[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2017-01-13  Joseph Pecoraro  <pecoraro@apple.com>

        Remove ENABLE(DETAILS_ELEMENT) guards
        https://bugs.webkit.org/show_bug.cgi?id=167042

        Reviewed by Alex Christensen.

        * Configurations/FeatureDefines.xcconfig:

2017-01-11  Darin Adler  <darin@apple.com>

        Remove PassRefPtr from more of "platform"
        https://bugs.webkit.org/show_bug.cgi?id=166809

        Reviewed by Sam Weinig.

        * inspector/JSInjectedScriptHost.h:
        (Inspector::JSInjectedScriptHost::impl): Simplified code since we don't need a
        const_cast here any more.
        * runtime/PrivateName.h:
        (JSC::PrivateName::uid): Ditto.

2017-01-13  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r210735.

        This change introduced LayoutTest and JSC test flakiness.

        Reverted changeset:

        "Reserve capacity for StringBuilder in unescape"
        https://bugs.webkit.org/show_bug.cgi?id=167008
        http://trac.webkit.org/changeset/210735

2017-01-13  Saam Barati  <sbarati@apple.com>

        Initialize the ArraySpecies watchpoint as Clear and transition to IsWatched once slice is called for the first time
        https://bugs.webkit.org/show_bug.cgi?id=167017
        <rdar://problem/30019309>

        Reviewed by Keith Miller and Filip Pizlo.

        This patch is to reverse the JSBench regression from r210695.
        
        The new state diagram for the array species watchpoint is as
        follows:
        
        1. On GlobalObject construction, it starts life out as ClearWatchpoint.
        2. When slice is called for the first time, we observe the state
        of the world, and either transition it to IsWatched if we were able
        to set up the object property conditions, or to IsInvalidated if we
        were not.
        3. The DFG compiler will now only lower slice as an intrinsic if
        it observed the speciesWatchpoint.state() as IsWatched.
        4. The IsWatched => IsInvalidated transition happens only when
        one of the object property condition watchpoints fire.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * runtime/ArrayPrototype.cpp:
        (JSC::speciesWatchpointIsValid):
        (JSC::speciesConstructArray):
        (JSC::arrayProtoPrivateFuncConcatMemcpy):
        (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
        (JSC::ArrayPrototype::initializeSpeciesWatchpoint): Deleted.
        * runtime/ArrayPrototype.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::init):

2017-01-13  Yusuke Suzuki  <utatane.tea@gmail.com>

        Reserve capacity for StringBuilder in unescape
        https://bugs.webkit.org/show_bug.cgi?id=167008

        Reviewed by Sam Weinig.

        `unescape` function is frequently called in Kraken sha256-iterative.
        This patch just reserves the capacity for the StringBuilder.

        Currently, we select the length of the string for the reserved capacity.
        It improves the performance 2.73%.

            Benchmark report for Kraken on sakura-trick.

            VMs tested:
            "baseline" at /home/yusukesuzuki/dev/WebKit/WebKitBuild/untot/Release/bin/jsc
            "patched" at /home/yusukesuzuki/dev/WebKit/WebKitBuild/un/Release/bin/jsc

            Collected 100 samples per benchmark/VM, with 100 VM invocations per benchmark. Emitted a call to gc() between
            sample measurements. Used 1 benchmark iteration per VM invocation for warm-up. Used the jsc-specific preciseTime()
            function to get microsecond-level timing. Reporting benchmark execution times with 95% confidence intervals in
            milliseconds.

                                                       baseline                  patched

            stanford-crypto-sha256-iterative        51.609+-0.672             50.237+-0.860           might be 1.0273x faster

            <arithmetic>                            51.609+-0.672             50.237+-0.860           might be 1.0273x faster

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncUnescape):

2017-01-12  Saam Barati  <sbarati@apple.com>

        Add a slice intrinsic to the DFG/FTL
        https://bugs.webkit.org/show_bug.cgi?id=166707
        <rdar://problem/29913445>

        Reviewed by Filip Pizlo.

        The gist of this patch is to inline Array.prototype.slice
        into the DFG/FTL. The implementation in the DFG-backend
        and FTLLowerDFGToB3 is just a straight forward implementation
        of what the C function is doing. The more interesting bits
        of this patch are setting up the proper watchpoints and conditions
        in the executing code to prove that its safe to skip all of the
        observable JS actions that Array.prototype.slice normally does.
        
        We perform the following proofs:
        1. Array.prototype.constructor has not changed (via a watchpoint).
        2. That Array.prototype.constructor[Symbol.species] has not changed (via a watchpoint).
        3. The global object is not having a bad time.
        4. The array that is being sliced has an original array structure.
        5. Array.prototype/Object.prototype have not transitioned.
        
        Conditions 1, 2, and 3 are strictly required.
        
        4 is ensuring a couple things:
        1. That a "constructor" property hasn't been added to the array
        we're slicing since we're supposed to perform a Get(array, "constructor").
        2. That we're not slicing an instance of a subclass of Array.
        
        We could relax 4.1 in the future if we find other ways to test if
        the incoming array hasn't changed the "constructor" property. We
        would probably use TryGetById to do this.
        
        I'm seeing a 5% speedup on crypto-pbkdf2 and often a 1% speedup on
        the total benchmark (the results are sometimes noisy).

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
        (JSC::DFG::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArraySlice):
        (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::emitInitializeButterfly):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::emitInitializeButterfly):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
        (JSC::FTL::DFG::LowerDFGToB3::storeStructure):
        (JSC::FTL::DFG::LowerDFGToB3::allocateCell):
        (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
        (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArray):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitLoadStructure):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        (JSC::speciesWatchpointIsValid):
        (JSC::speciesConstructArray):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoPrivateFuncConcatMemcpy):
        (JSC::ArrayPrototype::initializeSpeciesWatchpoint):
        (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
        (JSC::speciesWatchpointsValid): Deleted.
        (JSC::ArrayPrototype::attemptToInitializeSpeciesWatchpoint): Deleted.
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::speciesWatchpointStatus): Deleted.
        (): Deleted.
        * runtime/Intrinsic.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::arraySpeciesWatchpoint):
        * runtime/Structure.h:

2017-01-12  Saam Barati  <sbarati@apple.com>

        Concurrent GC has a bug where we would detect a race but fail to rescan the object
        https://bugs.webkit.org/show_bug.cgi?id=166960
        <rdar://problem/29983526>

        Reviewed by Filip Pizlo and Mark Lam.

        We have code like this in JSC:
        
        ```
        Butterfly* butterfly = allocateMoreOutOfLineStorage(vm, oldOutOfLineCapacity, newOutOfLineCapacity);
        nukeStructureAndSetButterfly(vm, structureID, butterfly);
        structure->setLastOffset(newLastOffset);
        WTF::storeStoreFence();
        setStructureIDDirectly(structureID);
        ```
        
        Note that the collector could detect a race here, which sometimes
        incorrectly caused us to not visit the object again.
        
        Mutator Thread: M, Collector Thread: C, assuming sequential consistency via
        proper barriers:
        
        M: allocate new butterfly
        M: Set nuked structure ID
        M: Set butterfly (this does a barrier)
        C: Start scanning O
        C: load structure ID
        C: See it's nuked and bail, (we used to rely on a write barrier to rescan).
        
        We sometimes never rescanned here because we were calling
        setStructureIDDirectly which doesn't do a write barrier.
        (Note, the places that do this but call setStructure were
        OK because setStructure will perform a write barrier.)
        
        (This same issue also existed in places where the collector thread
        detected races for Structure::m_offset, but places that changed
        Structure::m_offset didn't perform a write barrier on the object
        after changing its Structure's m_offset.)
        
        To prevent such code from requiring every call site to perform
        a write barrier on the object, I've changed the collector code
        to keep a stack of cells to be revisited due to races. This stack
        is then consulted when we do marking. Because such races are rare,
        we have a single stack on Heap that is guarded by a lock.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::~Heap):
        (JSC::Heap::markToFixpoint):
        (JSC::Heap::endMarking):
        (JSC::Heap::buildConstraintSet):
        (JSC::Heap::addToRaceMarkStack):
        * heap/Heap.h:
        (JSC::Heap::collectorSlotVisitor):
        (JSC::Heap::mutatorMarkStack): Deleted.
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::didRace):
        * heap/SlotVisitor.h:
        (JSC::SlotVisitor::didRace):
        (JSC::SlotVisitor::didNotRace): Deleted.
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::didNotRace): Deleted.
        * runtime/JSObject.cpp:
        (JSC::JSObject::visitButterfly):
        (JSC::JSObject::visitButterflyImpl):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::prepareToPutDirectWithoutTransition):
        * runtime/Structure.cpp:
        (JSC::Structure::flattenDictionaryStructure):

2017-01-12  Chris Dumez  <cdumez@apple.com>

        Add KEYBOARD_KEY_ATTRIBUTE / KEYBOARD_CODE_ATTRIBUTE to FeatureDefines.xcconfig
        https://bugs.webkit.org/show_bug.cgi?id=166995

        Reviewed by Jer Noble.

        Add KEYBOARD_KEY_ATTRIBUTE / KEYBOARD_CODE_ATTRIBUTE to FeatureDefines.xcconfig
        as some people are having trouble building without it.

        * Configurations/FeatureDefines.xcconfig:

2017-01-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        Implement InlineClassicScript
        https://bugs.webkit.org/show_bug.cgi?id=166925

        Reviewed by Ryosuke Niwa.

        Add ScriptFetcher field for SourceOrigin.

        * runtime/SourceOrigin.h:
        (JSC::SourceOrigin::SourceOrigin):
        (JSC::SourceOrigin::fetcher):

2017-01-11  Andreas Kling  <akling@apple.com>

        Crash when WebCore's GC heap grows way too large.
        <https://webkit.org/b/166875>
        <rdar://problem/27896585>

        Reviewed by Mark Lam.

        Add a simple API to JSC::Heap that allows setting a hard limit on the amount
        of live bytes. If this is exceeded, we crash with a recognizable signature.
        By default there is no limit.

        * heap/Heap.cpp:
        (JSC::Heap::didExceedMaxLiveSize):
        (JSC::Heap::updateAllocationLimits):
        * heap/Heap.h:
        (JSC::Heap::setMaxLiveSize):

2017-01-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        Decouple module loading initiator from ScriptElement
        https://bugs.webkit.org/show_bug.cgi?id=166888

        Reviewed by Saam Barati and Ryosuke Niwa.

        Add ScriptFetcher and JSScriptFetcher.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/ModuleLoaderPrototype.js:
        (requestFetch):
        (requestInstantiate):
        (requestSatisfy):
        (requestInstantiateAll):
        (requestLink):
        (moduleEvaluation):
        (loadAndEvaluateModule):
        (importModule):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * runtime/Completion.cpp:
        (JSC::loadAndEvaluateModule):
        (JSC::loadModule):
        (JSC::linkAndEvaluateModule):
        * runtime/Completion.h:
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::loadAndEvaluateModule):
        (JSC::JSModuleLoader::loadModule):
        (JSC::JSModuleLoader::linkAndEvaluateModule):
        (JSC::JSModuleLoader::resolve):
        (JSC::JSModuleLoader::fetch):
        (JSC::JSModuleLoader::instantiate):
        (JSC::JSModuleLoader::evaluate):
        * runtime/JSModuleLoader.h:
        * runtime/JSScriptFetcher.cpp: Copied from Source/WebCore/dom/LoadableScript.cpp.
        (JSC::JSScriptFetcher::destroy):
        * runtime/JSScriptFetcher.h: Added.
        (JSC::JSScriptFetcher::createStructure):
        (JSC::JSScriptFetcher::create):
        (JSC::JSScriptFetcher::fetcher):
        (JSC::JSScriptFetcher::JSScriptFetcher):
        * runtime/JSType.h:
        * runtime/ScriptFetcher.h: Copied from Source/WebCore/dom/LoadableScript.cpp.
        (JSC::ScriptFetcher::~ScriptFetcher):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2017-01-10  Yusuke Suzuki  <utatane.tea@gmail.com>

        Implement JSSourceCode to propagate SourceCode in module pipeline
        https://bugs.webkit.org/show_bug.cgi?id=166861

        Reviewed by Saam Barati.

        Instead of propagating source code string, we propagate JSSourceCode
        cell in the module pipeline. This allows us to attach a metadata
        to the propagated source code string. In particular, it propagates
        SourceOrigin through the module pipeline.

        And it also fixes JSC shell to use Module source type for module source code.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/ModuleLoaderPrototype.js:
        (fulfillFetch):
        (requestFetch):
        * jsc.cpp:
        (GlobalObject::moduleLoaderFetch):
        (runWithScripts):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * runtime/Completion.cpp:
        (JSC::loadAndEvaluateModule):
        (JSC::loadModule):
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::provide):
        * runtime/JSModuleLoader.h:
        * runtime/JSSourceCode.cpp: Added.
        (JSC::JSSourceCode::destroy):
        * runtime/JSSourceCode.h: Added.
        (JSC::JSSourceCode::createStructure):
        (JSC::JSSourceCode::create):
        (JSC::JSSourceCode::sourceCode):
        (JSC::JSSourceCode::JSSourceCode):
        * runtime/JSType.h:
        * runtime/ModuleLoaderPrototype.cpp:
        (JSC::moduleLoaderPrototypeParseModule):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2017-01-10  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r210052.
        https://bugs.webkit.org/show_bug.cgi?id=166915

        "breaks web compatability" (Requested by keith_miller on
        #webkit).

        Reverted changeset:

        "Add support for global"
        https://bugs.webkit.org/show_bug.cgi?id=165171
        http://trac.webkit.org/changeset/210052

2017-01-10  Sam Weinig  <sam@webkit.org>

        [WebIDL] Remove most of the custom bindings for the WebGL code
        https://bugs.webkit.org/show_bug.cgi?id=166834

        Reviewed by Alex Christensen.

        * runtime/ArrayPrototype.h:
        * runtime/ObjectPrototype.h:
        Export the ClassInfo so it can be used from WebCore.

2017-01-09  Filip Pizlo  <fpizlo@apple.com>

        Streamline the GC barrier slowpath
        https://bugs.webkit.org/show_bug.cgi?id=166878

        Reviewed by Geoffrey Garen and Saam Barati.
        
        This implements two optimizations to the barrier:
        
        - Removes the write barrier buffer. This was just overhead.
        
        - Teaches the slow path how to white an object that was black but unmarked, ensuring that
          we don't take slow path for this object again.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
        * heap/CellState.h:
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::markToFixpoint):
        (JSC::Heap::addToRememberedSet):
        (JSC::Heap::stopTheWorld):
        (JSC::Heap::writeBarrierSlowPath):
        (JSC::Heap::buildConstraintSet):
        (JSC::Heap::flushWriteBarrierBuffer): Deleted.
        * heap/Heap.h:
        (JSC::Heap::writeBarrierBuffer): Deleted.
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::appendJSCellOrAuxiliary):
        (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
        (JSC::SlotVisitor::appendToMarkStack):
        (JSC::SlotVisitor::visitChildren):
        * heap/WriteBarrierBuffer.cpp: Removed.
        * heap/WriteBarrierBuffer.h: Removed.
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::JSCell):
        * runtime/StructureIDBlob.h:
        (JSC::StructureIDBlob::StructureIDBlob):

2017-01-10  Mark Lam  <mark.lam@apple.com>

        Property setters should not be called for bound arguments list entries.
        https://bugs.webkit.org/show_bug.cgi?id=165631

        Reviewed by Filip Pizlo.

        * builtins/FunctionPrototype.js:
        (bind):
        - use @putByValDirect to set the bound arguments so that we don't consult the
          prototype chain for setters.

        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototypeGetterFormat):
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatPrototypeGetterFormat):
        - no need to create a bound arguments array because these bound functions binds
          no arguments according to the spec.

2017-01-10  Skachkov Oleksandr  <gskachkov@gmail.com>

        Calling async arrow function which is in a class's member function will cause error
        https://bugs.webkit.org/show_bug.cgi?id=166879

        Reviewed by Saam Barati.

        Current patch fixed loading 'super' in async arrow function. Errored appear becuase 
        super was loaded always nevertherless if it used in async arrow function or not, but bytecompiler
        put to arrow function context only if it used within arrow function. So to fix this issue we need to 
        check if super was used in arrow function. 

        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionNode::emitBytecode):

2017-01-10  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r210537.
        https://bugs.webkit.org/show_bug.cgi?id=166903

        This change introduced JSC test failures (Requested by
        ryanhaddad on #webkit).

        Reverted changeset:

        "Implement JSSourceCode to propagate SourceCode in module
        pipeline"
        https://bugs.webkit.org/show_bug.cgi?id=166861
        http://trac.webkit.org/changeset/210537

2017-01-10  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r210540.
        https://bugs.webkit.org/show_bug.cgi?id=166896

        too crude for non-WebCore clients (Requested by kling on
        #webkit).

        Reverted changeset:

        "Crash when GC heap grows way too large."
        https://bugs.webkit.org/show_bug.cgi?id=166875
        http://trac.webkit.org/changeset/210540

2017-01-09  Filip Pizlo  <fpizlo@apple.com>

        JSArray has some object scanning races
        https://bugs.webkit.org/show_bug.cgi?id=166874

        Reviewed by Mark Lam.
        
        This fixes two separate bugs, both of which I detected by running
        array-splice-contiguous.js in extreme anger:
        
        1) Some of the paths of shifting and unshifting were not grabbing the internal cell
           lock. This was causing the array storage scan to crash, even though it was well
           synchronized (the scan does hold the lock). The fix is just to hold the lock anywhere
           that memmoves the innards of the butterfly.
        
        2) Out of line property scanning was synchronized using double collect snapshot. Array
           storage scanning was synchronized using locks. But what if array storage
           transformations messed up the out of line properties? It turns out that we actually
           need to hoist the array storage scanner's locking up into the double collect
           snapshot.
        
        I don't know how to write a test that does any better of a job of catching this than
        array-splice-contiguous.js.

        * heap/DeferGC.h: Make DisallowGC usable even if NDEBUG.
        * runtime/JSArray.cpp:
        (JSC::JSArray::unshiftCountSlowCase):
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::unshiftCountWithArrayStorage):
        * runtime/JSObject.cpp:
        (JSC::JSObject::visitButterflyImpl):

2017-01-10  Andreas Kling  <akling@apple.com>

        Crash when GC heap grows way too large.
        <https://webkit.org/b/166875>
        <rdar://problem/27896585>

        Reviewed by Mark Lam.

        Hard cap the JavaScript heap at 4GB of live objects (determined post-GC.)
        If we go past this limit, crash with a recognizable signature.

        * heap/Heap.cpp:
        (JSC::Heap::didExceedHeapSizeLimit):
        (JSC::Heap::updateAllocationLimits):

2017-01-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        Implement JSSourceCode to propagate SourceCode in module pipeline
        https://bugs.webkit.org/show_bug.cgi?id=166861

        Reviewed by Saam Barati.

        Instead of propagating source code string, we propagate JSSourceCode
        cell in the module pipeline. This allows us to attach a metadata
        to the propagated source code string. In particular, it propagates
        SourceOrigin through the module pipeline.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/ModuleLoaderPrototype.js:
        (fulfillFetch):
        (requestFetch):
        * jsc.cpp:
        (GlobalObject::moduleLoaderFetch):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * runtime/Completion.cpp:
        (JSC::loadAndEvaluateModule):
        (JSC::loadModule):
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::provide):
        * runtime/JSModuleLoader.h:
        * runtime/JSSourceCode.cpp: Added.
        (JSC::JSSourceCode::destroy):
        * runtime/JSSourceCode.h: Added.
        (JSC::JSSourceCode::createStructure):
        (JSC::JSSourceCode::create):
        (JSC::JSSourceCode::sourceCode):
        (JSC::JSSourceCode::JSSourceCode):
        * runtime/JSType.h:
        * runtime/ModuleLoaderPrototype.cpp:
        (JSC::moduleLoaderPrototypeParseModule):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2017-01-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        REGRESSION (r210522): ASSERTION FAILED: divot.offset >= divotStart.offset seen with stress/import-basic.js and stress/import-from-eval.js
        https://bugs.webkit.org/show_bug.cgi?id=166873

        Reviewed by Saam Barati.

        The divot should be the end of `import` token.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseMemberExpression):

2017-01-09  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix cloop.

        * dfg/DFGPlanInlines.h:

2017-01-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Prototype dynamic-import
        https://bugs.webkit.org/show_bug.cgi?id=165724

        Reviewed by Saam Barati.

        In this patch, we implement stage3 dynamic-import proposal[1].
        This patch adds a new special operator `import`. And by using it, we can import
        the module dynamically from modules and scripts. Before this feature, the module
        is always imported statically and before executing the modules, importing the modules
        needs to be done. And especially, the module can only be imported from the module.
        So the classic script cannot import and use the modules. This dynamic-import relaxes
        the above restrictions.

        The typical dynamic-import form is the following.

            import("...").then(function (namespace) { ... });

        You can pass any AssignmentExpression for the import operator. So you can determine
        the importing modules dynamically.

            import(value).then(function (namespace) { ... });

        And previously the module import declaration is only allowed in the top level statements.
        But this import operator is just an expression. So you can use it in the function.
        And you can use it conditionally.

            async function go(cond)
            {
                if (cond)
                    return import("...");
                return undefined;
            }
            await go(true);

        Currently, this patch just implements this feature only for the JSC shell.
        JSC module loader requires a new hook, `importModule`. And the JSC shell implements
        this hook. So, for now, this dynamic-import is not available in the browser side.
        If you write this `import` call, it always returns the rejected promise.

        import is implemented like a special operator similar to `super`.
        This is because import is context-sensitive. If you call the `import`, the module
        key resolution is done based on the caller's running context.

        For example, if you are running the script which filename is "./ok/hello.js", the module
        key for the call`import("./resource/syntax.js")` becomes `"./ok/resource/syntax.js"`.
        But if you write the completely same import form in the script "./error/hello.js", the
        key becomes "./error/resource/syntax.js". So exposing this feature as the `import`
        function is misleading: this function becomes caller's context-sensitive. That's why
        dynamic-import is specified as a special operator.

        To resolve the module key, we need the caller's context information like the filename of
        the caller. This is provided by the SourceOrigin implemented in r210149.
        In the JSC shell implementation, this SourceOrigin holds the filename of the caller. So
        based on this implementation, the module loader resolve the module key.
        In the near future, we will extend this SourceOrigin to hold more information needed for
        the browser-side import implementation.

        [1]: https://tc39.github.io/proposal-dynamic-import/

        * builtins/ModuleLoaderPrototype.js:
        (importModule):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetTemplateObject):
        (JSC::BytecodeGenerator::emitGetGlobalPrivate):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ImportNode::emitBytecode):
        * jsc.cpp:
        (absolutePath):
        (GlobalObject::moduleLoaderImportModule):
        (functionRun):
        (functionLoad):
        (functionCheckSyntax):
        (runWithScripts):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createImportExpr):
        * parser/NodeConstructors.h:
        (JSC::ImportNode::ImportNode):
        * parser/Nodes.h:
        (JSC::ExpressionNode::isImportNode):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseMemberExpression):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createImportExpr):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncImportModule):
        * runtime/JSGlobalObjectFunctions.h:
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::importModule):
        (JSC::JSModuleLoader::getModuleNamespaceObject):
        * runtime/JSModuleLoader.h:
        * runtime/ModuleLoaderPrototype.cpp:
        (JSC::moduleLoaderPrototypeGetModuleNamespaceObject):

2017-01-08  Filip Pizlo  <fpizlo@apple.com>

        Make the collector's fixpoint smart about scheduling work
        https://bugs.webkit.org/show_bug.cgi?id=165910

        Reviewed by Keith Miller.
        
        Prior to this change, every time the GC would run any constraints in markToFixpoint, it
        would run all of the constraints. It would always run them in the same order. That means
        that so long as any one constraint was generating new work, we'd pay the price of all
        constraints. This is usually OK because most constraints are cheap but it artificially
        inflates the cost of slow constraints - especially ones that are expensive but usually
        generate no new work.
        
        This patch redoes how the GC runs constraints by applying ideas from data flow analysis.
        The GC now builds a MarkingConstraintSet when it boots up, and this contains all of the
        constraints as well as some meta-data about them. Now, markToFixpoint just calls into
        MarkingConstraintSet to execute constraints. Because constraint execution and scheduling
        need to be aware of each other, I rewrote markToFixpoint in such a way that it's more
        obvious how the GC goes between constraint solving, marking with stopped mutator, and
        marking with resumed mutator. This also changes the scheduler API in such a way that a
        synchronous stop-the-world collection no longer needs to do fake stop/resume - instead we
        just swap the space-time scheduler for the stop-the-world scheduler.
        
        This is a big streamlining of the GC. This is a speed-up in GC-heavy tests because we
        now execute most constraints exactly twice regardless of how many total fixpoint
        iterations we do. Now, when we run out of marking work, the constraint solver will just
        run the constraint that is most likely to generate new visiting work, and if it does
        generate work, then the GC now goes back to marking. Before, it would run *all*
        constraints and then go back to marking. The constraint solver is armed with three
        information signals that it uses to sort the constraints in order of descending likelihood
        to generate new marking work. Then it runs them in that order until it there is new
        marking work. The signals are:
        
        1) Whether the constraint is greyed by marking or execution. We call this the volatility
           of the constraint. For example, weak reference constraints have GreyedByMarking as
           their volatility because they are most likely to have something to say after we've done
           some marking. On the other hand, conservative roots have GreyedByExecution as their
           volatility because they will give new information anytime we let the mutator run. The
           constraint solver will only run GreyedByExecution constraints as roots and after the
           GreyedByMarking constraints go silent. This ensures that we don't try to scan
           conservative roots every time we need to re-run weak references and vice-versa.
           
           Another way to look at it is that the constraint solver tries to predict if the
           wavefront is advancing or retreating. The wavefront is almost certainly advancing so
           long as the mark stacks are non-empty or so long as at least one of the GreyedByMarking
           constraints is still producing work. Otherwise the wavefront is almost certainly
           retreating. It's most profitable to run GreyedByMarking constraints when the wavefront
           is advancing, and most profitable to run GreyedByExecution constraints when the
           wavefront is retreating.
           
           We use the predicted wavefront direction and the volatility of constraints as a
           first-order signal of constraint profitability.
        
        2) How much visiting work was created the last time the constraint ran. The solver
           remembers the lastVisitCount, and uses it to predict how much work the constraint will
           generate next time. In practice this means we will keep re-running the one interesting
           constraint until it shuts up.
        
        3) Optional work predictors for some constraints. The constraint that shuffles the mutator
           mark stack into the main SlotVisitor's mutator mark stack always knows exactly how much
           work it will create.
           
           The sum of (2) and (3) are used as a second-order signal of constraint profitability.
        
        The constraint solver will always run all of the GreyedByExecution constraints at GC
        start, since these double as the GC's roots. The constraint solver will always run all of
        the GreyedByMarking constraints the first time that marking stalls. Other than that, the
        solver will keep running constraints, sorted according to their likelihood to create work,
        until either work is created or we run out of constraints to run. GC termination happens
        when we run out of constraints to run.
        
        This new infrastructure means that we have a much better chance of dealing with worst-case
        DOM pathologies. If we can intelligently factor different evil DOM things into different
        constraints with the right work predictions then this could reduce the cost of those DOM
        things by a factor of N where N is the number of fixpoint iterations the GC typically
        does. N is usually around 5-6 even for simple heaps.
        
        My perf measurements say:
        
        PLT3: 0.02% faster with 5.3% confidence.
        JetStream: 0.15% faster with 17% confidence.
        Speedometer: 0.58% faster with 82% confidence.
        
        Here are the details from JetStream:
        
        splay: 1.02173x faster with 0.996841 confidence
        splay-latency: 1.0617x faster with 0.987462 confidence
        towers.c: 1.01852x faster with 0.92128 confidence
        crypto-md5: 1.06058x faster with 0.482363 confidence
        score: 1.00152x faster with 0.16892 confidence
        
        I think that Speedometer is legitimately benefiting from this change based on looking at
        --logGC=true output. We are now spending less time reexecuting expensive constraints. I
        think that JetStream/splay is also benefiting, because although the constraints it sees
        are cheap, it spends 30% of its time in GC so even small improvements matter.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::markCodeBlocks): Deleted.
        (JSC::DFG::Plan::rememberCodeBlocks): Deleted.
        * dfg/DFGPlan.h:
        * dfg/DFGPlanInlines.h: Added.
        (JSC::DFG::Plan::iterateCodeBlocksForGC):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::markCodeBlocks): Deleted.
        (JSC::DFG::Worklist::rememberCodeBlocks): Deleted.
        (JSC::DFG::rememberCodeBlocks): Deleted.
        * dfg/DFGWorklist.h:
        * dfg/DFGWorklistInlines.h: Added.
        (JSC::DFG::iterateCodeBlocksForGC):
        (JSC::DFG::Worklist::iterateCodeBlocksForGC):
        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::writeBarrierCurrentlyExecuting): Deleted.
        * heap/CodeBlockSet.h:
        (JSC::CodeBlockSet::iterate): Deleted.
        * heap/CodeBlockSetInlines.h:
        (JSC::CodeBlockSet::iterate):
        (JSC::CodeBlockSet::iterateCurrentlyExecuting):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::iterateExecutingAndCompilingCodeBlocks):
        (JSC::Heap::iterateExecutingAndCompilingCodeBlocksWithoutHoldingLocks):
        (JSC::Heap::assertSharedMarkStacksEmpty):
        (JSC::Heap::markToFixpoint):
        (JSC::Heap::endMarking):
        (JSC::Heap::collectInThread):
        (JSC::Heap::stopIfNecessarySlow):
        (JSC::Heap::acquireAccessSlow):
        (JSC::Heap::collectIfNecessaryOrDefer):
        (JSC::Heap::buildConstraintSet):
        (JSC::Heap::notifyIsSafeToCollect):
        (JSC::Heap::ResumeTheWorldScope::ResumeTheWorldScope): Deleted.
        (JSC::Heap::ResumeTheWorldScope::~ResumeTheWorldScope): Deleted.
        (JSC::Heap::harvestWeakReferences): Deleted.
        (JSC::Heap::visitConservativeRoots): Deleted.
        (JSC::Heap::visitCompilerWorklistWeakReferences): Deleted.
        * heap/Heap.h:
        * heap/MarkingConstraint.cpp: Added.
        (JSC::MarkingConstraint::MarkingConstraint):
        (JSC::MarkingConstraint::~MarkingConstraint):
        (JSC::MarkingConstraint::resetStats):
        (JSC::MarkingConstraint::execute):
        * heap/MarkingConstraint.h: Added.
        (JSC::MarkingConstraint::index):
        (JSC::MarkingConstraint::abbreviatedName):
        (JSC::MarkingConstraint::name):
        (JSC::MarkingConstraint::lastVisitCount):
        (JSC::MarkingConstraint::quickWorkEstimate):
        (JSC::MarkingConstraint::workEstimate):
        (JSC::MarkingConstraint::volatility):
        * heap/MarkingConstraintSet.cpp: Added.
        (JSC::MarkingConstraintSet::ExecutionContext::ExecutionContext):
        (JSC::MarkingConstraintSet::ExecutionContext::didVisitSomething):
        (JSC::MarkingConstraintSet::ExecutionContext::shouldTimeOut):
        (JSC::MarkingConstraintSet::ExecutionContext::drain):
        (JSC::MarkingConstraintSet::ExecutionContext::didExecute):
        (JSC::MarkingConstraintSet::ExecutionContext::execute):
        (JSC::MarkingConstraintSet::MarkingConstraintSet):
        (JSC::MarkingConstraintSet::~MarkingConstraintSet):
        (JSC::MarkingConstraintSet::resetStats):
        (JSC::MarkingConstraintSet::add):
        (JSC::MarkingConstraintSet::executeBootstrap):
        (JSC::MarkingConstraintSet::executeConvergence):
        (JSC::MarkingConstraintSet::isWavefrontAdvancing):
        (JSC::MarkingConstraintSet::executeConvergenceImpl):
        (JSC::MarkingConstraintSet::executeAll):
        * heap/MarkingConstraintSet.h: Added.
        (JSC::MarkingConstraintSet::isWavefrontRetreating):
        * heap/MutatorScheduler.cpp: Added.
        (JSC::MutatorScheduler::MutatorScheduler):
        (JSC::MutatorScheduler::~MutatorScheduler):
        (JSC::MutatorScheduler::didStop):
        (JSC::MutatorScheduler::willResume):
        (JSC::MutatorScheduler::didExecuteConstraints):
        (JSC::MutatorScheduler::log):
        (JSC::MutatorScheduler::shouldStop):
        (JSC::MutatorScheduler::shouldResume):
        * heap/MutatorScheduler.h: Added.
        * heap/OpaqueRootSet.h:
        (JSC::OpaqueRootSet::add):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::visitAsConstraint):
        (JSC::SlotVisitor::drain):
        (JSC::SlotVisitor::didReachTermination):
        (JSC::SlotVisitor::hasWork):
        (JSC::SlotVisitor::drainFromShared):
        (JSC::SlotVisitor::drainInParallelPassively):
        (JSC::SlotVisitor::addOpaqueRoot):
        * heap/SlotVisitor.h:
        (JSC::SlotVisitor::addToVisitCount):
        * heap/SpaceTimeMutatorScheduler.cpp: Copied from Source/JavaScriptCore/heap/SpaceTimeScheduler.cpp.
        (JSC::SpaceTimeMutatorScheduler::Snapshot::Snapshot):
        (JSC::SpaceTimeMutatorScheduler::Snapshot::now):
        (JSC::SpaceTimeMutatorScheduler::Snapshot::bytesAllocatedThisCycle):
        (JSC::SpaceTimeMutatorScheduler::SpaceTimeMutatorScheduler):
        (JSC::SpaceTimeMutatorScheduler::~SpaceTimeMutatorScheduler):
        (JSC::SpaceTimeMutatorScheduler::state):
        (JSC::SpaceTimeMutatorScheduler::beginCollection):
        (JSC::SpaceTimeMutatorScheduler::didStop):
        (JSC::SpaceTimeMutatorScheduler::willResume):
        (JSC::SpaceTimeMutatorScheduler::didExecuteConstraints):
        (JSC::SpaceTimeMutatorScheduler::timeToStop):
        (JSC::SpaceTimeMutatorScheduler::timeToResume):
        (JSC::SpaceTimeMutatorScheduler::log):
        (JSC::SpaceTimeMutatorScheduler::endCollection):
        (JSC::SpaceTimeMutatorScheduler::bytesAllocatedThisCycleImpl):
        (JSC::SpaceTimeMutatorScheduler::bytesSinceBeginningOfCycle):
        (JSC::SpaceTimeMutatorScheduler::maxHeadroom):
        (JSC::SpaceTimeMutatorScheduler::headroomFullness):
        (JSC::SpaceTimeMutatorScheduler::mutatorUtilization):
        (JSC::SpaceTimeMutatorScheduler::collectorUtilization):
        (JSC::SpaceTimeMutatorScheduler::elapsedInPeriod):
        (JSC::SpaceTimeMutatorScheduler::phase):
        (JSC::SpaceTimeMutatorScheduler::shouldBeResumed):
        (JSC::SpaceTimeScheduler::Decision::targetMutatorUtilization): Deleted.
        (JSC::SpaceTimeScheduler::Decision::targetCollectorUtilization): Deleted.
        (JSC::SpaceTimeScheduler::Decision::elapsedInPeriod): Deleted.
        (JSC::SpaceTimeScheduler::Decision::phase): Deleted.
        (JSC::SpaceTimeScheduler::Decision::shouldBeResumed): Deleted.
        (JSC::SpaceTimeScheduler::Decision::timeToResume): Deleted.
        (JSC::SpaceTimeScheduler::Decision::timeToStop): Deleted.
        (JSC::SpaceTimeScheduler::SpaceTimeScheduler): Deleted.
        (JSC::SpaceTimeScheduler::snapPhase): Deleted.
        (JSC::SpaceTimeScheduler::currentDecision): Deleted.
        * heap/SpaceTimeMutatorScheduler.h: Copied from Source/JavaScriptCore/heap/SpaceTimeScheduler.h.
        (JSC::SpaceTimeScheduler::Decision::operator bool): Deleted.
        * heap/SpaceTimeScheduler.cpp: Removed.
        * heap/SpaceTimeScheduler.h: Removed.
        * heap/SynchronousStopTheWorldMutatorScheduler.cpp: Added.
        (JSC::SynchronousStopTheWorldMutatorScheduler::SynchronousStopTheWorldMutatorScheduler):
        (JSC::SynchronousStopTheWorldMutatorScheduler::~SynchronousStopTheWorldMutatorScheduler):
        (JSC::SynchronousStopTheWorldMutatorScheduler::state):
        (JSC::SynchronousStopTheWorldMutatorScheduler::beginCollection):
        (JSC::SynchronousStopTheWorldMutatorScheduler::timeToStop):
        (JSC::SynchronousStopTheWorldMutatorScheduler::timeToResume):
        (JSC::SynchronousStopTheWorldMutatorScheduler::endCollection):
        * heap/SynchronousStopTheWorldMutatorScheduler.h: Added.
        * heap/VisitingTimeout.h: Added.
        (JSC::VisitingTimeout::VisitingTimeout):
        (JSC::VisitingTimeout::visitCount):
        (JSC::VisitingTimeout::didVisitSomething):
        (JSC::VisitingTimeout::shouldTimeOut):
        * runtime/Options.h:

2017-01-09  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r210476.
        https://bugs.webkit.org/show_bug.cgi?id=166859

        "4% JSBench regression" (Requested by keith_mi_ on #webkit).

        Reverted changeset:

        "Add a slice intrinsic to the DFG/FTL"
        https://bugs.webkit.org/show_bug.cgi?id=166707
        http://trac.webkit.org/changeset/210476

2017-01-08  Andreas Kling  <akling@apple.com>

        Inject MarkedSpace size classes for a few more high-volume objects.
        <https://webkit.org/b/166815>

        Reviewed by Darin Adler.

        Add the following classes to the list of manually injected size classes:

            - JSString
            - JSFunction
            - PropertyTable
            - Structure

        Only Structure actually ends up with a new size class, the others already
        can't get any tighter due to the current MarkedBlock::atomSize being 16.
        I've put them in anyway to ensure that we have optimally carved-out cells
        for them in the future, should they grow.

        With this change, Structures get allocated in 128-byte cells instead of
        160-byte cells, giving us 25% more Structures per MarkedBlock.

        * heap/MarkedSpace.cpp:

2017-01-06  Saam Barati  <sbarati@apple.com>

        Add a slice intrinsic to the DFG/FTL
        https://bugs.webkit.org/show_bug.cgi?id=166707

        Reviewed by Filip Pizlo.

        The gist of this patch is to inline Array.prototype.slice
        into the DFG/FTL. The implementation in the DFG-backend
        and FTLLowerDFGToB3 is just a straight forward implementation
        of what the C function is doing. The more interesting bits
        of this patch are setting up the proper watchpoints and conditions
        in the executing code to prove that its safe to skip all of the
        observable JS actions that Array.prototype.slice normally does.
        
        We perform the following proofs:
        1. Array.prototype.constructor has not changed (via a watchpoint).
        2. That Array.prototype.constructor[Symbol.species] has not changed (via a watchpoint).
        3. The global object is not having a bad time.
        3. The array that is being sliced has an original array structure.
        5. Array.prototype/Object.prototype have not transitioned.
        
        Conditions 1, 2, and 3 are strictly required.
        
        4 is ensuring a couple things:
        1. That a "constructor" property hasn't been added to the array
        we're slicing since we're supposed to perform a Get(array, "constructor").
        2. That we're not slicing an instance of a subclass of Array.
        
        We could relax 4.1 in the future if we find other ways to test if
        the incoming array hasn't changed the "constructor" property.
        
        I'm seeing a 5% speedup on crypto-pbkdf2 and often a 1% speedup on
        the total benchmark (the results are sometimes noisy).

        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        (JSC::DFG::Node::hasArrayMode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArraySlice):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitLoadStructure):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        (JSC::speciesWatchpointIsValid):
        (JSC::speciesConstructArray):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoPrivateFuncConcatMemcpy):
        (JSC::ArrayPrototype::initializeSpeciesWatchpoint):
        (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
        (JSC::speciesWatchpointsValid): Deleted.
        (JSC::ArrayPrototype::attemptToInitializeSpeciesWatchpoint): Deleted.
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::speciesWatchpointStatus): Deleted.
        (): Deleted.
        * runtime/Intrinsic.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::arraySpeciesWatchpoint):

2017-01-06  Mark Lam  <mark.lam@apple.com>

        The ObjC API's JSVirtualMachine's map tables need to be guarded by a lock.
        https://bugs.webkit.org/show_bug.cgi?id=166778
        <rdar://problem/29761198>

        Reviewed by Filip Pizlo.

        Now that we have a concurrent GC, access to JSVirtualMachine's
        m_externalObjectGraph and m_externalRememberedSet need to be guarded by a lock
        since both the GC marker thread and the mutator thread may access them at the
        same time.

        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine addExternalRememberedObject:]):
        (-[JSVirtualMachine addManagedReference:withOwner:]):
        (-[JSVirtualMachine removeManagedReference:withOwner:]):
        (-[JSVirtualMachine externalDataMutex]):
        (scanExternalObjectGraph):
        (scanExternalRememberedSet):

        * API/JSVirtualMachineInternal.h:
        - Deleted externalObjectGraph method.  There's no need to expose this.

2017-01-06  Michael Saboff  <msaboff@apple.com>

        @putByValDirect in Array.of and Array.from overwrites non-writable/configurable properties
        https://bugs.webkit.org/show_bug.cgi?id=153486

        Reviewed by Saam Barati.

        Moved read only check in putDirect() to all paths.

        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::putDirect):

2016-12-30  Filip Pizlo  <fpizlo@apple.com>

        DeferGC::~DeferGC should be super cheap
        https://bugs.webkit.org/show_bug.cgi?id=166626

        Reviewed by Saam Barati.
        
        Right now, ~DeferGC requires running the collector's full collectIfNecessaryOrDefer()
        hook, which is super big. Normally, that hook would only be called from GC slow paths,
        so it ought to be possible to add complex logic to it. It benefits the GC algorithm to
        make that code smart, not necessarily fast.

        The right thing for it to do is to have ~DeferGC check a boolean to see if
        collectIfNecessaryOrDefer() had previously deferred anything, and only call it if that
        is true. That's what this patch does.
        
        Unfortunately, this means that we lose the collectAccordingToDeferGCProbability mode,
        which we used for two tests. Since I could only see two tests that used this mode, I
        felt that it was better to enhance the GC than to keep the tests. I filed bug 166627 to
        bring back something like that mode.
        
        Although this patch does make some paths faster, its real goal is to ensure that bug
        165963 can add more logic to collectIfNecessaryOrDefer() without introducing a big
        regression. Until then, I wouldn't be surprised if this patch was a progression, but I'm
        not betting on it.

        * heap/Heap.cpp:
        (JSC::Heap::collectIfNecessaryOrDefer):
        (JSC::Heap::decrementDeferralDepthAndGCIfNeededSlow):
        (JSC::Heap::canCollect): Deleted.
        (JSC::Heap::shouldCollectHeuristic): Deleted.
        (JSC::Heap::shouldCollect): Deleted.
        (JSC::Heap::collectAccordingToDeferGCProbability): Deleted.
        (JSC::Heap::decrementDeferralDepthAndGCIfNeeded): Deleted.
        * heap/Heap.h:
        * heap/HeapInlines.h:
        (JSC::Heap::incrementDeferralDepth):
        (JSC::Heap::decrementDeferralDepth):
        (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
        (JSC::Heap::mayNeedToStop):
        (JSC::Heap::stopIfNecessary):
        * runtime/Options.h:

2017-01-05  Filip Pizlo  <fpizlo@apple.com>

        AutomaticThread timeout shutdown leaves a small window where notify() would think that the thread is still running
        https://bugs.webkit.org/show_bug.cgi?id=166742

        Reviewed by Geoffrey Garen.
        
        Update to new AutomaticThread API.

        * dfg/DFGWorklist.cpp:

2017-01-05  Per Arne Vollan  <pvollan@apple.com>

        [Win] Compile error.
        https://bugs.webkit.org/show_bug.cgi?id=166726

        Reviewed by Alex Christensen.

        Add include folder.

        * CMakeLists.txt:

2016-12-21  Brian Burg  <bburg@apple.com>

        Web Inspector: teach the protocol generator about platform-specific types, events, and commands
        https://bugs.webkit.org/show_bug.cgi?id=166003
        <rdar://problem/28718990>

        Reviewed by Joseph Pecoraro.

        This patch implements parser, model, and generator-side changes to account for
        platform-specific types, events, and commands. The 'platform' property is parsed
        for top-level definitions and assumed to be the 'generic' platform if none is specified.

        Since the generator's platform setting acts to filter definitions with an incompatible platform,
        all generators must be modified to consult a list of filtered types/commands/events for
        a domain instead of directly accessing Domain.{type_declarations, commands, events}. To prevent
        accidental misuse, hide those fields behind accessors (e.g., `all_type_declarations()`) so that they
        are still accessible if truly necessary, but not used by default and caused an error if not migrated.

        * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
        (CppAlternateBackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
        (CppBackendDispatcherHeaderGenerator.domains_to_generate):
        (CppBackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
        (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
        (CppBackendDispatcherImplementationGenerator.domains_to_generate):
        (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
        (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
        (CppBackendDispatcherImplementationGenerator._generate_large_dispatcher_switch_implementation_for_domain):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
        (CppFrontendDispatcherHeaderGenerator.domains_to_generate):
        (CppFrontendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
        (CppFrontendDispatcherImplementationGenerator.domains_to_generate):
        (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        (CppProtocolTypesHeaderGenerator._generate_forward_declarations):
        (_generate_typedefs_for_domain):
        (_generate_builders_for_domain):
        (_generate_forward_declarations_for_binding_traits):
        (_generate_declarations_for_enum_conversion_methods):
        * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
        (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain):
        (CppProtocolTypesImplementationGenerator._generate_open_field_names):
        (CppProtocolTypesImplementationGenerator._generate_builders_for_domain):
        * inspector/scripts/codegen/generate_js_backend_commands.py:
        (JSBackendCommandsGenerator.should_generate_domain):
        (JSBackendCommandsGenerator.domains_to_generate):
        (JSBackendCommandsGenerator.generate_domain):
        (JSBackendCommandsGenerator.domains_to_generate.should_generate_domain): Deleted.
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
        (ObjCBackendDispatcherHeaderGenerator.domains_to_generate):
        (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations):
        (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declarations_for_domain):
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCBackendDispatcherImplementationGenerator):
        (ObjCBackendDispatcherImplementationGenerator.domains_to_generate):
        (ObjCBackendDispatcherImplementationGenerator._generate_handler_implementation_for_domain):
        (ObjCConfigurationImplementationGenerator): Deleted.
        (ObjCConfigurationImplementationGenerator.__init__): Deleted.
        (ObjCConfigurationImplementationGenerator.output_filename): Deleted.
        (ObjCConfigurationImplementationGenerator.domains_to_generate): Deleted.
        (ObjCConfigurationImplementationGenerator.generate_output): Deleted.
        (ObjCConfigurationImplementationGenerator._generate_handler_implementation_for_domain): Deleted.
        (ObjCConfigurationImplementationGenerator._generate_handler_implementation_for_command): Deleted.
        (ObjCConfigurationImplementationGenerator._generate_success_block_for_command): Deleted.
        (ObjCConfigurationImplementationGenerator._generate_success_block_for_command.and): Deleted.
        (ObjCConfigurationImplementationGenerator._generate_conversions_for_command): Deleted.
        (ObjCConfigurationImplementationGenerator._generate_conversions_for_command.in_param_expression): Deleted.
        (ObjCConfigurationImplementationGenerator._generate_invocation_for_command): Deleted.
        * inspector/scripts/codegen/generate_objc_configuration_header.py:
        (ObjCConfigurationHeaderGenerator.generate_output):
        (ObjCConfigurationHeaderGenerator._generate_properties_for_domain):
        * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
        (ObjCConfigurationImplementationGenerator):
        (ObjCConfigurationImplementationGenerator.generate_output):
        (ObjCConfigurationImplementationGenerator._generate_configuration_implementation_for_domains):
        (ObjCConfigurationImplementationGenerator._generate_ivars):
        (ObjCConfigurationImplementationGenerator._generate_dealloc):
        (ObjCBackendDispatcherImplementationGenerator): Deleted.
        (ObjCBackendDispatcherImplementationGenerator.__init__): Deleted.
        (ObjCBackendDispatcherImplementationGenerator.output_filename): Deleted.
        (ObjCBackendDispatcherImplementationGenerator.generate_output): Deleted.
        (ObjCBackendDispatcherImplementationGenerator._generate_configuration_implementation_for_domains): Deleted.
        (ObjCBackendDispatcherImplementationGenerator._generate_ivars): Deleted.
        (ObjCBackendDispatcherImplementationGenerator._generate_dealloc): Deleted.
        (ObjCBackendDispatcherImplementationGenerator._generate_handler_setter_for_domain): Deleted.
        (ObjCBackendDispatcherImplementationGenerator._generate_event_dispatcher_getter_for_domain): Deleted.
        (ObjCBackendDispatcherImplementationGenerator._variable_name_prefix_for_domain): Deleted.
        * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
        (ObjCFrontendDispatcherImplementationGenerator.domains_to_generate):
        (ObjCFrontendDispatcherImplementationGenerator._generate_event_dispatcher_implementations):
        * inspector/scripts/codegen/generate_objc_header.py:
        (ObjCHeaderGenerator.generate_output):
        (ObjCHeaderGenerator._generate_forward_declarations):
        (ObjCHeaderGenerator._generate_enums):
        (ObjCHeaderGenerator._generate_types):
        (ObjCHeaderGenerator._generate_command_protocols):
        (ObjCHeaderGenerator._generate_event_interfaces):
        * inspector/scripts/codegen/generate_objc_internal_header.py:
        (ObjCInternalHeaderGenerator.generate_output):
        (ObjCInternalHeaderGenerator._generate_event_dispatcher_private_interfaces):
        * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
        (ObjCProtocolTypeConversionsHeaderGenerator.domains_to_generate):
        (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_conversion_functions):
        * inspector/scripts/codegen/generate_objc_protocol_type_conversions_implementation.py:
        (ObjCProtocolTypeConversionsImplementationGenerator.domains_to_generate):
        (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_interface):
        (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_implementation):
        * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
        (ObjCProtocolTypesImplementationGenerator.domains_to_generate):
        (ObjCProtocolTypesImplementationGenerator.generate_type_implementations):

        * inspector/scripts/codegen/generator.py:
        (Generator.can_generate_platform):
        (Generator):
        (Generator.type_declarations_for_domain):
        (Generator.commands_for_domain):
        (Generator.events_for_domain):
        These are the core methods for computing whether a definition can be used given a target platform.

        (Generator.calculate_types_requiring_shape_assertions):
        (Generator._traverse_and_assign_enum_values):
        * inspector/scripts/codegen/models.py:
        (Protocol.parse_type_declaration):
        (Protocol.parse_command):
        (Protocol.parse_event):
        (Protocol.resolve_types):

        (Domain.__init__):
        (Domain):
        (Domain.all_type_declarations):
        (Domain.all_commands):
        (Domain.all_events):
        Hide fields behind these accessors so it's really obvious when we are ignoring platform filtering.

        (Domain.resolve_type_references):
        (TypeDeclaration.__init__):
        (Command.__init__):
        (Event.__init__):
        * inspector/scripts/codegen/objc_generator.py:
        (ObjCGenerator.should_generate_types_for_domain):
        (ObjCGenerator):
        (ObjCGenerator.should_generate_commands_for_domain):
        (ObjCGenerator.should_generate_events_for_domain):
        (ObjCGenerator.should_generate_domain_types_filter): Deleted.
        (ObjCGenerator.should_generate_domain_types_filter.should_generate_domain_types): Deleted.
        (ObjCGenerator.should_generate_domain_command_handler_filter): Deleted.
        (ObjCGenerator.should_generate_domain_command_handler_filter.should_generate_domain_command_handler): Deleted.
        (ObjCGenerator.should_generate_domain_event_dispatcher_filter): Deleted.
        (ObjCGenerator.should_generate_domain_event_dispatcher_filter.should_generate_domain_event_dispatcher): Deleted.
        Clean up some messy code that essentially did the same definition filtering as we must do for platforms.
        This will be enhanced in a future patch so that platform filtering will take priority over the target framework.

        The results above need rebaselining because the class names for two generators were swapped by accident.
        Fixing the names causes the order of generated files to change, and this generates ugly diffs because every
        generated file includes the same copyright block at the top.

        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/generic/expected/enum-values.json-result:
        * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:

        * inspector/scripts/tests/generic/expected/fail-on-command-with-invalid-platform.json-error: Added.
        * inspector/scripts/tests/generic/expected/fail-on-type-with-invalid-platform.json-error: Added.
        * inspector/scripts/tests/generic/fail-on-command-with-invalid-platform.json: Added.
        * inspector/scripts/tests/generic/fail-on-type-with-invalid-platform.json: Added.

        Add error test cases for invalid platforms in commands, types, and events.

        * inspector/scripts/tests/generic/definitions-with-mac-platform.json: Added.
        * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result: Added.
        * inspector/scripts/tests/all/definitions-with-mac-platform.json: Added.
        * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result: Added.
        * inspector/scripts/tests/ios/definitions-with-mac-platform.json: Added.
        * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result: Added.
        * inspector/scripts/tests/mac/definitions-with-mac-platform.json: Added.
        * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result: Added.

        Add a basic 4-way test that generates code for each platform from the same specification.
        With 'macos' platform for each definition, only 'all' and 'mac' generate anything interesting.

2017-01-03  Brian Burg  <bburg@apple.com>

        Web Inspector: teach the protocol generator about platform-specific types, events, and commands
        https://bugs.webkit.org/show_bug.cgi?id=166003
        <rdar://problem/28718990>

        Reviewed by Joseph Pecoraro.

        This patch implements parser, model, and generator-side changes to account for
        platform-specific types, events, and commands. The 'platform' property is parsed
        for top-level definitions and assumed to be the 'generic' platform if none is specified.

        Since the generator's platform setting acts to filter definitions with an incompatible platform,
        all generators must be modified to consult a list of filtered types/commands/events for
        a domain instead of directly accessing Domain.{type_declarations, commands, events}. To prevent
        accidental misuse, hide those fields behind accessors (e.g., `all_type_declarations()`) so that they
        are still accessible if truly necessary, but not used by default and caused an error if not migrated.

        * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
        (CppAlternateBackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
        (CppBackendDispatcherHeaderGenerator.domains_to_generate):
        (CppBackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
        (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
        (CppBackendDispatcherImplementationGenerator.domains_to_generate):
        (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
        (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
        (CppBackendDispatcherImplementationGenerator._generate_large_dispatcher_switch_implementation_for_domain):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
        (CppFrontendDispatcherHeaderGenerator.domains_to_generate):
        (CppFrontendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
        (CppFrontendDispatcherImplementationGenerator.domains_to_generate):
        (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        (CppProtocolTypesHeaderGenerator._generate_forward_declarations):
        (_generate_typedefs_for_domain):
        (_generate_builders_for_domain):
        (_generate_forward_declarations_for_binding_traits):
        (_generate_declarations_for_enum_conversion_methods):
        * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
        (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain):
        (CppProtocolTypesImplementationGenerator._generate_open_field_names):
        (CppProtocolTypesImplementationGenerator._generate_builders_for_domain):
        * inspector/scripts/codegen/generate_js_backend_commands.py:
        (JSBackendCommandsGenerator.should_generate_domain):
        (JSBackendCommandsGenerator.domains_to_generate):
        (JSBackendCommandsGenerator.generate_domain):
        (JSBackendCommandsGenerator.domains_to_generate.should_generate_domain): Deleted.
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
        (ObjCBackendDispatcherHeaderGenerator.domains_to_generate):
        (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations):
        (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declarations_for_domain):
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCBackendDispatcherImplementationGenerator):
        (ObjCBackendDispatcherImplementationGenerator.domains_to_generate):
        (ObjCBackendDispatcherImplementationGenerator._generate_handler_implementation_for_domain):
        (ObjCConfigurationImplementationGenerator): Deleted.
        (ObjCConfigurationImplementationGenerator.__init__): Deleted.
        (ObjCConfigurationImplementationGenerator.output_filename): Deleted.
        (ObjCConfigurationImplementationGenerator.domains_to_generate): Deleted.
        (ObjCConfigurationImplementationGenerator.generate_output): Deleted.
        (ObjCConfigurationImplementationGenerator._generate_handler_implementation_for_domain): Deleted.
        (ObjCConfigurationImplementationGenerator._generate_handler_implementation_for_command): Deleted.
        (ObjCConfigurationImplementationGenerator._generate_success_block_for_command): Deleted.
        (ObjCConfigurationImplementationGenerator._generate_success_block_for_command.and): Deleted.
        (ObjCConfigurationImplementationGenerator._generate_conversions_for_command): Deleted.
        (ObjCConfigurationImplementationGenerator._generate_conversions_for_command.in_param_expression): Deleted.
        (ObjCConfigurationImplementationGenerator._generate_invocation_for_command): Deleted.
        * inspector/scripts/codegen/generate_objc_configuration_header.py:
        (ObjCConfigurationHeaderGenerator.generate_output):
        (ObjCConfigurationHeaderGenerator._generate_properties_for_domain):
        * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
        (ObjCConfigurationImplementationGenerator):
        (ObjCConfigurationImplementationGenerator.generate_output):
        (ObjCConfigurationImplementationGenerator._generate_configuration_implementation_for_domains):
        (ObjCConfigurationImplementationGenerator._generate_ivars):
        (ObjCConfigurationImplementationGenerator._generate_dealloc):
        (ObjCBackendDispatcherImplementationGenerator): Deleted.
        (ObjCBackendDispatcherImplementationGenerator.__init__): Deleted.
        (ObjCBackendDispatcherImplementationGenerator.output_filename): Deleted.
        (ObjCBackendDispatcherImplementationGenerator.generate_output): Deleted.
        (ObjCBackendDispatcherImplementationGenerator._generate_configuration_implementation_for_domains): Deleted.
        (ObjCBackendDispatcherImplementationGenerator._generate_ivars): Deleted.
        (ObjCBackendDispatcherImplementationGenerator._generate_dealloc): Deleted.
        (ObjCBackendDispatcherImplementationGenerator._generate_handler_setter_for_domain): Deleted.
        (ObjCBackendDispatcherImplementationGenerator._generate_event_dispatcher_getter_for_domain): Deleted.
        (ObjCBackendDispatcherImplementationGenerator._variable_name_prefix_for_domain): Deleted.
        * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
        (ObjCFrontendDispatcherImplementationGenerator.domains_to_generate):
        (ObjCFrontendDispatcherImplementationGenerator._generate_event_dispatcher_implementations):
        * inspector/scripts/codegen/generate_objc_header.py:
        (ObjCHeaderGenerator.generate_output):
        (ObjCHeaderGenerator._generate_forward_declarations):
        (ObjCHeaderGenerator._generate_enums):
        (ObjCHeaderGenerator._generate_types):
        (ObjCHeaderGenerator._generate_command_protocols):
        (ObjCHeaderGenerator._generate_event_interfaces):
        * inspector/scripts/codegen/generate_objc_internal_header.py:
        (ObjCInternalHeaderGenerator.generate_output):
        (ObjCInternalHeaderGenerator._generate_event_dispatcher_private_interfaces):
        * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
        (ObjCProtocolTypeConversionsHeaderGenerator.domains_to_generate):
        (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_conversion_functions):
        * inspector/scripts/codegen/generate_objc_protocol_type_conversions_implementation.py:
        (ObjCProtocolTypeConversionsImplementationGenerator.domains_to_generate):
        (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_interface):
        (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_implementation):
        * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
        (ObjCProtocolTypesImplementationGenerator.domains_to_generate):
        (ObjCProtocolTypesImplementationGenerator.generate_type_implementations):

        * inspector/scripts/codegen/generator.py:
        (Generator.can_generate_platform):
        (Generator):
        (Generator.type_declarations_for_domain):
        (Generator.commands_for_domain):
        (Generator.events_for_domain):
        These are the core methods for computing whether a definition can be used given a target platform.

        (Generator.calculate_types_requiring_shape_assertions):
        (Generator._traverse_and_assign_enum_values):
        * inspector/scripts/codegen/models.py:
        (Protocol.parse_type_declaration):
        (Protocol.parse_command):
        (Protocol.parse_event):
        (Protocol.resolve_types):

        (Domain.__init__):
        (Domain):
        (Domain.all_type_declarations):
        (Domain.all_commands):
        (Domain.all_events):
        Hide fields behind these accessors so it's really obvious when we are ignoring platform filtering.

        (Domain.resolve_type_references):
        (TypeDeclaration.__init__):
        (Command.__init__):
        (Event.__init__):
        * inspector/scripts/codegen/objc_generator.py:
        (ObjCGenerator.should_generate_types_for_domain):
        (ObjCGenerator):
        (ObjCGenerator.should_generate_commands_for_domain):
        (ObjCGenerator.should_generate_events_for_domain):
        (ObjCGenerator.should_generate_domain_types_filter): Deleted.
        (ObjCGenerator.should_generate_domain_types_filter.should_generate_domain_types): Deleted.
        (ObjCGenerator.should_generate_domain_command_handler_filter): Deleted.
        (ObjCGenerator.should_generate_domain_command_handler_filter.should_generate_domain_command_handler): Deleted.
        (ObjCGenerator.should_generate_domain_event_dispatcher_filter): Deleted.
        (ObjCGenerator.should_generate_domain_event_dispatcher_filter.should_generate_domain_event_dispatcher): Deleted.
        Clean up some messy code that essentially did the same definition filtering as we must do for platforms.
        This will be enhanced in a future patch so that platform filtering will take priority over the target framework.

        The following results need rebaselining because the class names for two generators were swapped by accident.
        Fixing the names causes the order of generated files to change, and this generates ugly diffs because every
        generated file includes the same copyright block at the top.

        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/generic/expected/enum-values.json-result:
        * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:

2017-01-03  Brian Burg  <bburg@apple.com>

        Web Inspector: teach the protocol generator about platform-specific types, events, and commands
        https://bugs.webkit.org/show_bug.cgi?id=166003
        <rdar://problem/28718990>

        Reviewed by Joseph Pecoraro.

        Make it possible to test inspector protocol generator output for different platforms.

        Move existing tests to the generic/ subdirectory, as they are to be generated
        without any specific platform. Later, platform-specific generator behavior will be
        tested by cloning the same test to multiple platform directories.

        * inspector/scripts/tests{/ => /generic/}commands-with-async-attribute.json
        * inspector/scripts/tests{/ => /generic/}commands-with-optional-call-return-parameters.json
        * inspector/scripts/tests{/ => /generic/}domains-with-varying-command-sizes.json
        * inspector/scripts/tests{/ => /generic/}enum-values.json
        * inspector/scripts/tests{/ => /generic/}events-with-optional-parameters.json
        * inspector/scripts/tests{/ => /generic/}expected/commands-with-async-attribute.json-result
        * inspector/scripts/tests{/ => /generic/}expected/commands-with-optional-call-return-parameters.json-result
        * inspector/scripts/tests{/ => /generic/}expected/domains-with-varying-command-sizes.json-result
        * inspector/scripts/tests{/ => /generic/}expected/enum-values.json-result
        * inspector/scripts/tests{/ => /generic/}expected/events-with-optional-parameters.json-result
        * inspector/scripts/tests{/ => /generic/}expected/fail-on-domain-availability.json-error
        * inspector/scripts/tests{/ => /generic/}expected/fail-on-duplicate-command-call-parameter-names.json-error
        * inspector/scripts/tests{/ => /generic/}expected/fail-on-duplicate-command-return-parameter-names.json-error
        * inspector/scripts/tests{/ => /generic/}expected/fail-on-duplicate-event-parameter-names.json-error
        * inspector/scripts/tests{/ => /generic/}expected/fail-on-duplicate-type-declarations.json-error
        * inspector/scripts/tests{/ => /generic/}expected/fail-on-duplicate-type-member-names.json-error
        * inspector/scripts/tests{/ => /generic/}expected/fail-on-enum-with-no-values.json-error
        * inspector/scripts/tests{/ => /generic/}expected/fail-on-number-typed-optional-parameter-flag.json-error
        * inspector/scripts/tests{/ => /generic/}expected/fail-on-number-typed-optional-type-member.json-error
        * inspector/scripts/tests{/ => /generic/}expected/fail-on-string-typed-optional-parameter-flag.json-error
        * inspector/scripts/tests{/ => /generic/}expected/fail-on-string-typed-optional-type-member.json-error
        * inspector/scripts/tests{/ => /generic/}expected/fail-on-type-declaration-using-type-reference.json-error
        * inspector/scripts/tests{/ => /generic/}expected/fail-on-type-reference-as-primitive-type.json-error
        * inspector/scripts/tests{/ => /generic/}expected/fail-on-type-with-lowercase-name.json-error
        * inspector/scripts/tests{/ => /generic/}expected/fail-on-unknown-type-reference-in-type-declaration.json-error
        * inspector/scripts/tests{/ => /generic/}expected/fail-on-unknown-type-reference-in-type-member.json-error
        * inspector/scripts/tests{/ => /generic/}expected/generate-domains-with-feature-guards.json-result
        * inspector/scripts/tests{/ => /generic/}expected/same-type-id-different-domain.json-result
        * inspector/scripts/tests{/ => /generic/}expected/shadowed-optional-type-setters.json-result
        * inspector/scripts/tests{/ => /generic/}expected/type-declaration-aliased-primitive-type.json-result
        * inspector/scripts/tests{/ => /generic/}expected/type-declaration-array-type.json-result
        * inspector/scripts/tests{/ => /generic/}expected/type-declaration-enum-type.json-result
        * inspector/scripts/tests{/ => /generic/}expected/type-declaration-object-type.json-result
        * inspector/scripts/tests{/ => /generic/}expected/type-requiring-runtime-casts.json-result
        * inspector/scripts/tests{/ => /generic/}fail-on-domain-availability.json
        * inspector/scripts/tests{/ => /generic/}fail-on-duplicate-command-call-parameter-names.json
        * inspector/scripts/tests{/ => /generic/}fail-on-duplicate-command-return-parameter-names.json
        * inspector/scripts/tests{/ => /generic/}fail-on-duplicate-event-parameter-names.json
        * inspector/scripts/tests{/ => /generic/}fail-on-duplicate-type-declarations.json
        * inspector/scripts/tests{/ => /generic/}fail-on-duplicate-type-member-names.json
        * inspector/scripts/tests{/ => /generic/}fail-on-enum-with-no-values.json
        * inspector/scripts/tests{/ => /generic/}fail-on-number-typed-optional-parameter-flag.json
        * inspector/scripts/tests{/ => /generic/}fail-on-number-typed-optional-type-member.json
        * inspector/scripts/tests{/ => /generic/}fail-on-string-typed-optional-parameter-flag.json
        * inspector/scripts/tests{/ => /generic/}fail-on-string-typed-optional-type-member.json
        * inspector/scripts/tests{/ => /generic/}fail-on-type-declaration-using-type-reference.json
        * inspector/scripts/tests{/ => /generic/}fail-on-type-reference-as-primitive-type.json
        * inspector/scripts/tests{/ => /generic/}fail-on-type-with-lowercase-name.json
        * inspector/scripts/tests{/ => /generic/}fail-on-unknown-type-reference-in-type-declaration.json
        * inspector/scripts/tests{/ => /generic/}fail-on-unknown-type-reference-in-type-member.json
        * inspector/scripts/tests{/ => /generic/}generate-domains-with-feature-guards.json
        * inspector/scripts/tests{/ => /generic/}same-type-id-different-domain.json
        * inspector/scripts/tests{/ => /generic/}shadowed-optional-type-setters.json
        * inspector/scripts/tests{/ => /generic/}type-declaration-aliased-primitive-type.json
        * inspector/scripts/tests{/ => /generic/}type-declaration-array-type.json
        * inspector/scripts/tests{/ => /generic/}type-declaration-enum-type.json
        * inspector/scripts/tests{/ => /generic/}type-declaration-object-type.json
        * inspector/scripts/tests{/ => /generic/}type-requiring-runtime-casts.json

2017-01-03  Brian Burg  <bburg@apple.com>

        Web Inspector: teach the protocol generator about platform-specific types, events, and commands
        https://bugs.webkit.org/show_bug.cgi?id=166003
        <rdar://problem/28718990>

        Reviewed by Joseph Pecoraro.

        Add a --platform argument to generate-inspector-protocol-bindings.py and propagate
        the specified platform to each generator. This will be used in the next few patches
        to exclude types, events, and commands that are unsupported by the backend platform.

        Covert all subclasses of Generator to pass along their positional arguments so that we
        can easily change base class arguments without editing all generator constructors.

        * inspector/scripts/codegen/cpp_generator.py:
        (CppGenerator.__init__):
        * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
        (CppAlternateBackendDispatcherHeaderGenerator.__init__):
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
        (CppBackendDispatcherHeaderGenerator.__init__):
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
        (CppBackendDispatcherImplementationGenerator.__init__):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
        (CppFrontendDispatcherHeaderGenerator.__init__):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
        (CppFrontendDispatcherImplementationGenerator.__init__):
        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        (CppProtocolTypesHeaderGenerator.__init__):
        * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
        (CppProtocolTypesImplementationGenerator.__init__):
        * inspector/scripts/codegen/generate_js_backend_commands.py:
        (JSBackendCommandsGenerator.__init__):
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
        (ObjCBackendDispatcherHeaderGenerator.__init__):
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCConfigurationImplementationGenerator.__init__):
        * inspector/scripts/codegen/generate_objc_configuration_header.py:
        (ObjCConfigurationHeaderGenerator.__init__):
        * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
        (ObjCBackendDispatcherImplementationGenerator.__init__):
        * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
        (ObjCFrontendDispatcherImplementationGenerator.__init__):
        * inspector/scripts/codegen/generate_objc_header.py:
        (ObjCHeaderGenerator.__init__):
        * inspector/scripts/codegen/generate_objc_internal_header.py:
        (ObjCInternalHeaderGenerator.__init__):
        * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
        (ObjCProtocolTypeConversionsHeaderGenerator.__init__):
        * inspector/scripts/codegen/generate_objc_protocol_type_conversions_implementation.py:
        (ObjCProtocolTypeConversionsImplementationGenerator.__init__):
        * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
        (ObjCProtocolTypesImplementationGenerator.__init__):
        Pass along *args instead of single positional arguments.

        * inspector/scripts/codegen/generator.py:
        (Generator.__init__):
        Save the target platform and add a getter.

        * inspector/scripts/codegen/models.py:
        (Platform):
        (Platform.__init__):
        (Platform.fromString):
        (Platforms):
        Define the allowed Platform instances (iOS, macOS, and Any).

        * inspector/scripts/codegen/objc_generator.py:
        (ObjCGenerator.and.__init__):
        * inspector/scripts/generate-inspector-protocol-bindings.py:
        (generate_from_specification):
        Pass along *args instead of single positional arguments.

2017-01-04  JF Bastien  <jfbastien@apple.com>

        WebAssembly JS API: add Module.sections
        https://bugs.webkit.org/show_bug.cgi?id=165159
        <rdar://problem/29760326>

        Reviewed by Mark Lam.

        As described in: https://github.com/WebAssembly/design/blob/master/JS.md#webassemblymodulecustomsections

        This was added for Emscripten, and is likely to be used soon.

        * wasm/WasmFormat.h: custom sections are just name + bytes
        * wasm/WasmModuleParser.cpp: parse them, instead of skipping over
        * wasm/WasmModuleParser.h:
        * wasm/js/WebAssemblyModulePrototype.cpp: construct the Array of
        ArrayBuffer as described in the spec
        (JSC::webAssemblyModuleProtoCustomSections):

2017-01-04  Saam Barati  <sbarati@apple.com>

        We don't properly handle exceptions inside the nativeCallTrampoline macro in the LLInt
        https://bugs.webkit.org/show_bug.cgi?id=163720

        Reviewed by Mark Lam.

        In the LLInt, we were incorrectly doing the exception check after the call.
        Before the exception check, we were unwinding to our caller's
        frame under the assumption that our caller was always a JS frame.
        This is incorrect, however, because our caller might be a C frame.
        One way that it can be a C frame is when C calls to JS, and JS tail
        calls to native. This patch fixes this bug by doing unwinding from
        the native callee's frame instead of its callers.

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2017-01-03  JF Bastien  <jfbastien@apple.com>

        REGRESSION (r210244): Release JSC Stress test failure: wasm.yaml/wasm/js-api/wasm-to-wasm.js.default-wasm
        https://bugs.webkit.org/show_bug.cgi?id=166669
        <rdar://problem/29856455>

        Reviewed by Saam Barati.

        Bug #165282 added wasm -> wasm calls, but caused crashes in
        release builds because the pinned registers are also callee-saved
        and were being clobbered. B3 didn't see itself clobbering them
        when no memory was used, and therefore omitted a restore.

        This was causing the C++ code in callWebAssemblyFunction to crash
        because $r12 was 0, and it expected it to have its value prior to
        the call.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::createJSToWasmWrapper):

2017-01-03  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Address failures under LayoutTests/inspector/debugger/stepping
        https://bugs.webkit.org/show_bug.cgi?id=166300

        Reviewed by Brian Burg.

        * debugger/Debugger.cpp:
        (JSC::Debugger::continueProgram):
        When continuing, clear states that would have had us pause again.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::didBecomeIdle):
        When resuming after becoming idle, be sure to clear Debugger state.

2017-01-03  JF Bastien  <jfbastien@apple.com>

        WebAssembly JS API: check and test in-call / out-call values
        https://bugs.webkit.org/show_bug.cgi?id=164876
        <rdar://problem/29844107>

        Reviewed by Saam Barati.

        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToJs): fix the wasm -> JS call coercions for f32 /
        f64 which the assotiated tests inadvertently tripped on: the
        previous code wasn't correctly performing JSValue boxing for
        "double" values. This change is slightly involved because it
        requires two scratch registers to materialize the
        `DoubleEncodeOffset` value. This change therefore reorganizes the
        code to first generate traps, then handle all integers (freeing
        all GPRs), and then all the floating-point values.
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction): Implement the defined semantics
        for mismatched arities when JS calls wasm:
        https://github.com/WebAssembly/design/blob/master/JS.md#exported-function-exotic-objects
          - i32 is 0, f32 / f64 are NaN.
          - wasm functions which return "void" are "undefined" in JS.

2017-01-03  Per Arne Vollan  <pvollan@apple.com>

        [Win] jsc.exe sometimes never exits.
        https://bugs.webkit.org/show_bug.cgi?id=158073

        Reviewed by Darin Adler.

        On Windows the thread specific destructor is also called when the main thread is exiting.
        This may lead to the main thread waiting forever for the machine thread lock when exiting,
        if the sampling profiler thread was terminated by the system while holding the machine
        thread lock.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::removeThread):

2017-01-02  Julien Brianceau  <jbriance@cisco.com>

        Remove sh4 specific code from JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=166640

        Reviewed by Filip Pizlo.

        sh4-specific code does not compile for a while (r189884 at least).
        As nobody seems to have interest in this architecture anymore, let's
        remove this dead code and thus ease the burden for JSC maintainers.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::Jump::Jump):
        (JSC::AbstractMacroAssembler::Jump::link):
        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerSH4.h: Removed.
        * assembler/MaxFrameExtentForSlowPathCall.h:
        * assembler/SH4Assembler.h: Removed.
        * bytecode/DOMJITAccessCasePatchpointParams.cpp:
        (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::debugCall):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        (JSC::CCallHelpers::prepareForTailCallSlow):
        * jit/CallFrameShuffler.cpp:
        (JSC::CallFrameShuffler::prepareForTailCall):
        * jit/ExecutableAllocator.h:
        * jit/FPRInfo.h:
        * jit/GPRInfo.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        * jit/JITOperations.cpp:
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::llintBaselineCalleeSaveRegisters):
        (JSC::RegisterSet::dfgCalleeSaveRegisters):
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * offlineasm/backends.rb:
        * offlineasm/instructions.rb:
        * offlineasm/sh4.rb: Removed.
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generateEnter):
        (JSC::Yarr::YarrGenerator::generateReturn):

2017-01-02  JF Bastien  <jfbastien@apple.com>

        WebAssembly: handle and optimize wasm export → wasm import calls
        https://bugs.webkit.org/show_bug.cgi?id=165282

        Reviewed by Saam Barati.

          - Add a new JSType for WebAssemblyFunction, and use it when creating its
            structure. This will is used to quickly detect from wasm whether the import
            call is to another wasm module, or whether it's to JS.
          - Generate two stubs from the import stub generator: one for wasm->JS and one
            for wasm -> wasm. This is done at Module time. Which is called will only be
            known at Instance time, once we've received the import object. We want to
            avoid codegen at Instance time, so having both around is great.
          - Restore the WebAssembly global state (VM top Instance, and pinned registers)
            after call / call_indirect, and in the JS->wasm entry stub.
          - Pinned registers are now a global thing, not per-Memory, because the wasm ->
            wasm stubs are generated at Module time where we don't really have enough
            information to do the right thing (doing so would generate too much code).

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/JSType.h: add WebAssemblyFunctionType as a JSType
        * wasm/WasmB3IRGenerator.cpp: significantly rework how calls which
        could be external work, and how we save / restore global state:
        VM's top Instance, and pinned registers
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::getMemoryBaseAndSize):
        (JSC::Wasm::restoreWebAssemblyGlobalState):
        (JSC::Wasm::createJSToWasmWrapper):
        (JSC::Wasm::parseAndCompile):
        * wasm/WasmB3IRGenerator.h:
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::materializeImportJSCell):
        (JSC::Wasm::wasmToJS):
        (JSC::Wasm::wasmToWasm): the main goal of this patch was adding this function
        (JSC::Wasm::exitStubGenerator):
        * wasm/WasmBinding.h:
        * wasm/WasmFormat.h: Get rid of much of the function index space:
        we already have all of its information elsewhere, and as-is it
        provides no extra efficiency.
        (JSC::Wasm::ModuleInformation::functionIndexSpaceSize):
        (JSC::Wasm::ModuleInformation::isImportedFunctionFromFunctionIndexSpace):
        (JSC::Wasm::ModuleInformation::signatureIndexFromFunctionIndexSpace):
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::FunctionParser):
        * wasm/WasmMemory.cpp: Add some logging.
        (JSC::Wasm::Memory::dump): this was nice when debugging
        (JSC::Wasm::Memory::makeString):
        (JSC::Wasm::Memory::Memory):
        (JSC::Wasm::Memory::~Memory):
        (JSC::Wasm::Memory::grow):
        * wasm/WasmMemory.h: don't use extra indirection, it wasn't
        needed. Reorder some of the fields which are looked up at runtime
        so they're more cache-friendly.
        (JSC::Wasm::Memory::Memory):
        (JSC::Wasm::Memory::mode):
        (JSC::Wasm::Memory::offsetOfSize):
        * wasm/WasmMemoryInformation.cpp: Pinned registers are now a
        global thing for all of JSC, not a per-Memory thing
        anymore. wasm->wasm calls are more complex otherwise: they have to
        figure out how to bridge between the caller and callee's
        special-snowflake pinning.
        (JSC::Wasm::PinnedRegisterInfo::get):
        (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
        (JSC::Wasm::MemoryInformation::MemoryInformation):
        * wasm/WasmMemoryInformation.h:
        * wasm/WasmModuleParser.cpp:
        * wasm/WasmModuleParser.h:
        * wasm/WasmPageCount.cpp: Copied from Source/JavaScriptCore/wasm/WasmBinding.h.
        (JSC::Wasm::PageCount::dump): nice for debugging
        * wasm/WasmPageCount.h:
        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::parseAndValidateModule):
        (JSC::Wasm::Plan::run):
        * wasm/WasmPlan.h:
        (JSC::Wasm::Plan::takeWasmExitStubs):
        * wasm/WasmSignature.cpp:
        (JSC::Wasm::Signature::toString):
        (JSC::Wasm::Signature::dump):
        * wasm/WasmSignature.h:
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::validateFunction):
        * wasm/WasmValidate.h:
        * wasm/js/JSWebAssemblyInstance.h:
        (JSC::JSWebAssemblyInstance::offsetOfTable):
        (JSC::JSWebAssemblyInstance::offsetOfImportFunctions):
        (JSC::JSWebAssemblyInstance::offsetOfImportFunction):
        * wasm/js/JSWebAssemblyMemory.cpp:
        (JSC::JSWebAssemblyMemory::create):
        (JSC::JSWebAssemblyMemory::JSWebAssemblyMemory):
        (JSC::JSWebAssemblyMemory::buffer):
        (JSC::JSWebAssemblyMemory::grow):
        * wasm/js/JSWebAssemblyMemory.h:
        (JSC::JSWebAssemblyMemory::memory):
        (JSC::JSWebAssemblyMemory::offsetOfMemory):
        (JSC::JSWebAssemblyMemory::offsetOfSize):
        * wasm/js/JSWebAssemblyModule.cpp:
        (JSC::JSWebAssemblyModule::create):
        (JSC::JSWebAssemblyModule::JSWebAssemblyModule):
        * wasm/js/JSWebAssemblyModule.h:
        (JSC::JSWebAssemblyModule::signatureIndexFromFunctionIndexSpace):
        (JSC::JSWebAssemblyModule::functionImportCount):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):
        (JSC::WebAssemblyFunction::create):
        (JSC::WebAssemblyFunction::createStructure):
        (JSC::WebAssemblyFunction::WebAssemblyFunction):
        (JSC::WebAssemblyFunction::finishCreation):
        * wasm/js/WebAssemblyFunction.h:
        (JSC::WebAssemblyFunction::wasmEntrypoint):
        (JSC::WebAssemblyFunction::offsetOfInstance):
        (JSC::WebAssemblyFunction::offsetOfWasmEntryPointCode):
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::constructJSWebAssemblyInstance): always start with a dummy
        memory, so wasm->wasm calls don't need to null-check
        * wasm/js/WebAssemblyMemoryConstructor.cpp:
        (JSC::constructJSWebAssemblyMemory):
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        (JSC::WebAssemblyModuleConstructor::createModule):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):
        (JSC::WebAssemblyModuleRecord::evaluate):
        * wasm/js/WebAssemblyModuleRecord.h:

2017-01-02  Saam Barati  <sbarati@apple.com>

        WebAssembly: Some loads don't take into account the offset
        https://bugs.webkit.org/show_bug.cgi?id=166616
        <rdar://problem/29841541>

        Reviewed by Keith Miller.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::emitLoadOp):

2017-01-01  Jeff Miller  <jeffm@apple.com>

        Update user-visible copyright strings to include 2017
        https://bugs.webkit.org/show_bug.cgi?id=166278

        Reviewed by Dan Bernstein.

        * Info.plist:

2016-12-28  Saam Barati  <sbarati@apple.com>

        WebAssembly: Don't allow duplicate export names
        https://bugs.webkit.org/show_bug.cgi?id=166490
        <rdar://problem/29815000>

        Reviewed by Keith Miller.

        * wasm/WasmModuleParser.cpp:

2016-12-28  Saam Barati  <sbarati@apple.com>

        Unreviewed. Fix jsc.cpp build error.

        * jsc.cpp:
        (functionTestWasmModuleFunctions):

2016-12-28  Saam Barati  <sbarati@apple.com>

        WebAssembly: Implement grow_memory and current_memory
        https://bugs.webkit.org/show_bug.cgi?id=166448
        <rdar://problem/29803676>

        Reviewed by Keith Miller.

        This patch implements grow_memory, current_memory, and WebAssembly.prototype.grow.
        See relevant spec texts here:
        
        https://github.com/WebAssembly/design/blob/master/Semantics.md#linear-memory-accesses
        https://github.com/WebAssembly/design/blob/master/JS.md#webassemblymemoryprototypegrow
        
        I also fix a couple miscellaneous bugs:
        
        1. Data section now understands full init_exprs. 
        2. parseVarUint1 no longer has a bug where we allow values larger than 1 if
        their bottom 8 bits are zero.
        
        Since the JS API can now grow memory, we need to make calling an import
        and call_indirect refresh the base memory register and the size registers.

        * jsc.cpp:
        (functionTestWasmModuleFunctions):
        * runtime/Options.h:
        * runtime/VM.h:
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::reloadPinnedRegisters):
        (JSC::Wasm::B3IRGenerator::emitReloadPinnedRegisters):
        (JSC::Wasm::createJSToWasmWrapper):
        (JSC::Wasm::parseAndCompile):
        * wasm/WasmFormat.cpp:
        (JSC::Wasm::Segment::create):
        * wasm/WasmFormat.h:
        (JSC::Wasm::I32InitExpr::I32InitExpr):
        (JSC::Wasm::I32InitExpr::globalImport):
        (JSC::Wasm::I32InitExpr::constValue):
        (JSC::Wasm::I32InitExpr::isConst):
        (JSC::Wasm::I32InitExpr::isGlobalImport):
        (JSC::Wasm::I32InitExpr::globalImportIndex):
        (JSC::Wasm::Segment::byte):
        (JSC::Wasm::ModuleInformation::importFunctionCount):
        (JSC::Wasm::ModuleInformation::hasMemory):
        * wasm/WasmFunctionParser.h:
        * wasm/WasmMemory.cpp:
        (JSC::Wasm::Memory::Memory):
        (JSC::Wasm::Memory::grow):
        * wasm/WasmMemory.h:
        (JSC::Wasm::Memory::size):
        (JSC::Wasm::Memory::sizeInPages):
        (JSC::Wasm::Memory::offsetOfMemory):
        (JSC::Wasm::Memory::isValid): Deleted.
        (JSC::Wasm::Memory::grow): Deleted.
        * wasm/WasmModuleParser.cpp:
        (JSC::Wasm::makeI32InitExpr):
        * wasm/WasmModuleParser.h:
        * wasm/WasmPageCount.h:
        (JSC::Wasm::PageCount::bytes):
        (JSC::Wasm::PageCount::pageCount):
        (JSC::Wasm::PageCount::fromBytes):
        (JSC::Wasm::PageCount::operator+):
        * wasm/WasmParser.h:
        (JSC::Wasm::Parser<SuccessType>::parseVarUInt1):
        * wasm/WasmValidate.cpp:
        * wasm/js/JSWebAssemblyInstance.h:
        (JSC::JSWebAssemblyInstance::offsetOfMemory):
        * wasm/js/JSWebAssemblyMemory.cpp:
        (JSC::JSWebAssemblyMemory::~JSWebAssemblyMemory):
        (JSC::JSWebAssemblyMemory::grow):
        * wasm/js/JSWebAssemblyMemory.h:
        (JSC::JSWebAssemblyMemory::offsetOfMemory):
        * wasm/js/JSWebAssemblyModule.h:
        (JSC::JSWebAssemblyModule::functionImportCount):
        (JSC::JSWebAssemblyModule::jsEntrypointCalleeFromFunctionIndexSpace):
        (JSC::JSWebAssemblyModule::wasmEntrypointCalleeFromFunctionIndexSpace):
        (JSC::JSWebAssemblyModule::importCount): Deleted.
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::constructJSWebAssemblyInstance):
        * wasm/js/WebAssemblyMemoryConstructor.cpp:
        (JSC::constructJSWebAssemblyMemory):
        * wasm/js/WebAssemblyMemoryPrototype.cpp:
        (JSC::getMemory):
        (JSC::webAssemblyMemoryProtoFuncBuffer):
        (JSC::webAssemblyMemoryProtoFuncGrow):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):
        (JSC::dataSegmentFail):
        (JSC::WebAssemblyModuleRecord::evaluate):
        * wasm/wasm.json:

2016-12-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        Use variadic templates in JSC Parser to clean up
        https://bugs.webkit.org/show_bug.cgi?id=166482

        Reviewed by Saam Barati.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::logError):
        * parser/Parser.h:

2016-12-25  Yusuke Suzuki  <utatane.tea@gmail.com>

        Propagate the source origin as much as possible
        https://bugs.webkit.org/show_bug.cgi?id=166348

        Reviewed by Darin Adler.

        This patch introduces CallFrame::callerSourceOrigin, SourceOrigin class
        and SourceProvider::m_sourceOrigin. CallFrame::callerSourceOrigin returns
        an appropriate SourceOrigin if possible. If we cannot find the appropriate
        one, we just return null SourceOrigin.

        This paves the way for implementing the module dynamic-import[1].
        When the import operator is evaluated, it will resolve the module
        specifier with this propagated source origin of the caller function.

        To support import operator inside the dynamic code generation
        functions (like `eval`, `new Function`, indirect call to `eval`),
        we need to propagate the caller's source origin to the generated
        source code.

        We do not use sourceURL for that purpose. This is because we
        would like to keep sourceURL for `eval` / `new Function` null.
        This sourceURL will be used for the stack dump for errors with line/column
        numbers. Dumping the caller's sourceURL with line/column numbers are
        meaningless. So we would like to keep it null while we would like
        to propagate SourceOrigin for dynamic imports.

        [1]: https://github.com/tc39/proposal-dynamic-import

        * API/JSBase.cpp:
        (JSEvaluateScript):
        (JSCheckScriptSyntax):
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction):
        * API/JSScriptRef.cpp:
        (OpaqueJSScript::create):
        (OpaqueJSScript::vm):
        (OpaqueJSScript::OpaqueJSScript):
        (parseScript):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Scripts/builtins/builtins_templates.py:
        * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::BuiltinExecutables):
        (JSC::BuiltinExecutables::createDefaultConstructor):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::createInjectedScript):
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::parse):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::callerSourceOrigin):
        * interpreter/CallFrame.h:
        * interpreter/Interpreter.cpp:
        (JSC::eval):
        * jsc.cpp:
        (jscSource):
        (GlobalObject::finishCreation):
        (extractDirectoryName):
        (currentWorkingDirectory):
        (GlobalObject::moduleLoaderResolve):
        (functionRunString):
        (functionLoadString):
        (functionCallerSourceOrigin):
        (functionCreateBuiltin):
        (functionCheckModuleSyntax):
        (runInteractive):
        * parser/SourceCode.h:
        (JSC::makeSource):
        * parser/SourceProvider.cpp:
        (JSC::SourceProvider::SourceProvider):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::sourceOrigin):
        (JSC::StringSourceProvider::create):
        (JSC::StringSourceProvider::StringSourceProvider):
        (JSC::WebAssemblySourceProvider::create):
        (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunction):
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/FunctionConstructor.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        * runtime/ModuleLoaderPrototype.cpp:
        (JSC::moduleLoaderPrototypeParseModule):
        * runtime/ScriptExecutable.h:
        (JSC::ScriptExecutable::sourceOrigin):
        * runtime/SourceOrigin.h: Added.
        (JSC::SourceOrigin::SourceOrigin):
        (JSC::SourceOrigin::string):
        (JSC::SourceOrigin::isNull):
        * tools/FunctionOverrides.cpp:
        (JSC::initializeOverrideInfo):

2016-12-24  Caio Lima  <ticaiolima@gmail.com>

        [test262] Fixing mapped arguments object property test case
        https://bugs.webkit.org/show_bug.cgi?id=159398

        Reviewed by Saam Barati.

        This patch changes GenericArguments' override mechanism to
        implement corret behavior on ECMAScript test262 suite test cases of
        mapped arguments object with non-configurable and non-writable
        property. Also it is ensuring that arguments[i]
        cannot be deleted when argument "i" is {configurable: false}.
        
        The previous implementation is against to the specification for 2 reasons:

        1. Every argument in arguments object are {writable: true} by default
           (http://www.ecma-international.org/ecma-262/7.0/index.html#sec-createunmappedargumentsobject).
           It means that we have to stop mapping a defined property index
           if the new property descriptor contains writable (i.e writable is
           present) and its value is false (also check
           https://tc39.github.io/ecma262/#sec-arguments-exotic-objects-defineownproperty-p-desc).
           Previous implementation considers {writable: false} if writable is
           not present.

        2. When a property is overriden, "delete" operation is always returning true. However
           delete operations should follow the specification.

        We created an auxilary boolean array named m_modifiedArgumentsDescriptor
        to store which arguments[i] descriptor was changed from its default
        property descriptor. This modification was necessary because m_overrides
        was responsible to keep this information at the same time
        of keeping information about arguments mapping. The problem of this apporach was
        that we needed to call overridesArgument(i) as soon as the ith argument's property
        descriptor was changed and it stops the argument's mapping as sideffect, producing
        wrong behavior.
        To keep tracking arguments mapping status, we renamed DirectArguments::m_overrides to
        DirectArguments::m_mappedArguments and now we it is responsible to manage if an
        argument[i] is mapped or not.
        With these 2 structures, now it is possible to an argument[i] have its property 
        descriptor modified and don't stop the mapping as soon as it happens. One example
        of that wrong behavior can be found on arguments-bizarre-behaviour-disable-enumerability
        test case, that now is fixed by this new mechanism.

        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::generateWithGuard):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
        (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
        * jit/JITOperations.cpp:
        (JSC::canAccessArgumentIndexQuickly):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDirectArgumentsGetByVal):
        * runtime/DirectArguments.cpp:
        (JSC::DirectArguments::estimatedSize):
        (JSC::DirectArguments::visitChildren):
        (JSC::DirectArguments::overrideThings):
        (JSC::DirectArguments::overrideThingsIfNecessary):
        (JSC::DirectArguments::unmapArgument):
        (JSC::DirectArguments::copyToArguments):
        (JSC::DirectArguments::overridesSize):
        (JSC::DirectArguments::overrideArgument): Deleted.
        * runtime/DirectArguments.h:
        (JSC::DirectArguments::length):
        (JSC::DirectArguments::isMappedArgument):
        (JSC::DirectArguments::isMappedArgumentInDFG):
        (JSC::DirectArguments::getIndexQuickly):
        (JSC::DirectArguments::setIndexQuickly):
        (JSC::DirectArguments::overrodeThings):
        (JSC::DirectArguments::initModifiedArgumentsDescriptorIfNecessary):
        (JSC::DirectArguments::setModifiedArgumentDescriptor):
        (JSC::DirectArguments::isModifiedArgumentDescriptor):
        (JSC::DirectArguments::offsetOfMappedArguments):
        (JSC::DirectArguments::offsetOfModifiedArgumentsDescriptor):
        (JSC::DirectArguments::canAccessIndexQuickly): Deleted.
        (JSC::DirectArguments::canAccessArgumentIndexQuicklyInDFG): Deleted.
        (JSC::DirectArguments::offsetOfOverrides): Deleted.
        * runtime/GenericArguments.h:
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::visitChildren):
        (JSC::GenericArguments<Type>::getOwnPropertySlot):
        (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
        (JSC::GenericArguments<Type>::getOwnPropertyNames):
        (JSC::GenericArguments<Type>::put):
        (JSC::GenericArguments<Type>::putByIndex):
        (JSC::GenericArguments<Type>::deleteProperty):
        (JSC::GenericArguments<Type>::deletePropertyByIndex):
        (JSC::GenericArguments<Type>::defineOwnProperty):
        (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
        (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptorIfNecessary):
        (JSC::GenericArguments<Type>::setModifiedArgumentDescriptor):
        (JSC::GenericArguments<Type>::isModifiedArgumentDescriptor):
        (JSC::GenericArguments<Type>::copyToArguments):
        * runtime/ScopedArguments.cpp:
        (JSC::ScopedArguments::visitChildren):
        (JSC::ScopedArguments::unmapArgument):
        (JSC::ScopedArguments::overrideArgument): Deleted.
        * runtime/ScopedArguments.h:
        (JSC::ScopedArguments::isMappedArgument):
        (JSC::ScopedArguments::isMappedArgumentInDFG):
        (JSC::ScopedArguments::getIndexQuickly):
        (JSC::ScopedArguments::setIndexQuickly):
        (JSC::ScopedArguments::initModifiedArgumentsDescriptorIfNecessary):
        (JSC::ScopedArguments::setModifiedArgumentDescriptor):
        (JSC::ScopedArguments::isModifiedArgumentDescriptor):
        (JSC::ScopedArguments::canAccessIndexQuickly): Deleted.
        (JSC::ScopedArguments::canAccessArgumentIndexQuicklyInDFG): Deleted.

2016-12-23  Mark Lam  <mark.lam@apple.com>

        Using Option::breakOnThrow() shouldn't crash while printing a null CodeBlock.
        https://bugs.webkit.org/show_bug.cgi?id=166466

        Reviewed by Keith Miller.

        * runtime/VM.cpp:
        (JSC::VM::throwException):

2016-12-23  Mark Lam  <mark.lam@apple.com>

        Enhance LLInt tracing to dump the codeBlock signature instead of just a pointer where appropriate.
        https://bugs.webkit.org/show_bug.cgi?id=166465

        Reviewed by Keith Miller.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::traceFunctionPrologue):

2016-12-23  Keith Miller  <keith_miller@apple.com>

        WebAssembly: trap on bad division.
        https://bugs.webkit.org/show_bug.cgi?id=164786

        Reviewed by Mark Lam.

        This patch adds traps for division / modulo by zero and for
        division by int_min / -1.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::emitChecksForModOrDiv):
        * wasm/WasmExceptionType.h:
        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::run):
        * wasm/wasm.json:

2016-12-23  Mark Lam  <mark.lam@apple.com>

        Fix broken LLINT_SLOW_PATH_TRACING build.
        https://bugs.webkit.org/show_bug.cgi?id=166463

        Reviewed by Keith Miller.

        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::returnToThrow):
        (JSC::LLInt::callToThrow):
        * runtime/CommonSlowPathsExceptions.cpp:
        (JSC::CommonSlowPaths::interpreterThrowInCaller):

2016-12-22  Keith Miller  <keith_miller@apple.com>

        WebAssembly: Make spec-tests/f32.wast.js and spec-tests/f64.wast.js pass
        https://bugs.webkit.org/show_bug.cgi?id=166447

        Reviewed by Saam Barati.

        We needed to treat -0.0 < 0.0 for floating point min/max. For min,
        the algorithm works because if a == b then a and b are not NaNs so
        either they are the same or they are some zero. When we or a and b
        either we get the same number back or we get -0.0. Similarly for
        max we use an and and the sign bit gets dropped if one is 0.0 and
        the other is -0.0, otherwise, we get the same number back.

        * wasm/wasm.json:

2016-12-22  Saam Barati  <sbarati@apple.com>

        WebAssembly: Make calling Wasm functions that returns or takes an i64 as a parameter an early exception
        https://bugs.webkit.org/show_bug.cgi?id=166437
        <rdar://problem/29793949>

        Reviewed by Keith Miller.

        This patch makes it so that we throw an exception before we do
        anything else if we call a wasm function that either takes an
        i64 as an argument or returns an i64.

        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):
        (JSC::WebAssemblyFunction::WebAssemblyFunction):
        (JSC::WebAssemblyFunction::call): Deleted.
        * wasm/js/WebAssemblyFunction.h:
        (JSC::WebAssemblyFunction::signatureIndex):
        (JSC::WebAssemblyFunction::jsEntrypoint):

2016-12-22  Keith Miller  <keith_miller@apple.com>

        Add BitOr for floating points to B3
        https://bugs.webkit.org/show_bug.cgi?id=166446

        Reviewed by Saam Barati.

        This patch does some slight refactoring to the ARM assembler,
        which groups all the vector floating point instructions together.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::vand):
        (JSC::ARM64Assembler::vorr):
        (JSC::ARM64Assembler::vectorDataProcessingLogical):
        (JSC::ARM64Assembler::vectorDataProcessing2Source): Deleted.
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::orDouble):
        (JSC::MacroAssemblerARM64::orFloat):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::orDouble):
        (JSC::MacroAssemblerX86Common::orFloat):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::orps_rr):
        * b3/B3ConstDoubleValue.cpp:
        (JSC::B3::ConstDoubleValue::bitOrConstant):
        (JSC::B3::ConstDoubleValue::bitXorConstant):
        * b3/B3ConstDoubleValue.h:
        * b3/B3ConstFloatValue.cpp:
        (JSC::B3::ConstFloatValue::bitOrConstant):
        (JSC::B3::ConstFloatValue::bitXorConstant):
        * b3/B3ConstFloatValue.h:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::lower):
        * b3/B3Validate.cpp:
        * b3/air/AirInstInlines.h:
        (JSC::B3::Air::Inst::shouldTryAliasingDef):
        * b3/air/AirOpcode.opcodes:
        * b3/testb3.cpp:
        (JSC::B3::bitOrDouble):
        (JSC::B3::testBitOrArgDouble):
        (JSC::B3::testBitOrArgsDouble):
        (JSC::B3::testBitOrArgImmDouble):
        (JSC::B3::testBitOrImmsDouble):
        (JSC::B3::bitOrFloat):
        (JSC::B3::testBitOrArgFloat):
        (JSC::B3::testBitOrArgsFloat):
        (JSC::B3::testBitOrArgImmFloat):
        (JSC::B3::testBitOrImmsFloat):
        (JSC::B3::testBitOrArgsFloatWithUselessDoubleConversion):
        (JSC::B3::run):

2016-12-22  Mark Lam  <mark.lam@apple.com>

        BytecodeGenerator::m_finallyDepth should be unsigned.
        https://bugs.webkit.org/show_bug.cgi?id=166438

        Reviewed by Saam Barati.

        Also removed FinallyContext::m_finallyDepth because it is not used.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::pushFinallyControlFlowScope):
        (JSC::BytecodeGenerator::labelScopeDepth):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::FinallyContext::FinallyContext):
        (JSC::FinallyContext::finallyLabel):
        (JSC::FinallyContext::depth): Deleted.

2016-12-22  Mark Lam  <mark.lam@apple.com>

        De-duplicate finally blocks.
        https://bugs.webkit.org/show_bug.cgi?id=160168

        Reviewed by Saam Barati.

        JS execution can arrive at a finally block when there are abrupt completions from
        its try or catch block.  The abrupt completion types include Break,
        Continue, Return, and Throw.  The non-abrupt completion type is called Normal
        (i.e. the case of a try block falling through to the finally block).

        Previously, we enable each of these paths for abrupt completion (except for Throw)
        to run the finally block code by duplicating the finally block code at each of
        the sites that trigger those completions.  This patch fixes the implementation so
        that each of these abrupt completions will set a completionTypeRegister (plus a
        completionValueRegister for CompletionType::Return) and then jump to the
        relevant finally blocks, and continue to thread through subsequent outer finally
        blocks until execution reaches the outermost finally block that the completion
        type dictates.  We no longer duplicate the finally block code.

        The implementation details:
        1. We allocate a pair of registers (completionTypeRegister and completionValueRegister)
           just before entering the outermost try-catch-finally scope.

           On allocating the registers, we initialize the completionTypeRegister to
           CompletionType::Normal, and set the completionValueRegister to the empty
           JSValue.

        2. The completionTypeRegister will hold a CompletionType value.  This is how we
           encode the CompletionType value to be set:

           a. For Normal, Return, and Throw completion types: 
              - The completionTypeRegister is set to CompletionType::Normal,
                CompletionType::Return, and CompletionType::Throw respectively.

           b. For Break and Continue completion types:
              - The completionTypeRegister is set to a unique jumpID where the jumpID is
                computed as:

                jumpID = CompletionType::NumberOfTypes + bytecodeOffset

                The bytecodeOffset used here is the bytecodeOffset of the break or continue
                statement that triggered this completion.

        3. Each finally block will have 2 entries:
           a. the catch entry.
           b. the normal entry.

           The catch entry is recorded in the codeBlock's exception handler table,
           and can only be jumped to by the VM's exception handling mechanism.

           The normal entry is recorded in a FinallyContext (at bytecode generation time
           only) and is jumped to when we want enter the finally block due any of the
           other CompletionTypes.

        4. How each completion type works?

           CompletionType::Normal
           ======================
           We normally encounter this when falling through from a try or catch block to
           the finally block.  
          
           For the try block case, since completionTypeRegister is set to Normal by default,
           there's nothing more that needs to be done.

           For the catch block case, since we entered the catch block with an exception,
           completionTypeRegister may be set to Throw.  We'll need to set it to Normal
           before jumping to the finally block's normal entry.

           CompletionType::Break
           =====================
           When we emit bytecode for the BreakNode, we check if we have any FinallyContexts
           that we need to service before jumping to the breakTarget.  If we don't, then
           emit op_jump to the breakTarget as usual.  Otherwise:

           a. we'll register a jumpID and the breakTarget with the FinallyContext for the
              outermost finally block that we're supposed to run through.
           b. we'll also increment the numberOfBreaksOrContinues count in each FinallyContext
              from the innermost to the one for that outermost finally block.
           c. emit bytecode to set the completionTypeRegister to the jumpID.
           d. emit bytecode to jump to the normal entry of the innermost finally block.

           Each finally block will take care of cascading to the next outer finally block
           as needed (see (5) below).

           CompletionType::Continue
           ========================
           Since continues and breaks work the same way (i.e. with a jump), we handle this
           exactly the same way as CompletionType::Break, except that we use the
           continueTarget instead of the breakTarget.

           CompletionType::Return
           ======================
           When we emit bytecode for the ReturnNode, we check if we have any FinallyContexts
           at all on the m_controlFlowScopeStack.  If we don't, then emit op_ret as usual.
           Otherwise:

           a. emit bytecode to set the completionTypeRegister to CompletionType::Return.
           b. emit bytecode to move the return value into the completionValueRegister.
           c. emit bytecode to jump to the normal entry of the innermost finally block.

           Each finally block will take care of cascading to the next outer finally block
           as needed (see (5) below).

           CompletionType::Throw
           ======================
           At the catch entry a finally block, we:
           1. emit an op_catch that stores the caught Exception object in the
              completionValueRegister.
           2. emit bytecode to set the completionTypeRegister to CompletionType::Throw.
           3. Fall through or jump to the finally block's normal entry.

        5. What happens in each finally block?
           ==================================
           For details on the finally block's catch entry, see "CompletionType::Throw" in
           (4) above.

           The finally block's normal entry will:
           1. restore the scope of the finally block.
           2. save the completionTypeRegister in a savedCompletionTypeRegister.
           3. proceed to execute the body of the finally block.

           At the end of the finally block, we will emit bytecode check the
           savedCompletionTypeRegister for each completion type see emitFinallyCompletion())
           in the following order:
          
           a. Check for CompletionType::Normal
              ================================
              If savedCompletionTypeRegister is CompletionType::Normal, jump to the
              designated normalCompletion label.  We only need this check this finally
              block also needs to check for Break, Continue, or Return.  If not, the
              completion type check for CompletionType::Throw below will make this check
              redundant.

           b. Check for CompletionType::Break and Continue
              ============================================
              If the FinallyContext for this block has registered FinallyJumps, we'll
              check the jumpIDs against the savedCompletionTypeRegister.  If the jumpID
              matches, jump to the corresponding jumpTarget.

              If no jumpIDs match but the FinallyContext's numberOfBreaksOrContinues is
              greater than the number of registered FinallyJumps, then this means that
              we have a Break or Continue that needs to be handled by an outer finally
              block.  In that case, jump to the next outer finally block's normal entry.
             
           c. Check for CompletionType::Return
              ================================
              If this finally block is not the outermost and the savedCompletionTypeRegister
              is set to CompletionType::Return, then jump to the next outer finally
              block's normal entry.

              Otherwise, if this finally block is the outermost and the savedCompletionTypeRegister
              is set to CompletionType::Return, then execute op_ret and return the value
              in the completionValueRegister.

           d. CompletionType::Throw
              =====================
              If savedCompletionTypeRegister is CompletionType::Throw, then just re-throw the
              Exception object in the completionValueRegister.

           Detail 1: that we check the savedCompletionTypeRegister (and not the
           completionTypeRegister).  This is because the finally block may itself contain
           a try-finally, and this inner try-finally may have trashed the completionTypeRegister.
           Here's an example:

               try {
                   return "r1"; // Sets completionTypeRegister to CompletionType::Return;
               } finally {
                   // completionTypeRegister is CompletionType::Return here.

                   try {
                       ... // do stuff.
                   } finally {
                       ... // do more stuff.
                   }

                   // completionTypeRegister may be anything here depending on what
                   // was executed in the inner try-finally block above.

                   // Hence, finally completion here must be based on a saved copy of the
                   // completionTypeRegister when we entered this finally block.
               }

           Detail 2: the finally completion for CompletionType::Throw must always explicitly
           check if the savedCompletionTypeRegister is CompletionType::Throw before throwing.
           We cannot imply that it is so from the Throw case being last.  Here's why:

               // completionTypeRegister is CompletionType::Normal here.
               try {
                   return "r1"; // Sets completionTypeRegister to CompletionType::Return;
               } finally {
                   // completionTypeRegister is CompletionType::Return here.

                   try {
                       ... // do stuff.  No abrupt completions.
                   } finally {
                       // completionTypeRegister is CompletionType::Return here (from the outer try-finally).
                       // savedCompletionTypeRegister is set to completionTypeRegister (i.e. CompletionType::Return) here.

                       ... // do more stuff.  No abrupt completions.

                       // Unless there's an abrupt completion since entering the outer
                       // finally block, the savedCompletionTypeRegister will remain set
                       // to CompletionType::Return.  If we don't explicitly check if the
                       // savedCompletionTypeRegister is CompletionType::Throw before
                       // throwing here, we'll end up erroneously throwing "r1".
                   }

                   ...
               }

        6. restoreScopeRegister()
       
           Since the needed scope objects are always stored in a local, we can restore
           the scope register by simply moving from that local instead of going through
           op_get_parent_scope.

        7. m_controlFlowScopeStack needs to be a SegmentedVector instead of a Vector.
           This makes it easier to keep a pointer to the FinallyContext on that stack,
           and not have to worry about the vector being realloc'ed due to resizing. 

        Performance appears to be neutral both on ES6SampleBench (run via cli) and the
        JSC benchmarks.

        Relevant spec references:
        https://tc39.github.io/ecma262/#sec-completion-record-specification-type
        https://tc39.github.io/ecma262/#sec-try-statement-runtime-semantics-evaluation

        * bytecode/HandlerInfo.h:
        (JSC::HandlerInfoBase::typeName):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitReturn):
        (JSC::BytecodeGenerator::pushFinallyControlFlowScope):
        (JSC::BytecodeGenerator::popFinallyControlFlowScope):
        (JSC::BytecodeGenerator::allocateAndEmitScope):
        (JSC::BytecodeGenerator::pushTry):
        (JSC::BytecodeGenerator::popTry):
        (JSC::BytecodeGenerator::emitCatch):
        (JSC::BytecodeGenerator::restoreScopeRegister):
        (JSC::BytecodeGenerator::labelScopeDepthToLexicalScopeIndex):
        (JSC::BytecodeGenerator::labelScopeDepth):
        (JSC::BytecodeGenerator::pushLocalControlFlowScope):
        (JSC::BytecodeGenerator::popLocalControlFlowScope):
        (JSC::BytecodeGenerator::emitEnumeration):
        (JSC::BytecodeGenerator::emitIsNumber):
        (JSC::BytecodeGenerator::emitYield):
        (JSC::BytecodeGenerator::emitDelegateYield):
        (JSC::BytecodeGenerator::emitJumpViaFinallyIfNeeded):
        (JSC::BytecodeGenerator::emitReturnViaFinallyIfNeeded):
        (JSC::BytecodeGenerator::emitFinallyCompletion):
        (JSC::BytecodeGenerator::allocateCompletionRecordRegisters):
        (JSC::BytecodeGenerator::releaseCompletionRecordRegisters):
        (JSC::BytecodeGenerator::emitJumpIf):
        (JSC::BytecodeGenerator::pushIteratorCloseControlFlowScope): Deleted.
        (JSC::BytecodeGenerator::popIteratorCloseControlFlowScope): Deleted.
        (JSC::BytecodeGenerator::emitComplexPopScopes): Deleted.
        (JSC::BytecodeGenerator::emitPopScopes): Deleted.
        (JSC::BytecodeGenerator::popTryAndEmitCatch): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        (JSC::bytecodeOffsetToJumpID):
        (JSC::FinallyJump::FinallyJump):
        (JSC::FinallyContext::FinallyContext):
        (JSC::FinallyContext::outerContext):
        (JSC::FinallyContext::finallyLabel):
        (JSC::FinallyContext::depth):
        (JSC::FinallyContext::numberOfBreaksOrContinues):
        (JSC::FinallyContext::incNumberOfBreaksOrContinues):
        (JSC::FinallyContext::handlesReturns):
        (JSC::FinallyContext::setHandlesReturns):
        (JSC::FinallyContext::registerJump):
        (JSC::FinallyContext::numberOfJumps):
        (JSC::FinallyContext::jumps):
        (JSC::ControlFlowScope::ControlFlowScope):
        (JSC::ControlFlowScope::isLabelScope):
        (JSC::ControlFlowScope::isFinallyScope):
        (JSC::BytecodeGenerator::currentLexicalScopeIndex):
        (JSC::BytecodeGenerator::CompletionRecordScope::CompletionRecordScope):
        (JSC::BytecodeGenerator::CompletionRecordScope::~CompletionRecordScope):
        (JSC::BytecodeGenerator::completionTypeRegister):
        (JSC::BytecodeGenerator::completionValueRegister):
        (JSC::BytecodeGenerator::emitSetCompletionType):
        (JSC::BytecodeGenerator::emitSetCompletionValue):
        (JSC::BytecodeGenerator::isInFinallyBlock): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ContinueNode::emitBytecode):
        (JSC::BreakNode::emitBytecode):
        (JSC::ReturnNode::emitBytecode):
        (JSC::TryNode::emitBytecode):

2016-12-22  Saam Barati  <sbarati@apple.com>

        WebAssembly: Make the spec-tests/address.wast.js test pass
        https://bugs.webkit.org/show_bug.cgi?id=166429
        <rdar://problem/29793220>

        Reviewed by Keith Miller.

        Right now, provably out of bound loads/stores (given a load/store's constant
        offset) are not a validation error. However, we were failing to catch uint32_t
        overflows in release builds (we did have a debug assertion). To fix this,
        I now detect when uint32_t addition will overflow, and instead of emitting
        a normal load/store, I emit code that throws an out of bounds memory exception.

        * wasm/WasmB3IRGenerator.cpp:

2016-12-22  Keith Miller  <keith_miller@apple.com>

        WebAssembly: The validator should not allow unused stack entries at the end of a block
        https://bugs.webkit.org/show_bug.cgi?id=166411

        Reviewed by Saam Barati.

        This patch also cleans up some of the verbose mode logging.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::dumpExpressionStack):
        (JSC::Wasm::B3IRGenerator::dump):
        * wasm/WasmFunctionParser.h:
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::dumpExpressionStack):
        (JSC::Wasm::Validate::dump):

2016-12-22  Saam Barati  <sbarati@apple.com>

        WebAssembly: Make the spec-tests/start.wast.js test pass
        https://bugs.webkit.org/show_bug.cgi?id=166416
        <rdar://problem/29784532>

        Reviewed by Yusuke Suzuki.

        To make the test run, I had to fix two bugs:
        
        1. We weren't properly finding the start function. There was code
        that would try to find the start function from the list of *exported*
        functions. This is wrong; the start function is an index into the
        function index space, which is the space for *imports* and *local*
        functions. So the code was just wrong in this respect, and I've
        fixed it do the right thing. We weren't sure if this was originally
        allowed or not in the spec, but it has been decided that it is allowed
        and the spec-tests test for it: https://github.com/WebAssembly/design/issues/896
        
        2. We were emitting a breakpoint for Unreachable. Instead of crashing,
        this opcode needs to throw an exception when executing.

        * wasm/WasmB3IRGenerator.cpp:
        * wasm/WasmExceptionType.h:
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):
        (JSC::WebAssemblyModuleRecord::evaluate):
        * wasm/js/WebAssemblyModuleRecord.h:

2016-12-21  Keith Miller  <keith_miller@apple.com>

        WebAssembly: Fix decode floating point constants in unreachable code
        https://bugs.webkit.org/show_bug.cgi?id=166400

        Reviewed by Saam Barati.

        We decoded these as variable length but they should be fixed length.

        * wasm/WasmFunctionParser.h:

2016-12-21  Keith Miller  <keith_miller@apple.com>

        WebAssembly: Allow br, br_if, and br_table to act as a return
        https://bugs.webkit.org/show_bug.cgi?id=166393

        Reviewed by Saam Barati.

        This patch allows br, br_if, and br_table to treat branching to
        the size of the control stack to act as a return. This change was
        made by adding a new block type to the wasm function parser,
        TopLevel. Adding this new block eliminates a lot of the special
        case code we had in the parser previously. The only special case
        we need is when the end opcode is parsed from the top level.  The
        B3 IR generator needs to automatically emit a return at that
        point.

        Also, this patch adds the function number to validation errors
        in the function parser. The current error message is not helpful
        otherwise.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::ControlData::dump):
        (JSC::Wasm::B3IRGenerator::addTopLevel):
        * wasm/WasmFunctionParser.h:
        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::parseAndValidateModule):
        (JSC::Wasm::Plan::run):
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::Validate::ControlData::dump):
        (JSC::Wasm::Validate::Validate):
        (JSC::Wasm::Validate::addTopLevel):
        (JSC::Wasm::validateFunction):

2016-12-21  JF Bastien  <jfbastien@apple.com>

        WebAssembly JS API: cleanup & pass VM around to {Compile/Runtime}Error
        https://bugs.webkit.org/show_bug.cgi?id=166295
        <rdar://problem/29762017>

        Reviewed by Mark Lam.

        Rename the create* functions, and pass VM around, as suggested for
        LinkError in #165805.

        At the same time, use the default source appender when
        constructing these error types, which gives a nice map back to the
        original source as part of the error message. This is clearer when
        using the current frame, so add that as well.

        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromWasmThunkGenerator):
        * wasm/js/JSWebAssemblyCompileError.cpp:
        (JSC::JSWebAssemblyCompileError::create):
        (JSC::createJSWebAssemblyCompileError):
        (JSC::createWebAssemblyCompileError): Deleted.
        * wasm/js/JSWebAssemblyCompileError.h:
        (JSC::JSWebAssemblyCompileError::create):
        * wasm/js/JSWebAssemblyRuntimeError.cpp:
        (JSC::JSWebAssemblyRuntimeError::create):
        * wasm/js/JSWebAssemblyRuntimeError.h:
        (JSC::JSWebAssemblyRuntimeError::create):
        * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
        (JSC::constructJSWebAssemblyCompileError):
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        (JSC::WebAssemblyModuleConstructor::createModule):
        * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
        (JSC::constructJSWebAssemblyRuntimeError):

2016-12-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Fix modules document in features.json
        https://bugs.webkit.org/show_bug.cgi?id=166313

        Reviewed by Saam Barati.

        * features.json:

2016-12-20  Taras Tsugrii  <ttsugrii@fb.com>

        Fix undefined behavior caused by macro expansion producing 'defined'
        https://bugs.webkit.org/show_bug.cgi?id=166047

        Reviewed by Darin Adler.

        * API/JSBase.h:

2016-12-20  Keith Miller  <keith_miller@apple.com>

        Add support for global
        https://bugs.webkit.org/show_bug.cgi?id=165171

        Reviewed by Filip Pizlo.

        This patch adds spport for the global property on the global object.
        The global property spec is in stage three and is quite simple.
        For reference: http://tc39.github.io/proposal-global/

        * runtime/JSGlobalObject.cpp:

2016-12-20  Saam Barati  <sbarati@apple.com>

        WebAssembly: We should compile wasm functions in parallel
        https://bugs.webkit.org/show_bug.cgi?id=165993

        Reviewed by Keith Miller.

        This patch adds a very simple parallel compiler for Wasm code.
        This patch speeds up compiling the Unity headless benchmark by
        slightly more than 4x on my MBP. To make this safe, I perform
        all linking on the main thread. I also had to change some code
        inside Wasmb3IRGenerator to be thread safe.

        * b3/air/AirCustom.h:
        (JSC::B3::Air::WasmBoundsCheckCustom::generate):
        * b3/air/AirGenerationContext.h:
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::B3IRGenerator::emitExceptionCheck):
        (JSC::Wasm::createJSToWasmWrapper):
        (JSC::Wasm::parseAndCompile):
        * wasm/WasmB3IRGenerator.h:
        * wasm/WasmCallingConvention.h:
        (JSC::Wasm::CallingConvention::setupFrameInPrologue):
        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::parseAndValidateModule):
        (JSC::Wasm::Plan::run):
        * wasm/WasmPlan.h:

2016-12-20  Brent Fulgham  <bfulgham@apple.com>

        Address some style problems found by static analysis
        https://bugs.webkit.org/show_bug.cgi?id=165975

        Reviewed by Alex Christensen.

        Correct the const-correctness of functions that are implemented using stricter
        const declarations.

        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorHeapAgent.cpp:
        * inspector/agents/InspectorHeapAgent.h:
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        * inspector/agents/InspectorScriptProfilerAgent.h:
        * inspector/scripts/codegen/cpp_generator.py:
        (cpp_type_for_unchecked_formal_in_parameter): Update to match const declarations of
        implementation files.
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        Rebaselined results for "const Ptr* const" syntax.

2016-12-20  JF Bastien  <jfbastien@apple.com>

        WebAssembly: construct 32-bit encodedJSValue properly
        https://bugs.webkit.org/show_bug.cgi?id=166199

        Reviewed by Mark Lam.

        Constructing an encodedJSValue using `{ }` yields the wrong value
        on 32-bit platforms. WebAssembly doesn't currently target 32-bit
        platforms, but we may as well get it right.

        * wasm/JSWebAssembly.cpp:
        (JSC::webAssemblyCompileFunc):
        (JSC::webAssemblyValidateFunc):
        * wasm/js/JSWebAssemblyHelpers.h:
        (JSC::toNonWrappingUint32):
        * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
        (JSC::constructJSWebAssemblyCompileError):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::constructJSWebAssemblyInstance):
        * wasm/js/WebAssemblyMemoryConstructor.cpp:
        (JSC::constructJSWebAssemblyMemory):
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        (JSC::constructJSWebAssemblyModule):
        * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
        (JSC::constructJSWebAssemblyRuntimeError):
        * wasm/js/WebAssemblyTableConstructor.cpp:
        (JSC::constructJSWebAssemblyTable):
        * wasm/js/WebAssemblyTablePrototype.cpp:
        (JSC::webAssemblyTableProtoFuncLength):
        (JSC::webAssemblyTableProtoFuncGrow):
        (JSC::webAssemblyTableProtoFuncGet):
        (JSC::webAssemblyTableProtoFuncSet):

2016-12-20  Dean Jackson  <dino@apple.com>

        Remove INDIE_UI
        https://bugs.webkit.org/show_bug.cgi?id=165881
        <rdar://problem/29672532>

        Reviewed by Simon Fraser.

        The Indie UI work has been discontinued.

        * Configurations/FeatureDefines.xcconfig:

2016-12-20  JF Bastien  <jfbastien@apple.com>

        WebAssembly API: implement WebAssembly.LinkError
        https://bugs.webkit.org/show_bug.cgi?id=165805
        <rdar://problem/29747874>

        Reviewed by Mark Lam.

        As described here: https://github.com/WebAssembly/design/pull/901
        Some TypeError and RangeError are now converted to WebAssembly.LinkError.

        * CMakeLists.txt: add files
        * DerivedSources.make: add autoget .lut.h files
        * JavaScriptCore.xcodeproj/project.pbxproj: add files
        * builtins/BuiltinNames.h: new name LinkError
        * runtime/JSGlobalObject.h: auto-register LinkError using existing macro magic
        * wasm/JSWebAssembly.h: make the new includes available
        * wasm/js/JSWebAssemblyLinkError.cpp: Copied from Source/JavaScriptCore/wasm/JSWebAssemblyCompileError.cpp.
        (JSC::JSWebAssemblyLinkError::create):
        (JSC::JSWebAssemblyLinkError::JSWebAssemblyLinkError):
        (JSC::createWebAssemblyLinkError):
        * wasm/js/JSWebAssemblyLinkError.h: Copied from Source/JavaScriptCore/wasm/JSWebAssemblyCompileError.h.
        (JSC::JSWebAssemblyLinkError::create):
        * wasm/js/WebAssemblyInstanceConstructor.cpp: update as per spec change
        (JSC::constructJSWebAssemblyInstance):
        * wasm/js/WebAssemblyLinkErrorConstructor.cpp: Copied from Source/JavaScriptCore/wasm/WebAssemblyCompileErrorConstructor.cpp.
        (JSC::constructJSWebAssemblyLinkError):
        (JSC::callJSWebAssemblyLinkError):
        (JSC::WebAssemblyLinkErrorConstructor::create):
        (JSC::WebAssemblyLinkErrorConstructor::createStructure):
        (JSC::WebAssemblyLinkErrorConstructor::finishCreation):
        (JSC::WebAssemblyLinkErrorConstructor::WebAssemblyLinkErrorConstructor):
        (JSC::WebAssemblyLinkErrorConstructor::getConstructData):
        (JSC::WebAssemblyLinkErrorConstructor::getCallData):
        * wasm/js/WebAssemblyLinkErrorConstructor.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyCompileErrorConstructor.h.
        * wasm/js/WebAssemblyLinkErrorPrototype.cpp: Copied from Source/JavaScriptCore/wasm/WebAssemblyCompileErrorPrototypr.cpp.
        (JSC::WebAssemblyLinkErrorPrototype::create):
        (JSC::WebAssemblyLinkErrorPrototype::createStructure):
        (JSC::WebAssemblyLinkErrorPrototype::finishCreation):
        (JSC::WebAssemblyLinkErrorPrototype::WebAssemblyLinkErrorPrototype):
        * wasm/js/WebAssemblyLinkErrorPrototype.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyCompileErrorPrototypr.h.
        * wasm/js/WebAssemblyModuleRecord.cpp: update as per spec change
        (JSC::dataSegmentFail):
        (JSC::WebAssemblyModuleRecord::evaluate):

2016-12-20  JF Bastien  <jfbastien@apple.com>

        WebAssembly: unique function signatures
        https://bugs.webkit.org/show_bug.cgi?id=165957
        <rdar://problem/29735737>

        Reviewed by Saam Barati.

        Signatures in a Module's Type section can be duplicated, we
        therefore need to unique them so that call_indirect only needs to
        do a single integer compare to check that a callee's Signature is
        the same as the Signature declared at the call site. Without
        uniquing we'd either trap when duplicate Signatures are used, or
        we'd need to do multiple comparisons. This patch makes that narrow
        usecase function correctly.

        There's further complication when calling from wasm to
        wasm, in which case the Signatures must also match. Such
        cross-instance calls will be improved in bug #165282, but this
        patch sets the groundwork for it:

        - Signatures are now owned by SignatureInformation which lives on
          VM, and is shared by all Modules.
        - When parsing a Module, a Signature is created for every Type
          entry, and then uniqued by SignatureInformation's adopt
          method. Duplicate Signatures are dropped and the previous
          SignatureIndex is returned, new Signatures are adopted and a new
          SignatureIndex is created.
        - The SignatureIndex values are monotonic. 0 is used to represent
          invalid indices, which trap. This can only occur through Table.
        - SignatureInformation is used while generating code to map a
          SignatureIndex back to the Signature* when return / argument
          information is needed. This is a simple lookup into a Vector. It
          isn't used at runtime.
        - These Signatures live forever on VM because the bookkeeping
          likely isn't worth it. We may want to empty things out if all
          Modules die, this is tracked in bug #166037.
        - We can further improve things by bit-packing SignatureIndex with
          Code*, which is tracked by bug #165511.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/VM.h: wasm signatures are uniqued here, but aren't accessed frequently (only during parsing) so indirection is fine
        * wasm/WasmB3IRGenerator.cpp: use SignatureIndex instead of Signature* when appropriate, and when still using Signature* do so with its new API
        (JSC::Wasm::createJSToWasmWrapper):
        (JSC::Wasm::parseAndCompile):
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::importStubGenerator): use SignatureIndex
        * wasm/WasmBinding.h:
        * wasm/WasmCallingConvention.h:
        (JSC::Wasm::CallingConvention::loadArguments):
        * wasm/WasmFormat.cpp: drive-by move of alloc/free functions to the implementation file, allows the .h file to drop an FastMalloc.h
        (JSC::Wasm::Segment::create):
        (JSC::Wasm::Segment::destroy):
        (JSC::Wasm::Segment::createPtr):
        * wasm/WasmFormat.h: move Signature to its own file
        (JSC::Wasm::CallableFunction::CallableFunction):
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::FunctionParser):
        * wasm/WasmModuleParser.cpp:
        * wasm/WasmModuleParser.h:
        (JSC::Wasm::ModuleParser::ModuleParser):
        * wasm/WasmParser.h:
        (JSC::Wasm::Parser<SuccessType>::Parser):
        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::parseAndValidateModule):
        (JSC::Wasm::Plan::run):
        * wasm/WasmSignature.cpp: Added.
        (JSC::Wasm::Signature::dump):
        (JSC::Wasm::Signature::hash):
        (JSC::Wasm::Signature::create):
        (JSC::Wasm::Signature::createInvalid):
        (JSC::Wasm::Signature::destroy):
        (JSC::Wasm::SignatureInformation::~SignatureInformation):
        (JSC::Wasm::SignatureInformation::adopt):
        (JSC::Wasm::SignatureInformation::get):
        * wasm/WasmSignature.h: Added.
        (JSC::Wasm::Signature::Signature):
        (JSC::Wasm::Signature::storage):
        (JSC::Wasm::Signature::allocatedSize):
        (JSC::Wasm::Signature::returnType):
        (JSC::Wasm::Signature::returnCount):
        (JSC::Wasm::Signature::argumentCount):
        (JSC::Wasm::Signature::argument):
        (JSC::Wasm::Signature::operator==):
        (JSC::Wasm::SignatureHash::empty):
        (JSC::Wasm::SignatureHash::deleted):
        (JSC::Wasm::SignatureHash::SignatureHash):
        (JSC::Wasm::SignatureHash::operator==):
        (JSC::Wasm::SignatureHash::equal):
        (JSC::Wasm::SignatureHash::hash):
        (JSC::Wasm::SignatureHash::isHashTableDeletedValue):
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::validateFunction):
        * wasm/WasmValidate.h:
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/JSWebAssemblyModule.h:
        (JSC::JSWebAssemblyModule::signatureForFunctionIndexSpace):
        * wasm/js/JSWebAssemblyTable.cpp:
        (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
        (JSC::JSWebAssemblyTable::clearFunction):
        (JSC::JSWebAssemblyTable::setFunction):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):
        (JSC::WebAssemblyFunction::call):
        (JSC::WebAssemblyFunction::create):
        (JSC::WebAssemblyFunction::WebAssemblyFunction):
        (JSC::WebAssemblyFunction::finishCreation):
        * wasm/js/WebAssemblyFunction.h:
        (JSC::WebAssemblyFunction::signatureIndex):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):
        (JSC::WebAssemblyModuleRecord::evaluate):

2016-12-20  Konstantin Tokarev  <annulen@yandex.ru>

        Modernize for loops in JSC
        https://bugs.webkit.org/show_bug.cgi?id=166060

        Reviewed by Yusuke Suzuki.

        * API/JSCallbackObject.h:
        (JSC::JSCallbackObjectData::JSPrivatePropertyMap::visitChildren):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::stronglyVisitStrongReferences):
        (JSC::CodeBlock::stronglyVisitWeakReferences):
        (JSC::CodeBlock::jettison):
        (JSC::CodeBlock::getArrayProfile):
        (JSC::CodeBlock::tallyFrequentExitSites):
        (JSC::CodeBlock::nameForRegister):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ObjectPatternNode::bindValue):
        * debugger/Debugger.cpp:
        (JSC::Debugger::applyBreakpoints):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
        * dfg/DFGClobberSet.cpp:
        (JSC::DFG::ClobberSet::setOf):
        * dfg/DFGDesiredIdentifiers.cpp:
        (JSC::DFG::DesiredIdentifiers::reallyAdd):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::visitChildren):
        * dfg/DFGIntegerCheckCombiningPhase.cpp:
        (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
        * dfg/DFGIntegerRangeOptimizationPhase.cpp:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::run):
        * dfg/DFGMaximalFlushInsertionPhase.cpp:
        (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
        * dfg/DFGPutStackSinkingPhase.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::linkBranches):
        * dfg/DFGStructureRegistrationPhase.cpp:
        (JSC::DFG::StructureRegistrationPhase::run):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * dfg/DFGValidate.cpp:
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        (JSC::DFG::VirtualRegisterAllocationPhase::run):
        * heap/HeapVerifier.cpp:
        (JSC::trimDeadObjectsFromList):
        (JSC::HeapVerifier::trimDeadObjects):
        * heap/LiveObjectList.cpp:
        (JSC::LiveObjectList::findObject):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::isPagedOut):
        * inspector/ScriptCallStack.cpp:
        (Inspector::ScriptCallStack::firstNonNativeCallFrame):
        * jit/JIT.cpp:
        (JSC::JIT::link):
        * parser/VariableEnvironment.cpp:
        (JSC::VariableEnvironment::markAllVariablesAsCaptured):
        (JSC::VariableEnvironment::hasCapturedVariables):
        * runtime/FunctionHasExecutedCache.cpp:
        (JSC::FunctionHasExecutedCache::hasExecutedAtOffset):
        (JSC::FunctionHasExecutedCache::getFunctionRanges):
        * runtime/JSPropertyNameEnumerator.cpp:
        (JSC::JSPropertyNameEnumerator::visitChildren):
        * runtime/TypeProfiler.cpp:
        (JSC::TypeProfiler::findLocation):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::addTypeInformation):
        (JSC::TypeSet::dumpTypes):
        * runtime/VM.cpp:
        (JSC::VM::gatherConservativeRoots):
        * runtime/WeakMapData.cpp:
        (JSC::WeakMapData::DeadKeyCleaner::visitWeakReferences):
        (JSC::WeakMapData::DeadKeyCleaner::finalizeUnconditionally):
        * tools/ProfileTreeNode.h:
        (JSC::ProfileTreeNode::dumpInternal):
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::ByteCompiler::emitDisjunction):

2016-12-20  Konstantin Tokarev  <annulen@yandex.ru>

        __cpuid() requires <intrin.h> to be included
        https://bugs.webkit.org/show_bug.cgi?id=166051

        Reviewed by Yusuke Suzuki.

        * assembler/MacroAssemblerX86Common.h:

2016-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Enable ES6 Modules
        https://bugs.webkit.org/show_bug.cgi?id=165849

        Reviewed by Geoffrey Garen.

        * features.json:

2016-12-19  Mark Lam  <mark.lam@apple.com>

        Rolling out r209974 and r209952. They break some websites in mysterious ways. Step 2: Rollout r209952.
        https://bugs.webkit.org/show_bug.cgi?id=166049

        Not reviewed.

        * bytecode/HandlerInfo.h:
        (JSC::HandlerInfoBase::typeName):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitReturn):
        (JSC::BytecodeGenerator::pushFinallyControlFlowScope):
        (JSC::BytecodeGenerator::pushIteratorCloseControlFlowScope):
        (JSC::BytecodeGenerator::popFinallyControlFlowScope):
        (JSC::BytecodeGenerator::popIteratorCloseControlFlowScope):
        (JSC::BytecodeGenerator::emitComplexPopScopes):
        (JSC::BytecodeGenerator::emitPopScopes):
        (JSC::BytecodeGenerator::pushTry):
        (JSC::BytecodeGenerator::popTryAndEmitCatch):
        (JSC::BytecodeGenerator::labelScopeDepth):
        (JSC::BytecodeGenerator::pushLocalControlFlowScope):
        (JSC::BytecodeGenerator::popLocalControlFlowScope):
        (JSC::BytecodeGenerator::emitEnumeration):
        (JSC::BytecodeGenerator::emitYield):
        (JSC::BytecodeGenerator::emitDelegateYield):
        (JSC::BytecodeGenerator::popTry): Deleted.
        (JSC::BytecodeGenerator::emitCatch): Deleted.
        (JSC::BytecodeGenerator::restoreScopeRegister): Deleted.
        (JSC::BytecodeGenerator::labelScopeDepthToLexicalScopeIndex): Deleted.
        (JSC::BytecodeGenerator::emitIsNumber): Deleted.
        (JSC::BytecodeGenerator::emitJumpViaFinallyIfNeeded): Deleted.
        (JSC::BytecodeGenerator::emitReturnViaFinallyIfNeeded): Deleted.
        (JSC::BytecodeGenerator::emitFinallyCompletion): Deleted.
        (JSC::BytecodeGenerator::allocateFinallyRegisters): Deleted.
        (JSC::BytecodeGenerator::releaseFinallyRegisters): Deleted.
        (JSC::BytecodeGenerator::emitCompareFinallyActionAndJumpIf): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::isInFinallyBlock):
        (JSC::FinallyJump::FinallyJump): Deleted.
        (JSC::FinallyContext::FinallyContext): Deleted.
        (JSC::FinallyContext::outerContext): Deleted.
        (JSC::FinallyContext::finallyLabel): Deleted.
        (JSC::FinallyContext::depth): Deleted.
        (JSC::FinallyContext::numberOfBreaksOrContinues): Deleted.
        (JSC::FinallyContext::incNumberOfBreaksOrContinues): Deleted.
        (JSC::FinallyContext::handlesReturns): Deleted.
        (JSC::FinallyContext::setHandlesReturns): Deleted.
        (JSC::FinallyContext::registerJump): Deleted.
        (JSC::FinallyContext::numberOfJumps): Deleted.
        (JSC::FinallyContext::jumps): Deleted.
        (JSC::ControlFlowScope::ControlFlowScope): Deleted.
        (JSC::ControlFlowScope::isLabelScope): Deleted.
        (JSC::ControlFlowScope::isFinallyScope): Deleted.
        (JSC::BytecodeGenerator::currentLexicalScopeIndex): Deleted.
        (JSC::BytecodeGenerator::FinallyRegistersScope::FinallyRegistersScope): Deleted.
        (JSC::BytecodeGenerator::FinallyRegistersScope::~FinallyRegistersScope): Deleted.
        (JSC::BytecodeGenerator::finallyActionRegister): Deleted.
        (JSC::BytecodeGenerator::finallyReturnValueRegister): Deleted.
        (JSC::BytecodeGenerator::emitSetFinallyActionToNormalCompletion): Deleted.
        (JSC::BytecodeGenerator::emitSetFinallyActionToReturnCompletion): Deleted.
        (JSC::BytecodeGenerator::emitSetFinallyActionToJumpID): Deleted.
        (JSC::BytecodeGenerator::emitSetFinallyReturnValueRegister): Deleted.
        (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNormalCompletion): Deleted.
        (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotJump): Deleted.
        (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsReturnCompletion): Deleted.
        (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotReturnCompletion): Deleted.
        (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotThrowCompletion): Deleted.
        (JSC::BytecodeGenerator::emitJumpIfCompletionTypeIsThrow): Deleted.
        (JSC::BytecodeGenerator::bytecodeOffsetToJumpID): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ContinueNode::emitBytecode):
        (JSC::BreakNode::emitBytecode):
        (JSC::ReturnNode::emitBytecode):
        (JSC::TryNode::emitBytecode):

2016-12-19  Mark Lam  <mark.lam@apple.com>

        Rolling out r209974 and r209952. They break some websites in mysterious ways. Step 1: Rollout r209974.
        https://bugs.webkit.org/show_bug.cgi?id=166049

        Not reviewed.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEnumeration):
        (JSC::BytecodeGenerator::emitJumpViaFinallyIfNeeded):
        (JSC::BytecodeGenerator::emitReturnViaFinallyIfNeeded):
        (JSC::BytecodeGenerator::emitFinallyCompletion):
        (JSC::BytecodeGenerator::allocateFinallyRegisters):
        (JSC::BytecodeGenerator::releaseFinallyRegisters):
        (JSC::BytecodeGenerator::emitCompareFinallyActionAndJumpIf):
        (JSC::BytecodeGenerator::allocateCompletionRecordRegisters): Deleted.
        (JSC::BytecodeGenerator::releaseCompletionRecordRegisters): Deleted.
        (JSC::BytecodeGenerator::emitJumpIfCompletionType): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        (JSC::FinallyJump::FinallyJump):
        (JSC::FinallyContext::registerJump):
        (JSC::BytecodeGenerator::FinallyRegistersScope::FinallyRegistersScope):
        (JSC::BytecodeGenerator::FinallyRegistersScope::~FinallyRegistersScope):
        (JSC::BytecodeGenerator::finallyActionRegister):
        (JSC::BytecodeGenerator::finallyReturnValueRegister):
        (JSC::BytecodeGenerator::emitSetFinallyActionToNormalCompletion):
        (JSC::BytecodeGenerator::emitSetFinallyActionToReturnCompletion):
        (JSC::BytecodeGenerator::emitSetFinallyActionToJumpID):
        (JSC::BytecodeGenerator::emitSetFinallyReturnValueRegister):
        (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNormalCompletion):
        (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotJump):
        (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsReturnCompletion):
        (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotReturnCompletion):
        (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotThrowCompletion):
        (JSC::BytecodeGenerator::emitJumpIfCompletionTypeIsThrow):
        (JSC::BytecodeGenerator::bytecodeOffsetToJumpID):
        (JSC::bytecodeOffsetToJumpID): Deleted.
        (JSC::BytecodeGenerator::CompletionRecordScope::CompletionRecordScope): Deleted.
        (JSC::BytecodeGenerator::CompletionRecordScope::~CompletionRecordScope): Deleted.
        (JSC::BytecodeGenerator::completionTypeRegister): Deleted.
        (JSC::BytecodeGenerator::completionValueRegister): Deleted.
        (JSC::BytecodeGenerator::emitSetCompletionType): Deleted.
        (JSC::BytecodeGenerator::emitSetCompletionValue): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::TryNode::emitBytecode):

2016-12-19  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Assertion seen in InspectorDebuggerAgent::refAsyncCallData with Inspector open
        https://bugs.webkit.org/show_bug.cgi?id=166034
        <rdar://problem/29554366>

        Reviewed by Brian Burg.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::refAsyncCallData):
        Remove assertion. This assert can happen if the currently executing callback
        was just explicitly cancelled by script. Existing code already handles if
        no async data was found for the given identifier.

2016-12-18  Saam Barati  <sbarati@apple.com>

        WebAssembly: Implement the WebAssembly.compile and WebAssembly.validate
        https://bugs.webkit.org/show_bug.cgi?id=165936

        Reviewed by Mark Lam.

        The APIs are documented here:
        - https://github.com/WebAssembly/design/blob/master/JS.md#webassemblycompile
        - https://github.com/WebAssembly/design/blob/master/JS.md#webassemblyvalidate

        * wasm/JSWebAssembly.cpp:
        (JSC::webAssemblyCompileFunc):
        (JSC::webAssemblyValidateFunc):
        (JSC::JSWebAssembly::finishCreation):
        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::parseAndValidateModule):
        (JSC::Wasm::Plan::run):
        * wasm/WasmPlan.h:
        * wasm/js/JSWebAssemblyHelpers.h:
        (JSC::getWasmBufferFromValue):
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        (JSC::constructJSWebAssemblyModule):
        (JSC::callJSWebAssemblyModule):
        (JSC::WebAssemblyModuleConstructor::createModule):
        * wasm/js/WebAssemblyModuleConstructor.h:

2016-12-18  Mark Lam  <mark.lam@apple.com>

        Rename finallyActionRegister to completionTypeRegister and only store int JSValues in it.
        https://bugs.webkit.org/show_bug.cgi?id=165979

        Reviewed by Saam Barati.

        This patch makes it so that we only store int JSValues in the finallyActionRegister
        thereby making type prediction on this register more successful for JITs.  In so
        doing, we are able to get some additional benefits:

        1. Renamed the following:
           FinallyRegistersScope => CompletionRecordScope
           finallyActionRegister => completionTypeRegister
           finallyReturnValueRegister => completionValueRegister

           These new names are more in line with the ES spec, which describes these
           values as the completion record and its type and value properties.
           https://tc39.github.io/ecma262/#sec-completion-record-specification-type

        2. We now think of the Break and Continue jumpIDs as encodings of CompletionType
           (in our implementation of completion type).  As a result, we only need one of
           each of the emitter methods for getting, setting, and compare-and-jump on the
           completion type.  The code using these methods also reads much clearer now.  

        3. Finally blocks' op_catch should now always pop the caught Exception object into
           the completionValueRegister instead of the completionTypeRegister (formerly
           finallyActionRegister). 

        Also removed the restoreScopeRegister() call in the IteratorClose catch block
        because that is an implementation specific synthesized catch block, and we
        can guarantee that it never needs to resolve any symbols from the scope.  Hence,
        there is no need to restore the scope register.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEnumeration):
        (JSC::BytecodeGenerator::emitJumpViaFinallyIfNeeded):
        (JSC::BytecodeGenerator::emitReturnViaFinallyIfNeeded):
        (JSC::BytecodeGenerator::emitFinallyCompletion):
        (JSC::BytecodeGenerator::allocateCompletionRecordRegisters):
        (JSC::BytecodeGenerator::releaseCompletionRecordRegisters):
        (JSC::BytecodeGenerator::emitJumpIfCompletionType):
        (JSC::BytecodeGenerator::allocateFinallyRegisters): Deleted.
        (JSC::BytecodeGenerator::releaseFinallyRegisters): Deleted.
        (JSC::BytecodeGenerator::emitCompareFinallyActionAndJumpIf): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        (JSC::bytecodeOffsetToJumpID):
        (JSC::FinallyJump::FinallyJump):
        (JSC::FinallyContext::registerJump):
        (JSC::BytecodeGenerator::CompletionRecordScope::CompletionRecordScope):
        (JSC::BytecodeGenerator::CompletionRecordScope::~CompletionRecordScope):
        (JSC::BytecodeGenerator::completionTypeRegister):
        (JSC::BytecodeGenerator::completionValueRegister):
        (JSC::BytecodeGenerator::emitSetCompletionType):
        (JSC::BytecodeGenerator::emitSetCompletionValue):
        (JSC::BytecodeGenerator::FinallyRegistersScope::FinallyRegistersScope): Deleted.
        (JSC::BytecodeGenerator::FinallyRegistersScope::~FinallyRegistersScope): Deleted.
        (JSC::BytecodeGenerator::finallyActionRegister): Deleted.
        (JSC::BytecodeGenerator::finallyReturnValueRegister): Deleted.
        (JSC::BytecodeGenerator::emitSetFinallyActionToNormalCompletion): Deleted.
        (JSC::BytecodeGenerator::emitSetFinallyActionToReturnCompletion): Deleted.
        (JSC::BytecodeGenerator::emitSetFinallyActionToJumpID): Deleted.
        (JSC::BytecodeGenerator::emitSetFinallyReturnValueRegister): Deleted.
        (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNormalCompletion): Deleted.
        (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotJump): Deleted.
        (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsReturnCompletion): Deleted.
        (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotReturnCompletion): Deleted.
        (JSC::BytecodeGenerator::emitJumpIfFinallyActionIsNotThrowCompletion): Deleted.
        (JSC::BytecodeGenerator::emitJumpIfCompletionTypeIsThrow): Deleted.
        (JSC::BytecodeGenerator::bytecodeOffsetToJumpID): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::TryNode::emitBytecode):

2016-12-17  Saam Barati  <sbarati@apple.com>

        WebAssembly: WasmB3IRGenerator uses WarmAny as a ValueRep but expects the incoming value to be a register
        https://bugs.webkit.org/show_bug.cgi?id=165989

        Reviewed by Mark Lam.

        The input should be constrained to a register to match what
        the patchpoint code expects.

        * wasm/WasmB3IRGenerator.cpp:

2016-12-17  Saam Barati  <sbarati@apple.com>

        WebAssembly: Change a RELEASE_ASSERT_NOT_REACHED to a jit.breakpoint() for now to allow us to run some wasm benchmarks
        https://bugs.webkit.org/show_bug.cgi?id=165990

        Reviewed by Mark Lam.

        * wasm/WasmBinding.cpp:
        (JSC::Wasm::importStubGenerator):

2016-12-16  Joseph Pecoraro  <pecoraro@apple.com>

        JSContext Inspector: Avoid some possible exceptions inspecting a JSContext
        https://bugs.webkit.org/show_bug.cgi?id=165986
        <rdar://problem/29551379>

        Reviewed by Matt Baker.

        * inspector/InjectedScriptSource.js:
        (InjectedScript.prototype.processProperties):
        Prefer String.prototype.endsWith now that it is available.

        (InjectedScript.prototype._describe):
        Prefer Function.prototype.toString for converting functions to String.
        Previously we were doing String(f) which would to Symbol.toPrimitive
        conversion which seems unnecessary here.

2016-12-16  Michael Catanzaro  <mcatanzaro@igalia.com>

        Unreviewed, fix GCC 6 build failure after r209952

        Return false, not nullptr, in function returning bool.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitJumpViaFinallyIfNeeded):

2016-12-16  Saam Barati  <sbarati@apple.com>

        WebAssembly: We still have some incorrect parsing productions inside unreachable code
        https://bugs.webkit.org/show_bug.cgi?id=165981

        Reviewed by Keith Miller.

        This hardens our parsing for CallIndirect and Loop/Block/If to be exactly like their reachable variant.
        
        It also fixes a more nefarious bug in which we were decoding an extra varuint32
        for Br/BrIf inside unreachable code.

        * wasm/WasmFunctionParser.h:

2016-12-16  Filip Pizlo  <fpizlo@apple.com>

        CellState should have members with accurate names
        https://bugs.webkit.org/show_bug.cgi?id=165969

        Reviewed by Mark Lam.
        
        This once again renames the members in CellState. I wanted to convey the following
        pieces of information in the names:
        
        - What does the state mean for Generational GC?
        - What does the state mean for Concurrent GC?
        - Does the state guarantee what it means, or is there some contingency?
        
        The names I came up with are:
        
        PossiblyOldOrBlack: An object in this state may be old, or may be black, depending on
            other things. If the mark bit is set then the object is either black or being
            blackened as we speak. It's going to survive the GC, so it will be old, but may be
            new now. In between GCs, objects in this state are definitely old. If the mark bit
            is not set, then the object is actually old and white.
        
        DefinitelyNewAndWhite: The object was just allocated so it is white (not marked) and
            new.
        
        DefinitelyGrey: The object is definitely grey - it will be rescanned in the future. It
            may be new or old depending on other things.

        * heap/CellState.h:
        * heap/Heap.cpp:
        (JSC::Heap::addToRememberedSet):
        (JSC::Heap::writeBarrierSlowPath):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::appendJSCellOrAuxiliary):
        (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
        (JSC::SlotVisitor::appendToMarkStack):
        (JSC::SlotVisitor::visitChildren):
        * runtime/JSCellInlines.h:
        (JSC::JSCell::JSCell):
        * runtime/StructureIDBlob.h:
        (JSC::StructureIDBlob::StructureIDBlob):

2016-12-16  Saam Barati  <sbarati@apple.com>

        B3::DoubleToFloatReduction will accidentally convince itself it converted a Phi from Double to Float and then convert uses of that Phi into a use of FloatToDouble(@Phi)
        https://bugs.webkit.org/show_bug.cgi?id=165946

        Reviewed by Keith Miller.

        This was happening because the phase will convert some Phi nodes
        from Double to Float. However, one place that did this conversion
        forgot to first check if the Phi was already a Float. If it's already
        a Float, a later part of the phase will be buggy if the phase claims that it has
        converted it from Double->Float. The reason is that at the end of the
        phase, we'll look for all uses of former Double Phi nodes and make them
        be a use of ConvertFloatToDouble on the Phi, instead of a use of the Phi itself.
        This is clearly wrong if the Phi were Float to begin with (and
        therefore, the uses were Float uses to begin with).

        * b3/B3ReduceDoubleToFloat.cpp:
        * b3/testb3.cpp:
        (JSC::B3::testReduceFloatToDoubleValidates):
        (JSC::B3::run):

2016-12-16  Mark Lam  <mark.lam@apple.com>

        De-duplicate finally blocks.
        https://bugs.webkit.org/show_bug.cgi?id=160168

        Reviewed by Keith Miller.

        JS execution can arrive at a finally block when there are abrupt completions from
        its try or catch block.  The abrupt completion types include Break,
        Continue, Return, and Throw.  The non-abrupt completion type is called Normal
        (i.e. the case of a try block falling through to the finally block).

        Previously, we enable each of these paths for abrupt completion (except for Throw)
        to run the finally block code by duplicating the finally block code at each of
        the sites that trigger those completions.  This patch fixes the implementation so
        that each of these abrupt completions will set a finallyActionRegister (plus a
        finallyReturnValueRegister for CompletionType::Return) and then jump to the
        relevant finally blocks, and continue to thread through subsequent outer finally
        blocks until execution reaches the outermost finally block that the completion
        type dictates.  We no longer duplicate the finally block code.

        The implementation details:
        1. We allocate a pair of finallyActionRegister and finallyReturnValueRegister
           just before entering the outermost try-catch-finally scope.

           On allocating the registers, we set them to the empty JSValue.  This serves
           to set the completion type to CompletionType::Normal (see (2) below).

        2. The finallyActionRegister serves 2 purpose:
           a. indicates the CompletionType that triggered entry into the finally block.

              This is how we encode the completion type in the finallyActionRegister:
              1. CompletionType::Normal
                 - finallyActionRegister is set to the empty JSValue.
              2. CompletionType::Break
                 - finallyActionRegister is set to the int jumpID for the site of the break statement.
              3. CompletionType::Continue
                 - finallyActionRegister is set to the int jumpID for the site of the continue statement.
              4. CompletionType::Return
                 - finallyActionRegister is set to CompletionType::Return as an int JSValue.
                 - finallyReturnValueRegister is set to the value to be returned. 
              5. CompletionType::Throw
                 - finallyActionRegister is set to the exception object that was caught by the finally block.

              Hence, if the finallyActionRegister can either be:
              1. empty i.e. we're handling CompletionType::Normal.
              2. an int JSValue i.e. we're handling CompletionType::Break, Continue, or Return.
              3. an object i.e. we're handling CompletionType::Throw.

           b. stores the exception caught in the finally block if we're handing
              CompletionType::Throw.

        3. Each finally block will have 2 entries:
           a. the entry via throw.
           b. the normal entry.