SharedArrayBuffer plus WebGL should not equal CRASH
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-01-23  Filip Pizlo  <fpizlo@apple.com>

        SharedArrayBuffer plus WebGL should not equal CRASH
        https://bugs.webkit.org/show_bug.cgi?id=167329

        Reviewed by Saam Barati.

        DOM unwrapping methods should return null rather than crashing. The code expects an
        unshared buffer, so we should return null when it's shared. The caller can then decide
        if they like null or not.

        * runtime/JSArrayBufferViewInlines.h:
        (JSC::JSArrayBufferView::toWrapped):

2017-01-23  Mark Lam  <mark.lam@apple.com>

        ObjCCallbackFunction::destroy() should not use jsCast().
        https://bugs.webkit.org/show_bug.cgi?id=167322

        Reviewed by Filip Pizlo.

        Since r210829, it is no longer correct for object destructors to use jsCast().
        Fixed ObjCCallbackFunction::destroy() to use a static_cast instead.

        * API/ObjCCallbackFunction.mm:
        (JSC::ObjCCallbackFunction::destroy):

2017-01-23  Michael Saboff  <msaboff@apple.com>

        IntlObject uses JSArray::tryCreateUninitialized in an unsafe way
        https://bugs.webkit.org/show_bug.cgi?id=167288

        Reviewed by Filip Pizlo.

        Refactored the following "create" methods into a "tryCreate" method and a
        "create" wrapper: JSArray::create(), Butterfly::create() and
        createArrayButterfly().

        Changed IntlObject.cpp to use JSArray::tryCreate() as it is simpler to use
        by not requiring the caller to be GC savvy.  The performance benefits of
        tryCreateUninitialized() are not needed by the IntlObject C++ code.

        Did not add a new test as the bug caused LayoutTests/js/intl.html to fail
        reliably with the JSC option values scribbleFreeCells=true,
        collectContinuously=true and JSC_useGenerationalGC=false.

        * runtime/Butterfly.h:
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::tryCreate): Added.
        (JSC::Butterfly::create):
        * runtime/IntlObject.cpp:
        (JSC::canonicalizeLocaleList):
        (JSC::lookupSupportedLocales):
        (JSC::intlObjectFuncGetCanonicalLocales):
        * runtime/JSArray.h:
        (JSC::createContiguousArrayButterfly): Deleted.
        (JSC::tryCreateArrayButterfly): Added.
        (JSC::createArrayButterfly):
        (JSC::JSArray::tryCreate): Added.
        (JSC::JSArray::create):

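The tryCreate/create split described in the entry above, as an added example that is not JavaScriptCore's own code: a fallible `tryCreateArray` that returns nullptr instead of asserting, an infallible `createArray` wrapper for callers that cannot recover, and an Intl-style caller that turns failure into an error status. The storage is fully initialized before it is returned, which is the property the uninitialized variant leaves to the caller. The `JSArrayLike` type, the `kMaxArrayLength` limit, the `Status` enum and `buildLocaleList` are constructed for this example.

```cpp
// Added example (not JavaScriptCore's code): a "tryCreate" primitive plus a
// "create" wrapper, and a caller that prefers the fallible form.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <memory>
#include <vector>

// Constructed limit standing in for the engine's maximum array length.
constexpr std::size_t kMaxArrayLength = 1u << 20;

struct JSArrayLike {
    // Every slot is initialized before any other code can observe the object,
    // so a scanner that looks at it early never sees garbage.
    std::vector<std::int64_t> slots;
};

// tryCreate: the fallible primitive. Returns nullptr instead of asserting.
std::unique_ptr<JSArrayLike> tryCreateArray(std::size_t length) {
    if (length > kMaxArrayLength)
        return nullptr;
    auto array = std::make_unique<JSArrayLike>();
    array->slots.assign(length, 0); // zero-filled: safe to inspect at any time
    return array;
}

// create: the infallible wrapper. Callers that cannot handle failure get a
// deterministic abort rather than a null dereference or a half-built object.
std::unique_ptr<JSArrayLike> createArray(std::size_t length) {
    auto array = tryCreateArray(length);
    if (!array) {
        std::fprintf(stderr, "createArray: allocation of %zu slots failed\n", length);
        std::abort();
    }
    return array;
}

enum class Status { Ok, OutOfMemory };

// Intl-style caller (constructed): uses tryCreate and converts failure into a
// status the caller can turn into a thrown exception, never into a crash.
Status buildLocaleList(const std::vector<std::int64_t>& ids, std::unique_ptr<JSArrayLike>& out) {
    out = tryCreateArray(ids.size());
    if (!out)
        return Status::OutOfMemory;
    for (std::size_t i = 0; i < ids.size(); ++i)
        out->slots[i] = ids[i];
    return Status::Ok;
}

int main() {
    std::unique_ptr<JSArrayLike> list;
    Status status = buildLocaleList({7, 8, 9}, list);
    std::printf("status=%d length=%zu\n", static_cast<int>(status), list ? list->slots.size() : 0);
    std::unique_ptr<JSArrayLike> tooBig = tryCreateArray(kMaxArrayLength + 1);
    std::printf("oversize tryCreate returned %s\n", tooBig ? "an array" : "nullptr");
    return 0;
}
```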
2017-01-23  Joseph Pecoraro  <pecoraro@apple.com>

        JavaScriptCore has a weak external symbol in it
        https://bugs.webkit.org/show_bug.cgi?id=167282

        Reviewed by Yusuke Suzuki.

        * debugger/Debugger.cpp:
        (JSC::Debugger::ProfilingClient::~ProfilingClient):
        * debugger/Debugger.h:
        Avoid possible weak external symbol.

2017-01-21  Chris Dumez  <cdumez@apple.com>

        JavaScript for-of does not work on a lot of collection types (e.g. HTMLCollection)
        https://bugs.webkit.org/show_bug.cgi?id=167091

        Reviewed by Darin Adler.

        Update Array methods to throw a TypeError when (this === null || this === undefined)
        instead of when (this == null). This is because (this == null) returns true for types
        that masquerade as undefined (such as document.all) and this prevented use of the
        Array API on such types. The specification only says to use ToObject(), which throws
        when the input is undefined or null.

        The corresponding specification is at:
        - https://www.ecma-international.org/ecma-262/7.0/index.html#sec-array.prototype.values
        - https://www.ecma-international.org/ecma-262/7.0/index.html#sec-toobject

        * builtins/ArrayPrototype.js:
        (values):
        (keys):
        (entries):
        (reduce):
        (reduceRight):
        (every):
        (forEach):
        (filter):
        (map):
        (some):
        (fill):
        (find):
        (findIndex):
        (includes):
        (sort):
        (concatSlowPath):
        (copyWithin):

2017-01-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] export JSC::importModule API for WebCore dynamic import
        https://bugs.webkit.org/show_bug.cgi?id=167099

        Reviewed by Darin Adler.

        We newly expose JSC::importModule API. This can be used later
        from WebCore to implement WebCore side dynamic import.
        And JSC shell also uses this API.

        And this patch also cleans up module loader a bit:
        Dropping requestInstantiateAll.

        * builtins/BuiltinNames.h:
        * builtins/ModuleLoaderPrototype.js:
        (requestLink):
        (requestImportModule):
        (requestInstantiateAll): Deleted.
        (importModule): Deleted.
        * jsc.cpp:
        (GlobalObject::moduleLoaderImportModule):
        * runtime/Completion.cpp:
        (JSC::importModule):
        * runtime/Completion.h:
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::requestImportModule):
        * runtime/JSModuleLoader.h:
        * runtime/ModuleLoaderPrototype.cpp:

2017-01-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        dynamic import is ambiguous with import declaration at module code
        https://bugs.webkit.org/show_bug.cgi?id=167098

        Reviewed by Darin Adler.

        This patch fixes two syntax issues related to dynamic import.

        1. Fix member expression parsing with dynamic import results

        We should not return import expression immediately after parsing
        it in parseMemberExpression. This prevents us from parsing the following
        code,

            import("...").then(function () {
            });

        2. dynamic import with import declaration under the module context

        Before this patch, we always attempted to parse IMPORT as import declaration
        under the module context. It means that an import call in the top level
        expression statement fails to be parsed since the parser attempts to parse
        it as import declaration.

            import("...")  // module top level statement.

        In this patch, we check the condition `[lookahead != (]` before starting
        parsing import declaration. This allows us to put import call in the module
        top level statement.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseModuleSourceElements):
        (JSC::Parser<LexerType>::parseMemberExpression):

2017-01-20  Joseph Pecoraro  <pecoraro@apple.com>

        Remove outdated ENABLE(CSP_NEXT) build flag
        https://bugs.webkit.org/show_bug.cgi?id=167252

        Reviewed by Brent Fulgham.

        * Configurations/FeatureDefines.xcconfig:

2017-01-20  Saam Barati  <sbarati@apple.com>

        We should flash a safepoint before each DFG/FTL phase
        https://bugs.webkit.org/show_bug.cgi?id=167234

        Reviewed by Filip Pizlo.

        The recent GC changes caused us to regress Kraken because of a
        longstanding issue that happened to be hit with higher frequency because
        of a change in timing between when a particular GC was happening and
        when a particular FTL compilation was happening. The regression is caused
        by the GC waiting for a large function to make it through the DFG portion
        of an FTL compilation. This was taking 20ms-30ms and started happening during a
        particular test with much higher frequency.

        This means that anytime the GC waits for this compilation, the test ran at least
        ~20ms slower because while the GC waits for the compiler threads, the mutator is stopped.

        It's good that we have such an easily reproducible case of this performance
        issue because it will affect many real JS programs, especially ones with
        large functions that get hot.

        The most straightforward solution to fix this is to flash a safepoint before
        each phase, allowing the GC to suspend the compiler if needed. In my testing,
        this progresses Kraken in the browser, and doesn't regress anything else. This
        solution also makes the most sense. I did some analysis on the compilation time
        of this function that took ~20-30ms to pass through the DFG phases, and
        the phase times were mostly evenly distributed. Some took longer than others,
        but no phase was longer than 3ms. Most were in the 0.25ms to 1.5ms range.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGSafepoint.cpp:
        (JSC::DFG::Safepoint::begin):
        * runtime/Options.h:

2017-01-20  Skachkov Oleksandr  <gskachkov@gmail.com>

        Super property access in base class constructor doesn't work
        https://bugs.webkit.org/show_bug.cgi?id=166665

        Reviewed by Ryosuke Niwa.

        Allow the use of super inside of the constructor for classes
        without a parent class.
        The parser checks if super is used within the constructor and
        adds this information to the function metadata, and later it is used
        during bytecode generation.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ClassExprNode::emitBytecode):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseFunctionBody):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        * parser/Parser.h:
        (JSC::Scope::usesEval):
        (JSC::Scope::fillParametersForSourceProviderCache):
        (JSC::Scope::restoreFromSourceProviderCache):
        (JSC::Parser::adjustSuperBindingForBaseConstructor):
        * parser/SourceProviderCacheItem.h:
        (JSC::SourceProviderCacheItem::SourceProviderCacheItem):

2017-01-19  Chris Dumez  <cdumez@apple.com>

        iterable<> should be enabled on WK1
        https://bugs.webkit.org/show_bug.cgi?id=167221
        <rdar://problem/30108531>

        Reviewed by Youenn Fablet.

        * runtime/CommonIdentifiers.h:

2017-01-19  Filip Pizlo  <fpizlo@apple.com>

        Structure::pin() needs to be called while holding a lock
        https://bugs.webkit.org/show_bug.cgi?id=167220

        Reviewed by Saam Barati.

        Imagine this race: the mutator calls pin() and the collector calls visitChildren(),
        on the same Structure at the same time. In trunk pin() does not require a lock to be
        held and it doesn't grab any locks. Meanwhile visitChildren() grabs the lock, checks
        if the structure is pinned, and if not, it removes it by overwriting with zero. Now
        imagine how this plays out when pin() runs. Since pin() grabs no locks, it is
        irrelevant that visitChildren() grabs any locks. So, visitChildren() might check if
        the table is pinned before pin() pins it, and then clear the table after it was
        already pinned.

        The problem here is that pin() should be holding a lock. We could either make pin()
        grab that lock by itself, or, as this patch does, make the caller grab the lock.
        This is great because it means that sometimes we don't have to introduce any new
        locking.

        This fixes a materializePropertyTable() checkOffsetConsistency() crash that happens
        very rarely, but I was able to get it to reproduce with run-webkit-tests and
        aggressive GC settings.

        * runtime/ConcurrentJSLock.h:
        * runtime/Structure.cpp:
        (JSC::Structure::materializePropertyTable):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::pin):
        (JSC::Structure::pinForCaching):
        (JSC::Structure::add):
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::checkOffsetConsistency):
        (JSC::Structure::add):
        (JSC::Structure::addPropertyWithoutTransition):

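The locking discipline the entry above settles on, as an added example that is not JavaScriptCore's Structure code: `pin()` takes a reference to the caller's `std::lock_guard`, so the compiler enforces that whoever pins already holds the lock, and the collector's check-then-clear in `visitChildren()` runs under the same lock. Materializing the table and pinning it then happen in one critical section, so the collector observes either "no table" or "table and pinned", never the window in between. The toy `Structure`, its integer "property table", `materializeAndPin` and the two checking functions are constructed for this example.

```cpp
// Added example (not JavaScriptCore's code): a pin/visit protocol where the
// lock holder is passed as proof that the lock is held.
#include <cstdio>
#include <memory>
#include <mutex>
#include <utility>
#include <vector>

class Structure {
public:
    using Locker = std::lock_guard<std::mutex>;

    std::mutex& lock() { return m_lock; }

    // Caller must hold m_lock. The Locker parameter turns that from a
    // convention into a requirement: there is no way to call pin() without
    // having constructed a lock_guard on some mutex first.
    void pin(const Locker&) { m_pinned = true; }

    void setTable(const Locker&, std::vector<int> table) {
        m_table = std::make_unique<std::vector<int>>(std::move(table));
    }

    bool hasTable() const { return m_table != nullptr; }
    bool isPinned() const { return m_pinned; }

    // Collector side: the rebuildable table is dropped unless it was pinned.
    // Because pin() now happens under the same lock, this check cannot be
    // overtaken by a pin that lands between the test and the reset.
    void visitChildren() {
        Locker locker(m_lock);
        if (!m_pinned)
            m_table.reset();
    }

private:
    std::mutex m_lock;
    bool m_pinned = false;
    std::unique_ptr<std::vector<int>> m_table;
};

// Mutator side: materialize and pin in one critical section. The caller grabs
// the lock once and hands the guard to both operations; no extra locking is
// introduced inside pin() itself.
void materializeAndPin(Structure& structure) {
    Structure::Locker locker(structure.lock());
    structure.setTable(locker, {1, 2, 3});
    structure.pin(locker);
}

// A pinned table must survive a collector visit.
bool pinnedTableSurvivesVisit() {
    Structure structure;
    materializeAndPin(structure);
    structure.visitChildren();
    return structure.hasTable() && structure.isPinned();
}

// An unpinned table is fair game for the collector to clear.
bool unpinnedTableIsCleared() {
    Structure structure;
    {
        Structure::Locker locker(structure.lock());
        structure.setTable(locker, {1, 2, 3});
    }
    structure.visitChildren();
    return !structure.hasTable() && !structure.isPinned();
}

int main() {
    std::printf("pinned table survives visit: %s\n", pinnedTableSurvivesVisit() ? "yes" : "no");
    std::printf("unpinned table is cleared:   %s\n", unpinnedTableIsCleared() ? "yes" : "no");
    return 0;
}
```

The point of passing the guard by reference is that an unlocked call site no longer compiles; the race in the entry above could only exist because the old `pin()` had no such requirement.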
2017-01-19  Filip Pizlo  <fpizlo@apple.com>

        The mutator needs to fire a barrier after memmoving stuff around in an object that the GC scans
        https://bugs.webkit.org/show_bug.cgi?id=167208

        Reviewed by Saam Barati.

        It used to be that if you moved a value from one place to another in the same object
        then there is no need for a barrier because the generational GC would have no need to
        know that some old object still continues to refer to the same other old object.

        But the concurrent GC might scan that object as the mutator moves pointers around in
        it. If the ordering is right, this could mean that the collector never sees some of
        those pointers. This can be fixed by adding a barrier.

        This fixes the most obvious cases I found. There may be more and I'll continue to
        audit. Most of the other memmove users seem to already use some kind of synchronization
        to prevent this. For example, this can also be fixed by just holding the cell lock
        around the memmove since we're dealing with indexing storage and the GC reads that
        under the cell lock.

        * runtime/JSArray.cpp:
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithAnyIndexingType):

2017-01-19  Myles C. Maxfield  <mmaxfield@apple.com>

        [Cocoa] Variation fonts are erroneously disabled on iOS
        https://bugs.webkit.org/show_bug.cgi?id=167172

        Reviewed by Simon Fraser.

        OpenSource builders don't seem to understand sdk=embedded*.

        * Configurations/FeatureDefines.xcconfig:

2017-01-19  Skachkov Oleksandr  <gskachkov@gmail.com>

        "this" missing after await in async arrow function
        https://bugs.webkit.org/show_bug.cgi?id=166919

        Reviewed by NOBODY Saam Barati.

        This patch fixes an issue in async arrow functions. The issue appears because in an arrow
        function _this_ is loaded from the arrow function's virtual scope.
        An async arrow function can be suspended, and when resuming, _this_ from the
        virtual scope should be used; to allow this we load _this_ from the virtual scope before
        storing it to the generator.generatorThis property.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionNode::emitBytecode):

2017-01-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        [B3] B3 strength reduction could encounter Value without owner in PureCSE
        https://bugs.webkit.org/show_bug.cgi?id=167161

        Reviewed by Filip Pizlo.

        PureCSE relies on the fact that all the stored Values have an owner member.
        This assumption is broken when you execute specializeSelect in B3ReduceStrength phase.
        It clears owner of Values which are in between Select and Check to clone them to then/else
        blocks. If these cleared Values are already stored in PureCSE map, this map poses a Value
        with nullptr owner in PureCSE.

        This patch changes PureCSE to ignore stored Values that have nullptr owner. This even means
        that a client of PureCSE could deliberately null the owner if they wanted to signal the
        Value should be ignored.

        While PureCSE ignores a chance for optimization if Value's owner is nullptr, in the current
        strength reduction algorithm, this does not hurt optimization because CSE will be eventually
        applied since the strength reduction phase wants to reach a fixed point. But even without
        these iterations, our result itself is valid since PureCSE is allowed to be conservative.

        * b3/B3PureCSE.cpp:
        (JSC::B3::PureCSE::findMatch):
        (JSC::B3::PureCSE::process):
        * b3/testb3.cpp:
        (JSC::B3::testCheckSelectAndCSE):
        (JSC::B3::run):

2017-01-18  Filip Pizlo  <fpizlo@apple.com>

        JSSegmentedVariableObject and its subclasses should have a sane destruction story
        https://bugs.webkit.org/show_bug.cgi?id=167193

        Reviewed by Saam Barati.

        Prior to this change, JSSegmentedVariableObjects' subclasses install finalizers that call
        destroy. They did this in random ways, which sometimes resulted in
        JSSegmentedVariableObject::~JSSegmentedVariableObject executing more than once (which worked
        because of the way that ~SegmentedVector is written). Maybe this works now, but it's a disaster
        waiting to happen.

        Fortunately we can now just give those things their own Subspace and teach it its own protocol of
        destruction. This change introduces JSSegmentedVariableObjectSubspace and stashes an m_classInfo
        in JSSegmentedVariableObject. Now, subclasses of JSSegmentedVariableObject are destructible in
        much the same way as JSDestructibleObject without having to be subclasses of
        JSDestructibleObject.

        * API/JSCallbackObject.cpp:
        (JSC::JSCallbackObject<JSGlobalObject>::create):
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jsc.cpp:
        (GlobalObject::create):
        * runtime/JSGlobalLexicalEnvironment.h:
        (JSC::JSGlobalLexicalEnvironment::create):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::create):
        (JSC::JSGlobalObject::finishCreation):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::create): Deleted.
        (JSC::JSGlobalObject::finishCreation): Deleted.
        * runtime/JSSegmentedVariableObject.cpp:
        (JSC::JSSegmentedVariableObject::destroy):
        (JSC::JSSegmentedVariableObject::JSSegmentedVariableObject):
        (JSC::JSSegmentedVariableObject::~JSSegmentedVariableObject):
        (JSC::JSSegmentedVariableObject::finishCreation):
        * runtime/JSSegmentedVariableObject.h:
        (JSC::JSSegmentedVariableObject::subspaceFor):
        (JSC::JSSegmentedVariableObject::classInfo):
        (JSC::JSSegmentedVariableObject::JSSegmentedVariableObject): Deleted.
        (JSC::JSSegmentedVariableObject::finishCreation): Deleted.
        * runtime/JSSegmentedVariableObjectSubspace.cpp: Added.
        (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace):
        (JSC::JSSegmentedVariableObjectSubspace::~JSSegmentedVariableObjectSubspace):
        (JSC::JSSegmentedVariableObjectSubspace::finishSweep):
        (JSC::JSSegmentedVariableObjectSubspace::destroy):
        * runtime/JSSegmentedVariableObjectSubspace.h: Added.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * testRegExp.cpp:
        (GlobalObject::create):

2017-01-18  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: console.table only works for the first 5 properties
        https://bugs.webkit.org/show_bug.cgi?id=167175

        Reviewed by Timothy Hatcher.

        * inspector/InjectedScriptSource.js:
        (InjectedScript.prototype.wrapTable):
        (InjectedScript.RemoteObject.createObjectPreviewForValue):
        (InjectedScript.RemoteObject.prototype._appendPropertyPreviews):
        Pass through secondLevelKeys. Though the keys are themselves ignored, their
        existence is a signal that we should send more than the first 5 properties.

2017-01-18  Antti Koivisto  <antti@apple.com>

        Only delete source provider caches on full collection
        https://bugs.webkit.org/show_bug.cgi?id=167173

        Reviewed by Andreas Kling.

        They are currently often wiped and recreated during page loading due to eden collections.

        It is not clear that tying the lifetime of these caches to gc makes sense at all but this
        should at least help some.

        * heap/Heap.cpp:
        (JSC::Heap::deleteSourceProviderCaches):

2017-01-18  Filip Pizlo  <fpizlo@apple.com>

        JSObjectSetPrivate should not use jsCast<>
        rdar://problem/30069096

        Reviewed by Keith Miller.

        * API/JSObjectRef.cpp:
        (JSObjectSetPrivate):

2017-01-18  Brian Burg  <bburg@apple.com>

        Web Inspector: remove an unnecessary include in generated Objective-C Inspector protocol code
        https://bugs.webkit.org/show_bug.cgi?id=167156

        Rubber-stamped by Geoffrey Garen.

        * inspector/scripts/codegen/objc_generator_templates.py:
        This include of config.h doesn't make sense when using the code generator
        outside of JavaScriptCore/WebKit. It is not necessary either, so remove it.

        * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/generic/expected/enum-values.json-result:
        * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
        * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
        Rebaseline test results.

2017-01-18  Csaba Osztrogonác  <ossy@webkit.org>

        Fix the JSCOnly build after r210844
        https://bugs.webkit.org/show_bug.cgi?id=167155

        Unreviewed buildfix.

        * heap/EdenGCActivityCallback.cpp:

2017-01-16  Filip Pizlo  <fpizlo@apple.com>

        Make opaque root scanning truly constraint-based
        https://bugs.webkit.org/show_bug.cgi?id=165760

        Reviewed by Geoffrey Garen.

        We have bugs when visitChildren() changes its mind about what opaque root to add, since
        we don't have barriers on opaque roots. This supposedly once worked for generational GC,
        and I started adding more barriers to support concurrent GC. But I think that the real
        bug here is that we want the JSObject->OpaqueRoot to be evaluated as a constraint that
        participates in the fixpoint. I like to think of this as an *output* constraint, because it
        is concerned with outgoing edges in the heap from the object that registered the constraint.
        An *input* constraint is like what Weak<> does when deciding whether the thing it points to
        should be live.

        Whether or not an object has output constraints depends on its type. So, we want the GC to
        have a feature where we rapidly call some function on all marked objects of some type.

        It's easy to rapidly scan all marked objects in a MarkedBlock. So, we want to allocate all
        objects that have output constraints in their own MarkedBlocks and we want to track the set
        of MarkedBlocks with output constraints.

        This patch makes it easy to have clients of JSC's internal C++ APIs create a Subspace - like
        what we used to call MarkedSpace::Subspace but now it's in the JSC namespace - which is
        a collection of objects that you can easily scan during GC from a MarkingConstraint. It's
        now possible for internal C++ API clients to register their own MarkingConstraints. The DOM
        now uses this to create two Subspaces (more on why two below) and it calls
        JSCell::visitOutputConstraints() on all of the marked objects in those subspaces using a new
        MarkingConstraint. That MarkingConstraint uses a new style of volatility, called
        SeldomGreyed, which is like GreyedByExecution except it is opportunistically not executed
        as roots in the hopes that their sole execution will be the snapshot-at-the-end. I also
        converted the CodeBlock rescan constraint to SeldomGreyed, since that's also an output
        constraint.

        This patch also uses Subspace for something pretty obvious: knowing how to call the
        destructor. Subspaces can specialize the sweep for their way of invoking destructors. We
        have the following subspaces:

        - auxiliary
        - cell
        - destructibleCell - for JSCell subclasses that have destructors and StructureIsImmortal
        - stringSpace - inlines ~JSString into the sweep, making string allocation 7% faster
        - destructibleObjectSpace - for JSDestructibleObject subclasses

        And WebCore adds:

        - outputConstraint - for JSDOMObjects that have a visitAdditionalChildren
        - globalObjectOutputConstraint - for JSDOMGlobalObjects that have a visitAdditionalChildren,
          since JSDOMGlobalObjects are not JSDestructibleObjects

        The Subspace for a type is selected by saying JSC::subspaceFor<Type>(vm). This calls
        Type::subspaceFor<Type>(vm). This allows cell classes to override subspaceFor<> and it
        allows any subspaceFor<> implementation to query static flags in the type. This is how
        JSCell::subspaceFor<> can select either cellSpace or destructibleCellSpace.

        This patch is mostly about:

        - Moving MarkedSpace::Subspace out of MarkedSpace and making it a nice class with a nice
          API. Almost all of its functionality is just taken out of MarkedSpace.
        - Converting users of the old API for allocating objects and getting MarkedAllocators, like
          heap.allocatorForObjectWithoutDestructor() and its friends. That would now say
          vm.cellSpace.allocatorFor().

        Altogether, this means that we only have a small regression on Dromaeo. The regression is
        due to the fact that we scan output constraints. Before the Subspace optimizations (see
        r209766, which was rolled out in r209812), this regression on Dromaeo/jslib was 2x but after
        the optimizations in this patch it's only 1.12x. Note that Dromaeo/jslib creates gigabytes of
        DOM nodes. Compared to web pages, this is a very extreme synthetic microbenchmark. Still, we
        like optimizing these because we don't want to presume what web pages will look like.

        The use of Subspaces to specialize destructors happened not because it's super necessary but
        because I wanted to introduce a single unified way of communicating to the GC how to treat
        different types. Any Subspace feature that allowed us to collect some types together would
        have to be mindful of the destructorness of objects. I could have turned this into a
        liability where each Subspace has two subsubspaces - one for destructor objects and one for
        non-destructor objects, which would have allowed me to keep the old sweep specialization
        code. Just days prior, mlam wanted to do something that was hard because of that old sweep
        specializer, so I decided to take the opportunity to fix the sweep specializer while also
        making Subspace be the one true way of teaching the GC about types. To validate that this
        actually does things, I added a JSStringSubspace and a test that shows that this is a 7%
        string allocation progression.

        In bug 167066, I'm getting rid of the rest of the code in JSC that would special-case for
        JSDestructibleObject vs StructureIsImmortal by using the GC's DestructionMode. After that,
        Subspace will be the only mechanism by which JSC uses the GC to encode types.

        Prior to this change, having multiple MarkedSpace::Subspaces would have been expensive
        because they create a bunch of MarkedAllocators upfront. We now have the ability to create
        MarkedAllocators lazily. We create them on the first allocation from that size class or when
        a JIT asks for the MarkedAllocator. The concurrent JITs can ask for MarkedAllocators because
        their creation is under a lock.

        On my machine, this might be a 1.1% JetStream speed-up with 87% confidence and it might be
        a 0.4% PLT3 slow-down with 92% confidence. Note that 0.4% on PLT3 is the level of systematic
        error on PLT3 on my computer: I've seen definite 0.4% speed-ups and slow-downs that were not
        confirmed by any bot. Let's see what the bots say.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/ObjectAllocationProfile.h:
        (JSC::ObjectAllocationProfile::initialize):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::generateImpl):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
        (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
        (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
        (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
        (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
        * heap/AllocatorAttributes.h:
        (JSC::AllocatorAttributes::AllocatorAttributes):
        * heap/ConstraintVolatility.h: Added.
        (WTF::printInternal):
        * heap/GCActivityCallback.cpp:
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::lastChanceToFinalize):
        (JSC::Heap::markToFixpoint):
        (JSC::Heap::updateObjectCounts):
        (JSC::Heap::collectAllGarbage):
        (JSC::Heap::collectInThread):
        (JSC::Heap::stopTheWorld):
        (JSC::Heap::updateAllocationLimits):
        (JSC::Heap::bytesVisited):
        (JSC::Heap::addCoreConstraints):
        (JSC::Heap::addMarkingConstraint):
        (JSC::Heap::notifyIsSafeToCollect):
        (JSC::Heap::preventCollection):
        (JSC::Heap::allowCollection):
        (JSC::Heap::setMutatorShouldBeFenced):
        (JSC::Heap::buildConstraintSet): Deleted.
        (JSC::Heap::writeBarrierOpaqueRootSlow): Deleted.
        (JSC::Heap::addMutatorShouldBeFencedCache): Deleted.
        * heap/Heap.h:
        (JSC::Heap::mutatorExecutionVersion):
        (JSC::Heap::numOpaqueRoots):
        (JSC::Heap::vm): Deleted.
        (JSC::Heap::subspaceForObjectWithoutDestructor): Deleted.
        (JSC::Heap::subspaceForObjectDestructor): Deleted.
        (JSC::Heap::subspaceForAuxiliaryData): Deleted.
666         (JSC::Heap::allocatorForObjectWithoutDestructor): Deleted.
667         (JSC::Heap::allocatorForObjectWithDestructor): Deleted.
668         (JSC::Heap::allocatorForAuxiliaryData): Deleted.
669         * heap/HeapInlines.h:
670         (JSC::Heap::vm):
671         (JSC::Heap::allocateWithDestructor): Deleted.
672         (JSC::Heap::allocateWithoutDestructor): Deleted.
673         (JSC::Heap::allocateObjectOfType): Deleted.
674         (JSC::Heap::subspaceForObjectOfType): Deleted.
675         (JSC::Heap::allocatorForObjectOfType): Deleted.
676         (JSC::Heap::allocateAuxiliary): Deleted.
677         (JSC::Heap::tryAllocateAuxiliary): Deleted.
678         (JSC::Heap::tryReallocateAuxiliary): Deleted.
679         (JSC::Heap::ascribeOwner): Deleted.
680         (JSC::Heap::writeBarrierOpaqueRoot): Deleted.
681         * heap/LargeAllocation.cpp:
682         (JSC::LargeAllocation::tryCreate):
683         (JSC::LargeAllocation::LargeAllocation):
684         (JSC::LargeAllocation::~LargeAllocation):
685         (JSC::LargeAllocation::sweep):
686         * heap/LargeAllocation.h:
687         * heap/MarkedAllocator.cpp:
688         (JSC::MarkedAllocator::MarkedAllocator):
689         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
690         (JSC::MarkedAllocator::tryAllocateIn):
691         (JSC::MarkedAllocator::allocateSlowCaseImpl):
692         (JSC::MarkedAllocator::tryAllocateBlock):
693         (JSC::MarkedAllocator::shrink):
694         (JSC::MarkedAllocator::markedSpace):
695         * heap/MarkedAllocator.h:
696         (JSC::MarkedAllocator::nextAllocatorInSubspace):
697         (JSC::MarkedAllocator::setNextAllocatorInSubspace):
698         (JSC::MarkedAllocator::subspace):
699         (JSC::MarkedAllocator::tryAllocate): Deleted.
700         (JSC::MarkedAllocator::allocate): Deleted.
701         (JSC::MarkedAllocator::forEachBlock): Deleted.
702         * heap/MarkedAllocatorInlines.h: Added.
703         (JSC::MarkedAllocator::tryAllocate):
704         (JSC::MarkedAllocator::allocate):
705         (JSC::MarkedAllocator::forEachBlock):
706         (JSC::MarkedAllocator::forEachNotEmptyBlock):
707         * heap/MarkedBlock.cpp:
708         (JSC::MarkedBlock::Handle::subspace):
709         (JSC::MarkedBlock::Handle::sweep):
710         (JSC::MarkedBlock::Handle::specializedSweep): Deleted.
711         (JSC::MarkedBlock::Handle::sweepHelperSelectScribbleMode): Deleted.
712         (JSC::MarkedBlock::Handle::sweepHelperSelectEmptyMode): Deleted.
713         (JSC::MarkedBlock::Handle::sweepHelperSelectHasNewlyAllocated): Deleted.
714         (JSC::MarkedBlock::Handle::sweepHelperSelectSweepMode): Deleted.
715         (JSC::MarkedBlock::Handle::sweepHelperSelectMarksMode): Deleted.
716         * heap/MarkedBlock.h:
717         (JSC::MarkedBlock::Handle::visitWeakSet):
718         * heap/MarkedBlockInlines.h:
719         (JSC::MarkedBlock::Handle::isNewlyAllocatedStale):
720         (JSC::MarkedBlock::Handle::hasAnyNewlyAllocated):
721         (JSC::MarkedBlock::heap):
722         (JSC::MarkedBlock::space):
723         (JSC::MarkedBlock::Handle::space):
724         (JSC::MarkedBlock::Handle::specializedSweep):
725         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace):
726         (JSC::MarkedBlock::Handle::sweepDestructionMode):
727         (JSC::MarkedBlock::Handle::emptyMode):
728         (JSC::MarkedBlock::Handle::scribbleMode):
729         (JSC::MarkedBlock::Handle::newlyAllocatedMode):
730         (JSC::MarkedBlock::Handle::marksMode):
731         (JSC::MarkedBlock::Handle::forEachMarkedCell):
732         * heap/MarkedSpace.cpp:
733         (JSC::MarkedSpace::initializeSizeClassForStepSize):
734         (JSC::MarkedSpace::MarkedSpace):
735         (JSC::MarkedSpace::lastChanceToFinalize):
736         (JSC::MarkedSpace::addMarkedAllocator):
737         (JSC::MarkedSpace::allocate): Deleted.
738         (JSC::MarkedSpace::tryAllocate): Deleted.
739         (JSC::MarkedSpace::allocateLarge): Deleted.
740         (JSC::MarkedSpace::tryAllocateLarge): Deleted.
741         * heap/MarkedSpace.h:
742         (JSC::MarkedSpace::heap):
743         (JSC::MarkedSpace::allocatorLock):
744         (JSC::MarkedSpace::subspaceForObjectsWithDestructor): Deleted.
745         (JSC::MarkedSpace::subspaceForObjectsWithoutDestructor): Deleted.
746         (JSC::MarkedSpace::subspaceForAuxiliaryData): Deleted.
747         (JSC::MarkedSpace::allocatorFor): Deleted.
748         (JSC::MarkedSpace::destructorAllocatorFor): Deleted.
749         (JSC::MarkedSpace::auxiliaryAllocatorFor): Deleted.
750         (JSC::MarkedSpace::allocateWithoutDestructor): Deleted.
751         (JSC::MarkedSpace::allocateWithDestructor): Deleted.
752         (JSC::MarkedSpace::allocateAuxiliary): Deleted.
753         (JSC::MarkedSpace::tryAllocateAuxiliary): Deleted.
754         (JSC::MarkedSpace::forEachSubspace): Deleted.
755         * heap/MarkingConstraint.cpp:
756         (JSC::MarkingConstraint::MarkingConstraint):
757         * heap/MarkingConstraint.h:
758         (JSC::MarkingConstraint::volatility):
759         * heap/MarkingConstraintSet.cpp:
760         (JSC::MarkingConstraintSet::resetStats):
761         (JSC::MarkingConstraintSet::add):
762         (JSC::MarkingConstraintSet::executeConvergenceImpl):
763         * heap/MarkingConstraintSet.h:
764         * heap/SlotVisitor.cpp:
765         (JSC::SlotVisitor::visitChildren):
766         (JSC::SlotVisitor::visitAsConstraint):
767         (JSC::SlotVisitor::drain):
768         (JSC::SlotVisitor::addOpaqueRoot):
769         (JSC::SlotVisitor::mergeIfNecessary):
770         (JSC::SlotVisitor::mergeOpaqueRootsIfNecessary): Deleted.
771         * heap/SlotVisitor.h:
772         (JSC::SlotVisitor::setIgnoreNewOpaqueRoots):
773         * heap/SlotVisitorInlines.h:
774         (JSC::SlotVisitor::reportExtraMemoryVisited):
775         (JSC::SlotVisitor::reportExternalMemoryVisited):
776         * heap/Subspace.cpp: Added.
777         (JSC::Subspace::Subspace):
778         (JSC::Subspace::~Subspace):
779         (JSC::Subspace::finishSweep):
780         (JSC::Subspace::destroy):
781         (JSC::Subspace::allocate):
782         (JSC::Subspace::tryAllocate):
783         (JSC::Subspace::allocatorForSlow):
784         (JSC::Subspace::allocateSlow):
785         (JSC::Subspace::tryAllocateSlow):
786         * heap/Subspace.h: Added.
787         (JSC::Subspace::tryAllocatorFor):
788         (JSC::Subspace::allocatorFor):
789         * heap/SubspaceInlines.h: Added.
790         (JSC::Subspace::forEachMarkedBlock):
791         (JSC::Subspace::forEachNotEmptyMarkedBlock):
792         (JSC::Subspace::forEachLargeAllocation):
793         (JSC::Subspace::forEachMarkedCell):
794         * heap/WeakBlock.cpp:
795         (JSC::WeakBlock::specializedVisit):
796         * heap/WeakBlock.h:
797         * heap/WeakSet.h:
798         (JSC::WeakSet::visit):
799         * jit/AssemblyHelpers.h:
800         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
801         (JSC::AssemblyHelpers::emitAllocateVariableSized):
802         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
803         * jit/JITOpcodes.cpp:
804         (JSC::JIT::emit_op_new_object):
805         * jsc.cpp:
806         * runtime/ButterflyInlines.h:
807         (JSC::Butterfly::createUninitialized):
808         (JSC::Butterfly::growArrayRight):
809         * runtime/ClassInfo.h:
810         * runtime/ClonedArguments.cpp:
811         (JSC::ClonedArguments::createEmpty):
812         * runtime/DirectArguments.cpp:
813         (JSC::DirectArguments::overrideThings):
814         * runtime/GenericArgumentsInlines.h:
815         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
816         * runtime/HashMapImpl.h:
817         (JSC::HashMapBuffer::create):
818         * runtime/JSArray.cpp:
819         (JSC::JSArray::tryCreateUninitialized):
820         (JSC::JSArray::unshiftCountSlowCase):
821         * runtime/JSArrayBufferView.cpp:
822         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
823         * runtime/JSCell.h:
824         (JSC::subspaceFor):
825         * runtime/JSCellInlines.h:
826         (JSC::JSCell::visitOutputConstraints):
827         (JSC::JSCell::subspaceFor):
828         (JSC::allocateCell):
829         * runtime/JSDestructibleObject.h:
830         (JSC::JSDestructibleObject::subspaceFor):
831         * runtime/JSDestructibleObjectSubspace.cpp: Added.
832         (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace):
833         (JSC::JSDestructibleObjectSubspace::~JSDestructibleObjectSubspace):
834         (JSC::JSDestructibleObjectSubspace::finishSweep):
835         (JSC::JSDestructibleObjectSubspace::destroy):
836         * runtime/JSDestructibleObjectSubspace.h: Added.
837         * runtime/JSObject.h:
838         (JSC::JSObject::JSObject):
839         * runtime/JSObjectInlines.h:
840         * runtime/JSSegmentedVariableObject.h:
841         * runtime/JSString.h:
842         (JSC::JSString::subspaceFor):
843         * runtime/JSStringSubspace.cpp: Added.
844         (JSC::JSStringSubspace::JSStringSubspace):
845         (JSC::JSStringSubspace::~JSStringSubspace):
846         (JSC::JSStringSubspace::finishSweep):
847         (JSC::JSStringSubspace::destroy):
848         * runtime/JSStringSubspace.h: Added.
849         * runtime/RegExpMatchesArray.h:
850         (JSC::tryCreateUninitializedRegExpMatchesArray):
851         * runtime/VM.cpp:
852         (JSC::VM::VM):
853         * runtime/VM.h:
854
855 2017-01-17  Michael Saboff  <msaboff@apple.com>
856
857         Nested parenthesized regular expressions with non-zero minimum counts appear to hang and use lots of memory
858         https://bugs.webkit.org/show_bug.cgi?id=167125
859
860         Reviewed by Filip Pizlo.
861
862         Changed Yarr to handle nested parenthesized subexpressions where the minimum count is
863         not 0 directly in the Yarr interpreter.  Previously we'd factor an expression like
864         (a|b)+ into (a|b)(a|b)* with special handling for captures.  This factoring was done
865         using a deep copy that doubled the size of the resulting expression for each nested
866         parenthesized subexpression.  Now the Yarr interpreter can directly process a regexp
867         like (a|b){2,42}.  
868
869         The parser will allow one level of nested, non-zero minimum, counted parenthesis using
870         the old copy method.  After one level, it will generate parenthesis terms with a non-zero
871         minimum.  Such an expression wasn't handled by the Yarr JIT before the change, so this
872         change isn't a performance regression.
873
874         Added a minimum count to the YarrPattern and ByteTerm classes, and then factored that
875         minimum into the interpreter.  A non-zero minimum is only handled by the Yarr interpreter.
876         If the Yarr JIT sees such a term, it punts back to the interpreter.
877
878         * yarr/YarrInterpreter.cpp:
879         (JSC::Yarr::Interpreter::backtrackPatternCharacter):
880         (JSC::Yarr::Interpreter::backtrackPatternCasedCharacter):
881         (JSC::Yarr::Interpreter::matchCharacterClass):
882         (JSC::Yarr::Interpreter::backtrackCharacterClass):
883         (JSC::Yarr::Interpreter::matchBackReference):
884         (JSC::Yarr::Interpreter::backtrackBackReference):
885         (JSC::Yarr::Interpreter::matchParenthesesOnceBegin):
886         (JSC::Yarr::Interpreter::matchParenthesesOnceEnd):
887         (JSC::Yarr::Interpreter::backtrackParenthesesOnceBegin):
888         (JSC::Yarr::Interpreter::backtrackParenthesesOnceEnd):
889         (JSC::Yarr::Interpreter::matchParenthesesTerminalBegin):
890         (JSC::Yarr::Interpreter::backtrackParenthesesTerminalBegin):
891         (JSC::Yarr::Interpreter::matchParentheticalAssertionBegin):
892         (JSC::Yarr::Interpreter::matchParentheticalAssertionEnd):
893         (JSC::Yarr::Interpreter::backtrackParentheticalAssertionBegin):
894         (JSC::Yarr::Interpreter::backtrackParentheticalAssertionEnd):
895         (JSC::Yarr::Interpreter::matchParentheses):
896         (JSC::Yarr::Interpreter::backtrackParentheses):
897         (JSC::Yarr::Interpreter::matchDisjunction):
898         (JSC::Yarr::ByteCompiler::atomPatternCharacter):
899         (JSC::Yarr::ByteCompiler::atomCharacterClass):
900         (JSC::Yarr::ByteCompiler::atomBackReference):
901         (JSC::Yarr::ByteCompiler::atomParentheticalAssertionEnd):
902         (JSC::Yarr::ByteCompiler::atomParenthesesSubpatternEnd):
903         (JSC::Yarr::ByteCompiler::atomParenthesesOnceEnd):
904         (JSC::Yarr::ByteCompiler::atomParenthesesTerminalEnd):
905         (JSC::Yarr::ByteCompiler::emitDisjunction):
906         * yarr/YarrInterpreter.h:
907         (JSC::Yarr::ByteTerm::ByteTerm):
908         * yarr/YarrJIT.cpp:
909         (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
910         (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
911         (JSC::Yarr::YarrGenerator::generatePatternCharacterGreedy):
912         (JSC::Yarr::YarrGenerator::backtrackPatternCharacterNonGreedy):
913         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
914         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
915         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
916         (JSC::Yarr::YarrGenerator::generateTerm):
917         (JSC::Yarr::YarrGenerator::backtrackTerm):
918         (JSC::Yarr::YarrGenerator::generate):
919         (JSC::Yarr::YarrGenerator::backtrack):
920         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
921         * yarr/YarrPattern.cpp:
922         (JSC::Yarr::YarrPatternConstructor::copyTerm):
923         (JSC::Yarr::YarrPatternConstructor::quantifyAtom):
924         (JSC::Yarr::YarrPatternConstructor::checkForTerminalParentheses):
925         (JSC::Yarr::YarrPattern::YarrPattern):
926         * yarr/YarrPattern.h:
927         (JSC::Yarr::PatternTerm::PatternTerm):
928         (JSC::Yarr::PatternTerm::quantify):
929         (JSC::Yarr::YarrPattern::reset):
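
        To make the size blowup described above concrete, the following is an added model in
        JavaScript; it is not WebKit or Yarr code. The term tree, the `factorOld` rewrite and
        the `nested` helper are simplifications assumed for illustration: a counted group
        `(X){n,m}` is rewritten as n mandatory deep copies of X followed by an optional
        remainder, and every copy is factored again, which is why a group nested inside X is
        duplicated once per level of nesting. Keeping the minimum on the term itself, as the
        patched interpreter does, leaves the tree at its original size.

```javascript
'use strict';

// Added example (not WebKit/Yarr code): a toy model of the pattern growth the
// ChangeLog entry describes. A pattern is a tree of terms; a counted group
// carries its own {min, max}.

function lit(c) { return { type: 'lit', c }; }                      // one character
function group(body, min, max) { return { type: 'group', body, min, max }; }
function seq(terms) { return { type: 'seq', terms }; }

// Number of terms in the tree: the quantity that grew exponentially.
function size(node) {
  switch (node.type) {
    case 'lit':   return 1;
    case 'group': return 1 + size(node.body);
    case 'seq':   return node.terms.reduce((n, t) => n + size(t), 0);
    default:      throw new Error(`unknown node type ${node.type}`);
  }
}

// Modelled old strategy: (X){n,m} -> (X){1,1} ... n copies ... (X){0,m-n}.
// Each mandatory copy is a deep copy of X that is itself factored, so a group
// nested inside X is copied (and re-factored) once per copy of X.
function factorOld(node) {
  switch (node.type) {
    case 'lit':   return node;
    case 'seq':   return seq(node.terms.map(factorOld));
    case 'group': {
      if (node.min === 0) return group(factorOld(node.body), 0, node.max);
      const parts = [];
      for (let i = 0; i < node.min; i++) parts.push(group(factorOld(node.body), 1, 1));
      const restMax = node.max === Infinity ? Infinity : node.max - node.min;
      parts.push(group(factorOld(node.body), 0, restMax));
      return seq(parts);
    }
    default:      throw new Error(`unknown node type ${node.type}`);
  }
}

// ((...(a){min,}...){min,}){min,} with `depth` levels of nesting (assumed shape).
function nested(depth, min = 1) {
  let node = lit('a');
  for (let i = 0; i < depth; i++) node = group(node, min, Infinity);
  return node;
}

// Size of the pattern as written (what a term with a stored minimum costs)
// versus after the modelled copy-based factoring.
function compare(depth, min = 1) {
  const p = nested(depth, min);
  return { original: size(p), old: size(factorOld(p)) };
}

for (const d of [1, 2, 4, 8, 16]) console.log(d, compare(d));
```

        With `min = 1` the factored size is 3 * 2^depth - 2 terms, so sixteen levels of nesting
        already produce close to two hundred thousand terms from a seventeen-term pattern; a
        larger minimum multiplies the growth factor accordingly.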
930
931 2017-01-17  Joseph Pecoraro  <pecoraro@apple.com>
932
933         ENABLE(USER_TIMING) Not Defined for Apple Windows or OS X Ports
934         https://bugs.webkit.org/show_bug.cgi?id=116551
935         <rdar://problem/13949830>
936
937         Reviewed by Alex Christensen.
938
939         * Configurations/FeatureDefines.xcconfig:
940
941 2017-01-16  Filip Pizlo  <fpizlo@apple.com>
942
943         JSCell::classInfo() shouldn't have a bunch of mitigations for being called during destruction
944         https://bugs.webkit.org/show_bug.cgi?id=167066
945
946         Reviewed by Keith Miller and Michael Saboff.
947         
948         This reduces the size of JSCell::classInfo() by half and removes some checks that
949         this function previously had to do in case it was called from destructors.
950         
951         I changed all of the destructors so that they don't call JSCell::classInfo() and I
952         added an assertion to JSCell::classInfo() to catch cases where someone called it
953         from a destructor accidentally.
954         
955         This means that we only have one place in destruction that needs to know the class:
956         the sweeper's call to the destructor.
957         
958         One of the trickiest outcomes of this is the need to support inherits() tests in
959         JSObjectGetPrivate(), when it is called from the destructor callback on the object
960         being destructed. JSObjectGetPrivate() is undefined behavior anyway if you use it
961         on any dead-but-not-destructed object other than the one being destructed right
962         now. The purpose of the inherits() tests is to distinguish between different kinds
963         of CallbackObjects, which may have different kinds of base classes. I think that
964         this was always subtly wrong - for example, if the object being destructed is a
965         JSGlobalObject then it's not a DestructibleObject, is not in a destructor block,
966         but does not have an immortal Structure - so classInfo() is not valid. This fixes
967         the issue by having ~JSCallbackObject know its classInfo. It now stashes its
968         classInfo in VM so that JSObjectGetPrivate can use that classInfo if it detects
969         that it's being used on a currently-destructing object.
970         
971         That was the only really weird part of this patch. The rest is mostly removing
972         illegal uses of jsCast<> in destructors. There were a few other genuine uses of
973         classInfo() but they were in code that already knew how to get its classInfo()
974         using other means:
975         
976         - You can still say structure()->classInfo(), and I use this form in code that
977           knows that its StructureIsImmortal.
978         
979         - You can use this->classInfo() if it's overridden, like in subclasses of
980           JSDestructibleObject.
981         
982         Rolling this back in because I think I fixed the crashes.
983
984         * API/JSAPIWrapperObject.mm:
985         (JSAPIWrapperObjectHandleOwner::finalize):
986         * API/JSCallbackObject.h:
987         * API/JSCallbackObjectFunctions.h:
988         (JSC::JSCallbackObject<Parent>::~JSCallbackObject):
989         (JSC::JSCallbackObject<Parent>::init):
990         * API/JSObjectRef.cpp:
991         (classInfoPrivate):
992         (JSObjectGetPrivate):
993         (JSObjectSetPrivate):
994         * bytecode/EvalCodeBlock.cpp:
995         (JSC::EvalCodeBlock::destroy):
996         * bytecode/FunctionCodeBlock.cpp:
997         (JSC::FunctionCodeBlock::destroy):
998         * bytecode/ModuleProgramCodeBlock.cpp:
999         (JSC::ModuleProgramCodeBlock::destroy):
1000         * bytecode/ProgramCodeBlock.cpp:
1001         (JSC::ProgramCodeBlock::destroy):
1002         * bytecode/UnlinkedEvalCodeBlock.cpp:
1003         (JSC::UnlinkedEvalCodeBlock::destroy):
1004         * bytecode/UnlinkedFunctionCodeBlock.cpp:
1005         (JSC::UnlinkedFunctionCodeBlock::destroy):
1006         * bytecode/UnlinkedFunctionExecutable.cpp:
1007         (JSC::UnlinkedFunctionExecutable::destroy):
1008         * bytecode/UnlinkedModuleProgramCodeBlock.cpp:
1009         (JSC::UnlinkedModuleProgramCodeBlock::destroy):
1010         * bytecode/UnlinkedProgramCodeBlock.cpp:
1011         (JSC::UnlinkedProgramCodeBlock::destroy):
1012         * heap/CodeBlockSet.cpp:
1013         (JSC::CodeBlockSet::lastChanceToFinalize):
1014         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
1015         * heap/MarkedAllocator.cpp:
1016         (JSC::MarkedAllocator::allocateSlowCaseImpl):
1017         * heap/MarkedBlock.cpp:
1018         (JSC::MarkedBlock::Handle::sweep):
1019         * jit/JITThunks.cpp:
1020         (JSC::JITThunks::finalize):
1021         * runtime/AbstractModuleRecord.cpp:
1022         (JSC::AbstractModuleRecord::destroy):
1023         * runtime/ExecutableBase.cpp:
1024         (JSC::ExecutableBase::clearCode):
1025         * runtime/JSCellInlines.h:
1026         (JSC::JSCell::classInfo):
1027         (JSC::JSCell::callDestructor):
1028         * runtime/JSLock.h:
1029         (JSC::JSLock::ownerThread):
1030         * runtime/JSModuleNamespaceObject.cpp:
1031         (JSC::JSModuleNamespaceObject::destroy):
1032         * runtime/JSModuleRecord.cpp:
1033         (JSC::JSModuleRecord::destroy):
1034         * runtime/JSPropertyNameEnumerator.cpp:
1035         (JSC::JSPropertyNameEnumerator::destroy):
1036         * runtime/JSSegmentedVariableObject.h:
1037         * runtime/SymbolTable.cpp:
1038         (JSC::SymbolTable::destroy):
1039         * runtime/VM.h:
1040         * wasm/js/JSWebAssemblyCallee.cpp:
1041         (JSC::JSWebAssemblyCallee::destroy):
1042         * wasm/js/WebAssemblyModuleRecord.cpp:
1043         (JSC::WebAssemblyModuleRecord::destroy):
1044         * wasm/js/WebAssemblyToJSCallee.cpp:
1045         (JSC::WebAssemblyToJSCallee::WebAssemblyToJSCallee):
1046         (JSC::WebAssemblyToJSCallee::destroy):
1047
1048 2017-01-17  Filip Pizlo  <fpizlo@apple.com>
1049
1050         Unreviewed, roll out http://trac.webkit.org/changeset/210821
1051         It was causing crashes.
1052
1053         * API/JSAPIWrapperObject.mm:
1054         (JSAPIWrapperObjectHandleOwner::finalize):
1055         * API/JSCallbackObject.h:
1056         * API/JSCallbackObjectFunctions.h:
1057         (JSC::JSCallbackObject<Parent>::~JSCallbackObject):
1058         (JSC::JSCallbackObject<Parent>::init):
1059         * API/JSObjectRef.cpp:
1060         (JSObjectGetPrivate):
1061         (JSObjectSetPrivate):
1062         (classInfoPrivate): Deleted.
1063         * bytecode/EvalCodeBlock.cpp:
1064         (JSC::EvalCodeBlock::destroy):
1065         * bytecode/FunctionCodeBlock.cpp:
1066         (JSC::FunctionCodeBlock::destroy):
1067         * bytecode/ModuleProgramCodeBlock.cpp:
1068         (JSC::ModuleProgramCodeBlock::destroy):
1069         * bytecode/ProgramCodeBlock.cpp:
1070         (JSC::ProgramCodeBlock::destroy):
1071         * bytecode/UnlinkedEvalCodeBlock.cpp:
1072         (JSC::UnlinkedEvalCodeBlock::destroy):
1073         * bytecode/UnlinkedFunctionCodeBlock.cpp:
1074         (JSC::UnlinkedFunctionCodeBlock::destroy):
1075         * bytecode/UnlinkedFunctionExecutable.cpp:
1076         (JSC::UnlinkedFunctionExecutable::destroy):
1077         * bytecode/UnlinkedModuleProgramCodeBlock.cpp:
1078         (JSC::UnlinkedModuleProgramCodeBlock::destroy):
1079         * bytecode/UnlinkedProgramCodeBlock.cpp:
1080         (JSC::UnlinkedProgramCodeBlock::destroy):
1081         * heap/CodeBlockSet.cpp:
1082         (JSC::CodeBlockSet::lastChanceToFinalize):
1083         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
1084         * heap/MarkedAllocator.cpp:
1085         (JSC::MarkedAllocator::allocateSlowCaseImpl):
1086         * heap/MarkedBlock.cpp:
1087         (JSC::MarkedBlock::Handle::sweep):
1088         * jit/JITThunks.cpp:
1089         (JSC::JITThunks::finalize):
1090         * runtime/AbstractModuleRecord.cpp:
1091         (JSC::AbstractModuleRecord::destroy):
1092         * runtime/ExecutableBase.cpp:
1093         (JSC::ExecutableBase::clearCode):
1094         * runtime/JSCellInlines.h:
1095         (JSC::JSCell::classInfo):
1096         (JSC::JSCell::callDestructor):
1097         * runtime/JSLock.h:
1098         (JSC::JSLock::exclusiveThread):
1099         (JSC::JSLock::ownerThread): Deleted.
1100         * runtime/JSModuleNamespaceObject.cpp:
1101         (JSC::JSModuleNamespaceObject::destroy):
1102         * runtime/JSModuleRecord.cpp:
1103         (JSC::JSModuleRecord::destroy):
1104         * runtime/JSPropertyNameEnumerator.cpp:
1105         (JSC::JSPropertyNameEnumerator::destroy):
1106         * runtime/JSSegmentedVariableObject.h:
1107         * runtime/SymbolTable.cpp:
1108         (JSC::SymbolTable::destroy):
1109         * runtime/VM.h:
1110         * wasm/js/JSWebAssemblyCallee.cpp:
1111         (JSC::JSWebAssemblyCallee::destroy):
1112         * wasm/js/WebAssemblyModuleRecord.cpp:
1113         (JSC::WebAssemblyModuleRecord::destroy):
1114         * wasm/js/WebAssemblyToJSCallee.cpp:
1115         (JSC::WebAssemblyToJSCallee::WebAssemblyToJSCallee):
1116         (JSC::WebAssemblyToJSCallee::destroy):
1117
1118 2017-01-16  Filip Pizlo  <fpizlo@apple.com>
1119
1120         JSCell::classInfo() shouldn't have a bunch of mitigations for being called during destruction
1121         https://bugs.webkit.org/show_bug.cgi?id=167066
1122
1123         Reviewed by Keith Miller and Michael Saboff.
1124         
1125         This reduces the size of JSCell::classInfo() by half and removes some checks that
1126         this function previously had to do in case it was called from destructors.
1127         
1128         I changed all of the destructors so that they don't call JSCell::classInfo() and I
1129         added an assertion to JSCell::classInfo() to catch cases where someone called it
1130         from a destructor accidentally.
1131         
1132         This means that we only have one place in destruction that needs to know the class:
1133         the sweeper's call to the destructor.
1134         
1135         One of the trickiest outcomes of this is the need to support inherits() tests in
1136         JSObjectGetPrivate(), when it is called from the destructor callback on the object
1137         being destructed. JSObjectGetPrivate() is undefined behavior anyway if you use it
1138         on any dead-but-not-destructed object other than the one being destructed right
1139         now. The purpose of the inherits() tests is to distinguish between different kinds
1140         of CallbackObjects, which may have different kinds of base classes. I think that
1141         this was always subtly wrong - for example, if the object being destructed is a
1142         JSGlobalObject then it's not a DestructibleObject, is not in a destructor block,
1143         but does not have an immortal Structure - so classInfo() is not valid. This fixes
1144         the issue by having ~JSCallbackObject know its classInfo. It now stashes its
1145         classInfo in VM so that JSObjectGetPrivate can use that classInfo if it detects
1146         that it's being used on a currently-destructing object.
1147         
1148         That was the only really weird part of this patch. The rest is mostly removing
1149         illegal uses of jsCast<> in destructors. There were a few other genuine uses of
1150         classInfo() but they were in code that already knew how to get its classInfo()
1151         using other means:
1152         
1153         - You can still say structure()->classInfo(), and I use this form in code that
1154           knows that its StructureIsImmortal.
1155         
1156         - You can use this->classInfo() if it's overridden, like in subclasses of
1157           JSDestructibleObject.
1158
1159         * API/JSAPIWrapperObject.mm:
1160         (JSAPIWrapperObjectHandleOwner::finalize):
1161         * API/JSCallbackObject.h:
1162         * API/JSCallbackObjectFunctions.h:
1163         (JSC::JSCallbackObject<Parent>::~JSCallbackObject):
1164         (JSC::JSCallbackObject<Parent>::init):
1165         * API/JSObjectRef.cpp:
1166         (classInfoPrivate):
1167         (JSObjectGetPrivate):
1168         (JSObjectSetPrivate):
1169         * bytecode/EvalCodeBlock.cpp:
1170         (JSC::EvalCodeBlock::destroy):
1171         * bytecode/FunctionCodeBlock.cpp:
1172         (JSC::FunctionCodeBlock::destroy):
1173         * bytecode/ModuleProgramCodeBlock.cpp:
1174         (JSC::ModuleProgramCodeBlock::destroy):
1175         * bytecode/ProgramCodeBlock.cpp:
1176         (JSC::ProgramCodeBlock::destroy):
1177         * bytecode/UnlinkedEvalCodeBlock.cpp:
1178         (JSC::UnlinkedEvalCodeBlock::destroy):
1179         * bytecode/UnlinkedFunctionCodeBlock.cpp:
1180         (JSC::UnlinkedFunctionCodeBlock::destroy):
1181         * bytecode/UnlinkedFunctionExecutable.cpp:
1182         (JSC::UnlinkedFunctionExecutable::destroy):
1183         * bytecode/UnlinkedModuleProgramCodeBlock.cpp:
1184         (JSC::UnlinkedModuleProgramCodeBlock::destroy):
1185         * bytecode/UnlinkedProgramCodeBlock.cpp:
1186         (JSC::UnlinkedProgramCodeBlock::destroy):
1187         * heap/CodeBlockSet.cpp:
1188         (JSC::CodeBlockSet::lastChanceToFinalize):
1189         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
1190         * heap/MarkedAllocator.cpp:
1191         (JSC::MarkedAllocator::allocateSlowCaseImpl):
1192         * heap/MarkedBlock.cpp:
1193         (JSC::MarkedBlock::Handle::sweep):
1194         * jit/JITThunks.cpp:
1195         (JSC::JITThunks::finalize):
1196         * runtime/AbstractModuleRecord.cpp:
1197         (JSC::AbstractModuleRecord::destroy):
1198         * runtime/ExecutableBase.cpp:
1199         (JSC::ExecutableBase::clearCode):
1200         * runtime/JSCellInlines.h:
1201         (JSC::JSCell::classInfo):
1202         (JSC::JSCell::callDestructor):
1203         * runtime/JSLock.h:
1204         (JSC::JSLock::ownerThread):
1205         * runtime/JSModuleNamespaceObject.cpp:
1206         (JSC::JSModuleNamespaceObject::destroy):
1207         * runtime/JSModuleRecord.cpp:
1208         (JSC::JSModuleRecord::destroy):
1209         * runtime/JSPropertyNameEnumerator.cpp:
1210         (JSC::JSPropertyNameEnumerator::destroy):
1211         * runtime/JSSegmentedVariableObject.h:
1212         * runtime/SymbolTable.cpp:
1213         (JSC::SymbolTable::destroy):
1214         * runtime/VM.h:
1215         * wasm/js/JSWebAssemblyCallee.cpp:
1216         (JSC::JSWebAssemblyCallee::destroy):
1217         * wasm/js/WebAssemblyModuleRecord.cpp:
1218         (JSC::WebAssemblyModuleRecord::destroy):
1219         * wasm/js/WebAssemblyToJSCallee.cpp:
1220         (JSC::WebAssemblyToJSCallee::WebAssemblyToJSCallee):
1221         (JSC::WebAssemblyToJSCallee::destroy):
1222
1223 2017-01-16  Joseph Pecoraro  <pecoraro@apple.com>
1224
1225         Remove the REQUEST_ANIMATION_FRAME flag
1226         https://bugs.webkit.org/show_bug.cgi?id=156980
1227         <rdar://problem/25906849>
1228
1229         Reviewed by Simon Fraser.
1230
1231         * Configurations/FeatureDefines.xcconfig:
1232
1233 2017-01-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1234
1235         WebAssembly: Suppress warnings & errors in GCC
1236         https://bugs.webkit.org/show_bug.cgi?id=167049
1237
1238         Reviewed by Sam Weinig.
1239
1240         * wasm/WasmFunctionParser.h:
1241         Add missing { } after the switch. Ideally, it is not necessary.
1242         But in GCC, it is required. Since this function is fairly large,
1243         I think the code generated by this does not cause performance
1244         regression.
1245
1246         * wasm/WasmPageCount.h:
1247         UINT_MAX is defined in limits.h.
1248
1249         * wasm/generateWasmValidateInlinesHeader.py:
1250         On the other hand, we use this suppress pragma here to solve the
1251         same problem in wasm/WasmFunctionParser.h. Since the load function
1252         is fairly small, the additional `return { };` may generate some
1253         suboptimal code. See bug 150794 for more detail.
1254
1255 2017-01-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1256
1257         Reserve capacity for StringBuilder in unescape
1258         https://bugs.webkit.org/show_bug.cgi?id=167008
1259
1260         Reviewed by Sam Weinig.
1261
1262         The `unescape` function is frequently called in Kraken sha256-iterative.
1263         This patch just reserves the capacity for the StringBuilder.
1264
1265         Currently, we select the length of the string for the reserved capacity.
1266         It improves the performance 2.73%.
1267
1268             Benchmark report for Kraken on sakura-trick.
1269
1270             VMs tested:
1271             "baseline" at /home/yusukesuzuki/dev/WebKit/WebKitBuild/untot/Release/bin/jsc
1272             "patched" at /home/yusukesuzuki/dev/WebKit/WebKitBuild/un/Release/bin/jsc
1273
1274             Collected 100 samples per benchmark/VM, with 100 VM invocations per benchmark. Emitted a call to gc() between
1275             sample measurements. Used 1 benchmark iteration per VM invocation for warm-up. Used the jsc-specific preciseTime()
1276             function to get microsecond-level timing. Reporting benchmark execution times with 95% confidence intervals in
1277             milliseconds.
1278
1279                                                        baseline                  patched
1280
1281             stanford-crypto-sha256-iterative        51.609+-0.672             50.237+-0.860           might be 1.0273x faster
1282
1283             <arithmetic>                            51.609+-0.672             50.237+-0.860           might be 1.0273x faster
1284
1285         * runtime/JSGlobalObjectFunctions.cpp:
1286         (JSC::globalFuncUnescape):
1287
1288 2017-01-13  Joseph Pecoraro  <pecoraro@apple.com>
1289
1290         Remove ENABLE(DETAILS_ELEMENT) guards
1291         https://bugs.webkit.org/show_bug.cgi?id=167042
1292
1293         Reviewed by Alex Christensen.
1294
1295         * Configurations/FeatureDefines.xcconfig:
1296
1297 2017-01-11  Darin Adler  <darin@apple.com>
1298
1299         Remove PassRefPtr from more of "platform"
1300         https://bugs.webkit.org/show_bug.cgi?id=166809
1301
1302         Reviewed by Sam Weinig.
1303
1304         * inspector/JSInjectedScriptHost.h:
1305         (Inspector::JSInjectedScriptHost::impl): Simplified code since we don't need a
1306         const_cast here any more.
1307         * runtime/PrivateName.h:
1308         (JSC::PrivateName::uid): Ditto.
1309
1310 2017-01-13  Ryan Haddad  <ryanhaddad@apple.com>
1311
1312         Unreviewed, rolling out r210735.
1313
1314         This change introduced LayoutTest and JSC test flakiness.
1315
1316         Reverted changeset:
1317
1318         "Reserve capacity for StringBuilder in unescape"
1319         https://bugs.webkit.org/show_bug.cgi?id=167008
1320         http://trac.webkit.org/changeset/210735
1321
1322 2017-01-13  Saam Barati  <sbarati@apple.com>
1323
1324         Initialize the ArraySpecies watchpoint as Clear and transition to IsWatched once slice is called for the first time
1325         https://bugs.webkit.org/show_bug.cgi?id=167017
1326         <rdar://problem/30019309>
1327
1328         Reviewed by Keith Miller and Filip Pizlo.
1329
1330         This patch is to reverse the JSBench regression from r210695.
1331         
1332         The new state diagram for the array species watchpoint is as
1333         follows:
1334         
1335         1. On GlobalObject construction, it starts life out as ClearWatchpoint.
1336         2. When slice is called for the first time, we observe the state
1337         of the world, and either transition it to IsWatched if we were able
1338         to set up the object property conditions, or to IsInvalidated if we
1339         were not.
1340         3. The DFG compiler will now only lower slice as an intrinsic if
1341         it observed the speciesWatchpoint.state() as IsWatched.
1342         4. The IsWatched => IsInvalidated transition happens only when
1343         one of the object property condition watchpoints fire.
1344
1345         * dfg/DFGByteCodeParser.cpp:
1346         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1347         * runtime/ArrayPrototype.cpp:
1348         (JSC::speciesWatchpointIsValid):
1349         (JSC::speciesConstructArray):
1350         (JSC::arrayProtoPrivateFuncConcatMemcpy):
1351         (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
1352         (JSC::ArrayPrototype::initializeSpeciesWatchpoint): Deleted.
1353         * runtime/ArrayPrototype.h:
1354         * runtime/JSGlobalObject.cpp:
1355         (JSC::JSGlobalObject::JSGlobalObject):
1356         (JSC::JSGlobalObject::init):
1357
1358 2017-01-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1359
1360         Reserve capacity for StringBuilder in unescape
1361         https://bugs.webkit.org/show_bug.cgi?id=167008
1362
1363         Reviewed by Sam Weinig.
1364
1365         The `unescape` function is frequently called in Kraken sha256-iterative.
1366         This patch just reserves the capacity for the StringBuilder.
1367
1368         Currently, we select the length of the string for the reserved capacity.
1369         It improves the performance 2.73%.
1370
1371             Benchmark report for Kraken on sakura-trick.
1372
1373             VMs tested:
1374             "baseline" at /home/yusukesuzuki/dev/WebKit/WebKitBuild/untot/Release/bin/jsc
1375             "patched" at /home/yusukesuzuki/dev/WebKit/WebKitBuild/un/Release/bin/jsc
1376
1377             Collected 100 samples per benchmark/VM, with 100 VM invocations per benchmark. Emitted a call to gc() between
1378             sample measurements. Used 1 benchmark iteration per VM invocation for warm-up. Used the jsc-specific preciseTime()
1379             function to get microsecond-level timing. Reporting benchmark execution times with 95% confidence intervals in
1380             milliseconds.
1381
1382                                                        baseline                  patched
1383
1384             stanford-crypto-sha256-iterative        51.609+-0.672             50.237+-0.860           might be 1.0273x faster
1385
1386             <arithmetic>                            51.609+-0.672             50.237+-0.860           might be 1.0273x faster
1387
1388         * runtime/JSGlobalObjectFunctions.cpp:
1389         (JSC::globalFuncUnescape):
1390
1391 2017-01-12  Saam Barati  <sbarati@apple.com>
1392
1393         Add a slice intrinsic to the DFG/FTL
1394         https://bugs.webkit.org/show_bug.cgi?id=166707
1395         <rdar://problem/29913445>
1396
1397         Reviewed by Filip Pizlo.
1398
1399         The gist of this patch is to inline Array.prototype.slice
1400         into the DFG/FTL. The implementation in the DFG-backend
1401         and FTLLowerDFGToB3 is just a straight forward implementation
1402         of what the C function is doing. The more interesting bits
1403         of this patch are setting up the proper watchpoints and conditions
1404         in the executing code to prove that it's safe to skip all of the
1405         observable JS actions that Array.prototype.slice normally does.
1406         
1407         We perform the following proofs:
1408         1. Array.prototype.constructor has not changed (via a watchpoint).
1409         2. That Array.prototype.constructor[Symbol.species] has not changed (via a watchpoint).
1410         3. The global object is not having a bad time.
1411         4. The array that is being sliced has an original array structure.
1412         5. Array.prototype/Object.prototype have not transitioned.
1413         
1414         Conditions 1, 2, and 3 are strictly required.
1415         
1416         4 is ensuring a couple things:
1417         1. That a "constructor" property hasn't been added to the array
1418         we're slicing since we're supposed to perform a Get(array, "constructor").
1419         2. That we're not slicing an instance of a subclass of Array.
1420         
1421         We could relax 4.1 in the future if we find other ways to test if
1422         the incoming array hasn't changed the "constructor" property. We
1423         would probably use TryGetById to do this.
1424         
1425         I'm seeing a 5% speedup on crypto-pbkdf2 and often a 1% speedup on
1426         the total benchmark (the results are sometimes noisy).
1427
1428         * dfg/DFGAbstractInterpreterInlines.h:
1429         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1430         * dfg/DFGByteCodeParser.cpp:
1431         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1432         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
1433         (JSC::DFG::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator):
1434         * dfg/DFGClobberize.h:
1435         (JSC::DFG::clobberize):
1436         * dfg/DFGDoesGC.cpp:
1437         (JSC::DFG::doesGC):
1438         * dfg/DFGFixupPhase.cpp:
1439         (JSC::DFG::FixupPhase::fixupNode):
1440         * dfg/DFGNodeType.h:
1441         * dfg/DFGPredictionPropagationPhase.cpp:
1442         * dfg/DFGSafeToExecute.h:
1443         (JSC::DFG::safeToExecute):
1444         * dfg/DFGSpeculativeJIT.cpp:
1445         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1446         (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
1447         * dfg/DFGSpeculativeJIT.h:
1448         * dfg/DFGSpeculativeJIT32_64.cpp:
1449         (JSC::DFG::SpeculativeJIT::compile):
1450         (JSC::DFG::SpeculativeJIT::emitInitializeButterfly):
1451         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
1452         * dfg/DFGSpeculativeJIT64.cpp:
1453         (JSC::DFG::SpeculativeJIT::compile):
1454         (JSC::DFG::SpeculativeJIT::emitInitializeButterfly):
1455         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
1456         * ftl/FTLAbstractHeapRepository.h:
1457         * ftl/FTLCapabilities.cpp:
1458         (JSC::FTL::canCompile):
1459         * ftl/FTLLowerDFGToB3.cpp:
1460         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1461         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
1462         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
1463         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1464         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
1465         (JSC::FTL::DFG::LowerDFGToB3::storeStructure):
1466         (JSC::FTL::DFG::LowerDFGToB3::allocateCell):
1467         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1468         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
1469         (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArray):
1470         * jit/AssemblyHelpers.cpp:
1471         (JSC::AssemblyHelpers::emitLoadStructure):
1472         * runtime/ArrayPrototype.cpp:
1473         (JSC::ArrayPrototype::finishCreation):
1474         (JSC::speciesWatchpointIsValid):
1475         (JSC::speciesConstructArray):
1476         (JSC::arrayProtoFuncSlice):
1477         (JSC::arrayProtoPrivateFuncConcatMemcpy):
1478         (JSC::ArrayPrototype::initializeSpeciesWatchpoint):
1479         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
1480         (JSC::speciesWatchpointsValid): Deleted.
1481         (JSC::ArrayPrototype::attemptToInitializeSpeciesWatchpoint): Deleted.
1482         * runtime/ArrayPrototype.h:
1483         (JSC::ArrayPrototype::speciesWatchpointStatus): Deleted.
1484         (): Deleted.
1485         * runtime/Intrinsic.h:
1486         * runtime/JSGlobalObject.cpp:
1487         (JSC::JSGlobalObject::JSGlobalObject):
1488         (JSC::JSGlobalObject::init):
1489         * runtime/JSGlobalObject.h:
1490         (JSC::JSGlobalObject::arraySpeciesWatchpoint):
1491         * runtime/Structure.h:
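
The conditions listed in this entry are observable from JavaScript; as an added example (not JavaScriptCore code), each function below changes one of the things the slice intrinsic's watchpoints guard, calls Array.prototype.slice, and returns what the spec's Get(array, "constructor") / Get(C, @@species) / Construct steps observed. Sink, TrackedArray and withPatched are constructed names for this example.

```javascript
"use strict";
// Added example (not JavaScriptCore code): each function changes one of the things
// the slice intrinsic's watchpoints guard, calls Array.prototype.slice, and returns
// what the spec's Get(array, "constructor") / Get(C, @@species) / Construct steps
// observed. Sink, TrackedArray and withPatched are constructed names for this example.

const constructedLengths = [];          // lengths passed to Construct(Sink, <<len>>)
function Sink(length) { constructedLengths.push(length); }

// Temporarily (re)defines target[key] while body runs, then restores the old
// descriptor so later slice calls see the unmodified world again.
function withPatched(target, key, descriptor, body) {
  const saved = Object.getOwnPropertyDescriptor(target, key);
  Object.defineProperty(target, key, descriptor);
  try {
    return body();
  } finally {
    if (saved) Object.defineProperty(target, key, saved);
    else delete target[key];
  }
}

// Condition 1: Array.prototype.constructor. For an ordinary array, Get(array,
// "constructor") resolves here, and slice then reads C[@@species] and constructs it.
function changedPrototypeConstructor() {
  constructedLengths.length = 0;
  return withPatched(Array.prototype, "constructor",
    { value: { [Symbol.species]: Sink }, writable: true, configurable: true },
    () => {
      const result = [10, 20, 30].slice(1);
      return { isSink: result instanceof Sink, first: result[0],
               length: result.length, constructedWith: constructedLengths[0] };
    });
}

// Condition 2: Array.prototype.constructor[Symbol.species], i.e. Array[@@species].
function changedSpecies() {
  constructedLengths.length = 0;
  return withPatched(Array, Symbol.species,
    { value: Sink, writable: true, configurable: true },
    () => {
      const result = [10, 20, 30].slice(1);
      return { isSink: result instanceof Sink, constructedWith: constructedLengths[0] };
    });
}

// Condition 3 ("having a bad time"): an indexed property on the prototype chain
// makes HasProperty/Get for a hole succeed, so a plain copy of the array's storage
// would produce the wrong value.
function indexedPropertyOnPrototype() {
  return withPatched(Object.prototype, "0",
    { value: "from-prototype", writable: true, configurable: true },
    () => [, "b"].slice(0));           // hole at index 0 reads through the prototype
}

// Condition 4.1: an own "constructor" property on the sliced array shadows
// Array.prototype.constructor for Get(array, "constructor").
function ownConstructorOnInstance() {
  constructedLengths.length = 0;
  const arr = [10, 20, 30];
  arr.constructor = { [Symbol.species]: Sink };
  const result = arr.slice(1);
  return { isSink: result instanceof Sink, constructedWith: constructedLengths[0] };
}

// Condition 4.2: an Array subclass instance has a non-original structure; the default
// @@species getter returns the subclass, so slice must construct a TrackedArray.
class TrackedArray extends Array {}
function subclassInstance() {
  const result = TrackedArray.of(10, 20, 30).slice(1);
  return { isSubclass: result instanceof TrackedArray, length: result.length };
}

// With everything restored, slice is back to producing plain Arrays.
function ordinarySliceIsPlainArray() {
  const result = [10, 20, 30].slice(1);
  return Array.isArray(result) && Object.getPrototypeOf(result) === Array.prototype;
}
```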
1492
1493 2017-01-12  Saam Barati  <sbarati@apple.com>
1494
1495         Concurrent GC has a bug where we would detect a race but fail to rescan the object
1496         https://bugs.webkit.org/show_bug.cgi?id=166960
1497         <rdar://problem/29983526>
1498
1499         Reviewed by Filip Pizlo and Mark Lam.
1500
1501         We have code like this in JSC:
1502         
1503         ```
1504         Butterfly* butterfly = allocateMoreOutOfLineStorage(vm, oldOutOfLineCapacity, newOutOfLineCapacity);
1505         nukeStructureAndSetButterfly(vm, structureID, butterfly);
1506         structure->setLastOffset(newLastOffset);
1507         WTF::storeStoreFence();
1508         setStructureIDDirectly(structureID);
1509         ```
1510         
1511         Note that the collector could detect a race here, which sometimes
1512         incorrectly caused us to not visit the object again.
1513         
1514         Mutator Thread: M, Collector Thread: C, assuming sequential consistency via
1515         proper barriers:
1516         
1517         M: allocate new butterfly
1518         M: Set nuked structure ID
1519         M: Set butterfly (this does a barrier)
1520         C: Start scanning O
1521         C: load structure ID
1522         C: See it's nuked and bail, (we used to rely on a write barrier to rescan).
1523         
1524         We sometimes never rescanned here because we were calling
1525         setStructureIDDirectly which doesn't do a write barrier.
1526         (Note, the places that do this but call setStructure were
1527         OK because setStructure will perform a write barrier.)
1528         
1529         (This same issue also existed in places where the collector thread
1530         detected races for Structure::m_offset, but places that changed
1531         Structure::m_offset didn't perform a write barrier on the object
1532         after changing its Structure's m_offset.)
1533         
1534         To prevent such code from requiring every call site to perform
1535         a write barrier on the object, I've changed the collector code
1536         to keep a stack of cells to be revisited due to races. This stack
1537         is then consulted when we do marking. Because such races are rare,
1538         we have a single stack on Heap that is guarded by a lock.
1539
1540         * heap/Heap.cpp:
1541         (JSC::Heap::Heap):
1542         (JSC::Heap::~Heap):
1543         (JSC::Heap::markToFixpoint):
1544         (JSC::Heap::endMarking):
1545         (JSC::Heap::buildConstraintSet):
1546         (JSC::Heap::addToRaceMarkStack):
1547         * heap/Heap.h:
1548         (JSC::Heap::collectorSlotVisitor):
1549         (JSC::Heap::mutatorMarkStack): Deleted.
1550         * heap/SlotVisitor.cpp:
1551         (JSC::SlotVisitor::didRace):
1552         * heap/SlotVisitor.h:
1553         (JSC::SlotVisitor::didRace):
1554         (JSC::SlotVisitor::didNotRace): Deleted.
1555         * heap/SlotVisitorInlines.h:
1556         (JSC::SlotVisitor::didNotRace): Deleted.
1557         * runtime/JSObject.cpp:
1558         (JSC::JSObject::visitButterfly):
1559         (JSC::JSObject::visitButterflyImpl):
1560         * runtime/JSObjectInlines.h:
1561         (JSC::JSObject::prepareToPutDirectWithoutTransition):
1562         * runtime/Structure.cpp:
1563         (JSC::Structure::flattenDictionaryStructure):
1564
1565 2017-01-12  Chris Dumez  <cdumez@apple.com>
1566
1567         Add KEYBOARD_KEY_ATTRIBUTE / KEYBOARD_CODE_ATTRIBUTE to FeatureDefines.xcconfig
1568         https://bugs.webkit.org/show_bug.cgi?id=166995
1569
1570         Reviewed by Jer Noble.
1571
1572         Add KEYBOARD_KEY_ATTRIBUTE / KEYBOARD_CODE_ATTRIBUTE to FeatureDefines.xcconfig
1573         as some people are having trouble building without it.
1574
1575         * Configurations/FeatureDefines.xcconfig:
1576
1577 2017-01-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1578
1579         Implement InlineClassicScript
1580         https://bugs.webkit.org/show_bug.cgi?id=166925
1581
1582         Reviewed by Ryosuke Niwa.
1583
1584         Add ScriptFetcher field for SourceOrigin.
1585
1586         * runtime/SourceOrigin.h:
1587         (JSC::SourceOrigin::SourceOrigin):
1588         (JSC::SourceOrigin::fetcher):
1589
1590 2017-01-11  Andreas Kling  <akling@apple.com>
1591
1592         Crash when WebCore's GC heap grows way too large.
1593         <https://webkit.org/b/166875>
1594         <rdar://problem/27896585>
1595
1596         Reviewed by Mark Lam.
1597
1598         Add a simple API to JSC::Heap that allows setting a hard limit on the amount
1599         of live bytes. If this is exceeded, we crash with a recognizable signature.
1600         By default there is no limit.
1601
1602         * heap/Heap.cpp:
1603         (JSC::Heap::didExceedMaxLiveSize):
1604         (JSC::Heap::updateAllocationLimits):
1605         * heap/Heap.h:
1606         (JSC::Heap::setMaxLiveSize):
1607
1608 2017-01-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1609
1610         Decouple module loading initiator from ScriptElement
1611         https://bugs.webkit.org/show_bug.cgi?id=166888
1612
1613         Reviewed by Saam Barati and Ryosuke Niwa.
1614
1615         Add ScriptFetcher and JSScriptFetcher.
1616
1617         * CMakeLists.txt:
1618         * JavaScriptCore.xcodeproj/project.pbxproj:
1619         * builtins/ModuleLoaderPrototype.js:
1620         (requestFetch):
1621         (requestInstantiate):
1622         (requestSatisfy):
1623         (requestInstantiateAll):
1624         (requestLink):
1625         (moduleEvaluation):
1626         (loadAndEvaluateModule):
1627         (importModule):
1628         * llint/LLIntData.cpp:
1629         (JSC::LLInt::Data::performAssertions):
1630         * llint/LowLevelInterpreter.asm:
1631         * runtime/Completion.cpp:
1632         (JSC::loadAndEvaluateModule):
1633         (JSC::loadModule):
1634         (JSC::linkAndEvaluateModule):
1635         * runtime/Completion.h:
1636         * runtime/JSModuleLoader.cpp:
1637         (JSC::JSModuleLoader::loadAndEvaluateModule):
1638         (JSC::JSModuleLoader::loadModule):
1639         (JSC::JSModuleLoader::linkAndEvaluateModule):
1640         (JSC::JSModuleLoader::resolve):
1641         (JSC::JSModuleLoader::fetch):
1642         (JSC::JSModuleLoader::instantiate):
1643         (JSC::JSModuleLoader::evaluate):
1644         * runtime/JSModuleLoader.h:
1645         * runtime/JSScriptFetcher.cpp: Copied from Source/WebCore/dom/LoadableScript.cpp.
1646         (JSC::JSScriptFetcher::destroy):
1647         * runtime/JSScriptFetcher.h: Added.
1648         (JSC::JSScriptFetcher::createStructure):
1649         (JSC::JSScriptFetcher::create):
1650         (JSC::JSScriptFetcher::fetcher):
1651         (JSC::JSScriptFetcher::JSScriptFetcher):
1652         * runtime/JSType.h:
1653         * runtime/ScriptFetcher.h: Copied from Source/WebCore/dom/LoadableScript.cpp.
1654         (JSC::ScriptFetcher::~ScriptFetcher):
1655         * runtime/VM.cpp:
1656         (JSC::VM::VM):
1657         * runtime/VM.h:
1658
1659 2017-01-10  Yusuke Suzuki  <utatane.tea@gmail.com>
1660
1661         Implement JSSourceCode to propagate SourceCode in module pipeline
1662         https://bugs.webkit.org/show_bug.cgi?id=166861
1663
1664         Reviewed by Saam Barati.
1665
1666         Instead of propagating source code string, we propagate JSSourceCode
1667         cell in the module pipeline. This allows us to attach metadata
1668         to the propagated source code string. In particular, it propagates
1669         SourceOrigin through the module pipeline.
1670
1671         And it also fixes JSC shell to use Module source type for module source code.
1672
1673         * CMakeLists.txt:
1674         * JavaScriptCore.xcodeproj/project.pbxproj:
1675         * builtins/ModuleLoaderPrototype.js:
1676         (fulfillFetch):
1677         (requestFetch):
1678         * jsc.cpp:
1679         (GlobalObject::moduleLoaderFetch):
1680         (runWithScripts):
1681         * llint/LLIntData.cpp:
1682         (JSC::LLInt::Data::performAssertions):
1683         * llint/LowLevelInterpreter.asm:
1684         * runtime/Completion.cpp:
1685         (JSC::loadAndEvaluateModule):
1686         (JSC::loadModule):
1687         * runtime/JSModuleLoader.cpp:
1688         (JSC::JSModuleLoader::provide):
1689         * runtime/JSModuleLoader.h:
1690         * runtime/JSSourceCode.cpp: Added.
1691         (JSC::JSSourceCode::destroy):
1692         * runtime/JSSourceCode.h: Added.
1693         (JSC::JSSourceCode::createStructure):
1694         (JSC::JSSourceCode::create):
1695         (JSC::JSSourceCode::sourceCode):
1696         (JSC::JSSourceCode::JSSourceCode):
1697         * runtime/JSType.h:
1698         * runtime/ModuleLoaderPrototype.cpp:
1699         (JSC::moduleLoaderPrototypeParseModule):
1700         * runtime/VM.cpp:
1701         (JSC::VM::VM):
1702         * runtime/VM.h:
1703
1704 2017-01-10  Commit Queue  <commit-queue@webkit.org>
1705
1706         Unreviewed, rolling out r210052.
1707         https://bugs.webkit.org/show_bug.cgi?id=166915
1708
1709         "breaks web compatibility" (Requested by keith_miller on
1710         #webkit).
1711
1712         Reverted changeset:
1713
1714         "Add support for global"
1715         https://bugs.webkit.org/show_bug.cgi?id=165171
1716         http://trac.webkit.org/changeset/210052
1717
1718 2017-01-10  Sam Weinig  <sam@webkit.org>
1719
1720         [WebIDL] Remove most of the custom bindings for the WebGL code
1721         https://bugs.webkit.org/show_bug.cgi?id=166834
1722
1723         Reviewed by Alex Christensen.
1724
1725         * runtime/ArrayPrototype.h:
1726         * runtime/ObjectPrototype.h:
1727         Export the ClassInfo so it can be used from WebCore.
1728
1729 2017-01-09  Filip Pizlo  <fpizlo@apple.com>
1730
1731         Streamline the GC barrier slowpath
1732         https://bugs.webkit.org/show_bug.cgi?id=166878
1733
1734         Reviewed by Geoffrey Garen and Saam Barati.
1735         
1736         This implements two optimizations to the barrier:
1737         
1738         - Removes the write barrier buffer. This was just overhead.
1739         
1740         - Teaches the slow path how to white an object that was black but unmarked, ensuring that
1741           we don't take slow path for this object again.
1742
1743         * JavaScriptCore.xcodeproj/project.pbxproj:
1744         * dfg/DFGSpeculativeJIT.cpp:
1745         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
1746         * ftl/FTLLowerDFGToB3.cpp:
1747         (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
1748         * heap/CellState.h:
1749         * heap/Heap.cpp:
1750         (JSC::Heap::Heap):
1751         (JSC::Heap::markToFixpoint):
1752         (JSC::Heap::addToRememberedSet):
1753         (JSC::Heap::stopTheWorld):
1754         (JSC::Heap::writeBarrierSlowPath):
1755         (JSC::Heap::buildConstraintSet):
1756         (JSC::Heap::flushWriteBarrierBuffer): Deleted.
1757         * heap/Heap.h:
1758         (JSC::Heap::writeBarrierBuffer): Deleted.
1759         * heap/SlotVisitor.cpp:
1760         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
1761         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
1762         (JSC::SlotVisitor::appendToMarkStack):
1763         (JSC::SlotVisitor::visitChildren):
1764         * heap/WriteBarrierBuffer.cpp: Removed.
1765         * heap/WriteBarrierBuffer.h: Removed.
1766         * jit/JITOperations.cpp:
1767         * jit/JITOperations.h:
1768         * runtime/JSCellInlines.h:
1769         (JSC::JSCell::JSCell):
1770         * runtime/StructureIDBlob.h:
1771         (JSC::StructureIDBlob::StructureIDBlob):
1772
1773 2017-01-10  Mark Lam  <mark.lam@apple.com>
1774
1775         Property setters should not be called for bound arguments list entries.
1776         https://bugs.webkit.org/show_bug.cgi?id=165631
1777
1778         Reviewed by Filip Pizlo.
1779
1780         * builtins/FunctionPrototype.js:
1781         (bind):
1782         - use @putByValDirect to set the bound arguments so that we don't consult the
1783           prototype chain for setters.
1784
1785         * runtime/IntlDateTimeFormatPrototype.cpp:
1786         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
1787         * runtime/IntlNumberFormatPrototype.cpp:
1788         (JSC::IntlNumberFormatPrototypeGetterFormat):
1789         - no need to create a bound arguments array because these bound functions bind
1790           no arguments according to the spec.
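
To see the behaviour this entry fixes, as an added example that is not JavaScriptCore's builtin code: a self-hosted bind that fills the bound-arguments array with ordinary stores calls a setter found on the prototype chain, while one that defines the properties directly (what @putByValDirect does) never consults it. makeBind, naiveBind, directBind, setterCallsDuring and compare are constructed names for this example.

```javascript
"use strict";
// Added example (not JavaScriptCore's builtin): two self-hosted versions of
// Function.prototype.bind that differ only in how the bound-arguments list is
// filled. naiveBind stores each argument with ordinary [[Set]] (the analogue of a
// plain putByVal), so an accessor found on the prototype chain intercepts it;
// directBind uses CreateDataProperty (the analogue of @putByValDirect). All names
// here are constructed for the example.

function makeBind(storeArgument) {
  return function bind(target, thisArg, ...args) {
    const boundArgs = [];
    for (let i = 0; i < args.length; i++)
      storeArgument(boundArgs, i, args[i]);
    return function bound(...callArgs) {
      return target.apply(thisArg, boundArgs.concat(callArgs));
    };
  };
}

const naiveBind = makeBind((arr, i, v) => { arr[i] = v; });
const directBind = makeBind((arr, i, v) => {
  Object.defineProperty(arr, i,
    { value: v, writable: true, enumerable: true, configurable: true });
});
// The engine's own bind, which the spec requires to behave like directBind.
const nativeBind = (target, thisArg, ...args) => target.bind(thisArg, ...args);

// Installs a setter for index "0" on Object.prototype while body runs and records
// how often it fired. The record is a plain object: pushing onto an array here
// would itself trigger the setter being installed.
function setterCallsDuring(body) {
  const calls = { count: 0, lastValue: undefined };
  Object.defineProperty(Object.prototype, "0", {
    set(v) { calls.count += 1; calls.lastValue = v; },
    configurable: true,
  });
  try {
    body();
  } finally {
    delete Object.prototype[0];
  }
  return calls;
}

function add(a, b) { return a + b; }

// Binds add's first argument to 1 with the given implementation and calls the
// bound function with 2. A correct bind never consults the setter and returns 3;
// the naive one loses the bound argument to the setter and returns NaN.
function compare(bindImpl) {
  let result;
  const setterCalls = setterCallsDuring(() => {
    const addOne = bindImpl(add, null, 1);
    result = addOne(2);
  });
  return { setterCalls, result };
}
```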
1791
1792 2017-01-10  Skachkov Oleksandr  <gskachkov@gmail.com>
1793
1794         Calling async arrow function which is in a class's member function will cause error
1795         https://bugs.webkit.org/show_bug.cgi?id=166879
1796
1797         Reviewed by Saam Barati.
1798
1799         The current patch fixes loading 'super' in an async arrow function. Errors appeared because
1800         super was always loaded regardless of whether it was used in the async arrow function or not, but the bytecompiler
1801         puts it into the arrow function context only if it is used within the arrow function. So to fix this issue we need to
1802         check whether super was used in the arrow function.
1803
1804         * bytecompiler/BytecodeGenerator.h:
1805         * bytecompiler/NodesCodegen.cpp:
1806         (JSC::FunctionNode::emitBytecode):
1807
1808 2017-01-10  Commit Queue  <commit-queue@webkit.org>
1809
1810         Unreviewed, rolling out r210537.
1811         https://bugs.webkit.org/show_bug.cgi?id=166903
1812
1813         This change introduced JSC test failures (Requested by
1814         ryanhaddad on #webkit).
1815
1816         Reverted changeset:
1817
1818         "Implement JSSourceCode to propagate SourceCode in module
1819         pipeline"
1820         https://bugs.webkit.org/show_bug.cgi?id=166861
1821         http://trac.webkit.org/changeset/210537
1822
1823 2017-01-10  Commit Queue  <commit-queue@webkit.org>
1824
1825         Unreviewed, rolling out r210540.
1826         https://bugs.webkit.org/show_bug.cgi?id=166896
1827
1828         too crude for non-WebCore clients (Requested by kling on
1829         #webkit).
1830
1831         Reverted changeset:
1832
1833         "Crash when GC heap grows way too large."
1834         https://bugs.webkit.org/show_bug.cgi?id=166875
1835         http://trac.webkit.org/changeset/210540
1836
1837 2017-01-09  Filip Pizlo  <fpizlo@apple.com>
1838
1839         JSArray has some object scanning races
1840         https://bugs.webkit.org/show_bug.cgi?id=166874
1841
1842         Reviewed by Mark Lam.
1843         
1844         This fixes two separate bugs, both of which I detected by running
1845         array-splice-contiguous.js in extreme anger:
1846         
1847         1) Some of the paths of shifting and unshifting were not grabbing the internal cell
1848            lock. This was causing the array storage scan to crash, even though it was well
1849            synchronized (the scan does hold the lock). The fix is just to hold the lock anywhere
1850            that memmoves the innards of the butterfly.
1851         
1852         2) Out of line property scanning was synchronized using double collect snapshot. Array
1853            storage scanning was synchronized using locks. But what if array storage
1854            transformations messed up the out of line properties? It turns out that we actually
1855            need to hoist the array storage scanner's locking up into the double collect
1856            snapshot.
1857         
1858         I don't know how to write a test that does any better of a job of catching this than
1859         array-splice-contiguous.js.
1860
1861         * heap/DeferGC.h: Make DisallowGC usable even if NDEBUG.
1862         * runtime/JSArray.cpp:
1863         (JSC::JSArray::unshiftCountSlowCase):
1864         (JSC::JSArray::shiftCountWithArrayStorage):
1865         (JSC::JSArray::unshiftCountWithArrayStorage):
1866         * runtime/JSObject.cpp:
1867         (JSC::JSObject::visitButterflyImpl):
1868
1869 2017-01-10  Andreas Kling  <akling@apple.com>
1870
1871         Crash when GC heap grows way too large.
1872         <https://webkit.org/b/166875>
1873         <rdar://problem/27896585>
1874
1875         Reviewed by Mark Lam.
1876
1877         Hard cap the JavaScript heap at 4GB of live objects (determined post-GC.)
1878         If we go past this limit, crash with a recognizable signature.
1879
1880         * heap/Heap.cpp:
1881         (JSC::Heap::didExceedHeapSizeLimit):
1882         (JSC::Heap::updateAllocationLimits):
1883
1884 2017-01-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1885
1886         Implement JSSourceCode to propagate SourceCode in module pipeline
1887         https://bugs.webkit.org/show_bug.cgi?id=166861
1888
1889         Reviewed by Saam Barati.
1890
1891         Instead of propagating source code string, we propagate JSSourceCode
1892         cell in the module pipeline. This allows us to attach metadata
1893         to the propagated source code string. In particular, it propagates
1894         SourceOrigin through the module pipeline.
1895
1896         * CMakeLists.txt:
1897         * JavaScriptCore.xcodeproj/project.pbxproj:
1898         * builtins/ModuleLoaderPrototype.js:
1899         (fulfillFetch):
1900         (requestFetch):
1901         * jsc.cpp:
1902         (GlobalObject::moduleLoaderFetch):
1903         * llint/LLIntData.cpp:
1904         (JSC::LLInt::Data::performAssertions):
1905         * llint/LowLevelInterpreter.asm:
1906         * runtime/Completion.cpp:
1907         (JSC::loadAndEvaluateModule):
1908         (JSC::loadModule):
1909         * runtime/JSModuleLoader.cpp:
1910         (JSC::JSModuleLoader::provide):
1911         * runtime/JSModuleLoader.h:
1912         * runtime/JSSourceCode.cpp: Added.
1913         (JSC::JSSourceCode::destroy):
1914         * runtime/JSSourceCode.h: Added.
1915         (JSC::JSSourceCode::createStructure):
1916         (JSC::JSSourceCode::create):
1917         (JSC::JSSourceCode::sourceCode):
1918         (JSC::JSSourceCode::JSSourceCode):
1919         * runtime/JSType.h:
1920         * runtime/ModuleLoaderPrototype.cpp:
1921         (JSC::moduleLoaderPrototypeParseModule):
1922         * runtime/VM.cpp:
1923         (JSC::VM::VM):
1924         * runtime/VM.h:
1925
1926 2017-01-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1927
1928         REGRESSION (r210522): ASSERTION FAILED: divot.offset >= divotStart.offset seen with stress/import-basic.js and stress/import-from-eval.js
1929         https://bugs.webkit.org/show_bug.cgi?id=166873
1930
1931         Reviewed by Saam Barati.
1932
1933         The divot should be the end of `import` token.
1934
1935         * parser/Parser.cpp:
1936         (JSC::Parser<LexerType>::parseMemberExpression):
1937
1938 2017-01-09  Filip Pizlo  <fpizlo@apple.com>
1939
1940         Unreviewed, fix cloop.
1941
1942         * dfg/DFGPlanInlines.h:
1943
1944 2017-01-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1945
1946         [JSC] Prototype dynamic-import
1947         https://bugs.webkit.org/show_bug.cgi?id=165724
1948
1949         Reviewed by Saam Barati.
1950
1951         In this patch, we implement stage3 dynamic-import proposal[1].
1952         This patch adds a new special operator `import`. And by using it, we can import
1953         the module dynamically from modules and scripts. Before this feature, the module
1954         is always imported statically and before executing the modules, importing the modules
1955         needs to be done. And especially, the module can only be imported from the module.
1956         So the classic script cannot import and use the modules. This dynamic-import relaxes
1957         the above restrictions.
1958
1959         The typical dynamic-import form is the following.
1960
1961             import("...").then(function (namespace) { ... });
1962
1963         You can pass any AssignmentExpression to the import operator, so you can determine
1964         the imported module dynamically.
1965
1966             import(value).then(function (namespace) { ... });
1967
1968         Previously, the module import declaration was only allowed among the top-level statements.
1969         But this import operator is just an expression, so you can use it inside a function,
1970         and you can use it conditionally.
1971
1972             async function go(cond)
1973             {
1974                 if (cond)
1975                     return import("...");
1976                 return undefined;
1977             }
1978             await go(true);
1979
1980         Currently, this patch implements this feature only for the JSC shell.
1981         The JSC module loader requires a new hook, `importModule`, and the JSC shell implements
1982         this hook. So, for now, dynamic-import is not available on the browser side:
1983         if you write an `import` call there, it always returns a rejected promise.
1984
1985         import is implemented as a special operator similar to `super`.
1986         This is because import is context-sensitive: if you call `import`, the module
1987         key resolution is done based on the caller's running context.
1988
1989         For example, if you are running the script whose filename is "./ok/hello.js", the module
1990         key for the call `import("./resource/syntax.js")` becomes "./ok/resource/syntax.js".
1991         But if you write exactly the same import form in the script "./error/hello.js", the
1992         key becomes "./error/resource/syntax.js". So exposing this feature as an `import`
1993         function would be misleading: the function would be sensitive to the caller's context.
1994         That's why dynamic-import is specified as a special operator.
1995
1996         To resolve the module key, we need the caller's context information, like the filename of
1997         the caller. This is provided by the SourceOrigin implemented in r210149.
1998         In the JSC shell implementation, this SourceOrigin holds the filename of the caller, so
1999         based on this the module loader resolves the module key.
2000         In the near future, we will extend this SourceOrigin to hold more information needed for
2001         the browser-side import implementation.
2002
2003         [1]: https://tc39.github.io/proposal-dynamic-import/
2004
2005         * builtins/ModuleLoaderPrototype.js:
2006         (importModule):
2007         * bytecompiler/BytecodeGenerator.cpp:
2008         (JSC::BytecodeGenerator::emitGetTemplateObject):
2009         (JSC::BytecodeGenerator::emitGetGlobalPrivate):
2010         * bytecompiler/BytecodeGenerator.h:
2011         * bytecompiler/NodesCodegen.cpp:
2012         (JSC::ImportNode::emitBytecode):
2013         * jsc.cpp:
2014         (absolutePath):
2015         (GlobalObject::moduleLoaderImportModule):
2016         (functionRun):
2017         (functionLoad):
2018         (functionCheckSyntax):
2019         (runWithScripts):
2020         * parser/ASTBuilder.h:
2021         (JSC::ASTBuilder::createImportExpr):
2022         * parser/NodeConstructors.h:
2023         (JSC::ImportNode::ImportNode):
2024         * parser/Nodes.h:
2025         (JSC::ExpressionNode::isImportNode):
2026         * parser/Parser.cpp:
2027         (JSC::Parser<LexerType>::parseMemberExpression):
2028         * parser/SyntaxChecker.h:
2029         (JSC::SyntaxChecker::createImportExpr):
2030         * runtime/JSGlobalObject.cpp:
2031         (JSC::JSGlobalObject::init):
2032         * runtime/JSGlobalObject.h:
2033         * runtime/JSGlobalObjectFunctions.cpp:
2034         (JSC::globalFuncImportModule):
2035         * runtime/JSGlobalObjectFunctions.h:
2036         * runtime/JSModuleLoader.cpp:
2037         (JSC::JSModuleLoader::importModule):
2038         (JSC::JSModuleLoader::getModuleNamespaceObject):
2039         * runtime/JSModuleLoader.h:
2040         * runtime/ModuleLoaderPrototype.cpp:
2041         (JSC::moduleLoaderPrototypeGetModuleNamespaceObject):
2042
2043 2017-01-08  Filip Pizlo  <fpizlo@apple.com>
2044
2045         Make the collector's fixpoint smart about scheduling work
2046         https://bugs.webkit.org/show_bug.cgi?id=165910
2047
2048         Reviewed by Keith Miller.
2049         
2050         Prior to this change, every time the GC would run any constraints in markToFixpoint, it
2051         would run all of the constraints. It would always run them in the same order. That means
2052         that so long as any one constraint was generating new work, we'd pay the price of all
2053         constraints. This is usually OK because most constraints are cheap but it artificially
2054         inflates the cost of slow constraints - especially ones that are expensive but usually
2055         generate no new work.
2056         
2057         This patch redoes how the GC runs constraints by applying ideas from data flow analysis.
2058         The GC now builds a MarkingConstraintSet when it boots up, and this contains all of the
2059         constraints as well as some meta-data about them. Now, markToFixpoint just calls into
2060         MarkingConstraintSet to execute constraints. Because constraint execution and scheduling
2061         need to be aware of each other, I rewrote markToFixpoint in such a way that it's more
2062         obvious how the GC goes between constraint solving, marking with stopped mutator, and
2063         marking with resumed mutator. This also changes the scheduler API in such a way that a
2064         synchronous stop-the-world collection no longer needs to do fake stop/resume - instead we
2065         just swap the space-time scheduler for the stop-the-world scheduler.
2066         
2067         This is a big streamlining of the GC. This is a speed-up in GC-heavy tests because we
2068         now execute most constraints exactly twice regardless of how many total fixpoint
2069         iterations we do. Now, when we run out of marking work, the constraint solver will just
2070         run the constraint that is most likely to generate new visiting work, and if it does
2071         generate work, then the GC now goes back to marking. Before, it would run *all*
2072         constraints and then go back to marking. The constraint solver is armed with three
2073         information signals that it uses to sort the constraints in order of descending likelihood
2074         to generate new marking work. Then it runs them in that order until there is new
2075         marking work. The signals are:
2076         
2077         1) Whether the constraint is greyed by marking or execution. We call this the volatility
2078            of the constraint. For example, weak reference constraints have GreyedByMarking as
2079            their volatility because they are most likely to have something to say after we've done
2080            some marking. On the other hand, conservative roots have GreyedByExecution as their
2081            volatility because they will give new information anytime we let the mutator run. The
2082            constraint solver will only run GreyedByExecution constraints as roots and after the
2083            GreyedByMarking constraints go silent. This ensures that we don't try to scan
2084            conservative roots every time we need to re-run weak references and vice-versa.
2085            
2086            Another way to look at it is that the constraint solver tries to predict if the
2087            wavefront is advancing or retreating. The wavefront is almost certainly advancing so
2088            long as the mark stacks are non-empty or so long as at least one of the GreyedByMarking
2089            constraints is still producing work. Otherwise the wavefront is almost certainly
2090            retreating. It's most profitable to run GreyedByMarking constraints when the wavefront
2091            is advancing, and most profitable to run GreyedByExecution constraints when the
2092            wavefront is retreating.
2093            
2094            We use the predicted wavefront direction and the volatility of constraints as a
2095            first-order signal of constraint profitability.
2096         
2097         2) How much visiting work was created the last time the constraint ran. The solver
2098            remembers the lastVisitCount, and uses it to predict how much work the constraint will
2099            generate next time. In practice this means we will keep re-running the one interesting
2100            constraint until it shuts up.
2101         
2102         3) Optional work predictors for some constraints. The constraint that shuffles the mutator
2103            mark stack into the main SlotVisitor's mutator mark stack always knows exactly how much
2104            work it will create.
2105            
2106            The sum of (2) and (3) is used as a second-order signal of constraint profitability.
2107         
2108         The constraint solver will always run all of the GreyedByExecution constraints at GC
2109         start, since these double as the GC's roots. The constraint solver will always run all of
2110         the GreyedByMarking constraints the first time that marking stalls. Other than that, the
2111         solver will keep running constraints, sorted according to their likelihood to create work,
2112         until either work is created or we run out of constraints to run. GC termination happens
2113         when we run out of constraints to run.
2114         
2115         This new infrastructure means that we have a much better chance of dealing with worst-case
2116         DOM pathologies. If we can intelligently factor different evil DOM things into different
2117         constraints with the right work predictions then this could reduce the cost of those DOM
2118         things by a factor of N where N is the number of fixpoint iterations the GC typically
2119         does. N is usually around 5-6 even for simple heaps.
2120         
2121         My perf measurements say:
2122         
2123         PLT3: 0.02% faster with 5.3% confidence.
2124         JetStream: 0.15% faster with 17% confidence.
2125         Speedometer: 0.58% faster with 82% confidence.
2126         
2127         Here are the details from JetStream:
2128         
2129         splay: 1.02173x faster with 0.996841 confidence
2130         splay-latency: 1.0617x faster with 0.987462 confidence
2131         towers.c: 1.01852x faster with 0.92128 confidence
2132         crypto-md5: 1.06058x faster with 0.482363 confidence
2133         score: 1.00152x faster with 0.16892 confidence
2134         
2135         I think that Speedometer is legitimately benefiting from this change based on looking at
2136         --logGC=true output. We are now spending less time reexecuting expensive constraints. I
2137         think that JetStream/splay is also benefiting, because although the constraints it sees
2138         are cheap, it spends 30% of its time in GC so even small improvements matter.
2139
2140         * CMakeLists.txt:
2141         * JavaScriptCore.xcodeproj/project.pbxproj:
2142         * dfg/DFGPlan.cpp:
2143         (JSC::DFG::Plan::markCodeBlocks): Deleted.
2144         (JSC::DFG::Plan::rememberCodeBlocks): Deleted.
2145         * dfg/DFGPlan.h:
2146         * dfg/DFGPlanInlines.h: Added.
2147         (JSC::DFG::Plan::iterateCodeBlocksForGC):
2148         * dfg/DFGWorklist.cpp:
2149         (JSC::DFG::Worklist::markCodeBlocks): Deleted.
2150         (JSC::DFG::Worklist::rememberCodeBlocks): Deleted.
2151         (JSC::DFG::rememberCodeBlocks): Deleted.
2152         * dfg/DFGWorklist.h:
2153         * dfg/DFGWorklistInlines.h: Added.
2154         (JSC::DFG::iterateCodeBlocksForGC):
2155         (JSC::DFG::Worklist::iterateCodeBlocksForGC):
2156         * heap/CodeBlockSet.cpp:
2157         (JSC::CodeBlockSet::writeBarrierCurrentlyExecuting): Deleted.
2158         * heap/CodeBlockSet.h:
2159         (JSC::CodeBlockSet::iterate): Deleted.
2160         * heap/CodeBlockSetInlines.h:
2161         (JSC::CodeBlockSet::iterate):
2162         (JSC::CodeBlockSet::iterateCurrentlyExecuting):
2163         * heap/Heap.cpp:
2164         (JSC::Heap::Heap):
2165         (JSC::Heap::iterateExecutingAndCompilingCodeBlocks):
2166         (JSC::Heap::iterateExecutingAndCompilingCodeBlocksWithoutHoldingLocks):
2167         (JSC::Heap::assertSharedMarkStacksEmpty):
2168         (JSC::Heap::markToFixpoint):
2169         (JSC::Heap::endMarking):
2170         (JSC::Heap::collectInThread):
2171         (JSC::Heap::stopIfNecessarySlow):
2172         (JSC::Heap::acquireAccessSlow):
2173         (JSC::Heap::collectIfNecessaryOrDefer):
2174         (JSC::Heap::buildConstraintSet):
2175         (JSC::Heap::notifyIsSafeToCollect):
2176         (JSC::Heap::ResumeTheWorldScope::ResumeTheWorldScope): Deleted.
2177         (JSC::Heap::ResumeTheWorldScope::~ResumeTheWorldScope): Deleted.
2178         (JSC::Heap::harvestWeakReferences): Deleted.
2179         (JSC::Heap::visitConservativeRoots): Deleted.
2180         (JSC::Heap::visitCompilerWorklistWeakReferences): Deleted.
2181         * heap/Heap.h:
2182         * heap/MarkingConstraint.cpp: Added.
2183         (JSC::MarkingConstraint::MarkingConstraint):
2184         (JSC::MarkingConstraint::~MarkingConstraint):
2185         (JSC::MarkingConstraint::resetStats):
2186         (JSC::MarkingConstraint::execute):
2187         * heap/MarkingConstraint.h: Added.
2188         (JSC::MarkingConstraint::index):
2189         (JSC::MarkingConstraint::abbreviatedName):
2190         (JSC::MarkingConstraint::name):
2191         (JSC::MarkingConstraint::lastVisitCount):
2192         (JSC::MarkingConstraint::quickWorkEstimate):
2193         (JSC::MarkingConstraint::workEstimate):
2194         (JSC::MarkingConstraint::volatility):
2195         * heap/MarkingConstraintSet.cpp: Added.
2196         (JSC::MarkingConstraintSet::ExecutionContext::ExecutionContext):
2197         (JSC::MarkingConstraintSet::ExecutionContext::didVisitSomething):
2198         (JSC::MarkingConstraintSet::ExecutionContext::shouldTimeOut):
2199         (JSC::MarkingConstraintSet::ExecutionContext::drain):
2200         (JSC::MarkingConstraintSet::ExecutionContext::didExecute):
2201         (JSC::MarkingConstraintSet::ExecutionContext::execute):
2202         (JSC::MarkingConstraintSet::MarkingConstraintSet):
2203         (JSC::MarkingConstraintSet::~MarkingConstraintSet):
2204         (JSC::MarkingConstraintSet::resetStats):
2205         (JSC::MarkingConstraintSet::add):
2206         (JSC::MarkingConstraintSet::executeBootstrap):
2207         (JSC::MarkingConstraintSet::executeConvergence):
2208         (JSC::MarkingConstraintSet::isWavefrontAdvancing):
2209         (JSC::MarkingConstraintSet::executeConvergenceImpl):
2210         (JSC::MarkingConstraintSet::executeAll):
2211         * heap/MarkingConstraintSet.h: Added.
2212         (JSC::MarkingConstraintSet::isWavefrontRetreating):
2213         * heap/MutatorScheduler.cpp: Added.
2214         (JSC::MutatorScheduler::MutatorScheduler):
2215         (JSC::MutatorScheduler::~MutatorScheduler):
2216         (JSC::MutatorScheduler::didStop):
2217         (JSC::MutatorScheduler::willResume):
2218         (JSC::MutatorScheduler::didExecuteConstraints):
2219         (JSC::MutatorScheduler::log):
2220         (JSC::MutatorScheduler::shouldStop):
2221         (JSC::MutatorScheduler::shouldResume):
2222         * heap/MutatorScheduler.h: Added.
2223         * heap/OpaqueRootSet.h:
2224         (JSC::OpaqueRootSet::add):
2225         * heap/SlotVisitor.cpp:
2226         (JSC::SlotVisitor::visitAsConstraint):
2227         (JSC::SlotVisitor::drain):
2228         (JSC::SlotVisitor::didReachTermination):
2229         (JSC::SlotVisitor::hasWork):
2230         (JSC::SlotVisitor::drainFromShared):
2231         (JSC::SlotVisitor::drainInParallelPassively):
2232         (JSC::SlotVisitor::addOpaqueRoot):
2233         * heap/SlotVisitor.h:
2234         (JSC::SlotVisitor::addToVisitCount):
2235         * heap/SpaceTimeMutatorScheduler.cpp: Copied from Source/JavaScriptCore/heap/SpaceTimeScheduler.cpp.
2236         (JSC::SpaceTimeMutatorScheduler::Snapshot::Snapshot):
2237         (JSC::SpaceTimeMutatorScheduler::Snapshot::now):
2238         (JSC::SpaceTimeMutatorScheduler::Snapshot::bytesAllocatedThisCycle):
2239         (JSC::SpaceTimeMutatorScheduler::SpaceTimeMutatorScheduler):
2240         (JSC::SpaceTimeMutatorScheduler::~SpaceTimeMutatorScheduler):
2241         (JSC::SpaceTimeMutatorScheduler::state):
2242         (JSC::SpaceTimeMutatorScheduler::beginCollection):
2243         (JSC::SpaceTimeMutatorScheduler::didStop):
2244         (JSC::SpaceTimeMutatorScheduler::willResume):
2245         (JSC::SpaceTimeMutatorScheduler::didExecuteConstraints):
2246         (JSC::SpaceTimeMutatorScheduler::timeToStop):
2247         (JSC::SpaceTimeMutatorScheduler::timeToResume):
2248         (JSC::SpaceTimeMutatorScheduler::log):
2249         (JSC::SpaceTimeMutatorScheduler::endCollection):
2250         (JSC::SpaceTimeMutatorScheduler::bytesAllocatedThisCycleImpl):
2251         (JSC::SpaceTimeMutatorScheduler::bytesSinceBeginningOfCycle):
2252         (JSC::SpaceTimeMutatorScheduler::maxHeadroom):
2253         (JSC::SpaceTimeMutatorScheduler::headroomFullness):
2254         (JSC::SpaceTimeMutatorScheduler::mutatorUtilization):
2255         (JSC::SpaceTimeMutatorScheduler::collectorUtilization):
2256         (JSC::SpaceTimeMutatorScheduler::elapsedInPeriod):
2257         (JSC::SpaceTimeMutatorScheduler::phase):
2258         (JSC::SpaceTimeMutatorScheduler::shouldBeResumed):
2259         (JSC::SpaceTimeScheduler::Decision::targetMutatorUtilization): Deleted.
2260         (JSC::SpaceTimeScheduler::Decision::targetCollectorUtilization): Deleted.
2261         (JSC::SpaceTimeScheduler::Decision::elapsedInPeriod): Deleted.
2262         (JSC::SpaceTimeScheduler::Decision::phase): Deleted.
2263         (JSC::SpaceTimeScheduler::Decision::shouldBeResumed): Deleted.
2264         (JSC::SpaceTimeScheduler::Decision::timeToResume): Deleted.
2265         (JSC::SpaceTimeScheduler::Decision::timeToStop): Deleted.
2266         (JSC::SpaceTimeScheduler::SpaceTimeScheduler): Deleted.
2267         (JSC::SpaceTimeScheduler::snapPhase): Deleted.
2268         (JSC::SpaceTimeScheduler::currentDecision): Deleted.
2269         * heap/SpaceTimeMutatorScheduler.h: Copied from Source/JavaScriptCore/heap/SpaceTimeScheduler.h.
2270         (JSC::SpaceTimeScheduler::Decision::operator bool): Deleted.
2271         * heap/SpaceTimeScheduler.cpp: Removed.
2272         * heap/SpaceTimeScheduler.h: Removed.
2273         * heap/SynchronousStopTheWorldMutatorScheduler.cpp: Added.
2274         (JSC::SynchronousStopTheWorldMutatorScheduler::SynchronousStopTheWorldMutatorScheduler):
2275         (JSC::SynchronousStopTheWorldMutatorScheduler::~SynchronousStopTheWorldMutatorScheduler):
2276         (JSC::SynchronousStopTheWorldMutatorScheduler::state):
2277         (JSC::SynchronousStopTheWorldMutatorScheduler::beginCollection):
2278         (JSC::SynchronousStopTheWorldMutatorScheduler::timeToStop):
2279         (JSC::SynchronousStopTheWorldMutatorScheduler::timeToResume):
2280         (JSC::SynchronousStopTheWorldMutatorScheduler::endCollection):
2281         * heap/SynchronousStopTheWorldMutatorScheduler.h: Added.
2282         * heap/VisitingTimeout.h: Added.
2283         (JSC::VisitingTimeout::VisitingTimeout):
2284         (JSC::VisitingTimeout::visitCount):
2285         (JSC::VisitingTimeout::didVisitSomething):
2286         (JSC::VisitingTimeout::shouldTimeOut):
2287         * runtime/Options.h:
2288
2289 2017-01-09  Commit Queue  <commit-queue@webkit.org>
2290
2291         Unreviewed, rolling out r210476.
2292         https://bugs.webkit.org/show_bug.cgi?id=166859
2293
2294         "4% JSBench regression" (Requested by keith_mi_ on #webkit).
2295
2296         Reverted changeset:
2297
2298         "Add a slice intrinsic to the DFG/FTL"
2299         https://bugs.webkit.org/show_bug.cgi?id=166707
2300         http://trac.webkit.org/changeset/210476
2301
2302 2017-01-08  Andreas Kling  <akling@apple.com>
2303
2304         Inject MarkedSpace size classes for a few more high-volume objects.
2305         <https://webkit.org/b/166815>
2306
2307         Reviewed by Darin Adler.
2308
2309         Add the following classes to the list of manually injected size classes:
2310
2311             - JSString
2312             - JSFunction
2313             - PropertyTable
2314             - Structure
2315
2316         Only Structure actually ends up with a new size class; the others already
2317         can't get any tighter due to the current MarkedBlock::atomSize being 16.
2318         I've put them in anyway to ensure that we have optimally carved-out cells
2319         for them in the future, should they grow.
2320
2321         With this change, Structures get allocated in 128-byte cells instead of
2322         160-byte cells, giving us 25% more Structures per MarkedBlock.
2323
2324         * heap/MarkedSpace.cpp:
2325
2326 2017-01-06  Saam Barati  <sbarati@apple.com>
2327
2328         Add a slice intrinsic to the DFG/FTL
2329         https://bugs.webkit.org/show_bug.cgi?id=166707
2330
2331         Reviewed by Filip Pizlo.
2332
2333         The gist of this patch is to inline Array.prototype.slice
2334         into the DFG/FTL. The implementation in the DFG-backend
2335         and FTLLowerDFGToB3 is just a straightforward implementation
2336         of what the C function is doing. The more interesting bits
2337         of this patch are setting up the proper watchpoints and conditions
2338         in the executing code to prove that it's safe to skip all of the
2339         observable JS actions that Array.prototype.slice normally does.
2340         
2341         We perform the following proofs:
2342         1. Array.prototype.constructor has not changed (via a watchpoint).
2343         2. That Array.prototype.constructor[Symbol.species] has not changed (via a watchpoint).
2344         3. The global object is not having a bad time.
2345         4. The array that is being sliced has an original array structure.
2346         5. Array.prototype/Object.prototype have not transitioned.
2347         
2348         Conditions 1, 2, and 3 are strictly required.
2349         
2350         4 is ensuring a couple of things:
2351         1. That a "constructor" property hasn't been added to the array
2352         we're slicing since we're supposed to perform a Get(array, "constructor").
2353         2. That we're not slicing an instance of a subclass of Array.
2354         
2355         We could relax 4.1 in the future if we find other ways to test if
2356         the incoming array hasn't changed the "constructor" property.
2357         
2358         I'm seeing a 5% speedup on crypto-pbkdf2 and often a 1% speedup on
2359         the total benchmark (the results are sometimes noisy).
2360
2361         * bytecode/ExitKind.cpp:
2362         (JSC::exitKindToString):
2363         * bytecode/ExitKind.h:
2364         * dfg/DFGAbstractInterpreterInlines.h:
2365         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2366         * dfg/DFGByteCodeParser.cpp:
2367         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2368         * dfg/DFGClobberize.h:
2369         (JSC::DFG::clobberize):
2370         * dfg/DFGDoesGC.cpp:
2371         (JSC::DFG::doesGC):
2372         * dfg/DFGFixupPhase.cpp:
2373         (JSC::DFG::FixupPhase::fixupNode):
2374         * dfg/DFGNode.h:
2375         (JSC::DFG::Node::hasHeapPrediction):
2376         (JSC::DFG::Node::hasArrayMode):
2377         * dfg/DFGNodeType.h:
2378         * dfg/DFGPredictionPropagationPhase.cpp:
2379         * dfg/DFGSafeToExecute.h:
2380         (JSC::DFG::safeToExecute):
2381         * dfg/DFGSpeculativeJIT.cpp:
2382         (JSC::DFG::SpeculativeJIT::compileArraySlice):
2383         * dfg/DFGSpeculativeJIT.h:
2384         * dfg/DFGSpeculativeJIT32_64.cpp:
2385         (JSC::DFG::SpeculativeJIT::compile):
2386         * dfg/DFGSpeculativeJIT64.cpp:
2387         (JSC::DFG::SpeculativeJIT::compile):
2388         * ftl/FTLCapabilities.cpp:
2389         (JSC::FTL::canCompile):
2390         * ftl/FTLLowerDFGToB3.cpp:
2391         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2392         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
2393         * jit/AssemblyHelpers.cpp:
2394         (JSC::AssemblyHelpers::emitLoadStructure):
2395         * runtime/ArrayPrototype.cpp:
2396         (JSC::ArrayPrototype::finishCreation):
2397         (JSC::speciesWatchpointIsValid):
2398         (JSC::speciesConstructArray):
2399         (JSC::arrayProtoFuncSlice):
2400         (JSC::arrayProtoPrivateFuncConcatMemcpy):
2401         (JSC::ArrayPrototype::initializeSpeciesWatchpoint):
2402         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
2403         (JSC::speciesWatchpointsValid): Deleted.
2404         (JSC::ArrayPrototype::attemptToInitializeSpeciesWatchpoint): Deleted.
2405         * runtime/ArrayPrototype.h:
2406         (JSC::ArrayPrototype::speciesWatchpointStatus): Deleted.
2407         (): Deleted.
2408         * runtime/Intrinsic.h:
2409         * runtime/JSGlobalObject.cpp:
2410         (JSC::JSGlobalObject::JSGlobalObject):
2411         (JSC::JSGlobalObject::init):
2412         * runtime/JSGlobalObject.h:
2413         (JSC::JSGlobalObject::arraySpeciesWatchpoint):
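
Observable behaviour of Array.prototype.slice that the intrinsic above must preserve, as an added JavaScript example (not code from the patch; the function and class names are hypothetical test helpers, not JSC identifiers). Each function exercises one of the conditions listed in the entry and returns true when the engine follows the generic slice algorithm.

```javascript
// Added example, not code from the JSC patch: exercises the observable
// Array.prototype.slice behaviour that the DFG/FTL intrinsic must preserve and
// that the watchpoints and structure checks in the ChangeLog entry guard.
// Class and function names here are hypothetical test helpers.

// Condition 4.2: an Array subclass. Array.prototype.slice calls
// ArraySpeciesCreate, so the result is built by the subclass constructor,
// not by the intrinsic Array constructor.
class TaggedArray extends Array {}

function sliceOfSubclassReturnsSubclass() {
  const tagged = TaggedArray.from([1, 2, 3]);
  const part = tagged.slice(1);
  return part instanceof TaggedArray && part.length === 2 && part[0] === 2;
}

// Conditions 1 and 2: the Symbol.species lookup on the constructor is what
// picks the result type. A subclass whose species is the plain Array makes
// slice hand back a plain Array even though the receiver is a subclass.
class PlainSpeciesArray extends Array {
  static get [Symbol.species]() {
    return Array;
  }
}

function speciesOverrideChangesResultType() {
  const arr = PlainSpeciesArray.from([1, 2, 3]);
  const part = arr.slice(0, 2);
  return !(part instanceof PlainSpeciesArray) && Array.isArray(part) && part.length === 2;
}

// Condition 4.1: slice performs Get(array, "constructor") on the receiver, so
// an own "constructor" property (carrying a Symbol.species) on an otherwise
// ordinary array redirects construction of the result. A fast path may only
// skip this Get while the array still has an original array structure.
function ownConstructorPropertyIsObserved() {
  const arr = [1, 2, 3];
  let speciesCalls = 0;
  arr.constructor = {
    [Symbol.species]: function (length) {
      speciesCalls += 1;
      return new Array(length);
    },
  };
  const part = arr.slice(0, 2);
  return speciesCalls === 1 && Array.isArray(part) && part[0] === 1 && part[1] === 2;
}

// Baseline: an untouched array with an original structure is the case the
// intrinsic handles, and it must match the generic algorithm exactly.
function plainSliceMatchesGenericAlgorithm() {
  const arr = [10, 20, 30, 40];
  const part = arr.slice(1, 3);
  return part !== arr && part.length === 2 && part[0] === 20 && part[1] === 30;
}
```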
2414
2415 2017-01-06  Mark Lam  <mark.lam@apple.com>
2416
2417         The ObjC API's JSVirtualMachine's map tables need to be guarded by a lock.
2418         https://bugs.webkit.org/show_bug.cgi?id=166778
2419         <rdar://problem/29761198>
2420
2421         Reviewed by Filip Pizlo.
2422
2423         Now that we have a concurrent GC, access to JSVirtualMachine's
2424         m_externalObjectGraph and m_externalRememberedSet needs to be guarded by a lock
2425         since both the GC marker thread and the mutator thread may access them at the
2426         same time.
2427
2428         * API/JSVirtualMachine.mm:
2429         (-[JSVirtualMachine addExternalRememberedObject:]):
2430         (-[JSVirtualMachine addManagedReference:withOwner:]):
2431         (-[JSVirtualMachine removeManagedReference:withOwner:]):
2432         (-[JSVirtualMachine externalDataMutex]):
2433         (scanExternalObjectGraph):
2434         (scanExternalRememberedSet):
2435
2436         * API/JSVirtualMachineInternal.h:
2437         - Deleted externalObjectGraph method.  There's no need to expose this.
2438
2439 2017-01-06  Michael Saboff  <msaboff@apple.com>
2440
2441         @putByValDirect in Array.of and Array.from overwrites non-writable/configurable properties
2442         https://bugs.webkit.org/show_bug.cgi?id=153486
2443
2444         Reviewed by Saam Barati.
2445
2446         Moved read only check in putDirect() to all paths.
2447
2448         * runtime/SparseArrayValueMap.cpp:
2449         (JSC::SparseArrayValueMap::putDirect):
2450
2451 2016-12-30  Filip Pizlo  <fpizlo@apple.com>
2452
2453         DeferGC::~DeferGC should be super cheap
2454         https://bugs.webkit.org/show_bug.cgi?id=166626
2455
2456         Reviewed by Saam Barati.
2457         
2458         Right now, ~DeferGC requires running the collector's full collectIfNecessaryOrDefer()
2459         hook, which is super big. Normally, that hook would only be called from GC slow paths,
2460         so it ought to be possible to add complex logic to it. It benefits the GC algorithm to
2461         make that code smart, not necessarily fast.
2462
2463         The right thing for it to do is to have ~DeferGC check a boolean to see if
2464         collectIfNecessaryOrDefer() had previously deferred anything, and only call it if that
2465         is true. That's what this patch does.
2466         
2467         Unfortunately, this means that we lose the collectAccordingToDeferGCProbability mode,
2468         which we used for two tests. Since I could only see two tests that used this mode, I
2469         felt that it was better to enhance the GC than to keep the tests. I filed bug 166627 to
2470         bring back something like that mode.
2471         
2472         Although this patch does make some paths faster, its real goal is to ensure that bug
2473         165963 can add more logic to collectIfNecessaryOrDefer() without introducing a big
2474         regression. Until then, I wouldn't be surprised if this patch was a progression, but I'm
2475         not betting on it.
2476
2477         * heap/Heap.cpp:
2478         (JSC::Heap::collectIfNecessaryOrDefer):
2479         (JSC::Heap::decrementDeferralDepthAndGCIfNeededSlow):
2480         (JSC::Heap::canCollect): Deleted.
2481         (JSC::Heap::shouldCollectHeuristic): Deleted.
2482         (JSC::Heap::shouldCollect): Deleted.
2483         (JSC::Heap::collectAccordingToDeferGCProbability): Deleted.
2484         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded): Deleted.
2485         * heap/Heap.h:
2486         * heap/HeapInlines.h:
2487         (JSC::Heap::incrementDeferralDepth):
2488         (JSC::Heap::decrementDeferralDepth):
2489         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
2490         (JSC::Heap::mayNeedToStop):
2491         (JSC::Heap::stopIfNecessary):
2492         * runtime/Options.h:
2493
2494 2017-01-05  Filip Pizlo  <fpizlo@apple.com>
2495
2496         AutomaticThread timeout shutdown leaves a small window where notify() would think that the thread is still running
2497         https://bugs.webkit.org/show_bug.cgi?id=166742
2498
2499         Reviewed by Geoffrey Garen.
2500         
2501         Update to new AutomaticThread API.
2502
2503         * dfg/DFGWorklist.cpp:
2504
2505 2017-01-05  Per Arne Vollan  <pvollan@apple.com>
2506
2507         [Win] Compile error.
2508         https://bugs.webkit.org/show_bug.cgi?id=166726
2509
2510         Reviewed by Alex Christensen.
2511
2512         Add include folder.
2513
2514         * CMakeLists.txt:
2515
2516 2016-12-21  Brian Burg  <bburg@apple.com>
2517
2518         Web Inspector: teach the protocol generator about platform-specific types, events, and commands
2519         https://bugs.webkit.org/show_bug.cgi?id=166003
2520         <rdar://problem/28718990>
2521
2522         Reviewed by Joseph Pecoraro.
2523
2524         This patch implements parser, model, and generator-side changes to account for
2525         platform-specific types, events, and commands. The 'platform' property is parsed
2526         for top-level definitions and assumed to be the 'generic' platform if none is specified.
2527
2528         Since the generator's platform setting acts to filter definitions with an incompatible platform,
2529         all generators must be modified to consult a list of filtered types/commands/events for
2530         a domain instead of directly accessing Domain.{type_declarations, commands, events}. To prevent
2531         accidental misuse, hide those fields behind accessors (e.g., `all_type_declarations()`) so that they
2532         are still accessible if truly necessary, but are not used by default and cause an error if not migrated.
2533
2534         * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
2535         (CppAlternateBackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
2536         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
2537         (CppBackendDispatcherHeaderGenerator.domains_to_generate):
2538         (CppBackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
2539         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
2540         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2541         (CppBackendDispatcherImplementationGenerator.domains_to_generate):
2542         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
2543         (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
2544         (CppBackendDispatcherImplementationGenerator._generate_large_dispatcher_switch_implementation_for_domain):
2545         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
2546         (CppFrontendDispatcherHeaderGenerator.domains_to_generate):
2547         (CppFrontendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
2548         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2549         (CppFrontendDispatcherImplementationGenerator.domains_to_generate):
2550         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
2551         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2552         (CppProtocolTypesHeaderGenerator._generate_forward_declarations):
2553         (_generate_typedefs_for_domain):
2554         (_generate_builders_for_domain):
2555         (_generate_forward_declarations_for_binding_traits):
2556         (_generate_declarations_for_enum_conversion_methods):
2557         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2558         (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain):
2559         (CppProtocolTypesImplementationGenerator._generate_open_field_names):
2560         (CppProtocolTypesImplementationGenerator._generate_builders_for_domain):
2561         * inspector/scripts/codegen/generate_js_backend_commands.py:
2562         (JSBackendCommandsGenerator.should_generate_domain):
2563         (JSBackendCommandsGenerator.domains_to_generate):
2564         (JSBackendCommandsGenerator.generate_domain):
2565         (JSBackendCommandsGenerator.domains_to_generate.should_generate_domain): Deleted.
2566         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
2567         (ObjCBackendDispatcherHeaderGenerator.domains_to_generate):
2568         (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations):
2569         (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declarations_for_domain):
2570         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
2571         (ObjCBackendDispatcherImplementationGenerator):
2572         (ObjCBackendDispatcherImplementationGenerator.domains_to_generate):
2573         (ObjCBackendDispatcherImplementationGenerator._generate_handler_implementation_for_domain):
2574         (ObjCConfigurationImplementationGenerator): Deleted.
2575         (ObjCConfigurationImplementationGenerator.__init__): Deleted.
2576         (ObjCConfigurationImplementationGenerator.output_filename): Deleted.
2577         (ObjCConfigurationImplementationGenerator.domains_to_generate): Deleted.
2578         (ObjCConfigurationImplementationGenerator.generate_output): Deleted.
2579         (ObjCConfigurationImplementationGenerator._generate_handler_implementation_for_domain): Deleted.
2580         (ObjCConfigurationImplementationGenerator._generate_handler_implementation_for_command): Deleted.
2581         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command): Deleted.
2582         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command.and): Deleted.
2583         (ObjCConfigurationImplementationGenerator._generate_conversions_for_command): Deleted.
2584         (ObjCConfigurationImplementationGenerator._generate_conversions_for_command.in_param_expression): Deleted.
2585         (ObjCConfigurationImplementationGenerator._generate_invocation_for_command): Deleted.
2586         * inspector/scripts/codegen/generate_objc_configuration_header.py:
2587         (ObjCConfigurationHeaderGenerator.generate_output):
2588         (ObjCConfigurationHeaderGenerator._generate_properties_for_domain):
2589         * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
2590         (ObjCConfigurationImplementationGenerator):
2591         (ObjCConfigurationImplementationGenerator.generate_output):
2592         (ObjCConfigurationImplementationGenerator._generate_configuration_implementation_for_domains):
2593         (ObjCConfigurationImplementationGenerator._generate_ivars):
2594         (ObjCConfigurationImplementationGenerator._generate_dealloc):
2595         (ObjCBackendDispatcherImplementationGenerator): Deleted.
2596         (ObjCBackendDispatcherImplementationGenerator.__init__): Deleted.
2597         (ObjCBackendDispatcherImplementationGenerator.output_filename): Deleted.
2598         (ObjCBackendDispatcherImplementationGenerator.generate_output): Deleted.
2599         (ObjCBackendDispatcherImplementationGenerator._generate_configuration_implementation_for_domains): Deleted.
2600         (ObjCBackendDispatcherImplementationGenerator._generate_ivars): Deleted.
2601         (ObjCBackendDispatcherImplementationGenerator._generate_dealloc): Deleted.
2602         (ObjCBackendDispatcherImplementationGenerator._generate_handler_setter_for_domain): Deleted.
2603         (ObjCBackendDispatcherImplementationGenerator._generate_event_dispatcher_getter_for_domain): Deleted.
2604         (ObjCBackendDispatcherImplementationGenerator._variable_name_prefix_for_domain): Deleted.
2605         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
2606         (ObjCFrontendDispatcherImplementationGenerator.domains_to_generate):
2607         (ObjCFrontendDispatcherImplementationGenerator._generate_event_dispatcher_implementations):
2608         * inspector/scripts/codegen/generate_objc_header.py:
2609         (ObjCHeaderGenerator.generate_output):
2610         (ObjCHeaderGenerator._generate_forward_declarations):
2611         (ObjCHeaderGenerator._generate_enums):
2612         (ObjCHeaderGenerator._generate_types):
2613         (ObjCHeaderGenerator._generate_command_protocols):
2614         (ObjCHeaderGenerator._generate_event_interfaces):
2615         * inspector/scripts/codegen/generate_objc_internal_header.py:
2616         (ObjCInternalHeaderGenerator.generate_output):
2617         (ObjCInternalHeaderGenerator._generate_event_dispatcher_private_interfaces):
2618         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
2619         (ObjCProtocolTypeConversionsHeaderGenerator.domains_to_generate):
2620         (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_conversion_functions):
2621         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_implementation.py:
2622         (ObjCProtocolTypeConversionsImplementationGenerator.domains_to_generate):
2623         (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_interface):
2624         (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_implementation):
2625         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
2626         (ObjCProtocolTypesImplementationGenerator.domains_to_generate):
2627         (ObjCProtocolTypesImplementationGenerator.generate_type_implementations):
2628
2629         * inspector/scripts/codegen/generator.py:
2630         (Generator.can_generate_platform):
2631         (Generator):
2632         (Generator.type_declarations_for_domain):
2633         (Generator.commands_for_domain):
2634         (Generator.events_for_domain):
2635         These are the core methods for computing whether a definition can be used given a target platform.
2636
2637         (Generator.calculate_types_requiring_shape_assertions):
2638         (Generator._traverse_and_assign_enum_values):
2639         * inspector/scripts/codegen/models.py:
2640         (Protocol.parse_type_declaration):
2641         (Protocol.parse_command):
2642         (Protocol.parse_event):
2643         (Protocol.resolve_types):
2644
2645         (Domain.__init__):
2646         (Domain):
2647         (Domain.all_type_declarations):
2648         (Domain.all_commands):
2649         (Domain.all_events):
2650         Hide fields behind these accessors so it's really obvious when we are ignoring platform filtering.
2651
2652         (Domain.resolve_type_references):
2653         (TypeDeclaration.__init__):
2654         (Command.__init__):
2655         (Event.__init__):
2656         * inspector/scripts/codegen/objc_generator.py:
2657         (ObjCGenerator.should_generate_types_for_domain):
2658         (ObjCGenerator):
2659         (ObjCGenerator.should_generate_commands_for_domain):
2660         (ObjCGenerator.should_generate_events_for_domain):
2661         (ObjCGenerator.should_generate_domain_types_filter): Deleted.
2662         (ObjCGenerator.should_generate_domain_types_filter.should_generate_domain_types): Deleted.
2663         (ObjCGenerator.should_generate_domain_command_handler_filter): Deleted.
2664         (ObjCGenerator.should_generate_domain_command_handler_filter.should_generate_domain_command_handler): Deleted.
2665         (ObjCGenerator.should_generate_domain_event_dispatcher_filter): Deleted.
2666         (ObjCGenerator.should_generate_domain_event_dispatcher_filter.should_generate_domain_event_dispatcher): Deleted.
2667         Clean up some messy code that essentially did the same definition filtering as we must do for platforms.
2668         This will be enhanced in a future patch so that platform filtering will take priority over the target framework.
2669
2670         The results above need rebaselining because the class names for two generators were swapped by accident.
2671         Fixing the names causes the order of generated files to change, and this generates ugly diffs because every
2672         generated file includes the same copyright block at the top.
2673
2674         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2675         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2676         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
2677         * inspector/scripts/tests/generic/expected/enum-values.json-result:
2678         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2679         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
2680         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
2681         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
2682         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
2683         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
2684         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
2685         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2686         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
2687
2688         * inspector/scripts/tests/generic/expected/fail-on-command-with-invalid-platform.json-error: Added.
2689         * inspector/scripts/tests/generic/expected/fail-on-type-with-invalid-platform.json-error: Added.
2690         * inspector/scripts/tests/generic/fail-on-command-with-invalid-platform.json: Added.
2691         * inspector/scripts/tests/generic/fail-on-type-with-invalid-platform.json: Added.
2692
2693         Add error test cases for invalid platforms in commands, types, and events.
2694
2695         * inspector/scripts/tests/generic/definitions-with-mac-platform.json: Added.
2696         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result: Added.
2697         * inspector/scripts/tests/all/definitions-with-mac-platform.json: Added.
2698         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result: Added.
2699         * inspector/scripts/tests/ios/definitions-with-mac-platform.json: Added.
2700         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result: Added.
2701         * inspector/scripts/tests/mac/definitions-with-mac-platform.json: Added.
2702         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result: Added.
2703
2704         Add a basic 4-way test that generates code for each platform from the same specification.
2705         With 'macos' platform for each definition, only 'all' and 'mac' generate anything interesting.
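
The platform filtering the entry above describes, as an added illustration that is not WebKit's generator code: a miniature Python model in which the parser reads the optional 'platform' property (defaulting to 'generic' and rejecting unknown names, the case the fail-on-*-invalid-platform tests cover), the Domain keeps its definitions behind all_type_declarations()/all_commands()/all_events() accessors, and a Generator consults type_declarations_for_domain() and its siblings, which apply can_generate_platform(). The platform name set, the matching rule (a 'generic' definition is emitted for every target, an 'all' target emits everything, otherwise the names must match), the ParseException class and the sample specification are assumptions constructed for this example.

```python
import json
from collections import namedtuple

# Assumed platform vocabulary: the entry names 'generic' (the default) and
# 'macos' for definitions, and test directories for 'all', 'ios' and 'mac'.
KNOWN_PLATFORMS = ('generic', 'macos', 'ios', 'all')

# A type declaration, command or event together with its platform tag.
Definition = namedtuple('Definition', 'name platform')

class ParseException(Exception):
    """Hypothetical error type for a malformed protocol definition."""

class Domain:
    """Definitions sit behind all_*() accessors, so code that bypasses
    platform filtering has to say so explicitly."""
    def __init__(self, name, type_declarations, commands, events):
        self.name = name
        self._type_declarations = type_declarations
        self._commands = commands
        self._events = events
    def all_type_declarations(self):
        return self._type_declarations
    def all_commands(self):
        return self._commands
    def all_events(self):
        return self._events

def parse_platform(item, kind, name):
    """Read the optional 'platform' property (default 'generic') and reject
    unknown names rather than silently treating them as generic."""
    platform = item.get('platform', 'generic')
    if platform not in KNOWN_PLATFORMS:
        raise ParseException("Invalid platform '%s' for %s '%s'" % (platform, kind, name))
    return platform

def parse_definitions(domain_json, key, kind, name_key):
    return [Definition(item[name_key], parse_platform(item, kind, item[name_key]))
            for item in domain_json.get(key, [])]

def parse_domain(domain_json):
    # Inspector protocol JSON names types by 'id', commands and events by 'name'.
    return Domain(domain_json['domain'],
                  parse_definitions(domain_json, 'types', 'type', 'id'),
                  parse_definitions(domain_json, 'commands', 'command', 'name'),
                  parse_definitions(domain_json, 'events', 'event', 'name'))

class Generator:
    """Filters a domain's definitions against the target platform."""
    def __init__(self, platform):
        self.platform = platform
    def can_generate_platform(self, definition_platform):
        # Assumed rule, consistent with the entry's 4-way test: 'generic'
        # definitions go to every target, an 'all' target takes everything,
        # and otherwise the platforms must match exactly.
        if definition_platform == 'generic' or self.platform == 'all':
            return True
        return definition_platform == self.platform
    def _filtered(self, definitions):
        return [d for d in definitions if self.can_generate_platform(d.platform)]
    def type_declarations_for_domain(self, domain):
        return self._filtered(domain.all_type_declarations())
    def commands_for_domain(self, domain):
        return self._filtered(domain.all_commands())
    def events_for_domain(self, domain):
        return self._filtered(domain.all_events())

# Constructed sample specification, not a WebKit protocol file.
CONSTRUCTED_SPEC = json.loads("""{
  "domain": "Example",
  "types": [{"id": "Thing", "type": "object"},
            {"id": "MacThing", "type": "object", "platform": "macos"}],
  "commands": [{"name": "doThing"}, {"name": "doMacThing", "platform": "macos"}],
  "events": [{"name": "thingHappened", "platform": "ios"}]
}""")

def generated_names(spec_json, target_platform):
    """Names of the definitions a generator for target_platform would emit."""
    domain = parse_domain(spec_json)
    generator = Generator(target_platform)
    return {'types': [d.name for d in generator.type_declarations_for_domain(domain)],
            'commands': [d.name for d in generator.commands_for_domain(domain)],
            'events': [d.name for d in generator.events_for_domain(domain)]}

def parse_error_for_invalid_platform():
    """Parser message for an unknown platform name (the case the entry's
    fail-on-*-invalid-platform tests cover); None if parsing wrongly succeeds."""
    bad_spec = {"domain": "Bad", "commands": [{"name": "doIt", "platform": "amiga"}]}
    try:
        parse_domain(bad_spec)
    except ParseException as error:
        return str(error)
    return None
```

Calling generated_names(CONSTRUCTED_SPEC, platform) for each of the four targets reproduces the entry's observation that a definition tagged 'macos' is only emitted by the 'all' and macOS targets. Rejecting an unknown platform name at parse time, instead of defaulting it to 'generic', is what keeps a typo in a platform tag from silently widening the set of platforms a command or event is generated for.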
2706
2707 2017-01-03  Brian Burg  <bburg@apple.com>
2708
2709         Web Inspector: teach the protocol generator about platform-specific types, events, and commands
2710         https://bugs.webkit.org/show_bug.cgi?id=166003
2711         <rdar://problem/28718990>
2712
2713         Reviewed by Joseph Pecoraro.
2714
2715         This patch implements parser, model, and generator-side changes to account for
2716         platform-specific types, events, and commands. The 'platform' property is parsed
2717         for top-level definitions and assumed to be the 'generic' platform if none is specified.
2718
2719         Since the generator's platform setting acts to filter definitions with an incompatible platform,
2720         all generators must be modified to consult a list of filtered types/commands/events for
2721         a domain instead of directly accessing Domain.{type_declarations, commands, events}. To prevent
2722         accidental misuse, hide those fields behind accessors (e.g., `all_type_declarations()`) so that they
2723         are still accessible if truly necessary, but not used by default and cause an error if not migrated.
2724
2725         * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
2726         (CppAlternateBackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
2727         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
2728         (CppBackendDispatcherHeaderGenerator.domains_to_generate):
2729         (CppBackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
2730         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
2731         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2732         (CppBackendDispatcherImplementationGenerator.domains_to_generate):
2733         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
2734         (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
2735         (CppBackendDispatcherImplementationGenerator._generate_large_dispatcher_switch_implementation_for_domain):
2736         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
2737         (CppFrontendDispatcherHeaderGenerator.domains_to_generate):
2738         (CppFrontendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
2739         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2740         (CppFrontendDispatcherImplementationGenerator.domains_to_generate):
2741         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
2742         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2743         (CppProtocolTypesHeaderGenerator._generate_forward_declarations):
2744         (_generate_typedefs_for_domain):
2745         (_generate_builders_for_domain):
2746         (_generate_forward_declarations_for_binding_traits):
2747         (_generate_declarations_for_enum_conversion_methods):
2748         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2749         (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain):
2750         (CppProtocolTypesImplementationGenerator._generate_open_field_names):
2751         (CppProtocolTypesImplementationGenerator._generate_builders_for_domain):
2752         * inspector/scripts/codegen/generate_js_backend_commands.py:
2753         (JSBackendCommandsGenerator.should_generate_domain):
2754         (JSBackendCommandsGenerator.domains_to_generate):
2755         (JSBackendCommandsGenerator.generate_domain):
2756         (JSBackendCommandsGenerator.domains_to_generate.should_generate_domain): Deleted.
2757         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
2758         (ObjCBackendDispatcherHeaderGenerator.domains_to_generate):
2759         (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations):
2760         (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declarations_for_domain):
2761         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
2762         (ObjCBackendDispatcherImplementationGenerator):
2763         (ObjCBackendDispatcherImplementationGenerator.domains_to_generate):
2764         (ObjCBackendDispatcherImplementationGenerator._generate_handler_implementation_for_domain):
2765         (ObjCConfigurationImplementationGenerator): Deleted.
2766         (ObjCConfigurationImplementationGenerator.__init__): Deleted.
2767         (ObjCConfigurationImplementationGenerator.output_filename): Deleted.
2768         (ObjCConfigurationImplementationGenerator.domains_to_generate): Deleted.
2769         (ObjCConfigurationImplementationGenerator.generate_output): Deleted.
2770         (ObjCConfigurationImplementationGenerator._generate_handler_implementation_for_domain): Deleted.
2771         (ObjCConfigurationImplementationGenerator._generate_handler_implementation_for_command): Deleted.
2772         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command): Deleted.
2773         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command.and): Deleted.
2774         (ObjCConfigurationImplementationGenerator._generate_conversions_for_command): Deleted.
2775         (ObjCConfigurationImplementationGenerator._generate_conversions_for_command.in_param_expression): Deleted.
2776         (ObjCConfigurationImplementationGenerator._generate_invocation_for_command): Deleted.
2777         * inspector/scripts/codegen/generate_objc_configuration_header.py:
2778         (ObjCConfigurationHeaderGenerator.generate_output):
2779         (ObjCConfigurationHeaderGenerator._generate_properties_for_domain):
2780         * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
2781         (ObjCConfigurationImplementationGenerator):
2782         (ObjCConfigurationImplementationGenerator.generate_output):
2783         (ObjCConfigurationImplementationGenerator._generate_configuration_implementation_for_domains):
2784         (ObjCConfigurationImplementationGenerator._generate_ivars):
2785         (ObjCConfigurationImplementationGenerator._generate_dealloc):
2786         (ObjCBackendDispatcherImplementationGenerator): Deleted.
2787         (ObjCBackendDispatcherImplementationGenerator.__init__): Deleted.
2788         (ObjCBackendDispatcherImplementationGenerator.output_filename): Deleted.
2789         (ObjCBackendDispatcherImplementationGenerator.generate_output): Deleted.
2790         (ObjCBackendDispatcherImplementationGenerator._generate_configuration_implementation_for_domains): Deleted.
2791         (ObjCBackendDispatcherImplementationGenerator._generate_ivars): Deleted.
2792         (ObjCBackendDispatcherImplementationGenerator._generate_dealloc): Deleted.
2793         (ObjCBackendDispatcherImplementationGenerator._generate_handler_setter_for_domain): Deleted.
2794         (ObjCBackendDispatcherImplementationGenerator._generate_event_dispatcher_getter_for_domain): Deleted.
2795         (ObjCBackendDispatcherImplementationGenerator._variable_name_prefix_for_domain): Deleted.
2796         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
2797         (ObjCFrontendDispatcherImplementationGenerator.domains_to_generate):
2798         (ObjCFrontendDispatcherImplementationGenerator._generate_event_dispatcher_implementations):
2799         * inspector/scripts/codegen/generate_objc_header.py:
2800         (ObjCHeaderGenerator.generate_output):
2801         (ObjCHeaderGenerator._generate_forward_declarations):
2802         (ObjCHeaderGenerator._generate_enums):
2803         (ObjCHeaderGenerator._generate_types):
2804         (ObjCHeaderGenerator._generate_command_protocols):
2805         (ObjCHeaderGenerator._generate_event_interfaces):
2806         * inspector/scripts/codegen/generate_objc_internal_header.py:
2807         (ObjCInternalHeaderGenerator.generate_output):
2808         (ObjCInternalHeaderGenerator._generate_event_dispatcher_private_interfaces):
2809         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
2810         (ObjCProtocolTypeConversionsHeaderGenerator.domains_to_generate):
2811         (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_conversion_functions):
2812         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_implementation.py:
2813         (ObjCProtocolTypeConversionsImplementationGenerator.domains_to_generate):
2814         (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_interface):
2815         (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_implementation):
2816         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
2817         (ObjCProtocolTypesImplementationGenerator.domains_to_generate):
2818         (ObjCProtocolTypesImplementationGenerator.generate_type_implementations):
2819
2820         * inspector/scripts/codegen/generator.py:
2821         (Generator.can_generate_platform):
2822         (Generator):
2823         (Generator.type_declarations_for_domain):
2824         (Generator.commands_for_domain):
2825         (Generator.events_for_domain):
2826         These are the core methods for computing whether a definition can be used given a target platform.
2827
2828         (Generator.calculate_types_requiring_shape_assertions):
2829         (Generator._traverse_and_assign_enum_values):
2830         * inspector/scripts/codegen/models.py:
2831         (Protocol.parse_type_declaration):
2832         (Protocol.parse_command):
2833         (Protocol.parse_event):
2834         (Protocol.resolve_types):
2835
2836         (Domain.__init__):
2837         (Domain):
2838         (Domain.all_type_declarations):
2839         (Domain.all_commands):
2840         (Domain.all_events):
2841         Hide fields behind these accessors so it's really obvious when we are ignoring platform filtering.
2842
2843         (Domain.resolve_type_references):
2844         (TypeDeclaration.__init__):
2845         (Command.__init__):
2846         (Event.__init__):
2847         * inspector/scripts/codegen/objc_generator.py:
2848         (ObjCGenerator.should_generate_types_for_domain):
2849         (ObjCGenerator):
2850         (ObjCGenerator.should_generate_commands_for_domain):
2851         (ObjCGenerator.should_generate_events_for_domain):
2852         (ObjCGenerator.should_generate_domain_types_filter): Deleted.
2853         (ObjCGenerator.should_generate_domain_types_filter.should_generate_domain_types): Deleted.
2854         (ObjCGenerator.should_generate_domain_command_handler_filter): Deleted.
2855         (ObjCGenerator.should_generate_domain_command_handler_filter.should_generate_domain_command_handler): Deleted.
2856         (ObjCGenerator.should_generate_domain_event_dispatcher_filter): Deleted.
2857         (ObjCGenerator.should_generate_domain_event_dispatcher_filter.should_generate_domain_event_dispatcher): Deleted.
2858         Clean up some messy code that essentially did the same definition filtering as we must do for platforms.
2859         This will be enhanced in a future patch so that platform filtering will take priority over the target framework.
2860
2861         The following results need rebaselining because the class names for two generators were swapped by accident.
2862         Fixing the names causes the order of generated files to change, and this generates ugly diffs because every
2863         generated file includes the same copyright block at the top.
2864
2865         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2866         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2867         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
2868         * inspector/scripts/tests/generic/expected/enum-values.json-result:
2869         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2870         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
2871         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
2872         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
2873         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
2874         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
2875         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
2876         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2877         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
2878
2879 2017-01-03  Brian Burg  <bburg@apple.com>
2880
2881         Web Inspector: teach the protocol generator about platform-specific types, events, and commands
2882         https://bugs.webkit.org/show_bug.cgi?id=166003
2883         <rdar://problem/28718990>
2884
2885         Reviewed by Joseph Pecoraro.
2886
2887         Make it possible to test inspector protocol generator output for different platforms.
2888
2889         Move existing tests to the generic/ subdirectory, as they are to be generated
2890         without any specific platform. Later, platform-specific generator behavior will be
2891         tested by cloning the same test to multiple platform directories.
2892
2893         * inspector/scripts/tests{/ => /generic/}commands-with-async-attribute.json
2894         * inspector/scripts/tests{/ => /generic/}commands-with-optional-call-return-parameters.json
2895         * inspector/scripts/tests{/ => /generic/}domains-with-varying-command-sizes.json
2896         * inspector/scripts/tests{/ => /generic/}enum-values.json
2897         * inspector/scripts/tests{/ => /generic/}events-with-optional-parameters.json
2898         * inspector/scripts/tests{/ => /generic/}expected/commands-with-async-attribute.json-result
2899         * inspector/scripts/tests{/ => /generic/}expected/commands-with-optional-call-return-parameters.json-result
2900         * inspector/scripts/tests{/ => /generic/}expected/domains-with-varying-command-sizes.json-result
2901         * inspector/scripts/tests{/ => /generic/}expected/enum-values.json-result
2902         * inspector/scripts/tests{/ => /generic/}expected/events-with-optional-parameters.json-result
2903         * inspector/scripts/tests{/ => /generic/}expected/fail-on-domain-availability.json-error
2904         * inspector/scripts/tests{/ => /generic/}expected/fail-on-duplicate-command-call-parameter-names.json-error
2905         * inspector/scripts/tests{/ => /generic/}expected/fail-on-duplicate-command-return-parameter-names.json-error
2906         * inspector/scripts/tests{/ => /generic/}expected/fail-on-duplicate-event-parameter-names.json-error
2907         * inspector/scripts/tests{/ => /generic/}expected/fail-on-duplicate-type-declarations.json-error
2908         * inspector/scripts/tests{/ => /generic/}expected/fail-on-duplicate-type-member-names.json-error
2909         * inspector/scripts/tests{/ => /generic/}expected/fail-on-enum-with-no-values.json-error
2910         * inspector/scripts/tests{/ => /generic/}expected/fail-on-number-typed-optional-parameter-flag.json-error
2911         * inspector/scripts/tests{/ => /generic/}expected/fail-on-number-typed-optional-type-member.json-error
2912         * inspector/scripts/tests{/ => /generic/}expected/fail-on-string-typed-optional-parameter-flag.json-error
2913         * inspector/scripts/tests{/ => /generic/}expected/fail-on-string-typed-optional-type-member.json-error
2914         * inspector/scripts/tests{/ => /generic/}expected/fail-on-type-declaration-using-type-reference.json-error
2915         * inspector/scripts/tests{/ => /generic/}expected/fail-on-type-reference-as-primitive-type.json-error
2916         * inspector/scripts/tests{/ => /generic/}expected/fail-on-type-with-lowercase-name.json-error
2917         * inspector/scripts/tests{/ => /generic/}expected/fail-on-unknown-type-reference-in-type-declaration.json-error
2918         * inspector/scripts/tests{/ => /generic/}expected/fail-on-unknown-type-reference-in-type-member.json-error
2919         * inspector/scripts/tests{/ => /generic/}expected/generate-domains-with-feature-guards.json-result
2920         * inspector/scripts/tests{/ => /generic/}expected/same-type-id-different-domain.json-result
2921         * inspector/scripts/tests{/ => /generic/}expected/shadowed-optional-type-setters.json-result
2922         * inspector/scripts/tests{/ => /generic/}expected/type-declaration-aliased-primitive-type.json-result
2923         * inspector/scripts/tests{/ => /generic/}expected/type-declaration-array-type.json-result
2924         * inspector/scripts/tests{/ => /generic/}expected/type-declaration-enum-type.json-result
2925         * inspector/scripts/tests{/ => /generic/}expected/type-declaration-object-type.json-result
2926         * inspector/scripts/tests{/ => /generic/}expected/type-requiring-runtime-casts.json-result
2927         * inspector/scripts/tests{/ => /generic/}fail-on-domain-availability.json
2928         * inspector/scripts/tests{/ => /generic/}fail-on-duplicate-command-call-parameter-names.json
2929         * inspector/scripts/tests{/ => /generic/}fail-on-duplicate-command-return-parameter-names.json
2930         * inspector/scripts/tests{/ => /generic/}fail-on-duplicate-event-parameter-names.json
2931         * inspector/scripts/tests{/ => /generic/}fail-on-duplicate-type-declarations.json
2932         * inspector/scripts/tests{/ => /generic/}fail-on-duplicate-type-member-names.json
2933         * inspector/scripts/tests{/ => /generic/}fail-on-enum-with-no-values.json
2934         * inspector/scripts/tests{/ => /generic/}fail-on-number-typed-optional-parameter-flag.json
2935         * inspector/scripts/tests{/ => /generic/}fail-on-number-typed-optional-type-member.json
2936         * inspector/scripts/tests{/ => /generic/}fail-on-string-typed-optional-parameter-flag.json
2937         * inspector/scripts/tests{/ => /generic/}fail-on-string-typed-optional-type-member.json
2938         * inspector/scripts/tests{/ => /generic/}fail-on-type-declaration-using-type-reference.json
2939         * inspector/scripts/tests{/ => /generic/}fail-on-type-reference-as-primitive-type.json
2940         * inspector/scripts/tests{/ => /generic/}fail-on-type-with-lowercase-name.json
2941         * inspector/scripts/tests{/ => /generic/}fail-on-unknown-type-reference-in-type-declaration.json
2942         * inspector/scripts/tests{/ => /generic/}fail-on-unknown-type-reference-in-type-member.json
2943         * inspector/scripts/tests{/ => /generic/}generate-domains-with-feature-guards.json
2944         * inspector/scripts/tests{/ => /generic/}same-type-id-different-domain.json
2945         * inspector/scripts/tests{/ => /generic/}shadowed-optional-type-setters.json
2946         * inspector/scripts/tests{/ => /generic/}type-declaration-aliased-primitive-type.json
2947         * inspector/scripts/tests{/ => /generic/}type-declaration-array-type.json
2948         * inspector/scripts/tests{/ => /generic/}type-declaration-enum-type.json
2949         * inspector/scripts/tests{/ => /generic/}type-declaration-object-type.json
2950         * inspector/scripts/tests{/ => /generic/}type-requiring-runtime-casts.json
2951
2952 2017-01-03  Brian Burg  <bburg@apple.com>
2953
2954         Web Inspector: teach the protocol generator about platform-specific types, events, and commands
2955         https://bugs.webkit.org/show_bug.cgi?id=166003
2956         <rdar://problem/28718990>
2957
2958         Reviewed by Joseph Pecoraro.
2959
2960         Add a --platform argument to generate-inspector-protocol-bindings.py and propagate
2961         the specified platform to each generator. This will be used in the next few patches
2962         to exclude types, events, and commands that are unsupported by the backend platform.
2963
2964         Convert all subclasses of Generator to pass along their positional arguments so that we
2965         can easily change base class arguments without editing all generator constructors.
2966
2967         * inspector/scripts/codegen/cpp_generator.py:
2968         (CppGenerator.__init__):
2969         * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
2970         (CppAlternateBackendDispatcherHeaderGenerator.__init__):
2971         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
2972         (CppBackendDispatcherHeaderGenerator.__init__):
2973         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2974         (CppBackendDispatcherImplementationGenerator.__init__):
2975         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
2976         (CppFrontendDispatcherHeaderGenerator.__init__):
2977         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2978         (CppFrontendDispatcherImplementationGenerator.__init__):
2979         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2980         (CppProtocolTypesHeaderGenerator.__init__):
2981         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2982         (CppProtocolTypesImplementationGenerator.__init__):
2983         * inspector/scripts/codegen/generate_js_backend_commands.py:
2984         (JSBackendCommandsGenerator.__init__):
2985         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
2986         (ObjCBackendDispatcherHeaderGenerator.__init__):
2987         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
2988         (ObjCConfigurationImplementationGenerator.__init__):
2989         * inspector/scripts/codegen/generate_objc_configuration_header.py:
2990         (ObjCConfigurationHeaderGenerator.__init__):
2991         * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
2992         (ObjCBackendDispatcherImplementationGenerator.__init__):
2993         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
2994         (ObjCFrontendDispatcherImplementationGenerator.__init__):
2995         * inspector/scripts/codegen/generate_objc_header.py:
2996         (ObjCHeaderGenerator.__init__):
2997         * inspector/scripts/codegen/generate_objc_internal_header.py:
2998         (ObjCInternalHeaderGenerator.__init__):
2999         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
3000         (ObjCProtocolTypeConversionsHeaderGenerator.__init__):
3001         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_implementation.py:
3002         (ObjCProtocolTypeConversionsImplementationGenerator.__init__):
3003         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
3004         (ObjCProtocolTypesImplementationGenerator.__init__):
3005         Pass along *args instead of single positional arguments.
3006
3007         * inspector/scripts/codegen/generator.py:
3008         (Generator.__init__):
3009         Save the target platform and add a getter.
3010
3011         * inspector/scripts/codegen/models.py:
3012         (Platform):
3013         (Platform.__init__):
3014         (Platform.fromString):
3015         (Platforms):
3016         Define the allowed Platform instances (iOS, macOS, and Any).
3017
3018         * inspector/scripts/codegen/objc_generator.py:
3019         (ObjCGenerator.and.__init__):
3020         * inspector/scripts/generate-inspector-protocol-bindings.py:
3021         (generate_from_specification):
3022         Pass along *args instead of single positional arguments.
3023
3024 2017-01-04  JF Bastien  <jfbastien@apple.com>
3025
3026         WebAssembly JS API: add Module.sections
3027         https://bugs.webkit.org/show_bug.cgi?id=165159
3028         <rdar://problem/29760326>
3029
3030         Reviewed by Mark Lam.
3031
3032         As described in: https://github.com/WebAssembly/design/blob/master/JS.md#webassemblymodulecustomsections
3033
3034         This was added for Emscripten, and is likely to be used soon.
3035
3036         * wasm/WasmFormat.h: custom sections are just name + bytes
3037         * wasm/WasmModuleParser.cpp: parse them, instead of skipping over
3038         * wasm/WasmModuleParser.h:
3039         * wasm/js/WebAssemblyModulePrototype.cpp: construct the Array of
3040         ArrayBuffer as described in the spec
3041         (JSC::webAssemblyModuleProtoCustomSections):
3042
3043 2017-01-04  Saam Barati  <sbarati@apple.com>
3044
3045         We don't properly handle exceptions inside the nativeCallTrampoline macro in the LLInt
3046         https://bugs.webkit.org/show_bug.cgi?id=163720
3047
3048         Reviewed by Mark Lam.
3049
3050         In the LLInt, we were incorrectly doing the exception check after the call.
3051         Before the exception check, we were unwinding to our caller's
3052         frame under the assumption that our caller was always a JS frame.
3053         This is incorrect, however, because our caller might be a C frame.
3054         One way that it can be a C frame is when C calls to JS, and JS tail
3055         calls to native. This patch fixes this bug by doing unwinding from
3056         the native callee's frame instead of its callers.
3057
3058         * llint/LowLevelInterpreter32_64.asm:
3059         * llint/LowLevelInterpreter64.asm:
3060
3061 2017-01-03  JF Bastien  <jfbastien@apple.com>
3062
3063         REGRESSION (r210244): Release JSC Stress test failure: wasm.yaml/wasm/js-api/wasm-to-wasm.js.default-wasm
3064         https://bugs.webkit.org/show_bug.cgi?id=166669
3065         <rdar://problem/29856455>
3066
3067         Reviewed by Saam Barati.
3068
3069         Bug #165282 added wasm -> wasm calls, but caused crashes in
3070         release builds because the pinned registers are also callee-saved
3071         and were being clobbered. B3 didn't see itself clobbering them
3072         when no memory was used, and therefore omitted a restore.
3073
3074         This was causing the C++ code in callWebAssemblyFunction to crash
3075         because $r12 was 0, and it expected it to have its value prior to
3076         the call.
3077
3078         * wasm/WasmB3IRGenerator.cpp:
3079         (JSC::Wasm::createJSToWasmWrapper):
3080
3081 2017-01-03  Joseph Pecoraro  <pecoraro@apple.com>
3082
3083         Web Inspector: Address failures under LayoutTests/inspector/debugger/stepping
3084         https://bugs.webkit.org/show_bug.cgi?id=166300
3085
3086         Reviewed by Brian Burg.
3087
3088         * debugger/Debugger.cpp:
3089         (JSC::Debugger::continueProgram):
3090         When continuing, clear states that would have had us pause again.
3091
3092         * inspector/agents/InspectorDebuggerAgent.cpp:
3093         (Inspector::InspectorDebuggerAgent::didBecomeIdle):
3094         When resuming after becoming idle, be sure to clear Debugger state.
3095
3096 2017-01-03  JF Bastien  <jfbastien@apple.com>
3097
3098         WebAssembly JS API: check and test in-call / out-call values
3099         https://bugs.webkit.org/show_bug.cgi?id=164876
3100         <rdar://problem/29844107>
3101
3102         Reviewed by Saam Barati.
3103
3104         * wasm/WasmBinding.cpp:
3105         (JSC::Wasm::wasmToJs): fix the wasm -> JS call coercions for f32 /
3106         f64 which the associated tests inadvertently tripped on: the
3107         previous code wasn't correctly performing JSValue boxing for
3108         "double" values. This change is slightly involved because it
3109         requires two scratch registers to materialize the
3110         `DoubleEncodeOffset` value. This change therefore reorganizes the
3111         code to first generate traps, then handle all integers (freeing
3112         all GPRs), and then all the floating-point values.
3113         * wasm/js/WebAssemblyFunction.cpp:
3114         (JSC::callWebAssemblyFunction): Implement the defined semantics
3115         for mismatched arities when JS calls wasm:
3116         https://github.com/WebAssembly/design/blob/master/JS.md#exported-function-exotic-objects
3117           - i32 is 0, f32 / f64 are NaN.
3118           - wasm functions which return "void" are "undefined" in JS.
3119
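An added example (my own code, not part of the WebKit ChangeLog or the WebKit project) that exercises two JS API behaviours described in these entries, WebAssembly.Module.customSections() from the 2017-01-04 "Module.sections" entry and the mismatched-arity coercions (i32 missing argument is 0, f32/f64 is NaN, void return is undefined) from the entry above. It assumes a runtime with the standard WebAssembly JS API (Node.js or a browser); the module bytes and the custom-section payload are constructed by hand inline.

```javascript
// Added example, not WebKit code: a hand-assembled WebAssembly module, built from
// constructed bytes, exporting f(i32)->i32, g(f64)->f64 and h()->void (each
// returns its argument; h returns nothing) plus a custom section named "meta".

function buildModuleBytes() {
  return new Uint8Array([
    0x00, 0x61, 0x73, 0x6d,             // magic "\0asm"
    0x01, 0x00, 0x00, 0x00,             // binary format version 1
    // Type section (id 1), 14 bytes: three function types
    0x01, 0x0e, 0x03,
      0x60, 0x01, 0x7f, 0x01, 0x7f,     //   (i32) -> i32
      0x60, 0x01, 0x7c, 0x01, 0x7c,     //   (f64) -> f64
      0x60, 0x00, 0x00,                 //   () -> ()
    // Function section (id 3), 4 bytes: funcs 0,1,2 use types 0,1,2
    0x03, 0x04, 0x03, 0x00, 0x01, 0x02,
    // Export section (id 7), 13 bytes: "f" -> func 0, "g" -> func 1, "h" -> func 2
    0x07, 0x0d, 0x03,
      0x01, 0x66, 0x00, 0x00,
      0x01, 0x67, 0x00, 0x01,
      0x01, 0x68, 0x00, 0x02,
    // Code section (id 10), 14 bytes: bodies are `local.get 0; end` or just `end`
    0x0a, 0x0e, 0x03,
      0x04, 0x00, 0x20, 0x00, 0x0b,
      0x04, 0x00, 0x20, 0x00, 0x0b,
      0x02, 0x00, 0x0b,
    // Custom section (id 0), 7 bytes: name "meta", constructed payload 0xaa 0xbb
    0x00, 0x07, 0x04, 0x6d, 0x65, 0x74, 0x61, 0xaa, 0xbb,
  ]);
}

// Payload bytes of every custom section carrying the given name (spec: an
// Array of ArrayBuffer, one per matching section, empty when there is none).
function customSectionPayloads(module, name) {
  return WebAssembly.Module.customSections(module, name)
    .map((buf) => Array.from(new Uint8Array(buf)));
}

// Compiles the module, then calls the exports with too few / too many
// arguments and reports what the JS caller observes.
function probeArities() {
  const module = new WebAssembly.Module(buildModuleBytes());
  const { f, g, h } = new WebAssembly.Instance(module).exports;
  return {
    meta: customSectionPayloads(module, "meta"),   // [[0xaa, 0xbb]]
    missing: customSectionPayloads(module, "nope"), // []
    i32Missing: f(),      // undefined -> ToInt32 -> 0
    i32Extra: f(7, 99),   // surplus arguments are dropped -> 7
    f64Missing: g(),      // undefined -> ToNumber -> NaN
    voidResult: h(),      // no wasm result -> undefined
  };
}
```
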
3120 2017-01-03  Per Arne Vollan  <pvollan@apple.com>
3121
3122         [Win] jsc.exe sometimes never exits.
3123         https://bugs.webkit.org/show_bug.cgi?id=158073
3124
3125         Reviewed by Darin Adler.
3126
3127         On Windows the thread specific destructor is also called when the main thread is exiting.
3128         This may lead to the main thread waiting forever for the machine thread lock when exiting,
3129         if the sampling profiler thread was terminated by the system while holding the machine
3130         thread lock.
3131
3132         * heap/MachineStackMarker.cpp:
3133         (JSC::MachineThreads::removeThread):
3134
3135 2017-01-02  Julien Brianceau  <jbriance@cisco.com>
3136
3137         Remove sh4 specific code from JavaScriptCore
3138         https://bugs.webkit.org/show_bug.cgi?id=166640
3139
3140         Reviewed by Filip Pizlo.
3141
3142         sh4-specific code has not compiled for a while (r189884 at least).
3143         As nobody seems to have interest in this architecture anymore, let's
3144         remove this dead code and thus ease the burden for JSC maintainers.
3145
3146         * CMakeLists.txt:
3147         * JavaScriptCore.xcodeproj/project.pbxproj:
3148         * assembler/AbstractMacroAssembler.h:
3149         (JSC::AbstractMacroAssembler::Jump::Jump):
3150         (JSC::AbstractMacroAssembler::Jump::link):
3151         * assembler/MacroAssembler.h:
3152         * assembler/MacroAssemblerSH4.h: Removed.
3153         * assembler/MaxFrameExtentForSlowPathCall.h:
3154         * assembler/SH4Assembler.h: Removed.
3155         * bytecode/DOMJITAccessCasePatchpointParams.cpp:
3156         (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
3157         * dfg/DFGSpeculativeJIT.h:
3158         (JSC::DFG::SpeculativeJIT::callOperation):
3159         * jit/AssemblyHelpers.h:
3160         (JSC::AssemblyHelpers::debugCall):
3161         * jit/CCallHelpers.h:
3162         (JSC::CCallHelpers::setupArgumentsWithExecState):
3163         (JSC::CCallHelpers::prepareForTailCallSlow):
3164         * jit/CallFrameShuffler.cpp:
3165         (JSC::CallFrameShuffler::prepareForTailCall):
3166         * jit/ExecutableAllocator.h:
3167         * jit/FPRInfo.h:
3168         * jit/GPRInfo.h:
3169         * jit/JITInlines.h:
3170         (JSC::JIT::callOperation):
3171         * jit/JITOpcodes32_64.cpp:
3172         (JSC::JIT::privateCompileCTINativeCall):
3173         * jit/JITOperations.cpp:
3174         * jit/RegisterSet.cpp:
3175         (JSC::RegisterSet::llintBaselineCalleeSaveRegisters):
3176         (JSC::RegisterSet::dfgCalleeSaveRegisters):
3177         * jit/ThunkGenerators.cpp:
3178         (JSC::nativeForGenerator):
3179         * llint/LLIntData.cpp:
3180         (JSC::LLInt::Data::performAssertions):
3181         * llint/LLIntOfflineAsmConfig.h:
3182         * llint/LowLevelInterpreter.asm:
3183         * llint/LowLevelInterpreter32_64.asm:
3184         * offlineasm/backends.rb:
3185         * offlineasm/instructions.rb:
3186         * offlineasm/sh4.rb: Removed.
3187         * yarr/YarrJIT.cpp:
3188         (JSC::Yarr::YarrGenerator::generateEnter):
3189         (JSC::Yarr::YarrGenerator::generateReturn):
3190
3191 2017-01-02  JF Bastien  <jfbastien@apple.com>
3192
3193         WebAssembly: handle and optimize wasm export → wasm import calls
3194         https://bugs.webkit.org/show_bug.cgi?id=165282
3195
3196         Reviewed by Saam Barati.
3197
3198           - Add a new JSType for WebAssemblyFunction, and use it when creating its
3199             structure. This is used to quickly detect from wasm whether the import
3200             call is to another wasm module, or whether it's to JS.
3201           - Generate two stubs from the import stub generator: one for wasm->JS and one
3202             for wasm -> wasm. This is done at Module time. Which is called will only be
3203             known at Instance time, once we've received the import object. We want to
3204             avoid codegen at Instance time, so having both around is great.
3205           - Restore the WebAssembly global state (VM top Instance, and pinned registers)
3206             after call / call_indirect, and in the JS->wasm entry stub.
3207           - Pinned registers are now a global thing, not per-Memory, because the wasm ->
3208             wasm stubs are generated at Module time where we don't really have enough
3209             information to do the right thing (doing so would generate too much code).
3210
3211         * CMakeLists.txt:
3212         * JavaScriptCore.xcodeproj/project.pbxproj:
3213         * runtime/JSType.h: add WebAssemblyFunctionType as a JSType
3214         * wasm/WasmB3IRGenerator.cpp: significantly rework how calls which
3215         could be external work, and how we save / restore global state:
3216         VM's top Instance, and pinned registers
3217         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3218         (JSC::Wasm::getMemoryBaseAndSize):
3219         (JSC::Wasm::restoreWebAssemblyGlobalState):
3220         (JSC::Wasm::createJSToWasmWrapper):
3221         (JSC::Wasm::parseAndCompile):
3222         * wasm/WasmB3IRGenerator.h:
3223         * wasm/WasmBinding.cpp:
3224         (JSC::Wasm::materializeImportJSCell):
3225         (JSC::Wasm::wasmToJS):
3226         (JSC::Wasm::wasmToWasm): the main goal of this patch was adding this function
3227         (JSC::Wasm::exitStubGenerator):
3228         * wasm/WasmBinding.h:
3229         * wasm/WasmFormat.h: Get rid of much of the function index space:
3230         we already have all of its information elsewhere, and as-is it
3231         provides no extra efficiency.
3232         (JSC::Wasm::ModuleInformation::functionIndexSpaceSize):
3233         (JSC::Wasm::ModuleInformation::isImportedFunctionFromFunctionIndexSpace):
3234         (JSC::Wasm::ModuleInformation::signatureIndexFromFunctionIndexSpace):
3235         * wasm/WasmFunctionParser.h:
3236         (JSC::Wasm::FunctionParser<Context>::FunctionParser):
3237         * wasm/WasmMemory.cpp: Add some logging.
3238         (JSC::Wasm::Memory::dump): this was nice when debugging
3239         (JSC::Wasm::Memory::makeString):
3240         (JSC::Wasm::Memory::Memory):
3241         (JSC::Wasm::Memory::~Memory):
3242         (JSC::Wasm::Memory::grow):
3243         * wasm/WasmMemory.h: don't use extra indirection, it wasn't
3244         needed. Reorder some of the fields which are looked up at runtime
3245         so they're more cache-friendly.
3246         (JSC::Wasm::Memory::Memory):
3247         (JSC::Wasm::Memory::mode):
3248         (JSC::Wasm::Memory::offsetOfSize):
3249         * wasm/WasmMemoryInformation.cpp: Pinned registers are now a
3250         global thing for all of JSC, not a per-Memory thing
3251         anymore. wasm->wasm calls are more complex otherwise: they have to
3252         figure out how to bridge between the caller and callee's