[JSC] Specifying same module entry point multiple times causes TypeError
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2
3         [JSC] Specifying same module entry point multiple times cause TypeError
4         https://bugs.webkit.org/show_bug.cgi?id=164858
5
6         Reviewed by Saam Barati.
7
8         Allow importing the same module multiple times. Previously, when specifying the same
9         module in the <script type="module" src="here">, it threw a TypeError.
10
11         * builtins/ModuleLoaderPrototype.js:
12         (requestFetch):
13         (requestTranslate):
14         (requestInstantiate):
15         (requestSatisfy):
16
17 2016-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
18
19         WebAssembly JS API: export a module namespace object instead of a module environment
20         https://bugs.webkit.org/show_bug.cgi?id=165121
21
22         Reviewed by Saam Barati.
23
24         This patch sets up AbstractModuleRecord further for WebAssemblyModuleRecord.
25         For exported entries in a wasm instance, we set up exported entries for
26         AbstractModuleRecord. This allows us to export WASM exported functions in
27         the module handling code.
28
29         Since the exported entries in the abstract module record are correctly
30         instantiated, the module namespace object for the WASM module also starts
31         working correctly. So we start exposing the module namespace object
32         as `instance.exports` instead of the module environment object.
33
34         And we move SourceCode, lexicalVariables, and declaredVariables fields to
35         JSModuleRecord since they are related to JS source code (in the spec words,
36         they are related to the source text module record).
37
38         * runtime/AbstractModuleRecord.cpp:
39         (JSC::AbstractModuleRecord::AbstractModuleRecord):
40         * runtime/AbstractModuleRecord.h:
41         (JSC::AbstractModuleRecord::sourceCode): Deleted.
42         (JSC::AbstractModuleRecord::declaredVariables): Deleted.
43         (JSC::AbstractModuleRecord::lexicalVariables): Deleted.
44         * runtime/JSModuleRecord.cpp:
45         (JSC::JSModuleRecord::JSModuleRecord):
46         * runtime/JSModuleRecord.h:
47         (JSC::JSModuleRecord::sourceCode):
48         (JSC::JSModuleRecord::declaredVariables):
49         (JSC::JSModuleRecord::lexicalVariables):
50         * wasm/WasmFormat.cpp:
51         * wasm/js/JSWebAssemblyInstance.cpp:
52         (JSC::JSWebAssemblyInstance::finishCreation):
53         * wasm/js/WebAssemblyFunction.cpp:
54         * wasm/js/WebAssemblyInstanceConstructor.cpp:
55         (JSC::constructJSWebAssemblyInstance):
56         * wasm/js/WebAssemblyModuleRecord.cpp:
57         (JSC::WebAssemblyModuleRecord::create):
58         (JSC::WebAssemblyModuleRecord::WebAssemblyModuleRecord):
59         (JSC::WebAssemblyModuleRecord::finishCreation):
60         WebAssemblyModuleRecord::link should perform linking things.
61         So allocating exported entries should be done here.
62         (JSC::WebAssemblyModuleRecord::link):
63         * wasm/js/WebAssemblyModuleRecord.h:
64
65 2016-11-30  Mark Lam  <mark.lam@apple.com>
66
67         TypeInfo::OutOfLineTypeFlags should be 16 bits in size.
68         https://bugs.webkit.org/show_bug.cgi?id=165224
69
70         Reviewed by Saam Barati.
71
72         There's no reason for OutOfLineTypeFlags to be constrained to 8 bits since the
73         space is available to us.  Making OutOfLineTypeFlags 16 bits brings TypeInfo up
74         to 32 bits in size from the current 24 bits.
75
76         * runtime/JSTypeInfo.h:
77         (JSC::TypeInfo::TypeInfo):
78
79 2016-11-30  Joseph Pecoraro  <pecoraro@apple.com>
80
81         REGRESSION: inspector/sampling-profiler/* LayoutTests are flaky timeouts
82         https://bugs.webkit.org/show_bug.cgi?id=164388
83         <rdar://problem/29101555>
84
85         Reviewed by Saam Barati.
86
87         There was a possibility of a deadlock between the main thread and the GC thread
88         with the SamplingProfiler lock when Inspector is processing samples to send to
89         the frontend. The Inspector (main thread) was holding the SamplingProfiler lock
90         while processing samples, which runs JavaScript that could trigger a GC, and
91         GC then tries to acquire the SamplingProfiler lock to process unprocessed samples.
92
93         A simple solution here is to tighten the bounds of when Inspector holds the
94         SamplingProfiler lock. It only needs the lock when extracting samples from
95         the SamplingProfiler. It doesn't need to hold the lock for processing those
96         samples, which is what can run script and cause a GC.
97
98         * inspector/agents/InspectorScriptProfilerAgent.cpp:
99         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
100         Tighten bounds of this lock to only where it is needed.
101
102 2016-11-30  Mark Lam  <mark.lam@apple.com>
103
104         Proxy is not allowed in the global prototype chain.
105         https://bugs.webkit.org/show_bug.cgi?id=165205
106
107         Reviewed by Geoffrey Garen.
108
109         * runtime/ProgramExecutable.cpp:
110         (JSC::ProgramExecutable::initializeGlobalProperties):
111         - We'll now throw a TypeError if we detect a Proxy in the global prototype chain.
112
113 2016-11-30  Commit Queue  <commit-queue@webkit.org>
114
115         Unreviewed, rolling out r209112.
116         https://bugs.webkit.org/show_bug.cgi?id=165208
117
118         "It regressed Octane/Raytrace and JetStream" (Requested by
119         saamyjoon on #webkit).
120
121         Reverted changeset:
122
123         "We should support CreateThis in the FTL"
124         https://bugs.webkit.org/show_bug.cgi?id=164904
125         http://trac.webkit.org/changeset/209112
126
127 2016-11-30  Darin Adler  <darin@apple.com>
128
129         Streamline and speed up tokenizer and segmented string classes
130         https://bugs.webkit.org/show_bug.cgi?id=165003
131
132         Reviewed by Sam Weinig.
133
134         * runtime/JSONObject.cpp:
135         (JSC::Stringifier::appendStringifiedValue): Use viewWithUnderlyingString when calling
136         StringBuilder::appendQuotedJSONString, since it now takes a StringView and there is
137         no benefit in creating a String for that function if one doesn't already exist.
138
139 2016-11-29  JF Bastien  <jfbastien@apple.com>
140
141         WebAssembly JS API: improve Instance
142         https://bugs.webkit.org/show_bug.cgi?id=164757
143
144         Reviewed by Keith Miller.
145
146         An Instance's `exports` property wasn't populated with exports.
147
148         According to the spec [0], `exports` should present itself as a WebAssembly
149         Module Record. In order to do this we need to split JSModuleRecord into
150         AbstractModuleRecord (without the `link` and `evaluate` functions), and
151         JSModuleRecord (which implements link and evaluate). We can then have a separate
152         WebAssemblyModuleRecord which shares most of the implementation.
153
154         `exports` then maps function names to WebAssemblyFunction and
155         WebAssemblyFunctionCell, which call into the B3-generated WebAssembly code.
156
157         A follow-up patch will do imports.
158
159         A few things of note:
160
161          - Use Identifier instead of String. They get uniqued, and we need them for the JSModuleNamespaceObject. This is safe because JSWebAssemblyModule creation is on the main thread.
162          - JSWebAssemblyInstance needs to refer to the JSWebAssemblyModule used to create it, because the module owns the code, identifiers, etc. The world would be very sad if it got GC'd.
163          - Instance.exports shouldn't use putWithoutTransition because it affects all Structures, whereas here each instance needs its own exports.
164          - Expose the compiled functions, and pipe them to the InstanceConstructor. Start moving things around to split JSModuleRecord out into JS and WebAssembly parts.
165
166           [0]: https://github.com/WebAssembly/design/blob/master/JS.md#webassemblyinstance-constructor
167
168         * CMakeLists.txt:
169         * JavaScriptCore.xcodeproj/project.pbxproj:
170         * runtime/AbstractModuleRecord.cpp: Copied from Source/JavaScriptCore/runtime/JSModuleRecord.cpp, which I split in two
171         (JSC::AbstractModuleRecord::AbstractModuleRecord):
172         (JSC::AbstractModuleRecord::destroy):
173         (JSC::AbstractModuleRecord::finishCreation):
174         (JSC::AbstractModuleRecord::visitChildren):
175         (JSC::AbstractModuleRecord::appendRequestedModule):
176         (JSC::AbstractModuleRecord::addStarExportEntry):
177         (JSC::AbstractModuleRecord::addImportEntry):
178         (JSC::AbstractModuleRecord::addExportEntry):
179         (JSC::identifierToJSValue):
180         (JSC::AbstractModuleRecord::hostResolveImportedModule):
181         (JSC::AbstractModuleRecord::ResolveQuery::ResolveQuery):
182         (JSC::AbstractModuleRecord::ResolveQuery::isEmptyValue):
183         (JSC::AbstractModuleRecord::ResolveQuery::isDeletedValue):
184         (JSC::AbstractModuleRecord::ResolveQuery::Hash::hash):
185         (JSC::AbstractModuleRecord::ResolveQuery::Hash::equal):
186         (JSC::AbstractModuleRecord::cacheResolution):
187         (JSC::getExportedNames):
188         (JSC::AbstractModuleRecord::getModuleNamespace):
189         (JSC::printableName):
190         (JSC::AbstractModuleRecord::dump):
191         * runtime/AbstractModuleRecord.h: Copied from Source/JavaScriptCore/runtime/JSModuleRecord.h.
192         (JSC::AbstractModuleRecord::ImportEntry::isNamespace):
193         (JSC::AbstractModuleRecord::sourceCode):
194         (JSC::AbstractModuleRecord::moduleKey):
195         (JSC::AbstractModuleRecord::requestedModules):
196         (JSC::AbstractModuleRecord::exportEntries):
197         (JSC::AbstractModuleRecord::importEntries):
198         (JSC::AbstractModuleRecord::starExportEntries):
199         (JSC::AbstractModuleRecord::declaredVariables):
200         (JSC::AbstractModuleRecord::lexicalVariables):
201         (JSC::AbstractModuleRecord::moduleEnvironment):
202         * runtime/JSGlobalObject.cpp:
203         (JSC::JSGlobalObject::init):
204         (JSC::JSGlobalObject::visitChildren):
205         * runtime/JSGlobalObject.h:
206         (JSC::JSGlobalObject::webAssemblyModuleRecordStructure):
207         (JSC::JSGlobalObject::webAssemblyFunctionStructure):
208         * runtime/JSModuleEnvironment.cpp:
209         (JSC::JSModuleEnvironment::create):
210         (JSC::JSModuleEnvironment::finishCreation):
211         (JSC::JSModuleEnvironment::getOwnPropertySlot):
212         (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
213         (JSC::JSModuleEnvironment::put):
214         (JSC::JSModuleEnvironment::deleteProperty):
215         * runtime/JSModuleEnvironment.h:
216         (JSC::JSModuleEnvironment::create):
217         (JSC::JSModuleEnvironment::offsetOfModuleRecord):
218         (JSC::JSModuleEnvironment::allocationSize):
219         (JSC::JSModuleEnvironment::moduleRecord):
220         (JSC::JSModuleEnvironment::moduleRecordSlot):
221         * runtime/JSModuleNamespaceObject.cpp:
222         (JSC::JSModuleNamespaceObject::finishCreation):
223         (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
224         * runtime/JSModuleNamespaceObject.h:
225         (JSC::JSModuleNamespaceObject::create):
226         (JSC::JSModuleNamespaceObject::moduleRecord):
227         * runtime/JSModuleRecord.cpp:
228         (JSC::JSModuleRecord::createStructure):
229         (JSC::JSModuleRecord::create):
230         (JSC::JSModuleRecord::JSModuleRecord):
231         (JSC::JSModuleRecord::destroy):
232         (JSC::JSModuleRecord::finishCreation):
233         (JSC::JSModuleRecord::visitChildren):
234         (JSC::JSModuleRecord::instantiateDeclarations):
235         * runtime/JSModuleRecord.h:
236         * runtime/JSScope.cpp:
237         (JSC::abstractAccess):
238         (JSC::JSScope::collectClosureVariablesUnderTDZ):
239         * runtime/VM.cpp:
240         (JSC::VM::VM):
241         * runtime/VM.h:
242         * wasm/JSWebAssembly.h:
243         * wasm/WasmFormat.h: use Identifier instead of String
244         * wasm/WasmModuleParser.cpp:
245         (JSC::Wasm::ModuleParser::parse):
246         (JSC::Wasm::ModuleParser::parseType):
247         (JSC::Wasm::ModuleParser::parseImport): fix off-by-one
248         (JSC::Wasm::ModuleParser::parseFunction):
249         (JSC::Wasm::ModuleParser::parseExport):
250         * wasm/WasmModuleParser.h:
251         (JSC::Wasm::ModuleParser::ModuleParser):
252         * wasm/WasmPlan.cpp:
253         (JSC::Wasm::Plan::run):
254         * wasm/js/JSWebAssemblyInstance.cpp:
255         (JSC::JSWebAssemblyInstance::create):
256         (JSC::JSWebAssemblyInstance::finishCreation):
257         (JSC::JSWebAssemblyInstance::visitChildren):
258         * wasm/js/JSWebAssemblyInstance.h:
259         (JSC::JSWebAssemblyInstance::module):
260         * wasm/js/JSWebAssemblyModule.cpp:
261         (JSC::JSWebAssemblyModule::create):
262         (JSC::JSWebAssemblyModule::finishCreation):
263         (JSC::JSWebAssemblyModule::visitChildren):
264         * wasm/js/JSWebAssemblyModule.h:
265         (JSC::JSWebAssemblyModule::moduleInformation):
266         (JSC::JSWebAssemblyModule::compiledFunctions):
267         (JSC::JSWebAssemblyModule::exportSymbolTable):
268         * wasm/js/WebAssemblyFunction.cpp: Added.
269         (JSC::callWebAssemblyFunction):
270         (JSC::WebAssemblyFunction::create):
271         (JSC::WebAssemblyFunction::createStructure):
272         (JSC::WebAssemblyFunction::WebAssemblyFunction):
273         (JSC::WebAssemblyFunction::visitChildren):
274         (JSC::WebAssemblyFunction::finishCreation):
275         * wasm/js/WebAssemblyFunction.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyModule.h.
276         (JSC::CallableWebAssemblyFunction::CallableWebAssemblyFunction):
277         (JSC::WebAssemblyFunction::webAssemblyFunctionCell):
278         * wasm/js/WebAssemblyFunctionCell.cpp: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.h.
279         (JSC::WebAssemblyFunctionCell::create):
280         (JSC::WebAssemblyFunctionCell::WebAssemblyFunctionCell):
281         (JSC::WebAssemblyFunctionCell::destroy):
282         (JSC::WebAssemblyFunctionCell::createStructure):
283         * wasm/js/WebAssemblyFunctionCell.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.h.
284         (JSC::WebAssemblyFunctionCell::function):
285         * wasm/js/WebAssemblyInstanceConstructor.cpp:
286         (JSC::constructJSWebAssemblyInstance):
287         * wasm/js/WebAssemblyModuleConstructor.cpp:
288         (JSC::constructJSWebAssemblyModule):
289         * wasm/js/WebAssemblyModuleRecord.cpp: Added.
290         (JSC::WebAssemblyModuleRecord::createStructure):
291         (JSC::WebAssemblyModuleRecord::create):
292         (JSC::WebAssemblyModuleRecord::WebAssemblyModuleRecord):
293         (JSC::WebAssemblyModuleRecord::destroy):
294         (JSC::WebAssemblyModuleRecord::finishCreation):
295         (JSC::WebAssemblyModuleRecord::visitChildren):
296         (JSC::WebAssemblyModuleRecord::link):
297         (JSC::WebAssemblyModuleRecord::evaluate):
298         * wasm/js/WebAssemblyModuleRecord.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyModule.h.
299
300 2016-11-29  Saam Barati  <sbarati@apple.com>
301
302         We should be able to optimize the pattern where we spread a function's rest parameter to another call
303         https://bugs.webkit.org/show_bug.cgi?id=163865
304
305         Reviewed by Filip Pizlo.
306
307         This patch optimizes the following patterns to prevent both the allocation
308         of the rest parameter, and the execution of the iterator protocol:
309         
310         ```
311         function foo(...args) {
312             let arr = [...args];
313         }
314         
315         and
316         
317         function foo(...args) {
318             bar(...args);
319         }
320         ```
321         
322         To do this, I've extended the arguments elimination phase to reason
323         about Spread and NewArrayWithSpread. I've added two new nodes, PhantomSpread
324         and PhantomNewArrayWithSpread. PhantomSpread is only allowed over rest
325         parameters that don't escape. If the rest parameter *does* escape, we can't
326         convert the spread into a phantom because it would not be sound w.r.t. JS
327         semantics because we would be reading from the call frame even though
328         the rest array may have changed.
329         
330         Note that NewArrayWithSpread also understands what to do when one of its
331         arguments is PhantomSpread(@PhantomCreateRest) even if it itself is escaped.
332         
333         PhantomNewArrayWithSpread is only allowed over a series of
334         PhantomSpread(@PhantomCreateRest) nodes. Like with PhantomSpread, PhantomNewArrayWithSpread
335         is only allowed if none of its arguments that are being spread are escaped
336         and if it itself is not escaped.
337         
338         Because there is a dependency between a node being a candidate and
339         the escaped state of the node's children, I've extended the notion
340         of escaping a node inside the arguments elimination phase. Now, when
341         any node is escaped, we must consider all other candidates that may
342         now no longer be valid.
343         
344         For example:
345         
346         ```
347         function foo(...args) {
348             escape(args);
349             bar(...args);
350         }
351         ```
352         
353         In the above program, we don't know if the function call to escape()
354         modifies args, therefore, the spread cannot become phantom because
355         the execution of the spread may not be as simple as reading the
356         arguments from the call frame.
357         
358         Unfortunately, the arguments elimination phase does not consider control
359         flow when doing its escape analysis. It would be good to integrate this
360         phase with the object allocation sinking phase. To see why, consider
361         an example where we don't eliminate the spread and allocation of the rest
362         parameter even though we could:
363         
364         ```
365         function foo(rareCondition, ...args) {
366             bar(...args);
367             if (rareCondition)
368                 baz(args);
369         }
370         ```
371         
372         There are only a few users of the PhantomSpread and PhantomNewArrayWithSpread
373         nodes. PhantomSpread is only used by PhantomNewArrayWithSpread and NewArrayWithSpread.
374         PhantomNewArrayWithSpread is only used by ForwardVarargs and the various
375         *Call*ForwardVarargs nodes. The users of these phantoms know how to produce
376         what the phantom node would have produced. For example, NewArrayWithSpread
377         knows how to produce the values that would have been produced by PhantomSpread(@PhantomCreateRest)
378         by directly reading from the call frame.
379         
380         This patch is a 6% speedup on my MBP on ES6SampleBench.
381
382         * b3/B3LowerToAir.cpp:
383         (JSC::B3::Air::LowerToAir::tryAppendLea):
384         * b3/B3ValueRep.h:
385         * builtins/BuiltinExecutables.cpp:
386         (JSC::BuiltinExecutables::createDefaultConstructor):
387         * dfg/DFGAbstractInterpreterInlines.h:
388         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
389         * dfg/DFGArgumentsEliminationPhase.cpp:
390         * dfg/DFGClobberize.h:
391         (JSC::DFG::clobberize):
392         * dfg/DFGDoesGC.cpp:
393         (JSC::DFG::doesGC):
394         * dfg/DFGFixupPhase.cpp:
395         (JSC::DFG::FixupPhase::fixupNode):
396         * dfg/DFGForAllKills.h:
397         (JSC::DFG::forAllKillsInBlock):
398         * dfg/DFGNode.h:
399         (JSC::DFG::Node::hasConstant):
400         (JSC::DFG::Node::constant):
401         (JSC::DFG::Node::bitVector):
402         (JSC::DFG::Node::isPhantomAllocation):
403         * dfg/DFGNodeType.h:
404         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
405         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
406         (JSC::DFG::LocalOSRAvailabilityCalculator::LocalOSRAvailabilityCalculator):
407         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
408         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
409         * dfg/DFGObjectAllocationSinkingPhase.cpp:
410         * dfg/DFGPreciseLocalClobberize.h:
411         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
412         * dfg/DFGPredictionPropagationPhase.cpp:
413         * dfg/DFGPromotedHeapLocation.cpp:
414         (WTF::printInternal):
415         * dfg/DFGPromotedHeapLocation.h:
416         * dfg/DFGSafeToExecute.h:
417         (JSC::DFG::safeToExecute):
418         * dfg/DFGSpeculativeJIT32_64.cpp:
419         (JSC::DFG::SpeculativeJIT::compile):
420         * dfg/DFGSpeculativeJIT64.cpp:
421         (JSC::DFG::SpeculativeJIT::compile):
422         * dfg/DFGValidate.cpp:
423         * ftl/FTLCapabilities.cpp:
424         (JSC::FTL::canCompile):
425         * ftl/FTLLowerDFGToB3.cpp:
426         (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
427         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
428         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
429         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
430         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
431         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
432         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs):
433         (JSC::FTL::DFG::LowerDFGToB3::getSpreadLengthFromInlineCallFrame):
434         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread):
435         * ftl/FTLOperations.cpp:
436         (JSC::FTL::operationPopulateObjectInOSR):
437         (JSC::FTL::operationMaterializeObjectInOSR):
438         * jit/SetupVarargsFrame.cpp:
439         (JSC::emitSetupVarargsFrameFastCase):
440         * jsc.cpp:
441         (GlobalObject::finishCreation):
442         (functionMaxArguments):
443         * runtime/JSFixedArray.h:
444         (JSC::JSFixedArray::createFromArray):
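
The rest-parameter shapes discussed in the entry above, as an added example that is not part of this ChangeLog or of JSC's own code: a small JavaScript conformance check pinning down the observable behaviour any phantom spread must preserve, in particular that a spread after the rest array escapes still sees the mutation. The `sum` and `escape` helpers are constructed for the example.

```javascript
"use strict";

// Pattern 1: rest parameter spread into a fresh array literal. The literal
// must be a copy: mutating `args` afterwards may not change it.
function spreadToArray(...args) {
    const arr = [...args];
    args.push(99); // mutate the rest array after the spread
    return arr;    // still holds only the original arguments
}

// Constructed callee for the forwarding patterns: adds up whatever it receives.
function sum() {
    let total = 0;
    for (let i = 0; i < arguments.length; i++)
        total += arguments[i];
    return total;
}

// Pattern 2: rest parameter forwarded straight to another call. Nothing
// observes `args`, so it never has to exist as an array.
function forward(...args) {
    return sum(...args);
}

// Constructed helper that makes the rest array escape and mutates it.
function escape(arr) {
    arr.push(1000);
    arr[0] = -arr[0];
}

// Pattern 3: the rest array escapes before the spread. The spread must observe
// the mutation, so reading the values back from the call frame would be wrong.
function forwardAfterEscape(...args) {
    escape(args);
    return sum(...args);
}

// Pattern 4 (the missed opportunity in the text): the escape happens on a rare
// path after the spread, so the spread itself is unaffected even though a
// flow-insensitive analysis treats `args` as escaped.
function forwardThenRareEscape(rareCondition, ...args) {
    const result = sum(...args);
    if (rareCondition)
        escape(args);
    return result;
}

// Exercise every pattern enough times for a tiering JIT to compile them, and
// report whether each one kept the semantics the interpreter would give.
function runChecks(iterations = 1e4) {
    const ok = { spreadToArray: true, forward: true, escaped: true, rare: true };
    for (let i = 0; i < iterations; i++) {
        const arr = spreadToArray(i, i + 1, i + 2);
        if (arr.length !== 3 || arr[0] !== i || arr[2] !== i + 2)
            ok.spreadToArray = false;
        if (forward(i, 2, 3) !== i + 5)
            ok.forward = false;
        // escape() negated the first element and appended 1000: (-i) + 2 + 3 + 1000
        if (forwardAfterEscape(i, 2, 3) !== -i + 1005)
            ok.escaped = false;
        if (forwardThenRareEscape(i % 1000 === 0, i, 2, 3) !== i + 5)
            ok.rare = false;
    }
    return ok;
}
```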
445
446 2016-11-29  Commit Queue  <commit-queue@webkit.org>
447
448         Unreviewed, rolling out r209058 and r209074.
449         https://bugs.webkit.org/show_bug.cgi?id=165188
450
451         These changes caused API test StringBuilderTest.Equal to crash
452         and/or fail. (Requested by ryanhaddad on #webkit).
453
454         Reverted changesets:
455
456         "Streamline and speed up tokenizer and segmented string
457         classes"
458         https://bugs.webkit.org/show_bug.cgi?id=165003
459         http://trac.webkit.org/changeset/209058
460
461         "REGRESSION (r209058): API test StringBuilderTest.Equal
462         crashing"
463         https://bugs.webkit.org/show_bug.cgi?id=165142
464         http://trac.webkit.org/changeset/209074
465
466 2016-11-29  Caitlin Potter  <caitp@igalia.com>
467
468         [JSC] always wrap AwaitExpression operand in a new Promise
469         https://bugs.webkit.org/show_bug.cgi?id=165181
470
471         Reviewed by Yusuke Suzuki.
472
473         Ensure operand of AwaitExpression is wrapped in a new Promise by
474         explicitly creating a new Promise Capability and invoking its
475         resolve callback. This avoids the specified short-circuit for
476         Promise.resolve().
477
478         * builtins/AsyncFunctionPrototype.js:
479         (globalPrivate.asyncFunctionResume):
480
481 2016-11-29  Saam Barati  <sbarati@apple.com>
482
483         We should support CreateThis in the FTL
484         https://bugs.webkit.org/show_bug.cgi?id=164904
485
486         Reviewed by Geoffrey Garen.
487
488         * ftl/FTLAbstractHeapRepository.h:
489         * ftl/FTLCapabilities.cpp:
490         (JSC::FTL::canCompile):
491         * ftl/FTLLowerDFGToB3.cpp:
492         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
493         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
494         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
495         (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis):
496         (JSC::FTL::DFG::LowerDFGToB3::storeStructure):
497         (JSC::FTL::DFG::LowerDFGToB3::allocateCell):
498         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
499         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
500         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
501         * runtime/Structure.h:
502
503 2016-11-29  Mark Lam  <mark.lam@apple.com>
504
505         Fix exception scope verification failures in runtime/RegExp* files.
506         https://bugs.webkit.org/show_bug.cgi?id=165054
507
508         Reviewed by Saam Barati.
509
510         Also replaced returning JSValue() with returning { }.
511
512         * runtime/RegExpConstructor.cpp:
513         (JSC::toFlags):
514         (JSC::regExpCreate):
515         (JSC::constructRegExp):
516         * runtime/RegExpObject.cpp:
517         (JSC::RegExpObject::defineOwnProperty):
518         (JSC::collectMatches):
519         (JSC::RegExpObject::matchGlobal):
520         * runtime/RegExpObjectInlines.h:
521         (JSC::getRegExpObjectLastIndexAsUnsigned):
522         (JSC::RegExpObject::execInline):
523         (JSC::RegExpObject::matchInline):
524         * runtime/RegExpPrototype.cpp:
525         (JSC::regExpProtoFuncCompile):
526         (JSC::flagsString):
527         (JSC::regExpProtoFuncToString):
528         (JSC::regExpProtoFuncSplitFast):
529
530 2016-11-29  Andy Estes  <aestes@apple.com>
531
532         [Cocoa] Enable two clang warnings recommended by Xcode
533         https://bugs.webkit.org/show_bug.cgi?id=164498
534
535         Reviewed by Mark Lam.
536
537         * Configurations/Base.xcconfig: Enabled CLANG_WARN_INFINITE_RECURSION and CLANG_WARN_SUSPICIOUS_MOVE.
538
539 2016-11-29  Keith Miller  <keith_miller@apple.com>
540
541         Add simple way to implement Wasm ops that require more than one B3 opcode
542         https://bugs.webkit.org/show_bug.cgi?id=165129
543
544         Reviewed by Geoffrey Garen.
545
546         This patch adds a simple way to show the B3IRGenerator opcode script how
547         to generate code for Wasm opcodes that do not have a one to one mapping.
548         The syntax is pretty simple right now. There are only three things one
549         can use as of this patch (although more things might be added in the future):
550         1) Wasm opcode arguments: These are referred to as @<argument_number>. For example,
551            I32.sub would map to Sub(@0, @1).
552         2) 32-bit int constants: These are referred to as i32(<value>). For example, i32.inc
553            would map to Add(@0, i32(1))
554         3) B3 opcodes: These are referred to as the B3 opcode name followed by the B3Value's constructor
555            arguments. A value may take the result of another value as an argument. For example, you can do
556            Div(Mul(@0, Add(@0, i32(1))), i32(2)) if there was a b3 opcode that computed the sum from 1 to n.
557
558         These scripts are used to implement Wasm's eqz and floating point max/min opcodes. This patch
559         also adds missing support for the Wasm Neg opcodes.
560
561         * jsc.cpp:
562         (box):
563         (functionTestWasmModuleFunctions):
564         * wasm/WasmB3IRGenerator.cpp:
565         (JSC::Wasm::toB3Op): Deleted.
566         * wasm/WasmFunctionParser.h:
567         (JSC::Wasm::FunctionParser<Context>::parseBody):
568         * wasm/WasmModuleParser.cpp:
569         (JSC::Wasm::ModuleParser::parseType):
570         * wasm/WasmParser.h:
571         (JSC::Wasm::Parser::parseUInt8):
572         (JSC::Wasm::Parser::parseValueType):
573         * wasm/generateWasmB3IRGeneratorInlinesHeader.py:
574         (Source):
575         (Source.__init__):
576         (read):
577         (lex):
578         (CodeGenerator):
579         (CodeGenerator.__init__):
580         (CodeGenerator.advance):
581         (CodeGenerator.token):
582         (CodeGenerator.parseError):
583         (CodeGenerator.consume):
584         (CodeGenerator.generateParameters):
585         (CodeGenerator.generateOpcode):
586         (CodeGenerator.generate):
587         (temp):
588         (generateB3OpCode):
589         (generateI32ConstCode):
590         (generateB3Code):
591         (generateSimpleCode):
592         * wasm/wasm.json:
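
An added example, not the project's generateWasmB3IRGeneratorInlinesHeader.py: a JavaScript parser and evaluator for the three-construct script syntax described in the entry above (`@<n>` arguments, `i32(<value>)` constants, and nested B3 opcode applications), run on the scripts quoted in the entry. The opcode set and the 32-bit semantics in `B3_OPS` are assumed for illustration, not taken from B3.

```javascript
"use strict";

// Tokenizer for the script syntax: "@<n>" arguments, identifiers (opcode
// names and "i32"), integer literals, and the punctuation "(", ")" and ",".
function lex(script) {
    const tokens = [];
    const re = /\s*(?:(@\d+)|([A-Za-z_]\w*)|(-?\d+)|([(),]))/gy;
    let pos = 0;
    while (pos < script.length) {
        re.lastIndex = pos;
        const m = re.exec(script);
        if (!m) throw new SyntaxError(`unexpected input at ${pos}: ${script.slice(pos)}`);
        pos = re.lastIndex;
        if (m[1]) tokens.push({ type: "arg", value: Number(m[1].slice(1)) });
        else if (m[2]) tokens.push({ type: "ident", value: m[2] });
        else if (m[3]) tokens.push({ type: "int", value: Number(m[3]) });
        else tokens.push({ type: "punct", value: m[4] });
    }
    return tokens;
}

// Recursive-descent parser producing a small tree: {kind:"arg"}, {kind:"i32"}
// or {kind:"op", opcode, args}. Any identifier other than i32 is an opcode.
function parse(script) {
    const tokens = lex(script.trim());
    let i = 0;
    const next = () => {
        if (i >= tokens.length) throw new SyntaxError("unexpected end of script");
        return tokens[i++];
    };
    const atPunct = (p) => i < tokens.length && tokens[i].type === "punct" && tokens[i].value === p;
    const expect = (p) => { if (!atPunct(p)) throw new SyntaxError(`expected '${p}'`); i++; };

    function parseValue() {
        const t = next();
        if (t.type === "arg") return { kind: "arg", index: t.value };        // @<n>
        if (t.type !== "ident") throw new SyntaxError(`unexpected token '${t.value}'`);
        expect("(");
        if (t.value === "i32") {                                             // i32(<value>)
            const c = next();
            if (c.type !== "int") throw new SyntaxError("i32() takes an integer literal");
            expect(")");
            return { kind: "i32", value: c.value | 0 };
        }
        const args = [];                                                     // Opcode(value, ...)
        if (!atPunct(")")) {
            args.push(parseValue());
            while (atPunct(",")) { i++; args.push(parseValue()); }
        }
        expect(")");
        return { kind: "op", opcode: t.value, args };
    }
    const tree = parseValue();
    if (i !== tokens.length) throw new SyntaxError("trailing tokens after expression");
    return tree;
}

// Assumed 32-bit integer semantics for a handful of opcodes, enough to run the
// entry's examples (Sub for i32.sub, Add for i32.inc, Equal for eqz, and the
// Div(Mul(...)) script). Real B3 semantics are not claimed here.
const B3_OPS = {
    Add: (a, b) => (a + b) | 0,
    Sub: (a, b) => (a - b) | 0,
    Mul: (a, b) => Math.imul(a, b),
    Div: (a, b) => { if (b === 0) throw new RangeError("integer division by zero"); return (a / b) | 0; },
    Equal: (a, b) => (a === b ? 1 : 0),
};

// Interpret a parsed script against the Wasm opcode's argument values.
function evaluate(node, wasmArgs) {
    switch (node.kind) {
    case "arg":
        if (node.index >= wasmArgs.length) throw new RangeError(`@${node.index} out of range`);
        return wasmArgs[node.index] | 0;
    case "i32":
        return node.value;
    default: {
        const fn = B3_OPS[node.opcode];
        if (!fn) throw new Error(`unsupported B3 opcode ${node.opcode}`);
        if (fn.length !== node.args.length)
            throw new Error(`${node.opcode} expects ${fn.length} operands, got ${node.args.length}`);
        return fn(...node.args.map((a) => evaluate(a, wasmArgs)));
    }
    }
}

function runScript(script, ...wasmArgs) {
    return evaluate(parse(script), wasmArgs);
}
```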
593
594 2016-11-29  Mark Lam  <mark.lam@apple.com>
595
596         Fix exception scope verification failures in ProxyConstructor.cpp and ProxyObject.cpp.
597         https://bugs.webkit.org/show_bug.cgi?id=165053
598
599         Reviewed by Saam Barati.
600
601         Also replaced returning JSValue() with returning { }.
602
603         * runtime/ProxyConstructor.cpp:
604         (JSC::constructProxyObject):
605         * runtime/ProxyObject.cpp:
606         (JSC::ProxyObject::structureForTarget):
607         (JSC::performProxyGet):
608         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
609         (JSC::ProxyObject::performHasProperty):
610         (JSC::ProxyObject::getOwnPropertySlotCommon):
611         (JSC::ProxyObject::performPut):
612         (JSC::ProxyObject::putByIndexCommon):
613         (JSC::performProxyCall):
614         (JSC::performProxyConstruct):
615         (JSC::ProxyObject::performDelete):
616         (JSC::ProxyObject::performPreventExtensions):
617         (JSC::ProxyObject::performIsExtensible):
618         (JSC::ProxyObject::performDefineOwnProperty):
619         (JSC::ProxyObject::performGetOwnPropertyNames):
620         (JSC::ProxyObject::performSetPrototype):
621         (JSC::ProxyObject::performGetPrototype):
622
623 2016-11-28  Matt Baker  <mattbaker@apple.com>
624
625         Web Inspector: Debugger should have an option for showing asynchronous call stacks
626         https://bugs.webkit.org/show_bug.cgi?id=163230
627         <rdar://problem/28698683>
628
629         Reviewed by Joseph Pecoraro.
630
631         * inspector/ScriptCallFrame.cpp:
632         (Inspector::ScriptCallFrame::isNative):
633         Encapsulate check for native code source URL.
634
635         * inspector/ScriptCallFrame.h:
636         * inspector/ScriptCallStack.cpp:
637         (Inspector::ScriptCallStack::firstNonNativeCallFrame):
638         (Inspector::ScriptCallStack::buildInspectorArray):
639         * inspector/ScriptCallStack.h:
640         Replace use of Console::StackTrace with Array<Console::CallFrame>.
641
642         * inspector/agents/InspectorDebuggerAgent.cpp:
643         (Inspector::InspectorDebuggerAgent::disable):
644         (Inspector::InspectorDebuggerAgent::setAsyncStackTraceDepth):
645         Set number of async frames to store (including boundary frames).
646         A value of zero disables recording of async call stacks.
647
648         (Inspector::InspectorDebuggerAgent::buildAsyncStackTrace):
649         Helper function for building a linked list of StackTraces.
650         (Inspector::InspectorDebuggerAgent::didScheduleAsyncCall):
651         Store a call stack for the script that scheduled the async call.
652         If the call repeats (e.g. setInterval), the starting reference count is
653         set to 1. This ensures that dereffing after dispatch won't clear the stack.
654         If another async call is currently being dispatched, increment the
655         AsyncCallData reference count for that call.
656
657         (Inspector::InspectorDebuggerAgent::didCancelAsyncCall):
658         Decrement the reference count for the canceled call.
659
660         (Inspector::InspectorDebuggerAgent::willDispatchAsyncCall):
661         Set the identifier for the async callback currently being dispatched,
662         so that if the debugger pauses during dispatch a stack trace can be
663         associated with the pause location. If an async call is already being
664         dispatched, which could be the case when a script schedules an async
665         call in a nested runloop, do nothing.
666
667         (Inspector::InspectorDebuggerAgent::didDispatchAsyncCall):
668         Decrement the reference count for the canceled call.
669         (Inspector::InspectorDebuggerAgent::didPause):
670         If a stored stack trace exists for this location, convert to a protocol
671         object and send to the frontend.
672
673         (Inspector::InspectorDebuggerAgent::didClearGlobalObject):
674         (Inspector::InspectorDebuggerAgent::clearAsyncStackTraceData):
675         (Inspector::InspectorDebuggerAgent::refAsyncCallData):
676         Increment AsyncCallData reference count.
677         (Inspector::InspectorDebuggerAgent::derefAsyncCallData):
678         Decrement AsyncCallData reference count. If zero, deref its parent
679         (if it exists) and remove the AsyncCallData entry.
680
681         * inspector/agents/InspectorDebuggerAgent.h:
682
683         * inspector/protocol/Console.json:
684         * inspector/protocol/Network.json:
685         Replace use of Console.StackTrace with array of Console.CallFrame.
686
687         * inspector/protocol/Debugger.json:
688         New protocol command and event data.
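        The AsyncCallData lifecycle described in this entry (schedule, nested schedule refs the parent, dispatch, cancel, deref cascading to the parent, depth limit), modelled as an added C++ example that is not the WebKit code: the struct layout, the integer identifiers, the flat frame strings and the reference taken while a call is dispatching are assumptions made for illustration.

```cpp
#include <map>
#include <string>
#include <vector>

// Constructed model of the AsyncCallData bookkeeping described in the
// InspectorDebuggerAgent entry above. Layout, identifiers and the ref held
// while a call dispatches are assumptions; this is not the WebKit code.
struct AsyncCallData {
    std::vector<std::string> callFrames; // stack captured when the call was scheduled
    int parentIdentifier = 0;            // call that was dispatching at schedule time (0: none)
    int referenceCount = 0;
};

class AsyncStackTracker {
public:
    // Number of frames to keep, boundary frames included; 0 disables recording.
    void setAsyncStackTraceDepth(int depth) { m_depth = depth; if (!depth) m_calls.clear(); }

    void didScheduleAsyncCall(int identifier, bool repeating, const std::vector<std::string>& stack)
    {
        if (!m_depth)
            return;
        AsyncCallData data;
        data.callFrames = stack;
        // A repeating call (setInterval) starts at 1 so the deref after each
        // dispatch returns it to 1 instead of freeing it; a one-shot starts at 0.
        data.referenceCount = repeating ? 1 : 0;
        data.parentIdentifier = m_currentlyDispatching;
        if (m_currentlyDispatching)
            ref(m_currentlyDispatching); // the child keeps its parent's stack alive
        m_calls[identifier] = data;
    }

    void didCancelAsyncCall(int identifier) { deref(identifier); }

    void willDispatchAsyncCall(int identifier)
    {
        if (m_currentlyDispatching) // nested runloop: keep the outer call's identifier
            return;
        m_currentlyDispatching = identifier;
        ref(identifier); // assumed: hold the stack while its callback runs
    }

    void didDispatchAsyncCall(int identifier)
    {
        if (m_currentlyDispatching != identifier)
            return;
        m_currentlyDispatching = 0;
        deref(identifier);
    }

    // Follow parent links from the call being dispatched, emitting a boundary
    // marker before each stored stack, until m_depth frames are collected.
    std::vector<std::string> buildAsyncStackTrace() const
    {
        std::vector<std::string> result;
        int id = m_currentlyDispatching;
        while (id && static_cast<int>(result.size()) < m_depth) {
            auto it = m_calls.find(id);
            if (it == m_calls.end())
                break;
            result.push_back("--- async boundary ---");
            for (const auto& frame : it->second.callFrames) {
                if (static_cast<int>(result.size()) >= m_depth)
                    break;
                result.push_back(frame);
            }
            id = it->second.parentIdentifier;
        }
        return result;
    }

    bool hasAsyncCallData(int identifier) const { return m_calls.count(identifier) != 0; }
    int referenceCount(int identifier) const
    {
        auto it = m_calls.find(identifier);
        return it == m_calls.end() ? -1 : it->second.referenceCount;
    }

private:
    void ref(int identifier)
    {
        auto it = m_calls.find(identifier);
        if (it != m_calls.end())
            ++it->second.referenceCount;
    }
    // Drop a reference; at zero, release the parent too and remove the entry.
    void deref(int identifier)
    {
        auto it = m_calls.find(identifier);
        if (it == m_calls.end() || --it->second.referenceCount > 0)
            return;
        int parent = it->second.parentIdentifier;
        m_calls.erase(it);
        if (parent)
            deref(parent);
    }

    std::map<int, AsyncCallData> m_calls;
    int m_currentlyDispatching = 0;
    int m_depth = 0;
};
```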

2016-11-28  Darin Adler  <darin@apple.com>

        Streamline and speed up tokenizer and segmented string classes
        https://bugs.webkit.org/show_bug.cgi?id=165003

        Reviewed by Sam Weinig.

        * runtime/JSONObject.cpp:
        (JSC::Stringifier::appendStringifiedValue): Use viewWithUnderlyingString when calling
        StringBuilder::appendQuotedJSONString, since it now takes a StringView and there is
        no benefit in creating a String for that function if one doesn't already exist.

2016-11-21  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in runtime/Intl* files.
        https://bugs.webkit.org/show_bug.cgi?id=165014

        Reviewed by Saam Barati.

        * runtime/IntlCollatorConstructor.cpp:
        (JSC::constructIntlCollator):
        (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
        * runtime/IntlCollatorPrototype.cpp:
        (JSC::IntlCollatorPrototypeFuncResolvedOptions):
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::constructIntlDateTimeFormat):
        (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatFuncFormatDateTime):
        (JSC::IntlDateTimeFormatPrototypeGetterFormat):
        (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::constructIntlNumberFormat):
        (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatFuncFormatNumber):
        (JSC::IntlNumberFormatPrototypeGetterFormat):
        (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
        * runtime/IntlObject.cpp:
        (JSC::lookupSupportedLocales):
        * runtime/IntlObjectInlines.h:
        (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in IteratorOperations.h.
        https://bugs.webkit.org/show_bug.cgi?id=165015

        Reviewed by Saam Barati.

        * runtime/IteratorOperations.h:
        (JSC::forEachInIterable):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in JSArray* files.
        https://bugs.webkit.org/show_bug.cgi?id=165016

        Reviewed by Saam Barati.

        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        (JSC::JSArray::put):
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::push):
        (JSC::JSArray::unshiftCountWithAnyIndexingType):
        * runtime/JSArrayBuffer.cpp:
        (JSC::JSArrayBuffer::put):
        (JSC::JSArrayBuffer::defineOwnProperty):
        * runtime/JSArrayInlines.h:
        (JSC::getLength):
        (JSC::toLength):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in JSDataView.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=165020

        Reviewed by Saam Barati.

        * runtime/JSDataView.cpp:
        (JSC::JSDataView::put):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in JSFunction.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=165021

        Reviewed by Saam Barati.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::put):
        (JSC::JSFunction::defineOwnProperty):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in runtime/JSGenericTypedArrayView* files.
        https://bugs.webkit.org/show_bug.cgi?id=165022

        Reviewed by Saam Barati.

        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayViewFromIterator):
        (JSC::constructGenericTypedArrayViewWithArguments):
        (JSC::constructGenericTypedArrayView):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::set):
        (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::speciesConstruct):
        (JSC::genericTypedArrayViewProtoFuncSet):
        (JSC::genericTypedArrayViewProtoFuncJoin):
        (JSC::genericTypedArrayViewProtoFuncSlice):
        (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in runtime/Operations.cpp/h.
        https://bugs.webkit.org/show_bug.cgi?id=165046

        Reviewed by Saam Barati.

        Also switched to returning { } instead of JSValue().

        * runtime/Operations.cpp:
        (JSC::jsAddSlowCase):
        (JSC::jsIsObjectTypeOrNull):
        * runtime/Operations.h:
        (JSC::jsStringFromRegisterArray):
        (JSC::jsStringFromArguments):
        (JSC::jsLess):
        (JSC::jsLessEq):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in JSScope.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=165047

        Reviewed by Saam Barati.

        * runtime/JSScope.cpp:
        (JSC::JSScope::resolve):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in JSTypedArrayViewPrototype.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=165049

        Reviewed by Saam Barati.

        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::typedArrayViewPrivateFuncSort):
        (JSC::typedArrayViewProtoFuncSet):
        (JSC::typedArrayViewProtoFuncCopyWithin):
        (JSC::typedArrayViewProtoFuncIncludes):
        (JSC::typedArrayViewProtoFuncLastIndexOf):
        (JSC::typedArrayViewProtoFuncIndexOf):
        (JSC::typedArrayViewProtoFuncJoin):
        (JSC::typedArrayViewProtoGetterFuncBuffer):
        (JSC::typedArrayViewProtoGetterFuncLength):
        (JSC::typedArrayViewProtoGetterFuncByteLength):
        (JSC::typedArrayViewProtoGetterFuncByteOffset):
        (JSC::typedArrayViewProtoFuncReverse):
        (JSC::typedArrayViewPrivateFuncSubarrayCreate):
        (JSC::typedArrayViewProtoFuncSlice):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in runtime/Map* files.
        https://bugs.webkit.org/show_bug.cgi?id=165050

        Reviewed by Saam Barati.

        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/MapIteratorPrototype.cpp:
        (JSC::MapIteratorPrototypeFuncNext):
        * runtime/MapPrototype.cpp:
        (JSC::privateFuncMapIteratorNext):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in more miscellaneous files.
        https://bugs.webkit.org/show_bug.cgi?id=165102

        Reviewed by Saam Barati.

        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::constructJSWebAssemblyInstance):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in runtime/Weak* files.
        https://bugs.webkit.org/show_bug.cgi?id=165096

        Reviewed by Geoffrey Garen.

        * runtime/WeakMapConstructor.cpp:
        (JSC::constructWeakMap):
        * runtime/WeakMapPrototype.cpp:
        (JSC::protoFuncWeakMapSet):
        * runtime/WeakSetConstructor.cpp:
        (JSC::constructWeakSet):
        * runtime/WeakSetPrototype.cpp:
        (JSC::protoFuncWeakSetAdd):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in runtime/String* files.
        https://bugs.webkit.org/show_bug.cgi?id=165067

        Reviewed by Saam Barati.

        * runtime/StringConstructor.cpp:
        (JSC::stringFromCodePoint):
        (JSC::constructWithStringConstructor):
        * runtime/StringObject.cpp:
        (JSC::StringObject::put):
        (JSC::StringObject::putByIndex):
        (JSC::StringObject::defineOwnProperty):
        * runtime/StringPrototype.cpp:
        (JSC::jsSpliceSubstrings):
        (JSC::jsSpliceSubstringsWithSeparators):
        (JSC::replaceUsingRegExpSearch):
        (JSC::replaceUsingStringSearch):
        (JSC::repeatCharacter):
        (JSC::replace):
        (JSC::stringProtoFuncReplaceUsingStringSearch):
        (JSC::stringProtoFuncCharAt):
        (JSC::stringProtoFuncCodePointAt):
        (JSC::stringProtoFuncConcat):
        (JSC::stringProtoFuncIndexOf):
        (JSC::stringProtoFuncLastIndexOf):
        (JSC::splitStringByOneCharacterImpl):
        (JSC::stringProtoFuncSplitFast):
        (JSC::stringProtoFuncSubstring):
        (JSC::stringProtoFuncToLowerCase):
        (JSC::stringProtoFuncToUpperCase):
        (JSC::toLocaleCase):
        (JSC::trimString):
        (JSC::stringProtoFuncIncludes):
        (JSC::builtinStringIncludesInternal):
        (JSC::stringProtoFuncIterator):
        (JSC::normalize):
        (JSC::stringProtoFuncNormalize):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in ObjectConstructor.cpp and ObjectPrototype.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=165051

        Reviewed by Saam Barati.

        Also,
        1. Replaced returning JSValue() with returning { }.
        2. Replaced uses of exec->propertyNames() with vm.propertyNames.

        * runtime/ObjectConstructor.cpp:
        (JSC::constructObject):
        (JSC::objectConstructorGetPrototypeOf):
        (JSC::objectConstructorGetOwnPropertyDescriptor):
        (JSC::objectConstructorGetOwnPropertyDescriptors):
        (JSC::objectConstructorGetOwnPropertyNames):
        (JSC::objectConstructorGetOwnPropertySymbols):
        (JSC::objectConstructorKeys):
        (JSC::ownEnumerablePropertyKeys):
        (JSC::toPropertyDescriptor):
        (JSC::defineProperties):
        (JSC::objectConstructorDefineProperties):
        (JSC::objectConstructorCreate):
        (JSC::setIntegrityLevel):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorPreventExtensions):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
        (JSC::ownPropertyKeys):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncValueOf):
        (JSC::objectProtoFuncHasOwnProperty):
        (JSC::objectProtoFuncIsPrototypeOf):
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):
        (JSC::objectProtoFuncToLocaleString):
        (JSC::objectProtoFuncToString):

2016-11-26  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in miscellaneous files.
        https://bugs.webkit.org/show_bug.cgi?id=165055

        Reviewed by Saam Barati.

        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncIMul):
        * runtime/ModuleLoaderPrototype.cpp:
        (JSC::moduleLoaderPrototypeParseModule):
        (JSC::moduleLoaderPrototypeRequestedModules):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::Interpreter::constructWithNativeErrorConstructor):
        * runtime/NumberConstructor.cpp:
        (JSC::constructWithNumberConstructor):
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):
        * runtime/SetIteratorPrototype.cpp:
        (JSC::SetIteratorPrototypeFuncNext):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::putEntry):
        (JSC::SparseArrayEntry::put):
        * runtime/TemplateRegistry.cpp:
        (JSC::TemplateRegistry::getTemplateObject):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in ReflectObject.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=165066

        Reviewed by Saam Barati.

        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectConstruct):
        (JSC::reflectObjectDefineProperty):
        (JSC::reflectObjectEnumerate):
        (JSC::reflectObjectGet):
        (JSC::reflectObjectGetOwnPropertyDescriptor):
        (JSC::reflectObjectGetPrototypeOf):
        (JSC::reflectObjectOwnKeys):
        (JSC::reflectObjectSet):

2016-11-24  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in ArrayConstructor.cpp and ArrayPrototype.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=164972

        Reviewed by Geoffrey Garen.

        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        * runtime/ArrayPrototype.cpp:
        (JSC::getProperty):
        (JSC::putLength):
        (JSC::speciesWatchpointsValid):
        (JSC::speciesConstructArray):
        (JSC::shift):
        (JSC::unshift):
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncToLocaleString):
        (JSC::slowJoin):
        (JSC::fastJoin):
        (JSC::arrayProtoFuncJoin):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncPush):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        (JSC::arrayProtoFuncIndexOf):
        (JSC::arrayProtoFuncLastIndexOf):
        (JSC::concatAppendOne):
        (JSC::arrayProtoPrivateFuncConcatMemcpy):
        (JSC::ArrayPrototype::attemptToInitializeSpeciesWatchpoint):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in LLIntSlowPaths.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=164969

        Reviewed by Geoffrey Garen.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):
        (JSC::LLInt::setUpCall):
        (JSC::LLInt::varargsSetup):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2016-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Import std::optional reference implementation as WTF::Optional
        https://bugs.webkit.org/show_bug.cgi?id=164199

        Reviewed by Saam Barati and Sam Weinig.

        The previous WTF::Optional::operator= is not compatible with std::optional::operator=.
        std::optional::emplace has the same semantics as the previous one.
        So we change the code to use it.

        * Scripts/builtins/builtins_templates.py:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
        * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::commuteCompareToZeroIntoTest):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::commuteCompareToZeroIntoTest):
        * b3/B3CheckSpecial.cpp:
        (JSC::B3::CheckSpecial::forEachArg):
        (JSC::B3::CheckSpecial::shouldTryAliasingDef):
        * b3/B3CheckSpecial.h:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::scaleForShl):
        (JSC::B3::Air::LowerToAir::effectiveAddr):
        (JSC::B3::Air::LowerToAir::tryAppendLea):
        * b3/B3Opcode.cpp:
        (JSC::B3::invertedCompare):
        * b3/B3Opcode.h:
        * b3/B3PatchpointSpecial.cpp:
        (JSC::B3::PatchpointSpecial::forEachArg):
        * b3/B3StackmapSpecial.cpp:
        (JSC::B3::StackmapSpecial::forEachArgImpl):
        * b3/B3StackmapSpecial.h:
        * b3/B3Value.cpp:
        (JSC::B3::Value::invertedCompare):
        * b3/air/AirArg.h:
        (JSC::B3::Air::Arg::isValidScale):
        (JSC::B3::Air::Arg::isValidAddrForm):
        (JSC::B3::Air::Arg::isValidIndexForm):
        (JSC::B3::Air::Arg::isValidForm):
        * b3/air/AirCustom.h:
        (JSC::B3::Air::PatchCustom::shouldTryAliasingDef):
        * b3/air/AirFixObviousSpills.cpp:
        * b3/air/AirInst.h:
        * b3/air/AirInstInlines.h:
        (JSC::B3::Air::Inst::shouldTryAliasingDef):
        * b3/air/AirIteratedRegisterCoalescing.cpp:
        * b3/air/AirSpecial.cpp:
        (JSC::B3::Air::Special::shouldTryAliasingDef):
        * b3/air/AirSpecial.h:
        * bytecode/BytecodeGeneratorification.cpp:
        (JSC::BytecodeGeneratorification::storageForGeneratorLocal):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::findPC):
        (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
        * bytecode/CodeBlock.h:
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::link):
        * bytecode/UnlinkedFunctionExecutable.h:
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitPutConstantProperty):
        (JSC::ObjectPatternNode::bindValue):
        * debugger/Debugger.cpp:
        (JSC::Debugger::resolveBreakpoint):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::currentPosition):
        * debugger/DebuggerParseData.cpp:
        (JSC::DebuggerPausePositions::breakpointLocationForLineColumn):
        * debugger/DebuggerParseData.h:
        * debugger/ScriptProfilingScope.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::findPC):
        * dfg/DFGJITCode.h:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * dfg/DFGSlowPathGenerator.h:
        (JSC::DFG::SlowPathGenerator::generate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
        (JSC::DFG::SpeculativeJIT::emitUntypedBitOp):
        (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp):
        (JSC::DFG::SpeculativeJIT::compileMathIC):
        (JSC::DFG::SpeculativeJIT::compileArithDiv):
        (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::findPC):
        * ftl/FTLJITCode.h:
        * heap/Heap.cpp:
        (JSC::Heap::collectAsync):
        (JSC::Heap::collectSync):
        (JSC::Heap::collectInThread):
        (JSC::Heap::requestCollection):
        (JSC::Heap::willStartCollection):
        (JSC::Heap::didFinishCollection):
        (JSC::Heap::shouldDoFullCollection):
        * heap/Heap.h:
        (JSC::Heap::collectionScope):
        * heap/HeapSnapshot.cpp:
        (JSC::HeapSnapshot::nodeForCell):
        (JSC::HeapSnapshot::nodeForObjectIdentifier):
        * heap/HeapSnapshot.h:
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::dispatch):
        (Inspector::BackendDispatcher::sendPendingErrors):
        (Inspector::BackendDispatcher::reportProtocolError):
        * inspector/InspectorBackendDispatcher.h:
        * inspector/agents/InspectorHeapAgent.cpp:
        (Inspector::InspectorHeapAgent::nodeForHeapObjectIdentifier):
        (Inspector::InspectorHeapAgent::getPreview):
        (Inspector::InspectorHeapAgent::getRemoteObject):
        * inspector/agents/InspectorHeapAgent.h:
        * inspector/remote/RemoteConnectionToTarget.h:
        * inspector/remote/RemoteConnectionToTarget.mm:
        (Inspector::RemoteConnectionToTarget::targetIdentifier):
        (Inspector::RemoteConnectionToTarget::setup):
        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::updateClientCapabilities):
        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        (_generate_declarations_for_enum_conversion_methods):
        (_generate_declarations_for_enum_conversion_methods.return_type_with_export_macro):
        * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
        (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain.generate_conversion_method_body):
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
        * jit/JITCode.h:
        (JSC::JITCode::findPC):
        * jit/JITDivGenerator.cpp:
        (JSC::JITDivGenerator::generateFastPath):
        * jit/JITOperations.cpp:
        * jit/PCToCodeOriginMap.cpp:
        (JSC::PCToCodeOriginMap::findPC):
        * jit/PCToCodeOriginMap.h:
        * jsc.cpp:
        (WTF::RuntimeArray::getOwnPropertySlot):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * parser/ModuleAnalyzer.cpp:
        (JSC::ModuleAnalyzer::exportVariable):
        * runtime/ConcurrentJSLock.h:
        (JSC::ConcurrentJSLocker::ConcurrentJSLocker):
        * runtime/DefinePropertyAttributes.h:
        (JSC::DefinePropertyAttributes::writable):
        (JSC::DefinePropertyAttributes::configurable):
        (JSC::DefinePropertyAttributes::enumerable):
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertySlot):
        (JSC::GenericArguments<Type>::put):
        (JSC::GenericArguments<Type>::deleteProperty):
        (JSC::GenericArguments<Type>::defineOwnProperty):
        * runtime/HasOwnPropertyCache.h:
        (JSC::HasOwnPropertyCache::get):
        * runtime/HashMapImpl.h:
        (JSC::concurrentJSMapHash):
        * runtime/Identifier.h:
        (JSC::parseIndex):
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::toNumberFromPrimitive):
        (JSC::JSValue::putToPrimitive):
        * runtime/JSCJSValue.h:
        * runtime/JSGenericTypedArrayView.h:
        (JSC::JSGenericTypedArrayView::toAdaptorNativeFromValueWithoutCoercion):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayViewWithArguments):
        (JSC::constructGenericTypedArrayView):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
        (JSC::JSGenericTypedArrayView<Adaptor>::put):
        * runtime/JSModuleRecord.cpp:
        * runtime/JSModuleRecord.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::putDirectMayBeIndex):
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::getOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::putOwnDataPropertyMayBeIndex):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putInline):
        * runtime/JSString.cpp:
        (JSC::JSString::getStringPropertyDescriptor):
        * runtime/JSString.h:
        (JSC::JSString::getStringPropertySlot):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::parse):
        * runtime/MathCommon.h:
        (JSC::safeReciprocalForDivByConst):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncHasOwnProperty):
        * runtime/PropertyDescriptor.h:
        (JSC::toPropertyDescriptor):
        * runtime/PropertyName.h:
        (JSC::parseIndex):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        * runtime/StringObject.cpp:
        (JSC::StringObject::put):
        (JSC::isStringOwnProperty):
        (JSC::StringObject::deleteProperty):
        * runtime/ToNativeFromValue.h:
        (JSC::toNativeFromValueWithoutCoercion):
        * runtime/TypedArrayAdaptors.h:
        (JSC::IntegralTypedArrayAdaptor::toNativeFromInt32WithoutCoercion):
        (JSC::IntegralTypedArrayAdaptor::toNativeFromUint32WithoutCoercion):
        (JSC::IntegralTypedArrayAdaptor::toNativeFromDoubleWithoutCoercion):
        (JSC::FloatTypedArrayAdaptor::toNativeFromInt32WithoutCoercion):
        (JSC::FloatTypedArrayAdaptor::toNativeFromDoubleWithoutCoercion):
        (JSC::Uint8ClampedAdaptor::toNativeFromInt32WithoutCoercion):
        (JSC::Uint8ClampedAdaptor::toNativeFromDoubleWithoutCoercion):

2016-11-26  Sam Weinig  <sam@webkit.org>

        Convert IntersectionObserver over to using RuntimeEnabledFeatures so it can be properly excluded from script
        https://bugs.webkit.org/show_bug.cgi?id=164965

        Reviewed by Simon Fraser.

        * runtime/CommonIdentifiers.h:
        Add identifiers needed for RuntimeEnabledFeatures.

2016-11-23  Zan Dobersek  <zdobersek@igalia.com>

        Remove ENABLE_ASSEMBLER_WX_EXCLUSIVE code
        https://bugs.webkit.org/show_bug.cgi?id=165027

        Reviewed by Darin Adler.

        Remove the code guarded with ENABLE(ASSEMBLER_WX_EXCLUSIVE).
        No port enables this and the guarded code doesn't build at all,
        so it's safe to say it's abandoned.

        * jit/ExecutableAllocator.cpp:
        (JSC::ExecutableAllocator::initializeAllocator):
        (JSC::ExecutableAllocator::ExecutableAllocator):
        (JSC::ExecutableAllocator::reprotectRegion): Deleted.

2016-11-18  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in JSC profiler files.
        https://bugs.webkit.org/show_bug.cgi?id=164971

        Reviewed by Saam Barati.

        * profiler/ProfilerBytecodeSequence.cpp:
        (JSC::Profiler::BytecodeSequence::addSequenceProperties):
        * profiler/ProfilerCompilation.cpp:
        (JSC::Profiler::Compilation::toJS):
        * profiler/ProfilerDatabase.cpp:
        (JSC::Profiler::Database::toJS):
        (JSC::Profiler::Database::toJSON):
        * profiler/ProfilerOSRExitSite.cpp:
        (JSC::Profiler::OSRExitSite::toJS):
        * profiler/ProfilerOriginStack.cpp:
        (JSC::Profiler::OriginStack::toJS):

2016-11-22  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in JSONObject.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=165025

        Reviewed by Saam Barati.

        * runtime/JSONObject.cpp:
        (JSC::gap):
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::stringify):
        (JSC::Stringifier::toJSON):
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::Walker::walk):
        (JSC::JSONProtoFuncParse):
        (JSC::JSONProtoFuncStringify):
        (JSC::JSONStringify):

2016-11-21  Mark Lam  <mark.lam@apple.com>

        Removed an extra space character at the end of line.

        Not reviewed.

        * runtime/JSCell.cpp:
        (JSC::JSCell::toNumber):

2016-11-21  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in FunctionConstructor.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=165011

        Reviewed by Saam Barati.

        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunction):
        (JSC::constructFunctionSkippingEvalEnabledCheck):

2016-11-21  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in GetterSetter.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=165013

        Reviewed by Saam Barati.

        * runtime/GetterSetter.cpp:
        (JSC::callGetter):
        (JSC::callSetter):

2016-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        Crash in com.apple.JavaScriptCore: WTF::ThreadSpecific<WTF::WTFThreadData, + 142
        https://bugs.webkit.org/show_bug.cgi?id=164898

        Reviewed by Darin Adler.

1414         The callsite object (JSArray) of a tagged template literal is managed by WeakGCMap since
1415         the same tagged template literal needs to return an identical object.
1416         The problem is that we used TemplateRegistryKey as the key of the WeakGCMap. WeakGCMap
1417         can prune its entries in the collector thread. At that time, this TemplateRegistryKey
1418         is deallocated. Since it includes String (and then, StringImpl), we accidentally call
1419         ref(), deref() and StringImpl::destroy() in a thread different from the main thread
1420         while this TemplateRegistryKey was allocated in the main thread.
1421
1422         Instead, we use TemplateRegistryKey* as the key of the WeakGCMap. Then, to keep it alive
1423         while the entry of the WeakGCMap is alive, the callsite object holds a reference to
1424         the JSTemplateRegistryKey, and that holds Ref<TemplateRegistryKey>.
1425
1426         And now we need to look up the WeakGCMap with TemplateRegistryKey*. To do so, we create
1427         an interning system for TemplateRegistryKey. It is similar to AtomicStringTable and
1428         SymbolRegistry. TemplateRegistryKey is allocated from this table. This table atomizes the
1429         TemplateRegistryKey, so we can use pointer comparison between TemplateRegistryKeys.
1430         It allows us to look up the entry in the WeakGCMap by TemplateRegistryKey*.
1431
1432         * CMakeLists.txt:
1433         * JavaScriptCore.xcodeproj/project.pbxproj:
1434         * builtins/BuiltinNames.h:
1435         * bytecompiler/BytecodeGenerator.cpp:
1436         (JSC::BytecodeGenerator::addTemplateRegistryKeyConstant):
1437         (JSC::BytecodeGenerator::emitGetTemplateObject):
1438         * bytecompiler/BytecodeGenerator.h:
1439         * runtime/JSGlobalObject.cpp:
1440         (JSC::getTemplateObject):
1441         * runtime/JSTemplateRegistryKey.cpp:
1442         (JSC::JSTemplateRegistryKey::JSTemplateRegistryKey):
1443         (JSC::JSTemplateRegistryKey::create):
1444         * runtime/JSTemplateRegistryKey.h:
1445         * runtime/TemplateRegistry.cpp:
1446         (JSC::TemplateRegistry::getTemplateObject):
1447         * runtime/TemplateRegistry.h:
1448         * runtime/TemplateRegistryKey.cpp: Copied from Source/JavaScriptCore/runtime/TemplateRegistry.h.
1449         (JSC::TemplateRegistryKey::~TemplateRegistryKey):
1450         * runtime/TemplateRegistryKey.h:
1451         (JSC::TemplateRegistryKey::calculateHash):
1452         (JSC::TemplateRegistryKey::create):
1453         (JSC::TemplateRegistryKey::TemplateRegistryKey):
1454         * runtime/TemplateRegistryKeyTable.cpp: Added.
1455         (JSC::TemplateRegistryKeyTranslator::hash):
1456         (JSC::TemplateRegistryKeyTranslator::equal):
1457         (JSC::TemplateRegistryKeyTranslator::translate):
1458         (JSC::TemplateRegistryKeyTable::~TemplateRegistryKeyTable):
1459         (JSC::TemplateRegistryKeyTable::createKey):
1460         (JSC::TemplateRegistryKeyTable::unregister):
1461         * runtime/TemplateRegistryKeyTable.h: Copied from Source/JavaScriptCore/runtime/JSTemplateRegistryKey.h.
1462         (JSC::TemplateRegistryKeyTable::KeyHash::hash):
1463         (JSC::TemplateRegistryKeyTable::KeyHash::equal):
1464         * runtime/VM.h:
1465         (JSC::VM::templateRegistryKeyTable):
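
        The interning scheme described in the entry above, as an added example that is not
        JSC's code: TemplateKey, TemplateKeyTable and CallSiteCache are hypothetical
        stand-ins for TemplateRegistryKey, TemplateRegistryKeyTable and the WeakGCMap of
        callsite objects. It shows the one property the entry relies on, that equal key
        contents atomize to a single pointer, so a map keyed by that pointer can be
        looked up and compared by address alone. The cross-thread deallocation problem
        itself is not modelled here: this table keeps its keys alive for its own
        lifetime instead of unregistering them from a destructor.

```cpp
#include <cstddef>
#include <functional>
#include <memory>
#include <string>
#include <unordered_map>
#include <unordered_set>
#include <vector>

// Hypothetical stand-in for TemplateRegistryKey: the raw strings of one
// template literal. Two keys with equal contents must intern to one object.
struct TemplateKey {
    std::vector<std::string> rawStrings;
    bool operator==(const TemplateKey& other) const { return rawStrings == other.rawStrings; }
};

// Content hash combining each raw string's hash (constructed for this example).
struct TemplateKeyContentHash {
    size_t operator()(const TemplateKey& key) const
    {
        size_t h = key.rawStrings.size();
        for (const std::string& s : key.rawStrings)
            h = h * 131 + std::hash<std::string>()(s);
        return h;
    }
};

// Interning table in the spirit of TemplateRegistryKeyTable: it owns every key
// it has handed out and returns the same pointer for equal contents. Unlike
// JSC's table, keys live as long as the table (there is no unregister()).
class TemplateKeyTable {
public:
    const TemplateKey* intern(const TemplateKey& candidate)
    {
        auto it = m_keys.find(&candidate);           // lookup by content
        if (it != m_keys.end())
            return *it;                              // already atomized
        auto owned = std::make_unique<TemplateKey>(candidate);
        const TemplateKey* raw = owned.get();
        m_storage.push_back(std::move(owned));
        m_keys.insert(raw);
        return raw;
    }
    size_t size() const { return m_keys.size(); }

private:
    struct Hash { size_t operator()(const TemplateKey* k) const { return TemplateKeyContentHash()(*k); } };
    struct Equal { bool operator()(const TemplateKey* a, const TemplateKey* b) const { return *a == *b; } };
    std::unordered_set<const TemplateKey*, Hash, Equal> m_keys;    // non-owning, content-compared
    std::vector<std::unique_ptr<TemplateKey>> m_storage;           // owning
};

// Stand-in for the WeakGCMap that caches callsite objects: once keys are
// interned it is keyed purely by address, with no content comparison.
struct CallSiteCache {
    std::unordered_map<const TemplateKey*, int> objects;   // int stands in for the JSArray
    int nextId = 1;
    int objectFor(const TemplateKey* key)
    {
        auto it = objects.find(key);
        if (it != objects.end())
            return it->second;
        int id = nextId++;
        objects[key] = id;
        return id;
    }
};

// Constructed scenario: one tagged template evaluated twice (two parses give
// two equal keys) and a second template that differs in one raw string.
bool sameTemplateSharesCallSiteObject()
{
    TemplateKeyTable table;
    CallSiteCache cache;
    TemplateKey first { { "hello ", "!" } };
    TemplateKey again { { "hello ", "!" } };
    TemplateKey other { { "hello ", "?" } };

    const TemplateKey* a = table.intern(first);
    const TemplateKey* b = table.intern(again);
    const TemplateKey* c = table.intern(other);

    bool atomized = (a == b) && (a != c) && table.size() == 2;
    bool cached = cache.objectFor(a) == cache.objectFor(b)
        && cache.objectFor(a) != cache.objectFor(c);
    return atomized && cached;
}
```

        The table does the content comparison exactly once, at intern time; everything
        downstream (here the callsite cache) only ever sees pointers, which is what lets
        the real WeakGCMap be keyed by TemplateRegistryKey* and pruned without touching the
        key's String contents.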
1466
1467 2016-11-21  Mark Lam  <mark.lam@apple.com>
1468
1469         Fix exception scope verification failures in runtime/Error* files.
1470         https://bugs.webkit.org/show_bug.cgi?id=164998
1471
1472         Reviewed by Darin Adler.
1473
1474         * runtime/ErrorConstructor.cpp:
1475         (JSC::Interpreter::constructWithErrorConstructor):
1476         * runtime/ErrorInstance.cpp:
1477         (JSC::ErrorInstance::create):
1478         * runtime/ErrorInstance.h:
1479         * runtime/ErrorPrototype.cpp:
1480         (JSC::errorProtoFuncToString):
1481
1482 2016-11-21  Mark Lam  <mark.lam@apple.com>
1483
1484         Fix exception scope verification failures in *Executable.cpp files.
1485         https://bugs.webkit.org/show_bug.cgi?id=164996
1486
1487         Reviewed by Darin Adler.
1488
1489         * runtime/DirectEvalExecutable.cpp:
1490         (JSC::DirectEvalExecutable::create):
1491         * runtime/IndirectEvalExecutable.cpp:
1492         (JSC::IndirectEvalExecutable::create):
1493         * runtime/ProgramExecutable.cpp:
1494         (JSC::ProgramExecutable::initializeGlobalProperties):
1495         * runtime/ScriptExecutable.cpp:
1496         (JSC::ScriptExecutable::prepareForExecutionImpl):
1497
1498 2016-11-20  Zan Dobersek  <zdobersek@igalia.com>
1499
1500         [EncryptedMedia] Make EME API runtime-enabled
1501         https://bugs.webkit.org/show_bug.cgi?id=164927
1502
1503         Reviewed by Jer Noble.
1504
1505         * runtime/CommonIdentifiers.h: Add the necessary identifiers.
1506
1507 2016-11-20  Mark Lam  <mark.lam@apple.com>
1508
1509         Fix exception scope verification failures in ConstructData.cpp.
1510         https://bugs.webkit.org/show_bug.cgi?id=164976
1511
1512         Reviewed by Darin Adler.
1513
1514         * runtime/ConstructData.cpp:
1515         (JSC::construct):
1516
1517 2016-11-20  Mark Lam  <mark.lam@apple.com>
1518
1519         Fix exception scope verification failures in CommonSlowPaths.cpp/h.
1520         https://bugs.webkit.org/show_bug.cgi?id=164975
1521
1522         Reviewed by Darin Adler.
1523
1524         * runtime/CommonSlowPaths.cpp:
1525         (JSC::SLOW_PATH_DECL):
1526         * runtime/CommonSlowPaths.h:
1527         (JSC::CommonSlowPaths::opIn):
1528
1529 2016-11-20  Mark Lam  <mark.lam@apple.com>
1530
1531         Fix exception scope verification failures in DateConstructor.cpp and DatePrototype.cpp.
1532         https://bugs.webkit.org/show_bug.cgi?id=164995
1533
1534         Reviewed by Darin Adler.
1535
1536         * runtime/DateConstructor.cpp:
1537         (JSC::millisecondsFromComponents):
1538         (JSC::constructDate):
1539         * runtime/DatePrototype.cpp:
1540         (JSC::dateProtoFuncToPrimitiveSymbol):
1541
1542 2016-11-20  Caitlin Potter  <caitp@igalia.com>
1543
1544         [JSC] speed up parsing of async functions
1545         https://bugs.webkit.org/show_bug.cgi?id=164808
1546
1547         Reviewed by Yusuke Suzuki.
1548
1549         Minor adjustments to Parser in order to mitigate slowdown with async
1550         function parsing enabled:
1551
1552           - Tokenize "async" as a keyword
1553           - Perform less branching in various areas of the Parser
1554
1555         * parser/Keywords.table:
1556         * parser/Parser.cpp:
1557         (JSC::Parser<LexerType>::parseStatementListItem):
1558         (JSC::Parser<LexerType>::parseStatement):
1559         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
1560         (JSC::Parser<LexerType>::parseClass):
1561         (JSC::Parser<LexerType>::parseExportDeclaration):
1562         (JSC::Parser<LexerType>::parseAssignmentExpression):
1563         (JSC::Parser<LexerType>::parseProperty):
1564         (JSC::Parser<LexerType>::createResolveAndUseVariable):
1565         (JSC::Parser<LexerType>::parsePrimaryExpression):
1566         (JSC::Parser<LexerType>::parseMemberExpression):
1567         (JSC::Parser<LexerType>::printUnexpectedTokenText):
1568         * parser/Parser.h:
1569         (JSC::isAnyContextualKeyword):
1570         (JSC::isIdentifierOrAnyContextualKeyword):
1571         (JSC::isSafeContextualKeyword):
1572         (JSC::Parser::matchSpecIdentifier):
1573         * parser/ParserTokens.h:
1574         * runtime/CommonIdentifiers.h:
1575
1576 2016-11-19  Mark Lam  <mark.lam@apple.com>
1577
1578         Add --timeoutMultiplier option to allow some tests more time to run.
1579         https://bugs.webkit.org/show_bug.cgi?id=164951
1580
1581         Reviewed by Yusuke Suzuki.
1582
1583         * jsc.cpp:
1584         (timeoutThreadMain):
1585         - Modified to factor in a timeout multiplier that can adjust the timeout duration.
1586         (startTimeoutThreadIfNeeded):
1587         - Moved the code that starts the timeout thread here from main() so that we can
1588         call it after command line args have been parsed instead.
1589         (main):
1590         - Deleted old timeout thread starting code.
1591         (CommandLine::parseArguments):
1592         - Added parsing of the --timeoutMultiplier option.
1593         (jscmain):
1594         - Start the timeout thread if needed after we've parsed the command line args.
1595
1596 2016-11-19  Mark Lam  <mark.lam@apple.com>
1597
1598         Fix missing exception checks in JSC inspector files.
1599         https://bugs.webkit.org/show_bug.cgi?id=164959
1600
1601         Reviewed by Saam Barati.
1602
1603         * inspector/JSInjectedScriptHost.cpp:
1604         (Inspector::JSInjectedScriptHost::getInternalProperties):
1605         (Inspector::JSInjectedScriptHost::weakMapEntries):
1606         (Inspector::JSInjectedScriptHost::weakSetEntries):
1607         (Inspector::JSInjectedScriptHost::iteratorEntries):
1608         * inspector/JSJavaScriptCallFrame.cpp:
1609         (Inspector::JSJavaScriptCallFrame::scopeDescriptions):
1610
1611 2016-11-18  Mark Lam  <mark.lam@apple.com>
1612
1613         Fix missing exception checks in DFGOperations.cpp.
1614         https://bugs.webkit.org/show_bug.cgi?id=164958
1615
1616         Reviewed by Geoffrey Garen.
1617
1618         * dfg/DFGOperations.cpp:
1619
1620 2016-11-18  Mark Lam  <mark.lam@apple.com>
1621
1622         Fix exception scope verification failures in ShadowChicken.cpp.
1623         https://bugs.webkit.org/show_bug.cgi?id=164966
1624
1625         Reviewed by Saam Barati.
1626
1627         * interpreter/ShadowChicken.cpp:
1628         (JSC::ShadowChicken::functionsOnStack):
1629
1630 2016-11-18  Jeremy Jones  <jeremyj@apple.com>
1631
1632         Add runtime flag to enable pointer lock. Enable pointer lock feature for mac.
1633         https://bugs.webkit.org/show_bug.cgi?id=163801
1634
1635         Reviewed by Simon Fraser.
1636
1637         * Configurations/FeatureDefines.xcconfig:
1638
1639 2016-11-18  Filip Pizlo  <fpizlo@apple.com>
1640
1641         Unreviewed, fix cloop.
1642
1643         * bytecode/CodeBlock.cpp:
1644         (JSC::CodeBlock::stronglyVisitStrongReferences):
1645
1646 2016-11-18  Filip Pizlo  <fpizlo@apple.com>
1647
1648         Concurrent GC should be able to run splay in debug mode and earley/raytrace in release mode with no perf regression
1649         https://bugs.webkit.org/show_bug.cgi?id=164282
1650
1651         Reviewed by Geoffrey Garen and Oliver Hunt.
1652         
1653         The three remaining bugs were:
1654
1655         - Improper ordering inside putDirectWithoutTransition() and friends. We need to make sure
1656           that the GC doesn't see the store to Structure::m_offset until we've resized the butterfly.
1657           That proved a bit tricky. On the other hand, this means that we could probably remove the
1658           requirement that the GC holds the Structure lock in some cases. I haven't removed that lock
1659           yet because I still think it might protect some weird cases, and it doesn't seem to cost us
1660           anything.
1661         
1662         - CodeBlock's GC strategy needed to be made thread-safe (visitWeakly, visitChildren, and
1663           their friends now hold locks) and incremental-safe (we need to update predictions in the
1664           finalizer to make sure we clear anything that was put into a value profile towards the end
1665           of GC).
1666         
1667         - The GC timeslicing scheduler needed to be made a bit more aggressive to deal with
1668           generational workloads like earley, raytrace, and CDjs. Once I got those benchmarks to run,
1669           I found that they would do many useless iterations of GC because they wouldn't pause long
1670           enough after rescanning weak references and roots. I added a bunch of knobs for forcing a
1671           pause. In the end, I realized that I could get the desired effect by putting a ceiling on
1672           mutator utilization. We want the GC to finish quickly if it is possible to do so, even if
1673           the amount of allocation that the mutator had done is low. Having a utilization ceiling
1674           seems to accomplish this for benchmarks with trivial heaps (earley and raytrace) as well as
1675           huge heaps (like CDjs in its "large" configuration).
1676         
1677         This preserves splay performance, makes the concurrent GC more stable, and makes the
1678         concurrent GC not a perf regression on earley or raytrace. It seems to give us great CDjs
1679         performance as well, but this is still hard to tell because we crash a lot in that benchmark.
1680
1681         * bytecode/CodeBlock.cpp:
1682         (JSC::CodeBlock::CodeBlock):
1683         (JSC::CodeBlock::visitWeakly):
1684         (JSC::CodeBlock::visitChildren):
1685         (JSC::CodeBlock::shouldVisitStrongly):
1686         (JSC::CodeBlock::shouldJettisonDueToOldAge):
1687         (JSC::CodeBlock::propagateTransitions):
1688         (JSC::CodeBlock::determineLiveness):
1689         (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences):
1690         (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally):
1691         (JSC::CodeBlock::visitOSRExitTargets):
1692         (JSC::CodeBlock::stronglyVisitStrongReferences):
1693         (JSC::CodeBlock::stronglyVisitWeakReferences):
1694         * bytecode/CodeBlock.h:
1695         (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled):
1696         * heap/CodeBlockSet.cpp:
1697         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
1698         * heap/Heap.cpp:
1699         (JSC::Heap::ResumeTheWorldScope::ResumeTheWorldScope):
1700         (JSC::Heap::markToFixpoint):
1701         (JSC::Heap::beginMarking):
1702         (JSC::Heap::addToRememberedSet):
1703         (JSC::Heap::collectInThread):
1704         * heap/Heap.h:
1705         * heap/HeapInlines.h:
1706         (JSC::Heap::mutatorFence):
1707         * heap/MarkedBlock.cpp:
1708         * runtime/JSCellInlines.h:
1709         (JSC::JSCell::finishCreation):
1710         * runtime/JSObjectInlines.h:
1711         (JSC::JSObject::putDirectWithoutTransition):
1712         (JSC::JSObject::putDirectInternal):
1713         * runtime/Options.h:
1714         * runtime/Structure.cpp:
1715         (JSC::Structure::add):
1716         * runtime/Structure.h:
1717         * runtime/StructureInlines.h:
1718         (JSC::Structure::add):
1719
1720 2016-11-18  Joseph Pecoraro  <pecoraro@apple.com>
1721
1722         Web Inspector: Generator functions should have a displayable name when shown in stack traces
1723         https://bugs.webkit.org/show_bug.cgi?id=164844
1724         <rdar://problem/29300697>
1725
1726         Reviewed by Yusuke Suzuki.
1727
1728         * parser/SyntaxChecker.h:
1729         (JSC::SyntaxChecker::createGeneratorFunctionBody):
1730         * parser/ASTBuilder.h:
1731         (JSC::ASTBuilder::createGeneratorFunctionBody):
1732         New way to create a generator function with an inferred name.
1733
1734         * parser/Parser.cpp:
1735         (JSC::Parser<LexerType>::parseInner):
1736         (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
1737         * parser/Parser.h:
1738         Pass on the name of the generator wrapper function so we can
1739         use it on the inner generator function.
1740
1741 2016-11-17  Ryosuke Niwa  <rniwa@webkit.org>
1742
1743         Add an experimental API to find elements across shadow boundaries
1744         https://bugs.webkit.org/show_bug.cgi?id=164851
1745         <rdar://problem/28220092>
1746
1747         Reviewed by Sam Weinig.
1748
1749         * runtime/CommonIdentifiers.h:
1750
1751 2016-11-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1752
1753         [JSC] Drop arguments.caller
1754         https://bugs.webkit.org/show_bug.cgi?id=164859
1755
1756         Reviewed by Saam Barati.
1757
1758         Originally, some JavaScript engines had an `arguments.caller` property.
1759         But it easily causes information leaks and becomes an obstacle
1760         for Secure ECMAScript (SES). In ES5, we made it deprecated in strict
1761         mode. To do so, we explicitly set a "caller" getter throwing TypeError
1762         on arguments in strict mode.
1763
1764         But now, there is no modern engine which supports `arguments.caller`
1765         in sloppy mode. So the original compatibility problem is gone and
1766         the "caller" getter on strict mode arguments becomes meaningless.
1767
1768         ES2017 drops this from the spec. In this patch, we also drop support
1769         for this `arguments.caller` getter in strict mode.
1770
1771         Note that Function#caller is still alive.
1772
1773         * runtime/ClonedArguments.cpp:
1774         (JSC::ClonedArguments::getOwnPropertySlot):
1775         (JSC::ClonedArguments::put):
1776         (JSC::ClonedArguments::deleteProperty):
1777         (JSC::ClonedArguments::defineOwnProperty):
1778         (JSC::ClonedArguments::materializeSpecials):
1779
1780 2016-11-17  Mark Lam  <mark.lam@apple.com>
1781
1782         Inlining should be disallowed when JSC_alwaysUseShadowChicken=true.
1783         https://bugs.webkit.org/show_bug.cgi?id=164893
1784         <rdar://problem/29146436>
1785
1786         Reviewed by Saam Barati.
1787
1788         * runtime/Options.cpp:
1789         (JSC::recomputeDependentOptions):
1790
1791 2016-11-17  Filip Pizlo  <fpizlo@apple.com>
1792
1793         Speculatively disable eager object zero-fill on not-x86 to let the bots decide if that's a problem
1794         https://bugs.webkit.org/show_bug.cgi?id=164885
1795
1796         Reviewed by Mark Lam.
1797         
1798         This adds a useGCFences() function that we use to guard all eager object zero-fill and the
1799         related fences. It currently returns true only on x86().
1800         
1801         The goal here is to get the bots to tell us if this code is responsible for perf issues on
1802         any non-x86 platforms. We have a few different paths that we can pursue if this turns out
1803         to be the case. Eager zero-fill is merely the easiest way to optimize out some fences, but
1804         we could get rid of it and instead teach B3 how to think about fences.
1805
1806         * assembler/CPU.h:
1807         (JSC::useGCFences):
1808         * bytecode/PolymorphicAccess.cpp:
1809         (JSC::AccessCase::generateImpl):
1810         * dfg/DFGSpeculativeJIT.cpp:
1811         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1812         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1813         * ftl/FTLLowerDFGToB3.cpp:
1814         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1815         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
1816         (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
1817         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1818         (JSC::FTL::DFG::LowerDFGToB3::mutatorFence):
1819         (JSC::FTL::DFG::LowerDFGToB3::setButterfly):
1820         * jit/AssemblyHelpers.h:
1821         (JSC::AssemblyHelpers::mutatorFence):
1822         (JSC::AssemblyHelpers::storeButterfly):
1823         (JSC::AssemblyHelpers::emitInitializeInlineStorage):
1824         (JSC::AssemblyHelpers::emitInitializeOutOfLineStorage):
1825
1826 2016-11-17  Keith Miller  <keith_miller@apple.com>
1827
1828         Add rotate to Wasm
1829         https://bugs.webkit.org/show_bug.cgi?id=164871
1830
1831         Reviewed by Filip Pizlo.
1832
1833         Add rotate left and rotate right to Wasm. These directly map to B3 opcodes.
1834         This also moves arm specific transformations of rotate left to lower macros
1835         after optimization. It's a bad idea to have platform specific canonicalizations
1836         in reduce strength since other optimizations may not be aware of it.
1837
1838         Add a bug to do pure CSE after lower macros after optimization since we want to
1839         clean up RotL(value, Neg(Neg(shift))).
1840
1841         * b3/B3Generate.cpp:
1842         (JSC::B3::generateToAir):
1843         * b3/B3LowerMacrosAfterOptimizations.cpp:
1844         * b3/B3ReduceStrength.cpp:
1845         * wasm/wasm.json:
1846
1847 2016-11-17  Keith Miller  <keith_miller@apple.com>
1848
1849         Add sqrt to Wasm
1850         https://bugs.webkit.org/show_bug.cgi?id=164877
1851
1852         Reviewed by Mark Lam.
1853
1854         B3 already has a Sqrt opcode we just need to map Wasm to it.
1855
1856         * wasm/wasm.json:
1857
1858 2016-11-17  Keith Miller  <keith_miller@apple.com>
1859
1860         Add support for rotate in B3 and the relevant assemblers
1861         https://bugs.webkit.org/show_bug.cgi?id=164869
1862
1863         Reviewed by Geoffrey Garen.
1864
1865         This patch runs RotR and RotL (rotate right and left respectively)
1866         through B3 and B3's assemblers. One thing of note is that ARM64 does
1867         not support rotate left; instead, it allows negative right rotations.
1868
1869         This patch also fixes a theoretical bug in the assembler where
1870         on X86 doing someShiftOp(reg, edx) would instead shift the shift
1871         amount by the value. Additionally, this patch refactors some
1872         of the X86 assembler to use templates when deciding how to format
1873         the appropriate shift instruction.
1874
1875         * assembler/MacroAssemblerARM64.h:
1876         (JSC::MacroAssemblerARM64::rotateRight32):
1877         (JSC::MacroAssemblerARM64::rotateRight64):
1878         * assembler/MacroAssemblerX86Common.h:
1879         (JSC::MacroAssemblerX86Common::rotateRight32):
1880         (JSC::MacroAssemblerX86Common::rotateLeft32):
1881         * assembler/MacroAssemblerX86_64.h:
1882         (JSC::MacroAssemblerX86_64::lshift64):
1883         (JSC::MacroAssemblerX86_64::rshift64):
1884         (JSC::MacroAssemblerX86_64::urshift64):
1885         (JSC::MacroAssemblerX86_64::rotateRight64):
1886         (JSC::MacroAssemblerX86_64::rotateLeft64):
1887         (JSC::MacroAssemblerX86_64::or64):
1888         * assembler/X86Assembler.h:
1889         (JSC::X86Assembler::xorq_rm):
1890         (JSC::X86Assembler::shiftInstruction32):
1891         (JSC::X86Assembler::sarl_i8r):
1892         (JSC::X86Assembler::shrl_i8r):
1893         (JSC::X86Assembler::shll_i8r):
1894         (JSC::X86Assembler::rorl_i8r):
1895         (JSC::X86Assembler::rorl_CLr):
1896         (JSC::X86Assembler::roll_i8r):
1897         (JSC::X86Assembler::roll_CLr):
1898         (JSC::X86Assembler::shiftInstruction64):
1899         (JSC::X86Assembler::sarq_CLr):
1900         (JSC::X86Assembler::sarq_i8r):
1901         (JSC::X86Assembler::shrq_i8r):
1902         (JSC::X86Assembler::shlq_i8r):
1903         (JSC::X86Assembler::rorq_i8r):
1904         (JSC::X86Assembler::rorq_CLr):
1905         (JSC::X86Assembler::rolq_i8r):
1906         (JSC::X86Assembler::rolq_CLr):
1907         * b3/B3Common.h:
1908         (JSC::B3::rotateRight):
1909         (JSC::B3::rotateLeft):
1910         * b3/B3Const32Value.cpp:
1911         (JSC::B3::Const32Value::rotRConstant):
1912         (JSC::B3::Const32Value::rotLConstant):
1913         * b3/B3Const32Value.h:
1914         * b3/B3Const64Value.cpp:
1915         (JSC::B3::Const64Value::rotRConstant):
1916         (JSC::B3::Const64Value::rotLConstant):
1917         * b3/B3Const64Value.h:
1918         * b3/B3LowerToAir.cpp:
1919         (JSC::B3::Air::LowerToAir::lower):
1920         * b3/B3Opcode.cpp:
1921         (WTF::printInternal):
1922         * b3/B3Opcode.h:
1923         * b3/B3ReduceStrength.cpp:
1924         * b3/B3Validate.cpp:
1925         * b3/B3Value.cpp:
1926         (JSC::B3::Value::rotRConstant):
1927         (JSC::B3::Value::rotLConstant):
1928         (JSC::B3::Value::effects):
1929         (JSC::B3::Value::key):
1930         (JSC::B3::Value::typeFor):
1931         * b3/B3Value.h:
1932         * b3/B3ValueKey.cpp:
1933         (JSC::B3::ValueKey::materialize):
1934         * b3/air/AirInstInlines.h:
1935         (JSC::B3::Air::isRotateRight32Valid):
1936         (JSC::B3::Air::isRotateLeft32Valid):
1937         (JSC::B3::Air::isRotateRight64Valid):
1938         (JSC::B3::Air::isRotateLeft64Valid):
1939         * b3/air/AirOpcode.opcodes:
1940         * b3/testb3.cpp:
1941         (JSC::B3::testRotR):
1942         (JSC::B3::testRotL):
1943         (JSC::B3::testRotRWithImmShift):
1944         (JSC::B3::testRotLWithImmShift):
1945         (JSC::B3::run):
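
        The rotate semantics these two entries rely on ("Add rotate to Wasm" above and this
        one), as an added example rather than JSC's B3 or assembler code: the count is
        masked to the operand width, as the hardware rotate instructions do, and a left
        rotate is the same as a right rotate by the negated count modulo the width, which
        is why RotL can be lowered to RotR(value, Neg(shift)) on ARM64 and why the
        RotL(value, Neg(Neg(shift))) form mentioned above is a pure no-op wrapper. The
        helper names are this example's own, and rotateIdentitiesHold() checks the
        identity over every count, including counts past the width, the way a
        constant-folding test in testb3 would.

```cpp
#include <cstdint>

// Rotate helpers. The count is masked to the operand width, so any count is
// well defined (no undefined behaviour from shifting by >= the width).
static inline uint32_t rotateRight32(uint32_t value, unsigned count)
{
    count &= 31;
    return (value >> count) | (value << ((32 - count) & 31));
}

static inline uint32_t rotateLeft32(uint32_t value, unsigned count)
{
    count &= 31;
    return (value << count) | (value >> ((32 - count) & 31));
}

static inline uint64_t rotateRight64(uint64_t value, unsigned count)
{
    count &= 63;
    return (value >> count) | (value << ((64 - count) & 63));
}

static inline uint64_t rotateLeft64(uint64_t value, unsigned count)
{
    count &= 63;
    return (value << count) | (value >> ((64 - count) & 63));
}

// ARM64 only has a rotate-right instruction: rotate left by n is rotate right
// by -n (modulo the width). Unsigned wraparound gives the negation; the mask
// inside rotateRight32/64 reduces it modulo the width.
static inline uint32_t rotateLeft32ViaRotateRight(uint32_t value, unsigned count)
{
    return rotateRight32(value, 0u - count);
}

static inline uint64_t rotateLeft64ViaRotateRight(uint64_t value, unsigned count)
{
    return rotateRight64(value, 0u - count);
}

// Exhaustive check of the lowering identity and of rotate round-tripping, over
// constructed sample values and every count up to twice the width.
bool rotateIdentitiesHold()
{
    const uint32_t samples32[] = { 0x00000001u, 0x80000000u, 0x12345678u, 0xDEADBEEFu };
    const uint64_t samples64[] = { 1ull, 0x8000000000000000ull, 0x0123456789ABCDEFull };
    for (uint32_t v : samples32) {
        for (unsigned n = 0; n < 64; ++n) {     // counts >= 32 exercise the masking
            if (rotateLeft32(v, n) != rotateLeft32ViaRotateRight(v, n))
                return false;
            if (rotateRight32(rotateLeft32(v, n), n) != v)
                return false;
        }
    }
    for (uint64_t v : samples64) {
        for (unsigned n = 0; n < 128; ++n) {
            if (rotateLeft64(v, n) != rotateLeft64ViaRotateRight(v, n))
                return false;
            if (rotateRight64(rotateLeft64(v, n), n) != v)
                return false;
        }
    }
    return true;
}
```

        Masking the count is the detail that makes the negation trick safe: -n as an
        unsigned value is far larger than the width, and only the low 5 or 6 bits are
        meant to reach the instruction, exactly as the hardware behaves.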
1946
1947 2016-11-17  Saam Barati  <sbarati@apple.com>
1948
1949         Remove async/await compile time flag and enable tests
1950         https://bugs.webkit.org/show_bug.cgi?id=164828
1951         <rdar://problem/28639334>
1952
1953         Reviewed by Yusuke Suzuki.
1954
1955         * Configurations/FeatureDefines.xcconfig:
1956         * parser/Parser.cpp:
1957         (JSC::Parser<LexerType>::parseStatementListItem):
1958         (JSC::Parser<LexerType>::parseStatement):
1959         (JSC::Parser<LexerType>::parseClass):
1960         (JSC::Parser<LexerType>::parseExportDeclaration):
1961         (JSC::Parser<LexerType>::parseAssignmentExpression):
1962         (JSC::Parser<LexerType>::parseProperty):
1963         (JSC::Parser<LexerType>::parsePrimaryExpression):
1964         (JSC::Parser<LexerType>::parseMemberExpression):
1965         (JSC::Parser<LexerType>::parseUnaryExpression):
1966
1967 2016-11-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1968
1969         [JSC] WTF::TemporaryChange with WTF::SetForScope
1970         https://bugs.webkit.org/show_bug.cgi?id=164761
1971
1972         Reviewed by Saam Barati.
1973
1974         * bytecompiler/BytecodeGenerator.h:
1975         * bytecompiler/SetForScope.h: Removed.
1976         * debugger/Debugger.cpp:
1977         * inspector/InspectorBackendDispatcher.cpp:
1978         (Inspector::BackendDispatcher::dispatch):
1979         * inspector/ScriptDebugServer.cpp:
1980         (Inspector::ScriptDebugServer::dispatchBreakpointActionLog):
1981         (Inspector::ScriptDebugServer::dispatchBreakpointActionSound):
1982         (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe):
1983         (Inspector::ScriptDebugServer::sourceParsed):
1984         (Inspector::ScriptDebugServer::dispatchFunctionToListeners):
1985         * parser/Parser.cpp:
1986
1987 2016-11-16  Mark Lam  <mark.lam@apple.com>
1988
1989         ExceptionFuzz needs to placate exception check verification before overwriting a thrown exception.
1990         https://bugs.webkit.org/show_bug.cgi?id=164843
1991
1992         Reviewed by Keith Miller.
1993
1994         The ThrowScope will check for unchecked simulated exceptions before throwing a
1995         new exception.  This ensures that we don't quietly overwrite a pending exception
1996         (which should never happen, with the only exception being to rethrow the same
1997         exception).  However, ExceptionFuzz works by intentionally throwing its own
1998         exception even when one may already exist thereby potentially overwriting an
1999         existing exception.  This is ok for ExceptionFuzz testing, but we need to placate
2000         the exception check verifier before ExceptionFuzz throws its own exception.
2001
2002         * runtime/ExceptionFuzz.cpp:
2003         (JSC::doExceptionFuzzing):
2004
2005 2016-11-16  Geoffrey Garen  <ggaren@apple.com>
2006
2007         UnlinkedCodeBlock should not have a starting line number
2008         https://bugs.webkit.org/show_bug.cgi?id=164838
2009
2010         Reviewed by Mark Lam.
2011
2012         Here's how the starting line number in UnlinkedCodeBlock used to work:
2013
2014         (1) Assign the source code starting line number to the parser starting
2015         line number.
2016
2017         (2) Assign (1) to the AST.
2018
2019         (3) Subtract (1) from (2) and assign to UnlinkedCodeBlock.
2020
2021         Then, when linking:
2022
2023         (4) Add (3) to (1).
2024
2025         This was an awesome no-op.
2026
2027         Generally, unlinked code is code that is not tied to any particular
2028         web page or resource. So, it's inappropriate to think of it having a
2029         starting line number.
2030
2031         * bytecode/UnlinkedCodeBlock.cpp:
2032         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2033         * bytecode/UnlinkedCodeBlock.h:
2034         (JSC::UnlinkedCodeBlock::recordParse):
2035         (JSC::UnlinkedCodeBlock::hasCapturedVariables):
2036         (JSC::UnlinkedCodeBlock::firstLine): Deleted.
2037         * runtime/CodeCache.cpp:
2038         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
2039         * runtime/CodeCache.h:
2040         (JSC::generateUnlinkedCodeBlock):
2041
2042 2016-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2043
2044         [ES6][WebCore] Change ES6_MODULES compile time flag to runtime flag
2045         https://bugs.webkit.org/show_bug.cgi?id=164827
2046
2047         Reviewed by Ryosuke Niwa.
2048
2049         * Configurations/FeatureDefines.xcconfig:
2050
2051 2016-11-16  Filip Pizlo  <fpizlo@apple.com>
2052
2053         Unreviewed, roll out r208811. It's not sound.
2054
2055         * ftl/FTLLowerDFGToB3.cpp:
2056         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2057         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
2058         (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
2059         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2060         (JSC::FTL::DFG::LowerDFGToB3::mutatorFence):
2061         (JSC::FTL::DFG::LowerDFGToB3::setButterfly):
2062         (JSC::FTL::DFG::LowerDFGToB3::splatWordsIfMutatorIsFenced): Deleted.
2063
2064 2016-11-16  Keith Miller  <keith_miller@apple.com>
2065
2066         Wasm function parser should use template functions for each binary and unary opcode
2067         https://bugs.webkit.org/show_bug.cgi?id=164835
2068
2069         Reviewed by Mark Lam.
2070
2071         This patch changes the wasm function parser to call into a template specialization
2072         for each binary/unary opcode. This change makes it easier to have custom implementations
2073         of various opcodes. It is also, in theory, a speedup since it does not require switching
2074         on the opcode twice.
2075
2076         * CMakeLists.txt:
2077         * DerivedSources.make:
2078         * wasm/WasmB3IRGenerator.cpp:
2079         (): Deleted.
2080         * wasm/WasmFunctionParser.h:
2081         (JSC::Wasm::FunctionParser<Context>::binaryCase):
2082         (JSC::Wasm::FunctionParser<Context>::unaryCase):
2083         (JSC::Wasm::FunctionParser<Context>::parseExpression):
2084         * wasm/WasmValidate.cpp:
2085         * wasm/generateWasm.py:
2086         (isBinary):
2087         (isSimple):
2088         * wasm/generateWasmB3IRGeneratorInlinesHeader.py: Added.
2089         (generateSimpleCode):
2090         * wasm/generateWasmOpsHeader.py:
2091         (opcodeMacroizer):
2092         * wasm/generateWasmValidateInlinesHeader.py:
2093
2094 2016-11-16  Mark Lam  <mark.lam@apple.com>
2095
2096         ExceptionFuzz functions should use its client's ThrowScope.
2097         https://bugs.webkit.org/show_bug.cgi?id=164834
2098
2099         Reviewed by Geoffrey Garen.
2100
2101         This is because ExceptionFuzz's purpose is to throw exceptions from its client at
2102         exception check sites.  Using the client's ThrowScope solves 2 problems:
2103
2104         1. If ExceptionFuzz instantiates its own ThrowScope, the simulated throw will be
2105            mis-attributed to ExceptionFuzz when it should be attributed to its client.
2106
2107         2. One way exception scope verification works is by having ThrowScopes assert
2108            that there are no unchecked simulated exceptions when the ThrowScope is
2109            instantiated.  However, ExceptionFuzz necessarily works by inserting
2110            doExceptionFuzzingIfEnabled() in between a ThrowScope that simulated a throw
2111            and an exception check.  If we declare a ThrowScope in ExceptionFuzz's code,
2112            we will be instantiating the ThrowScope between the point where a simulated
2113            throw occurs and where the needed exception check can occur.  Hence, having
2114            ExceptionFuzz instantiate its own ThrowScope will fail exception scope
2115            verification every time.
2116
2117         Changing ExceptionFuzz to use its client's ThrowScope resolves both problems.
2118
2119         Also fixed the THROW() macro in CommonSlowPaths.cpp to use the ThrowScope that
2120         already exists in every slow path function instead of creating a new one.
2121
2122         * jit/JITOperations.cpp:
2123         * llint/LLIntSlowPaths.cpp:
2124         * runtime/CommonSlowPaths.cpp:
2125         * runtime/ExceptionFuzz.cpp:
2126         (JSC::doExceptionFuzzing):
2127         * runtime/ExceptionFuzz.h:
2128         (JSC::doExceptionFuzzingIfEnabled):
2129
2130 2016-11-16  Filip Pizlo  <fpizlo@apple.com>
2131
2132         Slight Octane regression from concurrent GC's eager object zero-fill
2133         https://bugs.webkit.org/show_bug.cgi?id=164823
2134
2135         Reviewed by Geoffrey Garen.
2136         
2137         During concurrent GC, we need to eagerly zero-fill objects we allocate prior to
2138         executing the end-of-allocation fence. This causes some regressions. This is an attempt
2139         to fix those regressions by making them conditional on whether the mutator is fenced.
2140         
2141         This is a slight speed-up on raytrace and boyer, and hopefully it will fix the
2142         regression.
2143
2144         * ftl/FTLLowerDFGToB3.cpp:
2145         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2146         (JSC::FTL::DFG::LowerDFGToB3::splatWordsIfMutatorIsFenced):
2147         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
2148         (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
2149         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2150         (JSC::FTL::DFG::LowerDFGToB3::mutatorFence):
2151         (JSC::FTL::DFG::LowerDFGToB3::setButterfly):
2152
2153 2016-11-16  Mark Lam  <mark.lam@apple.com>
2154
2155         Fix exception scope checking in JSGlobalObject.cpp.
2156         https://bugs.webkit.org/show_bug.cgi?id=164831
2157
2158         Reviewed by Saam Barati.
2159
2160         * runtime/JSGlobalObject.cpp:
2161         (JSC::JSGlobalObject::init):
2162         - Use a CatchScope here because we don't ever expect JSGlobalObject initialization
2163           to fail with errors.
2164         (JSC::JSGlobalObject::put):
2165         - Fix exception check requirements.
2166
2167 2016-11-16  Keith Miller  <keith_miller@apple.com>
2168
2169         Unreviewed, ARM build fix.
2170
2171         * b3/B3LowerToAir.cpp:
2172         (JSC::B3::Air::LowerToAir::lower):
2173         (JSC::B3::Air::LowerToAir::lowerX86Div):
2174         (JSC::B3::Air::LowerToAir::lowerX86UDiv):
2175
2176 2016-11-15  Mark Lam  <mark.lam@apple.com>
2177
2178         Make JSC test functions more robust.
2179         https://bugs.webkit.org/show_bug.cgi?id=164807
2180
2181         Reviewed by Keith Miller.
2182
2183         * jsc.cpp:
2184         (functionGetHiddenValue):
2185         (functionSetHiddenValue):
2186
2187 2016-11-15  Keith Miller  <keith_miller@apple.com>
2188
2189         B3 should support UDiv/UMod
2190         https://bugs.webkit.org/show_bug.cgi?id=164811
2191
2192         Reviewed by Filip Pizlo.
2193
2194         This patch adds support for UDiv and UMod in B3. Many of the magic number
2195         cases have been omitted for now since they are unlikely to happen in wasm
2196         code. Most wasm code we will see is generated via llvm, which has more
2197         robust versions of what we would do anyway. Additionally, this patch
2198         links the new opcodes up to the wasm parser.
2199
2200         * assembler/MacroAssemblerARM64.h:
2201         (JSC::MacroAssemblerARM64::uDiv32):
2202         (JSC::MacroAssemblerARM64::uDiv64):
2203         * assembler/MacroAssemblerX86Common.h:
2204         (JSC::MacroAssemblerX86Common::x86UDiv32):
2205         * assembler/MacroAssemblerX86_64.h:
2206         (JSC::MacroAssemblerX86_64::x86UDiv64):
2207         * assembler/X86Assembler.h:
2208         (JSC::X86Assembler::divq_r):
2209         * b3/B3Common.h:
2210         (JSC::B3::chillUDiv):
2211         (JSC::B3::chillUMod):
2212         * b3/B3Const32Value.cpp:
2213         (JSC::B3::Const32Value::uDivConstant):
2214         (JSC::B3::Const32Value::uModConstant):
2215         * b3/B3Const32Value.h:
2216         * b3/B3Const64Value.cpp:
2217         (JSC::B3::Const64Value::uDivConstant):
2218         (JSC::B3::Const64Value::uModConstant):
2219         * b3/B3Const64Value.h:
2220         * b3/B3LowerMacros.cpp:
2221         * b3/B3LowerToAir.cpp:
2222         (JSC::B3::Air::LowerToAir::lower):
2223         (JSC::B3::Air::LowerToAir::lowerX86UDiv):
2224         * b3/B3Opcode.cpp:
2225         (WTF::printInternal):
2226         * b3/B3Opcode.h:
2227         * b3/B3ReduceStrength.cpp:
2228         * b3/B3Validate.cpp:
2229         * b3/B3Value.cpp:
2230         (JSC::B3::Value::uDivConstant):
2231         (JSC::B3::Value::uModConstant):
2232         (JSC::B3::Value::effects):
2233         (JSC::B3::Value::key):
2234         (JSC::B3::Value::typeFor):
2235         * b3/B3Value.h:
2236         * b3/B3ValueKey.cpp:
2237         (JSC::B3::ValueKey::materialize):
2238         * b3/air/AirInstInlines.h:
2239         (JSC::B3::Air::isX86UDiv32Valid):
2240         (JSC::B3::Air::isX86UDiv64Valid):
2241         * b3/air/AirOpcode.opcodes:
2242         * b3/testb3.cpp:
2243         (JSC::B3::testUDivArgsInt32):
2244         (JSC::B3::testUDivArgsInt64):
2245         (JSC::B3::testUModArgsInt32):
2246         (JSC::B3::testUModArgsInt64):
2247         (JSC::B3::run):
2248         * wasm/wasm.json:
2249
2250 2016-11-15  Joseph Pecoraro  <pecoraro@apple.com>
2251
2252         Web Inspector: Preview other CSS @media in browser window (print)
2253         https://bugs.webkit.org/show_bug.cgi?id=13530
2254         <rdar://problem/5712928>
2255
2256         Reviewed by Timothy Hatcher.
2257
2258         * inspector/protocol/Page.json:
2259         Update to preferred JSON style.
2260
2261 2016-11-15  Filip Pizlo  <fpizlo@apple.com>
2262
2263         Unreviewed, revert renaming useConcurrentJIT to useConcurrentJS.
2264
2265         * dfg/DFGDriver.cpp:
2266         (JSC::DFG::compileImpl):
2267         * heap/Heap.cpp:
2268         (JSC::Heap::addToRememberedSet):
2269         * jit/JITWorklist.cpp:
2270         (JSC::JITWorklist::compileLater):
2271         (JSC::JITWorklist::compileNow):
2272         * runtime/Options.cpp:
2273         (JSC::recomputeDependentOptions):
2274         * runtime/Options.h:
2275         * runtime/WriteBarrierInlines.h:
2276         (JSC::WriteBarrierBase<T>::set):
2277         (JSC::WriteBarrierBase<Unknown>::set):
2278
2279 2016-11-15  Geoffrey Garen  <ggaren@apple.com>
2280
2281         Debugging and other tools should not disable the code cache
2282         https://bugs.webkit.org/show_bug.cgi?id=164802
2283
2284         Reviewed by Mark Lam.
2285
2286         * bytecode/UnlinkedFunctionExecutable.cpp:
2287         (JSC::UnlinkedFunctionExecutable::fromGlobalCode): Updated for interface
2288         change.
2289
2290         * parser/SourceCodeKey.h:
2291         (JSC::SourceCodeFlags::SourceCodeFlags):
2292         (JSC::SourceCodeFlags::bits):
2293         (JSC::SourceCodeKey::SourceCodeKey): Treat debugging and other tools
2294         as part of our key so that we can cache code while using tools. Be sure
2295         to include these bits in our hash function so you don't get storms of
2296         collisions as you open and close the Web Inspector.
2297
2298         * runtime/CodeCache.cpp:
2299         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
2300         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable): Treat tools as
2301         a part of our key instead of as a reason to disable caching.
2302
2303         * runtime/CodeCache.h:
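
        An illustration of the hashing point in the entry above, added here as an example and not taken from SourceCodeKey.h or CodeCache.cpp: a key that compares its tool bits for equality but leaves them out of the hash makes every tools-on/tools-off variant of the same source collide. The flag names, the mixing constant and the tiny cache are assumptions.

```cpp
#include <algorithm>
#include <cstddef>
#include <functional>
#include <set>
#include <string>
#include <unordered_map>
#include <iostream>

// Model of a source-code cache key carrying "tool" bits. This is an added
// illustration, not JSC's SourceCodeKey; flag names are assumptions.
enum ToolFlags : unsigned {
    NoTools = 0,
    DebuggerEnabled = 1u << 0,
    TypeProfilerEnabled = 1u << 1,
    ControlFlowProfilerEnabled = 1u << 2,
    AllTools = DebuggerEnabled | TypeProfilerEnabled | ControlFlowProfilerEnabled,
};

struct CacheKey {
    std::string source;
    unsigned flags;
    bool operator==(const CacheKey& other) const {
        return source == other.source && flags == other.flags;
    }
};

// The mistake the entry warns against: flags take part in equality but not in
// the hash, so the same source with tools on and off always shares one bucket.
struct HashIgnoringFlags {
    size_t operator()(const CacheKey& key) const { return std::hash<std::string>()(key.source); }
};

// The corrected form: mix the flag bits into the hash so keys that differ only
// in tool state get different hash values.
struct HashWithFlags {
    size_t operator()(const CacheKey& key) const {
        size_t h = std::hash<std::string>()(key.source);
        // Multiples of an odd constant are distinct modulo 2^N, so XOR keeps the
        // eight flag combinations apart from each other.
        h ^= static_cast<size_t>(key.flags) * static_cast<size_t>(0x9E3779B97F4A7C15ull);
        return h;
    }
};

// Number of distinct hash values one source produces across every tool combination.
template<typename Hasher>
size_t distinctHashesAcrossToolStates(const std::string& source)
{
    std::set<size_t> hashes;
    for (unsigned flags = 0; flags <= AllTools; ++flags)
        hashes.insert(Hasher()(CacheKey{source, flags}));
    return hashes.size();
}

// A tiny code cache. Lookups distinguish tool states with either hasher, because
// equality still compares flags; only the bucket distribution differs.
template<typename Hasher>
class CodeCache {
public:
    void put(const std::string& source, unsigned flags, const std::string& unlinkedCode) {
        m_map[CacheKey{source, flags}] = unlinkedCode;
    }
    const std::string* get(const std::string& source, unsigned flags) const {
        auto it = m_map.find(CacheKey{source, flags});
        return it == m_map.end() ? nullptr : &it->second;
    }
    // Longest chain in the table: the "storm of collisions" made visible.
    size_t maxBucketSize() const {
        size_t worst = 0;
        for (size_t b = 0; b < m_map.bucket_count(); ++b)
            worst = std::max(worst, m_map.bucket_size(b));
        return worst;
    }
private:
    std::unordered_map<CacheKey, std::string, Hasher> m_map;
};

int main()
{
    const std::string source = "function f() { return 1; }";  // constructed sample
    std::cout << "distinct hashes, flags ignored: "
              << distinctHashesAcrossToolStates<HashIgnoringFlags>(source) << "\n";
    std::cout << "distinct hashes, flags mixed in: "
              << distinctHashesAcrossToolStates<HashWithFlags>(source) << "\n";
    return 0;
}
```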
2304
2305 2016-11-15  Mark Lam  <mark.lam@apple.com>
2306
2307         Remove JSString::SafeView and replace its uses with StringViewWithUnderlyingString.
2308         https://bugs.webkit.org/show_bug.cgi?id=164777
2309
2310         Reviewed by Geoffrey Garen.
2311
2312         JSString::SafeView no longer achieves its intended goal to make it easier to
2313         handle strings safely.  Its clients still need to do explicit exception checks in
2314         order to be correct.  We'll remove it and replace its uses with
2315         StringViewWithUnderlyingString instead, which serves to get a StringView
2316         (which is what we really wanted from SafeView) and keeps the backing String alive
2317         while the view is in use.
2318
2319         Also added some missing exception checks.
2320
2321         * jsc.cpp:
2322         (printInternal):
2323         (functionDebug):
2324         * runtime/ArrayPrototype.cpp:
2325         (JSC::arrayProtoFuncJoin):
2326         * runtime/FunctionConstructor.cpp:
2327         (JSC::constructFunctionSkippingEvalEnabledCheck):
2328         * runtime/IntlCollatorPrototype.cpp:
2329         (JSC::IntlCollatorFuncCompare):
2330         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2331         (JSC::genericTypedArrayViewProtoFuncJoin):
2332         * runtime/JSGlobalObjectFunctions.cpp:
2333         (JSC::toStringView):
2334         (JSC::globalFuncParseFloat):
2335         * runtime/JSONObject.cpp:
2336         (JSC::JSONProtoFuncParse):
2337         * runtime/JSString.h:
2338         (JSC::JSString::SafeView::is8Bit): Deleted.
2339         (JSC::JSString::SafeView::length): Deleted.
2340         (JSC::JSString::SafeView::SafeView): Deleted.
2341         (JSC::JSString::SafeView::get): Deleted.
2342         (JSC::JSString::view): Deleted.
2343         * runtime/StringPrototype.cpp:
2344         (JSC::stringProtoFuncRepeatCharacter):
2345         (JSC::stringProtoFuncCharAt):
2346         (JSC::stringProtoFuncCharCodeAt):
2347         (JSC::stringProtoFuncIndexOf):
2348         (JSC::stringProtoFuncNormalize):
2349
2350 2016-11-15  Filip Pizlo  <fpizlo@apple.com>
2351
2352         Unreviewed, remove bogus assertion.
2353
2354         * heap/Heap.cpp:
2355         (JSC::Heap::markToFixpoint):
2356
2357 2016-11-15  Filip Pizlo  <fpizlo@apple.com>
2358
2359         [mac-wk1 debug] ASSERTION FAILED: thisObject->m_propertyTableUnsafe
2360         https://bugs.webkit.org/show_bug.cgi?id=162986
2361
2362         Reviewed by Saam Barati.
2363         
2364         This assertion is wrong for concurrent GC anyway, so this removes it.
2365
2366         * runtime/Structure.cpp:
2367         (JSC::Structure::visitChildren):
2368
2369 2016-11-15  Filip Pizlo  <fpizlo@apple.com>
2370
2371         Rename CONCURRENT_JIT/ConcurrentJIT to CONCURRENT_JS/ConcurrentJS
2372         https://bugs.webkit.org/show_bug.cgi?id=164791
2373
2374         Reviewed by Geoffrey Garen.
2375         
2376         Just renaming.
2377
2378         * JavaScriptCore.xcodeproj/project.pbxproj:
2379         * bytecode/ArrayProfile.cpp:
2380         (JSC::ArrayProfile::computeUpdatedPrediction):
2381         (JSC::ArrayProfile::briefDescription):
2382         (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
2383         * bytecode/ArrayProfile.h:
2384         (JSC::ArrayProfile::observedArrayModes):
2385         (JSC::ArrayProfile::mayInterceptIndexedAccesses):
2386         (JSC::ArrayProfile::mayStoreToHole):
2387         (JSC::ArrayProfile::outOfBounds):
2388         (JSC::ArrayProfile::usesOriginalArrayStructures):
2389         * bytecode/CallLinkStatus.cpp:
2390         (JSC::CallLinkStatus::computeFromLLInt):
2391         (JSC::CallLinkStatus::computeFor):
2392         (JSC::CallLinkStatus::computeExitSiteData):
2393         (JSC::CallLinkStatus::computeFromCallLinkInfo):
2394         (JSC::CallLinkStatus::computeDFGStatuses):
2395         * bytecode/CallLinkStatus.h:
2396         * bytecode/CodeBlock.cpp:
2397         (JSC::CodeBlock::dumpValueProfiling):
2398         (JSC::CodeBlock::dumpArrayProfiling):
2399         (JSC::CodeBlock::finishCreation):
2400         (JSC::CodeBlock::setConstantRegisters):
2401         (JSC::CodeBlock::getStubInfoMap):
2402         (JSC::CodeBlock::getCallLinkInfoMap):
2403         (JSC::CodeBlock::getByValInfoMap):
2404         (JSC::CodeBlock::addStubInfo):
2405         (JSC::CodeBlock::addByValInfo):
2406         (JSC::CodeBlock::addCallLinkInfo):
2407         (JSC::CodeBlock::resetJITData):
2408         (JSC::CodeBlock::shrinkToFit):
2409         (JSC::CodeBlock::getArrayProfile):
2410         (JSC::CodeBlock::addArrayProfile):
2411         (JSC::CodeBlock::getOrAddArrayProfile):
2412         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
2413         (JSC::CodeBlock::updateAllArrayPredictions):
2414         (JSC::CodeBlock::nameForRegister):
2415         (JSC::CodeBlock::livenessAnalysisSlow):
2416         * bytecode/CodeBlock.h:
2417         (JSC::CodeBlock::setJITCode):
2418         (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
2419         (JSC::CodeBlock::addFrequentExitSite):
2420         (JSC::CodeBlock::hasExitSite):
2421         (JSC::CodeBlock::livenessAnalysis):
2422         * bytecode/DFGExitProfile.cpp:
2423         (JSC::DFG::ExitProfile::add):
2424         (JSC::DFG::ExitProfile::hasExitSite):
2425         (JSC::DFG::QueryableExitProfile::initialize):
2426         * bytecode/DFGExitProfile.h:
2427         (JSC::DFG::ExitProfile::hasExitSite):
2428         * bytecode/GetByIdStatus.cpp:
2429         (JSC::GetByIdStatus::hasExitSite):
2430         (JSC::GetByIdStatus::computeFor):
2431         (JSC::GetByIdStatus::computeForStubInfo):
2432         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
2433         * bytecode/GetByIdStatus.h:
2434         * bytecode/LazyOperandValueProfile.cpp:
2435         (JSC::CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions):
2436         (JSC::CompressedLazyOperandValueProfileHolder::add):
2437         (JSC::LazyOperandValueProfileParser::initialize):
2438         (JSC::LazyOperandValueProfileParser::prediction):
2439         * bytecode/LazyOperandValueProfile.h:
2440         * bytecode/MethodOfGettingAValueProfile.cpp:
2441         (JSC::MethodOfGettingAValueProfile::emitReportValue):
2442         * bytecode/PutByIdStatus.cpp:
2443         (JSC::PutByIdStatus::hasExitSite):
2444         (JSC::PutByIdStatus::computeFor):
2445         (JSC::PutByIdStatus::computeForStubInfo):
2446         * bytecode/PutByIdStatus.h:
2447         * bytecode/StructureStubClearingWatchpoint.cpp:
2448         (JSC::StructureStubClearingWatchpoint::fireInternal):
2449         * bytecode/ValueProfile.h:
2450         (JSC::ValueProfileBase::briefDescription):
2451         (JSC::ValueProfileBase::computeUpdatedPrediction):
2452         * dfg/DFGArrayMode.cpp:
2453         (JSC::DFG::ArrayMode::fromObserved):
2454         * dfg/DFGArrayMode.h:
2455         (JSC::DFG::ArrayMode::withSpeculationFromProfile):
2456         (JSC::DFG::ArrayMode::withProfile):
2457         * dfg/DFGByteCodeParser.cpp:
2458         (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
2459         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
2460         (JSC::DFG::ByteCodeParser::getArrayMode):
2461         (JSC::DFG::ByteCodeParser::handleInlining):
2462         (JSC::DFG::ByteCodeParser::parseBlock):
2463         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2464         * dfg/DFGDriver.cpp:
2465         (JSC::DFG::compileImpl):
2466         * dfg/DFGFixupPhase.cpp:
2467         (JSC::DFG::FixupPhase::fixupNode):
2468         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
2469         * dfg/DFGGraph.cpp:
2470         (JSC::DFG::Graph::tryGetConstantClosureVar):
2471         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2472         * dfg/DFGPredictionInjectionPhase.cpp:
2473         (JSC::DFG::PredictionInjectionPhase::run):
2474         * ftl/FTLLowerDFGToB3.cpp:
2475         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
2476         * ftl/FTLOperations.cpp:
2477         (JSC::FTL::operationMaterializeObjectInOSR):
2478         * heap/Heap.cpp:
2479         (JSC::Heap::addToRememberedSet):
2480         * jit/JIT.cpp:
2481         (JSC::JIT::compileWithoutLinking):
2482         * jit/JITInlines.h:
2483         (JSC::JIT::chooseArrayMode):
2484         * jit/JITOperations.cpp:
2485         (JSC::tryGetByValOptimize):
2486         * jit/JITPropertyAccess.cpp:
2487         (JSC::JIT::privateCompileGetByValWithCachedId):
2488         (JSC::JIT::privateCompilePutByValWithCachedId):
2489         * jit/JITWorklist.cpp:
2490         (JSC::JITWorklist::compileLater):
2491         (JSC::JITWorklist::compileNow):
2492         * jit/Repatch.cpp:
2493         (JSC::repatchGetByID):
2494         (JSC::repatchPutByID):
2495         * llint/LLIntSlowPaths.cpp:
2496         (JSC::LLInt::setupGetByIdPrototypeCache):
2497         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2498         (JSC::LLInt::setUpCall):
2499         * profiler/ProfilerBytecodeSequence.cpp:
2500         (JSC::Profiler::BytecodeSequence::BytecodeSequence):
2501         * runtime/CommonSlowPaths.cpp:
2502         (JSC::SLOW_PATH_DECL):
2503         * runtime/CommonSlowPaths.h:
2504         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
2505         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
2506         * runtime/ConcurrentJITLock.h: Removed.
2507         * runtime/ConcurrentJSLock.h: Copied from Source/JavaScriptCore/runtime/ConcurrentJITLock.h.
2508         (JSC::ConcurrentJSLockerBase::ConcurrentJSLockerBase):
2509         (JSC::ConcurrentJSLockerBase::~ConcurrentJSLockerBase):
2510         (JSC::GCSafeConcurrentJSLocker::GCSafeConcurrentJSLocker):
2511         (JSC::GCSafeConcurrentJSLocker::~GCSafeConcurrentJSLocker):
2512         (JSC::ConcurrentJSLocker::ConcurrentJSLocker):
2513         (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase): Deleted.
2514         (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase): Deleted.
2515         (JSC::ConcurrentJITLockerBase::unlockEarly): Deleted.
2516         (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker): Deleted.
2517         (JSC::GCSafeConcurrentJITLocker::~GCSafeConcurrentJITLocker): Deleted.
2518         (JSC::ConcurrentJITLocker::ConcurrentJITLocker): Deleted.
2519         * runtime/InferredType.cpp:
2520         (JSC::InferredType::canWatch):
2521         (JSC::InferredType::addWatchpoint):
2522         (JSC::InferredType::willStoreValueSlow):
2523         (JSC::InferredType::makeTopSlow):
2524         (JSC::InferredType::set):
2525         (JSC::InferredType::removeStructure):
2526         * runtime/InferredType.h:
2527         * runtime/InferredTypeTable.cpp:
2528         (JSC::InferredTypeTable::visitChildren):
2529         (JSC::InferredTypeTable::get):
2530         (JSC::InferredTypeTable::willStoreValue):
2531         (JSC::InferredTypeTable::makeTop):
2532         * runtime/InferredTypeTable.h:
2533         * runtime/JSEnvironmentRecord.cpp:
2534         (JSC::JSEnvironmentRecord::heapSnapshot):
2535         * runtime/JSGlobalObject.cpp:
2536         (JSC::JSGlobalObject::addGlobalVar):
2537         (JSC::JSGlobalObject::addStaticGlobals):
2538         * runtime/JSLexicalEnvironment.cpp:
2539         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
2540         * runtime/JSObject.cpp:
2541         (JSC::JSObject::deleteProperty):
2542         (JSC::JSObject::shiftButterflyAfterFlattening):
2543         * runtime/JSObject.h:
2544         * runtime/JSObjectInlines.h:
2545         (JSC::JSObject::putDirectWithoutTransition):
2546         (JSC::JSObject::putDirectInternal):
2547         * runtime/JSScope.cpp:
2548         (JSC::abstractAccess):
2549         (JSC::JSScope::collectClosureVariablesUnderTDZ):
2550         * runtime/JSSegmentedVariableObject.cpp:
2551         (JSC::JSSegmentedVariableObject::findVariableIndex):
2552         (JSC::JSSegmentedVariableObject::addVariables):
2553         (JSC::JSSegmentedVariableObject::heapSnapshot):
2554         * runtime/JSSegmentedVariableObject.h:
2555         * runtime/JSSymbolTableObject.cpp:
2556         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
2557         * runtime/JSSymbolTableObject.h:
2558         (JSC::symbolTableGet):
2559         (JSC::symbolTablePut):
2560         * runtime/Options.cpp:
2561         (JSC::recomputeDependentOptions):
2562         * runtime/Options.h:
2563         * runtime/ProgramExecutable.cpp:
2564         (JSC::ProgramExecutable::initializeGlobalProperties):
2565         * runtime/RegExp.cpp:
2566         (JSC::RegExp::compile):
2567         (JSC::RegExp::matchConcurrently):
2568         (JSC::RegExp::compileMatchOnly):
2569         (JSC::RegExp::deleteCode):
2570         * runtime/RegExp.h:
2571         * runtime/Structure.cpp:
2572         (JSC::Structure::materializePropertyTable):
2573         (JSC::Structure::addPropertyTransitionToExistingStructureConcurrently):
2574         (JSC::Structure::addNewPropertyTransition):
2575         (JSC::Structure::takePropertyTableOrCloneIfPinned):
2576         (JSC::Structure::nonPropertyTransition):
2577         (JSC::Structure::flattenDictionaryStructure):
2578         (JSC::Structure::ensurePropertyReplacementWatchpointSet):
2579         (JSC::Structure::add):
2580         (JSC::Structure::remove):
2581         (JSC::Structure::visitChildren):
2582         * runtime/Structure.h:
2583         * runtime/StructureInlines.h:
2584         (JSC::Structure::propertyReplacementWatchpointSet):
2585         (JSC::Structure::add):
2586         (JSC::Structure::remove):
2587         * runtime/SymbolTable.cpp:
2588         (JSC::SymbolTable::visitChildren):
2589         (JSC::SymbolTable::localToEntry):
2590         (JSC::SymbolTable::entryFor):
2591         (JSC::SymbolTable::prepareForTypeProfiling):
2592         (JSC::SymbolTable::uniqueIDForVariable):
2593         (JSC::SymbolTable::uniqueIDForOffset):
2594         (JSC::SymbolTable::globalTypeSetForOffset):
2595         (JSC::SymbolTable::globalTypeSetForVariable):
2596         * runtime/SymbolTable.h:
2597         * runtime/TypeSet.cpp:
2598         (JSC::TypeSet::addTypeInformation):
2599         (JSC::TypeSet::invalidateCache):
2600         * runtime/TypeSet.h:
2601         (JSC::TypeSet::structureSet):
2602         * runtime/VM.h:
2603         * runtime/WriteBarrierInlines.h:
2604         (JSC::WriteBarrierBase<T>::set):
2605         (JSC::WriteBarrierBase<Unknown>::set):
2606         * yarr/YarrInterpreter.cpp:
2607         (JSC::Yarr::ByteCompiler::compile):
2608         (JSC::Yarr::byteCompile):
2609         * yarr/YarrInterpreter.h:
2610         (JSC::Yarr::BytecodePattern::BytecodePattern):
2611
2612 2016-11-15  Joseph Pecoraro  <pecoraro@apple.com>
2613
2614         Web Inspector: Remove unused and untested Page.setTouchEmulationEnabled command
2615         https://bugs.webkit.org/show_bug.cgi?id=164793
2616
2617         Reviewed by Matt Baker.
2618
2619         * inspector/protocol/Page.json:
2620
2621 2016-11-15  Yusuke Suzuki  <utatane.tea@gmail.com>
2622
2623         Unreviewed, build fix for Windows debug build after r208738
2624         https://bugs.webkit.org/show_bug.cgi?id=164727
2625
2626         This static member variable can be touched outside of the JSC project
2627         since inlined MacroAssembler member functions read / write it.
2628         So it should be exported.
2629
2630         * assembler/MacroAssemblerX86Common.h:
2631
2632 2016-11-15  Joseph Pecoraro  <pecoraro@apple.com>
2633
2634         Web Inspector: inspector/worker/debugger-pause.html fails on WebKit1
2635         https://bugs.webkit.org/show_bug.cgi?id=164787
2636
2637         Reviewed by Timothy Hatcher.
2638
2639         * inspector/agents/InspectorDebuggerAgent.cpp:
2640         (Inspector::InspectorDebuggerAgent::cancelPauseOnNextStatement):
2641         Clear this DebuggerAgent state when we resume.
2642
2643 2016-11-15  Filip Pizlo  <fpizlo@apple.com>
2644
2645         It should be possible to disable concurrent GC timeslicing
2646         https://bugs.webkit.org/show_bug.cgi?id=164788
2647
2648         Reviewed by Saam Barati.
2649         
2650         Collector timeslicing means that the collector will try to pause once every 2ms. This is
2651         great because it throttles the mutator and prevents it from outpacing the collector. But
2652         it reduces some of the efficacy of the collectContinuously=true configuration: while
2653         it's great that collecting continuously means that the collector will also pause more
2654         frequently and so it will test the pausing code, it also means that the collector will
2655         spend less time running concurrently. The primary purpose of collectContinuously is to
2656         maximize the amount of time that the collector is running concurrently to the mutator to
2657         maximize the likelihood that a race will cause a detectable error.
2658         
2659         This adds an option to disable collector timeslicing (useCollectorTimeslicing=false).
2660         The idea is that we will usually use this in conjunction with collectContinuously=true
2661         to find race conditions during marking, but we can also use the two options
2662         independently to focus our testing on other things.
2663
2664         * heap/Heap.cpp:
2665         (JSC::Heap::markToFixpoint):
2666         * heap/SlotVisitor.cpp:
2667         (JSC::SlotVisitor::drainInParallel): We should have added this helper ages ago.
2668         * heap/SlotVisitor.h:
2669         * runtime/Options.h:
2670
2671 2016-11-15  Filip Pizlo  <fpizlo@apple.com>
2672
2673         The concurrent GC should have a timeslicing controller
2674         https://bugs.webkit.org/show_bug.cgi?id=164783
2675
2676         Reviewed by Geoffrey Garen.
2677         
2678         This adds a simple control system for deciding when the collector should let the mutator run
2679         and when it should stop the mutator. We definitely have to stop the mutator during certain
2680         collector phases, but during marking - which takes the most time - we can go either way.
2681         Normally we want to let the mutator run, but if the heap size starts to grow then we have to
2682         stop the mutator just to make sure it doesn't get too far ahead of the collector. That could
2683         lead to memory exhaustion, so it's better to just stop in that case.
2684         
2685         The controller tries to never stop the mutator for longer than short timeslices. It slices on
2686         a 2ms period (configurable via Options). The amount of that period that the collector spends
2687         with the mutator stopped is determined by the fraction of the collector's concurrent headroom
2688         that has been allocated over. The headroom is currently configured at 50% of what was
2689         allocated before the collector started.
2690         
2691         This moves a bunch of parameters into Options so that it's easier to play with different
2692         configurations.
2693         
2694         I tried these different values for the period:
2695         
2696         1ms: 30% worse than 2ms on splay-latency.
2697         2ms: best score on splay-latency: the tick time above the 99.5th percentile is <2ms.
2698         3ms: 40% worse than 2ms on splay-latency.
2699         4ms: 40% worse than 2ms on splay-latency.
2700         
2701         I also tried 100% headroom as an alternate to 50% and found it to be worse.
2702         
2703         This patch is a 2x improvement on splay-latency with the default parameters and concurrent GC
2704         enabled. Prior to this change, the GC didn't have a good bound on its pause times, which
2705         would cause these problems. Concurrent GC is now 5.6x better on splay-latency than no
2706         concurrent GC.
2707
2708         * heap/Heap.cpp:
2709         (JSC::Heap::ResumeTheWorldScope::ResumeTheWorldScope):
2710         (JSC::Heap::markToFixpoint):
2711         (JSC::Heap::collectInThread):
2712         * runtime/Options.h:
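
        A model of the timeslicing controller described in this entry and of the useCollectorTimeslicing=false switch from the entry above it, added as an illustration; it is not JSC's Heap.cpp code. It takes the parameters as stated (a 2ms period, headroom of 50% of the bytes allocated before the collector started, the stopped share of each period equal to the fraction of that headroom already allocated), and the names, the linear stop/run split, the clamping to [0, 1] and the simulation's allocation and marking rates are assumptions.

```cpp
#include <algorithm>
#include <cstdio>

// Simplified model (not JSC's implementation) of the concurrent-GC timeslicing
// controller: marking runs concurrently with the mutator, and every period the
// collector stops the mutator for a share of the period proportional to how much
// of the concurrent headroom the mutator has already allocated.
struct TimeslicingOptions {
    double periodMs = 2.0;                // "It slices on a 2ms period"
    double headroomRatio = 0.5;           // headroom = 50% of bytes allocated before the cycle
    bool useCollectorTimeslicing = true;  // false models useCollectorTimeslicing=false
};

class TimeslicingController {
public:
    TimeslicingController(double bytesAllocatedAtCycleStart, TimeslicingOptions options = {})
        : m_bytesAtStart(bytesAllocatedAtCycleStart), m_options(options) { }

    // Bytes the mutator may allocate while marking proceeds concurrently.
    double headroomBytes() const { return m_bytesAtStart * m_options.headroomRatio; }

    // Fraction of that headroom consumed since marking started, clamped to [0, 1].
    double headroomUsed(double bytesAllocatedSinceStart) const {
        double headroom = headroomBytes();
        if (headroom <= 0.0)
            return 1.0;  // no headroom at all: treat it as exhausted (assumption)
        return std::max(0.0, std::min(1.0, bytesAllocatedSinceStart / headroom));
    }

    // Milliseconds of each period during which the mutator is stopped. With
    // timeslicing disabled the mutator is never stopped during marking.
    double stoppedMsPerPeriod(double bytesAllocatedSinceStart) const {
        if (!m_options.useCollectorTimeslicing)
            return 0.0;
        return m_options.periodMs * headroomUsed(bytesAllocatedSinceStart);
    }

    double runningMsPerPeriod(double bytesAllocatedSinceStart) const {
        return m_options.periodMs - stoppedMsPerPeriod(bytesAllocatedSinceStart);
    }

private:
    double m_bytesAtStart;
    TimeslicingOptions m_options;
};

struct MarkingSimulation {
    double elapsedMs = 0.0;
    double peakBytesAllocatedSinceStart = 0.0;
    int periods = 0;
};

// Drives the controller through one marking phase. The mutator allocates at
// mutatorBytesPerMs only while it runs; the collector marks at markBytesPerMs for
// the whole period (marking is concurrent). Marking ends once bytesToMark have
// been marked. The rates are constructed inputs, not measurements.
MarkingSimulation simulateMarking(double bytesAtStart, double bytesToMark,
                                  double mutatorBytesPerMs, double markBytesPerMs,
                                  TimeslicingOptions options = {})
{
    MarkingSimulation result;
    if (markBytesPerMs <= 0.0 || options.periodMs <= 0.0)
        return result;  // the collector would never finish; refuse to loop forever
    TimeslicingController controller(bytesAtStart, options);
    double allocated = 0.0, marked = 0.0;
    while (marked < bytesToMark) {
        double running = controller.runningMsPerPeriod(allocated);
        allocated += running * mutatorBytesPerMs;   // mutator only allocates while running
        marked += options.periodMs * markBytesPerMs;
        result.elapsedMs += options.periodMs;
        result.periods++;
        result.peakBytesAllocatedSinceStart = std::max(result.peakBytesAllocatedSinceStart, allocated);
    }
    return result;
}

int main()
{
    // Constructed scenario: 1,000,000 bytes live before the cycle (500,000 bytes of
    // headroom), mutator allocating twice as fast as the collector marks.
    TimeslicingOptions sliced;
    TimeslicingOptions unsliced;
    unsliced.useCollectorTimeslicing = false;
    MarkingSimulation a = simulateMarking(1e6, 1e6, 1e5, 5e4, sliced);
    MarkingSimulation b = simulateMarking(1e6, 1e6, 1e5, 5e4, unsliced);
    std::printf("timesliced: %.0f ms, peak %.0f bytes over %d periods\n",
                a.elapsedMs, a.peakBytesAllocatedSinceStart, a.periods);
    std::printf("no slicing: %.0f ms, peak %.0f bytes over %d periods\n",
                b.elapsedMs, b.peakBytesAllocatedSinceStart, b.periods);
    return 0;
}
```

With the stated parameters the allocation since cycle start follows a = 0.6a + 200000 per period in the sliced case, so it converges toward the 500,000-byte headroom instead of reaching 2,000,000 bytes as it does with timeslicing off.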
2713
2714 2016-11-15  Yusuke Suzuki  <utatane.tea@gmail.com>
2715
2716         Unreviewed, build fix for CLoop after r208738
2717         https://bugs.webkit.org/show_bug.cgi?id=164727
2718
2719         * jsc.cpp:
2720         (WTF::DOMJITFunctionObject::unsafeFunction):
2721         (WTF::DOMJITFunctionObject::finishCreation):
2722
2723 2016-11-15  Mark Lam  <mark.lam@apple.com>
2724
2725         The jsc shell's setImpureGetterDelegate() should ensure that the set value is an ImpureGetter.
2726         https://bugs.webkit.org/show_bug.cgi?id=164781
2727         <rdar://problem/28418590>
2728
2729         Reviewed by Geoffrey Garen and Michael Saboff.
2730
2731         * jsc.cpp:
2732         (functionSetImpureGetterDelegate):
2733
2734 2016-11-15  Yusuke Suzuki  <utatane.tea@gmail.com>
2735
2736         [DOMJIT] Allow using macro assembler scratches in FTL CheckDOM
2737         https://bugs.webkit.org/show_bug.cgi?id=164727
2738
2739         Reviewed by Filip Pizlo.
2740
2741         While CallDOMGetter can use macro assembler scratch registers, we previously
2742         assumed that the CheckDOM code generator does not use macro assembler scratch registers.
2743         It is currently true in the x86 environment. But it is not true in other environments.
2744
2745         We should not limit DOMJIT::Patchpoint's functionality in such a way. We should allow
2746         arbitrary macro assembler operations inside the DOMJIT::Patchpoint. This patch allows
2747         CheckDOM to use macro assembler scratch registers.
2748
2749         * ftl/FTLLowerDFGToB3.cpp:
2750         (JSC::FTL::DFG::LowerDFGToB3::compileCheckDOM):
2751         * jsc.cpp:
2752         (WTF::DOMJITFunctionObject::DOMJITFunctionObject):
2753         (WTF::DOMJITFunctionObject::createStructure):
2754         (WTF::DOMJITFunctionObject::create):
2755         (WTF::DOMJITFunctionObject::unsafeFunction):
2756         (WTF::DOMJITFunctionObject::safeFunction):
2757         (WTF::DOMJITFunctionObject::checkDOMJITNode):
2758         (WTF::DOMJITFunctionObject::finishCreation):
2759         (GlobalObject::finishCreation):
2760         (functionCreateDOMJITFunctionObject):
2761
2762 2016-11-14  Geoffrey Garen  <ggaren@apple.com>
2763
2764         CodeCache should stop pretending to cache builtins
2765         https://bugs.webkit.org/show_bug.cgi?id=164750
2766
2767         Reviewed by Saam Barati.
2768
2769         We were passing JSParserBuiltinMode to all CodeCache functions, but the
2770         passed-in value was always NotBuiltin.
2771
2772         Let's stop passing it.
2773
2774         * parser/SourceCodeKey.h:
2775         (JSC::SourceCodeFlags::SourceCodeFlags):
2776         (JSC::SourceCodeKey::SourceCodeKey):
2777         * runtime/CodeCache.cpp:
2778         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
2779         (JSC::CodeCache::getUnlinkedProgramCodeBlock):
2780         (JSC::CodeCache::getUnlinkedGlobalEvalCodeBlock):
2781         (JSC::CodeCache::getUnlinkedModuleProgramCodeBlock):
2782         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
2783         * runtime/CodeCache.h:
2784         (JSC::generateUnlinkedCodeBlock):
2785         * runtime/JSGlobalObject.cpp:
2786         (JSC::JSGlobalObject::createProgramCodeBlock):
2787         (JSC::JSGlobalObject::createLocalEvalCodeBlock):
2788         (JSC::JSGlobalObject::createGlobalEvalCodeBlock):
2789         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
2790
2791 2016-11-15  Filip Pizlo  <fpizlo@apple.com>
2792
2793         REGRESSION (r208711-r208722): ASSERTION FAILED: hasInlineStorage()
2794         https://bugs.webkit.org/show_bug.cgi?id=164775
2795
2796         Reviewed by Mark Lam and Keith Miller.
2797         
2798         We were calling inlineStorage() which asserts that inline storage is not empty. But we
2799         were calling it in a context where it could be empty and that's fine. So, we now call
2800         inlineStorageUnsafe().
2801
2802         * runtime/JSObject.h:
2803         (JSC::JSFinalObject::JSFinalObject):
2804
2805 2016-11-14  Csaba Osztrogonác  <ossy@webkit.org>
2806
2807         [ARM] Unreviewed buildfix after r208720.
2808
2809         * assembler/MacroAssemblerARM.h:
2810         (JSC::MacroAssemblerARM::storeFence): Stub function copied from MacroAssemblerARMv7.h.
2811
2812 2016-11-14  Caitlin Potter  <caitp@igalia.com>
2813
2814         [JSC] do not reference AwaitExpression Promises in async function Promise chain
2815         https://bugs.webkit.org/show_bug.cgi?id=164753
2816
2817         Reviewed by Yusuke Suzuki.
2818
2819         Previously, long-running async functions which contained many AwaitExpressions
2820         would allocate and retain references to intermediate Promise objects for each `await`,
2821         resulting in a memory leak.
2822
2823         To mitigate this leak, a reference to the original Promise (and its resolve and reject
2824         functions) associated with the async function are kept, and passed to each call to
2825         @asyncFunctionResume, while intermediate Promises are discarded. This is done by adding
2826         a new Register to the BytecodeGenerator to hold the PromiseCapability object associated
2827         with an async function wrapper. The capability is used to reject the Promise if an
2828         exception is thrown during parameter initialization, and is used to store the resulting
2829         value once the async function has terminated.
2830
2831         * builtins/AsyncFunctionPrototype.js:
2832         (globalPrivate.asyncFunctionResume):
2833         * bytecompiler/BytecodeGenerator.cpp:
2834         (JSC::BytecodeGenerator::BytecodeGenerator):
2835         * bytecompiler/BytecodeGenerator.h:
2836         (JSC::BytecodeGenerator::promiseCapabilityRegister):
2837         * bytecompiler/NodesCodegen.cpp:
2838         (JSC::FunctionNode::emitBytecode):
2839
2840 2016-11-14  Joseph Pecoraro  <pecoraro@apple.com>
2841
2842         Web Inspector: Worker debugging should pause all targets and view call frames in all targets
2843         https://bugs.webkit.org/show_bug.cgi?id=164305
2844         <rdar://problem/29056192>
2845
2846         Reviewed by Timothy Hatcher.
2847
2848         * inspector/InjectedScriptSource.js:
2849         (InjectedScript.prototype._propertyDescriptors):
2850         Accessing __proto__ does a ToThis(...) conversion on the receiver.
2851         In the case of GlobalObjects (such as WorkerGlobalScope when paused)
2852         this would return undefined and throw an exception. We can use
2853         Object.getPrototypeOf to avoid that conversion and possible error.
2854
2855         * inspector/protocol/Debugger.json:
2856         Provide a new way to effectively `resume` + `pause` immediately.
2857         This must be implemented on the backend to correctly synchronize
2858         the resuming and pausing.
2859
2860         * inspector/agents/InspectorDebuggerAgent.h:
2861         * inspector/agents/InspectorDebuggerAgent.cpp:
2862         (Inspector::InspectorDebuggerAgent::continueUntilNextRunLoop):
2863         Treat this as `resume` and `pause`. Resume now, and trigger
2864         a pause if the VM becomes idle and we didn't pause before then
2865         (such as hitting a breakpoint after we resumed).
2866
2867         (Inspector::InspectorDebuggerAgent::pause):
2868         (Inspector::InspectorDebuggerAgent::resume):
2869         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
2870         (Inspector::InspectorDebuggerAgent::cancelPauseOnNextStatement):
2871         Clean up and correct pause on next statement logic.
2872
2873         (Inspector::InspectorDebuggerAgent::registerIdleHandler):
2874         (Inspector::InspectorDebuggerAgent::willStepAndMayBecomeIdle):
2875         (Inspector::InspectorDebuggerAgent::didBecomeIdle):
2876         (Inspector::InspectorDebuggerAgent::didBecomeIdleAfterStepping): Deleted.
2877         The idle handler may now also trigger a pause in the case
2878         where continueUntilNextRunLoop resumed and wants to pause.
2879
2880         (Inspector::InspectorDebuggerAgent::didPause):
2881         Eliminate the useless didPause. The DOMDebugger was keeping track
2882         of its own state that was worse than the state in DebuggerAgent.
2883
2884 2016-11-14  Filip Pizlo  <fpizlo@apple.com>
2885
2886         Unreviewed, fix cloop.
2887
2888         * runtime/JSCellInlines.h:
2889
2890 2016-11-14  Filip Pizlo  <fpizlo@apple.com>
2891
2892         The GC should be optionally concurrent and disabled by default
2893         https://bugs.webkit.org/show_bug.cgi?id=164454
2894
2895         Reviewed by Geoffrey Garen.
2896         
2897         This started out as a patch to have the GC scan the stack at the end, and then the
2898         outage happened and I decided to pick a more aggressive target: give the GC a concurrent
2899         mode that can be enabled at runtime, and whose only effect is that it turns on the
2900         ResumeTheWorldScope. This gives our GC a really intuitive workflow: by default, the GC
2901         thread is running solo with the world stopped and the parallel markers converged and
2902         waiting. We have a parallel work scope to enable the parallel markers and now we have a
2903         ResumeTheWorldScope that will optionally resume the world and then stop it again.
2904         
2905         It's easy to make a concurrent GC that always instantly crashes. I can't promise that
2906         this one won't do that when you run it. I set a specific goal: I wanted to do >10
2907         concurrent GCs in debug mode with generations, optimizing JITs, and parallel marking
2908         disabled.
2909         
2910         To reach this milestone, I needed to do a bunch of stuff:
2911         
2912         - The mutator needs a separate mark stack for the barrier, since it will mutate this
2913           stack concurrently to the collector's slot visitors.
2914         
2915         - The use of CellState to indicate whether an object is being scanned the first time or
2916           a subsequent time was racy. It fails spectacularly when a barrier is fired at the same
2917           time as visitChildren is running or if the barrier runs at the same time as the GC
2918           marks the same object. So, I split SlotVisitor's mark stacks. It's now the case that
2919           you know why you're being scanned by looking at which stack you came off of.
2920         
2921         - All of root marking must be in the collector fixpoint. I renamed markRoots to
2922           markToFixpoint. They say concurrency is hard, but the collector looks more intuitive
2923           this way. We never gained anything from forcing people to make a choice between
2924           scanning something in the fixpoint versus outside of it. Because root scanning is
2925           cheap, we can afford to do it repeatedly, which means all root scanning can now do
2926           constraint-based marking (like: I'll mark you if that thing is marked).
2927         
2928         - JSObject::visitChildren's scanning of the butterfly raced with property additions,
2929           indexed storage transitions and resizing, and a bunch of miscellaneous dirty butterfly
2930           reshaping functions - like the one that flattens a dictionary and some sneaky
2931           ArrayStorage transformations. Many of these can be fixed by using store-store fences
2932           in the mutator and load-load fences in the collector. I've adopted the rule that the
2933           collector must always see either a butterfly and structure that match or a newer
2934           butterfly with an older structure, where their age is just one transition apart. This
2935           can be achieved with fences. For the cases where it breaks down, I added a lock to
2936           every JSCell. This is a full-fledged WTF lock that we sneak into two available bits in
2937           the indexingType. See the WTF ChangeLog for details.
2938           
2939           The mutator fencing rules are as follows:
2940           
2941           - Store-store fence before and after setting the butterfly.
2942           - Store-store fence before setting structure if you had changed the shape of the
2943             butterfly.
2944           - Store-store fence after initializing all fields in an allocation.
2945         
2946         - A dictionary Structure can change in strange ways while the GC is trying to scan it.
2947           So, JSObject::visitChildren will now grab the object's structure's lock if the
2948           object's structure is a dictionary. Dictionary structures are 1:1 with their object,
2949           so this does not reduce GC parallelism (super unlikely that the GC will simultaneously
2950           scan an object from two threads).
2951         
2952         - The GC can blow away a Structure's property table at any time. As a small consolation,
2953           it's now holding the Structure's lock when it does so. But there was tons of code in
2954           Structure that uses DeferGC to prevent the GC from blowing away the property table.
2955           This doesn't work with concurrent GC, since DeferGC only means that the GC won't run
2956           its safepoint (i.e. stop-the-world code) in the DeferGC region. It will still do
2957           marking and it was the Structure::visitChildren that would delete the table. It turns
2958           out that Structure's reliance on the property table not being deleted was the product
2959           of code rot. We already had functions that would materialize the table on demand. We
2960           were simply making the mistake of saying:
2961           
2962               structure->materializePropertyMap();
2963               ...
2964               structure->propertyTable()->things
2965           
2966           Instead of saying:
2967           
2968               PropertyTable* table = structure->ensurePropertyTable();
2969               ...
2970               table->things
2971           
2972           Switching the code to use the latter idiom allowed me to simplify the code a lot while
2973           fixing the race.
2974         
2975         - The LLInt's get_by_val handling was broken because the indexing shape constants were
2976           wrong. Once I started putting more things into the IndexingType, that started causing
2977           crashes for me. So I fixed LLInt. That turned out to be a lot of work, since that code
2978           had rotted in subtle ways.
2979         
2980         This is a speed-up in SunSpider, probably because of the LLInt fix. This is neutral on
2981         Octane and Kraken. It's a smaller slow-down on LongSpider, but I think we can ignore
2982         that (we don't view LongSpider as an official benchmark). By default, the concurrent GC
2983         is disabled: in all of the places where it would have resumed the world to run marking
2984         concurrently to the mutator, it will just skip the resume step. When you enable
2985         concurrent GC (--useConcurrentGC=true), it can sometimes run Octane/splay to completion.
2986         It seems to perform quite well: on my machine, it improves both splay-throughput and
2987         splay-latency. It's probably unstable for other programs.
2988
2989         * API/JSVirtualMachine.mm:
2990         (-[JSVirtualMachine isOldExternalObject:]):
2991         * assembler/MacroAssemblerARMv7.h:
2992         (JSC::MacroAssemblerARMv7::storeFence):
2993         * bytecode/InlineAccess.cpp:
2994         (JSC::InlineAccess::dumpCacheSizesAndCrash):
2995         (JSC::InlineAccess::generateSelfPropertyAccess):
2996         (JSC::InlineAccess::generateArrayLength):
2997         * bytecode/ObjectAllocationProfile.h:
2998         (JSC::ObjectAllocationProfile::offsetOfInlineCapacity):
2999         (JSC::ObjectAllocationProfile::ObjectAllocationProfile):
3000         (JSC::ObjectAllocationProfile::initialize):
3001         (JSC::ObjectAllocationProfile::inlineCapacity):
3002         (JSC::ObjectAllocationProfile::clear):
3003         * bytecode/PolymorphicAccess.cpp:
3004         (JSC::AccessCase::generateWithGuard):
3005         (JSC::AccessCase::generateImpl):
3006         * dfg/DFGArrayifySlowPathGenerator.h:
3007         * dfg/DFGClobberize.h:
3008         (JSC::DFG::clobberize):
3009         * dfg/DFGOSRExitCompiler32_64.cpp:
3010         (JSC::DFG::OSRExitCompiler::compileExit):
3011         * dfg/DFGOSRExitCompiler64.cpp:
3012         (JSC::DFG::OSRExitCompiler::compileExit):
3013         * dfg/DFGOperations.cpp:
3014         * dfg/DFGPlan.cpp:
3015         (JSC::DFG::Plan::markCodeBlocks):
3016         (JSC::DFG::Plan::rememberCodeBlocks):
3017         * dfg/DFGPlan.h:
3018         * dfg/DFGSpeculativeJIT.cpp:
3019         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
3020         (JSC::DFG::SpeculativeJIT::checkArray):
3021         (JSC::DFG::SpeculativeJIT::arrayify):
3022         (JSC::DFG::SpeculativeJIT::compileMakeRope):
3023         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
3024         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
3025         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
3026         (JSC::DFG::SpeculativeJIT::compileSpread):
3027         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
3028         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3029         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
3030         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
3031         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
3032         * dfg/DFGSpeculativeJIT64.cpp:
3033         (JSC::DFG::SpeculativeJIT::compile):
3034         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
3035         * dfg/DFGTierUpCheckInjectionPhase.cpp:
3036         (JSC::DFG::TierUpCheckInjectionPhase::run):
3037         * dfg/DFGWorklist.cpp:
3038         (JSC::DFG::Worklist::markCodeBlocks):
3039         (JSC::DFG::Worklist::rememberCodeBlocks):
3040         (JSC::DFG::markCodeBlocks):
3041         (JSC::DFG::completeAllPlansForVM):
3042         (JSC::DFG::rememberCodeBlocks):
3043         * dfg/DFGWorklist.h:
3044         * ftl/FTLAbstractHeapRepository.cpp:
3045         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
3046         (JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions):
3047         * ftl/FTLAbstractHeapRepository.h:
3048         * ftl/FTLJITCode.cpp:
3049         (JSC::FTL::JITCode::~JITCode):
3050         * ftl/FTLLowerDFGToB3.cpp:
3051         (JSC::FTL::DFG::LowerDFGToB3::compilePutStructure):
3052         (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
3053         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
3054         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
3055         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
3056         (JSC::FTL::DFG::LowerDFGToB3::compileNewObject):
3057         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
3058         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
3059         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
3060         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
3061         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
3062         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
3063         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
3064         (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
3065         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
3066         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
3067         (JSC::FTL::DFG::LowerDFGToB3::splatWords):
3068         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
3069         (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
3070         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
3071         (JSC::FTL::DFG::LowerDFGToB3::isArrayType):
3072         (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
3073         (JSC::FTL::DFG::LowerDFGToB3::mutatorFence):
3074         (JSC::FTL::DFG::LowerDFGToB3::setButterfly):
3075         * ftl/FTLOSRExitCompiler.cpp:
3076         (JSC::FTL::compileStub):
3077         * ftl/FTLOutput.cpp:
3078         (JSC::FTL::Output::signExt32ToPtr):
3079         (JSC::FTL::Output::fence):
3080         * ftl/FTLOutput.h:
3081         * heap/CellState.h:
3082         * heap/GCSegmentedArray.h:
3083         * heap/Heap.cpp:
3084         (JSC::Heap::ResumeTheWorldScope::ResumeTheWorldScope):
3085         (JSC::Heap::ResumeTheWorldScope::~ResumeTheWorldScope):
3086         (JSC::Heap::Heap):
3087         (JSC::Heap::~Heap):
3088         (JSC::Heap::harvestWeakReferences):
3089         (JSC::Heap::finalizeUnconditionalFinalizers):
3090         (JSC::Heap::completeAllJITPlans):
3091         (JSC::Heap::markToFixpoint):
3092         (JSC::Heap::gatherStackRoots):
3093         (JSC::Heap::beginMarking):
3094         (JSC::Heap::visitConservativeRoots):
3095         (JSC::Heap::visitCompilerWorklistWeakReferences):
3096         (JSC::Heap::updateObjectCounts):
3097         (JSC::Heap::endMarking):
3098         (JSC::Heap::addToRememberedSet):
3099         (JSC::Heap::collectInThread):
3100         (JSC::Heap::stopTheWorld):
3101         (JSC::Heap::resumeTheWorld):
3102         (JSC::Heap::setGCDidJIT):
3103         (JSC::Heap::setNeedFinalize):
3104         (JSC::Heap::setMutatorWaiting):
3105         (JSC::Heap::clearMutatorWaiting):
3106         (JSC::Heap::finalize):
3107         (JSC::Heap::flushWriteBarrierBuffer):
3108         (JSC::Heap::writeBarrierSlowPath):
3109         (JSC::Heap::canCollect):
3110         (JSC::Heap::reportExtraMemoryVisited):
3111         (JSC::Heap::reportExternalMemoryVisited):
3112         (JSC::Heap::notifyIsSafeToCollect):
3113         (JSC::Heap::markRoots): Deleted.
3114         (JSC::Heap::visitExternalRememberedSet): Deleted.
3115         (JSC::Heap::visitSmallStrings): Deleted.
3116         (JSC::Heap::visitProtectedObjects): Deleted.
3117         (JSC::Heap::visitArgumentBuffers): Deleted.
3118         (JSC::Heap::visitException): Deleted.
3119         (JSC::Heap::visitStrongHandles): Deleted.
3120         (JSC::Heap::visitHandleStack): Deleted.
3121         (JSC::Heap::visitSamplingProfiler): Deleted.
3122         (JSC::Heap::visitTypeProfiler): Deleted.
3123         (JSC::Heap::visitShadowChicken): Deleted.
3124         (JSC::Heap::traceCodeBlocksAndJITStubRoutines): Deleted.
3125         (JSC::Heap::visitWeakHandles): Deleted.
3126         (JSC::Heap::flushOldStructureIDTables): Deleted.
3127         (JSC::Heap::stopAllocation): Deleted.
3128         * heap/Heap.h:
3129         (JSC::Heap::collectorSlotVisitor):
3130         (JSC::Heap::mutatorMarkStack):
3131         (JSC::Heap::mutatorShouldBeFenced):
3132         (JSC::Heap::addressOfMutatorShouldBeFenced):
3133         (JSC::Heap::slotVisitor): Deleted.
3134         (JSC::Heap::notifyIsSafeToCollect): Deleted.
3135         (JSC::Heap::barrierShouldBeFenced): Deleted.
3136         (JSC::Heap::addressOfBarrierShouldBeFenced): Deleted.
3137         * heap/MarkStack.cpp:
3138         (JSC::MarkStackArray::transferTo):
3139         * heap/MarkStack.h:
3140         * heap/MarkedAllocator.cpp:
3141         (JSC::MarkedAllocator::tryAllocateIn):
3142         * heap/MarkedBlock.cpp:
3143         (JSC::MarkedBlock::MarkedBlock):
3144         (JSC::MarkedBlock::Handle::specializedSweep):
3145         (JSC::MarkedBlock::Handle::sweep):
3146         (JSC::MarkedBlock::Handle::sweepHelperSelectMarksMode):
3147         (JSC::MarkedBlock::Handle::stopAllocating):
3148         (JSC::MarkedBlock::Handle::resumeAllocating):
3149         (JSC::MarkedBlock::aboutToMarkSlow):
3150         (JSC::MarkedBlock::Handle::didConsumeFreeList):
3151         (JSC::SetNewlyAllocatedFunctor::SetNewlyAllocatedFunctor): Deleted.
3152         (JSC::SetNewlyAllocatedFunctor::operator()): Deleted.
3153         * heap/MarkedBlock.h:
3154         * heap/MarkedSpace.cpp:
3155         (JSC::MarkedSpace::resumeAllocating):
3156         * heap/SlotVisitor.cpp:
3157         (JSC::SlotVisitor::SlotVisitor):
3158         (JSC::SlotVisitor::~SlotVisitor):
3159         (JSC::SlotVisitor::reset):
3160         (JSC::SlotVisitor::clearMarkStacks):
3161         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
3162         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
3163         (JSC::SlotVisitor::appendToMarkStack):
3164         (JSC::SlotVisitor::appendToMutatorMarkStack):
3165         (JSC::SlotVisitor::visitChildren):
3166         (JSC::SlotVisitor::donateKnownParallel):
3167         (JSC::SlotVisitor::drain):
3168         (JSC::SlotVisitor::drainFromShared):
3169         (JSC::SlotVisitor::containsOpaqueRoot):
3170         (JSC::SlotVisitor::donateAndDrain):
3171         (JSC::SlotVisitor::mergeOpaqueRoots):
3172         (JSC::SlotVisitor::dump):
3173         (JSC::SlotVisitor::clearMarkStack): Deleted.
3174         (JSC::SlotVisitor::opaqueRootCount): Deleted.
3175         * heap/SlotVisitor.h:
3176         (JSC::SlotVisitor::collectorMarkStack):
3177         (JSC::SlotVisitor::mutatorMarkStack):
3178         (JSC::SlotVisitor::isEmpty):
3179         (JSC::SlotVisitor::bytesVisited):
3180         (JSC::SlotVisitor::markStack): Deleted.
3181         (JSC::SlotVisitor::bytesCopied): Deleted.
3182         * heap/SlotVisitorInlines.h:
3183         (JSC::SlotVisitor::reportExtraMemoryVisited):
3184         (JSC::SlotVisitor::reportExternalMemoryVisited):
3185         * jit/AssemblyHelpers.cpp:
3186         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
3187         * jit/AssemblyHelpers.h:
3188         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
3189         (JSC::AssemblyHelpers::barrierStoreLoadFence):
3190         (JSC::AssemblyHelpers::mutatorFence):
3191         (JSC::AssemblyHelpers::storeButterfly):
3192         (JSC::AssemblyHelpers::jumpIfMutatorFenceNotNeeded):
3193         (JSC::AssemblyHelpers::emitInitializeInlineStorage):
3194         (JSC::AssemblyHelpers::emitInitializeOutOfLineStorage):
3195         (JSC::AssemblyHelpers::jumpIfBarrierStoreLoadFenceNotNeeded): Deleted.
3196         * jit/JITInlines.h:
3197         (JSC::JIT::emitArrayProfilingSiteWithCell):
3198         * jit/JITOperations.cpp:
3199         * jit/JITPropertyAccess.cpp:
3200         (JSC::JIT::emit_op_put_to_scope):
3201         (JSC::JIT::emit_op_put_to_arguments):
3202         * llint/LLIntData.cpp:
3203         (JSC::LLInt::Data::performAssertions):
3204         * llint/LowLevelInterpreter.asm:
3205         * llint/LowLevelInterpreter64.asm:
3206         * runtime/ButterflyInlines.h:
3207         (JSC::Butterfly::create):
3208         (JSC::Butterfly::createOrGrowPropertyStorage):
3209         * runtime/ConcurrentJITLock.h:
3210         (JSC::GCSafeConcurrentJITLocker::NoDefer::NoDefer): Deleted.
3211         * runtime/GenericArgumentsInlines.h:
3212         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
3213         (JSC::GenericArguments<Type>::putByIndex):
3214         * runtime/IndexingType.h:
3215         * runtime/JSArray.cpp:
3216         (JSC::JSArray::unshiftCountSlowCase):
3217         (JSC::JSArray::unshiftCountWithArrayStorage):
3218         * runtime/JSCell.h:
3219         (JSC::JSCell::InternalLocker::InternalLocker):
3220         (JSC::JSCell::InternalLocker::~InternalLocker):
3221         (JSC::JSCell::atomicCompareExchangeCellStateWeakRelaxed):
3222         (JSC::JSCell::atomicCompareExchangeCellStateStrong):
3223         (JSC::JSCell::indexingTypeAndMiscOffset):
3224         (JSC::JSCell::indexingTypeOffset): Deleted.
3225         * runtime/JSCellInlines.h:
3226         (JSC::JSCell::JSCell):
3227         (JSC::JSCell::finishCreation):
3228         (JSC::JSCell::indexingTypeAndMisc):
3229         (JSC::JSCell::indexingType):
3230         (JSC::JSCell::setStructure):
3231         (JSC::JSCell::callDestructor):
3232         (JSC::JSCell::lockInternalLock):
3233         (JSC::JSCell::unlockInternalLock):
3234         * runtime/JSObject.cpp:
3235         (JSC::JSObject::visitButterfly):
3236         (JSC::JSObject::visitChildren):
3237         (JSC::JSFinalObject::visitChildren):
3238         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
3239         (JSC::JSObject::createInitialUndecided):
3240         (JSC::JSObject::createInitialInt32):
3241         (JSC::JSObject::createInitialDouble):
3242         (JSC::JSObject::createInitialContiguous):
3243         (JSC::JSObject::createArrayStorage):
3244         (JSC::JSObject::convertUndecidedToArrayStorage):
3245         (JSC::JSObject::convertInt32ToArrayStorage):
3246         (JSC::JSObject::convertDoubleToArrayStorage):
3247         (JSC::JSObject::convertContiguousToArrayStorage):
3248         (JSC::JSObject::deleteProperty):
3249         (JSC::JSObject::defineOwnIndexedProperty):
3250         (JSC::JSObject::increaseVectorLength):
3251         (JSC::JSObject::ensureLengthSlow):
3252         (JSC::JSObject::reallocateAndShrinkButterfly):
3253         (JSC::JSObject::allocateMoreOutOfLineStorage):
3254         (JSC::JSObject::shiftButterflyAfterFlattening):
3255         (JSC::JSObject::growOutOfLineStorage): Deleted.
3256         * runtime/JSObject.h:
3257         (JSC::JSFinalObject::JSFinalObject):
3258         (JSC::JSObject::setButterfly):
3259         (JSC::JSObject::getOwnNonIndexPropertySlot):
3260         (JSC::JSObject::fillCustomGetterPropertySlot):
3261         (JSC::JSObject::getOwnPropertySlot):
3262         (JSC::JSObject::getPropertySlot):
3263         (JSC::JSObject::setStructureAndButterfly): Deleted.
3264         (JSC::JSObject::setButterflyWithoutChangingStructure): Deleted.
3265         (JSC::JSObject::putDirectInternal): Deleted.
3266         (JSC::JSObject::putDirectWithoutTransition): Deleted.
3267         * runtime/JSObjectInlines.h:
3268         (JSC::JSObject::getPropertySlot):
3269         (JSC::JSObject::getNonIndexPropertySlot):
3270         (JSC::JSObject::putDirectWithoutTransition):
3271         (JSC::JSObject::putDirectInternal):
3272         * runtime/Options.h:
3273         * runtime/SparseArrayValueMap.h:
3274         * runtime/Structure.cpp:
3275         (JSC::Structure::dumpStatistics):
3276         (JSC::Structure::findStructuresAndMapForMaterialization):
3277         (JSC::Structure::materializePropertyTable):
3278         (JSC::Structure::addNewPropertyTransition):
3279         (JSC::Structure::changePrototypeTransition):
3280         (JSC::Structure::attributeChangeTransition):
3281         (JSC::Structure::toDictionaryTransition):
3282         (JSC::Structure::takePropertyTableOrCloneIfPinned):
3283         (JSC::Structure::nonPropertyTransition):
3284         (JSC::Structure::isSealed):
3285         (JSC::Structure::isFrozen):
3286         (JSC::Structure::flattenDictionaryStructure):
3287         (JSC::Structure::pin):
3288         (JSC::Structure::pinForCaching):
3289         (JSC::Structure::willStoreValueSlow):
3290         (JSC::Structure::copyPropertyTableForPinning):
3291         (JSC::Structure::add):
3292         (JSC::Structure::remove):
3293         (JSC::Structure::getPropertyNamesFromStructure):
3294         (JSC::Structure::visitChildren):
3295         (JSC::Structure::materializePropertyMap): Deleted.
3296         (JSC::Structure::addPropertyWithoutTransition): Deleted.
3297         (JSC::Structure::removePropertyWithoutTransition): Deleted.
3298         (JSC::Structure::copyPropertyTable): Deleted.
3299         (JSC::Structure::createPropertyMap): Deleted.
3300         (JSC::PropertyTable::checkConsistency): Deleted.
3301         (JSC::Structure::checkConsistency): Deleted.
3302         * runtime/Structure.h:
3303         * runtime/StructureIDBlob.h:
3304         (JSC::StructureIDBlob::StructureIDBlob):
3305         (JSC::StructureIDBlob::indexingTypeIncludingHistory):
3306         (JSC::StructureIDBlob::setIndexingTypeIncludingHistory):
3307         (JSC::StructureIDBlob::indexingTypeIncludingHistoryOffset):
3308         (JSC::StructureIDBlob::indexingType): Deleted.
3309         (JSC::StructureIDBlob::setIndexingType): Deleted.
3310         (JSC::StructureIDBlob::indexingTypeOffset): Deleted.
3311         * runtime/StructureInlines.h:
3312         (JSC::Structure::get):
3313         (JSC::Structure::checkOffsetConsistency):
3314         (JSC::Structure::checkConsistency):
3315         (JSC::Structure::add):
3316         (JSC::Structure::remove):
3317         (JSC::Structure::addPropertyWithoutTransition):
3318         (JSC::Structure::removePropertyWithoutTransition):
3319         (JSC::Structure::setPropertyTable):
3320         (JSC::Structure::putWillGrowOutOfLineStorage): Deleted.
3321         (JSC::Structure::propertyTable): Deleted.
3322         (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Deleted.
3323
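Added illustration (an editor's example, not JavaScriptCore code): the entry above states two rules, the butterfly/structure publication order a collector may observe, and the switch from `materializePropertyMap()` followed by a re-read of `propertyTable()` to a single `ensurePropertyTable()` whose result is kept in a local. The C++ model below checks both deterministically. Every name in it (`Cell`, `countViolations`, `collectorClearsTable`, the three-entry table) is hypothetical. It assumes each store or load is a single atomic word and that the fences described in the entry make each thread's program order hold on the hardware, so only interleavings of that order need enumerating; and it assumes, as with JSC's conservative stack scanning, that a table pointer held in a local stays valid when the collector clears the field.

```cpp
// Added illustration, not JavaScriptCore code: a deterministic model of two
// concurrency rules from the ChangeLog entry above. All names are hypothetical.
#include <bitset>
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <functional>
#include <vector>

// ---- 1. Butterfly/structure publication order -------------------------------
// One transition ages both fields from 0 to 1. Each op is a single-word store
// or load; the fences in the entry are what stop hardware from reordering each
// thread's program order, which this model therefore takes as given.
struct Cell { uint32_t butterflyAge = 0; uint32_t structureAge = 0; };
using Op = std::function<void(Cell&, uint32_t& butterflySeen, uint32_t& structureSeen)>;

static std::vector<Op> mutatorOps(bool butterflyFirst) {
    Op storeButterfly = [](Cell& c, uint32_t&, uint32_t&) { c.butterflyAge = 1; };
    Op storeStructure = [](Cell& c, uint32_t&, uint32_t&) { c.structureAge = 1; };
    return butterflyFirst ? std::vector<Op>{storeButterfly, storeStructure}
                          : std::vector<Op>{storeStructure, storeButterfly};
}

static std::vector<Op> collectorOps(bool structureFirst) {
    Op loadButterfly = [](Cell& c, uint32_t& b, uint32_t&) { b = c.butterflyAge; };
    Op loadStructure = [](Cell& c, uint32_t&, uint32_t& s) { s = c.structureAge; };
    return structureFirst ? std::vector<Op>{loadStructure, loadButterfly}
                          : std::vector<Op>{loadButterfly, loadStructure};
}

// The invariant the entry states: matching ages, or a newer butterfly with an
// older structure. A newer structure with an older butterfly is the unsafe case.
static bool invariantHolds(uint32_t butterflySeen, uint32_t structureSeen) {
    return butterflySeen == structureSeen || (butterflySeen == 1 && structureSeen == 0);
}

// Walk all six interleavings that keep each thread's program order and count
// those in which the collector observes an unsafe pair.
static int countViolations(bool mutatorStoresButterflyFirst, bool collectorLoadsStructureFirst) {
    std::vector<Op> m = mutatorOps(mutatorStoresButterflyFirst);
    std::vector<Op> c = collectorOps(collectorLoadsStructureFirst);
    int violations = 0;
    for (unsigned mask = 0; mask < 16; ++mask) {            // set bit => slot is a mutator op
        if (std::bitset<4>(mask).count() != 2) continue;
        Cell cell; uint32_t b = 0, s = 0; size_t mi = 0, ci = 0;
        for (unsigned slot = 0; slot < 4; ++slot) {
            if (mask & (1u << slot)) m[mi++](cell, b, s);
            else c[ci++](cell, b, s);
        }
        if (!invariantHolds(b, s)) ++violations;
    }
    return violations;
}

// ---- 2. Holding the property table in a local -------------------------------
// The collector may clear a Structure's table pointer during marking. A local
// pointer taken once stays usable (assumed: conservative stack scanning keeps
// the table alive), whereas re-reading the field after a point where the
// collector may run can yield null.
struct PropertyTable { int propertyCount; };

struct Structure {
    PropertyTable storage { 3 };        // stands in for the materialized table
    PropertyTable* table = nullptr;     // the field the collector is allowed to clear
    void materializePropertyMap() { if (!table) table = &storage; }
    PropertyTable* propertyTable() { return table; }
    PropertyTable* ensurePropertyTable() { materializePropertyMap(); return table; }
    void collectorClearsTable() { table = nullptr; }
};

// Old idiom: materialize, then re-read the field. Returns -1 where real code
// would dereference null.
static int countPropertiesOldIdiom(Structure& s, const std::function<void()>& gcMayRunHere) {
    s.materializePropertyMap();
    gcMayRunHere();
    PropertyTable* t = s.propertyTable();
    return t ? t->propertyCount : -1;
}

// New idiom: take the pointer once and use only that.
static int countPropertiesNewIdiom(Structure& s, const std::function<void()>& gcMayRunHere) {
    PropertyTable* t = s.ensurePropertyTable();
    gcMayRunHere();
    return t->propertyCount;
}

int main() {
    std::printf("store butterfly first / load structure first: %d violations\n", countViolations(true, true));
    std::printf("collector loads butterfly first: %d violations\n", countViolations(true, false));
    std::printf("mutator stores structure first: %d violations\n", countViolations(false, true));
    Structure s;
    std::function<void()> gc = [&s] { s.collectorClearsTable(); };
    std::printf("old idiom with GC in between: %d\n", countPropertiesOldIdiom(s, gc));
    std::printf("new idiom with GC in between: %d\n", countPropertiesNewIdiom(s, gc));
    return 0;
}
```

Build with any C++11 compiler and run. With the mutator storing the butterfly first and the collector loading the structure first, no interleaving breaks the invariant; reversing either order produces at least one observation of a newer structure with an older butterfly, the case the rule exists to exclude. The second part shows that only the idiom holding the local pointer survives the table being cleared between the two calls.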
3324 2016-11-14  Keith Miller  <keith_miller@apple.com>
3325
3326         Add Wasm select
3327         https://bugs.webkit.org/show_bug.cgi?id=164743
3328
3329         Reviewed by Saam Barati.
3330
3331         Also, this patch fixes an issue with the jsc.cpp test harness where negative numbers would be sign extended
3332         when they shouldn't be.
3333
3334         * jsc.cpp:
3335         (box):
3336         * wasm/WasmB3IRGenerator.cpp:
3337         * wasm/WasmFunctionParser.h:
3338         (JSC::Wasm::FunctionParser<Context>::parseExpression):
3339         * wasm/WasmValidate.cpp:
3340         (JSC::Wasm::Validate::addSelect):
3341
3342 2016-11-11  Geoffrey Garen  <ggaren@apple.com>
3343
3344         JSC should distinguish between local and global eval
3345         https://bugs.webkit.org/show_bug.cgi?id=164628
3346
3347         Reviewed by Saam Barati.
3348
3349         Local use of the 'eval' keyword and invocation of the global window.eval
3350         function are distinct operations in JavaScript.
3351
3352         This patch splits out LocalEvalExecutable vs GlobalEvalExecutable in
3353         order to help distinguish these operations in code.
3354
3355         Our code used to do some silly things for lack of distinguishing these
3356         cases. For example, it would double cache local eval in CodeCache and
3357         EvalCodeCache. This made CodeCache seem more complicated than it really
3358         was.
3359
3360         * CMakeLists.txt:
3361         * JavaScriptCore.xcodeproj/project.pbxproj: Added some files.
3362
3363         * bytecode/CodeBlock.h:
3364
3365         * bytecode/EvalCodeCache.h:
3366         (JSC::EvalCodeCache::tryGet):
3367         (JSC::EvalCodeCache::set):
3368         (JSC::EvalCodeCache::getSlow): Deleted. Moved code generation out of
3369         the cache to avoid tight coupling. Now the cache just caches.
3370
3371         * bytecode/UnlinkedEvalCodeBlock.h:
3372         * bytecode/UnlinkedFunctionExecutable.cpp:
3373         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
3374         * bytecode/UnlinkedModuleProgramCodeBlock.h: