c87c07ab53a3ef7ebd17215ea57b0dad41762266
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-01-19  Skachkov Oleksandr  <gskachkov@gmail.com>

        "this" missing after await in async arrow function
        https://bugs.webkit.org/show_bug.cgi?id=166919

        Reviewed by NOBODY Saam Barati.

        This patch fixes an issue in async arrow functions. The issue appears because in an arrow
        function _this_ is loaded from the arrow function's virtual scope.
        An async arrow function can be suspended, and when it resumes the _this_ from the
        virtual scope should be used; to allow this we load _this_ from the virtual scope before
        storing it to the generator.generatorThis property.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionNode::emitBytecode):

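The behaviour this entry restores, as an added regression check that is not part of the ChangeLog or of the WebKit patch: an arrow function captures the lexical `this` of its enclosing method, and for an async arrow that captured `this` must still be the same object after the function is suspended at `await` and resumed. The `Counter` class and the helper names are constructed for this example.

```javascript
// Added example (not WebKit code): regression check for "this" after await
// in an async arrow function (bug 166919). An arrow has no `this` of its own;
// it uses the `this` of the enclosing function. An async arrow is suspended at
// every `await`, so that lexical `this` has to survive the suspension.

class Counter {
  constructor() {
    this.value = 0;
  }

  // Returns an async arrow that closes over the Counter instance as `this`.
  // The arrow must observe the same `this` before and after the `await`.
  makeIncrementer() {
    return async (delayMs) => {
      const before = this; // lexical `this`, taken before suspension
      await new Promise((resolve) => setTimeout(resolve, delayMs));
      const after = this; // lexical `this`, taken after resumption
      if (after !== before) {
        throw new Error('lexical this was lost across await');
      }
      this.value += 1;
      return after;
    };
  }
}

// Drives the arrow with foreign call-site receivers to show that an arrow
// ignores them entirely, and reports what the arrow saw as `this`.
async function checkThisAfterAwait() {
  const counter = new Counter();
  const increment = counter.makeIncrementer();
  const foreign = { value: -1 }; // constructed receiver that must be ignored

  const seen1 = await increment.call(foreign, 0);
  const seen2 = await increment.call(undefined, 0);

  return {
    // both invocations must have seen the Counter, not the call-site receiver
    sameThis: seen1 === counter && seen2 === counter,
    // the foreign receiver must not have been mutated
    foreignUntouched: foreign.value === -1,
    // the Counter must have been incremented once per call
    count: counter.value,
  };
}

// Stand-alone run: prints { sameThis: true, foreignUntouched: true, count: 2 }
checkThisAfterAwait().then((result) => console.log(result));
```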
2017-01-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        [B3] B3 strength reduction could encounter Value without owner in PureCSE
        https://bugs.webkit.org/show_bug.cgi?id=167161

        Reviewed by Filip Pizlo.

        PureCSE relies on the fact that all the stored Values have owner member.
        This assumption is broken when you execute specializeSelect in B3ReduceStrength phase.
        It clears owner of Values which are in between Select and Check to clone them to then/else
        blocks. If these cleared Values are already stored in PureCSE map, this map poses a Value
        with nullptr owner in PureCSE.

        This patch changes PureCSE to ignore stored Values that have nullptr owner. This even means
        that a client of PureCSE could deliberately null the owner if they wanted to signal the
        Value should be ignored.

        While PureCSE ignores chance for optimization if Value's owner is nullptr, in the current
        strength reduction algorithm, this does not hurt optimization because CSE will be eventually
        applied since the strength reduction phase wants to reach a fixed point. But even without
        these iterations, our result itself is valid since PureCSE is allowed to be conservative.

        * b3/B3PureCSE.cpp:
        (JSC::B3::PureCSE::findMatch):
        (JSC::B3::PureCSE::process):
        * b3/testb3.cpp:
        (JSC::B3::testCheckSelectAndCSE):
        (JSC::B3::run):

2017-01-18  Filip Pizlo  <fpizlo@apple.com>

        JSSegmentedVariableObject and its subclasses should have a sane destruction story
        https://bugs.webkit.org/show_bug.cgi?id=167193

        Reviewed by Saam Barati.

        Prior to this change, JSSegmentedVariableObjects' subclasses install finalizers that call
        destroy. They did this in random ways, which sometimes resulted in
        JSSegmentedVariableObject::~JSSegmentedVariableObject executing more than once (which worked
        because of the way that ~SegmentedVector is written). Maybe this works now, but it's a disaster
        waiting to happen.

        Fortunately we can now just give those things their own Subspace and teach it its own protocol of
        destruction. This change introduces JSSegmentedVariableObjectSubspace and stashes a m_classInfo
        in JSSegmentedVariableObject. Now, subclasses of JSSegmentedVariableObject are destructible in
        much the same way as JSDestructibleObject without having to be subclasses of
        JSDestructibleObject.

        * API/JSCallbackObject.cpp:
        (JSC::JSCallbackObject<JSGlobalObject>::create):
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jsc.cpp:
        (GlobalObject::create):
        * runtime/JSGlobalLexicalEnvironment.h:
        (JSC::JSGlobalLexicalEnvironment::create):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::create):
        (JSC::JSGlobalObject::finishCreation):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::create): Deleted.
        (JSC::JSGlobalObject::finishCreation): Deleted.
        * runtime/JSSegmentedVariableObject.cpp:
        (JSC::JSSegmentedVariableObject::destroy):
        (JSC::JSSegmentedVariableObject::JSSegmentedVariableObject):
        (JSC::JSSegmentedVariableObject::~JSSegmentedVariableObject):
        (JSC::JSSegmentedVariableObject::finishCreation):
        * runtime/JSSegmentedVariableObject.h:
        (JSC::JSSegmentedVariableObject::subspaceFor):
        (JSC::JSSegmentedVariableObject::classInfo):
        (JSC::JSSegmentedVariableObject::JSSegmentedVariableObject): Deleted.
        (JSC::JSSegmentedVariableObject::finishCreation): Deleted.
        * runtime/JSSegmentedVariableObjectSubspace.cpp: Added.
        (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace):
        (JSC::JSSegmentedVariableObjectSubspace::~JSSegmentedVariableObjectSubspace):
        (JSC::JSSegmentedVariableObjectSubspace::finishSweep):
        (JSC::JSSegmentedVariableObjectSubspace::destroy):
        * runtime/JSSegmentedVariableObjectSubspace.h: Added.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * testRegExp.cpp:
        (GlobalObject::create):

2017-01-18  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: console.table only works for the first 5 properties
        https://bugs.webkit.org/show_bug.cgi?id=167175

        Reviewed by Timothy Hatcher.

        * inspector/InjectedScriptSource.js:
        (InjectedScript.prototype.wrapTable):
        (InjectedScript.RemoteObject.createObjectPreviewForValue):
        (InjectedScript.RemoteObject.prototype._appendPropertyPreviews):
        Pass through secondLevelKeys. Though the keys are themselves ignored, the
        existence is a signal that we should send more than the first 5 properties.

2017-01-18  Antti Koivisto  <antti@apple.com>

        Only delete source provider caches on full collection
        https://bugs.webkit.org/show_bug.cgi?id=167173

        Reviewed by Andreas Kling.

        They are currently often wiped and recreated during page loading due to eden collections.

        It is not clear that tying the lifetime of these caches to gc makes sense at all but this
        should at least help some.

        * heap/Heap.cpp:
        (JSC::Heap::deleteSourceProviderCaches):

2017-01-18  Filip Pizlo  <fpizlo@apple.com>

        JSObjectSetPrivate should not use jsCast<>
        rdar://problem/30069096

        Reviewed by Keith Miller.

        * API/JSObjectRef.cpp:
        (JSObjectSetPrivate):

2017-01-18  Brian Burg  <bburg@apple.com>

        Web Inspector: remove an unnecessary include in generated Objective-C Inspector protocol code
        https://bugs.webkit.org/show_bug.cgi?id=167156

        Rubber-stamped by Geoffrey Garen.

        * inspector/scripts/codegen/objc_generator_templates.py:
        This include of config.h doesn't make sense when using the code generator
        outside of JavaScriptCore/WebKit. It is not necessary either, so remove it.

        * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/generic/expected/enum-values.json-result:
        * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
        * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
        Rebaseline test results.

2017-01-18  Csaba Osztrogonác  <ossy@webkit.org>

        Fix the JSCOnly build after r210844
        https://bugs.webkit.org/show_bug.cgi?id=167155

        Unreviewed buildfix.

        * heap/EdenGCActivityCallback.cpp:

2017-01-16  Filip Pizlo  <fpizlo@apple.com>

        Make opaque root scanning truly constraint-based
        https://bugs.webkit.org/show_bug.cgi?id=165760

        Reviewed by Geoffrey Garen.

        We have bugs when visitChildren() changes its mind about what opaque root to add, since
        we don't have barriers on opaque roots. This supposedly once worked for generational GC,
        and I started adding more barriers to support concurrent GC. But I think that the real
        bug here is that we want the JSObject->OpaqueRoot to be evaluated as a constraint that
        participates in the fixpoint. I like to think of this as an *output* constraint, because it
        is concerned with outgoing edges in the heap from the object that registered the constraint.
        An *input* constraint is like what Weak<> does when deciding whether the thing it points to
        should be live.

        Whether or not an object has output constraints depends on its type. So, we want the GC to
        have a feature where we rapidly call some function on all marked objects of some type.

        It's easy to rapidly scan all marked objects in a MarkedBlock. So, we want to allocate all
        objects that have output constraints in their own MarkedBlocks and we want to track the set
        of MarkedBlocks with output constraints.

        This patch makes it easy to have clients of JSC's internal C++ APIs create a Subspace - like
        what we used to call MarkedSpace::Subspace but now it's in the JSC namespace - which is
        a collection of objects that you can easily scan during GC from a MarkingConstraint. It's
        now possible for internal C++ API clients to register their own MarkingConstraints. The DOM
        now uses this to create two Subspaces (more on why two below) and it calls
        JSCell::visitOutputConstraints() on all of the marked objects in those subspaces using a new
        MarkingConstraint. That MarkingConstraint uses a new style of volatility, called
        SeldomGreyed, which is like GreyedByExecution except it is opportunistically not executed
        as roots in the hopes that their sole execution will be the snapshot-at-the-end. I also
        converted the CodeBlock rescan constraint to SeldomGreyed, since that's also an output
        constraint.

        This patch also uses Subspace for something pretty obvious: knowing how to call the
        destructor. Subspaces can specialize the sweep for their way of invoking destructors. We
        have the following subspaces:

        - auxiliary
        - cell
        - destructibleCell - for JSCell subclasses that have destructors and StructureIsImmortal
        - stringSpace - inlines ~JSString into the sweep, making string allocation 7% faster
        - destructibleObjectSpace - for JSDestructibleObject subclasses

        And WebCore adds:

        - outputConstraint - for JSDOMObjects that have a visitAdditionalChildren
        - globalObjectOutputConstraint - for JSDOMGlobalObjects that have a visitAdditionalChildren,
          since JSDOMGlobalObjects are not JSDestructibleObjects

        The Subspace for a type is selected by saying JSC::subspaceFor<Type>(vm). This calls
        Type::subspaceFor<Type>(vm). This allows cell classes to override subspaceFor<> and it
        allows any subspaceFor<> implementation to query static flags in the type. This is how
        JSCell::subspaceFor<> can select either cellSpace or destructibleCellSpace.

        This patch is mostly about:

        - Moving MarkedSpace::Subspace out of MarkedSpace and making it a nice class with a nice
          API. Almost all of its functionality is just taken out of MarkedSpace.
        - Converting users of the old API for allocating objects and getting MarkedAllocators, like
          heap.allocatorForObjectWithoutDestructor() and its friends. That would now say
          vm.cellSpace.allocatorFor().

        Altogether, this means that we only have a small regression on Dromaeo. The regression is
        due to the fact that we scan output constraints. Before the Subspace optimizations (see
        r209766, which was rolled out in r209812), this regression on Dromaeo/jslib was 2x but after
        the optimizations in this patch it's only 1.12x. Note that Dromaeo/jslib creates gigabytes of
        DOM nodes. Compared to web pages, this is a very extreme synthetic microbenchmark. Still, we
        like optimizing these because we don't want to presume what web pages will look like.

        The use of Subspaces to specialize destructors happened not because it's super necessary but
        because I wanted to introduce a single unified way of communicating to the GC how to treat
        different types. Any Subspace feature that allowed us to collect some types together would
        have to be mindful of the destructorness of objects. I could have turned this into a
        liability where each Subspace has two subsubspaces - one for destructor objects and one for
        non-destructor objects, which would have allowed me to keep the old sweep specialization
        code. Just days prior, mlam wanted to do something that was hard because of that old sweep
        specializer, so I decided to take the opportunity to fix the sweep specializer while also
        making Subspace be the one true way of teaching the GC about types. To validate that this
        actually does things, I added a JSStringSubspace and a test that shows that this is a 7%
        string allocation progression.

        In bug 167066, I'm getting rid of the rest of the code in JSC that would special-case for
        JSDestructibleObject vs StructureIsImmortal by using the GC's DestructionMode. After that,
        Subspace will be the only mechanism by which JSC uses the GC to encode types.

        Prior to this change, having multiple MarkedSpace::Subspaces would have been expensive
        because they create a bunch of MarkedAllocators upfront. We now have the ability to create
        MarkedAllocators lazily. We create them on the first allocation from that size class or when
        a JIT asks for the MarkedAllocator. The concurrent JITs can ask for MarkedAllocators because
        their creation is under a lock.

        On my machine, this might be a 1.1% JetStream speed-up with 87% confidence and it might be
        a 0.4% PLT3 slow-down with 92% confidence. Note that 0.4% on PLT3 is the level of systematic
        error on PLT3 on my computer: I've seen definite 0.4% speed-ups and slow-downs that were not
        confirmed by any bot. Let's see what the bots say.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/ObjectAllocationProfile.h:
        (JSC::ObjectAllocationProfile::initialize):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::generateImpl):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
        (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
        (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
        (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
        (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
        * heap/AllocatorAttributes.h:
        (JSC::AllocatorAttributes::AllocatorAttributes):
        * heap/ConstraintVolatility.h: Added.
        (WTF::printInternal):
        * heap/GCActivityCallback.cpp:
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::lastChanceToFinalize):
        (JSC::Heap::markToFixpoint):
        (JSC::Heap::updateObjectCounts):
        (JSC::Heap::collectAllGarbage):
        (JSC::Heap::collectInThread):
        (JSC::Heap::stopTheWorld):
        (JSC::Heap::updateAllocationLimits):
        (JSC::Heap::bytesVisited):
        (JSC::Heap::addCoreConstraints):
        (JSC::Heap::addMarkingConstraint):
        (JSC::Heap::notifyIsSafeToCollect):
        (JSC::Heap::preventCollection):
        (JSC::Heap::allowCollection):
        (JSC::Heap::setMutatorShouldBeFenced):
        (JSC::Heap::buildConstraintSet): Deleted.
        (JSC::Heap::writeBarrierOpaqueRootSlow): Deleted.
        (JSC::Heap::addMutatorShouldBeFencedCache): Deleted.
        * heap/Heap.h:
        (JSC::Heap::mutatorExecutionVersion):
        (JSC::Heap::numOpaqueRoots):
        (JSC::Heap::vm): Deleted.
        (JSC::Heap::subspaceForObjectWithoutDestructor): Deleted.
        (JSC::Heap::subspaceForObjectDestructor): Deleted.
        (JSC::Heap::subspaceForAuxiliaryData): Deleted.
        (JSC::Heap::allocatorForObjectWithoutDestructor): Deleted.
        (JSC::Heap::allocatorForObjectWithDestructor): Deleted.
        (JSC::Heap::allocatorForAuxiliaryData): Deleted.
        * heap/HeapInlines.h:
        (JSC::Heap::vm):
        (JSC::Heap::allocateWithDestructor): Deleted.
        (JSC::Heap::allocateWithoutDestructor): Deleted.
        (JSC::Heap::allocateObjectOfType): Deleted.
        (JSC::Heap::subspaceForObjectOfType): Deleted.
        (JSC::Heap::allocatorForObjectOfType): Deleted.
        (JSC::Heap::allocateAuxiliary): Deleted.
        (JSC::Heap::tryAllocateAuxiliary): Deleted.
        (JSC::Heap::tryReallocateAuxiliary): Deleted.
        (JSC::Heap::ascribeOwner): Deleted.
        (JSC::Heap::writeBarrierOpaqueRoot): Deleted.
        * heap/LargeAllocation.cpp:
        (JSC::LargeAllocation::tryCreate):
        (JSC::LargeAllocation::LargeAllocation):
        (JSC::LargeAllocation::~LargeAllocation):
        (JSC::LargeAllocation::sweep):
        * heap/LargeAllocation.h:
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::MarkedAllocator):
        (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
        (JSC::MarkedAllocator::tryAllocateIn):
        (JSC::MarkedAllocator::allocateSlowCaseImpl):
        (JSC::MarkedAllocator::tryAllocateBlock):
        (JSC::MarkedAllocator::shrink):
        (JSC::MarkedAllocator::markedSpace):
        * heap/MarkedAllocator.h:
        (JSC::MarkedAllocator::nextAllocatorInSubspace):
        (JSC::MarkedAllocator::setNextAllocatorInSubspace):
        (JSC::MarkedAllocator::subspace):
        (JSC::MarkedAllocator::tryAllocate): Deleted.
        (JSC::MarkedAllocator::allocate): Deleted.
        (JSC::MarkedAllocator::forEachBlock): Deleted.
        * heap/MarkedAllocatorInlines.h: Added.
        (JSC::MarkedAllocator::tryAllocate):
        (JSC::MarkedAllocator::allocate):
        (JSC::MarkedAllocator::forEachBlock):
        (JSC::MarkedAllocator::forEachNotEmptyBlock):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::Handle::subspace):
        (JSC::MarkedBlock::Handle::sweep):
        (JSC::MarkedBlock::Handle::specializedSweep): Deleted.
        (JSC::MarkedBlock::Handle::sweepHelperSelectScribbleMode): Deleted.
        (JSC::MarkedBlock::Handle::sweepHelperSelectEmptyMode): Deleted.
        (JSC::MarkedBlock::Handle::sweepHelperSelectHasNewlyAllocated): Deleted.
        (JSC::MarkedBlock::Handle::sweepHelperSelectSweepMode): Deleted.
        (JSC::MarkedBlock::Handle::sweepHelperSelectMarksMode): Deleted.
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::Handle::visitWeakSet):
        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::Handle::isNewlyAllocatedStale):
        (JSC::MarkedBlock::Handle::hasAnyNewlyAllocated):
        (JSC::MarkedBlock::heap):
        (JSC::MarkedBlock::space):
        (JSC::MarkedBlock::Handle::space):
        (JSC::MarkedBlock::Handle::specializedSweep):
        (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace):
        (JSC::MarkedBlock::Handle::sweepDestructionMode):
        (JSC::MarkedBlock::Handle::emptyMode):
        (JSC::MarkedBlock::Handle::scribbleMode):
        (JSC::MarkedBlock::Handle::newlyAllocatedMode):
        (JSC::MarkedBlock::Handle::marksMode):
        (JSC::MarkedBlock::Handle::forEachMarkedCell):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::initializeSizeClassForStepSize):
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::lastChanceToFinalize):
        (JSC::MarkedSpace::addMarkedAllocator):
        (JSC::MarkedSpace::allocate): Deleted.
        (JSC::MarkedSpace::tryAllocate): Deleted.
        (JSC::MarkedSpace::allocateLarge): Deleted.
        (JSC::MarkedSpace::tryAllocateLarge): Deleted.
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::heap):
        (JSC::MarkedSpace::allocatorLock):
        (JSC::MarkedSpace::subspaceForObjectsWithDestructor): Deleted.
        (JSC::MarkedSpace::subspaceForObjectsWithoutDestructor): Deleted.
        (JSC::MarkedSpace::subspaceForAuxiliaryData): Deleted.
        (JSC::MarkedSpace::allocatorFor): Deleted.
        (JSC::MarkedSpace::destructorAllocatorFor): Deleted.
        (JSC::MarkedSpace::auxiliaryAllocatorFor): Deleted.
        (JSC::MarkedSpace::allocateWithoutDestructor): Deleted.
        (JSC::MarkedSpace::allocateWithDestructor): Deleted.
        (JSC::MarkedSpace::allocateAuxiliary): Deleted.
        (JSC::MarkedSpace::tryAllocateAuxiliary): Deleted.
        (JSC::MarkedSpace::forEachSubspace): Deleted.
        * heap/MarkingConstraint.cpp:
        (JSC::MarkingConstraint::MarkingConstraint):
        * heap/MarkingConstraint.h:
        (JSC::MarkingConstraint::volatility):
        * heap/MarkingConstraintSet.cpp:
        (JSC::MarkingConstraintSet::resetStats):
        (JSC::MarkingConstraintSet::add):
        (JSC::MarkingConstraintSet::executeConvergenceImpl):
        * heap/MarkingConstraintSet.h:
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::visitChildren):
        (JSC::SlotVisitor::visitAsConstraint):
        (JSC::SlotVisitor::drain):
        (JSC::SlotVisitor::addOpaqueRoot):
        (JSC::SlotVisitor::mergeIfNecessary):
        (JSC::SlotVisitor::mergeOpaqueRootsIfNecessary): Deleted.
        * heap/SlotVisitor.h:
        (JSC::SlotVisitor::setIgnoreNewOpaqueRoots):
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::reportExtraMemoryVisited):
        (JSC::SlotVisitor::reportExternalMemoryVisited):
        * heap/Subspace.cpp: Added.
        (JSC::Subspace::Subspace):
        (JSC::Subspace::~Subspace):
        (JSC::Subspace::finishSweep):
        (JSC::Subspace::destroy):
        (JSC::Subspace::allocate):
        (JSC::Subspace::tryAllocate):
        (JSC::Subspace::allocatorForSlow):
        (JSC::Subspace::allocateSlow):
        (JSC::Subspace::tryAllocateSlow):
        * heap/Subspace.h: Added.
        (JSC::Subspace::tryAllocatorFor):
        (JSC::Subspace::allocatorFor):
        * heap/SubspaceInlines.h: Added.
        (JSC::Subspace::forEachMarkedBlock):
        (JSC::Subspace::forEachNotEmptyMarkedBlock):
        (JSC::Subspace::forEachLargeAllocation):
        (JSC::Subspace::forEachMarkedCell):
        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::specializedVisit):
        * heap/WeakBlock.h:
        * heap/WeakSet.h:
        (JSC::WeakSet::visit):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
        (JSC::AssemblyHelpers::emitAllocateVariableSized):
        (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_object):
        * jsc.cpp:
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::createUninitialized):
        (JSC::Butterfly::growArrayRight):
        * runtime/ClassInfo.h:
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::createEmpty):
        * runtime/DirectArguments.cpp:
        (JSC::DirectArguments::overrideThings):
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
        * runtime/HashMapImpl.h:
        (JSC::HashMapBuffer::create):
        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitialized):
        (JSC::JSArray::unshiftCountSlowCase):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
        * runtime/JSCell.h:
        (JSC::subspaceFor):
        * runtime/JSCellInlines.h:
        (JSC::JSCell::visitOutputConstraints):
        (JSC::JSCell::subspaceFor):
        (JSC::allocateCell):
        * runtime/JSDestructibleObject.h:
        (JSC::JSDestructibleObject::subspaceFor):
        * runtime/JSDestructibleObjectSubspace.cpp: Added.
        (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace):
        (JSC::JSDestructibleObjectSubspace::~JSDestructibleObjectSubspace):
        (JSC::JSDestructibleObjectSubspace::finishSweep):
        (JSC::JSDestructibleObjectSubspace::destroy):
        * runtime/JSDestructibleObjectSubspace.h: Added.
        * runtime/JSObject.h:
        (JSC::JSObject::JSObject):
        * runtime/JSObjectInlines.h:
        * runtime/JSSegmentedVariableObject.h:
        * runtime/JSString.h:
        (JSC::JSString::subspaceFor):
        * runtime/JSStringSubspace.cpp: Added.
        (JSC::JSStringSubspace::JSStringSubspace):
        (JSC::JSStringSubspace::~JSStringSubspace):
        (JSC::JSStringSubspace::finishSweep):
        (JSC::JSStringSubspace::destroy):
        * runtime/JSStringSubspace.h: Added.
        * runtime/RegExpMatchesArray.h:
        (JSC::tryCreateUninitializedRegExpMatchesArray):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2017-01-17  Michael Saboff  <msaboff@apple.com>

        Nested parenthesized regular expressions with non-zero minimum counts appear to hang and use lots of memory
        https://bugs.webkit.org/show_bug.cgi?id=167125

        Reviewed by Filip Pizlo.

        Changed Yarr to handle nested parenthesized subexpressions where the minimum count is
        not 0 directly in the Yarr interpreter.  Previously we'd factor an expression like
        (a|b)+ into (a|b)(a|b)* with special handling for captures.  This factoring was done
        using a deep copy that doubled the size of the resulting expression for each nested
        parenthesized subexpression.  Now the Yarr interpreter can directly process a regexp
        like (a|b){2,42}.

        The parser will allow one level of nested, non-zero minimum, counted parenthesis using
        the old copy method.  After one level, it will generate parenthesis terms with a non-zero
        minimum.   Such an expression wasn't handled by the Yarr JIT before the change, so this
        change isn't a performance regression.

        Added a minimum count to the YarrPattern and ByteTerm classes, and then factored that
        minimum into the interpreter.  A non-zero minimum is only handled by the Yarr interpreter.
        If the Yarr JIT sees such a term, it punts back to the interpreter.

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::backtrackPatternCharacter):
        (JSC::Yarr::Interpreter::backtrackPatternCasedCharacter):
        (JSC::Yarr::Interpreter::matchCharacterClass):
        (JSC::Yarr::Interpreter::backtrackCharacterClass):
        (JSC::Yarr::Interpreter::matchBackReference):
        (JSC::Yarr::Interpreter::backtrackBackReference):
        (JSC::Yarr::Interpreter::matchParenthesesOnceBegin):
        (JSC::Yarr::Interpreter::matchParenthesesOnceEnd):
        (JSC::Yarr::Interpreter::backtrackParenthesesOnceBegin):
        (JSC::Yarr::Interpreter::backtrackParenthesesOnceEnd):
        (JSC::Yarr::Interpreter::matchParenthesesTerminalBegin):
        (JSC::Yarr::Interpreter::backtrackParenthesesTerminalBegin):
        (JSC::Yarr::Interpreter::matchParentheticalAssertionBegin):
        (JSC::Yarr::Interpreter::matchParentheticalAssertionEnd):
        (JSC::Yarr::Interpreter::backtrackParentheticalAssertionBegin):
        (JSC::Yarr::Interpreter::backtrackParentheticalAssertionEnd):
        (JSC::Yarr::Interpreter::matchParentheses):
        (JSC::Yarr::Interpreter::backtrackParentheses):
        (JSC::Yarr::Interpreter::matchDisjunction):
        (JSC::Yarr::ByteCompiler::atomPatternCharacter):
        (JSC::Yarr::ByteCompiler::atomCharacterClass):
        (JSC::Yarr::ByteCompiler::atomBackReference):
        (JSC::Yarr::ByteCompiler::atomParentheticalAssertionEnd):
        (JSC::Yarr::ByteCompiler::atomParenthesesSubpatternEnd):
        (JSC::Yarr::ByteCompiler::atomParenthesesOnceEnd):
        (JSC::Yarr::ByteCompiler::atomParenthesesTerminalEnd):
        (JSC::Yarr::ByteCompiler::emitDisjunction):
        * yarr/YarrInterpreter.h:
        (JSC::Yarr::ByteTerm::ByteTerm):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterGreedy):
        (JSC::Yarr::YarrGenerator::backtrackPatternCharacterNonGreedy):
        (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
        (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
        (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
        (JSC::Yarr::YarrGenerator::generateTerm):
        (JSC::Yarr::YarrGenerator::backtrackTerm):
        (JSC::Yarr::YarrGenerator::generate):
        (JSC::Yarr::YarrGenerator::backtrack):
        (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::copyTerm):
        (JSC::Yarr::YarrPatternConstructor::quantifyAtom):
        (JSC::Yarr::YarrPatternConstructor::checkForTerminalParentheses):
        (JSC::Yarr::YarrPattern::YarrPattern):
        * yarr/YarrPattern.h:
        (JSC::Yarr::PatternTerm::PatternTerm):
        (JSC::Yarr::PatternTerm::quantify):
        (JSC::Yarr::YarrPattern::reset):

599 2017-01-17  Joseph Pecoraro  <pecoraro@apple.com>
600
601         ENABLE(USER_TIMING) Not Defined for Apple Windows or OS X Ports
602         https://bugs.webkit.org/show_bug.cgi?id=116551
603         <rdar://problem/13949830>
604
605         Reviewed by Alex Christensen.
606
607         * Configurations/FeatureDefines.xcconfig:
608
609 2017-01-16  Filip Pizlo  <fpizlo@apple.com>
610
611         JSCell::classInfo() shouldn't have a bunch of mitigations for being called during destruction
612         https://bugs.webkit.org/show_bug.cgi?id=167066
613
614         Reviewed by Keith Miller and Michael Saboff.
615         
616         This reduces the size of JSCell::classInfo() by half and removes some checks that
617         this function previously had to do in case it was called from destructors.
618         
619         I changed all of the destructors so that they don't call JSCell::classInfo() and I
620         added an assertion to JSCell::classInfo() to catch cases where someone called it
621         from a destructor accidentally.
622         
623         This means that we only have one place in destruction that needs to know the class:
624         the sweeper's call to the destructor.
625         
626         One of the trickiest outcomes of this is the need to support inherits() tests in
627         JSObjectGetPrivate(), when it is called from the destructor callback on the object
628         being destructed. JSObjectGetPrivate() is undefined behavior anyway if you use it
629         on any dead-but-not-destructed object other than the one being destructed right
630         now. The purpose of the inherits() tests is to distinguish between different kinds
631         of CallbackObjects, which may have different kinds of base classes. I think that
632         this was always subtly wrong - for example, if the object being destructed is a
633         JSGlobalObject then it's not a DestructibleObject, is not in a destructor block,
634         but does not have an immortal Structure - so classInfo() is not valid. This fixes
635         the issue by having ~JSCallbackObject know its classInfo. It now stashes its
636         classInfo in VM so that JSObjectGetPrivate can use that classInfo if it detects
637         that it's being used on a currently-destructing object.
638         
639         That was the only really weird part of this patch. The rest is mostly removing
640         illegal uses of jsCast<> in destructors. There were a few other genuine uses of
641         classInfo() but they were in code that already knew how to get its classInfo()
642         using other means:
643         
644         - You can still say structure()->classInfo(), and I use this form in code that
645           knows that its StructureIsImmortal.
646         
647         - You can use this->classInfo() if it's overridden, like in subclasses of
648           JSDestructibleObject.
649         
650         Rolling this back in because I think I fixed the crashes.
651
652         * API/JSAPIWrapperObject.mm:
653         (JSAPIWrapperObjectHandleOwner::finalize):
654         * API/JSCallbackObject.h:
655         * API/JSCallbackObjectFunctions.h:
656         (JSC::JSCallbackObject<Parent>::~JSCallbackObject):
657         (JSC::JSCallbackObject<Parent>::init):
658         * API/JSObjectRef.cpp:
659         (classInfoPrivate):
660         (JSObjectGetPrivate):
661         (JSObjectSetPrivate):
662         * bytecode/EvalCodeBlock.cpp:
663         (JSC::EvalCodeBlock::destroy):
664         * bytecode/FunctionCodeBlock.cpp:
665         (JSC::FunctionCodeBlock::destroy):
666         * bytecode/ModuleProgramCodeBlock.cpp:
667         (JSC::ModuleProgramCodeBlock::destroy):
668         * bytecode/ProgramCodeBlock.cpp:
669         (JSC::ProgramCodeBlock::destroy):
670         * bytecode/UnlinkedEvalCodeBlock.cpp:
671         (JSC::UnlinkedEvalCodeBlock::destroy):
672         * bytecode/UnlinkedFunctionCodeBlock.cpp:
673         (JSC::UnlinkedFunctionCodeBlock::destroy):
674         * bytecode/UnlinkedFunctionExecutable.cpp:
675         (JSC::UnlinkedFunctionExecutable::destroy):
676         * bytecode/UnlinkedModuleProgramCodeBlock.cpp:
677         (JSC::UnlinkedModuleProgramCodeBlock::destroy):
678         * bytecode/UnlinkedProgramCodeBlock.cpp:
679         (JSC::UnlinkedProgramCodeBlock::destroy):
680         * heap/CodeBlockSet.cpp:
681         (JSC::CodeBlockSet::lastChanceToFinalize):
682         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
683         * heap/MarkedAllocator.cpp:
684         (JSC::MarkedAllocator::allocateSlowCaseImpl):
685         * heap/MarkedBlock.cpp:
686         (JSC::MarkedBlock::Handle::sweep):
687         * jit/JITThunks.cpp:
688         (JSC::JITThunks::finalize):
689         * runtime/AbstractModuleRecord.cpp:
690         (JSC::AbstractModuleRecord::destroy):
691         * runtime/ExecutableBase.cpp:
692         (JSC::ExecutableBase::clearCode):
693         * runtime/JSCellInlines.h:
694         (JSC::JSCell::classInfo):
695         (JSC::JSCell::callDestructor):
696         * runtime/JSLock.h:
697         (JSC::JSLock::ownerThread):
698         * runtime/JSModuleNamespaceObject.cpp:
699         (JSC::JSModuleNamespaceObject::destroy):
700         * runtime/JSModuleRecord.cpp:
701         (JSC::JSModuleRecord::destroy):
702         * runtime/JSPropertyNameEnumerator.cpp:
703         (JSC::JSPropertyNameEnumerator::destroy):
704         * runtime/JSSegmentedVariableObject.h:
705         * runtime/SymbolTable.cpp:
706         (JSC::SymbolTable::destroy):
707         * runtime/VM.h:
708         * wasm/js/JSWebAssemblyCallee.cpp:
709         (JSC::JSWebAssemblyCallee::destroy):
710         * wasm/js/WebAssemblyModuleRecord.cpp:
711         (JSC::WebAssemblyModuleRecord::destroy):
712         * wasm/js/WebAssemblyToJSCallee.cpp:
713         (JSC::WebAssemblyToJSCallee::WebAssemblyToJSCallee):
714         (JSC::WebAssemblyToJSCallee::destroy):
715
716 2017-01-17  Filip Pizlo  <fpizlo@apple.com>
717
718         Unreviewed, roll out http://trac.webkit.org/changeset/210821
719         It was causing crashes.
720
721         * API/JSAPIWrapperObject.mm:
722         (JSAPIWrapperObjectHandleOwner::finalize):
723         * API/JSCallbackObject.h:
724         * API/JSCallbackObjectFunctions.h:
725         (JSC::JSCallbackObject<Parent>::~JSCallbackObject):
726         (JSC::JSCallbackObject<Parent>::init):
727         * API/JSObjectRef.cpp:
728         (JSObjectGetPrivate):
729         (JSObjectSetPrivate):
730         (classInfoPrivate): Deleted.
731         * bytecode/EvalCodeBlock.cpp:
732         (JSC::EvalCodeBlock::destroy):
733         * bytecode/FunctionCodeBlock.cpp:
734         (JSC::FunctionCodeBlock::destroy):
735         * bytecode/ModuleProgramCodeBlock.cpp:
736         (JSC::ModuleProgramCodeBlock::destroy):
737         * bytecode/ProgramCodeBlock.cpp:
738         (JSC::ProgramCodeBlock::destroy):
739         * bytecode/UnlinkedEvalCodeBlock.cpp:
740         (JSC::UnlinkedEvalCodeBlock::destroy):
741         * bytecode/UnlinkedFunctionCodeBlock.cpp:
742         (JSC::UnlinkedFunctionCodeBlock::destroy):
743         * bytecode/UnlinkedFunctionExecutable.cpp:
744         (JSC::UnlinkedFunctionExecutable::destroy):
745         * bytecode/UnlinkedModuleProgramCodeBlock.cpp:
746         (JSC::UnlinkedModuleProgramCodeBlock::destroy):
747         * bytecode/UnlinkedProgramCodeBlock.cpp:
748         (JSC::UnlinkedProgramCodeBlock::destroy):
749         * heap/CodeBlockSet.cpp:
750         (JSC::CodeBlockSet::lastChanceToFinalize):
751         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
752         * heap/MarkedAllocator.cpp:
753         (JSC::MarkedAllocator::allocateSlowCaseImpl):
754         * heap/MarkedBlock.cpp:
755         (JSC::MarkedBlock::Handle::sweep):
756         * jit/JITThunks.cpp:
757         (JSC::JITThunks::finalize):
758         * runtime/AbstractModuleRecord.cpp:
759         (JSC::AbstractModuleRecord::destroy):
760         * runtime/ExecutableBase.cpp:
761         (JSC::ExecutableBase::clearCode):
762         * runtime/JSCellInlines.h:
763         (JSC::JSCell::classInfo):
764         (JSC::JSCell::callDestructor):
765         * runtime/JSLock.h:
766         (JSC::JSLock::exclusiveThread):
767         (JSC::JSLock::ownerThread): Deleted.
768         * runtime/JSModuleNamespaceObject.cpp:
769         (JSC::JSModuleNamespaceObject::destroy):
770         * runtime/JSModuleRecord.cpp:
771         (JSC::JSModuleRecord::destroy):
772         * runtime/JSPropertyNameEnumerator.cpp:
773         (JSC::JSPropertyNameEnumerator::destroy):
774         * runtime/JSSegmentedVariableObject.h:
775         * runtime/SymbolTable.cpp:
776         (JSC::SymbolTable::destroy):
777         * runtime/VM.h:
778         * wasm/js/JSWebAssemblyCallee.cpp:
779         (JSC::JSWebAssemblyCallee::destroy):
780         * wasm/js/WebAssemblyModuleRecord.cpp:
781         (JSC::WebAssemblyModuleRecord::destroy):
782         * wasm/js/WebAssemblyToJSCallee.cpp:
783         (JSC::WebAssemblyToJSCallee::WebAssemblyToJSCallee):
784         (JSC::WebAssemblyToJSCallee::destroy):
785
786 2017-01-16  Filip Pizlo  <fpizlo@apple.com>
787
788         JSCell::classInfo() shouldn't have a bunch of mitigations for being called during destruction
789         https://bugs.webkit.org/show_bug.cgi?id=167066
790
791         Reviewed by Keith Miller and Michael Saboff.
792         
793         This reduces the size of JSCell::classInfo() by half and removes some checks that
794         this function previously had to do in case it was called from destructors.
795         
796         I changed all of the destructors so that they don't call JSCell::classInfo() and I
797         added an assertion to JSCell::classInfo() to catch cases where someone called it
798         from a destructor accidentally.
799         
800         This means that we only have one place in destruction that needs to know the class:
801         the sweeper's call to the destructor.
802         
803         One of the trickiest outcomes of this is the need to support inherits() tests in
804         JSObjectGetPrivate(), when it is called from the destructor callback on the object
805         being destructed. JSObjectGetPrivate() is undefined behavior anyway if you use it
806         on any dead-but-not-destructed object other than the one being destructed right
807         now. The purpose of the inherits() tests is to distinguish between different kinds
808         of CallbackObjects, which may have different kinds of base classes. I think that
809         this was always subtly wrong - for example, if the object being destructed is a
810         JSGlobalObject then it's not a DestructibleObject, is not in a destructor block,
811         but does not have an immortal Structure - so classInfo() is not valid. This fixes
812         the issue by having ~JSCallbackObject know its classInfo. It now stashes its
813         classInfo in VM so that JSObjectGetPrivate can use that classInfo if it detects
814         that it's being used on a currently-destructing object.
815         
816         That was the only really weird part of this patch. The rest is mostly removing
817         illegal uses of jsCast<> in destructors. There were a few other genuine uses of
818         classInfo() but they were in code that already knew how to get its classInfo()
819         using other means:
820         
821         - You can still say structure()->classInfo(), and I use this form in code that
822           knows that its StructureIsImmortal.
823         
824         - You can use this->classInfo() if it's overridden, like in subclasses of
825           JSDestructibleObject.
826
827         * API/JSAPIWrapperObject.mm:
828         (JSAPIWrapperObjectHandleOwner::finalize):
829         * API/JSCallbackObject.h:
830         * API/JSCallbackObjectFunctions.h:
831         (JSC::JSCallbackObject<Parent>::~JSCallbackObject):
832         (JSC::JSCallbackObject<Parent>::init):
833         * API/JSObjectRef.cpp:
834         (classInfoPrivate):
835         (JSObjectGetPrivate):
836         (JSObjectSetPrivate):
837         * bytecode/EvalCodeBlock.cpp:
838         (JSC::EvalCodeBlock::destroy):
839         * bytecode/FunctionCodeBlock.cpp:
840         (JSC::FunctionCodeBlock::destroy):
841         * bytecode/ModuleProgramCodeBlock.cpp:
842         (JSC::ModuleProgramCodeBlock::destroy):
843         * bytecode/ProgramCodeBlock.cpp:
844         (JSC::ProgramCodeBlock::destroy):
845         * bytecode/UnlinkedEvalCodeBlock.cpp:
846         (JSC::UnlinkedEvalCodeBlock::destroy):
847         * bytecode/UnlinkedFunctionCodeBlock.cpp:
848         (JSC::UnlinkedFunctionCodeBlock::destroy):
849         * bytecode/UnlinkedFunctionExecutable.cpp:
850         (JSC::UnlinkedFunctionExecutable::destroy):
851         * bytecode/UnlinkedModuleProgramCodeBlock.cpp:
852         (JSC::UnlinkedModuleProgramCodeBlock::destroy):
853         * bytecode/UnlinkedProgramCodeBlock.cpp:
854         (JSC::UnlinkedProgramCodeBlock::destroy):
855         * heap/CodeBlockSet.cpp:
856         (JSC::CodeBlockSet::lastChanceToFinalize):
857         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
858         * heap/MarkedAllocator.cpp:
859         (JSC::MarkedAllocator::allocateSlowCaseImpl):
860         * heap/MarkedBlock.cpp:
861         (JSC::MarkedBlock::Handle::sweep):
862         * jit/JITThunks.cpp:
863         (JSC::JITThunks::finalize):
864         * runtime/AbstractModuleRecord.cpp:
865         (JSC::AbstractModuleRecord::destroy):
866         * runtime/ExecutableBase.cpp:
867         (JSC::ExecutableBase::clearCode):
868         * runtime/JSCellInlines.h:
869         (JSC::JSCell::classInfo):
870         (JSC::JSCell::callDestructor):
871         * runtime/JSLock.h:
872         (JSC::JSLock::ownerThread):
873         * runtime/JSModuleNamespaceObject.cpp:
874         (JSC::JSModuleNamespaceObject::destroy):
875         * runtime/JSModuleRecord.cpp:
876         (JSC::JSModuleRecord::destroy):
877         * runtime/JSPropertyNameEnumerator.cpp:
878         (JSC::JSPropertyNameEnumerator::destroy):
879         * runtime/JSSegmentedVariableObject.h:
880         * runtime/SymbolTable.cpp:
881         (JSC::SymbolTable::destroy):
882         * runtime/VM.h:
883         * wasm/js/JSWebAssemblyCallee.cpp:
884         (JSC::JSWebAssemblyCallee::destroy):
885         * wasm/js/WebAssemblyModuleRecord.cpp:
886         (JSC::WebAssemblyModuleRecord::destroy):
887         * wasm/js/WebAssemblyToJSCallee.cpp:
888         (JSC::WebAssemblyToJSCallee::WebAssemblyToJSCallee):
889         (JSC::WebAssemblyToJSCallee::destroy):
890
891 2017-01-16  Joseph Pecoraro  <pecoraro@apple.com>
892
893         Remove the REQUEST_ANIMATION_FRAME flag
894         https://bugs.webkit.org/show_bug.cgi?id=156980
895         <rdar://problem/25906849>
896
897         Reviewed by Simon Fraser.
898
899         * Configurations/FeatureDefines.xcconfig:
900
901 2017-01-14  Yusuke Suzuki  <utatane.tea@gmail.com>
902
903         WebAssembly: Suppress warnings & errors in GCC
904         https://bugs.webkit.org/show_bug.cgi?id=167049
905
906         Reviewed by Sam Weinig.
907
908         * wasm/WasmFunctionParser.h:
909         Add missing { } after the switch. Ideally, it is not necessary.
910         But in GCC, it is required. Since this function is fairly large,
911         I think the code generated by this does not cause performance
912         regression.
913
914         * wasm/WasmPageCount.h:
915         UINT_MAX is defined in limits.h.
916
917         * wasm/generateWasmValidateInlinesHeader.py:
918         On the other hand, we use this suppress pragma here to solve the
919         same problem in wasm/WasmFunctionParser.h. Since the load function
920         is fairly small, the additional `return { };` may generate some
921         suboptimal code. See bug 150794 for more detail.
922
923 2017-01-14  Yusuke Suzuki  <utatane.tea@gmail.com>
924
925         Reserve capacity for StringBuilder in unescape
926         https://bugs.webkit.org/show_bug.cgi?id=167008
927
928         Reviewed by Sam Weinig.
929
930         The `unescape` function is frequently called in Kraken sha256-iterative.
931         This patch just reserves the capacity for the StringBuilder.
932
933         Currently, we select the length of the string for the reserved capacity.
934         It improves performance by 2.73%.
935
936             Benchmark report for Kraken on sakura-trick.
937
938             VMs tested:
939             "baseline" at /home/yusukesuzuki/dev/WebKit/WebKitBuild/untot/Release/bin/jsc
940             "patched" at /home/yusukesuzuki/dev/WebKit/WebKitBuild/un/Release/bin/jsc
941
942             Collected 100 samples per benchmark/VM, with 100 VM invocations per benchmark. Emitted a call to gc() between
943             sample measurements. Used 1 benchmark iteration per VM invocation for warm-up. Used the jsc-specific preciseTime()
944             function to get microsecond-level timing. Reporting benchmark execution times with 95% confidence intervals in
945             milliseconds.
946
947                                                        baseline                  patched
948
949             stanford-crypto-sha256-iterative        51.609+-0.672             50.237+-0.860           might be 1.0273x faster
950
951             <arithmetic>                            51.609+-0.672             50.237+-0.860           might be 1.0273x faster
952
953         * runtime/JSGlobalObjectFunctions.cpp:
954         (JSC::globalFuncUnescape):
955
956 2017-01-13  Joseph Pecoraro  <pecoraro@apple.com>
957
958         Remove ENABLE(DETAILS_ELEMENT) guards
959         https://bugs.webkit.org/show_bug.cgi?id=167042
960
961         Reviewed by Alex Christensen.
962
963         * Configurations/FeatureDefines.xcconfig:
964
965 2017-01-11  Darin Adler  <darin@apple.com>
966
967         Remove PassRefPtr from more of "platform"
968         https://bugs.webkit.org/show_bug.cgi?id=166809
969
970         Reviewed by Sam Weinig.
971
972         * inspector/JSInjectedScriptHost.h:
973         (Inspector::JSInjectedScriptHost::impl): Simplified code since we don't need a
974         const_cast here any more.
975         * runtime/PrivateName.h:
976         (JSC::PrivateName::uid): Ditto.
977
978 2017-01-13  Ryan Haddad  <ryanhaddad@apple.com>
979
980         Unreviewed, rolling out r210735.
981
982         This change introduced LayoutTest and JSC test flakiness.
983
984         Reverted changeset:
985
986         "Reserve capacity for StringBuilder in unescape"
987         https://bugs.webkit.org/show_bug.cgi?id=167008
988         http://trac.webkit.org/changeset/210735
989
990 2017-01-13  Saam Barati  <sbarati@apple.com>
991
992         Initialize the ArraySpecies watchpoint as Clear and transition to IsWatched once slice is called for the first time
993         https://bugs.webkit.org/show_bug.cgi?id=167017
994         <rdar://problem/30019309>
995
996         Reviewed by Keith Miller and Filip Pizlo.
997
998         This patch is to reverse the JSBench regression from r210695.
999         
1000         The new state diagram for the array species watchpoint is as
1001         follows:
1002         
1003         1. On GlobalObject construction, it starts life out as ClearWatchpoint.
1004         2. When slice is called for the first time, we observe the state
1005         of the world, and either transition it to IsWatched if we were able
1006         to set up the object property conditions, or to IsInvalidated if we
1007         were not.
1008         3. The DFG compiler will now only lower slice as an intrinsic if
1009         it observed the speciesWatchpoint.state() as IsWatched.
1010         4. The IsWatched => IsInvalidated transition happens only when
1011         one of the object property condition watchpoints fire.
1012
1013         * dfg/DFGByteCodeParser.cpp:
1014         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1015         * runtime/ArrayPrototype.cpp:
1016         (JSC::speciesWatchpointIsValid):
1017         (JSC::speciesConstructArray):
1018         (JSC::arrayProtoPrivateFuncConcatMemcpy):
1019         (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
1020         (JSC::ArrayPrototype::initializeSpeciesWatchpoint): Deleted.
1021         * runtime/ArrayPrototype.h:
1022         * runtime/JSGlobalObject.cpp:
1023         (JSC::JSGlobalObject::JSGlobalObject):
1024         (JSC::JSGlobalObject::init):
1025
1026 2017-01-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1027
1028         Reserve capacity for StringBuilder in unescape
1029         https://bugs.webkit.org/show_bug.cgi?id=167008
1030
1031         Reviewed by Sam Weinig.
1032
1033         The `unescape` function is frequently called in Kraken sha256-iterative.
1034         This patch just reserves the capacity for the StringBuilder.
1035
1036         Currently, we select the length of the string for the reserved capacity.
1037         It improves performance by 2.73%.
1038
1039             Benchmark report for Kraken on sakura-trick.
1040
1041             VMs tested:
1042             "baseline" at /home/yusukesuzuki/dev/WebKit/WebKitBuild/untot/Release/bin/jsc
1043             "patched" at /home/yusukesuzuki/dev/WebKit/WebKitBuild/un/Release/bin/jsc
1044
1045             Collected 100 samples per benchmark/VM, with 100 VM invocations per benchmark. Emitted a call to gc() between
1046             sample measurements. Used 1 benchmark iteration per VM invocation for warm-up. Used the jsc-specific preciseTime()
1047             function to get microsecond-level timing. Reporting benchmark execution times with 95% confidence intervals in
1048             milliseconds.
1049
1050                                                        baseline                  patched
1051
1052             stanford-crypto-sha256-iterative        51.609+-0.672             50.237+-0.860           might be 1.0273x faster
1053
1054             <arithmetic>                            51.609+-0.672             50.237+-0.860           might be 1.0273x faster
1055
1056         * runtime/JSGlobalObjectFunctions.cpp:
1057         (JSC::globalFuncUnescape):
1058
1059 2017-01-12  Saam Barati  <sbarati@apple.com>
1060
1061         Add a slice intrinsic to the DFG/FTL
1062         https://bugs.webkit.org/show_bug.cgi?id=166707
1063         <rdar://problem/29913445>
1064
1065         Reviewed by Filip Pizlo.
1066
1067         The gist of this patch is to inline Array.prototype.slice
1068         into the DFG/FTL. The implementation in the DFG-backend
1069         and FTLLowerDFGToB3 is just a straightforward implementation
1070         of what the C function is doing. The more interesting bits
1071         of this patch are setting up the proper watchpoints and conditions
1072         in the executing code to prove that it's safe to skip all of the
1073         observable JS actions that Array.prototype.slice normally does.
1074         
1075         We perform the following proofs:
1076         1. Array.prototype.constructor has not changed (via a watchpoint).
1077         2. That Array.prototype.constructor[Symbol.species] has not changed (via a watchpoint).
1078         3. The global object is not having a bad time.
1079         4. The array that is being sliced has an original array structure.
1080         5. Array.prototype/Object.prototype have not transitioned.
1081         
1082         Conditions 1, 2, and 3 are strictly required.
1083         
1084         4 is ensuring a couple things:
1085         1. That a "constructor" property hasn't been added to the array
1086         we're slicing since we're supposed to perform a Get(array, "constructor").
1087         2. That we're not slicing an instance of a subclass of Array.
1088         
1089         We could relax 4.1 in the future if we find other ways to test if
1090         the incoming array hasn't changed the "constructor" property. We
1091         would probably use TryGetById to do this.
1092         
1093         I'm seeing a 5% speedup on crypto-pbkdf2 and often a 1% speedup on
1094         the total benchmark (the results are sometimes noisy).
1095
1096         * dfg/DFGAbstractInterpreterInlines.h:
1097         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1098         * dfg/DFGByteCodeParser.cpp:
1099         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1100         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
1101         (JSC::DFG::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator):
1102         * dfg/DFGClobberize.h:
1103         (JSC::DFG::clobberize):
1104         * dfg/DFGDoesGC.cpp:
1105         (JSC::DFG::doesGC):
1106         * dfg/DFGFixupPhase.cpp:
1107         (JSC::DFG::FixupPhase::fixupNode):
1108         * dfg/DFGNodeType.h:
1109         * dfg/DFGPredictionPropagationPhase.cpp:
1110         * dfg/DFGSafeToExecute.h:
1111         (JSC::DFG::safeToExecute):
1112         * dfg/DFGSpeculativeJIT.cpp:
1113         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1114         (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
1115         * dfg/DFGSpeculativeJIT.h:
1116         * dfg/DFGSpeculativeJIT32_64.cpp:
1117         (JSC::DFG::SpeculativeJIT::compile):
1118         (JSC::DFG::SpeculativeJIT::emitInitializeButterfly):
1119         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
1120         * dfg/DFGSpeculativeJIT64.cpp:
1121         (JSC::DFG::SpeculativeJIT::compile):
1122         (JSC::DFG::SpeculativeJIT::emitInitializeButterfly):
1123         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
1124         * ftl/FTLAbstractHeapRepository.h:
1125         * ftl/FTLCapabilities.cpp:
1126         (JSC::FTL::canCompile):
1127         * ftl/FTLLowerDFGToB3.cpp:
1128         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1129         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
1130         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
1131         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1132         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
1133         (JSC::FTL::DFG::LowerDFGToB3::storeStructure):
1134         (JSC::FTL::DFG::LowerDFGToB3::allocateCell):
1135         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1136         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
1137         (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArray):
1138         * jit/AssemblyHelpers.cpp:
1139         (JSC::AssemblyHelpers::emitLoadStructure):
1140         * runtime/ArrayPrototype.cpp:
1141         (JSC::ArrayPrototype::finishCreation):
1142         (JSC::speciesWatchpointIsValid):
1143         (JSC::speciesConstructArray):
1144         (JSC::arrayProtoFuncSlice):
1145         (JSC::arrayProtoPrivateFuncConcatMemcpy):
1146         (JSC::ArrayPrototype::initializeSpeciesWatchpoint):
1147         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
1148         (JSC::speciesWatchpointsValid): Deleted.
1149         (JSC::ArrayPrototype::attemptToInitializeSpeciesWatchpoint): Deleted.
1150         * runtime/ArrayPrototype.h:
1151         (JSC::ArrayPrototype::speciesWatchpointStatus): Deleted.
1152         (): Deleted.
1153         * runtime/Intrinsic.h:
1154         * runtime/JSGlobalObject.cpp:
1155         (JSC::JSGlobalObject::JSGlobalObject):
1156         (JSC::JSGlobalObject::init):
1157         * runtime/JSGlobalObject.h:
1158         (JSC::JSGlobalObject::arraySpeciesWatchpoint):
1159         * runtime/Structure.h:
1160
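The following is an added example, not part of this ChangeLog and not WebKit source, illustrating the observable JavaScript behaviour that the ArraySpecies watchpoint entry (bug 167017) and proofs 1, 2 and 4 of the slice intrinsic entry (bug 166707) above have to guard: Array.prototype.slice performs Get(array, "constructor") and Get(constructor, Symbol.species) before allocating its result, so a subclass, an own "constructor" property, a replaced species getter, or a non-constructor value all change what slice does. The class MyArray, the helper function names and the sample arrays are constructed for the illustration; it runs under Node.js.

```javascript
// Added example, not WebKit source: the observable JavaScript behaviour of
// Array.prototype.slice that the DFG/FTL slice intrinsic must prove away.
// Per ArraySpeciesCreate (ES2015+): C = O.constructor; if C is an object,
// C = C[Symbol.species]; null becomes undefined; undefined selects %Array%;
// anything else that is not a constructor throws a TypeError.

// Constructed subclass for the illustration.
class MyArray extends Array {}

// Case A: plain array, untouched prototypes. This is the only shape the
// intrinsic handles: the result is a plain Array.
function sliceOrdinary() {
  const a = [1, 2, 3, 4];
  const r = a.slice(1, 3);
  return { plainArray: r.constructor === Array, values: Array.from(r) };
}

// Case B (proof 4.2): a subclass instance. The species lookup reaches
// MyArray through MyArray.prototype.constructor, so slice() allocates a MyArray.
function sliceSubclass() {
  const a = MyArray.from([1, 2, 3, 4]);
  const r = a.slice(1, 3);
  return { myArray: r instanceof MyArray, values: Array.from(r) };
}

// Case C (proof 4.1): an own "constructor" property on a plain array.
// Get(array, "constructor") is observable and redirects the species.
function sliceWithOwnConstructor() {
  const a = [1, 2, 3, 4];
  a.constructor = { [Symbol.species]: MyArray };
  const r = a.slice(1, 3);
  return { myArray: r instanceof MyArray, values: Array.from(r) };
}

// Case D (proofs 1 and 2): Array[Symbol.species] is a configurable accessor.
// Replace it with a counting getter to show that every slice() reads it,
// then restore the original descriptor.
function speciesGetterIsObserved() {
  const original = Object.getOwnPropertyDescriptor(Array, Symbol.species);
  let reads = 0;
  Object.defineProperty(Array, Symbol.species, {
    configurable: true,
    get() { reads += 1; return Array; },
  });
  try {
    [1, 2, 3].slice(0, 2);
    [1, 2, 3].slice(1);
  } finally {
    Object.defineProperty(Array, Symbol.species, original);
  }
  return reads;
}

// Case E: a non-constructor "constructor" makes slice() throw, another
// observable effect that a memcpy-style fast path could not reproduce.
function sliceWithBogusConstructor() {
  const a = [1, 2, 3, 4];
  a.constructor = 5;
  try {
    a.slice(0, 2);
    return 'no error';
  } catch (e) {
    return e instanceof TypeError ? 'TypeError' : 'other';
  }
}

function report() {
  return {
    ordinary: sliceOrdinary(),
    subclass: sliceSubclass(),
    ownConstructor: sliceWithOwnConstructor(),
    speciesReads: speciesGetterIsObserved(),
    bogusConstructor: sliceWithBogusConstructor(),
  };
}

console.log(JSON.stringify(report(), null, 2));
```

Cases B through E are exactly the situations in which the inlined slice would diverge from the C++ implementation if it skipped the constructor and species lookups; the watchpoints on Array.prototype.constructor and its Symbol.species, plus the original-array-structure check on the receiver, are what let the compiler conclude that only case A can occur.
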
1161 2017-01-12  Saam Barati  <sbarati@apple.com>
1162
1163         Concurrent GC has a bug where we would detect a race but fail to rescan the object
1164         https://bugs.webkit.org/show_bug.cgi?id=166960
1165         <rdar://problem/29983526>
1166
1167         Reviewed by Filip Pizlo and Mark Lam.
1168
1169         We have code like this in JSC:
1170         
1171         ```
1172         Butterfly* butterfly = allocateMoreOutOfLineStorage(vm, oldOutOfLineCapacity, newOutOfLineCapacity);
1173         nukeStructureAndSetButterfly(vm, structureID, butterfly);
1174         structure->setLastOffset(newLastOffset);
1175         WTF::storeStoreFence();
1176         setStructureIDDirectly(structureID);
1177         ```
1178         
1179         Note that the collector could detect a race here, which sometimes
1180         incorrectly caused us to not visit the object again.
1181         
1182         Mutator Thread: M, Collector Thread: C, assuming sequential consistency via
1183         proper barriers:
1184         
1185         M: allocate new butterfly
1186         M: Set nuked structure ID
1187         M: Set butterfly (this does a barrier)
1188         C: Start scanning O
1189         C: load structure ID
1190         C: See it's nuked and bail, (we used to rely on a write barrier to rescan).
1191         
1192         We sometimes never rescanned here because we were calling
1193         setStructureIDDirectly which doesn't do a write barrier.
1194         (Note, the places that do this but call setStructure were
1195         OK because setStructure will perform a write barrier.)
1196         
1197         (This same issue also existed in places where the collector thread
1198         detected races for Structure::m_offset, but places that changed
1199         Structure::m_offset didn't perform a write barrier on the object
1200         after changing its Structure's m_offset.)
1201         
1202         To prevent such code from requiring every call site to perform
1203         a write barrier on the object, I've changed the collector code
1204         to keep a stack of cells to be revisited due to races. This stack
1205         is then consulted when we do marking. Because such races are rare,
1206         we have a single stack on Heap that is guarded by a lock.
1207
1208         * heap/Heap.cpp:
1209         (JSC::Heap::Heap):
1210         (JSC::Heap::~Heap):
1211         (JSC::Heap::markToFixpoint):
1212         (JSC::Heap::endMarking):
1213         (JSC::Heap::buildConstraintSet):
1214         (JSC::Heap::addToRaceMarkStack):
1215         * heap/Heap.h:
1216         (JSC::Heap::collectorSlotVisitor):
1217         (JSC::Heap::mutatorMarkStack): Deleted.
1218         * heap/SlotVisitor.cpp:
1219         (JSC::SlotVisitor::didRace):
1220         * heap/SlotVisitor.h:
1221         (JSC::SlotVisitor::didRace):
1222         (JSC::SlotVisitor::didNotRace): Deleted.
1223         * heap/SlotVisitorInlines.h:
1224         (JSC::SlotVisitor::didNotRace): Deleted.
1225         * runtime/JSObject.cpp:
1226         (JSC::JSObject::visitButterfly):
1227         (JSC::JSObject::visitButterflyImpl):
1228         * runtime/JSObjectInlines.h:
1229         (JSC::JSObject::prepareToPutDirectWithoutTransition):
1230         * runtime/Structure.cpp:
1231         (JSC::Structure::flattenDictionaryStructure):
1232
1233 2017-01-12  Chris Dumez  <cdumez@apple.com>
1234
1235         Add KEYBOARD_KEY_ATTRIBUTE / KEYBOARD_CODE_ATTRIBUTE to FeatureDefines.xcconfig
1236         https://bugs.webkit.org/show_bug.cgi?id=166995
1237
1238         Reviewed by Jer Noble.
1239
1240         Add KEYBOARD_KEY_ATTRIBUTE / KEYBOARD_CODE_ATTRIBUTE to FeatureDefines.xcconfig
1241         as some people are having trouble building without it.
1242
1243         * Configurations/FeatureDefines.xcconfig:
1244
1245 2017-01-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1246
1247         Implement InlineClassicScript
1248         https://bugs.webkit.org/show_bug.cgi?id=166925
1249
1250         Reviewed by Ryosuke Niwa.
1251
1252         Add ScriptFetcher field for SourceOrigin.
1253
1254         * runtime/SourceOrigin.h:
1255         (JSC::SourceOrigin::SourceOrigin):
1256         (JSC::SourceOrigin::fetcher):
1257
1258 2017-01-11  Andreas Kling  <akling@apple.com>
1259
1260         Crash when WebCore's GC heap grows way too large.
1261         <https://webkit.org/b/166875>
1262         <rdar://problem/27896585>
1263
1264         Reviewed by Mark Lam.
1265
1266         Add a simple API to JSC::Heap that allows setting a hard limit on the amount
1267         of live bytes. If this is exceeded, we crash with a recognizable signature.
1268         By default there is no limit.
1269
1270         * heap/Heap.cpp:
1271         (JSC::Heap::didExceedMaxLiveSize):
1272         (JSC::Heap::updateAllocationLimits):
1273         * heap/Heap.h:
1274         (JSC::Heap::setMaxLiveSize):
1275
1276 2017-01-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1277
1278         Decouple module loading initiator from ScriptElement
1279         https://bugs.webkit.org/show_bug.cgi?id=166888
1280
1281         Reviewed by Saam Barati and Ryosuke Niwa.
1282
1283         Add ScriptFetcher and JSScriptFetcher.
1284
1285         * CMakeLists.txt:
1286         * JavaScriptCore.xcodeproj/project.pbxproj:
1287         * builtins/ModuleLoaderPrototype.js:
1288         (requestFetch):
1289         (requestInstantiate):
1290         (requestSatisfy):
1291         (requestInstantiateAll):
1292         (requestLink):
1293         (moduleEvaluation):
1294         (loadAndEvaluateModule):
1295         (importModule):
1296         * llint/LLIntData.cpp:
1297         (JSC::LLInt::Data::performAssertions):
1298         * llint/LowLevelInterpreter.asm:
1299         * runtime/Completion.cpp:
1300         (JSC::loadAndEvaluateModule):
1301         (JSC::loadModule):
1302         (JSC::linkAndEvaluateModule):
1303         * runtime/Completion.h:
1304         * runtime/JSModuleLoader.cpp:
1305         (JSC::JSModuleLoader::loadAndEvaluateModule):
1306         (JSC::JSModuleLoader::loadModule):
1307         (JSC::JSModuleLoader::linkAndEvaluateModule):
1308         (JSC::JSModuleLoader::resolve):
1309         (JSC::JSModuleLoader::fetch):
1310         (JSC::JSModuleLoader::instantiate):
1311         (JSC::JSModuleLoader::evaluate):
1312         * runtime/JSModuleLoader.h:
1313         * runtime/JSScriptFetcher.cpp: Copied from Source/WebCore/dom/LoadableScript.cpp.
1314         (JSC::JSScriptFetcher::destroy):
1315         * runtime/JSScriptFetcher.h: Added.
1316         (JSC::JSScriptFetcher::createStructure):
1317         (JSC::JSScriptFetcher::create):
1318         (JSC::JSScriptFetcher::fetcher):
1319         (JSC::JSScriptFetcher::JSScriptFetcher):
1320         * runtime/JSType.h:
1321         * runtime/ScriptFetcher.h: Copied from Source/WebCore/dom/LoadableScript.cpp.
1322         (JSC::ScriptFetcher::~ScriptFetcher):
1323         * runtime/VM.cpp:
1324         (JSC::VM::VM):
1325         * runtime/VM.h:
1326
1327 2017-01-10  Yusuke Suzuki  <utatane.tea@gmail.com>
1328
1329         Implement JSSourceCode to propagate SourceCode in module pipeline
1330         https://bugs.webkit.org/show_bug.cgi?id=166861
1331
1332         Reviewed by Saam Barati.
1333
1334         Instead of propagating the source code string, we propagate a JSSourceCode
1335         cell in the module pipeline. This allows us to attach metadata
1336         to the propagated source code string. In particular, it propagates
1337         SourceOrigin through the module pipeline.
1338
1339         And it also fixes JSC shell to use Module source type for module source code.
1340
1341         * CMakeLists.txt:
1342         * JavaScriptCore.xcodeproj/project.pbxproj:
1343         * builtins/ModuleLoaderPrototype.js:
1344         (fulfillFetch):
1345         (requestFetch):
1346         * jsc.cpp:
1347         (GlobalObject::moduleLoaderFetch):
1348         (runWithScripts):
1349         * llint/LLIntData.cpp:
1350         (JSC::LLInt::Data::performAssertions):
1351         * llint/LowLevelInterpreter.asm:
1352         * runtime/Completion.cpp:
1353         (JSC::loadAndEvaluateModule):
1354         (JSC::loadModule):
1355         * runtime/JSModuleLoader.cpp:
1356         (JSC::JSModuleLoader::provide):
1357         * runtime/JSModuleLoader.h:
1358         * runtime/JSSourceCode.cpp: Added.
1359         (JSC::JSSourceCode::destroy):
1360         * runtime/JSSourceCode.h: Added.
1361         (JSC::JSSourceCode::createStructure):
1362         (JSC::JSSourceCode::create):
1363         (JSC::JSSourceCode::sourceCode):
1364         (JSC::JSSourceCode::JSSourceCode):
1365         * runtime/JSType.h:
1366         * runtime/ModuleLoaderPrototype.cpp:
1367         (JSC::moduleLoaderPrototypeParseModule):
1368         * runtime/VM.cpp:
1369         (JSC::VM::VM):
1370         * runtime/VM.h:
1371
1372 2017-01-10  Commit Queue  <commit-queue@webkit.org>
1373
1374         Unreviewed, rolling out r210052.
1375         https://bugs.webkit.org/show_bug.cgi?id=166915
1376
1377         "breaks web compatibility" (Requested by keith_miller on
1378         #webkit).
1379
1380         Reverted changeset:
1381
1382         "Add support for global"
1383         https://bugs.webkit.org/show_bug.cgi?id=165171
1384         http://trac.webkit.org/changeset/210052
1385
1386 2017-01-10  Sam Weinig  <sam@webkit.org>
1387
1388         [WebIDL] Remove most of the custom bindings for the WebGL code
1389         https://bugs.webkit.org/show_bug.cgi?id=166834
1390
1391         Reviewed by Alex Christensen.
1392
1393         * runtime/ArrayPrototype.h:
1394         * runtime/ObjectPrototype.h:
1395         Export the ClassInfo so it can be used from WebCore.
1396
1397 2017-01-09  Filip Pizlo  <fpizlo@apple.com>
1398
1399         Streamline the GC barrier slowpath
1400         https://bugs.webkit.org/show_bug.cgi?id=166878
1401
1402         Reviewed by Geoffrey Garen and Saam Barati.
1403         
1404         This implements two optimizations to the barrier:
1405         
1406         - Removes the write barrier buffer. This was just overhead.
1407         
1408         - Teaches the slow path how to white an object that was black but unmarked, ensuring that
1409           we don't take slow path for this object again.
1410
1411         * JavaScriptCore.xcodeproj/project.pbxproj:
1412         * dfg/DFGSpeculativeJIT.cpp:
1413         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
1414         * ftl/FTLLowerDFGToB3.cpp:
1415         (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
1416         * heap/CellState.h:
1417         * heap/Heap.cpp:
1418         (JSC::Heap::Heap):
1419         (JSC::Heap::markToFixpoint):
1420         (JSC::Heap::addToRememberedSet):
1421         (JSC::Heap::stopTheWorld):
1422         (JSC::Heap::writeBarrierSlowPath):
1423         (JSC::Heap::buildConstraintSet):
1424         (JSC::Heap::flushWriteBarrierBuffer): Deleted.
1425         * heap/Heap.h:
1426         (JSC::Heap::writeBarrierBuffer): Deleted.
1427         * heap/SlotVisitor.cpp:
1428         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
1429         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
1430         (JSC::SlotVisitor::appendToMarkStack):
1431         (JSC::SlotVisitor::visitChildren):
1432         * heap/WriteBarrierBuffer.cpp: Removed.
1433         * heap/WriteBarrierBuffer.h: Removed.
1434         * jit/JITOperations.cpp:
1435         * jit/JITOperations.h:
1436         * runtime/JSCellInlines.h:
1437         (JSC::JSCell::JSCell):
1438         * runtime/StructureIDBlob.h:
1439         (JSC::StructureIDBlob::StructureIDBlob):
1440
1441 2017-01-10  Mark Lam  <mark.lam@apple.com>
1442
1443         Property setters should not be called for bound arguments list entries.
1444         https://bugs.webkit.org/show_bug.cgi?id=165631
1445
1446         Reviewed by Filip Pizlo.
1447
1448         * builtins/FunctionPrototype.js:
1449         (bind):
1450         - use @putByValDirect to set the bound arguments so that we don't consult the
1451           prototype chain for setters.
1452
1453         * runtime/IntlDateTimeFormatPrototype.cpp:
1454         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
1455         * runtime/IntlNumberFormatPrototype.cpp:
1456         (JSC::IntlNumberFormatPrototypeGetterFormat):
1457         - no need to create a bound arguments array because these bound functions bind
1458           no arguments according to the spec.
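Added illustration (not WebKit's code) of the setter problem this entry fixes: with an accessor installed on Array.prototype for index "0", a bind() that stores its bound arguments with ordinary indexed assignment calls that setter and loses the argument, while storing them with a define-own-property operation (the role @putByValDirect plays in the builtin) does not. The naiveBind/directBind functions and the setter harness are constructed for this example; nativeBind wraps the engine's own Function.prototype.bind for comparison.

```javascript
// Added example (not WebKit's code): an observable Array.prototype index setter
// versus bound-argument storage that does or does not consult the prototype chain.

// Run fn() while Array.prototype has a setter for index "0" and report how often
// it fired. The record is a plain object (not an array) so that recording a call
// cannot itself trigger the setter. Array.prototype is restored afterwards.
function withIndexSetterOnArrayPrototype(fn) {
  const record = { count: 0, values: [] };
  Object.defineProperty(Array.prototype, '0', {
    configurable: true,
    // literal + concat only create own data properties, so no recursion into this setter
    set(v) { record.count++; record.values = record.values.concat([v]); },
  });
  try {
    fn();
  } finally {
    delete Array.prototype[0];
    Array.prototype.length = 0; // the defineProperty above bumped it to 1
  }
  return record;
}

// Pre-fix shape: stored[i] = v is an ordinary [[Set]]. With no own element at i,
// the lookup falls through to Array.prototype and its setter swallows the value.
function naiveBind(target, thisArg, ...boundArgs) {
  const stored = [];
  for (let i = 0; i < boundArgs.length; i++) stored[i] = boundArgs[i];
  return (...callArgs) => target.apply(thisArg, stored.concat(callArgs));
}

// Fixed shape: define the element directly on the array (what @putByValDirect
// does in the builtin), which never consults the prototype chain.
function directBind(target, thisArg, ...boundArgs) {
  const stored = [];
  for (let i = 0; i < boundArgs.length; i++) {
    Object.defineProperty(stored, i, {
      value: boundArgs[i], writable: true, enumerable: true, configurable: true,
    });
  }
  return (...callArgs) => target.apply(thisArg, stored.concat(callArgs));
}

// The engine's native bind, for comparison with the two models above.
function nativeBind(target, thisArg, ...boundArgs) {
  return target.bind(thisArg, ...boundArgs);
}

// Bind a function that returns its argument list, call it once, and report both
// what the target received and whether the prototype setter observed anything.
function demonstrate(bindImpl) {
  const target = (...args) => args;
  let received;
  const setter = withIndexSetterOnArrayPrototype(() => {
    received = bindImpl(target, null, 'bound', 'args')('call');
  });
  return { setterCalls: setter.count, leaked: setter.values, received };
}

for (const impl of [naiveBind, directBind, nativeBind]) {
  console.log(impl.name, JSON.stringify(demonstrate(impl)));
}
```

With the naive store the setter fires once, the first bound argument is gone and the target sees `[undefined, 'args', 'call']`; the direct store and the native bind both leave the setter untouched and deliver `['bound', 'args', 'call']`.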
1459
1460 2017-01-10  Skachkov Oleksandr  <gskachkov@gmail.com>
1461
1462         Calling async arrow function which is in a class's member function will cause error
1463         https://bugs.webkit.org/show_bug.cgi?id=166879
1464
1465         Reviewed by Saam Barati.
1466
1467         The current patch fixes loading 'super' in async arrow functions. The error appeared because
1468         super was always loaded regardless of whether it was used in the async arrow function or not, but the bytecompiler
1469         puts it into the arrow function context only if it is used within the arrow function. So to fix this issue we need to
1470         check whether super was used in the arrow function.
1471
1472         * bytecompiler/BytecodeGenerator.h:
1473         * bytecompiler/NodesCodegen.cpp:
1474         (JSC::FunctionNode::emitBytecode):
1475
1476 2017-01-10  Commit Queue  <commit-queue@webkit.org>
1477
1478         Unreviewed, rolling out r210537.
1479         https://bugs.webkit.org/show_bug.cgi?id=166903
1480
1481         This change introduced JSC test failures (Requested by
1482         ryanhaddad on #webkit).
1483
1484         Reverted changeset:
1485
1486         "Implement JSSourceCode to propagate SourceCode in module
1487         pipeline"
1488         https://bugs.webkit.org/show_bug.cgi?id=166861
1489         http://trac.webkit.org/changeset/210537
1490
1491 2017-01-10  Commit Queue  <commit-queue@webkit.org>
1492
1493         Unreviewed, rolling out r210540.
1494         https://bugs.webkit.org/show_bug.cgi?id=166896
1495
1496         too crude for non-WebCore clients (Requested by kling on
1497         #webkit).
1498
1499         Reverted changeset:
1500
1501         "Crash when GC heap grows way too large."
1502         https://bugs.webkit.org/show_bug.cgi?id=166875
1503         http://trac.webkit.org/changeset/210540
1504
1505 2017-01-09  Filip Pizlo  <fpizlo@apple.com>
1506
1507         JSArray has some object scanning races
1508         https://bugs.webkit.org/show_bug.cgi?id=166874
1509
1510         Reviewed by Mark Lam.
1511         
1512         This fixes two separate bugs, both of which I detected by running
1513         array-splice-contiguous.js in extreme anger:
1514         
1515         1) Some of the paths of shifting and unshifting were not grabbing the internal cell
1516            lock. This was causing the array storage scan to crash, even though it was well
1517            synchronized (the scan does hold the lock). The fix is just to hold the lock anywhere
1518            that memmoves the innards of the butterfly.
1519         
1520         2) Out of line property scanning was synchronized using double collect snapshot. Array
1521            storage scanning was synchronized using locks. But what if array storage
1522            transformations messed up the out of line properties? It turns out that we actually
1523            need to hoist the array storage scanner's locking up into the double collect
1524            snapshot.
1525         
1526         I don't know how to write a test that does any better of a job of catching this than
1527         array-splice-contiguous.js.
1528
1529         * heap/DeferGC.h: Make DisallowGC usable even if NDEBUG.
1530         * runtime/JSArray.cpp:
1531         (JSC::JSArray::unshiftCountSlowCase):
1532         (JSC::JSArray::shiftCountWithArrayStorage):
1533         (JSC::JSArray::unshiftCountWithArrayStorage):
1534         * runtime/JSObject.cpp:
1535         (JSC::JSObject::visitButterflyImpl):
1536
1537 2017-01-10  Andreas Kling  <akling@apple.com>
1538
1539         Crash when GC heap grows way too large.
1540         <https://webkit.org/b/166875>
1541         <rdar://problem/27896585>
1542
1543         Reviewed by Mark Lam.
1544
1545         Hard cap the JavaScript heap at 4GB of live objects (determined post-GC.)
1546         If we go past this limit, crash with a recognizable signature.
1547
1548         * heap/Heap.cpp:
1549         (JSC::Heap::didExceedHeapSizeLimit):
1550         (JSC::Heap::updateAllocationLimits):
1551
1552 2017-01-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1553
1554         Implement JSSourceCode to propagate SourceCode in module pipeline
1555         https://bugs.webkit.org/show_bug.cgi?id=166861
1556
1557         Reviewed by Saam Barati.
1558
1559         Instead of propagating the source code string, we propagate a JSSourceCode
1560         cell in the module pipeline. This allows us to attach metadata
1561         to the propagated source code string. In particular, it propagates
1562         SourceOrigin through the module pipeline.
1563
1564         * CMakeLists.txt:
1565         * JavaScriptCore.xcodeproj/project.pbxproj:
1566         * builtins/ModuleLoaderPrototype.js:
1567         (fulfillFetch):
1568         (requestFetch):
1569         * jsc.cpp:
1570         (GlobalObject::moduleLoaderFetch):
1571         * llint/LLIntData.cpp:
1572         (JSC::LLInt::Data::performAssertions):
1573         * llint/LowLevelInterpreter.asm:
1574         * runtime/Completion.cpp:
1575         (JSC::loadAndEvaluateModule):
1576         (JSC::loadModule):
1577         * runtime/JSModuleLoader.cpp:
1578         (JSC::JSModuleLoader::provide):
1579         * runtime/JSModuleLoader.h:
1580         * runtime/JSSourceCode.cpp: Added.
1581         (JSC::JSSourceCode::destroy):
1582         * runtime/JSSourceCode.h: Added.
1583         (JSC::JSSourceCode::createStructure):
1584         (JSC::JSSourceCode::create):
1585         (JSC::JSSourceCode::sourceCode):
1586         (JSC::JSSourceCode::JSSourceCode):
1587         * runtime/JSType.h:
1588         * runtime/ModuleLoaderPrototype.cpp:
1589         (JSC::moduleLoaderPrototypeParseModule):
1590         * runtime/VM.cpp:
1591         (JSC::VM::VM):
1592         * runtime/VM.h:
1593
1594 2017-01-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1595
1596         REGRESSION (r210522): ASSERTION FAILED: divot.offset >= divotStart.offset seen with stress/import-basic.js and stress/import-from-eval.js
1597         https://bugs.webkit.org/show_bug.cgi?id=166873
1598
1599         Reviewed by Saam Barati.
1600
1601         The divot should be the end of `import` token.
1602
1603         * parser/Parser.cpp:
1604         (JSC::Parser<LexerType>::parseMemberExpression):
1605
1606 2017-01-09  Filip Pizlo  <fpizlo@apple.com>
1607
1608         Unreviewed, fix cloop.
1609
1610         * dfg/DFGPlanInlines.h:
1611
1612 2017-01-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1613
1614         [JSC] Prototype dynamic-import
1615         https://bugs.webkit.org/show_bug.cgi?id=165724
1616
1617         Reviewed by Saam Barati.
1618
1619         In this patch, we implement the stage 3 dynamic-import proposal [1].
1620         This patch adds a new special operator `import`. And by using it, we can import
1621         the module dynamically from modules and scripts. Before this feature, the module
1622         is always imported statically and before executing the modules, importing the modules
1623         needs to be done. And especially, the module can only be imported from the module.
1624         So the classic script cannot import and use the modules. This dynamic-import relaxes
1625         the above restrictions.
1626
1627         The typical dynamic-import form is the following.
1628
1629             import("...").then(function (namespace) { ... });
1630
1631         You can pass any AssignmentExpression for the import operator. So you can determine
1632         the importing modules dynamically.
1633
1634             import(value).then(function (namespace) { ... });
1635
1636         And previously the module import declaration is only allowed in the top level statements.
1637         But this import operator is just an expression. So you can use it in the function.
1638         And you can use it conditionally.
1639
1640             async function go(cond)
1641             {
1642                 if (cond)
1643                     return import("...");
1644                 return undefined;
1645             }
1646             await go(true);
1647
1648         Currently, this patch just implements this feature only for the JSC shell.
1649         JSC module loader requires a new hook, `importModule`. And the JSC shell implements
1650         this hook. So, for now, this dynamic-import is not available in the browser side.
1651         If you write this `import` call, it always returns a rejected promise.
1652
1653         import is implemented like a special operator similar to `super`.
1654         This is because import is context-sensitive. If you call the `import`, the module
1655         key resolution is done based on the caller's running context.
1656
1657         For example, if you are running the script whose filename is "./ok/hello.js", the module
1658         key for the call `import("./resource/syntax.js")` becomes `"./ok/resource/syntax.js"`.
1659         But if you write the completely same import form in the script "./error/hello.js", the
1660         key becomes "./error/resource/syntax.js". So exposing this feature as an `import`
1661         function would be misleading: this function would be sensitive to the caller's context. That's why
1662         dynamic-import is specified as a special operator.
1663
1664         To resolve the module key, we need the caller's context information like the filename of
1665         the caller. This is provided by the SourceOrigin implemented in r210149.
1666         In the JSC shell implementation, this SourceOrigin holds the filename of the caller. So
1667         based on this implementation, the module loader resolves the module key.
1668         In the near future, we will extend this SourceOrigin to hold more information needed for
1669         the browser-side import implementation.
1670
1671         [1]: https://tc39.github.io/proposal-dynamic-import/
1672
1673         * builtins/ModuleLoaderPrototype.js:
1674         (importModule):
1675         * bytecompiler/BytecodeGenerator.cpp:
1676         (JSC::BytecodeGenerator::emitGetTemplateObject):
1677         (JSC::BytecodeGenerator::emitGetGlobalPrivate):
1678         * bytecompiler/BytecodeGenerator.h:
1679         * bytecompiler/NodesCodegen.cpp:
1680         (JSC::ImportNode::emitBytecode):
1681         * jsc.cpp:
1682         (absolutePath):
1683         (GlobalObject::moduleLoaderImportModule):
1684         (functionRun):
1685         (functionLoad):
1686         (functionCheckSyntax):
1687         (runWithScripts):
1688         * parser/ASTBuilder.h:
1689         (JSC::ASTBuilder::createImportExpr):
1690         * parser/NodeConstructors.h:
1691         (JSC::ImportNode::ImportNode):
1692         * parser/Nodes.h:
1693         (JSC::ExpressionNode::isImportNode):
1694         * parser/Parser.cpp:
1695         (JSC::Parser<LexerType>::parseMemberExpression):
1696         * parser/SyntaxChecker.h:
1697         (JSC::SyntaxChecker::createImportExpr):
1698         * runtime/JSGlobalObject.cpp:
1699         (JSC::JSGlobalObject::init):
1700         * runtime/JSGlobalObject.h:
1701         * runtime/JSGlobalObjectFunctions.cpp:
1702         (JSC::globalFuncImportModule):
1703         * runtime/JSGlobalObjectFunctions.h:
1704         * runtime/JSModuleLoader.cpp:
1705         (JSC::JSModuleLoader::importModule):
1706         (JSC::JSModuleLoader::getModuleNamespaceObject):
1707         * runtime/JSModuleLoader.h:
1708         * runtime/ModuleLoaderPrototype.cpp:
1709         (JSC::moduleLoaderPrototypeGetModuleNamespaceObject):
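Added model (not JSC's code) of the context-sensitivity point made in this entry: the module key is derived from the caller's SourceOrigin, so the same `import("./resource/syntax.js")` text in ./ok/hello.js and ./error/hello.js resolves to two different keys, and a loader whose host provides no importModule hook hands back a rejected promise. resolveModuleKey, ModuleLoader, makeShellLikeLoader and the SAMPLE_MODULES table are constructed for this example; only "./" and "../" specifiers are handled, which is an assumption of the model.

```javascript
// Added example (not JSC's code): module-key resolution from the caller's
// SourceOrigin, and a loader that rejects when the host has no importModule hook.

// Resolve a relative specifier against the directory of the caller's origin.
// Only "./" and "../" specifiers are handled (an assumption of this model).
function resolveModuleKey(specifier, sourceOrigin) {
  if (!specifier.startsWith('./') && !specifier.startsWith('../')) {
    throw new TypeError(`cannot resolve non-relative specifier ${specifier}`);
  }
  const parts = sourceOrigin.filename.split('/').slice(0, -1); // caller's directory
  for (const segment of specifier.split('/')) {
    if (segment === '' || segment === '.') continue;
    const last = parts[parts.length - 1];
    if (segment === '..' && parts.length && last !== '..' && last !== '.') parts.pop();
    else parts.push(segment);
  }
  return parts.join('/');
}

class ModuleLoader {
  // hooks.importModule(key) stands in for the host hook the entry calls
  // `importModule`: the JSC shell provides one, the browser side did not yet.
  constructor(hooks = {}) {
    this.hooks = hooks;
    this.registry = new Map(); // module key -> promise for the namespace object
  }

  // import(specifier) evaluated in a script whose origin is sourceOrigin.
  importModule(specifier, sourceOrigin) {
    if (typeof this.hooks.importModule !== 'function') {
      // No host hook: the call always yields a rejected promise.
      return Promise.reject(new TypeError('dynamic import is not available in this host'));
    }
    let key;
    try {
      key = resolveModuleKey(specifier, sourceOrigin);
    } catch (error) {
      return Promise.reject(error);
    }
    if (!this.registry.has(key)) this.registry.set(key, this.hooks.importModule(key));
    return this.registry.get(key); // same key, same module instance
  }
}

// Constructed stand-in for the shell's file system: module key -> namespace object.
const SAMPLE_MODULES = {
  './ok/resource/syntax.js': { default: 'loaded from ./ok' },
  './error/resource/syntax.js': { default: 'loaded from ./error' },
};

function makeShellLikeLoader(modules = SAMPLE_MODULES) {
  return new ModuleLoader({
    importModule: key => (key in modules
      ? Promise.resolve(modules[key])
      : Promise.reject(new Error(`no module for key ${key}`))),
  });
}

async function main() {
  const loader = makeShellLikeLoader();
  for (const filename of ['./ok/hello.js', './error/hello.js']) {
    const ns = await loader.importModule('./resource/syntax.js', { filename });
    console.log(filename, '->', ns.default);
  }
  await new ModuleLoader().importModule('./x.js', { filename: './hello.js' })
    .catch(e => console.log('no hook:', e.message));
}
main();
```

The registry is keyed by the resolved key rather than by the specifier text, which is what makes two scripts with identical import text observe different modules while repeated imports from one script share an instance.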
1710
1711 2017-01-08  Filip Pizlo  <fpizlo@apple.com>
1712
1713         Make the collector's fixpoint smart about scheduling work
1714         https://bugs.webkit.org/show_bug.cgi?id=165910
1715
1716         Reviewed by Keith Miller.
1717         
1718         Prior to this change, every time the GC would run any constraints in markToFixpoint, it
1719         would run all of the constraints. It would always run them in the same order. That means
1720         that so long as any one constraint was generating new work, we'd pay the price of all
1721         constraints. This is usually OK because most constraints are cheap but it artificially
1722         inflates the cost of slow constraints - especially ones that are expensive but usually
1723         generate no new work.
1724         
1725         This patch redoes how the GC runs constraints by applying ideas from data flow analysis.
1726         The GC now builds a MarkingConstraintSet when it boots up, and this contains all of the
1727         constraints as well as some meta-data about them. Now, markToFixpoint just calls into
1728         MarkingConstraintSet to execute constraints. Because constraint execution and scheduling
1729         need to be aware of each other, I rewrote markToFixpoint in such a way that it's more
1730         obvious how the GC goes between constraint solving, marking with stopped mutator, and
1731         marking with resumed mutator. This also changes the scheduler API in such a way that a
1732         synchronous stop-the-world collection no longer needs to do fake stop/resume - instead we
1733         just swap the space-time scheduler for the stop-the-world scheduler.
1734         
1735         This is a big streamlining of the GC. This is a speed-up in GC-heavy tests because we
1736         now execute most constraints exactly twice regardless of how many total fixpoint
1737         iterations we do. Now, when we run out of marking work, the constraint solver will just
1738         run the constraint that is most likely to generate new visiting work, and if it does
1739         generate work, then the GC now goes back to marking. Before, it would run *all*
1740         constraints and then go back to marking. The constraint solver is armed with three
1741         information signals that it uses to sort the constraints in order of descending likelihood
1742         to generate new marking work. Then it runs them in that order until there is new
1743         marking work. The signals are:
1744         
1745         1) Whether the constraint is greyed by marking or execution. We call this the volatility
1746            of the constraint. For example, weak reference constraints have GreyedByMarking as
1747            their volatility because they are most likely to have something to say after we've done
1748            some marking. On the other hand, conservative roots have GreyedByExecution as their
1749            volatility because they will give new information anytime we let the mutator run. The
1750            constraint solver will only run GreyedByExecution constraints as roots and after the
1751            GreyedByMarking constraints go silent. This ensures that we don't try to scan
1752            conservative roots every time we need to re-run weak references and vice-versa.
1753            
1754            Another way to look at it is that the constraint solver tries to predict if the
1755            wavefront is advancing or retreating. The wavefront is almost certainly advancing so
1756            long as the mark stacks are non-empty or so long as at least one of the GreyedByMarking
1757            constraints is still producing work. Otherwise the wavefront is almost certainly
1758            retreating. It's most profitable to run GreyedByMarking constraints when the wavefront
1759            is advancing, and most profitable to run GreyedByExecution constraints when the
1760            wavefront is retreating.
1761            
1762            We use the predicted wavefront direction and the volatility of constraints as a
1763            first-order signal of constraint profitability.
1764         
1765         2) How much visiting work was created the last time the constraint ran. The solver
1766            remembers the lastVisitCount, and uses it to predict how much work the constraint will
1767            generate next time. In practice this means we will keep re-running the one interesting
1768            constraint until it shuts up.
1769         
1770         3) Optional work predictors for some constraints. The constraint that shuffles the mutator
1771            mark stack into the main SlotVisitor's mutator mark stack always knows exactly how much
1772            work it will create.
1773            
1774            The sum of (2) and (3) are used as a second-order signal of constraint profitability.
1775         
1776         The constraint solver will always run all of the GreyedByExecution constraints at GC
1777         start, since these double as the GC's roots. The constraint solver will always run all of
1778         the GreyedByMarking constraints the first time that marking stalls. Other than that, the
1779         solver will keep running constraints, sorted according to their likelihood to create work,
1780         until either work is created or we run out of constraints to run. GC termination happens
1781         when we run out of constraints to run.
1782         
1783         This new infrastructure means that we have a much better chance of dealing with worst-case
1784         DOM pathologies. If we can intelligently factor different evil DOM things into different
1785         constraints with the right work predictions then this could reduce the cost of those DOM
1786         things by a factor of N where N is the number of fixpoint iterations the GC typically
1787         does. N is usually around 5-6 even for simple heaps.
1788         
1789         My perf measurements say:
1790         
1791         PLT3: 0.02% faster with 5.3% confidence.
1792         JetStream: 0.15% faster with 17% confidence.
1793         Speedometer: 0.58% faster with 82% confidence.
1794         
1795         Here are the details from JetStream:
1796         
1797         splay: 1.02173x faster with 0.996841 confidence
1798         splay-latency: 1.0617x faster with 0.987462 confidence
1799         towers.c: 1.01852x faster with 0.92128 confidence
1800         crypto-md5: 1.06058x faster with 0.482363 confidence
1801         score: 1.00152x faster with 0.16892 confidence
1802         
1803         I think that Speedometer is legitimately benefiting from this change based on looking at
1804         --logGC=true output. We are now spending less time reexecuting expensive constraints. I
1805         think that JetStream/splay is also benefiting, because although the constraints it sees
1806         are cheap, it spends 30% of its time in GC so even small improvements matter.
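Added model (not JSC's code) of the scheduling this entry describes, using its vocabulary: constraints carry a volatility (GreyedByExecution or GreyedByMarking), a lastVisitCount and an optional quickWorkEstimate; the solver runs the GreyedByExecution constraints at bootstrap, every GreyedByMarking constraint at the first stall, and afterwards sorts by predicted wavefront direction and work estimate, returning to marking as soon as one constraint greys something. The toy heap, the object graph and the three constraints (Cs, Ws, Dom) are constructed for this example; the comparison counts how often the silent, expensive constraint runs under the old rerun-everything fixpoint versus the sorted one.

```javascript
// Added example (not JSC's code): a toy constraint solver for the GC fixpoint.
const Volatility = Object.freeze({ GreyedByExecution: 0, GreyedByMarking: 1 });

// Toy heap: a mark stack plus a marked set. visit() marks on push, as a SlotVisitor does.
class Heap {
  constructor(edges) { this.edges = edges; this.marked = new Set(); this.markStack = []; }
  visit(cell) { // returns 1 only when the cell was newly greyed
    if (this.marked.has(cell)) return 0;
    this.marked.add(cell); this.markStack.push(cell); return 1;
  }
  drain() { // marking: pop cells and grey their children until the stack is empty
    while (this.markStack.length) for (const child of this.edges[this.markStack.pop()] || []) this.visit(child);
  }
}

class MarkingConstraint {
  // body(heap) does the constraint's work and returns how many cells it greyed;
  // quickWorkEstimate is the optional predictor (signal 3 in the entry).
  constructor(name, volatility, body, quickWorkEstimate = () => 0) {
    Object.assign(this, { name, volatility, body, quickWorkEstimate, lastVisitCount: 0, runs: 0 });
  }
  // Second-order signal: last run's work (signal 2) plus the predictor (signal 3).
  workEstimate() { return this.lastVisitCount + this.quickWorkEstimate(); }
  execute(heap) { this.runs++; return (this.lastVisitCount = this.body(heap)); }
}

class MarkingConstraintSet {
  constructor(constraints) { this.constraints = constraints; this.ranMarkingConstraints = false; }
  // GC start: every GreyedByExecution constraint runs, since these double as the roots.
  executeBootstrap(heap) {
    for (const c of this.constraints) if (c.volatility === Volatility.GreyedByExecution) c.execute(heap);
  }
  // First-order signal: the wavefront is advancing while the mark stack is non-empty
  // or some GreyedByMarking constraint produced work on its last run.
  isWavefrontAdvancing(heap) {
    return heap.markStack.length > 0 ||
      this.constraints.some(c => c.volatility === Volatility.GreyedByMarking && c.lastVisitCount > 0);
  }
  // Called when marking stalls. true: new work exists, go back to marking.
  // false: we ran out of constraints to run, which is the termination condition.
  executeConvergence(heap) {
    if (!this.ranMarkingConstraints) { // first stall: run every GreyedByMarking constraint
      this.ranMarkingConstraints = true;
      let produced = 0;
      for (const c of this.constraints) if (c.volatility === Volatility.GreyedByMarking) produced += c.execute(heap);
      if (produced > 0) return true;
    }
    const preferred = this.isWavefrontAdvancing(heap) ? Volatility.GreyedByMarking : Volatility.GreyedByExecution;
    const byProfitability = [...this.constraints].sort((a, b) =>
      ((a.volatility === preferred ? 0 : 1) - (b.volatility === preferred ? 0 : 1)) ||
      (b.workEstimate() - a.workEstimate()));
    for (const c of byProfitability) if (c.execute(heap) > 0) return true;
    return false;
  }
}

// New fixpoint: mark, and consult the solver only when marking stalls.
function markToFixpoint(heap, set) {
  set.executeBootstrap(heap);
  heap.drain();
  let iterations = 0;
  while (set.executeConvergence(heap)) { heap.drain(); iterations++; }
  return iterations;
}

// Old fixpoint from the entry: every stall reruns every constraint in a fixed order.
function markToFixpointRunningAll(heap, constraints) {
  for (let iterations = 1; ; iterations++) {
    let produced = 0;
    for (const c of constraints) produced += c.execute(heap);
    heap.drain();
    if (produced === 0) return iterations;
  }
}

// Constructed scenario: A -> B from the roots; C, D and E are reachable only through
// weak-map entries whose keys get marked one step at a time, so marking stalls repeatedly.
function buildScenario() {
  const heap = new Heap({ A: ['B'] });
  const weakEntries = [['D', 'E'], ['C', 'D'], ['B', 'C']]; // [key, value]; this order yields one step per pass
  const constraints = [
    new MarkingConstraint('Cs', Volatility.GreyedByExecution, h => h.visit('A')), // conservative roots
    new MarkingConstraint('Ws', Volatility.GreyedByMarking,
      h => weakEntries.reduce((n, [key, value]) => n + (h.marked.has(key) ? h.visit(value) : 0), 0)),
    new MarkingConstraint('Dom', Volatility.GreyedByMarking, () => 0), // expensive, never finds anything
  ];
  return { heap, constraints };
}

// strategy: 'sorted' (this entry) or 'rerunAll' (the behaviour it replaces).
function runScheduler(strategy) {
  const { heap, constraints } = buildScenario();
  const iterations = strategy === 'sorted'
    ? markToFixpoint(heap, new MarkingConstraintSet(constraints))
    : markToFixpointRunningAll(heap, constraints);
  return { iterations, marked: [...heap.marked].sort().join(''),
    runs: Object.fromEntries(constraints.map(c => [c.name, c.runs])) };
}

console.log(JSON.stringify({ sorted: runScheduler('sorted'), rerunAll: runScheduler('rerunAll') }));
```

Both strategies mark the same five cells, but the sorted solver runs the silent Dom constraint twice (first stall plus the final sweep that proves termination) while the rerun-everything fixpoint runs it on every one of its five rounds; the extra runs go away regardless of how many times marking stalls, which is the effect the entry attributes to the change.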
1807
1808         * CMakeLists.txt:
1809         * JavaScriptCore.xcodeproj/project.pbxproj:
1810         * dfg/DFGPlan.cpp:
1811         (JSC::DFG::Plan::markCodeBlocks): Deleted.
1812         (JSC::DFG::Plan::rememberCodeBlocks): Deleted.
1813         * dfg/DFGPlan.h:
1814         * dfg/DFGPlanInlines.h: Added.
1815         (JSC::DFG::Plan::iterateCodeBlocksForGC):
1816         * dfg/DFGWorklist.cpp:
1817         (JSC::DFG::Worklist::markCodeBlocks): Deleted.
1818         (JSC::DFG::Worklist::rememberCodeBlocks): Deleted.
1819         (JSC::DFG::rememberCodeBlocks): Deleted.
1820         * dfg/DFGWorklist.h:
1821         * dfg/DFGWorklistInlines.h: Added.
1822         (JSC::DFG::iterateCodeBlocksForGC):
1823         (JSC::DFG::Worklist::iterateCodeBlocksForGC):
1824         * heap/CodeBlockSet.cpp:
1825         (JSC::CodeBlockSet::writeBarrierCurrentlyExecuting): Deleted.
1826         * heap/CodeBlockSet.h:
1827         (JSC::CodeBlockSet::iterate): Deleted.
1828         * heap/CodeBlockSetInlines.h:
1829         (JSC::CodeBlockSet::iterate):
1830         (JSC::CodeBlockSet::iterateCurrentlyExecuting):
1831         * heap/Heap.cpp:
1832         (JSC::Heap::Heap):
1833         (JSC::Heap::iterateExecutingAndCompilingCodeBlocks):
1834         (JSC::Heap::iterateExecutingAndCompilingCodeBlocksWithoutHoldingLocks):
1835         (JSC::Heap::assertSharedMarkStacksEmpty):
1836         (JSC::Heap::markToFixpoint):
1837         (JSC::Heap::endMarking):
1838         (JSC::Heap::collectInThread):
1839         (JSC::Heap::stopIfNecessarySlow):
1840         (JSC::Heap::acquireAccessSlow):
1841         (JSC::Heap::collectIfNecessaryOrDefer):
1842         (JSC::Heap::buildConstraintSet):
1843         (JSC::Heap::notifyIsSafeToCollect):
1844         (JSC::Heap::ResumeTheWorldScope::ResumeTheWorldScope): Deleted.
1845         (JSC::Heap::ResumeTheWorldScope::~ResumeTheWorldScope): Deleted.
1846         (JSC::Heap::harvestWeakReferences): Deleted.
1847         (JSC::Heap::visitConservativeRoots): Deleted.
1848         (JSC::Heap::visitCompilerWorklistWeakReferences): Deleted.
1849         * heap/Heap.h:
1850         * heap/MarkingConstraint.cpp: Added.
1851         (JSC::MarkingConstraint::MarkingConstraint):
1852         (JSC::MarkingConstraint::~MarkingConstraint):
1853         (JSC::MarkingConstraint::resetStats):
1854         (JSC::MarkingConstraint::execute):
1855         * heap/MarkingConstraint.h: Added.
1856         (JSC::MarkingConstraint::index):
1857         (JSC::MarkingConstraint::abbreviatedName):
1858         (JSC::MarkingConstraint::name):
1859         (JSC::MarkingConstraint::lastVisitCount):
1860         (JSC::MarkingConstraint::quickWorkEstimate):
1861         (JSC::MarkingConstraint::workEstimate):
1862         (JSC::MarkingConstraint::volatility):
1863         * heap/MarkingConstraintSet.cpp: Added.
1864         (JSC::MarkingConstraintSet::ExecutionContext::ExecutionContext):
1865         (JSC::MarkingConstraintSet::ExecutionContext::didVisitSomething):
1866         (JSC::MarkingConstraintSet::ExecutionContext::shouldTimeOut):
1867         (JSC::MarkingConstraintSet::ExecutionContext::drain):
1868         (JSC::MarkingConstraintSet::ExecutionContext::didExecute):
1869         (JSC::MarkingConstraintSet::ExecutionContext::execute):
1870         (JSC::MarkingConstraintSet::MarkingConstraintSet):
1871         (JSC::MarkingConstraintSet::~MarkingConstraintSet):
1872         (JSC::MarkingConstraintSet::resetStats):
1873         (JSC::MarkingConstraintSet::add):
1874         (JSC::MarkingConstraintSet::executeBootstrap):
1875         (JSC::MarkingConstraintSet::executeConvergence):
1876         (JSC::MarkingConstraintSet::isWavefrontAdvancing):
1877         (JSC::MarkingConstraintSet::executeConvergenceImpl):
1878         (JSC::MarkingConstraintSet::executeAll):
1879         * heap/MarkingConstraintSet.h: Added.
1880         (JSC::MarkingConstraintSet::isWavefrontRetreating):
1881         * heap/MutatorScheduler.cpp: Added.
1882         (JSC::MutatorScheduler::MutatorScheduler):
1883         (JSC::MutatorScheduler::~MutatorScheduler):
1884         (JSC::MutatorScheduler::didStop):
1885         (JSC::MutatorScheduler::willResume):
1886         (JSC::MutatorScheduler::didExecuteConstraints):
1887         (JSC::MutatorScheduler::log):
1888         (JSC::MutatorScheduler::shouldStop):
1889         (JSC::MutatorScheduler::shouldResume):
1890         * heap/MutatorScheduler.h: Added.
1891         * heap/OpaqueRootSet.h:
1892         (JSC::OpaqueRootSet::add):
1893         * heap/SlotVisitor.cpp:
1894         (JSC::SlotVisitor::visitAsConstraint):
1895         (JSC::SlotVisitor::drain):
1896         (JSC::SlotVisitor::didReachTermination):
1897         (JSC::SlotVisitor::hasWork):
1898         (JSC::SlotVisitor::drainFromShared):
1899         (JSC::SlotVisitor::drainInParallelPassively):
1900         (JSC::SlotVisitor::addOpaqueRoot):
1901         * heap/SlotVisitor.h:
1902         (JSC::SlotVisitor::addToVisitCount):
1903         * heap/SpaceTimeMutatorScheduler.cpp: Copied from Source/JavaScriptCore/heap/SpaceTimeScheduler.cpp.
1904         (JSC::SpaceTimeMutatorScheduler::Snapshot::Snapshot):
1905         (JSC::SpaceTimeMutatorScheduler::Snapshot::now):
1906         (JSC::SpaceTimeMutatorScheduler::Snapshot::bytesAllocatedThisCycle):
1907         (JSC::SpaceTimeMutatorScheduler::SpaceTimeMutatorScheduler):
1908         (JSC::SpaceTimeMutatorScheduler::~SpaceTimeMutatorScheduler):
1909         (JSC::SpaceTimeMutatorScheduler::state):
1910         (JSC::SpaceTimeMutatorScheduler::beginCollection):
1911         (JSC::SpaceTimeMutatorScheduler::didStop):
1912         (JSC::SpaceTimeMutatorScheduler::willResume):
1913         (JSC::SpaceTimeMutatorScheduler::didExecuteConstraints):
1914         (JSC::SpaceTimeMutatorScheduler::timeToStop):
1915         (JSC::SpaceTimeMutatorScheduler::timeToResume):
1916         (JSC::SpaceTimeMutatorScheduler::log):
1917         (JSC::SpaceTimeMutatorScheduler::endCollection):
1918         (JSC::SpaceTimeMutatorScheduler::bytesAllocatedThisCycleImpl):
1919         (JSC::SpaceTimeMutatorScheduler::bytesSinceBeginningOfCycle):
1920         (JSC::SpaceTimeMutatorScheduler::maxHeadroom):
1921         (JSC::SpaceTimeMutatorScheduler::headroomFullness):
1922         (JSC::SpaceTimeMutatorScheduler::mutatorUtilization):
1923         (JSC::SpaceTimeMutatorScheduler::collectorUtilization):
1924         (JSC::SpaceTimeMutatorScheduler::elapsedInPeriod):
1925         (JSC::SpaceTimeMutatorScheduler::phase):
1926         (JSC::SpaceTimeMutatorScheduler::shouldBeResumed):
1927         (JSC::SpaceTimeScheduler::Decision::targetMutatorUtilization): Deleted.
1928         (JSC::SpaceTimeScheduler::Decision::targetCollectorUtilization): Deleted.
1929         (JSC::SpaceTimeScheduler::Decision::elapsedInPeriod): Deleted.
1930         (JSC::SpaceTimeScheduler::Decision::phase): Deleted.
1931         (JSC::SpaceTimeScheduler::Decision::shouldBeResumed): Deleted.
1932         (JSC::SpaceTimeScheduler::Decision::timeToResume): Deleted.
1933         (JSC::SpaceTimeScheduler::Decision::timeToStop): Deleted.
1934         (JSC::SpaceTimeScheduler::SpaceTimeScheduler): Deleted.
1935         (JSC::SpaceTimeScheduler::snapPhase): Deleted.
1936         (JSC::SpaceTimeScheduler::currentDecision): Deleted.
1937         * heap/SpaceTimeMutatorScheduler.h: Copied from Source/JavaScriptCore/heap/SpaceTimeScheduler.h.
1938         (JSC::SpaceTimeScheduler::Decision::operator bool): Deleted.
1939         * heap/SpaceTimeScheduler.cpp: Removed.
1940         * heap/SpaceTimeScheduler.h: Removed.
1941         * heap/SynchronousStopTheWorldMutatorScheduler.cpp: Added.
1942         (JSC::SynchronousStopTheWorldMutatorScheduler::SynchronousStopTheWorldMutatorScheduler):
1943         (JSC::SynchronousStopTheWorldMutatorScheduler::~SynchronousStopTheWorldMutatorScheduler):
1944         (JSC::SynchronousStopTheWorldMutatorScheduler::state):
1945         (JSC::SynchronousStopTheWorldMutatorScheduler::beginCollection):
1946         (JSC::SynchronousStopTheWorldMutatorScheduler::timeToStop):
1947         (JSC::SynchronousStopTheWorldMutatorScheduler::timeToResume):
1948         (JSC::SynchronousStopTheWorldMutatorScheduler::endCollection):
1949         * heap/SynchronousStopTheWorldMutatorScheduler.h: Added.
1950         * heap/VisitingTimeout.h: Added.
1951         (JSC::VisitingTimeout::VisitingTimeout):
1952         (JSC::VisitingTimeout::visitCount):
1953         (JSC::VisitingTimeout::didVisitSomething):
1954         (JSC::VisitingTimeout::shouldTimeOut):
1955         * runtime/Options.h:
1956
1957 2017-01-09  Commit Queue  <commit-queue@webkit.org>
1958
1959         Unreviewed, rolling out r210476.
1960         https://bugs.webkit.org/show_bug.cgi?id=166859
1961
1962         "4% JSBench regression" (Requested by keith_mi_ on #webkit).
1963
1964         Reverted changeset:
1965
1966         "Add a slice intrinsic to the DFG/FTL"
1967         https://bugs.webkit.org/show_bug.cgi?id=166707
1968         http://trac.webkit.org/changeset/210476
1969
1970 2017-01-08  Andreas Kling  <akling@apple.com>
1971
1972         Inject MarkedSpace size classes for a few more high-volume objects.
1973         <https://webkit.org/b/166815>
1974
1975         Reviewed by Darin Adler.
1976
1977         Add the following classes to the list of manually injected size classes:
1978
1979             - JSString
1980             - JSFunction
1981             - PropertyTable
1982             - Structure
1983
1984         Only Structure actually ends up with a new size class, the others already
1985         can't get any tighter due to the current MarkedBlock::atomSize being 16.
1986         I've put them in anyway to ensure that we have optimally carved-out cells
1987         for them in the future, should they grow.
1988
1989         With this change, Structures get allocated in 128-byte cells instead of
1990         160-byte cells, giving us 25% more Structures per MarkedBlock.
1991
1992         * heap/MarkedSpace.cpp:
1993
1994 2017-01-06  Saam Barati  <sbarati@apple.com>
1995
1996         Add a slice intrinsic to the DFG/FTL
1997         https://bugs.webkit.org/show_bug.cgi?id=166707
1998
1999         Reviewed by Filip Pizlo.
2000
2001         The gist of this patch is to inline Array.prototype.slice
2002         into the DFG/FTL. The implementation in the DFG-backend
2003         and FTLLowerDFGToB3 is just a straight forward implementation
2004         of what the C function is doing. The more interesting bits
2005         of this patch are setting up the proper watchpoints and conditions
2006         in the executing code to prove that its safe to skip all of the
2007         in the executing code to prove that it's safe to skip all of the
2008         
2009         We perform the following proofs:
2010         1. Array.prototype.constructor has not changed (via a watchpoint).
2011         2. That Array.prototype.constructor[Symbol.species] has not changed (via a watchpoint).
2012         3. The global object is not having a bad time.
2013         4. The array that is being sliced has an original array structure.
2014         5. Array.prototype/Object.prototype have not transitioned.
2015         
2016         Conditions 1, 2, and 3 are strictly required.
2017         
2018         4 is ensuring a couple things:
2019         1. That a "constructor" property hasn't been added to the array
2020         we're slicing since we're supposed to perform a Get(array, "constructor").
2021         2. That we're not slicing an instance of a subclass of Array.
2022         
2023         We could relax 4.1 in the future if we find other ways to test if
2024         the incoming array hasn't changed the "constructor" property.
2025         
2026         I'm seeing a 5% speedup on crypto-pbkdf2 and often a 1% speedup on
2027         the total benchmark (the results are sometimes noisy).
2028
2029         * bytecode/ExitKind.cpp:
2030         (JSC::exitKindToString):
2031         * bytecode/ExitKind.h:
2032         * dfg/DFGAbstractInterpreterInlines.h:
2033         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2034         * dfg/DFGByteCodeParser.cpp:
2035         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2036         * dfg/DFGClobberize.h:
2037         (JSC::DFG::clobberize):
2038         * dfg/DFGDoesGC.cpp:
2039         (JSC::DFG::doesGC):
2040         * dfg/DFGFixupPhase.cpp:
2041         (JSC::DFG::FixupPhase::fixupNode):
2042         * dfg/DFGNode.h:
2043         (JSC::DFG::Node::hasHeapPrediction):
2044         (JSC::DFG::Node::hasArrayMode):
2045         * dfg/DFGNodeType.h:
2046         * dfg/DFGPredictionPropagationPhase.cpp:
2047         * dfg/DFGSafeToExecute.h:
2048         (JSC::DFG::safeToExecute):
2049         * dfg/DFGSpeculativeJIT.cpp:
2050         (JSC::DFG::SpeculativeJIT::compileArraySlice):
2051         * dfg/DFGSpeculativeJIT.h:
2052         * dfg/DFGSpeculativeJIT32_64.cpp:
2053         (JSC::DFG::SpeculativeJIT::compile):
2054         * dfg/DFGSpeculativeJIT64.cpp:
2055         (JSC::DFG::SpeculativeJIT::compile):
2056         * ftl/FTLCapabilities.cpp:
2057         (JSC::FTL::canCompile):
2058         * ftl/FTLLowerDFGToB3.cpp:
2059         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2060         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
2061         * jit/AssemblyHelpers.cpp:
2062         (JSC::AssemblyHelpers::emitLoadStructure):
2063         * runtime/ArrayPrototype.cpp:
2064         (JSC::ArrayPrototype::finishCreation):
2065         (JSC::speciesWatchpointIsValid):
2066         (JSC::speciesConstructArray):
2067         (JSC::arrayProtoFuncSlice):
2068         (JSC::arrayProtoPrivateFuncConcatMemcpy):
2069         (JSC::ArrayPrototype::initializeSpeciesWatchpoint):
2070         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
2071         (JSC::speciesWatchpointsValid): Deleted.
2072         (JSC::ArrayPrototype::attemptToInitializeSpeciesWatchpoint): Deleted.
2073         * runtime/ArrayPrototype.h:
2074         (JSC::ArrayPrototype::speciesWatchpointStatus): Deleted.
2075         (): Deleted.
2076         * runtime/Intrinsic.h:
2077         * runtime/JSGlobalObject.cpp:
2078         (JSC::JSGlobalObject::JSGlobalObject):
2079         (JSC::JSGlobalObject::init):
2080         * runtime/JSGlobalObject.h:
2081         (JSC::JSGlobalObject::arraySpeciesWatchpoint):
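
        Added example, not part of this patch or of WebKit: the observable JS actions
        described above that a spec-conformant Array.prototype.slice performs through
        ArraySpeciesCreate, namely the Get(array, "constructor") and the
        Get(constructor, Symbol.species) lookups the inlined version has to prove it
        may skip. Each case below corresponds to one of the conditions listed (own
        "constructor" property, subclass of Array, patched Array[Symbol.species]).
        The names MyArray, Custom and Tracker are made up for this illustration.

```javascript
// Added example, not WebKit code: the observable steps that a spec-conformant
// Array.prototype.slice performs through ArraySpeciesCreate, i.e. the
// Get(array, "constructor") and Get(constructor, Symbol.species) lookups that
// the inlined DFG/FTL version has to prove it may skip. The names MyArray,
// Custom and Tracker are made up for this example.

// Baseline: untouched Array.prototype and Array[Symbol.species] give a plain Array.
function sliceOfPlainArray() {
  const s = [1, 2, 3, 4].slice(1, 3);
  return s.constructor === Array && s.length === 2 && s[0] === 2 && s[1] === 3;
}

// Subclass: this.constructor is MyArray, and MyArray[Symbol.species] is the
// getter inherited from Array (returning `this`), so slice constructs a MyArray.
class MyArray extends Array {}
function sliceOfSubclass() {
  const s = MyArray.of(1, 2, 3, 4).slice(1, 3);
  return s instanceof MyArray && s.length === 2;
}

// Own "constructor" property on the instance: even a plain array can redirect
// slice to a foreign constructor. `log` records the Construct(C, « length ») call.
function sliceWithOwnConstructor(log) {
  function Custom(len) { log.push('Custom(' + len + ')'); }
  Custom[Symbol.species] = Custom;
  const a = [1, 2, 3, 4];
  a.constructor = Custom;            // creates an own property shadowing Array.prototype.constructor
  const s = a.slice(1, 3);           // -> new Custom(2), then defines s[0], s[1] and s.length
  return s instanceof Custom && s.length === 2 && s[0] === 2 && s[1] === 3;
}

// Patched Array[Symbol.species]: one global redefinition changes what every
// plain array's slice returns, which is why the intrinsic watches
// Array.prototype.constructor[Symbol.species]. The original descriptor is
// restored afterwards so the rest of the program is unaffected.
function sliceWithPatchedSpecies() {
  const saved = Object.getOwnPropertyDescriptor(Array, Symbol.species);
  let constructed = 0;
  function Tracker(len) { constructed++; }
  Object.defineProperty(Array, Symbol.species, { configurable: true, get() { return Tracker; } });
  try {
    const s = [1, 2, 3].slice(0, 2);
    return { constructed, isTracker: s instanceof Tracker, length: s.length };
  } finally {
    Object.defineProperty(Array, Symbol.species, saved);
  }
}
```

        Each of the three non-baseline cases produces a result that is not a plain
        Array, which is exactly what the watchpoints and structure checks exist to
        rule out before the fast path is taken.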
2082
2083 2017-01-06  Mark Lam  <mark.lam@apple.com>
2084
2085         The ObjC API's JSVirtualMachine's map tables need to be guarded by a lock.
2086         https://bugs.webkit.org/show_bug.cgi?id=166778
2087         <rdar://problem/29761198>
2088
2089         Reviewed by Filip Pizlo.
2090
2091         Now that we have a concurrent GC, access to JSVirtualMachine's
2092         m_externalObjectGraph and m_externalRememberedSet needs to be guarded by a lock
2093         since both the GC marker thread and the mutator thread may access them at the
2094         same time.
2095
2096         * API/JSVirtualMachine.mm:
2097         (-[JSVirtualMachine addExternalRememberedObject:]):
2098         (-[JSVirtualMachine addManagedReference:withOwner:]):
2099         (-[JSVirtualMachine removeManagedReference:withOwner:]):
2100         (-[JSVirtualMachine externalDataMutex]):
2101         (scanExternalObjectGraph):
2102         (scanExternalRememberedSet):
2103
2104         * API/JSVirtualMachineInternal.h:
2105         - Deleted externalObjectGraph method.  There's no need to expose this.
2106
2107 2017-01-06  Michael Saboff  <msaboff@apple.com>
2108
2109         @putByValDirect in Array.of and Array.from overwrites non-writable/configurable properties
2110         https://bugs.webkit.org/show_bug.cgi?id=153486
2111
2112         Reviewed by Saam Barati.
2113
2114         Moved read only check in putDirect() to all paths.
2115
2116         * runtime/SparseArrayValueMap.cpp:
2117         (JSC::SparseArrayValueMap::putDirect):
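
        Added example, not part of this patch or of WebKit: the language-level
        behaviour the fix restores. Array.of and Array.from fill their result with
        CreateDataPropertyOrThrow, which is a define rather than a plain put, so an
        index that already holds a non-configurable property must cause a TypeError
        instead of being overwritten, while a configurable one may be redefined. The
        constructors FrozenIndex0 and SoftIndex0 are made up for this illustration.

```javascript
// Added example, not WebKit code: the spec behaviour Array.of and Array.from
// must preserve. Both write each element with CreateDataPropertyOrThrow (a
// define), which must throw a TypeError when the index already holds a
// non-configurable property instead of silently overwriting it.
// FrozenIndex0 and SoftIndex0 are made-up constructors for this example.

// Instances start with a non-writable, non-configurable index 0: may not be redefined.
function FrozenIndex0() {
  Object.defineProperty(this, 0, { value: 'locked', writable: false, configurable: false });
}

// Instances start with a non-writable but configurable index 0: redefining is allowed.
function SoftIndex0() {
  Object.defineProperty(this, 0, { value: 'soft', writable: false, configurable: true });
}

// Run `method` with `ctor` as its `this` (the receiver Array.of / Array.from
// construct the result from) and report what happened to index 0.
function buildWith(ctor, method, ...args) {
  try {
    const result = method.call(ctor, ...args);
    return { threw: false, index0: result[0], length: result.length };
  } catch (e) {
    return { threw: true, typeError: e instanceof TypeError };
  }
}

const ofFrozen = () => buildWith(FrozenIndex0, Array.of, 'a', 'b');        // must throw
const fromFrozen = () => buildWith(FrozenIndex0, Array.from, ['a', 'b']);  // must throw
const ofSoft = () => buildWith(SoftIndex0, Array.of, 'a', 'b');            // index 0 becomes 'a'
const plainBaseline = () => buildWith(Array, Array.of, 'a', 'b');          // ordinary ['a', 'b']
```

        The distinction between the frozen and the merely read-only-but-configurable
        case is the one a define-style write has to honour on every path, not only
        on the common one.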
2118
2119 2016-12-30  Filip Pizlo  <fpizlo@apple.com>
2120
2121         DeferGC::~DeferGC should be super cheap
2122         https://bugs.webkit.org/show_bug.cgi?id=166626
2123
2124         Reviewed by Saam Barati.
2125         
2126         Right now, ~DeferGC requires running the collector's full collectIfNecessaryOrDefer()
2127         hook, which is super big. Normally, that hook would only be called from GC slow paths,
2128         so it ought to be possible to add complex logic to it. It benefits the GC algorithm to
2129         make that code smart, not necessarily fast.
2130
2131         The right thing for it to do is to have ~DeferGC check a boolean to see if
2132         collectIfNecessaryOrDefer() had previously deferred anything, and only call it if that
2133         is true. That's what this patch does.
2134         
2135         Unfortunately, this means that we lose the collectAccordingToDeferGCProbability mode,
2136         which we used for two tests. Since I could only see two tests that used this mode, I
2137         felt that it was better to enhance the GC than to keep the tests. I filed bug 166627 to
2138         bring back something like that mode.
2139         
2140         Although this patch does make some paths faster, its real goal is to ensure that bug
2141         165963 can add more logic to collectIfNecessaryOrDefer() without introducing a big
2142         regression. Until then, I wouldn't be surprised if this patch was a progression, but I'm
2143         not betting on it.
2144
2145         * heap/Heap.cpp:
2146         (JSC::Heap::collectIfNecessaryOrDefer):
2147         (JSC::Heap::decrementDeferralDepthAndGCIfNeededSlow):
2148         (JSC::Heap::canCollect): Deleted.
2149         (JSC::Heap::shouldCollectHeuristic): Deleted.
2150         (JSC::Heap::shouldCollect): Deleted.
2151         (JSC::Heap::collectAccordingToDeferGCProbability): Deleted.
2152         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded): Deleted.
2153         * heap/Heap.h:
2154         * heap/HeapInlines.h:
2155         (JSC::Heap::incrementDeferralDepth):
2156         (JSC::Heap::decrementDeferralDepth):
2157         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
2158         (JSC::Heap::mayNeedToStop):
2159         (JSC::Heap::stopIfNecessary):
2160         * runtime/Options.h:
2161
2162 2017-01-05  Filip Pizlo  <fpizlo@apple.com>
2163
2164         AutomaticThread timeout shutdown leaves a small window where notify() would think that the thread is still running
2165         https://bugs.webkit.org/show_bug.cgi?id=166742
2166
2167         Reviewed by Geoffrey Garen.
2168         
2169         Update to new AutomaticThread API.
2170
2171         * dfg/DFGWorklist.cpp:
2172
2173 2017-01-05  Per Arne Vollan  <pvollan@apple.com>
2174
2175         [Win] Compile error.
2176         https://bugs.webkit.org/show_bug.cgi?id=166726
2177
2178         Reviewed by Alex Christensen.
2179
2180         Add include folder.
2181
2182         * CMakeLists.txt:
2183
2184 2016-12-21  Brian Burg  <bburg@apple.com>
2185
2186         Web Inspector: teach the protocol generator about platform-specific types, events, and commands
2187         https://bugs.webkit.org/show_bug.cgi?id=166003
2188         <rdar://problem/28718990>
2189
2190         Reviewed by Joseph Pecoraro.
2191
2192         This patch implements parser, model, and generator-side changes to account for
2193         platform-specific types, events, and commands. The 'platform' property is parsed
2194         for top-level definitions and assumed to be the 'generic' platform if none is specified.
2195
2196         Since the generator's platform setting acts to filter definitions with an incompatible platform,
2197         all generators must be modified to consult a list of filtered types/commands/events for
2198         a domain instead of directly accessing Domain.{type_declarations, commands, events}. To prevent
2199         accidental misuse, hide those fields behind accessors (e.g., `all_type_declarations()`) so that they
2200         are still accessible if truly necessary, but not used by default and cause an error if not migrated.
2201
2202         * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
2203         (CppAlternateBackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
2204         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
2205         (CppBackendDispatcherHeaderGenerator.domains_to_generate):
2206         (CppBackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
2207         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
2208         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2209         (CppBackendDispatcherImplementationGenerator.domains_to_generate):
2210         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
2211         (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
2212         (CppBackendDispatcherImplementationGenerator._generate_large_dispatcher_switch_implementation_for_domain):
2213         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
2214         (CppFrontendDispatcherHeaderGenerator.domains_to_generate):
2215         (CppFrontendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
2216         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2217         (CppFrontendDispatcherImplementationGenerator.domains_to_generate):
2218         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
2219         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2220         (CppProtocolTypesHeaderGenerator._generate_forward_declarations):
2221         (_generate_typedefs_for_domain):
2222         (_generate_builders_for_domain):
2223         (_generate_forward_declarations_for_binding_traits):
2224         (_generate_declarations_for_enum_conversion_methods):
2225         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2226         (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain):
2227         (CppProtocolTypesImplementationGenerator._generate_open_field_names):
2228         (CppProtocolTypesImplementationGenerator._generate_builders_for_domain):
2229         * inspector/scripts/codegen/generate_js_backend_commands.py:
2230         (JSBackendCommandsGenerator.should_generate_domain):
2231         (JSBackendCommandsGenerator.domains_to_generate):
2232         (JSBackendCommandsGenerator.generate_domain):
2233         (JSBackendCommandsGenerator.domains_to_generate.should_generate_domain): Deleted.
2234         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
2235         (ObjCBackendDispatcherHeaderGenerator.domains_to_generate):
2236         (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations):
2237         (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declarations_for_domain):
2238         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
2239         (ObjCBackendDispatcherImplementationGenerator):
2240         (ObjCBackendDispatcherImplementationGenerator.domains_to_generate):
2241         (ObjCBackendDispatcherImplementationGenerator._generate_handler_implementation_for_domain):
2242         (ObjCConfigurationImplementationGenerator): Deleted.
2243         (ObjCConfigurationImplementationGenerator.__init__): Deleted.
2244         (ObjCConfigurationImplementationGenerator.output_filename): Deleted.
2245         (ObjCConfigurationImplementationGenerator.domains_to_generate): Deleted.
2246         (ObjCConfigurationImplementationGenerator.generate_output): Deleted.
2247         (ObjCConfigurationImplementationGenerator._generate_handler_implementation_for_domain): Deleted.
2248         (ObjCConfigurationImplementationGenerator._generate_handler_implementation_for_command): Deleted.
2249         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command): Deleted.
2250         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command.and): Deleted.
2251         (ObjCConfigurationImplementationGenerator._generate_conversions_for_command): Deleted.
2252         (ObjCConfigurationImplementationGenerator._generate_conversions_for_command.in_param_expression): Deleted.
2253         (ObjCConfigurationImplementationGenerator._generate_invocation_for_command): Deleted.
2254         * inspector/scripts/codegen/generate_objc_configuration_header.py:
2255         (ObjCConfigurationHeaderGenerator.generate_output):
2256         (ObjCConfigurationHeaderGenerator._generate_properties_for_domain):
2257         * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
2258         (ObjCConfigurationImplementationGenerator):
2259         (ObjCConfigurationImplementationGenerator.generate_output):
2260         (ObjCConfigurationImplementationGenerator._generate_configuration_implementation_for_domains):
2261         (ObjCConfigurationImplementationGenerator._generate_ivars):
2262         (ObjCConfigurationImplementationGenerator._generate_dealloc):
2263         (ObjCBackendDispatcherImplementationGenerator): Deleted.
2264         (ObjCBackendDispatcherImplementationGenerator.__init__): Deleted.
2265         (ObjCBackendDispatcherImplementationGenerator.output_filename): Deleted.
2266         (ObjCBackendDispatcherImplementationGenerator.generate_output): Deleted.
2267         (ObjCBackendDispatcherImplementationGenerator._generate_configuration_implementation_for_domains): Deleted.
2268         (ObjCBackendDispatcherImplementationGenerator._generate_ivars): Deleted.
2269         (ObjCBackendDispatcherImplementationGenerator._generate_dealloc): Deleted.
2270         (ObjCBackendDispatcherImplementationGenerator._generate_handler_setter_for_domain): Deleted.
2271         (ObjCBackendDispatcherImplementationGenerator._generate_event_dispatcher_getter_for_domain): Deleted.
2272         (ObjCBackendDispatcherImplementationGenerator._variable_name_prefix_for_domain): Deleted.
2273         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
2274         (ObjCFrontendDispatcherImplementationGenerator.domains_to_generate):
2275         (ObjCFrontendDispatcherImplementationGenerator._generate_event_dispatcher_implementations):
2276         * inspector/scripts/codegen/generate_objc_header.py:
2277         (ObjCHeaderGenerator.generate_output):
2278         (ObjCHeaderGenerator._generate_forward_declarations):
2279         (ObjCHeaderGenerator._generate_enums):
2280         (ObjCHeaderGenerator._generate_types):
2281         (ObjCHeaderGenerator._generate_command_protocols):
2282         (ObjCHeaderGenerator._generate_event_interfaces):
2283         * inspector/scripts/codegen/generate_objc_internal_header.py:
2284         (ObjCInternalHeaderGenerator.generate_output):
2285         (ObjCInternalHeaderGenerator._generate_event_dispatcher_private_interfaces):
2286         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
2287         (ObjCProtocolTypeConversionsHeaderGenerator.domains_to_generate):
2288         (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_conversion_functions):
2289         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_implementation.py:
2290         (ObjCProtocolTypeConversionsImplementationGenerator.domains_to_generate):
2291         (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_interface):
2292         (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_implementation):
2293         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
2294         (ObjCProtocolTypesImplementationGenerator.domains_to_generate):
2295         (ObjCProtocolTypesImplementationGenerator.generate_type_implementations):
2296
2297         * inspector/scripts/codegen/generator.py:
2298         (Generator.can_generate_platform):
2299         (Generator):
2300         (Generator.type_declarations_for_domain):
2301         (Generator.commands_for_domain):
2302         (Generator.events_for_domain):
2303         These are the core methods for computing whether a definition can be used given a target platform.
2304
2305         (Generator.calculate_types_requiring_shape_assertions):
2306         (Generator._traverse_and_assign_enum_values):
2307         * inspector/scripts/codegen/models.py:
2308         (Protocol.parse_type_declaration):
2309         (Protocol.parse_command):
2310         (Protocol.parse_event):
2311         (Protocol.resolve_types):
2312
2313         (Domain.__init__):
2314         (Domain):
2315         (Domain.all_type_declarations):
2316         (Domain.all_commands):
2317         (Domain.all_events):
2318         Hide fields behind these accessors so it's really obvious when we are ignoring platform filtering.
2319
2320         (Domain.resolve_type_references):
2321         (TypeDeclaration.__init__):
2322         (Command.__init__):
2323         (Event.__init__):
2324         * inspector/scripts/codegen/objc_generator.py:
2325         (ObjCGenerator.should_generate_types_for_domain):
2326         (ObjCGenerator):
2327         (ObjCGenerator.should_generate_commands_for_domain):
2328         (ObjCGenerator.should_generate_events_for_domain):
2329         (ObjCGenerator.should_generate_domain_types_filter): Deleted.
2330         (ObjCGenerator.should_generate_domain_types_filter.should_generate_domain_types): Deleted.
2331         (ObjCGenerator.should_generate_domain_command_handler_filter): Deleted.
2332         (ObjCGenerator.should_generate_domain_command_handler_filter.should_generate_domain_command_handler): Deleted.
2333         (ObjCGenerator.should_generate_domain_event_dispatcher_filter): Deleted.
2334         (ObjCGenerator.should_generate_domain_event_dispatcher_filter.should_generate_domain_event_dispatcher): Deleted.
2335         Clean up some messy code that essentially did the same definition filtering as we must do for platforms.
2336         This will be enhanced in a future patch so that platform filtering will take priority over the target framework.
2337
2338         The results above need rebaselining because the class names for two generators were swapped by accident.
2339         Fixing the names causes the order of generated files to change, and this generates ugly diffs because every
2340         generated file includes the same copyright block at the top.
2341
2342         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2343         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2344         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
2345         * inspector/scripts/tests/generic/expected/enum-values.json-result:
2346         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2347         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
2348         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
2349         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
2350         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
2351         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
2352         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
2353         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2354         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
2355
2356         * inspector/scripts/tests/generic/expected/fail-on-command-with-invalid-platform.json-error: Added.
2357         * inspector/scripts/tests/generic/expected/fail-on-type-with-invalid-platform.json-error: Added.
2358         * inspector/scripts/tests/generic/fail-on-command-with-invalid-platform.json: Added.
2359         * inspector/scripts/tests/generic/fail-on-type-with-invalid-platform.json: Added.
2360
2361         Add error test cases for invalid platforms in commands, types, and events.
2362
2363         * inspector/scripts/tests/generic/definitions-with-mac-platform.json: Added.
2364         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result: Added.
2365         * inspector/scripts/tests/all/definitions-with-mac-platform.json: Added.
2366         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result: Added.
2367         * inspector/scripts/tests/ios/definitions-with-mac-platform.json: Added.
2368         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result: Added.
2369         * inspector/scripts/tests/mac/definitions-with-mac-platform.json: Added.
2370         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result: Added.
2371
2372         Add a basic 4-way test that generates code for each platform from the same specification.
2373         With 'macos' platform for each definition, only 'all' and 'mac' generate anything interesting.
2374
2375 2017-01-03  Brian Burg  <bburg@apple.com>
2376
2377         Web Inspector: teach the protocol generator about platform-specific types, events, and commands
2378         https://bugs.webkit.org/show_bug.cgi?id=166003
2379         <rdar://problem/28718990>
2380
2381         Reviewed by Joseph Pecoraro.
2382
2383         This patch implements parser, model, and generator-side changes to account for
2384         platform-specific types, events, and commands. The 'platform' property is parsed
2385         for top-level definitions and assumed to be the 'generic' platform if none is specified.
2386
2387         Since the generator's platform setting acts to filter definitions with an incompatible platform,
2388         all generators must be modified to consult a list of filtered types/commands/events for
2389         a domain instead of directly accessing Domain.{type_declarations, commands, events}. To prevent
2390         accidental misuse, hide those fields behind accessors (e.g., `all_type_declarations()`) so that they
2391         are still accessible if truly necessary, but not used by default and cause an error if not migrated.
2392
2393         * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
2394         (CppAlternateBackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
2395         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
2396         (CppBackendDispatcherHeaderGenerator.domains_to_generate):
2397         (CppBackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
2398         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
2399         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2400         (CppBackendDispatcherImplementationGenerator.domains_to_generate):
2401         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
2402         (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
2403         (CppBackendDispatcherImplementationGenerator._generate_large_dispatcher_switch_implementation_for_domain):
2404         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
2405         (CppFrontendDispatcherHeaderGenerator.domains_to_generate):
2406         (CppFrontendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
2407         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2408         (CppFrontendDispatcherImplementationGenerator.domains_to_generate):
2409         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
2410         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2411         (CppProtocolTypesHeaderGenerator._generate_forward_declarations):
2412         (_generate_typedefs_for_domain):
2413         (_generate_builders_for_domain):
2414         (_generate_forward_declarations_for_binding_traits):
2415         (_generate_declarations_for_enum_conversion_methods):
2416         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2417         (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain):
2418         (CppProtocolTypesImplementationGenerator._generate_open_field_names):
2419         (CppProtocolTypesImplementationGenerator._generate_builders_for_domain):
2420         * inspector/scripts/codegen/generate_js_backend_commands.py:
2421         (JSBackendCommandsGenerator.should_generate_domain):
2422         (JSBackendCommandsGenerator.domains_to_generate):
2423         (JSBackendCommandsGenerator.generate_domain):
2424         (JSBackendCommandsGenerator.domains_to_generate.should_generate_domain): Deleted.
2425         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
2426         (ObjCBackendDispatcherHeaderGenerator.domains_to_generate):
2427         (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations):
2428         (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declarations_for_domain):
2429         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
2430         (ObjCBackendDispatcherImplementationGenerator):
2431         (ObjCBackendDispatcherImplementationGenerator.domains_to_generate):
2432         (ObjCBackendDispatcherImplementationGenerator._generate_handler_implementation_for_domain):
2433         (ObjCConfigurationImplementationGenerator): Deleted.
2434         (ObjCConfigurationImplementationGenerator.__init__): Deleted.
2435         (ObjCConfigurationImplementationGenerator.output_filename): Deleted.
2436         (ObjCConfigurationImplementationGenerator.domains_to_generate): Deleted.
2437         (ObjCConfigurationImplementationGenerator.generate_output): Deleted.
2438         (ObjCConfigurationImplementationGenerator._generate_handler_implementation_for_domain): Deleted.
2439         (ObjCConfigurationImplementationGenerator._generate_handler_implementation_for_command): Deleted.
2440         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command): Deleted.
2441         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command.and): Deleted.
2442         (ObjCConfigurationImplementationGenerator._generate_conversions_for_command): Deleted.
2443         (ObjCConfigurationImplementationGenerator._generate_conversions_for_command.in_param_expression): Deleted.
2444         (ObjCConfigurationImplementationGenerator._generate_invocation_for_command): Deleted.
2445         * inspector/scripts/codegen/generate_objc_configuration_header.py:
2446         (ObjCConfigurationHeaderGenerator.generate_output):
2447         (ObjCConfigurationHeaderGenerator._generate_properties_for_domain):
2448         * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
2449         (ObjCConfigurationImplementationGenerator):
2450         (ObjCConfigurationImplementationGenerator.generate_output):
2451         (ObjCConfigurationImplementationGenerator._generate_configuration_implementation_for_domains):
2452         (ObjCConfigurationImplementationGenerator._generate_ivars):
2453         (ObjCConfigurationImplementationGenerator._generate_dealloc):
2454         (ObjCBackendDispatcherImplementationGenerator): Deleted.
2455         (ObjCBackendDispatcherImplementationGenerator.__init__): Deleted.
2456         (ObjCBackendDispatcherImplementationGenerator.output_filename): Deleted.
2457         (ObjCBackendDispatcherImplementationGenerator.generate_output): Deleted.
2458         (ObjCBackendDispatcherImplementationGenerator._generate_configuration_implementation_for_domains): Deleted.
2459         (ObjCBackendDispatcherImplementationGenerator._generate_ivars): Deleted.
2460         (ObjCBackendDispatcherImplementationGenerator._generate_dealloc): Deleted.
2461         (ObjCBackendDispatcherImplementationGenerator._generate_handler_setter_for_domain): Deleted.
2462         (ObjCBackendDispatcherImplementationGenerator._generate_event_dispatcher_getter_for_domain): Deleted.
2463         (ObjCBackendDispatcherImplementationGenerator._variable_name_prefix_for_domain): Deleted.
2464         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
2465         (ObjCFrontendDispatcherImplementationGenerator.domains_to_generate):
2466         (ObjCFrontendDispatcherImplementationGenerator._generate_event_dispatcher_implementations):
2467         * inspector/scripts/codegen/generate_objc_header.py:
2468         (ObjCHeaderGenerator.generate_output):
2469         (ObjCHeaderGenerator._generate_forward_declarations):
2470         (ObjCHeaderGenerator._generate_enums):
2471         (ObjCHeaderGenerator._generate_types):
2472         (ObjCHeaderGenerator._generate_command_protocols):
2473         (ObjCHeaderGenerator._generate_event_interfaces):
2474         * inspector/scripts/codegen/generate_objc_internal_header.py:
2475         (ObjCInternalHeaderGenerator.generate_output):
2476         (ObjCInternalHeaderGenerator._generate_event_dispatcher_private_interfaces):
2477         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
2478         (ObjCProtocolTypeConversionsHeaderGenerator.domains_to_generate):
2479         (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_conversion_functions):
2480         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_implementation.py:
2481         (ObjCProtocolTypeConversionsImplementationGenerator.domains_to_generate):
2482         (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_interface):
2483         (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_implementation):
2484         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
2485         (ObjCProtocolTypesImplementationGenerator.domains_to_generate):
2486         (ObjCProtocolTypesImplementationGenerator.generate_type_implementations):
2487
2488         * inspector/scripts/codegen/generator.py:
2489         (Generator.can_generate_platform):
2490         (Generator):
2491         (Generator.type_declarations_for_domain):
2492         (Generator.commands_for_domain):
2493         (Generator.events_for_domain):
2494         These are the core methods for computing whether a definition can be used given a target platform.
2495
2496         (Generator.calculate_types_requiring_shape_assertions):
2497         (Generator._traverse_and_assign_enum_values):
2498         * inspector/scripts/codegen/models.py:
2499         (Protocol.parse_type_declaration):
2500         (Protocol.parse_command):
2501         (Protocol.parse_event):
2502         (Protocol.resolve_types):
2503
2504         (Domain.__init__):
2505         (Domain):
2506         (Domain.all_type_declarations):
2507         (Domain.all_commands):
2508         (Domain.all_events):
2509         Hide fields behind these accessors so it's really obvious when we are ignoring platform filtering.
2510
2511         (Domain.resolve_type_references):
2512         (TypeDeclaration.__init__):
2513         (Command.__init__):
2514         (Event.__init__):
2515         * inspector/scripts/codegen/objc_generator.py:
2516         (ObjCGenerator.should_generate_types_for_domain):
2517         (ObjCGenerator):
2518         (ObjCGenerator.should_generate_commands_for_domain):
2519         (ObjCGenerator.should_generate_events_for_domain):
2520         (ObjCGenerator.should_generate_domain_types_filter): Deleted.
2521         (ObjCGenerator.should_generate_domain_types_filter.should_generate_domain_types): Deleted.
2522         (ObjCGenerator.should_generate_domain_command_handler_filter): Deleted.
2523         (ObjCGenerator.should_generate_domain_command_handler_filter.should_generate_domain_command_handler): Deleted.
2524         (ObjCGenerator.should_generate_domain_event_dispatcher_filter): Deleted.
2525         (ObjCGenerator.should_generate_domain_event_dispatcher_filter.should_generate_domain_event_dispatcher): Deleted.
2526         Clean up some messy code that essentially did the same definition filtering as we must do for platforms.
2527         This will be enhanced in a future patch so that platform filtering will take priority over the target framework.
2528
2529         The following results need rebaselining because the class names for two generators were swapped by accident.
2530         Fixing the names causes the order of generated files to change, and this generates ugly diffs because every
2531         generated file includes the same copyright block at the top.
2532
2533         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2534         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2535         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
2536         * inspector/scripts/tests/generic/expected/enum-values.json-result:
2537         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2538         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
2539         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
2540         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
2541         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
2542         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
2543         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
2544         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2545         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
2546
2547 2017-01-03  Brian Burg  <bburg@apple.com>
2548
2549         Web Inspector: teach the protocol generator about platform-specific types, events, and commands
2550         https://bugs.webkit.org/show_bug.cgi?id=166003
2551         <rdar://problem/28718990>
2552
2553         Reviewed by Joseph Pecoraro.
2554
2555         Make it possible to test inspector protocol generator output for different platforms.
2556
2557         Move existing tests to the generic/ subdirectory, as they are to be generated
2558         without any specific platform. Later, platform-specific generator behavior will be
2559         tested by cloning the same test to multiple platform directories.
2560
2561         * inspector/scripts/tests{/ => /generic/}commands-with-async-attribute.json
2562         * inspector/scripts/tests{/ => /generic/}commands-with-optional-call-return-parameters.json
2563         * inspector/scripts/tests{/ => /generic/}domains-with-varying-command-sizes.json
2564         * inspector/scripts/tests{/ => /generic/}enum-values.json
2565         * inspector/scripts/tests{/ => /generic/}events-with-optional-parameters.json
2566         * inspector/scripts/tests{/ => /generic/}expected/commands-with-async-attribute.json-result
2567         * inspector/scripts/tests{/ => /generic/}expected/commands-with-optional-call-return-parameters.json-result
2568         * inspector/scripts/tests{/ => /generic/}expected/domains-with-varying-command-sizes.json-result
2569         * inspector/scripts/tests{/ => /generic/}expected/enum-values.json-result
2570         * inspector/scripts/tests{/ => /generic/}expected/events-with-optional-parameters.json-result
2571         * inspector/scripts/tests{/ => /generic/}expected/fail-on-domain-availability.json-error
2572         * inspector/scripts/tests{/ => /generic/}expected/fail-on-duplicate-command-call-parameter-names.json-error
2573         * inspector/scripts/tests{/ => /generic/}expected/fail-on-duplicate-command-return-parameter-names.json-error
2574         * inspector/scripts/tests{/ => /generic/}expected/fail-on-duplicate-event-parameter-names.json-error
2575         * inspector/scripts/tests{/ => /generic/}expected/fail-on-duplicate-type-declarations.json-error
2576         * inspector/scripts/tests{/ => /generic/}expected/fail-on-duplicate-type-member-names.json-error
2577         * inspector/scripts/tests{/ => /generic/}expected/fail-on-enum-with-no-values.json-error
2578         * inspector/scripts/tests{/ => /generic/}expected/fail-on-number-typed-optional-parameter-flag.json-error
2579         * inspector/scripts/tests{/ => /generic/}expected/fail-on-number-typed-optional-type-member.json-error
2580         * inspector/scripts/tests{/ => /generic/}expected/fail-on-string-typed-optional-parameter-flag.json-error
2581         * inspector/scripts/tests{/ => /generic/}expected/fail-on-string-typed-optional-type-member.json-error
2582         * inspector/scripts/tests{/ => /generic/}expected/fail-on-type-declaration-using-type-reference.json-error
2583         * inspector/scripts/tests{/ => /generic/}expected/fail-on-type-reference-as-primitive-type.json-error
2584         * inspector/scripts/tests{/ => /generic/}expected/fail-on-type-with-lowercase-name.json-error
2585         * inspector/scripts/tests{/ => /generic/}expected/fail-on-unknown-type-reference-in-type-declaration.json-error
2586         * inspector/scripts/tests{/ => /generic/}expected/fail-on-unknown-type-reference-in-type-member.json-error
2587         * inspector/scripts/tests{/ => /generic/}expected/generate-domains-with-feature-guards.json-result
2588         * inspector/scripts/tests{/ => /generic/}expected/same-type-id-different-domain.json-result
2589         * inspector/scripts/tests{/ => /generic/}expected/shadowed-optional-type-setters.json-result
2590         * inspector/scripts/tests{/ => /generic/}expected/type-declaration-aliased-primitive-type.json-result
2591         * inspector/scripts/tests{/ => /generic/}expected/type-declaration-array-type.json-result
2592         * inspector/scripts/tests{/ => /generic/}expected/type-declaration-enum-type.json-result
2593         * inspector/scripts/tests{/ => /generic/}expected/type-declaration-object-type.json-result
2594         * inspector/scripts/tests{/ => /generic/}expected/type-requiring-runtime-casts.json-result
2595         * inspector/scripts/tests{/ => /generic/}fail-on-domain-availability.json
2596         * inspector/scripts/tests{/ => /generic/}fail-on-duplicate-command-call-parameter-names.json
2597         * inspector/scripts/tests{/ => /generic/}fail-on-duplicate-command-return-parameter-names.json
2598         * inspector/scripts/tests{/ => /generic/}fail-on-duplicate-event-parameter-names.json
2599         * inspector/scripts/tests{/ => /generic/}fail-on-duplicate-type-declarations.json
2600         * inspector/scripts/tests{/ => /generic/}fail-on-duplicate-type-member-names.json
2601         * inspector/scripts/tests{/ => /generic/}fail-on-enum-with-no-values.json
2602         * inspector/scripts/tests{/ => /generic/}fail-on-number-typed-optional-parameter-flag.json
2603         * inspector/scripts/tests{/ => /generic/}fail-on-number-typed-optional-type-member.json
2604         * inspector/scripts/tests{/ => /generic/}fail-on-string-typed-optional-parameter-flag.json
2605         * inspector/scripts/tests{/ => /generic/}fail-on-string-typed-optional-type-member.json
2606         * inspector/scripts/tests{/ => /generic/}fail-on-type-declaration-using-type-reference.json
2607         * inspector/scripts/tests{/ => /generic/}fail-on-type-reference-as-primitive-type.json
2608         * inspector/scripts/tests{/ => /generic/}fail-on-type-with-lowercase-name.json
2609         * inspector/scripts/tests{/ => /generic/}fail-on-unknown-type-reference-in-type-declaration.json
2610         * inspector/scripts/tests{/ => /generic/}fail-on-unknown-type-reference-in-type-member.json
2611         * inspector/scripts/tests{/ => /generic/}generate-domains-with-feature-guards.json
2612         * inspector/scripts/tests{/ => /generic/}same-type-id-different-domain.json
2613         * inspector/scripts/tests{/ => /generic/}shadowed-optional-type-setters.json
2614         * inspector/scripts/tests{/ => /generic/}type-declaration-aliased-primitive-type.json
2615         * inspector/scripts/tests{/ => /generic/}type-declaration-array-type.json
2616         * inspector/scripts/tests{/ => /generic/}type-declaration-enum-type.json
2617         * inspector/scripts/tests{/ => /generic/}type-declaration-object-type.json
2618         * inspector/scripts/tests{/ => /generic/}type-requiring-runtime-casts.json
2619
2620 2017-01-03  Brian Burg  <bburg@apple.com>
2621
2622         Web Inspector: teach the protocol generator about platform-specific types, events, and commands
2623         https://bugs.webkit.org/show_bug.cgi?id=166003
2624         <rdar://problem/28718990>
2625
2626         Reviewed by Joseph Pecoraro.
2627
2628         Add a --platform argument to generate-inspector-protocol-bindings.py and propagate
2629         the specified platform to each generator. This will be used in the next few patches
2630         to exclude types, events, and commands that are unsupported by the backend platform.
2631
2632         Convert all subclasses of Generator to pass along their positional arguments so that we
2633         can easily change base class arguments without editing all generator constructors.
2634
2635         * inspector/scripts/codegen/cpp_generator.py:
2636         (CppGenerator.__init__):
2637         * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
2638         (CppAlternateBackendDispatcherHeaderGenerator.__init__):
2639         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
2640         (CppBackendDispatcherHeaderGenerator.__init__):
2641         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2642         (CppBackendDispatcherImplementationGenerator.__init__):
2643         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
2644         (CppFrontendDispatcherHeaderGenerator.__init__):
2645         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2646         (CppFrontendDispatcherImplementationGenerator.__init__):
2647         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2648         (CppProtocolTypesHeaderGenerator.__init__):
2649         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2650         (CppProtocolTypesImplementationGenerator.__init__):
2651         * inspector/scripts/codegen/generate_js_backend_commands.py:
2652         (JSBackendCommandsGenerator.__init__):
2653         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
2654         (ObjCBackendDispatcherHeaderGenerator.__init__):
2655         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
2656         (ObjCConfigurationImplementationGenerator.__init__):
2657         * inspector/scripts/codegen/generate_objc_configuration_header.py:
2658         (ObjCConfigurationHeaderGenerator.__init__):
2659         * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
2660         (ObjCBackendDispatcherImplementationGenerator.__init__):
2661         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
2662         (ObjCFrontendDispatcherImplementationGenerator.__init__):
2663         * inspector/scripts/codegen/generate_objc_header.py:
2664         (ObjCHeaderGenerator.__init__):
2665         * inspector/scripts/codegen/generate_objc_internal_header.py:
2666         (ObjCInternalHeaderGenerator.__init__):
2667         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
2668         (ObjCProtocolTypeConversionsHeaderGenerator.__init__):
2669         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_implementation.py:
2670         (ObjCProtocolTypeConversionsImplementationGenerator.__init__):
2671         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
2672         (ObjCProtocolTypesImplementationGenerator.__init__):
2673         Pass along *args instead of single positional arguments.
2674
2675         * inspector/scripts/codegen/generator.py:
2676         (Generator.__init__):
2677         Save the target platform and add a getter.
2678
2679         * inspector/scripts/codegen/models.py:
2680         (Platform):
2681         (Platform.__init__):
2682         (Platform.fromString):
2683         (Platforms):
2684         Define the allowed Platform instances (iOS, macOS, and Any).
2685
2686         * inspector/scripts/codegen/objc_generator.py:
2687         (ObjCGenerator.and.__init__):
2688         * inspector/scripts/generate-inspector-protocol-bindings.py:
2689         (generate_from_specification):
2690         Pass along *args instead of single positional arguments.
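
        The platform filtering described in the two entries for bug 166003 above (a 'platform' property on each
        definition that defaults to generic, Platform instances for the generator's target, and Domain accessors
        that make unfiltered access explicit), as an added illustration. This is not WebKit's inspector codegen;
        the set of platform names, the matching rule in can_generate_platform, and the sample domain are assumptions.

```python
"""Added illustration, not WebKit's inspector codegen: a generator built for
one target platform filters a domain's definitions, and the raw lists stay
behind Domain.all_*() accessors so unfiltered access is always deliberate.
Platform names, the matching rule and the sample spec are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Platform:
    name: str

    @staticmethod
    def fromString(name):
        for platform in Platforms.ALL:
            if platform.name == name:
                return platform
        raise ValueError("unknown platform: %r" % name)


class Platforms:
    # Assumed set: 'generic' is what a definition gets when it names no
    # platform; 'any' is a generator target that accepts every definition.
    Generic = Platform("generic")
    Any = Platform("any")
    iOS = Platform("ios")
    macOS = Platform("macos")
    ALL = (Generic, Any, iOS, macOS)


@dataclass
class Definition:
    """A type declaration, command or event; only the fields needed here."""
    name: str
    platform: Platform


def parse_definitions(entries):
    """Parse spec entries (dicts as loaded from protocol JSON). A missing
    'platform' property means generic, as the ChangeLog describes."""
    result = []
    for entry in entries:
        platform = Platform.fromString(entry.get("platform", "generic"))
        if platform == Platforms.Any:
            raise ValueError("%s: 'any' is a target, not a definition platform" % entry["name"])
        result.append(Definition(entry["name"], platform))
    return result


class Domain:
    def __init__(self, name, type_declarations, commands, events):
        self.name = name
        self._type_declarations = type_declarations
        self._commands = commands
        self._events = events

    # Unfiltered access goes only through these accessors, so a generator
    # that bypasses platform filtering has to say so by name.
    def all_type_declarations(self):
        return list(self._type_declarations)

    def all_commands(self):
        return list(self._commands)

    def all_events(self):
        return list(self._events)


class Generator:
    def __init__(self, platform):
        self._platform = platform

    def can_generate_platform(self, definition_platform):
        # Assumed rule: generic definitions always generate; otherwise the
        # definition must match the target unless the target is 'any'.
        return (definition_platform == Platforms.Generic
                or self._platform == Platforms.Any
                or definition_platform == self._platform)

    def _filter(self, definitions):
        return [d for d in definitions if self.can_generate_platform(d.platform)]

    def type_declarations_for_domain(self, domain):
        return self._filter(domain.all_type_declarations())

    def commands_for_domain(self, domain):
        return self._filter(domain.all_commands())

    def events_for_domain(self, domain):
        return self._filter(domain.all_events())


# Constructed sample domain mixing generic and platform-specific definitions.
SAMPLE_DOMAIN = Domain(
    "Sample",
    parse_definitions([{"name": "Widget"},
                       {"name": "TouchPoint", "platform": "ios"},
                       {"name": "MenuBarItem", "platform": "macos"}]),
    parse_definitions([{"name": "enable"},
                       {"name": "simulateTouch", "platform": "ios"}]),
    parse_definitions([{"name": "widgetAdded"}]),
)


def names_for_target(target):
    """Names of the types, commands and events a generator for `target` emits."""
    generator = Generator(Platform.fromString(target))
    return {
        "types": [d.name for d in generator.type_declarations_for_domain(SAMPLE_DOMAIN)],
        "commands": [d.name for d in generator.commands_for_domain(SAMPLE_DOMAIN)],
        "events": [d.name for d in generator.events_for_domain(SAMPLE_DOMAIN)],
    }
```

        Every generator goes through Generator.*_for_domain(); the only way to see a definition the target
        platform excludes is to call Domain.all_*() by name, which is the "really obvious" property the entry asks for.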
2691
2692 2017-01-04  JF Bastien  <jfbastien@apple.com>
2693
2694         WebAssembly JS API: add Module.sections
2695         https://bugs.webkit.org/show_bug.cgi?id=165159
2696         <rdar://problem/29760326>
2697
2698         Reviewed by Mark Lam.
2699
2700         As described in: https://github.com/WebAssembly/design/blob/master/JS.md#webassemblymodulecustomsections
2701
2702         This was added for Emscripten, and is likely to be used soon.
2703
2704         * wasm/WasmFormat.h: custom sections are just name + bytes
2705         * wasm/WasmModuleParser.cpp: parse them, instead of skipping over
2706         * wasm/WasmModuleParser.h:
2707         * wasm/js/WebAssemblyModulePrototype.cpp: construct the Array of
2708         ArrayBuffer as described in the spec
2709         (JSC::webAssemblyModuleProtoCustomSections):
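
        What the custom-section parsing above amounts to at the binary level, as an added illustration that is
        not JavaScriptCore's WasmModuleParser: walk the section table of a wasm module, collect every custom
        section (id 0) as a name plus its remaining bytes, and return all sections of a given name as a list,
        the shape the JS API builds its Array of ArrayBuffer from. The sample module is constructed inline.

```python
"""Added illustration, not JSC's parser: custom sections are just name + bytes.
A section walker must skip non-custom sections by their declared size and
bounds-check every length it reads from the module."""
import struct

WASM_MAGIC = b"\0asm"
WASM_VERSION = 1
CUSTOM_SECTION_ID = 0


def read_leb128_u32(data, offset):
    """Decode an unsigned LEB128 u32 at `offset`; return (value, new_offset).
    Rejects encodings that run past the buffer or exceed 32 bits."""
    result = 0
    shift = 0
    for _ in range(5):
        if offset >= len(data):
            raise ValueError("truncated LEB128 at offset %d" % offset)
        byte = data[offset]
        offset += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            if result > 0xFFFFFFFF:
                raise ValueError("LEB128 value exceeds u32")
            return result, offset
        shift += 7
    raise ValueError("LEB128 u32 longer than 5 bytes")


def iter_sections(module):
    """Yield (section_id, payload) for each section after the 8-byte header."""
    if len(module) < 8 or module[:4] != WASM_MAGIC:
        raise ValueError("bad magic")
    if struct.unpack_from("<I", module, 4)[0] != WASM_VERSION:
        raise ValueError("unsupported version")
    offset = 8
    while offset < len(module):
        section_id = module[offset]
        size, offset = read_leb128_u32(module, offset + 1)
        end = offset + size
        if end > len(module):
            raise ValueError("section %d runs past end of module" % section_id)
        yield section_id, module[offset:end]
        offset = end


def custom_sections(module):
    """Return [(name, bytes)] for every custom section, in module order."""
    found = []
    for section_id, payload in iter_sections(module):
        if section_id != CUSTOM_SECTION_ID:
            continue  # known sections are skipped by size, not decoded
        name_len, pos = read_leb128_u32(payload, 0)
        if pos + name_len > len(payload):
            raise ValueError("custom section name runs past its payload")
        name = payload[pos:pos + name_len].decode("utf-8")
        found.append((name, payload[pos + name_len:]))
    return found


def custom_sections_named(module, name):
    """All custom sections with this name, as a list of byte strings."""
    return [contents for found_name, contents in custom_sections(module) if found_name == name]


def is_well_formed(module):
    """True when the section table parses cleanly; truncated modules are rejected."""
    try:
        custom_sections(module)
        return True
    except ValueError:
        return False


def _leb128(value):
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        out.append(byte | 0x80 if value else byte)
        if not value:
            return bytes(out)


def _section(section_id, payload):
    return bytes([section_id]) + _leb128(len(payload)) + payload


def _custom(name, contents):
    encoded = name.encode("utf-8")
    return _section(CUSTOM_SECTION_ID, _leb128(len(encoded)) + encoded + contents)


# Constructed sample: header, one type section, then three custom sections
# (two sharing the name "meta") so the by-name lookup returns more than one.
SAMPLE_MODULE = (
    WASM_MAGIC + struct.pack("<I", WASM_VERSION)
    + _section(1, b"\x01\x60\x00\x00")  # type section: one () -> () signature
    + _custom("meta", b"\x01\x02")
    + _custom("name", b"\x00")
    + _custom("meta", b"\x03")
)

if __name__ == "__main__":
    for section_name, contents in custom_sections(SAMPLE_MODULE):
        print(section_name, contents.hex())
```

        The two length checks (section size against the module, name length against the payload) are the part a
        section walker gets wrong most easily; a module that lies about either is rejected rather than read past its end.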
2710
2711 2017-01-04  Saam Barati  <sbarati@apple.com>
2712
2713         We don't properly handle exceptions inside the nativeCallTrampoline macro in the LLInt
2714         https://bugs.webkit.org/show_bug.cgi?id=163720
2715
2716         Reviewed by Mark Lam.
2717
2718         In the LLInt, we were incorrectly doing the exception check after the call.
2719         Before the exception check, we were unwinding to our caller's
2720         frame under the assumption that our caller was always a JS frame.
2721         This is incorrect, however, because our caller might be a C frame.
2722         One way that it can be a C frame is when C calls to JS, and JS tail
2723         calls to native. This patch fixes this bug by doing unwinding from
2724         the native callee's frame instead of its callers.
2725
2726         * llint/LowLevelInterpreter32_64.asm:
2727         * llint/LowLevelInterpreter64.asm:
2728
2729 2017-01-03  JF Bastien  <jfbastien@apple.com>
2730
2731         REGRESSION (r210244): Release JSC Stress test failure: wasm.yaml/wasm/js-api/wasm-to-wasm.js.default-wasm
2732         https://bugs.webkit.org/show_bug.cgi?id=166669
2733         <rdar://problem/29856455>
2734
2735         Reviewed by Saam Barati.
2736
2737         Bug #165282 added wasm -> wasm calls, but caused crashes in
2738         release builds because the pinned registers are also callee-saved
2739         and were being clobbered. B3 didn't see itself clobbering them
2740         when no memory was used, and therefore omitted a restore.
2741
2742         This was causing the C++ code in callWebAssemblyFunction to crash
2743         because $r12 was 0, and it expected it to have its value prior to
2744         the call.
2745
2746         * wasm/WasmB3IRGenerator.cpp:
2747         (JSC::Wasm::createJSToWasmWrapper):
2748
2749 2017-01-03  Joseph Pecoraro  <pecoraro@apple.com>
2750
2751         Web Inspector: Address failures under LayoutTests/inspector/debugger/stepping
2752         https://bugs.webkit.org/show_bug.cgi?id=166300
2753
2754         Reviewed by Brian Burg.
2755
2756         * debugger/Debugger.cpp:
2757         (JSC::Debugger::continueProgram):
2758         When continuing, clear states that would have had us pause again.
2759
2760         * inspector/agents/InspectorDebuggerAgent.cpp:
2761         (Inspector::InspectorDebuggerAgent::didBecomeIdle):
2762         When resuming after becoming idle, be sure to clear Debugger state.
2763
2764 2017-01-03  JF Bastien  <jfbastien@apple.com>
2765
2766         WebAssembly JS API: check and test in-call / out-call values
2767         https://bugs.webkit.org/show_bug.cgi?id=164876
2768         <rdar://problem/29844107>
2769
2770         Reviewed by Saam Barati.
2771
2772         * wasm/WasmBinding.cpp:
2773         (JSC::Wasm::wasmToJs): fix the wasm -> JS call coercions for f32 /
2774         f64 which the associated tests inadvertently tripped on: the
2775         previous code wasn't correctly performing JSValue boxing for
2776         "double" values. This change is slightly involved because it
2777         requires two scratch registers to materialize the
2778         `DoubleEncodeOffset` value. This change therefore reorganizes the
2779         code to first generate traps, then handle all integers (freeing
2780         all GPRs), and then all the floating-point values.
2781         * wasm/js/WebAssemblyFunction.cpp:
2782         (JSC::callWebAssemblyFunction): Implement the defined semantics
2783         for mismatched arities when JS calls wasm:
2784         https://github.com/WebAssembly/design/blob/master/JS.md#exported-function-exotic-objects
2785           - i32 is 0, f32 / f64 are NaN.
2786           - wasm functions which return "void" are "undefined" in JS.
2787
2788 2017-01-03  Per Arne Vollan  <pvollan@apple.com>
2789
2790         [Win] jsc.exe sometimes never exits.
2791         https://bugs.webkit.org/show_bug.cgi?id=158073
2792
2793         Reviewed by Darin Adler.
2794
2795         On Windows the thread specific destructor is also called when the main thread is exiting.
2796         This may lead to the main thread waiting forever for the machine thread lock when exiting,
2797         if the sampling profiler thread was terminated by the system while holding the machine
2798         thread lock.
2799
2800         * heap/MachineStackMarker.cpp:
2801         (JSC::MachineThreads::removeThread):
2802
2803 2017-01-02  Julien Brianceau  <jbriance@cisco.com>
2804
2805         Remove sh4 specific code from JavaScriptCore
2806         https://bugs.webkit.org/show_bug.cgi?id=166640
2807
2808         Reviewed by Filip Pizlo.
2809
2810         sh4-specific code has not compiled for a while (r189884 at least).
2811         As nobody seems to have interest in this architecture anymore, let's
2812         remove this dead code and thus ease the burden for JSC maintainers.
2813
2814         * CMakeLists.txt:
2815         * JavaScriptCore.xcodeproj/project.pbxproj:
2816         * assembler/AbstractMacroAssembler.h:
2817         (JSC::AbstractMacroAssembler::Jump::Jump):
2818         (JSC::AbstractMacroAssembler::Jump::link):
2819         * assembler/MacroAssembler.h:
2820         * assembler/MacroAssemblerSH4.h: Removed.
2821         * assembler/MaxFrameExtentForSlowPathCall.h:
2822         * assembler/SH4Assembler.h: Removed.
2823         * bytecode/DOMJITAccessCasePatchpointParams.cpp:
2824         (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
2825         * dfg/DFGSpeculativeJIT.h:
2826         (JSC::DFG::SpeculativeJIT::callOperation):
2827         * jit/AssemblyHelpers.h:
2828         (JSC::AssemblyHelpers::debugCall):
2829         * jit/CCallHelpers.h:
2830         (JSC::CCallHelpers::setupArgumentsWithExecState):
2831         (JSC::CCallHelpers::prepareForTailCallSlow):
2832         * jit/CallFrameShuffler.cpp:
2833         (JSC::CallFrameShuffler::prepareForTailCall):
2834         * jit/ExecutableAllocator.h:
2835         * jit/FPRInfo.h:
2836         * jit/GPRInfo.h:
2837         * jit/JITInlines.h:
2838         (JSC::JIT::callOperation):
2839         * jit/JITOpcodes32_64.cpp:
2840         (JSC::JIT::privateCompileCTINativeCall):
2841         * jit/JITOperations.cpp:
2842         * jit/RegisterSet.cpp:
2843         (JSC::RegisterSet::llintBaselineCalleeSaveRegisters):
2844         (JSC::RegisterSet::dfgCalleeSaveRegisters):
2845         * jit/ThunkGenerators.cpp:
2846         (JSC::nativeForGenerator):
2847         * llint/LLIntData.cpp:
2848         (JSC::LLInt::Data::performAssertions):
2849         * llint/LLIntOfflineAsmConfig.h:
2850         * llint/LowLevelInterpreter.asm:
2851         * llint/LowLevelInterpreter32_64.asm:
2852         * offlineasm/backends.rb:
2853         * offlineasm/instructions.rb:
2854         * offlineasm/sh4.rb: Removed.
2855         * yarr/YarrJIT.cpp:
2856         (JSC::Yarr::YarrGenerator::generateEnter):
2857         (JSC::Yarr::YarrGenerator::generateReturn):
2858
2859 2017-01-02  JF Bastien  <jfbastien@apple.com>
2860
2861         WebAssembly: handle and optimize wasm export → wasm import calls
2862         https://bugs.webkit.org/show_bug.cgi?id=165282
2863
2864         Reviewed by Saam Barati.
2865
2866           - Add a new JSType for WebAssemblyFunction, and use it when creating its
2867             structure. This is used to quickly detect from wasm whether the import
2868             call is to another wasm module, or whether it's to JS.
2869           - Generate two stubs from the import stub generator: one for wasm->JS and one
2870             for wasm -> wasm. This is done at Module time. Which is called will only be
2871             known at Instance time, once we've received the import object. We want to
2872             avoid codegen at Instance time, so having both around is great.
2873           - Restore the WebAssembly global state (VM top Instance, and pinned registers)
2874             after call / call_indirect, and in the JS->wasm entry stub.
2875           - Pinned registers are now a global thing, not per-Memory, because the wasm ->
2876             wasm stubs are generated at Module time where we don't really have enough
2877             information to do the right thing (doing so would generate too much code).
2878
2879         * CMakeLists.txt:
2880         * JavaScriptCore.xcodeproj/project.pbxproj:
2881         * runtime/JSType.h: add WebAssemblyFunctionType as a JSType
2882         * wasm/WasmB3IRGenerator.cpp: significantly rework how calls which
2883         could be external work, and how we save / restore global state:
2884         VM's top Instance, and pinned registers
2885         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2886         (JSC::Wasm::getMemoryBaseAndSize):
2887         (JSC::Wasm::restoreWebAssemblyGlobalState):
2888         (JSC::Wasm::createJSToWasmWrapper):
2889         (JSC::Wasm::parseAndCompile):
2890         * wasm/WasmB3IRGenerator.h:
2891         * wasm/WasmBinding.cpp:
2892         (JSC::Wasm::materializeImportJSCell):
2893         (JSC::Wasm::wasmToJS):
2894         (JSC::Wasm::wasmToWasm): the main goal of this patch was adding this function
2895         (JSC::Wasm::exitStubGenerator):
2896         * wasm/WasmBinding.h:
2897         * wasm/WasmFormat.h: Get rid of much of the function index space:
2898         we already have all of its information elsewhere, and as-is it
2899         provides no extra efficiency.
2900         (JSC::Wasm::ModuleInformation::functionIndexSpaceSize):
2901         (JSC::Wasm::ModuleInformation::isImportedFunctionFromFunctionIndexSpace):
2902         (JSC::Wasm::ModuleInformation::signatureIndexFromFunctionIndexSpace):
2903         * wasm/WasmFunctionParser.h:
2904         (JSC::Wasm::FunctionParser<Context>::FunctionParser):
2905         * wasm/WasmMemory.cpp: Add some logging.
2906         (JSC::Wasm::Memory::dump): this was nice when debugging
2907         (JSC::Wasm::Memory::makeString):
2908         (JSC::Wasm::Memory::Memory):
2909         (JSC::Wasm::Memory::~Memory):
2910         (JSC::Wasm::Memory::grow):
2911         * wasm/WasmMemory.h: don't use extra indirection, it wasn't
2912         needed. Reorder some of the fields which are looked up at runtime
2913         so they're more cache-friendly.
2914         (JSC::Wasm::Memory::Memory):
2915         (JSC::Wasm::Memory::mode):
2916         (JSC::Wasm::Memory::offsetOfSize):
2917         * wasm/WasmMemoryInformation.cpp: Pinned registers are now a
2918         global thing for all of JSC, not a per-Memory thing
2919         anymore. wasm->wasm calls are more complex otherwise: they have to
2920         figure out how to bridge between the caller and callee's
2921         special-snowflake pinning.
2922         (JSC::Wasm::PinnedRegisterInfo::get):
2923         (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
2924         (JSC::Wasm::MemoryInformation::MemoryInformation):
2925         * wasm/WasmMemoryInformation.h:
2926         * wasm/WasmModuleParser.cpp:
2927         * wasm/WasmModuleParser.h:
2928         * wasm/WasmPageCount.cpp: Copied from Source/JavaScriptCore/wasm/WasmBinding.h.
2929         (JSC::Wasm::PageCount::dump): nice for debugging
2930         * wasm/WasmPageCount.h:
2931         * wasm/WasmPlan.cpp:
2932         (JSC::Wasm::Plan::parseAndValidateModule):
2933         (JSC::Wasm::Plan::run):
2934         * wasm/WasmPlan.h:
2935         (JSC::Wasm::Plan::takeWasmExitStubs):
2936         * wasm/WasmSignature.cpp:
2937         (JSC::Wasm::Signature::toString):
2938         (JSC::Wasm::Signature::dump):
2939         * wasm/WasmSignature.h:
2940         * wasm/WasmValidate.cpp:
2941         (JSC::Wasm::validateFunction):
2942         * wasm/WasmValidate.h:
2943         * wasm/js/JSWebAssemblyInstance.h:
2944         (JSC::JSWebAssemblyInstance::offsetOfTable):
2945         (JSC::JSWebAssemblyInstance::offsetOfImportFunctions):
2946         (JSC::JSWebAssemblyInstance::offsetOfImportFunction):
2947         * wasm/js/JSWebAssemblyMemory.cpp:
2948         (JSC::JSWebAssemblyMemory::create):
2949         (JSC::JSWebAssemblyMemory::JSWebAssemblyMemory):
2950         (JSC::JSWebAssemblyMemory::buffer):
2951         (JSC::JSWebAssemblyMemory::grow):
2952         * wasm/js/JSWebAssemblyMemory.h:
2953         (JSC::JSWebAssemblyMemory::memory):
2954         (JSC::JSWebAssemblyMemory::offsetOfMemory):
2955         (JSC::JSWebAssemblyMemory::offsetOfSize):
2956         * wasm/js/JSWebAssemblyModule.cpp:
2957         (JSC::JSWebAssemblyModule::create):
2958         (JSC::JSWebAssemblyModule::JSWebAssemblyModule):
2959         * wasm/js/JSWebAssemblyModule.h:
2960         (JSC::JSWebAssemblyModule::signatureIndexFromFunctionIndexSpace):
2961         (JSC::JSWebAssemblyModule::functionImportCount):
2962         * wasm/js/WebAssemblyFunction.cpp:
2963         (JSC::callWebAssemblyFunction):
2964         (JSC::WebAssemblyFunction::create):
2965         (JSC::WebAssemblyFunction::createStructure):
2966         (JSC::WebAssemblyFunction::WebAssemblyFunction):
2967         (JSC::WebAssemblyFunction::finishCreation):
2968         * wasm/js/WebAssemblyFunction.h:
2969         (JSC::WebAssemblyFunction::wasmEntrypoint):
2970         (JSC::WebAssemblyFunction::offsetOfInstance):
2971         (JSC::WebAssemblyFunction::offsetOfWasmEntryPointCode):
2972         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2973         (JSC::constructJSWebAssemblyInstance): always start with a dummy
2974         memory, so wasm->wasm calls don't need to null-check
2975         * wasm/js/WebAssemblyMemoryConstructor.cpp:
2976         (JSC::constructJSWebAssemblyMemory):
2977         * wasm/js/WebAssemblyModuleConstructor.cpp:
2978         (JSC::WebAssemblyModuleConstructor::createModule):
2979         * wasm/js/WebAssemblyModuleRecord.cpp:
2980         (JSC::WebAssemblyModuleRecord::link):
2981         (JSC::WebAssemblyModuleRecord::evaluate):
2982         * wasm/js/WebAssemblyModuleRecord.h:
2983
2984 2017-01-02  Saam Barati  <sbarati@apple.com>
2985
2986         WebAssembly: Some loads don't take into account the offset
2987         https://bugs.webkit.org/show_bug.cgi?id=166616
2988         <rdar://problem/29841541>
2989
2990         Reviewed by Keith Miller.
2991
2992         * wasm/WasmB3IRGenerator.cpp:
2993         (JSC::Wasm::B3IRGenerator::emitLoadOp):
2994
2995 2017-01-01  Jeff Miller  <jeffm@apple.com>
2996
2997         Update user-visible copyright strings to include 2017
2998         https://bugs.webkit.org/show_bug.cgi?id=166278
2999
3000         Reviewed by Dan Bernstein.
3001
3002         * Info.plist:
3003
3004 2016-12-28  Saam Barati  <sbarati@apple.com>
3005
3006         WebAssembly: Don't allow duplicate export names
3007         https://bugs.webkit.org/show_bug.cgi?id=166490
3008         <rdar://problem/29815000>
3009
3010         Reviewed by Keith Miller.
3011
3012         * wasm/WasmModuleParser.cpp:
3013
3014 2016-12-28  Saam Barati  <sbarati@apple.com>
3015
3016         Unreviewed. Fix jsc.cpp build error.
3017
3018         * jsc.cpp:
3019         (functionTestWasmModuleFunctions):
3020
3021 2016-12-28  Saam Barati  <sbarati@apple.com>
3022
3023         WebAssembly: Implement grow_memory and current_memory
3024         https://bugs.webkit.org/show_bug.cgi?id=166448
3025         <rdar://problem/29803676>
3026
3027         Reviewed by Keith Miller.
3028
3029         This patch implements grow_memory, current_memory, and WebAssembly.prototype.grow.
3030         See relevant spec texts here:
3031         
3032         https://github.com/WebAssembly/design/blob/master/Semantics.md#linear-memory-accesses
3033         https://github.com/WebAssembly/design/blob/master/JS.md#webassemblymemoryprototypegrow
3034         
3035         I also fix a couple of miscellaneous bugs:
3036         
3037         1. Data section now understands full init_exprs. 
3038         2. parseVarUint1 no longer has a bug where we allow values larger than 1 if
3039         their bottom 8 bits are zero.
3040         
3041         Since the JS API can now grow memory, we need to make calling an import
3042         and call_indirect refresh the base memory register and the size registers.
3043
3044         * jsc.cpp:
3045         (functionTestWasmModuleFunctions):
3046         * runtime/Options.h:
3047         * runtime/VM.h:
3048         * wasm/WasmB3IRGenerator.cpp:
3049         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3050         (JSC::Wasm::reloadPinnedRegisters):
3051         (JSC::Wasm::B3IRGenerator::emitReloadPinnedRegisters):
3052         (JSC::Wasm::createJSToWasmWrapper):
3053         (JSC::Wasm::parseAndCompile):
3054         * wasm/WasmFormat.cpp:
3055         (JSC::Wasm::Segment::create):
3056         * wasm/WasmFormat.h:
3057         (JSC::Wasm::I32InitExpr::I32InitExpr):
3058         (JSC::Wasm::I32InitExpr::globalImport):
3059         (JSC::Wasm::I32InitExpr::constValue):
3060         (JSC::Wasm::I32InitExpr::isConst):
3061         (JSC::Wasm::I32InitExpr::isGlobalImport):
3062         (JSC::Wasm::I32InitExpr::globalImportIndex):
3063         (JSC::Wasm::Segment::byte):
3064         (JSC::Wasm::ModuleInformation::importFunctionCount):
3065         (JSC::Wasm::ModuleInformation::hasMemory):
3066         * wasm/WasmFunctionParser.h:
3067         * wasm/WasmMemory.cpp:
3068         (JSC::Wasm::Memory::Memory):
3069         (JSC::Wasm::Memory::grow):
3070         * wasm/WasmMemory.h:
3071         (JSC::Wasm::Memory::size):
3072         (JSC::Wasm::Memory::sizeInPages):
3073         (JSC::Wasm::Memory::offsetOfMemory):
3074         (JSC::Wasm::Memory::isValid): Deleted.
3075         (JSC::Wasm::Memory::grow): Deleted.
3076         * wasm/WasmModuleParser.cpp:
3077         (JSC::Wasm::makeI32InitExpr):
3078         * wasm/WasmModuleParser.h:
3079         * wasm/WasmPageCount.h:
3080         (JSC::Wasm::PageCount::bytes):
3081         (JSC::Wasm::PageCount::pageCount):
3082         (JSC::Wasm::PageCount::fromBytes):
3083         (JSC::Wasm::PageCount::operator+):
3084         * wasm/WasmParser.h:
3085         (JSC::Wasm::Parser<SuccessType>::parseVarUInt1):
3086         * wasm/WasmValidate.cpp:
3087         * wasm/js/JSWebAssemblyInstance.h:
3088         (JSC::JSWebAssemblyInstance::offsetOfMemory):
3089         * wasm/js/JSWebAssemblyMemory.cpp:
3090         (JSC::JSWebAssemblyMemory::~JSWebAssemblyMemory):
3091         (JSC::JSWebAssemblyMemory::grow):
3092         * wasm/js/JSWebAssemblyMemory.h:
3093         (JSC::JSWebAssemblyMemory::offsetOfMemory):
3094         * wasm/js/JSWebAssemblyModule.h:
3095         (JSC::JSWebAssemblyModule::functionImportCount):
3096         (JSC::JSWebAssemblyModule::jsEntrypointCalleeFromFunctionIndexSpace):
3097         (JSC::JSWebAssemblyModule::wasmEntrypointCalleeFromFunctionIndexSpace):
3098         (JSC::JSWebAssemblyModule::importCount): Deleted.
3099         * wasm/js/WebAssemblyFunction.cpp:
3100         (JSC::callWebAssemblyFunction):
3101         * wasm/js/WebAssemblyInstanceConstructor.cpp:
3102         (JSC::constructJSWebAssemblyInstance):
3103         * wasm/js/WebAssemblyMemoryConstructor.cpp:
3104         (JSC::constructJSWebAssemblyMemory):
3105         * wasm/js/WebAssemblyMemoryPrototype.cpp:
3106         (JSC::getMemory):
3107         (JSC::webAssemblyMemoryProtoFuncBuffer):
3108         (JSC::webAssemblyMemoryProtoFuncGrow):
3109         * wasm/js/WebAssemblyModuleRecord.cpp:
3110         (JSC::WebAssemblyModuleRecord::link):
3111         (JSC::dataSegmentFail):
3112         (JSC::WebAssemblyModuleRecord::evaluate):
3113         * wasm/wasm.json:
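
The parseVarUInt1 fix above (item 2) concerns a LEB128 range check that looked only at the low byte of the decoded value. The following stand-alone C++ is an added example, not JSC's parser: decodeVarUInt32 is a hypothetical LEB128 decoder with the length and spare-bit checks a WebAssembly binary parser needs, and buggyParseVarUInt1 / parseVarUInt1 contrast a low-8-bits check with a full-width one on constructed byte sequences.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Decoded result: ok == false means the bytes were rejected.
struct VarUInt {
    bool ok;
    uint32_t value;
};

// Hypothetical unsigned LEB128 decoder for a varuint32 (not JSC's Parser).
// Rejects truncated input, more than 5 bytes, and a 5th byte whose payload
// has bits set that would not fit in 32 bits.
VarUInt decodeVarUInt32(const std::vector<uint8_t>& data, size_t& offset)
{
    uint32_t result = 0;
    for (unsigned i = 0; i < 5; ++i) {
        if (offset >= data.size())
            return { false, 0 };                // truncated
        uint8_t byte = data[offset++];
        uint32_t payload = byte & 0x7f;
        if (i == 4 && (payload & ~0x0fu))
            return { false, 0 };                // would need more than 32 bits
        result |= payload << (7 * i);
        if (!(byte & 0x80))
            return { true, result };
    }
    return { false, 0 };                        // continuation bit still set on the 5th byte
}

// Reconstruction of the flawed check (hypothetical, not JSC's exact code):
// only the low 8 bits are compared with 1, so any value whose low byte is
// 0 or 1 (256, 257, 512, ...) is accepted as a valid varuint1.
VarUInt buggyParseVarUInt1(const std::vector<uint8_t>& data, size_t& offset)
{
    VarUInt v = decodeVarUInt32(data, offset);
    if (!v.ok)
        return v;
    uint8_t low = static_cast<uint8_t>(v.value);
    if (low > 1)
        return { false, 0 };
    return { true, low };
}

// Corrected check: the whole decoded value must be 0 or 1.
VarUInt parseVarUInt1(const std::vector<uint8_t>& data, size_t& offset)
{
    VarUInt v = decodeVarUInt32(data, offset);
    if (!v.ok || v.value > 1)
        return { false, 0 };
    return v;
}

// Helpers: run a decoder from offset 0 and fold the outcome into one
// integer, -1 meaning "rejected".
long long runVarUInt32(const std::vector<uint8_t>& bytes)
{
    size_t offset = 0;
    VarUInt v = decodeVarUInt32(bytes, offset);
    return v.ok ? static_cast<long long>(v.value) : -1;
}

int runVarUInt1(const std::vector<uint8_t>& bytes, bool useBuggyCheck)
{
    size_t offset = 0;
    VarUInt v = useBuggyCheck ? buggyParseVarUInt1(bytes, offset) : parseVarUInt1(bytes, offset);
    return v.ok ? static_cast<int>(v.value) : -1;
}
```

The constructed two-byte sequence 0x80 0x02 decodes to 256: its low byte is zero, so the buggy check reports a valid varuint1 of 0 while the corrected check rejects the module. Fields the MVP binary format encodes as varuint1, such as a global's mutability flag, are exactly where a lenient check lets a malformed module through validation.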
3114
3115 2016-12-26  Yusuke Suzuki  <utatane.tea@gmail.com>
3116
3117         Use variadic templates in JSC Parser to clean up
3118         https://bugs.webkit.org/show_bug.cgi?id=166482
3119
3120         Reviewed by Saam Barati.
3121
3122         * parser/Parser.cpp:
3123         (JSC::Parser<LexerType>::logError):
3124         * parser/Parser.h:
3125
3126 2016-12-25  Yusuke Suzuki  <utatane.tea@gmail.com>
3127
3128         Propagate the source origin as much as possible
3129         https://bugs.webkit.org/show_bug.cgi?id=166348
3130
3131         Reviewed by Darin Adler.
3132
3133         This patch introduces CallFrame::callerSourceOrigin, SourceOrigin class
3134         and SourceProvider::m_sourceOrigin. CallFrame::callerSourceOrigin returns
3135         an appropriate SourceOrigin if possible. If we cannot find the appropriate
3136         one, we just return null SourceOrigin.
3137
3138         This paves the way for implementing the module dynamic-import[1].
3139         When the import operator is evaluated, it will resolve the module
3140         specifier with this propagated source origin of the caller function.
3141
3142         To support import operator inside the dynamic code generation
3143         functions (like `eval`, `new Function`, indirect call to `eval`),
3144         we need to propagate the caller's source origin to the generated
3145         source code.
3146
3147         We do not use sourceURL for that purpose. This is because we
3148         would like to keep sourceURL for `eval` / `new Function` null.
3149         This sourceURL will be used for the stack dump for errors with line/column
3150         numbers. Dumping the caller's sourceURL with line/column numbers are
3151         meaningless. So we would like to keep it null while we would like
3152         to propagate SourceOrigin for dynamic imports.
3153
3154         [1]: https://github.com/tc39/proposal-dynamic-import
3155
3156         * API/JSBase.cpp:
3157         (JSEvaluateScript):
3158         (JSCheckScriptSyntax):
3159         * API/JSObjectRef.cpp:
3160         (JSObjectMakeFunction):
3161         * API/JSScriptRef.cpp:
3162         (OpaqueJSScript::create):
3163         (OpaqueJSScript::vm):
3164         (OpaqueJSScript::OpaqueJSScript):
3165         (parseScript):
3166         * JavaScriptCore.xcodeproj/project.pbxproj:
3167         * Scripts/builtins/builtins_templates.py:
3168         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
3169         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
3170         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
3171         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
3172         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
3173         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
3174         * builtins/BuiltinExecutables.cpp:
3175         (JSC::BuiltinExecutables::BuiltinExecutables):
3176         (JSC::BuiltinExecutables::createDefaultConstructor):
3177         * debugger/DebuggerCallFrame.cpp:
3178         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
3179         * inspector/InjectedScriptManager.cpp:
3180         (Inspector::InjectedScriptManager::createInjectedScript):
3181         * inspector/JSInjectedScriptHost.cpp:
3182         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
3183         * inspector/agents/InspectorRuntimeAgent.cpp:
3184         (Inspector::InspectorRuntimeAgent::parse):
3185         * interpreter/CallFrame.cpp:
3186         (JSC::CallFrame::callerSourceOrigin):
3187         * interpreter/CallFrame.h:
3188         * interpreter/Interpreter.cpp:
3189         (JSC::eval):
3190         * jsc.cpp:
3191         (jscSource):
3192         (GlobalObject::finishCreation):
3193         (extractDirectoryName):
3194         (currentWorkingDirectory):
3195         (GlobalObject::moduleLoaderResolve):
3196         (functionRunString):
3197         (functionLoadString):
3198         (functionCallerSourceOrigin):
3199         (functionCreateBuiltin):
3200         (functionCheckModuleSyntax):
3201         (runInteractive):
3202         * parser/SourceCode.h:
3203         (JSC::makeSource):
3204         * parser/SourceProvider.cpp:
3205         (JSC::SourceProvider::SourceProvider):
3206         * parser/SourceProvider.h:
3207         (JSC::SourceProvider::sourceOrigin):
3208         (JSC::StringSourceProvider::create):
3209         (JSC::StringSourceProvider::StringSourceProvider):
3210         (JSC::WebAssemblySourceProvider::create):
3211         (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
3212         * runtime/FunctionConstructor.cpp:
3213         (JSC::constructFunction):
3214         (JSC::constructFunctionSkippingEvalEnabledCheck):
3215         * runtime/FunctionConstructor.h:
3216         * runtime/JSGlobalObjectFunctions.cpp:
3217         (JSC::globalFuncEval):
3218         * runtime/ModuleLoaderPrototype.cpp:
3219         (JSC::moduleLoaderPrototypeParseModule):
3220         * runtime/ScriptExecutable.h:
3221         (JSC::ScriptExecutable::sourceOrigin):
3222         * runtime/SourceOrigin.h: Added.
3223         (JSC::SourceOrigin::SourceOrigin):
3224         (JSC::SourceOrigin::string):
3225         (JSC::SourceOrigin::isNull):
3226         * tools/FunctionOverrides.cpp:
3227         (JSC::initializeOverrideInfo):
3228
3229 2016-12-24  Caio Lima  <ticaiolima@gmail.com>
3230
3231         [test262] Fixing mapped arguments object property test case
3232         https://bugs.webkit.org/show_bug.cgi?id=159398
3233
3234         Reviewed by Saam Barati.
3235
3236         This patch changes GenericArguments' override mechanism to
3237         implement correct behavior on ECMAScript test262 suite test cases of
3238         mapped arguments object with non-configurable and non-writable
3239         property. Also it is ensuring that arguments[i]
3240         cannot be deleted when argument "i" is {configurable: false}.
3241         
3242         The previous implementation is against the specification for 2 reasons:
3243
3244         1. Every argument in the arguments object is {writable: true} by default
3245            (http://www.ecma-international.org/ecma-262/7.0/index.html#sec-createunmappedargumentsobject).
3246            It means that we have to stop mapping a defined property index
3247            if the new property descriptor contains writable (i.e. writable is
3248            present) and its value is false (also check
3249            https://tc39.github.io/ecma262/#sec-arguments-exotic-objects-defineownproperty-p-desc).
3250            The previous implementation considers {writable: false} if writable is
3251            not present.
3252
3253         2. When a property is overridden, the "delete" operation always returns true. However,
3254            delete operations should follow the specification.
3255
3256         We created an auxiliary boolean array named m_modifiedArgumentsDescriptor
3257         to store which arguments[i] descriptor was changed from its default
3258         property descriptor. This modification was necessary because m_overrides
3259         was responsible for keeping this information at the same time
3260         as keeping information about arguments mapping. The problem of this approach was
3261         that we needed to call overridesArgument(i) as soon as the ith argument's property
3262         descriptor was changed, and it stops the argument's mapping as a side effect, producing
3263         wrong behavior.
3264         To keep tracking arguments mapping status, we renamed DirectArguments::m_overrides to
3265         DirectArguments::m_mappedArguments and now it is responsible for managing whether an
3266         argument[i] is mapped or not.
3267         With these 2 structures, it is now possible for an argument[i] to have its property 
3268         descriptor modified and not stop the mapping as soon as it happens. One example
3269         of that wrong behavior can be found in the arguments-bizarre-behaviour-disable-enumerability
3270         test case, which is now fixed by this new mechanism.
3271
3272         * bytecode/PolymorphicAccess.cpp:
3273         (JSC::AccessCase::generateWithGuard):
3274         * dfg/DFGSpeculativeJIT.cpp:
3275         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
3276         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
3277         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
3278         * ftl/FTLAbstractHeapRepository.h:
3279         * ftl/FTLLowerDFGToB3.cpp:
3280         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
3281         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
3282         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
3283         * jit/JITOperations.cpp:
3284         (JSC::canAccessArgumentIndexQuickly):
3285         * jit/JITPropertyAccess.cpp:
3286         (JSC::JIT::emitDirectArgumentsGetByVal):
3287         * runtime/DirectArguments.cpp:
3288         (JSC::DirectArguments::estimatedSize):
3289         (JSC::DirectArguments::visitChildren):
3290         (JSC::DirectArguments::overrideThings):
3291         (JSC::DirectArguments::overrideThingsIfNecessary):
3292         (JSC::DirectArguments::unmapArgument):
3293         (JSC::DirectArguments::copyToArguments):
3294         (JSC::DirectArguments::overridesSize):
3295         (JSC::DirectArguments::overrideArgument): Deleted.
3296         * runtime/DirectArguments.h:
3297         (JSC::DirectArguments::length):
3298         (JSC::DirectArguments::isMappedArgument):
3299         (JSC::DirectArguments::isMappedArgumentInDFG):
3300         (JSC::DirectArguments::getIndexQuickly):
3301         (JSC::DirectArguments::setIndexQuickly):
3302         (JSC::DirectArguments::overrodeThings):
3303         (JSC::DirectArguments::initModifiedArgumentsDescriptorIfNecessary):
3304         (JSC::DirectArguments::setModifiedArgumentDescriptor):
3305         (JSC::DirectArguments::isModifiedArgumentDescriptor):
3306         (JSC::DirectArguments::offsetOfMappedArguments):
3307         (JSC::DirectArguments::offsetOfModifiedArgumentsDescriptor):
3308         (JSC::DirectArguments::canAccessIndexQuickly): Deleted.
3309         (JSC::DirectArguments::canAccessArgumentIndexQuicklyInDFG): Deleted.
3310         (JSC::DirectArguments::offsetOfOverrides): Deleted.
3311         * runtime/GenericArguments.h:
3312         * runtime/GenericArgumentsInlines.h:
3313         (JSC::GenericArguments<Type>::visitChildren):
3314         (JSC::GenericArguments<Type>::getOwnPropertySlot):
3315         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
3316         (JSC::GenericArguments<Type>::getOwnPropertyNames):
3317         (JSC::GenericArguments<Type>::put):
3318         (JSC::GenericArguments<Type>::putByIndex):
3319         (JSC::GenericArguments<Type>::deleteProperty):
3320         (JSC::GenericArguments<Type>::deletePropertyByIndex):
3321         (JSC::GenericArguments<Type>::defineOwnProperty):
3322         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
3323         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptorIfNecessary):
3324         (JSC::GenericArguments<Type>::setModifiedArgumentDescriptor):
3325         (JSC::GenericArguments<Type>::isModifiedArgumentDescriptor):
3326         (JSC::GenericArguments<Type>::copyToArguments):
3327         * runtime/ScopedArguments.cpp:
3328         (JSC::ScopedArguments::visitChildren):
3329         (JSC::ScopedArguments::unmapArgument):
3330         (JSC::ScopedArguments::overrideArgument): Deleted.
3331         * runtime/ScopedArguments.h:
3332         (JSC::ScopedArguments::isMappedArgument):
3333         (JSC::ScopedArguments::isMappedArgumentInDFG):
3334         (JSC::ScopedArguments::getIndexQuickly):
3335         (JSC::ScopedArguments::setIndexQuickly):
3336         (JSC::ScopedArguments::initModifiedArgumentsDescriptorIfNecessary):
3337         (JSC::ScopedArguments::setModifiedArgumentDescriptor):
3338         (JSC::ScopedArguments::isModifiedArgumentDescriptor):
3339         (JSC::ScopedArguments::canAccessIndexQuickly): Deleted.
3340         (JSC::ScopedArguments::canAccessArgumentIndexQuicklyInDFG): Deleted.
3341
3342 2016-12-23  Mark Lam  <mark.lam@apple.com>
3343
3344         Using Option::breakOnThrow() shouldn't crash while printing a null CodeBlock.
3345         https://bugs.webkit.org/show_bug.cgi?id=166466
3346
3347         Reviewed by Keith Miller.
3348
3349         * runtime/VM.cpp:
3350         (JSC::VM::throwException):
3351
3352 2016-12-23  Mark Lam  <mark.lam@apple.com>
3353
3354         Enhance LLInt tracing to dump the codeBlock signature instead of just a pointer where appropriate.
3355         https://bugs.webkit.org/show_bug.cgi?id=166465
3356
3357         Reviewed by Keith Miller.
3358
3359         * llint/LLIntSlowPaths.cpp:
3360         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3361         (JSC::LLInt::traceFunctionPrologue):
3362
3363 2016-12-23  Keith Miller  <keith_miller@apple.com>
3364
3365         WebAssembly: trap on bad division.
3366         https://bugs.webkit.org/show_bug.cgi?id=164786
3367
3368         Reviewed by Mark Lam.
3369
3370         This patch adds traps for division / modulo by zero and for
3371         division by int_min / -1.
3372
3373         * wasm/WasmB3IRGenerator.cpp:
3374         (JSC::Wasm::B3IRGenerator::emitChecksForModOrDiv):
3375         * wasm/WasmExceptionType.h:
3376         * wasm/WasmPlan.cpp:
3377         (JSC::Wasm::Plan::run):
3378         * wasm/wasm.json:
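
The traps described above, as an added C++ example that is not JSC's emitChecksForModOrDiv: each function performs the checks WebAssembly requires before a native divide instruction may run, returning a Trap instead of the undefined behaviour (and, on x86, the #DE fault) that C++ and the hardware produce for these inputs. The Trap and result types are hypothetical.

```cpp
#include <cstdint>

// Hypothetical trap kinds, mirroring what a wasm runtime must report.
enum class Trap { None, DivisionByZero, IntegerOverflow };

struct I32Result { Trap trap; int32_t value; };
struct U32Result { Trap trap; uint32_t value; };

// i32.div_s: traps on rhs == 0 and on INT32_MIN / -1, whose mathematical
// result 2^31 is not representable. Both are undefined behaviour in C++ and
// both fault (#DE) in the x86 idiv instruction, so they are filtered first.
I32Result i32DivS(int32_t lhs, int32_t rhs)
{
    if (rhs == 0)
        return { Trap::DivisionByZero, 0 };
    if (lhs == INT32_MIN && rhs == -1)
        return { Trap::IntegerOverflow, 0 };
    return { Trap::None, lhs / rhs };
}

// i32.rem_s: traps only on rhs == 0. The wasm spec defines INT32_MIN rem -1
// as 0, but the native instruction still faults on it, so the divisor -1 is
// answered directly rather than handed to the hardware.
I32Result i32RemS(int32_t lhs, int32_t rhs)
{
    if (rhs == 0)
        return { Trap::DivisionByZero, 0 };
    if (rhs == -1)
        return { Trap::None, 0 };               // covers INT32_MIN rem -1 too
    return { Trap::None, lhs % rhs };
}

// Unsigned division only has the zero-divisor case to guard.
U32Result i32DivU(uint32_t lhs, uint32_t rhs)
{
    if (rhs == 0)
        return { Trap::DivisionByZero, 0 };
    return { Trap::None, lhs / rhs };
}

U32Result i32RemU(uint32_t lhs, uint32_t rhs)
{
    if (rhs == 0)
        return { Trap::DivisionByZero, 0 };
    return { Trap::None, lhs % rhs };
}
```

Without the second check in i32DivS, an attacker-controlled module computing INT32_MIN / -1 would take down the embedding process with a hardware fault instead of raising a trap the JS caller can observe; the checks are what turns the fault into a catchable exception.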
3379
3380 2016-12-23  Mark Lam  <mark.lam@apple.com>
3381
3382         Fix broken LLINT_SLOW_PATH_TRACING build.
3383         https://bugs.webkit.org/show_bug.cgi?id=166463
3384
3385         Reviewed by Keith Miller.
3386
3387         * llint/LLIntExceptions.cpp:
3388         (JSC::LLInt::returnToThrow):
3389         (JSC::LLInt::callToThrow):
3390         * runtime/CommonSlowPathsExceptions.cpp:
3391         (JSC::CommonSlowPaths::interpreterThrowInCaller):
3392
3393 2016-12-22  Keith Miller  <keith_miller@apple.com>
3394
3395         WebAssembly: Make spec-tests/f32.wast.js and spec-tests/f64.wast.js pass
3396         https://bugs.webkit.org/show_bug.cgi?id=166447
3397
3398         Reviewed by Saam Barati.
3399
3400         We needed to treat -0.0 < 0.0 for floating point min/max. For min,
3401         the algorithm works because if a == b then a and b are not NaNs so
3402         either they are the same or they are some zero. When we or a and b
3403         either we get the same number back or we get -0.0. Similarly for
3404         max we use an and and the sign bit gets dropped if one is 0.0 and
3405         the other is -0.0, otherwise, we get the same number back.
3406
3407         * wasm/wasm.json:
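
The -0.0 / +0.0 reasoning above, carried through as an added C++ example (not the code JSC emits from wasm.json): when the two operands compare equal they are either the same value or a pair of zeros, so ORing the bit patterns makes a negative zero win for min and ANDing them drops the sign bit for max; NaN is handled up front as the spec requires. A naive comparison-only min is included to show the failure it fixes.

```cpp
#include <cmath>
#include <cstdint>
#include <cstring>
#include <limits>

static uint64_t bitsOf(double d)
{
    uint64_t bits;
    std::memcpy(&bits, &d, sizeof bits);
    return bits;
}

static double fromBits(uint64_t bits)
{
    double d;
    std::memcpy(&d, &bits, sizeof d);
    return d;
}

// wasm f64.min: NaN propagates; equal operands (including -0.0 == 0.0) are
// merged with a bitwise OR so the sign bit survives if either is negative.
double wasmF64Min(double a, double b)
{
    if (std::isnan(a) || std::isnan(b))
        return std::numeric_limits<double>::quiet_NaN();
    if (a == b)
        return fromBits(bitsOf(a) | bitsOf(b));
    return a < b ? a : b;
}

// wasm f64.max: the mirror image; a bitwise AND clears the sign bit when
// exactly one operand is -0.0 and leaves identical values unchanged.
double wasmF64Max(double a, double b)
{
    if (std::isnan(a) || std::isnan(b))
        return std::numeric_limits<double>::quiet_NaN();
    if (a == b)
        return fromBits(bitsOf(a) & bitsOf(b));
    return a > b ? a : b;
}

// Distinguishes -0.0 from +0.0, which == cannot do.
bool isNegativeZero(double d)
{
    return d == 0.0 && std::signbit(d);
}

// Comparison-only formulation kept for contrast: whenever the operands compare
// equal it returns the second one, so naiveMin(-0.0, 0.0) yields +0.0.
double naiveMin(double a, double b)
{
    return a < b ? a : b;
}
```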
3408
3409 2016-12-22  Saam Barati  <sbarati@apple.com>
3410
3411         WebAssembly: Make calling Wasm functions that return or take an i64 as a parameter an early exception
3412         https://bugs.webkit.org/show_bug.cgi?id=166437
3413         <rdar://problem/29793949>
3414
3415         Reviewed by Keith Miller.
3416
3417         This patch makes it so that we throw an exception before we do
3418         anything else if we call a wasm function that either takes an
3419         i64 as an argument or returns an i64.
3420
3421         * wasm/js/WebAssemblyFunction.cpp:
3422         (JSC::callWebAssemblyFunction):
3423         (JSC::WebAssemblyFunction::WebAssemblyFunction):
3424         (JSC::WebAssemblyFunction::call): Deleted.
3425         * wasm/js/WebAssemblyFunction.h:
3426         (JSC::WebAssemblyFunction::signatureIndex):
3427         (JSC::WebAssemblyFunction::jsEntrypoint):
3428
3429 2016-12-22  Keith Miller  <keith_miller@apple.com>
3430
3431         Add BitOr for floating points to B3
3432         https://bugs.webkit.org/show_bug.cgi?id=166446
3433
3434         Reviewed by Saam Barati.
3435
3436         This patch does some slight refactoring to the ARM assembler,
3437         which groups all the vector floating point instructions together.
3438
3439         * assembler/ARM64Assembler.h:
3440         (JSC::ARM64Assembler::vand):
3441         (JSC::ARM64Assembler::vorr):
3442         (JSC::ARM64Assembler::vectorDataProcessingLogical):
3443         (JSC::ARM64Assembler::vectorDataProcessing2Source): Deleted.
3444         * assembler/MacroAssemblerARM64.h:
3445         (JSC::MacroAssemblerARM64::orDouble):
3446         (JSC::MacroAssemblerARM64::orFloat):
3447         * assembler/MacroAssemblerX86Common.h:
3448         (JSC::MacroAssemblerX86Common::orDouble):
3449         (JSC::MacroAssemblerX86Common::orFloat):
3450         * assembler/X86Assembler.h:
3451         (JSC::X86Assembler::orps_rr):
3452         * b3/B3ConstDoubleValue.cpp:
3453         (JSC::B3::ConstDoubleValue::bitOrConstant):
3454         (JSC::B3::ConstDoubleValue::bitXorConstant):
3455         * b3/B3ConstDoubleValue.h:
3456         * b3/B3ConstFloatValue.cpp:
3457         (JSC::B3::ConstFloatValue::bitOrConstant):
3458         (JSC::B3::ConstFloatValue::bitXorConstant):
3459         * b3/B3ConstFloatValue.h:
3460         * b3/B3LowerToAir.cpp:
3461         (JSC::B3::Air::LowerToAir::lower):
3462         * b3/B3Validate.cpp:
3463         * b3/air/AirInstInlines.h:
3464         (JSC::B3::Air::Inst::shouldTryAliasingDef):
3465         * b3/air/AirOpcode.opcodes:
3466         * b3/testb3.cpp:
3467         (JSC::B3::bitOrDouble):
3468         (JSC::B3::testBitOrArgDouble):
3469         (JSC::B3::testBitOrArgsDouble):
3470         (JSC::B3::testBitOrArgImmDouble):
3471         (JSC::B3::testBitOrImmsDouble):
3472         (JSC::B3::bitOrFloat):
3473         (JSC::B3::testBitOrArgFloat):
3474         (JSC::B3::testBitOrArgsFloat):
3475         (JSC::B3::testBitOrArgImmFloat):
3476         (JSC::B3::testBitOrImmsFloat):
3477         (JSC::B3::testBitOrArgsFloatWithUselessDoubleConversion):
3478         (JSC::B3::run):
3479
3480 2016-12-22  Mark Lam  <mark.lam@apple.com>
3481
3482         BytecodeGenerator::m_finallyDepth should be unsigned.
3483         https://bugs.webkit.org/show_bug.cgi?id=166438
3484
3485         Reviewed by Saam Barati.
3486
3487         Also removed FinallyContext::m_finallyDepth because it is not used.
3488
3489         * bytecompiler/BytecodeGenerator.cpp:
3490         (JSC::BytecodeGenerator::pushFinallyControlFlowScope):
3491         (JSC::BytecodeGenerator::labelScopeDepth):
3492         * bytecompiler/BytecodeGenerator.h:
3493         (JSC::FinallyContext::FinallyContext):
3494         (JSC::FinallyContext::finallyLabel):
3495         (JSC::FinallyContext::depth): Deleted.
3496
3497 2016-12-22  Mark Lam  <mark.lam@apple.com>
3498
3499         De-duplicate finally blocks.
3500         https://bugs.webkit.org/show_bug.cgi?id=160168
3501
3502         Reviewed by Saam Barati.
3503
3504         JS execution can arrive at a finally block when there are abrupt completions from
3505         its try or catch block.  The abrupt completion types include Break,
3506         Continue, Return, and Throw.  The non-abrupt completion type is called Normal
3507         (i.e. the case of a try block falling through to the finally block).
3508
3509         Previously, we enabled each of these paths for abrupt completion (except for Throw)
3510         to run the finally block code by duplicating the finally block code at each of
3511         the sites that trigger those completions.  This patch fixes the implementation so
3512         that each of these abrupt completions will set a completionTypeRegister (plus a
3513         completionValueRegister for CompletionType::Return) and then jump to the
3514         relevant finally blocks, and continue to thread through subsequent outer finally
3515         blocks until execution reaches the outermost finally block that the completion
3516         type dictates.  We no longer duplicate the finally block code.
3517
3518         The implementation details:
3519         1. We allocate a pair of registers (completionTypeRegister and completionValueRegister)
3520            just before entering the outermost try-catch-finally scope.
3521
3522            On allocating the registers, we initialize the completionTypeRegister to
3523            CompletionType::Normal, and set the completionValueRegister to the empty
3524            JSValue.
3525
3526         2. The completionTypeRegister will hold a CompletionType value.  This is how we
3527            encode the CompletionType value to be set:
3528
3529            a. For Normal, Return, and Throw completion types: 
3530               - The completionTypeRegister is set to CompletionType::Normal,
3531                 CompletionType::Return, and CompletionType::Throw respectively.
3532
3533            b. For Break and Continue completion types:
3534               - The completionTypeRegister is set to a unique jumpID where the jumpID is
3535                 computed as:
3536
3537                 jumpID = CompletionType::NumberOfTypes + bytecodeOffset
3538
3539                 The bytecodeOffset used here is the bytecodeOffset of the break or continue
3540                 statement that triggered this completion.
3541
3542         3. Each finally block will have 2 entries:
3543            a. the catch entry.
3544            b. the normal entry.
3545
3546            The catch entry is recorded in the codeBlock's exception handler table,
3547            and can only be jumped to by the VM's exception handling mechanism.
3548
           The normal entry is recorded in a FinallyContext (at bytecode generation time
           only) and is jumped to when we want to enter the finally block due to any of the
           other CompletionTypes.
3552
        4. How does each completion type work?
3554
3555            CompletionType::Normal
3556            ======================
3557            We normally encounter this when falling through from a try or catch block to
3558            the finally block.  
3559           
3560            For the try block case, since completionTypeRegister is set to Normal by default,
3561            there's nothing more that needs to be done.
3562
3563            For the catch block case, since we entered the catch block with an exception,
3564            completionTypeRegister may be set to Throw.  We'll need to set it to Normal
3565            before jumping to the finally block's normal entry.
3566
3567            CompletionType::Break
3568            =====================
3569            When we emit bytecode for the BreakNode, we check if we have any FinallyContexts
3570            that we need to service before jumping to the breakTarget.  If we don't, then
3571            emit op_jump to the breakTarget as usual.  Otherwise:
3572
3573            a. we'll register a jumpID and the breakTarget with the FinallyContext for the
3574               outermost finally block that we're supposed to run through.
3575            b. we'll also increment the numberOfBreaksOrContinues count in each FinallyContext
3576               from the innermost to the one for that outermost finally block.
3577            c. emit bytecode to set the completionTypeRegister to the jumpID.
3578            d. emit bytecode to jump to the normal entry of the innermost finally block.
3579
3580            Each finally block will take care of cascading to the next outer finally block
3581            as needed (see (5) below).
3582
3583            CompletionType::Continue
3584            ========================
3585            Since continues and breaks work the same way (i.e. with a jump), we handle this
3586            exactly the same way as CompletionType::Break, except that we use the
3587            continueTarget instead of the breakTarget.
3588
3589            CompletionType::Return
3590            ======================
3591            When we emit bytecode for the ReturnNode, we check if we have any FinallyContexts
3592            at all on the m_controlFlowScopeStack.  If we don't, then emit op_ret as usual.
3593            Otherwise:
3594
3595            a. emit bytecode to set the completionTypeRegister to CompletionType::Return.
3596            b. emit bytecode to move the return value into the completionValueRegister.
3597            c. emit bytecode to jump to the normal entry of the innermost finally block.
3598
3599            Each finally block will take care of cascading to the next outer finally block
3600            as needed (see (5) below).
3601
3602            CompletionType::Throw
3603            ======================
           At the catch entry of a finally block, we:
3605            1. emit an op_catch that stores the caught Exception object in the
3606               completionValueRegister.
3607            2. emit bytecode to set the completionTypeRegister to CompletionType::Throw.
3608            3. Fall through or jump to the finally block's normal entry.
3609
3610         5. What happens in each finally block?
3611            ==================================
3612            For details on the finally block's catch entry, see "CompletionType::Throw" in
3613            (4) above.
3614
3615            The finally block's normal entry will:
3616            1. restore the scope of the finally block.
3617            2. save the completionTypeRegister in a savedCompletionTypeRegister.
3618            3. proceed to execute the body of the finally block.
3619
           At the end of the finally block, we will emit bytecode to check the
           savedCompletionTypeRegister for each completion type (see emitFinallyCompletion())
           in the following order:
3623           
3624            a. Check for CompletionType::Normal
3625               ================================
              If savedCompletionTypeRegister is CompletionType::Normal, jump to the
              designated normalCompletion label.  We only need this check if this finally
              block also needs to check for Break, Continue, or Return.  If not, the
              completion type check for CompletionType::Throw below will make this check
              redundant.
3631
3632            b. Check for CompletionType::Break and Continue
3633               ============================================
3634               If the FinallyContext for this block has registered FinallyJumps, we'll
3635               check the jumpIDs against the savedCompletionTypeRegister.  If the jumpID
3636               matches, jump to the corresponding jumpTarget.
3637
3638               If no jumpIDs match but the FinallyContext's numberOfBreaksOrContinues is
3639               greater than the number of registered FinallyJumps, then this means that
3640               we have a Break or Continue that needs to be handled by an outer finally
3641               block.  In that case, jump to the next outer finally block's normal entry.
3642              
3643            c. Check for CompletionType::Return
3644               ================================
3645               If this finally block is not the outermost and the savedCompletionTypeRegister
3646               is set to CompletionType::Return, then jump to the next outer finally
3647               block's normal entry.
3648
3649               Otherwise, if this finally block is the outermost and the savedCompletionTypeRegister
3650               is set to CompletionType::Return, then execute op_ret and return the value
3651               in the completionValueRegister.
3652
3653            d. CompletionType::Throw
3654               =====================
3655               If savedCompletionTypeRegister is CompletionType::Throw, then just re-throw the
3656               Exception object in the completionValueRegister.
3657
           Detail 1: note that we check the savedCompletionTypeRegister (and not the
           completionTypeRegister).  This is because the finally block may itself contain
           a try-finally, and this inner try-finally may have trashed the completionTypeRegister.
           Here's an example:
3662
3663                try {
3664                    return "r1"; // Sets completionTypeRegister to CompletionType::Return;
3665                } finally {
3666                    // completionTypeRegister is CompletionType::Return here.
3667
3668                    try {
3669                        ... // do stuff.
3670                    } finally {
3671                        ... // do more stuff.
3672                    }
3673
3674                    // completionTypeRegister may be anything here depending on what
3675                    // was executed in the inner try-finally block above.
3676
3677                    // Hence, finally completion here must be based on a saved copy of the
3678                    // completionTypeRegister when we entered this finally block.
3679                }
3680
3681            Detail 2: the finally completion for CompletionType::Throw must always explicitly
3682            check if the savedCompletionTypeRegister is CompletionType::Throw before throwing.
3683            We cannot imply that it is so from the Throw case being last.  Here's why:
3684
3685                // completionTypeRegister is CompletionType::Normal here.
3686                try {
3687                    return "r1"; // Sets completionTypeRegister to CompletionType::Return;
3688                } finally {
3689                    // completionTypeRegister is CompletionType::Return here.
3690
3691                    try {
3692                        ... // do stuff.  No abrupt completions.
3693                    } finally {
3694                        // completionTypeRegister is CompletionType::Return here (from the outer try-finally).
3695                        // savedCompletionTypeRegister is set to completionTypeRegister (i.e. CompletionType::Return) here.
3696
3697                        ... // do more stuff.  No abrupt completions.
3698
3699                        // Unless there's an abrupt completion since entering the outer
3700                        // finally block, the savedCompletionTypeRegister will remain set
3701                        // to CompletionType::Return.  If we don't explicitly check if the
3702                        // savedCompletionTypeRegister is CompletionType::Throw before
3703                        // throwing here, we'll end up erroneously throwing "r1".
3704                    }
3705
3706                    ...
3707                }
3708
3709         6. restoreScopeRegister()
3710        
3711            Since the needed scope objects are always stored in a local, we can restore
3712            the scope register by simply moving from that local instead of going through
3713            op_get_parent_scope.
3714
3715         7. m_controlFlowScopeStack needs to be a SegmentedVector instead of a Vector.
3716            This makes it easier to keep a pointer to the FinallyContext on that stack,
3717            and not have to worry about the vector being realloc'ed due to resizing. 
3718
3719         Performance appears to be neutral both on ES6SampleBench (run via cli) and the
3720         JSC benchmarks.
3721
3722         Relevant spec references:
3723         https://tc39.github.io/ecma262/#sec-completion-record-specification-type
3724         https://tc39.github.io/ecma262/#sec-try-statement-runtime-semantics-evaluation
3725
3726         * bytecode/HandlerInfo.h:
3727         (JSC::HandlerInfoBase::typeName):
3728         * bytecompiler/BytecodeGenerator.cpp:
3729         (JSC::BytecodeGenerator::generate):
3730         (JSC::BytecodeGenerator::BytecodeGenerator):
3731         (JSC::BytecodeGenerator::emitReturn):
3732         (JSC::BytecodeGenerator::pushFinallyControlFlowScope):
3733         (JSC::BytecodeGenerator::popFinallyControlFlowScope):
3734         (JSC::BytecodeGenerator::allocateAndEmitScope):
3735         (JSC::BytecodeGenerator::pushTry):
3736         (JSC::BytecodeGenerator::popTry):
3737         (JSC::BytecodeGenerator::emitCatch):
3738         (JSC::BytecodeGenerator::restoreScopeRegister):
3739         (JSC::BytecodeGenerator::labelScopeDepthToLexicalScopeIndex):
3740         (JSC::BytecodeGenerator::labelScopeDepth):
3741         (JSC::BytecodeGenerator::pushLocalControlFlowScope):
3742         (JSC::BytecodeGenerator::popLocalControlFlowScope):
3743         (JSC::BytecodeGenerator::emitEnumeration):
3744         (JSC::BytecodeGenerator::emitIsNumber):
3745         (JSC::BytecodeGenerator::emitYield):
3746         (JSC::BytecodeGenerator::emitDelegateYield):
3747         (JSC::BytecodeGenerator::emitJumpViaFinallyIfNeeded):
3748         (JSC::BytecodeGenerator::emitReturnViaFinallyIfNeeded):
3749         (JSC::BytecodeGenerator::emitFinallyCompletion):
3750         (JSC::BytecodeGenerator::allocateCompletionRecordRegisters):
3751         (JSC::BytecodeGenerator::releaseCompletionRecordRegisters):
3752         (JSC::BytecodeGenerator::emitJumpIf):
3753         (JSC::BytecodeGenerator::pushIteratorCloseControlFlowScope): Deleted.
3754         (JSC::BytecodeGenerator::popIteratorCloseControlFlowScope): Deleted.
3755         (JSC::BytecodeGenerator::emitComplexPopScopes): Deleted.
3756         (JSC::BytecodeGenerator::emitPopScopes): Deleted.
3757         (JSC::BytecodeGenerator::popTryAndEmitCatch): Deleted.
3758         * bytecompiler/BytecodeGenerator.h:
3759         (JSC::bytecodeOffsetToJumpID):
3760         (JSC::FinallyJump::FinallyJump):
3761         (JSC::FinallyContext::FinallyContext):
3762         (JSC::FinallyContext::outerContext):
3763         (JSC::Final