameExtentForSlowPathCall.h:
131         * assembler/SH4Assembler.h: Removed.
132         * bytecode/DOMJITAccessCasePatchpointParams.cpp:
133         (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
134         * dfg/DFGSpeculativeJIT.h:
135         (JSC::DFG::SpeculativeJIT::callOperation):
136         * jit/AssemblyHelpers.h:
137         (JSC::AssemblyHelpers::debugCall):
138         * jit/CCallHelpers.h:
139         (JSC::CCallHelpers::setupArgumentsWithExecState):
140         (JSC::CCallHelpers::prepareForTailCallSlow):
141         * jit/CallFrameShuffler.cpp:
142         (JSC::CallFrameShuffler::prepareForTailCall):
143         * jit/ExecutableAllocator.h:
144         * jit/FPRInfo.h:
145         * jit/GPRInfo.h:
146         * jit/JITInlines.h:
147         (JSC::JIT::callOperation):
148         * jit/JITOpcodes32_64.cpp:
149         (JSC::JIT::privateCompileCTINativeCall):
150         * jit/JITOperations.cpp:
151         * jit/RegisterSet.cpp:
152         (JSC::RegisterSet::llintBaselineCalleeSaveRegisters):
153         (JSC::RegisterSet::dfgCalleeSaveRegisters):
154         * jit/ThunkGenerators.cpp:
155         (JSC::nativeForGenerator):
156         * llint/LLIntData.cpp:
157         (JSC::LLInt::Data::performAssertions):
158         * llint/LLIntOfflineAsmConfig.h:
159         * llint/LowLevelInterpreter.asm:
160         * llint/LowLevelInterpreter32_64.asm:
161         * offlineasm/backends.rb:
162         * offlineasm/instructions.rb:
163         * offlineasm/sh4.rb: Removed.
164         * yarr/YarrJIT.cpp:
165         (JSC::Yarr::YarrGenerator::generateEnter):
166         (JSC::Yarr::YarrGenerator::generateReturn):
167
168 2017-01-02  JF Bastien  <jfbastien@apple.com>
169
170         WebAssembly: handle and optimize wasm export → wasm import calls
171         https://bugs.webkit.org/show_bug.cgi?id=165282
172
173         Reviewed by Saam Barati.
174
175           - Add a new JSType for WebAssemblyFunction, and use it when creating its
176             structure. This will is used to quickly detect from wasm whether the import
177             call is to another wasm module, or whether it's to JS.
178           - Generate two stubs from the import stub generator: one for wasm->JS and one
179             for wasm -> wasm. This is done at Module time. Which is called will only be
180             known at Instance time, once we've received the import object. We want to
181             avoid codegen at Instance time, so having both around is great.
182           - Restore the WebAssembly global state (VM top Instance, and pinned registers)
183             after call / call_indirect, and in the JS->wasm entry stub.
184           - Pinned registers are now a global thing, not per-Memory, because the wasm ->
185             wasm stubs are generated at Module time where we don't really have enough
186             information to do the right thing (doing so would generate too much code).
187
188         * CMakeLists.txt:
189         * JavaScriptCore.xcodeproj/project.pbxproj:
190         * runtime/JSType.h: add WebAssemblyFunctionType as a JSType
191         * wasm/WasmB3IRGenerator.cpp: significantly rework how calls which
192         could be external work, and how we save / restore global state:
193         VM's top Instance, and pinned registers
194         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
195         (JSC::Wasm::getMemoryBaseAndSize):
196         (JSC::Wasm::restoreWebAssemblyGlobalState):
197         (JSC::Wasm::createJSToWasmWrapper):
198         (JSC::Wasm::parseAndCompile):
199         * wasm/WasmB3IRGenerator.h:
200         * wasm/WasmBinding.cpp:
201         (JSC::Wasm::materializeImportJSCell):
202         (JSC::Wasm::wasmToJS):
203         (JSC::Wasm::wasmToWasm): the main goal of this patch was adding this function
204         (JSC::Wasm::exitStubGenerator):
205         * wasm/WasmBinding.h:
206         * wasm/WasmFormat.h: Get rid of much of the function index space:
207         we already have all of its information elsewhere, and as-is it
208         provides no extra efficiency.
209         (JSC::Wasm::ModuleInformation::functionIndexSpaceSize):
210         (JSC::Wasm::ModuleInformation::isImportedFunctionFromFunctionIndexSpace):
211         (JSC::Wasm::ModuleInformation::signatureIndexFromFunctionIndexSpace):
212         * wasm/WasmFunctionParser.h:
213         (JSC::Wasm::FunctionParser<Context>::FunctionParser):
214         * wasm/WasmMemory.cpp: Add some logging.
215         (JSC::Wasm::Memory::dump): this was nice when debugging
216         (JSC::Wasm::Memory::makeString):
217         (JSC::Wasm::Memory::Memory):
218         (JSC::Wasm::Memory::~Memory):
219         (JSC::Wasm::Memory::grow):
220         * wasm/WasmMemory.h: don't use extra indirection, it wasn't
221         needed. Reorder some of the fields which are looked up at runtime
222         so they're more cache-friendly.
223         (JSC::Wasm::Memory::Memory):
224         (JSC::Wasm::Memory::mode):
225         (JSC::Wasm::Memory::offsetOfSize):
226         * wasm/WasmMemoryInformation.cpp: Pinned registers are now a
227         global thing for all of JSC, not a per-Memory thing
228         anymore. wasm->wasm calls are more complex otherwise: they have to
229         figure out how to bridge between the caller and callee's
230         special-snowflake pinning.
231         (JSC::Wasm::PinnedRegisterInfo::get):
232         (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
233         (JSC::Wasm::MemoryInformation::MemoryInformation):
234         * wasm/WasmMemoryInformation.h:
235         * wasm/WasmModuleParser.cpp:
236         * wasm/WasmModuleParser.h:
237         * wasm/WasmPageCount.cpp: Copied from Source/JavaScriptCore/wasm/WasmBinding.h.
238         (JSC::Wasm::PageCount::dump): nice for debugging
239         * wasm/WasmPageCount.h:
240         * wasm/WasmPlan.cpp:
241         (JSC::Wasm::Plan::parseAndValidateModule):
242         (JSC::Wasm::Plan::run):
243         * wasm/WasmPlan.h:
244         (JSC::Wasm::Plan::takeWasmExitStubs):
245         * wasm/WasmSignature.cpp:
246         (JSC::Wasm::Signature::toString):
247         (JSC::Wasm::Signature::dump):
248         * wasm/WasmSignature.h:
249         * wasm/WasmValidate.cpp:
250         (JSC::Wasm::validateFunction):
251         * wasm/WasmValidate.h:
252         * wasm/js/JSWebAssemblyInstance.h:
253         (JSC::JSWebAssemblyInstance::offsetOfTable):
254         (JSC::JSWebAssemblyInstance::offsetOfImportFunctions):
255         (JSC::JSWebAssemblyInstance::offsetOfImportFunction):
256         * wasm/js/JSWebAssemblyMemory.cpp:
257         (JSC::JSWebAssemblyMemory::create):
258         (JSC::JSWebAssemblyMemory::JSWebAssemblyMemory):
259         (JSC::JSWebAssemblyMemory::buffer):
260         (JSC::JSWebAssemblyMemory::grow):
261         * wasm/js/JSWebAssemblyMemory.h:
262         (JSC::JSWebAssemblyMemory::memory):
263         (JSC::JSWebAssemblyMemory::offsetOfMemory):
264         (JSC::JSWebAssemblyMemory::offsetOfSize):
265         * wasm/js/JSWebAssemblyModule.cpp:
266         (JSC::JSWebAssemblyModule::create):
267         (JSC::JSWebAssemblyModule::JSWebAssemblyModule):
268         * wasm/js/JSWebAssemblyModule.h:
269         (JSC::JSWebAssemblyModule::signatureIndexFromFunctionIndexSpace):
270         (JSC::JSWebAssemblyModule::functionImportCount):
271         * wasm/js/WebAssemblyFunction.cpp:
272         (JSC::callWebAssemblyFunction):
273         (JSC::WebAssemblyFunction::create):
274         (JSC::WebAssemblyFunction::createStructure):
275         (JSC::WebAssemblyFunction::WebAssemblyFunction):
276         (JSC::WebAssemblyFunction::finishCreation):
277         * wasm/js/WebAssemblyFunction.h:
278         (JSC::WebAssemblyFunction::wasmEntrypoint):
279         (JSC::WebAssemblyFunction::offsetOfInstance):
280         (JSC::WebAssemblyFunction::offsetOfWasmEntryPointCode):
281         * wasm/js/WebAssemblyInstanceConstructor.cpp:
282         (JSC::constructJSWebAssemblyInstance): always start with a dummy
283         memory, so wasm->wasm calls don't need to null-check
284         * wasm/js/WebAssemblyMemoryConstructor.cpp:
285         (JSC::constructJSWebAssemblyMemory):
286         * wasm/js/WebAssemblyModuleConstructor.cpp:
287         (JSC::WebAssemblyModuleConstructor::createModule):
288         * wasm/js/WebAssemblyModuleRecord.cpp:
289         (JSC::WebAssemblyModuleRecord::link):
290         (JSC::WebAssemblyModuleRecord::evaluate):
291         * wasm/js/WebAssemblyModuleRecord.h:
292
293 2017-01-02  Saam Barati  <sbarati@apple.com>
294
295         WebAssembly: Some loads don't take into account the offset
296         https://bugs.webkit.org/show_bug.cgi?id=166616
297         <rdar://problem/29841541>
298
299         Reviewed by Keith Miller.
300
301         * wasm/WasmB3IRGenerator.cpp:
302         (JSC::Wasm::B3IRGenerator::emitLoadOp):
303
304 2017-01-01  Jeff Miller  <jeffm@apple.com>
305
306         Update user-visible copyright strings to include 2017
307         https://bugs.webkit.org/show_bug.cgi?id=166278
308
309         Reviewed by Dan Bernstein.
310
311         * Info.plist:
312
313 2016-12-28  Saam Barati  <sbarati@apple.com>
314
315         WebAssembly: Don't allow duplicate export names
316         https://bugs.webkit.org/show_bug.cgi?id=166490
317         <rdar://problem/29815000>
318
319         Reviewed by Keith Miller.
320
321         * wasm/WasmModuleParser.cpp:
322
323 2016-12-28  Saam Barati  <sbarati@apple.com>
324
325         Unreviewed. Fix jsc.cpp build error.
326
327         * jsc.cpp:
328         (functionTestWasmModuleFunctions):
329
330 2016-12-28  Saam Barati  <sbarati@apple.com>
331
332         WebAssembly: Implement grow_memory and current_memory
333         https://bugs.webkit.org/show_bug.cgi?id=166448
334         <rdar://problem/29803676>
335
336         Reviewed by Keith Miller.
337
338         This patch implements grow_memory, current_memory, and WebAssembly.prototype.grow.
339         See relevant spec texts here:
340         
341         https://github.com/WebAssembly/design/blob/master/Semantics.md#linear-memory-accesses
342         https://github.com/WebAssembly/design/blob/master/JS.md#webassemblymemoryprototypegrow
343         
344         I also fix a couple miscellaneous bugs:
345         
346         1. Data section now understands full init_exprs. 
347         2. parseVarUint1 no longer has a bug where we allow values larger than 1 if
348         their bottom 8 bits are zero.
349         
350         Since the JS API can now grow memory, we need to make calling an import
351         and call_indirect refresh the base memory register and the size registers.
352
353         * jsc.cpp:
354         (functionTestWasmModuleFunctions):
355         * runtime/Options.h:
356         * runtime/VM.h:
357         * wasm/WasmB3IRGenerator.cpp:
358         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
359         (JSC::Wasm::reloadPinnedRegisters):
360         (JSC::Wasm::B3IRGenerator::emitReloadPinnedRegisters):
361         (JSC::Wasm::createJSToWasmWrapper):
362         (JSC::Wasm::parseAndCompile):
363         * wasm/WasmFormat.cpp:
364         (JSC::Wasm::Segment::create):
365         * wasm/WasmFormat.h:
366         (JSC::Wasm::I32InitExpr::I32InitExpr):
367         (JSC::Wasm::I32InitExpr::globalImport):
368         (JSC::Wasm::I32InitExpr::constValue):
369         (JSC::Wasm::I32InitExpr::isConst):
370         (JSC::Wasm::I32InitExpr::isGlobalImport):
371         (JSC::Wasm::I32InitExpr::globalImportIndex):
372         (JSC::Wasm::Segment::byte):
373         (JSC::Wasm::ModuleInformation::importFunctionCount):
374         (JSC::Wasm::ModuleInformation::hasMemory):
375         * wasm/WasmFunctionParser.h:
376         * wasm/WasmMemory.cpp:
377         (JSC::Wasm::Memory::Memory):
378         (JSC::Wasm::Memory::grow):
379         * wasm/WasmMemory.h:
380         (JSC::Wasm::Memory::size):
381         (JSC::Wasm::Memory::sizeInPages):
382         (JSC::Wasm::Memory::offsetOfMemory):
383         (JSC::Wasm::Memory::isValid): Deleted.
384         (JSC::Wasm::Memory::grow): Deleted.
385         * wasm/WasmModuleParser.cpp:
386         (JSC::Wasm::makeI32InitExpr):
387         * wasm/WasmModuleParser.h:
388         * wasm/WasmPageCount.h:
389         (JSC::Wasm::PageCount::bytes):
390         (JSC::Wasm::PageCount::pageCount):
391         (JSC::Wasm::PageCount::fromBytes):
392         (JSC::Wasm::PageCount::operator+):
393         * wasm/WasmParser.h:
394         (JSC::Wasm::Parser<SuccessType>::parseVarUInt1):
395         * wasm/WasmValidate.cpp:
396         * wasm/js/JSWebAssemblyInstance.h:
397         (JSC::JSWebAssemblyInstance::offsetOfMemory):
398         * wasm/js/JSWebAssemblyMemory.cpp:
399         (JSC::JSWebAssemblyMemory::~JSWebAssemblyMemory):
400         (JSC::JSWebAssemblyMemory::grow):
401         * wasm/js/JSWebAssemblyMemory.h:
402         (JSC::JSWebAssemblyMemory::offsetOfMemory):
403         * wasm/js/JSWebAssemblyModule.h:
404         (JSC::JSWebAssemblyModule::functionImportCount):
405         (JSC::JSWebAssemblyModule::jsEntrypointCalleeFromFunctionIndexSpace):
406         (JSC::JSWebAssemblyModule::wasmEntrypointCalleeFromFunctionIndexSpace):
407         (JSC::JSWebAssemblyModule::importCount): Deleted.
408         * wasm/js/WebAssemblyFunction.cpp:
409         (JSC::callWebAssemblyFunction):
410         * wasm/js/WebAssemblyInstanceConstructor.cpp:
411         (JSC::constructJSWebAssemblyInstance):
412         * wasm/js/WebAssemblyMemoryConstructor.cpp:
413         (JSC::constructJSWebAssemblyMemory):
414         * wasm/js/WebAssemblyMemoryPrototype.cpp:
415         (JSC::getMemory):
416         (JSC::webAssemblyMemoryProtoFuncBuffer):
417         (JSC::webAssemblyMemoryProtoFuncGrow):
418         * wasm/js/WebAssemblyModuleRecord.cpp:
419         (JSC::WebAssemblyModuleRecord::link):
420         (JSC::dataSegmentFail):
421         (JSC::WebAssemblyModuleRecord::evaluate):
422         * wasm/wasm.json:
423
424 2016-12-26  Yusuke Suzuki  <utatane.tea@gmail.com>
425
426         Use variadic templates in JSC Parser to clean up
427         https://bugs.webkit.org/show_bug.cgi?id=166482
428
429         Reviewed by Saam Barati.
430
431         * parser/Parser.cpp:
432         (JSC::Parser<LexerType>::logError):
433         * parser/Parser.h:
434
435 2016-12-25  Yusuke Suzuki  <utatane.tea@gmail.com>
436
437         Propagate the source origin as much as possible
438         https://bugs.webkit.org/show_bug.cgi?id=166348
439
440         Reviewed by Darin Adler.
441
442         This patch introduces CallFrame::callerSourceOrigin, SourceOrigin class
443         and SourceProvider::m_sourceOrigin. CallFrame::callerSourceOrigin returns
444         an appropriate SourceOrigin if possible. If we cannot find the appropriate
445         one, we just return null SourceOrigin.
446
447         This paves the way for implementing the module dynamic-import[1].
448         When the import operator is evaluated, it will resolve the module
449         specifier with this propagated source origin of the caller function.
450
451         To support import operator inside the dynamic code generation
452         functions (like `eval`, `new Function`, indirect call to `eval`),
453         we need to propagate the caller's source origin to the generated
454         source code.
455
456         We do not use sourceURL for that purpose. This is because we
457         would like to keep sourceURL for `eval` / `new Function` null.
458         This sourceURL will be used for the stack dump for errors with line/column
459         numbers. Dumping the caller's sourceURL with line/column numbers are
460         meaningless. So we would like to keep it null while we would like
461         to propagate SourceOrigin for dynamic imports.
462
463         [1]: https://github.com/tc39/proposal-dynamic-import
464
465         * API/JSBase.cpp:
466         (JSEvaluateScript):
467         (JSCheckScriptSyntax):
468         * API/JSObjectRef.cpp:
469         (JSObjectMakeFunction):
470         * API/JSScriptRef.cpp:
471         (OpaqueJSScript::create):
472         (OpaqueJSScript::vm):
473         (OpaqueJSScript::OpaqueJSScript):
474         (parseScript):
475         * JavaScriptCore.xcodeproj/project.pbxproj:
476         * Scripts/builtins/builtins_templates.py:
477         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
478         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
479         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
480         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
481         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
482         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
483         * builtins/BuiltinExecutables.cpp:
484         (JSC::BuiltinExecutables::BuiltinExecutables):
485         (JSC::BuiltinExecutables::createDefaultConstructor):
486         * debugger/DebuggerCallFrame.cpp:
487         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
488         * inspector/InjectedScriptManager.cpp:
489         (Inspector::InjectedScriptManager::createInjectedScript):
490         * inspector/JSInjectedScriptHost.cpp:
491         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
492         * inspector/agents/InspectorRuntimeAgent.cpp:
493         (Inspector::InspectorRuntimeAgent::parse):
494         * interpreter/CallFrame.cpp:
495         (JSC::CallFrame::callerSourceOrigin):
496         * interpreter/CallFrame.h:
497         * interpreter/Interpreter.cpp:
498         (JSC::eval):
499         * jsc.cpp:
500         (jscSource):
501         (GlobalObject::finishCreation):
502         (extractDirectoryName):
503         (currentWorkingDirectory):
504         (GlobalObject::moduleLoaderResolve):
505         (functionRunString):
506         (functionLoadString):
507         (functionCallerSourceOrigin):
508         (functionCreateBuiltin):
509         (functionCheckModuleSyntax):
510         (runInteractive):
511         * parser/SourceCode.h:
512         (JSC::makeSource):
513         * parser/SourceProvider.cpp:
514         (JSC::SourceProvider::SourceProvider):
515         * parser/SourceProvider.h:
516         (JSC::SourceProvider::sourceOrigin):
517         (JSC::StringSourceProvider::create):
518         (JSC::StringSourceProvider::StringSourceProvider):
519         (JSC::WebAssemblySourceProvider::create):
520         (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
521         * runtime/FunctionConstructor.cpp:
522         (JSC::constructFunction):
523         (JSC::constructFunctionSkippingEvalEnabledCheck):
524         * runtime/FunctionConstructor.h:
525         * runtime/JSGlobalObjectFunctions.cpp:
526         (JSC::globalFuncEval):
527         * runtime/ModuleLoaderPrototype.cpp:
528         (JSC::moduleLoaderPrototypeParseModule):
529         * runtime/ScriptExecutable.h:
530         (JSC::ScriptExecutable::sourceOrigin):
531         * runtime/SourceOrigin.h: Added.
532         (JSC::SourceOrigin::SourceOrigin):
533         (JSC::SourceOrigin::string):
534         (JSC::SourceOrigin::isNull):
535         * tools/FunctionOverrides.cpp:
536         (JSC::initializeOverrideInfo):
537
538 2016-12-24  Caio Lima  <ticaiolima@gmail.com>
539
540         [test262] Fixing mapped arguments object property test case
541         https://bugs.webkit.org/show_bug.cgi?id=159398
542
543         Reviewed by Saam Barati.
544
545         This patch changes GenericArguments' override mechanism to
546         implement corret behavior on ECMAScript test262 suite test cases of
547         mapped arguments object with non-configurable and non-writable
548         property. Also it is ensuring that arguments[i]
549         cannot be deleted when argument "i" is {configurable: false}.
550         
551         The previous implementation is against to the specification for 2 reasons:
552
553         1. Every argument in arguments object are {writable: true} by default
554            (http://www.ecma-international.org/ecma-262/7.0/index.html#sec-createunmappedargumentsobject).
555            It means that we have to stop mapping a defined property index
556            if the new property descriptor contains writable (i.e writable is
557            present) and its value is false (also check
558            https://tc39.github.io/ecma262/#sec-arguments-exotic-objects-defineownproperty-p-desc).
559            Previous implementation considers {writable: false} if writable is
560            not present.
561
562         2. When a property is overriden, "delete" operation is always returning true. However
563            delete operations should follow the specification.
564
565         We created an auxilary boolean array named m_modifiedArgumentsDescriptor
566         to store which arguments[i] descriptor was changed from its default
567         property descriptor. This modification was necessary because m_overrides
568         was responsible to keep this information at the same time
569         of keeping information about arguments mapping. The problem of this apporach was
570         that we needed to call overridesArgument(i) as soon as the ith argument's property
571         descriptor was changed and it stops the argument's mapping as sideffect, producing
572         wrong behavior.
573         To keep tracking arguments mapping status, we renamed DirectArguments::m_overrides to
574         DirectArguments::m_mappedArguments and now we it is responsible to manage if an
575         argument[i] is mapped or not.
576         With these 2 structures, now it is possible to an argument[i] have its property 
577         descriptor modified and don't stop the mapping as soon as it happens. One example
578         of that wrong behavior can be found on arguments-bizarre-behaviour-disable-enumerability
579         test case, that now is fixed by this new mechanism.
580
581         * bytecode/PolymorphicAccess.cpp:
582         (JSC::AccessCase::generateWithGuard):
583         * dfg/DFGSpeculativeJIT.cpp:
584         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
585         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
586         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
587         * ftl/FTLAbstractHeapRepository.h:
588         * ftl/FTLLowerDFGToB3.cpp:
589         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
590         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
591         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
592         * jit/JITOperations.cpp:
593         (JSC::canAccessArgumentIndexQuickly):
594         * jit/JITPropertyAccess.cpp:
595         (JSC::JIT::emitDirectArgumentsGetByVal):
596         * runtime/DirectArguments.cpp:
597         (JSC::DirectArguments::estimatedSize):
598         (JSC::DirectArguments::visitChildren):
599         (JSC::DirectArguments::overrideThings):
600         (JSC::DirectArguments::overrideThingsIfNecessary):
601         (JSC::DirectArguments::unmapArgument):
602         (JSC::DirectArguments::copyToArguments):
603         (JSC::DirectArguments::overridesSize):
604         (JSC::DirectArguments::overrideArgument): Deleted.
605         * runtime/DirectArguments.h:
606         (JSC::DirectArguments::length):
607         (JSC::DirectArguments::isMappedArgument):
608         (JSC::DirectArguments::isMappedArgumentInDFG):
609         (JSC::DirectArguments::getIndexQuickly):
610         (JSC::DirectArguments::setIndexQuickly):
611         (JSC::DirectArguments::overrodeThings):
612         (JSC::DirectArguments::initModifiedArgumentsDescriptorIfNecessary):
613         (JSC::DirectArguments::setModifiedArgumentDescriptor):
614         (JSC::DirectArguments::isModifiedArgumentDescriptor):
615         (JSC::DirectArguments::offsetOfMappedArguments):
616         (JSC::DirectArguments::offsetOfModifiedArgumentsDescriptor):
617         (JSC::DirectArguments::canAccessIndexQuickly): Deleted.
618         (JSC::DirectArguments::canAccessArgumentIndexQuicklyInDFG): Deleted.
619         (JSC::DirectArguments::offsetOfOverrides): Deleted.
620         * runtime/GenericArguments.h:
621         * runtime/GenericArgumentsInlines.h:
622         (JSC::GenericArguments<Type>::visitChildren):
623         (JSC::GenericArguments<Type>::getOwnPropertySlot):
624         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
625         (JSC::GenericArguments<Type>::getOwnPropertyNames):
626         (JSC::GenericArguments<Type>::put):
627         (JSC::GenericArguments<Type>::putByIndex):
628         (JSC::GenericArguments<Type>::deleteProperty):
629         (JSC::GenericArguments<Type>::deletePropertyByIndex):
630         (JSC::GenericArguments<Type>::defineOwnProperty):
631         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
632         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptorIfNecessary):
633         (JSC::GenericArguments<Type>::setModifiedArgumentDescriptor):
634         (JSC::GenericArguments<Type>::isModifiedArgumentDescriptor):
635         (JSC::GenericArguments<Type>::copyToArguments):
636         * runtime/ScopedArguments.cpp:
637         (JSC::ScopedArguments::visitChildren):
638         (JSC::ScopedArguments::unmapArgument):
639         (JSC::ScopedArguments::overrideArgument): Deleted.
640         * runtime/ScopedArguments.h:
641         (JSC::ScopedArguments::isMappedArgument):
642         (JSC::ScopedArguments::isMappedArgumentInDFG):
643         (JSC::ScopedArguments::getIndexQuickly):
644         (JSC::ScopedArguments::setIndexQuickly):
645         (JSC::ScopedArguments::initModifiedArgumentsDescriptorIfNecessary):
646         (JSC::ScopedArguments::setModifiedArgumentDescriptor):
647         (JSC::ScopedArguments::isModifiedArgumentDescriptor):
648         (JSC::ScopedArguments::canAccessIndexQuickly): Deleted.
649         (JSC::ScopedArguments::canAccessArgumentIndexQuicklyInDFG): Deleted.
650
651 2016-12-23  Mark Lam  <mark.lam@apple.com>
652
653         Using Option::breakOnThrow() shouldn't crash while printing a null CodeBlock.
654         https://bugs.webkit.org/show_bug.cgi?id=166466
655
656         Reviewed by Keith Miller.
657
658         * runtime/VM.cpp:
659         (JSC::VM::throwException):
660
661 2016-12-23  Mark Lam  <mark.lam@apple.com>
662
663         Enhance LLInt tracing to dump the codeBlock signature instead of just a pointer where appropriate.
664         https://bugs.webkit.org/show_bug.cgi?id=166465
665
666         Reviewed by Keith Miller.
667
668         * llint/LLIntSlowPaths.cpp:
669         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
670         (JSC::LLInt::traceFunctionPrologue):
671
672 2016-12-23  Keith Miller  <keith_miller@apple.com>
673
674         WebAssembly: trap on bad division.
675         https://bugs.webkit.org/show_bug.cgi?id=164786
676
677         Reviewed by Mark Lam.
678
679         This patch adds traps for division / modulo by zero and for
680         division by int_min / -1.
681
682         * wasm/WasmB3IRGenerator.cpp:
683         (JSC::Wasm::B3IRGenerator::emitChecksForModOrDiv):
684         * wasm/WasmExceptionType.h:
685         * wasm/WasmPlan.cpp:
686         (JSC::Wasm::Plan::run):
687         * wasm/wasm.json:
688
689 2016-12-23  Mark Lam  <mark.lam@apple.com>
690
691         Fix broken LLINT_SLOW_PATH_TRACING build.
692         https://bugs.webkit.org/show_bug.cgi?id=166463
693
694         Reviewed by Keith Miller.
695
696         * llint/LLIntExceptions.cpp:
697         (JSC::LLInt::returnToThrow):
698         (JSC::LLInt::callToThrow):
699         * runtime/CommonSlowPathsExceptions.cpp:
700         (JSC::CommonSlowPaths::interpreterThrowInCaller):
701
702 2016-12-22  Keith Miller  <keith_miller@apple.com>
703
704         WebAssembly: Make spec-tests/f32.wast.js and spec-tests/f64.wast.js pass
705         https://bugs.webkit.org/show_bug.cgi?id=166447
706
707         Reviewed by Saam Barati.
708
709         We needed to treat -0.0 < 0.0 for floating point min/max. For min,
710         the algorithm works because if a == b then a and b are not NaNs so
711         either they are the same or they are some zero. When we or a and b
712         either we get the same number back or we get -0.0. Similarly for
713         max we use an and and the sign bit gets dropped if one is 0.0 and
714         the other is -0.0, otherwise, we get the same number back.
715
716         * wasm/wasm.json:
717
718 2016-12-22  Saam Barati  <sbarati@apple.com>
719
720         WebAssembly: Make calling Wasm functions that returns or takes an i64 as a parameter an early exception
721         https://bugs.webkit.org/show_bug.cgi?id=166437
722         <rdar://problem/29793949>
723
724         Reviewed by Keith Miller.
725
726         This patch makes it so that we throw an exception before we do
727         anything else if we call a wasm function that either takes an
728         i64 as an argument or returns an i64.
729
730         * wasm/js/WebAssemblyFunction.cpp:
731         (JSC::callWebAssemblyFunction):
732         (JSC::WebAssemblyFunction::WebAssemblyFunction):
733         (JSC::WebAssemblyFunction::call): Deleted.
734         * wasm/js/WebAssemblyFunction.h:
735         (JSC::WebAssemblyFunction::signatureIndex):
736         (JSC::WebAssemblyFunction::jsEntrypoint):
737
738 2016-12-22  Keith Miller  <keith_miller@apple.com>
739
740         Add BitOr for floating points to B3
741         https://bugs.webkit.org/show_bug.cgi?id=166446
742
743         Reviewed by Saam Barati.
744
745         This patch does some slight refactoring to the ARM assembler,
746         which groups all the vector floating point instructions together.
747
748         * assembler/ARM64Assembler.h:
749         (JSC::ARM64Assembler::vand):
750         (JSC::ARM64Assembler::vorr):
751         (JSC::ARM64Assembler::vectorDataProcessingLogical):
752         (JSC::ARM64Assembler::vectorDataProcessing2Source): Deleted.
753         * assembler/MacroAssemblerARM64.h:
754         (JSC::MacroAssemblerARM64::orDouble):
755         (JSC::MacroAssemblerARM64::orFloat):
756         * assembler/MacroAssemblerX86Common.h:
757         (JSC::MacroAssemblerX86Common::orDouble):
758         (JSC::MacroAssemblerX86Common::orFloat):
759         * assembler/X86Assembler.h:
760         (JSC::X86Assembler::orps_rr):
761         * b3/B3ConstDoubleValue.cpp:
762         (JSC::B3::ConstDoubleValue::bitOrConstant):
763         (JSC::B3::ConstDoubleValue::bitXorConstant):
764         * b3/B3ConstDoubleValue.h:
765         * b3/B3ConstFloatValue.cpp:
766         (JSC::B3::ConstFloatValue::bitOrConstant):
767         (JSC::B3::ConstFloatValue::bitXorConstant):
768         * b3/B3ConstFloatValue.h:
769         * b3/B3LowerToAir.cpp:
770         (JSC::B3::Air::LowerToAir::lower):
771         * b3/B3Validate.cpp:
772         * b3/air/AirInstInlines.h:
773         (JSC::B3::Air::Inst::shouldTryAliasingDef):
774         * b3/air/AirOpcode.opcodes:
775         * b3/testb3.cpp:
776         (JSC::B3::bitOrDouble):
777         (JSC::B3::testBitOrArgDouble):
778         (JSC::B3::testBitOrArgsDouble):
779         (JSC::B3::testBitOrArgImmDouble):
780         (JSC::B3::testBitOrImmsDouble):
781         (JSC::B3::bitOrFloat):
782         (JSC::B3::testBitOrArgFloat):
783         (JSC::B3::testBitOrArgsFloat):
784         (JSC::B3::testBitOrArgImmFloat):
785         (JSC::B3::testBitOrImmsFloat):
786         (JSC::B3::testBitOrArgsFloatWithUselessDoubleConversion):
787         (JSC::B3::run):
788
789 2016-12-22  Mark Lam  <mark.lam@apple.com>
790
791         BytecodeGenerator::m_finallyDepth should be unsigned.
792         https://bugs.webkit.org/show_bug.cgi?id=166438
793
794         Reviewed by Saam Barati.
795
796         Also removed FinallyContext::m_finallyDepth because it is not used.
797
798         * bytecompiler/BytecodeGenerator.cpp:
799         (JSC::BytecodeGenerator::pushFinallyControlFlowScope):
800         (JSC::BytecodeGenerator::labelScopeDepth):
801         * bytecompiler/BytecodeGenerator.h:
802         (JSC::FinallyContext::FinallyContext):
803         (JSC::FinallyContext::finallyLabel):
804         (JSC::FinallyContext::depth): Deleted.
805
806 2016-12-22  Mark Lam  <mark.lam@apple.com>
807
808         De-duplicate finally blocks.
809         https://bugs.webkit.org/show_bug.cgi?id=160168
810
811         Reviewed by Saam Barati.
812
813         JS execution can arrive at a finally block when there are abrupt completions from
814         its try or catch block.  The abrupt completion types include Break,
815         Continue, Return, and Throw.  The non-abrupt completion type is called Normal
816         (i.e. the case of a try block falling through to the finally block).
817
818         Previously, we enable each of these paths for abrupt completion (except for Throw)
819         to run the finally block code by duplicating the finally block code at each of
820         the sites that trigger those completions.  This patch fixes the implementation so
821         that each of these abrupt completions will set a completionTypeRegister (plus a
822         completionValueRegister for CompletionType::Return) and then jump to the
823         relevant finally blocks, and continue to thread through subsequent outer finally
824         blocks until execution reaches the outermost finally block that the completion
825         type dictates.  We no longer duplicate the finally block code.
826
827         The implementation details:
828         1. We allocate a pair of registers (completionTypeRegister and completionValueRegister)
829            just before entering the outermost try-catch-finally scope.
830
831            On allocating the registers, we initialize the completionTypeRegister to
832            CompletionType::Normal, and set the completionValueRegister to the empty
833            JSValue.
834
835         2. The completionTypeRegister will hold a CompletionType value.  This is how we
836            encode the CompletionType value to be set:
837
838            a. For Normal, Return, and Throw completion types: 
839               - The completionTypeRegister is set to CompletionType::Normal,
840                 CompletionType::Return, and CompletionType::Throw respectively.
841
842            b. For Break and Continue completion types:
843               - The completionTypeRegister is set to a unique jumpID where the jumpID is
844                 computed as:
845
846                 jumpID = CompletionType::NumberOfTypes + bytecodeOffset
847
848                 The bytecodeOffset used here is the bytecodeOffset of the break or continue
849                 statement that triggered this completion.
850
851         3. Each finally block will have 2 entries:
852            a. the catch entry.
853            b. the normal entry.
854
855            The catch entry is recorded in the codeBlock's exception handler table,
856            and can only be jumped to by the VM's exception handling mechanism.
857
858            The normal entry is recorded in a FinallyContext (at bytecode generation time
859            only) and is jumped to when we want enter the finally block due any of the
860            other CompletionTypes.
861
862         4. How each completion type works?
863
864            CompletionType::Normal
865            ======================
866            We normally encounter this when falling through from a try or catch block to
867            the finally block.  
868           
869            For the try block case, since completionTypeRegister is set to Normal by default,
870            there's nothing more that needs to be done.
871
872            For the catch block case, since we entered the catch block with an exception,
873            completionTypeRegister may be set to Throw.  We'll need to set it to Normal
874            before jumping to the finally block's normal entry.
875
876            CompletionType::Break
877            =====================
878            When we emit bytecode for the BreakNode, we check if we have any FinallyContexts
879            that we need to service before jumping to the breakTarget.  If we don't, then
880            emit op_jump to the breakTarget as usual.  Otherwise:
881
882            a. we'll register a jumpID and the breakTarget with the FinallyContext for the
883               outermost finally block that we're supposed to run through.
884            b. we'll also increment the numberOfBreaksOrContinues count in each FinallyContext
885               from the innermost to the one for that outermost finally block.
886            c. emit bytecode to set the completionTypeRegister to the jumpID.
887            d. emit bytecode to jump to the normal entry of the innermost finally block.
888
889            Each finally block will take care of cascading to the next outer finally block
890            as needed (see (5) below).
891
892            CompletionType::Continue
893            ========================
894            Since continues and breaks work the same way (i.e. with a jump), we handle this
895            exactly the same way as CompletionType::Break, except that we use the
896            continueTarget instead of the breakTarget.
897
898            CompletionType::Return
899            ======================
900            When we emit bytecode for the ReturnNode, we check if we have any FinallyContexts
901            at all on the m_controlFlowScopeStack.  If we don't, then emit op_ret as usual.
902            Otherwise:
903
904            a. emit bytecode to set the completionTypeRegister to CompletionType::Return.
905            b. emit bytecode to move the return value into the completionValueRegister.
906            c. emit bytecode to jump to the normal entry of the innermost finally block.
907
908            Each finally block will take care of cascading to the next outer finally block
909            as needed (see (5) below).
910
911            CompletionType::Throw
912            ======================
913            At the catch entry a finally block, we:
914            1. emit an op_catch that stores the caught Exception object in the
915               completionValueRegister.
916            2. emit bytecode to set the completionTypeRegister to CompletionType::Throw.
917            3. Fall through or jump to the finally block's normal entry.
918
919         5. What happens in each finally block?
920            ==================================
921            For details on the finally block's catch entry, see "CompletionType::Throw" in
922            (4) above.
923
924            The finally block's normal entry will:
925            1. restore the scope of the finally block.
926            2. save the completionTypeRegister in a savedCompletionTypeRegister.
927            3. proceed to execute the body of the finally block.
928
929            At the end of the finally block, we will emit bytecode check the
930            savedCompletionTypeRegister for each completion type see emitFinallyCompletion())
931            in the following order:
932           
933            a. Check for CompletionType::Normal
934               ================================
935               If savedCompletionTypeRegister is CompletionType::Normal, jump to the
936               designated normalCompletion label.  We only need this check this finally
937               block also needs to check for Break, Continue, or Return.  If not, the
938               completion type check for CompletionType::Throw below will make this check
939               redundant.
940
941            b. Check for CompletionType::Break and Continue
942               ============================================
943               If the FinallyContext for this block has registered FinallyJumps, we'll
944               check the jumpIDs against the savedCompletionTypeRegister.  If the jumpID
945               matches, jump to the corresponding jumpTarget.
946
947               If no jumpIDs match but the FinallyContext's numberOfBreaksOrContinues is
948               greater than the number of registered FinallyJumps, then this means that
949               we have a Break or Continue that needs to be handled by an outer finally
950               block.  In that case, jump to the next outer finally block's normal entry.
951              
952            c. Check for CompletionType::Return
953               ================================
954               If this finally block is not the outermost and the savedCompletionTypeRegister
955               is set to CompletionType::Return, then jump to the next outer finally
956               block's normal entry.
957
958               Otherwise, if this finally block is the outermost and the savedCompletionTypeRegister
959               is set to CompletionType::Return, then execute op_ret and return the value
960               in the completionValueRegister.
961
962            d. CompletionType::Throw
963               =====================
964               If savedCompletionTypeRegister is CompletionType::Throw, then just re-throw the
965               Exception object in the completionValueRegister.
966
967            Detail 1: that we check the savedCompletionTypeRegister (and not the
968            completionTypeRegister).  This is because the finally block may itself contain
969            a try-finally, and this inner try-finally may have trashed the completionTypeRegister.
970            Here's an example:
971
972                try {
973                    return "r1"; // Sets completionTypeRegister to CompletionType::Return;
974                } finally {
975                    // completionTypeRegister is CompletionType::Return here.
976
977                    try {
978                        ... // do stuff.
979                    } finally {
980                        ... // do more stuff.
981                    }
982
983                    // completionTypeRegister may be anything here depending on what
984                    // was executed in the inner try-finally block above.
985
986                    // Hence, finally completion here must be based on a saved copy of the
987                    // completionTypeRegister when we entered this finally block.
988                }
989
990            Detail 2: the finally completion for CompletionType::Throw must always explicitly
991            check if the savedCompletionTypeRegister is CompletionType::Throw before throwing.
992            We cannot imply that it is so from the Throw case being last.  Here's why:
993
994                // completionTypeRegister is CompletionType::Normal here.
995                try {
996                    return "r1"; // Sets completionTypeRegister to CompletionType::Return;
997                } finally {
998                    // completionTypeRegister is CompletionType::Return here.
999
1000                    try {
1001                        ... // do stuff.  No abrupt completions.
1002                    } finally {
1003                        // completionTypeRegister is CompletionType::Return here (from the outer try-finally).
1004                        // savedCompletionTypeRegister is set to completionTypeRegister (i.e. CompletionType::Return) here.
1005
1006                        ... // do more stuff.  No abrupt completions.
1007
1008                        // Unless there's an abrupt completion since entering the outer
1009                        // finally block, the savedCompletionTypeRegister will remain set
1010                        // to CompletionType::Return.  If we don't explicitly check if the
1011                        // savedCompletionTypeRegister is CompletionType::Throw before
1012                        // throwing here, we'll end up erroneously throwing "r1".
1013                    }
1014
1015                    ...
1016                }
1017
1018         6. restoreScopeRegister()
1019        
1020            Since the needed scope objects are always stored in a local, we can restore
1021            the scope register by simply moving from that local instead of going through
1022            op_get_parent_scope.
1023
1024         7. m_controlFlowScopeStack needs to be a SegmentedVector instead of a Vector.
1025            This makes it easier to keep a pointer to the FinallyContext on that stack,
1026            and not have to worry about the vector being realloc'ed due to resizing. 
1027
1028         Performance appears to be neutral both on ES6SampleBench (run via cli) and the
1029         JSC benchmarks.
1030
1031         Relevant spec references:
1032         https://tc39.github.io/ecma262/#sec-completion-record-specification-type
1033         https://tc39.github.io/ecma262/#sec-try-statement-runtime-semantics-evaluation
1034
1035         * bytecode/HandlerInfo.h:
1036         (JSC::HandlerInfoBase::typeName):
1037         * bytecompiler/BytecodeGenerator.cpp:
1038         (JSC::BytecodeGenerator::generate):
1039         (JSC::BytecodeGenerator::BytecodeGenerator):
1040         (JSC::BytecodeGenerator::emitReturn):
1041         (JSC::BytecodeGenerator::pushFinallyControlFlowScope):
1042         (JSC::BytecodeGenerator::popFinallyControlFlowScope):
1043         (JSC::BytecodeGenerator::allocateAndEmitScope):
1044         (JSC::BytecodeGenerator::pushTry):
1045         (JSC::BytecodeGenerator::popTry):
1046         (JSC::BytecodeGenerator::emitCatch):
1047         (JSC::BytecodeGenerator::restoreScopeRegister):
1048         (JSC::BytecodeGenerator::labelScopeDepthToLexicalScopeIndex):
1049         (JSC::BytecodeGenerator::labelScopeDepth):
1050         (JSC::BytecodeGenerator::pushLocalControlFlowScope):
1051         (JSC::BytecodeGenerator::popLocalControlFlowScope):
1052         (JSC::BytecodeGenerator::emitEnumeration):
1053         (JSC::BytecodeGenerator::emitIsNumber):
1054         (JSC::BytecodeGenerator::emitYield):
1055         (JSC::BytecodeGenerator::emitDelegateYield):
1056         (JSC::BytecodeGenerator::emitJumpViaFinallyIfNeeded):
1057         (JSC::BytecodeGenerator::emitReturnViaFinallyIfNeeded):
1058         (JSC::BytecodeGenerator::emitFinallyCompletion):
1059         (JSC::BytecodeGenerator::allocateCompletionRecordRegisters):
1060         (JSC::BytecodeGenerator::releaseCompletionRecordRegisters):
1061         (JSC::BytecodeGenerator::emitJumpIf):
1062         (JSC::BytecodeGenerator::pushIteratorCloseControlFlowScope): Deleted.
1063         (JSC::BytecodeGenerator::popIteratorCloseControlFlowScope): Deleted.
1064         (JSC::BytecodeGenerator::emitComplexPopScopes): Deleted.
1065         (JSC::BytecodeGenerator::emitPopScopes): Deleted.
1066         (JSC::BytecodeGenerator::popTryAndEmitCatch): Deleted.
1067         * bytecompiler/BytecodeGenerator.h:
1068         (JSC::bytecodeOffsetToJumpID):
1069         (JSC::FinallyJump::FinallyJump):
1070         (JSC::FinallyContext::FinallyContext):
1071         (JSC::FinallyContext::outerContext):
1072         (JSC::FinallyContext::finallyLabel):
1073         (JSC::FinallyContext::depth):
1074         (JSC::FinallyContext::numberOfBreaksOrContinues):
1075         (JSC::FinallyContext::incNumberOfBreaksOrContinues):
1076         (JSC::FinallyContext::handlesReturns):
1077         (JSC::FinallyContext::setHandlesReturns):
1078         (JSC::FinallyContext::registerJump):
1079         (JSC::FinallyContext::numberOfJumps):
1080         (JSC::FinallyContext::jumps):
1081         (JSC::ControlFlowScope::ControlFlowScope):
1082         (JSC::ControlFlowScope::isLabelScope):
1083         (JSC::ControlFlowScope::isFinallyScope):
1084         (JSC::BytecodeGenerator::currentLexicalScopeIndex):
1085         (JSC::BytecodeGenerator::CompletionRecordScope::CompletionRecordScope):
1086         (JSC::BytecodeGenerator::CompletionRecordScope::~CompletionRecordScope):
1087         (JSC::BytecodeGenerator::completionTypeRegister):
1088         (JSC::BytecodeGenerator::completionValueRegister):
1089         (JSC::BytecodeGenerator::emitSetCompletionType):
1090         (JSC::BytecodeGenerator::emitSetCompletionValue):
1091         (JSC::BytecodeGenerator::isInFinallyBlock): Deleted.
1092         * bytecompiler/NodesCodegen.cpp:
1093         (JSC::ContinueNode::emitBytecode):
1094         (JSC::BreakNode::emitBytecode):
1095         (JSC::ReturnNode::emitBytecode):
1096         (JSC::TryNode::emitBytecode):
1097
1098 2016-12-22  Saam Barati  <sbarati@apple.com>
1099
1100         WebAssembly: Make the spec-tests/address.wast.js test pass
1101         https://bugs.webkit.org/show_bug.cgi?id=166429
1102         <rdar://problem/29793220>
1103
1104         Reviewed by Keith Miller.
1105
1106         Right now, provably out of bound loads/stores (given a load/store's constant
1107         offset) are not a validation error. However, we were failing to catch uint32_t
1108         overflows in release builds (we did have a debug assertion). To fix this,
1109         I now detect when uint32_t addition will overflow, and instead of emitting
1110         a normal load/store, I emit code that throws an out of bounds memory exception.
1111
1112         * wasm/WasmB3IRGenerator.cpp:
1113
1114 2016-12-22  Keith Miller  <keith_miller@apple.com>
1115
1116         WebAssembly: The validator should not allow unused stack entries at the end of a block
1117         https://bugs.webkit.org/show_bug.cgi?id=166411
1118
1119         Reviewed by Saam Barati.
1120
1121         This patch also cleans up some of the verbose mode logging.
1122
1123         * wasm/WasmB3IRGenerator.cpp:
1124         (JSC::Wasm::dumpExpressionStack):
1125         (JSC::Wasm::B3IRGenerator::dump):
1126         * wasm/WasmFunctionParser.h:
1127         * wasm/WasmValidate.cpp:
1128         (JSC::Wasm::dumpExpressionStack):
1129         (JSC::Wasm::Validate::dump):
1130
1131 2016-12-22  Saam Barati  <sbarati@apple.com>
1132
1133         WebAssembly: Make the spec-tests/start.wast.js test pass
1134         https://bugs.webkit.org/show_bug.cgi?id=166416
1135         <rdar://problem/29784532>
1136
1137         Reviewed by Yusuke Suzuki.
1138
1139         To make the test run, I had to fix two bugs:
1140         
1141         1. We weren't properly finding the start function. There was code
1142         that would try to find the start function from the list of *exported*
1143         functions. This is wrong; the start function is an index into the
1144         function index space, which is the space for *imports* and *local*
1145         functions. So the code was just wrong in this respect, and I've
1146         fixed it do the right thing. We weren't sure if this was originally
1147         allowed or not in the spec, but it has been decided that it is allowed
1148         and the spec-tests test for it: https://github.com/WebAssembly/design/issues/896
1149         
1150         2. We were emitting a breakpoint for Unreachable. Instead of crashing,
1151         this opcode needs to throw an exception when executing.
1152
1153         * wasm/WasmB3IRGenerator.cpp:
1154         * wasm/WasmExceptionType.h:
1155         * wasm/js/WebAssemblyModuleRecord.cpp:
1156         (JSC::WebAssemblyModuleRecord::link):
1157         (JSC::WebAssemblyModuleRecord::evaluate):
1158         * wasm/js/WebAssemblyModuleRecord.h:
1159
1160 2016-12-21  Keith Miller  <keith_miller@apple.com>
1161
1162         WebAssembly: Fix decode floating point constants in unreachable code
1163         https://bugs.webkit.org/show_bug.cgi?id=166400
1164
1165         Reviewed by Saam Barati.
1166
1167         We decoded these as variable length but they should be fixed length.
1168
1169         * wasm/WasmFunctionParser.h:
1170
1171 2016-12-21  Keith Miller  <keith_miller@apple.com>
1172
1173         WebAssembly: Allow br, br_if, and br_table to act as a return
1174         https://bugs.webkit.org/show_bug.cgi?id=166393
1175
1176         Reviewed by Saam Barati.
1177
1178         This patch allows br, br_if, and br_table to treat branching to
1179         the size of the control stack to act as a return. This change was
1180         made by adding a new block type to the wasm function parser,
1181         TopLevel. Adding this new block eliminates a lot of the special
1182         case code we had in the parser previously. The only special case
1183         we need is when the end opcode is parsed from the top level.  The
1184         B3 IR generator needs to automatically emit a return at that
1185         point.
1186
1187         Also, this patch adds the function number to validation errors
1188         in the function parser. The current error message is not helpful
1189         otherwise.
1190
1191         * wasm/WasmB3IRGenerator.cpp:
1192         (JSC::Wasm::B3IRGenerator::ControlData::dump):
1193         (JSC::Wasm::B3IRGenerator::addTopLevel):
1194         * wasm/WasmFunctionParser.h:
1195         * wasm/WasmPlan.cpp:
1196         (JSC::Wasm::Plan::parseAndValidateModule):
1197         (JSC::Wasm::Plan::run):
1198         * wasm/WasmValidate.cpp:
1199         (JSC::Wasm::Validate::ControlData::dump):
1200         (JSC::Wasm::Validate::Validate):
1201         (JSC::Wasm::Validate::addTopLevel):
1202         (JSC::Wasm::validateFunction):
1203
1204 2016-12-21  JF Bastien  <jfbastien@apple.com>
1205
1206         WebAssembly JS API: cleanup & pass VM around to {Compile/Runtime}Error
1207         https://bugs.webkit.org/show_bug.cgi?id=166295
1208         <rdar://problem/29762017>
1209
1210         Reviewed by Mark Lam.
1211
1212         Rename the create* functions, and pass VM around, as suggested for
1213         LinkError in #165805.
1214
1215         At the same time, use the default source appender when
1216         constructing these error types, which gives a nice map back to the
1217         original source as part of the error message. This is clearer when
1218         using the current frame, so add that as well.
1219
1220         * jit/ThunkGenerators.cpp:
1221         (JSC::throwExceptionFromWasmThunkGenerator):
1222         * wasm/js/JSWebAssemblyCompileError.cpp:
1223         (JSC::JSWebAssemblyCompileError::create):
1224         (JSC::createJSWebAssemblyCompileError):
1225         (JSC::createWebAssemblyCompileError): Deleted.
1226         * wasm/js/JSWebAssemblyCompileError.h:
1227         (JSC::JSWebAssemblyCompileError::create):
1228         * wasm/js/JSWebAssemblyRuntimeError.cpp:
1229         (JSC::JSWebAssemblyRuntimeError::create):
1230         * wasm/js/JSWebAssemblyRuntimeError.h:
1231         (JSC::JSWebAssemblyRuntimeError::create):
1232         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
1233         (JSC::constructJSWebAssemblyCompileError):
1234         * wasm/js/WebAssemblyModuleConstructor.cpp:
1235         (JSC::WebAssemblyModuleConstructor::createModule):
1236         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
1237         (JSC::constructJSWebAssemblyRuntimeError):
1238
1239 2016-12-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1240
1241         [ES6] Fix modules document in features.json
1242         https://bugs.webkit.org/show_bug.cgi?id=166313
1243
1244         Reviewed by Saam Barati.
1245
1246         * features.json:
1247
1248 2016-12-20  Taras Tsugrii  <ttsugrii@fb.com>
1249
1250         Fix undefined behavior caused by macro expansion producing 'defined'
1251         https://bugs.webkit.org/show_bug.cgi?id=166047
1252
1253         Reviewed by Darin Adler.
1254
1255         * API/JSBase.h:
1256
1257 2016-12-20  Keith Miller  <keith_miller@apple.com>
1258
1259         Add support for global
1260         https://bugs.webkit.org/show_bug.cgi?id=165171
1261
1262         Reviewed by Filip Pizlo.
1263
1264         This patch adds spport for the global property on the global object.
1265         The global property spec is in stage three and is quite simple.
1266         For reference: http://tc39.github.io/proposal-global/
1267
1268         * runtime/JSGlobalObject.cpp:
1269
1270 2016-12-20  Saam Barati  <sbarati@apple.com>
1271
1272         WebAssembly: We should compile wasm functions in parallel
1273         https://bugs.webkit.org/show_bug.cgi?id=165993
1274
1275         Reviewed by Keith Miller.
1276
1277         This patch adds a very simple parallel compiler for Wasm code.
1278         This patch speeds up compiling the Unity headless benchmark by
1279         slightly more than 4x on my MBP. To make this safe, I perform
1280         all linking on the main thread. I also had to change some code
1281         inside Wasmb3IRGenerator to be thread safe.
1282
1283         * b3/air/AirCustom.h:
1284         (JSC::B3::Air::WasmBoundsCheckCustom::generate):
1285         * b3/air/AirGenerationContext.h:
1286         * wasm/WasmB3IRGenerator.cpp:
1287         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1288         (JSC::Wasm::B3IRGenerator::emitExceptionCheck):
1289         (JSC::Wasm::createJSToWasmWrapper):
1290         (JSC::Wasm::parseAndCompile):
1291         * wasm/WasmB3IRGenerator.h:
1292         * wasm/WasmCallingConvention.h:
1293         (JSC::Wasm::CallingConvention::setupFrameInPrologue):
1294         * wasm/WasmPlan.cpp:
1295         (JSC::Wasm::Plan::parseAndValidateModule):
1296         (JSC::Wasm::Plan::run):
1297         * wasm/WasmPlan.h:
1298
1299 2016-12-20  Brent Fulgham  <bfulgham@apple.com>
1300
1301         Address some style problems found by static analysis
1302         https://bugs.webkit.org/show_bug.cgi?id=165975
1303
1304         Reviewed by Alex Christensen.
1305
1306         Correct the const-correctness of functions that are implemented using stricter
1307         const declarations.
1308
1309         * inspector/agents/InspectorDebuggerAgent.h:
1310         * inspector/agents/InspectorHeapAgent.cpp:
1311         * inspector/agents/InspectorHeapAgent.h:
1312         * inspector/agents/InspectorRuntimeAgent.h:
1313         * inspector/agents/InspectorScriptProfilerAgent.cpp:
1314         * inspector/agents/InspectorScriptProfilerAgent.h:
1315         * inspector/scripts/codegen/cpp_generator.py:
1316         (cpp_type_for_unchecked_formal_in_parameter): Update to match const declarations of
1317         implementation files.
1318         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1319         Rebaselined results for "const Ptr* const" syntax.
1320
1321 2016-12-20  JF Bastien  <jfbastien@apple.com>
1322
1323         WebAssembly: construct 32-bit encodedJSValue properly
1324         https://bugs.webkit.org/show_bug.cgi?id=166199
1325
1326         Reviewed by Mark Lam.
1327
1328         Constructing an encodedJSValue using `{ }` yields the wrong value
1329         on 32-bit platforms. WebAssembly doesn't currently target 32-bit
1330         platforms, but we may as well get it right.
1331
1332         * wasm/JSWebAssembly.cpp:
1333         (JSC::webAssemblyCompileFunc):
1334         (JSC::webAssemblyValidateFunc):
1335         * wasm/js/JSWebAssemblyHelpers.h:
1336         (JSC::toNonWrappingUint32):
1337         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
1338         (JSC::constructJSWebAssemblyCompileError):
1339         * wasm/js/WebAssemblyFunction.cpp:
1340         (JSC::callWebAssemblyFunction):
1341         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1342         (JSC::constructJSWebAssemblyInstance):
1343         * wasm/js/WebAssemblyMemoryConstructor.cpp:
1344         (JSC::constructJSWebAssemblyMemory):
1345         * wasm/js/WebAssemblyModuleConstructor.cpp:
1346         (JSC::constructJSWebAssemblyModule):
1347         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
1348         (JSC::constructJSWebAssemblyRuntimeError):
1349         * wasm/js/WebAssemblyTableConstructor.cpp:
1350         (JSC::constructJSWebAssemblyTable):
1351         * wasm/js/WebAssemblyTablePrototype.cpp:
1352         (JSC::webAssemblyTableProtoFuncLength):
1353         (JSC::webAssemblyTableProtoFuncGrow):
1354         (JSC::webAssemblyTableProtoFuncGet):
1355         (JSC::webAssemblyTableProtoFuncSet):
1356
1357 2016-12-20  Dean Jackson  <dino@apple.com>
1358
1359         Remove INDIE_UI
1360         https://bugs.webkit.org/show_bug.cgi?id=165881
1361         <rdar://problem/29672532>
1362
1363         Reviewed by Simon Fraser.
1364
1365         The Indie UI work has been discontinued.
1366
1367         * Configurations/FeatureDefines.xcconfig:
1368
1369 2016-12-20  JF Bastien  <jfbastien@apple.com>
1370
1371         WebAssembly API: implement WebAssembly.LinkError
1372         https://bugs.webkit.org/show_bug.cgi?id=165805
1373         <rdar://problem/29747874>
1374
1375         Reviewed by Mark Lam.
1376
1377         As described here: https://github.com/WebAssembly/design/pull/901
1378         Some TypeError and RangeError are now converted to WebAssembly.LinkError.
1379
1380         * CMakeLists.txt: add files
1381         * DerivedSources.make: add autoget .lut.h files
1382         * JavaScriptCore.xcodeproj/project.pbxproj: add files
1383         * builtins/BuiltinNames.h: new name LinkError
1384         * runtime/JSGlobalObject.h: auto-register LinkError using existing macro magic
1385         * wasm/JSWebAssembly.h: make the new includes available
1386         * wasm/js/JSWebAssemblyLinkError.cpp: Copied from Source/JavaScriptCore/wasm/JSWebAssemblyCompileError.cpp.
1387         (JSC::JSWebAssemblyLinkError::create):
1388         (JSC::JSWebAssemblyLinkError::JSWebAssemblyLinkError):
1389         (JSC::createWebAssemblyLinkError):
1390         * wasm/js/JSWebAssemblyLinkError.h: Copied from Source/JavaScriptCore/wasm/JSWebAssemblyCompileError.h.
1391         (JSC::JSWebAssemblyLinkError::create):
1392         * wasm/js/WebAssemblyInstanceConstructor.cpp: update as per spec change
1393         (JSC::constructJSWebAssemblyInstance):
1394         * wasm/js/WebAssemblyLinkErrorConstructor.cpp: Copied from Source/JavaScriptCore/wasm/WebAssemblyCompileErrorConstructor.cpp.
1395         (JSC::constructJSWebAssemblyLinkError):
1396         (JSC::callJSWebAssemblyLinkError):
1397         (JSC::WebAssemblyLinkErrorConstructor::create):
1398         (JSC::WebAssemblyLinkErrorConstructor::createStructure):
1399         (JSC::WebAssemblyLinkErrorConstructor::finishCreation):
1400         (JSC::WebAssemblyLinkErrorConstructor::WebAssemblyLinkErrorConstructor):
1401         (JSC::WebAssemblyLinkErrorConstructor::getConstructData):
1402         (JSC::WebAssemblyLinkErrorConstructor::getCallData):
1403         * wasm/js/WebAssemblyLinkErrorConstructor.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyCompileErrorConstructor.h.
1404         * wasm/js/WebAssemblyLinkErrorPrototype.cpp: Copied from Source/JavaScriptCore/wasm/WebAssemblyCompileErrorPrototypr.cpp.
1405         (JSC::WebAssemblyLinkErrorPrototype::create):
1406         (JSC::WebAssemblyLinkErrorPrototype::createStructure):
1407         (JSC::WebAssemblyLinkErrorPrototype::finishCreation):
1408         (JSC::WebAssemblyLinkErrorPrototype::WebAssemblyLinkErrorPrototype):
1409         * wasm/js/WebAssemblyLinkErrorPrototype.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyCompileErrorPrototypr.h.
1410         * wasm/js/WebAssemblyModuleRecord.cpp: update as per spec change
1411         (JSC::dataSegmentFail):
1412         (JSC::WebAssemblyModuleRecord::evaluate):
1413
1414 2016-12-20  JF Bastien  <jfbastien@apple.com>
1415
1416         WebAssembly: unique function signatures
1417         https://bugs.webkit.org/show_bug.cgi?id=165957
1418         <rdar://problem/29735737>
1419
1420         Reviewed by Saam Barati.
1421
1422         Signatures in a Module's Type section can be duplicated, we
1423         therefore need to unique them so that call_indirect only needs to
1424         do a single integer compare to check that a callee's Signature is
1425         the same as the Signature declared at the call site. Without
1426         uniquing we'd either trap when duplicate Signatures are used, or
1427         we'd need to do multiple comparisons. This patch makes that narrow
1428         usecase function correctly.
1429
1430         There's further complication when calling from wasm to
1431         wasm, in which case the Signatures must also match. Such
1432         cross-instance calls will be improved in bug #165282, but this
1433         patch sets the groundwork for it:
1434
1435         - Signatures are now owned by SignatureInformation which lives on
1436           VM, and is shared by all Modules.
1437         - When parsing a Module, a Signature is created for every Type
1438           entry, and then uniqued by SignatureInformation's adopt
1439           method. Duplicate Signatures are dropped and the previous
1440           SignatureIndex is returned, new Signatures are adopted and a new
1441           SignatureIndex is created.
1442         - The SignatureIndex values are monotonic. 0 is used to represent
1443           invalid indices, which trap. This can only occur through Table.
1444         - SignatureInformation is used while generating code to map a
1445           SignatureIndex back to the Signature* when return / argument
1446           information is needed. This is a simple lookup into a Vector. It
1447           isn't used at runtime.
1448         - These Signatures live forever on VM because the bookkeeping
1449           likely isn't worth it. We may want to empty things out if all
1450           Modules die, this is tracked in bug #166037.
1451         - We can further improve things by bit-packing SignatureIndex with
1452           Code*, which is tracked by bug #165511.
1453
1454         * CMakeLists.txt:
1455         * JavaScriptCore.xcodeproj/project.pbxproj:
1456         * runtime/VM.h: wasm signatures are uniqued here, but aren't accessed frequently (only during parsing) so indirection is fine
1457         * wasm/WasmB3IRGenerator.cpp: use SignatureIndex instead of Signature* when appropriate, and when still using Signature* do so with its new API
1458         (JSC::Wasm::createJSToWasmWrapper):
1459         (JSC::Wasm::parseAndCompile):
1460         * wasm/WasmBinding.cpp:
1461         (JSC::Wasm::importStubGenerator): use SignatureIndex
1462         * wasm/WasmBinding.h:
1463         * wasm/WasmCallingConvention.h:
1464         (JSC::Wasm::CallingConvention::loadArguments):
1465         * wasm/WasmFormat.cpp: drive-by move of alloc/free functions to the implementation file, allows the .h file to drop an FastMalloc.h
1466         (JSC::Wasm::Segment::create):
1467         (JSC::Wasm::Segment::destroy):
1468         (JSC::Wasm::Segment::createPtr):
1469         * wasm/WasmFormat.h: move Signature to its own file
1470         (JSC::Wasm::CallableFunction::CallableFunction):
1471         * wasm/WasmFunctionParser.h:
1472         (JSC::Wasm::FunctionParser<Context>::FunctionParser):
1473         * wasm/WasmModuleParser.cpp:
1474         * wasm/WasmModuleParser.h:
1475         (JSC::Wasm::ModuleParser::ModuleParser):
1476         * wasm/WasmParser.h:
1477         (JSC::Wasm::Parser<SuccessType>::Parser):
1478         * wasm/WasmPlan.cpp:
1479         (JSC::Wasm::Plan::parseAndValidateModule):
1480         (JSC::Wasm::Plan::run):
1481         * wasm/WasmSignature.cpp: Added.
1482         (JSC::Wasm::Signature::dump):
1483         (JSC::Wasm::Signature::hash):
1484         (JSC::Wasm::Signature::create):
1485         (JSC::Wasm::Signature::createInvalid):
1486         (JSC::Wasm::Signature::destroy):
1487         (JSC::Wasm::SignatureInformation::~SignatureInformation):
1488         (JSC::Wasm::SignatureInformation::adopt):
1489         (JSC::Wasm::SignatureInformation::get):
1490         * wasm/WasmSignature.h: Added.
1491         (JSC::Wasm::Signature::Signature):
1492         (JSC::Wasm::Signature::storage):
1493         (JSC::Wasm::Signature::allocatedSize):
1494         (JSC::Wasm::Signature::returnType):
1495         (JSC::Wasm::Signature::returnCount):
1496         (JSC::Wasm::Signature::argumentCount):
1497         (JSC::Wasm::Signature::argument):
1498         (JSC::Wasm::Signature::operator==):
1499         (JSC::Wasm::SignatureHash::empty):
1500         (JSC::Wasm::SignatureHash::deleted):
1501         (JSC::Wasm::SignatureHash::SignatureHash):
1502         (JSC::Wasm::SignatureHash::operator==):
1503         (JSC::Wasm::SignatureHash::equal):
1504         (JSC::Wasm::SignatureHash::hash):
1505         (JSC::Wasm::SignatureHash::isHashTableDeletedValue):
1506         * wasm/WasmValidate.cpp:
1507         (JSC::Wasm::validateFunction):
1508         * wasm/WasmValidate.h:
1509         * wasm/js/JSWebAssemblyInstance.cpp:
1510         (JSC::JSWebAssemblyInstance::create):
1511         * wasm/js/JSWebAssemblyModule.h:
1512         (JSC::JSWebAssemblyModule::signatureForFunctionIndexSpace):
1513         * wasm/js/JSWebAssemblyTable.cpp:
1514         (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
1515         (JSC::JSWebAssemblyTable::clearFunction):
1516         (JSC::JSWebAssemblyTable::setFunction):
1517         * wasm/js/WebAssemblyFunction.cpp:
1518         (JSC::callWebAssemblyFunction):
1519         (JSC::WebAssemblyFunction::call):
1520         (JSC::WebAssemblyFunction::create):
1521         (JSC::WebAssemblyFunction::WebAssemblyFunction):
1522         (JSC::WebAssemblyFunction::finishCreation):
1523         * wasm/js/WebAssemblyFunction.h:
1524         (JSC::WebAssemblyFunction::signatureIndex):
1525         * wasm/js/WebAssemblyModuleRecord.cpp:
1526         (JSC::WebAssemblyModuleRecord::link):
1527         (JSC::WebAssemblyModuleRecord::evaluate):
1528
1529 2016-12-20  Konstantin Tokarev  <annulen@yandex.ru>
1530
1531         Modernize for loops in JSC
1532         https://bugs.webkit.org/show_bug.cgi?id=166060
1533
1534         Reviewed by Yusuke Suzuki.
1535
1536         * API/JSCallbackObject.h:
1537         (JSC::JSCallbackObjectData::JSPrivatePropertyMap::visitChildren):
1538         * bytecode/CodeBlock.cpp:
1539         (JSC::CodeBlock::dumpBytecode):
1540         (JSC::CodeBlock::propagateTransitions):
1541         (JSC::CodeBlock::stronglyVisitStrongReferences):
1542         (JSC::CodeBlock::stronglyVisitWeakReferences):
1543         (JSC::CodeBlock::jettison):
1544         (JSC::CodeBlock::getArrayProfile):
1545         (JSC::CodeBlock::tallyFrequentExitSites):
1546         (JSC::CodeBlock::nameForRegister):
1547         * bytecompiler/BytecodeGenerator.cpp:
1548         (JSC::BytecodeGenerator::generate):
1549         (JSC::BytecodeGenerator::BytecodeGenerator):
1550         * bytecompiler/NodesCodegen.cpp:
1551         (JSC::ObjectPatternNode::bindValue):
1552         * debugger/Debugger.cpp:
1553         (JSC::Debugger::applyBreakpoints):
1554         * dfg/DFGCPSRethreadingPhase.cpp:
1555         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
1556         * dfg/DFGClobberSet.cpp:
1557         (JSC::DFG::ClobberSet::setOf):
1558         * dfg/DFGDesiredIdentifiers.cpp:
1559         (JSC::DFG::DesiredIdentifiers::reallyAdd):
1560         * dfg/DFGGraph.cpp:
1561         (JSC::DFG::Graph::visitChildren):
1562         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1563         (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
1564         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
1565         * dfg/DFGJITCompiler.cpp:
1566         (JSC::DFG::JITCompiler::link):
1567         * dfg/DFGLICMPhase.cpp:
1568         (JSC::DFG::LICMPhase::run):
1569         * dfg/DFGMaximalFlushInsertionPhase.cpp:
1570         (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
1571         * dfg/DFGPutStackSinkingPhase.cpp:
1572         * dfg/DFGSpeculativeJIT.cpp:
1573         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1574         (JSC::DFG::SpeculativeJIT::linkBranches):
1575         * dfg/DFGStructureRegistrationPhase.cpp:
1576         (JSC::DFG::StructureRegistrationPhase::run):
1577         * dfg/DFGTypeCheckHoistingPhase.cpp:
1578         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
1579         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
1580         * dfg/DFGValidate.cpp:
1581         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
1582         (JSC::DFG::VirtualRegisterAllocationPhase::run):
1583         * heap/HeapVerifier.cpp:
1584         (JSC::trimDeadObjectsFromList):
1585         (JSC::HeapVerifier::trimDeadObjects):
1586         * heap/LiveObjectList.cpp:
1587         (JSC::LiveObjectList::findObject):
1588         * heap/MarkedAllocator.cpp:
1589         (JSC::MarkedAllocator::isPagedOut):
1590         * inspector/ScriptCallStack.cpp:
1591         (Inspector::ScriptCallStack::firstNonNativeCallFrame):
1592         * jit/JIT.cpp:
1593         (JSC::JIT::link):
1594         * parser/VariableEnvironment.cpp:
1595         (JSC::VariableEnvironment::markAllVariablesAsCaptured):
1596         (JSC::VariableEnvironment::hasCapturedVariables):
1597         * runtime/FunctionHasExecutedCache.cpp:
1598         (JSC::FunctionHasExecutedCache::hasExecutedAtOffset):
1599         (JSC::FunctionHasExecutedCache::getFunctionRanges):
1600         * runtime/JSPropertyNameEnumerator.cpp:
1601         (JSC::JSPropertyNameEnumerator::visitChildren):
1602         * runtime/TypeProfiler.cpp:
1603         (JSC::TypeProfiler::findLocation):
1604         * runtime/TypeSet.cpp:
1605         (JSC::TypeSet::addTypeInformation):
1606         (JSC::TypeSet::dumpTypes):
1607         * runtime/VM.cpp:
1608         (JSC::VM::gatherConservativeRoots):
1609         * runtime/WeakMapData.cpp:
1610         (JSC::WeakMapData::DeadKeyCleaner::visitWeakReferences):
1611         (JSC::WeakMapData::DeadKeyCleaner::finalizeUnconditionally):
1612         * tools/ProfileTreeNode.h:
1613         (JSC::ProfileTreeNode::dumpInternal):
1614         * yarr/YarrInterpreter.cpp:
1615         (JSC::Yarr::ByteCompiler::emitDisjunction):
1616
1617 2016-12-20  Konstantin Tokarev  <annulen@yandex.ru>
1618
1619         __cpuid() requires <intrin.h> to be included
1620         https://bugs.webkit.org/show_bug.cgi?id=166051
1621
1622         Reviewed by Yusuke Suzuki.
1623
1624         * assembler/MacroAssemblerX86Common.h:
1625
1626 2016-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1627
1628         [ES6] Enable ES6 Modules
1629         https://bugs.webkit.org/show_bug.cgi?id=165849
1630
1631         Reviewed by Geoffrey Garen.
1632
1633         * features.json:
1634
1635 2016-12-19  Mark Lam  <mark.lam@apple.com>
1636
1637         Rolling out r209974 and r209952. They break some websites in mysterious ways. Step 2: Rollout r209952.
1638         https://bugs.webkit.org/show_bug.cgi?id=166049
1639
1640         Not reviewed.
1641
1642         * bytecode/HandlerInfo.h:
1643         (JSC::HandlerInfoBase::typeName):
1644         * bytecompiler/BytecodeGenerator.cpp:
1645         (JSC::BytecodeGenerator::generate):
1646         (JSC::BytecodeGenerator::BytecodeGenerator):
1647         (JSC::BytecodeGenerator::emitReturn):
1648         (JSC::BytecodeGenerator::pushFinallyControlFlowScope):
1649         (JSC::BytecodeGenerator::pushIteratorCloseControlFlowScope):
1650         (JSC::BytecodeGenerator::popFinallyControlFlowScope):
1651         (JSC::BytecodeGenerator::popIteratorCloseControlFlowScope):
1652         (JSC::BytecodeGenerator::emitComplexPopScopes):
1653         (JSC::BytecodeGenerator::emitPopScopes):
1654         (JSC::BytecodeGenerator::pushTry):
1655         (JSC::BytecodeGenerator::popTryAndEmitCatch):
1656         (JSC::BytecodeGenerator::labelScopeDepth):
1657         (JSC::BytecodeGenerator::pushLocalControlFlowScope):
1658         (JSC::BytecodeGenerator::popLocalControlFlowScope):
1659         (JSC::BytecodeGenerator::emitEnumeration):
1660         (JSC::BytecodeGenerator::emitYield):
1661         (JSC::BytecodeGenerator::emitDelegateYield):
1662         (JSC::BytecodeGenerator::popTry): Deleted.
1663         (JSC::BytecodeGenerator::emitCatch): Deleted.
1664         (JSC::BytecodeGenerator::restoreScopeRegister): Deleted.
1665         (JSC::BytecodeGenerator::labelScopeDepthToLexicalScopeIndex): Deleted.
1666         (JSC::BytecodeGenerator::emitIsNumber): Deleted.
1667         (JSC::BytecodeGenerator::emitJumpViaFinallyIfNeeded): Deleted.
1668         (JSC::BytecodeGenerator::emitReturnViaFinallyIfNeeded): Deleted.
1669         (JSC::BytecodeGenerator::emitFinallyCompletion): Deleted.
1670         (JSC::BytecodeGenerator::allocateFinallyRegisters): Deleted.
1671         (JSC::BytecodeGenerator::releaseFinallyRegisters): Deleted.
1672         (JSC::BytecodeGenerator::emitCompareFinallyActionAndJumpIf): Deleted.
1673         * bytecompiler/BytecodeGenerator.h:
1674         (JSC::BytecodeGenerator::isInFinallyBlock):
1675         (JSC::FinallyJump::FinallyJump): Deleted.
1676         (JSC::FinallyContext::FinallyContext): Deleted.
1677         (JSC::FinallyContext::outerContext): Deleted.
1678         (JSC::FinallyContext::finallyLabel): Deleted.
1679         (JSC::FinallyContext::depth): Deleted.
1680         (JSC::FinallyContext::numberOfBreaksOrContinues): Deleted.
1681         (JSC::FinallyContext::incNumberOfBreaksOrContinues): Deleted.
1682         (JSC::FinallyContext::handlesReturns): Deleted.
1683         (JSC::FinallyContext::setHandlesReturns): Deleted.
1684         (JSC::FinallyContext::registerJump): Deleted.
1685         (JSC::FinallyContext::numberOfJumps): Deleted.
1686         (JSC::FinallyContext::jumps): Deleted.
1687         (JSC::ControlFlowScope::ControlFlowScope): Deleted.
1688         (JSC::ControlFlowScope::isLabelScope): Deleted.
1689         (JSC::ControlFlowScope::isFinallyScope): Deleted.
1690         (JSC::BytecodeGenerator::currentLexicalScopeIndex): Deleted.
1691         (JSC::BytecodeGenerator::FinallyRegistersScope::FinallyRegistersScope): Deleted.
1692         (JSC::BytecodeGenerator::FinallyRegistersScope::~FinallyRegistersScope): Deleted.
1693         (JSC::BytecodeGenerator::finallyActionRegister): Deleted.
1694         (JSC::BytecodeGenerator::finallyReturnValueRegister): Deleted.
1695         (JSC::BytecodeGenerator::emitSetFinallyActionToNormalCompletion): Deleted.
1696         (JSC::BytecodeGenerator::emitSetFinallyActionToReturnCompletion): Deleted.
1697         (JSC::BytecodeGenerator::emitSetFinallyActionToJumpID): Deleted.
1698         (JSC::BytecodeGenerator::emitSetFinallyReturnValueRegister): Deleted.
1699         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNormalCompletion): Deleted.
1700         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotJump): Deleted.
1701         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsReturnCompletion): Deleted.
1702         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotReturnCompletion): Deleted.
1703         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotThrowCompletion): Deleted.
1704         (JSC::BytecodeGenerator::emitJumpIfCompletionTypeIsThrow): Deleted.
1705         (JSC::BytecodeGenerator::bytecodeOffsetToJumpID): Deleted.
1706         * bytecompiler/NodesCodegen.cpp:
1707         (JSC::ContinueNode::emitBytecode):
1708         (JSC::BreakNode::emitBytecode):
1709         (JSC::ReturnNode::emitBytecode):
1710         (JSC::TryNode::emitBytecode):
1711
1712 2016-12-19  Mark Lam  <mark.lam@apple.com>
1713
1714         Rolling out r209974 and r209952. They break some websites in mysterious ways. Step 1: Rollout r209974.
1715         https://bugs.webkit.org/show_bug.cgi?id=166049
1716
1717         Not reviewed.
1718
1719         * bytecompiler/BytecodeGenerator.cpp:
1720         (JSC::BytecodeGenerator::emitEnumeration):
1721         (JSC::BytecodeGenerator::emitJumpViaFinallyIfNeeded):
1722         (JSC::BytecodeGenerator::emitReturnViaFinallyIfNeeded):
1723         (JSC::BytecodeGenerator::emitFinallyCompletion):
1724         (JSC::BytecodeGenerator::allocateFinallyRegisters):
1725         (JSC::BytecodeGenerator::releaseFinallyRegisters):
1726         (JSC::BytecodeGenerator::emitCompareFinallyActionAndJumpIf):
1727         (JSC::BytecodeGenerator::allocateCompletionRecordRegisters): Deleted.
1728         (JSC::BytecodeGenerator::releaseCompletionRecordRegisters): Deleted.
1729         (JSC::BytecodeGenerator::emitJumpIfCompletionType): Deleted.
1730         * bytecompiler/BytecodeGenerator.h:
1731         (JSC::FinallyJump::FinallyJump):
1732         (JSC::FinallyContext::registerJump):
1733         (JSC::BytecodeGenerator::FinallyRegistersScope::FinallyRegistersScope):
1734         (JSC::BytecodeGenerator::FinallyRegistersScope::~FinallyRegistersScope):
1735         (JSC::BytecodeGenerator::finallyActionRegister):
1736         (JSC::BytecodeGenerator::finallyReturnValueRegister):
1737         (JSC::BytecodeGenerator::emitSetFinallyActionToNormalCompletion):
1738         (JSC::BytecodeGenerator::emitSetFinallyActionToReturnCompletion):
1739         (JSC::BytecodeGenerator::emitSetFinallyActionToJumpID):
1740         (JSC::BytecodeGenerator::emitSetFinallyReturnValueRegister):
1741         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNormalCompletion):
1742         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotJump):
1743         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsReturnCompletion):
1744         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotReturnCompletion):
1745         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotThrowCompletion):
1746         (JSC::BytecodeGenerator::emitJumpIfCompletionTypeIsThrow):
1747         (JSC::BytecodeGenerator::bytecodeOffsetToJumpID):
1748         (JSC::bytecodeOffsetToJumpID): Deleted.
1749         (JSC::BytecodeGenerator::CompletionRecordScope::CompletionRecordScope): Deleted.
1750         (JSC::BytecodeGenerator::CompletionRecordScope::~CompletionRecordScope): Deleted.
1751         (JSC::BytecodeGenerator::completionTypeRegister): Deleted.
1752         (JSC::BytecodeGenerator::completionValueRegister): Deleted.
1753         (JSC::BytecodeGenerator::emitSetCompletionType): Deleted.
1754         (JSC::BytecodeGenerator::emitSetCompletionValue): Deleted.
1755         * bytecompiler/NodesCodegen.cpp:
1756         (JSC::TryNode::emitBytecode):
1757
1758 2016-12-19  Joseph Pecoraro  <pecoraro@apple.com>
1759
1760         Web Inspector: Assertion seen in InspectorDebuggerAgent::refAsyncCallData with Inspector open
1761         https://bugs.webkit.org/show_bug.cgi?id=166034
1762         <rdar://problem/29554366>
1763
1764         Reviewed by Brian Burg.
1765
1766         * inspector/agents/InspectorDebuggerAgent.cpp:
1767         (Inspector::InspectorDebuggerAgent::refAsyncCallData):
1768         Remove assertion. This assert can happen if the currently executing callback
1769         was just explicitly cancelled by script. Existing code already handles if
1770         no async data was found for the given identifier.
1771
1772 2016-12-18  Saam Barati  <sbarati@apple.com>
1773
1774         WebAssembly: Implement the WebAssembly.compile and WebAssembly.validate
1775         https://bugs.webkit.org/show_bug.cgi?id=165936
1776
1777         Reviewed by Mark Lam.
1778
1779         The APIs are documented here:
1780         - https://github.com/WebAssembly/design/blob/master/JS.md#webassemblycompile
1781         - https://github.com/WebAssembly/design/blob/master/JS.md#webassemblyvalidate
1782
1783         * wasm/JSWebAssembly.cpp:
1784         (JSC::webAssemblyCompileFunc):
1785         (JSC::webAssemblyValidateFunc):
1786         (JSC::JSWebAssembly::finishCreation):
1787         * wasm/WasmPlan.cpp:
1788         (JSC::Wasm::Plan::parseAndValidateModule):
1789         (JSC::Wasm::Plan::run):
1790         * wasm/WasmPlan.h:
1791         * wasm/js/JSWebAssemblyHelpers.h:
1792         (JSC::getWasmBufferFromValue):
1793         * wasm/js/WebAssemblyModuleConstructor.cpp:
1794         (JSC::constructJSWebAssemblyModule):
1795         (JSC::callJSWebAssemblyModule):
1796         (JSC::WebAssemblyModuleConstructor::createModule):
1797         * wasm/js/WebAssemblyModuleConstructor.h:
1798
1799 2016-12-18  Mark Lam  <mark.lam@apple.com>
1800
1801         Rename finallyActionRegister to completionTypeRegister and only store int JSValues in it.
1802         https://bugs.webkit.org/show_bug.cgi?id=165979
1803
1804         Reviewed by Saam Barati.
1805
1806         This patch makes it so that we only store int JSValues in the finallyActionRegister
1807         thereby making type prediction on this register more successful for JITs.  In so
1808         doing, we are able to get some additional benefits:
1809
1810         1. Renamed the following:
1811            FinallyRegistersScope => CompletionRecordScope
1812            finallyActionRegister => completionTypeRegister
1813            finallyReturnValueRegister => completionValueRegister
1814
1815            These new names are more in line with the ES spec, which describes these
1816            values as the completion record and its type and value properties.
1817            https://tc39.github.io/ecma262/#sec-completion-record-specification-type
1818
1819         2. We now think of the Break and Continue jumpIDs as encodings of CompletionType
1820            (in our implementation of completion type).  As a result, we only need one of
1821            each of the emitter methods for getting, setting, and compare-and-jump on the
1822            completion type.  The code using these methods also reads much clearer now.  
1823
1824         3. Finally blocks' op_catch should now always pop the caught Exception object into
1825            the completionValueRegister instead of the completionTypeRegister (formerly
1826            finallyActionRegister). 
1827
1828         Also removed the restoreScopeRegister() call in the IteratorClose catch block
1829         because that is an implementation specific synthesized catch block, and we
1830         can guarantee that it never needs to resolve any symbols from the scope.  Hence,
1831         there is no need to restore the scope register.
1832
1833         * bytecompiler/BytecodeGenerator.cpp:
1834         (JSC::BytecodeGenerator::emitEnumeration):
1835         (JSC::BytecodeGenerator::emitJumpViaFinallyIfNeeded):
1836         (JSC::BytecodeGenerator::emitReturnViaFinallyIfNeeded):
1837         (JSC::BytecodeGenerator::emitFinallyCompletion):
1838         (JSC::BytecodeGenerator::allocateCompletionRecordRegisters):
1839         (JSC::BytecodeGenerator::releaseCompletionRecordRegisters):
1840         (JSC::BytecodeGenerator::emitJumpIfCompletionType):
1841         (JSC::BytecodeGenerator::allocateFinallyRegisters): Deleted.
1842         (JSC::BytecodeGenerator::releaseFinallyRegisters): Deleted.
1843         (JSC::BytecodeGenerator::emitCompareFinallyActionAndJumpIf): Deleted.
1844         * bytecompiler/BytecodeGenerator.h:
1845         (JSC::bytecodeOffsetToJumpID):
1846         (JSC::FinallyJump::FinallyJump):
1847         (JSC::FinallyContext::registerJump):
1848         (JSC::BytecodeGenerator::CompletionRecordScope::CompletionRecordScope):
1849         (JSC::BytecodeGenerator::CompletionRecordScope::~CompletionRecordScope):
1850         (JSC::BytecodeGenerator::completionTypeRegister):
1851         (JSC::BytecodeGenerator::completionValueRegister):
1852         (JSC::BytecodeGenerator::emitSetCompletionType):
1853         (JSC::BytecodeGenerator::emitSetCompletionValue):
1854         (JSC::BytecodeGenerator::FinallyRegistersScope::FinallyRegistersScope): Deleted.
1855         (JSC::BytecodeGenerator::FinallyRegistersScope::~FinallyRegistersScope): Deleted.
1856         (JSC::BytecodeGenerator::finallyActionRegister): Deleted.
1857         (JSC::BytecodeGenerator::finallyReturnValueRegister): Deleted.
1858         (JSC::BytecodeGenerator::emitSetFinallyActionToNormalCompletion): Deleted.
1859         (JSC::BytecodeGenerator::emitSetFinallyActionToReturnCompletion): Deleted.
1860         (JSC::BytecodeGenerator::emitSetFinallyActionToJumpID): Deleted.
1861         (JSC::BytecodeGenerator::emitSetFinallyReturnValueRegister): Deleted.
1862         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNormalCompletion): Deleted.
1863         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotJump): Deleted.
1864         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsReturnCompletion): Deleted.
1865         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotReturnCompletion): Deleted.
1866         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotThrowCompletion): Deleted.
1867         (JSC::BytecodeGenerator::emitJumpIfCompletionTypeIsThrow): Deleted.
1868         (JSC::BytecodeGenerator::bytecodeOffsetToJumpID): Deleted.
1869         * bytecompiler/NodesCodegen.cpp:
1870         (JSC::TryNode::emitBytecode):
1871
1872 2016-12-17  Saam Barati  <sbarati@apple.com>
1873
1874         WebAssembly: WasmB3IRGenerator uses WarmAny as a ValueRep but expects the incoming value to be a register
1875         https://bugs.webkit.org/show_bug.cgi?id=165989
1876
1877         Reviewed by Mark Lam.
1878
1879         The input should be constrained to a register to match what
1880         the patchpoint code expects.
1881
1882         * wasm/WasmB3IRGenerator.cpp:
1883
1884 2016-12-17  Saam Barati  <sbarati@apple.com>
1885
1886         WebAssembly: Change a RELEASE_ASSERT_NOT_REACHED to a jit.breakpoint() for now to allow us to run some wasm benchmarks
1887         https://bugs.webkit.org/show_bug.cgi?id=165990
1888
1889         Reviewed by Mark Lam.
1890
1891         * wasm/WasmBinding.cpp:
1892         (JSC::Wasm::importStubGenerator):
1893
1894 2016-12-16  Joseph Pecoraro  <pecoraro@apple.com>
1895
1896         JSContext Inspector: Avoid some possible exceptions inspecting a JSContext
1897         https://bugs.webkit.org/show_bug.cgi?id=165986
1898         <rdar://problem/29551379>
1899
1900         Reviewed by Matt Baker.
1901
1902         * inspector/InjectedScriptSource.js:
1903         (InjectedScript.prototype.processProperties):
1904         Prefer String.prototype.endsWith now that it is available.
1905
1906         (InjectedScript.prototype._describe):
1907         Prefer Function.prototype.toString for converting functions to String.
1908         Previously we were doing String(f) which would to Symbol.toPrimitive
1909         conversion which seems unnecessary here.
1910
1911 2016-12-16  Michael Catanzaro  <mcatanzaro@igalia.com>
1912
1913         Unreviewed, fix GCC 6 build failure after r209952
1914
1915         Return false, not nullptr, in function returning bool.
1916
1917         * bytecompiler/BytecodeGenerator.cpp:
1918         (JSC::BytecodeGenerator::emitJumpViaFinallyIfNeeded):
1919
1920 2016-12-16  Saam Barati  <sbarati@apple.com>
1921
1922         WebAssembly: We still have some incorrect parsing productions inside unreachable code
1923         https://bugs.webkit.org/show_bug.cgi?id=165981
1924
1925         Reviewed by Keith Miller.
1926
1927         This hardens our parsing for CallIndirect and Loop/Block/If to be exactly like their reachable variant.
1928         
1929         It also fixes a more nefarious bug in which we were decoding an extra varuint32
1930         for Br/BrIf inside unreachable code.
1931
1932         * wasm/WasmFunctionParser.h:
1933
1934 2016-12-16  Filip Pizlo  <fpizlo@apple.com>
1935
1936         CellState should have members with accurate names
1937         https://bugs.webkit.org/show_bug.cgi?id=165969
1938
1939         Reviewed by Mark Lam.
1940         
1941         This once again renames the members in CellState. I wanted to convey the following
1942         pieces of information in the names:
1943         
1944         - What does the state mean for Generational GC?
1945         - What does the state mean for Concurrent GC?
1946         - Does the state guarantee what it means, or is there some contingency?
1947         
1948         The names I came up with are:
1949         
1950         PossiblyOldOrBlack: An object in this state may be old, or may be black, depending on
1951             other things. If the mark bit is set then the object is either black or being
1952             blackened as we speak. It's going to survive the GC, so it will be old, but may be
1953             new now. In between GCs, objects in this state are definitely old. If the mark bit
1954             is not set, then the object is actually old and white.
1955         
1956         DefinitelyNewAndWhite: The object was just allocated so it is white (not marked) and
1957             new.
1958         
1959         DefinitelyGrey: The object is definitely grey - it will be rescanned in the future. It
1960             may be new or old depending on other things.
1961
1962         * heap/CellState.h:
1963         * heap/Heap.cpp:
1964         (JSC::Heap::addToRememberedSet):
1965         (JSC::Heap::writeBarrierSlowPath):
1966         * heap/SlotVisitor.cpp:
1967         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
1968         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
1969         (JSC::SlotVisitor::appendToMarkStack):
1970         (JSC::SlotVisitor::visitChildren):
1971         * runtime/JSCellInlines.h:
1972         (JSC::JSCell::JSCell):
1973         * runtime/StructureIDBlob.h:
1974         (JSC::StructureIDBlob::StructureIDBlob):
1975
1976 2016-12-16  Saam Barati  <sbarati@apple.com>
1977
1978         B3::DoubleToFloatReduction will accidentally convince itself it converted a Phi from Double to Float and then convert uses of that Phi into a use of FloatToDouble(@Phi)
1979         https://bugs.webkit.org/show_bug.cgi?id=165946
1980
1981         Reviewed by Keith Miller.
1982
1983         This was happening because the phase will convert some Phi nodes
1984         from Double to Float. However, one place that did this conversion
1985         forgot to first check if the Phi was already a Float. If it's already
1986         a Float, a later part of the phase will be buggy if the phase claims that it has
1987         converted it from Double->Float. The reason is that at the end of the
1988         phase, we'll look for all uses of former Double Phi nodes and make them
1989         be a use of ConvertFloatToDouble on the Phi, instead of a use of the Phi itself.
1990         This is clearly wrong if the Phi were Float to begin with (and
1991         therefore, the uses were Float uses to begin with).
1992
1993         * b3/B3ReduceDoubleToFloat.cpp:
1994         * b3/testb3.cpp:
1995         (JSC::B3::testReduceFloatToDoubleValidates):
1996         (JSC::B3::run):
1997
1998 2016-12-16  Mark Lam  <mark.lam@apple.com>
1999
2000         De-duplicate finally blocks.
2001         https://bugs.webkit.org/show_bug.cgi?id=160168
2002
2003         Reviewed by Keith Miller.
2004
2005         JS execution can arrive at a finally block when there are abrupt completions from
2006         its try or catch block.  The abrupt completion types include Break,
2007         Continue, Return, and Throw.  The non-abrupt completion type is called Normal
2008         (i.e. the case of a try block falling through to the finally block).
2009
2010         Previously, we enable each of these paths for abrupt completion (except for Throw)
2011         to run the finally block code by duplicating the finally block code at each of
2012         the sites that trigger those completions.  This patch fixes the implementation so
2013         that each of these abrupt completions will set a finallyActionRegister (plus a
2014         finallyReturnValueRegister for CompletionType::Return) and then jump to the
2015         relevant finally blocks, and continue to thread through subsequent outer finally
2016         blocks until execution reaches the outermost finally block that the completion
2017         type dictates.  We no longer duplicate the finally block code.
2018
2019         The implementation details:
2020         1. We allocate a pair of finallyActionRegister and finallyReturnValueRegister
2021            just before entering the outermost try-catch-finally scope.
2022
2023            On allocating the registers, we set them to the empty JSValue.  This serves
2024            to set the completion type to CompletionType::Normal (see (2) below).
2025
2026         2. The finallyActionRegister serves 2 purpose:
2027            a. indicates the CompletionType that triggered entry into the finally block.
2028
2029               This is how we encode the completion type in the finallyActionRegister:
2030               1. CompletionType::Normal
2031                  - finallyActionRegister is set to the empty JSValue.
2032               2. CompletionType::Break
2033                  - finallyActionRegister is set to the int jumpID for the site of the break statement.
2034               3. CompletionType::Continue
2035                  - finallyActionRegister is set to the int jumpID for the site of the continue statement.
2036               4. CompletionType::Return
2037                  - finallyActionRegister is set to CompletionType::Return as an int JSValue.
2038                  - finallyReturnValueRegister is set to the value to be returned. 
2039               5. CompletionType::Throw
2040                  - finallyActionRegister is set to the exception object that was caught by the finally block.
2041
2042               Hence, if the finallyActionRegister can either be:
2043               1. empty i.e. we're handling CompletionType::Normal.
2044               2. an int JSValue i.e. we're handling CompletionType::Break, Continue, or Return.
2045               3. an object i.e. we're handling CompletionType::Throw.
2046
2047            b. stores the exception caught in the finally block if we're handing
2048               CompletionType::Throw.
2049
2050         3. Each finally block will have 2 entries:
2051            a. the entry via throw.
2052            b. the normal entry.
2053
2054            The entry via throw is recorded in the codeBlock's exception table, and can
2055            only be jumped to by the VM's exception handling mechanism.
2056
2057            The normal entry is recorded in a FinallyContext (at bytecode generation time
2058            only) and is jumped to when we want enter the finally block due any of the
2059            other CompletionTypes.
2060
2061         4. CompletionType::Normal
2062            ======================
2063            We encounter this when falling through from a try or catch block to the finally block.  
2064            
2065            For the try block case, since finallyActionRegister is set to Normal by default,
2066            there's nothing more that needs to be done.
2067
2068            For the catch block case, since we entered the catch block with an exception,
2069            finallyActionRegister may be set to Throw.  We'll need to set it to Normal
2070            before jumping to the finally block's normal entry.
2071
2072            CompletionType::Break
2073            =====================
2074            When we emit bytecode for the BreakNode, we check if we have any FinallyContexts
2075            that we need to service before jumping to the breakTarget.  If we do, then:
2076            a. we'll register a jumpID along with the breakTarget with the outermost FinallyContext.
2077            b. we'll also increment the numberOfBreaksOrContinues count in each FinallyContext
2078               from the innermost to the outermost.
2079            c. instead of emitting bytecode to jump to the breakTarget, we:
2080               1. emit bytecode to set finallyActionRegister to the jumpID.
2081               b. emit bytecode to jump to the normal entry of the innermost finally block.
2082
2083            Each finally block will take care of cascading to the next outer finally block
2084            as needed (see (5) below).
2085
2086            CompletionType::Continue
2087            ========================
2088            Since continues and breaks work the same way (i.e. with a jump), we handle this
2089            exactly the same way as CompletionType::Break, except that we use the
2090            continueTarget instead of the breakTarget.
2091
2092            CompletionType::Return
2093            ======================
2094            When we emit bytecode for the ReturnNode, we check if we have any FinallyContexts
2095            at all on the m_controlFlowScopeStack.
2096
2097            If so, then instead of emitting op_ret, we:
2098               1. emit bytecode to set finallyActionRegister to the CompletionType::Return.
2099               1. emit bytecode to move the return value into finallyReturnValueRegister.
2100               2. emit bytecode to jump to the normal entry of the innermost finally block.
2101
2102            Each finally block will take care of cascading to the next outer finally block
2103            as needed (see (5) below).
2104
2105            CompletionType::Throw
2106            ======================
2107            The op_catch of a finally block will always store the caught exception object
2108            in the finallyActionRegister.  This means we're handling CompletionType::Throw
2109            (see (2) above).
2110
2111         5. What happens in each finally block?
2112            ==================================
2113            Only the finally block's entry via throw will have an op_catch that catches the
2114            pending exception (and stores it in the finallyActionRegister).  This throw
2115            entry then falls through to the normal entry.
2116
2117            The finally block's normal entry will restore the scope of the finally block
2118            and proceed to execute its code.
2119
2120            At the end of the finally block (see emitFinallyCompletion()), the finally
2121            block will check the finallyActionRegister for each completion type in the
2122            following order:
2123            
2124            a. CompletionType::Normal: jump to the code after the finally block as
2125               designated by a normalCompletion label.
2126
2127            b. CompletionType::Break and Continue:
2128               If the FinallyContext for this block has registered FinallyJumps, we'll
2129               check for the jumpIDs against the finallyActionRegister.  If the jumpID
2130               matches, jump to the corresponding jumpTarget.
2131
2132               If no jumpIDs match but the FinallyContext's numberOfBreaksOrContinues is
2133               greater than the number of registered FinallyJumps, then this means that
2134               we have a Break or Continue that needs to be handled by an outer finally
2135               block.  In that case, jump to the outer finally block's normal entry.
2136               
2137            c. CompletionType::Return:
2138               If this finally block is not the outermost and finallyActionRegister contains
2139               CompletionType::Return, then jump to the outer finally block's normal entry.
2140
2141               Otherwise, if this finally block is the outermost and finallyActionRegister
2142               contains CompletionType::Return, then execute op_ret and return the value
2143               in finallyReturnValueRegister.
2144
2145            d. CompletionType::Throw:
2146               If we're not handling any of the above cases, then just throw the
2147               finallyActionRegister which contains the exception to re-throw.
2148
2149         6. restoreScopeRegister()
2150         
2151            Since the needed scope objects are always stored in a local, we can restore
2152            the scope register by simply moving from that local instead of going through
2153            op_get_parent_scope.
2154
2155         7. m_controlFlowScopeStack needs to be a SegmentedVector instead of a Vector.
2156            This makes it easier to keep a pointer to the FinallyContext on that stack,
2157            and not have to worry about the vector being realloc'ed due to resizing. 
2158
2159         Performance appears to be neutral both on ES6SampleBench (run via cli) and the
2160         JSC benchmarks.
2161
2162         Relevant spec references:
2163         https://tc39.github.io/ecma262/#sec-completion-record-specification-type
2164         https://tc39.github.io/ecma262/#sec-try-statement-runtime-semantics-evaluation
2165
2166         * bytecode/HandlerInfo.h:
2167         (JSC::HandlerInfoBase::typeName):
2168         * bytecompiler/BytecodeGenerator.cpp:
2169         (JSC::BytecodeGenerator::generate):
2170         (JSC::BytecodeGenerator::BytecodeGenerator):
2171         (JSC::BytecodeGenerator::emitReturn):
2172         (JSC::BytecodeGenerator::pushFinallyControlFlowScope):
2173         (JSC::BytecodeGenerator::popFinallyControlFlowScope):
2174         (JSC::BytecodeGenerator::allocateAndEmitScope):
2175         (JSC::BytecodeGenerator::pushTry):
2176         (JSC::BytecodeGenerator::popTry):
2177         (JSC::BytecodeGenerator::emitCatch):
2178         (JSC::BytecodeGenerator::restoreScopeRegister):
2179         (JSC::BytecodeGenerator::labelScopeDepthToLexicalScopeIndex):
2180         (JSC::BytecodeGenerator::labelScopeDepth):
2181         (JSC::BytecodeGenerator::pushLocalControlFlowScope):
2182         (JSC::BytecodeGenerator::popLocalControlFlowScope):
2183         (JSC::BytecodeGenerator::emitEnumeration):
2184         (JSC::BytecodeGenerator::emitIsNumber):
2185         (JSC::BytecodeGenerator::emitYield):
2186         (JSC::BytecodeGenerator::emitDelegateYield):
2187         (JSC::BytecodeGenerator::emitJumpViaFinallyIfNeeded):
2188         (JSC::BytecodeGenerator::emitReturnViaFinallyIfNeeded):
2189         (JSC::BytecodeGenerator::emitFinallyCompletion):
2190         (JSC::BytecodeGenerator::allocateFinallyRegisters):
2191         (JSC::BytecodeGenerator::releaseFinallyRegisters):
2192         (JSC::BytecodeGenerator::emitCompareFinallyActionAndJumpIf):
2193         (JSC::BytecodeGenerator::pushIteratorCloseControlFlowScope): Deleted.
2194         (JSC::BytecodeGenerator::popIteratorCloseControlFlowScope): Deleted.
2195         (JSC::BytecodeGenerator::emitComplexPopScopes): Deleted.
2196         (JSC::BytecodeGenerator::emitPopScopes): Deleted.
2197         (JSC::BytecodeGenerator::popTryAndEmitCatch): Deleted.
2198         * bytecompiler/BytecodeGenerator.h:
2199         (JSC::FinallyJump::FinallyJump):
2200         (JSC::FinallyContext::FinallyContext):
2201         (JSC::FinallyContext::outerContext):
2202         (JSC::FinallyContext::finallyLabel):
2203         (JSC::FinallyContext::depth):
2204         (JSC::FinallyContext::numberOfBreaksOrContinues):
2205         (JSC::FinallyContext::incNumberOfBreaksOrContinues):
2206         (JSC::FinallyContext::handlesReturns):
2207         (JSC::FinallyContext::setHandlesReturns):
2208         (JSC::FinallyContext::registerJump):
2209         (JSC::FinallyContext::numberOfJumps):
2210         (JSC::FinallyContext::jumps):
2211         (JSC::ControlFlowScope::ControlFlowScope):
2212         (JSC::ControlFlowScope::isLabelScope):
2213         (JSC::ControlFlowScope::isFinallyScope):
2214         (JSC::BytecodeGenerator::currentLexicalScopeIndex):
2215         (JSC::BytecodeGenerator::FinallyRegistersScope::FinallyRegistersScope):
2216         (JSC::BytecodeGenerator::FinallyRegistersScope::~FinallyRegistersScope):
2217         (JSC::BytecodeGenerator::finallyActionRegister):
2218         (JSC::BytecodeGenerator::finallyReturnValueRegister):
2219         (JSC::BytecodeGenerator::emitSetFinallyActionToNormalCompletion):
2220         (JSC::BytecodeGenerator::emitSetFinallyActionToReturnCompletion):
2221         (JSC::BytecodeGenerator::emitSetFinallyActionToJumpID):
2222         (JSC::BytecodeGenerator::emitSetFinallyReturnValueRegister):
2223         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNormalCompletion):
2224         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotJump):
2225         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsReturnCompletion):
2226         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotReturnCompletion):
2227         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotThrowCompletion):
2228         (JSC::BytecodeGenerator::emitJumpIfCompletionTypeIsThrow):
2229         (JSC::BytecodeGenerator::bytecodeOffsetToJumpID):
2230         (JSC::BytecodeGenerator::isInFinallyBlock): Deleted.
2231         * bytecompiler/NodesCodegen.cpp:
2232         (JSC::ContinueNode::emitBytecode):
2233         (JSC::BreakNode::emitBytecode):
2234         (JSC::ReturnNode::emitBytecode):
2235         (JSC::TryNode::emitBytecode):
2236
2237 2016-12-16  Keith Miller  <keith_miller@apple.com>
2238
2239         Add missing cases to parseUnreachableExpression and cleanup FunctionParser
2240         https://bugs.webkit.org/show_bug.cgi?id=165966
2241
2242         Reviewed by Saam Barati.
2243
2244         This patch adds a number of missing cases to the Wasm FunctionParser's unreachable
2245         code decoder. It also, removes unneeded OpType namespaces where they were not
2246         needed and has the unary / binary macros cover all the cases rather than
2247         just the simple cases.
2248
2249         * wasm/WasmFunctionParser.h:
2250
2251 2016-12-16  Mark Lam  <mark.lam@apple.com>
2252
2253         Add predecessor info to dumps from JSC_dumpBytecodeLivenessResults=true.
2254         https://bugs.webkit.org/show_bug.cgi?id=165958
2255
2256         Reviewed by Saam Barati.
2257
2258         Also:
2259         1. refactored the code to use a common lambda function to dump FastBitVectors.
2260         2. list successors by their block index instead of pointers.
2261
2262         * bytecode/BytecodeLivenessAnalysis.cpp:
2263         (JSC::BytecodeLivenessAnalysis::dumpResults):
2264
2265 2016-12-16  Saam Barati  <sbarati@apple.com>
2266
2267         WebAssembly: WasmB3IRGenerator should throw exceptions instead of crash
2268         https://bugs.webkit.org/show_bug.cgi?id=165834
2269
2270         Reviewed by Keith Miller.
2271
2272         This patch generalizes how we throw exceptions in the Wasm::B3IRGenerator.
2273         There are still places where we need to throw exceptions and we don't, but
2274         this patch removes most of those places inside the IR generator. There are
2275         still a few places we need to throw exceptions inside the IR generator, like
2276         div/mod by 0. Those will be done in a separate patch. Also, there are
2277         still some stubs we need to throw exceptions from; those will also be
2278         done in a separate patch.
2279
2280         All exceptions thrown from Wasm share a common stub. The ABI for the stub
2281         is to move the Wasm::ExceptionType into argGPR1 and jump to the stub.
2282         The stub will then throw an exception with an error message tailored
2283         to the particular Wasm::ExceptionType failure.
2284
2285         This patch also refactors B3::Compilation. Before, B3::Compilation(VM, Procedure)
2286         constructor would compile a B3 function. This patch makes B3::Compilation a simple 
2287         tuple that keeps the necessary bits of B3 function alive in order to be runnable.
2288         There is a new function that actually does the compilation for you. It is:
2289         Compilation B3::compile(VM&, Procedure&)
2290         The reason for this change is that I'm now using B3::Compilation(CodeRef, OpaqueByproducts)
2291         constructor in Wasm code. It is weird to have a class both have a
2292         constructor that instantiates the tuple, and another that performs the
2293         compilation and then instantiates the tuple. It's more straight
2294         forward if Compilation's job wasn't to actually do the compilation
2295         but just to hold the necessary bits to keep a compiled B3 alive.
2296
2297         * CMakeLists.txt:
2298         * JavaScriptCore.xcodeproj/project.pbxproj:
2299         * b3/B3Compilation.cpp:
2300         (JSC::B3::Compilation::Compilation):
2301         * b3/B3Compilation.h:
2302         * b3/B3Compile.cpp: Added.
2303         (JSC::B3::compile):
2304         * b3/B3Compile.h: Added.
2305         * b3/testb3.cpp:
2306         (JSC::B3::compile):
2307         * jit/ThunkGenerators.cpp:
2308         (JSC::throwExceptionFromWasmThunkGenerator):
2309         * jit/ThunkGenerators.h:
2310         * wasm/WasmB3IRGenerator.cpp:
2311         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2312         (JSC::Wasm::B3IRGenerator::emitExceptionCheck):
2313         (JSC::Wasm::createJSToWasmWrapper):
2314         (JSC::Wasm::parseAndCompile):
2315         * wasm/WasmExceptionType.h: Added.
2316         (JSC::Wasm::errorMessageForExceptionType):
2317
2318 2016-12-16  Keith Miller  <keith_miller@apple.com>
2319
2320         i64.eqz should use an Int64 zero
2321         https://bugs.webkit.org/show_bug.cgi?id=165942
2322
2323         Reviewed by Mark Lam.
2324
2325         This patch fixes i64.eqz, which was using an Int32 zero
2326         for the comparison previously. This patch also, adds
2327         printing opcodes names in verbose mode.
2328
2329         * wasm/WasmFunctionParser.h:
2330         * wasm/generateWasmOpsHeader.py:
2331         * wasm/wasm.json:
2332
2333 2016-12-15  Darin Adler  <darin@apple.com>
2334
2335         Use asString instead of toWTFString, toString, or getString when we already checked isString
2336         https://bugs.webkit.org/show_bug.cgi?id=165895
2337
2338         Reviewed by Yusuke Suzuki.
2339
2340         Once we have called isString, we should always use asString and value rather than using
2341         functions that have to deal with non-JSString objects. This leads to slightly fewer branches,
2342         slightly less reference count churn, since the string is stored right inside the JSString,
2343         and obviates the need for exception handling.
2344
2345         * bindings/ScriptValue.cpp:
2346         (Inspector::jsToInspectorValue): Use asString/value instead of getString.
2347         * dfg/DFGOperations.cpp:
2348         (JSC::DFG::operationMapHash): Call jsMapHash with its new arguments.
2349         * inspector/JSInjectedScriptHost.cpp:
2350         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension): Use asString/value instead
2351         of toWTFString.
2352         * inspector/JSJavaScriptCallFrame.cpp:
2353         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension): Ditto.
2354         * inspector/agents/InspectorHeapAgent.cpp:
2355         (Inspector::InspectorHeapAgent::getPreview): Use asString/tryGetValue, instead of the
2356         peculiar getString(nullptr) that was here before.
2357         * jsc.cpp:
2358         (functionGetGetterSetter): Use asString/toIdentifier instead of the much less efficient
2359         toWTFString/Identifier::fromString.
2360         (functionIsRope): Use asString instead of jsCast<JSString*>; same thing, but we should
2361         prefer the asString function, since it exists.
2362         (functionFindTypeForExpression): Use asString/value instead of getString.
2363         (functionHasBasicBlockExecuted): Ditto.
2364         (functionBasicBlockExecutionCount): Ditto.
2365         (functionCreateBuiltin): Use asString/value instead of toWTFString and removed
2366         unneeded RETURN_IF_EXCEPTION.
2367         (valueWithTypeOfWasmValue): Use asString instead of jsCast<String*>.
2368         (box): Ditto.
2369         * runtime/DateConstructor.cpp:
2370         (JSC::constructDate): Use asString/values instead of getString.
2371         * runtime/ExceptionHelpers.cpp:
2372         (JSC::errorDescriptionForValue): Tweaked formatting.
2373
2374         * runtime/HashMapImpl.h:
2375         (JSC::jsMapHash): Changed this function to use asString/value.
2376
2377         * runtime/JSCJSValue.cpp:
2378         (JSC::JSValue::dumpInContextAssumingStructure): Use asString instead of
2379         jsCast<JSString*>.
2380         (JSC::JSValue::dumpForBacktrace): Ditto.
2381         * runtime/JSCJSValueInlines.h:
2382         (JSC::toPreferredPrimitiveType): Ditto.
2383
2384         * runtime/JSGlobalObjectFunctions.cpp:
2385         (JSC::globalFuncEval): Use asString/value instead of toWTFString.
2386
2387         * runtime/JSString.cpp:
2388         (JSC::JSString::destroy): Streamlined by removing local variable.
2389         (JSC::JSString::estimatedSize): Use asString instead of jsCast<JSString*>.
2390         (JSC::JSString::visitChildren): Ditto.
2391         (JSC::JSString::toThis): Ditto.
2392         * runtime/JSString.h:
2393         (JSC::JSValue::toString): Ditto.
2394         (JSC::JSValue::toStringOrNull): Ditto.
2395         * runtime/NumberPrototype.cpp:
2396         (JSC::numberProtoFuncValueOf): Ditto.
2397         * runtime/ObjectPrototype.cpp:
2398         (JSC::objectProtoFuncToString): Ditto.
2399         * runtime/StringPrototype.cpp:
2400         (JSC::stringProtoFuncRepeatCharacter): Ditto.
2401         (JSC::stringProtoFuncSubstr): Ditto.
2402         (JSC::builtinStringSubstrInternal): Simplified assertion by removing local variable.
2403
2404 2016-12-15  Keith Miller  <keith_miller@apple.com>
2405
2406         Fix validation of non-void if blocks with no else
2407         https://bugs.webkit.org/show_bug.cgi?id=165938
2408
2409         Reviewed by Saam Barati.
2410
2411         We should not have been allowing non-void if-blocks that don't
2412         have an else. Since this causes a value to be placed on the
2413         stack that only appears under some control flow and not another.
2414
2415         * wasm/WasmValidate.cpp:
2416
2417 2016-12-15  Filip Pizlo  <fpizlo@apple.com>
2418
2419         Get rid of HeapRootVisitor and make SlotVisitor less painful to use
2420         https://bugs.webkit.org/show_bug.cgi?id=165911
2421
2422         Reviewed by Geoffrey Garen.
2423         
2424         Previously we had two ways of adding a raw pointer to the GC's mark stack:
2425         
2426         - SlotVisitor::appendUnbarrieredXYZ() methods
2427         - HeapRootVisitor::visit() methods
2428         
2429         HeapRootVisitor existed only to prevent you from calling its non-WriteBarrier<> methods
2430         unless you had permission. But SlotVisitor would let you do it anyway, because that was
2431         a lot more practical.
2432         
2433         I think that we should just have one way to do it. This removes HeapRootVisitor. It
2434         also renames appendUnbarrieredXYZ to appendUnbarriered, and it removes the use of extra
2435         indirection (so you now pass const WriteBarrier<>& instead of WriteBarrier<>*).
2436
2437         * API/JSCallbackObject.h:
2438         (JSC::JSCallbackObjectData::JSPrivatePropertyMap::visitChildren):
2439         * JavaScriptCore.xcodeproj/project.pbxproj:
2440         * Scripts/builtins/builtins_templates.py:
2441         * bytecode/CodeBlock.cpp:
2442         (JSC::CodeBlock::visitWeakly):
2443         (JSC::CodeBlock::visitChildren):
2444         (JSC::CodeBlock::propagateTransitions):
2445         (JSC::CodeBlock::determineLiveness):
2446         (JSC::CodeBlock::visitOSRExitTargets):
2447         (JSC::CodeBlock::stronglyVisitStrongReferences):
2448         (JSC::CodeBlock::stronglyVisitWeakReferences):
2449         * bytecode/DirectEvalCodeCache.cpp:
2450         (JSC::DirectEvalCodeCache::visitAggregate):
2451         * bytecode/InternalFunctionAllocationProfile.h:
2452         (JSC::InternalFunctionAllocationProfile::visitAggregate):
2453         * bytecode/ObjectAllocationProfile.h:
2454         (JSC::ObjectAllocationProfile::visitAggregate):
2455         * bytecode/PolymorphicAccess.cpp:
2456         (JSC::AccessCase::propagateTransitions):
2457         * bytecode/UnlinkedCodeBlock.cpp:
2458         (JSC::UnlinkedCodeBlock::visitChildren):
2459         * bytecode/UnlinkedFunctionExecutable.cpp:
2460         (JSC::UnlinkedFunctionExecutable::visitChildren):
2461         * debugger/DebuggerScope.cpp:
2462         (JSC::DebuggerScope::visitChildren):
2463         * dfg/DFGDesiredTransitions.cpp:
2464         (JSC::DFG::DesiredTransition::visitChildren):
2465         * dfg/DFGDesiredWeakReferences.cpp:
2466         (JSC::DFG::DesiredWeakReferences::visitChildren):
2467         * dfg/DFGGraph.cpp:
2468         (JSC::DFG::Graph::visitChildren):
2469         * dfg/DFGPlan.cpp:
2470         (JSC::DFG::Plan::markCodeBlocks):
2471         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
2472         * heap/HandleSet.cpp:
2473         (JSC::HandleSet::visitStrongHandles):
2474         * heap/HandleSet.h:
2475         * heap/HandleStack.cpp:
2476         (JSC::HandleStack::visit):
2477         * heap/HandleStack.h:
2478         * heap/Heap.cpp:
2479         (JSC::Heap::markToFixpoint):
2480         * heap/Heap.h:
2481         * heap/HeapRootVisitor.h: Removed.
2482         * heap/LargeAllocation.cpp:
2483         (JSC::LargeAllocation::visitWeakSet):
2484         * heap/LargeAllocation.h:
2485         * heap/MarkedBlock.h:
2486         (JSC::MarkedBlock::Handle::visitWeakSet):
2487         * heap/MarkedSpace.cpp:
2488         (JSC::MarkedSpace::visitWeakSets):
2489         * heap/MarkedSpace.h:
2490         * heap/SlotVisitor.cpp:
2491         (JSC::SlotVisitor::appendUnbarriered):
2492         * heap/SlotVisitor.h:
2493         * heap/SlotVisitorInlines.h:
2494         (JSC::SlotVisitor::appendUnbarriered):
2495         (JSC::SlotVisitor::append):
2496         (JSC::SlotVisitor::appendHidden):
2497         (JSC::SlotVisitor::appendValues):
2498         (JSC::SlotVisitor::appendValuesHidden):
2499         (JSC::SlotVisitor::appendUnbarrieredPointer): Deleted.
2500         (JSC::SlotVisitor::appendUnbarrieredReadOnlyPointer): Deleted.
2501         (JSC::SlotVisitor::appendUnbarrieredValue): Deleted.
2502         (JSC::SlotVisitor::appendUnbarrieredReadOnlyValue): Deleted.
2503         (JSC::SlotVisitor::appendUnbarrieredWeak): Deleted.
2504         * heap/WeakBlock.cpp:
2505         (JSC::WeakBlock::specializedVisit):
2506         (JSC::WeakBlock::visit):
2507         * heap/WeakBlock.h:
2508         * heap/WeakSet.h:
2509         (JSC::WeakSet::visit):
2510         * interpreter/ShadowChicken.cpp:
2511         (JSC::ShadowChicken::visitChildren):
2512         * jit/GCAwareJITStubRoutine.cpp:
2513         (JSC::MarkingGCAwareJITStubRoutine::markRequiredObjectsInternal):
2514         * jit/PolymorphicCallStubRoutine.cpp:
2515         (JSC::PolymorphicCallStubRoutine::markRequiredObjectsInternal):
2516         * jsc.cpp:
2517         (WTF::Element::visitChildren):
2518         (WTF::ImpureGetter::visitChildren):
2519         (WTF::SimpleObject::visitChildren):
2520         * runtime/AbstractModuleRecord.cpp:
2521         (JSC::AbstractModuleRecord::visitChildren):
2522         * runtime/ArgList.cpp:
2523         (JSC::MarkedArgumentBuffer::markLists):
2524         * runtime/ArgList.h:
2525         * runtime/ClonedArguments.cpp:
2526         (JSC::ClonedArguments::visitChildren):
2527         * runtime/DirectArguments.cpp:
2528         (JSC::DirectArguments::visitChildren):
2529         * runtime/EvalExecutable.cpp:
2530         (JSC::EvalExecutable::visitChildren):
2531         * runtime/Exception.cpp:
2532         (JSC::Exception::visitChildren):
2533         * runtime/FunctionExecutable.cpp:
2534         (JSC::FunctionExecutable::visitChildren):
2535         * runtime/FunctionRareData.cpp:
2536         (JSC::FunctionRareData::visitChildren):
2537         * runtime/GetterSetter.cpp:
2538         (JSC::GetterSetter::visitChildren):
2539         * runtime/HashMapImpl.cpp:
2540         (JSC::HashMapBucket<Data>::visitChildren):
2541         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
2542         * runtime/InferredTypeTable.cpp:
2543         (JSC::InferredTypeTable::visitChildren):
2544         * runtime/InternalFunction.cpp:
2545         (JSC::InternalFunction::visitChildren):
2546         * runtime/IntlCollator.cpp:
2547         (JSC::IntlCollator::visitChildren):
2548         * runtime/IntlCollatorConstructor.cpp:
2549         (JSC::IntlCollatorConstructor::visitChildren):
2550         * runtime/IntlDateTimeFormat.cpp:
2551         (JSC::IntlDateTimeFormat::visitChildren):
2552         * runtime/IntlDateTimeFormatConstructor.cpp:
2553         (JSC::IntlDateTimeFormatConstructor::visitChildren):
2554         * runtime/IntlNumberFormat.cpp:
2555         (JSC::IntlNumberFormat::visitChildren):
2556         * runtime/IntlNumberFormatConstructor.cpp:
2557         (JSC::IntlNumberFormatConstructor::visitChildren):
2558         * runtime/JSBoundFunction.cpp:
2559         (JSC::JSBoundFunction::visitChildren):
2560         * runtime/JSCallee.cpp:
2561         (JSC::JSCallee::visitChildren):
2562         * runtime/JSCellInlines.h:
2563         (JSC::JSCell::visitChildren):
2564         * runtime/JSCustomGetterSetterFunction.cpp:
2565         (JSC::JSCustomGetterSetterFunction::visitChildren):
2566         * runtime/JSFunction.cpp:
2567         (JSC::JSFunction::visitChildren):
2568         * runtime/JSGlobalObject.cpp:
2569         (JSC::JSGlobalObject::visitChildren):
2570         * runtime/JSMapIterator.cpp:
2571         (JSC::JSMapIterator::visitChildren):
2572         * runtime/JSModuleEnvironment.cpp:
2573         (JSC::JSModuleEnvironment::visitChildren):
2574         * runtime/JSModuleNamespaceObject.cpp:
2575         (JSC::JSModuleNamespaceObject::visitChildren):
2576         * runtime/JSModuleRecord.cpp:
2577         (JSC::JSModuleRecord::visitChildren):
2578         * runtime/JSNativeStdFunction.cpp:
2579         (JSC::JSNativeStdFunction::visitChildren):
2580         * runtime/JSObject.cpp:
2581         (JSC::JSObject::visitButterflyImpl):
2582         * runtime/JSPromiseDeferred.cpp:
2583         (JSC::JSPromiseDeferred::visitChildren):
2584         * runtime/JSPropertyNameEnumerator.cpp:
2585         (JSC::JSPropertyNameEnumerator::visitChildren):
2586         * runtime/JSPropertyNameIterator.cpp:
2587         (JSC::JSPropertyNameIterator::visitChildren):
2588         * runtime/JSProxy.cpp:
2589         (JSC::JSProxy::visitChildren):
2590         * runtime/JSScope.cpp:
2591         (JSC::JSScope::visitChildren):
2592         * runtime/JSSegmentedVariableObject.cpp:
2593         (JSC::JSSegmentedVariableObject::visitChildren):
2594         * runtime/JSSetIterator.cpp:
2595         (JSC::JSSetIterator::visitChildren):
2596         * runtime/JSString.cpp:
2597         (JSC::JSRopeString::visitFibers):
2598         * runtime/JSSymbolTableObject.cpp:
2599         (JSC::JSSymbolTableObject::visitChildren):
2600         * runtime/JSWeakMap.cpp:
2601         (JSC::JSWeakMap::visitChildren):
2602         * runtime/JSWeakSet.cpp:
2603         (JSC::JSWeakSet::visitChildren):
2604         * runtime/JSWithScope.cpp:
2605         (JSC::JSWithScope::visitChildren):
2606         * runtime/JSWrapperObject.cpp:
2607         (JSC::JSWrapperObject::visitChildren):
2608         * runtime/LazyClassStructure.cpp:
2609         (JSC::LazyClassStructure::visit):
2610         * runtime/LazyPropertyInlines.h:
2611         (JSC::ElementType>::visit):
2612         * runtime/MapBase.cpp:
2613         (JSC::MapBase<HashMapBucketType>::visitChildren):
2614         * runtime/ModuleProgramExecutable.cpp:
2615         (JSC::ModuleProgramExecutable::visitChildren):
2616         * runtime/NativeErrorConstructor.cpp:
2617         (JSC::NativeErrorConstructor::visitChildren):
2618         * runtime/ProgramExecutable.cpp:
2619         (JSC::ProgramExecutable::visitChildren):
2620         * runtime/ProxyObject.cpp:
2621         (JSC::ProxyObject::visitChildren):
2622         * runtime/ProxyRevoke.cpp:
2623         (JSC::ProxyRevoke::visitChildren):
2624         * runtime/RegExpCachedResult.cpp:
2625         (JSC::RegExpCachedResult::visitChildren):
2626         * runtime/RegExpObject.cpp:
2627         (JSC::RegExpObject::visitChildren):
2628         * runtime/RegExpPrototype.cpp:
2629         (JSC::RegExpPrototype::visitChildren):
2630         * runtime/SamplingProfiler.cpp:
2631         (JSC::SamplingProfiler::visit):
2632         * runtime/ScopedArguments.cpp:
2633         (JSC::ScopedArguments::visitChildren):
2634         * runtime/SmallStrings.cpp:
2635         (JSC::SmallStrings::visitStrongReferences):
2636         * runtime/SparseArrayValueMap.cpp:
2637         (JSC::SparseArrayValueMap::visitChildren):
2638         * runtime/Structure.cpp:
2639         (JSC::Structure::visitChildren):
2640         (JSC::Structure::markIfCheap):
2641         * runtime/StructureChain.cpp:
2642         (JSC::StructureChain::visitChildren):
2643         * runtime/StructureRareData.cpp:
2644         (JSC::StructureRareData::visitChildren):
2645         * runtime/SymbolTable.cpp:
2646         (JSC::SymbolTable::visitChildren):
2647         * runtime/TypeProfilerLog.cpp:
2648         (JSC::TypeProfilerLog::visit):
2649         * runtime/WeakMapData.cpp:
2650         (JSC::WeakMapData::DeadKeyCleaner::visitWeakReferences):
2651         * wasm/js/JSWebAssemblyInstance.cpp:
2652         (JSC::JSWebAssemblyInstance::visitChildren):
2653         * wasm/js/JSWebAssemblyMemory.cpp:
2654         (JSC::JSWebAssemblyMemory::visitChildren):
2655         * wasm/js/JSWebAssemblyModule.cpp:
2656         (JSC::JSWebAssemblyModule::visitChildren):
2657         * wasm/js/JSWebAssemblyTable.cpp:
2658         (JSC::JSWebAssemblyTable::visitChildren):
2659         * wasm/js/WebAssemblyFunction.cpp:
2660         (JSC::WebAssemblyFunction::visitChildren):
2661         * wasm/js/WebAssemblyModuleRecord.cpp:
2662         (JSC::WebAssemblyModuleRecord::visitChildren):
2663
2664 2016-12-15  Myles C. Maxfield  <mmaxfield@apple.com>
2665
2666         Sort Xcode project files
2667         https://bugs.webkit.org/show_bug.cgi?id=165937
2668
2669         Reviewed by Simon Fraser.
2670
2671         * JavaScriptCore.xcodeproj/project.pbxproj:
2672
2673 2016-12-15  Keith Miller  <keith_miller@apple.com>
2674
2675         Wasm should not create empty unlinked callsites
2676         https://bugs.webkit.org/show_bug.cgi?id=165933
2677
2678         Reviewed by Mark Lam.
2679
2680         Wasm would create holes in the unlinked callsite vector if B3 was able to
2681         eliminate the callsite.
2682
2683         * wasm/WasmB3IRGenerator.cpp:
2684         (JSC::Wasm::B3IRGenerator::addCall):
2685
2686 2016-12-15  JF Bastien  <jfbastien@apple.com>
2687
2688         WebAssembly: improve compilation error messages
2689         https://bugs.webkit.org/show_bug.cgi?id=163919
2690
2691         Reviewed by Saam Barati.
2692
2693         The error handling messages were underwhelming because most
2694         locations merely returned `false` on failure. This patch uses
2695         std::expected to denote that failure isn't expected. Doing this
2696         makes it almost impossible to mess up the code: either a function
2697         returns a result (or a partial result for internal helpers) or an
2698         error. We're not synchronizing the error string with the m_failed
2699         bool anymore, and the caller will abort if they try to get a
2700         result but the outcome was an error.
2701
2702         This also shortens the code significantly using macros, while also
2703         judiciously preventing inlining of error handling code and biasing
2704         towards success using UNLIKELY. This means that the generated code
2705         should be more efficient (no string formatting on success, and
2706         regalloc can avoid these unlikely paths).
2707
2708         The patch adds a few missing checks as well, especially related to
2709         count limits and memory allocation failure.
2710
2711         As a follow-up I'd like to improve WTF::makeString further, so it
2712         does coercions to string and understands ADL as I did in this
2713         patch.
2714
2715         * wasm/WasmB3IRGenerator.cpp:
2716         (JSC::Wasm::B3IRGenerator::fail):
2717         (JSC::Wasm::parseAndCompile):
2718         * wasm/WasmB3IRGenerator.h:
2719         * wasm/WasmFormat.h:
2720         (JSC::Wasm::isValidExternalKind):
2721         (JSC::Wasm::makeString):
2722         * wasm/WasmFunctionParser.h:
2723         * wasm/WasmModuleParser.cpp:
2724         * wasm/WasmModuleParser.h:
2725         * wasm/WasmParser.h:
2726         (JSC::Wasm::FailureHelper::makeString):
2727         (JSC::Wasm::Parser::fail):
2728         (JSC::Wasm::Parser<SuccessType>::Parser):
2729         (JSC::Wasm::Parser<SuccessType>::consumeCharacter):
2730         (JSC::Wasm::Parser<SuccessType>::consumeString):
2731         (JSC::Wasm::Parser<SuccessType>::consumeUTF8String):
2732         (JSC::Wasm::Parser<SuccessType>::parseVarUInt32):
2733         (JSC::Wasm::Parser<SuccessType>::parseVarUInt64):
2734         (JSC::Wasm::Parser<SuccessType>::parseVarInt32):
2735         (JSC::Wasm::Parser<SuccessType>::parseVarInt64):
2736         (JSC::Wasm::Parser<SuccessType>::parseUInt32):
2737         (JSC::Wasm::Parser<SuccessType>::parseUInt64):
2738         (JSC::Wasm::Parser<SuccessType>::parseUInt8):
2739         (JSC::Wasm::Parser<SuccessType>::parseInt7):
2740         (JSC::Wasm::Parser<SuccessType>::parseUInt7):
2741         (JSC::Wasm::Parser<SuccessType>::parseVarUInt1):
2742         (JSC::Wasm::Parser<SuccessType>::parseResultType):
2743         (JSC::Wasm::Parser<SuccessType>::parseValueType):
2744         (JSC::Wasm::Parser<SuccessType>::parseExternalKind):
2745         * wasm/WasmPlan.cpp:
2746         (JSC::Wasm::Plan::run):
2747         * wasm/WasmSections.h:
2748         (JSC::Wasm::isValidSection):
2749         (JSC::Wasm::validateOrder):
2750         (JSC::Wasm::makeString):
2751         * wasm/WasmValidate.cpp:
2752         (JSC::Wasm::Validate::fail):
2753         (JSC::Wasm::Validate::addUnreachable):
2754         (JSC::Wasm::validateFunction):
2755         * wasm/WasmValidate.h:
2756         * wasm/generateWasmB3IRGeneratorInlinesHeader.py:
2757         * wasm/generateWasmOpsHeader.py:
2758         * wasm/generateWasmValidateInlinesHeader.py:
2759         (loadMacro):
2760         (storeMacro):
2761         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2762         (JSC::constructJSWebAssemblyInstance):
2763         * wasm/js/WebAssemblyModuleRecord.cpp:
2764         (JSC::WebAssemblyModuleRecord::link):
2765
2766 2016-12-15  JF Bastien  <jfbastien@apple.com>
2767
2768         WebAssembly API: improve data section errors, initialize after Element
2769         https://bugs.webkit.org/show_bug.cgi?id=165733
2770
2771         Reviewed by Keith Miller.
2772
2773         * wasm/WasmModuleParser.cpp:
2774         (JSC::Wasm::ModuleParser::parseData): Data section without Memory section or import is a validation error
2775         * wasm/js/WebAssemblyModuleRecord.cpp:
2776         (JSC::dataSegmentFail):
2777         (JSC::WebAssemblyModuleRecord::evaluate): tighten checks (though the spec isn't fully baked), and move after Element initialization
2778
2779 2016-12-15  Keith Miller  <keith_miller@apple.com>
2780
2781         Turn on WebAssembly by default
2782         https://bugs.webkit.org/show_bug.cgi?id=165918
2783
2784         Reviewed by Saam Barati.
2785
2786         * runtime/Options.h:
2787
2788 2016-12-15  Konstantin Tokarev  <annulen@yandex.ru>
2789
2790         Added missing override and final specifiers
2791         https://bugs.webkit.org/show_bug.cgi?id=165903
2792
2793         Reviewed by Darin Adler.
2794
2795         * bytecompiler/BytecodeGenerator.h:
2796         * jsc.cpp:
2797         * parser/Nodes.h:
2798
2799 2016-12-15  Chris Dumez  <cdumez@apple.com>
2800
2801         Harden JSObject::getOwnPropertyDescriptor()
2802         https://bugs.webkit.org/show_bug.cgi?id=165908
2803
2804         Reviewed by Geoffrey Garen.
2805
2806         * runtime/JSObject.cpp:
2807         (JSC::JSObject::getOwnPropertyDescriptor):
2808
2809 2016-12-15  Keith Miller  <keith_miller@apple.com>
2810
2811         Fix 64-bit shift family Wasm opcodes
2812         https://bugs.webkit.org/show_bug.cgi?id=165902
2813
2814         Reviewed by Geoffrey Garen.
2815
2816         The Int64 versions of the shift family B3 opcodes take an Int32
2817         for the shift value. Wasm, however, takes an i64, so we need to
2818         Trunc the shift value. Also, this fixes a bug where shr_u mapped
2819         to signed shift and shr_s mapped to the unsigned shift.
2820
2821         * wasm/wasm.json:
2822
2823 2016-12-14  Keith Miller  <keith_miller@apple.com>
2824
2825         Wasm should decode constants correctly
2826         https://bugs.webkit.org/show_bug.cgi?id=165886
2827
2828         Reviewed by Saam Barati.
2829
2830         This patch fixes how we decode the constant part of i32, i64, f32,
2831         and f64.const opcodes.
2832
2833         * wasm/WasmFunctionParser.h:
2834         (JSC::Wasm::FunctionParser<Context>::parseExpression):
2835         * wasm/wasm.json:
2836
2837 2016-12-14  Saam Barati  <sbarati@apple.com>
2838
2839         WebAssembly: Add various low hanging fruit that will allow us to run the LLVM torture tests in Wasm
2840         https://bugs.webkit.org/show_bug.cgi?id=165883
2841
2842         Reviewed by Keith Miller.
2843
2844         This patch implements some low hanging fruit:
2845         - Exporting Table
2846         - Exporting Memory
2847         - Load16 with zero extension to both 32 and 64 bit values.
2848         - Fixes Unreachable to emit code that will prevent B3 from having a validation error.
2849
2850         * wasm/WasmB3IRGenerator.cpp:
2851         (JSC::Wasm::B3IRGenerator::addUnreachable):
2852         (JSC::Wasm::sizeOfLoadOp):
2853         (JSC::Wasm::B3IRGenerator::emitLoadOp):
2854         * wasm/WasmFunctionParser.h:
2855         (JSC::Wasm::FunctionParser<Context>::parseExpression):
2856         * wasm/WasmModuleParser.cpp:
2857         (JSC::Wasm::ModuleParser::parseExport):
2858         * wasm/WasmValidate.cpp:
2859         (JSC::Wasm::Validate::addUnreachable):
2860         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2861         (JSC::constructJSWebAssemblyInstance):
2862         * wasm/js/WebAssemblyModuleRecord.cpp:
2863         (JSC::WebAssemblyModuleRecord::finishCreation):
2864         (JSC::WebAssemblyModuleRecord::link):
2865
2866 2016-12-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2867
2868         Update ModuleLoader code by using the latest builtin primitives
2869         https://bugs.webkit.org/show_bug.cgi?id=165851
2870
2871         Reviewed by Sam Weinig.
2872
2873         Update the module loader code,
2874
2875         1. Use @globalPrivate for the utilities, instead of setting them as the member of ModuleLoader.
2876         2. Use @putByValDirect instead of @push. @push is user-observable since it uses Set() operation
2877            and it can be observed by defining indexed setters in Array.prototype.
2878
2879         * builtins/ModuleLoaderPrototype.js:
2880         (ensureRegistered):
2881         (fulfillFetch):
2882         (commitInstantiated):
2883         (requestFetch):
2884         (requestSatisfy):
2885         (setStateToMax): Deleted.
2886         (newRegistryEntry): Deleted.
2887         * runtime/ModuleLoaderPrototype.cpp:
2888
2889 2016-12-14  Michael Saboff  <msaboff@apple.com>
2890
2891         The stress GC bot crashes in JavaScriptCore beneath ShadowChicken::update and Inspector::jsToInspectorValue
2892         https://bugs.webkit.org/show_bug.cgi?id=165871
2893
2894         Reviewed by Mark Lam.
2895
2896         This fixes two issues with the VM watch dog timer firing in a worker.
2897
2898         The first issue has to do with bytecode ordering.  Prior to this change, the first few opcodes
2899         generated when the watch dog is enabled are:
2900                 op_enter
2901                 op_watchdog
2902                 op_get_scope
2903         When the watchdog fires, the function will get an exception at op_watchdog.  In processing that exception,
2904         we'll try to update the ShadowChicken shadow stack.  That update assumes that if there is a scope 
2905         VirtualRegister allocated, then the slot contains a valid JSScope.  With the current bytecode ordering,
2906         this is not true at op_watchdog as op_enter will put JSUndefined in the scope slot.  It isn't until the
2907         op_get_scope gets processed that we'll have a valid scope in the slot.  The fix for this issue is to 
2908         ensure that op_get_scope happens before the op_watchdog.
2909
2910         The second issue is that ScriptFunctionCall::call() will not tell its caller that a terminated
2911         execution exception happened.  Instead call() returns an empty JSValue.  InjectedScript::wrapCallFrames()
2912         wasn't checking for an empty JSValue, but was passing it to another function.  Added a short circuit
2913         return when call returns an empty JSValue.
2914
2915         Added <https://bugs.webkit.org/show_bug.cgi?id=165875> to fix other callers of ScriptFunctionCall::call()
2916         to check for an empty JSValue return value.
2917         Also tracked with <rdar://problem/29671015>.
2918
2919         * bytecompiler/BytecodeGenerator.cpp:
2920         (JSC::BytecodeGenerator::BytecodeGenerator):
2921         (JSC::BytecodeGenerator::emitEnter):
2922         * inspector/InjectedScript.cpp:
2923         (Inspector::InjectedScript::wrapCallFrames):
2924
2925 2016-12-14  Filip Pizlo  <fpizlo@apple.com>
2926
2927         DirectTailCall implementation needs to tell the shuffler what to put into the ArgumentCount explicitly
2928         https://bugs.webkit.org/show_bug.cgi?id=165882
2929
2930         Reviewed by Mark Lam.
2931         
2932         The CallFrameShuffler was assuming that the ArgumentCount that it should store into the
2933         callee frame is simply the size of the args vector.
2934         
2935         That's not true for DirectTailCall, which will pad the args vector with undefined if we
2936         are optimizing an arity mismatch. We need to pass the ArgumentCount explicitly in this
2937         case.
2938
2939         * dfg/DFGSpeculativeJIT32_64.cpp:
2940         (JSC::DFG::SpeculativeJIT::emitCall):
2941         * dfg/DFGSpeculativeJIT64.cpp:
2942         (JSC::DFG::SpeculativeJIT::emitCall):
2943         * ftl/FTLLowerDFGToB3.cpp:
2944         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
2945         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
2946         * jit/CallFrameShuffleData.h:
2947         * jit/CallFrameShuffler.cpp:
2948         (JSC::CallFrameShuffler::CallFrameShuffler):
2949         (JSC::CallFrameShuffler::prepareAny):
2950         * jit/CallFrameShuffler.h:
2951         (JSC::CallFrameShuffler::snapshot):
2952         * jit/JITCall.cpp:
2953         (JSC::JIT::compileOpCall):
2954
2955 2016-12-14  Keith Miller  <keith_miller@apple.com>
2956
2957         WebAssembly JS API: implement Global
2958         https://bugs.webkit.org/show_bug.cgi?id=164133
2959
2960         Reviewed by Saam Barati.
2961
2962         This patch adds support for globals. It handles imports, exports
2963         and internal globals. In the MVP only internal globals are allowed
2964         to be mutable. This means we can store a C-array of 64-bit slots
2965         off the instance holding them. When globals are exported to JS
2966         they are done so as numbers. This means that i64 globals cannot be
2967         imported or exported.
2968
2969         * wasm/WasmB3IRGenerator.cpp:
2970         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2971         (JSC::Wasm::B3IRGenerator::getGlobal):
2972         (JSC::Wasm::B3IRGenerator::setGlobal):
2973         (JSC::Wasm::B3IRGenerator::addCallIndirect):
2974         (JSC::Wasm::parseAndCompile):
2975         * wasm/WasmFormat.h:
2976         * wasm/WasmFunctionParser.h:
2977         (JSC::Wasm::FunctionParser<Context>::parseExpression):
2978         * wasm/WasmModuleParser.cpp:
2979         (JSC::Wasm::ModuleParser::parseImport):
2980         (JSC::Wasm::ModuleParser::parseGlobal):
2981         (JSC::Wasm::ModuleParser::parseExport):
2982         (JSC::Wasm::ModuleParser::parseElement):
2983         (JSC::Wasm::ModuleParser::parseInitExpr):
2984         (JSC::Wasm::ModuleParser::parseGlobalType):
2985         (JSC::Wasm::ModuleParser::parseData):
2986         * wasm/WasmModuleParser.h:
2987         * wasm/WasmParser.h:
2988         (JSC::Wasm::Parser::parseVarInt32):
2989         (JSC::Wasm::Parser::parseVarInt64):
2990         (JSC::Wasm::Parser::parseUInt64):
2991         * wasm/WasmValidate.cpp:
2992         (JSC::Wasm::Validate::hasMemory):
2993         (JSC::Wasm::Validate::Validate):
2994         (JSC::Wasm::Validate::getGlobal):
2995         (JSC::Wasm::Validate::setGlobal):
2996         (JSC::Wasm::validateFunction):
2997         * wasm/generateWasmOpsHeader.py:
2998         * wasm/js/JSWebAssemblyInstance.cpp:
2999         (JSC::JSWebAssemblyInstance::create):
3000         (JSC::JSWebAssemblyInstance::finishCreation):
3001         (JSC::JSWebAssemblyInstance::visitChildren):
3002         * wasm/js/JSWebAssemblyInstance.h:
3003         (JSC::JSWebAssemblyInstance::loadI32Global):
3004         (JSC::JSWebAssemblyInstance::loadI64Global):
3005         (JSC::JSWebAssemblyInstance::loadF32Global):
3006         (JSC::JSWebAssemblyInstance::loadF64Global):
3007         (JSC::JSWebAssemblyInstance::setGlobal):
3008         (JSC::JSWebAssemblyInstance::offsetOfGlobals):
3009         * wasm/js/WebAssemblyInstanceConstructor.cpp:
3010         (JSC::constructJSWebAssemblyInstance):
3011         * wasm/js/WebAssemblyModuleRecord.cpp:
3012         (JSC::WebAssemblyModuleRecord::finishCreation):
3013         (JSC::WebAssemblyModuleRecord::link):
3014
3015 2016-12-14  Filip Pizlo  <fpizlo@apple.com>
3016
3017         Unreviewed, re-enable concurrent GC on ARM64 now that the most likely culprit of the memory
3018         regressions is fixed. Lets see what the bots think!
3019
3020         * runtime/Options.cpp:
3021         (JSC::recomputeDependentOptions):
3022
3023 2016-12-14  Filip Pizlo  <fpizlo@apple.com>
3024
3025         Devices with fewer cores should use a more aggressive GC schedule by default
3026         https://bugs.webkit.org/show_bug.cgi?id=165859
3027
3028         Reviewed by Mark Lam.
3029
3030         * heap/Heap.cpp:
3031         (JSC::Heap::markToFixpoint): Log when we have an unexpected delay in wake-up.
3032         * heap/SlotVisitor.cpp:
3033         (JSC::SlotVisitor::drainInParallelPassively): Don't drain passively if there aren't many cores.
3034         * runtime/Options.cpp:
3035         (JSC::overrideDefaults): Change the heuristics if we have fewer cores.
3036         (JSC::Options::initialize):
3037         * runtime/Options.h:
3038
3039 2016-12-14  Mark Lam  <mark.lam@apple.com>
3040
3041         BytecodeBasicBlock::computeImpl() should not keep iterating blocks if all jump targets have already been found.
3042         https://bugs.webkit.org/show_bug.cgi?id=165820
3043
3044         Reviewed by Saam Barati.
3045
3046         Currently, if an opcode is a branch type opcode, BytecodeBasicBlock::computeImpl()
3047         will iterate over all basic blocks looking for the block containing the jump
3048         target, and it will continue to do this even when all the jump targets have been
3049         found.  This is wasted work, and all the more so given that most branch type
3050         opcodes only have a single jump target.
3051
3052         * bytecode/BytecodeBasicBlock.cpp:
3053         (JSC::BytecodeBasicBlock::computeImpl):
3054
3055 2016-12-14  Gavin Barraclough  <barraclough@apple.com>
3056
3057         MarkedBlock::marksConveyLivenessDuringMarking should take into account collection scope
3058         https://bugs.webkit.org/show_bug.cgi?id=165741
3059
3060         Unreviewed, re-landing this with fix (revert erroneous change to Options).
3061
3062         * CMakeLists.txt:
3063         * JavaScriptCore.xcodeproj/project.pbxproj:
3064         * heap/CellContainer.cpp: Added.
3065         (JSC::CellContainer::isNewlyAllocated):
3066         * heap/CellContainer.h:
3067         * heap/MarkedAllocator.cpp:
3068         (JSC::MarkedAllocator::addBlock):
3069         (JSC::MarkedAllocator::removeBlock):
3070         (JSC::MarkedAllocator::dumpBits):
3071         * heap/MarkedAllocator.h:
3072         (JSC::MarkedAllocator::forEachBitVector):
3073         (JSC::MarkedAllocator::forEachBitVectorWithName):
3074         * heap/MarkedBlock.cpp:
3075         (JSC::MarkedBlock::tryCreate):
3076         (JSC::MarkedBlock::Handle::~Handle):
3077         (JSC::MarkedBlock::MarkedBlock):
3078         (JSC::MarkedBlock::Handle::specializedSweep):
3079         (JSC::MarkedBlock::Handle::sweepHelperSelectMarksMode):
3080         (JSC::MarkedBlock::Handle::stopAllocating):
3081         (JSC::MarkedBlock::Handle::resumeAllocating):
3082         (JSC::MarkedBlock::aboutToMarkSlow):
3083         (JSC::MarkedBlock::Handle::didConsumeFreeList):
3084         (JSC::MarkedBlock::Handle::dumpState):
3085         * heap/MarkedBlock.h:
3086         (JSC::MarkedBlock::markingVersion):
3087         (JSC::MarkedBlock::isMarkedRaw):
3088         (JSC::MarkedBlock::isMarked):
3089         * heap/MarkedBlockInlines.h:
3090         (JSC::MarkedBlock::marksConveyLivenessDuringMarking):
3091         * heap/SlotVisitor.cpp:
3092         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
3093         * runtime/StructureIDTable.h:
3094         (JSC::StructureIDTable::size):
3095         (JSC::StructureIDTable::get):
3096
3097 2016-12-14  Chris Dumez  <cdumez@apple.com>
3098
3099         Unreviewed, rolling out r209766.
3100
3101         Regressed Dromaeo JSLib by ~50%
3102
3103         Reverted changeset:
3104
3105         "Make opaque root scanning truly constraint-based"
3106         https://bugs.webkit.org/show_bug.cgi?id=165760
3107         http://trac.webkit.org/changeset/209766
3108
3109 2016-12-14  Commit Queue  <commit-queue@webkit.org>
3110
3111         Unreviewed, rolling out r209795.
3112         https://bugs.webkit.org/show_bug.cgi?id=165853
3113
3114         rolled out the wrong revision (Requested by pizlo on #webkit).
3115
3116         Reverted changeset:
3117
3118         "MarkedBlock::marksConveyLivenessDuringMarking should take
3119         into account collection scope"
3120         https://bugs.webkit.org/show_bug.cgi?id=165741
3121         http://trac.webkit.org/changeset/209795
3122
3123 2016-12-14  Filip Pizlo  <fpizlo@apple.com>
3124
3125         Unreviewed, disable concurrent GC on ARM while we investigate a memory use regression.
3126
3127         * runtime/Options.cpp:
3128         (JSC::recomputeDependentOptions):
3129
3130 2016-12-13  Yusuke Suzuki  <utatane.tea@gmail.com>
3131
3132         Use JSValue::toWTFString instead of calling toString(exec) and value(exec)
3133         https://bugs.webkit.org/show_bug.cgi?id=165795
3134
3135         Reviewed by Saam Barati.
3136
3137         In old days, we frequently use the idiom like, `value.toString(exec)->value(exec)` to
3138         get WTFString from the given JSValue. But now, we have better function, `toWTFString`.
3139         `toWTFString` does not create intermediate JSString objects, then reduce unnecessary
3140         allocations.
3141
3142         This patch mechanically replaces `value.toString(exec)->value(exec)` with `toWTFString(exec)`.
3143
3144         * API/JSValueRef.cpp:
3145         (JSValueToStringCopy):
3146         * bindings/ScriptValue.cpp:
3147         (Deprecated::ScriptValue::toString):
3148         * inspector/JSGlobalObjectInspectorController.cpp:
3149         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
3150         * inspector/JSInjectedScriptHost.cpp:
3151         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
3152         * inspector/JSJavaScriptCallFrame.cpp:
3153         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
3154         * inspector/ScriptCallStackFactory.cpp:
3155         (Inspector::extractSourceInformationFromException):
3156         * runtime/ConsoleObject.cpp:
3157         (JSC::valueToStringWithUndefinedOrNullCheck):
3158         (JSC::valueOrDefaultLabelString):
3159         * runtime/DateConstructor.cpp:
3160         (JSC::dateParse):
3161         * runtime/DatePrototype.cpp:
3162         (JSC::formatLocaleDate):
3163         * runtime/ErrorInstance.cpp:
3164         (JSC::ErrorInstance::sanitizedToString):
3165         * runtime/ErrorPrototype.cpp:
3166         (JSC::errorProtoFuncToString):
3167         * runtime/InspectorInstrumentationObject.cpp:
3168         (JSC::inspectorInstrumentationObjectLog):
3169         * runtime/JSGlobalObjectFunctions.cpp:
3170         (JSC::globalFuncEval):
3171         * runtime/JSModuleLoader.cpp:
3172         (JSC::JSModuleLoader::fetch):
3173         * runtime/ModuleLoaderPrototype.cpp:
3174         (JSC::moduleLoaderPrototypeParseModule):
3175         * runtime/RegExpConstructor.cpp:
3176         (JSC::regExpCreate):
3177         * runtime/RegExpPrototype.cpp:
3178         (JSC::regExpProtoFuncCompile):
3179         (JSC::regExpProtoFuncToString):
3180         * runtime/StringPrototype.cpp:
3181         (JSC::replaceUsingRegExpSearch):
3182         (JSC::replaceUsingStringSearch):
3183         (JSC::stringProtoFuncSlice):
3184         (JSC::stringProtoFuncSplitFast):
3185         (JSC::stringProtoFuncSubstr):
3186         (JSC::stringProtoFuncLocaleCompare):
3187         (JSC::stringProtoFuncBig):
3188         (JSC::stringProtoFuncSmall):
3189         (JSC::stringProtoFuncBlink):
3190         (JSC::stringProtoFuncBold):
3191         (JSC::stringProtoFuncFixed):
3192         (JSC::stringProtoFuncItalics):
3193         (JSC::stringProtoFuncStrike):
3194         (JSC::stringProtoFuncSub):
3195         (JSC::stringProtoFuncSup):
3196         (JSC::stringProtoFuncFontcolor):
3197         (JSC::stringProtoFuncFontsize):
3198         (JSC::stringProtoFuncAnchor):
3199         (JSC::stringProtoFuncLink):
3200         (JSC::trimString):
3201         (JSC::stringProtoFuncStartsWith):
3202         (JSC::stringProtoFuncEndsWith):
3203         (JSC::stringProtoFuncIncludes):
3204         (JSC::builtinStringIncludesInternal):
3205         (JSC::stringProtoFuncNormalize):
3206         * tools/JSDollarVMPrototype.cpp:
3207         (JSC::functionPrint):
3208         * wasm/js/JSWebAssemblyCompileError.h:
3209         (JSC::JSWebAssemblyCompileError::create):
3210         * wasm/js/JSWebAssemblyRuntimeError.h:
3211         (JSC::JSWebAssemblyRuntimeError::create):
3212
3213 2016-12-14  Gavin Barraclough  <barraclough@apple.com>
3214
3215         MarkedBlock::marksConveyLivenessDuringMarking should take into account collection scope
3216         https://bugs.webkit.org/show_bug.cgi?id=165741
3217
3218         Unreviewed rollout due to performance regression.
3219
3220         * CMakeLists.txt:
3221         * JavaScriptCore.xcodeproj/project.pbxproj:
3222         * heap/CellContainer.cpp: Removed.
3223         * heap/CellContainer.h:
3224         * heap/MarkedAllocator.cpp:
3225         (JSC::MarkedAllocator::addBlock):
3226         (JSC::MarkedAllocator::removeBlock):
3227         (JSC::MarkedAllocator::dumpBits):
3228         * heap/MarkedAllocator.h:
3229         (JSC::MarkedAllocator::forEachBitVector):
3230         (JSC::MarkedAllocator::forEachBitVectorWithName):
3231         * heap/MarkedBlock.cpp:
3232         (JSC::MarkedBlock::tryCreate):
3233         (JSC::MarkedBlock::Handle::~Handle):
3234         (JSC::MarkedBlock::MarkedBlock):
3235         (JSC::MarkedBlock::Handle::specializedSweep):
3236         (JSC::MarkedBlock::Handle::sweepHelperSelectMarksMode):
3237         (JSC::MarkedBlock::Handle::stopAllocating):
3238         (JSC::MarkedBlock::Handle::resumeAllocating):
3239         (JSC::MarkedBlock::aboutToMarkSlow):
3240         (JSC::MarkedBlock::Handle::didConsumeFreeList):
3241         (JSC::MarkedBlock::Handle::dumpState): Deleted.
3242         * heap/MarkedBlock.h:
3243         (JSC::MarkedBlock::isMarked):
3244         (JSC::MarkedBlock::markingVersion): Deleted.
3245         (JSC::MarkedBlock::isMarkedRaw): Deleted.
3246         * heap/MarkedBlockInlines.h:
3247         (JSC::MarkedBlock::marksConveyLivenessDuringMarking):
3248         * heap/SlotVisitor.cpp:
3249         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
3250         * runtime/Options.h:
3251         * runtime/StructureIDTable.h:
3252         (JSC::StructureIDTable::get):
3253         (JSC::StructureIDTable::size): Deleted.
3254
3255 2016-12-13  Commit Queue  <commit-queue@webkit.org>
3256
3257         Unreviewed, rolling out r209792.
3258         https://bugs.webkit.org/show_bug.cgi?id=165841
3259
3260         Cause build failures (Requested by yusukesuzuki on #webkit).
3261
3262         Reverted changeset:
3263
3264         "Use JSValue::toWTFString instead of calling toString(exec)
3265         and value(exec)"
3266         https://bugs.webkit.org/show_bug.cgi?id=165795
3267         http://trac.webkit.org/changeset/209792
3268
3269 2016-12-13  Yusuke Suzuki  <utatane.tea@gmail.com>
3270
3271         Use JSValue::toWTFString instead of calling toString(exec) and value(exec)
3272         https://bugs.webkit.org/show_bug.cgi?id=165795
3273
3274         Reviewed by Saam Barati.
3275
3276         In old days, we frequently use the idiom like, `value.toString(exec)->value(exec)` to
3277         get WTFString from the given JSValue. But now, we have better function, `toWTFString`.
3278         `toWTFString` does not create intermediate JSString objects, then reduce unnecessary
3279         allocations.
3280
3281         This patch mechanically replaces `value.toString(exec)->value(exec)` with `toWTFString(exec)`.
3282
3283         * API/JSValueRef.cpp:
3284         (JSValueToStringCopy):
3285         * bindings/ScriptValue.cpp:
3286         (Deprecated::ScriptValue::toString):
3287         * inspector/JSGlobalObjectInspectorController.cpp:
3288         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
3289         * inspector/JSInjectedScriptHost.cpp:
3290         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
3291         * inspector/JSJavaScriptCallFrame.cpp:
3292         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
3293         * inspector/ScriptCallStackFactory.cpp:
3294         (Inspector::extractSourceInformationFromException):
3295         * runtime/ConsoleObject.cpp:
3296         (JSC::valueToStringWithUndefinedOrNullCheck):
3297         (JSC::valueOrDefaultLabelString):
3298         * runtime/DateConstructor.cpp:
3299         (JSC::dateParse):
3300         * runtime/DatePrototype.cpp:
3301         (JSC::formatLocaleDate):
3302         * runtime/ErrorInstance.cpp:
3303         (JSC::ErrorInstance::sanitizedToString):
3304         * runtime/ErrorPrototype.cpp:
3305         (JSC::errorProtoFuncToString):
3306         * runtime/InspectorInstrumentationObject.cpp:
3307         (JSC::inspectorInstrumentationObjectLog):
3308         * runtime/JSCJSValue.cpp:
3309         (JSC::JSValue::toWTFStringSlowCase):