d4147e00b34634a577b43ac574ad5259d4721168
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-12-05  Keith Miller  <keith_miller@apple.com>

        Add Wasm i64 to i32 conversion.
        https://bugs.webkit.org/show_bug.cgi?id=165378

        Reviewed by Filip Pizlo.

        It turns out the wrap operation is just B3's Trunc.

        * wasm/wasm.json:

2016-12-05  Joseph Pecoraro  <pecoraro@apple.com>

        REGRESSION(r208985): SafariForWebKitDevelopment Symbol Not Found looking for method with WTF::Optional
        https://bugs.webkit.org/show_bug.cgi?id=165351

        Reviewed by Yusuke Suzuki.

        Some versions of Safari expect:

            Inspector::BackendDispatcher::reportProtocolError(WTF::Optional<long>, Inspector::BackendDispatcher::CommonErrorCode, WTF::String const&)

        which we had updated to use std::optional. Expose a version with the original
        symbol for these Safaris. This stub will just call through to the new version.

        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::reportProtocolError):
        * inspector/InspectorBackendDispatcher.h:

2016-12-05  Konstantin Tokarev  <annulen@yandex.ru>

        Add __STDC_FORMAT_MACROS before inttypes.h is included
        https://bugs.webkit.org/show_bug.cgi?id=165374

        We need formatting macros like PRIu64 to be available in all places where
        the inttypes.h header is used. All these usages get inttypes.h definitions
        via the wtf/Assertions.h header, except SQLiteFileSystem.cpp, where formatting
        macros are not used anymore since r185129.

        This patch fixes multiple build errors with MinGW and reduces the number of
        independent __STDC_FORMAT_MACROS uses in the code base.

        Reviewed by Darin Adler.

        * disassembler/ARM64/A64DOpcode.cpp: Removed __STDC_FORMAT_MACROS
        because it is obtained via Assertions.h now.
        * disassembler/ARM64Disassembler.cpp: Ditto.

2016-12-04  Keith Miller  <keith_miller@apple.com>

        Add support for Wasm ctz and popcnt
        https://bugs.webkit.org/show_bug.cgi?id=165369

        Reviewed by Saam Barati.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::countTrailingZeros32):
        (JSC::MacroAssemblerARM64::countTrailingZeros64):
        * assembler/MacroAssemblerX86Common.cpp:
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::countTrailingZeros32):
        (JSC::MacroAssemblerX86Common::supportsBMI1):
        (JSC::MacroAssemblerX86Common::ctzAfterBsf):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::countTrailingZeros64):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::tzcnt_rr):
        (JSC::X86Assembler::tzcntq_rr):
        (JSC::X86Assembler::bsf_rr):
        (JSC::X86Assembler::bsfq_rr):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::addOp<OpType::I32Ctz>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::I64Ctz>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::I32Popcnt>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::I64Popcnt>):
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseExpression):

2016-12-04  Saam Barati  <sbarati@apple.com>

        We should have a Wasm callee
        https://bugs.webkit.org/show_bug.cgi?id=165163

        Reviewed by Keith Miller.

        This patch adds JSWebAssemblyCallee and stores it into the
        callee slot in the call frame as part of the prologue of a
        wasm function. This is the first step in implementing
        unwinding from/through wasm frames. We will use the callee
        to identify that a machine frame belongs to wasm code.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jsc.cpp:
        (callWasmFunction):
        (functionTestWasmModuleFunctions):
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSGlobalObject.cpp:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * wasm/JSWebAssembly.h:
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::parseAndCompile):
        * wasm/WasmCallingConvention.h:
        (JSC::Wasm::CallingConvention::setupFrameInPrologue):
        * wasm/WasmFormat.h:
        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::initializeCallees):
        * wasm/WasmPlan.h:
        (JSC::Wasm::Plan::compiledFunction):
        (JSC::Wasm::Plan::getCompiledFunctions): Deleted.
        * wasm/js/JSWebAssemblyCallee.cpp: Added.
        (JSC::JSWebAssemblyCallee::JSWebAssemblyCallee):
        (JSC::JSWebAssemblyCallee::finishCreation):
        (JSC::JSWebAssemblyCallee::destroy):
        * wasm/js/JSWebAssemblyCallee.h: Added.
        (JSC::JSWebAssemblyCallee::create):
        (JSC::JSWebAssemblyCallee::createStructure):
        (JSC::JSWebAssemblyCallee::jsEntryPoint):
        * wasm/js/JSWebAssemblyModule.cpp:
        (JSC::JSWebAssemblyModule::create):
        (JSC::JSWebAssemblyModule::JSWebAssemblyModule):
        (JSC::JSWebAssemblyModule::visitChildren):
        * wasm/js/JSWebAssemblyModule.h:
        (JSC::JSWebAssemblyModule::moduleInformation):
        (JSC::JSWebAssemblyModule::callee):
        (JSC::JSWebAssemblyModule::callees):
        (JSC::JSWebAssemblyModule::offsetOfCallees):
        (JSC::JSWebAssemblyModule::allocationSize):
        (JSC::JSWebAssemblyModule::compiledFunctions): Deleted.
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):
        (JSC::WebAssemblyFunction::create):
        (JSC::WebAssemblyFunction::visitChildren):
        (JSC::WebAssemblyFunction::finishCreation):
        * wasm/js/WebAssemblyFunction.h:
        (JSC::WebAssemblyFunction::webAssemblyCallee):
        (JSC::WebAssemblyFunction::instance):
        (JSC::WebAssemblyFunction::signature):
        (JSC::CallableWebAssemblyFunction::CallableWebAssemblyFunction): Deleted.
        (JSC::WebAssemblyFunction::webAssemblyFunctionCell): Deleted.
        * wasm/js/WebAssemblyFunctionCell.cpp:
        (JSC::WebAssemblyFunctionCell::create): Deleted.
        (JSC::WebAssemblyFunctionCell::WebAssemblyFunctionCell): Deleted.
        (JSC::WebAssemblyFunctionCell::destroy): Deleted.
        (JSC::WebAssemblyFunctionCell::createStructure): Deleted.
        * wasm/js/WebAssemblyFunctionCell.h:
        (JSC::WebAssemblyFunctionCell::function): Deleted.
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        (JSC::constructJSWebAssemblyModule):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):

2016-12-04  Matt Baker  <mattbaker@apple.com>

        Web Inspector: Assertion Failures breakpoint should respect global Breakpoints enabled setting
        https://bugs.webkit.org/show_bug.cgi?id=165277
        <rdar://problem/29467098>

        Reviewed by Mark Lam.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
        Check that breakpoints are active before pausing.

2016-12-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        Refactor SymbolImpl layout
        https://bugs.webkit.org/show_bug.cgi?id=165247

        Reviewed by Darin Adler.

        Use SymbolImpl::{create, createNullSymbol} instead.

        * runtime/PrivateName.h:
        (JSC::PrivateName::PrivateName):

2016-12-03  JF Bastien  <jfbastien@apple.com>

        WebAssembly: update binary format to 0xD version
        https://bugs.webkit.org/show_bug.cgi?id=165345

        Reviewed by Keith Miller.

        As described in the following PR: https://github.com/WebAssembly/design/pull/836
        Originally committed in r209175, reverted in r209242, and fixed in r209284.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::B3IRGenerator::zeroForType):
        (JSC::Wasm::B3IRGenerator::addConstant):
        (JSC::Wasm::createJSWrapper):
        * wasm/WasmCallingConvention.h:
        (JSC::Wasm::CallingConvention::marshallArgument):
        * wasm/WasmFormat.cpp:
        (JSC::Wasm::toString): Deleted.
        * wasm/WasmFormat.h:
        (JSC::Wasm::isValueType):
        (JSC::Wasm::toB3Type): Deleted.
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseExpression):
        * wasm/WasmModuleParser.cpp:
        (JSC::Wasm::ModuleParser::parse):
        (JSC::Wasm::ModuleParser::parseType):
        * wasm/WasmModuleParser.h:
        * wasm/WasmParser.h:
        (JSC::Wasm::Parser::parseResultType):
        * wasm/generateWasm.py:
        (Wasm.__init__):
        * wasm/generateWasmOpsHeader.py:
        (cppMacro):
        (typeMacroizer):
        (opcodeMacroizer):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):
        * wasm/wasm.json:

2016-12-02  Keith Miller  <keith_miller@apple.com>

        Add Wasm copysign
        https://bugs.webkit.org/show_bug.cgi?id=165355

        Reviewed by Filip Pizlo.

        This patch also makes two other important changes:

        1) allows for i64 constants in the B3 generator language.
        2) Fixes a bug with F64ConvertUI64 where the operation returned a Float instead
           of a Double in B3.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::addOp<F64ConvertUI64>):
        * wasm/generateWasmB3IRGeneratorInlinesHeader.py:
        (CodeGenerator.generateOpcode):
        (generateConstCode):
        (generateI32ConstCode): Deleted.
        * wasm/wasm.json:

2016-12-03  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r209298.
        https://bugs.webkit.org/show_bug.cgi?id=165359

        broke the build (Requested by smfr on #webkit).

        Reverted changeset:

        "Add Wasm copysign"
        https://bugs.webkit.org/show_bug.cgi?id=165355
        http://trac.webkit.org/changeset/209298

2016-12-02  Keith Miller  <keith_miller@apple.com>

        Add Wasm copysign
        https://bugs.webkit.org/show_bug.cgi?id=165355

        Reviewed by Filip Pizlo.

        This patch also makes two other important changes:

        1) allows for i64 constants in the B3 generator language.
        2) Fixes a bug with F64ConvertUI64 where the operation returned a Float instead
           of a Double in B3.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::addOp<F64ConvertUI64>):
        * wasm/generateWasmB3IRGeneratorInlinesHeader.py:
        (CodeGenerator.generateOpcode):
        (generateConstCode):
        (generateI32ConstCode): Deleted.
        * wasm/wasm.json:

2016-12-02  Keith Miller  <keith_miller@apple.com>

        Unreviewed, fix git having a breakdown over trying to reland a rollout.

2016-12-02  Keith Miller  <keith_miller@apple.com>

        Add Wasm floating point nearest and trunc
        https://bugs.webkit.org/show_bug.cgi?id=165339

        Reviewed by Saam Barati.

        This patch also allows any wasm primitive type to be passed as a
        string.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::nearestIntDouble):
        (JSC::MacroAssemblerARM64::nearestIntFloat):
        (JSC::MacroAssemblerARM64::truncDouble):
        (JSC::MacroAssemblerARM64::truncFloat):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::nearestIntDouble):
        (JSC::MacroAssemblerX86Common::nearestIntFloat):
        * jsc.cpp:
        (box):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::addOp<F64ConvertUI64>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::F32ConvertUI64>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::F64Nearest>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::F32Nearest>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::F64Trunc>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::F32Trunc>):
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseExpression):

2016-12-02  Caitlin Potter  <caitp@igalia.com>

        [JSC] add additional bit to JSTokenType bitfield
        https://bugs.webkit.org/show_bug.cgi?id=165091

        Reviewed by Geoffrey Garen.

        Avoid overflow which causes keyword tokens to be treated as unary
        tokens now that "async" is tokenized as a keyword, by granting an
        additional 64 bits to be occupied by token IDs.

        * parser/ParserTokens.h:

2016-12-02  Andy Estes  <aestes@apple.com>

        [Cocoa] Adopt the PRODUCT_BUNDLE_IDENTIFIER build setting
        https://bugs.webkit.org/show_bug.cgi?id=164492

        Reviewed by Dan Bernstein.

        * Configurations/JavaScriptCore.xcconfig: Set PRODUCT_BUNDLE_IDENTIFIER to
        com.apple.$(PRODUCT_NAME:rfc1034identifier).
        * Info.plist: Changed CFBundleIdentifier's value from com.apple.${PRODUCT_NAME} to
        ${PRODUCT_BUNDLE_IDENTIFIER}.

2016-12-02  JF Bastien  <jfbastien@apple.com>

        WebAssembly: mark WasmOps.h as private
        https://bugs.webkit.org/show_bug.cgi?id=165335

        Reviewed by Mark Lam.

        * JavaScriptCore.xcodeproj/project.pbxproj: WasmOps.h will be used by non-JSC and should therefore be private

2016-12-02  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r209275 and r209276.
        https://bugs.webkit.org/show_bug.cgi?id=165348

        "broke the arm build" (Requested by keith_miller on #webkit).

        Reverted changesets:

        "Add Wasm floating point nearest and trunc"
        https://bugs.webkit.org/show_bug.cgi?id=165339
        http://trac.webkit.org/changeset/209275

        "Unreviewed, forgot to change instruction after renaming."
        http://trac.webkit.org/changeset/209276

2016-12-02  Keith Miller  <keith_miller@apple.com>

        Unreviewed, forgot to change instruction after renaming.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::nearestIntDouble):
        (JSC::MacroAssemblerARM64::nearestIntFloat):

2016-12-02  Keith Miller  <keith_miller@apple.com>

        Add Wasm floating point nearest and trunc
        https://bugs.webkit.org/show_bug.cgi?id=165339

        Reviewed by Filip Pizlo.

        This patch also allows any wasm primitive type to be passed as a
        string.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::nearestIntDouble):
        (JSC::MacroAssemblerARM64::nearestIntFloat):
        (JSC::MacroAssemblerARM64::truncDouble):
        (JSC::MacroAssemblerARM64::truncFloat):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::nearestIntDouble):
        (JSC::MacroAssemblerX86Common::nearestIntFloat):
        * jsc.cpp:
        (box):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::addOp<F64ConvertUI64>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::F32ConvertUI64>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::F64Nearest>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::F32Nearest>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::F64Trunc>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::F32Trunc>):
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseExpression):

2016-12-02  JF Bastien  <jfbastien@apple.com>

        WebAssembly: revert patch causing odd breakage
        https://bugs.webkit.org/show_bug.cgi?id=165308

        Unreviewed.

        Bug #164724 seems to cause build issues which I haven't tracked down yet. WasmOps.h can't be found:
        ./Source/JavaScriptCore/wasm/WasmFormat.h:34:10: fatal error: 'WasmOps.h' file not found

        It's weird since the file is auto-generated and has been for a while. #164724 merely includes it in WasmFormat.h.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::B3IRGenerator::zeroForType):
        (JSC::Wasm::B3IRGenerator::addConstant):
        (JSC::Wasm::createJSWrapper):
        * wasm/WasmCallingConvention.h:
        (JSC::Wasm::CallingConvention::marshallArgument):
        * wasm/WasmFormat.cpp:
        (JSC::Wasm::toString):
        * wasm/WasmFormat.h:
        (JSC::Wasm::toB3Type):
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseExpression):
        * wasm/WasmModuleParser.cpp:
        (JSC::Wasm::ModuleParser::parse):
        (JSC::Wasm::ModuleParser::parseType):
        * wasm/WasmModuleParser.h:
        * wasm/WasmParser.h:
        (JSC::Wasm::Parser::parseResultType):
        * wasm/generateWasm.py:
        (Wasm.__init__):
        * wasm/generateWasmOpsHeader.py:
        (cppMacro):
        (opcodeMacroizer):
        (typeMacroizer): Deleted.
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):
        * wasm/wasm.json:

2016-12-01  Brian Burg  <bburg@apple.com>

        Remote Inspector: fix weird typo in generated ObjC protocol type initializer implementations
        https://bugs.webkit.org/show_bug.cgi?id=165295
        <rdar://problem/29427778>

        Reviewed by Joseph Pecoraro.

        Remove a stray semicolon appended after custom initializer signatures.
        This is a syntax error when building with less lenient compiler warnings.

        * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
        (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members):
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:

2016-12-01  Saam Barati  <sbarati@apple.com>

        Rename CallFrame::callee() to CallFrame::jsCallee()
        https://bugs.webkit.org/show_bug.cgi?id=165293

        Reviewed by Keith Miller.

        Wasm will soon have its own Callee that doesn't derive
        from JSObject, but derives from JSCell. I want to introduce
        a new function like:
        ```
        CalleeBase* CallFrame::callee()
        ```

        once we have a Wasm callee. It only makes sense to name that
        function callee() and rename the current one to:
        ```
        JSObject* CallFrame::jsCallee()
        ```

        * API/APICallbackFunction.h:
        (JSC::APICallbackFunction::call):
        (JSC::APICallbackFunction::construct):
        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::construct):
        (JSC::JSCallbackObject<Parent>::call):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::scope):
        (JSC::DebuggerCallFrame::type):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::friendlyFunctionName):
        * interpreter/CallFrame.h:
        (JSC::ExecState::jsCallee):
        (JSC::ExecState::callee): Deleted.
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpRegisters):
        (JSC::notifyDebuggerOfUnwinding):
        * interpreter/ShadowChicken.cpp:
        (JSC::ShadowChicken::update):
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::readNonInlinedFrame):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::traceFunctionPrologue):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        * runtime/AsyncFunctionConstructor.cpp:
        (JSC::callAsyncFunctionConstructor):
        (JSC::constructAsyncFunctionConstructor):
        * runtime/BooleanConstructor.cpp:
        (JSC::constructWithBooleanConstructor):
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::createWithInlineFrame):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::arityCheckFor):
        * runtime/DateConstructor.cpp:
        (JSC::constructWithDateConstructor):
        * runtime/DirectArguments.cpp:
        (JSC::DirectArguments::createByCopying):
        * runtime/Error.h:
        (JSC::StrictModeTypeErrorFunction::constructThrowTypeError):
        (JSC::StrictModeTypeErrorFunction::callThrowTypeError):
        * runtime/ErrorConstructor.cpp:
        (JSC::Interpreter::constructWithErrorConstructor):
        (JSC::Interpreter::callErrorConstructor):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructWithFunctionConstructor):
        (JSC::callFunctionConstructor):
        * runtime/GeneratorFunctionConstructor.cpp:
        (JSC::callGeneratorFunctionConstructor):
        (JSC::constructGeneratorFunctionConstructor):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::createSubclassStructure):
        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::initializeCollator):
        * runtime/IntlCollatorConstructor.cpp:
        (JSC::constructIntlCollator):
        (JSC::callIntlCollator):
        (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::constructIntlDateTimeFormat):
        (JSC::callIntlDateTimeFormat):
        (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::constructIntlNumberFormat):
        (JSC::callIntlNumberFormat):
        (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
        * runtime/IntlObject.cpp:
        (JSC::canonicalizeLocaleList):
        (JSC::defaultLocale):
        (JSC::lookupSupportedLocales):
        (JSC::intlObjectFuncGetCanonicalLocales):
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::constructArrayBuffer):
        * runtime/JSArrayBufferPrototype.cpp:
        (JSC::arrayBufferProtoFuncSlice):
        * runtime/JSBoundFunction.cpp:
        (JSC::boundThisNoArgsFunctionCall):
        (JSC::boundFunctionCall):
        (JSC::boundThisNoArgsFunctionConstruct):
        (JSC::boundFunctionConstruct):
        * runtime/JSCellInlines.h:
        (JSC::ExecState::vm):
        * runtime/JSCustomGetterSetterFunction.cpp:
        (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
        * runtime/JSFunction.cpp:
        (JSC::callHostFunctionAsConstructor):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayView):
        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::genericTypedArrayViewProtoFuncSlice):
        (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        * runtime/JSInternalPromiseConstructor.cpp:
        (JSC::constructPromise):
        * runtime/JSMapIterator.cpp:
        (JSC::JSMapIterator::createPair):
        (JSC::JSMapIterator::clone):
        * runtime/JSNativeStdFunction.cpp:
        (JSC::runStdFunction):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::constructPromise):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::clone):
        * runtime/JSScope.h:
        (JSC::ExecState::lexicalGlobalObject):
        * runtime/JSSetIterator.cpp:
        (JSC::JSSetIterator::createPair):
        (JSC::JSSetIterator::clone):
        * runtime/JSStringIterator.cpp:
        (JSC::JSStringIterator::clone):
        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/MapPrototype.cpp:
        (JSC::mapProtoFuncValues):
        (JSC::mapProtoFuncEntries):
        (JSC::mapProtoFuncKeys):
        (JSC::privateFuncMapIterator):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::Interpreter::constructWithNativeErrorConstructor):
        (JSC::Interpreter::callNativeErrorConstructor):
        * runtime/ObjectConstructor.cpp:
        (JSC::constructObject):
        * runtime/ProxyObject.cpp:
        (JSC::performProxyCall):
        (JSC::performProxyConstruct):
        * runtime/ProxyRevoke.cpp:
        (JSC::performProxyRevoke):
        * runtime/RegExpConstructor.cpp:
        (JSC::constructWithRegExpConstructor):
        (JSC::callRegExpConstructor):
        * runtime/ScopedArguments.cpp:
        (JSC::ScopedArguments::createByCopying):
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):
        * runtime/SetPrototype.cpp:
        (JSC::setProtoFuncValues):
        (JSC::setProtoFuncEntries):
        (JSC::privateFuncSetIterator):
        * runtime/StringConstructor.cpp:
        (JSC::constructWithStringConstructor):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncIterator):
        * runtime/WeakMapConstructor.cpp:
        (JSC::constructWeakMap):
        * runtime/WeakSetConstructor.cpp:
        (JSC::constructWeakSet):
        * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
        (JSC::constructJSWebAssemblyCompileError):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        (JSC::constructJSWebAssemblyModule):
        * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
        (JSC::constructJSWebAssemblyRuntimeError):

2016-12-01  Brian Burg  <bburg@apple.com>

        Web Inspector: generated code should use a framework-style import for *ProtocolArrayConversions.h
        https://bugs.webkit.org/show_bug.cgi?id=165281
        <rdar://problem/29427778>

        Reviewed by Joseph Pecoraro.

        * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
        (ObjCProtocolTypeConversionsHeaderGenerator.generate_output):
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:

2016-12-01  Geoffrey Garen  <ggaren@apple.com>

        SourceCodeKey should use unlinked source code
        https://bugs.webkit.org/show_bug.cgi?id=165286

        Reviewed by Saam Barati.

        This patch splits out UnlinkedSourceCode from SourceCode, and deploys
        UnlinkedSourceCode in SourceCodeKey.

        It's misleading to store SourceCode in SourceCodeKey because SourceCode
        has an absolute location whereas unlinked cached code has no location.

        I plan to deploy UnlinkedSourceCode in more places, to indicate code
        that has no absolute location.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * parser/SourceCode.cpp:
        (JSC::UnlinkedSourceCode::toUTF8):
        (JSC::SourceCode::toUTF8): Deleted.
        * parser/SourceCode.h:
        (JSC::SourceCode::SourceCode):
        (JSC::SourceCode::startColumn):
        (JSC::SourceCode::isHashTableDeletedValue): Deleted.
        (JSC::SourceCode::hash): Deleted.
        (JSC::SourceCode::view): Deleted.
        (JSC::SourceCode::providerID): Deleted.
        (JSC::SourceCode::isNull): Deleted.
        (JSC::SourceCode::provider): Deleted.
        (JSC::SourceCode::startOffset): Deleted.
        (JSC::SourceCode::endOffset): Deleted.
        (JSC::SourceCode::length): Deleted. Move a bunch of stuff into a new
        base class, UnlinkedSourceCode.

        * parser/SourceCodeKey.h:
        (JSC::SourceCodeKey::SourceCodeKey): Use UnlinkedSourceCode since code
        in the cache has no location.

        * parser/UnlinkedSourceCode.h: Copied from Source/JavaScriptCore/parser/SourceCode.h.
        (JSC::UnlinkedSourceCode::UnlinkedSourceCode):
        (JSC::UnlinkedSourceCode::provider):
        (JSC::SourceCode::SourceCode): Deleted.
        (JSC::SourceCode::isHashTableDeletedValue): Deleted.
        (JSC::SourceCode::hash): Deleted.
        (JSC::SourceCode::view): Deleted.
        (JSC::SourceCode::providerID): Deleted.
        (JSC::SourceCode::isNull): Deleted.
        (JSC::SourceCode::provider): Deleted.
        (JSC::SourceCode::firstLine): Deleted.
        (JSC::SourceCode::startColumn): Deleted.
        (JSC::SourceCode::startOffset): Deleted.
        (JSC::SourceCode::endOffset): Deleted.
        (JSC::SourceCode::length): Deleted.
        (JSC::makeSource): Deleted.
        (JSC::SourceCode::subExpression): Deleted.

        * runtime/CodeCache.h: Use UnlinkedSourceCode in the cache.

722 2016-12-01  Keith Miller  <keith_miller@apple.com>
723
724         Add wasm int to floating point opcodes
725         https://bugs.webkit.org/show_bug.cgi?id=165252
726
727         Reviewed by Geoffrey Garen.
728
729         This patch adds support for the Wasm integral type => floating point
730         type conversion opcodes. Most of these were already supported by B3
731         however there was no support for uint64 to float/double. Unfortunately,
732         AFAIK x86_64 does not have a single instruction that performs this
733         conversion. Since there is a signed conversion instruction on x86 we
734         use that for all uint64s that don't have the top bit set. If they do have
735         the top bit set we need to divide by 2 (rounding up), then convert the number
736         with the signed conversion, then double the result.
737
738         * assembler/MacroAssemblerX86_64.h:
739         (JSC::MacroAssemblerX86_64::convertUInt64ToDouble):
740         (JSC::MacroAssemblerX86_64::convertUInt64ToFloat):
741         * jsc.cpp:
742         (valueWithTypeOfWasmValue):
743         (box):
744         (functionTestWasmModuleFunctions):
745         * wasm/WasmB3IRGenerator.cpp:
746         (JSC::Wasm::B3IRGenerator::addOp<F64ConvertUI64>):
747         (JSC::Wasm::B3IRGenerator::addOp<OpType::F32ConvertUI64>):
748         * wasm/WasmFunctionParser.h:
749         (JSC::Wasm::FunctionParser<Context>::parseExpression):
750         * wasm/wasm.json:
751
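The halve, convert, double scheme described above, written out in portable C++ as an added example (this is not JavaScriptCore's MacroAssemblerX86_64 code). The signed `static_cast` stands in for the x86_64 signed-conversion instruction, and the "rounding up" when halving is realised here by folding the dropped low bit back in as a sticky bit, which is this example's reading of the entry; a plain-shift variant is kept alongside to show the rounding error that reading avoids.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Stand-in for the x86_64 signed conversion instruction (cvtsi2sd / cvtsi2ss):
// int64 -> floating point is a single, correctly rounded instruction.
template<typename FP>
static FP convertInt64(int64_t v)
{
    return static_cast<FP>(v);
}

// uint64 -> FP using only the signed conversion, as the entry describes:
//   top bit clear : the value is a valid int64, convert it directly;
//   top bit set   : halve it so it fits in int64, convert, then double.
// Halving drops bit 0. Folding that bit back in as a sticky bit (assumed here
// to be what "rounding up" means) keeps the rounding decision identical to a
// direct, correctly rounded conversion: the half-way bit and the sticky bits
// of the halved value are exactly those of the original.
template<typename FP>
FP convertUInt64WithSticky(uint64_t x)
{
    if (static_cast<int64_t>(x) >= 0)
        return convertInt64<FP>(static_cast<int64_t>(x));
    uint64_t halved = (x >> 1) | (x & 1);
    return convertInt64<FP>(static_cast<int64_t>(halved)) * FP(2);
}

// The same scheme with a plain shift. Losing the low bit can turn a value that
// sat just above a rounding boundary into an exact tie, which round-to-nearest-
// even then resolves downward, so the doubled result is off by one ulp.
template<typename FP>
FP convertUInt64NaiveShift(uint64_t x)
{
    if (static_cast<int64_t>(x) >= 0)
        return convertInt64<FP>(static_cast<int64_t>(x));
    return convertInt64<FP>(static_cast<int64_t>(x >> 1)) * FP(2);
}

// Reference: the compiler's own (correctly rounded) uint64 -> FP conversion.
template<typename FP>
FP convertUInt64Reference(uint64_t x)
{
    return static_cast<FP>(x);
}

// True when the sticky-bit version matches the reference, for double and float,
// on every input in the list; exercises both halves of the conversion.
bool stickyMatchesReference(const uint64_t* inputs, size_t count)
{
    for (size_t i = 0; i < count; ++i) {
        if (convertUInt64WithSticky<double>(inputs[i]) != convertUInt64Reference<double>(inputs[i]))
            return false;
        if (convertUInt64WithSticky<float>(inputs[i]) != convertUInt64Reference<float>(inputs[i]))
            return false;
    }
    return true;
}

// Constructed inputs: values around the int64 sign boundary plus ones chosen to
// sit just above a rounding boundary once the top bit is set.
static const uint64_t kSampleInputs[] = {
    0, 1, 0x7fffffffffffffffULL, 0x8000000000000000ULL, 0xffffffffffffffffULL,
    (1ULL << 63) + (1ULL << 10) + 1,   // double: 53-bit mantissa, ulp at 2^63 is 2^11
    (1ULL << 63) + (1ULL << 39) + 1,   // float: 24-bit mantissa, ulp at 2^63 is 2^40
    0x8000000000001635ULL,             // arbitrary bits below the sign bit
};
static const size_t kSampleCount = sizeof(kSampleInputs) / sizeof(kSampleInputs[0]);

int main()
{
    uint64_t nearTie = (1ULL << 63) + (1ULL << 10) + 1;
    std::printf("reference  %.1f\n", convertUInt64Reference<double>(nearTie));
    std::printf("sticky bit %.1f\n", convertUInt64WithSticky<double>(nearTie));
    std::printf("plain shift %.1f\n", convertUInt64NaiveShift<double>(nearTie));
    return stickyMatchesReference(kSampleInputs, kSampleCount) ? 0 : 1;
}
```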
752 2016-12-01  Geoffrey Garen  <ggaren@apple.com>
753
754         Renamed EvalCodeCache => DirectEvalCodeCache
755         https://bugs.webkit.org/show_bug.cgi?id=165271
756
757         Reviewed by Saam Barati.
758
759         We only use this cache for DirectEval, not IndirectEval.
760
761         * JavaScriptCore.xcodeproj/project.pbxproj:
762         * bytecode/CodeBlock.cpp:
763         (JSC::DirectEvalCodeCache::visitAggregate):
764         (JSC::CodeBlock::stronglyVisitStrongReferences):
765         (JSC::EvalCodeCache::visitAggregate): Deleted.
766         * bytecode/CodeBlock.h:
767         (JSC::CodeBlock::directEvalCodeCache):
768         (JSC::CodeBlock::evalCodeCache): Deleted.
769         * bytecode/DirectEvalCodeCache.h: Copied from Source/JavaScriptCore/bytecode/EvalCodeCache.h.
770         (JSC::EvalCodeCache::CacheKey::CacheKey): Deleted.
771         (JSC::EvalCodeCache::CacheKey::hash): Deleted.
772         (JSC::EvalCodeCache::CacheKey::isEmptyValue): Deleted.
773         (JSC::EvalCodeCache::CacheKey::operator==): Deleted.
774         (JSC::EvalCodeCache::CacheKey::isHashTableDeletedValue): Deleted.
775         (JSC::EvalCodeCache::CacheKey::Hash::hash): Deleted.
776         (JSC::EvalCodeCache::CacheKey::Hash::equal): Deleted.
777         (JSC::EvalCodeCache::tryGet): Deleted.
778         (JSC::EvalCodeCache::set): Deleted.
779         (JSC::EvalCodeCache::isEmpty): Deleted.
780         (JSC::EvalCodeCache::clear): Deleted.
781         * bytecode/EvalCodeCache.h: Removed.
782         * interpreter/Interpreter.cpp:
783         (JSC::eval):
784         * runtime/DirectEvalExecutable.cpp:
785         (JSC::DirectEvalExecutable::create):
786
787 2016-12-01  Geoffrey Garen  <ggaren@apple.com>
788
789         Removed some unnecessary indirection in code generation
790         https://bugs.webkit.org/show_bug.cgi?id=165264
791
792         Reviewed by Keith Miller.
793
794         There's no need to route through JSGlobalObject when producing code --
795         it just made the code harder to read.
796
797         This patch moves functions from JSGlobalObject to their singleton
798         call sites.
799
800         * runtime/CodeCache.cpp:
801         (JSC::CodeCache::getUnlinkedEvalCodeBlock):
802         (JSC::CodeCache::getUnlinkedGlobalEvalCodeBlock): Deleted.
803         * runtime/CodeCache.h:
804         * runtime/DirectEvalExecutable.cpp:
805         (JSC::DirectEvalExecutable::create):
806         * runtime/IndirectEvalExecutable.cpp:
807         (JSC::IndirectEvalExecutable::create):
808         * runtime/JSGlobalObject.cpp:
809         (JSC::JSGlobalObject::createProgramCodeBlock): Deleted.
810         (JSC::JSGlobalObject::createLocalEvalCodeBlock): Deleted.
811         (JSC::JSGlobalObject::createGlobalEvalCodeBlock): Deleted.
812         (JSC::JSGlobalObject::createModuleProgramCodeBlock): Deleted.
813         * runtime/JSGlobalObject.h:
814         * runtime/ModuleProgramExecutable.cpp:
815         (JSC::ModuleProgramExecutable::create):
816         * runtime/ProgramExecutable.cpp:
817         (JSC::ProgramExecutable::initializeGlobalProperties):
818         * runtime/ProgramExecutable.h:
819
820 2016-11-30  Darin Adler  <darin@apple.com>
821
822         Roll out StringBuilder changes from the previous patch.
823         They were a slowdown on a Kraken JSON test.
824
825         * runtime/JSONObject.cpp:
826         Roll out changes from below.
827
828 2016-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
829
830         [JSC] Specifying same module entry point multiple times causes TypeError
831         https://bugs.webkit.org/show_bug.cgi?id=164858
832
833         Reviewed by Saam Barati.
834
835         Allow importing the same module multiple times. Previously, when specifying the same
836         module in the <script type="module" src="here">, it threw a TypeError.
837
838         * builtins/ModuleLoaderPrototype.js:
839         (requestFetch):
840         (requestTranslate):
841         (requestInstantiate):
842         (requestSatisfy):
843
844 2016-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
845
846         WebAssembly JS API: export a module namespace object instead of a module environment
847         https://bugs.webkit.org/show_bug.cgi?id=165121
848
849         Reviewed by Saam Barati.
850
851         This patch sets up AbstractModuleRecord further for WebAssemblyModuleRecord.
852         For exported entries in a wasm instance, we set up exported entries for
853         AbstractModuleRecord. This allows us to export WASM exported functions in
854         the module handling code.
855
856         Since the exported entries in the abstract module record are correctly
857         instantiated, the module namespace object for WASM module also starts
858         working correctly. So we start exposing the module namespace object
859         as `instance.exports` instead of the module environment object.
860
861         And we move SourceCode, lexicalVariables, and declaredVariables fields to
862         JSModuleRecord since they are related to JS source code (in the spec words,
863         they are related to the source text module record).
864
865         * runtime/AbstractModuleRecord.cpp:
866         (JSC::AbstractModuleRecord::AbstractModuleRecord):
867         * runtime/AbstractModuleRecord.h:
868         (JSC::AbstractModuleRecord::sourceCode): Deleted.
869         (JSC::AbstractModuleRecord::declaredVariables): Deleted.
870         (JSC::AbstractModuleRecord::lexicalVariables): Deleted.
871         * runtime/JSModuleRecord.cpp:
872         (JSC::JSModuleRecord::JSModuleRecord):
873         * runtime/JSModuleRecord.h:
874         (JSC::JSModuleRecord::sourceCode):
875         (JSC::JSModuleRecord::declaredVariables):
876         (JSC::JSModuleRecord::lexicalVariables):
877         * wasm/WasmFormat.cpp:
878         * wasm/js/JSWebAssemblyInstance.cpp:
879         (JSC::JSWebAssemblyInstance::finishCreation):
880         * wasm/js/WebAssemblyFunction.cpp:
881         * wasm/js/WebAssemblyInstanceConstructor.cpp:
882         (JSC::constructJSWebAssemblyInstance):
883         * wasm/js/WebAssemblyModuleRecord.cpp:
884         (JSC::WebAssemblyModuleRecord::create):
885         (JSC::WebAssemblyModuleRecord::WebAssemblyModuleRecord):
886         (JSC::WebAssemblyModuleRecord::finishCreation):
887         WebAssemblyModuleRecord::link should perform linking things.
888         So allocating exported entries should be done here.
889         (JSC::WebAssemblyModuleRecord::link):
890         * wasm/js/WebAssemblyModuleRecord.h:
891
892 2016-11-30  Mark Lam  <mark.lam@apple.com>
893
894         TypeInfo::OutOfLineTypeFlags should be 16 bits in size.
895         https://bugs.webkit.org/show_bug.cgi?id=165224
896
897         Reviewed by Saam Barati.
898
899         There's no reason for OutOfLineTypeFlags to be constrained to 8 bits since the
900         space is available to us.  Making OutOfLineTypeFlags 16 bits brings TypeInfo up
901         to 32 bits in size from the current 24 bits.
902
903         * runtime/JSTypeInfo.h:
904         (JSC::TypeInfo::TypeInfo):
905
906 2016-11-30  Joseph Pecoraro  <pecoraro@apple.com>
907
908         REGRESSION: inspector/sampling-profiler/* LayoutTests are flaky timeouts
909         https://bugs.webkit.org/show_bug.cgi?id=164388
910         <rdar://problem/29101555>
911
912         Reviewed by Saam Barati.
913
914         There was a possibility of a deadlock between the main thread and the GC thread
915         with the SamplingProfiler lock when Inspector is processing samples to send to
916         the frontend. The Inspector (main thread) was holding the SamplingProfiler lock
917         while processing samples, which runs JavaScript that could trigger a GC, and
918         GC then tries to acquire the SamplingProfiler lock to process unprocessed samples.
919
920         A simple solution here is to tighten the bounds of when Inspector holds the
921         SamplingProfiler lock. It only needs the lock when extracting samples from
922         the SamplingProfiler. It doesn't need to hold the lock for processing those
923         samples, which is what can run script and cause a GC.
924
925         * inspector/agents/InspectorScriptProfilerAgent.cpp:
926         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
927         Tighten bounds of this lock to only where it is needed.
928
929 2016-11-30  Mark Lam  <mark.lam@apple.com>
930
931         Proxy is not allowed in the global prototype chain.
932         https://bugs.webkit.org/show_bug.cgi?id=165205
933
934         Reviewed by Geoffrey Garen.
935
936         * runtime/ProgramExecutable.cpp:
937         (JSC::ProgramExecutable::initializeGlobalProperties):
938         - We'll now throw a TypeError if we detect a Proxy in the global prototype chain.
939
940 2016-11-30  Commit Queue  <commit-queue@webkit.org>
941
942         Unreviewed, rolling out r209112.
943         https://bugs.webkit.org/show_bug.cgi?id=165208
944
945         "It regressed Octane/Raytrace and JetStream" (Requested by
946         saamyjoon on #webkit).
947
948         Reverted changeset:
949
950         "We should support CreateThis in the FTL"
951         https://bugs.webkit.org/show_bug.cgi?id=164904
952         http://trac.webkit.org/changeset/209112
953
954 2016-11-30  Darin Adler  <darin@apple.com>
955
956         Streamline and speed up tokenizer and segmented string classes
957         https://bugs.webkit.org/show_bug.cgi?id=165003
958
959         Reviewed by Sam Weinig.
960
961         * runtime/JSONObject.cpp:
962         (JSC::Stringifier::appendStringifiedValue): Use viewWithUnderlyingString when calling
963         StringBuilder::appendQuotedJSONString, since it now takes a StringView and there is
964         no benefit in creating a String for that function if one doesn't already exist.
965
966 2016-11-29  JF Bastien  <jfbastien@apple.com>
967
968         WebAssembly JS API: improve Instance
969         https://bugs.webkit.org/show_bug.cgi?id=164757
970
971         Reviewed by Keith Miller.
972
973         An Instance's `exports` property wasn't populated with exports.
974
975         According to the spec [0], `exports` should present itself as a WebAssembly
976         Module Record. In order to do this we need to split JSModuleRecord into
977         AbstractModuleRecord (without the `link` and `evaluate` functions), and
978         JSModuleRecord (which implements link and evaluate). We can then have a separate
979         WebAssemblyModuleRecord which shares most of the implementation.
980
981         `exports` then maps function names to WebAssemblyFunction and
982         WebAssemblyFunctionCell, which call into the B3-generated WebAssembly code.
983
984         A follow-up patch will do imports.
985
986         A few things of note:
987
988          - Use Identifier instead of String. They get uniqued, we need them for the JSModuleNamespaceObject. This is safe because JSWebAssemblyModule creation is on the main thread.
989          - JSWebAssemblyInstance needs to refer to the JSWebAssemblyModule used to create it, because the module owns the code, identifiers, etc. The world would be very sad if it got GC'd.
990          - Instance.exports shouldn't use putWithoutTransition because it affects all Structures, whereas here each instance needs its own exports.
991          - Expose the compiled functions, and pipe them to the InstanceConstructor. Start moving things around to split JSModuleRecord out into JS and WebAssembly parts.
992
993           [0]: https://github.com/WebAssembly/design/blob/master/JS.md#webassemblyinstance-constructor
994
995         * CMakeLists.txt:
996         * JavaScriptCore.xcodeproj/project.pbxproj:
997         * runtime/AbstractModuleRecord.cpp: Copied from Source/JavaScriptCore/runtime/JSModuleRecord.cpp, which I split in two
998         (JSC::AbstractModuleRecord::AbstractModuleRecord):
999         (JSC::AbstractModuleRecord::destroy):
1000         (JSC::AbstractModuleRecord::finishCreation):
1001         (JSC::AbstractModuleRecord::visitChildren):
1002         (JSC::AbstractModuleRecord::appendRequestedModule):
1003         (JSC::AbstractModuleRecord::addStarExportEntry):
1004         (JSC::AbstractModuleRecord::addImportEntry):
1005         (JSC::AbstractModuleRecord::addExportEntry):
1006         (JSC::identifierToJSValue):
1007         (JSC::AbstractModuleRecord::hostResolveImportedModule):
1008         (JSC::AbstractModuleRecord::ResolveQuery::ResolveQuery):
1009         (JSC::AbstractModuleRecord::ResolveQuery::isEmptyValue):
1010         (JSC::AbstractModuleRecord::ResolveQuery::isDeletedValue):
1011         (JSC::AbstractModuleRecord::ResolveQuery::Hash::hash):
1012         (JSC::AbstractModuleRecord::ResolveQuery::Hash::equal):
1013         (JSC::AbstractModuleRecord::cacheResolution):
1014         (JSC::getExportedNames):
1015         (JSC::AbstractModuleRecord::getModuleNamespace):
1016         (JSC::printableName):
1017         (JSC::AbstractModuleRecord::dump):
1018         * runtime/AbstractModuleRecord.h: Copied from Source/JavaScriptCore/runtime/JSModuleRecord.h.
1019         (JSC::AbstractModuleRecord::ImportEntry::isNamespace):
1020         (JSC::AbstractModuleRecord::sourceCode):
1021         (JSC::AbstractModuleRecord::moduleKey):
1022         (JSC::AbstractModuleRecord::requestedModules):
1023         (JSC::AbstractModuleRecord::exportEntries):
1024         (JSC::AbstractModuleRecord::importEntries):
1025         (JSC::AbstractModuleRecord::starExportEntries):
1026         (JSC::AbstractModuleRecord::declaredVariables):
1027         (JSC::AbstractModuleRecord::lexicalVariables):
1028         (JSC::AbstractModuleRecord::moduleEnvironment):
1029         * runtime/JSGlobalObject.cpp:
1030         (JSC::JSGlobalObject::init):
1031         (JSC::JSGlobalObject::visitChildren):
1032         * runtime/JSGlobalObject.h:
1033         (JSC::JSGlobalObject::webAssemblyModuleRecordStructure):
1034         (JSC::JSGlobalObject::webAssemblyFunctionStructure):
1035         * runtime/JSModuleEnvironment.cpp:
1036         (JSC::JSModuleEnvironment::create):
1037         (JSC::JSModuleEnvironment::finishCreation):
1038         (JSC::JSModuleEnvironment::getOwnPropertySlot):
1039         (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
1040         (JSC::JSModuleEnvironment::put):
1041         (JSC::JSModuleEnvironment::deleteProperty):
1042         * runtime/JSModuleEnvironment.h:
1043         (JSC::JSModuleEnvironment::create):
1044         (JSC::JSModuleEnvironment::offsetOfModuleRecord):
1045         (JSC::JSModuleEnvironment::allocationSize):
1046         (JSC::JSModuleEnvironment::moduleRecord):
1047         (JSC::JSModuleEnvironment::moduleRecordSlot):
1048         * runtime/JSModuleNamespaceObject.cpp:
1049         (JSC::JSModuleNamespaceObject::finishCreation):
1050         (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
1051         * runtime/JSModuleNamespaceObject.h:
1052         (JSC::JSModuleNamespaceObject::create):
1053         (JSC::JSModuleNamespaceObject::moduleRecord):
1054         * runtime/JSModuleRecord.cpp:
1055         (JSC::JSModuleRecord::createStructure):
1056         (JSC::JSModuleRecord::create):
1057         (JSC::JSModuleRecord::JSModuleRecord):
1058         (JSC::JSModuleRecord::destroy):
1059         (JSC::JSModuleRecord::finishCreation):
1060         (JSC::JSModuleRecord::visitChildren):
1061         (JSC::JSModuleRecord::instantiateDeclarations):
1062         * runtime/JSModuleRecord.h:
1063         * runtime/JSScope.cpp:
1064         (JSC::abstractAccess):
1065         (JSC::JSScope::collectClosureVariablesUnderTDZ):
1066         * runtime/VM.cpp:
1067         (JSC::VM::VM):
1068         * runtime/VM.h:
1069         * wasm/JSWebAssembly.h:
1070         * wasm/WasmFormat.h: use Identifier instead of String
1071         * wasm/WasmModuleParser.cpp:
1072         (JSC::Wasm::ModuleParser::parse):
1073         (JSC::Wasm::ModuleParser::parseType):
1074         (JSC::Wasm::ModuleParser::parseImport): fix off-by-one
1075         (JSC::Wasm::ModuleParser::parseFunction):
1076         (JSC::Wasm::ModuleParser::parseExport):
1077         * wasm/WasmModuleParser.h:
1078         (JSC::Wasm::ModuleParser::ModuleParser):
1079         * wasm/WasmPlan.cpp:
1080         (JSC::Wasm::Plan::run):
1081         * wasm/js/JSWebAssemblyInstance.cpp:
1082         (JSC::JSWebAssemblyInstance::create):
1083         (JSC::JSWebAssemblyInstance::finishCreation):
1084         (JSC::JSWebAssemblyInstance::visitChildren):
1085         * wasm/js/JSWebAssemblyInstance.h:
1086         (JSC::JSWebAssemblyInstance::module):
1087         * wasm/js/JSWebAssemblyModule.cpp:
1088         (JSC::JSWebAssemblyModule::create):
1089         (JSC::JSWebAssemblyModule::finishCreation):
1090         (JSC::JSWebAssemblyModule::visitChildren):
1091         * wasm/js/JSWebAssemblyModule.h:
1092         (JSC::JSWebAssemblyModule::moduleInformation):
1093         (JSC::JSWebAssemblyModule::compiledFunctions):
1094         (JSC::JSWebAssemblyModule::exportSymbolTable):
1095         * wasm/js/WebAssemblyFunction.cpp: Added.
1096         (JSC::callWebAssemblyFunction):
1097         (JSC::WebAssemblyFunction::create):
1098         (JSC::WebAssemblyFunction::createStructure):
1099         (JSC::WebAssemblyFunction::WebAssemblyFunction):
1100         (JSC::WebAssemblyFunction::visitChildren):
1101         (JSC::WebAssemblyFunction::finishCreation):
1102         * wasm/js/WebAssemblyFunction.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyModule.h.
1103         (JSC::CallableWebAssemblyFunction::CallableWebAssemblyFunction):
1104         (JSC::WebAssemblyFunction::webAssemblyFunctionCell):
1105         * wasm/js/WebAssemblyFunctionCell.cpp: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.h.
1106         (JSC::WebAssemblyFunctionCell::create):
1107         (JSC::WebAssemblyFunctionCell::WebAssemblyFunctionCell):
1108         (JSC::WebAssemblyFunctionCell::destroy):
1109         (JSC::WebAssemblyFunctionCell::createStructure):
1110         * wasm/js/WebAssemblyFunctionCell.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.h.
1111         (JSC::WebAssemblyFunctionCell::function):
1112         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1113         (JSC::constructJSWebAssemblyInstance):
1114         * wasm/js/WebAssemblyModuleConstructor.cpp:
1115         (JSC::constructJSWebAssemblyModule):
1116         * wasm/js/WebAssemblyModuleRecord.cpp: Added.
1117         (JSC::WebAssemblyModuleRecord::createStructure):
1118         (JSC::WebAssemblyModuleRecord::create):
1119         (JSC::WebAssemblyModuleRecord::WebAssemblyModuleRecord):
1120         (JSC::WebAssemblyModuleRecord::destroy):
1121         (JSC::WebAssemblyModuleRecord::finishCreation):
1122         (JSC::WebAssemblyModuleRecord::visitChildren):
1123         (JSC::WebAssemblyModuleRecord::link):
1124         (JSC::WebAssemblyModuleRecord::evaluate):
1125         * wasm/js/WebAssemblyModuleRecord.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyModule.h.
1126
1127 2016-11-29  Saam Barati  <sbarati@apple.com>
1128
1129         We should be able to optimize the pattern where we spread a function's rest parameter to another call
1130         https://bugs.webkit.org/show_bug.cgi?id=163865
1131
1132         Reviewed by Filip Pizlo.
1133
1134         This patch optimizes the following patterns to prevent both the allocation
1135         of the rest parameter, and the execution of the iterator protocol:
1136         
1137         ```
1138         function foo(...args) {
1139             let arr = [...args];
1140         }
1141         
1142         and
1143         
1144         function foo(...args) {
1145             bar(...args);
1146         }
1147         ```
1148         
1149         To do this, I've extended the arguments elimination phase to reason
1150         about Spread and NewArrayWithSpread. I've added two new nodes, PhantomSpread
1151         and PhantomNewArrayWithSpread. PhantomSpread is only allowed over rest
1152         parameters that don't escape. If the rest parameter *does* escape, we can't
1153         convert the spread into a phantom because it would not be sound w.r.t. JS
1154         semantics because we would be reading from the call frame even though
1155         the rest array may have changed.
1156         
1157         Note that NewArrayWithSpread also understands what to do when one of its
1158         arguments is PhantomSpread(@PhantomCreateRest) even if it itself is escaped.
1159         
1160         PhantomNewArrayWithSpread is only allowed over a series of
1161         PhantomSpread(@PhantomCreateRest) nodes. Like with PhantomSpread, PhantomNewArrayWithSpread
1162         is only allowed if none of its arguments that are being spread are escaped
1163         and if it itself is not escaped.
1164         
1165         Because there is a dependency between a node being a candidate and
1166         the escaped state of the node's children, I've extended the notion
1167         of escaping a node inside the arguments elimination phase. Now, when
1168         any node is escaped, we must consider all other candidates that may
1169         now no longer be valid.
1170         
1171         For example:
1172         
1173         ```
1174         function foo(...args) {
1175             escape(args);
1176             bar(...args);
1177         }
1178         ```
1179         
1180         In the above program, we don't know if the function call to escape()
1181         modifies args, therefore, the spread can not become phantom because
1182         the execution of the spread may not be as simple as reading the
1183         arguments from the call frame.
1184         
1185         Unfortunately, the arguments elimination phase does not consider control
1186         flow when doing its escape analysis. It would be good to integrate this
1187         phase with the object allocation sinking phase. To see why, consider
1188         an example where we don't eliminate the spread and allocation of the rest
1189         parameter even though we could:
1190         
1191         ```
1192         function foo(rareCondition, ...args) {
1193             bar(...args);
1194             if (rareCondition)
1195                 baz(args);
1196         }
1197         ```
1198         
1199         There are only a few users of the PhantomSpread and PhantomNewArrayWithSpread
1200         nodes. PhantomSpread is only used by PhantomNewArrayWithSpread and NewArrayWithSpread.
1201         PhantomNewArrayWithSpread is only used by ForwardVarargs and the various
1202         *Call*ForwardVarargs nodes. The users of these phantoms know how to produce
1203         what the phantom node would have produced. For example, NewArrayWithSpread
1204         knows how to produce the values that would have been produced by PhantomSpread(@PhantomCreateRest)
1205         by directly reading from the call frame.
1206         
1207         This patch is a 6% speedup on my MBP on ES6SampleBench.
1208
1209         * b3/B3LowerToAir.cpp:
1210         (JSC::B3::Air::LowerToAir::tryAppendLea):
1211         * b3/B3ValueRep.h:
1212         * builtins/BuiltinExecutables.cpp:
1213         (JSC::BuiltinExecutables::createDefaultConstructor):
1214         * dfg/DFGAbstractInterpreterInlines.h:
1215         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1216         * dfg/DFGArgumentsEliminationPhase.cpp:
1217         * dfg/DFGClobberize.h:
1218         (JSC::DFG::clobberize):
1219         * dfg/DFGDoesGC.cpp:
1220         (JSC::DFG::doesGC):
1221         * dfg/DFGFixupPhase.cpp:
1222         (JSC::DFG::FixupPhase::fixupNode):
1223         * dfg/DFGForAllKills.h:
1224         (JSC::DFG::forAllKillsInBlock):
1225         * dfg/DFGNode.h:
1226         (JSC::DFG::Node::hasConstant):
1227         (JSC::DFG::Node::constant):
1228         (JSC::DFG::Node::bitVector):
1229         (JSC::DFG::Node::isPhantomAllocation):
1230         * dfg/DFGNodeType.h:
1231         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
1232         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
1233         (JSC::DFG::LocalOSRAvailabilityCalculator::LocalOSRAvailabilityCalculator):
1234         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
1235         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
1236         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1237         * dfg/DFGPreciseLocalClobberize.h:
1238         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1239         * dfg/DFGPredictionPropagationPhase.cpp:
1240         * dfg/DFGPromotedHeapLocation.cpp:
1241         (WTF::printInternal):
1242         * dfg/DFGPromotedHeapLocation.h:
1243         * dfg/DFGSafeToExecute.h:
1244         (JSC::DFG::safeToExecute):
1245         * dfg/DFGSpeculativeJIT32_64.cpp:
1246         (JSC::DFG::SpeculativeJIT::compile):
1247         * dfg/DFGSpeculativeJIT64.cpp:
1248         (JSC::DFG::SpeculativeJIT::compile):
1249         * dfg/DFGValidate.cpp:
1250         * ftl/FTLCapabilities.cpp:
1251         (JSC::FTL::canCompile):
1252         * ftl/FTLLowerDFGToB3.cpp:
1253         (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
1254         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1255         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
1256         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
1257         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
1258         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
1259         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs):
1260         (JSC::FTL::DFG::LowerDFGToB3::getSpreadLengthFromInlineCallFrame):
1261         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread):
1262         * ftl/FTLOperations.cpp:
1263         (JSC::FTL::operationPopulateObjectInOSR):
1264         (JSC::FTL::operationMaterializeObjectInOSR):
1265         * jit/SetupVarargsFrame.cpp:
1266         (JSC::emitSetupVarargsFrameFastCase):
1267         * jsc.cpp:
1268         (GlobalObject::finishCreation):
1269         (functionMaxArguments):
1270         * runtime/JSFixedArray.h:
1271         (JSC::JSFixedArray::createFromArray):
1272
1273 2016-11-29  Commit Queue  <commit-queue@webkit.org>
1274
1275         Unreviewed, rolling out r209058 and r209074.
1276         https://bugs.webkit.org/show_bug.cgi?id=165188
1277
1278         These changes caused API test StringBuilderTest.Equal to crash
1279         and/or fail. (Requested by ryanhaddad on #webkit).
1280
1281         Reverted changesets:
1282
1283         "Streamline and speed up tokenizer and segmented string
1284         classes"
1285         https://bugs.webkit.org/show_bug.cgi?id=165003
1286         http://trac.webkit.org/changeset/209058
1287
1288         "REGRESSION (r209058): API test StringBuilderTest.Equal
1289         crashing"
1290         https://bugs.webkit.org/show_bug.cgi?id=165142
1291         http://trac.webkit.org/changeset/209074
1292
1293 2016-11-29  Caitlin Potter  <caitp@igalia.com>
1294
1295         [JSC] always wrap AwaitExpression operand in a new Promise
1296         https://bugs.webkit.org/show_bug.cgi?id=165181
1297
1298         Reviewed by Yusuke Suzuki.
1299
1300         Ensure operand of AwaitExpression is wrapped in a new Promise by
1301         explicitly creating a new Promise Capability and invoking its
1302         resolve callback. This avoids the specified short-circuit for
1303         Promise.resolve().
1304
1305         * builtins/AsyncFunctionPrototype.js:
1306         (globalPrivate.asyncFunctionResume):
1307
1308 2016-11-29  Saam Barati  <sbarati@apple.com>
1309
1310         We should support CreateThis in the FTL
1311         https://bugs.webkit.org/show_bug.cgi?id=164904
1312
1313         Reviewed by Geoffrey Garen.
1314
1315         * ftl/FTLAbstractHeapRepository.h:
1316         * ftl/FTLCapabilities.cpp:
1317         (JSC::FTL::canCompile):
1318         * ftl/FTLLowerDFGToB3.cpp:
1319         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1320         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1321         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1322         (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis):
1323         (JSC::FTL::DFG::LowerDFGToB3::storeStructure):
1324         (JSC::FTL::DFG::LowerDFGToB3::allocateCell):
1325         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1326         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
1327         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
1328         * runtime/Structure.h:
1329
1330 2016-11-29  Mark Lam  <mark.lam@apple.com>
1331
1332         Fix exception scope verification failures in runtime/RegExp* files.
1333         https://bugs.webkit.org/show_bug.cgi?id=165054
1334
1335         Reviewed by Saam Barati.
1336
1337         Also replaced returning JSValue() with returning { }.
1338
1339         * runtime/RegExpConstructor.cpp:
1340         (JSC::toFlags):
1341         (JSC::regExpCreate):
1342         (JSC::constructRegExp):
1343         * runtime/RegExpObject.cpp:
1344         (JSC::RegExpObject::defineOwnProperty):
1345         (JSC::collectMatches):
1346         (JSC::RegExpObject::matchGlobal):
1347         * runtime/RegExpObjectInlines.h:
1348         (JSC::getRegExpObjectLastIndexAsUnsigned):
1349         (JSC::RegExpObject::execInline):
1350         (JSC::RegExpObject::matchInline):
1351         * runtime/RegExpPrototype.cpp:
1352         (JSC::regExpProtoFuncCompile):
1353         (JSC::flagsString):
1354         (JSC::regExpProtoFuncToString):
1355         (JSC::regExpProtoFuncSplitFast):
1356
1357 2016-11-29  Andy Estes  <aestes@apple.com>
1358
1359         [Cocoa] Enable two clang warnings recommended by Xcode
1360         https://bugs.webkit.org/show_bug.cgi?id=164498
1361
1362         Reviewed by Mark Lam.
1363
1364         * Configurations/Base.xcconfig: Enabled CLANG_WARN_INFINITE_RECURSION and CLANG_WARN_SUSPICIOUS_MOVE.
1365
1366 2016-11-29  Keith Miller  <keith_miller@apple.com>
1367
1368         Add simple way to implement Wasm ops that require more than one B3 opcode
1369         https://bugs.webkit.org/show_bug.cgi?id=165129
1370
1371         Reviewed by Geoffrey Garen.
1372
1373         This patch adds a simple way to show the B3IRGenerator opcode script how
1374         to generate code for Wasm opcodes that do not have a one to one mapping.
1375         The syntax is pretty simple right now. There are only three things one
1376         can use as of this patch (although more things might be added in the future):
1377         1) Wasm opcode arguments: These are referred to as @<argument_number>. For example,
1378            I32.sub would map to Sub(@0, @1).
1379         2) 32-bit int constants: These are referred to as i32(<value>). For example, i32.inc
1380            would map to Add(@0, i32(1)).
1381         3) B3 opcodes: These are referred to as the B3 opcode name followed by the B3Value's constructor
1382            arguments. A value may take the result of another value as an argument. For example, you can do
1383            Div(Mul(@0, Add(@0, i32(1))), i32(2)) if there were a B3 opcode that computed the sum from 1 to n.
1384
1385         These scripts are used to implement Wasm's eqz and floating point max/min opcodes. This patch
1386         also adds missing support for the Wasm Neg opcodes.
1387
1388         * jsc.cpp:
1389         (box):
1390         (functionTestWasmModuleFunctions):
1391         * wasm/WasmB3IRGenerator.cpp:
1392         (JSC::Wasm::toB3Op): Deleted.
1393         * wasm/WasmFunctionParser.h:
1394         (JSC::Wasm::FunctionParser<Context>::parseBody):
1395         * wasm/WasmModuleParser.cpp:
1396         (JSC::Wasm::ModuleParser::parseType):
1397         * wasm/WasmParser.h:
1398         (JSC::Wasm::Parser::parseUInt8):
1399         (JSC::Wasm::Parser::parseValueType):
1400         * wasm/generateWasmB3IRGeneratorInlinesHeader.py:
1401         (Source):
1402         (Source.__init__):
1403         (read):
1404         (lex):
1405         (CodeGenerator):
1406         (CodeGenerator.__init__):
1407         (CodeGenerator.advance):
1408         (CodeGenerator.token):
1409         (CodeGenerator.parseError):
1410         (CodeGenerator.consume):
1411         (CodeGenerator.generateParameters):
1412         (CodeGenerator.generateOpcode):
1413         (CodeGenerator.generate):
1414         (temp):
1415         (generateB3OpCode):
1416         (generateI32ConstCode):
1417         (generateB3Code):
1418         (generateSimpleCode):
1419         * wasm/wasm.json:
1420
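The opcode script described in the entry above, as an added example that is not part of this ChangeLog entry or of generateWasmB3IRGeneratorInlinesHeader.py: a small Python parser for the three constructs (@<n> arguments, i32(<value>) constants, nested B3 opcode calls), a check that every @<n> stays within the Wasm opcode's operand count, and a flattening step that assigns one temporary per B3 value, children before parents. The C++-looking output lines and all function names are illustrative assumptions, not the generator's real output.

```python
import re
from dataclasses import dataclass, field
from typing import List, Union

# Grammar of the opcode script as the entry describes it (added example,
# not the project's generator):
#   value := '@' index | 'i32' '(' integer ')' | OPCODE '(' value (',' value)* ')'


@dataclass
class Arg:            # @<n>: the n-th operand of the Wasm opcode
    index: int


@dataclass
class I32Const:       # i32(<value>): a 32-bit integer constant
    value: int


@dataclass
class B3Op:           # OPCODE(...): a B3 value built from its children
    opcode: str
    args: List['Node'] = field(default_factory=list)


Node = Union[Arg, I32Const, B3Op]

_TOKEN = re.compile(r'@\d+|[A-Za-z_]\w*|-?\d+|[(),]')


def lex(script: str) -> List[str]:
    """Split a script into tokens, rejecting any character the grammar does not know."""
    tokens = _TOKEN.findall(script)
    # Anything the token pattern skipped is a character the grammar does not allow.
    if ''.join(tokens) != re.sub(r'\s+', '', script):
        raise SyntaxError('unexpected characters in opcode script: %r' % script)
    return tokens


class _Parser:
    def __init__(self, tokens: List[str]):
        self.tokens, self.pos = tokens, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def consume(self, expected=None) -> str:
        tok = self.peek()
        if tok is None:
            raise SyntaxError('unexpected end of opcode script')
        if expected is not None and tok != expected:
            raise SyntaxError('expected %r but found %r' % (expected, tok))
        self.pos += 1
        return tok

    def value(self) -> Node:
        tok = self.consume()
        if tok.startswith('@'):
            return Arg(int(tok[1:]))
        if tok == 'i32':
            self.consume('(')
            const = I32Const(int(self.consume()))
            self.consume(')')
            return const
        if re.fullmatch(r'[A-Za-z_]\w*', tok):
            # A B3 opcode: its constructor arguments are themselves values.
            self.consume('(')
            args = [self.value()]
            while self.peek() == ',':
                self.consume(',')
                args.append(self.value())
            self.consume(')')
            return B3Op(tok, args)
        raise SyntaxError('unexpected token %r' % tok)


def parse(script: str) -> Node:
    parser = _Parser(lex(script))
    node = parser.value()
    if parser.peek() is not None:
        raise SyntaxError('trailing tokens after %r' % ' '.join(parser.tokens[:parser.pos]))
    return node


def check_arguments(node: Node, arity: int) -> None:
    """Reject @<n> references outside the Wasm opcode's declared operand count."""
    if isinstance(node, Arg):
        if not 0 <= node.index < arity:
            raise ValueError('@%d is out of range for an opcode with %d operand(s)'
                             % (node.index, arity))
    elif isinstance(node, B3Op):
        for child in node.args:
            check_arguments(child, arity)


def generate(node: Node, arity: int) -> List[str]:
    """Flatten the tree into one temporary per B3 value; children are emitted first.
    The C++ shape of each line is only illustrative (assumption, not the real output)."""
    check_arguments(node, arity)
    lines: List[str] = []

    def emit(n: Node) -> str:
        if isinstance(n, Arg):
            return 'args[%d]' % n.index          # operands are already B3 values
        if isinstance(n, I32Const):
            expr = 'constant(Int32, %d)' % n.value
        else:
            expr = '%s(%s)' % (n.opcode, ', '.join(emit(child) for child in n.args))
        name = 'temp%d' % len(lines)             # numbered after the children
        lines.append('Value* %s = %s;' % (name, expr))
        return name

    emit(node)
    return lines
```
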
1421 2016-11-29  Mark Lam  <mark.lam@apple.com>
1422
1423         Fix exception scope verification failures in ProxyConstructor.cpp and ProxyObject.cpp.
1424         https://bugs.webkit.org/show_bug.cgi?id=165053
1425
1426         Reviewed by Saam Barati.
1427
1428         Also replaced returning JSValue() with returning { }.
1429
1430         * runtime/ProxyConstructor.cpp:
1431         (JSC::constructProxyObject):
1432         * runtime/ProxyObject.cpp:
1433         (JSC::ProxyObject::structureForTarget):
1434         (JSC::performProxyGet):
1435         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1436         (JSC::ProxyObject::performHasProperty):
1437         (JSC::ProxyObject::getOwnPropertySlotCommon):
1438         (JSC::ProxyObject::performPut):
1439         (JSC::ProxyObject::putByIndexCommon):
1440         (JSC::performProxyCall):
1441         (JSC::performProxyConstruct):
1442         (JSC::ProxyObject::performDelete):
1443         (JSC::ProxyObject::performPreventExtensions):
1444         (JSC::ProxyObject::performIsExtensible):
1445         (JSC::ProxyObject::performDefineOwnProperty):
1446         (JSC::ProxyObject::performGetOwnPropertyNames):
1447         (JSC::ProxyObject::performSetPrototype):
1448         (JSC::ProxyObject::performGetPrototype):
1449
1450 2016-11-28  Matt Baker  <mattbaker@apple.com>
1451
1452         Web Inspector: Debugger should have an option for showing asynchronous call stacks
1453         https://bugs.webkit.org/show_bug.cgi?id=163230
1454         <rdar://problem/28698683>
1455
1456         Reviewed by Joseph Pecoraro.
1457
1458         * inspector/ScriptCallFrame.cpp:
1459         (Inspector::ScriptCallFrame::isNative):
1460         Encapsulate check for native code source URL.
1461
1462         * inspector/ScriptCallFrame.h:
1463         * inspector/ScriptCallStack.cpp:
1464         (Inspector::ScriptCallStack::firstNonNativeCallFrame):
1465         (Inspector::ScriptCallStack::buildInspectorArray):
1466         * inspector/ScriptCallStack.h:
1467         Replace use of Console::StackTrace with Array<Console::CallFrame>.
1468
1469         * inspector/agents/InspectorDebuggerAgent.cpp:
1470         (Inspector::InspectorDebuggerAgent::disable):
1471         (Inspector::InspectorDebuggerAgent::setAsyncStackTraceDepth):
1472         Set number of async frames to store (including boundary frames).
1473         A value of zero disables recording of async call stacks.
1474
1475         (Inspector::InspectorDebuggerAgent::buildAsyncStackTrace):
1476         Helper function for building a linked list of StackTraces.
1477         (Inspector::InspectorDebuggerAgent::didScheduleAsyncCall):
1478         Store a call stack for the script that scheduled the async call.
1479         If the call repeats (e.g. setInterval), the starting reference count is
1480         set to 1. This ensures that dereffing after dispatch won't clear the stack.
1481         If another async call is currently being dispatched, increment the
1482         AsyncCallData reference count for that call.
1483
1484         (Inspector::InspectorDebuggerAgent::didCancelAsyncCall):
1485         Decrement the reference count for the canceled call.
1486
1487         (Inspector::InspectorDebuggerAgent::willDispatchAsyncCall):
1488         Set the identifier for the async callback currently being dispatched,
1489         so that if the debugger pauses during dispatch a stack trace can be
1490         associated with the pause location. If an async call is already being
1491         dispatched, which could be the case when a script schedules an async
1492         call in a nested runloop, do nothing.
1493
1494         (Inspector::InspectorDebuggerAgent::didDispatchAsyncCall):
1495         Decrement the reference count for the canceled call.
1496         (Inspector::InspectorDebuggerAgent::didPause):
1497         If a stored stack trace exists for this location, convert to a protocol
1498         object and send to the frontend.
1499
1500         (Inspector::InspectorDebuggerAgent::didClearGlobalObject):
1501         (Inspector::InspectorDebuggerAgent::clearAsyncStackTraceData):
1502         (Inspector::InspectorDebuggerAgent::refAsyncCallData):
1503         Increment AsyncCallData reference count.
1504         (Inspector::InspectorDebuggerAgent::derefAsyncCallData):
1505         Decrement AsyncCallData reference count. If zero, deref its parent
1506         (if it exists) and remove the AsyncCallData entry.
1507
1508         * inspector/agents/InspectorDebuggerAgent.h:
1509
1510         * inspector/protocol/Console.json:
1511         * inspector/protocol/Network.json:
1512         Replace use of Console.StackTrace with array of Console.CallFrame.
1513
1514         * inspector/protocol/Debugger.json:
1515         New protocol command and event data.
1516
1517 2016-11-28  Darin Adler  <darin@apple.com>
1518
1519         Streamline and speed up tokenizer and segmented string classes
1520         https://bugs.webkit.org/show_bug.cgi?id=165003
1521
1522         Reviewed by Sam Weinig.
1523
1524         * runtime/JSONObject.cpp:
1525         (JSC::Stringifier::appendStringifiedValue): Use viewWithUnderlyingString when calling
1526         StringBuilder::appendQuotedJSONString, since it now takes a StringView and there is
1527         no benefit in creating a String for that function if one doesn't already exist.
1528
1529 2016-11-21  Mark Lam  <mark.lam@apple.com>
1530
1531         Fix exception scope verification failures in runtime/Intl* files.
1532         https://bugs.webkit.org/show_bug.cgi?id=165014
1533
1534         Reviewed by Saam Barati.
1535
1536         * runtime/IntlCollatorConstructor.cpp:
1537         (JSC::constructIntlCollator):
1538         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
1539         * runtime/IntlCollatorPrototype.cpp:
1540         (JSC::IntlCollatorPrototypeFuncResolvedOptions):
1541         * runtime/IntlDateTimeFormatConstructor.cpp:
1542         (JSC::constructIntlDateTimeFormat):
1543         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
1544         * runtime/IntlDateTimeFormatPrototype.cpp:
1545         (JSC::IntlDateTimeFormatFuncFormatDateTime):
1546         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
1547         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
1548         * runtime/IntlNumberFormatConstructor.cpp:
1549         (JSC::constructIntlNumberFormat):
1550         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
1551         * runtime/IntlNumberFormatPrototype.cpp:
1552         (JSC::IntlNumberFormatFuncFormatNumber):
1553         (JSC::IntlNumberFormatPrototypeGetterFormat):
1554         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
1555         * runtime/IntlObject.cpp:
1556         (JSC::lookupSupportedLocales):
1557         * runtime/IntlObjectInlines.h:
1558         (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
1559
1560 2016-11-28  Mark Lam  <mark.lam@apple.com>
1561
1562         Fix exception scope verification failures in IteratorOperations.h.
1563         https://bugs.webkit.org/show_bug.cgi?id=165015
1564
1565         Reviewed by Saam Barati.
1566
1567         * runtime/IteratorOperations.h:
1568         (JSC::forEachInIterable):
1569
1570 2016-11-28  Mark Lam  <mark.lam@apple.com>
1571
1572         Fix exception scope verification failures in JSArray* files.
1573         https://bugs.webkit.org/show_bug.cgi?id=165016
1574
1575         Reviewed by Saam Barati.
1576
1577         * runtime/JSArray.cpp:
1578         (JSC::JSArray::defineOwnProperty):
1579         (JSC::JSArray::put):
1580         (JSC::JSArray::setLength):
1581         (JSC::JSArray::pop):
1582         (JSC::JSArray::push):
1583         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1584         * runtime/JSArrayBuffer.cpp:
1585         (JSC::JSArrayBuffer::put):
1586         (JSC::JSArrayBuffer::defineOwnProperty):
1587         * runtime/JSArrayInlines.h:
1588         (JSC::getLength):
1589         (JSC::toLength):
1590
1591 2016-11-28  Mark Lam  <mark.lam@apple.com>
1592
1593         Fix exception scope verification failures in JSDataView.cpp.
1594         https://bugs.webkit.org/show_bug.cgi?id=165020
1595
1596         Reviewed by Saam Barati.
1597
1598         * runtime/JSDataView.cpp:
1599         (JSC::JSDataView::put):
1600
1601 2016-11-28  Mark Lam  <mark.lam@apple.com>
1602
1603         Fix exception scope verification failures in JSFunction.cpp.
1604         https://bugs.webkit.org/show_bug.cgi?id=165021
1605
1606         Reviewed by Saam Barati.
1607
1608         * runtime/JSFunction.cpp:
1609         (JSC::JSFunction::put):
1610         (JSC::JSFunction::defineOwnProperty):
1611
1612 2016-11-28  Mark Lam  <mark.lam@apple.com>
1613
1614         Fix exception scope verification failures in runtime/JSGenericTypedArrayView* files.
1615         https://bugs.webkit.org/show_bug.cgi?id=165022
1616
1617         Reviewed by Saam Barati.
1618
1619         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1620         (JSC::constructGenericTypedArrayViewFromIterator):
1621         (JSC::constructGenericTypedArrayViewWithArguments):
1622         (JSC::constructGenericTypedArrayView):
1623         * runtime/JSGenericTypedArrayViewInlines.h:
1624         (JSC::JSGenericTypedArrayView<Adaptor>::set):
1625         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
1626         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1627         (JSC::speciesConstruct):
1628         (JSC::genericTypedArrayViewProtoFuncSet):
1629         (JSC::genericTypedArrayViewProtoFuncJoin):
1630         (JSC::genericTypedArrayViewProtoFuncSlice):
1631         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
1632
1633 2016-11-28  Mark Lam  <mark.lam@apple.com>
1634
1635         Fix exception scope verification failures in runtime/Operations.cpp/h.
1636         https://bugs.webkit.org/show_bug.cgi?id=165046
1637
1638         Reviewed by Saam Barati.
1639
1640         Also switched to using returning { } instead of JSValue().
1641
1642         * runtime/Operations.cpp:
1643         (JSC::jsAddSlowCase):
1644         (JSC::jsIsObjectTypeOrNull):
1645         * runtime/Operations.h:
1646         (JSC::jsStringFromRegisterArray):
1647         (JSC::jsStringFromArguments):
1648         (JSC::jsLess):
1649         (JSC::jsLessEq):
1650
1651 2016-11-28  Mark Lam  <mark.lam@apple.com>
1652
1653         Fix exception scope verification failures in JSScope.cpp.
1654         https://bugs.webkit.org/show_bug.cgi?id=165047
1655
1656         Reviewed by Saam Barati.
1657
1658         * runtime/JSScope.cpp:
1659         (JSC::JSScope::resolve):
1660
1661 2016-11-28  Mark Lam  <mark.lam@apple.com>
1662
1663         Fix exception scope verification failures in JSTypedArrayViewPrototype.cpp.
1664         https://bugs.webkit.org/show_bug.cgi?id=165049
1665
1666         Reviewed by Saam Barati.
1667
1668         * runtime/JSTypedArrayViewPrototype.cpp:
1669         (JSC::typedArrayViewPrivateFuncSort):
1670         (JSC::typedArrayViewProtoFuncSet):
1671         (JSC::typedArrayViewProtoFuncCopyWithin):
1672         (JSC::typedArrayViewProtoFuncIncludes):
1673         (JSC::typedArrayViewProtoFuncLastIndexOf):
1674         (JSC::typedArrayViewProtoFuncIndexOf):
1675         (JSC::typedArrayViewProtoFuncJoin):
1676         (JSC::typedArrayViewProtoGetterFuncBuffer):
1677         (JSC::typedArrayViewProtoGetterFuncLength):
1678         (JSC::typedArrayViewProtoGetterFuncByteLength):
1679         (JSC::typedArrayViewProtoGetterFuncByteOffset):
1680         (JSC::typedArrayViewProtoFuncReverse):
1681         (JSC::typedArrayViewPrivateFuncSubarrayCreate):
1682         (JSC::typedArrayViewProtoFuncSlice):
1683
1684 2016-11-28  Mark Lam  <mark.lam@apple.com>
1685
1686         Fix exception scope verification failures in runtime/Map* files.
1687         https://bugs.webkit.org/show_bug.cgi?id=165050
1688
1689         Reviewed by Saam Barati.
1690
1691         * runtime/MapConstructor.cpp:
1692         (JSC::constructMap):
1693         * runtime/MapIteratorPrototype.cpp:
1694         (JSC::MapIteratorPrototypeFuncNext):
1695         * runtime/MapPrototype.cpp:
1696         (JSC::privateFuncMapIteratorNext):
1697
1698 2016-11-28  Mark Lam  <mark.lam@apple.com>
1699
1700         Fix exception scope verification failures in more miscellaneous files.
1701         https://bugs.webkit.org/show_bug.cgi?id=165102
1702
1703         Reviewed by Saam Barati.
1704
1705         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1706         (JSC::constructJSWebAssemblyInstance):
1707
1708 2016-11-28  Mark Lam  <mark.lam@apple.com>
1709
1710         Fix exception scope verification failures in runtime/Weak* files.
1711         https://bugs.webkit.org/show_bug.cgi?id=165096
1712
1713         Reviewed by Geoffrey Garen.
1714
1715         * runtime/WeakMapConstructor.cpp:
1716         (JSC::constructWeakMap):
1717         * runtime/WeakMapPrototype.cpp:
1718         (JSC::protoFuncWeakMapSet):
1719         * runtime/WeakSetConstructor.cpp:
1720         (JSC::constructWeakSet):
1721         * runtime/WeakSetPrototype.cpp:
1722         (JSC::protoFuncWeakSetAdd):
1723
1724 2016-11-28  Mark Lam  <mark.lam@apple.com>
1725
1726         Fix exception scope verification failures in runtime/String* files.
1727         https://bugs.webkit.org/show_bug.cgi?id=165067
1728
1729         Reviewed by Saam Barati.
1730
1731         * runtime/StringConstructor.cpp:
1732         (JSC::stringFromCodePoint):
1733         (JSC::constructWithStringConstructor):
1734         * runtime/StringObject.cpp:
1735         (JSC::StringObject::put):
1736         (JSC::StringObject::putByIndex):
1737         (JSC::StringObject::defineOwnProperty):
1738         * runtime/StringPrototype.cpp:
1739         (JSC::jsSpliceSubstrings):
1740         (JSC::jsSpliceSubstringsWithSeparators):
1741         (JSC::replaceUsingRegExpSearch):
1742         (JSC::replaceUsingStringSearch):
1743         (JSC::repeatCharacter):
1744         (JSC::replace):
1745         (JSC::stringProtoFuncReplaceUsingStringSearch):
1746         (JSC::stringProtoFuncCharAt):
1747         (JSC::stringProtoFuncCodePointAt):
1748         (JSC::stringProtoFuncConcat):
1749         (JSC::stringProtoFuncIndexOf):
1750         (JSC::stringProtoFuncLastIndexOf):
1751         (JSC::splitStringByOneCharacterImpl):
1752         (JSC::stringProtoFuncSplitFast):
1753         (JSC::stringProtoFuncSubstring):
1754         (JSC::stringProtoFuncToLowerCase):
1755         (JSC::stringProtoFuncToUpperCase):
1756         (JSC::toLocaleCase):
1757         (JSC::trimString):
1758         (JSC::stringProtoFuncIncludes):
1759         (JSC::builtinStringIncludesInternal):
1760         (JSC::stringProtoFuncIterator):
1761         (JSC::normalize):
1762         (JSC::stringProtoFuncNormalize):
1763
1764 2016-11-28  Mark Lam  <mark.lam@apple.com>
1765
1766         Fix exception scope verification failures in ObjectConstructor.cpp and ObjectPrototype.cpp.
1767         https://bugs.webkit.org/show_bug.cgi?id=165051
1768
1769         Reviewed by Saam Barati.
1770
1771         Also,
1772         1. Replaced returning JSValue() with returning { }.
1773         2. Replaced uses of exec->propertyNames() with vm.propertyNames.
1774
1775         * runtime/ObjectConstructor.cpp:
1776         (JSC::constructObject):
1777         (JSC::objectConstructorGetPrototypeOf):
1778         (JSC::objectConstructorGetOwnPropertyDescriptor):
1779         (JSC::objectConstructorGetOwnPropertyDescriptors):
1780         (JSC::objectConstructorGetOwnPropertyNames):
1781         (JSC::objectConstructorGetOwnPropertySymbols):
1782         (JSC::objectConstructorKeys):
1783         (JSC::ownEnumerablePropertyKeys):
1784         (JSC::toPropertyDescriptor):
1785         (JSC::defineProperties):
1786         (JSC::objectConstructorDefineProperties):
1787         (JSC::objectConstructorCreate):
1788         (JSC::setIntegrityLevel):
1789         (JSC::objectConstructorSeal):
1790         (JSC::objectConstructorPreventExtensions):
1791         (JSC::objectConstructorIsSealed):
1792         (JSC::objectConstructorIsFrozen):
1793         (JSC::ownPropertyKeys):
1794         * runtime/ObjectPrototype.cpp:
1795         (JSC::objectProtoFuncValueOf):
1796         (JSC::objectProtoFuncHasOwnProperty):
1797         (JSC::objectProtoFuncIsPrototypeOf):
1798         (JSC::objectProtoFuncDefineGetter):
1799         (JSC::objectProtoFuncDefineSetter):
1800         (JSC::objectProtoFuncLookupGetter):
1801         (JSC::objectProtoFuncLookupSetter):
1802         (JSC::objectProtoFuncToLocaleString):
1803         (JSC::objectProtoFuncToString):
1804
1805 2016-11-26  Mark Lam  <mark.lam@apple.com>
1806
1807         Fix exception scope verification failures in miscellaneous files.
1808         https://bugs.webkit.org/show_bug.cgi?id=165055
1809
1810         Reviewed by Saam Barati.
1811
1812         * runtime/MathObject.cpp:
1813         (JSC::mathProtoFuncIMul):
1814         * runtime/ModuleLoaderPrototype.cpp:
1815         (JSC::moduleLoaderPrototypeParseModule):
1816         (JSC::moduleLoaderPrototypeRequestedModules):
1817         * runtime/NativeErrorConstructor.cpp:
1818         (JSC::Interpreter::constructWithNativeErrorConstructor):
1819         * runtime/NumberConstructor.cpp:
1820         (JSC::constructWithNumberConstructor):
1821         * runtime/SetConstructor.cpp:
1822         (JSC::constructSet):
1823         * runtime/SetIteratorPrototype.cpp:
1824         (JSC::SetIteratorPrototypeFuncNext):
1825         * runtime/SparseArrayValueMap.cpp:
1826         (JSC::SparseArrayValueMap::putEntry):
1827         (JSC::SparseArrayEntry::put):
1828         * runtime/TemplateRegistry.cpp:
1829         (JSC::TemplateRegistry::getTemplateObject):
1830
1831 2016-11-28  Mark Lam  <mark.lam@apple.com>
1832
1833         Fix exception scope verification failures in ReflectObject.cpp.
1834         https://bugs.webkit.org/show_bug.cgi?id=165066
1835
1836         Reviewed by Saam Barati.
1837
1838         * runtime/ReflectObject.cpp:
1839         (JSC::reflectObjectConstruct):
1840         (JSC::reflectObjectDefineProperty):
1841         (JSC::reflectObjectEnumerate):
1842         (JSC::reflectObjectGet):
1843         (JSC::reflectObjectGetOwnPropertyDescriptor):
1844         (JSC::reflectObjectGetPrototypeOf):
1845         (JSC::reflectObjectOwnKeys):
1846         (JSC::reflectObjectSet):
1847
1848 2016-11-24  Mark Lam  <mark.lam@apple.com>
1849
1850         Fix exception scope verification failures in ArrayConstructor.cpp and ArrayPrototype.cpp.
1851         https://bugs.webkit.org/show_bug.cgi?id=164972
1852
1853         Reviewed by Geoffrey Garen.
1854
1855         * runtime/ArrayConstructor.cpp:
1856         (JSC::constructArrayWithSizeQuirk):
1857         * runtime/ArrayPrototype.cpp:
1858         (JSC::getProperty):
1859         (JSC::putLength):
1860         (JSC::speciesWatchpointsValid):
1861         (JSC::speciesConstructArray):
1862         (JSC::shift):
1863         (JSC::unshift):
1864         (JSC::arrayProtoFuncToString):
1865         (JSC::arrayProtoFuncToLocaleString):
1866         (JSC::slowJoin):
1867         (JSC::fastJoin):
1868         (JSC::arrayProtoFuncJoin):
1869         (JSC::arrayProtoFuncPop):
1870         (JSC::arrayProtoFuncPush):
1871         (JSC::arrayProtoFuncReverse):
1872         (JSC::arrayProtoFuncShift):
1873         (JSC::arrayProtoFuncSlice):
1874         (JSC::arrayProtoFuncSplice):
1875         (JSC::arrayProtoFuncUnShift):
1876         (JSC::arrayProtoFuncIndexOf):
1877         (JSC::arrayProtoFuncLastIndexOf):
1878         (JSC::concatAppendOne):
1879         (JSC::arrayProtoPrivateFuncConcatMemcpy):
1880         (JSC::ArrayPrototype::attemptToInitializeSpeciesWatchpoint):
1881
1882 2016-11-28  Mark Lam  <mark.lam@apple.com>
1883
1884         Fix exception scope verification failures in LLIntSlowPaths.cpp.
1885         https://bugs.webkit.org/show_bug.cgi?id=164969
1886
1887         Reviewed by Geoffrey Garen.
1888
1889         * llint/LLIntSlowPaths.cpp:
1890         (JSC::LLInt::getByVal):
1891         (JSC::LLInt::setUpCall):
1892         (JSC::LLInt::varargsSetup):
1893         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1894
1895 2016-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1896
1897         [WTF] Import std::optional reference implementation as WTF::Optional
1898         https://bugs.webkit.org/show_bug.cgi?id=164199
1899
1900         Reviewed by Saam Barati and Sam Weinig.
1901
1902         The previous WTF::Optional::operator= is not compatible with std::optional::operator=.
1903         std::optional::emplace has the same semantics as the previous one,
1904         so we change the code to use it.
1905
1906         * Scripts/builtins/builtins_templates.py:
1907         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
1908         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
1909         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
1910         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
1911         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
1912         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
1913         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
1914         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
1915         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
1916         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
1917         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
1918         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
1919         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
1920         * assembler/MacroAssemblerARM64.h:
1921         (JSC::MacroAssemblerARM64::commuteCompareToZeroIntoTest):
1922         * assembler/MacroAssemblerX86Common.h:
1923         (JSC::MacroAssemblerX86Common::commuteCompareToZeroIntoTest):
1924         * b3/B3CheckSpecial.cpp:
1925         (JSC::B3::CheckSpecial::forEachArg):
1926         (JSC::B3::CheckSpecial::shouldTryAliasingDef):
1927         * b3/B3CheckSpecial.h:
1928         * b3/B3LowerToAir.cpp:
1929         (JSC::B3::Air::LowerToAir::scaleForShl):
1930         (JSC::B3::Air::LowerToAir::effectiveAddr):
1931         (JSC::B3::Air::LowerToAir::tryAppendLea):
1932         * b3/B3Opcode.cpp:
1933         (JSC::B3::invertedCompare):
1934         * b3/B3Opcode.h:
1935         * b3/B3PatchpointSpecial.cpp:
1936         (JSC::B3::PatchpointSpecial::forEachArg):
1937         * b3/B3StackmapSpecial.cpp:
1938         (JSC::B3::StackmapSpecial::forEachArgImpl):
1939         * b3/B3StackmapSpecial.h:
1940         * b3/B3Value.cpp:
1941         (JSC::B3::Value::invertedCompare):
1942         * b3/air/AirArg.h:
1943         (JSC::B3::Air::Arg::isValidScale):
1944         (JSC::B3::Air::Arg::isValidAddrForm):
1945         (JSC::B3::Air::Arg::isValidIndexForm):
1946         (JSC::B3::Air::Arg::isValidForm):
1947         * b3/air/AirCustom.h:
1948         (JSC::B3::Air::PatchCustom::shouldTryAliasingDef):
1949         * b3/air/AirFixObviousSpills.cpp:
1950         * b3/air/AirInst.h:
1951         * b3/air/AirInstInlines.h:
1952         (JSC::B3::Air::Inst::shouldTryAliasingDef):
1953         * b3/air/AirIteratedRegisterCoalescing.cpp:
1954         * b3/air/AirSpecial.cpp:
1955         (JSC::B3::Air::Special::shouldTryAliasingDef):
1956         * b3/air/AirSpecial.h:
1957         * bytecode/BytecodeGeneratorification.cpp:
1958         (JSC::BytecodeGeneratorification::storageForGeneratorLocal):
1959         * bytecode/CodeBlock.cpp:
1960         (JSC::CodeBlock::findPC):
1961         (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
1962         * bytecode/CodeBlock.h:
1963         * bytecode/UnlinkedFunctionExecutable.cpp:
1964         (JSC::UnlinkedFunctionExecutable::link):
1965         * bytecode/UnlinkedFunctionExecutable.h:
1966         * bytecompiler/BytecodeGenerator.h:
1967         * bytecompiler/NodesCodegen.cpp:
1968         (JSC::PropertyListNode::emitPutConstantProperty):
1969         (JSC::ObjectPatternNode::bindValue):
1970         * debugger/Debugger.cpp:
1971         (JSC::Debugger::resolveBreakpoint):
1972         * debugger/DebuggerCallFrame.cpp:
1973         (JSC::DebuggerCallFrame::currentPosition):
1974         * debugger/DebuggerParseData.cpp:
1975         (JSC::DebuggerPausePositions::breakpointLocationForLineColumn):
1976         * debugger/DebuggerParseData.h:
1977         * debugger/ScriptProfilingScope.h:
1978         * dfg/DFGAbstractInterpreterInlines.h:
1979         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1980         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
1981         * dfg/DFGJITCode.cpp:
1982         (JSC::DFG::JITCode::findPC):
1983         * dfg/DFGJITCode.h:
1984         * dfg/DFGOperations.cpp:
1985         (JSC::DFG::operationPutByValInternal):
1986         * dfg/DFGSlowPathGenerator.h:
1987         (JSC::DFG::SlowPathGenerator::generate):
1988         * dfg/DFGSpeculativeJIT.cpp:
1989         (JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
1990         (JSC::DFG::SpeculativeJIT::emitUntypedBitOp):
1991         (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp):
1992         (JSC::DFG::SpeculativeJIT::compileMathIC):
1993         (JSC::DFG::SpeculativeJIT::compileArithDiv):
1994         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
1995         * dfg/DFGSpeculativeJIT.h:
1996         * dfg/DFGSpeculativeJIT32_64.cpp:
1997         (JSC::DFG::SpeculativeJIT::compile):
1998         * dfg/DFGSpeculativeJIT64.cpp:
1999         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2000         (JSC::DFG::SpeculativeJIT::emitBranch):
2001         (JSC::DFG::SpeculativeJIT::compile):
2002         * dfg/DFGStrengthReductionPhase.cpp:
2003         (JSC::DFG::StrengthReductionPhase::handleNode):
2004         * ftl/FTLJITCode.cpp:
2005         (JSC::FTL::JITCode::findPC):
2006         * ftl/FTLJITCode.h:
2007         * heap/Heap.cpp:
2008         (JSC::Heap::collectAsync):
2009         (JSC::Heap::collectSync):
2010         (JSC::Heap::collectInThread):
2011         (JSC::Heap::requestCollection):
2012         (JSC::Heap::willStartCollection):
2013         (JSC::Heap::didFinishCollection):
2014         (JSC::Heap::shouldDoFullCollection):
2015         * heap/Heap.h:
2016         (JSC::Heap::collectionScope):
2017         * heap/HeapSnapshot.cpp:
2018         (JSC::HeapSnapshot::nodeForCell):
2019         (JSC::HeapSnapshot::nodeForObjectIdentifier):
2020         * heap/HeapSnapshot.h:
2021         * inspector/InspectorBackendDispatcher.cpp:
2022         (Inspector::BackendDispatcher::dispatch):
2023         (Inspector::BackendDispatcher::sendPendingErrors):
2024         (Inspector::BackendDispatcher::reportProtocolError):
2025         * inspector/InspectorBackendDispatcher.h:
2026         * inspector/agents/InspectorHeapAgent.cpp:
2027         (Inspector::InspectorHeapAgent::nodeForHeapObjectIdentifier):
2028         (Inspector::InspectorHeapAgent::getPreview):
2029         (Inspector::InspectorHeapAgent::getRemoteObject):
2030         * inspector/agents/InspectorHeapAgent.h:
2031         * inspector/remote/RemoteConnectionToTarget.h:
2032         * inspector/remote/RemoteConnectionToTarget.mm:
2033         (Inspector::RemoteConnectionToTarget::targetIdentifier):
2034         (Inspector::RemoteConnectionToTarget::setup):
2035         * inspector/remote/RemoteInspector.h:
2036         * inspector/remote/RemoteInspector.mm:
2037         (Inspector::RemoteInspector::updateClientCapabilities):
2038         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2039         (_generate_declarations_for_enum_conversion_methods):
2040         (_generate_declarations_for_enum_conversion_methods.return_type_with_export_macro):
2041         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2042         (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain.generate_conversion_method_body):
2043         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2044         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2045         * inspector/scripts/tests/expected/enum-values.json-result:
2046         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2047         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2048         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
2049         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2050         * jit/JITCode.h:
2051         (JSC::JITCode::findPC):
2052         * jit/JITDivGenerator.cpp:
2053         (JSC::JITDivGenerator::generateFastPath):
2054         * jit/JITOperations.cpp:
2055         * jit/PCToCodeOriginMap.cpp:
2056         (JSC::PCToCodeOriginMap::findPC):
2057         * jit/PCToCodeOriginMap.h:
2058         * jsc.cpp:
2059         (WTF::RuntimeArray::getOwnPropertySlot):
2060         * llint/LLIntSlowPaths.cpp:
2061         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2062         * parser/ModuleAnalyzer.cpp:
2063         (JSC::ModuleAnalyzer::exportVariable):
2064         * runtime/ConcurrentJSLock.h:
2065         (JSC::ConcurrentJSLocker::ConcurrentJSLocker):
2066         * runtime/DefinePropertyAttributes.h:
2067         (JSC::DefinePropertyAttributes::writable):
2068         (JSC::DefinePropertyAttributes::configurable):
2069         (JSC::DefinePropertyAttributes::enumerable):
2070         * runtime/GenericArgumentsInlines.h:
2071         (JSC::GenericArguments<Type>::getOwnPropertySlot):
2072         (JSC::GenericArguments<Type>::put):
2073         (JSC::GenericArguments<Type>::deleteProperty):
2074         (JSC::GenericArguments<Type>::defineOwnProperty):
2075         * runtime/HasOwnPropertyCache.h:
2076         (JSC::HasOwnPropertyCache::get):
2077         * runtime/HashMapImpl.h:
2078         (JSC::concurrentJSMapHash):
2079         * runtime/Identifier.h:
2080         (JSC::parseIndex):
2081         * runtime/JSArray.cpp:
2082         (JSC::JSArray::defineOwnProperty):
2083         * runtime/JSCJSValue.cpp:
2084         (JSC::JSValue::toNumberFromPrimitive):
2085         (JSC::JSValue::putToPrimitive):
2086         * runtime/JSCJSValue.h:
2087         * runtime/JSGenericTypedArrayView.h:
2088         (JSC::JSGenericTypedArrayView::toAdaptorNativeFromValueWithoutCoercion):
2089         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2090         (JSC::constructGenericTypedArrayViewWithArguments):
2091         (JSC::constructGenericTypedArrayView):
2092         * runtime/JSGenericTypedArrayViewInlines.h:
2093         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
2094         (JSC::JSGenericTypedArrayView<Adaptor>::put):
2095         * runtime/JSModuleRecord.cpp:
2096         * runtime/JSModuleRecord.h:
2097         * runtime/JSObject.cpp:
2098         (JSC::JSObject::putDirectAccessor):
2099         (JSC::JSObject::deleteProperty):
2100         (JSC::JSObject::putDirectMayBeIndex):
2101         (JSC::JSObject::defineOwnProperty):
2102         * runtime/JSObject.h:
2103         (JSC::JSObject::getOwnPropertySlot):
2104         (JSC::JSObject::getPropertySlot):
2105         (JSC::JSObject::putOwnDataPropertyMayBeIndex):
2106         * runtime/JSObjectInlines.h:
2107         (JSC::JSObject::putInline):
2108         * runtime/JSString.cpp:
2109         (JSC::JSString::getStringPropertyDescriptor):
2110         * runtime/JSString.h:
2111         (JSC::JSString::getStringPropertySlot):
2112         * runtime/LiteralParser.cpp:
2113         (JSC::LiteralParser<CharType>::parse):
2114         * runtime/MathCommon.h:
2115         (JSC::safeReciprocalForDivByConst):
2116         * runtime/ObjectPrototype.cpp:
2117         (JSC::objectProtoFuncHasOwnProperty):
2118         * runtime/PropertyDescriptor.h:
2119         (JSC::toPropertyDescriptor):
2120         * runtime/PropertyName.h:
2121         (JSC::parseIndex):
2122         * runtime/SamplingProfiler.cpp:
2123         (JSC::SamplingProfiler::processUnverifiedStackTraces):
2124         * runtime/StringObject.cpp:
2125         (JSC::StringObject::put):
2126         (JSC::isStringOwnProperty):
2127         (JSC::StringObject::deleteProperty):
2128         * runtime/ToNativeFromValue.h:
2129         (JSC::toNativeFromValueWithoutCoercion):
2130         * runtime/TypedArrayAdaptors.h:
2131         (JSC::IntegralTypedArrayAdaptor::toNativeFromInt32WithoutCoercion):
2132         (JSC::IntegralTypedArrayAdaptor::toNativeFromUint32WithoutCoercion):
2133         (JSC::IntegralTypedArrayAdaptor::toNativeFromDoubleWithoutCoercion):
2134         (JSC::FloatTypedArrayAdaptor::toNativeFromInt32WithoutCoercion):
2135         (JSC::FloatTypedArrayAdaptor::toNativeFromDoubleWithoutCoercion):
2136         (JSC::Uint8ClampedAdaptor::toNativeFromInt32WithoutCoercion):
2137         (JSC::Uint8ClampedAdaptor::toNativeFromDoubleWithoutCoercion):
2138
2139 2016-11-26  Sam Weinig  <sam@webkit.org>
2140
2141         Convert IntersectionObserver over to using RuntimeEnabledFeatures so it can be properly excluded from script
2142         https://bugs.webkit.org/show_bug.cgi?id=164965
2143
2144         Reviewed by Simon Fraser.
2145
2146         * runtime/CommonIdentifiers.h:
2147         Add identifiers needed for RuntimeEnabledFeatures.
2148
2149 2016-11-23  Zan Dobersek  <zdobersek@igalia.com>
2150
2151         Remove ENABLE_ASSEMBLER_WX_EXCLUSIVE code
2152         https://bugs.webkit.org/show_bug.cgi?id=165027
2153
2154         Reviewed by Darin Adler.
2155
2156         Remove the code guarded with ENABLE(ASSEMBLER_WX_EXCLUSIVE).
2157         No port enables this and the guarded code doesn't build at all,
2158         so it's safe to say it's abandoned.
2159
2160         * jit/ExecutableAllocator.cpp:
2161         (JSC::ExecutableAllocator::initializeAllocator):
2162         (JSC::ExecutableAllocator::ExecutableAllocator):
2163         (JSC::ExecutableAllocator::reprotectRegion): Deleted.
2164
2165 2016-11-18  Mark Lam  <mark.lam@apple.com>
2166
2167         Fix exception scope verification failures in JSC profiler files.
2168         https://bugs.webkit.org/show_bug.cgi?id=164971
2169
2170         Reviewed by Saam Barati.
2171
2172         * profiler/ProfilerBytecodeSequence.cpp:
2173         (JSC::Profiler::BytecodeSequence::addSequenceProperties):
2174         * profiler/ProfilerCompilation.cpp:
2175         (JSC::Profiler::Compilation::toJS):
2176         * profiler/ProfilerDatabase.cpp:
2177         (JSC::Profiler::Database::toJS):
2178         (JSC::Profiler::Database::toJSON):
2179         * profiler/ProfilerOSRExitSite.cpp:
2180         (JSC::Profiler::OSRExitSite::toJS):
2181         * profiler/ProfilerOriginStack.cpp:
2182         (JSC::Profiler::OriginStack::toJS):
2183
2184 2016-11-22  Mark Lam  <mark.lam@apple.com>
2185
2186         Fix exception scope verification failures in JSONObject.cpp.
2187         https://bugs.webkit.org/show_bug.cgi?id=165025
2188
2189         Reviewed by Saam Barati.
2190
2191         * runtime/JSONObject.cpp:
2192         (JSC::gap):
2193         (JSC::Stringifier::Stringifier):
2194         (JSC::Stringifier::stringify):
2195         (JSC::Stringifier::toJSON):
2196         (JSC::Stringifier::appendStringifiedValue):
2197         (JSC::Stringifier::Holder::appendNextProperty):
2198         (JSC::Walker::walk):
2199         (JSC::JSONProtoFuncParse):
2200         (JSC::JSONProtoFuncStringify):
2201         (JSC::JSONStringify):
2202
2203 2016-11-21  Mark Lam  <mark.lam@apple.com>
2204
2205         Removed an extra space character at the end of line.
2206
2207         Not reviewed.
2208
2209         * runtime/JSCell.cpp:
2210         (JSC::JSCell::toNumber):
2211
2212 2016-11-21  Mark Lam  <mark.lam@apple.com>
2213
2214         Fix exception scope verification failures in FunctionConstructor.cpp.
2215         https://bugs.webkit.org/show_bug.cgi?id=165011
2216
2217         Reviewed by Saam Barati.
2218
2219         * runtime/FunctionConstructor.cpp:
2220         (JSC::constructFunction):
2221         (JSC::constructFunctionSkippingEvalEnabledCheck):
2222
2223 2016-11-21  Mark Lam  <mark.lam@apple.com>
2224
2225         Fix exception scope verification failures in GetterSetter.cpp.
2226         https://bugs.webkit.org/show_bug.cgi?id=165013
2227
2228         Reviewed by Saam Barati.
2229
2230         * runtime/GetterSetter.cpp:
2231         (JSC::callGetter):
2232         (JSC::callSetter):
2233
2234 2016-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2235
2236         Crash in com.apple.JavaScriptCore: WTF::ThreadSpecific<WTF::WTFThreadData, + 142
2237         https://bugs.webkit.org/show_bug.cgi?id=164898
2238
2239         Reviewed by Darin Adler.
2240
2241         The callsite object (JSArray) of a tagged template literal is managed by WeakGCMap since
2242         the same tagged template literal needs to return an identical object.
2243         The problem is that we used TemplateRegistryKey as the key of the WeakGCMap. WeakGCMap
2244         can prune its entries in the collector thread. At that time, this TemplateRegistryKey
2245         is deallocated. Since it includes String (and then, StringImpl), we accidentally call
2246         ref(), deref() and StringImpl::destroy() in a different thread from the main thread
2247         while this TemplateRegistryKey was allocated in the main thread.
2248
2249         Instead, we use TemplateRegistryKey* as the key of the WeakGCMap. Then, to keep it alive
2250         while the entry of the WeakGCMap is alive, the callsite object holds a reference to
2251         the JSTemplateRegistryKey, which in turn holds a Ref<TemplateRegistryKey>.
2252
2253         Now we need to look up the WeakGCMap with a TemplateRegistryKey*. To do so, we create an
2254         interning system for TemplateRegistryKey. It is similar to AtomicStringTable and
2255         SymbolRegistry. TemplateRegistryKey is allocated from this table. This table atomizes the
2256         TemplateRegistryKey, so we can use pointer comparison between TemplateRegistryKeys.
2257         It allows us to look up the entry in the WeakGCMap by TemplateRegistryKey*.
2258
2259         * CMakeLists.txt:
2260         * JavaScriptCore.xcodeproj/project.pbxproj:
2261         * builtins/BuiltinNames.h:
2262         * bytecompiler/BytecodeGenerator.cpp:
2263         (JSC::BytecodeGenerator::addTemplateRegistryKeyConstant):
2264         (JSC::BytecodeGenerator::emitGetTemplateObject):
2265         * bytecompiler/BytecodeGenerator.h:
2266         * runtime/JSGlobalObject.cpp:
2267         (JSC::getTemplateObject):
2268         * runtime/JSTemplateRegistryKey.cpp:
2269         (JSC::JSTemplateRegistryKey::JSTemplateRegistryKey):
2270         (JSC::JSTemplateRegistryKey::create):
2271         * runtime/JSTemplateRegistryKey.h:
2272         * runtime/TemplateRegistry.cpp:
2273         (JSC::TemplateRegistry::getTemplateObject):
2274         * runtime/TemplateRegistry.h:
2275         * runtime/TemplateRegistryKey.cpp: Copied from Source/JavaScriptCore/runtime/TemplateRegistry.h.
2276         (JSC::TemplateRegistryKey::~TemplateRegistryKey):
2277         * runtime/TemplateRegistryKey.h:
2278         (JSC::TemplateRegistryKey::calculateHash):
2279         (JSC::TemplateRegistryKey::create):
2280         (JSC::TemplateRegistryKey::TemplateRegistryKey):
2281         * runtime/TemplateRegistryKeyTable.cpp: Added.
2282         (JSC::TemplateRegistryKeyTranslator::hash):
2283         (JSC::TemplateRegistryKeyTranslator::equal):
2284         (JSC::TemplateRegistryKeyTranslator::translate):
2285         (JSC::TemplateRegistryKeyTable::~TemplateRegistryKeyTable):
2286         (JSC::TemplateRegistryKeyTable::createKey):
2287         (JSC::TemplateRegistryKeyTable::unregister):
2288         * runtime/TemplateRegistryKeyTable.h: Copied from Source/JavaScriptCore/runtime/JSTemplateRegistryKey.h.
2289         (JSC::TemplateRegistryKeyTable::KeyHash::hash):
2290         (JSC::TemplateRegistryKeyTable::KeyHash::equal):
2291         * runtime/VM.h:
2292         (JSC::VM::templateRegistryKeyTable):
2293
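        The interning scheme described in the entry above, as an added illustration written for this page (not code from WebKit): a table hands out one canonical key per distinct contents, so equal template sites share a pointer and a pointer-keyed map can stand in for the WeakGCMap without ever comparing or touching the key's strings. std::shared_ptr plays the role of Ref<TemplateRegistryKey>, its custom deleter plays TemplateRegistryKeyTable::unregister, and each cached call-site object keeps a strong handle to its key, as JSTemplateRegistryKey does. The names TemplateKey, TemplateKeyTable, TemplateRegistry and CallSiteObject are illustrative, and the sketch is single-threaded; the table must outlive every key it hands out.

```cpp
#include <cassert>
#include <functional>
#include <memory>
#include <string>
#include <unordered_map>
#include <utility>
#include <vector>

// Illustrative key: identified by its raw strings (cooked strings are derived
// from them and omitted here).
struct TemplateKey {
    std::vector<std::string> rawStrings;
};

// Hash over the contents, so two keys with equal strings collide on purpose.
struct ContentsHash {
    size_t operator()(const std::vector<std::string>& strings) const
    {
        size_t h = strings.size();
        for (const auto& s : strings)
            h = h * 31 + std::hash<std::string>()(s);
        return h;
    }
};

// Owns one canonical TemplateKey per contents (the AtomicStringTable role).
// The deleter unregisters the key when its last handle dies, so a pointer
// taken from a live handle can never alias a freed key.
class TemplateKeyTable {
public:
    std::shared_ptr<TemplateKey> createKey(std::vector<std::string> rawStrings)
    {
        auto it = m_table.find(rawStrings);
        if (it != m_table.end()) {
            if (auto existing = it->second.lock())
                return existing; // already interned: same pointer
        }
        TemplateKey* raw = new TemplateKey { rawStrings };
        std::shared_ptr<TemplateKey> key(raw, [this](TemplateKey* k) {
            m_table.erase(k->rawStrings); // "unregister" before freeing
            delete k;
        });
        m_table[std::move(rawStrings)] = key;
        return key;
    }
    size_t size() const { return m_table.size(); }

private:
    std::unordered_map<std::vector<std::string>, std::weak_ptr<TemplateKey>, ContentsHash> m_table;
};

// The cached call-site object holds its key strongly (the JSTemplateRegistryKey
// role), so the key outlives the map entry that is indexed by its address.
struct CallSiteObject {
    std::shared_ptr<TemplateKey> key;
    int id; // stands in for the JSArray identity
};

// Pointer-keyed cache standing in for the WeakGCMap: lookups compare addresses
// only, never strings.
class TemplateRegistry {
public:
    explicit TemplateRegistry(TemplateKeyTable& table) : m_table(table) { }

    const CallSiteObject& getTemplateObject(std::vector<std::string> rawStrings)
    {
        std::shared_ptr<TemplateKey> key = m_table.createKey(std::move(rawStrings));
        auto it = m_objects.find(key.get());
        if (it != m_objects.end())
            return it->second; // same site -> identical object
        int id = m_nextId++;
        return m_objects.emplace(key.get(), CallSiteObject { key, id }).first->second;
    }

private:
    TemplateKeyTable& m_table;
    std::unordered_map<const TemplateKey*, CallSiteObject> m_objects;
    int m_nextId = 1;
};

// Equal contents intern to one pointer; different contents do not.
bool interningGivesPointerIdentity()
{
    TemplateKeyTable table;
    auto a = table.createKey({ "hello ", " world" });
    auto b = table.createKey({ "hello ", " world" });
    auto c = table.createKey({ "other" });
    return a.get() == b.get() && a.get() != c.get() && table.size() == 2;
}

// Dropping the last handle removes the key from the table (expected 0).
size_t tableSizeAfterRelease()
{
    TemplateKeyTable table;
    {
        auto key = table.createKey({ "temp" });
        assert(table.size() == 1);
    }
    return table.size();
}

// The tagged-template contract: one call site, one object, every time.
bool sameSiteReturnsSameObject()
{
    TemplateKeyTable table;
    TemplateRegistry registry(table);
    const CallSiteObject& first = registry.getTemplateObject({ "a", "b" });
    const CallSiteObject& again = registry.getTemplateObject({ "a", "b" });
    const CallSiteObject& other = registry.getTemplateObject({ "a", "c" });
    return &first == &again && first.id == again.id && other.id != first.id;
}
```

        The point the fix relies on is visible in TemplateRegistry: once keys are interned, the cache only ever compares addresses, so pruning an entry on another thread never needs to hash, compare or destroy the key's strings; those are released only when the last strong handle (held by the call-site object) goes away.
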
2294 2016-11-21  Mark Lam  <mark.lam@apple.com>
2295
2296         Fix exception scope verification failures in runtime/Error* files.
2297         https://bugs.webkit.org/show_bug.cgi?id=164998
2298
2299         Reviewed by Darin Adler.
2300
2301         * runtime/ErrorConstructor.cpp:
2302         (JSC::Interpreter::constructWithErrorConstructor):
2303         * runtime/ErrorInstance.cpp:
2304         (JSC::ErrorInstance::create):
2305         * runtime/ErrorInstance.h:
2306         * runtime/ErrorPrototype.cpp:
2307         (JSC::errorProtoFuncToString):
2308
2309 2016-11-21  Mark Lam  <mark.lam@apple.com>
2310
2311         Fix exception scope verification failures in *Executable.cpp files.
2312         https://bugs.webkit.org/show_bug.cgi?id=164996
2313
2314         Reviewed by Darin Adler.
2315
2316         * runtime/DirectEvalExecutable.cpp:
2317         (JSC::DirectEvalExecutable::create):
2318         * runtime/IndirectEvalExecutable.cpp:
2319         (JSC::IndirectEvalExecutable::create):
2320         * runtime/ProgramExecutable.cpp:
2321         (JSC::ProgramExecutable::initializeGlobalProperties):
2322         * runtime/ScriptExecutable.cpp:
2323         (JSC::ScriptExecutable::prepareForExecutionImpl):
2324
2325 2016-11-20  Zan Dobersek  <zdobersek@igalia.com>
2326
2327         [EncryptedMedia] Make EME API runtime-enabled
2328         https://bugs.webkit.org/show_bug.cgi?id=164927
2329
2330         Reviewed by Jer Noble.
2331
2332         * runtime/CommonIdentifiers.h: Add the necessary identifiers.
2333
2334 2016-11-20  Mark Lam  <mark.lam@apple.com>
2335
2336         Fix exception scope verification failures in ConstructData.cpp.
2337         https://bugs.webkit.org/show_bug.cgi?id=164976
2338
2339         Reviewed by Darin Adler.
2340
2341         * runtime/ConstructData.cpp:
2342         (JSC::construct):
2343
2344 2016-11-20  Mark Lam  <mark.lam@apple.com>
2345
2346         Fix exception scope verification failures in CommonSlowPaths.cpp/h.
2347         https://bugs.webkit.org/show_bug.cgi?id=164975
2348
2349         Reviewed by Darin Adler.
2350
2351         * runtime/CommonSlowPaths.cpp:
2352         (JSC::SLOW_PATH_DECL):
2353         * runtime/CommonSlowPaths.h:
2354         (JSC::CommonSlowPaths::opIn):
2355
2356 2016-11-20  Mark Lam  <mark.lam@apple.com>
2357
2358         Fix exception scope verification failures in DateConstructor.cpp and DatePrototype.cpp.
2359         https://bugs.webkit.org/show_bug.cgi?id=164995
2360
2361         Reviewed by Darin Adler.
2362
2363         * runtime/DateConstructor.cpp:
2364         (JSC::millisecondsFromComponents):
2365         (JSC::constructDate):
2366         * runtime/DatePrototype.cpp:
2367         (JSC::dateProtoFuncToPrimitiveSymbol):
2368
2369 2016-11-20  Caitlin Potter  <caitp@igalia.com>
2370
2371         [JSC] speed up parsing of async functions
2372         https://bugs.webkit.org/show_bug.cgi?id=164808
2373
2374         Reviewed by Yusuke Suzuki.
2375
2376         Minor adjustments to Parser in order to mitigate slowdown with async
2377         function parsing enabled:
2378
2379           - Tokenize "async" as a keyword
2380           - Perform less branching in various areas of the Parser
2381
2382         * parser/Keywords.table:
2383         * parser/Parser.cpp:
2384         (JSC::Parser<LexerType>::parseStatementListItem):
2385         (JSC::Parser<LexerType>::parseStatement):
2386         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
2387         (JSC::Parser<LexerType>::parseClass):
2388         (JSC::Parser<LexerType>::parseExportDeclaration):
2389         (JSC::Parser<LexerType>::parseAssignmentExpression):
2390         (JSC::Parser<LexerType>::parseProperty):
2391         (JSC::Parser<LexerType>::createResolveAndUseVariable):
2392         (JSC::Parser<LexerType>::parsePrimaryExpression):
2393         (JSC::Parser<LexerType>::parseMemberExpression):
2394         (JSC::Parser<LexerType>::printUnexpectedTokenText):
2395         * parser/Parser.h:
2396         (JSC::isAnyContextualKeyword):
2397         (JSC::isIdentifierOrAnyContextualKeyword):
2398         (JSC::isSafeContextualKeyword):
2399         (JSC::Parser::matchSpecIdentifier):
2400         * parser/ParserTokens.h:
2401         * runtime/CommonIdentifiers.h:
2402
2403 2016-11-19  Mark Lam  <mark.lam@apple.com>
2404
2405         Add --timeoutMultiplier option to allow some tests more time to run.
2406         https://bugs.webkit.org/show_bug.cgi?id=164951
2407
2408         Reviewed by Yusuke Suzuki.
2409
2410         * jsc.cpp:
2411         (timeoutThreadMain):
2412         - Modified to factor in a timeout multiplier that can adjust the timeout duration.
2413         (startTimeoutThreadIfNeeded):
2414         - Moved the code that starts the timeout thread here from main() so that we can
2415         call it after command line args have been parsed instead.
2416         (main):
2417         - Deleted old timeout thread starting code.
2418         (CommandLine::parseArguments):
2419         - Added parsing of the --timeoutMultiplier option.
2420         (jscmain):
2421         - Start the timeout thread if needed after we've parsed the command line args.
2422
2423 2016-11-19  Mark Lam  <mark.lam@apple.com>
2424
2425         Fix missing exception checks in JSC inspector files.
2426         https://bugs.webkit.org/show_bug.cgi?id=164959
2427
2428         Reviewed by Saam Barati.
2429
2430         * inspector/JSInjectedScriptHost.cpp:
2431         (Inspector::JSInjectedScriptHost::getInternalProperties):
2432         (Inspector::JSInjectedScriptHost::weakMapEntries):
2433         (Inspector::JSInjectedScriptHost::weakSetEntries):
2434         (Inspector::JSInjectedScriptHost::iteratorEntries):
2435         * inspector/JSJavaScriptCallFrame.cpp:
2436         (Inspector::JSJavaScriptCallFrame::scopeDescriptions):
2437
2438 2016-11-18  Mark Lam  <mark.lam@apple.com>
2439
2440         Fix missing exception checks in DFGOperations.cpp.
2441         https://bugs.webkit.org/show_bug.cgi?id=164958
2442
2443         Reviewed by Geoffrey Garen.
2444
2445         * dfg/DFGOperations.cpp:
2446
2447 2016-11-18  Mark Lam  <mark.lam@apple.com>
2448
2449         Fix exception scope verification failures in ShadowChicken.cpp.
2450         https://bugs.webkit.org/show_bug.cgi?id=164966
2451
2452         Reviewed by Saam Barati.
2453
2454         * interpreter/ShadowChicken.cpp:
2455         (JSC::ShadowChicken::functionsOnStack):
2456
2457 2016-11-18  Jeremy Jones  <jeremyj@apple.com>
2458
2459         Add runtime flag to enable pointer lock. Enable pointer lock feature for mac.
2460         https://bugs.webkit.org/show_bug.cgi?id=163801
2461
2462         Reviewed by Simon Fraser.
2463
2464         * Configurations/FeatureDefines.xcconfig:
2465
2466 2016-11-18  Filip Pizlo  <fpizlo@apple.com>
2467
2468         Unreviewed, fix cloop.
2469
2470         * bytecode/CodeBlock.cpp:
2471         (JSC::CodeBlock::stronglyVisitStrongReferences):
2472
2473 2016-11-18  Filip Pizlo  <fpizlo@apple.com>
2474
2475         Concurrent GC should be able to run splay in debug mode and earley/raytrace in release mode with no perf regression
2476         https://bugs.webkit.org/show_bug.cgi?id=164282
2477
2478         Reviewed by Geoffrey Garen and Oliver Hunt.
2479         
2480         The three remaining bugs were:
2481
2482         - Improper ordering inside putDirectWithoutTransition() and friends. We need to make sure
2483           that the GC doesn't see the store to Structure::m_offset until we've resized the butterfly.
2484           That proved a bit tricky. On the other hand, this means that we could probably remove the
2485           requirement that the GC holds the Structure lock in some cases. I haven't removed that lock
2486           yet because I still think it might protect some weird cases, and it doesn't seem to cost us
2487           anything.
2488         
2489         - CodeBlock's GC strategy needed to be made thread-safe (visitWeakly, visitChildren, and
2490           their friends now hold locks) and incremental-safe (we need to update predictions in the
2491           finalizer to make sure we clear anything that was put into a value profile towards the end
2492           of GC).
2493         
2494         - The GC timeslicing scheduler needed to be made a bit more aggressive to deal with
2495           generational workloads like earley, raytrace, and CDjs. Once I got those benchmarks to run,
2496           I found that they would do many useless iterations of GC because they wouldn't pause long
2497           enough after rescanning weak references and roots. I added a bunch of knobs for forcing a
2498           pause. In the end, I realized that I could get the desired effect by putting a ceiling on
2499           mutator utilization. We want the GC to finish quickly if it is possible to do so, even if
2500           the amount of allocation that the mutator had done is low. Having a utilization ceiling
2501           seems to accomplish this for benchmarks with trivial heaps (earley and raytrace) as well as
2502           huge heaps (like CDjs in its "large" configuration).
2503         
2504         This preserves splay performance, makes the concurrent GC more stable, and makes the
2505         concurrent GC not a perf regression on earley or raytrace. It seems to give us great CDjs
2506         performance as well, but this is still hard to tell because we crash a lot in that benchmark.
2507
2508         * bytecode/CodeBlock.cpp:
2509         (JSC::CodeBlock::CodeBlock):
2510         (JSC::CodeBlock::visitWeakly):
2511         (JSC::CodeBlock::visitChildren):
2512         (JSC::CodeBlock::shouldVisitStrongly):
2513         (JSC::CodeBlock::shouldJettisonDueToOldAge):
2514         (JSC::CodeBlock::propagateTransitions):
2515         (JSC::CodeBlock::determineLiveness):
2516         (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences):
2517         (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally):
2518         (JSC::CodeBlock::visitOSRExitTargets):
2519         (JSC::CodeBlock::stronglyVisitStrongReferences):
2520         (JSC::CodeBlock::stronglyVisitWeakReferences):
2521         * bytecode/CodeBlock.h:
2522         (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled):
2523         * heap/CodeBlockSet.cpp:
2524         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
2525         * heap/Heap.cpp:
2526         (JSC::Heap::ResumeTheWorldScope::ResumeTheWorldScope):
2527         (JSC::Heap::markToFixpoint):
2528         (JSC::Heap::beginMarking):
2529         (JSC::Heap::addToRememberedSet):
2530         (JSC::Heap::collectInThread):
2531         * heap/Heap.h:
2532         * heap/HeapInlines.h:
2533         (JSC::Heap::mutatorFence):
2534         * heap/MarkedBlock.cpp:
2535         * runtime/JSCellInlines.h:
2536         (JSC::JSCell::finishCreation):
2537         * runtime/JSObjectInlines.h:
2538         (JSC::JSObject::putDirectWithoutTransition):
2539         (JSC::JSObject::putDirectInternal):
2540         * runtime/Options.h:
2541         * runtime/Structure.cpp:
2542         (JSC::Structure::add):
2543         * runtime/Structure.h:
2544         * runtime/StructureInlines.h:
2545         (JSC::Structure::add):
2546
2547 2016-11-18  Joseph Pecoraro  <pecoraro@apple.com>
2548
2549         Web Inspector: Generator functions should have a displayable name when shown in stack traces
2550         https://bugs.webkit.org/show_bug.cgi?id=164844
2551         <rdar://problem/29300697>
2552
2553         Reviewed by Yusuke Suzuki.
2554
2555         * parser/SyntaxChecker.h:
2556         (JSC::SyntaxChecker::createGeneratorFunctionBody):
2557         * parser/ASTBuilder.h:
2558         (JSC::ASTBuilder::createGeneratorFunctionBody):
2559         New way to create a generator function with an inferred name.
2560
2561         * parser/Parser.cpp:
2562         (JSC::Parser<LexerType>::parseInner):
2563         (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
2564         * parser/Parser.h:
2565         Pass on the name of the generator wrapper function so we can
2566         use it on the inner generator function.
2567
2568 2016-11-17  Ryosuke Niwa  <rniwa@webkit.org>
2569
2570         Add an experimental API to find elements across shadow boundaries
2571         https://bugs.webkit.org/show_bug.cgi?id=164851
2572         <rdar://problem/28220092>
2573
2574         Reviewed by Sam Weinig.
2575
2576         * runtime/CommonIdentifiers.h:
2577
2578 2016-11-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2579
2580         [JSC] Drop arguments.caller
2581         https://bugs.webkit.org/show_bug.cgi?id=164859
2582
2583         Reviewed by Saam Barati.
2584
2585         Originally, some JavaScript engines had an `arguments.caller` property.
2586         But it easily causes information leaks and became an obstacle
2587         for Secure ECMAScript (SES). In ES5, it was deprecated in strict
2588         mode. To do so, we explicitly set a "caller" getter throwing TypeError
2589         on arguments in strict mode.
2590
2591         But now, there is no modern engine which supports `arguments.caller`
2592         in sloppy mode. So the original compatibility problem is gone and the
2593         "caller" getter on strict mode arguments becomes meaningless.
2594
2595         ES2017 drops this from the spec. In this patch, we also drop this
2596         `arguments.caller` support in strict mode.
2597
2598         Note that Function#caller is still alive.
2599
2600         * runtime/ClonedArguments.cpp:
2601         (JSC::ClonedArguments::getOwnPropertySlot):
2602         (JSC::ClonedArguments::put):
2603         (JSC::ClonedArguments::deleteProperty):
2604         (JSC::ClonedArguments::defineOwnProperty):
2605         (JSC::ClonedArguments::materializeSpecials):
2606
2607 2016-11-17  Mark Lam  <mark.lam@apple.com>
2608
2609         Inlining should be disallowed when JSC_alwaysUseShadowChicken=true.
2610         https://bugs.webkit.org/show_bug.cgi?id=164893
2611         <rdar://problem/29146436>
2612
2613         Reviewed by Saam Barati.
2614
2615         * runtime/Options.cpp:
2616         (JSC::recomputeDependentOptions):
2617
2618 2016-11-17  Filip Pizlo  <fpizlo@apple.com>
2619
2620         Speculatively disable eager object zero-fill on not-x86 to let the bots decide if that's a problem
2621         https://bugs.webkit.org/show_bug.cgi?id=164885
2622
2623         Reviewed by Mark Lam.
2624         
2625         This adds a useGCFences() function that we use to guard all eager object zero-fill and the
2626         related fences. It currently returns true only on x86().
2627         
2628         The goal here is to get the bots to tell us if this code is responsible for perf issues on
2629         any non-x86 platforms. We have a few different paths that we can pursue if this turns out
2630         to be the case. Eager zero-fill is merely the easiest way to optimize out some fences, but
2631         we could get rid of it and instead teach B3 how to think about fences.
2632
2633         * assembler/CPU.h:
2634         (JSC::useGCFences):
2635         * bytecode/PolymorphicAccess.cpp:
2636         (JSC::AccessCase::generateImpl):
2637         * dfg/DFGSpeculativeJIT.cpp:
2638         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2639         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2640         * ftl/FTLLowerDFGToB3.cpp:
2641         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2642         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
2643         (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
2644         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2645         (JSC::FTL::DFG::LowerDFGToB3::mutatorFence):
2646         (JSC::FTL::DFG::LowerDFGToB3::setButterfly):
2647         * jit/AssemblyHelpers.h:
2648         (JSC::AssemblyHelpers::mutatorFence):
2649         (JSC::AssemblyHelpers::storeButterfly):
2650         (JSC::AssemblyHelpers::emitInitializeInlineStorage):
2651         (JSC::AssemblyHelpers::emitInitializeOutOfLineStorage):
2652
2653 2016-11-17  Keith Miller  <keith_miller@apple.com>
2654
2655         Add rotate to Wasm
2656         https://bugs.webkit.org/show_bug.cgi?id=164871
2657
2658         Reviewed by Filip Pizlo.
2659
2660         Add rotate left and rotate right to Wasm. These directly map to B3 opcodes.
2661         This also moves ARM-specific transformations of rotate left to lower macros
2662         after optimization. It's a bad idea to have platform-specific canonicalizations
2663         in reduce strength since other optimizations may not be aware of them.
2664
2665         Add a bug to do pure CSE after lower macros after optimization since we want to
2666         clean up RotL(value, Neg(Neg(shift))).
2667
2668         * b3/B3Generate.cpp:
2669         (JSC::B3::generateToAir):
2670         * b3/B3LowerMacrosAfterOptimizations.cpp:
2671         * b3/B3ReduceStrength.cpp:
2672         * wasm/wasm.json:
2673
2674 2016-11-17  Keith Miller  <keith_miller@apple.com>
2675
2676         Add sqrt to Wasm
2677         https://bugs.webkit.org/show_bug.cgi?id=164877
2678
2679         Reviewed by Mark Lam.
2680
2681         B3 already has a Sqrt opcode we just need to map Wasm to it.
2682
2683         * wasm/wasm.json:
2684
2685 2016-11-17  Keith Miller  <keith_miller@apple.com>
2686
2687         Add support for rotate in B3 and the relevant assemblers
2688         https://bugs.webkit.org/show_bug.cgi?id=164869
2689
2690         Reviewed by Geoffrey Garen.
2691
2692         This patch runs RotR and RotL (rotate right and left respectively)
2693         through B3 and B3's assemblers. One thing of note is that ARM64 does
2694         not support rotate left; instead it allows negative right rotations.
2695
2696         This patch also fixes a theoretical bug in the assembler where
2697         on X86 doing someShiftOp(reg, edx) would instead shift the shift
2698         amount by the value. Additionally, this patch refactors some
2699         of the X86 assembler to use templates when deciding how to format
2700         the appropriate shift instruction.
2701
2702         * assembler/MacroAssemblerARM64.h:
2703         (JSC::MacroAssemblerARM64::rotateRight32):
2704         (JSC::MacroAssemblerARM64::rotateRight64):
2705         * assembler/MacroAssemblerX86Common.h:
2706         (JSC::MacroAssemblerX86Common::rotateRight32):
2707         (JSC::MacroAssemblerX86Common::rotateLeft32):
2708         * assembler/MacroAssemblerX86_64.h:
2709         (JSC::MacroAssemblerX86_64::lshift64):
2710         (JSC::MacroAssemblerX86_64::rshift64):
2711         (JSC::MacroAssemblerX86_64::urshift64):
2712         (JSC::MacroAssemblerX86_64::rotateRight64):
2713         (JSC::MacroAssemblerX86_64::rotateLeft64):
2714         (JSC::MacroAssemblerX86_64::or64):
2715         * assembler/X86Assembler.h:
2716         (JSC::X86Assembler::xorq_rm):
2717         (JSC::X86Assembler::shiftInstruction32):
2718         (JSC::X86Assembler::sarl_i8r):
2719         (JSC::X86Assembler::shrl_i8r):
2720         (JSC::X86Assembler::shll_i8r):
2721         (JSC::X86Assembler::rorl_i8r):
2722         (JSC::X86Assembler::rorl_CLr):
2723         (JSC::X86Assembler::roll_i8r):
2724         (JSC::X86Assembler::roll_CLr):
2725         (JSC::X86Assembler::shiftInstruction64):
2726         (JSC::X86Assembler::sarq_CLr):
2727         (JSC::X86Assembler::sarq_i8r):
2728         (JSC::X86Assembler::shrq_i8r):
2729         (JSC::X86Assembler::shlq_i8r):
2730         (JSC::X86Assembler::rorq_i8r):
2731         (JSC::X86Assembler::rorq_CLr):
2732         (JSC::X86Assembler::rolq_i8r):
2733         (JSC::X86Assembler::rolq_CLr):
2734         * b3/B3Common.h:
2735         (JSC::B3::rotateRight):
2736         (JSC::B3::rotateLeft):
2737         * b3/B3Const32Value.cpp:
2738         (JSC::B3::Const32Value::rotRConstant):
2739         (JSC::B3::Const32Value::rotLConstant):
2740         * b3/B3Const32Value.h:
2741         * b3/B3Const64Value.cpp:
2742         (JSC::B3::Const64Value::rotRConstant):
2743         (JSC::B3::Const64Value::rotLConstant):
2744         * b3/B3Const64Value.h:
2745         * b3/B3LowerToAir.cpp:
2746         (JSC::B3::Air::LowerToAir::lower):
2747         * b3/B3Opcode.cpp:
2748         (WTF::printInternal):
2749         * b3/B3Opcode.h:
2750         * b3/B3ReduceStrength.cpp:
2751         * b3/B3Validate.cpp:
2752         * b3/B3Value.cpp:
2753         (JSC::B3::Value::rotRConstant):
2754         (JSC::B3::Value::rotLConstant):
2755         (JSC::B3::Value::effects):
2756         (JSC::B3::Value::key):
2757         (JSC::B3::Value::typeFor):
2758         * b3/B3Value.h:
2759         * b3/B3ValueKey.cpp:
2760         (JSC::B3::ValueKey::materialize):
2761         * b3/air/AirInstInlines.h:
2762         (JSC::B3::Air::isRotateRight32Valid):
2763         (JSC::B3::Air::isRotateLeft32Valid):
2764         (JSC::B3::Air::isRotateRight64Valid):
2765         (JSC::B3::Air::isRotateLeft64Valid):
2766         * b3/air/AirOpcode.opcodes:
2767         * b3/testb3.cpp:
2768         (JSC::B3::testRotR):
2769         (JSC::B3::testRotL):
2770         (JSC::B3::testRotRWithImmShift):
2771         (JSC::B3::testRotLWithImmShift):
2772         (JSC::B3::run):
2773
2774 2016-11-17  Saam Barati  <sbarati@apple.com>
2775
2776         Remove async/await compile time flag and enable tests
2777         https://bugs.webkit.org/show_bug.cgi?id=164828
2778         <rdar://problem/28639334>
2779
2780         Reviewed by Yusuke Suzuki.
2781
2782         * Configurations/FeatureDefines.xcconfig:
2783         * parser/Parser.cpp:
2784         (JSC::Parser<LexerType>::parseStatementListItem):
2785         (JSC::Parser<LexerType>::parseStatement):
2786         (JSC::Parser<LexerType>::parseClass):
2787         (JSC::Parser<LexerType>::parseExportDeclaration):
2788         (JSC::Parser<LexerType>::parseAssignmentExpression):
2789         (JSC::Parser<LexerType>::parseProperty):
2790         (JSC::Parser<LexerType>::parsePrimaryExpression):
2791         (JSC::Parser<LexerType>::parseMemberExpression):
2792         (JSC::Parser<LexerType>::parseUnaryExpression):
2793
2794 2016-11-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2795
2796         [JSC] WTF::TemporaryChange with WTF::SetForScope
2797         https://bugs.webkit.org/show_bug.cgi?id=164761
2798
2799         Reviewed by Saam Barati.
2800
2801         * bytecompiler/BytecodeGenerator.h:
2802         * bytecompiler/SetForScope.h: Removed.
2803         * debugger/Debugger.cpp:
2804         * inspector/InspectorBackendDispatcher.cpp:
2805         (Inspector::BackendDispatcher::dispatch):
2806         * inspector/ScriptDebugServer.cpp:
2807         (Inspector::ScriptDebugServer::dispatchBreakpointActionLog):
2808         (Inspector::ScriptDebugServer::dispatchBreakpointActionSound):
2809         (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe):
2810         (Inspector::ScriptDebugServer::sourceParsed):
2811         (Inspector::ScriptDebugServer::dispatchFunctionToListeners):
2812         * parser/Parser.cpp:
2813
2814 2016-11-16  Mark Lam  <mark.lam@apple.com>
2815
2816         ExceptionFuzz needs to placate exception check verification before overwriting a thrown exception.
2817         https://bugs.webkit.org/show_bug.cgi?id=164843
2818
2819         Reviewed by Keith Miller.
2820
2821         The ThrowScope will check for unchecked simulated exceptions before throwing a
2822         new exception.  This ensures that we don't quietly overwrite a pending exception
2823         (which should never happen, with the only exception being to rethrow the same
2824         exception).  However, ExceptionFuzz works by intentionally throwing its own
2825         exception even when one may already exist thereby potentially overwriting an
2826         existing exception.  This is ok for ExceptionFuzz testing, but we need to placate
2827         the exception check verifier before ExceptionFuzz throws its own exception.
2828
2829         * runtime/ExceptionFuzz.cpp:
2830         (JSC::doExceptionFuzzing):
2831
2832 2016-11-16  Geoffrey Garen  <ggaren@apple.com>
2833
2834         UnlinkedCodeBlock should not have a starting line number
2835         https://bugs.webkit.org/show_bug.cgi?id=164838
2836
2837         Reviewed by Mark Lam.
2838
2839         Here's how the starting line number in UnlinkedCodeBlock used to work:
2840
2841         (1) Assign the source code starting line number to the parser starting
2842         line number.
2843
2844         (2) Assign (1) to the AST.
2845
2846         (3) Subtract (1) from (2) and assign to UnlinkedCodeBlock.
2847
2848         Then, when linking:
2849
2850         (4) Add (3) to (1).
2851
2852         This was an awesome no-op.
2853
2854         Generally, unlinked code is code that is not tied to any particular
2855         web page or resource. So, it's inappropriate to think of it having a
2856         starting line number.
2857
2858         * bytecode/UnlinkedCodeBlock.cpp:
2859         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2860         * bytecode/UnlinkedCodeBlock.h:
2861         (JSC::UnlinkedCodeBlock::recordParse):
2862         (JSC::UnlinkedCodeBlock::hasCapturedVariables):
2863         (JSC::UnlinkedCodeBlock::firstLine): Deleted.
2864         * runtime/CodeCache.cpp:
2865         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
2866         * runtime/CodeCache.h:
2867         (JSC::generateUnlinkedCodeBlock):
2868
2869 2016-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2870
2871         [ES6][WebCore] Change ES6_MODULES compile time flag to runtime flag
2872         https://bugs.webkit.org/show_bug.cgi?id=164827
2873
2874         Reviewed by Ryosuke Niwa.
2875
2876         * Configurations/FeatureDefines.xcconfig:
2877
2878 2016-11-16  Filip Pizlo  <fpizlo@apple.com>
2879
2880         Unreviewed, roll out r208811. It's not sound.
2881
2882         * ftl/FTLLowerDFGToB3.cpp:
2883         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2884         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
2885         (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
2886         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2887         (JSC::FTL::DFG::LowerDFGToB3::mutatorFence):
2888         (JSC::FTL::DFG::LowerDFGToB3::setButterfly):
2889         (JSC::FTL::DFG::LowerDFGToB3::splatWordsIfMutatorIsFenced): Deleted.
2890
2891 2016-11-16  Keith Miller  <keith_miller@apple.com>
2892
2893         Wasm function parser should use template functions for each binary and unary opcode
2894         https://bugs.webkit.org/show_bug.cgi?id=164835
2895
2896         Reviewed by Mark Lam.
2897
2898         This patch changes the wasm function parser to call into a template specialization
2899         for each binary/unary opcode. This change makes it easier to have custom implementations
2900         of various opcodes. It is also, in theory, a speedup since it does not require switching
2901         on the opcode twice.
2902
2903         * CMakeLists.txt:
2904         * DerivedSources.make:
2905         * wasm/WasmB3IRGenerator.cpp:
2906         (): Deleted.
2907         * wasm/WasmFunctionParser.h:
2908         (JSC::Wasm::FunctionParser<Context>::binaryCase):
2909         (JSC::Wasm::FunctionParser<Context>::unaryCase):
2910         (JSC::Wasm::FunctionParser<Context>::parseExpression):
2911         * wasm/WasmValidate.cpp:
2912         * wasm/generateWasm.py:
2913         (isBinary):
2914         (isSimple):
2915         * wasm/generateWasmB3IRGeneratorInlinesHeader.py: Added.
2916         (generateSimpleCode):
2917         * wasm/generateWasmOpsHeader.py:
2918         (opcodeMacroizer):
2919         * wasm/generateWasmValidateInlinesHeader.py:
2920
2921 2016-11-16  Mark Lam  <mark.lam@apple.com>
2922
2923         ExceptionFuzz functions should use its client's ThrowScope.
2924         https://bugs.webkit.org/show_bug.cgi?id=164834
2925
2926         Reviewed by Geoffrey Garen.
2927
2928         This is because ExceptionFuzz's purpose is to throw exceptions from its client at
2929         exception check sites.  Using the client's ThrowScope solves 2 problems:
2930
2931         1. If ExceptionFuzz instantiates its own ThrowScope, the simulated throw will be
2932            mis-attributed to ExceptionFuzz when it should be attributed to its client.
2933
2934         2. One way exception scope verification works is by having ThrowScopes assert
2935            that there are no unchecked simulated exceptions when the ThrowScope is
2936            instantiated.  However, ExceptionFuzz necessarily works by inserting
2937            doExceptionFuzzingIfEnabled() in between a ThrowScope that simulated a throw
2938            and an exception check.  If we declare a ThrowScope in ExceptionFuzz's code,
2939            we will be instantiating the ThrowScope between the point where a simulated
2940            throw occurs and where the needed exception check can occur.  Hence, having
2941            ExceptionFuzz instantiate its own ThrowScope will fail exception scope
2942            verification every time.
2943
2944         Changing ExceptionFuzz to use its client's ThrowScope resolves both problems.
2945
2946         Also fixed the THROW() macro in CommonSlowPaths.cpp to use the ThrowScope that
2947         already exists in every slow path function instead of creating a new one.
2948
2949         * jit/JITOperations.cpp:
2950         * llint/LLIntSlowPaths.cpp:
2951         * runtime/CommonSlowPaths.cpp:
2952         * runtime/ExceptionFuzz.cpp:
2953         (JSC::doExceptionFuzzing):
2954         * runtime/ExceptionFuzz.h:
2955         (JSC::doExceptionFuzzingIfEnabled):
2956
2957 2016-11-16  Filip Pizlo  <fpizlo@apple.com>
2958
2959         Slight Octane regression from concurrent GC's eager object zero-fill
2960         https://bugs.webkit.org/show_bug.cgi?id=164823
2961
2962         Reviewed by Geoffrey Garen.
2963         
2964         During concurrent GC, we need to eagerly zero-fill objects we allocate prior to
2965         executing the end-of-allocation fence. This causes some regressions. This is an attempt
2966         to fix those regressions by making them conditional on whether the mutator is fenced.
2967         
2968         This is a slight speed-up on raytrace and boyer, and hopefully it will fix the
2969         regression.
2970
2971         * ftl/FTLLowerDFGToB3.cpp:
2972         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2973         (JSC::FTL::DFG::LowerDFGToB3::splatWordsIfMutatorIsFenced):
2974         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
2975         (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
2976         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2977         (JSC::FTL::DFG::LowerDFGToB3::mutatorFence):
2978         (JSC::FTL::DFG::LowerDFGToB3::setButterfly):
2979
2980 2016-11-16  Mark Lam  <mark.lam@apple.com>
2981
2982         Fix exception scope checking in JSGlobalObject.cpp.
2983         https://bugs.webkit.org/show_bug.cgi?id=164831
2984
2985         Reviewed by Saam Barati.
2986
2987         * runtime/JSGlobalObject.cpp:
2988         (JSC::JSGlobalObject::init):
2989         - Use a CatchScope here because we don't ever expect JSGlobalObject initialization
2990           to fail with errors.
2991         (JSC::JSGlobalObject::put):
2992         - Fix exception check requirements.
2993
2994 2016-11-16  Keith Miller  <keith_miller@apple.com>
2995
2996         Unreviewed, ARM build fix.
2997
2998         * b3/B3LowerToAir.cpp:
2999         (JSC::B3::Air::LowerToAir::lower):
3000         (JSC::B3::Air::LowerToAir::lowerX86Div):
3001         (JSC::B3::Air::LowerToAir::lowerX86UDiv):
3002
3003 2016-11-15  Mark Lam  <mark.lam@apple.com>
3004
3005         Make JSC test functions more robust.
3006         https://bugs.webkit.org/show_bug.cgi?id=164807
3007
3008         Reviewed by Keith Miller.
3009
3010         * jsc.cpp:
3011         (functionGetHiddenValue):
3012         (functionSetHiddenValue):
3013
3014 2016-11-15  Keith Miller  <keith_miller@apple.com>
3015
3016         B3 should support UDiv/UMod
3017         https://bugs.webkit.org/show_bug.cgi?id=164811
3018
3019         Reviewed by Filip Pizlo.
3020
3021         This patch adds support for UDiv and UMod in B3. Many of the magic number
3022         cases have been omitted for now since they are unlikely to happen in wasm
3023         code. Most wasm code we will see is generated via llvm, which has more
3024         robust versions of what we would do anyway. Additionally, this patch
3025         links the new opcodes up to the wasm parser.
3026
3027         * assembler/MacroAssemblerARM64.h:
3028         (JSC::MacroAssemblerARM64::uDiv32):
3029         (JSC::MacroAssemblerARM64::uDiv64):
3030         * assembler/MacroAssemblerX86Common.h:
3031         (JSC::MacroAssemblerX86Common::x86UDiv32):
3032         * assembler/MacroAssemblerX86_64.h:
3033         (JSC::MacroAssemblerX86_64::x86UDiv64):
3034         * assembler/X86Assembler.h:
3035         (JSC::X86Assembler::divq_r):
3036         * b3/B3Common.h:
3037         (JSC::B3::chillUDiv):
3038         (JSC::B3::chillUMod):
3039         * b3/B3Const32Value.cpp:
3040         (JSC::B3::Const32Value::uDivConstant):
3041         (JSC::B3::Const32Value::uModConstant):
3042         * b3/B3Const32Value.h:
3043         * b3/B3Const64Value.cpp:
3044         (JSC::B3::Const64Value::uDivConstant):
3045         (JSC::B3::Const64Value::uModConstant):
3046         * b3/B3Const64Value.h:
3047         * b3/B3LowerMacros.cpp:
3048         * b3/B3LowerToAir.cpp:
3049         (JSC::B3::Air::LowerToAir::lower):
3050         (JSC::B3::Air::LowerToAir::lowerX86UDiv):
3051         * b3/B3Opcode.cpp:
3052         (WTF::printInternal):
3053         * b3/B3Opcode.h:
3054         * b3/B3ReduceStrength.cpp:
3055         * b3/B3Validate.cpp:
3056         * b3/B3Value.cpp:
3057         (JSC::B3::Value::uDivConstant):
3058         (JSC::B3::Value::uModConstant):
3059         (JSC::B3::Value::effects):
3060         (JSC::B3::Value::key):
3061         (JSC::B3::Value::typeFor):
3062         * b3/B3Value.h:
3063         * b3/B3ValueKey.cpp:
3064         (JSC::B3::ValueKey::materialize):
3065         * b3/air/AirInstInlines.h:
3066         (JSC::B3::Air::isX86UDiv32Valid):
3067         (JSC::B3::Air::isX86UDiv64Valid):
3068         * b3/air/AirOpcode.opcodes:
3069         * b3/testb3.cpp:
3070         (JSC::B3::testUDivArgsInt32):
3071         (JSC::B3::testUDivArgsInt64):
3072         (JSC::B3::testUModArgsInt32):
3073         (JSC::B3::testUModArgsInt64):
3074         (JSC::B3::run):
3075         * wasm/wasm.json:
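
        Added example (not JavaScriptCore's own code) illustrating the "chill" unsigned division and remainder helpers that the entry above lists as JSC::B3::chillUDiv and JSC::B3::chillUMod, and the signed counterpart they sit beside. The semantics assumed here (a zero denominator yields 0, otherwise plain unsigned arithmetic on the operand bits) are an assumption stated for this example. It shows why the Int32/Int64 constant folders cannot reuse the signed Div/Mod helpers on the same bits, and why a total, non-trapping definition matters when the compiler folds a division that the hardware would have faulted on:

```cpp
#include <cstdint>
#include <limits>
#include <type_traits>

// Added example, not B3's implementation. B3 stores Int32/Int64 constants as
// signed integers, so an unsigned opcode must reinterpret the bits first.
// Assumed "chill" rule: x / 0 == 0 and x % 0 == 0 instead of a trap.
template<typename T>
T chillUDiv(T numerator, T denominator)
{
    using U = typename std::make_unsigned<T>::type;
    U n = static_cast<U>(numerator);
    U d = static_cast<U>(denominator);
    if (!d)
        return 0; // x86 idiv/div would raise #DE here; the IR defines a value instead
    return static_cast<T>(n / d);
}

template<typename T>
T chillUMod(T numerator, T denominator)
{
    using U = typename std::make_unsigned<T>::type;
    U n = static_cast<U>(numerator);
    U d = static_cast<U>(denominator);
    if (!d)
        return 0;
    return static_cast<T>(n % d);
}

// Same bits, different opcode: as a signed Int32, 0xFFFFFFFF is -1 and -1 / 2
// is 0, while as an unsigned value it is 4294967295 and 4294967295 / 2 is
// 2147483647. Signed division also has a second special case, INT_MIN / -1,
// which overflows; the chill answer assumed here is INT_MIN.
int32_t signedDivForContrast(int32_t numerator, int32_t denominator)
{
    if (!denominator)
        return 0;
    if (numerator == std::numeric_limits<int32_t>::min() && denominator == -1)
        return numerator;
    return numerator / denominator;
}
```

Both helpers are total functions over their whole input domain, which is what makes them safe to run at compile time inside a strength-reduction pass: a folded constant can never raise a fault that the unfolded machine code would not have raised.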
3076
3077 2016-11-15  Joseph Pecoraro  <pecoraro@apple.com>
3078
3079         Web Inspector: Preview other CSS @media in browser window (print)
3080         https://bugs.webkit.org/show_bug.cgi?id=13530
3081         <rdar://problem/5712928>
3082
3083         Reviewed by Timothy Hatcher.
3084
3085         * inspector/protocol/Page.json:
3086         Update to preferred JSON style.
3087
3088 2016-11-15  Filip Pizlo  <fpizlo@apple.com>
3089
3090         Unreviewed, revert renaming useConcurrentJIT to useConcurrentJS.
3091
3092         * dfg/DFGDriver.cpp:
3093         (JSC::DFG::compileImpl):
3094         * heap/Heap.cpp:
3095         (JSC::Heap::addToRememberedSet):
3096         * jit/JITWorklist.cpp:
3097         (JSC::JITWorklist::compileLater):
3098         (JSC::JITWorklist::compileNow):
3099         * runtime/Options.cpp:
3100         (JSC::recomputeDependentOptions):
3101         * runtime/Options.h:
3102         * runtime/WriteBarrierInlines.h:
3103         (JSC::WriteBarrierBase<T>::set):
3104         (JSC::WriteBarrierBase<Unknown>::set):
3105
3106 2016-11-15  Geoffrey Garen  <ggaren@apple.com>
3107
3108         Debugging and other tools should not disable the code cache
3109         https://bugs.webkit.org/show_bug.cgi?id=164802
3110
3111         Reviewed by Mark Lam.
3112
3113         * bytecode/UnlinkedFunctionExecutable.cpp:
3114         (JSC::UnlinkedFunctionExecutable::fromGlobalCode): Updated for interface
3115         change.
3116
3117         * parser/SourceCodeKey.h:
3118         (JSC::SourceCodeFlags::SourceCodeFlags):
3119         (JSC::SourceCodeFlags::bits):
3120         (JSC::SourceCodeKey::SourceCodeKey): Treat debugging and other tools
3121         as part of our key so that we can cache code while using tools. Be sure
3122         to include these bits in our hash function so you don't get storms of
3123         collisions as you open and close the Web Inspector.
3124
3125         * runtime/CodeCache.cpp:
3126         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
3127         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable): Treat tools as
3128         a part of our key instead of as a reason to disable caching.
3129
3130         * runtime/CodeCache.h:
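
        Added example (not WebKit's SourceCodeKey or CodeCache code) for the point the entry above makes about folding the tools bits into the key's hash. The struct, field names and flag layout are assumptions for this example. It demonstrates that a hash which ignores a field the equality operator compares is still a valid hash, but sends every tool configuration of one script into the same bucket, which is the collision storm the entry warns about:

```cpp
#include <cstddef>
#include <cstdint>
#include <functional>
#include <set>
#include <string>

// Added example, not the project's key type. Field names are assumptions.
struct CodeKey {
    std::string source;
    bool debuggerEnabled;
    bool typeProfilerEnabled;
    bool controlFlowProfilerEnabled;

    // Fold the tool flags into one small integer, as a bit field would.
    uint32_t toolBits() const
    {
        return (debuggerEnabled ? 1u : 0u)
             | (typeProfilerEnabled ? 2u : 0u)
             | (controlFlowProfilerEnabled ? 4u : 0u);
    }

    // Equality covers the tool bits, so the same script opened with and
    // without the inspector is two different cache entries.
    bool operator==(const CodeKey& other) const
    {
        return source == other.source && toolBits() == other.toolBits();
    }
};

// Hash that forgets the tool bits: still legal (equal keys hash equal), but
// every tool configuration of one source lands in a single bucket.
size_t hashSourceOnly(const CodeKey& key)
{
    return std::hash<std::string>()(key.source);
}

// Hash that mixes the tool bits in, so distinct keys spread out.
size_t hashWithToolBits(const CodeKey& key)
{
    size_t h = std::hash<std::string>()(key.source);
    // Any reasonable combiner works; the point is that the bits participate.
    return h ^ (static_cast<size_t>(key.toolBits()) * static_cast<size_t>(0x9E3779B97F4A7C15ull));
}

// Count distinct hash values over all eight tool configurations of one
// source. With the source-only hash this is 1; with the tool bits, 8.
size_t distinctHashes(size_t (*hashFn)(const CodeKey&), const std::string& source)
{
    std::set<size_t> seen;
    for (uint32_t bits = 0; bits < 8; ++bits) {
        CodeKey key { source, (bits & 1) != 0, (bits & 2) != 0, (bits & 4) != 0 };
        seen.insert(hashFn(key));
    }
    return seen.size();
}
```

The check a reviewer would apply to any such key change is the one distinctHashes encodes: every field that operator== compares must also feed the hash, otherwise the table degrades to a linked list for exactly the keys that differ in the new field.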
3131
3132 2016-11-15  Mark Lam  <mark.lam@apple.com>
3133
3134         Remove JSString::SafeView and replace its uses with StringViewWithUnderlyingString.
3135         https://bugs.webkit.org/show_bug.cgi?id=164777
3136
3137         Reviewed by Geoffrey Garen.
3138
3139         JSString::SafeView no longer achieves its intended goal to make it easier to
3140         handle strings safely.  Its clients still need to do explicit exception checks in
3141         order to be correct.  We'll remove it and replace its uses with
3142         StringViewWithUnderlyingString instead, which serves to get a StringView
3143         (which is what we really wanted from SafeView) and keeps the backing String alive
3144         while the view is in use.
3145
3146         Also added some missing exception checks.
3147
3148         * jsc.cpp:
3149         (printInternal):
3150         (functionDebug):
3151         * runtime/ArrayPrototype.cpp:
3152         (JSC::arrayProtoFuncJoin):
3153         * runtime/FunctionConstructor.cpp:
3154         (JSC::constructFunctionSkippingEvalEnabledCheck):
3155         * runtime/IntlCollatorPrototype.cpp:
3156         (JSC::IntlCollatorFuncCompare):
3157         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
3158         (JSC::genericTypedArrayViewProtoFuncJoin):
3159         * runtime/JSGlobalObjectFunctions.cpp:
3160         (JSC::toStringView):
3161         (JSC::globalFuncParseFloat):
3162         * runtime/JSONObject.cpp:
3163         (JSC::JSONProtoFuncParse):
3164         * runtime/JSString.h:
3165         (JSC::JSString::SafeView::is8Bit): Deleted.
3166         (JSC::JSString::SafeView::length): Deleted.
3167         (JSC::JSString::SafeView::SafeView): Deleted.
3168         (JSC::JSString::SafeView::get): Deleted.
3169         (JSC::JSString::view): Deleted.
3170         * runtime/StringPrototype.cpp:
3171         (JSC::stringProtoFuncRepeatCharacter):
3172         (JSC::stringProtoFuncCharAt):
3173         (JSC::stringProtoFuncCharCodeAt):
3174         (JSC::stringProtoFuncIndexOf):
3175         (JSC::stringProtoFuncNormalize):
3176
3177 2016-11-15  Filip Pizlo  <fpizlo@apple.com>
3178
3179         Unreviewed, remove bogus assertion.
3180
3181         * heap/Heap.cpp:
3182         (JSC::Heap::markToFixpoint):
3183
3184 2016-11-15  Filip Pizlo  <fpizlo@apple.com>
3185
3186         [mac-wk1 debug] ASSERTION FAILED: thisObject->m_propertyTableUnsafe
3187         https://bugs.webkit.org/show_bug.cgi?id=162986
3188
3189         Reviewed by Saam Barati.
3190         
3191         This assertion is wrong for concurrent GC anyway, so this removes it.
3192
3193         * runtime/Structure.cpp:
3194         (JSC::Structure::visitChildren):
3195
3196 2016-11-15  Filip Pizlo  <fpizlo@apple.com>
3197
3198         Rename CONCURRENT_JIT/ConcurrentJIT to CONCURRENT_JS/ConcurrentJS
3199         https://bugs.webkit.org/show_bug.cgi?id=164791
3200
3201         Reviewed by Geoffrey Garen.
3202         
3203         Just renaming.
3204
3205         * JavaScriptCore.xcodeproj/project.pbxproj:
3206         * bytecode/ArrayProfile.cpp:
3207         (JSC::ArrayProfile::computeUpdatedPrediction):
3208         (JSC::ArrayProfile::briefDescription):
3209         (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
3210         * bytecode/ArrayProfile.h:
3211         (JSC::ArrayProfile::observedArrayModes):
3212         (JSC::ArrayProfile::mayInterceptIndexedAccesses):
3213         (JSC::ArrayProfile::mayStoreToHole):
3214         (JSC::ArrayProfile::outOfBounds):
3215         (JSC::ArrayProfile::usesOriginalArrayStructures):
3216         * bytecode/CallLinkStatus.cpp:
3217         (JSC::CallLinkStatus::computeFromLLInt):
3218         (JSC::CallLinkStatus::computeFor):
3219         (JSC::CallLinkStatus::computeExitSiteData):
3220         (JSC::CallLinkStatus::computeFromCallLinkInfo):
3221         (JSC::CallLinkStatus::computeDFGStatuses):
3222         * bytecode/CallLinkStatus.h:
3223         * bytecode/CodeBlock.cpp:
3224         (JSC::CodeBlock::dumpValueProfiling):
3225         (JSC::CodeBlock::dumpArrayProfiling):
3226         (JSC::CodeBlock::finishCreation):
3227         (JSC::CodeBlock::setConstantRegisters):
3228         (JSC::CodeBlock::getStubInfoMap):
3229         (JSC::CodeBlock::getCallLinkInfoMap):
3230         (JSC::CodeBlock::getByValInfoMap):
3231         (JSC::CodeBlock::addStubInfo):
3232         (JSC::CodeBlock::addByValInfo):
3233         (JSC::CodeBlock::addCallLinkInfo):
3234         (JSC::CodeBlock::resetJITData):
3235         (JSC::CodeBlock::shrinkToFit):
3236         (JSC::CodeBlock::getArrayProfile):
3237         (JSC::CodeBlock::addArrayProfile):
3238         (JSC::CodeBlock::getOrAddArrayProfile):
3239         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
3240         (JSC::CodeBlock::updateAllArrayPredictions):
3241         (JSC::CodeBlock::nameForRegister):
3242         (JSC::CodeBlock::livenessAnalysisSlow):
3243         * bytecode/CodeBlock.h:
3244         (JSC::CodeBlock::setJITCode):
3245         (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
3246         (JSC::CodeBlock::addFrequentExitSite):
3247         (JSC::CodeBlock::hasExitSite):
3248         (JSC::CodeBlock::livenessAnalysis):
3249         * bytecode/DFGExitProfile.cpp:
3250         (JSC::DFG::ExitProfile::add):
3251         (JSC::DFG::ExitProfile::hasExitSite):
3252         (JSC::DFG::QueryableExitProfile::initialize):
3253         * bytecode/DFGExitProfile.h:
3254         (JSC::DFG::ExitProfile::hasExitSite):
3255         * bytecode/GetByIdStatus.cpp:
3256         (JSC::GetByIdStatus::hasExitSite):
3257         (JSC::GetByIdStatus::computeFor):
3258         (JSC::GetByIdStatus::computeForStubInfo):
3259         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
3260         * bytecode/GetByIdStatus.h:
3261         * bytecode/LazyOperandValueProfile.cpp:
3262         (JSC::CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions):
3263         (JSC::CompressedLazyOperandValueProfileHolder::add):
3264         (JSC::LazyOperandValueProfileParser::initialize):
3265         (JSC::LazyOperandValueProfileParser::prediction):
3266         * bytecode/LazyOperandValueProfile.h:
3267         * bytecode/MethodOfGettingAValueProfile.cpp:
3268         (JSC::MethodOfGettingAValueProfile::emitReportValue):
3269         * bytecode/PutByIdStatus.cpp:
3270         (JSC::PutByIdStatus::hasExitSite):
3271         (JSC::PutByIdStatus::computeFor):
3272         (JSC::PutByIdStatus::computeForStubInfo):
3273         * bytecode/PutByIdStatus.h:
3274         * bytecode/StructureStubClearingWatchpoint.cpp:
3275         (JSC::StructureStubClearingWatchpoint::fireInternal):
3276         * bytecode/ValueProfile.h:
3277         (JSC::ValueProfileBase::briefDescription):
3278         (JSC::ValueProfileBase::computeUpdatedPrediction):
3279         * dfg/DFGArrayMode.cpp:
3280         (JSC::DFG::ArrayMode::fromObserved):
3281         * dfg/DFGArrayMode.h:
3282         (JSC::DFG::ArrayMode::withSpeculationFromProfile):
3283         (JSC::DFG::ArrayMode::withProfile):
3284         * dfg/DFGByteCodeParser.cpp:
3285         (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
3286         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
3287         (JSC::DFG::ByteCodeParser::getArrayMode):
3288         (JSC::DFG::ByteCodeParser::handleInlining):
3289         (JSC::DFG::ByteCodeParser::parseBlock):
3290         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
3291         * dfg/DFGDriver.cpp:
3292         (JSC::DFG::compileImpl):
3293         * dfg/DFGFixupPhase.cpp:
3294         (JSC::DFG::FixupPhase::fixupNode):
3295         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
3296         * dfg/DFGGraph.cpp:
3297         (JSC::DFG::Graph::tryGetConstantClosureVar):
3298         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3299         * dfg/DFGPredictionInjectionPhase.cpp:
3300         (JSC::DFG::PredictionInjectionPhase::run):
3301         * ftl/FTLLowerDFGToB3.cpp:
3302         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
3303         * ftl/FTLOperations.cpp:
3304         (JSC::FTL::operationMaterializeObjectInOSR):
3305         * heap/Heap.cpp:
3306         (JSC::Heap::addToRememberedSet):
3307         * jit/JIT.cpp:
3308         (JSC::JIT::compileWithoutLinking):
3309         * jit/JITInlines.h:
3310         (JSC::JIT::chooseArrayMode):
3311         * jit/JITOperations.cpp:
3312         (JSC::tryGetByValOptimize):
3313         * jit/JITPropertyAccess.cpp:
3314         (JSC::JIT::privateCompileGetByValWithCachedId):
3315         (JSC::JIT::privateCompilePutByValWithCachedId):
3316         * jit/JITWorklist.cpp:
3317         (JSC::JITWorklist::compileLater):
3318         (JSC::JITWorklist::compileNow):
3319         * jit/Repatch.cpp:
3320         (JSC::repatchGetByID):
3321         (JSC::repatchPutByID):
3322         * llint/LLIntSlowPaths.cpp:
3323         (JSC::LLInt::setupGetByIdPrototypeCache):
3324         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3325         (JSC::LLInt::setUpCall):
3326         * profiler/ProfilerBytecodeSequence.cpp:
3327         (JSC::Profiler::BytecodeSequence::BytecodeSequence):
3328         * runtime/CommonSlowPaths.cpp:
3329         (JSC::SLOW_PATH_DECL):
3330         * runtime/CommonSlowPaths.h:
3331         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
3332         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
3333         * runtime/ConcurrentJITLock.h: Removed.
3334         * runtime/ConcurrentJSLock.h: Copied from Source/JavaScriptCore/runtime/ConcurrentJITLock.h.
3335         (JSC::ConcurrentJSLockerBase::ConcurrentJSLockerBase):
3336         (JSC::ConcurrentJSLockerBase::~ConcurrentJSLockerBase):
3337         (JSC::GCSafeConcurrentJSLocker::GCSafeConcurrentJSLocker):
3338         (JSC::GCSafeConcurrentJSLocker::~GCSafeConcurrentJSLocker):
3339         (JSC::ConcurrentJSLocker::ConcurrentJSLocker):
3340         (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase): Deleted.
3341         (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase): Deleted.
3342         (JSC::ConcurrentJITLockerBase::unlockEarly): Deleted.
3343         (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker): Deleted.
3344         (JSC::GCSafeConcurrentJITLocker::~GCSafeConcurrentJITLocker): Deleted.
3345         (JSC::ConcurrentJITLocker::ConcurrentJITLocker): Deleted.
3346         * runtime/InferredType.cpp:
3347         (JSC::InferredType::canWatch):
3348         (JSC::InferredType::addWatchpoint):
3349         (JSC::InferredType::willStoreValueSlow):
3350         (JSC::InferredType::makeTopSlow):
3351         (JSC::InferredType::set):
3352         (JSC::InferredType::removeStructure):
3353         * runtime/InferredType.h:
3354         * runtime/InferredTypeTable.cpp:
3355         (JSC::InferredTypeTable::visitChildren):
3356         (JSC::InferredTypeTable::get):
3357         (JSC::InferredTypeTable::willStoreValue):
3358         (JSC::InferredTypeTable::makeTop):
3359         * runtime/InferredTypeTable.h:
3360         * runtime/JSEnvironmentRecord.cpp:
3361         (JSC::JSEnvironmentRecord::heapSnapshot):
3362         * runtime/JSGlobalObject.cpp:
3363         (JSC::JSGlobalObject::addGlobalVar):
3364         (JSC::JSGlobalObject::addStaticGlobals):
3365         * runtime/JSLexicalEnvironment.cpp:
3366         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
3367         * runtime/JSObject.cpp:
3368         (JSC::JSObject::deleteProperty):
3369         (JSC::JSObject::shiftButterflyAfterFlattening):
3370         * runtime/JSObject.h:
3371         * runtime/JSObjectInlines.h:
3372         (JSC::JSObject::putDirectWithoutTransition):
3373         (JSC::JSObject::putDirectInternal):
3374         * runtime/JSScope.cpp:
3375         (JSC::abstractAccess):
3376         (JSC::JSScope::collectClosureVariablesUnderTDZ):
3377         * runtime/JSSegmentedVariableObject.cpp:
3378         (JSC::JSSegmentedVariableObject::findVariableIndex):
3379         (JSC::JSSegmentedVariableObject::addVariables):
3380         (JSC::JSSegmentedVariableObject::heapSnapshot):
3381         * runtime/JSSegmentedVariableObject.h:
3382         * runtime/JSSymbolTableObject.cpp:
3383         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
3384         * runtime/JSSymbolTableObject.h:
3385         (JSC::symbolTableGet):
3386         (JSC::symbolTablePut):
3387         * runtime/Options.cpp:
3388         (JSC::recomputeDependentOptions):
3389         * runtime/Options.h:
3390         * runtime/ProgramExecutable.cpp:
3391         (JSC::ProgramExecutable::initializeGlobalProperties):
3392         * runtime/RegExp.cpp:
3393         (JSC::RegExp::compile):
3394         (JSC::RegExp::matchConcurrently):
3395         (JSC::RegExp::compileMatchOnly):
3396         (JSC::RegExp::deleteCode):
3397         * runtime/RegExp.h:
3398         * runtime/Structure.cpp:
3399         (JSC::Structure::materializePropertyTable):
3400         (JSC::Structure::addPropertyTransitionToExistingStructureConcurrently):
3401         (JSC::Structure::addNewPropertyTransition):
3402         (JSC::Structure::takePropertyTableOrCloneIfPinned):
3403         (JSC::Structure::nonPropertyTransition):
3404         (JSC::Structure::flattenDictionaryStructure):
3405         (JSC::Structure::ensurePropertyReplacementWatchpointSet):
3406         (JSC::Structure::add):
3407         (JSC::Structure::remove):
3408         (JSC::Structure::visitChildren):
3409         * runtime/Structure.h:
3410         * runtime/StructureInlines.h:
3411         (JSC::Structure::propertyReplacementWatchpointSet):
3412         (JSC::Structure::add):
3413         (JSC::Structure::remove):
3414         * runtime/SymbolTable.cpp:
3415         (JSC::SymbolTable::visitChildren):
3416         (JSC::SymbolTable::localToEntry):
3417         (JSC::SymbolTable::entryFor):
3418         (JSC::SymbolTable::prepareForTypeProfiling):
3419         (JSC::SymbolTable::uniqueIDForVariable):
3420         (JSC::SymbolTable::uniqueIDForOffset):
3421         (JSC::SymbolTable::globalTypeSetForOffset):
3422         (JSC::SymbolTable::globalTypeSetForVariable):
3423         * runtime/SymbolTable.h:
3424         * runtime/TypeSet.cpp:
3425         (JSC::TypeSet::addTypeInformation):
3426         (JSC::TypeSet::invalidateCache):
3427         * runtime/TypeSet.h:
3428         (JSC::TypeSet::structureSet):
3429         * runtime/VM.h:
3430         * runtime/WriteBarrierInlines.h:
3431         (JSC::WriteBarrierBase<T>::set):
3432         (JSC::WriteBarrierBase<Unknown>::set):
3433         * yarr/YarrInterpreter.cpp:
3434         (JSC::Yarr::ByteCompiler::compile):
3435         (JSC::Yarr::byteCompile):
3436         * yarr/YarrInterpreter.h:
3437         (JSC::Yarr::BytecodePattern::BytecodePattern):
3438
3439 2016-11-15  Joseph Pecoraro  <pecoraro@apple.com>
3440
3441         Web Inspector: Remove unused and untested Page.setTouchEmulationEnabled command
3442         https://bugs.webkit.org/show_bug.cgi?id=164793
3443
3444         Reviewed by Matt Baker.
3445
3446         * inspector/protocol/Page.json:
3447
3448 2016-11-15  Yusuke Suzuki  <utatane.tea@gmail.com>
3449
3450         Unreviewed, build fix for Windows debug build after r208738
3451         https://bugs.webkit.org/show_bug.cgi?id=164727
3452
3453         This static member variable can be touched outside of the JSC project
3454         since inlined MacroAssembler member functions read / write it.
3455         So it should be exported.
3456
3457         * assembler/MacroAssemblerX86Common.h:
3458
3459 2016-11-15  Joseph Pecoraro  <pecoraro@apple.com>
3460
3461         Web Inspector: inspector/worker/debugger-pause.html fails on WebKit1
3462         https://bugs.webkit.org/show_bug.cgi?id=164787
3463
3464         Reviewed by Timothy Hatcher.
3465
3466         * inspector/agents/InspectorDebuggerAgent.cpp:
3467         (Inspector::InspectorDebuggerAgent::cancelPauseOnNextStatement):
3468         Clear this DebuggerAgent state when we resume.
3469
3470 2016-11-15  Filip Pizlo  <fpizlo@apple.com>
3471
3472         It should be possible to disable concurrent GC timeslicing
3473         https://bugs.webkit.org/show_bug.cgi?id=164788
3474
3475         Reviewed by Saam Barati.
3476         
3477         Collector timeslicing means that the collector will try to pause once every 2ms. This is
3478         great because it throttles the mutator and prevents it from outpacing the collector. But
3479         it reduces some of the efficacy of the collectContinuously=true configuration: while
3480         it's great that collecting continuously means that the collector will also pause more
3481         frequently and so it will test the pausing code, it also means that the collector will
3482         spend less time running concurrently. The primary purpose of collectContinuously is to
3483         maximize the amount of time that the collector is running concurrently to the mutator to
3484         maximize the likelihood that a race will cause a detectable error.
3485         
3486         This adds an option to disable collector timeslicing (useCollectorTimeslicing=false).
3487         The idea is that we will usually use this in conjunction with collectContinuously=true
3488         to find race conditions during marking, but we can also use the two options
3489         independently to focus our testing on other things.
3490
3491         * heap/Heap.cpp:
3492         (JSC::Heap::markToFixpoint):
3493         * heap/SlotVisitor.cpp:
3494         (JSC::SlotVisitor::drainInParallel): We should have added this helper ages ago.
3495         * heap/SlotVisitor.h:
3496         * runtime/Options.h:
3497
3498 2016-11-15  Filip Pizlo  <fpizlo@apple.com>
3499
3500         The concurrent GC should have a timeslicing controller
3501         https://bugs.webkit.org/show_bug.cgi?id=164783
3502
3503         Reviewed by Geoffrey Garen.
3504         
3505         This adds a simple control system for deciding when the collector should let the mutator run
3506         and when it should stop the mutator. We definitely have to stop the mutator during certain
3507         collector phases, but during marking - which takes the most time - we can go either way.
3508         Normally we want to let the mutator run, but if the heap size starts to grow then we have to
3509         stop the mutator just to make sure it doesn't get too far ahead of the collector. That could
3510         lead to memory exhaustion, so it's better to just stop in that case.
3511         
3512         The controller tries to never stop the mutator for longer than short timeslices. It slices on
3513         a 2ms period (configurable via Options). The amount of that period that the collector spends
3514         with the mutator stopped is determined by the fraction of the collector's concurrent headroom
3515         that has been allocated over. The headroom is currently configured at 50% of what was
3516         allocated before the collector started.
3517         
3518         This moves a bunch of parameters into Options so that it's easier to play with different
3519         configurations.
3520         
3521         I tried these different values for the period:
3522         
3523         1ms: 30% worse than 2ms on splay-latency.
3524         2ms: best score on splay-latency: the tick time above the 99.5% percentile is <2ms.
3525         3ms: 40% worse than 2ms on splay-latency.
3526         4ms: 40% worse than 2ms on splay-latency.
3527         
3528         I also tried 100% headroom as an alternate to 50% and found it to be worse.
3529         
3530         This patch is a 2x improvement on splay-latency with the default parameters and concurrent GC
3531         enabled. Prior to this change, the GC didn't have a good bound on its pause times, which
3532         would cause these problems. Concurrent GC is now 5.6x better on splay-latency than no
3533         concurrent GC.
3534
3535         * heap/Heap.cpp:
3536         (JSC::Heap::ResumeTheWorldScope::ResumeTheWorldScope):
3537         (JSC::Heap::markToFixpoint):
3538         (JSC::Heap::collectInThread):
3539         * runtime/Options.h:
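
An added example, not JSC's code and not part of either Filip Pizlo entry, that models the timeslicing policy this entry describes together with the useCollectorTimeslicing=false option from the entry above it: a 2ms period, headroom of 50% of what was allocated before the collector started, and a stop time that grows with the fraction of that headroom the mutator has allocated over. The struct and function names, the linear fullness-to-stop-time mapping, and the simulated workload are assumptions; the real controller is the code in heap/Heap.cpp listed below.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>

// Added example, not JSC's code: a model of the collector timeslicing policy
// described in the ChangeLog. Names and the linear fullness-to-stop-time
// mapping are assumptions; the real controller is in heap/Heap.cpp.
struct TimesliceOptions {
    bool useCollectorTimeslicing = true; // useCollectorTimeslicing=false turns slicing off
    double periodMS = 2.0;               // the collector slices on a 2ms period
    double headroomFraction = 0.5;       // headroom = 50% of bytes allocated before the GC
};

struct Timeslice {
    double mutatorRunMS;  // time the mutator runs concurrently with marking in this period
    double mutatorStopMS; // time the collector keeps the mutator stopped in this period
};

inline TimesliceOptions makeOptions(bool useCollectorTimeslicing)
{
    TimesliceOptions opts;
    opts.useCollectorTimeslicing = useCollectorTimeslicing;
    return opts;
}

// Fraction of the concurrent headroom the mutator has allocated over since the
// collection started, clamped to [0, 1].
inline double headroomFullness(uint64_t bytesBeforeGC, uint64_t bytesSinceGCStart, const TimesliceOptions& opts)
{
    double headroom = static_cast<double>(bytesBeforeGC) * opts.headroomFraction;
    if (headroom <= 0)
        return 1.0; // nothing to spare: treat the headroom as already exhausted
    return std::min(1.0, static_cast<double>(bytesSinceGCStart) / headroom);
}

// Split the next period between letting the mutator run and keeping it stopped.
// The fuller the headroom, the longer the stop, so the mutator cannot get far
// ahead of the collector and exhaust memory.
inline Timeslice decideTimeslice(uint64_t bytesBeforeGC, uint64_t bytesSinceGCStart, const TimesliceOptions& opts)
{
    if (!opts.useCollectorTimeslicing)
        return { opts.periodMS, 0.0 }; // never pause just to throttle: maximizes concurrent time
    double stopMS = opts.periodMS * headroomFullness(bytesBeforeGC, bytesSinceGCStart, opts);
    return { opts.periodMS - stopMS, stopMS };
}

// Simulate one marking phase. The mutator allocates allocRateBytesPerMS while it
// runs, and marking needs markingMS of collector time in total. Simplification
// (an assumption): marking progresses at the same rate whether or not the mutator
// is running, so the collector always finishes after markingMS / periodMS periods.
// Returns how many bytes the mutator allocated past the start of the collection.
inline uint64_t simulateMarking(uint64_t bytesBeforeGC, double allocRateBytesPerMS, double markingMS, const TimesliceOptions& opts)
{
    double remainingMarkingMS = markingMS;
    double allocated = 0;
    while (remainingMarkingMS > 0) {
        Timeslice slice = decideTimeslice(bytesBeforeGC, static_cast<uint64_t>(allocated), opts);
        allocated += allocRateBytesPerMS * slice.mutatorRunMS;
        remainingMarkingMS -= opts.periodMS;
    }
    return static_cast<uint64_t>(allocated);
}

int main()
{
    // Constructed workload: 1 MB live before the GC, mutator allocating 100 KB/ms, 20ms of marking.
    const uint64_t bytesBeforeGC = 1000000;
    uint64_t sliced = simulateMarking(bytesBeforeGC, 100000.0, 20.0, makeOptions(true));
    uint64_t unsliced = simulateMarking(bytesBeforeGC, 100000.0, 20.0, makeOptions(false));
    std::printf("timeslicing on:  %llu bytes over the GC start (headroom %llu)\n",
        static_cast<unsigned long long>(sliced), static_cast<unsigned long long>(bytesBeforeGC / 2));
    std::printf("timeslicing off: %llu bytes over the GC start\n", static_cast<unsigned long long>(unsliced));
    return 0;
}
```

With slicing on, the mutator's allocation converges on the headroom instead of growing with the length of marking; with it off, the same workload allocates 2 MB over the same 20ms, which is the trade the useCollectorTimeslicing=false option makes in exchange for more concurrent running time.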
3540
3541 2016-11-15  Yusuke Suzuki  <utatane.tea@gmail.com>
3542
3543         Unreviewed, build fix for CLoop after r208738
3544         https://bugs.webkit.org/show_bug.cgi?id=164727
3545
3546         * jsc.cpp:
3547         (WTF::DOMJITFunctionObject::unsafeFunction):
3548         (WTF::DOMJITFunctionObject::finishCreation):
3549
3550 2016-11-15  Mark Lam  <mark.lam@apple.com>
3551
3552         The jsc shell's setImpureGetterDelegate() should ensure that the set value is an ImpureGetter.
3553         https://bugs.webkit.org/show_bug.cgi?id=164781
3554         <rdar://problem/28418590>
3555
3556         Reviewed by Geoffrey Garen and Michael Saboff.
3557
3558         * jsc.cpp:
3559         (functionSetImpureGetterDelegate):
3560
3561 2016-11-15  Yusuke Suzuki  <utatane.tea@gmail.com>
3562
3563         [DOMJIT] Allow using macro assembler scratches in FTL CheckDOM
3564         https://bugs.webkit.org/show_bug.cgi?id=164727
3565
3566         Reviewed by Filip Pizlo.
3567
3568         While CallDOMGetter can use macro assembler scratch registers, we previously
3569         assumed that CheckDOM code generator does not use macro assembler scratch registers.
3570         It is currently true in x86 environment. But it is not true in the other environments.
3571
3572         We should not limit DOMJIT::Patchpoint's functionality in such a way. We should allow
3573         arbitrary macro assembler operations inside the DOMJIT::Patchpoint. This patch allows
3574         CheckDOM to use macro assembler scratch registers.
3575
3576         * ftl/FTLLowerDFGToB3.cpp:
3577         (JSC::FTL::DFG::LowerDFGToB3::compileCheckDOM):
3578         * jsc.cpp:
3579         (WTF::DOMJITFunctionObject::DOMJITFunctionObject):
3580         (WTF::DOMJITFunctionObject::createStructure):
3581         (WTF::DOMJITFunctionObject::create):
3582         (WTF::DOMJITFunctionObject::unsafeFunction):
3583         (WTF::DOMJITFunctionObject::safeFunction):
3584         (WTF::DOMJITFunctionObject::checkDOMJITNode):
3585         (WTF::DOMJITFunctionObject::finishCreation):
3586         (GlobalObject::finishCreation):
3587         (functionCreateDOMJITFunctionObject):
3588
3589 2016-11-14  Geoffrey Garen  <ggaren@apple.com>
3590
3591         CodeCache should stop pretending to cache builtins
3592         https://bugs.webkit.org/show_bug.cgi?id=164750
3593
3594         Reviewed by Saam Barati.
3595
3596         We were passing JSParserBuiltinMode to all CodeCache functions, but the
3597         passed-in value was always NotBuiltin.
3598
3599         Let's stop passing it.
3600
3601         * parser/SourceCodeKey.h:
3602         (JSC::SourceCodeFlags::SourceCodeFlags):
3603         (JSC::SourceCodeKey::SourceCodeKey):
3604         * runtime/CodeCache.cpp:
3605         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
3606         (JSC::CodeCache::getUnlinkedProgramCodeBlock):
3607         (JSC::CodeCache::getUnlinkedGlobalEvalCodeBlock):
3608         (JSC::CodeCache::getUnlinkedModuleProgramCodeBlock):
3609         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
3610         * runtime/CodeCache.h:
3611         (JSC::generateUnlinkedCodeBlock):
3612         * runtime/JSGlobalObject.cpp:
3613         (JSC::JSGlobalObject::createProgramCodeBlock):
3614         (JSC::JSGlobalObject::createLocalEvalCodeBlock):
3615         (JSC::JSGlobalObject::createGlobalEvalCodeBlock):
3616         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
3617
3618 2016-11-15  Filip Pizlo  <fpizlo@apple.com>
3619
3620         REGRESSION (r208711-r208722): ASSERTION FAILED: hasInlineStorage()
3621         https://bugs.webkit.org/show_bug.cgi?id=164775
3622
3623         Reviewed by Mark Lam and Keith Miller.
3624         
3625         We were calling inlineStorage() which asserts that inline storage is not empty. But we
3626         were calling it in a context where it could be empty and that's fine. So, we now call
3627         inlineStorageUnsafe().
3628
3629         * runtime/JSObject.h:
3630         (JSC::JSFinalObject::JSFinalObject):
3631
3632 2016-11-14  Csaba Osztrogonác  <ossy@webkit.org>
3633
3634         [ARM] Unreviewed buildfix after r208720.
3635
3636         * assembler/MacroAssemblerARM.h:
3637         (JSC::MacroAssemblerARM::storeFence): Stub function copied from MacroAssemblerARMv7.h.
3638
3639 2016-11-14  Caitlin Potter  <caitp@igalia.com>
3640
3641         [JSC] do not reference AwaitExpression Promises in async function Promise chain
3642         https://bugs.webkit.org/show_bug.cgi?id=164753
3643
3644         Reviewed by Yusuke Suzuki.
3645
3646         Previously, long-running async functions which contained many AwaitExpressions
3647         would allocate and retain references to intermediate Promise objects for each `await`,
3648         resulting in a memory leak.
3649
3650         To mitigate this leak, a reference to the original Promise (and its resolve and reject
3651         functions) associated with the async function are kept, and passed to each call to
3652         @asyncFunctionResume, while intermediate Promises are discarded. This is done by adding
3653         a new Register to the BytecodeGenerator to hold the PromiseCapability object associated
3654         with an async function wrapper. The capability is used to reject the Promise if an
3655         exception is thrown during parameter initialization, and is used to store the resulting
3656         value once the async function has terminated.
3657
3658         * builtins/AsyncFunctionPrototype.js:
3659         (globalPrivate.asyncFunctionResume):
3660         * bytecompiler/BytecodeGenerator.cpp:
3661         (JSC::BytecodeGenerator::BytecodeGenerator):
3662         * bytecompiler/BytecodeGenerator.h:
3663         (JSC::BytecodeGenerator::promiseCapabilityRegister):
3664         * bytecompiler/NodesCodegen.cpp:
3665         (JSC::FunctionNode::emitBytecode):
3666
3667 2016-11-14  Joseph Pecoraro  <pecoraro@apple.com>
3668
3669         Web Inspector: Worker debugging should pause all targets and view call frames in all targets
3670         https://bugs.webkit.org/show_bug.cgi?id=164305
3671         <rdar://problem/29056192>
3672
3673         Reviewed by Timothy Hatcher.
3674
3675         * inspector/InjectedScriptSource.js:
3676         (InjectedScript.prototype._propertyDescriptors):
3677         Accessing __proto__ does a ToThis(...) conversion on the receiver.
3678         In the case of GlobalObjects (such as WorkerGlobalScope when paused)
3679         this would return undefined and throw an exception. We can use
3680         Object.getPrototypeOf to avoid that conversion and possible error.
3681
3682         * inspector/protocol/Debugger.json:
3683         Provide a new way to effectively `resume` + `pause` immediately.
3684         This must be implemented on the backend to correctly synchronize
3685         the resuming and pausing.
3686
3687         * inspector/agents/InspectorDebuggerAgent.h:
3688         * inspector/agents/InspectorDebuggerAgent.cpp:
3689         (Inspector::InspectorDebuggerAgent::continueUntilNextRunLoop):
3690         Treat this as `resume` and `pause`. Resume now, and trigger
3691         a pause if the VM becomes idle and we didn't pause before then
3692         (such as hitting a breakpoint after we resumed).
3693
3694         (Inspector::InspectorDebuggerAgent::pause):
3695         (Inspector::InspectorDebuggerAgent::resume):
3696         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
3697         (Inspector::InspectorDebuggerAgent::cancelPauseOnNextStatement):
3698         Clean up and correct pause on next statement logic.
3699
3700         (Inspector::InspectorDebuggerAgent::registerIdleHandler):
3701         (Inspector::InspectorDebuggerAgent::willStepAndMayBecomeIdle):
3702         (Inspector::InspectorDebuggerAgent::didBecomeIdle):
3703         (Inspector::InspectorDebuggerAgent::didBecomeIdleAfterStepping): Deleted.
3704         The idle handler may now also trigger a pause in the case
3705         where continueUntilNextRunLoop resumed and wants to pause.
3706
3707         (Inspector::InspectorDebuggerAgent::didPause):
3708         Eliminate the useless didPause. The DOMDebugger was keeping track
3709         of its own state that was worse than the state in DebuggerAgent.
3710
3711 2016-11-14  Filip Pizlo  <fpizlo@apple.com>
3712
3713         Unreviewed, fix cloop.
3714
3715         * runtime/JSCellInlines.h:
3716
3717 2016-11-14  Filip Pizlo  <fpizlo@apple.com>
3718
3719         The GC should be optionally concurrent and disabled by default
3720         https://bugs.webkit.org/show_bug.cgi?id=164454
3721
3722         Reviewed by Geoffrey Garen.
3723         
3724         This started out as a patch to have the GC scan the stack at the end, and then the
3725         outage happened and I decided to pick a more aggressive target: give the GC a concurrent
3726         mode that can be enabled at runtime, and whose only effect is that it turns on the
3727         ResumeTheWorldScope. This gives our GC a really intuitive workflow: by default, the GC
3728         thread is running solo with the world stopped and the parallel markers converged and
3729         waiting. We have a parallel work scope to enable the parallel markers and now we have a
3730         ResumeTheWorldScope that will optionally resume the world and then stop it again.
3731         
3732         It's easy to make a concurrent GC that always instantly crashes. I can't promise that
3733         this one won't do that when you run it. I set a specific goal: I wanted to do >10
3734         concurrent GCs in debug mode with generations, optimizing JITs, and parallel marking
3735         disabled.
3736         
3737         To reach this milestone, I needed to do a bunch of stuff:
3738         
3739         - The mutator needs a separate mark stack for the barrier, since it will mutate this
3740           stack concurrently to the collector's slot visitors.
3741         
3742         - The use of CellState to indicate whether an object is being scanned the first time or
3743           a subsequent time was racy. It fails spectacularly when a barrier is fired at the same
3744           time as visitChildren is running or if the barrier runs at the same time as the GC
3745           marks the same object. So, I split SlotVisitor's mark stacks. It's now the case that
3746           you know why you're being scanned by looking at which stack you came off of.
3747         
3748         - All of root marking must be in the collector fixpoint. I renamed markRoots to
3749           markToFixpoint. They say concurrency is hard, but the collector looks more intuitive
3750           this way. We never gained anything from forcing people to make a choice between
3751           scanning something in the fixpoint versus outside of it. Because root scanning is
3752           cheap, we can afford to do it repeatedly, which means all root scanning can now do
3753           constraint-based marking (like: I'll mark you if that thing is marked).
3754         
3755         - JSObject::visitChildren's scanning of the butterfly raced with property additions,
3756           indexed storage transitions and resizing, and a bunch of miscellaneous dirty butterfly
3757           reshaping functions - like the one that flattens a dictionary and some sneaky
3758           ArrayStorage transformations. Many of these can be fixed by using store-store fences
3759           in the mutator and load-load fences in the collector. I've adopted the rule that the
3760           collector must always see either a butterfly and structure that match or a newer
3761           butterfly with an older structure, where their age is just one transition apart. This
3762           can be achieved with fences. For the cases where it breaks down, I added a lock to
3763           every JSCell. This is a full-fledged WTF lock that we sneak into two available bits in
3764           the indexingType. See the WTF ChangeLog for details.
3765           
3766           The mutator fencing rules are as follows:
3767           
3768           - Store-store fence before and after setting the butterfly.
3769           - Store-store fence before setting structure if you had changed the shape of the
3770             butterfly.
3771           - Store-store fence after initializing all fields in an allocation.
3772         
3773         - A dictionary Structure can change in strange ways while the GC is trying to scan it.
3774           So, JSObject::visitChildren will now grab the object's structure's lock if the
3775           object's structure is a dictionary. Dictionary structures are 1:1 with their object,
3776           so this does not reduce GC parallelism (super unlikely that the GC will simultaneously
3777           scan an object from two threads).
3778         
3779         - The GC can blow away a Structure's property table at any time. As a small consolation,
3780           it's now holding the Structure's lock when it does so. But there was tons of code in
3781           Structure that uses DeferGC to prevent the GC from blowing away the property table.
3782           This doesn't work with concurrent GC, since DeferGC only means that the GC won't run
3783           its safepoint (i.e. stop-the-world code) in the DeferGC region. It will still do
3784           marking and it was the Structure::visitChildren that would delete the table. It turns
3785           out that Structure's reliance on the property table not being deleted was the product
3786           of code rot. We already had functions that would materialize the table on demand. We
3787           were simply making the mistake of saying:
3788           
3789               structure->materializePropertyMap();
3790               ...
3791               structure->propertyTable()->things
3792           
3793           Instead of saying:
3794           
3795               PropertyTable* table = structure->ensurePropertyTable();
3796               ...
3797               table->things
3798           
3799           Switching the code to use the latter idiom allowed me to simplify the code a lot while
3800           fixing the race.
3801         
3802         - The LLInt's get_by_val handling was broken because the indexing shape constants were
3803           wrong. Once I started putting more things into the IndexingType, that started causing
3804           crashes for me. So I fixed LLInt. That turned out to be a lot of work, since that code
3805           had rotted in subtle ways.
3806         
3807         This is a speed-up in SunSpider, probably because of the LLInt fix. This is neutral on
3808         Octane and Kraken. It's a smaller slow-down on LongSpider, but I think we can ignore
3809         that (we don't view LongSpider as an official benchmark). By default, the concurrent GC
3810         is disabled: in all of the places where it would have resumed the world to run marking
3811         concurrently to the mutator, it will just skip the resume step. When you enable
3812         concurrent GC (--useConcurrentGC=true), it can sometimes run Octane/splay to completion.
3813         It seems to perform quite well: on my machine, it improves both splay-throughput and
3814         splay-latency. It's probably unstable for other programs.
3815
3816         * API/JSVirtualMachine.mm:
3817         (-[JSVirtualMachine isOldExternalObject:]):
3818         * assembler/MacroAssemblerARMv7.h:
3819         (JSC::MacroAssemblerARMv7::storeFence):
3820         * bytecode/InlineAccess.cpp:
3821         (JSC::InlineAccess::dumpCacheSizesAndCrash):
3822         (JSC::InlineAccess::generateSelfPropertyAccess):
3823         (JSC::InlineAccess::generateArrayLength):
3824         * bytecode/ObjectAllocationProfile.h:
3825         (JSC::ObjectAllocationProfile::offsetOfInlineCapacity):
3826         (JSC::ObjectAllocationProfile::ObjectAllocationProfile):
3827         (JSC::ObjectAllocationProfile::initialize):
3828         (JSC::ObjectAllocationProfile::inlineCapacity):
3829         (JSC::ObjectAllocationProfile::clear):
3830         * bytecode/PolymorphicAccess.cpp:
3831         (JSC::AccessCase::generateWithGuard):
3832         (JSC::AccessCase::generateImpl):
3833         * dfg/DFGArrayifySlowPathGenerator.h:
3834         * dfg/DFGClobberize.h:
3835         (JSC::DFG::clobberize):
3836         * dfg/DFGOSRExitCompiler32_64.cpp:
3837         (JSC::DFG::OSRExitCompiler::compileExit):
3838         * dfg/DFGOSRExitCompiler64.cpp:
3839         (JSC::DFG::OSRExitCompiler::compileExit):
3840         * dfg/DFGOperations.cpp:
3841         * dfg/DFGPlan.cpp:
3842         (JSC::DFG::Plan::markCodeBlocks):
3843         (JSC::DFG::Plan::rememberCodeBlocks):
3844         * dfg/DFGPlan.h:
3845         * dfg/DFGSpeculativeJIT.cpp:
3846         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
3847         (JSC::DFG::SpeculativeJIT::checkArray):
3848         (JSC::DFG::SpeculativeJIT::arrayify):
3849         (JSC::DFG::SpeculativeJIT::compileMakeRope):
3850         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
3851         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
3852         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
3853         (JSC::DFG::SpeculativeJIT::compileSpread):
3854         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
3855         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3856         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
3857         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
3858         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
3859         * dfg/DFGSpeculativeJIT64.cpp:
3860         (JSC::DFG::SpeculativeJIT::compile):
3861         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
3862         * dfg/DFGTierUpCheckInjectionPhase.cpp:
3863         (JSC::DFG::TierUpCheckInjectionPhase::run):
3864         * dfg/DFGWorklist.cpp:
3865         (JSC::DFG::Worklist::markCodeBlocks):
3866         (JSC::DFG::Worklist::rememberCodeBlocks):
3867         (JSC::DFG::markCodeBlocks):
3868         (JSC::DFG::completeAllPlansForVM):
3869         (JSC::DFG::rememberCodeBlocks):
3870         * dfg/DFGWorklist.h:
3871         * ftl/FTLAbstractHeapRepository.cpp:
3872         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
3873         (JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions):
3874         * ftl/FTLAbstractHeapRepository.h:
3875         * ftl/FTLJITCode.cpp:
3876         (JSC::FTL::JITCode::~JITCode):
3877         * ftl/FTLLowerDFGToB3.cpp:
3878         (JSC::FTL::DFG::LowerDFGToB3::compilePutStructure):
3879         (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
3880         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
3881         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
3882         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
3883         (JSC::FTL::DFG::LowerDFGToB3::compileNewObject):
3884         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
3885         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
3886         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
3887         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
3888         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
3889         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
3890         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
3891         (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
3892         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
3893         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
3894         (JSC::FTL::DFG::LowerDFGToB3::splatWords):
3895         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
3896         (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
3897         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
3898         (JSC::FTL::DFG::LowerDFGToB3::isArrayType):
3899         (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
3900         (JSC::FTL::DFG::LowerDFGToB3::mutatorFence):
3901         (JSC::FTL::DFG::LowerDFGToB3::setButterfly):
3902         * ftl/FTLOSRExitCompiler.cpp:
3903         (JSC::FTL::compileStub):
3904         * ftl/FTLOutput.cpp:
3905         (JSC::FTL::Output::signExt32ToPtr):
3906         (JSC::FTL::Output::fence):
3907         * ftl/FTLOutput.h:
3908         * heap/CellState.h:
3909         * heap/GCSegmentedArray.h:
3910         * heap/Heap.cpp:
3911         (JSC::Heap::ResumeTheWorldScope::ResumeTheWorldScope):
3912         (JSC::Heap::ResumeTheWorldScope::~ResumeTheWorldScope):
3913         (JSC::Heap::Heap):
3914         (JSC::Heap::~Heap):
3915         (JSC::Heap::harvestWeakReferences):
3916         (JSC::Heap::finalizeUnconditionalFinalizers):
3917         (JSC::Heap::completeAllJITPlans):
3918         (JSC::Heap::markToFixpoint):
3919         (JSC::Heap::gatherStackRoots):
3920         (JSC::Heap::beginMarking):
3921         (JSC::Heap::visitConservativeRoots):
3922         (JSC::Heap::visitCompilerWorklistWeakReferences):
3923         (JSC::Heap::updateObjectCounts):
3924         (JSC::Heap::endMarking):
3925         (JSC::Heap::addToRememberedSet):
3926         (JSC::Heap::collectInThread):
3927         (JSC::Heap::stopTheWorld):
3928         (JSC::Heap::resumeTheWorld):
3929         (JSC::Heap::setGCDidJIT):
3930         (JSC::Heap::setNeedFinalize):
3931         (JSC::Heap::setMutatorWaiting):
3932         (JSC::Heap::clearMutatorWaiting):
3933         (JSC::Heap::finalize):
3934         (JSC::Heap::flushWriteBarrierBuffer):
3935         (JSC::Heap::writeBarrierSlowPath):
3936         (JSC::Heap::canCollect):
3937         (JSC::Heap::reportExtraMemoryVisited):
3938         (JSC::Heap::reportExternalMemoryVisited):
3939         (JSC::Heap::notifyIsSafeToCollect):
3940         (JSC::Heap::markRoots): Deleted.
3941         (JSC::Heap::visitExternalRememberedSet): Deleted.
3942         (JSC::Heap::visitSmallStrings): Deleted.
3943         (JSC::Heap::visitProtectedObjects): Deleted.
3944         (JSC::Heap::visitArgumentBuffers): Deleted.
3945         (JSC::Heap::visitException): Deleted.
3946         (JSC::Heap::visitStrongHandles): Deleted.
3947         (JSC::Heap::visitHandleStack): Deleted.
3948         (JSC::Heap::visitSamplingProfiler): Deleted.
3949         (JSC::Heap::visitTypeProfiler): Deleted.
3950         (JSC::Heap::visitShadowChicken): Deleted.
3951         (JSC::Heap::traceCodeBlocksAndJITStubRoutines): Deleted.
3952         (JSC::Heap::visitWeakHandles): Deleted.
3953         (JSC::Heap::flushOldStructureIDTables): Deleted.
3954         (JSC::Heap::