8872a5e1481f1324f5f301c8643105e348349998
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-03-02  Alex Christensen  <achristensen@webkit.org>

        Continue enabling WebRTC
        https://bugs.webkit.org/show_bug.cgi?id=169056

        Reviewed by Jon Lee.

        * Configurations/FeatureDefines.xcconfig:

2017-03-02  Tomas Popela  <tpopela@redhat.com>

        Incorrect RELEASE_ASSERT in JSGlobalObject::addStaticGlobals()
        https://bugs.webkit.org/show_bug.cgi?id=169034

        Reviewed by Mark Lam.

        It should not assign to offset, but compare to offset.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::addStaticGlobals):

2017-03-01  Alex Christensen  <achristensen@webkit.org>

        Unreviewed, rolling out r213259.

        Broke an internal build

        Reverted changeset:

        "Continue enabling WebRTC"
        https://bugs.webkit.org/show_bug.cgi?id=169056
        http://trac.webkit.org/changeset/213259

2017-03-01  Alex Christensen  <achristensen@webkit.org>

        Continue enabling WebRTC
        https://bugs.webkit.org/show_bug.cgi?id=169056

        Reviewed by Jon Lee.

        * Configurations/FeatureDefines.xcconfig:

2017-03-01  Michael Saboff  <msaboff@apple.com>

        Source/JavaScriptCore/ChangeLog
        https://bugs.webkit.org/show_bug.cgi?id=169055

        Reviewed by Mark Lam.

        Made local copies of options strings for OptionRange and string typed options.

        * runtime/Options.cpp:
        (JSC::parse):
        (JSC::OptionRange::init):

2017-03-01  Mark Lam  <mark.lam@apple.com>

        [Re-landing] Change JSLock to stash PlatformThread instead of std::thread::id.
        https://bugs.webkit.org/show_bug.cgi?id=168996

        Reviewed by Filip Pizlo and Saam Barati.

        PlatformThread is more useful because it allows us to:
        1. find the MachineThreads::Thread which is associated with it.
        2. suspend / resume threads.
        3. send a signal to a thread.

        We can't do those with std::thread::id.  We will need one or more of these
        capabilities to implement non-polling VM traps later.

        Update: Since we don't have a canonical "uninitialized" value for PlatformThread,
        we now have a JSLock::m_hasOwnerThread flag that is set to true if and only if the
        m_ownerThread value is valid.  JSLock::currentThreadIsHoldingLock() now checks
        JSLock::m_hasOwnerThread before doing the thread identity comparison.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::Thread::createForCurrentThread):
        (JSC::MachineThreads::machineThreadForCurrentThread):
        (JSC::MachineThreads::removeThread):
        (JSC::MachineThreads::Thread::suspend):
        (JSC::MachineThreads::tryCopyOtherThreadStacks):
        (JSC::getCurrentPlatformThread): Deleted.
        * heap/MachineStackMarker.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::classInfo):
        * runtime/JSLock.cpp:
        (JSC::JSLock::JSLock):
        (JSC::JSLock::lock):
        (JSC::JSLock::unlock):
        (JSC::JSLock::currentThreadIsHoldingLock): Deleted.
        * runtime/JSLock.h:
        (JSC::JSLock::ownerThread):
        (JSC::JSLock::currentThreadIsHoldingLock):
        * runtime/PlatformThread.h: Added.
        (JSC::currentPlatformThread):
        * runtime/VM.cpp:
        (JSC::VM::~VM):
        * runtime/VM.h:
        (JSC::VM::ownerThread):
        * runtime/Watchdog.cpp:
        (JSC::Watchdog::setTimeLimit):
        (JSC::Watchdog::shouldTerminate):
        (JSC::Watchdog::startTimer):
        (JSC::Watchdog::stopTimer):
        * tools/JSDollarVMPrototype.cpp:
        (JSC::JSDollarVMPrototype::currentThreadOwnsJSLock):
        * tools/VMInspector.cpp:

2017-03-01  Saam Barati  <sbarati@apple.com>

        Implement a mega-disassembler that'll be used in the FTL
        https://bugs.webkit.org/show_bug.cgi?id=168685

        Reviewed by Mark Lam.

        This patch extends the previous Air disassembler to print the
        DFG and B3 nodes belonging to particular Air instructions.
        The algorithm I'm using to do this is not perfect. For example,
        it won't try to print the entire DFG/B3 graph. It'll just print
        the related nodes for particular Air instructions. We can make the
        algorithm more sophisticated as we get more experience looking at
        these IR dumps and get a better feel for what we want out of them.

        This is an example of the output:

        ...
        ...
        200:<!0:->  InvalidationPoint(MustGen, W:SideState, Exits, bc#28, exit: bc#25 --> _getEntry#DlGw2r:<0x10276f980> bc#37)
           Void @54 = Patchpoint(@29:ColdAny, @29:ColdAny, @53:ColdAny, DFG:@200, generator = 0x1015d6c18, earlyClobbered = [], lateClobbered = [], usedRegisters = [%r0, %r19, %r20, %r21, %r22, %fp], resultConstraint = WarmAny, ExitsSideways|WritesPinned|ReadsPinned|Reads:Top)
               Patch &Patchpoint2, %r20, %r20, %r0, @54
         76:< 6:->  GetByOffset(KnownCell:@44, KnownCell:@44, JS|UseAsOther, Array, id3{_elementData}, 2, inferredType = Object, R:NamedProperties(3), Exits, bc#37)  predicting Array
           Int64 @57 = Load(@29, DFG:@76, offset = 32, ControlDependent|Reads:100...101)
               Move 32(%r20), %r5, @57
                      0x389cc9ac0:    ldur   x5, [x20, #32]
        115:<!0:->  CheckStructure(Cell:@76, MustGen, [0x1027eae20:[Array, {}, ArrayWithContiguous, Proto:0x1027e0140]], R:JSCell_structureID, Exits, bc#46)
           Int32 @58 = Load(@57, DFG:@115, ControlDependent|Reads:16...17)
               Move32 (%r5), %r1, @58
                      0x389cc9ac4:    ldur   w1, [x5]
           Int32 @59 = Const32(DFG:@115, 92)
           Int32 @60 = NotEqual(@58, $92(@59), DFG:@115)
           Void @61 = Check(@60:WarmAny, @57:ColdAny, @29:ColdAny, @29:ColdAny, @53:ColdAny, @57:ColdAny, DFG:@115, generator = 0x1057991e0, earlyClobbered = [], lateClobbered = [], usedRegisters = [%r0, %r5, %r19, %r20, %r21, %r22, %fp], ExitsSideways|Reads:Top)
               Patch &Branch32(3,SameAsRep)1, NotEqual, %r1, $92, %r5, %r20, %r20, %r0, %r5, @61
                      0x389cc9ac8:    cmp    w1, #92
                      0x389cc9acc:    b.ne   0x389cc9dac
        117:< 2:->  GetButterfly(Cell:@76, Storage|PureInt, R:JSObject_butterfly, Exits, bc#46)
           Int64 @64 = Load(@57, DFG:@117, offset = 8, ControlDependent|Reads:24...25)
               Move 8(%r5), %r4, @64
                      0x389cc9ad0:    ldur   x4, [x5, #8]
         79:< 2:->  GetArrayLength(KnownCell:@76, Untyped:@117, JS|PureInt|UseAsInt, Nonboolint32, Contiguous+OriginalArray+InBounds+AsIs, R:Butterfly_publicLength, Exits, bc#46)
           Int32 @67 = Load(@64, DFG:@79, offset = -8, ControlDependent|Reads:3...4)
               Move32 -8(%r4), %r2, @67
                      0x389cc9ad4:    ldur   w2, [x4, #-8]
      192:< 1:->  JSConstant(JS|PureInt, Nonboolint32, Int32: -1, bc#0)
           Int32 @68 = Const32(DFG:@192, -1)
               Move $0xffffffffffffffff, %r1, $-1(@68)
                      0x389cc9ad8:    mov    x1, #-1
         83:<!2:->  ArithAdd(Int32:Kill:@79, Int32:Kill:@192, Number|MustGen|PureInt|UseAsInt, Int32, Unchecked, Exits, bc#55)
           Int32 @69 = Add(@67, $-1(@68), DFG:@83)
               Add32 %r2, %r1, %r1, @69
                      0x389cc9adc:    add    w1, w2, w1
         86:< 3:->  BitAnd(Check:Int32:@71, Int32:Kill:@83, Int32|UseAsOther|UseAsInt|ReallyWantsInt, Int32, Exits, bc#60)
           Int32 @70 = Below(@53, $-281474976710656(@15), DFG:@86)
           Void @71 = Check(@70:WarmAny, @53:ColdAny, @29:ColdAny, @29:ColdAny, @53:ColdAny, @69:ColdAny, DFG:@86, generator = 0x105799370, earlyClobbered = [], lateClobbered = [], usedRegisters = [%r0, %r1, %r2, %r4, %r5, %r19, %r20, %r21, %r22, %fp], ExitsSideways|Reads:Top)
               Patch &Branch64(3,SameAsRep)0, Below, %r0, %r22, %r0, %r20, %r20, %r0, %r1, @71
                      0x389cc9ae0:    cmp    x0, x22
                      0x389cc9ae4:    b.lo   0x389cc9dc0
           Int32 @72 = Trunc(@53, DFG:@86)
           Int32 @73 = BitAnd(@69, @72, DFG:@86)
               And32 %r1, %r0, %r1, @73
                      0x389cc9ae8:    and    w1, w1, w0
           16:<!0:->  PutStack(KnownInt32:@71, MustGen, loc27, machine:loc3, FlushedInt32, W:Stack(-28), bc#19)
           Int32 @72 = Trunc(@53, DFG:@86)
           Int64 @11 = SlotBase(stack0)
           Void @76 = Store(@72, @11, DFG:@16, offset = 32, ControlDependent|Writes:94...95)
               Move32 %r0, -64(%fp), @76
                      0x389cc9aec:    stur   w0, [fp, #-64]
           12:<!0:->  PutStack(Untyped:@86, MustGen, loc28, machine:loc4, FlushedJSValue, W:Stack(-29), bc#19)
           Int64 @77 = ZExt32(@73, DFG:@12)
           Int64 @78 = Add(@77, $-281474976710656(@15), DFG:@12)
               Add64 %r1, %r22, %r3, @78
                      0x389cc9af0:    add    x3, x1, x22
           Int64 @11 = SlotBase(stack0)
           Void @81 = Store(@78, @11, DFG:@12, offset = 24, ControlDependent|Writes:95...96)
               Move %r3, -72(%fp), @81
                      0x389cc9af4:    stur   x3, [fp, #-72]
           10:<!0:->  PutStack(KnownInt32:@46, MustGen, loc29, machine:loc5, FlushedInt32, W:Stack(-30), bc#19)
           Int32 @82 = Trunc(@24, DFG:@10)
           Int64 @11 = SlotBase(stack0)
           Void @85 = Store(@82, @11, DFG:@10, offset = 16, ControlDependent|Writes:96...97)
               Move32 %r21, -80(%fp), @85
                      0x389cc9af8:    stur   w21, [fp, #-80]
          129:<!10:->  GetByVal(KnownCell:Kill:@76, Int32:Kill:@86, Untyped:Kill:@117, JS|MustGen|UseAsOther, FinalOther, Contiguous+OriginalArray+OutOfBounds+AsIs, R:World, W:Heap, Exits, ClobbersExit, bc#19)  predicting FinalOther
           Int32 @89 = AboveEqual(@73, @67, DFG:@129)
           Void @90 = Branch(@89, DFG:@129, Terminal)
               Branch32 AboveOrEqual, %r1, %r2, @90
                      0x389cc9afc:    cmp    w1, w2
                      0x389cc9b00:    b.hs   0x389cc9bec
        ...
        ...

        * b3/air/AirDisassembler.cpp:
        (JSC::B3::Air::Disassembler::dump):
        * b3/air/AirDisassembler.h:
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
        (JSC::FTL::DFG::LowerDFGToB3::lowCell):
        (JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
        (JSC::FTL::DFG::LowerDFGToB3::lowJSValue):

2017-03-01  Mark Lam  <mark.lam@apple.com>

        REGRESSION (r213202?): Assertion failed: (!"initialized()"), function operator().
        https://bugs.webkit.org/show_bug.cgi?id=169042

        Not reviewed.

        Rolling out r213229 and r213202.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/MachineStackMarker.cpp:
        (JSC::getCurrentPlatformThread):
        (JSC::MachineThreads::Thread::createForCurrentThread):
        (JSC::MachineThreads::machineThreadForCurrentThread):
        (JSC::MachineThreads::removeThread):
        (JSC::MachineThreads::Thread::suspend):
        (JSC::MachineThreads::tryCopyOtherThreadStacks):
        * heap/MachineStackMarker.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::classInfo):
        * runtime/JSLock.cpp:
        (JSC::JSLock::JSLock):
        (JSC::JSLock::lock):
        (JSC::JSLock::unlock):
        (JSC::JSLock::currentThreadIsHoldingLock):
        * runtime/JSLock.h:
        (JSC::JSLock::ownerThread):
        (JSC::JSLock::currentThreadIsHoldingLock): Deleted.
        * runtime/PlatformThread.h: Removed.
        * runtime/VM.cpp:
        (JSC::VM::~VM):
        * runtime/VM.h:
        (JSC::VM::ownerThread):
        * runtime/Watchdog.cpp:
        (JSC::Watchdog::setTimeLimit):
        (JSC::Watchdog::shouldTerminate):
        (JSC::Watchdog::startTimer):
        (JSC::Watchdog::stopTimer):
        * tools/JSDollarVMPrototype.cpp:
        (JSC::JSDollarVMPrototype::currentThreadOwnsJSLock):
        * tools/VMInspector.cpp:

2017-03-01  Mark Lam  <mark.lam@apple.com>

        REGRESSION (r213202?): Assertion failed: (!"initialized()"), function operator()
        https://bugs.webkit.org/show_bug.cgi?id=169042

        Reviewed by Filip Pizlo.

        * runtime/JSLock.h:
        (JSC::JSLock::currentThreadIsHoldingLock):

2017-02-28  Brian Burg  <bburg@apple.com>

        REGRESSION(r211344): Remote Inspector: listingForAutomationTarget() is called off-main-thread, causing assertions
        https://bugs.webkit.org/show_bug.cgi?id=168695
        <rdar://problem/30643899>

        Reviewed by Joseph Pecoraro.

        The aforementioned commit added some new calls to update target listings. This causes RemoteInspector
        to update some listings underneath an incoming setup message on the XPC queue, which is not a safe place
        to gather listing information for RemoteAutomationTargets.

        Update the listing asynchronously since we don't need it immediately. Since this really only happens when
        the connection to the target is set up and shut down, we can trigger listings to be refreshed from
        the async block that's called on the target's queue inside RemoteConnectionToTarget::{setup,close}.

        * inspector/remote/RemoteInspector.h:
        Make updateListingForTarget(unsigned) usable from RemoteConnectionToTarget.

        * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
        (Inspector::RemoteConnectionToTarget::setup):
        (Inspector::RemoteConnectionToTarget::close):
        Grab the target identifier while the RemoteControllableTarget pointer is still valid,
        and use it inside the block later after it may have been destructed already. If that happens,
        then updateTargetListing will bail out because the targetIdentifier cannot be found in the mapping.

        * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
        (Inspector::RemoteInspector::updateTargetListing):
        We need to make sure to request a listing push after the target is updated, so implicitly call
        pushListingsSoon() from here. That method doesn't require any particular queue or holding a lock.

        (Inspector::RemoteInspector::receivedSetupMessage):
        (Inspector::RemoteInspector::receivedDidCloseMessage):
        (Inspector::RemoteInspector::receivedConnectionDiedMessage):
        Remove calls to updateTargetListing() and pushListingsSoon(), as these happen implicitly
        and asynchronously on the target's queue when the connection to target is opened or closed.
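
The pattern the entry above relies on (capture the target's identifier while the pointer is valid, look it up again when the deferred block runs, bail out if it is gone) as an added example. This is editorial illustration code, not WebKit's RemoteInspector or RemoteConnectionToTarget; TargetRegistry, Target and the queue that stands in for the target's dispatch queue are all constructed for the example.

```cpp
// Added example (not WebKit's RemoteInspector): a registry of targets plus a queue that
// stands in for the async block dispatched to the target's queue. The deferred work
// captures the target's numeric identifier and re-looks it up when it finally runs, so
// a target destroyed in the meantime is skipped instead of touched through a dangling pointer.
#include <functional>
#include <map>
#include <memory>
#include <string>
#include <utility>
#include <vector>

struct Target {
    unsigned identifier;
    std::string name;
};

class TargetRegistry {
public:
    unsigned registerTarget(std::string name) {
        unsigned identifier = m_nextIdentifier++;
        m_targets[identifier] = std::unique_ptr<Target>(new Target { identifier, std::move(name) });
        return identifier;
    }
    void unregisterTarget(unsigned identifier) { m_targets.erase(identifier); }

    // Mirrors the role of updateTargetListing(unsigned): bails out when the identifier
    // is no longer in the mapping, which is exactly the "destructed already" case.
    bool updateTargetListing(unsigned identifier) {
        auto it = m_targets.find(identifier);
        if (it == m_targets.end()) return false;   // target went away before the block ran
        m_listings[identifier] = it->second->name;
        return true;
    }
    // Called from setup()/close() while the pointer is still valid: capture only the identifier.
    void scheduleListingUpdate(const Target& target) {
        unsigned identifier = target.identifier;   // grab it now; never capture &target
        m_queue.push_back([this, identifier] { return updateTargetListing(identifier); });
    }
    // Runs the queued blocks in order; returns how many still found their target.
    unsigned drainQueue() {
        unsigned updated = 0;
        for (auto& block : m_queue) updated += block() ? 1 : 0;
        m_queue.clear();
        return updated;
    }
    const Target* target(unsigned identifier) const {
        auto it = m_targets.find(identifier);
        return it == m_targets.end() ? nullptr : it->second.get();
    }
    size_t listingCount() const { return m_listings.size(); }

private:
    unsigned m_nextIdentifier { 1 };
    std::map<unsigned, std::unique_ptr<Target>> m_targets;
    std::map<unsigned, std::string> m_listings;
    std::vector<std::function<bool()>> m_queue;
};

// Scenario from the entry: two connections close, and one target is destroyed before its
// queued block runs. Returns the number of listings actually refreshed (expected: 1).
unsigned demonstrateLateDestruction() {
    TargetRegistry registry;
    unsigned page = registry.registerTarget("page");
    unsigned worker = registry.registerTarget("worker");
    registry.scheduleListingUpdate(*registry.target(page));
    registry.scheduleListingUpdate(*registry.target(worker));
    registry.unregisterTarget(worker);   // destroyed while its block is still queued
    return registry.drainQueue();
}
```

The identifier is a value, so the closure owns nothing that can dangle; the only thing it needs to outlive it is the registry itself, which plays the part of the long-lived RemoteInspector singleton here.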

2017-03-01  Tomas Popela  <tpopela@redhat.com>

        Leak under Options::setOptions
        https://bugs.webkit.org/show_bug.cgi?id=169029

        Reviewed by Michael Saboff.

        Don't leak the optionsStrCopy variable.

        * runtime/Options.cpp:
        (JSC::Options::setOptions):

2017-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Allow UnlinkedCodeBlock to dump its bytecode sequence
        https://bugs.webkit.org/show_bug.cgi?id=168968

        Reviewed by Saam Barati.

        This patch decouples dumping the bytecode sequence from CodeBlock.
        This change allows UnlinkedCodeBlock to dump its bytecode sequence.
        It is useful because we now have a complex phase between UnlinkedCodeBlock and CodeBlock,
        called Generatorification.

        We introduce BytecodeDumper<Block>. Both CodeBlock and UnlinkedCodeBlock can use
        this class to dump the bytecode sequence.

        And this patch also adds Option::dumpBytecodesBeforeGeneratorification,
        which dumps the unlinked bytecode sequence before generatorification if it is enabled.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeDumper.cpp: Added.
        (JSC::getStructureID):
        (JSC::getSpecialPointer):
        (JSC::getPutByIdFlags):
        (JSC::getToThisStatus):
        (JSC::getPointer):
        (JSC::getStructureChain):
        (JSC::getStructure):
        (JSC::getCallLinkInfo):
        (JSC::getBasicBlockLocation):
        (JSC::BytecodeDumper<Block>::actualPointerFor):
        (JSC::BytecodeDumper<CodeBlock>::actualPointerFor):
        (JSC::beginDumpProfiling):
        (JSC::BytecodeDumper<Block>::dumpValueProfiling):
        (JSC::BytecodeDumper<CodeBlock>::dumpValueProfiling):
        (JSC::BytecodeDumper<Block>::dumpArrayProfiling):
        (JSC::BytecodeDumper<CodeBlock>::dumpArrayProfiling):
        (JSC::BytecodeDumper<Block>::dumpProfilesForBytecodeOffset):
        (JSC::dumpRareCaseProfile):
        (JSC::dumpArithProfile):
        (JSC::BytecodeDumper<CodeBlock>::dumpProfilesForBytecodeOffset):
        (JSC::BytecodeDumper<Block>::vm):
        (JSC::BytecodeDumper<Block>::identifier):
        (JSC::regexpToSourceString):
        (JSC::regexpName):
        (JSC::printLocationAndOp):
        (JSC::isConstantRegisterIndex):
        (JSC::debugHookName):
        (JSC::BytecodeDumper<Block>::registerName):
        (JSC::idName):
        (JSC::BytecodeDumper<Block>::constantName):
        (JSC::BytecodeDumper<Block>::printUnaryOp):
        (JSC::BytecodeDumper<Block>::printBinaryOp):
        (JSC::BytecodeDumper<Block>::printConditionalJump):
        (JSC::BytecodeDumper<Block>::printGetByIdOp):
        (JSC::dumpStructure):
        (JSC::dumpChain):
        (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
        (JSC::BytecodeDumper<Block>::printPutByIdCacheStatus):
        (JSC::BytecodeDumper<Block>::dumpCallLinkStatus):
        (JSC::BytecodeDumper<CodeBlock>::dumpCallLinkStatus):
        (JSC::BytecodeDumper<Block>::printCallOp):
        (JSC::BytecodeDumper<Block>::printPutByIdOp):
        (JSC::BytecodeDumper<Block>::printLocationOpAndRegisterOperand):
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        (JSC::BytecodeDumper<Block>::dumpIdentifiers):
        (JSC::BytecodeDumper<Block>::dumpConstants):
        (JSC::BytecodeDumper<Block>::dumpRegExps):
        (JSC::BytecodeDumper<Block>::dumpExceptionHandlers):
        (JSC::BytecodeDumper<Block>::dumpSwitchJumpTables):
        (JSC::BytecodeDumper<Block>::dumpStringSwitchJumpTables):
        (JSC::BytecodeDumper<Block>::dumpBlock):
        * bytecode/BytecodeDumper.h: Added.
        (JSC::BytecodeDumper::BytecodeDumper):
        (JSC::BytecodeDumper::block):
        (JSC::BytecodeDumper::instructionsBegin):
        * bytecode/BytecodeGeneratorification.cpp:
        (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
        (JSC::performGeneratorification):
        * bytecode/BytecodeLivenessAnalysis.cpp:
        (JSC::BytecodeLivenessAnalysis::dumpResults):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        (JSC::CodeBlock::hasOpDebugForLineAndColumn):
        (JSC::CodeBlock::usesOpcode):
        (JSC::CodeBlock::valueProfileForBytecodeOffset):
        (JSC::CodeBlock::arithProfileForPC):
        (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
        (JSC::idName): Deleted.
        (JSC::CodeBlock::registerName): Deleted.
        (JSC::CodeBlock::constantName): Deleted.
        (JSC::regexpToSourceString): Deleted.
        (JSC::regexpName): Deleted.
        (JSC::debugHookName): Deleted.
        (JSC::CodeBlock::printUnaryOp): Deleted.
        (JSC::CodeBlock::printBinaryOp): Deleted.
        (JSC::CodeBlock::printConditionalJump): Deleted.
        (JSC::CodeBlock::printGetByIdOp): Deleted.
        (JSC::dumpStructure): Deleted.
        (JSC::dumpChain): Deleted.
        (JSC::CodeBlock::printGetByIdCacheStatus): Deleted.
        (JSC::CodeBlock::printPutByIdCacheStatus): Deleted.
        (JSC::CodeBlock::printCallOp): Deleted.
        (JSC::CodeBlock::printPutByIdOp): Deleted.
        (JSC::CodeBlock::dumpExceptionHandlers): Deleted.
        (JSC::CodeBlock::beginDumpProfiling): Deleted.
        (JSC::CodeBlock::dumpValueProfiling): Deleted.
        (JSC::CodeBlock::dumpArrayProfiling): Deleted.
        (JSC::CodeBlock::dumpRareCaseProfile): Deleted.
        (JSC::CodeBlock::dumpArithProfile): Deleted.
        (JSC::CodeBlock::printLocationAndOp): Deleted.
        (JSC::CodeBlock::printLocationOpAndRegisterOperand): Deleted.
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::constantRegisters):
        (JSC::CodeBlock::numberOfRegExps):
        (JSC::CodeBlock::bitVectors):
        (JSC::CodeBlock::bitVector):
        * bytecode/HandlerInfo.h:
        (JSC::HandlerInfoBase::typeName):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::dump):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::getConstant):
        * bytecode/UnlinkedInstructionStream.cpp:
        (JSC::UnlinkedInstructionStream::UnlinkedInstructionStream):
        * bytecode/UnlinkedInstructionStream.h:
        (JSC::UnlinkedInstructionStream::Reader::next):
        * runtime/Options.h:

2017-02-28  Mark Lam  <mark.lam@apple.com>

        Change JSLock to stash PlatformThread instead of std::thread::id.
        https://bugs.webkit.org/show_bug.cgi?id=168996

        Reviewed by Filip Pizlo.

        PlatformThread is more useful because it allows us to:
        1. find the MachineThreads::Thread which is associated with it.
        2. suspend / resume threads.
        3. send a signal to a thread.

        We can't do those with std::thread::id.  We will need one or more of these
        capabilities to implement non-polling VM traps later.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::Thread::createForCurrentThread):
        (JSC::MachineThreads::machineThreadForCurrentThread):
        (JSC::MachineThreads::removeThread):
        (JSC::MachineThreads::Thread::suspend):
        (JSC::MachineThreads::tryCopyOtherThreadStacks):
        (JSC::getCurrentPlatformThread): Deleted.
        * heap/MachineStackMarker.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::classInfo):
        * runtime/JSLock.cpp:
        (JSC::JSLock::lock):
        (JSC::JSLock::unlock):
        (JSC::JSLock::currentThreadIsHoldingLock): Deleted.
        * runtime/JSLock.h:
        (JSC::JSLock::ownerThread):
        (JSC::JSLock::currentThreadIsHoldingLock):
        * runtime/PlatformThread.h: Added.
        (JSC::currentPlatformThread):
        * runtime/VM.cpp:
        (JSC::VM::~VM):
        * runtime/VM.h:
        (JSC::VM::ownerThread):
        * runtime/Watchdog.cpp:
        (JSC::Watchdog::setTimeLimit):
        (JSC::Watchdog::shouldTerminate):
        (JSC::Watchdog::startTimer):
        (JSC::Watchdog::stopTimer):
        * tools/JSDollarVMPrototype.cpp:
        (JSC::JSDollarVMPrototype::currentThreadOwnsJSLock):
        * tools/VMInspector.cpp:
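
The two "Change JSLock to stash PlatformThread" entries (the original above and the re-landing earlier in this log) describe why a platform thread handle needs a separate "has owner" flag: there is no canonical uninitialized value to compare against. The following added example, which is editorial code and not JSC's JSLock, uses pthread_t in the role of PlatformThread and shows the flag being checked before every identity comparison; the class and function names (OwnerTrackingLock, demonstrateOwnership) are constructed for the example, and the walk-through is single-threaded.

```cpp
// Added example (not JSC's JSLock): a reentrant lock that records its owner as a
// pthread_t, the role PlatformThread plays in the entries above. pthread_t has no
// portable "no thread" value, so ownership is tracked by a separate flag that is
// consulted before any thread identity comparison, as the re-landed patch describes.
#include <pthread.h>
#include <stdexcept>

class OwnerTrackingLock {
public:
    void lock() {
        if (currentThreadIsHoldingLock()) { ++m_lockCount; return; } // re-entry
        pthread_mutex_lock(&m_mutex);   // initial entry: the common case
        m_ownerThread = pthread_self();
        m_hasOwnerThread = true;        // only now is m_ownerThread meaningful
        m_lockCount = 1;
    }
    void unlock() {
        if (!currentThreadIsHoldingLock())
            throw std::logic_error("unlock by a thread that does not hold the lock");
        if (--m_lockCount) return;
        m_hasOwnerThread = false;       // clear the flag before releasing the mutex
        pthread_mutex_unlock(&m_mutex);
    }
    // The flag guards the comparison: pthread_equal is never applied to an unset owner.
    // The owner fields are read without the mutex here, so a multi-threaded caller would
    // need atomics on them; this example only walks through the single-thread states.
    bool currentThreadIsHoldingLock() const {
        return m_hasOwnerThread && pthread_equal(m_ownerThread, pthread_self());
    }
    unsigned lockCount() const { return m_lockCount; }
private:
    pthread_mutex_t m_mutex = PTHREAD_MUTEX_INITIALIZER;
    pthread_t m_ownerThread { };   // only meaningful while m_hasOwnerThread is true
    bool m_hasOwnerThread { false };
    unsigned m_lockCount { 0 };
};

// Walks through the states one thread observes; returns true if every check holds.
bool demonstrateOwnership() {
    OwnerTrackingLock lock;
    if (lock.currentThreadIsHoldingLock()) return false; // unset owner: the flag says "no"
    lock.lock();
    lock.lock();                                          // re-entry bumps the count
    if (!lock.currentThreadIsHoldingLock() || lock.lockCount() != 2) return false;
    lock.unlock();
    if (!lock.currentThreadIsHoldingLock()) return false; // still held once
    lock.unlock();
    return !lock.currentThreadIsHoldingLock();            // released: flag cleared again
}
```

Without the flag, the first call to currentThreadIsHoldingLock() on a fresh lock would compare the caller against whatever bit pattern the zero-initialised handle happens to hold; with it, the comparison is only ever made against a handle that was written by a real lock() call.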

2017-02-28  Mark Lam  <mark.lam@apple.com>

        Enable the SigillCrashAnalyzer by default for iOS.
        https://bugs.webkit.org/show_bug.cgi?id=168989

        Reviewed by Keith Miller.

        * runtime/Options.cpp:
        (JSC::overrideDefaults):

2017-02-28  Mark Lam  <mark.lam@apple.com>

        Remove setExclusiveThread() and peers from the JSLock.
        https://bugs.webkit.org/show_bug.cgi?id=168977

        Reviewed by Filip Pizlo.

        JSLock::setExclusiveThread() was only used by WebCore.  Benchmarking with
        Speedometer, we see that removal of exclusive thread status has no measurable
        impact on performance.  So, let's remove the code for handling exclusive thread
        status, and simplify the JSLock code.

        For the record, exclusive thread status does improve JSLock locking/unlocking
        time by up to 20%.  However, this difference is not measurable in the way WebCore
        uses the JSLock as confirmed by Speedometer.

        Also applied a minor optimization in JSLock::lock() to assume the initial lock
        entry case (as opposed to the re-entry case).  This appears to show a small
        fractional improvement (about 5%) in JSLock cumulative locking and unlocking
        time in a micro-benchmark.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::MachineThreads):
        (JSC::MachineThreads::addCurrentThread):
        * heap/MachineStackMarker.h:
        * runtime/JSLock.cpp:
        (JSC::JSLock::JSLock):
        (JSC::JSLock::lock):
        (JSC::JSLock::unlock):
        (JSC::JSLock::currentThreadIsHoldingLock):
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::grabAllLocks):
        (JSC::JSLock::setExclusiveThread): Deleted.
        * runtime/JSLock.h:
        (JSC::JSLock::ownerThread):
        (JSC::JSLock::hasExclusiveThread): Deleted.
        (JSC::JSLock::exclusiveThread): Deleted.
        * runtime/VM.h:
        (JSC::VM::hasExclusiveThread): Deleted.
        (JSC::VM::exclusiveThread): Deleted.
        (JSC::VM::setExclusiveThread): Deleted.

2017-02-28  Saam Barati  <sbarati@apple.com>

        Arm64 disassembler prints "ars" instead of "asr"
        https://bugs.webkit.org/show_bug.cgi?id=168923

        Rubber stamped by Michael Saboff.

        * disassembler/ARM64/A64DOpcode.cpp:
        (JSC::ARM64Disassembler::A64DOpcodeBitfield::format):

2017-02-28  Oleksandr Skachkov  <gskachkov@gmail.com>

        Use of arguments in arrow function is slow
        https://bugs.webkit.org/show_bug.cgi?id=168829

        Reviewed by Saam Barati.

        The current patch improves the performance of access to arguments within an arrow function
        by preventing the creation of an arguments variable within the arrow function, and also allows
        the arguments variable to be cached. Before, the arguments variable always had the Dynamic resolve
        type; after the patch it can be ClosureVar, which increases the performance of access to the
        arguments variable by 9 times inside the arrow function.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * runtime/JSScope.cpp:
        (JSC::abstractAccess):

2017-02-28  Michael Saboff  <msaboff@apple.com>

        Add ability to configure JSC options from a file
        https://bugs.webkit.org/show_bug.cgi?id=168914

        Reviewed by Filip Pizlo.

        Added the ability to set options and DataLog file location via a configuration file.
        The configuration file is specified with the --configFile option to JSC or the
        JSC_configFile environment variable.

        The file format allows for options conditionally dependent on various attributes.
        Currently those attributes are the process name, parent process name and build
        type (Release or Debug).  In this patch, the parent process type is not set.
        That will be set up in WebKit code with a follow up patch.

        Here is an example config file:

            logFile = "/tmp/jscLog.%pid.txt"

            jscOptions {
                dumpOptions = 2
            }

            build == "Debug" {
                jscOptions {
                    useConcurrentJIT = false
                    dumpDisassembly = true
                }
            }

            build == "Release" && processName == "jsc" {
                jscOptions {
                    asyncDisassembly = true
                }
            }

        Eliminated the prior options file code.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jsc.cpp:
        (jscmain):
        * runtime/ConfigFile.cpp: Added.
        (JSC::ConfigFileScanner::ConfigFileScanner):
        (JSC::ConfigFileScanner::start):
        (JSC::ConfigFileScanner::lineNumber):
        (JSC::ConfigFileScanner::currentBuffer):
        (JSC::ConfigFileScanner::atFileEnd):
        (JSC::ConfigFileScanner::tryConsume):
        (JSC::ConfigFileScanner::tryConsumeString):
        (JSC::ConfigFileScanner::tryConsumeUpto):
        (JSC::ConfigFileScanner::fillBufferIfNeeded):
        (JSC::ConfigFileScanner::fillBuffer):
        (JSC::ConfigFile::ConfigFile):
        (JSC::ConfigFile::setProcessName):
        (JSC::ConfigFile::setParentProcessName):
        (JSC::ConfigFile::parse):
        * runtime/ConfigFile.h: Added.
        * runtime/Options.cpp:
        (JSC::Options::initialize):
        (JSC::Options::setOptions):
        * runtime/Options.h:
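
The config-file entry above shows the syntax by example only. The following added example is an editorial evaluator for that syntax and is not WebKit's runtime/ConfigFile.cpp; it implements only the forms visible in the example (a logFile assignment, jscOptions blocks, and conditional blocks of `attr == "string"` terms joined by `&&`) and assumes that whitespace is not significant and that unmatched conditional blocks are parsed but ignored. ConfigEvaluator, ConfigResult and kSampleConfig are names constructed for the example; what a value such as `%pid` means is left to the consumer, as the entry does not describe it.

```cpp
// Added example (not WebKit's runtime/ConfigFile.cpp): evaluates the config-file syntax
// shown in the entry above against attributes such as build and processName. It covers the
// forms the example uses: `logFile = "..."`, `jscOptions { name = value ... }` and
// conditional blocks `attr == "str" [&& attr == "str" ...] { ... }`, which may nest.
#include <cctype>
#include <map>
#include <stdexcept>
#include <string>
struct ConfigResult {
    std::string logFile;                        // empty if the file sets none
    std::map<std::string, std::string> options; // option name -> value as written
};
class ConfigEvaluator {
public:
    ConfigEvaluator(std::string text, std::map<std::string, std::string> attributes) : m_text(text), m_attributes(attributes) { }
    ConfigResult evaluate() {
        ConfigResult result;
        parseStatements(result, true);
        if (!atEnd()) throw std::runtime_error("unbalanced '}'");
        return result;
    }
private:
    bool atEnd() const { return m_pos >= m_text.size(); }
    bool isSpace() const { return std::isspace(static_cast<unsigned char>(m_text[m_pos])); }
    bool isWord() const { return std::isalnum(static_cast<unsigned char>(m_text[m_pos])) || m_text[m_pos] == '_'; }
    void skipSpace() { while (!atEnd() && isSpace()) ++m_pos; }
    bool peek(char c) { skipSpace(); return !atEnd() && m_text[m_pos] == c; }
    void expect(char c) { if (!peek(c)) throw std::runtime_error(std::string("expected '") + c + "'"); ++m_pos; }
    bool tryConsume(const std::string& token) {
        skipSpace();
        if (m_text.compare(m_pos, token.size(), token) != 0) return false;
        m_pos += token.size();
        return true;
    }
    std::string identifier() {
        skipSpace();
        size_t start = m_pos;
        while (!atEnd() && isWord()) ++m_pos;
        if (start == m_pos) throw std::runtime_error("expected identifier");
        return m_text.substr(start, m_pos - start);
    }
    std::string stringLiteral() {
        expect('"');
        size_t start = m_pos;
        while (!atEnd() && m_text[m_pos] != '"') ++m_pos;
        if (atEnd()) throw std::runtime_error("unterminated string");
        return m_text.substr(start, m_pos++ - start);
    }
    std::string optionValue() { // a quoted string or a bare token such as 2, true or false
        if (peek('"')) return stringLiteral();
        size_t start = m_pos;
        while (!atEnd() && !isSpace() && m_text[m_pos] != '}') ++m_pos;
        if (start == m_pos) throw std::runtime_error("expected value");
        return m_text.substr(start, m_pos - start);
    }
    // `attr == "str"` terms joined by `&&`; the first attribute name was already read.
    bool condition(std::string attribute) {
        bool holds = true;
        for (;;) {
            if (!tryConsume("==")) throw std::runtime_error("expected '==' after " + attribute);
            std::string wanted = stringLiteral();
            holds = holds && m_attributes.count(attribute) && m_attributes.at(attribute) == wanted;
            if (!tryConsume("&&")) return holds;
            attribute = identifier();
        }
    }
    // Runs until the enclosing '}' or end of input. In a block whose condition failed,
    // `active` is false: the text is still parsed (so syntax errors surface) but never applied.
    void parseStatements(ConfigResult& result, bool active) {
        for (skipSpace(); !atEnd() && m_text[m_pos] != '}'; skipSpace()) {
            std::string word = identifier();
            if (word == "logFile") {
                expect('=');
                std::string path = stringLiteral();
                if (active) result.logFile = path;
            } else if (word == "jscOptions") {
                expect('{');
                while (!peek('}')) {
                    std::string name = identifier();
                    expect('=');
                    std::string value = optionValue();
                    if (active) result.options[name] = value;
                }
                expect('}');
            } else { // any other word starts a conditional block
                bool holds = condition(word);
                expect('{');
                parseStatements(result, active && holds);
                expect('}');
            }
        }
    }
    std::string m_text;
    std::map<std::string, std::string> m_attributes;
    size_t m_pos { 0 };
};
// The example file from the entry above as constructed input; whitespace is not significant.
const char* const kSampleConfig = R"(logFile = "/tmp/jscLog.%pid.txt"
jscOptions { dumpOptions = 2 }
build == "Debug" { jscOptions { useConcurrentJIT = false  dumpDisassembly = true } }
build == "Release" && processName == "jsc" { jscOptions { asyncDisassembly = true } })";
```

Evaluating kSampleConfig with `build == "Debug"` yields dumpOptions, useConcurrentJIT and dumpDisassembly; with `build == "Release"` and `processName == "jsc"` it yields dumpOptions and asyncDisassembly; a Release build under any other process name gets dumpOptions alone. Later assignments overwrite earlier ones, which is the natural reading of the example but is an assumption here, not something the entry states.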

2017-02-27  Alex Christensen  <achristensen@webkit.org>

        Begin enabling WebRTC on 64-bit
        https://bugs.webkit.org/show_bug.cgi?id=168915

        Reviewed by Eric Carlson.

        * Configurations/FeatureDefines.xcconfig:

2017-02-27  Mark Lam  <mark.lam@apple.com>

        Introduce a VM Traps mechanism and refactor Watchdog to use it.
        https://bugs.webkit.org/show_bug.cgi?id=168842

        Reviewed by Filip Pizlo.

        Currently, the traps mechanism is only used for the JSC watchdog, and for
        asynchronous termination requests (which is currently only used for worker
        thread termination).

        This first cut of the traps mechanism still relies on polling from DFG and FTL
        code.  This is done to keep the patch as small as possible.  The work to do
        a non-polling version of the traps mechanism for DFG and FTL code is deferred to
        another patch.

        In this patch, worker threads still need to set the VM::m_needAsynchronousTerminationSupport
        flag to enable the traps polling in the DFG and FTL code.  When we have the
        non-polling version of the DFG and FTL traps mechanism, we can remove the use of
        the VM::m_needAsynchronousTerminationSupport flag.

        Note: this patch also separates asynchronous termination support from the JSC
        watchdog.  This separation allows us to significantly simplify the locking
        requirements in the watchdog code, and make it easier to reason about its
        correctness.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitLoopHint):
        (JSC::BytecodeGenerator::emitCheckTraps):
        (JSC::BytecodeGenerator::emitWatchdog): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCheckTraps):
        * dfg/DFGSpeculativeJIT.h:
709         * dfg/DFGSpeculativeJIT32_64.cpp:
710         (JSC::DFG::SpeculativeJIT::compile):
711         * dfg/DFGSpeculativeJIT64.cpp:
712         (JSC::DFG::SpeculativeJIT::compile):
713         * ftl/FTLCapabilities.cpp:
714         (JSC::FTL::canCompile):
715         * ftl/FTLLowerDFGToB3.cpp:
716         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
717         (JSC::FTL::DFG::LowerDFGToB3::compileCheckTraps):
718         (JSC::FTL::DFG::LowerDFGToB3::compileCheckWatchdogTimer): Deleted.
719         * interpreter/Interpreter.cpp:
720         (JSC::Interpreter::executeProgram):
721         (JSC::Interpreter::executeCall):
722         (JSC::Interpreter::executeConstruct):
723         (JSC::Interpreter::execute):
724         * jit/JIT.cpp:
725         (JSC::JIT::privateCompileMainPass):
726         (JSC::JIT::privateCompileSlowCases):
727         * jit/JIT.h:
728         * jit/JITOpcodes.cpp:
729         (JSC::JIT::emit_op_check_traps):
730         (JSC::JIT::emitSlow_op_check_traps):
731         (JSC::JIT::emit_op_watchdog): Deleted.
732         (JSC::JIT::emitSlow_op_watchdog): Deleted.
733         * jit/JITOperations.cpp:
734         * jit/JITOperations.h:
735         * llint/LLIntSlowPaths.cpp:
736         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
737         * llint/LLIntSlowPaths.h:
738         * llint/LowLevelInterpreter.asm:
739         * llint/LowLevelInterpreter32_64.asm:
740         * llint/LowLevelInterpreter64.asm:
741         * runtime/VM.cpp:
742         (JSC::VM::~VM):
743         (JSC::VM::ensureWatchdog):
744         (JSC::VM::handleTraps):
745         * runtime/VM.h:
746         (JSC::VM::ownerThread):
747         (JSC::VM::needTrapHandling):
748         (JSC::VM::needTrapHandlingAddress):
749         (JSC::VM::notifyNeedTermination):
750         (JSC::VM::notifyNeedWatchdogCheck):
751         (JSC::VM::needAsynchronousTerminationSupport):
752         (JSC::VM::setNeedAsynchronousTerminationSupport):
753         * runtime/VMInlines.h:
754         (JSC::VM::shouldTriggerTermination): Deleted.
755         * runtime/VMTraps.cpp: Added.
756         (JSC::VMTraps::fireTrap):
757         (JSC::VMTraps::takeTrap):
758         * runtime/VMTraps.h: Added.
759         (JSC::VMTraps::needTrapHandling):
760         (JSC::VMTraps::needTrapHandlingAddress):
761         (JSC::VMTraps::hasTrapForEvent):
762         (JSC::VMTraps::setTrapForEvent):
763         (JSC::VMTraps::clearTrapForEvent):
764         * runtime/Watchdog.cpp:
765         (JSC::Watchdog::Watchdog):
766         (JSC::Watchdog::setTimeLimit):
767         (JSC::Watchdog::shouldTerminate):
768         (JSC::Watchdog::enteredVM):
769         (JSC::Watchdog::exitedVM):
770         (JSC::Watchdog::startTimer):
771         (JSC::Watchdog::stopTimer):
772         (JSC::Watchdog::willDestroyVM):
773         (JSC::Watchdog::terminateSoon): Deleted.
774         (JSC::Watchdog::shouldTerminateSlow): Deleted.
775         * runtime/Watchdog.h:
776         (JSC::Watchdog::shouldTerminate): Deleted.
777         (JSC::Watchdog::timerDidFireAddress): Deleted.
778
779 2017-02-27  Commit Queue  <commit-queue@webkit.org>
780
781         Unreviewed, rolling out r213019.
782         https://bugs.webkit.org/show_bug.cgi?id=168925
783
784         "It broke 32-bit jsc tests in debug builds" (Requested by
785         saamyjoon on #webkit).
786
787         Reverted changeset:
788
789         "op_get_by_id_with_this should use inline caching"
790         https://bugs.webkit.org/show_bug.cgi?id=162124
791         http://trac.webkit.org/changeset/213019
792
793 2017-02-27  JF Bastien  <jfbastien@apple.com>
794
795         WebAssembly: miscellaneous spec fixes part deux
796         https://bugs.webkit.org/show_bug.cgi?id=168861
797
798         Reviewed by Keith Miller.
799
800         * wasm/WasmFunctionParser.h: add some FIXME
801
802 2017-02-27  Alex Christensen  <achristensen@webkit.org>
803
804         [libwebrtc] Enable WebRTC in some Production Builds
805         https://bugs.webkit.org/show_bug.cgi?id=168858
806
807         * Configurations/FeatureDefines.xcconfig:
808
809 2017-02-26  Caio Lima  <ticaiolima@gmail.com>
810
811         op_get_by_id_with_this should use inline caching
812         https://bugs.webkit.org/show_bug.cgi?id=162124
813
814         Reviewed by Saam Barati.
815
816         This patch enables inline caching for op_get_by_id_with_this in all
817         tiers. It means that operations using ```super.member``` will be
818         able to be optimized by PIC. To enable it, we introduced a new
819         member of StructureStubInfo.patch named thisGPR, created a new class
820         to manage the IC named JITGetByIdWithThisGenerator, and changed
821         PolymorphicAccess.regenerate so that it uses StructureStubInfo.patch.thisGPR
822         to decide the correct this value in inline caches.
823         With inline caching enabled, ```super.member``` is ~4.5x faster,
824         according to microbenchmarks.
825
826         * bytecode/AccessCase.cpp:
827         (JSC::AccessCase::generateImpl):
828         * bytecode/PolymorphicAccess.cpp:
829         (JSC::PolymorphicAccess::regenerate):
830         * bytecode/PolymorphicAccess.h:
831         * bytecode/StructureStubInfo.cpp:
832         (JSC::StructureStubInfo::reset):
833         * bytecode/StructureStubInfo.h:
834         * dfg/DFGFixupPhase.cpp:
835         (JSC::DFG::FixupPhase::fixupNode):
836         * dfg/DFGJITCompiler.cpp:
837         (JSC::DFG::JITCompiler::link):
838         * dfg/DFGJITCompiler.h:
839         (JSC::DFG::JITCompiler::addGetByIdWithThis):
840         * dfg/DFGSpeculativeJIT.cpp:
841         (JSC::DFG::SpeculativeJIT::compileIn):
842         * dfg/DFGSpeculativeJIT.h:
843         (JSC::DFG::SpeculativeJIT::callOperation):
844         * dfg/DFGSpeculativeJIT32_64.cpp:
845         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
846         (JSC::DFG::SpeculativeJIT::compile):
847         * dfg/DFGSpeculativeJIT64.cpp:
848         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
849         (JSC::DFG::SpeculativeJIT::compile):
850         * ftl/FTLLowerDFGToB3.cpp:
851         (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis):
852         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
853         (JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis):
854         * jit/CCallHelpers.h:
855         (JSC::CCallHelpers::setupArgumentsWithExecState):
856         * jit/ICStats.h:
857         * jit/JIT.cpp:
858         (JSC::JIT::JIT):
859         (JSC::JIT::privateCompileSlowCases):
860         (JSC::JIT::link):
861         * jit/JIT.h:
862         * jit/JITInlineCacheGenerator.cpp:
863         (JSC::JITByIdGenerator::JITByIdGenerator):
864         (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator):
865         (JSC::JITGetByIdWithThisGenerator::generateFastPath):
866         * jit/JITInlineCacheGenerator.h:
867         (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator):
868         * jit/JITInlines.h:
869         (JSC::JIT::callOperation):
870         * jit/JITOperations.cpp:
871         * jit/JITOperations.h:
872         * jit/JITPropertyAccess.cpp:
873         (JSC::JIT::emit_op_get_by_id_with_this):
874         (JSC::JIT::emitSlow_op_get_by_id_with_this):
875         * jit/JITPropertyAccess32_64.cpp:
876         (JSC::JIT::emit_op_get_by_id_with_this):
877         (JSC::JIT::emitSlow_op_get_by_id_with_this):
878         * jit/Repatch.cpp:
879         (JSC::appropriateOptimizingGetByIdFunction):
880         (JSC::appropriateGenericGetByIdFunction):
881         (JSC::tryCacheGetByID):
882         * jit/Repatch.h:
883         * jsc.cpp:
884         (WTF::CustomGetter::getOwnPropertySlot):
885         (WTF::CustomGetter::customGetterAcessor):
886
887 2017-02-24  JF Bastien  <jfbastien@apple.com>
888
889         WebAssembly: miscellaneous spec fixes
890         https://bugs.webkit.org/show_bug.cgi?id=168822
891
892         Reviewed by Saam Barati.
893
894         * wasm/WasmModuleParser.cpp: "unknown" sections are now called "custom" sections
895         * wasm/WasmSections.h:
896         (JSC::Wasm::validateOrder):
897         (JSC::Wasm::makeString): fix ASSERT_UNREACHABLE bug in printing
898         * wasm/js/WebAssemblyInstanceConstructor.cpp:
899         (JSC::constructJSWebAssemblyInstance): disallow i64 import
900         * wasm/js/WebAssemblyModuleRecord.cpp:
901         (JSC::WebAssemblyModuleRecord::link): disallow i64 export
902         (JSC::WebAssemblyModuleRecord::evaluate):
903
904 2017-02-24  Filip Pizlo  <fpizlo@apple.com>
905
906         Move Arg::Type and Arg::Width out into the B3 namespace, since they are general concepts
907         https://bugs.webkit.org/show_bug.cgi?id=168833
908
909         Reviewed by Saam Barati.
910         
911         I want to use the Air::Arg::Type and Air::Arg::Width concepts in B3. We are already
912         doing this a bit, and it's awkward because of the namespacing. Throughout B3 we take the
913         approach that if something is not specific to Air, then it should be in the B3
914         namespace.
915         
916         This moves Air::Arg::Type to B3::Bank. This moves Air::Arg::Width to B3::Width.
917         
918         I renamed Arg::Type to Bank because there is already a B3::Type and because Arg::Type
919         was never really a type. Its purpose was always to identify register banks, and we use
920         this enum when the thing we care about is whether the value is most appropriate for
921         GPRs or FPRs.
922         
923         I kept both as non-enum classes because I think that we've learned that terse compiler
924         code is a good thing. I don't want to say Bank::GP when I can say GP. With Width, the
925         argument is even stronger, since you cannot say Width::8 but you can say Width8.
926
927         * CMakeLists.txt:
928         * JavaScriptCore.xcodeproj/project.pbxproj:
929         * b3/B3Bank.cpp: Added.
930         (WTF::printInternal):
931         * b3/B3Bank.h: Added.
932         (JSC::B3::forEachBank):
933         (JSC::B3::bankForType):
934         * b3/B3CheckSpecial.cpp:
935         (JSC::B3::CheckSpecial::forEachArg):
936         * b3/B3LegalizeMemoryOffsets.cpp:
937         * b3/B3LowerToAir.cpp:
938         (JSC::B3::Air::LowerToAir::run):
939         (JSC::B3::Air::LowerToAir::tmp):
940         (JSC::B3::Air::LowerToAir::scaleForShl):
941         (JSC::B3::Air::LowerToAir::effectiveAddr):
942         (JSC::B3::Air::LowerToAir::addr):
943         (JSC::B3::Air::LowerToAir::createGenericCompare):
944         (JSC::B3::Air::LowerToAir::createBranch):
945         (JSC::B3::Air::LowerToAir::createCompare):
946         (JSC::B3::Air::LowerToAir::createSelect):
947         (JSC::B3::Air::LowerToAir::lower):
948         * b3/B3MemoryValue.cpp:
949         (JSC::B3::MemoryValue::accessWidth):
950         * b3/B3MemoryValue.h:
951         * b3/B3MoveConstants.cpp:
952         * b3/B3PatchpointSpecial.cpp:
953         (JSC::B3::PatchpointSpecial::forEachArg):
954         * b3/B3StackmapSpecial.cpp:
955         (JSC::B3::StackmapSpecial::forEachArgImpl):
956         * b3/B3Value.h:
957         * b3/B3Variable.h:
958         (JSC::B3::Variable::width):
959         (JSC::B3::Variable::bank):
960         * b3/B3WasmAddressValue.h:
961         * b3/B3Width.cpp: Added.
962         (WTF::printInternal):
963         * b3/B3Width.h: Added.
964         (JSC::B3::pointerWidth):
965         (JSC::B3::widthForType):
966         (JSC::B3::conservativeWidth):
967         (JSC::B3::minimumWidth):
968         (JSC::B3::bytes):
969         (JSC::B3::widthForBytes):
970         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
971         * b3/air/AirAllocateStack.cpp:
972         (JSC::B3::Air::allocateStack):
973         * b3/air/AirArg.cpp:
974         (JSC::B3::Air::Arg::canRepresent):
975         (JSC::B3::Air::Arg::isCompatibleBank):
976         (JSC::B3::Air::Arg::isCompatibleType): Deleted.
977         * b3/air/AirArg.h:
978         (JSC::B3::Air::Arg::hasBank):
979         (JSC::B3::Air::Arg::bank):
980         (JSC::B3::Air::Arg::isBank):
981         (JSC::B3::Air::Arg::forEachTmp):
982         (JSC::B3::Air::Arg::forEachType): Deleted.
983         (JSC::B3::Air::Arg::pointerWidth): Deleted.
984         (JSC::B3::Air::Arg::typeForB3Type): Deleted.
985         (JSC::B3::Air::Arg::widthForB3Type): Deleted.
986         (JSC::B3::Air::Arg::conservativeWidth): Deleted.
987         (JSC::B3::Air::Arg::minimumWidth): Deleted.
988         (JSC::B3::Air::Arg::bytes): Deleted.
989         (JSC::B3::Air::Arg::widthForBytes): Deleted.
990         (JSC::B3::Air::Arg::hasType): Deleted.
991         (JSC::B3::Air::Arg::type): Deleted.
992         (JSC::B3::Air::Arg::isType): Deleted.
993         * b3/air/AirArgInlines.h:
994         (JSC::B3::Air::ArgThingHelper<Tmp>::forEach):
995         (JSC::B3::Air::ArgThingHelper<Arg>::forEach):
996         (JSC::B3::Air::ArgThingHelper<Reg>::forEach):
997         (JSC::B3::Air::Arg::forEach):
998         * b3/air/AirCCallSpecial.cpp:
999         (JSC::B3::Air::CCallSpecial::forEachArg):
1000         * b3/air/AirCCallingConvention.cpp:
1001         * b3/air/AirCode.cpp:
1002         (JSC::B3::Air::Code::Code):
1003         (JSC::B3::Air::Code::setRegsInPriorityOrder):
1004         (JSC::B3::Air::Code::pinRegister):
1005         * b3/air/AirCode.h:
1006         (JSC::B3::Air::Code::regsInPriorityOrder):
1007         (JSC::B3::Air::Code::newTmp):
1008         (JSC::B3::Air::Code::numTmps):
1009         (JSC::B3::Air::Code::regsInPriorityOrderImpl):
1010         * b3/air/AirCustom.cpp:
1011         (JSC::B3::Air::PatchCustom::isValidForm):
1012         (JSC::B3::Air::ShuffleCustom::isValidForm):
1013         * b3/air/AirCustom.h:
1014         (JSC::B3::Air::PatchCustom::forEachArg):
1015         (JSC::B3::Air::CCallCustom::forEachArg):
1016         (JSC::B3::Air::ColdCCallCustom::forEachArg):
1017         (JSC::B3::Air::ShuffleCustom::forEachArg):
1018         (JSC::B3::Air::WasmBoundsCheckCustom::forEachArg):
1019         * b3/air/AirDumpAsJS.cpp:
1020         (JSC::B3::Air::dumpAsJS):
1021         * b3/air/AirEliminateDeadCode.cpp:
1022         (JSC::B3::Air::eliminateDeadCode):
1023         * b3/air/AirEmitShuffle.cpp:
1024         (JSC::B3::Air::emitShuffle):
1025         * b3/air/AirEmitShuffle.h:
1026         (JSC::B3::Air::ShufflePair::ShufflePair):
1027         (JSC::B3::Air::ShufflePair::width):
1028         * b3/air/AirFixObviousSpills.cpp:
1029         * b3/air/AirFixPartialRegisterStalls.cpp:
1030         (JSC::B3::Air::fixPartialRegisterStalls):
1031         * b3/air/AirInst.cpp:
1032         (JSC::B3::Air::Inst::hasArgEffects):
1033         * b3/air/AirInst.h:
1034         (JSC::B3::Air::Inst::forEachTmp):
1035         * b3/air/AirInstInlines.h:
1036         (JSC::B3::Air::Inst::forEach):
1037         (JSC::B3::Air::Inst::forEachDef):
1038         (JSC::B3::Air::Inst::forEachDefWithExtraClobberedRegs):
1039         * b3/air/AirLiveness.h:
1040         (JSC::B3::Air::TmpLivenessAdapter::numIndices):
1041         (JSC::B3::Air::TmpLivenessAdapter::acceptsBank):
1042         (JSC::B3::Air::TmpLivenessAdapter::valueToIndex):
1043         (JSC::B3::Air::TmpLivenessAdapter::indexToValue):
1044         (JSC::B3::Air::StackSlotLivenessAdapter::acceptsBank):
1045         (JSC::B3::Air::RegLivenessAdapter::acceptsBank):
1046         (JSC::B3::Air::AbstractLiveness::AbstractLiveness):
1047         (JSC::B3::Air::AbstractLiveness::LocalCalc::execute):
1048         (JSC::B3::Air::TmpLivenessAdapter::acceptsType): Deleted.
1049         (JSC::B3::Air::StackSlotLivenessAdapter::acceptsType): Deleted.
1050         (JSC::B3::Air::RegLivenessAdapter::acceptsType): Deleted.
1051         * b3/air/AirLogRegisterPressure.cpp:
1052         (JSC::B3::Air::logRegisterPressure):
1053         * b3/air/AirLowerAfterRegAlloc.cpp:
1054         (JSC::B3::Air::lowerAfterRegAlloc):
1055         * b3/air/AirLowerMacros.cpp:
1056         (JSC::B3::Air::lowerMacros):
1057         * b3/air/AirPadInterference.cpp:
1058         (JSC::B3::Air::padInterference):
1059         * b3/air/AirReportUsedRegisters.cpp:
1060         (JSC::B3::Air::reportUsedRegisters):
1061         * b3/air/AirSpillEverything.cpp:
1062         (JSC::B3::Air::spillEverything):
1063         * b3/air/AirTmpInlines.h:
1064         (JSC::B3::Air::AbsoluteTmpMapper<Arg::GP>::absoluteIndex): Deleted.
1065         (JSC::B3::Air::AbsoluteTmpMapper<Arg::GP>::lastMachineRegisterIndex): Deleted.
1066         (JSC::B3::Air::AbsoluteTmpMapper<Arg::GP>::tmpFromAbsoluteIndex): Deleted.
1067         (JSC::B3::Air::AbsoluteTmpMapper<Arg::FP>::absoluteIndex): Deleted.
1068         (JSC::B3::Air::AbsoluteTmpMapper<Arg::FP>::lastMachineRegisterIndex): Deleted.
1069         (JSC::B3::Air::AbsoluteTmpMapper<Arg::FP>::tmpFromAbsoluteIndex): Deleted.
1070         * b3/air/AirTmpWidth.cpp:
1071         (JSC::B3::Air::TmpWidth::recompute):
1072         * b3/air/AirTmpWidth.h:
1073         (JSC::B3::Air::TmpWidth::width):
1074         (JSC::B3::Air::TmpWidth::requiredWidth):
1075         (JSC::B3::Air::TmpWidth::defWidth):
1076         (JSC::B3::Air::TmpWidth::useWidth):
1077         (JSC::B3::Air::TmpWidth::Widths::Widths):
1078         * b3/air/AirUseCounts.h:
1079         (JSC::B3::Air::UseCounts::UseCounts):
1080         * b3/air/AirValidate.cpp:
1081         * b3/air/opcode_generator.rb:
1082         * b3/air/testair.cpp:
1083         (JSC::B3::Air::compile): Deleted.
1084         (JSC::B3::Air::invoke): Deleted.
1085         (JSC::B3::Air::compileAndRun): Deleted.
1086         (JSC::B3::Air::testSimple): Deleted.
1087         (JSC::B3::Air::loadConstantImpl): Deleted.
1088         (JSC::B3::Air::loadConstant): Deleted.
1089         (JSC::B3::Air::loadDoubleConstant): Deleted.
1090         (JSC::B3::Air::testShuffleSimpleSwap): Deleted.
1091         (JSC::B3::Air::testShuffleSimpleShift): Deleted.
1092         (JSC::B3::Air::testShuffleLongShift): Deleted.
1093         (JSC::B3::Air::testShuffleLongShiftBackwards): Deleted.
1094         (JSC::B3::Air::testShuffleSimpleRotate): Deleted.
1095         (JSC::B3::Air::testShuffleSimpleBroadcast): Deleted.
1096         (JSC::B3::Air::testShuffleBroadcastAllRegs): Deleted.
1097         (JSC::B3::Air::testShuffleTreeShift): Deleted.
1098         (JSC::B3::Air::testShuffleTreeShiftBackward): Deleted.
1099         (JSC::B3::Air::testShuffleTreeShiftOtherBackward): Deleted.
1100         (JSC::B3::Air::testShuffleMultipleShifts): Deleted.
1101         (JSC::B3::Air::testShuffleRotateWithFringe): Deleted.
1102         (JSC::B3::Air::testShuffleRotateWithFringeInWeirdOrder): Deleted.
1103         (JSC::B3::Air::testShuffleRotateWithLongFringe): Deleted.
1104         (JSC::B3::Air::testShuffleMultipleRotates): Deleted.
1105         (JSC::B3::Air::testShuffleShiftAndRotate): Deleted.
1106         (JSC::B3::Air::testShuffleShiftAllRegs): Deleted.
1107         (JSC::B3::Air::testShuffleRotateAllRegs): Deleted.
1108         (JSC::B3::Air::testShuffleSimpleSwap64): Deleted.
1109         (JSC::B3::Air::testShuffleSimpleShift64): Deleted.
1110         (JSC::B3::Air::testShuffleSwapMixedWidth): Deleted.
1111         (JSC::B3::Air::testShuffleShiftMixedWidth): Deleted.
1112         (JSC::B3::Air::testShuffleShiftMemory): Deleted.
1113         (JSC::B3::Air::testShuffleShiftMemoryLong): Deleted.
1114         (JSC::B3::Air::testShuffleShiftMemoryAllRegs): Deleted.
1115         (JSC::B3::Air::testShuffleShiftMemoryAllRegs64): Deleted.
1116         (JSC::B3::Air::combineHiLo): Deleted.
1117         (JSC::B3::Air::testShuffleShiftMemoryAllRegsMixedWidth): Deleted.
1118         (JSC::B3::Air::testShuffleRotateMemory): Deleted.
1119         (JSC::B3::Air::testShuffleRotateMemory64): Deleted.
1120         (JSC::B3::Air::testShuffleRotateMemoryMixedWidth): Deleted.
1121         (JSC::B3::Air::testShuffleRotateMemoryAllRegs64): Deleted.
1122         (JSC::B3::Air::testShuffleRotateMemoryAllRegsMixedWidth): Deleted.
1123         (JSC::B3::Air::testShuffleSwapDouble): Deleted.
1124         (JSC::B3::Air::testShuffleShiftDouble): Deleted.
1125         (JSC::B3::Air::testX86VMULSD): Deleted.
1126         (JSC::B3::Air::testX86VMULSDDestRex): Deleted.
1127         (JSC::B3::Air::testX86VMULSDOp1DestRex): Deleted.
1128         (JSC::B3::Air::testX86VMULSDOp2DestRex): Deleted.
1129         (JSC::B3::Air::testX86VMULSDOpsDestRex): Deleted.
1130         (JSC::B3::Air::testX86VMULSDAddr): Deleted.
1131         (JSC::B3::Air::testX86VMULSDAddrOpRexAddr): Deleted.
1132         (JSC::B3::Air::testX86VMULSDDestRexAddr): Deleted.
1133         (JSC::B3::Air::testX86VMULSDRegOpDestRexAddr): Deleted.
1134         (JSC::B3::Air::testX86VMULSDAddrOpDestRexAddr): Deleted.
1135         (JSC::B3::Air::testX86VMULSDBaseNeedsRex): Deleted.
1136         (JSC::B3::Air::testX86VMULSDIndexNeedsRex): Deleted.
1137         (JSC::B3::Air::testX86VMULSDBaseIndexNeedRex): Deleted.
1138         (JSC::B3::Air::run): Deleted.
1139
1140 2017-02-24  Keith Miller  <keith_miller@apple.com>
1141
1142         We should be able to use std::tuples as keys in HashMap
1143         https://bugs.webkit.org/show_bug.cgi?id=168805
1144
1145         Reviewed by Filip Pizlo.
1146
1147         Convert the mess of std::pairs we used as the keys in PrototypeMap
1148         to a std::tuple. I also plan on using this for a HashMap in wasm.
1149
1150         * JavaScriptCore.xcodeproj/project.pbxproj:
1151         * runtime/PrototypeMap.cpp:
1152         (JSC::PrototypeMap::createEmptyStructure):
1153         (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype):
1154         * runtime/PrototypeMap.h:
1155
1156 2017-02-24  Saam Barati  <sbarati@apple.com>
1157
1158         Unreviewed. Remove inaccurate copy-paste comment from r212939.
1159
1160         * dfg/DFGOperations.cpp:
1161
1162 2017-02-23  Saam Barati  <sbarati@apple.com>
1163
1164         Intrinsicify parseInt
1165         https://bugs.webkit.org/show_bug.cgi?id=168627
1166
1167         Reviewed by Filip Pizlo.
1168
1169         This patch makes parseInt an intrinsic in the DFG and FTL.
1170         We do our best to eliminate this node. If we speculate that
1171         the first operand to the operation is an int32, and that there
1172         isn't a second operand, we convert to the identity of the first
1173         operand. That's because parseInt(someInt) === someInt.
1174         
1175         If the first operand is proven to be an integer, and the second
1176         operand is the integer 0 or the integer 10, we can eliminate the
1177         node by making it an identity over its first operand. That's
1178         because parseInt(someInt, 0) === someInt and parseInt(someInt, 10) === someInt.
1179         
1180         If we are not able to constant fold the node away, we try to remove
1181         checks. The most common use case of parseInt is that its first operand
1182         is a proven string. The DFG might be able to remove type checks in this
1183         case. We also set up CSE rules for parseInt(someString, someIntRadix)
1184         because it's a "pure" operation (modulo resolving a rope).
1185
1186         This looks to be a 4% Octane/Box2D progression.
1187
1188         * dfg/DFGAbstractInterpreterInlines.h:
1189         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1190         * dfg/DFGByteCodeParser.cpp:
1191         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1192         * dfg/DFGClobberize.h:
1193         (JSC::DFG::clobberize):
1194         * dfg/DFGConstantFoldingPhase.cpp:
1195         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1196         * dfg/DFGDoesGC.cpp:
1197         (JSC::DFG::doesGC):
1198         * dfg/DFGFixupPhase.cpp:
1199         (JSC::DFG::FixupPhase::fixupNode):
1200         * dfg/DFGNode.h:
1201         (JSC::DFG::Node::hasHeapPrediction):
1202         * dfg/DFGNodeType.h:
1203         * dfg/DFGOperations.cpp:
1204         (JSC::DFG::parseIntResult):
1205         * dfg/DFGOperations.h:
1206         * dfg/DFGPredictionPropagationPhase.cpp:
1207         * dfg/DFGSafeToExecute.h:
1208         (JSC::DFG::safeToExecute):
1209         * dfg/DFGSpeculativeJIT.cpp:
1210         (JSC::DFG::SpeculativeJIT::compileParseInt):
1211         * dfg/DFGSpeculativeJIT.h:
1212         (JSC::DFG::SpeculativeJIT::callOperation):
1213         (JSC::DFG::SpeculativeJIT::appendCallSetResult):
1214         * dfg/DFGSpeculativeJIT32_64.cpp:
1215         (JSC::DFG::SpeculativeJIT::compile):
1216         * dfg/DFGSpeculativeJIT64.cpp:
1217         (JSC::DFG::SpeculativeJIT::compile):
1218         * ftl/FTLCapabilities.cpp:
1219         (JSC::FTL::canCompile):
1220         * ftl/FTLLowerDFGToB3.cpp:
1221         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1222         (JSC::FTL::DFG::LowerDFGToB3::compileParseInt):
1223         * jit/JITOperations.h:
1224         * parser/Lexer.cpp:
1225         * runtime/ErrorInstance.cpp:
1226         * runtime/Intrinsic.h:
1227         * runtime/JSGlobalObject.cpp:
1228         (JSC::JSGlobalObject::init):
1229         * runtime/JSGlobalObjectFunctions.cpp:
1230         (JSC::toStringView): Deleted.
1231         (JSC::isStrWhiteSpace): Deleted.
1232         (JSC::parseDigit): Deleted.
1233         (JSC::parseIntOverflow): Deleted.
1234         (JSC::parseInt): Deleted.
1235         * runtime/JSGlobalObjectFunctions.h:
1236         * runtime/ParseInt.h: Added.
1237         (JSC::parseDigit):
1238         (JSC::parseIntOverflow):
1239         (JSC::isStrWhiteSpace):
1240         (JSC::parseInt):
1241         (JSC::toStringView):
1242         * runtime/StringPrototype.cpp:
1243
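The two folding rules described in the parseInt entry above, checked in JavaScript as an added example (not JavaScriptCore code); the sample values are constructed, and the counterexample functions show why each rule's preconditions (int32 first operand, radix absent or exactly 0 or 10) are needed:

```javascript
// Added example (not JavaScriptCore code): checks the two folding rules the
// entry above describes and shows why each rule's preconditions are needed.

const INT32_MIN = -2147483648;
const INT32_MAX = 2147483647;

// Constructed sample of int32 values, including the range boundaries.
const INT32_SAMPLES = [INT32_MIN, -1, 0, 1, 42, 1000000, INT32_MAX];

// Rule 1: parseInt(someInt) === someInt.
// Rule 2: parseInt(someInt, 0) === someInt and parseInt(someInt, 10) === someInt.
// Returns true only if every sample satisfies all three identities.
function int32IdentityHolds(samples = INT32_SAMPLES) {
  return samples.every((n) =>
    parseInt(n) === n && parseInt(n, 0) === n && parseInt(n, 10) === n);
}

// Why the first operand must be a proven int32: for other numbers the
// ToString step changes the digits parseInt sees, so the identity fails.
function nonInt32Counterexamples() {
  return {
    // 1e21 stringifies as "1e+21"; parseInt stops at the "e".
    largeDouble: parseInt(1e21),
    // 5e-7 stringifies as "5e-7"; only the leading "5" is parsed.
    smallDouble: parseInt(0.0000005),
    // -0 is not an int32 in the DFG's sense; parseInt(-0) yields +0.
    negativeZero: Object.is(parseInt(-0), -0),
  };
}

// Why the radix must be exactly 0 or 10: any other constant radix
// reinterprets the decimal digits of the int32.
function otherRadixCounterexamples() {
  return {
    hex: parseInt(10, 16),
    binary: parseInt(10, 2),
    base36: parseInt(10, 36),
    // Radix 1 is out of the 2..36 range, so parseInt returns NaN.
    base1: Number.isNaN(parseInt(10, 1)),
  };
}
```
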
1244 2017-02-23  JF Bastien  <jfbastien@apple.com>
1245
1246         WebAssembly: support 0x1 version
1247         https://bugs.webkit.org/show_bug.cgi?id=168672
1248
1249         Reviewed by Keith Miller.
1250
1251         * wasm/wasm.json: update the version number; everything is based
1252         on its value
1253
1254 2017-02-23  Saam Barati  <sbarati@apple.com>
1255
1256         Make Briggs fixpoint validation run only with validateGraphAtEachPhase
1257         https://bugs.webkit.org/show_bug.cgi?id=168795
1258
1259         Rubber stamped by Keith Miller.
1260
1261         The Briggs allocator was running intensive validation
1262         on each step of the fixpoint. Instead, it now will just
1263         do it when shouldValidateIRAtEachPhase() is true because
1264         doing this for all !ASSERT_DISABLED builds takes too long.
1265
1266         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
1267
1268 2017-02-23  Filip Pizlo  <fpizlo@apple.com>
1269
1270         SpeculativeJIT::compilePutByValForIntTypedArray should only do the constant-folding optimization when the constant passes the type check
1271         https://bugs.webkit.org/show_bug.cgi?id=168787
1272
1273         Reviewed by Michael Saboff and Mark Lam.
1274
1275         * dfg/DFGSpeculativeJIT.cpp:
1276         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
1277
1278 2017-02-23  Mark Lam  <mark.lam@apple.com>
1279
1280         Ensure that the end of the last invalidation point does not extend beyond the end of the buffer.
1281         https://bugs.webkit.org/show_bug.cgi?id=168786
1282
1283         Reviewed by Filip Pizlo.
1284
1285         In practice, we will always have multiple instructions after invalidation points,
1286         and have enough room in the JIT buffer for the invalidation point to work with.
1287         However, as a precaution, we can guarantee that there's enough room by always
1288         emitting a label just before we link the buffer.  The label will emit nop padding
1289         if needed.
1290
1291         * assembler/LinkBuffer.cpp:
1292         (JSC::LinkBuffer::linkCode):
1293
1294 2017-02-23  Keith Miller  <keith_miller@apple.com>
1295
1296         Unreviewed, fix the cloop build. Needed a #if.
1297
1298         * jit/ExecutableAllocator.cpp:
1299
1300 2017-02-22  Carlos Garcia Campos  <cgarcia@igalia.com>
1301
1302         Better handle Thread and RunLoop initialization
1303         https://bugs.webkit.org/show_bug.cgi?id=167828
1304
1305         Reviewed by Yusuke Suzuki.
1306
1307         * runtime/InitializeThreading.cpp:
1308         (JSC::initializeThreading): Do not initialize double_conversion, which is already initialized by WTF, nor the GC
1309         threads, which will be initialized by the WTF main thread when needed.
1310
1311 2017-02-22  JF Bastien  <jfbastien@apple.com>
1312
1313         WebAssembly: clear out insignificant i32 bits when calling JavaScript
1314         https://bugs.webkit.org/show_bug.cgi?id=166677
1315
1316         Reviewed by Keith Miller.
1317
1318         When WebAssembly calls JavaScript it needs to clear out the
1319         insignificant bits of int32 values:
1320
1321           +------------------- tag
1322           |  +---------------- insignificant
1323           |  |   +------------ 32-bit integer value
1324           |  |   |
1325           |--|---|-------|
1326         0xffff0000ffffffff
1327
1328         At least some JavaScript code assumes that these bits are all
1329         zero. In the wasm-to-wasm.js example we store a 64-bit value in an
1330         object with lo / hi fields, each containing 32-bit integers. We
1331         then load these back, and the baseline compiler fails its
1332         comparison because it first checks the values are the same type
1333         (yes, because the int32 tag is set in both), and then whether they
1334         have the same value (no, because comparing the two registers
1335         fails). We could argue that the baseline compiler is wrong for
1336         performing a 64-bit comparison, but it doesn't really matter
1337         because there's not much of a point in breaking that invariant for
1338         WebAssembly's sake.
1339
1340         * wasm/WasmBinding.cpp:
1341         (JSC::Wasm::wasmToJs):
1342
1343 2017-02-22  Keith Miller  <keith_miller@apple.com>
1344
1345         Remove the demand executable allocator
1346         https://bugs.webkit.org/show_bug.cgi?id=168754
1347
1348         Reviewed by Saam Barati.
1349
1350         We currently only use the demand executable allocator for non-iOS 32-bit platforms.
1351         Benchmark results on a MBP indicate there is no appreciable performance difference
        between the fixed and demand allocators. In a future patch I will go back through
1353         this code and remove more of the abstractions.
1354
1355         * JavaScriptCore.xcodeproj/project.pbxproj:
1356         * jit/ExecutableAllocator.cpp:
1357         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
1358         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
1359         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
1360         (JSC::FixedVMPoolExecutableAllocator::genericWriteToJITRegion):
1361         (JSC::ExecutableAllocator::initializeAllocator):
1362         (JSC::ExecutableAllocator::ExecutableAllocator):
1363         (JSC::FixedVMPoolExecutableAllocator::~FixedVMPoolExecutableAllocator):
1364         (JSC::ExecutableAllocator::isValid):
1365         (JSC::ExecutableAllocator::underMemoryPressure):
1366         (JSC::ExecutableAllocator::memoryPressureMultiplier):
1367         (JSC::ExecutableAllocator::allocate):
1368         (JSC::ExecutableAllocator::isValidExecutableMemory):
1369         (JSC::ExecutableAllocator::getLock):
1370         (JSC::ExecutableAllocator::committedByteCount):
1371         (JSC::ExecutableAllocator::dumpProfile):
1372         (JSC::DemandExecutableAllocator::DemandExecutableAllocator): Deleted.
1373         (JSC::DemandExecutableAllocator::~DemandExecutableAllocator): Deleted.
1374         (JSC::DemandExecutableAllocator::bytesAllocatedByAllAllocators): Deleted.
1375         (JSC::DemandExecutableAllocator::bytesCommittedByAllocactors): Deleted.
1376         (JSC::DemandExecutableAllocator::dumpProfileFromAllAllocators): Deleted.
1377         (JSC::DemandExecutableAllocator::allocateNewSpace): Deleted.
1378         (JSC::DemandExecutableAllocator::notifyNeedPage): Deleted.
1379         (JSC::DemandExecutableAllocator::notifyPageIsFree): Deleted.
1380         (JSC::DemandExecutableAllocator::allocators): Deleted.
1381         (JSC::DemandExecutableAllocator::allocatorsMutex): Deleted.
1382         * jit/ExecutableAllocator.h:
1383         * jit/ExecutableAllocatorFixedVMPool.cpp: Removed.
1384         * jit/JITStubRoutine.h:
1385         (JSC::JITStubRoutine::canPerformRangeFilter):
1386         (JSC::JITStubRoutine::filteringStartAddress):
1387         (JSC::JITStubRoutine::filteringExtentSize):
1388
1389 2017-02-22  Saam Barati  <sbarati@apple.com>
1390
1391         Add biased coloring to Briggs and IRC
1392         https://bugs.webkit.org/show_bug.cgi?id=168611
1393
1394         Reviewed by Filip Pizlo.
1395
1396         This patch implements biased coloring as proposed by Briggs. See section
1397         5.3.3 of his thesis for more information: http://www.cs.utexas.edu/users/mckinley/380C/lecs/briggs-thesis-1992.pdf
1398
1399         The main idea of biased coloring is this:
1400         We try to coalesce a move between u and v, but the conservative heuristic
        fails. We don't want to coalesce the move because we don't want to risk
1402         creating an uncolorable graph. However, if the conservative heuristic fails,
1403         it's not proof that the graph is uncolorable if the move were indeed coalesced.
1404         So, when we go to color the tmps, we'll remember that we really want the
1405         same register for u and v, and if legal during coloring, we will
1406         assign them to the same register.
1407
1408         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
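
An added example, not the Air allocator's code, showing the idea from this entry on a toy interference graph: a move between u and v fails Briggs's conservative test, so the two stay separate nodes, and a bias at coloring time still puts them in the same register when that is legal. The graph, the visit order, k and all names are constructed for illustration; the conservative test is simplified to use current degrees rather than post-merge degrees.

```cpp
#include <cstddef>
#include <set>
#include <utility>
#include <vector>

// Added example, not the Air allocator. A toy interference graph and a
// greedy colorer with the bias described in the entry above: when a tmp
// is colored, it first tries the register already given to a move
// partner. The graph, visit order and k are constructed for illustration;
// the conservative test is Briggs's, simplified to use current degrees.
namespace biased_coloring {

struct Graph {
    std::vector<std::set<size_t>> interferes;      // adjacency sets
    std::vector<std::pair<size_t, size_t>> moves;  // move-related pairs
};

inline void addInterference(Graph& g, size_t a, size_t b) {
    g.interferes[a].insert(b);
    g.interferes[b].insert(a);
}

// Briggs's conservative coalescing test: merging u and v is safe if the
// merged node has fewer than k neighbors of significant (>= k) degree.
inline bool briggsCanCoalesce(const Graph& g, size_t u, size_t v, size_t k) {
    std::set<size_t> neighbors(g.interferes[u].begin(), g.interferes[u].end());
    neighbors.insert(g.interferes[v].begin(), g.interferes[v].end());
    neighbors.erase(u);
    neighbors.erase(v);
    size_t significant = 0;
    for (size_t n : neighbors)
        if (g.interferes[n].size() >= k) ++significant;
    return significant < k;
}

// Greedy coloring in the given order with k registers. Returns one color
// per node, or an empty vector if some node could not be colored (a real
// allocator would spill instead). With useBias, a node whose move partner
// is already colored takes that color whenever no interfering neighbor
// holds it; otherwise it takes the lowest free color.
inline std::vector<int> color(const Graph& g, size_t k, const std::vector<size_t>& order, bool useBias) {
    std::vector<int> assigned(g.interferes.size(), -1);
    for (size_t n : order) {
        std::set<int> forbidden;
        for (size_t nb : g.interferes[n])
            if (assigned[nb] >= 0) forbidden.insert(assigned[nb]);

        int chosen = -1;
        if (useBias) {
            for (const auto& mv : g.moves) {
                if (mv.first != n && mv.second != n) continue;
                size_t partner = (mv.first == n) ? mv.second : mv.first;
                int c = assigned[partner];
                if (c >= 0 && !forbidden.count(c)) { chosen = c; break; }
            }
        }
        for (int c = 0; chosen < 0 && c < static_cast<int>(k); ++c)
            if (!forbidden.count(c)) chosen = c;
        if (chosen < 0) return {};
        assigned[n] = chosen;
    }
    return assigned;
}

// A coloring is valid if every node got a color and no interference edge
// joins two nodes of the same color.
inline bool isValidColoring(const Graph& g, const std::vector<int>& colors) {
    if (colors.size() != g.interferes.size()) return false;
    for (size_t n = 0; n < colors.size(); ++n) {
        if (colors[n] < 0) return false;
        for (size_t nb : g.interferes[n])
            if (colors[nb] == colors[n]) return false;
    }
    return true;
}

// Moves whose ends share a register become no-ops after allocation.
inline size_t coalescedMoves(const Graph& g, const std::vector<int>& colors) {
    if (colors.empty()) return 0;
    size_t count = 0;
    for (const auto& mv : g.moves)
        if (colors[mv.first] == colors[mv.second]) ++count;
    return count;
}

// Constructed scenario: tmps 0 (u) and 1 (v) are move-related. The merged
// node's neighbors 2, 3 and 4 all have degree 3, so with k = 3 Briggs's
// test refuses to coalesce, even though a 3-coloring with u and v in the
// same register exists.
inline Graph sampleGraph() {
    Graph g;
    g.interferes.resize(7);
    addInterference(g, 0, 2);
    addInterference(g, 0, 3);
    addInterference(g, 2, 3);
    addInterference(g, 3, 4);
    addInterference(g, 1, 4);
    addInterference(g, 2, 5);
    addInterference(g, 4, 6);
    g.moves.emplace_back(0, 1);
    return g;
}

inline std::vector<size_t> sampleOrder() { return {2, 3, 0, 5, 4, 6, 1}; }

} // namespace biased_coloring
```

With the constructed order, plain lowest-free coloring gives u register 2 and v register 1, leaving the move live; the biased pass colors v last, sees that u's register 2 is not held by any of v's neighbors, and picks it, so the move disappears without the conservative test ever having been relaxed.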
1409
1410 2017-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1411
1412         JSModuleNamespace object should have IC
1413         https://bugs.webkit.org/show_bug.cgi?id=160590
1414
1415         Reviewed by Saam Barati.
1416
1417         This patch optimizes accesses to module namespace objects.
1418
1419         1. Cache the resolutions for module namespace objects.
1420
            When constructing the module namespace object, we already resolve all the exports.
            The module namespace object caches this result and leverages it in later accesses in
            getOwnPropertySlot. This avoids resolving bindings through resolveExport.
1424
1425         2. Introduce ModuleNamespaceLoad IC.
1426
            This patch adds a new IC for module namespace objects. The mechanism is simple: getOwnPropertySlot
1428             tells us about module namespace object resolution. The IC first checks whether the given object
1429             is an expected module namespace object. If this check succeeds, we load the value from the module
1430             environment.
1431
1432         3. Introduce DFG/FTL optimization.
1433
1434             After exploiting module namespace object accesses in (2), DFG can recognize this in ByteCodeParser.
1435             DFG will convert it to CheckCell with the namespace object and GetClosureVar from the cached environment.
1436             At that time, we have a chance to fold it to the constant.
1437
        This optimization improves the performance of accessing module namespace objects.
1439
1440         Before
1441             $ time ../../WebKitBuild/module-ic-tot/Release/bin/jsc -m module-assert-access-namespace.js
1442             ../../WebKitBuild/module-ic-tot/Release/bin/jsc -m   0.43s user 0.03s system 101% cpu 0.451 total
1443             $ time ../../WebKitBuild/module-ic-tot/Release/bin/jsc -m module-assert-access-binding.js
1444             ../../WebKitBuild/module-ic-tot/Release/bin/jsc -m   0.08s user 0.02s system 103% cpu 0.104 total
1445
1446         After
1447             $ time ../../WebKitBuild/module-ic/Release/bin/jsc -m module-assert-access-namespace.js
1448             ../../WebKitBuild/module-ic/Release/bin/jsc -m   0.11s user 0.01s system 106% cpu 0.109 total
1449             $ time ../../WebKitBuild/module-ic/Release/bin/jsc -m module-assert-access-binding.js
1450             ../../WebKitBuild/module-ic/Release/bin/jsc -m module-assert-access-binding.j  0.08s user 0.02s system 102% cpu 0.105 total
1451
1452         * CMakeLists.txt:
1453         * JavaScriptCore.xcodeproj/project.pbxproj:
1454         * bytecode/AccessCase.cpp:
1455         (JSC::AccessCase::create):
1456         (JSC::AccessCase::guardedByStructureCheck):
1457         (JSC::AccessCase::canReplace):
1458         (JSC::AccessCase::visitWeak):
1459         (JSC::AccessCase::generateWithGuard):
1460         (JSC::AccessCase::generateImpl):
1461         * bytecode/AccessCase.h:
1462         * bytecode/GetByIdStatus.cpp:
1463         (JSC::GetByIdStatus::GetByIdStatus):
1464         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
1465         (JSC::GetByIdStatus::makesCalls):
1466         (JSC::GetByIdStatus::dump):
1467         * bytecode/GetByIdStatus.h:
1468         (JSC::GetByIdStatus::isModuleNamespace):
1469         (JSC::GetByIdStatus::takesSlowPath):
1470         (JSC::GetByIdStatus::moduleNamespaceObject):
1471         (JSC::GetByIdStatus::moduleEnvironment):
1472         (JSC::GetByIdStatus::scopeOffset):
1473         * bytecode/ModuleNamespaceAccessCase.cpp: Added.
1474         (JSC::ModuleNamespaceAccessCase::ModuleNamespaceAccessCase):
1475         (JSC::ModuleNamespaceAccessCase::create):
1476         (JSC::ModuleNamespaceAccessCase::~ModuleNamespaceAccessCase):
1477         (JSC::ModuleNamespaceAccessCase::clone):
1478         (JSC::ModuleNamespaceAccessCase::emit):
1479         * bytecode/ModuleNamespaceAccessCase.h: Added.
1480         (JSC::ModuleNamespaceAccessCase::moduleNamespaceObject):
1481         (JSC::ModuleNamespaceAccessCase::moduleEnvironment):
1482         (JSC::ModuleNamespaceAccessCase::scopeOffset):
1483         * bytecode/PolymorphicAccess.cpp:
1484         (WTF::printInternal):
1485         * dfg/DFGByteCodeParser.cpp:
1486         (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
1487         (JSC::DFG::ByteCodeParser::handleGetById):
1488         * jit/AssemblyHelpers.h:
1489         (JSC::AssemblyHelpers::loadValue):
1490         * jit/Repatch.cpp:
1491         (JSC::tryCacheGetByID):
1492         * runtime/AbstractModuleRecord.cpp:
1493         (JSC::AbstractModuleRecord::getModuleNamespace):
1494         * runtime/JSModuleNamespaceObject.cpp:
1495         (JSC::JSModuleNamespaceObject::finishCreation):
1496         (JSC::JSModuleNamespaceObject::visitChildren):
1497         (JSC::getValue):
1498         (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
1499         (JSC::JSModuleNamespaceObject::getOwnPropertyNames):
1500         * runtime/JSModuleNamespaceObject.h:
1501         (JSC::isJSModuleNamespaceObject):
1502         (JSC::JSModuleNamespaceObject::create): Deleted.
1503         (JSC::JSModuleNamespaceObject::createStructure): Deleted.
1504         (JSC::JSModuleNamespaceObject::moduleRecord): Deleted.
1505         * runtime/JSModuleRecord.h:
1506         (JSC::JSModuleRecord::moduleEnvironment): Deleted.
1507         * runtime/PropertySlot.h:
1508         (JSC::PropertySlot::PropertySlot):
1509         (JSC::PropertySlot::domJIT):
1510         (JSC::PropertySlot::moduleNamespaceSlot):
1511         (JSC::PropertySlot::setValueModuleNamespace):
1512         (JSC::PropertySlot::setCacheableCustom):
1513
1514 2017-02-22  Saam Barati  <sbarati@apple.com>
1515
1516         Unreviewed. Rename AirGraphColoring.* files to AirAllocateRegistersByGraphColoring.* to be more consistent with the rest of the Air file names.
1517
1518         * CMakeLists.txt:
1519         * JavaScriptCore.xcodeproj/project.pbxproj:
1520         * b3/air/AirAllocateRegistersByGraphColoring.cpp: Copied from Source/JavaScriptCore/b3/air/AirGraphColoring.cpp.
1521         * b3/air/AirAllocateRegistersByGraphColoring.h: Copied from Source/JavaScriptCore/b3/air/AirGraphColoring.h.
1522         * b3/air/AirGenerate.cpp:
1523         * b3/air/AirGraphColoring.cpp: Removed.
1524         * b3/air/AirGraphColoring.h: Removed.
1525
1526 2017-02-21  Youenn Fablet  <youenn@apple.com>
1527
1528         [WebRTC][Mac] Activate libwebrtc
1529         https://bugs.webkit.org/show_bug.cgi?id=167293
1530         <rdar://problem/30401864>
1531
1532         Reviewed by Alex Christensen.
1533
1534         * Configurations/FeatureDefines.xcconfig:
1535
1536 2017-02-21  Saam Barati  <sbarati@apple.com>
1537
1538         Add the Briggs optimistic allocator to run on ARM64
1539         https://bugs.webkit.org/show_bug.cgi?id=168454
1540
1541         Reviewed by Filip Pizlo.
1542
1543         This patch adds the Briggs allocator to Air:
1544         http://www.cs.utexas.edu/users/mckinley/380C/lecs/briggs-thesis-1992.pdf
1545         It uses it by default on ARM64. I was measuring an 8-10% speedup
1546         in the phase because of this. I also wasn't able to detect a slowdown 
1547         for generated code on ARM64. There are still a few things we can do
1548         to speed things up even further. Moving the interference graph into
1549         a BitVector was another 10-20% speedup. We should consider doing this
1550         in a follow up patch. This is especially important now, since making
1551         register allocation faster has a direct impact on startup time for
1552         Wasm modules.
1553         
1554         I abstracted away the common bits between Briggs and IRC, and moved
1555         them into a common super class. In a follow up to this patch, I plan
1556         on implementing biased coloring for both Briggs and IRC (this is
1557         described in Briggs's thesis). I was able to detect a 1% slowdown
1558         with Briggs on Octane for x86-64. This is because the register file
        for x86-64 is smaller than ARM64's. When I implemented biased coloring,
1560         I was no longer able to detect this slowdown. I still think it's a
1561         sensible plan to run Briggs on ARM64 and IRC on x86-64.
1562
1563         * CMakeLists.txt:
1564         * JavaScriptCore.xcodeproj/project.pbxproj:
1565         * b3/air/AirGenerate.cpp:
1566         (JSC::B3::Air::prepareForGeneration):
1567         * b3/air/AirGraphColoring.cpp: Copied from Source/JavaScriptCore/b3/air/AirIteratedRegisterCoalescing.cpp.
1568         (JSC::B3::Air::allocateRegistersByGraphColoring):
1569         (JSC::B3::Air::iteratedRegisterCoalescing): Deleted.
1570         * b3/air/AirGraphColoring.h: Copied from Source/JavaScriptCore/b3/air/AirIteratedRegisterCoalescing.h.
1571         * b3/air/AirIteratedRegisterCoalescing.cpp: Removed.
1572         * b3/air/AirIteratedRegisterCoalescing.h: Removed.
1573         * runtime/Options.h:
1574
1575 2017-02-21  Mark Lam  <mark.lam@apple.com>
1576
1577         Add more missing exception checks detected by running marathon.js.
1578         https://bugs.webkit.org/show_bug.cgi?id=168697
1579
1580         Reviewed by Saam Barati.
1581
1582         * runtime/StringPrototype.cpp:
1583         (JSC::replaceUsingRegExpSearch):
1584         (JSC::replaceUsingStringSearch):
1585
1586 2017-02-21  JF Bastien  <jfbastien@apple.com>
1587
1588         FullCodeOrigin for CodeBlock+CodeOrigin printing
1589         https://bugs.webkit.org/show_bug.cgi?id=168673
1590
1591         Reviewed by Filip Pizlo.
1592
1593         WebAssembly doesn't have a CodeBlock, so printing it isn't
1594         valid. This patch adds FullCodeOrigin to handle the
1595         CodeBlock+CodeOrigin printing pattern, and uses it through all the
1596         places I could find, including Repatch.cpp where it's relevant for
1597         WebAssembly.
1598
1599         * CMakeLists.txt:
1600         * JavaScriptCore.xcodeproj/project.pbxproj:
1601         * bytecode/CodeBlock.cpp:
1602         (JSC::CodeBlock::noticeIncomingCall):
1603         * bytecode/FullCodeOrigin.cpp: Added.
1604         (JSC::FullCodeOrigin::dump):
1605         (JSC::FullCodeOrigin::dumpInContext):
1606         * bytecode/FullCodeOrigin.h: Added.
1607         (JSC::FullCodeOrigin::FullCodeOrigin):
1608         * bytecode/PolymorphicAccess.cpp:
1609         (JSC::PolymorphicAccess::regenerate):
1610         * jit/PolymorphicCallStubRoutine.cpp:
1611         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
1612         * jit/Repatch.cpp:
1613         (JSC::linkFor):
1614         (JSC::linkDirectFor):
1615         (JSC::linkVirtualFor):
1616
1617 2017-02-21  Filip Pizlo  <fpizlo@apple.com>
1618
1619         Unreviewed, fix cloop. I managed to have my local patch for relanding be the one without the cloop
1620         fix. I keep forgetting about cloop!
1621
1622         * heap/Heap.cpp:
1623         (JSC::Heap::stopThePeriphery):
1624         * runtime/JSLock.cpp:
1625
1626 2017-02-21  Mark Lam  <mark.lam@apple.com>
1627
1628         Add missing exception checks detected by running marathon.js.
1629         https://bugs.webkit.org/show_bug.cgi?id=168687
1630
1631         Reviewed by Saam Barati.
1632
1633         When running the marathon.js test from https://bugs.webkit.org/show_bug.cgi?id=168580,
1634         we get some crashes due to missing exception checks.  This patch adds those
1635         missing exception checks.
1636
1637         * runtime/JSCJSValueInlines.h:
1638         (JSC::JSValue::toPropertyKey):
1639         * runtime/JSObject.cpp:
1640         (JSC::JSObject::getPrimitiveNumber):
1641
1642 2017-02-20  Filip Pizlo  <fpizlo@apple.com>
1643
1644         The collector thread should only start when the mutator doesn't have heap access
1645         https://bugs.webkit.org/show_bug.cgi?id=167737
1646
1647         Reviewed by Keith Miller.
1648         
1649         This turns the collector thread's workflow into a state machine, so that the mutator thread can
1650         run it directly. This reduces the amount of synchronization we do with the collector thread, and
1651         means that most apps will never start the collector thread. The collector thread will still start
1652         when we need to finish collecting and we don't have heap access.
1653         
1654         In this new world, "stopping the world" means relinquishing control of collection to the mutator.
1655         This means tracking who is conducting collection. I use the GCConductor enum to say who is
1656         conducting. It's either GCConductor::Mutator or GCConductor::Collector. I use the term "conn" to
1657         refer to the concept of conducting (having the conn, relinquishing the conn, taking the conn).
1658         So, stopping the world means giving the mutator the conn. Releasing heap access means giving the
1659         collector the conn.
1660         
1661         This meant bringing back the conservative scan of the calling thread. It turns out that this
1662         scan was too slow to be called on each GC increment because apparently setjmp() now does system
1663         calls. So, I wrote our own callee save register saving for the GC. Then I had doubts about
1664         whether or not it was correct, so I also made it so that the GC only rarely asks for the register
1665         state. I think we still want to use my register saving code instead of setjmp because setjmp
1666         seems to save things we don't need, and that could make us overly conservative.
1667         
1668         It turns out that this new scheduling discipline makes the old space-time scheduler perform
1669         better than the new stochastic space-time scheduler on systems with fewer than 4 cores. This is
1670         because the mutator having the conn enables us to time the mutator<->collector context switches
1671         by polling. The OS is never involved. So, we can use super precise timing. This allows the old
        space-time scheduler to shine like it hadn't before.
1673         
1674         The splay results imply that this is all a good thing. On 2-core systems, this reduces pause
1675         times by 40% and it increases throughput about 5%. On 1-core systems, this reduces pause times by
1676         half and reduces throughput by 8%. On 4-or-more-core systems, this doesn't seem to have much
1677         effect.
1678
1679         * CMakeLists.txt:
1680         * JavaScriptCore.xcodeproj/project.pbxproj:
1681         * bytecode/CodeBlock.cpp:
1682         (JSC::CodeBlock::visitChildren):
1683         * dfg/DFGWorklist.cpp:
1684         (JSC::DFG::Worklist::ThreadBody::ThreadBody):
1685         (JSC::DFG::Worklist::dump):
1686         (JSC::DFG::numberOfWorklists):
1687         (JSC::DFG::ensureWorklistForIndex):
1688         (JSC::DFG::existingWorklistForIndexOrNull):
1689         (JSC::DFG::existingWorklistForIndex):
1690         * dfg/DFGWorklist.h:
1691         (JSC::DFG::numberOfWorklists): Deleted.
1692         (JSC::DFG::ensureWorklistForIndex): Deleted.
1693         (JSC::DFG::existingWorklistForIndexOrNull): Deleted.
1694         (JSC::DFG::existingWorklistForIndex): Deleted.
1695         * heap/CollectingScope.h: Added.
1696         (JSC::CollectingScope::CollectingScope):
1697         (JSC::CollectingScope::~CollectingScope):
1698         * heap/CollectorPhase.cpp: Added.
1699         (JSC::worldShouldBeSuspended):
1700         (WTF::printInternal):
1701         * heap/CollectorPhase.h: Added.
1702         * heap/EdenGCActivityCallback.cpp:
1703         (JSC::EdenGCActivityCallback::lastGCLength):
1704         * heap/FullGCActivityCallback.cpp:
1705         (JSC::FullGCActivityCallback::doCollection):
1706         (JSC::FullGCActivityCallback::lastGCLength):
1707         * heap/GCConductor.cpp: Added.
1708         (JSC::gcConductorShortName):
1709         (WTF::printInternal):
1710         * heap/GCConductor.h: Added.
1711         * heap/GCFinalizationCallback.cpp: Added.
1712         (JSC::GCFinalizationCallback::GCFinalizationCallback):
1713         (JSC::GCFinalizationCallback::~GCFinalizationCallback):
1714         * heap/GCFinalizationCallback.h: Added.
1715         (JSC::GCFinalizationCallbackFuncAdaptor::GCFinalizationCallbackFuncAdaptor):
1716         (JSC::createGCFinalizationCallback):
1717         * heap/Heap.cpp:
1718         (JSC::Heap::Thread::Thread):
1719         (JSC::Heap::Heap):
1720         (JSC::Heap::lastChanceToFinalize):
1721         (JSC::Heap::gatherStackRoots):
1722         (JSC::Heap::updateObjectCounts):
1723         (JSC::Heap::sweepSynchronously):
1724         (JSC::Heap::collectAllGarbage):
1725         (JSC::Heap::collectAsync):
1726         (JSC::Heap::collectSync):
1727         (JSC::Heap::shouldCollectInCollectorThread):
1728         (JSC::Heap::collectInCollectorThread):
1729         (JSC::Heap::checkConn):
1730         (JSC::Heap::runNotRunningPhase):
1731         (JSC::Heap::runBeginPhase):
1732         (JSC::Heap::runFixpointPhase):
1733         (JSC::Heap::runConcurrentPhase):
1734         (JSC::Heap::runReloopPhase):
1735         (JSC::Heap::runEndPhase):
1736         (JSC::Heap::changePhase):
1737         (JSC::Heap::finishChangingPhase):
1738         (JSC::Heap::stopThePeriphery):
1739         (JSC::Heap::resumeThePeriphery):
1740         (JSC::Heap::stopTheMutator):
1741         (JSC::Heap::resumeTheMutator):
1742         (JSC::Heap::stopIfNecessarySlow):
1743         (JSC::Heap::collectInMutatorThread):
1744         (JSC::Heap::waitForCollector):
1745         (JSC::Heap::acquireAccessSlow):
1746         (JSC::Heap::releaseAccessSlow):
1747         (JSC::Heap::relinquishConn):
1748         (JSC::Heap::finishRelinquishingConn):
1749         (JSC::Heap::handleNeedFinalize):
1750         (JSC::Heap::notifyThreadStopping):
1751         (JSC::Heap::finalize):
1752         (JSC::Heap::addFinalizationCallback):
1753         (JSC::Heap::requestCollection):
1754         (JSC::Heap::waitForCollection):
1755         (JSC::Heap::updateAllocationLimits):
1756         (JSC::Heap::didFinishCollection):
1757         (JSC::Heap::collectIfNecessaryOrDefer):
1758         (JSC::Heap::notifyIsSafeToCollect):
1759         (JSC::Heap::preventCollection):
1760         (JSC::Heap::performIncrement):
1761         (JSC::Heap::markToFixpoint): Deleted.
1762         (JSC::Heap::shouldCollectInThread): Deleted.
1763         (JSC::Heap::collectInThread): Deleted.
1764         (JSC::Heap::stopTheWorld): Deleted.
1765         (JSC::Heap::resumeTheWorld): Deleted.
1766         * heap/Heap.h:
1767         (JSC::Heap::machineThreads):
1768         (JSC::Heap::lastFullGCLength):
1769         (JSC::Heap::lastEdenGCLength):
1770         (JSC::Heap::increaseLastFullGCLength):
1771         * heap/HeapInlines.h:
1772         (JSC::Heap::mutatorIsStopped): Deleted.
1773         * heap/HeapStatistics.cpp: Removed.
1774         * heap/HeapStatistics.h: Removed.
1775         * heap/HelpingGCScope.h: Removed.
1776         * heap/IncrementalSweeper.cpp:
1777         (JSC::IncrementalSweeper::stopSweeping):
1778         (JSC::IncrementalSweeper::willFinishSweeping): Deleted.
1779         * heap/IncrementalSweeper.h:
1780         * heap/MachineStackMarker.cpp:
1781         (JSC::MachineThreads::gatherFromCurrentThread):
1782         (JSC::MachineThreads::gatherConservativeRoots):
1783         (JSC::callWithCurrentThreadState):
1784         * heap/MachineStackMarker.h:
1785         * heap/MarkedAllocator.cpp:
1786         (JSC::MarkedAllocator::allocateSlowCaseImpl):
1787         * heap/MarkedBlock.cpp:
1788         (JSC::MarkedBlock::Handle::sweep):
1789         * heap/MarkedSpace.cpp:
1790         (JSC::MarkedSpace::sweep):
1791         * heap/MutatorState.cpp:
1792         (WTF::printInternal):
1793         * heap/MutatorState.h:
1794         * heap/RegisterState.h: Added.
1795         * heap/RunningScope.h: Added.
1796         (JSC::RunningScope::RunningScope):
1797         (JSC::RunningScope::~RunningScope):
1798         * heap/SlotVisitor.cpp:
1799         (JSC::SlotVisitor::SlotVisitor):
1800         (JSC::SlotVisitor::drain):
1801         (JSC::SlotVisitor::drainFromShared):
1802         (JSC::SlotVisitor::drainInParallelPassively):
1803         (JSC::SlotVisitor::donateAll):
1804         (JSC::SlotVisitor::donate):
1805         * heap/SlotVisitor.h:
1806         (JSC::SlotVisitor::codeName):
1807         * heap/StochasticSpaceTimeMutatorScheduler.cpp:
1808         (JSC::StochasticSpaceTimeMutatorScheduler::beginCollection):
1809         (JSC::StochasticSpaceTimeMutatorScheduler::synchronousDrainingDidStall):
1810         (JSC::StochasticSpaceTimeMutatorScheduler::timeToStop):
1811         * heap/SweepingScope.h: Added.
1812         (JSC::SweepingScope::SweepingScope):
1813         (JSC::SweepingScope::~SweepingScope):
1814         * jit/JITWorklist.cpp:
1815         (JSC::JITWorklist::Thread::Thread):
1816         * jsc.cpp:
1817         (GlobalObject::finishCreation):
1818         (functionFlashHeapAccess):
1819         * runtime/InitializeThreading.cpp:
1820         (JSC::initializeThreading):
1821         * runtime/JSCellInlines.h:
1822         (JSC::JSCell::classInfo):
1823         * runtime/Options.cpp:
1824         (JSC::overrideDefaults):
1825         * runtime/Options.h:
1826         * runtime/TestRunnerUtils.cpp:
1827         (JSC::finalizeStatsAtEndOfTesting):
1828
1829 2017-02-21  Saam Barati  <sbarati@apple.com>
1830
1831         Air should have a disassembly mode that dumps IR and assembly intermixed
1832         https://bugs.webkit.org/show_bug.cgi?id=168629
1833
1834         Reviewed by Filip Pizlo.
1835
1836         This will make dumping FTL disassembly dump Air intermixed
1837         with the assembly generated by each Air Inst. This is similar
1838         to how dumpDFGDisassembly dumps the generated assembly for each
1839         Node.
1840         
1841         Here is what the output will look like:
1842         
1843         Generated FTL JIT code for foo#CUaFiQ:[0x10b76c960->0x10b76c2d0->0x10b7b6da0, FTLFunctionCall, 40 (NeverInline)], instruction count = 40:
1844         BB#0: ; frequency = 1.000000
1845                 0x469004e02e00: push %rbp
1846                 0x469004e02e01: mov %rsp, %rbp
1847                 0x469004e02e04: add $0xffffffffffffffd0, %rsp
1848             Move $0x10b76c960, %rax, $4487301472(@16)
1849                 0x469004e02e08: mov $0x10b76c960, %rax
1850             Move %rax, 16(%rbp), @19
1851                 0x469004e02e12: mov %rax, 0x10(%rbp)
1852             Patch &Patchpoint2, %rbp, %rax, @20
1853                 0x469004e02e16: lea -0x50(%rbp), %rax
1854                 0x469004e02e1a: mov $0x1084081e0, %r11
1855                 0x469004e02e24: cmp %rax, (%r11)
1856                 0x469004e02e27: ja 0x469004e02e9a
1857             Move 56(%rbp), %rdx, @23
1858                 0x469004e02e2d: mov 0x38(%rbp), %rdx
1859             Move $0xffff000000000002, %rax, $-281474976710654(@15)
1860                 0x469004e02e31: mov $0xffff000000000002, %rax
1861             Patch &BranchTest64(3,SameAsRep)1, NonZero, %rdx, %rax, %rdx, @26
1862                 0x469004e02e3b: test %rdx, %rax
1863                 0x469004e02e3e: jnz 0x469004e02f08
1864             Move 48(%rbp), %rax, @29
1865                 0x469004e02e44: mov 0x30(%rbp), %rax
1866             Move %rax, %rcx, @31
1867                 0x469004e02e48: mov %rax, %rcx
1868             Xor64 $6, %rcx, @31
1869                 0x469004e02e4b: xor $0x6, %rcx
1870             Patch &BranchTest64(3,SameAsRep)1, NonZero, %rcx, $-2, %rax, @35
1871                 0x469004e02e4f: test $0xfffffffffffffffe, %rcx
1872                 0x469004e02e56: jnz 0x469004e02f12
1873             Patch &Branch32(3,SameAsRep)0, NotEqual, (%rdx), $266, %rdx, @45
1874                 0x469004e02e5c: cmp $0x10a, (%rdx)
1875                 0x469004e02e62: jnz 0x469004e02f1c
1876             BranchTest32 NonZero, %rax, $1, @49
1877                 0x469004e02e68: test $0x1, %al
1878                 0x469004e02e6a: jnz 0x469004e02e91
1879           Successors: #3, #1
1880         BB#1: ; frequency = 1.000000
1881           Predecessors: #0
1882             Move $0, %rcx, @65
1883                 0x469004e02e70: xor %rcx, %rcx
1884             Jump @66
1885           Successors: #2
1886         BB#2: ; frequency = 1.000000
1887           Predecessors: #1, #3
1888             Move 24(%rdx), %rax, @58
1889                 0x469004e02e73: mov 0x18(%rdx), %rax
1890             Patch &BranchAdd32(4,ForceLateUseUnlessRecoverable)3, Overflow, %rcx, %rax, %rcx, %rcx, %rax, @60
1891                 0x469004e02e77: add %eax, %ecx
1892                 0x469004e02e79: jo 0x469004e02f26
1893             Move $0xffff000000000000, %rax, $-281474976710656(@14)
1894                 0x469004e02e7f: mov $0xffff000000000000, %rax
1895             Add64 %rcx, %rax, %rax, @62
1896                 0x469004e02e89: add %rcx, %rax
1897             Ret64 %rax, @63
1898                 0x469004e02e8c: mov %rbp, %rsp
1899                 0x469004e02e8f: pop %rbp
1900                 0x469004e02e90: ret 
1901         BB#3: ; frequency = 1.000000
1902           Predecessors: #0
1903             Move 16(%rdx), %rcx, @52
1904                 0x469004e02e91: mov 0x10(%rdx), %rcx
1905             Jump @55
1906                 0x469004e02e95: jmp 0x469004e02e73
1907           Successors: #2
1908
1909         * CMakeLists.txt:
1910         * JavaScriptCore.xcodeproj/project.pbxproj:
1911         * b3/air/AirCode.h:
1912         (JSC::B3::Air::Code::setDisassembler):
1913         (JSC::B3::Air::Code::disassembler):
1914         * b3/air/AirDisassembler.cpp: Added.
1915         (JSC::B3::Air::Disassembler::startEntrypoint):
1916         (JSC::B3::Air::Disassembler::endEntrypoint):
1917         (JSC::B3::Air::Disassembler::startLatePath):
1918         (JSC::B3::Air::Disassembler::endLatePath):
1919         (JSC::B3::Air::Disassembler::startBlock):
1920         (JSC::B3::Air::Disassembler::addInst):
1921         (JSC::B3::Air::Disassembler::dump):
1922         * b3/air/AirDisassembler.h: Added.
1923         * b3/air/AirGenerate.cpp:
1924         (JSC::B3::Air::generate):
1925         * ftl/FTLCompile.cpp:
1926         (JSC::FTL::compile):
1927
1928 2017-02-21  Ryan Haddad  <ryanhaddad@apple.com>
1929
1930         Unreviewed, rolling out r212712.
1931
1932         This change broke the CLoop build.
1933
1934         Reverted changeset:
1935
1936         "JSModuleNamespace object should have IC"
1937         https://bugs.webkit.org/show_bug.cgi?id=160590
1938         http://trac.webkit.org/changeset/212712
1939
1940 2017-02-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1941
1942         JSModuleNamespace object should have IC
1943         https://bugs.webkit.org/show_bug.cgi?id=160590
1944
1945         Reviewed by Saam Barati.
1946
1947         This patch optimizes accesses to module namespace objects.
1948
1949         1. Cache the resolutions for module namespace objects.
1950
            When constructing the module namespace object, we already resolve all the exports.
            The module namespace object caches this result and leverages it in later accesses in
            getOwnPropertySlot. This avoids resolving bindings through resolveExport.
1954
1955         2. Introduce ModuleNamespaceLoad IC.
1956
            This patch adds a new IC for module namespace objects. The mechanism is simple: getOwnPropertySlot
1958             tells us about module namespace object resolution. The IC first checks whether the given object
1959             is an expected module namespace object. If this check succeeds, we load the value from the module
1960             environment.
1961
1962         3. Introduce DFG/FTL optimization.
1963
1964             After exploiting module namespace object accesses in (2), DFG can recognize this in ByteCodeParser.
1965             DFG will convert it to CheckCell with the namespace object and GetClosureVar from the cached environment.
1966             At that time, we have a chance to fold it to the constant.
1967
1968         This optimization improves the performance of accessing module namespace objects.
1969
1970         Before
1971             $ time ../../WebKitBuild/module-ic-tot/Release/bin/jsc -m module-assert-access-namespace.js
1972             ../../WebKitBuild/module-ic-tot/Release/bin/jsc -m   0.43s user 0.03s system 101% cpu 0.451 total
1973             $ time ../../WebKitBuild/module-ic-tot/Release/bin/jsc -m module-assert-access-binding.js
1974             ../../WebKitBuild/module-ic-tot/Release/bin/jsc -m   0.08s user 0.02s system 103% cpu 0.104 total
1975
1976         After
1977             $ time ../../WebKitBuild/module-ic/Release/bin/jsc -m module-assert-access-namespace.js
1978             ../../WebKitBuild/module-ic/Release/bin/jsc -m   0.11s user 0.01s system 106% cpu 0.109 total
1979             $ time ../../WebKitBuild/module-ic/Release/bin/jsc -m module-assert-access-binding.js
1980             ../../WebKitBuild/module-ic/Release/bin/jsc -m module-assert-access-binding.j  0.08s user 0.02s system 102% cpu 0.105 total
1981
1982         * CMakeLists.txt:
1983         * JavaScriptCore.xcodeproj/project.pbxproj:
1984         * bytecode/AccessCase.cpp:
1985         (JSC::AccessCase::create):
1986         (JSC::AccessCase::guardedByStructureCheck):
1987         (JSC::AccessCase::canReplace):
1988         (JSC::AccessCase::visitWeak):
1989         (JSC::AccessCase::generateWithGuard):
1990         (JSC::AccessCase::generateImpl):
1991         * bytecode/AccessCase.h:
1992         * bytecode/GetByIdStatus.cpp:
1993         (JSC::GetByIdStatus::GetByIdStatus):
1994         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
1995         (JSC::GetByIdStatus::makesCalls):
1996         (JSC::GetByIdStatus::dump):
1997         * bytecode/GetByIdStatus.h:
1998         (JSC::GetByIdStatus::isModuleNamespace):
1999         (JSC::GetByIdStatus::takesSlowPath):
2000         (JSC::GetByIdStatus::moduleNamespaceObject):
2001         (JSC::GetByIdStatus::moduleEnvironment):
2002         (JSC::GetByIdStatus::scopeOffset):
2003         * bytecode/ModuleNamespaceAccessCase.cpp: Added.
2004         (JSC::ModuleNamespaceAccessCase::ModuleNamespaceAccessCase):
2005         (JSC::ModuleNamespaceAccessCase::create):
2006         (JSC::ModuleNamespaceAccessCase::~ModuleNamespaceAccessCase):
2007         (JSC::ModuleNamespaceAccessCase::clone):
2008         (JSC::ModuleNamespaceAccessCase::emit):
2009         * bytecode/ModuleNamespaceAccessCase.h: Added.
2010         (JSC::ModuleNamespaceAccessCase::moduleNamespaceObject):
2011         (JSC::ModuleNamespaceAccessCase::moduleEnvironment):
2012         (JSC::ModuleNamespaceAccessCase::scopeOffset):
2013         * bytecode/PolymorphicAccess.cpp:
2014         (WTF::printInternal):
2015         * dfg/DFGByteCodeParser.cpp:
2016         (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
2017         (JSC::DFG::ByteCodeParser::handleGetById):
2018         * jit/AssemblyHelpers.h:
2019         (JSC::AssemblyHelpers::loadValue):
2020         * jit/Repatch.cpp:
2021         (JSC::tryCacheGetByID):
2022         * runtime/AbstractModuleRecord.cpp:
2023         (JSC::AbstractModuleRecord::getModuleNamespace):
2024         * runtime/JSModuleNamespaceObject.cpp:
2025         (JSC::JSModuleNamespaceObject::finishCreation):
2026         (JSC::JSModuleNamespaceObject::visitChildren):
2027         (JSC::getValue):
2028         (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
2029         (JSC::JSModuleNamespaceObject::getOwnPropertyNames):
2030         * runtime/JSModuleNamespaceObject.h:
2031         (JSC::isJSModuleNamespaceObject):
2032         (JSC::JSModuleNamespaceObject::create): Deleted.
2033         (JSC::JSModuleNamespaceObject::createStructure): Deleted.
2034         (JSC::JSModuleNamespaceObject::moduleRecord): Deleted.
2035         * runtime/JSModuleRecord.h:
2036         (JSC::JSModuleRecord::moduleEnvironment): Deleted.
2037         * runtime/PropertySlot.h:
2038         (JSC::PropertySlot::PropertySlot):
2039         (JSC::PropertySlot::domJIT):
2040         (JSC::PropertySlot::moduleNamespaceSlot):
2041         (JSC::PropertySlot::setValueModuleNamespace):
2042         (JSC::PropertySlot::setCacheableCustom):
2043
2044 2017-02-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2045
2046         ASSERTION FAILED: "!scope.exception()" with Object.isSealed/isFrozen and uninitialized module bindings
2047         https://bugs.webkit.org/show_bug.cgi?id=168605
2048
2049         Reviewed by Saam Barati.
2050
2051         We should check exception state after calling getOwnPropertyDescriptor() since it can throw errors.
2052
2053         * runtime/ObjectConstructor.cpp:
2054         (JSC::objectConstructorIsSealed):
2055         (JSC::objectConstructorIsFrozen):
2056
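The exception-check discipline this entry describes, as an added example that is not JavaScriptCore code: a cut-down model in which a namespace export still in its temporal dead zone makes the descriptor lookup throw, and isSealed() stops as soon as the scope carries an exception instead of continuing with an unusable descriptor. ThrowScope, ExportBinding, ModuleNamespace and the two sample namespaces are constructed for the illustration only.

```cpp
#include <map>
#include <string>

// Stand-in for JSC's throw scope: records the first pending error.
struct ThrowScope {
    bool hasException = false;
    std::string message;
    bool exception() const { return hasException; }
    void throwError(const std::string& msg) {
        if (!hasException) { hasException = true; message = msg; }
    }
};

struct PropertyDescriptor { bool writable; bool enumerable; bool configurable; };

// `initialized == false` models an export whose binding is still in its
// temporal dead zone (e.g. a `let` the module has not evaluated yet).
struct ExportBinding { bool initialized; };

struct ModuleNamespace { std::map<std::string, ExportBinding> exports; };

// [[GetOwnProperty]] on a namespace object reads the binding's current value, so an
// uninitialised binding throws (sets the scope) instead of yielding a descriptor.
// Returns true and fills `out` only when a descriptor was produced.
static bool getOwnPropertyDescriptor(ThrowScope& scope, const ModuleNamespace& ns,
                                     const std::string& name, PropertyDescriptor& out) {
    std::map<std::string, ExportBinding>::const_iterator it = ns.exports.find(name);
    if (it == ns.exports.end())
        return false;
    if (!it->second.initialized) {
        scope.throwError("ReferenceError: Cannot access uninitialized variable '" + name + "'");
        return false;
    }
    out.writable = true;       // namespace exports: writable, enumerable, non-configurable
    out.enumerable = true;
    out.configurable = false;
    return true;
}

enum SealedResult { NotSealed, Sealed, ExceptionPending };

// Object.isSealed over a namespace object (which is non-extensible by construction).
static SealedResult isSealed(ThrowScope& scope, const ModuleNamespace& ns) {
    for (std::map<std::string, ExportBinding>::const_iterator it = ns.exports.begin();
         it != ns.exports.end(); ++it) {
        PropertyDescriptor desc;
        bool found = getOwnPropertyDescriptor(scope, ns, it->first, desc);
        if (scope.exception())
            return ExceptionPending;   // the fix: bail out while the exception is pending
        if (found && desc.configurable)
            return NotSealed;
    }
    return Sealed;
}

// Constructed sample 1: every export initialised -> sealed, no exception.
static bool initializedNamespaceIsSealed() {
    ModuleNamespace ns;
    ns.exports["a"] = ExportBinding{ true };
    ns.exports["b"] = ExportBinding{ true };
    ThrowScope scope;
    SealedResult r = isSealed(scope, ns);
    return r == Sealed && !scope.exception();
}

// Constructed sample 2: one export still in its TDZ -> the error propagates.
static bool tdzNamespacePropagatesException() {
    ModuleNamespace ns;
    ns.exports["a"] = ExportBinding{ true };
    ns.exports["b"] = ExportBinding{ false };
    ThrowScope scope;
    SealedResult r = isSealed(scope, ns);
    return r == ExceptionPending && scope.exception();
}
```

The point of the model is the `if (scope.exception()) return` immediately after the fallible call: without it the loop keeps consuming a descriptor that was never written, which is what the assertion in the bug title caught.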
2057 2017-02-20  Mark Lam  <mark.lam@apple.com>
2058
2059         [Re-landing] CachedCall should let GC know to keep its arguments alive.
2060         https://bugs.webkit.org/show_bug.cgi?id=168567
2061         <rdar://problem/30475767>
2062
2063         Reviewed by Saam Barati.
2064
2065         We fix this by having CachedCall use a MarkedArgumentBuffer to store its
2066         arguments instead of a Vector.
2067
2068         Also declared CachedCall, MarkedArgumentBuffer, and ProtoCallFrame as
2069         WTF_FORBID_HEAP_ALLOCATION because they rely on being stack allocated for
2070         correctness.
2071
2072         Update: the original patch has a bug in MarkedArgumentBuffer::expandCapacity()
2073         where it was copying and calling addMarkSet() on values in m_buffer beyond m_size
2074         (up to m_capacity).  As a result, depending on the pre-existing values in
2075         m_inlineBuffer, this may result in a computed Heap pointer that is wrong, and
2076         subsequently, manifest as a crash.  This is likely to be the cause of the PLT
2077         regression.
2078
2079         I don't have a new test for this fix because the issue relies on sufficiently bad
2080         values randomly showing up in m_inlineBuffer when we do an ensureCapacity() which
2081         calls expandCapacity().
2082
2083         * interpreter/CachedCall.h:
2084         (JSC::CachedCall::CachedCall):
2085         (JSC::CachedCall::call):
2086         (JSC::CachedCall::clearArguments):
2087         (JSC::CachedCall::appendArgument):
2088         (JSC::CachedCall::setArgument): Deleted.
2089         * interpreter/CallFrame.h:
2090         (JSC::ExecState::emptyList):
2091         * interpreter/Interpreter.cpp:
2092         (JSC::Interpreter::prepareForRepeatCall):
2093         * interpreter/Interpreter.h:
2094         * interpreter/ProtoCallFrame.h:
2095         * runtime/ArgList.cpp:
2096         (JSC::MarkedArgumentBuffer::slowEnsureCapacity):
2097         (JSC::MarkedArgumentBuffer::expandCapacity):
2098         (JSC::MarkedArgumentBuffer::slowAppend):
2099         * runtime/ArgList.h:
2100         (JSC::MarkedArgumentBuffer::append):
2101         (JSC::MarkedArgumentBuffer::ensureCapacity):
2102         * runtime/StringPrototype.cpp:
2103         (JSC::replaceUsingRegExpSearch):
2104         * runtime/VM.cpp:
2105         (JSC::VM::VM):
2106         * runtime/VM.h:
2107
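A model of the expandCapacity() mistake described above, added here as an example and not JavaScriptCore's MarkedArgumentBuffer: the buffer has an inline array whose unused slots hold stale bytes, and growing it with a loop bounded by capacity instead of size hands those stale values to the GC as if they were cells. ArgBuffer, kGarbage, the mark set and the live-cell set are illustrative stand-ins for the real heap plumbing.

```cpp
#include <cstddef>
#include <cstdint>
#include <set>
#include <vector>

// A GC cell is modelled as an address; a set of live addresses stands in for the Heap.
typedef std::uintptr_t Cell;
static const Cell kGarbage = 0xDEADBEEFCAFEBABEull;   // stale bytes in never-written slots

struct ArgBuffer {
    static const size_t kInlineCapacity = 4;
    Cell inlineBuffer[kInlineCapacity];
    std::vector<Cell> heapBuffer;
    Cell* buffer;
    size_t size;
    size_t capacity;
    std::set<Cell> markSet;   // everything passed to addMarkSet(); the GC will treat these as cells

    ArgBuffer() : buffer(inlineBuffer), size(0), capacity(kInlineCapacity) {
        // Model uninitialised stack memory: slots past m_size hold whatever was there before.
        for (size_t i = 0; i < kInlineCapacity; ++i)
            inlineBuffer[i] = kGarbage;
    }
    void append(Cell c) { buffer[size++] = c; }   // caller must have ensured capacity
};

// expandCapacity(): copy the old slots into a larger buffer and register each copied
// value with the GC. The original patch looped to `capacity`; the fix loops to `size`.
static void expandCapacity(ArgBuffer& b, bool loopToCapacity) {
    size_t newCapacity = b.capacity * 2;
    std::vector<Cell> fresh(newCapacity, kGarbage);
    size_t limit = loopToCapacity ? b.capacity : b.size;
    for (size_t i = 0; i < limit; ++i) {
        fresh[i] = b.buffer[i];
        b.markSet.insert(b.buffer[i]);   // addMarkSet(): a Heap* is later derived from this "cell"
    }
    b.heapBuffer.swap(fresh);
    b.buffer = b.heapBuffer.data();
    b.capacity = newCapacity;
}

// True when every value registered with the GC is a real live cell.
static bool markSetIsClean(const ArgBuffer& b, const std::set<Cell>& liveCells) {
    for (std::set<Cell>::const_iterator it = b.markSet.begin(); it != b.markSet.end(); ++it)
        if (!liveCells.count(*it))
            return false;
    return true;
}

// Two arguments appended, then the buffer grows while size < capacity (as ensureCapacity()
// can do). Returns whether the GC only ever saw live cells.
static bool growBufferAndCheck(bool useBuggyLoop) {
    std::set<Cell> live;
    live.insert(0x1000);
    live.insert(0x2000);
    ArgBuffer b;
    b.append(0x1000);
    b.append(0x2000);
    expandCapacity(b, useBuggyLoop);   // size == 2, capacity == 4: slots 2 and 3 are garbage
    return markSetIsClean(b, live);
}
```

With the buggy bound the mark set contains kGarbage, which is exactly the "computed Heap pointer that is wrong" the entry describes; whether that crashes depends on what the stack happened to contain, which is also why the entry says no deterministic test could be written.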
2108 2017-02-20  Commit Queue  <commit-queue@webkit.org>
2109
2110         Unreviewed, rolling out r212618.
2111         https://bugs.webkit.org/show_bug.cgi?id=168609
2112
2113         "Appears to cause PLT regression" (Requested by mlam on
2114         #webkit).
2115
2116         Reverted changeset:
2117
2118         "CachedCall should let GC know to keep its arguments alive."
2119         https://bugs.webkit.org/show_bug.cgi?id=168567
2120         http://trac.webkit.org/changeset/212618
2121
2122 2017-02-19  Mark Lam  <mark.lam@apple.com>
2123
2124         BytecodeGenerator should not iterate its m_controlFlowScopeStack using a pointer bump.
2125         https://bugs.webkit.org/show_bug.cgi?id=168585
2126
2127         Reviewed by Yusuke Suzuki.
2128
2129         This is because m_controlFlowScopeStack is a SegmentedVector, and entries for
2130         consecutive indices in the vector are not guaranteed to be consecutive in memory
2131         layout.  We should be using indexing instead.
2132
2133         This issue was detected by the marathon.js test from
2134         https://bugs.webkit.org/show_bug.cgi?id=168580.
2135
2136         * bytecompiler/BytecodeGenerator.cpp:
2137         (JSC::BytecodeGenerator::emitJumpViaFinallyIfNeeded):
2138         (JSC::BytecodeGenerator::emitReturnViaFinallyIfNeeded):
2139
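Why the pointer bump fails, as an added example that is not WebKit's SegmentedVector: a minimal segmented vector whose segments are separate heap allocations. Each segment here is padded with one trap slot so that the demonstration of a `p + i` walk reads defined memory rather than whatever follows the segment; SegmentedIntVector, the trap value and the ten-element sample are constructed for the illustration.

```cpp
#include <cstddef>
#include <memory>
#include <utility>
#include <vector>

// Element i lives in segment i / SegmentSize at offset i % SegmentSize. Segments are
// allocated separately, so nothing guarantees contiguity across a segment boundary.
template <size_t SegmentSize>
class SegmentedIntVector {
public:
    enum { kTrap = -1 };   // sentinel stored in the slot after each segment's last element

    void append(int value) {
        if (m_size % SegmentSize == 0) {   // current segment full: allocate a fresh one
            std::unique_ptr<int[]> seg(new int[SegmentSize + 1]);
            seg[SegmentSize] = kTrap;      // padding so a pointer bump lands on defined memory
            m_segments.push_back(std::move(seg));
        }
        m_segments[m_size / SegmentSize][m_size % SegmentSize] = value;
        ++m_size;
    }
    size_t size() const { return m_size; }
    int& operator[](size_t i) { return m_segments[i / SegmentSize][i % SegmentSize]; }

private:
    std::vector<std::unique_ptr<int[]>> m_segments;
    size_t m_size = 0;
};

typedef SegmentedIntVector<4> Stack;

// Constructed sample: ten elements 1..10, spanning three 4-element segments.
static Stack makeSample() {
    Stack v;
    for (int i = 1; i <= 10; ++i)
        v.append(i);
    return v;
}

// What a pointer-bump loop sees at logical index i: it takes &v[0] and adds i, never
// hopping to the next segment. Only meaningful for i <= 4 here, because the trap slot
// is the last defined address in segment 0.
static int pointerBumpReadSample(size_t i) {
    Stack v = makeSample();
    int* p = &v[0];
    return *(p + i);
}

// The fix from the entry above: index through operator[], which picks the right segment.
static int indexReadSample(size_t i) {
    Stack v = makeSample();
    return v[i];
}

static long sumSampleByIndex() {
    Stack v = makeSample();
    long total = 0;
    for (size_t i = 0; i < v.size(); ++i)
        total += v[i];
    return total;
}
```

Index 3 is still inside the first segment and reads correctly either way; index 4 is where the two walks diverge, and without the trap padding the pointer bump would be reading past the end of the first allocation.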
2140 2017-02-20  Manuel Rego Casasnovas  <rego@igalia.com>
2141
2142         [css-grid] Remove compilation flag ENABLE_CSS_GRID_LAYOUT
2143         https://bugs.webkit.org/show_bug.cgi?id=167693
2144
2145         Reviewed by Sergio Villar Senin.
2146
2147         * Configurations/FeatureDefines.xcconfig:
2148
2149 2017-02-19  Commit Queue  <commit-queue@webkit.org>
2150
2151         Unreviewed, rolling out r212472.
2152         https://bugs.webkit.org/show_bug.cgi?id=168584
2153
2154         Broke CLoop builds when r212466 was rolled out in r212616
2155         (Requested by rniwa on #webkit).
2156
2157         Reverted changeset:
2158
2159         "Unreviewed, fix cloop build."
2160         http://trac.webkit.org/changeset/212472
2161
2162 2017-02-19  Mark Lam  <mark.lam@apple.com>
2163
2164         functionTestWasmModuleFunctions() should use a MarkedArgumentBuffer for storing args instead of a Vector.
2165         https://bugs.webkit.org/show_bug.cgi?id=168574
2166
2167         Reviewed by Filip Pizlo.
2168
2169         * jsc.cpp:
2170         (callWasmFunction):
2171         (functionTestWasmModuleFunctions):
2172         * runtime/ArgList.h:
2173
2174 2017-02-19  Mark Lam  <mark.lam@apple.com>
2175
2176         CachedCall should let GC know to keep its arguments alive.
2177         https://bugs.webkit.org/show_bug.cgi?id=168567
2178         <rdar://problem/30475767>
2179
2180         Reviewed by Saam Barati.
2181
2182         We fix this by having CachedCall use a MarkedArgumentBuffer to store its
2183         arguments instead of a Vector.
2184
2185         Also declared CachedCall, MarkedArgumentBuffer, and ProtoCallFrame as
2186         WTF_FORBID_HEAP_ALLOCATION because they rely on being stack allocated for
2187         correctness.
2188
2189         * interpreter/CachedCall.h:
2190         (JSC::CachedCall::CachedCall):
2191         (JSC::CachedCall::call):
2192         (JSC::CachedCall::clearArguments):
2193         (JSC::CachedCall::appendArgument):
2194         (JSC::CachedCall::setArgument): Deleted.
2195         * interpreter/CallFrame.h:
2196         (JSC::ExecState::emptyList):
2197         * interpreter/Interpreter.cpp:
2198         (JSC::Interpreter::prepareForRepeatCall):
2199         * interpreter/Interpreter.h:
2200         * interpreter/ProtoCallFrame.h:
2201         * runtime/ArgList.cpp:
2202         (JSC::MarkedArgumentBuffer::expandCapacity):
2203         * runtime/ArgList.h:
2204         (JSC::MarkedArgumentBuffer::ensureCapacity):
2205         * runtime/StringPrototype.cpp:
2206         (JSC::replaceUsingRegExpSearch):
2207         * runtime/VM.cpp:
2208         (JSC::VM::VM):
2209         * runtime/VM.h:
2210
2211 2017-02-19  Commit Queue  <commit-queue@webkit.org>
2212
2213         Unreviewed, rolling out r212466.
2214         https://bugs.webkit.org/show_bug.cgi?id=168577
2215
2216         causes crashes on AArch64 on Linux, maybe it's causing crashes
2217         on iOS too (Requested by pizlo on #webkit).
2218
2219         Reverted changeset:
2220
2221         "The collector thread should only start when the mutator
2222         doesn't have heap access"
2223         https://bugs.webkit.org/show_bug.cgi?id=167737
2224         http://trac.webkit.org/changeset/212466
2225
2226 2017-02-17  Michael Saboff  <msaboff@apple.com>
2227
2228         Improve ARM64 disassembler handling of pseudo ops, unsupported opcodes and zero reg
2229         https://bugs.webkit.org/show_bug.cgi?id=168527
2230
2231         Reviewed by Filip Pizlo.
2232
2233         Added support for data processing 1 source instructions like rbit, rev, clz and cls.
2234         Added support for the FP conditional select instruction, fcsel.  Consolidated the
2235         two classes for handling dmb instructions into one class.  Fixed the instruction
2236         selection mask in the integer conditional select class, A64DOpcodeConditionalSelect.
2237         Fixed the processing of extract instruction (extr) including the rotate right (ror)
2238         pseudo instruction.  Changed the printing of x31 and w31 to xzr and wzr as operands
2239         according to the spec.  Added support for common pseudo instructions.  This includes:
2240         - mvn x1, x2 in place of orn x1, xzr, x2
2241         - lsl x3, x4, #count in place of ubfiz x3, x4, #count, #count
2242         - smull x5, w6, w7 in place of smaddl x5, w6, w7, xzr
2243         - More understandable mov x8, #-304 in place of movn x8, #0x12f
2244         - Eliminated xzr from register index loads and stores, outputting
2245           ldr x10, [x11] instead of ldr x10, [x11, xzr]
2246
2247         Changed the move wide instructions to use hex literals for movz and movk.
2248         This makes it much easier to decipher sequences of wide moves for large literals.
2249                 Before                       After
2250           movz   x17, #26136           movz   x17, #0x6618
2251           movk   x17, #672, lsl #16    movk   x17, #0x2a0, lsl #16
2252           movk   x17, #1, lsl #32      movk   x17, #0x1, lsl #32
2253
2254         Verified that all instructions currently generated by the JSC stress tests are
2255         disassembled.
2256
2257         * disassembler/ARM64/A64DOpcode.cpp:
2258         (JSC::ARM64Disassembler::A64DOpcodeBitfield::format):
2259         (JSC::ARM64Disassembler::A64DOpcodeDataProcessing1Source::format):
2260         (JSC::ARM64Disassembler::A64DOpcodeDataProcessing2Source::format):
2261         (JSC::ARM64Disassembler::A64DOpcodeDataProcessing3Source::format):
2262         (JSC::ARM64Disassembler::A64DOpcodeExtract::format):
2263         (JSC::ARM64Disassembler::A64DOpcodeFloatingPointConditionalSelect::format):
2264         (JSC::ARM64Disassembler::A64DOpcodeFloatingPointIntegerConversions::format):
2265         (JSC::ARM64Disassembler::A64DOpcodeDmb::format):
2266         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreImmediate::format):
2267         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreRegisterOffset::format):
2268         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreRegisterPair::format):
2269         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreUnsignedImmediate::format):
2270         (JSC::ARM64Disassembler::A64DOpcodeLogicalShiftedRegister::format):
2271         (JSC::ARM64Disassembler::A64DOpcodeMoveWide::format):
2272         (JSC::ARM64Disassembler::A64DOpcodeDmbIsh::format): Deleted.
2273         (JSC::ARM64Disassembler::A64DOpcodeDmbIshSt::format): Deleted.
2274         * disassembler/ARM64/A64DOpcode.h:
2275         (JSC::ARM64Disassembler::A64DOpcode::appendSignedImmediate64):
2276         (JSC::ARM64Disassembler::A64DOpcode::appendUnsignedHexImmediate):
2277         (JSC::ARM64Disassembler::A64DOpcodeDataProcessing1Source::opName):
2278         (JSC::ARM64Disassembler::A64DOpcodeDataProcessing1Source::sBit):
2279         (JSC::ARM64Disassembler::A64DOpcodeDataProcessing1Source::opCode):
2280         (JSC::ARM64Disassembler::A64DOpcodeDataProcessing1Source::opCode2):
2281         (JSC::ARM64Disassembler::A64DOpcodeDataProcessing1Source::opNameIndex):
2282         (JSC::ARM64Disassembler::A64DOpcodeDataProcessing3Source::opName):
2283         (JSC::ARM64Disassembler::A64DOpcodeFloatingPointConditionalSelect::opName):
2284         (JSC::ARM64Disassembler::A64DOpcodeFloatingPointConditionalSelect::condition):
2285         (JSC::ARM64Disassembler::A64DOpcodeDmb::option):
2286         (JSC::ARM64Disassembler::A64DOpcodeDmb::crM):
2287         (JSC::ARM64Disassembler::A64DOpcodeLogicalShiftedRegister::isMov):
2288         (JSC::ARM64Disassembler::A64DOpcodeDmbIsh::opName): Deleted.
2289         (JSC::ARM64Disassembler::A64DOpcodeDmbIshSt::opName): Deleted.
2290
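A decoder for the ARM64 move-wide class, added as an example and not the JSC disassembler: it prints movz/movk immediates in hex and x31 as xzr, as the entry above describes, renders an unshifted movn as the `mov rd, #-(imm16 + 1)` alias (a simplified form of the spec's alias condition), and folds a movz/movk sequence back into the 64-bit literal it materialises. The three sample encodings are constructed here from the instruction text quoted in the entry.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

struct MoveWide {
    bool valid;
    bool is64;
    unsigned opc;     // 0 = MOVN, 2 = MOVZ, 3 = MOVK (1 is unallocated)
    unsigned hw;      // shift amount is hw * 16
    unsigned imm16;
    unsigned rd;
};

// Move wide (immediate) class: sf | opc(2) | 100101 | hw(2) | imm16(16) | Rd(5).
static MoveWide decodeMoveWide(uint32_t insn) {
    MoveWide m = MoveWide();
    if (((insn >> 23) & 0x3f) != 0x25)
        return m;                                       // not a move-wide instruction
    m.is64  = ((insn >> 31) & 1) != 0;
    m.opc   = (insn >> 29) & 3;
    m.hw    = (insn >> 21) & 3;
    m.imm16 = (insn >> 5) & 0xffff;
    m.rd    = insn & 0x1f;
    m.valid = m.opc != 1 && (m.is64 || m.hw < 2);      // W forms only allow hw 0 and 1
    return m;
}

// Register 31 in this class is the zero register, printed as xzr/wzr per the spec.
static std::string regName(unsigned rd, bool is64) {
    if (rd == 31)
        return is64 ? "xzr" : "wzr";
    return std::string(is64 ? "x" : "w") + std::to_string(rd);
}

static std::string formatMoveWide(const MoveWide& m) {
    if (!m.valid)
        return "(unallocated move wide)";
    char buf[64];
    std::string rd = regName(m.rd, m.is64);
    // Unshifted MOVN reads better as mov rd, #-(imm16 + 1). Simplified alias condition:
    // the spec additionally excludes imm16 == 0xffff on X registers.
    if (m.opc == 0 && m.hw == 0 && !(m.is64 && m.imm16 == 0xffff)) {
        std::snprintf(buf, sizeof buf, "mov    %s, #%lld", rd.c_str(), -(long long)m.imm16 - 1);
        return buf;
    }
    const char* name = m.opc == 0 ? "movn" : m.opc == 2 ? "movz" : "movk";
    if (m.hw)
        std::snprintf(buf, sizeof buf, "%s   %s, #0x%x, lsl #%u", name, rd.c_str(), m.imm16, m.hw * 16);
    else
        std::snprintf(buf, sizeof buf, "%s   %s, #0x%x", name, rd.c_str(), m.imm16);
    return buf;
}

// Folds a movz/movk(/movn) sequence into the literal it leaves in rd.
static uint64_t foldLiteral(const std::vector<uint32_t>& seq) {
    uint64_t value = 0;
    for (size_t i = 0; i < seq.size(); ++i) {
        MoveWide m = decodeMoveWide(seq[i]);
        unsigned shift = m.hw * 16;
        uint64_t chunk = (uint64_t)m.imm16 << shift;
        if (m.opc == 2)
            value = chunk;                                       // movz: other halfwords become zero
        else if (m.opc == 3)
            value = (value & ~(0xffffull << shift)) | chunk;     // movk: keep the other halfwords
        else
            value = ~chunk;                                      // movn
        if (!m.is64)
            value &= 0xffffffffull;
    }
    return value;
}

// Constructed sample: encodings of the three instructions quoted in the entry above.
static const uint32_t kSampleSequence[3] = {
    0xD28CC311,   // movz   x17, #0x6618
    0xF2A05411,   // movk   x17, #0x2a0, lsl #16
    0xF2C00031,   // movk   x17, #0x1, lsl #32
};

static uint64_t foldSampleLiteral() {
    return foldLiteral(std::vector<uint32_t>(kSampleSequence, kSampleSequence + 3));
}
```

Reading the three immediates in hex makes the folded value, 0x102a06618, visible at a glance, which is the readability gain the entry is after; the decimal forms in the "Before" column (26136, 672, 1) give no such hint.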
2291 2017-02-17  Zan Dobersek  <zdobersek@igalia.com>
2292
2293         [GLib] GCActivityCallback::scheduleTimer() keeps pushing dispatch into the future
2294         https://bugs.webkit.org/show_bug.cgi?id=168363
2295
2296         Reviewed by Carlos Garcia Campos.
2297
2298         Mimic the USE(CF) implementation of GCActivityCallback and HeapTimer by
2299         scheduling the timer a decade into the future instead of completely
2300         cancelling it. That way new dispatch times for GCActivityCallback can be
2301         computed by simply deducting the difference in the new and previous
2302         delay from the GSource's current dispatch time. Previously we handled an
2303         extra 'paused' state (where m_delay was -1) and allowed for a delay of
2304         an infinite value to be valid, complicating the next dispatch time
2305         computation.
2306
2307         HeapTimer gains the static s_decade variable. The dispatch function in
2308         heapTimerSourceFunctions only dispatches the callback, which now delays
2309         the GSource by a decade. HeapTimer::scheduleTimer() simply schedules the
2310         source to dispatch in the specified amount of time, and cancelTimer()
2311         'cancels' the source by setting the dispatch time to a decade.
2312
2313         GCActivityCallback constructor initializes the delay to the s_decade
2314         value and immediately sets the ready time for GSource a decade into the
2315         future, avoiding the default -1 value as the ready time that would cause
2316         problems in scheduleTimer(). scheduleTimer() doesn't special-case the
2317         zero-delay value anymore, instead it just computes the difference
2318         between the old and the new delay and rolls back the GSource's ready
2319         time for that amount. cancelTimer() sets m_delay to the decade value and
2320         delays the GSource for that same amount.
2321
2322         * heap/GCActivityCallback.cpp:
2323         (JSC::GCActivityCallback::GCActivityCallback):
2324         (JSC::GCActivityCallback::scheduleTimer):
2325         (JSC::GCActivityCallback::cancelTimer):
2326         * heap/GCActivityCallback.h:
2327         * heap/HeapTimer.cpp:
2328         (JSC::HeapTimer::HeapTimer):
2329         (JSC::HeapTimer::scheduleTimer):
2330         (JSC::HeapTimer::cancelTimer):
2331         * heap/HeapTimer.h:
2332
2333 2017-02-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2334
2335         [JSC] Drop PassRefPtr from ArrayBuffer
2336         https://bugs.webkit.org/show_bug.cgi?id=168455
2337
2338         Reviewed by Geoffrey Garen.
2339
2340         This patch finally drops all the PassRefPtr in JSC.
2341         We changed PassRefPtr<ArrayBuffer> to RefPtr<ArrayBuffer>&&.
2342         Since ArrayBuffer may be nullptr if the array is neutered,
2343         we hold it as RefPtr<> instead of Ref<>.
2344
2345         We also drop 2 files, TypedArrayBase.h and IntegralTypedArrayBase.h.
2346         They are not used (and they are not referenced from the project file).
2347
2348         * inspector/JavaScriptCallFrame.h:
2349         * jsc.cpp:
2350         (functionDollarAgentReceiveBroadcast):
2351         * runtime/ArrayBufferView.cpp:
2352         (JSC::ArrayBufferView::ArrayBufferView):
2353         * runtime/ArrayBufferView.h:
2354         (JSC::ArrayBufferView::possiblySharedBuffer):
2355         (JSC::ArrayBufferView::unsharedBuffer):
2356         (JSC::ArrayBufferView::verifySubRangeLength):
2357         (JSC::ArrayBufferView::clampOffsetAndNumElements):
2358         * runtime/ClassInfo.h:
2359         * runtime/DataView.cpp:
2360         (JSC::DataView::DataView):
2361         (JSC::DataView::create):
2362         * runtime/DataView.h:
2363         * runtime/GenericTypedArrayView.h:
2364         * runtime/GenericTypedArrayViewInlines.h:
2365         (JSC::GenericTypedArrayView<Adaptor>::GenericTypedArrayView):
2366         (JSC::GenericTypedArrayView<Adaptor>::create):
2367         (JSC::GenericTypedArrayView<Adaptor>::subarray):
2368         * runtime/IntegralTypedArrayBase.h: Removed.
2369         * runtime/JSArrayBuffer.cpp:
2370         (JSC::JSArrayBuffer::JSArrayBuffer):
2371         (JSC::JSArrayBuffer::create):
2372         * runtime/JSArrayBuffer.h:
2373         * runtime/JSArrayBufferPrototype.cpp:
2374         (JSC::arrayBufferProtoFuncSlice):
2375         * runtime/JSArrayBufferView.cpp:
2376         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2377         * runtime/JSArrayBufferView.h:
2378         * runtime/JSArrayBufferViewInlines.h:
2379         (JSC::JSArrayBufferView::possiblySharedImpl):
2380         (JSC::JSArrayBufferView::unsharedImpl):
2381         * runtime/JSCell.cpp:
2382         (JSC::JSCell::slowDownAndWasteMemory):
2383         (JSC::JSCell::getTypedArrayImpl):
2384         * runtime/JSCell.h:
2385         * runtime/JSDataView.cpp:
2386         (JSC::JSDataView::create):
2387         (JSC::JSDataView::possiblySharedTypedImpl):
2388         (JSC::JSDataView::unsharedTypedImpl):
2389         (JSC::JSDataView::getTypedArrayImpl):
2390         * runtime/JSDataView.h:
2391         * runtime/JSGenericTypedArrayView.h:
2392         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2393         (JSC::constructGenericTypedArrayViewWithArguments):
2394         * runtime/JSGenericTypedArrayViewInlines.h:
2395         (JSC::JSGenericTypedArrayView<Adaptor>::create):
2396         (JSC::JSGenericTypedArrayView<Adaptor>::possiblySharedTypedImpl):
2397         (JSC::JSGenericTypedArrayView<Adaptor>::unsharedTypedImpl):
2398         (JSC::JSGenericTypedArrayView<Adaptor>::getTypedArrayImpl):
2399         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2400         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
2401         * runtime/JSTypedArrays.cpp:
2402         (JSC::createUint8TypedArray):
2403         * runtime/TypedArrayBase.h: Removed.
2404
2405 2017-02-16  Keith Miller  <keith_miller@apple.com>
2406
2407         ASSERTION FAILED: vm.heap.mutatorState() == MutatorState::Running || vm.apiLock().ownerThread() != std::this_thread::get_id()
2408         https://bugs.webkit.org/show_bug.cgi?id=168354
2409
2410         Reviewed by Geoffrey Garen.
2411
2412         Instead of adding a custom vmEntryGlobalObject for the debugger
2413         we can just have it use vmEntryScope instead.
2414
2415         * debugger/Debugger.cpp:
2416         (JSC::Debugger::detach):
2417         * interpreter/CallFrame.cpp:
2418         (JSC::CallFrame::vmEntryGlobalObjectForDebuggerDetach): Deleted.
2419         * interpreter/CallFrame.h:
2420
2421 2017-02-16  Filip Pizlo  <fpizlo@apple.com>
2422
2423         Unreviewed, fix cloop build.
2424
2425         * heap/Heap.cpp:
2426         (JSC::Heap::stopThePeriphery):
2427         * runtime/JSLock.cpp:
2428
2429 2017-02-10  Filip Pizlo  <fpizlo@apple.com>
2430
2431         The collector thread should only start when the mutator doesn't have heap access
2432         https://bugs.webkit.org/show_bug.cgi?id=167737
2433
2434         Reviewed by Keith Miller.
2435         
2436         This turns the collector thread's workflow into a state machine, so that the mutator thread can
2437         run it directly. This reduces the amount of synchronization we do with the collector thread, and
2438         means that most apps will never start the collector thread. The collector thread will still start
2439         when we need to finish collecting and we don't have heap access.
2440         
2441         In this new world, "stopping the world" means relinquishing control of collection to the mutator.
2442         This means tracking who is conducting collection. I use the GCConductor enum to say who is
2443         conducting. It's either GCConductor::Mutator or GCConductor::Collector. I use the term "conn" to
2444         refer to the concept of conducting (having the conn, relinquishing the conn, taking the conn).
2445         So, stopping the world means giving the mutator the conn. Releasing heap access means giving the
2446         collector the conn.
2447         
2448         This meant bringing back the conservative scan of the calling thread. It turns out that this
2449         scan was too slow to be called on each GC increment because apparently setjmp() now does system
2450         calls. So, I wrote our own callee save register saving for the GC. Then I had doubts about
2451         whether or not it was correct, so I also made it so that the GC only rarely asks for the register
2452         state. I think we still want to use my register saving code instead of setjmp because setjmp
2453         seems to save things we don't need, and that could make us overly conservative.
2454         
2455         It turns out that this new scheduling discipline makes the old space-time scheduler perform
2456         better than the new stochastic space-time scheduler on systems with fewer than 4 cores. This is
2457         because the mutator having the conn enables us to time the mutator<->collector context switches
2458         by polling. The OS is never involved. So, we can use super precise timing. This allows the old
2459         space-time scheduler to shine like it hadn't before.
2460         
2461         The splay results imply that this is all a good thing. On 2-core systems, this reduces pause
2462         times by 40% and it increases throughput about 5%. On 1-core systems, this reduces pause times by
2463         half and reduces throughput by 8%. On 4-or-more-core systems, this doesn't seem to have much
2464         effect.
2465
2466         * CMakeLists.txt:
2467         * JavaScriptCore.xcodeproj/project.pbxproj:
2468         * dfg/DFGWorklist.cpp:
2469         (JSC::DFG::Worklist::ThreadBody::ThreadBody):
2470         (JSC::DFG::Worklist::dump):
2471         (JSC::DFG::numberOfWorklists):
2472         (JSC::DFG::ensureWorklistForIndex):
2473         (JSC::DFG::existingWorklistForIndexOrNull):
2474         (JSC::DFG::existingWorklistForIndex):
2475         * dfg/DFGWorklist.h:
2476         (JSC::DFG::numberOfWorklists): Deleted.
2477         (JSC::DFG::ensureWorklistForIndex): Deleted.
2478         (JSC::DFG::existingWorklistForIndexOrNull): Deleted.
2479         (JSC::DFG::existingWorklistForIndex): Deleted.
2480         * heap/CollectingScope.h: Added.
2481         (JSC::CollectingScope::CollectingScope):
2482         (JSC::CollectingScope::~CollectingScope):
2483         * heap/CollectorPhase.cpp: Added.
2484         (JSC::worldShouldBeSuspended):
2485         (WTF::printInternal):
2486         * heap/CollectorPhase.h: Added.
2487         * heap/EdenGCActivityCallback.cpp:
2488         (JSC::EdenGCActivityCallback::lastGCLength):
2489         * heap/FullGCActivityCallback.cpp:
2490         (JSC::FullGCActivityCallback::doCollection):
2491         (JSC::FullGCActivityCallback::lastGCLength):
2492         * heap/GCConductor.cpp: Added.
2493         (JSC::gcConductorShortName):
2494         (WTF::printInternal):
2495         * heap/GCConductor.h: Added.
2496         * heap/Heap.cpp:
2497         (JSC::Heap::Thread::Thread):
2498         (JSC::Heap::Heap):
2499         (JSC::Heap::lastChanceToFinalize):
2500         (JSC::Heap::gatherStackRoots):
2501         (JSC::Heap::updateObjectCounts):
2502         (JSC::Heap::shouldCollectInCollectorThread):
2503         (JSC::Heap::collectInCollectorThread):
2504         (JSC::Heap::checkConn):
2505         (JSC::Heap::runCurrentPhase):
2506         (JSC::Heap::runNotRunningPhase):
2507         (JSC::Heap::runBeginPhase):
2508         (JSC::Heap::runFixpointPhase):
2509         (JSC::Heap::runConcurrentPhase):
2510         (JSC::Heap::runReloopPhase):
2511         (JSC::Heap::runEndPhase):
2512         (JSC::Heap::changePhase):
2513         (JSC::Heap::finishChangingPhase):
2514         (JSC::Heap::stopThePeriphery):
2515         (JSC::Heap::resumeThePeriphery):
2516         (JSC::Heap::stopTheMutator):
2517         (JSC::Heap::resumeTheMutator):
2518         (JSC::Heap::stopIfNecessarySlow):
2519         (JSC::Heap::collectInMutatorThread):
2520         (JSC::Heap::collectInMutatorThreadImpl):
2521         (JSC::Heap::waitForCollector):
2522         (JSC::Heap::acquireAccessSlow):
2523         (JSC::Heap::releaseAccessSlow):
2524         (JSC::Heap::relinquishConn):
2525         (JSC::Heap::finishRelinquishingConn):
2526         (JSC::Heap::handleNeedFinalize):
2527         (JSC::Heap::notifyThreadStopping):
2528         (JSC::Heap::finalize):
2529         (JSC::Heap::requestCollection):
2530         (JSC::Heap::waitForCollection):
2531         (JSC::Heap::updateAllocationLimits):
2532         (JSC::Heap::didFinishCollection):
2533         (JSC::Heap::collectIfNecessaryOrDefer):
2534         (JSC::Heap::preventCollection):
2535         (JSC::Heap::performIncrement):
2536         (JSC::Heap::markToFixpoint): Deleted.
2537         (JSC::Heap::shouldCollectInThread): Deleted.
2538         (JSC::Heap::collectInThread): Deleted.
2539         (JSC::Heap::stopTheWorld): Deleted.
2540         (JSC::Heap::resumeTheWorld): Deleted.
2541         * heap/Heap.h:
2542         (JSC::Heap::machineThreads):
2543         (JSC::Heap::lastFullGCLength):
2544         (JSC::Heap::lastEdenGCLength):
2545         (JSC::Heap::increaseLastFullGCLength):
2546         * heap/HeapInlines.h:
2547         (JSC::Heap::mutatorIsStopped): Deleted.
2548         * heap/HeapStatistics.cpp: Removed.
2549         * heap/HeapStatistics.h: Removed.
2550         * heap/HelpingGCScope.h: Removed.
2551         * heap/MachineStackMarker.cpp:
2552         (JSC::MachineThreads::gatherFromCurrentThread):
2553         (JSC::MachineThreads::gatherConservativeRoots):
2554         * heap/MachineStackMarker.h:
2555         * heap/MarkedBlock.cpp:
2556         (JSC::MarkedBlock::Handle::sweep):
2557         * heap/MutatorState.cpp:
2558         (WTF::printInternal):
2559         * heap/MutatorState.h:
2560         * heap/RegisterState.h: Added.
2561         * heap/SlotVisitor.cpp:
2562         (JSC::SlotVisitor::drainFromShared):
2563         (JSC::SlotVisitor::drainInParallelPassively):
2564         (JSC::SlotVisitor::donateAll):
2565         * heap/StochasticSpaceTimeMutatorScheduler.cpp:
2566         (JSC::StochasticSpaceTimeMutatorScheduler::beginCollection):
2567         (JSC::StochasticSpaceTimeMutatorScheduler::synchronousDrainingDidStall):
2568         (JSC::StochasticSpaceTimeMutatorScheduler::timeToStop):
2569         * heap/SweepingScope.h: Added.
2570         (JSC::SweepingScope::SweepingScope):
2571         (JSC::SweepingScope::~SweepingScope):
2572         * jit/JITWorklist.cpp:
2573         (JSC::JITWorklist::Thread::Thread):
2574         * jsc.cpp:
2575         (GlobalObject::finishCreation):
2576         (functionFlashHeapAccess):
2577         * runtime/InitializeThreading.cpp:
2578         (JSC::initializeThreading):
2579         * runtime/JSCellInlines.h:
2580         (JSC::JSCell::classInfo):
2581         * runtime/Options.cpp:
2582         (JSC::overrideDefaults):
2583         * runtime/Options.h:
2584         * runtime/TestRunnerUtils.cpp:
2585         (JSC::finalizeStatsAtEndOfTesting):
2586
2587 2017-02-16  Anders Carlsson  <andersca@apple.com>
2588
2589         Remove EFL from JavaScriptCore
2590         https://bugs.webkit.org/show_bug.cgi?id=168459
2591
2592         Reviewed by Geoffrey Garen.
2593
2594         * heap/GCActivityCallback.cpp:
2595         (JSC::GCActivityCallback::GCActivityCallback):
2596         (JSC::GCActivityCallback::cancelTimer):
2597         (JSC::GCActivityCallback::didAllocate):
2598         * heap/GCActivityCallback.h:
2599         * heap/HeapTimer.cpp:
2600         (JSC::HeapTimer::add): Deleted.
2601         (JSC::HeapTimer::stop): Deleted.
2602         (JSC::HeapTimer::timerEvent): Deleted.
2603         * heap/HeapTimer.h:
2604         * inspector/EventLoop.cpp:
2605         (Inspector::EventLoop::cycle):
2606         * jsc.cpp:
2607         (main):
2608         * tools/CodeProfiling.cpp:
2609         (JSC::CodeProfiling::begin):
2610         (JSC::CodeProfiling::end):
2611
2612 2017-02-15  Brian Burg  <bburg@apple.com>
2613
2614         [Cocoa] Web Inspector: Inspector::fromProtocolString<T> should return std::optional<T>
2615         https://bugs.webkit.org/show_bug.cgi?id=168018
2616         <rdar://problem/30468779>
2617
2618         Reviewed by Joseph Pecoraro.
2619
2620         These methods parse untrusted string inputs, so they should return an optional instead
2621         of asserting or crashing when the input is not usable.
2622
2623         Update various pieces of generated code to handle the error case gracefully.
2624
2625         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
2626         (ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command):
2627         (ObjCBackendDispatcherImplementationGenerator._generate_invocation_for_command):
2628         The local variable holding the ObjC-friendly converted value should take a std::optional
2629         when converting an enum from a string into an NS_ENUM value. If the enum command parameter
2630         is not optional, then send a response with a command failure message and return.
2631
2632         The optional enum parameter case is not handled correctly, but no existing code requires it.
2633
2634         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
2635         (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_from_protocol_string):
2636         Fix signature and remove default case ASSERT_NOT_REACHED.
2637
2638         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_implementation.py:
2639         (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_method_implementation):
2640         Since this code assumes all inputs to be valid and throws an exception otherwise, we
2641         try to convert the enum and throw an exception if it's nullopt. If it's valid, write to outValue.
2642
2643         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
2644         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_payload):
2645         The local variable holding the ObjC-friendly converted value should take a std::optional
2646         when converting an enum from a string into an NS_ENUM value. If the enum command parameter
2647         is not optional, then throw an exception if the value is nullopt. Otherwise, allow it to be empty.
2648
2649         * inspector/scripts/codegen/objc_generator.py:
2650         (ObjCGenerator.protocol_to_objc_expression_for_member):
2651         Unconditionally unwrap the optional. This expression is only used inside the typechecked
2652         ObjC protocol objects. In this case we are guaranteed to have already initialized the enum with a valid
2653         value, but must store it as a string inside a wrapped InspectorObject. The getter needs to
2654         re-convert the stored string into an NS_ENUM value.
2655
2656         * inspector/scripts/codegen/objc_generator_templates.py:
2657         Update type template for fromProtocolString<T>().
2658
2659         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
2660         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2661         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2662         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
2663         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
2664         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
2665         * inspector/scripts/tests/generic/expected/enum-values.json-result:
2666         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2667         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
2668         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
2669         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
2670         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
2671         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
2672         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
2673         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2674         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
2675         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
2676         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
2677         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
2678         Rebaseline tests.
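The pattern the entry above describes, as an added example that is not part of the original ChangeLog or of WebKit's generated inspector code: a from-string conversion for a protocol enum that returns std::optional instead of asserting on unrecognised input, beside a dispatcher that turns nullopt into a command failure rather than a crash. The enum, its string values and the dispatch functions are assumptions for illustration only; the real generated code derives these from the protocol JSON.

```cpp
#include <optional>
#include <string>
#include <string_view>

// Hypothetical protocol enum (an assumption; not a real Web Inspector type).
enum class ConsoleLevel { Log, Warning, Error };

// Parse an untrusted protocol string. Returns std::nullopt for anything
// unrecognised instead of asserting or crashing: the value arrives from the
// remote side of the inspector connection and cannot be trusted to be valid.
std::optional<ConsoleLevel> fromProtocolString(std::string_view s)
{
    if (s == "log")
        return ConsoleLevel::Log;
    if (s == "warning")
        return ConsoleLevel::Warning;
    if (s == "error")
        return ConsoleLevel::Error;
    return std::nullopt;
}

struct CommandResult {
    bool ok;
    std::string error; // populated only when ok == false
};

// Dispatcher for a required enum parameter: nullopt becomes a command
// failure response and the handler is never invoked with a bogus value.
CommandResult dispatchSetLevel(std::string_view rawLevel)
{
    std::optional<ConsoleLevel> level = fromProtocolString(rawLevel);
    if (!level)
        return { false, "Invalid value for parameter 'level': " + std::string(rawLevel) };
    // ... a real handler would act on *level here ...
    return { true, "" };
}

// Dispatcher for an optional enum parameter: absence is allowed, but a value
// that is present yet unparseable is still rejected (the case the entry notes
// the generator does not yet handle).
CommandResult dispatchOptionalLevel(const std::optional<std::string>& rawLevel)
{
    std::optional<ConsoleLevel> level;
    if (rawLevel) {
        level = fromProtocolString(*rawLevel);
        if (!level)
            return { false, "Invalid value for optional parameter 'level': " + *rawLevel };
    }
    return { true, "" };
}
```

The check worth keeping in mind is that the rejection happens at the trust boundary, before the value is stored or forwarded: once a parsed enum is inside a typed protocol object the unconditional unwrap the entry describes is safe, because that object can only have been initialised with a value that already passed this conversion.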
2679
2680 2017-02-16  Keith Miller  <keith_miller@apple.com>
2681
2682         ASSERTION FAILED: vm.heap.mutatorState() == MutatorState::Running || vm.apiLock().ownerThread() != std::this_thread::get_id()
2683         https://bugs.webkit.org/show_bug.cgi?id=168354
2684
2685         Reviewed by Filip Pizlo.
2686
2687         Add a new vmEntryGlobalObject method for the debugger so that
2688         the debugger does not crash in debug builds when trying to
2689         detach itself from a global object.
2690
2691         * debugger/Debugger.cpp:
2692         (JSC::Debugger::detach):
2693         * interpreter/CallFrame.cpp:
2694         (JSC::CallFrame::vmEntryGlobalObjectForDebuggerDetach):
2695         * interpreter/CallFrame.h:
2696
2697 2017-02-16  Keith Miller  <keith_miller@apple.com>
2698
2699         Refactor AccessCase to be more like B3Value
2700         https://bugs.webkit.org/show_bug.cgi?id=168408
2701
2702         Reviewed by Filip Pizlo.
2703
2704         This patch makes AccessCase (and new subclasses) more like B3Value. In the new system each
2705         type has an associated AccessCase subclass. For instance any getter should use the
2706         GetterSetterAccessCase subclass. The new system is easier to follow since you no longer need
2707         to know exactly which members are used by which types. The subclass to AccessType mapping is:
2708
2709         GetterSetterAccessCase:
2710             Getter
2711             CustomAccessorGetter
2712             CustomValueGetter
2713             Setter
2714
2715         ProxyableAccessCase:
2716             Load
2717             Miss
2718             GetGetter
2719
2720         IntrinsicGetterAccessCase:
2721             IntrinsicGetter
2722
2723         AccessCase:
2724             Everything else
2725
2726         It also has the additional advantage that it uses less memory for the cases where we would have needed
2727         rare data in the past but that case would only use a small bit of it.
2728
2729         This patch also removes megamorphic loads and renames some TryGetById related enum values from Pure to Try.
2730
2731         * CMakeLists.txt:
2732         * JavaScriptCore.xcodeproj/project.pbxproj:
2733         * bytecode/AccessCase.cpp: Added.
2734         (JSC::AccessCase::AccessCase):
2735         (JSC::AccessCase::create):
2736         (JSC::AccessCase::~AccessCase):
2737         (JSC::AccessCase::fromStructureStubInfo):
2738         (JSC::AccessCase::clone):
2739         (JSC::AccessCase::commit):
2740         (JSC::AccessCase::guardedByStructureCheck):
2741         (JSC::AccessCase::doesCalls):
2742         (JSC::AccessCase::couldStillSucceed):
2743         (JSC::AccessCase::canReplace):
2744         (JSC::AccessCase::dump):
2745         (JSC::AccessCase::visitWeak):
2746         (JSC::AccessCase::propagateTransitions):
2747         (JSC::AccessCase::generateWithGuard):
2748         (JSC::AccessCase::generate):
2749         (JSC::AccessCase::generateImpl):
2750         * bytecode/AccessCase.h: Added.
2751         (JSC::AccessCase::as):
2752         (JSC::AccessCase::create):
2753         (JSC::AccessCase::type):
2754         (JSC::AccessCase::state):
2755         (JSC::AccessCase::offset):
2756         (JSC::AccessCase::structure):
2757         (JSC::AccessCase::newStructure):
2758         (JSC::AccessCase::conditionSet):
2759         (JSC::AccessCase::alternateBase):
2760         (JSC::AccessCase::additionalSet):
2761         (JSC::AccessCase::viaProxy):
2762         (JSC::AccessCase::isGetter):
2763         (JSC::AccessCase::isAccessor):
2764         (JSC::AccessCase::dumpImpl):
2765         (JSC::AccessCase::resetState):
2766         * bytecode/GetByIdStatus.cpp:
2767         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
2768         * bytecode/GetterSetterAccessCase.cpp: Added.
2769         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
2770         (JSC::GetterSetterAccessCase::create):
2771         (JSC::GetterSetterAccessCase::~GetterSetterAccessCase):
2772         (JSC::GetterSetterAccessCase::clone):
2773         (JSC::GetterSetterAccessCase::alternateBase):
2774         (JSC::GetterSetterAccessCase::dumpImpl):
2775         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
2776         * bytecode/GetterSetterAccessCase.h: Added.
2777         (JSC::GetterSetterAccessCase::callLinkInfo):
2778         (JSC::GetterSetterAccessCase::customSlotBase):
2779         (JSC::GetterSetterAccessCase::domJIT):
2780         * bytecode/IntrinsicGetterAccessCase.cpp: Added.
2781         (JSC::IntrinsicGetterAccessCase::IntrinsicGetterAccessCase):
2782         (JSC::IntrinsicGetterAccessCase::create):
2783         (JSC::IntrinsicGetterAccessCase::~IntrinsicGetterAccessCase):
2784         (JSC::IntrinsicGetterAccessCase::clone):
2785         * bytecode/IntrinsicGetterAccessCase.h: Added.
2786         (JSC::IntrinsicGetterAccessCase::intrinsicFunction):
2787         (JSC::IntrinsicGetterAccessCase::intrinsic):
2788         * bytecode/PolymorphicAccess.cpp:
2789         (JSC::PolymorphicAccess::regenerate):
2790         (WTF::printInternal):
2791         (JSC::AccessCase::AccessCase): Deleted.
2792         (JSC::AccessCase::tryGet): Deleted.
2793         (JSC::AccessCase::get): Deleted.
2794         (JSC::AccessCase::megamorphicLoad): Deleted.
2795         (JSC::AccessCase::replace): Deleted.
2796         (JSC::AccessCase::transition): Deleted.
2797         (JSC::AccessCase::setter): Deleted.
2798         (JSC::AccessCase::in): Deleted.
2799         (JSC::AccessCase::getLength): Deleted.
2800         (JSC::AccessCase::getIntrinsic): Deleted.
2801         (JSC::AccessCase::~AccessCase): Deleted.
2802         (JSC::AccessCase::fromStructureStubInfo): Deleted.
2803         (JSC::AccessCase::clone): Deleted.
2804         (JSC::AccessCase::commit): Deleted.
2805         (JSC::AccessCase::guardedByStructureCheck): Deleted.
2806         (JSC::AccessCase::alternateBase): Deleted.
2807         (JSC::AccessCase::doesCalls): Deleted.
2808         (JSC::AccessCase::couldStillSucceed): Deleted.
2809         (JSC::AccessCase::canBeReplacedByMegamorphicLoad): Deleted.
2810         (JSC::AccessCase::canReplace): Deleted.
2811         (JSC::AccessCase::dump): Deleted.
2812         (JSC::AccessCase::visitWeak): Deleted.
2813         (JSC::AccessCase::propagateTransitions): Deleted.
2814         (JSC::AccessCase::generateWithGuard): Deleted.
2815         (JSC::AccessCase::generate): Deleted.
2816         (JSC::AccessCase::generateImpl): Deleted.
2817         (JSC::AccessCase::emitDOMJITGetter): Deleted.
2818         * bytecode/PolymorphicAccess.h:
2819         (JSC::AccessCase::type): Deleted.
2820         (JSC::AccessCase::state): Deleted.
2821         (JSC::AccessCase::offset): Deleted.
2822         (JSC::AccessCase::viaProxy): Deleted.
2823         (JSC::AccessCase::structure): Deleted.
2824         (JSC::AccessCase::newStructure): Deleted.
2825         (JSC::AccessCase::conditionSet): Deleted.
2826         (JSC::AccessCase::intrinsicFunction): Deleted.
2827         (JSC::AccessCase::intrinsic): Deleted.
2828         (JSC::AccessCase::domJIT): Deleted.
2829         (JSC::AccessCase::additionalSet): Deleted.
2830         (JSC::AccessCase::customSlotBase): Deleted.
2831         (JSC::AccessCase::isGetter): Deleted.
2832         (JSC::AccessCase::callLinkInfo): Deleted.
2833         (JSC::AccessCase::RareData::RareData): Deleted.
2834         * bytecode/ProxyableAccessCase.cpp: Added.
2835         (JSC::ProxyableAccessCase::ProxyableAccessCase):
2836         (JSC::ProxyableAccessCase::create):
2837         (JSC::ProxyableAccessCase::~ProxyableAccessCase):
2838         (JSC::ProxyableAccessCase::clone):
2839         (JSC::ProxyableAccessCase::dumpImpl):
2840         * bytecode/ProxyableAccessCase.h: Added.
2841         * bytecode/PutByIdStatus.cpp:
2842         (JSC::PutByIdStatus::computeForStubInfo):
2843         * bytecode/StructureStubInfo.cpp:
2844         (JSC::StructureStubInfo::reset):
2845         * bytecode/StructureStubInfo.h:
2846         * dfg/DFGByteCodeParser.cpp:
2847         (JSC::DFG::ByteCodeParser::parseBlock):
2848         * dfg/DFGSpeculativeJIT.cpp:
2849         (JSC::DFG::SpeculativeJIT::compileTryGetById):
2850         * ftl/FTLLowerDFGToB3.cpp:
2851         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2852         (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
2853         * jit/IntrinsicEmitter.cpp:
2854         (JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
2855         (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
2856         (JSC::AccessCase::canEmitIntrinsicGetter): Deleted.
2857         (JSC::AccessCase::emitIntrinsicGetter): Deleted.
2858         * jit/JITOperations.cpp:
2859         * jit/JITPropertyAccess.cpp:
2860         (JSC::JIT::emit_op_try_get_by_id):
2861         * jit/JITPropertyAccess32_64.cpp:
2862         (JSC::JIT::emit_op_try_get_by_id):
2863         * jit/Repatch.cpp:
2864         (JSC::tryCacheGetByID):
2865         (JSC::tryCachePutByID):
2866         (JSC::tryRepatchIn):
2867         * jit/Repatch.h:
2868         * runtime/Options.h:
2869
2870 2017-02-16  Filip Pizlo  <fpizlo@apple.com>
2871
2872         JSONParseTest needs to hold the lock when the VM is destroyed
2873         https://bugs.webkit.org/show_bug.cgi?id=168450
2874
2875         Rubber stamped by Alex Christensen.
2876
2877         * API/tests/JSONParseTest.cpp:
2878         (testJSONParse):
2879
2880 2017-02-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2881
2882         [JSC] Drop PassRefPtr in inspector/
2883         https://bugs.webkit.org/show_bug.cgi?id=168420
2884
2885         Reviewed by Alex Christensen.
2886
2887         Drop PassRefPtr uses.
2888         And use Ref<Inspector::ScriptArguments> and Ref<ScriptCallStack> as much as possible.
2889         It drops some unnecessary null checks.
2890
2891         * debugger/Debugger.cpp:
2892         (JSC::Debugger::hasBreakpoint):
2893         (JSC::Debugger::currentDebuggerCallFrame):
2894         * debugger/Debugger.h:
2895         * inspector/AsyncStackTrace.cpp:
2896         (Inspector::AsyncStackTrace::create):
2897         (Inspector::AsyncStackTrace::AsyncStackTrace):
2898         (Inspector::AsyncStackTrace::buildInspectorObject):
2899         (Inspector::AsyncStackTrace::truncate):
2900         * inspector/AsyncStackTrace.h:
2901         * inspector/ConsoleMessage.cpp:
2902         (Inspector::ConsoleMessage::ConsoleMessage):
2903         * inspector/ConsoleMessage.h:
2904         * inspector/InjectedScriptManager.cpp:
2905         (Inspector::InjectedScriptManager::InjectedScriptManager):
2906         (Inspector::InjectedScriptManager::injectedScriptHost):
2907         * inspector/InjectedScriptManager.h:
2908         * inspector/JSGlobalObjectConsoleClient.cpp:
2909         (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
2910         (Inspector::JSGlobalObjectConsoleClient::count):
2911         (Inspector::JSGlobalObjectConsoleClient::timeEnd):
2912         (Inspector::JSGlobalObjectConsoleClient::timeStamp):
2913         (Inspector::JSGlobalObjectConsoleClient::warnUnimplemented):
2914         * inspector/JSGlobalObjectConsoleClient.h:
2915         ConsoleClient now takes Ref<ScriptArgument>&& instead of RefPtr<ScriptArgument>&&.
2916
2917         * inspector/JSGlobalObjectInspectorController.cpp:
2918         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
2919         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
2920         * inspector/JSGlobalObjectInspectorController.h:
2921         * inspector/JSJavaScriptCallFrame.cpp:
2922         (Inspector::JSJavaScriptCallFrame::JSJavaScriptCallFrame):
2923         (Inspector::toJS):
2924         * inspector/JSJavaScriptCallFrame.h:
2925         (Inspector::JSJavaScriptCallFrame::create):
2926         * inspector/JavaScriptCallFrame.cpp:
2927         (Inspector::JavaScriptCallFrame::JavaScriptCallFrame):
2928         (Inspector::JavaScriptCallFrame::caller):
2929         * inspector/JavaScriptCallFrame.h:
2930         (Inspector::JavaScriptCallFrame::create):
2931         * inspector/ScriptDebugServer.cpp:
2932         (Inspector::ScriptDebugServer::evaluateBreakpointAction):
2933         (Inspector::ScriptDebugServer::dispatchDidPause):
2934         (Inspector::ScriptDebugServer::exceptionOrCaughtValue):
2935         * inspector/agents/InspectorConsoleAgent.cpp:
2936         (Inspector::InspectorConsoleAgent::stopTiming):
2937         (Inspector::InspectorConsoleAgent::count):
2938         * inspector/agents/InspectorConsoleAgent.h:
2939         * inspector/agents/InspectorDebuggerAgent.cpp:
2940         (Inspector::InspectorDebuggerAgent::didScheduleAsyncCall):
2941         * runtime/ConsoleClient.cpp:
2942         (JSC::ConsoleClient::printConsoleMessageWithArguments):
2943         (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
2944         (JSC::ConsoleClient::logWithLevel):
2945         (JSC::ConsoleClient::dir):
2946         (JSC::ConsoleClient::dirXML):
2947         (JSC::ConsoleClient::table):
2948         (JSC::ConsoleClient::trace):
2949         (JSC::ConsoleClient::assertion):
2950         (JSC::ConsoleClient::group):
2951         (JSC::ConsoleClient::groupCollapsed):
2952         (JSC::ConsoleClient::groupEnd):
2953         * runtime/ConsoleClient.h:
2954         * runtime/ConsoleObject.cpp:
2955         (JSC::consoleLogWithLevel):
2956         (JSC::consoleProtoFuncDir):
2957         (JSC::consoleProtoFuncDirXML):
2958         (JSC::consoleProtoFuncTable):
2959         (JSC::consoleProtoFuncTrace):
2960         (JSC::consoleProtoFuncAssert):
2961         (JSC::consoleProtoFuncCount):
2962         (JSC::consoleProtoFuncTimeStamp):
2963         (JSC::consoleProtoFuncGroup):
2964         (JSC::consoleProtoFuncGroupCollapsed):
2965         (JSC::consoleProtoFuncGroupEnd):
2966
2967 2017-02-15  Keith Miller  <keith_miller@apple.com>
2968
2969         Weak should not use jsCast in its accessors
2970         https://bugs.webkit.org/show_bug.cgi?id=168406
2971
2972         Reviewed by Filip Pizlo.
2973
2974         This can cause assertion failures in WebCore where classes might remove themselves
2975         from a data structure in a weak reference, if that reference is still alive.
2976
2977         * heap/WeakInlines.h:
2978         (JSC::>):
2979         (JSC::Weak<T>::operator):
2980         (JSC::Weak<T>::get):
2981
2982 2017-02-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2983
2984         Web Inspector: allow import() inside the inspector
2985         https://bugs.webkit.org/show_bug.cgi?id=167457
2986
2987         Reviewed by Ryosuke Niwa.
2988
        We relax the import module hook to accept a null SourceOrigin.
        Such a script can be evaluated from the inspector console.
2991
2992         * jsc.cpp:
2993         (GlobalObject::moduleLoaderImportModule):
2994         * runtime/JSGlobalObjectFunctions.cpp:
2995         (JSC::globalFuncImportModule):
2996
2997 2017-02-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2998
2999         [JSC] Update module namespace object according to the latest ECMA262
3000         https://bugs.webkit.org/show_bug.cgi?id=168280
3001
3002         Reviewed by Saam Barati.
3003
3004         Reflect updates to the module namespace object.
3005
3006         1. @@iterator property is dropped[1].
3007         2. @@toStringTag property becomes non-configurable[1].
3008         3. delete with Symbol should be delegated to the JSObject's one[2].
3009
3010         [1]: https://tc39.github.io/ecma262/#sec-module-namespace-objects
3011         [2]: https://github.com/tc39/ecma262/pull/767
3012
3013         * runtime/JSModuleNamespaceObject.cpp:
3014         (JSC::JSModuleNamespaceObject::finishCreation):
3015         (JSC::JSModuleNamespaceObject::deleteProperty):
3016         (JSC::moduleNamespaceObjectSymbolIterator): Deleted.
3017
3018 2017-02-16  Carlos Garcia Campos  <cgarcia@igalia.com>
3019
3020         Unreviewed. Fix the build after r212424.
3021
3022         Add missing file.
3023
3024         * inspector/remote/RemoteInspector.cpp: Added.
3025         (Inspector::RemoteInspector::startDisabled):
3026         (Inspector::RemoteInspector::nextAvailableTargetIdentifier):
3027         (Inspector::RemoteInspector::registerTarget):
3028         (Inspector::RemoteInspector::unregisterTarget):
3029         (Inspector::RemoteInspector::updateTarget):
3030         (Inspector::RemoteInspector::updateClientCapabilities):
3031         (Inspector::RemoteInspector::setRemoteInspectorClient):
3032         (Inspector::RemoteInspector::setupFailed):
3033         (Inspector::RemoteInspector::setupCompleted):
3034         (Inspector::RemoteInspector::waitingForAutomaticInspection):
3035         (Inspector::RemoteInspector::clientCapabilitiesDidChange):
3036         (Inspector::RemoteInspector::stop):
3037         (Inspector::RemoteInspector::listingForTarget):
3038         (Inspector::RemoteInspector::updateHasActiveDebugSession):
3039
3040 2017-02-15  Yusuke Suzuki  <utatane.tea@gmail.com>
3041
3042         [JSC] Drop PassRefPtr in bytecompiler/
3043         https://bugs.webkit.org/show_bug.cgi?id=168374
3044
3045         Reviewed by Sam Weinig.
3046
3047         This patch drops PassRefPtr in bytecompiler directory.
3048         We carefully change this to Ref<>. And we use Ref<Label>
3049         as much as possible instead of using RefPtr<Label>.
3050         And use Label& instead of Label* as much as possible.
3051
3052         Currently we do not apply this change for RefPtr<RegisterID>,
3053         to reduce the size of this patch.
3054
3055         * bytecompiler/BytecodeGenerator.cpp:
3056         (JSC::BytecodeGenerator::BytecodeGenerator):
3057         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
3058         (JSC::BytecodeGenerator::newLabelScope):
3059         (JSC::BytecodeGenerator::newLabel):
3060         (JSC::BytecodeGenerator::newEmittedLabel):
        Introduce a new helper function, which returns a new label that is emitted right here.
3062
3063         (JSC::BytecodeGenerator::emitLabel):
3064         (JSC::BytecodeGenerator::emitJump):
3065         (JSC::BytecodeGenerator::emitJumpIfTrue):
3066         (JSC::BytecodeGenerator::emitJumpIfFalse):
3067         (JSC::BytecodeGenerator::emitJumpIfNotFunctionCall):
3068         (JSC::BytecodeGenerator::emitJumpIfNotFunctionApply):
3069         Drop returning Ref<Label> since nobody uses it.
3070
3071         (JSC::BytecodeGenerator::emitGetByVal):
3072         (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
3073         (JSC::BytecodeGenerator::emitCall):
3074         (JSC::BytecodeGenerator::emitReturn):
3075         (JSC::BytecodeGenerator::emitConstruct):
3076         (JSC::BytecodeGenerator::pushFinallyControlFlowScope):
3077         (JSC::BytecodeGenerator::breakTarget):
3078         (JSC::BytecodeGenerator::pushTry):
3079         (JSC::BytecodeGenerator::popTry):
3080         (JSC::prepareJumpTableForSwitch):
3081         (JSC::prepareJumpTableForStringSwitch):
3082         (JSC::BytecodeGenerator::endSwitch):
3083         (JSC::BytecodeGenerator::emitEnumeration):
3084         (JSC::BytecodeGenerator::emitIteratorNext):
3085         (JSC::BytecodeGenerator::emitIteratorNextWithValue):
3086         (JSC::BytecodeGenerator::emitIteratorClose):
3087         (JSC::BytecodeGenerator::pushIndexedForInScope):
3088         (JSC::BytecodeGenerator::pushStructureForInScope):
3089         (JSC::BytecodeGenerator::invalidateForInContextForLocal):
3090         (JSC::BytecodeGenerator::emitRequireObjectCoercible):
3091         (JSC::BytecodeGenerator::emitYieldPoint):
3092         (JSC::BytecodeGenerator::emitYield):
3093         (JSC::BytecodeGenerator::emitDelegateYield):
3094         (JSC::BytecodeGenerator::emitJumpViaFinallyIfNeeded):
3095         (JSC::BytecodeGenerator::emitReturnViaFinallyIfNeeded):
3096         (JSC::BytecodeGenerator::emitFinallyCompletion):
3097         (JSC::BytecodeGenerator::emitJumpIf):
3098         * bytecompiler/BytecodeGenerator.h:
3099         FinallyJump, FinallyContext, TryData, TryContext and TryRange hold Ref<Label>
3100         instead of RefPtr<Label>. They are never nullptr.
3101
3102         (JSC::FinallyJump::FinallyJump):
3103         (JSC::FinallyContext::FinallyContext):
3104         (JSC::FinallyContext::registerJump):
3105         (JSC::BytecodeGenerator::emitNodeInConditionContext):
3106         (JSC::BytecodeGenerator::emitNodeForLeftHandSide):
3107         * bytecompiler/Label.h:
3108         Make Label noncopyable.
3109
3110         * bytecompiler/LabelScope.h:
3111         (JSC::LabelScope::LabelScope):
3112         (JSC::LabelScope::breakTarget):
3113         breakTarget always returns Label&. On the other hand, continueTarget may be nullptr.
3114         So it returns Label*.
3115
3116         * bytecompiler/NodesCodegen.cpp:
3117         (JSC::ExpressionNode::emitBytecodeInConditionContext):
3118         (JSC::ConstantNode::emitBytecodeInConditionContext):
3119         (JSC::FunctionCallValueNode::emitBytecode):
3120         (JSC::CallFunctionCallDotNode::emitBytecode):
3121         (JSC::ApplyFunctionCallDotNode::emitBytecode):
3122         (JSC::LogicalNotNode::emitBytecodeInConditionContext):
3123         (JSC::BinaryOpNode::emitBytecodeInConditionContext):
3124         (JSC::InstanceOfNode::emitBytecode):
3125         (JSC::LogicalOpNode::emitBytecode):
3126         (JSC::LogicalOpNode::emitBytecodeInConditionContext):
3127         (JSC::ConditionalNode::emitBytecode):
3128         (JSC::IfElseNode::emitBytecode):
3129         (JSC::DoWhileNode::emitBytecode):
3130         (JSC::WhileNode::emitBytecode):
3131         (JSC::ForNode::emitBytecode):
3132         (JSC::ForInNode::emitBytecode):
3133         (JSC::ContinueNode::trivialTarget):
3134         (JSC::ContinueNode::emitBytecode):
3135         (JSC::BreakNode::trivialTarget):
3136         (JSC::CaseBlockNode::emitBytecodeForBlock):
3137         (JSC::TryNode::emitBytecode):
3138         (JSC::FunctionNode::emitBytecode):
3139         (JSC::ClassExprNode::emitBytecode):
3140         (JSC::assignDefaultValueIfUndefined):
3141         (JSC::ArrayPatternNode::bindValue):
3142         Use Ref<Label> and Label&.
3143
3144         * parser/Nodes.h:
3145
3146 2017-02-15  Alex Christensen  <achristensen@webkit.org>
3147
3148         Unreviewed, rolling out r212394.
3149
3150         Fixed iOS WebInspector
3151
3152         Reverted changeset:
3153
3154         "Unreviewed, rolling out r212169."
3155         https://bugs.webkit.org/show_bug.cgi?id=166681
3156         http://trac.webkit.org/changeset/212394
3157
3158 2017-02-15  Guillaume Emont  <guijemont@igalia.com>
3159
3160         MIPS: add missing implementations of load8SignedExtendTo32()
3161
3162         JSC: missing implementations of MacroAssemblerMIPS::load8SignedExtendTo32()
3163         https://bugs.webkit.org/show_bug.cgi?id=168350
3164
3165         Reviewed by Yusuke Suzuki.
3166
3167         * assembler/MacroAssemblerMIPS.h:
3168         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
3169         Add missing implementations
3170
3171 2017-02-15  Alex Christensen  <achristensen@webkit.org>
3172
3173         Unreviewed, rolling out r212169.
3174
3175         Broke iOS WebInspector
3176
3177         Reverted changeset:
3178
3179         "WebInspector: refactor RemoteInspector to move cocoa specific
3180         code to their own files"
3181         https://bugs.webkit.org/show_bug.cgi?id=166681
3182         http://trac.webkit.org/changeset/212169
3183
3184 2017-02-15  Chris Dumez  <cdumez@apple.com>
3185
3186         Expose Symbol.toPrimitive / valueOf on Location instances
3187         https://bugs.webkit.org/show_bug.cgi?id=168295
3188
3189         Reviewed by Geoffrey Garen, Keith Miller and Mark Lam.
3190
        Cache the original objectProtoValueOf function on JSGlobalObject.
3192
3193         * runtime/JSGlobalObject.cpp:
3194         (JSC::JSGlobalObject::init):
3195         * runtime/JSGlobalObject.h:
3196         (JSC::JSGlobalObject::objectProtoValueOfFunction):
3197
3198 2017-02-15  Yusuke Suzuki  <utatane.tea@gmail.com>
3199
3200         [JSC] Drop PassRefPtr
3201         https://bugs.webkit.org/show_bug.cgi?id=168320
3202
3203         Reviewed by Saam Barati.
3204
3205         * API/JSContextRef.cpp:
3206         (JSGlobalContextCreateInGroup):
3207         Use Ref<VM> from the factory function.
3208
3209         * API/JSScriptRef.cpp:
3210         (OpaqueJSScript::create):
3211         Return Ref<> instead.
3212
3213         * API/tests/JSONParseTest.cpp:
3214         (testJSONParse):
3215         Use Ref<VM>.
3216
3217         * assembler/LinkBuffer.cpp:
3218         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
3219         Use reference since we already perform null check.
3220
3221         * assembler/MacroAssemblerCodeRef.h:
3222         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
3223         Take Ref<>&& instead of PassRefPtr<>.
3224
3225         * bytecode/CallLinkInfo.h:
3226         (JSC::CallLinkInfo::setStub):
3227         (JSC::CallLinkInfo::setSlowStub):
3228         Take Ref<>&& instead of PassRefPtr<>.
3229
3230         * bytecode/CodeBlock.cpp:
3231         (JSC::CodeBlock::CodeBlock):
3232         Take RefPtr<SourceProvider>. Currently, the SourceProvider would be nullptr.
3233         We will change it to Ref<SourceProvider> in https://bugs.webkit.org/show_bug.cgi?id=168325.
3234
3235         (JSC::CodeBlock::finishCreation):
3236         Take Ref<TypeSet>&&.
3237
3238         * bytecode/CodeBlock.h:
3239         (JSC::CodeBlock::setJITCode):
3240         Take Ref<>&& instead.
3241
3242         (JSC::CodeBlock::jitCode):
3243         Return RefPtr<> instead.
3244
3245         * bytecode/EvalCodeBlock.h:
3246         (JSC::EvalCodeBlock::create):
        Take RefPtr<>&& instead since SourceProvider would be nullptr.
3248
3249         (JSC::EvalCodeBlock::EvalCodeBlock):
3250         * bytecode/FunctionCodeBlock.h:
3251         (JSC::FunctionCodeBlock::create):
3252         (JSC::FunctionCodeBlock::FunctionCodeBlock):
        Take RefPtr<>&& instead since SourceProvider would be nullptr.
3254
3255         * bytecode/GlobalCodeBlock.h:
3256         (JSC::GlobalCodeBlock::GlobalCodeBlock):
3257         Take RefPtr<>&& instead since SourceProvider would be nullptr.
3258
3259         * bytecode/ModuleProgramCodeBlock.h:
3260         (JSC::ModuleProgramCodeBlock::create):
3261         (JSC::ModuleProgramCodeBlock::ModuleProgramCodeBlock):
3262         Take RefPtr<>&& instead since SourceProvider would be nullptr.
3263
3264         * bytecode/ProgramCodeBlock.h:
3265         (JSC::ProgramCodeBlock::create):
3266         (JSC::ProgramCodeBlock::ProgramCodeBlock):
3267         Take RefPtr<>&& instead since SourceProvider would be nullptr.
3268
3269         * debugger/DebuggerParseData.cpp:
3270         (JSC::gatherDebuggerParseDataForSource):
3271         Ensure the provider is not nullptr. It is OK because we already
3272         touch `provider->xxx` values.
3273
3274         * dfg/DFGBlockInsertionSet.cpp:
3275         (JSC::DFG::BlockInsertionSet::insert):
3276         Take Ref<>&& instead.
3277
3278         * dfg/DFGBlockInsertionSet.h:
3279         * dfg/DFGByteCodeParser.cpp:
3280         (JSC::DFG::ByteCodeParser::inlineCall):
3281         (JSC::DFG::ByteCodeParser::handleInlining):
3282         (JSC::DFG::ByteCodeParser::parseCodeBlock):
3283         Pass Ref<>&& to appendBlock.
3284
3285         * dfg/DFGDriver.cpp:
3286         (JSC::DFG::compileImpl):
3287         (JSC::DFG::compile):
3288         Pass Ref<Plan>&&. And take Ref<>&& callback.
3289
3290         * dfg/DFGDriver.h:
3291         * dfg/DFGGraph.h:
3292         appendBlock takes Ref<>&&.
3293
3294         (JSC::DFG::Graph::appendBlock):
3295         * dfg/DFGJITCompiler.cpp:
3296         (JSC::DFG::JITCompiler::compile):
3297         (JSC::DFG::JITCompiler::compileFunction):
3298         * dfg/DFGJITCompiler.h:
3299         (JSC::DFG::JITCompiler::jitCode):
3300         * dfg/DFGJITFinalizer.cpp:
3301         (JSC::DFG::JITFinalizer::JITFinalizer):
3302         Take Ref<JITCode>&&.
3303
3304         (JSC::DFG::JITFinalizer::finalize):
3305         (JSC::DFG::JITFinalizer::finalizeFunction):
3306         (JSC::DFG::JITFinalizer::finalizeCommon):
3307         Pass compilation reference since we already perform null check.
3308
3309         * dfg/DFGJITFinalizer.h:
3310         * dfg/DFGWorklist.cpp:
3311         (JSC::DFG::Worklist::enqueue):
3312         Take Ref<Plan>&&.
3313
3314         * dfg/DFGWorklist.h:
3315         * ftl/FTLJITFinalizer.cpp:
3316         (JSC::FTL::JITFinalizer::finalizeFunction):
3317         Dereference and pass jitCode & compilation references.
3318
3319         * jit/GCAwareJITStubRoutine.cpp:
3320         (JSC::createJITStubRoutine):
3321         Return Ref<> instead.
3322
3323         * jit/GCAwareJITStubRoutine.h:
3324         (JSC::createJITStubRoutine):
3325         * jit/JIT.cpp:
3326         (JSC::JIT::link):
3327         Pass compilation reference since we already perform null check.
3328
3329         * jit/JITStubRoutine.h:
3330         (JSC::JITStubRoutine::asCodePtr):
3331         Take Ref<>&& instead. And this drops unnecessary null check.
3332
3333         * jit/JITThunks.cpp:
3334         (JSC::JITThunks::hostFunctionStub):
3335         Pass Ref<> to NativeExecutable::create.
3336
3337         * llint/LLIntEntrypoint.cpp:
3338         (JSC::LLInt::setFunctionEntrypoint):
3339         (JSC::LLInt::setEvalEntrypoint):
3340         (JSC::LLInt::setProgramEntrypoint):
3341         (JSC::LLInt::setModuleProgramEntrypoint):
3342         Use Ref<>&& instead.
3343
3344         * parser/SourceCode.h:
3345         (JSC::SourceCode::SourceCode):
3346         (JSC::SourceCode::subExpression):
3347         Add constructors taking Ref<>&&.
3348         We still have constructors that take RefPtr<>&&.
3349         We will change it to Ref<SourceProvider>&& in https://bugs.webkit.org/show_bug.cgi?id=168325.
3350
3351         * parser/UnlinkedSourceCode.h:
3352         (JSC::UnlinkedSourceCode::UnlinkedSourceCode):
3353         Add constructors taking Ref<>&&.
3354         We still have constructors that take RefPtr<>&&.
3355         We will change it to Ref<SourceProvider>&& in https://bugs.webkit.org/show_bug.cgi?id=168325.
3356
3357         * profiler/ProfilerDatabase.cpp:
3358         (JSC::Profiler::Database::addCompilation):
3359         Take Ref<Compilation>&&.
3360
3361         * profiler/ProfilerDatabase.h:
3362         Change data structures to hold Ref<> instead of RefPtr<>.
3363
3364         * runtime/EvalExecutable.h:
3365         (JSC::EvalExecutable::generatedJITCode):
3366         Return Ref<> instead.
3367
3368         * runtime/ExecutableBase.h:
3369         (JSC::ExecutableBase::generatedJITCodeForCall):
3370         (JSC::ExecutableBase::generatedJITCodeForConstruct):
3371         (JSC::ExecutableBase::generatedJITCodeFor):
3372         Return Ref<> instead.
3373
3374         * runtime/Identifier.cpp:
3375         (JSC::Identifier::add):
3376         (JSC::Identifier::add8):
3377         * runtime/Identifier.h:
3378         (JSC::Identifier::add):
3379         * runtime/JSGlobalObject.cpp:
3380         (JSC::JSGlobalObject::setInputCursor):
3381         And take Ref<> in this method.
3382
3383         * runtime/JSGlobalObject.h:
3384         (JSC::JSGlobalObject::inputCursor):
3385         Change m_inputCursor from RefPtr<> to Ref<>.
3386
3387         * runtime/JSPropertyNameEnumerator.cpp:
3388         (JSC::JSPropertyNameEnumerator::create):
3389         (JSC::JSPropertyNameEnumerator::finishCreation):
3390         Take Ref<PropertyNameArray>&&.
3391
3392         * runtime/JSPropertyNameEnumerator.h:
3393         (JSC::propertyNameEnumerator):
3394         * runtime/JSString.h:
3395         (JSC::JSString::JSString):
3396         Take Ref<StringImpl>&& since we do not allow nullptr in this constructor.
3397
3398         (JSC::JSString::create):
3399         (JSC::JSString::createHasOtherOwner):
3400         Take Ref<StringImpl>&& in these factory functions. And drop unnecessary assertions.
3401
3402         (JSC::jsSingleCharacterString):
3403         Use StringImpl::create() which returns Ref<>.
3404
3405         (JSC::jsNontrivialString):
3406         Dereference impl() since we ensure that `s.length() > 1`.
3407
3408         (JSC::jsString):
3409         Use releaseNonNull() since we ensure that `s.length() > 1`.
3410
3411         (JSC::jsOwnedString):
3412         Use releaseNonNull() since we ensure that `s.length() > 1`.
3413
3414         * runtime/ModuleProgramExecutable.h:
3415         * runtime/NativeExecutable.cpp:
3416         (JSC::NativeExecutable::create):
3417         (JSC::NativeExecutable::finishCreation):
3418         Take Ref<JITCode>&&.
3419
3420         * runtime/NativeExecutable.h:
3421         * runtime/ProgramExecutable.h:
3422         Return Ref<JITCode>.
3423
3424         * runtime/PropertyNameArray.h:
3425         (JSC::PropertyNameArray::releaseData):
3426         (JSC::PropertyNameArray::setData): Deleted.
3427         This is not used.
3428
3429         * runtime/RegExpKey.h:
3430         (JSC::RegExpKey::RegExpKey):
3431         Take RefPtr<>&&.
3432
3433         * runtime/SmallStrings.cpp:
3434         (JSC::SmallStringsStorage::rep):
3435         Return StringImpl& since m_reps is already initialized in the constructor.
3436
3437         (JSC::SmallStrings::createEmptyString):
3438         Dereference StringImpl::empty().
3439
3440         (JSC::SmallStrings::createSingleCharacterString):
3441         Use StringImpl&.
3442
3443         (JSC::SmallStrings::singleCharacterStringRep):
3444         Return StringImpl&.
3445
3446         (JSC::SmallStrings::initialize):
3447         Use AtomicStringImpl::add instead.
3448
3449         * runtime/SmallStrings.h:
3450         * runtime/Structure.cpp:
3451         (JSC::Structure::toStructureShape):
3452         Return Ref<>.
3453
3454         * runtime/Structure.h:
3455         * runtime/TypeLocationCache.cpp:
3456         (JSC::TypeLocationCache::getTypeLocation):
3457         Take RefPtr<TypeSet>&&.
3458
3459         * runtime/TypeLocationCache.h:
3460         * runtime/TypeProfilerLog.cpp:
3461         Pass Ref<>&&.
3462
3463         (JSC::TypeProfilerLog::processLogEntries):
3464         * runtime/TypeSet.cpp:
3465         (JSC::TypeSet::addTypeInformation):
3466         Take RefPtr<>&& since it can be nullptr.
3467         And clean up "not found" code.
3468
3469         (JSC::TypeSet::allStructureRepresentations):
3470         Use range based iteration.
3471
3472         (JSC::StructureShape::leastCommonAncestor):
3473         We found that this method accidentally takes `const Vector<>` instead of `const Vector<>&`.
3474         And internally, we just use raw pointers since these StructureShapes are owned by the m_proto trees which start from the given Vector<>.
3475
3476         (JSC::StructureShape::hasSamePrototypeChain):
3477         Take const reference instead. And use raw pointers internally.
3478
3479         (JSC::StructureShape::merge):
3480         Take Ref<>&&.
3481
3482         * runtime/TypeSet.h:
3483         (JSC::StructureShape::setProto):
3484         Take Ref<>&&.
3485
3486         * runtime/VM.cpp:
3487         (JSC::VM::getHostFunction):
3488         Pass Ref<>&&.
3489
3490         (JSC::VM::queueMicrotask):
3491         Take and pass Ref<>&&.
3492
3493         * runtime/VM.h:
3494         (JSC::QueuedTask::QueuedTask):
3495         Take Ref<>&&.
3496
3497         * tools/FunctionOverrides.cpp:
3498         (JSC::initializeOverrideInfo):
3499         We need this change due to Ref<>&& and RefPtr<>&& ambiguity of SourceCode constructors.
3500         Once SourceCode is fixed to only take Ref<>&&, this change is unnecessary.
3501
3502 2017-02-15  Csaba Osztrogonác  <ossy@webkit.org>
3503
3504         [Mac][cmake] Unreviewed trivial buildfix after r212169.
3505         https://bugs.webkit.org/show_bug.cgi?id=166681
3506
3507         * PlatformMac.cmake: Removed inspector/remote/RemoteInspectorXPCConnection.mm.
3508
3509 2017-02-14  Mark Lam  <mark.lam@apple.com>
3510
3511         Add JSC_sweepSynchronously and fix JSC_useZombieMode options.
3512         https://bugs.webkit.org/show_bug.cgi?id=168257
3513         <rdar://problem/30451496>
3514
3515         Reviewed by Filip Pizlo.
3516
3517         JSC_useZombieMode now basically enables JSC_sweepSynchronously and
3518         JSC_scribbleFreeCells, which together do the job of zombifying dead objects
3519         immediately after a GC.
3520
3521         * heap/Heap.cpp:
3522         (JSC::Heap::sweepSynchronously):
3523         (JSC::Heap::collectAllGarbage):
3524         (JSC::Heap::finalize):
3525         (JSC::Heap::didFinishCollection):
3526         (JSC::Zombify::visit): Deleted.
3527         (JSC::Zombify::operator()): Deleted.
3528         (JSC::Heap::zombifyDeadObjects): Deleted.
3529         * heap/Heap.h:
3530         (JSC::Heap::isZombified): Deleted.
3531         * runtime/Options.cpp:
3532         (JSC::recomputeDependentOptions):
3533         * runtime/Options.h:
3534
3535 2017-02-13  Michael Saboff  <msaboff@apple.com>
3536
3537         asyncDisassembly crashes on iOS
3538         https://bugs.webkit.org/show_bug.cgi?id=168259
3539
3540         Reviewed by Filip Pizlo.
3541
3542         Eliminated the dumping of the disassembly for the JIT write thunk.
3543         Not only does it fix the crash, but given the nature of the JIT
3544         write thunk, we probably don't want to disassemble it anyway.
3545         
3546         * jit/ExecutableAllocatorFixedVMPool.cpp:
3547         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
3548
3549 2017-02-12  Ryosuke Niwa  <rniwa@webkit.org>
3550
3551         C loop build fix attempt after r212207.
3552
3553         * runtime/Lookup.h:
3554
3555 2017-02-11  Sam Weinig  <sam@webkit.org>
3556
3557         Remove the remaining functions out of JSDOMBinding
3558         https://bugs.webkit.org/show_bug.cgi?id=168179
3559
3560         Reviewed by Darin Adler.
3561
3562         Move utility functions into more appropriate locations.
3563         - Move hasIteratorMethod to IteratorOperations.
3564         - Move nonCachingStaticFunctionGetter to Lookup
3565
3566         * runtime/IteratorOperations.cpp:
3567         (JSC::hasIteratorMethod):
3568         * runtime/IteratorOperations.h:
3569         * runtime/Lookup.h:
3570         (JSC::nonCachingStaticFunctionGetter):
3571
3572 2017-02-11  Yusuke Suzuki  <utatane.tea@gmail.com>
3573
3574         [JSC] Implement (Shared)ArrayBuffer.prototype.byteLength
3575         https://bugs.webkit.org/show_bug.cgi?id=166476
3576
3577         Reviewed by Saam Barati.
3578
3579         `byteLength` becomes a getter and is set on ArrayBuffer.prototype
3580         and SharedArrayBuffer.prototype. This patch implements the
3581         above getter as a native function. We do not have any optimization
3582         path for that for now since ArrayBuffer.prototype.byteLength is
3583         not considered a hot function: while TypedArrays have [] accesses,
3584         ArrayBuffer does not have that. Thus the byteLength getter is not so
3585         meaningful for hot paths like iterations.
3586
3587         * runtime/JSArrayBuffer.cpp:
3588         (JSC::JSArrayBuffer::getOwnPropertySlot): Deleted.
3589         (JSC::JSArrayBuffer::put): Deleted.
3590         (JSC::JSArrayBuffer::defineOwnProperty): Deleted.
3591         (JSC::JSArrayBuffer::deleteProperty): Deleted.
3592         (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames): Deleted.
3593         * runtime/JSArrayBuffer.h:
3594         (JSC::JSArrayBuffer::impl): Deleted.
3595         * runtime/JSArrayBufferPrototype.cpp:
3596         (JSC::arrayBufferProtoGetterFuncByteLength):
3597         (JSC::sharedArrayBufferProtoGetterFuncByteLength):
3598         (JSC::JSArrayBufferPrototype::finishCreation):
3599
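Added example (not code from this patch or from JSC) showing what the change above makes observable from script: `byteLength` is an accessor on the two prototypes with a brand check, not an own property of each buffer, so the getter cannot be applied to a receiver of the wrong kind. It assumes a Node.js runtime where `SharedArrayBuffer` is exposed.

```javascript
"use strict";
// Added example, not JSC code: probe how byteLength is exposed on
// ArrayBuffer and SharedArrayBuffer once it lives on the prototype as a getter.

// Report whether byteLength is an accessor (getter only, no setter) on ctor.prototype.
function describeByteLength(ctor) {
  const desc = Object.getOwnPropertyDescriptor(ctor.prototype, "byteLength");
  return {
    onPrototype: desc !== undefined,
    getterOnly: desc !== undefined && typeof desc.get === "function" && desc.set === undefined,
  };
}

// True only if the buffer instance itself carries a byteLength property.
function ownsByteLength(buffer) {
  return Object.prototype.hasOwnProperty.call(buffer, "byteLength");
}

// Apply ctor.prototype's byteLength getter to an arbitrary receiver and record
// whether the engine's brand check accepted it or rejected it with an exception.
function probeGetter(ctor, receiver) {
  const getter = Object.getOwnPropertyDescriptor(ctor.prototype, "byteLength").get;
  try {
    return { ok: true, value: getter.call(receiver) };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

function runProbes() {
  // Constructed sample buffers for the probes.
  const ab = new ArrayBuffer(16);
  const sab = new SharedArrayBuffer(8);
  return {
    ab: describeByteLength(ArrayBuffer),
    sab: describeByteLength(SharedArrayBuffer),
    abOwn: ownsByteLength(ab),                          // false: lives on the prototype
    abValue: probeGetter(ArrayBuffer, ab),              // ok, value 16
    sabValue: probeGetter(SharedArrayBuffer, sab),      // ok, value 8
    abGetterOnSab: probeGetter(ArrayBuffer, sab),       // rejected: wrong brand
    sabGetterOnAb: probeGetter(SharedArrayBuffer, ab),  // rejected: wrong brand
    abGetterOnPlain: probeGetter(ArrayBuffer, { byteLength: 999 }), // rejected: not a buffer
  };
}

console.log(JSON.stringify(runProbes(), null, 2));
```
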
3600 2017-02-10  Saam Barati  <sbarati@apple.com>
3601
3602         Object allocation sinking phase doesn't properly handle control flow when emitting a PutHint of a materialized object into a PromotedHeapLocation of a still sunken object
3603         https://bugs.webkit.org/show_bug.cgi?id=168140
3604         <rdar://problem/30205880>
3605
3606         Reviewed by Filip Pizlo.
3607
3608         This patch fixes a bug in allocation sinking phase where
3609         we don't properly handle control flow when materializing
3610         an object and also PutHinting that materialization into
3611         a still sunken object. We were performing the PutHint
3612         for the materialization at the point of materialization,
3613         however, we may have materialized along both edges
3614         of a control flow diamond, in which case, we need to
3615         also PutHint at the join point. Consider this program:
3616         
3617         ```
3618         bb#0:
3619         b: PhantomActivation()
3620         a: PhantomNewFunction()
3621         c: PutHint(@a, @b, ActivationLoc)
3622         Branch(#1, #2)
3623         
3624         bb#1:
3625         d: MaterializeActivation()
3626         e: PutHint(@a, @d, ActivationLoc)
3627         f: Upsilon(@d, ^p)
3628         Jump(#3)
3629         
3630         bb#2:
3631         g: MaterializeActivation()
3632         h: PutHint(@a, @g, ActivationLoc)
3633         i: Upsilon(@g, ^p)
3634         Jump(#3)
3635         
3636         bb#3:
3637         p: Phi()
3638         // What is PromotedHeapLocation(@a, ActivationLoc) here?
3639         // What would we do if we exited?
3640         ```
3641         Before this patch, we didn't perform a PutHint of the Phi.
3642         However, we need to; otherwise, when we exit, we won't know
3643         the value of PromotedHeapLocation(@a, ActivationLoc).
3644         
3645         The program we need then, for correctness, is this:
3646         ```
3647         bb#0:
3648         b: PhantomActivation()
3649         a: PhantomNewFunction()
3650         c: PutHint(@a, @b, ActivationLoc)
3651         Branch(#1, #2)
3652         
3653         bb#1:
3654         d: MaterializeActivation()
3655         e: PutHint(@a, @d, ActivationLoc)
3656         f: Upsilon(@d, ^p)
3657         Jump(#3)
3658         
3659         bb#2:
3660         g: MaterializeActivation()
3661         h: PutHint(@a, @g, ActivationLoc)
3662         i: Upsilon(@g, ^p)
3663         Jump(#3)
3664         
3665         bb#3:
3666         p: Phi()
3667         j: PutHint(@a, @p, ActivationLoc)
3668         ```
3669         
3670         This patch makes it so that we emit the necessary PutHint at node `j`.
3671         I've also added more validation to the OSRAvailabilityAnalysisPhase
3672         to catch this problem during validation.
3673
3674         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
3675         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
3676         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3677         * ftl/FTLOperations.cpp:
3678         (JSC::FTL::operationMaterializeObjectInOSR):
3679
3680 2017-02-10  Carlos Garcia Campos  <cgarcia@igalia.com>
3681
3682         WebInspector: refactor RemoteInspector to move cocoa specific code to their own files
3683         https://bugs.webkit.org/show_bug.cgi?id=166681
3684
3685         Reviewed by Michael Catanzaro.
3686
3687         Move RemoteConnectionToTarget.mm and RemoteInspector.mm to a cocoa directory renamed with a Cocoa prefix,
3688         because those are now the cocoa implementation of RemoteConnectionToTarget and RemoteInspector. The
3689         cross-platform parts of RemoteInspector have been moved to a new RemoteInspector.cpp file. Also moved to cocoa
3690         directory RemoteInspectorXPCConnection.h and RemoteInspectorXPCConnection.mm keeping the same name. Other than
3691         that there aren't important code changes, only some cocoa specific types like NSString used in common headers,
3692         and some other platform ifdefs needed. This is in preparation for adding a remote inspector implementation for
3693         the GTK+ port.
3694
3695         * API/JSRemoteInspector.cpp:
3696         (JSRemoteInspectorSetParentProcessInformation): Add PLATFORM(COCOA) to the ifdef.
3697         * JavaScriptCore.xcodeproj/project.pbxproj:
3698         * PlatformMac.cmake:
3699         * inspector/remote/RemoteConnectionToTarget.h: Add platform ifdefs for cocoa specific parts and change
3700         sendMessageToTarget to receive a WTF String instead of an NSString.
3701         * inspector/remote/RemoteControllableTarget.h: Add platform ifdefs for CF specific parts.
3702         * inspector/remote/RemoteInspectionTarget.h:
3703         * inspector/remote/RemoteInspector.cpp: Added.
3704         (Inspector::RemoteInspector::startDisabled):
3705         (Inspector::RemoteInspector::nextAvailableTargetIdentifier):
3706         (Inspector::RemoteInspector::registerTarget):
3707         (Inspector::RemoteInspector::unregisterTarget):
3708         (Inspector::RemoteInspector::updateTarget):
3709         (Inspector::RemoteInspector::updateClientCapabilities):
3710         (Inspector::RemoteInspector::setRemoteInspectorClient):
3711         (Inspector::RemoteInspector::setupFailed):
3712         (Inspector::RemoteInspector::setupCompleted):
3713         (Inspector::RemoteInspector::waitingForAutomaticInspection):
3714         (Inspector::RemoteInspector::clientCapabilitiesDidChange):
3715         (Inspector::RemoteInspector::stop):
3716         (Inspector::RemoteInspector::listingForTarget):
3717         (Inspector::RemoteInspector::updateHasActiveDebugSession):
3718         * inspector/remote/RemoteInspector.h: Add platform ifdefs for cocoa specific parts. Also add TargetListing
3719         typedef to define platform specific types for the listings without more ifdefs.
3720         * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm: Renamed from Source/JavaScriptCore/inspector/remote/RemoteConnectionToTarget.mm.
3721         (Inspector::RemoteTargetInitializeGlobalQueue):
3722         (Inspector::RemoteConnectionToTarget::setup):
3723         (Inspector::RemoteConnectionToTarget::close):
3724         (Inspector::RemoteConnectionToTarget::sendMessageToTarget):
3725         (Inspector::RemoteConnectionToTarget::setupRunLoop):
3726         * inspector/remote/cocoa/RemoteInspectorCocoa.mm: Renamed from Source/JavaScriptCore/inspector/remote/RemoteInspector.mm.
3727         (Inspector::canAccessWebInspectorMachPort):
3728         (Inspector::RemoteInspector::singleton):
3729         (Inspector::RemoteInspector::updateAutomaticInspectionCandidate):
3730         (Inspector::RemoteInspector::start):
3731         (Inspector::RemoteInspector::pushListingsSoon):
3732         (Inspector::RemoteInspector::receivedIndicateMessage):
3733         (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
3734         * inspector/remote/cocoa/RemoteInspectorXPCConnection.h: Renamed from Source/JavaScriptCore/inspector/remote/RemoteInspectorXPCConnection.h.
3735         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm: Renamed from Source/JavaScriptCore/inspector/remote/RemoteInspectorXPCConnection.mm.
3736         (Inspector::RemoteInspectorXPCConnection::closeFromMessage):
3737
3738 2017-02-10  Brian Burg  <bburg@apple.com>
3739
3740         [Cocoa] Web Inspector: payload initializers for ObjC protocol types handle special-cased property names incorrectly
3741         https://bugs.webkit.org/show_bug.cgi?id=168141
3742
3743         Reviewed by Joseph Pecoraro.
3744
3745         The generated code erroneously uses the ObjC variable name as the payload key,
3746         rather than the raw type member name. For example, 'identifier' would be used instead of 'id'.
3747
3748         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
3749         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_payload):
3750
3751         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
3752         Rebaseline an affected test.
3753
3754 2017-02-10  Mark Lam  <mark.lam@apple.com>
3755
3756         StructureStubInfo::considerCaching() should write barrier its owner CodeBlock when buffering a new Structure.
3757         https://bugs.webkit.org/show_bug.cgi?id=168137
3758         <rdar://problem/28656664>
3759
3760         Reviewed by Filip Pizlo.
3761
3762         If we're adding a new structure to StructureStubInfo's bufferedStructures, we
3763         should write barrier the StubInfo's owner CodeBlock because that structure may be
3764         collected during the next GC.  Write barrier-ing the owner CodeBlock ensures that
3765         CodeBlock::finalizeBaselineJITInlineCaches() is called on it during the GC,
3766         which, in turn, gives the StructureStubInfo the opportunity to filter out the
3767         dead structure.
3768
3769         * bytecode/StructureStubInfo.h:
3770         (JSC::StructureStubInfo::considerCaching):
3771         * jit/JITOperations.cpp:
3772
3773 2017-02-10  Brian Burg  <bburg@apple.com>
3774
3775         [Cocoa] Web Inspector: generate an NS_ENUM containing platforms supported by the protocol code generator
3776         https://bugs.webkit.org/show_bug.cgi?id=168019
3777         <rdar://problem/28718990>
3778
3779         Reviewed by Joseph Pecoraro.
3780
3781         It's useful to have a symbolic value (not a string) for each of the supported platform values.
3782         Generate this once per protocol for the Objective-C bindings. Covered by existing tests.
3783
3784         * inspector/scripts/codegen/generate_objc_header.py:
3785         (ObjCHeaderGenerator.generate_output):
3786         (ObjCHeaderGenerator._generate_enum_for_platforms):
3787         Create an NS_ENUM for Platform values in Platforms.
3788
3789         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
3790         (ObjCProtocolTypeConversionsHeaderGenerator.generate_output):
3791         (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_conversion_for_platforms):
3792         Add type conversion/parsing methods for the newly added enum.
3793
3794         * inspector/scripts/codegen/generator.py:
3795         (Generator.stylized_name_for_enum_value):
3796         (Generator.stylized_name_for_enum_value.replaceCallback):
3797         Support arbitrary special-cased substrings in enums, not just all-caps. Add 'IOS' and 'MacOS'.
3798
3799         * inspector/scripts/codegen/models.py:
3800         (Platforms):
3801         Use lower-case string values for platform names, to avoid guesswork.
3802
3803         (Platforms.__metaclass__):
3804         (Platforms.__metaclass__.__iter__):
3805         Make it possible to iterate over Platform instances of Platforms.
3806
3807         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
3808         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
3809         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
3810         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
3811         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
3812         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
3813         * inspector/scripts/tests/generic/expected/enum-values.json-result:
3814         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
3815         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
3816         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
3817         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
3818         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
3819         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
3820         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
3821         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
3822         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
3823         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
3824         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
3825         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
3826         Rebaseline results.
3827
3828 2017-02-09  Filip Pizlo  <fpizlo@apple.com>
3829
3830         SharedArrayBuffer does not need to be in the transfer list
3831         https://bugs.webkit.org/show_bug.cgi?id=168079
3832
3833         Reviewed by Geoffrey Garen and Keith Miller.
3834         
3835         Exposes a simple shareWith() API for when you know you want to share the contents of
3836         a shared buffer. Also a useful explicit operator bool.
3837
3838         * runtime/ArrayBuffer.cpp:
3839         (JSC::ArrayBuffer::shareWith):
3840         * runtime/ArrayBuffer.h:
3841         (JSC::ArrayBufferContents::operator bool):
3842
3843 2017-02-09  Mark Lam  <mark.lam@apple.com>
3844
3845         B3::Procedure::deleteOrphans() should neutralize upsilons with dead phis.
3846         https://bugs.webkit.org/show_bug.cgi?id=167437
3847         <rdar://problem/30198083>
3848
3849         Reviewed by Filip Pizlo.
3850
3851         * b3/B3Procedure.cpp:
3852         (JSC::B3::Procedure::deleteOrphans):
3853
3854 2017-02-09  Saam Barati  <sbarati@apple.com>
3855
3856         Sloppy mode: We don't properly hoist functions named "arguments" when we have a non-simple parameter list
3857         https://bugs.webkit.org/show_bug.cgi?id=167319
3858         <rdar://problem/30149432>
3859
3860         Reviewed by Mark Lam.
3861
3862         When hoisting a function inside sloppy mode, we were assuming all "var"s are inside
3863         what we call the "var" SymbolTableEntry. This was almost true, except for "arguments",
3864         which has sufficiently weird behavior. "arguments" can be visible to the default
3865         parameter expressions inside a function, therefore can't go inside the "var"
3866         SymbolTableEntry since the parameter SymbolTableEntry comes before the "var"
3867         SymbolTableEntry in the scope chain.  Therefore, if we hoist a function named
3868         "arguments", then we must also look for that variable inside the parameter scope
3869         stack entry.
3870
3871         * bytecompiler/BytecodeGenerator.cpp:
3872         (JSC::BytecodeGenerator::hoistSloppyModeFunctionIfNecessary):
3873
3874 2017-02-09  Mark Lam  <mark.lam@apple.com>
3875
3876         Fix max length check in ArrayPrototype.js' concatSlowPath().
3877         https://bugs.webkit.org/show_bug.cgi?id=167270
3878         <rdar://problem/30128133>
3879
3880         Reviewed by Filip Pizlo.
3881
3882         1. Fixed concatSlowPath() to ensure that the result array length does not exceed
3883            @MAX_ARRAY_INDEX.  The old code was checking against @MAX_SAFE_INTEGER in some
3884            cases, but this is overly permissive.
3885
3886         2. Changed concatSlowPath() to throw a RangeError instead of a TypeError to be
3887            consistent with the C++ runtime functions in JSArray.cpp.
3888
3889         3. Changed the RangeError message in concatSlowPath() and JSArray.cpp to "Length
3890            exceeded the maximum array length" when the error is that the result length