62670304f321bf779b18e7310cf56042688018bc
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in IteratorOperations.h.
        https://bugs.webkit.org/show_bug.cgi?id=165015

        Reviewed by Saam Barati.

        * runtime/IteratorOperations.h:
        (JSC::forEachInIterable):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in JSArray* files.
        https://bugs.webkit.org/show_bug.cgi?id=165016

        Reviewed by Saam Barati.

        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        (JSC::JSArray::put):
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::push):
        (JSC::JSArray::unshiftCountWithAnyIndexingType):
        * runtime/JSArrayBuffer.cpp:
        (JSC::JSArrayBuffer::put):
        (JSC::JSArrayBuffer::defineOwnProperty):
        * runtime/JSArrayInlines.h:
        (JSC::getLength):
        (JSC::toLength):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in JSDataView.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=165020

        Reviewed by Saam Barati.

        * runtime/JSDataView.cpp:
        (JSC::JSDataView::put):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in JSFunction.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=165021

        Reviewed by Saam Barati.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::put):
        (JSC::JSFunction::defineOwnProperty):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in runtime/JSGenericTypedArrayView* files.
        https://bugs.webkit.org/show_bug.cgi?id=165022

        Reviewed by Saam Barati.

        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayViewFromIterator):
        (JSC::constructGenericTypedArrayViewWithArguments):
        (JSC::constructGenericTypedArrayView):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::set):
        (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::speciesConstruct):
        (JSC::genericTypedArrayViewProtoFuncSet):
        (JSC::genericTypedArrayViewProtoFuncJoin):
        (JSC::genericTypedArrayViewProtoFuncSlice):
        (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in runtime/Operations.cpp/h.
        https://bugs.webkit.org/show_bug.cgi?id=165046

        Reviewed by Saam Barati.

        Also switched to using returning { } instead of JSValue().

        * runtime/Operations.cpp:
        (JSC::jsAddSlowCase):
        (JSC::jsIsObjectTypeOrNull):
        * runtime/Operations.h:
        (JSC::jsStringFromRegisterArray):
        (JSC::jsStringFromArguments):
        (JSC::jsLess):
        (JSC::jsLessEq):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in JSScope.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=165047

        Reviewed by Saam Barati.

        * runtime/JSScope.cpp:
        (JSC::JSScope::resolve):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in JSTypedArrayViewPrototype.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=165049

        Reviewed by Saam Barati.

        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::typedArrayViewPrivateFuncSort):
        (JSC::typedArrayViewProtoFuncSet):
        (JSC::typedArrayViewProtoFuncCopyWithin):
        (JSC::typedArrayViewProtoFuncIncludes):
        (JSC::typedArrayViewProtoFuncLastIndexOf):
        (JSC::typedArrayViewProtoFuncIndexOf):
        (JSC::typedArrayViewProtoFuncJoin):
        (JSC::typedArrayViewProtoGetterFuncBuffer):
        (JSC::typedArrayViewProtoGetterFuncLength):
        (JSC::typedArrayViewProtoGetterFuncByteLength):
        (JSC::typedArrayViewProtoGetterFuncByteOffset):
        (JSC::typedArrayViewProtoFuncReverse):
        (JSC::typedArrayViewPrivateFuncSubarrayCreate):
        (JSC::typedArrayViewProtoFuncSlice):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in runtime/Map* files.
        https://bugs.webkit.org/show_bug.cgi?id=165050

        Reviewed by Saam Barati.

        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/MapIteratorPrototype.cpp:
        (JSC::MapIteratorPrototypeFuncNext):
        * runtime/MapPrototype.cpp:
        (JSC::privateFuncMapIteratorNext):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in more miscellaneous files.
        https://bugs.webkit.org/show_bug.cgi?id=165102

        Reviewed by Saam Barati.

        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::constructJSWebAssemblyInstance):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in runtime/Weak* files.
        https://bugs.webkit.org/show_bug.cgi?id=165096

        Reviewed by Geoffrey Garen.

        * runtime/WeakMapConstructor.cpp:
        (JSC::constructWeakMap):
        * runtime/WeakMapPrototype.cpp:
        (JSC::protoFuncWeakMapSet):
        * runtime/WeakSetConstructor.cpp:
        (JSC::constructWeakSet):
        * runtime/WeakSetPrototype.cpp:
        (JSC::protoFuncWeakSetAdd):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in runtime/String* files.
        https://bugs.webkit.org/show_bug.cgi?id=165067

        Reviewed by Saam Barati.

        * runtime/StringConstructor.cpp:
        (JSC::stringFromCodePoint):
        (JSC::constructWithStringConstructor):
        * runtime/StringObject.cpp:
        (JSC::StringObject::put):
        (JSC::StringObject::putByIndex):
        (JSC::StringObject::defineOwnProperty):
        * runtime/StringPrototype.cpp:
        (JSC::jsSpliceSubstrings):
        (JSC::jsSpliceSubstringsWithSeparators):
        (JSC::replaceUsingRegExpSearch):
        (JSC::replaceUsingStringSearch):
        (JSC::repeatCharacter):
        (JSC::replace):
        (JSC::stringProtoFuncReplaceUsingStringSearch):
        (JSC::stringProtoFuncCharAt):
        (JSC::stringProtoFuncCodePointAt):
        (JSC::stringProtoFuncConcat):
        (JSC::stringProtoFuncIndexOf):
        (JSC::stringProtoFuncLastIndexOf):
        (JSC::splitStringByOneCharacterImpl):
        (JSC::stringProtoFuncSplitFast):
        (JSC::stringProtoFuncSubstring):
        (JSC::stringProtoFuncToLowerCase):
        (JSC::stringProtoFuncToUpperCase):
        (JSC::toLocaleCase):
        (JSC::trimString):
        (JSC::stringProtoFuncIncludes):
        (JSC::builtinStringIncludesInternal):
        (JSC::stringProtoFuncIterator):
        (JSC::normalize):
        (JSC::stringProtoFuncNormalize):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in ObjectConstructor.cpp and ObjectPrototype.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=165051

        Reviewed by Saam Barati.

        Also,
        1. Replaced returning JSValue() with returning { }.
        2. Replaced uses of exec->propertyNames() with vm.propertyNames.

        * runtime/ObjectConstructor.cpp:
        (JSC::constructObject):
        (JSC::objectConstructorGetPrototypeOf):
        (JSC::objectConstructorGetOwnPropertyDescriptor):
        (JSC::objectConstructorGetOwnPropertyDescriptors):
        (JSC::objectConstructorGetOwnPropertyNames):
        (JSC::objectConstructorGetOwnPropertySymbols):
        (JSC::objectConstructorKeys):
        (JSC::ownEnumerablePropertyKeys):
        (JSC::toPropertyDescriptor):
        (JSC::defineProperties):
        (JSC::objectConstructorDefineProperties):
        (JSC::objectConstructorCreate):
        (JSC::setIntegrityLevel):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorPreventExtensions):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
        (JSC::ownPropertyKeys):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncValueOf):
        (JSC::objectProtoFuncHasOwnProperty):
        (JSC::objectProtoFuncIsPrototypeOf):
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):
        (JSC::objectProtoFuncToLocaleString):
        (JSC::objectProtoFuncToString):

2016-11-26  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in miscellaneous files.
        https://bugs.webkit.org/show_bug.cgi?id=165055

        Reviewed by Saam Barati.

        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncIMul):
        * runtime/ModuleLoaderPrototype.cpp:
        (JSC::moduleLoaderPrototypeParseModule):
        (JSC::moduleLoaderPrototypeRequestedModules):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::Interpreter::constructWithNativeErrorConstructor):
        * runtime/NumberConstructor.cpp:
        (JSC::constructWithNumberConstructor):
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):
        * runtime/SetIteratorPrototype.cpp:
        (JSC::SetIteratorPrototypeFuncNext):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::putEntry):
        (JSC::SparseArrayEntry::put):
        * runtime/TemplateRegistry.cpp:
        (JSC::TemplateRegistry::getTemplateObject):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in ReflectObject.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=165066

        Reviewed by Saam Barati.

        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectConstruct):
        (JSC::reflectObjectDefineProperty):
        (JSC::reflectObjectEnumerate):
        (JSC::reflectObjectGet):
        (JSC::reflectObjectGetOwnPropertyDescriptor):
        (JSC::reflectObjectGetPrototypeOf):
        (JSC::reflectObjectOwnKeys):
        (JSC::reflectObjectSet):

2016-11-24  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in ArrayConstructor.cpp and ArrayPrototype.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=164972

        Reviewed by Geoffrey Garen.

        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        * runtime/ArrayPrototype.cpp:
        (JSC::getProperty):
        (JSC::putLength):
        (JSC::speciesWatchpointsValid):
        (JSC::speciesConstructArray):
        (JSC::shift):
        (JSC::unshift):
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncToLocaleString):
        (JSC::slowJoin):
        (JSC::fastJoin):
        (JSC::arrayProtoFuncJoin):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncPush):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        (JSC::arrayProtoFuncIndexOf):
        (JSC::arrayProtoFuncLastIndexOf):
        (JSC::concatAppendOne):
        (JSC::arrayProtoPrivateFuncConcatMemcpy):
        (JSC::ArrayPrototype::attemptToInitializeSpeciesWatchpoint):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in LLIntSlowPaths.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=164969

        Reviewed by Geoffrey Garen.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):
        (JSC::LLInt::setUpCall):
        (JSC::LLInt::varargsSetup):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2016-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Import std::optional reference implementation as WTF::Optional
        https://bugs.webkit.org/show_bug.cgi?id=164199

        Reviewed by Saam Barati and Sam Weinig.

        The previous WTF::Optional::operator= is not compatible with std::optional::operator=.
        std::optional::emplace has the same semantics as the previous one,
        so we change the code to use it.

        * Scripts/builtins/builtins_templates.py:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
        * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::commuteCompareToZeroIntoTest):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::commuteCompareToZeroIntoTest):
        * b3/B3CheckSpecial.cpp:
        (JSC::B3::CheckSpecial::forEachArg):
        (JSC::B3::CheckSpecial::shouldTryAliasingDef):
        * b3/B3CheckSpecial.h:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::scaleForShl):
        (JSC::B3::Air::LowerToAir::effectiveAddr):
        (JSC::B3::Air::LowerToAir::tryAppendLea):
        * b3/B3Opcode.cpp:
        (JSC::B3::invertedCompare):
        * b3/B3Opcode.h:
        * b3/B3PatchpointSpecial.cpp:
        (JSC::B3::PatchpointSpecial::forEachArg):
        * b3/B3StackmapSpecial.cpp:
        (JSC::B3::StackmapSpecial::forEachArgImpl):
        * b3/B3StackmapSpecial.h:
        * b3/B3Value.cpp:
        (JSC::B3::Value::invertedCompare):
        * b3/air/AirArg.h:
        (JSC::B3::Air::Arg::isValidScale):
        (JSC::B3::Air::Arg::isValidAddrForm):
        (JSC::B3::Air::Arg::isValidIndexForm):
        (JSC::B3::Air::Arg::isValidForm):
        * b3/air/AirCustom.h:
        (JSC::B3::Air::PatchCustom::shouldTryAliasingDef):
        * b3/air/AirFixObviousSpills.cpp:
        * b3/air/AirInst.h:
        * b3/air/AirInstInlines.h:
        (JSC::B3::Air::Inst::shouldTryAliasingDef):
        * b3/air/AirIteratedRegisterCoalescing.cpp:
        * b3/air/AirSpecial.cpp:
        (JSC::B3::Air::Special::shouldTryAliasingDef):
        * b3/air/AirSpecial.h:
        * bytecode/BytecodeGeneratorification.cpp:
        (JSC::BytecodeGeneratorification::storageForGeneratorLocal):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::findPC):
        (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
        * bytecode/CodeBlock.h:
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::link):
        * bytecode/UnlinkedFunctionExecutable.h:
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitPutConstantProperty):
        (JSC::ObjectPatternNode::bindValue):
        * debugger/Debugger.cpp:
        (JSC::Debugger::resolveBreakpoint):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::currentPosition):
        * debugger/DebuggerParseData.cpp:
        (JSC::DebuggerPausePositions::breakpointLocationForLineColumn):
        * debugger/DebuggerParseData.h:
        * debugger/ScriptProfilingScope.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::findPC):
        * dfg/DFGJITCode.h:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * dfg/DFGSlowPathGenerator.h:
        (JSC::DFG::SlowPathGenerator::generate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
        (JSC::DFG::SpeculativeJIT::emitUntypedBitOp):
        (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp):
        (JSC::DFG::SpeculativeJIT::compileMathIC):
        (JSC::DFG::SpeculativeJIT::compileArithDiv):
        (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::findPC):
        * ftl/FTLJITCode.h:
        * heap/Heap.cpp:
        (JSC::Heap::collectAsync):
        (JSC::Heap::collectSync):
        (JSC::Heap::collectInThread):
        (JSC::Heap::requestCollection):
        (JSC::Heap::willStartCollection):
        (JSC::Heap::didFinishCollection):
        (JSC::Heap::shouldDoFullCollection):
        * heap/Heap.h:
        (JSC::Heap::collectionScope):
        * heap/HeapSnapshot.cpp:
        (JSC::HeapSnapshot::nodeForCell):
        (JSC::HeapSnapshot::nodeForObjectIdentifier):
        * heap/HeapSnapshot.h:
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::dispatch):
        (Inspector::BackendDispatcher::sendPendingErrors):
        (Inspector::BackendDispatcher::reportProtocolError):
        * inspector/InspectorBackendDispatcher.h:
        * inspector/agents/InspectorHeapAgent.cpp:
        (Inspector::InspectorHeapAgent::nodeForHeapObjectIdentifier):
        (Inspector::InspectorHeapAgent::getPreview):
        (Inspector::InspectorHeapAgent::getRemoteObject):
        * inspector/agents/InspectorHeapAgent.h:
        * inspector/remote/RemoteConnectionToTarget.h:
        * inspector/remote/RemoteConnectionToTarget.mm:
        (Inspector::RemoteConnectionToTarget::targetIdentifier):
        (Inspector::RemoteConnectionToTarget::setup):
        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::updateClientCapabilities):
        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        (_generate_declarations_for_enum_conversion_methods):
        (_generate_declarations_for_enum_conversion_methods.return_type_with_export_macro):
        * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
        (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain.generate_conversion_method_body):
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
        * jit/JITCode.h:
        (JSC::JITCode::findPC):
        * jit/JITDivGenerator.cpp:
        (JSC::JITDivGenerator::generateFastPath):
        * jit/JITOperations.cpp:
        * jit/PCToCodeOriginMap.cpp:
        (JSC::PCToCodeOriginMap::findPC):
        * jit/PCToCodeOriginMap.h:
        * jsc.cpp:
        (WTF::RuntimeArray::getOwnPropertySlot):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * parser/ModuleAnalyzer.cpp:
        (JSC::ModuleAnalyzer::exportVariable):
        * runtime/ConcurrentJSLock.h:
        (JSC::ConcurrentJSLocker::ConcurrentJSLocker):
        * runtime/DefinePropertyAttributes.h:
        (JSC::DefinePropertyAttributes::writable):
        (JSC::DefinePropertyAttributes::configurable):
        (JSC::DefinePropertyAttributes::enumerable):
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertySlot):
        (JSC::GenericArguments<Type>::put):
        (JSC::GenericArguments<Type>::deleteProperty):
        (JSC::GenericArguments<Type>::defineOwnProperty):
        * runtime/HasOwnPropertyCache.h:
        (JSC::HasOwnPropertyCache::get):
        * runtime/HashMapImpl.h:
        (JSC::concurrentJSMapHash):
        * runtime/Identifier.h:
        (JSC::parseIndex):
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::toNumberFromPrimitive):
        (JSC::JSValue::putToPrimitive):
        * runtime/JSCJSValue.h:
        * runtime/JSGenericTypedArrayView.h:
        (JSC::JSGenericTypedArrayView::toAdaptorNativeFromValueWithoutCoercion):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayViewWithArguments):
        (JSC::constructGenericTypedArrayView):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
        (JSC::JSGenericTypedArrayView<Adaptor>::put):
        * runtime/JSModuleRecord.cpp:
        * runtime/JSModuleRecord.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::putDirectMayBeIndex):
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::getOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::putOwnDataPropertyMayBeIndex):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putInline):
        * runtime/JSString.cpp:
        (JSC::JSString::getStringPropertyDescriptor):
        * runtime/JSString.h:
        (JSC::JSString::getStringPropertySlot):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::parse):
        * runtime/MathCommon.h:
        (JSC::safeReciprocalForDivByConst):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncHasOwnProperty):
        * runtime/PropertyDescriptor.h:
        (JSC::toPropertyDescriptor):
        * runtime/PropertyName.h:
        (JSC::parseIndex):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        * runtime/StringObject.cpp:
        (JSC::StringObject::put):
        (JSC::isStringOwnProperty):
        (JSC::StringObject::deleteProperty):
        * runtime/ToNativeFromValue.h:
        (JSC::toNativeFromValueWithoutCoercion):
        * runtime/TypedArrayAdaptors.h:
        (JSC::IntegralTypedArrayAdaptor::toNativeFromInt32WithoutCoercion):
        (JSC::IntegralTypedArrayAdaptor::toNativeFromUint32WithoutCoercion):
        (JSC::IntegralTypedArrayAdaptor::toNativeFromDoubleWithoutCoercion):
        (JSC::FloatTypedArrayAdaptor::toNativeFromInt32WithoutCoercion):
        (JSC::FloatTypedArrayAdaptor::toNativeFromDoubleWithoutCoercion):
        (JSC::Uint8ClampedAdaptor::toNativeFromInt32WithoutCoercion):
        (JSC::Uint8ClampedAdaptor::toNativeFromDoubleWithoutCoercion):

2016-11-26  Sam Weinig  <sam@webkit.org>

        Convert IntersectionObserver over to using RuntimeEnabledFeatures so it can be properly excluded from script
        https://bugs.webkit.org/show_bug.cgi?id=164965

        Reviewed by Simon Fraser.

        * runtime/CommonIdentifiers.h:
        Add identifiers needed for RuntimeEnabledFeatures.

2016-11-23  Zan Dobersek  <zdobersek@igalia.com>

        Remove ENABLE_ASSEMBLER_WX_EXCLUSIVE code
        https://bugs.webkit.org/show_bug.cgi?id=165027

        Reviewed by Darin Adler.

        Remove the code guarded with ENABLE(ASSEMBLER_WX_EXCLUSIVE).
        No port enables this and the guarded code doesn't build at all,
        so it's safe to say it's abandoned.

        * jit/ExecutableAllocator.cpp:
        (JSC::ExecutableAllocator::initializeAllocator):
        (JSC::ExecutableAllocator::ExecutableAllocator):
        (JSC::ExecutableAllocator::reprotectRegion): Deleted.

2016-11-18  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in JSC profiler files.
        https://bugs.webkit.org/show_bug.cgi?id=164971

        Reviewed by Saam Barati.

        * profiler/ProfilerBytecodeSequence.cpp:
        (JSC::Profiler::BytecodeSequence::addSequenceProperties):
        * profiler/ProfilerCompilation.cpp:
        (JSC::Profiler::Compilation::toJS):
        * profiler/ProfilerDatabase.cpp:
        (JSC::Profiler::Database::toJS):
        (JSC::Profiler::Database::toJSON):
        * profiler/ProfilerOSRExitSite.cpp:
        (JSC::Profiler::OSRExitSite::toJS):
        * profiler/ProfilerOriginStack.cpp:
        (JSC::Profiler::OriginStack::toJS):

2016-11-22  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in JSONObject.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=165025

        Reviewed by Saam Barati.

        * runtime/JSONObject.cpp:
        (JSC::gap):
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::stringify):
        (JSC::Stringifier::toJSON):
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::Walker::walk):
        (JSC::JSONProtoFuncParse):
        (JSC::JSONProtoFuncStringify):
        (JSC::JSONStringify):

2016-11-21  Mark Lam  <mark.lam@apple.com>

        Removed an extra space character at the end of line.

        Not reviewed.

        * runtime/JSCell.cpp:
        (JSC::JSCell::toNumber):

2016-11-21  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in FunctionConstructor.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=165011

        Reviewed by Saam Barati.

        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunction):
        (JSC::constructFunctionSkippingEvalEnabledCheck):

2016-11-21  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in GetterSetter.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=165013

        Reviewed by Saam Barati.

        * runtime/GetterSetter.cpp:
        (JSC::callGetter):
        (JSC::callSetter):

2016-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        Crash in com.apple.JavaScriptCore: WTF::ThreadSpecific<WTF::WTFThreadData, + 142
        https://bugs.webkit.org/show_bug.cgi?id=164898

        Reviewed by Darin Adler.

        The callsite object (JSArray) of a tagged template literal is managed by a WeakGCMap,
        since the same tagged template literal needs to return an identical object.
        The problem is that we used TemplateRegistryKey as the key of the WeakGCMap. WeakGCMap
        can prune its entries in the collector thread. At that time, this TemplateRegistryKey
        is deallocated. Since it includes a String (and thus a StringImpl), we accidentally call
        ref(), deref() and StringImpl::destroy() on a different thread from the main thread,
        while this TemplateRegistryKey was allocated on the main thread.

        Instead, we use TemplateRegistryKey* as the key of the WeakGCMap. Then, to keep it alive
        while the entry of the WeakGCMap is alive, the callsite object holds a reference to
        the JSTemplateRegistryKey, and that holds a Ref<TemplateRegistryKey>.

        Now we need to look up the WeakGCMap with a TemplateRegistryKey*. To do so, we create an
        interning system for TemplateRegistryKey, similar to AtomicStringTable and
        SymbolRegistry. TemplateRegistryKey is allocated from this table, which atomizes the
        TemplateRegistryKey, so we can use pointer comparison between TemplateRegistryKeys.
        This allows us to look up the entry in the WeakGCMap by TemplateRegistryKey*.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/BuiltinNames.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addTemplateRegistryKeyConstant):
        (JSC::BytecodeGenerator::emitGetTemplateObject):
        * bytecompiler/BytecodeGenerator.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::getTemplateObject):
        * runtime/JSTemplateRegistryKey.cpp:
        (JSC::JSTemplateRegistryKey::JSTemplateRegistryKey):
        (JSC::JSTemplateRegistryKey::create):
        * runtime/JSTemplateRegistryKey.h:
        * runtime/TemplateRegistry.cpp:
        (JSC::TemplateRegistry::getTemplateObject):
        * runtime/TemplateRegistry.h:
        * runtime/TemplateRegistryKey.cpp: Copied from Source/JavaScriptCore/runtime/TemplateRegistry.h.
        (JSC::TemplateRegistryKey::~TemplateRegistryKey):
        * runtime/TemplateRegistryKey.h:
        (JSC::TemplateRegistryKey::calculateHash):
        (JSC::TemplateRegistryKey::create):
        (JSC::TemplateRegistryKey::TemplateRegistryKey):
        * runtime/TemplateRegistryKeyTable.cpp: Added.
        (JSC::TemplateRegistryKeyTranslator::hash):
        (JSC::TemplateRegistryKeyTranslator::equal):
        (JSC::TemplateRegistryKeyTranslator::translate):
        (JSC::TemplateRegistryKeyTable::~TemplateRegistryKeyTable):
        (JSC::TemplateRegistryKeyTable::createKey):
        (JSC::TemplateRegistryKeyTable::unregister):
        * runtime/TemplateRegistryKeyTable.h: Copied from Source/JavaScriptCore/runtime/JSTemplateRegistryKey.h.
        (JSC::TemplateRegistryKeyTable::KeyHash::hash):
        (JSC::TemplateRegistryKeyTable::KeyHash::equal):
        * runtime/VM.h:
        (JSC::VM::templateRegistryKeyTable):
734
735 2016-11-21  Mark Lam  <mark.lam@apple.com>
736
737         Fix exception scope verification failures in runtime/Error* files.
738         https://bugs.webkit.org/show_bug.cgi?id=164998
739
740         Reviewed by Darin Adler.
741
742         * runtime/ErrorConstructor.cpp:
743         (JSC::Interpreter::constructWithErrorConstructor):
744         * runtime/ErrorInstance.cpp:
745         (JSC::ErrorInstance::create):
746         * runtime/ErrorInstance.h:
747         * runtime/ErrorPrototype.cpp:
748         (JSC::errorProtoFuncToString):
749
750 2016-11-21  Mark Lam  <mark.lam@apple.com>
751
752         Fix exception scope verification failures in *Executable.cpp files.
753         https://bugs.webkit.org/show_bug.cgi?id=164996
754
755         Reviewed by Darin Adler.
756
757         * runtime/DirectEvalExecutable.cpp:
758         (JSC::DirectEvalExecutable::create):
759         * runtime/IndirectEvalExecutable.cpp:
760         (JSC::IndirectEvalExecutable::create):
761         * runtime/ProgramExecutable.cpp:
762         (JSC::ProgramExecutable::initializeGlobalProperties):
763         * runtime/ScriptExecutable.cpp:
764         (JSC::ScriptExecutable::prepareForExecutionImpl):
765
766 2016-11-20  Zan Dobersek  <zdobersek@igalia.com>
767
768         [EncryptedMedia] Make EME API runtime-enabled
769         https://bugs.webkit.org/show_bug.cgi?id=164927
770
771         Reviewed by Jer Noble.
772
773         * runtime/CommonIdentifiers.h: Add the necessary identifiers.
774
775 2016-11-20  Mark Lam  <mark.lam@apple.com>
776
777         Fix exception scope verification failures in ConstructData.cpp.
778         https://bugs.webkit.org/show_bug.cgi?id=164976
779
780         Reviewed by Darin Adler.
781
782         * runtime/ConstructData.cpp:
783         (JSC::construct):
784
785 2016-11-20  Mark Lam  <mark.lam@apple.com>
786
787         Fix exception scope verification failures in CommonSlowPaths.cpp/h.
788         https://bugs.webkit.org/show_bug.cgi?id=164975
789
790         Reviewed by Darin Adler.
791
792         * runtime/CommonSlowPaths.cpp:
793         (JSC::SLOW_PATH_DECL):
794         * runtime/CommonSlowPaths.h:
795         (JSC::CommonSlowPaths::opIn):
796
797 2016-11-20  Mark Lam  <mark.lam@apple.com>
798
799         Fix exception scope verification failures in DateConstructor.cpp and DatePrototype.cpp.
800         https://bugs.webkit.org/show_bug.cgi?id=164995
801
802         Reviewed by Darin Adler.
803
804         * runtime/DateConstructor.cpp:
805         (JSC::millisecondsFromComponents):
806         (JSC::constructDate):
807         * runtime/DatePrototype.cpp:
808         (JSC::dateProtoFuncToPrimitiveSymbol):
809
810 2016-11-20  Caitlin Potter  <caitp@igalia.com>
811
812         [JSC] speed up parsing of async functions
813         https://bugs.webkit.org/show_bug.cgi?id=164808
814
815         Reviewed by Yusuke Suzuki.
816
817         Minor adjustments to Parser in order to mitigate slowdown with async
818         function parsing enabled:
819
820           - Tokenize "async" as a keyword
821           - Perform less branching in various areas of the Parser
822
823         * parser/Keywords.table:
824         * parser/Parser.cpp:
825         (JSC::Parser<LexerType>::parseStatementListItem):
826         (JSC::Parser<LexerType>::parseStatement):
827         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
828         (JSC::Parser<LexerType>::parseClass):
829         (JSC::Parser<LexerType>::parseExportDeclaration):
830         (JSC::Parser<LexerType>::parseAssignmentExpression):
831         (JSC::Parser<LexerType>::parseProperty):
832         (JSC::Parser<LexerType>::createResolveAndUseVariable):
833         (JSC::Parser<LexerType>::parsePrimaryExpression):
834         (JSC::Parser<LexerType>::parseMemberExpression):
835         (JSC::Parser<LexerType>::printUnexpectedTokenText):
836         * parser/Parser.h:
837         (JSC::isAnyContextualKeyword):
838         (JSC::isIdentifierOrAnyContextualKeyword):
839         (JSC::isSafeContextualKeyword):
840         (JSC::Parser::matchSpecIdentifier):
841         * parser/ParserTokens.h:
842         * runtime/CommonIdentifiers.h:
843
844 2016-11-19  Mark Lam  <mark.lam@apple.com>
845
846         Add --timeoutMultiplier option to allow some tests more time to run.
847         https://bugs.webkit.org/show_bug.cgi?id=164951
848
849         Reviewed by Yusuke Suzuki.
850
851         * jsc.cpp:
852         (timeoutThreadMain):
853         - Modified to factor in a timeout multiplier that can adjust the timeout duration.
854         (startTimeoutThreadIfNeeded):
855         - Moved the code that starts the timeout thread here from main() so that we can
856         call it after command line args have been parsed instead.
857         (main):
858         - Deleted old timeout thread starting code.
859         (CommandLine::parseArguments):
860         - Added parsing of the --timeoutMultiplier option.
861         (jscmain):
862         - Start the timeout thread if needed after we've parsed the command line args.
863
864 2016-11-19  Mark Lam  <mark.lam@apple.com>
865
866         Fix missing exception checks in JSC inspector files.
867         https://bugs.webkit.org/show_bug.cgi?id=164959
868
869         Reviewed by Saam Barati.
870
871         * inspector/JSInjectedScriptHost.cpp:
872         (Inspector::JSInjectedScriptHost::getInternalProperties):
873         (Inspector::JSInjectedScriptHost::weakMapEntries):
874         (Inspector::JSInjectedScriptHost::weakSetEntries):
875         (Inspector::JSInjectedScriptHost::iteratorEntries):
876         * inspector/JSJavaScriptCallFrame.cpp:
877         (Inspector::JSJavaScriptCallFrame::scopeDescriptions):
878
879 2016-11-18  Mark Lam  <mark.lam@apple.com>
880
881         Fix missing exception checks in DFGOperations.cpp.
882         https://bugs.webkit.org/show_bug.cgi?id=164958
883
884         Reviewed by Geoffrey Garen.
885
886         * dfg/DFGOperations.cpp:
887
888 2016-11-18  Mark Lam  <mark.lam@apple.com>
889
890         Fix exception scope verification failures in ShadowChicken.cpp.
891         https://bugs.webkit.org/show_bug.cgi?id=164966
892
893         Reviewed by Saam Barati.
894
895         * interpreter/ShadowChicken.cpp:
896         (JSC::ShadowChicken::functionsOnStack):
897
898 2016-11-18  Jeremy Jones  <jeremyj@apple.com>
899
900         Add runtime flag to enable pointer lock. Enable pointer lock feature for mac.
901         https://bugs.webkit.org/show_bug.cgi?id=163801
902
903         Reviewed by Simon Fraser.
904
905         * Configurations/FeatureDefines.xcconfig:
906
907 2016-11-18  Filip Pizlo  <fpizlo@apple.com>
908
909         Unreviewed, fix cloop.
910
911         * bytecode/CodeBlock.cpp:
912         (JSC::CodeBlock::stronglyVisitStrongReferences):
913
914 2016-11-18  Filip Pizlo  <fpizlo@apple.com>
915
916         Concurrent GC should be able to run splay in debug mode and earley/raytrace in release mode with no perf regression
917         https://bugs.webkit.org/show_bug.cgi?id=164282
918
919         Reviewed by Geoffrey Garen and Oliver Hunt.
920         
921         The three remaining bugs were:
922
923         - Improper ordering inside putDirectWithoutTransition() and friends. We need to make sure
924           that the GC doesn't see the store to Structure::m_offset until we've resized the butterfly.
925           That proved a bit tricky. On the other hand, this means that we could probably remove the
926           requirement that the GC holds the Structure lock in some cases. I haven't removed that lock
927           yet because I still think it might protect some weird cases, and it doesn't seem to cost us
928           anything.
929         
930         - CodeBlock's GC strategy needed to be made thread-safe (visitWeakly, visitChildren, and
931           their friends now hold locks) and incremental-safe (we need to update predictions in the
932           finalizer to make sure we clear anything that was put into a value profile towards the end
933           of GC).
934         
935         - The GC timeslicing scheduler needed to be made a bit more aggressive to deal with
936           generational workloads like earley, raytrace, and CDjs. Once I got those benchmarks to run,
937           I found that they would do many useless iterations of GC because they wouldn't pause long
938           enough after rescanning weak references and roots. I added a bunch of knobs for forcing a
939           pause. In the end, I realized that I could get the desired effect by putting a ceiling on
940           mutator utilization. We want the GC to finish quickly if it is possible to do so, even if
941           the amount of allocation that the mutator had done is low. Having a utilization ceiling
942           seems to accomplish this for benchmarks with trivial heaps (earley and raytrace) as well as
943           huge heaps (like CDjs in its "large" configuration).
944         
945         This preserves splay performance, makes the concurrent GC more stable, and makes the
946         concurrent GC not a perf regression on earley or raytrace. It seems to give us great CDjs
947         performance as well, but this is still hard to tell because we crash a lot in that benchmark.
948
949         * bytecode/CodeBlock.cpp:
950         (JSC::CodeBlock::CodeBlock):
951         (JSC::CodeBlock::visitWeakly):
952         (JSC::CodeBlock::visitChildren):
953         (JSC::CodeBlock::shouldVisitStrongly):
954         (JSC::CodeBlock::shouldJettisonDueToOldAge):
955         (JSC::CodeBlock::propagateTransitions):
956         (JSC::CodeBlock::determineLiveness):
957         (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences):
958         (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally):
959         (JSC::CodeBlock::visitOSRExitTargets):
960         (JSC::CodeBlock::stronglyVisitStrongReferences):
961         (JSC::CodeBlock::stronglyVisitWeakReferences):
962         * bytecode/CodeBlock.h:
963         (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled):
964         * heap/CodeBlockSet.cpp:
965         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
966         * heap/Heap.cpp:
967         (JSC::Heap::ResumeTheWorldScope::ResumeTheWorldScope):
968         (JSC::Heap::markToFixpoint):
969         (JSC::Heap::beginMarking):
970         (JSC::Heap::addToRememberedSet):
971         (JSC::Heap::collectInThread):
972         * heap/Heap.h:
973         * heap/HeapInlines.h:
974         (JSC::Heap::mutatorFence):
975         * heap/MarkedBlock.cpp:
976         * runtime/JSCellInlines.h:
977         (JSC::JSCell::finishCreation):
978         * runtime/JSObjectInlines.h:
979         (JSC::JSObject::putDirectWithoutTransition):
980         (JSC::JSObject::putDirectInternal):
981         * runtime/Options.h:
982         * runtime/Structure.cpp:
983         (JSC::Structure::add):
984         * runtime/Structure.h:
985         * runtime/StructureInlines.h:
986         (JSC::Structure::add):
987
988 2016-11-18  Joseph Pecoraro  <pecoraro@apple.com>
989
990         Web Inspector: Generator functions should have a displayable name when shown in stack traces
991         https://bugs.webkit.org/show_bug.cgi?id=164844
992         <rdar://problem/29300697>
993
994         Reviewed by Yusuke Suzuki.
995
996         * parser/SyntaxChecker.h:
997         (JSC::SyntaxChecker::createGeneratorFunctionBody):
998         * parser/ASTBuilder.h:
999         (JSC::ASTBuilder::createGeneratorFunctionBody):
1000         New way to create a generator function with an inferred name.
1001
1002         * parser/Parser.cpp:
1003         (JSC::Parser<LexerType>::parseInner):
1004         (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
1005         * parser/Parser.h:
1006         Pass on the name of the generator wrapper function so we can
1007         use it on the inner generator function.
1008
1009 2016-11-17  Ryosuke Niwa  <rniwa@webkit.org>
1010
1011         Add an experimental API to find elements across shadow boundaries
1012         https://bugs.webkit.org/show_bug.cgi?id=164851
1013         <rdar://problem/28220092>
1014
1015         Reviewed by Sam Weinig.
1016
1017         * runtime/CommonIdentifiers.h:
1018
1019 2016-11-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1020
1021         [JSC] Drop arguments.caller
1022         https://bugs.webkit.org/show_bug.cgi?id=164859
1023
1024         Reviewed by Saam Barati.
1025
1026         Originally, some JavaScript engines had an `arguments.caller` property.
1027         But it easily causes information leaks and becomes an obstacle
1028         for secure ECMAScript (SES). In ES5, we made it deprecated in strict
1029         mode. To do so, we explicitly set a "caller" getter that throws TypeError
1030         on arguments in strict mode.
1031
1032         But now, there is no modern engine which supports `arguments.caller`
1033         in sloppy mode. So the original compatibility problem is gone and the
1034         "caller" getter on strict mode arguments becomes meaningless.
1035
1036         ES2017 drops this from the spec. In this patch, we also drop support
1037         for `arguments.caller` in strict mode.
1038
1039         Note that Function#caller is still alive.
1040
1041         * runtime/ClonedArguments.cpp:
1042         (JSC::ClonedArguments::getOwnPropertySlot):
1043         (JSC::ClonedArguments::put):
1044         (JSC::ClonedArguments::deleteProperty):
1045         (JSC::ClonedArguments::defineOwnProperty):
1046         (JSC::ClonedArguments::materializeSpecials):
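
The two caller-identity channels named in the entry above, `arguments.caller` and Function#caller, can be probed from script. The block below is an added example and is not WebKit code; it builds its sloppy-mode functions with the Function constructor so the probe behaves the same whether the file it lives in is strict or not, and it assumes a V8-or-JSC-class engine that follows the ES2017 strict arguments layout (own "length" and "callee", no "caller").

```javascript
// Added example (not WebKit code): probe what this engine exposes through
// arguments.caller and Function#caller. Sloppy-mode functions are built with
// the Function constructor so the probe is unaffected by the strictness of
// the surrounding module.

// Sloppy-mode callee that tries to name its caller through arguments.callee.caller.
const sloppyInner = new Function('return arguments.callee.caller;');
// Sloppy-mode caller that invokes it directly.
const sloppyOuter = new Function('inner', 'return inner();');

// true when a sloppy function can learn the identity of its caller: this is the
// information leak the entry above refers to, and it is still present in sloppy mode.
function sloppyCallerLeaks() {
  return sloppyOuter(sloppyInner) === sloppyOuter;
}

// Own property names of a strict-mode arguments object. An ES2017-conformant
// engine reports "length" and "callee" but no "caller".
function strictArgumentsOwnNames() {
  const probe = new Function('"use strict"; return Object.getOwnPropertyNames(arguments);');
  return probe();
}

// Function#caller on a strict function is a poison pill: reading it throws TypeError.
function strictFunctionCallerThrows() {
  const strictFn = new Function('"use strict"; return 0;');
  try {
    void strictFn.caller;
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Summarise the three probes. A locked-down (SES-style) environment wants the
// first channel closed as well, since strict mode alone only removes the other two.
function callerExposureReport() {
  return {
    sloppyCallerLeaks: sloppyCallerLeaks(),
    strictArgumentsHasCaller: strictArgumentsOwnNames().includes('caller'),
    strictFunctionCallerThrows: strictFunctionCallerThrows(),
  };
}
```

Running `callerExposureReport()` on an engine with this patch applied gives `strictArgumentsHasCaller: false`; the sloppy-mode leak through Function#caller remains, which is why the entry notes that Function#caller is still alive.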
1047
1048 2016-11-17  Mark Lam  <mark.lam@apple.com>
1049
1050         Inlining should be disallowed when JSC_alwaysUseShadowChicken=true.
1051         https://bugs.webkit.org/show_bug.cgi?id=164893
1052         <rdar://problem/29146436>
1053
1054         Reviewed by Saam Barati.
1055
1056         * runtime/Options.cpp:
1057         (JSC::recomputeDependentOptions):
1058
1059 2016-11-17  Filip Pizlo  <fpizlo@apple.com>
1060
1061         Speculatively disable eager object zero-fill on not-x86 to let the bots decide if that's a problem
1062         https://bugs.webkit.org/show_bug.cgi?id=164885
1063
1064         Reviewed by Mark Lam.
1065         
1066         This adds a useGCFences() function that we use to guard all eager object zero-fill and the
1067         related fences. It currently returns true only on x86().
1068         
1069         The goal here is to get the bots to tell us if this code is responsible for perf issues on
1070         any non-x86 platforms. We have a few different paths that we can pursue if this turns out
1071         to be the case. Eager zero-fill is merely the easiest way to optimize out some fences, but
1072         we could get rid of it and instead teach B3 how to think about fences.
1073
1074         * assembler/CPU.h:
1075         (JSC::useGCFences):
1076         * bytecode/PolymorphicAccess.cpp:
1077         (JSC::AccessCase::generateImpl):
1078         * dfg/DFGSpeculativeJIT.cpp:
1079         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1080         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1081         * ftl/FTLLowerDFGToB3.cpp:
1082         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1083         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
1084         (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
1085         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1086         (JSC::FTL::DFG::LowerDFGToB3::mutatorFence):
1087         (JSC::FTL::DFG::LowerDFGToB3::setButterfly):
1088         * jit/AssemblyHelpers.h:
1089         (JSC::AssemblyHelpers::mutatorFence):
1090         (JSC::AssemblyHelpers::storeButterfly):
1091         (JSC::AssemblyHelpers::emitInitializeInlineStorage):
1092         (JSC::AssemblyHelpers::emitInitializeOutOfLineStorage):
1093
1094 2016-11-17  Keith Miller  <keith_miller@apple.com>
1095
1096         Add rotate to Wasm
1097         https://bugs.webkit.org/show_bug.cgi?id=164871
1098
1099         Reviewed by Filip Pizlo.
1100
1101         Add rotate left and rotate right to Wasm. These directly map to B3 opcodes.
1102         This also moves arm specific transformations of rotate left to lower macros
1103         after optimization. It's a bad idea to have platform specific canonicalizations
1104         in reduce strength since other optimizations may not be aware of it.
1105
1106         Add a bug to do pure CSE after lower macros after optimization since we want to
1107         clean up RotL(value, Neg(Neg(shift))).
1108
1109         * b3/B3Generate.cpp:
1110         (JSC::B3::generateToAir):
1111         * b3/B3LowerMacrosAfterOptimizations.cpp:
1112         * b3/B3ReduceStrength.cpp:
1113         * wasm/wasm.json:
1114
1115 2016-11-17  Keith Miller  <keith_miller@apple.com>
1116
1117         Add sqrt to Wasm
1118         https://bugs.webkit.org/show_bug.cgi?id=164877
1119
1120         Reviewed by Mark Lam.
1121
1122         B3 already has a Sqrt opcode we just need to map Wasm to it.
1123
1124         * wasm/wasm.json:
1125
1126 2016-11-17  Keith Miller  <keith_miller@apple.com>
1127
1128         Add support for rotate in B3 and the relevant assemblers
1129         https://bugs.webkit.org/show_bug.cgi?id=164869
1130
1131         Reviewed by Geoffrey Garen.
1132
1133         This patch runs RotR and RotL (rotate right and left respectively)
1134         through B3 and B3's assemblers. One thing of note is that ARM64 does
1135         not support rotate left; instead, it allows negative right rotations.
1136
1137         This patch also fixes a theoretical bug in the assembler where
1138         on X86 doing someShiftOp(reg, edx) would instead shift the shift
1139         amount by the value. Additionally, this patch refactors some
1140         of the X86 assembler to use templates when deciding how to format
1141         the appropriate shift instruction.
1142
1143         * assembler/MacroAssemblerARM64.h:
1144         (JSC::MacroAssemblerARM64::rotateRight32):
1145         (JSC::MacroAssemblerARM64::rotateRight64):
1146         * assembler/MacroAssemblerX86Common.h:
1147         (JSC::MacroAssemblerX86Common::rotateRight32):
1148         (JSC::MacroAssemblerX86Common::rotateLeft32):
1149         * assembler/MacroAssemblerX86_64.h:
1150         (JSC::MacroAssemblerX86_64::lshift64):
1151         (JSC::MacroAssemblerX86_64::rshift64):
1152         (JSC::MacroAssemblerX86_64::urshift64):
1153         (JSC::MacroAssemblerX86_64::rotateRight64):
1154         (JSC::MacroAssemblerX86_64::rotateLeft64):
1155         (JSC::MacroAssemblerX86_64::or64):
1156         * assembler/X86Assembler.h:
1157         (JSC::X86Assembler::xorq_rm):
1158         (JSC::X86Assembler::shiftInstruction32):
1159         (JSC::X86Assembler::sarl_i8r):
1160         (JSC::X86Assembler::shrl_i8r):
1161         (JSC::X86Assembler::shll_i8r):
1162         (JSC::X86Assembler::rorl_i8r):
1163         (JSC::X86Assembler::rorl_CLr):
1164         (JSC::X86Assembler::roll_i8r):
1165         (JSC::X86Assembler::roll_CLr):
1166         (JSC::X86Assembler::shiftInstruction64):
1167         (JSC::X86Assembler::sarq_CLr):
1168         (JSC::X86Assembler::sarq_i8r):
1169         (JSC::X86Assembler::shrq_i8r):
1170         (JSC::X86Assembler::shlq_i8r):
1171         (JSC::X86Assembler::rorq_i8r):
1172         (JSC::X86Assembler::rorq_CLr):
1173         (JSC::X86Assembler::rolq_i8r):
1174         (JSC::X86Assembler::rolq_CLr):
1175         * b3/B3Common.h:
1176         (JSC::B3::rotateRight):
1177         (JSC::B3::rotateLeft):
1178         * b3/B3Const32Value.cpp:
1179         (JSC::B3::Const32Value::rotRConstant):
1180         (JSC::B3::Const32Value::rotLConstant):
1181         * b3/B3Const32Value.h:
1182         * b3/B3Const64Value.cpp:
1183         (JSC::B3::Const64Value::rotRConstant):
1184         (JSC::B3::Const64Value::rotLConstant):
1185         * b3/B3Const64Value.h:
1186         * b3/B3LowerToAir.cpp:
1187         (JSC::B3::Air::LowerToAir::lower):
1188         * b3/B3Opcode.cpp:
1189         (WTF::printInternal):
1190         * b3/B3Opcode.h:
1191         * b3/B3ReduceStrength.cpp:
1192         * b3/B3Validate.cpp:
1193         * b3/B3Value.cpp:
1194         (JSC::B3::Value::rotRConstant):
1195         (JSC::B3::Value::rotLConstant):
1196         (JSC::B3::Value::effects):
1197         (JSC::B3::Value::key):
1198         (JSC::B3::Value::typeFor):
1199         * b3/B3Value.h:
1200         * b3/B3ValueKey.cpp:
1201         (JSC::B3::ValueKey::materialize):
1202         * b3/air/AirInstInlines.h:
1203         (JSC::B3::Air::isRotateRight32Valid):
1204         (JSC::B3::Air::isRotateLeft32Valid):
1205         (JSC::B3::Air::isRotateRight64Valid):
1206         (JSC::B3::Air::isRotateLeft64Valid):
1207         * b3/air/AirOpcode.opcodes:
1208         * b3/testb3.cpp:
1209         (JSC::B3::testRotR):
1210         (JSC::B3::testRotL):
1211         (JSC::B3::testRotRWithImmShift):
1212         (JSC::B3::testRotLWithImmShift):
1213         (JSC::B3::run):
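
The rotate lowering described in this entry and in the "Add rotate to Wasm" entry above (rotate left expressed as a rotate right by the negated count, and the `RotL(value, Neg(Neg(shift)))` pattern that lowering leaves behind) can be checked in plain JavaScript. The block below is an added example, not code from WebKit's B3 or its assemblers; it assumes, as the x86 and ARM64 rotate instructions do, that the rotate count is masked to the operand width.

```javascript
// Added example (not WebKit code): 32- and 64-bit rotates, and the ARM64-style
// lowering of rotate-left to rotate-right by a negated count. Counts are masked
// to 0..width-1, matching the hardware rotate instructions (assumption for
// this example; B3's exact masking rules are not restated here).

// Rotate right, 32-bit, on an unsigned 32-bit view of x.
function rotr32(x, n) {
  x >>>= 0;
  n &= 31;
  if (n === 0) return x;          // a JS shift by 32 is a shift by 0, so guard the edge
  return ((x >>> n) | (x << (32 - n))) >>> 0;
}

// Rotate left, 32-bit.
function rotl32(x, n) {
  x >>>= 0;
  n &= 31;
  if (n === 0) return x;
  return ((x << n) | (x >>> (32 - n))) >>> 0;
}

// ARM64 has no rotate-left instruction: rotl(x, n) == rotr(x, (-n) mod 32).
// This is the "negative right rotation" the entry mentions.
function rotl32ViaRotr(x, n) {
  return rotr32(x, (-n) & 31);
}

// 64-bit variants use BigInt so the full width is kept.
function rotr64(x, n) {
  x = BigInt.asUintN(64, x);
  const k = BigInt(n) & 63n;
  if (k === 0n) return x;
  return BigInt.asUintN(64, (x >> k) | (x << (64n - k)));
}

function rotl64(x, n) {
  x = BigInt.asUintN(64, x);
  const k = BigInt(n) & 63n;
  if (k === 0n) return x;
  return BigInt.asUintN(64, (x << k) | (x >> (64n - k)));
}

function rotl64ViaRotr(x, n) {
  return rotr64(x, (-n) & 63);
}

// Exhaustive-over-counts check of the identities the lowering relies on:
//   rotl(x, n) == rotr(x, -n)          (the ARM64 lowering)
//   rotl(x, -m) == rotr(x, m)          (Neg(Neg(m)) collapses to m)
//   rotr(rotl(x, n), n) == x           (round trip)
function rotateLoweringHolds() {
  const samples = [0, 1, 0x80000001, 0x12345678, 0xdeadbeef, 0xffffffff];
  for (const x of samples) {
    for (let n = -70; n <= 70; n++) {
      if (rotl32(x, n) !== rotl32ViaRotr(x, n)) return false;
      if (rotl32ViaRotr(x, -n) !== rotr32(x, n)) return false;
      if (rotr32(rotl32(x, n), n) !== (x >>> 0)) return false;
      const wide = BigInt(x >>> 0) << 32n;
      if (rotl64(wide, n) !== rotl64ViaRotr(wide, n)) return false;
      if (rotr64(rotl64(wide, n), n) !== wide) return false;
    }
  }
  return true;
}
```

The count range in `rotateLoweringHolds` deliberately runs past the operand width in both directions so that the masking, which the negated-count lowering depends on, is exercised rather than assumed.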
1214
1215 2016-11-17  Saam Barati  <sbarati@apple.com>
1216
1217         Remove async/await compile time flag and enable tests
1218         https://bugs.webkit.org/show_bug.cgi?id=164828
1219         <rdar://problem/28639334>
1220
1221         Reviewed by Yusuke Suzuki.
1222
1223         * Configurations/FeatureDefines.xcconfig:
1224         * parser/Parser.cpp:
1225         (JSC::Parser<LexerType>::parseStatementListItem):
1226         (JSC::Parser<LexerType>::parseStatement):
1227         (JSC::Parser<LexerType>::parseClass):
1228         (JSC::Parser<LexerType>::parseExportDeclaration):
1229         (JSC::Parser<LexerType>::parseAssignmentExpression):
1230         (JSC::Parser<LexerType>::parseProperty):
1231         (JSC::Parser<LexerType>::parsePrimaryExpression):
1232         (JSC::Parser<LexerType>::parseMemberExpression):
1233         (JSC::Parser<LexerType>::parseUnaryExpression):
1234
1235 2016-11-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1236
1237         [JSC] WTF::TemporaryChange with WTF::SetForScope
1238         https://bugs.webkit.org/show_bug.cgi?id=164761
1239
1240         Reviewed by Saam Barati.
1241
1242         * bytecompiler/BytecodeGenerator.h:
1243         * bytecompiler/SetForScope.h: Removed.
1244         * debugger/Debugger.cpp:
1245         * inspector/InspectorBackendDispatcher.cpp:
1246         (Inspector::BackendDispatcher::dispatch):
1247         * inspector/ScriptDebugServer.cpp:
1248         (Inspector::ScriptDebugServer::dispatchBreakpointActionLog):
1249         (Inspector::ScriptDebugServer::dispatchBreakpointActionSound):
1250         (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe):
1251         (Inspector::ScriptDebugServer::sourceParsed):
1252         (Inspector::ScriptDebugServer::dispatchFunctionToListeners):
1253         * parser/Parser.cpp:
1254
1255 2016-11-16  Mark Lam  <mark.lam@apple.com>
1256
1257         ExceptionFuzz needs to placate exception check verification before overwriting a thrown exception.
1258         https://bugs.webkit.org/show_bug.cgi?id=164843
1259
1260         Reviewed by Keith Miller.
1261
1262         The ThrowScope will check for unchecked simulated exceptions before throwing a
1263         new exception.  This ensures that we don't quietly overwrite a pending exception
1264         (which should never happen, with the only exception being to rethrow the same
1265         exception).  However, ExceptionFuzz works by intentionally throwing its own
1266         exception even when one may already exist thereby potentially overwriting an
1267         existing exception.  This is ok for ExceptionFuzz testing, but we need to placate
1268         the exception check verifier before ExceptionFuzz throws its own exception.
1269
1270         * runtime/ExceptionFuzz.cpp:
1271         (JSC::doExceptionFuzzing):
1272
1273 2016-11-16  Geoffrey Garen  <ggaren@apple.com>
1274
1275         UnlinkedCodeBlock should not have a starting line number
1276         https://bugs.webkit.org/show_bug.cgi?id=164838
1277
1278         Reviewed by Mark Lam.
1279
1280         Here's how the starting line number in UnlinkedCodeBlock used to work:
1281
1282         (1) Assign the source code starting line number to the parser starting
1283         line number.
1284
1285         (2) Assign (1) to the AST.
1286
1287         (3) Subtract (1) from (2) and assign to UnlinkedCodeBlock.
1288
1289         Then, when linking:
1290
1291         (4) Add (3) to (1).
1292
1293         This was an awesome no-op.
1294
1295         Generally, unlinked code is code that is not tied to any particular
1296         web page or resource. So, it's inappropriate to think of it as having a
1297         starting line number.
1298
1299         * bytecode/UnlinkedCodeBlock.cpp:
1300         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1301         * bytecode/UnlinkedCodeBlock.h:
1302         (JSC::UnlinkedCodeBlock::recordParse):
1303         (JSC::UnlinkedCodeBlock::hasCapturedVariables):
1304         (JSC::UnlinkedCodeBlock::firstLine): Deleted.
1305         * runtime/CodeCache.cpp:
1306         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
1307         * runtime/CodeCache.h:
1308         (JSC::generateUnlinkedCodeBlock):
1309
1310 2016-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1311
1312         [ES6][WebCore] Change ES6_MODULES compile time flag to runtime flag
1313         https://bugs.webkit.org/show_bug.cgi?id=164827
1314
1315         Reviewed by Ryosuke Niwa.
1316
1317         * Configurations/FeatureDefines.xcconfig:
1318
1319 2016-11-16  Filip Pizlo  <fpizlo@apple.com>
1320
1321         Unreviewed, roll out r208811. It's not sound.
1322
1323         * ftl/FTLLowerDFGToB3.cpp:
1324         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1325         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
1326         (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
1327         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1328         (JSC::FTL::DFG::LowerDFGToB3::mutatorFence):
1329         (JSC::FTL::DFG::LowerDFGToB3::setButterfly):
1330         (JSC::FTL::DFG::LowerDFGToB3::splatWordsIfMutatorIsFenced): Deleted.
1331
1332 2016-11-16  Keith Miller  <keith_miller@apple.com>
1333
1334         Wasm function parser should use template functions for each binary and unary opcode
1335         https://bugs.webkit.org/show_bug.cgi?id=164835
1336
1337         Reviewed by Mark Lam.
1338
1339         This patch changes the wasm function parser to call into a template specialization
1340         for each binary/unary opcode. This change makes it easier to have custom implementations
1341         of various opcodes. It is also, in theory, a speedup since it does not require switching
1342         on the opcode twice.
1343
1344         * CMakeLists.txt:
1345         * DerivedSources.make:
1346         * wasm/WasmB3IRGenerator.cpp:
1347         (): Deleted.
1348         * wasm/WasmFunctionParser.h:
1349         (JSC::Wasm::FunctionParser<Context>::binaryCase):
1350         (JSC::Wasm::FunctionParser<Context>::unaryCase):
1351         (JSC::Wasm::FunctionParser<Context>::parseExpression):
1352         * wasm/WasmValidate.cpp:
1353         * wasm/generateWasm.py:
1354         (isBinary):
1355         (isSimple):
1356         * wasm/generateWasmB3IRGeneratorInlinesHeader.py: Added.
1357         (generateSimpleCode):
1358         * wasm/generateWasmOpsHeader.py:
1359         (opcodeMacroizer):
1360         * wasm/generateWasmValidateInlinesHeader.py:
1361
1362 2016-11-16  Mark Lam  <mark.lam@apple.com>
1363
1364         ExceptionFuzz functions should use its client's ThrowScope.
1365         https://bugs.webkit.org/show_bug.cgi?id=164834
1366
1367         Reviewed by Geoffrey Garen.
1368
1369         This is because ExceptionFuzz's purpose is to throw exceptions from its client at
1370         exception check sites.  Using the client's ThrowScope solves 2 problems:
1371
1372         1. If ExceptionFuzz instantiates its own ThrowScope, the simulated throw will be
1373            mis-attributed to ExceptionFuzz when it should be attributed to its client.
1374
1375         2. One way exception scope verification works is by having ThrowScopes assert
1376            that there are no unchecked simulated exceptions when the ThrowScope is
1377            instantiated.  However, ExceptionFuzz necessarily works by inserting
1378            doExceptionFuzzingIfEnabled() in between a ThrowScope that simulated a throw
1379            and an exception check.  If we declare a ThrowScope in ExceptionFuzz's code,
1380            we will be instantiating the ThrowScope between the point where a simulated
1381            throw occurs and where the needed exception check can occur.  Hence, having
1382            ExceptionFuzz instantiate its own ThrowScope will fail exception scope
1383            verification every time.
1384
1385         Changing ExceptionFuzz to use its client's ThrowScope resolves both problems.
1386
1387         Also fixed the THROW() macro in CommonSlowPaths.cpp to use the ThrowScope that
1388         already exists in every slow path function instead of creating a new one.
1389
1390         * jit/JITOperations.cpp:
1391         * llint/LLIntSlowPaths.cpp:
1392         * runtime/CommonSlowPaths.cpp:
1393         * runtime/ExceptionFuzz.cpp:
1394         (JSC::doExceptionFuzzing):
1395         * runtime/ExceptionFuzz.h:
1396         (JSC::doExceptionFuzzingIfEnabled):
1397
1398 2016-11-16  Filip Pizlo  <fpizlo@apple.com>
1399
1400         Slight Octane regression from concurrent GC's eager object zero-fill
1401         https://bugs.webkit.org/show_bug.cgi?id=164823
1402
1403         Reviewed by Geoffrey Garen.
1404         
1405         During concurrent GC, we need to eagerly zero-fill objects we allocate prior to
1406         executing the end-of-allocation fence. This causes some regressions. This is an attempt
1407         to fix those regressions by making them conditional on whether the mutator is fenced.
1408         
1409         This is a slight speed-up on raytrace and boyer, and hopefully it will fix the
1410         regression.
1411
1412         * ftl/FTLLowerDFGToB3.cpp:
1413         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1414         (JSC::FTL::DFG::LowerDFGToB3::splatWordsIfMutatorIsFenced):
1415         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
1416         (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
1417         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1418         (JSC::FTL::DFG::LowerDFGToB3::mutatorFence):
1419         (JSC::FTL::DFG::LowerDFGToB3::setButterfly):
1420
2016-11-16  Mark Lam  <mark.lam@apple.com>

        Fix exception scope checking in JSGlobalObject.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=164831

        Reviewed by Saam Barati.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        - Use a CatchScope here because we don't ever expect JSGlobalObject initialization
          to fail with errors.
        (JSC::JSGlobalObject::put):
        - Fix exception check requirements.

2016-11-16  Keith Miller  <keith_miller@apple.com>

        Unreviewed, ARM build fix.

        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::lower):
        (JSC::B3::Air::LowerToAir::lowerX86Div):
        (JSC::B3::Air::LowerToAir::lowerX86UDiv):

2016-11-15  Mark Lam  <mark.lam@apple.com>

        Make JSC test functions more robust.
        https://bugs.webkit.org/show_bug.cgi?id=164807

        Reviewed by Keith Miller.

        * jsc.cpp:
        (functionGetHiddenValue):
        (functionSetHiddenValue):

2016-11-15  Keith Miller  <keith_miller@apple.com>

        B3 should support UDiv/UMod
        https://bugs.webkit.org/show_bug.cgi?id=164811

        Reviewed by Filip Pizlo.

        This patch adds support for UDiv and UMod in B3. Many of the magic number
        cases have been omitted for now since they are unlikely to happen in wasm
        code. Most wasm code we will see is generated via llvm, which has more
        robust versions of what we would do anyway. Additionally, this patch
        links the new opcodes up to the wasm parser.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::uDiv32):
        (JSC::MacroAssemblerARM64::uDiv64):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::x86UDiv32):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::x86UDiv64):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::divq_r):
        * b3/B3Common.h:
        (JSC::B3::chillUDiv):
        (JSC::B3::chillUMod):
        * b3/B3Const32Value.cpp:
        (JSC::B3::Const32Value::uDivConstant):
        (JSC::B3::Const32Value::uModConstant):
        * b3/B3Const32Value.h:
        * b3/B3Const64Value.cpp:
        (JSC::B3::Const64Value::uDivConstant):
        (JSC::B3::Const64Value::uModConstant):
        * b3/B3Const64Value.h:
        * b3/B3LowerMacros.cpp:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::lower):
        (JSC::B3::Air::LowerToAir::lowerX86UDiv):
        * b3/B3Opcode.cpp:
        (WTF::printInternal):
        * b3/B3Opcode.h:
        * b3/B3ReduceStrength.cpp:
        * b3/B3Validate.cpp:
        * b3/B3Value.cpp:
        (JSC::B3::Value::uDivConstant):
        (JSC::B3::Value::uModConstant):
        (JSC::B3::Value::effects):
        (JSC::B3::Value::key):
        (JSC::B3::Value::typeFor):
        * b3/B3Value.h:
        * b3/B3ValueKey.cpp:
        (JSC::B3::ValueKey::materialize):
        * b3/air/AirInstInlines.h:
        (JSC::B3::Air::isX86UDiv32Valid):
        (JSC::B3::Air::isX86UDiv64Valid):
        * b3/air/AirOpcode.opcodes:
        * b3/testb3.cpp:
        (JSC::B3::testUDivArgsInt32):
        (JSC::B3::testUDivArgsInt64):
        (JSC::B3::testUModArgsInt32):
        (JSC::B3::testUModArgsInt64):
        (JSC::B3::run):
        * wasm/wasm.json:

2016-11-15  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Preview other CSS @media in browser window (print)
        https://bugs.webkit.org/show_bug.cgi?id=13530
        <rdar://problem/5712928>

        Reviewed by Timothy Hatcher.

        * inspector/protocol/Page.json:
        Update to preferred JSON style.

2016-11-15  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, revert renaming useConcurrentJIT to useConcurrentJS.

        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * heap/Heap.cpp:
        (JSC::Heap::addToRememberedSet):
        * jit/JITWorklist.cpp:
        (JSC::JITWorklist::compileLater):
        (JSC::JITWorklist::compileNow):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:
        * runtime/WriteBarrierInlines.h:
        (JSC::WriteBarrierBase<T>::set):
        (JSC::WriteBarrierBase<Unknown>::set):

2016-11-15  Geoffrey Garen  <ggaren@apple.com>

        Debugging and other tools should not disable the code cache
        https://bugs.webkit.org/show_bug.cgi?id=164802

        Reviewed by Mark Lam.

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::fromGlobalCode): Updated for interface
        change.

        * parser/SourceCodeKey.h:
        (JSC::SourceCodeFlags::SourceCodeFlags):
        (JSC::SourceCodeFlags::bits):
        (JSC::SourceCodeKey::SourceCodeKey): Treat debugging and other tools
        as part of our key so that we can cache code while using tools. Be sure
        to include these bits in our hash function so you don't get storms of
        collisions as you open and close the Web Inspector.

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable): Treat tools as
        a part of our key instead of as a reason to disable caching.

        * runtime/CodeCache.h:

2016-11-15  Mark Lam  <mark.lam@apple.com>

        Remove JSString::SafeView and replace its uses with StringViewWithUnderlyingString.
        https://bugs.webkit.org/show_bug.cgi?id=164777

        Reviewed by Geoffrey Garen.

        JSString::SafeView no longer achieves its intended goal to make it easier to
        handle strings safely.  Its clients still need to do explicit exception checks in
        order to be correct.  We'll remove it and replace its uses with
        StringViewWithUnderlyingString instead, which serves to get a StringView
        (which is what we really wanted from SafeView) and keeps the backing String alive
        while the view is in use.

        Also added some missing exception checks.

        * jsc.cpp:
        (printInternal):
        (functionDebug):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncJoin):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/IntlCollatorPrototype.cpp:
        (JSC::IntlCollatorFuncCompare):
        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::genericTypedArrayViewProtoFuncJoin):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::toStringView):
        (JSC::globalFuncParseFloat):
        * runtime/JSONObject.cpp:
        (JSC::JSONProtoFuncParse):
        * runtime/JSString.h:
        (JSC::JSString::SafeView::is8Bit): Deleted.
        (JSC::JSString::SafeView::length): Deleted.
        (JSC::JSString::SafeView::SafeView): Deleted.
        (JSC::JSString::SafeView::get): Deleted.
        (JSC::JSString::view): Deleted.
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncRepeatCharacter):
        (JSC::stringProtoFuncCharAt):
        (JSC::stringProtoFuncCharCodeAt):
        (JSC::stringProtoFuncIndexOf):
        (JSC::stringProtoFuncNormalize):

2016-11-15  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, remove bogus assertion.

        * heap/Heap.cpp:
        (JSC::Heap::markToFixpoint):

2016-11-15  Filip Pizlo  <fpizlo@apple.com>

        [mac-wk1 debug] ASSERTION FAILED: thisObject->m_propertyTableUnsafe
        https://bugs.webkit.org/show_bug.cgi?id=162986

        Reviewed by Saam Barati.

        This assertion is wrong for concurrent GC anyway, so this removes it.

        * runtime/Structure.cpp:
        (JSC::Structure::visitChildren):

2016-11-15  Filip Pizlo  <fpizlo@apple.com>

        Rename CONCURRENT_JIT/ConcurrentJIT to CONCURRENT_JS/ConcurrentJS
        https://bugs.webkit.org/show_bug.cgi?id=164791

        Reviewed by Geoffrey Garen.

        Just renaming.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/ArrayProfile.cpp:
        (JSC::ArrayProfile::computeUpdatedPrediction):
        (JSC::ArrayProfile::briefDescription):
        (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
        * bytecode/ArrayProfile.h:
        (JSC::ArrayProfile::observedArrayModes):
        (JSC::ArrayProfile::mayInterceptIndexedAccesses):
        (JSC::ArrayProfile::mayStoreToHole):
        (JSC::ArrayProfile::outOfBounds):
        (JSC::ArrayProfile::usesOriginalArrayStructures):
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFromLLInt):
        (JSC::CallLinkStatus::computeFor):
        (JSC::CallLinkStatus::computeExitSiteData):
        (JSC::CallLinkStatus::computeFromCallLinkInfo):
        (JSC::CallLinkStatus::computeDFGStatuses):
        * bytecode/CallLinkStatus.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpValueProfiling):
        (JSC::CodeBlock::dumpArrayProfiling):
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::setConstantRegisters):
        (JSC::CodeBlock::getStubInfoMap):
        (JSC::CodeBlock::getCallLinkInfoMap):
        (JSC::CodeBlock::getByValInfoMap):
        (JSC::CodeBlock::addStubInfo):
        (JSC::CodeBlock::addByValInfo):
        (JSC::CodeBlock::addCallLinkInfo):
        (JSC::CodeBlock::resetJITData):
        (JSC::CodeBlock::shrinkToFit):
        (JSC::CodeBlock::getArrayProfile):
        (JSC::CodeBlock::addArrayProfile):
        (JSC::CodeBlock::getOrAddArrayProfile):
        (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
        (JSC::CodeBlock::updateAllArrayPredictions):
        (JSC::CodeBlock::nameForRegister):
        (JSC::CodeBlock::livenessAnalysisSlow):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::setJITCode):
        (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
        (JSC::CodeBlock::addFrequentExitSite):
        (JSC::CodeBlock::hasExitSite):
        (JSC::CodeBlock::livenessAnalysis):
        * bytecode/DFGExitProfile.cpp:
        (JSC::DFG::ExitProfile::add):
        (JSC::DFG::ExitProfile::hasExitSite):
        (JSC::DFG::QueryableExitProfile::initialize):
        * bytecode/DFGExitProfile.h:
        (JSC::DFG::ExitProfile::hasExitSite):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::hasExitSite):
        (JSC::GetByIdStatus::computeFor):
        (JSC::GetByIdStatus::computeForStubInfo):
        (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
        * bytecode/GetByIdStatus.h:
        * bytecode/LazyOperandValueProfile.cpp:
        (JSC::CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions):
        (JSC::CompressedLazyOperandValueProfileHolder::add):
        (JSC::LazyOperandValueProfileParser::initialize):
        (JSC::LazyOperandValueProfileParser::prediction):
        * bytecode/LazyOperandValueProfile.h:
        * bytecode/MethodOfGettingAValueProfile.cpp:
        (JSC::MethodOfGettingAValueProfile::emitReportValue):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::hasExitSite):
        (JSC::PutByIdStatus::computeFor):
        (JSC::PutByIdStatus::computeForStubInfo):
        * bytecode/PutByIdStatus.h:
        * bytecode/StructureStubClearingWatchpoint.cpp:
        (JSC::StructureStubClearingWatchpoint::fireInternal):
        * bytecode/ValueProfile.h:
        (JSC::ValueProfileBase::briefDescription):
        (JSC::ValueProfileBase::computeUpdatedPrediction):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::fromObserved):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::withSpeculationFromProfile):
        (JSC::DFG::ArrayMode::withProfile):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
        (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
        (JSC::DFG::ByteCodeParser::getArrayMode):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::tryGetConstantClosureVar):
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * dfg/DFGPredictionInjectionPhase.cpp:
        (JSC::DFG::PredictionInjectionPhase::run):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::operationMaterializeObjectInOSR):
        * heap/Heap.cpp:
        (JSC::Heap::addToRememberedSet):
        * jit/JIT.cpp:
        (JSC::JIT::compileWithoutLinking):
        * jit/JITInlines.h:
        (JSC::JIT::chooseArrayMode):
        * jit/JITOperations.cpp:
        (JSC::tryGetByValOptimize):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompileGetByValWithCachedId):
        (JSC::JIT::privateCompilePutByValWithCachedId):
        * jit/JITWorklist.cpp:
        (JSC::JITWorklist::compileLater):
        (JSC::JITWorklist::compileNow):
        * jit/Repatch.cpp:
        (JSC::repatchGetByID):
        (JSC::repatchPutByID):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setupGetByIdPrototypeCache):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::setUpCall):
        * profiler/ProfilerBytecodeSequence.cpp:
        (JSC::Profiler::BytecodeSequence::BytecodeSequence):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
        (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
        * runtime/ConcurrentJITLock.h: Removed.
        * runtime/ConcurrentJSLock.h: Copied from Source/JavaScriptCore/runtime/ConcurrentJITLock.h.
        (JSC::ConcurrentJSLockerBase::ConcurrentJSLockerBase):
        (JSC::ConcurrentJSLockerBase::~ConcurrentJSLockerBase):
        (JSC::GCSafeConcurrentJSLocker::GCSafeConcurrentJSLocker):
        (JSC::GCSafeConcurrentJSLocker::~GCSafeConcurrentJSLocker):
        (JSC::ConcurrentJSLocker::ConcurrentJSLocker):
        (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase): Deleted.
        (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase): Deleted.
        (JSC::ConcurrentJITLockerBase::unlockEarly): Deleted.
        (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker): Deleted.
        (JSC::GCSafeConcurrentJITLocker::~GCSafeConcurrentJITLocker): Deleted.
        (JSC::ConcurrentJITLocker::ConcurrentJITLocker): Deleted.
        * runtime/InferredType.cpp:
        (JSC::InferredType::canWatch):
        (JSC::InferredType::addWatchpoint):
        (JSC::InferredType::willStoreValueSlow):
        (JSC::InferredType::makeTopSlow):
        (JSC::InferredType::set):
        (JSC::InferredType::removeStructure):
        * runtime/InferredType.h:
        * runtime/InferredTypeTable.cpp:
        (JSC::InferredTypeTable::visitChildren):
        (JSC::InferredTypeTable::get):
        (JSC::InferredTypeTable::willStoreValue):
        (JSC::InferredTypeTable::makeTop):
        * runtime/InferredTypeTable.h:
        * runtime/JSEnvironmentRecord.cpp:
        (JSC::JSEnvironmentRecord::heapSnapshot):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::addGlobalVar):
        (JSC::JSGlobalObject::addStaticGlobals):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        * runtime/JSObject.cpp:
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::shiftButterflyAfterFlattening):
        * runtime/JSObject.h:
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putDirectWithoutTransition):
        (JSC::JSObject::putDirectInternal):
        * runtime/JSScope.cpp:
        (JSC::abstractAccess):
        (JSC::JSScope::collectClosureVariablesUnderTDZ):
        * runtime/JSSegmentedVariableObject.cpp:
        (JSC::JSSegmentedVariableObject::findVariableIndex):
        (JSC::JSSegmentedVariableObject::addVariables):
        (JSC::JSSegmentedVariableObject::heapSnapshot):
        * runtime/JSSegmentedVariableObject.h:
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTableGet):
        (JSC::symbolTablePut):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:
        * runtime/ProgramExecutable.cpp:
        (JSC::ProgramExecutable::initializeGlobalProperties):
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::matchConcurrently):
        (JSC::RegExp::compileMatchOnly):
        (JSC::RegExp::deleteCode):
        * runtime/RegExp.h:
        * runtime/Structure.cpp:
        (JSC::Structure::materializePropertyTable):
        (JSC::Structure::addPropertyTransitionToExistingStructureConcurrently):
        (JSC::Structure::addNewPropertyTransition):
        (JSC::Structure::takePropertyTableOrCloneIfPinned):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::flattenDictionaryStructure):
        (JSC::Structure::ensurePropertyReplacementWatchpointSet):
        (JSC::Structure::add):
        (JSC::Structure::remove):
        (JSC::Structure::visitChildren):
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::propertyReplacementWatchpointSet):
        (JSC::Structure::add):
        (JSC::Structure::remove):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTable::visitChildren):
        (JSC::SymbolTable::localToEntry):
        (JSC::SymbolTable::entryFor):
        (JSC::SymbolTable::prepareForTypeProfiling):
        (JSC::SymbolTable::uniqueIDForVariable):
        (JSC::SymbolTable::uniqueIDForOffset):
        (JSC::SymbolTable::globalTypeSetForOffset):
        (JSC::SymbolTable::globalTypeSetForVariable):
        * runtime/SymbolTable.h:
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::addTypeInformation):
        (JSC::TypeSet::invalidateCache):
        * runtime/TypeSet.h:
        (JSC::TypeSet::structureSet):
        * runtime/VM.h:
        * runtime/WriteBarrierInlines.h:
        (JSC::WriteBarrierBase<T>::set):
        (JSC::WriteBarrierBase<Unknown>::set):
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::ByteCompiler::compile):
        (JSC::Yarr::byteCompile):
        * yarr/YarrInterpreter.h:
        (JSC::Yarr::BytecodePattern::BytecodePattern):

2016-11-15  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove unused and untested Page.setTouchEmulationEnabled command
        https://bugs.webkit.org/show_bug.cgi?id=164793

        Reviewed by Matt Baker.

        * inspector/protocol/Page.json:

2016-11-15  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, build fix for Windows debug build after r208738
        https://bugs.webkit.org/show_bug.cgi?id=164727

        This static member variable can be touched outside of the JSC project
        since inlined MacroAssembler member functions read / write it.
        So it should be exported.

        * assembler/MacroAssemblerX86Common.h:

2016-11-15  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: inspector/worker/debugger-pause.html fails on WebKit1
        https://bugs.webkit.org/show_bug.cgi?id=164787

        Reviewed by Timothy Hatcher.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::cancelPauseOnNextStatement):
        Clear this DebuggerAgent state when we resume.

2016-11-15  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to disable concurrent GC timeslicing
        https://bugs.webkit.org/show_bug.cgi?id=164788

        Reviewed by Saam Barati.

        Collector timeslicing means that the collector will try to pause once every 2ms. This is
        great because it throttles the mutator and prevents it from outpacing the collector. But
        it reduces some of the efficacy of the collectContinuously=true configuration: while
        it's great that collecting continuously means that the collector will also pause more
        frequently and so it will test the pausing code, it also means that the collector will
        spend less time running concurrently. The primary purpose of collectContinuously is to
        maximize the amount of time that the collector is running concurrently to the mutator to
        maximize the likelihood that a race will cause a detectable error.

        This adds an option to disable collector timeslicing (useCollectorTimeslicing=false).
        The idea is that we will usually use this in conjunction with collectContinuously=true
        to find race conditions during marking, but we can also use the two options
        independently to focus our testing on other things.

        * heap/Heap.cpp:
        (JSC::Heap::markToFixpoint):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::drainInParallel): We should have added this helper ages ago.
        * heap/SlotVisitor.h:
        * runtime/Options.h:

2016-11-15  Filip Pizlo  <fpizlo@apple.com>

        The concurrent GC should have a timeslicing controller
        https://bugs.webkit.org/show_bug.cgi?id=164783

        Reviewed by Geoffrey Garen.

        This adds a simple control system for deciding when the collector should let the mutator run
        and when it should stop the mutator. We definitely have to stop the mutator during certain
        collector phases, but during marking - which takes the most time - we can go either way.
        Normally we want to let the mutator run, but if the heap size starts to grow then we have to
        stop the mutator just to make sure it doesn't get too far ahead of the collector. That could
        lead to memory exhaustion, so it's better to just stop in that case.

        The controller tries to never stop the mutator for longer than short timeslices. It slices on
        a 2ms period (configurable via Options). The amount of that period that the collector spends
        with the mutator stopped is determined by the fraction of the collector's concurrent headroom
        that has been allocated over. The headroom is currently configured at 50% of what was
        allocated before the collector started.

        This moves a bunch of parameters into Options so that it's easier to play with different
        configurations.

        I tried these different values for the period:

        1ms: 30% worse than 2ms on splay-latency.
        2ms: best score on splay-latency: the tick time above the 99.5% percentile is <2ms.
        3ms: 40% worse than 2ms on splay-latency.
        4ms: 40% worse than 2ms on splay-latency.

        I also tried 100% headroom as an alternate to 50% and found it to be worse.

        This patch is a 2x improvement on splay-latency with the default parameters and concurrent GC
        enabled. Prior to this change, the GC didn't have a good bound on its pause times, which
        would cause these problems. Concurrent GC is now 5.6x better on splay-latency than no
        concurrent GC.

        * heap/Heap.cpp:
        (JSC::Heap::ResumeTheWorldScope::ResumeTheWorldScope):
        (JSC::Heap::markToFixpoint):
        (JSC::Heap::collectInThread):
        * runtime/Options.h:

2016-11-15  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, build fix for CLoop after r208738
        https://bugs.webkit.org/show_bug.cgi?id=164727

        * jsc.cpp:
        (WTF::DOMJITFunctionObject::unsafeFunction):
        (WTF::DOMJITFunctionObject::finishCreation):

2016-11-15  Mark Lam  <mark.lam@apple.com>

        The jsc shell's setImpureGetterDelegate() should ensure that the set value is an ImpureGetter.
        https://bugs.webkit.org/show_bug.cgi?id=164781
        <rdar://problem/28418590>

        Reviewed by Geoffrey Garen and Michael Saboff.

        * jsc.cpp:
        (functionSetImpureGetterDelegate):

2016-11-15  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DOMJIT] Allow using macro assembler scratches in FTL CheckDOM
        https://bugs.webkit.org/show_bug.cgi?id=164727

        Reviewed by Filip Pizlo.

        While CallDOMGetter can use macro assembler scratch registers, we previously
        assumed that CheckDOM code generator does not use macro assembler scratch registers.
        It is currently true in x86 environment. But it is not true in the other environments.

        We should not limit DOMJIT::Patchpoint's functionality in such a way. We should allow
        arbitrary macro assembler operations inside the DOMJIT::Patchpoint. This patch allows
        CheckDOM to use macro assembler scratch registers.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckDOM):
        * jsc.cpp:
        (WTF::DOMJITFunctionObject::DOMJITFunctionObject):
        (WTF::DOMJITFunctionObject::createStructure):
        (WTF::DOMJITFunctionObject::create):
        (WTF::DOMJITFunctionObject::unsafeFunction):
        (WTF::DOMJITFunctionObject::safeFunction):
        (WTF::DOMJITFunctionObject::checkDOMJITNode):
        (WTF::DOMJITFunctionObject::finishCreation):
        (GlobalObject::finishCreation):
        (functionCreateDOMJITFunctionObject):

2016-11-14  Geoffrey Garen  <ggaren@apple.com>

        CodeCache should stop pretending to cache builtins
        https://bugs.webkit.org/show_bug.cgi?id=164750

        Reviewed by Saam Barati.

        We were passing JSParserBuiltinMode to all CodeCache functions, but the
        passed-in value was always NotBuiltin.

        Let's stop passing it.

        * parser/SourceCodeKey.h:
        (JSC::SourceCodeFlags::SourceCodeFlags):
        (JSC::SourceCodeKey::SourceCodeKey):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
        (JSC::CodeCache::getUnlinkedProgramCodeBlock):
        (JSC::CodeCache::getUnlinkedGlobalEvalCodeBlock):
        (JSC::CodeCache::getUnlinkedModuleProgramCodeBlock):
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
        * runtime/CodeCache.h:
        (JSC::generateUnlinkedCodeBlock):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createProgramCodeBlock):
        (JSC::JSGlobalObject::createLocalEvalCodeBlock):
        (JSC::JSGlobalObject::createGlobalEvalCodeBlock):
        (JSC::JSGlobalObject::createModuleProgramCodeBlock):

2016-11-15  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION (r208711-r208722): ASSERTION FAILED: hasInlineStorage()
        https://bugs.webkit.org/show_bug.cgi?id=164775

        Reviewed by Mark Lam and Keith Miller.

        We were calling inlineStorage() which asserts that inline storage is not empty. But we
        were calling it in a context where it could be empty and that's fine. So, we now call
        inlineStorageUnsafe().

        * runtime/JSObject.h:
        (JSC::JSFinalObject::JSFinalObject):

2016-11-14  Csaba Osztrogonác  <ossy@webkit.org>

        [ARM] Unreviewed buildfix after r208720.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::storeFence): Stub function copied from MacroAssemblerARMv7.h.

2016-11-14  Caitlin Potter  <caitp@igalia.com>

        [JSC] do not reference AwaitExpression Promises in async function Promise chain
        https://bugs.webkit.org/show_bug.cgi?id=164753

        Reviewed by Yusuke Suzuki.

        Previously, long-running async functions which contained many AwaitExpressions
        would allocate and retain references to intermediate Promise objects for each `await`,
        resulting in a memory leak.

        To mitigate this leak, a reference to the original Promise (and its resolve and reject
        functions) associated with the async function are kept, and passed to each call to
        @asyncFunctionResume, while intermediate Promises are discarded. This is done by adding
        a new Register to the BytecodeGenerator to hold the PromiseCapability object associated
        with an async function wrapper. The capability is used to reject the Promise if an
        exception is thrown during parameter initialization, and is used to store the resulting
        value once the async function has terminated.

        * builtins/AsyncFunctionPrototype.js:
        (globalPrivate.asyncFunctionResume):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::promiseCapabilityRegister):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionNode::emitBytecode):

2016-11-14  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Worker debugging should pause all targets and view call frames in all targets
        https://bugs.webkit.org/show_bug.cgi?id=164305
        <rdar://problem/29056192>

        Reviewed by Timothy Hatcher.

        * inspector/InjectedScriptSource.js:
        (InjectedScript.prototype._propertyDescriptors):
        Accessing __proto__ does a ToThis(...) conversion on the receiver.
        In the case of GlobalObjects (such as WorkerGlobalScope when paused)
        this would return undefined and throw an exception. We can use
        Object.getPrototypeOf to avoid that conversion and possible error.

        * inspector/protocol/Debugger.json:
        Provide a new way to effectively `resume` + `pause` immediately.
        This must be implemented on the backend to correctly synchronize
        the resuming and pausing.

        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::continueUntilNextRunLoop):
        Treat this as `resume` and `pause`. Resume now, and trigger
        a pause if the VM becomes idle and we didn't pause before then
        (such as hitting a breakpoint after we resumed).

        (Inspector::InspectorDebuggerAgent::pause):
        (Inspector::InspectorDebuggerAgent::resume):
        (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
        (Inspector::InspectorDebuggerAgent::cancelPauseOnNextStatement):
        Clean up and correct pause on next statement logic.

        (Inspector::InspectorDebuggerAgent::registerIdleHandler):
        (Inspector::InspectorDebuggerAgent::willStepAndMayBecomeIdle):
        (Inspector::InspectorDebuggerAgent::didBecomeIdle):
        (Inspector::InspectorDebuggerAgent::didBecomeIdleAfterStepping): Deleted.
2145         The idle handler may now also trigger a pause in the case
2146         where continueUntilNextRunLoop resumed and wants to pause.
2147
2148         (Inspector::InspectorDebuggerAgent::didPause):
2149         Eliminate the useless didPause. The DOMDebugger was keeping track
2150         of its own state that was worse than the state in DebuggerAgent.
2151
2152 2016-11-14  Filip Pizlo  <fpizlo@apple.com>
2153
2154         Unreviewed, fix cloop.
2155
2156         * runtime/JSCellInlines.h:
2157
2158 2016-11-14  Filip Pizlo  <fpizlo@apple.com>
2159
2160         The GC should be optionally concurrent and disabled by default
2161         https://bugs.webkit.org/show_bug.cgi?id=164454
2162
2163         Reviewed by Geoffrey Garen.
2164         
2165         This started out as a patch to have the GC scan the stack at the end, and then the
2166         outage happened and I decided to pick a more aggressive target: give the GC a concurrent
2167         mode that can be enabled at runtime, and whose only effect is that it turns on the
2168         ResumeTheWorldScope. This gives our GC a really intuitive workflow: by default, the GC
2169         thread is running solo with the world stopped and the parallel markers converged and
2170         waiting. We have a parallel work scope to enable the parallel markers and now we have a
2171         ResumeTheWorldScope that will optionally resume the world and then stop it again.
2172         
2173         It's easy to make a concurrent GC that always instantly crashes. I can't promise that
2174         this one won't do that when you run it. I set a specific goal: I wanted to do >10
2175         concurrent GCs in debug mode with generations, optimizing JITs, and parallel marking
2176         disabled.
2177         
2178         To reach this milestone, I needed to do a bunch of stuff:
2179         
2180         - The mutator needs a separate mark stack for the barrier, since it will mutate this
2181           stack concurrently to the collector's slot visitors.
2182         
2183         - The use of CellState to indicate whether an object is being scanned the first time or
2184           a subsequent time was racy. It fails spectacularly when a barrier is fired at the same
2185           time as visitChildren is running or if the barrier runs at the same time as the GC
2186           marks the same object. So, I split SlotVisitor's mark stacks. It's now the case that
2187           you know why you're being scanned by looking at which stack you came off of.
2188         
2189         - All of root marking must be in the collector fixpoint. I renamed markRoots to
2190           markToFixpoint. They say concurrency is hard, but the collector looks more intuitive
2191           this way. We never gained anything from forcing people to make a choice between
2192           scanning something in the fixpoint versus outside of it. Because root scanning is
2193           cheap, we can afford to do it repeatedly, which means all root scanning can now do
2194           constraint-based marking (like: I'll mark you if that thing is marked).
2195         
2196         - JSObject::visitChildren's scanning of the butterfly raced with property additions,
2197           indexed storage transitions and resizing, and a bunch of miscellaneous dirty butterfly
2198           reshaping functions - like the one that flattens a dictionary and some sneaky
2199           ArrayStorage transformations. Many of these can be fixed by using store-store fences
2200           in the mutator and load-load fences in the collector. I've adopted the rule that the
2201           collector must always see either a butterfly and structure that match or a newer
2202           butterfly with an older structure, where their age is just one transition apart. This
2203           can be achieved with fences. For the cases where it breaks down, I added a lock to
2204           every JSCell. This is a full-fledged WTF lock that we sneak into two available bits in
2205           the indexingType. See the WTF ChangeLog for details.
2206           
2207           The mutator fencing rules are as follows:
2208           
2209           - Store-store fence before and after setting the butterfly.
2210           - Store-store fence before setting structure if you had changed the shape of the
2211             butterfly.
2212           - Store-store fence after initializing all fields in an allocation.
2213         
2214         - A dictionary Structure can change in strange ways while the GC is trying to scan it.
2215           So, JSObject::visitChildren will now grab the object's structure's lock if the
2216           object's structure is a dictionary. Dictionary structures are 1:1 with their object,
2217           so this does not reduce GC parallelism (super unlikely that the GC will simultaneously
2218           scan an object from two threads).
2219         
2220         - The GC can blow away a Structure's property table at any time. As a small consolation,
2221           it's now holding the Structure's lock when it does so. But there was tons of code in
2222           Structure that uses DeferGC to prevent the GC from blowing away the property table.
2223           This doesn't work with concurrent GC, since DeferGC only means that the GC won't run
2224           its safepoint (i.e. stop-the-world code) in the DeferGC region. It will still do
2225           marking and it was the Structure::visitChildren that would delete the table. It turns
2226           out that Structure's reliance on the property table not being deleted was the product
2227           of code rot. We already had functions that would materialize the table on demand. We
2228           were simply making the mistake of saying:
2229           
2230               structure->materializePropertyMap();
2231               ...
2232               structure->propertyTable()->things
2233           
2234           Instead of saying:
2235           
2236               PropertyTable* table = structure->ensurePropertyTable();
2237               ...
2238               table->things
2239           
2240           Switching the code to use the latter idiom allowed me to simplify the code a lot while
2241           fixing the race.
2242         
2243         - The LLInt's get_by_val handling was broken because the indexing shape constants were
2244           wrong. Once I started putting more things into the IndexingType, that started causing
2245           crashes for me. So I fixed LLInt. That turned out to be a lot of work, since that code
2246           had rotted in subtle ways.
2247         
2248         This is a speed-up in SunSpider, probably because of the LLInt fix. This is neutral on
2249         Octane and Kraken. It's a smaller slow-down on LongSpider, but I think we can ignore
2250         that (we don't view LongSpider as an official benchmark). By default, the concurrent GC
2251         is disabled: in all of the places where it would have resumed the world to run marking
2252         concurrently to the mutator, it will just skip the resume step. When you enable
2253         concurrent GC (--useConcurrentGC=true), it can sometimes run Octane/splay to completion.
2254         It seems to perform quite well: on my machine, it improves both splay-throughput and
2255         splay-latency. It's probably unstable for other programs.
2256
2257         * API/JSVirtualMachine.mm:
2258         (-[JSVirtualMachine isOldExternalObject:]):
2259         * assembler/MacroAssemblerARMv7.h:
2260         (JSC::MacroAssemblerARMv7::storeFence):
2261         * bytecode/InlineAccess.cpp:
2262         (JSC::InlineAccess::dumpCacheSizesAndCrash):
2263         (JSC::InlineAccess::generateSelfPropertyAccess):
2264         (JSC::InlineAccess::generateArrayLength):
2265         * bytecode/ObjectAllocationProfile.h:
2266         (JSC::ObjectAllocationProfile::offsetOfInlineCapacity):
2267         (JSC::ObjectAllocationProfile::ObjectAllocationProfile):
2268         (JSC::ObjectAllocationProfile::initialize):
2269         (JSC::ObjectAllocationProfile::inlineCapacity):
2270         (JSC::ObjectAllocationProfile::clear):
2271         * bytecode/PolymorphicAccess.cpp:
2272         (JSC::AccessCase::generateWithGuard):
2273         (JSC::AccessCase::generateImpl):
2274         * dfg/DFGArrayifySlowPathGenerator.h:
2275         * dfg/DFGClobberize.h:
2276         (JSC::DFG::clobberize):
2277         * dfg/DFGOSRExitCompiler32_64.cpp:
2278         (JSC::DFG::OSRExitCompiler::compileExit):
2279         * dfg/DFGOSRExitCompiler64.cpp:
2280         (JSC::DFG::OSRExitCompiler::compileExit):
2281         * dfg/DFGOperations.cpp:
2282         * dfg/DFGPlan.cpp:
2283         (JSC::DFG::Plan::markCodeBlocks):
2284         (JSC::DFG::Plan::rememberCodeBlocks):
2285         * dfg/DFGPlan.h:
2286         * dfg/DFGSpeculativeJIT.cpp:
2287         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2288         (JSC::DFG::SpeculativeJIT::checkArray):
2289         (JSC::DFG::SpeculativeJIT::arrayify):
2290         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2291         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
2292         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
2293         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
2294         (JSC::DFG::SpeculativeJIT::compileSpread):
2295         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2296         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2297         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
2298         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
2299         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
2300         * dfg/DFGSpeculativeJIT64.cpp:
2301         (JSC::DFG::SpeculativeJIT::compile):
2302         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2303         * dfg/DFGTierUpCheckInjectionPhase.cpp:
2304         (JSC::DFG::TierUpCheckInjectionPhase::run):
2305         * dfg/DFGWorklist.cpp:
2306         (JSC::DFG::Worklist::markCodeBlocks):
2307         (JSC::DFG::Worklist::rememberCodeBlocks):
2308         (JSC::DFG::markCodeBlocks):
2309         (JSC::DFG::completeAllPlansForVM):
2310         (JSC::DFG::rememberCodeBlocks):
2311         * dfg/DFGWorklist.h:
2312         * ftl/FTLAbstractHeapRepository.cpp:
2313         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
2314         (JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions):
2315         * ftl/FTLAbstractHeapRepository.h:
2316         * ftl/FTLJITCode.cpp:
2317         (JSC::FTL::JITCode::~JITCode):
2318         * ftl/FTLLowerDFGToB3.cpp:
2319         (JSC::FTL::DFG::LowerDFGToB3::compilePutStructure):
2320         (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
2321         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
2322         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
2323         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
2324         (JSC::FTL::DFG::LowerDFGToB3::compileNewObject):
2325         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
2326         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
2327         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
2328         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
2329         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
2330         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
2331         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2332         (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
2333         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2334         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
2335         (JSC::FTL::DFG::LowerDFGToB3::splatWords):
2336         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
2337         (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
2338         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2339         (JSC::FTL::DFG::LowerDFGToB3::isArrayType):
2340         (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
2341         (JSC::FTL::DFG::LowerDFGToB3::mutatorFence):
2342         (JSC::FTL::DFG::LowerDFGToB3::setButterfly):
2343         * ftl/FTLOSRExitCompiler.cpp:
2344         (JSC::FTL::compileStub):
2345         * ftl/FTLOutput.cpp:
2346         (JSC::FTL::Output::signExt32ToPtr):
2347         (JSC::FTL::Output::fence):
2348         * ftl/FTLOutput.h:
2349         * heap/CellState.h:
2350         * heap/GCSegmentedArray.h:
2351         * heap/Heap.cpp:
2352         (JSC::Heap::ResumeTheWorldScope::ResumeTheWorldScope):
2353         (JSC::Heap::ResumeTheWorldScope::~ResumeTheWorldScope):
2354         (JSC::Heap::Heap):
2355         (JSC::Heap::~Heap):
2356         (JSC::Heap::harvestWeakReferences):
2357         (JSC::Heap::finalizeUnconditionalFinalizers):
2358         (JSC::Heap::completeAllJITPlans):
2359         (JSC::Heap::markToFixpoint):
2360         (JSC::Heap::gatherStackRoots):
2361         (JSC::Heap::beginMarking):
2362         (JSC::Heap::visitConservativeRoots):
2363         (JSC::Heap::visitCompilerWorklistWeakReferences):
2364         (JSC::Heap::updateObjectCounts):
2365         (JSC::Heap::endMarking):
2366         (JSC::Heap::addToRememberedSet):
2367         (JSC::Heap::collectInThread):
2368         (JSC::Heap::stopTheWorld):
2369         (JSC::Heap::resumeTheWorld):
2370         (JSC::Heap::setGCDidJIT):
2371         (JSC::Heap::setNeedFinalize):
2372         (JSC::Heap::setMutatorWaiting):
2373         (JSC::Heap::clearMutatorWaiting):
2374         (JSC::Heap::finalize):
2375         (JSC::Heap::flushWriteBarrierBuffer):
2376         (JSC::Heap::writeBarrierSlowPath):
2377         (JSC::Heap::canCollect):
2378         (JSC::Heap::reportExtraMemoryVisited):
2379         (JSC::Heap::reportExternalMemoryVisited):
2380         (JSC::Heap::notifyIsSafeToCollect):
2381         (JSC::Heap::markRoots): Deleted.
2382         (JSC::Heap::visitExternalRememberedSet): Deleted.
2383         (JSC::Heap::visitSmallStrings): Deleted.
2384         (JSC::Heap::visitProtectedObjects): Deleted.
2385         (JSC::Heap::visitArgumentBuffers): Deleted.
2386         (JSC::Heap::visitException): Deleted.
2387         (JSC::Heap::visitStrongHandles): Deleted.
2388         (JSC::Heap::visitHandleStack): Deleted.
2389         (JSC::Heap::visitSamplingProfiler): Deleted.
2390         (JSC::Heap::visitTypeProfiler): Deleted.
2391         (JSC::Heap::visitShadowChicken): Deleted.
2392         (JSC::Heap::traceCodeBlocksAndJITStubRoutines): Deleted.
2393         (JSC::Heap::visitWeakHandles): Deleted.
2394         (JSC::Heap::flushOldStructureIDTables): Deleted.
2395         (JSC::Heap::stopAllocation): Deleted.
2396         * heap/Heap.h:
2397         (JSC::Heap::collectorSlotVisitor):
2398         (JSC::Heap::mutatorMarkStack):
2399         (JSC::Heap::mutatorShouldBeFenced):
2400         (JSC::Heap::addressOfMutatorShouldBeFenced):
2401         (JSC::Heap::slotVisitor): Deleted.
2402         (JSC::Heap::notifyIsSafeToCollect): Deleted.
2403         (JSC::Heap::barrierShouldBeFenced): Deleted.
2404         (JSC::Heap::addressOfBarrierShouldBeFenced): Deleted.
2405         * heap/MarkStack.cpp:
2406         (JSC::MarkStackArray::transferTo):
2407         * heap/MarkStack.h:
2408         * heap/MarkedAllocator.cpp:
2409         (JSC::MarkedAllocator::tryAllocateIn):
2410         * heap/MarkedBlock.cpp:
2411         (JSC::MarkedBlock::MarkedBlock):
2412         (JSC::MarkedBlock::Handle::specializedSweep):
2413         (JSC::MarkedBlock::Handle::sweep):
2414         (JSC::MarkedBlock::Handle::sweepHelperSelectMarksMode):
2415         (JSC::MarkedBlock::Handle::stopAllocating):
2416         (JSC::MarkedBlock::Handle::resumeAllocating):
2417         (JSC::MarkedBlock::aboutToMarkSlow):
2418         (JSC::MarkedBlock::Handle::didConsumeFreeList):
2419         (JSC::SetNewlyAllocatedFunctor::SetNewlyAllocatedFunctor): Deleted.
2420         (JSC::SetNewlyAllocatedFunctor::operator()): Deleted.
2421         * heap/MarkedBlock.h:
2422         * heap/MarkedSpace.cpp:
2423         (JSC::MarkedSpace::resumeAllocating):
2424         * heap/SlotVisitor.cpp:
2425         (JSC::SlotVisitor::SlotVisitor):
2426         (JSC::SlotVisitor::~SlotVisitor):
2427         (JSC::SlotVisitor::reset):
2428         (JSC::SlotVisitor::clearMarkStacks):
2429         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
2430         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
2431         (JSC::SlotVisitor::appendToMarkStack):
2432         (JSC::SlotVisitor::appendToMutatorMarkStack):
2433         (JSC::SlotVisitor::visitChildren):
2434         (JSC::SlotVisitor::donateKnownParallel):
2435         (JSC::SlotVisitor::drain):
2436         (JSC::SlotVisitor::drainFromShared):
2437         (JSC::SlotVisitor::containsOpaqueRoot):
2438         (JSC::SlotVisitor::donateAndDrain):
2439         (JSC::SlotVisitor::mergeOpaqueRoots):
2440         (JSC::SlotVisitor::dump):
2441         (JSC::SlotVisitor::clearMarkStack): Deleted.
2442         (JSC::SlotVisitor::opaqueRootCount): Deleted.
2443         * heap/SlotVisitor.h:
2444         (JSC::SlotVisitor::collectorMarkStack):
2445         (JSC::SlotVisitor::mutatorMarkStack):
2446         (JSC::SlotVisitor::isEmpty):
2447         (JSC::SlotVisitor::bytesVisited):
2448         (JSC::SlotVisitor::markStack): Deleted.
2449         (JSC::SlotVisitor::bytesCopied): Deleted.
2450         * heap/SlotVisitorInlines.h:
2451         (JSC::SlotVisitor::reportExtraMemoryVisited):
2452         (JSC::SlotVisitor::reportExternalMemoryVisited):
2453         * jit/AssemblyHelpers.cpp:
2454         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
2455         * jit/AssemblyHelpers.h:
2456         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
2457         (JSC::AssemblyHelpers::barrierStoreLoadFence):
2458         (JSC::AssemblyHelpers::mutatorFence):
2459         (JSC::AssemblyHelpers::storeButterfly):
2460         (JSC::AssemblyHelpers::jumpIfMutatorFenceNotNeeded):
2461         (JSC::AssemblyHelpers::emitInitializeInlineStorage):
2462         (JSC::AssemblyHelpers::emitInitializeOutOfLineStorage):
2463         (JSC::AssemblyHelpers::jumpIfBarrierStoreLoadFenceNotNeeded): Deleted.
2464         * jit/JITInlines.h:
2465         (JSC::JIT::emitArrayProfilingSiteWithCell):
2466         * jit/JITOperations.cpp:
2467         * jit/JITPropertyAccess.cpp:
2468         (JSC::JIT::emit_op_put_to_scope):
2469         (JSC::JIT::emit_op_put_to_arguments):
2470         * llint/LLIntData.cpp:
2471         (JSC::LLInt::Data::performAssertions):
2472         * llint/LowLevelInterpreter.asm:
2473         * llint/LowLevelInterpreter64.asm:
2474         * runtime/ButterflyInlines.h:
2475         (JSC::Butterfly::create):
2476         (JSC::Butterfly::createOrGrowPropertyStorage):
2477         * runtime/ConcurrentJITLock.h:
2478         (JSC::GCSafeConcurrentJITLocker::NoDefer::NoDefer): Deleted.
2479         * runtime/GenericArgumentsInlines.h:
2480         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
2481         (JSC::GenericArguments<Type>::putByIndex):
2482         * runtime/IndexingType.h:
2483         * runtime/JSArray.cpp:
2484         (JSC::JSArray::unshiftCountSlowCase):
2485         (JSC::JSArray::unshiftCountWithArrayStorage):
2486         * runtime/JSCell.h:
2487         (JSC::JSCell::InternalLocker::InternalLocker):
2488         (JSC::JSCell::InternalLocker::~InternalLocker):
2489         (JSC::JSCell::atomicCompareExchangeCellStateWeakRelaxed):
2490         (JSC::JSCell::atomicCompareExchangeCellStateStrong):
2491         (JSC::JSCell::indexingTypeAndMiscOffset):
2492         (JSC::JSCell::indexingTypeOffset): Deleted.
2493         * runtime/JSCellInlines.h:
2494         (JSC::JSCell::JSCell):
2495         (JSC::JSCell::finishCreation):
2496         (JSC::JSCell::indexingTypeAndMisc):
2497         (JSC::JSCell::indexingType):
2498         (JSC::JSCell::setStructure):
2499         (JSC::JSCell::callDestructor):
2500         (JSC::JSCell::lockInternalLock):
2501         (JSC::JSCell::unlockInternalLock):
2502         * runtime/JSObject.cpp:
2503         (JSC::JSObject::visitButterfly):
2504         (JSC::JSObject::visitChildren):
2505         (JSC::JSFinalObject::visitChildren):
2506         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
2507         (JSC::JSObject::createInitialUndecided):
2508         (JSC::JSObject::createInitialInt32):
2509         (JSC::JSObject::createInitialDouble):
2510         (JSC::JSObject::createInitialContiguous):
2511         (JSC::JSObject::createArrayStorage):
2512         (JSC::JSObject::convertUndecidedToArrayStorage):
2513         (JSC::JSObject::convertInt32ToArrayStorage):
2514         (JSC::JSObject::convertDoubleToArrayStorage):
2515         (JSC::JSObject::convertContiguousToArrayStorage):
2516         (JSC::JSObject::deleteProperty):
2517         (JSC::JSObject::defineOwnIndexedProperty):
2518         (JSC::JSObject::increaseVectorLength):
2519         (JSC::JSObject::ensureLengthSlow):
2520         (JSC::JSObject::reallocateAndShrinkButterfly):
2521         (JSC::JSObject::allocateMoreOutOfLineStorage):
2522         (JSC::JSObject::shiftButterflyAfterFlattening):
2523         (JSC::JSObject::growOutOfLineStorage): Deleted.
2524         * runtime/JSObject.h:
2525         (JSC::JSFinalObject::JSFinalObject):
2526         (JSC::JSObject::setButterfly):
2527         (JSC::JSObject::getOwnNonIndexPropertySlot):
2528         (JSC::JSObject::fillCustomGetterPropertySlot):
2529         (JSC::JSObject::getOwnPropertySlot):
2530         (JSC::JSObject::getPropertySlot):
2531         (JSC::JSObject::setStructureAndButterfly): Deleted.
2532         (JSC::JSObject::setButterflyWithoutChangingStructure): Deleted.
2533         (JSC::JSObject::putDirectInternal): Deleted.
2534         (JSC::JSObject::putDirectWithoutTransition): Deleted.
2535         * runtime/JSObjectInlines.h:
2536         (JSC::JSObject::getPropertySlot):
2537         (JSC::JSObject::getNonIndexPropertySlot):
2538         (JSC::JSObject::putDirectWithoutTransition):
2539         (JSC::JSObject::putDirectInternal):
2540         * runtime/Options.h:
2541         * runtime/SparseArrayValueMap.h:
2542         * runtime/Structure.cpp:
2543         (JSC::Structure::dumpStatistics):
2544         (JSC::Structure::findStructuresAndMapForMaterialization):
2545         (JSC::Structure::materializePropertyTable):
2546         (JSC::Structure::addNewPropertyTransition):
2547         (JSC::Structure::changePrototypeTransition):
2548         (JSC::Structure::attributeChangeTransition):
2549         (JSC::Structure::toDictionaryTransition):
2550         (JSC::Structure::takePropertyTableOrCloneIfPinned):
2551         (JSC::Structure::nonPropertyTransition):
2552         (JSC::Structure::isSealed):
2553         (JSC::Structure::isFrozen):
2554         (JSC::Structure::flattenDictionaryStructure):
2555         (JSC::Structure::pin):
2556         (JSC::Structure::pinForCaching):
2557         (JSC::Structure::willStoreValueSlow):
2558         (JSC::Structure::copyPropertyTableForPinning):
2559         (JSC::Structure::add):
2560         (JSC::Structure::remove):
2561         (JSC::Structure::getPropertyNamesFromStructure):
2562         (JSC::Structure::visitChildren):
2563         (JSC::Structure::materializePropertyMap): Deleted.
2564         (JSC::Structure::addPropertyWithoutTransition): Deleted.
2565         (JSC::Structure::removePropertyWithoutTransition): Deleted.
2566         (JSC::Structure::copyPropertyTable): Deleted.
2567         (JSC::Structure::createPropertyMap): Deleted.
2568         (JSC::PropertyTable::checkConsistency): Deleted.
2569         (JSC::Structure::checkConsistency): Deleted.
2570         * runtime/Structure.h:
2571         * runtime/StructureIDBlob.h:
2572         (JSC::StructureIDBlob::StructureIDBlob):
2573         (JSC::StructureIDBlob::indexingTypeIncludingHistory):
2574         (JSC::StructureIDBlob::setIndexingTypeIncludingHistory):
2575         (JSC::StructureIDBlob::indexingTypeIncludingHistoryOffset):
2576         (JSC::StructureIDBlob::indexingType): Deleted.
2577         (JSC::StructureIDBlob::setIndexingType): Deleted.
2578         (JSC::StructureIDBlob::indexingTypeOffset): Deleted.
2579         * runtime/StructureInlines.h:
2580         (JSC::Structure::get):
2581         (JSC::Structure::checkOffsetConsistency):
2582         (JSC::Structure::checkConsistency):
2583         (JSC::Structure::add):
2584         (JSC::Structure::remove):
2585         (JSC::Structure::addPropertyWithoutTransition):
2586         (JSC::Structure::removePropertyWithoutTransition):
2587         (JSC::Structure::setPropertyTable):
2588         (JSC::Structure::putWillGrowOutOfLineStorage): Deleted.
2589         (JSC::Structure::propertyTable): Deleted.
2590         (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Deleted.
2591
2592 2016-11-14  Keith Miller  <keith_miller@apple.com>
2593
2594         Add Wasm select
2595         https://bugs.webkit.org/show_bug.cgi?id=164743
2596
2597         Reviewed by Saam Barati.
2598
2599         Also, this patch fixes an issue with the jsc.cpp test harness where negative numbers would be sign extended
2600         when they shouldn't be.
2601
2602         * jsc.cpp:
2603         (box):
2604         * wasm/WasmB3IRGenerator.cpp:
2605         * wasm/WasmFunctionParser.h:
2606         (JSC::Wasm::FunctionParser<Context>::parseExpression):
2607         * wasm/WasmValidate.cpp:
2608         (JSC::Wasm::Validate::addSelect):
2609
2610 2016-11-11  Geoffrey Garen  <ggaren@apple.com>
2611
2612         JSC should distinguish between local and global eval
2613         https://bugs.webkit.org/show_bug.cgi?id=164628
2614
2615         Reviewed by Saam Barati.
2616
2617         Local use of the 'eval' keyword and invocation of the global window.eval
2618         function are distinct operations in JavaScript.
2619
2620         This patch splits out LocalEvalExecutable vs GlobalEvalExecutable in
2621         order to help distinguish these operations in code.
2622
2623         Our code used to do some silly things for lack of distinguishing these
2624         cases. For example, it would double cache local eval in CodeCache and
2625         EvalCodeCache. This made CodeCache seem more complicated than it really
2626         was.
2627
2628         * CMakeLists.txt:
2629         * JavaScriptCore.xcodeproj/project.pbxproj: Added some files.
2630
2631         * bytecode/CodeBlock.h:
2632
2633         * bytecode/EvalCodeCache.h:
2634         (JSC::EvalCodeCache::tryGet):
2635         (JSC::EvalCodeCache::set):
2636         (JSC::EvalCodeCache::getSlow): Deleted. Moved code generation out of
2637         the cache to avoid tight coupling. Now the cache just caches.
2638
2639         * bytecode/UnlinkedEvalCodeBlock.h:
2640         * bytecode/UnlinkedFunctionExecutable.cpp:
2641         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
2642         * bytecode/UnlinkedModuleProgramCodeBlock.h:
2643         * bytecode/UnlinkedProgramCodeBlock.h:
2644         * debugger/DebuggerCallFrame.cpp:
2645         (JSC::DebuggerCallFrame::evaluateWithScopeExtension): Updated for interface
2646         changes.
2647
2648         * interpreter/Interpreter.cpp:
2649         (JSC::eval): Moved code generation here so the cache didn't need to build
2650         it in.
2651
2652         * llint/LLIntOffsetsExtractor.cpp:
2653
2654         * runtime/CodeCache.cpp:
2655         (JSC::CodeCache::getUnlinkedGlobalCodeBlock): No need to check for TDZ
2656         variables any more. We only cache global programs, and global variable
2657         access always does TDZ checks.
2658
2659         (JSC::CodeCache::getUnlinkedProgramCodeBlock):
2660         (JSC::CodeCache::getUnlinkedGlobalEvalCodeBlock):
2661         (JSC::CodeCache::getUnlinkedModuleProgramCodeBlock):
2662         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
2663
2664         (JSC::CodeCache::CodeCache): Deleted.
2665         (JSC::CodeCache::~CodeCache): Deleted.
2666         (JSC::CodeCache::getGlobalCodeBlock): Deleted.
2667         (JSC::CodeCache::getProgramCodeBlock): Deleted.
2668         (JSC::CodeCache::getEvalCodeBlock): Deleted.
2669         (JSC::CodeCache::getModuleProgramCodeBlock): Deleted.
2670         (JSC::CodeCache::getFunctionExecutableFromGlobalCode): Deleted.
2671
2672         * runtime/CodeCache.h:
2673         (JSC::CodeCache::clear):
2674         (JSC::generateUnlinkedCodeBlock): Moved unlinked code block creation
2675         out of the CodeCache class and into a stand-alone function because
2676         we need it for local eval, which does not live in CodeCache.
2677
2678         * runtime/EvalExecutable.cpp:
2679         (JSC::EvalExecutable::create): Deleted.
2680         * runtime/EvalExecutable.h:
2681         (): Deleted.
2682         * runtime/GlobalEvalExecutable.cpp: Added.
2683         (JSC::GlobalEvalExecutable::create):
2684         (JSC::GlobalEvalExecutable::GlobalEvalExecutable):
2685         * runtime/GlobalEvalExecutable.h: Added.
2686         * runtime/LocalEvalExecutable.cpp: Added.
2687         (JSC::LocalEvalExecutable::create):
2688         (JSC::LocalEvalExecutable::LocalEvalExecutable):
2689         * runtime/LocalEvalExecutable.h: Added. Split out Local vs Global
2690         EvalExecutable classes to distinguish these operations in code. The key
2691         difference is that LocalEvalExecutable does not live in the CodeCache
2692         and only lives in the EvalCodeCache.
2693
2694         * runtime/JSGlobalObject.cpp:
2695         (JSC::JSGlobalObject::createProgramCodeBlock):
2696         (JSC::JSGlobalObject::createLocalEvalCodeBlock):
2697         (JSC::JSGlobalObject::createGlobalEvalCodeBlock):
2698         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
2699         (JSC::JSGlobalObject::createEvalCodeBlock): Deleted.
2700         * runtime/JSGlobalObject.h:
2701         * runtime/JSGlobalObjectFunctions.cpp:
2702         (JSC::globalFuncEval):
2703
2704         * runtime/JSScope.cpp:
2705         (JSC::JSScope::collectClosureVariablesUnderTDZ):
2706         (JSC::JSScope::collectVariablesUnderTDZ): Deleted. We don't include
2707         global lexical variables in our concept of TDZ scopes anymore. Global
2708         variable access always does TDZ checks unconditionally. So, only closure
2709         scope accesses give specific consideration to TDZ checks.
2710
2711         * runtime/JSScope.h:
2712
2713 2016-11-14  Caitlin Potter  <caitp@igalia.com>
2714
2715         [JSC] Handle new_async_func / new_async_func_exp in DFG / FTL
2716         https://bugs.webkit.org/show_bug.cgi?id=164037
2717
2718         Reviewed by Yusuke Suzuki.
2719
2720         This patch introduces new_async_func / new_async_func_exp into DFG and FTL,
2721         in much the same capacity that https://trac.webkit.org/changeset/194216 added
2722         DFG / FTL support for generators: by adding new DFG nodes (NewAsyncFunction and
2723         PhantomNewAsyncFunction), rather than extending the existing NewFunction node type.
2724
2725         Like NewFunction and PhantomNewFunction, and the Generator variants, allocation of
2726         async wrapper functions may be deferred or eliminated during the allocation sinking
2727         phase.
2728
2729         * dfg/DFGAbstractInterpreterInlines.h:
2730         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2731         * dfg/DFGByteCodeParser.cpp:
2732         (JSC::DFG::ByteCodeParser::parseBlock):
2733         * dfg/DFGCapabilities.cpp:
2734         (JSC::DFG::capabilityLevel):
2735         * dfg/DFGClobberize.h:
2736         (JSC::DFG::clobberize):
2737         * dfg/DFGClobbersExitState.cpp:
2738         (JSC::DFG::clobbersExitState):
2739         * dfg/DFGDoesGC.cpp:
2740         (JSC::DFG::doesGC):
2741         * dfg/DFGFixupPhase.cpp:
2742         (JSC::DFG::FixupPhase::fixupNode):
2743         * dfg/DFGMayExit.cpp:
2744         * dfg/DFGNode.h:
2745         (JSC::DFG::Node::convertToPhantomNewFunction):
2746         (JSC::DFG::Node::convertToPhantomNewAsyncFunction):
2747         (JSC::DFG::Node::hasCellOperand):
2748         (JSC::DFG::Node::isFunctionAllocation):
2749         (JSC::DFG::Node::isPhantomFunctionAllocation):
2750         (JSC::DFG::Node::isPhantomAllocation):
2751         * dfg/DFGNodeType.h:
2752         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2753         * dfg/DFGPredictionPropagationPhase.cpp:
2754         * dfg/DFGSafeToExecute.h:
2755         (JSC::DFG::safeToExecute):
2756         * dfg/DFGSpeculativeJIT.cpp:
2757         (JSC::DFG::SpeculativeJIT::compileNewFunction):
2758         * dfg/DFGSpeculativeJIT32_64.cpp:
2759         (JSC::DFG::SpeculativeJIT::compile):
2760         * dfg/DFGSpeculativeJIT64.cpp:
2761         (JSC::DFG::SpeculativeJIT::compile):
2762         * dfg/DFGStoreBarrierInsertionPhase.cpp:
2763         * dfg/DFGStructureRegistrationPhase.cpp:
2764         (JSC::DFG::StructureRegistrationPhase::run):
2765         * dfg/DFGValidate.cpp:
2766         * ftl/FTLCapabilities.cpp:
2767         (JSC::FTL::canCompile):
2768         * ftl/FTLLowerDFGToB3.cpp:
2769         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2770         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
2771         * ftl/FTLOperations.cpp:
2772         (JSC::FTL::operationPopulateObjectInOSR):
2773         (JSC::FTL::operationMaterializeObjectInOSR):
2774         * runtime/JSGlobalObject.cpp:
2775         (JSC::JSGlobalObject::init):
2776         (JSC::JSGlobalObject::visitChildren):
2777         * runtime/JSGlobalObject.h:
2778         (JSC::JSGlobalObject::asyncFunctionPrototype):
2779         (JSC::JSGlobalObject::asyncFunctionStructure):
2780         (JSC::JSGlobalObject::lazyAsyncFunctionStructure): Deleted.
2781         (JSC::JSGlobalObject::asyncFunctionPrototypeConcurrently): Deleted.
2782         (JSC::JSGlobalObject::asyncFunctionStructureConcurrently): Deleted.
2783
2784 2016-11-14  Mark Lam  <mark.lam@apple.com>
2785
2786         Some of JSStringView::SafeView methods are not idiomatically safe for JSString to StringView conversions.
2787         https://bugs.webkit.org/show_bug.cgi?id=164701
2788         <rdar://problem/27462104>
2789
2790         Reviewed by Darin Adler.
2791
2792         The characters8(), characters16(), and operator[] in JSString::SafeView convert
2793         the underlying JSString to a StringView via get(), and then use the StringView
2794         without first checking if an exception was thrown during the conversion.  This is
2795         unsafe because the conversion may have failed.
2796
2797         Instead, we should remove these 3 convenience methods, and make the caller
2798         explicitly call get() and do the appropriate exception checks before using the
2799         StringView.
2800
2801         * runtime/JSGlobalObjectFunctions.cpp:
2802         (JSC::toStringView):
2803         (JSC::encode):
2804         (JSC::decode):
2805         (JSC::globalFuncParseInt):
2806         (JSC::globalFuncEscape):
2807         (JSC::globalFuncUnescape):
2808         (JSC::toSafeView): Deleted.
2809         * runtime/JSONObject.cpp:
2810         (JSC::JSONProtoFuncParse):
2811         * runtime/JSString.h:
2812         (JSC::JSString::SafeView::length):
2813         (JSC::JSString::SafeView::characters8): Deleted.
2814         (JSC::JSString::SafeView::characters16): Deleted.
2815         (JSC::JSString::SafeView::operator[]): Deleted.
2816         * runtime/StringPrototype.cpp:
2817         (JSC::stringProtoFuncRepeatCharacter):
2818         (JSC::stringProtoFuncCharAt):
2819         (JSC::stringProtoFuncCharCodeAt):
2820         (JSC::stringProtoFuncNormalize):
2821
2822 2016-11-14  Mark Lam  <mark.lam@apple.com>
2823
2824         RegExpObject::exec/match should handle errors gracefully.
2825         https://bugs.webkit.org/show_bug.cgi?id=155145
2826         <rdar://problem/27435934>
2827
2828         Reviewed by Keith Miller.
2829
2830         1. Added some missing exception checks to RegExpObject::execInline() and
2831            RegExpObject::matchInline().
2832         2. Updated related code to work with ExceptionScope verification requirements.
2833
2834         * dfg/DFGOperations.cpp:
2835         * runtime/RegExpObjectInlines.h:
2836         (JSC::RegExpObject::execInline):
2837         (JSC::RegExpObject::matchInline):
2838         * runtime/RegExpPrototype.cpp:
2839         (JSC::regExpProtoFuncTestFast):
2840         (JSC::regExpProtoFuncExec):
2841         (JSC::regExpProtoFuncMatchFast):
2842
2843 2016-11-13  Mark Lam  <mark.lam@apple.com>
2844
2845         Add debugging facility to limit the max single allocation size.
2846         https://bugs.webkit.org/show_bug.cgi?id=164681
2847
2848         Reviewed by Keith Miller.
2849
2850         Added a JSC option to set FastMalloc's maxSingleAllocationSize for testing purposes.
2851         This option is only available on Debug builds.
2852
2853         * runtime/Options.cpp:
2854         (JSC::Options::isAvailable):
2855         (JSC::recomputeDependentOptions):
2856         * runtime/Options.h:
2857
2858 2016-11-12  Joseph Pecoraro  <pecoraro@apple.com>
2859
2860         Follow-up fix to r208639.
2861
2862         Unreviewed fix. This is a straightforward change where I forgot to
2863         switch from uncheckedArgument() to argument() in one case after
2864         dropping an argumentCount check. All other cases do this properly.
2865         This addresses an ASSERT seen on the bots running tests.
2866
2867         * runtime/JSDataViewPrototype.cpp:
2868         (JSC::setData):
2869
2870 2016-11-11  Joseph Pecoraro  <pecoraro@apple.com>
2871
2872         test262: DataView with explicit undefined byteLength should be the same as it not being present
2873         https://bugs.webkit.org/show_bug.cgi?id=164453
2874
2875         Reviewed by Darin Adler.
2876
2877         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2878         (JSC::constructGenericTypedArrayView):
2879         Handle the special case of DataView construction with an undefined byteLength value.
2880
2881 2016-11-11  Joseph Pecoraro  <pecoraro@apple.com>
2882
2883         test262: DataView get methods should allow for missing offset, set methods should allow for missing value
2884         https://bugs.webkit.org/show_bug.cgi?id=164451
2885
2886         Reviewed by Darin Adler.
2887
2888         * runtime/JSDataViewPrototype.cpp:
2889         (JSC::getData):
2890         Missing offset is still valid and will be coerced to 0.
2891
2892         (JSC::setData):
2893         Missing value is still valid and will be coerced to 0.
2894
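The two DataView entries above describe argument-coercion edge cases that test262 pins down. The following is an added example, not WebKit test code: it probes those behaviours in any spec-conformant engine (an explicit undefined byteLength, a missing get offset, a missing set value) together with the ToIndex RangeError for negative offsets and lengths. The buffer contents and the helper name throwsType are constructed for this example.

```javascript
// Added example, not WebKit test code: probes of the DataView behaviours
// the entries above bring in line with test262. The buffer contents are
// constructed here; throwsType is this example's own helper.

// Returns true when fn() throws an instance of ErrorType, false otherwise.
function throwsType(fn, ErrorType) {
  try {
    fn();
    return false;
  } catch (e) {
    return e instanceof ErrorType;
  }
}

function dataViewEdgeCases() {
  const buffer = new ArrayBuffer(8);
  new Uint8Array(buffer).set([0xAA, 0xBB, 0xCC, 0xDD, 0x00, 0x00, 0x00, 0x00]);
  const results = {};

  // An explicit undefined byteLength must behave exactly like an absent one:
  // the view extends from the offset to the end of the buffer.
  results.absentLength = new DataView(buffer, 2).byteLength;
  results.undefinedLength = new DataView(buffer, 2, undefined).byteLength;

  const view = new DataView(buffer);
  // get methods: a missing offset is ToIndex(undefined), i.e. 0.
  results.getNoOffset = view.getUint8();
  // set methods: a missing value is ToNumber(undefined) === NaN, stored as 0.
  view.setUint8(0);
  results.afterSetNoValue = view.getUint8(0);
  // The one-byte store above must not touch its neighbour.
  results.neighbourByte = view.getUint8(1);
  // ToIndex rejects negative offsets and lengths with a RangeError
  // instead of wrapping them into an in-bounds index.
  results.negativeOffsetRejected = throwsType(() => view.getUint32(-1), RangeError);
  results.negativeLengthRejected = throwsType(() => new DataView(buffer, 0, -1), RangeError);

  return results;
}
```

Running dataViewEdgeCases() in an engine that lacks either fix shows up as a wrong byteLength, a TypeError on the argument-less getUint8()/setUint8(0) calls, or a missing RangeError; the returned object makes each case checkable on its own.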
2895 2016-11-11  Saam Barati  <sbarati@apple.com>
2896
2897         We should have a more concise way of determining when we're varargs calling a function using rest parameters
2898         https://bugs.webkit.org/show_bug.cgi?id=164258
2899
2900         Reviewed by Yusuke Suzuki.
2901
2902         This patch adds two new bytecodes and DFG nodes for the following code patterns:
2903
2904         ```
2905         foo(a, b, ...c)
2906         let x = [a, b, ...c];
2907         ```
2908
2909         To do this, I've introduced two new bytecode operations (and their
2910         corresponding DFG nodes):
2911
2912         op_spread and op_new_array_with_spread.
2913
2914         op_spread takes a single input and performs the ES6 iteration protocol on it.
2915         It returns the result of doing the spread inside a new class I've
2916         made called JSFixedArray. JSFixedArray is a cell with a single 'size'
2917         field and a buffer of values allocated inline in the cell. Abstracting
2918         the protocol into a single node is good because it will make IR analysis
2919         in the future much simpler. For now, it's also good because it allows
2920         us to create fast paths for array iteration (which is quite common).
2921         This fast path allows us to emit really good code for array iteration
2922         inside the DFG/FTL.
2923
2924         op_new_array_with_spread is a variable argument bytecode that also
2925         has a bit vector associated with it. The bit vector indicates if
2926         any particular argument is to be spread or not. Arguments that
2927         are spread are known to be JSFixedArray because we must emit an
2928         op_spread before op_new_array_with_spread consumes the value.
2929         For example, for this array:
2930         [a, b, ...c, d, ...e]
2931         we will have this bit vector:
2932         [0, 0, 1, 0, 1]
2933
2934         The reason I've chosen this IR is that it will make eliminating
2935         a rest allocation for this type of code much easier:
2936
2937         ```
2938         function foo(...args) {
2939             return bar(a, b, ...args);
2940         }
2941         ```
2942
2943         It will be easier to analyze the IR now that the operations
2944         will be described at a high level.
2945
2946         This patch is an ~8% speedup on ES6SampleBench on my MBP.
2947
2948         * CMakeLists.txt:
2949         * DerivedSources.make:
2950         * JavaScriptCore.xcodeproj/project.pbxproj:
2951         * builtins/IteratorHelpers.js: Added.
2952         (performIteration):
2953         * bytecode/BytecodeList.json:
2954         * bytecode/BytecodeUseDef.h:
2955         (JSC::computeUsesForBytecodeOffset):
2956         (JSC::computeDefsForBytecodeOffset):
2957         * bytecode/CodeBlock.cpp:
2958         (JSC::CodeBlock::dumpBytecode):
2959         * bytecode/ObjectPropertyConditionSet.cpp:
2960         (JSC::generateConditionForSelfEquivalence):
2961         * bytecode/ObjectPropertyConditionSet.h:
2962         * bytecode/TrackedReferences.cpp:
2963         (JSC::TrackedReferences::check):
2964         * bytecode/UnlinkedCodeBlock.h:
2965         (JSC::UnlinkedCodeBlock::bitVectors):
2966         (JSC::UnlinkedCodeBlock::bitVector):
2967         (JSC::UnlinkedCodeBlock::addBitVector):
2968         (JSC::UnlinkedCodeBlock::shrinkToFit):
2969         * bytecompiler/BytecodeGenerator.cpp:
2970         (JSC::BytecodeGenerator::emitNewArrayWithSpread):
2971         * bytecompiler/BytecodeGenerator.h:
2972         * bytecompiler/NodesCodegen.cpp:
2973         (JSC::ArrayNode::emitBytecode):
2974         * dfg/DFGAbstractInterpreterInlines.h:
2975         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2976         * dfg/DFGByteCodeParser.cpp:
2977         (JSC::DFG::ByteCodeParser::addToGraph):
2978         (JSC::DFG::ByteCodeParser::parseBlock):
2979         * dfg/DFGCapabilities.cpp:
2980         (JSC::DFG::capabilityLevel):
2981         * dfg/DFGClobberize.h:
2982         (JSC::DFG::clobberize):
2983         * dfg/DFGDoesGC.cpp:
2984         (JSC::DFG::doesGC):
2985         * dfg/DFGFixupPhase.cpp:
2986         (JSC::DFG::FixupPhase::fixupNode):
2987         (JSC::DFG::FixupPhase::watchHavingABadTime):
2988         * dfg/DFGGraph.h:
2989         (JSC::DFG::Graph::isWatchingArrayIteratorProtocolWatchpoint):
2990         * dfg/DFGNode.h:
2991         (JSC::DFG::Node::bitVector):
2992         * dfg/DFGNodeType.h:
2993         * dfg/DFGOperations.cpp:
2994         * dfg/DFGOperations.h:
2995         * dfg/DFGPredictionPropagationPhase.cpp:
2996         * dfg/DFGSafeToExecute.h:
2997         (JSC::DFG::safeToExecute):
2998         * dfg/DFGSpeculativeJIT.cpp:
2999         (JSC::DFG::SpeculativeJIT::compileSpread):
3000         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
3001         * dfg/DFGSpeculativeJIT.h:
3002         (JSC::DFG::SpeculativeJIT::callOperation):
3003         * dfg/DFGSpeculativeJIT32_64.cpp:
3004         (JSC::DFG::SpeculativeJIT::compile):
3005         * dfg/DFGSpeculativeJIT64.cpp:
3006         (JSC::DFG::SpeculativeJIT::compile):
3007         * dfg/DFGStructureRegistrationPhase.cpp:
3008         (JSC::DFG::StructureRegistrationPhase::run):
3009         * ftl/FTLAbstractHeapRepository.h:
3010         * ftl/FTLCapabilities.cpp:
3011         (JSC::FTL::canCompile):
3012         * ftl/FTLLowerDFGToB3.cpp:
3013         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3014         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
3015         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
3016         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
3017         * jit/AssemblyHelpers.h:
3018         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
3019         (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
3020         * jit/JIT.cpp:
3021         (JSC::JIT::privateCompileMainPass):
3022         * jit/JIT.h:
3023         * jit/JITOpcodes.cpp:
3024         (JSC::JIT::emit_op_new_array_with_spread):
3025         (JSC::JIT::emit_op_spread):
3026         * jit/JITOperations.h:
3027         * llint/LLIntData.cpp:
3028         (JSC::LLInt::Data::performAssertions):
3029         * llint/LLIntSlowPaths.cpp:
3030         * llint/LowLevelInterpreter.asm:
3031         * runtime/ArrayIteratorAdaptiveWatchpoint.cpp: Added.
3032         (JSC::ArrayIteratorAdaptiveWatchpoint::ArrayIteratorAdaptiveWatchpoint):
3033         (JSC::ArrayIteratorAdaptiveWatchpoint::handleFire):
3034         * runtime/ArrayIteratorAdaptiveWatchpoint.h: Added.
3035         * runtime/CommonSlowPaths.cpp:
3036         (JSC::SLOW_PATH_DECL):
3037         * runtime/CommonSlowPaths.h:
3038         * runtime/IteratorOperations.h:
3039         (JSC::forEachInIterable):
3040         * runtime/JSCInlines.h:
3041         * runtime/JSFixedArray.cpp: Added.
3042         (JSC::JSFixedArray::visitChildren):
3043         * runtime/JSFixedArray.h: Added.
3044         (JSC::JSFixedArray::createStructure):
3045         (JSC::JSFixedArray::createFromArray):
3046         (JSC::JSFixedArray::get):
3047         (JSC::JSFixedArray::buffer):
3048         (JSC::JSFixedArray::size):
3049         (JSC::JSFixedArray::offsetOfSize):
3050         (JSC::JSFixedArray::offsetOfData):
3051         (JSC::JSFixedArray::create):
3052         (JSC::JSFixedArray::JSFixedArray):
3053         (JSC::JSFixedArray::allocationSize):
3054         * runtime/JSGlobalObject.cpp:
3055         (JSC::JSGlobalObject::JSGlobalObject):
3056         (JSC::JSGlobalObject::init):
3057         (JSC::JSGlobalObject::visitChildren):
3058         (JSC::JSGlobalObject::objectPrototypeIsSane): Deleted.
3059         (JSC::JSGlobalObject::arrayPrototypeChainIsSane): Deleted.
3060         (JSC::JSGlobalObject::stringPrototypeChainIsSane): Deleted.
3061         * runtime/JSGlobalObject.h:
3062         (JSC::JSGlobalObject::arrayIteratorProtocolWatchpoint):
3063         (JSC::JSGlobalObject::iteratorProtocolFunction):
3064         * runtime/JSGlobalObjectInlines.h: Added.
3065         (JSC::JSGlobalObject::objectPrototypeIsSane):
3066         (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
3067         (JSC::JSGlobalObject::stringPrototypeChainIsSane):
3068         (JSC::JSGlobalObject::isArrayIteratorProtocolFastAndNonObservable):
3069         * runtime/JSType.h:
3070         * runtime/VM.cpp:
3071         (JSC::VM::VM):
3072         * runtime/VM.h:
3073
3074 2016-11-11  Keith Miller  <keith_miller@apple.com>
3075
3076         Move Wasm tests to JS
3077         https://bugs.webkit.org/show_bug.cgi?id=164611
3078
3079         Reviewed by Geoffrey Garen.
3080
3081         This patch translates most of the tests from testWasm.cpp to the JS testing API. Most of the
3082         omitted tests were the earliest tests, which tested trivial things, like adding two
3083         constants. Some tests are omitted for other reasons, however. These are:
3084
3085         1) Tests using I64, since the testing API does not yet know how to handle 64-bit numbers.
3086         2) Tests that would validate the memory of the module once wasm was done with it, since that's
3087         not really possible in JS.
3088
3089         In order to make such a translation easier this patch also adds some features to the JS
3090         testing api:
3091
3092         1) Blocks can now be done lexically by adding a lambda as the last argument of the block
3093         opcode. For example one can do:
3094             ...
3095             .Block("i32", b => b.I32Const(1) )
3096
3097         and the nested lambda will automatically have an end attached.
3098
3099         2) The JS testing api can now handle inline signature types.
3100
3101         3) Relocate some code to make it easier to follow and prevent 44 space indentation.
3102
3103         4) Rename varuint/varint to varuint32/varint32; this lets them be directly called from the
3104         wasm.json without being remapped.
3105
3106         5) Add support for Memory and Function sections to the Builder.
3107
3108         6) Add support for local variables.
3109
3110         On the JSC side, we needed to expose a new function to validate that the compiled wasm code
3111         behaves the way we expect, at least until the JS Wasm API is finished. The new validation
3112         function, testWasmModuleFunctions, takes an array buffer containing the wasm binary, the
3113         number of functions in the blob and tests for each of those functions.
3114
3115         * jsc.cpp:
3116         (GlobalObject::finishCreation):
3117         (box):
3118         (callWasmFunction):
3119         (functionTestWasmModuleFunctions):
3120         * testWasm.cpp:
3121         (checkPlan):
3122         (runWasmTests):
3123         * wasm/WasmB3IRGenerator.cpp:
3124         (JSC::Wasm::parseAndCompile):
3125         * wasm/WasmFunctionParser.h:
3126         (JSC::Wasm::FunctionParser<Context>::parse):
3127         (JSC::Wasm::FunctionParser<Context>::parseBody):
3128         (JSC::Wasm::FunctionParser<Context>::parseBlock): Deleted.
3129         * wasm/WasmModuleParser.cpp:
3130         (JSC::Wasm::ModuleParser::parseMemory):
3131         (JSC::Wasm::ModuleParser::parseExport):
3132         * wasm/WasmPlan.cpp:
3133         (JSC::Wasm::Plan::Plan):
3134         (JSC::Wasm::Plan::run):
3135         * wasm/WasmPlan.h:
3136         * wasm/js/WebAssemblyModuleConstructor.cpp:
3137         (JSC::constructJSWebAssemblyModule):
3138
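The entry above describes two conventions of the JS testing API: a lambda passed as the last argument of a block opcode builds the block body and gets its end attached automatically, and varuint/varint are renamed varuint32/varint32 to match wasm.json. The following is an added example, not the WebKit Builder: a miniature function-body builder that implements both. Opcode and value-type bytes follow the WebAssembly MVP binary format; the class name Builder, the method names and the OP/VALTYPE tables are this example's own, and the example also shows nested lambdas, which the entry does not spell out.

```javascript
// Added example, not the WebKit Builder: a miniature wasm function-body
// builder. OP/VALTYPE bytes are the WebAssembly MVP encoding; names are ours.

const OP = { block: 0x02, end: 0x0b, i32_const: 0x41 };
const VALTYPE = { void: 0x40, i32: 0x7f, i64: 0x7e, f32: 0x7d, f64: 0x7c };

// Unsigned LEB128 ("varuint32"). Uses % and floor so the full uint32 range
// works; >>> would truncate to int32.
function varuint32(n) {
  if (!Number.isInteger(n) || n < 0 || n > 0xFFFFFFFF)
    throw new RangeError(`varuint32 out of range: ${n}`);
  const out = [];
  do {
    let byte = n % 128;
    n = Math.floor(n / 128);
    if (n !== 0) byte |= 0x80; // more bytes follow
    out.push(byte);
  } while (n !== 0);
  return out;
}

// Signed LEB128 ("varint32"). Stops once the remaining value is all sign
// bits and bit 6 of the last emitted byte already carries that sign.
function varint32(n) {
  if (!Number.isInteger(n) || n < -0x80000000 || n > 0x7FFFFFFF)
    throw new RangeError(`varint32 out of range: ${n}`);
  const out = [];
  for (;;) {
    let byte = n & 0x7f;
    n >>= 7; // arithmetic shift keeps the sign
    const done = (n === 0 && (byte & 0x40) === 0) || (n === -1 && (byte & 0x40) !== 0);
    if (!done) byte |= 0x80;
    out.push(byte);
    if (done) return out;
  }
}

class Builder {
  constructor() { this.bytes = []; }
  I32Const(value) { this.bytes.push(OP.i32_const, ...varint32(value)); return this; }
  End() { this.bytes.push(OP.end); return this; }
  // Block(type) opens a block the caller must End() explicitly;
  // Block(type, b => ...) runs the lambda against this builder and
  // appends the end itself, so the block is closed lexically.
  Block(type, body) {
    if (!(type in VALTYPE)) throw new TypeError(`unknown block type: ${type}`);
    this.bytes.push(OP.block, VALTYPE[type]);
    if (typeof body === "function") {
      body(this);
      this.End();
    }
    return this;
  }
}

// .Block("i32", b => b.I32Const(1)) from the entry: block i32, i32.const 1, end.
function lexicalBlockExample() {
  return new Builder().Block("i32", b => b.I32Const(1)).bytes;
}

// Nested lambdas each receive their own end, innermost first.
function nestedBlockExample() {
  return new Builder()
    .Block("void", b => b.Block("i32", inner => inner.I32Const(-1)))
    .bytes;
}
```

Because the lambda form always pairs a block with its end, a test author cannot forget the terminator or attach it to the wrong nesting level; the explicit End() path remains for bodies that are built across several statements.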
3139 2016-11-11  Saam Barati  <sbarati@apple.com>
3140
3141         Unreviewed attempt to fix the Windows build after https://bugs.webkit.org/show_bug.cgi?id=164650
3142
3143         * dfg/DFGByteCodeParser.cpp:
3144         (JSC::DFG::ByteCodeParser::parseBlock):
3145
3146 2016-11-11  Saam Barati  <sbarati@apple.com>
3147
3148         We recursively grab a lock in the DFGBytecodeParser causing us to deadlock
3149         https://bugs.webkit.org/show_bug.cgi?id=164650
3150
3151         Reviewed by Geoffrey Garen.
3152
3153         Some code was incorrectly holding a lock when recursively calling
3154         back into the bytecode parser via inlining a put_by_val as a put_by_id.
3155         This can cause a deadlock if the inlinee CodeBlock is something we're
3156         already holding a lock for. I've changed the range of the lock holder
3157         to be as narrow as possible.
3158
3159         * dfg/DFGByteCodeParser.cpp:
3160         (JSC::DFG::ByteCodeParser::parseBlock):
3161
3162 2016-11-11  Chris Dumez  <cdumez@apple.com>
3163
3164         Unreviewed, rolling out r208584.
3165
3166         Seems to have regressed Speedometer by 1% on Mac
3167
3168         Reverted changeset:
3169
3170         "We should have a more concise way of determining when we're
3171         varargs calling a function using rest parameters"
3172         https://bugs.webkit.org/show_bug.cgi?id=164258
3173         http://trac.webkit.org/changeset/208584
3174
3175 2016-11-11  Chris Dumez  <cdumez@apple.com>
3176
3177         Unreviewed, rolling out r208117 and r208160.
3178
3179         Regressed Speedometer by >1.5%
3180
3181         Reverted changesets:
3182
3183         "We should have a way of profiling when a get_by_id is pure
3184         and to emit a PureGetById in the DFG/FTL"
3185         https://bugs.webkit.org/show_bug.cgi?id=163305
3186         http://trac.webkit.org/changeset/208117
3187
3188         "Debug JSC test microbenchmarks/pure-get-by-id-cse-2.js timing
3189         out"
3190         https://bugs.webkit.org/show_bug.cgi?id=164227
3191         http://trac.webkit.org/changeset/208160
3192
3193 2016-11-11  Saam Barati  <sbarati@apple.com>
3194
3195         We should have a more concise way of determining when we're varargs calling a function using rest parameters
3196         https://bugs.webkit.org/show_bug.cgi?id=164258
3197
3198         Reviewed by Yusuke Suzuki.
3199
3200         This patch adds two new bytecodes and DFG nodes for the following code patterns:
3201
3202         ```
3203         foo(a, b, ...c)
3204         let x = [a, b, ...c];
3205         ```
3206
3207         To do this, I've introduced two new bytecode operations (and their
3208         corresponding DFG nodes):
3209
3210         op_spread and op_new_array_with_spread.
3211
3212         op_spread takes a single input and performs the ES6 iteration protocol on it.
3213         It returns the result of doing the spread inside a new class I've
3214         made called JSFixedArray. JSFixedArray is a cell with a single 'size'
3215         field and a buffer of values allocated inline in the cell. Abstracting
3216         the protocol into a single node is good because it will make IR analysis
3217         in the future much simpler. For now, it's also good because it allows
3218         us to create fast paths for array iteration (which is quite common).
3219         This fast path allows us to emit really good code for array iteration
3220         inside the DFG/FTL.
3221
3222         op_new_array_with_spread is a variable argument bytecode that also
3223         has a bit vector associated with it. The bit vector indicates if
3224         any particular argument is to be spread or not. Arguments that
3225         are spread are known to be JSFixedArray because we must emit an
3226         op_spread before op_new_array_with_spread consumes the value.
3227         For example, for this array:
3228         [a, b, ...c, d, ...e]
3229         we will have this bit vector:
3230         [0, 0, 1, 0, 1]
3231
3232         The reason I've chosen this IR is that it will make eliminating
3233         a rest allocation for this type of code much easier:
3234
3235         ```
3236         function foo(...args) {
3237             return bar(a, b, ...args);
3238         }
3239         ```
3240
3241         It will be easier to analyze the IR now that the operations
3242         will be described at a high level.
3243
3244         This patch is an ~8% speedup on ES6SampleBench on my MBP.
3245
3246         * CMakeLists.txt:
3247         * DerivedSources.make:
3248         * JavaScriptCore.xcodeproj/project.pbxproj:
3249         * builtins/IteratorHelpers.js: Added.
3250         (performIteration):
3251         * bytecode/BytecodeList.json:
3252         * bytecode/BytecodeUseDef.h:
3253         (JSC::computeUsesForBytecodeOffset):
3254         (JSC::computeDefsForBytecodeOffset):
3255         * bytecode/CodeBlock.cpp:
3256         (JSC::CodeBlock::dumpBytecode):
3257         * bytecode/ObjectPropertyConditionSet.cpp:
3258         (JSC::generateConditionForSelfEquivalence):
3259         * bytecode/ObjectPropertyConditionSet.h:
3260         * bytecode/TrackedReferences.cpp:
3261         (JSC::TrackedReferences::check):
3262         * bytecode/UnlinkedCodeBlock.h:
3263         (JSC::UnlinkedCodeBlock::bitVectors):
3264         (JSC::UnlinkedCodeBlock::bitVector):
3265         (JSC::UnlinkedCodeBlock::addBitVector):
3266         (JSC::UnlinkedCodeBlock::shrinkToFit):
3267         * bytecompiler/BytecodeGenerator.cpp:
3268         (JSC::BytecodeGenerator::emitNewArrayWithSpread):
3269         * bytecompiler/BytecodeGenerator.h:
3270         * bytecompiler/NodesCodegen.cpp:
3271         (JSC::ArrayNode::emitBytecode):
3272         * dfg/DFGAbstractInterpreterInlines.h:
3273         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3274         * dfg/DFGByteCodeParser.cpp:
3275         (JSC::DFG::ByteCodeParser::addToGraph):
3276         (JSC::DFG::ByteCodeParser::parseBlock):
3277         * dfg/DFGCapabilities.cpp:
3278         (JSC::DFG::capabilityLevel):
3279         * dfg/DFGClobberize.h:
3280         (JSC::DFG::clobberize):
3281         * dfg/DFGDoesGC.cpp:
3282         (JSC::DFG::doesGC):
3283         * dfg/DFGFixupPhase.cpp:
3284         (JSC::DFG::FixupPhase::fixupNode):
3285         (JSC::DFG::FixupPhase::watchHavingABadTime):
3286         * dfg/DFGGraph.h:
3287         (JSC::DFG::Graph::isWatchingArrayIteratorProtocolWatchpoint):
3288         * dfg/DFGNode.h:
3289         (JSC::DFG::Node::bitVector):
3290         * dfg/DFGNodeType.h:
3291         * dfg/DFGOperations.cpp:
3292         * dfg/DFGOperations.h:
3293         * dfg/DFGPredictionPropagationPhase.cpp:
3294         * dfg/DFGSafeToExecute.h:
3295         (JSC::DFG::safeToExecute):
3296         * dfg/DFGSpeculativeJIT.cpp:
3297         (JSC::DFG::SpeculativeJIT::compileSpread):
3298         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
3299         * dfg/DFGSpeculativeJIT.h:
3300         (JSC::DFG::SpeculativeJIT::callOperation):
3301         * dfg/DFGSpeculativeJIT32_64.cpp:
3302         (JSC::DFG::SpeculativeJIT::compile):
3303         * dfg/DFGSpeculativeJIT64.cpp:
3304         (JSC::DFG::SpeculativeJIT::compile):
3305         * dfg/DFGStructureRegistrationPhase.cpp:
3306         (JSC::DFG::StructureRegistrationPhase::run):
3307         * ftl/FTLAbstractHeapRepository.h:
3308         * ftl/FTLCapabilities.cpp:
3309         (JSC::FTL::canCompile):
3310         * ftl/FTLLowerDFGToB3.cpp:
3311         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3312         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
3313         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
3314         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
3315         * jit/AssemblyHelpers.h:
3316         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
3317         (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
3318         * jit/JIT.cpp:
3319         (JSC::JIT::privateCompileMainPass):
3320         * jit/JIT.h:
3321         * jit/JITOpcodes.cpp:
3322         (JSC::JIT::emit_op_new_array_with_spread):
3323         (JSC::JIT::emit_op_spread):
3324         * jit/JITOperations.h:
3325         * llint/LLIntData.cpp:
3326         (JSC::LLInt::Data::performAssertions):
3327         * llint/LLIntSlowPaths.cpp:
3328         * llint/LowLevelInterpreter.asm:
3329         * runtime/ArrayIteratorAdaptiveWatchpoint.cpp: Added.
3330         (JSC::ArrayIteratorAdaptiveWatchpoint::ArrayIteratorAdaptiveWatchpoint):
3331         (JSC::ArrayIteratorAdaptiveWatchpoint::handleFire):
3332         * runtime/ArrayIteratorAdaptiveWatchpoint.h: Added.
3333         * runtime/CommonSlowPaths.cpp:
3334         (JSC::SLOW_PATH_DECL):
3335         * runtime/CommonSlowPaths.h:
3336         * runtime/IteratorOperations.h:
3337         (JSC::forEachInIterable):
3338         * runtime/JSCInlines.h:
3339         * runtime/JSFixedArray.cpp: Added.
3340         (JSC::JSFixedArray::visitChildren):
3341         * runtime/JSFixedArray.h: Added.
3342         (JSC::JSFixedArray::createStructure):
3343         (JSC::JSFixedArray::createFromArray):
3344         (JSC::JSFixedArray::get):
3345         (JSC::JSFixedArray::buffer):
3346         (JSC::JSFixedArray::size):
3347         (JSC::JSFixedArray::offsetOfSize):
3348         (JSC::JSFixedArray::offsetOfData):
3349         (JSC::JSFixedArray::create):
3350         (JSC::JSFixedArray::JSFixedArray):
3351         (JSC::JSFixedArray::allocationSize):
3352         * runtime/JSGlobalObject.cpp:
3353         (JSC::JSGlobalObject::JSGlobalObject):
3354         (JSC::JSGlobalObject::init):
3355         (JSC::JSGlobalObject::visitChildren):
3356         (JSC::JSGlobalObject::objectPrototypeIsSane): Deleted.
3357         (JSC::JSGlobalObject::arrayPrototypeChainIsSane): Deleted.
3358         (JSC::JSGlobalObject::stringPrototypeChainIsSane): Deleted.
3359         * runtime/JSGlobalObject.h:
3360         (JSC::JSGlobalObject::arrayIteratorProtocolWatchpoint):
3361         (JSC::JSGlobalObject::iteratorProtocolFunction):
3362         * runtime/JSGlobalObjectInlines.h: Added.
3363         (JSC::JSGlobalObject::objectPrototypeIsSane):
3364         (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
3365         (JSC::JSGlobalObject::stringPrototypeChainIsSane):
3366         (JSC::JSGlobalObject::isArrayIteratorProtocolFastAndNonObservable):
3367         * runtime/JSType.h:
3368         * runtime/VM.cpp:
3369         (JSC::VM::VM):
3370         * runtime/VM.h:
3371
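This entry (and its re-landing above) describes op_spread producing a JSFixedArray and op_new_array_with_spread consuming an argument list plus a bit vector that marks which slots are spread. The following is an added example, not JavaScriptCore code: a reference model of those two operations in plain JavaScript. FixedArray stands in for JSFixedArray; opSpread, opNewArrayWithSpread and lowerArrayLiteral are this example's own names, the sample values are constructed, and the generator case goes beyond the entry to show that any iterable, not only arrays, goes through the same protocol.

```javascript
// Added example, not JavaScriptCore code: a reference model of op_spread and
// op_new_array_with_spread. Names and sample values are this example's own.

// Stand-in for JSFixedArray: a cell with a single `size` and an inline buffer.
class FixedArray {
  constructor(values) {
    this.size = values.length;
    this.buffer = Object.freeze(values.slice());
    Object.freeze(this);
  }
}

// op_spread: run the ES6 iteration protocol once over the operand and
// capture every value it yields.
function opSpread(value) {
  if (value == null || typeof value[Symbol.iterator] !== "function")
    throw new TypeError("spread operand is not iterable");
  const values = [];
  for (const v of value) values.push(v);
  return new FixedArray(values);
}

// op_new_array_with_spread: args[i] is copied as-is when bits[i] is 0 and
// flattened when bits[i] is 1. A spread slot must hold a FixedArray because
// an op_spread is always emitted before this operation consumes the value.
function opNewArrayWithSpread(args, bits) {
  if (args.length !== bits.length)
    throw new TypeError("bit vector length must match the argument count");
  const result = [];
  for (let i = 0; i < args.length; i++) {
    if (!bits[i]) { result.push(args[i]); continue; }
    if (!(args[i] instanceof FixedArray))
      throw new TypeError(`argument ${i} is marked as spread but is not a FixedArray`);
    for (let j = 0; j < args[i].size; j++) result.push(args[i].buffer[j]);
  }
  return result;
}

// Lowering of one array literal (or call argument list): elements are
// {value, spread}. Each spread element gets an op_spread first, and the whole
// literal becomes a single op_new_array_with_spread with one bit per slot.
function lowerArrayLiteral(elements) {
  const bits = elements.map(e => (e.spread ? 1 : 0));
  const args = elements.map(e => (e.spread ? opSpread(e.value) : e.value));
  return { bits, result: opNewArrayWithSpread(args, bits) };
}

// [a, b, ...c, d, ...e] with constructed values; e is a generator so the
// iteration protocol, not array indexing, is what gets exercised.
function literalExample() {
  function* evens() { yield 6; yield 8; }
  const a = 1, b = 2, c = [3, 4], d = 5, e = evens();
  return lowerArrayLiteral([
    { value: a }, { value: b }, { value: c, spread: true },
    { value: d }, { value: e, spread: true },
  ]);
}

// function foo(...args) { return bar(a, b, ...args); } from the entry: the
// call-site argument list lowers exactly like the array literal above.
function restCallExample(...args) {
  const bar = (...callArgs) => callArgs;
  const a = "a", b = "b";
  const { result } = lowerArrayLiteral([
    { value: a }, { value: b }, { value: args, spread: true },
  ]);
  return bar(...result);
}
```

The bit vector is what lets a later analysis reason about the literal without re-deriving the iteration: a slot whose bit is 0 is a plain value, and a slot whose bit is 1 is known to already be a fully materialized FixedArray, which is the property the entry relies on for eliminating the rest-parameter allocation.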
3372 2016-11-10  JF Bastien  <jfbastien@apple.com>
3373
3374         ASSERTION FAILED: length > offset encountered with wasm.yaml/wasm/js-api/test_Module.js.default-wasm
3375         https://bugs.webkit.org/show_bug.cgi?id=164597
3376
3377         Reviewed by Keith Miller.
3378
3379         * wasm/WasmParser.h:
3380         (JSC::Wasm::Parser::parseVarUInt32): move closer to other parsers
3381         (JSC::Wasm::Parser::parseVarUInt64): move closer to other parsers
3382
3383 2016-11-10  Joseph Pecoraro  <pecoraro@apple.com>
3384
3385         test262: DataView / TypedArray methods should throw RangeErrors for negative numbers (ToIndex)
3386         https://bugs.webkit.org/show_bug.cgi?id=164450
3387
3388         Reviewed by Darin Adler.