18417643325516ea7d500a383f264fada7b582b9
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-11-14  Csaba Osztrogonác  <ossy@webkit.org>

        [ARM] Unreviewed buildfix after r208720.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::storeFence): Stub function copied from MacroAssemblerARMv7.h.

2016-11-14  Caitlin Potter  <caitp@igalia.com>

        [JSC] do not reference AwaitExpression Promises in async function Promise chain
        https://bugs.webkit.org/show_bug.cgi?id=164753

        Reviewed by Yusuke Suzuki.

        Previously, long-running async functions which contained many AwaitExpressions
        would allocate and retain references to intermediate Promise objects for each `await`,
        resulting in a memory leak.

        To mitigate this leak, a reference to the original Promise (and its resolve and reject
        functions) associated with the async function is kept, and passed to each call to
        @asyncFunctionResume, while intermediate Promises are discarded. This is done by adding
        a new Register to the BytecodeGenerator to hold the PromiseCapability object associated
        with an async function wrapper. The capability is used to reject the Promise if an
        exception is thrown during parameter initialization, and is used to store the resulting
        value once the async function has terminated.

        * builtins/AsyncFunctionPrototype.js:
        (globalPrivate.asyncFunctionResume):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::promiseCapabilityRegister):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionNode::emitBytecode):

2016-11-14  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Worker debugging should pause all targets and view call frames in all targets
        https://bugs.webkit.org/show_bug.cgi?id=164305
        <rdar://problem/29056192>

        Reviewed by Timothy Hatcher.

        * inspector/InjectedScriptSource.js:
        (InjectedScript.prototype._propertyDescriptors):
        Accessing __proto__ does a ToThis(...) conversion on the receiver.
        In the case of GlobalObjects (such as WorkerGlobalScope when paused)
        this would return undefined and throw an exception. We can use
        Object.getPrototypeOf to avoid that conversion and possible error.

        * inspector/protocol/Debugger.json:
        Provide a new way to effectively `resume` + `pause` immediately.
        This must be implemented on the backend to correctly synchronize
        the resuming and pausing.

        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::continueUntilNextRunLoop):
        Treat this as `resume` and `pause`. Resume now, and trigger
        a pause if the VM becomes idle and we didn't pause before then
        (such as hitting a breakpoint after we resumed).

        (Inspector::InspectorDebuggerAgent::pause):
        (Inspector::InspectorDebuggerAgent::resume):
        (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
        (Inspector::InspectorDebuggerAgent::cancelPauseOnNextStatement):
        Clean up and correct pause on next statement logic.

        (Inspector::InspectorDebuggerAgent::registerIdleHandler):
        (Inspector::InspectorDebuggerAgent::willStepAndMayBecomeIdle):
        (Inspector::InspectorDebuggerAgent::didBecomeIdle):
        (Inspector::InspectorDebuggerAgent::didBecomeIdleAfterStepping): Deleted.
        The idle handler may now also trigger a pause in the case
        where continueUntilNextRunLoop resumed and wants to pause.

        (Inspector::InspectorDebuggerAgent::didPause):
        Eliminate the useless didPause. The DOMDebugger was keeping track
        of its own state that was worse than the state in DebuggerAgent.

2016-11-14  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix cloop.

        * runtime/JSCellInlines.h:

2016-11-14  Filip Pizlo  <fpizlo@apple.com>

        The GC should be optionally concurrent and disabled by default
        https://bugs.webkit.org/show_bug.cgi?id=164454

        Reviewed by Geoffrey Garen.

        This started out as a patch to have the GC scan the stack at the end, and then the
        outage happened and I decided to pick a more aggressive target: give the GC a concurrent
        mode that can be enabled at runtime, and whose only effect is that it turns on the
        ResumeTheWorldScope. This gives our GC a really intuitive workflow: by default, the GC
        thread is running solo with the world stopped and the parallel markers converged and
        waiting. We have a parallel work scope to enable the parallel markers and now we have a
        ResumeTheWorldScope that will optionally resume the world and then stop it again.

        It's easy to make a concurrent GC that always instantly crashes. I can't promise that
        this one won't do that when you run it. I set a specific goal: I wanted to do >10
        concurrent GCs in debug mode with generations, optimizing JITs, and parallel marking
        disabled.

        To reach this milestone, I needed to do a bunch of stuff:

        - The mutator needs a separate mark stack for the barrier, since it will mutate this
          stack concurrently to the collector's slot visitors.

        - The use of CellState to indicate whether an object is being scanned the first time or
          a subsequent time was racy. It fails spectacularly when a barrier is fired at the same
          time as visitChildren is running or if the barrier runs at the same time as the GC
          marks the same object. So, I split SlotVisitor's mark stacks. It's now the case that
          you know why you're being scanned by looking at which stack you came off of.

        - All of root marking must be in the collector fixpoint. I renamed markRoots to
          markToFixpoint. They say concurrency is hard, but the collector looks more intuitive
          this way. We never gained anything from forcing people to make a choice between
          scanning something in the fixpoint versus outside of it. Because root scanning is
          cheap, we can afford to do it repeatedly, which means all root scanning can now do
          constraint-based marking (like: I'll mark you if that thing is marked).

        - JSObject::visitChildren's scanning of the butterfly raced with property additions,
          indexed storage transitions and resizing, and a bunch of miscellaneous dirty butterfly
          reshaping functions - like the one that flattens a dictionary and some sneaky
          ArrayStorage transformations. Many of these can be fixed by using store-store fences
          in the mutator and load-load fences in the collector. I've adopted the rule that the
          collector must always see either a butterfly and structure that match or a newer
          butterfly with an older structure, where their age is just one transition apart. This
          can be achieved with fences. For the cases where it breaks down, I added a lock to
          every JSCell. This is a full-fledged WTF lock that we sneak into two available bits in
          the indexingType. See the WTF ChangeLog for details.

          The mutator fencing rules are as follows:

          - Store-store fence before and after setting the butterfly.
          - Store-store fence before setting structure if you had changed the shape of the
            butterfly.
          - Store-store fence after initializing all fields in an allocation.

        - A dictionary Structure can change in strange ways while the GC is trying to scan it.
          So, JSObject::visitChildren will now grab the object's structure's lock if the
          object's structure is a dictionary. Dictionary structures are 1:1 with their object,
          so this does not reduce GC parallelism (super unlikely that the GC will simultaneously
          scan an object from two threads).

        - The GC can blow away a Structure's property table at any time. As a small consolation,
          it's now holding the Structure's lock when it does so. But there was tons of code in
          Structure that uses DeferGC to prevent the GC from blowing away the property table.
          This doesn't work with concurrent GC, since DeferGC only means that the GC won't run
          its safepoint (i.e. stop-the-world code) in the DeferGC region. It will still do
          marking and it was the Structure::visitChildren that would delete the table. It turns
          out that Structure's reliance on the property table not being deleted was the product
          of code rot. We already had functions that would materialize the table on demand. We
          were simply making the mistake of saying:

              structure->materializePropertyMap();
              ...
              structure->propertyTable()->things

          Instead of saying:

              PropertyTable* table = structure->ensurePropertyTable();
              ...
              table->things

          Switching the code to use the latter idiom allowed me to simplify the code a lot while
          fixing the race.

        - The LLInt's get_by_val handling was broken because the indexing shape constants were
          wrong. Once I started putting more things into the IndexingType, that started causing
          crashes for me. So I fixed LLInt. That turned out to be a lot of work, since that code
          had rotted in subtle ways.

        This is a speed-up in SunSpider, probably because of the LLInt fix. This is neutral on
        Octane and Kraken. It's a smaller slow-down on LongSpider, but I think we can ignore
        that (we don't view LongSpider as an official benchmark). By default, the concurrent GC
        is disabled: in all of the places where it would have resumed the world to run marking
        concurrently to the mutator, it will just skip the resume step. When you enable
        concurrent GC (--useConcurrentGC=true), it can sometimes run Octane/splay to completion.
        It seems to perform quite well: on my machine, it improves both splay-throughput and
        splay-latency. It's probably unstable for other programs.

        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine isOldExternalObject:]):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::storeFence):
        * bytecode/InlineAccess.cpp:
        (JSC::InlineAccess::dumpCacheSizesAndCrash):
        (JSC::InlineAccess::generateSelfPropertyAccess):
        (JSC::InlineAccess::generateArrayLength):
        * bytecode/ObjectAllocationProfile.h:
        (JSC::ObjectAllocationProfile::offsetOfInlineCapacity):
        (JSC::ObjectAllocationProfile::ObjectAllocationProfile):
        (JSC::ObjectAllocationProfile::initialize):
        (JSC::ObjectAllocationProfile::inlineCapacity):
        (JSC::ObjectAllocationProfile::clear):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::generateWithGuard):
        (JSC::AccessCase::generateImpl):
        * dfg/DFGArrayifySlowPathGenerator.h:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::markCodeBlocks):
        (JSC::DFG::Plan::rememberCodeBlocks):
        * dfg/DFGPlan.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::arrayify):
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
        (JSC::DFG::SpeculativeJIT::compileCreateActivation):
        (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileSpread):
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileNewStringObject):
        (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
        (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::markCodeBlocks):
        (JSC::DFG::Worklist::rememberCodeBlocks):
        (JSC::DFG::markCodeBlocks):
        (JSC::DFG::completeAllPlansForVM):
        (JSC::DFG::rememberCodeBlocks):
        * dfg/DFGWorklist.h:
        * ftl/FTLAbstractHeapRepository.cpp:
        (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
        (JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::~JITCode):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compilePutStructure):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
        (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::splatWords):
        (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
        (JSC::FTL::DFG::LowerDFGToB3::isArrayType):
        (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
        (JSC::FTL::DFG::LowerDFGToB3::mutatorFence):
        (JSC::FTL::DFG::LowerDFGToB3::setButterfly):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLOutput.cpp:
        (JSC::FTL::Output::signExt32ToPtr):
        (JSC::FTL::Output::fence):
        * ftl/FTLOutput.h:
        * heap/CellState.h:
        * heap/GCSegmentedArray.h:
        * heap/Heap.cpp:
        (JSC::Heap::ResumeTheWorldScope::ResumeTheWorldScope):
        (JSC::Heap::ResumeTheWorldScope::~ResumeTheWorldScope):
        (JSC::Heap::Heap):
        (JSC::Heap::~Heap):
        (JSC::Heap::harvestWeakReferences):
        (JSC::Heap::finalizeUnconditionalFinalizers):
        (JSC::Heap::completeAllJITPlans):
        (JSC::Heap::markToFixpoint):
        (JSC::Heap::gatherStackRoots):
        (JSC::Heap::beginMarking):
        (JSC::Heap::visitConservativeRoots):
        (JSC::Heap::visitCompilerWorklistWeakReferences):
        (JSC::Heap::updateObjectCounts):
        (JSC::Heap::endMarking):
        (JSC::Heap::addToRememberedSet):
        (JSC::Heap::collectInThread):
        (JSC::Heap::stopTheWorld):
        (JSC::Heap::resumeTheWorld):
        (JSC::Heap::setGCDidJIT):
        (JSC::Heap::setNeedFinalize):
        (JSC::Heap::setMutatorWaiting):
        (JSC::Heap::clearMutatorWaiting):
        (JSC::Heap::finalize):
        (JSC::Heap::flushWriteBarrierBuffer):
        (JSC::Heap::writeBarrierSlowPath):
        (JSC::Heap::canCollect):
        (JSC::Heap::reportExtraMemoryVisited):
        (JSC::Heap::reportExternalMemoryVisited):
        (JSC::Heap::notifyIsSafeToCollect):
        (JSC::Heap::markRoots): Deleted.
        (JSC::Heap::visitExternalRememberedSet): Deleted.
        (JSC::Heap::visitSmallStrings): Deleted.
        (JSC::Heap::visitProtectedObjects): Deleted.
        (JSC::Heap::visitArgumentBuffers): Deleted.
        (JSC::Heap::visitException): Deleted.
        (JSC::Heap::visitStrongHandles): Deleted.
        (JSC::Heap::visitHandleStack): Deleted.
        (JSC::Heap::visitSamplingProfiler): Deleted.
        (JSC::Heap::visitTypeProfiler): Deleted.
        (JSC::Heap::visitShadowChicken): Deleted.
        (JSC::Heap::traceCodeBlocksAndJITStubRoutines): Deleted.
        (JSC::Heap::visitWeakHandles): Deleted.
        (JSC::Heap::flushOldStructureIDTables): Deleted.
        (JSC::Heap::stopAllocation): Deleted.
        * heap/Heap.h:
        (JSC::Heap::collectorSlotVisitor):
        (JSC::Heap::mutatorMarkStack):
        (JSC::Heap::mutatorShouldBeFenced):
        (JSC::Heap::addressOfMutatorShouldBeFenced):
        (JSC::Heap::slotVisitor): Deleted.
        (JSC::Heap::notifyIsSafeToCollect): Deleted.
        (JSC::Heap::barrierShouldBeFenced): Deleted.
        (JSC::Heap::addressOfBarrierShouldBeFenced): Deleted.
        * heap/MarkStack.cpp:
        (JSC::MarkStackArray::transferTo):
        * heap/MarkStack.h:
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::tryAllocateIn):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::MarkedBlock):
        (JSC::MarkedBlock::Handle::specializedSweep):
        (JSC::MarkedBlock::Handle::sweep):
        (JSC::MarkedBlock::Handle::sweepHelperSelectMarksMode):
        (JSC::MarkedBlock::Handle::stopAllocating):
        (JSC::MarkedBlock::Handle::resumeAllocating):
        (JSC::MarkedBlock::aboutToMarkSlow):
        (JSC::MarkedBlock::Handle::didConsumeFreeList):
        (JSC::SetNewlyAllocatedFunctor::SetNewlyAllocatedFunctor): Deleted.
        (JSC::SetNewlyAllocatedFunctor::operator()): Deleted.
        * heap/MarkedBlock.h:
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::resumeAllocating):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::SlotVisitor):
        (JSC::SlotVisitor::~SlotVisitor):
        (JSC::SlotVisitor::reset):
        (JSC::SlotVisitor::clearMarkStacks):
        (JSC::SlotVisitor::appendJSCellOrAuxiliary):
        (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
        (JSC::SlotVisitor::appendToMarkStack):
        (JSC::SlotVisitor::appendToMutatorMarkStack):
        (JSC::SlotVisitor::visitChildren):
        (JSC::SlotVisitor::donateKnownParallel):
        (JSC::SlotVisitor::drain):
        (JSC::SlotVisitor::drainFromShared):
        (JSC::SlotVisitor::containsOpaqueRoot):
        (JSC::SlotVisitor::donateAndDrain):
        (JSC::SlotVisitor::mergeOpaqueRoots):
        (JSC::SlotVisitor::dump):
        (JSC::SlotVisitor::clearMarkStack): Deleted.
        (JSC::SlotVisitor::opaqueRootCount): Deleted.
        * heap/SlotVisitor.h:
        (JSC::SlotVisitor::collectorMarkStack):
        (JSC::SlotVisitor::mutatorMarkStack):
        (JSC::SlotVisitor::isEmpty):
        (JSC::SlotVisitor::bytesVisited):
        (JSC::SlotVisitor::markStack): Deleted.
        (JSC::SlotVisitor::bytesCopied): Deleted.
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::reportExtraMemoryVisited):
        (JSC::SlotVisitor::reportExternalMemoryVisited):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
        (JSC::AssemblyHelpers::barrierStoreLoadFence):
        (JSC::AssemblyHelpers::mutatorFence):
        (JSC::AssemblyHelpers::storeButterfly):
        (JSC::AssemblyHelpers::jumpIfMutatorFenceNotNeeded):
        (JSC::AssemblyHelpers::emitInitializeInlineStorage):
        (JSC::AssemblyHelpers::emitInitializeOutOfLineStorage):
        (JSC::AssemblyHelpers::jumpIfBarrierStoreLoadFenceNotNeeded): Deleted.
        * jit/JITInlines.h:
        (JSC::JIT::emitArrayProfilingSiteWithCell):
        * jit/JITOperations.cpp:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emit_op_put_to_arguments):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::create):
        (JSC::Butterfly::createOrGrowPropertyStorage):
        * runtime/ConcurrentJITLock.h:
        (JSC::GCSafeConcurrentJITLocker::NoDefer::NoDefer): Deleted.
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
        (JSC::GenericArguments<Type>::putByIndex):
        * runtime/IndexingType.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::unshiftCountSlowCase):
        (JSC::JSArray::unshiftCountWithArrayStorage):
        * runtime/JSCell.h:
        (JSC::JSCell::InternalLocker::InternalLocker):
        (JSC::JSCell::InternalLocker::~InternalLocker):
        (JSC::JSCell::atomicCompareExchangeCellStateWeakRelaxed):
        (JSC::JSCell::atomicCompareExchangeCellStateStrong):
        (JSC::JSCell::indexingTypeAndMiscOffset):
        (JSC::JSCell::indexingTypeOffset): Deleted.
        * runtime/JSCellInlines.h:
        (JSC::JSCell::JSCell):
        (JSC::JSCell::finishCreation):
        (JSC::JSCell::indexingTypeAndMisc):
        (JSC::JSCell::indexingType):
        (JSC::JSCell::setStructure):
        (JSC::JSCell::callDestructor):
        (JSC::JSCell::lockInternalLock):
        (JSC::JSCell::unlockInternalLock):
        * runtime/JSObject.cpp:
        (JSC::JSObject::visitButterfly):
        (JSC::JSObject::visitChildren):
        (JSC::JSFinalObject::visitChildren):
        (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
        (JSC::JSObject::createInitialUndecided):
        (JSC::JSObject::createInitialInt32):
        (JSC::JSObject::createInitialDouble):
        (JSC::JSObject::createInitialContiguous):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::convertUndecidedToArrayStorage):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::JSObject::increaseVectorLength):
        (JSC::JSObject::ensureLengthSlow):
        (JSC::JSObject::reallocateAndShrinkButterfly):
        (JSC::JSObject::allocateMoreOutOfLineStorage):
        (JSC::JSObject::shiftButterflyAfterFlattening):
        (JSC::JSObject::growOutOfLineStorage): Deleted.
        * runtime/JSObject.h:
        (JSC::JSFinalObject::JSFinalObject):
        (JSC::JSObject::setButterfly):
        (JSC::JSObject::getOwnNonIndexPropertySlot):
        (JSC::JSObject::fillCustomGetterPropertySlot):
        (JSC::JSObject::getOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::setStructureAndButterfly): Deleted.
        (JSC::JSObject::setButterflyWithoutChangingStructure): Deleted.
        (JSC::JSObject::putDirectInternal): Deleted.
        (JSC::JSObject::putDirectWithoutTransition): Deleted.
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::getNonIndexPropertySlot):
        (JSC::JSObject::putDirectWithoutTransition):
        (JSC::JSObject::putDirectInternal):
        * runtime/Options.h:
        * runtime/SparseArrayValueMap.h:
        * runtime/Structure.cpp:
        (JSC::Structure::dumpStatistics):
        (JSC::Structure::findStructuresAndMapForMaterialization):
        (JSC::Structure::materializePropertyTable):
        (JSC::Structure::addNewPropertyTransition):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::takePropertyTableOrCloneIfPinned):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::isSealed):
        (JSC::Structure::isFrozen):
        (JSC::Structure::flattenDictionaryStructure):
        (JSC::Structure::pin):
        (JSC::Structure::pinForCaching):
        (JSC::Structure::willStoreValueSlow):
        (JSC::Structure::copyPropertyTableForPinning):
        (JSC::Structure::add):
        (JSC::Structure::remove):
        (JSC::Structure::getPropertyNamesFromStructure):
        (JSC::Structure::visitChildren):
        (JSC::Structure::materializePropertyMap): Deleted.
        (JSC::Structure::addPropertyWithoutTransition): Deleted.
        (JSC::Structure::removePropertyWithoutTransition): Deleted.
        (JSC::Structure::copyPropertyTable): Deleted.
        (JSC::Structure::createPropertyMap): Deleted.
        (JSC::PropertyTable::checkConsistency): Deleted.
        (JSC::Structure::checkConsistency): Deleted.
        * runtime/Structure.h:
        * runtime/StructureIDBlob.h:
        (JSC::StructureIDBlob::StructureIDBlob):
        (JSC::StructureIDBlob::indexingTypeIncludingHistory):
        (JSC::StructureIDBlob::setIndexingTypeIncludingHistory):
        (JSC::StructureIDBlob::indexingTypeIncludingHistoryOffset):
        (JSC::StructureIDBlob::indexingType): Deleted.
        (JSC::StructureIDBlob::setIndexingType): Deleted.
        (JSC::StructureIDBlob::indexingTypeOffset): Deleted.
        * runtime/StructureInlines.h:
        (JSC::Structure::get):
        (JSC::Structure::checkOffsetConsistency):
        (JSC::Structure::checkConsistency):
        (JSC::Structure::add):
        (JSC::Structure::remove):
        (JSC::Structure::addPropertyWithoutTransition):
        (JSC::Structure::removePropertyWithoutTransition):
        (JSC::Structure::setPropertyTable):
        (JSC::Structure::putWillGrowOutOfLineStorage): Deleted.
        (JSC::Structure::propertyTable): Deleted.
        (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Deleted.

2016-11-14  Keith Miller  <keith_miller@apple.com>

        Add Wasm select
        https://bugs.webkit.org/show_bug.cgi?id=164743

        Reviewed by Saam Barati.

        Also, this patch fixes an issue with the jsc.cpp test harness where negative numbers would be sign extended
        when they shouldn't be.

        * jsc.cpp:
        (box):
        * wasm/WasmB3IRGenerator.cpp:
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseExpression):
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::Validate::addSelect):

2016-11-11  Geoffrey Garen  <ggaren@apple.com>

        JSC should distinguish between local and global eval
        https://bugs.webkit.org/show_bug.cgi?id=164628

        Reviewed by Saam Barati.

        Local use of the 'eval' keyword and invocation of the global window.eval
        function are distinct operations in JavaScript.

        This patch splits out LocalEvalExecutable vs GlobalEvalExecutable in
        order to help distinguish these operations in code.

        Our code used to do some silly things for lack of distinguishing these
        cases. For example, it would double cache local eval in CodeCache and
        EvalCodeCache. This made CodeCache seem more complicated than it really
        was.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj: Added some files.

        * bytecode/CodeBlock.h:

        * bytecode/EvalCodeCache.h:
        (JSC::EvalCodeCache::tryGet):
        (JSC::EvalCodeCache::set):
        (JSC::EvalCodeCache::getSlow): Deleted. Moved code generation out of
        the cache to avoid tight coupling. Now the cache just caches.

        * bytecode/UnlinkedEvalCodeBlock.h:
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
        * bytecode/UnlinkedModuleProgramCodeBlock.h:
        * bytecode/UnlinkedProgramCodeBlock.h:
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::evaluateWithScopeExtension): Updated for interface
        changes.

        * interpreter/Interpreter.cpp:
        (JSC::eval): Moved code generation here so the cache didn't need to build
        it in.

        * llint/LLIntOffsetsExtractor.cpp:

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalCodeBlock): No need to check for TDZ
        variables any more. We only cache global programs, and global variable
        access always does TDZ checks.

        (JSC::CodeCache::getUnlinkedProgramCodeBlock):
        (JSC::CodeCache::getUnlinkedGlobalEvalCodeBlock):
        (JSC::CodeCache::getUnlinkedModuleProgramCodeBlock):
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):

        (JSC::CodeCache::CodeCache): Deleted.
        (JSC::CodeCache::~CodeCache): Deleted.
        (JSC::CodeCache::getGlobalCodeBlock): Deleted.
        (JSC::CodeCache::getProgramCodeBlock): Deleted.
        (JSC::CodeCache::getEvalCodeBlock): Deleted.
        (JSC::CodeCache::getModuleProgramCodeBlock): Deleted.
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode): Deleted.

        * runtime/CodeCache.h:
        (JSC::CodeCache::clear):
        (JSC::generateUnlinkedCodeBlock): Moved unlinked code block creation
        out of the CodeCache class and into a stand-alone function because
        we need it for local eval, which does not live in CodeCache.

        * runtime/EvalExecutable.cpp:
        (JSC::EvalExecutable::create): Deleted.
        * runtime/EvalExecutable.h:
        (): Deleted.
        * runtime/GlobalEvalExecutable.cpp: Added.
        (JSC::GlobalEvalExecutable::create):
        (JSC::GlobalEvalExecutable::GlobalEvalExecutable):
        * runtime/GlobalEvalExecutable.h: Added.
        * runtime/LocalEvalExecutable.cpp: Added.
        (JSC::LocalEvalExecutable::create):
        (JSC::LocalEvalExecutable::LocalEvalExecutable):
        * runtime/LocalEvalExecutable.h: Added. Split out Local vs Global
        EvalExecutable classes to distinguish these operations in code. The key
        difference is that LocalEvalExecutable does not live in the CodeCache
        and only lives in the EvalCodeCache.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createProgramCodeBlock):
        (JSC::JSGlobalObject::createLocalEvalCodeBlock):
        (JSC::JSGlobalObject::createGlobalEvalCodeBlock):
        (JSC::JSGlobalObject::createModuleProgramCodeBlock):
        (JSC::JSGlobalObject::createEvalCodeBlock): Deleted.
        * runtime/JSGlobalObject.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):

        * runtime/JSScope.cpp:
        (JSC::JSScope::collectClosureVariablesUnderTDZ):
        (JSC::JSScope::collectVariablesUnderTDZ): Deleted. We don't include
        global lexical variables in our concept of TDZ scopes anymore. Global
        variable access always does TDZ checks unconditionally. So, only closure
        scope accesses give specific consideration to TDZ checks.

        * runtime/JSScope.h:

641 2016-11-14  Caitlin Potter  <caitp@igalia.com>
642
643         [JSC] Handle new_async_func / new_async_func_exp in DFG / FTL
644         https://bugs.webkit.org/show_bug.cgi?id=164037
645
646         Reviewed by Yusuke Suzuki.
647
648         This patch introduces new_async_func / new_async_func_exp into DFG and FTL,
649         in much the same capacity that https://trac.webkit.org/changeset/194216 added
650         DFG / FTL support for generators: by adding new DFG nodes (NewAsyncFunction and
651         PhantomNewAsyncFunction), rather than extending the existing NewFunction node type.
652
653         Like NewFunction and PhantomNewFunction, and the Generator variants, allocation of
654         async wrapper functions may be deferred or eliminated during the allocation sinking
655         phase.
656
657         * dfg/DFGAbstractInterpreterInlines.h:
658         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
659         * dfg/DFGByteCodeParser.cpp:
660         (JSC::DFG::ByteCodeParser::parseBlock):
661         * dfg/DFGCapabilities.cpp:
662         (JSC::DFG::capabilityLevel):
663         * dfg/DFGClobberize.h:
664         (JSC::DFG::clobberize):
665         * dfg/DFGClobbersExitState.cpp:
666         (JSC::DFG::clobbersExitState):
667         * dfg/DFGDoesGC.cpp:
668         (JSC::DFG::doesGC):
669         * dfg/DFGFixupPhase.cpp:
670         (JSC::DFG::FixupPhase::fixupNode):
671         * dfg/DFGMayExit.cpp:
672         * dfg/DFGNode.h:
673         (JSC::DFG::Node::convertToPhantomNewFunction):
674         (JSC::DFG::Node::convertToPhantomNewAsyncFunction):
675         (JSC::DFG::Node::hasCellOperand):
676         (JSC::DFG::Node::isFunctionAllocation):
677         (JSC::DFG::Node::isPhantomFunctionAllocation):
678         (JSC::DFG::Node::isPhantomAllocation):
679         * dfg/DFGNodeType.h:
680         * dfg/DFGObjectAllocationSinkingPhase.cpp:
681         * dfg/DFGPredictionPropagationPhase.cpp:
682         * dfg/DFGSafeToExecute.h:
683         (JSC::DFG::safeToExecute):
684         * dfg/DFGSpeculativeJIT.cpp:
685         (JSC::DFG::SpeculativeJIT::compileNewFunction):
686         * dfg/DFGSpeculativeJIT32_64.cpp:
687         (JSC::DFG::SpeculativeJIT::compile):
688         * dfg/DFGSpeculativeJIT64.cpp:
689         (JSC::DFG::SpeculativeJIT::compile):
690         * dfg/DFGStoreBarrierInsertionPhase.cpp:
691         * dfg/DFGStructureRegistrationPhase.cpp:
692         (JSC::DFG::StructureRegistrationPhase::run):
693         * dfg/DFGValidate.cpp:
694         * ftl/FTLCapabilities.cpp:
695         (JSC::FTL::canCompile):
696         * ftl/FTLLowerDFGToB3.cpp:
697         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
698         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
699         * ftl/FTLOperations.cpp:
700         (JSC::FTL::operationPopulateObjectInOSR):
701         (JSC::FTL::operationMaterializeObjectInOSR):
702         * runtime/JSGlobalObject.cpp:
703         (JSC::JSGlobalObject::init):
704         (JSC::JSGlobalObject::visitChildren):
705         * runtime/JSGlobalObject.h:
706         (JSC::JSGlobalObject::asyncFunctionPrototype):
707         (JSC::JSGlobalObject::asyncFunctionStructure):
708         (JSC::JSGlobalObject::lazyAsyncFunctionStructure): Deleted.
709         (JSC::JSGlobalObject::asyncFunctionPrototypeConcurrently): Deleted.
710         (JSC::JSGlobalObject::asyncFunctionStructureConcurrently): Deleted.
711
712 2016-11-14  Mark Lam  <mark.lam@apple.com>
713
714         Some of JSStringView::SafeView methods are not idiomatically safe for JSString to StringView conversions.
715         https://bugs.webkit.org/show_bug.cgi?id=164701
716         <rdar://problem/27462104>
717
718         Reviewed by Darin Adler.
719
720         The characters8(), characters16(), and operator[] in JSString::SafeView converts
721         the underlying JSString to a StringView via get(), and then uses the StringView
722         without first checking if an exception was thrown during the conversion.  This is
723         unsafe because the conversion may have failed.
724         
725         Instead, we should remove these 3 convenience methods, and make the caller
726         explicitly call get() and do the appropriate exception checks before using the
727         StringView.
728
729         * runtime/JSGlobalObjectFunctions.cpp:
730         (JSC::toStringView):
731         (JSC::encode):
732         (JSC::decode):
733         (JSC::globalFuncParseInt):
734         (JSC::globalFuncEscape):
735         (JSC::globalFuncUnescape):
736         (JSC::toSafeView): Deleted.
737         * runtime/JSONObject.cpp:
738         (JSC::JSONProtoFuncParse):
739         * runtime/JSString.h:
740         (JSC::JSString::SafeView::length):
741         (JSC::JSString::SafeView::characters8): Deleted.
742         (JSC::JSString::SafeView::characters16): Deleted.
743         (JSC::JSString::SafeView::operator[]): Deleted.
744         * runtime/StringPrototype.cpp:
745         (JSC::stringProtoFuncRepeatCharacter):
746         (JSC::stringProtoFuncCharAt):
747         (JSC::stringProtoFuncCharCodeAt):
748         (JSC::stringProtoFuncNormalize):
749
750 2016-11-14  Mark Lam  <mark.lam@apple.com>
751
752         RegExpObject::exec/match should handle errors gracefully.
753         https://bugs.webkit.org/show_bug.cgi?id=155145
754         <rdar://problem/27435934>
755
756         Reviewed by Keith Miller.
757
758         1. Added some missing exception checks to RegExpObject::execInline() and
759            RegExpObject::matchInline().
760         2. Updated related code to work with ExceptionScope verification requirements.
761
762         * dfg/DFGOperations.cpp:
763         * runtime/RegExpObjectInlines.h:
764         (JSC::RegExpObject::execInline):
765         (JSC::RegExpObject::matchInline):
766         * runtime/RegExpPrototype.cpp:
767         (JSC::regExpProtoFuncTestFast):
768         (JSC::regExpProtoFuncExec):
769         (JSC::regExpProtoFuncMatchFast):
770
771 2016-11-13  Mark Lam  <mark.lam@apple.com>
772
773         Add debugging facility to limit the max single allocation size.
774         https://bugs.webkit.org/show_bug.cgi?id=164681
775
776         Reviewed by Keith Miller.
777
778         Added JSC option to set FastMalloc's maxSingleAllocationSize for testing purposes.
779         This option is only available on Debug builds.
780
781         * runtime/Options.cpp:
782         (JSC::Options::isAvailable):
783         (JSC::recomputeDependentOptions):
784         * runtime/Options.h:
785
786 2016-11-12  Joseph Pecoraro  <pecoraro@apple.com>
787
788         Follow-up fix to r208639.
789
790         Unreviewed fix. This is a straightforward change where I forgot to
791         switch from uncheckedArgument() to argument() in one case after
792         dropping an argumentCount check. All other cases do this properly.
793         This addresses an ASSERT seen on the bots running tests.
794
795         * runtime/JSDataViewPrototype.cpp:
796         (JSC::setData):
797
798 2016-11-11  Joseph Pecoraro  <pecoraro@apple.com>
799
800         test262: DataView with explicit undefined byteLength should be the same as it not being present
801         https://bugs.webkit.org/show_bug.cgi?id=164453
802
803         Reviewed by Darin Adler.
804
805         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
806         (JSC::constructGenericTypedArrayView):
807         Handle the special case of DataView construction with an undefined byteLength value.
808
809 2016-11-11  Joseph Pecoraro  <pecoraro@apple.com>
810
811         test262: DataView get methods should allow for missing offset, set methods should allow for missing value
812         https://bugs.webkit.org/show_bug.cgi?id=164451
813
814         Reviewed by Darin Adler.
815
816         * runtime/JSDataViewPrototype.cpp:
817         (JSC::getData):
818         Missing offset is still valid and will be coerced to 0.
819
820         (JSC::setData):
821         Missing value is still valid and will be coerced to 0.
822
823 2016-11-11  Saam Barati  <sbarati@apple.com>
824
825         We should have a more concise way of determining when we're varargs calling a function using rest parameters
826         https://bugs.webkit.org/show_bug.cgi?id=164258
827
828         Reviewed by Yusuke Suzuki.
829
830         This patch adds two new bytecodes and DFG nodes for the following code patterns:
831
832         ```
833         foo(a, b, ...c)
834         let x = [a, b, ...c];
835         ```
836
837         To do this, I've introduced two new bytecode operations (and their
838         corresponding DFG nodes):
839
840         op_spread and op_new_array_with_spread.
841
842         op_spread takes a single input and performs the ES6 iteration protocol on it.
843         It returns the result of doing the spread inside a new class I've
844         made called JSFixedArray. JSFixedArray is a cell with a single 'size'
845         field and a buffer of values allocated inline in the cell. Abstracting
846         the protocol into a single node is good because it will make IR analysis
847         in the future much simpler. For now, it's also good because it allows
848         us to create fast paths for array iteration (which is quite common).
849         This fast path allows us to emit really good code for array iteration
850         inside the DFG/FTL.
851
852         op_new_array_with_spread is a variable argument bytecode that also
853         has a bit vector associated with it. The bit vector indicates if
854         any particular argument is to be spread or not. Arguments that
855         are spread are known to be JSFixedArray because we must emit an
856         op_spread before op_new_array_with_spread consumes the value.
857         For example, for this array:
858         [a, b, ...c, d, ...e]
859         we will have this bit vector:
860         [0, 0, 1, 0, 1]
861
862         The reason I've chosen this IR is that it will make eliminating
863         a rest allocation for this type of code much easier:
864
865         ```
866         function foo(...args) {
867             return bar(a, b, ...args);
868         }
869         ```
870
871         It will be easier to analyze the IR now that the operations
872         will be described at a high level.
873
874         This patch is an ~8% speedup on ES6SampleBench on my MBP.
875
876         * CMakeLists.txt:
877         * DerivedSources.make:
878         * JavaScriptCore.xcodeproj/project.pbxproj:
879         * builtins/IteratorHelpers.js: Added.
880         (performIteration):
881         * bytecode/BytecodeList.json:
882         * bytecode/BytecodeUseDef.h:
883         (JSC::computeUsesForBytecodeOffset):
884         (JSC::computeDefsForBytecodeOffset):
885         * bytecode/CodeBlock.cpp:
886         (JSC::CodeBlock::dumpBytecode):
887         * bytecode/ObjectPropertyConditionSet.cpp:
888         (JSC::generateConditionForSelfEquivalence):
889         * bytecode/ObjectPropertyConditionSet.h:
890         * bytecode/TrackedReferences.cpp:
891         (JSC::TrackedReferences::check):
892         * bytecode/UnlinkedCodeBlock.h:
893         (JSC::UnlinkedCodeBlock::bitVectors):
894         (JSC::UnlinkedCodeBlock::bitVector):
895         (JSC::UnlinkedCodeBlock::addBitVector):
896         (JSC::UnlinkedCodeBlock::shrinkToFit):
897         * bytecompiler/BytecodeGenerator.cpp:
898         (JSC::BytecodeGenerator::emitNewArrayWithSpread):
899         * bytecompiler/BytecodeGenerator.h:
900         * bytecompiler/NodesCodegen.cpp:
901         (JSC::ArrayNode::emitBytecode):
902         * dfg/DFGAbstractInterpreterInlines.h:
903         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
904         * dfg/DFGByteCodeParser.cpp:
905         (JSC::DFG::ByteCodeParser::addToGraph):
906         (JSC::DFG::ByteCodeParser::parseBlock):
907         * dfg/DFGCapabilities.cpp:
908         (JSC::DFG::capabilityLevel):
909         * dfg/DFGClobberize.h:
910         (JSC::DFG::clobberize):
911         * dfg/DFGDoesGC.cpp:
912         (JSC::DFG::doesGC):
913         * dfg/DFGFixupPhase.cpp:
914         (JSC::DFG::FixupPhase::fixupNode):
915         (JSC::DFG::FixupPhase::watchHavingABadTime):
916         * dfg/DFGGraph.h:
917         (JSC::DFG::Graph::isWatchingArrayIteratorProtocolWatchpoint):
918         * dfg/DFGNode.h:
919         (JSC::DFG::Node::bitVector):
920         * dfg/DFGNodeType.h:
921         * dfg/DFGOperations.cpp:
922         * dfg/DFGOperations.h:
923         * dfg/DFGPredictionPropagationPhase.cpp:
924         * dfg/DFGSafeToExecute.h:
925         (JSC::DFG::safeToExecute):
926         * dfg/DFGSpeculativeJIT.cpp:
927         (JSC::DFG::SpeculativeJIT::compileSpread):
928         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
929         * dfg/DFGSpeculativeJIT.h:
930         (JSC::DFG::SpeculativeJIT::callOperation):
931         * dfg/DFGSpeculativeJIT32_64.cpp:
932         (JSC::DFG::SpeculativeJIT::compile):
933         * dfg/DFGSpeculativeJIT64.cpp:
934         (JSC::DFG::SpeculativeJIT::compile):
935         * dfg/DFGStructureRegistrationPhase.cpp:
936         (JSC::DFG::StructureRegistrationPhase::run):
937         * ftl/FTLAbstractHeapRepository.h:
938         * ftl/FTLCapabilities.cpp:
939         (JSC::FTL::canCompile):
940         * ftl/FTLLowerDFGToB3.cpp:
941         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
942         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
943         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
944         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
945         * jit/AssemblyHelpers.h:
946         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
947         (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
948         * jit/JIT.cpp:
949         (JSC::JIT::privateCompileMainPass):
950         * jit/JIT.h:
951         * jit/JITOpcodes.cpp:
952         (JSC::JIT::emit_op_new_array_with_spread):
953         (JSC::JIT::emit_op_spread):
954         * jit/JITOperations.h:
955         * llint/LLIntData.cpp:
956         (JSC::LLInt::Data::performAssertions):
957         * llint/LLIntSlowPaths.cpp:
958         * llint/LowLevelInterpreter.asm:
959         * runtime/ArrayIteratorAdaptiveWatchpoint.cpp: Added.
960         (JSC::ArrayIteratorAdaptiveWatchpoint::ArrayIteratorAdaptiveWatchpoint):
961         (JSC::ArrayIteratorAdaptiveWatchpoint::handleFire):
962         * runtime/ArrayIteratorAdaptiveWatchpoint.h: Added.
963         * runtime/CommonSlowPaths.cpp:
964         (JSC::SLOW_PATH_DECL):
965         * runtime/CommonSlowPaths.h:
966         * runtime/IteratorOperations.h:
967         (JSC::forEachInIterable):
968         * runtime/JSCInlines.h:
969         * runtime/JSFixedArray.cpp: Added.
970         (JSC::JSFixedArray::visitChildren):
971         * runtime/JSFixedArray.h: Added.
972         (JSC::JSFixedArray::createStructure):
973         (JSC::JSFixedArray::createFromArray):
974         (JSC::JSFixedArray::get):
975         (JSC::JSFixedArray::buffer):
976         (JSC::JSFixedArray::size):
977         (JSC::JSFixedArray::offsetOfSize):
978         (JSC::JSFixedArray::offsetOfData):
979         (JSC::JSFixedArray::create):
980         (JSC::JSFixedArray::JSFixedArray):
981         (JSC::JSFixedArray::allocationSize):
982         * runtime/JSGlobalObject.cpp:
983         (JSC::JSGlobalObject::JSGlobalObject):
984         (JSC::JSGlobalObject::init):
985         (JSC::JSGlobalObject::visitChildren):
986         (JSC::JSGlobalObject::objectPrototypeIsSane): Deleted.
987         (JSC::JSGlobalObject::arrayPrototypeChainIsSane): Deleted.
988         (JSC::JSGlobalObject::stringPrototypeChainIsSane): Deleted.
989         * runtime/JSGlobalObject.h:
990         (JSC::JSGlobalObject::arrayIteratorProtocolWatchpoint):
991         (JSC::JSGlobalObject::iteratorProtocolFunction):
992         * runtime/JSGlobalObjectInlines.h: Added.
993         (JSC::JSGlobalObject::objectPrototypeIsSane):
994         (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
995         (JSC::JSGlobalObject::stringPrototypeChainIsSane):
996         (JSC::JSGlobalObject::isArrayIteratorProtocolFastAndNonObservable):
997         * runtime/JSType.h:
998         * runtime/VM.cpp:
999         (JSC::VM::VM):
1000         * runtime/VM.h:
1001
1002 2016-11-11  Keith Miller  <keith_miller@apple.com>
1003
1004         Move Wasm tests to JS
1005         https://bugs.webkit.org/show_bug.cgi?id=164611
1006
1007         Reviewed by Geoffrey Garen.
1008
1009         This patch translates most of the tests from testWasm.cpp to the JS testing api. Most of the
1010         omitted tests were the earliest tests, which tested trivial things, like adding two
1011         constants. Some tests are omitted for other reasons, however. These are:
1012
1013         1) Tests using I64 since the testing api does not yet know how to handle 64-bit numbers.
1014         2) Tests that would validate the memory of the module once wasm was done with it since that's
1015         not really possible in JS.
1016
1017         In order to make such a translation easier this patch also adds some features to the JS
1018         testing api:
1019
1020         1) Blocks can now be done lexically by adding a lambda as the last argument of the block
1021         opcode. For example one can do:
1022             ...
1023             .Block("i32", b => b.I32Const(1) )
1024
1025         and the nested lambda will automatically have an end attached.
1026
1027         2) The JS testing api can now handle inline signature types.
1028
1029         3) Relocate some code to make it easier to follow and prevent 44 space indentation.
1030
1031         4) Rename varuint/varint to varuint32/varint32; this lets them be called directly from the
1032         wasm.json without being remapped.
1033
1034         5) Add support for Memory and Function sections to the Builder.
1035
1036         6) Add support for local variables.
1037
1038         On the JSC side, we needed to expose a new function to validate the compiled wasm code
1039         behaves the way we expect. At least until the JS Wasm API is finished. The new validation
1040         function, testWasmModuleFunctions, takes an array buffer containing the wasm binary, the
1041         number of functions in the blob and tests for each of those functions.
1042
1043         * jsc.cpp:
1044         (GlobalObject::finishCreation):
1045         (box):
1046         (callWasmFunction):
1047         (functionTestWasmModuleFunctions):
1048         * testWasm.cpp:
1049         (checkPlan):
1050         (runWasmTests):
1051         * wasm/WasmB3IRGenerator.cpp:
1052         (JSC::Wasm::parseAndCompile):
1053         * wasm/WasmFunctionParser.h:
1054         (JSC::Wasm::FunctionParser<Context>::parse):
1055         (JSC::Wasm::FunctionParser<Context>::parseBody):
1056         (JSC::Wasm::FunctionParser<Context>::parseBlock): Deleted.
1057         * wasm/WasmModuleParser.cpp:
1058         (JSC::Wasm::ModuleParser::parseMemory):
1059         (JSC::Wasm::ModuleParser::parseExport):
1060         * wasm/WasmPlan.cpp:
1061         (JSC::Wasm::Plan::Plan):
1062         (JSC::Wasm::Plan::run):
1063         * wasm/WasmPlan.h:
1064         * wasm/js/WebAssemblyModuleConstructor.cpp:
1065         (JSC::constructJSWebAssemblyModule):
1066
1067 2016-11-11  Saam Barati  <sbarati@apple.com>
1068
1069         Unreviewed try to fix windows build after https://bugs.webkit.org/show_bug.cgi?id=164650
1070
1071         * dfg/DFGByteCodeParser.cpp:
1072         (JSC::DFG::ByteCodeParser::parseBlock):
1073
1074 2016-11-11  Saam Barati  <sbarati@apple.com>
1075
1076         We recursively grab a lock in the DFGBytecodeParser causing us to deadlock
1077         https://bugs.webkit.org/show_bug.cgi?id=164650
1078
1079         Reviewed by Geoffrey Garen.
1080
1081         Some code was incorrectly holding a lock when recursively calling
1082         back into the bytecode parser via inlining a put_by_val as a put_by_id.
1083         This can cause a deadlock if the inlinee CodeBlock is something we're
1084         already holding a lock for. I've changed the range of the lock holder
1085         to be as narrow as possible.
1086
1087         * dfg/DFGByteCodeParser.cpp:
1088         (JSC::DFG::ByteCodeParser::parseBlock):
1089
1090 2016-11-11  Chris Dumez  <cdumez@apple.com>
1091
1092         Unreviewed, rolling out r208584.
1093
1094         Seems to have regressed Speedometer by 1% on Mac
1095
1096         Reverted changeset:
1097
1098         "We should have a more concise way of determining when we're
1099         varargs calling a function using rest parameters"
1100         https://bugs.webkit.org/show_bug.cgi?id=164258
1101         http://trac.webkit.org/changeset/208584
1102
1103 2016-11-11  Chris Dumez  <cdumez@apple.com>
1104
1105         Unreviewed, rolling out r208117 and r208160.
1106
1107         Regressed Speedometer by >1.5%
1108
1109         Reverted changesets:
1110
1111         "We should have a way of profiling when a get_by_id is pure
1112         and to emit a PureGetById in the DFG/FTL"
1113         https://bugs.webkit.org/show_bug.cgi?id=163305
1114         http://trac.webkit.org/changeset/208117
1115
1116         "Debug JSC test microbenchmarks/pure-get-by-id-cse-2.js timing
1117         out"
1118         https://bugs.webkit.org/show_bug.cgi?id=164227
1119         http://trac.webkit.org/changeset/208160
1120
1121 2016-11-11  Saam Barati  <sbarati@apple.com>
1122
1123         We should have a more concise way of determining when we're varargs calling a function using rest parameters
1124         https://bugs.webkit.org/show_bug.cgi?id=164258
1125
1126         Reviewed by Yusuke Suzuki.
1127
1128         This patch adds two new bytecodes and DFG nodes for the following code patterns:
1129
1130         ```
1131         foo(a, b, ...c)
1132         let x = [a, b, ...c];
1133         ```
1134
1135         To do this, I've introduced two new bytecode operations (and their
1136         corresponding DFG nodes):
1137
1138         op_spread and op_new_array_with_spread.
1139
1140         op_spread takes a single input and performs the ES6 iteration protocol on it.
1141         It returns the result of doing the spread inside a new class I've
1142         made called JSFixedArray. JSFixedArray is a cell with a single 'size'
1143         field and a buffer of values allocated inline in the cell. Abstracting
1144         the protocol into a single node is good because it will make IR analysis
1145         in the future much simpler. For now, it's also good because it allows
1146         us to create fast paths for array iteration (which is quite common).
1147         This fast path allows us to emit really good code for array iteration
1148         inside the DFG/FTL.
1149
1150         op_new_array_with_spread is a variable argument bytecode that also
1151         has a bit vector associated with it. The bit vector indicates if
1152         any particular argument is to be spread or not. Arguments that
1153         are spread are known to be JSFixedArray because we must emit an
1154         op_spread before op_new_array_with_spread consumes the value.
1155         For example, for this array:
1156         [a, b, ...c, d, ...e]
1157         we will have this bit vector:
1158         [0, 0, 1, 0, 1]
1159
1160         The reason I've chosen this IR is that it will make eliminating
1161         a rest allocation for this type of code much easier:
1162
1163         ```
1164         function foo(...args) {
1165             return bar(a, b, ...args);
1166         }
1167         ```
1168
1169         It will be easier to analyze the IR now that the operations
1170         will be described at a high level.
1171
1172         This patch is an ~8% speedup on ES6SampleBench on my MBP.
1173
1174         * CMakeLists.txt:
1175         * DerivedSources.make:
1176         * JavaScriptCore.xcodeproj/project.pbxproj:
1177         * builtins/IteratorHelpers.js: Added.
1178         (performIteration):
1179         * bytecode/BytecodeList.json:
1180         * bytecode/BytecodeUseDef.h:
1181         (JSC::computeUsesForBytecodeOffset):
1182         (JSC::computeDefsForBytecodeOffset):
1183         * bytecode/CodeBlock.cpp:
1184         (JSC::CodeBlock::dumpBytecode):
1185         * bytecode/ObjectPropertyConditionSet.cpp:
1186         (JSC::generateConditionForSelfEquivalence):
1187         * bytecode/ObjectPropertyConditionSet.h:
1188         * bytecode/TrackedReferences.cpp:
1189         (JSC::TrackedReferences::check):
1190         * bytecode/UnlinkedCodeBlock.h:
1191         (JSC::UnlinkedCodeBlock::bitVectors):
1192         (JSC::UnlinkedCodeBlock::bitVector):
1193         (JSC::UnlinkedCodeBlock::addBitVector):
1194         (JSC::UnlinkedCodeBlock::shrinkToFit):
1195         * bytecompiler/BytecodeGenerator.cpp:
1196         (JSC::BytecodeGenerator::emitNewArrayWithSpread):
1197         * bytecompiler/BytecodeGenerator.h:
1198         * bytecompiler/NodesCodegen.cpp:
1199         (JSC::ArrayNode::emitBytecode):
1200         * dfg/DFGAbstractInterpreterInlines.h:
1201         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1202         * dfg/DFGByteCodeParser.cpp:
1203         (JSC::DFG::ByteCodeParser::addToGraph):
1204         (JSC::DFG::ByteCodeParser::parseBlock):
1205         * dfg/DFGCapabilities.cpp:
1206         (JSC::DFG::capabilityLevel):
1207         * dfg/DFGClobberize.h:
1208         (JSC::DFG::clobberize):
1209         * dfg/DFGDoesGC.cpp:
1210         (JSC::DFG::doesGC):
1211         * dfg/DFGFixupPhase.cpp:
1212         (JSC::DFG::FixupPhase::fixupNode):
1213         (JSC::DFG::FixupPhase::watchHavingABadTime):
1214         * dfg/DFGGraph.h:
1215         (JSC::DFG::Graph::isWatchingArrayIteratorProtocolWatchpoint):
1216         * dfg/DFGNode.h:
1217         (JSC::DFG::Node::bitVector):
1218         * dfg/DFGNodeType.h:
1219         * dfg/DFGOperations.cpp:
1220         * dfg/DFGOperations.h:
1221         * dfg/DFGPredictionPropagationPhase.cpp:
1222         * dfg/DFGSafeToExecute.h:
1223         (JSC::DFG::safeToExecute):
1224         * dfg/DFGSpeculativeJIT.cpp:
1225         (JSC::DFG::SpeculativeJIT::compileSpread):
1226         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
1227         * dfg/DFGSpeculativeJIT.h:
1228         (JSC::DFG::SpeculativeJIT::callOperation):
1229         * dfg/DFGSpeculativeJIT32_64.cpp:
1230         (JSC::DFG::SpeculativeJIT::compile):
1231         * dfg/DFGSpeculativeJIT64.cpp:
1232         (JSC::DFG::SpeculativeJIT::compile):
1233         * dfg/DFGStructureRegistrationPhase.cpp:
1234         (JSC::DFG::StructureRegistrationPhase::run):
1235         * ftl/FTLAbstractHeapRepository.h:
1236         * ftl/FTLCapabilities.cpp:
1237         (JSC::FTL::canCompile):
1238         * ftl/FTLLowerDFGToB3.cpp:
1239         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1240         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
1241         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
1242         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
1243         * jit/AssemblyHelpers.h:
1244         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
1245         (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
1246         * jit/JIT.cpp:
1247         (JSC::JIT::privateCompileMainPass):
1248         * jit/JIT.h:
1249         * jit/JITOpcodes.cpp:
1250         (JSC::JIT::emit_op_new_array_with_spread):
1251         (JSC::JIT::emit_op_spread):
1252         * jit/JITOperations.h:
1253         * llint/LLIntData.cpp:
1254         (JSC::LLInt::Data::performAssertions):
1255         * llint/LLIntSlowPaths.cpp:
1256         * llint/LowLevelInterpreter.asm:
1257         * runtime/ArrayIteratorAdaptiveWatchpoint.cpp: Added.
1258         (JSC::ArrayIteratorAdaptiveWatchpoint::ArrayIteratorAdaptiveWatchpoint):
1259         (JSC::ArrayIteratorAdaptiveWatchpoint::handleFire):
1260         * runtime/ArrayIteratorAdaptiveWatchpoint.h: Added.
1261         * runtime/CommonSlowPaths.cpp:
1262         (JSC::SLOW_PATH_DECL):
1263         * runtime/CommonSlowPaths.h:
1264         * runtime/IteratorOperations.h:
1265         (JSC::forEachInIterable):
1266         * runtime/JSCInlines.h:
1267         * runtime/JSFixedArray.cpp: Added.
1268         (JSC::JSFixedArray::visitChildren):
1269         * runtime/JSFixedArray.h: Added.
1270         (JSC::JSFixedArray::createStructure):
1271         (JSC::JSFixedArray::createFromArray):
1272         (JSC::JSFixedArray::get):
1273         (JSC::JSFixedArray::buffer):
1274         (JSC::JSFixedArray::size):
1275         (JSC::JSFixedArray::offsetOfSize):
1276         (JSC::JSFixedArray::offsetOfData):
1277         (JSC::JSFixedArray::create):
1278         (JSC::JSFixedArray::JSFixedArray):
1279         (JSC::JSFixedArray::allocationSize):
1280         * runtime/JSGlobalObject.cpp:
1281         (JSC::JSGlobalObject::JSGlobalObject):
1282         (JSC::JSGlobalObject::init):
1283         (JSC::JSGlobalObject::visitChildren):
1284         (JSC::JSGlobalObject::objectPrototypeIsSane): Deleted.
1285         (JSC::JSGlobalObject::arrayPrototypeChainIsSane): Deleted.
1286         (JSC::JSGlobalObject::stringPrototypeChainIsSane): Deleted.
1287         * runtime/JSGlobalObject.h:
1288         (JSC::JSGlobalObject::arrayIteratorProtocolWatchpoint):
1289         (JSC::JSGlobalObject::iteratorProtocolFunction):
1290         * runtime/JSGlobalObjectInlines.h: Added.
1291         (JSC::JSGlobalObject::objectPrototypeIsSane):
1292         (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
1293         (JSC::JSGlobalObject::stringPrototypeChainIsSane):
1294         (JSC::JSGlobalObject::isArrayIteratorProtocolFastAndNonObservable):
1295         * runtime/JSType.h:
1296         * runtime/VM.cpp:
1297         (JSC::VM::VM):
1298         * runtime/VM.h:
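
        Added example, not JavaScriptCore code: reference semantics in plain JavaScript for the two
        bytecodes this entry (r208584) and its relanding above introduce, followed by a demonstration
        of why the Array fast path has to sit behind the array iterator protocol watchpoint. The
        function names borrow the entry's vocabulary (performIteration, op_spread,
        op_new_array_with_spread, JSFixedArray), but the code and the sample values are the
        example's own and are not what the engine executes.

```javascript
// Added example (not JavaScriptCore code). Reference semantics for op_spread and
// op_new_array_with_spread, written without any fast path.

// op_spread: run the ES iteration protocol over one operand and return a plain
// fixed-size list of the produced values (the role JSFixedArray plays in the engine).
function performIteration(iterable) {
  const method = iterable == null ? undefined : iterable[Symbol.iterator];
  if (typeof method !== 'function') throw new TypeError('operand is not iterable');
  const iterator = method.call(iterable);
  const values = [];
  for (;;) {
    const step = iterator.next();
    if (step.done) return values;
    values.push(step.value);
  }
}

// op_new_array_with_spread: operands[i] is copied element-wise when bitVector[i]
// is 1 (it must then be the output of performIteration) and pushed as a single
// value when it is 0. Indexed loops are used deliberately so that this function
// does not itself depend on Array.prototype[Symbol.iterator].
function newArrayWithSpread(operands, bitVector) {
  if (operands.length !== bitVector.length) throw new TypeError('bit vector length mismatch');
  const result = [];
  for (let i = 0; i < operands.length; i++) {
    if (bitVector[i] === 1) {
      const fixed = operands[i];
      for (let j = 0; j < fixed.length; j++) result.push(fixed[j]);
    } else {
      result.push(operands[i]);
    }
  }
  return result;
}

// [a, b, ...c, d, ...e] lowers to two op_spread (for c and e) followed by one
// op_new_array_with_spread carrying the bit vector [0, 0, 1, 0, 1].
function lowerArrayLiteral(a, b, c, d, e) {
  const operands = [a, b, performIteration(c), d, performIteration(e)];
  return newArrayWithSpread(operands, [0, 0, 1, 0, 1]);
}

// The DFG/FTL fast path skips performIteration for a plain Array, which is only
// sound while Array.prototype[Symbol.iterator] and the array iterator's next()
// are untouched; that is what ArrayIteratorAdaptiveWatchpoint watches. Patching
// the iterator changes the result of both the engine's spread and the reference.
function spreadIsObservable() {
  const arr = [1, 2, 3];  // constructed sample input
  const original = Array.prototype[Symbol.iterator];
  const before = { engine: [...arr], reference: performIteration(arr) };
  Array.prototype[Symbol.iterator] = function* () { yield 'hooked'; };
  try {
    return { before, after: { engine: [...arr], reference: performIteration(arr) } };
  } finally {
    Array.prototype[Symbol.iterator] = original;
  }
}
```

        lowerArrayLiteral(1, 2, [3, 4], 5, new Set([6, 7])) yields [1, 2, 3, 4, 5, 6, 7]; any
        iterable works as a spread operand because performIteration never special-cases Arrays.
        spreadIsObservable() returns [1, 2, 3] from both paths before the patch and ['hooked']
        from both after it, which is the observable behaviour the watchpoint exists to preserve.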
1299
1300 2016-11-10  JF Bastien  <jfbastien@apple.com>
1301
1302         ASSERTION FAILED: length > offset encountered with wasm.yaml/wasm/js-api/test_Module.js.default-wasm
1303         https://bugs.webkit.org/show_bug.cgi?id=164597
1304
1305         Reviewed by Keith Miller.
1306
1307         * wasm/WasmParser.h:
1308         (JSC::Wasm::Parser::parseVarUInt32): move closer to other parsers
1309         (JSC::Wasm::Parser::parseVarUInt64): move closer to other parsers
1310
1311 2016-11-10  Joseph Pecoraro  <pecoraro@apple.com>
1312
1313         test262: DataView / TypedArray methods should throw RangeErrors for negative numbers (ToIndex)
1314         https://bugs.webkit.org/show_bug.cgi?id=164450
1315
1316         Reviewed by Darin Adler.
1317
1318         * runtime/JSCJSValue.h:
1319         * runtime/JSCJSValueInlines.h:
1320         (JSC::JSValue::toIndex):
1321         Introduce a method for toIndex, which is used by DataView and TypedArrays
1322         to convert an argument to a number with the possibility of throwing
1323         RangeErrors for negative values. We also throw RangeErrors for large
1324         values, because wherever this is used we expect an unsigned.
1325
1326         * runtime/JSArrayBufferConstructor.cpp:
1327         (JSC::constructArrayBuffer):
1328         * runtime/JSDataViewPrototype.cpp:
1329         (JSC::getData):
1330         (JSC::setData):
1331         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1332         (JSC::constructGenericTypedArrayViewWithArguments):
1333         (JSC::constructGenericTypedArrayView):
1334         Use toIndex instead of toUint32 where required.
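
        To make the hazard concrete, here is an added C++ model (not JSC code) of the two
        conversions: ECMAScript ToUint32, which these callers used before the change, beside a
        ToIndex-style conversion that rejects negative and out-of-range values instead of
        wrapping them. The UINT32_MAX upper bound, the function names and the sample offsets
        are this example's own assumptions, chosen to match the entry's remark that every
        caller expects an unsigned.

```cpp
#include <cmath>
#include <cstdint>
#include <limits>

// ECMAScript ToUint32: NaN and infinities become 0, everything else is
// truncated and reduced modulo 2^32. This is what the DataView/TypedArray
// callers used before the change; note that -1 becomes 4294967295 and
// 4294967296 silently becomes 0.
uint32_t toUint32(double value)
{
    if (std::isnan(value) || std::isinf(value))
        return 0;
    double modulo = std::fmod(std::trunc(value), 4294967296.0); // 2^32
    if (modulo < 0)
        modulo += 4294967296.0;
    return static_cast<uint32_t>(modulo);
}

// Result of a ToIndex-style conversion: either a RangeError (modelled as a
// flag, since this example has no VM to throw into) or a usable index.
struct IndexResult {
    bool rangeError;
    uint64_t index;
};

// ToIndex-style conversion as the entry describes it: negative values and
// values too large for an unsigned are RangeErrors rather than wrapping.
// Assumption of this example: the upper bound is UINT32_MAX, matching the
// entry's remark that every caller expects an unsigned.
IndexResult toIndex(double value)
{
    if (std::isnan(value))
        return { false, 0 };             // ToInteger(NaN) is 0
    double integer = std::trunc(value);  // -0.5 truncates to -0, which is allowed
    if (integer < 0)
        return { true, 0 };              // RangeError: negative index
    if (integer > static_cast<double>(std::numeric_limits<uint32_t>::max()))
        return { true, 0 };              // RangeError: does not fit an unsigned
    return { false, static_cast<uint64_t>(integer) };
}

// A one-byte access check as a DataView getter might perform it, with the
// old conversion. A requested offset of 2^32 wraps to 0 and is accepted.
bool accessAcceptedWithToUint32(double requestedOffset, uint32_t bufferLength)
{
    uint32_t offset = toUint32(requestedOffset);
    return offset < bufferLength;
}

// The same check with toIndex: the RangeError fires before any bounds check,
// so neither negative nor wrapped offsets reach the buffer.
bool accessAcceptedWithToIndex(double requestedOffset, uint32_t bufferLength)
{
    IndexResult result = toIndex(requestedOffset);
    if (result.rangeError)
        return false;
    return result.index < bufferLength;
}
```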
1335
1336 2016-11-10  Mark Lam  <mark.lam@apple.com>
1337
1338         A few bits of minor code clean up.
1339         https://bugs.webkit.org/show_bug.cgi?id=164523
1340
1341         Reviewed by Yusuke Suzuki.
1342
1343         * interpreter/StackVisitor.cpp:
1344         (JSC::StackVisitor::Frame::dump):
1345         - Insert a space to make the dump more legible.
1346
1347         * runtime/Options.h:
1348         - Fixed some typos.
1349
1350         * runtime/StringPrototype.cpp:
1351         (JSC::stringProtoFuncReplaceUsingRegExp):
1352         (JSC::stringProtoFuncReplaceUsingStringSearch):
1353         - Use the VM& that is already available.
1354
1355 2016-11-10  Mark Lam  <mark.lam@apple.com>
1356
1357         Graph::methodOfGettingAValueProfileFor() should be returning the profile for the operand node.
1358         https://bugs.webkit.org/show_bug.cgi?id=164600
1359         <rdar://problem/28828676>
1360
1361         Reviewed by Filip Pizlo.
1362
1363         Currently, Graph::methodOfGettingAValueProfileFor() assumes that the operand DFG
1364         node that it is provided with always has a different origin than the node that is
1365         using that operand.  For example, in a DFG graph that looks like this:
1366
1367             a: ...
1368             b: ArithAdd(@a, ...)
1369
1370         ... when emitting speculation checks on @a for the ArithAdd node at @b,
1371         Graph::methodOfGettingAValueProfileFor() is passed @a, and expects @a to
1372         originate from a different bytecode than @b.  The intent here is to get the
1373         profile for @a so that the OSR exit ramp for @b can update @a's profile with the
1374         observed result type from @a so that future type prediction on incoming args for
1375         the ArithAdd node can take this into consideration.
1376
1377         However, op_negate can be compiled into the following series of nodes:
1378
1379             a: ...
1380             b: BooleanToNumber(@a)
1381             c: DoubleRep(@b)
1382             d: ArithNegate(@c)
1383
1384         All 3 nodes @b, @c, and @d map to the same op_negate bytecode, i.e. they have the
1385         same origin.  When the speculativeJIT emits a speculationCheck for DoubleRep, it
1386         calls Graph::methodOfGettingAValueProfileFor() to get the ArithProfile for the
1387         BooleanToNumber node.  But because all 3 nodes have the same origin,
1388         Graph::methodOfGettingAValueProfileFor() erroneously returns the ArithProfile for
1389         the op_negate.  Subsequently, the OSR exit ramp will modify the ArithProfile of
1390         the op_negate and corrupt its profile.  Instead, what the OSR exit ramp should be
1391         doing is updating the ArithProfile of op_negate's operand, i.e. BooleanToNumber's
1392         operand @a in this case.
1393
1394         The fix is to always pass the current node we're generating code for (in addition
1395         to the operand node) to Graph::methodOfGettingAValueProfileFor().  This way, we
1396         know the profile is valid if and only if the current node and its operand node
1397         do not have the same origin.
1398
1399         In this patch, we also fixed the following:
1400         1. Teach Graph::methodOfGettingAValueProfileFor() to get the profile for
1401            BooleanToNumber's operand if the operand node it is given is BooleanToNumber.
1402         2. Change JITCompiler::appendExceptionHandlingOSRExit() to explicitly pass an
1403            empty MethodOfGettingAValueProfile().  It was implicitly doing this before.
1404         3. Change SpeculativeJIT::emitInvalidationPoint() to pass an empty
1405            MethodOfGettingAValueProfile().  It has no child node.  Hence, it doesn't
1406            make sense to call Graph::methodOfGettingAValueProfileFor() for a child node
1407            that does not exist.
1408
1409         * dfg/DFGGraph.cpp:
1410         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
1411         * dfg/DFGGraph.h:
1412         * dfg/DFGJITCompiler.cpp:
1413         (JSC::DFG::JITCompiler::appendExceptionHandlingOSRExit):
1414         * dfg/DFGSpeculativeJIT.cpp:
1415         (JSC::DFG::SpeculativeJIT::speculationCheck):
1416         (JSC::DFG::SpeculativeJIT::emitInvalidationPoint):
1417         * ftl/FTLLowerDFGToB3.cpp:
1418         (JSC::FTL::DFG::LowerDFGToB3::appendOSRExitDescriptor):
1419
1420 2016-11-10  Aaron Chu  <aaron_chu@apple.com>
1421
1422         Web Inspector: AXI: clarify button roles (e.g. toggle or popup button)
1423         https://bugs.webkit.org/show_bug.cgi?id=130726
1424         <rdar://problem/16420420>
1425
1426         Reviewed by Brian Burg.
1427
1428         Add the isPopupButton flag to the AccessibilityProperties type.
1429
1430         * inspector/protocol/DOM.json:
1431
1432 2016-11-10  Csaba Osztrogonác  <ossy@webkit.org>
1433
1434         [ARM] Unreviewed buildfix after r208450.
1435
1436         * assembler/MacroAssemblerARM.h:
1437         (JSC::MacroAssemblerARM::load8SignedExtendTo32): Added.
1438
1439 2016-11-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1440
1441         [JSC] Avoid cloned arguments allocation in ArrayPrototype methods
1442         https://bugs.webkit.org/show_bug.cgi?id=164502
1443
1444         Reviewed by Saam Barati.
1445
1446         In many builtin functions, we use `arguments` to just get optional parameters.
1447         While FTL argument elimination can drop `arguments` allocations, it leaves
1448         the allocations in LLInt, Baseline, and DFG. And we found that DFG compiled
1449         Array#map is heavily used in ES6SampleBench/Basic. And it always creates
1450         a meaningless ClonedArguments.
1451
1452         Using ES6 default parameter here is not a solution. It increases the number
1453         of parameters of the CodeBlock (not `function.length`). And the optional
1454         parameters in Array.prototype.xxx methods are not typically passed. For
1455         example, we typically do not pass `thisArg` to `Array.prototype.map` function.
1456         In this case, the arity check frequently fails. It requires an additional C
1457         call to fix up arguments and it becomes pure overhead.
1458
1459         To solve this problem, this patch introduces a new bytecode intrinsic @argument().
1460         This offers a way to retrieve the argument value without increasing the
1461         arity of the function. And if the argument is not passed (out of bounds), it
1462         just returns `undefined`. The semantics of this intrinsic is the same as the C++
1463         ExecState::argument(). This operation does not require an `arguments` object. And we
1464         can drop the `arguments` references even in the lower 3 tiers.
1465
1466         We implement op_get_argument for this intrinsic. And later this will be converted
1467         to a DFG GetArgument node. All the tiers handle this feature.
1468
1469         This patch improves ES6SampleBench/Basic 13.8% in steady state. And in summary,
1470         it improves 4.5%.
1471
1472         In the future, we can improve the implementation of the default parameters.
1473         Currently, the default parameter always increases the arity of the function. So
1474         if you do not pass the argument, the arity check fails. But since it is the default
1475         parameter, it is likely that we don't pass the argument. Using op_get_argument to
1476         implement the default parameter can reduce the cases in which the arity check
1477         frequently fails. And it can change the builtin implementation to use the ES6
1478         default parameters instead of using the special @argument() intrinsic in the future.
1479         And in that case, the user code also receives the benefit.
1480
1481         ES6SampleBench/Basic.
1482             Baseline:
1483                 Running... Basic ( 1  to go)
1484                 firstIteration:     39.38 ms +- 4.48 ms
1485                 averageWorstCase:   20.79 ms +- 0.96 ms
1486                 steadyState:        1959.22 ms +- 65.55 ms
1487
1488             Patched:
1489                 Running... Basic ( 1  to go)
1490                 firstIteration:     37.85 ms +- 4.09 ms
1491                 averageWorstCase:   18.60 ms +- 0.76 ms
1492                 steadyState:        1721.89 ms +- 57.58 ms
1493
1494         All summary.
1495             Baseline:
1496                 summary:            164.34 ms +- 5.01 ms
1497             Patched:
1498                 summary:            157.26 ms +- 5.96 ms
1499
1500         * builtins/ArrayConstructor.js:
1501         * builtins/ArrayPrototype.js:
1502         (reduce):
1503         (reduceRight):
1504         (every):
1505         (forEach):
1506         (filter):
1507         (map):
1508         (some):
1509         (fill):
1510         (find):
1511         (findIndex):
1512         (includes):
1513         (copyWithin):
1514         * builtins/DatePrototype.js:
1515         (toLocaleString):
1516         (toLocaleDateString):
1517         (toLocaleTimeString):
1518         * builtins/MapPrototype.js:
1519         (forEach):
1520         * builtins/NumberPrototype.js:
1521         (toLocaleString):
1522         * builtins/SetPrototype.js:
1523         (forEach):
1524         * builtins/StringPrototype.js:
1525         (padStart):
1526         (padEnd):
1527         (localeCompare):
1528         * builtins/TypedArrayConstructor.js:
1529         * builtins/TypedArrayPrototype.js:
1530         (every):
1531         (fill):
1532         (find):
1533         (findIndex):
1534         (forEach):
1535         (some):
1536         (reduce):
1537         (reduceRight):
1538         (map):
1539         (filter):
1540         * bytecode/BytecodeIntrinsicRegistry.h:
1541         * bytecode/BytecodeList.json:
1542         * bytecode/BytecodeUseDef.h:
1543         (JSC::computeUsesForBytecodeOffset):
1544         (JSC::computeDefsForBytecodeOffset):
1545         * bytecode/CodeBlock.cpp:
1546         (JSC::CodeBlock::dumpBytecode):
1547         (JSC::CodeBlock::finishCreation):
1548         * bytecompiler/BytecodeGenerator.cpp:
1549         (JSC::BytecodeGenerator::emitGetArgument):
1550         * bytecompiler/BytecodeGenerator.h:
1551         * bytecompiler/NodesCodegen.cpp:
1552         (JSC::BytecodeIntrinsicNode::emit_intrinsic_argument):
1553         * dfg/DFGAbstractInterpreterInlines.h:
1554         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1555         * dfg/DFGByteCodeParser.cpp:
1556         (JSC::DFG::ByteCodeParser::parseBlock):
1557         * dfg/DFGCapabilities.cpp:
1558         (JSC::DFG::capabilityLevel):
1559         * dfg/DFGClobberize.h:
1560         (JSC::DFG::clobberize):
1561         * dfg/DFGDoesGC.cpp:
1562         (JSC::DFG::doesGC):
1563         * dfg/DFGFixupPhase.cpp:
1564         (JSC::DFG::FixupPhase::fixupNode):
1565         * dfg/DFGNode.h:
1566         (JSC::DFG::Node::hasHeapPrediction):
1567         (JSC::DFG::Node::hasArgumentIndex):
1568         (JSC::DFG::Node::argumentIndex):
1569         * dfg/DFGNodeType.h:
1570         * dfg/DFGPreciseLocalClobberize.h:
1571         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1572         * dfg/DFGPredictionPropagationPhase.cpp:
1573         * dfg/DFGSafeToExecute.h:
1574         (JSC::DFG::safeToExecute):
1575         * dfg/DFGSpeculativeJIT.cpp:
1576         (JSC::DFG::SpeculativeJIT::compileGetArgument):
1577         * dfg/DFGSpeculativeJIT.h:
1578         * dfg/DFGSpeculativeJIT32_64.cpp:
1579         (JSC::DFG::SpeculativeJIT::compile):
1580         * dfg/DFGSpeculativeJIT64.cpp:
1581         (JSC::DFG::SpeculativeJIT::compile):
1582         * ftl/FTLCapabilities.cpp:
1583         (JSC::FTL::canCompile):
1584         * ftl/FTLLowerDFGToB3.cpp:
1585         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1586         (JSC::FTL::DFG::LowerDFGToB3::compileGetArgument):
1587         * jit/JIT.cpp:
1588         (JSC::JIT::privateCompileMainPass):
1589         * jit/JIT.h:
1590         * jit/JITOpcodes.cpp:
1591         (JSC::JIT::emit_op_get_argument):
1592         * jit/JITOpcodes32_64.cpp:
1593         (JSC::JIT::emit_op_get_argument):
1594         * llint/LowLevelInterpreter32_64.asm:
1595         * llint/LowLevelInterpreter64.asm:
1596
1597 2016-11-08  Joseph Pecoraro  <pecoraro@apple.com>
1598
1599         Web Inspector: DebuggerManager.Event.Resumed introduces test flakiness
1600         https://bugs.webkit.org/show_bug.cgi?id=161951
1601         <rdar://problem/28295767>
1602
1603         Reviewed by Brian Burg.
1604
1605         This removes an ambiguity in the protocol when stepping through
1606         JavaScript. Previously, when paused and issuing a Debugger.step*
1607         command the frontend would always receive a Debugger.resumed event and
1608         then, maybe, a Debugger.paused event indicating we paused again (after
1609         stepping). However, this ambiguity means that the frontend needs to
1610         wait for a short period of time to determine if we really resumed
1611         or not. And even still that decision may be incorrect if the step
1612         takes a sufficiently long period of time.
1613
1614         The new approach removes this ambiguity. Now, in response to a
1615         Debugger.step* command the backend MUST send a single Debugger.paused
1616         event or Debugger.resumed event. Now the frontend knows that the
1617         next Debugger event it receives after issuing the step command is
1618         the result (stepped and paused, or stepped and resumed).
1619
1620         To make resuming consistent in all cases, a Debugger.resume command
1621         will always respond with a Debugger.resumed event.
1622
1623         Finally, Debugger.continueToLocation is treated like a "big step"
1624         in cases where we can resolve the location. If we can't resolve the
1625         location it is treated as a resume, maintaining the old behavior.
1626
1627         * inspector/agents/InspectorDebuggerAgent.h:
1628         * inspector/agents/InspectorDebuggerAgent.cpp:
1629         (Inspector::InspectorDebuggerAgent::stepOver):
1630         (Inspector::InspectorDebuggerAgent::stepInto):
1631         (Inspector::InspectorDebuggerAgent::stepOut):
1632         (Inspector::InspectorDebuggerAgent::willStepAndMayBecomeIdle):
1633         (Inspector::InspectorDebuggerAgent::didBecomeIdleAfterStepping):
1634         When stepping, register a VM exit observer so that we can issue
1635         a Debugger.resumed event if the step caused us to exit the VM.
1636
1637         (Inspector::InspectorDebuggerAgent::resume):
1638         Set a flag to issue a Debugger.resumed event once we break out
1639         of the nested run loop.
1640
1641         (Inspector::InspectorDebuggerAgent::didPause):
1642         We are issuing Debugger.paused, so clear the state to indicate that
1643         we no longer need to issue a Debugger.resumed event; we have paused.
1644
1645         (Inspector::InspectorDebuggerAgent::didContinue):
1646         Only issue the Debugger.resumed event if needed (explicitly asked
1647         to resume).
1648
1649         (Inspector::InspectorDebuggerAgent::continueToLocation):
1650         (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
1651         All places that do continueProgram should be audited. In error cases,
1652         if we are paused and continue we should remember to send Debugger.resumed.
1653
1654         * inspector/protocol/Debugger.json:
1655         Clarify in the protocol description the contract of these methods.
1656
1657 2016-11-09  Joseph Pecoraro  <pecoraro@apple.com>
1658
1659         Web Inspector: Associate Worker Resources with the Worker and not the Page
1660         https://bugs.webkit.org/show_bug.cgi?id=164342
1661         <rdar://problem/29075775>
1662
1663         Reviewed by Timothy Hatcher.
1664
1665         * inspector/protocol/Network.json:
1666         * inspector/protocol/Page.json:
1667         Associate Resource data with a target.
1668
1669 2016-11-09  Keith Miller  <keith_miller@apple.com>
1670
1671         jsc CLI should work with the remote inspector
1672         https://bugs.webkit.org/show_bug.cgi?id=164569
1673
1674         Reviewed by Joseph Pecoraro.
1675
1676         This patch enables using the remote inspector on the jsc CLI.
1677         In order to use the remote inspector, jsc users need to pass an option.
1678
1679         * jsc.cpp:
1680         (CommandLine::parseArguments):
1681         (runJSC):
1682
1683 2016-11-09  Saam Barati  <sbarati@apple.com>
1684
1685         Math.min()/Math.max() with no arguments is lowered incorrectly in the BytecodeParser
1686         https://bugs.webkit.org/show_bug.cgi?id=164464
1687         <rdar://problem/29131452>
1688
1689         Reviewed by Darin Adler.
1690
1691         We were incorrectly matching this pattern inside the bytecode parser
1692         to return NaN. Instead, we must return:
1693           Infinity for Math.min()
1694          -Infinity for Math.max()
1695
1696         * dfg/DFGByteCodeParser.cpp:
1697         (JSC::DFG::ByteCodeParser::handleMinMax):
1698
1699 2016-11-09  Saam Barati  <sbarati@apple.com>
1700
1701         TypeProfiler and running GC collection on another thread don't play nicely with each other
1702         https://bugs.webkit.org/show_bug.cgi?id=164441
1703         <rdar://problem/29132174>
1704
1705         Reviewed by Geoffrey Garen.
1706
1707         The fix here is simple: we now treat the type profiler log as a GC root.
1708         GC will make sure that we mark any values/structures that are in the log.
1709         It's easy to reason about the correctness of this, and it also solves
1710         the problem that we were clearing the log on the GC thread. Clearing the
1711         log on the GC thread was a problem because when we clear the log, we may
1712         allocate, which we're not allowed to do from the GC thread.
1713
1714         * heap/Heap.cpp:
1715         (JSC::Heap::markRoots):
1716         (JSC::Heap::visitTypeProfiler):
1717         (JSC::Heap::collectInThread):
1718         * heap/Heap.h:
1719         * runtime/TypeProfilerLog.cpp:
1720         (JSC::TypeProfilerLog::processLogEntries):
1721         (JSC::TypeProfilerLog::visit):
1722         * runtime/TypeProfilerLog.h:
1723
1724 2016-11-09  JF Bastien  <jfbastien@apple.com>
1725
1726         WebAssembly: Silence noisy warning
1727         https://bugs.webkit.org/show_bug.cgi?id=164459
1728
1729         Reviewed by Yusuke Suzuki.
1730
1731         * wasm/WasmPlan.cpp:
1732         (JSC::Wasm::Plan::Plan):
1733
1734 2016-11-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1735
1736         [JSC] The implementation of 8 bit operation in MacroAssembler should care about uint8_t / int8_t
1737         https://bugs.webkit.org/show_bug.cgi?id=164432
1738
1739         Reviewed by Michael Saboff.
1740
1741         Except for X86, our supported MacroAssemblers do not have native 8bit instructions.
1742         It means that all the 8bit instructions are converted to 32bit operations by using
1743         scratch registers. For example, ARM64 branch8 implementation is the following.
1744
1745             Jump branch8(RelationalCondition cond, Address left, TrustedImm32 right)
1746             {
1747                 TrustedImm32 right8(static_cast<int8_t>(right.m_value));
1748                 load8(left, getCachedMemoryTempRegisterIDAndInvalidate());
1749                 return branch32(cond, memoryTempRegister, right8);
1750             }
1751
1752         The problem is that we exclusively use the zero-extending load instruction (load8). Even
1753         for signed RelationalConditions, we do not perform sign extension. It makes signed
1754         operations with negative numbers incorrect! Consider that the |left| address holds `-1`
1755         in int8_t form. However, load8 will load it as 255 into a 32bit register. On the other hand,
1756         |right| will be sign extended. If you pass 0 as |right| and the LessThan condition, this
1757         branch8 should jump based on the answer of `-1 < 0`. But the current MacroAssembler
1758         performs `255 < 0` in int32_t context and returns the incorrect result.
1759
1760         We should follow the x86 model. So we should select the appropriate load operation and masking
1761         operation based on the RelationalCondition. This patch introduces mask8OnCondition and load8OnCondition.
1762         And we use them in 8bit operations including branch8, branchTest8, compare8, and test8.
1763
1764         We intentionally do not change anything on x86 assembler since it has the native signed 8bit operations.
1765
1766         * JavaScriptCore.xcodeproj/project.pbxproj:
1767         * assembler/AbstractMacroAssembler.h:
1768         * assembler/MacroAssembler.h:
1769         (JSC::MacroAssembler::isSigned):
1770         (JSC::MacroAssembler::isUnsigned):
1771         (JSC::MacroAssembler::branchTest8):
1772         * assembler/MacroAssemblerARM.h:
1773         (JSC::MacroAssemblerARM::branch8):
1774         (JSC::MacroAssemblerARM::branchTest8):
1775         (JSC::MacroAssemblerARM::compare8):
1776         (JSC::MacroAssemblerARM::test8):
1777         * assembler/MacroAssemblerARM64.h:
1778         (JSC::MacroAssemblerARM64::load8SignedExtendTo32):
1779         (JSC::MacroAssemblerARM64::branch8):
1780         (JSC::MacroAssemblerARM64::branchTest8):
1781         (JSC::MacroAssemblerARM64::compare8):
1782         (JSC::MacroAssemblerARM64::test8):
1783         * assembler/MacroAssemblerARMv7.h:
1784         (JSC::MacroAssemblerARMv7::branch8):
1785         (JSC::MacroAssemblerARMv7::branchTest8):
1786         (JSC::MacroAssemblerARMv7::compare8):
1787         (JSC::MacroAssemblerARMv7::test8):
1788         * assembler/MacroAssemblerHelpers.h: Added.
1789         (JSC::MacroAssemblerHelpers::isSigned):
1790         (JSC::MacroAssemblerHelpers::isUnsigned):
1791         (JSC::MacroAssemblerHelpers::mask8OnCondition):
1792         (JSC::MacroAssemblerHelpers::load8OnCondition):
1793         * assembler/MacroAssemblerMIPS.h:
1794         (JSC::MacroAssemblerMIPS::branch8):
1795         (JSC::MacroAssemblerMIPS::compare8):
1796         (JSC::MacroAssemblerMIPS::branchTest8):
1797         (JSC::MacroAssemblerMIPS::test8):
1798         * assembler/MacroAssemblerSH4.h:
1799         (JSC::MacroAssemblerSH4::branchTest8):
1800         (JSC::MacroAssemblerSH4::branch8):
1801         (JSC::MacroAssemblerSH4::compare8):
1802         (JSC::MacroAssemblerSH4::test8):
1803         * assembler/MacroAssemblerX86_64.h:
1804         (JSC::MacroAssemblerX86_64::branch8):
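
        An added C++ model (not JSC's MacroAssembler) of the bug described in this entry and of
        the load8OnCondition/mask8OnCondition fix: a byte holding -1 compared against 0 with a
        signed LessThan, first with an unconditional zero-extending load and then with the load
        and immediate chosen by the condition. The enum layout, the helper signatures and the
        constructed memory bytes are this example's own; only the names follow the entry.

```cpp
#include <cstddef>
#include <cstdint>

// Model of the MacroAssembler's RelationalCondition; names follow JSC, the
// split into signed and unsigned comparisons is the point of the exercise.
enum class RelationalCondition {
    Equal, NotEqual,
    Above, AboveOrEqual, Below, BelowOrEqual,                  // unsigned
    GreaterThan, GreaterThanOrEqual, LessThan, LessThanOrEqual // signed
};

bool isSigned(RelationalCondition cond)
{
    switch (cond) {
    case RelationalCondition::GreaterThan:
    case RelationalCondition::GreaterThanOrEqual:
    case RelationalCondition::LessThan:
    case RelationalCondition::LessThanOrEqual:
        return true;
    default:
        return false; // equality and Above/Below compare zero-extended bytes
    }
}

// Zero-extending byte load, i.e. what load8 (ARM64 ldrb) does: 0xFF -> 255.
int32_t load8(const uint8_t* memory, size_t offset)
{
    return memory[offset];
}

// Sign-extending byte load, the load8SignedExtendTo32 the patch adds: 0xFF -> -1.
int32_t load8SignedExtendTo32(const uint8_t* memory, size_t offset)
{
    return static_cast<int8_t>(memory[offset]);
}

// The fix, part one: choose the load by the signedness of the comparison...
int32_t load8OnCondition(RelationalCondition cond, const uint8_t* memory, size_t offset)
{
    return isSigned(cond) ? load8SignedExtendTo32(memory, offset) : load8(memory, offset);
}

// ...and part two: narrow the immediate the same way, so both operands sit in
// the same 8-bit domain before the 32-bit compare.
int32_t mask8OnCondition(RelationalCondition cond, int32_t imm)
{
    return isSigned(cond) ? static_cast<int8_t>(imm) : (imm & 0xff);
}

// Model of branch32: true when the branch would be taken.
bool compare32(RelationalCondition cond, int32_t left, int32_t right)
{
    uint32_t uleft = static_cast<uint32_t>(left);
    uint32_t uright = static_cast<uint32_t>(right);
    switch (cond) {
    case RelationalCondition::Equal:              return left == right;
    case RelationalCondition::NotEqual:           return left != right;
    case RelationalCondition::Above:              return uleft > uright;
    case RelationalCondition::AboveOrEqual:       return uleft >= uright;
    case RelationalCondition::Below:              return uleft < uright;
    case RelationalCondition::BelowOrEqual:       return uleft <= uright;
    case RelationalCondition::GreaterThan:        return left > right;
    case RelationalCondition::GreaterThanOrEqual: return left >= right;
    case RelationalCondition::LessThan:           return left < right;
    case RelationalCondition::LessThanOrEqual:    return left <= right;
    }
    return false;
}

// The pre-patch shape quoted in the entry: zero-extended load, sign-extended
// immediate, regardless of the condition.
bool branch8Before(RelationalCondition cond, const uint8_t* memory, size_t offset, int32_t imm)
{
    int32_t right8 = static_cast<int8_t>(imm);
    return compare32(cond, load8(memory, offset), right8);
}

// The post-patch shape: load and immediate both follow the condition.
bool branch8After(RelationalCondition cond, const uint8_t* memory, size_t offset, int32_t imm)
{
    int32_t right8 = mask8OnCondition(cond, imm);
    return compare32(cond, load8OnCondition(cond, memory, offset), right8);
}

// Constructed memory for the walk-through: byte 0 holds -1 (0xFF), byte 1 holds 127.
static const uint8_t kMemory[2] = { 0xFF, 0x7F };

// The entry's case: signed LessThan of the -1 byte against 0.
bool minusOneLessThanZeroBefore() { return branch8Before(RelationalCondition::LessThan, kMemory, 0, 0); }
bool minusOneLessThanZeroAfter()  { return branch8After(RelationalCondition::LessThan, kMemory, 0, 0); }
```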
1805
1806 2016-11-08  Geoffrey Garen  <ggaren@apple.com>
1807
1808         REGRESSION: date-format-tofte.js is super slow
1809         https://bugs.webkit.org/show_bug.cgi?id=164499
1810
1811         Reviewed by Sam Weinig.
1812
1813         * bytecode/EvalCodeCache.h:
1814         (JSC::EvalCodeCache::CacheKey::operator==): Use character comparison,
1815         not pointer comparison. (This function was always wrong, but I started
1816         calling it in more places.)
1817
1818 2016-11-08  Saam Barati  <sbarati@apple.com>
1819
1820         REGRESSION: Crashes in StringImpl destructor during GC when clearing the HasOwnPropertyCache
1821         https://bugs.webkit.org/show_bug.cgi?id=164433
1822
1823         Reviewed by Mark Lam.
1824
1825         Clearing the HasOwnPropertyCache will call deref() on the StringImpls
1826         in the cache. We were doing this from the collector thread, which is
1827         not allowed. It must be done from the mutator thread. We now clear the
1828         cache in Heap::finalize() which happens before the mutator begins
1829         executing JS after a collection happens.
1830
1831         * heap/Heap.cpp:
1832         (JSC::Heap::collectInThread):
1833         (JSC::Heap::finalize):
1834
1835 2016-11-05  Konstantin Tokarev  <annulen@yandex.ru>
1836
1837         Fixed compilation of LLInt with MinGW
1838         https://bugs.webkit.org/show_bug.cgi?id=164449
1839
1840         Reviewed by Michael Catanzaro.
1841
1842         MinGW uses LLIntAssembly.h with GNU assembler syntax, just like GCC on
1843         other platforms.
1844
1845         * llint/LowLevelInterpreter.cpp: Include LLIntAssembly.h with
1846         appropriate preamble.
1847
1848 2016-11-04  Filip Pizlo  <fpizlo@apple.com>
1849
1850         WTF::ParkingLot should stop using std::chrono because std::chrono::duration casts are prone to overflows
1851         https://bugs.webkit.org/show_bug.cgi?id=152045
1852
1853         Reviewed by Andy Estes.
1854         
1855         Probably the nicest example of why this patch is a good idea is the change in
1856         AtomicsObject.cpp.
1857
1858         * jit/ICStats.cpp:
1859         (JSC::ICStats::ICStats):
1860         * runtime/AtomicsObject.cpp:
1861         (JSC::atomicsFuncWait):
1862
1863 2016-11-04  JF Bastien  <jfbastien@apple.com>
1864
1865         testWASM should be very sad if no options are provided
1866         https://bugs.webkit.org/show_bug.cgi?id=164444
1867
1868         Reviewed by Saam Barati.
1869
1870         Detect missing or invalid options on the command line.
1871
1872         * testWasm.cpp:
1873         (CommandLine::parseArguments):
1874
1875 2016-11-04  Mark Lam  <mark.lam@apple.com>
1876
1877         Error description code should be able to handle Symbol values.
1878         https://bugs.webkit.org/show_bug.cgi?id=164436
1879         <rdar://problem/29115583>
1880
1881         Reviewed by Filip Pizlo and Saam Barati.
1882
1883         Previously, we tried to toString() the Symbol value, resulting in it throwing an
1884         exception in errorDescriptionForValue(), which breaks the invariant that
1885         errorDescriptionForValue() should not throw.
1886
1887         We fixed this by making errorDescriptionForValue() aware of the Symbol type, and
1888         not do a toString() on Symbol values.  Also fixed notAFunctionSourceAppender()
1889         to build a nicer message for Symbol values.
1890
1891         * runtime/ExceptionHelpers.cpp:
1892         (JSC::errorDescriptionForValue):
1893         (JSC::notAFunctionSourceAppender):
1894
1895 2016-11-02  Geoffrey Garen  <ggaren@apple.com>
1896
1897         EvalCodeCache should not give up in strict mode and other cases
1898         https://bugs.webkit.org/show_bug.cgi?id=164357
1899
1900         Reviewed by Michael Saboff.
1901
1902         EvalCodeCache gives up in non-trivial cases because generated eval code
1903         can't soundly migrate from, for example, a let scope to a non-let scope.
1904         The number of cases has grown over time.
1905
1906         Instead, let's cache eval code based on the location of the call to
1907         eval(). That way, we never relocate the code, and it's sound to make
1908         normal assumptions about our surrounding scope.
1909
1910         * bytecode/EvalCodeCache.h:
1911         (JSC::EvalCodeCache::CacheKey::CacheKey): Use CallSiteIndex to uniquely
1912         identify the location of our call to eval().
1913
1914         (JSC::EvalCodeCache::CacheKey::hash):
1915         (JSC::EvalCodeCache::CacheKey::operator==):
1916         (JSC::EvalCodeCache::CacheKey::Hash::equal): Use CallSiteIndex instead
1917         of lots of other flags.
1918
1919         (JSC::EvalCodeCache::tryGet): No need to include details that are implied
1920         by our CallSiteIndex.
1921
1922         (JSC::EvalCodeCache::getSlow): No need to skip caching in complex
1923         situations. We promise we'll never relocate the cached code.
1924
1925         (JSC::EvalCodeCache::isCacheableScope): Deleted.
1926         (JSC::EvalCodeCache::isCacheable): Deleted.
1927
1928         * interpreter/Interpreter.cpp:
1929         (JSC::eval): Pass through a CallSiteIndex to uniquely identify this call
1930         to eval().
1931
1932 2016-11-04  Keith Miller  <keith_miller@apple.com>
1933
1934         Add support for Wasm br_table
1935         https://bugs.webkit.org/show_bug.cgi?id=164429
1936
1937         Reviewed by Michael Saboff.
1938
1939         This patch adds support for Wasm br_table. The Wasm br_table
1940         opcode essentially directly maps to B3's switch opcode.
1941
1942         There are also three other minor changes:
1943         1) all non-argument locals should be initialized to zero at function entry.
1944         2) add new setErrorMessage member to WasmFunctionParser.h
1945         3) return does not decode an extra immediate anymore.
1946
1947         * testWasm.cpp:
1948         (runWasmTests):
1949         * wasm/WasmB3IRGenerator.cpp:
1950         * wasm/WasmFunctionParser.h:
1951         (JSC::Wasm::FunctionParser::setErrorMessage):
1952         (JSC::Wasm::FunctionParser<Context>::parseExpression):
1953         (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
1954         (JSC::Wasm::FunctionParser<Context>::popExpressionStack):
1955         * wasm/WasmValidate.cpp:
1956         (JSC::Wasm::Validate::checkBranchTarget):
1957         (JSC::Wasm::Validate::addBranch):
1958         (JSC::Wasm::Validate::addSwitch):
1959
1960 2016-11-04  JF Bastien  <jfbastien@apple.com>
1961
1962         WebAssembly JS API: implement more sections
1963         https://bugs.webkit.org/show_bug.cgi?id=164023
1964
1965         Reviewed by Keith Miller.
1966
1967         On the JSC side:
1968
1969          - Put in parser stubs for all WebAssembly sections.
1970          - Parse Import, Export sections.
1971          - Use tryReserveCapacity instead of reserve, and bail out of the parser if it fails. This prevents the parser from bringing everything down when faced with a malicious input.
1972          - Encapsulate all parsed module information into its own structure, making it easier to pass around (from parser to Plan to Module to Instance).
1973          - Create WasmFormat.cpp to hold parsed module information's dtor to avoid including WasmMemory.h needlessly.
1974          - Remove all remainders of polyfill-prototype-1, and update license.
1975          - Add missing WasmOps.h and WasmValidateInlines.h auto-generation for cmake build.
1976
1977         On the Builder.js testing side:
1978
1979          - Implement Type, Import (function only), Export (function only) sections.
1980          - Check section order and uniqueness.
1981          - Optionally auto-generate the Type section from subsequent Export / Import / Code entries.
1982          - Allow re-exporting an import.
1983
1984         * CMakeLists.txt: missing auto-generation
1985         * JavaScriptCore.xcodeproj/project.pbxproj: merge conflict
1986         * testWasm.cpp: update for API changes, no functional change
1987         (checkPlan):
1988         (runWasmTests):
1989         * wasm/WasmFormat.cpp: add a dtor which requires extra headers which I'd rather not include in WasmFormat.h
1990         (JSC::Wasm::ModuleInformation::~ModuleInformation):
1991         * wasm/WasmFormat.h: Add External, Import, FunctionInformation, Export, ModuleInformation, CompiledFunction, and remove obsolete stuff which was a holdover from the first implementation (all that code is now gone, so remove its license)
1992         (JSC::Wasm::External::isValid):
1993         * wasm/WasmModuleParser.cpp: simplify some, make names consistent with the WebAssembly section names, check memory allocations so they can fail early
1994         (JSC::Wasm::ModuleParser::parse):
1995         (JSC::Wasm::ModuleParser::parseType):
1996         (JSC::Wasm::ModuleParser::parseImport):
1997         (JSC::Wasm::ModuleParser::parseFunction):
1998         (JSC::Wasm::ModuleParser::parseTable):
1999         (JSC::Wasm::ModuleParser::parseMemory):
2000         (JSC::Wasm::ModuleParser::parseGlobal):
2001         (JSC::Wasm::ModuleParser::parseExport):
2002         (JSC::Wasm::ModuleParser::parseStart):
2003         (JSC::Wasm::ModuleParser::parseElement):
2004         (JSC::Wasm::ModuleParser::parseCode): avoid overflow through function size.
2005         (JSC::Wasm::ModuleParser::parseData):
2006         * wasm/WasmModuleParser.h:
2007         (JSC::Wasm::ModuleParser::moduleInformation):
2008         * wasm/WasmParser.h:
2009         (JSC::Wasm::Parser::consumeUTF8String): add as required by spec
2010         (JSC::Wasm::Parser::parseExternalKind): add as per spec
2011         * wasm/WasmPlan.cpp:
2012         (JSC::Wasm::Plan::Plan): fix some ownership, improve some error messages
2013         * wasm/WasmPlan.h: fix some ownership
2014         (JSC::Wasm::Plan::getModuleInformation):
2015         (JSC::Wasm::Plan::getMemory):
2016         (JSC::Wasm::Plan::compiledFunctionCount):
2017         (JSC::Wasm::Plan::compiledFunction):
2018         (JSC::Wasm::Plan::getCompiledFunctions):
2019         * wasm/WasmSections.h: macroize with description, so that error messages are super pretty. This could be auto-generated.
2020         * wasm/js/JSWebAssemblyModule.cpp:
2021         (JSC::JSWebAssemblyModule::create): take module information
2022         (JSC::JSWebAssemblyModule::JSWebAssemblyModule): ditto
2023         * wasm/js/JSWebAssemblyModule.h:
2024         (JSC::JSWebAssemblyModule::moduleInformation):
2025         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2026         (JSC::constructJSWebAssemblyInstance): check that modules with imports are instantiated with an import object, as per spec. This needs to be tested.
2027         * wasm/js/WebAssemblyMemoryConstructor.cpp:
2028         (JSC::constructJSWebAssemblyMemory):
2029         * wasm/js/WebAssemblyModuleConstructor.cpp:
2030         (JSC::constructJSWebAssemblyModule):
2031         * wasm/js/WebAssemblyTableConstructor.cpp:
2032         (JSC::constructJSWebAssemblyTable):
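
The defensive points in this entry (bail out when a reservation cannot be honoured, and check body sizes without overflowing) as an added, constructed example rather than JSC's own parser; the section layout, the ParseError values and the ByteReader helper are assumptions made for the example:

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <new>
#include <vector>

// Constructed example, not JSC's parser: a code section is a LEB128 entry count
// followed by `count` bodies, each a LEB128 size and that many bytes.
enum class ParseError { None, BadLEB, TooManyEntries, OutOfMemory, Truncated };

struct FunctionBody {
    size_t start; // offset of the first body byte in the buffer
    size_t size;  // declared size, already checked to lie inside the buffer
};

struct ParseResult {
    ParseError error;
    std::vector<FunctionBody> bodies;
};

// Minimal cursor over an immutable byte buffer.
class ByteReader {
public:
    explicit ByteReader(const std::vector<uint8_t>& bytes) : m_bytes(bytes) { }

    size_t offset() const { return m_offset; }
    size_t remaining() const { return m_bytes.size() - m_offset; }
    void skip(size_t n) { m_offset += n; } // caller has checked n <= remaining()

    // Unsigned LEB128 limited to 32 bits: at most five bytes, and the fifth byte
    // may carry only four payload bits. Anything else is rejected, never wrapped.
    bool readVarUInt32(uint32_t& value)
    {
        value = 0;
        for (unsigned shift = 0; shift <= 28; shift += 7) {
            if (m_offset >= m_bytes.size())
                return false; // truncated in the middle of a number
            uint8_t byte = m_bytes[m_offset++];
            if (shift == 28 && (byte & 0xF0))
                return false; // would exceed 32 bits or run past five bytes
            value |= uint32_t(byte & 0x7F) << shift;
            if (!(byte & 0x80))
                return true;
        }
        return false;
    }

private:
    const std::vector<uint8_t>& m_bytes;
    size_t m_offset { 0 };
};

ParseResult parseCodeSection(const std::vector<uint8_t>& bytes)
{
    ParseResult result { ParseError::None, {} };
    ByteReader reader(bytes);

    uint32_t count;
    if (!reader.readVarUInt32(count))
        return { ParseError::BadLEB, {} };

    // Every entry needs at least one byte for its size prefix, so a count larger
    // than the remaining input cannot be honest. Refuse it before reserving, so a
    // hostile count never turns into a huge allocation.
    if (count > reader.remaining())
        return { ParseError::TooManyEntries, {} };

    // Analogue of tryReserveCapacity: treat allocation failure as a parse error
    // instead of letting it take the whole process down.
    try {
        result.bodies.reserve(count);
    } catch (const std::bad_alloc&) {
        return { ParseError::OutOfMemory, {} };
    }

    for (uint32_t i = 0; i < count; ++i) {
        uint32_t size;
        if (!reader.readVarUInt32(size))
            return { ParseError::BadLEB, {} };
        // Compare against what is left rather than computing offset + size, which
        // can wrap on a 32-bit size_t and make an out-of-bounds body look in-bounds.
        if (size > reader.remaining())
            return { ParseError::Truncated, {} };
        result.bodies.push_back({ reader.offset(), size });
        reader.skip(size);
    }
    return result;
}

int main()
{
    // Constructed input: two bodies of 3 and 1 bytes, then a hostile count.
    ParseResult ok = parseCodeSection({ 0x02, 0x03, 0x01, 0x02, 0x03, 0x01, 0x0b });
    ParseResult hostile = parseCodeSection({ 0xff, 0xff, 0xff, 0xff, 0x0f });
    std::printf("well-formed: %zu bodies, hostile count rejected: %s\n",
        ok.bodies.size(), hostile.error == ParseError::TooManyEntries ? "yes" : "no");
    return 0;
}
```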
2033
2034 2016-11-03  Mark Lam  <mark.lam@apple.com>
2035
2036         ClonedArguments need to also support haveABadTime mode.
2037         https://bugs.webkit.org/show_bug.cgi?id=164200
2038         <rdar://problem/27211336>
2039
2040         Reviewed by Geoffrey Garen.
2041
2042         For those who are not familiar with the parlance, "have a bad time" in the VM
2043         means that Object.prototype has been modified in such a way that we can no longer
2044         trivially do indexed property accesses without consulting the Object.prototype.
2045         This defeats JIT indexed put optimizations, and hence, makes the VM "have a
2046         bad time".
2047
2048         Once the VM enters haveABadTime mode, all existing objects are converted to use
2049         slow put storage.  Thereafter, JSArrays are always created with slow put storage.
2050         JSObjects are always created with a blank indexing type.  When a new indexed
2051         property is put into the new object, its indexing type will be converted to the
2052         slow put array indexing type just before we perform the put operation.  This is
2053         how we ensure that the objects will also use slow put storage.
2054
2055         However, ClonedArguments is an object which was previously created unconditionally
2056         to use contiguous storage.  Subsequently, if we try to call Object.preventExtensions()
2057         on that ClonedArguments object, Object.preventExtensions() will:
2058         1. make the ClonedArguments enter dictionary indexing mode, which means it will
2059         2. first ensure that the ClonedArguments is using slow put array storage via
2060            JSObject::ensureArrayStorageSlow().
2061
2062         However, JSObject::ensureArrayStorageSlow() expects that we never see an object
2063         with contiguous storage once we're in haveABadTime mode.  Our ClonedArguments
2064         object did not obey this invariant.
2065
2066         The fix is to make the ClonedArguments factories create objects that use slow put
2067         array storage when in haveABadTime mode.  This means:
2068
2069         1. JSGlobalObject::haveABadTime() now changes m_clonedArgumentsStructure to use
2070            its slow put version.
2071
2072            Also changed the caching of the slow put version of m_regExpMatchesArrayStructure,
2073            because we only need to create it when we are having a bad time.
2074
2075         2. The ClonedArguments factories now allocate a butterfly with slow put array
2076            storage if we're in haveABadTime mode.
2077
2078            Also added some assertions in ClonedArguments' factory methods to ensure that
2079            the created object has the slow put indexing type when it needsSlowPutIndexing().
2080
2081         3. DFGFixupPhase now watches the havingABadTimeWatchpoint because ClonedArguments'
2082            structure will change when having a bad time.
2083
2084         4. DFGArgumentEliminationPhase and DFGVarargsForwardingPhase need not be changed
2085            because it is still valid to eliminate the creation of the arguments object
2086            even when having a bad time, as long as the arguments object does not escape.
2087
2088         5. The DFGAbstractInterpreterInlines now checks for haveABadTime, and sets the
2089            predicted type to be SpecObject.
2090
2091         Note: this issue does not apply to DirectArguments and ScopedArguments because
2092         they use a blank indexing type (just like JSObject).
2093
2094         * dfg/DFGAbstractInterpreterInlines.h:
2095         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2096         * dfg/DFGArrayMode.cpp:
2097         (JSC::DFG::ArrayMode::dump):
2098         * dfg/DFGFixupPhase.cpp:
2099         (JSC::DFG::FixupPhase::fixupNode):
2100         * runtime/ClonedArguments.cpp:
2101         (JSC::ClonedArguments::createEmpty):
2102         (JSC::ClonedArguments::createWithInlineFrame):
2103         (JSC::ClonedArguments::createWithMachineFrame):
2104         (JSC::ClonedArguments::createByCopyingFrom):
2105         (JSC::ClonedArguments::createStructure):
2106         (JSC::ClonedArguments::createSlowPutStructure):
2107         * runtime/ClonedArguments.h:
2108         * runtime/JSGlobalObject.cpp:
2109         (JSC::JSGlobalObject::init):
2110         (JSC::JSGlobalObject::haveABadTime):
2111         (JSC::JSGlobalObject::visitChildren):
2112         * runtime/JSGlobalObject.h:
2113
2114 2016-11-03  Filip Pizlo  <fpizlo@apple.com>
2115
2116         DFG plays fast and loose with the shadow values of a Phi
2117         https://bugs.webkit.org/show_bug.cgi?id=164309
2118
2119         Reviewed by Saam Barati.
2120         
2121         Oh boy, what an embarrassing mistake! The style of SSA I like to use avoids block/value
2122         tuples as parameters of a Phi, thereby simplifying CFG transformations and making Phi largely
2123         not a special case for most compiler transforms. It does this by introducing another value
2124         called Upsilon, which stores a value into some Phi.
2125         
2126         B3 uses this also. The easiest way to understand what Upsilon/Phi behave like is to look at
2127         the B3->Air lowering. Air is not SSA - it has Tmps that you can assign to and use as many
2128         times as you like. B3 allocates one Tmp per Value, and an extra "phiTmp" for Phis, so that
2129         Phis get two Tmps total. Upsilon stores the value into the phiTmp of the Phi, while Phi moves
2130         the value from its phiTmp to its tmp.
2131         
2132         This is necessary to support scenarios like this:
2133         
2134             a: Phi()
2135             b: Upsilon(@x, ^a)
2136             c: Use(@a)
2137         
2138         Here, we want @c to see @a's value before @b. That's a very basic requirement of SSA: that
2139         the a value (like @a) doesn't change during its lifetime.
2140         
2141         Unfortunately, DFG's liveness analysis, abstract interpreter, and integer range optimization
2142         all failed to correctly model Upsilon/Phi this way. They would assume that it's accurate to
2143         model the Upsilon as storing into the Phi directly.
2144         
2145         Because DFG does flow analysis over SSA, making it correct means enabling it to speak of the
2146         shadow value. This change addresses this problem by introducing the concept of a
2147         NodeFlowProjection. This is a key that lets us speak of both a Node's primary value and its
2148         optional "shadow" value. Liveness, AI, and integer range are now keyed by NodeFlowProjection
2149         rather than Node*. Conceptually this turns out to be a very simple change, but it does touch
2150         a good amount of code.
2151         
2152         This looks to be perf-neutral.
2153
2154         Rolled back in after fixing the debug build.
2155
2156         * CMakeLists.txt:
2157         * JavaScriptCore.xcodeproj/project.pbxproj:
2158         * b3/air/AirLiveness.h:
2159         (JSC::B3::Air::TmpLivenessAdapter::numIndices):
2160         (JSC::B3::Air::StackSlotLivenessAdapter::numIndices):
2161         (JSC::B3::Air::RegLivenessAdapter::numIndices):
2162         (JSC::B3::Air::AbstractLiveness::AbstractLiveness):
2163         (JSC::B3::Air::TmpLivenessAdapter::maxIndex): Deleted.
2164         (JSC::B3::Air::StackSlotLivenessAdapter::maxIndex): Deleted.
2165         (JSC::B3::Air::RegLivenessAdapter::maxIndex): Deleted.
2166         * dfg/DFGAbstractInterpreter.h:
2167         (JSC::DFG::AbstractInterpreter::forNode):
2168         * dfg/DFGAbstractInterpreterInlines.h:
2169         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2170         (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
2171         (JSC::DFG::AbstractInterpreter<AbstractStateType>::dump):
2172         * dfg/DFGAtTailAbstractState.cpp:
2173         (JSC::DFG::AtTailAbstractState::createValueForNode):
2174         (JSC::DFG::AtTailAbstractState::forNode):
2175         * dfg/DFGAtTailAbstractState.h:
2176         * dfg/DFGBasicBlock.h:
2177         * dfg/DFGCombinedLiveness.cpp:
2178         (JSC::DFG::liveNodesAtHead):
2179         * dfg/DFGCombinedLiveness.h:
2180         * dfg/DFGFlowIndexing.cpp: Added.
2181         (JSC::DFG::FlowIndexing::FlowIndexing):
2182         (JSC::DFG::FlowIndexing::~FlowIndexing):
2183         (JSC::DFG::FlowIndexing::recompute):
2184         * dfg/DFGFlowIndexing.h: Added.
2185         (JSC::DFG::FlowIndexing::graph):
2186         (JSC::DFG::FlowIndexing::numIndices):
2187         (JSC::DFG::FlowIndexing::index):
2188         (JSC::DFG::FlowIndexing::shadowIndex):
2189         (JSC::DFG::FlowIndexing::nodeProjection):
2190         * dfg/DFGFlowMap.h: Added.
2191         (JSC::DFG::FlowMap::FlowMap):
2192         (JSC::DFG::FlowMap::resize):
2193         (JSC::DFG::FlowMap::graph):
2194         (JSC::DFG::FlowMap::at):
2195         (JSC::DFG::FlowMap::atShadow):
2196         (WTF::printInternal):
2197         * dfg/DFGGraph.cpp:
2198         (JSC::DFG::Graph::Graph):
2199         * dfg/DFGGraph.h:
2200         (JSC::DFG::Graph::abstractValuesCache): Deleted.
2201         * dfg/DFGInPlaceAbstractState.cpp:
2202         (JSC::DFG::InPlaceAbstractState::InPlaceAbstractState):
2203         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
2204         (JSC::DFG::setLiveValues):
2205         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
2206         (JSC::DFG::InPlaceAbstractState::merge):
2207         * dfg/DFGInPlaceAbstractState.h:
2208         (JSC::DFG::InPlaceAbstractState::createValueForNode):
2209         (JSC::DFG::InPlaceAbstractState::forNode):
2210         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
2211         * dfg/DFGLivenessAnalysisPhase.cpp:
2212         (JSC::DFG::LivenessAnalysisPhase::LivenessAnalysisPhase):
2213         (JSC::DFG::LivenessAnalysisPhase::run):
2214         (JSC::DFG::LivenessAnalysisPhase::processBlock):
2215         (JSC::DFG::LivenessAnalysisPhase::addChildUse): Deleted.
2216         * dfg/DFGNode.h:
2217         (JSC::DFG::NodeComparator::operator()):
2218         (JSC::DFG::nodeListDump):
2219         (JSC::DFG::nodeMapDump):
2220         (JSC::DFG::nodeValuePairListDump):
2221         (JSC::DFG::nodeComparator): Deleted.
2222         * dfg/DFGNodeAbstractValuePair.cpp: Added.
2223         (JSC::DFG::NodeAbstractValuePair::dump):
2224         * dfg/DFGNodeAbstractValuePair.h: Added.
2225         (JSC::DFG::NodeAbstractValuePair::NodeAbstractValuePair):
2226         * dfg/DFGNodeFlowProjection.cpp: Added.
2227         (JSC::DFG::NodeFlowProjection::dump):
2228         * dfg/DFGNodeFlowProjection.h: Added.
2229         (JSC::DFG::NodeFlowProjection::NodeFlowProjection):
2230         (JSC::DFG::NodeFlowProjection::operator bool):
2231         (JSC::DFG::NodeFlowProjection::kind):
2232         (JSC::DFG::NodeFlowProjection::node):
2233         (JSC::DFG::NodeFlowProjection::operator*):
2234         (JSC::DFG::NodeFlowProjection::operator->):
2235         (JSC::DFG::NodeFlowProjection::hash):
2236         (JSC::DFG::NodeFlowProjection::operator==):
2237         (JSC::DFG::NodeFlowProjection::operator!=):
2238         (JSC::DFG::NodeFlowProjection::operator<):
2239         (JSC::DFG::NodeFlowProjection::operator>):
2240         (JSC::DFG::NodeFlowProjection::operator<=):
2241         (JSC::DFG::NodeFlowProjection::operator>=):
2242         (JSC::DFG::NodeFlowProjection::isHashTableDeletedValue):
2243         (JSC::DFG::NodeFlowProjection::isStillValid):
2244         (JSC::DFG::NodeFlowProjection::forEach):
2245         (JSC::DFG::NodeFlowProjectionHash::hash):
2246         (JSC::DFG::NodeFlowProjectionHash::equal):
2247         * dfg/DFGStoreBarrierInsertionPhase.cpp:
2248
2249 2016-11-03  Commit Queue  <commit-queue@webkit.org>
2250
2251         Unreviewed, rolling out r208364.
2252         https://bugs.webkit.org/show_bug.cgi?id=164402
2253
2254         broke the build (Requested by smfr on #webkit).
2255
2256         Reverted changeset:
2257
2258         "DFG plays fast and loose with the shadow values of a Phi"
2259         https://bugs.webkit.org/show_bug.cgi?id=164309
2260         http://trac.webkit.org/changeset/208364
2261
2262 2016-11-03  Filip Pizlo  <fpizlo@apple.com>
2263
2264         DFG plays fast and loose with the shadow values of a Phi
2265         https://bugs.webkit.org/show_bug.cgi?id=164309
2266
2267         Reviewed by Saam Barati.
2268         
2269         Oh boy, what an embarrassing mistake! The style of SSA I like to use avoids block/value
2270         tuples as parameters of a Phi, thereby simplifying CFG transformations and making Phi largely
2271         not a special case for most compiler transforms. It does this by introducing another value
2272         called Upsilon, which stores a value into some Phi.
2273         
2274         B3 uses this also. The easiest way to understand what Upsilon/Phi behave like is to look at
2275         the B3->Air lowering. Air is not SSA - it has Tmps that you can assign to and use as many
2276         times as you like. B3 allocates one Tmp per Value, and an extra "phiTmp" for Phis, so that
2277         Phis get two Tmps total. Upsilon stores the value into the phiTmp of the Phi, while Phi moves
2278         the value from its phiTmp to its tmp.
2279         
2280         This is necessary to support scenarios like this:
2281         
2282             a: Phi()
2283             b: Upsilon(@x, ^a)
2284             c: Use(@a)
2285         
2286         Here, we want @c to see @a's value before @b. That's a very basic requirement of SSA: that
2287         the a value (like @a) doesn't change during its lifetime.
2288         
2289         Unfortunately, DFG's liveness analysis, abstract interpreter, and integer range optimization
2290         all failed to correctly model Upsilon/Phi this way. They would assume that it's accurate to
2291         model the Upsilon as storing into the Phi directly.
2292         
2293         Because DFG does flow analysis over SSA, making it correct means enabling it to speak of the
2294         shadow value. This change addresses this problem by introducing the concept of a
2295         NodeFlowProjection. This is a key that lets us speak of both a Node's primary value and its
2296         optional "shadow" value. Liveness, AI, and integer range are now keyed by NodeFlowProjection
2297         rather than Node*. Conceptually this turns out to be a very simple change, but it does touch
2298         a good amount of code.
2299         
2300         This looks to be perf-neutral.
2301
2302         * CMakeLists.txt:
2303         * JavaScriptCore.xcodeproj/project.pbxproj:
2304         * b3/air/AirLiveness.h:
2305         (JSC::B3::Air::TmpLivenessAdapter::numIndices):
2306         (JSC::B3::Air::StackSlotLivenessAdapter::numIndices):
2307         (JSC::B3::Air::RegLivenessAdapter::numIndices):
2308         (JSC::B3::Air::AbstractLiveness::AbstractLiveness):
2309         (JSC::B3::Air::TmpLivenessAdapter::maxIndex): Deleted.
2310         (JSC::B3::Air::StackSlotLivenessAdapter::maxIndex): Deleted.
2311         (JSC::B3::Air::RegLivenessAdapter::maxIndex): Deleted.
2312         * dfg/DFGAbstractInterpreter.h:
2313         (JSC::DFG::AbstractInterpreter::forNode):
2314         * dfg/DFGAbstractInterpreterInlines.h:
2315         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2316         (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
2317         (JSC::DFG::AbstractInterpreter<AbstractStateType>::dump):
2318         * dfg/DFGAtTailAbstractState.cpp:
2319         (JSC::DFG::AtTailAbstractState::createValueForNode):
2320         (JSC::DFG::AtTailAbstractState::forNode):
2321         * dfg/DFGAtTailAbstractState.h:
2322         * dfg/DFGBasicBlock.h:
2323         * dfg/DFGCombinedLiveness.cpp:
2324         (JSC::DFG::liveNodesAtHead):
2325         * dfg/DFGCombinedLiveness.h:
2326         * dfg/DFGFlowIndexing.cpp: Added.
2327         (JSC::DFG::FlowIndexing::FlowIndexing):
2328         (JSC::DFG::FlowIndexing::~FlowIndexing):
2329         (JSC::DFG::FlowIndexing::recompute):
2330         * dfg/DFGFlowIndexing.h: Added.
2331         (JSC::DFG::FlowIndexing::graph):
2332         (JSC::DFG::FlowIndexing::numIndices):
2333         (JSC::DFG::FlowIndexing::index):
2334         (JSC::DFG::FlowIndexing::shadowIndex):
2335         (JSC::DFG::FlowIndexing::nodeProjection):
2336         * dfg/DFGFlowMap.h: Added.
2337         (JSC::DFG::FlowMap::FlowMap):
2338         (JSC::DFG::FlowMap::resize):
2339         (JSC::DFG::FlowMap::graph):
2340         (JSC::DFG::FlowMap::at):
2341         (JSC::DFG::FlowMap::atShadow):
2342         (WTF::printInternal):
2343         * dfg/DFGGraph.cpp:
2344         (JSC::DFG::Graph::Graph):
2345         * dfg/DFGGraph.h:
2346         (JSC::DFG::Graph::abstractValuesCache): Deleted.
2347         * dfg/DFGInPlaceAbstractState.cpp:
2348         (JSC::DFG::InPlaceAbstractState::InPlaceAbstractState):
2349         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
2350         (JSC::DFG::setLiveValues):
2351         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
2352         (JSC::DFG::InPlaceAbstractState::merge):
2353         * dfg/DFGInPlaceAbstractState.h:
2354         (JSC::DFG::InPlaceAbstractState::createValueForNode):
2355         (JSC::DFG::InPlaceAbstractState::forNode):
2356         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
2357         * dfg/DFGLivenessAnalysisPhase.cpp:
2358         (JSC::DFG::LivenessAnalysisPhase::LivenessAnalysisPhase):
2359         (JSC::DFG::LivenessAnalysisPhase::run):
2360         (JSC::DFG::LivenessAnalysisPhase::processBlock):
2361         (JSC::DFG::LivenessAnalysisPhase::addChildUse): Deleted.
2362         * dfg/DFGNode.h:
2363         (JSC::DFG::NodeComparator::operator()):
2364         (JSC::DFG::nodeListDump):
2365         (JSC::DFG::nodeMapDump):
2366         (JSC::DFG::nodeValuePairListDump):
2367         (JSC::DFG::nodeComparator): Deleted.
2368         * dfg/DFGNodeAbstractValuePair.cpp: Added.
2369         (JSC::DFG::NodeAbstractValuePair::dump):
2370         * dfg/DFGNodeAbstractValuePair.h: Added.
2371         (JSC::DFG::NodeAbstractValuePair::NodeAbstractValuePair):
2372         * dfg/DFGNodeFlowProjection.cpp: Added.
2373         (JSC::DFG::NodeFlowProjection::dump):
2374         * dfg/DFGNodeFlowProjection.h: Added.
2375         (JSC::DFG::NodeFlowProjection::NodeFlowProjection):
2376         (JSC::DFG::NodeFlowProjection::operator bool):
2377         (JSC::DFG::NodeFlowProjection::kind):
2378         (JSC::DFG::NodeFlowProjection::node):
2379         (JSC::DFG::NodeFlowProjection::operator*):
2380         (JSC::DFG::NodeFlowProjection::operator->):
2381         (JSC::DFG::NodeFlowProjection::hash):
2382         (JSC::DFG::NodeFlowProjection::operator==):
2383         (JSC::DFG::NodeFlowProjection::operator!=):
2384         (JSC::DFG::NodeFlowProjection::operator<):
2385         (JSC::DFG::NodeFlowProjection::operator>):
2386         (JSC::DFG::NodeFlowProjection::operator<=):
2387         (JSC::DFG::NodeFlowProjection::operator>=):
2388         (JSC::DFG::NodeFlowProjection::isHashTableDeletedValue):
2389         (JSC::DFG::NodeFlowProjection::isStillValid):
2390         (JSC::DFG::NodeFlowProjection::forEach):
2391         (JSC::DFG::NodeFlowProjectionHash::hash):
2392         (JSC::DFG::NodeFlowProjectionHash::equal):
2393         * dfg/DFGStoreBarrierInsertionPhase.cpp:
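
The Upsilon/Phi example above (this entry and the re-landed copy of it earlier in the log) as an added toy model, not DFG or B3 code: values are keyed by (node, projection) in the spirit of NodeFlowProjection, and the two modes contrast the correct shadow-value semantics with the mistaken "Upsilon stores into the Phi directly" model. Node ids, the AddOne op and the loop shape are assumptions made for the example.

```cpp
#include <cstdio>
#include <map>
#include <utility>
#include <vector>

// Toy model of the Upsilon/Phi form (constructed for this example, not DFG or B3 code).
// A Phi's "shadow" (its phiTmp) and its primary value (its tmp) are separate slots.
enum class Op { Phi, Upsilon, AddOne, Use };
enum class Projection { Primary, Shadow };

struct Node {
    int id;
    Op op;
    int operand; // node whose primary value is read (unused by Phi)
    int target;  // Upsilon only: the Phi being stored to (^a in the text)
};

using Slot = std::pair<int, Projection>;
using State = std::map<Slot, int>;

// Upsilon writes the Phi's shadow in the correct model; the buggy model wrote the
// Phi's primary value directly, as if Phi and its shadow were one thing.
void storeUpsilon(State& state, int phi, int value, bool modelShadow)
{
    state[{ phi, modelShadow ? Projection::Shadow : Projection::Primary }] = value;
}

// One pass over a loop body; returns the value that the Use node observed.
int runBody(const std::vector<Node>& body, State& state, bool modelShadow)
{
    int seenByUse = 0;
    for (const Node& n : body) {
        switch (n.op) {
        case Op::Phi:
            // Phi moves its phiTmp into its tmp. In the buggy model there is no
            // separate shadow, so Phi has nothing to do.
            if (modelShadow)
                state[{ n.id, Projection::Primary }] = state[{ n.id, Projection::Shadow }];
            break;
        case Op::Upsilon:
            storeUpsilon(state, n.target, state[{ n.operand, Projection::Primary }], modelShadow);
            break;
        case Op::AddOne:
            state[{ n.id, Projection::Primary }] = state[{ n.operand, Projection::Primary }] + 1;
            break;
        case Op::Use:
            seenByUse = state[{ n.operand, Projection::Primary }];
            break;
        }
    }
    return seenByUse;
}

// Loop body:  a: Phi()   n: AddOne(@a)   b: Upsilon(@n, ^a)   c: Use(@a)
// with a pre-header Upsilon(1, ^a). Returns what @c sees on each iteration:
// the correct model yields 1, 2, 3 (Use sees @a before @b), the buggy one 2, 3, 4.
std::vector<int> valuesSeenByUse(int iterations, bool modelShadow)
{
    const int a = 1, n = 2, b = 3, c = 4;
    std::vector<Node> body = {
        { a, Op::Phi, -1, -1 },
        { n, Op::AddOne, a, -1 },
        { b, Op::Upsilon, n, a },
        { c, Op::Use, a, -1 },
    };
    State state;
    storeUpsilon(state, a, 1, modelShadow); // pre-header initialises the Phi
    std::vector<int> seen;
    for (int i = 0; i < iterations; ++i)
        seen.push_back(runBody(body, state, modelShadow));
    return seen;
}

int main()
{
    for (bool modelShadow : { true, false }) {
        std::printf("%s model:", modelShadow ? "shadow" : "direct-store");
        for (int v : valuesSeenByUse(3, modelShadow))
            std::printf(" %d", v);
        std::printf("\n");
    }
    return 0;
}
```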
2394
2395 2016-11-03  Keith Miller  <keith_miller@apple.com>
2396
2397         Unreviewed, changelog fix due to failed git rebase.
2398
2399 2016-11-03  Keith Miller  <keith_miller@apple.com>
2400
2401         Wasm starts a new stack whenever it adds a new block and has return types for blocks.
2402         https://bugs.webkit.org/show_bug.cgi?id=164100
2403
2404         Reviewed by Saam Barati.
2405
2406         This patch overhauls much of the Wasm function parser, validator, and B3 IR generator
2407         to work with block return types. In Wasm, blocks can act as expressions and have a
2408         return value. Most of the control flow operators needed to be rewritten in order to
2409         support this feature. To enable return types the function parser needed to be able
2410         to save and restore the expression stack from previous blocks, which is done via the
2411         control stack.
2412
2413         This patch also removes the lazy continuation block system added previously. It's
2414         not clear if there would be any performance win from such a system. There are likely
2415         many other things with orders of magnitude more impact on B3 IR generation. The
2416         complexity cost of such a system is not worth the effort without sufficient evidence
2417         otherwise.
2418
2419         * testWasm.cpp:
2420         (runWasmTests):
2421         * wasm/WasmB3IRGenerator.cpp:
2422         * wasm/WasmFunctionParser.h:
2423         (JSC::Wasm::FunctionParser<Context>::parseBlock):
2424         (JSC::Wasm::FunctionParser<Context>::addReturn):
2425         (JSC::Wasm::FunctionParser<Context>::parseExpression):
2426         (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
2427         (JSC::Wasm::FunctionParser<Context>::popExpressionStack):
2428         * wasm/WasmValidate.cpp:
2429         (JSC::Wasm::Validate::ControlData::hasNonVoidSignature):
2430         (JSC::Wasm::Validate::addElse):
2431         (JSC::Wasm::Validate::addElseToUnreachable):
2432         (JSC::Wasm::Validate::addBranch):
2433         (JSC::Wasm::Validate::endBlock):
2434         (JSC::Wasm::Validate::addEndToUnreachable):
2435         (JSC::Wasm::Validate::dump):
2436         (JSC::Wasm::validateFunction):
2437         (JSC::Wasm::Validate::isContinuationReachable): Deleted.
2438
2439 2016-11-03  Saam Barati  <sbarati@apple.com>
2440
2441         Asking for a value profile prediction should be defensive against not finding a value profile
2442         https://bugs.webkit.org/show_bug.cgi?id=164306
2443
2444         Reviewed by Mark Lam.
2445
2446         Currently, the code that calls CodeBlock::valueProfilePredictionForBytecodeOffset
2447         in the DFG assumes it will always be at a value producing node. However, this isn't
2448         true if we tail call from an inlined setter. When we're at a tail call, we try
2449         to find the first caller that isn't a tail call to see what value the
2450         tail_call produces. If we inline a setter, however, we will end up finding
2451         the put_by_id as our first non-tail-called "caller", and that won't have a
2452         value profile associated with it since it's not a value producing node.
2453         CodeBlock::valueProfilePredictionForBytecodeOffset should be defensive
2454         against finding a null value profile.
2455
2456         * bytecode/CodeBlock.h:
2457         (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
2458         * dfg/DFGByteCodeParser.cpp:
2459         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
2460
2461 2016-11-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2462
2463         Unreviewed, fix CLoop build after r208320.
2464         https://bugs.webkit.org/show_bug.cgi?id=162980
2465
2466         Add required forward declarations.
2467
2468         * domjit/DOMJITHeapRange.cpp:
2469         * domjit/DOMJITSignature.h:
2470         * runtime/VM.h:
2471
2472 2016-11-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2473
2474         [DOMJIT] Add DOMJIT::Signature
2475         https://bugs.webkit.org/show_bug.cgi?id=162980
2476
2477         Reviewed by Saam Barati and Sam Weinig.
2478
2479         This patch introduces a new mechanism called DOMJIT::Signature. We can annotate the function with DOMJIT::Signature.
2480         DOMJIT::Signature has type information of that function. And it also maintains the effect of the function and the
2481         pointer to the unsafe function. The unsafe function means the function without type and argument count checks.
2482         By using this information, we can separate type and argument count checks from the function. And we can emit
2483         these things as DFG checks and convert the function call itself to CallDOM node. CallDOM node can call the unsafe
2484         function directly without any checks. Furthermore, this CallDOM node can represent its own clobberizing rules based
2485         on DOMJIT::Effect maintained by DOMJIT::Signature. It allows us to make opaque Call node to a CallDOM node that
2486         merely reads some part of heap. These changes (1) can drop duplicate type checks in DFG, (2) offer ability to move
2487         CallDOM node to somewhere, and (3) track more detailed heap reads and writes of CallDOM nodes.
2488
2489         We first emit Call node with DOMJIT::Signature in DFGByteCodeParser. And in the fixup phase, we attempt to lower
2490         Call node to CallDOM node with checks & edge filters. This is because we do not know the type predictions in
2491         DFGByteCodeParser phase. If we always emit a CallDOM node in DFGByteCodeParser, then when we evaluate something like
2492         `div.getAttribute(true)`, Uncountable OSR exits happen repeatedly because AI figures out the abstract value is cleared.
2493
2494         Currently, DOMJIT signature only allows the types that can reside in GPR. This is because the types of the unsafe
2495         function arguments are represented as the sequence of void*. In the future, we will extend to accept other types like
2496         float, double etc.
2497
2498         We annotate several functions in Element. In particular, we annotate Element::getAttribute. This allows us to perform
2499         LICM in Dromaeo dom-attr test. In the Dromaeo dom-attr getAttribute test, we can see a 32x improvement (134974.8 vs. 4203.4).
2500
2501         * JavaScriptCore.xcodeproj/project.pbxproj:
2502         * bytecode/CallVariant.h:
2503         (JSC::CallVariant::functionExecutable):
2504         (JSC::CallVariant::nativeExecutable):
2505         (JSC::CallVariant::signatureFor):
2506         * bytecode/SpeculatedType.h:
2507         (JSC::isNotStringSpeculation):
2508         (JSC::isNotInt32Speculation):
2509         (JSC::isNotBooleanSpeculation):
2510         * dfg/DFGAbstractInterpreterInlines.h:
2511         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2512         * dfg/DFGByteCodeParser.cpp:
2513         (JSC::DFG::ByteCodeParser::addCall):
2514         (JSC::DFG::ByteCodeParser::handleCall):
2515         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
2516         (JSC::DFG::ByteCodeParser::handleInlining):
2517         (JSC::DFG::ByteCodeParser::handleDOMJITCall):
2518         (JSC::DFG::ByteCodeParser::parseBlock):
2519         * dfg/DFGClobberize.h:
2520         (JSC::DFG::clobberize):
2521         * dfg/DFGDoesGC.cpp:
2522         (JSC::DFG::doesGC):
2523         * dfg/DFGFixupPhase.cpp:
2524         (JSC::DFG::FixupPhase::fixupNode):
2525         (JSC::DFG::FixupPhase::attemptToMakeCallDOM):
2526         (JSC::DFG::FixupPhase::fixupCheckDOM):
2527         (JSC::DFG::FixupPhase::fixupCallDOM):
2528         * dfg/DFGNode.cpp:
2529         (JSC::DFG::Node::convertToCallDOM):
2530         * dfg/DFGNode.h:
2531         (JSC::DFG::Node::hasHeapPrediction):
2532         (JSC::DFG::Node::shouldSpeculateNotInt32):
2533         (JSC::DFG::Node::shouldSpeculateNotBoolean):
2534         (JSC::DFG::Node::shouldSpeculateNotString):
2535         (JSC::DFG::Node::hasSignature):
2536         (JSC::DFG::Node::signature):
2537         * dfg/DFGNodeType.h:
2538         * dfg/DFGPredictionPropagationPhase.cpp:
2539         * dfg/DFGSafeToExecute.h:
2540         (JSC::DFG::safeToExecute):
2541         * dfg/DFGSpeculativeJIT.cpp:
2542         (JSC::DFG::SpeculativeJIT::compileCallDOM):
2543         * dfg/DFGSpeculativeJIT.h:
2544         (JSC::DFG::SpeculativeJIT::callOperation):
2545         * dfg/DFGSpeculativeJIT32_64.cpp:
2546         (JSC::DFG::SpeculativeJIT::compile):
2547         * dfg/DFGSpeculativeJIT64.cpp:
2548         (JSC::DFG::SpeculativeJIT::compile):
2549         * domjit/DOMJITEffect.h:
2550         (JSC::DOMJIT::Effect::Effect):
2551         (JSC::DOMJIT::Effect::forWrite):
2552         (JSC::DOMJIT::Effect::forRead):
2553         (JSC::DOMJIT::Effect::forReadWrite):
2554         (JSC::DOMJIT::Effect::forPure):
2555         (JSC::DOMJIT::Effect::forDef):
2556         (JSC::DOMJIT::Effect::mustGenerate):
2557         In clang, we cannot make this Effect constructor constexpr if we use Optional<HeapRange>.
2558         So we use HeapRange::top() for Nullopt def now.
2559
2560         * domjit/DOMJITHeapRange.h:
2561         (JSC::DOMJIT::HeapRange::fromRaw):
2562         (JSC::DOMJIT::HeapRange::operator bool):
2563         (JSC::DOMJIT::HeapRange::operator==):
2564         (JSC::DOMJIT::HeapRange::operator!=):
2565         (JSC::DOMJIT::HeapRange::fromConstant):
2566         * domjit/DOMJITSignature.h: Copied from Source/JavaScriptCore/domjit/DOMJITEffect.h.
2567         (JSC::DOMJIT::Signature::Signature):
2568         (JSC::DOMJIT::Signature::argumentCount):
2569         (JSC::DOMJIT::Signature::checkDOM):
2570         * ftl/FTLCapabilities.cpp:
2571         (JSC::FTL::canCompile):
2572         * ftl/FTLLowerDFGToB3.cpp:
2573         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2574         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
2575         * jit/JITOperations.h:
2576         * jit/JITThunks.cpp:
2577         (JSC::JITThunks::hostFunctionStub):
2578         * jit/JITThunks.h:
2579         * runtime/JSBoundFunction.cpp:
2580         (JSC::JSBoundFunction::create):
2581         * runtime/JSCell.h:
2582         * runtime/JSFunction.cpp:
2583         (JSC::JSFunction::create):
2584         * runtime/JSFunction.h:
2585         * runtime/JSNativeStdFunction.cpp:
2586         (JSC::JSNativeStdFunction::create):
2587         * runtime/JSObject.cpp:
2588         (JSC::JSObject::putDirectNativeFunction):
2589         * runtime/JSObject.h:
2590         * runtime/Lookup.h:
2591         (JSC::HashTableValue::functionLength):
2592         (JSC::HashTableValue::signature):
2593         (JSC::reifyStaticProperty):
2594         * runtime/NativeExecutable.cpp:
2595         (JSC::NativeExecutable::create):
2596         (JSC::NativeExecutable::NativeExecutable):
2597         * runtime/NativeExecutable.h:
2598         * runtime/PropertySlot.h:
2599         * runtime/VM.cpp:
2600         (JSC::VM::getHostFunction):
2601         * runtime/VM.h:
2602
2603 2016-11-02  Andreas Kling  <akling@apple.com>
2604
2605         MarkedSpace should have specialized size classes for popular engine objects.
2606         <https://webkit.org/b/164345>
2607
2608         Reviewed by Filip Pizlo.
2609
2610         The MarkedSpace size classes were recently reworked to minimize wasted space
2611         at the end of MarkedBlocks.
2612
2613         However, we know that some specific objects will be allocated in very high volume.
2614         Adding specialized size classes for those object sizes achieves greater utilization
2615         since we're basically guaranteed to allocate them all the time.
2616
2617         Inject specialized size classes for these four objects:
2618
2619             - FunctionCodeBlock
2620                 560 bytes instead of 624
2621                 28 per block instead of 26 (+2)
2622
2623             - FunctionExecutable
2624                 176 bytes instead of 224
2625                 92 per block instead of 72 (+20)
2626
2627             - UnlinkedFunctionCodeBlock
2628                 256 bytes instead of 320
2629                 63 per block instead of 50 (+13)
2630
2631             - UnlinkedFunctionExecutable
2632                 192 bytes instead of 224
2633                 84 per block instead of 72 (+12)
2634
2635         * heap/MarkedSpace.cpp:
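
An added worked example (not WebKit's own code) that models the size-class selection the entry above describes and reproduces its per-block counts. Assumptions, labelled in the code: a usable block payload of 16224 bytes (chosen because it yields every count in the entry), a 16-byte atom, a geometric class progression of 1.4x from 80 bytes, and hypothetical helper names.

```cpp
// Added example, not JavaScriptCore's own code: a small model of how a
// MarkedSpace-style allocator picks a size class for an object and how many
// cells of that class fit in one MarkedBlock. Assumed values: a usable
// block payload of 16224 bytes (chosen because it reproduces every per-block
// count in the ChangeLog entry), a 16-byte atom, and a geometric progression
// of size classes growing by 1.4x from 80 bytes.
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <vector>

constexpr size_t atomSize = 16;        // assumed allocation granularity
constexpr size_t blockPayload = 16224; // assumed usable bytes per block

// Round a byte size up to the next multiple of atomSize.
constexpr size_t roundUpToAtom(size_t size)
{
    return (size + atomSize - 1) & ~(atomSize - 1);
}

// Number of cells of one size class that fit in a block (0 for no class).
constexpr unsigned cellsPerBlock(size_t sizeClass)
{
    return sizeClass ? static_cast<unsigned>(blockPayload / sizeClass) : 0;
}

// Build the generic size-class table: each geometric candidate is rounded up
// to the atom, then nudged up to the largest atom-aligned size that still
// fits the same number of cells, so the block's unused tail is minimal.
// (This models the "minimize wasted space at the end of MarkedBlocks" idea.)
std::vector<size_t> genericSizeClasses()
{
    std::vector<size_t> classes;
    for (double approx = 80; approx <= 1024; approx *= 1.4) {
        size_t candidate = roundUpToAtom(static_cast<size_t>(approx));
        unsigned cells = cellsPerBlock(candidate);
        size_t better = (blockPayload / cells) & ~(atomSize - 1);
        classes.push_back(better);
    }
    return classes;
}

// Add exact size classes for objects known to be allocated in high volume.
std::vector<size_t> withInjectedClasses(std::vector<size_t> classes,
                                        const std::vector<size_t>& hotSizes)
{
    for (size_t size : hotSizes) {
        size_t sizeClass = roundUpToAtom(size);
        if (std::find(classes.begin(), classes.end(), sizeClass) == classes.end())
            classes.push_back(sizeClass);
    }
    std::sort(classes.begin(), classes.end());
    return classes;
}

// Smallest class that can hold an object of the given size (0 if none fits).
size_t sizeClassFor(size_t objectSize, const std::vector<size_t>& classes)
{
    size_t needed = roundUpToAtom(objectSize);
    size_t best = 0;
    for (size_t sizeClass : classes) {
        if (sizeClass >= needed && (best == 0 || sizeClass < best))
            best = sizeClass;
    }
    return best;
}

// Payload bytes not covered by live object data: the unused tail of the
// block plus the padding between the object size and its size class.
size_t unusedBytesPerBlock(size_t objectSize, const std::vector<size_t>& classes)
{
    size_t sizeClass = sizeClassFor(objectSize, classes);
    return blockPayload - cellsPerBlock(sizeClass) * objectSize;
}

int main()
{
    // Object sizes listed in the ChangeLog entry (FunctionCodeBlock,
    // FunctionExecutable, UnlinkedFunctionCodeBlock, UnlinkedFunctionExecutable).
    const std::vector<size_t> hotSizes = { 560, 176, 256, 192 };
    const std::vector<size_t> generic = genericSizeClasses();
    const std::vector<size_t> injected = withInjectedClasses(generic, hotSizes);

    std::printf("%8s %12s %8s %12s %8s\n", "object", "class", "cells", "class", "cells");
    for (size_t size : hotSizes) {
        size_t before = sizeClassFor(size, generic);
        size_t after = sizeClassFor(size, injected);
        std::printf("%8zu %12zu %8u %12zu %8u\n", size,
                    before, cellsPerBlock(before), after, cellsPerBlock(after));
    }
    return 0;
}
```

With these assumptions the generic table contains 224, 320 and 624, so the four objects land in the classes the entry names before injection and in their exact sizes after it.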
2636
2637 2016-11-02  Geoffrey Garen  <ggaren@apple.com>
2638
2639         One file per class for UnlinkedCodeBlock.h/.cpp
2640         https://bugs.webkit.org/show_bug.cgi?id=164348
2641
2642         Reviewed by Saam Barati.
2643
2644         * CMakeLists.txt:
2645         * JavaScriptCore.xcodeproj/project.pbxproj:
2646         * bytecode/FunctionCodeBlock.h:
2647         * bytecode/ModuleProgramCodeBlock.h:
2648         * bytecode/ProgramCodeBlock.h:
2649         * bytecode/UnlinkedCodeBlock.cpp:
2650         (JSC::UnlinkedProgramCodeBlock::visitChildren): Deleted.
2651         (JSC::UnlinkedModuleProgramCodeBlock::visitChildren): Deleted.
2652         (JSC::UnlinkedProgramCodeBlock::destroy): Deleted.
2653         (JSC::UnlinkedModuleProgramCodeBlock::destroy): Deleted.
2654         (JSC::UnlinkedEvalCodeBlock::destroy): Deleted.
2655         (JSC::UnlinkedFunctionCodeBlock::destroy): Deleted.
2656         (JSC::UnlinkedFunctionExecutable::destroy): Deleted.
2657         * bytecode/UnlinkedCodeBlock.h:
2658         (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock): Deleted.
2659         * bytecode/UnlinkedEvalCodeBlock.cpp: Copied from Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp.
2660         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): Deleted.
2661         (JSC::UnlinkedCodeBlock::visitChildren): Deleted.
2662         (JSC::UnlinkedCodeBlock::estimatedSize): Deleted.
2663         (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset): Deleted.
2664         (JSC::UnlinkedCodeBlock::getLineAndColumn): Deleted.
2665         (JSC::dumpLineColumnEntry): Deleted.
2666         (JSC::UnlinkedCodeBlock::dumpExpressionRangeInfo): Deleted.
2667         (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset): Deleted.
2668         (JSC::UnlinkedCodeBlock::addExpressionInfo): Deleted.
2669         (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset): Deleted.
2670         (JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo): Deleted.
2671         (JSC::UnlinkedProgramCodeBlock::visitChildren): Deleted.
2672         (JSC::UnlinkedModuleProgramCodeBlock::visitChildren): Deleted.
2673         (JSC::UnlinkedCodeBlock::~UnlinkedCodeBlock): Deleted.
2674         (JSC::UnlinkedProgramCodeBlock::destroy): Deleted.
2675         (JSC::UnlinkedModuleProgramCodeBlock::destroy): Deleted.
2676         (JSC::UnlinkedFunctionCodeBlock::destroy): Deleted.
2677         (JSC::UnlinkedFunctionExecutable::destroy): Deleted.
2678         (JSC::UnlinkedCodeBlock::setInstructions): Deleted.
2679         (JSC::UnlinkedCodeBlock::instructions): Deleted.
2680         (JSC::UnlinkedCodeBlock::handlerForBytecodeOffset): Deleted.
2681         (JSC::UnlinkedCodeBlock::handlerForIndex): Deleted.
2682         (JSC::UnlinkedCodeBlock::applyModification): Deleted.
2683         * bytecode/UnlinkedEvalCodeBlock.h: Copied from Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h.
2684         (JSC::UnlinkedStringJumpTable::offsetForValue): Deleted.
2685         (JSC::UnlinkedSimpleJumpTable::add): Deleted.
2686         (JSC::UnlinkedInstruction::UnlinkedInstruction): Deleted.
2687         (JSC::UnlinkedCodeBlock::isConstructor): Deleted.
2688         (JSC::UnlinkedCodeBlock::isStrictMode): Deleted.
2689         (JSC::UnlinkedCodeBlock::usesEval): Deleted.
2690         (JSC::UnlinkedCodeBlock::parseMode): Deleted.
2691         (JSC::UnlinkedCodeBlock::isArrowFunction): Deleted.
2692         (JSC::UnlinkedCodeBlock::derivedContextType): Deleted.
2693         (JSC::UnlinkedCodeBlock::evalContextType): Deleted.
2694         (JSC::UnlinkedCodeBlock::isArrowFunctionContext): Deleted.
2695         (JSC::UnlinkedCodeBlock::isClassContext): Deleted.
2696         (JSC::UnlinkedCodeBlock::hasExpressionInfo): Deleted.
2697         (JSC::UnlinkedCodeBlock::expressionInfo): Deleted.
2698         (JSC::UnlinkedCodeBlock::setThisRegister): Deleted.
2699         (JSC::UnlinkedCodeBlock::setScopeRegister): Deleted.
2700         (JSC::UnlinkedCodeBlock::usesGlobalObject): Deleted.
2701         (JSC::UnlinkedCodeBlock::setGlobalObjectRegister): Deleted.
2702         (JSC::UnlinkedCodeBlock::globalObjectRegister): Deleted.
2703         (JSC::UnlinkedCodeBlock::setNumParameters): Deleted.
2704         (JSC::UnlinkedCodeBlock::addParameter): Deleted.
2705         (JSC::UnlinkedCodeBlock::numParameters): Deleted.
2706         (JSC::UnlinkedCodeBlock::addRegExp): Deleted.
2707         (JSC::UnlinkedCodeBlock::numberOfRegExps): Deleted.
2708         (JSC::UnlinkedCodeBlock::regexp): Deleted.
2709         (JSC::UnlinkedCodeBlock::numberOfIdentifiers): Deleted.
2710         (JSC::UnlinkedCodeBlock::addIdentifier): Deleted.
2711         (JSC::UnlinkedCodeBlock::identifier): Deleted.
2712         (JSC::UnlinkedCodeBlock::identifiers): Deleted.
2713         (JSC::UnlinkedCodeBlock::addConstant): Deleted.
2714         (JSC::UnlinkedCodeBlock::registerIndexForLinkTimeConstant): Deleted.
2715         (JSC::UnlinkedCodeBlock::constantRegisters): Deleted.
2716         (JSC::UnlinkedCodeBlock::constantRegister): Deleted.
2717         (JSC::UnlinkedCodeBlock::isConstantRegisterIndex): Deleted.
2718         (JSC::UnlinkedCodeBlock::constantsSourceCodeRepresentation): Deleted.
2719         (JSC::UnlinkedCodeBlock::numberOfJumpTargets): Deleted.
2720         (JSC::UnlinkedCodeBlock::addJumpTarget): Deleted.
2721         (JSC::UnlinkedCodeBlock::jumpTarget): Deleted.
2722         (JSC::UnlinkedCodeBlock::lastJumpTarget): Deleted.
2723         (JSC::UnlinkedCodeBlock::isBuiltinFunction): Deleted.
2724         (JSC::UnlinkedCodeBlock::constructorKind): Deleted.
2725         (JSC::UnlinkedCodeBlock::superBinding): Deleted.
2726         (JSC::UnlinkedCodeBlock::scriptMode): Deleted.
2727         (JSC::UnlinkedCodeBlock::shrinkToFit): Deleted.
2728         (JSC::UnlinkedCodeBlock::numCalleeLocals): Deleted.
2729         (JSC::UnlinkedCodeBlock::numberOfSwitchJumpTables): Deleted.
2730         (JSC::UnlinkedCodeBlock::addSwitchJumpTable): Deleted.
2731         (JSC::UnlinkedCodeBlock::switchJumpTable): Deleted.
2732         (JSC::UnlinkedCodeBlock::numberOfStringSwitchJumpTables): Deleted.
2733         (JSC::UnlinkedCodeBlock::addStringSwitchJumpTable): Deleted.
2734         (JSC::UnlinkedCodeBlock::stringSwitchJumpTable): Deleted.
2735         (JSC::UnlinkedCodeBlock::addFunctionDecl): Deleted.
2736         (JSC::UnlinkedCodeBlock::functionDecl): Deleted.
2737         (JSC::UnlinkedCodeBlock::numberOfFunctionDecls): Deleted.
2738         (JSC::UnlinkedCodeBlock::addFunctionExpr): Deleted.
2739         (JSC::UnlinkedCodeBlock::functionExpr): Deleted.
2740         (JSC::UnlinkedCodeBlock::numberOfFunctionExprs): Deleted.
2741         (JSC::UnlinkedCodeBlock::numberOfExceptionHandlers): Deleted.
2742         (JSC::UnlinkedCodeBlock::addExceptionHandler): Deleted.
2743         (JSC::UnlinkedCodeBlock::exceptionHandler): Deleted.
2744         (JSC::UnlinkedCodeBlock::addArrayProfile): Deleted.
2745         (JSC::UnlinkedCodeBlock::numberOfArrayProfiles): Deleted.
2746         (JSC::UnlinkedCodeBlock::addArrayAllocationProfile): Deleted.
2747         (JSC::UnlinkedCodeBlock::numberOfArrayAllocationProfiles): Deleted.
2748         (JSC::UnlinkedCodeBlock::addObjectAllocationProfile): Deleted.
2749         (JSC::UnlinkedCodeBlock::numberOfObjectAllocationProfiles): Deleted.
2750         (JSC::UnlinkedCodeBlock::addValueProfile): Deleted.
2751         (JSC::UnlinkedCodeBlock::numberOfValueProfiles): Deleted.
2752         (JSC::UnlinkedCodeBlock::addLLIntCallLinkInfo): Deleted.
2753         (JSC::UnlinkedCodeBlock::numberOfLLintCallLinkInfos): Deleted.
2754         (JSC::UnlinkedCodeBlock::codeType): Deleted.
2755         (JSC::UnlinkedCodeBlock::thisRegister): Deleted.
2756         (JSC::UnlinkedCodeBlock::scopeRegister): Deleted.
2757         (JSC::UnlinkedCodeBlock::addPropertyAccessInstruction): Deleted.
2758         (JSC::UnlinkedCodeBlock::numberOfPropertyAccessInstructions): Deleted.
2759         (JSC::UnlinkedCodeBlock::propertyAccessInstructions): Deleted.
2760         (JSC::UnlinkedCodeBlock::constantBufferCount): Deleted.
2761         (JSC::UnlinkedCodeBlock::addConstantBuffer): Deleted.
2762         (JSC::UnlinkedCodeBlock::constantBuffer): Deleted.
2763         (JSC::UnlinkedCodeBlock::hasRareData): Deleted.
2764         (JSC::UnlinkedCodeBlock::recordParse): Deleted.
2765         (JSC::UnlinkedCodeBlock::sourceURLDirective): Deleted.
2766         (JSC::UnlinkedCodeBlock::sourceMappingURLDirective): Deleted.
2767         (JSC::UnlinkedCodeBlock::setSourceURLDirective): Deleted.
2768         (JSC::UnlinkedCodeBlock::setSourceMappingURLDirective): Deleted.
2769         (JSC::UnlinkedCodeBlock::codeFeatures): Deleted.
2770         (JSC::UnlinkedCodeBlock::hasCapturedVariables): Deleted.
2771         (JSC::UnlinkedCodeBlock::firstLine): Deleted.
2772         (JSC::UnlinkedCodeBlock::lineCount): Deleted.
2773         (JSC::UnlinkedCodeBlock::startColumn): Deleted.
2774         (JSC::UnlinkedCodeBlock::endColumn): Deleted.
2775         (JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset): Deleted.
2776         (JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets): Deleted.
2777         (JSC::UnlinkedCodeBlock::hasOpProfileControlFlowBytecodeOffsets): Deleted.
2778         (JSC::UnlinkedCodeBlock::wasCompiledWithDebuggingOpcodes): Deleted.
2779         (JSC::UnlinkedCodeBlock::didOptimize): Deleted.
2780         (JSC::UnlinkedCodeBlock::setDidOptimize): Deleted.
2781         (JSC::UnlinkedCodeBlock::finishCreation): Deleted.
2782         (JSC::UnlinkedCodeBlock::createRareDataIfNecessary): Deleted.
2783         (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock): Deleted.
2784         * bytecode/UnlinkedFunctionCodeBlock.cpp: Copied from Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp.
2785         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): Deleted.
2786         (JSC::UnlinkedCodeBlock::visitChildren): Deleted.
2787         (JSC::UnlinkedCodeBlock::estimatedSize): Deleted.
2788         (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset): Deleted.
2789         (JSC::UnlinkedCodeBlock::getLineAndColumn): Deleted.
2790         (JSC::dumpLineColumnEntry): Deleted.
2791         (JSC::UnlinkedCodeBlock::dumpExpressionRangeInfo): Deleted.
2792         (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset): Deleted.
2793         (JSC::UnlinkedCodeBlock::addExpressionInfo): Deleted.
2794         (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset): Deleted.
2795         (JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo): Deleted.
2796         (JSC::UnlinkedProgramCodeBlock::visitChildren): Deleted.
2797         (JSC::UnlinkedModuleProgramCodeBlock::visitChildren): Deleted.
2798         (JSC::UnlinkedCodeBlock::~UnlinkedCodeBlock): Deleted.
2799         (JSC::UnlinkedProgramCodeBlock::destroy): Deleted.
2800         (JSC::UnlinkedModuleProgramCodeBlock::destroy): Deleted.
2801         (JSC::UnlinkedEvalCodeBlock::destroy): Deleted.
2802         (JSC::UnlinkedFunctionExecutable::destroy): Deleted.
2803         (JSC::UnlinkedCodeBlock::setInstructions): Deleted.
2804         (JSC::UnlinkedCodeBlock::instructions): Deleted.
2805         (JSC::UnlinkedCodeBlock::handlerForBytecodeOffset): Deleted.
2806         (JSC::UnlinkedCodeBlock::handlerForIndex): Deleted.
2807         (JSC::UnlinkedCodeBlock::applyModification): Deleted.
2808         * bytecode/UnlinkedFunctionCodeBlock.h: Copied from Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h.
2809         (JSC::UnlinkedStringJumpTable::offsetForValue): Deleted.
2810         (JSC::UnlinkedSimpleJumpTable::add): Deleted.
2811         (JSC::UnlinkedInstruction::UnlinkedInstruction): Deleted.
2812         (JSC::UnlinkedCodeBlock::isConstructor): Deleted.
2813         (JSC::UnlinkedCodeBlock::isStrictMode): Deleted.
2814         (JSC::UnlinkedCodeBlock::usesEval): Deleted.
2815         (JSC::UnlinkedCodeBlock::parseMode): Deleted.
2816         (JSC::UnlinkedCodeBlock::isArrowFunction): Deleted.
2817         (JSC::UnlinkedCodeBlock::derivedContextType): Deleted.
2818         (JSC::UnlinkedCodeBlock::evalContextType): Deleted.
2819         (JSC::UnlinkedCodeBlock::isArrowFunctionContext): Deleted.
2820         (JSC::UnlinkedCodeBlock::isClassContext): Deleted.
2821         (JSC::UnlinkedCodeBlock::hasExpressionInfo): Deleted.
2822         (JSC::UnlinkedCodeBlock::expressionInfo): Deleted.
2823         (JSC::UnlinkedCodeBlock::setThisRegister): Deleted.
2824         (JSC::UnlinkedCodeBlock::setScopeRegister): Deleted.
2825         (JSC::UnlinkedCodeBlock::usesGlobalObject): Deleted.
2826         (JSC::UnlinkedCodeBlock::setGlobalObjectRegister): Deleted.
2827         (JSC::UnlinkedCodeBlock::globalObjectRegister): Deleted.
2828         (JSC::UnlinkedCodeBlock::setNumParameters): Deleted.
2829         (JSC::UnlinkedCodeBlock::addParameter): Deleted.
2830         (JSC::UnlinkedCodeBlock::numParameters): Deleted.
2831         (JSC::UnlinkedCodeBlock::addRegExp): Deleted.
2832         (JSC::UnlinkedCodeBlock::numberOfRegExps): Deleted.
2833         (JSC::UnlinkedCodeBlock::regexp): Deleted.
2834         (JSC::UnlinkedCodeBlock::numberOfIdentifiers): Deleted.
2835         (JSC::UnlinkedCodeBlock::addIdentifier): Deleted.
2836         (JSC::UnlinkedCodeBlock::identifier): Deleted.
2837         (JSC::UnlinkedCodeBlock::identifiers): Deleted.
2838         (JSC::UnlinkedCodeBlock::addConstant): Deleted.
2839         (JSC::UnlinkedCodeBlock::registerIndexForLinkTimeConstant): Deleted.
2840         (JSC::UnlinkedCodeBlock::constantRegisters): Deleted.
2841         (JSC::UnlinkedCodeBlock::constantRegister): Deleted.
2842         (JSC::UnlinkedCodeBlock::isConstantRegisterIndex): Deleted.
2843         (JSC::UnlinkedCodeBlock::constantsSourceCodeRepresentation): Deleted.
2844         (JSC::UnlinkedCodeBlock::numberOfJumpTargets): Deleted.
2845         (JSC::UnlinkedCodeBlock::addJumpTarget): Deleted.
2846         (JSC::UnlinkedCodeBlock::jumpTarget): Deleted.
2847         (JSC::UnlinkedCodeBlock::lastJumpTarget): Deleted.
2848         (JSC::UnlinkedCodeBlock::isBuiltinFunction): Deleted.
2849         (JSC::UnlinkedCodeBlock::constructorKind): Deleted.
2850         (JSC::UnlinkedCodeBlock::superBinding): Deleted.
2851         (JSC::UnlinkedCodeBlock::scriptMode): Deleted.
2852         (JSC::UnlinkedCodeBlock::shrinkToFit): Deleted.
2853         (JSC::UnlinkedCodeBlock::numCalleeLocals): Deleted.
2854         (JSC::UnlinkedCodeBlock::numberOfSwitchJumpTables): Deleted.
2855         (JSC::UnlinkedCodeBlock::addSwitchJumpTable): Deleted.
2856         (JSC::UnlinkedCodeBlock::switchJumpTable): Deleted.
2857         (JSC::UnlinkedCodeBlock::numberOfStringSwitchJumpTables): Deleted.
2858         (JSC::UnlinkedCodeBlock::addStringSwitchJumpTable): Deleted.
2859         (JSC::UnlinkedCodeBlock::stringSwitchJumpTable): Deleted.
2860         (JSC::UnlinkedCodeBlock::addFunctionDecl): Deleted.
2861         (JSC::UnlinkedCodeBlock::functionDecl): Deleted.
2862         (JSC::UnlinkedCodeBlock::numberOfFunctionDecls): Deleted.
2863         (JSC::UnlinkedCodeBlock::addFunctionExpr): Deleted.
2864         (JSC::UnlinkedCodeBlock::functionExpr): Deleted.
2865         (JSC::UnlinkedCodeBlock::numberOfFunctionExprs): Deleted.
2866         (JSC::UnlinkedCodeBlock::numberOfExceptionHandlers): Deleted.
2867         (JSC::UnlinkedCodeBlock::addExceptionHandler): Deleted.
2868         (JSC::UnlinkedCodeBlock::exceptionHandler): Deleted.
2869         (JSC::UnlinkedCodeBlock::addArrayProfile): Deleted.
2870         (JSC::UnlinkedCodeBlock::numberOfArrayProfiles): Deleted.
2871         (JSC::UnlinkedCodeBlock::addArrayAllocationProfile): Deleted.
2872         (JSC::UnlinkedCodeBlock::numberOfArrayAllocationProfiles): Deleted.
2873         (JSC::UnlinkedCodeBlock::addObjectAllocationProfile): Deleted.
2874         (JSC::UnlinkedCodeBlock::numberOfObjectAllocationProfiles): Deleted.
2875         (JSC::UnlinkedCodeBlock::addValueProfile): Deleted.
2876         (JSC::UnlinkedCodeBlock::numberOfValueProfiles): Deleted.
2877         (JSC::UnlinkedCodeBlock::addLLIntCallLinkInfo): Deleted.
2878         (JSC::UnlinkedCodeBlock::numberOfLLintCallLinkInfos): Deleted.
2879         (JSC::UnlinkedCodeBlock::codeType): Deleted.
2880         (JSC::UnlinkedCodeBlock::thisRegister): Deleted.
2881         (JSC::UnlinkedCodeBlock::scopeRegister): Deleted.
2882         (JSC::UnlinkedCodeBlock::addPropertyAccessInstruction): Deleted.
2883         (JSC::UnlinkedCodeBlock::numberOfPropertyAccessInstructions): Deleted.
2884         (JSC::UnlinkedCodeBlock::propertyAccessInstructions): Deleted.
2885         (JSC::UnlinkedCodeBlock::constantBufferCount): Deleted.
2886         (JSC::UnlinkedCodeBlock::addConstantBuffer): Deleted.
2887         (JSC::UnlinkedCodeBlock::constantBuffer): Deleted.
2888         (JSC::UnlinkedCodeBlock::hasRareData): Deleted.
2889         (JSC::UnlinkedCodeBlock::recordParse): Deleted.
2890         (JSC::UnlinkedCodeBlock::sourceURLDirective): Deleted.
2891         (JSC::UnlinkedCodeBlock::sourceMappingURLDirective): Deleted.
2892         (JSC::UnlinkedCodeBlock::setSourceURLDirective): Deleted.
2893         (JSC::UnlinkedCodeBlock::setSourceMappingURLDirective): Deleted.
2894         (JSC::UnlinkedCodeBlock::codeFeatures): Deleted.
2895         (JSC::UnlinkedCodeBlock::hasCapturedVariables): Deleted.
2896         (JSC::UnlinkedCodeBlock::firstLine): Deleted.
2897         (JSC::UnlinkedCodeBlock::lineCount): Deleted.
2898         (JSC::UnlinkedCodeBlock::startColumn): Deleted.
2899         (JSC::UnlinkedCodeBlock::endColumn): Deleted.
2900         (JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset): Deleted.
2901         (JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets): Deleted.
2902         (JSC::UnlinkedCodeBlock::hasOpProfileControlFlowBytecodeOffsets): Deleted.
2903         (JSC::UnlinkedCodeBlock::wasCompiledWithDebuggingOpcodes): Deleted.
2904         (JSC::UnlinkedCodeBlock::didOptimize): Deleted.
2905         (JSC::UnlinkedCodeBlock::setDidOptimize): Deleted.
2906         (JSC::UnlinkedCodeBlock::finishCreation): Deleted.
2907         (JSC::UnlinkedCodeBlock::createRareDataIfNecessary): Deleted.
2908         (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock): Deleted.
2909         * bytecode/UnlinkedFunctionExecutable.cpp:
2910         (JSC::UnlinkedFunctionExecutable::destroy):
2911         * bytecode/UnlinkedGlobalCodeBlock.h: Copied from Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h.
2912         (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock):
2913         (JSC::UnlinkedStringJumpTable::offsetForValue): Deleted.
2914         (JSC::UnlinkedSimpleJumpTable::add): Deleted.
2915         (JSC::UnlinkedInstruction::UnlinkedInstruction): Deleted.
2916         (): Deleted.
2917         (JSC::UnlinkedCodeBlock::isConstructor): Deleted.
2918         (JSC::UnlinkedCodeBlock::isStrictMode): Deleted.
2919         (JSC::UnlinkedCodeBlock::usesEval): Deleted.
2920         (JSC::UnlinkedCodeBlock::parseMode): Deleted.
2921         (JSC::UnlinkedCodeBlock::isArrowFunction): Deleted.
2922         (JSC::UnlinkedCodeBlock::derivedContextType): Deleted.
2923         (JSC::UnlinkedCodeBlock::evalContextType): Deleted.
2924         (JSC::UnlinkedCodeBlock::isArrowFunctionContext): Deleted.
2925         (JSC::UnlinkedCodeBlock::isClassContext): Deleted.
2926         (JSC::UnlinkedCodeBlock::hasExpressionInfo): Deleted.
2927         (JSC::UnlinkedCodeBlock::expressionInfo): Deleted.
2928         (JSC::UnlinkedCodeBlock::setThisRegister): Deleted.
2929         (JSC::UnlinkedCodeBlock::setScopeRegister): Deleted.
2930         (JSC::UnlinkedCodeBlock::usesGlobalObject): Deleted.
2931         (JSC::UnlinkedCodeBlock::setGlobalObjectRegister): Deleted.
2932         (JSC::UnlinkedCodeBlock::globalObjectRegister): Deleted.
2933         (JSC::UnlinkedCodeBlock::setNumParameters): Deleted.
2934         (JSC::UnlinkedCodeBlock::addParameter): Deleted.
2935         (JSC::UnlinkedCodeBlock::numParameters): Deleted.
2936         (JSC::UnlinkedCodeBlock::addRegExp): Deleted.
2937         (JSC::UnlinkedCodeBlock::numberOfRegExps): Deleted.
2938         (JSC::UnlinkedCodeBlock::regexp): Deleted.
2939         (JSC::UnlinkedCodeBlock::numberOfIdentifiers): Deleted.
2940         (JSC::UnlinkedCodeBlock::addIdentifier): Deleted.
2941         (JSC::UnlinkedCodeBlock::identifier): Deleted.
2942         (JSC::UnlinkedCodeBlock::identifiers): Deleted.
2943         (JSC::UnlinkedCodeBlock::addConstant): Deleted.
2944         (JSC::UnlinkedCodeBlock::registerIndexForLinkTimeConstant): Deleted.
2945         (JSC::UnlinkedCodeBlock::constantRegisters): Deleted.
2946         (JSC::UnlinkedCodeBlock::constantRegister): Deleted.
2947         (JSC::UnlinkedCodeBlock::isConstantRegisterIndex): Deleted.
2948         (JSC::UnlinkedCodeBlock::constantsSourceCodeRepresentation): Deleted.
2949         (JSC::UnlinkedCodeBlock::numberOfJumpTargets): Deleted.
2950         (JSC::UnlinkedCodeBlock::addJumpTarget): Deleted.
2951         (JSC::UnlinkedCodeBlock::jumpTarget): Deleted.
2952         (JSC::UnlinkedCodeBlock::lastJumpTarget): Deleted.
2953         (JSC::UnlinkedCodeBlock::isBuiltinFunction): Deleted.
2954         (JSC::UnlinkedCodeBlock::constructorKind): Deleted.
2955         (JSC::UnlinkedCodeBlock::superBinding): Deleted.
2956         (JSC::UnlinkedCodeBlock::scriptMode): Deleted.
2957         (JSC::UnlinkedCodeBlock::shrinkToFit): Deleted.
2958         (JSC::UnlinkedCodeBlock::numCalleeLocals): Deleted.
2959         (JSC::UnlinkedCodeBlock::numberOfSwitchJumpTables): Deleted.
2960         (JSC::UnlinkedCodeBlock::addSwitchJumpTable): Deleted.
2961         (JSC::UnlinkedCodeBlock::switchJumpTable): Deleted.
2962         (JSC::UnlinkedCodeBlock::numberOfStringSwitchJumpTables): Deleted.
2963         (JSC::UnlinkedCodeBlock::addStringSwitchJumpTable): Deleted.
2964         (JSC::UnlinkedCodeBlock::stringSwitchJumpTable): Deleted.
2965         (JSC::UnlinkedCodeBlock::addFunctionDecl): Deleted.
2966         (JSC::UnlinkedCodeBlock::functionDecl): Deleted.
2967         (JSC::UnlinkedCodeBlock::numberOfFunctionDecls): Deleted.
2968         (JSC::UnlinkedCodeBlock::addFunctionExpr): Deleted.
2969         (JSC::UnlinkedCodeBlock::functionExpr): Deleted.
2970         (JSC::UnlinkedCodeBlock::numberOfFunctionExprs): Deleted.
2971         (JSC::UnlinkedCodeBlock::numberOfExceptionHandlers): Deleted.
2972         (JSC::UnlinkedCodeBlock::addExceptionHandler): Deleted.
2973         (JSC::UnlinkedCodeBlock::exceptionHandler): Deleted.
2974         (JSC::UnlinkedCodeBlock::addArrayProfile): Deleted.
2975         (JSC::UnlinkedCodeBlock::numberOfArrayProfiles): Deleted.
2976         (JSC::UnlinkedCodeBlock::addArrayAllocationProfile): Deleted.
2977         (JSC::UnlinkedCodeBlock::numberOfArrayAllocationProfiles): Deleted.
2978         (JSC::UnlinkedCodeBlock::addObjectAllocationProfile): Deleted.
2979         (JSC::UnlinkedCodeBlock::numberOfObjectAllocationProfiles): Deleted.
2980         (JSC::UnlinkedCodeBlock::addValueProfile): Deleted.
2981         (JSC::UnlinkedCodeBlock::numberOfValueProfiles): Deleted.
2982         (JSC::UnlinkedCodeBlock::addLLIntCallLinkInfo): Deleted.
2983         (JSC::UnlinkedCodeBlock::numberOfLLintCallLinkInfos): Deleted.
2984         (JSC::UnlinkedCodeBlock::codeType): Deleted.
2985         (JSC::UnlinkedCodeBlock::thisRegister): Deleted.
2986         (JSC::UnlinkedCodeBlock::scopeRegister): Deleted.
2987         (JSC::UnlinkedCodeBlock::addPropertyAccessInstruction): Deleted.
2988         (JSC::UnlinkedCodeBlock::numberOfPropertyAccessInstructions): Deleted.
2989         (JSC::UnlinkedCodeBlock::propertyAccessInstructions): Deleted.
2990         (JSC::UnlinkedCodeBlock::constantBufferCount): Deleted.
2991         (JSC::UnlinkedCodeBlock::addConstantBuffer): Deleted.
2992         (JSC::UnlinkedCodeBlock::constantBuffer): Deleted.
2993         (JSC::UnlinkedCodeBlock::hasRareData): Deleted.
2994         (JSC::UnlinkedCodeBlock::recordParse): Deleted.
2995         (JSC::UnlinkedCodeBlock::sourceURLDirective): Deleted.
2996         (JSC::UnlinkedCodeBlock::sourceMappingURLDirective): Deleted.
2997         (JSC::UnlinkedCodeBlock::setSourceURLDirective): Deleted.
2998         (JSC::UnlinkedCodeBlock::setSourceMappingURLDirective): Deleted.
2999         (JSC::UnlinkedCodeBlock::codeFeatures): Deleted.
3000         (JSC::UnlinkedCodeBlock::hasCapturedVariables): Deleted.
3001         (JSC::UnlinkedCodeBlock::firstLine): Deleted.
3002         (JSC::UnlinkedCodeBlock::lineCount): Deleted.
3003         (JSC::UnlinkedCodeBlock::startColumn): Deleted.
3004         (JSC::UnlinkedCodeBlock::endColumn): Deleted.
3005         (JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset): Deleted.
3006         (JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets): Deleted.
3007         (JSC::UnlinkedCodeBlock::hasOpProfileControlFlowBytecodeOffsets): Deleted.
3008         (JSC::UnlinkedCodeBlock::wasCompiledWithDebuggingOpcodes): Deleted.
3009         (JSC::UnlinkedCodeBlock::didOptimize): Deleted.
3010         (JSC::UnlinkedCodeBlock::setDidOptimize): Deleted.
3011         (JSC::UnlinkedCodeBlock::finishCreation): Deleted.
3012         (JSC::UnlinkedCodeBlock::createRareDataIfNecessary): Deleted.
3013         * bytecode/UnlinkedModuleProgramCodeBlock.cpp: Copied from Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp.
3014         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): Deleted.
3015         (JSC::UnlinkedCodeBlock::visitChildren): Deleted.
3016         (JSC::UnlinkedCodeBlock::estimatedSize): Deleted.
3017         (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset): Deleted.
3018         (JSC::UnlinkedCodeBlock::getLineAndColumn): Deleted.
3019         (JSC::dumpLineColumnEntry): Deleted.
3020         (JSC::UnlinkedCodeBlock::dumpExpressionRangeInfo): Deleted.
3021         (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset): Deleted.
3022         (JSC::UnlinkedCodeBlock::addExpressionInfo): Deleted.
3023         (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset): Deleted.
3024         (JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo): Deleted.
3025         (JSC::UnlinkedProgramCodeBlock::visitChildren): Deleted.
3026         (JSC::UnlinkedCodeBlock::~UnlinkedCodeBlock): Deleted.
3027         (JSC::UnlinkedProgramCodeBlock::destroy): Deleted.
3028         (JSC::UnlinkedEvalCodeBlock::destroy): Deleted.
3029         (JSC::UnlinkedFunctionCodeBlock::destroy): Deleted.
3030         (JSC::UnlinkedFunctionExecutable::destroy): Deleted.
        (JSC::UnlinkedCodeBlock::setInstructions): Deleted.
        (JSC::UnlinkedCodeBlock::instructions): Deleted.
        (JSC::UnlinkedCodeBlock::handlerForBytecodeOffset): Deleted.
        (JSC::UnlinkedCodeBlock::handlerForIndex): Deleted.
        (JSC::UnlinkedCodeBlock::applyModification): Deleted.
        * bytecode/UnlinkedModuleProgramCodeBlock.h: Copied from Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h.
        (JSC::UnlinkedStringJumpTable::offsetForValue): Deleted.
        (JSC::UnlinkedSimpleJumpTable::add): Deleted.
        (JSC::UnlinkedInstruction::UnlinkedInstruction): Deleted.
        (JSC::UnlinkedCodeBlock::isConstructor): Deleted.
        (JSC::UnlinkedCodeBlock::isStrictMode): Deleted.
        (JSC::UnlinkedCodeBlock::usesEval): Deleted.
        (JSC::UnlinkedCodeBlock::parseMode): Deleted.
        (JSC::UnlinkedCodeBlock::isArrowFunction): Deleted.
        (JSC::UnlinkedCodeBlock::derivedContextType): Deleted.
        (JSC::UnlinkedCodeBlock::evalContextType): Deleted.
        (JSC::UnlinkedCodeBlock::isArrowFunctionContext): Deleted.
        (JSC::UnlinkedCodeBlock::isClassContext): Deleted.
        (JSC::UnlinkedCodeBlock::hasExpressionInfo): Deleted.
        (JSC::UnlinkedCodeBlock::expressionInfo): Deleted.
        (JSC::UnlinkedCodeBlock::setThisRegister): Deleted.
        (JSC::UnlinkedCodeBlock::setScopeRegister): Deleted.
        (JSC::UnlinkedCodeBlock::usesGlobalObject): Deleted.
        (JSC::UnlinkedCodeBlock::setGlobalObjectRegister): Deleted.
        (JSC::UnlinkedCodeBlock::globalObjectRegister): Deleted.
        (JSC::UnlinkedCodeBlock::setNumParameters): Deleted.
        (JSC::UnlinkedCodeBlock::addParameter): Deleted.
        (JSC::UnlinkedCodeBlock::numParameters): Deleted.
        (JSC::UnlinkedCodeBlock::addRegExp): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfRegExps): Deleted.
        (JSC::UnlinkedCodeBlock::regexp): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfIdentifiers): Deleted.
        (JSC::UnlinkedCodeBlock::addIdentifier): Deleted.
        (JSC::UnlinkedCodeBlock::identifier): Deleted.
        (JSC::UnlinkedCodeBlock::identifiers): Deleted.
        (JSC::UnlinkedCodeBlock::addConstant): Deleted.
        (JSC::UnlinkedCodeBlock::registerIndexForLinkTimeConstant): Deleted.
        (JSC::UnlinkedCodeBlock::constantRegisters): Deleted.
        (JSC::UnlinkedCodeBlock::constantRegister): Deleted.
        (JSC::UnlinkedCodeBlock::isConstantRegisterIndex): Deleted.
        (JSC::UnlinkedCodeBlock::constantsSourceCodeRepresentation): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfJumpTargets): Deleted.
        (JSC::UnlinkedCodeBlock::addJumpTarget): Deleted.
        (JSC::UnlinkedCodeBlock::jumpTarget): Deleted.
        (JSC::UnlinkedCodeBlock::lastJumpTarget): Deleted.
        (JSC::UnlinkedCodeBlock::isBuiltinFunction): Deleted.
        (JSC::UnlinkedCodeBlock::constructorKind): Deleted.
        (JSC::UnlinkedCodeBlock::superBinding): Deleted.
        (JSC::UnlinkedCodeBlock::scriptMode): Deleted.
        (JSC::UnlinkedCodeBlock::shrinkToFit): Deleted.
        (JSC::UnlinkedCodeBlock::numCalleeLocals): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfSwitchJumpTables): Deleted.
        (JSC::UnlinkedCodeBlock::addSwitchJumpTable): Deleted.
        (JSC::UnlinkedCodeBlock::switchJumpTable): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfStringSwitchJumpTables): Deleted.
        (JSC::UnlinkedCodeBlock::addStringSwitchJumpTable): Deleted.
        (JSC::UnlinkedCodeBlock::stringSwitchJumpTable): Deleted.
        (JSC::UnlinkedCodeBlock::addFunctionDecl): Deleted.
        (JSC::UnlinkedCodeBlock::functionDecl): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfFunctionDecls): Deleted.
        (JSC::UnlinkedCodeBlock::addFunctionExpr): Deleted.
        (JSC::UnlinkedCodeBlock::functionExpr): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfFunctionExprs): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfExceptionHandlers): Deleted.
        (JSC::UnlinkedCodeBlock::addExceptionHandler): Deleted.
        (JSC::UnlinkedCodeBlock::exceptionHandler): Deleted.
        (JSC::UnlinkedCodeBlock::addArrayProfile): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfArrayProfiles): Deleted.
        (JSC::UnlinkedCodeBlock::addArrayAllocationProfile): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfArrayAllocationProfiles): Deleted.
        (JSC::UnlinkedCodeBlock::addObjectAllocationProfile): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfObjectAllocationProfiles): Deleted.
        (JSC::UnlinkedCodeBlock::addValueProfile): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfValueProfiles): Deleted.
        (JSC::UnlinkedCodeBlock::addLLIntCallLinkInfo): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfLLintCallLinkInfos): Deleted.
        (JSC::UnlinkedCodeBlock::codeType): Deleted.
        (JSC::UnlinkedCodeBlock::thisRegister): Deleted.
        (JSC::UnlinkedCodeBlock::scopeRegister): Deleted.
        (JSC::UnlinkedCodeBlock::addPropertyAccessInstruction): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfPropertyAccessInstructions): Deleted.
        (JSC::UnlinkedCodeBlock::propertyAccessInstructions): Deleted.
        (JSC::UnlinkedCodeBlock::constantBufferCount): Deleted.
        (JSC::UnlinkedCodeBlock::addConstantBuffer): Deleted.
        (JSC::UnlinkedCodeBlock::constantBuffer): Deleted.
        (JSC::UnlinkedCodeBlock::hasRareData): Deleted.
        (JSC::UnlinkedCodeBlock::recordParse): Deleted.
        (JSC::UnlinkedCodeBlock::sourceURLDirective): Deleted.
        (JSC::UnlinkedCodeBlock::sourceMappingURLDirective): Deleted.
        (JSC::UnlinkedCodeBlock::setSourceURLDirective): Deleted.
        (JSC::UnlinkedCodeBlock::setSourceMappingURLDirective): Deleted.
        (JSC::UnlinkedCodeBlock::codeFeatures): Deleted.
        (JSC::UnlinkedCodeBlock::hasCapturedVariables): Deleted.
        (JSC::UnlinkedCodeBlock::firstLine): Deleted.
        (JSC::UnlinkedCodeBlock::lineCount): Deleted.
        (JSC::UnlinkedCodeBlock::startColumn): Deleted.
        (JSC::UnlinkedCodeBlock::endColumn): Deleted.
        (JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset): Deleted.
        (JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets): Deleted.
        (JSC::UnlinkedCodeBlock::hasOpProfileControlFlowBytecodeOffsets): Deleted.
        (JSC::UnlinkedCodeBlock::wasCompiledWithDebuggingOpcodes): Deleted.
        (JSC::UnlinkedCodeBlock::didOptimize): Deleted.
        (JSC::UnlinkedCodeBlock::setDidOptimize): Deleted.
        (JSC::UnlinkedCodeBlock::finishCreation): Deleted.
        (JSC::UnlinkedCodeBlock::createRareDataIfNecessary): Deleted.
        (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock): Deleted.
        * bytecode/UnlinkedProgramCodeBlock.cpp: Copied from Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp.
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): Deleted.
        (JSC::UnlinkedCodeBlock::visitChildren): Deleted.
        (JSC::UnlinkedCodeBlock::estimatedSize): Deleted.
        (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset): Deleted.
        (JSC::UnlinkedCodeBlock::getLineAndColumn): Deleted.
        (JSC::dumpLineColumnEntry): Deleted.
        (JSC::UnlinkedCodeBlock::dumpExpressionRangeInfo): Deleted.
        (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset): Deleted.
        (JSC::UnlinkedCodeBlock::addExpressionInfo): Deleted.
        (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset): Deleted.
        (JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo): Deleted.
        (JSC::UnlinkedModuleProgramCodeBlock::visitChildren): Deleted.
        (JSC::UnlinkedCodeBlock::~UnlinkedCodeBlock): Deleted.
        (JSC::UnlinkedModuleProgramCodeBlock::destroy): Deleted.
        (JSC::UnlinkedEvalCodeBlock::destroy): Deleted.
        (JSC::UnlinkedFunctionCodeBlock::destroy): Deleted.
        (JSC::UnlinkedFunctionExecutable::destroy): Deleted.
        (JSC::UnlinkedCodeBlock::setInstructions): Deleted.
        (JSC::UnlinkedCodeBlock::instructions): Deleted.
        (JSC::UnlinkedCodeBlock::handlerForBytecodeOffset): Deleted.
        (JSC::UnlinkedCodeBlock::handlerForIndex): Deleted.
        (JSC::UnlinkedCodeBlock::applyModification): Deleted.
        * bytecode/UnlinkedProgramCodeBlock.h: Copied from Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h.
        (JSC::UnlinkedStringJumpTable::offsetForValue): Deleted.
        (JSC::UnlinkedSimpleJumpTable::add): Deleted.
        (JSC::UnlinkedInstruction::UnlinkedInstruction): Deleted.
        (JSC::UnlinkedCodeBlock::isConstructor): Deleted.
        (JSC::UnlinkedCodeBlock::isStrictMode): Deleted.
        (JSC::UnlinkedCodeBlock::usesEval): Deleted.
        (JSC::UnlinkedCodeBlock::parseMode): Deleted.
        (JSC::UnlinkedCodeBlock::isArrowFunction): Deleted.
        (JSC::UnlinkedCodeBlock::derivedContextType): Deleted.
        (JSC::UnlinkedCodeBlock::evalContextType): Deleted.
        (JSC::UnlinkedCodeBlock::isArrowFunctionContext): Deleted.
        (JSC::UnlinkedCodeBlock::isClassContext): Deleted.
        (JSC::UnlinkedCodeBlock::hasExpressionInfo): Deleted.
        (JSC::UnlinkedCodeBlock::expressionInfo): Deleted.
        (JSC::UnlinkedCodeBlock::setThisRegister): Deleted.
        (JSC::UnlinkedCodeBlock::setScopeRegister): Deleted.
        (JSC::UnlinkedCodeBlock::usesGlobalObject): Deleted.
        (JSC::UnlinkedCodeBlock::setGlobalObjectRegister): Deleted.
        (JSC::UnlinkedCodeBlock::globalObjectRegister): Deleted.
        (JSC::UnlinkedCodeBlock::setNumParameters): Deleted.
        (JSC::UnlinkedCodeBlock::addParameter): Deleted.
        (JSC::UnlinkedCodeBlock::numParameters): Deleted.
        (JSC::UnlinkedCodeBlock::addRegExp): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfRegExps): Deleted.
        (JSC::UnlinkedCodeBlock::regexp): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfIdentifiers): Deleted.
        (JSC::UnlinkedCodeBlock::addIdentifier): Deleted.
        (JSC::UnlinkedCodeBlock::identifier): Deleted.
        (JSC::UnlinkedCodeBlock::identifiers): Deleted.
        (JSC::UnlinkedCodeBlock::addConstant): Deleted.
        (JSC::UnlinkedCodeBlock::registerIndexForLinkTimeConstant): Deleted.
        (JSC::UnlinkedCodeBlock::constantRegisters): Deleted.
        (JSC::UnlinkedCodeBlock::constantRegister): Deleted.
        (JSC::UnlinkedCodeBlock::isConstantRegisterIndex): Deleted.
        (JSC::UnlinkedCodeBlock::constantsSourceCodeRepresentation): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfJumpTargets): Deleted.
        (JSC::UnlinkedCodeBlock::addJumpTarget): Deleted.
        (JSC::UnlinkedCodeBlock::jumpTarget): Deleted.
        (JSC::UnlinkedCodeBlock::lastJumpTarget): Deleted.
        (JSC::UnlinkedCodeBlock::isBuiltinFunction): Deleted.
        (JSC::UnlinkedCodeBlock::constructorKind): Deleted.
        (JSC::UnlinkedCodeBlock::superBinding): Deleted.
        (JSC::UnlinkedCodeBlock::scriptMode): Deleted.
        (JSC::UnlinkedCodeBlock::shrinkToFit): Deleted.
        (JSC::UnlinkedCodeBlock::numCalleeLocals): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfSwitchJumpTables): Deleted.
        (JSC::UnlinkedCodeBlock::addSwitchJumpTable): Deleted.
        (JSC::UnlinkedCodeBlock::switchJumpTable): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfStringSwitchJumpTables): Deleted.
        (JSC::UnlinkedCodeBlock::addStringSwitchJumpTable): Deleted.
        (JSC::UnlinkedCodeBlock::stringSwitchJumpTable): Deleted.
        (JSC::UnlinkedCodeBlock::addFunctionDecl): Deleted.
        (JSC::UnlinkedCodeBlock::functionDecl): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfFunctionDecls): Deleted.
        (JSC::UnlinkedCodeBlock::addFunctionExpr): Deleted.
        (JSC::UnlinkedCodeBlock::functionExpr): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfFunctionExprs): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfExceptionHandlers): Deleted.
        (JSC::UnlinkedCodeBlock::addExceptionHandler): Deleted.
        (JSC::UnlinkedCodeBlock::exceptionHandler): Deleted.
        (JSC::UnlinkedCodeBlock::addArrayProfile): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfArrayProfiles): Deleted.
        (JSC::UnlinkedCodeBlock::addArrayAllocationProfile): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfArrayAllocationProfiles): Deleted.
        (JSC::UnlinkedCodeBlock::addObjectAllocationProfile): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfObjectAllocationProfiles): Deleted.
        (JSC::UnlinkedCodeBlock::addValueProfile): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfValueProfiles): Deleted.
        (JSC::UnlinkedCodeBlock::addLLIntCallLinkInfo): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfLLintCallLinkInfos): Deleted.
        (JSC::UnlinkedCodeBlock::codeType): Deleted.
        (JSC::UnlinkedCodeBlock::thisRegister): Deleted.
        (JSC::UnlinkedCodeBlock::scopeRegister): Deleted.
        (JSC::UnlinkedCodeBlock::addPropertyAccessInstruction): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfPropertyAccessInstructions): Deleted.
        (JSC::UnlinkedCodeBlock::propertyAccessInstructions): Deleted.
        (JSC::UnlinkedCodeBlock::constantBufferCount): Deleted.
        (JSC::UnlinkedCodeBlock::addConstantBuffer): Deleted.
        (JSC::UnlinkedCodeBlock::constantBuffer): Deleted.
        (JSC::UnlinkedCodeBlock::hasRareData): Deleted.
        (JSC::UnlinkedCodeBlock::recordParse): Deleted.
        (JSC::UnlinkedCodeBlock::sourceURLDirective): Deleted.
        (JSC::UnlinkedCodeBlock::sourceMappingURLDirective): Deleted.
        (JSC::UnlinkedCodeBlock::setSourceURLDirective): Deleted.
        (JSC::UnlinkedCodeBlock::setSourceMappingURLDirective): Deleted.
        (JSC::UnlinkedCodeBlock::codeFeatures): Deleted.
        (JSC::UnlinkedCodeBlock::hasCapturedVariables): Deleted.
        (JSC::UnlinkedCodeBlock::firstLine): Deleted.
        (JSC::UnlinkedCodeBlock::lineCount): Deleted.
        (JSC::UnlinkedCodeBlock::startColumn): Deleted.
        (JSC::UnlinkedCodeBlock::endColumn): Deleted.
        (JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset): Deleted.
        (JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets): Deleted.
        (JSC::UnlinkedCodeBlock::hasOpProfileControlFlowBytecodeOffsets): Deleted.
        (JSC::UnlinkedCodeBlock::wasCompiledWithDebuggingOpcodes): Deleted.
        (JSC::UnlinkedCodeBlock::didOptimize): Deleted.
        (JSC::UnlinkedCodeBlock::setDidOptimize): Deleted.
        (JSC::UnlinkedCodeBlock::finishCreation): Deleted.
        (JSC::UnlinkedCodeBlock::createRareDataIfNecessary): Deleted.
        (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock): Deleted.
        * bytecompiler/BytecodeGenerator.cpp:
        * runtime/CodeCache.cpp:
        * runtime/EvalExecutable.h:
        * runtime/JSModuleRecord.cpp:

2016-11-02  Saam Barati  <sbarati@apple.com>

        Allocation elimination of rest parameter doesn't take into account indexed properties on Array.prototype/Object.prototype
        https://bugs.webkit.org/show_bug.cgi?id=164301

        Reviewed by Geoffrey Garen.

        We weren't taking into account indexed properties on the __proto__
        of the rest parameter. This made the code for doing out of bound
        accesses incorrect since it just assumed it's safe for the result of
        an out of bound access to be undefined. This broke the semantics
        of JS code when there was an indexed property on the Array.prototype
        or Object.prototype.

        This patch makes sure we set up the proper watchpoints for making
        sure out of bound accesses are safe to return undefined.

        * dfg/DFGArgumentsEliminationPhase.cpp:
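
An added example (not from the ChangeLog or from JavaScriptCore) showing the semantics the rest-parameter elimination above has to preserve: an out-of-bounds read on a rest array falls through to the prototype chain, so it is only `undefined` while neither Array.prototype nor Object.prototype has a property at that index. The function names are the example's own, and the warm-up loop merely stands in for the tier-up that precedes DFG compilation; it does not by itself force any engine to optimize.

```javascript
"use strict";

// Reads `index` from the rest array. Callers below pass two extra
// arguments, so any index >= 2 is out of bounds on the array itself and
// the lookup continues on Array.prototype and then Object.prototype.
function readRest(index, ...rest) {
    return rest[index];
}

// Calls readRest many times, the kind of hot-path usage in which a tiering
// JIT would have compiled it and considered eliminating the rest-array
// allocation, then returns the value of the last read.
function warmAndRead(index) {
    let result;
    for (let i = 0; i < 10000; i++)
        result = readRest(index, "a", "b"); // rest.length === 2
    return result;
}

// Observes the out-of-bounds read before and after an indexed property is
// installed on `proto` (Array.prototype or Object.prototype). An optimizer
// that hard-codes `undefined` for the out-of-bounds case without a
// watchpoint on these prototypes would keep returning `before` after the
// property appears. The property is removed again so nothing else in the
// program is affected.
function observe(proto, index, sentinel) {
    const before = warmAndRead(index);
    Object.defineProperty(proto, index, {
        value: sentinel, configurable: true, writable: true, enumerable: false,
    });
    try {
        return {
            before,
            after: warmAndRead(index),
            // In-bounds reads are unaffected by the prototype property.
            inBounds: readRest(0, "a", "b"),
        };
    } finally {
        delete proto[index];
    }
}

// With index 5 and rest.length 2 the read is out of bounds: `before` is
// undefined and `after` is the sentinel found on the prototype chain.
function demo() {
    return {
        fromArrayProto: observe(Array.prototype, 5, "from Array.prototype"),
        fromObjectProto: observe(Object.prototype, 5, "from Object.prototype"),
    };
}
```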

2016-11-02  Geoffrey Garen  <ggaren@apple.com>

        One file per class for CodeBlock.h/.cpp
        https://bugs.webkit.org/show_bug.cgi?id=164343

        Reviewed by Andreas Kling.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CallLinkInfo.cpp:
        * bytecode/CodeBlock.cpp:
        (JSC::FunctionCodeBlock::destroy): Deleted.
        (JSC::WebAssemblyCodeBlock::destroy): Deleted.
        (JSC::ProgramCodeBlock::destroy): Deleted.
        (JSC::ModuleProgramCodeBlock::destroy): Deleted.
        (JSC::EvalCodeBlock::destroy): Deleted.
        * bytecode/CodeBlock.h:
        (JSC::GlobalCodeBlock::GlobalCodeBlock): Deleted.
        (JSC::ProgramCodeBlock::create): Deleted.
        (JSC::ProgramCodeBlock::createStructure): Deleted.
        (JSC::ProgramCodeBlock::ProgramCodeBlock): Deleted.
        (JSC::ModuleProgramCodeBlock::create): Deleted.
        (JSC::ModuleProgramCodeBlock::createStructure): Deleted.
        (JSC::ModuleProgramCodeBlock::ModuleProgramCodeBlock): Deleted.
        (JSC::EvalCodeBlock::create): Deleted.
        (JSC::EvalCodeBlock::createStructure): Deleted.
        (JSC::EvalCodeBlock::variable): Deleted.
        (JSC::EvalCodeBlock::numVariables): Deleted.
        (JSC::EvalCodeBlock::EvalCodeBlock): Deleted.
        (JSC::EvalCodeBlock::unlinkedEvalCodeBlock): Deleted.
        (JSC::FunctionCodeBlock::create): Deleted.
        (JSC::FunctionCodeBlock::createStructure): Deleted.
        (JSC::FunctionCodeBlock::FunctionCodeBlock): Deleted.
        (JSC::WebAssemblyCodeBlock::create): Deleted.
        (JSC::WebAssemblyCodeBlock::createStructure): Deleted.
        (JSC::WebAssemblyCodeBlock::WebAssemblyCodeBlock): Deleted.
        (JSC::ScriptExecutable::forEachCodeBlock): Deleted.
        * bytecode/EvalCodeBlock.cpp: Copied from Source/JavaScriptCore/bytecode/CodeBlock.cpp.
        (JSC::FunctionCodeBlock::destroy): Deleted.
        (JSC::WebAssemblyCodeBlock::destroy): Deleted.
        (JSC::ProgramCodeBlock::destroy): Deleted.
        (JSC::ModuleProgramCodeBlock::destroy): Deleted.
        (JSC::CodeBlock::inferredName): Deleted.
        (JSC::CodeBlock::hasHash): Deleted.
        (JSC::CodeBlock::isSafeToComputeHash): Deleted.
        (JSC::CodeBlock::hash): Deleted.
        (JSC::CodeBlock::sourceCodeForTools): Deleted.
        (JSC::CodeBlock::sourceCodeOnOneLine): Deleted.
        (JSC::CodeBlock::hashAsStringIfPossible): Deleted.
        (JSC::CodeBlock::dumpAssumingJITType): Deleted.
        (JSC::CodeBlock::dump): Deleted.
        (JSC::idName): Deleted.
        (JSC::CodeBlock::registerName): Deleted.
        (JSC::CodeBlock::constantName): Deleted.
        (JSC::regexpToSourceString): Deleted.
        (JSC::regexpName): Deleted.
        (JSC::debugHookName): Deleted.
        (JSC::CodeBlock::printUnaryOp): Deleted.
        (JSC::CodeBlock::printBinaryOp): Deleted.
        (JSC::CodeBlock::printConditionalJump): Deleted.
        (JSC::CodeBlock::printGetByIdOp): Deleted.
        (JSC::dumpStructure): Deleted.
        (JSC::dumpChain): Deleted.
        (JSC::CodeBlock::printGetByIdCacheStatus): Deleted.
        (JSC::CodeBlock::printPutByIdCacheStatus): Deleted.
        (JSC::CodeBlock::printCallOp): Deleted.
        (JSC::CodeBlock::printPutByIdOp): Deleted.
        (JSC::CodeBlock::dumpSource): Deleted.
        (JSC::CodeBlock::dumpBytecode): Deleted.
        (JSC::CodeBlock::dumpExceptionHandlers): Deleted.
        (JSC::CodeBlock::beginDumpProfiling): Deleted.
        (JSC::CodeBlock::dumpValueProfiling): Deleted.
        (JSC::CodeBlock::dumpArrayProfiling): Deleted.
        (JSC::CodeBlock::dumpRareCaseProfile): Deleted.
        (JSC::CodeBlock::dumpArithProfile): Deleted.
        (JSC::CodeBlock::printLocationAndOp): Deleted.
        (JSC::CodeBlock::printLocationOpAndRegisterOperand): Deleted.
        (JSC::sizeInBytes): Deleted.
        (JSC::CodeBlock::CodeBlock): Deleted.
        (JSC::CodeBlock::finishCreation): Deleted.
        (JSC::CodeBlock::~CodeBlock): Deleted.
        (JSC::CodeBlock::setConstantRegisters): Deleted.
        (JSC::CodeBlock::setAlternative): Deleted.
        (JSC::CodeBlock::setNumParameters): Deleted.
        (JSC::EvalCodeCache::visitAggregate): Deleted.
        (JSC::CodeBlock::specialOSREntryBlockOrNull): Deleted.
        (JSC::CodeBlock::visitWeakly): Deleted.
        (JSC::CodeBlock::estimatedSize): Deleted.
        (JSC::CodeBlock::visitChildren): Deleted.
        (JSC::CodeBlock::shouldVisitStrongly): Deleted.
        (JSC::CodeBlock::shouldJettisonDueToWeakReference): Deleted.
        (JSC::timeToLive): Deleted.
        (JSC::CodeBlock::shouldJettisonDueToOldAge): Deleted.
        (JSC::shouldMarkTransition): Deleted.
        (JSC::CodeBlock::propagateTransitions): Deleted.
        (JSC::CodeBlock::determineLiveness): Deleted.
        (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences): Deleted.
        (JSC::CodeBlock::clearLLIntGetByIdCache): Deleted.
        (JSC::CodeBlock::finalizeLLIntInlineCaches): Deleted.
        (JSC::CodeBlock::finalizeBaselineJITInlineCaches): Deleted.
        (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
        (JSC::CodeBlock::getStubInfoMap): Deleted.
        (JSC::CodeBlock::getCallLinkInfoMap): Deleted.
        (JSC::CodeBlock::getByValInfoMap): Deleted.
        (JSC::CodeBlock::addStubInfo): Deleted.
        (JSC::CodeBlock::addJITAddIC): Deleted.
        (JSC::CodeBlock::addJITMulIC): Deleted.
        (JSC::CodeBlock::addJITSubIC): Deleted.
        (JSC::CodeBlock::addJITNegIC): Deleted.
        (JSC::CodeBlock::findStubInfo): Deleted.
        (JSC::CodeBlock::addByValInfo): Deleted.
        (JSC::CodeBlock::addCallLinkInfo): Deleted.
        (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex): Deleted.
        (JSC::CodeBlock::resetJITData): Deleted.
        (JSC::CodeBlock::visitOSRExitTargets): Deleted.
        (JSC::CodeBlock::stronglyVisitStrongReferences): Deleted.
        (JSC::CodeBlock::stronglyVisitWeakReferences): Deleted.
        (JSC::CodeBlock::baselineAlternative): Deleted.
        (JSC::CodeBlock::baselineVersion): Deleted.
        (JSC::CodeBlock::hasOptimizedReplacement): Deleted.
        (JSC::CodeBlock::handlerForBytecodeOffset): Deleted.
        (JSC::CodeBlock::handlerForIndex): Deleted.
        (JSC::CodeBlock::newExceptionHandlingCallSiteIndex): Deleted.
        (JSC::CodeBlock::removeExceptionHandlerForCallSite): Deleted.
        (JSC::CodeBlock::lineNumberForBytecodeOffset): Deleted.
        (JSC::CodeBlock::columnNumberForBytecodeOffset): Deleted.
        (JSC::CodeBlock::expressionRangeForBytecodeOffset): Deleted.
        (JSC::CodeBlock::hasOpDebugForLineAndColumn): Deleted.
        (JSC::CodeBlock::shrinkToFit): Deleted.
        (JSC::CodeBlock::linkIncomingCall): Deleted.
        (JSC::CodeBlock::linkIncomingPolymorphicCall): Deleted.
        (JSC::CodeBlock::unlinkIncomingCalls): Deleted.
        (JSC::CodeBlock::newReplacement): Deleted.
        (JSC::CodeBlock::replacement): Deleted.
        (JSC::CodeBlock::computeCapabilityLevel): Deleted.
        (JSC::CodeBlock::jettison): Deleted.
        (JSC::CodeBlock::globalObjectFor): Deleted.
        (JSC::RecursionCheckFunctor::RecursionCheckFunctor): Deleted.
        (JSC::RecursionCheckFunctor::operator()): Deleted.
        (JSC::RecursionCheckFunctor::didRecurse): Deleted.
        (JSC::CodeBlock::noticeIncomingCall): Deleted.
        (JSC::CodeBlock::reoptimizationRetryCounter): Deleted.
        (JSC::CodeBlock::setCalleeSaveRegisters): Deleted.
        (JSC::roundCalleeSaveSpaceAsVirtualRegisters): Deleted.
        (JSC::CodeBlock::llintBaselineCalleeSaveSpaceAsVirtualRegisters): Deleted.
        (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters): Deleted.
        (JSC::CodeBlock::countReoptimization): Deleted.
        (JSC::CodeBlock::numberOfDFGCompiles): Deleted.
        (JSC::CodeBlock::codeTypeThresholdMultiplier): Deleted.
        (JSC::CodeBlock::optimizationThresholdScalingFactor): Deleted.
        (JSC::clipThreshold): Deleted.
        (JSC::CodeBlock::adjustedCounterValue): Deleted.
        (JSC::CodeBlock::checkIfOptimizationThresholdReached): Deleted.
        (JSC::CodeBlock::optimizeNextInvocation): Deleted.
        (JSC::CodeBlock::dontOptimizeAnytimeSoon): Deleted.
        (JSC::CodeBlock::optimizeAfterWarmUp): Deleted.
        (JSC::CodeBlock::optimizeAfterLongWarmUp): Deleted.
        (JSC::CodeBlock::optimizeSoon): Deleted.
        (JSC::CodeBlock::forceOptimizationSlowPathConcurrently): Deleted.
        (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult): Deleted.
        (JSC::CodeBlock::adjustedExitCountThreshold): Deleted.
        (JSC::CodeBlock::exitCountThresholdForReoptimization): Deleted.
        (JSC::CodeBlock::exitCountThresholdForReoptimizationFromLoop): Deleted.
        (JSC::CodeBlock::shouldReoptimizeNow): Deleted.
        (JSC::CodeBlock::shouldReoptimizeFromLoopNow): Deleted.
        (JSC::CodeBlock::getArrayProfile): Deleted.
        (JSC::CodeBlock::addArrayProfile): Deleted.
        (JSC::CodeBlock::getOrAddArrayProfile): Deleted.
        (JSC::CodeBlock::codeOrigins): Deleted.
        (JSC::CodeBlock::numberOfDFGIdentifiers): Deleted.
        (JSC::CodeBlock::identifier): Deleted.
        (JSC::CodeBlock::updateAllPredictionsAndCountLiveness): Deleted.
        (JSC::CodeBlock::updateAllValueProfilePredictions): Deleted.
        (JSC::CodeBlock::updateAllArrayPredictions): Deleted.
        (JSC::CodeBlock::updateAllPredictions): Deleted.
        (JSC::CodeBlock::shouldOptimizeNow): Deleted.
        (JSC::CodeBlock::tallyFrequentExitSites): Deleted.
        (JSC::CodeBlock::dumpValueProfiles): Deleted.
        (JSC::CodeBlock::frameRegisterCount): Deleted.
        (JSC::CodeBlock::stackPointerOffset): Deleted.
        (JSC::CodeBlock::predictedMachineCodeSize): Deleted.
        (JSC::CodeBlock::usesOpcode): Deleted.
        (JSC::CodeBlock::nameForRegister): Deleted.
        (JSC::CodeBlock::valueProfileForBytecodeOffset): Deleted.
        (JSC::CodeBlock::validate): Deleted.
        (JSC::CodeBlock::beginValidationDidFail): Deleted.
        (JSC::CodeBlock::endValidationDidFail): Deleted.
        (JSC::CodeBlock::addBreakpoint): Deleted.
        (JSC::CodeBlock::setSteppingMode): Deleted.
        (JSC::CodeBlock::addRareCaseProfile): Deleted.
        (JSC::CodeBlock::rareCaseProfileForBytecodeOffset): Deleted.
        (JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset): Deleted.
        (JSC::CodeBlock::arithProfileForBytecodeOffset): Deleted.
        (JSC::CodeBlock::arithProfileForPC): Deleted.
        (JSC::CodeBlock::couldTakeSpecialFastCase): Deleted.
        (JSC::CodeBlock::capabilityLevel): Deleted.
        (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler): Deleted.
        (JSC::CodeBlock::setPCToCodeOriginMap): Deleted.
        (JSC::CodeBlock::findPC): Deleted.
        (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex): Deleted.
        (JSC::CodeBlock::thresholdForJIT): Deleted.
        (JSC::CodeBlock::jitAfterWarmUp): Deleted.
        (JSC::CodeBlock::jitSoon): Deleted.
        (JSC::CodeBlock::dumpMathICStats): Deleted.
        (JSC::CodeBlock::livenessAnalysisSlow): Deleted.
        * bytecode/EvalCodeBlock.h: Copied from Source/JavaScriptCore/bytecode/CodeBlock.h.
        (): Deleted.
        (JSC::CodeBlock::unlinkedCodeBlock): Deleted.
        (JSC::CodeBlock::numParameters): Deleted.
        (JSC::CodeBlock::numCalleeLocals): Deleted.
        (JSC::CodeBlock::addressOfNumParameters): Deleted.
        (JSC::CodeBlock::offsetOfNumParameters): Deleted.
        (JSC::CodeBlock::alternative): Deleted.
        (JSC::CodeBlock::forEachRelatedCodeBlock): Deleted.
        (JSC::CodeBlock::specializationKind): Deleted.
        (JSC::CodeBlock::isStrictMode): Deleted.
        (JSC::CodeBlock::ecmaMode): Deleted.
        (JSC::CodeBlock::isKnownNotImmediate): Deleted.
        (JSC::CodeBlock::isTemporaryRegisterIndex): Deleted.
        (JSC::CodeBlock::stubInfoBegin): Deleted.
        (JSC::CodeBlock::stubInfoEnd): Deleted.
        (JSC::CodeBlock::callLinkInfosBegin): Deleted.
        (JSC::CodeBlock::callLinkInfosEnd): Deleted.
        (JSC::CodeBlock::setJITCodeMap): Deleted.
        (JSC::CodeBlock::jitCodeMap): Deleted.
        (JSC::CodeBlock::bytecodeOffset): Deleted.
        (JSC::CodeBlock::numberOfInstructions): Deleted.
        (JSC::CodeBlock::instructions): Deleted.
        (JSC::CodeBlock::instructionCount): Deleted.
        (JSC::CodeBlock::setJITCode): Deleted.
        (JSC::CodeBlock::jitCode): Deleted.
        (JSC::CodeBlock::jitCodeOffset): Deleted.
        (JSC::CodeBlock::jitType): Deleted.
        (JSC::CodeBlock::hasBaselineJITProfiling): Deleted.
        (JSC::CodeBlock::capabilityLevelState): Deleted.
        (JSC::CodeBlock::ownerExecutable): Deleted.
        (JSC::CodeBlock::ownerScriptExecutable): Deleted.
        (JSC::CodeBlock::vm): Deleted.
        (JSC::CodeBlock::setThisRegister): Deleted.
        (JSC::CodeBlock::thisRegister): Deleted.
        (JSC::CodeBlock::usesEval): Deleted.
        (JSC::CodeBlock::setScopeRegister): Deleted.
        (JSC::CodeBlock::scopeRegister): Deleted.
        (JSC::CodeBlock::codeType): Deleted.
        (JSC::CodeBlock::putByIdContext): Deleted.
        (JSC::CodeBlock::source): Deleted.
        (JSC::CodeBlock::sourceOffset): Deleted.
        (JSC::CodeBlock::firstLineColumnOffset): Deleted.
        (JSC::CodeBlock::numberOfJumpTargets): Deleted.
        (JSC::CodeBlock::jumpTarget): Deleted.
        (JSC::CodeBlock::numberOfArgumentValueProfiles): Deleted.
        (JSC::CodeBlock::valueProfileForArgument): Deleted.
        (JSC::CodeBlock::numberOfValueProfiles): Deleted.
        (JSC::CodeBlock::valueProfile): Deleted.
        (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset): Deleted.
        (JSC::CodeBlock::totalNumberOfValueProfiles): Deleted.
        (JSC::CodeBlock::getFromAllValueProfiles): Deleted.
        (JSC::CodeBlock::numberOfRareCaseProfiles): Deleted.
        (JSC::CodeBlock::likelyToTakeSlowCase): Deleted.
        (JSC::CodeBlock::couldTakeSlowCase): Deleted.
        (JSC::CodeBlock::numberOfArrayProfiles): Deleted.
        (JSC::CodeBlock::arrayProfiles): Deleted.
        (JSC::CodeBlock::numberOfExceptionHandlers): Deleted.
        (JSC::CodeBlock::exceptionHandler): Deleted.
        (JSC::CodeBlock::hasExpressionInfo): Deleted.
        (JSC::CodeBlock::hasCodeOrigins): Deleted.
        (JSC::CodeBlock::canGetCodeOrigin): Deleted.
        (JSC::CodeBlock::codeOrigin): Deleted.
        (JSC::CodeBlock::addFrequentExitSite): Deleted.
        (JSC::CodeBlock::hasExitSite): Deleted.
        (JSC::CodeBlock::exitProfile): Deleted.
        (JSC::CodeBlock::lazyOperandValueProfiles): Deleted.
        (JSC::CodeBlock::numberOfIdentifiers): Deleted.
        (JSC::CodeBlock::identifier): Deleted.
        (JSC::CodeBlock::constants): Deleted.
        (JSC::CodeBlock::constantsSourceCodeRepresentation): Deleted.
        (JSC::CodeBlock::addConstant): Deleted.
        (JSC::CodeBlock::addConstantLazily): Deleted.
        (JSC::CodeBlock::constantRegister): Deleted.
        (JSC::CodeBlock::isConstantRegisterIndex): Deleted.
        (JSC::CodeBlock::getConstant): Deleted.
        (JSC::CodeBlock::constantSourceCodeRepresentation): Deleted.
        (JSC::CodeBlock::functionDecl): Deleted.
        (JSC::CodeBlock::numberOfFunctionDecls): Deleted.
        (JSC::CodeBlock::functionExpr): Deleted.
        (JSC::CodeBlock::regexp): Deleted.
        (JSC::CodeBlock::numberOfConstantBuffers): Deleted.
        (JSC::CodeBlock::addConstantBuffer): Deleted.
        (JSC::CodeBlock::constantBufferAsVector): Deleted.
        (JSC::CodeBlock::constantBuffer): Deleted.
        (JSC::CodeBlock::heap): Deleted.
        (JSC::CodeBlock::globalObject): Deleted.
        (JSC::CodeBlock::livenessAnalysis): Deleted.
        (JSC::CodeBlock::numberOfSwitchJumpTables): Deleted.
        (JSC::CodeBlock::addSwitchJumpTable): Deleted.
        (JSC::CodeBlock::switchJumpTable): Deleted.
        (JSC::CodeBlock::clearSwitchJumpTables): Deleted.
        (JSC::CodeBlock::numberOfStringSwitchJumpTables): Deleted.
        (JSC::CodeBlock::addStringSwitchJumpTable): Deleted.
        (JSC::CodeBlock::stringSwitchJumpTable): Deleted.
        (JSC::CodeBlock::evalCodeCache): Deleted.
        (JSC::CodeBlock::checkIfJITThresholdReached): Deleted.
        (JSC::CodeBlock::dontJITAnytimeSoon): Deleted.
        (JSC::CodeBlock::llintExecuteCounter): Deleted.
        (JSC::CodeBlock::llintGetByIdWatchpointMap): Deleted.
        (JSC::CodeBlock::numberOfLLIntBaselineCalleeSaveRegisters): Deleted.
        (JSC::CodeBlock::addressOfJITExecuteCounter): Deleted.
        (JSC::CodeBlock::offsetOfJITExecuteCounter): Deleted.
        (JSC::CodeBlock::offsetOfJITExecutionActiveThreshold): Deleted.
        (JSC::CodeBlock::offsetOfJITExecutionTotalCount): Deleted.
        (JSC::CodeBlock::jitExecuteCounter): Deleted.
        (JSC::CodeBlock::optimizationDelayCounter): Deleted.
        (JSC::CodeBlock::osrExitCounter): Deleted.
        (JSC::CodeBlock::countOSRExit): Deleted.
        (JSC::CodeBlock::addressOfOSRExitCounter): Deleted.
        (JSC::CodeBlock::offsetOfOSRExitCounter): Deleted.
        (JSC::CodeBlock::calleeSaveRegisters): Deleted.
        (JSC::CodeBlock::llintBaselineCalleeSaveSpaceAsVirtualRegisters): Deleted.
        (JSC::CodeBlock::optimizeAfterWarmUp): Deleted.
        (JSC::CodeBlock::numberOfDFGCompiles): Deleted.
3605         (JSC::CodeBlock::hasDebuggerRequests): Deleted.
3606         (JSC::CodeBlock::debuggerRequestsAddress): Deleted.
3607         (JSC::CodeBlock::removeBreakpoint): Deleted.
3608         (JSC::CodeBlock::clearDebuggerRequests): Deleted.
3609         (JSC::CodeBlock::wasCompiledWithDebuggingOpcodes): Deleted.
3610         (JSC::CodeBlock::clearExceptionHandlers): Deleted.
3611         (JSC::CodeBlock::appendExceptionHandler): Deleted.
3612         (JSC::CodeBlock::tallyFrequentExitSites): Deleted.
3613         (JSC::CodeBlock::replaceConstant): Deleted.
3614         (JSC::CodeBlock::timeSinceCreation): Deleted.
3615         (JSC::CodeBlock::createRareDataIfNecessary): Deleted.
3616         (JSC::GlobalCodeBlock::GlobalCodeBlock): Deleted.
3617         (JSC::ProgramCodeBlock::create): Deleted.
3618         (JSC::ProgramCodeBlock::createStructure): Deleted.
3619         (JSC::ProgramCodeBlock::ProgramCodeBlock): Deleted.
3620         (JSC::ModuleProgramCodeBlock::create): Deleted.
3621         (JSC::ModuleProgramCodeBlock::createStructure): Deleted.
3622         (JSC::ModuleProgramCodeBlock::ModuleProgramCodeBlock): Deleted.
3623         (JSC::FunctionCodeBlock::create): Deleted.
3624         (JSC::FunctionCodeBlock::createStructure): Deleted.
3625         (JSC::FunctionCodeBlock::FunctionCodeBlock): Deleted.
3626         (JSC::WebAssemblyCodeBlock::create): Deleted.
3627         (JSC::WebAssemblyCodeBlock::createStructure): Deleted.
3628         (JSC::WebAssemblyCodeBlock::WebAssemblyCodeBlock): Deleted.
3629         (JSC::ExecState::r): Deleted.
3630         (JSC::ExecState::uncheckedR): Deleted.
3631         (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled): Deleted.
3632         (JSC::ScriptExecutable::forEachCodeBlock): Deleted.
3633         (JSC::ScriptExecutable::prepareForExecution): Deleted.
3634         * bytecode/FunctionCodeBlock.cpp: Copied from Source/JavaScriptCore/bytecode/CodeBlock.cpp.
3635         (JSC::WebAssemblyCodeBlock::destroy): Deleted.
3636         (JSC::ProgramCodeBlock::destroy): Deleted.
3637         (JSC::ModuleProgramCodeBlock::destroy): Deleted.
3638         (JSC::EvalCodeBlock::destroy): Deleted.
3639         (JSC::CodeBlock::inferredName): Deleted.
3640         (JSC::CodeBlock::hasHash): Deleted.
3641         (JSC::CodeBlock::isSafeToComputeHash): Deleted.
3642         (JSC::CodeBlock::hash): Deleted.
3643         (JSC::CodeBlock::sourceCodeForTools): Deleted.
3644         (JSC::CodeBlock::sourceCodeOnOneLine): Deleted.
3645         (JSC::CodeBlock::hashAsStringIfPossible): Deleted.
3646         (JSC::CodeBlock::dumpAssumingJITType): Deleted.
3647         (JSC::CodeBlock::dump): Deleted.
3648         (JSC::idName): Deleted.
3649         (JSC::CodeBlock::registerName): Deleted.
3650         (JSC::CodeBlock::constantName): Deleted.
3651         (JSC::regexpToSourceString): Deleted.
3652         (JSC::regexpName): Deleted.
3653         (JSC::debugHookName): Deleted.
3654         (JSC::CodeBlock::printUnaryOp): Deleted.
3655         (JSC::CodeBlock::printBinaryOp): Deleted.
3656         (JSC::CodeBlock::printConditionalJump): Deleted.
3657         (JSC::CodeBlock::printGetByIdOp): Deleted.
3658         (JSC::dumpStructure): Deleted.
3659         (JSC::dumpChain): Deleted.
3660         (JSC::CodeBlock::printGetByIdCacheStatus): Deleted.
3661         (JSC::CodeBlock::printPutByIdCacheStatus): Deleted.
3662         (JSC::CodeBlock::printCallOp): Deleted.
3663         (JSC::CodeBlock::printPutByIdOp): Deleted.
3664         (JSC::CodeBlock::dumpSource): Deleted.
3665         (JSC::CodeBlock::dumpBytecode): Deleted.
3666         (JSC::CodeBlock::dumpExceptionHandlers): Deleted.
3667         (JSC::CodeBlock::beginDumpProfiling): Deleted.
3668         (JSC::CodeBlock::dumpValueProfiling): Deleted.
3669         (JSC::CodeBlock::dumpArrayProfiling): Deleted.
3670         (JSC::CodeBlock::dumpRareCaseProfile): Deleted.
3671         (JSC::CodeBlock::dumpArithProfile): Deleted.
3672         (JSC::CodeBlock::printLocationAndOp): Deleted.
3673         (JSC::CodeBlock::printLocationOpAndRegisterOperand): Deleted.
3674         (JSC::sizeInBytes): Deleted.
3675         (JSC::CodeBlock::CodeBlock): Deleted.
3676         (JSC::CodeBlock::finishCreation): Deleted.
3677         (JSC::CodeBlock::~CodeBlock): Deleted.
3678         (JSC::CodeBlock::setConstantRegisters): Deleted.
3679         (JSC::CodeBlock::setAlternative): Deleted.
3680         (JSC::CodeBlock::setNumParameters): Deleted.
3681         (JSC::EvalCodeCache::visitAggregate): Deleted.
3682         (JSC::CodeBlock::specialOSREntryBlockOrNull): Deleted.
3683         (JSC::CodeBlock::visitWeakly): Deleted.
3684         (JSC::CodeBlock::estimatedSize): Deleted.
3685         (JSC::CodeBlock::visitChildren): Deleted.
3686         (JSC::CodeBlock::shouldVisitStrongly): Deleted.
3687         (JSC::CodeBlock::shouldJettisonDueToWeakReference): Deleted.
3688         (JSC::timeToLive): Deleted.
3689         (JSC::CodeBlock::shouldJettisonDueToOldAge): Deleted.
3690         (JSC::shouldMarkTransition): Deleted.
3691         (JSC::CodeBlock::propagateTransitions): Deleted.
3692         (JSC::CodeBlock::determineLiveness): Deleted.
3693         (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences): Deleted.
3694         (JSC::CodeBlock::clearLLIntGetByIdCache): Deleted.
3695         (JSC::CodeBlock::finalizeLLIntInlineCaches): Deleted.
3696         (JSC::CodeBlock::finalizeBaselineJITInlineCaches): Deleted.
3697         (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
3698         (JSC::CodeBlock::getStubInfoMap): Deleted.
3699         (JSC::CodeBlock::getCallLinkInfoMap): Deleted.
3700         (JSC::CodeBlock::getByValInfoMap): Deleted.
3701         (JSC::CodeBlock::addStubInfo): Deleted.
3702         (JSC::CodeBlock::addJITAddIC): Deleted.
3703         (JSC::CodeBlock::addJITMulIC): Deleted.
3704         (JSC::CodeBlock::addJITSubIC): Deleted.
3705         (JSC::CodeBlock::addJITNegIC): Deleted.
3706         (JSC::CodeBlock::findStubInfo): Deleted.
3707         (JSC::CodeBlock::addByValInfo): Deleted.
3708         (JSC::CodeBlock::addCallLinkInfo): Deleted.
3709         (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex): Deleted.
3710         (JSC::CodeBlock::resetJITData): Deleted.
3711         (JSC::CodeBlock::visitOSRExitTargets): Deleted.
3712         (JSC::CodeBlock::stronglyVisitStrongReferences): Deleted.
3713         (JSC::CodeBlock::stronglyVisitWeakReferences): Deleted.
3714         (JSC::CodeBlock::baselineAlternative): Deleted.
3715         (JSC::CodeBlock::baselineVersion): Deleted.
3716         (JSC::CodeBlock::hasOptimizedReplacement): Deleted.
3717         (JSC::CodeBlock::handlerForBytecodeOffset): Deleted.
3718         (JSC::CodeBlock::handlerForIndex): Deleted.
3719         (JSC::CodeBlock::newExceptionHandlingCallSiteIndex): Deleted.
3720         (JSC::CodeBlock::removeExceptionHandlerForCallSite): Deleted.
3721         (JSC::CodeBlock::lineNumberForBytecodeOffset): Deleted.
3722         (JSC::CodeBlock::columnNumberForBytecodeOffset): Deleted.
3723         (JSC::CodeBlock::expressionRangeForBytecodeOffset): Deleted.
3724         (JSC::CodeBlock::hasOpDebugForLineAndColumn): Deleted.
3725         (JSC::CodeBlock::shrinkToFit): Deleted.
3726         (JSC::CodeBlock::linkIncomingCall): Deleted.
3727         (JSC::CodeBlock::linkIncomingPolymorphicCall): Deleted.
3728         (JSC::CodeBlock::unlinkIncomingCalls): Deleted.
3729         (JSC::CodeBlock::newReplacement): Deleted.
3730         (JSC::CodeBlock::replacement): Deleted.
3731         (JSC::CodeBlock::computeCapabilityLevel): Deleted.
3732         (JSC::CodeBlock::jettison): Deleted.
3733         (JSC::CodeBlock::globalObjectFor): Deleted.
3734         (JSC::RecursionCheckFunctor::RecursionCheckFunctor): Deleted.
3735         (JSC::RecursionCheckFunctor::operator()): Deleted.
3736         (JSC::RecursionCheckFunctor::didRecurse): Deleted.
3737         (JSC::CodeBlock::noticeIncomingCall): Deleted.
3738         (JSC::CodeBlock::reoptimizationRetryCounter): Deleted.
3739         (JSC::CodeBlock::setCalleeSaveRegisters): Deleted.
3740         (JSC::roundCalleeSaveSpaceAsVirtualRegisters): Deleted.
3741         (JSC::CodeBlock::llintBaselineCalleeSaveSpaceAsVirtualRegisters): Deleted.
3742         (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters): Deleted.
3743         (JSC::CodeBlock::countReoptimization): Deleted.
3744         (JSC::CodeBlock::numberOfDFGCompiles): Deleted.
3745         (JSC::CodeBlock::codeTypeThresholdMultiplier): Deleted.
3746         (JSC::CodeBlock::optimizationThresholdScalingFactor): Deleted.
3747         (JSC::clipThreshold): Deleted.
3748         (JSC::CodeBlock::adjustedCounterValue): Deleted.
3749         (JSC::CodeBlock::checkIfOptimizationThresholdReached): Deleted.
3750         (JSC::CodeBlock::optimizeNextInvocation): Deleted.
3751         (JSC::CodeBlock::dontOptimizeAnytimeSoon): Deleted.
3752         (JSC::CodeBlock::optimizeAfterWarmUp): Deleted.
3753         (JSC::CodeBlock::optimizeAfterLongWarmUp): Deleted.
3754         (JSC::CodeBlock::optimizeSoon): Deleted.
3755         (JSC::CodeBlock::forceOptimizationSlowPathConcurrently): Deleted.
3756         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult): Deleted.
3757         (JSC::CodeBlock::adjustedExitCountThreshold): Deleted.
3758         (JSC::CodeBlock::exitCountThresholdForReoptimization): Deleted.
3759         (JSC::CodeBlock::exitCountThresholdForReoptimizationFromLoop): Deleted.
3760         (JSC::CodeBlock::shouldReoptimizeNow): Deleted.
3761         (JSC::CodeBlock::shouldReoptimizeFromLoopNow): Deleted.
3762         (JSC::CodeBlock::getArrayProfile): Deleted.
3763         (JSC::CodeBlock::addArrayProfile): Deleted.
3764         (JSC::CodeBlock::getOrAddArrayProfile): Deleted.
3765         (JSC::CodeBlock::codeOrigins): Deleted.
3766         (JSC::CodeBlock::numberOfDFGIdentifiers): Deleted.
3767         (JSC::CodeBlock::identifier): Deleted.
3768         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness): Deleted.
3769         (JSC::CodeBlock::updateAllValueProfilePredictions): Deleted.
3770         (JSC::CodeBlock::updateAllArrayPredictions): Deleted.
3771         (JSC::CodeBlock::updateAllPredictions): Deleted.
3772         (JSC::CodeBlock::shouldOptimizeNow): Deleted.
3773         (JSC::CodeBlock::tallyFrequentExitSites): Deleted.
3774         (JSC::CodeBlock::dumpValueProfiles): Deleted.
3775         (JSC::CodeBlock::frameRegisterCount): Deleted.
3776         (JSC::CodeBlock::stackPointerOffset): Deleted.
3777         (JSC::CodeBlock::predictedMachineCodeSize): Deleted.
3778         (JSC::CodeBlock::usesOpcode): Deleted.
3779         (JSC::CodeBlock::nameForRegister): Deleted.
3780         (JSC::CodeBlock::valueProfileForBytecodeOffset): Deleted.
3781         (JSC::CodeBlock::validate): Deleted.
3782         (JSC::CodeBlock::beginValidationDidFail): Deleted.
3783         (JSC::CodeBlock::endValidationDidFail): Deleted.
3784         (JSC::CodeBlock::addBreakpoint): Deleted.
3785         (JSC::CodeBlock::setSteppingMode): Deleted.
3786         (JSC::CodeBlock::addRareCaseProfile): Deleted.
3787         (JSC::CodeBlock::rareCaseProfileForBytecodeOffset): Deleted.
3788         (JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset): Deleted.
3789         (JSC::CodeBlock::arithProfileForBytecodeOffset): Deleted.
3790         (JSC::CodeBlock::arithProfileForPC): Deleted.
3791         (JSC::CodeBlock::couldTakeSpecialFastCase): Deleted.
3792         (JSC::CodeBlock::capabilityLevel): Deleted.