[JSC] Merge PromiseReactions
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-12-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Merge PromiseReactions
        https://bugs.webkit.org/show_bug.cgi?id=165526

        Reviewed by Sam Weinig.

        Our promise implementation has two arrays per Promise: promiseFulfillReactions and promiseRejectReactions.
        And every time we call `promise.then`, we create two promise reactions for fulfill and reject.
        However, these two reactions and the arrays for reactions can be merged into one array and one reaction.
        It reduces unnecessary object allocations.

        No behavior change.

        * builtins/BuiltinNames.h:
        * builtins/PromiseOperations.js:
        (globalPrivate.newPromiseReaction):
        (globalPrivate.triggerPromiseReactions):
        (globalPrivate.rejectPromise):
        (globalPrivate.fulfillPromise):
        (globalPrivate.promiseReactionJob):
        (globalPrivate.initializePromise):
        * builtins/PromisePrototype.js:
        (then):
        * runtime/JSPromise.cpp:
        (JSC::JSPromise::finishCreation):
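The layout this entry describes, as an added JavaScript example that is not JavaScriptCore's own code: a toy promise that keeps one `reactions` array per promise and appends one reaction record per `then` call, the record carrying both the fulfill and the reject handler. The names `MiniPromise`, `jobQueue`, `runJobs`, `promiseReactionJob`, `pendingReactionCount`, `demoFulfill` and `demoRejectPassThrough` are this example's own; the job queue is drained synchronously instead of through the microtask queue so the outcome can be inspected, and thenable adoption is left out.

```javascript
// Added example, not JavaScriptCore code: a toy promise whose bookkeeping
// mirrors the merged layout from the entry above. Each promise keeps ONE
// `reactions` array, and each `.then()` appends ONE record that carries both
// the fulfill and the reject handler; the handler to run is selected only
// when the promise settles. Thenable adoption is deliberately left out.

const jobQueue = [];             // stands in for the engine's microtask queue
function runJobs() {             // drain synchronously so results can be inspected
  while (jobQueue.length) jobQueue.shift()();
}

class MiniPromise {
  constructor(executor) {
    this.state = 'pending';
    this.result = undefined;
    this.reactions = [];         // single array instead of fulfill/reject pairs
    const settle = (state, value) => {
      if (this.state !== 'pending') return;        // first settlement wins
      this.state = state;
      this.result = value;
      const reactions = this.reactions;
      this.reactions = undefined;                  // cleared once settled
      for (const r of reactions)                   // TriggerPromiseReactions
        jobQueue.push(() => promiseReactionJob(r, state, value));
    };
    try {
      executor(v => settle('fulfilled', v), e => settle('rejected', e));
    } catch (e) {
      settle('rejected', e);
    }
  }

  // One reaction record per then() call, whatever the eventual outcome.
  then(onFulfilled, onRejected) {
    let resolve, reject;
    const derived = new MiniPromise((res, rej) => { resolve = res; reject = rej; });
    const reaction = { onFulfilled, onRejected, resolve, reject };
    if (this.state === 'pending') this.reactions.push(reaction);
    else jobQueue.push(() => promiseReactionJob(reaction, this.state, this.result));
    return derived;
  }
}

// PromiseReactionJob analogue: pick the handler by the settled state, and
// pass the value or reason straight through when that handler is missing.
function promiseReactionJob(reaction, state, argument) {
  const handler = state === 'fulfilled' ? reaction.onFulfilled : reaction.onRejected;
  if (typeof handler !== 'function') {
    if (state === 'fulfilled') reaction.resolve(argument); else reaction.reject(argument);
    return;
  }
  try { reaction.resolve(handler(argument)); } catch (e) { reaction.reject(e); }
}

// Number of reaction records a still-pending promise holds.
function pendingReactionCount(promise) {
  return promise.reactions ? promise.reactions.length : 0;
}

// Two then() calls on one pending promise leave two records (not four), and
// the handlers run in registration order once it is resolved.
function demoFulfill() {
  let resolveOuter;
  const p = new MiniPromise(res => { resolveOuter = res; });
  const log = [];
  p.then(v => log.push('a:' + v), e => log.push('a-err:' + e));
  p.then(v => log.push('b:' + v)).then(n => log.push('c:' + n));
  const recordsBeforeSettle = pendingReactionCount(p);
  resolveOuter(1);
  runJobs();
  return { recordsBeforeSettle, log };
}

// A rejection skips a record with no reject handler and reaches the next one.
function demoRejectPassThrough() {
  let out;
  new MiniPromise((_, rej) => rej('boom'))
    .then(v => 'nope')
    .then(null, e => 'caught:' + e)
    .then(v => { out = v; });
  runJobs();
  return out;
}
```

`demoFulfill()` returns two reaction records for two `then` calls and the log `['a:1', 'b:1', 'c:2']` (the `c` handler receives the length returned by `push`); `demoRejectPassThrough()` returns `'caught:boom'`, showing that a record without a reject handler forwards the reason to the next promise in the chain.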

2016-12-06  Mark Lam  <mark.lam@apple.com>

        GetByID IC is wrongly unwrapping the global proxy this value for getter/setters.
        https://bugs.webkit.org/show_bug.cgi?id=165401

        Reviewed by Saam Barati.

        When the this value for a property access is the JS global and that property
        access is via a GetterSetter, the underlying getter / setter functions would
        expect the this value they receive to be the JSProxy instance instead of the
        JSGlobalObject.  This is consistent with how the LLINT and runtime code behaves.
        The IC code should behave the same way.

        Also added some ASSERTs to document invariants in the code, and help detect
        bugs sooner if the code gets changed in a way that breaks those invariants in
        the future.

        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::generateImpl):

2016-12-06  Joseph Pecoraro  <pecoraro@apple.com>

        DumpRenderTree ASSERT in JSC::ExecutableBase::isHostFunction seen on bots
        https://bugs.webkit.org/show_bug.cgi?id=165497
        <rdar://problem/29538973>

        Reviewed by Saam Barati.

        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        (Inspector::InspectorScriptProfilerAgent::trackingComplete):
        Defer collection when extracting and processing the samples to avoid
        any objects held by the samples from getting collected while processing.
        This is because while processing we call into functions that can
        allocate and we must prevent those functions from syncing with the
        GC thread which may collect other sample data yet to be processed.

2016-12-06  Alexey Proskuryakov  <ap@apple.com>

        Correct SDKROOT values in xcconfig files
        https://bugs.webkit.org/show_bug.cgi?id=165487
        rdar://problem/29539209

        Reviewed by Dan Bernstein.

        Fix suggested by Dan Bernstein.

        * Configurations/DebugRelease.xcconfig:

2016-12-06  Saam Barati  <sbarati@apple.com>

        Remove old Wasm object model
        https://bugs.webkit.org/show_bug.cgi?id=165481

        Reviewed by Keith Miller and Mark Lam.

        It's confusing to see code that consults both the old
        Wasm object model alongside the new one. The old object
        model is not a thing, and it's not being used. Let's
        remove it now to prevent further confusion.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        (JSC::CodeBlock::replacement):
        (JSC::CodeBlock::computeCapabilityLevel):
        (JSC::CodeBlock::updateAllPredictions):
        * bytecode/CodeBlock.h:
        * bytecode/WebAssemblyCodeBlock.cpp: Removed.
        * bytecode/WebAssemblyCodeBlock.h: Removed.
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::isSupportedForInlining):
        * interpreter/Interpreter.cpp:
        (JSC::GetStackTraceFunctor::operator()):
        (JSC::UnwindFunctor::operator()):
        (JSC::isWebAssemblyExecutable): Deleted.
        * jit/JITOperations.cpp:
        * jit/Repatch.cpp:
        (JSC::linkPolymorphicCall):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setUpCall):
        * runtime/ExecutableBase.cpp:
        (JSC::ExecutableBase::clearCode):
        * runtime/ExecutableBase.h:
        (JSC::ExecutableBase::isWebAssemblyExecutable): Deleted.
        * runtime/JSFunction.cpp:
        * runtime/JSFunction.h:
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::isBuiltinFunction):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * runtime/WebAssemblyExecutable.cpp: Removed.
        * runtime/WebAssemblyExecutable.h: Removed.

2016-12-06  JF Bastien  <jfbastien@apple.com>

        PureNaN: fix typo
        https://bugs.webkit.org/show_bug.cgi?id=165493

        Reviewed by Mark Lam.

        * runtime/PureNaN.h:

2016-12-06  Mark Lam  <mark.lam@apple.com>

        Introduce the concept of Immutable Prototype Exotic Objects to comply with the spec.
        https://bugs.webkit.org/show_bug.cgi?id=165227
        <rdar://problem/29442665>

        Reviewed by Saam Barati.

        * runtime/JSObject.cpp:
        (JSC::JSObject::setPrototypeWithCycleCheck):
        - This is where we check for immutable prototype exotic objects and refuse to set
          the prototype if needed.
          See https://tc39.github.io/ecma262/#sec-immutable-prototype-exotic-objects.

        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::isImmutablePrototypeExoticObject):
        * runtime/Structure.h:
        - Add flag for declaring immutable prototype exotic objects.

        * runtime/ObjectPrototype.h:
        - Declare that Object.prototype is an immutable prototype exotic object.
          See https://tc39.github.io/ecma262/#sec-properties-of-the-object-prototype-object.

        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorSetPrototypeOf):
        - Use better error messages.
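The spec behaviour this entry implements for Object.prototype, as an added JavaScript example (not JavaScriptCore code) that runs on any conforming engine such as jsc or node: `[[SetPrototypeOf]]` on an immutable prototype exotic object succeeds only when the requested prototype is already the current one, `Reflect.setPrototypeOf` reports the refusal as `false`, and `Object.setPrototypeOf` and the `__proto__` setter turn the same refusal into a TypeError. The function name `probeImmutablePrototype` is this example's own.

```javascript
// Added example, not JavaScriptCore code: observe the immutable prototype
// exotic object behaviour of Object.prototype on a conforming engine.
// Returns a plain record so each observation can be checked by a caller.
function probeImmutablePrototype() {
  const results = {};

  // [[SetPrototypeOf]](V) returns true only when V is already the current
  // prototype (null for Object.prototype); any other V returns false.
  results.reflectSameValue = Reflect.setPrototypeOf(Object.prototype, null);
  results.reflectDifferent = Reflect.setPrototypeOf(Object.prototype, {});

  // Object.setPrototypeOf throws a TypeError when [[SetPrototypeOf]] reports false.
  try {
    Object.setPrototypeOf(Object.prototype, {});
    results.setThrows = false;
  } catch (e) {
    results.setThrows = e instanceof TypeError;
  }

  // The __proto__ accessor routes through the same internal method and throws too.
  try {
    Object.prototype.__proto__ = {};
    results.protoThrows = false;
  } catch (e) {
    results.protoThrows = e instanceof TypeError;
  }

  // Whatever was attempted, the prototype of Object.prototype is untouched.
  results.stillNull = Object.getPrototypeOf(Object.prototype) === null;

  // An ordinary object carries no such restriction: the same call succeeds.
  const plain = {};
  results.ordinaryOk =
    Reflect.setPrototypeOf(plain, Array.prototype) &&
    Object.getPrototypeOf(plain) === Array.prototype;

  return results;
}
```

The contrast with the ordinary object at the end is the point of the exotic-object flag: the refusal is a property of the receiver's type, not of `Object.setPrototypeOf`, which is why the entry puts the check in `JSObject::setPrototypeWithCycleCheck` rather than in the constructor function.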

2016-12-04  Darin Adler  <darin@apple.com>

        Use ASCIICType more, and improve it a little bit
        https://bugs.webkit.org/show_bug.cgi?id=165360

        Reviewed by Sam Weinig.

        * inspector/InspectorValues.cpp:
        (Inspector::readHexDigits): Use isASCIIHexDigit.
        (Inspector::hextoInt): Deleted.
        (decodeString): Use toASCIIHexValue.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::parseDigit): Use isASCIIDigit, isASCIIUpper, and isASCIILower.

        * runtime/StringPrototype.cpp:
        (JSC::substituteBackreferencesSlow): Use isASCIIDigit.

2016-12-06  Csaba Osztrogonác  <ossy@webkit.org>

        Add storeFence support for ARMv7
        https://bugs.webkit.org/show_bug.cgi?id=164733

        Reviewed by Saam Barati.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::dmbISHST): Added.
        * assembler/ARMv7Assembler.h: Typo fixed, DMB has only T1 encoding.
        (JSC::ARMv7Assembler::dmbSY):
        (JSC::ARMv7Assembler::dmbISHST): Added.
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::storeFence):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::storeFence):

2016-12-05  Matt Baker  <mattbaker@apple.com>

        Web Inspector: remove ASSERT from InspectorDebuggerAgent::derefAsyncCallData
        https://bugs.webkit.org/show_bug.cgi?id=165413
        <rdar://problem/29517587>

        Reviewed by Brian Burg.

        DOMTimer::removeById can call into InspectorInstrumentation with an
        invalid identifier, so don't assert that async call data exists.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::derefAsyncCallData):

2016-12-05  Geoffrey Garen  <ggaren@apple.com>

        Fixed a bug in my last patch.

        Unreviewed.

        * bytecode/UnlinkedFunctionExecutable.h: Restore the conversion to
        one-based counting.

2016-12-05  Geoffrey Garen  <ggaren@apple.com>

        Moved start and end column linking into helper functions
        https://bugs.webkit.org/show_bug.cgi?id=165422

        Reviewed by Sam Weinig.

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::link):
        * bytecode/UnlinkedFunctionExecutable.h:

2016-12-05  Mark Lam  <mark.lam@apple.com>

        Fix JSC files so that we can build a release build with NDEBUG #undef'ed.
        https://bugs.webkit.org/show_bug.cgi?id=165409

        Reviewed by Keith Miller.

        This allows us to run a release build with DEBUG ASSERTs enabled.

        * bytecode/BytecodeLivenessAnalysis.cpp:
        * bytecode/UnlinkedEvalCodeBlock.cpp:
        * bytecode/UnlinkedFunctionCodeBlock.cpp:
        * bytecode/UnlinkedModuleProgramCodeBlock.cpp:
        * bytecode/UnlinkedProgramCodeBlock.cpp:
        * runtime/EvalExecutable.cpp:

2016-12-05  Geoffrey Garen  <ggaren@apple.com>

        Renamed source => parentSource
        https://bugs.webkit.org/show_bug.cgi?id=165419

        Reviewed by Saam Barati.

        This should help clarify that a FunctionExecutable holds the source
        code to its *parent* scope, and not its own SourceCode.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutable):
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::link):
        * bytecode/UnlinkedFunctionExecutable.h:

2016-12-05  Geoffrey Garen  <ggaren@apple.com>

        ScriptExecutable should not contain a copy of firstLine and startColumn
        https://bugs.webkit.org/show_bug.cgi?id=165415

        Reviewed by Keith Miller.

        We already have this data in SourceCode.

        It's super confusing to have two copies of this data, where one is
        allowed to mutate. In reality, your line and column number never change.

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::link):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
        * runtime/CodeCache.h:
        (JSC::generateUnlinkedCodeBlock):
        * runtime/FunctionExecutable.cpp:
        (JSC::FunctionExecutable::FunctionExecutable):
        * runtime/FunctionExecutable.h:
        * runtime/ScriptExecutable.cpp:
        (JSC::ScriptExecutable::ScriptExecutable):
        (JSC::ScriptExecutable::newCodeBlockFor):
        * runtime/ScriptExecutable.h:
        (JSC::ScriptExecutable::firstLine):
        (JSC::ScriptExecutable::startColumn):
        (JSC::ScriptExecutable::recordParse):

2016-12-05  Caitlin Potter  <caitp@igalia.com>

        [JSC] report unexpected token when "async" is followed by identifier
        https://bugs.webkit.org/show_bug.cgi?id=165091

        Reviewed by Mark Lam.

        Report a SyntaxError, in order to report the correct error in contexts
        where an async ArrowFunction cannot occur. Also corrects errors in the comment
        describing the JSTokenType bitfield, which was added in r209293.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseMemberExpression):
        * parser/ParserTokens.h:

2016-12-05  Keith Miller  <keith_miller@apple.com>

        Add Wasm i64 to i32 conversion.
        https://bugs.webkit.org/show_bug.cgi?id=165378

        Reviewed by Filip Pizlo.

        It turns out the wrap operation is just B3's Trunc.

        * wasm/wasm.json:

2016-12-05  Joseph Pecoraro  <pecoraro@apple.com>

        REGRESSION(r208985): SafariForWebKitDevelopment Symbol Not Found looking for method with WTF::Optional
        https://bugs.webkit.org/show_bug.cgi?id=165351

        Reviewed by Yusuke Suzuki.

        Some versions of Safari expect:

            Inspector::BackendDispatcher::reportProtocolError(WTF::Optional<long>, Inspector::BackendDispatcher::CommonErrorCode, WTF::String const&)

        Which we had updated to use std::optional. Expose a version with the original
        Symbol for these Safaris. This stub will just call through to the new version.

        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::reportProtocolError):
        * inspector/InspectorBackendDispatcher.h:

2016-12-05  Konstantin Tokarev  <annulen@yandex.ru>

        Add __STDC_FORMAT_MACROS before inttypes.h is included
        https://bugs.webkit.org/show_bug.cgi?id=165374

        We need formatting macros like PRIu64 to be available in all places where
        the inttypes.h header is used. All these usages get inttypes.h definitions
        via the wtf/Assertions.h header, except SQLiteFileSystem.cpp where formatting
        macros are not used anymore since r185129.

        This patch fixes multiple build errors with MinGW and reduces the number of
        independent __STDC_FORMAT_MACROS uses in the code base.

        Reviewed by Darin Adler.

        * disassembler/ARM64/A64DOpcode.cpp: Removed __STDC_FORMAT_MACROS
        because it is obtained via Assertions.h now.
        * disassembler/ARM64Disassembler.cpp: Ditto.

2016-12-04  Keith Miller  <keith_miller@apple.com>

        Add support for Wasm ctz and popcnt
        https://bugs.webkit.org/show_bug.cgi?id=165369

        Reviewed by Saam Barati.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::countTrailingZeros32):
        (JSC::MacroAssemblerARM64::countTrailingZeros64):
        * assembler/MacroAssemblerX86Common.cpp:
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::countTrailingZeros32):
        (JSC::MacroAssemblerX86Common::supportsBMI1):
        (JSC::MacroAssemblerX86Common::ctzAfterBsf):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::countTrailingZeros64):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::tzcnt_rr):
        (JSC::X86Assembler::tzcntq_rr):
        (JSC::X86Assembler::bsf_rr):
        (JSC::X86Assembler::bsfq_rr):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::addOp<OpType::I32Ctz>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::I64Ctz>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::I32Popcnt>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::I64Popcnt>):
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseExpression):

2016-12-04  Saam Barati  <sbarati@apple.com>

        We should have a Wasm callee
        https://bugs.webkit.org/show_bug.cgi?id=165163

        Reviewed by Keith Miller.

        This patch adds JSWebAssemblyCallee and stores it into the
        callee slot in the call frame as part of the prologue of a
        wasm function. This is the first step in implementing
        unwinding from/through wasm frames. We will use the callee
        to identify that a machine frame belongs to wasm code.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jsc.cpp:
        (callWasmFunction):
        (functionTestWasmModuleFunctions):
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSGlobalObject.cpp:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * wasm/JSWebAssembly.h:
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::parseAndCompile):
        * wasm/WasmCallingConvention.h:
        (JSC::Wasm::CallingConvention::setupFrameInPrologue):
        * wasm/WasmFormat.h:
        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::initializeCallees):
        * wasm/WasmPlan.h:
        (JSC::Wasm::Plan::compiledFunction):
        (JSC::Wasm::Plan::getCompiledFunctions): Deleted.
        * wasm/js/JSWebAssemblyCallee.cpp: Added.
        (JSC::JSWebAssemblyCallee::JSWebAssemblyCallee):
        (JSC::JSWebAssemblyCallee::finishCreation):
        (JSC::JSWebAssemblyCallee::destroy):
        * wasm/js/JSWebAssemblyCallee.h: Added.
        (JSC::JSWebAssemblyCallee::create):
        (JSC::JSWebAssemblyCallee::createStructure):
        (JSC::JSWebAssemblyCallee::jsEntryPoint):
        * wasm/js/JSWebAssemblyModule.cpp:
        (JSC::JSWebAssemblyModule::create):
        (JSC::JSWebAssemblyModule::JSWebAssemblyModule):
        (JSC::JSWebAssemblyModule::visitChildren):
        * wasm/js/JSWebAssemblyModule.h:
        (JSC::JSWebAssemblyModule::moduleInformation):
        (JSC::JSWebAssemblyModule::callee):
        (JSC::JSWebAssemblyModule::callees):
        (JSC::JSWebAssemblyModule::offsetOfCallees):
        (JSC::JSWebAssemblyModule::allocationSize):
        (JSC::JSWebAssemblyModule::compiledFunctions): Deleted.
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):
        (JSC::WebAssemblyFunction::create):
        (JSC::WebAssemblyFunction::visitChildren):
        (JSC::WebAssemblyFunction::finishCreation):
        * wasm/js/WebAssemblyFunction.h:
        (JSC::WebAssemblyFunction::webAssemblyCallee):
        (JSC::WebAssemblyFunction::instance):
        (JSC::WebAssemblyFunction::signature):
        (JSC::CallableWebAssemblyFunction::CallableWebAssemblyFunction): Deleted.
        (JSC::WebAssemblyFunction::webAssemblyFunctionCell): Deleted.
        * wasm/js/WebAssemblyFunctionCell.cpp:
        (JSC::WebAssemblyFunctionCell::create): Deleted.
        (JSC::WebAssemblyFunctionCell::WebAssemblyFunctionCell): Deleted.
        (JSC::WebAssemblyFunctionCell::destroy): Deleted.
        (JSC::WebAssemblyFunctionCell::createStructure): Deleted.
        * wasm/js/WebAssemblyFunctionCell.h:
        (JSC::WebAssemblyFunctionCell::function): Deleted.
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        (JSC::constructJSWebAssemblyModule):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):

2016-12-04  Matt Baker  <mattbaker@apple.com>

        Web Inspector: Assertion Failures breakpoint should respect global Breakpoints enabled setting
        https://bugs.webkit.org/show_bug.cgi?id=165277
        <rdar://problem/29467098>

        Reviewed by Mark Lam.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
        Check that breakpoints are active before pausing.

2016-12-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        Refactor SymbolImpl layout
        https://bugs.webkit.org/show_bug.cgi?id=165247

        Reviewed by Darin Adler.

        Use SymbolImpl::{create, createNullSymbol} instead.

        * runtime/PrivateName.h:
        (JSC::PrivateName::PrivateName):

2016-12-03  JF Bastien  <jfbastien@apple.com>

        WebAssembly: update binary format to 0xD version
        https://bugs.webkit.org/show_bug.cgi?id=165345

        Reviewed by Keith Miller.

        As described in the following PR: https://github.com/WebAssembly/design/pull/836
        Originally committed in r209175, reverted in r209242, and fixed in r209284.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::B3IRGenerator::zeroForType):
        (JSC::Wasm::B3IRGenerator::addConstant):
        (JSC::Wasm::createJSWrapper):
        * wasm/WasmCallingConvention.h:
        (JSC::Wasm::CallingConvention::marshallArgument):
        * wasm/WasmFormat.cpp:
        (JSC::Wasm::toString): Deleted.
        * wasm/WasmFormat.h:
        (JSC::Wasm::isValueType):
        (JSC::Wasm::toB3Type): Deleted.
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseExpression):
        * wasm/WasmModuleParser.cpp:
        (JSC::Wasm::ModuleParser::parse):
        (JSC::Wasm::ModuleParser::parseType):
        * wasm/WasmModuleParser.h:
        * wasm/WasmParser.h:
        (JSC::Wasm::Parser::parseResultType):
        * wasm/generateWasm.py:
        (Wasm.__init__):
        * wasm/generateWasmOpsHeader.py:
        (cppMacro):
        (typeMacroizer):
        (opcodeMacroizer):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):
        * wasm/wasm.json:

2016-12-02  Keith Miller  <keith_miller@apple.com>

        Add Wasm copysign
        https://bugs.webkit.org/show_bug.cgi?id=165355

        Reviewed by Filip Pizlo.

        This patch also makes two other important changes:

        1) Allows for i64 constants in the B3 generator language.
        2) Fixes a bug with F64ConvertUI64 where the operation returned a Float instead
           of a Double in B3.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::addOp<F64ConvertUI64>):
        * wasm/generateWasmB3IRGeneratorInlinesHeader.py:
        (CodeGenerator.generateOpcode):
        (generateConstCode):
        (generateI32ConstCode): Deleted.
        * wasm/wasm.json:

2016-12-03  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r209298.
        https://bugs.webkit.org/show_bug.cgi?id=165359

        broke the build (Requested by smfr on #webkit).

        Reverted changeset:

        "Add Wasm copysign"
        https://bugs.webkit.org/show_bug.cgi?id=165355
        http://trac.webkit.org/changeset/209298

2016-12-02  Keith Miller  <keith_miller@apple.com>

        Add Wasm copysign
        https://bugs.webkit.org/show_bug.cgi?id=165355

        Reviewed by Filip Pizlo.

        This patch also makes two other important changes:

        1) Allows for i64 constants in the B3 generator language.
        2) Fixes a bug with F64ConvertUI64 where the operation returned a Float instead
           of a Double in B3.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::addOp<F64ConvertUI64>):
        * wasm/generateWasmB3IRGeneratorInlinesHeader.py:
        (CodeGenerator.generateOpcode):
        (generateConstCode):
        (generateI32ConstCode): Deleted.
        * wasm/wasm.json:

579 2016-12-02  Keith Miller  <keith_miller@apple.com>
580
581         Unreviewed, fix git having a breakdown over trying to reland a rollout.
582
583 2016-12-02  Keith Miller  <keith_miller@apple.com>
584
585         Add Wasm floating point nearest and trunc
586         https://bugs.webkit.org/show_bug.cgi?id=165339
587
588         Reviewed by Saam Barati.
589
590         This patch also allows any wasm primitive type to be passed as a
591         string.
592
593         * assembler/MacroAssemblerARM64.h:
594         (JSC::MacroAssemblerARM64::nearestIntDouble):
595         (JSC::MacroAssemblerARM64::nearestIntFloat):
596         (JSC::MacroAssemblerARM64::truncDouble):
597         (JSC::MacroAssemblerARM64::truncFloat):
598         * assembler/MacroAssemblerX86Common.h:
599         (JSC::MacroAssemblerX86Common::nearestIntDouble):
600         (JSC::MacroAssemblerX86Common::nearestIntFloat):
601         * jsc.cpp:
602         (box):
603         * wasm/WasmB3IRGenerator.cpp:
604         (JSC::Wasm::B3IRGenerator::addOp<F64ConvertUI64>):
605         (JSC::Wasm::B3IRGenerator::addOp<OpType::F32ConvertUI64>):
606         (JSC::Wasm::B3IRGenerator::addOp<OpType::F64Nearest>):
607         (JSC::Wasm::B3IRGenerator::addOp<OpType::F32Nearest>):
608         (JSC::Wasm::B3IRGenerator::addOp<OpType::F64Trunc>):
609         (JSC::Wasm::B3IRGenerator::addOp<OpType::F32Trunc>):
610         * wasm/WasmFunctionParser.h:
611         (JSC::Wasm::FunctionParser<Context>::parseExpression):
612
613 2016-12-02  Caitlin Potter  <caitp@igalia.com>
614
615 [JSC] add additional bit to JSTokenType bitfield
616         https://bugs.webkit.org/show_bug.cgi?id=165091
617
618         Reviewed by Geoffrey Garen.
619
620         Avoid overflow which causes keyword tokens to be treated as unary
621         tokens now that "async" is tokenized as a keyword, by granting an
622         additional 64 bits to be occupied by token IDs.
623
624         * parser/ParserTokens.h:
625
626 2016-12-02  Andy Estes  <aestes@apple.com>
627
628         [Cocoa] Adopt the PRODUCT_BUNDLE_IDENTIFIER build setting
629         https://bugs.webkit.org/show_bug.cgi?id=164492
630
631         Reviewed by Dan Bernstein.
632
633         * Configurations/JavaScriptCore.xcconfig: Set PRODUCT_BUNDLE_IDENTIFIER to
634         com.apple.$(PRODUCT_NAME:rfc1034identifier).
635         * Info.plist: Changed CFBundleIdentifier's value from com.apple.${PRODUCT_NAME} to
636         ${PRODUCT_BUNDLE_IDENTIFIER}.
637
638 2016-12-02  JF Bastien  <jfbastien@apple.com>
639
640         WebAssembly: mark WasmOps.h as private
641         https://bugs.webkit.org/show_bug.cgi?id=165335
642
643         Reviewed by Mark Lam.
644
645         * JavaScriptCore.xcodeproj/project.pbxproj: WasmOps.h will be used by non-JSC and should therefore be private
646
647 2016-12-02  Commit Queue  <commit-queue@webkit.org>
648
649         Unreviewed, rolling out r209275 and r209276.
650         https://bugs.webkit.org/show_bug.cgi?id=165348
651
652         "broke the arm build" (Requested by keith_miller on #webkit).
653
654         Reverted changesets:
655
656         "Add Wasm floating point nearest and trunc"
657         https://bugs.webkit.org/show_bug.cgi?id=165339
658         http://trac.webkit.org/changeset/209275
659
660         "Unreviewed, forgot to change instruction after renaming."
661         http://trac.webkit.org/changeset/209276
662
663 2016-12-02  Keith Miller  <keith_miller@apple.com>
664
665         Unreviewed, forgot to change instruction after renaming.
666
667         * assembler/MacroAssemblerARM64.h:
668         (JSC::MacroAssemblerARM64::nearestIntDouble):
669         (JSC::MacroAssemblerARM64::nearestIntFloat):
670
671 2016-12-02  Keith Miller  <keith_miller@apple.com>
672
673         Add Wasm floating point nearest and trunc
674         https://bugs.webkit.org/show_bug.cgi?id=165339
675
676         Reviewed by Filip Pizlo.
677
678         This patch also allows any wasm primitive type to be passed as a
679         string.
680
681         * assembler/MacroAssemblerARM64.h:
682         (JSC::MacroAssemblerARM64::nearestIntDouble):
683         (JSC::MacroAssemblerARM64::nearestIntFloat):
684         (JSC::MacroAssemblerARM64::truncDouble):
685         (JSC::MacroAssemblerARM64::truncFloat):
686         * assembler/MacroAssemblerX86Common.h:
687         (JSC::MacroAssemblerX86Common::nearestIntDouble):
688         (JSC::MacroAssemblerX86Common::nearestIntFloat):
689         * jsc.cpp:
690         (box):
691         * wasm/WasmB3IRGenerator.cpp:
692         (JSC::Wasm::B3IRGenerator::addOp<F64ConvertUI64>):
693         (JSC::Wasm::B3IRGenerator::addOp<OpType::F32ConvertUI64>):
694         (JSC::Wasm::B3IRGenerator::addOp<OpType::F64Nearest>):
695         (JSC::Wasm::B3IRGenerator::addOp<OpType::F32Nearest>):
696         (JSC::Wasm::B3IRGenerator::addOp<OpType::F64Trunc>):
697         (JSC::Wasm::B3IRGenerator::addOp<OpType::F32Trunc>):
698         * wasm/WasmFunctionParser.h:
699         (JSC::Wasm::FunctionParser<Context>::parseExpression):
700
701 2016-12-02  JF Bastien  <jfbastien@apple.com>
702
703         WebAssembly: revert patch causing odd breakage
704         https://bugs.webkit.org/show_bug.cgi?id=165308
705
706         Unreviewed.
707
708         Bug #164724 seems to cause build issues which I haven't tracked down yet. WasmOps.h can't be found:
709         ./Source/JavaScriptCore/wasm/WasmFormat.h:34:10: fatal error: 'WasmOps.h' file not found
710
711         It's weird since the file is auto-generated and has been for a while. #164724 merely includes it in WasmFormat.h.
712
713         * wasm/WasmB3IRGenerator.cpp:
714         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
715         (JSC::Wasm::B3IRGenerator::zeroForType):
716         (JSC::Wasm::B3IRGenerator::addConstant):
717         (JSC::Wasm::createJSWrapper):
718         * wasm/WasmCallingConvention.h:
719         (JSC::Wasm::CallingConvention::marshallArgument):
720         * wasm/WasmFormat.cpp:
721         (JSC::Wasm::toString):
722         * wasm/WasmFormat.h:
723         (JSC::Wasm::toB3Type):
724         * wasm/WasmFunctionParser.h:
725         (JSC::Wasm::FunctionParser<Context>::parseExpression):
726         * wasm/WasmModuleParser.cpp:
727         (JSC::Wasm::ModuleParser::parse):
728         (JSC::Wasm::ModuleParser::parseType):
729         * wasm/WasmModuleParser.h:
730         * wasm/WasmParser.h:
731         (JSC::Wasm::Parser::parseResultType):
732         * wasm/generateWasm.py:
733         (Wasm.__init__):
734         * wasm/generateWasmOpsHeader.py:
735         (cppMacro):
736         (opcodeMacroizer):
737         (typeMacroizer): Deleted.
738         * wasm/js/WebAssemblyFunction.cpp:
739         (JSC::callWebAssemblyFunction):
740         * wasm/wasm.json:
741
742 2016-12-01  Brian Burg  <bburg@apple.com>
743
744         Remote Inspector: fix weird typo in generated ObjC protocol type initializer implementations
745         https://bugs.webkit.org/show_bug.cgi?id=165295
746         <rdar://problem/29427778>
747
748         Reviewed by Joseph Pecoraro.
749
750         Remove a stray semicolon appended after custom initializer signatures.
751         This is a syntax error when building with less lenient compiler warnings.
752
753         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
754         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members):
755         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
756         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
757         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
758         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
759         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
760         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
761         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
762
763 2016-12-01  Saam Barati  <sbarati@apple.com>
764
765         Rename CallFrame::callee() to CallFrame::jsCallee()
766         https://bugs.webkit.org/show_bug.cgi?id=165293
767
768         Reviewed by Keith Miller.
769
770         Wasm will soon have its own Callee that doesn't derive
771         from JSObject, but derives from JSCell. I want to introduce
772         a new function like:
773         ```
774         CalleeBase* CallFrame::callee()
775         ```
776
777         once we have a Wasm callee. It only makes sense to name that
778         function callee() and rename the current one to:
779         ```
780         JSObject* CallFrame::jsCallee()
781         ```
782
783         * API/APICallbackFunction.h:
784         (JSC::APICallbackFunction::call):
785         (JSC::APICallbackFunction::construct):
786         * API/JSCallbackObjectFunctions.h:
787         (JSC::JSCallbackObject<Parent>::construct):
788         (JSC::JSCallbackObject<Parent>::call):
789         * debugger/DebuggerCallFrame.cpp:
790         (JSC::DebuggerCallFrame::scope):
791         (JSC::DebuggerCallFrame::type):
792         * interpreter/CallFrame.cpp:
793         (JSC::CallFrame::friendlyFunctionName):
794         * interpreter/CallFrame.h:
795         (JSC::ExecState::jsCallee):
796         (JSC::ExecState::callee): Deleted.
797         * interpreter/Interpreter.cpp:
798         (JSC::Interpreter::dumpRegisters):
799         (JSC::notifyDebuggerOfUnwinding):
800         * interpreter/ShadowChicken.cpp:
801         (JSC::ShadowChicken::update):
802         * interpreter/StackVisitor.cpp:
803         (JSC::StackVisitor::readNonInlinedFrame):
804         * llint/LLIntSlowPaths.cpp:
805         (JSC::LLInt::traceFunctionPrologue):
806         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
807         * runtime/ArrayConstructor.cpp:
808         (JSC::constructArrayWithSizeQuirk):
809         * runtime/AsyncFunctionConstructor.cpp:
810         (JSC::callAsyncFunctionConstructor):
811         (JSC::constructAsyncFunctionConstructor):
812         * runtime/BooleanConstructor.cpp:
813         (JSC::constructWithBooleanConstructor):
814         * runtime/ClonedArguments.cpp:
815         (JSC::ClonedArguments::createWithInlineFrame):
816         * runtime/CommonSlowPaths.h:
817         (JSC::CommonSlowPaths::arityCheckFor):
818         * runtime/DateConstructor.cpp:
819         (JSC::constructWithDateConstructor):
820         * runtime/DirectArguments.cpp:
821         (JSC::DirectArguments::createByCopying):
822         * runtime/Error.h:
823         (JSC::StrictModeTypeErrorFunction::constructThrowTypeError):
824         (JSC::StrictModeTypeErrorFunction::callThrowTypeError):
825         * runtime/ErrorConstructor.cpp:
826         (JSC::Interpreter::constructWithErrorConstructor):
827         (JSC::Interpreter::callErrorConstructor):
828         * runtime/FunctionConstructor.cpp:
829         (JSC::constructWithFunctionConstructor):
830         (JSC::callFunctionConstructor):
831         * runtime/GeneratorFunctionConstructor.cpp:
832         (JSC::callGeneratorFunctionConstructor):
833         (JSC::constructGeneratorFunctionConstructor):
834         * runtime/InternalFunction.cpp:
835         (JSC::InternalFunction::createSubclassStructure):
836         * runtime/IntlCollator.cpp:
837         (JSC::IntlCollator::initializeCollator):
838         * runtime/IntlCollatorConstructor.cpp:
839         (JSC::constructIntlCollator):
840         (JSC::callIntlCollator):
841         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
842         * runtime/IntlDateTimeFormat.cpp:
843         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
844         * runtime/IntlDateTimeFormatConstructor.cpp:
845         (JSC::constructIntlDateTimeFormat):
846         (JSC::callIntlDateTimeFormat):
847         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
848         * runtime/IntlNumberFormat.cpp:
849         (JSC::IntlNumberFormat::initializeNumberFormat):
850         * runtime/IntlNumberFormatConstructor.cpp:
851         (JSC::constructIntlNumberFormat):
852         (JSC::callIntlNumberFormat):
853         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
854         * runtime/IntlObject.cpp:
855         (JSC::canonicalizeLocaleList):
856         (JSC::defaultLocale):
857         (JSC::lookupSupportedLocales):
858         (JSC::intlObjectFuncGetCanonicalLocales):
859         * runtime/JSArrayBufferConstructor.cpp:
860         (JSC::constructArrayBuffer):
861         * runtime/JSArrayBufferPrototype.cpp:
862         (JSC::arrayBufferProtoFuncSlice):
863         * runtime/JSBoundFunction.cpp:
864         (JSC::boundThisNoArgsFunctionCall):
865         (JSC::boundFunctionCall):
866         (JSC::boundThisNoArgsFunctionConstruct):
867         (JSC::boundFunctionConstruct):
868         * runtime/JSCellInlines.h:
869         (JSC::ExecState::vm):
870         * runtime/JSCustomGetterSetterFunction.cpp:
871         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
872         * runtime/JSFunction.cpp:
873         (JSC::callHostFunctionAsConstructor):
874         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
875         (JSC::constructGenericTypedArrayView):
876         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
877         (JSC::genericTypedArrayViewProtoFuncSlice):
878         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
879         * runtime/JSGlobalObjectFunctions.cpp:
880         (JSC::globalFuncEval):
881         * runtime/JSInternalPromiseConstructor.cpp:
882         (JSC::constructPromise):
883         * runtime/JSMapIterator.cpp:
884         (JSC::JSMapIterator::createPair):
885         (JSC::JSMapIterator::clone):
886         * runtime/JSNativeStdFunction.cpp:
887         (JSC::runStdFunction):
888         * runtime/JSPromiseConstructor.cpp:
889         (JSC::constructPromise):
890         * runtime/JSPropertyNameIterator.cpp:
891         (JSC::JSPropertyNameIterator::clone):
892         * runtime/JSScope.h:
893         (JSC::ExecState::lexicalGlobalObject):
894         * runtime/JSSetIterator.cpp:
895         (JSC::JSSetIterator::createPair):
896         (JSC::JSSetIterator::clone):
897         * runtime/JSStringIterator.cpp:
898         (JSC::JSStringIterator::clone):
899         * runtime/MapConstructor.cpp:
900         (JSC::constructMap):
901         * runtime/MapPrototype.cpp:
902         (JSC::mapProtoFuncValues):
903         (JSC::mapProtoFuncEntries):
904         (JSC::mapProtoFuncKeys):
905         (JSC::privateFuncMapIterator):
906         * runtime/NativeErrorConstructor.cpp:
907         (JSC::Interpreter::constructWithNativeErrorConstructor):
908         (JSC::Interpreter::callNativeErrorConstructor):
909         * runtime/ObjectConstructor.cpp:
910         (JSC::constructObject):
911         * runtime/ProxyObject.cpp:
912         (JSC::performProxyCall):
913         (JSC::performProxyConstruct):
914         * runtime/ProxyRevoke.cpp:
915         (JSC::performProxyRevoke):
916         * runtime/RegExpConstructor.cpp:
917         (JSC::constructWithRegExpConstructor):
918         (JSC::callRegExpConstructor):
919         * runtime/ScopedArguments.cpp:
920         (JSC::ScopedArguments::createByCopying):
921         * runtime/SetConstructor.cpp:
922         (JSC::constructSet):
923         * runtime/SetPrototype.cpp:
924         (JSC::setProtoFuncValues):
925         (JSC::setProtoFuncEntries):
926         (JSC::privateFuncSetIterator):
927         * runtime/StringConstructor.cpp:
928         (JSC::constructWithStringConstructor):
929         * runtime/StringPrototype.cpp:
930         (JSC::stringProtoFuncIterator):
931         * runtime/WeakMapConstructor.cpp:
932         (JSC::constructWeakMap):
933         * runtime/WeakSetConstructor.cpp:
934         (JSC::constructWeakSet):
935         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
936         (JSC::constructJSWebAssemblyCompileError):
937         * wasm/js/WebAssemblyFunction.cpp:
938         (JSC::callWebAssemblyFunction):
939         * wasm/js/WebAssemblyModuleConstructor.cpp:
940         (JSC::constructJSWebAssemblyModule):
941         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
942         (JSC::constructJSWebAssemblyRuntimeError):
943
944 2016-12-01  Brian Burg  <bburg@apple.com>
945
946         Web Inspector: generated code should use a framework-style import for *ProtocolArrayConversions.h
947         https://bugs.webkit.org/show_bug.cgi?id=165281
948         <rdar://problem/29427778>
949
950         Reviewed by Joseph Pecoraro.
951
952         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
953         (ObjCProtocolTypeConversionsHeaderGenerator.generate_output):
954         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
955         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
956         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
957         * inspector/scripts/tests/expected/enum-values.json-result:
958         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
959         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
960         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
961         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
962         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
963         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
964         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
965         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
966         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
967
968 2016-12-01  Geoffrey Garen  <ggaren@apple.com>
969
970         SourceCodeKey should use unlinked source code
971         https://bugs.webkit.org/show_bug.cgi?id=165286
972
973         Reviewed by Saam Barati.
974
975         This patch splits out UnlinkedSourceCode from SourceCode, and deploys
976         UnlinkedSourceCode in SourceCodeKey.
977
978         It's misleading to store SourceCode in SourceCodeKey because SourceCode
979         has an absolute location whereas unlinked cached code has no location.
980
981         I plan to deploy UnlinkedSourceCode in more places, to indicate code
982         that has no absolute location.
983
984         * JavaScriptCore.xcodeproj/project.pbxproj:
985         * parser/SourceCode.cpp:
986         (JSC::UnlinkedSourceCode::toUTF8):
987         (JSC::SourceCode::toUTF8): Deleted.
988         * parser/SourceCode.h:
989         (JSC::SourceCode::SourceCode):
990         (JSC::SourceCode::startColumn):
991         (JSC::SourceCode::isHashTableDeletedValue): Deleted.
992         (JSC::SourceCode::hash): Deleted.
993         (JSC::SourceCode::view): Deleted.
994         (JSC::SourceCode::providerID): Deleted.
995         (JSC::SourceCode::isNull): Deleted.
996         (JSC::SourceCode::provider): Deleted.
997         (JSC::SourceCode::startOffset): Deleted.
998         (JSC::SourceCode::endOffset): Deleted.
999         (JSC::SourceCode::length): Deleted. Move a bunch of stuff into a new
1000         base class, UnlinkedSourceCode.
1001
1002         * parser/SourceCodeKey.h:
1003         (JSC::SourceCodeKey::SourceCodeKey): Use UnlinkedSourceCode since code
1004         in the cache has no location.
1005
1006         * parser/UnlinkedSourceCode.h: Copied from Source/JavaScriptCore/parser/SourceCode.h.
1007         (JSC::UnlinkedSourceCode::UnlinkedSourceCode):
1008         (JSC::UnlinkedSourceCode::provider):
1009         (JSC::SourceCode::SourceCode): Deleted.
1010         (JSC::SourceCode::isHashTableDeletedValue): Deleted.
1011         (JSC::SourceCode::hash): Deleted.
1012         (JSC::SourceCode::view): Deleted.
1013         (JSC::SourceCode::providerID): Deleted.
1014         (JSC::SourceCode::isNull): Deleted.
1015         (JSC::SourceCode::provider): Deleted.
1016         (JSC::SourceCode::firstLine): Deleted.
1017         (JSC::SourceCode::startColumn): Deleted.
1018         (JSC::SourceCode::startOffset): Deleted.
1019         (JSC::SourceCode::endOffset): Deleted.
1020         (JSC::SourceCode::length): Deleted.
1021         (JSC::makeSource): Deleted.
1022         (JSC::SourceCode::subExpression): Deleted.
1023
1024         * runtime/CodeCache.h: Use UnlinkedSourceCode in the cache.
1025
1026 2016-12-01  Keith Miller  <keith_miller@apple.com>
1027
1028         Add wasm int to floating point opcodes
1029         https://bugs.webkit.org/show_bug.cgi?id=165252
1030
1031         Reviewed by Geoffrey Garen.
1032
1033         This patch adds support for the Wasm integral type => floating point
1034         type conversion opcodes. Most of these were already supported by B3
1035         however there was no support for uint64 to float/double. Unfortunately,
1036         AFAIK x86_64 does not have a single instruction that performs this
1037         conversion. Since there is a signed conversion instruction on x86 we
1038         use that for all uint64s that don't have the top bit set. If they do have
1039         the top bit set we need to divide by 2 (rounding up) then convert the number
1040         with the signed conversion then double the result.
1041
1042         * assembler/MacroAssemblerX86_64.h:
1043         (JSC::MacroAssemblerX86_64::convertUInt64ToDouble):
1044         (JSC::MacroAssemblerX86_64::convertUInt64ToFloat):
1045         * jsc.cpp:
1046         (valueWithTypeOfWasmValue):
1047         (box):
1048         (functionTestWasmModuleFunctions):
1049         * wasm/WasmB3IRGenerator.cpp:
1050         (JSC::Wasm::B3IRGenerator::addOp<F64ConvertUI64>):
1051         (JSC::Wasm::B3IRGenerator::addOp<OpType::F32ConvertUI64>):
1052         * wasm/WasmFunctionParser.h:
1053         (JSC::Wasm::FunctionParser<Context>::parseExpression):
1054         * wasm/wasm.json:
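
        The uint64 => floating point strategy described above, as an added example
        that is not JavaScriptCore code: the conversion is written in portable C++
        (function names are this example's own) so the result can be checked
        against the compiler's native, correctly rounded uint64 => double
        conversion. The halving step is written as a shift with a "sticky" low
        bit; the entry only says "rounding up", so that exact formulation is an
        assumption here, and the naive plain shift is kept alongside to show the
        rounding error the sticky bit prevents.

```cpp
// Added example, not JavaScriptCore code: uint64 -> floating point using only
// a signed int64 -> floating point conversion (what x86_64 provides natively).
#include <cstdint>
#include <cstdio>

// Top bit clear: the value fits int64_t, so the signed conversion sees the
// right number and rounds it correctly.
static bool fitsInSigned(uint64_t v)
{
    return v < (uint64_t(1) << 63);
}

// Top bit set: halve the value so it fits int64_t. The bit shifted out is
// folded back in as a "sticky" low bit; without it a value just above a
// rounding tie looks exactly like the tie after halving and rounds the wrong
// way. Doubling the converted result is exact (it only bumps the exponent),
// so no second rounding happens. The cast to int64_t relies on two's
// complement wrap-around, which every mainstream compiler provides.
double uint64ToDoubleViaSigned(uint64_t v)
{
    if (fitsInSigned(v))
        return static_cast<double>(static_cast<int64_t>(v));
    uint64_t halved = (v >> 1) | (v & 1);
    double d = static_cast<double>(static_cast<int64_t>(halved));
    return d + d;
}

float uint64ToFloatViaSigned(uint64_t v)
{
    if (fitsInSigned(v))
        return static_cast<float>(static_cast<int64_t>(v));
    uint64_t halved = (v >> 1) | (v & 1);
    float f = static_cast<float>(static_cast<int64_t>(halved));
    return f + f;
}

// Plain shift with no sticky bit: kept only to show where it goes wrong.
double uint64ToDoubleNaiveHalving(uint64_t v)
{
    if (fitsInSigned(v))
        return static_cast<double>(static_cast<int64_t>(v));
    double d = static_cast<double>(static_cast<int64_t>(v >> 1));
    return d + d;
}

// Counts inputs on which the sticky-bit conversion disagrees with the
// compiler's own uint64 -> double conversion. Expected result: 0.
int countDoubleMismatches()
{
    // Constructed sample inputs: edges, exact ties and near-ties around
    // 2^63 and 2^64, where the double ulp is 1024 and 2048 respectively.
    const uint64_t top = uint64_t(1) << 63;
    const uint64_t samples[] = {
        0, 1, 0x7FFFFFFFFFFFFFFFull, top, top + 1, top + 1023, top + 1024,
        top + 1025, top + 2047, top + 2048, 0xFFFFFFFFFFFFFBFFull,
        0xFFFFFFFFFFFFFC00ull, 0xFFFFFFFFFFFFFC01ull, 0xFFFFFFFFFFFFFFFFull,
    };
    int mismatches = 0;
    for (uint64_t v : samples) {
        if (uint64ToDoubleViaSigned(v) != static_cast<double>(v))
            ++mismatches;
    }
    return mismatches;
}

int main()
{
    const uint64_t justAboveTie = (uint64_t(1) << 63) + 1025;
    std::printf("mismatches against native conversion: %d\n", countDoubleMismatches());
    std::printf("sticky: %.1f  naive: %.1f  native: %.1f\n",
        uint64ToDoubleViaSigned(justAboveTie),
        uint64ToDoubleNaiveHalving(justAboveTie),
        static_cast<double>(justAboveTie));
    return 0;
}
```

        For 2^63 + 1025 the nearest doubles are 2^63 and 2^63 + 2048, and the value
        is just above the midpoint, so the native conversion rounds up. After a
        plain shift the halved value 2^62 + 512 sits exactly on the midpoint and
        round-to-even picks 2^62, which doubles back to the wrong 2^63; the sticky
        bit keeps it above the midpoint and the result matches.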
1055
1056 2016-12-01  Geoffrey Garen  <ggaren@apple.com>
1057
1058         Renamed EvalCodeCache => DirectEvalCodeCache
1059         https://bugs.webkit.org/show_bug.cgi?id=165271
1060
1061         Reviewed by Saam Barati.
1062
1063         We only use this cache for DirectEval, not IndirectEval.
1064
1065         * JavaScriptCore.xcodeproj/project.pbxproj:
1066         * bytecode/CodeBlock.cpp:
1067         (JSC::DirectEvalCodeCache::visitAggregate):
1068         (JSC::CodeBlock::stronglyVisitStrongReferences):
1069         (JSC::EvalCodeCache::visitAggregate): Deleted.
1070         * bytecode/CodeBlock.h:
1071         (JSC::CodeBlock::directEvalCodeCache):
1072         (JSC::CodeBlock::evalCodeCache): Deleted.
1073         * bytecode/DirectEvalCodeCache.h: Copied from Source/JavaScriptCore/bytecode/EvalCodeCache.h.
1074         (JSC::EvalCodeCache::CacheKey::CacheKey): Deleted.
1075         (JSC::EvalCodeCache::CacheKey::hash): Deleted.
1076         (JSC::EvalCodeCache::CacheKey::isEmptyValue): Deleted.
1077         (JSC::EvalCodeCache::CacheKey::operator==): Deleted.
1078         (JSC::EvalCodeCache::CacheKey::isHashTableDeletedValue): Deleted.
1079         (JSC::EvalCodeCache::CacheKey::Hash::hash): Deleted.
1080         (JSC::EvalCodeCache::CacheKey::Hash::equal): Deleted.
1081         (JSC::EvalCodeCache::tryGet): Deleted.
1082         (JSC::EvalCodeCache::set): Deleted.
1083         (JSC::EvalCodeCache::isEmpty): Deleted.
1084         (JSC::EvalCodeCache::clear): Deleted.
1085         * bytecode/EvalCodeCache.h: Removed.
1086         * interpreter/Interpreter.cpp:
1087         (JSC::eval):
1088         * runtime/DirectEvalExecutable.cpp:
1089         (JSC::DirectEvalExecutable::create):
1090
1091 2016-12-01  Geoffrey Garen  <ggaren@apple.com>
1092
1093         Removed some unnecessary indirection in code generation
1094         https://bugs.webkit.org/show_bug.cgi?id=165264
1095
1096         Reviewed by Keith Miller.
1097
1098         There's no need to route through JSGlobalObject when producing code --
1099         it just made the code harder to read.
1100
1101         This patch moves functions from JSGlobalObject to their singleton
1102         call sites.
1103
1104         * runtime/CodeCache.cpp:
1105         (JSC::CodeCache::getUnlinkedEvalCodeBlock):
1106         (JSC::CodeCache::getUnlinkedGlobalEvalCodeBlock): Deleted.
1107         * runtime/CodeCache.h:
1108         * runtime/DirectEvalExecutable.cpp:
1109         (JSC::DirectEvalExecutable::create):
1110         * runtime/IndirectEvalExecutable.cpp:
1111         (JSC::IndirectEvalExecutable::create):
1112         * runtime/JSGlobalObject.cpp:
1113         (JSC::JSGlobalObject::createProgramCodeBlock): Deleted.
1114         (JSC::JSGlobalObject::createLocalEvalCodeBlock): Deleted.
1115         (JSC::JSGlobalObject::createGlobalEvalCodeBlock): Deleted.
1116         (JSC::JSGlobalObject::createModuleProgramCodeBlock): Deleted.
1117         * runtime/JSGlobalObject.h:
1118         * runtime/ModuleProgramExecutable.cpp:
1119         (JSC::ModuleProgramExecutable::create):
1120         * runtime/ProgramExecutable.cpp:
1121         (JSC::ProgramExecutable::initializeGlobalProperties):
1122         * runtime/ProgramExecutable.h:
1123
1124 2016-11-30  Darin Adler  <darin@apple.com>
1125
1126         Roll out StringBuilder changes from the previous patch.
1127         They were a slowdown on a Kraken JSON test.
1128
1129         * runtime/JSONObject.cpp:
1130         Roll out changes from below.
1131
1132 2016-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1133
1134         [JSC] Specifying the same module entry point multiple times causes TypeError
1135         https://bugs.webkit.org/show_bug.cgi?id=164858
1136
1137         Reviewed by Saam Barati.
1138
1139         Allow importing the same module multiple times. Previously, specifying the same
1140         module in <script type="module" src="here"> threw a TypeError.
1141
1142         * builtins/ModuleLoaderPrototype.js:
1143         (requestFetch):
1144         (requestTranslate):
1145         (requestInstantiate):
1146         (requestSatisfy):
1147
1148 2016-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1149
1150         WebAssembly JS API: export a module namespace object instead of a module environment
1151         https://bugs.webkit.org/show_bug.cgi?id=165121
1152
1153         Reviewed by Saam Barati.
1154
1155         This patch sets up AbstractModuleRecord further for WebAssemblyModuleRecord.
1156         For exported entries in a wasm instance, we set up exported entries for
1157         AbstractModuleRecord. This allows us to export WASM exported functions in
1158         the module handling code.
1159
1160         Since the exported entries in the abstract module record are correctly
1161         instantiated, the module namespace object for WASM module also starts
1162         working correctly. So we start exposing the module namespace object
1163         as `instance.exports` instead of the module environment object.
1164
1165         And we move SourceCode, lexicalVariables, and declaredVariables fields to
1166         JSModuleRecord since they are related to JS source code (in the spec words,
1167         they are related to the source text module record).
1168
1169         * runtime/AbstractModuleRecord.cpp:
1170         (JSC::AbstractModuleRecord::AbstractModuleRecord):
1171         * runtime/AbstractModuleRecord.h:
1172         (JSC::AbstractModuleRecord::sourceCode): Deleted.
1173         (JSC::AbstractModuleRecord::declaredVariables): Deleted.
1174         (JSC::AbstractModuleRecord::lexicalVariables): Deleted.
1175         * runtime/JSModuleRecord.cpp:
1176         (JSC::JSModuleRecord::JSModuleRecord):
1177         * runtime/JSModuleRecord.h:
1178         (JSC::JSModuleRecord::sourceCode):
1179         (JSC::JSModuleRecord::declaredVariables):
1180         (JSC::JSModuleRecord::lexicalVariables):
1181         * wasm/WasmFormat.cpp:
1182         * wasm/js/JSWebAssemblyInstance.cpp:
1183         (JSC::JSWebAssemblyInstance::finishCreation):
1184         * wasm/js/WebAssemblyFunction.cpp:
1185         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1186         (JSC::constructJSWebAssemblyInstance):
1187         * wasm/js/WebAssemblyModuleRecord.cpp:
1188         (JSC::WebAssemblyModuleRecord::create):
1189         (JSC::WebAssemblyModuleRecord::WebAssemblyModuleRecord):
1190         (JSC::WebAssemblyModuleRecord::finishCreation):
1191         WebAssemblyModuleRecord::link should perform linking things.
1192         So allocating exported entries should be done here.
1193         (JSC::WebAssemblyModuleRecord::link):
1194         * wasm/js/WebAssemblyModuleRecord.h:
1195
1196 2016-11-30  Mark Lam  <mark.lam@apple.com>
1197
1198         TypeInfo::OutOfLineTypeFlags should be 16 bits in size.
1199         https://bugs.webkit.org/show_bug.cgi?id=165224
1200
1201         Reviewed by Saam Barati.
1202
1203         There's no reason for OutOfLineTypeFlags to be constrained to 8 bits since the
1204         space is available to us.  Making OutOfLineTypeFlags 16 bits brings TypeInfo up
1205         to 32 bits in size from the current 24 bits.
1206
1207         * runtime/JSTypeInfo.h:
1208         (JSC::TypeInfo::TypeInfo):
1209
1210 2016-11-30  Joseph Pecoraro  <pecoraro@apple.com>
1211
1212         REGRESSION: inspector/sampling-profiler/* LayoutTests are flaky timeouts
1213         https://bugs.webkit.org/show_bug.cgi?id=164388
1214         <rdar://problem/29101555>
1215
1216         Reviewed by Saam Barati.
1217
1218         There was a possibility of a deadlock between the main thread and the GC thread
1219         with the SamplingProfiler lock when Inspector is processing samples to send to
1220         the frontend. The Inspector (main thread) was holding the SamplingProfiler lock
1221         while processing samples, which runs JavaScript that could trigger a GC, and
1222         GC then tries to acquire the SamplingProfiler lock to process unprocessed samples.
1223
1224         A simple solution here is to tighten the bounds of when Inspector holds the
1225         SamplingProfiler lock. It only needs the lock when extracting samples from
1226         the SamplingProfiler. It doesn't need to hold the lock for processing those
1227         samples, which is what can run script and cause a GC.
1228
1229         * inspector/agents/InspectorScriptProfilerAgent.cpp:
1230         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
1231         Tighten bounds of this lock to only where it is needed.
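
        The lock-scope problem described above, as an added example that is not
        JavaScriptCore code: a sample buffer, a lock, and a per-sample processor
        that, like the script the Inspector runs, can trigger a GC which needs the
        same lock. The lock is a single-threaded stand-in (its tryLock() reports
        whether a blocking lock() would have deadlocked) and all type and function
        names are this example's own; the two tracking functions contrast the
        original lock scope with the tightened one.

```cpp
// Added example, not JavaScriptCore code: holding a lock across work that can
// re-enter the lock, and the fix of holding it only while extracting samples.
#include <cstdio>
#include <utility>
#include <vector>

// Single-threaded stand-in for the SamplingProfiler lock. A real mutex would
// block forever when the GC tried to take it while the Inspector holds it;
// this model just reports that a blocking lock() would have deadlocked.
class ProfilerLock {
public:
    void lock() { m_held = true; }
    void unlock() { m_held = false; }
    bool tryLock()
    {
        if (m_held)
            return false;
        m_held = true;
        return true;
    }
private:
    bool m_held = false;
};

// RAII holder so the lock's scope is visible as a C++ block.
struct ScopedLock {
    explicit ScopedLock(ProfilerLock& lock) : m_lock(lock) { m_lock.lock(); }
    ~ScopedLock() { m_lock.unlock(); }
    ProfilerLock& m_lock;
};

struct SampleBuffer {
    ProfilerLock lock;
    std::vector<int> unprocessedSamples; // constructed sample data
};

// Models processing one sample: it may run script, script may trigger a GC,
// and the GC needs the profiler lock. Returns true if the GC could take the
// lock, false if a real GC thread would have deadlocked here.
bool processSampleWithPossibleGC(SampleBuffer& buffer)
{
    if (!buffer.lock.tryLock())
        return false;
    buffer.lock.unlock();
    return true;
}

// Before the fix: the lock is held across the whole processing loop.
// Returns the number of samples whose processing would have deadlocked.
int trackingCompleteHoldingLock(SampleBuffer& buffer)
{
    ScopedLock locker(buffer.lock);
    int deadlocks = 0;
    for (size_t i = 0; i < buffer.unprocessedSamples.size(); ++i) {
        if (!processSampleWithPossibleGC(buffer))
            ++deadlocks;
    }
    buffer.unprocessedSamples.clear();
    return deadlocks;
}

// After the fix: hold the lock only to extract the samples, then process
// them with the lock released so a GC can take it.
int trackingCompleteTightLock(SampleBuffer& buffer)
{
    std::vector<int> samples;
    {
        ScopedLock locker(buffer.lock);
        samples.swap(buffer.unprocessedSamples);
    }
    int deadlocks = 0;
    for (size_t i = 0; i < samples.size(); ++i) {
        if (!processSampleWithPossibleGC(buffer))
            ++deadlocks;
    }
    return deadlocks;
}

int deadlocksBeforeFix()
{
    SampleBuffer buffer;
    buffer.unprocessedSamples = { 1, 2, 3 };
    return trackingCompleteHoldingLock(buffer);
}

int deadlocksAfterFix()
{
    SampleBuffer buffer;
    buffer.unprocessedSamples = { 1, 2, 3 };
    return trackingCompleteTightLock(buffer);
}

int main()
{
    std::printf("deadlocks before fix: %d, after fix: %d\n", deadlocksBeforeFix(), deadlocksAfterFix());
    return 0;
}
```

        Swapping the vector out under the lock is what makes the tightened version
        safe: the Inspector owns a private copy of the samples, so the profiler's
        buffer can be refilled by the sampling thread or drained by the GC while
        the Inspector processes its copy without holding anything.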
1232
1233 2016-11-30  Mark Lam  <mark.lam@apple.com>
1234
1235         Proxy is not allowed in the global prototype chain.
1236         https://bugs.webkit.org/show_bug.cgi?id=165205
1237
1238         Reviewed by Geoffrey Garen.
1239
1240         * runtime/ProgramExecutable.cpp:
1241         (JSC::ProgramExecutable::initializeGlobalProperties):
1242         - We'll now throw a TypeError if we detect a Proxy in the global prototype chain.
1243
1244 2016-11-30  Commit Queue  <commit-queue@webkit.org>
1245
1246         Unreviewed, rolling out r209112.
1247         https://bugs.webkit.org/show_bug.cgi?id=165208
1248
1249         "It regressed Octane/Raytrace and JetStream" (Requested by
1250         saamyjoon on #webkit).
1251
1252         Reverted changeset:
1253
1254         "We should support CreateThis in the FTL"
1255         https://bugs.webkit.org/show_bug.cgi?id=164904
1256         http://trac.webkit.org/changeset/209112
1257
1258 2016-11-30  Darin Adler  <darin@apple.com>
1259
1260         Streamline and speed up tokenizer and segmented string classes
1261         https://bugs.webkit.org/show_bug.cgi?id=165003
1262
1263         Reviewed by Sam Weinig.
1264
1265         * runtime/JSONObject.cpp:
1266         (JSC::Stringifier::appendStringifiedValue): Use viewWithUnderlyingString when calling
1267         StringBuilder::appendQuotedJSONString, since it now takes a StringView and there is
1268         no benefit in creating a String for that function if one doesn't already exist.
1269
1270 2016-11-29  JF Bastien  <jfbastien@apple.com>
1271
1272         WebAssembly JS API: improve Instance
1273         https://bugs.webkit.org/show_bug.cgi?id=164757
1274
1275         Reviewed by Keith Miller.
1276
1277         An Instance's `exports` property wasn't populated with exports.
1278
1279         According to the spec [0], `exports` should present itself as a WebAssembly
1280         Module Record. In order to do this we need to split JSModuleRecord into
1281         AbstractModuleRecord (without the `link` and `evaluate` functions), and
1282         JSModuleRecord (which implements link and evaluate). We can then have a separate
1283         WebAssemblyModuleRecord which shares most of the implementation.
1284
1285         `exports` then maps function names to WebAssemblyFunction and
1286         WebAssemblyFunctionCell, which call into the B3-generated WebAssembly code.
1287
1288         A follow-up patch will do imports.
1289
1290         A few things of note:
1291
1292          - Use Identifier instead of String. They get uniqued, we need them for the JSModuleNamespaceObject. This is safe because JSWebAssemblyModule creation is on the main thread.
1293          - JSWebAssemblyInstance needs to refer to the JSWebAssemblyModule used to create it, because the module owns the code, identifiers, etc. The world would be very sad if it got GC'd.
1294          - Instance.exports shouldn't use putWithoutTransition because it affects all Structures, whereas here each instance needs its own exports.
1295          - Expose the compiled functions, and pipe them to the InstanceConstructor. Start moving things around to split JSModuleRecord out into JS and WebAssembly parts.
1296
1297           [0]: https://github.com/WebAssembly/design/blob/master/JS.md#webassemblyinstance-constructor
1298
1299         * CMakeLists.txt:
1300         * JavaScriptCore.xcodeproj/project.pbxproj:
1301         * runtime/AbstractModuleRecord.cpp: Copied from Source/JavaScriptCore/runtime/JSModuleRecord.cpp, which I split in two
1302         (JSC::AbstractModuleRecord::AbstractModuleRecord):
1303         (JSC::AbstractModuleRecord::destroy):
1304         (JSC::AbstractModuleRecord::finishCreation):
1305         (JSC::AbstractModuleRecord::visitChildren):
1306         (JSC::AbstractModuleRecord::appendRequestedModule):
1307         (JSC::AbstractModuleRecord::addStarExportEntry):
1308         (JSC::AbstractModuleRecord::addImportEntry):
1309         (JSC::AbstractModuleRecord::addExportEntry):
1310         (JSC::identifierToJSValue):
1311         (JSC::AbstractModuleRecord::hostResolveImportedModule):
1312         (JSC::AbstractModuleRecord::ResolveQuery::ResolveQuery):
1313         (JSC::AbstractModuleRecord::ResolveQuery::isEmptyValue):
1314         (JSC::AbstractModuleRecord::ResolveQuery::isDeletedValue):
1315         (JSC::AbstractModuleRecord::ResolveQuery::Hash::hash):
1316         (JSC::AbstractModuleRecord::ResolveQuery::Hash::equal):
1317         (JSC::AbstractModuleRecord::cacheResolution):
1318         (JSC::getExportedNames):
1319         (JSC::AbstractModuleRecord::getModuleNamespace):
1320         (JSC::printableName):
1321         (JSC::AbstractModuleRecord::dump):
1322         * runtime/AbstractModuleRecord.h: Copied from Source/JavaScriptCore/runtime/JSModuleRecord.h.
1323         (JSC::AbstractModuleRecord::ImportEntry::isNamespace):
1324         (JSC::AbstractModuleRecord::sourceCode):
1325         (JSC::AbstractModuleRecord::moduleKey):
1326         (JSC::AbstractModuleRecord::requestedModules):
1327         (JSC::AbstractModuleRecord::exportEntries):
1328         (JSC::AbstractModuleRecord::importEntries):
1329         (JSC::AbstractModuleRecord::starExportEntries):
1330         (JSC::AbstractModuleRecord::declaredVariables):
1331         (JSC::AbstractModuleRecord::lexicalVariables):
1332         (JSC::AbstractModuleRecord::moduleEnvironment):
1333         * runtime/JSGlobalObject.cpp:
1334         (JSC::JSGlobalObject::init):
1335         (JSC::JSGlobalObject::visitChildren):
1336         * runtime/JSGlobalObject.h:
1337         (JSC::JSGlobalObject::webAssemblyModuleRecordStructure):
1338         (JSC::JSGlobalObject::webAssemblyFunctionStructure):
1339         * runtime/JSModuleEnvironment.cpp:
1340         (JSC::JSModuleEnvironment::create):
1341         (JSC::JSModuleEnvironment::finishCreation):
1342         (JSC::JSModuleEnvironment::getOwnPropertySlot):
1343         (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
1344         (JSC::JSModuleEnvironment::put):
1345         (JSC::JSModuleEnvironment::deleteProperty):
1346         * runtime/JSModuleEnvironment.h:
1347         (JSC::JSModuleEnvironment::create):
1348         (JSC::JSModuleEnvironment::offsetOfModuleRecord):
1349         (JSC::JSModuleEnvironment::allocationSize):
1350         (JSC::JSModuleEnvironment::moduleRecord):
1351         (JSC::JSModuleEnvironment::moduleRecordSlot):
1352         * runtime/JSModuleNamespaceObject.cpp:
1353         (JSC::JSModuleNamespaceObject::finishCreation):
1354         (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
1355         * runtime/JSModuleNamespaceObject.h:
1356         (JSC::JSModuleNamespaceObject::create):
1357         (JSC::JSModuleNamespaceObject::moduleRecord):
1358         * runtime/JSModuleRecord.cpp:
1359         (JSC::JSModuleRecord::createStructure):
1360         (JSC::JSModuleRecord::create):
1361         (JSC::JSModuleRecord::JSModuleRecord):
1362         (JSC::JSModuleRecord::destroy):
1363         (JSC::JSModuleRecord::finishCreation):
1364         (JSC::JSModuleRecord::visitChildren):
1365         (JSC::JSModuleRecord::instantiateDeclarations):
1366         * runtime/JSModuleRecord.h:
1367         * runtime/JSScope.cpp:
1368         (JSC::abstractAccess):
1369         (JSC::JSScope::collectClosureVariablesUnderTDZ):
1370         * runtime/VM.cpp:
1371         (JSC::VM::VM):
1372         * runtime/VM.h:
1373         * wasm/JSWebAssembly.h:
1374         * wasm/WasmFormat.h: use Identifier instead of String
1375         * wasm/WasmModuleParser.cpp:
1376         (JSC::Wasm::ModuleParser::parse):
1377         (JSC::Wasm::ModuleParser::parseType):
1378         (JSC::Wasm::ModuleParser::parseImport): fix off-by-one
1379         (JSC::Wasm::ModuleParser::parseFunction):
1380         (JSC::Wasm::ModuleParser::parseExport):
1381         * wasm/WasmModuleParser.h:
1382         (JSC::Wasm::ModuleParser::ModuleParser):
1383         * wasm/WasmPlan.cpp:
1384         (JSC::Wasm::Plan::run):
1385         * wasm/js/JSWebAssemblyInstance.cpp:
1386         (JSC::JSWebAssemblyInstance::create):
1387         (JSC::JSWebAssemblyInstance::finishCreation):
1388         (JSC::JSWebAssemblyInstance::visitChildren):
1389         * wasm/js/JSWebAssemblyInstance.h:
1390         (JSC::JSWebAssemblyInstance::module):
1391         * wasm/js/JSWebAssemblyModule.cpp:
1392         (JSC::JSWebAssemblyModule::create):
1393         (JSC::JSWebAssemblyModule::finishCreation):
1394         (JSC::JSWebAssemblyModule::visitChildren):
1395         * wasm/js/JSWebAssemblyModule.h:
1396         (JSC::JSWebAssemblyModule::moduleInformation):
1397         (JSC::JSWebAssemblyModule::compiledFunctions):
1398         (JSC::JSWebAssemblyModule::exportSymbolTable):
1399         * wasm/js/WebAssemblyFunction.cpp: Added.
1400         (JSC::callWebAssemblyFunction):
1401         (JSC::WebAssemblyFunction::create):
1402         (JSC::WebAssemblyFunction::createStructure):
1403         (JSC::WebAssemblyFunction::WebAssemblyFunction):
1404         (JSC::WebAssemblyFunction::visitChildren):
1405         (JSC::WebAssemblyFunction::finishCreation):
1406         * wasm/js/WebAssemblyFunction.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyModule.h.
1407         (JSC::CallableWebAssemblyFunction::CallableWebAssemblyFunction):
1408         (JSC::WebAssemblyFunction::webAssemblyFunctionCell):
1409         * wasm/js/WebAssemblyFunctionCell.cpp: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.h.
1410         (JSC::WebAssemblyFunctionCell::create):
1411         (JSC::WebAssemblyFunctionCell::WebAssemblyFunctionCell):
1412         (JSC::WebAssemblyFunctionCell::destroy):
1413         (JSC::WebAssemblyFunctionCell::createStructure):
1414         * wasm/js/WebAssemblyFunctionCell.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.h.
1415         (JSC::WebAssemblyFunctionCell::function):
1416         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1417         (JSC::constructJSWebAssemblyInstance):
1418         * wasm/js/WebAssemblyModuleConstructor.cpp:
1419         (JSC::constructJSWebAssemblyModule):
1420         * wasm/js/WebAssemblyModuleRecord.cpp: Added.
1421         (JSC::WebAssemblyModuleRecord::createStructure):
1422         (JSC::WebAssemblyModuleRecord::create):
1423         (JSC::WebAssemblyModuleRecord::WebAssemblyModuleRecord):
1424         (JSC::WebAssemblyModuleRecord::destroy):
1425         (JSC::WebAssemblyModuleRecord::finishCreation):
1426         (JSC::WebAssemblyModuleRecord::visitChildren):
1427         (JSC::WebAssemblyModuleRecord::link):
1428         (JSC::WebAssemblyModuleRecord::evaluate):
1429         * wasm/js/WebAssemblyModuleRecord.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyModule.h.
1430
1431 2016-11-29  Saam Barati  <sbarati@apple.com>
1432
1433         We should be able to optimize the pattern where we spread a function's rest parameter to another call
1434         https://bugs.webkit.org/show_bug.cgi?id=163865
1435
1436         Reviewed by Filip Pizlo.
1437
1438         This patch optimizes the following patterns to prevent both the allocation
1439         of the rest parameter, and the execution of the iterator protocol:
1440         
1441         ```
1442         function foo(...args) {
1443             let arr = [...args];
1444         }
1445         
1446         and
1447         
1448         function foo(...args) {
1449             bar(...args);
1450         }
1451         ```
1452         
1453         To do this, I've extended the arguments elimination phase to reason
1454         about Spread and NewArrayWithSpread. I've added two new nodes, PhantomSpread
1455         and PhantomNewArrayWithSpread. PhantomSpread is only allowed over rest
1456         parameters that don't escape. If the rest parameter *does* escape, we can't
1457         convert the spread into a phantom because it would not be sound w.r.t. JS
1458         semantics because we would be reading from the call frame even though
1459         the rest array may have changed.
1460         
1461         Note that NewArrayWithSpread also understands what to do when one of its
1462         arguments is PhantomSpread(@PhantomCreateRest) even if it itself is escaped.
1463         
1464         PhantomNewArrayWithSpread is only allowed over a series of
1465         PhantomSpread(@PhantomCreateRest) nodes. Like with PhantomSpread, PhantomNewArrayWithSpread
1466         is only allowed if none of its arguments that are being spread are escaped
1467         and if it itself is not escaped.
1468         
1469         Because there is a dependency between a node being a candidate and
1470         the escaped state of the node's children, I've extended the notion
1471         of escaping a node inside the arguments elimination phase. Now, when
1472         any node is escaped, we must consider all other candidates that may
1473         now no longer be valid.
1474         
1475         For example:
1476         
1477         ```
1478         function foo(...args) {
1479             escape(args);
1480             bar(...args);
1481         }
1482         ```
1483         
1484         In the above program, we don't know if the function call to escape()
1485         modifies args; therefore, the spread cannot become phantom because
1486         the execution of the spread may not be as simple as reading the
1487         arguments from the call frame.
1488         
1489         Unfortunately, the arguments elimination phase does not consider control
1490         flow when doing its escape analysis. It would be good to integrate this
1491         phase with the object allocation sinking phase. To see why, consider
1492         an example where we don't eliminate the spread and allocation of the rest
1493         parameter even though we could:
1494         
1495         ```
1496         function foo(rareCondition, ...args) {
1497             bar(...args);
1498             if (rareCondition)
1499                 baz(args);
1500         }
1501         ```
1502         
1503         There are only a few users of the PhantomSpread and PhantomNewArrayWithSpread
1504         nodes. PhantomSpread is only used by PhantomNewArrayWithSpread and NewArrayWithSpread.
1505         PhantomNewArrayWithSpread is only used by ForwardVarargs and the various
1506         *Call*ForwardVarargs nodes. The users of these phantoms know how to produce
1507         what the phantom node would have produced. For example, NewArrayWithSpread
1508         knows how to produce the values that would have been produced by PhantomSpread(@PhantomCreateRest)
1509         by directly reading from the call frame.
1510         
1511         This patch is a 6% speedup on my MBP on ES6SampleBench.
1512
1513         * b3/B3LowerToAir.cpp:
1514         (JSC::B3::Air::LowerToAir::tryAppendLea):
1515         * b3/B3ValueRep.h:
1516         * builtins/BuiltinExecutables.cpp:
1517         (JSC::BuiltinExecutables::createDefaultConstructor):
1518         * dfg/DFGAbstractInterpreterInlines.h:
1519         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1520         * dfg/DFGArgumentsEliminationPhase.cpp:
1521         * dfg/DFGClobberize.h:
1522         (JSC::DFG::clobberize):
1523         * dfg/DFGDoesGC.cpp:
1524         (JSC::DFG::doesGC):
1525         * dfg/DFGFixupPhase.cpp:
1526         (JSC::DFG::FixupPhase::fixupNode):
1527         * dfg/DFGForAllKills.h:
1528         (JSC::DFG::forAllKillsInBlock):
1529         * dfg/DFGNode.h:
1530         (JSC::DFG::Node::hasConstant):
1531         (JSC::DFG::Node::constant):
1532         (JSC::DFG::Node::bitVector):
1533         (JSC::DFG::Node::isPhantomAllocation):
1534         * dfg/DFGNodeType.h:
1535         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
1536         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
1537         (JSC::DFG::LocalOSRAvailabilityCalculator::LocalOSRAvailabilityCalculator):
1538         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
1539         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
1540         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1541         * dfg/DFGPreciseLocalClobberize.h:
1542         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1543         * dfg/DFGPredictionPropagationPhase.cpp:
1544         * dfg/DFGPromotedHeapLocation.cpp:
1545         (WTF::printInternal):
1546         * dfg/DFGPromotedHeapLocation.h:
1547         * dfg/DFGSafeToExecute.h:
1548         (JSC::DFG::safeToExecute):
1549         * dfg/DFGSpeculativeJIT32_64.cpp:
1550         (JSC::DFG::SpeculativeJIT::compile):
1551         * dfg/DFGSpeculativeJIT64.cpp:
1552         (JSC::DFG::SpeculativeJIT::compile):
1553         * dfg/DFGValidate.cpp:
1554         * ftl/FTLCapabilities.cpp:
1555         (JSC::FTL::canCompile):
1556         * ftl/FTLLowerDFGToB3.cpp:
1557         (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
1558         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1559         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
1560         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
1561         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
1562         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
1563         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs):
1564         (JSC::FTL::DFG::LowerDFGToB3::getSpreadLengthFromInlineCallFrame):
1565         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread):
1566         * ftl/FTLOperations.cpp:
1567         (JSC::FTL::operationPopulateObjectInOSR):
1568         (JSC::FTL::operationMaterializeObjectInOSR):
1569         * jit/SetupVarargsFrame.cpp:
1570         (JSC::emitSetupVarargsFrameFastCase):
1571         * jsc.cpp:
1572         (GlobalObject::finishCreation):
1573         (functionMaxArguments):
1574         * runtime/JSFixedArray.h:
1575         (JSC::JSFixedArray::createFromArray):
1576
1577 2016-11-29  Commit Queue  <commit-queue@webkit.org>
1578
1579         Unreviewed, rolling out r209058 and r209074.
1580         https://bugs.webkit.org/show_bug.cgi?id=165188
1581
1582         These changes caused API test StringBuilderTest.Equal to crash
1583         and/or fail. (Requested by ryanhaddad on #webkit).
1584
1585         Reverted changesets:
1586
1587         "Streamline and speed up tokenizer and segmented string
1588         classes"
1589         https://bugs.webkit.org/show_bug.cgi?id=165003
1590         http://trac.webkit.org/changeset/209058
1591
1592         "REGRESSION (r209058): API test StringBuilderTest.Equal
1593         crashing"
1594         https://bugs.webkit.org/show_bug.cgi?id=165142
1595         http://trac.webkit.org/changeset/209074
1596
1597 2016-11-29  Caitlin Potter  <caitp@igalia.com>
1598
1599         [JSC] always wrap AwaitExpression operand in a new Promise
1600         https://bugs.webkit.org/show_bug.cgi?id=165181
1601
1602         Reviewed by Yusuke Suzuki.
1603
1604         Ensure operand of AwaitExpression is wrapped in a new Promise by
1605         explicitly creating a new Promise Capability and invoking its
1606         resolve callback. This avoids the specified short-circuit for
1607         Promise.resolve().
1608
1609         * builtins/AsyncFunctionPrototype.js:
1610         (globalPrivate.asyncFunctionResume):
1611
1612 2016-11-29  Saam Barati  <sbarati@apple.com>
1613
1614         We should support CreateThis in the FTL
1615         https://bugs.webkit.org/show_bug.cgi?id=164904
1616
1617         Reviewed by Geoffrey Garen.
1618
1619         * ftl/FTLAbstractHeapRepository.h:
1620         * ftl/FTLCapabilities.cpp:
1621         (JSC::FTL::canCompile):
1622         * ftl/FTLLowerDFGToB3.cpp:
1623         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1624         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1625         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1626         (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis):
1627         (JSC::FTL::DFG::LowerDFGToB3::storeStructure):
1628         (JSC::FTL::DFG::LowerDFGToB3::allocateCell):
1629         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1630         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
1631         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
1632         * runtime/Structure.h:
1633
1634 2016-11-29  Mark Lam  <mark.lam@apple.com>
1635
1636         Fix exception scope verification failures in runtime/RegExp* files.
1637         https://bugs.webkit.org/show_bug.cgi?id=165054
1638
1639         Reviewed by Saam Barati.
1640
1641         Also replaced returning JSValue() with returning { }.
1642
1643         * runtime/RegExpConstructor.cpp:
1644         (JSC::toFlags):
1645         (JSC::regExpCreate):
1646         (JSC::constructRegExp):
1647         * runtime/RegExpObject.cpp:
1648         (JSC::RegExpObject::defineOwnProperty):
1649         (JSC::collectMatches):
1650         (JSC::RegExpObject::matchGlobal):
1651         * runtime/RegExpObjectInlines.h:
1652         (JSC::getRegExpObjectLastIndexAsUnsigned):
1653         (JSC::RegExpObject::execInline):
1654         (JSC::RegExpObject::matchInline):
1655         * runtime/RegExpPrototype.cpp:
1656         (JSC::regExpProtoFuncCompile):
1657         (JSC::flagsString):
1658         (JSC::regExpProtoFuncToString):
1659         (JSC::regExpProtoFuncSplitFast):
1660
1661 2016-11-29  Andy Estes  <aestes@apple.com>
1662
1663         [Cocoa] Enable two clang warnings recommended by Xcode
1664         https://bugs.webkit.org/show_bug.cgi?id=164498
1665
1666         Reviewed by Mark Lam.
1667
1668         * Configurations/Base.xcconfig: Enabled CLANG_WARN_INFINITE_RECURSION and CLANG_WARN_SUSPICIOUS_MOVE.
1669
1670 2016-11-29  Keith Miller  <keith_miller@apple.com>
1671
1672         Add simple way to implement Wasm ops that require more than one B3 opcode
1673         https://bugs.webkit.org/show_bug.cgi?id=165129
1674
1675         Reviewed by Geoffrey Garen.
1676
1677         This patch adds a simple way to show the B3IRGenerator opcode script how
1678         to generate code for Wasm opcodes that do not have a one to one mapping.
1679         The syntax is pretty simple right now. There are only three things one
1680         can use as of this patch (although more things might be added in the future):
1681         1) Wasm opcode arguments: These are referred to as @<argument_number>. For example,
1682            I32.sub would map to Sub(@0, @1).
1683         2) 32-bit int constants: These are referred to as i32(<value>). For example, i32.inc
1684            would map to Add(@0, i32(1))
1685         3) B3 opcodes: These are referred to as the B3 opcode name followed by the B3Value's constructor
1686            arguments. A value may take the result of another value as an argument. For example, you can do
1687            Div(Mul(@0, Add(@0, i32(1))), i32(2)) if there was a b3 opcode that computed the sum from 1 to n.
1688
1689         These scripts are used to implement Wasm's eqz and floating point max/min opcodes. This patch
1690         also adds missing support for the Wasm Neg opcodes.
1691
1692         * jsc.cpp:
1693         (box):
1694         (functionTestWasmModuleFunctions):
1695         * wasm/WasmB3IRGenerator.cpp:
1696         (JSC::Wasm::toB3Op): Deleted.
1697         * wasm/WasmFunctionParser.h:
1698         (JSC::Wasm::FunctionParser<Context>::parseBody):
1699         * wasm/WasmModuleParser.cpp:
1700         (JSC::Wasm::ModuleParser::parseType):
1701         * wasm/WasmParser.h:
1702         (JSC::Wasm::Parser::parseUInt8):
1703         (JSC::Wasm::Parser::parseValueType):
1704         * wasm/generateWasmB3IRGeneratorInlinesHeader.py:
1705         (Source):
1706         (Source.__init__):
1707         (read):
1708         (lex):
1709         (CodeGenerator):
1710         (CodeGenerator.__init__):
1711         (CodeGenerator.advance):
1712         (CodeGenerator.token):
1713         (CodeGenerator.parseError):
1714         (CodeGenerator.consume):
1715         (CodeGenerator.generateParameters):
1716         (CodeGenerator.generateOpcode):
1717         (CodeGenerator.generate):
1718         (temp):
1719         (generateB3OpCode):
1720         (generateI32ConstCode):
1721         (generateB3Code):
1722         (generateSimpleCode):
1723         * wasm/wasm.json:
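
As an added illustration of the opcode-script syntax the entry above describes (not the project's own generateWasmB3IRGeneratorInlinesHeader.py), the following Python lexes and parses scripts such as `Div(Mul(@0, Add(@0, i32(1))), i32(2))` into a small tree and then evaluates that tree on concrete i32 argument values. The set of B3 opcode names it understands (Add, Sub, Mul, Div, Neg, Equal) and their 32-bit semantics are assumptions made for this example, not taken from the page.

```python
import re

# Token pattern for the script syntax: '@N' argument references, integer
# literals (used inside i32(...)), opcode identifiers, and punctuation.
_TOKEN_RE = re.compile(r"\s*(?:(@\d+)|(\d+)|([A-Za-z_]\w*)|([(),]))")

_MASK32 = 0xFFFFFFFF


def lex(script):
    """Split an opcode script into (kind, value) tokens."""
    script = script.strip()
    tokens = []
    pos = 0
    while pos < len(script):
        match = _TOKEN_RE.match(script, pos)
        if match is None:
            raise ValueError("unexpected character at offset %d: %r" % (pos, script[pos]))
        pos = match.end()
        arg, num, ident, punct = match.groups()
        if arg is not None:
            tokens.append(("arg", int(arg[1:])))
        elif num is not None:
            tokens.append(("int", int(num)))
        elif ident is not None:
            tokens.append(("ident", ident))
        else:
            tokens.append((punct, punct))
    return tokens


class _Parser:
    """Recursive-descent parser; nodes are ('arg', n), ('i32', v) or ('op', name, [children])."""

    def __init__(self, tokens):
        self.tokens = tokens
        self.pos = 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else (None, None)

    def consume(self, kind):
        actual, value = self.peek()
        if actual != kind:
            raise ValueError("expected %r but found %r" % (kind, actual))
        self.pos += 1
        return value

    def parse_value(self):
        kind, value = self.peek()
        if kind == "arg":
            self.pos += 1
            return ("arg", value)
        if kind != "ident":
            raise ValueError("expected an argument or opcode, found %r" % (kind,))
        self.pos += 1
        self.consume("(")
        if value == "i32":                      # i32(<value>) constant
            constant = self.consume("int")
            self.consume(")")
            return ("i32", constant)
        operands = []                           # B3 opcode with nested values
        if self.peek()[0] != ")":
            operands.append(self.parse_value())
            while self.peek()[0] == ",":
                self.pos += 1
                operands.append(self.parse_value())
        self.consume(")")
        return ("op", value, operands)


def parse_script(script):
    parser = _Parser(lex(script))
    tree = parser.parse_value()
    if parser.peek()[0] is not None:
        raise ValueError("trailing tokens after expression")
    return tree


def wrap32(x):
    return x & _MASK32


def signed32(x):
    x &= _MASK32
    return x - (1 << 32) if x & 0x80000000 else x


def _div_s(a, b):
    # Truncating signed division; a zero divisor traps like Wasm i32.div_s (assumed here).
    if b == 0:
        raise ZeroDivisionError("integer divide by zero")
    sa, sb = signed32(a), signed32(b)
    quotient = abs(sa) // abs(sb)
    return wrap32(-quotient if (sa < 0) != (sb < 0) else quotient)


# Assumed 32-bit semantics for a handful of B3 opcodes (example only).
B3_OPS = {
    "Add": lambda a, b: wrap32(a + b),
    "Sub": lambda a, b: wrap32(a - b),
    "Mul": lambda a, b: wrap32(a * b),
    "Div": _div_s,
    "Neg": lambda a: wrap32(-a),
    "Equal": lambda a, b: 1 if a == b else 0,
}


def evaluate(node, args):
    """Evaluate a parsed script tree; args are the Wasm operand values (@0, @1, ...)."""
    kind = node[0]
    if kind == "arg":
        return wrap32(args[node[1]])
    if kind == "i32":
        return wrap32(node[1])
    _, name, operands = node
    if name not in B3_OPS:
        raise ValueError("unknown B3 opcode %r" % name)
    values = [evaluate(child, args) for child in operands]
    return B3_OPS[name](*values)


def run_script(script, args):
    return evaluate(parse_script(script), args)
```

With this evaluator, `Equal(@0, i32(0))` behaves like eqz and the sum-from-1-to-n script from the entry yields 55 for `@0 = 10`.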
1724
1725 2016-11-29  Mark Lam  <mark.lam@apple.com>
1726
1727         Fix exception scope verification failures in ProxyConstructor.cpp and ProxyObject.cpp.
1728         https://bugs.webkit.org/show_bug.cgi?id=165053
1729
1730         Reviewed by Saam Barati.
1731
1732         Also replaced returning JSValue() with returning { }.
1733
1734         * runtime/ProxyConstructor.cpp:
1735         (JSC::constructProxyObject):
1736         * runtime/ProxyObject.cpp:
1737         (JSC::ProxyObject::structureForTarget):
1738         (JSC::performProxyGet):
1739         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1740         (JSC::ProxyObject::performHasProperty):
1741         (JSC::ProxyObject::getOwnPropertySlotCommon):
1742         (JSC::ProxyObject::performPut):
1743         (JSC::ProxyObject::putByIndexCommon):
1744         (JSC::performProxyCall):
1745         (JSC::performProxyConstruct):
1746         (JSC::ProxyObject::performDelete):
1747         (JSC::ProxyObject::performPreventExtensions):
1748         (JSC::ProxyObject::performIsExtensible):
1749         (JSC::ProxyObject::performDefineOwnProperty):
1750         (JSC::ProxyObject::performGetOwnPropertyNames):
1751         (JSC::ProxyObject::performSetPrototype):
1752         (JSC::ProxyObject::performGetPrototype):
1753
1754 2016-11-28  Matt Baker  <mattbaker@apple.com>
1755
1756         Web Inspector: Debugger should have an option for showing asynchronous call stacks
1757         https://bugs.webkit.org/show_bug.cgi?id=163230
1758         <rdar://problem/28698683>
1759
1760         Reviewed by Joseph Pecoraro.
1761
1762         * inspector/ScriptCallFrame.cpp:
1763         (Inspector::ScriptCallFrame::isNative):
1764         Encapsulate check for native code source URL.
1765
1766         * inspector/ScriptCallFrame.h:
1767         * inspector/ScriptCallStack.cpp:
1768         (Inspector::ScriptCallStack::firstNonNativeCallFrame):
1769         (Inspector::ScriptCallStack::buildInspectorArray):
1770         * inspector/ScriptCallStack.h:
1771         Replace use of Console::StackTrace with Array<Console::CallFrame>.
1772
1773         * inspector/agents/InspectorDebuggerAgent.cpp:
1774         (Inspector::InspectorDebuggerAgent::disable):
1775         (Inspector::InspectorDebuggerAgent::setAsyncStackTraceDepth):
1776         Set number of async frames to store (including boundary frames).
1777         A value of zero disables recording of async call stacks.
1778
1779         (Inspector::InspectorDebuggerAgent::buildAsyncStackTrace):
1780         Helper function for building a linked list of StackTraces.
1781         (Inspector::InspectorDebuggerAgent::didScheduleAsyncCall):
1782         Store a call stack for the script that scheduled the async call.
1783         If the call repeats (e.g. setInterval), the starting reference count is
1784         set to 1. This ensures that dereffing after dispatch won't clear the stack.
1785         If another async call is currently being dispatched, increment the
1786         AsyncCallData reference count for that call.
1787
1788         (Inspector::InspectorDebuggerAgent::didCancelAsyncCall):
1789         Decrement the reference count for the canceled call.
1790
1791         (Inspector::InspectorDebuggerAgent::willDispatchAsyncCall):
1792         Set the identifier for the async callback currently being dispatched,
1793         so that if the debugger pauses during dispatch a stack trace can be
1794         associated with the pause location. If an async call is already being
1795         dispatched, which could be the case when a script schedules an async
1796         call in a nested runloop, do nothing.
1797
1798         (Inspector::InspectorDebuggerAgent::didDispatchAsyncCall):
1799         Decrement the reference count for the canceled call.
1800         (Inspector::InspectorDebuggerAgent::didPause):
1801         If a stored stack trace exists for this location, convert to a protocol
1802         object and send to the frontend.
1803
1804         (Inspector::InspectorDebuggerAgent::didClearGlobalObject):
1805         (Inspector::InspectorDebuggerAgent::clearAsyncStackTraceData):
1806         (Inspector::InspectorDebuggerAgent::refAsyncCallData):
1807         Increment AsyncCallData reference count.
1808         (Inspector::InspectorDebuggerAgent::derefAsyncCallData):
1809         Decrement AsyncCallData reference count. If zero, deref its parent
1810         (if it exists) and remove the AsyncCallData entry.
1811
1812         * inspector/agents/InspectorDebuggerAgent.h:
1813
1814         * inspector/protocol/Console.json:
1815         * inspector/protocol/Network.json:
1816         Replace use of Console.StackTrace with array of Console.CallFrame.
1817
1818         * inspector/protocol/Debugger.json:
1819         New protocol command and event data.
1820
1821 2016-11-28  Darin Adler  <darin@apple.com>
1822
1823         Streamline and speed up tokenizer and segmented string classes
1824         https://bugs.webkit.org/show_bug.cgi?id=165003
1825
1826         Reviewed by Sam Weinig.
1827
1828         * runtime/JSONObject.cpp:
1829         (JSC::Stringifier::appendStringifiedValue): Use viewWithUnderlyingString when calling
1830         StringBuilder::appendQuotedJSONString, since it now takes a StringView and there is
1831         no benefit in creating a String for that function if one doesn't already exist.
1832
1833 2016-11-21  Mark Lam  <mark.lam@apple.com>
1834
1835         Fix exception scope verification failures in runtime/Intl* files.
1836         https://bugs.webkit.org/show_bug.cgi?id=165014
1837
1838         Reviewed by Saam Barati.
1839
1840         * runtime/IntlCollatorConstructor.cpp:
1841         (JSC::constructIntlCollator):
1842         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
1843         * runtime/IntlCollatorPrototype.cpp:
1844         (JSC::IntlCollatorPrototypeFuncResolvedOptions):
1845         * runtime/IntlDateTimeFormatConstructor.cpp:
1846         (JSC::constructIntlDateTimeFormat):
1847         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
1848         * runtime/IntlDateTimeFormatPrototype.cpp:
1849         (JSC::IntlDateTimeFormatFuncFormatDateTime):
1850         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
1851         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
1852         * runtime/IntlNumberFormatConstructor.cpp:
1853         (JSC::constructIntlNumberFormat):
1854         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
1855         * runtime/IntlNumberFormatPrototype.cpp:
1856         (JSC::IntlNumberFormatFuncFormatNumber):
1857         (JSC::IntlNumberFormatPrototypeGetterFormat):
1858         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
1859         * runtime/IntlObject.cpp:
1860         (JSC::lookupSupportedLocales):
1861         * runtime/IntlObjectInlines.h:
1862         (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
1863
1864 2016-11-28  Mark Lam  <mark.lam@apple.com>
1865
1866         Fix exception scope verification failures in IteratorOperations.h.
1867         https://bugs.webkit.org/show_bug.cgi?id=165015
1868
1869         Reviewed by Saam Barati.
1870
1871         * runtime/IteratorOperations.h:
1872         (JSC::forEachInIterable):
1873
1874 2016-11-28  Mark Lam  <mark.lam@apple.com>
1875
1876         Fix exception scope verification failures in JSArray* files.
1877         https://bugs.webkit.org/show_bug.cgi?id=165016
1878
1879         Reviewed by Saam Barati.
1880
1881         * runtime/JSArray.cpp:
1882         (JSC::JSArray::defineOwnProperty):
1883         (JSC::JSArray::put):
1884         (JSC::JSArray::setLength):
1885         (JSC::JSArray::pop):
1886         (JSC::JSArray::push):
1887         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1888         * runtime/JSArrayBuffer.cpp:
1889         (JSC::JSArrayBuffer::put):
1890         (JSC::JSArrayBuffer::defineOwnProperty):
1891         * runtime/JSArrayInlines.h:
1892         (JSC::getLength):
1893         (JSC::toLength):
1894
1895 2016-11-28  Mark Lam  <mark.lam@apple.com>
1896
1897         Fix exception scope verification failures in JSDataView.cpp.
1898         https://bugs.webkit.org/show_bug.cgi?id=165020
1899
1900         Reviewed by Saam Barati.
1901
1902         * runtime/JSDataView.cpp:
1903         (JSC::JSDataView::put):
1904
1905 2016-11-28  Mark Lam  <mark.lam@apple.com>
1906
1907         Fix exception scope verification failures in JSFunction.cpp.
1908         https://bugs.webkit.org/show_bug.cgi?id=165021
1909
1910         Reviewed by Saam Barati.
1911
1912         * runtime/JSFunction.cpp:
1913         (JSC::JSFunction::put):
1914         (JSC::JSFunction::defineOwnProperty):
1915
1916 2016-11-28  Mark Lam  <mark.lam@apple.com>
1917
1918         Fix exception scope verification failures in runtime/JSGenericTypedArrayView* files.
1919         https://bugs.webkit.org/show_bug.cgi?id=165022
1920
1921         Reviewed by Saam Barati.
1922
1923         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1924         (JSC::constructGenericTypedArrayViewFromIterator):
1925         (JSC::constructGenericTypedArrayViewWithArguments):
1926         (JSC::constructGenericTypedArrayView):
1927         * runtime/JSGenericTypedArrayViewInlines.h:
1928         (JSC::JSGenericTypedArrayView<Adaptor>::set):
1929         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
1930         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1931         (JSC::speciesConstruct):
1932         (JSC::genericTypedArrayViewProtoFuncSet):
1933         (JSC::genericTypedArrayViewProtoFuncJoin):
1934         (JSC::genericTypedArrayViewProtoFuncSlice):
1935         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
1936
1937 2016-11-28  Mark Lam  <mark.lam@apple.com>
1938
1939         Fix exception scope verification failures in runtime/Operations.cpp/h.
1940         https://bugs.webkit.org/show_bug.cgi?id=165046
1941
1942         Reviewed by Saam Barati.
1943
1944         Also switched to using returning { } instead of JSValue().
1945
1946         * runtime/Operations.cpp:
1947         (JSC::jsAddSlowCase):
1948         (JSC::jsIsObjectTypeOrNull):
1949         * runtime/Operations.h:
1950         (JSC::jsStringFromRegisterArray):
1951         (JSC::jsStringFromArguments):
1952         (JSC::jsLess):
1953         (JSC::jsLessEq):
1954
1955 2016-11-28  Mark Lam  <mark.lam@apple.com>
1956
1957         Fix exception scope verification failures in JSScope.cpp.
1958         https://bugs.webkit.org/show_bug.cgi?id=165047
1959
1960         Reviewed by Saam Barati.
1961
1962         * runtime/JSScope.cpp:
1963         (JSC::JSScope::resolve):
1964
1965 2016-11-28  Mark Lam  <mark.lam@apple.com>
1966
1967         Fix exception scope verification failures in JSTypedArrayViewPrototype.cpp.
1968         https://bugs.webkit.org/show_bug.cgi?id=165049
1969
1970         Reviewed by Saam Barati.
1971
1972         * runtime/JSTypedArrayViewPrototype.cpp:
1973         (JSC::typedArrayViewPrivateFuncSort):
1974         (JSC::typedArrayViewProtoFuncSet):
1975         (JSC::typedArrayViewProtoFuncCopyWithin):
1976         (JSC::typedArrayViewProtoFuncIncludes):
1977         (JSC::typedArrayViewProtoFuncLastIndexOf):
1978         (JSC::typedArrayViewProtoFuncIndexOf):
1979         (JSC::typedArrayViewProtoFuncJoin):
1980         (JSC::typedArrayViewProtoGetterFuncBuffer):
1981         (JSC::typedArrayViewProtoGetterFuncLength):
1982         (JSC::typedArrayViewProtoGetterFuncByteLength):
1983         (JSC::typedArrayViewProtoGetterFuncByteOffset):
1984         (JSC::typedArrayViewProtoFuncReverse):
1985         (JSC::typedArrayViewPrivateFuncSubarrayCreate):
1986         (JSC::typedArrayViewProtoFuncSlice):
1987
1988 2016-11-28  Mark Lam  <mark.lam@apple.com>
1989
1990         Fix exception scope verification failures in runtime/Map* files.
1991         https://bugs.webkit.org/show_bug.cgi?id=165050
1992
1993         Reviewed by Saam Barati.
1994
1995         * runtime/MapConstructor.cpp:
1996         (JSC::constructMap):
1997         * runtime/MapIteratorPrototype.cpp:
1998         (JSC::MapIteratorPrototypeFuncNext):
1999         * runtime/MapPrototype.cpp:
2000         (JSC::privateFuncMapIteratorNext):
2001
2002 2016-11-28  Mark Lam  <mark.lam@apple.com>
2003
2004         Fix exception scope verification failures in more miscellaneous files.
2005         https://bugs.webkit.org/show_bug.cgi?id=165102
2006
2007         Reviewed by Saam Barati.
2008
2009         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2010         (JSC::constructJSWebAssemblyInstance):
2011
2012 2016-11-28  Mark Lam  <mark.lam@apple.com>
2013
2014         Fix exception scope verification failures in runtime/Weak* files.
2015         https://bugs.webkit.org/show_bug.cgi?id=165096
2016
2017         Reviewed by Geoffrey Garen.
2018
2019         * runtime/WeakMapConstructor.cpp:
2020         (JSC::constructWeakMap):
2021         * runtime/WeakMapPrototype.cpp:
2022         (JSC::protoFuncWeakMapSet):
2023         * runtime/WeakSetConstructor.cpp:
2024         (JSC::constructWeakSet):
2025         * runtime/WeakSetPrototype.cpp:
2026         (JSC::protoFuncWeakSetAdd):
2027
2028 2016-11-28  Mark Lam  <mark.lam@apple.com>
2029
2030         Fix exception scope verification failures in runtime/String* files.
2031         https://bugs.webkit.org/show_bug.cgi?id=165067
2032
2033         Reviewed by Saam Barati.
2034
2035         * runtime/StringConstructor.cpp:
2036         (JSC::stringFromCodePoint):
2037         (JSC::constructWithStringConstructor):
2038         * runtime/StringObject.cpp:
2039         (JSC::StringObject::put):
2040         (JSC::StringObject::putByIndex):
2041         (JSC::StringObject::defineOwnProperty):
2042         * runtime/StringPrototype.cpp:
2043         (JSC::jsSpliceSubstrings):
2044         (JSC::jsSpliceSubstringsWithSeparators):
2045         (JSC::replaceUsingRegExpSearch):
2046         (JSC::replaceUsingStringSearch):
2047         (JSC::repeatCharacter):
2048         (JSC::replace):
2049         (JSC::stringProtoFuncReplaceUsingStringSearch):
2050         (JSC::stringProtoFuncCharAt):
2051         (JSC::stringProtoFuncCodePointAt):
2052         (JSC::stringProtoFuncConcat):
2053         (JSC::stringProtoFuncIndexOf):
2054         (JSC::stringProtoFuncLastIndexOf):
2055         (JSC::splitStringByOneCharacterImpl):
2056         (JSC::stringProtoFuncSplitFast):
2057         (JSC::stringProtoFuncSubstring):
2058         (JSC::stringProtoFuncToLowerCase):
2059         (JSC::stringProtoFuncToUpperCase):
2060         (JSC::toLocaleCase):
2061         (JSC::trimString):
2062         (JSC::stringProtoFuncIncludes):
2063         (JSC::builtinStringIncludesInternal):
2064         (JSC::stringProtoFuncIterator):
2065         (JSC::normalize):
2066         (JSC::stringProtoFuncNormalize):
2067
2068 2016-11-28  Mark Lam  <mark.lam@apple.com>
2069
2070         Fix exception scope verification failures in ObjectConstructor.cpp and ObjectPrototype.cpp.
2071         https://bugs.webkit.org/show_bug.cgi?id=165051
2072
2073         Reviewed by Saam Barati.
2074
2075         Also,
2076         1. Replaced returning JSValue() with returning { }.
2077         2. Replaced uses of exec->propertyNames() with vm.propertyNames.
2078
2079         * runtime/ObjectConstructor.cpp:
2080         (JSC::constructObject):
2081         (JSC::objectConstructorGetPrototypeOf):
2082         (JSC::objectConstructorGetOwnPropertyDescriptor):
2083         (JSC::objectConstructorGetOwnPropertyDescriptors):
2084         (JSC::objectConstructorGetOwnPropertyNames):
2085         (JSC::objectConstructorGetOwnPropertySymbols):
2086         (JSC::objectConstructorKeys):
2087         (JSC::ownEnumerablePropertyKeys):
2088         (JSC::toPropertyDescriptor):
2089         (JSC::defineProperties):
2090         (JSC::objectConstructorDefineProperties):
2091         (JSC::objectConstructorCreate):
2092         (JSC::setIntegrityLevel):
2093         (JSC::objectConstructorSeal):
2094         (JSC::objectConstructorPreventExtensions):
2095         (JSC::objectConstructorIsSealed):
2096         (JSC::objectConstructorIsFrozen):
2097         (JSC::ownPropertyKeys):
2098         * runtime/ObjectPrototype.cpp:
2099         (JSC::objectProtoFuncValueOf):
2100         (JSC::objectProtoFuncHasOwnProperty):
2101         (JSC::objectProtoFuncIsPrototypeOf):
2102         (JSC::objectProtoFuncDefineGetter):
2103         (JSC::objectProtoFuncDefineSetter):
2104         (JSC::objectProtoFuncLookupGetter):
2105         (JSC::objectProtoFuncLookupSetter):
2106         (JSC::objectProtoFuncToLocaleString):
2107         (JSC::objectProtoFuncToString):
2108
2109 2016-11-26  Mark Lam  <mark.lam@apple.com>
2110
2111         Fix exception scope verification failures in miscellaneous files.
2112         https://bugs.webkit.org/show_bug.cgi?id=165055
2113
2114         Reviewed by Saam Barati.
2115
2116         * runtime/MathObject.cpp:
2117         (JSC::mathProtoFuncIMul):
2118         * runtime/ModuleLoaderPrototype.cpp:
2119         (JSC::moduleLoaderPrototypeParseModule):
2120         (JSC::moduleLoaderPrototypeRequestedModules):
2121         * runtime/NativeErrorConstructor.cpp:
2122         (JSC::Interpreter::constructWithNativeErrorConstructor):
2123         * runtime/NumberConstructor.cpp:
2124         (JSC::constructWithNumberConstructor):
2125         * runtime/SetConstructor.cpp:
2126         (JSC::constructSet):
2127         * runtime/SetIteratorPrototype.cpp:
2128         (JSC::SetIteratorPrototypeFuncNext):
2129         * runtime/SparseArrayValueMap.cpp:
2130         (JSC::SparseArrayValueMap::putEntry):
2131         (JSC::SparseArrayEntry::put):
2132         * runtime/TemplateRegistry.cpp:
2133         (JSC::TemplateRegistry::getTemplateObject):
2134
2135 2016-11-28  Mark Lam  <mark.lam@apple.com>
2136
2137         Fix exception scope verification failures in ReflectObject.cpp.
2138         https://bugs.webkit.org/show_bug.cgi?id=165066
2139
2140         Reviewed by Saam Barati.
2141
2142         * runtime/ReflectObject.cpp:
2143         (JSC::reflectObjectConstruct):
2144         (JSC::reflectObjectDefineProperty):
2145         (JSC::reflectObjectEnumerate):
2146         (JSC::reflectObjectGet):
2147         (JSC::reflectObjectGetOwnPropertyDescriptor):
2148         (JSC::reflectObjectGetPrototypeOf):
2149         (JSC::reflectObjectOwnKeys):
2150         (JSC::reflectObjectSet):
2151
2152 2016-11-24  Mark Lam  <mark.lam@apple.com>
2153
2154         Fix exception scope verification failures in ArrayConstructor.cpp and ArrayPrototype.cpp.
2155         https://bugs.webkit.org/show_bug.cgi?id=164972
2156
2157         Reviewed by Geoffrey Garen.
2158
2159         * runtime/ArrayConstructor.cpp:
2160         (JSC::constructArrayWithSizeQuirk):
2161         * runtime/ArrayPrototype.cpp:
2162         (JSC::getProperty):
2163         (JSC::putLength):
2164         (JSC::speciesWatchpointsValid):
2165         (JSC::speciesConstructArray):
2166         (JSC::shift):
2167         (JSC::unshift):
2168         (JSC::arrayProtoFuncToString):
2169         (JSC::arrayProtoFuncToLocaleString):
2170         (JSC::slowJoin):
2171         (JSC::fastJoin):
2172         (JSC::arrayProtoFuncJoin):
2173         (JSC::arrayProtoFuncPop):
2174         (JSC::arrayProtoFuncPush):
2175         (JSC::arrayProtoFuncReverse):
2176         (JSC::arrayProtoFuncShift):
2177         (JSC::arrayProtoFuncSlice):
2178         (JSC::arrayProtoFuncSplice):
2179         (JSC::arrayProtoFuncUnShift):
2180         (JSC::arrayProtoFuncIndexOf):
2181         (JSC::arrayProtoFuncLastIndexOf):
2182         (JSC::concatAppendOne):
2183         (JSC::arrayProtoPrivateFuncConcatMemcpy):
2184         (JSC::ArrayPrototype::attemptToInitializeSpeciesWatchpoint):
2185
2186 2016-11-28  Mark Lam  <mark.lam@apple.com>
2187
2188         Fix exception scope verification failures in LLIntSlowPaths.cpp.
2189         https://bugs.webkit.org/show_bug.cgi?id=164969
2190
2191         Reviewed by Geoffrey Garen.
2192
2193         * llint/LLIntSlowPaths.cpp:
2194         (JSC::LLInt::getByVal):
2195         (JSC::LLInt::setUpCall):
2196         (JSC::LLInt::varargsSetup):
2197         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2198
2199 2016-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2200
2201         [WTF] Import std::optional reference implementation as WTF::Optional
2202         https://bugs.webkit.org/show_bug.cgi?id=164199
2203
2204         Reviewed by Saam Barati and Sam Weinig.
2205
2206         The previous WTF::Optional::operator= is not compatible with std::optional::operator=.
2207         std::optional::emplace has the same semantics as the previous one,
2208         so we change the code to use it.
2209
2210         * Scripts/builtins/builtins_templates.py:
2211         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
2212         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
2213         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
2214         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
2215         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
2216         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
2217         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
2218         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
2219         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
2220         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
2221         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
2222         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
2223         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2224         * assembler/MacroAssemblerARM64.h:
2225         (JSC::MacroAssemblerARM64::commuteCompareToZeroIntoTest):
2226         * assembler/MacroAssemblerX86Common.h:
2227         (JSC::MacroAssemblerX86Common::commuteCompareToZeroIntoTest):
2228         * b3/B3CheckSpecial.cpp:
2229         (JSC::B3::CheckSpecial::forEachArg):
2230         (JSC::B3::CheckSpecial::shouldTryAliasingDef):
2231         * b3/B3CheckSpecial.h:
2232         * b3/B3LowerToAir.cpp:
2233         (JSC::B3::Air::LowerToAir::scaleForShl):
2234         (JSC::B3::Air::LowerToAir::effectiveAddr):
2235         (JSC::B3::Air::LowerToAir::tryAppendLea):
2236         * b3/B3Opcode.cpp:
2237         (JSC::B3::invertedCompare):
2238         * b3/B3Opcode.h:
2239         * b3/B3PatchpointSpecial.cpp:
2240         (JSC::B3::PatchpointSpecial::forEachArg):
2241         * b3/B3StackmapSpecial.cpp:
2242         (JSC::B3::StackmapSpecial::forEachArgImpl):
2243         * b3/B3StackmapSpecial.h:
2244         * b3/B3Value.cpp:
2245         (JSC::B3::Value::invertedCompare):
2246         * b3/air/AirArg.h:
2247         (JSC::B3::Air::Arg::isValidScale):
2248         (JSC::B3::Air::Arg::isValidAddrForm):
2249         (JSC::B3::Air::Arg::isValidIndexForm):
2250         (JSC::B3::Air::Arg::isValidForm):
2251         * b3/air/AirCustom.h:
2252         (JSC::B3::Air::PatchCustom::shouldTryAliasingDef):
2253         * b3/air/AirFixObviousSpills.cpp:
2254         * b3/air/AirInst.h:
2255         * b3/air/AirInstInlines.h:
2256         (JSC::B3::Air::Inst::shouldTryAliasingDef):
2257         * b3/air/AirIteratedRegisterCoalescing.cpp:
2258         * b3/air/AirSpecial.cpp:
2259         (JSC::B3::Air::Special::shouldTryAliasingDef):
2260         * b3/air/AirSpecial.h:
2261         * bytecode/BytecodeGeneratorification.cpp:
2262         (JSC::BytecodeGeneratorification::storageForGeneratorLocal):
2263         * bytecode/CodeBlock.cpp:
2264         (JSC::CodeBlock::findPC):
2265         (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
2266         * bytecode/CodeBlock.h:
2267         * bytecode/UnlinkedFunctionExecutable.cpp:
2268         (JSC::UnlinkedFunctionExecutable::link):
2269         * bytecode/UnlinkedFunctionExecutable.h:
2270         * bytecompiler/BytecodeGenerator.h:
2271         * bytecompiler/NodesCodegen.cpp:
2272         (JSC::PropertyListNode::emitPutConstantProperty):
2273         (JSC::ObjectPatternNode::bindValue):
2274         * debugger/Debugger.cpp:
2275         (JSC::Debugger::resolveBreakpoint):
2276         * debugger/DebuggerCallFrame.cpp:
2277         (JSC::DebuggerCallFrame::currentPosition):
2278         * debugger/DebuggerParseData.cpp:
2279         (JSC::DebuggerPausePositions::breakpointLocationForLineColumn):
2280         * debugger/DebuggerParseData.h:
2281         * debugger/ScriptProfilingScope.h:
2282         * dfg/DFGAbstractInterpreterInlines.h:
2283         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2284         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
2285         * dfg/DFGJITCode.cpp:
2286         (JSC::DFG::JITCode::findPC):
2287         * dfg/DFGJITCode.h:
2288         * dfg/DFGOperations.cpp:
2289         (JSC::DFG::operationPutByValInternal):
2290         * dfg/DFGSlowPathGenerator.h:
2291         (JSC::DFG::SlowPathGenerator::generate):
2292         * dfg/DFGSpeculativeJIT.cpp:
2293         (JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
2294         (JSC::DFG::SpeculativeJIT::emitUntypedBitOp):
2295         (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp):
2296         (JSC::DFG::SpeculativeJIT::compileMathIC):
2297         (JSC::DFG::SpeculativeJIT::compileArithDiv):
2298         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
2299         * dfg/DFGSpeculativeJIT.h:
2300         * dfg/DFGSpeculativeJIT32_64.cpp:
2301         (JSC::DFG::SpeculativeJIT::compile):
2302         * dfg/DFGSpeculativeJIT64.cpp:
2303         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2304         (JSC::DFG::SpeculativeJIT::emitBranch):
2305         (JSC::DFG::SpeculativeJIT::compile):
2306         * dfg/DFGStrengthReductionPhase.cpp:
2307         (JSC::DFG::StrengthReductionPhase::handleNode):
2308         * ftl/FTLJITCode.cpp:
2309         (JSC::FTL::JITCode::findPC):
2310         * ftl/FTLJITCode.h:
2311         * heap/Heap.cpp:
2312         (JSC::Heap::collectAsync):
2313         (JSC::Heap::collectSync):
2314         (JSC::Heap::collectInThread):
2315         (JSC::Heap::requestCollection):
2316         (JSC::Heap::willStartCollection):
2317         (JSC::Heap::didFinishCollection):
2318         (JSC::Heap::shouldDoFullCollection):
2319         * heap/Heap.h:
2320         (JSC::Heap::collectionScope):
2321         * heap/HeapSnapshot.cpp:
2322         (JSC::HeapSnapshot::nodeForCell):
2323         (JSC::HeapSnapshot::nodeForObjectIdentifier):
2324         * heap/HeapSnapshot.h:
2325         * inspector/InspectorBackendDispatcher.cpp:
2326         (Inspector::BackendDispatcher::dispatch):
2327         (Inspector::BackendDispatcher::sendPendingErrors):
2328         (Inspector::BackendDispatcher::reportProtocolError):
2329         * inspector/InspectorBackendDispatcher.h:
2330         * inspector/agents/InspectorHeapAgent.cpp:
2331         (Inspector::InspectorHeapAgent::nodeForHeapObjectIdentifier):
2332         (Inspector::InspectorHeapAgent::getPreview):
2333         (Inspector::InspectorHeapAgent::getRemoteObject):
2334         * inspector/agents/InspectorHeapAgent.h:
2335         * inspector/remote/RemoteConnectionToTarget.h:
2336         * inspector/remote/RemoteConnectionToTarget.mm:
2337         (Inspector::RemoteConnectionToTarget::targetIdentifier):
2338         (Inspector::RemoteConnectionToTarget::setup):
2339         * inspector/remote/RemoteInspector.h:
2340         * inspector/remote/RemoteInspector.mm:
2341         (Inspector::RemoteInspector::updateClientCapabilities):
2342         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2343         (_generate_declarations_for_enum_conversion_methods):
2344         (_generate_declarations_for_enum_conversion_methods.return_type_with_export_macro):
2345         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2346         (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain.generate_conversion_method_body):
2347         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2348         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2349         * inspector/scripts/tests/expected/enum-values.json-result:
2350         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2351         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2352         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
2353         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2354         * jit/JITCode.h:
2355         (JSC::JITCode::findPC):
2356         * jit/JITDivGenerator.cpp:
2357         (JSC::JITDivGenerator::generateFastPath):
2358         * jit/JITOperations.cpp:
2359         * jit/PCToCodeOriginMap.cpp:
2360         (JSC::PCToCodeOriginMap::findPC):
2361         * jit/PCToCodeOriginMap.h:
2362         * jsc.cpp:
2363         (WTF::RuntimeArray::getOwnPropertySlot):
2364         * llint/LLIntSlowPaths.cpp:
2365         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2366         * parser/ModuleAnalyzer.cpp:
2367         (JSC::ModuleAnalyzer::exportVariable):
2368         * runtime/ConcurrentJSLock.h:
2369         (JSC::ConcurrentJSLocker::ConcurrentJSLocker):
2370         * runtime/DefinePropertyAttributes.h:
2371         (JSC::DefinePropertyAttributes::writable):
2372         (JSC::DefinePropertyAttributes::configurable):
2373         (JSC::DefinePropertyAttributes::enumerable):
2374         * runtime/GenericArgumentsInlines.h:
2375         (JSC::GenericArguments<Type>::getOwnPropertySlot):
2376         (JSC::GenericArguments<Type>::put):
2377         (JSC::GenericArguments<Type>::deleteProperty):
2378         (JSC::GenericArguments<Type>::defineOwnProperty):
2379         * runtime/HasOwnPropertyCache.h:
2380         (JSC::HasOwnPropertyCache::get):
2381         * runtime/HashMapImpl.h:
2382         (JSC::concurrentJSMapHash):
2383         * runtime/Identifier.h:
2384         (JSC::parseIndex):
2385         * runtime/JSArray.cpp:
2386         (JSC::JSArray::defineOwnProperty):
2387         * runtime/JSCJSValue.cpp:
2388         (JSC::JSValue::toNumberFromPrimitive):
2389         (JSC::JSValue::putToPrimitive):
2390         * runtime/JSCJSValue.h:
2391         * runtime/JSGenericTypedArrayView.h:
2392         (JSC::JSGenericTypedArrayView::toAdaptorNativeFromValueWithoutCoercion):
2393         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2394         (JSC::constructGenericTypedArrayViewWithArguments):
2395         (JSC::constructGenericTypedArrayView):
2396         * runtime/JSGenericTypedArrayViewInlines.h:
2397         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
2398         (JSC::JSGenericTypedArrayView<Adaptor>::put):
2399         * runtime/JSModuleRecord.cpp:
2400         * runtime/JSModuleRecord.h:
2401         * runtime/JSObject.cpp:
2402         (JSC::JSObject::putDirectAccessor):
2403         (JSC::JSObject::deleteProperty):
2404         (JSC::JSObject::putDirectMayBeIndex):
2405         (JSC::JSObject::defineOwnProperty):
2406         * runtime/JSObject.h:
2407         (JSC::JSObject::getOwnPropertySlot):
2408         (JSC::JSObject::getPropertySlot):
2409         (JSC::JSObject::putOwnDataPropertyMayBeIndex):
2410         * runtime/JSObjectInlines.h:
2411         (JSC::JSObject::putInline):
2412         * runtime/JSString.cpp:
2413         (JSC::JSString::getStringPropertyDescriptor):
2414         * runtime/JSString.h:
2415         (JSC::JSString::getStringPropertySlot):
2416         * runtime/LiteralParser.cpp:
2417         (JSC::LiteralParser<CharType>::parse):
2418         * runtime/MathCommon.h:
2419         (JSC::safeReciprocalForDivByConst):
2420         * runtime/ObjectPrototype.cpp:
2421         (JSC::objectProtoFuncHasOwnProperty):
2422         * runtime/PropertyDescriptor.h:
2423         (JSC::toPropertyDescriptor):
2424         * runtime/PropertyName.h:
2425         (JSC::parseIndex):
2426         * runtime/SamplingProfiler.cpp:
2427         (JSC::SamplingProfiler::processUnverifiedStackTraces):
2428         * runtime/StringObject.cpp:
2429         (JSC::StringObject::put):
2430         (JSC::isStringOwnProperty):
2431         (JSC::StringObject::deleteProperty):
2432         * runtime/ToNativeFromValue.h:
2433         (JSC::toNativeFromValueWithoutCoercion):
2434         * runtime/TypedArrayAdaptors.h:
2435         (JSC::IntegralTypedArrayAdaptor::toNativeFromInt32WithoutCoercion):
2436         (JSC::IntegralTypedArrayAdaptor::toNativeFromUint32WithoutCoercion):
2437         (JSC::IntegralTypedArrayAdaptor::toNativeFromDoubleWithoutCoercion):
2438         (JSC::FloatTypedArrayAdaptor::toNativeFromInt32WithoutCoercion):
2439         (JSC::FloatTypedArrayAdaptor::toNativeFromDoubleWithoutCoercion):
2440         (JSC::Uint8ClampedAdaptor::toNativeFromInt32WithoutCoercion):
2441         (JSC::Uint8ClampedAdaptor::toNativeFromDoubleWithoutCoercion):
2442
2443 2016-11-26  Sam Weinig  <sam@webkit.org>
2444
2445         Convert IntersectionObserver over to using RuntimeEnabledFeatures so it can be properly excluded from script
2446         https://bugs.webkit.org/show_bug.cgi?id=164965
2447
2448         Reviewed by Simon Fraser.
2449
2450         * runtime/CommonIdentifiers.h:
2451         Add identifiers needed for RuntimeEnabledFeatures.
2452
2453 2016-11-23  Zan Dobersek  <zdobersek@igalia.com>
2454
2455         Remove ENABLE_ASSEMBLER_WX_EXCLUSIVE code
2456         https://bugs.webkit.org/show_bug.cgi?id=165027
2457
2458         Reviewed by Darin Adler.
2459
2460         Remove the code guarded with ENABLE(ASSEMBLER_WX_EXCLUSIVE).
2461         No port enables this and the guarded code doesn't build at all,
2462         so it's safe to say it's abandoned.
2463
2464         * jit/ExecutableAllocator.cpp:
2465         (JSC::ExecutableAllocator::initializeAllocator):
2466         (JSC::ExecutableAllocator::ExecutableAllocator):
2467         (JSC::ExecutableAllocator::reprotectRegion): Deleted.
2468
2469 2016-11-18  Mark Lam  <mark.lam@apple.com>
2470
2471         Fix exception scope verification failures in JSC profiler files.
2472         https://bugs.webkit.org/show_bug.cgi?id=164971
2473
2474         Reviewed by Saam Barati.
2475
2476         * profiler/ProfilerBytecodeSequence.cpp:
2477         (JSC::Profiler::BytecodeSequence::addSequenceProperties):
2478         * profiler/ProfilerCompilation.cpp:
2479         (JSC::Profiler::Compilation::toJS):
2480         * profiler/ProfilerDatabase.cpp:
2481         (JSC::Profiler::Database::toJS):
2482         (JSC::Profiler::Database::toJSON):
2483         * profiler/ProfilerOSRExitSite.cpp:
2484         (JSC::Profiler::OSRExitSite::toJS):
2485         * profiler/ProfilerOriginStack.cpp:
2486         (JSC::Profiler::OriginStack::toJS):
2487
2488 2016-11-22  Mark Lam  <mark.lam@apple.com>
2489
2490         Fix exception scope verification failures in JSONObject.cpp.
2491         https://bugs.webkit.org/show_bug.cgi?id=165025
2492
2493         Reviewed by Saam Barati.
2494
2495         * runtime/JSONObject.cpp:
2496         (JSC::gap):
2497         (JSC::Stringifier::Stringifier):
2498         (JSC::Stringifier::stringify):
2499         (JSC::Stringifier::toJSON):
2500         (JSC::Stringifier::appendStringifiedValue):
2501         (JSC::Stringifier::Holder::appendNextProperty):
2502         (JSC::Walker::walk):
2503         (JSC::JSONProtoFuncParse):
2504         (JSC::JSONProtoFuncStringify):
2505         (JSC::JSONStringify):
2506
2507 2016-11-21  Mark Lam  <mark.lam@apple.com>
2508
2509         Removed an extra space character at the end of line.
2510
2511         Not reviewed.
2512
2513         * runtime/JSCell.cpp:
2514         (JSC::JSCell::toNumber):
2515
2516 2016-11-21  Mark Lam  <mark.lam@apple.com>
2517
2518         Fix exception scope verification failures in FunctionConstructor.cpp.
2519         https://bugs.webkit.org/show_bug.cgi?id=165011
2520
2521         Reviewed by Saam Barati.
2522
2523         * runtime/FunctionConstructor.cpp:
2524         (JSC::constructFunction):
2525         (JSC::constructFunctionSkippingEvalEnabledCheck):
2526
2527 2016-11-21  Mark Lam  <mark.lam@apple.com>
2528
2529         Fix exception scope verification failures in GetterSetter.cpp.
2530         https://bugs.webkit.org/show_bug.cgi?id=165013
2531
2532         Reviewed by Saam Barati.
2533
2534         * runtime/GetterSetter.cpp:
2535         (JSC::callGetter):
2536         (JSC::callSetter):
2537
2538 2016-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2539
2540         Crash in com.apple.JavaScriptCore: WTF::ThreadSpecific<WTF::WTFThreadData, + 142
2541         https://bugs.webkit.org/show_bug.cgi?id=164898
2542
2543         Reviewed by Darin Adler.
2544
2545         The callsite object (JSArray) of a tagged template literal is managed by a WeakGCMap, since
2546         the same tagged template literal needs to return an identical object.
2547         The problem is that we used TemplateRegistryKey as the key of the WeakGCMap. WeakGCMap
2548         can prune its entries on the collector thread. At that time, this TemplateRegistryKey
2549         is deallocated. Since it includes a String (and thus a StringImpl), we accidentally call
2550         ref(), deref() and StringImpl::destroy() on a different thread from the main thread,
2551         while this TemplateRegistryKey was allocated on the main thread.
2552
2553         Instead, we use TemplateRegistryKey* as the key of the WeakGCMap. Then, to keep it alive
2554         while the entry of the WeakGCMap is alive, the callsite object holds a reference to
2555         the JSTemplateRegistryKey, and that holds a Ref<TemplateRegistryKey>.
2556
2557         Now we need to look up the WeakGCMap with a TemplateRegistryKey*. To do so, we create an
2558         interning system for TemplateRegistryKey. It is similar to AtomicStringTable and
2559         SymbolRegistry. TemplateRegistryKey is allocated from this table. This table atomizes the
2560         TemplateRegistryKeys, so we can use pointer comparison between TemplateRegistryKeys.
2561         It allows us to look up the entry in the WeakGCMap by TemplateRegistryKey*.
2562
2563         * CMakeLists.txt:
2564         * JavaScriptCore.xcodeproj/project.pbxproj:
2565         * builtins/BuiltinNames.h:
2566         * bytecompiler/BytecodeGenerator.cpp:
2567         (JSC::BytecodeGenerator::addTemplateRegistryKeyConstant):
2568         (JSC::BytecodeGenerator::emitGetTemplateObject):
2569         * bytecompiler/BytecodeGenerator.h:
2570         * runtime/JSGlobalObject.cpp:
2571         (JSC::getTemplateObject):
2572         * runtime/JSTemplateRegistryKey.cpp:
2573         (JSC::JSTemplateRegistryKey::JSTemplateRegistryKey):
2574         (JSC::JSTemplateRegistryKey::create):
2575         * runtime/JSTemplateRegistryKey.h:
2576         * runtime/TemplateRegistry.cpp:
2577         (JSC::TemplateRegistry::getTemplateObject):
2578         * runtime/TemplateRegistry.h:
2579         * runtime/TemplateRegistryKey.cpp: Copied from Source/JavaScriptCore/runtime/TemplateRegistry.h.
2580         (JSC::TemplateRegistryKey::~TemplateRegistryKey):
2581         * runtime/TemplateRegistryKey.h:
2582         (JSC::TemplateRegistryKey::calculateHash):
2583         (JSC::TemplateRegistryKey::create):
2584         (JSC::TemplateRegistryKey::TemplateRegistryKey):
2585         * runtime/TemplateRegistryKeyTable.cpp: Added.
2586         (JSC::TemplateRegistryKeyTranslator::hash):
2587         (JSC::TemplateRegistryKeyTranslator::equal):
2588         (JSC::TemplateRegistryKeyTranslator::translate):
2589         (JSC::TemplateRegistryKeyTable::~TemplateRegistryKeyTable):
2590         (JSC::TemplateRegistryKeyTable::createKey):
2591         (JSC::TemplateRegistryKeyTable::unregister):
2592         * runtime/TemplateRegistryKeyTable.h: Copied from Source/JavaScriptCore/runtime/JSTemplateRegistryKey.h.
2593         (JSC::TemplateRegistryKeyTable::KeyHash::hash):
2594         (JSC::TemplateRegistryKeyTable::KeyHash::equal):
2595         * runtime/VM.h:
2596         (JSC::VM::templateRegistryKeyTable):
2597
2598 2016-11-21  Mark Lam  <mark.lam@apple.com>
2599
2600         Fix exception scope verification failures in runtime/Error* files.
2601         https://bugs.webkit.org/show_bug.cgi?id=164998
2602
2603         Reviewed by Darin Adler.
2604
2605         * runtime/ErrorConstructor.cpp:
2606         (JSC::Interpreter::constructWithErrorConstructor):
2607         * runtime/ErrorInstance.cpp:
2608         (JSC::ErrorInstance::create):
2609         * runtime/ErrorInstance.h:
2610         * runtime/ErrorPrototype.cpp:
2611         (JSC::errorProtoFuncToString):
2612
2613 2016-11-21  Mark Lam  <mark.lam@apple.com>
2614
2615         Fix exception scope verification failures in *Executable.cpp files.
2616         https://bugs.webkit.org/show_bug.cgi?id=164996
2617
2618         Reviewed by Darin Adler.
2619
2620         * runtime/DirectEvalExecutable.cpp:
2621         (JSC::DirectEvalExecutable::create):
2622         * runtime/IndirectEvalExecutable.cpp:
2623         (JSC::IndirectEvalExecutable::create):
2624         * runtime/ProgramExecutable.cpp:
2625         (JSC::ProgramExecutable::initializeGlobalProperties):
2626         * runtime/ScriptExecutable.cpp:
2627         (JSC::ScriptExecutable::prepareForExecutionImpl):
2628
2629 2016-11-20  Zan Dobersek  <zdobersek@igalia.com>
2630
2631         [EncryptedMedia] Make EME API runtime-enabled
2632         https://bugs.webkit.org/show_bug.cgi?id=164927
2633
2634         Reviewed by Jer Noble.
2635
2636         * runtime/CommonIdentifiers.h: Add the necessary identifiers.
2637
2638 2016-11-20  Mark Lam  <mark.lam@apple.com>
2639
2640         Fix exception scope verification failures in ConstructData.cpp.
2641         https://bugs.webkit.org/show_bug.cgi?id=164976
2642
2643         Reviewed by Darin Adler.
2644
2645         * runtime/ConstructData.cpp:
2646         (JSC::construct):
2647
2648 2016-11-20  Mark Lam  <mark.lam@apple.com>
2649
2650         Fix exception scope verification failures in CommonSlowPaths.cpp/h.
2651         https://bugs.webkit.org/show_bug.cgi?id=164975
2652
2653         Reviewed by Darin Adler.
2654
2655         * runtime/CommonSlowPaths.cpp:
2656         (JSC::SLOW_PATH_DECL):
2657         * runtime/CommonSlowPaths.h:
2658         (JSC::CommonSlowPaths::opIn):
2659
2660 2016-11-20  Mark Lam  <mark.lam@apple.com>
2661
2662         Fix exception scope verification failures in DateConstructor.cpp and DatePrototype.cpp.
2663         https://bugs.webkit.org/show_bug.cgi?id=164995
2664
2665         Reviewed by Darin Adler.
2666
2667         * runtime/DateConstructor.cpp:
2668         (JSC::millisecondsFromComponents):
2669         (JSC::constructDate):
2670         * runtime/DatePrototype.cpp:
2671         (JSC::dateProtoFuncToPrimitiveSymbol):
2672
2673 2016-11-20  Caitlin Potter  <caitp@igalia.com>
2674
2675         [JSC] speed up parsing of async functions
2676         https://bugs.webkit.org/show_bug.cgi?id=164808
2677
2678         Reviewed by Yusuke Suzuki.
2679
2680         Minor adjustments to Parser in order to mitigate slowdown with async
2681         function parsing enabled:
2682
2683           - Tokenize "async" as a keyword
2684           - Perform less branching in various areas of the Parser
2685
2686         * parser/Keywords.table:
2687         * parser/Parser.cpp:
2688         (JSC::Parser<LexerType>::parseStatementListItem):
2689         (JSC::Parser<LexerType>::parseStatement):
2690         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
2691         (JSC::Parser<LexerType>::parseClass):
2692         (JSC::Parser<LexerType>::parseExportDeclaration):
2693         (JSC::Parser<LexerType>::parseAssignmentExpression):
2694         (JSC::Parser<LexerType>::parseProperty):
2695         (JSC::Parser<LexerType>::createResolveAndUseVariable):
2696         (JSC::Parser<LexerType>::parsePrimaryExpression):
2697         (JSC::Parser<LexerType>::parseMemberExpression):
2698         (JSC::Parser<LexerType>::printUnexpectedTokenText):
2699         * parser/Parser.h:
2700         (JSC::isAnyContextualKeyword):
2701         (JSC::isIdentifierOrAnyContextualKeyword):
2702         (JSC::isSafeContextualKeyword):
2703         (JSC::Parser::matchSpecIdentifier):
2704         * parser/ParserTokens.h:
2705         * runtime/CommonIdentifiers.h:
2706
2707 2016-11-19  Mark Lam  <mark.lam@apple.com>
2708
2709         Add --timeoutMultiplier option to allow some tests more time to run.
2710         https://bugs.webkit.org/show_bug.cgi?id=164951
2711
2712         Reviewed by Yusuke Suzuki.
2713
2714         * jsc.cpp:
2715         (timeoutThreadMain):
2716         - Modified to factor in a timeout multiplier that can adjust the timeout duration.
2717         (startTimeoutThreadIfNeeded):
2718         - Moved the code that starts the timeout thread here from main() so that we can
2719         call it after command line args have been parsed instead.
2720         (main):
2721         - Deleted old timeout thread starting code.
2722         (CommandLine::parseArguments):
2723         - Added parsing of the --timeoutMultiplier option.
2724         (jscmain):
2725         - Start the timeout thread if needed after we've parsed the command line args.
2726
2727 2016-11-19  Mark Lam  <mark.lam@apple.com>
2728
2729         Fix missing exception checks in JSC inspector files.
2730         https://bugs.webkit.org/show_bug.cgi?id=164959
2731
2732         Reviewed by Saam Barati.
2733
2734         * inspector/JSInjectedScriptHost.cpp:
2735         (Inspector::JSInjectedScriptHost::getInternalProperties):
2736         (Inspector::JSInjectedScriptHost::weakMapEntries):
2737         (Inspector::JSInjectedScriptHost::weakSetEntries):
2738         (Inspector::JSInjectedScriptHost::iteratorEntries):
2739         * inspector/JSJavaScriptCallFrame.cpp:
2740         (Inspector::JSJavaScriptCallFrame::scopeDescriptions):
2741
2742 2016-11-18  Mark Lam  <mark.lam@apple.com>
2743
2744         Fix missing exception checks in DFGOperations.cpp.
2745         https://bugs.webkit.org/show_bug.cgi?id=164958
2746
2747         Reviewed by Geoffrey Garen.
2748
2749         * dfg/DFGOperations.cpp:
2750
2751 2016-11-18  Mark Lam  <mark.lam@apple.com>
2752
2753         Fix exception scope verification failures in ShadowChicken.cpp.
2754         https://bugs.webkit.org/show_bug.cgi?id=164966
2755
2756         Reviewed by Saam Barati.
2757
2758         * interpreter/ShadowChicken.cpp:
2759         (JSC::ShadowChicken::functionsOnStack):
2760
2761 2016-11-18  Jeremy Jones  <jeremyj@apple.com>
2762
2763         Add runtime flag to enable pointer lock. Enable pointer lock feature for mac.
2764         https://bugs.webkit.org/show_bug.cgi?id=163801
2765
2766         Reviewed by Simon Fraser.
2767
2768         * Configurations/FeatureDefines.xcconfig:
2769
2770 2016-11-18  Filip Pizlo  <fpizlo@apple.com>
2771
2772         Unreviewed, fix cloop.
2773
2774         * bytecode/CodeBlock.cpp:
2775         (JSC::CodeBlock::stronglyVisitStrongReferences):
2776
2777 2016-11-18  Filip Pizlo  <fpizlo@apple.com>
2778
2779         Concurrent GC should be able to run splay in debug mode and earley/raytrace in release mode with no perf regression
2780         https://bugs.webkit.org/show_bug.cgi?id=164282
2781
2782         Reviewed by Geoffrey Garen and Oliver Hunt.
2783         
2784         The three remaining bugs were:
2785
2786         - Improper ordering inside putDirectWithoutTransition() and friends. We need to make sure
2787           that the GC doesn't see the store to Structure::m_offset until we've resized the butterfly.
2788           That proved a bit tricky. On the other hand, this means that we could probably remove the
2789           requirement that the GC holds the Structure lock in some cases. I haven't removed that lock
2790           yet because I still think it might protect some weird cases, and it doesn't seem to cost us
2791           anything.
2792         
2793         - CodeBlock's GC strategy needed to be made thread-safe (visitWeakly, visitChildren, and
2794           their friends now hold locks) and incremental-safe (we need to update predictions in the
2795           finalizer to make sure we clear anything that was put into a value profile towards the end
2796           of GC).
2797         
2798         - The GC timeslicing scheduler needed to be made a bit more aggressive to deal with
2799           generational workloads like earley, raytrace, and CDjs. Once I got those benchmarks to run,
2800           I found that they would do many useless iterations of GC because they wouldn't pause long
2801           enough after rescanning weak references and roots. I added a bunch of knobs for forcing a
2802           pause. In the end, I realized that I could get the desired effect by putting a ceiling on
2803           mutator utilization. We want the GC to finish quickly if it is possible to do so, even if
2804           the amount of allocation that the mutator had done is low. Having a utilization ceiling
2805           seems to accomplish this for benchmarks with trivial heaps (earley and raytrace) as well as
2806           huge heaps (like CDjs in its "large" configuration).
2807         
2808         This preserves splay performance, makes the concurrent GC more stable, and makes the
2809         concurrent GC not a perf regression on earley or raytrace. It seems to give us great CDjs
2810         performance as well, but this is still hard to tell because we crash a lot in that benchmark.
2811
2812         * bytecode/CodeBlock.cpp:
2813         (JSC::CodeBlock::CodeBlock):
2814         (JSC::CodeBlock::visitWeakly):
2815         (JSC::CodeBlock::visitChildren):
2816         (JSC::CodeBlock::shouldVisitStrongly):
2817         (JSC::CodeBlock::shouldJettisonDueToOldAge):
2818         (JSC::CodeBlock::propagateTransitions):
2819         (JSC::CodeBlock::determineLiveness):
2820         (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences):
2821         (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally):
2822         (JSC::CodeBlock::visitOSRExitTargets):
2823         (JSC::CodeBlock::stronglyVisitStrongReferences):
2824         (JSC::CodeBlock::stronglyVisitWeakReferences):
2825         * bytecode/CodeBlock.h:
2826         (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled):
2827         * heap/CodeBlockSet.cpp:
2828         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
2829         * heap/Heap.cpp:
2830         (JSC::Heap::ResumeTheWorldScope::ResumeTheWorldScope):
2831         (JSC::Heap::markToFixpoint):
2832         (JSC::Heap::beginMarking):
2833         (JSC::Heap::addToRememberedSet):
2834         (JSC::Heap::collectInThread):
2835         * heap/Heap.h:
2836         * heap/HeapInlines.h:
2837         (JSC::Heap::mutatorFence):
2838         * heap/MarkedBlock.cpp:
2839         * runtime/JSCellInlines.h:
2840         (JSC::JSCell::finishCreation):
2841         * runtime/JSObjectInlines.h:
2842         (JSC::JSObject::putDirectWithoutTransition):
2843         (JSC::JSObject::putDirectInternal):
2844         * runtime/Options.h:
2845         * runtime/Structure.cpp:
2846         (JSC::Structure::add):
2847         * runtime/Structure.h:
2848         * runtime/StructureInlines.h:
2849         (JSC::Structure::add):
2850
2851 2016-11-18  Joseph Pecoraro  <pecoraro@apple.com>
2852
2853         Web Inspector: Generator functions should have a displayable name when shown in stack traces
2854         https://bugs.webkit.org/show_bug.cgi?id=164844
2855         <rdar://problem/29300697>
2856
2857         Reviewed by Yusuke Suzuki.
2858
2859         * parser/SyntaxChecker.h:
2860         (JSC::SyntaxChecker::createGeneratorFunctionBody):
2861         * parser/ASTBuilder.h:
2862         (JSC::ASTBuilder::createGeneratorFunctionBody):
2863         New way to create a generator function with an inferred name.
2864
2865         * parser/Parser.cpp:
2866         (JSC::Parser<LexerType>::parseInner):
2867         (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
2868         * parser/Parser.h:
2869         Pass on the name of the generator wrapper function so we can
2870         use it on the inner generator function.
2871
2872 2016-11-17  Ryosuke Niwa  <rniwa@webkit.org>
2873
2874         Add an experimental API to find elements across shadow boundaries
2875         https://bugs.webkit.org/show_bug.cgi?id=164851
2876         <rdar://problem/28220092>
2877
2878         Reviewed by Sam Weinig.
2879
2880         * runtime/CommonIdentifiers.h:
2881
2882 2016-11-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2883
2884         [JSC] Drop arguments.caller
2885         https://bugs.webkit.org/show_bug.cgi?id=164859
2886
2887         Reviewed by Saam Barati.
2888
2889         Originally, some JavaScript engines had an `arguments.caller` property.
2890         But it easily causes information leaks and becomes an obstacle
2891         for Secure ECMAScript (SES). In ES5, we made it deprecated in strict
2892         mode. To do so, we explicitly set a "caller" getter throwing TypeError
2893         on arguments in strict mode.
2894
2895         But now, there is no modern engine which supports `arguments.caller`
2896         in sloppy mode. So the original compatibility problem is gone and the
2897         "caller" getter on strict mode arguments becomes meaningless.
2898
2899         ES2017 drops this from the spec. In this patch, we also drop support
2900         for `arguments.caller` in strict mode.
2901
2902         Note that Function#caller is still alive.
2903
2904         * runtime/ClonedArguments.cpp:
2905         (JSC::ClonedArguments::getOwnPropertySlot):
2906         (JSC::ClonedArguments::put):
2907         (JSC::ClonedArguments::deleteProperty):
2908         (JSC::ClonedArguments::defineOwnProperty):
2909         (JSC::ClonedArguments::materializeSpecials):
2910
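The behaviour this entry describes, as an added example (not JSC's code; it assumes Node.js/V8 with ES2017 semantics): probing which of the legacy `caller`/`callee` properties survive on strict-mode and sloppy-mode `arguments` objects, and checking that `Function#caller` still works for a sloppy function while the same access on a strict function throws.

```javascript
// Added example, not JSC code: probe which legacy "caller" / "callee"
// properties an ES2017 engine (Node.js/V8 assumed) exposes.

// Classify an own property of `obj`: absent, a plain data property, an
// accessor that returns normally, or an accessor that throws (the spec's
// %ThrowTypeError% poison pill used on strict-mode arguments).
function describe(obj, name) {
  const desc = Object.getOwnPropertyDescriptor(obj, name);
  if (!desc) return "absent";
  if ("value" in desc) return "data";
  try {
    desc.get.call(obj);
    return "accessor";
  } catch (e) {
    return e instanceof TypeError ? "throws TypeError" : "throws";
  }
}

// Strict-mode arguments: ES2017 keeps the throwing "callee" accessor but
// defines no "caller" at all, so the call chain cannot be walked from here.
function probeStrictArguments() {
  "use strict";
  return {
    caller: describe(arguments, "caller"),
    callee: describe(arguments, "callee"),
  };
}

// Sloppy-mode arguments. Built with the Function constructor so the function
// is sloppy even if this file itself runs as strict code (e.g. as an ES
// module): callee is a data property naming the function, caller is absent.
const sloppyArguments = new Function("return arguments;");
function probeSloppyArguments() {
  const args = sloppyArguments();
  return {
    caller: describe(args, "caller"),
    callee: describe(args, "callee"),
    calleeIsFunction: args.callee === sloppyArguments,
  };
}

// Function#caller is still alive: a sloppy function learns who called it,
// while the same access on a strict function throws a TypeError.
function probeFunctionCaller() {
  const inner = new Function("return arguments.callee.caller;");
  const outer = new Function("inner", "return inner();");
  function strictFn() {
    "use strict";
    return strictFn.caller;
  }
  let strictThrows = false;
  try {
    strictFn();
  } catch (e) {
    strictThrows = e instanceof TypeError;
  }
  return { sloppyCallerIsOuter: outer(inner) === outer, strictThrows };
}
```

Run it under `node` and call the three probe functions: the strict probe reports `caller` as absent and `callee` as a throwing accessor, the sloppy probe reports `callee` as a plain data property, and the `Function#caller` probe shows the leak that remains for sloppy functions.
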
2911 2016-11-17  Mark Lam  <mark.lam@apple.com>
2912
2913         Inlining should be disallowed when JSC_alwaysUseShadowChicken=true.
2914         https://bugs.webkit.org/show_bug.cgi?id=164893
2915         <rdar://problem/29146436>
2916
2917         Reviewed by Saam Barati.
2918
2919         * runtime/Options.cpp:
2920         (JSC::recomputeDependentOptions):
2921
2922 2016-11-17  Filip Pizlo  <fpizlo@apple.com>
2923
2924         Speculatively disable eager object zero-fill on not-x86 to let the bots decide if that's a problem
2925         https://bugs.webkit.org/show_bug.cgi?id=164885
2926
2927         Reviewed by Mark Lam.
2928         
2929         This adds a useGCFences() function that we use to guard all eager object zero-fill and the
2930         related fences. It currently returns true only on x86().
2931         
2932         The goal here is to get the bots to tell us if this code is responsible for perf issues on
2933         any non-x86 platforms. We have a few different paths that we can pursue if this turns out
2934         to be the case. Eager zero-fill is merely the easiest way to optimize out some fences, but
2935         we could get rid of it and instead teach B3 how to think about fences.
2936
2937         * assembler/CPU.h:
2938         (JSC::useGCFences):
2939         * bytecode/PolymorphicAccess.cpp:
2940         (JSC::AccessCase::generateImpl):
2941         * dfg/DFGSpeculativeJIT.cpp:
2942         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2943         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2944         * ftl/FTLLowerDFGToB3.cpp:
2945         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2946         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
2947         (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
2948         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2949         (JSC::FTL::DFG::LowerDFGToB3::mutatorFence):
2950         (JSC::FTL::DFG::LowerDFGToB3::setButterfly):
2951         * jit/AssemblyHelpers.h:
2952         (JSC::AssemblyHelpers::mutatorFence):
2953         (JSC::AssemblyHelpers::storeButterfly):
2954         (JSC::AssemblyHelpers::emitInitializeInlineStorage):
2955         (JSC::AssemblyHelpers::emitInitializeOutOfLineStorage):
2956
2957 2016-11-17  Keith Miller  <keith_miller@apple.com>
2958
2959         Add rotate to Wasm
2960         https://bugs.webkit.org/show_bug.cgi?id=164871
2961
2962         Reviewed by Filip Pizlo.
2963
2964         Add rotate left and rotate right to Wasm. These directly map to B3 opcodes.
2965         This also moves ARM-specific transformations of rotate left to lower macros
2966         after optimization. It's a bad idea to have platform specific canonicalizations
2967         in reduce strength since other optimizations may not be aware of it.
2968
2969         Add a bug to do pure CSE after lower macros after optimization since we want to
2970         clean up RotL(value, Neg(Neg(shift))).
2971
2972         * b3/B3Generate.cpp:
2973         (JSC::B3::generateToAir):
2974         * b3/B3LowerMacrosAfterOptimizations.cpp:
2975         * b3/B3ReduceStrength.cpp:
2976         * wasm/wasm.json:
2977
2978 2016-11-17  Keith Miller  <keith_miller@apple.com>
2979
2980         Add sqrt to Wasm
2981         https://bugs.webkit.org/show_bug.cgi?id=164877
2982
2983         Reviewed by Mark Lam.
2984
2985         B3 already has a Sqrt opcode we just need to map Wasm to it.
2986
2987         * wasm/wasm.json:
2988
2989 2016-11-17  Keith Miller  <keith_miller@apple.com>
2990
2991         Add support for rotate in B3 and the relevant assemblers
2992         https://bugs.webkit.org/show_bug.cgi?id=164869
2993
2994         Reviewed by Geoffrey Garen.
2995
2996         This patch runs RotR and RotL (rotate right and left respectively)
2997         through B3 and B3's assemblers. One thing of note is that ARM64 does
2998         not support rotate left; instead it allows negative right rotations.
2999
3000         This patch also fixes a theoretical bug in the assembler where
3001         on X86 doing someShiftOp(reg, edx) would instead shift the shift
3002         amount by the value. Additionally, this patch refactors some
3003         of the X86 assembler to use templates when deciding how to format
3004         the appropriate shift instruction.
3005
3006         * assembler/MacroAssemblerARM64.h:
3007         (JSC::MacroAssemblerARM64::rotateRight32):
3008         (JSC::MacroAssemblerARM64::rotateRight64):
3009         * assembler/MacroAssemblerX86Common.h:
3010         (JSC::MacroAssemblerX86Common::rotateRight32):
3011         (JSC::MacroAssemblerX86Common::rotateLeft32):
3012         * assembler/MacroAssemblerX86_64.h:
3013         (JSC::MacroAssemblerX86_64::lshift64):
3014         (JSC::MacroAssemblerX86_64::rshift64):
3015         (JSC::MacroAssemblerX86_64::urshift64):
3016         (JSC::MacroAssemblerX86_64::rotateRight64):
3017         (JSC::MacroAssemblerX86_64::rotateLeft64):
3018         (JSC::MacroAssemblerX86_64::or64):
3019         * assembler/X86Assembler.h:
3020         (JSC::X86Assembler::xorq_rm):
3021         (JSC::X86Assembler::shiftInstruction32):
3022         (JSC::X86Assembler::sarl_i8r):
3023         (JSC::X86Assembler::shrl_i8r):
3024         (JSC::X86Assembler::shll_i8r):
3025         (JSC::X86Assembler::rorl_i8r):
3026         (JSC::X86Assembler::rorl_CLr):
3027         (JSC::X86Assembler::roll_i8r):
3028         (JSC::X86Assembler::roll_CLr):
3029         (JSC::X86Assembler::shiftInstruction64):
3030         (JSC::X86Assembler::sarq_CLr):
3031         (JSC::X86Assembler::sarq_i8r):
3032         (JSC::X86Assembler::shrq_i8r):
3033         (JSC::X86Assembler::shlq_i8r):
3034         (JSC::X86Assembler::rorq_i8r):
3035         (JSC::X86Assembler::rorq_CLr):
3036         (JSC::X86Assembler::rolq_i8r):
3037         (JSC::X86Assembler::rolq_CLr):
3038         * b3/B3Common.h:
3039         (JSC::B3::rotateRight):
3040         (JSC::B3::rotateLeft):
3041         * b3/B3Const32Value.cpp:
3042         (JSC::B3::Const32Value::rotRConstant):
3043         (JSC::B3::Const32Value::rotLConstant):
3044         * b3/B3Const32Value.h:
3045         * b3/B3Const64Value.cpp:
3046         (JSC::B3::Const64Value::rotRConstant):
3047         (JSC::B3::Const64Value::rotLConstant):
3048         * b3/B3Const64Value.h:
3049         * b3/B3LowerToAir.cpp:
3050         (JSC::B3::Air::LowerToAir::lower):
3051         * b3/B3Opcode.cpp:
3052         (WTF::printInternal):
3053         * b3/B3Opcode.h:
3054         * b3/B3ReduceStrength.cpp:
3055         * b3/B3Validate.cpp:
3056         * b3/B3Value.cpp:
3057         (JSC::B3::Value::rotRConstant):
3058         (JSC::B3::Value::rotLConstant):
3059         (JSC::B3::Value::effects):
3060         (JSC::B3::Value::key):
3061         (JSC::B3::Value::typeFor):
3062         * b3/B3Value.h:
3063         * b3/B3ValueKey.cpp:
3064         (JSC::B3::ValueKey::materialize):
3065         * b3/air/AirInstInlines.h:
3066         (JSC::B3::Air::isRotateRight32Valid):
3067         (JSC::B3::Air::isRotateLeft32Valid):
3068         (JSC::B3::Air::isRotateRight64Valid):
3069         (JSC::B3::Air::isRotateLeft64Valid):
3070         * b3/air/AirOpcode.opcodes:
3071         * b3/testb3.cpp:
3072         (JSC::B3::testRotR):
3073         (JSC::B3::testRotL):
3074         (JSC::B3::testRotRWithImmShift):
3075         (JSC::B3::testRotLWithImmShift):
3076         (JSC::B3::run):
3077
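The rotate identity the two rotate entries above rely on (rotate left expressed as a rotate right by the negated count, with the count reduced mod 32 as the hardware does), as an added example in plain JavaScript. It is not B3 or JSC code; it models 32-bit `RotR`/`RotL` semantics so the ARM64 lowering and the `RotL(value, Neg(Neg(shift)))` clean-up mentioned above can be checked on ordinary values.

```javascript
// Added example, not B3/JSC code: 32-bit rotates and the identity
// rotl(x, n) == rotr(x, -n) that lets a target without a rotate-left
// instruction (ARM64) lower RotL as a negated RotR.

// Rotate right by n bits on a 32-bit value. JS masks shift counts to 5
// bits, so when k == 0 the `x << 32` term is `x << 0` and the OR absorbs
// it; `>>> 0` returns the result as an unsigned 32-bit number.
function rotr32(x, n) {
  const k = n & 31;
  return ((x >>> k) | (x << (32 - k))) >>> 0;
}

// Rotate left by n bits, written directly.
function rotl32(x, n) {
  const k = n & 31;
  return ((x << k) | (x >>> (32 - k))) >>> 0;
}

// The lowering: rotate left by n is rotate right by -n, because
// (-n) & 31 == (32 - n) & 31.
function rotl32ViaRotr(x, n) {
  return rotr32(x, -n);
}

// Check, for one input, that the lowering matches the direct rotate for
// every count from -40 to 40 (covering negative and out-of-range counts)
// and that rotating back undoes the rotate, i.e. RotR(RotL(x, n), n) == x.
function rotateIdentityHolds(x) {
  for (let n = -40; n <= 40; n++) {
    if (rotl32(x, n) !== rotl32ViaRotr(x, n)) return false;
    if (rotr32(rotl32(x, n), n) !== (x >>> 0)) return false;
  }
  return true;
}
```

`rotateIdentityHolds` is the check a reviewer of the lowering wants: the negated-count form and the direct form agree for every count, including ones the hardware would wrap, and a double negation of the count is a no-op, which is why a CSE pass can fold `Neg(Neg(shift))` away.
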
3078 2016-11-17  Saam Barati  <sbarati@apple.com>
3079
3080         Remove async/await compile time flag and enable tests
3081         https://bugs.webkit.org/show_bug.cgi?id=164828
3082         <rdar://problem/28639334>
3083
3084         Reviewed by Yusuke Suzuki.
3085
3086         * Configurations/FeatureDefines.xcconfig:
3087         * parser/Parser.cpp:
3088         (JSC::Parser<LexerType>::parseStatementListItem):
3089         (JSC::Parser<LexerType>::parseStatement):
3090         (JSC::Parser<LexerType>::parseClass):
3091         (JSC::Parser<LexerType>::parseExportDeclaration):
3092         (JSC::Parser<LexerType>::parseAssignmentExpression):
3093         (JSC::Parser<LexerType>::parseProperty):
3094         (JSC::Parser<LexerType>::parsePrimaryExpression):
3095         (JSC::Parser<LexerType>::parseMemberExpression):
3096         (JSC::Parser<LexerType>::parseUnaryExpression):
3097
3098 2016-11-17  Yusuke Suzuki  <utatane.tea@gmail.com>
3099
3100         [JSC] WTF::TemporaryChange with WTF::SetForScope
3101         https://bugs.webkit.org/show_bug.cgi?id=164761
3102
3103         Reviewed by Saam Barati.
3104
3105         * bytecompiler/BytecodeGenerator.h:
3106         * bytecompiler/SetForScope.h: Removed.
3107         * debugger/Debugger.cpp:
3108         * inspector/InspectorBackendDispatcher.cpp:
3109         (Inspector::BackendDispatcher::dispatch):
3110         * inspector/ScriptDebugServer.cpp:
3111         (Inspector::ScriptDebugServer::dispatchBreakpointActionLog):
3112         (Inspector::ScriptDebugServer::dispatchBreakpointActionSound):
3113         (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe):
3114         (Inspector::ScriptDebugServer::sourceParsed):
3115         (Inspector::ScriptDebugServer::dispatchFunctionToListeners):
3116         * parser/Parser.cpp:
3117
3118 2016-11-16  Mark Lam  <mark.lam@apple.com>
3119
3120         ExceptionFuzz needs to placate exception check verification before overwriting a thrown exception.
3121         https://bugs.webkit.org/show_bug.cgi?id=164843
3122
3123         Reviewed by Keith Miller.
3124
3125         The ThrowScope will check for unchecked simulated exceptions before throwing a
3126         new exception.  This ensures that we don't quietly overwrite a pending exception
3127         (which should never happen, with the only exception being to rethrow the same
3128         exception).  However, ExceptionFuzz works by intentionally throwing its own
3129         exception even when one may already exist thereby potentially overwriting an
3130         existing exception.  This is ok for ExceptionFuzz testing, but we need to placate
3131         the exception check verifier before ExceptionFuzz throws its own exception.
3132
3133         * runtime/ExceptionFuzz.cpp:
3134         (JSC::doExceptionFuzzing):
3135
3136 2016-11-16  Geoffrey Garen  <ggaren@apple.com>
3137
3138         UnlinkedCodeBlock should not have a starting line number
3139         https://bugs.webkit.org/show_bug.cgi?id=164838
3140
3141         Reviewed by Mark Lam.
3142
3143         Here's how the starting line number in UnlinkedCodeBlock used to work:
3144
3145         (1) Assign the source code starting line number to the parser starting
3146         line number.
3147
3148         (2) Assign (1) to the AST.
3149
3150         (3) Subtract (1) from (2) and assign to UnlinkedCodeBlock.
3151
3152         Then, when linking:
3153
3154         (4) Add (3) to (1).
3155
3156         This was an awesome no-op.
3157
3158         Generally, unlinked code is code that is not tied to any particular
3159         web page or resource. So, it's inappropriate to think of it having a
3160         starting line number.
3161
3162         * bytecode/UnlinkedCodeBlock.cpp:
3163         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
3164         * bytecode/UnlinkedCodeBlock.h:
3165         (JSC::UnlinkedCodeBlock::recordParse):
3166         (JSC::UnlinkedCodeBlock::hasCapturedVariables):
3167         (JSC::UnlinkedCodeBlock::firstLine): Deleted.
3168         * runtime/CodeCache.cpp:
3169         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
3170         * runtime/CodeCache.h:
3171         (JSC::generateUnlinkedCodeBlock):
3172
3173 2016-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
3174
3175         [ES6][WebCore] Change ES6_MODULES compile time flag to runtime flag
3176         https://bugs.webkit.org/show_bug.cgi?id=164827
3177
3178         Reviewed by Ryosuke Niwa.
3179
3180         * Configurations/FeatureDefines.xcconfig:
3181
3182 2016-11-16  Filip Pizlo  <fpizlo@apple.com>
3183
3184         Unreviewed, roll out r208811. It's not sound.
3185
3186         * ftl/FTLLowerDFGToB3.cpp:
3187         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
3188         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
3189         (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
3190         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
3191         (JSC::FTL::DFG::LowerDFGToB3::mutatorFence):
3192         (JSC::FTL::DFG::LowerDFGToB3::setButterfly):
3193         (JSC::FTL::DFG::LowerDFGToB3::splatWordsIfMutatorIsFenced): Deleted.
3194
3195 2016-11-16  Keith Miller  <keith_miller@apple.com>
3196
3197         Wasm function parser should use template functions for each binary and unary opcode
3198         https://bugs.webkit.org/show_bug.cgi?id=164835
3199
3200         Reviewed by Mark Lam.
3201
3202         This patch changes the wasm function parser to call into a template specialization
3203         for each binary/unary opcode. This change makes it easier to have custom implementations
3204         of various opcodes. It is also, in theory, a speedup since it does not require switching
3205         on the opcode twice.
3206
3207         * CMakeLists.txt:
3208         * DerivedSources.make:
3209         * wasm/WasmB3IRGenerator.cpp:
3210         (): Deleted.
3211         * wasm/WasmFunctionParser.h:
3212         (JSC::Wasm::FunctionParser<Context>::binaryCase):
3213         (JSC::Wasm::FunctionParser<Context>::unaryCase):
3214         (JSC::Wasm::FunctionParser<Context>::parseExpression):
3215         * wasm/WasmValidate.cpp:
3216         * wasm/generateWasm.py:
3217         (isBinary):
3218         (isSimple):
3219         * wasm/generateWasmB3IRGeneratorInlinesHeader.py: Added.
3220         (generateSimpleCode):
3221         * wasm/generateWasmOpsHeader.py:
3222         (opcodeMacroizer):
3223         * wasm/generateWasmValidateInlinesHeader.py:
3224
3225 2016-11-16  Mark Lam  <mark.lam@apple.com>
3226
3227         ExceptionFuzz functions should use its client's ThrowScope.
3228         https://bugs.webkit.org/show_bug.cgi?id=164834
3229
3230         Reviewed by Geoffrey Garen.
3231
3232         This is because ExceptionFuzz's purpose is to throw exceptions from its client at
3233         exception check sites.  Using the client's ThrowScope solves 2 problems:
3234
3235         1. If ExceptionFuzz instantiates its own ThrowScope, the simulated throw will be
3236            mis-attributed to ExceptionFuzz when it should be attributed to its client.
3237
3238         2. One way exception scope verification works is by having ThrowScopes assert
3239            that there are no unchecked simulated exceptions when the ThrowScope is
3240            instantiated.  However, ExceptionFuzz necessarily works by inserting
3241            doExceptionFuzzingIfEnabled() in between a ThrowScope that simulated a throw
3242            and an exception check.  If we declare a ThrowScope in ExceptionFuzz's code,
3243            we will be instantiating the ThrowScope between the point where a simulated
3244            throw occurs and where the needed exception check can occur.  Hence, having
3245            ExceptionFuzz instantiate its own ThrowScope will fail exception scope
3246            verification every time.
3247
3248         Changing ExceptionFuzz to use its client's ThrowScope resolves both problems.
3249
3250         Also fixed the THROW() macro in CommonSlowPaths.cpp to use the ThrowScope that
3251         already exists in every slow path function instead of creating a new one.
3252
3253         * jit/JITOperations.cpp:
3254         * llint/LLIntSlowPaths.cpp:
3255         * runtime/CommonSlowPaths.cpp:
3256         * runtime/ExceptionFuzz.cpp:
3257         (JSC::doExceptionFuzzing):
3258         * runtime/ExceptionFuzz.h:
3259         (JSC::doExceptionFuzzingIfEnabled):
3260
3261 2016-11-16  Filip Pizlo  <fpizlo@apple.com>
3262
3263         Slight Octane regression from concurrent GC's eager object zero-fill
3264         https://bugs.webkit.org/show_bug.cgi?id=164823
3265
3266         Reviewed by Geoffrey Garen.
3267         
3268         During concurrent GC, we need to eagerly zero-fill objects we allocate prior to
3269         executing the end-of-allocation fence. This causes some regressions. This is an attempt
3270         to fix those regressions by making them conditional on whether the mutator is fenced.
3271         
3272         This is a slight speed-up on raytrace and boyer, and hopefully it will fix the
3273         regression.
3274
3275         * ftl/FTLLowerDFGToB3.cpp:
3276         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
3277         (JSC::FTL::DFG::LowerDFGToB3::splatWordsIfMutatorIsFenced):
3278         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
3279         (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
3280         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
3281         (JSC::FTL::DFG::LowerDFGToB3::mutatorFence):
3282         (JSC::FTL::DFG::LowerDFGToB3::setButterfly):
3283
3284 2016-11-16  Mark Lam  <mark.lam@apple.com>
3285
3286         Fix exception scope checking in JSGlobalObject.cpp.
3287         https://bugs.webkit.org/show_bug.cgi?id=164831
3288
3289         Reviewed by Saam Barati.
3290
3291         * runtime/JSGlobalObject.cpp:
3292         (JSC::JSGlobalObject::init):
3293         - Use a CatchScope here because we don't ever expect JSGlobalObject initialization
3294           to fail with errors.
3295         (JSC::JSGlobalObject::put):
3296         - Fix exception check requirements.
3297
3298 2016-11-16  Keith Miller  <keith_miller@apple.com>
3299
3300         Unreviewed, ARM build fix.
3301
3302         * b3/B3LowerToAir.cpp:
3303         (JSC::B3::Air::LowerToAir::lower):
3304         (JSC::B3::Air::LowerToAir::lowerX86Div):
3305         (JSC::B3::Air::LowerToAir::lowerX86UDiv):
3306
3307 2016-11-15  Mark Lam  <mark.lam@apple.com>
3308
3309         Make JSC test functions more robust.
3310         https://bugs.webkit.org/show_bug.cgi?id=164807
3311
3312         Reviewed by Keith Miller.
3313
3314         * jsc.cpp:
3315         (functionGetHiddenValue):
3316         (functionSetHiddenValue):
3317
3318 2016-11-15  Keith Miller  <keith_miller@apple.com>
3319
3320         B3 should support UDiv/UMod
3321         https://bugs.webkit.org/show_bug.cgi?id=164811
3322
3323         Reviewed by Filip Pizlo.
3324
3325         This patch adds support for UDiv and UMod in B3. Many of the magic number
3326         cases have been omitted for now since they are unlikely to happen in wasm
3327         code. Most wasm code we will see is generated via LLVM, which has more
3328         robust versions of what we would do anyway. Additionally, this patch
3329         links the new opcodes up to the wasm parser.
3330
3331         * assembler/MacroAssemblerARM64.h:
3332         (JSC::MacroAssemblerARM64::uDiv32):
3333         (JSC::MacroAssemblerARM64::uDiv64):
3334         * assembler/MacroAssemblerX86Common.h:
3335         (JSC::MacroAssemblerX86Common::x86UDiv32):
3336         * assembler/MacroAssemblerX86_64.h:
3337         (JSC::MacroAssemblerX86_64::x86UDiv64):
3338         * assembler/X86Assembler.h:
3339         (JSC::X86Assembler::divq_r):
3340         * b3/B3Common.h:
3341         (JSC::B3::chillUDiv):
3342         (JSC::B3::chillUMod):
3343         * b3/B3Const32Value.cpp:
3344         (JSC::B3::Const32Value::uDivConstant):
3345         (JSC::B3::Const32Value::uModConstant):
3346         * b3/B3Const32Value.h:
3347         * b3/B3Const64Value.cpp:
3348         (JSC::B3::Const64Value::uDivConstant):
3349         (JSC::B3::Const64Value::uModConstant):
3350         * b3/B3Const64Value.h:
3351         * b3/B3LowerMacros.cpp:
3352         * b3/B3LowerToAir.cpp:
3353         (JSC::B3::Air::LowerToAir::lower):
3354         (JSC::B3::Air::LowerToAir::lowerX86UDiv):
3355         * b3/B3Opcode.cpp:
3356         (WTF::printInternal):
3357         * b3/B3Opcode.h:
3358         * b3/B3ReduceStrength.cpp:
3359         * b3/B3Validate.cpp:
3360         * b3/B3Value.cpp:
3361         (JSC::B3::Value::uDivConstant):
3362         (JSC::B3::Value::uModConstant):
3363         (JSC::B3::Value::effects):
3364         (JSC::B3::Value::key):
3365         (JSC::B3::Value::typeFor):
3366         * b3/B3Value.h:
3367         * b3/B3ValueKey.cpp:
3368         (JSC::B3::ValueKey::materialize):
3369         * b3/air/AirInstInlines.h:
3370         (JSC::B3::Air::isX86UDiv32Valid):
3371         (JSC::B3::Air::isX86UDiv64Valid):
3372         * b3/air/AirOpcode.opcodes:
3373         * b3/testb3.cpp:
3374         (JSC::B3::testUDivArgsInt32):
3375         (JSC::B3::testUDivArgsInt64):
3376         (JSC::B3::testUModArgsInt32):
3377         (JSC::B3::testUModArgsInt64):
3378         (JSC::B3::run):
3379         * wasm/wasm.json:
3380
3381 2016-11-15  Joseph Pecoraro  <pecoraro@apple.com>
3382
3383         Web Inspector: Preview other CSS @media in browser window (print)
3384         https://bugs.webkit.org/show_bug.cgi?id=13530
3385         <rdar://problem/5712928>
3386
3387         Reviewed by Timothy Hatcher.
3388
3389         * inspector/protocol/Page.json:
3390         Update to preferred JSON style.
3391
3392 2016-11-15  Filip Pizlo  <fpizlo@apple.com>
3393
3394         Unreviewed, revert renaming useConcurrentJIT to useConcurrentJS.
3395
3396         * dfg/DFGDriver.cpp:
3397         (JSC::DFG::compileImpl):
3398         * heap/Heap.cpp:
3399         (JSC::Heap::addToRememberedSet):
3400         * jit/JITWorklist.cpp:
3401         (JSC::JITWorklist::compileLater):
3402         (JSC::JITWorklist::compileNow):
3403         * runtime/Options.cpp:
3404         (JSC::recomputeDependentOptions):
3405         * runtime/Options.h:
3406         * runtime/WriteBarrierInlines.h:
3407         (JSC::WriteBarrierBase<T>::set):
3408         (JSC::WriteBarrierBase<Unknown>::set):
3409
3410 2016-11-15  Geoffrey Garen  <ggaren@apple.com>
3411
3412         Debugging and other tools should not disable the code cache
3413         https://bugs.webkit.org/show_bug.cgi?id=164802
3414
3415         Reviewed by Mark Lam.
3416
3417         * bytecode/UnlinkedFunctionExecutable.cpp:
3418         (JSC::UnlinkedFunctionExecutable::fromGlobalCode): Updated for interface
3419         change.
3420
3421         * parser/SourceCodeKey.h:
3422         (JSC::SourceCodeFlags::SourceCodeFlags):
3423         (JSC::SourceCodeFlags::bits):
3424         (JSC::SourceCodeKey::SourceCodeKey): Treat debugging and other tools