a07ac081f5993546695fd6d3066b9541d1f31293
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2017-01-13  Joseph Pecoraro  <pecoraro@apple.com>
2
3         Remove ENABLE(DETAILS_ELEMENT) guards
4         https://bugs.webkit.org/show_bug.cgi?id=167042
5
6         Reviewed by Alex Christensen.
7
8         * Configurations/FeatureDefines.xcconfig:
9
10 2017-01-11  Darin Adler  <darin@apple.com>
11
12         Remove PassRefPtr from more of "platform"
13         https://bugs.webkit.org/show_bug.cgi?id=166809
14
15         Reviewed by Sam Weinig.
16
17         * inspector/JSInjectedScriptHost.h:
18         (Inspector::JSInjectedScriptHost::impl): Simplified code since we don't need a
19         const_cast here any more.
20         * runtime/PrivateName.h:
21         (JSC::PrivateName::uid): Ditto.
22
23 2017-01-13  Ryan Haddad  <ryanhaddad@apple.com>
24
25         Unreviewed, rolling out r210735.
26
27         This change introduced LayoutTest and JSC test flakiness.
28
29         Reverted changeset:
30
31         "Reserve capacity for StringBuilder in unescape"
32         https://bugs.webkit.org/show_bug.cgi?id=167008
33         http://trac.webkit.org/changeset/210735
34
35 2017-01-13  Saam Barati  <sbarati@apple.com>
36
37         Initialize the ArraySpecies watchpoint as Clear and transition to IsWatched once slice is called for the first time
38         https://bugs.webkit.org/show_bug.cgi?id=167017
39         <rdar://problem/30019309>
40
41         Reviewed by Keith Miller and Filip Pizlo.
42
43         This patch is to reverse the JSBench regression from r210695.
44         
45         The new state diagram for the array species watchpoint is as
46         follows:
47         
48         1. On GlobalObject construction, it starts life out as ClearWatchpoint.
49         2. When slice is called for the first time, we observe the state
50         of the world, and either transition it to IsWatched if we were able
51         to set up the object property conditions, or to IsInvalidated if we
52         were not.
53         3. The DFG compiler will now only lower slice as an intrinsic if
54         it observed the speciesWatchpoint.state() as IsWatched.
55         4. The IsWatched => IsInvalidated transition happens only when
56         one of the object property condition watchpoints fire.
57
58         * dfg/DFGByteCodeParser.cpp:
59         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
60         * runtime/ArrayPrototype.cpp:
61         (JSC::speciesWatchpointIsValid):
62         (JSC::speciesConstructArray):
63         (JSC::arrayProtoPrivateFuncConcatMemcpy):
64         (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
65         (JSC::ArrayPrototype::initializeSpeciesWatchpoint): Deleted.
66         * runtime/ArrayPrototype.h:
67         * runtime/JSGlobalObject.cpp:
68         (JSC::JSGlobalObject::JSGlobalObject):
69         (JSC::JSGlobalObject::init):
70
71 2017-01-13  Yusuke Suzuki  <utatane.tea@gmail.com>
72
73         Reserve capacity for StringBuilder in unescape
74         https://bugs.webkit.org/show_bug.cgi?id=167008
75
76         Reviewed by Sam Weinig.
77
78         `unescape` function is frequently called in Kraken sha256-iterative.
79         This patch just reserves the capacity for the StringBuilder.
80
81         Currently, we select the length of the string for the reserved capacity.
82         It improves performance by 2.73%.
83
84             Benchmark report for Kraken on sakura-trick.
85
86             VMs tested:
87             "baseline" at /home/yusukesuzuki/dev/WebKit/WebKitBuild/untot/Release/bin/jsc
88             "patched" at /home/yusukesuzuki/dev/WebKit/WebKitBuild/un/Release/bin/jsc
89
90             Collected 100 samples per benchmark/VM, with 100 VM invocations per benchmark. Emitted a call to gc() between
91             sample measurements. Used 1 benchmark iteration per VM invocation for warm-up. Used the jsc-specific preciseTime()
92             function to get microsecond-level timing. Reporting benchmark execution times with 95% confidence intervals in
93             milliseconds.
94
95                                                        baseline                  patched
96
97             stanford-crypto-sha256-iterative        51.609+-0.672             50.237+-0.860           might be 1.0273x faster
98
99             <arithmetic>                            51.609+-0.672             50.237+-0.860           might be 1.0273x faster
100
101         * runtime/JSGlobalObjectFunctions.cpp:
102         (JSC::globalFuncUnescape):
103
104 2017-01-12  Saam Barati  <sbarati@apple.com>
105
106         Add a slice intrinsic to the DFG/FTL
107         https://bugs.webkit.org/show_bug.cgi?id=166707
108         <rdar://problem/29913445>
109
110         Reviewed by Filip Pizlo.
111
112         The gist of this patch is to inline Array.prototype.slice
113         into the DFG/FTL. The implementation in the DFG-backend
114         and FTLLowerDFGToB3 is just a straight forward implementation
115         of what the C function is doing. The more interesting bits
116         of this patch are setting up the proper watchpoints and conditions
117         in the executing code to prove that it's safe to skip all of the
118         observable JS actions that Array.prototype.slice normally does.
119         
120         We perform the following proofs:
121         1. Array.prototype.constructor has not changed (via a watchpoint).
122         2. That Array.prototype.constructor[Symbol.species] has not changed (via a watchpoint).
123         3. The global object is not having a bad time.
124         4. The array that is being sliced has an original array structure.
125         5. Array.prototype/Object.prototype have not transitioned.
126         
127         Conditions 1, 2, and 3 are strictly required.
128         
129         4 is ensuring a couple things:
130         1. That a "constructor" property hasn't been added to the array
131         we're slicing since we're supposed to perform a Get(array, "constructor").
132         2. That we're not slicing an instance of a subclass of Array.
133         
134         We could relax 4.1 in the future if we find other ways to test if
135         the incoming array hasn't changed the "constructor" property. We
136         would probably use TryGetById to do this.
137         
138         I'm seeing a 5% speedup on crypto-pbkdf2 and often a 1% speedup on
139         the total benchmark (the results are sometimes noisy).
140
141         * dfg/DFGAbstractInterpreterInlines.h:
142         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
143         * dfg/DFGByteCodeParser.cpp:
144         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
145         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
146         (JSC::DFG::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator):
147         * dfg/DFGClobberize.h:
148         (JSC::DFG::clobberize):
149         * dfg/DFGDoesGC.cpp:
150         (JSC::DFG::doesGC):
151         * dfg/DFGFixupPhase.cpp:
152         (JSC::DFG::FixupPhase::fixupNode):
153         * dfg/DFGNodeType.h:
154         * dfg/DFGPredictionPropagationPhase.cpp:
155         * dfg/DFGSafeToExecute.h:
156         (JSC::DFG::safeToExecute):
157         * dfg/DFGSpeculativeJIT.cpp:
158         (JSC::DFG::SpeculativeJIT::compileArraySlice):
159         (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
160         * dfg/DFGSpeculativeJIT.h:
161         * dfg/DFGSpeculativeJIT32_64.cpp:
162         (JSC::DFG::SpeculativeJIT::compile):
163         (JSC::DFG::SpeculativeJIT::emitInitializeButterfly):
164         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
165         * dfg/DFGSpeculativeJIT64.cpp:
166         (JSC::DFG::SpeculativeJIT::compile):
167         (JSC::DFG::SpeculativeJIT::emitInitializeButterfly):
168         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
169         * ftl/FTLAbstractHeapRepository.h:
170         * ftl/FTLCapabilities.cpp:
171         (JSC::FTL::canCompile):
172         * ftl/FTLLowerDFGToB3.cpp:
173         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
174         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
175         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
176         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
177         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
178         (JSC::FTL::DFG::LowerDFGToB3::storeStructure):
179         (JSC::FTL::DFG::LowerDFGToB3::allocateCell):
180         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
181         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
182         (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArray):
183         * jit/AssemblyHelpers.cpp:
184         (JSC::AssemblyHelpers::emitLoadStructure):
185         * runtime/ArrayPrototype.cpp:
186         (JSC::ArrayPrototype::finishCreation):
187         (JSC::speciesWatchpointIsValid):
188         (JSC::speciesConstructArray):
189         (JSC::arrayProtoFuncSlice):
190         (JSC::arrayProtoPrivateFuncConcatMemcpy):
191         (JSC::ArrayPrototype::initializeSpeciesWatchpoint):
192         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
193         (JSC::speciesWatchpointsValid): Deleted.
194         (JSC::ArrayPrototype::attemptToInitializeSpeciesWatchpoint): Deleted.
195         * runtime/ArrayPrototype.h:
196         (JSC::ArrayPrototype::speciesWatchpointStatus): Deleted.
197         (): Deleted.
198         * runtime/Intrinsic.h:
199         * runtime/JSGlobalObject.cpp:
200         (JSC::JSGlobalObject::JSGlobalObject):
201         (JSC::JSGlobalObject::init):
202         * runtime/JSGlobalObject.h:
203         (JSC::JSGlobalObject::arraySpeciesWatchpoint):
204         * runtime/Structure.h:
205
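Added example, not code from the WebKit ChangeLog or from JavaScriptCore: plain JavaScript that triggers each observable step of Array.prototype.slice behind conditions 1 through 4 of the entry above (the same conditions the ArraySpecies watchpoint entry dated 2017-01-13 guards). The Tracked and LoggingArray constructors and the return shapes are constructed for this demo; every function restores the global state it touches.

```javascript
// Added example, not code from the WebKit ChangeLog or from JavaScriptCore.
// Each function performs one of the observable steps of Array.prototype.slice
// (ArraySpeciesCreate and prototype-chain lookups) that the commit's proofs
// must rule out before the DFG/FTL inlines slice. Tracked, LoggingArray and
// the returned objects are constructed for this demo.

// Returns a constructor that records the length slice asks it for.
// Symbol.species must point back at it, otherwise ArraySpeciesCreate falls
// back to a plain Array and never calls it.
function makeTracked(calls) {
  function Tracked(length) { calls.push(length); this.length = 0; }
  Tracked[Symbol.species] = Tracked;
  return Tracked;
}

// Condition 1: slice performs Get(array, "constructor"), which normally lands
// on Array.prototype.constructor. Replacing it changes what slice allocates.
function sliceSeesPrototypeConstructorChange() {
  const saved = Object.getOwnPropertyDescriptor(Array.prototype, "constructor");
  const calls = [];
  const Tracked = makeTracked(calls);
  try {
    Array.prototype.constructor = Tracked;
    const result = [1, 2, 3].slice(1);
    return { constructedWith: calls.slice(), isTracked: result instanceof Tracked,
             length: result.length, first: result[0] };
  } finally {
    Object.defineProperty(Array.prototype, "constructor", saved);
  }
}

// Condition 2: after the constructor lookup, slice reads constructor[Symbol.species].
// Array[Symbol.species] is a configurable accessor, so it can be redirected.
function sliceSeesSpeciesChange() {
  const saved = Object.getOwnPropertyDescriptor(Array, Symbol.species);
  const calls = [];
  const Tracked = makeTracked(calls);
  try {
    Object.defineProperty(Array, Symbol.species, { get() { return Tracked; }, configurable: true });
    const result = [4, 5, 6].slice(0, 2);
    return { constructedWith: calls.slice(), isTracked: result instanceof Tracked,
             items: [result[0], result[1]] };
  } finally {
    Object.defineProperty(Array, Symbol.species, saved);
  }
}

// Condition 3 ("having a bad time"): an indexed accessor on Array.prototype is
// visible through holes, so slice's HasProperty/Get on a holey array runs it.
function sliceSeesIndexedPrototypeAccessor() {
  const saved = Object.getOwnPropertyDescriptor(Array.prototype, "0");
  try {
    Object.defineProperty(Array.prototype, "0", { get() { return "from-prototype"; }, configurable: true });
    const holey = [, "b"]; // index 0 is a hole, index 1 is "b"
    const result = holey.slice();
    return { first: result[0], firstIsOwn: Object.prototype.hasOwnProperty.call(result, "0"),
             second: result[1] };
  } finally {
    if (saved) Object.defineProperty(Array.prototype, "0", saved);
    else { delete Array.prototype[0]; Array.prototype.length = 0; }
  }
}

// Condition 4.1: an own "constructor" property on the sliced array shadows the
// prototype's; the original-structure check is what rules this out.
function sliceSeesOwnConstructorProperty() {
  const calls = [];
  const Tracked = makeTracked(calls);
  const arr = [7, 8, 9];
  arr.constructor = Tracked; // own property, no global state touched
  const result = arr.slice();
  return { constructedWith: calls.slice(), isTracked: result instanceof Tracked, length: result.length };
}

// Condition 4.2: an Array subclass instance has a non-original structure and
// its species is the subclass, so slice must return a subclass instance.
class LoggingArray extends Array {}
function sliceOnSubclass() {
  const arr = LoggingArray.from([1, 2, 3]);
  const result = arr.slice(1);
  return { isSubclass: result instanceof LoggingArray, length: result.length, first: result[0] };
}
```
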
206 2017-01-12  Saam Barati  <sbarati@apple.com>
207
208         Concurrent GC has a bug where we would detect a race but fail to rescan the object
209         https://bugs.webkit.org/show_bug.cgi?id=166960
210         <rdar://problem/29983526>
211
212         Reviewed by Filip Pizlo and Mark Lam.
213
214         We have code like this in JSC:
215         
216         ```
217         Butterfly* butterfly = allocateMoreOutOfLineStorage(vm, oldOutOfLineCapacity, newOutOfLineCapacity);
218         nukeStructureAndSetButterfly(vm, structureID, butterfly);
219         structure->setLastOffset(newLastOffset);
220         WTF::storeStoreFence();
221         setStructureIDDirectly(structureID);
222         ```
223         
224         Note that the collector could detect a race here, which sometimes
225         incorrectly caused us to not visit the object again.
226         
227         Mutator Thread: M, Collector Thread: C, assuming sequential consistency via
228         proper barriers:
229         
230         M: allocate new butterfly
231         M: Set nuked structure ID
232         M: Set butterfly (this does a barrier)
233         C: Start scanning O
234         C: load structure ID
235         C: See it's nuked and bail, (we used to rely on a write barrier to rescan).
236         
237         We sometimes never rescanned here because we were calling
238         setStructureIDDirectly which doesn't do a write barrier.
239         (Note, the places that do this but call setStructure were
240         OK because setStructure will perform a write barrier.)
241         
242         (This same issue also existed in places where the collector thread
243         detected races for Structure::m_offset, but places that changed
244         Structure::m_offset didn't perform a write barrier on the object
245         after changing its Structure's m_offset.)
246         
247         To prevent such code from requiring every call site to perform
248         a write barrier on the object, I've changed the collector code
249         to keep a stack of cells to be revisited due to races. This stack
250         is then consulted when we do marking. Because such races are rare,
251         we have a single stack on Heap that is guarded by a lock.
252
253         * heap/Heap.cpp:
254         (JSC::Heap::Heap):
255         (JSC::Heap::~Heap):
256         (JSC::Heap::markToFixpoint):
257         (JSC::Heap::endMarking):
258         (JSC::Heap::buildConstraintSet):
259         (JSC::Heap::addToRaceMarkStack):
260         * heap/Heap.h:
261         (JSC::Heap::collectorSlotVisitor):
262         (JSC::Heap::mutatorMarkStack): Deleted.
263         * heap/SlotVisitor.cpp:
264         (JSC::SlotVisitor::didRace):
265         * heap/SlotVisitor.h:
266         (JSC::SlotVisitor::didRace):
267         (JSC::SlotVisitor::didNotRace): Deleted.
268         * heap/SlotVisitorInlines.h:
269         (JSC::SlotVisitor::didNotRace): Deleted.
270         * runtime/JSObject.cpp:
271         (JSC::JSObject::visitButterfly):
272         (JSC::JSObject::visitButterflyImpl):
273         * runtime/JSObjectInlines.h:
274         (JSC::JSObject::prepareToPutDirectWithoutTransition):
275         * runtime/Structure.cpp:
276         (JSC::Structure::flattenDictionaryStructure):
277
278 2017-01-12  Chris Dumez  <cdumez@apple.com>
279
280         Add KEYBOARD_KEY_ATTRIBUTE / KEYBOARD_CODE_ATTRIBUTE to FeatureDefines.xcconfig
281         https://bugs.webkit.org/show_bug.cgi?id=166995
282
283         Reviewed by Jer Noble.
284
285         Add KEYBOARD_KEY_ATTRIBUTE / KEYBOARD_CODE_ATTRIBUTE to FeatureDefines.xcconfig
286         as some people are having trouble building without it.
287
288         * Configurations/FeatureDefines.xcconfig:
289
290 2017-01-12  Yusuke Suzuki  <utatane.tea@gmail.com>
291
292         Implement InlineClassicScript
293         https://bugs.webkit.org/show_bug.cgi?id=166925
294
295         Reviewed by Ryosuke Niwa.
296
297         Add ScriptFetcher field for SourceOrigin.
298
299         * runtime/SourceOrigin.h:
300         (JSC::SourceOrigin::SourceOrigin):
301         (JSC::SourceOrigin::fetcher):
302
303 2017-01-11  Andreas Kling  <akling@apple.com>
304
305         Crash when WebCore's GC heap grows way too large.
306         <https://webkit.org/b/166875>
307         <rdar://problem/27896585>
308
309         Reviewed by Mark Lam.
310
311         Add a simple API to JSC::Heap that allows setting a hard limit on the amount
312         of live bytes. If this is exceeded, we crash with a recognizable signature.
313         By default there is no limit.
314
315         * heap/Heap.cpp:
316         (JSC::Heap::didExceedMaxLiveSize):
317         (JSC::Heap::updateAllocationLimits):
318         * heap/Heap.h:
319         (JSC::Heap::setMaxLiveSize):
320
321 2017-01-11  Yusuke Suzuki  <utatane.tea@gmail.com>
322
323         Decouple module loading initiator from ScriptElement
324         https://bugs.webkit.org/show_bug.cgi?id=166888
325
326         Reviewed by Saam Barati and Ryosuke Niwa.
327
328         Add ScriptFetcher and JSScriptFetcher.
329
330         * CMakeLists.txt:
331         * JavaScriptCore.xcodeproj/project.pbxproj:
332         * builtins/ModuleLoaderPrototype.js:
333         (requestFetch):
334         (requestInstantiate):
335         (requestSatisfy):
336         (requestInstantiateAll):
337         (requestLink):
338         (moduleEvaluation):
339         (loadAndEvaluateModule):
340         (importModule):
341         * llint/LLIntData.cpp:
342         (JSC::LLInt::Data::performAssertions):
343         * llint/LowLevelInterpreter.asm:
344         * runtime/Completion.cpp:
345         (JSC::loadAndEvaluateModule):
346         (JSC::loadModule):
347         (JSC::linkAndEvaluateModule):
348         * runtime/Completion.h:
349         * runtime/JSModuleLoader.cpp:
350         (JSC::JSModuleLoader::loadAndEvaluateModule):
351         (JSC::JSModuleLoader::loadModule):
352         (JSC::JSModuleLoader::linkAndEvaluateModule):
353         (JSC::JSModuleLoader::resolve):
354         (JSC::JSModuleLoader::fetch):
355         (JSC::JSModuleLoader::instantiate):
356         (JSC::JSModuleLoader::evaluate):
357         * runtime/JSModuleLoader.h:
358         * runtime/JSScriptFetcher.cpp: Copied from Source/WebCore/dom/LoadableScript.cpp.
359         (JSC::JSScriptFetcher::destroy):
360         * runtime/JSScriptFetcher.h: Added.
361         (JSC::JSScriptFetcher::createStructure):
362         (JSC::JSScriptFetcher::create):
363         (JSC::JSScriptFetcher::fetcher):
364         (JSC::JSScriptFetcher::JSScriptFetcher):
365         * runtime/JSType.h:
366         * runtime/ScriptFetcher.h: Copied from Source/WebCore/dom/LoadableScript.cpp.
367         (JSC::ScriptFetcher::~ScriptFetcher):
368         * runtime/VM.cpp:
369         (JSC::VM::VM):
370         * runtime/VM.h:
371
372 2017-01-10  Yusuke Suzuki  <utatane.tea@gmail.com>
373
374         Implement JSSourceCode to propagate SourceCode in module pipeline
375         https://bugs.webkit.org/show_bug.cgi?id=166861
376
377         Reviewed by Saam Barati.
378
379         Instead of propagating source code string, we propagate JSSourceCode
380         cell in the module pipeline. This allows us to attach a metadata
381         to the propagated source code string. In particular, it propagates
382         SourceOrigin through the module pipeline.
383
384         And it also fixes JSC shell to use Module source type for module source code.
385
386         * CMakeLists.txt:
387         * JavaScriptCore.xcodeproj/project.pbxproj:
388         * builtins/ModuleLoaderPrototype.js:
389         (fulfillFetch):
390         (requestFetch):
391         * jsc.cpp:
392         (GlobalObject::moduleLoaderFetch):
393         (runWithScripts):
394         * llint/LLIntData.cpp:
395         (JSC::LLInt::Data::performAssertions):
396         * llint/LowLevelInterpreter.asm:
397         * runtime/Completion.cpp:
398         (JSC::loadAndEvaluateModule):
399         (JSC::loadModule):
400         * runtime/JSModuleLoader.cpp:
401         (JSC::JSModuleLoader::provide):
402         * runtime/JSModuleLoader.h:
403         * runtime/JSSourceCode.cpp: Added.
404         (JSC::JSSourceCode::destroy):
405         * runtime/JSSourceCode.h: Added.
406         (JSC::JSSourceCode::createStructure):
407         (JSC::JSSourceCode::create):
408         (JSC::JSSourceCode::sourceCode):
409         (JSC::JSSourceCode::JSSourceCode):
410         * runtime/JSType.h:
411         * runtime/ModuleLoaderPrototype.cpp:
412         (JSC::moduleLoaderPrototypeParseModule):
413         * runtime/VM.cpp:
414         (JSC::VM::VM):
415         * runtime/VM.h:
416
417 2017-01-10  Commit Queue  <commit-queue@webkit.org>
418
419         Unreviewed, rolling out r210052.
420         https://bugs.webkit.org/show_bug.cgi?id=166915
421
422         "breaks web compatibility" (Requested by keith_miller on
423         #webkit).
424
425         Reverted changeset:
426
427         "Add support for global"
428         https://bugs.webkit.org/show_bug.cgi?id=165171
429         http://trac.webkit.org/changeset/210052
430
431 2017-01-10  Sam Weinig  <sam@webkit.org>
432
433         [WebIDL] Remove most of the custom bindings for the WebGL code
434         https://bugs.webkit.org/show_bug.cgi?id=166834
435
436         Reviewed by Alex Christensen.
437
438         * runtime/ArrayPrototype.h:
439         * runtime/ObjectPrototype.h:
440         Export the ClassInfo so it can be used from WebCore.
441
442 2017-01-09  Filip Pizlo  <fpizlo@apple.com>
443
444         Streamline the GC barrier slowpath
445         https://bugs.webkit.org/show_bug.cgi?id=166878
446
447         Reviewed by Geoffrey Garen and Saam Barati.
448         
449         This implements two optimizations to the barrier:
450         
451         - Removes the write barrier buffer. This was just overhead.
452         
453         - Teaches the slow path how to white an object that was black but unmarked, ensuring that
454           we don't take slow path for this object again.
455
456         * JavaScriptCore.xcodeproj/project.pbxproj:
457         * dfg/DFGSpeculativeJIT.cpp:
458         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
459         * ftl/FTLLowerDFGToB3.cpp:
460         (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
461         * heap/CellState.h:
462         * heap/Heap.cpp:
463         (JSC::Heap::Heap):
464         (JSC::Heap::markToFixpoint):
465         (JSC::Heap::addToRememberedSet):
466         (JSC::Heap::stopTheWorld):
467         (JSC::Heap::writeBarrierSlowPath):
468         (JSC::Heap::buildConstraintSet):
469         (JSC::Heap::flushWriteBarrierBuffer): Deleted.
470         * heap/Heap.h:
471         (JSC::Heap::writeBarrierBuffer): Deleted.
472         * heap/SlotVisitor.cpp:
473         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
474         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
475         (JSC::SlotVisitor::appendToMarkStack):
476         (JSC::SlotVisitor::visitChildren):
477         * heap/WriteBarrierBuffer.cpp: Removed.
478         * heap/WriteBarrierBuffer.h: Removed.
479         * jit/JITOperations.cpp:
480         * jit/JITOperations.h:
481         * runtime/JSCellInlines.h:
482         (JSC::JSCell::JSCell):
483         * runtime/StructureIDBlob.h:
484         (JSC::StructureIDBlob::StructureIDBlob):
485
486 2017-01-10  Mark Lam  <mark.lam@apple.com>
487
488         Property setters should not be called for bound arguments list entries.
489         https://bugs.webkit.org/show_bug.cgi?id=165631
490
491         Reviewed by Filip Pizlo.
492
493         * builtins/FunctionPrototype.js:
494         (bind):
495         - use @putByValDirect to set the bound arguments so that we don't consult the
496           prototype chain for setters.
497
498         * runtime/IntlDateTimeFormatPrototype.cpp:
499         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
500         * runtime/IntlNumberFormatPrototype.cpp:
501         (JSC::IntlNumberFormatPrototypeGetterFormat):
502         - no need to create a bound arguments array because these bound functions bind
503           no arguments according to the spec.
504
505 2017-01-10  Skachkov Oleksandr  <gskachkov@gmail.com>
506
507         Calling async arrow function which is in a class's member function will cause error
508         https://bugs.webkit.org/show_bug.cgi?id=166879
509
510         Reviewed by Saam Barati.
511
512         The current patch fixes loading 'super' in async arrow functions. The error appeared because
513         super was always loaded regardless of whether it was used in the async arrow function or not, but the bytecompiler
514         put it into the arrow function context only if it was used within the arrow function. So to fix this issue we need to
515         check if super was used in the arrow function.
516
517         * bytecompiler/BytecodeGenerator.h:
518         * bytecompiler/NodesCodegen.cpp:
519         (JSC::FunctionNode::emitBytecode):
520
521 2017-01-10  Commit Queue  <commit-queue@webkit.org>
522
523         Unreviewed, rolling out r210537.
524         https://bugs.webkit.org/show_bug.cgi?id=166903
525
526         This change introduced JSC test failures (Requested by
527         ryanhaddad on #webkit).
528
529         Reverted changeset:
530
531         "Implement JSSourceCode to propagate SourceCode in module
532         pipeline"
533         https://bugs.webkit.org/show_bug.cgi?id=166861
534         http://trac.webkit.org/changeset/210537
535
536 2017-01-10  Commit Queue  <commit-queue@webkit.org>
537
538         Unreviewed, rolling out r210540.
539         https://bugs.webkit.org/show_bug.cgi?id=166896
540
541         too crude for non-WebCore clients (Requested by kling on
542         #webkit).
543
544         Reverted changeset:
545
546         "Crash when GC heap grows way too large."
547         https://bugs.webkit.org/show_bug.cgi?id=166875
548         http://trac.webkit.org/changeset/210540
549
550 2017-01-09  Filip Pizlo  <fpizlo@apple.com>
551
552         JSArray has some object scanning races
553         https://bugs.webkit.org/show_bug.cgi?id=166874
554
555         Reviewed by Mark Lam.
556         
557         This fixes two separate bugs, both of which I detected by running
558         array-splice-contiguous.js in extreme anger:
559         
560         1) Some of the paths of shifting and unshifting were not grabbing the internal cell
561            lock. This was causing the array storage scan to crash, even though it was well
562            synchronized (the scan does hold the lock). The fix is just to hold the lock anywhere
563            that memmoves the innards of the butterfly.
564         
565         2) Out of line property scanning was synchronized using double collect snapshot. Array
566            storage scanning was synchronized using locks. But what if array storage
567            transformations messed up the out of line properties? It turns out that we actually
568            need to hoist the array storage scanner's locking up into the double collect
569            snapshot.
570         
571         I don't know how to write a test that does any better of a job of catching this than
572         array-splice-contiguous.js.
573
574         * heap/DeferGC.h: Make DisallowGC usable even if NDEBUG.
575         * runtime/JSArray.cpp:
576         (JSC::JSArray::unshiftCountSlowCase):
577         (JSC::JSArray::shiftCountWithArrayStorage):
578         (JSC::JSArray::unshiftCountWithArrayStorage):
579         * runtime/JSObject.cpp:
580         (JSC::JSObject::visitButterflyImpl):
581
582 2017-01-10  Andreas Kling  <akling@apple.com>
583
584         Crash when GC heap grows way too large.
585         <https://webkit.org/b/166875>
586         <rdar://problem/27896585>
587
588         Reviewed by Mark Lam.
589
590         Hard cap the JavaScript heap at 4GB of live objects (determined post-GC).
591         If we go past this limit, crash with a recognizable signature.
592
593         * heap/Heap.cpp:
594         (JSC::Heap::didExceedHeapSizeLimit):
595         (JSC::Heap::updateAllocationLimits):
596
597 2017-01-09  Yusuke Suzuki  <utatane.tea@gmail.com>
598
599         Implement JSSourceCode to propagate SourceCode in module pipeline
600         https://bugs.webkit.org/show_bug.cgi?id=166861
601
602         Reviewed by Saam Barati.
603
604         Instead of propagating source code string, we propagate JSSourceCode
605         cell in the module pipeline. This allows us to attach a metadata
606         to the propagated source code string. In particular, it propagates
607         SourceOrigin through the module pipeline.
608
609         * CMakeLists.txt:
610         * JavaScriptCore.xcodeproj/project.pbxproj:
611         * builtins/ModuleLoaderPrototype.js:
612         (fulfillFetch):
613         (requestFetch):
614         * jsc.cpp:
615         (GlobalObject::moduleLoaderFetch):
616         * llint/LLIntData.cpp:
617         (JSC::LLInt::Data::performAssertions):
618         * llint/LowLevelInterpreter.asm:
619         * runtime/Completion.cpp:
620         (JSC::loadAndEvaluateModule):
621         (JSC::loadModule):
622         * runtime/JSModuleLoader.cpp:
623         (JSC::JSModuleLoader::provide):
624         * runtime/JSModuleLoader.h:
625         * runtime/JSSourceCode.cpp: Added.
626         (JSC::JSSourceCode::destroy):
627         * runtime/JSSourceCode.h: Added.
628         (JSC::JSSourceCode::createStructure):
629         (JSC::JSSourceCode::create):
630         (JSC::JSSourceCode::sourceCode):
631         (JSC::JSSourceCode::JSSourceCode):
632         * runtime/JSType.h:
633         * runtime/ModuleLoaderPrototype.cpp:
634         (JSC::moduleLoaderPrototypeParseModule):
635         * runtime/VM.cpp:
636         (JSC::VM::VM):
637         * runtime/VM.h:
638
639 2017-01-09  Yusuke Suzuki  <utatane.tea@gmail.com>
640
641         REGRESSION (r210522): ASSERTION FAILED: divot.offset >= divotStart.offset seen with stress/import-basic.js and stress/import-from-eval.js
642         https://bugs.webkit.org/show_bug.cgi?id=166873
643
644         Reviewed by Saam Barati.
645
646         The divot should be the end of `import` token.
647
648         * parser/Parser.cpp:
649         (JSC::Parser<LexerType>::parseMemberExpression):
650
651 2017-01-09  Filip Pizlo  <fpizlo@apple.com>
652
653         Unreviewed, fix cloop.
654
655         * dfg/DFGPlanInlines.h:
656
657 2017-01-09  Yusuke Suzuki  <utatane.tea@gmail.com>
658
659         [JSC] Prototype dynamic-import
660         https://bugs.webkit.org/show_bug.cgi?id=165724
661
662         Reviewed by Saam Barati.
663
664         In this patch, we implement stage3 dynamic-import proposal[1].
665         This patch adds a new special operator `import`. And by using it, we can import
666         the module dynamically from modules and scripts. Before this feature, the module
667         is always imported statically and before executing the modules, importing the modules
668         needs to be done. And especially, the module can only be imported from the module.
669         So the classic script cannot import and use the modules. This dynamic-import relaxes
670         the above restrictions.
671
672         The typical dynamic-import form is the following.
673
674             import("...").then(function (namespace) { ... });
675
676         You can pass any AssignmentExpression for the import operator. So you can determine
677         the importing modules dynamically.
678
679             import(value).then(function (namespace) { ... });
680
681         And previously the module import declaration is only allowed in the top level statements.
682         But this import operator is just an expression. So you can use it in the function.
683         And you can use it conditionally.
684
685             async function go(cond)
686             {
687                 if (cond)
688                     return import("...");
689                 return undefined;
690             }
691             await go(true);
692
693         Currently, this patch just implements this feature only for the JSC shell.
694         JSC module loader requires a new hook, `importModule`. And the JSC shell implements
695         this hook. So, for now, this dynamic-import is not available in the browser side.
696         If you write this `import` call, it always returns the rejected promise.
697
698         import is implemented like a special operator similar to `super`.
699         This is because import is context-sensitive. If you call the `import`, the module
700         key resolution is done based on the caller's running context.
701
702         For example, if you are running the script which filename is "./ok/hello.js", the module
703         key for the call `import("./resource/syntax.js")` becomes `"./ok/resource/syntax.js"`.
704         But if you write the completely same import form in the script "./error/hello.js", the
705         key becomes "./error/resource/syntax.js". So exposing this feature as the `import`
706         function is misleading: this function becomes caller's context-sensitive. That's why
707         dynamic-import is specified as a special operator.
708
709         To resolve the module key, we need the caller's context information like the filename of
710         the caller. This is provided by the SourceOrigin implemented in r210149.
711         In the JSC shell implementation, this SourceOrigin holds the filename of the caller. So
712         based on this implementation, the module loader resolves the module key.
713         In the near future, we will extend this SourceOrigin to hold more information needed for
714         the browser-side import implementation.
715
716         [1]: https://tc39.github.io/proposal-dynamic-import/
717
718         * builtins/ModuleLoaderPrototype.js:
719         (importModule):
720         * bytecompiler/BytecodeGenerator.cpp:
721         (JSC::BytecodeGenerator::emitGetTemplateObject):
722         (JSC::BytecodeGenerator::emitGetGlobalPrivate):
723         * bytecompiler/BytecodeGenerator.h:
724         * bytecompiler/NodesCodegen.cpp:
725         (JSC::ImportNode::emitBytecode):
726         * jsc.cpp:
727         (absolutePath):
728         (GlobalObject::moduleLoaderImportModule):
729         (functionRun):
730         (functionLoad):
731         (functionCheckSyntax):
732         (runWithScripts):
733         * parser/ASTBuilder.h:
734         (JSC::ASTBuilder::createImportExpr):
735         * parser/NodeConstructors.h:
736         (JSC::ImportNode::ImportNode):
737         * parser/Nodes.h:
738         (JSC::ExpressionNode::isImportNode):
739         * parser/Parser.cpp:
740         (JSC::Parser<LexerType>::parseMemberExpression):
741         * parser/SyntaxChecker.h:
742         (JSC::SyntaxChecker::createImportExpr):
743         * runtime/JSGlobalObject.cpp:
744         (JSC::JSGlobalObject::init):
745         * runtime/JSGlobalObject.h:
746         * runtime/JSGlobalObjectFunctions.cpp:
747         (JSC::globalFuncImportModule):
748         * runtime/JSGlobalObjectFunctions.h:
749         * runtime/JSModuleLoader.cpp:
750         (JSC::JSModuleLoader::importModule):
751         (JSC::JSModuleLoader::getModuleNamespaceObject):
752         * runtime/JSModuleLoader.h:
753         * runtime/ModuleLoaderPrototype.cpp:
754         (JSC::moduleLoaderPrototypeGetModuleNamespaceObject):
755
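The caller-relative module-key resolution described in this entry, as an added example that is not part of the WebKit patch: a plain JavaScript model in which the caller's SourceOrigin is just its filename, as in the JSC shell. `resolveModuleKey`, `dynamicImport` and the `loader` callback are assumed names, and treating every non-absolute specifier as relative to the caller's directory is a simplification of the shell's resolution.

```javascript
// Added example, not WebKit code: a model of how a dynamic import() specifier
// is resolved against the caller's SourceOrigin (here just the caller's
// filename, as in the JSC shell). Function names are assumed for the demo.

// Collapse "." and ".." segments of a "/"-separated path. Keeps the
// leading "./" so the results look like the keys quoted in the ChangeLog.
function normalizePath(path) {
  const out = [];
  for (const seg of path.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (out.length > 0 && out[out.length - 1] !== "..") out.pop();
      else out.push("..");
      continue;
    }
    out.push(seg);
  }
  return (path.startsWith("/") ? "/" : "./") + out.join("/");
}

function dirname(filename) {
  const idx = filename.lastIndexOf("/");
  return idx < 0 ? "." : filename.slice(0, idx);
}

// The key depends on the *caller's* file, not on where import() happens to
// be written: the same specifier yields different keys from different callers.
// Simplification: every non-absolute specifier is treated as relative to the
// caller's directory.
function resolveModuleKey(callerOrigin, specifier) {
  if (specifier.startsWith("/")) return normalizePath(specifier);
  return normalizePath(dirname(callerOrigin) + "/" + specifier);
}

// Model of the operator's contract: when the running context carries no
// SourceOrigin (the "browser side" case in the ChangeLog) import() does not
// throw synchronously, it returns a rejected promise. `loader(key)` stands in
// for the module loader's importModule hook and must return a promise.
function dynamicImport(callerOrigin, specifier, loader) {
  if (!callerOrigin) {
    return Promise.reject(new TypeError("dynamic import is not available in this context"));
  }
  return loader(resolveModuleKey(callerOrigin, specifier));
}
```
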
756 2017-01-08  Filip Pizlo  <fpizlo@apple.com>
757
758         Make the collector's fixpoint smart about scheduling work
759         https://bugs.webkit.org/show_bug.cgi?id=165910
760
761         Reviewed by Keith Miller.
762         
763         Prior to this change, every time the GC would run any constraints in markToFixpoint, it
764         would run all of the constraints. It would always run them in the same order. That means
765         that so long as any one constraint was generating new work, we'd pay the price of all
766         constraints. This is usually OK because most constraints are cheap but it artificially
767         inflates the cost of slow constraints - especially ones that are expensive but usually
768         generate no new work.
769         
770         This patch redoes how the GC runs constraints by applying ideas from data flow analysis.
771         The GC now builds a MarkingConstraintSet when it boots up, and this contains all of the
772         constraints as well as some meta-data about them. Now, markToFixpoint just calls into
773         MarkingConstraintSet to execute constraints. Because constraint execution and scheduling
774         need to be aware of each other, I rewrote markToFixpoint in such a way that it's more
775         obvious how the GC goes between constraint solving, marking with stopped mutator, and
776         marking with resumed mutator. This also changes the scheduler API in such a way that a
777         synchronous stop-the-world collection no longer needs to do fake stop/resume - instead we
778         just swap the space-time scheduler for the stop-the-world scheduler.
779         
780         This is a big streamlining of the GC. This is a speed-up in GC-heavy tests because we
781         now execute most constraints exactly twice regardless of how many total fixpoint
782         iterations we do. Now, when we run out of marking work, the constraint solver will just
783         run the constraint that is most likely to generate new visiting work, and if it does
784         generate work, then the GC now goes back to marking. Before, it would run *all*
785         constraints and then go back to marking. The constraint solver is armed with three
786         information signals that it uses to sort the constraints in order of descending likelihood
787         to generate new marking work. Then it runs them in that order until there is new
788         marking work. The signals are:
789         
790         1) Whether the constraint is greyed by marking or execution. We call this the volatility
791            of the constraint. For example, weak reference constraints have GreyedByMarking as
792            their volatility because they are most likely to have something to say after we've done
793            some marking. On the other hand, conservative roots have GreyedByExecution as their
794            volatility because they will give new information anytime we let the mutator run. The
795            constraint solver will only run GreyedByExecution constraints as roots and after the
796            GreyedByMarking constraints go silent. This ensures that we don't try to scan
797            conservative roots every time we need to re-run weak references and vice-versa.
798            
799            Another way to look at it is that the constraint solver tries to predict if the
800            wavefront is advancing or retreating. The wavefront is almost certainly advancing so
801            long as the mark stacks are non-empty or so long as at least one of the GreyedByMarking
802            constraints is still producing work. Otherwise the wavefront is almost certainly
803            retreating. It's most profitable to run GreyedByMarking constraints when the wavefront
804            is advancing, and most profitable to run GreyedByExecution constraints when the
805            wavefront is retreating.
806            
807            We use the predicted wavefront direction and the volatility of constraints as a
808            first-order signal of constraint profitability.
809         
810         2) How much visiting work was created the last time the constraint ran. The solver
811            remembers the lastVisitCount, and uses it to predict how much work the constraint will
812            generate next time. In practice this means we will keep re-running the one interesting
813            constraint until it shuts up.
814         
815         3) Optional work predictors for some constraints. The constraint that shuffles the mutator
816            mark stack into the main SlotVisitor's mutator mark stack always knows exactly how much
817            work it will create.
818            
819            The sum of (2) and (3) is used as a second-order signal of constraint profitability.
820         
821         The constraint solver will always run all of the GreyedByExecution constraints at GC
822         start, since these double as the GC's roots. The constraint solver will always run all of
823         the GreyedByMarking constraints the first time that marking stalls. Other than that, the
824         solver will keep running constraints, sorted according to their likelihood to create work,
825         until either work is created or we run out of constraints to run. GC termination happens
826         when we run out of constraints to run.
827         
828         This new infrastructure means that we have a much better chance of dealing with worst-case
829         DOM pathologies. If we can intelligently factor different evil DOM things into different
830         constraints with the right work predictions then this could reduce the cost of those DOM
831         things by a factor of N where N is the number of fixpoint iterations the GC typically
832         does. N is usually around 5-6 even for simple heaps.
833         
834         My perf measurements say:
835         
836         PLT3: 0.02% faster with 5.3% confidence.
837         JetStream: 0.15% faster with 17% confidence.
838         Speedometer: 0.58% faster with 82% confidence.
839         
840         Here are the details from JetStream:
841         
842         splay: 1.02173x faster with 0.996841 confidence
843         splay-latency: 1.0617x faster with 0.987462 confidence
844         towers.c: 1.01852x faster with 0.92128 confidence
845         crypto-md5: 1.06058x faster with 0.482363 confidence
846         score: 1.00152x faster with 0.16892 confidence
847         
848         I think that Speedometer is legitimately benefiting from this change based on looking at
849         --logGC=true output. We are now spending less time reexecuting expensive constraints. I
850         think that JetStream/splay is also benefiting, because although the constraints it sees
851         are cheap, it spends 30% of its time in GC so even small improvements matter.
852
853         * CMakeLists.txt:
854         * JavaScriptCore.xcodeproj/project.pbxproj:
855         * dfg/DFGPlan.cpp:
856         (JSC::DFG::Plan::markCodeBlocks): Deleted.
857         (JSC::DFG::Plan::rememberCodeBlocks): Deleted.
858         * dfg/DFGPlan.h:
859         * dfg/DFGPlanInlines.h: Added.
860         (JSC::DFG::Plan::iterateCodeBlocksForGC):
861         * dfg/DFGWorklist.cpp:
862         (JSC::DFG::Worklist::markCodeBlocks): Deleted.
863         (JSC::DFG::Worklist::rememberCodeBlocks): Deleted.
864         (JSC::DFG::rememberCodeBlocks): Deleted.
865         * dfg/DFGWorklist.h:
866         * dfg/DFGWorklistInlines.h: Added.
867         (JSC::DFG::iterateCodeBlocksForGC):
868         (JSC::DFG::Worklist::iterateCodeBlocksForGC):
869         * heap/CodeBlockSet.cpp:
870         (JSC::CodeBlockSet::writeBarrierCurrentlyExecuting): Deleted.
871         * heap/CodeBlockSet.h:
872         (JSC::CodeBlockSet::iterate): Deleted.
873         * heap/CodeBlockSetInlines.h:
874         (JSC::CodeBlockSet::iterate):
875         (JSC::CodeBlockSet::iterateCurrentlyExecuting):
876         * heap/Heap.cpp:
877         (JSC::Heap::Heap):
878         (JSC::Heap::iterateExecutingAndCompilingCodeBlocks):
879         (JSC::Heap::iterateExecutingAndCompilingCodeBlocksWithoutHoldingLocks):
880         (JSC::Heap::assertSharedMarkStacksEmpty):
881         (JSC::Heap::markToFixpoint):
882         (JSC::Heap::endMarking):
883         (JSC::Heap::collectInThread):
884         (JSC::Heap::stopIfNecessarySlow):
885         (JSC::Heap::acquireAccessSlow):
886         (JSC::Heap::collectIfNecessaryOrDefer):
887         (JSC::Heap::buildConstraintSet):
888         (JSC::Heap::notifyIsSafeToCollect):
889         (JSC::Heap::ResumeTheWorldScope::ResumeTheWorldScope): Deleted.
890         (JSC::Heap::ResumeTheWorldScope::~ResumeTheWorldScope): Deleted.
891         (JSC::Heap::harvestWeakReferences): Deleted.
892         (JSC::Heap::visitConservativeRoots): Deleted.
893         (JSC::Heap::visitCompilerWorklistWeakReferences): Deleted.
894         * heap/Heap.h:
895         * heap/MarkingConstraint.cpp: Added.
896         (JSC::MarkingConstraint::MarkingConstraint):
897         (JSC::MarkingConstraint::~MarkingConstraint):
898         (JSC::MarkingConstraint::resetStats):
899         (JSC::MarkingConstraint::execute):
900         * heap/MarkingConstraint.h: Added.
901         (JSC::MarkingConstraint::index):
902         (JSC::MarkingConstraint::abbreviatedName):
903         (JSC::MarkingConstraint::name):
904         (JSC::MarkingConstraint::lastVisitCount):
905         (JSC::MarkingConstraint::quickWorkEstimate):
906         (JSC::MarkingConstraint::workEstimate):
907         (JSC::MarkingConstraint::volatility):
908         * heap/MarkingConstraintSet.cpp: Added.
909         (JSC::MarkingConstraintSet::ExecutionContext::ExecutionContext):
910         (JSC::MarkingConstraintSet::ExecutionContext::didVisitSomething):
911         (JSC::MarkingConstraintSet::ExecutionContext::shouldTimeOut):
912         (JSC::MarkingConstraintSet::ExecutionContext::drain):
913         (JSC::MarkingConstraintSet::ExecutionContext::didExecute):
914         (JSC::MarkingConstraintSet::ExecutionContext::execute):
915         (JSC::MarkingConstraintSet::MarkingConstraintSet):
916         (JSC::MarkingConstraintSet::~MarkingConstraintSet):
917         (JSC::MarkingConstraintSet::resetStats):
918         (JSC::MarkingConstraintSet::add):
919         (JSC::MarkingConstraintSet::executeBootstrap):
920         (JSC::MarkingConstraintSet::executeConvergence):
921         (JSC::MarkingConstraintSet::isWavefrontAdvancing):
922         (JSC::MarkingConstraintSet::executeConvergenceImpl):
923         (JSC::MarkingConstraintSet::executeAll):
924         * heap/MarkingConstraintSet.h: Added.
925         (JSC::MarkingConstraintSet::isWavefrontRetreating):
926         * heap/MutatorScheduler.cpp: Added.
927         (JSC::MutatorScheduler::MutatorScheduler):
928         (JSC::MutatorScheduler::~MutatorScheduler):
929         (JSC::MutatorScheduler::didStop):
930         (JSC::MutatorScheduler::willResume):
931         (JSC::MutatorScheduler::didExecuteConstraints):
932         (JSC::MutatorScheduler::log):
933         (JSC::MutatorScheduler::shouldStop):
934         (JSC::MutatorScheduler::shouldResume):
935         * heap/MutatorScheduler.h: Added.
936         * heap/OpaqueRootSet.h:
937         (JSC::OpaqueRootSet::add):
938         * heap/SlotVisitor.cpp:
939         (JSC::SlotVisitor::visitAsConstraint):
940         (JSC::SlotVisitor::drain):
941         (JSC::SlotVisitor::didReachTermination):
942         (JSC::SlotVisitor::hasWork):
943         (JSC::SlotVisitor::drainFromShared):
944         (JSC::SlotVisitor::drainInParallelPassively):
945         (JSC::SlotVisitor::addOpaqueRoot):
946         * heap/SlotVisitor.h:
947         (JSC::SlotVisitor::addToVisitCount):
948         * heap/SpaceTimeMutatorScheduler.cpp: Copied from Source/JavaScriptCore/heap/SpaceTimeScheduler.cpp.
949         (JSC::SpaceTimeMutatorScheduler::Snapshot::Snapshot):
950         (JSC::SpaceTimeMutatorScheduler::Snapshot::now):
951         (JSC::SpaceTimeMutatorScheduler::Snapshot::bytesAllocatedThisCycle):
952         (JSC::SpaceTimeMutatorScheduler::SpaceTimeMutatorScheduler):
953         (JSC::SpaceTimeMutatorScheduler::~SpaceTimeMutatorScheduler):
954         (JSC::SpaceTimeMutatorScheduler::state):
955         (JSC::SpaceTimeMutatorScheduler::beginCollection):
956         (JSC::SpaceTimeMutatorScheduler::didStop):
957         (JSC::SpaceTimeMutatorScheduler::willResume):
958         (JSC::SpaceTimeMutatorScheduler::didExecuteConstraints):
959         (JSC::SpaceTimeMutatorScheduler::timeToStop):
960         (JSC::SpaceTimeMutatorScheduler::timeToResume):
961         (JSC::SpaceTimeMutatorScheduler::log):
962         (JSC::SpaceTimeMutatorScheduler::endCollection):
963         (JSC::SpaceTimeMutatorScheduler::bytesAllocatedThisCycleImpl):
964         (JSC::SpaceTimeMutatorScheduler::bytesSinceBeginningOfCycle):
965         (JSC::SpaceTimeMutatorScheduler::maxHeadroom):
966         (JSC::SpaceTimeMutatorScheduler::headroomFullness):
967         (JSC::SpaceTimeMutatorScheduler::mutatorUtilization):
968         (JSC::SpaceTimeMutatorScheduler::collectorUtilization):
969         (JSC::SpaceTimeMutatorScheduler::elapsedInPeriod):
970         (JSC::SpaceTimeMutatorScheduler::phase):
971         (JSC::SpaceTimeMutatorScheduler::shouldBeResumed):
972         (JSC::SpaceTimeScheduler::Decision::targetMutatorUtilization): Deleted.
973         (JSC::SpaceTimeScheduler::Decision::targetCollectorUtilization): Deleted.
974         (JSC::SpaceTimeScheduler::Decision::elapsedInPeriod): Deleted.
975         (JSC::SpaceTimeScheduler::Decision::phase): Deleted.
976         (JSC::SpaceTimeScheduler::Decision::shouldBeResumed): Deleted.
977         (JSC::SpaceTimeScheduler::Decision::timeToResume): Deleted.
978         (JSC::SpaceTimeScheduler::Decision::timeToStop): Deleted.
979         (JSC::SpaceTimeScheduler::SpaceTimeScheduler): Deleted.
980         (JSC::SpaceTimeScheduler::snapPhase): Deleted.
981         (JSC::SpaceTimeScheduler::currentDecision): Deleted.
982         * heap/SpaceTimeMutatorScheduler.h: Copied from Source/JavaScriptCore/heap/SpaceTimeScheduler.h.
983         (JSC::SpaceTimeScheduler::Decision::operator bool): Deleted.
984         * heap/SpaceTimeScheduler.cpp: Removed.
985         * heap/SpaceTimeScheduler.h: Removed.
986         * heap/SynchronousStopTheWorldMutatorScheduler.cpp: Added.
987         (JSC::SynchronousStopTheWorldMutatorScheduler::SynchronousStopTheWorldMutatorScheduler):
988         (JSC::SynchronousStopTheWorldMutatorScheduler::~SynchronousStopTheWorldMutatorScheduler):
989         (JSC::SynchronousStopTheWorldMutatorScheduler::state):
990         (JSC::SynchronousStopTheWorldMutatorScheduler::beginCollection):
991         (JSC::SynchronousStopTheWorldMutatorScheduler::timeToStop):
992         (JSC::SynchronousStopTheWorldMutatorScheduler::timeToResume):
993         (JSC::SynchronousStopTheWorldMutatorScheduler::endCollection):
994         * heap/SynchronousStopTheWorldMutatorScheduler.h: Added.
995         * heap/VisitingTimeout.h: Added.
996         (JSC::VisitingTimeout::VisitingTimeout):
997         (JSC::VisitingTimeout::visitCount):
998         (JSC::VisitingTimeout::didVisitSomething):
999         (JSC::VisitingTimeout::shouldTimeOut):
1000         * runtime/Options.h:
1001
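The scheduling policy described in this entry, as an added example that is not WebKit's code: a small JavaScript model of a constraint set with the three signals (volatility, lastVisitCount, an optional work estimate), a bootstrap pass over the GreyedByExecution constraints, and a convergence pass that runs the whole GreyedByMarking set the first time marking stalls and afterwards runs constraints in predicted-profitability order until one finds work. The constraints, heap counters and all numbers are constructed for the demo, and the mutator does not run between iterations, which is a simplification.

```javascript
// Added example, not WebKit code: a model of the constraint scheduling the
// ChangeLog describes. Constraints, heap counters and numbers are constructed.
const GreyedByExecution = "GreyedByExecution";
const GreyedByMarking = "GreyedByMarking";

class Constraint {
  // execute(heap) greys cells and returns how many (its visit count).
  // estimate(heap), when given, is the optional work predictor (signal 3).
  constructor(name, volatility, execute, estimate = null) {
    this.name = name;
    this.volatility = volatility;      // signal 1
    this.executeImpl = execute;
    this.estimate = estimate;
    this.lastVisitCount = 0;           // signal 2
    this.runs = 0;
  }
  predictedWork(heap) {
    return this.lastVisitCount + (this.estimate ? this.estimate(heap) : 0);
  }
  execute(heap) {
    this.runs++;
    this.lastVisitCount = this.executeImpl(heap);
    return this.lastVisitCount;
  }
}

class ConstraintSet {
  constructor(constraints) {
    this.constraints = constraints;
    this.firstStall = true;
  }
  // GC start: the GreyedByExecution constraints double as the roots.
  executeBootstrap(heap) {
    let work = 0;
    for (const c of this.constraints)
      if (c.volatility === GreyedByExecution) work += c.execute(heap);
    return work;
  }
  // Advancing while some GreyedByMarking constraint still produced work the
  // last time it ran (the mark stack itself is empty when we get here).
  isWavefrontAdvancing() {
    return this.constraints.some(c => c.volatility === GreyedByMarking && c.lastVisitCount > 0);
  }
  // Called whenever marking stalls. Returns true if new marking work was found.
  executeConvergence(heap) {
    if (this.firstStall) {
      this.firstStall = false;
      let work = 0;
      for (const c of this.constraints)
        if (c.volatility === GreyedByMarking) work += c.execute(heap);
      if (work > 0) return true;
    }
    const preferred = this.isWavefrontAdvancing() ? GreyedByMarking : GreyedByExecution;
    const order = [...this.constraints].sort((a, b) => {
      const pa = a.volatility === preferred ? 1 : 0;
      const pb = b.volatility === preferred ? 1 : 0;
      if (pa !== pb) return pb - pa;                          // first-order signal
      return b.predictedWork(heap) - a.predictedWork(heap);   // second-order signal
    });
    for (const c of order)
      if (c.execute(heap) > 0) return true;  // found work: go back to marking
    return false;  // every constraint was silent: the collection terminates
  }
}

// Marking drains the mark stack; each stall hands control to the solver.
function runCollection(heap, set) {
  let iterations = 0;
  set.executeBootstrap(heap);
  for (;;) {
    heap.marked += heap.markStack;
    heap.markStack = 0;
    iterations++;
    if (!set.executeConvergence(heap)) return iterations;
  }
}

function makeDemo() {
  const heap = { markStack: 0, marked: 0, stackRoots: 2, mutatorStack: 4, weakPending: 3 };
  const grey = n => { heap.markStack += n; return n; };
  const constraints = [
    new Constraint("conservativeRoots", GreyedByExecution,
      h => { const n = h.stackRoots; h.stackRoots = 0; return grey(n); }),
    // Knows exactly how much work it will create (signal 3).
    new Constraint("mutatorMarkStack", GreyedByExecution,
      h => { const n = h.mutatorStack; h.mutatorStack = 0; return grey(n); },
      h => h.mutatorStack),
    // Finds one more cell after each round of marking.
    new Constraint("weakReferences", GreyedByMarking,
      h => (h.weakPending > 0 ? (h.weakPending--, grey(1)) : 0)),
    // Expensive and almost always silent: should run as rarely as possible.
    new Constraint("expensiveDom", GreyedByMarking, () => 0),
  ];
  const iterations = runCollection(heap, new ConstraintSet(constraints));
  const runs = {};
  for (const c of constraints) runs[c.name] = c.runs;
  return { iterations, runs, marked: heap.marked, markStack: heap.markStack };
}
```

In this run the silent expensive constraint executes exactly twice (once in the first full GreyedByMarking pass and once in the terminating round), while the one constraint that keeps finding work is re-run until it goes quiet.
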
1002 2017-01-09  Commit Queue  <commit-queue@webkit.org>
1003
1004         Unreviewed, rolling out r210476.
1005         https://bugs.webkit.org/show_bug.cgi?id=166859
1006
1007         "4% JSBench regression" (Requested by keith_mi_ on #webkit).
1008
1009         Reverted changeset:
1010
1011         "Add a slice intrinsic to the DFG/FTL"
1012         https://bugs.webkit.org/show_bug.cgi?id=166707
1013         http://trac.webkit.org/changeset/210476
1014
1015 2017-01-08  Andreas Kling  <akling@apple.com>
1016
1017         Inject MarkedSpace size classes for a few more high-volume objects.
1018         <https://webkit.org/b/166815>
1019
1020         Reviewed by Darin Adler.
1021
1022         Add the following classes to the list of manually injected size classes:
1023
1024             - JSString
1025             - JSFunction
1026             - PropertyTable
1027             - Structure
1028
1029         Only Structure actually ends up with a new size class, the others already
1030         can't get any tighter due to the current MarkedBlock::atomSize being 16.
1031         I've put them in anyway to ensure that we have optimally carved-out cells
1032         for them in the future, should they grow.
1033
1034         With this change, Structures get allocated in 128-byte cells instead of
1035         160-byte cells, giving us 25% more Structures per MarkedBlock.
1036
1037         * heap/MarkedSpace.cpp:
1038
1039 2017-01-06  Saam Barati  <sbarati@apple.com>
1040
1041         Add a slice intrinsic to the DFG/FTL
1042         https://bugs.webkit.org/show_bug.cgi?id=166707
1043
1044         Reviewed by Filip Pizlo.
1045
1046         The gist of this patch is to inline Array.prototype.slice
1047         into the DFG/FTL. The implementation in the DFG-backend
1048         and FTLLowerDFGToB3 is just a straightforward implementation
1049         of what the C function is doing. The more interesting bits
1050         of this patch are setting up the proper watchpoints and conditions
1051         in the executing code to prove that it's safe to skip all of the
1052         observable JS actions that Array.prototype.slice normally does.
1053         
1054         We perform the following proofs:
1055         1. Array.prototype.constructor has not changed (via a watchpoint).
1056         2. That Array.prototype.constructor[Symbol.species] has not changed (via a watchpoint).
1057         3. The global object is not having a bad time.
1058         4. The array that is being sliced has an original array structure.
1059         5. Array.prototype/Object.prototype have not transitioned.
1060         
1061         Conditions 1, 2, and 3 are strictly required.
1062         
1063         4 is ensuring a couple things:
1064         1. That a "constructor" property hasn't been added to the array
1065         we're slicing since we're supposed to perform a Get(array, "constructor").
1066         2. That we're not slicing an instance of a subclass of Array.
1067         
1068         We could relax 4.1 in the future if we find other ways to test if
1069         the incoming array hasn't changed the "constructor" property.
1070         
1071         I'm seeing a 5% speedup on crypto-pbkdf2 and often a 1% speedup on
1072         the total benchmark (the results are sometimes noisy).
1073
1074         * bytecode/ExitKind.cpp:
1075         (JSC::exitKindToString):
1076         * bytecode/ExitKind.h:
1077         * dfg/DFGAbstractInterpreterInlines.h:
1078         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1079         * dfg/DFGByteCodeParser.cpp:
1080         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1081         * dfg/DFGClobberize.h:
1082         (JSC::DFG::clobberize):
1083         * dfg/DFGDoesGC.cpp:
1084         (JSC::DFG::doesGC):
1085         * dfg/DFGFixupPhase.cpp:
1086         (JSC::DFG::FixupPhase::fixupNode):
1087         * dfg/DFGNode.h:
1088         (JSC::DFG::Node::hasHeapPrediction):
1089         (JSC::DFG::Node::hasArrayMode):
1090         * dfg/DFGNodeType.h:
1091         * dfg/DFGPredictionPropagationPhase.cpp:
1092         * dfg/DFGSafeToExecute.h:
1093         (JSC::DFG::safeToExecute):
1094         * dfg/DFGSpeculativeJIT.cpp:
1095         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1096         * dfg/DFGSpeculativeJIT.h:
1097         * dfg/DFGSpeculativeJIT32_64.cpp:
1098         (JSC::DFG::SpeculativeJIT::compile):
1099         * dfg/DFGSpeculativeJIT64.cpp:
1100         (JSC::DFG::SpeculativeJIT::compile):
1101         * ftl/FTLCapabilities.cpp:
1102         (JSC::FTL::canCompile):
1103         * ftl/FTLLowerDFGToB3.cpp:
1104         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1105         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
1106         * jit/AssemblyHelpers.cpp:
1107         (JSC::AssemblyHelpers::emitLoadStructure):
1108         * runtime/ArrayPrototype.cpp:
1109         (JSC::ArrayPrototype::finishCreation):
1110         (JSC::speciesWatchpointIsValid):
1111         (JSC::speciesConstructArray):
1112         (JSC::arrayProtoFuncSlice):
1113         (JSC::arrayProtoPrivateFuncConcatMemcpy):
1114         (JSC::ArrayPrototype::initializeSpeciesWatchpoint):
1115         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
1116         (JSC::speciesWatchpointsValid): Deleted.
1117         (JSC::ArrayPrototype::attemptToInitializeSpeciesWatchpoint): Deleted.
1118         * runtime/ArrayPrototype.h:
1119         (JSC::ArrayPrototype::speciesWatchpointStatus): Deleted.
1120         (): Deleted.
1121         * runtime/Intrinsic.h:
1122         * runtime/JSGlobalObject.cpp:
1123         (JSC::JSGlobalObject::JSGlobalObject):
1124         (JSC::JSGlobalObject::init):
1125         * runtime/JSGlobalObject.h:
1126         (JSC::JSGlobalObject::arraySpeciesWatchpoint):
1127
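The observable steps that the proofs in this entry guard, as an added example that is not the patch's code: in plain JavaScript, each function returns the constructor of the array that `slice` produced, showing how a subclass (4.2), an own `constructor` property on the array (4.1) and a changed `Array[Symbol.species]` (1/2) each alter the result the intrinsic would otherwise skip computing. `MyArray`, `PlainSpecies` and the function names are constructed for the demo; the "bad time" condition (3) is not modelled.

```javascript
// Added example, not WebKit code: the observable JS actions inside
// Array.prototype.slice (ArraySpeciesCreate) that the DFG/FTL intrinsic may
// only skip while the watchpoints listed in the ChangeLog hold.
// MyArray, PlainSpecies and the function names are constructed for the demo.

class MyArray extends Array {}

// Opts out of species: slicing a PlainSpecies yields a plain Array.
class PlainSpecies extends Array {
  static get [Symbol.species]() { return Array; }
}

// Proof 4.2: a subclass instance makes slice construct via the subclass.
function sliceSubclass() {
  const a = MyArray.of(1, 2, 3);
  return a.slice(1).constructor; // MyArray
}

function sliceSpeciesOptOut() {
  const a = PlainSpecies.of(1, 2, 3);
  return a.slice(1).constructor; // Array
}

// Proof 4.1: slice performs Get(array, "constructor"), so an own
// "constructor" property on an ordinary array is honoured.
function sliceWithOwnConstructor() {
  const a = [1, 2, 3];
  Object.defineProperty(a, "constructor", { value: MyArray, configurable: true });
  return a.slice(1).constructor; // MyArray
}

// Proofs 1/2: Array.prototype.constructor[Symbol.species] is consulted for
// every ordinary array, so redefining the species getter on Array changes
// what slice returns. The original descriptor is restored afterwards.
function sliceWithPatchedSpecies() {
  const original = Object.getOwnPropertyDescriptor(Array, Symbol.species);
  Object.defineProperty(Array, Symbol.species, {
    get() { return MyArray; },
    configurable: true,
  });
  try {
    return [1, 2, 3].slice(1).constructor; // MyArray
  } finally {
    Object.defineProperty(Array, Symbol.species, original);
  }
}

// Untouched environment: the case the fast path is allowed to assume.
function slicePlain() {
  return [1, 2, 3].slice(1).constructor; // Array
}
```
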
1128 2017-01-06  Mark Lam  <mark.lam@apple.com>
1129
1130         The ObjC API's JSVirtualMachine's map tables need to be guarded by a lock.
1131         https://bugs.webkit.org/show_bug.cgi?id=166778
1132         <rdar://problem/29761198>
1133
1134         Reviewed by Filip Pizlo.
1135
1136         Now that we have a concurrent GC, access to JSVirtualMachine's
1137         m_externalObjectGraph and m_externalRememberedSet needs to be guarded by a lock
1138         since both the GC marker thread and the mutator thread may access them at the
1139         same time.
1140
1141         * API/JSVirtualMachine.mm:
1142         (-[JSVirtualMachine addExternalRememberedObject:]):
1143         (-[JSVirtualMachine addManagedReference:withOwner:]):
1144         (-[JSVirtualMachine removeManagedReference:withOwner:]):
1145         (-[JSVirtualMachine externalDataMutex]):
1146         (scanExternalObjectGraph):
1147         (scanExternalRememberedSet):
1148
1149         * API/JSVirtualMachineInternal.h:
1150         - Deleted externalObjectGraph method.  There's no need to expose this.
1151
1152 2017-01-06  Michael Saboff  <msaboff@apple.com>
1153
1154         @putByValDirect in Array.of and Array.from overwrites non-writable/configurable properties
1155         https://bugs.webkit.org/show_bug.cgi?id=153486
1156
1157         Reviewed by Saam Barati.
1158
1159         Moved the read-only check in putDirect() to all paths.
1160
1161         * runtime/SparseArrayValueMap.cpp:
1162         (JSC::SparseArrayValueMap::putDirect):
1163
1164 2016-12-30  Filip Pizlo  <fpizlo@apple.com>
1165
1166         DeferGC::~DeferGC should be super cheap
1167         https://bugs.webkit.org/show_bug.cgi?id=166626
1168
1169         Reviewed by Saam Barati.
1170         
1171         Right now, ~DeferGC requires running the collector's full collectIfNecessaryOrDefer()
1172         hook, which is super big. Normally, that hook would only be called from GC slow paths,
1173         so it ought to be possible to add complex logic to it. It benefits the GC algorithm to
1174         make that code smart, not necessarily fast.
1175
1176         The right thing for it to do is to have ~DeferGC check a boolean to see if
1177         collectIfNecessaryOrDefer() had previously deferred anything, and only call it if that
1178         is true. That's what this patch does.
1179         
1180         Unfortunately, this means that we lose the collectAccordingToDeferGCProbability mode,
1181         which we used for two tests. Since I could only see two tests that used this mode, I
1182         felt that it was better to enhance the GC than to keep the tests. I filed bug 166627 to
1183         bring back something like that mode.
1184         
1185         Although this patch does make some paths faster, its real goal is to ensure that bug
1186         165963 can add more logic to collectIfNecessaryOrDefer() without introducing a big
1187         regression. Until then, I wouldn't be surprised if this patch was a progression, but I'm
1188         not betting on it.
1189
1190         * heap/Heap.cpp:
1191         (JSC::Heap::collectIfNecessaryOrDefer):
1192         (JSC::Heap::decrementDeferralDepthAndGCIfNeededSlow):
1193         (JSC::Heap::canCollect): Deleted.
1194         (JSC::Heap::shouldCollectHeuristic): Deleted.
1195         (JSC::Heap::shouldCollect): Deleted.
1196         (JSC::Heap::collectAccordingToDeferGCProbability): Deleted.
1197         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded): Deleted.
1198         * heap/Heap.h:
1199         * heap/HeapInlines.h:
1200         (JSC::Heap::incrementDeferralDepth):
1201         (JSC::Heap::decrementDeferralDepth):
1202         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
1203         (JSC::Heap::mayNeedToStop):
1204         (JSC::Heap::stopIfNecessary):
1205         * runtime/Options.h:
1206
1207 2017-01-05  Filip Pizlo  <fpizlo@apple.com>
1208
1209         AutomaticThread timeout shutdown leaves a small window where notify() would think that the thread is still running
1210         https://bugs.webkit.org/show_bug.cgi?id=166742
1211
1212         Reviewed by Geoffrey Garen.
1213         
1214         Update to new AutomaticThread API.
1215
1216         * dfg/DFGWorklist.cpp:
1217
1218 2017-01-05  Per Arne Vollan  <pvollan@apple.com>
1219
1220         [Win] Compile error.
1221         https://bugs.webkit.org/show_bug.cgi?id=166726
1222
1223         Reviewed by Alex Christensen.
1224
1225         Add include folder.
1226
1227         * CMakeLists.txt:
1228
1229 2016-12-21  Brian Burg  <bburg@apple.com>
1230
1231         Web Inspector: teach the protocol generator about platform-specific types, events, and commands
1232         https://bugs.webkit.org/show_bug.cgi?id=166003
1233         <rdar://problem/28718990>
1234
1235         Reviewed by Joseph Pecoraro.
1236
1237         This patch implements parser, model, and generator-side changes to account for
1238         platform-specific types, events, and commands. The 'platform' property is parsed
1239         for top-level definitions and assumed to be the 'generic' platform if none is specified.
1240
1241         Since the generator's platform setting acts to filter definitions with an incompatible platform,
1242         all generators must be modified to consult a list of filtered types/commands/events for
1243         a domain instead of directly accessing Domain.{type_declarations, commands, events}. To prevent
1244         accidental misuse, hide those fields behind accessors (e.g., `all_type_declarations()`) so that they
1245         are still accessible if truly necessary, but are not used by default and cause an error if not migrated.
1246
1247         * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
1248         (CppAlternateBackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
1249         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
1250         (CppBackendDispatcherHeaderGenerator.domains_to_generate):
1251         (CppBackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
1252         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
1253         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
1254         (CppBackendDispatcherImplementationGenerator.domains_to_generate):
1255         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
1256         (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
1257         (CppBackendDispatcherImplementationGenerator._generate_large_dispatcher_switch_implementation_for_domain):
1258         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
1259         (CppFrontendDispatcherHeaderGenerator.domains_to_generate):
1260         (CppFrontendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
1261         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
1262         (CppFrontendDispatcherImplementationGenerator.domains_to_generate):
1263         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
1264         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
1265         (CppProtocolTypesHeaderGenerator._generate_forward_declarations):
1266         (_generate_typedefs_for_domain):
1267         (_generate_builders_for_domain):
1268         (_generate_forward_declarations_for_binding_traits):
1269         (_generate_declarations_for_enum_conversion_methods):
1270         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
1271         (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain):
1272         (CppProtocolTypesImplementationGenerator._generate_open_field_names):
1273         (CppProtocolTypesImplementationGenerator._generate_builders_for_domain):
1274         * inspector/scripts/codegen/generate_js_backend_commands.py:
1275         (JSBackendCommandsGenerator.should_generate_domain):
1276         (JSBackendCommandsGenerator.domains_to_generate):
1277         (JSBackendCommandsGenerator.generate_domain):
1278         (JSBackendCommandsGenerator.domains_to_generate.should_generate_domain): Deleted.
1279         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
1280         (ObjCBackendDispatcherHeaderGenerator.domains_to_generate):
1281         (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations):
1282         (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declarations_for_domain):
1283         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1284         (ObjCBackendDispatcherImplementationGenerator):
1285         (ObjCBackendDispatcherImplementationGenerator.domains_to_generate):
1286         (ObjCBackendDispatcherImplementationGenerator._generate_handler_implementation_for_domain):
1287         (ObjCConfigurationImplementationGenerator): Deleted.
1288         (ObjCConfigurationImplementationGenerator.__init__): Deleted.
1289         (ObjCConfigurationImplementationGenerator.output_filename): Deleted.
1290         (ObjCConfigurationImplementationGenerator.domains_to_generate): Deleted.
1291         (ObjCConfigurationImplementationGenerator.generate_output): Deleted.
1292         (ObjCConfigurationImplementationGenerator._generate_handler_implementation_for_domain): Deleted.
1293         (ObjCConfigurationImplementationGenerator._generate_handler_implementation_for_command): Deleted.
1294         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command): Deleted.
1295         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command.and): Deleted.
1296         (ObjCConfigurationImplementationGenerator._generate_conversions_for_command): Deleted.
1297         (ObjCConfigurationImplementationGenerator._generate_conversions_for_command.in_param_expression): Deleted.
1298         (ObjCConfigurationImplementationGenerator._generate_invocation_for_command): Deleted.
1299         * inspector/scripts/codegen/generate_objc_configuration_header.py:
1300         (ObjCConfigurationHeaderGenerator.generate_output):
1301         (ObjCConfigurationHeaderGenerator._generate_properties_for_domain):
1302         * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
1303         (ObjCConfigurationImplementationGenerator):
1304         (ObjCConfigurationImplementationGenerator.generate_output):
1305         (ObjCConfigurationImplementationGenerator._generate_configuration_implementation_for_domains):
1306         (ObjCConfigurationImplementationGenerator._generate_ivars):
1307         (ObjCConfigurationImplementationGenerator._generate_dealloc):
1308         (ObjCBackendDispatcherImplementationGenerator): Deleted.
1309         (ObjCBackendDispatcherImplementationGenerator.__init__): Deleted.
1310         (ObjCBackendDispatcherImplementationGenerator.output_filename): Deleted.
1311         (ObjCBackendDispatcherImplementationGenerator.generate_output): Deleted.
1312         (ObjCBackendDispatcherImplementationGenerator._generate_configuration_implementation_for_domains): Deleted.
1313         (ObjCBackendDispatcherImplementationGenerator._generate_ivars): Deleted.
1314         (ObjCBackendDispatcherImplementationGenerator._generate_dealloc): Deleted.
1315         (ObjCBackendDispatcherImplementationGenerator._generate_handler_setter_for_domain): Deleted.
1316         (ObjCBackendDispatcherImplementationGenerator._generate_event_dispatcher_getter_for_domain): Deleted.
1317         (ObjCBackendDispatcherImplementationGenerator._variable_name_prefix_for_domain): Deleted.
1318         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1319         (ObjCFrontendDispatcherImplementationGenerator.domains_to_generate):
1320         (ObjCFrontendDispatcherImplementationGenerator._generate_event_dispatcher_implementations):
1321         * inspector/scripts/codegen/generate_objc_header.py:
1322         (ObjCHeaderGenerator.generate_output):
1323         (ObjCHeaderGenerator._generate_forward_declarations):
1324         (ObjCHeaderGenerator._generate_enums):
1325         (ObjCHeaderGenerator._generate_types):
1326         (ObjCHeaderGenerator._generate_command_protocols):
1327         (ObjCHeaderGenerator._generate_event_interfaces):
1328         * inspector/scripts/codegen/generate_objc_internal_header.py:
1329         (ObjCInternalHeaderGenerator.generate_output):
1330         (ObjCInternalHeaderGenerator._generate_event_dispatcher_private_interfaces):
1331         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
1332         (ObjCProtocolTypeConversionsHeaderGenerator.domains_to_generate):
1333         (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_conversion_functions):
1334         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_implementation.py:
1335         (ObjCProtocolTypeConversionsImplementationGenerator.domains_to_generate):
1336         (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_interface):
1337         (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_implementation):
1338         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1339         (ObjCProtocolTypesImplementationGenerator.domains_to_generate):
1340         (ObjCProtocolTypesImplementationGenerator.generate_type_implementations):
1341
1342         * inspector/scripts/codegen/generator.py:
1343         (Generator.can_generate_platform):
1344         (Generator):
1345         (Generator.type_declarations_for_domain):
1346         (Generator.commands_for_domain):
1347         (Generator.events_for_domain):
1348         These are the core methods for computing whether a definition can be used given a target platform.
1349
1350         (Generator.calculate_types_requiring_shape_assertions):
1351         (Generator._traverse_and_assign_enum_values):
1352         * inspector/scripts/codegen/models.py:
1353         (Protocol.parse_type_declaration):
1354         (Protocol.parse_command):
1355         (Protocol.parse_event):
1356         (Protocol.resolve_types):
1357
1358         (Domain.__init__):
1359         (Domain):
1360         (Domain.all_type_declarations):
1361         (Domain.all_commands):
1362         (Domain.all_events):
1363         Hide fields behind these accessors so it's really obvious when we are ignoring platform filtering.
1364
1365         (Domain.resolve_type_references):
1366         (TypeDeclaration.__init__):
1367         (Command.__init__):
1368         (Event.__init__):
1369         * inspector/scripts/codegen/objc_generator.py:
1370         (ObjCGenerator.should_generate_types_for_domain):
1371         (ObjCGenerator):
1372         (ObjCGenerator.should_generate_commands_for_domain):
1373         (ObjCGenerator.should_generate_events_for_domain):
1374         (ObjCGenerator.should_generate_domain_types_filter): Deleted.
1375         (ObjCGenerator.should_generate_domain_types_filter.should_generate_domain_types): Deleted.
1376         (ObjCGenerator.should_generate_domain_command_handler_filter): Deleted.
1377         (ObjCGenerator.should_generate_domain_command_handler_filter.should_generate_domain_command_handler): Deleted.
1378         (ObjCGenerator.should_generate_domain_event_dispatcher_filter): Deleted.
1379         (ObjCGenerator.should_generate_domain_event_dispatcher_filter.should_generate_domain_event_dispatcher): Deleted.
1380         Clean up some messy code that essentially did the same definition filtering as we must do for platforms.
1381         This will be enhanced in a future patch so that platform filtering will take priority over the target framework.
1382
1383         The results above need rebaselining because the class names for two generators were swapped by accident.
1384         Fixing the names causes the order of generated files to change, and this generates ugly diffs because every
1385         generated file includes the same copyright block at the top.
1386
1387         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1388         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1389         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
1390         * inspector/scripts/tests/generic/expected/enum-values.json-result:
1391         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
1392         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
1393         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
1394         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
1395         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
1396         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
1397         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
1398         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1399         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1400
1401         * inspector/scripts/tests/generic/expected/fail-on-command-with-invalid-platform.json-error: Added.
1402         * inspector/scripts/tests/generic/expected/fail-on-type-with-invalid-platform.json-error: Added.
1403         * inspector/scripts/tests/generic/fail-on-command-with-invalid-platform.json: Added.
1404         * inspector/scripts/tests/generic/fail-on-type-with-invalid-platform.json: Added.
1405
1406         Add error test cases for invalid platforms in commands, types, and events.
1407
1408         * inspector/scripts/tests/generic/definitions-with-mac-platform.json: Added.
1409         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result: Added.
1410         * inspector/scripts/tests/all/definitions-with-mac-platform.json: Added.
1411         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result: Added.
1412         * inspector/scripts/tests/ios/definitions-with-mac-platform.json: Added.
1413         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result: Added.
1414         * inspector/scripts/tests/mac/definitions-with-mac-platform.json: Added.
1415         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result: Added.
1416
1417         Add a basic 4-way test that generates code for each platform from the same specification.
1418         With 'macos' platform for each definition, only 'all' and 'mac' generate anything interesting.
1419
1420 2017-01-03  Brian Burg  <bburg@apple.com>
1421
1422         Web Inspector: teach the protocol generator about platform-specific types, events, and commands
1423         https://bugs.webkit.org/show_bug.cgi?id=166003
1424         <rdar://problem/28718990>
1425
1426         Reviewed by Joseph Pecoraro.
1427
1428         This patch implements parser, model, and generator-side changes to account for
1429         platform-specific types, events, and commands. The 'platform' property is parsed
1430         for top-level definitions and assumed to be the 'generic' platform if none is specified.
1431
1432         Since the generator's platform setting acts to filter definitions with an incompatible platform,
1433         all generators must be modified to consult a list of filtered types/commands/events for
1434         a domain instead of directly accessing Domain.{type_declarations, commands, events}. To prevent
1435         accidental misuse, hide those fields behind accessors (e.g., `all_type_declarations()`) so that they
1436         are still accessible if truly necessary, but not used by default and cause an error if not migrated.
1437
1438         * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
1439         (CppAlternateBackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
1440         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
1441         (CppBackendDispatcherHeaderGenerator.domains_to_generate):
1442         (CppBackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
1443         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
1444         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
1445         (CppBackendDispatcherImplementationGenerator.domains_to_generate):
1446         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
1447         (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
1448         (CppBackendDispatcherImplementationGenerator._generate_large_dispatcher_switch_implementation_for_domain):
1449         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
1450         (CppFrontendDispatcherHeaderGenerator.domains_to_generate):
1451         (CppFrontendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
1452         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
1453         (CppFrontendDispatcherImplementationGenerator.domains_to_generate):
1454         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
1455         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
1456         (CppProtocolTypesHeaderGenerator._generate_forward_declarations):
1457         (_generate_typedefs_for_domain):
1458         (_generate_builders_for_domain):
1459         (_generate_forward_declarations_for_binding_traits):
1460         (_generate_declarations_for_enum_conversion_methods):
1461         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
1462         (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain):
1463         (CppProtocolTypesImplementationGenerator._generate_open_field_names):
1464         (CppProtocolTypesImplementationGenerator._generate_builders_for_domain):
1465         * inspector/scripts/codegen/generate_js_backend_commands.py:
1466         (JSBackendCommandsGenerator.should_generate_domain):
1467         (JSBackendCommandsGenerator.domains_to_generate):
1468         (JSBackendCommandsGenerator.generate_domain):
1469         (JSBackendCommandsGenerator.domains_to_generate.should_generate_domain): Deleted.
1470         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
1471         (ObjCBackendDispatcherHeaderGenerator.domains_to_generate):
1472         (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations):
1473         (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declarations_for_domain):
1474         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1475         (ObjCBackendDispatcherImplementationGenerator):
1476         (ObjCBackendDispatcherImplementationGenerator.domains_to_generate):
1477         (ObjCBackendDispatcherImplementationGenerator._generate_handler_implementation_for_domain):
1478         (ObjCConfigurationImplementationGenerator): Deleted.
1479         (ObjCConfigurationImplementationGenerator.__init__): Deleted.
1480         (ObjCConfigurationImplementationGenerator.output_filename): Deleted.
1481         (ObjCConfigurationImplementationGenerator.domains_to_generate): Deleted.
1482         (ObjCConfigurationImplementationGenerator.generate_output): Deleted.
1483         (ObjCConfigurationImplementationGenerator._generate_handler_implementation_for_domain): Deleted.
1484         (ObjCConfigurationImplementationGenerator._generate_handler_implementation_for_command): Deleted.
1485         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command): Deleted.
1486         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command.and): Deleted.
1487         (ObjCConfigurationImplementationGenerator._generate_conversions_for_command): Deleted.
1488         (ObjCConfigurationImplementationGenerator._generate_conversions_for_command.in_param_expression): Deleted.
1489         (ObjCConfigurationImplementationGenerator._generate_invocation_for_command): Deleted.
1490         * inspector/scripts/codegen/generate_objc_configuration_header.py:
1491         (ObjCConfigurationHeaderGenerator.generate_output):
1492         (ObjCConfigurationHeaderGenerator._generate_properties_for_domain):
1493         * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
1494         (ObjCConfigurationImplementationGenerator):
1495         (ObjCConfigurationImplementationGenerator.generate_output):
1496         (ObjCConfigurationImplementationGenerator._generate_configuration_implementation_for_domains):
1497         (ObjCConfigurationImplementationGenerator._generate_ivars):
1498         (ObjCConfigurationImplementationGenerator._generate_dealloc):
1499         (ObjCBackendDispatcherImplementationGenerator): Deleted.
1500         (ObjCBackendDispatcherImplementationGenerator.__init__): Deleted.
1501         (ObjCBackendDispatcherImplementationGenerator.output_filename): Deleted.
1502         (ObjCBackendDispatcherImplementationGenerator.generate_output): Deleted.
1503         (ObjCBackendDispatcherImplementationGenerator._generate_configuration_implementation_for_domains): Deleted.
1504         (ObjCBackendDispatcherImplementationGenerator._generate_ivars): Deleted.
1505         (ObjCBackendDispatcherImplementationGenerator._generate_dealloc): Deleted.
1506         (ObjCBackendDispatcherImplementationGenerator._generate_handler_setter_for_domain): Deleted.
1507         (ObjCBackendDispatcherImplementationGenerator._generate_event_dispatcher_getter_for_domain): Deleted.
1508         (ObjCBackendDispatcherImplementationGenerator._variable_name_prefix_for_domain): Deleted.
1509         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1510         (ObjCFrontendDispatcherImplementationGenerator.domains_to_generate):
1511         (ObjCFrontendDispatcherImplementationGenerator._generate_event_dispatcher_implementations):
1512         * inspector/scripts/codegen/generate_objc_header.py:
1513         (ObjCHeaderGenerator.generate_output):
1514         (ObjCHeaderGenerator._generate_forward_declarations):
1515         (ObjCHeaderGenerator._generate_enums):
1516         (ObjCHeaderGenerator._generate_types):
1517         (ObjCHeaderGenerator._generate_command_protocols):
1518         (ObjCHeaderGenerator._generate_event_interfaces):
1519         * inspector/scripts/codegen/generate_objc_internal_header.py:
1520         (ObjCInternalHeaderGenerator.generate_output):
1521         (ObjCInternalHeaderGenerator._generate_event_dispatcher_private_interfaces):
1522         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
1523         (ObjCProtocolTypeConversionsHeaderGenerator.domains_to_generate):
1524         (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_conversion_functions):
1525         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_implementation.py:
1526         (ObjCProtocolTypeConversionsImplementationGenerator.domains_to_generate):
1527         (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_interface):
1528         (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_implementation):
1529         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1530         (ObjCProtocolTypesImplementationGenerator.domains_to_generate):
1531         (ObjCProtocolTypesImplementationGenerator.generate_type_implementations):
1532
1533         * inspector/scripts/codegen/generator.py:
1534         (Generator.can_generate_platform):
1535         (Generator):
1536         (Generator.type_declarations_for_domain):
1537         (Generator.commands_for_domain):
1538         (Generator.events_for_domain):
1539         These are the core methods for computing whether a definition can be used given a target platform.
1540
1541         (Generator.calculate_types_requiring_shape_assertions):
1542         (Generator._traverse_and_assign_enum_values):
1543         * inspector/scripts/codegen/models.py:
1544         (Protocol.parse_type_declaration):
1545         (Protocol.parse_command):
1546         (Protocol.parse_event):
1547         (Protocol.resolve_types):
1548
1549         (Domain.__init__):
1550         (Domain):
1551         (Domain.all_type_declarations):
1552         (Domain.all_commands):
1553         (Domain.all_events):
1554         Hide fields behind these accessors so it's really obvious when we are ignoring platform filtering.
1555
1556         (Domain.resolve_type_references):
1557         (TypeDeclaration.__init__):
1558         (Command.__init__):
1559         (Event.__init__):
1560         * inspector/scripts/codegen/objc_generator.py:
1561         (ObjCGenerator.should_generate_types_for_domain):
1562         (ObjCGenerator):
1563         (ObjCGenerator.should_generate_commands_for_domain):
1564         (ObjCGenerator.should_generate_events_for_domain):
1565         (ObjCGenerator.should_generate_domain_types_filter): Deleted.
1566         (ObjCGenerator.should_generate_domain_types_filter.should_generate_domain_types): Deleted.
1567         (ObjCGenerator.should_generate_domain_command_handler_filter): Deleted.
1568         (ObjCGenerator.should_generate_domain_command_handler_filter.should_generate_domain_command_handler): Deleted.
1569         (ObjCGenerator.should_generate_domain_event_dispatcher_filter): Deleted.
1570         (ObjCGenerator.should_generate_domain_event_dispatcher_filter.should_generate_domain_event_dispatcher): Deleted.
1571         Clean up some messy code that essentially did the same definition filtering as we must do for platforms.
1572         This will be enhanced in a future patch so that platform filtering will take priority over the target framework.
1573
1574         The following results need rebaselining because the class names for two generators were swapped by accident.
1575         Fixing the names causes the order of generated files to change, and this generates ugly diffs because every
1576         generated file includes the same copyright block at the top.
1577
1578         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1579         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1580         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
1581         * inspector/scripts/tests/generic/expected/enum-values.json-result:
1582         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
1583         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
1584         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
1585         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
1586         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
1587         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
1588         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
1589         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1590         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
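
        The platform filtering this entry and the entry above describe (the 'platform' property defaulting to 'generic', the Domain.all_*() accessors, and Generator.can_generate_platform feeding the *_for_domain filters), as an added Python model that is not WebKit's inspector codegen. The method names are the ones listed in these entries; their bodies, the four platform names ('generic', 'ios', 'macos', 'all') and the sample specification are my assumptions.

```python
# Illustrative model of the platform filtering described in the ChangeLog.
# Added example, not WebKit's code: the method names come from the entries
# above; their bodies, platform names and sample spec are assumptions.
from dataclasses import dataclass
from typing import Dict, List

class Platform:
    """A target or definition platform, compared by identity."""

    def __init__(self, name: str) -> None:
        self.name = name

    @staticmethod
    def fromString(name: str) -> "Platform":
        # Assumption: an unknown name is a hard error (the fail-on-*-with-invalid-platform tests).
        for platform in Platforms.ALL_PLATFORMS:
            if platform.name == name:
                return platform
        raise ValueError("unknown platform: %r" % name)

class Platforms:
    """'generic' is the default for a definition without a 'platform' key;
    'all' is a generator target that accepts every definition."""
    Generic = Platform("generic")
    iOS = Platform("ios")
    macOS = Platform("macos")  # the test directories call this target 'mac'
    All = Platform("all")
    ALL_PLATFORMS = [Generic, iOS, macOS, All]

@dataclass
class Definition:
    name: str
    platform: Platform

def parse_definition(obj: dict) -> Definition:
    # The 'platform' property is optional and defaults to 'generic'.
    return Definition(obj["name"], Platform.fromString(obj.get("platform", "generic")))

class Domain:
    """Keeps definitions behind all_*() accessors: a generator that still reads
    domain.commands directly fails with AttributeError instead of silently
    bypassing the platform filter."""

    def __init__(self, obj: dict) -> None:
        self.domain_name = obj["domain"]
        self._type_declarations = [parse_definition(d) for d in obj.get("types", [])]
        self._commands = [parse_definition(d) for d in obj.get("commands", [])]
        self._events = [parse_definition(d) for d in obj.get("events", [])]

    def all_type_declarations(self) -> List[Definition]:
        return list(self._type_declarations)

    def all_commands(self) -> List[Definition]:
        return list(self._commands)

    def all_events(self) -> List[Definition]:
        return list(self._events)

class Generator:
    def __init__(self, target_platform: Platform) -> None:
        self._target_platform = target_platform

    def can_generate_platform(self, definition_platform: Platform) -> bool:
        # Assumed rule: generic definitions go to every target, an 'all'
        # target takes everything, otherwise the platforms must match.
        return (definition_platform is Platforms.Generic
                or self._target_platform is Platforms.All
                or definition_platform is self._target_platform)

    def type_declarations_for_domain(self, domain: Domain) -> List[Definition]:
        return [d for d in domain.all_type_declarations() if self.can_generate_platform(d.platform)]

    def commands_for_domain(self, domain: Domain) -> List[Definition]:
        return [d for d in domain.all_commands() if self.can_generate_platform(d.platform)]

    def events_for_domain(self, domain: Domain) -> List[Definition]:
        return [d for d in domain.all_events() if self.can_generate_platform(d.platform)]

# Constructed specification: everything is tagged 'macos' except one command
# that omits 'platform' and therefore counts as generic.
SAMPLE_SPEC = [{
    "domain": "Page",
    "types": [{"name": "Frame", "platform": "macos"}],
    "commands": [{"name": "enable"}, {"name": "overrideUserAgent", "platform": "macos"}],
    "events": [{"name": "frameNavigated", "platform": "macos"}],
}]

def generated_names(target_name: str, spec: List[dict] = SAMPLE_SPEC) -> Dict[str, List[str]]:
    """Names a generator for target_name would emit, keyed by domain."""
    generator = Generator(Platform.fromString(target_name))
    result = {}
    for obj in spec:
        domain = Domain(obj)
        kept = (generator.type_declarations_for_domain(domain)
                + generator.commands_for_domain(domain)
                + generator.events_for_domain(domain))
        result[domain.domain_name] = [d.name for d in kept]
    return result
```

With every definition tagged 'macos', only the 'macos' and 'all' targets emit the tagged items, matching the four-way test the entry above describes.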
1591
1592 2017-01-03  Brian Burg  <bburg@apple.com>
1593
1594         Web Inspector: teach the protocol generator about platform-specific types, events, and commands
1595         https://bugs.webkit.org/show_bug.cgi?id=166003
1596         <rdar://problem/28718990>
1597
1598         Reviewed by Joseph Pecoraro.
1599
1600         Make it possible to test inspector protocol generator output for different platforms.
1601
1602         Move existing tests to the generic/ subdirectory, as they are to be generated
1603         without any specific platform. Later, platform-specific generator behavior will be
1604         tested by cloning the same test to multiple platform directories.
1605
1606         * inspector/scripts/tests{/ => /generic/}commands-with-async-attribute.json
1607         * inspector/scripts/tests{/ => /generic/}commands-with-optional-call-return-parameters.json
1608         * inspector/scripts/tests{/ => /generic/}domains-with-varying-command-sizes.json
1609         * inspector/scripts/tests{/ => /generic/}enum-values.json
1610         * inspector/scripts/tests{/ => /generic/}events-with-optional-parameters.json
1611         * inspector/scripts/tests{/ => /generic/}expected/commands-with-async-attribute.json-result
1612         * inspector/scripts/tests{/ => /generic/}expected/commands-with-optional-call-return-parameters.json-result
1613         * inspector/scripts/tests{/ => /generic/}expected/domains-with-varying-command-sizes.json-result
1614         * inspector/scripts/tests{/ => /generic/}expected/enum-values.json-result
1615         * inspector/scripts/tests{/ => /generic/}expected/events-with-optional-parameters.json-result
1616         * inspector/scripts/tests{/ => /generic/}expected/fail-on-domain-availability.json-error
1617         * inspector/scripts/tests{/ => /generic/}expected/fail-on-duplicate-command-call-parameter-names.json-error
1618         * inspector/scripts/tests{/ => /generic/}expected/fail-on-duplicate-command-return-parameter-names.json-error
1619         * inspector/scripts/tests{/ => /generic/}expected/fail-on-duplicate-event-parameter-names.json-error
1620         * inspector/scripts/tests{/ => /generic/}expected/fail-on-duplicate-type-declarations.json-error
1621         * inspector/scripts/tests{/ => /generic/}expected/fail-on-duplicate-type-member-names.json-error
1622         * inspector/scripts/tests{/ => /generic/}expected/fail-on-enum-with-no-values.json-error
1623         * inspector/scripts/tests{/ => /generic/}expected/fail-on-number-typed-optional-parameter-flag.json-error
1624         * inspector/scripts/tests{/ => /generic/}expected/fail-on-number-typed-optional-type-member.json-error
1625         * inspector/scripts/tests{/ => /generic/}expected/fail-on-string-typed-optional-parameter-flag.json-error
1626         * inspector/scripts/tests{/ => /generic/}expected/fail-on-string-typed-optional-type-member.json-error
1627         * inspector/scripts/tests{/ => /generic/}expected/fail-on-type-declaration-using-type-reference.json-error
1628         * inspector/scripts/tests{/ => /generic/}expected/fail-on-type-reference-as-primitive-type.json-error
1629         * inspector/scripts/tests{/ => /generic/}expected/fail-on-type-with-lowercase-name.json-error
1630         * inspector/scripts/tests{/ => /generic/}expected/fail-on-unknown-type-reference-in-type-declaration.json-error
1631         * inspector/scripts/tests{/ => /generic/}expected/fail-on-unknown-type-reference-in-type-member.json-error
1632         * inspector/scripts/tests{/ => /generic/}expected/generate-domains-with-feature-guards.json-result
1633         * inspector/scripts/tests{/ => /generic/}expected/same-type-id-different-domain.json-result
1634         * inspector/scripts/tests{/ => /generic/}expected/shadowed-optional-type-setters.json-result
1635         * inspector/scripts/tests{/ => /generic/}expected/type-declaration-aliased-primitive-type.json-result
1636         * inspector/scripts/tests{/ => /generic/}expected/type-declaration-array-type.json-result
1637         * inspector/scripts/tests{/ => /generic/}expected/type-declaration-enum-type.json-result
1638         * inspector/scripts/tests{/ => /generic/}expected/type-declaration-object-type.json-result
1639         * inspector/scripts/tests{/ => /generic/}expected/type-requiring-runtime-casts.json-result
1640         * inspector/scripts/tests{/ => /generic/}fail-on-domain-availability.json
1641         * inspector/scripts/tests{/ => /generic/}fail-on-duplicate-command-call-parameter-names.json
1642         * inspector/scripts/tests{/ => /generic/}fail-on-duplicate-command-return-parameter-names.json
1643         * inspector/scripts/tests{/ => /generic/}fail-on-duplicate-event-parameter-names.json
1644         * inspector/scripts/tests{/ => /generic/}fail-on-duplicate-type-declarations.json
1645         * inspector/scripts/tests{/ => /generic/}fail-on-duplicate-type-member-names.json
1646         * inspector/scripts/tests{/ => /generic/}fail-on-enum-with-no-values.json
1647         * inspector/scripts/tests{/ => /generic/}fail-on-number-typed-optional-parameter-flag.json
1648         * inspector/scripts/tests{/ => /generic/}fail-on-number-typed-optional-type-member.json
1649         * inspector/scripts/tests{/ => /generic/}fail-on-string-typed-optional-parameter-flag.json
1650         * inspector/scripts/tests{/ => /generic/}fail-on-string-typed-optional-type-member.json
1651         * inspector/scripts/tests{/ => /generic/}fail-on-type-declaration-using-type-reference.json
1652         * inspector/scripts/tests{/ => /generic/}fail-on-type-reference-as-primitive-type.json
1653         * inspector/scripts/tests{/ => /generic/}fail-on-type-with-lowercase-name.json
1654         * inspector/scripts/tests{/ => /generic/}fail-on-unknown-type-reference-in-type-declaration.json
1655         * inspector/scripts/tests{/ => /generic/}fail-on-unknown-type-reference-in-type-member.json
1656         * inspector/scripts/tests{/ => /generic/}generate-domains-with-feature-guards.json
1657         * inspector/scripts/tests{/ => /generic/}same-type-id-different-domain.json
1658         * inspector/scripts/tests{/ => /generic/}shadowed-optional-type-setters.json
1659         * inspector/scripts/tests{/ => /generic/}type-declaration-aliased-primitive-type.json
1660         * inspector/scripts/tests{/ => /generic/}type-declaration-array-type.json
1661         * inspector/scripts/tests{/ => /generic/}type-declaration-enum-type.json
1662         * inspector/scripts/tests{/ => /generic/}type-declaration-object-type.json
1663         * inspector/scripts/tests{/ => /generic/}type-requiring-runtime-casts.json
1664
1665 2017-01-03  Brian Burg  <bburg@apple.com>
1666
1667         Web Inspector: teach the protocol generator about platform-specific types, events, and commands
1668         https://bugs.webkit.org/show_bug.cgi?id=166003
1669         <rdar://problem/28718990>
1670
1671         Reviewed by Joseph Pecoraro.
1672
1673         Add a --platform argument to generate-inspector-protocol-bindings.py and propagate
1674         the specified platform to each generator. This will be used in the next few patches
1675         to exclude types, events, and commands that are unsupported by the backend platform.
1676
1677         Convert all subclasses of Generator to pass along their positional arguments so that we
1678         can easily change base class arguments without editing all generator constructors.
1679
1680         * inspector/scripts/codegen/cpp_generator.py:
1681         (CppGenerator.__init__):
1682         * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
1683         (CppAlternateBackendDispatcherHeaderGenerator.__init__):
1684         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
1685         (CppBackendDispatcherHeaderGenerator.__init__):
1686         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
1687         (CppBackendDispatcherImplementationGenerator.__init__):
1688         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
1689         (CppFrontendDispatcherHeaderGenerator.__init__):
1690         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
1691         (CppFrontendDispatcherImplementationGenerator.__init__):
1692         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
1693         (CppProtocolTypesHeaderGenerator.__init__):
1694         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
1695         (CppProtocolTypesImplementationGenerator.__init__):
1696         * inspector/scripts/codegen/generate_js_backend_commands.py:
1697         (JSBackendCommandsGenerator.__init__):
1698         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
1699         (ObjCBackendDispatcherHeaderGenerator.__init__):
1700         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1701         (ObjCConfigurationImplementationGenerator.__init__):
1702         * inspector/scripts/codegen/generate_objc_configuration_header.py:
1703         (ObjCConfigurationHeaderGenerator.__init__):
1704         * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
1705         (ObjCBackendDispatcherImplementationGenerator.__init__):
1706         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1707         (ObjCFrontendDispatcherImplementationGenerator.__init__):
1708         * inspector/scripts/codegen/generate_objc_header.py:
1709         (ObjCHeaderGenerator.__init__):
1710         * inspector/scripts/codegen/generate_objc_internal_header.py:
1711         (ObjCInternalHeaderGenerator.__init__):
1712         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
1713         (ObjCProtocolTypeConversionsHeaderGenerator.__init__):
1714         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_implementation.py:
1715         (ObjCProtocolTypeConversionsImplementationGenerator.__init__):
1716         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1717         (ObjCProtocolTypesImplementationGenerator.__init__):
1718         Pass along *args instead of single positional arguments.
1719
1720         * inspector/scripts/codegen/generator.py:
1721         (Generator.__init__):
1722         Save the target platform and add a getter.
1723
1724         * inspector/scripts/codegen/models.py:
1725         (Platform):
1726         (Platform.__init__):
1727         (Platform.fromString):
1728         (Platforms):
1729         Define the allowed Platform instances (iOS, macOS, and Any).
1730
1731         * inspector/scripts/codegen/objc_generator.py:
1732         (ObjCGenerator.and.__init__):
1733         * inspector/scripts/generate-inspector-protocol-bindings.py:
1734         (generate_from_specification):
1735         Pass along *args instead of single positional arguments.
1736
1737 2017-01-04  JF Bastien  <jfbastien@apple.com>
1738
1739         WebAssembly JS API: add Module.sections
1740         https://bugs.webkit.org/show_bug.cgi?id=165159
1741         <rdar://problem/29760326>
1742
1743         Reviewed by Mark Lam.
1744
1745         As described in: https://github.com/WebAssembly/design/blob/master/JS.md#webassemblymodulecustomsections
1746
1747         This was added for Emscripten, and is likely to be used soon.
1748
1749         * wasm/WasmFormat.h: custom sections are just name + bytes
1750         * wasm/WasmModuleParser.cpp: parse them, instead of skipping over
1751         * wasm/WasmModuleParser.h:
1752         * wasm/js/WebAssemblyModulePrototype.cpp: construct the Array of
1753         ArrayBuffer as described in the spec
1754         (JSC::webAssemblyModuleProtoCustomSections):
1755
1756 2017-01-04  Saam Barati  <sbarati@apple.com>
1757
1758         We don't properly handle exceptions inside the nativeCallTrampoline macro in the LLInt
1759         https://bugs.webkit.org/show_bug.cgi?id=163720
1760
1761         Reviewed by Mark Lam.
1762
1763         In the LLInt, we were incorrectly doing the exception check after the call.
1764         Before the exception check, we were unwinding to our caller's
1765         frame under the assumption that our caller was always a JS frame.
1766         This is incorrect, however, because our caller might be a C frame.
1767         One way that it can be a C frame is when C calls to JS, and JS tail
1768         calls to native. This patch fixes this bug by doing unwinding from
1769         the native callee's frame instead of its caller's.
1770
1771         * llint/LowLevelInterpreter32_64.asm:
1772         * llint/LowLevelInterpreter64.asm:
1773
1774 2017-01-03  JF Bastien  <jfbastien@apple.com>
1775
1776         REGRESSION (r210244): Release JSC Stress test failure: wasm.yaml/wasm/js-api/wasm-to-wasm.js.default-wasm
1777         https://bugs.webkit.org/show_bug.cgi?id=166669
1778         <rdar://problem/29856455>
1779
1780         Reviewed by Saam Barati.
1781
1782         Bug #165282 added wasm -> wasm calls, but caused crashes in
1783         release builds because the pinned registers are also callee-saved
1784         and were being clobbered. B3 didn't see itself clobbering them
1785         when no memory was used, and therefore omitted a restore.
1786
1787         This was causing the C++ code in callWebAssemblyFunction to crash
1788         because $r12 was 0, and it expected it to have its value prior to
1789         the call.
1790
1791         * wasm/WasmB3IRGenerator.cpp:
1792         (JSC::Wasm::createJSToWasmWrapper):
1793
1794 2017-01-03  Joseph Pecoraro  <pecoraro@apple.com>
1795
1796         Web Inspector: Address failures under LayoutTests/inspector/debugger/stepping
1797         https://bugs.webkit.org/show_bug.cgi?id=166300
1798
1799         Reviewed by Brian Burg.
1800
1801         * debugger/Debugger.cpp:
1802         (JSC::Debugger::continueProgram):
1803         When continuing, clear states that would have had us pause again.
1804
1805         * inspector/agents/InspectorDebuggerAgent.cpp:
1806         (Inspector::InspectorDebuggerAgent::didBecomeIdle):
1807         When resuming after becoming idle, be sure to clear Debugger state.
1808
1809 2017-01-03  JF Bastien  <jfbastien@apple.com>
1810
1811         WebAssembly JS API: check and test in-call / out-call values
1812         https://bugs.webkit.org/show_bug.cgi?id=164876
1813         <rdar://problem/29844107>
1814
1815         Reviewed by Saam Barati.
1816
1817         * wasm/WasmBinding.cpp:
1818         (JSC::Wasm::wasmToJs): fix the wasm -> JS call coercions for f32 /
1819         f64 which the associated tests inadvertently tripped on: the
1820         previous code wasn't correctly performing JSValue boxing for
1821         "double" values. This change is slightly involved because it
1822         requires two scratch registers to materialize the
1823         `DoubleEncodeOffset` value. This change therefore reorganizes the
1824         code to first generate traps, then handle all integers (freeing
1825         all GPRs), and then all the floating-point values.
1826         * wasm/js/WebAssemblyFunction.cpp:
1827         (JSC::callWebAssemblyFunction): Implement the defined semantics
1828         for mismatched arities when JS calls wasm:
1829         https://github.com/WebAssembly/design/blob/master/JS.md#exported-function-exotic-objects
1830           - i32 is 0, f32 / f64 are NaN.
1831           - wasm functions which return "void" are "undefined" in JS.
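
As an added example (not WebKit's code) covering both the Module.customSections entry above and the call-coercion semantics just described: a wasm module hand-assembled here as a constructed byte array, exercised from JS. It assumes a JS engine with the WebAssembly API and TextDecoder, such as Node.

```javascript
// Constructed for this example (not WebKit code): a minimal wasm module with
// three exports, (i32)->i32 "i32", (f64)->f64 "f64", ()->() "nop", followed by
// two custom sections both named "meta" carrying the payloads "v1" and "v2".
const DEMO_MODULE_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, // magic "\0asm" + version 1
  // type section (id 1): (i32)->i32, (f64)->f64, ()->()
  0x01, 0x0e, 0x03,
  0x60, 0x01, 0x7f, 0x01, 0x7f,
  0x60, 0x01, 0x7c, 0x01, 0x7c,
  0x60, 0x00, 0x00,
  // function section (id 3): three functions using types 0, 1, 2
  0x03, 0x04, 0x03, 0x00, 0x01, 0x02,
  // export section (id 7): "i32" -> func 0, "f64" -> func 1, "nop" -> func 2
  0x07, 0x13, 0x03,
  0x03, 0x69, 0x33, 0x32, 0x00, 0x00,
  0x03, 0x66, 0x36, 0x34, 0x00, 0x01,
  0x03, 0x6e, 0x6f, 0x70, 0x00, 0x02,
  // code section (id 10): bodies are "local.get 0; end", "local.get 0; end", "end"
  0x0a, 0x0e, 0x03,
  0x04, 0x00, 0x20, 0x00, 0x0b,
  0x04, 0x00, 0x20, 0x00, 0x0b,
  0x02, 0x00, 0x0b,
  // custom sections (id 0): name "meta", payload "v1"; name "meta", payload "v2"
  0x00, 0x07, 0x04, 0x6d, 0x65, 0x74, 0x61, 0x76, 0x31,
  0x00, 0x07, 0x04, 0x6d, 0x65, 0x74, 0x61, 0x76, 0x32,
]);

function compileDemoModule() {
  return new WebAssembly.Module(DEMO_MODULE_BYTES);
}

// JS -> wasm calls with mismatched arity: a missing i32 argument is ToInt32(undefined) = 0,
// a missing f64 argument is ToNumber(undefined) = NaN, extra arguments are dropped,
// and a function without a result yields undefined.
function probeCallCoercions() {
  const { i32, f64, nop } = new WebAssembly.Instance(compileDemoModule()).exports;
  return {
    i32Missing: i32(),                // 0
    f64Missing: f64(),                // NaN
    i32Extra: i32(7, 'ignored'),      // 7, the surplus argument is dropped
    i32Wrapped: i32(2 ** 32 + 5),     // 5, ToInt32 wraps modulo 2^32
    f64FromString: f64('1.5'),        // 1.5, ToNumber applies to strings too
    voidResult: nop(),                // undefined
  };
}

// WebAssembly.Module.customSections returns one ArrayBuffer per section with the
// requested name, in module order, or an empty array when no section matches.
function readCustomSections(name) {
  const decoder = new TextDecoder();
  return WebAssembly.Module.customSections(compileDemoModule(), name)
    .map((buffer) => decoder.decode(buffer));
}
```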
1832
1833 2017-01-03  Per Arne Vollan  <pvollan@apple.com>
1834
1835         [Win] jsc.exe sometimes never exits.
1836         https://bugs.webkit.org/show_bug.cgi?id=158073
1837
1838         Reviewed by Darin Adler.
1839
1840         On Windows the thread specific destructor is also called when the main thread is exiting.
1841         This may lead to the main thread waiting forever for the machine thread lock when exiting,
1842         if the sampling profiler thread was terminated by the system while holding the machine
1843         thread lock.
1844
1845         * heap/MachineStackMarker.cpp:
1846         (JSC::MachineThreads::removeThread):
1847
1848 2017-01-02  Julien Brianceau  <jbriance@cisco.com>
1849
1850         Remove sh4 specific code from JavaScriptCore
1851         https://bugs.webkit.org/show_bug.cgi?id=166640
1852
1853         Reviewed by Filip Pizlo.
1854
1855         sh4-specific code has not compiled for a while (r189884 at least).
1856         As nobody seems to have interest in this architecture anymore, let's
1857         remove this dead code and thus ease the burden for JSC maintainers.
1858
1859         * CMakeLists.txt:
1860         * JavaScriptCore.xcodeproj/project.pbxproj:
1861         * assembler/AbstractMacroAssembler.h:
1862         (JSC::AbstractMacroAssembler::Jump::Jump):
1863         (JSC::AbstractMacroAssembler::Jump::link):
1864         * assembler/MacroAssembler.h:
1865         * assembler/MacroAssemblerSH4.h: Removed.
1866         * assembler/MaxFrameExtentForSlowPathCall.h:
1867         * assembler/SH4Assembler.h: Removed.
1868         * bytecode/DOMJITAccessCasePatchpointParams.cpp:
1869         (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
1870         * dfg/DFGSpeculativeJIT.h:
1871         (JSC::DFG::SpeculativeJIT::callOperation):
1872         * jit/AssemblyHelpers.h:
1873         (JSC::AssemblyHelpers::debugCall):
1874         * jit/CCallHelpers.h:
1875         (JSC::CCallHelpers::setupArgumentsWithExecState):
1876         (JSC::CCallHelpers::prepareForTailCallSlow):
1877         * jit/CallFrameShuffler.cpp:
1878         (JSC::CallFrameShuffler::prepareForTailCall):
1879         * jit/ExecutableAllocator.h:
1880         * jit/FPRInfo.h:
1881         * jit/GPRInfo.h:
1882         * jit/JITInlines.h:
1883         (JSC::JIT::callOperation):
1884         * jit/JITOpcodes32_64.cpp:
1885         (JSC::JIT::privateCompileCTINativeCall):
1886         * jit/JITOperations.cpp:
1887         * jit/RegisterSet.cpp:
1888         (JSC::RegisterSet::llintBaselineCalleeSaveRegisters):
1889         (JSC::RegisterSet::dfgCalleeSaveRegisters):
1890         * jit/ThunkGenerators.cpp:
1891         (JSC::nativeForGenerator):
1892         * llint/LLIntData.cpp:
1893         (JSC::LLInt::Data::performAssertions):
1894         * llint/LLIntOfflineAsmConfig.h:
1895         * llint/LowLevelInterpreter.asm:
1896         * llint/LowLevelInterpreter32_64.asm:
1897         * offlineasm/backends.rb:
1898         * offlineasm/instructions.rb:
1899         * offlineasm/sh4.rb: Removed.
1900         * yarr/YarrJIT.cpp:
1901         (JSC::Yarr::YarrGenerator::generateEnter):
1902         (JSC::Yarr::YarrGenerator::generateReturn):
1903
1904 2017-01-02  JF Bastien  <jfbastien@apple.com>
1905
1906         WebAssembly: handle and optimize wasm export → wasm import calls
1907         https://bugs.webkit.org/show_bug.cgi?id=165282
1908
1909         Reviewed by Saam Barati.
1910
1911           - Add a new JSType for WebAssemblyFunction, and use it when creating its
1912             structure. This is used to quickly detect from wasm whether the import
1913             call is to another wasm module, or whether it's to JS.
1914           - Generate two stubs from the import stub generator: one for wasm->JS and one
1915             for wasm -> wasm. This is done at Module time. Which is called will only be
1916             known at Instance time, once we've received the import object. We want to
1917             avoid codegen at Instance time, so having both around is great.
1918           - Restore the WebAssembly global state (VM top Instance, and pinned registers)
1919             after call / call_indirect, and in the JS->wasm entry stub.
1920           - Pinned registers are now a global thing, not per-Memory, because the wasm ->
1921             wasm stubs are generated at Module time where we don't really have enough
1922             information to do the right thing (doing so would generate too much code).
1923
1924         * CMakeLists.txt:
1925         * JavaScriptCore.xcodeproj/project.pbxproj:
1926         * runtime/JSType.h: add WebAssemblyFunctionType as a JSType
1927         * wasm/WasmB3IRGenerator.cpp: significantly rework how calls which
1928         could be external work, and how we save / restore global state:
1929         VM's top Instance, and pinned registers
1930         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1931         (JSC::Wasm::getMemoryBaseAndSize):
1932         (JSC::Wasm::restoreWebAssemblyGlobalState):
1933         (JSC::Wasm::createJSToWasmWrapper):
1934         (JSC::Wasm::parseAndCompile):
1935         * wasm/WasmB3IRGenerator.h:
1936         * wasm/WasmBinding.cpp:
1937         (JSC::Wasm::materializeImportJSCell):
1938         (JSC::Wasm::wasmToJS):
1939         (JSC::Wasm::wasmToWasm): the main goal of this patch was adding this function
1940         (JSC::Wasm::exitStubGenerator):
1941         * wasm/WasmBinding.h:
1942         * wasm/WasmFormat.h: Get rid of much of the function index space:
1943         we already have all of its information elsewhere, and as-is it
1944         provides no extra efficiency.
1945         (JSC::Wasm::ModuleInformation::functionIndexSpaceSize):
1946         (JSC::Wasm::ModuleInformation::isImportedFunctionFromFunctionIndexSpace):
1947         (JSC::Wasm::ModuleInformation::signatureIndexFromFunctionIndexSpace):
1948         * wasm/WasmFunctionParser.h:
1949         (JSC::Wasm::FunctionParser<Context>::FunctionParser):
1950         * wasm/WasmMemory.cpp: Add some logging.
1951         (JSC::Wasm::Memory::dump): this was nice when debugging
1952         (JSC::Wasm::Memory::makeString):
1953         (JSC::Wasm::Memory::Memory):
1954         (JSC::Wasm::Memory::~Memory):
1955         (JSC::Wasm::Memory::grow):
1956         * wasm/WasmMemory.h: don't use extra indirection, it wasn't
1957         needed. Reorder some of the fields which are looked up at runtime
1958         so they're more cache-friendly.
1959         (JSC::Wasm::Memory::Memory):
1960         (JSC::Wasm::Memory::mode):
1961         (JSC::Wasm::Memory::offsetOfSize):
1962         * wasm/WasmMemoryInformation.cpp: Pinned registers are now a
1963         global thing for all of JSC, not a per-Memory thing
1964         anymore. wasm->wasm calls are more complex otherwise: they have to
1965         figure out how to bridge between the caller and callee's
1966         special-snowflake pinning.
1967         (JSC::Wasm::PinnedRegisterInfo::get):
1968         (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
1969         (JSC::Wasm::MemoryInformation::MemoryInformation):
1970         * wasm/WasmMemoryInformation.h:
1971         * wasm/WasmModuleParser.cpp:
1972         * wasm/WasmModuleParser.h:
1973         * wasm/WasmPageCount.cpp: Copied from Source/JavaScriptCore/wasm/WasmBinding.h.
1974         (JSC::Wasm::PageCount::dump): nice for debugging
1975         * wasm/WasmPageCount.h:
1976         * wasm/WasmPlan.cpp:
1977         (JSC::Wasm::Plan::parseAndValidateModule):
1978         (JSC::Wasm::Plan::run):
1979         * wasm/WasmPlan.h:
1980         (JSC::Wasm::Plan::takeWasmExitStubs):
1981         * wasm/WasmSignature.cpp:
1982         (JSC::Wasm::Signature::toString):
1983         (JSC::Wasm::Signature::dump):
1984         * wasm/WasmSignature.h:
1985         * wasm/WasmValidate.cpp:
1986         (JSC::Wasm::validateFunction):
1987         * wasm/WasmValidate.h:
1988         * wasm/js/JSWebAssemblyInstance.h:
1989         (JSC::JSWebAssemblyInstance::offsetOfTable):
1990         (JSC::JSWebAssemblyInstance::offsetOfImportFunctions):
1991         (JSC::JSWebAssemblyInstance::offsetOfImportFunction):
1992         * wasm/js/JSWebAssemblyMemory.cpp:
1993         (JSC::JSWebAssemblyMemory::create):
1994         (JSC::JSWebAssemblyMemory::JSWebAssemblyMemory):
1995         (JSC::JSWebAssemblyMemory::buffer):
1996         (JSC::JSWebAssemblyMemory::grow):
1997         * wasm/js/JSWebAssemblyMemory.h:
1998         (JSC::JSWebAssemblyMemory::memory):
1999         (JSC::JSWebAssemblyMemory::offsetOfMemory):
2000         (JSC::JSWebAssemblyMemory::offsetOfSize):
2001         * wasm/js/JSWebAssemblyModule.cpp:
2002         (JSC::JSWebAssemblyModule::create):
2003         (JSC::JSWebAssemblyModule::JSWebAssemblyModule):
2004         * wasm/js/JSWebAssemblyModule.h:
2005         (JSC::JSWebAssemblyModule::signatureIndexFromFunctionIndexSpace):
2006         (JSC::JSWebAssemblyModule::functionImportCount):
2007         * wasm/js/WebAssemblyFunction.cpp:
2008         (JSC::callWebAssemblyFunction):
2009         (JSC::WebAssemblyFunction::create):
2010         (JSC::WebAssemblyFunction::createStructure):
2011         (JSC::WebAssemblyFunction::WebAssemblyFunction):
2012         (JSC::WebAssemblyFunction::finishCreation):
2013         * wasm/js/WebAssemblyFunction.h:
2014         (JSC::WebAssemblyFunction::wasmEntrypoint):
2015         (JSC::WebAssemblyFunction::offsetOfInstance):
2016         (JSC::WebAssemblyFunction::offsetOfWasmEntryPointCode):
2017         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2018         (JSC::constructJSWebAssemblyInstance): always start with a dummy
2019         memory, so wasm->wasm calls don't need to null-check
2020         * wasm/js/WebAssemblyMemoryConstructor.cpp:
2021         (JSC::constructJSWebAssemblyMemory):
2022         * wasm/js/WebAssemblyModuleConstructor.cpp:
2023         (JSC::WebAssemblyModuleConstructor::createModule):
2024         * wasm/js/WebAssemblyModuleRecord.cpp:
2025         (JSC::WebAssemblyModuleRecord::link):
2026         (JSC::WebAssemblyModuleRecord::evaluate):
2027         * wasm/js/WebAssemblyModuleRecord.h:
2028
2029 2017-01-02  Saam Barati  <sbarati@apple.com>
2030
2031         WebAssembly: Some loads don't take into account the offset
2032         https://bugs.webkit.org/show_bug.cgi?id=166616
2033         <rdar://problem/29841541>
2034
2035         Reviewed by Keith Miller.
2036
2037         * wasm/WasmB3IRGenerator.cpp:
2038         (JSC::Wasm::B3IRGenerator::emitLoadOp):
2039
2040 2017-01-01  Jeff Miller  <jeffm@apple.com>
2041
2042         Update user-visible copyright strings to include 2017
2043         https://bugs.webkit.org/show_bug.cgi?id=166278
2044
2045         Reviewed by Dan Bernstein.
2046
2047         * Info.plist:
2048
2049 2016-12-28  Saam Barati  <sbarati@apple.com>
2050
2051         WebAssembly: Don't allow duplicate export names
2052         https://bugs.webkit.org/show_bug.cgi?id=166490
2053         <rdar://problem/29815000>
2054
2055         Reviewed by Keith Miller.
2056
2057         * wasm/WasmModuleParser.cpp:
2058
2059 2016-12-28  Saam Barati  <sbarati@apple.com>
2060
2061         Unreviewed. Fix jsc.cpp build error.
2062
2063         * jsc.cpp:
2064         (functionTestWasmModuleFunctions):
2065
2066 2016-12-28  Saam Barati  <sbarati@apple.com>
2067
2068         WebAssembly: Implement grow_memory and current_memory
2069         https://bugs.webkit.org/show_bug.cgi?id=166448
2070         <rdar://problem/29803676>
2071
2072         Reviewed by Keith Miller.
2073
2074         This patch implements grow_memory, current_memory, and WebAssembly.prototype.grow.
2075         See relevant spec texts here:
2076         
2077         https://github.com/WebAssembly/design/blob/master/Semantics.md#linear-memory-accesses
2078         https://github.com/WebAssembly/design/blob/master/JS.md#webassemblymemoryprototypegrow
2079         
2080         I also fix a couple miscellaneous bugs:
2081         
2082         1. Data section now understands full init_exprs. 
2083         2. parseVarUint1 no longer has a bug where we allow values larger than 1 if
2084         their bottom 8 bits are zero.
2085         
2086         Since the JS API can now grow memory, we need to make calling an import
2087         and call_indirect refresh the base memory register and the size registers.
2088
2089         * jsc.cpp:
2090         (functionTestWasmModuleFunctions):
2091         * runtime/Options.h:
2092         * runtime/VM.h:
2093         * wasm/WasmB3IRGenerator.cpp:
2094         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2095         (JSC::Wasm::reloadPinnedRegisters):
2096         (JSC::Wasm::B3IRGenerator::emitReloadPinnedRegisters):
2097         (JSC::Wasm::createJSToWasmWrapper):
2098         (JSC::Wasm::parseAndCompile):
2099         * wasm/WasmFormat.cpp:
2100         (JSC::Wasm::Segment::create):
2101         * wasm/WasmFormat.h:
2102         (JSC::Wasm::I32InitExpr::I32InitExpr):
2103         (JSC::Wasm::I32InitExpr::globalImport):
2104         (JSC::Wasm::I32InitExpr::constValue):
2105         (JSC::Wasm::I32InitExpr::isConst):
2106         (JSC::Wasm::I32InitExpr::isGlobalImport):
2107         (JSC::Wasm::I32InitExpr::globalImportIndex):
2108         (JSC::Wasm::Segment::byte):
2109         (JSC::Wasm::ModuleInformation::importFunctionCount):
2110         (JSC::Wasm::ModuleInformation::hasMemory):
2111         * wasm/WasmFunctionParser.h:
2112         * wasm/WasmMemory.cpp:
2113         (JSC::Wasm::Memory::Memory):
2114         (JSC::Wasm::Memory::grow):
2115         * wasm/WasmMemory.h:
2116         (JSC::Wasm::Memory::size):
2117         (JSC::Wasm::Memory::sizeInPages):
2118         (JSC::Wasm::Memory::offsetOfMemory):
2119         (JSC::Wasm::Memory::isValid): Deleted.
2120         (JSC::Wasm::Memory::grow): Deleted.
2121         * wasm/WasmModuleParser.cpp:
2122         (JSC::Wasm::makeI32InitExpr):
2123         * wasm/WasmModuleParser.h:
2124         * wasm/WasmPageCount.h:
2125         (JSC::Wasm::PageCount::bytes):
2126         (JSC::Wasm::PageCount::pageCount):
2127         (JSC::Wasm::PageCount::fromBytes):
2128         (JSC::Wasm::PageCount::operator+):
2129         * wasm/WasmParser.h:
2130         (JSC::Wasm::Parser<SuccessType>::parseVarUInt1):
2131         * wasm/WasmValidate.cpp:
2132         * wasm/js/JSWebAssemblyInstance.h:
2133         (JSC::JSWebAssemblyInstance::offsetOfMemory):
2134         * wasm/js/JSWebAssemblyMemory.cpp:
2135         (JSC::JSWebAssemblyMemory::~JSWebAssemblyMemory):
2136         (JSC::JSWebAssemblyMemory::grow):
2137         * wasm/js/JSWebAssemblyMemory.h:
2138         (JSC::JSWebAssemblyMemory::offsetOfMemory):
2139         * wasm/js/JSWebAssemblyModule.h:
2140         (JSC::JSWebAssemblyModule::functionImportCount):
2141         (JSC::JSWebAssemblyModule::jsEntrypointCalleeFromFunctionIndexSpace):
2142         (JSC::JSWebAssemblyModule::wasmEntrypointCalleeFromFunctionIndexSpace):
2143         (JSC::JSWebAssemblyModule::importCount): Deleted.
2144         * wasm/js/WebAssemblyFunction.cpp:
2145         (JSC::callWebAssemblyFunction):
2146         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2147         (JSC::constructJSWebAssemblyInstance):
2148         * wasm/js/WebAssemblyMemoryConstructor.cpp:
2149         (JSC::constructJSWebAssemblyMemory):
2150         * wasm/js/WebAssemblyMemoryPrototype.cpp:
2151         (JSC::getMemory):
2152         (JSC::webAssemblyMemoryProtoFuncBuffer):
2153         (JSC::webAssemblyMemoryProtoFuncGrow):
2154         * wasm/js/WebAssemblyModuleRecord.cpp:
2155         (JSC::WebAssemblyModuleRecord::link):
2156         (JSC::dataSegmentFail):
2157         (JSC::WebAssemblyModuleRecord::evaluate):
2158         * wasm/wasm.json:
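
As an added example (not WebKit's code) of the grow_memory / current_memory and Memory.prototype.grow behaviour described above: a wasm module, hand-assembled here as a constructed byte array, that exports its memory plus size and grow wrappers, driven from JS. It assumes a JS engine with the WebAssembly API, such as Node.

```javascript
// Constructed for this example (not WebKit code): a wasm module declaring a
// memory of 1 page (max 3) and exporting it as "mem" together with
// "size" = current_memory and "grow" = grow_memory(arg).
const MEMORY_MODULE_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, // magic + version
  // type section: ()->i32, (i32)->i32
  0x01, 0x0a, 0x02,
  0x60, 0x00, 0x01, 0x7f,
  0x60, 0x01, 0x7f, 0x01, 0x7f,
  // function section: func 0 uses type 0, func 1 uses type 1
  0x03, 0x03, 0x02, 0x00, 0x01,
  // memory section: one memory, limits {min: 1, max: 3} pages
  0x05, 0x04, 0x01, 0x01, 0x01, 0x03,
  // export section: "size" -> func 0, "grow" -> func 1, "mem" -> memory 0
  0x07, 0x15, 0x03,
  0x04, 0x73, 0x69, 0x7a, 0x65, 0x00, 0x00,
  0x04, 0x67, 0x72, 0x6f, 0x77, 0x00, 0x01,
  0x03, 0x6d, 0x65, 0x6d, 0x02, 0x00,
  // code section: "current_memory; end" and "local.get 0; grow_memory; end"
  0x0a, 0x0d, 0x02,
  0x04, 0x00, 0x3f, 0x00, 0x0b,
  0x06, 0x00, 0x20, 0x00, 0x40, 0x00, 0x0b,
]);

const WASM_PAGE_BYTES = 65536;

// Grows the memory from the wasm side and from the JS side and records what
// each side observes afterwards.
function probeMemoryGrowth() {
  const { size, grow, mem } =
    new WebAssembly.Instance(new WebAssembly.Module(MEMORY_MODULE_BYTES)).exports;
  const bufferBefore = mem.buffer;
  const r = {};
  r.initialPages = size();                               // 1
  r.growFromWasm = grow(1);                              // 1: grow_memory returns the old page count
  r.pagesAfterWasmGrow = size();                         // 2
  r.oldBufferDetached = bufferBefore.byteLength === 0;   // true: growth detaches the previous ArrayBuffer
  r.bufferBytes = mem.buffer.byteLength;                 // 131072 = 2 * WASM_PAGE_BYTES
  r.growFromJs = mem.grow(1);                            // 2: Memory.prototype.grow also returns the old size
  r.pagesAfterJsGrow = size();                           // 3: wasm code sees the JS-side growth
  r.growPastMax = grow(1);                               // -1: exceeding the declared maximum fails
  r.pagesAfterFailedGrow = size();                       // 3: a failed grow changes nothing
  return r;
}
```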
2159
2160 2016-12-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2161
2162         Use variadic templates in JSC Parser to clean up
2163         https://bugs.webkit.org/show_bug.cgi?id=166482
2164
2165         Reviewed by Saam Barati.
2166
2167         * parser/Parser.cpp:
2168         (JSC::Parser<LexerType>::logError):
2169         * parser/Parser.h:
2170
2171 2016-12-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2172
2173         Propagate the source origin as much as possible
2174         https://bugs.webkit.org/show_bug.cgi?id=166348
2175
2176         Reviewed by Darin Adler.
2177
2178         This patch introduces CallFrame::callerSourceOrigin, SourceOrigin class
2179         and SourceProvider::m_sourceOrigin. CallFrame::callerSourceOrigin returns
2180         an appropriate SourceOrigin if possible. If we cannot find the appropriate
2181         one, we just return null SourceOrigin.
2182
2183         This paves the way for implementing the module dynamic-import[1].
2184         When the import operator is evaluated, it will resolve the module
2185         specifier with this propagated source origin of the caller function.
2186
2187         To support import operator inside the dynamic code generation
2188         functions (like `eval`, `new Function`, indirect call to `eval`),
2189         we need to propagate the caller's source origin to the generated
2190         source code.
2191
2192         We do not use sourceURL for that purpose. This is because we
2193         would like to keep sourceURL for `eval` / `new Function` null.
2194         This sourceURL will be used for the stack dump for errors with line/column
2195         numbers. Dumping the caller's sourceURL with line/column numbers is
2196         meaningless. So we would like to keep it null while we would like
2197         to propagate SourceOrigin for dynamic imports.
2198
2199         [1]: https://github.com/tc39/proposal-dynamic-import
2200
2201         * API/JSBase.cpp:
2202         (JSEvaluateScript):
2203         (JSCheckScriptSyntax):
2204         * API/JSObjectRef.cpp:
2205         (JSObjectMakeFunction):
2206         * API/JSScriptRef.cpp:
2207         (OpaqueJSScript::create):
2208         (OpaqueJSScript::vm):
2209         (OpaqueJSScript::OpaqueJSScript):
2210         (parseScript):
2211         * JavaScriptCore.xcodeproj/project.pbxproj:
2212         * Scripts/builtins/builtins_templates.py:
2213         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
2214         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
2215         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
2216         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
2217         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
2218         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2219         * builtins/BuiltinExecutables.cpp:
2220         (JSC::BuiltinExecutables::BuiltinExecutables):
2221         (JSC::BuiltinExecutables::createDefaultConstructor):
2222         * debugger/DebuggerCallFrame.cpp:
2223         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
2224         * inspector/InjectedScriptManager.cpp:
2225         (Inspector::InjectedScriptManager::createInjectedScript):
2226         * inspector/JSInjectedScriptHost.cpp:
2227         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
2228         * inspector/agents/InspectorRuntimeAgent.cpp:
2229         (Inspector::InspectorRuntimeAgent::parse):
2230         * interpreter/CallFrame.cpp:
2231         (JSC::CallFrame::callerSourceOrigin):
2232         * interpreter/CallFrame.h:
2233         * interpreter/Interpreter.cpp:
2234         (JSC::eval):
2235         * jsc.cpp:
2236         (jscSource):
2237         (GlobalObject::finishCreation):
2238         (extractDirectoryName):
2239         (currentWorkingDirectory):
2240         (GlobalObject::moduleLoaderResolve):
2241         (functionRunString):
2242         (functionLoadString):
2243         (functionCallerSourceOrigin):
2244         (functionCreateBuiltin):
2245         (functionCheckModuleSyntax):
2246         (runInteractive):
2247         * parser/SourceCode.h:
2248         (JSC::makeSource):
2249         * parser/SourceProvider.cpp:
2250         (JSC::SourceProvider::SourceProvider):
2251         * parser/SourceProvider.h:
2252         (JSC::SourceProvider::sourceOrigin):
2253         (JSC::StringSourceProvider::create):
2254         (JSC::StringSourceProvider::StringSourceProvider):
2255         (JSC::WebAssemblySourceProvider::create):
2256         (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
2257         * runtime/FunctionConstructor.cpp:
2258         (JSC::constructFunction):
2259         (JSC::constructFunctionSkippingEvalEnabledCheck):
2260         * runtime/FunctionConstructor.h:
2261         * runtime/JSGlobalObjectFunctions.cpp:
2262         (JSC::globalFuncEval):
2263         * runtime/ModuleLoaderPrototype.cpp:
2264         (JSC::moduleLoaderPrototypeParseModule):
2265         * runtime/ScriptExecutable.h:
2266         (JSC::ScriptExecutable::sourceOrigin):
2267         * runtime/SourceOrigin.h: Added.
2268         (JSC::SourceOrigin::SourceOrigin):
2269         (JSC::SourceOrigin::string):
2270         (JSC::SourceOrigin::isNull):
2271         * tools/FunctionOverrides.cpp:
2272         (JSC::initializeOverrideInfo):
2273
2274 2016-12-24  Caio Lima  <ticaiolima@gmail.com>
2275
2276         [test262] Fixing mapped arguments object property test case
2277         https://bugs.webkit.org/show_bug.cgi?id=159398
2278
2279         Reviewed by Saam Barati.
2280
2281         This patch changes GenericArguments' override mechanism to
2282         implement correct behavior on ECMAScript test262 suite test cases of
2283         mapped arguments object with non-configurable and non-writable
2284         property. Also it is ensuring that arguments[i]
2285         cannot be deleted when argument "i" is {configurable: false}.
2286
2287         The previous implementation goes against the specification for 2 reasons:
2288
2289         1. Every argument in the arguments object is {writable: true} by default
2290            (http://www.ecma-international.org/ecma-262/7.0/index.html#sec-createunmappedargumentsobject).
2291            It means that we have to stop mapping a defined property index
2292            if the new property descriptor contains writable (i.e. writable is
2293            present) and its value is false (also check
2294            https://tc39.github.io/ecma262/#sec-arguments-exotic-objects-defineownproperty-p-desc).
2295            The previous implementation considers {writable: false} if writable is
2296            not present.
2297
2298         2. When a property is overridden, the "delete" operation always returns true. However
2299            delete operations should follow the specification.
2300
2301         We created an auxiliary boolean array named m_modifiedArgumentsDescriptor
2302         to store which arguments[i] descriptor was changed from its default
2303         property descriptor. This modification was necessary because m_overrides
2304         was responsible for keeping this information at the same time
2305         as keeping information about arguments mapping. The problem with this approach was
2306         that we needed to call overridesArgument(i) as soon as the ith argument's property
2307         descriptor was changed, and it stopped the argument's mapping as a side effect, producing
2308         wrong behavior.
2309         To keep tracking arguments mapping status, we renamed DirectArguments::m_overrides to
2310         DirectArguments::m_mappedArguments and now it is responsible for managing whether an
2311         argument[i] is mapped or not.
2312         With these 2 structures, it is now possible for an argument[i] to have its property
2313         descriptor modified without stopping the mapping as soon as it happens. One example
2314         of that wrong behavior can be found in the arguments-bizarre-behaviour-disable-enumerability
2315         test case, which is now fixed by this new mechanism.
2316
2317         * bytecode/PolymorphicAccess.cpp:
2318         (JSC::AccessCase::generateWithGuard):
2319         * dfg/DFGSpeculativeJIT.cpp:
2320         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
2321         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
2322         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
2323         * ftl/FTLAbstractHeapRepository.h:
2324         * ftl/FTLLowerDFGToB3.cpp:
2325         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
2326         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2327         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
2328         * jit/JITOperations.cpp:
2329         (JSC::canAccessArgumentIndexQuickly):
2330         * jit/JITPropertyAccess.cpp:
2331         (JSC::JIT::emitDirectArgumentsGetByVal):
2332         * runtime/DirectArguments.cpp:
2333         (JSC::DirectArguments::estimatedSize):
2334         (JSC::DirectArguments::visitChildren):
2335         (JSC::DirectArguments::overrideThings):
2336         (JSC::DirectArguments::overrideThingsIfNecessary):
2337         (JSC::DirectArguments::unmapArgument):
2338         (JSC::DirectArguments::copyToArguments):
2339         (JSC::DirectArguments::overridesSize):
2340         (JSC::DirectArguments::overrideArgument): Deleted.
2341         * runtime/DirectArguments.h:
2342         (JSC::DirectArguments::length):
2343         (JSC::DirectArguments::isMappedArgument):
2344         (JSC::DirectArguments::isMappedArgumentInDFG):
2345         (JSC::DirectArguments::getIndexQuickly):
2346         (JSC::DirectArguments::setIndexQuickly):
2347         (JSC::DirectArguments::overrodeThings):
2348         (JSC::DirectArguments::initModifiedArgumentsDescriptorIfNecessary):
2349         (JSC::DirectArguments::setModifiedArgumentDescriptor):
2350         (JSC::DirectArguments::isModifiedArgumentDescriptor):
2351         (JSC::DirectArguments::offsetOfMappedArguments):
2352         (JSC::DirectArguments::offsetOfModifiedArgumentsDescriptor):
2353         (JSC::DirectArguments::canAccessIndexQuickly): Deleted.
2354         (JSC::DirectArguments::canAccessArgumentIndexQuicklyInDFG): Deleted.
2355         (JSC::DirectArguments::offsetOfOverrides): Deleted.
2356         * runtime/GenericArguments.h:
2357         * runtime/GenericArgumentsInlines.h:
2358         (JSC::GenericArguments<Type>::visitChildren):
2359         (JSC::GenericArguments<Type>::getOwnPropertySlot):
2360         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
2361         (JSC::GenericArguments<Type>::getOwnPropertyNames):
2362         (JSC::GenericArguments<Type>::put):
2363         (JSC::GenericArguments<Type>::putByIndex):
2364         (JSC::GenericArguments<Type>::deleteProperty):
2365         (JSC::GenericArguments<Type>::deletePropertyByIndex):
2366         (JSC::GenericArguments<Type>::defineOwnProperty):
2367         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
2368         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptorIfNecessary):
2369         (JSC::GenericArguments<Type>::setModifiedArgumentDescriptor):
2370         (JSC::GenericArguments<Type>::isModifiedArgumentDescriptor):
2371         (JSC::GenericArguments<Type>::copyToArguments):
2372         * runtime/ScopedArguments.cpp:
2373         (JSC::ScopedArguments::visitChildren):
2374         (JSC::ScopedArguments::unmapArgument):
2375         (JSC::ScopedArguments::overrideArgument): Deleted.
2376         * runtime/ScopedArguments.h:
2377         (JSC::ScopedArguments::isMappedArgument):
2378         (JSC::ScopedArguments::isMappedArgumentInDFG):
2379         (JSC::ScopedArguments::getIndexQuickly):
2380         (JSC::ScopedArguments::setIndexQuickly):
2381         (JSC::ScopedArguments::initModifiedArgumentsDescriptorIfNecessary):
2382         (JSC::ScopedArguments::setModifiedArgumentDescriptor):
2383         (JSC::ScopedArguments::isModifiedArgumentDescriptor):
2384         (JSC::ScopedArguments::canAccessIndexQuickly): Deleted.
2385         (JSC::ScopedArguments::canAccessArgumentIndexQuicklyInDFG): Deleted.
2386
2387 2016-12-23  Mark Lam  <mark.lam@apple.com>
2388
2389         Using Option::breakOnThrow() shouldn't crash while printing a null CodeBlock.
2390         https://bugs.webkit.org/show_bug.cgi?id=166466
2391
2392         Reviewed by Keith Miller.
2393
2394         * runtime/VM.cpp:
2395         (JSC::VM::throwException):
2396
2397 2016-12-23  Mark Lam  <mark.lam@apple.com>
2398
2399         Enhance LLInt tracing to dump the codeBlock signature instead of just a pointer where appropriate.
2400         https://bugs.webkit.org/show_bug.cgi?id=166465
2401
2402         Reviewed by Keith Miller.
2403
2404         * llint/LLIntSlowPaths.cpp:
2405         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2406         (JSC::LLInt::traceFunctionPrologue):
2407
2408 2016-12-23  Keith Miller  <keith_miller@apple.com>
2409
2410         WebAssembly: trap on bad division.
2411         https://bugs.webkit.org/show_bug.cgi?id=164786
2412
2413         Reviewed by Mark Lam.
2414
2415         This patch adds traps for division / modulo by zero and for
2416         division by int_min / -1.
2417
2418         * wasm/WasmB3IRGenerator.cpp:
2419         (JSC::Wasm::B3IRGenerator::emitChecksForModOrDiv):
2420         * wasm/WasmExceptionType.h:
2421         * wasm/WasmPlan.cpp:
2422         (JSC::Wasm::Plan::run):
2423         * wasm/wasm.json:
2424
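As an added illustration (not JavaScriptCore code), the following models the trap conditions the entry above adds for wasm i32 division and remainder; WasmTrap and I32Result are this example's own names and the operand pairs in main() are constructed.

```cpp
// Added example, not JavaScriptCore code: models the trap conditions the entry above
// adds for wasm i32 division and remainder. WasmTrap and I32Result are this example's
// own names; the operands in main() are constructed.
#include <cstdint>
#include <iostream>
#include <limits>

enum class WasmTrap { None, DivisionByZero, IntegerOverflow };

struct I32Result {
    WasmTrap trap;
    uint32_t bits; // raw i32 bit pattern; meaningful only when trap == WasmTrap::None
};

static const int32_t kInt32Min = std::numeric_limits<int32_t>::min();

// i32.div_s traps on a zero divisor and on INT32_MIN / -1: the quotient 2^31 is not
// representable, and a native signed divide would fault rather than wrap.
I32Result i32DivS(int32_t lhs, int32_t rhs)
{
    if (rhs == 0)
        return { WasmTrap::DivisionByZero, 0 };
    if (lhs == kInt32Min && rhs == -1)
        return { WasmTrap::IntegerOverflow, 0 };
    return { WasmTrap::None, static_cast<uint32_t>(lhs / rhs) }; // C++ truncates toward zero, as wasm requires
}

// i32.rem_s traps only on a zero divisor. The entry lists INT32_MIN / -1 as a division
// trap only: the remainder in that case is 0. Evaluating INT32_MIN % -1 in C++ is
// undefined behaviour, so that case is answered before the native operator runs.
I32Result i32RemS(int32_t lhs, int32_t rhs)
{
    if (rhs == 0)
        return { WasmTrap::DivisionByZero, 0 };
    if (rhs == -1)
        return { WasmTrap::None, 0 }; // x % -1 == 0 for every x, without risking overflow
    return { WasmTrap::None, static_cast<uint32_t>(lhs % rhs) };
}

// Unsigned division and remainder can only trap on a zero divisor.
I32Result i32DivU(uint32_t lhs, uint32_t rhs)
{
    if (rhs == 0)
        return { WasmTrap::DivisionByZero, 0 };
    return { WasmTrap::None, lhs / rhs };
}

I32Result i32RemU(uint32_t lhs, uint32_t rhs)
{
    if (rhs == 0)
        return { WasmTrap::DivisionByZero, 0 };
    return { WasmTrap::None, lhs % rhs };
}

static const char* trapName(WasmTrap trap)
{
    switch (trap) {
    case WasmTrap::DivisionByZero: return "trap: integer divide by zero";
    case WasmTrap::IntegerOverflow: return "trap: integer overflow";
    default: return "ok";
    }
}

int main()
{
    // Constructed operand pairs covering the normal path and each trap condition.
    const I32Result results[] = {
        i32DivS(-7, 2),         // ok, -3
        i32DivS(7, 0),          // trap: integer divide by zero
        i32DivS(kInt32Min, -1), // trap: integer overflow
        i32RemS(kInt32Min, -1), // ok, 0 (no trap for the remainder)
        i32RemU(UINT32_MAX, 2), // ok, 1
    };
    for (const I32Result& r : results)
        std::cout << trapName(r.trap) << " value=" << static_cast<int32_t>(r.bits) << '\n';
    return 0;
}
```
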
2425 2016-12-23  Mark Lam  <mark.lam@apple.com>
2426
2427         Fix broken LLINT_SLOW_PATH_TRACING build.
2428         https://bugs.webkit.org/show_bug.cgi?id=166463
2429
2430         Reviewed by Keith Miller.
2431
2432         * llint/LLIntExceptions.cpp:
2433         (JSC::LLInt::returnToThrow):
2434         (JSC::LLInt::callToThrow):
2435         * runtime/CommonSlowPathsExceptions.cpp:
2436         (JSC::CommonSlowPaths::interpreterThrowInCaller):
2437
2438 2016-12-22  Keith Miller  <keith_miller@apple.com>
2439
2440         WebAssembly: Make spec-tests/f32.wast.js and spec-tests/f64.wast.js pass
2441         https://bugs.webkit.org/show_bug.cgi?id=166447
2442
2443         Reviewed by Saam Barati.
2444
2445         We needed to treat -0.0 < 0.0 for floating point min/max. For min,
2446         the algorithm works because if a == b then a and b are not NaNs so
2447         either they are the same or they are some zero. When we or a and b
2448         either we get the same number back or we get -0.0. Similarly for
2449         max we use an and and the sign bit gets dropped if one is 0.0 and
2450         the other is -0.0, otherwise, we get the same number back.
2451
2452         * wasm/wasm.json:
2453
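As an added scalar model (not JavaScriptCore code) of the min/max lowering the entry above describes: when a == b the operands are equal non-NaNs, so OR-ing the bit patterns yields -0.0 for min and AND-ing them yields +0.0 for max; the NaN handling is written out explicitly here, and wasmFMin/wasmFMax are this example's own names (f32 works the same with 32-bit patterns).

```cpp
// Added example, not JavaScriptCore code: scalar model of the wasm f64.min/f64.max
// lowering described above. The equal-operand case uses the bitwise OR / AND trick;
// the NaN case is spelled out explicitly.
#include <cmath>
#include <cstdint>
#include <cstring>
#include <iostream>

static uint64_t bitsOf(double value)
{
    uint64_t bits;
    std::memcpy(&bits, &value, sizeof bits);
    return bits;
}

static double fromBits(uint64_t bits)
{
    double value;
    std::memcpy(&value, &bits, sizeof value);
    return value;
}

// f64.min: NaN if either operand is NaN; -0.0 when the operands are +0.0 and -0.0.
double wasmFMin(double a, double b)
{
    if (std::isnan(a) || std::isnan(b))
        return std::nan("");
    if (a == b)
        return fromBits(bitsOf(a) | bitsOf(b)); // equal non-NaNs: keep the sign bit if either has it
    return a < b ? a : b;
}

// f64.max: NaN if either operand is NaN; +0.0 when the operands are +0.0 and -0.0.
double wasmFMax(double a, double b)
{
    if (std::isnan(a) || std::isnan(b))
        return std::nan("");
    if (a == b)
        return fromBits(bitsOf(a) & bitsOf(b)); // equal non-NaNs: drop the sign bit unless both have it
    return a > b ? a : b;
}

int main()
{
    std::cout << "f64.min(0.0, -0.0) has sign bit: " << std::signbit(wasmFMin(0.0, -0.0)) << '\n';
    std::cout << "f64.max(0.0, -0.0) has sign bit: " << std::signbit(wasmFMax(0.0, -0.0)) << '\n';
    std::cout << "f64.min(nan, 1.0) is nan: " << std::isnan(wasmFMin(std::nan(""), 1.0)) << '\n';
    return 0;
}
```
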
2454 2016-12-22  Saam Barati  <sbarati@apple.com>
2455
2456         WebAssembly: Make calling Wasm functions that return or take an i64 as a parameter an early exception
2457         https://bugs.webkit.org/show_bug.cgi?id=166437
2458         <rdar://problem/29793949>
2459
2460         Reviewed by Keith Miller.
2461
2462         This patch makes it so that we throw an exception before we do
2463         anything else if we call a wasm function that either takes an
2464         i64 as an argument or returns an i64.
2465
2466         * wasm/js/WebAssemblyFunction.cpp:
2467         (JSC::callWebAssemblyFunction):
2468         (JSC::WebAssemblyFunction::WebAssemblyFunction):
2469         (JSC::WebAssemblyFunction::call): Deleted.
2470         * wasm/js/WebAssemblyFunction.h:
2471         (JSC::WebAssemblyFunction::signatureIndex):
2472         (JSC::WebAssemblyFunction::jsEntrypoint):
2473
2474 2016-12-22  Keith Miller  <keith_miller@apple.com>
2475
2476         Add BitOr for floating points to B3
2477         https://bugs.webkit.org/show_bug.cgi?id=166446
2478
2479         Reviewed by Saam Barati.
2480
2481         This patch does some slight refactoring to the ARM assembler,
2482         which groups all the vector floating point instructions together.
2483
2484         * assembler/ARM64Assembler.h:
2485         (JSC::ARM64Assembler::vand):
2486         (JSC::ARM64Assembler::vorr):
2487         (JSC::ARM64Assembler::vectorDataProcessingLogical):
2488         (JSC::ARM64Assembler::vectorDataProcessing2Source): Deleted.
2489         * assembler/MacroAssemblerARM64.h:
2490         (JSC::MacroAssemblerARM64::orDouble):
2491         (JSC::MacroAssemblerARM64::orFloat):
2492         * assembler/MacroAssemblerX86Common.h:
2493         (JSC::MacroAssemblerX86Common::orDouble):
2494         (JSC::MacroAssemblerX86Common::orFloat):
2495         * assembler/X86Assembler.h:
2496         (JSC::X86Assembler::orps_rr):
2497         * b3/B3ConstDoubleValue.cpp:
2498         (JSC::B3::ConstDoubleValue::bitOrConstant):
2499         (JSC::B3::ConstDoubleValue::bitXorConstant):
2500         * b3/B3ConstDoubleValue.h:
2501         * b3/B3ConstFloatValue.cpp:
2502         (JSC::B3::ConstFloatValue::bitOrConstant):
2503         (JSC::B3::ConstFloatValue::bitXorConstant):
2504         * b3/B3ConstFloatValue.h:
2505         * b3/B3LowerToAir.cpp:
2506         (JSC::B3::Air::LowerToAir::lower):
2507         * b3/B3Validate.cpp:
2508         * b3/air/AirInstInlines.h:
2509         (JSC::B3::Air::Inst::shouldTryAliasingDef):
2510         * b3/air/AirOpcode.opcodes:
2511         * b3/testb3.cpp:
2512         (JSC::B3::bitOrDouble):
2513         (JSC::B3::testBitOrArgDouble):
2514         (JSC::B3::testBitOrArgsDouble):
2515         (JSC::B3::testBitOrArgImmDouble):
2516         (JSC::B3::testBitOrImmsDouble):
2517         (JSC::B3::bitOrFloat):
2518         (JSC::B3::testBitOrArgFloat):
2519         (JSC::B3::testBitOrArgsFloat):
2520         (JSC::B3::testBitOrArgImmFloat):
2521         (JSC::B3::testBitOrImmsFloat):
2522         (JSC::B3::testBitOrArgsFloatWithUselessDoubleConversion):
2523         (JSC::B3::run):
2524
2525 2016-12-22  Mark Lam  <mark.lam@apple.com>
2526
2527         BytecodeGenerator::m_finallyDepth should be unsigned.
2528         https://bugs.webkit.org/show_bug.cgi?id=166438
2529
2530         Reviewed by Saam Barati.
2531
2532         Also removed FinallyContext::m_finallyDepth because it is not used.
2533
2534         * bytecompiler/BytecodeGenerator.cpp:
2535         (JSC::BytecodeGenerator::pushFinallyControlFlowScope):
2536         (JSC::BytecodeGenerator::labelScopeDepth):
2537         * bytecompiler/BytecodeGenerator.h:
2538         (JSC::FinallyContext::FinallyContext):
2539         (JSC::FinallyContext::finallyLabel):
2540         (JSC::FinallyContext::depth): Deleted.
2541
2542 2016-12-22  Mark Lam  <mark.lam@apple.com>
2543
2544         De-duplicate finally blocks.
2545         https://bugs.webkit.org/show_bug.cgi?id=160168
2546
2547         Reviewed by Saam Barati.
2548
2549         JS execution can arrive at a finally block when there are abrupt completions from
2550         its try or catch block.  The abrupt completion types include Break,
2551         Continue, Return, and Throw.  The non-abrupt completion type is called Normal
2552         (i.e. the case of a try block falling through to the finally block).
2553
2554         Previously, we enabled each of these paths for abrupt completion (except for Throw)
2555         to run the finally block code by duplicating the finally block code at each of
2556         the sites that trigger those completions.  This patch fixes the implementation so
2557         that each of these abrupt completions will set a completionTypeRegister (plus a
2558         completionValueRegister for CompletionType::Return) and then jump to the
2559         relevant finally blocks, and continue to thread through subsequent outer finally
2560         blocks until execution reaches the outermost finally block that the completion
2561         type dictates.  We no longer duplicate the finally block code.
2562
2563         The implementation details:
2564         1. We allocate a pair of registers (completionTypeRegister and completionValueRegister)
2565            just before entering the outermost try-catch-finally scope.
2566
2567            On allocating the registers, we initialize the completionTypeRegister to
2568            CompletionType::Normal, and set the completionValueRegister to the empty
2569            JSValue.
2570
2571         2. The completionTypeRegister will hold a CompletionType value.  This is how we
2572            encode the CompletionType value to be set:
2573
2574            a. For Normal, Return, and Throw completion types: 
2575               - The completionTypeRegister is set to CompletionType::Normal,
2576                 CompletionType::Return, and CompletionType::Throw respectively.
2577
2578            b. For Break and Continue completion types:
2579               - The completionTypeRegister is set to a unique jumpID where the jumpID is
2580                 computed as:
2581
2582                 jumpID = CompletionType::NumberOfTypes + bytecodeOffset
2583
2584                 The bytecodeOffset used here is the bytecodeOffset of the break or continue
2585                 statement that triggered this completion.
2586
2587         3. Each finally block will have 2 entries:
2588            a. the catch entry.
2589            b. the normal entry.
2590
2591            The catch entry is recorded in the codeBlock's exception handler table,
2592            and can only be jumped to by the VM's exception handling mechanism.
2593
2594            The normal entry is recorded in a FinallyContext (at bytecode generation time
2595            only) and is jumped to when we want to enter the finally block due to any of the
2596            other CompletionTypes.
2597
2598         4. How does each completion type work?
2599
2600            CompletionType::Normal
2601            ======================
2602            We normally encounter this when falling through from a try or catch block to
2603            the finally block.
2604
2605            For the try block case, since completionTypeRegister is set to Normal by default,
2606            there's nothing more that needs to be done.
2607
2608            For the catch block case, since we entered the catch block with an exception,
2609            completionTypeRegister may be set to Throw.  We'll need to set it to Normal
2610            before jumping to the finally block's normal entry.
2611
2612            CompletionType::Break
2613            =====================
2614            When we emit bytecode for the BreakNode, we check if we have any FinallyContexts
2615            that we need to service before jumping to the breakTarget.  If we don't, then
2616            emit op_jump to the breakTarget as usual.  Otherwise:
2617
2618            a. we'll register a jumpID and the breakTarget with the FinallyContext for the
2619               outermost finally block that we're supposed to run through.
2620            b. we'll also increment the numberOfBreaksOrContinues count in each FinallyContext
2621               from the innermost to the one for that outermost finally block.
2622            c. emit bytecode to set the completionTypeRegister to the jumpID.
2623            d. emit bytecode to jump to the normal entry of the innermost finally block.
2624
2625            Each finally block will take care of cascading to the next outer finally block
2626            as needed (see (5) below).
2627
2628            CompletionType::Continue
2629            ========================
2630            Since continues and breaks work the same way (i.e. with a jump), we handle this
2631            exactly the same way as CompletionType::Break, except that we use the
2632            continueTarget instead of the breakTarget.
2633
2634            CompletionType::Return
2635            ======================
2636            When we emit bytecode for the ReturnNode, we check if we have any FinallyContexts
2637            at all on the m_controlFlowScopeStack.  If we don't, then emit op_ret as usual.
2638            Otherwise:
2639
2640            a. emit bytecode to set the completionTypeRegister to CompletionType::Return.
2641            b. emit bytecode to move the return value into the completionValueRegister.
2642            c. emit bytecode to jump to the normal entry of the innermost finally block.
2643
2644            Each finally block will take care of cascading to the next outer finally block
2645            as needed (see (5) below).
2646
2647            CompletionType::Throw
2648            ======================
2649            At the catch entry of a finally block, we:
2650            1. emit an op_catch that stores the caught Exception object in the
2651               completionValueRegister.
2652            2. emit bytecode to set the completionTypeRegister to CompletionType::Throw.
2653            3. Fall through or jump to the finally block's normal entry.
2654
2655         5. What happens in each finally block?
2656            ==================================
2657            For details on the finally block's catch entry, see "CompletionType::Throw" in
2658            (4) above.
2659
2660            The finally block's normal entry will:
2661            1. restore the scope of the finally block.
2662            2. save the completionTypeRegister in a savedCompletionTypeRegister.
2663            3. proceed to execute the body of the finally block.
2664
2665            At the end of the finally block, we will emit bytecode to check the
2666            savedCompletionTypeRegister for each completion type (see emitFinallyCompletion())
2667            in the following order:
2668
2669            a. Check for CompletionType::Normal
2670               ================================
2671               If savedCompletionTypeRegister is CompletionType::Normal, jump to the
2672               designated normalCompletion label.  We only need this check if this finally
2673               block also needs to check for Break, Continue, or Return.  If not, the
2674               completion type check for CompletionType::Throw below will make this check
2675               redundant.
2676
2677            b. Check for CompletionType::Break and Continue
2678               ============================================
2679               If the FinallyContext for this block has registered FinallyJumps, we'll
2680               check the jumpIDs against the savedCompletionTypeRegister.  If the jumpID
2681               matches, jump to the corresponding jumpTarget.
2682
2683               If no jumpIDs match but the FinallyContext's numberOfBreaksOrContinues is
2684               greater than the number of registered FinallyJumps, then this means that
2685               we have a Break or Continue that needs to be handled by an outer finally
2686               block.  In that case, jump to the next outer finally block's normal entry.
2687              
2688            c. Check for CompletionType::Return
2689               ================================
2690               If this finally block is not the outermost and the savedCompletionTypeRegister
2691               is set to CompletionType::Return, then jump to the next outer finally
2692               block's normal entry.
2693
2694               Otherwise, if this finally block is the outermost and the savedCompletionTypeRegister
2695               is set to CompletionType::Return, then execute op_ret and return the value
2696               in the completionValueRegister.
2697
2698            d. CompletionType::Throw
2699               =====================
2700               If savedCompletionTypeRegister is CompletionType::Throw, then just re-throw the
2701               Exception object in the completionValueRegister.
2702
2703            Detail 1: note that we check the savedCompletionTypeRegister (and not the
2704            completionTypeRegister).  This is because the finally block may itself contain
2705            a try-finally, and this inner try-finally may have trashed the completionTypeRegister.
2706            Here's an example:
2707
2708                try {
2709                    return "r1"; // Sets completionTypeRegister to CompletionType::Return;
2710                } finally {
2711                    // completionTypeRegister is CompletionType::Return here.
2712
2713                    try {
2714                        ... // do stuff.
2715                    } finally {
2716                        ... // do more stuff.
2717                    }
2718
2719                    // completionTypeRegister may be anything here depending on what
2720                    // was executed in the inner try-finally block above.
2721
2722                    // Hence, finally completion here must be based on a saved copy of the
2723                    // completionTypeRegister when we entered this finally block.
2724                }
2725
2726            Detail 2: the finally completion for CompletionType::Throw must always explicitly
2727            check if the savedCompletionTypeRegister is CompletionType::Throw before throwing.
2728            We cannot imply that it is so from the Throw case being last.  Here's why:
2729
2730                // completionTypeRegister is CompletionType::Normal here.
2731                try {
2732                    return "r1"; // Sets completionTypeRegister to CompletionType::Return;
2733                } finally {
2734                    // completionTypeRegister is CompletionType::Return here.
2735
2736                    try {
2737                        ... // do stuff.  No abrupt completions.
2738                    } finally {
2739                        // completionTypeRegister is CompletionType::Return here (from the outer try-finally).
2740                        // savedCompletionTypeRegister is set to completionTypeRegister (i.e. CompletionType::Return) here.
2741
2742                        ... // do more stuff.  No abrupt completions.
2743
2744                        // Unless there's an abrupt completion since entering the outer
2745                        // finally block, the savedCompletionTypeRegister will remain set
2746                        // to CompletionType::Return.  If we don't explicitly check if the
2747                        // savedCompletionTypeRegister is CompletionType::Throw before
2748                        // throwing here, we'll end up erroneously throwing "r1".
2749                    }
2750
2751                    ...
2752                }
2753
2754         6. restoreScopeRegister()
2755        
2756            Since the needed scope objects are always stored in a local, we can restore
2757            the scope register by simply moving from that local instead of going through
2758            op_get_parent_scope.
2759
2760         7. m_controlFlowScopeStack needs to be a SegmentedVector instead of a Vector.
2761            This makes it easier to keep a pointer to the FinallyContext on that stack,
2762            and not have to worry about the vector being realloc'ed due to resizing. 
2763
2764         Performance appears to be neutral both on ES6SampleBench (run via cli) and the
2765         JSC benchmarks.
2766
2767         Relevant spec references:
2768         https://tc39.github.io/ecma262/#sec-completion-record-specification-type
2769         https://tc39.github.io/ecma262/#sec-try-statement-runtime-semantics-evaluation
2770
2771         * bytecode/HandlerInfo.h:
2772         (JSC::HandlerInfoBase::typeName):
2773         * bytecompiler/BytecodeGenerator.cpp:
2774         (JSC::BytecodeGenerator::generate):
2775         (JSC::BytecodeGenerator::BytecodeGenerator):
2776         (JSC::BytecodeGenerator::emitReturn):
2777         (JSC::BytecodeGenerator::pushFinallyControlFlowScope):
2778         (JSC::BytecodeGenerator::popFinallyControlFlowScope):
2779         (JSC::BytecodeGenerator::allocateAndEmitScope):
2780         (JSC::BytecodeGenerator::pushTry):
2781         (JSC::BytecodeGenerator::popTry):
2782         (JSC::BytecodeGenerator::emitCatch):
2783         (JSC::BytecodeGenerator::restoreScopeRegister):
2784         (JSC::BytecodeGenerator::labelScopeDepthToLexicalScopeIndex):
2785         (JSC::BytecodeGenerator::labelScopeDepth):
2786         (JSC::BytecodeGenerator::pushLocalControlFlowScope):
2787         (JSC::BytecodeGenerator::popLocalControlFlowScope):
2788         (JSC::BytecodeGenerator::emitEnumeration):
2789         (JSC::BytecodeGenerator::emitIsNumber):
2790         (JSC::BytecodeGenerator::emitYield):
2791         (JSC::BytecodeGenerator::emitDelegateYield):
2792         (JSC::BytecodeGenerator::emitJumpViaFinallyIfNeeded):
2793         (JSC::BytecodeGenerator::emitReturnViaFinallyIfNeeded):
2794         (JSC::BytecodeGenerator::emitFinallyCompletion):
2795         (JSC::BytecodeGenerator::allocateCompletionRecordRegisters):
2796         (JSC::BytecodeGenerator::releaseCompletionRecordRegisters):
2797         (JSC::BytecodeGenerator::emitJumpIf):
2798         (JSC::BytecodeGenerator::pushIteratorCloseControlFlowScope): Deleted.
2799         (JSC::BytecodeGenerator::popIteratorCloseControlFlowScope): Deleted.
2800         (JSC::BytecodeGenerator::emitComplexPopScopes): Deleted.
2801         (JSC::BytecodeGenerator::emitPopScopes): Deleted.
2802         (JSC::BytecodeGenerator::popTryAndEmitCatch): Deleted.
2803         * bytecompiler/BytecodeGenerator.h:
2804         (JSC::bytecodeOffsetToJumpID):
2805         (JSC::FinallyJump::FinallyJump):
2806         (JSC::FinallyContext::FinallyContext):
2807         (JSC::FinallyContext::outerContext):
2808         (JSC::FinallyContext::finallyLabel):
2809         (JSC::FinallyContext::depth):
2810         (JSC::FinallyContext::numberOfBreaksOrContinues):
2811         (JSC::FinallyContext::incNumberOfBreaksOrContinues):
2812         (JSC::FinallyContext::handlesReturns):
2813         (JSC::FinallyContext::setHandlesReturns):
2814         (JSC::FinallyContext::registerJump):
2815         (JSC::FinallyContext::numberOfJumps):
2816         (JSC::FinallyContext::jumps):
2817         (JSC::ControlFlowScope::ControlFlowScope):
2818         (JSC::ControlFlowScope::isLabelScope):
2819         (JSC::ControlFlowScope::isFinallyScope):
2820         (JSC::BytecodeGenerator::currentLexicalScopeIndex):
2821         (JSC::BytecodeGenerator::CompletionRecordScope::CompletionRecordScope):
2822         (JSC::BytecodeGenerator::CompletionRecordScope::~CompletionRecordScope):
2823         (JSC::BytecodeGenerator::completionTypeRegister):
2824         (JSC::BytecodeGenerator::completionValueRegister):
2825         (JSC::BytecodeGenerator::emitSetCompletionType):
2826         (JSC::BytecodeGenerator::emitSetCompletionValue):
2827         (JSC::BytecodeGenerator::isInFinallyBlock): Deleted.
2828         * bytecompiler/NodesCodegen.cpp:
2829         (JSC::ContinueNode::emitBytecode):
2830         (JSC::BreakNode::emitBytecode):
2831         (JSC::ReturnNode::emitBytecode):
2832         (JSC::TryNode::emitBytecode):
2833
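As an added model (not JavaScriptCore code) of the finally-completion procedure the entry above describes: the jumpID encoding of step 2b, the checks a-d of step 5, and the two "Detail" notes. FinallyContext fields follow the ChangeLog's names, and check c is gated on the context's handlesReturns flag, which the entry's function list names; Action and runFinallyBlock are this example's own constructs, and the bytecode offsets and labels are constructed.

```cpp
// Added example, not JavaScriptCore code: a model of the finally-completion logic
// described above. Action and runFinallyBlock are this example's own constructs.
#include <functional>
#include <iostream>
#include <string>
#include <vector>

enum CompletionType : unsigned { Normal = 0, Break, Continue, Return, Throw, NumberOfTypes };

// Step 2b: a break or continue is encoded as a jumpID that cannot collide with the
// fixed CompletionType values.
unsigned bytecodeOffsetToJumpID(unsigned bytecodeOffset) { return NumberOfTypes + bytecodeOffset; }
bool isJumpID(unsigned completionType) { return completionType >= NumberOfTypes; }

struct FinallyJump { unsigned jumpID; std::string targetLabel; };

struct FinallyContext {
    const FinallyContext* outerContext = nullptr;
    std::vector<FinallyJump> jumps;         // jumps whose outermost finally block is this one
    unsigned numberOfBreaksOrContinues = 0; // also counts jumps that merely pass through
    bool handlesReturns = false;
};

// What the bytecode emitted at the end of a finally block does next (step 5).
struct Action {
    enum Kind { ContinueNormally, JumpToTarget, JumpToOuterFinally, ReturnCompletionValue, Rethrow } kind;
    std::string target; // only for JumpToTarget
};

Action finallyCompletion(const FinallyContext& context, unsigned savedCompletionType)
{
    // a. Normal completion: run the code after the finally block.
    if (savedCompletionType == Normal)
        return { Action::ContinueNormally, "" };
    // b. Break/Continue: a jumpID registered here ends its journey at this block ...
    for (const FinallyJump& jump : context.jumps) {
        if (jump.jumpID == savedCompletionType)
            return { Action::JumpToTarget, jump.targetLabel };
    }
    // ... while one that was only counted here belongs to an outer finally block.
    if (isJumpID(savedCompletionType) && context.numberOfBreaksOrContinues > context.jumps.size()
        && context.outerContext)
        return { Action::JumpToOuterFinally, "" };
    // c. Return: thread through every enclosing finally block, then op_ret from the outermost.
    if (savedCompletionType == Return && context.handlesReturns) {
        if (context.outerContext)
            return { Action::JumpToOuterFinally, "" };
        return { Action::ReturnCompletionValue, "" };
    }
    // d. Throw: the check is explicit (Detail 2). A finally block nested inside another
    //    finally block can reach this point with a stale Return from the enclosing block
    //    and must not re-throw the completion value in that case.
    if (savedCompletionType == Throw)
        return { Action::Rethrow, "" };
    return { Action::ContinueNormally, "" };
}

// Step 5's normal entry: the completion type is saved before the body runs (Detail 1),
// because a try-finally inside the body shares, and may rewrite, completionTypeRegister.
Action runFinallyBlock(const FinallyContext& context, unsigned& completionTypeRegister,
                       const std::function<void(unsigned&)>& body)
{
    unsigned savedCompletionType = completionTypeRegister;
    body(completionTypeRegister);
    return finallyCompletion(context, savedCompletionType);
}

int main()
{
    // Shape of Detail 2: try { return "r1"; } finally { try { ... } finally { ... } }
    FinallyContext outer { nullptr, {}, 0, true };
    FinallyContext inner { nullptr, {}, 0, false }; // nothing abrupt passes through the inner block
    unsigned completionTypeRegister = Return;       // set by the return statement
    Action innerAction { Action::ContinueNormally, "" };
    Action outerAction = runFinallyBlock(outer, completionTypeRegister, [&](unsigned& reg) {
        innerAction = runFinallyBlock(inner, reg, [](unsigned&) { /* no abrupt completions */ });
    });
    std::cout << "inner finally action: " << innerAction.kind   // 0: continue normally, not re-throw
              << ", outer finally action: " << outerAction.kind // 3: op_ret with "r1"
              << '\n';
    return 0;
}
```
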
2834 2016-12-22  Saam Barati  <sbarati@apple.com>
2835
2836         WebAssembly: Make the spec-tests/address.wast.js test pass
2837         https://bugs.webkit.org/show_bug.cgi?id=166429
2838         <rdar://problem/29793220>
2839
2840         Reviewed by Keith Miller.
2841
2842         Right now, provably out of bound loads/stores (given a load/store's constant
2843         offset) are not a validation error. However, we were failing to catch uint32_t
2844         overflows in release builds (we did have a debug assertion). To fix this,
2845         I now detect when uint32_t addition will overflow, and instead of emitting
2846         a normal load/store, I emit code that throws an out of bounds memory exception.
2847
2848         * wasm/WasmB3IRGenerator.cpp:
2849
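As an added illustration (not JavaScriptCore code) of the overflow-aware address handling the entry above describes. The entry does not say which uint32_t addition is checked; this example assumes the compile-time check is on the constant offset plus the access size (an overflow there is out of bounds for every base) and that the run-time bounds check forms the effective address in 64 bits. Function names and inputs are constructed.

```cpp
// Added example, not JavaScriptCore code: overflow-aware wasm memory access checks.
// Assumes the compile-time check is on constantOffset + accessSize and that the run-time
// check forms base + constantOffset in 64 bits; all names and inputs are constructed.
#include <cstdint>
#include <iostream>

enum class AccessPlan { EmitLoadOrStore, EmitOutOfBoundsTrap };

// Compile-time decision: if the constant offset plus the access width already overflows
// uint32_t, no base can make the access valid, so a trap is emitted instead of a load/store.
AccessPlan planMemoryAccess(uint32_t constantOffset, uint32_t accessSize)
{
    // Tested by subtraction so the addition itself never wraps.
    if (accessSize > UINT32_MAX - constantOffset)
        return AccessPlan::EmitOutOfBoundsTrap;
    return AccessPlan::EmitLoadOrStore;
}

enum class AccessResult { Ok, OutOfBoundsMemoryAccess };

struct MemoryAccess {
    AccessResult result;
    uint64_t effectiveAddress;
};

// Run-time check for an emitted load/store against the current linear memory size.
MemoryAccess checkMemoryAccess(uint32_t base, uint32_t constantOffset, uint32_t accessSize, uint64_t memorySizeInBytes)
{
    uint64_t effectiveAddress = uint64_t(base) + constantOffset; // cannot wrap in 64 bits
    if (effectiveAddress + accessSize > memorySizeInBytes)
        return { AccessResult::OutOfBoundsMemoryAccess, effectiveAddress };
    return { AccessResult::Ok, effectiveAddress };
}

// The unchecked form: the 32-bit sum wraps, so a large base can land on a small,
// in-bounds address that a bounds check on the wrapped value would accept.
uint32_t wrappingEffectiveAddress(uint32_t base, uint32_t constantOffset)
{
    return base + constantOffset;
}

int main()
{
    const uint64_t memorySize = 65536; // one wasm page, constructed
    std::cout << "offset 0xFFFFFFFC size 4 plan: "
              << (planMemoryAccess(0xFFFFFFFCu, 4) == AccessPlan::EmitOutOfBoundsTrap ? "trap" : "load") << '\n';
    std::cout << "wrapped address for base 0xFFFFFFF0 offset 0x20: 0x" << std::hex
              << wrappingEffectiveAddress(0xFFFFFFF0u, 0x20u) << std::dec << '\n';
    std::cout << "checked access for the same operands out of bounds: "
              << (checkMemoryAccess(0xFFFFFFF0u, 0x20u, 4, memorySize).result == AccessResult::OutOfBoundsMemoryAccess)
              << '\n';
    return 0;
}
```
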
2850 2016-12-22  Keith Miller  <keith_miller@apple.com>
2851
2852         WebAssembly: The validator should not allow unused stack entries at the end of a block
2853         https://bugs.webkit.org/show_bug.cgi?id=166411
2854
2855         Reviewed by Saam Barati.
2856
2857         This patch also cleans up some of the verbose mode logging.
2858
2859         * wasm/WasmB3IRGenerator.cpp:
2860         (JSC::Wasm::dumpExpressionStack):
2861         (JSC::Wasm::B3IRGenerator::dump):
2862         * wasm/WasmFunctionParser.h:
2863         * wasm/WasmValidate.cpp:
2864         (JSC::Wasm::dumpExpressionStack):
2865         (JSC::Wasm::Validate::dump):
2866
2867 2016-12-22  Saam Barati  <sbarati@apple.com>
2868
2869         WebAssembly: Make the spec-tests/start.wast.js test pass
2870         https://bugs.webkit.org/show_bug.cgi?id=166416
2871         <rdar://problem/29784532>
2872
2873         Reviewed by Yusuke Suzuki.
2874
2875         To make the test run, I had to fix two bugs:
2876         
2877         1. We weren't properly finding the start function. There was code
2878         that would try to find the start function from the list of *exported*
2879         functions. This is wrong; the start function is an index into the
2880         function index space, which is the space for *imports* and *local*
2881         functions. So the code was just wrong in this respect, and I've
2882         fixed it to do the right thing. We weren't sure if this was originally
2883         allowed or not in the spec, but it has been decided that it is allowed
2884         and the spec-tests test for it: https://github.com/WebAssembly/design/issues/896
2885         
2886         2. We were emitting a breakpoint for Unreachable. Instead of crashing,
2887         this opcode needs to throw an exception when executing.
2888
2889         * wasm/WasmB3IRGenerator.cpp:
2890         * wasm/WasmExceptionType.h:
2891         * wasm/js/WebAssemblyModuleRecord.cpp:
2892         (JSC::WebAssemblyModuleRecord::link):
2893         (JSC::WebAssemblyModuleRecord::evaluate):
2894         * wasm/js/WebAssemblyModuleRecord.h:
2895
2896 2016-12-21  Keith Miller  <keith_miller@apple.com>
2897
2898         WebAssembly: Fix decode floating point constants in unreachable code
2899         https://bugs.webkit.org/show_bug.cgi?id=166400
2900
2901         Reviewed by Saam Barati.
2902
2903         We decoded these as variable length but they should be fixed length.
2904
2905         * wasm/WasmFunctionParser.h:
2906
2907 2016-12-21  Keith Miller  <keith_miller@apple.com>
2908
2909         WebAssembly: Allow br, br_if, and br_table to act as a return
2910         https://bugs.webkit.org/show_bug.cgi?id=166393
2911
2912         Reviewed by Saam Barati.
2913
2914         This patch allows br, br_if, and br_table to treat branching to
2915         the size of the control stack to act as a return. This change was
2916         made by adding a new block type to the wasm function parser,
2917         TopLevel. Adding this new block eliminates a lot of the special
2918         case code we had in the parser previously. The only special case
2919         we need is when the end opcode is parsed from the top level.  The
2920         B3 IR generator needs to automatically emit a return at that
2921         point.
2922
2923         Also, this patch adds the function number to validation errors
2924         in the function parser. The current error message is not helpful
2925         otherwise.
2926
2927         * wasm/WasmB3IRGenerator.cpp:
2928         (JSC::Wasm::B3IRGenerator::ControlData::dump):
2929         (JSC::Wasm::B3IRGenerator::addTopLevel):
2930         * wasm/WasmFunctionParser.h:
2931         * wasm/WasmPlan.cpp:
2932         (JSC::Wasm::Plan::parseAndValidateModule):
2933         (JSC::Wasm::Plan::run):
2934         * wasm/WasmValidate.cpp:
2935         (JSC::Wasm::Validate::ControlData::dump):
2936         (JSC::Wasm::Validate::Validate):
2937         (JSC::Wasm::Validate::addTopLevel):
2938         (JSC::Wasm::validateFunction):
2939
2940 2016-12-21  JF Bastien  <jfbastien@apple.com>
2941
2942         WebAssembly JS API: cleanup & pass VM around to {Compile/Runtime}Error
2943         https://bugs.webkit.org/show_bug.cgi?id=166295
2944         <rdar://problem/29762017>
2945
2946         Reviewed by Mark Lam.
2947
2948         Rename the create* functions, and pass VM around, as suggested for
2949         LinkError in #165805.
2950
2951         At the same time, use the default source appender when
2952         constructing these error types, which gives a nice map back to the
2953         original source as part of the error message. This is clearer when
2954         using the current frame, so add that as well.
2955
2956         * jit/ThunkGenerators.cpp:
2957         (JSC::throwExceptionFromWasmThunkGenerator):
2958         * wasm/js/JSWebAssemblyCompileError.cpp:
2959         (JSC::JSWebAssemblyCompileError::create):
2960         (JSC::createJSWebAssemblyCompileError):
2961         (JSC::createWebAssemblyCompileError): Deleted.
2962         * wasm/js/JSWebAssemblyCompileError.h:
2963         (JSC::JSWebAssemblyCompileError::create):
2964         * wasm/js/JSWebAssemblyRuntimeError.cpp:
2965         (JSC::JSWebAssemblyRuntimeError::create):
2966         * wasm/js/JSWebAssemblyRuntimeError.h:
2967         (JSC::JSWebAssemblyRuntimeError::create):
2968         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
2969         (JSC::constructJSWebAssemblyCompileError):
2970         * wasm/js/WebAssemblyModuleConstructor.cpp:
2971         (JSC::WebAssemblyModuleConstructor::createModule):
2972         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
2973         (JSC::constructJSWebAssemblyRuntimeError):
2974
2975 2016-12-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2976
2977         [ES6] Fix modules document in features.json
2978         https://bugs.webkit.org/show_bug.cgi?id=166313
2979
2980         Reviewed by Saam Barati.
2981
2982         * features.json:
2983
2984 2016-12-20  Taras Tsugrii  <ttsugrii@fb.com>
2985
2986         Fix undefined behavior caused by macro expansion producing 'defined'
2987         https://bugs.webkit.org/show_bug.cgi?id=166047
2988
2989         Reviewed by Darin Adler.
2990
2991         * API/JSBase.h:
2992
2993 2016-12-20  Keith Miller  <keith_miller@apple.com>
2994
2995         Add support for global
2996         https://bugs.webkit.org/show_bug.cgi?id=165171
2997
2998         Reviewed by Filip Pizlo.
2999
3000         This patch adds support for the global property on the global object.
3001         The global property spec is in stage three and is quite simple.
3002         For reference: http://tc39.github.io/proposal-global/
3003
3004         * runtime/JSGlobalObject.cpp:
3005
3006 2016-12-20  Saam Barati  <sbarati@apple.com>
3007
3008         WebAssembly: We should compile wasm functions in parallel
3009         https://bugs.webkit.org/show_bug.cgi?id=165993
3010
3011         Reviewed by Keith Miller.
3012
3013         This patch adds a very simple parallel compiler for Wasm code.
3014         This patch speeds up compiling the Unity headless benchmark by
3015         slightly more than 4x on my MBP. To make this safe, I perform
3016         all linking on the main thread. I also had to change some code
3017         inside WasmB3IRGenerator to be thread safe.
3018
3019         * b3/air/AirCustom.h:
3020         (JSC::B3::Air::WasmBoundsCheckCustom::generate):
3021         * b3/air/AirGenerationContext.h:
3022         * wasm/WasmB3IRGenerator.cpp:
3023         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3024         (JSC::Wasm::B3IRGenerator::emitExceptionCheck):
3025         (JSC::Wasm::createJSToWasmWrapper):
3026         (JSC::Wasm::parseAndCompile):
3027         * wasm/WasmB3IRGenerator.h:
3028         * wasm/WasmCallingConvention.h:
3029         (JSC::Wasm::CallingConvention::setupFrameInPrologue):
3030         * wasm/WasmPlan.cpp:
3031         (JSC::Wasm::Plan::parseAndValidateModule):
3032         (JSC::Wasm::Plan::run):
3033         * wasm/WasmPlan.h:
3034
3035 2016-12-20  Brent Fulgham  <bfulgham@apple.com>
3036
3037         Address some style problems found by static analysis
3038         https://bugs.webkit.org/show_bug.cgi?id=165975
3039
3040         Reviewed by Alex Christensen.
3041
3042         Correct the const-correctness of functions that are implemented using stricter
3043         const declarations.
3044
3045         * inspector/agents/InspectorDebuggerAgent.h:
3046         * inspector/agents/InspectorHeapAgent.cpp:
3047         * inspector/agents/InspectorHeapAgent.h:
3048         * inspector/agents/InspectorRuntimeAgent.h:
3049         * inspector/agents/InspectorScriptProfilerAgent.cpp:
3050         * inspector/agents/InspectorScriptProfilerAgent.h:
3051         * inspector/scripts/codegen/cpp_generator.py:
3052         (cpp_type_for_unchecked_formal_in_parameter): Update to match const declarations of
3053         implementation files.
3054         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
3055         Rebaselined results for "const Ptr* const" syntax.
3056
3057 2016-12-20  JF Bastien  <jfbastien@apple.com>
3058
3059         WebAssembly: construct 32-bit encodedJSValue properly
3060         https://bugs.webkit.org/show_bug.cgi?id=166199
3061
3062         Reviewed by Mark Lam.
3063
3064         Constructing an encodedJSValue using `{ }` yields the wrong value
3065         on 32-bit platforms. WebAssembly doesn't currently target 32-bit
3066         platforms, but we may as well get it right.
3067
3068         * wasm/JSWebAssembly.cpp:
3069         (JSC::webAssemblyCompileFunc):
3070         (JSC::webAssemblyValidateFunc):
3071         * wasm/js/JSWebAssemblyHelpers.h:
3072         (JSC::toNonWrappingUint32):
3073         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
3074         (JSC::constructJSWebAssemblyCompileError):
3075         * wasm/js/WebAssemblyFunction.cpp:
3076         (JSC::callWebAssemblyFunction):
3077         * wasm/js/WebAssemblyInstanceConstructor.cpp:
3078         (JSC::constructJSWebAssemblyInstance):
3079         * wasm/js/WebAssemblyMemoryConstructor.cpp:
3080         (JSC::constructJSWebAssemblyMemory):
3081         * wasm/js/WebAssemblyModuleConstructor.cpp:
3082         (JSC::constructJSWebAssemblyModule):
3083         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
3084         (JSC::constructJSWebAssemblyRuntimeError):
3085         * wasm/js/WebAssemblyTableConstructor.cpp:
3086         (JSC::constructJSWebAssemblyTable):
3087         * wasm/js/WebAssemblyTablePrototype.cpp:
3088         (JSC::webAssemblyTableProtoFuncLength):
3089         (JSC::webAssemblyTableProtoFuncGrow):
3090         (JSC::webAssemblyTableProtoFuncGet):
3091         (JSC::webAssemblyTableProtoFuncSet):
3092
3093 2016-12-20  Dean Jackson  <dino@apple.com>
3094
3095         Remove INDIE_UI
3096         https://bugs.webkit.org/show_bug.cgi?id=165881
3097         <rdar://problem/29672532>
3098
3099         Reviewed by Simon Fraser.
3100
3101         The Indie UI work has been discontinued.
3102
3103         * Configurations/FeatureDefines.xcconfig:
3104
3105 2016-12-20  JF Bastien  <jfbastien@apple.com>
3106
3107         WebAssembly API: implement WebAssembly.LinkError
3108         https://bugs.webkit.org/show_bug.cgi?id=165805
3109         <rdar://problem/29747874>
3110
3111         Reviewed by Mark Lam.
3112
3113         As described here: https://github.com/WebAssembly/design/pull/901
3114         Some TypeErrors and RangeErrors are now converted to WebAssembly.LinkError.
3115
3116         * CMakeLists.txt: add files
3117         * DerivedSources.make: add autogenerated .lut.h files
3118         * JavaScriptCore.xcodeproj/project.pbxproj: add files
3119         * builtins/BuiltinNames.h: new name LinkError
3120         * runtime/JSGlobalObject.h: auto-register LinkError using existing macro magic
3121         * wasm/JSWebAssembly.h: make the new includes available
3122         * wasm/js/JSWebAssemblyLinkError.cpp: Copied from Source/JavaScriptCore/wasm/JSWebAssemblyCompileError.cpp.
3123         (JSC::JSWebAssemblyLinkError::create):
3124         (JSC::JSWebAssemblyLinkError::JSWebAssemblyLinkError):
3125         (JSC::createWebAssemblyLinkError):
3126         * wasm/js/JSWebAssemblyLinkError.h: Copied from Source/JavaScriptCore/wasm/JSWebAssemblyCompileError.h.
3127         (JSC::JSWebAssemblyLinkError::create):
3128         * wasm/js/WebAssemblyInstanceConstructor.cpp: update as per spec change
3129         (JSC::constructJSWebAssemblyInstance):
3130         * wasm/js/WebAssemblyLinkErrorConstructor.cpp: Copied from Source/JavaScriptCore/wasm/WebAssemblyCompileErrorConstructor.cpp.
3131         (JSC::constructJSWebAssemblyLinkError):
3132         (JSC::callJSWebAssemblyLinkError):
3133         (JSC::WebAssemblyLinkErrorConstructor::create):
3134         (JSC::WebAssemblyLinkErrorConstructor::createStructure):
3135         (JSC::WebAssemblyLinkErrorConstructor::finishCreation):
3136         (JSC::WebAssemblyLinkErrorConstructor::WebAssemblyLinkErrorConstructor):
3137         (JSC::WebAssemblyLinkErrorConstructor::getConstructData):
3138         (JSC::WebAssemblyLinkErrorConstructor::getCallData):
3139         * wasm/js/WebAssemblyLinkErrorConstructor.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyCompileErrorConstructor.h.
3140         * wasm/js/WebAssemblyLinkErrorPrototype.cpp: Copied from Source/JavaScriptCore/wasm/WebAssemblyCompileErrorPrototype.cpp.
3141         (JSC::WebAssemblyLinkErrorPrototype::create):
3142         (JSC::WebAssemblyLinkErrorPrototype::createStructure):
3143         (JSC::WebAssemblyLinkErrorPrototype::finishCreation):
3144         (JSC::WebAssemblyLinkErrorPrototype::WebAssemblyLinkErrorPrototype):
3145         * wasm/js/WebAssemblyLinkErrorPrototype.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyCompileErrorPrototype.h.
3146         * wasm/js/WebAssemblyModuleRecord.cpp: update as per spec change
3147         (JSC::dataSegmentFail):
3148         (JSC::WebAssemblyModuleRecord::evaluate):
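
Added example, not WebKit code: a Node.js script that exercises the import-checking behaviour the entry above describes, against the current WebAssembly JS API. The module bytes are hand-assembled and constructed here for the example; the expected error classes follow the JS API spec as implemented by current engines (a missing import-module namespace is a TypeError, an import that is present but not callable is a LinkError).

```javascript
// Added example (not WebKit code): a hand-assembled wasm module, constructed
// here, that declares a single function import "m"."f" of type () -> ().
const IMPORTING_MODULE = Uint8Array.from([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,       // magic, version 1
  0x01, 0x04, 0x01, 0x60, 0x00, 0x00,                   // type section: one type () -> ()
  0x02, 0x07, 0x01, 0x01, 0x6d, 0x01, 0x66, 0x00, 0x00, // import section: "m"."f" is func type 0
]);

// Instantiate with the given import object and report the outcome as the
// name of the error class thrown, or "ok" when linking succeeded.
function instantiateWith(imports) {
  const mod = new WebAssembly.Module(IMPORTING_MODULE);
  try {
    new WebAssembly.Instance(mod, imports);
    return "ok";
  } catch (e) {
    return e.constructor.name;
  }
}

// Walk the link-time checks in the order the JS API performs them:
//   {}                -> TypeError  (import module namespace "m" is not an object)
//   { m: {} }         -> LinkError  (function import "f" is not callable)
//   { m: { f: 1 } }   -> LinkError  (present but not callable)
//   { m: { f() {} } } -> ok
function linkOutcomes() {
  return {
    missingNamespace: instantiateWith({}),
    missingField: instantiateWith({ m: {} }),
    nonCallable: instantiateWith({ m: { f: 1 } }),
    valid: instantiateWith({ m: { f() {} } }),
  };
}
```

Distinguishing the two error classes matters when an embedder wraps instantiation: a TypeError means the host handed over a malformed import object, while a LinkError means the object was well-formed but does not satisfy the module's import contract, so only the latter is a property of the untrusted module.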
3149
3150 2016-12-20  JF Bastien  <jfbastien@apple.com>
3151
3152         WebAssembly: unique function signatures
3153         https://bugs.webkit.org/show_bug.cgi?id=165957
3154         <rdar://problem/29735737>
3155
3156         Reviewed by Saam Barati.
3157
3158         Signatures in a Module's Type section can be duplicated; we
3159         therefore need to unique them so that call_indirect only needs to
3160         do a single integer compare to check that a callee's Signature is
3161         the same as the Signature declared at the call site. Without
3162         uniquing we'd either trap when duplicate Signatures are used, or
3163         we'd need to do multiple comparisons. This patch makes that narrow
3164         use case function correctly.
3165
3166         There's further complication when calling from wasm to
3167         wasm, in which case the Signatures must also match. Such
3168         cross-instance calls will be improved in bug #165282, but this
3169         patch sets the groundwork for it:
3170
3171         - Signatures are now owned by SignatureInformation which lives on
3172           VM, and is shared by all Modules.
3173         - When parsing a Module, a Signature is created for every Type
3174           entry, and then uniqued by SignatureInformation's adopt
3175           method. Duplicate Signatures are dropped and the previous
3176           SignatureIndex is returned, new Signatures are adopted and a new
3177           SignatureIndex is created.
3178         - The SignatureIndex values are monotonic. 0 is used to represent
3179           invalid indices, which trap. This can only occur through Table.
3180         - SignatureInformation is used while generating code to map a
3181           SignatureIndex back to the Signature* when return / argument
3182           information is needed. This is a simple lookup into a Vector. It
3183           isn't used at runtime.
3184         - These Signatures live forever on VM because the bookkeeping
3185           likely isn't worth it. We may want to empty things out if all
3186           Modules die, this is tracked in bug #166037.
3187         - We can further improve things by bit-packing SignatureIndex with
3188           Code*, which is tracked by bug #165511.
3189
3190         * CMakeLists.txt:
3191         * JavaScriptCore.xcodeproj/project.pbxproj:
3192         * runtime/VM.h: wasm signatures are uniqued here, but aren't accessed frequently (only during parsing) so indirection is fine
3193         * wasm/WasmB3IRGenerator.cpp: use SignatureIndex instead of Signature* when appropriate, and when still using Signature* do so with its new API
3194         (JSC::Wasm::createJSToWasmWrapper):
3195         (JSC::Wasm::parseAndCompile):
3196         * wasm/WasmBinding.cpp:
3197         (JSC::Wasm::importStubGenerator): use SignatureIndex
3198         * wasm/WasmBinding.h:
3199         * wasm/WasmCallingConvention.h:
3200         (JSC::Wasm::CallingConvention::loadArguments):
3201         * wasm/WasmFormat.cpp: drive-by move of alloc/free functions to the implementation file, allows the .h file to drop an FastMalloc.h
3202         (JSC::Wasm::Segment::create):
3203         (JSC::Wasm::Segment::destroy):
3204         (JSC::Wasm::Segment::createPtr):
3205         * wasm/WasmFormat.h: move Signature to its own file
3206         (JSC::Wasm::CallableFunction::CallableFunction):
3207         * wasm/WasmFunctionParser.h:
3208         (JSC::Wasm::FunctionParser<Context>::FunctionParser):
3209         * wasm/WasmModuleParser.cpp:
3210         * wasm/WasmModuleParser.h:
3211         (JSC::Wasm::ModuleParser::ModuleParser):
3212         * wasm/WasmParser.h:
3213         (JSC::Wasm::Parser<SuccessType>::Parser):
3214         * wasm/WasmPlan.cpp:
3215         (JSC::Wasm::Plan::parseAndValidateModule):
3216         (JSC::Wasm::Plan::run):
3217         * wasm/WasmSignature.cpp: Added.
3218         (JSC::Wasm::Signature::dump):
3219         (JSC::Wasm::Signature::hash):
3220         (JSC::Wasm::Signature::create):
3221         (JSC::Wasm::Signature::createInvalid):
3222         (JSC::Wasm::Signature::destroy):
3223         (JSC::Wasm::SignatureInformation::~SignatureInformation):
3224         (JSC::Wasm::SignatureInformation::adopt):
3225         (JSC::Wasm::SignatureInformation::get):
3226         * wasm/WasmSignature.h: Added.
3227         (JSC::Wasm::Signature::Signature):
3228         (JSC::Wasm::Signature::storage):
3229         (JSC::Wasm::Signature::allocatedSize):
3230         (JSC::Wasm::Signature::returnType):
3231         (JSC::Wasm::Signature::returnCount):
3232         (JSC::Wasm::Signature::argumentCount):
3233         (JSC::Wasm::Signature::argument):
3234         (JSC::Wasm::Signature::operator==):
3235         (JSC::Wasm::SignatureHash::empty):
3236         (JSC::Wasm::SignatureHash::deleted):
3237         (JSC::Wasm::SignatureHash::SignatureHash):
3238         (JSC::Wasm::SignatureHash::operator==):
3239         (JSC::Wasm::SignatureHash::equal):
3240         (JSC::Wasm::SignatureHash::hash):
3241         (JSC::Wasm::SignatureHash::isHashTableDeletedValue):
3242         * wasm/WasmValidate.cpp:
3243         (JSC::Wasm::validateFunction):
3244         * wasm/WasmValidate.h:
3245         * wasm/js/JSWebAssemblyInstance.cpp:
3246         (JSC::JSWebAssemblyInstance::create):
3247         * wasm/js/JSWebAssemblyModule.h:
3248         (JSC::JSWebAssemblyModule::signatureForFunctionIndexSpace):
3249         * wasm/js/JSWebAssemblyTable.cpp:
3250         (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
3251         (JSC::JSWebAssemblyTable::clearFunction):
3252         (JSC::JSWebAssemblyTable::setFunction):
3253         * wasm/js/WebAssemblyFunction.cpp:
3254         (JSC::callWebAssemblyFunction):
3255         (JSC::WebAssemblyFunction::call):
3256         (JSC::WebAssemblyFunction::create):
3257         (JSC::WebAssemblyFunction::WebAssemblyFunction):
3258         (JSC::WebAssemblyFunction::finishCreation):
3259         * wasm/js/WebAssemblyFunction.h:
3260         (JSC::WebAssemblyFunction::signatureIndex):
3261         * wasm/js/WebAssemblyModuleRecord.cpp:
3262         (JSC::WebAssemblyModuleRecord::link):
3263         (JSC::WebAssemblyModuleRecord::evaluate):
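
Added example, not WebKit code: a Node.js script that shows, from the JS side, the guarantee the entry above is about. The module bytes are hand-assembled and constructed here; the Type section deliberately holds two structurally identical signatures, and the exported function performs a call_indirect whose declared type index (0) differs from the callee's declared type index (1). That call must succeed, because the check compares uniqued signatures rather than raw type indices, while a real signature mismatch and an out-of-range table index must both trap with WebAssembly.RuntimeError.

```javascript
// Added example (not WebKit code): a hand-assembled wasm module, constructed
// here, whose Type section contains a duplicate signature.
//   type 0: () -> i32        type 1: () -> i32   (structurally equal to type 0)
//   type 2: (i32) -> i32
//   func 0 (type 1): returns 42
//   func 1 (type 2): returns its argument
//   func 2 (type 2), exported as "call": call_indirect through type 0, with the
//                    table index taken from its argument
//   table: 2 funcref slots, initialised to [func 0, func 1]
const DUPLICATE_SIGNATURE_MODULE = Uint8Array.from([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,             // magic, version 1
  0x01, 0x0e, 0x03, 0x60, 0x00, 0x01, 0x7f,                   // type section: 3 entries
              0x60, 0x00, 0x01, 0x7f,
              0x60, 0x01, 0x7f, 0x01, 0x7f,
  0x03, 0x04, 0x03, 0x01, 0x02, 0x02,                         // function section: types 1, 2, 2
  0x04, 0x04, 0x01, 0x70, 0x00, 0x02,                         // table section: funcref, min 2
  0x07, 0x08, 0x01, 0x04, 0x63, 0x61, 0x6c, 0x6c, 0x00, 0x02, // export "call" = func 2
  0x09, 0x08, 0x01, 0x00, 0x41, 0x00, 0x0b, 0x02, 0x00, 0x01, // elem: table[0..1] = func 0, func 1
  0x0a, 0x13, 0x03,                                           // code section: 3 bodies
              0x04, 0x00, 0x41, 0x2a, 0x0b,                   //   i32.const 42; end
              0x04, 0x00, 0x20, 0x00, 0x0b,                   //   local.get 0; end
              0x07, 0x00, 0x20, 0x00, 0x11, 0x00, 0x00, 0x0b, //   local.get 0; call_indirect (type 0); end
]);

function exportedCall() {
  const mod = new WebAssembly.Module(DUPLICATE_SIGNATURE_MODULE);
  return new WebAssembly.Instance(mod, {}).exports.call;
}

// Perform one indirect call through the table and classify the outcome so the
// three cases (match via duplicate type, real mismatch, out of range) can be compared.
function indirectCall(index) {
  const call = exportedCall();
  try {
    return { ok: true, value: call(index) };
  } catch (e) {
    return { ok: false, error: e.constructor.name, runtimeError: e instanceof WebAssembly.RuntimeError };
  }
}
```

The three calls to make are call(0), which returns 42 even though the callee was declared with type 1 and the call site with type 0; call(1), which traps because the callee takes an i32 parameter the call site does not supply; and call(2), which traps because the table has only two slots. An engine that compared raw type indices instead of uniqued signatures would wrongly trap on the first case; an engine that skipped the check would let the second case run with a missing argument.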
3264
3265 2016-12-20  Konstantin Tokarev  <annulen@yandex.ru>
3266
3267         Modernize for loops in JSC
3268         https://bugs.webkit.org/show_bug.cgi?id=166060
3269
3270         Reviewed by Yusuke Suzuki.
3271
3272         * API/JSCallbackObject.h:
3273         (JSC::JSCallbackObjectData::JSPrivatePropertyMap::visitChildren):
3274         * bytecode/CodeBlock.cpp:
3275         (JSC::CodeBlock::dumpBytecode):
3276         (JSC::CodeBlock::propagateTransitions):
3277         (JSC::CodeBlock::stronglyVisitStrongReferences):
3278         (JSC::CodeBlock::stronglyVisitWeakReferences):
3279         (JSC::CodeBlock::jettison):
3280         (JSC::CodeBlock::getArrayProfile):
3281         (JSC::CodeBlock::tallyFrequentExitSites):
3282         (JSC::CodeBlock::nameForRegister):
3283         * bytecompiler/BytecodeGenerator.cpp:
3284         (JSC::BytecodeGenerator::generate):
3285         (JSC::BytecodeGenerator::BytecodeGenerator):
3286         * bytecompiler/NodesCodegen.cpp:
3287         (JSC::ObjectPatternNode::bindValue):
3288         * debugger/Debugger.cpp:
3289         (JSC::Debugger::applyBreakpoints):
3290         * dfg/DFGCPSRethreadingPhase.cpp:
3291         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
3292         * dfg/DFGClobberSet.cpp:
3293         (JSC::DFG::ClobberSet::setOf):
3294         * dfg/DFGDesiredIdentifiers.cpp:
3295         (JSC::DFG::DesiredIdentifiers::reallyAdd):
3296         * dfg/DFGGraph.cpp:
3297         (JSC::DFG::Graph::visitChildren):
3298         * dfg/DFGIntegerCheckCombiningPhase.cpp:
3299         (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
3300         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
3301         * dfg/DFGJITCompiler.cpp:
3302         (JSC::DFG::JITCompiler::link):
3303         * dfg/DFGLICMPhase.cpp:
3304         (JSC::DFG::LICMPhase::run):
3305         * dfg/DFGMaximalFlushInsertionPhase.cpp:
3306         (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
3307         * dfg/DFGPutStackSinkingPhase.cpp:
3308         * dfg/DFGSpeculativeJIT.cpp:
3309         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
3310         (JSC::DFG::SpeculativeJIT::linkBranches):
3311         * dfg/DFGStructureRegistrationPhase.cpp:
3312         (JSC::DFG::StructureRegistrationPhase::run):
3313         * dfg/DFGTypeCheckHoistingPhase.cpp:
3314         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
3315         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
3316         * dfg/DFGValidate.cpp:
3317         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
3318         (JSC::DFG::VirtualRegisterAllocationPhase::run):
3319         * heap/HeapVerifier.cpp:
3320         (JSC::trimDeadObjectsFromList):
3321         (JSC::HeapVerifier::trimDeadObjects):
3322         * heap/LiveObjectList.cpp:
3323         (JSC::LiveObjectList::findObject):
3324         * heap/MarkedAllocator.cpp:
3325         (JSC::MarkedAllocator::isPagedOut):
3326         * inspector/ScriptCallStack.cpp:
3327         (Inspector::ScriptCallStack::firstNonNativeCallFrame):
3328         * jit/JIT.cpp:
3329         (JSC::JIT::link):
3330         * parser/VariableEnvironment.cpp:
3331         (JSC::VariableEnvironment::markAllVariablesAsCaptured):
3332         (JSC::VariableEnvironment::hasCapturedVariables):
3333         * runtime/FunctionHasExecutedCache.cpp:
3334         (JSC::FunctionHasExecutedCache::hasExecutedAtOffset):
3335         (JSC::FunctionHasExecutedCache::getFunctionRanges):
3336         * runtime/JSPropertyNameEnumerator.cpp:
3337         (JSC::JSPropertyNameEnumerator::visitChildren):
3338         * runtime/TypeProfiler.cpp:
3339         (JSC::TypeProfiler::findLocation):
3340         * runtime/TypeSet.cpp:
3341         (JSC::TypeSet::addTypeInformation):
3342         (JSC::TypeSet::dumpTypes):
3343         * runtime/VM.cpp:
3344         (JSC::VM::gatherConservativeRoots):
3345         * runtime/WeakMapData.cpp:
3346         (JSC::WeakMapData::DeadKeyCleaner::visitWeakReferences):
3347         (JSC::WeakMapData::DeadKeyCleaner::finalizeUnconditionally):
3348         * tools/ProfileTreeNode.h:
3349         (JSC::ProfileTreeNode::dumpInternal):
3350         * yarr/YarrInterpreter.cpp:
3351         (JSC::Yarr::ByteCompiler::emitDisjunction):
3352
3353 2016-12-20  Konstantin Tokarev  <annulen@yandex.ru>
3354
3355         __cpuid() requires <intrin.h> to be included
3356         https://bugs.webkit.org/show_bug.cgi?id=166051
3357
3358         Reviewed by Yusuke Suzuki.
3359
3360         * assembler/MacroAssemblerX86Common.h:
3361
3362 2016-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
3363
3364         [ES6] Enable ES6 Modules
3365         https://bugs.webkit.org/show_bug.cgi?id=165849
3366
3367         Reviewed by Geoffrey Garen.
3368
3369         * features.json:
3370
3371 2016-12-19  Mark Lam  <mark.lam@apple.com>
3372
3373         Rolling out r209974 and r209952. They break some websites in mysterious ways. Step 2: Rollout r209952.
3374         https://bugs.webkit.org/show_bug.cgi?id=166049
3375
3376         Not reviewed.
3377
3378         * bytecode/HandlerInfo.h:
3379         (JSC::HandlerInfoBase::typeName):
3380         * bytecompiler/BytecodeGenerator.cpp:
3381         (JSC::BytecodeGenerator::generate):
3382         (JSC::BytecodeGenerator::BytecodeGenerator):
3383         (JSC::BytecodeGenerator::emitReturn):
3384         (JSC::BytecodeGenerator::pushFinallyControlFlowScope):
3385         (JSC::BytecodeGenerator::pushIteratorCloseControlFlowScope):
3386         (JSC::BytecodeGenerator::popFinallyControlFlowScope):
3387         (JSC::BytecodeGenerator::popIteratorCloseControlFlowScope):
3388         (JSC::BytecodeGenerator::emitComplexPopScopes):
3389         (JSC::BytecodeGenerator::emitPopScopes):
3390         (JSC::BytecodeGenerator::pushTry):
3391         (JSC::BytecodeGenerator::popTryAndEmitCatch):
3392         (JSC::BytecodeGenerator::labelScopeDepth):
3393         (JSC::BytecodeGenerator::pushLocalControlFlowScope):
3394         (JSC::BytecodeGenerator::popLocalControlFlowScope):
3395         (JSC::BytecodeGenerator::emitEnumeration):
3396         (JSC::BytecodeGenerator::emitYield):
3397         (JSC::BytecodeGenerator::emitDelegateYield):
3398         (JSC::BytecodeGenerator::popTry): Deleted.
3399         (JSC::BytecodeGenerator::emitCatch): Deleted.
3400         (JSC::BytecodeGenerator::restoreScopeRegister): Deleted.
3401         (JSC::BytecodeGenerator::labelScopeDepthToLexicalScopeIndex): Deleted.
3402         (JSC::BytecodeGenerator::emitIsNumber): Deleted.
3403         (JSC::BytecodeGenerator::emitJumpViaFinallyIfNeeded): Deleted.
3404         (JSC::BytecodeGenerator::emitReturnViaFinallyIfNeeded): Deleted.
3405         (JSC::BytecodeGenerator::emitFinallyCompletion): Deleted.
3406         (JSC::BytecodeGenerator::allocateFinallyRegisters): Deleted.
3407         (JSC::BytecodeGenerator::releaseFinallyRegisters): Deleted.
3408         (JSC::BytecodeGenerator::emitCompareFinallyActionAndJumpIf): Deleted.
3409         * bytecompiler/BytecodeGenerator.h:
3410         (JSC::BytecodeGenerator::isInFinallyBlock):
3411         (JSC::FinallyJump::FinallyJump): Deleted.
3412         (JSC::FinallyContext::FinallyContext): Deleted.
3413         (JSC::FinallyContext::outerContext): Deleted.
3414         (JSC::FinallyContext::finallyLabel): Deleted.
3415         (JSC::FinallyContext::depth): Deleted.
3416         (JSC::FinallyContext::numberOfBreaksOrContinues): Deleted.
3417         (JSC::FinallyContext::incNumberOfBreaksOrContinues): Deleted.
3418         (JSC::FinallyContext::handlesReturns): Deleted.
3419         (JSC::FinallyContext::setHandlesReturns): Deleted.
3420         (JSC::FinallyContext::registerJump): Deleted.
3421         (JSC::FinallyContext::numberOfJumps): Deleted.
3422         (JSC::FinallyContext::jumps): Deleted.
3423         (JSC::ControlFlowScope::ControlFlowScope): Deleted.
3424         (JSC::ControlFlowScope::isLabelScope): Deleted.
3425         (JSC::ControlFlowScope::isFinallyScope): Deleted.
3426         (JSC::BytecodeGenerator::currentLexicalScopeIndex): Deleted.
3427         (JSC::BytecodeGenerator::FinallyRegistersScope::FinallyRegistersScope): Deleted.
3428         (JSC::BytecodeGenerator::FinallyRegistersScope::~FinallyRegistersScope): Deleted.
3429         (JSC::BytecodeGenerator::finallyActionRegister): Deleted.
3430         (JSC::BytecodeGenerator::finallyReturnValueRegister): Deleted.
3431         (JSC::BytecodeGenerator::emitSetFinallyActionToNormalCompletion): Deleted.
3432         (JSC::BytecodeGenerator::emitSetFinallyActionToReturnCompletion): Deleted.
3433         (JSC::BytecodeGenerator::emitSetFinallyActionToJumpID): Deleted.
3434         (JSC::BytecodeGenerator::emitSetFinallyReturnValueRegister): Deleted.
3435         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNormalCompletion): Deleted.
3436         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotJump): Deleted.
3437         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsReturnCompletion): Deleted.
3438         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotReturnCompletion): Deleted.
3439         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotThrowCompletion): Deleted.
3440         (JSC::BytecodeGenerator::emitJumpIfCompletionTypeIsThrow): Deleted.
3441         (JSC::BytecodeGenerator::bytecodeOffsetToJumpID): Deleted.
3442         * bytecompiler/NodesCodegen.cpp:
3443         (JSC::ContinueNode::emitBytecode):
3444         (JSC::BreakNode::emitBytecode):
3445         (JSC::ReturnNode::emitBytecode):
3446         (JSC::TryNode::emitBytecode):
3447
3448 2016-12-19  Mark Lam  <mark.lam@apple.com>
3449
3450         Rolling out r209974 and r209952. They break some websites in mysterious ways. Step 1: Rollout r209974.
3451         https://bugs.webkit.org/show_bug.cgi?id=166049
3452
3453         Not reviewed.
3454
3455         * bytecompiler/BytecodeGenerator.cpp:
3456         (JSC::BytecodeGenerator::emitEnumeration):
3457         (JSC::BytecodeGenerator::emitJumpViaFinallyIfNeeded):
3458         (JSC::BytecodeGenerator::emitReturnViaFinallyIfNeeded):
3459         (JSC::BytecodeGenerator::emitFinallyCompletion):
3460         (JSC::BytecodeGenerator::allocateFinallyRegisters):
3461         (JSC::BytecodeGenerator::releaseFinallyRegisters):
3462         (JSC::BytecodeGenerator::emitCompareFinallyActionAndJumpIf):
3463         (JSC::BytecodeGenerator::allocateCompletionRecordRegisters): Deleted.
3464         (JSC::BytecodeGenerator::releaseCompletionRecordRegisters): Deleted.
3465         (JSC::BytecodeGenerator::emitJumpIfCompletionType): Deleted.
3466         * bytecompiler/BytecodeGenerator.h:
3467         (JSC::FinallyJump::FinallyJump):
3468         (JSC::FinallyContext::registerJump):
3469         (JSC::BytecodeGenerator::FinallyRegistersScope::FinallyRegistersScope):
3470         (JSC::BytecodeGenerator::FinallyRegistersScope::~FinallyRegistersScope):
3471         (JSC::BytecodeGenerator::finallyActionRegister):
3472         (JSC::BytecodeGenerator::finallyReturnValueRegister):
3473         (JSC::BytecodeGenerator::emitSetFinallyActionToNormalCompletion):
3474         (JSC::BytecodeGenerator::emitSetFinallyActionToReturnCompletion):
3475         (JSC::BytecodeGenerator::emitSetFinallyActionToJumpID):
3476         (JSC::BytecodeGenerator::emitSetFinallyReturnValueRegister):
3477         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNormalCompletion):
3478         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotJump):
3479         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsReturnCompletion):
3480         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotReturnCompletion):
3481         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotThrowCompletion):
3482         (JSC::BytecodeGenerator::emitJumpIfCompletionTypeIsThrow):
3483         (JSC::BytecodeGenerator::bytecodeOffsetToJumpID):
3484         (JSC::bytecodeOffsetToJumpID): Deleted.
3485         (JSC::BytecodeGenerator::CompletionRecordScope::CompletionRecordScope): Deleted.
3486         (JSC::BytecodeGenerator::CompletionRecordScope::~CompletionRecordScope): Deleted.
3487         (JSC::BytecodeGenerator::completionTypeRegister): Deleted.
3488         (JSC::BytecodeGenerator::completionValueRegister): Deleted.
3489         (JSC::BytecodeGenerator::emitSetCompletionType): Deleted.
3490         (JSC::BytecodeGenerator::emitSetCompletionValue): Deleted.
3491         * bytecompiler/NodesCodegen.cpp:
3492         (JSC::TryNode::emitBytecode):
3493
3494 2016-12-19  Joseph Pecoraro  <pecoraro@apple.com>
3495
3496         Web Inspector: Assertion seen in InspectorDebuggerAgent::refAsyncCallData with Inspector open
3497         https://bugs.webkit.org/show_bug.cgi?id=166034
3498         <rdar://problem/29554366>
3499
3500         Reviewed by Brian Burg.
3501
3502         * inspector/agents/InspectorDebuggerAgent.cpp:
3503         (Inspector::InspectorDebuggerAgent::refAsyncCallData):
3504         Remove assertion. This assert can happen if the currently executing callback
3505         was just explicitly cancelled by script. Existing code already handles if
3506         no async data was found for the given identifier.
3507
3508 2016-12-18  Saam Barati  <sbarati@apple.com>
3509
3510         WebAssembly: Implement the WebAssembly.compile and WebAssembly.validate
3511         https://bugs.webkit.org/show_bug.cgi?id=165936
3512
3513         Reviewed by Mark Lam.
3514
3515         The APIs are documented here:
3516         - https://github.com/WebAssembly/design/blob/master/JS.md#webassemblycompile
3517         - https://github.com/WebAssembly/design/blob/master/JS.md#webassemblyvalidate
3518
3519         * wasm/JSWebAssembly.cpp:
3520         (JSC::webAssemblyCompileFunc):
3521         (JSC::webAssemblyValidateFunc):
3522         (JSC::JSWebAssembly::finishCreation):
3523         * wasm/WasmPlan.cpp:
3524         (JSC::Wasm::Plan::parseAndValidateModule):
3525         (JSC::Wasm::Plan::run):
3526         * wasm/WasmPlan.h:
3527         * wasm/js/JSWebAssemblyHelpers.h:
3528         (JSC::getWasmBufferFromValue):
3529         * wasm/js/WebAssemblyModuleConstructor.cpp:
3530         (JSC::constructJSWebAssemblyModule):
3531         (JSC::callJSWebAssemblyModule):
3532         (JSC::WebAssemblyModuleConstructor::createModule):
3533         * wasm/js/WebAssemblyModuleConstructor.h:
3534
3535 2016-12-18  Mark Lam  <mark.lam@apple.com>
3536
3537         Rename finallyActionRegister to completionTypeRegister and only store int JSValues in it.
3538         https://bugs.webkit.org/show_bug.cgi?id=165979
3539
3540         Reviewed by Saam Barati.
3541
3542         This patch makes it so that we only store int JSValues in the finallyActionRegister,
3543         thereby making type prediction on this register more successful for JITs.  In so
3544         doing, we are able to get some additional benefits:
3545
3546         1. Renamed the following:
3547            FinallyRegistersScope => CompletionRecordScope
3548            finallyActionRegister => completionTypeRegister
3549            finallyReturnValueRegister => completionValueRegister
3550
3551            These new names are more in line with the ES spec, which describes these
3552            values as the completion record and its type and value properties.
3553            https://tc39.github.io/ecma262/#sec-completion-record-specification-type
3554
3555         2. We now think of the Break and Continue jumpIDs as encodings of CompletionType
3556            (in our implementation of completion type).  As a result, we only need one of
3557            each of the emitter methods for getting, setting, and compare-and-jump on the
3558            completion type.  The code using these methods also reads much clearer now.
3559
3560         3. Finally blocks' op_catch should now always pop the caught Exception object into
3561            the completionValueRegister instead of the completionTypeRegister (formerly
3562            finallyActionRegister).
3563
3564         Also removed the restoreScopeRegister() call in the IteratorClose catch block
3565         because that is an implementation specific synthesized catch block, and we
3566         can guarantee that it never needs to resolve any symbols from the scope.  Hence,
3567         there is no need to restore the scope register.
3568
3569         * bytecompiler/BytecodeGenerator.cpp:
3570         (JSC::BytecodeGenerator::emitEnumeration):
3571         (JSC::BytecodeGenerator::emitJumpViaFinallyIfNeeded):
3572         (JSC::BytecodeGenerator::emitReturnViaFinallyIfNeeded):
3573         (JSC::BytecodeGenerator::emitFinallyCompletion):
3574         (JSC::BytecodeGenerator::allocateCompletionRecordRegisters):
3575         (JSC::BytecodeGenerator::releaseCompletionRecordRegisters):
3576         (JSC::BytecodeGenerator::emitJumpIfCompletionType):
3577         (JSC::BytecodeGenerator::allocateFinallyRegisters): Deleted.
3578         (JSC::BytecodeGenerator::releaseFinallyRegisters): Deleted.
3579         (JSC::BytecodeGenerator::emitCompareFinallyActionAndJumpIf): Deleted.
3580         * bytecompiler/BytecodeGenerator.h:
3581         (JSC::bytecodeOffsetToJumpID):
3582         (JSC::FinallyJump::FinallyJump):
3583         (JSC::FinallyContext::registerJump):
3584         (JSC::BytecodeGenerator::CompletionRecordScope::CompletionRecordScope):
3585         (JSC::BytecodeGenerator::CompletionRecordScope::~CompletionRecordScope):
3586         (JSC::BytecodeGenerator::completionTypeRegister):
3587         (JSC::BytecodeGenerator::completionValueRegister):
3588         (JSC::BytecodeGenerator::emitSetCompletionType):
3589         (JSC::BytecodeGenerator::emitSetCompletionValue):
3590         (JSC::BytecodeGenerator::FinallyRegistersScope::FinallyRegistersScope): Deleted.
3591         (JSC::BytecodeGenerator::FinallyRegistersScope::~FinallyRegistersScope): Deleted.
3592         (JSC::BytecodeGenerator::finallyActionRegister): Deleted.
3593         (JSC::BytecodeGenerator::finallyReturnValueRegister): Deleted.
3594         (JSC::BytecodeGenerator::emitSetFinallyActionToNormalCompletion): Deleted.
3595         (JSC::BytecodeGenerator::emitSetFinallyActionToReturnCompletion): Deleted.
3596         (JSC::BytecodeGenerator::emitSetFinallyActionToJumpID): Deleted.
3597         (JSC::BytecodeGenerator::emitSetFinallyReturnValueRegister): Deleted.
3598         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNormalCompletion): Deleted.
3599         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotJump): Deleted.
3600         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsReturnCompletion): Deleted.
3601         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotReturnCompletion): Deleted.
3602         (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotThrowCompletion): Deleted.
3603         (JSC::BytecodeGenerator::emitJumpIfCompletionTypeIsThrow): Deleted.
3604         (JSC::BytecodeGenerator::bytecodeOffsetToJumpID): Deleted.
3605         * bytecompiler/NodesCodegen.cpp:
3606         (JSC::TryNode::emitBytecode):
3607
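        An added example, not code from this ChangeLog or from WebKit: it exercises the
        observable semantics the completion-record machinery above must implement, with
        each completion type (Normal, Break, Continue, Return, Throw) threading through
        two nested finally blocks, and a finally block whose own abrupt completion
        replaces the pending one. The function names completionTrace and
        finallyOverrides are invented for this example.

```javascript
// Added example, not WebKit code: observable semantics of each completion
// type routing through nested finally blocks (names are invented here).
function completionTrace(kind) {
  const trace = [];
  function run() {
    outer: for (let i = 0; i < 2; i++) {
      try {
        try {
          trace.push("try:" + i);
          switch (kind) {
            case "break":    break outer;              // Break completion (jumpID = label site)
            case "continue": continue outer;           // Continue completion
            case "return":   return "r" + i;           // Return completion carrying a value
            case "throw":    throw new Error("e" + i); // Throw completion
            default:         break;                    // Normal completion: fall through
          }
        } finally {
          trace.push("inner-finally:" + i);            // runs for every completion type
        }
      } finally {
        trace.push("outer-finally:" + i);              // abrupt completions thread out here too
      }
    }
    return "fellthrough";
  }
  let result;
  try { result = run(); } catch (e) { result = "caught:" + e.message; }
  return { result, trace };
}

// A finally block that completes abruptly replaces the completion that was
// pending when it was entered (the completion record is overwritten).
function finallyOverrides() {
  function lostThrow() {
    try { throw new Error("lost"); }
    finally { return "finally wins"; }  // Return in finally discards the pending Throw
  }
  function lostReturn() {
    for (;;) {
      try { return "never"; }
      finally { break; }                // Break in finally discards the pending Return
    }
    return "after-loop";
  }
  return [lostThrow(), lostReturn()];
}
```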
3608 2016-12-17  Saam Barati  <sbarati@apple.com>
3609
3610         WebAssembly: WasmB3IRGenerator uses WarmAny as a ValueRep but expects the incoming value to be a register
3611         https://bugs.webkit.org/show_bug.cgi?id=165989
3612
3613         Reviewed by Mark Lam.
3614
3615         The input should be constrained to a register to match what
3616         the patchpoint code expects.
3617
3618         * wasm/WasmB3IRGenerator.cpp:
3619
3620 2016-12-17  Saam Barati  <sbarati@apple.com>
3621
3622         WebAssembly: Change a RELEASE_ASSERT_NOT_REACHED to a jit.breakpoint() for now to allow us to run some wasm benchmarks
3623         https://bugs.webkit.org/show_bug.cgi?id=165990
3624
3625         Reviewed by Mark Lam.
3626
3627         * wasm/WasmBinding.cpp:
3628         (JSC::Wasm::importStubGenerator):
3629
3630 2016-12-16  Joseph Pecoraro  <pecoraro@apple.com>
3631
3632         JSContext Inspector: Avoid some possible exceptions inspecting a JSContext
3633         https://bugs.webkit.org/show_bug.cgi?id=165986
3634         <rdar://problem/29551379>
3635
3636         Reviewed by Matt Baker.
3637
3638         * inspector/InjectedScriptSource.js:
3639         (InjectedScript.prototype.processProperties):
3640         Prefer String.prototype.endsWith now that it is available.
3641
3642         (InjectedScript.prototype._describe):
3643         Prefer Function.prototype.toString for converting functions to String.
3644         Previously we were doing String(f) which would do Symbol.toPrimitive
3645         conversion which seems unnecessary here.
3646
3647 2016-12-16  Michael Catanzaro  <mcatanzaro@igalia.com>
3648
3649         Unreviewed, fix GCC 6 build failure after r209952
3650
3651         Return false, not nullptr, in function returning bool.
3652
3653         * bytecompiler/BytecodeGenerator.cpp:
3654         (JSC::BytecodeGenerator::emitJumpViaFinallyIfNeeded):
3655
3656 2016-12-16  Saam Barati  <sbarati@apple.com>
3657
3658         WebAssembly: We still have some incorrect parsing productions inside unreachable code
3659         https://bugs.webkit.org/show_bug.cgi?id=165981
3660
3661         Reviewed by Keith Miller.
3662
3663         This hardens our parsing for CallIndirect and Loop/Block/If to be exactly like their reachable variants.
3664         
3665         It also fixes a more nefarious bug in which we were decoding an extra varuint32
3666         for Br/BrIf inside unreachable code.
3667
3668         * wasm/WasmFunctionParser.h:
3669
3670 2016-12-16  Filip Pizlo  <fpizlo@apple.com>
3671
3672         CellState should have members with accurate names
3673         https://bugs.webkit.org/show_bug.cgi?id=165969
3674
3675         Reviewed by Mark Lam.
3676         
3677         This once again renames the members in CellState. I wanted to convey the following
3678         pieces of information in the names:
3679         
3680         - What does the state mean for Generational GC?
3681         - What does the state mean for Concurrent GC?
3682         - Does the state guarantee what it means, or is there some contingency?
3683         
3684         The names I came up with are:
3685         
3686         PossiblyOldOrBlack: An object in this state may be old, or may be black, depending on
3687             other things. If the mark bit is set then the object is either black or being
3688             blackened as we speak. It's going to survive the GC, so it will be old, but may be
3689             new now. In between GCs, objects in this state are definitely old. If the mark bit
3690             is not set, then the object is actually old and white.
3691         
3692         DefinitelyNewAndWhite: The object was just allocated so it is white (not marked) and
3693             new.
3694         
3695         DefinitelyGrey: The object is definitely grey - it will be rescanned in the future. It
3696             may be new or old depending on other things.
3697
3698         * heap/CellState.h:
3699         * heap/Heap.cpp:
3700         (JSC::Heap::addToRememberedSet):
3701         (JSC::Heap::writeBarrierSlowPath):
3702         * heap/SlotVisitor.cpp:
3703         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
3704         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
3705         (JSC::SlotVisitor::appendToMarkStack):
3706         (JSC::SlotVisitor::visitChildren):
3707         * runtime/JSCellInlines.h:
3708         (JSC::JSCell::JSCell):
3709         * runtime/StructureIDBlob.h:
3710         (JSC::StructureIDBlob::StructureIDBlob):
3711
3712 2016-12-16  Saam Barati  <sbarati@apple.com>
3713
3714         B3::DoubleToFloatReduction will accidentally convince itself it converted a Phi from Double to Float and then convert uses of that Phi into a use of FloatToDouble(@Phi)
3715         https://bugs.webkit.org/show_bug.cgi?id=165946
3716
3717         Reviewed by Keith Miller.
3718
3719         This was happening because the phase will convert some Phi nodes
3720         from Double to Float. However, one place that did this conversion
3721         forgot to first check if the Phi was already a Float. If it's already
3722         a Float, a later part of the phase will be buggy if the phase claims that it has
3723         converted it from Double->Float. The reason is that at the end of the
3724         phase, we'll look for all uses of former Double Phi nodes and make them
3725         be a use of ConvertFloatToDouble on the Phi, instead of a use of the Phi itself.
3726         This is clearly wrong if the Phi were Float to begin with (and
3727         therefore, the uses were Float uses to begin with).
3728
3729         * b3/B3ReduceDoubleToFloat.cpp:
3730         * b3/testb3.cpp:
3731         (JSC::B3::testReduceFloatToDoubleValidates):
3732         (JSC::B3::run):
3733
3734 2016-12-16  Mark Lam  <mark.lam@apple.com>
3735
3736         De-duplicate finally blocks.
3737         https://bugs.webkit.org/show_bug.cgi?id=160168
3738
3739         Reviewed by Keith Miller.
3740
3741         JS execution can arrive at a finally block when there are abrupt completions from
3742         its try or catch block.  The abrupt completion types include Break,
3743         Continue, Return, and Throw.  The non-abrupt completion type is called Normal
3744         (i.e. the case of a try block falling through to the finally block).
3745
3746         Previously, we enabled each of these paths for abrupt completion (except for Throw)
3747         to run the finally block code by duplicating the finally block code at each of
3748         the sites that trigger those completions.  This patch fixes the implementation so
3749         that each of these abrupt completions will set a finallyActionRegister (plus a
3750         finallyReturnValueRegister for CompletionType::Return) and then jump to the
3751         relevant finally blocks, and continue to thread through subsequent outer finally
3752         blocks until execution reaches the outermost finally block that the completion
3753         type dictates.  We no longer duplicate the finally block code.
3754
3755         The implementation details:
3756         1. We allocate a pair of finallyActionRegister and finallyReturnValueRegister
3757            just before entering the outermost try-catch-finally scope.
3758
3759            On allocating the registers, we set them to the empty JSValue.  This serves
3760            to set the completion type to CompletionType::Normal (see (2) below).
3761
3762         2. The finallyActionRegister serves 2 purposes:
3763            a. indicates the CompletionType that triggered entry into the finally block.
3764
3765               This is how we encode the completion type in the finallyActionRegister:
3766               1. CompletionType::Normal
3767                  - finallyActionRegister is set to the empty JSValue.
3768               2. CompletionType::Break
3769                  - finallyActionRegister is set to the int jumpID for the site of the break statement.
3770               3. CompletionType::Continue
3771                  - finallyActionRegister is set to the int jumpID for the site of the continue statement.
3772               4. CompletionType::Return
3773                  - finallyActionRegister is set to CompletionType::Return as an int JSValue.
3774                  - finallyReturnValueRegister is set to the value to be returned. 
3775               5. CompletionType::Throw
3776                  - finallyActionRegister is set to the exception object that was caught by the finally block.
3777
3778               Hence, the finallyActionRegister can either be:
3779               1. empty i.e. we're handling CompletionType::Normal.
3780               2. an int JSValue i.e. we're handling CompletionType::Break, Continue, or Return.
3781               3. an object i.e. we're handling CompletionType::Throw.
3782
3783            b. stores the exception caught in the finally block if we're handling
3784               CompletionType::Throw.
3785
3786         3. Each finally block will have 2 entries:
3787            a. the entry via throw.
3788            b. the normal entry.