[WTF] Import std::optional reference implementation as WTF::Optional
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Import std::optional reference implementation as WTF::Optional
        https://bugs.webkit.org/show_bug.cgi?id=164199

        Reviewed by Saam Barati and Sam Weinig.

        The previous WTF::Optional::operator= is not compatible with std::optional::operator=.
        std::optional::emplace has the same semantics as the previous one,
        so we change the code to use it.

        * Scripts/builtins/builtins_templates.py:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
        * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::commuteCompareToZeroIntoTest):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::commuteCompareToZeroIntoTest):
        * b3/B3CheckSpecial.cpp:
        (JSC::B3::CheckSpecial::forEachArg):
        (JSC::B3::CheckSpecial::shouldTryAliasingDef):
        * b3/B3CheckSpecial.h:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::scaleForShl):
        (JSC::B3::Air::LowerToAir::effectiveAddr):
        (JSC::B3::Air::LowerToAir::tryAppendLea):
        * b3/B3Opcode.cpp:
        (JSC::B3::invertedCompare):
        * b3/B3Opcode.h:
        * b3/B3PatchpointSpecial.cpp:
        (JSC::B3::PatchpointSpecial::forEachArg):
        * b3/B3StackmapSpecial.cpp:
        (JSC::B3::StackmapSpecial::forEachArgImpl):
        * b3/B3StackmapSpecial.h:
        * b3/B3Value.cpp:
        (JSC::B3::Value::invertedCompare):
        * b3/air/AirArg.h:
        (JSC::B3::Air::Arg::isValidScale):
        (JSC::B3::Air::Arg::isValidAddrForm):
        (JSC::B3::Air::Arg::isValidIndexForm):
        (JSC::B3::Air::Arg::isValidForm):
        * b3/air/AirCustom.h:
        (JSC::B3::Air::PatchCustom::shouldTryAliasingDef):
        * b3/air/AirFixObviousSpills.cpp:
        * b3/air/AirInst.h:
        * b3/air/AirInstInlines.h:
        (JSC::B3::Air::Inst::shouldTryAliasingDef):
        * b3/air/AirIteratedRegisterCoalescing.cpp:
        * b3/air/AirSpecial.cpp:
        (JSC::B3::Air::Special::shouldTryAliasingDef):
        * b3/air/AirSpecial.h:
        * bytecode/BytecodeGeneratorification.cpp:
        (JSC::BytecodeGeneratorification::storageForGeneratorLocal):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::findPC):
        (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
        * bytecode/CodeBlock.h:
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::link):
        * bytecode/UnlinkedFunctionExecutable.h:
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitPutConstantProperty):
        (JSC::ObjectPatternNode::bindValue):
        * debugger/Debugger.cpp:
        (JSC::Debugger::resolveBreakpoint):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::currentPosition):
        * debugger/DebuggerParseData.cpp:
        (JSC::DebuggerPausePositions::breakpointLocationForLineColumn):
        * debugger/DebuggerParseData.h:
        * debugger/ScriptProfilingScope.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::findPC):
        * dfg/DFGJITCode.h:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * dfg/DFGSlowPathGenerator.h:
        (JSC::DFG::SlowPathGenerator::generate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
        (JSC::DFG::SpeculativeJIT::emitUntypedBitOp):
        (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp):
        (JSC::DFG::SpeculativeJIT::compileMathIC):
        (JSC::DFG::SpeculativeJIT::compileArithDiv):
        (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::findPC):
        * ftl/FTLJITCode.h:
        * heap/Heap.cpp:
        (JSC::Heap::collectAsync):
        (JSC::Heap::collectSync):
        (JSC::Heap::collectInThread):
        (JSC::Heap::requestCollection):
        (JSC::Heap::willStartCollection):
        (JSC::Heap::didFinishCollection):
        (JSC::Heap::shouldDoFullCollection):
        * heap/Heap.h:
        (JSC::Heap::collectionScope):
        * heap/HeapSnapshot.cpp:
        (JSC::HeapSnapshot::nodeForCell):
        (JSC::HeapSnapshot::nodeForObjectIdentifier):
        * heap/HeapSnapshot.h:
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::dispatch):
        (Inspector::BackendDispatcher::sendPendingErrors):
        (Inspector::BackendDispatcher::reportProtocolError):
        * inspector/InspectorBackendDispatcher.h:
        * inspector/agents/InspectorHeapAgent.cpp:
        (Inspector::InspectorHeapAgent::nodeForHeapObjectIdentifier):
        (Inspector::InspectorHeapAgent::getPreview):
        (Inspector::InspectorHeapAgent::getRemoteObject):
        * inspector/agents/InspectorHeapAgent.h:
        * inspector/remote/RemoteConnectionToTarget.h:
        * inspector/remote/RemoteConnectionToTarget.mm:
        (Inspector::RemoteConnectionToTarget::targetIdentifier):
        (Inspector::RemoteConnectionToTarget::setup):
        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::updateClientCapabilities):
        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        (_generate_declarations_for_enum_conversion_methods):
        (_generate_declarations_for_enum_conversion_methods.return_type_with_export_macro):
        * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
        (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain.generate_conversion_method_body):
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
        * jit/JITCode.h:
        (JSC::JITCode::findPC):
        * jit/JITDivGenerator.cpp:
        (JSC::JITDivGenerator::generateFastPath):
        * jit/JITOperations.cpp:
        * jit/PCToCodeOriginMap.cpp:
        (JSC::PCToCodeOriginMap::findPC):
        * jit/PCToCodeOriginMap.h:
        * jsc.cpp:
        (WTF::RuntimeArray::getOwnPropertySlot):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * parser/ModuleAnalyzer.cpp:
        (JSC::ModuleAnalyzer::exportVariable):
        * runtime/ConcurrentJSLock.h:
        (JSC::ConcurrentJSLocker::ConcurrentJSLocker):
        * runtime/DefinePropertyAttributes.h:
        (JSC::DefinePropertyAttributes::writable):
        (JSC::DefinePropertyAttributes::configurable):
        (JSC::DefinePropertyAttributes::enumerable):
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertySlot):
        (JSC::GenericArguments<Type>::put):
        (JSC::GenericArguments<Type>::deleteProperty):
        (JSC::GenericArguments<Type>::defineOwnProperty):
        * runtime/HasOwnPropertyCache.h:
        (JSC::HasOwnPropertyCache::get):
        * runtime/HashMapImpl.h:
        (JSC::concurrentJSMapHash):
        * runtime/Identifier.h:
        (JSC::parseIndex):
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::toNumberFromPrimitive):
        (JSC::JSValue::putToPrimitive):
        * runtime/JSCJSValue.h:
        * runtime/JSGenericTypedArrayView.h:
        (JSC::JSGenericTypedArrayView::toAdaptorNativeFromValueWithoutCoercion):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayViewWithArguments):
        (JSC::constructGenericTypedArrayView):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
        (JSC::JSGenericTypedArrayView<Adaptor>::put):
        * runtime/JSModuleRecord.cpp:
        * runtime/JSModuleRecord.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::putDirectMayBeIndex):
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::getOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::putOwnDataPropertyMayBeIndex):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putInline):
        * runtime/JSString.cpp:
        (JSC::JSString::getStringPropertyDescriptor):
        * runtime/JSString.h:
        (JSC::JSString::getStringPropertySlot):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::parse):
        * runtime/MathCommon.h:
        (JSC::safeReciprocalForDivByConst):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncHasOwnProperty):
        * runtime/PropertyDescriptor.h:
        (JSC::toPropertyDescriptor):
        * runtime/PropertyName.h:
        (JSC::parseIndex):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        * runtime/StringObject.cpp:
        (JSC::StringObject::put):
        (JSC::isStringOwnProperty):
        (JSC::StringObject::deleteProperty):
        * runtime/ToNativeFromValue.h:
        (JSC::toNativeFromValueWithoutCoercion):
        * runtime/TypedArrayAdaptors.h:
        (JSC::IntegralTypedArrayAdaptor::toNativeFromInt32WithoutCoercion):
        (JSC::IntegralTypedArrayAdaptor::toNativeFromUint32WithoutCoercion):
        (JSC::IntegralTypedArrayAdaptor::toNativeFromDoubleWithoutCoercion):
        (JSC::FloatTypedArrayAdaptor::toNativeFromInt32WithoutCoercion):
        (JSC::FloatTypedArrayAdaptor::toNativeFromDoubleWithoutCoercion):
        (JSC::Uint8ClampedAdaptor::toNativeFromInt32WithoutCoercion):
        (JSC::Uint8ClampedAdaptor::toNativeFromDoubleWithoutCoercion):

2016-11-26  Sam Weinig  <sam@webkit.org>

        Convert IntersectionObserver over to using RuntimeEnabledFeatures so it can be properly excluded from script
        https://bugs.webkit.org/show_bug.cgi?id=164965

        Reviewed by Simon Fraser.

        * runtime/CommonIdentifiers.h:
        Add identifiers needed for RuntimeEnabledFeatures.

2016-11-23  Zan Dobersek  <zdobersek@igalia.com>

        Remove ENABLE_ASSEMBLER_WX_EXCLUSIVE code
        https://bugs.webkit.org/show_bug.cgi?id=165027

        Reviewed by Darin Adler.

        Remove the code guarded with ENABLE(ASSEMBLER_WX_EXCLUSIVE).
        No port enables this and the guarded code doesn't build at all,
        so it's safe to say it's abandoned.

        * jit/ExecutableAllocator.cpp:
        (JSC::ExecutableAllocator::initializeAllocator):
        (JSC::ExecutableAllocator::ExecutableAllocator):
        (JSC::ExecutableAllocator::reprotectRegion): Deleted.

2016-11-18  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in JSC profiler files.
        https://bugs.webkit.org/show_bug.cgi?id=164971

        Reviewed by Saam Barati.

        * profiler/ProfilerBytecodeSequence.cpp:
        (JSC::Profiler::BytecodeSequence::addSequenceProperties):
        * profiler/ProfilerCompilation.cpp:
        (JSC::Profiler::Compilation::toJS):
        * profiler/ProfilerDatabase.cpp:
        (JSC::Profiler::Database::toJS):
        (JSC::Profiler::Database::toJSON):
        * profiler/ProfilerOSRExitSite.cpp:
        (JSC::Profiler::OSRExitSite::toJS):
        * profiler/ProfilerOriginStack.cpp:
        (JSC::Profiler::OriginStack::toJS):

2016-11-22  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in JSONObject.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=165025

        Reviewed by Saam Barati.

        * runtime/JSONObject.cpp:
        (JSC::gap):
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::stringify):
        (JSC::Stringifier::toJSON):
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::Walker::walk):
        (JSC::JSONProtoFuncParse):
        (JSC::JSONProtoFuncStringify):
        (JSC::JSONStringify):

2016-11-21  Mark Lam  <mark.lam@apple.com>

        Removed an extra space character at the end of line.

        Not reviewed.

        * runtime/JSCell.cpp:
        (JSC::JSCell::toNumber):

2016-11-21  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in FunctionConstructor.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=165011

        Reviewed by Saam Barati.

        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunction):
        (JSC::constructFunctionSkippingEvalEnabledCheck):

2016-11-21  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in GetterSetter.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=165013

        Reviewed by Saam Barati.

        * runtime/GetterSetter.cpp:
        (JSC::callGetter):
        (JSC::callSetter):

2016-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        Crash in com.apple.JavaScriptCore: WTF::ThreadSpecific<WTF::WTFThreadData, + 142
        https://bugs.webkit.org/show_bug.cgi?id=164898

        Reviewed by Darin Adler.

        The callsite object (JSArray) of a tagged template literal is managed by a WeakGCMap, since
        the same tagged template literal needs to return an identical object.
        The problem is that we used TemplateRegistryKey as the key of the WeakGCMap. WeakGCMap
        can prune its entries in the collector thread. At that time, this TemplateRegistryKey
        is deallocated. Since it includes a String (and thus a StringImpl), we accidentally call
        ref(), deref() and StringImpl::destroy() in a different thread from the main thread,
        while this TemplateRegistryKey was allocated in the main thread.

        Instead, we use TemplateRegistryKey* as the key of the WeakGCMap. Then, to keep it alive
        while the entry of the WeakGCMap is alive, the callsite object holds a reference to
        the JSTemplateRegistryKey, and that holds a Ref<TemplateRegistryKey>.

        And now we need to look up the WeakGCMap with a TemplateRegistryKey*. To do so, we create
        an interning system for TemplateRegistryKey. It is similar to AtomicStringTable and
        SymbolRegistry. TemplateRegistryKey is allocated from this table. This table atomizes the
        TemplateRegistryKey, so we can use pointer comparison between TemplateRegistryKeys.
        It allows us to look up the entry in the WeakGCMap by TemplateRegistryKey*.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/BuiltinNames.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addTemplateRegistryKeyConstant):
        (JSC::BytecodeGenerator::emitGetTemplateObject):
        * bytecompiler/BytecodeGenerator.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::getTemplateObject):
        * runtime/JSTemplateRegistryKey.cpp:
        (JSC::JSTemplateRegistryKey::JSTemplateRegistryKey):
        (JSC::JSTemplateRegistryKey::create):
        * runtime/JSTemplateRegistryKey.h:
        * runtime/TemplateRegistry.cpp:
        (JSC::TemplateRegistry::getTemplateObject):
        * runtime/TemplateRegistry.h:
        * runtime/TemplateRegistryKey.cpp: Copied from Source/JavaScriptCore/runtime/TemplateRegistry.h.
        (JSC::TemplateRegistryKey::~TemplateRegistryKey):
        * runtime/TemplateRegistryKey.h:
        (JSC::TemplateRegistryKey::calculateHash):
        (JSC::TemplateRegistryKey::create):
        (JSC::TemplateRegistryKey::TemplateRegistryKey):
        * runtime/TemplateRegistryKeyTable.cpp: Added.
        (JSC::TemplateRegistryKeyTranslator::hash):
        (JSC::TemplateRegistryKeyTranslator::equal):
        (JSC::TemplateRegistryKeyTranslator::translate):
        (JSC::TemplateRegistryKeyTable::~TemplateRegistryKeyTable):
        (JSC::TemplateRegistryKeyTable::createKey):
        (JSC::TemplateRegistryKeyTable::unregister):
        * runtime/TemplateRegistryKeyTable.h: Copied from Source/JavaScriptCore/runtime/JSTemplateRegistryKey.h.
        (JSC::TemplateRegistryKeyTable::KeyHash::hash):
        (JSC::TemplateRegistryKeyTable::KeyHash::equal):
        * runtime/VM.h:
        (JSC::VM::templateRegistryKeyTable):

2016-11-21  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in runtime/Error* files.
        https://bugs.webkit.org/show_bug.cgi?id=164998

        Reviewed by Darin Adler.

        * runtime/ErrorConstructor.cpp:
        (JSC::Interpreter::constructWithErrorConstructor):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::create):
        * runtime/ErrorInstance.h:
        * runtime/ErrorPrototype.cpp:
        (JSC::errorProtoFuncToString):

2016-11-21  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in *Executable.cpp files.
        https://bugs.webkit.org/show_bug.cgi?id=164996

        Reviewed by Darin Adler.

        * runtime/DirectEvalExecutable.cpp:
        (JSC::DirectEvalExecutable::create):
        * runtime/IndirectEvalExecutable.cpp:
        (JSC::IndirectEvalExecutable::create):
        * runtime/ProgramExecutable.cpp:
        (JSC::ProgramExecutable::initializeGlobalProperties):
        * runtime/ScriptExecutable.cpp:
        (JSC::ScriptExecutable::prepareForExecutionImpl):

2016-11-20  Zan Dobersek  <zdobersek@igalia.com>

        [EncryptedMedia] Make EME API runtime-enabled
        https://bugs.webkit.org/show_bug.cgi?id=164927

        Reviewed by Jer Noble.

        * runtime/CommonIdentifiers.h: Add the necessary identifiers.

2016-11-20  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in ConstructData.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=164976

        Reviewed by Darin Adler.

        * runtime/ConstructData.cpp:
        (JSC::construct):

2016-11-20  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in CommonSlowPaths.cpp/h.
        https://bugs.webkit.org/show_bug.cgi?id=164975

        Reviewed by Darin Adler.

        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::opIn):

2016-11-20  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in DateConstructor.cpp and DatePrototype.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=164995

        Reviewed by Darin Adler.

        * runtime/DateConstructor.cpp:
        (JSC::millisecondsFromComponents):
        (JSC::constructDate):
        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncToPrimitiveSymbol):

2016-11-20  Caitlin Potter  <caitp@igalia.com>

        [JSC] speed up parsing of async functions
        https://bugs.webkit.org/show_bug.cgi?id=164808

        Reviewed by Yusuke Suzuki.

        Minor adjustments to Parser in order to mitigate slowdown with async
        function parsing enabled:

          - Tokenize "async" as a keyword
          - Perform less branching in various areas of the Parser

        * parser/Keywords.table:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseStatementListItem):
        (JSC::Parser<LexerType>::parseStatement):
        (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
        (JSC::Parser<LexerType>::parseClass):
        (JSC::Parser<LexerType>::parseExportDeclaration):
        (JSC::Parser<LexerType>::parseAssignmentExpression):
        (JSC::Parser<LexerType>::parseProperty):
        (JSC::Parser<LexerType>::createResolveAndUseVariable):
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        (JSC::Parser<LexerType>::parseMemberExpression):
        (JSC::Parser<LexerType>::printUnexpectedTokenText):
        * parser/Parser.h:
        (JSC::isAnyContextualKeyword):
        (JSC::isIdentifierOrAnyContextualKeyword):
        (JSC::isSafeContextualKeyword):
        (JSC::Parser::matchSpecIdentifier):
        * parser/ParserTokens.h:
        * runtime/CommonIdentifiers.h:

2016-11-19  Mark Lam  <mark.lam@apple.com>

        Add --timeoutMultiplier option to allow some tests more time to run.
        https://bugs.webkit.org/show_bug.cgi?id=164951

        Reviewed by Yusuke Suzuki.

        * jsc.cpp:
        (timeoutThreadMain):
        - Modified to factor in a timeout multiplier that can adjust the timeout duration.
        (startTimeoutThreadIfNeeded):
        - Moved the code that starts the timeout thread here from main() so that we can
        call it after command line args have been parsed instead.
        (main):
        - Deleted old timeout thread starting code.
        (CommandLine::parseArguments):
        - Added parsing of the --timeoutMultiplier option.
        (jscmain):
        - Start the timeout thread if needed after we've parsed the command line args.

2016-11-19  Mark Lam  <mark.lam@apple.com>

        Fix missing exception checks in JSC inspector files.
        https://bugs.webkit.org/show_bug.cgi?id=164959

        Reviewed by Saam Barati.

        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::getInternalProperties):
        (Inspector::JSInjectedScriptHost::weakMapEntries):
        (Inspector::JSInjectedScriptHost::weakSetEntries):
        (Inspector::JSInjectedScriptHost::iteratorEntries):
        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::JSJavaScriptCallFrame::scopeDescriptions):

2016-11-18  Mark Lam  <mark.lam@apple.com>

        Fix missing exception checks in DFGOperations.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=164958

        Reviewed by Geoffrey Garen.

        * dfg/DFGOperations.cpp:

2016-11-18  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in ShadowChicken.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=164966

        Reviewed by Saam Barati.

        * interpreter/ShadowChicken.cpp:
        (JSC::ShadowChicken::functionsOnStack):

2016-11-18  Jeremy Jones  <jeremyj@apple.com>

        Add runtime flag to enable pointer lock. Enable pointer lock feature for mac.
        https://bugs.webkit.org/show_bug.cgi?id=163801

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:

2016-11-18  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix cloop.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::stronglyVisitStrongReferences):

2016-11-18  Filip Pizlo  <fpizlo@apple.com>

        Concurrent GC should be able to run splay in debug mode and earley/raytrace in release mode with no perf regression
        https://bugs.webkit.org/show_bug.cgi?id=164282

        Reviewed by Geoffrey Garen and Oliver Hunt.

        The three remaining bugs were:

        - Improper ordering inside putDirectWithoutTransition() and friends. We need to make sure
          that the GC doesn't see the store to Structure::m_offset until we've resized the butterfly.
          That proved a bit tricky. On the other hand, this means that we could probably remove the
          requirement that the GC holds the Structure lock in some cases. I haven't removed that lock
          yet because I still think it might protect some weird cases, and it doesn't seem to cost us
          anything.

        - CodeBlock's GC strategy needed to be made thread-safe (visitWeakly, visitChildren, and
          their friends now hold locks) and incremental-safe (we need to update predictions in the
          finalizer to make sure we clear anything that was put into a value profile towards the end
          of GC).

        - The GC timeslicing scheduler needed to be made a bit more aggressive to deal with
          generational workloads like earley, raytrace, and CDjs. Once I got those benchmarks to run,
          I found that they would do many useless iterations of GC because they wouldn't pause long
          enough after rescanning weak references and roots. I added a bunch of knobs for forcing a
          pause. In the end, I realized that I could get the desired effect by putting a ceiling on
          mutator utilization. We want the GC to finish quickly if it is possible to do so, even if
          the amount of allocation that the mutator had done is low. Having a utilization ceiling
          seems to accomplish this for benchmarks with trivial heaps (earley and raytrace) as well as
          huge heaps (like CDjs in its "large" configuration).

        This preserves splay performance, makes the concurrent GC more stable, and makes the
        concurrent GC not a perf regression on earley or raytrace. It seems to give us great CDjs
        performance as well, but this is still hard to tell because we crash a lot in that benchmark.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::visitWeakly):
        (JSC::CodeBlock::visitChildren):
        (JSC::CodeBlock::shouldVisitStrongly):
        (JSC::CodeBlock::shouldJettisonDueToOldAge):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::determineLiveness):
        (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences):
        (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally):
        (JSC::CodeBlock::visitOSRExitTargets):
        (JSC::CodeBlock::stronglyVisitStrongReferences):
        (JSC::CodeBlock::stronglyVisitWeakReferences):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled):
        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
        * heap/Heap.cpp:
        (JSC::Heap::ResumeTheWorldScope::ResumeTheWorldScope):
        (JSC::Heap::markToFixpoint):
        (JSC::Heap::beginMarking):
        (JSC::Heap::addToRememberedSet):
        (JSC::Heap::collectInThread):
        * heap/Heap.h:
        * heap/HeapInlines.h:
        (JSC::Heap::mutatorFence):
        * heap/MarkedBlock.cpp:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::finishCreation):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putDirectWithoutTransition):
        (JSC::JSObject::putDirectInternal):
        * runtime/Options.h:
        * runtime/Structure.cpp:
        (JSC::Structure::add):
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::add):

2016-11-18  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Generator functions should have a displayable name when shown in stack traces
        https://bugs.webkit.org/show_bug.cgi?id=164844
        <rdar://problem/29300697>

        Reviewed by Yusuke Suzuki.

        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createGeneratorFunctionBody):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createGeneratorFunctionBody):
        New way to create a generator function with an inferred name.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
        * parser/Parser.h:
        Pass on the name of the generator wrapper function so we can
        use it on the inner generator function.

2016-11-17  Ryosuke Niwa  <rniwa@webkit.org>

        Add an experimental API to find elements across shadow boundaries
        https://bugs.webkit.org/show_bug.cgi?id=164851
        <rdar://problem/28220092>

        Reviewed by Sam Weinig.

        * runtime/CommonIdentifiers.h:

2016-11-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Drop arguments.caller
        https://bugs.webkit.org/show_bug.cgi?id=164859

        Reviewed by Saam Barati.

        Originally, some JavaScript engines had an `arguments.caller` property.
        But it easily causes information leaks and becomes an obstacle
        for Secure ECMAScript (SES). In ES5, we deprecated it in strict
        mode. To do so, we explicitly set a "caller" getter throwing TypeError
        on arguments in strict mode.

        But now, there is no modern engine which supports `arguments.caller`
        in sloppy mode. So the original compatibility problem is gone and the
        "caller" getter in the strict mode arguments becomes meaningless.

        ES2017 drops this from the spec. In this patch, we also drop support
        for `arguments.caller` in strict mode.
703
704         Note that Function#caller is still alive.
705
706         * runtime/ClonedArguments.cpp:
707         (JSC::ClonedArguments::getOwnPropertySlot):
708         (JSC::ClonedArguments::put):
709         (JSC::ClonedArguments::deleteProperty):
710         (JSC::ClonedArguments::defineOwnProperty):
711         (JSC::ClonedArguments::materializeSpecials):
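
        The following is an added example for this entry, not JavaScriptCore code
        and not part of the original ChangeLog: a Node-runnable probe of what a
        current engine exposes through `arguments.caller` in sloppy and strict
        mode, and through Function#caller, which the entry says stays alive. The
        probes are built with `new Function` so they are sloppy-mode, or strict
        only where the body opts in, even when this file itself runs as a strict
        module. The probe and helper names are this example's own.

```javascript
// Added example, not JavaScriptCore code: probe what a current engine exposes
// through `arguments.caller` (the leak the entry above removes) and through
// Function#caller (which the entry says stays alive). `new Function` is used so
// each probe is sloppy-mode, or strict only when its body opts in, no matter
// whether this file itself runs as a strict module.

// Report which special properties the arguments object of a function carries
// and what reading `arguments.caller` yields (or throws).
function probeArguments(strict) {
  const body = `
    ${strict ? "'use strict';" : ''}
    const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
    let callerAccess;
    try { callerAccess = String(arguments.caller); } catch (e) { callerAccess = e.constructor.name; }
    return {
      ownCaller: hasOwn(arguments, 'caller'),   // false in ES2017+ engines, both modes
      ownCallee: hasOwn(arguments, 'callee'),   // true in both modes (a thrower in strict mode)
      callerAccess,                             // 'undefined' once the getter is gone
    };
  `;
  return new Function(body)(1, 2, 3);
}

// Function#caller is untouched: a sloppy function still learns who called it,
// while reading .caller on a strict function throws a TypeError.
function probeFunctionCaller() {
  const inner = new Function('return arguments.callee.caller;');
  const outer = new Function('inner', 'return inner();');
  const strictFn = new Function("'use strict'; return 0;");
  let strictCallerAccess;
  try { strictCallerAccess = String(strictFn.caller); } catch (e) { strictCallerAccess = e.constructor.name; }
  return {
    sloppyCallerIsOuter: outer(inner) === outer,  // true: the caller walk still works
    strictCallerAccess,                           // 'TypeError'
  };
}
```

        Run under node: probeArguments(true) and probeArguments(false) both
        report no own "caller" property, while probeFunctionCaller() shows that
        the sloppy-mode caller walk still works and the strict-mode read throws.
        That is the remaining surface a sandbox such as SES has to cut off itself.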
712
713 2016-11-17  Mark Lam  <mark.lam@apple.com>
714
715         Inlining should be disallowed when JSC_alwaysUseShadowChicken=true.
716         https://bugs.webkit.org/show_bug.cgi?id=164893
717         <rdar://problem/29146436>
718
719         Reviewed by Saam Barati.
720
721         * runtime/Options.cpp:
722         (JSC::recomputeDependentOptions):
723
724 2016-11-17  Filip Pizlo  <fpizlo@apple.com>
725
726         Speculatively disable eager object zero-fill on not-x86 to let the bots decide if that's a problem
727         https://bugs.webkit.org/show_bug.cgi?id=164885
728
729         Reviewed by Mark Lam.
730         
731         This adds a useGCFences() function that we use to guard all eager object zero-fill and the
732         related fences. It currently returns true only on x86().
733         
734         The goal here is to get the bots to tell us if this code is responsible for perf issues on
735         any non-x86 platforms. We have a few different paths that we can pursue if this turns out
736         to be the case. Eager zero-fill is merely the easiest way to optimize out some fences, but
737         we could get rid of it and instead teach B3 how to think about fences.
738
739         * assembler/CPU.h:
740         (JSC::useGCFences):
741         * bytecode/PolymorphicAccess.cpp:
742         (JSC::AccessCase::generateImpl):
743         * dfg/DFGSpeculativeJIT.cpp:
744         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
745         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
746         * ftl/FTLLowerDFGToB3.cpp:
747         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
748         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
749         (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
750         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
751         (JSC::FTL::DFG::LowerDFGToB3::mutatorFence):
752         (JSC::FTL::DFG::LowerDFGToB3::setButterfly):
753         * jit/AssemblyHelpers.h:
754         (JSC::AssemblyHelpers::mutatorFence):
755         (JSC::AssemblyHelpers::storeButterfly):
756         (JSC::AssemblyHelpers::emitInitializeInlineStorage):
757         (JSC::AssemblyHelpers::emitInitializeOutOfLineStorage):
758
759 2016-11-17  Keith Miller  <keith_miller@apple.com>
760
761         Add rotate to Wasm
762         https://bugs.webkit.org/show_bug.cgi?id=164871
763
764         Reviewed by Filip Pizlo.
765
        Add rotate left and rotate right to Wasm. These directly map to B3 opcodes.
        This also moves ARM-specific transformations of rotate left to lower macros
        after optimization. It's a bad idea to have platform-specific canonicalizations
        in reduce strength since other optimizations may not be aware of them.

        Add a bug to do pure CSE after lower macros after optimization, since we want to
        clean up RotL(value, Neg(Neg(shift))).
773
774         * b3/B3Generate.cpp:
775         (JSC::B3::generateToAir):
776         * b3/B3LowerMacrosAfterOptimizations.cpp:
777         * b3/B3ReduceStrength.cpp:
778         * wasm/wasm.json:
779
780 2016-11-17  Keith Miller  <keith_miller@apple.com>
781
782         Add sqrt to Wasm
783         https://bugs.webkit.org/show_bug.cgi?id=164877
784
785         Reviewed by Mark Lam.
786
787         B3 already has a Sqrt opcode we just need to map Wasm to it.
788
789         * wasm/wasm.json:
790
791 2016-11-17  Keith Miller  <keith_miller@apple.com>
792
793         Add support for rotate in B3 and the relevant assemblers
794         https://bugs.webkit.org/show_bug.cgi?id=164869
795
796         Reviewed by Geoffrey Garen.
797
        This patch runs RotR and RotL (rotate right and left respectively)
        through B3 and B3's assemblers. One thing of note is that ARM64 does
        not support rotate left; instead it allows negative right rotations.
801
802         This patch also fixes a theoretical bug in the assembler where
803         on X86 doing someShiftOp(reg, edx) would instead shift the shift
804         amount by the value. Additionally, this patch refactors some
805         of the X86 assembler to use templates when deciding how to format
806         the appropriate shift instruction.
807
808         * assembler/MacroAssemblerARM64.h:
809         (JSC::MacroAssemblerARM64::rotateRight32):
810         (JSC::MacroAssemblerARM64::rotateRight64):
811         * assembler/MacroAssemblerX86Common.h:
812         (JSC::MacroAssemblerX86Common::rotateRight32):
813         (JSC::MacroAssemblerX86Common::rotateLeft32):
814         * assembler/MacroAssemblerX86_64.h:
815         (JSC::MacroAssemblerX86_64::lshift64):
816         (JSC::MacroAssemblerX86_64::rshift64):
817         (JSC::MacroAssemblerX86_64::urshift64):
818         (JSC::MacroAssemblerX86_64::rotateRight64):
819         (JSC::MacroAssemblerX86_64::rotateLeft64):
820         (JSC::MacroAssemblerX86_64::or64):
821         * assembler/X86Assembler.h:
822         (JSC::X86Assembler::xorq_rm):
823         (JSC::X86Assembler::shiftInstruction32):
824         (JSC::X86Assembler::sarl_i8r):
825         (JSC::X86Assembler::shrl_i8r):
826         (JSC::X86Assembler::shll_i8r):
827         (JSC::X86Assembler::rorl_i8r):
828         (JSC::X86Assembler::rorl_CLr):
829         (JSC::X86Assembler::roll_i8r):
830         (JSC::X86Assembler::roll_CLr):
831         (JSC::X86Assembler::shiftInstruction64):
832         (JSC::X86Assembler::sarq_CLr):
833         (JSC::X86Assembler::sarq_i8r):
834         (JSC::X86Assembler::shrq_i8r):
835         (JSC::X86Assembler::shlq_i8r):
836         (JSC::X86Assembler::rorq_i8r):
837         (JSC::X86Assembler::rorq_CLr):
838         (JSC::X86Assembler::rolq_i8r):
839         (JSC::X86Assembler::rolq_CLr):
840         * b3/B3Common.h:
841         (JSC::B3::rotateRight):
842         (JSC::B3::rotateLeft):
843         * b3/B3Const32Value.cpp:
844         (JSC::B3::Const32Value::rotRConstant):
845         (JSC::B3::Const32Value::rotLConstant):
846         * b3/B3Const32Value.h:
847         * b3/B3Const64Value.cpp:
848         (JSC::B3::Const64Value::rotRConstant):
849         (JSC::B3::Const64Value::rotLConstant):
850         * b3/B3Const64Value.h:
851         * b3/B3LowerToAir.cpp:
852         (JSC::B3::Air::LowerToAir::lower):
853         * b3/B3Opcode.cpp:
854         (WTF::printInternal):
855         * b3/B3Opcode.h:
856         * b3/B3ReduceStrength.cpp:
857         * b3/B3Validate.cpp:
858         * b3/B3Value.cpp:
859         (JSC::B3::Value::rotRConstant):
860         (JSC::B3::Value::rotLConstant):
861         (JSC::B3::Value::effects):
862         (JSC::B3::Value::key):
863         (JSC::B3::Value::typeFor):
864         * b3/B3Value.h:
865         * b3/B3ValueKey.cpp:
866         (JSC::B3::ValueKey::materialize):
867         * b3/air/AirInstInlines.h:
868         (JSC::B3::Air::isRotateRight32Valid):
869         (JSC::B3::Air::isRotateLeft32Valid):
870         (JSC::B3::Air::isRotateRight64Valid):
871         (JSC::B3::Air::isRotateLeft64Valid):
872         * b3/air/AirOpcode.opcodes:
873         * b3/testb3.cpp:
874         (JSC::B3::testRotR):
875         (JSC::B3::testRotL):
876         (JSC::B3::testRotRWithImmShift):
877         (JSC::B3::testRotLWithImmShift):
878         (JSC::B3::run):
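
        The following is an added example covering this entry and the "Add rotate
        to Wasm" entry above. It is not B3, assembler or JavaScriptCore code and is
        not part of the original ChangeLog: a 32-bit reference model of RotL/RotR
        in JavaScript, the identity the ARM64 lowering relies on (rotate left by n
        is rotate right by -n, wrapping modulo 32), and a checker that catches an
        implementation with its operands swapped, the shape of the X86 bug this
        entry fixes. Function names and the xorshift seed are this example's own;
        the modulo-32 reduction of the amount is what Wasm's i32.rotl/i32.rotr
        require.

```javascript
// Added example, not JavaScriptCore, B3 or assembler code: a 32-bit reference
// model for the Wasm/B3 RotL and RotR semantics. Rotation amounts are reduced
// modulo the bit width first, as Wasm's i32.rotl/i32.rotr require (JS shift
// operators already mask their count to 5 bits, so `v << 32` is `v << 0`).

function rotr32(value, amount) {
  const n = amount & 31;
  const v = value >>> 0;
  return ((v >>> n) | (v << (32 - n))) >>> 0;
}

function rotl32(value, amount) {
  const n = amount & 31;
  const v = value >>> 0;
  return ((v << n) | (v >>> (32 - n))) >>> 0;
}

// The identity the ARM64 lowering relies on: there is no rotate-left
// instruction, so RotL(v, n) is emitted as RotR(v, -n), with the negated
// amount wrapping modulo 32 (so n = 1 becomes a right rotation by 31).
function rotl32ViaRotr(value, amount) {
  return rotr32(value, -amount);
}

// Deterministic xorshift32 stream so the property check is reproducible.
function* xorshift32(seed) {
  let x = (seed >>> 0) || 1;
  for (;;) {
    x ^= x << 13; x >>>= 0;
    x ^= x >>> 17;
    x ^= x << 5;  x >>>= 0;
    yield x;
  }
}

// Check a candidate against the reference on fixed and pseudo-random inputs,
// including amounts of 0, 31, 32, 33 and -1 that exercise the modulo wrap.
// Returns true only when every case agrees. A candidate with its operands
// swapped (rotating the amount by the value, as in the X86 bug) is caught
// immediately, because rotating 0 by v is 0 while rotating v by 0 is v.
function matchesReference(candidate, reference, iterations = 500) {
  const rng = xorshift32(0x9e3779b9);
  const fixedAmounts = [0, 1, 4, 31, 32, 33, -1, 1000];
  for (let i = 0; i < iterations; i++) {
    const v = rng.next().value;
    for (const n of [...fixedAmounts, rng.next().value]) {
      if (candidate(v, n) !== reference(v, n)) return false;
    }
  }
  return true;
}
```

        matchesReference(rotl32ViaRotr, rotl32) returns true, as does the
        alternative lowering (v, n) => rotr32(v, 32 - (n & 31)); the swapped
        (v, n) => rotr32(n, v) returns false.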
879
880 2016-11-17  Saam Barati  <sbarati@apple.com>
881
882         Remove async/await compile time flag and enable tests
883         https://bugs.webkit.org/show_bug.cgi?id=164828
884         <rdar://problem/28639334>
885
886         Reviewed by Yusuke Suzuki.
887
888         * Configurations/FeatureDefines.xcconfig:
889         * parser/Parser.cpp:
890         (JSC::Parser<LexerType>::parseStatementListItem):
891         (JSC::Parser<LexerType>::parseStatement):
892         (JSC::Parser<LexerType>::parseClass):
893         (JSC::Parser<LexerType>::parseExportDeclaration):
894         (JSC::Parser<LexerType>::parseAssignmentExpression):
895         (JSC::Parser<LexerType>::parseProperty):
896         (JSC::Parser<LexerType>::parsePrimaryExpression):
897         (JSC::Parser<LexerType>::parseMemberExpression):
898         (JSC::Parser<LexerType>::parseUnaryExpression):
899
900 2016-11-17  Yusuke Suzuki  <utatane.tea@gmail.com>
901
902         [JSC] WTF::TemporaryChange with WTF::SetForScope
903         https://bugs.webkit.org/show_bug.cgi?id=164761
904
905         Reviewed by Saam Barati.
906
907         * bytecompiler/BytecodeGenerator.h:
908         * bytecompiler/SetForScope.h: Removed.
909         * debugger/Debugger.cpp:
910         * inspector/InspectorBackendDispatcher.cpp:
911         (Inspector::BackendDispatcher::dispatch):
912         * inspector/ScriptDebugServer.cpp:
913         (Inspector::ScriptDebugServer::dispatchBreakpointActionLog):
914         (Inspector::ScriptDebugServer::dispatchBreakpointActionSound):
915         (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe):
916         (Inspector::ScriptDebugServer::sourceParsed):
917         (Inspector::ScriptDebugServer::dispatchFunctionToListeners):
918         * parser/Parser.cpp:
919
920 2016-11-16  Mark Lam  <mark.lam@apple.com>
921
922         ExceptionFuzz needs to placate exception check verification before overwriting a thrown exception.
923         https://bugs.webkit.org/show_bug.cgi?id=164843
924
925         Reviewed by Keith Miller.
926
927         The ThrowScope will check for unchecked simulated exceptions before throwing a
928         new exception.  This ensures that we don't quietly overwrite a pending exception
929         (which should never happen, with the only exception being to rethrow the same
930         exception).  However, ExceptionFuzz works by intentionally throwing its own
931         exception even when one may already exist thereby potentially overwriting an
932         existing exception.  This is ok for ExceptionFuzz testing, but we need to placate
933         the exception check verifier before ExceptionFuzz throws its own exception.
934
935         * runtime/ExceptionFuzz.cpp:
936         (JSC::doExceptionFuzzing):
937
938 2016-11-16  Geoffrey Garen  <ggaren@apple.com>
939
940         UnlinkedCodeBlock should not have a starting line number
941         https://bugs.webkit.org/show_bug.cgi?id=164838
942
943         Reviewed by Mark Lam.
944
945         Here's how the starting line number in UnlinkedCodeBlock used to work:
946
947         (1) Assign the source code starting line number to the parser starting
948         line number.
949
950         (2) Assign (1) to the AST.
951
952         (3) Subtract (1) from (2) and assign to UnlinkedCodeBlock.
953
954         Then, when linking:
955
956         (4) Add (3) to (1).
957
958         This was an awesome no-op.
959
960         Generally, unlinked code is code that is not tied to any particular
961         web page or resource. So, it's inappropriate to think of it having a
962         starting line number.
963
964         * bytecode/UnlinkedCodeBlock.cpp:
965         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
966         * bytecode/UnlinkedCodeBlock.h:
967         (JSC::UnlinkedCodeBlock::recordParse):
968         (JSC::UnlinkedCodeBlock::hasCapturedVariables):
969         (JSC::UnlinkedCodeBlock::firstLine): Deleted.
970         * runtime/CodeCache.cpp:
971         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
972         * runtime/CodeCache.h:
973         (JSC::generateUnlinkedCodeBlock):
974
975 2016-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
976
977         [ES6][WebCore] Change ES6_MODULES compile time flag to runtime flag
978         https://bugs.webkit.org/show_bug.cgi?id=164827
979
980         Reviewed by Ryosuke Niwa.
981
982         * Configurations/FeatureDefines.xcconfig:
983
984 2016-11-16  Filip Pizlo  <fpizlo@apple.com>
985
986         Unreviewed, roll out r208811. It's not sound.
987
988         * ftl/FTLLowerDFGToB3.cpp:
989         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
990         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
991         (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
992         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
993         (JSC::FTL::DFG::LowerDFGToB3::mutatorFence):
994         (JSC::FTL::DFG::LowerDFGToB3::setButterfly):
995         (JSC::FTL::DFG::LowerDFGToB3::splatWordsIfMutatorIsFenced): Deleted.
996
997 2016-11-16  Keith Miller  <keith_miller@apple.com>
998
999         Wasm function parser should use template functions for each binary and unary opcode
1000         https://bugs.webkit.org/show_bug.cgi?id=164835
1001
1002         Reviewed by Mark Lam.
1003
        This patch changes the wasm function parser to call into a template specialization
        for each binary/unary opcode. This change makes it easier to have custom implementations
        of various opcodes. It is also, in theory, a speedup since it does not require switching
        on the opcode twice.
1008
1009         * CMakeLists.txt:
1010         * DerivedSources.make:
1011         * wasm/WasmB3IRGenerator.cpp:
1012         (): Deleted.
1013         * wasm/WasmFunctionParser.h:
1014         (JSC::Wasm::FunctionParser<Context>::binaryCase):
1015         (JSC::Wasm::FunctionParser<Context>::unaryCase):
1016         (JSC::Wasm::FunctionParser<Context>::parseExpression):
1017         * wasm/WasmValidate.cpp:
1018         * wasm/generateWasm.py:
1019         (isBinary):
1020         (isSimple):
1021         * wasm/generateWasmB3IRGeneratorInlinesHeader.py: Added.
1022         (generateSimpleCode):
1023         * wasm/generateWasmOpsHeader.py:
1024         (opcodeMacroizer):
1025         * wasm/generateWasmValidateInlinesHeader.py:
1026
1027 2016-11-16  Mark Lam  <mark.lam@apple.com>
1028
1029         ExceptionFuzz functions should use its client's ThrowScope.
1030         https://bugs.webkit.org/show_bug.cgi?id=164834
1031
1032         Reviewed by Geoffrey Garen.
1033
1034         This is because ExceptionFuzz's purpose is to throw exceptions from its client at
1035         exception check sites.  Using the client's ThrowScope solves 2 problems:
1036
1037         1. If ExceptionFuzz instantiates its own ThrowScope, the simulated throw will be
1038            mis-attributed to ExceptionFuzz when it should be attributed to its client.
1039
1040         2. One way exception scope verification works is by having ThrowScopes assert
1041            that there are no unchecked simulated exceptions when the ThrowScope is
1042            instantiated.  However, ExceptionFuzz necessarily works by inserting
1043            doExceptionFuzzingIfEnabled() in between a ThrowScope that simulated a throw
1044            and an exception check.  If we declare a ThrowScope in ExceptionFuzz's code,
1045            we will be instantiating the ThrowScope between the point where a simulated
1046            throw occurs and where the needed exception check can occur.  Hence, having
1047            ExceptionFuzz instantiate its own ThrowScope will fail exception scope
1048            verification every time.
1049
1050         Changing ExceptionFuzz to use its client's ThrowScope resolves both problems.
1051
1052         Also fixed the THROW() macro in CommonSlowPaths.cpp to use the ThrowScope that
1053         already exists in every slow path function instead of creating a new one.
1054
1055         * jit/JITOperations.cpp:
1056         * llint/LLIntSlowPaths.cpp:
1057         * runtime/CommonSlowPaths.cpp:
1058         * runtime/ExceptionFuzz.cpp:
1059         (JSC::doExceptionFuzzing):
1060         * runtime/ExceptionFuzz.h:
1061         (JSC::doExceptionFuzzingIfEnabled):
1062
1063 2016-11-16  Filip Pizlo  <fpizlo@apple.com>
1064
1065         Slight Octane regression from concurrent GC's eager object zero-fill
1066         https://bugs.webkit.org/show_bug.cgi?id=164823
1067
1068         Reviewed by Geoffrey Garen.
1069         
1070         During concurrent GC, we need to eagerly zero-fill objects we allocate prior to
1071         executing the end-of-allocation fence. This causes some regressions. This is an attempt
1072         to fix those regressions by making them conditional on whether the mutator is fenced.
1073         
1074         This is a slight speed-up on raytrace and boyer, and hopefully it will fix the
1075         regression.
1076
1077         * ftl/FTLLowerDFGToB3.cpp:
1078         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1079         (JSC::FTL::DFG::LowerDFGToB3::splatWordsIfMutatorIsFenced):
1080         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
1081         (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
1082         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1083         (JSC::FTL::DFG::LowerDFGToB3::mutatorFence):
1084         (JSC::FTL::DFG::LowerDFGToB3::setButterfly):
1085
1086 2016-11-16  Mark Lam  <mark.lam@apple.com>
1087
1088         Fix exception scope checking in JSGlobalObject.cpp.
1089         https://bugs.webkit.org/show_bug.cgi?id=164831
1090
1091         Reviewed by Saam Barati.
1092
1093         * runtime/JSGlobalObject.cpp:
1094         (JSC::JSGlobalObject::init):
1095         - Use a CatchScope here because we don't ever expect JSGlobalObject initialization
1096           to fail with errors.
1097         (JSC::JSGlobalObject::put):
1098         - Fix exception check requirements.
1099
1100 2016-11-16  Keith Miller  <keith_miller@apple.com>
1101
1102         Unreviewed, ARM build fix.
1103
1104         * b3/B3LowerToAir.cpp:
1105         (JSC::B3::Air::LowerToAir::lower):
1106         (JSC::B3::Air::LowerToAir::lowerX86Div):
1107         (JSC::B3::Air::LowerToAir::lowerX86UDiv):
1108
1109 2016-11-15  Mark Lam  <mark.lam@apple.com>
1110
1111         Make JSC test functions more robust.
1112         https://bugs.webkit.org/show_bug.cgi?id=164807
1113
1114         Reviewed by Keith Miller.
1115
1116         * jsc.cpp:
1117         (functionGetHiddenValue):
1118         (functionSetHiddenValue):
1119
1120 2016-11-15  Keith Miller  <keith_miller@apple.com>
1121
1122         B3 should support UDiv/UMod
1123         https://bugs.webkit.org/show_bug.cgi?id=164811
1124
1125         Reviewed by Filip Pizlo.
1126
        This patch adds support for UDiv and UMod in B3. Many of the magic number
        cases have been omitted for now since they are unlikely to happen in wasm
        code. Most wasm code we will see is generated via llvm, which has more
        robust versions of what we would do anyway. Additionally, this patch
        links the new opcodes up to the wasm parser.
1132
1133         * assembler/MacroAssemblerARM64.h:
1134         (JSC::MacroAssemblerARM64::uDiv32):
1135         (JSC::MacroAssemblerARM64::uDiv64):
1136         * assembler/MacroAssemblerX86Common.h:
1137         (JSC::MacroAssemblerX86Common::x86UDiv32):
1138         * assembler/MacroAssemblerX86_64.h:
1139         (JSC::MacroAssemblerX86_64::x86UDiv64):
1140         * assembler/X86Assembler.h:
1141         (JSC::X86Assembler::divq_r):
1142         * b3/B3Common.h:
1143         (JSC::B3::chillUDiv):
1144         (JSC::B3::chillUMod):
1145         * b3/B3Const32Value.cpp:
1146         (JSC::B3::Const32Value::uDivConstant):
1147         (JSC::B3::Const32Value::uModConstant):
1148         * b3/B3Const32Value.h:
1149         * b3/B3Const64Value.cpp:
1150         (JSC::B3::Const64Value::uDivConstant):
1151         (JSC::B3::Const64Value::uModConstant):
1152         * b3/B3Const64Value.h:
1153         * b3/B3LowerMacros.cpp:
1154         * b3/B3LowerToAir.cpp:
1155         (JSC::B3::Air::LowerToAir::lower):
1156         (JSC::B3::Air::LowerToAir::lowerX86UDiv):
1157         * b3/B3Opcode.cpp:
1158         (WTF::printInternal):
1159         * b3/B3Opcode.h:
1160         * b3/B3ReduceStrength.cpp:
1161         * b3/B3Validate.cpp:
1162         * b3/B3Value.cpp:
1163         (JSC::B3::Value::uDivConstant):
1164         (JSC::B3::Value::uModConstant):
1165         (JSC::B3::Value::effects):
1166         (JSC::B3::Value::key):
1167         (JSC::B3::Value::typeFor):
1168         * b3/B3Value.h:
1169         * b3/B3ValueKey.cpp:
1170         (JSC::B3::ValueKey::materialize):
1171         * b3/air/AirInstInlines.h:
1172         (JSC::B3::Air::isX86UDiv32Valid):
1173         (JSC::B3::Air::isX86UDiv64Valid):
1174         * b3/air/AirOpcode.opcodes:
1175         * b3/testb3.cpp:
1176         (JSC::B3::testUDivArgsInt32):
1177         (JSC::B3::testUDivArgsInt64):
1178         (JSC::B3::testUModArgsInt32):
1179         (JSC::B3::testUModArgsInt64):
1180         (JSC::B3::run):
1181         * wasm/wasm.json:
1182
1183 2016-11-15  Joseph Pecoraro  <pecoraro@apple.com>
1184
1185         Web Inspector: Preview other CSS @media in browser window (print)
1186         https://bugs.webkit.org/show_bug.cgi?id=13530
1187         <rdar://problem/5712928>
1188
1189         Reviewed by Timothy Hatcher.
1190
1191         * inspector/protocol/Page.json:
1192         Update to preferred JSON style.
1193
1194 2016-11-15  Filip Pizlo  <fpizlo@apple.com>
1195
1196         Unreviewed, revert renaming useConcurrentJIT to useConcurrentJS.
1197
1198         * dfg/DFGDriver.cpp:
1199         (JSC::DFG::compileImpl):
1200         * heap/Heap.cpp:
1201         (JSC::Heap::addToRememberedSet):
1202         * jit/JITWorklist.cpp:
1203         (JSC::JITWorklist::compileLater):
1204         (JSC::JITWorklist::compileNow):
1205         * runtime/Options.cpp:
1206         (JSC::recomputeDependentOptions):
1207         * runtime/Options.h:
1208         * runtime/WriteBarrierInlines.h:
1209         (JSC::WriteBarrierBase<T>::set):
1210         (JSC::WriteBarrierBase<Unknown>::set):
1211
1212 2016-11-15  Geoffrey Garen  <ggaren@apple.com>
1213
1214         Debugging and other tools should not disable the code cache
1215         https://bugs.webkit.org/show_bug.cgi?id=164802
1216
1217         Reviewed by Mark Lam.
1218
1219         * bytecode/UnlinkedFunctionExecutable.cpp:
1220         (JSC::UnlinkedFunctionExecutable::fromGlobalCode): Updated for interface
1221         change.
1222
1223         * parser/SourceCodeKey.h:
1224         (JSC::SourceCodeFlags::SourceCodeFlags):
1225         (JSC::SourceCodeFlags::bits):
1226         (JSC::SourceCodeKey::SourceCodeKey): Treat debugging and other tools
1227         as part of our key so that we can cache code while using tools. Be sure
1228         to include these bits in our hash function so you don't get storms of
1229         collisions as you open and close the Web Inspector.
1230
1231         * runtime/CodeCache.cpp:
1232         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
1233         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable): Treat tools as
1234         a part of our key instead of as a reason to disable caching.
1235
1236         * runtime/CodeCache.h:
1237
1238 2016-11-15  Mark Lam  <mark.lam@apple.com>
1239
1240         Remove JSString::SafeView and replace its uses with StringViewWithUnderlyingString.
1241         https://bugs.webkit.org/show_bug.cgi?id=164777
1242
1243         Reviewed by Geoffrey Garen.
1244
        JSString::SafeView no longer achieves its intended goal to make it easier to
        handle strings safely.  Its clients still need to do explicit exception checks in
        order to be correct.  We'll remove it and replace its uses with
        StringViewWithUnderlyingString instead, which serves to get a StringView
        (which is what we really wanted from SafeView) and keeps the backing String alive
        while the view is in use.
1251
1252         Also added some missing exception checks.
1253
1254         * jsc.cpp:
1255         (printInternal):
1256         (functionDebug):
1257         * runtime/ArrayPrototype.cpp:
1258         (JSC::arrayProtoFuncJoin):
1259         * runtime/FunctionConstructor.cpp:
1260         (JSC::constructFunctionSkippingEvalEnabledCheck):
1261         * runtime/IntlCollatorPrototype.cpp:
1262         (JSC::IntlCollatorFuncCompare):
1263         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1264         (JSC::genericTypedArrayViewProtoFuncJoin):
1265         * runtime/JSGlobalObjectFunctions.cpp:
1266         (JSC::toStringView):
1267         (JSC::globalFuncParseFloat):
1268         * runtime/JSONObject.cpp:
1269         (JSC::JSONProtoFuncParse):
1270         * runtime/JSString.h:
1271         (JSC::JSString::SafeView::is8Bit): Deleted.
1272         (JSC::JSString::SafeView::length): Deleted.
1273         (JSC::JSString::SafeView::SafeView): Deleted.
1274         (JSC::JSString::SafeView::get): Deleted.
1275         (JSC::JSString::view): Deleted.
1276         * runtime/StringPrototype.cpp:
1277         (JSC::stringProtoFuncRepeatCharacter):
1278         (JSC::stringProtoFuncCharAt):
1279         (JSC::stringProtoFuncCharCodeAt):
1280         (JSC::stringProtoFuncIndexOf):
1281         (JSC::stringProtoFuncNormalize):
1282
1283 2016-11-15  Filip Pizlo  <fpizlo@apple.com>
1284
1285         Unreviewed, remove bogus assertion.
1286
1287         * heap/Heap.cpp:
1288         (JSC::Heap::markToFixpoint):
1289
1290 2016-11-15  Filip Pizlo  <fpizlo@apple.com>
1291
1292         [mac-wk1 debug] ASSERTION FAILED: thisObject->m_propertyTableUnsafe
1293         https://bugs.webkit.org/show_bug.cgi?id=162986
1294
1295         Reviewed by Saam Barati.
1296         
1297         This assertion is wrong for concurrent GC anyway, so this removes it.
1298
1299         * runtime/Structure.cpp:
1300         (JSC::Structure::visitChildren):
1301
1302 2016-11-15  Filip Pizlo  <fpizlo@apple.com>
1303
1304         Rename CONCURRENT_JIT/ConcurrentJIT to CONCURRENT_JS/ConcurrentJS
1305         https://bugs.webkit.org/show_bug.cgi?id=164791
1306
1307         Reviewed by Geoffrey Garen.
1308         
1309         Just renaming.
1310
1311         * JavaScriptCore.xcodeproj/project.pbxproj:
1312         * bytecode/ArrayProfile.cpp:
1313         (JSC::ArrayProfile::computeUpdatedPrediction):
1314         (JSC::ArrayProfile::briefDescription):
1315         (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
1316         * bytecode/ArrayProfile.h:
1317         (JSC::ArrayProfile::observedArrayModes):
1318         (JSC::ArrayProfile::mayInterceptIndexedAccesses):
1319         (JSC::ArrayProfile::mayStoreToHole):
1320         (JSC::ArrayProfile::outOfBounds):
1321         (JSC::ArrayProfile::usesOriginalArrayStructures):
1322         * bytecode/CallLinkStatus.cpp:
1323         (JSC::CallLinkStatus::computeFromLLInt):
1324         (JSC::CallLinkStatus::computeFor):
1325         (JSC::CallLinkStatus::computeExitSiteData):
1326         (JSC::CallLinkStatus::computeFromCallLinkInfo):
1327         (JSC::CallLinkStatus::computeDFGStatuses):
1328         * bytecode/CallLinkStatus.h:
1329         * bytecode/CodeBlock.cpp:
1330         (JSC::CodeBlock::dumpValueProfiling):
1331         (JSC::CodeBlock::dumpArrayProfiling):
1332         (JSC::CodeBlock::finishCreation):
1333         (JSC::CodeBlock::setConstantRegisters):
1334         (JSC::CodeBlock::getStubInfoMap):
1335         (JSC::CodeBlock::getCallLinkInfoMap):
1336         (JSC::CodeBlock::getByValInfoMap):
1337         (JSC::CodeBlock::addStubInfo):
1338         (JSC::CodeBlock::addByValInfo):
1339         (JSC::CodeBlock::addCallLinkInfo):
1340         (JSC::CodeBlock::resetJITData):
1341         (JSC::CodeBlock::shrinkToFit):
1342         (JSC::CodeBlock::getArrayProfile):
1343         (JSC::CodeBlock::addArrayProfile):
1344         (JSC::CodeBlock::getOrAddArrayProfile):
1345         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
1346         (JSC::CodeBlock::updateAllArrayPredictions):
1347         (JSC::CodeBlock::nameForRegister):
1348         (JSC::CodeBlock::livenessAnalysisSlow):
1349         * bytecode/CodeBlock.h:
1350         (JSC::CodeBlock::setJITCode):
1351         (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
1352         (JSC::CodeBlock::addFrequentExitSite):
1353         (JSC::CodeBlock::hasExitSite):
1354         (JSC::CodeBlock::livenessAnalysis):
1355         * bytecode/DFGExitProfile.cpp:
1356         (JSC::DFG::ExitProfile::add):
1357         (JSC::DFG::ExitProfile::hasExitSite):
1358         (JSC::DFG::QueryableExitProfile::initialize):
1359         * bytecode/DFGExitProfile.h:
1360         (JSC::DFG::ExitProfile::hasExitSite):
1361         * bytecode/GetByIdStatus.cpp:
1362         (JSC::GetByIdStatus::hasExitSite):
1363         (JSC::GetByIdStatus::computeFor):
1364         (JSC::GetByIdStatus::computeForStubInfo):
1365         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
1366         * bytecode/GetByIdStatus.h:
1367         * bytecode/LazyOperandValueProfile.cpp:
1368         (JSC::CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions):
1369         (JSC::CompressedLazyOperandValueProfileHolder::add):
1370         (JSC::LazyOperandValueProfileParser::initialize):
1371         (JSC::LazyOperandValueProfileParser::prediction):
1372         * bytecode/LazyOperandValueProfile.h:
1373         * bytecode/MethodOfGettingAValueProfile.cpp:
1374         (JSC::MethodOfGettingAValueProfile::emitReportValue):
1375         * bytecode/PutByIdStatus.cpp:
1376         (JSC::PutByIdStatus::hasExitSite):
1377         (JSC::PutByIdStatus::computeFor):
1378         (JSC::PutByIdStatus::computeForStubInfo):
1379         * bytecode/PutByIdStatus.h:
1380         * bytecode/StructureStubClearingWatchpoint.cpp:
1381         (JSC::StructureStubClearingWatchpoint::fireInternal):
1382         * bytecode/ValueProfile.h:
1383         (JSC::ValueProfileBase::briefDescription):
1384         (JSC::ValueProfileBase::computeUpdatedPrediction):
1385         * dfg/DFGArrayMode.cpp:
1386         (JSC::DFG::ArrayMode::fromObserved):
1387         * dfg/DFGArrayMode.h:
1388         (JSC::DFG::ArrayMode::withSpeculationFromProfile):
1389         (JSC::DFG::ArrayMode::withProfile):
1390         * dfg/DFGByteCodeParser.cpp:
1391         (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
1392         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
1393         (JSC::DFG::ByteCodeParser::getArrayMode):
1394         (JSC::DFG::ByteCodeParser::handleInlining):
1395         (JSC::DFG::ByteCodeParser::parseBlock):
1396         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1397         * dfg/DFGDriver.cpp:
1398         (JSC::DFG::compileImpl):
1399         * dfg/DFGFixupPhase.cpp:
1400         (JSC::DFG::FixupPhase::fixupNode):
1401         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
1402         * dfg/DFGGraph.cpp:
1403         (JSC::DFG::Graph::tryGetConstantClosureVar):
1404         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1405         * dfg/DFGPredictionInjectionPhase.cpp:
1406         (JSC::DFG::PredictionInjectionPhase::run):
1407         * ftl/FTLLowerDFGToB3.cpp:
1408         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
1409         * ftl/FTLOperations.cpp:
1410         (JSC::FTL::operationMaterializeObjectInOSR):
1411         * heap/Heap.cpp:
1412         (JSC::Heap::addToRememberedSet):
1413         * jit/JIT.cpp:
1414         (JSC::JIT::compileWithoutLinking):
1415         * jit/JITInlines.h:
1416         (JSC::JIT::chooseArrayMode):
1417         * jit/JITOperations.cpp:
1418         (JSC::tryGetByValOptimize):
1419         * jit/JITPropertyAccess.cpp:
1420         (JSC::JIT::privateCompileGetByValWithCachedId):
1421         (JSC::JIT::privateCompilePutByValWithCachedId):
1422         * jit/JITWorklist.cpp:
1423         (JSC::JITWorklist::compileLater):
1424         (JSC::JITWorklist::compileNow):
1425         * jit/Repatch.cpp:
1426         (JSC::repatchGetByID):
1427         (JSC::repatchPutByID):
1428         * llint/LLIntSlowPaths.cpp:
1429         (JSC::LLInt::setupGetByIdPrototypeCache):
1430         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1431         (JSC::LLInt::setUpCall):
1432         * profiler/ProfilerBytecodeSequence.cpp:
1433         (JSC::Profiler::BytecodeSequence::BytecodeSequence):
1434         * runtime/CommonSlowPaths.cpp:
1435         (JSC::SLOW_PATH_DECL):
1436         * runtime/CommonSlowPaths.h:
1437         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
1438         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
1439         * runtime/ConcurrentJITLock.h: Removed.
1440         * runtime/ConcurrentJSLock.h: Copied from Source/JavaScriptCore/runtime/ConcurrentJITLock.h.
1441         (JSC::ConcurrentJSLockerBase::ConcurrentJSLockerBase):
1442         (JSC::ConcurrentJSLockerBase::~ConcurrentJSLockerBase):
1443         (JSC::GCSafeConcurrentJSLocker::GCSafeConcurrentJSLocker):
1444         (JSC::GCSafeConcurrentJSLocker::~GCSafeConcurrentJSLocker):
1445         (JSC::ConcurrentJSLocker::ConcurrentJSLocker):
1446         (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase): Deleted.
1447         (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase): Deleted.
1448         (JSC::ConcurrentJITLockerBase::unlockEarly): Deleted.
1449         (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker): Deleted.
1450         (JSC::GCSafeConcurrentJITLocker::~GCSafeConcurrentJITLocker): Deleted.
1451         (JSC::ConcurrentJITLocker::ConcurrentJITLocker): Deleted.
1452         * runtime/InferredType.cpp:
1453         (JSC::InferredType::canWatch):
1454         (JSC::InferredType::addWatchpoint):
1455         (JSC::InferredType::willStoreValueSlow):
1456         (JSC::InferredType::makeTopSlow):
1457         (JSC::InferredType::set):
1458         (JSC::InferredType::removeStructure):
1459         * runtime/InferredType.h:
1460         * runtime/InferredTypeTable.cpp:
1461         (JSC::InferredTypeTable::visitChildren):
1462         (JSC::InferredTypeTable::get):
1463         (JSC::InferredTypeTable::willStoreValue):
1464         (JSC::InferredTypeTable::makeTop):
1465         * runtime/InferredTypeTable.h:
1466         * runtime/JSEnvironmentRecord.cpp:
1467         (JSC::JSEnvironmentRecord::heapSnapshot):
1468         * runtime/JSGlobalObject.cpp:
1469         (JSC::JSGlobalObject::addGlobalVar):
1470         (JSC::JSGlobalObject::addStaticGlobals):
1471         * runtime/JSLexicalEnvironment.cpp:
1472         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
1473         * runtime/JSObject.cpp:
1474         (JSC::JSObject::deleteProperty):
1475         (JSC::JSObject::shiftButterflyAfterFlattening):
1476         * runtime/JSObject.h:
1477         * runtime/JSObjectInlines.h:
1478         (JSC::JSObject::putDirectWithoutTransition):
1479         (JSC::JSObject::putDirectInternal):
1480         * runtime/JSScope.cpp:
1481         (JSC::abstractAccess):
1482         (JSC::JSScope::collectClosureVariablesUnderTDZ):
1483         * runtime/JSSegmentedVariableObject.cpp:
1484         (JSC::JSSegmentedVariableObject::findVariableIndex):
1485         (JSC::JSSegmentedVariableObject::addVariables):
1486         (JSC::JSSegmentedVariableObject::heapSnapshot):
1487         * runtime/JSSegmentedVariableObject.h:
1488         * runtime/JSSymbolTableObject.cpp:
1489         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
1490         * runtime/JSSymbolTableObject.h:
1491         (JSC::symbolTableGet):
1492         (JSC::symbolTablePut):
1493         * runtime/Options.cpp:
1494         (JSC::recomputeDependentOptions):
1495         * runtime/Options.h:
1496         * runtime/ProgramExecutable.cpp:
1497         (JSC::ProgramExecutable::initializeGlobalProperties):
1498         * runtime/RegExp.cpp:
1499         (JSC::RegExp::compile):
1500         (JSC::RegExp::matchConcurrently):
1501         (JSC::RegExp::compileMatchOnly):
1502         (JSC::RegExp::deleteCode):
1503         * runtime/RegExp.h:
1504         * runtime/Structure.cpp:
1505         (JSC::Structure::materializePropertyTable):
1506         (JSC::Structure::addPropertyTransitionToExistingStructureConcurrently):
1507         (JSC::Structure::addNewPropertyTransition):
1508         (JSC::Structure::takePropertyTableOrCloneIfPinned):
1509         (JSC::Structure::nonPropertyTransition):
1510         (JSC::Structure::flattenDictionaryStructure):
1511         (JSC::Structure::ensurePropertyReplacementWatchpointSet):
1512         (JSC::Structure::add):
1513         (JSC::Structure::remove):
1514         (JSC::Structure::visitChildren):
1515         * runtime/Structure.h:
1516         * runtime/StructureInlines.h:
1517         (JSC::Structure::propertyReplacementWatchpointSet):
1518         (JSC::Structure::add):
1519         (JSC::Structure::remove):
1520         * runtime/SymbolTable.cpp:
1521         (JSC::SymbolTable::visitChildren):
1522         (JSC::SymbolTable::localToEntry):
1523         (JSC::SymbolTable::entryFor):
1524         (JSC::SymbolTable::prepareForTypeProfiling):
1525         (JSC::SymbolTable::uniqueIDForVariable):
1526         (JSC::SymbolTable::uniqueIDForOffset):
1527         (JSC::SymbolTable::globalTypeSetForOffset):
1528         (JSC::SymbolTable::globalTypeSetForVariable):
1529         * runtime/SymbolTable.h:
1530         * runtime/TypeSet.cpp:
1531         (JSC::TypeSet::addTypeInformation):
1532         (JSC::TypeSet::invalidateCache):
1533         * runtime/TypeSet.h:
1534         (JSC::TypeSet::structureSet):
1535         * runtime/VM.h:
1536         * runtime/WriteBarrierInlines.h:
1537         (JSC::WriteBarrierBase<T>::set):
1538         (JSC::WriteBarrierBase<Unknown>::set):
1539         * yarr/YarrInterpreter.cpp:
1540         (JSC::Yarr::ByteCompiler::compile):
1541         (JSC::Yarr::byteCompile):
1542         * yarr/YarrInterpreter.h:
1543         (JSC::Yarr::BytecodePattern::BytecodePattern):
1544
1545 2016-11-15  Joseph Pecoraro  <pecoraro@apple.com>
1546
1547         Web Inspector: Remove unused and untested Page.setTouchEmulationEnabled command
1548         https://bugs.webkit.org/show_bug.cgi?id=164793
1549
1550         Reviewed by Matt Baker.
1551
1552         * inspector/protocol/Page.json:
1553
1554 2016-11-15  Yusuke Suzuki  <utatane.tea@gmail.com>
1555
1556         Unreviewed, build fix for Windows debug build after r208738
1557         https://bugs.webkit.org/show_bug.cgi?id=164727
1558
1559         This static member variable can be touched outside of the JSC project
1560         since inlined MacroAssembler member functions read / write it.
1561         So it should be exported.
1562
1563         * assembler/MacroAssemblerX86Common.h:
1564
1565 2016-11-15  Joseph Pecoraro  <pecoraro@apple.com>
1566
1567         Web Inspector: inspector/worker/debugger-pause.html fails on WebKit1
1568         https://bugs.webkit.org/show_bug.cgi?id=164787
1569
1570         Reviewed by Timothy Hatcher.
1571
1572         * inspector/agents/InspectorDebuggerAgent.cpp:
1573         (Inspector::InspectorDebuggerAgent::cancelPauseOnNextStatement):
1574         Clear this DebuggerAgent state when we resume.
1575
1576 2016-11-15  Filip Pizlo  <fpizlo@apple.com>
1577
1578         It should be possible to disable concurrent GC timeslicing
1579         https://bugs.webkit.org/show_bug.cgi?id=164788
1580
1581         Reviewed by Saam Barati.
1582         
1583         Collector timeslicing means that the collector will try to pause once every 2ms. This is
1584         great because it throttles the mutator and prevents it from outpacing the collector. But
1585         it reduces some of the efficacy of the collectContinuously=true configuration: while
1586         it's great that collecting continuously means that the collector will also pause more
1587         frequently and so it will test the pausing code, it also means that the collector will
1588         spend less time running concurrently. The primary purpose of collectContinuously is to
1589         maximize the amount of time that the collector is running concurrently to the mutator to
1590         maximize the likelihood that a race will cause a detectable error.
1591         
1592         This adds an option to disable collector timeslicing (useCollectorTimeslicing=false).
1593         The idea is that we will usually use this in conjunction with collectContinuously=true
1594         to find race conditions during marking, but we can also use the two options
1595         independently to focus our testing on other things.
1596
1597         * heap/Heap.cpp:
1598         (JSC::Heap::markToFixpoint):
1599         * heap/SlotVisitor.cpp:
1600         (JSC::SlotVisitor::drainInParallel): We should have added this helper ages ago.
1601         * heap/SlotVisitor.h:
1602         * runtime/Options.h:
1603
1604 2016-11-15  Filip Pizlo  <fpizlo@apple.com>
1605
1606         The concurrent GC should have a timeslicing controller
1607         https://bugs.webkit.org/show_bug.cgi?id=164783
1608
1609         Reviewed by Geoffrey Garen.
1610         
1611         This adds a simple control system for deciding when the collector should let the mutator run
1612         and when it should stop the mutator. We definitely have to stop the mutator during certain
1613         collector phases, but during marking - which takes the most time - we can go either way.
1614         Normally we want to let the mutator run, but if the heap size starts to grow then we have to
1615         stop the mutator just to make sure it doesn't get too far ahead of the collector. That could
1616         lead to memory exhaustion, so it's better to just stop in that case.
1617         
1618         The controller tries to never stop the mutator for longer than short timeslices. It slices on
1619         a 2ms period (configurable via Options). The amount of that period that the collector spends
1620         with the mutator stopped is determined by the fraction of the collector's concurrent headroom
1621         that has been allocated over. The headroom is currently configured at 50% of what was
1622         allocated before the collector started.
1623         
1624         This moves a bunch of parameters into Options so that it's easier to play with different
1625         configurations.
1626         
1627         I tried these different values for the period:
1628         
1629         1ms: 30% worse than 2ms on splay-latency.
1630         2ms: best score on splay-latency: the tick time above the 99.5% percentile is <2ms.
1631         3ms: 40% worse than 2ms on splay-latency.
1632         4ms: 40% worse than 2ms on splay-latency.
1633         
1634         I also tried 100% headroom as an alternate to 50% and found it to be worse.
1635         
1636         This patch is a 2x improvement on splay-latency with the default parameters and concurrent GC
1637         enabled. Prior to this change, the GC didn't have a good bound on its pause times, which
1638         would cause these problems. Concurrent GC is now 5.6x better on splay-latency than no
1639         concurrent GC.
1640
1641         * heap/Heap.cpp:
1642         (JSC::Heap::ResumeTheWorldScope::ResumeTheWorldScope):
1643         (JSC::Heap::markToFixpoint):
1644         (JSC::Heap::collectInThread):
1645         * runtime/Options.h:
1646
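The following is an added illustration, not WebKit's code: a constructed C++ model of the timeslicing controller described in this entry, together with the useCollectorTimeslicing switch from the entry above. The 2ms period and 50% headroom are the values given here; the clamp-to-[0, 1] rule, the field names, the switch semantics and the marking simulation are assumptions.

```cpp
// Added example, not JSC's code: a model of the collector timeslicing controller
// described above. The 2ms period and 50% headroom are the entry's values; the
// clamp, the field names, the "timeslicing" switch and the simulation are assumptions.
#include <algorithm>
#include <cstdint>
#include <cstdio>

struct TimesliceController {
    bool timeslicing = true;        // models useCollectorTimeslicing (assumed semantics)
    double periodMs = 2.0;          // slice period; the entry reports 2ms as the sweet spot
    double headroomFraction = 0.5;  // concurrent headroom relative to pre-collection allocation
    std::uint64_t bytesAtStart = 0; // bytes allocated before the collection started

    // Bytes the mutator may allocate concurrently before the collector
    // keeps it stopped for the whole period.
    double headroomBytes() const { return headroomFraction * static_cast<double>(bytesAtStart); }

    // Share of the headroom consumed so far, clamped to [0, 1]; the controller
    // spends this fraction of each period with the mutator stopped.
    double stoppedFraction(std::uint64_t bytesAllocatedSinceStart) const {
        if (!timeslicing)
            return 0.0; // never stop for pacing; let marking run fully concurrently
        double headroom = headroomBytes();
        if (headroom <= 0.0)
            return 1.0; // nothing was allocated before GC: no headroom to hand out
        double used = static_cast<double>(bytesAllocatedSinceStart) / headroom;
        return std::max(0.0, std::min(1.0, used));
    }

    double stoppedMs(std::uint64_t bytesAllocatedSinceStart) const {
        return periodMs * stoppedFraction(bytesAllocatedSinceStart);
    }
};

// Outcome of one simulated marking phase.
struct MarkingSimulation {
    double elapsedMs = 0;             // wall time marking took
    double mutatorStoppedMs = 0;      // total stop-the-world time
    double longestStopMs = 0;         // longest single stop (bounded by the period)
    std::uint64_t bytesAllocated = 0; // mutator allocation during marking
    bool exceededHeadroom = false;    // true if the mutator outpaced the headroom
};

// Marking proceeds at markRate regardless of the mutator; the mutator allocates
// at allocRate only while resumed. The controller is consulted once per period.
MarkingSimulation simulateMarking(const TimesliceController& ctl, std::uint64_t bytesToMark,
                                  double markRateBytesPerMs, double allocRateBytesPerMs)
{
    MarkingSimulation sim;
    double marked = 0;
    while (marked < static_cast<double>(bytesToMark)) {
        double stopped = ctl.stoppedMs(sim.bytesAllocated);
        double resumed = ctl.periodMs - stopped;
        marked += markRateBytesPerMs * ctl.periodMs;
        sim.bytesAllocated += static_cast<std::uint64_t>(allocRateBytesPerMs * resumed);
        sim.mutatorStoppedMs += stopped;
        sim.longestStopMs = std::max(sim.longestStopMs, stopped);
        sim.elapsedMs += ctl.periodMs;
        if (static_cast<double>(sim.bytesAllocated) > ctl.headroomBytes())
            sim.exceededHeadroom = true;
    }
    return sim;
}

int main()
{
    // Constructed scenario: 1 MB live before GC, 4 MB to mark, mutator allocating
    // at half the marking rate whenever it is allowed to run.
    TimesliceController sliced;
    sliced.bytesAtStart = 1000000;
    TimesliceController unsliced = sliced;
    unsliced.timeslicing = false;

    MarkingSimulation a = simulateMarking(sliced, 4000000, 200000, 100000);
    MarkingSimulation b = simulateMarking(unsliced, 4000000, 200000, 100000);
    std::printf("timeslicing: allocated=%llu longestStop=%.3fms exceeded=%d\n",
                (unsigned long long)a.bytesAllocated, a.longestStopMs, a.exceededHeadroom);
    std::printf("no timeslicing: allocated=%llu longestStop=%.3fms exceeded=%d\n",
                (unsigned long long)b.bytesAllocated, b.longestStopMs, b.exceededHeadroom);
    return 0;
}
```

With the switch on, allocation converges to the headroom from below and no single stop reaches the full period; with it off, the mutator runs through the headroom within a few periods, which is the memory-growth case the entry describes.
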
1647 2016-11-15  Yusuke Suzuki  <utatane.tea@gmail.com>
1648
1649         Unreviewed, build fix for CLoop after r208738
1650         https://bugs.webkit.org/show_bug.cgi?id=164727
1651
1652         * jsc.cpp:
1653         (WTF::DOMJITFunctionObject::unsafeFunction):
1654         (WTF::DOMJITFunctionObject::finishCreation):
1655
1656 2016-11-15  Mark Lam  <mark.lam@apple.com>
1657
1658         The jsc shell's setImpureGetterDelegate() should ensure that the set value is an ImpureGetter.
1659         https://bugs.webkit.org/show_bug.cgi?id=164781
1660         <rdar://problem/28418590>
1661
1662         Reviewed by Geoffrey Garen and Michael Saboff.
1663
1664         * jsc.cpp:
1665         (functionSetImpureGetterDelegate):
1666
1667 2016-11-15  Yusuke Suzuki  <utatane.tea@gmail.com>
1668
1669         [DOMJIT] Allow using macro assembler scratches in FTL CheckDOM
1670         https://bugs.webkit.org/show_bug.cgi?id=164727
1671
1672         Reviewed by Filip Pizlo.
1673
1674         While CallDOMGetter can use macro assembler scratch registers, we previously
1675         assumed that CheckDOM code generator does not use macro assembler scratch registers.
1676         It is currently true in x86 environment. But it is not true in the other environments.
1677
1678         We should not limit DOMJIT::Patchpoint's functionality in such a way. We should allow
1679         arbitrary macro assembler operations inside the DOMJIT::Patchpoint. This patch allows
1680         CheckDOM to use macro assembler scratch registers.
1681
1682         * ftl/FTLLowerDFGToB3.cpp:
1683         (JSC::FTL::DFG::LowerDFGToB3::compileCheckDOM):
1684         * jsc.cpp:
1685         (WTF::DOMJITFunctionObject::DOMJITFunctionObject):
1686         (WTF::DOMJITFunctionObject::createStructure):
1687         (WTF::DOMJITFunctionObject::create):
1688         (WTF::DOMJITFunctionObject::unsafeFunction):
1689         (WTF::DOMJITFunctionObject::safeFunction):
1690         (WTF::DOMJITFunctionObject::checkDOMJITNode):
1691         (WTF::DOMJITFunctionObject::finishCreation):
1692         (GlobalObject::finishCreation):
1693         (functionCreateDOMJITFunctionObject):
1694
1695 2016-11-14  Geoffrey Garen  <ggaren@apple.com>
1696
1697         CodeCache should stop pretending to cache builtins
1698         https://bugs.webkit.org/show_bug.cgi?id=164750
1699
1700         Reviewed by Saam Barati.
1701
1702         We were passing JSParserBuiltinMode to all CodeCache functions, but the
1703         passed-in value was always NotBuiltin.
1704
1705         Let's stop passing it.
1706
1707         * parser/SourceCodeKey.h:
1708         (JSC::SourceCodeFlags::SourceCodeFlags):
1709         (JSC::SourceCodeKey::SourceCodeKey):
1710         * runtime/CodeCache.cpp:
1711         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
1712         (JSC::CodeCache::getUnlinkedProgramCodeBlock):
1713         (JSC::CodeCache::getUnlinkedGlobalEvalCodeBlock):
1714         (JSC::CodeCache::getUnlinkedModuleProgramCodeBlock):
1715         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
1716         * runtime/CodeCache.h:
1717         (JSC::generateUnlinkedCodeBlock):
1718         * runtime/JSGlobalObject.cpp:
1719         (JSC::JSGlobalObject::createProgramCodeBlock):
1720         (JSC::JSGlobalObject::createLocalEvalCodeBlock):
1721         (JSC::JSGlobalObject::createGlobalEvalCodeBlock):
1722         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
1723
1724 2016-11-15  Filip Pizlo  <fpizlo@apple.com>
1725
1726         REGRESSION (r208711-r208722): ASSERTION FAILED: hasInlineStorage()
1727         https://bugs.webkit.org/show_bug.cgi?id=164775
1728
1729         Reviewed by Mark Lam and Keith Miller.
1730         
1731         We were calling inlineStorage() which asserts that inline storage is not empty. But we
1732         were calling it in a context where it could be empty and that's fine. So, we now call
1733         inlineStorageUnsafe().
1734
1735         * runtime/JSObject.h:
1736         (JSC::JSFinalObject::JSFinalObject):
1737
1738 2016-11-14  Csaba Osztrogonác  <ossy@webkit.org>
1739
1740         [ARM] Unreviewed buildfix after r208720.
1741
1742         * assembler/MacroAssemblerARM.h:
1743         (JSC::MacroAssemblerARM::storeFence): Stub function copied from MacroAssemblerARMv7.h.
1744
1745 2016-11-14  Caitlin Potter  <caitp@igalia.com>
1746
1747         [JSC] do not reference AwaitExpression Promises in async function Promise chain
1748         https://bugs.webkit.org/show_bug.cgi?id=164753
1749
1750         Reviewed by Yusuke Suzuki.
1751
1752         Previously, long-running async functions which contained many AwaitExpressions
1753         would allocate and retain references to intermediate Promise objects for each `await`,
1754         resulting in a memory leak.
1755
1756         To mitigate this leak, a reference to the original Promise (and its resolve and reject
1757         functions) associated with the async function is kept, and passed to each call to
1758         @asyncFunctionResume, while intermediate Promises are discarded. This is done by adding
1759         a new Register to the BytecodeGenerator to hold the PromiseCapability object associated
1760         with an async function wrapper. The capability is used to reject the Promise if an
1761         exception is thrown during parameter initialization, and is used to store the resulting
1762         value once the async function has terminated.
1763
1764         * builtins/AsyncFunctionPrototype.js:
1765         (globalPrivate.asyncFunctionResume):
1766         * bytecompiler/BytecodeGenerator.cpp:
1767         (JSC::BytecodeGenerator::BytecodeGenerator):
1768         * bytecompiler/BytecodeGenerator.h:
1769         (JSC::BytecodeGenerator::promiseCapabilityRegister):
1770         * bytecompiler/NodesCodegen.cpp:
1771         (JSC::FunctionNode::emitBytecode):
1772
1773 2016-11-14  Joseph Pecoraro  <pecoraro@apple.com>
1774
1775         Web Inspector: Worker debugging should pause all targets and view call frames in all targets
1776         https://bugs.webkit.org/show_bug.cgi?id=164305
1777         <rdar://problem/29056192>
1778
1779         Reviewed by Timothy Hatcher.
1780
1781         * inspector/InjectedScriptSource.js:
1782         (InjectedScript.prototype._propertyDescriptors):
1783         Accessing __proto__ does a ToThis(...) conversion on the receiver.
1784         In the case of GlobalObjects (such as WorkerGlobalScope when paused)
1785         this would return undefined and throw an exception. We can use
1786         Object.getPrototypeOf to avoid that conversion and possible error.
1787
1788         * inspector/protocol/Debugger.json:
1789         Provide a new way to effectively `resume` + `pause` immediately.
1790         This must be implemented on the backend to correctly synchronize
1791         the resuming and pausing.
1792
1793         * inspector/agents/InspectorDebuggerAgent.h:
1794         * inspector/agents/InspectorDebuggerAgent.cpp:
1795         (Inspector::InspectorDebuggerAgent::continueUntilNextRunLoop):
1796         Treat this as `resume` and `pause`. Resume now, and trigger
1797         a pause if the VM becomes idle and we didn't pause before then
1798         (such as hitting a breakpoint after we resumed).
1799
1800         (Inspector::InspectorDebuggerAgent::pause):
1801         (Inspector::InspectorDebuggerAgent::resume):
1802         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
1803         (Inspector::InspectorDebuggerAgent::cancelPauseOnNextStatement):
1804         Clean up and correct pause on next statement logic.
1805
1806         (Inspector::InspectorDebuggerAgent::registerIdleHandler):
1807         (Inspector::InspectorDebuggerAgent::willStepAndMayBecomeIdle):
1808         (Inspector::InspectorDebuggerAgent::didBecomeIdle):
1809         (Inspector::InspectorDebuggerAgent::didBecomeIdleAfterStepping): Deleted.
1810         The idle handler may now also trigger a pause in the case
1811         where continueUntilNextRunLoop resumed and wants to pause.
1812
1813         (Inspector::InspectorDebuggerAgent::didPause):
1814         Eliminate the useless didPause. The DOMDebugger was keeping track
1815         of its own state that was worse than the state in DebuggerAgent.
1816
1817 2016-11-14  Filip Pizlo  <fpizlo@apple.com>
1818
1819         Unreviewed, fix cloop.
1820
1821         * runtime/JSCellInlines.h:
1822
1823 2016-11-14  Filip Pizlo  <fpizlo@apple.com>
1824
1825         The GC should be optionally concurrent and disabled by default
1826         https://bugs.webkit.org/show_bug.cgi?id=164454
1827
1828         Reviewed by Geoffrey Garen.
1829         
1830         This started out as a patch to have the GC scan the stack at the end, and then the
1831         outage happened and I decided to pick a more aggressive target: give the GC a concurrent
1832         mode that can be enabled at runtime, and whose only effect is that it turns on the
1833         ResumeTheWorldScope. This gives our GC a really intuitive workflow: by default, the GC
1834         thread is running solo with the world stopped and the parallel markers converged and
1835         waiting. We have a parallel work scope to enable the parallel markers and now we have a
1836         ResumeTheWorldScope that will optionally resume the world and then stop it again.
1837         
1838         It's easy to make a concurrent GC that always instantly crashes. I can't promise that
1839         this one won't do that when you run it. I set a specific goal: I wanted to do >10
1840         concurrent GCs in debug mode with generations, optimizing JITs, and parallel marking
1841         disabled.
1842         
1843         To reach this milestone, I needed to do a bunch of stuff:
1844         
1845         - The mutator needs a separate mark stack for the barrier, since it will mutate this
1846           stack concurrently to the collector's slot visitors.
1847         
1848         - The use of CellState to indicate whether an object is being scanned the first time or
1849           a subsequent time was racy. It fails spectacularly when a barrier is fired at the same
1850           time as visitChildren is running or if the barrier runs at the same time as the GC
1851           marks the same object. So, I split SlotVisitor's mark stacks. It's now the case that
1852           you know why you're being scanned by looking at which stack you came off of.
1853         
1854         - All of root marking must be in the collector fixpoint. I renamed markRoots to
1855           markToFixpoint. They say concurrency is hard, but the collector looks more intuitive
1856           this way. We never gained anything from forcing people to make a choice between
1857           scanning something in the fixpoint versus outside of it. Because root scanning is
1858           cheap, we can afford to do it repeatedly, which means all root scanning can now do
1859           constraint-based marking (like: I'll mark you if that thing is marked).
1860         
1861         - JSObject::visitChildren's scanning of the butterfly raced with property additions,
1862           indexed storage transitions and resizing, and a bunch of miscellaneous dirty butterfly
1863           reshaping functions - like the one that flattens a dictionary and some sneaky
1864           ArrayStorage transformations. Many of these can be fixed by using store-store fences
1865           in the mutator and load-load fences in the collector. I've adopted the rule that the
1866           collector must always see either a butterfly and structure that match or a newer
1867           butterfly with an older structure, where their age is just one transition apart. This
1868           can be achieved with fences. For the cases where it breaks down, I added a lock to
1869           every JSCell. This is a full-fledged WTF lock that we sneak into two available bits in
1870           the indexingType. See the WTF ChangeLog for details.
1871           
1872           The mutator fencing rules are as follows:
1873           
1874           - Store-store fence before and after setting the butterfly.
1875           - Store-store fence before setting structure if you had changed the shape of the
1876             butterfly.
1877           - Store-store fence after initializing all fields in an allocation.
1878         
1879         - A dictionary Structure can change in strange ways while the GC is trying to scan it.
1880           So, JSObject::visitChildren will now grab the object's structure's lock if the
1881           object's structure is a dictionary. Dictionary structures are 1:1 with their object,
1882           so this does not reduce GC parallelism (super unlikely that the GC will simultaneously
1883           scan an object from two threads).
1884         
1885         - The GC can blow away a Structure's property table at any time. As a small consolation,
1886           it's now holding the Structure's lock when it does so. But there was tons of code in
1887           Structure that uses DeferGC to prevent the GC from blowing away the property table.
1888           This doesn't work with concurrent GC, since DeferGC only means that the GC won't run
1889           its safepoint (i.e. stop-the-world code) in the DeferGC region. It will still do
1890           marking and it was the Structure::visitChildren that would delete the table. It turns
1891           out that Structure's reliance on the property table not being deleted was the product
1892           of code rot. We already had functions that would materialize the table on demand. We
1893           were simply making the mistake of saying:
1894           
1895               structure->materializePropertyMap();
1896               ...
1897               structure->propertyTable()->things
1898           
1899           Instead of saying:
1900           
1901               PropertyTable* table = structure->ensurePropertyTable();
1902               ...
1903               table->things
1904           
1905           Switching the code to use the latter idiom allowed me to simplify the code a lot while
1906           fixing the race.
1907         
1908         - The LLInt's get_by_val handling was broken because the indexing shape constants were
1909           wrong. Once I started putting more things into the IndexingType, that started causing
1910           crashes for me. So I fixed LLInt. That turned out to be a lot of work, since that code
1911           had rotted in subtle ways.
1912         
1913         This is a speed-up in SunSpider, probably because of the LLInt fix. This is neutral on
1914         Octane and Kraken. It's a smaller slow-down on LongSpider, but I think we can ignore
1915         that (we don't view LongSpider as an official benchmark). By default, the concurrent GC
1916         is disabled: in all of the places where it would have resumed the world to run marking
1917         concurrently to the mutator, it will just skip the resume step. When you enable
1918         concurrent GC (--useConcurrentGC=true), it can sometimes run Octane/splay to completion.
1919         It seems to perform quite well: on my machine, it improves both splay-throughput and
1920         splay-latency. It's probably unstable for other programs.
1921
1922         * API/JSVirtualMachine.mm:
1923         (-[JSVirtualMachine isOldExternalObject:]):
1924         * assembler/MacroAssemblerARMv7.h:
1925         (JSC::MacroAssemblerARMv7::storeFence):
1926         * bytecode/InlineAccess.cpp:
1927         (JSC::InlineAccess::dumpCacheSizesAndCrash):
1928         (JSC::InlineAccess::generateSelfPropertyAccess):
1929         (JSC::InlineAccess::generateArrayLength):
1930         * bytecode/ObjectAllocationProfile.h:
1931         (JSC::ObjectAllocationProfile::offsetOfInlineCapacity):
1932         (JSC::ObjectAllocationProfile::ObjectAllocationProfile):
1933         (JSC::ObjectAllocationProfile::initialize):
1934         (JSC::ObjectAllocationProfile::inlineCapacity):
1935         (JSC::ObjectAllocationProfile::clear):
1936         * bytecode/PolymorphicAccess.cpp:
1937         (JSC::AccessCase::generateWithGuard):
1938         (JSC::AccessCase::generateImpl):
1939         * dfg/DFGArrayifySlowPathGenerator.h:
1940         * dfg/DFGClobberize.h:
1941         (JSC::DFG::clobberize):
1942         * dfg/DFGOSRExitCompiler32_64.cpp:
1943         (JSC::DFG::OSRExitCompiler::compileExit):
1944         * dfg/DFGOSRExitCompiler64.cpp:
1945         (JSC::DFG::OSRExitCompiler::compileExit):
1946         * dfg/DFGOperations.cpp:
1947         * dfg/DFGPlan.cpp:
1948         (JSC::DFG::Plan::markCodeBlocks):
1949         (JSC::DFG::Plan::rememberCodeBlocks):
1950         * dfg/DFGPlan.h:
1951         * dfg/DFGSpeculativeJIT.cpp:
1952         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1953         (JSC::DFG::SpeculativeJIT::checkArray):
1954         (JSC::DFG::SpeculativeJIT::arrayify):
1955         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1956         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
1957         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
1958         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
1959         (JSC::DFG::SpeculativeJIT::compileSpread):
1960         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1961         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1962         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
1963         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
1964         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
1965         * dfg/DFGSpeculativeJIT64.cpp:
1966         (JSC::DFG::SpeculativeJIT::compile):
1967         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
1968         * dfg/DFGTierUpCheckInjectionPhase.cpp:
1969         (JSC::DFG::TierUpCheckInjectionPhase::run):
1970         * dfg/DFGWorklist.cpp:
1971         (JSC::DFG::Worklist::markCodeBlocks):
1972         (JSC::DFG::Worklist::rememberCodeBlocks):
1973         (JSC::DFG::markCodeBlocks):
1974         (JSC::DFG::completeAllPlansForVM):
1975         (JSC::DFG::rememberCodeBlocks):
1976         * dfg/DFGWorklist.h:
1977         * ftl/FTLAbstractHeapRepository.cpp:
1978         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
1979         (JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions):
1980         * ftl/FTLAbstractHeapRepository.h:
1981         * ftl/FTLJITCode.cpp:
1982         (JSC::FTL::JITCode::~JITCode):
1983         * ftl/FTLLowerDFGToB3.cpp:
1984         (JSC::FTL::DFG::LowerDFGToB3::compilePutStructure):
1985         (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
1986         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
1987         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
1988         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
1989         (JSC::FTL::DFG::LowerDFGToB3::compileNewObject):
1990         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
1991         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
1992         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
1993         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
1994         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
1995         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
1996         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1997         (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
1998         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1999         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
2000         (JSC::FTL::DFG::LowerDFGToB3::splatWords):
2001         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
2002         (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
2003         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2004         (JSC::FTL::DFG::LowerDFGToB3::isArrayType):
2005         (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
2006         (JSC::FTL::DFG::LowerDFGToB3::mutatorFence):
2007         (JSC::FTL::DFG::LowerDFGToB3::setButterfly):
2008         * ftl/FTLOSRExitCompiler.cpp:
2009         (JSC::FTL::compileStub):
2010         * ftl/FTLOutput.cpp:
2011         (JSC::FTL::Output::signExt32ToPtr):
2012         (JSC::FTL::Output::fence):
2013         * ftl/FTLOutput.h:
2014         * heap/CellState.h:
2015         * heap/GCSegmentedArray.h:
2016         * heap/Heap.cpp:
2017         (JSC::Heap::ResumeTheWorldScope::ResumeTheWorldScope):
2018         (JSC::Heap::ResumeTheWorldScope::~ResumeTheWorldScope):
2019         (JSC::Heap::Heap):
2020         (JSC::Heap::~Heap):
2021         (JSC::Heap::harvestWeakReferences):
2022         (JSC::Heap::finalizeUnconditionalFinalizers):
2023         (JSC::Heap::completeAllJITPlans):
2024         (JSC::Heap::markToFixpoint):
2025         (JSC::Heap::gatherStackRoots):
2026         (JSC::Heap::beginMarking):
2027         (JSC::Heap::visitConservativeRoots):
2028         (JSC::Heap::visitCompilerWorklistWeakReferences):
2029         (JSC::Heap::updateObjectCounts):
2030         (JSC::Heap::endMarking):
2031         (JSC::Heap::addToRememberedSet):
2032         (JSC::Heap::collectInThread):
2033         (JSC::Heap::stopTheWorld):
2034         (JSC::Heap::resumeTheWorld):
2035         (JSC::Heap::setGCDidJIT):
2036         (JSC::Heap::setNeedFinalize):
2037         (JSC::Heap::setMutatorWaiting):
2038         (JSC::Heap::clearMutatorWaiting):
2039         (JSC::Heap::finalize):
2040         (JSC::Heap::flushWriteBarrierBuffer):
2041         (JSC::Heap::writeBarrierSlowPath):
2042         (JSC::Heap::canCollect):
2043         (JSC::Heap::reportExtraMemoryVisited):
2044         (JSC::Heap::reportExternalMemoryVisited):
2045         (JSC::Heap::notifyIsSafeToCollect):
2046         (JSC::Heap::markRoots): Deleted.
2047         (JSC::Heap::visitExternalRememberedSet): Deleted.
2048         (JSC::Heap::visitSmallStrings): Deleted.
2049         (JSC::Heap::visitProtectedObjects): Deleted.
2050         (JSC::Heap::visitArgumentBuffers): Deleted.
2051         (JSC::Heap::visitException): Deleted.
2052         (JSC::Heap::visitStrongHandles): Deleted.
2053         (JSC::Heap::visitHandleStack): Deleted.
2054         (JSC::Heap::visitSamplingProfiler): Deleted.
2055         (JSC::Heap::visitTypeProfiler): Deleted.
2056         (JSC::Heap::visitShadowChicken): Deleted.
2057         (JSC::Heap::traceCodeBlocksAndJITStubRoutines): Deleted.
2058         (JSC::Heap::visitWeakHandles): Deleted.
2059         (JSC::Heap::flushOldStructureIDTables): Deleted.
2060         (JSC::Heap::stopAllocation): Deleted.
2061         * heap/Heap.h:
2062         (JSC::Heap::collectorSlotVisitor):
2063         (JSC::Heap::mutatorMarkStack):
2064         (JSC::Heap::mutatorShouldBeFenced):
2065         (JSC::Heap::addressOfMutatorShouldBeFenced):
2066         (JSC::Heap::slotVisitor): Deleted.
2067         (JSC::Heap::notifyIsSafeToCollect): Deleted.
2068         (JSC::Heap::barrierShouldBeFenced): Deleted.
2069         (JSC::Heap::addressOfBarrierShouldBeFenced): Deleted.
2070         * heap/MarkStack.cpp:
2071         (JSC::MarkStackArray::transferTo):
2072         * heap/MarkStack.h:
2073         * heap/MarkedAllocator.cpp:
2074         (JSC::MarkedAllocator::tryAllocateIn):
2075         * heap/MarkedBlock.cpp:
2076         (JSC::MarkedBlock::MarkedBlock):
2077         (JSC::MarkedBlock::Handle::specializedSweep):
2078         (JSC::MarkedBlock::Handle::sweep):
2079         (JSC::MarkedBlock::Handle::sweepHelperSelectMarksMode):
2080         (JSC::MarkedBlock::Handle::stopAllocating):
2081         (JSC::MarkedBlock::Handle::resumeAllocating):
2082         (JSC::MarkedBlock::aboutToMarkSlow):
2083         (JSC::MarkedBlock::Handle::didConsumeFreeList):
2084         (JSC::SetNewlyAllocatedFunctor::SetNewlyAllocatedFunctor): Deleted.
2085         (JSC::SetNewlyAllocatedFunctor::operator()): Deleted.
2086         * heap/MarkedBlock.h:
2087         * heap/MarkedSpace.cpp:
2088         (JSC::MarkedSpace::resumeAllocating):
2089         * heap/SlotVisitor.cpp:
2090         (JSC::SlotVisitor::SlotVisitor):
2091         (JSC::SlotVisitor::~SlotVisitor):
2092         (JSC::SlotVisitor::reset):
2093         (JSC::SlotVisitor::clearMarkStacks):
2094         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
2095         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
2096         (JSC::SlotVisitor::appendToMarkStack):
2097         (JSC::SlotVisitor::appendToMutatorMarkStack):
2098         (JSC::SlotVisitor::visitChildren):
2099         (JSC::SlotVisitor::donateKnownParallel):
2100         (JSC::SlotVisitor::drain):
2101         (JSC::SlotVisitor::drainFromShared):
2102         (JSC::SlotVisitor::containsOpaqueRoot):
2103         (JSC::SlotVisitor::donateAndDrain):
2104         (JSC::SlotVisitor::mergeOpaqueRoots):
2105         (JSC::SlotVisitor::dump):
2106         (JSC::SlotVisitor::clearMarkStack): Deleted.
2107         (JSC::SlotVisitor::opaqueRootCount): Deleted.
2108         * heap/SlotVisitor.h:
2109         (JSC::SlotVisitor::collectorMarkStack):
2110         (JSC::SlotVisitor::mutatorMarkStack):
2111         (JSC::SlotVisitor::isEmpty):
2112         (JSC::SlotVisitor::bytesVisited):
2113         (JSC::SlotVisitor::markStack): Deleted.
2114         (JSC::SlotVisitor::bytesCopied): Deleted.
2115         * heap/SlotVisitorInlines.h:
2116         (JSC::SlotVisitor::reportExtraMemoryVisited):
2117         (JSC::SlotVisitor::reportExternalMemoryVisited):
2118         * jit/AssemblyHelpers.cpp:
2119         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
2120         * jit/AssemblyHelpers.h:
2121         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
2122         (JSC::AssemblyHelpers::barrierStoreLoadFence):
2123         (JSC::AssemblyHelpers::mutatorFence):
2124         (JSC::AssemblyHelpers::storeButterfly):
2125         (JSC::AssemblyHelpers::jumpIfMutatorFenceNotNeeded):
2126         (JSC::AssemblyHelpers::emitInitializeInlineStorage):
2127         (JSC::AssemblyHelpers::emitInitializeOutOfLineStorage):
2128         (JSC::AssemblyHelpers::jumpIfBarrierStoreLoadFenceNotNeeded): Deleted.
2129         * jit/JITInlines.h:
2130         (JSC::JIT::emitArrayProfilingSiteWithCell):
2131         * jit/JITOperations.cpp:
2132         * jit/JITPropertyAccess.cpp:
2133         (JSC::JIT::emit_op_put_to_scope):
2134         (JSC::JIT::emit_op_put_to_arguments):
2135         * llint/LLIntData.cpp:
2136         (JSC::LLInt::Data::performAssertions):
2137         * llint/LowLevelInterpreter.asm:
2138         * llint/LowLevelInterpreter64.asm:
2139         * runtime/ButterflyInlines.h:
2140         (JSC::Butterfly::create):
2141         (JSC::Butterfly::createOrGrowPropertyStorage):
2142         * runtime/ConcurrentJITLock.h:
2143         (JSC::GCSafeConcurrentJITLocker::NoDefer::NoDefer): Deleted.
2144         * runtime/GenericArgumentsInlines.h:
2145         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
2146         (JSC::GenericArguments<Type>::putByIndex):
2147         * runtime/IndexingType.h:
2148         * runtime/JSArray.cpp:
2149         (JSC::JSArray::unshiftCountSlowCase):
2150         (JSC::JSArray::unshiftCountWithArrayStorage):
2151         * runtime/JSCell.h:
2152         (JSC::JSCell::InternalLocker::InternalLocker):
2153         (JSC::JSCell::InternalLocker::~InternalLocker):
2154         (JSC::JSCell::atomicCompareExchangeCellStateWeakRelaxed):
2155         (JSC::JSCell::atomicCompareExchangeCellStateStrong):
2156         (JSC::JSCell::indexingTypeAndMiscOffset):
2157         (JSC::JSCell::indexingTypeOffset): Deleted.
2158         * runtime/JSCellInlines.h:
2159         (JSC::JSCell::JSCell):
2160         (JSC::JSCell::finishCreation):
2161         (JSC::JSCell::indexingTypeAndMisc):
2162         (JSC::JSCell::indexingType):
2163         (JSC::JSCell::setStructure):
2164         (JSC::JSCell::callDestructor):
2165         (JSC::JSCell::lockInternalLock):
2166         (JSC::JSCell::unlockInternalLock):
2167         * runtime/JSObject.cpp:
2168         (JSC::JSObject::visitButterfly):
2169         (JSC::JSObject::visitChildren):
2170         (JSC::JSFinalObject::visitChildren):
2171         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
2172         (JSC::JSObject::createInitialUndecided):
2173         (JSC::JSObject::createInitialInt32):
2174         (JSC::JSObject::createInitialDouble):
2175         (JSC::JSObject::createInitialContiguous):
2176         (JSC::JSObject::createArrayStorage):
2177         (JSC::JSObject::convertUndecidedToArrayStorage):
2178         (JSC::JSObject::convertInt32ToArrayStorage):
2179         (JSC::JSObject::convertDoubleToArrayStorage):
2180         (JSC::JSObject::convertContiguousToArrayStorage):
2181         (JSC::JSObject::deleteProperty):
2182         (JSC::JSObject::defineOwnIndexedProperty):
2183         (JSC::JSObject::increaseVectorLength):
2184         (JSC::JSObject::ensureLengthSlow):
2185         (JSC::JSObject::reallocateAndShrinkButterfly):
2186         (JSC::JSObject::allocateMoreOutOfLineStorage):
2187         (JSC::JSObject::shiftButterflyAfterFlattening):
2188         (JSC::JSObject::growOutOfLineStorage): Deleted.
2189         * runtime/JSObject.h:
2190         (JSC::JSFinalObject::JSFinalObject):
2191         (JSC::JSObject::setButterfly):
2192         (JSC::JSObject::getOwnNonIndexPropertySlot):
2193         (JSC::JSObject::fillCustomGetterPropertySlot):
2194         (JSC::JSObject::getOwnPropertySlot):
2195         (JSC::JSObject::getPropertySlot):
2196         (JSC::JSObject::setStructureAndButterfly): Deleted.
2197         (JSC::JSObject::setButterflyWithoutChangingStructure): Deleted.
2198         (JSC::JSObject::putDirectInternal): Deleted.
2199         (JSC::JSObject::putDirectWithoutTransition): Deleted.
2200         * runtime/JSObjectInlines.h:
2201         (JSC::JSObject::getPropertySlot):
2202         (JSC::JSObject::getNonIndexPropertySlot):
2203         (JSC::JSObject::putDirectWithoutTransition):
2204         (JSC::JSObject::putDirectInternal):
2205         * runtime/Options.h:
2206         * runtime/SparseArrayValueMap.h:
2207         * runtime/Structure.cpp:
2208         (JSC::Structure::dumpStatistics):
2209         (JSC::Structure::findStructuresAndMapForMaterialization):
2210         (JSC::Structure::materializePropertyTable):
2211         (JSC::Structure::addNewPropertyTransition):
2212         (JSC::Structure::changePrototypeTransition):
2213         (JSC::Structure::attributeChangeTransition):
2214         (JSC::Structure::toDictionaryTransition):
2215         (JSC::Structure::takePropertyTableOrCloneIfPinned):
2216         (JSC::Structure::nonPropertyTransition):
2217         (JSC::Structure::isSealed):
2218         (JSC::Structure::isFrozen):
2219         (JSC::Structure::flattenDictionaryStructure):
2220         (JSC::Structure::pin):
2221         (JSC::Structure::pinForCaching):
2222         (JSC::Structure::willStoreValueSlow):
2223         (JSC::Structure::copyPropertyTableForPinning):
2224         (JSC::Structure::add):
2225         (JSC::Structure::remove):
2226         (JSC::Structure::getPropertyNamesFromStructure):
2227         (JSC::Structure::visitChildren):
2228         (JSC::Structure::materializePropertyMap): Deleted.
2229         (JSC::Structure::addPropertyWithoutTransition): Deleted.
2230         (JSC::Structure::removePropertyWithoutTransition): Deleted.
2231         (JSC::Structure::copyPropertyTable): Deleted.
2232         (JSC::Structure::createPropertyMap): Deleted.
2233         (JSC::PropertyTable::checkConsistency): Deleted.
2234         (JSC::Structure::checkConsistency): Deleted.
2235         * runtime/Structure.h:
2236         * runtime/StructureIDBlob.h:
2237         (JSC::StructureIDBlob::StructureIDBlob):
2238         (JSC::StructureIDBlob::indexingTypeIncludingHistory):
2239         (JSC::StructureIDBlob::setIndexingTypeIncludingHistory):
2240         (JSC::StructureIDBlob::indexingTypeIncludingHistoryOffset):
2241         (JSC::StructureIDBlob::indexingType): Deleted.
2242         (JSC::StructureIDBlob::setIndexingType): Deleted.
2243         (JSC::StructureIDBlob::indexingTypeOffset): Deleted.
2244         * runtime/StructureInlines.h:
2245         (JSC::Structure::get):
2246         (JSC::Structure::checkOffsetConsistency):
2247         (JSC::Structure::checkConsistency):
2248         (JSC::Structure::add):
2249         (JSC::Structure::remove):
2250         (JSC::Structure::addPropertyWithoutTransition):
2251         (JSC::Structure::removePropertyWithoutTransition):
2252         (JSC::Structure::setPropertyTable):
2253         (JSC::Structure::putWillGrowOutOfLineStorage): Deleted.
2254         (JSC::Structure::propertyTable): Deleted.
2255         (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Deleted.
2256
2257 2016-11-14  Keith Miller  <keith_miller@apple.com>
2258
2259         Add Wasm select
2260         https://bugs.webkit.org/show_bug.cgi?id=164743
2261
2262         Reviewed by Saam Barati.
2263
2264         Also, this patch fixes an issue with the jsc.cpp test harness where negative numbers would be sign extended
2265         when they shouldn't be.
2266
2267         * jsc.cpp:
2268         (box):
2269         * wasm/WasmB3IRGenerator.cpp:
2270         * wasm/WasmFunctionParser.h:
2271         (JSC::Wasm::FunctionParser<Context>::parseExpression):
2272         * wasm/WasmValidate.cpp:
2273         (JSC::Wasm::Validate::addSelect):
2274
2275 2016-11-11  Geoffrey Garen  <ggaren@apple.com>
2276
2277         JSC should distinguish between local and global eval
2278         https://bugs.webkit.org/show_bug.cgi?id=164628
2279
2280         Reviewed by Saam Barati.
2281
2282         Local use of the 'eval' keyword and invocation of the global window.eval
2283         function are distinct operations in JavaScript.
2284
2285         This patch splits out LocalEvalExecutable vs GlobalEvalExecutable in
2286         order to help distinguish these operations in code.
2287
2288         Our code used to do some silly things for lack of distinguishing these
2289         cases. For example, it would double cache local eval in CodeCache and
2290         EvalCodeCache. This made CodeCache seem more complicated than it really
2291         was.
2292
2293         * CMakeLists.txt:
2294         * JavaScriptCore.xcodeproj/project.pbxproj: Added some files.
2295
2296         * bytecode/CodeBlock.h:
2297
2298         * bytecode/EvalCodeCache.h:
2299         (JSC::EvalCodeCache::tryGet):
2300         (JSC::EvalCodeCache::set):
2301         (JSC::EvalCodeCache::getSlow): Deleted. Moved code generation out of
2302         the cache to avoid tight coupling. Now the cache just caches.
2303
2304         * bytecode/UnlinkedEvalCodeBlock.h:
2305         * bytecode/UnlinkedFunctionExecutable.cpp:
2306         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
2307         * bytecode/UnlinkedModuleProgramCodeBlock.h:
2308         * bytecode/UnlinkedProgramCodeBlock.h:
2309         * debugger/DebuggerCallFrame.cpp:
2310         (JSC::DebuggerCallFrame::evaluateWithScopeExtension): Updated for interface
2311         changes.
2312
2313         * interpreter/Interpreter.cpp:
2314         (JSC::eval): Moved code generation here so the cache didn't need to build
2315         it in.
2316
2317         * llint/LLIntOffsetsExtractor.cpp:
2318
2319         * runtime/CodeCache.cpp:
2320         (JSC::CodeCache::getUnlinkedGlobalCodeBlock): No need to check for TDZ
2321         variables any more. We only cache global programs, and global variable
2322         access always does TDZ checks.
2323
2324         (JSC::CodeCache::getUnlinkedProgramCodeBlock):
2325         (JSC::CodeCache::getUnlinkedGlobalEvalCodeBlock):
2326         (JSC::CodeCache::getUnlinkedModuleProgramCodeBlock):
2327         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
2328
2329         (JSC::CodeCache::CodeCache): Deleted.
2330         (JSC::CodeCache::~CodeCache): Deleted.
2331         (JSC::CodeCache::getGlobalCodeBlock): Deleted.
2332         (JSC::CodeCache::getProgramCodeBlock): Deleted.
2333         (JSC::CodeCache::getEvalCodeBlock): Deleted.
2334         (JSC::CodeCache::getModuleProgramCodeBlock): Deleted.
2335         (JSC::CodeCache::getFunctionExecutableFromGlobalCode): Deleted.
2336
2337         * runtime/CodeCache.h:
2338         (JSC::CodeCache::clear):
2339         (JSC::generateUnlinkedCodeBlock): Moved unlinked code block creation
2340         out of the CodeCache class and into a stand-alone function because
2341         we need it for local eval, which does not live in CodeCache.
2342
2343         * runtime/EvalExecutable.cpp:
2344         (JSC::EvalExecutable::create): Deleted.
2345         * runtime/EvalExecutable.h:
2346         (): Deleted.
2347         * runtime/GlobalEvalExecutable.cpp: Added.
2348         (JSC::GlobalEvalExecutable::create):
2349         (JSC::GlobalEvalExecutable::GlobalEvalExecutable):
2350         * runtime/GlobalEvalExecutable.h: Added.
2351         * runtime/LocalEvalExecutable.cpp: Added.
2352         (JSC::LocalEvalExecutable::create):
2353         (JSC::LocalEvalExecutable::LocalEvalExecutable):
2354         * runtime/LocalEvalExecutable.h: Added. Split out Local vs Global
2355         EvalExecutable classes to distinguish these operations in code. The key
2356         difference is that LocalEvalExecutable does not live in the CodeCache
2357         and only lives in the EvalCodeCache.
2358
2359         * runtime/JSGlobalObject.cpp:
2360         (JSC::JSGlobalObject::createProgramCodeBlock):
2361         (JSC::JSGlobalObject::createLocalEvalCodeBlock):
2362         (JSC::JSGlobalObject::createGlobalEvalCodeBlock):
2363         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
2364         (JSC::JSGlobalObject::createEvalCodeBlock): Deleted.
2365         * runtime/JSGlobalObject.h:
2366         * runtime/JSGlobalObjectFunctions.cpp:
2367         (JSC::globalFuncEval):
2368
2369         * runtime/JSScope.cpp:
2370         (JSC::JSScope::collectClosureVariablesUnderTDZ):
2371         (JSC::JSScope::collectVariablesUnderTDZ): Deleted. We don't include
2372         global lexical variables in our concept of TDZ scopes anymore. Global
2373         variable access always does TDZ checks unconditionally. So, only closure
2374         scope accesses give specific consideration to TDZ checks.
2375
2376         * runtime/JSScope.h:
2377
2378 2016-11-14  Caitlin Potter  <caitp@igalia.com>
2379
2380         [JSC] Handle new_async_func / new_async_func_exp in DFG / FTL
2381         https://bugs.webkit.org/show_bug.cgi?id=164037
2382
2383         Reviewed by Yusuke Suzuki.
2384
2385         This patch introduces new_async_func / new_async_func_exp into DFG and FTL,
2386         in much the same capacity that https://trac.webkit.org/changeset/194216 added
2387         DFG / FTL support for generators: by adding new DFG nodes (NewAsyncFunction and
2388         PhantomNewAsyncFunction), rather than extending the existing NewFunction node type.
2389
2390         Like NewFunction and PhantomNewFunction, and the Generator variants, allocation of
2391         async wrapper functions may be deferred or eliminated during the allocation sinking
2392         phase.
2393
2394         * dfg/DFGAbstractInterpreterInlines.h:
2395         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2396         * dfg/DFGByteCodeParser.cpp:
2397         (JSC::DFG::ByteCodeParser::parseBlock):
2398         * dfg/DFGCapabilities.cpp:
2399         (JSC::DFG::capabilityLevel):
2400         * dfg/DFGClobberize.h:
2401         (JSC::DFG::clobberize):
2402         * dfg/DFGClobbersExitState.cpp:
2403         (JSC::DFG::clobbersExitState):
2404         * dfg/DFGDoesGC.cpp:
2405         (JSC::DFG::doesGC):
2406         * dfg/DFGFixupPhase.cpp:
2407         (JSC::DFG::FixupPhase::fixupNode):
2408         * dfg/DFGMayExit.cpp:
2409         * dfg/DFGNode.h:
2410         (JSC::DFG::Node::convertToPhantomNewFunction):
2411         (JSC::DFG::Node::convertToPhantomNewAsyncFunction):
2412         (JSC::DFG::Node::hasCellOperand):
2413         (JSC::DFG::Node::isFunctionAllocation):
2414         (JSC::DFG::Node::isPhantomFunctionAllocation):
2415         (JSC::DFG::Node::isPhantomAllocation):
2416         * dfg/DFGNodeType.h:
2417         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2418         * dfg/DFGPredictionPropagationPhase.cpp:
2419         * dfg/DFGSafeToExecute.h:
2420         (JSC::DFG::safeToExecute):
2421         * dfg/DFGSpeculativeJIT.cpp:
2422         (JSC::DFG::SpeculativeJIT::compileNewFunction):
2423         * dfg/DFGSpeculativeJIT32_64.cpp:
2424         (JSC::DFG::SpeculativeJIT::compile):
2425         * dfg/DFGSpeculativeJIT64.cpp:
2426         (JSC::DFG::SpeculativeJIT::compile):
2427         * dfg/DFGStoreBarrierInsertionPhase.cpp:
2428         * dfg/DFGStructureRegistrationPhase.cpp:
2429         (JSC::DFG::StructureRegistrationPhase::run):
2430         * dfg/DFGValidate.cpp:
2431         * ftl/FTLCapabilities.cpp:
2432         (JSC::FTL::canCompile):
2433         * ftl/FTLLowerDFGToB3.cpp:
2434         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2435         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
2436         * ftl/FTLOperations.cpp:
2437         (JSC::FTL::operationPopulateObjectInOSR):
2438         (JSC::FTL::operationMaterializeObjectInOSR):
2439         * runtime/JSGlobalObject.cpp:
2440         (JSC::JSGlobalObject::init):
2441         (JSC::JSGlobalObject::visitChildren):
2442         * runtime/JSGlobalObject.h:
2443         (JSC::JSGlobalObject::asyncFunctionPrototype):
2444         (JSC::JSGlobalObject::asyncFunctionStructure):
2445         (JSC::JSGlobalObject::lazyAsyncFunctionStructure): Deleted.
2446         (JSC::JSGlobalObject::asyncFunctionPrototypeConcurrently): Deleted.
2447         (JSC::JSGlobalObject::asyncFunctionStructureConcurrently): Deleted.
2448
2449 2016-11-14  Mark Lam  <mark.lam@apple.com>
2450
2451         Some of JSStringView::SafeView methods are not idiomatically safe for JSString to StringView conversions.
2452         https://bugs.webkit.org/show_bug.cgi?id=164701
2453         <rdar://problem/27462104>
2454
2455         Reviewed by Darin Adler.
2456
2457         The characters8(), characters16(), and operator[] in JSString::SafeView convert
2458         the underlying JSString to a StringView via get(), and then uses the StringView
2459         without first checking if an exception was thrown during the conversion.  This is
2460         unsafe because the conversion may have failed.
2461
2462         Instead, we should remove these 3 convenience methods, and make the caller
2463         explicitly call get() and do the appropriate exception checks before using the
2464         StringView.
2465
2466         * runtime/JSGlobalObjectFunctions.cpp:
2467         (JSC::toStringView):
2468         (JSC::encode):
2469         (JSC::decode):
2470         (JSC::globalFuncParseInt):
2471         (JSC::globalFuncEscape):
2472         (JSC::globalFuncUnescape):
2473         (JSC::toSafeView): Deleted.
2474         * runtime/JSONObject.cpp:
2475         (JSC::JSONProtoFuncParse):
2476         * runtime/JSString.h:
2477         (JSC::JSString::SafeView::length):
2478         (JSC::JSString::SafeView::characters8): Deleted.
2479         (JSC::JSString::SafeView::characters16): Deleted.
2480         (JSC::JSString::SafeView::operator[]): Deleted.
2481         * runtime/StringPrototype.cpp:
2482         (JSC::stringProtoFuncRepeatCharacter):
2483         (JSC::stringProtoFuncCharAt):
2484         (JSC::stringProtoFuncCharCodeAt):
2485         (JSC::stringProtoFuncNormalize):
2486
2487 2016-11-14  Mark Lam  <mark.lam@apple.com>
2488
2489         RegExpObject::exec/match should handle errors gracefully.
2490         https://bugs.webkit.org/show_bug.cgi?id=155145
2491         <rdar://problem/27435934>
2492
2493         Reviewed by Keith Miller.
2494
2495         1. Added some missing exception checks to RegExpObject::execInline() and
2496            RegExpObject::matchInline().
2497         2. Updated related code to work with ExceptionScope verification requirements.
2498
2499         * dfg/DFGOperations.cpp:
2500         * runtime/RegExpObjectInlines.h:
2501         (JSC::RegExpObject::execInline):
2502         (JSC::RegExpObject::matchInline):
2503         * runtime/RegExpPrototype.cpp:
2504         (JSC::regExpProtoFuncTestFast):
2505         (JSC::regExpProtoFuncExec):
2506         (JSC::regExpProtoFuncMatchFast):
2507
2508 2016-11-13  Mark Lam  <mark.lam@apple.com>
2509
2510         Add debugging facility to limit the max single allocation size.
2511         https://bugs.webkit.org/show_bug.cgi?id=164681
2512
2513         Reviewed by Keith Miller.
2514
2515         Added JSC option to set FastMalloc's maxSingleAllocationSize for testing purposes.
2516         This option is only available on Debug builds.
2517
2518         * runtime/Options.cpp:
2519         (JSC::Options::isAvailable):
2520         (JSC::recomputeDependentOptions):
2521         * runtime/Options.h:
2522
2523 2016-11-12  Joseph Pecoraro  <pecoraro@apple.com>
2524
2525         Follow-up fix to r208639.
2526
2527         Unreviewed fix. This is a straightforward change where I forgot to
2528         switch from uncheckedArgument() to argument() in one case after
2529         dropping an argumentCount check. All other cases do this properly.
2530         This addresses an ASSERT seen on the bots running tests.
2531
2532         * runtime/JSDataViewPrototype.cpp:
2533         (JSC::setData):
2534
2535 2016-11-11  Joseph Pecoraro  <pecoraro@apple.com>
2536
2537         test262: DataView with explicit undefined byteLength should be the same as it not being present
2538         https://bugs.webkit.org/show_bug.cgi?id=164453
2539
2540         Reviewed by Darin Adler.
2541
2542         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2543         (JSC::constructGenericTypedArrayView):
2544         Handle the special case of DataView construction with an undefined byteLength value.
2545
2546 2016-11-11  Joseph Pecoraro  <pecoraro@apple.com>
2547
2548         test262: DataView get methods should allow for missing offset, set methods should allow for missing value
2549         https://bugs.webkit.org/show_bug.cgi?id=164451
2550
2551         Reviewed by Darin Adler.
2552
2553         * runtime/JSDataViewPrototype.cpp:
2554         (JSC::getData):
2555         Missing offset is still valid and will be coerced to 0.
2556
2557         (JSC::setData):
2558         Missing value is still valid and will be coerced to 0.
2559
2560 2016-11-11  Saam Barati  <sbarati@apple.com>
2561
2562         We should have a more concise way of determining when we're varargs calling a function using rest parameters
2563         https://bugs.webkit.org/show_bug.cgi?id=164258
2564
2565         Reviewed by Yusuke Suzuki.
2566
2567         This patch adds two new bytecodes and DFG nodes for the following code patterns:
2568
2569         ```
2570         foo(a, b, ...c)
2571         let x = [a, b, ...c];
2572         ```
2573
2574         To do this, I've introduced two new bytecode operations (and their
2575         corresponding DFG nodes):
2576
2577         op_spread and op_new_array_with_spread.
2578
2579         op_spread takes a single input and performs the ES6 iteration protocol on it.
2580         It returns the result of doing the spread inside a new class I've
2581         made called JSFixedArray. JSFixedArray is a cell with a single 'size'
2582         field and a buffer of values allocated inline in the cell. Abstracting
2583         the protocol into a single node is good because it will make IR analysis
2584         in the future much simpler. For now, it's also good because it allows
2585         us to create fast paths for array iteration (which is quite common).
2586         This fast path allows us to emit really good code for array iteration
2587         inside the DFG/FTL.
2588
2589         op_new_array_with_spread is a variable argument bytecode that also
2590         has a bit vector associated with it. The bit vector indicates if
2591         any particular argument is to be spread or not. Arguments that
2592         are spread are known to be JSFixedArray because we must emit an
2593         op_spread before op_new_array_with_spread consumes the value.
2594         For example, for this array:
2595         [a, b, ...c, d, ...e]
2596         we will have this bit vector:
2597         [0, 0, 1, 0, 1]
2598
2599         The reason I've chosen this IR is that it will make eliminating
2600         a rest allocation for this type of code much easier:
2601
2602         ```
2603         function foo(...args) {
2604             return bar(a, b, ...args);
2605         }
2606         ```
2607
2608         It will be easier to analyze the IR now that the operations
2609         will be described at a high level.
2610
2611         This patch is an ~8% speedup on ES6SampleBench on my MBP.
2612
2613         * CMakeLists.txt:
2614         * DerivedSources.make:
2615         * JavaScriptCore.xcodeproj/project.pbxproj:
2616         * builtins/IteratorHelpers.js: Added.
2617         (performIteration):
2618         * bytecode/BytecodeList.json:
2619         * bytecode/BytecodeUseDef.h:
2620         (JSC::computeUsesForBytecodeOffset):
2621         (JSC::computeDefsForBytecodeOffset):
2622         * bytecode/CodeBlock.cpp:
2623         (JSC::CodeBlock::dumpBytecode):
2624         * bytecode/ObjectPropertyConditionSet.cpp:
2625         (JSC::generateConditionForSelfEquivalence):
2626         * bytecode/ObjectPropertyConditionSet.h:
2627         * bytecode/TrackedReferences.cpp:
2628         (JSC::TrackedReferences::check):
2629         * bytecode/UnlinkedCodeBlock.h:
2630         (JSC::UnlinkedCodeBlock::bitVectors):
2631         (JSC::UnlinkedCodeBlock::bitVector):
2632         (JSC::UnlinkedCodeBlock::addBitVector):
2633         (JSC::UnlinkedCodeBlock::shrinkToFit):
2634         * bytecompiler/BytecodeGenerator.cpp:
2635         (JSC::BytecodeGenerator::emitNewArrayWithSpread):
2636         * bytecompiler/BytecodeGenerator.h:
2637         * bytecompiler/NodesCodegen.cpp:
2638         (JSC::ArrayNode::emitBytecode):
2639         * dfg/DFGAbstractInterpreterInlines.h:
2640         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2641         * dfg/DFGByteCodeParser.cpp:
2642         (JSC::DFG::ByteCodeParser::addToGraph):
2643         (JSC::DFG::ByteCodeParser::parseBlock):
2644         * dfg/DFGCapabilities.cpp:
2645         (JSC::DFG::capabilityLevel):
2646         * dfg/DFGClobberize.h:
2647         (JSC::DFG::clobberize):
2648         * dfg/DFGDoesGC.cpp:
2649         (JSC::DFG::doesGC):
2650         * dfg/DFGFixupPhase.cpp:
2651         (JSC::DFG::FixupPhase::fixupNode):
2652         (JSC::DFG::FixupPhase::watchHavingABadTime):
2653         * dfg/DFGGraph.h:
2654         (JSC::DFG::Graph::isWatchingArrayIteratorProtocolWatchpoint):
2655         * dfg/DFGNode.h:
2656         (JSC::DFG::Node::bitVector):
2657         * dfg/DFGNodeType.h:
2658         * dfg/DFGOperations.cpp:
2659         * dfg/DFGOperations.h:
2660         * dfg/DFGPredictionPropagationPhase.cpp:
2661         * dfg/DFGSafeToExecute.h:
2662         (JSC::DFG::safeToExecute):
2663         * dfg/DFGSpeculativeJIT.cpp:
2664         (JSC::DFG::SpeculativeJIT::compileSpread):
2665         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
2666         * dfg/DFGSpeculativeJIT.h:
2667         (JSC::DFG::SpeculativeJIT::callOperation):
2668         * dfg/DFGSpeculativeJIT32_64.cpp:
2669         (JSC::DFG::SpeculativeJIT::compile):
2670         * dfg/DFGSpeculativeJIT64.cpp:
2671         (JSC::DFG::SpeculativeJIT::compile):
2672         * dfg/DFGStructureRegistrationPhase.cpp:
2673         (JSC::DFG::StructureRegistrationPhase::run):
2674         * ftl/FTLAbstractHeapRepository.h:
2675         * ftl/FTLCapabilities.cpp:
2676         (JSC::FTL::canCompile):
2677         * ftl/FTLLowerDFGToB3.cpp:
2678         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2679         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
2680         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
2681         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
2682         * jit/AssemblyHelpers.h:
2683         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
2684         (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
2685         * jit/JIT.cpp:
2686         (JSC::JIT::privateCompileMainPass):
2687         * jit/JIT.h:
2688         * jit/JITOpcodes.cpp:
2689         (JSC::JIT::emit_op_new_array_with_spread):
2690         (JSC::JIT::emit_op_spread):
2691         * jit/JITOperations.h:
2692         * llint/LLIntData.cpp:
2693         (JSC::LLInt::Data::performAssertions):
2694         * llint/LLIntSlowPaths.cpp:
2695         * llint/LowLevelInterpreter.asm:
2696         * runtime/ArrayIteratorAdaptiveWatchpoint.cpp: Added.
2697         (JSC::ArrayIteratorAdaptiveWatchpoint::ArrayIteratorAdaptiveWatchpoint):
2698         (JSC::ArrayIteratorAdaptiveWatchpoint::handleFire):
2699         * runtime/ArrayIteratorAdaptiveWatchpoint.h: Added.
2700         * runtime/CommonSlowPaths.cpp:
2701         (JSC::SLOW_PATH_DECL):
2702         * runtime/CommonSlowPaths.h:
2703         * runtime/IteratorOperations.h:
2704         (JSC::forEachInIterable):
2705         * runtime/JSCInlines.h:
2706         * runtime/JSFixedArray.cpp: Added.
2707         (JSC::JSFixedArray::visitChildren):
2708         * runtime/JSFixedArray.h: Added.
2709         (JSC::JSFixedArray::createStructure):
2710         (JSC::JSFixedArray::createFromArray):
2711         (JSC::JSFixedArray::get):
2712         (JSC::JSFixedArray::buffer):
2713         (JSC::JSFixedArray::size):
2714         (JSC::JSFixedArray::offsetOfSize):
2715         (JSC::JSFixedArray::offsetOfData):
2716         (JSC::JSFixedArray::create):
2717         (JSC::JSFixedArray::JSFixedArray):
2718         (JSC::JSFixedArray::allocationSize):
2719         * runtime/JSGlobalObject.cpp:
2720         (JSC::JSGlobalObject::JSGlobalObject):
2721         (JSC::JSGlobalObject::init):
2722         (JSC::JSGlobalObject::visitChildren):
2723         (JSC::JSGlobalObject::objectPrototypeIsSane): Deleted.
2724         (JSC::JSGlobalObject::arrayPrototypeChainIsSane): Deleted.
2725         (JSC::JSGlobalObject::stringPrototypeChainIsSane): Deleted.
2726         * runtime/JSGlobalObject.h:
2727         (JSC::JSGlobalObject::arrayIteratorProtocolWatchpoint):
2728         (JSC::JSGlobalObject::iteratorProtocolFunction):
2729         * runtime/JSGlobalObjectInlines.h: Added.
2730         (JSC::JSGlobalObject::objectPrototypeIsSane):
2731         (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
2732         (JSC::JSGlobalObject::stringPrototypeChainIsSane):
2733         (JSC::JSGlobalObject::isArrayIteratorProtocolFastAndNonObservable):
2734         * runtime/JSType.h:
2735         * runtime/VM.cpp:
2736         (JSC::VM::VM):
2737         * runtime/VM.h:
2738
2739 2016-11-11  Keith Miller  <keith_miller@apple.com>
2740
2741         Move Wasm tests to JS
2742         https://bugs.webkit.org/show_bug.cgi?id=164611
2743
2744         Reviewed by Geoffrey Garen.
2745
2746         This patch translates most of the tests from testWasm.cpp to the JS testing api. Most of the
2747         omitted tests were the earliest tests, which tested trivial things, like adding two
2748         constants. Some tests are omitted for other reasons, however. These are:
2749
2750         1) Tests using I64 since the testing api does not yet know how to handle 64-bit numbers.
2751         2) Tests that would validate the memory of the module once wasm was done with it since that's
2752         not really possible in JS.
2753
2754         In order to make such a translation easier this patch also adds some features to the JS
2755         testing api:
2756
2757         1) Blocks can now be done lexically by adding a lambda as the last argument of the block
2758         opcode. For example one can do:
2759             ...
2760             .Block("i32", b => b.I32Const(1) )
2761
2762         and the nested lambda will automatically have an end attached.
2763
2764         2) The JS testing api can now handle inline signature types.
2765
2766         3) Relocate some code to make it easier to follow and prevent 44 space indentation.
2767
2768         4) Rename varuint/varint to varuint32/varint32, this lets them be directly called from the
2769         wasm.json without being remapped.
2770
2771         5) Add support for Memory and Function sections to the Builder.
2772
2773         6) Add support for local variables.
2774
2775         On the JSC side, we needed to expose a new function to validate the compiled wasm code
2776         behaves the way we expect. At least until the JS Wasm API is finished. The new validation
2777         function, testWasmModuleFunctions, takes an array buffer containing the wasm binary, the
2778         number of functions in the blob and tests for each of those functions.
2779
2780         * jsc.cpp:
2781         (GlobalObject::finishCreation):
2782         (box):
2783         (callWasmFunction):
2784         (functionTestWasmModuleFunctions):
2785         * testWasm.cpp:
2786         (checkPlan):
2787         (runWasmTests):
2788         * wasm/WasmB3IRGenerator.cpp:
2789         (JSC::Wasm::parseAndCompile):
2790         * wasm/WasmFunctionParser.h:
2791         (JSC::Wasm::FunctionParser<Context>::parse):
2792         (JSC::Wasm::FunctionParser<Context>::parseBody):
2793         (JSC::Wasm::FunctionParser<Context>::parseBlock): Deleted.
2794         * wasm/WasmModuleParser.cpp:
2795         (JSC::Wasm::ModuleParser::parseMemory):
2796         (JSC::Wasm::ModuleParser::parseExport):
2797         * wasm/WasmPlan.cpp:
2798         (JSC::Wasm::Plan::Plan):
2799         (JSC::Wasm::Plan::run):
2800         * wasm/WasmPlan.h:
2801         * wasm/js/WebAssemblyModuleConstructor.cpp:
2802         (JSC::constructJSWebAssemblyModule):
2803
2804 2016-11-11  Saam Barati  <sbarati@apple.com>
2805
2806         Unreviewed try to fix windows build after https://bugs.webkit.org/show_bug.cgi?id=164650
2807
2808         * dfg/DFGByteCodeParser.cpp:
2809         (JSC::DFG::ByteCodeParser::parseBlock):
2810
2811 2016-11-11  Saam Barati  <sbarati@apple.com>
2812
2813         We recursively grab a lock in the DFGBytecodeParser causing us to deadlock
2814         https://bugs.webkit.org/show_bug.cgi?id=164650
2815
2816         Reviewed by Geoffrey Garen.
2817
2818         Some code was incorrectly holding a lock when recursively calling
2819         back into the bytecode parser via inlining a put_by_val as a put_by_id.
2820         This can cause a deadlock if the inlinee CodeBlock is something we're
2821         already holding a lock for. I've changed the range of the lock holder
2822         to be as narrow as possible.
2823
2824         * dfg/DFGByteCodeParser.cpp:
2825         (JSC::DFG::ByteCodeParser::parseBlock):
2826
2827 2016-11-11  Chris Dumez  <cdumez@apple.com>
2828
2829         Unreviewed, rolling out r208584.
2830
2831         Seems to have regressed Speedometer by 1% on Mac
2832
2833         Reverted changeset:
2834
2835         "We should have a more concise way of determining when we're
2836         varargs calling a function using rest parameters"
2837         https://bugs.webkit.org/show_bug.cgi?id=164258
2838         http://trac.webkit.org/changeset/208584
2839
2840 2016-11-11  Chris Dumez  <cdumez@apple.com>
2841
2842         Unreviewed, rolling out r208117 and r208160.
2843
2844         Regressed Speedometer by >1.5%
2845
2846         Reverted changesets:
2847
2848         "We should have a way of profiling when a get_by_id is pure
2849         and to emit a PureGetById in the DFG/FTL"
2850         https://bugs.webkit.org/show_bug.cgi?id=163305
2851         http://trac.webkit.org/changeset/208117
2852
2853         "Debug JSC test microbenchmarks/pure-get-by-id-cse-2.js timing
2854         out"
2855         https://bugs.webkit.org/show_bug.cgi?id=164227
2856         http://trac.webkit.org/changeset/208160
2857
2858 2016-11-11  Saam Barati  <sbarati@apple.com>
2859
2860         We should have a more concise way of determining when we're varargs calling a function using rest parameters
2861         https://bugs.webkit.org/show_bug.cgi?id=164258
2862
2863         Reviewed by Yusuke Suzuki.
2864
2865         This patch adds two new bytecodes and DFG nodes for the following code patterns:
2866
2867         ```
2868         foo(a, b, ...c)
2869         let x = [a, b, ...c];
2870         ```
2871
2872         To do this, I've introduced two new bytecode operations (and their
2873         corresponding DFG nodes):
2874
2875         op_spread and op_new_array_with_spread.
2876
2877         op_spread takes a single input and performs the ES6 iteration protocol on it.
2878         It returns the result of doing the spread inside a new class I've
2879         made called JSFixedArray. JSFixedArray is a cell with a single 'size'
2880         field and a buffer of values allocated inline in the cell. Abstracting
2881         the protocol into a single node is good because it will make IR analysis
2882         in the future much simpler. For now, it's also good because it allows
2883         us to create fast paths for array iteration (which is quite common).
2884         This fast path allows us to emit really good code for array iteration
2885         inside the DFG/FTL.
2886
2887         op_new_array_with_spread is a variable argument bytecode that also
2888         has a bit vector associated with it. The bit vector indicates if
2889         any particular argument is to be spread or not. Arguments that
2890         are spread are known to be JSFixedArray because we must emit an
2891         op_spread before op_new_array_with_spread consumes the value.
2892         For example, for this array:
2893         [a, b, ...c, d, ...e]
2894         we will have this bit vector:
2895         [0, 0, 1, 0, 1]
2896
2897         The reason I've chosen this IR is that it will make eliminating
2898         a rest allocation for this type of code much easier:
2899
2900         ```
2901         function foo(...args) {
2902             return bar(a, b, ...args);
2903         }
2904         ```
2905
2906         It will be easier to analyze the IR now that the operations
2907         will be described at a high level.
2908
2909         This patch is an ~8% speedup on ES6SampleBench on my MBP.
2910
2911         * CMakeLists.txt:
2912         * DerivedSources.make:
2913         * JavaScriptCore.xcodeproj/project.pbxproj:
2914         * builtins/IteratorHelpers.js: Added.
2915         (performIteration):
2916         * bytecode/BytecodeList.json:
2917         * bytecode/BytecodeUseDef.h:
2918         (JSC::computeUsesForBytecodeOffset):
2919         (JSC::computeDefsForBytecodeOffset):
2920         * bytecode/CodeBlock.cpp:
2921         (JSC::CodeBlock::dumpBytecode):
2922         * bytecode/ObjectPropertyConditionSet.cpp:
2923         (JSC::generateConditionForSelfEquivalence):
2924         * bytecode/ObjectPropertyConditionSet.h:
2925         * bytecode/TrackedReferences.cpp:
2926         (JSC::TrackedReferences::check):
2927         * bytecode/UnlinkedCodeBlock.h:
2928         (JSC::UnlinkedCodeBlock::bitVectors):
2929         (JSC::UnlinkedCodeBlock::bitVector):
2930         (JSC::UnlinkedCodeBlock::addBitVector):
2931         (JSC::UnlinkedCodeBlock::shrinkToFit):
2932         * bytecompiler/BytecodeGenerator.cpp:
2933         (JSC::BytecodeGenerator::emitNewArrayWithSpread):
2934         * bytecompiler/BytecodeGenerator.h:
2935         * bytecompiler/NodesCodegen.cpp:
2936         (JSC::ArrayNode::emitBytecode):
2937         * dfg/DFGAbstractInterpreterInlines.h:
2938         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2939         * dfg/DFGByteCodeParser.cpp:
2940         (JSC::DFG::ByteCodeParser::addToGraph):
2941         (JSC::DFG::ByteCodeParser::parseBlock):
2942         * dfg/DFGCapabilities.cpp:
2943         (JSC::DFG::capabilityLevel):
2944         * dfg/DFGClobberize.h:
2945         (JSC::DFG::clobberize):
2946         * dfg/DFGDoesGC.cpp:
2947         (JSC::DFG::doesGC):
2948         * dfg/DFGFixupPhase.cpp:
2949         (JSC::DFG::FixupPhase::fixupNode):
2950         (JSC::DFG::FixupPhase::watchHavingABadTime):
2951         * dfg/DFGGraph.h:
2952         (JSC::DFG::Graph::isWatchingArrayIteratorProtocolWatchpoint):
2953         * dfg/DFGNode.h:
2954         (JSC::DFG::Node::bitVector):
2955         * dfg/DFGNodeType.h:
2956         * dfg/DFGOperations.cpp:
2957         * dfg/DFGOperations.h:
2958         * dfg/DFGPredictionPropagationPhase.cpp:
2959         * dfg/DFGSafeToExecute.h:
2960         (JSC::DFG::safeToExecute):
2961         * dfg/DFGSpeculativeJIT.cpp:
2962         (JSC::DFG::SpeculativeJIT::compileSpread):
2963         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
2964         * dfg/DFGSpeculativeJIT.h:
2965         (JSC::DFG::SpeculativeJIT::callOperation):
2966         * dfg/DFGSpeculativeJIT32_64.cpp:
2967         (JSC::DFG::SpeculativeJIT::compile):
2968         * dfg/DFGSpeculativeJIT64.cpp:
2969         (JSC::DFG::SpeculativeJIT::compile):
2970         * dfg/DFGStructureRegistrationPhase.cpp:
2971         (JSC::DFG::StructureRegistrationPhase::run):
2972         * ftl/FTLAbstractHeapRepository.h:
2973         * ftl/FTLCapabilities.cpp:
2974         (JSC::FTL::canCompile):
2975         * ftl/FTLLowerDFGToB3.cpp:
2976         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2977         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
2978         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
2979         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
2980         * jit/AssemblyHelpers.h:
2981         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
2982         (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
2983         * jit/JIT.cpp:
2984         (JSC::JIT::privateCompileMainPass):
2985         * jit/JIT.h:
2986         * jit/JITOpcodes.cpp:
2987         (JSC::JIT::emit_op_new_array_with_spread):
2988         (JSC::JIT::emit_op_spread):
2989         * jit/JITOperations.h:
2990         * llint/LLIntData.cpp:
2991         (JSC::LLInt::Data::performAssertions):
2992         * llint/LLIntSlowPaths.cpp:
2993         * llint/LowLevelInterpreter.asm:
2994         * runtime/ArrayIteratorAdaptiveWatchpoint.cpp: Added.
2995         (JSC::ArrayIteratorAdaptiveWatchpoint::ArrayIteratorAdaptiveWatchpoint):
2996         (JSC::ArrayIteratorAdaptiveWatchpoint::handleFire):
2997         * runtime/ArrayIteratorAdaptiveWatchpoint.h: Added.
2998         * runtime/CommonSlowPaths.cpp:
2999         (JSC::SLOW_PATH_DECL):
3000         * runtime/CommonSlowPaths.h:
3001         * runtime/IteratorOperations.h:
3002         (JSC::forEachInIterable):
3003         * runtime/JSCInlines.h:
3004         * runtime/JSFixedArray.cpp: Added.
3005         (JSC::JSFixedArray::visitChildren):
3006         * runtime/JSFixedArray.h: Added.
3007         (JSC::JSFixedArray::createStructure):
3008         (JSC::JSFixedArray::createFromArray):
3009         (JSC::JSFixedArray::get):
3010         (JSC::JSFixedArray::buffer):
3011         (JSC::JSFixedArray::size):
3012         (JSC::JSFixedArray::offsetOfSize):
3013         (JSC::JSFixedArray::offsetOfData):
3014         (JSC::JSFixedArray::create):
3015         (JSC::JSFixedArray::JSFixedArray):
3016         (JSC::JSFixedArray::allocationSize):
3017         * runtime/JSGlobalObject.cpp:
3018         (JSC::JSGlobalObject::JSGlobalObject):
3019         (JSC::JSGlobalObject::init):
3020         (JSC::JSGlobalObject::visitChildren):
3021         (JSC::JSGlobalObject::objectPrototypeIsSane): Deleted.
3022         (JSC::JSGlobalObject::arrayPrototypeChainIsSane): Deleted.
3023         (JSC::JSGlobalObject::stringPrototypeChainIsSane): Deleted.
3024         * runtime/JSGlobalObject.h:
3025         (JSC::JSGlobalObject::arrayIteratorProtocolWatchpoint):
3026         (JSC::JSGlobalObject::iteratorProtocolFunction):
3027         * runtime/JSGlobalObjectInlines.h: Added.
3028         (JSC::JSGlobalObject::objectPrototypeIsSane):
3029         (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
3030         (JSC::JSGlobalObject::stringPrototypeChainIsSane):
3031         (JSC::JSGlobalObject::isArrayIteratorProtocolFastAndNonObservable):
3032         * runtime/JSType.h:
3033         * runtime/VM.cpp:
3034         (JSC::VM::VM):
3035         * runtime/VM.h:
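
The entry above describes op_spread (run the iteration protocol, collect the values into a JSFixedArray) and op_new_array_with_spread (consume the operands plus a bit vector marking which of them were spread). The following is an added userland model of that lowering, written for this page and not code from JavaScriptCore; the names `spread`, `newArrayWithSpread`, `lowerArrayLiteral`, `example` and `countIterationSteps` are hypothetical, and a frozen JS array stands in for JSFixedArray. The last function shows that the protocol is observable from user code, which is why the engine may only take the array fast path while the array iterator protocol is known to be unmodified.

```javascript
// Added example (not JavaScriptCore code): a userland model of op_spread and
// op_new_array_with_spread as described in the ChangeLog entry above.

// Model of op_spread: performs the ES6 iteration protocol on `iterable` and
// returns a frozen array standing in for JSFixedArray (a 'size' plus inline buffer).
function spread(iterable) {
  const method = iterable[Symbol.iterator];
  if (typeof method !== "function") {
    throw new TypeError("value is not iterable");
  }
  const iterator = method.call(iterable);
  const values = [];
  for (;;) {
    const step = iterator.next();
    if (step.done) break;
    values.push(step.value);
  }
  return Object.freeze(values);
}

// Model of op_new_array_with_spread: operands[i] is copied verbatim when
// bitVector[i] is 0 and flattened when bitVector[i] is 1, in which case it must
// already be the result of spread() (an op_spread precedes the consumer).
function newArrayWithSpread(operands, bitVector) {
  if (operands.length !== bitVector.length) {
    throw new Error("bit vector length does not match operand count");
  }
  const result = [];
  for (let i = 0; i < operands.length; i++) {
    if (bitVector[i]) {
      const fixed = operands[i];
      if (!Array.isArray(fixed) || !Object.isFrozen(fixed)) {
        throw new Error("spread operand was not produced by spread()");
      }
      for (let j = 0; j < fixed.length; j++) result.push(fixed[j]);
    } else {
      result.push(operands[i]);
    }
  }
  return result;
}

// Lowering of an array literal whose elements are {spread: boolean, value}:
// returns the operand list and the bit vector the bytecode generator would emit.
function lowerArrayLiteral(elements) {
  const operands = [];
  const bitVector = [];
  for (const { spread: isSpread, value } of elements) {
    operands.push(isSpread ? spread(value) : value);
    bitVector.push(isSpread ? 1 : 0);
  }
  return { operands, bitVector };
}

// Evaluates [a, b, ...c, d, ...e] through the model with constructed inputs.
function example() {
  const a = 1, b = 2, c = [3, 4], d = 5, e = new Set([6, 7]);
  const { operands, bitVector } = lowerArrayLiteral([
    { spread: false, value: a }, { spread: false, value: b }, { spread: true, value: c },
    { spread: false, value: d }, { spread: true, value: e },
  ]);
  return { bitVector, array: newArrayWithSpread(operands, bitVector) };
}

// The protocol is observable: a user-defined iterator sees every next() call,
// so a fast path that skips those calls is only valid while the array iterator
// protocol is unmodified (the watchpoint the entry above introduces).
function countIterationSteps() {
  let calls = 0;
  const observed = {
    [Symbol.iterator]() {
      let i = 0;
      return {
        next() {
          calls++;
          return i < 3 ? { value: i++, done: false } : { value: undefined, done: true };
        },
      };
    },
  };
  const values = spread(observed);
  return { values: Array.from(values), calls };
}
```

Running `example()` yields the bit vector `[0, 0, 1, 0, 1]` from the entry and the array `[1, 2, 3, 4, 5, 6, 7]`; `countIterationSteps()` reports four `next()` calls for three values, the extra one being the call that returns `done: true`.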
3036
3037 2016-11-10  JF Bastien  <jfbastien@apple.com>
3038
3039         ASSERTION FAILED: length > offset encountered with wasm.yaml/wasm/js-api/test_Module.js.default-wasm
3040         https://bugs.webkit.org/show_bug.cgi?id=164597
3041
3042         Reviewed by Keith Miller.
3043
3044         * wasm/WasmParser.h:
3045         (JSC::Wasm::Parser::parseVarUInt32): move closer to other parsers
3046         (JSC::Wasm::Parser::parseVarUInt64): move closer to other parsers
3047
3048 2016-11-10  Joseph Pecoraro  <pecoraro@apple.com>
3049
3050         test262: DataView / TypedArray methods should throw RangeErrors for negative numbers (ToIndex)
3051         https://bugs.webkit.org/show_bug.cgi?id=164450
3052
3053         Reviewed by Darin Adler.
3054
3055         * runtime/JSCJSValue.h:
3056         * runtime/JSCJSValueInlines.h:
3057         (JSC::JSValue::toIndex):
3058         Introduce a method for toIndex, which is used by DataView and TypedArrays
3059         to convert an argument to a number with the possibility of throwing
3060         RangeErrors for negative values. We also throw RangeErrors for large
3061         values, because wherever this is used we expect an unsigned.
3062
3063         * runtime/JSArrayBufferConstructor.cpp:
3064         (JSC::constructArrayBuffer):
3065         * runtime/JSDataViewPrototype.cpp:
3066         (JSC::getData):
3067         (JSC::setData):
3068         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
3069         (JSC::constructGenericTypedArrayViewWithArguments):
3070         (JSC::constructGenericTypedArrayView):
3071         Use toIndex instead of toUint32 where required.
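
The entry above introduces JSValue::toIndex so that DataView and TypedArray code rejects negative and oversized lengths and offsets with a RangeError instead of converting them with toUint32. The following is an added userland model of that distinction, written for this page and not JavaScriptCore's code; `toIndex` follows the ECMAScript ToIndex abstract operation (undefined becomes 0, anything below 0 or above 2^53 - 1 throws), `toUint32` is the modulo-2^32 conversion it replaces, and `readByteAt` and `compareConversions` are hypothetical helpers that show how the two behave on a constructed 4-byte buffer.

```javascript
// Added example (not JavaScriptCore code): userland models of ToIndex and
// ToUint32, with a small DataView-like reader to show why the ChangeLog entry
// above switches the buffer/view code from toUint32 to toIndex.

const MAX_SAFE_INTEGER = Number.MAX_SAFE_INTEGER; // 2^53 - 1

// Spec-style ToIntegerOrInfinity: NaN -> 0, otherwise truncate toward zero.
function toIntegerOrInfinity(value) {
  const n = Number(value);
  if (Number.isNaN(n)) return 0;
  if (!Number.isFinite(n)) return n;
  return Math.trunc(n) + 0; // "+ 0" normalizes -0 to +0
}

// Model of ToIndex: undefined -> 0; negative or > 2^53 - 1 -> RangeError.
function toIndex(value) {
  if (value === undefined) return 0;
  const integer = toIntegerOrInfinity(value);
  if (integer < 0 || integer > MAX_SAFE_INTEGER) {
    throw new RangeError("Index " + integer + " is out of range");
  }
  return integer;
}

// The conversion being replaced: ToUint32 wraps modulo 2^32 and never fails,
// so a negative or huge offset can silently land inside the buffer.
function toUint32(value) {
  return Number(value) >>> 0;
}

// A DataView-like getter parameterized on the offset conversion.
function readByteAt(bytes, byteOffset, convert) {
  const index = convert(byteOffset);
  if (index >= bytes.length) {
    throw new RangeError("Offset is outside the bounds of the buffer");
  }
  return bytes[index];
}

// Runs both conversions over constructed inputs and returns either the byte
// read or the name of the error thrown, keyed by String(input).
function compareConversions() {
  const bytes = new Uint8Array([10, 20, 30, 40]); // constructed sample buffer
  const inputs = [-4294967295, 1.9, "2", undefined, 2 ** 53, Infinity];
  const results = {};
  for (const input of inputs) {
    const key = String(input);
    results[key] = {};
    for (const [name, convert] of [["toUint32", toUint32], ["toIndex", toIndex]]) {
      try {
        results[key][name] = readByteAt(bytes, input, convert);
      } catch (e) {
        results[key][name] = e.constructor.name;
      }
    }
  }
  return results;
}
```

The interesting rows are the out-of-range ones: `-4294967295` wraps to 1 under `toUint32` and reads the second byte, and `2 ** 53` wraps to 0 and reads the first, while `toIndex` rejects both with a RangeError before any buffer access happens. In-range inputs such as `1.9`, `"2"` and `undefined` give the same byte under either conversion.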
3072
3073 2016-11-10  Mark Lam  <mark.lam@apple.com>
3074
3075         A few bits of minor code clean up.
3076         https://bugs.webkit.org/show_bug.cgi?id=164523
3077
3078         Reviewed by Yusuke Suzuki.
3079
3080         * interpreter/StackVisitor.cpp:
3081         (JSC::StackVisitor::Frame::dump):
3082         - Insert a space to make the dump more legible.
3083
3084         * runtime/Options.h:
3085         - Fixed some typos.
3086
3087         * runtime/StringPrototype.cpp:
3088         (JSC::stringProtoFuncReplaceUsingRegExp):
3089         (JSC::stringProtoFuncReplaceUsingStringSearch):
3090         - Use the VM& that is already available.
3091
3092 2016-11-10  Mark Lam  <mark.lam@apple.com>
3093
3094         Graph::methodOfGettingAValueProfileFor() should be returning the profile for the operand node.
3095         https://bugs.webkit.org/show_bug.cgi?id=164600
3096         <rdar://problem/28828676>
3097
3098         Reviewed by Filip Pizlo.
3099
3100         Currently, Graph::methodOfGettingAValueProfileFor() assumes that the operand DFG
3101         node that it is provided with always has a different origin than the node that is
3102         using that operand.  For example, in a DFG graph that looks like this:
3103
3104             a: ...
3105             b: ArithAdd(@a, ...)
3106
3107         ... when emitting speculation checks on @a for the ArithAdd node at @b,
3108         Graph::methodOfGettingAValueProfileFor() is passed @a, and expects @a to
3109         originate from a different bytecode than @b.  The intent here is to get the
3110         profile for @a so that the OSR exit ramp for @b can update @a's profile with the
3111         observed result type from @a so that future type prediction on incoming args for
3112         the ArithAdd node can take this into consideration.
3113
3114         However, op_negate can be compiled into the following series of nodes:
3115
3116             a: ...
3117             b: BooleanToNumber(@a)
3118             c: DoubleRep(@b)
3119             d: ArithNegate(@c)
3120
3121         All 3 nodes @b, @c, and @d map to the same op_negate bytecode i.e. they have the
3122         same origin.  When the speculativeJIT emits a speculationCheck for DoubleRep, it
3123         calls Graph::methodOfGettingAValueProfileFor() to get the ArithProfile for the
3124         BooleanToNumber node.  But because all 3 nodes have the same origin,
3125         Graph::methodOfGettingAValueProfileFor() erroneously returns the ArithProfile for
3126         the op_negate.  Subsequently, the OSR exit ramp will modify the ArithProfile of
3127         the op_negate and corrupt its profile.  Instead, what the OSR exit ramp should be
3128         doing is to update the ArithProfile of op_negate's operand i.e. BooleanToNumber's
3129         operand @a in this case.
3130
3131         The fix is to always pass the current node we're generating code for (in addition
3132         to the operand node) to Graph::methodOfGettingAValueProfileFor().  This way, we
3133         know the profile is valid if and only if the current node and its operand node
3134         do not have the same origin.
3135
3136         In this patch, we also fixed the following:
3137         1. Teach Graph::methodOfGettingAValueProfileFor() to get the profile for
3138            BooleanToNumber's operand if the operand node it is given is BooleanToNumber.
3139         2. Change JITCompiler::appendExceptionHandlingOSRExit() to explicitly pass an
3140            empty MethodOfGettingAValueProfile().  It was implicitly doing this before.
3141         3. Change SpeculativeJIT::emitInvalidationPoint() to pass an empty
3142            MethodOfGettingAValueProfile().  It has no child node.  Hence, it doesn't
3143            make sense to call Graph::methodOfGettingAValueProfileFor() for a child node
3144            that does not exist.
3145
3146         * dfg/DFGGraph.cpp:
3147         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
3148         * dfg/DFGGraph.h:
3149         * dfg/DFGJITCompiler.cpp:
3150         (JSC::DFG::JITCompiler::appendExceptionHandlingOSRExit):
3151         * dfg/DFGSpeculativeJIT.cpp:
3152         (JSC::DFG::SpeculativeJIT::speculationCheck):
3153         (JSC::DFG::SpeculativeJIT::emitInvalidationPoint):
3154         * ftl/FTLLowerDFGToB3.cpp:
3155         (JSC::FTL::DFG::LowerDFGToB3::appendOSRExitDescriptor):
3156
3157 2016-11-10  Aaron Chu  <aaron_chu@apple.com>
3158
3159         Web Inspector: AXI: clarify button roles (e.g. toggle or popup button)
3160         https://bugs.webkit.org/show_bug.cgi?id=130726
3161         <rdar://problem/16420420>
3162
3163         Reviewed by Brian Burg.
3164
3165         Add the isPopupButton flag to the AccessibilityProperties type.
3166
3167         * inspector/protocol/DOM.json:
3168
3169 2016-11-10  Csaba Osztrogonác  <ossy@webkit.org>
3170
3171         [ARM] Unreviewed buildfix after r208450.
3172
3173         * assembler/MacroAssemblerARM.h:
3174         (JSC::MacroAssemblerARM::load8SignedExtendTo32): Added.
3175
3176 2016-11-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3177
3178         [JSC] Avoid cloned arguments allocation in ArrayPrototype methods
3179         https://bugs.webkit.org/show_bug.cgi?id=164502
3180
3181         Reviewed by Saam Barati.
3182
3183         In many builtin functions, we use `arguments` to just get optional parameters.
3184         While FTL argument elimination can drop `arguments` allocations, it leaves
3185         the allocations in LLInt, Baseline, and DFG. And we found that DFG compiled
3186         Array#map is heavily used in ES6SampleBench/Basic. And it always creates
3187         a meaningless ClonedArguments.
3188
3189         Using ES6 default parameters here is not a solution. It increases the number
3190         of parameters of the CodeBlock (not `function.length`). And the optional
3191         parameters in Array.prototype.xxx methods are not typically passed. For
3192         example, we typically do not pass `thisArg` to `Array.prototype.map` function.
3193         In this case, the arity check frequently fails. It requires the additional C
3194         call to fixup arguments and it becomes pure overhead.
3195
3196         To solve this problem, this patch introduces a new bytecode intrinsic @argument().
3197         This offers a way to retrieve the argument value without increasing the
3198         arity of the function. And if the argument is not passed (out of bounds), it
3199         just returns `undefined`. The semantics of this intrinsic are the same as the C++
3200         ExecState::argument(). This operation does not require `arguments` object. And we
3201         can drop the `argument` references even in lower 3 tiers.
3202
3203         We implement op_get_argument for this intrinsic. And later this will be converted
3204         to a DFG GetArgument node. All the tiers handle this feature.
3205
3206         This patch improves ES6SampleBench/Basic by 13.8% in steady state. And in summary,
3207         it improves 4.5%.
3208
3209         In the future, we can improve the implementation of the default parameters.
3210         Currently, the default parameter always increases the arity of the function. So
3211         if you do not pass the argument, the arity check fails. But since it is the default
3212         parameter, it is likely that we don't pass the argument. Using op_get_argument to
3213         implement the default parameter can decrease the case in which the arity check
3214         frequently fails. And it can change the builtin implementation to use the ES6
3215         default parameters instead of using the special @argument() intrinsic in the future.
3216         And in that case, the user code also receives the benefit.
3217
3218         ES6SampleBench/Basic.
3219             Baseline:
3220                 Running... Basic ( 1  to go)
3221                 firstIteration:     39.38 ms +- 4.48 ms
3222                 averageWorstCase:   20.79 ms +- 0.96 ms
3223                 steadyState:        1959.22 ms +- 65.55 ms
3224
3225             Patched:
3226                 Running... Basic ( 1  to go)
3227                 firstIteration:     37.85 ms +- 4.09 ms
3228                 averageWorstCase:   18.60 ms +- 0.76 ms
3229                 steadyState:        1721.89 ms +- 57.58 ms
3230
3231         All summary.
3232             Baseline:
3233                 summary:            164.34 ms +- 5.01 ms
3234             Patched:
3235                 summary:            157.26 ms +- 5.96 ms
3236
3237         * builtins/ArrayConstructor.js:
3238         * builtins/ArrayPrototype.js:
3239         (reduce):
3240         (reduceRight):
3241         (every):
3242         (forEach):
3243         (filter):
3244         (map):
3245         (some):
3246         (fill):
3247         (find):
3248         (findIndex):
3249         (includes):
3250         (copyWithin):
3251         * builtins/DatePrototype.js:
3252         (toLocaleString):
3253         (toLocaleDateString):
3254         (toLocaleTimeString):
3255         * builtins/MapPrototype.js:
3256         (forEach):
3257         * builtins/NumberPrototype.js:
3258         (toLocaleString):
3259         * builtins/SetPrototype.js:
3260         (forEach):
3261         * builtins/StringPrototype.js:
3262         (padStart):
3263         (padEnd):
3264         (localeCompare):
3265         * builtins/TypedArrayConstructor.js:
3266         * builtins/TypedArrayPrototype.js:
3267         (every):
3268         (fill):
3269         (find):
3270         (findIndex):
3271         (forEach):
3272         (some):
3273         (reduce):
3274         (reduceRight):
3275         (map):
3276         (filter):
3277         * bytecode/BytecodeIntrinsicRegistry.h:
3278         * bytecode/BytecodeList.json:
3279         * bytecode/BytecodeUseDef.h:
3280         (JSC::computeUsesForBytecodeOffset):
3281         (JSC::computeDefsForBytecodeOffset):
3282         * bytecode/CodeBlock.cpp:
3283         (JSC::CodeBlock::dumpBytecode):
3284         (JSC::CodeBlock::finishCreation):
3285         * bytecompiler/BytecodeGenerator.cpp:
3286         (JSC::BytecodeGenerator::emitGetArgument):
3287         * bytecompiler/BytecodeGenerator.h:
3288         * bytecompiler/NodesCodegen.cpp:
3289         (JSC::BytecodeIntrinsicNode::emit_intrinsic_argument):
3290         * dfg/DFGAbstractInterpreterInlines.h:
3291         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3292         * dfg/DFGByteCodeParser.cpp:
3293         (JSC::DFG::ByteCodeParser::parseBlock):
3294         * dfg/DFGCapabilities.cpp:
3295         (JSC::DFG::capabilityLevel):
3296         * dfg/DFGClobberize.h:
3297         (JSC::DFG::clobberize):
3298         * dfg/DFGDoesGC.cpp:
3299         (JSC::DFG::doesGC):
3300         * dfg/DFGFixupPhase.cpp:
3301         (JSC::DFG::FixupPhase::fixupNode):
3302         * dfg/DFGNode.h:
3303         (JSC::DFG::Node::hasHeapPrediction):
3304         (JSC::DFG::Node::hasArgumentIndex):
3305         (JSC::DFG::Node::argumentIndex):
3306         * dfg/DFGNodeType.h:
3307         * dfg/DFGPreciseLocalClobberize.h:
3308         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
3309         * dfg/DFGPredictionPropagationPhase.cpp:
3310         * dfg/DFGSafeToExecute.h:
3311         (JSC::DFG::safeToExecute):
3312         * dfg/DFGSpeculativeJIT.cpp:
3313         (JSC::DFG::SpeculativeJIT::compileGetArgument):
3314         * dfg/DFGSpeculativeJIT.h:
3315         * dfg/DFGSpeculativeJIT32_64.cpp:
3316         (JSC::DFG::SpeculativeJIT::compile):
3317         * dfg/DFGSpeculativeJIT64.cpp:
3318         (JSC::DFG::SpeculativeJIT::compile):
3319         * ftl/FTLCapabilities.cpp:
3320         (JSC::FTL::canCompile):
3321         * ftl/FTLLowerDFGToB3.cpp:
3322         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3323         (JSC::FTL::DFG::LowerDFGToB3::compileGetArgument):
3324         * jit/JIT.cpp:
3325         (JSC::JIT::privateCompileMainPass):
3326         * jit/JIT.h:
3327         * jit/JITOpcodes.cpp:
3328         (JSC::JIT::emit_op_get_argument):
3329         * jit/JITOpcodes32_64.cpp:
3330         (JSC::JIT::emit_op_get_argument):
3331         * llint/LowLevelInterpreter32_64.asm:
3332         * llint/LowLevelInterpreter64.asm:
3333
3334 2016-11-08  Joseph Pecoraro  <pecoraro@apple.com>
3335
3336         Web Inspector: DebuggerManager.Event.Resumed introduces test flakiness
3337         https://bugs.webkit.org/show_bug.cgi?id=161951
3338         <rdar://problem/28295767>
3339
3340         Reviewed by Brian Burg.
3341
3342         This removes an ambiguity in the protocol when stepping through
3343         JavaScript. Previously, when paused and issuing a Debugger.step*
3344         command the frontend would always receive a Debugger.resumed event and
3345         then, maybe, a Debugger.paused event indicating we paused again (after
3346         stepping). However, this ambiguity means that the frontend needs to
3347         wait for a short period of time to determine if we really resumed
3348         or not. And even still that decision may be incorrect if the step
3349         takes a sufficiently long period of time.
3350
3351         The new approach removes this ambiguity. Now, in response to a
3352         Debugger.step* command the backend MUST send a single Debugger.paused
3353         event or Debugger.resumed event. Now the frontend knows that the
3354         next Debugger event it receives after issuing the step command is
3355         the result (stepped and paused, or stepped and resumed).
3356
3357         To make resuming consistent in all cases, a Debugger.resume command