[DFG] Drop unknown use of CheckCell's child2 to work ObjectAllocationSinking for...

[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2017-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Drop unknown use of CheckCell's child2 to work ObjectAllocationSinking for Array iterator object
        https://bugs.webkit.org/show_bug.cgi?id=170940

        Reviewed by Filip Pizlo.

        The second argument of CheckCell is not used in meaningful way. It is just *use* the node.
        The problem is that it effectively *use* the child2 in ObjectAllocationSinking phase, and
        prevent us from eliminating object allocations. Actually, it materializes Array iterator
        when inlining `next()`. Instead, we should use Phantom in such a case.

        It improves destructuring.es6 in SixSpeed 2.5x.

        destructuring.es6      308.5184+-25.3490    ^    119.5680+-15.0520       ^ definitely 2.5803x faster

        Note that SixSpeed tested in arewefastyet executes all the tests in one process while our SixSpeed
        tests each one in isolated way.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::emitFunctionChecks):
        (JSC::DFG::ByteCodeParser::handleGetById):

2017-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC][GTK] glib RunLoop does not accept negative start interval
        https://bugs.webkit.org/show_bug.cgi?id=170775

        Reviewed by Saam Barati.

        * heap/GCActivityCallback.cpp:
        (JSC::GCActivityCallback::scheduleTimer):

2017-04-17  Saam Barati  <sbarati@apple.com>

        BytecodeGenerator ".call" and ".apply" is exponential in nesting depth
        https://bugs.webkit.org/show_bug.cgi?id=139847
        <rdar://problem/19321122>

        Reviewed by Oliver Hunt.

        The BytecodeGenerator's .apply(...) and .call(...) code would
        emit bytecode for the evaluation of its arguments twice. This
        is exponential, specifically, 2^n, where n is the nesting depth of
        .call(...) or .apply(...) inside other .call(...) or .apply(...).
        
        The reason we emit code for the arguments twice is that we try
        to emit efficient code for when .call or .apply is Function.prototype.call
        or Function.prototype.apply. Because of this, we compare .call/.apply to
        Function.prototype.call/.apply, and if they're the same, we emit a specialized
        function call in bytecode. Otherwise, we emit the generalized version.
        
        This patch makes it so that each .call(...) and .apply(...) records
        its max inner nesting depth. Then, we only perform the optimization
        for the bottom k (where k = 6) layers of the nesting tree. The reason we
        apply the optimization to the bottom k layers instead of top k layers
        is that we'll produce less code this way.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::makeFunctionCallNode):
        * parser/NodeConstructors.h:
        (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode):
        (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode):
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::recordCallOrApplyDepth):
        (JSC::Parser<LexerType>::parseMemberExpression):
        * parser/Parser.h:
        (JSC::Parser::CallOrApplyDepth::CallOrApplyDepth):
        (JSC::Parser::CallOrApplyDepth::maxChildDepth):
        (JSC::Parser::CallOrApplyDepth::~CallOrApplyDepth):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::makeFunctionCallNode):

2017-04-17  Mark Lam  <mark.lam@apple.com>

        JSArray::appendMemcpy() needs to handle copying from Undecided indexing type too.
        https://bugs.webkit.org/show_bug.cgi?id=170896
        <rdar://problem/31651319>

        Reviewed by JF Bastien and Keith Miller.

        * runtime/JSArray.cpp:
        (JSC::JSArray::appendMemcpy):

2017-04-17  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Doesn't show size of compressed content correctly
        https://bugs.webkit.org/show_bug.cgi?id=155112
        <rdar://problem/25006728>

        Reviewed by Alex Christensen and Timothy Hatcher.

        * inspector/protocol/Network.json:
        New, exact size metrics, available after the load completes.

2017-04-17  Youenn Fablet  <youenn@apple.com>

        Disable outdated WritableStream API
        https://bugs.webkit.org/show_bug.cgi?id=170749
        <rdar://problem/31446233>

        Reviewed by Alex Christensen.

        * Configurations/FeatureDefines.xcconfig:

2017-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSCOnly] Fix build failures in macOS
        https://bugs.webkit.org/show_bug.cgi?id=170887

        Reviewed by Alex Christensen.

        Align ICU header configuration to MacCMake port.

        * PlatformJSCOnly.cmake:

2017-04-17  JF Bastien  <jfbastien@apple.com>

        B3: don't allow unsigned offsets in Value
        https://bugs.webkit.org/show_bug.cgi?id=170692

        Reviewed by Filip Pizlo.

        MemoryValue and similar B3 opcode classes always expects a signed
        offset. Giving it an out-of-bounds unsigned offset causes
        implementation-defined behavior, which can cause badness as I just
        fixed in WebAssembly.  This patch makes it impossible to create a
        Value opcodes with an unsigned value, or with an overly-large
        value.

        * b3/B3AtomicValue.cpp:
        (JSC::B3::AtomicValue::AtomicValue):
        * b3/B3AtomicValue.h:
        * b3/B3Common.h:
        (JSC::B3::isRepresentableAs):
        * b3/B3EliminateCommonSubexpressions.cpp:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::scaleForShl):
        (JSC::B3::Air::LowerToAir::effectiveAddr):
        (JSC::B3::Air::LowerToAir::addr):
        (JSC::B3::Air::LowerToAir::tryAppendLea):
        * b3/B3MemoryValue.cpp:
        (JSC::B3::MemoryValue::isLegalOffsetImpl):
        (JSC::B3::MemoryValue::MemoryValue):
        * b3/B3MemoryValue.h:
        * b3/B3MemoryValueInlines.h:
        (JSC::B3::MemoryValue::isLegalOffsetImpl):
        * b3/B3MoveConstants.cpp:
        * b3/B3ReduceStrength.cpp:
        * b3/B3StackmapSpecial.cpp:
        (JSC::B3::StackmapSpecial::repForArg):
        * b3/B3Value.h:
        * b3/air/AirArg.cpp:
        (JSC::B3::Air::Arg::stackAddrImpl):
        * b3/air/AirArg.h:
        (JSC::B3::Air::Arg::addr):
        (JSC::B3::Air::Arg::stack):
        (JSC::B3::Air::Arg::callArg):
        (JSC::B3::Air::Arg::stackAddr):
        (JSC::B3::Air::Arg::index):
        (JSC::B3::Air::Arg::offset):
        (JSC::B3::Air::Arg::isValidAddrForm):
        (JSC::B3::Air::Arg::isValidIndexForm):
        (JSC::B3::Air::Arg::asTrustedImm32):
        (JSC::B3::Air::Arg::asAddress):
        (JSC::B3::Air::Arg::asBaseIndex):
        * b3/air/AirLowerStackArgs.cpp:
        (JSC::B3::Air::lowerStackArgs):
        * b3/testb3.cpp:
        (JSC::B3::testMulArgStore):
        (JSC::B3::testStore32):
        (JSC::B3::testStoreConstant):
        (JSC::B3::testStoreConstantPtr):
        (JSC::B3::testStoreAddLoad32):
        (JSC::B3::testStoreAddLoadImm32):
        (JSC::B3::testStoreAddLoad8):
        (JSC::B3::testStoreAddLoadImm8):
        (JSC::B3::testStoreAddLoad16):
        (JSC::B3::testStoreAddLoadImm16):
        (JSC::B3::testStoreAddLoad64):
        (JSC::B3::testStoreAddLoadImm64):
        (JSC::B3::testStoreAddLoad32Index):
        (JSC::B3::testStoreAddLoadImm32Index):
        (JSC::B3::testStoreAddLoad64Index):
        (JSC::B3::testStoreAddLoadImm64Index):
        (JSC::B3::testStoreSubLoad):
        (JSC::B3::testStoreAddLoadInterference):
        (JSC::B3::testStoreAddAndLoad):
        (JSC::B3::testStoreNegLoad32):
        (JSC::B3::testStoreNegLoadPtr):
        (JSC::B3::testLoadOffset):
        (JSC::B3::testLoadOffsetNotConstant):
        (JSC::B3::testLoadOffsetUsingAdd):
        (JSC::B3::testLoadOffsetUsingAddInterference):
        (JSC::B3::testLoadOffsetUsingAddNotConstant):
        (JSC::B3::testStoreLoadStackSlot):
        (JSC::B3::testLoad):
        (JSC::B3::testInterpreter):
        (JSC::B3::testTrappingStore):
        (JSC::B3::testTrappingLoadAddStore):
        (JSC::B3::testWasmAddress):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::fixupPointerPlusOffset):
        (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
        (JSC::Wasm::B3IRGenerator::emitLoadOp):
        (JSC::Wasm::B3IRGenerator::emitStoreOp):

2017-04-16  Joseph Pecoraro  <pecoraro@apple.com>

        test262: test262/test/built-ins/Object/prototype/toLocaleString/primitive_this_value.js
        https://bugs.webkit.org/show_bug.cgi?id=170882

        Reviewed by Saam Barati.

        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncToLocaleString):
        We should be using the this value without ToObject conversion both when
        getting the potential accessor and calling it. In strict mode, the this
        value will remain its simple value, in non-strict it is still converted.

2017-04-16  Joseph Pecoraro  <pecoraro@apple.com>

        test262: test262/test/built-ins/isNaN/toprimitive-not-callable-throws.js
        https://bugs.webkit.org/show_bug.cgi?id=170888

        Reviewed by Saam Barati.

        * runtime/ExceptionHelpers.h:
        * runtime/ExceptionHelpers.cpp:
        (JSC::createInvalidInstanceofParameterErrorHasInstanceValueNotFunction):
        Fix up this function name.

        * runtime/JSObject.cpp:
        (JSC::callToPrimitiveFunction):
        When called with @@isPrimitive, bail on undefined or null and
        throw a type error if the value is not callable.

        (JSC::JSObject::toPrimitive):
        Use throw scope to check for exception.

2017-04-16  Joseph Pecoraro  <pecoraro@apple.com>

        test262: test262/test/language/expressions/tagged-template/template-object.js
        https://bugs.webkit.org/show_bug.cgi?id=170878

        Reviewed by Saam Barati.

        * runtime/JSArray.cpp:
        (JSC::JSArray::put):
        The fast path for setting an Array's length should check if length is
        writable before checking for and possibly throwing a RangeError.

2017-04-16  Joseph Pecoraro  <pecoraro@apple.com>

        test262: test262/test/built-ins/Object/getOwnPropertyNames/15.2.3.4-4-44.js
        https://bugs.webkit.org/show_bug.cgi?id=170879

        Reviewed by Saam Barati.

        * runtime/StringObject.h:
        * runtime/StringObject.cpp:
        (JSC::StringObject::getOwnPropertyNames):
        (JSC::StringObject::getOwnNonIndexPropertyNames):
        Ensure 'length' comes after all indexed properties by moving
        it out to the getOwnNonIndexPropertyNames method which is called
        inside of getOwnPropertyNames after JSObject handles indices.

2017-04-16  Joseph Pecoraro  <pecoraro@apple.com>

        test262: test262/test/built-ins/Date/prototype/Symbol.toPrimitive/name.js
        https://bugs.webkit.org/show_bug.cgi?id=170884

        Reviewed by Yusuke Suzuki.

        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::finishCreation):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):
        * runtime/SymbolPrototype.cpp:
        (JSC::SymbolPrototype::finishCreation):
        Give symbol property functions proper function names.
        This addresses function.name but not function.toString().

2017-04-15  Joseph Pecoraro  <pecoraro@apple.com>

        test262: test262/test/language/global-code/new.target-arrow.js
        https://bugs.webkit.org/show_bug.cgi?id=170872

        Reviewed by Saam Barati.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        Mark the global code scope.

        (JSC::Parser<LexerType>::parseMemberExpression):
        If new.target is detected in an arrow function defined in global scope
        throw a SyntaxError.

        * parser/Parser.h:
        (JSC::Scope::Scope):
        (JSC::Scope::setIsGlobalCodeScope):
        (JSC::Scope::isGlobalCodeScope):
        Marker for a global code scope.

        * parser/ParserModes.h:
        (JSC::isModuleParseMode):
        (JSC::isProgramParseMode):
        (JSC::isProgramOrModuleParseMode):
        Helper for detecting global code based on parse mode.

2017-04-14  Nikita Vasilyev  <nvasilyev@apple.com>

        Web Inspector: WebSockets: messages with non-latin letters are displayed incorrectly
        https://bugs.webkit.org/show_bug.cgi?id=170760

        Reviewed by Joseph Pecoraro.

        Add payloadLength property, which is used to display size. When payloadLength is unavailable,
        it is calculated from payloadData by Web Inspector frontend.

        This fixes <webkit.org/b/170609> Web Inspector: WebSockets: Transferred size is incorrect.

        * inspector/protocol/Network.json:

2017-04-14  Saam Barati  <sbarati@apple.com>

        ParseInt intrinsic in DFG backend doesn't properly flush its operands
        https://bugs.webkit.org/show_bug.cgi?id=170865

        Reviewed by Mark Lam and Geoffrey Garen.

        The DFG backend code needed to first call .gpr()/.jsValueRegs()
        before calling flushRegisters(), or the input JSValueOperand would
        not be flushed.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileParseInt):

2017-04-14  Mark Lam  <mark.lam@apple.com>

        Update architectures in xcconfig files.
        https://bugs.webkit.org/show_bug.cgi?id=170867
        <rdar://problem/31628104>

        Reviewed by Joseph Pecoraro.

        * Configurations/Base.xcconfig:
        * Configurations/FeatureDefines.xcconfig:
        * Configurations/JavaScriptCore.xcconfig:
        * Configurations/ToolExecutable.xcconfig:

2017-04-14  Keith Miller  <keith_miller@apple.com>

        WebAssembly: B3IRGenerator should use phis for result types
        https://bugs.webkit.org/show_bug.cgi?id=170863

        Reviewed by Filip Pizlo.

        Currently, we use variables for the result types of control flow in
        Wasm. We did this originally since we weren't sure that the phis we
        generated would be optimal. Since then, we have verified that the edges
        in wasm control flow ensure that each upsilon will dominate its phi
        so we don't need to use variables.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::ControlData::ControlData):
        (JSC::Wasm::B3IRGenerator::addTopLevel):
        (JSC::Wasm::B3IRGenerator::addBlock):
        (JSC::Wasm::B3IRGenerator::addLoop):
        (JSC::Wasm::B3IRGenerator::unify):

2017-04-14  Alex Christensen  <achristensen@webkit.org>

        Fix Windows build after r215368.
        https://bugs.webkit.org/show_bug.cgi?id=170641

        * CMakeLists.txt:
        Add new directory containing files needed in WebCore.

2017-04-14  Caitlin Potter  <caitp@igalia.com>

        [JSC] use ExpressionErrorClassifier for AwaitExpression operand
        https://bugs.webkit.org/show_bug.cgi?id=170844

        Reviewed by Saam Barati.

        In parseAssignmentExpression(), several cover grammars are handled, and
        use ExpressionErrorClassifier to record hints about which grammars to
        try.

        In parseAwaitExpression(), the hints recorded during parsing of the
        operand need to be discarded, because if they propagate to the outer
        parseAssignmentExpression(), the hints will lead the parser down invalid
        branches that should be skipped.

        This change adds an additional ExpressionErrorClassifier to
        parseAwaitExpression(), in order to discard hints recorded trying to
        parse the operand.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseAwaitExpression):

2017-04-14  Saam Barati  <sbarati@apple.com>

        WebAssembly: There is a short window of time where a CodeBlock could be destroyed before all of its async compilation callbacks are called
        https://bugs.webkit.org/show_bug.cgi?id=170641

        Reviewed by Keith Miller.

        There is an unlikely race when a CodeBlock compilation fails,
        the module compiles a new CodeBlock for that memory mode, all while
        the CodeBlock is notifying its callbacks that it has finished.
        There is a chance that the Module could deref its failed CodeBlock 
        at that point, destroying it, before the callbacks were able to
        grab a Ref to the CodeBlock. This patch fixes the race by having the
        callbacks ref the CodeBlock.

        This patch also has the Plan clear out all of its callbacks
        once it gets completed. This adds an extra defense to anybody
        that grabs refs to the Plan in the callback.

        * wasm/WasmCodeBlock.cpp:
        (JSC::Wasm::CodeBlock::CodeBlock):
        (JSC::Wasm::CodeBlock::compileAsync):
        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::complete):

2017-04-13  Filip Pizlo  <fpizlo@apple.com>

        Air::RegLiveness should be constraint-based
        https://bugs.webkit.org/show_bug.cgi?id=170817

        Reviewed by Saam Barati.
        
        Previously, I changed the Air liveness analyses based on Air::Liveness<> to be
        constraint-based and this was a significant speed-up. Now I'm adding the same
        functionality to RegLiveness.
        
        This is a 1% speed-up on wasm B3 -O1 compile times.
        
        * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
        * b3/air/AirLivenessAdapter.h:
        (JSC::B3::Air::LivenessAdapter::LivenessAdapter):
        (JSC::B3::Air::LivenessAdapter::prepareToCompute):
        (JSC::B3::Air::LivenessAdapter::actionsAt):
        * b3/air/AirRegLiveness.cpp:
        (JSC::B3::Air::RegLiveness::RegLiveness):
        (JSC::B3::Air::RegLiveness::LocalCalcForUnifiedTmpLiveness::LocalCalcForUnifiedTmpLiveness):
        (JSC::B3::Air::RegLiveness::LocalCalcForUnifiedTmpLiveness::execute):
        (JSC::B3::Air::RegLiveness::LocalCalc::execute): Deleted.
        * b3/air/AirRegLiveness.h:
        (JSC::B3::Air::RegLiveness::Actions::Actions):
        (JSC::B3::Air::RegLiveness::LocalCalcBase::LocalCalcBase):
        (JSC::B3::Air::RegLiveness::LocalCalcBase::live):
        (JSC::B3::Air::RegLiveness::LocalCalcBase::isLive):
        (JSC::B3::Air::RegLiveness::LocalCalc::LocalCalc):
        (JSC::B3::Air::RegLiveness::LocalCalc::execute):
        (JSC::B3::Air::RegLiveness::LocalCalc::live): Deleted.
        (JSC::B3::Air::RegLiveness::LocalCalc::isLive): Deleted.

2017-04-13  JF Bastien  <jfbastien@apple.com>

        WebAssembly: fix windows build
        https://bugs.webkit.org/show_bug.cgi?id=170832

        Reviewed by Mark Lam.

        My previous patch re-declared isIOS which AssemblerCommon.h
        already provided, and which was already included by Options.cpp.

        * runtime/Options.cpp:

2017-04-13  Saam Barati  <sbarati@apple.com>

        WebAssembly: We should be able to postMessage a JSWebAssemblyModule
        https://bugs.webkit.org/show_bug.cgi?id=170573

        Reviewed by Filip Pizlo.

        This patch adds a callback to JSRunLoopTimer to notify
        clients that a timer has been set. This is used inside
        WorkerRunLoop in WebCore so that its RunLoop can perform
        an iteration when it sees that a timer got set.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/JSRunLoopTimer.cpp:
        (JSC::JSRunLoopTimer::scheduleTimer):
        (JSC::JSRunLoopTimer::addTimerSetNotification):
        (JSC::JSRunLoopTimer::removeTimerSetNotification):
        * runtime/JSRunLoopTimer.h:
        * wasm/WasmCodeBlock.cpp:
        (JSC::Wasm::CodeBlock::~CodeBlock):
        * wasm/WasmCodeBlock.h:
        * wasm/WasmModule.cpp:
        (JSC::Wasm::Module::~Module):
        (JSC::Wasm::Module::signatureIndexFromFunctionIndexSpace):
        (JSC::Wasm::makeValidationCallback):
        (JSC::Wasm::Module::validateSync):
        (JSC::Wasm::Module::validateAsync):
        (JSC::Wasm::Module::validateSyncImpl): Deleted.
        (JSC::Wasm::Module::makeValidationCallback): Deleted.
        * wasm/WasmModule.h:
        (JSC::Wasm::Module::validateSync): Deleted.
        (JSC::Wasm::Module::validateAsync): Deleted.
        (JSC::Wasm::Module::signatureIndexFromFunctionIndexSpace): Deleted.
        (JSC::Wasm::Module::nonNullCodeBlock): Deleted.
        * wasm/js/JSWebAssemblyCodeBlock.cpp:
        (JSC::JSWebAssemblyCodeBlock::create):
        * wasm/js/JSWebAssemblyCodeBlock.h:
        (JSC::JSWebAssemblyCodeBlock::create): Deleted.
        * wasm/js/JSWebAssemblyModule.cpp:
        (JSC::JSWebAssemblyModule::source):
        * wasm/js/JSWebAssemblyModule.h:
        (JSC::JSWebAssemblyModule::source): Deleted.
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):
        * wasm/js/WebAssemblyModulePrototype.cpp:

2017-04-13  Mark Lam  <mark.lam@apple.com>

        Should use flushDirect() when flushing the scopeRegister due to needsScopeRegister().
        https://bugs.webkit.org/show_bug.cgi?id=170661
        <rdar://problem/31579046>

        Reviewed by Filip Pizlo.

        Previously, we were using flush() to flush the outermost frame's scopeRegister.
        This is incorrect because flush() expects the VirtualRegister value passed to
        it to be that of the top most inlined frame.  In the event that we reach a
        terminal condition while inside an inlined frame, flush() will end up flushing
        the wrong register.  The fix is simply to use flushDirect() instead.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::flush):

2017-04-13  Andy VanWagoner  <thetalecrafter@gmail.com>

        Change Intl prototypes to plain objects
        https://bugs.webkit.org/show_bug.cgi?id=168178

        Reviewed by JF Bastien.

        * builtins/StringPrototype.js:
        (localeCompare): Create default Collator once instead of using prototype.
        * runtime/IntlCollatorPrototype.cpp:
        (JSC::IntlCollatorPrototype::IntlCollatorPrototype):
        * runtime/IntlCollatorPrototype.h:
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototype::IntlDateTimeFormatPrototype):
        * runtime/IntlDateTimeFormatPrototype.h:
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatPrototype::IntlNumberFormatPrototype):
        * runtime/IntlNumberFormatPrototype.h:
        * runtime/IntlObject.cpp:
        (JSC::IntlObject::finishCreation): Don't set constructor on each prototype.

2017-04-13  Oliver Hunt  <oliver@apple.com>

        allocationSize should use safe arithmetic by default
        https://bugs.webkit.org/show_bug.cgi?id=170804

        Reviewed by JF Bastien.

        Make all allocationSize() functions work in terms
        of Checked<size_t>

        * runtime/DirectArguments.h:
        (JSC::DirectArguments::offsetOfSlot):
        (JSC::DirectArguments::allocationSize):
        * runtime/HashMapImpl.h:
        (JSC::HashMapBuffer::allocationSize):
        * runtime/JSArray.h:
        (JSC::JSArray::allocationSize):
        * runtime/JSArrayBufferView.h:
        (JSC::JSArrayBufferView::allocationSize):
        * runtime/JSAsyncFunction.h:
        (JSC::JSAsyncFunction::allocationSize):
        * runtime/JSFixedArray.h:
        (JSC::JSFixedArray::allocationSize):
        * runtime/JSFunction.h:
        (JSC::JSFunction::allocationSize):
        * runtime/JSGeneratorFunction.h:
        (JSC::JSGeneratorFunction::allocationSize):
        * runtime/JSModuleNamespaceObject.h:
        * runtime/JSObject.h:
        (JSC::JSFinalObject::allocationSize):
        * runtime/JSWrapperObject.h:
        (JSC::JSWrapperObject::allocationSize):
        * runtime/ScopedArguments.h:
        (JSC::ScopedArguments::allocationSize):
        * runtime/VM.h:
        (JSC::ScratchBuffer::allocationSize):
        * wasm/js/JSWebAssemblyCodeBlock.h:
        (JSC::JSWebAssemblyCodeBlock::offsetOfImportStubs):
        (JSC::JSWebAssemblyCodeBlock::allocationSize):
        * wasm/js/JSWebAssemblyInstance.h:
        (JSC::JSWebAssemblyInstance::allocationSize):

2017-04-13  JF Bastien  <jfbastien@apple.com>

        WebAssembly: manage memory better
        https://bugs.webkit.org/show_bug.cgi?id=170628

        Reviewed by Keith Miller, Michael Saboff.

        WebAssembly fast memories weren't managed very well. This patch
        refactors it and puts us in a good position to further improve our
        fast memory handling in the future.

        We now cache fast memories at a process granularity, but make sure
        that they don't consume dirty pages. We add a cap to the total
        number of allocated fast memories to avoid ASLR degradation.

        We teach the GC about memories as a kind of resource it should
        care about because it didn't have visibility into the amount of
        memory each represented. This allows benchmarks which allocate
        memories back-to-back to reliably get fast memories 100% of the
        time, even on a system under load, which wasn't the case
        before. This reliability yields roughly 8% perf bump on x86-64
        WasmBench.

        The GC heuristic is as follows: each time we allocate a fast
        memory we notify the GC, which then keeps track of the total
        number of fast memories allocated since it last GC'd. We
        separately keep track of the total number of fast memories which
        have ever existed at any point in time (cached + allocated). This
        is a monotonically-increasing high watermark. The GC will force a
        full collection if, since it last ran, half or more of the high
        watermark of fast memories was allocated.

        At the same time, if we fail obtaining a fast memory from the
        cache we do a GC to try to find one. If that fails we'll allocate
        a new one (this can also fail, then we go to slow memory). This
        can also be improved, but it's a good start.

        This currently disables fast memories on iOS because getting fast
        memories isn't a guaranteed thing. Rather, we get quite a few of
        them and achieve significant speedups, but benchmarks which
        allocate memories back-to-back end up falling behind because the
        GC can conservatively hold onto memories, which then yields a perf
        cliff. That cliff isn't reliable, WasmBench gets roughly 10 of 18
        fast memories when in theory it should get all of them fast (as
        MacOS does). The patch significantly improves the state of iOS
        though, and in a follow-up we could re-enable fast memories.

        Part of this good positioning is a facility to pre-allocate fast
        memories very early at startup, before any fragmentation
        occurs. This is currently disabled but worked extremely reliably
        on iOS. Once we fix the above issues we'll want to re-visit and
        turn on pre-allocation.

        We also avoid locking for fast memory identification when
        performing signal handling. I'm very nervous about acquiring locks
        in a signal handler because in general signals can happen when
        we've messed up. This isn't the case with fast memories: we're
        raising a signal on purpose and handling it. However this doesn't
        mean we won't mess up elsewhere! This will get more complicated
        once we add support for multiple threads sharing memories and
        being able to grow their memories. One example: the code calls
        CRASH(), which executes the following code in release:

            *(int *)(uintptr_t)0xbbadbeef = 0;

        This is a segfault, which our fast memory signal handler tries to
        handle. It does so by first figuring out whether 0xbbadbeef is in
        a fast memory region, reqiring a lock. If we CRASH() while holding
        the lock then our thread self-deadlocks, giving us no crash report
        and a bad user experience.

        Avoiding a lock therefore it's not about speed or reduced
        contention. In fact, I'd use something else than a FIFO if these
        were a concern. We're also doing syscalls, which dwarf any locking
        cost.

        We now only allocate 4GiB + redzone of 64k * 128 for fast memories
        instead of 8GiB. This patch reuses the logic from
        B3::WasmBoundsCheck to perform bounds checks when accesses could
        exceed the redzone. We'll therefore benefit from CSE goodness when
        it reaches WasmBoundsCheck. See bug #163469.

        * b3/B3LowerToAir.cpp: fix a baaaaddd bug where unsigned->signed
        conversion allowed out-of-bounds reads by -2GiB. I'll follow-up in
        bug #170692 to prevent this type of bug once and for all.
        (JSC::B3::Air::LowerToAir::lower):
        * b3/B3Validate.cpp: update WasmBoundsCheck validation.
        * b3/B3Value.cpp:
        (JSC::B3::Value::effects): update WasmBoundsCheck effects.
        * b3/B3WasmBoundsCheckValue.cpp:
        (JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue):
        (JSC::B3::WasmBoundsCheckValue::redzoneLimit):
        (JSC::B3::WasmBoundsCheckValue::dumpMeta):
        * b3/B3WasmBoundsCheckValue.h:
        (JSC::B3::WasmBoundsCheckValue::maximum):
        * b3/air/AirCustom.cpp:
        (JSC::B3::Air::WasmBoundsCheckCustom::isValidForm):
        * b3/testb3.cpp:
        (JSC::B3::testWasmBoundsCheck):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::reportWebAssemblyFastMemoriesAllocated):
        (JSC::Heap::webAssemblyFastMemoriesThisCycleAtThreshold):
        (JSC::Heap::updateAllocationLimits):
        (JSC::Heap::didAllocateWebAssemblyFastMemories):
        (JSC::Heap::shouldDoFullCollection):
        (JSC::Heap::collectIfNecessaryOrDefer):
        * heap/Heap.h:
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/Options.cpp:
        * runtime/Options.h:
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::fixupPointerPlusOffset):
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
        (JSC::Wasm::B3IRGenerator::emitLoadOp):
        (JSC::Wasm::B3IRGenerator::emitStoreOp):
        (JSC::Wasm::createJSToWasmWrapper):
        * wasm/WasmFaultSignalHandler.cpp:
        (JSC::Wasm::trapHandler):
        * wasm/WasmMemory.cpp: Rewrite.
        (JSC::Wasm::makeString):
        (JSC::Wasm::Memory::initializePreallocations):
        (JSC::Wasm::Memory::createImpl):
        (JSC::Wasm::Memory::create):
        (JSC::Wasm::Memory::~Memory):
        (JSC::Wasm::Memory::fastMappedRedzoneBytes):
        (JSC::Wasm::Memory::fastMappedBytes):
        (JSC::Wasm::Memory::maxFastMemoryCount):
        (JSC::Wasm::Memory::addressIsInActiveFastMemory):
        (JSC::Wasm::Memory::grow):
        * wasm/WasmMemory.h:
        (Memory::maxFastMemoryCount):
        (Memory::addressIsInActiveFastMemory):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::finishCreation):
        (JSC::JSWebAssemblyInstance::visitChildren):
        (JSC::JSWebAssemblyInstance::globalMemoryByteSize):
        * wasm/js/JSWebAssemblyInstance.h:
        * wasm/js/JSWebAssemblyMemory.cpp:
        (JSC::JSWebAssemblyMemory::grow):
        (JSC::JSWebAssemblyMemory::finishCreation):
        (JSC::JSWebAssemblyMemory::visitChildren):

2017-04-13  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use proper ifdef guard for code using MachineContext
        https://bugs.webkit.org/show_bug.cgi?id=170800

        Reviewed by Carlos Alberto Lopez Perez.

        This patch drops MachineContext use if it is not available.
        This situation can be considered like, building WebKit with musl.
        In that case, we simply disable features that rely on MachineContext.
        Examples are wasm fast memory, sampling profiler, and code profiling.

        * runtime/Options.cpp:
        (JSC::overrideDefaults):
        * tools/CodeProfiling.cpp:
        (JSC::CodeProfiling::begin):
        (JSC::CodeProfiling::end):
        Previously, PLATFORM(GTK) is excluded. But it is not obvious why it is excluded.
        This patch just includes such platforms.

        * wasm/WasmFaultSignalHandler.cpp:
        (JSC::Wasm::enableFastMemory):

2017-04-12  Dan Bernstein  <mitz@apple.com>

        [Mac] Future-proof .xcconfig files
        https://bugs.webkit.org/show_bug.cgi?id=170802

        Reviewed by Tim Horton.

        * Configurations/Base.xcconfig:
        * Configurations/DebugRelease.xcconfig:
        * Configurations/FeatureDefines.xcconfig:
        * Configurations/Version.xcconfig:

2017-04-12  Joseph Pecoraro  <pecoraro@apple.com>

        test262: test262/test/built-ins/NativeErrors/EvalError/proto.js
        https://bugs.webkit.org/show_bug.cgi?id=170668

        Reviewed by Keith Miller.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        The [[Prototype]] of NativeError Constructor's should be the %Error%.
        https://tc39.github.io/ecma262/#sec-properties-of-the-nativeerror-constructors

2017-04-12  Joseph Pecoraro  <pecoraro@apple.com>

        test262: test262/test/language/literals/regexp/u-dec-esc.js
        https://bugs.webkit.org/show_bug.cgi?id=170687

        Reviewed by Michael Saboff.

        * yarr/YarrParser.h:
        (JSC::Yarr::Parser::parseEscape):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPattern::errorMessage):
        (JSC::Yarr::YarrPattern::compile):
        * yarr/YarrPattern.h:
        In unicoe patterns, invalid backreferences are an error.

2017-04-12  Filip Pizlo  <fpizlo@apple.com>

        Move common stack allocation utilities out of AirAllocateStackByGraphColoring.cpp
        https://bugs.webkit.org/show_bug.cgi?id=170799

        Reviewed by Michael Saboff and Keith Miller.
        
        When I added stack allocation to allocateRegistersByLinearScan, I reused a handful of
        utility functions from AirAllocateStackByGraphColoring.cpp. I accomplished this by
        putting their declarations in AirAllocateStackByGraphColoring.h.
        
        That was pretty weird.
        
        This patch moves a family of stack allocation helper functions out of
        AirAllocateStackByGraphColoring.cpp and into the new AirStackAllocation.h|cpp. The
        linear scan stack allocator no longer has to include the other stack allocator's
        header, which addresses my OCD.
        
        I moved the functions transitively reachable from the two functions that the linear
        scan allocator needed. This forced me to give them better names (i.e. no "fooBarImpl")
        and short descriptive comments. I think that such comments are useful in code that is
        doing a convoluted version of some theoretical concept.
        
        No behavior change.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
        * b3/air/AirAllocateStackByGraphColoring.cpp:
        (JSC::B3::Air::allocateStackByGraphColoring):
        (JSC::B3::Air::allocateEscapedStackSlots): Deleted.
        (JSC::B3::Air::updateFrameSizeBasedOnStackSlots): Deleted.
        * b3/air/AirAllocateStackByGraphColoring.h:
        * b3/air/AirStackAllocation.cpp: Added.
        (JSC::B3::Air::attemptAssignment):
        (JSC::B3::Air::assign):
        (JSC::B3::Air::allocateAndGetEscapedStackSlotsWithoutChangingFrameSize):
        (JSC::B3::Air::allocateEscapedStackSlots):
        (JSC::B3::Air::updateFrameSizeBasedOnStackSlots):
        * b3/air/AirStackAllocation.h: Added.

2017-04-12  Filip Pizlo  <fpizlo@apple.com>

        B3 -O1 should not allocateStackByGraphColoring
        https://bugs.webkit.org/show_bug.cgi?id=170742

        Reviewed by Keith Miller.
        
        One of B3 -O1's longest running phases is allocateStackByGraphColoring. One approach to
        this would be to make that phase cheaper. But it's weird that this phase reruns
        liveness after register allocation already ran liveness. If only it could reuse the
        liveness computed by register allocation then it would run a lot faster. At -O2, we do
        not want this, since we run phases between register allocation and stack allocation,
        and those phases are free to change the liveness of spill slots (in fact,
        fixObviousSpills will both shorten and lengthen live ranges because of load and store
        elimination, respectively). But at -O1, we don't really need to run any phases between
        register and stack allocation.
        
        This changes Air's backend in the following ways:
        
        - Linear scan does stack allocation. This means that we don't need to run
          allocateStackByGraphColoring at all. In reality, we reuse some of its innards, but
          we don't run the expensive part of it (liveness->interference->coalescing->coloring).
          This is a speed-up because we only run liveness once and reuse it for both register
          and stack allocation.
        
        - Phases that previously ran between register and stack allocation are taken care of,
          each in its own special way:
          
          -> handleCalleSaves: this is now a utility function called by both
             allocateStackByGraphColoring and allocateRegistersAndStackByLinearScan.
          
          -> fixObviousSpills: we didn't run this at -O1, so nothing needs to be done.
          
          -> lowerAfterRegAlloc: this needed to be able to run before stack allocation because
             it could change register usage (vis a vis callee saves) and it could introduce
             spill slots. I changed this phase to have a secondary mode for when it runs after
             stack allocation.
        
        - The part of allocateStackByGraphColoring that lowered stack addresses and took care
          of the call arg area is now a separate phase called lowerStackArgs. We run this phase
          regardless of optimization level. It's a cheap and general lowering.
        
        This also removes spillEverything, because we never use that phase, we never test it,
        and it got in the way in this refactoring.
        
        This is a 21% speed-up on wasm -O1 compile times. This does not significantly change
        -O1 throughput. We had already disabled allocateStack's most important optimization
        (spill coalescing). This probably regresses average stack frame size, but I didn't
        measure by how much. Stack frame size is really not that important. The algorithm in
        allocateStackByGraphColoring is about much more than optimal frame size; it also
        tries to avoid having to zero-extend 32-bit spills, it kills dead code, and of course
        it coalesces.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3Procedure.cpp:
        (JSC::B3::Procedure::calleeSaveRegisterAtOffsetList):
        (JSC::B3::Procedure::calleeSaveRegisters): Deleted.
        * b3/B3Procedure.h:
        * b3/B3StackmapGenerationParams.cpp:
        (JSC::B3::StackmapGenerationParams::unavailableRegisters):
        * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp: Copied from Source/JavaScriptCore/b3/air/AirAllocateRegistersByLinearScan.cpp.
        (JSC::B3::Air::allocateRegistersAndStackByLinearScan):
        (JSC::B3::Air::allocateRegistersByLinearScan): Deleted.
        * b3/air/AirAllocateRegistersAndStackByLinearScan.h: Copied from Source/JavaScriptCore/b3/air/AirAllocateRegistersByLinearScan.h.
        * b3/air/AirAllocateRegistersByLinearScan.cpp: Removed.
        * b3/air/AirAllocateRegistersByLinearScan.h: Removed.
        * b3/air/AirAllocateStackByGraphColoring.cpp:
        (JSC::B3::Air::allocateEscapedStackSlots):
        (JSC::B3::Air::updateFrameSizeBasedOnStackSlots):
        (JSC::B3::Air::allocateStackByGraphColoring):
        * b3/air/AirAllocateStackByGraphColoring.h:
        * b3/air/AirArg.cpp:
        (JSC::B3::Air::Arg::stackAddr):
        * b3/air/AirArg.h:
        (JSC::B3::Air::Arg::stackAddr): Deleted.
        * b3/air/AirCode.cpp:
        (JSC::B3::Air::Code::addStackSlot):
        (JSC::B3::Air::Code::setCalleeSaveRegisterAtOffsetList):
        (JSC::B3::Air::Code::calleeSaveRegisterAtOffsetList):
        (JSC::B3::Air::Code::dump):
        * b3/air/AirCode.h:
        (JSC::B3::Air::Code::setStackIsAllocated):
        (JSC::B3::Air::Code::stackIsAllocated):
        (JSC::B3::Air::Code::calleeSaveRegisters):
        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::prepareForGeneration):
        (JSC::B3::Air::generate):
        * b3/air/AirHandleCalleeSaves.cpp:
        (JSC::B3::Air::handleCalleeSaves):
        * b3/air/AirHandleCalleeSaves.h:
        * b3/air/AirLowerAfterRegAlloc.cpp:
        (JSC::B3::Air::lowerAfterRegAlloc):
        * b3/air/AirLowerStackArgs.cpp: Added.
        (JSC::B3::Air::lowerStackArgs):
        * b3/air/AirLowerStackArgs.h: Added.
        * b3/testb3.cpp:
        (JSC::B3::testPinRegisters):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * jit/RegisterAtOffsetList.h:
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::parseAndCompile):

2017-04-12  Michael Saboff  <msaboff@apple.com>

        Implement Object.isFrozen() and Object.isSealed() per ECMA spec
        https://bugs.webkit.org/show_bug.cgi?id=170753

        Reviewed by Mark Lam.

        * runtime/ObjectConstructor.cpp:
        (JSC::testIntegrityLevel): Added local helper as described in the ECMA standard.

        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        Eliminated incomplete special handling of JSFinalObjects.

        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
        Refactored to use the new testIntegrityLevel() helper.

2017-04-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        Use HAVE(MACHINE_CONTEXT) instead of USE(MACHINE_CONTEXT)
        https://bugs.webkit.org/show_bug.cgi?id=170770

        Rubber stamped by Mark Lam.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::MachineThread::Registers::framePointer):
        (JSC::MachineThreads::MachineThread::Registers::instructionPointer):
        (JSC::MachineThreads::MachineThread::Registers::llintPC):
        * runtime/MachineContext.h:
        (JSC::MachineContext::stackPointer):
        (JSC::MachineContext::framePointer):
        (JSC::MachineContext::instructionPointer):
        (JSC::MachineContext::argumentPointer<1>):
        (JSC::MachineContext::llintInstructionPointer):

2017-04-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Clean up heap/MachineStackMarker by introducing USE(MACHINE_CONTEXT)
        https://bugs.webkit.org/show_bug.cgi?id=170770

        Reviewed by Mark Lam.

        We use USE(MACHINE_CONTEXT) to clean up runtime/MachineContext.h. And
        we clean up heap/MachineStackMarker.cpp by using MachineContext functions.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::MachineThread::Registers::stackPointer):
        (JSC::MachineThreads::MachineThread::Registers::framePointer):
        (JSC::MachineThreads::MachineThread::Registers::instructionPointer):
        (JSC::MachineThreads::MachineThread::Registers::llintPC):
        * heap/MachineStackMarker.h:
        * runtime/MachineContext.h:
        (JSC::MachineContext::stackPointer):
        (JSC::MachineContext::framePointer):
        (JSC::MachineContext::instructionPointer):
        (JSC::MachineContext::argumentPointer<1>):
        (JSC::MachineContext::llintInstructionPointer):

2017-04-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Introduce Thread class and use RefPtr<Thread> and align Windows Threading implementation semantics to Pthread one
        https://bugs.webkit.org/show_bug.cgi?id=170502

        Reviewed by Mark Lam.

        * API/tests/CompareAndSwapTest.cpp:
        (testCompareAndSwap):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/air/testair.cpp:
        * b3/testb3.cpp:
        (JSC::B3::run):
        * bytecode/SuperSampler.cpp:
        (JSC::initializeSuperSampler):
        * dfg/DFGWorklist.cpp:
        * disassembler/Disassembler.cpp:
        * heap/Heap.cpp:
        (JSC::Heap::lastChanceToFinalize):
        (JSC::Heap::notifyIsSafeToCollect):
        * heap/Heap.h:
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::~MachineThreads):
        (JSC::MachineThreads::addCurrentThread):
        (JSC::MachineThreads::removeThread):
        (JSC::MachineThreads::removeThreadIfFound):
        (JSC::MachineThreads::MachineThread::MachineThread):
        (JSC::MachineThreads::MachineThread::getRegisters):
        (JSC::MachineThreads::MachineThread::Registers::stackPointer):
        (JSC::MachineThreads::MachineThread::Registers::framePointer):
        (JSC::MachineThreads::MachineThread::Registers::instructionPointer):
        (JSC::MachineThreads::MachineThread::Registers::llintPC):
        (JSC::MachineThreads::MachineThread::captureStack):
        (JSC::MachineThreads::tryCopyOtherThreadStack):
        (JSC::MachineThreads::tryCopyOtherThreadStacks):
        (pthreadSignalHandlerSuspendResume): Deleted.
        (JSC::threadData): Deleted.
        (JSC::MachineThreads::Thread::Thread): Deleted.
        (JSC::MachineThreads::Thread::createForCurrentThread): Deleted.
        (JSC::MachineThreads::Thread::operator==): Deleted.
        (JSC::MachineThreads::machineThreadForCurrentThread): Deleted.
        (JSC::MachineThreads::ThreadData::ThreadData): Deleted.
        (JSC::MachineThreads::ThreadData::~ThreadData): Deleted.
        (JSC::MachineThreads::ThreadData::suspend): Deleted.
        (JSC::MachineThreads::ThreadData::resume): Deleted.
        (JSC::MachineThreads::ThreadData::getRegisters): Deleted.
        (JSC::MachineThreads::ThreadData::Registers::stackPointer): Deleted.
        (JSC::MachineThreads::ThreadData::Registers::framePointer): Deleted.
        (JSC::MachineThreads::ThreadData::Registers::instructionPointer): Deleted.
        (JSC::MachineThreads::ThreadData::Registers::llintPC): Deleted.
        (JSC::MachineThreads::ThreadData::freeRegisters): Deleted.
        (JSC::MachineThreads::ThreadData::captureStack): Deleted.
        * heap/MachineStackMarker.h:
        (JSC::MachineThreads::MachineThread::suspend):
        (JSC::MachineThreads::MachineThread::resume):
        (JSC::MachineThreads::MachineThread::threadID):
        (JSC::MachineThreads::MachineThread::stackBase):
        (JSC::MachineThreads::MachineThread::stackEnd):
        (JSC::MachineThreads::threadsListHead):
        (JSC::MachineThreads::Thread::operator!=): Deleted.
        (JSC::MachineThreads::Thread::suspend): Deleted.
        (JSC::MachineThreads::Thread::resume): Deleted.
        (JSC::MachineThreads::Thread::getRegisters): Deleted.
        (JSC::MachineThreads::Thread::freeRegisters): Deleted.
        (JSC::MachineThreads::Thread::captureStack): Deleted.
        (JSC::MachineThreads::Thread::platformThread): Deleted.
        (JSC::MachineThreads::Thread::stackBase): Deleted.
        (JSC::MachineThreads::Thread::stackEnd): Deleted.
        * jit/ICStats.cpp:
        (JSC::ICStats::ICStats):
        (JSC::ICStats::~ICStats):
        * jit/ICStats.h:
        * jsc.cpp:
        (functionDollarAgentStart):
        (startTimeoutThreadIfNeeded):
        * runtime/JSLock.cpp:
        (JSC::JSLock::lock):
        * runtime/JSLock.h:
        (JSC::JSLock::ownerThread):
        (JSC::JSLock::currentThreadIsHoldingLock):
        * runtime/SamplingProfiler.cpp:
        (JSC::FrameWalker::isValidFramePointer):
        (JSC::SamplingProfiler::SamplingProfiler):
        (JSC::SamplingProfiler::createThreadIfNecessary):
        (JSC::SamplingProfiler::takeSample):
        * runtime/SamplingProfiler.h:
        * runtime/VM.h:
        (JSC::VM::ownerThread):
        * runtime/VMTraps.cpp:
        (JSC::findActiveVMAndStackBounds):
        (JSC::VMTraps::SignalSender::send):
        (JSC::VMTraps::fireTrap):

2017-04-11  Dean Jackson  <dino@apple.com>

        Disable outdated WritableStream API
        https://bugs.webkit.org/show_bug.cgi?id=170749
        <rdar://problem/31446233>

        Reviewed by Tim Horton.

        The API we implement is no longer accurate. Disable it until we
        are compatible with the new specification

        * Configurations/FeatureDefines.xcconfig:

2017-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, build fix for CF ports after r215241
        https://bugs.webkit.org/show_bug.cgi?id=170725

        * heap/GCActivityCallback.cpp:
        (JSC::GCActivityCallback::nextFireTime):

2017-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WebCore][JSC] ResourceUsageData.{timeOfNextEdenCollection,timeOfNextFullCollection} should be MonotonicTime
        https://bugs.webkit.org/show_bug.cgi?id=170725

        Reviewed by Sam Weinig.

        This patch makes GCActivityCallback return MonotonicTime instead of raw double value.

        * heap/GCActivityCallback.cpp:
        (JSC::GCActivityCallback::nextFireTime):
        * heap/GCActivityCallback.h:

2017-04-11  Guillaume Emont  <guijemont@igalia.com>

        [jsc] Add missing MacroAssemblerMIPS::or32() implementation
        https://bugs.webkit.org/show_bug.cgi?id=169714

        Reviewed by Michael Catanzaro.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::or32):
        Added or32(TrustedImm32, Address).

2017-04-11  Joseph Pecoraro  <pecoraro@apple.com>

        test262: test262/test/annexB/language/comments/multi-line-html-close.js
        https://bugs.webkit.org/show_bug.cgi?id=170648

        Reviewed by Keith Miller.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::lex):
        A multi-line comment that contains a line terminator is itself treated
        like a line terminator. An HTML Close Comment that comes after it can
        therefore treat it like it is at the start of a line, because it was
        immediately preceeded by the equivalent of a line terminator.

2017-04-11  Joseph Pecoraro  <pecoraro@apple.com>

        test262: test262/test/built-ins/Array/S15.4.3_A2.2.js
        https://bugs.webkit.org/show_bug.cgi?id=170652

        Reviewed by Michael Saboff.

        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::finishCreation):
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::finishCreation):
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::finishCreation):
        * runtime/FunctionConstructor.cpp:
        (JSC::FunctionConstructor::finishCreation):
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::JSArrayBufferConstructor::finishCreation):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::finishCreation):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::finishCreation):
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::finishCreation):
        * runtime/SymbolConstructor.cpp:
        (JSC::SymbolConstructor::finishCreation):
        Ensure the "length" property on these native constructors is configurable (deletable).

2017-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, build fix for Windows after r215228 part 2
        https://bugs.webkit.org/show_bug.cgi?id=170723

        Since GCActivityCallback class is annotated exported, we do not need to annotate each member.

        * heap/GCActivityCallback.h:

2017-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC][GTK] Use RunLoop::Timer in GTK port
        https://bugs.webkit.org/show_bug.cgi?id=170723

        Reviewed by Carlos Garcia Campos.

        This patch makes GTK port use RunLoop::Timer for JSRunLoopTimer.
        Only Cocoa-based ports use platform-specific Timer because it
        has additional feature that changes RunLoop to the WebThread one.

        And we enable Heap timers in all the ports including JSCOnly port.

        * heap/EdenGCActivityCallback.cpp:
        (JSC::EdenGCActivityCallback::lastGCLength):
        * heap/EdenGCActivityCallback.h:
        * heap/FullGCActivityCallback.cpp:
        (JSC::FullGCActivityCallback::lastGCLength):
        * heap/FullGCActivityCallback.h:
        * heap/GCActivityCallback.cpp:
        (JSC::GCActivityCallback::GCActivityCallback):
        (JSC::GCActivityCallback::doWork):
        (JSC::GCActivityCallback::scheduleTimer):
        (JSC::GCActivityCallback::cancelTimer):
        (JSC::GCActivityCallback::nextFireTime):
        (JSC::GCActivityCallback::didAllocate):
        * heap/GCActivityCallback.h:
        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::doWork):
        (JSC::IncrementalSweeper::doSweep):
        * heap/IncrementalSweeper.h:
        * heap/StopIfNecessaryTimer.cpp:
        (JSC::StopIfNecessaryTimer::scheduleSoon):
        * runtime/JSRunLoopTimer.cpp:
        (JSC::JSRunLoopTimer::setRunLoop):
        (JSC::JSRunLoopTimer::scheduleTimer):
        (JSC::JSRunLoopTimer::cancelTimer):
        (JSC::JSRunLoopTimer::JSRunLoopTimer):
        (JSC::JSRunLoopTimer::~JSRunLoopTimer):
        (JSC::JSRunLoopTimer::timerDidFireCallback):
        * runtime/JSRunLoopTimer.h:
        * runtime/PromiseDeferredTimer.cpp:
        (JSC::PromiseDeferredTimer::scheduleWorkSoon):

2017-04-11  Guillaume Emont  <guijemont@igalia.com>

        [jsc][mips] Add missing MacroAssembler functions after r214187
        https://bugs.webkit.org/show_bug.cgi?id=170089

        Reviewed by Yusuke Suzuki.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::loadFloat): Added.
        (JSC::MacroAssemblerMIPS::storeFloat): Added.

2017-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Enable JSRunLoopTimer for JSCOnly and Windows
        https://bugs.webkit.org/show_bug.cgi?id=170655

        Reviewed by Carlos Garcia Campos.

        * runtime/JSRunLoopTimer.cpp:
        (JSC::JSRunLoopTimer::JSRunLoopTimer):
        (JSC::JSRunLoopTimer::scheduleTimer):
        (JSC::JSRunLoopTimer::cancelTimer):
        * runtime/JSRunLoopTimer.h:

2017-04-10  Alex Christensen  <achristensen@webkit.org>

        Revert r215217
        https://bugs.webkit.org/show_bug.cgi?id=170703

        * Configurations/FeatureDefines.xcconfig:

2017-04-10  Alex Christensen  <achristensen@webkit.org>

        Continue enabling WebRTC
        https://bugs.webkit.org/show_bug.cgi?id=170703

        Reviewed by Youenn Fablet.

        * Configurations/FeatureDefines.xcconfig:

2017-04-10  Mark Lam  <mark.lam@apple.com>

        Move ProbeContext and ProbeFunction out of AbstractMacroAssembler.
        https://bugs.webkit.org/show_bug.cgi?id=170681

        Reviewed by Michael Saboff.

        This is a refactoring step towards enabling custom probe printers the way printInternal() works for dataLog.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::ProbeContext::gpr): Deleted.
        (JSC::AbstractMacroAssembler::ProbeContext::fpr): Deleted.
        (JSC::AbstractMacroAssembler::ProbeContext::gprName): Deleted.
        (JSC::AbstractMacroAssembler::ProbeContext::fprName): Deleted.
        * assembler/MacroAssembler.cpp:
        (JSC::stdFunctionCallback):
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssembler.h:
        (JSC::ProbeContext::gpr):
        (JSC::ProbeContext::fpr):
        (JSC::ProbeContext::gprName):
        (JSC::ProbeContext::fprName):
        * assembler/MacroAssemblerARM.cpp:
        (JSC::MacroAssemblerARM::probe):
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::arm64ProbeTrampoline):
        (JSC::MacroAssemblerARM64::probe):
        * assembler/MacroAssemblerARMv7.cpp:
        (JSC::MacroAssemblerARMv7::probe):
        * assembler/MacroAssemblerPrinter.cpp:
        * assembler/MacroAssemblerPrinter.h:
        * assembler/MacroAssemblerX86Common.cpp:
        (JSC::MacroAssemblerX86Common::probe):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::abstractStructure):
        (JSC::FTL::DFG::LowerDFGToB3::probe): Deleted.
        - Deleted because this became a useless place-holder after the transition to B3.

2017-04-10  Keith Miller  <keith_miller@apple.com>

        WebAssembly: Fix B3IRGenerator for BrTable
        https://bugs.webkit.org/show_bug.cgi?id=170685

        Reviewed by JF Bastien.

        For some reason this didn't get included in r215141.

        This fixes an issue with BrTable and loops where we would use the loop's return type
        as the branch target type.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::ControlData::resultForBranch):
        (JSC::Wasm::B3IRGenerator::unifyValuesWithBlock):

2017-04-08  Oliver Hunt  <oliver@apple.com>

        Remove use of strcpy from JSC
        https://bugs.webkit.org/show_bug.cgi?id=170646

        Reviewed by Mark Lam.

        Replace the use of strcpy with memcpy as strcpy keeps
        on tripping various analyser warnings even though its
        trivially safe in this case.

        Essentially code hygiene, no change in behaviour, no
        perf impact.

        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::dumpDisassembly):

2017-04-09  Joseph Pecoraro  <pecoraro@apple.com>

        test262: test262/test/annexB/language/expressions/object/__proto__-fn-name.js
        https://bugs.webkit.org/show_bug.cgi?id=170650

        Reviewed by Saam Barati.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseClass):
        (JSC::Parser<LexerType>::parseProperty):
        There needs to be special handling of:
        
          PropertyDefinition :  PropertyName ':' AssignmentExpression
         
        When the property name is __proto__. In this case the
        SetFunctionName path does not happen, so the name "__proto__"
        is not inferred on any anonymous function. See:
        https://tc39.github.io/ecma262/#sec-__proto__-property-names-in-object-initializers

        * parser/Parser.h:
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createProperty):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createProperty):
        Add an extra parameter to see if inferring / setting names are allowed.

2017-04-09  Joseph Pecoraro  <pecoraro@apple.com>

        test262: test262/test/annexB/language/literals/regexp/identity-escape.js
        https://bugs.webkit.org/show_bug.cgi?id=170651

        Reviewed by Saam Barati.

        * yarr/YarrParser.h:
        (JSC::Yarr::Parser::parseEscape):
        For \8 and \9 match just the number "8" or "9" instead of both "\\" and the number.
        See: https://tc39.github.io/ecma262/#sec-decimalescape

2017-04-08  Youenn Fablet  <youenn@apple.com>

        WebRTC tests gardening
        https://bugs.webkit.org/show_bug.cgi?id=170508

        Reviewed by Eric Carlson.

        * Configurations/FeatureDefines.xcconfig:

2017-04-07  Keith Miller  <keith_miller@apple.com>

        WebAssembly: Fix issue with BrTable targeting a Loop
        https://bugs.webkit.org/show_bug.cgi?id=170638

        Reviewed by Saam Barati.

        This fixes the same issue V8 had in: https://github.com/WebAssembly/spec/pull/456#event-1033547537

        * wasm/WasmValidate.cpp:
        (JSC::Wasm::Validate::ControlData::branchTargetSignature):

2017-04-07  Keith Miller  <keith_miller@apple.com>

        Add a PriorityQueue class
        https://bugs.webkit.org/show_bug.cgi?id=170579

        Reviewed by Saam Barati.

        Update Wasm::Worklist to use WTF::PriorityQueue.

        * wasm/WasmWorklist.cpp:
        (JSC::Wasm::Worklist::enqueue):
        (JSC::Wasm::Worklist::completePlanSynchronously):
        (JSC::Wasm::Worklist::stopAllPlansForVM):
        (JSC::Wasm::Worklist::~Worklist):
        (JSC::Wasm::Worklist::iterate): Deleted.
        * wasm/WasmWorklist.h:
        (JSC::Wasm::Worklist::isHigherPriority):
        (JSC::Wasm::Worklist::Comparator::operator()): Deleted.

2017-04-07  Yuichiro Kikura  <y.kikura@gmail.com>

        WebGPU: implement ComputeCommandEncoder and related components
        https://bugs.webkit.org/show_bug.cgi?id=170444

        Reviewed by Alex Christensen.

        I added some identifiers related with WebGPUComputeCommandEncoder based on the proposal.
        https://webkit.org/wp-content/uploads/webgpu-api-proposal.html

        * runtime/CommonIdentifiers.h:

2017-04-07  Saam Barati  <sbarati@apple.com>

        WebAssembly: Module::getOrCreateCodeBlock is wrong
        https://bugs.webkit.org/show_bug.cgi?id=170612

        Reviewed by Keith Miller.

        When we were getting a module's CodeBlock, we were checking if !runnable(),
        and if !runnable(), we were re-creating the CodeBlock. This is wrong, since
        !runnable() is true while the CodeBlock is compiling. Instead, we should check
        if we've finished compiling, and if so, if that compilation failed.

        * wasm/WasmModule.cpp:
        (JSC::Wasm::Module::getOrCreateCodeBlock):

2017-04-07  Saam Barati  <sbarati@apple.com>

        WebAssembly: Make to a compilation API that allows for multi-VM concurrent compilations of Wasm Modules
        https://bugs.webkit.org/show_bug.cgi?id=170488

        Reviewed by JF Bastien.

        This patch adds a class called Wasm::Module. It contains the bits from
        JSWebAssemblyModule that were not VM specific. JSWebAssemblyModule
        now has a Ref<Wasm::Module>. Similarly, there is now a Wasm::CodeBlock,
        which owns the non-VM-specific bits that JSWebAssemblyCodeBlock used
        to own.
        
        This patch also simplifies how we verify and compile code. Wasm::Module
        now has an API for both sync/async validation and compilation. This
        API abstracts away how Wasm::Plan works.
        
        This is hopefully the last patch needed before we can implement
        window.postMessage for a JSWebAssemblyModule. I think all that's
        needed now to implement postMessage is simply creating a new
        JSWebAssemblyModule with the underlying Wasm::Module.
        
        This patch is neutral on WasmBench.
        
        Finally, this patch changes the promise deferred timer to
        allow for new tasks to be added while we're executing
        a task. Before, we'd deadlock if this happened.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jsc.cpp:
        (functionTestWasmModuleFunctions):
        * runtime/PromiseDeferredTimer.cpp:
        (JSC::PromiseDeferredTimer::doWork):
        (JSC::PromiseDeferredTimer::scheduleWorkSoon):
        * runtime/PromiseDeferredTimer.h:
        * wasm/WasmB3IRGenerator.cpp:
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToJs):
        (JSC::Wasm::wasmToWasm):
        (JSC::Wasm::exitStubGenerator): Deleted.
        * wasm/WasmBinding.h:
        * wasm/WasmCodeBlock.cpp: Added.
        (JSC::Wasm::CodeBlock::CodeBlock):
        (JSC::Wasm::CodeBlock::waitUntilFinished):
        (JSC::Wasm::CodeBlock::compileAsync):
        (JSC::Wasm::CodeBlock::isSafeToRun):
        * wasm/WasmCodeBlock.h: Added.
        (JSC::Wasm::CodeBlock::create):
        (JSC::Wasm::CodeBlock::compilationFinished):
        (JSC::Wasm::CodeBlock::runnable):
        (JSC::Wasm::CodeBlock::errorMessage):
        (JSC::Wasm::CodeBlock::functionImportCount):
        (JSC::Wasm::CodeBlock::jsEntrypointCalleeFromFunctionIndexSpace):
        (JSC::Wasm::CodeBlock::wasmEntrypointCalleeFromFunctionIndexSpace):
        * wasm/WasmModule.cpp: Added.
        (JSC::Wasm::Module::Module):
        (JSC::Wasm::makeValidationResult):
        (JSC::Wasm::Module::validateSyncImpl):
        (JSC::Wasm::Module::getOrCreateCodeBlock):
        (JSC::Wasm::Module::compileSync):
        (JSC::Wasm::Module::makeValidationCallback):
        (JSC::Wasm::Module::compileAsync):
        * wasm/WasmModule.h: Added.
        (JSC::Wasm::Module::create):
        (JSC::Wasm::Module::validateSync):
        (JSC::Wasm::Module::validateAsync):
        (JSC::Wasm::Module::signatureIndexFromFunctionIndexSpace):
        (JSC::Wasm::Module::moduleInformation):
        (JSC::Wasm::Module::nonNullCodeBlock):
        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::Plan):
        (JSC::Wasm::Plan::addCompletionTask):
        (JSC::Wasm::Plan::prepare):
        (JSC::Wasm::Plan::compileFunctions):
        (JSC::Wasm::Plan::complete):
        (JSC::Wasm::Plan::tryRemoveVMAndCancelIfLast):
        (JSC::Wasm::Plan::cancel): Deleted.
        * wasm/WasmPlan.h:
        (JSC::Wasm::Plan::dontFinalize):
        (JSC::Wasm::Plan::takeWasmToWasmExitStubs):
        (JSC::Wasm::Plan::mode):
        (JSC::Wasm::Plan::takeWasmExitStubs): Deleted.
        (JSC::Wasm::Plan::vm): Deleted.
        * wasm/WasmWorklist.cpp:
        (JSC::Wasm::Worklist::stopAllPlansForVM):
        * wasm/js/JSWebAssemblyCodeBlock.cpp:
        (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
        (JSC::JSWebAssemblyCodeBlock::isSafeToRun):
        (JSC::JSWebAssemblyCodeBlock::initialize): Deleted.
        * wasm/js/JSWebAssemblyCodeBlock.h:
        (JSC::JSWebAssemblyCodeBlock::create):
        (JSC::JSWebAssemblyCodeBlock::functionImportCount):
        (JSC::JSWebAssemblyCodeBlock::jsEntrypointCalleeFromFunctionIndexSpace):
        (JSC::JSWebAssemblyCodeBlock::wasmEntrypointCalleeFromFunctionIndexSpace):
        (JSC::JSWebAssemblyCodeBlock::wasmToJsCallStubForImport):
        (JSC::JSWebAssemblyCodeBlock::mode): Deleted.
        (JSC::JSWebAssemblyCodeBlock::initialized): Deleted.
        (JSC::JSWebAssemblyCodeBlock::plan): Deleted.
        (JSC::JSWebAssemblyCodeBlock::runnable): Deleted.
        (JSC::JSWebAssemblyCodeBlock::errorMessage): Deleted.
        (JSC::JSWebAssemblyCodeBlock::setJSEntrypointCallee): Deleted.
        (JSC::JSWebAssemblyCodeBlock::setWasmEntrypointCallee): Deleted.
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::finalizeCreation):
        (JSC::JSWebAssemblyInstance::addUnitializedCodeBlock): Deleted.
        * wasm/js/JSWebAssemblyInstance.h:
        (JSC::JSWebAssemblyInstance::initialized): Deleted.
        * wasm/js/JSWebAssemblyModule.cpp:
        (JSC::JSWebAssemblyModule::createStub):
        (JSC::JSWebAssemblyModule::JSWebAssemblyModule):
        (JSC::JSWebAssemblyModule::finishCreation):
        * wasm/js/JSWebAssemblyModule.h:
        (JSC::JSWebAssemblyModule::moduleInformation):
        (JSC::JSWebAssemblyModule::signatureIndexFromFunctionIndexSpace):
        (JSC::JSWebAssemblyModule::module):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::WebAssemblyFunction::create):
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::constructJSWebAssemblyInstance):
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        (JSC::WebAssemblyModuleConstructor::createModule):
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::reject):
        (JSC::webAssemblyCompileFunc):
        (JSC::resolve):
        (JSC::instantiate):
        (JSC::compileAndInstantiate):
        (JSC::webAssemblyValidateFunc):

2017-04-07  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GTK] Update the priorities used in glib main loop sources
        https://bugs.webkit.org/show_bug.cgi?id=170457

        Reviewed by Žan Doberšek.

        * runtime/JSRunLoopTimer.cpp:
        (JSC::JSRunLoopTimer::JSRunLoopTimer):

2017-04-06  Filip Pizlo  <fpizlo@apple.com>

        Rename allocateStack to allocateStackByGraphColoring.

        Rubber stamped by Saam Barati.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/air/AirAllocateStack.cpp: Removed.
        * b3/air/AirAllocateStack.h: Removed.
        * b3/air/AirAllocateStackByGraphColoring.cpp: Copied from Source/JavaScriptCore/b3/air/AirAllocateStack.cpp.
        (JSC::B3::Air::allocateStackByGraphColoring):
        (JSC::B3::Air::allocateStack): Deleted.
        * b3/air/AirAllocateStackByGraphColoring.h: Copied from Source/JavaScriptCore/b3/air/AirAllocateStack.h.
        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::prepareForGeneration):

2017-04-06  Michael Saboff  <msaboff@apple.com>

        Cannot Object.seal() or Object.freeze() global "this"
        https://bugs.webkit.org/show_bug.cgi?id=170549

        Reviewed by Mark Lam.

        Needed to implement JSProxy::isExtensible() which returns the results of calling
        the same on wrapped object.

        Implemented step 11 of Runtime Semantics: EvalDeclarationInstantiation from the ECMAScript
        spec to properly return a TypeError object when attempting to add properties to a
        non-extensible global object.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::isExtensible):
        * runtime/JSProxy.h:

2017-04-06  Filip Pizlo  <fpizlo@apple.com>

        Linear scan should run liveness only once
        https://bugs.webkit.org/show_bug.cgi?id=170569

        Reviewed by Keith Miller.
        
        Air has a longstanding design bug that Tmps from different banks are indexed independently. This
        means that all of our analyses over Tmps do separate GP and FP passes. This does have some
        marginal benefits (the rest of the algorithm is specialized for Bank) but it's probably net bad.
        However, I don't want to think about solving that general problem.
        
        Instead, this just makes linear scan use a UnifiedTmpLiveness that uses a single "linear"
        indexing for GP and FP. This lets me avoid the much larger refactoring (which would involve
        substantial changes in graph coloring) while getting the bulk of the benefit (liveness runs once,
        instead of twice, for linear scan).
        
        This patch implements a lot of plumbing to make it possible for Liveness<> to view Tmps as having
        a unified indexing scheme. Tmp calls this LinearlyIndexed (to match the naming convention of
        AbsolutelyIndexed and Indexed), while AirLiveness calls this UnifiedTmpLiveness. With this
        change, -O1 never does any liveness analysis that uses separate GP and FP passes. I think this
        eliminates any urgency from the larger Tmp indexing bug. We can probably live with graph coloring
        doing separate passes.
        
        This is a ~6% speed-up for wasm -O1 compile times. I think this means that linear scan is no
        longer the longest pole in the tent.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3VariableLiveness.h:
        (JSC::B3::VariableLivenessAdapter::prepareToCompute):
        * b3/air/AirAllocateRegistersByLinearScan.cpp:
        (JSC::B3::Air::allocateRegistersByLinearScan):
        * b3/air/AirCode.h:
        (JSC::B3::Air::Code::forEachTmp):
        * b3/air/AirLiveness.h:
        * b3/air/AirLivenessAdapter.h:
        (JSC::B3::Air::LivenessAdapter::Actions::Actions):
        (JSC::B3::Air::LivenessAdapter::LivenessAdapter):
        (JSC::B3::Air::LivenessAdapter::adapter):
        (JSC::B3::Air::LivenessAdapter::prepareToCompute):
        (JSC::B3::Air::LivenessAdapter::actionsAt):
        (JSC::B3::Air::LivenessAdapter::forEachUse):
        (JSC::B3::Air::LivenessAdapter::forEachDef):
        (JSC::B3::Air::TmpLivenessAdapter::numIndices):
        (JSC::B3::Air::UnifiedTmpLivenessAdapter::UnifiedTmpLivenessAdapter):
        (JSC::B3::Air::UnifiedTmpLivenessAdapter::numIndices):
        (JSC::B3::Air::UnifiedTmpLivenessAdapter::acceptsBank):
        (JSC::B3::Air::UnifiedTmpLivenessAdapter::acceptsRole):
        (JSC::B3::Air::UnifiedTmpLivenessAdapter::valueToIndex):
        (JSC::B3::Air::UnifiedTmpLivenessAdapter::indexToValue):
        * b3/air/AirLivenessConstraints.h: Removed.
        * b3/air/AirRegLiveness.h:
        (JSC::B3::Air::RegLiveness::LocalCalc::LocalCalc):
        * b3/air/AirTmp.cpp:
        * b3/air/AirTmp.h:
        * b3/air/AirTmpInlines.h:
        (JSC::B3::Air::Tmp::LinearlyIndexed::LinearlyIndexed):
        (JSC::B3::Air::Tmp::LinearlyIndexed::index):
        (JSC::B3::Air::Tmp::linearlyIndexed):
        (JSC::B3::Air::Tmp::indexEnd):
        (JSC::B3::Air::Tmp::absoluteIndexEnd):
        (JSC::B3::Air::Tmp::linearIndexEnd):
        (JSC::B3::Air::Tmp::tmpForAbsoluteIndex):
        (JSC::B3::Air::Tmp::tmpForLinearIndex):
        * b3/air/AirTmpMap.h: Added.
        (JSC::B3::Air::TmpMap::TmpMap):
        (JSC::B3::Air::TmpMap::resize):
        (JSC::B3::Air::TmpMap::clear):
        (JSC::B3::Air::TmpMap::operator[]):
        (JSC::B3::Air::TmpMap::append):

2017-04-06  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r215046.

        This change broke internal builds.

        Reverted changeset:

        "WebRTC tests gardening"
        https://bugs.webkit.org/show_bug.cgi?id=170508
        http://trac.webkit.org/changeset/215046

2017-04-06  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Show all headers in the Request Headers section of the Resource details sidebar
        https://bugs.webkit.org/show_bug.cgi?id=16531
        <rdar://problem/5712895>

        Reviewed by Timothy Hatcher.

        * inspector/protocol/Network.json:
        Optional refined list of request headers in Metrics.

2017-04-06  Filip Pizlo  <fpizlo@apple.com>

        B3 -O1 should generate better code than -O0
        https://bugs.webkit.org/show_bug.cgi?id=170563

        Reviewed by Michael Saboff.
        
        Prior to this change, code generated by -O1 ran slower than code generated by -O0. This turned
        out to be because of reduceStrength optimizations that increase live ranges and create register
        pressure, which then creates problems for linear scan.
        
        It seemed obvious that canonicalizations that help isel, constant folding, and one-for-one
        strength reductions should stay. It also seemed obvious that SSA and CFG simplification are fast
        and harmless. So, I focused on removing:
        
        - CSE, which increases live ranges. This is a risky optimization when we know that we've chosen
          to use a bad register allocator.
        
        - Sophisticated strength reductions that create more code, like the insane division optimization.
        
        - Anything that inserts basic blocks.
        
        CSE appeared to be the cause of half of the throughput regression of -O1 but none of the compile
        time. This change also reduces the running time of reduceStrength by making it not a fixpoint at
        optLevel<2.
        
        This makes wasm -O1 compile 17% faster. This makes wasm -O1 run 19% faster. This makes -O1 code
        run 3% faster than -O0, and compile about 4% slower than -O0. We may yet end up choosing to use
        -O0, but at least now -O1 isn't totally useless.

        * b3/B3ReduceStrength.cpp:

2017-04-06  Jon Davis  <jond@apple.com>

        Updates feature status for recently shipped features
        https://bugs.webkit.org/show_bug.cgi?id=170359

        Reviewed by Brian Burg.

        Changed "Done" status to "Supported".

        * features.json:

2017-04-06  Youenn Fablet  <youenn@apple.com>

        WebRTC tests gardening
        https://bugs.webkit.org/show_bug.cgi?id=170508

        Reviewed by Eric Carlson.

        * Configurations/FeatureDefines.xcconfig:

2017-04-06  Guillaume Emont  <guijemont@igalia.com>

        [JSC][MIPS][DFG] Use x86 generic HasOwnProperty
        https://bugs.webkit.org/show_bug.cgi?id=170222

        Reviewed by Yusuke Suzuki.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        use the X86 special version for HasOwnProperty on MIPS too.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        use the X86 special version for HasOwnProperty on MIPS too.

2017-04-05  Saam Barati  <sbarati@apple.com>

        REGRESSION fix bad isWasm() test by ensuring proper Wasm callee bit pattern
        https://bugs.webkit.org/show_bug.cgi?id=170494
        <rdar://problem/31446485>

        Reviewed by Yusuke Suzuki and Mark Lam.

        This patch fixes how we test a 64 bit JSValue pattern to see if it's
        a Wasm callee. We now tag Wasm::Callee's with 0b011 in their lower 3 bits.
        The new test is for a Wasm Callee is as follows:
        isWasm(uint64_t x)
        {
            return x & 0xffff000000000007 == 3;
        }
        
        This test works because the lower 3 bits of the non-number immediate values are as follows:
        undefined: 0b010
        null:      0b010
        true:      0b111
        false:     0b110
        The test rejects all of these because none have just the value 3 in their lower 3 bits.
        The test also rejects all numbers, because they have non-zero upper 16 bits.
        The test also rejects normal cells because they won't have the number 3 as
        their lower 3 bits. Note, this bit pattern also allows the normal JSValue isCell(), etc,
        predicates to work on a Wasm::Callee because the various tests will fail if you
        bit casted a boxed Wasm::Callee* to a JSValue. isCell() would fail since it sees
        TagBitTypeOther. The other tests also trivially fail, since it won't be a number,
        and it won't be equal to null, undefined, true, or false. The isBoolean() predicate
        will fail because we won't have TagBitBool set.

        * interpreter/CallFrame.h:
        (JSC::ExecState::guaranteedJSValueCallee):
        (JSC::ExecState::calleeAsValue): Deleted.
        * interpreter/CalleeBits.h:
        (JSC::CalleeBits::boxWasm):
        (JSC::CalleeBits::isWasm):
        (JSC::CalleeBits::asWasmCallee):
        * jit/JITOperations.cpp:
        * runtime/JSCJSValue.h:

2017-04-05  Keith Miller  <keith_miller@apple.com>

        WebAssembly: Plans should be able to have more than one completion task.
        https://bugs.webkit.org/show_bug.cgi?id=170516

        Reviewed by Saam Barati.

        This patch also eliminates the need for blocked tasks on the
        PromiseDeferredTimer and pendingPromise on Wasm::Plan.

        * runtime/PromiseDeferredTimer.cpp:
        (JSC::PromiseDeferredTimer::doWork):
        (JSC::PromiseDeferredTimer::cancelPendingPromise):
        (JSC::PromiseDeferredTimer::scheduleBlockedTask): Deleted.
        * runtime/PromiseDeferredTimer.h:
        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::Plan):
        (JSC::Wasm::Plan::addCompletionTask):
        (JSC::Wasm::Plan::complete):
        * wasm/WasmPlan.h:
        (JSC::Wasm::Plan::setMode):
        (JSC::Wasm::Plan::mode):
        (JSC::Wasm::Plan::setModeAndPromise): Deleted.
        (JSC::Wasm::Plan::pendingPromise): Deleted.
        * wasm/WasmWorklist.cpp:
        (JSC::Wasm::Worklist::enqueue):
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::constructJSWebAssemblyInstance):
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::instantiate):

2017-04-05  Guilherme Iscaro  <iscaro@profusion.mobi>

        Do not use BLX for immediates (ARM-32)

        https://bugs.webkit.org/show_bug.cgi?id=170351

        Reviewed by Mark Lam.

        Currently the offline asm generator for 32-bit ARM code translates the
        'call' meta-instruction (which may be found in LowLevelInterpreter.asm
        and friends) to the ARM's BLX instrunction. The BLX instruction may be
        used for labels (immediates) and registers and one side effect of BLX
        is that it may switch the processor's instruction set.
        A 'BLX register' instruction will change/remain the processor state to
        ARM if the  register_bit[0] is set to 0 or change/remain to Thumb if
        register_bit[0] is set to 1. However, a 'BLX label' instruction will
        always switch the processor state. It switches ARM to thumb and vice-versa.
        This behaviour is unwanted, since the C++ code and the offlineasm generated code
        are both compiled using the same instruction set, thus a instruction
        set change will likely produce a crash. In order to fix the problem the
        BL instruction can be used for labels. It will branch just like BLX,
        but it won't change the instruction set. It's important to note that
        Darwin is not affected by this problem, thus to minimize the impact of
        this change the BL instruction will only be used on non-darwin targets.

        BLX reference: http://infocenter.arm.com/help/topic/com.arm.doc.dui0489i/CIHBJCDC.html?resultof=%22%62%6c%78%22%20

        * offlineasm/arm.rb:

2017-04-05  Keith Miller  <keith_miller@apple.com>

        WebAssembly: We shouldn't need to pin size registers if we have a fast memory.
        https://bugs.webkit.org/show_bug.cgi?id=170504

        Reviewed by Mark Lam.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::createJSToWasmWrapper):
        (JSC::Wasm::parseAndCompile):
        * wasm/WasmMemoryInformation.h:
        (JSC::Wasm::PinnedRegisterInfo::toSave):

2017-04-05  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Suppress warnings in GCC
        https://bugs.webkit.org/show_bug.cgi?id=170501

        Reviewed by Keith Miller.

        Should use ASSERT_NOT_REACHED since return-type pragma is only
        enabled under ASSERT_DISABLED environment. We shoud use
        ASSERT_NOTREACHED to emit assertions in debug build. It effectively
        catches bugs while keeping performance in release build.

        * b3/B3Opcode.cpp:
        (JSC::B3::storeOpcode):
        * b3/B3Width.h:
        (JSC::B3::mask):
        * runtime/Options.cpp:
        (JSC::parse):
        * wasm/WasmSections.h:
        (JSC::Wasm::makeString):
        * wasm/WasmSignature.cpp:
        (JSC::Wasm::SignatureInformation::tryCleanup):
        * wasm/generateWasmValidateInlinesHeader.py:

2017-04-05  Carlos Garcia Campos  <cgarcia@igalia.com>

        Implement PromiseDeferredTimer for non CF based ports
        https://bugs.webkit.org/show_bug.cgi?id=170391

        Reviewed by Yusuke Suzuki.

        RunLoop handling is only implemented for CF causing several wasm tests to fail for other ports.

        * jsc.cpp:
        (runJSC): Remove CF ifdefs.
        * runtime/PromiseDeferredTimer.cpp:
        (JSC::PromiseDeferredTimer::doWork): Add non CF implementation using WTF RunLoop.
        (JSC::PromiseDeferredTimer::runRunLoop): Ditto.
        * runtime/PromiseDeferredTimer.h:

2017-04-05  Carlos Garcia Campos  <cgarcia@igalia.com>

        WebAssembly: several tests added in r214504 crash when building with GCC
        https://bugs.webkit.org/show_bug.cgi?id=170390

        Reviewed by Saam Barati.

        The pattern foo->bar([f = WTFMove(foo)]{}); crashes when building with GCC, I assume the move happens before the
        foo is used to invoke the function.

        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::webAssemblyCompileFunc): Use p.vm() instead of plan->vm(), because plan is moved by the lambda.
        (JSC::instantiate): Ditto.
        (JSC::compileAndInstantiate): Ditto.

2017-03-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Generate TemplateObjects at linking time
        https://bugs.webkit.org/show_bug.cgi?id=169743

        Reviewed by Keith Miller.

        Currently, the code calls getTemplateObject to get appropriate template objects at runtime.
        But this template object is constant value and never changed. So instead of creating it
        at runtime, we should create it at linking time and store it in the constant registers.

        * builtins/BuiltinNames.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::setConstantRegisters):
        * bytecode/CodeBlock.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::shrinkToFit):
        * bytecode/UnlinkedCodeBlock.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addTemplateRegistryKeyConstant):
        (JSC::BytecodeGenerator::emitGetTemplateObject):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::TaggedTemplateNode::emitBytecode):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::getTemplateObject): Deleted.
        * runtime/JSTemplateRegistryKey.cpp:
        * runtime/JSTemplateRegistryKey.h:
        (JSC::isTemplateRegistryKey):

2017-04-04  Mark Lam  <mark.lam@apple.com>

        On ARM64, DFG::SpeculativeJIT::compileArithMod() failed to ensure result is of DataFormatInt32.
        https://bugs.webkit.org/show_bug.cgi?id=170473
        <rdar://problem/29912391>

        Reviewed by Saam Barati.

        In Unchecked mode, when DFG::SpeculativeJIT::compileArithMod() detects that the
        divisor is 0, we want it to return 0.  The result is expected to be of
        DataFormatIn32.

        The ARM implementation just returns the value in the divisor register.  However,
        the divisor in this case can be of DataFormatJSInt32.  On ARM64, returning the
        divisor register yields the wrong result format because the same register also
        holds the upper 32-bit of the JSValue encoding.  The fix is to return an
        immediate 0 instead.

        Also turned on the assertion in jitAssertIsInt32 for ARM64.  This assertion being
        disabled may have contributed to this bug going unnoticed all this time.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::jitAssertIsInt32):

2017-04-04  Filip Pizlo  <fpizlo@apple.com>

        Air::eliminateDeadCode should not repeatedly process the same live instructions
        https://bugs.webkit.org/show_bug.cgi?id=170490

        Reviewed by Keith Miller.
        
        This makes the eliminateDeadCode() fixpoint somewhat worklist-based: we track the set
        of Insts that might be dead. Every time we detect that one is live, we remove it from
        the set. This is a big (>2x) speed-up because lots of Insts are immediately found to
        be live.
        
        This is a ~1% wasm -O1 compile time progression.

        * b3/air/AirEliminateDeadCode.cpp:
        (JSC::B3::Air::eliminateDeadCode):

2017-04-04  Filip Pizlo  <fpizlo@apple.com>

        Air::eliminateDeadCode() should not use a HashSet
        https://bugs.webkit.org/show_bug.cgi?id=170487

        Reviewed by Saam Barati.
        
        Introduce TmpSet, which is like a HashSet<Tmp>. Use this to make eliminateDeadCode()
        about 50% faster, resulting in a 1% wasm -O1 compile time progression.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/air/AirEliminateDeadCode.cpp:
        (JSC::B3::Air::eliminateDeadCode):
        * b3/air/AirTmpSet.h: Added.
        (JSC::B3::Air::TmpSet::TmpSet):
        (JSC::B3::Air::TmpSet::add):
        (JSC::B3::Air::TmpSet::remove):
        (JSC::B3::Air::TmpSet::contains):
        (JSC::B3::Air::TmpSet::size):
        (JSC::B3::Air::TmpSet::isEmpty):
        (JSC::B3::Air::TmpSet::iterator::iterator):
        (JSC::B3::Air::TmpSet::iterator::operator*):
        (JSC::B3::Air::TmpSet::iterator::operator++):
        (JSC::B3::Air::TmpSet::iterator::operator==):
        (JSC::B3::Air::TmpSet::iterator::operator!=):
        (JSC::B3::Air::TmpSet::begin):
        (JSC::B3::Air::TmpSet::end):

2017-04-04  Keith Miller  <keith_miller@apple.com>

        WebAssembly: ModuleInformation should be a ref counted thing that can be shared across threads.
        https://bugs.webkit.org/show_bug.cgi?id=170478

        Reviewed by Saam Barati.

        ModuleInformation has been moved to its own file and is now
        ThreadSafeRefCounted.  All the Strings we used to keep in the
        ModuleInformation have been switched to Vector<LChar> this has the
        advantage that it can be passed across threads. However, this does
        mean that we need to decode the utf8 strings in each thread. This
        is likely not a problem because:

        1) most modules have few imports/exports/custom sections.
        2) most of the time they are ascii so the conversion is cheap.
        3) we only have to do it once per thread, and there shouldn't be too many.

        This patch also removes
        moduleSignatureIndicesToUniquedSignatureIndices since that
        information can already be recovered from the
        SignatureInformation.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jsc.cpp:
        (functionTestWasmModuleFunctions):
        * runtime/Identifier.h:
        (JSC::Identifier::fromString):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::parseAndCompile):
        * wasm/WasmB3IRGenerator.h:
        * wasm/WasmFormat.cpp:
        (JSC::Wasm::makeString):
        (JSC::Wasm::ModuleInformation::~ModuleInformation): Deleted.
        * wasm/WasmFormat.h:
        (JSC::Wasm::makeString):
        (JSC::Wasm::ModuleInformation::functionIndexSpaceSize): Deleted.
        (JSC::Wasm::ModuleInformation::isImportedFunctionFromFunctionIndexSpace): Deleted.
        (JSC::Wasm::ModuleInformation::signatureIndexFromFunctionIndexSpace): Deleted.
        (JSC::Wasm::ModuleInformation::importFunctionCount): Deleted.
        (JSC::Wasm::ModuleInformation::internalFunctionCount): Deleted.
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::FunctionParser):
        * wasm/WasmModuleInformation.cpp: Copied from Source/JavaScriptCore/wasm/WasmValidate.h.
        (JSC::Wasm::ModuleInformation::~ModuleInformation):
        * wasm/WasmModuleInformation.h: Added.
        (JSC::Wasm::ModuleInformation::functionIndexSpaceSize):
        (JSC::Wasm::ModuleInformation::isImportedFunctionFromFunctionIndexSpace):
        (JSC::Wasm::ModuleInformation::signatureIndexFromFunctionIndexSpace):
        (JSC::Wasm::ModuleInformation::importFunctionCount):
        (JSC::Wasm::ModuleInformation::internalFunctionCount):
        (JSC::Wasm::ModuleInformation::ModuleInformation):
        * wasm/WasmModuleParser.cpp:
        * wasm/WasmModuleParser.h:
        (JSC::Wasm::ModuleParser::ModuleParser):
        * wasm/WasmParser.h:
        (JSC::Wasm::Parser<SuccessType>::consumeUTF8String):
        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::Plan):
        (JSC::Wasm::Plan::parseAndValidateModule):
        (JSC::Wasm::Plan::prepare):
        (JSC::Wasm::Plan::compileFunctions):
        (JSC::Wasm::Plan::complete):
        (JSC::Wasm::Plan::cancel):
        * wasm/WasmPlan.h:
        (JSC::Wasm::Plan::internalFunctionCount):
        (JSC::Wasm::Plan::takeModuleInformation):
        * wasm/WasmSignature.cpp:
        (JSC::Wasm::SignatureInformation::get):
        * wasm/WasmSignature.h:
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::validateFunction):
        * wasm/WasmValidate.h:
        * wasm/js/JSWebAssemblyHelpers.h:
        (JSC::createSourceBufferFromValue):
        * wasm/js/JSWebAssemblyModule.cpp:
        (JSC::JSWebAssemblyModule::createStub):
        (JSC::JSWebAssemblyModule::JSWebAssemblyModule):
        (JSC::JSWebAssemblyModule::finishCreation):
        * wasm/js/JSWebAssemblyModule.h:
        (JSC::JSWebAssemblyModule::moduleInformation):
        (JSC::JSWebAssemblyModule::source):
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::constructJSWebAssemblyInstance):
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        (JSC::WebAssemblyModuleConstructor::createModule):
        * wasm/js/WebAssemblyModulePrototype.cpp:
        (JSC::webAssemblyModuleProtoCustomSections):
        (JSC::webAssemblyModuleProtoImports):
        (JSC::webAssemblyModuleProtoExports):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):
        * wasm/js/WebAssemblyModuleRecord.h:
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::webAssemblyCompileFunc):
        (JSC::instantiate):
        (JSC::compileAndInstantiate):

2017-04-04  Filip Pizlo  <fpizlo@apple.com>

        B3::fixSSA() needs a tune-up
        https://bugs.webkit.org/show_bug.cgi?id=170485

        Reviewed by Saam Barati.
        
        After the various optimizations to liveness, register allocation, and other phases, the
        fixSSA() phase now looks like one of the top offenders. This includes a bunch of
        changes to make this phase run faster. This is a ~7% wasm -O1 compile time progression.
        
        Here's what I did:
        
        - We now use IndexSparseSet instead of IndexMap for tracking variable values. This
          makes it cheaper to chew through small blocks while there is a non-trivial number of
          total variables.
        
        - We now do a "local SSA conversion" pass before anything else. This eliminates
          obvious Get's. If we were using temporary Variables, it would eliminate many of
          those. That's useful for when we use demoteValues() and duplciateTails(). For wasm
          -O1, we mainly care about the fact that it makes a bunch of Set's dead.
        
        - We now do a Set DCE pass after the local SSA but before SSA conversion. This ensures
          that any block-local live intervals of Variables disappear and don't need further
          consideration.
        
        - We now cache the reaching defs calculation.
        
        - We now perform the reaching defs calculation lazily.

        * b3/B3FixSSA.cpp:
        (JSC::B3::demoteValues):
        (JSC::B3::fixSSA):
        * b3/B3SSACalculator.cpp:
        (JSC::B3::SSACalculator::reachingDefAtTail):
        * b3/B3VariableLiveness.cpp:
        (JSC::B3::VariableLiveness::VariableLiveness):
        * b3/air/AirLiveness.h:
        (JSC::B3::Air::Liveness::Liveness):
        * dfg/DFGLivenessAnalysisPhase.cpp:
        (JSC::DFG::LivenessAnalysisPhase::LivenessAnalysisPhase): Deleted.
        (JSC::DFG::LivenessAnalysisPhase::run): Deleted.
        (JSC::DFG::LivenessAnalysisPhase::processBlock): Deleted.

2017-04-04  Joseph Pecoraro  <pecoraro@apple.com>

        Remove stale LLVM Header Path includes from JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=170483

        Reviewed by Mark Lam.

        * Configurations/Base.xcconfig:

2017-04-04  Filip Pizlo  <fpizlo@apple.com>

        B3::LowerToAir incorrectly selects BitXor(AtomicStrongCAS(...), $1)
        https://bugs.webkit.org/show_bug.cgi?id=169867

        Reviewed by Saam Barati.
        
        The BitXor(AtomicWeakCAS(...), $1) optimization makes a lot of sense because we an fold the
        BitXor into the CAS condition read-out. But there is no version of this that is profitable or
        correct for AtomicStrongCAS. The inversion case is handled by Equal(AtomicStrongCAS(...), ...)
        becoming NotEqual(AtomicStrongCAS(...), ...), and we alraedy handle that separately.
        
        So, the fix here is to make the BitXor CAS pattern only recognize AtomicWeakCAS.

        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::lower):
        * b3/testb3.cpp:
        (JSC::B3::testAtomicStrongCAS):

2017-04-04  Saam Barati  <sbarati@apple.com>

        WebAssembly: JSWebAssemblyCallee should not be a JSCell
        https://bugs.webkit.org/show_bug.cgi?id=170135

        Reviewed by Michael Saboff.

        This patch is perhaps the last big change to the design of fundamental
        Wasm API to allow for PIC. It changes JSWebAssemblyCallee into a thing
        called Wasm::Callee. It serves the same purpose as before, except
        Wasm::Callee is not a JSCell. I had to refactor the various parts of the
        runtime that will see CallFrame's with Wasm::Callee's in the callee slot.
        Thankfully, the parts of the runtime that Wasm touches are limited. The
        main refactoring is changing the exception handling code, such as taking
        a stack trace, to be friendly to seeing a non JSCell callee.
        
        The callee() function on ExecState now returns a class I added in this
        patch called CalleeBits. CalleeBits will tell you if the callee is a
        JSCell or a Wasm::Callee. We tag Wasm::Callee's with a 1 in their lower
        bit so we can easily tell what is and isn't a Wasm::Callee.
        
        The stub that calls out from Wasm to JS still puts a JSCell callee
        into the call frame, even though the callee logically represents a
        Wasm frame. The reason for this is that we use the call IC infrastructure
        to make a call out to JS code, and the code that writes the IC expects
        a JSCell as the callee. This is knowingly part of our design. When we
        do structured cloning of Wasm Modules, we'll need to regenerate these
        JS call stubs.

        * API/JSContextRef.cpp:
        (BacktraceFunctor::operator()):
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * debugger/Debugger.cpp:
        (JSC::Debugger::pauseIfNeeded):
        (JSC::Debugger::currentDebuggerCallFrame):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::create):
        (JSC::DebuggerCallFrame::DebuggerCallFrame):
        (JSC::DebuggerCallFrame::currentPosition):
        (JSC::DebuggerCallFrame::positionForCallFrame):
        * debugger/DebuggerCallFrame.h:
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::vmEntryGlobalObject):
        (JSC::CallFrame::wasmAwareLexicalGlobalObject):
        (JSC::CallFrame::isAnyWasmCallee):
        (JSC::CallFrame::callerSourceOrigin):
        * interpreter/CallFrame.h:
        (JSC::ExecState::calleeAsValue):
        (JSC::ExecState::jsCallee):
        (JSC::ExecState::callee):
        (JSC::ExecState::unsafeCallee):
        (JSC::ExecState::scope):
        (JSC::ExecState::iterate):
        * interpreter/CalleeBits.h: Added.
        (JSC::CalleeBits::CalleeBits):
        (JSC::CalleeBits::operator=):
        (JSC::CalleeBits::boxWasm):
        (JSC::CalleeBits::isWasm):
        (JSC::CalleeBits::isCell):
        (JSC::CalleeBits::asCell):
        (JSC::CalleeBits::asWasmCallee):
        (JSC::CalleeBits::rawPtr):
        * interpreter/Interpreter.cpp:
        (JSC::GetStackTraceFunctor::operator()):
        (JSC::Interpreter::getStackTrace):
        (JSC::notifyDebuggerOfUnwinding):
        (JSC::UnwindFunctor::UnwindFunctor):
        (JSC::UnwindFunctor::operator()):
        (JSC::UnwindFunctor::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
        (JSC::Interpreter::unwind):
        (JSC::Interpreter::notifyDebuggerOfExceptionToBeThrown):
        * interpreter/Interpreter.h:
        * interpreter/Register.h:
        (JSC::Register::pointer):
        * interpreter/ShadowChicken.cpp:
        (JSC::ShadowChicken::update):
        * interpreter/ShadowChickenInlines.h:
        (JSC::ShadowChicken::iterate):
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::StackVisitor):
        (JSC::StackVisitor::readFrame):
        (JSC::StackVisitor::readNonInlinedFrame):
        (JSC::StackVisitor::readInlinedFrame):
        (JSC::StackVisitor::Frame::calleeSaveRegisters):
        (JSC::StackVisitor::Frame::functionName):
        (JSC::StackVisitor::Frame::dump):
        * interpreter/StackVisitor.h:
        (JSC::StackVisitor::Frame::callee):
        (JSC::StackVisitor::visit):
        * jit/Repatch.cpp:
        (JSC::linkFor):
        (JSC::linkPolymorphicCall):
        * jsc.cpp:
        (callWasmFunction):
        (functionTestWasmModuleFunctions):
        * runtime/ArrayPrototype.cpp:
        * runtime/Error.cpp:
        (JSC::addErrorInfoAndGetBytecodeOffset):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::finishCreation):
        * runtime/JSCell.cpp:
        (JSC::JSCell::isAnyWasmCallee): Deleted.
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::ExecState::vm):
        * runtime/JSFunction.cpp:
        (JSC::RetrieveArgumentsFunctor::operator()):
        (JSC::RetrieveCallerFunctionFunctor::operator()):
        * runtime/JSGlobalObject.cpp:
        * runtime/SamplingProfiler.cpp:
        (JSC::FrameWalker::recordJSFrame):
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        * runtime/SamplingProfiler.h:
        (JSC::SamplingProfiler::UnprocessedStackFrame::UnprocessedStackFrame):
        * runtime/StackFrame.cpp:
        (JSC::StackFrame::sourceURL):
        (JSC::StackFrame::functionName):
        * runtime/StackFrame.h:
        (JSC::StackFrame::wasm):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::throwException):
        * runtime/VM.h:
        * wasm/JSWebAssembly.h:
        * wasm/WasmB3IRGenerator.cpp:
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToWasm):
        * wasm/WasmCallee.cpp: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCallee.cpp.
        (JSC::Wasm::Callee::Callee):
        (JSC::JSWebAssemblyCallee::JSWebAssemblyCallee): Deleted.
        (JSC::JSWebAssemblyCallee::finishCreation): Deleted.
        (JSC::JSWebAssemblyCallee::destroy): Deleted.
        * wasm/WasmCallee.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCallee.h.
        (JSC::Wasm::Callee::create):
        (JSC::JSWebAssemblyCallee::create): Deleted.
        (JSC::JSWebAssemblyCallee::createStructure): Deleted.
        (JSC::JSWebAssemblyCallee::entrypoint): Deleted.
        (JSC::JSWebAssemblyCallee::calleeSaveRegisters): Deleted.
        * wasm/WasmContext.h:
        * wasm/WasmPlan.cpp:
        * wasm/WasmPlan.h:
        * wasm/WasmPlanInlines.h:
        (JSC::Wasm::Plan::initializeCallees):
        * wasm/WasmThunks.cpp:
        (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
        * wasm/js/JSWebAssemblyCallee.cpp: Removed.
        * wasm/js/JSWebAssemblyCallee.h: Removed.
        * wasm/js/JSWebAssemblyCodeBlock.cpp:
        (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
        (JSC::JSWebAssemblyCodeBlock::initialize):
        (JSC::JSWebAssemblyCodeBlock::visitChildren):
        * wasm/js/JSWebAssemblyCodeBlock.h:
        (JSC::JSWebAssemblyCodeBlock::create):
        (JSC::JSWebAssemblyCodeBlock::jsEntrypointCalleeFromFunctionIndexSpace):
        (JSC::JSWebAssemblyCodeBlock::wasmEntrypointCalleeFromFunctionIndexSpace):
        (JSC::JSWebAssemblyCodeBlock::wasmToJsCallStubForImport):
        (JSC::JSWebAssemblyCodeBlock::offsetOfImportWasmToJSStub):
        (JSC::JSWebAssemblyCodeBlock::setJSEntrypointCallee):
        (JSC::JSWebAssemblyCodeBlock::setWasmEntrypointCallee):
        (JSC::JSWebAssemblyCodeBlock::offsetOfImportStubs):
        (JSC::JSWebAssemblyCodeBlock::allocationSize):
        (JSC::JSWebAssemblyCodeBlock::importWasmToJSStub):
        (JSC::JSWebAssemblyCodeBlock::callees): Deleted.
        (JSC::JSWebAssemblyCodeBlock::offsetOfCallees): Deleted.
        * wasm/js/JSWebAssemblyInstance.h:
        (JSC::JSWebAssemblyInstance::webAssemblyToJSCallee):
        * wasm/js/JSWebAssemblyModule.cpp:
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):
        (JSC::WebAssemblyFunction::create):
        (JSC::WebAssemblyFunction::WebAssemblyFunction):
        (JSC::WebAssemblyFunction::visitChildren):
        (JSC::WebAssemblyFunction::finishCreation):
        * wasm/js/WebAssemblyFunction.h:
        (JSC::WebAssemblyFunction::wasmEntrypoint):
        (JSC::WebAssemblyFunction::jsEntrypoint):
        (JSC::WebAssemblyFunction::offsetOfWasmEntrypoint):
        (JSC::WebAssemblyFunction::offsetOfWasmEntryPointCode): Deleted.
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):
        (JSC::WebAssemblyModuleRecord::evaluate):

2017-04-04  Keith Miller  <keith_miller@apple.com>

        WasmBench asserts in debug jsc
        https://bugs.webkit.org/show_bug.cgi?id=170462

        Reviewed by Saam Barati.

        The assertion should have been an if.

        * wasm/WasmWorklist.cpp:

2017-04-04  Filip Pizlo  <fpizlo@apple.com>

        Air::lowerAfterRegAlloc should bail early if it finds no Shuffles or ColdCCalls
        https://bugs.webkit.org/show_bug.cgi?id=170305

        Reviewed by Saam Barati.
        
        This reduces and sometimes completely eliminates the need to run lowerAfterRegAlloc().
        
        This lowers the Shuffle for the arguments of a CCall before register allocation unless
        the CCall arguments require a real shuffle (like if the CCall arguments were argument
        registers). This lowers a ColdCCall like a CCall for optLevel<2.
        
        Finally, lowerAfterRegAlloc() now checks if there are any Shuffles or CCalls before it
        does anything else. For wasm at -O1, this means that the phase doesn't run at all. This
        is a ~3% wasm -O1 compile time progression.
        
        To make this easy, I changed optLevel into a property of Procedure and Code rather than
        an argument we thread through everything. I like how Procedure and Code are dumping
        ground classes. This does not bother me. Note that I cloned optLevel into Procedure and
        Code so that it's cheap to query inside Air phases.

        * b3/B3Compile.cpp:
        (JSC::B3::compile):
        * b3/B3Compile.h:
        * b3/B3Generate.cpp:
        (JSC::B3::prepareForGeneration):
        (JSC::B3::generateToAir):
        * b3/B3Generate.h:
        * b3/B3Procedure.cpp:
        (JSC::B3::Procedure::setOptLevel):
        * b3/B3Procedure.h:
        (JSC::B3::Procedure::optLevel):
        * b3/air/AirCode.h:
        (JSC::B3::Air::Code::isPinned):
        (JSC::B3::Air::Code::setOptLevel):
        (JSC::B3::Air::Code::optLevel):
        * b3/air/AirEmitShuffle.cpp:
        (JSC::B3::Air::ShufflePair::bank):
        (JSC::B3::Air::ShufflePair::opcode):
        (JSC::B3::Air::ShufflePair::inst):
        (JSC::B3::Air::emitShuffle):
        * b3/air/AirEmitShuffle.h:
        (JSC::B3::Air::moveFor):
        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::prepareForGeneration):
        * b3/air/AirGenerate.h:
        * b3/air/AirLowerAfterRegAlloc.cpp:
        (JSC::B3::Air::lowerAfterRegAlloc):
        * b3/air/AirLowerMacros.cpp:
        (JSC::B3::Air::lowerMacros):
        * b3/testb3.cpp:
        (JSC::B3::compileProc):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::parseAndCompile):

2017-04-04  Filip Pizlo  <fpizlo@apple.com>

        Don't need to Air::reportUsedRegisters for wasm at -O1
        https://bugs.webkit.org/show_bug.cgi?id=170459

        Reviewed by Saam Barati.
        
        I did some refactorings to Liveness<> to try to understand its performance. Based on
        this I concluded that the bigger immediate issue is just removing unnecessary phases
        from -O1.
        
        This removes Air::reportUsedRegisters() from -O1 if the user has indicated that he is
        not interested in StackmapGenerationParams::usedRegisters(). The logic here is a bit
        weird because of how Air does spill code generation. The register allocator's spiller
        will emit spill code using identifiable spill slots, which allows subsequent phases to
        register-allocate the spill slots. We do this by a forward flow CSE phase called
        fixObviousSpills (which is a terrible name since there is no longer anything obvious
        about some of the spills that this phase can fix!). As is most natural for CSEs over
        3AC, it rewires the uses of redundant computations rather than removing the redundant
        computations. This means that if a spill got "fixed", there may be either or both of
        the following:
        
        - Dead loads from the stack.
        - Dead stores to the stack.
        
        We know that a load from the stack is dead if the register is dead at the point of the
        load. We know that a store to the stack is dead if the spill slot is dead at the point
        of the store.
        
        Unfortunately, liveness analysis - over either registers or spill slots - is expensive.
        
        Fortunately, allocateStack() already does liveness analysis over spill slots. So, we
        baked elimination of stores to the stack into that phase. That aspect of clean-up after
        the spill CSE comes for free.
        
        Also fortunately for the FTL, we have to do reportUsedRegisters() anyway. This is a
        phase that enables StackmapGenerationParams::usedRegisters() to work, which then
        enables the FTL's patchpoints to do crazy slow-path live range splitting. So, Air's
        strategy for the load fix-up after spill CSE is to do it as part of
        reportUsedRegisters().
        
        This patch introduces the Procedure::setNeedsUsedRegisters() API. But if you set
        needsUsedRegisters to false then we will still run reportUsedRegisters() at -O2 as an
        optimization - it removes dead loads from the stack that are left behind from
        fixObviousSpills().
        
        This is a ~6% compile time progression at -O1.

        * b3/B3Procedure.h:
        (JSC::B3::Procedure::setNeedsUsedRegisters):
        (JSC::B3::Procedure::needsUsedRegisters):
        * b3/B3StackmapGenerationParams.h:
        * b3/B3VariableLiveness.cpp:
        (JSC::B3::VariableLiveness::VariableLiveness):
        * b3/air/AirCode.cpp:
        (JSC::B3::Air::Code::needsUsedRegisters):
        * b3/air/AirCode.h:
        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::prepareForGeneration):
        * b3/air/AirLiveness.h:
        (JSC::B3::Air::Liveness::Liveness):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::parseAndCompile):

2017-04-03  Filip Pizlo  <fpizlo@apple.com>

        Air liveness should build constraints and solve them rather than repeatedly parsing IR
        https://bugs.webkit.org/show_bug.cgi?id=170421

        Reviewed by Saam Barati.
        
        Inst::forEach<> is expensive. The LivenessAdapter uses forEach with a particularly
        gnarly lambda that has many extra checks. Therefore, a lot of the time spent in
        liveness analysis is just recomputing forEach<> and that lambda to get uses and defs.
        
        This introduces LivenessConstraints<>, which is a liveness constraint system based on
        Adapter. It basically caches the results of doing forEach. It'll give you the uses and
        defs at each instruction boundary.
        
        This is a ~5% compile time progression at optLevel=1. It's also a ~3% compile time
        progression at optLevel=2.
        
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/air/AirLivenessAdapter.h:
        (JSC::B3::Air::LivenessAdapter::LivenessAdapter):
        (JSC::B3::Air::LivenessAdapter::forEachUse):
        (JSC::B3::Air::LivenessAdapter::forEachDef):
        * b3/air/AirLivenessConstraints.h: Added.
        (JSC::B3::Air::LivenessConstraints::Actions::Actions):
        (JSC::B3::Air::LivenessConstraints::LivenessConstraints):
        (JSC::B3::Air::LivenessConstraints::at):

2017-04-03  Mark Lam  <mark.lam@apple.com>

        Fix incorrect capacity delta calculation reported in SparseArrayValueMap::add().
        https://bugs.webkit.org/show_bug.cgi?id=170412
        <rdar://problem/29697336>

        Reviewed by Filip Pizlo.

        Here's an example of code that will trigger underflow in the "deprecatedExtraMemory"
        reported by SparseArrayValueMap::add() that is added to Heap::m_deprecatedExtraMemorySize:
        
            arr = new Array;
            Object.defineProperty(arr, 18, ({writable: true, configurable: true}));
            for (var i = 0; i < 3; ++i) {
                Array.prototype.push.apply(arr, ["", () => {}, {}]);
                Array.prototype.sort.apply(arr, [() => {}, []]);
            }

        However, Heap::m_deprecatedExtraMemorySize is only 1 of 3 values that are added
        up to form the result of Heap::extraMemorySize().  Heap::m_extraMemorySize and
        Heap::m_arrayBuffers.size() are the other 2.

        While Heap::m_arrayBuffers.size() is bounded by actual allocated memory, both
        Heap::m_deprecatedExtraMemorySize and Heap::m_extraMemorySize are added to
        without any bounds checks, and they are only reset to 0 at the start of a full
        GC.  As a result, if we have a long sequence of eden GCs with a lot of additions
        to Heap::m_extraMemorySize and/or Heap::m_deprecatedExtraMemorySize, then these
        values could theoretically overflow.  Coupling this with the underflow from
        SparseArrayValueMap::add(), the result for Heap::extraMemorySize() can easily
        overflow.  Note: Heap::extraMemorySize() is used to compute the value
        currentHeapSize.

        If multiple conditions line up just right, the above overflows can result in this
        debug assertion failure during an eden GC:

            ASSERT(currentHeapSize >= m_sizeAfterLastCollect);

        Otherwise, the effects of the overflows will only result in the computed
        currentHeapSize not being representative of actual memory usage, and therefore,
        a full GC may be triggered earlier or later than is ideal.

        This patch ensures that SparseArrayValueMap::add() cannot underflow
        Heap::m_deprecatedExtraMemorySize.  It also adds overflows checks in the
        calculations of Heap::m_deprecatedExtraMemorySize, Heap::m_extraMemorySize, and
        Heap::extraMemorySize() so that their values are saturated appropriately to
        ensure that GC collections are triggered based on representative memory usage.

        * heap/Heap.cpp:
        (JSC::Heap::deprecatedReportExtraMemorySlowCase):
        (JSC::Heap::extraMemorySize):
        (JSC::Heap::updateAllocationLimits):
        (JSC::Heap::reportExtraMemoryVisited):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::add):

2017-04-03  Filip Pizlo  <fpizlo@apple.com>

        Move the Liveness<> adapters from AirLiveness.h to AirLivenessAdapter.h.

        Rubber stamped by Keith Miller.
        
        This will make it easier to write other code that uses those adapters.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/air/AirLiveness.h:
        (JSC::B3::Air::LivenessAdapter::LivenessAdapter): Deleted.
        (JSC::B3::Air::LivenessAdapter::blockSize): Deleted.
        (JSC::B3::Air::LivenessAdapter::forEachUse): Deleted.
        (JSC::B3::Air::LivenessAdapter::forEachDef): Deleted.
        (JSC::B3::Air::TmpLivenessAdapter::TmpLivenessAdapter): Deleted.
        (JSC::B3::Air::TmpLivenessAdapter::numIndices): Deleted.
        (JSC::B3::Air::TmpLivenessAdapter::acceptsBank): Deleted.
        (JSC::B3::Air::TmpLivenessAdapter::acceptsRole): Deleted.
        (JSC::B3::Air::TmpLivenessAdapter::valueToIndex): Deleted.
        (JSC::B3::Air::TmpLivenessAdapter::indexToValue): Deleted.
        (JSC::B3::Air::StackSlotLivenessAdapter::StackSlotLivenessAdapter): Deleted.
        (JSC::B3::Air::StackSlotLivenessAdapter::numIndices): Deleted.
        (JSC::B3::Air::StackSlotLivenessAdapter::acceptsBank): Deleted.
        (JSC::B3::Air::StackSlotLivenessAdapter::acceptsRole): Deleted.
        (JSC::B3::Air::StackSlotLivenessAdapter::valueToIndex): Deleted.
        (JSC::B3::Air::StackSlotLivenessAdapter::indexToValue): Deleted.
        * b3/air/AirLivenessAdapter.h: Added.
        (JSC::B3::Air::LivenessAdapter::LivenessAdapter):
        (JSC::B3::Air::LivenessAdapter::blockSize):
        (JSC::B3::Air::LivenessAdapter::forEachUse):
        (JSC::B3::Air::LivenessAdapter::forEachDef):
        (JSC::B3::Air::TmpLivenessAdapter::TmpLivenessAdapter):
        (JSC::B3::Air::TmpLivenessAdapter::numIndices):
        (JSC::B3::Air::TmpLivenessAdapter::acceptsBank):
        (JSC::B3::Air::TmpLivenessAdapter::acceptsRole):
        (JSC::B3::Air::TmpLivenessAdapter::valueToIndex):
        (JSC::B3::Air::TmpLivenessAdapter::indexToValue):
        (JSC::B3::Air::StackSlotLivenessAdapter::StackSlotLivenessAdapter):
        (JSC::B3::Air::StackSlotLivenessAdapter::numIndices):
        (JSC::B3::Air::StackSlotLivenessAdapter::acceptsBank):
        (JSC::B3::Air::StackSlotLivenessAdapter::acceptsRole):
        (JSC::B3::Air::StackSlotLivenessAdapter::valueToIndex):
        (JSC::B3::Air::StackSlotLivenessAdapter::indexToValue):

2017-04-03  Filip Pizlo  <fpizlo@apple.com>

        WTF::Liveness should have an API that focuses on actions at instruction boundaries
        https://bugs.webkit.org/show_bug.cgi?id=170407

        Reviewed by Keith Miller.
        
        Adopt changes to the WTF::Liveness<> API. Instead of having separate functions for the
        early/late versions of uses and defs, we now have just a use/def API. Those
        automatically take care of eary/late issues as needed.
        
        This reduces the API surface between WTF::Liveness<> and its clients, which makes it
        easier to implement some other optimizations I'm thinking about.

        * b3/B3VariableLiveness.h:
        (JSC::B3::VariableLivenessAdapter::forEachUse):
        (JSC::B3::VariableLivenessAdapter::forEachDef):
        (JSC::B3::VariableLivenessAdapter::forEachEarlyUse): Deleted.
        (JSC::B3::VariableLivenessAdapter::forEachLateUse): Deleted.
        (JSC::B3::VariableLivenessAdapter::forEachEarlyDef): Deleted.
        (JSC::B3::VariableLivenessAdapter::forEachLateDef): Deleted.
        * b3/air/AirLiveness.h:
        (JSC::B3::Air::LivenessAdapter::blockSize):
        (JSC::B3::Air::LivenessAdapter::forEachUse):
        (JSC::B3::Air::LivenessAdapter::forEachDef):
        (JSC::B3::Air::LivenessAdapter::forEachEarlyUse): Deleted.
        (JSC::B3::Air::LivenessAdapter::forEachLateUse): Deleted.
        (JSC::B3::Air::LivenessAdapter::forEachEarlyDef): Deleted.
        (JSC::B3::Air::LivenessAdapter::forEachLateDef): Deleted.

2017-04-03  Filip Pizlo  <fpizlo@apple.com>

        Inst::forEachArg could compile to more compact code
        https://bugs.webkit.org/show_bug.cgi?id=170406

        Reviewed by Sam Weinig.
        
        Prior to this change, Inst::forEachArg compiled to a ginormous ALWAYS_INLINE switch statement.
        It had one case for each opcode, and then each of those cases would have a switch statement over
        the number of operands. Then the cases of that switch statement would have a sequence of calls to
        the passed lambda. This meant that every user of forEachArg would generate an insane amount of
        code. It also meant that the inlining achieved nothing, since the lambda would surely then not
        be inlined - and if it was, then the icache pressure due to code bloat would surely negate any
        benefits.
        
        This replaces that code with a loop over a compact look-up table. We use the opcode and number of
        operands as keys into that look-up table. The table only takes about 20KB. It has one byte for
        each argument in each overload of each opcode.
        
        I can't measure any reproducible change in performance, but the JavaScriptCore framework binary
        shrinks by 2.7 MB. This is a 15% reduction in JavaScriptCore binary size.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3Width.h:
        * b3/air/AirCustom.h:
        (JSC::B3::Air::PatchCustom::forEachArg):
        * b3/air/AirFormTable.h: Added.
        (JSC::B3::Air::decodeFormRole):
        (JSC::B3::Air::decodeFormBank):
        (JSC::B3::Air::decodeFormWidth):
        * b3/air/AirInst.h:
        * b3/air/opcode_generator.rb:

2017-04-03  Keith Miller  <keith_miller@apple.com>

        WebAssembly: remove lastAllocatedMode from Memory
        https://bugs.webkit.org/show_bug.cgi?id=170405

        Reviewed by Mark Lam.

        It's not used anymore so there isn't any point in keeping it around.

        * wasm/WasmMemory.cpp:
        (JSC::Wasm::Memory::createImpl):
        (JSC::Wasm::Memory::lastAllocatedMode): Deleted.
        * wasm/WasmMemory.h:

2017-04-03  Zan Dobersek  <zdobersek@igalia.com>

        [jsc] Add patchableJumpSize() for MIPS
        https://bugs.webkit.org/show_bug.cgi?id=169716

        Reviewed by Yusuke Suzuki.

        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::patchableJumpSize): Added.
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::patchableJumpSize): Added.

2017-04-03  Guillaume Emont  <guijemont@igalia.com>

        [jsc] implement MIPSAssembler::relinkJumpToNop()
        https://bugs.webkit.org/show_bug.cgi?id=169720

        Reviewed by Yusuke Suzuki.

        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::relinkJumpToNop): Added.

2017-04-02  Carlos Garcia Campos  <cgarcia@igalia.com>

        Share implementation of JSRunLoopTimer::timerDidFire
        https://bugs.webkit.org/show_bug.cgi?id=170392

        Reviewed by Michael Catanzaro.

        The code is cross-platform but it's duplicated in CF and GLib implementations, it could be shared instead.

        * runtime/JSRunLoopTimer.cpp:
        (JSC::JSRunLoopTimer::timerDidFire): Move common implementation here.
        (JSC::JSRunLoopTimer::setRunLoop): Use timerDidFireCallback.
        (JSC::JSRunLoopTimer::timerDidFireCallback): Call JSRunLoopTimer::timerDidFire().
        * runtime/JSRunLoopTimer.h:

2017-04-01  Oleksandr Skachkov  <gskachkov@gmail.com>

        Object with numerical keys with gaps gets filled by NaN values
        https://bugs.webkit.org/show_bug.cgi?id=164412

        Reviewed by Mark Lam.

        This patch fixes issue when object have two properties 
        with name as number. The issue appears when during invoking 
        convertDoubleToArrayStorage, array is filled by pNaN and 
        method converting it to real NaN. This happeneds because a 
        pNaN in a Double array is a hole, and Double arrays cannot 
        have NaN values. To fix issue we need to check value and 
        clear it if it pNaN.

        * runtime/JSObject.cpp:
        (JSC::JSObject::convertDoubleToArrayStorage):

2017-03-31  Saam Barati  <sbarati@apple.com>

        WebAssembly: Make our calls out to JS PIC friendly
        https://bugs.webkit.org/show_bug.cgi?id=170261

        Reviewed by Keith Miller.

        This patch removes a direct call from the module to the Wasm to JS stub.
        Instead, we do an indirect call to the stub by loading the stub's executable
        address off of the CodeBlock. This is to make the code we emit for comply with
        requirements needed for PIC.
        
        Adding this indirection is not ideal. Although this patch is neutral on
        WasmBench, we really want to get back to a world where we have an IC
        call infrastructure. This patch is obviously a regression on some
        types of programs. I've filed this bug to make sure we implement a
        PIC compliant Wasm to JS call IC:
        https://bugs.webkit.org/show_bug.cgi?id=170375

        * wasm/WasmB3IRGenerator.cpp:
        * wasm/WasmFormat.h:
        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::complete):
        * wasm/js/JSWebAssemblyCodeBlock.cpp:
        (JSC::JSWebAssemblyCodeBlock::initialize):
        * wasm/js/JSWebAssemblyCodeBlock.h:
        (JSC::JSWebAssemblyCodeBlock::create):
        (JSC::JSWebAssemblyCodeBlock::offsetOfImportWasmToJSStub):
        (JSC::JSWebAssemblyCodeBlock::offsetOfCallees):
        (JSC::JSWebAssemblyCodeBlock::allocationSize):
        (JSC::JSWebAssemblyCodeBlock::importWasmToJSStub):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::addUnitializedCodeBlock):
        * wasm/js/JSWebAssemblyInstance.h:
        (JSC::JSWebAssemblyInstance::offsetOfCodeBlock):

2017-03-31  Keith Miller  <keith_miller@apple.com>

        WebAssembly: webAssemblyB3OptimizationLevel should use defaultB3OptLevel by default
        https://bugs.webkit.org/show_bug.cgi?id=170378

        Reviewed by Saam Barati.

        * runtime/Options.h:
        * wasm/WasmB3IRGenerator.h:

2017-03-31  Keith Miller  <keith_miller@apple.com>

        WebAssembly: Add compilation level option
        https://bugs.webkit.org/show_bug.cgi?id=170374

        Reviewed by Mark Lam.

        This patch adds an option, webAssemblyB3OptimizationLevel, which
        changes the optimization mode wasm passes to B3.

        * runtime/Options.h:
        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::compileFunctions):

2017-03-31  Saam Barati  <sbarati@apple.com>

        WebAssembly: Strip WasmParser and WasmFunctionParser from knowing about VM
        https://bugs.webkit.org/show_bug.cgi?id=170312

        Reviewed by Mark Lam.

        This is another step towards PIC-ifying Wasm. This patch removes
        the VM field that is no longer used.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::parseAndCompile):
        * wasm/WasmB3IRGenerator.h:
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::FunctionParser):
        * wasm/WasmModuleParser.h:
        (JSC::Wasm::ModuleParser::ModuleParser):
        * wasm/WasmParser.h:
        (JSC::Wasm::Parser<SuccessType>::Parser):
        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::parseAndValidateModule):
        (JSC::Wasm::Plan::compileFunctions):
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::validateFunction):
        * wasm/WasmValidate.h:

2017-03-31  Saam Barati  <sbarati@apple.com>

        WebAssembly: Ref count Signature and SignatureInformation should not care about VM
        https://bugs.webkit.org/show_bug.cgi?id=170316

        Reviewed by Keith Miller.

        This is yet again another step towards PIC-ifying Wasm.
        Signature should be ref counted so we can tell when
        no code is holding onto a Signature. This makes it easy
        to free unused Signatures. Also, this patch rids SignatureInfo
        of any VM knowledge. Now, there is just a single SignatureInfo that
        lives in a process.

        * runtime/VM.h:
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::createJSToWasmWrapper):
        (JSC::Wasm::parseAndCompile):
        * wasm/WasmB3IRGenerator.h:
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToJs):
        * wasm/WasmCallingConvention.h:
        (JSC::Wasm::CallingConvention::loadArguments):
        * wasm/WasmFormat.h:
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::FunctionParser):
        * wasm/WasmModuleParser.cpp:
        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::parseAndValidateModule):
        (JSC::Wasm::Plan::compileFunctions):
        (JSC::Wasm::Plan::complete):
        * wasm/WasmSignature.cpp:
        (JSC::Wasm::Signature::hash):
        (JSC::Wasm::Signature::tryCreate):
        (JSC::Wasm::SignatureInformation::SignatureInformation):
        (JSC::Wasm::SignatureInformation::singleton):
        (JSC::Wasm::SignatureInformation::adopt):
        (JSC::Wasm::SignatureInformation::get):
        (JSC::Wasm::SignatureInformation::tryCleanup):
        (JSC::Wasm::Signature::create): Deleted.
        (JSC::Wasm::Signature::createInvalid): Deleted.
        (JSC::Wasm::Signature::destroy): Deleted.
        (JSC::Wasm::SignatureInformation::~SignatureInformation): Deleted.
        * wasm/WasmSignature.h:
        (JSC::Wasm::Signature::allocatedSize):
        (JSC::Wasm::Signature::operator==):
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::validateFunction):
        * wasm/WasmValidate.h:
        * wasm/js/JSWebAssemblyModule.cpp:
        (JSC::JSWebAssemblyModule::destroy):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):
        * wasm/js/WebAssemblyFunction.h:
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):
        (JSC::WebAssemblyModuleRecord::evaluate):
        * wasm/js/WebAssemblyWrapperFunction.cpp:
        (JSC::WebAssemblyWrapperFunction::create):
        * wasm/js/WebAssemblyWrapperFunction.h:

2017-03-31  Mark Lam  <mark.lam@apple.com>

        Array.prototype.splice() should not be using JSArray::tryCreateForInitializationPrivate().
        https://bugs.webkit.org/show_bug.cgi?id=170303
        <rdar://problem/31358281>

        Reviewed by Filip Pizlo.

        This is because it needs to call getProperty() later to get the values for
        initializing the array.  getProperty() can execute arbitrary code and potentially
        trigger the GC.  This is not allowed for clients of JSArray::tryCreateForInitializationPrivate().

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSplice):
        (JSC::copySplicedArrayElements): Deleted.

2017-03-31  Oleksandr Skachkov  <gskachkov@gmail.com>

        String.prototype.replace incorrectly applies "special replacement parameters" when passed a function
        https://bugs.webkit.org/show_bug.cgi?id=170151

        Reviewed by Saam Barati.

        This patch fixes issue for String.prototype.replace when passed a function 
        with special symbols "$$". It happeneds because substituteBackreferences applies 
        unconditionally, but according to the spec it should be applied only for text 
        21.1.3.16.8 https://tc39.github.io/ecma262/#sec-string.prototype.replace

        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingStringSearch):

2017-03-30  Saam Barati  <sbarati@apple.com>

        WebAssembly: When Wasm calls to C, it should use Wasm::Context* instead of ExecState* to get VM
        https://bugs.webkit.org/show_bug.cgi?id=170185

        Reviewed by Michael Saboff.

        This is one more step in the direction of PIC-ified Wasm.
        When we lift WasmCallee above VM, we will no longer be
        able to get VM from ExecState*. This patch ensures that
        we don't do that from within the Wasm runtime. Instead,
        we use the Wasm::Context* to get the VM.

        This patch also adds a new class, Wasm::Thunks. There
        is a single Wasm::Thunks that lives in the process. It
        is responsible for generating a thunk that Wasm relies on.
        The only such thunk right now is the exception throwing
        thunk.

        This patch also rids WasmFaultSignalHandler from any knowledge
        of VM. Previously, it relied on VM to get the exception handling
        thunk.

        The only part of the Wasm runtime that will be allowed
        to get VM& from ExecState will be WasmBinding. In the
        future, we plan to keep the calls out to JS to keep
        a JSCell as the callee.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * interpreter/Interpreter.cpp:
        (JSC::UnwindFunctor::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
        (JSC::AssemblyHelpers::copyCalleeSavesToVMEntryFrameCalleeSavesBufferImpl):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromWasmThunkGenerator): Deleted.
        * jit/ThunkGenerators.h:
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::getAllCalleeSaveRegisterOffsets):
        * runtime/VM.h:
        (JSC::VM::topVMEntryFrameOffset):
        (JSC::VM::getAllCalleeSaveRegisterOffsets): Deleted.
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::emitExceptionCheck):
        * wasm/WasmFaultSignalHandler.cpp:
        (JSC::Wasm::trapHandler):
        * wasm/WasmMemory.cpp:
        (JSC::Wasm::tryGetFastMemory):
        * wasm/WasmThunks.cpp: Added.
        (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
        (JSC::Wasm::Thunks::initialize):
        (JSC::Wasm::Thunks::singleton):
        (JSC::Wasm::Thunks::stub):
        (JSC::Wasm::Thunks::existingStub):
        * wasm/WasmThunks.h: Added.
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
        * wasm/js/JSWebAssemblyInstance.h:
        (JSC::JSWebAssemblyInstance::offsetOfVM):
        * wasm/js/JSWebAssemblyMemory.cpp:
        (JSC::JSWebAssemblyMemory::grow):
        * wasm/js/JSWebAssemblyMemory.h:
        * wasm/js/WebAssemblyMemoryPrototype.cpp:
        (JSC::webAssemblyMemoryProtoFuncGrow):

2017-03-30  Mark Lam  <mark.lam@apple.com>

        IntlObject should not be using JSArray::initializeIndex().
        https://bugs.webkit.org/show_bug.cgi?id=170302
        <rdar://problem/31356918>

        Reviewed by Saam Barati.

        JSArray::initializeIndex() is only meant to be used with arrays created using
        JSArray::tryCreateForInitializationPrivate() under very constrained conditions.

        * runtime/IntlObject.cpp:
        (JSC::canonicalizeLocaleList):
        (JSC::intlObjectFuncGetCanonicalLocales):

2017-03-30  Filip Pizlo  <fpizlo@apple.com>

        Air should support linear scan for optLevel<2
        https://bugs.webkit.org/show_bug.cgi?id=170161

        Reviewed by Saam Barati.
        
        This changes the default opt level of B3 to 2. It makes the other opt levels useful by adding a
        new register allocator. This new linear scan allocator will produce significantly worse code.
        But it will produce that code a lot faster than IRC or Briggs.
        
        The opt levels are:
            0: no optimizations, linear scan
            1: some optimizations, linear scan
            2: full optimizations, graph coloring (IRC or Briggs based on CPU)
        
        What we used to call optLevel=1 is not called optLevel=2, or better yet,
        optLevel=B3::defaultOptLevel(). We no longer have anything like the old optLevel=0 (which did no
        optimizations but ran graph coloring).
        
        allocateRegistersByLinearScan() faithfully implements Massimiliano Poletto and Vivek Sarkar's
        famous algorithm. It uses the variant that handles clobbered registers by avoiding assigning
        ranges to those registers if the range overlaps a clobber. It's engineered to allocate registers
        very quickly and generate inefficient code without falling off a cliff.
        
        The new optLevel=1 speeds up B3 by a factor of 2, and results in a 80% throughput regression.
        Linear scan runs 4.7x faster than graph coloring on average.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3BasicBlockUtils.h:
        (JSC::B3::blocksInPreOrder):
        (JSC::B3::blocksInPostOrder):
        * b3/B3BlockWorklist.h:
        * b3/B3CFG.h:
        (JSC::B3::CFG::newMap):
        * b3/B3Common.h:
        (JSC::B3::defaultOptLevel):
        * b3/B3Compile.h:
        * b3/B3DuplicateTails.cpp:
        * b3/B3EliminateCommonSubexpressions.cpp:
        * b3/B3FixSSA.cpp:
        (JSC::B3::demoteValues):
        (JSC::B3::fixSSA):
        * b3/B3FixSSA.h:
        * b3/B3Generate.cpp:
        (JSC::B3::prepareForGeneration):
        (JSC::B3::generateToAir):
        * b3/B3Generate.h:
        * b3/B3HeapRange.cpp: Removed.
        * b3/B3HeapRange.h:
        (JSC::B3::HeapRange::HeapRange): Deleted.
        (JSC::B3::HeapRange::top): Deleted.
        (JSC::B3::HeapRange::operator==): Deleted.
        (JSC::B3::HeapRange::operator!=): Deleted.
        (JSC::B3::HeapRange::operator|): Deleted.
        (JSC::B3::HeapRange::operator bool): Deleted.
        (JSC::B3::HeapRange::begin): Deleted.
        (JSC::B3::HeapRange::end): Deleted.
        (JSC::B3::HeapRange::overlaps): Deleted.
        * b3/B3LowerToAir.cpp:
        * b3/B3MoveConstants.cpp:
        * b3/B3PhiChildren.h:
        * b3/B3Procedure.cpp:
        (JSC::B3::Procedure::dump):
        (JSC::B3::Procedure::deleteOrphans):
        (JSC::B3::Procedure::setBlockOrderImpl):
        * b3/B3ReduceDoubleToFloat.cpp:
        * b3/B3ReduceStrength.cpp:
        * b3/B3SSACalculator.h:
        * b3/B3UseCounts.h:
        * b3/air/AirAllocateRegistersByGraphColoring.cpp:
        * b3/air/AirAllocateRegistersByLinearScan.cpp: Added.
        (JSC::B3::Air::allocateRegistersByLinearScan):
        * b3/air/AirAllocateRegistersByLinearScan.h: Added.
        * b3/air/AirAllocateStack.cpp:
        (JSC::B3::Air::allocateStack):
        * b3/air/AirArg.cpp:
        (WTF::printInternal):
        * b3/air/AirArg.h:
        (JSC::B3::Air::Arg::activeAt):
        (JSC::B3::Air::Arg::timing):
        (JSC::B3::Air::Arg::forEachPhase):
        * b3/air/AirBasicBlock.h:
        * b3/air/AirBlockWorklist.h:
        * b3/air/AirCFG.h:
        (JSC::B3::Air::CFG::newMap):
        * b3/air/AirEliminateDeadCode.cpp:
        (JSC::B3::Air::eliminateDeadCode):
        * b3/air/AirFixObviousSpills.cpp:
        * b3/air/AirFixPartialRegisterStalls.cpp:
        (JSC::B3::Air::fixPartialRegisterStalls):
        * b3/air/AirFixSpillsAfterTerminals.cpp: Added.
        (JSC::B3::Air::fixSpillsAfterTerminals):
        * b3/air/AirFixSpillsAfterTerminals.h: Added.
        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::prepareForGeneration):
        (JSC::B3::Air::generate):
        * b3/air/AirGenerate.h:
        * b3/air/AirGenerationContext.h:
        * b3/air/AirInsertionSet.h:
        * b3/air/AirInst.cpp:
        (JSC::B3::Air::Inst::needsPadding):
        * b3/air/AirLowerAfterRegAlloc.cpp:
        (JSC::B3::Air::lowerAfterRegAlloc):
        * b3/air/AirLowerEntrySwitch.cpp:
        (JSC::B3::Air::lowerEntrySwitch):
        * b3/air/AirOpcode.opcodes:
        * b3/air/AirPhaseInsertionSet.cpp: Added.
        (JSC::B3::Air::PhaseInsertionSet::execute):
        * b3/air/AirPhaseInsertionSet.h: Added.
        (JSC::B3::Air::PhaseInsertion::PhaseInsertion):
        (JSC::B3::Air::PhaseInsertion::phase):
        (JSC::B3::Air::PhaseInsertion::operator<):
        (JSC::B3::Air::PhaseInsertionSet::PhaseInsertionSet):
        (JSC::B3::Air::PhaseInsertionSet::appendInsertion):
        (JSC::B3::Air::PhaseInsertionSet::insertInst):
        (JSC::B3::Air::PhaseInsertionSet::insert):
        * b3/air/AirRegLiveness.h:
        (JSC::B3::Air::RegLiveness::LocalCalc::LocalCalc):
        * b3/air/AirSpillEverything.cpp:
        (JSC::B3::Air::spillEverything):
        * b3/air/AirTmp.cpp:
        * b3/air/AirTmp.h:
        (JSC::B3::Air::Tmp::tmpForIndex):
        * b3/air/AirTmpInlines.h:
        (JSC::B3::Air::Tmp::Indexed::Indexed):
        (JSC::B3::Air::Tmp::Indexed::index):
        (JSC::B3::Air::Tmp::AbsolutelyIndexed::AbsolutelyIndexed):
        (JSC::B3::Air::Tmp::AbsolutelyIndexed::index):
        (JSC::B3::Air::Tmp::indexed):
        (JSC::B3::Air::Tmp::absolutelyIndexed):
        (JSC::B3::Air::Tmp::tmpForAbsoluteIndex):
        * b3/testb3.cpp:
        (JSC::B3::compile):
        (JSC::B3::testMulLoadTwice):
        * jit/RegisterSet.h:
        (JSC::RegisterSet::add):
        (JSC::RegisterSet::remove):
        * runtime/Options.h:
        * wasm/WasmB3IRGenerator.h:

2017-03-30  Youenn Fablet  <youenn@apple.com>

        Clean up RTCDataChannel
        https://bugs.webkit.org/show_bug.cgi?id=169732

        Reviewed by Chris Dumez.

        * runtime/CommonIdentifiers.h: Adding RTCDataChannelEvent.

2017-03-30  Saam Barati  <sbarati@apple.com>

        WebAssembly: pass Wasm::Context* to vmEntryToWasm when not using fast TLS
        https://bugs.webkit.org/show_bug.cgi?id=170182

        Reviewed by Mark Lam.

        This is one more step in the direction of PIC-ified Wasm.
        I'm removing assumptions that a wasm callee is a cell. We used to use
        the callee to get the WasmContext off the callee's VM. Instead,
        this patch makes it so that we pass in the context as a parameter
        to the JS entrypoint.

        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::offsetOfVM): Deleted.
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::loadWasmContext):
        (JSC::AssemblyHelpers::storeWasmContext):
        (JSC::AssemblyHelpers::loadWasmContextNeedsMacroScratchRegister):
        (JSC::AssemblyHelpers::storeWasmContextNeedsMacroScratchRegister):
        * jsc.cpp:
        (functionTestWasmModuleFunctions):
        * runtime/VM.h:
        (JSC::VM::wasmContextOffset): Deleted.
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::materializeWasmContext):
        (JSC::Wasm::B3IRGenerator::restoreWasmContext):
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::createJSToWasmWrapper):
        * wasm/WasmContext.cpp:
        (JSC::Wasm::loadContext):
        (JSC::Wasm::storeContext):
        (JSC::loadWasmContext): Deleted.
        (JSC::storeWasmContext): Deleted.
        * wasm/WasmContext.h:
        (JSC::Wasm::useFastTLS):
        (JSC::Wasm::useFastTLSForContext):
        * wasm/WasmMemoryInformation.cpp:
        (JSC::Wasm::PinnedRegisterInfo::get):
        * wasm/WasmMemoryInformation.h:
        (JSC::Wasm::useFastTLS): Deleted.
        (JSC::Wasm::useFastTLSForWasmContext): Deleted.
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):

2017-03-30  JF Bastien  <jfbastien@apple.com>

        WebAssembly: fix misc JS API implementation inconsistencies
        https://bugs.webkit.org/show_bug.cgi?id=170187

        Reviewed by Keith Miller.

        Auto-generate lookup tables.
        Methods should be on prototype.
        Exception returns should be idiomatic.

        * wasm/JSWebAssembly.cpp: validate / compile / instantiate should
        be on the prototype
        (JSC::JSWebAssembly::create):
        (JSC::JSWebAssembly::finishCreation):
        (JSC::reject): Deleted.
        (JSC::webAssemblyCompileFunc): Deleted.
        (JSC::resolve): Deleted.
        (JSC::instantiate): Deleted.
        (JSC::compileAndInstantiate): Deleted.
        (JSC::webAssemblyInstantiateFunc): Deleted.
        (JSC::webAssemblyValidateFunc): Deleted.
        * wasm/JSWebAssembly.h:
        * wasm/js/WebAssemblyMemoryPrototype.cpp: move from JSWebAssembly.cpp
        (JSC::webAssemblyMemoryProtoFuncBuffer):
        (JSC::WebAssemblyMemoryPrototype::create):
        (JSC::WebAssemblyMemoryPrototype::finishCreation):
        * wasm/js/WebAssemblyMemoryPrototype.h:
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::reject):
        (JSC::webAssemblyCompileFunc):
        (JSC::resolve):
        (JSC::instantiate):
        (JSC::compileAndInstantiate):
        (JSC::webAssemblyInstantiateFunc):
        (JSC::webAssemblyValidateFunc):
        (JSC::webAssemblyFunctionValidate): Deleted.
        (JSC::webAssemblyFunctionCompile): Deleted.
        * wasm/js/WebAssemblyTablePrototype.cpp:
        (JSC::webAssemblyTableProtoFuncGrow):
        (JSC::webAssemblyTableProtoFuncGet):
        (JSC::webAssemblyTableProtoFuncSet):
        (JSC::WebAssemblyTablePrototype::create):
        (JSC::WebAssemblyTablePrototype::finishCreation):
        * wasm/js/WebAssemblyTablePrototype.h:

2017-03-29  Keith Miller  <keith_miller@apple.com>

        Unreviewed, fix the build, again. Hopefully for the last time, again!

        * runtime/Options.cpp:

2017-03-29  Keith Miller  <keith_miller@apple.com>

        Unreviewed, fix the build, again. Hopefully for the last time!

        * runtime/Options.cpp:
        (JSC::parse):

2017-03-29  Keith Miller  <keith_miller@apple.com>

        Unreviewed, windows build fix.

        * runtime/Options.cpp:
        (JSC::parse):

2017-03-29  Keith Miller  <keith_miller@apple.com>

        WebAssembly: B3IRGenerator should pool constants
        https://bugs.webkit.org/show_bug.cgi?id=170266

        Reviewed by Filip Pizlo.

        This patch adds a HashMap to B3IRGenerator that contains all the constants used in a function.
        B3IRGenerator then uses an InsertionSet to add all those constants to the root BB. This doesn't
        appear to be a compile time improvement but it could be valuable in the future.

        * b3/B3Opcode.h:
        (JSC::B3::opcodeForConstant):
        * b3/B3Procedure.cpp:
        (JSC::B3::Procedure::addConstant):
        * b3/B3Procedure.h: