Fix exception scope verification failures in runtime/Intl* files.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-11-21  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in runtime/Intl* files.
        https://bugs.webkit.org/show_bug.cgi?id=165014

        Reviewed by Saam Barati.

        * runtime/IntlCollatorConstructor.cpp:
        (JSC::constructIntlCollator):
        (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
        * runtime/IntlCollatorPrototype.cpp:
        (JSC::IntlCollatorPrototypeFuncResolvedOptions):
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::constructIntlDateTimeFormat):
        (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatFuncFormatDateTime):
        (JSC::IntlDateTimeFormatPrototypeGetterFormat):
        (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::constructIntlNumberFormat):
        (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatFuncFormatNumber):
        (JSC::IntlNumberFormatPrototypeGetterFormat):
        (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
        * runtime/IntlObject.cpp:
        (JSC::lookupSupportedLocales):
        * runtime/IntlObjectInlines.h:
        (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in IteratorOperations.h.
        https://bugs.webkit.org/show_bug.cgi?id=165015

        Reviewed by Saam Barati.

        * runtime/IteratorOperations.h:
        (JSC::forEachInIterable):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in JSArray* files.
        https://bugs.webkit.org/show_bug.cgi?id=165016

        Reviewed by Saam Barati.

        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        (JSC::JSArray::put):
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::push):
        (JSC::JSArray::unshiftCountWithAnyIndexingType):
        * runtime/JSArrayBuffer.cpp:
        (JSC::JSArrayBuffer::put):
        (JSC::JSArrayBuffer::defineOwnProperty):
        * runtime/JSArrayInlines.h:
        (JSC::getLength):
        (JSC::toLength):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in JSDataView.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=165020

        Reviewed by Saam Barati.

        * runtime/JSDataView.cpp:
        (JSC::JSDataView::put):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in JSFunction.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=165021

        Reviewed by Saam Barati.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::put):
        (JSC::JSFunction::defineOwnProperty):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in runtime/JSGenericTypedArrayView* files.
        https://bugs.webkit.org/show_bug.cgi?id=165022

        Reviewed by Saam Barati.

        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayViewFromIterator):
        (JSC::constructGenericTypedArrayViewWithArguments):
        (JSC::constructGenericTypedArrayView):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::set):
        (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::speciesConstruct):
        (JSC::genericTypedArrayViewProtoFuncSet):
        (JSC::genericTypedArrayViewProtoFuncJoin):
        (JSC::genericTypedArrayViewProtoFuncSlice):
        (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in runtime/Operations.cpp/h.
        https://bugs.webkit.org/show_bug.cgi?id=165046

        Reviewed by Saam Barati.

        Also switched to using returning { } instead of JSValue().

        * runtime/Operations.cpp:
        (JSC::jsAddSlowCase):
        (JSC::jsIsObjectTypeOrNull):
        * runtime/Operations.h:
        (JSC::jsStringFromRegisterArray):
        (JSC::jsStringFromArguments):
        (JSC::jsLess):
        (JSC::jsLessEq):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in JSScope.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=165047

        Reviewed by Saam Barati.

        * runtime/JSScope.cpp:
        (JSC::JSScope::resolve):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in JSTypedArrayViewPrototype.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=165049

        Reviewed by Saam Barati.

        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::typedArrayViewPrivateFuncSort):
        (JSC::typedArrayViewProtoFuncSet):
        (JSC::typedArrayViewProtoFuncCopyWithin):
        (JSC::typedArrayViewProtoFuncIncludes):
        (JSC::typedArrayViewProtoFuncLastIndexOf):
        (JSC::typedArrayViewProtoFuncIndexOf):
        (JSC::typedArrayViewProtoFuncJoin):
        (JSC::typedArrayViewProtoGetterFuncBuffer):
        (JSC::typedArrayViewProtoGetterFuncLength):
        (JSC::typedArrayViewProtoGetterFuncByteLength):
        (JSC::typedArrayViewProtoGetterFuncByteOffset):
        (JSC::typedArrayViewProtoFuncReverse):
        (JSC::typedArrayViewPrivateFuncSubarrayCreate):
        (JSC::typedArrayViewProtoFuncSlice):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in runtime/Map* files.
        https://bugs.webkit.org/show_bug.cgi?id=165050

        Reviewed by Saam Barati.

        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/MapIteratorPrototype.cpp:
        (JSC::MapIteratorPrototypeFuncNext):
        * runtime/MapPrototype.cpp:
        (JSC::privateFuncMapIteratorNext):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in more miscellaneous files.
        https://bugs.webkit.org/show_bug.cgi?id=165102

        Reviewed by Saam Barati.

        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::constructJSWebAssemblyInstance):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in runtime/Weak* files.
        https://bugs.webkit.org/show_bug.cgi?id=165096

        Reviewed by Geoffrey Garen.

        * runtime/WeakMapConstructor.cpp:
        (JSC::constructWeakMap):
        * runtime/WeakMapPrototype.cpp:
        (JSC::protoFuncWeakMapSet):
        * runtime/WeakSetConstructor.cpp:
        (JSC::constructWeakSet):
        * runtime/WeakSetPrototype.cpp:
        (JSC::protoFuncWeakSetAdd):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in runtime/String* files.
        https://bugs.webkit.org/show_bug.cgi?id=165067

        Reviewed by Saam Barati.

        * runtime/StringConstructor.cpp:
        (JSC::stringFromCodePoint):
        (JSC::constructWithStringConstructor):
        * runtime/StringObject.cpp:
        (JSC::StringObject::put):
        (JSC::StringObject::putByIndex):
        (JSC::StringObject::defineOwnProperty):
        * runtime/StringPrototype.cpp:
        (JSC::jsSpliceSubstrings):
        (JSC::jsSpliceSubstringsWithSeparators):
        (JSC::replaceUsingRegExpSearch):
        (JSC::replaceUsingStringSearch):
        (JSC::repeatCharacter):
        (JSC::replace):
        (JSC::stringProtoFuncReplaceUsingStringSearch):
        (JSC::stringProtoFuncCharAt):
        (JSC::stringProtoFuncCodePointAt):
        (JSC::stringProtoFuncConcat):
        (JSC::stringProtoFuncIndexOf):
        (JSC::stringProtoFuncLastIndexOf):
        (JSC::splitStringByOneCharacterImpl):
        (JSC::stringProtoFuncSplitFast):
        (JSC::stringProtoFuncSubstring):
        (JSC::stringProtoFuncToLowerCase):
        (JSC::stringProtoFuncToUpperCase):
        (JSC::toLocaleCase):
        (JSC::trimString):
        (JSC::stringProtoFuncIncludes):
        (JSC::builtinStringIncludesInternal):
        (JSC::stringProtoFuncIterator):
        (JSC::normalize):
        (JSC::stringProtoFuncNormalize):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in ObjectConstructor.cpp and ObjectPrototype.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=165051

        Reviewed by Saam Barati.

        Also,
        1. Replaced returning JSValue() with returning { }.
        2. Replaced uses of exec->propertyNames() with vm.propertyNames.

        * runtime/ObjectConstructor.cpp:
        (JSC::constructObject):
        (JSC::objectConstructorGetPrototypeOf):
        (JSC::objectConstructorGetOwnPropertyDescriptor):
        (JSC::objectConstructorGetOwnPropertyDescriptors):
        (JSC::objectConstructorGetOwnPropertyNames):
        (JSC::objectConstructorGetOwnPropertySymbols):
        (JSC::objectConstructorKeys):
        (JSC::ownEnumerablePropertyKeys):
        (JSC::toPropertyDescriptor):
        (JSC::defineProperties):
        (JSC::objectConstructorDefineProperties):
        (JSC::objectConstructorCreate):
        (JSC::setIntegrityLevel):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorPreventExtensions):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
        (JSC::ownPropertyKeys):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncValueOf):
        (JSC::objectProtoFuncHasOwnProperty):
        (JSC::objectProtoFuncIsPrototypeOf):
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):
        (JSC::objectProtoFuncToLocaleString):
        (JSC::objectProtoFuncToString):

2016-11-26  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in miscellaneous files.
        https://bugs.webkit.org/show_bug.cgi?id=165055

        Reviewed by Saam Barati.

        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncIMul):
        * runtime/ModuleLoaderPrototype.cpp:
        (JSC::moduleLoaderPrototypeParseModule):
        (JSC::moduleLoaderPrototypeRequestedModules):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::Interpreter::constructWithNativeErrorConstructor):
        * runtime/NumberConstructor.cpp:
        (JSC::constructWithNumberConstructor):
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):
        * runtime/SetIteratorPrototype.cpp:
        (JSC::SetIteratorPrototypeFuncNext):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::putEntry):
        (JSC::SparseArrayEntry::put):
        * runtime/TemplateRegistry.cpp:
        (JSC::TemplateRegistry::getTemplateObject):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in ReflectObject.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=165066

        Reviewed by Saam Barati.

        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectConstruct):
        (JSC::reflectObjectDefineProperty):
        (JSC::reflectObjectEnumerate):
        (JSC::reflectObjectGet):
        (JSC::reflectObjectGetOwnPropertyDescriptor):
        (JSC::reflectObjectGetPrototypeOf):
        (JSC::reflectObjectOwnKeys):
        (JSC::reflectObjectSet):

2016-11-24  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in ArrayConstructor.cpp and ArrayPrototype.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=164972

        Reviewed by Geoffrey Garen.

        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        * runtime/ArrayPrototype.cpp:
        (JSC::getProperty):
        (JSC::putLength):
        (JSC::speciesWatchpointsValid):
        (JSC::speciesConstructArray):
        (JSC::shift):
        (JSC::unshift):
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncToLocaleString):
        (JSC::slowJoin):
        (JSC::fastJoin):
        (JSC::arrayProtoFuncJoin):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncPush):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        (JSC::arrayProtoFuncIndexOf):
        (JSC::arrayProtoFuncLastIndexOf):
        (JSC::concatAppendOne):
        (JSC::arrayProtoPrivateFuncConcatMemcpy):
        (JSC::ArrayPrototype::attemptToInitializeSpeciesWatchpoint):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in LLIntSlowPaths.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=164969

        Reviewed by Geoffrey Garen.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):
        (JSC::LLInt::setUpCall):
        (JSC::LLInt::varargsSetup):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2016-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Import std::optional reference implementation as WTF::Optional
        https://bugs.webkit.org/show_bug.cgi?id=164199

        Reviewed by Saam Barati and Sam Weinig.

        The previous WTF::Optional::operator= is not compatible with std::optional::operator=.
        std::optional::emplace has the same semantics as the previous one,
        so we change the code to use it.

        * Scripts/builtins/builtins_templates.py:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
        * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::commuteCompareToZeroIntoTest):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::commuteCompareToZeroIntoTest):
        * b3/B3CheckSpecial.cpp:
        (JSC::B3::CheckSpecial::forEachArg):
        (JSC::B3::CheckSpecial::shouldTryAliasingDef):
        * b3/B3CheckSpecial.h:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::scaleForShl):
        (JSC::B3::Air::LowerToAir::effectiveAddr):
        (JSC::B3::Air::LowerToAir::tryAppendLea):
        * b3/B3Opcode.cpp:
        (JSC::B3::invertedCompare):
        * b3/B3Opcode.h:
        * b3/B3PatchpointSpecial.cpp:
        (JSC::B3::PatchpointSpecial::forEachArg):
        * b3/B3StackmapSpecial.cpp:
        (JSC::B3::StackmapSpecial::forEachArgImpl):
        * b3/B3StackmapSpecial.h:
        * b3/B3Value.cpp:
        (JSC::B3::Value::invertedCompare):
        * b3/air/AirArg.h:
        (JSC::B3::Air::Arg::isValidScale):
        (JSC::B3::Air::Arg::isValidAddrForm):
        (JSC::B3::Air::Arg::isValidIndexForm):
        (JSC::B3::Air::Arg::isValidForm):
        * b3/air/AirCustom.h:
        (JSC::B3::Air::PatchCustom::shouldTryAliasingDef):
        * b3/air/AirFixObviousSpills.cpp:
        * b3/air/AirInst.h:
        * b3/air/AirInstInlines.h:
        (JSC::B3::Air::Inst::shouldTryAliasingDef):
        * b3/air/AirIteratedRegisterCoalescing.cpp:
        * b3/air/AirSpecial.cpp:
        (JSC::B3::Air::Special::shouldTryAliasingDef):
        * b3/air/AirSpecial.h:
        * bytecode/BytecodeGeneratorification.cpp:
        (JSC::BytecodeGeneratorification::storageForGeneratorLocal):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::findPC):
        (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
        * bytecode/CodeBlock.h:
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::link):
        * bytecode/UnlinkedFunctionExecutable.h:
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitPutConstantProperty):
        (JSC::ObjectPatternNode::bindValue):
        * debugger/Debugger.cpp:
        (JSC::Debugger::resolveBreakpoint):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::currentPosition):
        * debugger/DebuggerParseData.cpp:
        (JSC::DebuggerPausePositions::breakpointLocationForLineColumn):
        * debugger/DebuggerParseData.h:
        * debugger/ScriptProfilingScope.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::findPC):
        * dfg/DFGJITCode.h:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * dfg/DFGSlowPathGenerator.h:
        (JSC::DFG::SlowPathGenerator::generate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
        (JSC::DFG::SpeculativeJIT::emitUntypedBitOp):
        (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp):
        (JSC::DFG::SpeculativeJIT::compileMathIC):
        (JSC::DFG::SpeculativeJIT::compileArithDiv):
        (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::findPC):
        * ftl/FTLJITCode.h:
        * heap/Heap.cpp:
        (JSC::Heap::collectAsync):
        (JSC::Heap::collectSync):
        (JSC::Heap::collectInThread):
        (JSC::Heap::requestCollection):
        (JSC::Heap::willStartCollection):
        (JSC::Heap::didFinishCollection):
        (JSC::Heap::shouldDoFullCollection):
        * heap/Heap.h:
        (JSC::Heap::collectionScope):
        * heap/HeapSnapshot.cpp:
        (JSC::HeapSnapshot::nodeForCell):
        (JSC::HeapSnapshot::nodeForObjectIdentifier):
        * heap/HeapSnapshot.h:
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::dispatch):
        (Inspector::BackendDispatcher::sendPendingErrors):
        (Inspector::BackendDispatcher::reportProtocolError):
        * inspector/InspectorBackendDispatcher.h:
        * inspector/agents/InspectorHeapAgent.cpp:
        (Inspector::InspectorHeapAgent::nodeForHeapObjectIdentifier):
        (Inspector::InspectorHeapAgent::getPreview):
        (Inspector::InspectorHeapAgent::getRemoteObject):
        * inspector/agents/InspectorHeapAgent.h:
        * inspector/remote/RemoteConnectionToTarget.h:
        * inspector/remote/RemoteConnectionToTarget.mm:
        (Inspector::RemoteConnectionToTarget::targetIdentifier):
        (Inspector::RemoteConnectionToTarget::setup):
        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::updateClientCapabilities):
        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        (_generate_declarations_for_enum_conversion_methods):
        (_generate_declarations_for_enum_conversion_methods.return_type_with_export_macro):
        * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
        (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain.generate_conversion_method_body):
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
        * jit/JITCode.h:
        (JSC::JITCode::findPC):
        * jit/JITDivGenerator.cpp:
        (JSC::JITDivGenerator::generateFastPath):
        * jit/JITOperations.cpp:
        * jit/PCToCodeOriginMap.cpp:
        (JSC::PCToCodeOriginMap::findPC):
        * jit/PCToCodeOriginMap.h:
        * jsc.cpp:
        (WTF::RuntimeArray::getOwnPropertySlot):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * parser/ModuleAnalyzer.cpp:
        (JSC::ModuleAnalyzer::exportVariable):
        * runtime/ConcurrentJSLock.h:
        (JSC::ConcurrentJSLocker::ConcurrentJSLocker):
        * runtime/DefinePropertyAttributes.h:
        (JSC::DefinePropertyAttributes::writable):
        (JSC::DefinePropertyAttributes::configurable):
        (JSC::DefinePropertyAttributes::enumerable):
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertySlot):
        (JSC::GenericArguments<Type>::put):
        (JSC::GenericArguments<Type>::deleteProperty):
        (JSC::GenericArguments<Type>::defineOwnProperty):
        * runtime/HasOwnPropertyCache.h:
        (JSC::HasOwnPropertyCache::get):
        * runtime/HashMapImpl.h:
        (JSC::concurrentJSMapHash):
        * runtime/Identifier.h:
        (JSC::parseIndex):
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::toNumberFromPrimitive):
        (JSC::JSValue::putToPrimitive):
        * runtime/JSCJSValue.h:
        * runtime/JSGenericTypedArrayView.h:
        (JSC::JSGenericTypedArrayView::toAdaptorNativeFromValueWithoutCoercion):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayViewWithArguments):
        (JSC::constructGenericTypedArrayView):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
        (JSC::JSGenericTypedArrayView<Adaptor>::put):
        * runtime/JSModuleRecord.cpp:
        * runtime/JSModuleRecord.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::putDirectMayBeIndex):
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::getOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::putOwnDataPropertyMayBeIndex):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putInline):
        * runtime/JSString.cpp:
        (JSC::JSString::getStringPropertyDescriptor):
        * runtime/JSString.h:
        (JSC::JSString::getStringPropertySlot):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::parse):
        * runtime/MathCommon.h:
        (JSC::safeReciprocalForDivByConst):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncHasOwnProperty):
        * runtime/PropertyDescriptor.h:
        (JSC::toPropertyDescriptor):
        * runtime/PropertyName.h:
        (JSC::parseIndex):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        * runtime/StringObject.cpp:
        (JSC::StringObject::put):
        (JSC::isStringOwnProperty):
        (JSC::StringObject::deleteProperty):
        * runtime/ToNativeFromValue.h:
        (JSC::toNativeFromValueWithoutCoercion):
        * runtime/TypedArrayAdaptors.h:
        (JSC::IntegralTypedArrayAdaptor::toNativeFromInt32WithoutCoercion):
        (JSC::IntegralTypedArrayAdaptor::toNativeFromUint32WithoutCoercion):
        (JSC::IntegralTypedArrayAdaptor::toNativeFromDoubleWithoutCoercion):
        (JSC::FloatTypedArrayAdaptor::toNativeFromInt32WithoutCoercion):
        (JSC::FloatTypedArrayAdaptor::toNativeFromDoubleWithoutCoercion):
        (JSC::Uint8ClampedAdaptor::toNativeFromInt32WithoutCoercion):
        (JSC::Uint8ClampedAdaptor::toNativeFromDoubleWithoutCoercion):

2016-11-26  Sam Weinig  <sam@webkit.org>

        Convert IntersectionObserver over to using RuntimeEnabledFeatures so it can be properly excluded from script
        https://bugs.webkit.org/show_bug.cgi?id=164965

        Reviewed by Simon Fraser.

        * runtime/CommonIdentifiers.h:
        Add identifiers needed for RuntimeEnabledFeatures.

2016-11-23  Zan Dobersek  <zdobersek@igalia.com>

        Remove ENABLE_ASSEMBLER_WX_EXCLUSIVE code
        https://bugs.webkit.org/show_bug.cgi?id=165027

        Reviewed by Darin Adler.

        Remove the code guarded with ENABLE(ASSEMBLER_WX_EXCLUSIVE).
        No port enables this and the guarded code doesn't build at all,
        so it's safe to say it's abandoned.

        * jit/ExecutableAllocator.cpp:
        (JSC::ExecutableAllocator::initializeAllocator):
        (JSC::ExecutableAllocator::ExecutableAllocator):
        (JSC::ExecutableAllocator::reprotectRegion): Deleted.

2016-11-18  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in JSC profiler files.
        https://bugs.webkit.org/show_bug.cgi?id=164971

        Reviewed by Saam Barati.

        * profiler/ProfilerBytecodeSequence.cpp:
        (JSC::Profiler::BytecodeSequence::addSequenceProperties):
        * profiler/ProfilerCompilation.cpp:
        (JSC::Profiler::Compilation::toJS):
        * profiler/ProfilerDatabase.cpp:
        (JSC::Profiler::Database::toJS):
        (JSC::Profiler::Database::toJSON):
        * profiler/ProfilerOSRExitSite.cpp:
        (JSC::Profiler::OSRExitSite::toJS):
        * profiler/ProfilerOriginStack.cpp:
        (JSC::Profiler::OriginStack::toJS):

2016-11-22  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in JSONObject.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=165025

        Reviewed by Saam Barati.

        * runtime/JSONObject.cpp:
        (JSC::gap):
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::stringify):
        (JSC::Stringifier::toJSON):
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::Walker::walk):
        (JSC::JSONProtoFuncParse):
        (JSC::JSONProtoFuncStringify):
        (JSC::JSONStringify):

2016-11-21  Mark Lam  <mark.lam@apple.com>

        Removed an extra space character at the end of line.

        Not reviewed.

        * runtime/JSCell.cpp:
        (JSC::JSCell::toNumber):

2016-11-21  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in FunctionConstructor.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=165011

        Reviewed by Saam Barati.

        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunction):
        (JSC::constructFunctionSkippingEvalEnabledCheck):

2016-11-21  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in GetterSetter.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=165013

        Reviewed by Saam Barati.

        * runtime/GetterSetter.cpp:
        (JSC::callGetter):
        (JSC::callSetter):

2016-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        Crash in com.apple.JavaScriptCore: WTF::ThreadSpecific<WTF::WTFThreadData, + 142
        https://bugs.webkit.org/show_bug.cgi?id=164898

        Reviewed by Darin Adler.

713         The callsite object (JSArray) of tagged template literal is managed by WeakGCMap since
714         same tagged template literal need to return an identical object.
715         The problem is that we used TemplateRegistryKey as the key of the WeakGCMap. WeakGCMap
716         can prune its entries in the collector thread. At that time, this TemplateRegistryKey
717         is deallocated. Since it includes String (and then, StringImpl), we accidentally call
718         ref(), deref() and StringImpl::destroy() in the different thread from the main thread
719         while this TemplateRegistryKey is allocated in the main thread.
720
721         Instead, we use TemplateRegistryKey* as the key of WeakGCMap. Then, to keep its liveness
722         while the entry of the WeakGCMap is alive, the callsite object has the reference to
723         the JSTemplateRegistryKey. And it holds Ref<TemplateRegistryKey>.
724
725         And now we need to look up the WeakGCMap with TemplateRegistryKey*. To do so, we create an
726         interning system for TemplateRegistryKey. It is similar to AtomicStringTable and
727         SymbolRegistry. TemplateRegistryKey is allocated from this table. This table atomizes the
728         TemplateRegistryKey, so we can use pointer comparison between TemplateRegistryKeys.
729         It allows us to look up the entry in the WeakGCMap by TemplateRegistryKey*.
730
731         * CMakeLists.txt:
732         * JavaScriptCore.xcodeproj/project.pbxproj:
733         * builtins/BuiltinNames.h:
734         * bytecompiler/BytecodeGenerator.cpp:
735         (JSC::BytecodeGenerator::addTemplateRegistryKeyConstant):
736         (JSC::BytecodeGenerator::emitGetTemplateObject):
737         * bytecompiler/BytecodeGenerator.h:
738         * runtime/JSGlobalObject.cpp:
739         (JSC::getTemplateObject):
740         * runtime/JSTemplateRegistryKey.cpp:
741         (JSC::JSTemplateRegistryKey::JSTemplateRegistryKey):
742         (JSC::JSTemplateRegistryKey::create):
743         * runtime/JSTemplateRegistryKey.h:
744         * runtime/TemplateRegistry.cpp:
745         (JSC::TemplateRegistry::getTemplateObject):
746         * runtime/TemplateRegistry.h:
747         * runtime/TemplateRegistryKey.cpp: Copied from Source/JavaScriptCore/runtime/TemplateRegistry.h.
748         (JSC::TemplateRegistryKey::~TemplateRegistryKey):
749         * runtime/TemplateRegistryKey.h:
750         (JSC::TemplateRegistryKey::calculateHash):
751         (JSC::TemplateRegistryKey::create):
752         (JSC::TemplateRegistryKey::TemplateRegistryKey):
753         * runtime/TemplateRegistryKeyTable.cpp: Added.
754         (JSC::TemplateRegistryKeyTranslator::hash):
755         (JSC::TemplateRegistryKeyTranslator::equal):
756         (JSC::TemplateRegistryKeyTranslator::translate):
757         (JSC::TemplateRegistryKeyTable::~TemplateRegistryKeyTable):
758         (JSC::TemplateRegistryKeyTable::createKey):
759         (JSC::TemplateRegistryKeyTable::unregister):
760         * runtime/TemplateRegistryKeyTable.h: Copied from Source/JavaScriptCore/runtime/JSTemplateRegistryKey.h.
761         (JSC::TemplateRegistryKeyTable::KeyHash::hash):
762         (JSC::TemplateRegistryKeyTable::KeyHash::equal):
763         * runtime/VM.h:
764         (JSC::VM::templateRegistryKeyTable):
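The interning scheme described in this entry, as an added illustration rather than JavaScriptCore's own code: a table that hands out one canonical key object per distinct content, so a cache can be keyed by the key's address and compared by pointer, and only the table ever frees key storage. TemplateKey, TemplateKeyTable, CallsiteCache and the sample template pieces are hypothetical stand-ins for TemplateRegistryKey, TemplateRegistryKeyTable and the WeakGCMap.

```cpp
#include <cstddef>
#include <functional>
#include <string>
#include <unordered_map>
#include <unordered_set>
#include <utility>
#include <vector>

// Hypothetical, simplified stand-in for a tagged-template key: the raw and
// cooked string pieces of one template literal. Two keys are equal when their
// contents are equal.
struct TemplateKey {
    std::vector<std::string> rawStrings;
    std::vector<std::string> cookedStrings;

    bool operator==(const TemplateKey& other) const
    {
        return rawStrings == other.rawStrings && cookedStrings == other.cookedStrings;
    }
};

struct TemplateKeyHash {
    size_t operator()(const TemplateKey& key) const
    {
        size_t hash = 0x9e3779b9u;
        std::hash<std::string> stringHash;
        for (const auto& s : key.rawStrings)
            hash = hash * 31 + stringHash(s);
        for (const auto& s : key.cookedStrings)
            hash = hash * 31 + stringHash(s);
        return hash;
    }
};

// Interning table: one canonical TemplateKey object per distinct content.
// createKey() returns that object's address, so callers can use
// const TemplateKey* as a map key and compare keys by pointer. Only this
// table deallocates keys, which keeps key storage out of the hands of any
// other thread that prunes the cache.
class TemplateKeyTable {
public:
    const TemplateKey* createKey(TemplateKey key)
    {
        // std::unordered_set nodes keep a stable address across rehashing,
        // so the returned pointer stays valid for the table's lifetime.
        auto inserted = m_keys.insert(std::move(key));
        return &*inserted.first;
    }

    size_t size() const { return m_keys.size(); }

private:
    std::unordered_set<TemplateKey, TemplateKeyHash> m_keys;
};

// Stand-in for the per-callsite cache keyed by the interned pointer; an int
// plays the role of the template object.
using CallsiteCache = std::unordered_map<const TemplateKey*, int>;

// Returns the cached object for the template with the given pieces, creating
// a fresh one (the next counter value) on first use. Equal-content templates
// intern to the same key and therefore hit the same cache entry.
static int lookupOrCreate(TemplateKeyTable& table, CallsiteCache& cache,
    std::vector<std::string> raw, std::vector<std::string> cooked, int& counter)
{
    const TemplateKey* key = table.createKey(TemplateKey { std::move(raw), std::move(cooked) });
    auto it = cache.find(key);
    if (it != cache.end())
        return it->second;
    int value = ++counter;
    cache.emplace(key, value);
    return value;
}

// Constructed sample: two identical templates and one that differs only in a
// raw escape. Returns true when equal content yields one key and one cached
// object while the different content yields a second key.
static bool demoInterning()
{
    TemplateKeyTable table;
    CallsiteCache cache;
    int counter = 0;
    int first = lookupOrCreate(table, cache, { "a", "b" }, { "a", "b" }, counter);
    int second = lookupOrCreate(table, cache, { "a", "b" }, { "a", "b" }, counter);
    int third = lookupOrCreate(table, cache, { "a\\n" }, { "a\n" }, counter);
    return first == second && second != third && table.size() == 2 && cache.size() == 2;
}

int main()
{
    return demoInterning() ? 0 : 1;
}
```

The pointer returned by createKey() is what makes the cache lookup cheap and thread-agnostic: the cache never needs to hash or compare string contents, so pruning an entry touches nothing refcounted.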
765
766 2016-11-21  Mark Lam  <mark.lam@apple.com>
767
768         Fix exception scope verification failures in runtime/Error* files.
769         https://bugs.webkit.org/show_bug.cgi?id=164998
770
771         Reviewed by Darin Adler.
772
773         * runtime/ErrorConstructor.cpp:
774         (JSC::Interpreter::constructWithErrorConstructor):
775         * runtime/ErrorInstance.cpp:
776         (JSC::ErrorInstance::create):
777         * runtime/ErrorInstance.h:
778         * runtime/ErrorPrototype.cpp:
779         (JSC::errorProtoFuncToString):
780
781 2016-11-21  Mark Lam  <mark.lam@apple.com>
782
783         Fix exception scope verification failures in *Executable.cpp files.
784         https://bugs.webkit.org/show_bug.cgi?id=164996
785
786         Reviewed by Darin Adler.
787
788         * runtime/DirectEvalExecutable.cpp:
789         (JSC::DirectEvalExecutable::create):
790         * runtime/IndirectEvalExecutable.cpp:
791         (JSC::IndirectEvalExecutable::create):
792         * runtime/ProgramExecutable.cpp:
793         (JSC::ProgramExecutable::initializeGlobalProperties):
794         * runtime/ScriptExecutable.cpp:
795         (JSC::ScriptExecutable::prepareForExecutionImpl):
796
797 2016-11-20  Zan Dobersek  <zdobersek@igalia.com>
798
799         [EncryptedMedia] Make EME API runtime-enabled
800         https://bugs.webkit.org/show_bug.cgi?id=164927
801
802         Reviewed by Jer Noble.
803
804         * runtime/CommonIdentifiers.h: Add the necessary identifiers.
805
806 2016-11-20  Mark Lam  <mark.lam@apple.com>
807
808         Fix exception scope verification failures in ConstructData.cpp.
809         https://bugs.webkit.org/show_bug.cgi?id=164976
810
811         Reviewed by Darin Adler.
812
813         * runtime/ConstructData.cpp:
814         (JSC::construct):
815
816 2016-11-20  Mark Lam  <mark.lam@apple.com>
817
818         Fix exception scope verification failures in CommonSlowPaths.cpp/h.
819         https://bugs.webkit.org/show_bug.cgi?id=164975
820
821         Reviewed by Darin Adler.
822
823         * runtime/CommonSlowPaths.cpp:
824         (JSC::SLOW_PATH_DECL):
825         * runtime/CommonSlowPaths.h:
826         (JSC::CommonSlowPaths::opIn):
827
828 2016-11-20  Mark Lam  <mark.lam@apple.com>
829
830         Fix exception scope verification failures in DateConstructor.cpp and DatePrototype.cpp.
831         https://bugs.webkit.org/show_bug.cgi?id=164995
832
833         Reviewed by Darin Adler.
834
835         * runtime/DateConstructor.cpp:
836         (JSC::millisecondsFromComponents):
837         (JSC::constructDate):
838         * runtime/DatePrototype.cpp:
839         (JSC::dateProtoFuncToPrimitiveSymbol):
840
841 2016-11-20  Caitlin Potter  <caitp@igalia.com>
842
843         [JSC] speed up parsing of async functions
844         https://bugs.webkit.org/show_bug.cgi?id=164808
845
846         Reviewed by Yusuke Suzuki.
847
848         Minor adjustments to Parser in order to mitigate slowdown with async
849         function parsing enabled:
850
851           - Tokenize "async" as a keyword
852           - Perform less branching in various areas of the Parser
853
854         * parser/Keywords.table:
855         * parser/Parser.cpp:
856         (JSC::Parser<LexerType>::parseStatementListItem):
857         (JSC::Parser<LexerType>::parseStatement):
858         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
859         (JSC::Parser<LexerType>::parseClass):
860         (JSC::Parser<LexerType>::parseExportDeclaration):
861         (JSC::Parser<LexerType>::parseAssignmentExpression):
862         (JSC::Parser<LexerType>::parseProperty):
863         (JSC::Parser<LexerType>::createResolveAndUseVariable):
864         (JSC::Parser<LexerType>::parsePrimaryExpression):
865         (JSC::Parser<LexerType>::parseMemberExpression):
866         (JSC::Parser<LexerType>::printUnexpectedTokenText):
867         * parser/Parser.h:
868         (JSC::isAnyContextualKeyword):
869         (JSC::isIdentifierOrAnyContextualKeyword):
870         (JSC::isSafeContextualKeyword):
871         (JSC::Parser::matchSpecIdentifier):
872         * parser/ParserTokens.h:
873         * runtime/CommonIdentifiers.h:
874
875 2016-11-19  Mark Lam  <mark.lam@apple.com>
876
877         Add --timeoutMultiplier option to allow some tests more time to run.
878         https://bugs.webkit.org/show_bug.cgi?id=164951
879
880         Reviewed by Yusuke Suzuki.
881
882         * jsc.cpp:
883         (timeoutThreadMain):
884         - Modified to factor in a timeout multiplier that can adjust the timeout duration.
885         (startTimeoutThreadIfNeeded):
886         - Moved the code that starts the timeout thread here from main() so that we can
887         call it after command line args have been parsed instead.
888         (main):
889         - Deleted old timeout thread starting code.
890         (CommandLine::parseArguments):
891         - Added parsing of the --timeoutMultiplier option.
892         (jscmain):
893         - Start the timeout thread if needed after we've parsed the command line args.
894
895 2016-11-19  Mark Lam  <mark.lam@apple.com>
896
897         Fix missing exception checks in JSC inspector files.
898         https://bugs.webkit.org/show_bug.cgi?id=164959
899
900         Reviewed by Saam Barati.
901
902         * inspector/JSInjectedScriptHost.cpp:
903         (Inspector::JSInjectedScriptHost::getInternalProperties):
904         (Inspector::JSInjectedScriptHost::weakMapEntries):
905         (Inspector::JSInjectedScriptHost::weakSetEntries):
906         (Inspector::JSInjectedScriptHost::iteratorEntries):
907         * inspector/JSJavaScriptCallFrame.cpp:
908         (Inspector::JSJavaScriptCallFrame::scopeDescriptions):
909
910 2016-11-18  Mark Lam  <mark.lam@apple.com>
911
912         Fix missing exception checks in DFGOperations.cpp.
913         https://bugs.webkit.org/show_bug.cgi?id=164958
914
915         Reviewed by Geoffrey Garen.
916
917         * dfg/DFGOperations.cpp:
918
919 2016-11-18  Mark Lam  <mark.lam@apple.com>
920
921         Fix exception scope verification failures in ShadowChicken.cpp.
922         https://bugs.webkit.org/show_bug.cgi?id=164966
923
924         Reviewed by Saam Barati.
925
926         * interpreter/ShadowChicken.cpp:
927         (JSC::ShadowChicken::functionsOnStack):
928
929 2016-11-18  Jeremy Jones  <jeremyj@apple.com>
930
931         Add runtime flag to enable pointer lock. Enable pointer lock feature for mac.
932         https://bugs.webkit.org/show_bug.cgi?id=163801
933
934         Reviewed by Simon Fraser.
935
936         * Configurations/FeatureDefines.xcconfig:
937
938 2016-11-18  Filip Pizlo  <fpizlo@apple.com>
939
940         Unreviewed, fix cloop.
941
942         * bytecode/CodeBlock.cpp:
943         (JSC::CodeBlock::stronglyVisitStrongReferences):
944
945 2016-11-18  Filip Pizlo  <fpizlo@apple.com>
946
947         Concurrent GC should be able to run splay in debug mode and earley/raytrace in release mode with no perf regression
948         https://bugs.webkit.org/show_bug.cgi?id=164282
949
950         Reviewed by Geoffrey Garen and Oliver Hunt.
951         
952         The three remaining bugs were:
953
954         - Improper ordering inside putDirectWithoutTransition() and friends. We need to make sure
955           that the GC doesn't see the store to Structure::m_offset until we've resized the butterfly.
956           That proved a bit tricky. On the other hand, this means that we could probably remove the
957           requirement that the GC holds the Structure lock in some cases. I haven't removed that lock
958           yet because I still think it might protect some weird cases, and it doesn't seem to cost us
959           anything.
960         
961         - CodeBlock's GC strategy needed to be made thread-safe (visitWeakly, visitChildren, and
962           their friends now hold locks) and incremental-safe (we need to update predictions in the
963           finalizer to make sure we clear anything that was put into a value profile towards the end
964           of GC).
965         
966         - The GC timeslicing scheduler needed to be made a bit more aggressive to deal with
967           generational workloads like earley, raytrace, and CDjs. Once I got those benchmarks to run,
968           I found that they would do many useless iterations of GC because they wouldn't pause long
969           enough after rescanning weak references and roots. I added a bunch of knobs for forcing a
970           pause. In the end, I realized that I could get the desired effect by putting a ceiling on
971           mutator utilization. We want the GC to finish quickly if it is possible to do so, even if
972           the amount of allocation that the mutator had done is low. Having a utilization ceiling
973           seems to accomplish this for benchmarks with trivial heaps (earley and raytrace) as well as
974           huge heaps (like CDjs in its "large" configuration).
975         
976         This preserves splay performance, makes the concurrent GC more stable, and makes the
977         concurrent GC not a perf regression on earley or raytrace. It seems to give us great CDjs
978         performance as well, but this is still hard to tell because we crash a lot in that benchmark.
979
980         * bytecode/CodeBlock.cpp:
981         (JSC::CodeBlock::CodeBlock):
982         (JSC::CodeBlock::visitWeakly):
983         (JSC::CodeBlock::visitChildren):
984         (JSC::CodeBlock::shouldVisitStrongly):
985         (JSC::CodeBlock::shouldJettisonDueToOldAge):
986         (JSC::CodeBlock::propagateTransitions):
987         (JSC::CodeBlock::determineLiveness):
988         (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences):
989         (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally):
990         (JSC::CodeBlock::visitOSRExitTargets):
991         (JSC::CodeBlock::stronglyVisitStrongReferences):
992         (JSC::CodeBlock::stronglyVisitWeakReferences):
993         * bytecode/CodeBlock.h:
994         (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled):
995         * heap/CodeBlockSet.cpp:
996         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
997         * heap/Heap.cpp:
998         (JSC::Heap::ResumeTheWorldScope::ResumeTheWorldScope):
999         (JSC::Heap::markToFixpoint):
1000         (JSC::Heap::beginMarking):
1001         (JSC::Heap::addToRememberedSet):
1002         (JSC::Heap::collectInThread):
1003         * heap/Heap.h:
1004         * heap/HeapInlines.h:
1005         (JSC::Heap::mutatorFence):
1006         * heap/MarkedBlock.cpp:
1007         * runtime/JSCellInlines.h:
1008         (JSC::JSCell::finishCreation):
1009         * runtime/JSObjectInlines.h:
1010         (JSC::JSObject::putDirectWithoutTransition):
1011         (JSC::JSObject::putDirectInternal):
1012         * runtime/Options.h:
1013         * runtime/Structure.cpp:
1014         (JSC::Structure::add):
1015         * runtime/Structure.h:
1016         * runtime/StructureInlines.h:
1017         (JSC::Structure::add):
1018
1019 2016-11-18  Joseph Pecoraro  <pecoraro@apple.com>
1020
1021         Web Inspector: Generator functions should have a displayable name when shown in stack traces
1022         https://bugs.webkit.org/show_bug.cgi?id=164844
1023         <rdar://problem/29300697>
1024
1025         Reviewed by Yusuke Suzuki.
1026
1027         * parser/SyntaxChecker.h:
1028         (JSC::SyntaxChecker::createGeneratorFunctionBody):
1029         * parser/ASTBuilder.h:
1030         (JSC::ASTBuilder::createGeneratorFunctionBody):
1031         New way to create a generator function with an inferred name.
1032
1033         * parser/Parser.cpp:
1034         (JSC::Parser<LexerType>::parseInner):
1035         (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
1036         * parser/Parser.h:
1037         Pass on the name of the generator wrapper function so we can
1038         use it on the inner generator function.
1039
1040 2016-11-17  Ryosuke Niwa  <rniwa@webkit.org>
1041
1042         Add an experimental API to find elements across shadow boundaries
1043         https://bugs.webkit.org/show_bug.cgi?id=164851
1044         <rdar://problem/28220092>
1045
1046         Reviewed by Sam Weinig.
1047
1048         * runtime/CommonIdentifiers.h:
1049
1050 2016-11-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1051
1052         [JSC] Drop arguments.caller
1053         https://bugs.webkit.org/show_bug.cgi?id=164859
1054
1055         Reviewed by Saam Barati.
1056
1057         Originally, some JavaScript engines had an `arguments.caller` property.
1058         But it easily causes information leaks and it became an obstacle
1059         for secure ECMAScript (SES). In ES5, we made it deprecated in strict
1060         mode. To do so, we explicitly set a "caller" getter throwing TypeError
1061         on arguments in strict mode.
1062
1063         But now, there is no modern engine which supports `arguments.caller`
1064         in sloppy mode. So the original compatibility problem is gone and
1065         the "caller" getter in the strict mode arguments becomes meaningless.
1066
1067         ES2017 drops this from the spec. In this patch, we also drop
1068         support for `arguments.caller` in strict mode.
1069
1070         Note that Function#caller is still alive.
1071
1072         * runtime/ClonedArguments.cpp:
1073         (JSC::ClonedArguments::getOwnPropertySlot):
1074         (JSC::ClonedArguments::put):
1075         (JSC::ClonedArguments::deleteProperty):
1076         (JSC::ClonedArguments::defineOwnProperty):
1077         (JSC::ClonedArguments::materializeSpecials):
1078
1079 2016-11-17  Mark Lam  <mark.lam@apple.com>
1080
1081         Inlining should be disallowed when JSC_alwaysUseShadowChicken=true.
1082         https://bugs.webkit.org/show_bug.cgi?id=164893
1083         <rdar://problem/29146436>
1084
1085         Reviewed by Saam Barati.
1086
1087         * runtime/Options.cpp:
1088         (JSC::recomputeDependentOptions):
1089
1090 2016-11-17  Filip Pizlo  <fpizlo@apple.com>
1091
1092         Speculatively disable eager object zero-fill on not-x86 to let the bots decide if that's a problem
1093         https://bugs.webkit.org/show_bug.cgi?id=164885
1094
1095         Reviewed by Mark Lam.
1096         
1097         This adds a useGCFences() function that we use to guard all eager object zero-fill and the
1098         related fences. It currently returns true only on x86().
1099         
1100         The goal here is to get the bots to tell us if this code is responsible for perf issues on
1101         any non-x86 platforms. We have a few different paths that we can pursue if this turns out
1102         to be the case. Eager zero-fill is merely the easiest way to optimize out some fences, but
1103         we could get rid of it and instead teach B3 how to think about fences.
1104
1105         * assembler/CPU.h:
1106         (JSC::useGCFences):
1107         * bytecode/PolymorphicAccess.cpp:
1108         (JSC::AccessCase::generateImpl):
1109         * dfg/DFGSpeculativeJIT.cpp:
1110         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1111         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1112         * ftl/FTLLowerDFGToB3.cpp:
1113         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1114         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
1115         (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
1116         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1117         (JSC::FTL::DFG::LowerDFGToB3::mutatorFence):
1118         (JSC::FTL::DFG::LowerDFGToB3::setButterfly):
1119         * jit/AssemblyHelpers.h:
1120         (JSC::AssemblyHelpers::mutatorFence):
1121         (JSC::AssemblyHelpers::storeButterfly):
1122         (JSC::AssemblyHelpers::emitInitializeInlineStorage):
1123         (JSC::AssemblyHelpers::emitInitializeOutOfLineStorage):
1124
1125 2016-11-17  Keith Miller  <keith_miller@apple.com>
1126
1127         Add rotate to Wasm
1128         https://bugs.webkit.org/show_bug.cgi?id=164871
1129
1130         Reviewed by Filip Pizlo.
1131
1132         Add rotate left and rotate right to Wasm. These directly map to B3 opcodes.
1133         This also moves ARM-specific transformations of rotate left to lower macros
1134         after optimization. It's a bad idea to have platform-specific canonicalizations
1135         in reduce strength since other optimizations may not be aware of it.
1136
1137         Add a bug to do pure CSE after lower macros after optimization since we want to
1138         clean up RotL(value, Neg(Neg(shift))).
1139
1140         * b3/B3Generate.cpp:
1141         (JSC::B3::generateToAir):
1142         * b3/B3LowerMacrosAfterOptimizations.cpp:
1143         * b3/B3ReduceStrength.cpp:
1144         * wasm/wasm.json:
1145
1146 2016-11-17  Keith Miller  <keith_miller@apple.com>
1147
1148         Add sqrt to Wasm
1149         https://bugs.webkit.org/show_bug.cgi?id=164877
1150
1151         Reviewed by Mark Lam.
1152
1153         B3 already has a Sqrt opcode; we just need to map Wasm to it.
1154
1155         * wasm/wasm.json:
1156
1157 2016-11-17  Keith Miller  <keith_miller@apple.com>
1158
1159         Add support for rotate in B3 and the relevant assemblers
1160         https://bugs.webkit.org/show_bug.cgi?id=164869
1161
1162         Reviewed by Geoffrey Garen.
1163
1164         This patch runs RotR and RotL (rotate right and left respectively)
1165         through B3 and B3's assemblers. One thing of note is that ARM64 does
1166         not support rotate left; instead it allows negative right rotations.
1167
1168         This patch also fixes a theoretical bug in the assembler where
1169         on X86 doing someShiftOp(reg, edx) would instead shift the shift
1170         amount by the value. Additionally, this patch refactors some
1171         of the X86 assembler to use templates when deciding how to format
1172         the appropriate shift instruction.
1173
1174         * assembler/MacroAssemblerARM64.h:
1175         (JSC::MacroAssemblerARM64::rotateRight32):
1176         (JSC::MacroAssemblerARM64::rotateRight64):
1177         * assembler/MacroAssemblerX86Common.h:
1178         (JSC::MacroAssemblerX86Common::rotateRight32):
1179         (JSC::MacroAssemblerX86Common::rotateLeft32):
1180         * assembler/MacroAssemblerX86_64.h:
1181         (JSC::MacroAssemblerX86_64::lshift64):
1182         (JSC::MacroAssemblerX86_64::rshift64):
1183         (JSC::MacroAssemblerX86_64::urshift64):
1184         (JSC::MacroAssemblerX86_64::rotateRight64):
1185         (JSC::MacroAssemblerX86_64::rotateLeft64):
1186         (JSC::MacroAssemblerX86_64::or64):
1187         * assembler/X86Assembler.h:
1188         (JSC::X86Assembler::xorq_rm):
1189         (JSC::X86Assembler::shiftInstruction32):
1190         (JSC::X86Assembler::sarl_i8r):
1191         (JSC::X86Assembler::shrl_i8r):
1192         (JSC::X86Assembler::shll_i8r):
1193         (JSC::X86Assembler::rorl_i8r):
1194         (JSC::X86Assembler::rorl_CLr):
1195         (JSC::X86Assembler::roll_i8r):
1196         (JSC::X86Assembler::roll_CLr):
1197         (JSC::X86Assembler::shiftInstruction64):
1198         (JSC::X86Assembler::sarq_CLr):
1199         (JSC::X86Assembler::sarq_i8r):
1200         (JSC::X86Assembler::shrq_i8r):
1201         (JSC::X86Assembler::shlq_i8r):
1202         (JSC::X86Assembler::rorq_i8r):
1203         (JSC::X86Assembler::rorq_CLr):
1204         (JSC::X86Assembler::rolq_i8r):
1205         (JSC::X86Assembler::rolq_CLr):
1206         * b3/B3Common.h:
1207         (JSC::B3::rotateRight):
1208         (JSC::B3::rotateLeft):
1209         * b3/B3Const32Value.cpp:
1210         (JSC::B3::Const32Value::rotRConstant):
1211         (JSC::B3::Const32Value::rotLConstant):
1212         * b3/B3Const32Value.h:
1213         * b3/B3Const64Value.cpp:
1214         (JSC::B3::Const64Value::rotRConstant):
1215         (JSC::B3::Const64Value::rotLConstant):
1216         * b3/B3Const64Value.h:
1217         * b3/B3LowerToAir.cpp:
1218         (JSC::B3::Air::LowerToAir::lower):
1219         * b3/B3Opcode.cpp:
1220         (WTF::printInternal):
1221         * b3/B3Opcode.h:
1222         * b3/B3ReduceStrength.cpp:
1223         * b3/B3Validate.cpp:
1224         * b3/B3Value.cpp:
1225         (JSC::B3::Value::rotRConstant):
1226         (JSC::B3::Value::rotLConstant):
1227         (JSC::B3::Value::effects):
1228         (JSC::B3::Value::key):
1229         (JSC::B3::Value::typeFor):
1230         * b3/B3Value.h:
1231         * b3/B3ValueKey.cpp:
1232         (JSC::B3::ValueKey::materialize):
1233         * b3/air/AirInstInlines.h:
1234         (JSC::B3::Air::isRotateRight32Valid):
1235         (JSC::B3::Air::isRotateLeft32Valid):
1236         (JSC::B3::Air::isRotateRight64Valid):
1237         (JSC::B3::Air::isRotateLeft64Valid):
1238         * b3/air/AirOpcode.opcodes:
1239         * b3/testb3.cpp:
1240         (JSC::B3::testRotR):
1241         (JSC::B3::testRotL):
1242         (JSC::B3::testRotRWithImmShift):
1243         (JSC::B3::testRotLWithImmShift):
1244         (JSC::B3::run):
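The rotate semantics this entry adds, as an added example and not JavaScriptCore's own B3Common.h code: rotate right on 32- and 64-bit values with the count masked to the operand width, rotate left derived from it by negating the count (the identity a backend needs on a target such as ARM64 that only provides rotate right), and an exhaustive check of the identities over every count. The function names and sample values are the example's own.

```cpp
#include <cstdint>
#include <cassert>

// Rotate right on 32- and 64-bit values. The count is masked to the operand
// width, mirroring the hardware rotate instructions, so a count of 32 (or 64)
// is a no-op and a negative count is well defined.
static inline uint32_t rotateRight32(uint32_t value, int shift)
{
    unsigned count = static_cast<unsigned>(shift) & 31u;
    if (!count)
        return value;
    return (value >> count) | (value << (32u - count));
}

static inline uint64_t rotateRight64(uint64_t value, int shift)
{
    unsigned count = static_cast<unsigned>(shift) & 63u;
    if (!count)
        return value;
    return (value >> count) | (value << (64u - count));
}

// Rotate left expressed as rotate right by the negated count:
// rotl(x, n) == rotr(x, -n) modulo the width. This is the rewrite a backend
// applies when the target only has a rotate-right instruction.
static inline uint32_t rotateLeft32(uint32_t value, int shift)
{
    return rotateRight32(value, -shift);
}

static inline uint64_t rotateLeft64(uint64_t value, int shift)
{
    return rotateRight64(value, -shift);
}

// Checks, for every count in [0, 128), that rotating left then right by the
// same count restores the value and that rotl(x, n) == rotr(x, width - n),
// including counts at and beyond the operand width. Returns false on the
// first mismatch.
static bool verifyRotateIdentities(uint32_t sample32, uint64_t sample64)
{
    for (int count = 0; count < 128; ++count) {
        if (rotateRight32(rotateLeft32(sample32, count), count) != sample32)
            return false;
        if (rotateLeft32(sample32, count) != rotateRight32(sample32, 32 - count))
            return false;
        if (rotateRight64(rotateLeft64(sample64, count), count) != sample64)
            return false;
        if (rotateLeft64(sample64, count) != rotateRight64(sample64, 64 - count))
            return false;
    }
    return true;
}

int main()
{
    assert(rotateRight32(0x80000001u, 1) == 0xC0000000u);
    assert(rotateLeft32(0x80000001u, 1) == 0x00000003u);
    assert(rotateRight64(1ull, 1) == 0x8000000000000000ull);
    assert(rotateLeft32(0x12345678u, 32) == 0x12345678u);
    assert(verifyRotateIdentities(0x12345678u, 0x0123456789ABCDEFull));
    return 0;
}
```

Masking the count before shifting matters for more than hardware fidelity: shifting a 32-bit value by 32 or by a negative amount is undefined behaviour in C++, so the mask is what keeps the constant-folding path (the rotRConstant/rotLConstant analogue) from miscompiling on counts the JIT would happily emit.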
1245
1246 2016-11-17  Saam Barati  <sbarati@apple.com>
1247
1248         Remove async/await compile time flag and enable tests
1249         https://bugs.webkit.org/show_bug.cgi?id=164828
1250         <rdar://problem/28639334>
1251
1252         Reviewed by Yusuke Suzuki.
1253
1254         * Configurations/FeatureDefines.xcconfig:
1255         * parser/Parser.cpp:
1256         (JSC::Parser<LexerType>::parseStatementListItem):
1257         (JSC::Parser<LexerType>::parseStatement):
1258         (JSC::Parser<LexerType>::parseClass):
1259         (JSC::Parser<LexerType>::parseExportDeclaration):
1260         (JSC::Parser<LexerType>::parseAssignmentExpression):
1261         (JSC::Parser<LexerType>::parseProperty):
1262         (JSC::Parser<LexerType>::parsePrimaryExpression):
1263         (JSC::Parser<LexerType>::parseMemberExpression):
1264         (JSC::Parser<LexerType>::parseUnaryExpression):
1265
1266 2016-11-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1267
1268         [JSC] WTF::TemporaryChange with WTF::SetForScope
1269         https://bugs.webkit.org/show_bug.cgi?id=164761
1270
1271         Reviewed by Saam Barati.
1272
1273         * bytecompiler/BytecodeGenerator.h:
1274         * bytecompiler/SetForScope.h: Removed.
1275         * debugger/Debugger.cpp:
1276         * inspector/InspectorBackendDispatcher.cpp:
1277         (Inspector::BackendDispatcher::dispatch):
1278         * inspector/ScriptDebugServer.cpp:
1279         (Inspector::ScriptDebugServer::dispatchBreakpointActionLog):
1280         (Inspector::ScriptDebugServer::dispatchBreakpointActionSound):
1281         (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe):
1282         (Inspector::ScriptDebugServer::sourceParsed):
1283         (Inspector::ScriptDebugServer::dispatchFunctionToListeners):
1284         * parser/Parser.cpp:
1285
1286 2016-11-16  Mark Lam  <mark.lam@apple.com>
1287
1288         ExceptionFuzz needs to placate exception check verification before overwriting a thrown exception.
1289         https://bugs.webkit.org/show_bug.cgi?id=164843
1290
1291         Reviewed by Keith Miller.
1292
1293         The ThrowScope will check for unchecked simulated exceptions before throwing a
1294         new exception.  This ensures that we don't quietly overwrite a pending exception
1295         (which should never happen, with the only exception being to rethrow the same
1296         exception).  However, ExceptionFuzz works by intentionally throwing its own
1297         exception even when one may already exist thereby potentially overwriting an
1298         existing exception.  This is ok for ExceptionFuzz testing, but we need to placate
1299         the exception check verifier before ExceptionFuzz throws its own exception.
1300
1301         * runtime/ExceptionFuzz.cpp:
1302         (JSC::doExceptionFuzzing):
1303
1304 2016-11-16  Geoffrey Garen  <ggaren@apple.com>
1305
1306         UnlinkedCodeBlock should not have a starting line number
1307         https://bugs.webkit.org/show_bug.cgi?id=164838
1308
1309         Reviewed by Mark Lam.
1310
1311         Here's how the starting line number in UnlinkedCodeBlock used to work:
1312
1313         (1) Assign the source code starting line number to the parser starting
1314         line number.
1315
1316         (2) Assign (1) to the AST.
1317
1318         (3) Subtract (1) from (2) and assign to UnlinkedCodeBlock.
1319
1320         Then, when linking:
1321
1322         (4) Add (3) to (1).
1323
1324         This was an awesome no-op.
1325
1326         Generally, unlinked code is code that is not tied to any particular
1327         web page or resource. So, it's inappropriate to think of it having a
1328         starting line number.
1329
1330         * bytecode/UnlinkedCodeBlock.cpp:
1331         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1332         * bytecode/UnlinkedCodeBlock.h:
1333         (JSC::UnlinkedCodeBlock::recordParse):
1334         (JSC::UnlinkedCodeBlock::hasCapturedVariables):
1335         (JSC::UnlinkedCodeBlock::firstLine): Deleted.
1336         * runtime/CodeCache.cpp:
1337         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
1338         * runtime/CodeCache.h:
1339         (JSC::generateUnlinkedCodeBlock):
1340
1341 2016-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1342
1343         [ES6][WebCore] Change ES6_MODULES compile time flag to runtime flag
1344         https://bugs.webkit.org/show_bug.cgi?id=164827
1345
1346         Reviewed by Ryosuke Niwa.
1347
1348         * Configurations/FeatureDefines.xcconfig:
1349
1350 2016-11-16  Filip Pizlo  <fpizlo@apple.com>
1351
1352         Unreviewed, roll out r208811. It's not sound.
1353
1354         * ftl/FTLLowerDFGToB3.cpp:
1355         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1356         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
1357         (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
1358         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1359         (JSC::FTL::DFG::LowerDFGToB3::mutatorFence):
1360         (JSC::FTL::DFG::LowerDFGToB3::setButterfly):
1361         (JSC::FTL::DFG::LowerDFGToB3::splatWordsIfMutatorIsFenced): Deleted.
1362
1363 2016-11-16  Keith Miller  <keith_miller@apple.com>
1364
1365         Wasm function parser should use template functions for each binary and unary opcode
1366         https://bugs.webkit.org/show_bug.cgi?id=164835
1367
1368         Reviewed by Mark Lam.
1369
1370         This patch changes the wasm function parser to call into a template specialization
1371         for each binary/unary opcode. This change makes it easier to have custom implementations
1372         of various opcodes. It is also, in theory, a speedup since it does not require switching
1373         on the opcode twice.
1374
1375         * CMakeLists.txt:
1376         * DerivedSources.make:
1377         * wasm/WasmB3IRGenerator.cpp:
1378         (): Deleted.
1379         * wasm/WasmFunctionParser.h:
1380         (JSC::Wasm::FunctionParser<Context>::binaryCase):
1381         (JSC::Wasm::FunctionParser<Context>::unaryCase):
1382         (JSC::Wasm::FunctionParser<Context>::parseExpression):
1383         * wasm/WasmValidate.cpp:
1384         * wasm/generateWasm.py:
1385         (isBinary):
1386         (isSimple):
1387         * wasm/generateWasmB3IRGeneratorInlinesHeader.py: Added.
1388         (generateSimpleCode):
1389         * wasm/generateWasmOpsHeader.py:
1390         (opcodeMacroizer):
1391         * wasm/generateWasmValidateInlinesHeader.py:
1392
1393 2016-11-16  Mark Lam  <mark.lam@apple.com>
1394
1395         ExceptionFuzz functions should use its client's ThrowScope.
1396         https://bugs.webkit.org/show_bug.cgi?id=164834
1397
1398         Reviewed by Geoffrey Garen.
1399
1400         This is because ExceptionFuzz's purpose is to throw exceptions from its client at
1401         exception check sites.  Using the client's ThrowScope solves 2 problems:
1402
1403         1. If ExceptionFuzz instantiates its own ThrowScope, the simulated throw will be
1404            mis-attributed to ExceptionFuzz when it should be attributed to its client.
1405
1406         2. One way exception scope verification works is by having ThrowScopes assert
1407            that there are no unchecked simulated exceptions when the ThrowScope is
1408            instantiated.  However, ExceptionFuzz necessarily works by inserting
1409            doExceptionFuzzingIfEnabled() in between a ThrowScope that simulated a throw
1410            and an exception check.  If we declare a ThrowScope in ExceptionFuzz's code,
1411            we will be instantiating the ThrowScope between the point where a simulated
1412            throw occurs and where the needed exception check can occur.  Hence, having
1413            ExceptionFuzz instantiate its own ThrowScope will fail exception scope
1414            verification every time.
1415
1416         Changing ExceptionFuzz to use its client's ThrowScope resolves both problems.
1417
1418         Also fixed the THROW() macro in CommonSlowPaths.cpp to use the ThrowScope that
1419         already exists in every slow path function instead of creating a new one.
1420
1421         * jit/JITOperations.cpp:
1422         * llint/LLIntSlowPaths.cpp:
1423         * runtime/CommonSlowPaths.cpp:
1424         * runtime/ExceptionFuzz.cpp:
1425         (JSC::doExceptionFuzzing):
1426         * runtime/ExceptionFuzz.h:
1427         (JSC::doExceptionFuzzingIfEnabled):
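        The ordering argument above, as an added example that is not JSC's own code: a constructed model of a VM, a ThrowScope whose constructor performs the verification described in point 2, and a slow-path client that reaches the fuzz check site after a callee may have thrown. The names VM, ThrowScope, FuzzMode, runClient and the fields on them are assumptions of this model, not the real runtime/ThrowScope.h types; verification failures are counted instead of asserting so both outcomes can be compared.

```cpp
#include <cstdio>
#include <string>

// Constructed model (not JSC's real VM/ThrowScope). The only rule it encodes is
// the one from the entry: creating a ThrowScope while an unchecked exception is
// pending is a verification failure.
struct VM {
    bool exception = false;          // an exception (real or simulated) is pending
    bool needExceptionCheck = false; // pending exception not yet observed by a check
    int verificationFailures = 0;    // counted here instead of RELEASE_ASSERT-ing
    std::string thrownAt;            // which scope the throw was attributed to
};

class ThrowScope {
public:
    ThrowScope(VM& vm, const char* site) : m_vm(vm), m_site(site) {
        if (m_vm.needExceptionCheck) {
            std::printf("scope verification failure at %s\n", site);
            ++m_vm.verificationFailures;
        }
    }
    ~ThrowScope() {
        // An exception still pending when a scope closes must be checked by the caller.
        if (m_vm.exception) m_vm.needExceptionCheck = true;
    }
    void throwException() {
        m_vm.exception = true;
        m_vm.needExceptionCheck = true;
        m_vm.thrownAt = m_site; // attribution: the scope that threw (point 1)
    }
    VM& vm() { return m_vm; }
private:
    VM& m_vm;
    const char* m_site;
};

enum class FuzzMode { OwnScope, ClientScope };

// The removed pattern: the fuzzer opens its own ThrowScope before throwing.
static void fuzzWithOwnScope(VM& vm) {
    ThrowScope fuzzScope(vm, "ExceptionFuzz");
    if (!vm.exception) fuzzScope.throwException();
}

// The pattern the patch adopts: throw through the client's existing scope.
static void fuzzWithClientScope(ThrowScope& clientScope) {
    if (!clientScope.vm().exception) clientScope.throwException();
}

// A callee that may throw and leaves the check to its caller.
static void operationThatMayThrow(VM& vm, bool shouldThrow) {
    ThrowScope scope(vm, "callee");
    if (shouldThrow) scope.throwException();
}

struct ClientResult {
    int verificationFailures;
    std::string thrownAt;
};

// Slow-path style client: run the callee, hit the fuzz site, return; the real
// exception check is the caller's. This is the window the entry describes.
ClientResult runClient(FuzzMode mode, bool calleeThrows) {
    VM vm;
    {
        ThrowScope scope(vm, "client");
        operationThatMayThrow(vm, calleeThrows);
        if (mode == FuzzMode::OwnScope)
            fuzzWithOwnScope(vm);
        else
            fuzzWithClientScope(scope);
    }
    vm.needExceptionCheck = false; // the caller's exception check
    return { vm.verificationFailures, vm.thrownAt };
}

int main() {
    ClientResult r = runClient(FuzzMode::OwnScope, true);
    std::printf("own scope, callee threw: %d failure(s)\n", r.verificationFailures);
    r = runClient(FuzzMode::ClientScope, false);
    std::printf("client scope, fuzz threw: attributed to %s\n", r.thrownAt.c_str());
    return 0;
}
```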
1428
1429 2016-11-16  Filip Pizlo  <fpizlo@apple.com>
1430
1431         Slight Octane regression from concurrent GC's eager object zero-fill
1432         https://bugs.webkit.org/show_bug.cgi?id=164823
1433
1434         Reviewed by Geoffrey Garen.
1435         
1436         During concurrent GC, we need to eagerly zero-fill objects we allocate prior to
1437         executing the end-of-allocation fence. This causes some regressions. This is an attempt
1438         to fix those regressions by making them conditional on whether the mutator is fenced.
1439         
1440         This is a slight speed-up on raytrace and boyer, and hopefully it will fix the
1441         regression.
1442
1443         * ftl/FTLLowerDFGToB3.cpp:
1444         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1445         (JSC::FTL::DFG::LowerDFGToB3::splatWordsIfMutatorIsFenced):
1446         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
1447         (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
1448         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1449         (JSC::FTL::DFG::LowerDFGToB3::mutatorFence):
1450         (JSC::FTL::DFG::LowerDFGToB3::setButterfly):
1451
1452 2016-11-16  Mark Lam  <mark.lam@apple.com>
1453
1454         Fix exception scope checking in JSGlobalObject.cpp.
1455         https://bugs.webkit.org/show_bug.cgi?id=164831
1456
1457         Reviewed by Saam Barati.
1458
1459         * runtime/JSGlobalObject.cpp:
1460         (JSC::JSGlobalObject::init):
1461         - Use a CatchScope here because we don't ever expect JSGlobalObject initialization
1462           to fail with errors.
1463         (JSC::JSGlobalObject::put):
1464         - Fix exception check requirements.
1465
1466 2016-11-16  Keith Miller  <keith_miller@apple.com>
1467
1468         Unreviewed, ARM build fix.
1469
1470         * b3/B3LowerToAir.cpp:
1471         (JSC::B3::Air::LowerToAir::lower):
1472         (JSC::B3::Air::LowerToAir::lowerX86Div):
1473         (JSC::B3::Air::LowerToAir::lowerX86UDiv):
1474
1475 2016-11-15  Mark Lam  <mark.lam@apple.com>
1476
1477         Make JSC test functions more robust.
1478         https://bugs.webkit.org/show_bug.cgi?id=164807
1479
1480         Reviewed by Keith Miller.
1481
1482         * jsc.cpp:
1483         (functionGetHiddenValue):
1484         (functionSetHiddenValue):
1485
1486 2016-11-15  Keith Miller  <keith_miller@apple.com>
1487
1488         B3 should support UDiv/UMod
1489         https://bugs.webkit.org/show_bug.cgi?id=164811
1490
1491         Reviewed by Filip Pizlo.
1492
1493         This patch adds support for UDiv and UMod in B3. Many of the magic number
1494         cases have been omitted for now since they are unlikely to happen in wasm
1495         code. Most wasm code we will see is generated via llvm, which has more
1496         robust versions of what we would do anyway. Additionally, this patch
1497         links the new opcodes up to the wasm parser.
1498
1499         * assembler/MacroAssemblerARM64.h:
1500         (JSC::MacroAssemblerARM64::uDiv32):
1501         (JSC::MacroAssemblerARM64::uDiv64):
1502         * assembler/MacroAssemblerX86Common.h:
1503         (JSC::MacroAssemblerX86Common::x86UDiv32):
1504         * assembler/MacroAssemblerX86_64.h:
1505         (JSC::MacroAssemblerX86_64::x86UDiv64):
1506         * assembler/X86Assembler.h:
1507         (JSC::X86Assembler::divq_r):
1508         * b3/B3Common.h:
1509         (JSC::B3::chillUDiv):
1510         (JSC::B3::chillUMod):
1511         * b3/B3Const32Value.cpp:
1512         (JSC::B3::Const32Value::uDivConstant):
1513         (JSC::B3::Const32Value::uModConstant):
1514         * b3/B3Const32Value.h:
1515         * b3/B3Const64Value.cpp:
1516         (JSC::B3::Const64Value::uDivConstant):
1517         (JSC::B3::Const64Value::uModConstant):
1518         * b3/B3Const64Value.h:
1519         * b3/B3LowerMacros.cpp:
1520         * b3/B3LowerToAir.cpp:
1521         (JSC::B3::Air::LowerToAir::lower):
1522         (JSC::B3::Air::LowerToAir::lowerX86UDiv):
1523         * b3/B3Opcode.cpp:
1524         (WTF::printInternal):
1525         * b3/B3Opcode.h:
1526         * b3/B3ReduceStrength.cpp:
1527         * b3/B3Validate.cpp:
1528         * b3/B3Value.cpp:
1529         (JSC::B3::Value::uDivConstant):
1530         (JSC::B3::Value::uModConstant):
1531         (JSC::B3::Value::effects):
1532         (JSC::B3::Value::key):
1533         (JSC::B3::Value::typeFor):
1534         * b3/B3Value.h:
1535         * b3/B3ValueKey.cpp:
1536         (JSC::B3::ValueKey::materialize):
1537         * b3/air/AirInstInlines.h:
1538         (JSC::B3::Air::isX86UDiv32Valid):
1539         (JSC::B3::Air::isX86UDiv64Valid):
1540         * b3/air/AirOpcode.opcodes:
1541         * b3/testb3.cpp:
1542         (JSC::B3::testUDivArgsInt32):
1543         (JSC::B3::testUDivArgsInt64):
1544         (JSC::B3::testUModArgsInt32):
1545         (JSC::B3::testUModArgsInt64):
1546         (JSC::B3::run):
1547         * wasm/wasm.json:
1548
1549 2016-11-15  Joseph Pecoraro  <pecoraro@apple.com>
1550
1551         Web Inspector: Preview other CSS @media in browser window (print)
1552         https://bugs.webkit.org/show_bug.cgi?id=13530
1553         <rdar://problem/5712928>
1554
1555         Reviewed by Timothy Hatcher.
1556
1557         * inspector/protocol/Page.json:
1558         Update to preferred JSON style.
1559
1560 2016-11-15  Filip Pizlo  <fpizlo@apple.com>
1561
1562         Unreviewed, revert renaming useConcurrentJIT to useConcurrentJS.
1563
1564         * dfg/DFGDriver.cpp:
1565         (JSC::DFG::compileImpl):
1566         * heap/Heap.cpp:
1567         (JSC::Heap::addToRememberedSet):
1568         * jit/JITWorklist.cpp:
1569         (JSC::JITWorklist::compileLater):
1570         (JSC::JITWorklist::compileNow):
1571         * runtime/Options.cpp:
1572         (JSC::recomputeDependentOptions):
1573         * runtime/Options.h:
1574         * runtime/WriteBarrierInlines.h:
1575         (JSC::WriteBarrierBase<T>::set):
1576         (JSC::WriteBarrierBase<Unknown>::set):
1577
1578 2016-11-15  Geoffrey Garen  <ggaren@apple.com>
1579
1580         Debugging and other tools should not disable the code cache
1581         https://bugs.webkit.org/show_bug.cgi?id=164802
1582
1583         Reviewed by Mark Lam.
1584
1585         * bytecode/UnlinkedFunctionExecutable.cpp:
1586         (JSC::UnlinkedFunctionExecutable::fromGlobalCode): Updated for interface
1587         change.
1588
1589         * parser/SourceCodeKey.h:
1590         (JSC::SourceCodeFlags::SourceCodeFlags):
1591         (JSC::SourceCodeFlags::bits):
1592         (JSC::SourceCodeKey::SourceCodeKey): Treat debugging and other tools
1593         as part of our key so that we can cache code while using tools. Be sure
1594         to include these bits in our hash function so you don't get storms of
1595         collisions as you open and close the Web Inspector.
1596
1597         * runtime/CodeCache.cpp:
1598         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
1599         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable): Treat tools as
1600         a part of our key instead of as a reason to disable caching.
1601
1602         * runtime/CodeCache.h:
1603
1604 2016-11-15  Mark Lam  <mark.lam@apple.com>
1605
1606         Remove JSString::SafeView and replace its uses with StringViewWithUnderlyingString.
1607         https://bugs.webkit.org/show_bug.cgi?id=164777
1608
1609         Reviewed by Geoffrey Garen.
1610
1611         JSString::SafeView no longer achieves its intended goal to make it easier to
1612         handle strings safely.  Its clients still need to do explicit exception checks in
1613         order to be correct.  We'll remove it and replace its uses with
1614         StringViewWithUnderlyingString instead, which serves to get a StringView
1615         (which is what we really wanted from SafeView) and keeps the backing String alive
1616         while the view is in use.
1617
1618         Also added some missing exception checks.
1619
1620         * jsc.cpp:
1621         (printInternal):
1622         (functionDebug):
1623         * runtime/ArrayPrototype.cpp:
1624         (JSC::arrayProtoFuncJoin):
1625         * runtime/FunctionConstructor.cpp:
1626         (JSC::constructFunctionSkippingEvalEnabledCheck):
1627         * runtime/IntlCollatorPrototype.cpp:
1628         (JSC::IntlCollatorFuncCompare):
1629         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1630         (JSC::genericTypedArrayViewProtoFuncJoin):
1631         * runtime/JSGlobalObjectFunctions.cpp:
1632         (JSC::toStringView):
1633         (JSC::globalFuncParseFloat):
1634         * runtime/JSONObject.cpp:
1635         (JSC::JSONProtoFuncParse):
1636         * runtime/JSString.h:
1637         (JSC::JSString::SafeView::is8Bit): Deleted.
1638         (JSC::JSString::SafeView::length): Deleted.
1639         (JSC::JSString::SafeView::SafeView): Deleted.
1640         (JSC::JSString::SafeView::get): Deleted.
1641         (JSC::JSString::view): Deleted.
1642         * runtime/StringPrototype.cpp:
1643         (JSC::stringProtoFuncRepeatCharacter):
1644         (JSC::stringProtoFuncCharAt):
1645         (JSC::stringProtoFuncCharCodeAt):
1646         (JSC::stringProtoFuncIndexOf):
1647         (JSC::stringProtoFuncNormalize):
1648
1649 2016-11-15  Filip Pizlo  <fpizlo@apple.com>
1650
1651         Unreviewed, remove bogus assertion.
1652
1653         * heap/Heap.cpp:
1654         (JSC::Heap::markToFixpoint):
1655
1656 2016-11-15  Filip Pizlo  <fpizlo@apple.com>
1657
1658         [mac-wk1 debug] ASSERTION FAILED: thisObject->m_propertyTableUnsafe
1659         https://bugs.webkit.org/show_bug.cgi?id=162986
1660
1661         Reviewed by Saam Barati.
1662         
1663         This assertion is wrong for concurrent GC anyway, so this removes it.
1664
1665         * runtime/Structure.cpp:
1666         (JSC::Structure::visitChildren):
1667
1668 2016-11-15  Filip Pizlo  <fpizlo@apple.com>
1669
1670         Rename CONCURRENT_JIT/ConcurrentJIT to CONCURRENT_JS/ConcurrentJS
1671         https://bugs.webkit.org/show_bug.cgi?id=164791
1672
1673         Reviewed by Geoffrey Garen.
1674         
1675         Just renaming.
1676
1677         * JavaScriptCore.xcodeproj/project.pbxproj:
1678         * bytecode/ArrayProfile.cpp:
1679         (JSC::ArrayProfile::computeUpdatedPrediction):
1680         (JSC::ArrayProfile::briefDescription):
1681         (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
1682         * bytecode/ArrayProfile.h:
1683         (JSC::ArrayProfile::observedArrayModes):
1684         (JSC::ArrayProfile::mayInterceptIndexedAccesses):
1685         (JSC::ArrayProfile::mayStoreToHole):
1686         (JSC::ArrayProfile::outOfBounds):
1687         (JSC::ArrayProfile::usesOriginalArrayStructures):
1688         * bytecode/CallLinkStatus.cpp:
1689         (JSC::CallLinkStatus::computeFromLLInt):
1690         (JSC::CallLinkStatus::computeFor):
1691         (JSC::CallLinkStatus::computeExitSiteData):
1692         (JSC::CallLinkStatus::computeFromCallLinkInfo):
1693         (JSC::CallLinkStatus::computeDFGStatuses):
1694         * bytecode/CallLinkStatus.h:
1695         * bytecode/CodeBlock.cpp:
1696         (JSC::CodeBlock::dumpValueProfiling):
1697         (JSC::CodeBlock::dumpArrayProfiling):
1698         (JSC::CodeBlock::finishCreation):
1699         (JSC::CodeBlock::setConstantRegisters):
1700         (JSC::CodeBlock::getStubInfoMap):
1701         (JSC::CodeBlock::getCallLinkInfoMap):
1702         (JSC::CodeBlock::getByValInfoMap):
1703         (JSC::CodeBlock::addStubInfo):
1704         (JSC::CodeBlock::addByValInfo):
1705         (JSC::CodeBlock::addCallLinkInfo):
1706         (JSC::CodeBlock::resetJITData):
1707         (JSC::CodeBlock::shrinkToFit):
1708         (JSC::CodeBlock::getArrayProfile):
1709         (JSC::CodeBlock::addArrayProfile):
1710         (JSC::CodeBlock::getOrAddArrayProfile):
1711         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
1712         (JSC::CodeBlock::updateAllArrayPredictions):
1713         (JSC::CodeBlock::nameForRegister):
1714         (JSC::CodeBlock::livenessAnalysisSlow):
1715         * bytecode/CodeBlock.h:
1716         (JSC::CodeBlock::setJITCode):
1717         (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
1718         (JSC::CodeBlock::addFrequentExitSite):
1719         (JSC::CodeBlock::hasExitSite):
1720         (JSC::CodeBlock::livenessAnalysis):
1721         * bytecode/DFGExitProfile.cpp:
1722         (JSC::DFG::ExitProfile::add):
1723         (JSC::DFG::ExitProfile::hasExitSite):
1724         (JSC::DFG::QueryableExitProfile::initialize):
1725         * bytecode/DFGExitProfile.h:
1726         (JSC::DFG::ExitProfile::hasExitSite):
1727         * bytecode/GetByIdStatus.cpp:
1728         (JSC::GetByIdStatus::hasExitSite):
1729         (JSC::GetByIdStatus::computeFor):
1730         (JSC::GetByIdStatus::computeForStubInfo):
1731         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
1732         * bytecode/GetByIdStatus.h:
1733         * bytecode/LazyOperandValueProfile.cpp:
1734         (JSC::CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions):
1735         (JSC::CompressedLazyOperandValueProfileHolder::add):
1736         (JSC::LazyOperandValueProfileParser::initialize):
1737         (JSC::LazyOperandValueProfileParser::prediction):
1738         * bytecode/LazyOperandValueProfile.h:
1739         * bytecode/MethodOfGettingAValueProfile.cpp:
1740         (JSC::MethodOfGettingAValueProfile::emitReportValue):
1741         * bytecode/PutByIdStatus.cpp:
1742         (JSC::PutByIdStatus::hasExitSite):
1743         (JSC::PutByIdStatus::computeFor):
1744         (JSC::PutByIdStatus::computeForStubInfo):
1745         * bytecode/PutByIdStatus.h:
1746         * bytecode/StructureStubClearingWatchpoint.cpp:
1747         (JSC::StructureStubClearingWatchpoint::fireInternal):
1748         * bytecode/ValueProfile.h:
1749         (JSC::ValueProfileBase::briefDescription):
1750         (JSC::ValueProfileBase::computeUpdatedPrediction):
1751         * dfg/DFGArrayMode.cpp:
1752         (JSC::DFG::ArrayMode::fromObserved):
1753         * dfg/DFGArrayMode.h:
1754         (JSC::DFG::ArrayMode::withSpeculationFromProfile):
1755         (JSC::DFG::ArrayMode::withProfile):
1756         * dfg/DFGByteCodeParser.cpp:
1757         (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
1758         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
1759         (JSC::DFG::ByteCodeParser::getArrayMode):
1760         (JSC::DFG::ByteCodeParser::handleInlining):
1761         (JSC::DFG::ByteCodeParser::parseBlock):
1762         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1763         * dfg/DFGDriver.cpp:
1764         (JSC::DFG::compileImpl):
1765         * dfg/DFGFixupPhase.cpp:
1766         (JSC::DFG::FixupPhase::fixupNode):
1767         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
1768         * dfg/DFGGraph.cpp:
1769         (JSC::DFG::Graph::tryGetConstantClosureVar):
1770         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1771         * dfg/DFGPredictionInjectionPhase.cpp:
1772         (JSC::DFG::PredictionInjectionPhase::run):
1773         * ftl/FTLLowerDFGToB3.cpp:
1774         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
1775         * ftl/FTLOperations.cpp:
1776         (JSC::FTL::operationMaterializeObjectInOSR):
1777         * heap/Heap.cpp:
1778         (JSC::Heap::addToRememberedSet):
1779         * jit/JIT.cpp:
1780         (JSC::JIT::compileWithoutLinking):
1781         * jit/JITInlines.h:
1782         (JSC::JIT::chooseArrayMode):
1783         * jit/JITOperations.cpp:
1784         (JSC::tryGetByValOptimize):
1785         * jit/JITPropertyAccess.cpp:
1786         (JSC::JIT::privateCompileGetByValWithCachedId):
1787         (JSC::JIT::privateCompilePutByValWithCachedId):
1788         * jit/JITWorklist.cpp:
1789         (JSC::JITWorklist::compileLater):
1790         (JSC::JITWorklist::compileNow):
1791         * jit/Repatch.cpp:
1792         (JSC::repatchGetByID):
1793         (JSC::repatchPutByID):
1794         * llint/LLIntSlowPaths.cpp:
1795         (JSC::LLInt::setupGetByIdPrototypeCache):
1796         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1797         (JSC::LLInt::setUpCall):
1798         * profiler/ProfilerBytecodeSequence.cpp:
1799         (JSC::Profiler::BytecodeSequence::BytecodeSequence):
1800         * runtime/CommonSlowPaths.cpp:
1801         (JSC::SLOW_PATH_DECL):
1802         * runtime/CommonSlowPaths.h:
1803         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
1804         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
1805         * runtime/ConcurrentJITLock.h: Removed.
1806         * runtime/ConcurrentJSLock.h: Copied from Source/JavaScriptCore/runtime/ConcurrentJITLock.h.
1807         (JSC::ConcurrentJSLockerBase::ConcurrentJSLockerBase):
1808         (JSC::ConcurrentJSLockerBase::~ConcurrentJSLockerBase):
1809         (JSC::GCSafeConcurrentJSLocker::GCSafeConcurrentJSLocker):
1810         (JSC::GCSafeConcurrentJSLocker::~GCSafeConcurrentJSLocker):
1811         (JSC::ConcurrentJSLocker::ConcurrentJSLocker):
1812         (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase): Deleted.
1813         (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase): Deleted.
1814         (JSC::ConcurrentJITLockerBase::unlockEarly): Deleted.
1815         (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker): Deleted.
1816         (JSC::GCSafeConcurrentJITLocker::~GCSafeConcurrentJITLocker): Deleted.
1817         (JSC::ConcurrentJITLocker::ConcurrentJITLocker): Deleted.
1818         * runtime/InferredType.cpp:
1819         (JSC::InferredType::canWatch):
1820         (JSC::InferredType::addWatchpoint):
1821         (JSC::InferredType::willStoreValueSlow):
1822         (JSC::InferredType::makeTopSlow):
1823         (JSC::InferredType::set):
1824         (JSC::InferredType::removeStructure):
1825         * runtime/InferredType.h:
1826         * runtime/InferredTypeTable.cpp:
1827         (JSC::InferredTypeTable::visitChildren):
1828         (JSC::InferredTypeTable::get):
1829         (JSC::InferredTypeTable::willStoreValue):
1830         (JSC::InferredTypeTable::makeTop):
1831         * runtime/InferredTypeTable.h:
1832         * runtime/JSEnvironmentRecord.cpp:
1833         (JSC::JSEnvironmentRecord::heapSnapshot):
1834         * runtime/JSGlobalObject.cpp:
1835         (JSC::JSGlobalObject::addGlobalVar):
1836         (JSC::JSGlobalObject::addStaticGlobals):
1837         * runtime/JSLexicalEnvironment.cpp:
1838         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
1839         * runtime/JSObject.cpp:
1840         (JSC::JSObject::deleteProperty):
1841         (JSC::JSObject::shiftButterflyAfterFlattening):
1842         * runtime/JSObject.h:
1843         * runtime/JSObjectInlines.h:
1844         (JSC::JSObject::putDirectWithoutTransition):
1845         (JSC::JSObject::putDirectInternal):
1846         * runtime/JSScope.cpp:
1847         (JSC::abstractAccess):
1848         (JSC::JSScope::collectClosureVariablesUnderTDZ):
1849         * runtime/JSSegmentedVariableObject.cpp:
1850         (JSC::JSSegmentedVariableObject::findVariableIndex):
1851         (JSC::JSSegmentedVariableObject::addVariables):
1852         (JSC::JSSegmentedVariableObject::heapSnapshot):
1853         * runtime/JSSegmentedVariableObject.h:
1854         * runtime/JSSymbolTableObject.cpp:
1855         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
1856         * runtime/JSSymbolTableObject.h:
1857         (JSC::symbolTableGet):
1858         (JSC::symbolTablePut):
1859         * runtime/Options.cpp:
1860         (JSC::recomputeDependentOptions):
1861         * runtime/Options.h:
1862         * runtime/ProgramExecutable.cpp:
1863         (JSC::ProgramExecutable::initializeGlobalProperties):
1864         * runtime/RegExp.cpp:
1865         (JSC::RegExp::compile):
1866         (JSC::RegExp::matchConcurrently):
1867         (JSC::RegExp::compileMatchOnly):
1868         (JSC::RegExp::deleteCode):
1869         * runtime/RegExp.h:
1870         * runtime/Structure.cpp:
1871         (JSC::Structure::materializePropertyTable):
1872         (JSC::Structure::addPropertyTransitionToExistingStructureConcurrently):
1873         (JSC::Structure::addNewPropertyTransition):
1874         (JSC::Structure::takePropertyTableOrCloneIfPinned):
1875         (JSC::Structure::nonPropertyTransition):
1876         (JSC::Structure::flattenDictionaryStructure):
1877         (JSC::Structure::ensurePropertyReplacementWatchpointSet):
1878         (JSC::Structure::add):
1879         (JSC::Structure::remove):
1880         (JSC::Structure::visitChildren):
1881         * runtime/Structure.h:
1882         * runtime/StructureInlines.h:
1883         (JSC::Structure::propertyReplacementWatchpointSet):
1884         (JSC::Structure::add):
1885         (JSC::Structure::remove):
1886         * runtime/SymbolTable.cpp:
1887         (JSC::SymbolTable::visitChildren):
1888         (JSC::SymbolTable::localToEntry):
1889         (JSC::SymbolTable::entryFor):
1890         (JSC::SymbolTable::prepareForTypeProfiling):
1891         (JSC::SymbolTable::uniqueIDForVariable):
1892         (JSC::SymbolTable::uniqueIDForOffset):
1893         (JSC::SymbolTable::globalTypeSetForOffset):
1894         (JSC::SymbolTable::globalTypeSetForVariable):
1895         * runtime/SymbolTable.h:
1896         * runtime/TypeSet.cpp:
1897         (JSC::TypeSet::addTypeInformation):
1898         (JSC::TypeSet::invalidateCache):
1899         * runtime/TypeSet.h:
1900         (JSC::TypeSet::structureSet):
1901         * runtime/VM.h:
1902         * runtime/WriteBarrierInlines.h:
1903         (JSC::WriteBarrierBase<T>::set):
1904         (JSC::WriteBarrierBase<Unknown>::set):
1905         * yarr/YarrInterpreter.cpp:
1906         (JSC::Yarr::ByteCompiler::compile):
1907         (JSC::Yarr::byteCompile):
1908         * yarr/YarrInterpreter.h:
1909         (JSC::Yarr::BytecodePattern::BytecodePattern):
1910
1911 2016-11-15  Joseph Pecoraro  <pecoraro@apple.com>
1912
1913         Web Inspector: Remove unused and untested Page.setTouchEmulationEnabled command
1914         https://bugs.webkit.org/show_bug.cgi?id=164793
1915
1916         Reviewed by Matt Baker.
1917
1918         * inspector/protocol/Page.json:
1919
1920 2016-11-15  Yusuke Suzuki  <utatane.tea@gmail.com>
1921
1922         Unreviewed, build fix for Windows debug build after r208738
1923         https://bugs.webkit.org/show_bug.cgi?id=164727
1924
1925         This static member variable can be touched outside of the JSC project
1926         since inlined MacroAssembler member functions read / write it.
1927         So it should be exported.
1928
1929         * assembler/MacroAssemblerX86Common.h:
1930
1931 2016-11-15  Joseph Pecoraro  <pecoraro@apple.com>
1932
1933         Web Inspector: inspector/worker/debugger-pause.html fails on WebKit1
1934         https://bugs.webkit.org/show_bug.cgi?id=164787
1935
1936         Reviewed by Timothy Hatcher.
1937
1938         * inspector/agents/InspectorDebuggerAgent.cpp:
1939         (Inspector::InspectorDebuggerAgent::cancelPauseOnNextStatement):
1940         Clear this DebuggerAgent state when we resume.
1941
1942 2016-11-15  Filip Pizlo  <fpizlo@apple.com>
1943
1944         It should be possible to disable concurrent GC timeslicing
1945         https://bugs.webkit.org/show_bug.cgi?id=164788
1946
1947         Reviewed by Saam Barati.
1948         
1949         Collector timeslicing means that the collector will try to pause once every 2ms. This is
1950         great because it throttles the mutator and prevents it from outpacing the collector. But
1951         it reduces some of the efficacy of the collectContinuously=true configuration: while
1952         it's great that collecting continuously means that the collector will also pause more
1953         frequently and so it will test the pausing code, it also means that the collector will
1954         spend less time running concurrently. The primary purpose of collectContinuously is to
1955         maximize the amount of time that the collector is running concurrently to the mutator to
1956         maximize the likelihood that a race will cause a detectable error.
1957         
1958         This adds an option to disable collector timeslicing (useCollectorTimeslicing=false).
1959         The idea is that we will usually use this in conjunction with collectContinuously=true
1960         to find race conditions during marking, but we can also use the two options
1961         independently to focus our testing on other things.
1962
1963         * heap/Heap.cpp:
1964         (JSC::Heap::markToFixpoint):
1965         * heap/SlotVisitor.cpp:
1966         (JSC::SlotVisitor::drainInParallel): We should have added this helper ages ago.
1967         * heap/SlotVisitor.h:
1968         * runtime/Options.h:
1969
1970 2016-11-15  Filip Pizlo  <fpizlo@apple.com>
1971
1972         The concurrent GC should have a timeslicing controller
1973         https://bugs.webkit.org/show_bug.cgi?id=164783
1974
1975         Reviewed by Geoffrey Garen.
1976         
1977         This adds a simple control system for deciding when the collector should let the mutator run
1978         and when it should stop the mutator. We definitely have to stop the mutator during certain
1979         collector phases, but during marking - which takes the most time - we can go either way.
1980         Normally we want to let the mutator run, but if the heap size starts to grow then we have to
1981         stop the mutator just to make sure it doesn't get too far ahead of the collector. That could
1982         lead to memory exhaustion, so it's better to just stop in that case.
1983         
1984         The controller tries to never stop the mutator for longer than short timeslices. It slices on
1985         a 2ms period (configurable via Options). The amount of that period that the collector spends
1986         with the mutator stopped is determined by the fraction of the collector's concurrent headroom
1987         that has been allocated over. The headroom is currently configured at 50% of what was
1988         allocated before the collector started.
1989         
1990         This moves a bunch of parameters into Options so that it's easier to play with different
1991         configurations.
1992         
1993         I tried these different values for the period:
1994         
1995         1ms: 30% worse than 2ms on splay-latency.
1996         2ms: best score on splay-latency: the tick time above the 99.5% percentile is <2ms.
1997         3ms: 40% worse than 2ms on splay-latency.
1998         4ms: 40% worse than 2ms on splay-latency.
1999         
2000         I also tried 100% headroom as an alternate to 50% and found it to be worse.
2001         
2002         This patch is a 2x improvement on splay-latency with the default parameters and concurrent GC
2003         enabled. Prior to this change, the GC didn't have a good bound on its pause times, which
2004         would cause these problems. Concurrent GC is now 5.6x better on splay-latency than no
2005         concurrent GC.
2006
2007         * heap/Heap.cpp:
2008         (JSC::Heap::ResumeTheWorldScope::ResumeTheWorldScope):
2009         (JSC::Heap::markToFixpoint):
2010         (JSC::Heap::collectInThread):
2011         * runtime/Options.h:
2012
2013 2016-11-15  Yusuke Suzuki  <utatane.tea@gmail.com>
2014
2015         Unreviewed, build fix for CLoop after r208738
2016         https://bugs.webkit.org/show_bug.cgi?id=164727
2017
2018         * jsc.cpp:
2019         (WTF::DOMJITFunctionObject::unsafeFunction):
2020         (WTF::DOMJITFunctionObject::finishCreation):
2021
2022 2016-11-15  Mark Lam  <mark.lam@apple.com>
2023
2024         The jsc shell's setImpureGetterDelegate() should ensure that the set value is an ImpureGetter.
2025         https://bugs.webkit.org/show_bug.cgi?id=164781
2026         <rdar://problem/28418590>
2027
2028         Reviewed by Geoffrey Garen and Michael Saboff.
2029
2030         * jsc.cpp:
2031         (functionSetImpureGetterDelegate):
2032
2033 2016-11-15  Yusuke Suzuki  <utatane.tea@gmail.com>
2034
2035         [DOMJIT] Allow using macro assembler scratches in FTL CheckDOM
2036         https://bugs.webkit.org/show_bug.cgi?id=164727
2037
2038         Reviewed by Filip Pizlo.
2039
2040         While CallDOMGetter can use macro assembler scratch registers, we previously
2041         assumed that CheckDOM code generator does not use macro assembler scratch registers.
2042         It is currently true in x86 environment. But it is not true in the other environments.
2043
2044         We should not limit DOMJIT::Patchpoint's functionality in such a way. We should allow
2045         arbitrary macro assembler operations inside the DOMJIT::Patchpoint. This patch allows
2046         CheckDOM to use macro assembler scratch registers.
2047
2048         * ftl/FTLLowerDFGToB3.cpp:
2049         (JSC::FTL::DFG::LowerDFGToB3::compileCheckDOM):
2050         * jsc.cpp:
2051         (WTF::DOMJITFunctionObject::DOMJITFunctionObject):
2052         (WTF::DOMJITFunctionObject::createStructure):
2053         (WTF::DOMJITFunctionObject::create):
2054         (WTF::DOMJITFunctionObject::unsafeFunction):
2055         (WTF::DOMJITFunctionObject::safeFunction):
2056         (WTF::DOMJITFunctionObject::checkDOMJITNode):
2057         (WTF::DOMJITFunctionObject::finishCreation):
2058         (GlobalObject::finishCreation):
2059         (functionCreateDOMJITFunctionObject):
2060
2061 2016-11-14  Geoffrey Garen  <ggaren@apple.com>
2062
2063         CodeCache should stop pretending to cache builtins
2064         https://bugs.webkit.org/show_bug.cgi?id=164750
2065
2066         Reviewed by Saam Barati.
2067
2068         We were passing JSParserBuiltinMode to all CodeCache functions, but the
2069         passed-in value was always NotBuiltin.
2070
2071         Let's stop passing it.
2072
2073         * parser/SourceCodeKey.h:
2074         (JSC::SourceCodeFlags::SourceCodeFlags):
2075         (JSC::SourceCodeKey::SourceCodeKey):
2076         * runtime/CodeCache.cpp:
2077         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
2078         (JSC::CodeCache::getUnlinkedProgramCodeBlock):
2079         (JSC::CodeCache::getUnlinkedGlobalEvalCodeBlock):
2080         (JSC::CodeCache::getUnlinkedModuleProgramCodeBlock):
2081         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
2082         * runtime/CodeCache.h:
2083         (JSC::generateUnlinkedCodeBlock):
2084         * runtime/JSGlobalObject.cpp:
2085         (JSC::JSGlobalObject::createProgramCodeBlock):
2086         (JSC::JSGlobalObject::createLocalEvalCodeBlock):
2087         (JSC::JSGlobalObject::createGlobalEvalCodeBlock):
2088         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
2089
2090 2016-11-15  Filip Pizlo  <fpizlo@apple.com>
2091
2092         REGRESSION (r208711-r208722): ASSERTION FAILED: hasInlineStorage()
2093         https://bugs.webkit.org/show_bug.cgi?id=164775
2094
2095         Reviewed by Mark Lam and Keith Miller.
2096         
2097         We were calling inlineStorage() which asserts that inline storage is not empty. But we
2098         were calling it in a context where it could be empty and that's fine. So, we now call
2099         inlineStorageUnsafe().
2100
2101         * runtime/JSObject.h:
2102         (JSC::JSFinalObject::JSFinalObject):
2103
2104 2016-11-14  Csaba Osztrogonác  <ossy@webkit.org>
2105
2106         [ARM] Unreviewed buildfix after r208720.
2107
2108         * assembler/MacroAssemblerARM.h:
2109         (JSC::MacroAssemblerARM::storeFence): Stub function copied from MacroAssemblerARMv7.h.
2110
2111 2016-11-14  Caitlin Potter  <caitp@igalia.com>
2112
2113         [JSC] do not reference AwaitExpression Promises in async function Promise chain
2114         https://bugs.webkit.org/show_bug.cgi?id=164753
2115
2116         Reviewed by Yusuke Suzuki.
2117
2118         Previously, long-running async functions which contained many AwaitExpressions
2119         would allocate and retain references to intermediate Promise objects for each `await`,
2120         resulting in a memory leak.
2121
2122         To mitigate this leak, a reference to the original Promise (and its resolve and reject
2123         functions) associated with the async function are kept, and passed to each call to
2124         @asyncFunctionResume, while intermediate Promises are discarded. This is done by adding
2125         a new Register to the BytecodeGenerator to hold the PromiseCapability object associated
2126         with an async function wrapper. The capability is used to reject the Promise if an
2127         exception is thrown during parameter initialization, and is used to store the resulting
2128         value once the async function has terminated.
2129
2130         * builtins/AsyncFunctionPrototype.js:
2131         (globalPrivate.asyncFunctionResume):
2132         * bytecompiler/BytecodeGenerator.cpp:
2133         (JSC::BytecodeGenerator::BytecodeGenerator):
2134         * bytecompiler/BytecodeGenerator.h:
2135         (JSC::BytecodeGenerator::promiseCapabilityRegister):
2136         * bytecompiler/NodesCodegen.cpp:
2137         (JSC::FunctionNode::emitBytecode):
2138
2139 2016-11-14  Joseph Pecoraro  <pecoraro@apple.com>
2140
2141         Web Inspector: Worker debugging should pause all targets and view call frames in all targets
2142         https://bugs.webkit.org/show_bug.cgi?id=164305
2143         <rdar://problem/29056192>
2144
2145         Reviewed by Timothy Hatcher.
2146
2147         * inspector/InjectedScriptSource.js:
2148         (InjectedScript.prototype._propertyDescriptors):
2149         Accessing __proto__ does a ToThis(...) conversion on the receiver.
2150         In the case of GlobalObjects (such as WorkerGlobalScope when paused)
2151         this would return undefined and throw an exception. We can use
2152         Object.getPrototypeOf to avoid that conversion and possible error.
2153
2154         * inspector/protocol/Debugger.json:
2155         Provide a new way to effectively `resume` + `pause` immediately.
2156         This must be implemented on the backend to correctly synchronize
2157         the resuming and pausing.
2158
2159         * inspector/agents/InspectorDebuggerAgent.h:
2160         * inspector/agents/InspectorDebuggerAgent.cpp:
2161         (Inspector::InspectorDebuggerAgent::continueUntilNextRunLoop):
2162         Treat this as `resume` and `pause`. Resume now, and trigger
2163         a pause if the VM becomes idle and we didn't pause before then
2164         (such as hitting a breakpoint after we resumed).
2165
2166         (Inspector::InspectorDebuggerAgent::pause):
2167         (Inspector::InspectorDebuggerAgent::resume):
2168         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
2169         (Inspector::InspectorDebuggerAgent::cancelPauseOnNextStatement):
2170         Clean up and correct pause on next statement logic.
2171
2172         (Inspector::InspectorDebuggerAgent::registerIdleHandler):
2173         (Inspector::InspectorDebuggerAgent::willStepAndMayBecomeIdle):
2174         (Inspector::InspectorDebuggerAgent::didBecomeIdle):
2175         (Inspector::InspectorDebuggerAgent::didBecomeIdleAfterStepping): Deleted.
2176         The idle handler may now also trigger a pause in the case
2177         where continueUntilNextRunLoop resumed and wants to pause.
2178
2179         (Inspector::InspectorDebuggerAgent::didPause):
2180         Eliminate the useless didPause. The DOMDebugger was keeping track
2181         of its own state that was worse than the state in DebuggerAgent.
2182
2183 2016-11-14  Filip Pizlo  <fpizlo@apple.com>
2184
2185         Unreviewed, fix cloop.
2186
2187         * runtime/JSCellInlines.h:
2188
2189 2016-11-14  Filip Pizlo  <fpizlo@apple.com>
2190
2191         The GC should be optionally concurrent and disabled by default
2192         https://bugs.webkit.org/show_bug.cgi?id=164454
2193
2194         Reviewed by Geoffrey Garen.
2195         
2196         This started out as a patch to have the GC scan the stack at the end, and then the
2197         outage happened and I decided to pick a more aggressive target: give the GC a concurrent
2198         mode that can be enabled at runtime, and whose only effect is that it turns on the
2199         ResumeTheWorldScope. This gives our GC a really intuitive workflow: by default, the GC
2200         thread is running solo with the world stopped and the parallel markers converged and
2201         waiting. We have a parallel work scope to enable the parallel markers and now we have a
2202         ResumeTheWorldScope that will optionally resume the world and then stop it again.
2203         
2204         It's easy to make a concurrent GC that always instantly crashes. I can't promise that
2205         this one won't do that when you run it. I set a specific goal: I wanted to do >10
2206         concurrent GCs in debug mode with generations, optimizing JITs, and parallel marking
2207         disabled.
2208         
2209         To reach this milestone, I needed to do a bunch of stuff:
2210         
2211         - The mutator needs a separate mark stack for the barrier, since it will mutate this
2212           stack concurrently to the collector's slot visitors.
2213         
2214         - The use of CellState to indicate whether an object is being scanned the first time or
2215           a subsequent time was racy. It fails spectacularly when a barrier is fired at the same
2216           time as visitChildren is running or if the barrier runs at the same time as the GC
2217           marks the same object. So, I split SlotVisitor's mark stacks. It's now the case that
2218           you know why you're being scanned by looking at which stack you came off of.
2219         
2220         - All of root marking must be in the collector fixpoint. I renamed markRoots to
2221           markToFixpoint. They say concurrency is hard, but the collector looks more intuitive
2222           this way. We never gained anything from forcing people to make a choice between
2223           scanning something in the fixpoint versus outside of it. Because root scanning is
2224           cheap, we can afford to do it repeatedly, which means all root scanning can now do
2225           constraint-based marking (like: I'll mark you if that thing is marked).
2226         
2227         - JSObject::visitChildren's scanning of the butterfly raced with property additions,
2228           indexed storage transitions and resizing, and a bunch of miscellaneous dirty butterfly
2229           reshaping functions - like the one that flattens a dictionary and some sneaky
2230           ArrayStorage transformations. Many of these can be fixed by using store-store fences
2231           in the mutator and load-load fences in the collector. I've adopted the rule that the
2232           collector must always see either a butterfly and structure that match or a newer
2233           butterfly with an older structure, where their age is just one transition apart. This
2234           can be achieved with fences. For the cases where it breaks down, I added a lock to
2235           every JSCell. This is a full-fledged WTF lock that we sneak into two available bits in
2236           the indexingType. See the WTF ChangeLog for details.
2237           
2238           The mutator fencing rules are as follows:
2239           
2240           - Store-store fence before and after setting the butterfly.
2241           - Store-store fence before setting structure if you had changed the shape of the
2242             butterfly.
2243           - Store-store fence after initializing all fields in an allocation.
2244         
2245         - A dictionary Structure can change in strange ways while the GC is trying to scan it.
2246           So, JSObject::visitChildren will now grab the object's structure's lock if the
2247           object's structure is a dictionary. Dictionary structures are 1:1 with their object,
2248           so this does not reduce GC parallelism (super unlikely that the GC will simultaneously
2249           scan an object from two threads).
2250         
2251         - The GC can blow away a Structure's property table at any time. As a small consolation,
2252           it's now holding the Structure's lock when it does so. But there was tons of code in
2253           Structure that uses DeferGC to prevent the GC from blowing away the property table.
2254           This doesn't work with concurrent GC, since DeferGC only means that the GC won't run
2255           its safepoint (i.e. stop-the-world code) in the DeferGC region. It will still do
2256           marking and it was the Structure::visitChildren that would delete the table. It turns
2257           out that Structure's reliance on the property table not being deleted was the product
2258           of code rot. We already had functions that would materialize the table on demand. We
2259           were simply making the mistake of saying:
2260           
2261               structure->materializePropertyMap();
2262               ...
2263               structure->propertyTable()->things
2264           
2265           Instead of saying:
2266           
2267               PropertyTable* table = structure->ensurePropertyTable();
2268               ...
2269               table->things
2270           
2271           Switching the code to use the latter idiom allowed me to simplify the code a lot while
2272           fixing the race.
2273         
2274         - The LLInt's get_by_val handling was broken because the indexing shape constants were
2275           wrong. Once I started putting more things into the IndexingType, that started causing
2276           crashes for me. So I fixed LLInt. That turned out to be a lot of work, since that code
2277           had rotted in subtle ways.
2278         
2279         This is a speed-up in SunSpider, probably because of the LLInt fix. This is neutral on
2280         Octane and Kraken. It's a smaller slow-down on LongSpider, but I think we can ignore
2281         that (we don't view LongSpider as an official benchmark). By default, the concurrent GC
2282         is disabled: in all of the places where it would have resumed the world to run marking
2283         concurrently to the mutator, it will just skip the resume step. When you enable
2284         concurrent GC (--useConcurrentGC=true), it can sometimes run Octane/splay to completion.
2285         It seems to perform quite well: on my machine, it improves both splay-throughput and
2286         splay-latency. It's probably unstable for other programs.
2287
2288         * API/JSVirtualMachine.mm:
2289         (-[JSVirtualMachine isOldExternalObject:]):
2290         * assembler/MacroAssemblerARMv7.h:
2291         (JSC::MacroAssemblerARMv7::storeFence):
2292         * bytecode/InlineAccess.cpp:
2293         (JSC::InlineAccess::dumpCacheSizesAndCrash):
2294         (JSC::InlineAccess::generateSelfPropertyAccess):
2295         (JSC::InlineAccess::generateArrayLength):
2296         * bytecode/ObjectAllocationProfile.h:
2297         (JSC::ObjectAllocationProfile::offsetOfInlineCapacity):
2298         (JSC::ObjectAllocationProfile::ObjectAllocationProfile):
2299         (JSC::ObjectAllocationProfile::initialize):
2300         (JSC::ObjectAllocationProfile::inlineCapacity):
2301         (JSC::ObjectAllocationProfile::clear):
2302         * bytecode/PolymorphicAccess.cpp:
2303         (JSC::AccessCase::generateWithGuard):
2304         (JSC::AccessCase::generateImpl):
2305         * dfg/DFGArrayifySlowPathGenerator.h:
2306         * dfg/DFGClobberize.h:
2307         (JSC::DFG::clobberize):
2308         * dfg/DFGOSRExitCompiler32_64.cpp:
2309         (JSC::DFG::OSRExitCompiler::compileExit):
2310         * dfg/DFGOSRExitCompiler64.cpp:
2311         (JSC::DFG::OSRExitCompiler::compileExit):
2312         * dfg/DFGOperations.cpp:
2313         * dfg/DFGPlan.cpp:
2314         (JSC::DFG::Plan::markCodeBlocks):
2315         (JSC::DFG::Plan::rememberCodeBlocks):
2316         * dfg/DFGPlan.h:
2317         * dfg/DFGSpeculativeJIT.cpp:
2318         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2319         (JSC::DFG::SpeculativeJIT::checkArray):
2320         (JSC::DFG::SpeculativeJIT::arrayify):
2321         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2322         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
2323         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
2324         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
2325         (JSC::DFG::SpeculativeJIT::compileSpread):
2326         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2327         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2328         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
2329         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
2330         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
2331         * dfg/DFGSpeculativeJIT64.cpp:
2332         (JSC::DFG::SpeculativeJIT::compile):
2333         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2334         * dfg/DFGTierUpCheckInjectionPhase.cpp:
2335         (JSC::DFG::TierUpCheckInjectionPhase::run):
2336         * dfg/DFGWorklist.cpp:
2337         (JSC::DFG::Worklist::markCodeBlocks):
2338         (JSC::DFG::Worklist::rememberCodeBlocks):
2339         (JSC::DFG::markCodeBlocks):
2340         (JSC::DFG::completeAllPlansForVM):
2341         (JSC::DFG::rememberCodeBlocks):
2342         * dfg/DFGWorklist.h:
2343         * ftl/FTLAbstractHeapRepository.cpp:
2344         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
2345         (JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions):
2346         * ftl/FTLAbstractHeapRepository.h:
2347         * ftl/FTLJITCode.cpp:
2348         (JSC::FTL::JITCode::~JITCode):
2349         * ftl/FTLLowerDFGToB3.cpp:
2350         (JSC::FTL::DFG::LowerDFGToB3::compilePutStructure):
2351         (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
2352         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
2353         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
2354         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
2355         (JSC::FTL::DFG::LowerDFGToB3::compileNewObject):
2356         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
2357         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
2358         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
2359         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
2360         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
2361         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
2362         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2363         (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
2364         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2365         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
2366         (JSC::FTL::DFG::LowerDFGToB3::splatWords):
2367         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
2368         (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
2369         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2370         (JSC::FTL::DFG::LowerDFGToB3::isArrayType):
2371         (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
2372         (JSC::FTL::DFG::LowerDFGToB3::mutatorFence):
2373         (JSC::FTL::DFG::LowerDFGToB3::setButterfly):
2374         * ftl/FTLOSRExitCompiler.cpp:
2375         (JSC::FTL::compileStub):
2376         * ftl/FTLOutput.cpp:
2377         (JSC::FTL::Output::signExt32ToPtr):
2378         (JSC::FTL::Output::fence):
2379         * ftl/FTLOutput.h:
2380         * heap/CellState.h:
2381         * heap/GCSegmentedArray.h:
2382         * heap/Heap.cpp:
2383         (JSC::Heap::ResumeTheWorldScope::ResumeTheWorldScope):
2384         (JSC::Heap::ResumeTheWorldScope::~ResumeTheWorldScope):
2385         (JSC::Heap::Heap):
2386         (JSC::Heap::~Heap):
2387         (JSC::Heap::harvestWeakReferences):
2388         (JSC::Heap::finalizeUnconditionalFinalizers):
2389         (JSC::Heap::completeAllJITPlans):
2390         (JSC::Heap::markToFixpoint):
2391         (JSC::Heap::gatherStackRoots):
2392         (JSC::Heap::beginMarking):
2393         (JSC::Heap::visitConservativeRoots):
2394         (JSC::Heap::visitCompilerWorklistWeakReferences):
2395         (JSC::Heap::updateObjectCounts):
2396         (JSC::Heap::endMarking):
2397         (JSC::Heap::addToRememberedSet):
2398         (JSC::Heap::collectInThread):
2399         (JSC::Heap::stopTheWorld):
2400         (JSC::Heap::resumeTheWorld):
2401         (JSC::Heap::setGCDidJIT):
2402         (JSC::Heap::setNeedFinalize):
2403         (JSC::Heap::setMutatorWaiting):
2404         (JSC::Heap::clearMutatorWaiting):
2405         (JSC::Heap::finalize):
2406         (JSC::Heap::flushWriteBarrierBuffer):
2407         (JSC::Heap::writeBarrierSlowPath):
2408         (JSC::Heap::canCollect):
2409         (JSC::Heap::reportExtraMemoryVisited):
2410         (JSC::Heap::reportExternalMemoryVisited):
2411         (JSC::Heap::notifyIsSafeToCollect):
2412         (JSC::Heap::markRoots): Deleted.
2413         (JSC::Heap::visitExternalRememberedSet): Deleted.
2414         (JSC::Heap::visitSmallStrings): Deleted.
2415         (JSC::Heap::visitProtectedObjects): Deleted.
2416         (JSC::Heap::visitArgumentBuffers): Deleted.
2417         (JSC::Heap::visitException): Deleted.
2418         (JSC::Heap::visitStrongHandles): Deleted.
2419         (JSC::Heap::visitHandleStack): Deleted.
2420         (JSC::Heap::visitSamplingProfiler): Deleted.
2421         (JSC::Heap::visitTypeProfiler): Deleted.
2422         (JSC::Heap::visitShadowChicken): Deleted.
2423         (JSC::Heap::traceCodeBlocksAndJITStubRoutines): Deleted.
2424         (JSC::Heap::visitWeakHandles): Deleted.
2425         (JSC::Heap::flushOldStructureIDTables): Deleted.
2426         (JSC::Heap::stopAllocation): Deleted.
2427         * heap/Heap.h:
2428         (JSC::Heap::collectorSlotVisitor):
2429         (JSC::Heap::mutatorMarkStack):
2430         (JSC::Heap::mutatorShouldBeFenced):
2431         (JSC::Heap::addressOfMutatorShouldBeFenced):
2432         (JSC::Heap::slotVisitor): Deleted.
2433         (JSC::Heap::notifyIsSafeToCollect): Deleted.
2434         (JSC::Heap::barrierShouldBeFenced): Deleted.
2435         (JSC::Heap::addressOfBarrierShouldBeFenced): Deleted.
2436         * heap/MarkStack.cpp:
2437         (JSC::MarkStackArray::transferTo):
2438         * heap/MarkStack.h:
2439         * heap/MarkedAllocator.cpp:
2440         (JSC::MarkedAllocator::tryAllocateIn):
2441         * heap/MarkedBlock.cpp:
2442         (JSC::MarkedBlock::MarkedBlock):
2443         (JSC::MarkedBlock::Handle::specializedSweep):
2444         (JSC::MarkedBlock::Handle::sweep):
2445         (JSC::MarkedBlock::Handle::sweepHelperSelectMarksMode):
2446         (JSC::MarkedBlock::Handle::stopAllocating):
2447         (JSC::MarkedBlock::Handle::resumeAllocating):
2448         (JSC::MarkedBlock::aboutToMarkSlow):
2449         (JSC::MarkedBlock::Handle::didConsumeFreeList):
2450         (JSC::SetNewlyAllocatedFunctor::SetNewlyAllocatedFunctor): Deleted.
2451         (JSC::SetNewlyAllocatedFunctor::operator()): Deleted.
2452         * heap/MarkedBlock.h:
2453         * heap/MarkedSpace.cpp:
2454         (JSC::MarkedSpace::resumeAllocating):
2455         * heap/SlotVisitor.cpp:
2456         (JSC::SlotVisitor::SlotVisitor):
2457         (JSC::SlotVisitor::~SlotVisitor):
2458         (JSC::SlotVisitor::reset):
2459         (JSC::SlotVisitor::clearMarkStacks):
2460         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
2461         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
2462         (JSC::SlotVisitor::appendToMarkStack):
2463         (JSC::SlotVisitor::appendToMutatorMarkStack):
2464         (JSC::SlotVisitor::visitChildren):
2465         (JSC::SlotVisitor::donateKnownParallel):
2466         (JSC::SlotVisitor::drain):
2467         (JSC::SlotVisitor::drainFromShared):
2468         (JSC::SlotVisitor::containsOpaqueRoot):
2469         (JSC::SlotVisitor::donateAndDrain):
2470         (JSC::SlotVisitor::mergeOpaqueRoots):
2471         (JSC::SlotVisitor::dump):
2472         (JSC::SlotVisitor::clearMarkStack): Deleted.
2473         (JSC::SlotVisitor::opaqueRootCount): Deleted.
2474         * heap/SlotVisitor.h:
2475         (JSC::SlotVisitor::collectorMarkStack):
2476         (JSC::SlotVisitor::mutatorMarkStack):
2477         (JSC::SlotVisitor::isEmpty):
2478         (JSC::SlotVisitor::bytesVisited):
2479         (JSC::SlotVisitor::markStack): Deleted.
2480         (JSC::SlotVisitor::bytesCopied): Deleted.
2481         * heap/SlotVisitorInlines.h:
2482         (JSC::SlotVisitor::reportExtraMemoryVisited):
2483         (JSC::SlotVisitor::reportExternalMemoryVisited):
2484         * jit/AssemblyHelpers.cpp:
2485         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
2486         * jit/AssemblyHelpers.h:
2487         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
2488         (JSC::AssemblyHelpers::barrierStoreLoadFence):
2489         (JSC::AssemblyHelpers::mutatorFence):
2490         (JSC::AssemblyHelpers::storeButterfly):
2491         (JSC::AssemblyHelpers::jumpIfMutatorFenceNotNeeded):
2492         (JSC::AssemblyHelpers::emitInitializeInlineStorage):
2493         (JSC::AssemblyHelpers::emitInitializeOutOfLineStorage):
2494         (JSC::AssemblyHelpers::jumpIfBarrierStoreLoadFenceNotNeeded): Deleted.
2495         * jit/JITInlines.h:
2496         (JSC::JIT::emitArrayProfilingSiteWithCell):
2497         * jit/JITOperations.cpp:
2498         * jit/JITPropertyAccess.cpp:
2499         (JSC::JIT::emit_op_put_to_scope):
2500         (JSC::JIT::emit_op_put_to_arguments):
2501         * llint/LLIntData.cpp:
2502         (JSC::LLInt::Data::performAssertions):
2503         * llint/LowLevelInterpreter.asm:
2504         * llint/LowLevelInterpreter64.asm:
2505         * runtime/ButterflyInlines.h:
2506         (JSC::Butterfly::create):
2507         (JSC::Butterfly::createOrGrowPropertyStorage):
2508         * runtime/ConcurrentJITLock.h:
2509         (JSC::GCSafeConcurrentJITLocker::NoDefer::NoDefer): Deleted.
2510         * runtime/GenericArgumentsInlines.h:
2511         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
2512         (JSC::GenericArguments<Type>::putByIndex):
2513         * runtime/IndexingType.h:
2514         * runtime/JSArray.cpp:
2515         (JSC::JSArray::unshiftCountSlowCase):
2516         (JSC::JSArray::unshiftCountWithArrayStorage):
2517         * runtime/JSCell.h:
2518         (JSC::JSCell::InternalLocker::InternalLocker):
2519         (JSC::JSCell::InternalLocker::~InternalLocker):
2520         (JSC::JSCell::atomicCompareExchangeCellStateWeakRelaxed):
2521         (JSC::JSCell::atomicCompareExchangeCellStateStrong):
2522         (JSC::JSCell::indexingTypeAndMiscOffset):
2523         (JSC::JSCell::indexingTypeOffset): Deleted.
2524         * runtime/JSCellInlines.h:
2525         (JSC::JSCell::JSCell):
2526         (JSC::JSCell::finishCreation):
2527         (JSC::JSCell::indexingTypeAndMisc):
2528         (JSC::JSCell::indexingType):
2529         (JSC::JSCell::setStructure):
2530         (JSC::JSCell::callDestructor):
2531         (JSC::JSCell::lockInternalLock):
2532         (JSC::JSCell::unlockInternalLock):
2533         * runtime/JSObject.cpp:
2534         (JSC::JSObject::visitButterfly):
2535         (JSC::JSObject::visitChildren):
2536         (JSC::JSFinalObject::visitChildren):
2537         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
2538         (JSC::JSObject::createInitialUndecided):
2539         (JSC::JSObject::createInitialInt32):
2540         (JSC::JSObject::createInitialDouble):
2541         (JSC::JSObject::createInitialContiguous):
2542         (JSC::JSObject::createArrayStorage):
2543         (JSC::JSObject::convertUndecidedToArrayStorage):
2544         (JSC::JSObject::convertInt32ToArrayStorage):
2545         (JSC::JSObject::convertDoubleToArrayStorage):
2546         (JSC::JSObject::convertContiguousToArrayStorage):
2547         (JSC::JSObject::deleteProperty):
2548         (JSC::JSObject::defineOwnIndexedProperty):
2549         (JSC::JSObject::increaseVectorLength):
2550         (JSC::JSObject::ensureLengthSlow):
2551         (JSC::JSObject::reallocateAndShrinkButterfly):
2552         (JSC::JSObject::allocateMoreOutOfLineStorage):
2553         (JSC::JSObject::shiftButterflyAfterFlattening):
2554         (JSC::JSObject::growOutOfLineStorage): Deleted.
2555         * runtime/JSObject.h:
2556         (JSC::JSFinalObject::JSFinalObject):
2557         (JSC::JSObject::setButterfly):
2558         (JSC::JSObject::getOwnNonIndexPropertySlot):
2559         (JSC::JSObject::fillCustomGetterPropertySlot):
2560         (JSC::JSObject::getOwnPropertySlot):
2561         (JSC::JSObject::getPropertySlot):
2562         (JSC::JSObject::setStructureAndButterfly): Deleted.
2563         (JSC::JSObject::setButterflyWithoutChangingStructure): Deleted.
2564         (JSC::JSObject::putDirectInternal): Deleted.
2565         (JSC::JSObject::putDirectWithoutTransition): Deleted.
2566         * runtime/JSObjectInlines.h:
2567         (JSC::JSObject::getPropertySlot):
2568         (JSC::JSObject::getNonIndexPropertySlot):
2569         (JSC::JSObject::putDirectWithoutTransition):
2570         (JSC::JSObject::putDirectInternal):
2571         * runtime/Options.h:
2572         * runtime/SparseArrayValueMap.h:
2573         * runtime/Structure.cpp:
2574         (JSC::Structure::dumpStatistics):
2575         (JSC::Structure::findStructuresAndMapForMaterialization):
2576         (JSC::Structure::materializePropertyTable):
2577         (JSC::Structure::addNewPropertyTransition):
2578         (JSC::Structure::changePrototypeTransition):
2579         (JSC::Structure::attributeChangeTransition):
2580         (JSC::Structure::toDictionaryTransition):
2581         (JSC::Structure::takePropertyTableOrCloneIfPinned):
2582         (JSC::Structure::nonPropertyTransition):
2583         (JSC::Structure::isSealed):
2584         (JSC::Structure::isFrozen):
2585         (JSC::Structure::flattenDictionaryStructure):
2586         (JSC::Structure::pin):
2587         (JSC::Structure::pinForCaching):
2588         (JSC::Structure::willStoreValueSlow):
2589         (JSC::Structure::copyPropertyTableForPinning):
2590         (JSC::Structure::add):
2591         (JSC::Structure::remove):
2592         (JSC::Structure::getPropertyNamesFromStructure):
2593         (JSC::Structure::visitChildren):
2594         (JSC::Structure::materializePropertyMap): Deleted.
2595         (JSC::Structure::addPropertyWithoutTransition): Deleted.
2596         (JSC::Structure::removePropertyWithoutTransition): Deleted.
2597         (JSC::Structure::copyPropertyTable): Deleted.
2598         (JSC::Structure::createPropertyMap): Deleted.
2599         (JSC::PropertyTable::checkConsistency): Deleted.
2600         (JSC::Structure::checkConsistency): Deleted.
2601         * runtime/Structure.h:
2602         * runtime/StructureIDBlob.h:
2603         (JSC::StructureIDBlob::StructureIDBlob):
2604         (JSC::StructureIDBlob::indexingTypeIncludingHistory):
2605         (JSC::StructureIDBlob::setIndexingTypeIncludingHistory):
2606         (JSC::StructureIDBlob::indexingTypeIncludingHistoryOffset):
2607         (JSC::StructureIDBlob::indexingType): Deleted.
2608         (JSC::StructureIDBlob::setIndexingType): Deleted.
2609         (JSC::StructureIDBlob::indexingTypeOffset): Deleted.
2610         * runtime/StructureInlines.h:
2611         (JSC::Structure::get):
2612         (JSC::Structure::checkOffsetConsistency):
2613         (JSC::Structure::checkConsistency):
2614         (JSC::Structure::add):
2615         (JSC::Structure::remove):
2616         (JSC::Structure::addPropertyWithoutTransition):
2617         (JSC::Structure::removePropertyWithoutTransition):
2618         (JSC::Structure::setPropertyTable):
2619         (JSC::Structure::putWillGrowOutOfLineStorage): Deleted.
2620         (JSC::Structure::propertyTable): Deleted.
2621         (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Deleted.
2622
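The property-table idiom called out in the concurrent GC entry above (bug 164454) is illustrated here with an added example; it is not WebKit code. A hypothetical Structure stand-in holds a table that the collector thread may drop at any moment (what Structure::visitChildren does), and a std::shared_ptr plays the role that a conservatively scanned stack slot plays in JSC: the table stays alive as long as some reference to it exists. The "racy" function is the old materializePropertyMap()/propertyTable() pattern, the "safe" function is the ensurePropertyTable() pattern; a flag simulates the collector running between the two steps so the outcome is deterministic. All names here are assumptions for the demo.

```cpp
// Added example: why "materialize, then re-read the structure's pointer" is
// racy under a concurrent collector, and why holding the returned pointer is not.
#include <cstdio>
#include <memory>
#include <mutex>
#include <string>
#include <unordered_map>
#include <vector>

// Hypothetical stand-in for JSC's PropertyTable: property name -> slot offset.
struct PropertyTable {
    std::unordered_map<std::string, size_t> offsets;
};

// Hypothetical stand-in for JSC::Structure. The collector may clear the
// structure's own reference to the table at any time; the table itself lives
// as long as any reference to it exists (shared_ptr here stands in for
// conservative stack scanning keeping a live local pointer's target alive).
class Structure {
public:
    void addProperty(std::string name) { m_names.push_back(std::move(name)); }

    // Old idiom, step 1: build the table if the structure does not have one.
    void materializePropertyMap() {
        std::lock_guard<std::mutex> lock(m_lock);
        if (!m_table)
            m_table = build();
    }
    // Old idiom, step 2: re-read the structure's pointer. Null if the
    // collector cleared it between step 1 and step 2.
    PropertyTable* propertyTable() { return m_table.get(); }

    // New idiom: materialize and hand back an owning reference in one step.
    std::shared_ptr<PropertyTable> ensurePropertyTable() {
        std::lock_guard<std::mutex> lock(m_lock);
        if (!m_table)
            m_table = build();
        return m_table;
    }

    // What the collector thread may do to a Structure while the mutator
    // is between two of its own statements (it takes the structure's lock).
    void collectorClearPropertyTable() {
        std::lock_guard<std::mutex> lock(m_lock);
        m_table.reset();
    }

private:
    std::shared_ptr<PropertyTable> build() const {
        auto table = std::make_shared<PropertyTable>();
        for (size_t i = 0; i < m_names.size(); ++i)
            table->offsets[m_names[i]] = i;
        return table;
    }

    std::mutex m_lock;
    std::vector<std::string> m_names;
    std::shared_ptr<PropertyTable> m_table;
};

// Old idiom. Returns -1 where the real code would dereference null.
long lookupRacy(Structure& s, const std::string& name, bool gcRunsInBetween) {
    s.materializePropertyMap();
    if (gcRunsInBetween)
        s.collectorClearPropertyTable();
    PropertyTable* table = s.propertyTable();
    if (!table)
        return -1; // the crash the ChangeLog describes
    auto it = table->offsets.find(name);
    return it == table->offsets.end() ? -1 : static_cast<long>(it->second);
}

// New idiom: the local reference keeps the table alive no matter what the
// collector does to the structure's own pointer in the meantime.
long lookupSafe(Structure& s, const std::string& name, bool gcRunsInBetween) {
    std::shared_ptr<PropertyTable> table = s.ensurePropertyTable();
    if (gcRunsInBetween)
        s.collectorClearPropertyTable();
    auto it = table->offsets.find(name);
    return it == table->offsets.end() ? -1 : static_cast<long>(it->second);
}

// Constructed sample: a structure with properties "x" (offset 0) and "y" (offset 1);
// looks up "y" with the chosen idiom.
long demoLookup(bool useSafeIdiom, bool gcRunsInBetween) {
    Structure s;
    s.addProperty("x");
    s.addProperty("y");
    return useSafeIdiom ? lookupSafe(s, "y", gcRunsInBetween)
                        : lookupRacy(s, "y", gcRunsInBetween);
}

int main() {
    std::printf("old idiom, no collector activity:        %ld\n", demoLookup(false, false));
    std::printf("old idiom, collector ran in between:     %ld\n", demoLookup(false, true));
    std::printf("ensurePropertyTable, collector ran:      %ld\n", demoLookup(true, true));
    return 0;
}
```

The point the demo makes is the one the entry states: DeferGC cannot protect the old idiom, because marking (and therefore the table-clearing in visitChildren) proceeds while the mutator runs; only holding the returned pointer across the use removes the window.
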
2623 2016-11-14  Keith Miller  <keith_miller@apple.com>
2624
2625         Add Wasm select
2626         https://bugs.webkit.org/show_bug.cgi?id=164743
2627
2628         Reviewed by Saam Barati.
2629
2630         Also, this patch fixes an issue with the jsc.cpp test harness where negative numbers would be sign extended
2631         when they shouldn't be.
2632
2633         * jsc.cpp:
2634         (box):
2635         * wasm/WasmB3IRGenerator.cpp:
2636         * wasm/WasmFunctionParser.h:
2637         (JSC::Wasm::FunctionParser<Context>::parseExpression):
2638         * wasm/WasmValidate.cpp:
2639         (JSC::Wasm::Validate::addSelect):
2640
2641 2016-11-11  Geoffrey Garen  <ggaren@apple.com>
2642
2643         JSC should distinguish between local and global eval
2644         https://bugs.webkit.org/show_bug.cgi?id=164628
2645
2646         Reviewed by Saam Barati.
2647
2648         Local use of the 'eval' keyword and invocation of the global window.eval
2649         function are distinct operations in JavaScript.
2650
2651         This patch splits out LocalEvalExecutable vs GlobalEvalExecutable in
2652         order to help distinguish these operations in code.
2653
2654         Our code used to do some silly things for lack of distinguishing these
2655         cases. For example, it would double cache local eval in CodeCache and
2656         EvalCodeCache. This made CodeCache seem more complicated than it really
2657         was.
2658
2659         * CMakeLists.txt:
2660         * JavaScriptCore.xcodeproj/project.pbxproj: Added some files.
2661
2662         * bytecode/CodeBlock.h:
2663
2664         * bytecode/EvalCodeCache.h:
2665         (JSC::EvalCodeCache::tryGet):
2666         (JSC::EvalCodeCache::set):
2667         (JSC::EvalCodeCache::getSlow): Deleted. Moved code generation out of
2668         the cache to avoid tight coupling. Now the cache just caches.
2669
2670         * bytecode/UnlinkedEvalCodeBlock.h:
2671         * bytecode/UnlinkedFunctionExecutable.cpp:
2672         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
2673         * bytecode/UnlinkedModuleProgramCodeBlock.h:
2674         * bytecode/UnlinkedProgramCodeBlock.h:
2675         * debugger/DebuggerCallFrame.cpp:
2676         (JSC::DebuggerCallFrame::evaluateWithScopeExtension): Updated for interface
2677         changes.
2678
2679         * interpreter/Interpreter.cpp:
2680         (JSC::eval): Moved code generation here so the cache didn't need to build
2681         it in.
2682
2683         * llint/LLIntOffsetsExtractor.cpp:
2684
2685         * runtime/CodeCache.cpp:
2686         (JSC::CodeCache::getUnlinkedGlobalCodeBlock): No need to check for TDZ
2687         variables any more. We only cache global programs, and global variable
2688         access always does TDZ checks.
2689
2690         (JSC::CodeCache::getUnlinkedProgramCodeBlock):
2691         (JSC::CodeCache::getUnlinkedGlobalEvalCodeBlock):
2692         (JSC::CodeCache::getUnlinkedModuleProgramCodeBlock):
2693         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
2694
2695         (JSC::CodeCache::CodeCache): Deleted.
2696         (JSC::CodeCache::~CodeCache): Deleted.
2697         (JSC::CodeCache::getGlobalCodeBlock): Deleted.
2698         (JSC::CodeCache::getProgramCodeBlock): Deleted.
2699         (JSC::CodeCache::getEvalCodeBlock): Deleted.
2700         (JSC::CodeCache::getModuleProgramCodeBlock): Deleted.
2701         (JSC::CodeCache::getFunctionExecutableFromGlobalCode): Deleted.
2702
2703         * runtime/CodeCache.h:
2704         (JSC::CodeCache::clear):
2705         (JSC::generateUnlinkedCodeBlock): Moved unlinked code block creation
2706         out of the CodeCache class and into a stand-alone function because
2707         we need it for local eval, which does not live in CodeCache.
2708
2709         * runtime/EvalExecutable.cpp:
2710         (JSC::EvalExecutable::create): Deleted.
2711         * runtime/EvalExecutable.h:
2712         (): Deleted.
2713         * runtime/GlobalEvalExecutable.cpp: Added.
2714         (JSC::GlobalEvalExecutable::create):
2715         (JSC::GlobalEvalExecutable::GlobalEvalExecutable):
2716         * runtime/GlobalEvalExecutable.h: Added.
2717         * runtime/LocalEvalExecutable.cpp: Added.
2718         (JSC::LocalEvalExecutable::create):
2719         (JSC::LocalEvalExecutable::LocalEvalExecutable):
2720         * runtime/LocalEvalExecutable.h: Added. Split out Local vs Global
2721         EvalExecutable classes to distinguish these operations in code. The key
2722         difference is that LocalEvalExecutable does not live in the CodeCache
2723         and only lives in the EvalCodeCache.
2724
2725         * runtime/JSGlobalObject.cpp:
2726         (JSC::JSGlobalObject::createProgramCodeBlock):
2727         (JSC::JSGlobalObject::createLocalEvalCodeBlock):
2728         (JSC::JSGlobalObject::createGlobalEvalCodeBlock):
2729         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
2730         (JSC::JSGlobalObject::createEvalCodeBlock): Deleted.
2731         * runtime/JSGlobalObject.h:
2732         * runtime/JSGlobalObjectFunctions.cpp:
2733         (JSC::globalFuncEval):
2734
2735         * runtime/JSScope.cpp:
2736         (JSC::JSScope::collectClosureVariablesUnderTDZ):
2737         (JSC::JSScope::collectVariablesUnderTDZ): Deleted. We don't include
2738         global lexical variables in our concept of TDZ scopes anymore. Global
2739         variable access always does TDZ checks unconditionally. So, only closure
2740         scope accesses give specific consideration to TDZ checks.
2741
2742         * runtime/JSScope.h:
2743
2744 2016-11-14  Caitlin Potter  <caitp@igalia.com>
2745
2746         [JSC] Handle new_async_func / new_async_func_exp in DFG / FTL
2747         https://bugs.webkit.org/show_bug.cgi?id=164037
2748
2749         Reviewed by Yusuke Suzuki.
2750
2751         This patch introduces new_async_func / new_async_func_exp into DFG and FTL,
2752         in much the same capacity that https://trac.webkit.org/changeset/194216 added
2753         DFG / FTL support for generators: by adding new DFG nodes (NewAsyncFunction and
2754         PhantomNewAsyncFunction), rather than extending the existing NewFunction node type.
2755
2756         Like NewFunction and PhantomNewFunction, and the Generator variants, allocation of
2757         async wrapper functions may be deferred or eliminated during the allocation sinking
2758         phase.
2759
2760         * dfg/DFGAbstractInterpreterInlines.h:
2761         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2762         * dfg/DFGByteCodeParser.cpp:
2763         (JSC::DFG::ByteCodeParser::parseBlock):
2764         * dfg/DFGCapabilities.cpp:
2765         (JSC::DFG::capabilityLevel):
2766         * dfg/DFGClobberize.h:
2767         (JSC::DFG::clobberize):
2768         * dfg/DFGClobbersExitState.cpp:
2769         (JSC::DFG::clobbersExitState):
2770         * dfg/DFGDoesGC.cpp:
2771         (JSC::DFG::doesGC):
2772         * dfg/DFGFixupPhase.cpp:
2773         (JSC::DFG::FixupPhase::fixupNode):
2774         * dfg/DFGMayExit.cpp:
2775         * dfg/DFGNode.h:
2776         (JSC::DFG::Node::convertToPhantomNewFunction):
2777         (JSC::DFG::Node::convertToPhantomNewAsyncFunction):
2778         (JSC::DFG::Node::hasCellOperand):
2779         (JSC::DFG::Node::isFunctionAllocation):
2780         (JSC::DFG::Node::isPhantomFunctionAllocation):
2781         (JSC::DFG::Node::isPhantomAllocation):
2782         * dfg/DFGNodeType.h:
2783         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2784         * dfg/DFGPredictionPropagationPhase.cpp:
2785         * dfg/DFGSafeToExecute.h:
2786         (JSC::DFG::safeToExecute):
2787         * dfg/DFGSpeculativeJIT.cpp:
2788         (JSC::DFG::SpeculativeJIT::compileNewFunction):
2789         * dfg/DFGSpeculativeJIT32_64.cpp:
2790         (JSC::DFG::SpeculativeJIT::compile):
2791         * dfg/DFGSpeculativeJIT64.cpp:
2792         (JSC::DFG::SpeculativeJIT::compile):
2793         * dfg/DFGStoreBarrierInsertionPhase.cpp:
2794         * dfg/DFGStructureRegistrationPhase.cpp:
2795         (JSC::DFG::StructureRegistrationPhase::run):
2796         * dfg/DFGValidate.cpp:
2797         * ftl/FTLCapabilities.cpp:
2798         (JSC::FTL::canCompile):
2799         * ftl/FTLLowerDFGToB3.cpp:
2800         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2801         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
2802         * ftl/FTLOperations.cpp:
2803         (JSC::FTL::operationPopulateObjectInOSR):
2804         (JSC::FTL::operationMaterializeObjectInOSR):
2805         * runtime/JSGlobalObject.cpp:
2806         (JSC::JSGlobalObject::init):
2807         (JSC::JSGlobalObject::visitChildren):
2808         * runtime/JSGlobalObject.h:
2809         (JSC::JSGlobalObject::asyncFunctionPrototype):
2810         (JSC::JSGlobalObject::asyncFunctionStructure):
2811         (JSC::JSGlobalObject::lazyAsyncFunctionStructure): Deleted.
2812         (JSC::JSGlobalObject::asyncFunctionPrototypeConcurrently): Deleted.
2813         (JSC::JSGlobalObject::asyncFunctionStructureConcurrently): Deleted.
2814
2815 2016-11-14  Mark Lam  <mark.lam@apple.com>
2816
2817         Some of JSStringView::SafeView methods are not idiomatically safe for JSString to StringView conversions.
2818         https://bugs.webkit.org/show_bug.cgi?id=164701
2819         <rdar://problem/27462104>
2820
2821         Reviewed by Darin Adler.
2822
2823         The characters8(), characters16(), and operator[] in JSString::SafeView convert
2824         the underlying JSString to a StringView via get(), and then use the StringView
2825         without first checking if an exception was thrown during the conversion.  This is
2826         unsafe because the conversion may have failed.
2827
2828         Instead, we should remove these 3 convenience methods, and make the caller
2829         explicitly call get() and do the appropriate exception checks before using the
2830         StringView.
2831
2832         * runtime/JSGlobalObjectFunctions.cpp:
2833         (JSC::toStringView):
2834         (JSC::encode):
2835         (JSC::decode):
2836         (JSC::globalFuncParseInt):
2837         (JSC::globalFuncEscape):
2838         (JSC::globalFuncUnescape):
2839         (JSC::toSafeView): Deleted.
2840         * runtime/JSONObject.cpp:
2841         (JSC::JSONProtoFuncParse):
2842         * runtime/JSString.h:
2843         (JSC::JSString::SafeView::length):
2844         (JSC::JSString::SafeView::characters8): Deleted.
2845         (JSC::JSString::SafeView::characters16): Deleted.
2846         (JSC::JSString::SafeView::operator[]): Deleted.
2847         * runtime/StringPrototype.cpp:
2848         (JSC::stringProtoFuncRepeatCharacter):
2849         (JSC::stringProtoFuncCharAt):
2850         (JSC::stringProtoFuncCharCodeAt):
2851         (JSC::stringProtoFuncNormalize):
2852
2853 2016-11-14  Mark Lam  <mark.lam@apple.com>
2854
2855         RegExpObject::exec/match should handle errors gracefully.
2856         https://bugs.webkit.org/show_bug.cgi?id=155145
2857         <rdar://problem/27435934>
2858
2859         Reviewed by Keith Miller.
2860
2861         1. Added some missing exception checks to RegExpObject::execInline() and
2862            RegExpObject::matchInline().
2863         2. Updated related code to work with ExceptionScope verification requirements.
2864
2865         * dfg/DFGOperations.cpp:
2866         * runtime/RegExpObjectInlines.h:
2867         (JSC::RegExpObject::execInline):
2868         (JSC::RegExpObject::matchInline):
2869         * runtime/RegExpPrototype.cpp:
2870         (JSC::regExpProtoFuncTestFast):
2871         (JSC::regExpProtoFuncExec):
2872         (JSC::regExpProtoFuncMatchFast):
2873
2874 2016-11-13  Mark Lam  <mark.lam@apple.com>
2875
2876         Add debugging facility to limit the max single allocation size.
2877         https://bugs.webkit.org/show_bug.cgi?id=164681
2878
2879         Reviewed by Keith Miller.
2880
2881         Added JSC option to set FastMalloc's maxSingleAllocationSize for testing purposes.
2882         This option is only available on Debug builds.
2883
2884         * runtime/Options.cpp:
2885         (JSC::Options::isAvailable):
2886         (JSC::recomputeDependentOptions):
2887         * runtime/Options.h:
2888
2889 2016-11-12  Joseph Pecoraro  <pecoraro@apple.com>
2890
2891         Follow-up fix to r208639.
2892
2893         Unreviewed fix. This is a straightforward change where I forgot to
2894         switch from uncheckedArgument() to argument() in one case after
2895         dropping an argumentCount check. All other cases do this properly.
2896         This addresses an ASSERT seen on the bots running tests.
2897
2898         * runtime/JSDataViewPrototype.cpp:
2899         (JSC::setData):
2900
2901 2016-11-11  Joseph Pecoraro  <pecoraro@apple.com>
2902
2903         test262: DataView with explicit undefined byteLength should be the same as it not being present
2904         https://bugs.webkit.org/show_bug.cgi?id=164453
2905
2906         Reviewed by Darin Adler.
2907
2908         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2909         (JSC::constructGenericTypedArrayView):
2910         Handle the special case of DataView construction with an undefined byteLength value.
2911
2912 2016-11-11  Joseph Pecoraro  <pecoraro@apple.com>
2913
2914         test262: DataView get methods should allow for missing offset, set methods should allow for missing value
2915         https://bugs.webkit.org/show_bug.cgi?id=164451
2916
2917         Reviewed by Darin Adler.
2918
2919         * runtime/JSDataViewPrototype.cpp:
2920         (JSC::getData):
2921         Missing offset is still valid and will be coerced to 0.
2922
2923         (JSC::setData):
2924         Missing value is still valid and will be coerced to 0.
2925
2926 2016-11-11  Saam Barati  <sbarati@apple.com>
2927
2928         We should have a more concise way of determining when we're varargs calling a function using rest parameters
2929         https://bugs.webkit.org/show_bug.cgi?id=164258
2930
2931         Reviewed by Yusuke Suzuki.
2932
2933         This patch adds two new bytecodes and DFG nodes for the following code patterns:
2934
2935         ```
2936         foo(a, b, ...c)
2937         let x = [a, b, ...c];
2938         ```
2939
2940         To do this, I've introduced two new bytecode operations (and their
2941         corresponding DFG nodes):
2942
2943         op_spread and op_new_array_with_spread.
2944
2945         op_spread takes a single input and performs the ES6 iteration protocol on it.
2946         It returns the result of doing the spread inside a new class I've
2947         made called JSFixedArray. JSFixedArray is a cell with a single 'size'
2948         field and a buffer of values allocated inline in the cell. Abstracting
2949         the protocol into a single node is good because it will make IR analysis
2950         in the future much simpler. For now, it's also good because it allows
2951         us to create fast paths for array iteration (which is quite common).
2952         This fast path allows us to emit really good code for array iteration
2953         inside the DFG/FTL.
2954
2955         op_new_array_with_spread is a variable argument bytecode that also
2956         has a bit vector associated with it. The bit vector indicates if
2957         any particular argument is to be spread or not. Arguments that
2958         are spread are known to be JSFixedArray because we must emit an
2959         op_spread before op_new_array_with_spread consumes the value.
2960         For example, for this array:
2961         [a, b, ...c, d, ...e]
2962         we will have this bit vector:
2963         [0, 0, 1, 0, 1]
2964
2965         The reason I've chosen this IR is that it will make eliminating
2966         a rest allocation for this type of code much easier:
2967
2968         ```
2969         function foo(...args) {
2970             return bar(a, b, ...args);
2971         }
2972         ```
2973
2974         It will be easier to analyze the IR now that the operations
2975         will be described at a high level.
2976
2977         This patch is an ~8% speedup on ES6SampleBench on my MBP.
2978
2979         * CMakeLists.txt:
2980         * DerivedSources.make:
2981         * JavaScriptCore.xcodeproj/project.pbxproj:
2982         * builtins/IteratorHelpers.js: Added.
2983         (performIteration):
2984         * bytecode/BytecodeList.json:
2985         * bytecode/BytecodeUseDef.h:
2986         (JSC::computeUsesForBytecodeOffset):
2987         (JSC::computeDefsForBytecodeOffset):
2988         * bytecode/CodeBlock.cpp:
2989         (JSC::CodeBlock::dumpBytecode):
2990         * bytecode/ObjectPropertyConditionSet.cpp:
2991         (JSC::generateConditionForSelfEquivalence):
2992         * bytecode/ObjectPropertyConditionSet.h:
2993         * bytecode/TrackedReferences.cpp:
2994         (JSC::TrackedReferences::check):
2995         * bytecode/UnlinkedCodeBlock.h:
2996         (JSC::UnlinkedCodeBlock::bitVectors):
2997         (JSC::UnlinkedCodeBlock::bitVector):
2998         (JSC::UnlinkedCodeBlock::addBitVector):
2999         (JSC::UnlinkedCodeBlock::shrinkToFit):
3000         * bytecompiler/BytecodeGenerator.cpp:
3001         (JSC::BytecodeGenerator::emitNewArrayWithSpread):
3002         * bytecompiler/BytecodeGenerator.h:
3003         * bytecompiler/NodesCodegen.cpp:
3004         (JSC::ArrayNode::emitBytecode):
3005         * dfg/DFGAbstractInterpreterInlines.h:
3006         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3007         * dfg/DFGByteCodeParser.cpp:
3008         (JSC::DFG::ByteCodeParser::addToGraph):
3009         (JSC::DFG::ByteCodeParser::parseBlock):
3010         * dfg/DFGCapabilities.cpp:
3011         (JSC::DFG::capabilityLevel):
3012         * dfg/DFGClobberize.h:
3013         (JSC::DFG::clobberize):
3014         * dfg/DFGDoesGC.cpp:
3015         (JSC::DFG::doesGC):
3016         * dfg/DFGFixupPhase.cpp:
3017         (JSC::DFG::FixupPhase::fixupNode):
3018         (JSC::DFG::FixupPhase::watchHavingABadTime):
3019         * dfg/DFGGraph.h:
3020         (JSC::DFG::Graph::isWatchingArrayIteratorProtocolWatchpoint):
3021         * dfg/DFGNode.h:
3022         (JSC::DFG::Node::bitVector):
3023         * dfg/DFGNodeType.h:
3024         * dfg/DFGOperations.cpp:
3025         * dfg/DFGOperations.h:
3026         * dfg/DFGPredictionPropagationPhase.cpp:
3027         * dfg/DFGSafeToExecute.h:
3028         (JSC::DFG::safeToExecute):
3029         * dfg/DFGSpeculativeJIT.cpp:
3030         (JSC::DFG::SpeculativeJIT::compileSpread):
3031         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
3032         * dfg/DFGSpeculativeJIT.h:
3033         (JSC::DFG::SpeculativeJIT::callOperation):
3034         * dfg/DFGSpeculativeJIT32_64.cpp:
3035         (JSC::DFG::SpeculativeJIT::compile):
3036         * dfg/DFGSpeculativeJIT64.cpp:
3037         (JSC::DFG::SpeculativeJIT::compile):
3038         * dfg/DFGStructureRegistrationPhase.cpp:
3039         (JSC::DFG::StructureRegistrationPhase::run):
3040         * ftl/FTLAbstractHeapRepository.h:
3041         * ftl/FTLCapabilities.cpp:
3042         (JSC::FTL::canCompile):
3043         * ftl/FTLLowerDFGToB3.cpp:
3044         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3045         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
3046         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
3047         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
3048         * jit/AssemblyHelpers.h:
3049         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
3050         (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
3051         * jit/JIT.cpp:
3052         (JSC::JIT::privateCompileMainPass):
3053         * jit/JIT.h:
3054         * jit/JITOpcodes.cpp:
3055         (JSC::JIT::emit_op_new_array_with_spread):
3056         (JSC::JIT::emit_op_spread):
3057         * jit/JITOperations.h:
3058         * llint/LLIntData.cpp:
3059         (JSC::LLInt::Data::performAssertions):
3060         * llint/LLIntSlowPaths.cpp:
3061         * llint/LowLevelInterpreter.asm:
3062         * runtime/ArrayIteratorAdaptiveWatchpoint.cpp: Added.
3063         (JSC::ArrayIteratorAdaptiveWatchpoint::ArrayIteratorAdaptiveWatchpoint):
3064         (JSC::ArrayIteratorAdaptiveWatchpoint::handleFire):
3065         * runtime/ArrayIteratorAdaptiveWatchpoint.h: Added.
3066         * runtime/CommonSlowPaths.cpp:
3067         (JSC::SLOW_PATH_DECL):
3068         * runtime/CommonSlowPaths.h:
3069         * runtime/IteratorOperations.h:
3070         (JSC::forEachInIterable):
3071         * runtime/JSCInlines.h:
3072         * runtime/JSFixedArray.cpp: Added.
3073         (JSC::JSFixedArray::visitChildren):
3074         * runtime/JSFixedArray.h: Added.
3075         (JSC::JSFixedArray::createStructure):
3076         (JSC::JSFixedArray::createFromArray):
3077         (JSC::JSFixedArray::get):
3078         (JSC::JSFixedArray::buffer):
3079         (JSC::JSFixedArray::size):
3080         (JSC::JSFixedArray::offsetOfSize):
3081         (JSC::JSFixedArray::offsetOfData):
3082         (JSC::JSFixedArray::create):
3083         (JSC::JSFixedArray::JSFixedArray):
3084         (JSC::JSFixedArray::allocationSize):
3085         * runtime/JSGlobalObject.cpp:
3086         (JSC::JSGlobalObject::JSGlobalObject):
3087         (JSC::JSGlobalObject::init):
3088         (JSC::JSGlobalObject::visitChildren):
3089         (JSC::JSGlobalObject::objectPrototypeIsSane): Deleted.
3090         (JSC::JSGlobalObject::arrayPrototypeChainIsSane): Deleted.
3091         (JSC::JSGlobalObject::stringPrototypeChainIsSane): Deleted.
3092         * runtime/JSGlobalObject.h:
3093         (JSC::JSGlobalObject::arrayIteratorProtocolWatchpoint):
3094         (JSC::JSGlobalObject::iteratorProtocolFunction):
3095         * runtime/JSGlobalObjectInlines.h: Added.
3096         (JSC::JSGlobalObject::objectPrototypeIsSane):
3097         (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
3098         (JSC::JSGlobalObject::stringPrototypeChainIsSane):
3099         (JSC::JSGlobalObject::isArrayIteratorProtocolFastAndNonObservable):
3100         * runtime/JSType.h:
3101         * runtime/VM.cpp:
3102         (JSC::VM::VM):
3103         * runtime/VM.h:
3104
3105 2016-11-11  Keith Miller  <keith_miller@apple.com>
3106
3107         Move Wasm tests to JS
3108         https://bugs.webkit.org/show_bug.cgi?id=164611
3109
3110         Reviewed by Geoffrey Garen.
3111
3112         This patch translates most of the tests from testWasm.cpp to the JS testing api. Most of the
3113         omitted tests were the earliest tests, which tested trivial things, like adding two
3114         constants. Some tests are omitted for other reasons, however. These are:
3115
3116         1) Tests using I64 since the testing api does not yet know how to handle 64-bit numbers.
3117         2) Tests that would validate the memory of the module once wasm was done with it since
3118         that's not really possible in JS.
3119
3120         In order to make such a translation easier this patch also adds some features to the JS
3121         testing api:
3122
3123         1) Blocks can now be done lexically by adding a lambda as the last argument of the block
3124         opcode. For example one can do:
3125             ...
3126             .Block("i32", b => b.I32Const(1) )
3127
3128         and the nested lambda will automatically have an end attached.
3129
3130         2) The JS testing api can now handle inline signature types.
3131
3132         3) Relocate some code to make it easier to follow and prevent 44 space indentation.
3133
3134         4) Rename varuint/varint to varuint32/varint32; this lets them be directly called from the
3135         wasm.json without being remapped.
3136
3137         5) Add support for Memory and Function sections to the Builder.
3138
3139         6) Add support for local variables.
3140
3141         On the JSC side, we needed to expose a new function to validate the compiled wasm code
3142         behaves the way we expect. At least until the JS Wasm API is finished. The new validation
3143         function, testWasmModuleFunctions, takes an array buffer containing the wasm binary, the
3144         number of functions in the blob and tests for each of those functions.
3145
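The lexical-block convention described in item 1 above, as an added example that is not the project's Builder or testing api: a constructed opcode recorder whose Block() attaches the matching end itself when given a trailing lambda, while the explicit form still requires End(), and whose finish() rejects unbalanced blocks. The class, method names and the textual opcode encoding are assumptions made for this illustration.

```javascript
// Added example (not JavaScriptCore's Builder): a minimal opcode recorder that
// models the "lexical block" convention from the entry above. Names and the
// string encoding of opcodes are hypothetical.
class BlockBuilder {
  constructor() {
    this.ops = [];   // recorded opcodes, in emission order
    this.open = 0;   // blocks opened but not yet ended
  }

  I32Const(value) {
    // i32.const accepts the signed or unsigned 32-bit range in the text format.
    if (!Number.isInteger(value) || value < -2147483648 || value > 4294967295)
      throw new RangeError(`i32.const out of range: ${value}`);
    this.ops.push(`i32.const ${value}`);
    return this;
  }

  // With a trailing lambda the block is lexical: the body runs against this
  // builder and the matching `end` is attached automatically. Without one the
  // caller is responsible for calling End() itself.
  Block(type, body) {
    this.ops.push(`block ${type}`);
    this.open++;
    if (typeof body === "function") {
      body(this);
      return this.End();
    }
    return this;
  }

  End() {
    if (this.open === 0) throw new Error("end without an open block");
    this.open--;
    this.ops.push("end");
    return this;
  }

  // Finalizing with an open block is a builder bug, so refuse rather than
  // emit a binary the module parser would have to reject later.
  finish() {
    if (this.open !== 0) throw new Error(`${this.open} block(s) left open`);
    return this.ops.slice();
  }
}

// The lexical form from the entry: .Block("i32", b => b.I32Const(1))
function lexicalForm() {
  return new BlockBuilder().Block("i32", b => b.I32Const(1)).finish();
}

// The equivalent explicit form: the caller emits End() itself.
function explicitForm() {
  return new BlockBuilder().Block("i32").I32Const(1).End().finish();
}

// Nested lambdas each get their own end, innermost first.
function nestedForm() {
  return new BlockBuilder()
    .Block("i32", b => b.Block("i32", inner => inner.I32Const(2)).I32Const(1))
    .finish();
}

// A block opened explicitly and never ended is caught at finish().
function unbalancedIsRejected() {
  try {
    new BlockBuilder().Block("i32").I32Const(1).finish();
    return false;
  } catch (e) {
    return e instanceof Error;
  }
}
```

Both forms produce the same opcode sequence; the lambda form simply makes block nesting visible in the test source and removes a class of "forgot the end" mistakes, which is the point of the change described above.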
3146         * jsc.cpp:
3147         (GlobalObject::finishCreation):
3148         (box):
3149         (callWasmFunction):
3150         (functionTestWasmModuleFunctions):
3151         * testWasm.cpp:
3152         (checkPlan):
3153         (runWasmTests):
3154         * wasm/WasmB3IRGenerator.cpp:
3155         (JSC::Wasm::parseAndCompile):
3156         * wasm/WasmFunctionParser.h:
3157         (JSC::Wasm::FunctionParser<Context>::parse):
3158         (JSC::Wasm::FunctionParser<Context>::parseBody):
3159         (JSC::Wasm::FunctionParser<Context>::parseBlock): Deleted.
3160         * wasm/WasmModuleParser.cpp:
3161         (JSC::Wasm::ModuleParser::parseMemory):
3162         (JSC::Wasm::ModuleParser::parseExport):
3163         * wasm/WasmPlan.cpp:
3164         (JSC::Wasm::Plan::Plan):
3165         (JSC::Wasm::Plan::run):
3166         * wasm/WasmPlan.h:
3167         * wasm/js/WebAssemblyModuleConstructor.cpp:
3168         (JSC::constructJSWebAssemblyModule):
3169
3170 2016-11-11  Saam Barati  <sbarati@apple.com>
3171
3172         Unreviewed try to fix Windows build after https://bugs.webkit.org/show_bug.cgi?id=164650
3173
3174         * dfg/DFGByteCodeParser.cpp:
3175         (JSC::DFG::ByteCodeParser::parseBlock):
3176
3177 2016-11-11  Saam Barati  <sbarati@apple.com>
3178
3179         We recursively grab a lock in the DFGBytecodeParser causing us to deadlock
3180         https://bugs.webkit.org/show_bug.cgi?id=164650
3181
3182         Reviewed by Geoffrey Garen.
3183
3184         Some code was incorrectly holding a lock when recursively calling
3185         back into the bytecode parser via inlining a put_by_val as a put_by_id.
3186         This can cause a deadlock if the inlinee CodeBlock is something we're
3187         already holding a lock for. I've changed the range of the lock holder
3188         to be as narrow as possible.
3189
3190         * dfg/DFGByteCodeParser.cpp:
3191         (JSC::DFG::ByteCodeParser::parseBlock):
3192
3193 2016-11-11  Chris Dumez  <cdumez@apple.com>
3194
3195         Unreviewed, rolling out r208584.
3196
3197         Seems to have regressed Speedometer by 1% on Mac
3198
3199         Reverted changeset:
3200
3201         "We should have a more concise way of determining when we're
3202         varargs calling a function using rest parameters"
3203         https://bugs.webkit.org/show_bug.cgi?id=164258
3204         http://trac.webkit.org/changeset/208584
3205
3206 2016-11-11  Chris Dumez  <cdumez@apple.com>
3207
3208         Unreviewed, rolling out r208117 and r208160.
3209
3210         Regressed Speedometer by >1.5%
3211
3212         Reverted changesets:
3213
3214         "We should have a way of profiling when a get_by_id is pure
3215         and to emit a PureGetById in the DFG/FTL"
3216         https://bugs.webkit.org/show_bug.cgi?id=163305
3217         http://trac.webkit.org/changeset/208117
3218
3219         "Debug JSC test microbenchmarks/pure-get-by-id-cse-2.js timing
3220         out"
3221         https://bugs.webkit.org/show_bug.cgi?id=164227
3222         http://trac.webkit.org/changeset/208160
3223
3224 2016-11-11  Saam Barati  <sbarati@apple.com>
3225
3226         We should have a more concise way of determining when we're varargs calling a function using rest parameters
3227         https://bugs.webkit.org/show_bug.cgi?id=164258
3228
3229         Reviewed by Yusuke Suzuki.
3230
3231         This patch adds two new bytecodes and DFG nodes for the following code patterns:
3232
3233         ```
3234         foo(a, b, ...c)
3235         let x = [a, b, ...c];
3236         ```
3237
3238         To do this, I've introduced two new bytecode operations (and their
3239         corresponding DFG nodes):
3240
3241         op_spread and op_new_array_with_spread.
3242
3243         op_spread takes a single input and performs the ES6 iteration protocol on it.
3244         It returns the result of doing the spread inside a new class I've
3245         made called JSFixedArray. JSFixedArray is a cell with a single 'size'
3246         field and a buffer of values allocated inline in the cell. Abstracting
3247         the protocol into a single node is good because it will make IR analysis
3248         in the future much simpler. For now, it's also good because it allows
3249         us to create fast paths for array iteration (which is quite common).
3250         This fast path allows us to emit really good code for array iteration
3251         inside the DFG/FTL.
3252
3253         op_new_array_with_spread is a variable argument bytecode that also
3254         has a bit vector associated with it. The bit vector indicates if
3255         any particular argument is to be spread or not. Arguments that
3256         are spread are known to be JSFixedArray because we must emit an
3257         op_spread before op_new_array_with_spread consumes the value.
3258         For example, for this array:
3259         [a, b, ...c, d, ...e]
3260         we will have this bit vector:
3261         [0, 0, 1, 0, 1]
3262
3263         The reason I've chosen this IR is that it will make eliminating
3264         a rest allocation for this type of code much easier:
3265
3266         ```
3267         function foo(...args) {
3268             return bar(a, b, ...args);
3269         }
3270         ```
3271
3272         It will be easier to analyze the IR now that the operations
3273         will be described at a high level.
3274
3275         This patch is an ~8% speedup on ES6SampleBench on my MBP.
3276
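The op_spread / op_new_array_with_spread design described in this entry (and in its identical copy earlier on the page), as an added example that is not JavaScriptCore code: a small JavaScript model in which op_spread runs the iteration protocol into a fixed buffer standing in for JSFixedArray, the bytecode generator's bit vector marks which operands are spreads, and op_new_array_with_spread consumes them. It also models why the array fast path needs the array iterator protocol watchpoint: as soon as iteration of an array becomes observable, the spread must fall back to the generic protocol. All function and class names are assumptions, and the inputs are constructed.

```javascript
// Added example (not JavaScriptCore code): a model of op_spread feeding a
// fixed buffer into op_new_array_with_spread. Names are hypothetical.

const ArrayIteratorPrototype = Object.getPrototypeOf([][Symbol.iterator]());
const originalArrayIterator = Array.prototype[Symbol.iterator];
const originalNext = ArrayIteratorPrototype.next;

// Stand-in for JSFixedArray: a size plus a buffer of values.
class FixedArrayModel {
  constructor(values) {
    this.size = values.length;
    this.buffer = values;
    Object.freeze(this);
  }
  get(i) {
    if (i < 0 || i >= this.size) throw new RangeError("index out of range");
    return this.buffer[i];
  }
}

// Stand-in for isArrayIteratorProtocolFastAndNonObservable: copying an array
// directly is only equivalent to for-of while no part of the protocol that
// for-of would consult has been replaced.
function arrayIterationIsNonObservable(value) {
  return Array.isArray(value)
    && Object.getPrototypeOf(value) === Array.prototype
    && !Object.prototype.hasOwnProperty.call(value, Symbol.iterator)
    && Array.prototype[Symbol.iterator] === originalArrayIterator
    && ArrayIteratorPrototype.next === originalNext;
}

// Model of op_spread: one operand in, one fixed array out.
function opSpread(value) {
  if (arrayIterationIsNonObservable(value)) {
    // Fast path: copy the elements without consulting the iterator protocol.
    const copy = [];
    for (let i = 0; i < value.length; i++) copy.push(value[i]);
    return { fixed: new FixedArrayModel(copy), usedFastPath: true };
  }
  if (value == null || typeof value[Symbol.iterator] !== "function")
    throw new TypeError("spread operand is not iterable");
  const items = [];
  for (const item of value) items.push(item); // generic ES6 iteration protocol
  return { fixed: new FixedArrayModel(items), usedFastPath: false };
}

// The bit vector attached to op_new_array_with_spread: 1 where an element is spread.
function spreadBitVector(elements) {
  return elements.map(e => (e.spread ? 1 : 0));
}

// Model of op_new_array_with_spread: operands flagged in the bit vector must
// already be fixed arrays produced by opSpread; they are flattened into the result.
function opNewArrayWithSpread(operands, bitVector) {
  if (operands.length !== bitVector.length)
    throw new RangeError("bit vector does not match operand count");
  const result = [];
  operands.forEach((operand, i) => {
    if (!bitVector[i]) { result.push(operand); return; }
    if (!(operand instanceof FixedArrayModel))
      throw new TypeError(`operand ${i} is flagged as spread but is not a fixed array`);
    for (let j = 0; j < operand.size; j++) result.push(operand.get(j));
  });
  return result;
}

// Lowering of an array literal such as [a, b, ...c, d, ...e]: one op_spread per
// spread element, then a single op_new_array_with_spread over all operands.
function lowerArrayLiteral(elements) {
  const bitVector = spreadBitVector(elements);
  const operands = elements.map(e => (e.spread ? opSpread(e.value).fixed : e.value));
  return { bitVector, array: opNewArrayWithSpread(operands, bitVector) };
}

// Constructed inputs: the literal [1, 2, ...[3, 4], 5, ...[6]] and an array
// whose own Symbol.iterator was replaced, which must leave the fast path.
function demo() {
  const c = [3, 4], e = [6];
  const literal = [
    { value: 1 }, { value: 2 }, { value: c, spread: true },
    { value: 5 }, { value: e, spread: true },
  ];
  const lowered = lowerArrayLiteral(literal);

  const tampered = [7, 8];
  tampered[Symbol.iterator] = function* () { yield "intercepted"; };
  const spread = opSpread(tampered);

  return {
    bitVector: lowered.bitVector,            // [0, 0, 1, 0, 1]
    array: lowered.array,                    // [1, 2, 3, 4, 5, 6]
    tamperedFast: spread.usedFastPath,       // false
    tamperedValues: spread.fixed.buffer,     // ["intercepted"]
  };
}
```

The bit vector for the constructed literal matches the [0, 0, 1, 0, 1] shape given in the entry, and the tampered array shows the invariant the watchpoint protects: the direct copy is only a valid replacement for the protocol while the protocol itself is untouched, so the runtime has to notice such modifications and stop using the fast path.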
3277         * CMakeLists.txt:
3278         * DerivedSources.make:
3279         * JavaScriptCore.xcodeproj/project.pbxproj:
3280         * builtins/IteratorHelpers.js: Added.
3281         (performIteration):
3282         * bytecode/BytecodeList.json:
3283         * bytecode/BytecodeUseDef.h:
3284         (JSC::computeUsesForBytecodeOffset):
3285         (JSC::computeDefsForBytecodeOffset):
3286         * bytecode/CodeBlock.cpp:
3287         (JSC::CodeBlock::dumpBytecode):
3288         * bytecode/ObjectPropertyConditionSet.cpp:
3289         (JSC::generateConditionForSelfEquivalence):
3290         * bytecode/ObjectPropertyConditionSet.h:
3291         * bytecode/TrackedReferences.cpp:
3292         (JSC::TrackedReferences::check):
3293         * bytecode/UnlinkedCodeBlock.h:
3294         (JSC::UnlinkedCodeBlock::bitVectors):
3295         (JSC::UnlinkedCodeBlock::bitVector):
3296         (JSC::UnlinkedCodeBlock::addBitVector):
3297         (JSC::UnlinkedCodeBlock::shrinkToFit):
3298         * bytecompiler/BytecodeGenerator.cpp:
3299         (JSC::BytecodeGenerator::emitNewArrayWithSpread):
3300         * bytecompiler/BytecodeGenerator.h:
3301         * bytecompiler/NodesCodegen.cpp:
3302         (JSC::ArrayNode::emitBytecode):
3303         * dfg/DFGAbstractInterpreterInlines.h:
3304         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3305         * dfg/DFGByteCodeParser.cpp:
3306         (JSC::DFG::ByteCodeParser::addToGraph):
3307         (JSC::DFG::ByteCodeParser::parseBlock):
3308         * dfg/DFGCapabilities.cpp:
3309         (JSC::DFG::capabilityLevel):
3310         * dfg/DFGClobberize.h:
3311         (JSC::DFG::clobberize):
3312         * dfg/DFGDoesGC.cpp:
3313         (JSC::DFG::doesGC):
3314         * dfg/DFGFixupPhase.cpp:
3315         (JSC::DFG::FixupPhase::fixupNode):
3316         (JSC::DFG::FixupPhase::watchHavingABadTime):
3317         * dfg/DFGGraph.h:
3318         (JSC::DFG::Graph::isWatchingArrayIteratorProtocolWatchpoint):
3319         * dfg/DFGNode.h:
3320         (JSC::DFG::Node::bitVector):
3321         * dfg/DFGNodeType.h:
3322         * dfg/DFGOperations.cpp:
3323         * dfg/DFGOperations.h:
3324         * dfg/DFGPredictionPropagationPhase.cpp:
3325         * dfg/DFGSafeToExecute.h:
3326         (JSC::DFG::safeToExecute):
3327         * dfg/DFGSpeculativeJIT.cpp:
3328         (JSC::DFG::SpeculativeJIT::compileSpread):
3329         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
3330         * dfg/DFGSpeculativeJIT.h:
3331         (JSC::DFG::SpeculativeJIT::callOperation):
3332         * dfg/DFGSpeculativeJIT32_64.cpp:
3333         (JSC::DFG::SpeculativeJIT::compile):
3334         * dfg/DFGSpeculativeJIT64.cpp:
3335         (JSC::DFG::SpeculativeJIT::compile):
3336         * dfg/DFGStructureRegistrationPhase.cpp:
3337         (JSC::DFG::StructureRegistrationPhase::run):
3338         * ftl/FTLAbstractHeapRepository.h:
3339         * ftl/FTLCapabilities.cpp:
3340         (JSC::FTL::canCompile):
3341         * ftl/FTLLowerDFGToB3.cpp:
3342         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3343         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
3344         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
3345         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
3346         * jit/AssemblyHelpers.h:
3347         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
3348         (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
3349         * jit/JIT.cpp:
3350         (JSC::JIT::privateCompileMainPass):
3351         * jit/JIT.h:
3352         * jit/JITOpcodes.cpp:
3353         (JSC::JIT::emit_op_new_array_with_spread):
3354         (JSC::JIT::emit_op_spread):
3355         * jit/JITOperations.h:
3356         * llint/LLIntData.cpp:
3357         (JSC::LLInt::Data::performAssertions):
3358         * llint/LLIntSlowPaths.cpp:
3359         * llint/LowLevelInterpreter.asm:
3360         * runtime/ArrayIteratorAdaptiveWatchpoint.cpp: Added.
3361         (JSC::ArrayIteratorAdaptiveWatchpoint::ArrayIteratorAdaptiveWatchpoint):
3362         (JSC::ArrayIteratorAdaptiveWatchpoint::handleFire):
3363         * runtime/ArrayIteratorAdaptiveWatchpoint.h: Added.
3364         * runtime/CommonSlowPaths.cpp:
3365         (JSC::SLOW_PATH_DECL):
3366         * runtime/CommonSlowPaths.h:
3367         * runtime/IteratorOperations.h:
3368         (JSC::forEachInIterable):
3369         * runtime/JSCInlines.h:
3370         * runtime/JSFixedArray.cpp: Added.
3371         (JSC::JSFixedArray::visitChildren):
3372         * runtime/JSFixedArray.h: Added.
3373         (JSC::JSFixedArray::createStructure):
3374         (JSC::JSFixedArray::createFromArray):
3375         (JSC::JSFixedArray::get):
3376         (JSC::JSFixedArray::buffer):
3377         (JSC::JSFixedArray::size):
3378         (JSC::JSFixedArray::offsetOfSize):
3379         (JSC::JSFixedArray::offsetOfData):
3380         (JSC::JSFixedArray::create):
3381         (JSC::JSFixedArray::JSFixedArray):
3382         (JSC::JSFixedArray::allocationSize):
3383         * runtime/JSGlobalObject.cpp:
3384         (JSC::JSGlobalObject::JSGlobalObject):