[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2015-09-16  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Implement indirect calls in WebAssembly
        https://bugs.webkit.org/show_bug.cgi?id=149100

        Reviewed by Geoffrey Garen.

        This patch implement indirect calls for WebAssembly files generated by
        pack-asmjs <https://github.com/WebAssembly/polyfill-prototype-1>.
        pack-asmjs uses the same indirect call model as asm.js. In asm.js, an
        indirect call looks like this:
            t[i & n](...)
        where t is a variable referring to an array of functions with the same
        signature, i is an integer expression, n is an integer that is equal to
        (t.length - 1), and t.length is a power of two. pack-asmjs does not
        use the '&' operator nor n in the WebAssembly output, but the semantics
        is still the same as asm.js.

        * tests/stress/wasm-calls.js:
        * tests/stress/wasm/calls.wasm:
        * wasm/WASMFormat.h:
        * wasm/WASMFunctionCompiler.h:
        (JSC::WASMFunctionCompiler::buildCallIndirect):
        * wasm/WASMFunctionParser.cpp:
        (JSC::WASMFunctionParser::parseExpressionI32):
        (JSC::WASMFunctionParser::parseExpressionF32):
        (JSC::WASMFunctionParser::parseExpressionF64):
        (JSC::WASMFunctionParser::parseCallIndirect):
        * wasm/WASMFunctionParser.h:
        * wasm/WASMFunctionSyntaxChecker.h:
        (JSC::WASMFunctionSyntaxChecker::buildCallIndirect):
        * wasm/WASMModuleParser.cpp:
        (JSC::WASMModuleParser::parseFunctionPointerTableSection):
        (JSC::WASMModuleParser::parseFunctionDefinitionSection):

2015-09-16  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Fix 32-bit build issues in WebAssembly
        https://bugs.webkit.org/show_bug.cgi?id=149240

        Reviewed by Geoffrey Garen.

        Fix the syntax error and replace the instructions that are not available on
        64-bit platforms.

        * wasm/WASMFunctionCompiler.h:
        (JSC::WASMFunctionCompiler::startFunction):
        (JSC::WASMFunctionCompiler::endFunction):
        (JSC::WASMFunctionCompiler::buildReturn):
        (JSC::WASMFunctionCompiler::callAndUnboxResult):
        (JSC::WASMFunctionCompiler::loadValueAndConvertToDouble):

2015-09-16  Geoffrey Garen  <ggaren@apple.com>

        JavaScriptCore should discard baseline code after some time
        https://bugs.webkit.org/show_bug.cgi?id=149220

        Reviewed by Saam Barati.

        This is a bit more complicated than discarding optimized code because
        the engine previously assumed that we would never discard baseline code.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock): Record creation time (and compute time since
        creation) instead of install time because CodeBlocks can be installed
        more than once, and we don't want to have to worry about edge cases
        created by CodeBlocks seeming to get younger.

        (JSC::CodeBlock::visitAggregate): Be explicit about only doing the 
        weak reference fixpoint for optimized CodeBlocks. We used to avoid the
        fixpoint for baseline CodeBlocks implicitly, since they would always
        visit themselves strongly right away. But now baseline CodeBlocks might
        not visit themselves strongly, since they might choose to jettison due
        to old age.

        (JSC::CodeBlock::shouldVisitStrongly): Add old age as a reason not to
        visit ourselves strongly, so that baseline CodeBlocks can jettison due
        to old age.

        (JSC::CodeBlock::shouldJettisonDueToWeakReference): Be explicit about
        only jettisoning optimized CodeBlocks due to weak references so that we
        don't confuse ourselves into thinking that we will jettison a baseline
        CodeBlock due to weak references.

        (JSC::CodeBlock::shouldJettisonDueToOldAge): Updated to use creation time.

        (JSC::CodeBlock::visitOSRExitTargets): Clarify a comment and add an
        ASSERT to help record some things I discovered while debugging.

        (JSC::CodeBlock::jettison): Allow a baseline CodeBlock to jettison. Don't
        assume that we have an alternative or a profiler.

        (JSC::CodeBlock::install): Deleted.
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::releaseAlternative): Deleted.
        (JSC::CodeBlock::setInstallTime): Deleted.
        (JSC::CodeBlock::timeSinceInstall): Deleted.

        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit): Simplified the computation of
        baseline CodeBlock.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::checkLivenessAndVisitChildren): Be sure to strongly
        visit our inline callframes because we assume that an optimized CodeBlock
        will keep its OSR exit targets alive, but the CodeBlock object won't be
        able to mark them for itself until compilation has completed (since it
        won't have a JITCode object yet).

        * dfg/DFGToFTLDeferredCompilationCallback.cpp:
        (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
        Updated for interface change.

        * jit/JITCode.h:
        (JSC::JITCode::timeToLive): Provide a time to live for interpreter and
        baseline code, so they will jettison when old. Use seconds in our
        code so that we don't need comments. Make DFG 2X interpreter+baseline,
        and FTL 2X DFG+interpreter+baseline, also matching the time we allot
        before throwing away all code.

        * jit/JITToDFGDeferredCompilationCallback.cpp:
        (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics): Updated for interface change.

        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::installCode): Allow our caller to install nullptr,
        since we need to do this when jettisoning a baseline CodeBlock. Require
        our caller to specify the details of the installation because we can't
        rely on a non-null CodeBlock in order to compute them.

        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        * runtime/Executable.h:
        (JSC::ScriptExecutable::recordParse): Updated for interface change.

        * runtime/Options.h: Renamed the CodeBlock liveness option since it now
        controls baseline and optimized code.

2015-09-16  Geoffrey Garen  <ggaren@apple.com>

        Remove obsolete code for deleting CodeBlocks
        https://bugs.webkit.org/show_bug.cgi?id=149231

        Reviewed by Mark Lam.

        * heap/Heap.cpp:
        (JSC::Heap::deleteAllCodeBlocks): ASSERT that we're called in a valid
        state, and do the compiler waiting ourselves instead of having our
        caller do it. This is more appropriate to our new limited use.

        (JSC::Heap::collectImpl):
        (JSC::Heap::deleteOldCode): Deleted. Don't call deleteAllCodeBlocks
        periodically because it's not such a good idea to delete everything
        at once, and CodeBlocks now have a more precise individual policy for
        when to delete. Also, this function used to fail all or nearly all of
        the time because its invariants that we were not executing or compiling
        could not be met.

        * heap/Heap.h:

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionDeleteAllCompiledCode): Deleted.
        * tests/stress/deleteAllCompiledCode.js: Removed. Removed this testing
        code because it did not do what it thought it did. All of this code
        was guaranteed to no-op since it would run JavaScript to call a function
        that would return early because JavaScript was running.

        * runtime/VM.cpp:
        (JSC::VM::deleteAllCode): This code is simpler now becaue 
        heap.deleteAllCodeBlocks does some work for us.

        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope): Don't delete code on VM entry. This
        policy was old, and it dated back to a time when we 

            (a) couldn't run in the interpreter if compilation failed;

            (b) didn't reduce the rate of compilation in response to executable
            memory pressure;

            (c) didn't throw away individual CodeBlocks automatically.

2015-09-16  Michael Saboff  <msaboff@apple.com>

        [ES6] Implement tail calls in the LLInt and Baseline JIT
        https://bugs.webkit.org/show_bug.cgi?id=148661

        Fix for the breakage of Speedometer/Full.html (https://bugs.webkit.org/show_bug.cgi?id=149162).

        Reviewed by Filip Pizlo.
        Changed SetupVarargsFrame.cpp::emitSetVarargsFrame to align the callframe size to be a
        multiple of stackAlignmentRegisters() in addition to the location of the new frame.

        Fixed Reviewed by Filip Pizlo.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbortReason.h:
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::Call::Call):
        (JSC::AbstractMacroAssembler::repatchNearCall):
        (JSC::AbstractMacroAssembler::repatchCompact):
        * assembler/CodeLocation.h:
        (JSC::CodeLocationNearCall::CodeLocationNearCall):
        (JSC::CodeLocationNearCall::callMode):
        (JSC::CodeLocationCommon::callAtOffset):
        (JSC::CodeLocationCommon::nearCallAtOffset):
        (JSC::CodeLocationCommon::dataLabelPtrAtOffset):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::locationOfNearCall):
        (JSC::LinkBuffer::locationOf):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::nearCall):
        (JSC::MacroAssemblerARM::nearTailCall):
        (JSC::MacroAssemblerARM::call):
        (JSC::MacroAssemblerARM::linkCall):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::nearCall):
        (JSC::MacroAssemblerARM64::nearTailCall):
        (JSC::MacroAssemblerARM64::ret):
        (JSC::MacroAssemblerARM64::linkCall):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::nearCall):
        (JSC::MacroAssemblerARMv7::nearTailCall):
        (JSC::MacroAssemblerARMv7::call):
        (JSC::MacroAssemblerARMv7::linkCall):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::nearCall):
        (JSC::MacroAssemblerMIPS::nearTailCall):
        (JSC::MacroAssemblerMIPS::call):
        (JSC::MacroAssemblerMIPS::linkCall):
        (JSC::MacroAssemblerMIPS::repatchCall):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::call):
        (JSC::MacroAssemblerSH4::nearTailCall):
        (JSC::MacroAssemblerSH4::nearCall):
        (JSC::MacroAssemblerSH4::linkCall):
        (JSC::MacroAssemblerSH4::repatchCall):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::linkCall):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::breakpoint):
        (JSC::MacroAssemblerX86Common::nearTailCall):
        (JSC::MacroAssemblerX86Common::nearCall):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::linkCall):
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::callTypeFor):
        (JSC::CallLinkInfo::isVarargsCallType):
        (JSC::CallLinkInfo::CallLinkInfo):
        (JSC::CallLinkInfo::specializationKind):
        (JSC::CallLinkInfo::callModeFor):
        (JSC::CallLinkInfo::callMode):
        (JSC::CallLinkInfo::isTailCall):
        (JSC::CallLinkInfo::isVarargs):
        (JSC::CallLinkInfo::registerPreservationMode):
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFromLLInt):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitCallInTailPosition):
        (JSC::BytecodeGenerator::emitCallEval):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
        (JSC::BytecodeGenerator::emitConstructVarargs):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::CallArguments::CallArguments):
        (JSC::LabelNode::emitBytecode):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
        * interpreter/Interpreter.h:
        (JSC::Interpreter::isCallBytecode):
        (JSC::calleeFrameForVarargs):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::jumpToExceptionHandler):
        (JSC::CCallHelpers::prepareForTailCallSlow):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        (JSC::JIT::emit_op_call):
        (JSC::JIT::emit_op_tail_call):
        (JSC::JIT::emit_op_call_eval):
        (JSC::JIT::emit_op_call_varargs):
        (JSC::JIT::emit_op_tail_call_varargs):
        (JSC::JIT::emit_op_construct_varargs):
        (JSC::JIT::emitSlow_op_call):
        (JSC::JIT::emitSlow_op_tail_call):
        (JSC::JIT::emitSlow_op_call_eval):
        (JSC::JIT::emitSlow_op_call_varargs):
        (JSC::JIT::emitSlow_op_tail_call_varargs):
        (JSC::JIT::emitSlow_op_construct_varargs):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emitSlow_op_call):
        (JSC::JIT::emitSlow_op_tail_call):
        (JSC::JIT::emitSlow_op_call_eval):
        (JSC::JIT::emitSlow_op_call_varargs):
        (JSC::JIT::emitSlow_op_tail_call_varargs):
        (JSC::JIT::emitSlow_op_construct_varargs):
        (JSC::JIT::emit_op_call):
        (JSC::JIT::emit_op_tail_call):
        (JSC::JIT::emit_op_call_eval):
        (JSC::JIT::emit_op_call_varargs):
        (JSC::JIT::emit_op_tail_call_varargs):
        (JSC::JIT::emit_op_construct_varargs):
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITInlines.h:
        (JSC::JIT::emitNakedCall):
        (JSC::JIT::emitNakedTailCall):
        (JSC::JIT::updateTopCallFrame):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/Repatch.cpp:
        (JSC::linkVirtualFor):
        (JSC::linkPolymorphicCall):
        * jit/SetupVarargsFrame.cpp:
        (JSC::emitSetVarargsFrame):
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::slowPathFor):
        (JSC::linkCallThunkGenerator):
        (JSC::virtualThunkFor):
        (JSC::arityFixupGenerator):
        (JSC::unreachableGenerator):
        (JSC::baselineGetterReturnThunkGenerator):
        * jit/ThunkGenerators.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::arityCheckFor):
        (JSC::CommonSlowPaths::opIn):

2015-09-15  Michael Saboff  <msaboff@apple.com>

        Rollout r189774 and 189818.

        Broke Speedometer/Full.html

        Not reviewed.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbortReason.h:
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::Call::Call):
        (JSC::AbstractMacroAssembler::repatchNearCall):
        (JSC::AbstractMacroAssembler::repatchCompact):
        * assembler/CodeLocation.h:
        (JSC::CodeLocationNearCall::CodeLocationNearCall):
        (JSC::CodeLocationCommon::callAtOffset):
        (JSC::CodeLocationCommon::nearCallAtOffset):
        (JSC::CodeLocationCommon::dataLabelPtrAtOffset):
        (JSC::CodeLocationNearCall::callMode): Deleted.
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::locationOfNearCall):
        (JSC::LinkBuffer::locationOf):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::nearCall):
        (JSC::MacroAssemblerARM::call):
        (JSC::MacroAssemblerARM::linkCall):
        (JSC::MacroAssemblerARM::nearTailCall): Deleted.
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::nearCall):
        (JSC::MacroAssemblerARM64::ret):
        (JSC::MacroAssemblerARM64::linkCall):
        (JSC::MacroAssemblerARM64::nearTailCall): Deleted.
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::nearCall):
        (JSC::MacroAssemblerARMv7::call):
        (JSC::MacroAssemblerARMv7::linkCall):
        (JSC::MacroAssemblerARMv7::nearTailCall): Deleted.
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::nearCall):
        (JSC::MacroAssemblerMIPS::call):
        (JSC::MacroAssemblerMIPS::linkCall):
        (JSC::MacroAssemblerMIPS::repatchCall):
        (JSC::MacroAssemblerMIPS::nearTailCall): Deleted.
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::call):
        (JSC::MacroAssemblerSH4::nearCall):
        (JSC::MacroAssemblerSH4::linkCall):
        (JSC::MacroAssemblerSH4::repatchCall):
        (JSC::MacroAssemblerSH4::nearTailCall): Deleted.
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::linkCall):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::breakpoint):
        (JSC::MacroAssemblerX86Common::nearCall):
        (JSC::MacroAssemblerX86Common::nearTailCall): Deleted.
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::linkCall):
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::callTypeFor):
        (JSC::CallLinkInfo::CallLinkInfo):
        (JSC::CallLinkInfo::specializationKind):
        (JSC::CallLinkInfo::registerPreservationMode):
        (JSC::CallLinkInfo::isVarargsCallType): Deleted.
        (JSC::CallLinkInfo::callModeFor): Deleted.
        (JSC::CallLinkInfo::callMode): Deleted.
        (JSC::CallLinkInfo::isTailCall): Deleted.
        (JSC::CallLinkInfo::isVarargs): Deleted.
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFromLLInt):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitCallInTailPosition):
        (JSC::BytecodeGenerator::emitCallEval):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
        (JSC::BytecodeGenerator::emitConstructVarargs):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::CallArguments::CallArguments):
        (JSC::LabelNode::emitBytecode):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
        * interpreter/Interpreter.h:
        (JSC::Interpreter::isCallBytecode):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::jumpToExceptionHandler):
        (JSC::CCallHelpers::prepareForTailCallSlow): Deleted.
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        (JSC::JIT::emit_op_call):
        (JSC::JIT::emit_op_call_eval):
        (JSC::JIT::emit_op_call_varargs):
        (JSC::JIT::emit_op_construct_varargs):
        (JSC::JIT::emitSlow_op_call):
        (JSC::JIT::emitSlow_op_call_eval):
        (JSC::JIT::emitSlow_op_call_varargs):
        (JSC::JIT::emitSlow_op_construct_varargs):
        (JSC::JIT::emit_op_tail_call): Deleted.
        (JSC::JIT::emit_op_tail_call_varargs): Deleted.
        (JSC::JIT::emitSlow_op_tail_call): Deleted.
        (JSC::JIT::emitSlow_op_tail_call_varargs): Deleted.
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emitSlow_op_call):
        (JSC::JIT::emitSlow_op_call_eval):
        (JSC::JIT::emitSlow_op_call_varargs):
        (JSC::JIT::emitSlow_op_construct_varargs):
        (JSC::JIT::emit_op_call):
        (JSC::JIT::emit_op_call_eval):
        (JSC::JIT::emit_op_call_varargs):
        (JSC::JIT::emit_op_construct_varargs):
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        (JSC::JIT::emitSlow_op_tail_call): Deleted.
        (JSC::JIT::emitSlow_op_tail_call_varargs): Deleted.
        (JSC::JIT::emit_op_tail_call): Deleted.
        (JSC::JIT::emit_op_tail_call_varargs): Deleted.
        * jit/JITInlines.h:
        (JSC::JIT::emitNakedCall):
        (JSC::JIT::updateTopCallFrame):
        (JSC::JIT::emitNakedTailCall): Deleted.
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/Repatch.cpp:
        (JSC::linkVirtualFor):
        (JSC::linkPolymorphicCall):
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::slowPathFor):
        (JSC::linkCallThunkGenerator):
        (JSC::virtualThunkFor):
        (JSC::arityFixupGenerator):
        (JSC::baselineGetterReturnThunkGenerator):
        (JSC::unreachableGenerator): Deleted.
        * jit/ThunkGenerators.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::arityCheckFor):
        (JSC::CommonSlowPaths::opIn):
        * tests/stress/mutual-tail-call-no-stack-overflow.js: Removed.
        * tests/stress/tail-call-no-stack-overflow.js: Removed.
        * tests/stress/tail-call-recognize.js: Removed.
        * tests/stress/tail-call-varargs-no-stack-overflow.js: Removed.
        * tests/stress/tail-calls-dont-overwrite-live-stack.js: Removed.

2015-09-15  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Implement imported global variables in WebAssembly
        https://bugs.webkit.org/show_bug.cgi?id=149206

        Reviewed by Filip Pizlo.

        Values can now be imported to a WebAssembly module through properties of
        the imports object that is passed to loadWebAssembly(). In order to
        avoid any side effect when accessing the imports object, we check that
        the properties are data properties. We also check that each value is a
        primitive and is not a Symbol. According to the ECMA262 6.0 spec,
        calling ToNumber() on a primitive that is not a Symbol should not cause
        any side effect.[1]

        [1]: http://www.ecma-international.org/ecma-262/6.0/#sec-tonumber

        * tests/stress/wasm-globals.js:
        * tests/stress/wasm/globals.wasm:
        * wasm/WASMModuleParser.cpp:
        (JSC::WASMModuleParser::parseModule):
        (JSC::WASMModuleParser::parseGlobalSection):
        * wasm/WASMModuleParser.h:

2015-09-15  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Fix asm.js errors in WebAssembly tests
        https://bugs.webkit.org/show_bug.cgi?id=149203

        Reviewed by Geoffrey Garen.

        Our WebAssembly implementation uses asm.js for testing. Using Firefox to
        parse asm.js reveals many errors that are not caught by pack-asmjs. For
        example,
        - asm.js does not allow the use of the multiplication operator (*) to
          multiply two integers, because the result can be so large that some
          lower bits of precision are lost. Math.imul is used instead.
        - an int variable must be coerced to either signed (via x|0) or unsigned
          (via x>>>0) before it's returned.

        * tests/stress/wasm-arithmetic-int32.js:
        * tests/stress/wasm-calls.js:
        * tests/stress/wasm-control-flow.js:
        * tests/stress/wasm-globals.js:
        * tests/stress/wasm-locals.js:
        * tests/stress/wasm-relational.js:
        * tests/stress/wasm/control-flow.wasm:

2015-09-15  Ryosuke Niwa  <rniwa@webkit.org>

        Add ShadowRoot interface and Element.prototype.attachShadow
        https://bugs.webkit.org/show_bug.cgi?id=149187

        Reviewed by Antti Koivisto.

        * Configurations/FeatureDefines.xcconfig:

2015-09-15  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Paused Debugger prevents page reload
        https://bugs.webkit.org/show_bug.cgi?id=148174

        Reviewed by Brian Burg.

        * debugger/Debugger.h:
        (JSC::Debugger::suppressAllPauses):
        (JSC::Debugger::setSuppressAllPauses):
        * debugger/Debugger.cpp:
        (JSC::Debugger::Debugger):
        (JSC::Debugger::pauseIfNeeded):
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::setSuppressAllPauses):
        Provide a way to suppress pauses.

2015-09-15  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Implement calls to JavaScript functions in WebAssembly
        https://bugs.webkit.org/show_bug.cgi?id=149093

        Reviewed by Filip Pizlo.

        This patch implements calls to JavaScript functions in WebAssembly.
        WebAssembly functions can only call JavaScript functions that are
        imported to their module via an object that is passed into
        loadWebAssembly(). References to JavaScript functions are resolved at
        the module's load time, just like asm.js.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionLoadWebAssembly):
        * tests/stress/wasm-calls.js:
        * tests/stress/wasm/calls.wasm:
        * wasm/JSWASMModule.cpp:
        (JSC::JSWASMModule::visitChildren):
        * wasm/JSWASMModule.h:
        (JSC::JSWASMModule::importedFunctions):
        * wasm/WASMFunctionCompiler.h:
        (JSC::WASMFunctionCompiler::buildCallImport):
        * wasm/WASMFunctionParser.cpp:
        (JSC::WASMFunctionParser::parseExpressionI32):
        (JSC::WASMFunctionParser::parseExpressionF64):
        (JSC::WASMFunctionParser::parseCallImport):
        * wasm/WASMFunctionParser.h:
        * wasm/WASMFunctionSyntaxChecker.h:
        (JSC::WASMFunctionSyntaxChecker::buildCallInternal):
        (JSC::WASMFunctionSyntaxChecker::buildCallImport):
        (JSC::WASMFunctionSyntaxChecker::updateTempStackHeightForCall):
        * wasm/WASMModuleParser.cpp:
        (JSC::WASMModuleParser::WASMModuleParser):
        (JSC::WASMModuleParser::parse):
        (JSC::WASMModuleParser::parseModule):
        (JSC::WASMModuleParser::parseFunctionImportSection):
        (JSC::WASMModuleParser::getImportedValue):
        (JSC::parseWebAssembly):
        * wasm/WASMModuleParser.h:

2015-09-15  Csaba Osztrogonác  <ossy@webkit.org>

        Fix the !ENABLE(DFG_JIT) build after r188696
        https://bugs.webkit.org/show_bug.cgi?id=149158

        Reviewed by Yusuke Suzuki.

        * bytecode/GetByIdStatus.cpp:
        * bytecode/GetByIdStatus.h:

2015-09-15  Saam barati  <sbarati@apple.com>

        functions that use try/catch will allocate a top level JSLexicalEnvironment even when it is not necessary
        https://bugs.webkit.org/show_bug.cgi?id=148169

        Reviewed by Geoffrey Garen.

        We used to do this before we had proper lexical scoping
        in the bytecode generator. There is absolutely no reason
        why need to allocate a top-level "var" activation when a
        function/program uses a "catch" block.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createTryStatement):
        (JSC::ASTBuilder::incConstants):
        (JSC::ASTBuilder::usesThis):
        (JSC::ASTBuilder::usesArguments):
        (JSC::ASTBuilder::usesWith):
        (JSC::ASTBuilder::usesEval):
        (JSC::ASTBuilder::usesCatch): Deleted.
        * parser/Nodes.h:
        (JSC::ScopeNode::isStrictMode):
        (JSC::ScopeNode::setUsesArguments):
        (JSC::ScopeNode::usesThis):
        (JSC::ScopeNode::needsActivation):
        (JSC::ScopeNode::hasCapturedVariables):
        (JSC::ScopeNode::captures):
        (JSC::ScopeNode::needsActivationForMoreThanVariables): Deleted.
        * parser/ParserModes.h:
        * runtime/Executable.h:
        (JSC::ScriptExecutable::usesEval):
        (JSC::ScriptExecutable::usesArguments):
        (JSC::ScriptExecutable::needsActivation):
        (JSC::ScriptExecutable::isStrictMode):
        (JSC::ScriptExecutable::ecmaMode):

2015-09-15  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r189774): CLoop doesn't build after r189774
        https://bugs.webkit.org/show_bug.cgi?id=149171

        Unreviewed build fix for the C Loop.

        Added needed C Loop label opcodes.

        * bytecode/BytecodeList.json:

2015-09-15  Andy VanWagoner  <thetalecrafter@gmail.com>

        [INTL] Implement supportedLocalesOf on Intl Constructors
        https://bugs.webkit.org/show_bug.cgi?id=147599

        Reviewed by Benjamin Poulain.

        Implements all of the abstract operations used by supportedLocalesOf,
        except during canonicalization it does not replace redundant tags,
        or subtags with their preferred values.

        * icu/unicode/ucal.h: Added.
        * icu/unicode/udat.h: Added.
        * icu/unicode/umisc.h: Added.
        * icu/unicode/unum.h: Added.
        * icu/unicode/utypes.h: Clear the U_SHOW_CPLUSPLUS_API flag to prevent C++ headers from being included.
        * runtime/CommonIdentifiers.h: Adde localeMatcher.
        * runtime/IntlCollatorConstructor.cpp:
        (JSC::IntlCollatorConstructorFuncSupportedLocalesOf): Implemented.
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf): Implemented.
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf): Implemented.
        * runtime/IntlObject.cpp:
        (JSC::canonicalizeLanguageTag):
        (JSC::getCanonicalLangTag):
        (JSC::getPrivateUseLangTag):
        (JSC::getGrandfatheredLangTag):
        (JSC::canonicalizeLocaleList):
        (JSC::bestAvailableLocale):
        (JSC::lookupSupportedLocales):
        (JSC::bestFitSupportedLocales):
        (JSC::supportedLocales):
        (JSC::getIntlStringOption):
        (JSC::getIntlBooleanOption):
        * runtime/IntlObject.h:
        * runtime/JSCJSValue.h: Added toLength.
        * runtime/JSCJSValue.cpp: Added toLength.
        (JSC::JSValue::toLength): Implement ToLength from ECMA 262 6.0 7.1.15
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::intlCollatorAvailableLocales): Added lazy locale list.
        (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales): Added lazy locale list.
        (JSC::JSGlobalObject::intlNumberFormatAvailableLocales): Added lazy locale list.
        * runtime/JSGlobalObject.h:

2015-09-14  Saam barati  <sbarati@apple.com>

        rename callFrameForThrow to callFrameForCatch
        https://bugs.webkit.org/show_bug.cgi?id=149136

        Reviewed by Michael Saboff.

        We use "callFrameForThrow" to mean the call frame in
        which we're catching the exception. The field name
        should accurately represent its purpose by being
        named "callFrameForCatch".

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::jumpToExceptionHandler):
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_catch):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_catch):
        * jit/JITOperations.cpp:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/VM.h:
        (JSC::VM::exceptionOffset):
        (JSC::VM::callFrameForCatchOffset):
        (JSC::VM::targetMachinePCForThrowOffset):
        (JSC::VM::callFrameForThrowOffset): Deleted.

2015-09-14  Basile Clement  <basile_clement@apple.com>

        [ES6] Implement tail calls in the LLInt and Baseline JIT
        https://bugs.webkit.org/show_bug.cgi?id=148661

        Reviewed by Filip Pizlo.

        This patch introduces two new opcodes, op_tail_call and
        op_tail_call_varargs, to perform tail calls, and implements them in the
        LLInt and baseline JIT. Their use prevents DFG and FTL compilation for
        now. They are currently implemented by sliding the call frame and
        masquerading as our own caller right before performing an actual call.

        This required to change the operationLink family of operation to return
        a SlowPathReturnType instead of a char* in order to distinguish between
        exception cases and actual call cases. We introduce a new FrameAction
        enum that indicates whether to reuse (non-exceptional tail call) or
        keep the current call frame (non-tail call, and exceptional cases).

        This is also a semantics change, since the Function.caller property is
        now leaking tail calls. Since tail calls are only used in strict mode,
        which poisons this property, the only way of seeing this semantics
        change is when a sloppy function calls a strict function that then
        tail-calls a sloppy function. Previously, the second sloppy function's
        caller would have been the strict function (i.e. raises a TypeError
        when the .caller attribute is accessed), while it is now the first
        sloppy function. Tests have been updated to reflect that.

        This also changes the assumptions we make about call frames. In order
        to be relatively efficient, we want to be able to compute the frame
        size based only on the argument count, which was not possible
        previously. To enable this, we now enforce at the bytecode generator,
        DFG and FTL level that any space reserved for a call frame is
        stack-aligned, which allows to easily compute its size when performing
        a tail call. In all the "special call cases" (calls from native code,
        inlined cache calls, etc.), we are starting the frame at the current
        stack pointer and thus will always have a stack-aligned frame size.

        Finally, this patch adds a couple of tests to check that tail calls run
        in constant stack space, as well as tests checking that tail calls are
        recognized correctly. Those tests use the handy aforementioned leaking
        of tail calls through Function.caller to detect tail calls. 

        Given that this patch only implements tail calls for the LLInt and
        Baseline JIT, tail calls are disabled by default.  Until changes are
        landed for all tiers, tail call testing and use requires the
        --enableTailCalls=true or equivalent.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbortReason.h:
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::Call::Call):
        (JSC::AbstractMacroAssembler::repatchNearCall):
        (JSC::AbstractMacroAssembler::repatchCompact):
        * assembler/CodeLocation.h:
        (JSC::CodeLocationNearCall::CodeLocationNearCall):
        (JSC::CodeLocationNearCall::callMode):
        (JSC::CodeLocationCommon::callAtOffset):
        (JSC::CodeLocationCommon::nearCallAtOffset):
        (JSC::CodeLocationCommon::dataLabelPtrAtOffset):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::locationOfNearCall):
        (JSC::LinkBuffer::locationOf):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::nearCall):
        (JSC::MacroAssemblerARM::nearTailCall):
        (JSC::MacroAssemblerARM::call):
        (JSC::MacroAssemblerARM::linkCall):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::nearCall):
        (JSC::MacroAssemblerARM64::nearTailCall):
        (JSC::MacroAssemblerARM64::ret):
        (JSC::MacroAssemblerARM64::linkCall):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::nearCall):
        (JSC::MacroAssemblerARMv7::nearTailCall):
        (JSC::MacroAssemblerARMv7::call):
        (JSC::MacroAssemblerARMv7::linkCall):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::nearCall):
        (JSC::MacroAssemblerMIPS::nearTailCall):
        (JSC::MacroAssemblerMIPS::call):
        (JSC::MacroAssemblerMIPS::linkCall):
        (JSC::MacroAssemblerMIPS::repatchCall):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::call):
        (JSC::MacroAssemblerSH4::nearTailCall):
        (JSC::MacroAssemblerSH4::nearCall):
        (JSC::MacroAssemblerSH4::linkCall):
        (JSC::MacroAssemblerSH4::repatchCall):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::linkCall):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::breakpoint):
        (JSC::MacroAssemblerX86Common::nearTailCall):
        (JSC::MacroAssemblerX86Common::nearCall):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::linkCall):
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::callTypeFor):
        (JSC::CallLinkInfo::isVarargsCallType):
        (JSC::CallLinkInfo::CallLinkInfo):
        (JSC::CallLinkInfo::specializationKind):
        (JSC::CallLinkInfo::callModeFor):
        (JSC::CallLinkInfo::callMode):
        (JSC::CallLinkInfo::isTailCall):
        (JSC::CallLinkInfo::isVarargs):
        (JSC::CallLinkInfo::registerPreservationMode):
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFromLLInt):
        * bytecode/CallMode.cpp: Added.
        (WTF::printInternal):
        * bytecode/CallMode.h: Added.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitCallInTailPosition):
        (JSC::BytecodeGenerator::emitCallEval):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
        (JSC::BytecodeGenerator::emitConstructVarargs):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::CallArguments::CallArguments):
        (JSC::LabelNode::emitBytecode):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
        * interpreter/Interpreter.h:
        (JSC::Interpreter::isCallBytecode):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::jumpToExceptionHandler):
        (JSC::CCallHelpers::prepareForTailCallSlow):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        (JSC::JIT::emit_op_call):
        (JSC::JIT::emit_op_tail_call):
        (JSC::JIT::emit_op_call_eval):
        (JSC::JIT::emit_op_call_varargs):
        (JSC::JIT::emit_op_tail_call_varargs):
        (JSC::JIT::emit_op_construct_varargs):
        (JSC::JIT::emitSlow_op_call):
        (JSC::JIT::emitSlow_op_tail_call):
        (JSC::JIT::emitSlow_op_call_eval):
        (JSC::JIT::emitSlow_op_call_varargs):
        (JSC::JIT::emitSlow_op_tail_call_varargs):
        (JSC::JIT::emitSlow_op_construct_varargs):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emitSlow_op_call):
        (JSC::JIT::emitSlow_op_tail_call):
        (JSC::JIT::emitSlow_op_call_eval):
        (JSC::JIT::emitSlow_op_call_varargs):
        (JSC::JIT::emitSlow_op_tail_call_varargs):
        (JSC::JIT::emitSlow_op_construct_varargs):
        (JSC::JIT::emit_op_call):
        (JSC::JIT::emit_op_tail_call):
        (JSC::JIT::emit_op_call_eval):
        (JSC::JIT::emit_op_call_varargs):
        (JSC::JIT::emit_op_tail_call_varargs):
        (JSC::JIT::emit_op_construct_varargs):
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITInlines.h:
        (JSC::JIT::emitNakedCall):
        (JSC::JIT::emitNakedTailCall):
        (JSC::JIT::updateTopCallFrame):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/Repatch.cpp:
        (JSC::linkVirtualFor):
        (JSC::linkPolymorphicCall):
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::slowPathFor):
        (JSC::linkCallThunkGenerator):
        (JSC::virtualThunkFor):
        (JSC::arityFixupGenerator):
        (JSC::unreachableGenerator):
        (JSC::baselineGetterReturnThunkGenerator):
        * jit/ThunkGenerators.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::arityCheckFor):
        (JSC::CommonSlowPaths::opIn):
        * runtime/Options.h:
        * tests/stress/mutual-tail-call-no-stack-overflow.js: Added.
        (shouldThrow):
        (sloppyCountdown.even):
        (sloppyCountdown.odd):
        (strictCountdown.even):
        (strictCountdown.odd):
        (strictCountdown):
        (odd):
        (even):
        * tests/stress/tail-call-no-stack-overflow.js: Added.
        (shouldThrow):
        (strictLoop):
        (strictLoopArityFixup1):
        (strictLoopArityFixup2):
        * tests/stress/tail-call-recognize.js: Added.
        (callerMustBeRun):
        (callerMustBeStrict):
        (runTests):
        * tests/stress/tail-call-varargs-no-stack-overflow.js: Added.
        (shouldThrow):
        (strictLoop):
        * tests/stress/tail-calls-dont-overwrite-live-stack.js: Added.
        (tail):
        (obj.method):
        (obj.get fromNative):
        (getThis):

2015-09-14  Filip Pizlo  <fpizlo@apple.com>

        LLInt get/put inline caches shouldn't use tons of opcodes
        https://bugs.webkit.org/show_bug.cgi?id=149106

        Reviewed by Geoffrey Garen.

        Our LLInt get/put inline caches currently use separate opcodes to reduce branching. For
        example, instead of having get_by_id branch on the kind of offset (inline or
        out-of-line), we have two get_by_id instructions: get_by_id and get_by_id_out_of_line.
        But the problem with this approach is that it doesn't scale. In the property type
        inference work (https://bugs.webkit.org/show_bug.cgi?id=148610), we need each kind of put
        inline cache to support 11 different kinds of type checks. It seemed ridiculous to add 60
        new put_by_id opcodes (there are currently 6 variants of put_by_id, so after adding type
        checks, we'd have 6 * 11 = 66 variants of put_by_id).

        So, this patch completely changes the strategy to mostly using branching inside the
        opcode implementation. It's unlikely to have a performance effect. For example, the long
        road to generational GC caused a seemingly prohibitive regression in LLInt inline caches,
        and yet nobody noticed. The regression was because the inline cache was in terms of the
        structure, not the structure ID, so the code was doing a structure ID table lookup. If we
        didn't notice that, then we probably won't notice a couple new branches. (Also, this
        patch fixes that regression - the code no longer does such lookups except in the one
        unavoidable case in put_by_id transition chain checking.)

        This patch also turns the isDirect operand of put_by_id into a flags field. I will use
        this flags field to encode the desired type check in bug 148610.

        This patch has no effect on performance according to run-jsc-benchmarks.

        Relanding this patch with LLInt fixes for non-x86. Previous attempts to fix non-x86 LLInt
        build also caused every 64-bit test to crash on every platform. So the patch got rolled
        out. This fixes the non-x86 LLInt build while also ensuring that 64-bit platforms don't
        crash.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::printPutByIdCacheStatus):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        * bytecode/CodeBlock.h:
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        * bytecode/Instruction.h:
        (JSC::Instruction::Instruction):
        * bytecode/PutByIdFlags.cpp: Added.
        (WTF::printInternal):
        * bytecode/PutByIdFlags.h: Added.
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedInstruction::UnlinkedInstruction):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitPutById):
        (JSC::BytecodeGenerator::emitDirectPutById):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_by_id):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2015-09-14  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r189751, r189752, and r189754.
        https://bugs.webkit.org/show_bug.cgi?id=149143

        caused crashes everywhere (Requested by alexchristensen on
        #webkit).

        Reverted changesets:

        "LLInt get/put inline caches shouldn't use tons of opcodes"
        https://bugs.webkit.org/show_bug.cgi?id=149106
        http://trac.webkit.org/changeset/189751

        "Unreviewed, fix non-x86 LLInt build."
        http://trac.webkit.org/changeset/189752

        "Unreviewed, really fix non-x86 LLInt build without also
        breaking everything else."
        http://trac.webkit.org/changeset/189754

2015-09-14  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, really fix non-x86 LLInt build without also breaking everything else.

        * llint/LowLevelInterpreter64.asm:

2015-09-14  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix non-x86 LLInt build.

        * llint/LowLevelInterpreter64.asm:

2015-09-13  Filip Pizlo  <fpizlo@apple.com>

        LLInt get/put inline caches shouldn't use tons of opcodes
        https://bugs.webkit.org/show_bug.cgi?id=149106

        Reviewed by Geoffrey Garen.

        Our LLInt get/put inline caches currently use separate opcodes to reduce branching. For
        example, instead of having get_by_id branch on the kind of offset (inline or
        out-of-line), we have two get_by_id instructions: get_by_id and get_by_id_out_of_line.
        But the problem with this approach is that it doesn't scale. In the property type
        inference work (https://bugs.webkit.org/show_bug.cgi?id=148610), we need each kind of put
        inline cache to support 11 different kinds of type checks. It seemed ridiculous to add 60
        new put_by_id opcodes (there are currently 6 variants of put_by_id, so after adding type
        checks, we'd have 6 * 11 = 66 variants of put_by_id).

        So, this patch completely changes the strategy to mostly using branching inside the
        opcode implementation. It's unlikely to have a performance effect. For example, the long
        road to generational GC caused a seemingly prohibitive regression in LLInt inline caches,
        and yet nobody noticed. The regression was because the inline cache was in terms of the
        structure, not the structure ID, so the code was doing a structure ID table lookup. If we
        didn't notice that, then we probably won't notice a couple new branches. (Also, this
        patch fixes that regression - the code no longer does such lookups except in the one
        unavoidable case in put_by_id transition chain checking.)

        This patch also turns the isDirect operand of put_by_id into a flags field. I will use
        this flags field to encode the desired type check in bug 148610.

        This patch has no effect on performance according to run-jsc-benchmarks.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::printPutByIdCacheStatus):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        * bytecode/CodeBlock.h:
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        * bytecode/Instruction.h:
        (JSC::Instruction::Instruction):
        * bytecode/PutByIdFlags.cpp: Added.
        (WTF::printInternal):
        * bytecode/PutByIdFlags.h: Added.
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedInstruction::UnlinkedInstruction):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitPutById):
        (JSC::BytecodeGenerator::emitDirectPutById):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_by_id):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2015-09-14  Alex Christensen  <achristensen@webkit.org>

        Progress towards CMake on Mac.
        https://bugs.webkit.org/show_bug.cgi?id=149123

        Reviewed by Chris Dumez.

        * CMakeLists.txt:
        Make forwarding headers for the replay subdirectory.
        * PlatformMac.cmake:
        Make forwarding headers for the generated inspector headers. 
        They should eventually either be packaged correctly with JavaScriptCore headers and included correctly.

2015-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Cache the resolution result in JSModuleRecord
        https://bugs.webkit.org/show_bug.cgi?id=148896

        Reviewed by Saam Barati.

        The resolveExport operation is frequently called. For example,
        1. When instantiating the module environment, we call it for each exported name and imported
           name.
        2. When linking the imported module environment to the code block, we call it to resolve the
           resolution.
        3. When looking up the property from the namespace object, we call it to look up the original
           module for the imported binding.
        4. When creating the namespace object, we need to collect all the exported names from the module
           and need to resolve them by calling resolveExport.

        However, resolveExport takes some cost. It traces the imported modules and resolves the reference
        queried by the original module.

        The resolveExport operation is pure function; given a module record and an export name,
        it always returns the same result. So we cache resolution results in the module record to avoid
        repeated resolveExport calls with the same arguments.
        Here, we only cache the correctly resolved references, since,
        1. We rarely looked up the non-correctly-resolved ones. In the linking phase, attempting to
           resolve non-correctly-resolved ones throws a syntax error. So only namespace object creation
           phase does it in a syntax valid script.
        2. This strategy limits the size of the cache map. The number of the correctly exported bindings
           is defined by the modules' code. So the size does not become infinitely large.

        Currently, the all modules cannot be linked twice. For example,

          graph 1

          -> (A) -> (B)

          graph 2

          -> (C) -> (A) -> (B)

        We cannot test the behavior now because when executing the graph 2, (A) and (B) are already linked,
        it raises an error in the current loader spec. But it should be allowed[1] since it will occur when
        there is multiple module tag in WebCore.

        [1]: https://github.com/whatwg/loader/issues/41

        * runtime/JSModuleRecord.cpp:
        (JSC::JSModuleRecord::ResolveQuery::Hash::hash):
        (JSC::JSModuleRecord::ResolveQuery::Hash::equal):
        (JSC::JSModuleRecord::cacheResolution):
        (JSC::ResolveQueryHash::hash): Deleted.
        (JSC::ResolveQueryHash::equal): Deleted.
        (JSC::resolveExportLoop): Deleted.
        * runtime/JSModuleRecord.h:
        * tests/modules/caching-should-not-make-ambiguous.js: Added.
        * tests/modules/caching-should-not-make-ambiguous/A.js: Added.
        * tests/modules/caching-should-not-make-ambiguous/B.js: Added.
        * tests/modules/caching-should-not-make-ambiguous/C.js: Added.
        * tests/modules/caching-should-not-make-ambiguous/D.js: Added.
        * tests/modules/caching-should-not-make-ambiguous/main.js: Added.
        * tests/modules/different-view.js: Added.
        (from.string_appeared_here.shouldThrow):
        * tests/modules/different-view/A.js: Added.
        * tests/modules/different-view/B.js: Added.
        * tests/modules/different-view/C.js: Added.
        * tests/modules/different-view/D.js: Added.
        * tests/modules/different-view/E.js: Added.
        * tests/modules/different-view/main.js: Added.
        * tests/modules/fallback-ambiguous.js: Added.
        (from.string_appeared_here.shouldThrow):
        * tests/modules/fallback-ambiguous/A.js: Added.
        * tests/modules/fallback-ambiguous/B.js: Added.
        * tests/modules/fallback-ambiguous/C.js: Added.
        * tests/modules/fallback-ambiguous/D.js: Added.
        * tests/modules/fallback-ambiguous/E.js: Added.
        * tests/modules/fallback-ambiguous/main.js: Added.
        * tests/modules/self-star-link.js: Added.
        * tests/modules/self-star-link/A.js: Added.
        * tests/modules/self-star-link/B.js: Added.
        * tests/modules/self-star-link/C.js: Added.
        * tests/modules/self-star-link/D.js: Added.
        * tests/modules/self-star-link/E.js: Added.
        * tests/modules/uncacheable-when-see-star.js: Added.
        * tests/modules/uncacheable-when-see-star/A-pre.js: Added.
        * tests/modules/uncacheable-when-see-star/A.js: Added.
        * tests/modules/uncacheable-when-see-star/B.js: Added.
        * tests/modules/uncacheable-when-see-star/C.js: Added.
        * tests/modules/uncacheable-when-see-star/D.js: Added.
        * tests/modules/uncacheable-when-see-star/E-pre.js: Added.
        * tests/modules/uncacheable-when-see-star/E.js: Added.
        * tests/modules/uncacheable-when-see-star/main1.js: Added.
        * tests/modules/uncacheable-when-see-star/main2.js: Added.

2015-09-14  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Implement the arithmetic instructions for floats in WebAssembly
        https://bugs.webkit.org/show_bug.cgi?id=149102

        Reviewed by Geoffrey Garen.

        This patch implements the arithmetic instructions for floats (float32)
        in WebAssembly by converting the float operands to doubles, performing
        the equivalent double instructions, and converting the result back to
        float. The asm.js spec says that "As proved in 'When is double rounding
        innocuous?' (Figueroa 1995), both the 32- and 64-bit versions of
        standard arithmetic operations produce equivalent results when given
        32-bit inputs and coerced to 32-bit outputs."
        (http://asmjs.org/spec/latest/#floatish)

        This patch also pads WebAssembly call frames by maxFrameExtentForSlowPathCall,
        so that there is no need to adjust the stack pointer every time we make
        a slow path call.

        * tests/stress/wasm-arithmetic-float32.js:
        * tests/stress/wasm/arithmetic-float32.wasm:
        * wasm/WASMFunctionCompiler.h:
        (JSC::WASMFunctionCompiler::startFunction):
        (JSC::WASMFunctionCompiler::buildUnaryF32):
        (JSC::WASMFunctionCompiler::buildBinaryF32):
        (JSC::WASMFunctionCompiler::callOperation):
        (JSC::WASMFunctionCompiler::callAndUnboxResult):
        (JSC::WASMFunctionCompiler::endFunction): Deleted.
        (JSC::WASMFunctionCompiler::buildBinaryI32): Deleted.
        * wasm/WASMFunctionParser.cpp:
        (JSC::WASMFunctionParser::parseExpressionF32):
        (JSC::WASMFunctionParser::parseUnaryExpressionF32):
        (JSC::WASMFunctionParser::parseBinaryExpressionF32):
        * wasm/WASMFunctionParser.h:
        * wasm/WASMFunctionSyntaxChecker.h:
        (JSC::WASMFunctionSyntaxChecker::buildUnaryF32):
        (JSC::WASMFunctionSyntaxChecker::buildBinaryF32):

2015-09-13  Geoffrey Garen  <ggaren@apple.com>

        Eden GC should not try to jettison old CodeBlocks in the remembered set
        https://bugs.webkit.org/show_bug.cgi?id=149108

        Reviewed by Saam Barati.

        All we know about objects in the remembered set is that they must be
        visited. We don't know whether they're referenced or not because we
        won't mark the objects that point to them.

        Therefore, it's incorrect for a CodeBlock to consider jettisoning
        itself when it's marked as a part of the remembered set: Some
        old object might have visited the CodeBlock strongly if given the chance.

        I believe this doesn't cause any problems currently because we happen
        to visit all strong references to all CodeBlocks elligible for jettison
        during every GC.

        However, this behavior is a logical oddity that tripped me up, and I
        believe it will start causing real problems once we start to jettison
        baseline CodeBlocks, since we do not visit all strong references to all
        baseline CodeBlocks during every GC.

        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::clearMarksForEdenCollection):
        (JSC::CodeBlockSet::traceMarked): Be sure to visit the remembered set
        strongly, in order to prohibit jettisoning.

        (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
        * heap/CodeBlockSet.h: Track the remembered set during eden GCs.

2015-09-11  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r189585): run-perf-tests Speedometer fails with a console error
        https://bugs.webkit.org/show_bug.cgi?id=149066

        Reviewed by Michael Saboff.

        The bug here was that the new IC code was calling actionForCell() more than once. That's
        illegal, since when actionForCell() returns RetryCacheLater, it means that it changed some
        object's Structure. The Repatch code was doing things like "if (actionForCell(blah) ==
        AttemptToCache)" in more than one place, so that if the first such expression was false, then
        we'd fall through to the next one. It's possible for the first call to return RetryCacheLater,
        in which case our view of the world just got clobbered and we need to return, and then the
        second call will probably return AttemptToCache because it *thinks* that we had bailed the last
        time and we're now in a future IC invocation.

        The solution is to cache the actionForCell() result. This is a bit tricky, because we need to
        do this after we check if we're in a proxy.

        Debugging bugs like these requires adding ad hoc bisection code in various places. We already
        had the basic hooks for this. This patch makes those hooks a bit more useful. In the case of
        the LLInt->JIT tier-up hooks, it adds a CodeBlock* argument so that we can bisect based on the
        CodeBlock. In the case of Repatch, it puts the Options::forceICFailure() check in a helper
        function that also takes ExecState*, which allows us to bisect on either CodeBlock or
        CodeOrigin.

        * jit/Repatch.cpp:
        (JSC::actionForCell):
        (JSC::forceICFailure):
        (JSC::tryCacheGetByID):
        (JSC::tryCachePutByID):
        (JSC::tryRepatchIn):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::shouldJIT):
        (JSC::LLInt::jitCompileAndSetHeuristics):
        (JSC::LLInt::entryOSR):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * tests/stress/retry-cache-later.js:

2015-09-11  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Implement the relational instructions for floats in WebAssembly
        https://bugs.webkit.org/show_bug.cgi?id=149080

        Reviewed by Geoffrey Garen.

        This patch implements the relational instructions for floats (float32)
        in WebAssembly by converting float operands to doubles and then
        comparing them using the existing double comparison instructions in the
        macro assembler.

        * tests/stress/wasm-relational.js:
        * tests/stress/wasm/relational.wasm:
        * wasm/WASMFunctionCompiler.h:
        (JSC::WASMFunctionCompiler::buildRelationalF32):
        * wasm/WASMFunctionParser.cpp:
        (JSC::WASMFunctionParser::parseExpressionI32):
        (JSC::WASMFunctionParser::parseRelationalF32ExpressionI32):
        * wasm/WASMFunctionParser.h:
        * wasm/WASMFunctionSyntaxChecker.h:
        (JSC::WASMFunctionSyntaxChecker::buildRelationalF32):

2015-09-11  Nan Wang  <n_wang@apple.com>

        AX: ARIA 1.1 @aria-current
        https://bugs.webkit.org/show_bug.cgi?id=146012

        Reviewed by Chris Fleizach.

        Updated inspector to support aria-current.

        * inspector/protocol/DOM.json:

2015-09-11  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Add initial support for floats in WebAsssembly
        https://bugs.webkit.org/show_bug.cgi?id=149062

        Reviewed by Geoffrey Garen.

        Implement the ConstantPoolIndex, Immediate, GetLocal, and GetGlobal
        instructions for floats (float32) in WebAssembly.

        * tests/stress/wasm-arithmetic-float32.js: Added.
        (shouldBe):
        * tests/stress/wasm-globals.js:
        * tests/stress/wasm-type-conversion.js:
        * tests/stress/wasm/arithmetic-float32.wasm: Added.
        * tests/stress/wasm/globals.wasm:
        * tests/stress/wasm/type-conversion.wasm:
        * wasm/WASMConstants.h:
        * wasm/WASMFunctionCompiler.h:
        (JSC::WASMFunctionCompiler::buildSetLocal):
        (JSC::WASMFunctionCompiler::buildReturn):
        (JSC::WASMFunctionCompiler::buildImmediateF32):
        (JSC::WASMFunctionCompiler::buildGetLocal):
        * wasm/WASMFunctionParser.cpp:
        (JSC::WASMFunctionParser::parseExpression):
        (JSC::WASMFunctionParser::parseExpressionF32):
        (JSC::WASMFunctionParser::parseConstantPoolIndexExpressionF32):
        (JSC::WASMFunctionParser::parseImmediateExpressionF32):
        (JSC::WASMFunctionParser::parseGetLocalExpressionF32):
        (JSC::WASMFunctionParser::parseGetGlobalExpressionF32):
        * wasm/WASMFunctionParser.h:
        * wasm/WASMFunctionSyntaxChecker.h:
        (JSC::WASMFunctionSyntaxChecker::buildImmediateF32):
        * wasm/WASMReader.cpp:
        (JSC::WASMReader::readOpExpressionF32):
        * wasm/WASMReader.h:

2015-09-11  Geoffrey Garen  <ggaren@apple.com>

        Try to fix the CLOOP build.

        Unreviewed.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
        (JSC::CodeBlock::finalizeUnconditionally):

2015-09-11  Csaba Osztrogonác  <ossy@webkit.org>

        [EFL] Fix WASM build
        https://bugs.webkit.org/show_bug.cgi?id=149065

        Reviewed by Darin Adler.

        * wasm/WASMFunctionParser.cpp:

2015-09-11  Geoffrey Garen  <ggaren@apple.com>

        JavaScriptCore should discard optimized code after some time
        https://bugs.webkit.org/show_bug.cgi?id=149048

        Reviewed by Michael Saboff.

        This patch adds a new jettison type -- JettisonDueToOldAge -- and starts
        using it for DFG and FTL code. Baseline and LLInt code will come in a
        follow-up patch.

        The primary goal is to save memory. Some popular websites leave about 10MB
        of dead code sitting around immediately after they finish loading.

        Throwing away code periodically might also save us from profiling
        pathologies that lead to performance dead ends.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate): Updated for rename, and removed a
        stale comment.

        (JSC::CodeBlock::shouldVisitStrongly): Renamed to shouldVisitStrongly
        because the practical effect of this function is to trigger a call to
        visitStrongly.

        (JSC::CodeBlock::isKnownToBeLiveDuringGC): Check the
        m_visitStronglyHasBeenCalled flag instead of
        shouldImmediatelyAssumeLivenessDuringScan / shouldVisitStrongly because
        m_visitStronglyHasBeenCalled can be set by anybody even if the CodeBlock
        would not otherwise visit itself strongly.

        (JSC::CodeBlock::shouldJettisonDueToWeakReference): New helper function
        for readability.

        (JSC::CodeBlock::shouldJettisonDueToOldAge): New helper function that
        tells if a CodeBlock is old enough for deletion.

        (JSC::CodeBlock::determineLiveness): There's no need to check
        shouldImmediatelyAssumeLivenessDuringScan here because we will not call
        this function if shouldImmediatelyAssumeLivenessDuringScan is true.
        Also, it's just not clear -- if someone chooses to call this function --
        that it would be safe to ignore them simply because
        shouldImmediatelyAssumeLivenessDuringScan was true.

        (JSC::CodeBlock::finalizeLLIntInlineCaches): Moved code out into a helper
        function to make the main function more readable.

        (JSC::CodeBlock::finalizeBaselineJITInlineCaches): Ditto.

        (JSC::CodeBlock::finalizeUnconditionally): Added code for jettisoning a
        CodeBlock if it is too old. Moved large sections of code into helper
        functions to aid readability in this function.

        (JSC::CodeBlock::jettison): Account for the fact that we might jettison
        a CodeBlock without OSR exit and without requiring a stack shoot-down.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::setInstallTime):
        (JSC::CodeBlock::timeSinceInstall): Track CodeBlock age to help us
        decide when to delete.

        * jit/JITCode.h:
        (JSC::JITCode::timeToLive): Static limits on CodeBlock lifetime. I got
        these numbers from the place where numbers come from. 

        * profiler/ProfilerJettisonReason.cpp:
        (WTF::printInternal):
        * profiler/ProfilerJettisonReason.h: Updated for new jettison type.

        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::installCode): Record install time so that we
        can measure how old a CodeBlock is.

2015-09-11  Andreas Kling  <akling@apple.com>

        [JSC] Weak should only accept cell pointees.
        <https://webkit.org/b/148955>

        Reviewed by Geoffrey Garen.

        Since WeakImpls only support pointing to JSCell derived objects,
        enforce that at compile time by having the API use JSCell* instead of JSValue.

        WeakHandleOwner callbacks now get JSCell& and JSCell*& respectively instead
        of wrapping the cell pointer in a Handle<Unknown>.

        Also added a static_assert so Weak<T> can't be instantiated with a T that's
        not convertible to JSCell.

        * API/JSAPIWrapperObject.mm:
        (JSAPIWrapperObjectHandleOwner::finalize):
        (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
        (JSC::JSAPIWrapperObject::finishCreation):
        * API/JSManagedValue.mm:
        (JSManagedValueHandleOwner::isReachableFromOpaqueRoots):
        (JSManagedValueHandleOwner::finalize):
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::finalize):
        * builtins/BuiltinExecutables.h:
        * heap/Heap.cpp:
        (JSC::Heap::addFinalizer):
        (JSC::Heap::FinalizerOwner::finalize):
        * heap/Heap.h:
        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::visit):
        (JSC::WeakBlock::reap):
        * heap/WeakHandleOwner.cpp:
        (JSC::WeakHandleOwner::isReachableFromOpaqueRoots):
        (JSC::WeakHandleOwner::finalize):
        * heap/WeakHandleOwner.h:
        * heap/WeakImpl.h:
        (JSC::WeakImpl::WeakImpl):
        (JSC::WeakImpl::state):
        (JSC::WeakImpl::cell):
        (JSC::WeakImpl::asWeakImpl):
        (JSC::WeakImpl::jsValue): Deleted.
        * heap/WeakInlines.h:
        (JSC::Weak<T>::Weak):
        (JSC::>):
        (JSC::Weak<T>::operator):
        (JSC::Weak<T>::get):
        (JSC::Weak<T>::was):
        * heap/WeakSet.h:
        * heap/WeakSetInlines.h:
        (JSC::WeakSet::allocate):
        (JSC::WeakBlock::finalize):
        * jit/JITThunks.cpp:
        (JSC::JITThunks::finalize):
        * jit/JITThunks.h:
        * jsc.cpp:
        (WTF::ElementHandleOwner::isReachableFromOpaqueRoots): Deleted.
        * runtime/JSCell.h:
        (JSC::jsCast):
        * runtime/RegExpCache.cpp:
        (JSC::RegExpCache::finalize):
        * runtime/RegExpCache.h:
        * runtime/Structure.cpp:
        (JSC::StructureTransitionTable::singleTransition):
        (JSC::StructureTransitionTable::setSingleTransition):

2015-09-10  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Implement switch statements in WebAssembly
        https://bugs.webkit.org/show_bug.cgi?id=149051

        Reviewed by Geoffrey Garen.

        This patch implements switch statements in WebAssembly using the
        JSC::BinarySwitch class.

        * tests/stress/wasm-control-flow.js:
        * tests/stress/wasm/control-flow.wasm:
        * wasm/WASMFunctionCompiler.h:
        (JSC::WASMFunctionCompiler::buildSwitch):
        * wasm/WASMFunctionParser.cpp:
        (JSC::WASMFunctionParser::parseSwitchStatement):
        * wasm/WASMFunctionSyntaxChecker.h:
        (JSC::WASMFunctionSyntaxChecker::buildSwitch):

2015-09-10  Filip Pizlo  <fpizlo@apple.com>

        Structure should be able to tell you if it had ever been a dictionary
        https://bugs.webkit.org/show_bug.cgi?id=149047

        Reviewed by Mark Lam.

        Introduces the hasBeenDictionary flag to Structure, which tells you if this structure or
        any of its ancestors is a dictionary. We already implicitly tracked this for DFG
        watchpoint optimizations, so this is mainly just decoupling that existing logic from
        watchpoints. Having Structure::hasBeenDictionary() enables some of the heuristics in the
        property type inference work (https://bugs.webkit.org/show_bug.cgi?id=148610).

        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::dump):
        * runtime/Structure.h:

2015-09-10  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, fix Windows file loading in JSC shell after r189583
        https://bugs.webkit.org/show_bug.cgi?id=148917

        Should load the script files with the binary mode.
        Since these loading functions are only used for the simple test scripts,
        we just use ftell / fseek now.

        * jsc.cpp:
        (fillBufferWithContentsOfFile):

2015-09-10  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r189575): Appears to break ARM64 linux builds
        https://bugs.webkit.org/show_bug.cgi?id=149044

        Reviewed by Filip Pizlo.

        Changed the use of the ARM64 "fp", a register alias, to be "x29", the real register name.

        * llint/LowLevelInterpreter.asm:

2015-09-09  Filip Pizlo  <fpizlo@apple.com>

        There should be one stub hanging off an inline cache that contains code for all of the cases, rather than forming a linked list consisting of one stub per case
        https://bugs.webkit.org/show_bug.cgi?id=148717

        Reviewed by Michael Saboff.

        This is a major rewrite of the JSC get/put/in inline caches (ICs), motivated by the need to add
        fancy new kinds of inline caches for property type inference (https://webkit.org/b/148610).

        Previously, our inline caches had some problems that made them difficult to work with. It was
        impossible to change any code that was previously generated by the IC except by blowing the
        whole IC away, the ICs scaled poorly if there were many cases, and there was a lot of duplicate
        and ad hoc code.

        Impossible to regenerate a previously generated stub: Say that some access (o.f = v) causes our
        IC code to emit some stub; let's call it stub1. Then later we find that we need to emit a
        different stub, stub2, where we think that stub2 might subsume stub1. We say that stub2
        subsumes stub1 if failing to execute stub2 to completion means that we are guaranteed to fail
        to execute stub1 to completion. This could happen in trunk if stub2 has the same base structure
        as stub1 but different prototype conditions. It could happen with property type inference if
        stub2 has a looser type check on v than stub1 did. Currently, if this happened, we would emit
        stub2 and have its slow path jump to stub1. Hence, we would still end up executing the checks
        of stub1 before falling through to the slow path. This gets bad when there are many stubs.
        Stub1 might be in front of a bunch of other stubs, so when we add stub2, we will end up
        executing both stub2's and stub1's checks before falling through to the other stubs. It would
        be better if we could remove stub1 from the list at this point. But since stub1 could be linked
        to from a different stub that we had already generated, we'd have to have a way of patching
        stubs or regenerating them from scratch. This is currenty impossible because we just don't keep
        around enough meta-data to mess with a stub after it's generated. After this change, we never
        link new stubs onto a linked list of pre-existing stubs; instead each IC will have one stub
        hanging off of it and we always regenerate that one stub from scratch. That one stub contains
        either a BinarySwitch or a branch cascade to select one of the AccessCases. Each AccessCase is
        an object that describes everything we need to regenerate it in the future. This means that
        when we add a new case to an IC stub, we can figure out which previous cases this one subsumes.

        Poor scalability when there are many cases: Previously, the cases of a polymorphic inline cache
        formed a linked list of branches. This meant that the complexity of an inline cache grew
        linearly with the number of cases. This change turns this into a BinarySwitch in most cases,
        leading to logarithmic scaling.

        Duplicate code between get, put, and in: The code for op_get_by_id, op_put_by_id, and op_in
        inline caches grew independently and ended up having a lot of duplicate code. We had the worst
        kinds of duplicate code. In some cases, the code was copy-pasted. In other cases, we wrote code
        that felt like it was new despite the fact that it was logically identical to code that was
        already written elsewhere. The main sources of duplication were in selecting a scratch
        register, checking all of the ObjectPropertyConditions and the base structure, the pro forma
        involved in generating a stub, and the data structures needed to describe all of the access
        cases. This change deduplicates all of that code. Now, all of those ICs use the same classes:
        the PolymorphicAccess and AccessCase. There is code in those classes that handles all of the
        common things, and for the most part the only code that actually specializes for the kind of
        access is in some switch statement in AccessCase::generate().

        Special-casing of array length and string length: Previously, array.length and string.length
        were handled in an ad hoc manner in the get_by_id repatching code. The handling was separate
        from the polymorphic get_by_id handling, which meant that we could not handle polymorphic
        length accesses if one of the length cases was either array or string length. For example, if
        you had "o.length" where the length was either array length or a vanilla length property, then
        the get_by_id inline cache would either emit a monomorphic stub for array length, or a
        monomorphic stub for the vanilla length property, but never a polymorphic stub (or list) that
        could do both. This change addresses this problem by folding array length and string length
        into the polymorphic get_by_id code.

        This was meant to be a perf-neutral change to enable property type inference, but it ended up
        being a 1% Octane speed-up, mainly because of a 14% speed-up in raytrace. This isn't too
        surprising, since that test does use inline caches a lot and this change makes inline caches
        more scalable.

        This also fixes and adds a test for a BinarySwitch bug. BinarySwitch had an optimization for
        consecutive integer cases. Using it on typed array structures triggers this bug. It's a hard
        bug to trigger any other way because our other switch optimizations will usually use a jump
        table in case of consecutive integers.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodePtr::dumpWithName):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::printPutByIdCacheStatus):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::getByValInfoMap):
        (JSC::CodeBlock::addStubInfo):
        (JSC::CodeBlock::findStubInfo):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::stubInfoBegin):
        (JSC::CodeBlock::stubInfoEnd):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
        * bytecode/PolymorphicAccess.cpp: Copied from Source/JavaScriptCore/bytecode/PolymorphicGetByIdList.cpp.
        (JSC::AccessGenerationState::addWatchpoint):
        (JSC::AccessGenerationState::restoreScratch):
        (JSC::AccessGenerationState::succeed):
        (JSC::AccessCase::AccessCase):
        (JSC::AccessCase::get):
        (JSC::AccessCase::replace):
        (JSC::AccessCase::transition):
        (JSC::AccessCase::setter):
        (JSC::AccessCase::in):
        (JSC::AccessCase::getLength):
        (JSC::AccessCase::~AccessCase):
        (JSC::AccessCase::fromStructureStubInfo):
        (JSC::AccessCase::clone):
        (JSC::AccessCase::guardedByStructureCheck):
        (JSC::AccessCase::alternateBase):
        (JSC::AccessCase::canReplace):
        (JSC::AccessCase::dump):
        (JSC::AccessCase::visitWeak):
        (JSC::AccessCase::generateWithGuard):
        (JSC::AccessCase::generate):
        (JSC::PolymorphicAccess::PolymorphicAccess):
        (JSC::PolymorphicAccess::~PolymorphicAccess):
        (JSC::PolymorphicAccess::regenerateWithCases):
        (JSC::PolymorphicAccess::regenerateWithCase):
        (JSC::PolymorphicAccess::visitWeak):
        (JSC::PolymorphicAccess::dump):
        (JSC::PolymorphicAccess::regenerate):
        (WTF::printInternal):
        (JSC::GetByIdAccess::GetByIdAccess): Deleted.
        (JSC::GetByIdAccess::~GetByIdAccess): Deleted.
        (JSC::GetByIdAccess::fromStructureStubInfo): Deleted.
        (JSC::GetByIdAccess::visitWeak): Deleted.
        (JSC::PolymorphicGetByIdList::PolymorphicGetByIdList): Deleted.
        (JSC::PolymorphicGetByIdList::from): Deleted.
        (JSC::PolymorphicGetByIdList::~PolymorphicGetByIdList): Deleted.
        (JSC::PolymorphicGetByIdList::currentSlowPathTarget): Deleted.
        (JSC::PolymorphicGetByIdList::addAccess): Deleted.
        (JSC::PolymorphicGetByIdList::isFull): Deleted.
        (JSC::PolymorphicGetByIdList::isAlmostFull): Deleted.
        (JSC::PolymorphicGetByIdList::didSelfPatching): Deleted.
        (JSC::PolymorphicGetByIdList::visitWeak): Deleted.
        * bytecode/PolymorphicAccess.h: Copied from Source/JavaScriptCore/bytecode/PolymorphicGetByIdList.h.
        (JSC::AccessCase::isGet):
        (JSC::AccessCase::isPut):
        (JSC::AccessCase::isIn):
        (JSC::AccessCase::type):
        (JSC::AccessCase::offset):
        (JSC::AccessCase::viaProxy):
        (JSC::AccessCase::structure):
        (JSC::AccessCase::newStructure):
        (JSC::AccessCase::conditionSet):
        (JSC::AccessCase::additionalSet):
        (JSC::AccessCase::customSlotBase):
        (JSC::AccessCase::doesCalls):
        (JSC::AccessCase::callLinkInfo):
        (JSC::AccessCase::RareData::RareData):
        (JSC::PolymorphicAccess::isEmpty):
        (JSC::PolymorphicAccess::size):
        (JSC::PolymorphicAccess::at):
        (JSC::PolymorphicAccess::operator[]):
        (JSC::GetByIdAccess::GetByIdAccess): Deleted.
        (JSC::GetByIdAccess::isSet): Deleted.
        (JSC::GetByIdAccess::operator!): Deleted.
        (JSC::GetByIdAccess::type): Deleted.
        (JSC::GetByIdAccess::structure): Deleted.
        (JSC::GetByIdAccess::conditionSet): Deleted.
        (JSC::GetByIdAccess::stubRoutine): Deleted.
        (JSC::GetByIdAccess::doesCalls): Deleted.
        (JSC::PolymorphicGetByIdList::isEmpty): Deleted.
        (JSC::PolymorphicGetByIdList::size): Deleted.
        (JSC::PolymorphicGetByIdList::at): Deleted.
        (JSC::PolymorphicGetByIdList::operator[]): Deleted.
        * bytecode/PolymorphicAccessStructureList.h: Removed.
        * bytecode/PolymorphicGetByIdList.cpp: Removed.
        * bytecode/PolymorphicGetByIdList.h: Removed.
        * bytecode/PolymorphicPutByIdList.cpp: Removed.
        * bytecode/PolymorphicPutByIdList.h: Removed.
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeForStubInfo):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::deref):
        (JSC::StructureStubInfo::addAccessCase):
        (JSC::StructureStubInfo::reset):
        (JSC::StructureStubInfo::visitWeakReferences):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::StructureStubInfo):
        (JSC::StructureStubInfo::initGetByIdSelf):
        (JSC::StructureStubInfo::initPutByIdReplace):
        (JSC::StructureStubInfo::initStub):
        (JSC::StructureStubInfo::setSeen):
        (JSC::getStructureStubInfoCodeOrigin):
        (JSC::isGetByIdAccess): Deleted.
        (JSC::isPutByIdAccess): Deleted.
        (JSC::isInAccess): Deleted.
        (JSC::StructureStubInfo::initGetByIdList): Deleted.
        (JSC::StructureStubInfo::initPutByIdTransition): Deleted.
        (JSC::StructureStubInfo::initPutByIdList): Deleted.
        (JSC::StructureStubInfo::initInList): Deleted.
        (JSC::StructureStubInfo::addWatchpoint): Deleted.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * jit/AccessorCallJITStubRoutine.cpp: Removed.
        * jit/AccessorCallJITStubRoutine.h: Removed.
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::branchIfEmpty):
        (JSC::AssemblyHelpers::branchStructure):
        (JSC::AssemblyHelpers::boxBooleanPayload):
        (JSC::AssemblyHelpers::boxBoolean):
        (JSC::AssemblyHelpers::boxInt32):
        * jit/BinarySwitch.cpp:
        (JSC::BinarySwitch::BinarySwitch):
        (JSC::BinarySwitch::build):
        (JSC::BinarySwitch::Case::dump):
        (JSC::BinarySwitch::BranchCode::dump):
        * jit/BinarySwitch.h:
        (JSC::BinarySwitch::Case::operator<):
        (JSC::BinarySwitch::BranchCode::BranchCode):
        * jit/JIT.h:
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::garbageStubInfo):
        (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
        (JSC::JITInlineCacheGenerator::stubInfo):
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITByIdGenerator::reportSlowPathCall):
        * jit/JITOperations.cpp:
        * jit/Repatch.cpp:
        (JSC::repatchCall):
        (JSC::repatchByIdSelfAccess):
        (JSC::resetGetByIDCheckAndLoad):
        (JSC::resetPutByIDCheckAndLoad):
        (JSC::replaceWithJump):
        (JSC::tryCacheGetByID):
        (JSC::repatchGetByID):
        (JSC::appropriateGenericPutByIdFunction):
        (JSC::appropriateOptimizingPutByIdFunction):
        (JSC::tryCachePutByID):
        (JSC::repatchPutByID):
        (JSC::tryRepatchIn):
        (JSC::repatchIn):
        (JSC::resetGetByID):
        (JSC::resetPutByID):
        (JSC::checkObjectPropertyCondition): Deleted.
        (JSC::checkObjectPropertyConditions): Deleted.
        (JSC::emitRestoreScratch): Deleted.
        (JSC::linkRestoreScratch): Deleted.
        (JSC::toString): Deleted.
        (JSC::kindFor): Deleted.
        (JSC::customFor): Deleted.
        (JSC::generateByIdStub): Deleted.
        (JSC::patchJumpToGetByIdStub): Deleted.
        (JSC::tryBuildGetByIDList): Deleted.
        (JSC::buildGetByIDList): Deleted.
        (JSC::appropriateListBuildingPutByIdFunction): Deleted.
        (JSC::emitPutReplaceStub): Deleted.
        (JSC::emitPutTransitionStub): Deleted.
        (JSC::tryBuildPutByIdList): Deleted.
        (JSC::buildPutByIdList): Deleted.
        * jit/ScratchRegisterAllocator.cpp:
        (JSC::ScratchRegisterAllocator::lock):
        (JSC::ScratchRegisterAllocator::allocateScratch):
        * jit/ScratchRegisterAllocator.h:
        (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionQuit):
        (functionAbort):
        (functionFalse1):
        (functionFalse2):
        * runtime/Options.h:
        * tests/stress/array-message-passing.js: Added.
        (window.addEventListener):
        (window.postMessage):
        (window._handleEvents):
        (testPassed):
        (testFailed):
        (classCompare):
        (bufferCompare):
        (viewCompare):
        (typedArrayCompare):
        (dataViewCompare):
        (dataViewCompare2):
        (dataViewCompare3):
        (createBuffer):
        (createTypedArray):
        (createTypedArrayOverBuffer):
        (new.DataView):
        (testList.testList.concat.basicBufferTypes.map):
        (doneTest):

2015-09-10  Geoffrey Garen  <ggaren@apple.com>

        CodeBlock::codeType() doesn't need to compute anything
        https://bugs.webkit.org/show_bug.cgi?id=149039

        Reviewed by Michael Saboff.

        CodeBlock already has an m_codeType data member.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::codeType):
        (JSC::CodeBlock::putByIdContext):

2015-09-10  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Implement global variables in WebAssembly
        https://bugs.webkit.org/show_bug.cgi?id=149031

        Reviewed by Geoffrey Garen.

        This patch implements global variables in WebAssembly. There are two
        types of global variables in the current format that we use (the format
        used by <https://github.com/WebAssembly/polyfill-prototype-1>): internal
        global variables and imported global variables. This patch does not yet
        import values for imported global variables. It will be done in a
        subsequent patch.

        * tests/stress/wasm-globals.js: Added.
        (shouldBe):
        * tests/stress/wasm/globals.wasm: Added.
        * wasm/JSWASMModule.h:
        (JSC::JSWASMModule::globalVariables):
        * wasm/WASMFunctionCompiler.h:
        (JSC::WASMFunctionCompiler::buildSetGlobal):
        (JSC::WASMFunctionCompiler::buildGetGlobal):
        * wasm/WASMFunctionParser.cpp:
        (JSC::WASMFunctionParser::parseStatement):
        (JSC::WASMFunctionParser::parseSetGlobalStatement):
        (JSC::WASMFunctionParser::parseExpressionI32):
        (JSC::WASMFunctionParser::parseGetGlobalExpressionI32):
        (JSC::WASMFunctionParser::parseExpressionF64):
        (JSC::WASMFunctionParser::parseGetGlobalExpressionF64):
        * wasm/WASMFunctionParser.h:
        * wasm/WASMFunctionSyntaxChecker.h:
        (JSC::WASMFunctionSyntaxChecker::buildSetGlobal):
        (JSC::WASMFunctionSyntaxChecker::buildGetGlobal):
        * wasm/WASMModuleParser.cpp:
        (JSC::WASMModuleParser::parseGlobalSection):

2015-09-10  Yusuke Suzuki  <utatane.tea@gmail.com>

        Consider long module path name case in Windows
        https://bugs.webkit.org/show_bug.cgi?id=148917

        Reviewed by Alex Christensen.

        The local file system module loader in the JSC shell manages the module files by the absolute path.
        However, in Windows, _MAX_PATH is defined as 260. So if the path like the current working directory or the path to the module is long,
        it will be truncated by the API and it fail to open the file.
        In JSC tests in Apple Windows buildbot, since the current working directory is long enough, the tests failed.

        This patch introduces the following 3 tweaks.

        1. When retrieving the current working path, we use GetCurrentDirectoryW instead of _getcwd.
           GetCurrentDirectoryW allows the long path while _getcwd automatically truncate the result by the _MAX_PATH.

        2. Before opening the module file, we prepend "\\?\" to the path. It converts the local file path to the long UNC path
           which allows longer path names.

        3. Since Windows ASCII API accepts the characters in the current code page, we use the Unicode APIs like _wfopen instead.

        And enable the once disabled module tests in Windows.

        Since this functionality is the part of the JSC shell to run the module tests, it is now implemented in jsc.cpp.

        * jsc.cpp:
        (stringFromUTF):
        (jscSource):
        (extractDirectoryName):
        (currentWorkingDirectory):
        (convertShebangToJSComment):
        (fillBufferWithContentsOfFile):
        (fetchScriptFromLocalFileSystem):
        (fetchModuleFromLocalFileSystem):
        (GlobalObject::moduleLoaderFetch):
        (functionRun):
        (functionLoad):
        (functionReadFile):
        (functionCheckSyntax):
        (functionLoadModule):
        (runWithScripts):
        (runInteractive):
        * tests/modules.yaml:

2015-09-10  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Convert arguments to WebAssembly functions to the declared types
        https://bugs.webkit.org/show_bug.cgi?id=149033

        Reviewed by Geoffrey Garen.

        This patch checks the types of arguments to WebAssembly functions and
        converts them to the declared types. This is necessary because:
        - For example, if a function expects an argument of type double and we
          pass 1.0 to it, it will get a JSValue of an integer, not a double.
        - We should follow asm.js's behavior for now, because we want to be able
          to test WebAssembly apps against asm.js apps. asm.js does type
          coercion on arguments by using int|0, Math.fround(float), and +double.

        * jit/JITOperations.h:
        * tests/stress/wasm-type-conversion.js: Added.
        (shouldBe):
        (two.valueOf):
        * tests/stress/wasm/type-conversion.wasm: Added.
        * wasm/WASMFunctionCompiler.h:
        (JSC::operationConvertJSValueToInt32):
        (JSC::operationConvertJSValueToDouble):
        (JSC::WASMFunctionCompiler::startFunction):
        (JSC::WASMFunctionCompiler::appendCallSetResult):
        (JSC::WASMFunctionCompiler::callOperation):
        (JSC::WASMFunctionCompiler::loadValueAndConvertToInt32):
        (JSC::WASMFunctionCompiler::loadValueAndConvertToDouble):

2015-09-10  Yusuke Suzuki  <utatane.tea@gmail.com>

        JSInternalPromiseDeferred should inherit JSPromiseDeferred
        https://bugs.webkit.org/show_bug.cgi?id=149027

        Reviewed by Darin Adler.

        JSInternalPromiseDeferred is constructed by using JSPromiseDeferred implementation.
        So the class info of JSInternalPromiseDeferred should inherit JSPromiseDeferred.

        * runtime/JSInternalPromiseDeferred.cpp:

2015-09-10  Michael Saboff  <msaboff@apple.com>

        Add support for Callee-Saves registers
        https://bugs.webkit.org/show_bug.cgi?id=148666

        Reviewed by Filip Pizlo.

        We save platform callee save registers right below the call frame header,
        in the location(s) starting with VirtualRegister 0.  This local space is
        allocated in the bytecode compiler.  This space is the maximum space
        needed for the callee registers that the LLInt and baseline JIT use,
        rounded up to a stack aligned number of VirtualRegisters.
        The LLInt explicitly saves and restores the registers in the macros
        preserveCalleeSavesUsedByLLInt and restoreCalleeSavesUsedByLLInt.
        The JITs saves and restores callee saves registers by what registers
        are included in m_calleeSaveRegisters in the code block.

        Added handling of callee save register restoration to exception handling.
        The basic flow is when an exception is thrown or one is recognized to
        have been generated in C++ code, we save the current state of all
        callee save registers to VM::calleeSaveRegistersBuffer.  As we unwind
        looking for the corresponding catch, we copy the callee saves from call 
        frames to the same VM::calleeSaveRegistersBuffer.  This is done for all
        call frames on the stack up to but not including the call frame that has
        the corresponding catch block.  When we process the catch, we restore
        the callee save registers with the contents of VM::calleeSaveRegistersBuffer.
        If there isn't a catch, then handleUncaughtException will restore callee
        saves before it returns back to the calling C++.

        Eliminated callee saves registers as free registers for various thunk
        generators as the callee saves may not have been saved by the function
        calling the thunk.

        Added code to transition callee saves from one VM's format to the another
        as part of OSR entry and OSR exit.

        Cleaned up the static RegisterSet's including adding one for LLInt and 
        baseline JIT callee saves and one to be used to allocate local registers
        not including the callee saves or other special registers.

        Moved ftl/FTLRegisterAtOffset.{cpp,h} to jit/RegisterAtOffset.{cpp,h}.
        Factored out the vector of RegisterAtOffsets in ftl/FTLUnwindInfo.{cpp,h}
        into a new class in jit/RegisterAtOffsetList.{cpp,h}.
        Eliminted UnwindInfo and changed UnwindInfo::parse() into a standalone
        function named parseUnwindInfo.  That standalone function now returns
        the callee saves RegisterAtOffsetList.  This is stored in the CodeBlock
        and used instead of UnwindInfo.

        Turned off register preservation thunks for outgoing calls from FTL
        generated code.  THey'll be removed in a subsequent patch.

        Changed specialized thinks to save and restore the contents of
        tagTypeNumberRegister and tagMaskRegister as they can be called by FTL
        compiled functions.  We materialize those tag registers for the thunk's
        use and then restore the prior contents on function exit.

        Also removed the arity check fail return thunk since it is now the
        caller's responsibility to restore the stack pointer.

        Removed saving of callee save registers and materialization of special
        tag registers for 64 bit platforms from vmEntryToJavaScript and
        vmEntryToNative.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * ftl/FTLJITCode.h:
        * ftl/FTLRegisterAtOffset.cpp: Removed.
        * ftl/FTLRegisterAtOffset.h: Removed.
        * ftl/FTLUnwindInfo.cpp:
        (JSC::FTL::parseUnwindInfo):
        (JSC::FTL::UnwindInfo::UnwindInfo): Deleted.
        (JSC::FTL::UnwindInfo::~UnwindInfo): Deleted.
        (JSC::FTL::UnwindInfo::parse): Deleted.
        (JSC::FTL::UnwindInfo::dump): Deleted.
        (JSC::FTL::UnwindInfo::find): Deleted.
        (JSC::FTL::UnwindInfo::indexOf): Deleted.
        * ftl/FTLUnwindInfo.h:
        (JSC::RegisterAtOffset::dump):
        * jit/RegisterAtOffset.cpp: Added.
        * jit/RegisterAtOffset.h: Added.
        (JSC::RegisterAtOffset::RegisterAtOffset):
        (JSC::RegisterAtOffset::operator!):
        (JSC::RegisterAtOffset::reg):
        (JSC::RegisterAtOffset::offset):
        (JSC::RegisterAtOffset::offsetAsIndex):
        (JSC::RegisterAtOffset::operator==):
        (JSC::RegisterAtOffset::operator<):
        (JSC::RegisterAtOffset::getReg):
        * jit/RegisterAtOffsetList.cpp: Added.
        (JSC::RegisterAtOffsetList::RegisterAtOffsetList):
        (JSC::RegisterAtOffsetList::sort):
        (JSC::RegisterAtOffsetList::dump):
        (JSC::RegisterAtOffsetList::find):
        (JSC::RegisterAtOffsetList::indexOf):
        * jit/RegisterAtOffsetList.h: Added.
        (JSC::RegisterAtOffsetList::clear):
        (JSC::RegisterAtOffsetList::size):
        (JSC::RegisterAtOffsetList::at):
        (JSC::RegisterAtOffsetList::append):
        Move and refactored use of FTLRegisterAtOffset to RegisterAtOffset.
        Added RegisterAtOffset and RegisterAtOffsetList to build configurations.
        Remove FTLRegisterAtOffset files.

        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::setUpCallFromFTL):
        Turned off FTL register preservation thunks.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::setCalleeSaveRegisters):
        (JSC::roundCalleeSaveSpaceAsVirtualRegisters):
        (JSC::CodeBlock::llintBaselineCalleeSaveSpaceAsVirtualRegisters):
        (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numberOfLLIntBaselineCalleeSaveRegisters):
        (JSC::CodeBlock::calleeSaveRegisters):
        (JSC::CodeBlock::llintBaselineCalleeSaveSpaceAsVirtualRegisters):
        (JSC::CodeBlock::optimizeAfterWarmUp):
        (JSC::CodeBlock::numberOfDFGCompiles):
        Methods to manage a set of callee save registers.  Also to allocate the appropriate
        number of VirtualRegisters for callee saves.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::allocateCalleeSaveSpace):
        * bytecompiler/BytecodeGenerator.h:
        Allocate the appropriate number of VirtualRegisters for callee saves needed by LLInt or baseline JIT.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileEntry):
        (JSC::DFG::JITCompiler::compileSetupRegistersForEntry):
        (JSC::DFG::JITCompiler::compileBody):
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        * interpreter/Interpreter.cpp:
        (JSC::UnwindFunctor::operator()):
        (JSC::UnwindFunctor::copyCalleeSavesToVMCalleeSavesBuffer):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::usedRegisters):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        (JSC::FTL::compile):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLThunks.cpp:
        (JSC::FTL::osrExitGenerationThunkGenerator):
        * jit/ArityCheckFailReturnThunks.cpp: Removed.
        * jit/ArityCheckFailReturnThunks.h: Removed.
        * jit/JIT.cpp:
        (JSC::JIT::emitEnterOptimizationCheck):
        (JSC::JIT::privateCompile):
        (JSC::JIT::privateCompileExceptionHandlers):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emit_op_ret):
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * jit/JITExceptions.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_end):
        (JSC::JIT::emit_op_ret):
        (JSC::JIT::emit_op_throw):
        (JSC::JIT::emit_op_catch):
        (JSC::JIT::emit_op_enter):
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_end):
        (JSC::JIT::emit_op_throw):
        (JSC::JIT::emit_op_catch):
        * jit/JITOperations.cpp:
        * jit/Repatch.cpp:
        (JSC::generateByIdStub):
        * jit/ThunkGenerators.cpp:
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::arityFixupGenerator):
        * runtime/CommonSlowPaths.cpp:
        (JSC::setupArityCheckData):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::arityCheckFor):
        Emit code to save and restore callee save registers and materialize tagTypeNumberRegister
        and tagMaskRegister.
        Handle callee saves when tiering up.
        Copy callee saves register contents to VM::calleeSaveRegistersBuffer at beginning of
        exception processing.
        Process callee save registers in frames when unwinding from an exception.
        Restore callee saves register contents from VM::calleeSaveRegistersBuffer on catch.
        Use appropriate register set to make sure we don't allocate a callee save register when
        compiling a thunk.
        Helper to populate tagTypeNumberRegister and tagMaskRegister with the appropriate
        constants.
        Removed arity fixup return thunks.

        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        (JSC::DFG::adjustAndJumpToTarget):
        Restore callee saves from the DFG and save the appropriate ones for the baseline JIT.
        Materialize the tag registers on 64 bit platforms.

        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitSaveCalleeSavesFor):
        (JSC::AssemblyHelpers::emitRestoreCalleeSavesFor):
        (JSC::AssemblyHelpers::emitSaveCalleeSaves):
        (JSC::AssemblyHelpers::emitRestoreCalleeSaves):
        (JSC::AssemblyHelpers::copyCalleeSavesToVMCalleeSavesBuffer):
        (JSC::AssemblyHelpers::restoreCalleeSavesFromVMCalleeSavesBuffer):
        (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToVMCalleeSavesBuffer):
        (JSC::AssemblyHelpers::emitMaterializeTagCheckRegisters):
        New helpers to save and restore callee saves as well as materialize the tag registers
        contents.

        * jit/FPRInfo.h:
        * jit/GPRInfo.h:
        (JSC::GPRInfo::toRegister):
        Updated to include FP callee save registers.  Added number of callee saves registers and
        cleanup register aliases that collide with callee save registers.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitGetByValWithCachedId):
        (JSC::JIT::emitPutByValWithCachedId):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitGetByValWithCachedId):
        (JSC::JIT::emitPutByValWithCachedId):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        Uses new stubUnavailableRegisters register set to limit what registers are available for 
        temporaries.

        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::stubUnavailableRegisters):
        (JSC::RegisterSet::calleeSaveRegisters):
        (JSC::RegisterSet::llintBaselineCalleeSaveRegisters):
        (JSC::RegisterSet::dfgCalleeSaveRegisters):
        (JSC::RegisterSet::ftlCalleeSaveRegisters):
        * jit/RegisterSet.h:
        New register sets with the callee saves used by various tiers as well as one listing registers
        not availble to stub code.

        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
        (JSC::SpecializedThunkJIT::loadDoubleArgument):
        (JSC::SpecializedThunkJIT::returnJSValue):
        (JSC::SpecializedThunkJIT::returnDouble):
        (JSC::SpecializedThunkJIT::returnInt32):
        (JSC::SpecializedThunkJIT::returnJSCell):
        (JSC::SpecializedThunkJIT::callDoubleToDoublePreservingReturn):
        (JSC::SpecializedThunkJIT::emitSaveThenMaterializeTagRegisters):
        (JSC::SpecializedThunkJIT::emitRestoreSavedTagRegisters):
        (JSC::SpecializedThunkJIT::tagReturnAsInt32):
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator):
        Changed to save and restore existing tag register contents as the may contain other values.
        After saving the existing values, we materialize the tag constants.

        * jit/TempRegisterSet.h:
        (JSC::TempRegisterSet::getFPRByIndex):
        (JSC::TempRegisterSet::getFreeFPR):
        (JSC::TempRegisterSet::setByIndex):
        * offlineasm/arm64.rb:
        * offlineasm/registers.rb:
        Added methods for floating point registers to support callee save FP registers.

        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_op_mod):
        Removed unnecessary #if CPU(X86_64) check to this 32 bit only file.

        * offlineasm/x86.rb:
        Fixed Windows callee saves naming.

        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::calleeSaveRegistersBufferOffset):
        (JSC::VM::getAllCalleeSaveRegistersMap):
        Provide a RegisterSaveMap that has all registers that might be saved.  Added a callee save buffer to be
        used for OSR exit and for exception processing in a future patch.

2015-09-10  Yusuke Suzuki  <utatane.tea@gmail.com>

        ModuleProgramExecutable should provide CodeBlock to ScriptExecutable::forEachCodeBlock
        https://bugs.webkit.org/show_bug.cgi?id=149028

        Reviewed by Michael Saboff.

        ModuleProgramExecutable should provide CodeBlock since ModuleProgramExecutable inherits
        ScriptExecutable.

        * bytecode/CodeBlock.h:
        (JSC::ScriptExecutable::forEachCodeBlock):

2015-09-09  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Implement internal calls in WebAssembly
        https://bugs.webkit.org/show_bug.cgi?id=148998

        Reviewed by Filip Pizlo.

        This patch implements internal calls to functions that return a 32-bit
        integer in WebAssembly.

        * tests/stress/wasm-calls.js: Added.
        (shouldBe):
        * tests/stress/wasm/calls.wasm: Added.
        * wasm/WASMFunctionCompiler.h:
        (JSC::WASMFunctionCompiler::WASMFunctionCompiler):
        (JSC::WASMFunctionCompiler::endFunction):
        (JSC::WASMFunctionCompiler::buildCallInternal):
        (JSC::WASMFunctionCompiler::appendExpressionList):
        (JSC::WASMFunctionCompiler::emitNakedCall):
        (JSC::WASMFunctionCompiler::boxArgumentsAndAdjustStackPointer):
        (JSC::WASMFunctionCompiler::callAndUnboxResult):
        * wasm/WASMFunctionParser.cpp:
        (JSC::WASMFunctionParser::compile):
        (JSC::WASMFunctionParser::parseExpressionI32):
        (JSC::WASMFunctionParser::parseCallInternalExpressionI32):
        (JSC::WASMFunctionParser::parseCallArguments):
        (JSC::WASMFunctionParser::parseCallInternal):
        * wasm/WASMFunctionParser.h:
        * wasm/WASMFunctionSyntaxChecker.h:
        (JSC::WASMFunctionSyntaxChecker::buildCallInternal):
        (JSC::WASMFunctionSyntaxChecker::appendExpressionList):

2015-09-09  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r189522.
        https://bugs.webkit.org/show_bug.cgi?id=149020

        "Caused a ~4% Speedometer regression" (Requested by cdumez on
        #webkit).

        Reverted changeset:

        "Function.prototype.bind: Bound functions must use the
        [[Prototype]] of their target function instead of
        Function.prototype"
        https://bugs.webkit.org/show_bug.cgi?id=145605
        http://trac.webkit.org/changeset/189522

2015-09-09  Geoffrey Garen  <ggaren@apple.com>

        Fix the no-DFG build.

        Unreviewed.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitOSRExitTargets):
        (JSC::CodeBlock::stronglyVisitStrongReferences):

2015-09-09  Geoffrey Garen  <ggaren@apple.com>

        CodeBlocks should strongly visit their OSR exit targets
        https://bugs.webkit.org/show_bug.cgi?id=148988

        Reviewed by Saam Barati.

        CodeBlocks jump to their OSR exit targets, so we need to keep them alive
        explicitly.

        This is a step toward throwing away CodeBlocks, which is only safe
        if we keep alive logically in-use CodeBlocks.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::visitStrongly): Added a flag to indicate if visit
        strongly had been performed yet, since we are likely to revisit
        the same CodeBlock many times now.

        (JSC::CodeBlock::visitOSRExitTargets):
        (JSC::CodeBlock::stronglyVisitStrongReferences): Do the visiting.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::clearMarks):
        (JSC::CodeBlockSet::mark): Added a helper function for clearing out
        two flags.

2015-09-09  Geoffrey Garen  <ggaren@apple.com>

        Unreviewed, rolling back in r189516.
        https://bugs.webkit.org/show_bug.cgi?id=148989

        Restored changeset:

        "GC should be able to discover new strong CodeBlock references
        during marking"
        https://bugs.webkit.org/show_bug.cgi?id=148981
        http://trac.webkit.org/changeset/189516

        This patch caused infinite recursion on Windows because of a pre-existing
        logical error in the non-parallel GC configuration. Even in non-parallel
        GC, we must set the mark bit on a CodeBlock to avoid marking it twice
        (or, in the case of our crash, infinitely recursively).

2015-09-09  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Implement the relational instructions for doubles in WebAssembly
        https://bugs.webkit.org/show_bug.cgi?id=148999

        Reviewed by Filip Pizlo.

        Implements the relational instructions for doubles (float64) in
        WebAssembly. Also pass the values into the test functions as Mark Lam
        suggested in https://bugs.webkit.org/show_bug.cgi?id=148882#c3

        * tests/stress/wasm-relational.js:
        * tests/stress/wasm/relational.wasm:
        * wasm/WASMFunctionCompiler.h:
        (JSC::WASMFunctionCompiler::buildRelationalF64):
        * wasm/WASMFunctionParser.cpp:
        (JSC::WASMFunctionParser::parseExpressionI32):
        (JSC::WASMFunctionParser::parseRelationalF64ExpressionI32):
        * wasm/WASMFunctionParser.h:
        * wasm/WASMFunctionSyntaxChecker.h:
        (JSC::WASMFunctionSyntaxChecker::buildRelationalI32):
        (JSC::WASMFunctionSyntaxChecker::buildRelationalF64):

2015-09-09  Saam barati  <sbarati@apple.com>

        DFG should have a debugging option that runs a phase that flushes all locals
        https://bugs.webkit.org/show_bug.cgi?id=148916

        Reviewed by Filip Pizlo.

        There is now an option to enable the DFG's new MaximalFlushInsertionPhase
        phase to run. This phase ensures that we keep all locals and arguments flushed
        to the stack at all places in the CFG. This phase is helpful for finding
        a class of bugs where enabling this phase to run removes the bug.
        This may also be useful in the development of a faster debugger
        that doesn't capture all variables.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGMaximalFlushInsertionPhase.cpp: Added.
        (JSC::DFG::MaximalFlushInsertionPhase::MaximalFlushInsertionPhase):
        (JSC::DFG::MaximalFlushInsertionPhase::run):
        (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
        (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
        (JSC::DFG::MaximalFlushInsertionPhase::newVariableAccessData):
        (JSC::DFG::performMaximalFlushInsertion):
        * dfg/DFGMaximalFlushInsertionPhase.h: Added.
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:

2015-09-08  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Refactor the test for the arithmetic instructions in WebAssembly
        https://bugs.webkit.org/show_bug.cgi?id=148983

        Reviewed by Mark Lam.

        Pass the values into the test functions as Mark Lam suggested in
        https://bugs.webkit.org/show_bug.cgi?id=148882#c3

        * tests/stress/wasm-arithmetic-int32.js: Added.
        (shouldBe):
        (shouldThrow):
        * tests/stress/wasm-arithmetic.js: Removed.
        (shouldBe): Deleted.
        (shouldThrow): Deleted.
        * tests/stress/wasm/arithmetic-int32.wasm: Added.
        * tests/stress/wasm/arithmetic.wasm: Removed.

2015-09-08  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] reduce the amount of memory access needed for LivenessAnalysisPhase
        https://bugs.webkit.org/show_bug.cgi?id=148414

        Reviewed by Mark Lam.

        LivenessAnalysisPhase still causes a huge number of cache miss.
        This patch reduces the amount of accesses needed by the HashTables.

        * dfg/DFGBasicBlock.h:
        * dfg/DFGLivenessAnalysisPhase.cpp:
        (JSC::DFG::LivenessAnalysisPhase::run):
        (JSC::DFG::LivenessAnalysisPhase::process):

2015-09-08  Myles C. Maxfield  <mmaxfield@apple.com>

        Prospective build fix after r189517

        Unreviewed.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::Thread::captureStack):

2015-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unify symbolTableGet and Put in JSLexicalEnvironment and JSSymbolTableObject
        https://bugs.webkit.org/show_bug.cgi?id=148783

        Reviewed by Geoffrey Garen.

        Unify the symbolTableGet and symbolTablePut into JSSymbolTableObject's one.
        Since symbolTablePutWithAttributes in JSLexicalEnvironment is not used, we drop that function.

        * runtime/JSEnvironmentRecord.h:
        (JSC::JSEnvironmentRecord::isValidScopeOffset):
        (JSC::JSEnvironmentRecord::variableAt):
        (JSC::JSEnvironmentRecord::isValid): Deleted.
        * runtime/JSGlobalLexicalEnvironment.cpp:
        (JSC::JSGlobalLexicalEnvironment::put):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::put):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        (JSC::JSLexicalEnvironment::getOwnPropertySlot):
        (JSC::JSLexicalEnvironment::put):
        (JSC::JSLexicalEnvironment::symbolTableGet): Deleted.
        (JSC::JSLexicalEnvironment::symbolTablePut): Deleted.
        (JSC::JSLexicalEnvironment::symbolTablePutWithAttributes): Deleted.
        * runtime/JSLexicalEnvironment.h:
        * runtime/JSModuleRecord.cpp:
        (JSC::JSModuleRecord::instantiateDeclarations):
        * runtime/JSSegmentedVariableObject.h:
        (JSC::JSSegmentedVariableObject::isValidScopeOffset):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTableGet):
        (JSC::symbolTablePut):
        (JSC::symbolTablePutTouchWatchpointSet):
        (JSC::symbolTablePutInvalidateWatchpointSet):
        (JSC::symbolTablePutWithAttributesTouchWatchpointSet):
        (JSC::symbolTablePutWithAttributes): Deleted.

2015-09-08  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r189516.
        https://bugs.webkit.org/show_bug.cgi?id=148989

        broke tests on windows (Requested by alexchristensen on
        #webkit).

        Reverted changeset:

        "GC should be able to discover new strong CodeBlock references
        during marking"
        https://bugs.webkit.org/show_bug.cgi?id=148981
        http://trac.webkit.org/changeset/189516

2015-09-08  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Remove unused DFG::dfgConvertJSValueToInt32()
        https://bugs.webkit.org/show_bug.cgi?id=148986

        Reviewed by Geoffrey Garen.

        Remove unused DFG::dfgConvertJSValueToInt32() and also remove
        DFG::JITCompiler::callOperation(D_JITOperation_EJ operation, ...) which
        was introduced in Bug 69806 for dfgConvertJSValueToNumber() and is no
        longer used.

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation): Deleted.

2015-09-08  Matthew Hill  <matthew.jh@outlook.com>

        Function.prototype.bind: Bound functions must use the [[Prototype]] of their target function instead of Function.prototype
        https://bugs.webkit.org/show_bug.cgi?id=145605

        Reviewed by Geoffrey Garen.

        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::create):
        * tests/es6.yaml:

2015-09-08  Mark Lam  <mark.lam@apple.com>

        Fixed a bad comment r189517.

        Not reviewed.

        * heap/MachineStackMarker.cpp:
        (JSC::osRedZoneAdjustment):

2015-09-08  Geoffrey Garen  <ggaren@apple.com>

        InlineCallFrames shouldn't be strongly marked by CodeBlock
        https://bugs.webkit.org/show_bug.cgi?id=146613

        Reviewed by Saam Barati.

        This code was vestigial an unnecessary, so I removed it.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::stronglyVisitStrongReferences):
        * bytecode/InlineCallFrame.cpp:
        (JSC::InlineCallFrame::calleeConstant):
        (JSC::InlineCallFrame::calleeForCallFrame):
        (JSC::InlineCallFrame::visitAggregate): Deleted.
        * bytecode/InlineCallFrame.h:
        (JSC::InlineCallFrame::specializationKind):
        * bytecode/InlineCallFrameSet.cpp:
        (JSC::InlineCallFrameSet::add):
        (JSC::InlineCallFrameSet::visitAggregate): Deleted.
        * bytecode/InlineCallFrameSet.h:
        (JSC::InlineCallFrameSet::begin):
        (JSC::InlineCallFrameSet::end):

2015-09-08  Mark Lam  <mark.lam@apple.com>

        GC stack scan should include ABI red zone.
        https://bugs.webkit.org/show_bug.cgi?id=148976

        Reviewed by Geoffrey Garen and Benjamin Poulain.

        The x86_64 ABI section 3.2.2[1] and ARM64 ABI[2] both state that there is a
        128 byte red zone below the stack pointer (reserved by the OS), and that
        "functions may use this area for temporary data that is not needed across
        function calls".

        Hence, it is possible for a thread to store JSCell pointers in the red zone
        area, and the conservative GC thread scanner needs to scan that area as well.

        Note: the red zone should not be scanned for the GC thread itself (in
        gatherFromCurrentThread()).  This because we're guaranteed that there will
        be GC frames below the lowest (top of stack) frame that we need to scan.
        Hence, we are guaranteed that there are no red zone areas there containing
        JSObject pointers of relevance.

        No test added for this issue because the issue relies on:
        1. the compiler tool chain generating code that stores local variables
           containing the sole reference to a JS object (that needs to be kept
           alive) in the stack red zone, and
        2. GC has to run on another thread while that red zone containing the
           JS object reference is in use. 

        These conditions require a race that cannot be reliably reproduced.

        [1]: http://people.freebsd.org/~obrien/amd64-elf-abi.pdf
        [2]: https://developer.apple.com/library/ios/documentation/Xcode/Conceptual/iPhoneOSABIReference/Articles/ARM64FunctionCallingConventions.html#//apple_ref/doc/uid/TP40013702-SW7

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::Thread::Thread):
        (JSC::MachineThreads::Thread::createForCurrentThread):
        (JSC::MachineThreads::Thread::freeRegisters):
        (JSC::osRedZoneAdjustment):
        (JSC::MachineThreads::Thread::captureStack):

2015-09-08  Geoffrey Garen  <ggaren@apple.com>

        GC should be able to discover new strong CodeBlock references during marking
        https://bugs.webkit.org/show_bug.cgi?id=148981

        Reviewed by Mark Lam.

        Previously, we required a strong reference to register itself before the
        first visit to a CodeBlock. Now, we can discover a strong reference at
        any time during the marking phase.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock): Remove the two strong reference state
        variables from CodeBlock. Now, a strong reference immediately marks
        the CodeBlock and its references at the moment of its discovery, and no
        separate state is required.

        (JSC::CodeBlock::visitStrongly): New helper function for establishing
        a strong reference to a CodeBlock.

        (JSC::CodeBlock::visitAggregate): Adopt helper function above.

        (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan): Updated
        for state removal.

        (JSC::CodeBlock::isKnownToBeLiveDuringGC): Ditto.

        (JSC::CodeBlock::stronglyVisitWeakReferences): Be sure to record that
        we have proven liveness (by virtue of marking all the references the
        proof would check). This is required so that the CodeBlock knows itself
        to be live, and it is also an optimization to avoid testing weak references
        after we have already visited them.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::clearMarks):
        (JSC::CodeBlockSet::mark):
        (JSC::CodeBlockSet::clearMarks): Deleted. Updated for state removal.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::clearCodeBlockMarks):
        (JSC::DFG::Plan::checkLivenessAndVisitChildren):
        * dfg/DFGPlan.h: No need to use a CodeBlockSet in order to mark anymore.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::completeAllPlansForVM):
        (JSC::DFG::Worklist::clearCodeBlockMarks):
        (JSC::DFG::Worklist::resumeAllThreads):
        (JSC::DFG::Worklist::visitWeakReferences):
        (JSC::DFG::completeAllPlansForVM):
        (JSC::DFG::clearCodeBlockMarks):
        * dfg/DFGWorklist.h:
        (JSC::DFG::worklistForIndexOrNull): No need to use a CodeBlockSet in order
        to mark anymore.

        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::clearMarksForFullCollection):
        (JSC::CodeBlockSet::clearMarksForEdenCollection):
        (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
        (JSC::CodeBlockSet::traceMarked):
        (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
        (JSC::CodeBlockSet::dump):
        * heap/CodeBlockSet.h: Keep the currently executing CodeBlocks in RefPtrs
        since we can no longer rely on the m_currentlyExecuting bit to keep them
        alive. (A currently executing CodeBlock may not be referenced by its
        Executable because it may since have been replaced by another CodeBlock.
        This is common in the cases of OSR entry and exit.)

        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::visitCompilerWorklistWeakReferences):
        (JSC::Heap::visitWeakHandles): No need to trace the list of CodeBlocks
        on the stack in the weak reference fixpoint because we no longer overload
        "on the stack" to include CodeBlocks referenced by the compiler.

2015-09-08  Andreas Kling  <akling@apple.com>

        [JSC] Remove unused Heap::getConservativeRegisterRoots().
        <https://webkit.org/b/148974>

        Reviewed by Geoffrey Garen.

        Spotted this unused stack root gathering helper in Heap. Let's lose it.

        * heap/Heap.cpp:
        (JSC::Heap::getConservativeRegisterRoots): Deleted.
        * interpreter/JSStack.cpp:
        (JSC::JSStack::gatherConservativeRoots): Deleted.
        * interpreter/JSStack.h:
        (JSC::JSStack::gatherConservativeRoots): Deleted.

2015-09-08  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Implement control flow statements in WebAssembly
        https://bugs.webkit.org/show_bug.cgi?id=148934

        Reviewed by Geoffrey Garen.

        This patch implements if, while, do, label, break, and continue
        statements in WebAssembly. Switches will be implemented in a subsequent
        patch.

        * tests/stress/wasm-control-flow.js: Added.
        (shouldBe):
        * tests/stress/wasm/control-flow.wasm: Added.
        * wasm/WASMFunctionCompiler.h:
        (JSC::WASMFunctionCompiler::linkTarget):
        (JSC::WASMFunctionCompiler::jumpToTarget):
        (JSC::WASMFunctionCompiler::jumpToTargetIf):
        (JSC::WASMFunctionCompiler::startLoop):
        (JSC::WASMFunctionCompiler::endLoop):
        (JSC::WASMFunctionCompiler::startSwitch):
        (JSC::WASMFunctionCompiler::endSwitch):
        (JSC::WASMFunctionCompiler::startLabel):
        (JSC::WASMFunctionCompiler::endLabel):
        (JSC::WASMFunctionCompiler::breakTarget):
        (JSC::WASMFunctionCompiler::continueTarget):
        (JSC::WASMFunctionCompiler::breakLabelTarget):
        (JSC::WASMFunctionCompiler::continueLabelTarget):
        * wasm/WASMFunctionParser.cpp:
        (JSC::WASMFunctionParser::parseIfStatement):
        (JSC::WASMFunctionParser::parseIfElseStatement):
        (JSC::WASMFunctionParser::parseWhileStatement):
        (JSC::WASMFunctionParser::parseDoStatement):
        (JSC::WASMFunctionParser::parseLabelStatement):
        (JSC::WASMFunctionParser::parseBreakStatement):
        (JSC::WASMFunctionParser::parseBreakLabelStatement):
        (JSC::WASMFunctionParser::parseContinueStatement):
        (JSC::WASMFunctionParser::parseContinueLabelStatement):
        * wasm/WASMFunctionParser.h:
        * wasm/WASMFunctionSyntaxChecker.h:
        (JSC::WASMFunctionSyntaxChecker::linkTarget):
        (JSC::WASMFunctionSyntaxChecker::jumpToTarget):
        (JSC::WASMFunctionSyntaxChecker::jumpToTargetIf):
        (JSC::WASMFunctionSyntaxChecker::startLoop):
        (JSC::WASMFunctionSyntaxChecker::endLoop):
        (JSC::WASMFunctionSyntaxChecker::startSwitch):
        (JSC::WASMFunctionSyntaxChecker::endSwitch):
        (JSC::WASMFunctionSyntaxChecker::startLabel):
        (JSC::WASMFunctionSyntaxChecker::endLabel):
        (JSC::WASMFunctionSyntaxChecker::breakTarget):
        (JSC::WASMFunctionSyntaxChecker::continueTarget):
        (JSC::WASMFunctionSyntaxChecker::breakLabelTarget):
        (JSC::WASMFunctionSyntaxChecker::continueLabelTarget):

2015-09-08  Per Arne Vollan  <peavo@outlook.com>

        [Win] Compile errors in inspector code.
        https://bugs.webkit.org/show_bug.cgi?id=148977

        Reviewed by Alex Christensen.

        Include definition of class FrontendRouter before use.

        * inspector/InspectorBackendDispatcher.h:
        * inspector/JSGlobalObjectInspectorController.h:

2015-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Implement computed accessors
        https://bugs.webkit.org/show_bug.cgi?id=147883

        Reviewed by Geoffrey Garen.

        Patch by Yusuke Suzuki <utatane.tea@gmail.com> and Matthew Mirman <mmirman@apple.com>.

        Implement the computed accessors functionality for class syntax and object literal syntax.
        Added new opcodes, op_put_getter_by_val and op_put_setter_by_val. LLInt and baseline JIT support them.
        As the same to the other accessor opcodes (like op_put_getter_by_id etc.), DFG / FTL does not support
        them. This is handled here[1].

        [1]: https://bugs.webkit.org/show_bug.cgi?id=148860

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitPutGetterByVal):
        (JSC::BytecodeGenerator::emitPutSetterByVal):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitBytecode):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_getter_by_val):
        (JSC::JIT::emit_op_put_setter_by_val):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_getter_by_val):
        (JSC::JIT::emit_op_put_setter_by_val):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createGetterOrSetterProperty):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseClass):
        (JSC::Parser<LexerType>::parseGetterSetter):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createGetterOrSetterProperty):
        * tests/es6.yaml:
        * tests/stress/computed-accessor-parsing.js: Added.
        (testShouldNotThrow):
        (testShouldThrow):
        (Val.prototype.get string_appeared_here):
        (Val):
        * tests/stress/computed-accessor.js: Added.
        (shouldBe):
        (.):
        * tests/stress/duplicate-computed-accessors.js: Added.
        (shouldBe):

2015-09-08  Saam barati  <sbarati@apple.com>

        baseline JIT should emit better code for UnresolvedProperty in resolve_scope/get_from_scope/put_to_scope
        https://bugs.webkit.org/show_bug.cgi?id=148895

        Reviewed by Geoffrey Garen.

        Previously, if a resolve_scope/get_from_scope/put_to_scope with
        UnresolvedProperty made it to the baseline JIT, we would hard compile
        a jump to the slow path. This is bad and slow. Because UnresolvedProperty
        tries to update itself to something more useful, and succeeds at doing so
        with high probability, we should be emitting code that checks to see if the 
        slow path has performed an update, and if it has, execute more efficient code 
        and not go to the slow path (unless it needs to for var injection check failure, 
        or other check failures). This increases the speed of this code greatly because 
        we may decide to compile a program/function before certain resolve_scope/get_from_scope/put_to_scope 
        operations ever execute. And now, the baseline JIT code better adapts to such
        compilation scenarios.

        * bytecode/Watchpoint.h:
        (JSC::WatchpointSet::isBeingWatched):
        (JSC::WatchpointSet::addressOfState):
        (JSC::WatchpointSet::offsetOfState):
        (JSC::WatchpointSet::addressOfSetIsNotEmpty):
        * jit/JIT.cpp:
        (JSC::JIT::emitNotifyWrite):
        (JSC::JIT::assertStackPointerOffset):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_resolve_scope):
        (JSC::JIT::emitSlow_op_resolve_scope):
        (JSC::JIT::emitGetGlobalProperty):
        (JSC::JIT::emitGetVarFromPointer):
        (JSC::JIT::emitGetVarFromIndirectPointer):
        (JSC::JIT::emitGetClosureVar):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emitSlow_op_get_from_scope):
        (JSC::JIT::emitPutGlobalProperty):
        (JSC::JIT::emitPutGlobalVariable):
        (JSC::JIT::emitPutGlobalVariableIndirect):
        (JSC::JIT::emitPutClosureVar):
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emitSlow_op_put_to_scope):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_resolve_scope):
        (JSC::JIT::emitSlow_op_resolve_scope):
        (JSC::JIT::emitGetGlobalProperty):
        (JSC::JIT::emitGetVarFromPointer):
        (JSC::JIT::emitGetVarFromIndirectPointer):
        (JSC::JIT::emitGetClosureVar):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emitSlow_op_get_from_scope):
        (JSC::JIT::emitPutGlobalProperty):
        (JSC::JIT::emitPutGlobalVariable):
        (JSC::JIT::emitPutGlobalVariableIndirect):
        (JSC::JIT::emitPutClosureVar):
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emitSlow_op_put_to_scope):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
        (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
        * runtime/JSScope.cpp:
        (JSC::abstractAccess):
        * tests/stress/multiple-files-tests/global-lexical-variable-unresolved-property/first.js:
        (foo):

2015-09-08  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Implement all the arithmetic and logical instructions in WebAssembly
        https://bugs.webkit.org/show_bug.cgi?id=148882

        Reviewed by Mark Lam.

        This patch implements all the arithmetic and logical instructions for
        32-bit integers in WebAssembly.

        * tests/stress/wasm-arithmetic.js:
        * tests/stress/wasm/arithmetic.wasm:
        * wasm/WASMFunctionCompiler.h:
        (JSC::WASMFunctionCompiler::buildUnaryI32):
        (JSC::WASMFunctionCompiler::buildBinaryI32):
        * wasm/WASMFunctionParser.cpp:
        (JSC::WASMFunctionParser::parseExpressionI32):
        (JSC::WASMFunctionParser::parseUnaryExpressionI32):
        * wasm/WASMFunctionParser.h:
        * wasm/WASMFunctionSyntaxChecker.h:
        (JSC::WASMFunctionSyntaxChecker::buildUnaryI32):

2015-09-08  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix debug by removing an assertion that is not correct anymore.

        * jit/Repatch.cpp:
        (JSC::linkFor):

2015-09-08  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Add initial support for doubles in WebAssembly
        https://bugs.webkit.org/show_bug.cgi?id=148913

        Reviewed by Filip Pizlo.

        Implement the ConstantPoolIndex, Immediate, and GetLocal instructions
        for doubles (float64) in WebAssembly.

        * tests/stress/wasm-arithmetic-float64.js: Added.
        (shouldBe):
        * tests/stress/wasm/arithmetic-float64.wasm: Added.
        * wasm/WASMConstants.h:
        * wasm/WASMFunctionCompiler.h:
        (JSC::WASMFunctionCompiler::buildSetLocal):
        (JSC::WASMFunctionCompiler::buildReturn):
        (JSC::WASMFunctionCompiler::buildImmediateI32):
        (JSC::WASMFunctionCompiler::buildImmediateF64):
        (JSC::WASMFunctionCompiler::buildGetLocal):
        * wasm/WASMFunctionParser.cpp:
        (JSC::WASMFunctionParser::parseExpression):
        (JSC::WASMFunctionParser::parseExpressionF64):
        (JSC::WASMFunctionParser::parseConstantPoolIndexExpressionF64):
        (JSC::WASMFunctionParser::parseImmediateExpressionF64):
        (JSC::WASMFunctionParser::parseGetLocalExpressionF64):
        * wasm/WASMFunctionParser.h:
        * wasm/WASMFunctionSyntaxChecker.h:
        (JSC::WASMFunctionSyntaxChecker::buildImmediateF64):
        * wasm/WASMReader.cpp:
        (JSC::WASMReader::readOpExpressionF64):
        * wasm/WASMReader.h:

2015-09-06  Filip Pizlo  <fpizlo@apple.com>

        CallLinkInfo inside StructureStubInfo should not use polymorphic stubs
        https://bugs.webkit.org/show_bug.cgi?id=148915

        Reviewed by Mark Lam.

        There is a subtle bug where if we reset a get_by_id IC that had a getter stub that in
        turn had a polymorphic call stub, then the GC won't know to keep the getter stub alive.
        This patch documents the bug in a FIXME and disables polymorphic call optimizations for
        getters. It also just so happens that the polymorphic call optimizations usually don't
        benefit getters, since it's hard to create polymorphism at the point of call without also
        introducing polymorphism in the base object's structure.

        The added test doesn't reproduce the problem, because it's hard to get the GC to delete
        all of the stubs.

        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::CallLinkInfo):
        (JSC::CallLinkInfo::setCallLocations):
        (JSC::CallLinkInfo::allowStubs):
        (JSC::CallLinkInfo::disallowStubs):
        (JSC::CallLinkInfo::setUpCallFromFTL):
        * jit/Repatch.cpp:
        (JSC::generateByIdStub):
        (JSC::linkFor):
        (JSC::linkPolymorphicCall):
        * tests/stress/poly-call-stub-in-getter-stub.js: Added.
        (foo):
        (makeGetter):

2015-09-07  Filip Pizlo  <fpizlo@apple.com>

        The put_by_id IC store barrier contract should benefit transition over replace
        https://bugs.webkit.org/show_bug.cgi?id=148943

        Reviewed by Mark Lam.

        Previously, we would only emit a barrier if the value being stored was possibly a cell, so
        the transition stub code generator would have to emit a barrier for the store of the
        structure, just in case the structure was newer than the base object.

        This changes the contract so that the put_by_id callsite would always have a barrier on the
        base (except if it proved that the base was brand new). That way, the transition doesn't have
        to have a barrier unless it allocates.

        This is meant to be a perf-neutral change that I need for the IC refactoring in
        https://bugs.webkit.org/show_bug.cgi?id=148717.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGStoreBarrierInsertionPhase.cpp:
        * jit/Repatch.cpp:
        (JSC::emitPutTransitionStub):

2015-09-07  Alex Christensen  <achristensen@webkit.org>

        Windows non-cygwin build fix after r189333.

        SVN on Windows (non-cygwin) doesn't like having the * character in file names.
        I replaced "*" with "star" in some of Geoff's new tests.

        * tests/es6.yaml:
        Changed all _*_ to _star_
        * tests/es6/generators_yield_*_arrays.js: Removed.
        * tests/es6/generators_yield_*_astral_plane_strings.js: Removed.
        * tests/es6/generators_yield_*_generator_instances.js: Removed.
        * tests/es6/generators_yield_*_generic_iterables.js: Removed.
        * tests/es6/generators_yield_*_instances_of_iterables.js: Removed.
        * tests/es6/generators_yield_*_iterator_closing.js: Removed.
        * tests/es6/generators_yield_*_iterator_closing_via_throw.js: Removed.
        * tests/es6/generators_yield_*_on_non-iterables_is_a_runtime_error.js: Removed.
        * tests/es6/generators_yield_*_sparse_arrays.js: Removed.
        * tests/es6/generators_yield_*_strings.js: Removed.
        * tests/es6/generators_yield_star_arrays.js: Copied from tests/es6/generators_yield_*_arrays.js.
        * tests/es6/generators_yield_star_astral_plane_strings.js: Copied from tests/es6/generators_yield_*_astral_plane_strings.js.
        * tests/es6/generators_yield_star_generator_instances.js: Copied from tests/es6/generators_yield_*_generator_instances.js.
        * tests/es6/generators_yield_star_generic_iterables.js: Copied from tests/es6/generators_yield_*_generic_iterables.js.
        * tests/es6/generators_yield_star_instances_of_iterables.js: Copied from tests/es6/generators_yield_*_instances_of_iterables.js.
        * tests/es6/generators_yield_star_iterator_closing.js: Copied from tests/es6/generators_yield_*_iterator_closing.js.
        * tests/es6/generators_yield_star_iterator_closing_via_throw.js: Copied from tests/es6/generators_yield_*_iterator_closing_via_throw.js.
        * tests/es6/generators_yield_star_on_non-iterables_is_a_runtime_error.js: Copied from tests/es6/generators_yield_*_on_non-iterables_is_a_runtime_error.js.
        * tests/es6/generators_yield_star_sparse_arrays.js: Copied from tests/es6/generators_yield_*_sparse_arrays.js.
        * tests/es6/generators_yield_star_strings.js: Copied from tests/es6/generators_yield_*_strings.js.

2015-09-06  Mark Lam  <mark.lam@apple.com>

        Gardening: fix broken Windows build after r189454.

        Not reviewed.

        * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
        * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters:

2015-09-06  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Implement the relational instructions in WebAssembly
        https://bugs.webkit.org/show_bug.cgi?id=148838

        Reviewed by Saam Barati.

        This patch implements the relational instructions for 32-bit integers in
        WebAssembly.

        * tests/stress/wasm-arithmetic.js:
        * tests/stress/wasm-locals.js:
        * tests/stress/wasm-relational.js: Added.
        (shouldBe):
        * tests/stress/wasm/arithmetic.wasm: Renamed from Source/JavaScriptCore/tests/stress/wasm-arithmetic.wasm.
        * tests/stress/wasm/locals.wasm: Renamed from Source/JavaScriptCore/tests/stress/wasm-locals.wasm.
        * tests/stress/wasm/relational.wasm: Added.
        * wasm/WASMFunctionCompiler.h:
        (JSC::WASMFunctionCompiler::buildRelationalI32):
        * wasm/WASMFunctionParser.cpp:
        (JSC::WASMFunctionParser::parseExpressionI32):
        (JSC::WASMFunctionParser::parseRelationalI32ExpressionI32):
        * wasm/WASMFunctionParser.h:
        * wasm/WASMFunctionSyntaxChecker.h:
        (JSC::WASMFunctionSyntaxChecker::buildRelationalI32):

2015-09-06  Mark Lam  <mark.lam@apple.com>

        StackOverflow stack unwinding should stop at native frames.
        https://bugs.webkit.org/show_bug.cgi?id=148749

        Reviewed by Michael Saboff.

        In the present code, after ping-pong'ing back and forth between native and JS
        code a few times, if we have a stack overflow on re-entry into the VM to run
        JS code's whose stack frame would overflow the JS stack, the code will end up
        unwinding past the native function that is making the call to re-enter the VM.
        As a result, any clean up code (e.g. destructors for stack variables) in the
        skipped native function frame (and its chain of native function callers) will
        not be called.

        This patch is based on the Michael Saboff's fix of this issue landed on the
        jsc-tailcall branch: http://trac.webkit.org/changeset/188555

        We now check for the case where there are no JS frames to unwind since the
        last native frame, and treat the exception as an unhandled exception.  The
        native function is responsible for further propagating the exception if needed.

        Other supporting work:
        1. Remove vm->vmEntryFrameForThrow.  It should always be the same as
           vm->topVMEntryFrame.
        2. Change operationThrowStackOverflowError() to use the throwStackOverflowError()
           helper function instead of rolling its own.
        3. Added a test that exercises this edge case.  The test should not hang or crash.

        * API/tests/PingPongStackOverflowTest.cpp: Added.
        (PingPongStackOverflowObject_hasInstance):
        (testPingPongStackOverflow):
        * API/tests/PingPongStackOverflowTest.h: Added.
        * API/tests/testapi.c:
        (main):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * interpreter/CallFrame.h:
        (JSC::ExecState::operator=):
        (JSC::ExecState::callerFrame):
        (JSC::ExecState::callerFrameOrVMEntryFrame):
        (JSC::ExecState::argIndexForRegister):
        (JSC::ExecState::callerFrameAndPC):
        * interpreter/Interpreter.cpp:
        (JSC::UnwindFunctor::UnwindFunctor):
        (JSC::UnwindFunctor::operator()):
        (JSC::Interpreter::unwind):
        * interpreter/Interpreter.h:
        (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
        (JSC::Interpreter::sampler):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::jumpToExceptionHandler):
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * jit/JITExceptions.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_catch):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_catch):
        * jit/JITOperations.cpp:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/VM.h:
        (JSC::VM::exceptionOffset):
        (JSC::VM::callFrameForThrowOffset):
        (JSC::VM::vmEntryFrameForThrowOffset): Deleted.
        (JSC::VM::topVMEntryFrameOffset): Deleted.

2015-09-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, disable module tests in Windows until name resolution is fixed
        https://bugs.webkit.org/show_bug.cgi?id=148689

        Until bug[1] is fixed, we disable the module tests.
        Since the local file system name resolution is just implemented in jsc.cpp and
        is intended to be used for the module tests, it does not affect JSC framework
        and WebKit itself.

        [1]: https://bugs.webkit.org/show_bug.cgi?id=148917

        * tests/modules.yaml:

2015-09-06  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Simplify JIT::emit_op_mod()
        https://bugs.webkit.org/show_bug.cgi?id=148908

        Reviewed by Michael Saboff.

        The IDIV instruction on x86 divides the value in the EDX:EAX registers
        by the source operand and stores the quotient in EAX and the remainder
        in EDX. Therefore, we store the values that we don't want to be
        overwritten by IDIV in registers that are not EAX or EDX. This patch
        makes the intention clearer and makes the code easier to read.

        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_mod):

2015-09-05  Mark Lam  <mark.lam@apple.com>

        Fix JSDollarVMPrototype after r189160.
        https://bugs.webkit.org/show_bug.cgi?id=148900

        Reviewed by Michael Saboff.

        JSDollarVMPrototype needs to be updated to match http://trac.webkit.org/changeset/189160 i.e.
        remove the use of JSC::Function bit in its property attributes.

        * tools/JSDollarVMPrototype.cpp:
        (JSC::JSDollarVMPrototype::finishCreation):

2015-09-05  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, fix the module name resolution in Windows
        https://bugs.webkit.org/show_bug.cgi?id=148689

        Attempt to fix the module name resolution in Windows.
        A module name is represented as the UNIX path under the current module tests.
        This fix split the module name with '/' instead of pathSeparator().

        This is only utilized by the jsc.cpp for the local module tests.
        So, WebKit production and JavaScriptCore framework are not affected by this change.

        * jsc.cpp:
        (ModuleName::startsWithRoot):
        (ModuleName::ModuleName):
        (resolvePath):
        (GlobalObject::moduleLoaderResolve):

2015-09-05  Brian Burg  <bburg@apple.com>

        Web Inspector: tighten up lifetimes for Agent-owned objects, and initialize agents using contexts
        https://bugs.webkit.org/show_bug.cgi?id=148625

        Reviewed by Joseph Pecoraro.

        All agents own their domain-specific frontend and backend dispatchers. Change so that
        they are initialized in constructors rather than when a frontend connects or disconnects.
        This may cause additional memory use, but this can be counteracted by lazily creating
        some agents that are not required for other agents to function (i.e., runtime and page agents).

        To avoid adding frontend/backend dispatcher arguments to every single agent constructor,
        change agent construction to take a AgentContext or a subclass of it. This provides agents with
        references to objects in the owning InspectorEnvironment subclass that are guaranteed to
        outlive all agents. AgentContext and its subclasses follow the existing Agent class hierarchy.

        * inspector/InspectorAgentBase.h:
        (Inspector::JSAgentContext::JSAgentContext):
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::connectFrontend):
        (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
        (Inspector::JSGlobalObjectInspectorController::disconnectAllFrontends):
        (Inspector::JSGlobalObjectInspectorController::appendExtraAgent):
        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::InspectorAgent):
        (Inspector::InspectorAgent::didCreateFrontendAndBackend):
        (Inspector::InspectorAgent::willDestroyFrontendAndBackend):
        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::InspectorConsoleAgent):
        (Inspector::InspectorConsoleAgent::didCreateFrontendAndBackend):
        (Inspector::InspectorConsoleAgent::willDestroyFrontendAndBackend):
        * inspector/agents/InspectorConsoleAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent):
        (Inspector::InspectorDebuggerAgent::didCreateFrontendAndBackend):
        (Inspector::InspectorDebuggerAgent::willDestroyFrontendAndBackend):
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::InspectorRuntimeAgent):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
        (Inspector::JSGlobalObjectConsoleAgent::JSGlobalObjectConsoleAgent):
        * inspector/agents/JSGlobalObjectConsoleAgent.h:
        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
        (Inspector::JSGlobalObjectDebuggerAgent::JSGlobalObjectDebuggerAgent):
        * inspector/agents/JSGlobalObjectDebuggerAgent.h:
        * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
        (Inspector::JSGlobalObjectRuntimeAgent::JSGlobalObjectRuntimeAgent):
        (Inspector::JSGlobalObjectRuntimeAgent::didCreateFrontendAndBackend):
        * inspector/agents/JSGlobalObjectRuntimeAgent.h:
        * inspector/augmentable/AlternateDispatchableAgent.h:
        * inspector/augmentable/AugmentableInspectorController.h: Alternate agents should
        have access to frontend router and backend dispatcher at construction time.
        
        * inspector/scripts/codegen/cpp_generator_templates.py:
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
        (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
        * inspector/scripts/codegen/objc_generator_templates.py:

2015-09-04  Brian Burg  <bburg@apple.com>

        Web Inspector: agents should send messages through FrontendRouter instead of FrontendChannel
        https://bugs.webkit.org/show_bug.cgi?id=148492

        Reviewed by Joseph Pecoraro.

        Replace uses of FrontendChannel with FrontendRouter. Minor cleanups along the way.  

        Make AgentRegistry automatically signal discardAgent() in its destructor, since it always
        gets executed in the owning controller's destructor anyway.

        * inspector/InspectorAgentBase.h:
        * inspector/InspectorAgentRegistry.cpp:
        (Inspector::AgentRegistry::~AgentRegistry):
        (Inspector::AgentRegistry::didCreateFrontendAndBackend):
        (Inspector::AgentRegistry::willDestroyFrontendAndBackend):
        (Inspector::AgentRegistry::discardAgents): Deleted.
        * inspector/InspectorAgentRegistry.h:
        * inspector/InspectorBackendDispatcher.cpp:
        * inspector/InspectorFrontendRouter.cpp:
        (Inspector::FrontendRouter::leakChannel): Deleted, no longer necessary.
        * inspector/InspectorFrontendRouter.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::connectFrontend):
        (Inspector::JSGlobalObjectInspectorController::appendExtraAgent):
        (Inspector::JSGlobalObjectInspectorController::~JSGlobalObjectInspectorController):
        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::didCreateFrontendAndBackend):
        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::didCreateFrontendAndBackend):
        * inspector/agents/InspectorConsoleAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::didCreateFrontendAndBackend):
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
        (Inspector::JSGlobalObjectRuntimeAgent::didCreateFrontendAndBackend):
        * inspector/agents/JSGlobalObjectRuntimeAgent.h:
        * inspector/augmentable/AlternateDispatchableAgent.h:
        * inspector/remote/RemoteInspectorDebuggable.cpp:
        * inspector/scripts/codegen/cpp_generator_templates.py:
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
        (CppBackendDispatcherImplementationGenerator.generate_output):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
        (CppFrontendDispatcherHeaderGenerator.generate_output.FrontendRouter):
        (CppFrontendDispatcherHeaderGenerator.generate_output):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
        (CppFrontendDispatcherImplementationGenerator.generate_output):
        (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCConfigurationImplementationGenerator.generate_output):
        * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
        (ObjCFrontendDispatcherImplementationGenerator.generate_output):

2015-09-05  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Enable ES6 Module in JSC shell by default
        https://bugs.webkit.org/show_bug.cgi?id=148689

        Reviewed by Geoffrey Garen.

        Enable ES6 Modules in JSC shell by default. Compile time flag is left for WebCore.
        Since the entry point to evaluate the modules are completely separated from the usual
        entry point to evaluate the script, we can safely enable ES6 modules in JSC shell.

        And add bunch of tests for ES6 Modules.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionLoadModule):
        (runWithScripts):
        (printUsageStatement): Deleted.
        (CommandLine::parseArguments): Deleted.
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner): Deleted.
        * tests/modules.yaml: Added.
        * tests/modules/aliasing.js: Added.
        * tests/modules/aliasing/drink-2.js: Added.
        (export.let.Cappuccino.string_appeared_here.export.changeCappuccino):
        * tests/modules/aliasing/drink.js: Added.
        (export.changeCocoa):
        * tests/modules/cyclic-may-produce-tdz.js: Added.
        * tests/modules/cyclic-may-produce-tdz/1.js: Added.
        * tests/modules/cyclic-may-produce-tdz/2.js: Added.
        * tests/modules/default-error/main.js: Added.
        * tests/modules/default-value-case-should-be-copied.js: Added.
        * tests/modules/default-value-case-should-be-copied/module.js: Added.
        (export.changeValue):
        * tests/modules/defaults.js: Added.
        * tests/modules/defaults/Cappuccino.js: Added.
        * tests/modules/defaults/Cocoa.js: Added.
        (export.default.Cocoa):
        * tests/modules/defaults/Matcha.js: Added.
        * tests/modules/destructuring-export.js: Added.
        * tests/modules/destructuring-export/array.js: Added.
        * tests/modules/destructuring-export/main.js: Added.
        * tests/modules/execution-order-cyclic.js: Added.
        * tests/modules/execution-order-cyclic/1.js: Added.
        * tests/modules/execution-order-cyclic/10.js: Added.
        * tests/modules/execution-order-cyclic/11.js: Added.
        * tests/modules/execution-order-cyclic/2.js: Added.
        * tests/modules/execution-order-cyclic/3.js: Added.
        * tests/modules/execution-order-cyclic/4.js: Added.
        * tests/modules/execution-order-cyclic/5.js: Added.
        * tests/modules/execution-order-cyclic/6.js: Added.
        * tests/modules/execution-order-cyclic/7.js: Added.
        * tests/modules/execution-order-cyclic/8.js: Added.
        * tests/modules/execution-order-cyclic/9.js: Added.
        * tests/modules/execution-order-dag.js: Added.
        * tests/modules/execution-order-dag/1.js: Added.
        * tests/modules/execution-order-dag/10.js: Added.
        * tests/modules/execution-order-dag/2.js: Added.
        * tests/modules/execution-order-dag/3.js: Added.
        * tests/modules/execution-order-dag/4.js: Added.
        * tests/modules/execution-order-dag/5.js: Added.
        * tests/modules/execution-order-dag/6.js: Added.
        * tests/modules/execution-order-dag/7.js: Added.
        * tests/modules/execution-order-dag/8.js: Added.
        * tests/modules/execution-order-dag/9.js: Added.
        * tests/modules/execution-order-depth.js: Added.
        * tests/modules/execution-order-depth/1.js: Added.
        * tests/modules/execution-order-depth/2.js: Added.
        * tests/modules/execution-order-depth/3.js: Added.
        * tests/modules/execution-order-self.js: Added.
        * tests/modules/execution-order-sibling.js: Added.
        * tests/modules/execution-order-sibling/1.js: Added.
        * tests/modules/execution-order-sibling/2.js: Added.
        * tests/modules/execution-order-sibling/3.js: Added.
        * tests/modules/execution-order-tree.js: Added.
        * tests/modules/execution-order-tree/1.js: Added.
        * tests/modules/execution-order-tree/10.js: Added.
        * tests/modules/execution-order-tree/11.js: Added.
        * tests/modules/execution-order-tree/2.js: Added.
        * tests/modules/execution-order-tree/3.js: Added.
        * tests/modules/execution-order-tree/4.js: Added.
        * tests/modules/execution-order-tree/5.js: Added.
        * tests/modules/execution-order-tree/6.js: Added.
        * tests/modules/execution-order-tree/7.js: Added.
        * tests/modules/execution-order-tree/8.js: Added.
        * tests/modules/execution-order-tree/9.js: Added.
        * tests/modules/export-conflict-ok.js: Added.
        * tests/modules/export-conflict-ok/A.js: Added.
        * tests/modules/export-conflict-ok/B.js: Added.
        * tests/modules/export-conflict-ok/main.js: Added.
        * tests/modules/export-from.js: Added.
        * tests/modules/export-from/main.js: Added.
        * tests/modules/export-from/second.js: Added.
        * tests/modules/export-with-declarations-list.js: Added.
        * tests/modules/export-with-declarations-list/main.js: Added.
        * tests/modules/exported-function-may-be-called-before-module-is-executed.js: Added.
        * tests/modules/exported-function-may-be-called-before-module-is-executed/1.js: Added.
        * tests/modules/exported-function-may-be-called-before-module-is-executed/2.js: Added.
        (export.add):
        (export.raise):
        * tests/modules/import-error.js: Added.
        * tests/modules/import-error/export-ambiguous-1.js: Added.
        * tests/modules/import-error/export-ambiguous-2.js: Added.
        * tests/modules/import-error/export-ambiguous.js: Added.
        * tests/modules/import-error/export-default-from-star-2.js: Added.
        (export.default.Cocoa):
        * tests/modules/import-error/export-default-from-star.js: Added.
        * tests/modules/import-error/export-not-found.js: Added.
        * tests/modules/import-error/import-ambiguous.js: Added.
        * tests/modules/import-error/import-default-from-star.js: Added.
        * tests/modules/import-error/import-not-found.js: Added.
        * tests/modules/imported-bindings-are-immutable.js: Added.
        * tests/modules/imported-bindings-are-immutable/bindings.js: Added.
        (export.functionDeclaration):
        (export.classDeclaration):
        * tests/modules/imported-bindings-can-be-changed-in-original-module.js: Added.
        * tests/modules/imported-bindings-can-be-changed-in-original-module/bindings.js: Added.
        * tests/modules/indirect-export-error.js: Added.
        * tests/modules/indirect-export-error/indirect-export-ambiguous-2.js: Added.
        * tests/modules/indirect-export-error/indirect-export-ambiguous-3.js: Added.
        * tests/modules/indirect-export-error/indirect-export-ambiguous-4.js: Added.
        * tests/modules/indirect-export-error/indirect-export-ambiguous.js: Added.
        * tests/modules/indirect-export-error/indirect-export-default-2.js: Added.
        * tests/modules/indirect-export-error/indirect-export-default-3.js: Added.
        (export.default.Cocoa):
        * tests/modules/indirect-export-error/indirect-export-default.js: Added.
        * tests/modules/indirect-export-error/indirect-export-not-found-2.js: Added.
        * tests/modules/indirect-export-error/indirect-export-not-found.js: Added.
        * tests/modules/module-eval.js: Added.
        * tests/modules/module-eval/A.js: Added.
        * tests/modules/module-eval/B.js: Added.
        * tests/modules/module-eval/drink.js: Added.
        * tests/modules/module-is-strict-code.js: Added.
        * tests/modules/namespace-ambiguous.js: Added.
        * tests/modules/namespace-ambiguous/ambiguous-2.js: Added.
        * tests/modules/namespace-ambiguous/ambiguous-3.js: Added.
        * tests/modules/namespace-ambiguous/ambiguous-4.js: Added.
        * tests/modules/namespace-ambiguous/ambiguous.js: Added.
        * tests/modules/namespace-error.js: Added.
        * tests/modules/namespace-error/namespace-local-error-should-hide-global-ambiguity-2.js: Added.
        * tests/modules/namespace-error/namespace-local-error-should-hide-global-ambiguity-3.js: Added.
        * tests/modules/namespace-error/namespace-local-error-should-hide-global-ambiguity-4.js: Added.
        * tests/modules/namespace-error/namespace-local-error-should-hide-global-ambiguity-5.js: Added.
        * tests/modules/namespace-error/namespace-local-error-should-hide-global-ambiguity-6.js: Added.
        * tests/modules/namespace-error/namespace-local-error-should-hide-global-ambiguity-7.js: Added.
        * tests/modules/namespace-error/namespace-local-error-should-hide-global-ambiguity.js: Added.
        * tests/modules/namespace-tdz.js: Added.
        * tests/modules/namespace-tdz/A.js: Added.
        * tests/modules/namespace-tdz/B.js: Added.
        (export.later):
        * tests/modules/namespace-tdz/main.js: Added.
        * tests/modules/namespace.js: Added.
        * tests/modules/namespace/additional-drink.js: Added.
        * tests/modules/namespace/drink.js: Added.
        (export.default.changeCappuccino):
        * tests/modules/namespace/more-additional-drink.js: Added.
        * tests/modules/resources/assert.js: Added.
        (export.shouldBe):
        (export.shouldThrow):
        * tests/modules/scopes.js: Added.
        * tests/modules/scopes/additional-drink.js: Added.
        * tests/modules/scopes/drink.js: Added.
        (export.default.changeCappuccino):
        * tests/modules/scopes/more-additional-drink.js: Added.
        * tests/modules/this-should-be-undefined.js: Added.
        * tests/stress/modules-syntax-error-with-names.js:
        * tests/stress/modules-syntax-error.js:
        * tests/stress/modules-syntax.js:

2015-09-05  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Implement ModuleNamespaceObject
        https://bugs.webkit.org/show_bug.cgi?id=148705

        Reviewed by Geoffrey Garen.

        Implement Module namespace object.
        That is used when importing the module with the form `import * as namespace from "mod"`.
        The module namespace object is non-extensible object that has the bindings to the original module
        as the property.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::moduleNamespaceObjectStructure):
        * runtime/JSModuleNamespaceObject.cpp: Added.
        (JSC::JSModuleNamespaceObject::JSModuleNamespaceObject):
        (JSC::JSModuleNamespaceObject::finishCreation):
        (JSC::JSModuleNamespaceObject::destroy):
        (JSC::JSModuleNamespaceObject::visitChildren):
        (JSC::callbackGetter):
        (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
        (JSC::JSModuleNamespaceObject::put):
        (JSC::JSModuleNamespaceObject::putByIndex):
        (JSC::JSModuleNamespaceObject::deleteProperty):
        (JSC::JSModuleNamespaceObject::getOwnPropertyNames):
        (JSC::JSModuleNamespaceObject::defineOwnProperty):
        (JSC::moduleNamespaceObjectSymbolIterator):
        * runtime/JSModuleNamespaceObject.h: Added.
        (JSC::JSModuleNamespaceObject::create):
        (JSC::JSModuleNamespaceObject::createStructure):
        (JSC::JSModuleNamespaceObject::moduleRecord):
        * runtime/JSModuleRecord.cpp:
        (JSC::JSModuleRecord::visitChildren):
        (JSC::getExportedNames):
        (JSC::JSModuleRecord::getModuleNamespace):
        (JSC::JSModuleRecord::instantiateDeclarations):
        * runtime/JSModuleRecord.h:

2015-09-04  Mark Lam  <mark.lam@apple.com>

        Rollout r189411, r189413: Broke JSC tests.

        Not reviewed.

        * API/tests/PingPongStackOverflowTest.cpp: Removed.
        * API/tests/PingPongStackOverflowTest.h: Removed.
        * API/tests/testapi.c:
        (main):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * interpreter/CallFrame.h:
        (JSC::ExecState::operator=):
        (JSC::ExecState::callerFrame):
        (JSC::ExecState::argIndexForRegister):
        (JSC::ExecState::callerFrameOrVMEntryFrame):
        (JSC::ExecState::callerFrameAndPC):
        * interpreter/Interpreter.cpp:
        (JSC::UnwindFunctor::UnwindFunctor):
        (JSC::UnwindFunctor::operator()):
        (JSC::Interpreter::unwind):
        * interpreter/Interpreter.h:
        (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
        (JSC::Interpreter::sampler):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::jumpToExceptionHandler):
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * jit/JITExceptions.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_catch):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_catch):
        * jit/JITOperations.cpp:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/VM.h:
        (JSC::VM::exceptionOffset):
        (JSC::VM::vmEntryFrameForThrowOffset):
        (JSC::VM::topVMEntryFrameOffset):
        (JSC::VM::callFrameForThrowOffset):

2015-09-04  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Test Runtime.saveResult and $n values
        https://bugs.webkit.org/show_bug.cgi?id=148837

        Reviewed by Timothy Hatcher.

        * inspector/InjectedScriptSource.js:
        (InjectedScript.prototype._evaluateOn):
        We don't need to be in the console object group to put the value
        in the saved results list. That strong reference will ensure $n
        values are always alive even if other object groups were used
        when creating and subsequently released.

2015-09-04  Mark Lam  <mark.lam@apple.com>

        [Follow up] StackOverflow stack unwinding should stop at native frames.
        https://bugs.webkit.org/show_bug.cgi?id=148749

        Rubber stamped by Michael Saboff.

        Speculative fix for jsc test failure.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::unwind):

2015-09-04  Mark Lam  <mark.lam@apple.com>

        StackOverflow stack unwinding should stop at native frames.
        https://bugs.webkit.org/show_bug.cgi?id=148749

        Reviewed by Michael Saboff.

        In the present code, after ping-pong'ing back and forth between native and JS
        code a few times, if we have a stack overflow on re-entry into the VM to run
        JS code's whose stack frame would overflow the JS stack, the code will end up
        unwinding past the native function that is making the call to re-enter the VM.
        As a result, any clean up code (e.g. destructors for stack variables) in the
        skipped native function frame (and its chain of native function callers) will
        not be called.

        This patch is based on the Michael Saboff's fix of this issue landed on the
        jsc-tailcall branch: http://trac.webkit.org/changeset/188555

        We now check for the case where there are no JS frames to unwind since the
        last native frame, and treat the exception as an unhandled exception.  The
        native function is responsible for further propagating the exception if needed.

        Other supporting work:
        1. Remove vm->vmEntryFrameForThrow.  It should always be the same as
           vm->topVMEntryFrame.
        2. Change operationThrowStackOverflowError() to use the throwStackOverflowError()
           helper function instead of rolling its own.
        3. In the LLINT vm entry, set vm->topVMEntryFrame as soon as the entry frame is
           fully initialized (instead of waiting).  With this, we can always reliably
           tell which VMEntryFrame is on top.
        4. Added a test that exercises this edge case.  The test should not hang or crash.

        * API/tests/PingPongStackOverflowTest.cpp: Added.
        (PingPongStackOverflowObject_hasInstance):
        (testPingPongStackOverflow):
        * API/tests/PingPongStackOverflowTest.h: Added.
        * API/tests/testapi.c:
        (main):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):
        (JSC::getStackFrameCodeType):
        (JSC::UnwindFunctor::UnwindFunctor):
        (JSC::UnwindFunctor::operator()):
        (JSC::Interpreter::unwind):
        * interpreter/Interpreter.h:
        (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
        (JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore):
        (JSC::NativeCallFrameTracerWithRestore::~NativeCallFrameTracerWithRestore):
        (JSC::Interpreter::sampler):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::jumpToExceptionHandler):
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * jit/JITExceptions.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_catch):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_catch):
        * jit/JITOperations.cpp:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/VM.h:
        (JSC::VM::exceptionOffset):
        (JSC::VM::callFrameForThrowOffset):
        (JSC::VM::vmEntryFrameForThrowOffset): Deleted.
        (JSC::VM::topVMEntryFrameOffset): Deleted.

2015-09-04  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Implement the division and modulo instructions in WebAssembly
        https://bugs.webkit.org/show_bug.cgi?id=148791

        Reviewed by Geoffrey Garen.

        This patch implements the unsigned division, signed modulo, and unsigned
        modulo instructions for 32-bit integers in WebAssembly. It also
        implements the context pool index instructions, which are needed for
        testing. (pack-asmjs puts numbers that are used more than once in the
        constant pool.)

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::divl_r):
        * tests/stress/wasm-arithmetic.js:
        * tests/stress/wasm-arithmetic.wasm:
        * wasm/WASMFunctionCompiler.h:
        (JSC::operationMod):
        (JSC::operationUnsignedDiv):
        (JSC::operationUnsignedMod):
        (JSC::WASMFunctionCompiler::buildBinaryI32):
        (JSC::WASMFunctionCompiler::callOperation):
        * wasm/WASMFunctionParser.cpp:
        (JSC::WASMFunctionParser::parseExpressionI32):
        (JSC::WASMFunctionParser::parseConstantPoolIndexExpressionI32):
 &nbs