9dbda172f994a00be7e080bfaf04ef85e76da82b
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2017-02-19  Commit Queue  <commit-queue@webkit.org>
2
3         Unreviewed, rolling out r212466.
4         https://bugs.webkit.org/show_bug.cgi?id=168577
5
6         causes crashes on AArch64 on linux, maybe it's causing crashes
7         on iOS too (Requested by pizlo on #webkit).
8
9         Reverted changeset:
10
11         "The collector thread should only start when the mutator
12         doesn't have heap access"
13         https://bugs.webkit.org/show_bug.cgi?id=167737
14         http://trac.webkit.org/changeset/212466
15
16 2017-02-17  Michael Saboff  <msaboff@apple.com>
17
18         Improve ARM64 disassembler handling of pseudo ops, unsupported opcodes and zero reg
19         https://bugs.webkit.org/show_bug.cgi?id=168527
20
21         Reviewed by Filip Pizlo.
22
23         Added support for data processing 1 source instructions like rbit, rev, clz and cls.
24         Added support for the FP conditional select instruction, fcsel.  Consolidated the
25         two classes for handling dmb instructions into one class.  Fixed the instruction
26         selection mask in the integer conditional select class, A64DOpcodeConditionalSelect.
27         Fixed the processing of extract instruction (extr) including the rotate right (ror)
28         pseudo instruction.  Changed the printing of x31 and w31 to xzr and wzr as operands
29         according to the spec.  Added support for common pseudo instructions.  This includes:
30         - mvn x1, x2 in place of orn x1, xzr, x2
31         - lsl x3, x4, #count in place of ubfiz x3, x4, #count, #count
32         - smull x5, w6, w7 in place of smaddl x5, w6, w7, xzr
33         - More understandable mov x8, #-304 in place of movn x8, #0x12f
34         - Eliminated xzr from register index loads and stores, outputting
35           ldr x10, [x11] instead of ldr x10, [x11, xzr]
36
37         Changed the move wide instructions to use hex literals for movz and movk.
38         This makes it much easier to decipher sequences of wide moves for large literals.
39                 Before                       After
40           movz   x17, #26136           movz   x17, #0x6618
41           movk   x17, #672, lsl #16    movk   x17, #0x2a0, lsl #16
42           movk   x17, #1, lsl #32      movk   x17, #0x1, lsl #32
43
44         Verified that all instructions currently generated by the JSC stress tests are
45         disassembled.
46
47         * disassembler/ARM64/A64DOpcode.cpp:
48         (JSC::ARM64Disassembler::A64DOpcodeBitfield::format):
49         (JSC::ARM64Disassembler::A64DOpcodeDataProcessing1Source::format):
50         (JSC::ARM64Disassembler::A64DOpcodeDataProcessing2Source::format):
51         (JSC::ARM64Disassembler::A64DOpcodeDataProcessing3Source::format):
52         (JSC::ARM64Disassembler::A64DOpcodeExtract::format):
53         (JSC::ARM64Disassembler::A64DOpcodeFloatingPointConditionalSelect::format):
54         (JSC::ARM64Disassembler::A64DOpcodeFloatingPointIntegerConversions::format):
55         (JSC::ARM64Disassembler::A64DOpcodeDmb::format):
56         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreImmediate::format):
57         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreRegisterOffset::format):
58         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreRegisterPair::format):
59         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreUnsignedImmediate::format):
60         (JSC::ARM64Disassembler::A64DOpcodeLogicalShiftedRegister::format):
61         (JSC::ARM64Disassembler::A64DOpcodeMoveWide::format):
62         (JSC::ARM64Disassembler::A64DOpcodeDmbIsh::format): Deleted.
63         (JSC::ARM64Disassembler::A64DOpcodeDmbIshSt::format): Deleted.
64         * disassembler/ARM64/A64DOpcode.h:
65         (JSC::ARM64Disassembler::A64DOpcode::appendSignedImmediate64):
66         (JSC::ARM64Disassembler::A64DOpcode::appendUnsignedHexImmediate):
67         (JSC::ARM64Disassembler::A64DOpcodeDataProcessing1Source::opName):
68         (JSC::ARM64Disassembler::A64DOpcodeDataProcessing1Source::sBit):
69         (JSC::ARM64Disassembler::A64DOpcodeDataProcessing1Source::opCode):
70         (JSC::ARM64Disassembler::A64DOpcodeDataProcessing1Source::opCode2):
71         (JSC::ARM64Disassembler::A64DOpcodeDataProcessing1Source::opNameIndex):
72         (JSC::ARM64Disassembler::A64DOpcodeDataProcessing3Source::opName):
73         (JSC::ARM64Disassembler::A64DOpcodeFloatingPointConditionalSelect::opName):
74         (JSC::ARM64Disassembler::A64DOpcodeFloatingPointConditionalSelect::condition):
75         (JSC::ARM64Disassembler::A64DOpcodeDmb::option):
76         (JSC::ARM64Disassembler::A64DOpcodeDmb::crM):
77         (JSC::ARM64Disassembler::A64DOpcodeLogicalShiftedRegister::isMov):
78         (JSC::ARM64Disassembler::A64DOpcodeDmbIsh::opName): Deleted.
79         (JSC::ARM64Disassembler::A64DOpcodeDmbIshSt::opName): Deleted.
80
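The hex-immediate and pseudo-op conventions in the entry above, worked through on the move-wide class as an added example. This is not JavaScriptCore's A64DOpcodeMoveWide code; the instruction words it decodes were assembled by hand from the ARM ARM bit layout (sf, opc, 100101, hw, imm16, Rd), and the only alias it implements is the "mov Xd, #-imm" form of an unshifted movn, which is an assumption narrower than the spec's full MOV alias rule. Register 31 prints as xzr/wzr, as the entry describes.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

namespace {

// Added example, not JavaScriptCore code. Move-wide immediate layout (ARM ARM):
//   sf[31] opc[30:29] 100101[28:23] hw[22:21] imm16[20:5] Rd[4:0]
// opc: 00 = MOVN, 10 = MOVZ, 11 = MOVK; 01 is unallocated.
constexpr uint32_t kMoveWideMask  = 0x1F800000u;
constexpr uint32_t kMoveWideFixed = 0x12800000u;

// Register 31 is the zero register for these operands: print xzr/wzr, not x31/w31.
std::string regName(unsigned rd, bool is64)
{
    if (rd == 31)
        return is64 ? "xzr" : "wzr";
    return std::string(is64 ? "x" : "w") + std::to_string(rd);
}

} // namespace

bool isMoveWide(uint32_t insn)
{
    return (insn & kMoveWideMask) == kMoveWideFixed;
}

// Returns the text for one move-wide instruction, or "" if insn is not one
// (or is an unallocated encoding of the class).
std::string disassembleMoveWide(uint32_t insn)
{
    if (!isMoveWide(insn))
        return "";
    const bool is64 = insn >> 31;
    const unsigned opc = (insn >> 29) & 3;
    const unsigned hw = (insn >> 21) & 3;
    const unsigned imm16 = (insn >> 5) & 0xFFFF;
    const unsigned rd = insn & 31;
    if (opc == 1 || (!is64 && hw > 1))
        return "";

    const unsigned shift = hw * 16;
    const std::string reg = regName(rd, is64);
    char buf[64];

    // Alias (simplifying assumption, narrower than the spec's MOV rule): an
    // unshifted MOVN prints as the negative value it materialises, so the
    // reader sees "mov x8, #-304" instead of "movn x8, #0x12f".
    if (opc == 0 && shift == 0) {
        const long long value = ~static_cast<long long>(imm16);
        std::snprintf(buf, sizeof buf, "mov    %s, #%lld", reg.c_str(), value);
        return buf;
    }

    const char* mnemonic = opc == 0 ? "movn" : opc == 2 ? "movz" : "movk";
    // Hex immediates: the halfwords of a large literal line up by eye.
    if (shift)
        std::snprintf(buf, sizeof buf, "%-6s %s, #0x%x, lsl #%u", mnemonic, reg.c_str(), imm16, shift);
    else
        std::snprintf(buf, sizeof buf, "%-6s %s, #0x%x", mnemonic, reg.c_str(), imm16);
    return buf;
}

// Simulates a movz/movk/movn sequence into one 64-bit register and reports
// the literal it builds. Returns false if any word is not a move-wide.
bool composeLiteral(const std::vector<uint32_t>& sequence, uint64_t& out)
{
    uint64_t value = 0;
    for (uint32_t insn : sequence) {
        if (disassembleMoveWide(insn).empty())
            return false;
        const unsigned opc = (insn >> 29) & 3;
        const unsigned shift = ((insn >> 21) & 3) * 16;
        const uint64_t imm = static_cast<uint64_t>((insn >> 5) & 0xFFFF) << shift;
        if (opc == 2)
            value = imm;                                                        // movz: clears the rest
        else if (opc == 3)
            value = (value & ~(static_cast<uint64_t>(0xFFFF) << shift)) | imm; // movk: keeps the rest
        else
            value = ~imm;                                                       // movn
    }
    out = value;
    return true;
}

int main()
{
    // Constructed input: the three-instruction literal load from the table
    // above, assembled by hand, plus the movn example.
    const std::vector<uint32_t> words = { 0xD28CC311u, 0xF2A05411u, 0xF2C00031u, 0x928025E8u };
    for (uint32_t w : words)
        std::printf("%08x  %s\n", w, disassembleMoveWide(w).c_str());
    uint64_t literal = 0;
    if (composeLiteral({ words[0], words[1], words[2] }, literal))
        std::printf("x17 = 0x%llx\n", static_cast<unsigned long long>(literal));
    return 0;
}
```

Built with `-std=c++17`, the program prints the three lines of the "After" column and then the value they load into x17, 0x102a06618, which is what the hex form lets a reader recover by eye.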
81 2017-02-17  Zan Dobersek  <zdobersek@igalia.com>
82
83         [GLib] GCActivityCallback::scheduleTimer() keeps pushing dispatch into the future
84         https://bugs.webkit.org/show_bug.cgi?id=168363
85
86         Reviewed by Carlos Garcia Campos.
87
88         Mimic the USE(CF) implementation of GCActivityCallback and HeapTimer by
89         scheduling the timer a decade into the future instead of completely
90         cancelling it. That way new dispatch times for GCActivityCallback can be
91         computed by simply deducting the difference in the new and previous
92         delay from the GSource's current dispatch time. Previously we handled an
93         extra 'paused' state (where m_delay was -1) and allowed for a delay of
94         an infinite value to be valid, complicating the next dispatch time
95         computation.
96
97         HeapTimer gains the static s_decade variable. The dispatch function in
98         heapTimerSourceFunctions only dispatches the callback, which now delays
99         the GSource by a decade. HeapTimer::scheduleTimer() simply schedules the
100         source to dispatch in the specified amount of time, and cancelTimer()
101         'cancels' the source by setting the dispatch time to a decade.
102
103         GCActivityCallback constructor initializes the delay to the s_decade
104         value and immediately sets the ready time for GSource a decade into the
105         future, avoiding the default -1 value as the ready time that would cause
106         problems in scheduleTimer(). scheduleTimer() doesn't special-case the
107         zero-delay value anymore, instead it just computes the difference
108         between the old and the new delay and rolls back the GSource's ready
109         time for that amount. cancelTimer() sets m_delay to the decade value and
110         delays the GSource for that same amount.
111
112         * heap/GCActivityCallback.cpp:
113         (JSC::GCActivityCallback::GCActivityCallback):
114         (JSC::GCActivityCallback::scheduleTimer):
115         (JSC::GCActivityCallback::cancelTimer):
116         * heap/GCActivityCallback.h:
117         * heap/HeapTimer.cpp:
118         (JSC::HeapTimer::HeapTimer):
119         (JSC::HeapTimer::scheduleTimer):
120         (JSC::HeapTimer::cancelTimer):
121         * heap/HeapTimer.h:
122
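A model of the scheduling arithmetic the entry above describes, added here as an example; it is not the JavaScriptCore or GLib code. A hand-advanced monotonic clock in microseconds stands in for the GSource ready time, kDecade is an assumption standing in for HeapTimer::s_decade, and the assumption that the dispatched callback parks the source via cancelTimer() is marked in the code. The scenario shows the consequence of rolling the ready time back relative to the previous delay: successive scheduleTimer() calls are measured from the last cancel, not from the moment of the call, and the -1 "never" default never enters the arithmetic.

```cpp
#include <cstdint>
#include <functional>

// Added example, not JavaScriptCore or GLib code. GLib ready times are
// monotonic microseconds; kDecade is an assumption for HeapTimer::s_decade.
constexpr int64_t kSecond = 1000000;
constexpr int64_t kDecade = int64_t(10) * 365 * 24 * 3600 * kSecond;

struct FakeClock { int64_t now = 0; };

struct FakeSource {
    int64_t readyTime = -1; // GLib's default "never"; the constructor must not leave this in place
    bool isDue(const FakeClock& c) const { return readyTime >= 0 && c.now >= readyTime; }
};

class HeapTimerModel {
public:
    explicit HeapTimerModel(FakeClock& clock) : m_clock(clock) { m_source.readyTime = clock.now + kDecade; }
    virtual ~HeapTimerModel() = default;
    // scheduleTimer(): dispatch in exactly `delay` from now.
    void scheduleTimer(int64_t delay) { m_source.readyTime = m_clock.now + delay; }
    // cancelTimer(): "cancel" by parking the source a decade out instead of
    // resetting it to -1, so later arithmetic on readyTime stays meaningful.
    virtual void cancelTimer() { m_source.readyTime = m_clock.now + kDecade; }
    // The GSource dispatch function: run the callback when due. Assumption:
    // the callback parks the source again by calling cancelTimer().
    bool dispatchIfDue(const std::function<void()>& callback)
    {
        if (!m_source.isDue(m_clock))
            return false;
        callback();
        cancelTimer();
        return true;
    }
    int64_t readyTime() const { return m_source.readyTime; }
protected:
    FakeClock& m_clock;
    FakeSource m_source;
};

class GCActivityCallbackModel : public HeapTimerModel {
public:
    explicit GCActivityCallbackModel(FakeClock& clock) : HeapTimerModel(clock), m_delay(kDecade) {}
    // Roll the existing ready time back by however much shorter the new delay
    // is than the previous one: no zero-delay special case, no 'paused' -1 state.
    void scheduleTimer(int64_t newDelay)
    {
        m_source.readyTime -= (m_delay - newDelay);
        m_delay = newDelay;
    }
    void cancelTimer() override { m_delay = kDecade; HeapTimerModel::cancelTimer(); }
    int64_t delay() const { return m_delay; }
private:
    int64_t m_delay;
};

struct ScenarioResult {
    int64_t readyAfterConstruct, readyAfterCancel, readyAfterFirst, readyAfterSecond, readyAfterFire;
    bool firedEarly, firedOnTime;
    int collections;
};

// One cycle: construct, cancel at 5 s, two scheduleTimer() calls, dispatch.
// Both delays end up measured from the 5 s cancel, not from the call time.
ScenarioResult runScenario()
{
    FakeClock clock;
    GCActivityCallbackModel gc(clock);
    ScenarioResult r{};
    auto collect = [&r] { ++r.collections; };

    r.readyAfterConstruct = gc.readyTime();          // 0 + decade, never -1
    clock.now = 5 * kSecond; gc.cancelTimer();
    r.readyAfterCancel = gc.readyTime();             // 5 s + decade
    clock.now = 6 * kSecond; gc.scheduleTimer(2 * kSecond);
    r.readyAfterFirst = gc.readyTime();              // 5 s + 2 s = 7 s
    clock.now = 6200000; gc.scheduleTimer(1500000);
    r.readyAfterSecond = gc.readyTime();             // 5 s + 1.5 s = 6.5 s
    r.firedEarly = gc.dispatchIfDue(collect);        // 6.2 s < 6.5 s: not yet
    clock.now = 6500000;
    r.firedOnTime = gc.dispatchIfDue(collect);       // due now
    r.readyAfterFire = gc.readyTime();               // parked again: 6.5 s + decade
    return r;
}
```

The model keeps HeapTimerModel::scheduleTimer non-virtual, as the entry describes two separate scheduleTimer() implementations; only cancelTimer() is virtual here, so that the dispatch path resets m_delay along with the ready time.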
123 2017-02-16  Yusuke Suzuki  <utatane.tea@gmail.com>
124
125         [JSC] Drop PassRefPtr from ArrayBuffer
126         https://bugs.webkit.org/show_bug.cgi?id=168455
127
128         Reviewed by Geoffrey Garen.
129
130         This patch finally drops all the PassRefPtr in JSC.
131         We changed PassRefPtr<ArrayBuffer> to RefPtr<ArrayBuffer>&&.
132         Since ArrayBuffer may be nullptr if the array is neutered,
133         we hold it as RefPtr<> instead of Ref<>.
134
135         And we also drop 2 files, TypedArrayBase.h and IntegralTypedArrayBase.h.
136         They are not used (and they are not referenced from the project file).
137
138         * inspector/JavaScriptCallFrame.h:
139         * jsc.cpp:
140         (functionDollarAgentReceiveBroadcast):
141         * runtime/ArrayBufferView.cpp:
142         (JSC::ArrayBufferView::ArrayBufferView):
143         * runtime/ArrayBufferView.h:
144         (JSC::ArrayBufferView::possiblySharedBuffer):
145         (JSC::ArrayBufferView::unsharedBuffer):
146         (JSC::ArrayBufferView::verifySubRangeLength):
147         (JSC::ArrayBufferView::clampOffsetAndNumElements):
148         * runtime/ClassInfo.h:
149         * runtime/DataView.cpp:
150         (JSC::DataView::DataView):
151         (JSC::DataView::create):
152         * runtime/DataView.h:
153         * runtime/GenericTypedArrayView.h:
154         * runtime/GenericTypedArrayViewInlines.h:
155         (JSC::GenericTypedArrayView<Adaptor>::GenericTypedArrayView):
156         (JSC::GenericTypedArrayView<Adaptor>::create):
157         (JSC::GenericTypedArrayView<Adaptor>::subarray):
158         * runtime/IntegralTypedArrayBase.h: Removed.
159         * runtime/JSArrayBuffer.cpp:
160         (JSC::JSArrayBuffer::JSArrayBuffer):
161         (JSC::JSArrayBuffer::create):
162         * runtime/JSArrayBuffer.h:
163         * runtime/JSArrayBufferPrototype.cpp:
164         (JSC::arrayBufferProtoFuncSlice):
165         * runtime/JSArrayBufferView.cpp:
166         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
167         * runtime/JSArrayBufferView.h:
168         * runtime/JSArrayBufferViewInlines.h:
169         (JSC::JSArrayBufferView::possiblySharedImpl):
170         (JSC::JSArrayBufferView::unsharedImpl):
171         * runtime/JSCell.cpp:
172         (JSC::JSCell::slowDownAndWasteMemory):
173         (JSC::JSCell::getTypedArrayImpl):
174         * runtime/JSCell.h:
175         * runtime/JSDataView.cpp:
176         (JSC::JSDataView::create):
177         (JSC::JSDataView::possiblySharedTypedImpl):
178         (JSC::JSDataView::unsharedTypedImpl):
179         (JSC::JSDataView::getTypedArrayImpl):
180         * runtime/JSDataView.h:
181         * runtime/JSGenericTypedArrayView.h:
182         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
183         (JSC::constructGenericTypedArrayViewWithArguments):
184         * runtime/JSGenericTypedArrayViewInlines.h:
185         (JSC::JSGenericTypedArrayView<Adaptor>::create):
186         (JSC::JSGenericTypedArrayView<Adaptor>::possiblySharedTypedImpl):
187         (JSC::JSGenericTypedArrayView<Adaptor>::unsharedTypedImpl):
188         (JSC::JSGenericTypedArrayView<Adaptor>::getTypedArrayImpl):
189         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
190         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
191         * runtime/JSTypedArrays.cpp:
192         (JSC::createUint8TypedArray):
193         * runtime/TypedArrayBase.h: Removed.
194
195 2017-02-16  Keith Miller  <keith_miller@apple.com>
196
197         ASSERTION FAILED: vm.heap.mutatorState() == MutatorState::Running || vm.apiLock().ownerThread() != std::this_thread::get_id()
198         https://bugs.webkit.org/show_bug.cgi?id=168354
199
200         Reviewed by Geoffrey Garen.
201
202         Instead of adding a custom vmEntryGlobalObject for the debugger
203         we can just have it use vmEntryScope instead.
204
205         * debugger/Debugger.cpp:
206         (JSC::Debugger::detach):
207         * interpreter/CallFrame.cpp:
208         (JSC::CallFrame::vmEntryGlobalObjectForDebuggerDetach): Deleted.
209         * interpreter/CallFrame.h:
210
211 2017-02-16  Filip Pizlo  <fpizlo@apple.com>
212
213         Unreviewed, fix cloop build.
214
215         * heap/Heap.cpp:
216         (JSC::Heap::stopThePeriphery):
217         * runtime/JSLock.cpp:
218
219 2017-02-10  Filip Pizlo  <fpizlo@apple.com>
220
221         The collector thread should only start when the mutator doesn't have heap access
222         https://bugs.webkit.org/show_bug.cgi?id=167737
223
224         Reviewed by Keith Miller.
225         
226         This turns the collector thread's workflow into a state machine, so that the mutator thread can
227         run it directly. This reduces the amount of synchronization we do with the collector thread, and
228         means that most apps will never start the collector thread. The collector thread will still start
229         when we need to finish collecting and we don't have heap access.
230         
231         In this new world, "stopping the world" means relinquishing control of collection to the mutator.
232         This means tracking who is conducting collection. I use the GCConductor enum to say who is
233         conducting. It's either GCConductor::Mutator or GCConductor::Collector. I use the term "conn" to
234         refer to the concept of conducting (having the conn, relinquishing the conn, taking the conn).
235         So, stopping the world means giving the mutator the conn. Releasing heap access means giving the
236         collector the conn.
237         
238         This meant bringing back the conservative scan of the calling thread. It turns out that this
239         scan was too slow to be called on each GC increment because apparently setjmp() now does system
240         calls. So, I wrote our own callee save register saving for the GC. Then I had doubts about
241         whether or not it was correct, so I also made it so that the GC only rarely asks for the register
242         state. I think we still want to use my register saving code instead of setjmp because setjmp
243         seems to save things we don't need, and that could make us overly conservative.
244         
245         It turns out that this new scheduling discipline makes the old space-time scheduler perform
246         better than the new stochastic space-time scheduler on systems with fewer than 4 cores. This is
247         because the mutator having the conn enables us to time the mutator<->collector context switches
248         by polling. The OS is never involved. So, we can use super precise timing. This allows the old
249         space-time scheduler to shine like it hadn't before.
250         
251         The splay results imply that this is all a good thing. On 2-core systems, this reduces pause
252         times by 40% and it increases throughput about 5%. On 1-core systems, this reduces pause times by
253         half and reduces throughput by 8%. On 4-or-more-core systems, this doesn't seem to have much
254         effect.
255
256         * CMakeLists.txt:
257         * JavaScriptCore.xcodeproj/project.pbxproj:
258         * dfg/DFGWorklist.cpp:
259         (JSC::DFG::Worklist::ThreadBody::ThreadBody):
260         (JSC::DFG::Worklist::dump):
261         (JSC::DFG::numberOfWorklists):
262         (JSC::DFG::ensureWorklistForIndex):
263         (JSC::DFG::existingWorklistForIndexOrNull):
264         (JSC::DFG::existingWorklistForIndex):
265         * dfg/DFGWorklist.h:
266         (JSC::DFG::numberOfWorklists): Deleted.
267         (JSC::DFG::ensureWorklistForIndex): Deleted.
268         (JSC::DFG::existingWorklistForIndexOrNull): Deleted.
269         (JSC::DFG::existingWorklistForIndex): Deleted.
270         * heap/CollectingScope.h: Added.
271         (JSC::CollectingScope::CollectingScope):
272         (JSC::CollectingScope::~CollectingScope):
273         * heap/CollectorPhase.cpp: Added.
274         (JSC::worldShouldBeSuspended):
275         (WTF::printInternal):
276         * heap/CollectorPhase.h: Added.
277         * heap/EdenGCActivityCallback.cpp:
278         (JSC::EdenGCActivityCallback::lastGCLength):
279         * heap/FullGCActivityCallback.cpp:
280         (JSC::FullGCActivityCallback::doCollection):
281         (JSC::FullGCActivityCallback::lastGCLength):
282         * heap/GCConductor.cpp: Added.
283         (JSC::gcConductorShortName):
284         (WTF::printInternal):
285         * heap/GCConductor.h: Added.
286         * heap/Heap.cpp:
287         (JSC::Heap::Thread::Thread):
288         (JSC::Heap::Heap):
289         (JSC::Heap::lastChanceToFinalize):
290         (JSC::Heap::gatherStackRoots):
291         (JSC::Heap::updateObjectCounts):
292         (JSC::Heap::shouldCollectInCollectorThread):
293         (JSC::Heap::collectInCollectorThread):
294         (JSC::Heap::checkConn):
295         (JSC::Heap::runCurrentPhase):
296         (JSC::Heap::runNotRunningPhase):
297         (JSC::Heap::runBeginPhase):
298         (JSC::Heap::runFixpointPhase):
299         (JSC::Heap::runConcurrentPhase):
300         (JSC::Heap::runReloopPhase):
301         (JSC::Heap::runEndPhase):
302         (JSC::Heap::changePhase):
303         (JSC::Heap::finishChangingPhase):
304         (JSC::Heap::stopThePeriphery):
305         (JSC::Heap::resumeThePeriphery):
306         (JSC::Heap::stopTheMutator):
307         (JSC::Heap::resumeTheMutator):
308         (JSC::Heap::stopIfNecessarySlow):
309         (JSC::Heap::collectInMutatorThread):
310         (JSC::Heap::collectInMutatorThreadImpl):
311         (JSC::Heap::waitForCollector):
312         (JSC::Heap::acquireAccessSlow):
313         (JSC::Heap::releaseAccessSlow):
314         (JSC::Heap::relinquishConn):
315         (JSC::Heap::finishRelinquishingConn):
316         (JSC::Heap::handleNeedFinalize):
317         (JSC::Heap::notifyThreadStopping):
318         (JSC::Heap::finalize):
319         (JSC::Heap::requestCollection):
320         (JSC::Heap::waitForCollection):
321         (JSC::Heap::updateAllocationLimits):
322         (JSC::Heap::didFinishCollection):
323         (JSC::Heap::collectIfNecessaryOrDefer):
324         (JSC::Heap::preventCollection):
325         (JSC::Heap::performIncrement):
326         (JSC::Heap::markToFixpoint): Deleted.
327         (JSC::Heap::shouldCollectInThread): Deleted.
328         (JSC::Heap::collectInThread): Deleted.
329         (JSC::Heap::stopTheWorld): Deleted.
330         (JSC::Heap::resumeTheWorld): Deleted.
331         * heap/Heap.h:
332         (JSC::Heap::machineThreads):
333         (JSC::Heap::lastFullGCLength):
334         (JSC::Heap::lastEdenGCLength):
335         (JSC::Heap::increaseLastFullGCLength):
336         * heap/HeapInlines.h:
337         (JSC::Heap::mutatorIsStopped): Deleted.
338         * heap/HeapStatistics.cpp: Removed.
339         * heap/HeapStatistics.h: Removed.
340         * heap/HelpingGCScope.h: Removed.
341         * heap/MachineStackMarker.cpp:
342         (JSC::MachineThreads::gatherFromCurrentThread):
343         (JSC::MachineThreads::gatherConservativeRoots):
344         * heap/MachineStackMarker.h:
345         * heap/MarkedBlock.cpp:
346         (JSC::MarkedBlock::Handle::sweep):
347         * heap/MutatorState.cpp:
348         (WTF::printInternal):
349         * heap/MutatorState.h:
350         * heap/RegisterState.h: Added.
351         * heap/SlotVisitor.cpp:
352         (JSC::SlotVisitor::drainFromShared):
353         (JSC::SlotVisitor::drainInParallelPassively):
354         (JSC::SlotVisitor::donateAll):
355         * heap/StochasticSpaceTimeMutatorScheduler.cpp:
356         (JSC::StochasticSpaceTimeMutatorScheduler::beginCollection):
357         (JSC::StochasticSpaceTimeMutatorScheduler::synchronousDrainingDidStall):
358         (JSC::StochasticSpaceTimeMutatorScheduler::timeToStop):
359         * heap/SweepingScope.h: Added.
360         (JSC::SweepingScope::SweepingScope):
361         (JSC::SweepingScope::~SweepingScope):
362         * jit/JITWorklist.cpp:
363         (JSC::JITWorklist::Thread::Thread):
364         * jsc.cpp:
365         (GlobalObject::finishCreation):
366         (functionFlashHeapAccess):
367         * runtime/InitializeThreading.cpp:
368         (JSC::initializeThreading):
369         * runtime/JSCellInlines.h:
370         (JSC::JSCell::classInfo):
371         * runtime/Options.cpp:
372         (JSC::overrideDefaults):
373         * runtime/Options.h:
374         * runtime/TestRunnerUtils.cpp:
375         (JSC::finalizeStatsAtEndOfTesting):
376
377 2017-02-16  Anders Carlsson  <andersca@apple.com>
378
379         Remove EFL from JavaScriptCore
380         https://bugs.webkit.org/show_bug.cgi?id=168459
381
382         Reviewed by Geoffrey Garen.
383
384         * heap/GCActivityCallback.cpp:
385         (JSC::GCActivityCallback::GCActivityCallback):
386         (JSC::GCActivityCallback::cancelTimer):
387         (JSC::GCActivityCallback::didAllocate):
388         * heap/GCActivityCallback.h:
389         * heap/HeapTimer.cpp:
390         (JSC::HeapTimer::add): Deleted.
391         (JSC::HeapTimer::stop): Deleted.
392         (JSC::HeapTimer::timerEvent): Deleted.
393         * heap/HeapTimer.h:
394         * inspector/EventLoop.cpp:
395         (Inspector::EventLoop::cycle):
396         * jsc.cpp:
397         (main):
398         * tools/CodeProfiling.cpp:
399         (JSC::CodeProfiling::begin):
400         (JSC::CodeProfiling::end):
401
402 2017-02-15  Brian Burg  <bburg@apple.com>
403
404         [Cocoa] Web Inspector: Inspector::fromProtocolString<T> should return std::optional<T>
405         https://bugs.webkit.org/show_bug.cgi?id=168018
406         <rdar://problem/30468779>
407
408         Reviewed by Joseph Pecoraro.
409
410         These methods parse untrusted string inputs, so they should return an optional instead
411         of asserting or crashing when the input is not usable.
412
413         Update various pieces of generated code to handle the error case gracefully.
414
415         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
416         (ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command):
417         (ObjCBackendDispatcherImplementationGenerator._generate_invocation_for_command):
418         The local variable holding the ObjC-friendly converted value should take a std::optional
419         when converting an enum from a string into an NS_ENUM value. If the enum command parameter
420         is not optional, then send a response with a command failure message and return.
421
422         The optional enum parameter case is not handled correctly, but no existing code requires it.
423
424         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
425         (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_from_protocol_string):
426         Fix signature and remove default case ASSERT_NOT_REACHED.
427
428         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_implementation.py:
429         (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_method_implementation):
430         Since this code assumes all inputs to be valid and throws an exception otherwise, we
431         try to convert the enum and throw an exception if it's nullopt. If it's valid, write to outValue.
432
433         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
434         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_payload):
435         The local variable holding the ObjC-friendly converted value should take a std::optional
436         when converting an enum from a string into an NS_ENUM value. If the enum command parameter
437         is not optional, then throw an exception if the value is nullopt. Otherwise, allow it to be empty.
438
439         * inspector/scripts/codegen/objc_generator.py:
440         (ObjCGenerator.protocol_to_objc_expression_for_member):
441         Unconditionally unwrap the optional. This expression is only used inside the typechecked
442         ObjC protocol objects. In this case we are guaranteed to have already initialized the enum with a valid
443         value, but must store it as a string inside a wrapped InspectorObject. The getter needs to
444         re-convert the stored string into an NS_ENUM value.
445
446         * inspector/scripts/codegen/objc_generator_templates.py:
447         Update type template for fromProtocolString<T>().
448
449         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
450         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
451         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
452         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
453         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
454         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
455         * inspector/scripts/tests/generic/expected/enum-values.json-result:
456         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
457         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
458         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
459         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
460         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
461         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
462         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
463         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
464         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
465         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
466         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
467         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
468         Rebaseline tests.
469
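The shape of the change in the entry above, as an added example rather than the inspector code generator's actual output: a converter from an untrusted protocol string that returns std::optional instead of asserting, a typechecked protocol object that validates once on construction so its getter can unwrap unconditionally, and a backend dispatcher that turns a bad required parameter into a command-failure response. The PausedReason enum, the PausedEvent object and the dispatchSetPauseReason command are hypothetical.

```cpp
#include <optional>
#include <string>
#include <string_view>
#include <utility>

// Added example, not WebKit generated code. The enum, the protocol object and
// the command are hypothetical; only the shape follows the entry above.
enum class PausedReason { Breakpoint, Exception, Other };

// Before: the generated converter ended in ASSERT_NOT_REACHED() for any string
// it did not recognise, a crash reachable from protocol input. After: "not a
// valid value" is an ordinary result.
std::optional<PausedReason> fromProtocolString(std::string_view s)
{
    if (s == "breakpoint")
        return PausedReason::Breakpoint;
    if (s == "exception")
        return PausedReason::Exception;
    if (s == "other")
        return PausedReason::Other;
    return std::nullopt; // exact, case-sensitive match: "Exception", "" and junk all land here
}

const char* toProtocolString(PausedReason r)
{
    switch (r) {
    case PausedReason::Breakpoint: return "breakpoint";
    case PausedReason::Exception: return "exception";
    case PausedReason::Other: return "other";
    }
    return "other";
}

// Typechecked protocol object: the value is stored as its protocol string and
// validated once on construction, which is what makes the unconditional
// unwrap in the getter safe.
class PausedEvent {
public:
    static std::optional<PausedEvent> create(std::string_view reason)
    {
        if (!fromProtocolString(reason))
            return std::nullopt;
        return PausedEvent(std::string(reason));
    }
    PausedReason reason() const { return *fromProtocolString(m_reason); } // never nullopt: checked in create()
private:
    explicit PausedEvent(std::string reason) : m_reason(std::move(reason)) {}
    std::string m_reason;
};

struct CommandResponse {
    bool success;
    std::string message;
};

// Backend dispatcher for a hypothetical command with one required enum
// parameter: a value that fails to convert becomes a failure response.
CommandResponse dispatchSetPauseReason(std::string_view reasonParam)
{
    std::optional<PausedEvent> event = PausedEvent::create(reasonParam);
    if (!event)
        return { false, "Parameter 'reason' has an invalid value: " + std::string(reasonParam) };
    return { true, std::string("paused: ") + toProtocolString(event->reason()) };
}
```

The check a practitioner wants here is that every path from raw protocol input to the enum goes through fromProtocolString() and handles nullopt; the only place a bare unwrap is acceptable is a getter on an object whose constructor already rejected invalid input, which is the arrangement the generated protocol objects rely on.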
470 2017-02-16  Keith Miller  <keith_miller@apple.com>
471
472         ASSERTION FAILED: vm.heap.mutatorState() == MutatorState::Running || vm.apiLock().ownerThread() != std::this_thread::get_id()
473         https://bugs.webkit.org/show_bug.cgi?id=168354
474
475         Reviewed by Filip Pizlo.
476
477         Add a new vmEntryGlobalObject method for the debugger so that
478         the debugger does not crash in debug builds when trying to
479         detach itself from a global object.
480
481         * debugger/Debugger.cpp:
482         (JSC::Debugger::detach):
483         * interpreter/CallFrame.cpp:
484         (JSC::CallFrame::vmEntryGlobalObjectForDebuggerDetach):
485         * interpreter/CallFrame.h:
486
487 2017-02-16  Keith Miller  <keith_miller@apple.com>
488
489         Refactor AccessCase to be more like B3Value
490         https://bugs.webkit.org/show_bug.cgi?id=168408
491
492         Reviewed by Filip Pizlo.
493
494         This patch makes AccessCase (and new subclasses) more like B3Value. In the new system each
495         type has an associated AccessCase subclass. For instance any getter should use the
496         GetterSetterAccessCase subclass. The new system is easier to follow since you no longer need
497         to know exactly which members are used by which types. The subclass to AccessType mapping is:
498
499         GetterSetterAccessCase:
500             Getter
501             CustomAccessorGetter
502             CustomValueGetter
503             Setter
504
505         ProxyableAccessCase:
506             Load
507             Miss
508             GetGetter
509
510         IntrinsicGetterAccessCase:
511             IntrinsicGetter
512
513         AccessCase:
514             Everything else
515
516         It also has the additional advantage that it uses less memory for the cases where we would have needed
517         rare data in the past but that case would only use a small bit of it.
518
519         This patch also removes megamorphic loads and renames some TryGetById related enum values from Pure to Try.
520
521         * CMakeLists.txt:
522         * JavaScriptCore.xcodeproj/project.pbxproj:
523         * bytecode/AccessCase.cpp: Added.
524         (JSC::AccessCase::AccessCase):
525         (JSC::AccessCase::create):
526         (JSC::AccessCase::~AccessCase):
527         (JSC::AccessCase::fromStructureStubInfo):
528         (JSC::AccessCase::clone):
529         (JSC::AccessCase::commit):
530         (JSC::AccessCase::guardedByStructureCheck):
531         (JSC::AccessCase::doesCalls):
532         (JSC::AccessCase::couldStillSucceed):
533         (JSC::AccessCase::canReplace):
534         (JSC::AccessCase::dump):
535         (JSC::AccessCase::visitWeak):
536         (JSC::AccessCase::propagateTransitions):
537         (JSC::AccessCase::generateWithGuard):
538         (JSC::AccessCase::generate):
539         (JSC::AccessCase::generateImpl):
540         * bytecode/AccessCase.h: Added.
541         (JSC::AccessCase::as):
542         (JSC::AccessCase::create):
543         (JSC::AccessCase::type):
544         (JSC::AccessCase::state):
545         (JSC::AccessCase::offset):
546         (JSC::AccessCase::structure):
547         (JSC::AccessCase::newStructure):
548         (JSC::AccessCase::conditionSet):
549         (JSC::AccessCase::alternateBase):
550         (JSC::AccessCase::additionalSet):
551         (JSC::AccessCase::viaProxy):
552         (JSC::AccessCase::isGetter):
553         (JSC::AccessCase::isAccessor):
554         (JSC::AccessCase::dumpImpl):
555         (JSC::AccessCase::resetState):
556         * bytecode/GetByIdStatus.cpp:
557         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
558         * bytecode/GetterSetterAccessCase.cpp: Added.
559         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
560         (JSC::GetterSetterAccessCase::create):
561         (JSC::GetterSetterAccessCase::~GetterSetterAccessCase):
562         (JSC::GetterSetterAccessCase::clone):
563         (JSC::GetterSetterAccessCase::alternateBase):
564         (JSC::GetterSetterAccessCase::dumpImpl):
565         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
566         * bytecode/GetterSetterAccessCase.h: Added.
567         (JSC::GetterSetterAccessCase::callLinkInfo):
568         (JSC::GetterSetterAccessCase::customSlotBase):
569         (JSC::GetterSetterAccessCase::domJIT):
570         * bytecode/IntrinsicGetterAccessCase.cpp: Added.
571         (JSC::IntrinsicGetterAccessCase::IntrinsicGetterAccessCase):
572         (JSC::IntrinsicGetterAccessCase::create):
573         (JSC::IntrinsicGetterAccessCase::~IntrinsicGetterAccessCase):
574         (JSC::IntrinsicGetterAccessCase::clone):
575         * bytecode/IntrinsicGetterAccessCase.h: Added.
576         (JSC::IntrinsicGetterAccessCase::intrinsicFunction):
577         (JSC::IntrinsicGetterAccessCase::intrinsic):
578         * bytecode/PolymorphicAccess.cpp:
579         (JSC::PolymorphicAccess::regenerate):
580         (WTF::printInternal):
581         (JSC::AccessCase::AccessCase): Deleted.
582         (JSC::AccessCase::tryGet): Deleted.
583         (JSC::AccessCase::get): Deleted.
584         (JSC::AccessCase::megamorphicLoad): Deleted.
585         (JSC::AccessCase::replace): Deleted.
586         (JSC::AccessCase::transition): Deleted.
587         (JSC::AccessCase::setter): Deleted.
588         (JSC::AccessCase::in): Deleted.
589         (JSC::AccessCase::getLength): Deleted.
590         (JSC::AccessCase::getIntrinsic): Deleted.
591         (JSC::AccessCase::~AccessCase): Deleted.
592         (JSC::AccessCase::fromStructureStubInfo): Deleted.
593         (JSC::AccessCase::clone): Deleted.
594         (JSC::AccessCase::commit): Deleted.
595         (JSC::AccessCase::guardedByStructureCheck): Deleted.
596         (JSC::AccessCase::alternateBase): Deleted.
597         (JSC::AccessCase::doesCalls): Deleted.
598         (JSC::AccessCase::couldStillSucceed): Deleted.
599         (JSC::AccessCase::canBeReplacedByMegamorphicLoad): Deleted.
600         (JSC::AccessCase::canReplace): Deleted.
601         (JSC::AccessCase::dump): Deleted.
602         (JSC::AccessCase::visitWeak): Deleted.
603         (JSC::AccessCase::propagateTransitions): Deleted.
604         (JSC::AccessCase::generateWithGuard): Deleted.
605         (JSC::AccessCase::generate): Deleted.
606         (JSC::AccessCase::generateImpl): Deleted.
607         (JSC::AccessCase::emitDOMJITGetter): Deleted.
608         * bytecode/PolymorphicAccess.h:
609         (JSC::AccessCase::type): Deleted.
610         (JSC::AccessCase::state): Deleted.
611         (JSC::AccessCase::offset): Deleted.
612         (JSC::AccessCase::viaProxy): Deleted.
613         (JSC::AccessCase::structure): Deleted.
614         (JSC::AccessCase::newStructure): Deleted.
615         (JSC::AccessCase::conditionSet): Deleted.
616         (JSC::AccessCase::intrinsicFunction): Deleted.
617         (JSC::AccessCase::intrinsic): Deleted.
618         (JSC::AccessCase::domJIT): Deleted.
619         (JSC::AccessCase::additionalSet): Deleted.
620         (JSC::AccessCase::customSlotBase): Deleted.
621         (JSC::AccessCase::isGetter): Deleted.
622         (JSC::AccessCase::callLinkInfo): Deleted.
623         (JSC::AccessCase::RareData::RareData): Deleted.
624         * bytecode/ProxyableAccessCase.cpp: Added.
625         (JSC::ProxyableAccessCase::ProxyableAccessCase):
626         (JSC::ProxyableAccessCase::create):
627         (JSC::ProxyableAccessCase::~ProxyableAccessCase):
628         (JSC::ProxyableAccessCase::clone):
629         (JSC::ProxyableAccessCase::dumpImpl):
630         * bytecode/ProxyableAccessCase.h: Added.
631         * bytecode/PutByIdStatus.cpp:
632         (JSC::PutByIdStatus::computeForStubInfo):
633         * bytecode/StructureStubInfo.cpp:
634         (JSC::StructureStubInfo::reset):
635         * bytecode/StructureStubInfo.h:
636         * dfg/DFGByteCodeParser.cpp:
637         (JSC::DFG::ByteCodeParser::parseBlock):
638         * dfg/DFGSpeculativeJIT.cpp:
639         (JSC::DFG::SpeculativeJIT::compileTryGetById):
640         * ftl/FTLLowerDFGToB3.cpp:
641         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
642         (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
643         * jit/IntrinsicEmitter.cpp:
644         (JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
645         (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
646         (JSC::AccessCase::canEmitIntrinsicGetter): Deleted.
647         (JSC::AccessCase::emitIntrinsicGetter): Deleted.
648         * jit/JITOperations.cpp:
649         * jit/JITPropertyAccess.cpp:
650         (JSC::JIT::emit_op_try_get_by_id):
651         * jit/JITPropertyAccess32_64.cpp:
652         (JSC::JIT::emit_op_try_get_by_id):
653         * jit/Repatch.cpp:
654         (JSC::tryCacheGetByID):
655         (JSC::tryCachePutByID):
656         (JSC::tryRepatchIn):
657         * jit/Repatch.h:
658         * runtime/Options.h:
659
660 2017-02-16  Filip Pizlo  <fpizlo@apple.com>
661
662         JSONParseTest needs to hold the lock when the VM is destroyed
663         https://bugs.webkit.org/show_bug.cgi?id=168450
664
665         Rubber stamped by Alex Christensen.
666
667         * API/tests/JSONParseTest.cpp:
668         (testJSONParse):
669
670 2017-02-16  Yusuke Suzuki  <utatane.tea@gmail.com>
671
672         [JSC] Drop PassRefPtr in inspector/
673         https://bugs.webkit.org/show_bug.cgi?id=168420
674
675         Reviewed by Alex Christensen.
676
677         Drop PassRefPtr uses.
678         And use Ref<Inspector::ScriptArguments> and Ref<ScriptCallStack> as much as possible.
679         It drops some unnecessary null checks.
680
681         * debugger/Debugger.cpp:
682         (JSC::Debugger::hasBreakpoint):
683         (JSC::Debugger::currentDebuggerCallFrame):
684         * debugger/Debugger.h:
685         * inspector/AsyncStackTrace.cpp:
686         (Inspector::AsyncStackTrace::create):
687         (Inspector::AsyncStackTrace::AsyncStackTrace):
688         (Inspector::AsyncStackTrace::buildInspectorObject):
689         (Inspector::AsyncStackTrace::truncate):
690         * inspector/AsyncStackTrace.h:
691         * inspector/ConsoleMessage.cpp:
692         (Inspector::ConsoleMessage::ConsoleMessage):
693         * inspector/ConsoleMessage.h:
694         * inspector/InjectedScriptManager.cpp:
695         (Inspector::InjectedScriptManager::InjectedScriptManager):
696         (Inspector::InjectedScriptManager::injectedScriptHost):
697         * inspector/InjectedScriptManager.h:
698         * inspector/JSGlobalObjectConsoleClient.cpp:
699         (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
700         (Inspector::JSGlobalObjectConsoleClient::count):
701         (Inspector::JSGlobalObjectConsoleClient::timeEnd):
702         (Inspector::JSGlobalObjectConsoleClient::timeStamp):
703         (Inspector::JSGlobalObjectConsoleClient::warnUnimplemented):
704         * inspector/JSGlobalObjectConsoleClient.h:
705         ConsoleClient now takes Ref<ScriptArgument>&& instead of RefPtr<ScriptArgument>&&.
706
707         * inspector/JSGlobalObjectInspectorController.cpp:
708         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
709         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
710         * inspector/JSGlobalObjectInspectorController.h:
711         * inspector/JSJavaScriptCallFrame.cpp:
712         (Inspector::JSJavaScriptCallFrame::JSJavaScriptCallFrame):
713         (Inspector::toJS):
714         * inspector/JSJavaScriptCallFrame.h:
715         (Inspector::JSJavaScriptCallFrame::create):
716         * inspector/JavaScriptCallFrame.cpp:
717         (Inspector::JavaScriptCallFrame::JavaScriptCallFrame):
718         (Inspector::JavaScriptCallFrame::caller):
719         * inspector/JavaScriptCallFrame.h:
720         (Inspector::JavaScriptCallFrame::create):
721         * inspector/ScriptDebugServer.cpp:
722         (Inspector::ScriptDebugServer::evaluateBreakpointAction):
723         (Inspector::ScriptDebugServer::dispatchDidPause):
724         (Inspector::ScriptDebugServer::exceptionOrCaughtValue):
725         * inspector/agents/InspectorConsoleAgent.cpp:
726         (Inspector::InspectorConsoleAgent::stopTiming):
727         (Inspector::InspectorConsoleAgent::count):
728         * inspector/agents/InspectorConsoleAgent.h:
729         * inspector/agents/InspectorDebuggerAgent.cpp:
730         (Inspector::InspectorDebuggerAgent::didScheduleAsyncCall):
731         * runtime/ConsoleClient.cpp:
732         (JSC::ConsoleClient::printConsoleMessageWithArguments):
733         (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
734         (JSC::ConsoleClient::logWithLevel):
735         (JSC::ConsoleClient::dir):
736         (JSC::ConsoleClient::dirXML):
737         (JSC::ConsoleClient::table):
738         (JSC::ConsoleClient::trace):
739         (JSC::ConsoleClient::assertion):
740         (JSC::ConsoleClient::group):
741         (JSC::ConsoleClient::groupCollapsed):
742         (JSC::ConsoleClient::groupEnd):
743         * runtime/ConsoleClient.h:
744         * runtime/ConsoleObject.cpp:
745         (JSC::consoleLogWithLevel):
746         (JSC::consoleProtoFuncDir):
747         (JSC::consoleProtoFuncDirXML):
748         (JSC::consoleProtoFuncTable):
749         (JSC::consoleProtoFuncTrace):
750         (JSC::consoleProtoFuncAssert):
751         (JSC::consoleProtoFuncCount):
752         (JSC::consoleProtoFuncTimeStamp):
753         (JSC::consoleProtoFuncGroup):
754         (JSC::consoleProtoFuncGroupCollapsed):
755         (JSC::consoleProtoFuncGroupEnd):
756
757 2017-02-15  Keith Miller  <keith_miller@apple.com>
758
759         Weak should not use jsCast in its accessors
760         https://bugs.webkit.org/show_bug.cgi?id=168406
761
762         Reviewed by Filip Pizlo.
763
764         This can cause assertion failures in WebCore where classes might remove themselves
765         from a data structure in a weak reference, if that reference is still alive.
766
767         * heap/WeakInlines.h:
768         (JSC::>):
769         (JSC::Weak<T>::operator):
770         (JSC::Weak<T>::get):
771
772 2017-02-16  Yusuke Suzuki  <utatane.tea@gmail.com>
773
774         Web Inspector: allow import() inside the inspector
775         https://bugs.webkit.org/show_bug.cgi?id=167457
776
777         Reviewed by Ryosuke Niwa.
778
779         We relax import module hook to accept null SourceOrigin.
780         Such a script can be evaluated from the inspector console.
781
782         * jsc.cpp:
783         (GlobalObject::moduleLoaderImportModule):
784         * runtime/JSGlobalObjectFunctions.cpp:
785         (JSC::globalFuncImportModule):
786
787 2017-02-16  Yusuke Suzuki  <utatane.tea@gmail.com>
788
789         [JSC] Update module namespace object according to the latest ECMA262
790         https://bugs.webkit.org/show_bug.cgi?id=168280
791
792         Reviewed by Saam Barati.
793
794         Reflect updates to the module namespace object.
795
796         1. @@iterator property is dropped[1].
797         2. @@toStringTag property becomes non-configurable[1].
798         3. delete with Symbol should be delegated to the JSObject's one[2].
799
800         [1]: https://tc39.github.io/ecma262/#sec-module-namespace-objects
801         [2]: https://github.com/tc39/ecma262/pull/767
802
803         * runtime/JSModuleNamespaceObject.cpp:
804         (JSC::JSModuleNamespaceObject::finishCreation):
805         (JSC::JSModuleNamespaceObject::deleteProperty):
806         (JSC::moduleNamespaceObjectSymbolIterator): Deleted.
807
808 2017-02-16  Carlos Garcia Campos  <cgarcia@igalia.com>
809
810         Unreviewed. Fix the build after r212424.
811
812         Add missing file.
813
814         * inspector/remote/RemoteInspector.cpp: Added.
815         (Inspector::RemoteInspector::startDisabled):
816         (Inspector::RemoteInspector::nextAvailableTargetIdentifier):
817         (Inspector::RemoteInspector::registerTarget):
818         (Inspector::RemoteInspector::unregisterTarget):
819         (Inspector::RemoteInspector::updateTarget):
820         (Inspector::RemoteInspector::updateClientCapabilities):
821         (Inspector::RemoteInspector::setRemoteInspectorClient):
822         (Inspector::RemoteInspector::setupFailed):
823         (Inspector::RemoteInspector::setupCompleted):
824         (Inspector::RemoteInspector::waitingForAutomaticInspection):
825         (Inspector::RemoteInspector::clientCapabilitiesDidChange):
826         (Inspector::RemoteInspector::stop):
827         (Inspector::RemoteInspector::listingForTarget):
828         (Inspector::RemoteInspector::updateHasActiveDebugSession):
829
830 2017-02-15  Yusuke Suzuki  <utatane.tea@gmail.com>
831
832         [JSC] Drop PassRefPtr in bytecompiler/
833         https://bugs.webkit.org/show_bug.cgi?id=168374
834
835         Reviewed by Sam Weinig.
836
837         This patch drops PassRefPtr in bytecompiler directory.
838         We carefully change this to Ref<>. And we use Ref<Label>
839         as much as possible instead of using RefPtr<Label>.
840         And use Label& instead of Label* as much as possible.
841
842         Currently we do not apply this change for RefPtr<RegisterID>,
843         to reduce the size of this patch.
844
845         * bytecompiler/BytecodeGenerator.cpp:
846         (JSC::BytecodeGenerator::BytecodeGenerator):
847         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
848         (JSC::BytecodeGenerator::newLabelScope):
849         (JSC::BytecodeGenerator::newLabel):
850         (JSC::BytecodeGenerator::newEmittedLabel):
851         Introduce a new helper function, which returns a new label that is emitted right here.
852
853         (JSC::BytecodeGenerator::emitLabel):
854         (JSC::BytecodeGenerator::emitJump):
855         (JSC::BytecodeGenerator::emitJumpIfTrue):
856         (JSC::BytecodeGenerator::emitJumpIfFalse):
857         (JSC::BytecodeGenerator::emitJumpIfNotFunctionCall):
858         (JSC::BytecodeGenerator::emitJumpIfNotFunctionApply):
859         Drop returning Ref<Label> since nobody uses it.
860
861         (JSC::BytecodeGenerator::emitGetByVal):
862         (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
863         (JSC::BytecodeGenerator::emitCall):
864         (JSC::BytecodeGenerator::emitReturn):
865         (JSC::BytecodeGenerator::emitConstruct):
866         (JSC::BytecodeGenerator::pushFinallyControlFlowScope):
867         (JSC::BytecodeGenerator::breakTarget):
868         (JSC::BytecodeGenerator::pushTry):
869         (JSC::BytecodeGenerator::popTry):
870         (JSC::prepareJumpTableForSwitch):
871         (JSC::prepareJumpTableForStringSwitch):
872         (JSC::BytecodeGenerator::endSwitch):
873         (JSC::BytecodeGenerator::emitEnumeration):
874         (JSC::BytecodeGenerator::emitIteratorNext):
875         (JSC::BytecodeGenerator::emitIteratorNextWithValue):
876         (JSC::BytecodeGenerator::emitIteratorClose):
877         (JSC::BytecodeGenerator::pushIndexedForInScope):
878         (JSC::BytecodeGenerator::pushStructureForInScope):
879         (JSC::BytecodeGenerator::invalidateForInContextForLocal):
880         (JSC::BytecodeGenerator::emitRequireObjectCoercible):
881         (JSC::BytecodeGenerator::emitYieldPoint):
882         (JSC::BytecodeGenerator::emitYield):
883         (JSC::BytecodeGenerator::emitDelegateYield):
884         (JSC::BytecodeGenerator::emitJumpViaFinallyIfNeeded):
885         (JSC::BytecodeGenerator::emitReturnViaFinallyIfNeeded):
886         (JSC::BytecodeGenerator::emitFinallyCompletion):
887         (JSC::BytecodeGenerator::emitJumpIf):
888         * bytecompiler/BytecodeGenerator.h:
889         FinallyJump, FinallyContext, TryData, TryContext and TryRange hold Ref<Label>
890         instead of RefPtr<Label>. They are never nullptr.
891
892         (JSC::FinallyJump::FinallyJump):
893         (JSC::FinallyContext::FinallyContext):
894         (JSC::FinallyContext::registerJump):
895         (JSC::BytecodeGenerator::emitNodeInConditionContext):
896         (JSC::BytecodeGenerator::emitNodeForLeftHandSide):
897         * bytecompiler/Label.h:
898         Make Label noncopyable.
899
900         * bytecompiler/LabelScope.h:
901         (JSC::LabelScope::LabelScope):
902         (JSC::LabelScope::breakTarget):
903         breakTarget always returns Label&. On the other hand, continueTarget may be nullptr.
904         So it returns Label*.
905
906         * bytecompiler/NodesCodegen.cpp:
907         (JSC::ExpressionNode::emitBytecodeInConditionContext):
908         (JSC::ConstantNode::emitBytecodeInConditionContext):
909         (JSC::FunctionCallValueNode::emitBytecode):
910         (JSC::CallFunctionCallDotNode::emitBytecode):
911         (JSC::ApplyFunctionCallDotNode::emitBytecode):
912         (JSC::LogicalNotNode::emitBytecodeInConditionContext):
913         (JSC::BinaryOpNode::emitBytecodeInConditionContext):
914         (JSC::InstanceOfNode::emitBytecode):
915         (JSC::LogicalOpNode::emitBytecode):
916         (JSC::LogicalOpNode::emitBytecodeInConditionContext):
917         (JSC::ConditionalNode::emitBytecode):
918         (JSC::IfElseNode::emitBytecode):
919         (JSC::DoWhileNode::emitBytecode):
920         (JSC::WhileNode::emitBytecode):
921         (JSC::ForNode::emitBytecode):
922         (JSC::ForInNode::emitBytecode):
923         (JSC::ContinueNode::trivialTarget):
924         (JSC::ContinueNode::emitBytecode):
925         (JSC::BreakNode::trivialTarget):
926         (JSC::CaseBlockNode::emitBytecodeForBlock):
927         (JSC::TryNode::emitBytecode):
928         (JSC::FunctionNode::emitBytecode):
929         (JSC::ClassExprNode::emitBytecode):
930         (JSC::assignDefaultValueIfUndefined):
931         (JSC::ArrayPatternNode::bindValue):
932         Use Ref<Label> and Label&.
933
934         * parser/Nodes.h:
935
936 2017-02-15  Alex Christensen  <achristensen@webkit.org>
937
938         Unreviewed, rolling out r212394.
939
940         Fixed iOS WebInspector
941
942         Reverted changeset:
943
944         "Unreviewed, rolling out r212169."
945         https://bugs.webkit.org/show_bug.cgi?id=166681
946         http://trac.webkit.org/changeset/212394
947
948 2017-02-15  Guillaume Emont  <guijemont@igalia.com>
949
950         MIPS: add missing implementations of load8SignedExtendTo32()
951
952         JSC: missing implementations of MacroAssemblerMIPS::load8SignedExtendTo32()
953         https://bugs.webkit.org/show_bug.cgi?id=168350
954
955         Reviewed by Yusuke Suzuki.
956
957         * assembler/MacroAssemblerMIPS.h:
958         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
959         Add missing implementations
960
961 2017-02-15  Alex Christensen  <achristensen@webkit.org>
962
963         Unreviewed, rolling out r212169.
964
965         Broke iOS WebInspector
966
967         Reverted changeset:
968
969         "WebInspector: refactor RemoteInspector to move cocoa specific
970         code to their own files"
971         https://bugs.webkit.org/show_bug.cgi?id=166681
972         http://trac.webkit.org/changeset/212169
973
974 2017-02-15  Chris Dumez  <cdumez@apple.com>
975
976         Expose Symbol.toPrimitive / valueOf on Location instances
977         https://bugs.webkit.org/show_bug.cgi?id=168295
978
979         Reviewed by Geoffrey Garen, Keith Miller and Mark Lam.
980
981         Cache origin objectProtoValueOf function on JSGlobalObject.
982
983         * runtime/JSGlobalObject.cpp:
984         (JSC::JSGlobalObject::init):
985         * runtime/JSGlobalObject.h:
986         (JSC::JSGlobalObject::objectProtoValueOfFunction):
987
988 2017-02-15  Yusuke Suzuki  <utatane.tea@gmail.com>
989
990         [JSC] Drop PassRefPtr
991         https://bugs.webkit.org/show_bug.cgi?id=168320
992
993         Reviewed by Saam Barati.
994
995         * API/JSContextRef.cpp:
996         (JSGlobalContextCreateInGroup):
997         Use Ref<VM> from the factory function.
998
999         * API/JSScriptRef.cpp:
1000         (OpaqueJSScript::create):
1001         Return Ref<> instead.
1002
1003         * API/tests/JSONParseTest.cpp:
1004         (testJSONParse):
1005         Use Ref<VM>.
1006
1007         * assembler/LinkBuffer.cpp:
1008         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
1009         Use reference since we already perform null check.
1010
1011         * assembler/MacroAssemblerCodeRef.h:
1012         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
1013         Take Ref<>&& instead of PassRefPtr<>.
1014
1015         * bytecode/CallLinkInfo.h:
1016         (JSC::CallLinkInfo::setStub):
1017         (JSC::CallLinkInfo::setSlowStub):
1018         Take Ref<>&& instead of PassRefPtr<>.
1019
1020         * bytecode/CodeBlock.cpp:
1021         (JSC::CodeBlock::CodeBlock):
1022         Take RefPtr<SourceProvider>. Currently, the SourceProvider would be nullptr.
1023         We will change it to Ref<SourceProvider> in https://bugs.webkit.org/show_bug.cgi?id=168325.
1024
1025         (JSC::CodeBlock::finishCreation):
1026         Take Ref<TypeSet>&&.
1027
1028         * bytecode/CodeBlock.h:
1029         (JSC::CodeBlock::setJITCode):
1030         Take Ref<>&& instead.
1031
1032         (JSC::CodeBlock::jitCode):
1033         Return RefPtr<> instead.
1034
1035         * bytecode/EvalCodeBlock.h:
1036         (JSC::EvalCodeBlock::create):
1037         Take RefPtr<>&& instead since SourceProvider would be nullptr.
1038
1039         (JSC::EvalCodeBlock::EvalCodeBlock):
1040         * bytecode/FunctionCodeBlock.h:
1041         (JSC::FunctionCodeBlock::create):
1042         (JSC::FunctionCodeBlock::FunctionCodeBlock):
1043         Take RefPtr<>&& instead since SourceProvider would be nullptr.
1044
1045         * bytecode/GlobalCodeBlock.h:
1046         (JSC::GlobalCodeBlock::GlobalCodeBlock):
1047         Take RefPtr<>&& instead since SourceProvider would be nullptr.
1048
1049         * bytecode/ModuleProgramCodeBlock.h:
1050         (JSC::ModuleProgramCodeBlock::create):
1051         (JSC::ModuleProgramCodeBlock::ModuleProgramCodeBlock):
1052         Take RefPtr<>&& instead since SourceProvider would be nullptr.
1053
1054         * bytecode/ProgramCodeBlock.h:
1055         (JSC::ProgramCodeBlock::create):
1056         (JSC::ProgramCodeBlock::ProgramCodeBlock):
1057         Take RefPtr<>&& instead since SourceProvider would be nullptr.
1058
1059         * debugger/DebuggerParseData.cpp:
1060         (JSC::gatherDebuggerParseDataForSource):
1061         Ensure the provider is not nullptr. It is OK because we already
1062         touch `provider->xxx` values.
1063
1064         * dfg/DFGBlockInsertionSet.cpp:
1065         (JSC::DFG::BlockInsertionSet::insert):
1066         Take Ref<>&& instead.
1067
1068         * dfg/DFGBlockInsertionSet.h:
1069         * dfg/DFGByteCodeParser.cpp:
1070         (JSC::DFG::ByteCodeParser::inlineCall):
1071         (JSC::DFG::ByteCodeParser::handleInlining):
1072         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1073         Pass Ref<>&& to appendBlock.
1074
1075         * dfg/DFGDriver.cpp:
1076         (JSC::DFG::compileImpl):
1077         (JSC::DFG::compile):
1078         Pass Ref<Plan>&&. And take Ref<>&& callback.
1079
1080         * dfg/DFGDriver.h:
1081         * dfg/DFGGraph.h:
1082         appendBlock takes Ref<>&&.
1083
1084         (JSC::DFG::Graph::appendBlock):
1085         * dfg/DFGJITCompiler.cpp:
1086         (JSC::DFG::JITCompiler::compile):
1087         (JSC::DFG::JITCompiler::compileFunction):
1088         * dfg/DFGJITCompiler.h:
1089         (JSC::DFG::JITCompiler::jitCode):
1090         * dfg/DFGJITFinalizer.cpp:
1091         (JSC::DFG::JITFinalizer::JITFinalizer):
1092         Take Ref<JITCode>&&.
1093
1094         (JSC::DFG::JITFinalizer::finalize):
1095         (JSC::DFG::JITFinalizer::finalizeFunction):
1096         (JSC::DFG::JITFinalizer::finalizeCommon):
1097         Pass compilation reference since we already perform null check.
1098
1099         * dfg/DFGJITFinalizer.h:
1100         * dfg/DFGWorklist.cpp:
1101         (JSC::DFG::Worklist::enqueue):
1102         Take Ref<Plan>&&.
1103
1104         * dfg/DFGWorklist.h:
1105         * ftl/FTLJITFinalizer.cpp:
1106         (JSC::FTL::JITFinalizer::finalizeFunction):
1107         Dereference and pass jitCode & compilation references.
1108
1109         * jit/GCAwareJITStubRoutine.cpp:
1110         (JSC::createJITStubRoutine):
1111         Return Ref<> instead.
1112
1113         * jit/GCAwareJITStubRoutine.h:
1114         (JSC::createJITStubRoutine):
1115         * jit/JIT.cpp:
1116         (JSC::JIT::link):
1117         Pass compilation reference since we already perform null check.
1118
1119         * jit/JITStubRoutine.h:
1120         (JSC::JITStubRoutine::asCodePtr):
1121         Take Ref<>&& instead. And this drops unnecessary null check.
1122
1123         * jit/JITThunks.cpp:
1124         (JSC::JITThunks::hostFunctionStub):
1125         Pass Ref<> to NativeExecutable::create.
1126
1127         * llint/LLIntEntrypoint.cpp:
1128         (JSC::LLInt::setFunctionEntrypoint):
1129         (JSC::LLInt::setEvalEntrypoint):
1130         (JSC::LLInt::setProgramEntrypoint):
1131         (JSC::LLInt::setModuleProgramEntrypoint):
1132         Use Ref<>&& instead.
1133
1134         * parser/SourceCode.h:
1135         (JSC::SourceCode::SourceCode):
1136         (JSC::SourceCode::subExpression):
1137         Add constructors taking Ref<>&&.
1138         We still have constructors that take RefPtr<>&&.
1139         We will change it to Ref<SourceProvider>&& in https://bugs.webkit.org/show_bug.cgi?id=168325.
1140
1141         * parser/UnlinkedSourceCode.h:
1142         (JSC::UnlinkedSourceCode::UnlinkedSourceCode):
1143         Add constructors taking Ref<>&&.
1144         We still have constructors that take RefPtr<>&&.
1145         We will change it to Ref<SourceProvider>&& in https://bugs.webkit.org/show_bug.cgi?id=168325.
1146
1147         * profiler/ProfilerDatabase.cpp:
1148         (JSC::Profiler::Database::addCompilation):
1149         Take Ref<Compilation>&&.
1150
1151         * profiler/ProfilerDatabase.h:
1152         Change data structures to hold Ref<> instead of RefPtr<>.
1153
1154         * runtime/EvalExecutable.h:
1155         (JSC::EvalExecutable::generatedJITCode):
1156         Return Ref<> instead.
1157
1158         * runtime/ExecutableBase.h:
1159         (JSC::ExecutableBase::generatedJITCodeForCall):
1160         (JSC::ExecutableBase::generatedJITCodeForConstruct):
1161         (JSC::ExecutableBase::generatedJITCodeFor):
1162         Return Ref<> instead.
1163
1164         * runtime/Identifier.cpp:
1165         (JSC::Identifier::add):
1166         (JSC::Identifier::add8):
1167         * runtime/Identifier.h:
1168         (JSC::Identifier::add):
1169         * runtime/JSGlobalObject.cpp:
1170         (JSC::JSGlobalObject::setInputCursor):
1171         And take Ref<> in this method.
1172
1173         * runtime/JSGlobalObject.h:
1174         (JSC::JSGlobalObject::inputCursor):
1175         Change m_inputCursor from RefPtr<> to Ref<>.
1176
1177         * runtime/JSPropertyNameEnumerator.cpp:
1178         (JSC::JSPropertyNameEnumerator::create):
1179         (JSC::JSPropertyNameEnumerator::finishCreation):
1180         Take Ref<PropertyNameArray>&&.
1181
1182         * runtime/JSPropertyNameEnumerator.h:
1183         (JSC::propertyNameEnumerator):
1184         * runtime/JSString.h:
1185         (JSC::JSString::JSString):
1186         Take Ref<StringImpl>&& since we do not allow nullptr in this constructor.
1187
1188         (JSC::JSString::create):
1189         (JSC::JSString::createHasOtherOwner):
1190         Take Ref<StringImpl>&& in these factory functions. And drop unnecessary assertions.
1191
1192         (JSC::jsSingleCharacterString):
1193         Use StringImpl::create() which returns Ref<>.
1194
1195         (JSC::jsNontrivialString):
1196         Dereference impl() since we ensure that `s.length() > 1`.
1197
1198         (JSC::jsString):
1199         Use releaseNonNull() since we ensure that `s.length() > 1`.
1200
1201         (JSC::jsOwnedString):
1202         Use releaseNonNull() since we ensure that `s.length() > 1`.
1203
1204         * runtime/ModuleProgramExecutable.h:
1205         * runtime/NativeExecutable.cpp:
1206         (JSC::NativeExecutable::create):
1207         (JSC::NativeExecutable::finishCreation):
1208         Take Ref<JITCode>&&.
1209
1210         * runtime/NativeExecutable.h:
1211         * runtime/ProgramExecutable.h:
1212         Return Ref<JITCode>.
1213
1214         * runtime/PropertyNameArray.h:
1215         (JSC::PropertyNameArray::releaseData):
1216         (JSC::PropertyNameArray::setData): Deleted.
1217         This is not used.
1218
1219         * runtime/RegExpKey.h:
1220         (JSC::RegExpKey::RegExpKey):
1221         Take RefPtr<>&&.
1222
1223         * runtime/SmallStrings.cpp:
1224         (JSC::SmallStringsStorage::rep):
1225         Return StringImpl& since m_reps is already initialized in the constructor.
1226
1227         (JSC::SmallStrings::createEmptyString):
1228         Dereference StringImpl::empty().
1229
1230         (JSC::SmallStrings::createSingleCharacterString):
1231         Use StringImpl&.
1232
1233         (JSC::SmallStrings::singleCharacterStringRep):
1234         Return StringImpl&.
1235
1236         (JSC::SmallStrings::initialize):
1237         Use AtomicStringImpl::add instead.
1238
1239         * runtime/SmallStrings.h:
1240         * runtime/Structure.cpp:
1241         (JSC::Structure::toStructureShape):
1242         Return Ref<>.
1243
1244         * runtime/Structure.h:
1245         * runtime/TypeLocationCache.cpp:
1246         (JSC::TypeLocationCache::getTypeLocation):
1247         Take RefPtr<TypeSet>&&.
1248
1249         * runtime/TypeLocationCache.h:
1250         * runtime/TypeProfilerLog.cpp:
1251         Pass Ref<>&&.
1252
1253         (JSC::TypeProfilerLog::processLogEntries):
1254         * runtime/TypeSet.cpp:
1255         (JSC::TypeSet::addTypeInformation):
1256         Take RefPtr<>&& since it can be nullptr.
1257         And clean up "not found" code.
1258
1259         (JSC::TypeSet::allStructureRepresentations):
1260         Use range based iteration.
1261
1262         (JSC::StructureShape::leastCommonAncestor):
1263         We found that this method accidentally takes `const Vector<>` instead of `const Vector<>&`.
1264         And internally, we just use raw pointers since these StructureShapes are owned by the m_proto trees which start from the given Vector<>.
1265
1266         (JSC::StructureShape::hasSamePrototypeChain):
1267         Take const reference instead. And use raw pointers internally.
1268
1269         (JSC::StructureShape::merge):
1270         Take Ref<>&&.
1271
1272         * runtime/TypeSet.h:
1273         (JSC::StructureShape::setProto):
1274         Take Ref<>&&.
1275
1276         * runtime/VM.cpp:
1277         (JSC::VM::getHostFunction):
1278         Pass Ref<>&&.
1279
1280         (JSC::VM::queueMicrotask):
1281         Take and pass Ref<>&&.
1282
1283         * runtime/VM.h:
1284         (JSC::QueuedTask::QueuedTask):
1285         Take Ref<>&&.
1286
1287         * tools/FunctionOverrides.cpp:
1288         (JSC::initializeOverrideInfo):
1289         We need this change due to Ref<>&& and RefPtr<>&& ambiguity of SourceCode constructors.
1290         Once SourceCode is fixed to only take Ref<>&&, this change is unnecessary.
1291
1292 2017-02-15  Csaba Osztrogonác  <ossy@webkit.org>
1293
1294         [Mac][cmake] Unreviewed trivial buildfix after r212169.
1295         https://bugs.webkit.org/show_bug.cgi?id=166681
1296
1297         * PlatformMac.cmake: Removed inspector/remote/RemoteInspectorXPCConnection.mm.
1298
1299 2017-02-14  Mark Lam  <mark.lam@apple.com>
1300
1301         Add JSC_sweepSynchronously and fix JSC_useZombieMode options.
1302         https://bugs.webkit.org/show_bug.cgi?id=168257
1303         <rdar://problem/30451496>
1304
1305         Reviewed by Filip Pizlo.
1306
1307         JSC_useZombieMode now basically enables JSC_sweepSynchronously and
1308         JSC_scribbleFreeCells, which together do the job of zombifying dead objects
1309         immediately after a GC.
1310
1311         * heap/Heap.cpp:
1312         (JSC::Heap::sweepSynchronously):
1313         (JSC::Heap::collectAllGarbage):
1314         (JSC::Heap::finalize):
1315         (JSC::Heap::didFinishCollection):
1316         (JSC::Zombify::visit): Deleted.
1317         (JSC::Zombify::operator()): Deleted.
1318         (JSC::Heap::zombifyDeadObjects): Deleted.
1319         * heap/Heap.h:
1320         (JSC::Heap::isZombified): Deleted.
1321         * runtime/Options.cpp:
1322         (JSC::recomputeDependentOptions):
1323         * runtime/Options.h:
1324
1325 2017-02-13  Michael Saboff  <msaboff@apple.com>
1326
1327         asyncDisassembly crashes on iOS
1328         https://bugs.webkit.org/show_bug.cgi?id=168259
1329
1330         Reviewed by Filip Pizlo.
1331
1332         Eliminated the dumping of the disassembly for the JIT write thunk.
1333         Not only does it fix the crash, but given the nature of the JIT
1334         write thunk, we probably don't want to disassemble it anyway.
1335         
1336         * jit/ExecutableAllocatorFixedVMPool.cpp:
1337         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
1338
1339 2017-02-12  Ryosuke Niwa  <rniwa@webkit.org>
1340
1341         C loop build fix attempt after r212207.
1342
1343         * runtime/Lookup.h:
1344
1345 2017-02-11  Sam Weinig  <sam@webkit.org>
1346
1347         Remove the remaining functions out of JSDOMBinding
1348         https://bugs.webkit.org/show_bug.cgi?id=168179
1349
1350         Reviewed by Darin Adler.
1351
1352         Move utility functions into more appropriate locations.
1353         - Move hasIteratorMethod to IteratorOperations.
1354         - Move nonCachingStaticFunctionGetter to Lookup.
1355
1356         * runtime/IteratorOperations.cpp:
1357         (JSC::hasIteratorMethod):
1358         * runtime/IteratorOperations.h:
1359         * runtime/Lookup.h:
1360         (JSC::nonCachingStaticFunctionGetter):
1361
1362 2017-02-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1363
1364         [JSC] Implement (Shared)ArrayBuffer.prototype.byteLength
1365         https://bugs.webkit.org/show_bug.cgi?id=166476
1366
1367         Reviewed by Saam Barati.
1368
1369         `byteLength` becomes getter and is set in ArrayBuffer.prototype
1370         and SharedArrayBuffer.prototype. This patch implements the
1371         above getter in native function. We do not have any optimization
1372         path for that for now since ArrayBuffer.prototype.byteLength is
1373         not considered a hot function: while TypedArrays have [] accesses,
1374         ArrayBuffer does not have that. Thus byteLength getter is not so
1375         meaningful for hot paths like iterations.
1376
1377         * runtime/JSArrayBuffer.cpp:
1378         (JSC::JSArrayBuffer::getOwnPropertySlot): Deleted.
1379         (JSC::JSArrayBuffer::put): Deleted.
1380         (JSC::JSArrayBuffer::defineOwnProperty): Deleted.
1381         (JSC::JSArrayBuffer::deleteProperty): Deleted.
1382         (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames): Deleted.
1383         * runtime/JSArrayBuffer.h:
1384         (JSC::JSArrayBuffer::impl): Deleted.
1385         * runtime/JSArrayBufferPrototype.cpp:
1386         (JSC::arrayBufferProtoGetterFuncByteLength):
1387         (JSC::sharedArrayBufferProtoGetterFuncByteLength):
1388         (JSC::JSArrayBufferPrototype::finishCreation):
1389
1390 2017-02-10  Saam Barati  <sbarati@apple.com>
1391
1392         Object allocation sinking phase doesn't properly handle control flow when emitting a PutHint of a materialized object into a PromotedHeapLocation of a still sunken object
1393         https://bugs.webkit.org/show_bug.cgi?id=168140
1394         <rdar://problem/30205880>
1395
1396         Reviewed by Filip Pizlo.
1397
1398         This patch fixes a bug in allocation sinking phase where
1399         we don't properly handle control flow when materializing
1400         an object and also PutHinting that materialization into
1401         a still sunken object. We were performing the PutHint
1402         for the materialization at the point of materialization,
1403         however, we may have materialized along both edges
1404         of a control flow diamond, in which case, we need to
1405         also PutHint at the join point. Consider this program:
1406         
1407         ```
1408         bb#0:
1409         b: PhantomActivation()
1410         a: PhantomNewFunction()
1411         c: PutHint(@a, @b, ActivationLoc)
1412         Branch(#1, #2)
1413         
1414         bb#1:
1415         d: MaterializeActivation()
1416         e: PutHint(@a, @d, ActivationLoc)
1417         f: Upsilon(@d, ^p)
1418         Jump(#3)
1419         
1420         bb#2:
1421         g: MaterializeActivation()
1422         h: PutHint(@a, @g, ActivationLoc)
1423         i: Upsilon(@d, ^p)
1424         Jump(#3)
1425         
1426         bb#3:
1427         p: Phi()
1428         // What is PromotedHeapLocation(@a, ActivationLoc) here?
1429         // What would we do if we exited?
1430         ```
1431         Before this patch, we didn't perform a PutHint of the Phi.
1432         However, we need to, otherwise when we exit, we won't know
1433         the value of PromotedHeapLocation(@a, ActivationLoc)
1434         
1435         The program we need then, for correctness, is this:
1436         ```
1437         bb#0:
1438         b: PhantomActivation()
1439         a: PhantomNewFunction()
1440         c: PutHint(@a, @b, ActivationLoc)
1441         Branch(#1, #2)
1442         
1443         bb#1:
1444         d: MaterializeActivation()
1445         e: PutHint(@a, @d, ActivationLoc)
1446         f: Upsilon(@d, ^p)
1447         Jump(#3)
1448         
1449         bb#2:
1450         g: MaterializeActivation()
1451         h: PutHint(@a, @g, ActivationLoc)
1452         i: Upsilon(@d, ^p)
1453         Jump(#3)
1454         
1455         bb#3:
1456         p: Phi()
1457         j: PutHint(@a, @p, ActivationLoc)
1458         ```
1459         
1460         This patch makes it so that we emit the necessary PutHint at node `j`.
1461         I've also added more validation to the OSRAvailabilityAnalysisPhase
1462         to catch this problem during validation.
1463
1464         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
1465         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
1466         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1467         * ftl/FTLOperations.cpp:
1468         (JSC::FTL::operationMaterializeObjectInOSR):
1469
1470 2017-02-10  Carlos Garcia Campos  <cgarcia@igalia.com>
1471
1472         WebInspector: refactor RemoteInspector to move cocoa specific code to their own files
1473         https://bugs.webkit.org/show_bug.cgi?id=166681
1474
1475         Reviewed by Michael Catanzaro.
1476
1477         Move RemoteConnectionToTarget.mm and RemoteInspector.mm to a cocoa directory renamed with a Cocoa prefix,
1478         because those are now the cocoa implementation of RemoteConnectionToTarget and RemoteInspector. The
1479         cross-platform parts of RemoteInspector have been moved to a new RemoteInspector.cpp file. Also moved to cocoa
1480         directory RemoteInspectorXPCConnection.h and RemoteInspectorXPCConnection.mm keeping the same name. Other than
1481         that there aren't important code changes, only some cocoa specific types like NSString used in common headers,
1482         and some other platform ifdefs needed. This is in preparation for adding a remote inspector implementation for
1483         the GTK+ port.
1484
1485         * API/JSRemoteInspector.cpp:
1486         (JSRemoteInspectorSetParentProcessInformation): Add PLATFORM(COCOA) to the ifdef.
1487         * JavaScriptCore.xcodeproj/project.pbxproj:
1488         * PlatformMac.cmake:
1489         * inspector/remote/RemoteConnectionToTarget.h: Add platform ifdefs for cocoa specific parts and change
1490         sendMessageToTarget to receive a WTF String instead of an NSString.
1491         * inspector/remote/RemoteControllableTarget.h: Add platform ifdefs for CF specific parts.
1492         * inspector/remote/RemoteInspectionTarget.h:
1493         * inspector/remote/RemoteInspector.cpp: Added.
1494         (Inspector::RemoteInspector::startDisabled):
1495         (Inspector::RemoteInspector::nextAvailableTargetIdentifier):
1496         (Inspector::RemoteInspector::registerTarget):
1497         (Inspector::RemoteInspector::unregisterTarget):
1498         (Inspector::RemoteInspector::updateTarget):
1499         (Inspector::RemoteInspector::updateClientCapabilities):
1500         (Inspector::RemoteInspector::setRemoteInspectorClient):
1501         (Inspector::RemoteInspector::setupFailed):
1502         (Inspector::RemoteInspector::setupCompleted):
1503         (Inspector::RemoteInspector::waitingForAutomaticInspection):
1504         (Inspector::RemoteInspector::clientCapabilitiesDidChange):
1505         (Inspector::RemoteInspector::stop):
1506         (Inspector::RemoteInspector::listingForTarget):
1507         (Inspector::RemoteInspector::updateHasActiveDebugSession):
1508         * inspector/remote/RemoteInspector.h: Add platform ifdefs for cocoa specific parts. Also add TargetListing
1509         typedef to define platform specific types for the listings without more ifdefs.
1510         * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm: Renamed from Source/JavaScriptCore/inspector/remote/RemoteConnectionToTarget.mm.
1511         (Inspector::RemoteTargetInitializeGlobalQueue):
1512         (Inspector::RemoteConnectionToTarget::setup):
1513         (Inspector::RemoteConnectionToTarget::close):
1514         (Inspector::RemoteConnectionToTarget::sendMessageToTarget):
1515         (Inspector::RemoteConnectionToTarget::setupRunLoop):
1516         * inspector/remote/cocoa/RemoteInspectorCocoa.mm: Renamed from Source/JavaScriptCore/inspector/remote/RemoteInspector.mm.
1517         (Inspector::canAccessWebInspectorMachPort):
1518         (Inspector::RemoteInspector::singleton):
1519         (Inspector::RemoteInspector::updateAutomaticInspectionCandidate):
1520         (Inspector::RemoteInspector::start):
1521         (Inspector::RemoteInspector::pushListingsSoon):
1522         (Inspector::RemoteInspector::receivedIndicateMessage):
1523         (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
1524         * inspector/remote/cocoa/RemoteInspectorXPCConnection.h: Renamed from Source/JavaScriptCore/inspector/remote/RemoteInspectorXPCConnection.h.
1525         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm: Renamed from Source/JavaScriptCore/inspector/remote/RemoteInspectorXPCConnection.mm.
1526         (Inspector::RemoteInspectorXPCConnection::closeFromMessage):
1527
1528 2017-02-10  Brian Burg  <bburg@apple.com>
1529
1530         [Cocoa] Web Inspector: payload initializers for ObjC protocol types handle special-cased property names incorrectly
1531         https://bugs.webkit.org/show_bug.cgi?id=168141
1532
1533         Reviewed by Joseph Pecoraro.
1534
1535         The generated code erroneously uses the ObjC variable name as the payload key,
1536         rather than the raw type member name. For example, 'identifier' would be used instead of 'id'.
1537
1538         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1539         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_payload):
1540
1541         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1542         Rebaseline an affected test.
1543
1544 2017-02-10  Mark Lam  <mark.lam@apple.com>
1545
1546         StructureStubInfo::considerCaching() should write barrier its owner CodeBlock when buffering a new Structure.
1547         https://bugs.webkit.org/show_bug.cgi?id=168137
1548         <rdar://problem/28656664>
1549
1550         Reviewed by Filip Pizlo.
1551
1552         If we're adding a new structure to StructureStubInfo's bufferedStructures, we
1553         should write barrier the StubInfo's owner CodeBlock because that structure may be
1554         collected during the next GC.  Write barrier-ing the owner CodeBlock ensures that
1555         CodeBlock::finalizeBaselineJITInlineCaches() is called on it during the GC,
1556         which, in turn, gives the StructureStubInfo the opportunity to filter out the
1557         dead structure.
1558
1559         * bytecode/StructureStubInfo.h:
1560         (JSC::StructureStubInfo::considerCaching):
1561         * jit/JITOperations.cpp:
1562
1563 2017-02-10  Brian Burg  <bburg@apple.com>
1564
1565         [Cocoa] Web Inspector: generate an NS_ENUM containing platforms supported by the protocol code generator
1566         https://bugs.webkit.org/show_bug.cgi?id=168019
1567         <rdar://problem/28718990>
1568
1569         Reviewed by Joseph Pecoraro.
1570
1571         It's useful to have a symbolic value (not a string) for each of the supported platform values.
1572         Generate this once per protocol for the Objective-C bindings. Covered by existing tests.
1573
1574         * inspector/scripts/codegen/generate_objc_header.py:
1575         (ObjCHeaderGenerator.generate_output):
1576         (ObjCHeaderGenerator._generate_enum_for_platforms):
1577         Create an NS_ENUM for Platform values in Platforms.
1578
1579         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
1580         (ObjCProtocolTypeConversionsHeaderGenerator.generate_output):
1581         (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_conversion_for_platforms):
1582         Add type conversion/parsing methods for the newly added enum.
1583
1584         * inspector/scripts/codegen/generator.py:
1585         (Generator.stylized_name_for_enum_value):
1586         (Generator.stylized_name_for_enum_value.replaceCallback):
1587         Support arbitrary special-cased substrings in enums, not just all-caps. Add 'IOS' and 'MacOS'.
1588
1589         * inspector/scripts/codegen/models.py:
1590         (Platforms):
1591         Use lower-case string values for platform names, to avoid guesswork.
1592
1593         (Platforms.__metaclass__):
1594         (Platforms.__metaclass__.__iter__):
1595         Make it possible to iterate over Platform instances of Platforms.
1596
1597         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
1598         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1599         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1600         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
1601         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
1602         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
1603         * inspector/scripts/tests/generic/expected/enum-values.json-result:
1604         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
1605         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
1606         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
1607         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
1608         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
1609         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
1610         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
1611         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1612         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1613         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
1614         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
1615         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
1616         Rebaseline results.
1617
1618 2017-02-09  Filip Pizlo  <fpizlo@apple.com>
1619
1620         SharedArrayBuffer does not need to be in the transfer list
1621         https://bugs.webkit.org/show_bug.cgi?id=168079
1622
1623         Reviewed by Geoffrey Garen and Keith Miller.
1624         
1625         Exposes a simple shareWith() API for when you know you want to share the contents of
1626         a shared buffer. Also a useful explicit operator bool.
1627
1628         * runtime/ArrayBuffer.cpp:
1629         (JSC::ArrayBuffer::shareWith):
1630         * runtime/ArrayBuffer.h:
1631         (JSC::ArrayBufferContents::operator bool):
1632
1633 2017-02-09  Mark Lam  <mark.lam@apple.com>
1634
1635         B3::Procedure::deleteOrphans() should neutralize upsilons with dead phis.
1636         https://bugs.webkit.org/show_bug.cgi?id=167437
1637         <rdar://problem/30198083>
1638
1639         Reviewed by Filip Pizlo.
1640
1641         * b3/B3Procedure.cpp:
1642         (JSC::B3::Procedure::deleteOrphans):
1643
1644 2017-02-09  Saam Barati  <sbarati@apple.com>
1645
1646         Sloppy mode: We don't properly hoist functions named "arguments" when we have a non-simple parameter list
1647         https://bugs.webkit.org/show_bug.cgi?id=167319
1648         <rdar://problem/30149432>
1649
1650         Reviewed by Mark Lam.
1651
1652         When hoisting a function inside sloppy mode, we were assuming all "var"s are inside
1653         what we call the "var" SymbolTableEntry. This was almost true, except for "arguments",
1654         which has sufficiently weird behavior. "arguments" can be visible to the default
1655         parameter expressions inside a function, therefore can't go inside the "var"
1656         SymbolTableEntry since the parameter SymbolTableEntry comes before the "var"
1657         SymbolTableEntry in the scope chain.  Therefore, if we hoist a function named
1658         "arguments", then we must also look for that variable inside the parameter scope
1659         stack entry.
1660
1661         * bytecompiler/BytecodeGenerator.cpp:
1662         (JSC::BytecodeGenerator::hoistSloppyModeFunctionIfNecessary):
1663
1664 2017-02-09  Mark Lam  <mark.lam@apple.com>
1665
1666         Fix max length check in ArrayPrototype.js' concatSlowPath().
1667         https://bugs.webkit.org/show_bug.cgi?id=167270
1668         <rdar://problem/30128133>
1669
1670         Reviewed by Filip Pizlo.
1671
1672         1. Fixed concatSlowPath() to ensure that the result array length does not exceed
1673            @MAX_ARRAY_INDEX.  The old code was checking against @MAX_SAFE_INTEGER in some
1674            cases, but this is overly permissive.
1675
1676         2. Changed concatSlowPath() to throw a RangeError instead of a TypeError to be
1677            consistent with the C++ runtime functions in JSArray.cpp.
1678
1679         3. Changed the RangeError message in concatSlowPath() and JSArray.cpp to "Length
1680            exceeded the maximum array length" when the error is that the result length
1681            exceeds MAX_ARRAY_INDEX.  We do this for 2 reasons:
1682            a. "Length exceeded the maximum array length" is more informative than
1683               "Invalid array length".
1684            b. We want to use the same string consistently for the same error.
1685
1686            There are still 2 places in JSArray.cpp that still throw a RangeError with
1687            message "Invalid array length".  In those cases, the error is not necessarily
1688            due to the result length exceeding MAX_ARRAY_INDEX, but is due to attempting to
1689            set a length value that is not an integer that fits in MAX_ARRAY_INDEX e.g.
1690            an attempt to set a fractional length value.  Hence, "Invalid array length" is
1691            appropriate for those cases.
1692
1693         4. Fixed JSArray::appendMemcpy() to handle overflows when computing the result
1694            array length.
1695
1696         * builtins/ArrayPrototype.js:
1697         (concatSlowPath):
1698         * bytecode/BytecodeIntrinsicRegistry.cpp:
1699         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1700         * bytecode/BytecodeIntrinsicRegistry.h:
1701         * runtime/ArrayPrototype.cpp:
1702         (JSC::concatAppendOne):
1703         (JSC::arrayProtoPrivateFuncAppendMemcpy):
1704         * runtime/JSArray.cpp:
1705         (JSC::JSArray::appendMemcpy):
1706         (JSC::JSArray::push):
1707
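Added example (not JSC's own code): the two length checks this entry describes, side by side. The "before" check accepts any result length up to MAX_SAFE_INTEGER, and the appendMemcpy bug is 32-bit addition of two lengths that wraps before the bound is tested. Assumptions: MAX_ARRAY_INDEX is restated here as 2^32 - 2 rather than read from JSC headers, std::range_error stands in for a JS RangeError, and all function names (resultLengthOkOld, checkedResultLength, resultLengthOrThrow, messageForConcat) are invented for the example.

```cpp
// Added example, not JSC code: length checks for array concat/append.
#include <cstdint>
#include <stdexcept>
#include <string>

// Assumption: JSC's MAX_ARRAY_INDEX is 2^32 - 2. Restated here for the example.
constexpr uint64_t kMaxArrayIndex = 0xFFFFFFFEu;
constexpr uint64_t kMaxSafeInteger = (uint64_t(1) << 53) - 1;

// The message this entry standardises on for "result length exceeds MAX_ARRAY_INDEX".
constexpr const char* kLengthExceededMessage = "Length exceeded the maximum array length";

// Before: a result length between MAX_ARRAY_INDEX and MAX_SAFE_INTEGER passes this
// check even though no JS array can hold that many elements.
inline bool resultLengthOkOld(uint64_t resultLength) { return resultLength <= kMaxSafeInteger; }

// After: reject everything the array representation cannot hold.
inline bool resultLengthOkNew(uint64_t resultLength) { return resultLength <= kMaxArrayIndex; }

struct LengthResult {
    bool ok;          // false means "throw RangeError"
    uint32_t length;  // valid only when ok
};

// The overflow the appendMemcpy fix is about: two uint32_t lengths added in 32 bits
// wrap silently, so a bounds check on the wrapped value passes and a buffer that is
// far too small for the copy gets allocated.
inline uint32_t wrappedResultLength(uint32_t lhsLength, uint32_t rhsLength) {
    return lhsLength + rhsLength;
}

// Overflow-safe version: widen before adding (the sum fits in 33 bits, so it cannot
// wrap), then compare against the array limit rather than MAX_SAFE_INTEGER.
inline LengthResult checkedResultLength(uint32_t lhsLength, uint32_t rhsLength) {
    uint64_t total = uint64_t(lhsLength) + uint64_t(rhsLength);
    if (!resultLengthOkNew(total))
        return { false, 0 };
    return { true, static_cast<uint32_t>(total) };
}

// How a builtin surfaces the failure: a RangeError (std::range_error stands in for it)
// with the standardised message, instead of the TypeError the old concatSlowPath threw.
inline uint32_t resultLengthOrThrow(uint32_t lhsLength, uint32_t rhsLength) {
    LengthResult r = checkedResultLength(lhsLength, rhsLength);
    if (!r.ok)
        throw std::range_error(kLengthExceededMessage);
    return r.length;
}

// Convenience for callers that want the error text without a try/catch at each site;
// returns an empty string when the concat length is acceptable.
inline std::string messageForConcat(uint32_t lhsLength, uint32_t rhsLength) {
    try {
        resultLengthOrThrow(lhsLength, rhsLength);
        return "";
    } catch (const std::range_error& e) {
        return e.what();
    }
}
```

The pair wrappedResultLength / checkedResultLength is the point: with inputs 0xFFFFFFFF and 2 the first returns 1 and any later "is it small enough?" test passes, while the second reports failure before anything is allocated.
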
1708 2017-02-09  Mark Lam  <mark.lam@apple.com>
1709
1710         Constructed object's global object should be the global object of the constructor.
1711         https://bugs.webkit.org/show_bug.cgi?id=167121
1712         <rdar://problem/30054759>
1713
1714         Reviewed by Filip Pizlo and Geoffrey Garen.
1715
1716         The realm (i.e. globalObject) of any object should be the same as the constructor
1717         that instantiated the object.  Changed PrototypeMap::createEmptyStructure() to
1718         be passed the correct globalObject to use instead of assuming it's the same one
1719         as the prototype object.
1720
1721         * bytecode/CodeBlock.cpp:
1722         (JSC::CodeBlock::finishCreation):
1723         * bytecode/InternalFunctionAllocationProfile.h:
1724         (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):
1725         * bytecode/ObjectAllocationProfile.h:
1726         (JSC::ObjectAllocationProfile::initialize):
1727         * runtime/FunctionRareData.cpp:
1728         (JSC::FunctionRareData::initializeObjectAllocationProfile):
1729         * runtime/FunctionRareData.h:
1730         (JSC::FunctionRareData::createInternalFunctionAllocationStructureFromBase):
1731         * runtime/InternalFunction.cpp:
1732         (JSC::InternalFunction::createSubclassStructure):
1733         * runtime/IteratorOperations.cpp:
1734         (JSC::createIteratorResultObjectStructure):
1735         * runtime/JSBoundFunction.cpp:
1736         (JSC::getBoundFunctionStructure):
1737         * runtime/JSFunction.cpp:
1738         (JSC::JSFunction::allocateAndInitializeRareData):
1739         (JSC::JSFunction::initializeRareData):
1740         * runtime/JSGlobalObject.cpp:
1741         (JSC::JSGlobalObject::init):
1742         * runtime/JSProxy.cpp:
1743         (JSC::JSProxy::setTarget):
1744         * runtime/ObjectConstructor.h:
1745         (JSC::constructEmptyObject):
1746         * runtime/PrototypeMap.cpp:
1747         (JSC::PrototypeMap::createEmptyStructure):
1748         (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
1749         (JSC::PrototypeMap::emptyObjectStructureForPrototype):
1750         (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype):
1751         * runtime/PrototypeMap.h:
1752
1753 2017-02-09  Keith Miller  <keith_miller@apple.com>
1754
1755         We should not allow Function.caller to be used on native functions
1756         https://bugs.webkit.org/show_bug.cgi?id=165628
1757
1758         Reviewed by Mark Lam.
1759
1760         Also remove unneeded dynamic cast.
1761
1762         * runtime/JSFunction.cpp:
1763         (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
1764         (JSC::JSFunction::callerGetter):
1765
1766 2017-02-08  Keith Miller  <keith_miller@apple.com>
1767
1768         [JSC] op_in should have ArrayProfile
1769         https://bugs.webkit.org/show_bug.cgi?id=164581
1770
1771         Reviewed by Filip Pizlo.
1772
1773         This patch adds an ArrayProfile to the op_in bytecode. In the
1774         DFG, if we see that the key is an int32 we will convert the In
1775         DFG node to a HasIndexedProperty node instead.
1776
1777         This patch also flips the two arguments of op_in and the In node
1778         to reflect the other property lookup bytecodes.
1779
1780         * bytecode/BytecodeList.json:
1781         * bytecode/CodeBlock.cpp:
1782         (JSC::CodeBlock::dumpBytecode):
1783         (JSC::CodeBlock::finishCreation):
1784         * bytecompiler/BytecodeGenerator.cpp:
1785         (JSC::BytecodeGenerator::emitIn):
1786         * bytecompiler/BytecodeGenerator.h:
1787         (JSC::BytecodeGenerator::emitIn): Deleted.
1788         * bytecompiler/NodesCodegen.cpp:
1789         (JSC::InNode::emitBytecode):
1790         * dfg/DFGByteCodeParser.cpp:
1791         (JSC::DFG::ByteCodeParser::parseBlock):
1792         * dfg/DFGFixupPhase.cpp:
1793         (JSC::DFG::FixupPhase::fixupNode):
1794         (JSC::DFG::FixupPhase::convertToHasIndexedProperty):
1795         * dfg/DFGNode.h:
1796         (JSC::DFG::Node::hasArrayMode):
1797         (JSC::DFG::Node::hasInternalMethodType):
1798         (JSC::DFG::Node::internalMethodType):
1799         (JSC::DFG::Node::setInternalMethodType):
1800         * dfg/DFGSpeculativeJIT.cpp:
1801         (JSC::DFG::SpeculativeJIT::compileIn):
1802         * dfg/DFGSpeculativeJIT.h:
1803         (JSC::DFG::SpeculativeJIT::callOperation):
1804         * dfg/DFGSpeculativeJIT32_64.cpp:
1805         (JSC::DFG::SpeculativeJIT::compile):
1806         * dfg/DFGSpeculativeJIT64.cpp:
1807         (JSC::DFG::SpeculativeJIT::compile):
1808         * ftl/FTLLowerDFGToB3.cpp:
1809         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
1810         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
1811         * jit/JITOperations.cpp:
1812         * jit/JITOperations.h:
1813         * llint/LowLevelInterpreter.asm:
1814         * parser/Nodes.h:
1815         * runtime/CommonSlowPaths.cpp:
1816         (JSC::SLOW_PATH_DECL):
1817         * runtime/CommonSlowPaths.h:
1818         (JSC::CommonSlowPaths::opIn):
1819
1820 2017-02-08  Saam Barati  <sbarati@apple.com>
1821
1822         Air IRC might spill a terminal that produces a value after the terminal
1823         https://bugs.webkit.org/show_bug.cgi?id=167919
1824         <rdar://problem/29754721>
1825
1826         Reviewed by Filip Pizlo.
1827
1828         IRC may spill a value-producing terminal (a patchpoint can be a value-producing terminal).
1829         It used to do this by placing the spill *after* the terminal. This produces an invalid
1830         graph because no instructions are allowed after the terminal.
1831         
1832         I fixed this bug by having a cleanup pass over the IR after IRC is done.
1833         The pass detects this problem, and fixes it by moving the spill into the
1834         successors. However, it is careful to detect when the edge to the
1835         successor is a critical edge. If the value-producing patchpoint is
1836         the only predecessor of the successor, it just moves the spill
1837         code to the beginning of the successor. Otherwise, it's a critical
1838         edge and it breaks it by adding a block that does the spilling then
1839         jumps to the successor.
1840
1841         * b3/air/AirInsertionSet.cpp:
1842         * b3/air/AirInsertionSet.h:
1843         (JSC::B3::Air::InsertionSet::insertInsts):
1844         * b3/air/AirIteratedRegisterCoalescing.cpp:
1845         * b3/testb3.cpp:
1846         (JSC::B3::testTerminalPatchpointThatNeedsToBeSpilled):
1847         (JSC::B3::testTerminalPatchpointThatNeedsToBeSpilled2):
1848         (JSC::B3::run):
1849
1850 2017-02-07  Mark Lam  <mark.lam@apple.com>
1851
1852         SigillCrashAnalyzer::analyze() should use a do-while loop instead of a lambda.
1853         https://bugs.webkit.org/show_bug.cgi?id=167950
1854
1855         Reviewed by Michael Saboff.
1856
1857         Lambdas aren't free (apparently, the compiler isn't able to detect that the
1858         lambda does not escape and can be inlined completely).  So, use a do-while loop
1859         instead since we don't really need a lambda here.
1860
1861         * tools/SigillCrashAnalyzer.cpp:
1862
1863 2017-02-05  Mark Lam  <mark.lam@apple.com>
1864
1865         The SigillCrashAnalyzer should play nicer with client code that may install its own SIGILL handler.
1866         https://bugs.webkit.org/show_bug.cgi?id=167858
1867
1868         Reviewed by Michael Saboff.
1869
1870         Here are the scenarios that may come up:
1871
1872         1. Client code did not install a SIGILL handler.
1873            - In this case, once we're done analyzing the SIGILL, we can just restore the
1874              default handler and return to let the OS do the default action i.e. capture
1875              a core dump.
1876
1877         2. Client code installed a SIGILL handler before JSC does.
1878            - In this case, we will see a non-null handler returned as the old signal
1879              handler when we install ours.
1880            - In our signal handler, after doing our crash analysis, we should invoke the
1881              client handler to let it do its work.
1882            - Our analyzer can also tell us if the SIGILL source is from JSC code in
1883              general (right now, this would just mean JIT code).
1884            - If the SIGILL source is not from JSC, we'll just let the client handler
1885              decide how to proceed.  We assume that the client handler will do the right
1886              thing (which is how the old behavior is before the SigillCrashAnalyzer was
1887              introduced).
1888            - If the SIGILL source is from JSC, then we know the SIGILL is an unrecoverable
1889              condition.  Hence, after we have given the client handler a chance to run,
1890              we should restore the default handler and let the OS capture a core dump.
1891              This intentionally overrides whatever signal settings the client handler may
1892              have set.
1893
1894         3. Client code installed a SIGILL handler after JSC does.
1895            - In this case, we are dependent on the client handler to call our handler
1896              after it does its work.  This is compatible with the old behavior before
1897              SigillCrashAnalyzer was introduced.
1898            - In our signal handler, if we determine that the SIGILL source is from JSC
1899              code, then the SIGILL is not recoverable.  We should then restore the
1900              default handler and get a core dump.
1901            - If the SIGILL source is not from JSC, we check to see if there's a client
1902              handler installed after us.
1903            - If we detect a client handler installed after us, we defer judgement on what
1904              to do to the client handler.  Since the client handler did not uninstall
1905              itself, it must have considered itself to have recovered from the SIGILL.
1906              We'll trust the client handler and take no restore action of our own (which
1907              is compatible with old code behavior).
1908            - If we detect no client handler and we have no previous handler, then we
1909              should restore the default handler and get a core dump.
1910
1911         * tools/SigillCrashAnalyzer.cpp:
1912         (JSC::handleCrash):
1913         (JSC::installCrashHandler):
1914         (JSC::SigillCrashAnalyzer::analyze): Deleted.
1915
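Added example (not JSC's SigillCrashAnalyzer): a SIGILL handler that chains according to the three scenarios above. The decision is kept in a pure function so it can be checked without delivering a signal; the handler itself reads the faulting address from siginfo, asks sigaction() whether a handler was installed after ours, and either calls the earlier client handler, defers to the later one, or restores SIG_DFL so the OS takes the default action. Assumptions: "the SIGILL came from JSC code" is modelled as one registered address range (registerJitRegion), and every name here (decideSigillAction, classifyFaultAddress, installCrashHandler, handleSigill) is invented for the example.

```cpp
// Added example, not JSC code: SIGILL handler chaining for the scenarios in this entry.
#include <signal.h>
#include <cstdint>

enum class SigillSource { NotJSC, JSC };

enum class Action {
    RestoreDefault,               // put SIG_DFL back and return; the OS then captures a core dump
    CallClientThenRestoreDefault, // earlier client handler runs, then the default action is forced
    CallClientAndTrust,           // earlier client handler decides; we take no action of our own
    DeferToLaterHandler           // a handler installed after ours considers the SIGILL recovered
};

struct HandlerState {
    bool previousHandlerPresent;  // scenario 2: a client handler existed when ours was installed
    bool handlerInstalledAfterUs; // scenario 3: the currently registered handler is not ours
};

// Pure decision logic, separated from the signal context so it can be unit-tested.
inline Action decideSigillAction(SigillSource source, HandlerState state) {
    if (source == SigillSource::JSC) {
        // Unrecoverable: a JIT-originated SIGILL ends in a core dump whatever the client set.
        return state.previousHandlerPresent ? Action::CallClientThenRestoreDefault : Action::RestoreDefault;
    }
    if (state.handlerInstalledAfterUs)
        return Action::DeferToLaterHandler;
    if (state.previousHandlerPresent)
        return Action::CallClientAndTrust;
    return Action::RestoreDefault;
}

// Constructed stand-in for "is this address JSC code": a single registered range.
static uintptr_t g_jitStart = 0;
static uintptr_t g_jitEnd = 0;
inline void registerJitRegion(uintptr_t start, uintptr_t end) { g_jitStart = start; g_jitEnd = end; }
inline SigillSource classifyFaultAddress(uintptr_t faultingPC) {
    return (faultingPC >= g_jitStart && faultingPC < g_jitEnd) ? SigillSource::JSC : SigillSource::NotJSC;
}

static struct sigaction g_previousAction;      // what sigaction() handed back when we installed ours
static bool g_previousHandlerPresent = false;
static void handleSigill(int sig, siginfo_t* info, void* ctx);

inline bool actionHasHandler(const struct sigaction& a) {
    if (a.sa_flags & SA_SIGINFO)
        return a.sa_sigaction != nullptr;
    return a.sa_handler != SIG_DFL && a.sa_handler != SIG_IGN;
}
inline bool isOurHandler(const struct sigaction& a) {
    return (a.sa_flags & SA_SIGINFO) && a.sa_sigaction == handleSigill;
}
inline void invokeHandler(const struct sigaction& a, int sig, siginfo_t* info, void* ctx) {
    if (a.sa_flags & SA_SIGINFO)
        a.sa_sigaction(sig, info, ctx);
    else if (a.sa_handler != SIG_DFL && a.sa_handler != SIG_IGN)
        a.sa_handler(sig);
}
inline void restoreDefaultSigill() {
    struct sigaction dfl = {};
    dfl.sa_handler = SIG_DFL;
    sigemptyset(&dfl.sa_mask);
    sigaction(SIGILL, &dfl, nullptr);   // async-signal-safe
}

// Install ours and remember whether a client handler was already there (scenario 2).
inline bool installCrashHandler() {
    struct sigaction ours = {};
    ours.sa_sigaction = handleSigill;
    ours.sa_flags = SA_SIGINFO;
    sigemptyset(&ours.sa_mask);
    if (sigaction(SIGILL, &ours, &g_previousAction) != 0)
        return false;
    g_previousHandlerPresent = actionHasHandler(g_previousAction);
    return true;
}

static void handleSigill(int sig, siginfo_t* info, void* ctx) {
    // For SIGILL, si_addr is the faulting instruction (POSIX), which is all we need to classify.
    SigillSource source = classifyFaultAddress(reinterpret_cast<uintptr_t>(info->si_addr));
    struct sigaction current;
    sigaction(SIGILL, nullptr, &current);  // query only: did someone install after us (scenario 3)?
    HandlerState state{ g_previousHandlerPresent, actionHasHandler(current) && !isOurHandler(current) };
    switch (decideSigillAction(source, state)) {
    case Action::CallClientThenRestoreDefault:
        invokeHandler(g_previousAction, sig, info, ctx);
        restoreDefaultSigill();   // intentionally overrides whatever the client handler set
        break;
    case Action::CallClientAndTrust:
        invokeHandler(g_previousAction, sig, info, ctx);
        break;
    case Action::DeferToLaterHandler:
        break;
    case Action::RestoreDefault:
        restoreDefaultSigill();   // returning re-executes the instruction under SIG_DFL: core dump
        break;
    }
}
```

Everything called inside handleSigill (sigaction, the chained handler) is async-signal-safe or the client's own responsibility; the crash-analysis step the real analyzer performs before this decision is outside the example.
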
1916 2017-02-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1917
1918         Unreviewed, manual roll out of r211777
1919         https://bugs.webkit.org/show_bug.cgi?id=167457
1920
1921         * jsc.cpp:
1922         (GlobalObject::moduleLoaderImportModule):
1923         * runtime/JSGlobalObjectFunctions.cpp:
1924         (JSC::globalFuncImportModule):
1925
1926 2017-02-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1927
1928         Web Inspector: allow import() inside the inspector
1929         https://bugs.webkit.org/show_bug.cgi?id=167457
1930
1931         Reviewed by Ryosuke Niwa.
1932
1933         We relax import module hook to accept null SourceOrigin.
1934         Such a script can be evaluated from the inspector console.
1935
1936         * jsc.cpp:
1937         (GlobalObject::moduleLoaderImportModule):
1938         * runtime/JSGlobalObjectFunctions.cpp:
1939         (JSC::globalFuncImportModule):
1940
1941 2017-02-06  Joseph Pecoraro  <pecoraro@apple.com>
1942
1943         Web Inspector: Do not use RunLoop when dispatching inspector GC event
1944         https://bugs.webkit.org/show_bug.cgi?id=167683
1945         <rdar://problem/30167791>
1946
1947         Reviewed by Brian Burg.
1948
1949         Move the RunLoop deferred implementation to WebCore. It is not needed
1950         for JSContext inspection, and in JSContext inspection we are not
1951         guaranteed a RunLoop to defer to.
1952
1953         * inspector/agents/InspectorHeapAgent.h:
1954         * inspector/agents/InspectorHeapAgent.cpp:
1955         (Inspector::InspectorHeapAgent::InspectorHeapAgent):
1956         (Inspector::InspectorHeapAgent::~InspectorHeapAgent):
1957         (Inspector::InspectorHeapAgent::disable):
1958         (Inspector::InspectorHeapAgent::didGarbageCollect):
1959         (Inspector::SendGarbageCollectionEventsTask::SendGarbageCollectionEventsTask): Deleted.
1960         (Inspector::SendGarbageCollectionEventsTask::addGarbageCollection): Deleted.
1961         (Inspector::SendGarbageCollectionEventsTask::reset): Deleted.
1962         (Inspector::SendGarbageCollectionEventsTask::timerFired): Deleted.
1963
1964         (Inspector::InspectorHeapAgent::dispatchGarbageCollectedEvent):
1965         Make a virtual method so that WebCore implementations of this agent can choose
1966         to dispatch this event asynchronously.
1967
1968         * inspector/agents/InspectorScriptProfilerAgent.cpp:
1969         Remove unnecessary RunLoop include.
1970
1971 2017-02-06  Joseph Pecoraro  <pecoraro@apple.com>
1972
1973         Static Analyzer: JSContext.mm: Incorrect decrement of the reference count of an object
1974         https://bugs.webkit.org/show_bug.cgi?id=167848
1975
1976         Reviewed by Saam Barati.
1977
1978         Source/JavaScriptCore/API/JSContext.mm:87:5: warning: Incorrect decrement of the reference count of an object that is not owned at this point by the caller
1979             [self.exceptionHandler release];
1980             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1981         1 warning generated.
1982
1983         * API/JSContext.mm:
1984         (-[JSContext dealloc]):
1985         Use the ivar in dealloc instead of going through the getter.
1986
1987 2017-02-05  Mark Lam  <mark.lam@apple.com>
1988
1989         The VMInspector should use an RAII Locker.
1990         https://bugs.webkit.org/show_bug.cgi?id=167854
1991
1992         Reviewed by Saam Barati.
1993
1994         Previously, VMInspector::lock() was returning an expected LockToken, and there's
1995         no way to unlock it when we're done with it.  This was not a problem before
1996         because the VMInspector had only one client, the SigillCrashAnalyzer, that
1997         expected the process to crash due to a SIGILL shortly thereafter.
1998
1999         However, the VMInspector is useful as a debugging tool that we can apply in other
2000         debugging tasks.  Fixing VMInspector::lock() to return an RAII locker will enable
2001         other use cases.  Plus it's just bad form to be able to lock something and never
2002         be able to unlock it.
2003
2004         * tools/SigillCrashAnalyzer.cpp:
2005         (JSC::SigillCrashAnalyzer::analyze):
2006         * tools/VMInspector.cpp:
2007         * tools/VMInspector.h:
2008
2009 2017-02-04  Joseph Pecoraro  <pecoraro@apple.com>
2010
2011         Static Analyzer: Value stored to 'recordedMachineThreads' during its initialization is never read
2012         https://bugs.webkit.org/show_bug.cgi?id=167845
2013
2014         Reviewed by Saam Barati.
2015
2016         Source/JavaScriptCore/heap/MachineStackMarker.cpp:151:14: warning: Value stored to 'recordedMachineThreads' during its initialization is never read
2017                 auto recordedMachineThreads = m_set.take(machineThreads);
2018                      ^~~~~~~~~~~~~~~~~~~~~~   ~~~~~~~~~~~~~~~~~~~~~~~~~~
2019
2020         * heap/MachineStackMarker.cpp:
2021         (JSC::ActiveMachineThreadsManager::remove):
2022
2023 2017-02-04  Joseph Pecoraro  <pecoraro@apple.com>
2024
2025         Static Analyzer: Value stored to 'prev' is never read
2026         https://bugs.webkit.org/show_bug.cgi?id=167844
2027
2028         Reviewed by Saam Barati.
2029
2030         Source/JavaScriptCore/runtime/JSMapIterator.h:60:13: warning: Value stored to 'prev' is never read
2031                     prev = bucket;
2032                     ^      ~~~~~~
2033         Source/JavaScriptCore/runtime/JSSetIterator.h:60:13: warning: Value stored to 'prev' is never read
2034                     prev = bucket;
2035                     ^      ~~~~~~
2036
2037         * runtime/JSMapIterator.h:
2038         (JSC::JSMapIterator::advanceIter):
2039         * runtime/JSSetIterator.h:
2040         (JSC::JSSetIterator::advanceIter):
2041
2042 2017-02-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2043
2044         [JSC] Add operationToInt32SensibleSlow to optimize kraken pbkdf2 and sha256
2045         https://bugs.webkit.org/show_bug.cgi?id=167736
2046
2047         Reviewed by Saam Barati.
2048
2049         Add a new function operationToInt32SensibleSlow. This function is only
2050         called after x86 cvttss2si_rr has failed. This means that the
2051         given double number is never in the range of int32-truncatable numbers.
2052
2053         As a result, exp in operationToInt32 always becomes >= 31. So
2054         we can change the condition from `exp < 32` to `exp == 31`.
2055         This makes missingOne constant, and it leads to significantly better
2056         code generation.
2057
2058         The original operationToInt32 code.
2059
2060             170:   66 48 0f 7e c1          movq   %xmm0,%rcx
2061             175:   31 c0                   xor    %eax,%eax
2062             177:   66 48 0f 7e c6          movq   %xmm0,%rsi
2063             17c:   48 c1 f9 34             sar    $0x34,%rcx
2064             180:   81 e1 ff 07 00 00       and    $0x7ff,%ecx
2065             186:   8d 91 01 fc ff ff       lea    -0x3ff(%rcx),%edx
2066             18c:   83 fa 53                cmp    $0x53,%edx
2067             18f:   77 37                   ja     1c8 <_ZN3JSC16operationToInt32Ed+0x58>
2068             191:   83 fa 34                cmp    $0x34,%edx
2069             194:   7f 3a                   jg     1d0 <_ZN3JSC16operationToInt32Ed+0x60>
2070             196:   b9 34 00 00 00          mov    $0x34,%ecx
2071             19b:   66 48 0f 7e c7          movq   %xmm0,%rdi
2072             1a0:   29 d1                   sub    %edx,%ecx
2073             1a2:   48 d3 ff                sar    %cl,%rdi
2074             1a5:   83 fa 1f                cmp    $0x1f,%edx
2075             1a8:   89 f8                   mov    %edi,%eax
2076             1aa:   7f 12                   jg     1be <_ZN3JSC16operationToInt32Ed+0x4e>
2077             1ac:   89 d1                   mov    %edx,%ecx
2078             1ae:   b8 01 00 00 00          mov    $0x1,%eax
2079             1b3:   d3 e0                   shl    %cl,%eax
2080             1b5:   89 c2                   mov    %eax,%edx
2081             1b7:   8d 40 ff                lea    -0x1(%rax),%eax
2082             1ba:   21 f8                   and    %edi,%eax
2083             1bc:   01 d0                   add    %edx,%eax
2084             1be:   89 c2                   mov    %eax,%edx
2085             1c0:   f7 da                   neg    %edx
2086             1c2:   48 85 f6                test   %rsi,%rsi
2087             1c5:   0f 48 c2                cmovs  %edx,%eax
2088             1c8:   f3 c3                   repz retq
2089             1ca:   66 0f 1f 44 00 00       nopw   0x0(%rax,%rax,1)
2090             1d0:   66 48 0f 7e c0          movq   %xmm0,%rax
2091             1d5:   81 e9 33 04 00 00       sub    $0x433,%ecx
2092             1db:   48 d3 e0                shl    %cl,%rax
2093             1de:   eb de                   jmp    1be <_ZN3JSC16operationToInt32Ed+0x4e>
2094
2095         The operationToInt32SensibleSlow code.
2096
2097             1e0:   66 48 0f 7e c1          movq   %xmm0,%rcx
2098             1e5:   66 48 0f 7e c2          movq   %xmm0,%rdx
2099             1ea:   48 c1 f9 34             sar    $0x34,%rcx
2100             1ee:   81 e1 ff 07 00 00       and    $0x7ff,%ecx
2101             1f4:   8d b1 01 fc ff ff       lea    -0x3ff(%rcx),%esi
2102             1fa:   83 fe 34                cmp    $0x34,%esi
2103             1fd:   7e 21                   jle    220 <_ZN3JSC28operationToInt32SensibleSlowEd+0x40>
2104             1ff:   66 48 0f 7e c0          movq   %xmm0,%rax
2105             204:   81 e9 33 04 00 00       sub    $0x433,%ecx
2106             20a:   48 d3 e0                shl    %cl,%rax
2107             20d:   89 c1                   mov    %eax,%ecx
2108             20f:   f7 d9                   neg    %ecx
2109             211:   48 85 d2                test   %rdx,%rdx
2110             214:   0f 48 c1                cmovs  %ecx,%eax
2111             217:   c3                      retq
2112             218:   0f 1f 84 00 00 00 00    nopl   0x0(%rax,%rax,1)
2113             21f:   00
2114             220:   66 48 0f 7e c0          movq   %xmm0,%rax
2115             225:   b9 34 00 00 00          mov    $0x34,%ecx
2116             22a:   29 f1                   sub    %esi,%ecx
2117             22c:   48 d3 f8                sar    %cl,%rax
2118             22f:   89 c1                   mov    %eax,%ecx
2119             231:   81 c9 00 00 00 80       or     $0x80000000,%ecx
2120             237:   83 fe 1f                cmp    $0x1f,%esi
2121             23a:   0f 44 c1                cmove  %ecx,%eax
2122             23d:   89 c1                   mov    %eax,%ecx
2123             23f:   f7 d9                   neg    %ecx
2124             241:   48 85 d2                test   %rdx,%rdx
2125             244:   0f 48 c1                cmovs  %ecx,%eax
2126             247:   c3                      retq
2127             248:   0f 1f 84 00 00 00 00    nopl   0x0(%rax,%rax,1)
2128             24f:   00
2129
2130         This improves kraken pbkdf2 by 10.8% and sha256 by 7.5%.
2131
2132                                                        baseline                  patched
2133
2134             stanford-crypto-pbkdf2                 153.195+-2.745      ^     138.204+-2.513         ^ definitely 1.1085x faster
2135             stanford-crypto-sha256-iterative        49.047+-1.038      ^      45.610+-1.235         ^ definitely 1.0754x faster
2136
2137             <arithmetic>                           101.121+-1.379      ^      91.907+-1.500         ^ definitely 1.1003x faster
2138
2139         * assembler/CPU.h:
2140         (JSC::hasSensibleDoubleToInt):
2141         * dfg/DFGSpeculativeJIT.cpp:
2142         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
2143         * ftl/FTLLowerDFGToB3.cpp:
2144         (JSC::FTL::DFG::LowerDFGToB3::doubleToInt32):
2145         (JSC::FTL::DFG::LowerDFGToB3::sensibleDoubleToInt32):
2146         * ftl/FTLOutput.cpp:
2147         (JSC::FTL::Output::hasSensibleDoubleToInt): Deleted.
2148         * ftl/FTLOutput.h:
2149         * runtime/MathCommon.cpp:
2150         (JSC::operationToInt32SensibleSlow):
2151         * runtime/MathCommon.h:
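
The bit-selection trick the entry above describes, as an added example that is not JavaScriptCore's code: a general ToInt32 that reads the exponent and significand straight out of the double's bit pattern, the specialised slow path in which `exp >= 31` turns `missingOne` into the constant 2^31 (and the mask-and-add into the single `or` visible in the listing), a wrapper that models when the hardware conversion succeeds, and the spec's modular definition as a reference for cross-checking. Two points are assumptions rather than anything the entry states: that `cvttsd2si` fails exactly when the truncated value does not fit in int32 (including NaN and infinities), and the `exp > 83` guard in the slow path that makes those NaN/Inf inputs return 0.

```cpp
// Added example, not JavaScriptCore code: ECMAScript ToInt32 by picking bits out
// of the IEEE-754 binary64 encoding, the "sensible slow" variant reached only
// after a hardware truncation failed, and the spec's definition as a reference.
#include <cassert>
#include <cmath>
#include <cstdint>
#include <cstring>

namespace {

// Unbiased exponent of `number`; the raw bit pattern is returned through `bits`.
int32_t unbiasedExponent(double number, uint64_t& bits)
{
    static_assert(sizeof(double) == sizeof(uint64_t), "binary64 expected");
    std::memcpy(&bits, &number, sizeof bits);
    return static_cast<int32_t>((bits >> 52) & 0x7ff) - 0x3ff;
}

// The 32 bits just above the binary point: shift the significand left when the
// exponent exceeds 52 (the stored fraction width), right otherwise.
uint32_t selectLow32(uint64_t bits, int32_t exp)
{
    uint64_t aligned = exp > 52 ? bits << (exp - 52) : bits >> (52 - exp);
    return static_cast<uint32_t>(aligned);
}

// Unsigned negation, so a magnitude of 0x80000000 cannot overflow.
int32_t applySign(uint64_t bits, uint32_t magnitude)
{
    return static_cast<int32_t>((bits >> 63) ? 0u - magnitude : magnitude);
}

} // namespace

// General case: any double, including those the hardware could have converted.
int32_t toInt32General(double number)
{
    uint64_t bits;
    int32_t exp = unbiasedExponent(number, bits);
    // exp < 0: |number| < 1, no integer bits. exp > 83: all 53 significand bits
    // sit above bit 31, so the low 32 bits are zero. NaN, +/-Inf (exp == 1024),
    // zeros and denormals land here too.
    if (exp < 0 || exp > 83)
        return 0;
    uint32_t result = selectLow32(bits, exp);
    // The significand's leading 1 is implicit. For exp < 32 it falls inside the
    // window: mask off the sign/exponent bits shifted in above it, then add it.
    if (exp < 32) {
        uint32_t missingOne = 1u << exp;
        result &= missingOne - 1;
        result += missingOne;
    }
    return applySign(bits, result);
}

// The specialised slow path from the entry above. The hardware truncation fails
// only when |trunc(number)| does not fit in int32 (so exp >= 31) or number is
// NaN/Inf, so "exp < 32" collapses to "exp == 31" and missingOne is the
// constant 2^31: mask-and-add becomes the single OR seen in the listing.
int32_t toInt32SensibleSlow(double number)
{
    uint64_t bits;
    int32_t exp = unbiasedExponent(number, bits);
    assert(exp >= 31 && "only valid once the fast path has failed");
    if (exp > 83) // assumption: NaN/Inf also reach here and must yield 0
        return 0;
    uint32_t result = selectLow32(bits, exp);
    if (exp == 31)
        result |= 0x80000000u; // == (result & 0x7fffffff) + 0x80000000
    return applySign(bits, result);
}

// Models the fast path (assumption): cvttsd2si succeeds exactly when the
// truncated value fits in int32; otherwise it yields the integer-indefinite
// 0x80000000 and the slow path runs.
int32_t toInt32Sensible(double number)
{
    double truncated = std::trunc(number);
    if (truncated >= -2147483648.0 && truncated <= 2147483647.0) // false for NaN
        return static_cast<int32_t>(truncated);
    return toInt32SensibleSlow(number);
}

// Reference: ToInt32 as the ECMAScript spec states it, modulo 2^32.
int32_t toInt32Reference(double number)
{
    if (!std::isfinite(number))
        return 0;
    double m = std::fmod(std::trunc(number), 4294967296.0);
    if (m < 0)
        m += 4294967296.0;
    if (m >= 2147483648.0)
        m -= 4294967296.0;
    return static_cast<int32_t>(m);
}

// True when both bit-picking versions agree with the reference for `number`.
bool agreesWithReference(double number)
{
    int32_t expected = toInt32Reference(number);
    return toInt32General(number) == expected && toInt32Sensible(number) == expected;
}
```

Inputs worth trying are the ones that straddle the fast/slow boundary: 2147483648.0 (exp == 31, where the OR path fires and the answer wraps to INT32_MIN), -2147483649.0 (wraps the other way to INT32_MAX), and 1e20 (exp == 66, so the left-shift branch runs; `1e20 | 0` in JavaScript is 1661992960). Anything with exp > 83 is a multiple of 2^32 and comes out as 0, which is also what the reference's `fmod` produces.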
2152
2153 2017-02-03  Joseph Pecoraro  <pecoraro@apple.com>
2154
2155         Unreviewed rollout of r211486, r211629.
2156
2157         Original change is not ideal and is causing issues.
2158
2159         * inspector/agents/InspectorHeapAgent.cpp:
2160         (Inspector::SendGarbageCollectionEventsTask::SendGarbageCollectionEventsTask):
2161         * runtime/InitializeThreading.cpp:
2162         (JSC::initializeThreading):
2163
2164 2017-02-03  JF Bastien  <jfbastien@apple.com>
2165
2166         OSR entry: delay outer-loop compilation when at inner-loop
2167         https://bugs.webkit.org/show_bug.cgi?id=167149
2168
2169         Reviewed by Filip Pizlo.
2170
2171         r211224 and r211461 were reverted because they caused massive
2172         kraken/ai-astar regressions. This patch instead does the
2173         minimally-disruptive change to fix the original bug as described
2174         below, but omits extra tuning and refactoring which I had
2175         before. I'll commit tuning and refactoring separately, if this
2176         sticks. This patch is therefore very minimal, and layers carefully
2177         on top of the complex spaghetti-logic. The only change it makes is
2178         that it uses triggers to indicate to outer loops that they should
2179         compile, which fixes the immediate bug and seems roughly perf
2180         neutral (maybe a small gain on kraken sometimes, other times a
2181         small regression as would be expected from slightly compiling
2182         later). As opposed to r211461 this patch doesn't unconditionally
2183         unset the trigger because it prevents further DFG executions from
2184         entering. It therefore makes the trigger a tri-state enum class:
2185         don't trigger, compilation done, start compilation. Only "start
2186         compilation" gets reset to "don't trigger". "Compilation done"
2187         does not (unless there's a problem compiling, then it gets set
2188         back to "don't trigger").
2189
2190         As of https://bugs.webkit.org/show_bug.cgi?id=155217 OSR
2191         compilation can be kicked off for an entry into an outer-loop,
2192         while executing an inner-loop. This is desirable because often the
2193         codegen from an inner-entry isn't as good as the codegen from an
2194         outer-entry, but execution from an inner-loop is often pretty hot
2195         and likely to kick off compilation. This approach provided nice
2196         speedups on Kraken because we'd select to enter to the outer-loop
2197         very reliably, which reduces variability (the inner-loop was
2198         selected roughly 1/5 times from my unscientific measurements).
2199
2200         When compilation starts we take a snapshot of the JSValues at the
2201         current execution state using OSR's recovery mechanism. These
2202         values are passed to the compiler and are used as a way to perform
2203         type profiling, and could be used to observe cell types as well as
2204         to perform predictions such as through constant propagation.
2205
2206         It's therefore desired to enter from the outer-loop when we can,
2207         but we need to be executing from that location to capture the
2208         right JSValues, otherwise we're confusing the compiler and giving
2209         it inaccurate JSValues which can lead it to predict the wrong
2210         things, leading to suboptimal code or recompilation due to
2211         misprediction, or in super-corner-cases a crash.
2212
2213         DFG tier-up was added here:
2214         https://bugs.webkit.org/show_bug.cgi?id=112838
2215
2216         * dfg/DFGJITCode.h:
2217         * dfg/DFGJITCompiler.cpp:
2218         (JSC::DFG::JITCompiler::JITCompiler):
2219         * dfg/DFGOperations.cpp:
2220         * dfg/DFGSpeculativeJIT64.cpp:
2221         (JSC::DFG::SpeculativeJIT::compile):
2222         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
2223         (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::ToFTLForOSREntryDeferredCompilationCallback):
2224         (JSC::DFG::Ref<ToFTLForOSREntryDeferredCompilationCallback>ToFTLForOSREntryDeferredCompilationCallback::create):
2225         (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
2226         (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
2227         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h:
2228
2229 2017-02-03  Saam Barati  <sbarati@apple.com>
2230
2231         When OSR entering to the baseline JIT from the LLInt for a ProgramCodeBlock we can skip compiling a lot of the program
2232         https://bugs.webkit.org/show_bug.cgi?id=167725
2233         <rdar://problem/30339082>
2234
2235         Reviewed by Michael Saboff.
2236
2237         We often want to baseline compile ProgramCode once we hit a loop in the LLInt.
2238         However, some programs execute a non-trivial amount of code before the loop.
2239         This code can never be executed again because ProgramCodeBlocks never run more
2240         than once. We're wasting time and memory by compiling code that is unreachable
2241         from the OSR entry destination. This patch fixes this by only compiling code
2242         that is reachable from the OSR entry destination.
2243
2244         This is a speedup on Kraken/ai-astar for devices with limited CPUs (I've been
2245         testing on devices with 2 CPUs). On ai-astar, we were spending 50-100ms compiling
2246         a huge ProgramCodeBlock in the baseline JIT where the majority of the code
2247         would never execute. If this compilation was kicked off on the main thread,
2248         then we'd be stalled for a long time. If it were started on the baseline JITs
2249         background compilation thread, we'd still waste 50-100ms in that thread, causing
2250         all other baseline compilations to happen on the main thread.
2251
2252         * interpreter/Interpreter.cpp:
2253         (JSC::Interpreter::executeProgram):
2254         * interpreter/Interpreter.h:
2255         * jit/JIT.cpp:
2256         (JSC::JIT::JIT):
2257         (JSC::JIT::privateCompileMainPass):
2258         * jit/JIT.h:
2259         (JSC::JIT::compile):
2260         * jit/JITWorklist.cpp:
2261         (JSC::JITWorklist::Plan::Plan):
2262         (JSC::JITWorklist::Plan::compileNow):
2263         (JSC::JITWorklist::compileLater):
2264         (JSC::JITWorklist::compileNow):
2265         * jit/JITWorklist.h:
2266         * llint/LLIntSlowPaths.cpp:
2267         (JSC::LLInt::jitCompileAndSetHeuristics):
2268         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2269         * runtime/Completion.cpp:
2270         (JSC::evaluate):
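
An added example, not JavaScriptCore's code, of the reachability idea in the entry above: a toy bytecode (the op names and the sample program are constructed for illustration) and a worklist pass that collects every instruction reachable from the OSR entry offset, so the prologue that a run-once ProgramCodeBlock has already executed is left out of the baseline compile.

```cpp
// Added example, not JavaScriptCore code: which instructions a baseline compile
// started at an OSR entry point actually needs, computed by reachability over a
// constructed toy bytecode.
#include <cstddef>
#include <set>
#include <vector>

enum class Op { Nop, JumpIfFalse, Jump, LoopHint, Return };

struct Instruction {
    Op op;
    int target = -1; // absolute instruction index for branches
};

// Worklist reachability from `entryIndex` over straight-line bytecode.
std::set<size_t> reachableFrom(const std::vector<Instruction>& code, size_t entryIndex)
{
    std::set<size_t> reachable;
    std::vector<size_t> worklist { entryIndex };
    while (!worklist.empty()) {
        size_t index = worklist.back();
        worklist.pop_back();
        if (index >= code.size() || !reachable.insert(index).second)
            continue; // out of range, or already visited
        const Instruction& inst = code[index];
        switch (inst.op) {
        case Op::Return:
            break; // no successors
        case Op::Jump:
            worklist.push_back(static_cast<size_t>(inst.target)); // branch target only
            break;
        case Op::JumpIfFalse:
            worklist.push_back(static_cast<size_t>(inst.target)); // taken edge
            worklist.push_back(index + 1);                         // fall-through edge
            break;
        default:
            worklist.push_back(index + 1);
        }
    }
    return reachable;
}

// Constructed sample program:
//   0..2  prologue, executed exactly once before the loop
//   3     loop_hint       <- the OSR entry destination
//   4     jump_if_false -> 7
//   5     nop (loop body)
//   6     jump -> 3
//   7..8  epilogue and return
std::vector<Instruction> sampleProgram()
{
    return {
        { Op::Nop }, { Op::Nop }, { Op::Nop },
        { Op::LoopHint },
        { Op::JumpIfFalse, 7 },
        { Op::Nop },
        { Op::Jump, 3 },
        { Op::Nop },
        { Op::Return },
    };
}

// Instructions the JIT can skip when entering at `entryIndex`.
size_t skippableCount(const std::vector<Instruction>& code, size_t entryIndex)
{
    return code.size() - reachableFrom(code, entryIndex).size();
}
```

Entering at index 3 reaches six of the nine instructions; the three prologue instructions are unreachable from the loop header and need no machine code. A real bytecode has additional roots the toy omits, most obviously exception handler entry points for try regions that overlap the compiled range, and those must be seeded into the worklist as well or the handler would be missing at runtime.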
2271
2272 2017-02-03  Csaba Osztrogonác  <ossy@webkit.org>
2273
2274         Unreviewed typo fix after r211630.
2275
2276         * CMakeLists.txt:
2277
2278 2017-02-03  Carlos Garcia Campos  <cgarcia@igalia.com>
2279
2280         [GTK] Add initial implementation of resource usage overlay
2281         https://bugs.webkit.org/show_bug.cgi?id=167731
2282
2283         Reviewed by Michael Catanzaro.
2284
2285         Also expose nextFireTime() for GTK+ port.
2286
2287         * heap/GCActivityCallback.cpp:
2288         (JSC::GCActivityCallback::scheduleTimer):
2289         (JSC::GCActivityCallback::cancelTimer):
2290         * heap/GCActivityCallback.h:
2291
2292 2017-02-03  Csaba Osztrogonác  <ossy@webkit.org>
2293
2294         [cmake] Unreviewed AArch64 buildfix after r211603.
2295         https://bugs.webkit.org/show_bug.cgi?id=167714
2296
2297         * CMakeLists.txt:
2298
2299 2017-02-02  Andreas Kling  <akling@apple.com>
2300
2301         [Mac] In-process memory pressure monitor for WebContent processes AKA websam
2302         <https://webkit.org/b/167491>
2303         <rdar://problem/30116072>
2304
2305         Reviewed by Antti Koivisto.
2306
2307         Remove the sloppy "max live heap size" mechanism from JSC in favor of the new
2308         WebCore-side memory footprint monitor.
2309
2310         * heap/Heap.cpp:
2311         (JSC::Heap::updateAllocationLimits):
2312         (JSC::Heap::didExceedMaxLiveSize): Deleted.
2313         * heap/Heap.h:
2314         (JSC::Heap::setMaxLiveSize): Deleted.
2315
2316 2017-02-02  Mark Lam  <mark.lam@apple.com>
2317
2318         Add a SIGILL crash analyzer to make debugging SIGILLs easier.
2319         https://bugs.webkit.org/show_bug.cgi?id=167714
2320         <rdar://problem/30318237>
2321
2322         Not reviewed.
2323
2324         Build fix for CLOOP build.
2325
2326         * tools/VMInspector.cpp:
2327
2328 2017-02-02  Mark Lam  <mark.lam@apple.com>
2329
2330         Add a SIGILL crash analyzer to make debugging SIGILLs easier.
2331         https://bugs.webkit.org/show_bug.cgi?id=167714
2332         <rdar://problem/30318237>
2333
2334         Reviewed by Filip Pizlo.
2335
2336         The current implementation is only for X86_64 and ARM64 on OS(DARWIN).  The
2337         analyzer is not enabled for all other ports.
2338
2339         * CMakeLists.txt:
2340         * JavaScriptCore.xcodeproj/project.pbxproj:
2341         * API/JSVirtualMachine.mm:
2342         * assembler/ARM64Assembler.h:
2343         (JSC::ARM64Assembler::illegalInstruction):
2344         * assembler/MacroAssemblerARM64.h:
2345         (JSC::MacroAssemblerARM64::illegalInstruction):
2346         * assembler/MacroAssemblerX86Common.h:
2347         (JSC::MacroAssemblerX86Common::illegalInstruction):
2348         * assembler/X86Assembler.h:
2349         (JSC::X86Assembler::illegalInstruction):
2350         * heap/Heap.cpp:
2351         (JSC::Heap::forEachCodeBlockIgnoringJITPlansImpl):
2352         * heap/Heap.h:
2353         * heap/HeapInlines.h:
2354         (JSC::Heap::forEachCodeBlockIgnoringJITPlans):
2355         * runtime/Options.cpp:
2356         (JSC::Options::isAvailable):
2357         (JSC::recomputeDependentOptions):
2358         * runtime/Options.h:
2359         * runtime/VM.cpp:
2360         (JSC::VM::VM):
2361         (JSC::VM::~VM):
2362         * runtime/VM.h:
2363         * tools/SigillCrashAnalyzer.cpp: Added.
2364         (JSC::SignalContext::SignalContext):
2365         (JSC::SignalContext::dump):
2366         (JSC::handleCrash):
2367         (JSC::initializeCrashHandler):
2368         (JSC::ensureSigillCrashAnalyzer):
2369         (JSC::SigillCrashAnalyzer::analyze):
2370         (JSC::SigillCrashAnalyzer::dumpCodeBlock):
2371         * tools/SigillCrashAnalyzer.h: Added.
2372         * tools/VMInspector.cpp: Added.
2373         (JSC::VMInspector::instance):
2374         (JSC::VMInspector::add):
2375         (JSC::VMInspector::remove):
2376         (JSC::ensureIsSafeToLock):
2377         * tools/VMInspector.h: Added.
2378         (JSC::VMInspector::iterate):
2379
2380 2017-02-02  Chris Dumez  <cdumez@apple.com>
2381
2382         {}.toString.call(crossOriginWindow) should return "[object Object]"
2383         https://bugs.webkit.org/show_bug.cgi?id=167701
2384         <rdar://problem/30330797>
2385
2386         Reviewed by Keith Miller.
2387
2388         Have JSProxy forward toStringName calls to its target so Window
2389         can override it.
2390
2391         * runtime/JSProxy.cpp:
2392         (JSC::JSProxy::toStringName):
2393         * runtime/JSProxy.h:
2394
2395 2017-02-02  Commit Queue  <commit-queue@webkit.org>
2396
2397         Unreviewed, rolling out r211571 and r211582.
2398         https://bugs.webkit.org/show_bug.cgi?id=167751
2399
2400         This change caused API test WebKit1.MemoryPressureHandler to
2401         fail with an assertion. (Requested by ryanhaddad on #webkit).
2402
2403         Reverted changesets:
2404
2405         "[Mac] In-process memory pressure monitor for WebContent
2406         processes."
2407         https://bugs.webkit.org/show_bug.cgi?id=167491
2408         http://trac.webkit.org/changeset/211571
2409
2410         "Unreviewed attempt to fix the Windows build after r211571."
2411         http://trac.webkit.org/changeset/211582
2412
2413 2017-02-02  Andreas Kling  <akling@apple.com>
2414
2415         [Mac] In-process memory pressure monitor for WebContent processes.
2416         <https://webkit.org/b/167491>
2417         <rdar://problem/30116072>
2418
2419         Reviewed by Antti Koivisto.
2420
2421         Remove the sloppy "max live heap size" mechanism from JSC in favor of the new
2422         WebCore-side memory footprint monitor.
2423
2424         * heap/Heap.cpp:
2425         (JSC::Heap::updateAllocationLimits):
2426         (JSC::Heap::didExceedMaxLiveSize): Deleted.
2427         * heap/Heap.h:
2428         (JSC::Heap::setMaxLiveSize): Deleted.
2429
2430 2017-02-02  Joseph Pecoraro  <pecoraro@apple.com>
2431
2432         Removed unused m_errorHandlingModeReentry from Interpreter
2433         https://bugs.webkit.org/show_bug.cgi?id=167726
2434
2435         Reviewed by Yusuke Suzuki.
2436
2437         * interpreter/Interpreter.cpp:
2438         (JSC::Interpreter::Interpreter):
2439         * interpreter/Interpreter.h:
2440
2441 2017-02-01  Commit Queue  <commit-queue@webkit.org>
2442
2443         Unreviewed, rolling out r211461.
2444         https://bugs.webkit.org/show_bug.cgi?id=167721
2445
2446         Big regression on kraken (Requested by jfbastien on #webkit).
2447
2448         Reverted changeset:
2449
2450         "OSR entry: delay outer-loop compilation when at inner-loop"
2451         https://bugs.webkit.org/show_bug.cgi?id=167149
2452         http://trac.webkit.org/changeset/211461
2453
2454 2017-02-01  Keith Miller  <keith_miller@apple.com>
2455
2456         Unreviewed, fix unintended change.
2457
2458         * runtime/SamplingProfiler.cpp:
2459         (JSC::SamplingProfiler::StackFrame::displayName):
2460
2461 2017-02-01  Keith Miller  <keith_miller@apple.com>
2462
2463         The sampling profile should have an option to sample from C frames.
2464         https://bugs.webkit.org/show_bug.cgi?id=167614
2465
2466         Reviewed by Saam Barati.
2467
2468         We should be able to use the sampling profiler, at least
2469         internally, to trace C calls.  This patch only modifies the JSC
2470         shell although it would be nice to add it to the Web Inspector in
2471         a future patch.
2472
2473         * runtime/Options.h:
2474         * runtime/SamplingProfiler.cpp:
2475         (JSC::FrameWalker::FrameWalker):
2476         (JSC::FrameWalker::walk):
2477         (JSC::FrameWalker::recordJSFrame):
2478         (JSC::CFrameWalker::CFrameWalker):
2479         (JSC::CFrameWalker::walk):
2480         (JSC::CFrameWalker::isCFrame):
2481         (JSC::CFrameWalker::advanceToParentFrame):
2482         (JSC::CFrameWalker::frame):
2483         (JSC::SamplingProfiler::takeSample):
2484         (JSC::SamplingProfiler::processUnverifiedStackTraces):
2485         (JSC::SamplingProfiler::StackFrame::displayName):
2486         * runtime/SamplingProfiler.h:
2487         (JSC::SamplingProfiler::UnprocessedStackFrame::UnprocessedStackFrame):
2488
2489 2017-02-01  Joseph Pecoraro  <pecoraro@apple.com>
2490
2491         Web Inspector: Use guaranteed RunLoop instead of RunLoop::current for dispatching inspector GC event
2492         https://bugs.webkit.org/show_bug.cgi?id=167683
2493         <rdar://problem/30167791>
2494
2495         Reviewed by Timothy Hatcher.
2496
2497         * inspector/agents/InspectorHeapAgent.cpp:
2498         (Inspector::SendGarbageCollectionEventsTask::SendGarbageCollectionEventsTask):
2499         Use RunLoop::main instead of RunLoop::current which may go away.
2500
2501         * runtime/InitializeThreading.cpp:
2502         (JSC::initializeThreading):
2503         Ensure RunLoop::main is initialized when using JSC APIs.
2504
2505 2017-02-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2506
2507         ArityFixup should adjust SP first
2508         https://bugs.webkit.org/show_bug.cgi?id=167239
2509
2510         Reviewed by Michael Saboff.
2511
2512         Arity fixup extends the stack and copies/fills the stack with
2513         the values. At that time, we accidentally read/write stack
2514         space below the stack pointer. As a result, we touch the area
2515         of the stack space below the x64 red zone. These areas are unsafe.
2516         The OS may corrupt this space when constructing a signal stack.
2517         The Linux kernel could not populate the pages for this space,
2518         which causes a segmentation fault. This patch changes the stack
2519         pointer before performing the arity fixup.
2520
2521         * jit/ThunkGenerators.cpp:
2522         (JSC::arityFixupGenerator):
2523         * llint/LowLevelInterpreter32_64.asm:
2524         * llint/LowLevelInterpreter64.asm:
2525
2526 2017-01-31  Filip Pizlo  <fpizlo@apple.com>
2527
2528         Make verifyEdge a RELEASE_ASSERT
2529         <rdar://problem/30296879>
2530
2531         Rubber stamped by Saam Barati.
2532
2533         * dfg/DFGAbstractInterpreterInlines.h:
2534         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2535
2536 2017-01-31  JF Bastien  <jfbastien@apple.com>
2537
2538         OSR entry: delay outer-loop compilation when at inner-loop
2539         https://bugs.webkit.org/show_bug.cgi?id=167149
2540
2541         Reviewed by Filip Pizlo.
2542
2543         r211224 was reverted because it caused a massive kraken/ai-astar
2544         regression. This patch instead does the minimally-disruptive
2545         change to fix the original bug as described below, but omits extra
2546         tuning and refactoring which I had before. I'll commit tuning and
2547         refactoring separately, if this sticks. This patch is therefore
2548         very minimal, and layers carefully on top of the complex
2549         spaghetti-logic. The only change it makes is that it uses triggers
2550         to indicate to outer loops that they should compile, which fixes
2551         the immediate bug and seems roughly perf neutral (maybe a small
2552         gain on kraken sometimes, other times a small regression as would
2553         be expected from compiling later).
2554
2555         As of https://bugs.webkit.org/show_bug.cgi?id=155217 OSR
2556         compilation can be kicked off for an entry into an outer-loop,
2557         while executing an inner-loop. This is desirable because often the
2558         codegen from an inner-entry isn't as good as the codegen from an
2559         outer-entry, but execution from an inner-loop is often pretty hot
2560         and likely to kick off compilation. This approach provided nice
2561         speedups on Kraken because we'd select to enter to the outer-loop
2562         very reliably, which reduces variability (the inner-loop was
2563         selected roughly 1/5 times from my unscientific measurements).
2564
2565         When compilation starts we take a snapshot of the JSValues at the
2566         current execution state using OSR's recovery mechanism. These
2567         values are passed to the compiler and are used as a way to perform
2568         type profiling, and could be used to observe cell types as well as
2569         to perform predictions such as through constant propagation.
2570
2571         It's therefore desired to enter from the outer-loop when we can,
2572         but we need to be executing from that location to capture the
2573         right JSValues, otherwise we're confusing the compiler and giving
2574         it inaccurate JSValues which can lead it to predict the wrong
2575         things, leading to suboptimal code or recompilation due to
2576         misprediction, or in super-corner-cases a crash.
2577
2578         These effects are pretty hard to measure: Fil points out that
2579         marsalis-osr-entry really needs mustHandleValues (the JSValues
2580         from the point of execution) because right now it just happens to
2581         correctly guess int32. I tried removing mustHandleValues entirely
2582         and saw no slowdowns, but our benchmarks probably aren't
2583         sufficient to reliably find issues, sometimes because we happen to
2584         have sufficient mitigations.
2585
2586         DFG tier-up was added here:
2587         https://bugs.webkit.org/show_bug.cgi?id=112838
2588
2589         * dfg/DFGOperations.cpp:
2590
2591 2017-01-31  Filip Pizlo  <fpizlo@apple.com>
2592
2593         The mutator should be able to perform increments of GC work
2594         https://bugs.webkit.org/show_bug.cgi?id=167528
2595
2596         Reviewed by Keith Miller and Geoffrey Garen.
2597
2598         The cool thing about having a concurrent and parallel collector is that it's easy to also make
2599         it incremental, because the load balancer can also hand over work to anyone (including the
2600         mutator) and since the collector is running concurrently anyway, the mutator can usually rely
2601         on the balancer having some spare work.
2602
2603         This change adds a classic work-based incremental mode to the GC. When you allocate K bytes,
2604         you have to do Options::gcIncrementScale() * K "bytes" of draining. This is amortized so that
2605         it only happens in allocation slow paths.
2606
2607         On computers that have a lot of CPUs, this mode is not profitable and we set gcIncrementScale
2608         to zero. On such computers, Riptide was already performing great because there was no way that
2609         one mutator thread could outpace many GC threads. But on computers with fewer CPUs, there were
2610         problems having to do with making the collector progress quickly enough so that the heap
2611         doesn't grow too much. The stochastic scheduler actually made things worse, because it relies
2612         a lot on the fact that the GC will simply be faster than the mutator anyway. The old scheduler
2613         claimed to address the problem of GC pace, but it used a time-based scheduler, which is not as
2614         precise at keeping pace as the new work-based incremental mode.
2615
2616         In theory, the work-based mode guarantees a bound on how much the heap can grow during a
2617         collection just because each byte allocated means some number of bytes visited. We don't try
2618         to create such a theoretical bound. We're just trying to give the collector an unfair advantage
2619         in any race with the mutator.
2620
2621         Turning on incremental mode, the stochastic scheduler, and passive draining in combination with
2622         each other is a huge splay-latency speed-up on my iPad. It's also a CDjs progression. It does
2623         regress splay-throughput, but I think that's fine (the regression is 11%, the progression is
2624         3x).
2625
2626         * heap/Heap.cpp:
2627         (JSC::Heap::Heap):
2628         (JSC::Heap::~Heap):
2629         (JSC::Heap::markToFixpoint):
2630         (JSC::Heap::updateObjectCounts):
2631         (JSC::Heap::endMarking):
2632         (JSC::Heap::finalize):
2633         (JSC::Heap::didAllocate):
2634         (JSC::Heap::visitCount):
2635         (JSC::Heap::bytesVisited):
2636         (JSC::Heap::forEachSlotVisitor):
2637         (JSC::Heap::performIncrement):
2638         (JSC::Heap::threadVisitCount): Deleted.
2639         (JSC::Heap::threadBytesVisited): Deleted.
2640         * heap/Heap.h:
2641         * heap/MarkStack.cpp:
2642         (JSC::MarkStackArray::transferTo):
2643         * heap/MarkStack.h:
2644         * heap/SlotVisitor.cpp:
2645         (JSC::SlotVisitor::didStartMarking):
2646         (JSC::SlotVisitor::clearMarkStacks):
2647         (JSC::SlotVisitor::appendToMarkStack):
2648         (JSC::SlotVisitor::noteLiveAuxiliaryCell):
2649         (JSC::SlotVisitor::donateKnownParallel):
2650         (JSC::SlotVisitor::drain):
2651         (JSC::SlotVisitor::performIncrementOfDraining):
2652         (JSC::SlotVisitor::didReachTermination):
2653         (JSC::SlotVisitor::hasWork):
2654         (JSC::SlotVisitor::drainFromShared):
2655         (JSC::SlotVisitor::drainInParallelPassively):
2656         (JSC::SlotVisitor::donateAll):
2657         (JSC::SlotVisitor::correspondingGlobalStack):
2658         * heap/SlotVisitor.h:
2659         * heap/SlotVisitorInlines.h:
2660         (JSC::SlotVisitor::reportExtraMemoryVisited):
2661         (JSC::SlotVisitor::forEachMarkStack):
2662         * heap/SpaceTimeMutatorScheduler.cpp:
2663         (JSC::SpaceTimeMutatorScheduler::log):
2664         * heap/StochasticSpaceTimeMutatorScheduler.cpp:
2665         (JSC::StochasticSpaceTimeMutatorScheduler::log):
2666         * jsc.cpp:
2667         (GlobalObject::finishCreation):
2668         (functionHeapCapacity):
2669         * runtime/Options.cpp:
2670         (JSC::overrideDefaults):
2671         * runtime/Options.h:
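
As an added example that is not JavaScriptCore code, a single-threaded toy of the pacing rule described above: each byte allocated while marking is live accrues gcIncrementScale bytes of draining debt, and the debt is paid in the allocation slow path once it crosses an amortization threshold. The concurrent collector thread is deliberately left out, and every type, method and scenario name here is hypothetical.

```cpp
#include <cstddef>
#include <utility>
#include <vector>

// Added example, not JavaScriptCore code: a single-threaded toy of the work-based incremental
// mode. The concurrent collector thread is left out, so the mutator's own draining is the
// only marking progress here; every name in this file is hypothetical.
struct ToyObject {
    size_t bytes;
    std::vector<size_t> refs; // indices of the objects this one references
    bool marked;
};

class ToyHeap {
public:
    // scale plays the role of Options::gcIncrementScale(): bytes of draining owed per byte allocated
    // (0 turns the mode off). The debt is only paid once slowPathThreshold bytes have been allocated
    // since the last increment; that amortization is what keeps the allocation fast path untouched.
    ToyHeap(double scale, size_t slowPathThreshold) : m_scale(scale), m_threshold(slowPathThreshold) { }
    size_t allocate(size_t bytes, std::vector<size_t> refs = {})
    {
        m_objects.push_back({ bytes, std::move(refs), m_collecting }); // allocated black mid-collection
        if (m_collecting) {
            m_debt += bytes;
            if (m_debt >= m_threshold) { // allocation slow path: pay the draining debt
                m_visitedByMutator += performIncrement(static_cast<size_t>(m_debt * m_scale));
                m_debt = 0;
            }
        }
        return m_objects.size() - 1;
    }

    void startCollection(const std::vector<size_t>& roots)
    {
        m_collecting = true;
        m_visitedByMutator = m_debt = 0;
        for (size_t root : roots)
            push(root);
    }
    // Drain until at least targetBytes have been visited or the mark stack is empty.
    size_t performIncrement(size_t targetBytes)
    {
        size_t visited = 0;
        while (visited < targetBytes && !m_markStack.empty()) {
            size_t index = m_markStack.back(); m_markStack.pop_back();
            visited += m_objects[index].bytes;
            for (size_t ref : m_objects[index].refs)
                push(ref);
        }
        return visited;
    }
    // Finish marking (the collector thread's job in the real design), then sweep; swept
    // objects keep their slot with zero bytes so indices stay stable. Returns bytes freed.
    size_t finishCollection()
    {
        performIncrement(~static_cast<size_t>(0));
        size_t freed = 0;
        for (ToyObject& object : m_objects) {
            if (!object.marked) {
                freed += object.bytes;
                object.bytes = 0;
            }
            object.marked = false;
        }
        m_collecting = false;
        return freed;
    }

    size_t visitedByMutator() const { return m_visitedByMutator; }

private:
    void push(size_t index)
    {
        if (m_objects[index].marked) return; // already grey or black
        m_objects[index].marked = true;
        m_markStack.push_back(index);
    }
    double m_scale; size_t m_threshold;
    bool m_collecting = false;
    size_t m_debt = 0, m_visitedByMutator = 0;
    std::vector<ToyObject> m_objects;
    std::vector<size_t> m_markStack;
};

struct ScenarioResult { size_t visitedByMutator; size_t freed; };

// Constructed scenario: a chain of twenty 100-byte objects hanging off one root, one 500-byte
// garbage object, then ten 64-byte allocations (640 bytes) while marking is in progress.
ScenarioResult runScenario(double scale)
{
    ToyHeap heap(scale, 256);
    size_t root = heap.allocate(100);
    for (int i = 0; i < 19; ++i)
        root = heap.allocate(100, { root });
    heap.allocate(500); // unreachable
    heap.startCollection({ root });
    for (int i = 0; i < 10; ++i)
        heap.allocate(64);
    return { heap.visitedByMutator(), heap.finishCollection() };
}
```

With scale 1.0 the mutator pays for 600 bytes of marking during its 640 bytes of allocation; with scale 0 it pays nothing and the whole job is left to finishCollection, which is the large-CPU-count configuration the entry describes.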
2672
2673 2017-01-31  Tomas Popela  <tpopela@redhat.com>
2674
2675         Compilation error in JSArrayBufferView.h
2676         https://bugs.webkit.org/show_bug.cgi?id=167642
2677
2678         Reviewed by Alex Christensen.
2679
2680         * runtime/JSArrayBufferView.h:
2681         (JSC::JSArrayBufferView::vector):
2682
2683 2017-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2684
2685         [JSC] Do not reject WebAssembly.compile() with Exception
2686         https://bugs.webkit.org/show_bug.cgi?id=167585
2687
2688         Reviewed by Mark Lam.
2689
2690         We accidentally reject the promise with Exception instead of Exception::value()
2691         for the result of WebAssembly::compile().
2692
2693         * wasm/JSWebAssembly.cpp:
2694         (JSC::webAssemblyCompileFunc):
2695
2696 2017-01-30  Joseph Pecoraro  <pecoraro@apple.com>
2697
2698         Implement PerformanceObserver
2699         https://bugs.webkit.org/show_bug.cgi?id=167546
2700         <rdar://problem/30247959>
2701
2702         Reviewed by Ryosuke Niwa.
2703
2704         * runtime/CommonIdentifiers.h:
2705
2706 2017-01-30  Matt Baker  <mattbaker@apple.com>
2707
2708         Web Inspector: Need some limit on Async Call Stacks for async loops (rAF loops)
2709         https://bugs.webkit.org/show_bug.cgi?id=165633
2710         <rdar://problem/29738502>
2711
2712         Reviewed by Joseph Pecoraro.
2713
2714         This patch limits the memory used by the Inspector backend to store async
2715         stack trace data.
2716
2717         Asynchronous stack traces are stored as a disjoint set of parent pointer
2718         trees. Tree nodes represent asynchronous operations, and hold a copy of
2719         the stack trace at the time the operation was scheduled. Each tree can
2720         be regarded as a set of stack traces, stored as singly linked lists that
2721         share part of their structure (specifically their tails). Traces belonging
2722         to the same tree will at least share a common root. A stack trace begins
2723         at a leaf node and follows the chain of parent pointers to the root
2724         of the tree. Leaf nodes always contain pending asynchronous calls.
2725
2726         When an asynchronous operation is scheduled with requestAnimationFrame,
2727         setInterval, etc., a node is created containing the current call stack and
2728         some bookkeeping data for the operation. A unique identifier comprised
2729         of an operation type and callback identifier is mapped to the node. If
2730         scheduling the callback was itself the result of an asynchronous call,
2731         the node becomes a child of the node associated with that call, otherwise
2732         it becomes the root of a new tree.
2733
2734         A node is either `pending`, `active`, `dispatched`, or `canceled`. Nodes
2735         start out as pending. After a callback for a pending node is dispatched
2736         the node is marked as such, unless it is a repeating callback such as
2737         setInterval, in which case it remains pending. Once a node is no longer
2738         pending it is removed, as long as it has no children. Since nodes are
2739         reference counted, it is a property of the stack trace tree that nodes
2740         that are no longer pending and have no children pointing to them will be
2741         automatically pruned from the tree.
2742
2743         If an async operation is canceled (e.g. cancelTimeout), the associated
2744         node is marked as such. If the callback is not being dispatched at the
2745         time, and has no children, it is removed.
2746
2747         Because async operations can be chained indefinitely, stack traces are
2748         limited to a maximum depth. The depth of a stack trace is equal to the
2749         sum of the depths of its nodes, with a node's depth equal to the number
2750         of frames in its associated call stack. For any stack trace,
2751
2752             S = { s𝟶, s𝟷, …, s𝑘 }, with endpoints s𝟶, s𝑘
2753             depth(S) = depth(s𝟶) + depth(s𝟷) + … + depth(s𝑘)
2754
2755         A stack trace is truncated when it exceeds the maximum depth. Truncation
2756         occurs on node boundaries, not call frames; consequently, the maximum depth
2757         is more of a target than a guarantee:
2758
2759             d = maximum stack trace depth
2760             for all S, depth(S) ≤ d + depth(s𝑘)
2761
2762         Because nodes can belong to multiple stack traces, it may be necessary
2763         to clone the tail of a stack trace being truncated to prevent other traces
2764         from being affected.
2765
2766         * CMakeLists.txt:
2767         * JavaScriptCore.xcodeproj/project.pbxproj:
2768         * inspector/AsyncStackTrace.cpp: Added.
2769         (Inspector::AsyncStackTrace::create):
2770         (Inspector::AsyncStackTrace::AsyncStackTrace):
2771         (Inspector::AsyncStackTrace::~AsyncStackTrace):
2772         (Inspector::AsyncStackTrace::isPending):
2773         (Inspector::AsyncStackTrace::isLocked):
2774         (Inspector::AsyncStackTrace::willDispatchAsyncCall):
2775         (Inspector::AsyncStackTrace::didDispatchAsyncCall):
2776         (Inspector::AsyncStackTrace::didCancelAsyncCall):
2777         (Inspector::AsyncStackTrace::buildInspectorObject):
2778         (Inspector::AsyncStackTrace::truncate):
2779         (Inspector::AsyncStackTrace::remove):
2780         * inspector/AsyncStackTrace.h:
2781         * inspector/agents/InspectorDebuggerAgent.cpp:
2782         (Inspector::InspectorDebuggerAgent::didScheduleAsyncCall):
2783         (Inspector::InspectorDebuggerAgent::didCancelAsyncCall):
2784         (Inspector::InspectorDebuggerAgent::willDispatchAsyncCall):
2785         (Inspector::InspectorDebuggerAgent::didDispatchAsyncCall):
2786         (Inspector::InspectorDebuggerAgent::didPause):
2787         (Inspector::InspectorDebuggerAgent::clearAsyncStackTraceData):
2788         (Inspector::InspectorDebuggerAgent::buildAsyncStackTrace): Deleted.
2789         (Inspector::InspectorDebuggerAgent::refAsyncCallData): Deleted.
2790         (Inspector::InspectorDebuggerAgent::derefAsyncCallData): Deleted.
2791         * inspector/agents/InspectorDebuggerAgent.h:
2792         * inspector/protocol/Console.json:
2793
2794 2017-01-30  Ryan Haddad  <ryanhaddad@apple.com>
2795
2796         Unreviewed, rolling out r211345.
2797
2798         The LayoutTest for this change is failing an assertion.
2799
2800         Reverted changeset:
2801
2802         "Web Inspector: Need some limit on Async Call Stacks for async
2803         loops (rAF loops)"
2804         https://bugs.webkit.org/show_bug.cgi?id=165633
2805         http://trac.webkit.org/changeset/211345
2806
2807 2017-01-28  Matt Baker  <mattbaker@apple.com>
2808
2809         Web Inspector: Need some limit on Async Call Stacks for async loops (rAF loops)
2810         https://bugs.webkit.org/show_bug.cgi?id=165633
2811         <rdar://problem/29738502>
2812
2813         Reviewed by Joseph Pecoraro.
2814
2815         This patch limits the memory used by the Inspector backend to store async
2816         stack trace data.
2817
2818         Asynchronous stack traces are stored as a disjoint set of parent pointer
2819         trees. Tree nodes represent asynchronous operations, and hold a copy of
2820         the stack trace at the time the operation was scheduled. Each tree can
2821         be regarded as a set of stack traces, stored as singly linked lists that
2822         share part of their structure (specifically their tails). Traces belonging
2823         to the same tree will at least share a common root. A stack trace begins
2824         at a leaf node and follows the chain of parent pointers to the root
2825         of the tree. Leaf nodes always contain pending asynchronous calls.
2826
2827         When an asynchronous operation is scheduled with requestAnimationFrame,
2828         setInterval, etc., a node is created containing the current call stack and
2829         some bookkeeping data for the operation. A unique identifier comprised
2830         of an operation type and callback identifier is mapped to the node. If
2831         scheduling the callback was itself the result of an asynchronous call,
2832         the node becomes a child of the node associated with that call, otherwise
2833         it becomes the root of a new tree.
2834
2835         A node is either `pending`, `active`, `dispatched`, or `canceled`. Nodes
2836         start out as pending. After a callback for a pending node is dispatched
2837         the node is marked as such, unless it is a repeating callback such as
2838         setInterval, in which case it remains pending. Once a node is no longer
2839         pending it is removed, as long as it has no children. Since nodes are
2840         reference counted, it is a property of the stack trace tree that nodes
2841         that are no longer pending and have no children pointing to them will be
2842         automatically pruned from the tree.
2843
2844         If an async operation is canceled (e.g. cancelTimeout), the associated
2845         node is marked as such. If the callback is not being dispatched at the
2846         time, and has no children, it is removed.
2847
2848         Because async operations can be chained indefinitely, stack traces are
2849         limited to a maximum depth. The depth of a stack trace is equal to the
2850         sum of the depths of its nodes, with a node's depth equal to the number
2851         of frames in its associated call stack. For any stack trace,
2852
2853             S = { s𝟶, s𝟷, …, s𝑘 }, with endpoints s𝟶, s𝑘
2854             depth(S) = depth(s𝟶) + depth(s𝟷) + … + depth(s𝑘)
2855
2856         A stack trace is truncated when it exceeds the maximum depth. Truncation
2857         occurs on node boundaries, not call frames; consequently, the maximum depth
2858         is more of a target than a guarantee:
2859
2860             d = maximum stack trace depth
2861             for all S, depth(S) ≤ d + depth(s𝑘)
2862
2863         Because nodes can belong to multiple stack traces, it may be necessary
2864         to clone the tail of a stack trace being truncated to prevent other traces
2865         from being affected.
2866
2867         * CMakeLists.txt:
2868         * JavaScriptCore.xcodeproj/project.pbxproj:
2869         * inspector/AsyncStackTrace.cpp: Added.
2870         (Inspector::AsyncStackTrace::create):
2871         (Inspector::AsyncStackTrace::AsyncStackTrace):
2872         (Inspector::AsyncStackTrace::~AsyncStackTrace):
2873         (Inspector::AsyncStackTrace::isPending):
2874         (Inspector::AsyncStackTrace::isLocked):
2875         (Inspector::AsyncStackTrace::willDispatchAsyncCall):
2876         (Inspector::AsyncStackTrace::didDispatchAsyncCall):
2877         (Inspector::AsyncStackTrace::didCancelAsyncCall):
2878         (Inspector::AsyncStackTrace::buildInspectorObject):
2879         (Inspector::AsyncStackTrace::truncate):
2880         (Inspector::AsyncStackTrace::remove):
2881         * inspector/AsyncStackTrace.h:
2882         * inspector/agents/InspectorDebuggerAgent.cpp:
2883         (Inspector::InspectorDebuggerAgent::didScheduleAsyncCall):
2884         (Inspector::InspectorDebuggerAgent::didCancelAsyncCall):
2885         (Inspector::InspectorDebuggerAgent::willDispatchAsyncCall):
2886         (Inspector::InspectorDebuggerAgent::didDispatchAsyncCall):
2887         (Inspector::InspectorDebuggerAgent::didPause):
2888         (Inspector::InspectorDebuggerAgent::clearAsyncStackTraceData):
2889         (Inspector::InspectorDebuggerAgent::buildAsyncStackTrace): Deleted.
2890         (Inspector::InspectorDebuggerAgent::refAsyncCallData): Deleted.
2891         (Inspector::InspectorDebuggerAgent::derefAsyncCallData): Deleted.
2892         * inspector/agents/InspectorDebuggerAgent.h:
2893         * inspector/protocol/Console.json:
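
The parent-pointer tree, node states, refcount-based pruning and node-boundary truncation described in this entry (and in its relanded copy above), as an added model that is not WebKit's Inspector::AsyncStackTrace. All names are hypothetical, cancellation is left out, and the requestAnimationFrame loop at the end is a constructed scenario.

```cpp
#include <memory>
#include <string>
#include <unordered_map>
#include <utility>
#include <vector>

// Added example, not WebKit's Inspector::AsyncStackTrace: a model of the parent pointer tree,
// node states, refcount pruning and node-boundary truncation described in the entry above.
struct ToyAsyncNode {
    enum class State { Pending, Active, Dispatched, Canceled };
    ToyAsyncNode() { ++liveCount; }
    ToyAsyncNode(const ToyAsyncNode& o) : frames(o.frames), parent(o.parent), state(o.state), repeating(o.repeating) { ++liveCount; }
    ~ToyAsyncNode() { --liveCount; }
    static inline size_t liveCount = 0;   // lets the scenario below observe pruning (needs C++17)
    std::vector<std::string> frames;      // call stack captured when the operation was scheduled
    std::shared_ptr<ToyAsyncNode> parent; // owning pointer: a child keeps its ancestors alive
    State state = State::Pending;
    bool repeating = false;               // setInterval-style callbacks stay pending after dispatch
};

class ToyAsyncStackTraces {
public:
    explicit ToyAsyncStackTraces(size_t maxDepth) : m_maxDepth(maxDepth) { }
    // key = operation type plus callback identifier, e.g. "rAF:7". Cancellation is left out here;
    // it is the same map erase as a non-repeating dispatch, just without the dispatch.
    void didScheduleAsyncCall(const std::string& key, std::vector<std::string> frames, bool repeating = false)
    {
        auto node = std::make_shared<ToyAsyncNode>();
        node->frames = std::move(frames);
        node->repeating = repeating;
        node->parent = m_current; // null unless scheduled from inside an async callback: a new tree root
        truncate(*node);
        m_pending[key] = node;
    }
    void willDispatchAsyncCall(const std::string& key)
    {
        auto it = m_pending.find(key);
        if (it == m_pending.end()) return;
        m_current = it->second;
        m_current->state = ToyAsyncNode::State::Active;
    }
    void didDispatchAsyncCall(const std::string& key)
    {
        if (!m_current) return;
        if (m_current->repeating)
            m_current->state = ToyAsyncNode::State::Pending;
        else {
            m_current->state = ToyAsyncNode::State::Dispatched;
            m_pending.erase(key); // from now on only children keep this node alive
        }
        m_current.reset();
    }
    // depth(S) for the trace ending at a pending callback: the sum of its nodes' frame counts.
    size_t traceDepth(const std::string& key) const
    {
        auto it = m_pending.find(key);
        size_t depth = 0;
        for (auto node = it == m_pending.end() ? nullptr : it->second.get(); node; node = node->parent.get())
            depth += node->frames.size();
        return depth;
    }
    size_t pendingCount() const { return m_pending.size(); }

private:
    // Sum node depths toward the root; once the sum exceeds m_maxDepth the chain is cut at that
    // node boundary, giving depth(S) <= d + depth(s_k). The kept ancestors may be shared with
    // other traces, so they are cloned and only the last clone's parent pointer is dropped.
    void truncate(ToyAsyncNode& leaf)
    {
        size_t depth = leaf.frames.size(), keep = 0;
        bool cut = false;
        for (auto node = leaf.parent; node && !cut; node = node->parent) {
            depth += node->frames.size();
            ++keep;
            cut = depth > m_maxDepth;
        }
        if (!cut) return;
        std::shared_ptr<ToyAsyncNode>* link = &leaf.parent;
        for (size_t i = 0; i < keep; ++i) {
            *link = std::make_shared<ToyAsyncNode>(**link); // the copy still points at the original's parent
            link = &(*link)->parent;
        }
        link->reset();
    }
    size_t m_maxDepth;
    std::shared_ptr<ToyAsyncNode> m_current; // node whose callback is currently being dispatched
    std::unordered_map<std::string, std::shared_ptr<ToyAsyncNode>> m_pending;
};

struct RafLoopResult { size_t traceDepth; size_t liveNodes; size_t pendingCount; };

// Constructed rAF loop: every callback is two frames deep and schedules the next one from
// inside its own dispatch, so without truncation the chain would never stop growing.
RafLoopResult simulateRafLoop(size_t iterations, size_t maxDepth)
{
    ToyAsyncStackTraces traces(maxDepth);
    traces.didScheduleAsyncCall("rAF:0", { "tick", "main" });
    for (size_t i = 0; i < iterations; ++i) {
        std::string current = "rAF:" + std::to_string(i);
        traces.willDispatchAsyncCall(current);
        traces.didScheduleAsyncCall("rAF:" + std::to_string(i + 1), { "tick", "rafCallback" });
        traces.didDispatchAsyncCall(current);
    }
    return { traces.traceDepth("rAF:" + std::to_string(iterations)), ToyAsyncNode::liveCount, traces.pendingCount() };
}
```

With d = 5 and two-frame nodes the trace settles at 6 frames, within the d + depth(s_k) bound, and only three nodes stay alive however long the loop runs; with a large d the whole chain of eleven nodes is retained.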
2894
2895 2017-01-28  Joseph Pecoraro  <pecoraro@apple.com>
2896
2897         Remote Inspector: Listing should be updated when a target gains or loses a debugger session
2898         https://bugs.webkit.org/show_bug.cgi?id=167449
2899
2900         Reviewed by Brian Burg.
2901
2902         * inspector/remote/RemoteInspector.h:
2903         * inspector/remote/RemoteInspector.mm:
2904         (Inspector::RemoteInspector::setupFailed):
2905         (Inspector::RemoteInspector::updateTargetListing):
2906         (Inspector::RemoteInspector::receivedSetupMessage):
2907         (Inspector::RemoteInspector::receivedDidCloseMessage):
2908         (Inspector::RemoteInspector::receivedConnectionDiedMessage):
2909         Whenever we add/remove a connection we should update the listing properties
2910         for the target that corresponded to that connection. This way, updating active
2911         sessions, the target, and pushing the listing are grouped together.
2912
2913 2017-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2914
2915         Lift template escape sequence restrictions in tagged templates
2916         https://bugs.webkit.org/show_bug.cgi?id=166871
2917
2918         Reviewed by Saam Barati.
2919
2920         This patch implements stage 3 Lifting Template Literal Restriction[1].
2921         Prior to this patch, a template literal became a SyntaxError if it contained
2922         invalid escape sequences. But this is too restrictive: a template literal
2923         has cooked and raw representations, and only the cooked representation
2924         interprets escape sequences. So even if invalid escape sequences are included,
2925         the raw representation can be valid.
2926
2927         Lifting Template Literal Restriction relaxes the above restriction.
2928         When an invalid escape sequence is included and the target template literal
2929         is used as a tagged template, we make the result of the template including
2930         the invalid escape sequence `undefined` instead of making it a SyntaxError
2931         immediately. This allows us to accept templates that include invalid
2932         escape sequences in their raw representations in tagged templates.
2933
2934         On the other hand, the raw representation is only used in tagged templates.
2935         So if invalid escape sequences are included in usual template literals,
2936         we just make them a SyntaxError as before.
2937
2938         [1]: https://github.com/tc39/proposal-template-literal-revision
2939
2940         * bytecompiler/BytecodeGenerator.cpp:
2941         (JSC::BytecodeGenerator::emitGetTemplateObject):
2942         * bytecompiler/NodesCodegen.cpp:
2943         (JSC::TemplateStringNode::emitBytecode):
2944         (JSC::TemplateLiteralNode::emitBytecode):
2945         * parser/ASTBuilder.h:
2946         (JSC::ASTBuilder::createTemplateString):
2947         * parser/Lexer.cpp:
2948         (JSC::Lexer<CharacterType>::parseUnicodeEscape):
2949         (JSC::Lexer<T>::parseTemplateLiteral):
2950         (JSC::Lexer<T>::lex):
2951         (JSC::Lexer<T>::scanTemplateString):
2952         (JSC::Lexer<T>::scanTrailingTemplateString): Deleted.
2953         * parser/Lexer.h:
2954         * parser/NodeConstructors.h:
2955         (JSC::TemplateStringNode::TemplateStringNode):
2956         * parser/Nodes.h:
2957         (JSC::TemplateStringNode::cooked):
2958         (JSC::TemplateStringNode::raw):
2959         * parser/Parser.cpp:
2960         (JSC::Parser<LexerType>::parseAssignmentElement):
2961         (JSC::Parser<LexerType>::parseTemplateString):
2962         (JSC::Parser<LexerType>::parseTemplateLiteral):
2963         (JSC::Parser<LexerType>::parsePrimaryExpression):
2964         (JSC::Parser<LexerType>::parseMemberExpression):
2965         * parser/ParserTokens.h:
2966         * parser/SyntaxChecker.h:
2967         (JSC::SyntaxChecker::createTemplateString):
2968         * runtime/TemplateRegistry.cpp:
2969         (JSC::TemplateRegistry::getTemplateObject):
2970         * runtime/TemplateRegistryKey.h:
2971         (JSC::TemplateRegistryKey::cookedStrings):
2972         (JSC::TemplateRegistryKey::create):
2973         (JSC::TemplateRegistryKey::TemplateRegistryKey):
2974         * runtime/TemplateRegistryKeyTable.cpp:
2975         (JSC::TemplateRegistryKeyTable::createKey):
2976         * runtime/TemplateRegistryKeyTable.h:
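
An added example, not JavaScriptCore's Lexer, of the cooked/raw split this entry describes: a scanner for one template string that always yields the raw text, yields the cooked text only when every escape is valid, and otherwise produces `undefined` (nullopt here) for a tagged template or a SyntaxError for an untagged one. The type and function names are hypothetical and only ASCII source with a subset of escape sequences is handled.

```cpp
#include <cstdint>
#include <optional>
#include <string>
#include <utility>

// Added example, not JavaScriptCore's Lexer: a scanner for one template string (the text between
// backticks, no substitutions) producing the cooked and raw representations the entry above
// describes. Only ASCII source and a subset of the escape sequences are handled.
struct TemplateStringResult {
    std::optional<std::string> cooked; // nullopt: an invalid escape, tolerated only in tagged templates
    std::string raw;                   // verbatim source text, line terminators normalized to LF
    bool syntaxError = false;
};

static void appendUtf8(std::string& out, uint32_t cp)
{
    if (cp < 0x80) { out += char(cp); return; }
    int n = cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4; // byte count; the lead byte carries n leading 1 bits
    out += char((0xF00 >> n) | (cp >> (6 * (n - 1))));
    for (int i = n - 2; i >= 0; --i)
        out += char(0x80 | ((cp >> (6 * i)) & 0x3F));
}
// Exactly `count` hex digits at `pos`; nullopt if any is missing or the value exceeds U+10FFFF.
static std::optional<uint32_t> parseHex(const std::string& s, size_t pos, size_t count)
{
    if (!count || pos + count > s.size())
        return std::nullopt;
    uint32_t value = 0;
    for (size_t i = 0; i < count; ++i) {
        char c = s[pos + i];
        int digit = c >= '0' && c <= '9' ? c - '0' : c >= 'a' && c <= 'f' ? c - 'a' + 10 : c >= 'A' && c <= 'F' ? c - 'A' + 10 : -1;
        if (digit < 0)
            return std::nullopt;
        value = value * 16 + digit;
        if (value > 0x10FFFF)
            return std::nullopt;
    }
    return value;
}

// `tagged` says whether the literal is used as a tagged template, the only place where the raw
// representation is observable and an invalid escape is therefore allowed to stand.
TemplateStringResult scanTemplateString(const std::string& src, bool tagged)
{
    TemplateStringResult result;
    std::string cooked;
    bool invalidEscape = false;
    for (size_t i = 0; i < src.size(); ++i) {
        char c = src[i];
        if (c == '\r') { // <CR><LF> and lone <CR> become <LF> in both representations
            if (i + 1 < src.size() && src[i + 1] == '\n')
                ++i;
            c = '\n';
        }
        if (c != '\\') { result.raw += c; cooked += c; continue; }
        if (++i == src.size()) { result.syntaxError = true; return result; } // a trailing backslash would have escaped the closing backtick
        char e = src[i];
        result.raw.append(1, '\\').append(1, e); // raw always keeps the escape's source text
        bool ok = true;
        switch (e) {
        case 'n': case 't': case 'r': case 'b': case 'f': case 'v':
            cooked += "\n\t\r\b\f\v"[std::string("ntrbfv").find(e)];
            break;
        case '\n': break; // line continuation: nothing in cooked, backslash and LF stay in raw
        case '0':
            if (i + 1 < src.size() && src[i + 1] >= '0' && src[i + 1] <= '9')
                ok = false; // \0 followed by a digit is a legacy octal escape
            else
                cooked += '\0';
            break;
        case 'x': case 'u': {
            size_t start = i + 1, count = e == 'x' ? 2 : 4;
            if (e == 'u' && start < src.size() && src[start] == '{') { // \u{...}: digits up to '}'
                size_t close = src.find('}', ++start);
                count = close == std::string::npos ? 0 : close - start;
            }
            std::optional<uint32_t> cp = parseHex(src, start, count);
            if (!cp) { ok = false; break; } // bad digits are left to the main loop, so raw still gets them
            appendUtf8(cooked, *cp);
            size_t end = start + count + (src[i + 1] == '{' ? 1 : 0); // one past the digits (and the '}')
            result.raw.append(src, i + 1, end - i - 1);
            i = end - 1;
            break;
        }
        default:
            if (e >= '1' && e <= '9')
                ok = false; // legacy octal and decimal escapes are never valid in templates
            else
                cooked += e; // identity escape, e.g. \` \$ \\ \{
        }
        if (!ok)
            invalidEscape = true;
    }
    if (!invalidEscape)
        result.cooked = std::move(cooked);
    else if (!tagged)
        result.syntaxError = true; // an untagged literal has no raw value to fall back on
    return result;
}
```

Run on `\unicode`, the scanner reports a SyntaxError for an untagged literal but, for a tagged one, returns a raw value of `\unicode` with no cooked value, which is what the tag function would observe as `undefined`.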
2977
2978 2017-01-27  Saam Barati  <sbarati@apple.com>
2979
2980         Make the CLI for the sampling profiler better for inlined call site indices
2981         https://bugs.webkit.org/show_bug.cgi?id=167482
2982
2983         Reviewed by Mark Lam.
2984
2985         This patch changes the command line interface for the sampling
2986         profiler to also dump the machine frame that the semantic code
2987         origin is in if the semantic code origin is inlined. This helps
2988         when doing performance work because it's helpful to know the
2989         context that an inlined frame is in. Before, we used to just
2990         say it was in the baseline JIT if it didn't have its own optimized
2991         compile. Now, we can tell that it's inlined into a DFG or FTL frame.
2992
2993         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2994         (Inspector::buildSamples):
2995         * runtime/Options.h:
2996         * runtime/SamplingProfiler.cpp:
2997         (JSC::SamplingProfiler::processUnverifiedStackTraces):
2998         (JSC::SamplingProfiler::reportTopFunctions):
2999         (JSC::SamplingProfiler::reportTopBytecodes):
3000         * runtime/SamplingProfiler.h:
3001         (JSC::SamplingProfiler::StackFrame::CodeLocation::hasCodeBlockHash):
3002         (JSC::SamplingProfiler::StackFrame::CodeLocation::hasBytecodeIndex):
3003         (JSC::SamplingProfiler::StackFrame::CodeLocation::hasExpressionInfo):
3004         (JSC::SamplingProfiler::StackFrame::hasExpressionInfo):
3005         (JSC::SamplingProfiler::StackFrame::lineNumber):
3006         (JSC::SamplingProfiler::StackFrame::columnNumber):
3007         (JSC::SamplingProfiler::StackFrame::hasBytecodeIndex): Deleted.
3008         (JSC::SamplingProfiler::StackFrame::hasCodeBlockHash): Deleted.
3009
3010 2017-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3011
3012         Extend create_hash_table to specify Intrinsic
3013         https://bugs.webkit.org/show_bug.cgi?id=167505
3014
3015         Reviewed by Sam Weinig.
3016
3017         This patch extends create_hash_table to specify Intrinsic.
3018         We can set Intrinsic in the static property table definition
3019         in runtime/XXX.h.
3020
3021         And drop the ad hoc code for String.fromCharCode in create_hash_table.
3022
3023         * create_hash_table:
3024         * runtime/StringConstructor.cpp:
3025
3026 2017-01-27  Filip Pizlo  <fpizlo@apple.com>
3027
3028         scanExternalRememberedSet needs to mergeIfNecessary
3029         https://bugs.webkit.org/show_bug.cgi?id=167523
3030
3031         Reviewed by Keith Miller.
3032         
3033         The protocol for opaque roots is that if you add to them outside of draining, then you need to call
3034         mergeIfNecessary.
3035         
3036         This means that every MarkingConstraint that adds opaque roots needs to mergeIfNecessary after.
3037         
3038         scanExternalRememberedSet transitively calls addOpaqueRoot, is called from a MarkingConstraint, and
3039         was missing a call to mergeIfNecessary. This fixes it.
3040
3041         * API/JSVirtualMachine.mm:
3042         (scanExternalRememberedSet):
3043
3044 2017-01-27  Carlos Garcia Campos  <cgarcia@igalia.com>
3045
3046         Unreviewed. Fix GTK+ debug build after r211247.
3047
3048         * heap/GCAssertions.h:
3049
3050 2017-01-26  Keith Miller  <keith_miller@apple.com>
3051
3052         classInfo should take a VM so it is not materialized from the object on each call
3053         https://bugs.webkit.org/show_bug.cgi?id=167424
3054
3055         Rubber Stamped by Michael Saboff.
3056
3057         Previously, classInfo() would get the VM from the target's
3058         MarkedBlock.  Most callers already have a VM on hand, so it is
3059         wasteful to compute the VM from the marked block every time. This
3060         patch refactors some of the most common callers of classInfo(),
3061         jsDynamicCast and inherits to take a VM as well.
3062
3063         * API/JSCallbackConstructor.cpp:
3064         (JSC::JSCallbackConstructor::finishCreation):
3065         * API/JSCallbackFunction.cpp:
3066         (JSC::JSCallbackFunction::finishCreation):
3067         * API/JSCallbackObjectFunctions.h:
3068         (JSC::JSCallbackObject<Parent>::asCallbackObject):
3069         (JSC::JSCallbackObject<Parent>::finishCreation):
3070         * API/JSObjectRef.cpp:
3071         (JSObjectSetPrototype):
3072         (classInfoPrivate):
3073         (JSObjectGetPrivate):
3074         (JSObjectSetPrivate):
3075         (JSObjectGetPrivateProperty):
3076         (JSObjectSetPrivateProperty):
3077         (JSObjectDeletePrivateProperty):
3078         * API/JSTypedArray.cpp:
3079         (JSValueGetTypedArrayType):
3080         (JSObjectMakeTypedArrayWithArrayBuffer):
3081         (JSObjectMakeTypedArrayWithArrayBufferAndOffset):
3082         (JSObjectGetTypedArrayBytesPtr):
3083         (JSObjectGetTypedArrayLength):
3084         (JSObjectGetTypedArrayByteLength):
3085         (JSObjectGetTypedArrayByteOffset):
3086         (JSObjectGetTypedArrayBuffer):
3087         (JSObjectGetArrayBufferBytesPtr):
3088         (JSObjectGetArrayBufferByteLength):
3089         * API/JSValue.mm:
3090         (isDate):
3091         (isArray):
3092         (valueToObjectWithoutCopy):
3093         * API/JSValueRef.cpp:
3094         (JSValueIsArray):
3095         (JSValueIsDate):
3096         (JSValueIsObjectOfClass):
3097         * API/JSWeakObjectMapRefPrivate.cpp:
3098         * API/JSWrapperMap.mm:
3099         (tryUnwrapObjcObject):
3100         * API/ObjCCallbackFunction.h:
3101         * API/ObjCCallbackFunction.mm:
3102         (tryUnwrapConstructor):
3103         * bindings/ScriptFunctionCall.cpp:
3104         (Deprecated::ScriptFunctionCall::call):
3105         * bytecode/CallVariant.h:
3106         (JSC::CallVariant::internalFunction):
3107         (JSC::CallVariant::function):
3108         (JSC::CallVariant::isClosureCall):
3109         (JSC::CallVariant::executable):
3110         (JSC::CallVariant::functionExecutable):
3111         (JSC::CallVariant::nativeExecutable):
3112         * bytecode/CodeBlock.cpp:
3113         (JSC::CodeBlock::finishCreation):
3114         (JSC::CodeBlock::setConstantRegisters):
3115         (JSC::CodeBlock::replacement):
3116         (JSC::CodeBlock::computeCapabilityLevel):
3117         (JSC::CodeBlock::nameForRegister):
3118         * bytecode/ObjectAllocationProfile.h:
3119         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
3120         * bytecode/ObjectPropertyCondition.cpp:
3121         (JSC::ObjectPropertyCondition::attemptToMakeEquivalenceWithoutBarrier):
3122         * bytecode/ObjectPropertyCondition.h:
3123         (JSC::ObjectPropertyCondition::isValidValueForPresence):
3124         * bytecode/PropertyCondition.cpp:
3125         (JSC::PropertyCondition::isValidValueForAttributes):
3126         (JSC::PropertyCondition::isValidValueForPresence):
3127         (JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier):
3128         * bytecode/PropertyCondition.h:
3129         * bytecode/SpeculatedType.cpp:
3130         (JSC::speculationFromCell):
3131         * debugger/Debugger.cpp:
3132         * debugger/DebuggerCallFrame.cpp:
3133         (JSC::DebuggerCallFrame::functionName):
3134         (JSC::DebuggerCallFrame::scope):
3135         (JSC::DebuggerCallFrame::type):
3136         * debugger/DebuggerScope.cpp:
3137         (JSC::DebuggerScope::name):
3138         (JSC::DebuggerScope::location):
3139         * dfg/DFGAbstractInterpreter.h:
3140         * dfg/DFGAbstractInterpreterInlines.h:
3141         (JSC::DFG::AbstractInterpreter<AbstractStateType>::AbstractInterpreter):
3142         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3143         * dfg/DFGByteCodeParser.cpp:
3144         (JSC::DFG::ByteCodeParser::get):
3145         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3146         (JSC::DFG::ByteCodeParser::planLoad):
3147         (JSC::DFG::ByteCodeParser::checkPresenceLike):
3148         (JSC::DFG::ByteCodeParser::load):
3149         (JSC::DFG::ByteCodeParser::parseBlock):
3150         * dfg/DFGConstantFoldingPhase.cpp:
3151         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3152         * dfg/DFGDesiredWeakReferences.cpp:
3153         (JSC::DFG::DesiredWeakReferences::reallyAdd):
3154         * dfg/DFGFixupPhase.cpp:
3155         (JSC::DFG::FixupPhase::fixupMakeRope):
3156         * dfg/DFGFrozenValue.h:
3157         (JSC::DFG::FrozenValue::FrozenValue):
3158         (JSC::DFG::FrozenValue::dynamicCast):
3159         * dfg/DFGGraph.cpp:
3160         (JSC::DFG::Graph::dump):
3161         (JSC::DFG::Graph::tryGetConstantClosureVar):
3162         (JSC::DFG::Graph::tryGetFoldableView):
3163         (JSC::DFG::Graph::getRegExpPrototypeProperty):
3164         (JSC::DFG::Graph::isStringPrototypeMethodSane):
3165         (JSC::DFG::Graph::canOptimizeStringObjectAccess):
3166         * dfg/DFGLazyJSValue.cpp:
3167         (JSC::DFG::LazyJSValue::tryGetStringImpl):
3168         (JSC::DFG::LazyJSValue::tryGetString):
3169         * dfg/DFGLazyJSValue.h:
3170         * dfg/DFGNode.cpp:
3171         (JSC::DFG::Node::convertToPutStructureHint):
3172         * dfg/DFGNode.h:
3173         (JSC::DFG::Node::dynamicCastConstant):
3174         (JSC::DFG::Node::castConstant):
3175         * dfg/DFGOperations.cpp:
3176         * dfg/DFGSafeToExecute.h:
3177         (JSC::DFG::safeToExecute):
3178         * dfg/DFGSpeculativeJIT.cpp:
3179         (JSC::DFG::SpeculativeJIT::compileIn):
3180         (JSC::DFG::SpeculativeJIT::compileMaterializeNewObject):
3181         * dfg/DFGSpeculativeJIT32_64.cpp:
3182         (JSC::DFG::SpeculativeJIT::emitCall):
3183         (JSC::DFG::SpeculativeJIT::compile):
3184         * dfg/DFGSpeculativeJIT64.cpp:
3185         (JSC::DFG::SpeculativeJIT::emitCall):
3186         (JSC::DFG::SpeculativeJIT::compile):
3187         * dfg/DFGStrengthReductionPhase.cpp:
3188         (JSC::DFG::StrengthReductionPhase::handleNode):
3189         * ftl/FTLLowerDFGToB3.cpp:
3190         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
3191         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
3192         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
3193         (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
3194         * ftl/FTLOperations.cpp:
3195         (JSC::FTL::operationMaterializeObjectInOSR):
3196         * heap/CodeBlockSet.cpp:
3197         (JSC::CodeBlockSet::lastChanceToFinalize):
3198         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
3199         * heap/CodeBlockSet.h:
3200         * heap/GCAssertions.h:
3201         * heap/Heap.cpp:
3202         (JSC::Heap::lastChanceToFinalize):
3203         (JSC::Heap::protectedObjectTypeCounts):
3204         (JSC::Heap::objectTypeCounts):
3205         (JSC::Heap::deleteUnmarkedCompiledCode):
3206         * heap/HeapSnapshotBuilder.cpp:
3207         (JSC::HeapSnapshotBuilder::json):
3208         * heap/SlotVisitor.cpp:
3209         (JSC::validate):
3210         * inspector/InjectedScriptHost.h:
3211         * inspector/JSGlobalObjectInspectorController.cpp:
3212         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
3213         * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::finishCreation):
        (Inspector::JSInjectedScriptHost::isHTMLAllCollection):
        (Inspector::JSInjectedScriptHost::subtype):
        (Inspector::JSInjectedScriptHost::functionDetails):
        (Inspector::JSInjectedScriptHost::getInternalProperties):
        (Inspector::JSInjectedScriptHost::proxyTargetValue):
        (Inspector::JSInjectedScriptHost::weakMapSize):
        (Inspector::JSInjectedScriptHost::weakMapEntries):
        (Inspector::JSInjectedScriptHost::weakSetSize):
        (Inspector::JSInjectedScriptHost::weakSetEntries):
        (Inspector::JSInjectedScriptHost::iteratorEntries):
        * inspector/JSInjectedScriptHostPrototype.cpp:
        (Inspector::JSInjectedScriptHostPrototype::finishCreation):
        (Inspector::jsInjectedScriptHostPrototypeAttributeEvaluate):
        (Inspector::jsInjectedScriptHostPrototypeFunctionInternalConstructorName):
        (Inspector::jsInjectedScriptHostPrototypeFunctionIsHTMLAllCollection):
        (Inspector::jsInjectedScriptHostPrototypeFunctionProxyTargetValue):
        (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapSize):
        (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapEntries):
        (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetSize):
        (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetEntries):
        (Inspector::jsInjectedScriptHostPrototypeFunctionIteratorEntries):
        (Inspector::jsInjectedScriptHostPrototypeFunctionEvaluateWithScopeExtension):
        (Inspector::jsInjectedScriptHostPrototypeFunctionSubtype):
        (Inspector::jsInjectedScriptHostPrototypeFunctionFunctionDetails):
        (Inspector::jsInjectedScriptHostPrototypeFunctionGetInternalProperties):
        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::JSJavaScriptCallFrame::finishCreation):
        (Inspector::toJSJavaScriptCallFrame): Deleted.
        * inspector/JSJavaScriptCallFrame.h:
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
        (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluateWithScopeExtension):
        (Inspector::jsJavaScriptCallFramePrototypeFunctionScopeDescriptions):
        (Inspector::jsJavaScriptCallFrameAttributeCaller):
        (Inspector::jsJavaScriptCallFrameAttributeSourceID):
        (Inspector::jsJavaScriptCallFrameAttributeLine):
        (Inspector::jsJavaScriptCallFrameAttributeColumn):
        (Inspector::jsJavaScriptCallFrameAttributeFunctionName):
        (Inspector::jsJavaScriptCallFrameAttributeScopeChain):
        (Inspector::jsJavaScriptCallFrameAttributeThisObject):
        (Inspector::jsJavaScriptCallFrameAttributeType):
        (Inspector::jsJavaScriptCallFrameIsTailDeleted):
        * inspector/ScriptArguments.cpp:
        (Inspector::ScriptArguments::getFirstArgumentAsString):
        * inspector/agents/InspectorHeapAgent.cpp:
        (Inspector::InspectorHeapAgent::getPreview):
        * interpreter/Interpreter.cpp:
        (JSC::notifyDebuggerOfUnwinding):
        (JSC::Interpreter::unwind):
        (JSC::Interpreter::notifyDebuggerOfExceptionToBeThrown):
        (JSC::Interpreter::execute):
        * interpreter/ShadowChicken.cpp:
        (JSC::ShadowChicken::update):
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::readFrame):
        (JSC::StackVisitor::readNonInlinedFrame):
        (JSC::StackVisitor::Frame::calleeSaveRegisters):
        * jit/JITCode.cpp:
        (JSC::JITCode::execute):
        * jit/JITOperations.cpp:
        (JSC::operationNewFunctionCommon):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        * jsc.cpp:
        (WTF::CustomGetter::customGetter):
        (WTF::RuntimeArray::finishCreation):
        (WTF::RuntimeArray::lengthGetter):
        (WTF::DOMJITGetter::customGetter):
        (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::slowCall):
        (WTF::DOMJITGetterComplex::functionEnableException):
        (WTF::DOMJITGetterComplex::customGetter):
        (WTF::DOMJITFunctionObject::safeFunction):
        (functionDescribeArray):
        (functionCreateElement):
        (functionGetElement):
        (functionSetElementRoot):
        (functionGetHiddenValue):
        (functionSetHiddenValue):
        (functionSetImpureGetterDelegate):
        (functionNoFTL):
        (functionDollarEvalScript):
        (functionDollarAgentBroadcast):
        (functionTransferArrayBuffer):
        (functionFindTypeForExpression):
        (functionReturnTypeFor):
        (functionHasBasicBlockExecuted):
        (functionBasicBlockExecutionCount):
        (functionEnsureArrayStorage):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/AbstractModuleRecord.cpp:
        (JSC::AbstractModuleRecord::finishCreation):
        * runtime/ArrayBuffer.cpp:
        (JSC::ArrayBuffer::transferTo):
        * runtime/ArrayBuffer.h:
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::finishCreation):
        (JSC::arrayConstructorPrivateFuncIsArraySlow):
        (JSC::arrayConstructorPrivateFuncIsArrayConstructor):
        * runtime/ArrayConstructor.h:
        (JSC::isArrayConstructor): Deleted.
        * runtime/ArrayIteratorPrototype.cpp:
        (JSC::ArrayIteratorPrototype::finishCreation):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        * runtime/AsyncFunctionPrototype.cpp:
        (JSC::AsyncFunctionPrototype::finishCreation):
        * runtime/AtomicsObject.cpp:
        (JSC::AtomicsObject::finishCreation):
        (JSC::atomicsFuncWait):
        (JSC::atomicsFuncWake):
        * runtime/BooleanObject.cpp:
        (JSC::BooleanObject::finishCreation):
        * runtime/BooleanObject.h:
        (JSC::asBooleanObject):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::finishCreation):
        (JSC::booleanProtoFuncToString):
        (JSC::booleanProtoFuncValueOf):
        * runtime/ConsoleObject.cpp:
        (JSC::ConsoleObject::finishCreation):
        * runtime/DateConstructor.cpp:
        (JSC::constructDate):
        * runtime/DateInstance.cpp:
        (JSC::DateInstance::finishCreation):
        * runtime/DateInstance.h:
        (JSC::asDateInstance):
        * runtime/DatePrototype.cpp:
        (JSC::formateDateInstance):
        (JSC::DatePrototype::finishCreation):
        (JSC::dateProtoFuncToISOString):
        (JSC::dateProtoFuncToLocaleString):
        (JSC::dateProtoFuncToLocaleDateString):
        (JSC::dateProtoFuncToLocaleTimeString):
        (JSC::dateProtoFuncGetTime):
        (JSC::dateProtoFuncGetFullYear):
        (JSC::dateProtoFuncGetUTCFullYear):
        (JSC::dateProtoFuncGetMonth):
        (JSC::dateProtoFuncGetUTCMonth):
        (JSC::dateProtoFuncGetDate):
        (JSC::dateProtoFuncGetUTCDate):
        (JSC::dateProtoFuncGetDay):
        (JSC::dateProtoFuncGetUTCDay):
        (JSC::dateProtoFuncGetHours):
        (JSC::dateProtoFuncGetUTCHours):
        (JSC::dateProtoFuncGetMinutes):
        (JSC::dateProtoFuncGetUTCMinutes):
        (JSC::dateProtoFuncGetSeconds):
        (JSC::dateProtoFuncGetUTCSeconds):
        (JSC::dateProtoFuncGetMilliSeconds):
        (JSC::dateProtoFuncGetUTCMilliseconds):
        (JSC::dateProtoFuncGetTimezoneOffset):
        (JSC::dateProtoFuncSetTime):
        (JSC::setNewValueFromTimeArgs):
        (JSC::setNewValueFromDateArgs):
        (JSC::dateProtoFuncSetYear):
        (JSC::dateProtoFuncGetYear):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::finishCreation):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::finishCreation):
        * runtime/ExceptionHelpers.cpp:
        (JSC::isTerminatedExecutionException):
        * runtime/ExceptionHelpers.h:
        * runtime/ExecutableBase.cpp:
        (JSC::ExecutableBase::clearCode):
        (JSC::ExecutableBase::dump):
        (JSC::ExecutableBase::hashFor):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        * runtime/GeneratorFunctionPrototype.cpp:
        (JSC::GeneratorFunctionPrototype::finishCreation):
        * runtime/GeneratorPrototype.cpp:
        (JSC::GeneratorPrototype::finishCreation):
        * runtime/GetterSetter.h:
        * runtime/InspectorInstrumentationObject.cpp:
        (JSC::InspectorInstrumentationObject::finishCreation):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::finishCreation):
        (JSC::InternalFunction::createSubclassStructure):
        * runtime/InternalFunction.h:
        (JSC::asInternalFunction):
        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::finishCreation):
        * runtime/IntlCollatorPrototype.cpp:
        (JSC::IntlCollatorPrototypeGetterCompare):
        (JSC::IntlCollatorPrototypeFuncResolvedOptions):
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::finishCreation):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototypeGetterFormat):
        (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::finishCreation):
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatPrototypeGetterFormat):
        (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
        * runtime/IntlObject.cpp:
        (JSC::IntlObject::finishCreation):
        * runtime/IntlObjectInlines.h:
        (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
        * runtime/IteratorPrototype.cpp:
        (JSC::IteratorPrototype::finishCreation):
        * runtime/JSArray.h:
        (JSC::asArray):
        (JSC::isJSArray):
        * runtime/JSArrayBuffer.h:
        (JSC::toPossiblySharedArrayBuffer):
        (JSC::toUnsharedArrayBuffer):
        (JSC::JSArrayBuffer::toWrapped):
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::arrayBufferFuncIsView):
        * runtime/JSArrayBufferPrototype.cpp:
        (JSC::arrayBufferProtoFuncSlice):
        * runtime/JSArrayBufferView.h:
        * runtime/JSArrayBufferViewInlines.h:
        (JSC::JSArrayBufferView::toWrapped):
        * runtime/JSBoundFunction.cpp:
        (JSC::isBoundFunction):
        (JSC::getBoundFunctionStructure):
        (JSC::JSBoundFunction::finishCreation):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpForBacktrace):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::inherits):
        (JSC::JSValue::classInfoOrNull):
        * runtime/JSCallee.cpp:
        (JSC::JSCallee::finishCreation):
        * runtime/JSCell.cpp:
        (JSC::JSCell::dumpToStream):
        (JSC::JSCell::className):
        (JSC::JSCell::isAnyWasmCallee):
        * runtime/JSCell.h:
        (JSC::jsCast):
        (JSC::jsDynamicCast):
        * runtime/JSCellInlines.h:
        (JSC::JSCell::methodTable):
        (JSC::JSCell::inherits):
        (JSC::JSCell::classInfo):
        * runtime/JSCustomGetterSetterFunction.cpp:
        (JSC::JSCustomGetterSetterFunction::finishCreation):
        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):
        (JSC::dataViewProtoGetterBuffer):
        (JSC::dataViewProtoGetterByteLength):
        (JSC::dataViewProtoGetterByteOffset):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::finishCreation):
        (JSC::JSFunction::allocateAndInitializeRareData):
        (JSC::JSFunction::initializeRareData):
        (JSC::RetrieveArgumentsFunctor::RetrieveArgumentsFunctor):
        (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
        (JSC::RetrieveCallerFunctionFunctor::operator()):
        (JSC::JSFunction::callerGetter):
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        (JSC::getCalculatedDisplayName):
        (JSC::JSFunction::reifyBoundNameIfNeeded):
        * runtime/JSGenericTypedArrayView.h:
        (JSC::toPossiblySharedNativeTypedView):
        (JSC::toUnsharedNativeTypedView):
        (JSC::JSGenericTypedArrayView<Adaptor>::toWrapped):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayViewWithArguments):
        (JSC::constructGenericTypedArrayView):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::set):
        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::speciesConstruct):
        (JSC::genericTypedArrayViewProtoFuncSet):
        (JSC::genericTypedArrayViewProtoFuncSlice):
        (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
        * runtime/JSGenericTypedArrayViewPrototypeInlines.h:
        (JSC::JSGenericTypedArrayViewPrototype<ViewClass>::finishCreation):
        * runtime/JSGlobalObject.cpp:
        (JSC::getTemplateObject):
        (JSC::enqueueJob):
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncProtoGetter):
        (JSC::globalFuncProtoSetter):
        * runtime/JSInternalPromiseDeferred.cpp:
        (JSC::JSInternalPromiseDeferred::create):
        * runtime/JSLexicalEnvironment.h:
        (JSC::asActivation):
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::finishCreation):
        (JSC::JSModuleLoader::evaluate):
        (JSC::JSModuleLoader::getModuleNamespaceObject):
        * runtime/JSModuleNamespaceObject.cpp:
        (JSC::JSModuleNamespaceObject::finishCreation):
        (JSC::moduleNamespaceObjectSymbolIterator):
        * runtime/JSModuleRecord.cpp:
        (JSC::JSModuleRecord::finishCreation):
        * runtime/JSNativeStdFunction.cpp:
        (JSC::JSNativeStdFunction::finishCreation):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::finishCreation):
        (JSC::unwrapBoxedPrimitive):
        (JSC::Stringifier::Stringifier):
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::JSObject::className):
        (JSC::JSObject::toStringName):
        (JSC::JSObject::calculatedClassName):
        (JSC::JSObject::putInlineSlow):
        (JSC::JSObject::ensureInt32Slow):
        (JSC::JSObject::ensureDoubleSlow):
        (JSC::JSObject::ensureContiguousSlow):
        (JSC::JSObject::ensureArrayStorageSlow):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::getOwnStaticPropertySlot):
        (JSC::JSObject::findPropertyHashEntry):
        (JSC::JSObject::getOwnNonIndexPropertyNames):
        (JSC::JSObject::reifyAllStaticProperties):
        (JSC::JSObject::getOwnPropertyDescriptor):
        * runtime/JSObject.h:
        (JSC::JSObject::finishCreation):
        (JSC::JSNonFinalObject::finishCreation):
        (JSC::JSFinalObject::finishCreation):
        * runtime/JSPromiseDeferred.cpp:
        (JSC::JSPromiseDeferred::create):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::finishCreation):
        (JSC::propertyNameIteratorFuncNext):
        * runtime/JSScope.cpp:
        (JSC::JSScope::symbolTable):
        * runtime/JSScope.h:
        * runtime/JSString.cpp:
        (JSC::JSString::dumpToStream):
        * runtime/JSStringIterator.cpp:
        (JSC::JSStringIterator::finishCreation):
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::typedArrayViewPrivateFuncIsTypedArrayView):
        (JSC::typedArrayViewPrivateFuncLength):
        (JSC::typedArrayViewPrivateFuncGetOriginalConstructor):
        (JSC::typedArrayViewProtoGetterFuncToStringTag):
        (JSC::JSTypedArrayViewPrototype::finishCreation):
        * runtime/LazyClassStructure.cpp:
        (JSC::LazyClassStructure::Initializer::setConstructor):
        * runtime/Lookup.h:
        (JSC::putEntry):
        * runtime/MapConstructor.cpp:
        (JSC::MapConstructor::finishCreation):
        * runtime/MapIteratorPrototype.cpp:
        (JSC::MapIteratorPrototype::finishCreation):
        (JSC::MapIteratorPrototypeFuncNext):
        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::finishCreation):
        (JSC::mapProtoFuncValues):
        (JSC::mapProtoFuncEntries):
        (JSC::mapProtoFuncKeys):
        (JSC::privateFuncMapIterator):
        (JSC::privateFuncMapIteratorNext):
        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        * runtime/ModuleLoaderPrototype.cpp:
        (JSC::moduleLoaderPrototypeParseModule):
        (JSC::moduleLoaderPrototypeRequestedModules):
        (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
        (JSC::moduleLoaderPrototypeResolve):
        (JSC::moduleLoaderPrototypeFetch):
        (JSC::moduleLoaderPrototypeInstantiate):
        (JSC::moduleLoaderPrototypeGetModuleNamespaceObject):
        (JSC::moduleLoaderPrototypeEvaluate):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::finishCreation):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation):
        * runtime/NumberObject.cpp:
        (JSC::NumberObject::finishCreation):
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::finishCreation):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::finishCreation):
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::finishCreation):
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::toStringName):
        (JSC::ProxyObject::finishCreation):
        * runtime/ReflectObject.cpp:
        (JSC::ReflectObject::finishCreation):
        (JSC::reflectObjectConstruct):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::finishCreation):
        (JSC::setRegExpConstructorInput):
        (JSC::setRegExpConstructorMultiline):
        (JSC::constructRegExp):
        * runtime/RegExpConstructor.h:
        (JSC::asRegExpConstructor):
        (JSC::isRegExp):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::finishCreation):
        * runtime/RegExpObject.h:
        (JSC::asRegExpObject):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):
        (JSC::regExpProtoFuncTestFast):
        (JSC::regExpProtoFuncExec):
        (JSC::regExpProtoFuncMatchFast):
        (JSC::regExpProtoFuncCompile):
        (JSC::regExpProtoGetterGlobal):
        (JSC::regExpProtoGetterIgnoreCase):
        (JSC::regExpProtoGetterMultiline):
        (JSC::regExpProtoGetterSticky):
        (JSC::regExpProtoGetterUnicode):
        (JSC::regExpProtoGetterSource):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        * runtime/ScriptExecutable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::ScriptExecutable::newReplacementCodeBlockFor):
        * runtime/SetConstructor.cpp:
        (JSC::SetConstructor::finishCreation):
        * runtime/SetIteratorPrototype.cpp:
        (JSC::SetIteratorPrototype::finishCreation):
        (JSC::SetIteratorPrototypeFuncNext):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):
        (JSC::setProtoFuncValues):
        (JSC::setProtoFuncEntries):
        (JSC::privateFuncSetIterator):
        (JSC::privateFuncSetIteratorNext):
        * runtime/StackFrame.cpp:
        (JSC::StackFrame::sourceURL):
        (JSC::StackFrame::functionName):
        * runtime/StringIteratorPrototype.cpp:
        (JSC::StringIteratorPrototype::finishCreation):
        * runtime/StringObject.cpp:
        (JSC::StringObject::finishCreation):
        * runtime/StringObject.h:
        (JSC::asStringObject):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        (JSC::replace):
        (JSC::stringProtoFuncReplaceUsingRegExp):
        (JSC::stringProtoFuncToString):
        * runtime/StructureRareData.cpp:
        (JSC::StructureRareData::setObjectToStringValue):
        * runtime/Symbol.cpp:
        (JSC::Symbol::finishCreation):
        * runtime/SymbolConstructor.cpp:
        (JSC::SymbolConstructor::finishCreation):
        * runtime/SymbolObject.cpp:
        (JSC::SymbolObject::finishCreation):
        * runtime/SymbolPrototype.cpp:
        (JSC::SymbolPrototype::finishCreation):
        (JSC::symbolProtoFuncToString):
        (JSC::symbolProtoFuncValueOf):
        * runtime/TestRunnerUtils.cpp:
        (JSC::getExecutableForFunction):
        * runtime/ThrowScope.cpp:
        (JSC::ThrowScope::throwException):
        * runtime/VM.cpp:
        (JSC::VM::throwException):
        * runtime/WeakMapConstructor.cpp:
        (JSC::WeakMapConstructor::finishCreation):
        * runtime/WeakMapPrototype.cpp:
        (JSC::WeakMapPrototype::finishCreation):
        (JSC::getWeakMapData):
        * runtime/WeakSetConstructor.cpp:
        (JSC::WeakSetConstructor::finishCreation):
        * runtime/WeakSetPrototype.cpp:
        (JSC::WeakSetPrototype::finishCreation):
        (JSC::getWeakMapData):
        * tools/JSDollarVMPrototype.cpp:
        (JSC::codeBlockFromArg):
        * wasm/JSWebAssembly.cpp:
        (JSC::JSWebAssembly::finishCreation):
        * wasm/js/JSWebAssemblyHelpers.h:
        (JSC::getWasmBufferFromValue):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::finishCreation):
        * wasm/js/JSWebAssemblyMemory.cpp:
        (JSC::JSWebAssemblyMemory::grow):
        (JSC::JSWebAssemblyMemory::finishCreation):
        (JSC::JSWebAssemblyMemory::destroy):
        (JSC::JSWebAssemblyMemory::~JSWebAssemblyMemory): Deleted.
        * wasm/js/JSWebAssemblyMemory.h:
        * wasm/js/JSWebAssemblyModule.cpp:
        (JSC::JSWebAssemblyModule::finishCreation):
        * wasm/js/JSWebAssemblyTable.cpp:
        (JSC::JSWebAssemblyTable::finishCreation):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):
        (JSC::WebAssemblyFunction::finishCreation):
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::constructJSWebAssemblyInstance):
        * wasm/js/WebAssemblyMemoryPrototype.cpp:
        (JSC::getMemory):
        * wasm/js/WebAssemblyModulePrototype.cpp:
        (JSC::webAssemblyModuleProtoCustomSections):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::finishCreation):
        * wasm/js/WebAssemblyTablePrototype.cpp:
        (JSC::getTable):
        (JSC::webAssemblyTableProtoFuncSet):

2017-01-26  Mark Lam  <mark.lam@apple.com>

        Fix missing exception check in genericTypedArrayViewProtoFuncSet().
        https://bugs.webkit.org/show_bug.cgi?id=166812
        <rdar://problem/29916672>

        Reviewed by Saam Barati.

        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::genericTypedArrayViewProtoFuncSet):

2017-01-26  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r211224.
        https://bugs.webkit.org/show_bug.cgi?id=167479

        "It was a Kraken performance regression" (Requested by
        saamyjoon on #webkit).

        Reverted changeset:

        "OSR entry: delay outer-loop compilation when at inner-loop"
        https://bugs.webkit.org/show_bug.cgi?id=167149
        http://trac.webkit.org/changeset/211224

2017-01-26  Saam Barati  <sbarati@apple.com>

        Harden how the compiler references GC objects
        https://bugs.webkit.org/show_bug.cgi?id=167277
        <rdar://problem/30179506>

        Reviewed by Filip Pizlo.

        Since r210971, the DFG/FTL will flash safepoints before
        each phase. This means that there are more opportunities for
        a GC to happen while the compiler is running. Because of this,
        the compiler must keep track of all the heap pointers that are part
        of the Graph data structure. To accomplish this, I've designed
        a new type called RegisteredStructure that can only be constructed
        after the Graph becomes aware of its underlying Structure*. I
        designed this new type to have the type system in C++ help us catch
        errors where we're not informing the graph/plan of a heap pointer.
        I've made it a compile error to create an OpInfo with a pointer
        T* where T inherits from HeapCell. This encourages an OpInfo
        to be created with either a FrozenValue* or a RegisteredStructure.
        I've added similar compile time assertions for TrustedImmPtr in DFG::SpeculativeJIT
        and FTL::Output::constIntPtr. These static asserts don't save us from all bad
        programs because there are ways to write code that's incorrect that compiles,
        but the new types do help us ensure that the most obvious way of writing the
        code is correct.

        The reason this patch is so big is that I've strung RegisteredStructure and
        RegisteredStructureSet through the entire DFG/FTL.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::determineLiveness):
        * bytecode/StructureSet.cpp:
        (JSC::StructureSet::filter): Deleted.
        (JSC::StructureSet::filterArrayModes): Deleted.
        (JSC::StructureSet::speculationFromStructures): Deleted.
        (JSC::StructureSet::arrayModesFromStructures): Deleted.
        (JSC::StructureSet::validateReferences): Deleted.
        * bytecode/StructureSet.h:
        * dfg/DFGAbstractInterpreter.h:
        (JSC::DFG::AbstractInterpreter::filter):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::booleanResult):
        (JSC::DFG::isToThisAnIdentity):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::filter):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::set):
        (JSC::DFG::AbstractValue::setType):
        (JSC::DFG::AbstractValue::mergeOSREntryValue):
        (JSC::DFG::AbstractValue::filter):
        (JSC::DFG::AbstractValue::changeStructure):
        (JSC::DFG::AbstractValue::contains):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::observeTransition):
        (JSC::DFG::AbstractValue::TransitionObserver::TransitionObserver):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::alreadyChecked):
        * dfg/DFGArrayifySlowPathGenerator.h:
        (JSC::DFG::ArrayifySlowPathGenerator::ArrayifySlowPathGenerator):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        (JSC::DFG::ByteCodeParser::load):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
        (JSC::DFG::CallArrayAllocatorSlowPathGenerator::CallArrayAllocatorSlowPathGenerator):
        (JSC::DFG::CallArrayAllocatorWithVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableSizeSlowPathGenerator):
        * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
        (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
        * dfg/DFGCommonData.cpp:
        (JSC::DFG::CommonData::notifyCompilingStructureTransition):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
        (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
        (JSC::DFG::ConstantFoldingPhase::addBaseCheck):
        (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
        * dfg/DFGDesiredWeakReferences.cpp:
        (JSC::DFG::DesiredWeakReferences::reallyAdd):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::checkArray):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::tryGetConstantProperty):
        (JSC::DFG::Graph::inferredValueForProperty):
        (JSC::DFG::Graph::visitChildren):
        (JSC::DFG::Graph::freeze):
        (JSC::DFG::Graph::registerStructure):
        (JSC::DFG::Graph::assertIsRegistered):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::registerStructure):
        (JSC::DFG::Graph::addStructureSet):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::branchWeakStructure):
        * dfg/DFGMultiGetByOffsetData.cpp:
        (JSC::DFG::MultiGetByOffsetCase::dumpInContext):
        * dfg/DFGMultiGetByOffsetData.h:
        (JSC::DFG::MultiGetByOffsetCase::MultiGetByOffsetCase):
        (JSC::DFG::MultiGetByOffsetCase::set):
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::convertToPutStructureHint):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToCheckStructure):
        (JSC::DFG::Node::structureSet):
        (JSC::DFG::Node::structure):
        (JSC::DFG::Node::OpInfoWrapper::OpInfoWrapper):
        (JSC::DFG::Node::OpInfoWrapper::operator=):
        (JSC::DFG::Node::OpInfoWrapper::asRegisteredStructure):
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * dfg/DFGOpInfo.h: