8bba55b50000c97cf583cd9f73092f8b056429e9
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-12-06  Mark Lam  <mark.lam@apple.com>

        GetByID IC is wrongly unwrapping the global proxy this value for getter/setters.
        https://bugs.webkit.org/show_bug.cgi?id=165401

        Reviewed by Saam Barati.

        When the this value for a property access is the JS global and that property
        access is via a GetterSetter, the underlying getter / setter functions would
        expect the this value they receive to be the JSProxy instance instead of the
        JSGlobalObject.  This is consistent with how the LLINT and runtime code behaves.
        The IC code should behave the same way.

        Also added some ASSERTs to document invariants in the code, and help detect
        bugs sooner if the code gets changed in a way that breaks those invariants in
        the future.

        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::generateImpl):

2016-12-06  Joseph Pecoraro  <pecoraro@apple.com>

        DumpRenderTree ASSERT in JSC::ExecutableBase::isHostFunction seen on bots
        https://bugs.webkit.org/show_bug.cgi?id=165497
        <rdar://problem/29538973>

        Reviewed by Saam Barati.

        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        (Inspector::InspectorScriptProfilerAgent::trackingComplete):
        Defer collection when extracting and processing the samples to avoid
        any objects held by the samples from getting collected while processing.
        This is because while processing we call into functions that can
        allocate and we must prevent those functions from syncing with the
        GC thread which may collect other sample data yet to be processed.

2016-12-06  Alexey Proskuryakov  <ap@apple.com>

        Correct SDKROOT values in xcconfig files
        https://bugs.webkit.org/show_bug.cgi?id=165487
        rdar://problem/29539209

        Reviewed by Dan Bernstein.

        Fix suggested by Dan Bernstein.

        * Configurations/DebugRelease.xcconfig:

2016-12-06  Saam Barati  <sbarati@apple.com>

        Remove old Wasm object model
        https://bugs.webkit.org/show_bug.cgi?id=165481

        Reviewed by Keith Miller and Mark Lam.

        It's confusing to see code that consults both the old
        Wasm object model alongside the new one. The old object
        model is not a thing, and it's not being used. Let's
        remove it now to prevent further confusion.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        (JSC::CodeBlock::replacement):
        (JSC::CodeBlock::computeCapabilityLevel):
        (JSC::CodeBlock::updateAllPredictions):
        * bytecode/CodeBlock.h:
        * bytecode/WebAssemblyCodeBlock.cpp: Removed.
        * bytecode/WebAssemblyCodeBlock.h: Removed.
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::isSupportedForInlining):
        * interpreter/Interpreter.cpp:
        (JSC::GetStackTraceFunctor::operator()):
        (JSC::UnwindFunctor::operator()):
        (JSC::isWebAssemblyExecutable): Deleted.
        * jit/JITOperations.cpp:
        * jit/Repatch.cpp:
        (JSC::linkPolymorphicCall):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setUpCall):
        * runtime/ExecutableBase.cpp:
        (JSC::ExecutableBase::clearCode):
        * runtime/ExecutableBase.h:
        (JSC::ExecutableBase::isWebAssemblyExecutable): Deleted.
        * runtime/JSFunction.cpp:
        * runtime/JSFunction.h:
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::isBuiltinFunction):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * runtime/WebAssemblyExecutable.cpp: Removed.
        * runtime/WebAssemblyExecutable.h: Removed.

2016-12-06  JF Bastien  <jfbastien@apple.com>

        PureNaN: fix typo
        https://bugs.webkit.org/show_bug.cgi?id=165493

        Reviewed by Mark Lam.

        * runtime/PureNaN.h:

2016-12-06  Mark Lam  <mark.lam@apple.com>

        Introduce the concept of Immutable Prototype Exotic Objects to comply with the spec.
        https://bugs.webkit.org/show_bug.cgi?id=165227
        <rdar://problem/29442665>

        Reviewed by Saam Barati.

        * runtime/JSObject.cpp:
        (JSC::JSObject::setPrototypeWithCycleCheck):
        - This is where we check for immutable prototype exotic objects and refuse to set
          the prototype if needed.
          See https://tc39.github.io/ecma262/#sec-immutable-prototype-exotic-objects.

        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::isImmutablePrototypeExoticObject):
        * runtime/Structure.h:
        - Add flag for declaring immutable prototype exotic objects.

        * runtime/ObjectPrototype.h:
        - Declare that Object.prototype is an immutable prototype exotic object.
          See https://tc39.github.io/ecma262/#sec-properties-of-the-object-prototype-object.

        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorSetPrototypeOf):
        - Use better error messages.

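The observable behaviour the immutable-prototype entry above implements, as an added example that is not part of the ChangeLog or of WebKit's code: a conforming engine refuses to change the [[Prototype]] of Object.prototype (TypeError from Object.setPrototypeOf, false from Reflect.setPrototypeOf) while still accepting a no-op set to its current value, null. The helper names are this example's own.

```javascript
// Added example (not WebKit code): exercises the immutable prototype exotic
// object behaviour of Object.prototype as specified by ECMA-262.
'use strict';

// Attempt Object.setPrototypeOf(target, proto) and report whether it threw.
function trySetPrototype(target, proto) {
  try {
    Object.setPrototypeOf(target, proto);
    return { threw: false, error: null };
  } catch (e) {
    return { threw: true, error: e instanceof TypeError ? 'TypeError' : String(e) };
  }
}

// Reflect.setPrototypeOf never throws for a refused set; it returns false.
function reflectSetPrototype(target, proto) {
  return Reflect.setPrototypeOf(target, proto);
}

// Collect the cases that distinguish an immutable prototype exotic object
// from an ordinary object.
function demo() {
  return {
    // Changing Object.prototype's [[Prototype]] away from null must fail.
    changeToObject: trySetPrototype(Object.prototype, {}),
    // Setting it to the value it already has (null) is the one allowed case.
    keepNull: trySetPrototype(Object.prototype, null),
    reflectChange: reflectSetPrototype(Object.prototype, {}),
    reflectKeepNull: reflectSetPrototype(Object.prototype, null),
    // An ordinary object is not exotic: its prototype can still be replaced.
    ordinary: trySetPrototype({}, Array.prototype),
    // The failed attempts above must have left Object.prototype untouched.
    stillNull: Object.getPrototypeOf(Object.prototype) === null,
  };
}
```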
2016-12-04  Darin Adler  <darin@apple.com>

        Use ASCIICType more, and improve it a little bit
        https://bugs.webkit.org/show_bug.cgi?id=165360

        Reviewed by Sam Weinig.

        * inspector/InspectorValues.cpp:
        (Inspector::readHexDigits): Use isASCIIHexDigit.
        (Inspector::hextoInt): Deleted.
        (decodeString): Use toASCIIHexValue.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::parseDigit): Use isASCIIDigit, isASCIIUpper, and isASCIILower.

        * runtime/StringPrototype.cpp:
        (JSC::substituteBackreferencesSlow): Use isASCIIDigit.

2016-12-06  Csaba Osztrogonác  <ossy@webkit.org>

        Add storeFence support for ARMv7
        https://bugs.webkit.org/show_bug.cgi?id=164733

        Reviewed by Saam Barati.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::dmbISHST): Added.
        * assembler/ARMv7Assembler.h: Typo fixed, DMB has only T1 encoding.
        (JSC::ARMv7Assembler::dmbSY):
        (JSC::ARMv7Assembler::dmbISHST): Added.
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::storeFence):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::storeFence):

2016-12-05  Matt Baker  <mattbaker@apple.com>

        Web Inspector: remove ASSERT from InspectorDebuggerAgent::derefAsyncCallData
        https://bugs.webkit.org/show_bug.cgi?id=165413
        <rdar://problem/29517587>

        Reviewed by Brian Burg.

        DOMTimer::removeById can call into InspectorInstrumentation with an
        invalid identifier, so don't assert that async call data exists.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::derefAsyncCallData):

2016-12-05  Geoffrey Garen  <ggaren@apple.com>

        Fixed a bug in my last patch.

        Unreviewed.

        * bytecode/UnlinkedFunctionExecutable.h: Restore the conversion to
        one-based counting.

2016-12-05  Geoffrey Garen  <ggaren@apple.com>

        Moved start and end column linking into helper functions
        https://bugs.webkit.org/show_bug.cgi?id=165422

        Reviewed by Sam Weinig.

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::link):
        * bytecode/UnlinkedFunctionExecutable.h:

2016-12-05  Mark Lam  <mark.lam@apple.com>

        Fix JSC files so that we can build a release build with NDEBUG #undef'ed.
        https://bugs.webkit.org/show_bug.cgi?id=165409

        Reviewed by Keith Miller.

        This allows us to run a release build with DEBUG ASSERTs enabled.

        * bytecode/BytecodeLivenessAnalysis.cpp:
        * bytecode/UnlinkedEvalCodeBlock.cpp:
        * bytecode/UnlinkedFunctionCodeBlock.cpp:
        * bytecode/UnlinkedModuleProgramCodeBlock.cpp:
        * bytecode/UnlinkedProgramCodeBlock.cpp:
        * runtime/EvalExecutable.cpp:

2016-12-05  Geoffrey Garen  <ggaren@apple.com>

        Renamed source => parentSource
        https://bugs.webkit.org/show_bug.cgi?id=165419

        Reviewed by Saam Barati.

        This should help clarify that a FunctionExecutable holds the source
        code to its *parent* scope, and not its own SourceCode.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutable):
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::link):
        * bytecode/UnlinkedFunctionExecutable.h:

2016-12-05  Geoffrey Garen  <ggaren@apple.com>

        ScriptExecutable should not contain a copy of firstLine and startColumn
        https://bugs.webkit.org/show_bug.cgi?id=165415

        Reviewed by Keith Miller.

        We already have this data in SourceCode.

        It's super confusing to have two copies of this data, where one is
        allowed to mutate. In reality, your line and column number never change.

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::link):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
        * runtime/CodeCache.h:
        (JSC::generateUnlinkedCodeBlock):
        * runtime/FunctionExecutable.cpp:
        (JSC::FunctionExecutable::FunctionExecutable):
        * runtime/FunctionExecutable.h:
        * runtime/ScriptExecutable.cpp:
        (JSC::ScriptExecutable::ScriptExecutable):
        (JSC::ScriptExecutable::newCodeBlockFor):
        * runtime/ScriptExecutable.h:
        (JSC::ScriptExecutable::firstLine):
        (JSC::ScriptExecutable::startColumn):
        (JSC::ScriptExecutable::recordParse):

2016-12-05  Caitlin Potter  <caitp@igalia.com>

        [JSC] report unexpected token when "async" is followed by identifier
        https://bugs.webkit.org/show_bug.cgi?id=165091

        Reviewed by Mark Lam.

        Report a SyntaxError, in order to report correct error in contexts
        an async ArrowFunction cannot occur. Also corrects errors in comment
        describing JSTokenType bitfield, which was added in r209293.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseMemberExpression):
        * parser/ParserTokens.h:

2016-12-05  Keith Miller  <keith_miller@apple.com>

        Add Wasm i64 to i32 conversion.
        https://bugs.webkit.org/show_bug.cgi?id=165378

        Reviewed by Filip Pizlo.

        It turns out the wrap operation is just B3's Trunc.

        * wasm/wasm.json:

2016-12-05  Joseph Pecoraro  <pecoraro@apple.com>

        REGRESSION(r208985): SafariForWebKitDevelopment Symbol Not Found looking for method with WTF::Optional
        https://bugs.webkit.org/show_bug.cgi?id=165351

        Reviewed by Yusuke Suzuki.

        Some versions of Safari expect:

            Inspector::BackendDispatcher::reportProtocolError(WTF::Optional<long>, Inspector::BackendDispatcher::CommonErrorCode, WTF::String const&)

        Which we had updated to use std::optional. Expose a version with the original
        Symbol for these Safaris. This stub will just call through to the new version.

        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::reportProtocolError):
        * inspector/InspectorBackendDispatcher.h:

2016-12-05  Konstantin Tokarev  <annulen@yandex.ru>

        Add __STDC_FORMAT_MACROS before inttypes.h is included
        https://bugs.webkit.org/show_bug.cgi?id=165374

        We need formatting macros like PRIu64 to be available in all places where
        inttypes.h header is used. All these usages get inttypes.h definitions
        via wtf/Assertions.h header, except SQLiteFileSystem.cpp where formatting
        macros are not used anymore since r185129.

        This patch fixes multiple build errors with MinGW and reduces number of
        independent __STDC_FORMAT_MACROS uses in the code base.

        Reviewed by Darin Adler.

        * disassembler/ARM64/A64DOpcode.cpp: Removed __STDC_FORMAT_MACROS
        because it is obtained via Assertions.h now
        * disassembler/ARM64Disassembler.cpp: Ditto.

2016-12-04  Keith Miller  <keith_miller@apple.com>

        Add support for Wasm ctz and popcnt
        https://bugs.webkit.org/show_bug.cgi?id=165369

        Reviewed by Saam Barati.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::countTrailingZeros32):
        (JSC::MacroAssemblerARM64::countTrailingZeros64):
        * assembler/MacroAssemblerX86Common.cpp:
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::countTrailingZeros32):
        (JSC::MacroAssemblerX86Common::supportsBMI1):
        (JSC::MacroAssemblerX86Common::ctzAfterBsf):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::countTrailingZeros64):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::tzcnt_rr):
        (JSC::X86Assembler::tzcntq_rr):
        (JSC::X86Assembler::bsf_rr):
        (JSC::X86Assembler::bsfq_rr):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::addOp<OpType::I32Ctz>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::I64Ctz>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::I32Popcnt>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::I64Popcnt>):
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseExpression):

2016-12-04  Saam Barati  <sbarati@apple.com>

        We should have a Wasm callee
        https://bugs.webkit.org/show_bug.cgi?id=165163

        Reviewed by Keith Miller.

        This patch adds JSWebAssemblyCallee and stores it into the
        callee slot in the call frame as part of the prologue of a
        wasm function. This is the first step in implementing
        unwinding from/through wasm frames. We will use the callee
        to identify that a machine frame belongs to wasm code.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jsc.cpp:
        (callWasmFunction):
        (functionTestWasmModuleFunctions):
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSGlobalObject.cpp:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * wasm/JSWebAssembly.h:
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::parseAndCompile):
        * wasm/WasmCallingConvention.h:
        (JSC::Wasm::CallingConvention::setupFrameInPrologue):
        * wasm/WasmFormat.h:
        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::initializeCallees):
        * wasm/WasmPlan.h:
        (JSC::Wasm::Plan::compiledFunction):
        (JSC::Wasm::Plan::getCompiledFunctions): Deleted.
        * wasm/js/JSWebAssemblyCallee.cpp: Added.
        (JSC::JSWebAssemblyCallee::JSWebAssemblyCallee):
        (JSC::JSWebAssemblyCallee::finishCreation):
        (JSC::JSWebAssemblyCallee::destroy):
        * wasm/js/JSWebAssemblyCallee.h: Added.
        (JSC::JSWebAssemblyCallee::create):
        (JSC::JSWebAssemblyCallee::createStructure):
        (JSC::JSWebAssemblyCallee::jsEntryPoint):
        * wasm/js/JSWebAssemblyModule.cpp:
        (JSC::JSWebAssemblyModule::create):
        (JSC::JSWebAssemblyModule::JSWebAssemblyModule):
        (JSC::JSWebAssemblyModule::visitChildren):
        * wasm/js/JSWebAssemblyModule.h:
        (JSC::JSWebAssemblyModule::moduleInformation):
        (JSC::JSWebAssemblyModule::callee):
        (JSC::JSWebAssemblyModule::callees):
        (JSC::JSWebAssemblyModule::offsetOfCallees):
        (JSC::JSWebAssemblyModule::allocationSize):
        (JSC::JSWebAssemblyModule::compiledFunctions): Deleted.
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):
        (JSC::WebAssemblyFunction::create):
        (JSC::WebAssemblyFunction::visitChildren):
        (JSC::WebAssemblyFunction::finishCreation):
        * wasm/js/WebAssemblyFunction.h:
        (JSC::WebAssemblyFunction::webAssemblyCallee):
        (JSC::WebAssemblyFunction::instance):
        (JSC::WebAssemblyFunction::signature):
        (JSC::CallableWebAssemblyFunction::CallableWebAssemblyFunction): Deleted.
        (JSC::WebAssemblyFunction::webAssemblyFunctionCell): Deleted.
        * wasm/js/WebAssemblyFunctionCell.cpp:
        (JSC::WebAssemblyFunctionCell::create): Deleted.
        (JSC::WebAssemblyFunctionCell::WebAssemblyFunctionCell): Deleted.
        (JSC::WebAssemblyFunctionCell::destroy): Deleted.
        (JSC::WebAssemblyFunctionCell::createStructure): Deleted.
        * wasm/js/WebAssemblyFunctionCell.h:
        (JSC::WebAssemblyFunctionCell::function): Deleted.
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        (JSC::constructJSWebAssemblyModule):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):

2016-12-04  Matt Baker  <mattbaker@apple.com>

        Web Inspector: Assertion Failures breakpoint should respect global Breakpoints enabled setting
        https://bugs.webkit.org/show_bug.cgi?id=165277
        <rdar://problem/29467098>

        Reviewed by Mark Lam.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
        Check that breakpoints are active before pausing.

2016-12-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        Refactor SymbolImpl layout
        https://bugs.webkit.org/show_bug.cgi?id=165247

        Reviewed by Darin Adler.

        Use SymbolImpl::{create, createNullSymbol} instead.

        * runtime/PrivateName.h:
        (JSC::PrivateName::PrivateName):

2016-12-03  JF Bastien  <jfbastien@apple.com>

        WebAssembly: update binary format to 0xD version
        https://bugs.webkit.org/show_bug.cgi?id=165345

        Reviewed by Keith Miller.

        As described in the following PR: https://github.com/WebAssembly/design/pull/836
        Originally committed in r209175, reverted in r209242, and fixed in r209284.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::B3IRGenerator::zeroForType):
        (JSC::Wasm::B3IRGenerator::addConstant):
        (JSC::Wasm::createJSWrapper):
        * wasm/WasmCallingConvention.h:
        (JSC::Wasm::CallingConvention::marshallArgument):
        * wasm/WasmFormat.cpp:
        (JSC::Wasm::toString): Deleted.
        * wasm/WasmFormat.h:
        (JSC::Wasm::isValueType):
        (JSC::Wasm::toB3Type): Deleted.
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseExpression):
        * wasm/WasmModuleParser.cpp:
        (JSC::Wasm::ModuleParser::parse):
        (JSC::Wasm::ModuleParser::parseType):
        * wasm/WasmModuleParser.h:
        * wasm/WasmParser.h:
        (JSC::Wasm::Parser::parseResultType):
        * wasm/generateWasm.py:
        (Wasm.__init__):
        * wasm/generateWasmOpsHeader.py:
        (cppMacro):
        (typeMacroizer):
        (opcodeMacroizer):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):
        * wasm/wasm.json:

2016-12-02  Keith Miller  <keith_miller@apple.com>

        Add Wasm copysign
        https://bugs.webkit.org/show_bug.cgi?id=165355

        Reviewed by Filip Pizlo.

        This patch also makes two other important changes:

        1) allows for i64 constants in the B3 generator language.
        2) Fixes a bug with F64ConvertUI64 where the operation returned a Float instead
           of a Double in B3.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::addOp<F64ConvertUI64>):
        * wasm/generateWasmB3IRGeneratorInlinesHeader.py:
        (CodeGenerator.generateOpcode):
        (generateConstCode):
        (generateI32ConstCode): Deleted.
        * wasm/wasm.json:

2016-12-03  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r209298.
        https://bugs.webkit.org/show_bug.cgi?id=165359

        broke the build (Requested by smfr on #webkit).

        Reverted changeset:

        "Add Wasm copysign"
        https://bugs.webkit.org/show_bug.cgi?id=165355
        http://trac.webkit.org/changeset/209298

2016-12-02  Keith Miller  <keith_miller@apple.com>

        Add Wasm copysign
        https://bugs.webkit.org/show_bug.cgi?id=165355

        Reviewed by Filip Pizlo.

        This patch also makes two other important changes:

        1) allows for i64 constants in the B3 generator language.
        2) Fixes a bug with F64ConvertUI64 where the operation returned a Float instead
           of a Double in B3.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::addOp<F64ConvertUI64>):
        * wasm/generateWasmB3IRGeneratorInlinesHeader.py:
        (CodeGenerator.generateOpcode):
        (generateConstCode):
        (generateI32ConstCode): Deleted.
        * wasm/wasm.json:

2016-12-02  Keith Miller  <keith_miller@apple.com>

        Unreviewed, fix git having a breakdown over trying to reland a rollout.

2016-12-02  Keith Miller  <keith_miller@apple.com>

        Add Wasm floating point nearest and trunc
        https://bugs.webkit.org/show_bug.cgi?id=165339

        Reviewed by Saam Barati.

        This patch also allows any wasm primitive type to be passed as a
        string.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::nearestIntDouble):
        (JSC::MacroAssemblerARM64::nearestIntFloat):
        (JSC::MacroAssemblerARM64::truncDouble):
        (JSC::MacroAssemblerARM64::truncFloat):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::nearestIntDouble):
        (JSC::MacroAssemblerX86Common::nearestIntFloat):
        * jsc.cpp:
        (box):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::addOp<F64ConvertUI64>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::F32ConvertUI64>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::F64Nearest>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::F32Nearest>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::F64Trunc>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::F32Trunc>):
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseExpression):

2016-12-02  Caitlin Potter  <caitp@igalia.com>

        [JSC] add additional bit to JSTokenType bitfield
        https://bugs.webkit.org/show_bug.cgi?id=165091

        Reviewed by Geoffrey Garen.

        Avoid overflow which causes keyword tokens to be treated as unary
        tokens now that "async" is tokenized as a keyword, by granting an
        additional 64 bits to be occupied by token IDs.

        * parser/ParserTokens.h:

2016-12-02  Andy Estes  <aestes@apple.com>

        [Cocoa] Adopt the PRODUCT_BUNDLE_IDENTIFIER build setting
        https://bugs.webkit.org/show_bug.cgi?id=164492

        Reviewed by Dan Bernstein.

        * Configurations/JavaScriptCore.xcconfig: Set PRODUCT_BUNDLE_IDENTIFIER to
        com.apple.$(PRODUCT_NAME:rfc1034identifier).
        * Info.plist: Changed CFBundleIdentifier's value from com.apple.${PRODUCT_NAME} to
        ${PRODUCT_BUNDLE_IDENTIFIER}.

2016-12-02  JF Bastien  <jfbastien@apple.com>

        WebAssembly: mark WasmOps.h as private
        https://bugs.webkit.org/show_bug.cgi?id=165335

        Reviewed by Mark Lam.

        * JavaScriptCore.xcodeproj/project.pbxproj: WasmOps.h will be used by non-JSC and should therefore be private

2016-12-02  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r209275 and r209276.
        https://bugs.webkit.org/show_bug.cgi?id=165348

        "broke the arm build" (Requested by keith_miller on #webkit).

        Reverted changesets:

        "Add Wasm floating point nearest and trunc"
        https://bugs.webkit.org/show_bug.cgi?id=165339
        http://trac.webkit.org/changeset/209275

        "Unreviewed, forgot to change instruction after renaming."
        http://trac.webkit.org/changeset/209276

2016-12-02  Keith Miller  <keith_miller@apple.com>

        Unreviewed, forgot to change instruction after renaming.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::nearestIntDouble):
        (JSC::MacroAssemblerARM64::nearestIntFloat):

2016-12-02  Keith Miller  <keith_miller@apple.com>

        Add Wasm floating point nearest and trunc
        https://bugs.webkit.org/show_bug.cgi?id=165339

        Reviewed by Filip Pizlo.

        This patch also allows any wasm primitive type to be passed as a
        string.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::nearestIntDouble):
        (JSC::MacroAssemblerARM64::nearestIntFloat):
        (JSC::MacroAssemblerARM64::truncDouble):
        (JSC::MacroAssemblerARM64::truncFloat):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::nearestIntDouble):
        (JSC::MacroAssemblerX86Common::nearestIntFloat):
        * jsc.cpp:
        (box):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::addOp<F64ConvertUI64>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::F32ConvertUI64>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::F64Nearest>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::F32Nearest>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::F64Trunc>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::F32Trunc>):
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseExpression):

2016-12-02  JF Bastien  <jfbastien@apple.com>

        WebAssembly: revert patch causing odd breakage
        https://bugs.webkit.org/show_bug.cgi?id=165308

        Unreviewed.

        Bug #164724 seems to cause build issues which I haven't tracked down yet. WasmOps.h can't be found:
        ./Source/JavaScriptCore/wasm/WasmFormat.h:34:10: fatal error: 'WasmOps.h' file not found

        It's weird since the file is auto-generated and has been for a while. #164724 merely includes it in WasmFormat.h.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::B3IRGenerator::zeroForType):
        (JSC::Wasm::B3IRGenerator::addConstant):
        (JSC::Wasm::createJSWrapper):
        * wasm/WasmCallingConvention.h:
        (JSC::Wasm::CallingConvention::marshallArgument):
        * wasm/WasmFormat.cpp:
        (JSC::Wasm::toString):
        * wasm/WasmFormat.h:
        (JSC::Wasm::toB3Type):
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseExpression):
        * wasm/WasmModuleParser.cpp:
        (JSC::Wasm::ModuleParser::parse):
        (JSC::Wasm::ModuleParser::parseType):
        * wasm/WasmModuleParser.h:
        * wasm/WasmParser.h:
        (JSC::Wasm::Parser::parseResultType):
        * wasm/generateWasm.py:
        (Wasm.__init__):
        * wasm/generateWasmOpsHeader.py:
        (cppMacro):
        (opcodeMacroizer):
        (typeMacroizer): Deleted.
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):
        * wasm/wasm.json:

2016-12-01  Brian Burg  <bburg@apple.com>

        Remote Inspector: fix weird typo in generated ObjC protocol type initializer implementations
        https://bugs.webkit.org/show_bug.cgi?id=165295
        <rdar://problem/29427778>

        Reviewed by Joseph Pecoraro.

        Remove a stray semicolon appended after custom initializer signatures.
        This is a syntax error when building with less lenient compiler warnings.

        * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
        (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members):
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:

2016-12-01  Saam Barati  <sbarati@apple.com>

        Rename CallFrame::callee() to CallFrame::jsCallee()
        https://bugs.webkit.org/show_bug.cgi?id=165293

        Reviewed by Keith Miller.

        Wasm will soon have its own Callee that doesn't derive
        from JSObject, but derives from JSCell. I want to introduce
        a new function like:
        ```
        CalleeBase* CallFrame::callee()
        ```

        once we have a Wasm callee. It only makes sense to name that
        function callee() and rename the current one to:
        ```
        JSObject* CallFrame::jsCallee()
        ```

        * API/APICallbackFunction.h:
        (JSC::APICallbackFunction::call):
        (JSC::APICallbackFunction::construct):
        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::construct):
        (JSC::JSCallbackObject<Parent>::call):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::scope):
        (JSC::DebuggerCallFrame::type):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::friendlyFunctionName):
        * interpreter/CallFrame.h:
        (JSC::ExecState::jsCallee):
        (JSC::ExecState::callee): Deleted.
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpRegisters):
        (JSC::notifyDebuggerOfUnwinding):
        * interpreter/ShadowChicken.cpp:
        (JSC::ShadowChicken::update):
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::readNonInlinedFrame):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::traceFunctionPrologue):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        * runtime/AsyncFunctionConstructor.cpp:
        (JSC::callAsyncFunctionConstructor):
        (JSC::constructAsyncFunctionConstructor):
        * runtime/BooleanConstructor.cpp:
        (JSC::constructWithBooleanConstructor):
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::createWithInlineFrame):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::arityCheckFor):
        * runtime/DateConstructor.cpp:
        (JSC::constructWithDateConstructor):
        * runtime/DirectArguments.cpp:
        (JSC::DirectArguments::createByCopying):
        * runtime/Error.h:
        (JSC::StrictModeTypeErrorFunction::constructThrowTypeError):
        (JSC::StrictModeTypeErrorFunction::callThrowTypeError):
        * runtime/ErrorConstructor.cpp:
        (JSC::Interpreter::constructWithErrorConstructor):
        (JSC::Interpreter::callErrorConstructor):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructWithFunctionConstructor):
801         * runtime/FunctionConstructor.cpp:
802         (JSC::constructWithFunctionConstructor):
803         (JSC::callFunctionConstructor):
804         * runtime/GeneratorFunctionConstructor.cpp:
805         (JSC::callGeneratorFunctionConstructor):
806         (JSC::constructGeneratorFunctionConstructor):
807         * runtime/InternalFunction.cpp:
808         (JSC::InternalFunction::createSubclassStructure):
809         * runtime/IntlCollator.cpp:
810         (JSC::IntlCollator::initializeCollator):
811         * runtime/IntlCollatorConstructor.cpp:
812         (JSC::constructIntlCollator):
813         (JSC::callIntlCollator):
814         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
815         * runtime/IntlDateTimeFormat.cpp:
816         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
817         * runtime/IntlDateTimeFormatConstructor.cpp:
818         (JSC::constructIntlDateTimeFormat):
819         (JSC::callIntlDateTimeFormat):
820         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
821         * runtime/IntlNumberFormat.cpp:
822         (JSC::IntlNumberFormat::initializeNumberFormat):
823         * runtime/IntlNumberFormatConstructor.cpp:
824         (JSC::constructIntlNumberFormat):
825         (JSC::callIntlNumberFormat):
826         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
827         * runtime/IntlObject.cpp:
828         (JSC::canonicalizeLocaleList):
829         (JSC::defaultLocale):
830         (JSC::lookupSupportedLocales):
831         (JSC::intlObjectFuncGetCanonicalLocales):
832         * runtime/JSArrayBufferConstructor.cpp:
833         (JSC::constructArrayBuffer):
834         * runtime/JSArrayBufferPrototype.cpp:
835         (JSC::arrayBufferProtoFuncSlice):
836         * runtime/JSBoundFunction.cpp:
837         (JSC::boundThisNoArgsFunctionCall):
838         (JSC::boundFunctionCall):
839         (JSC::boundThisNoArgsFunctionConstruct):
840         (JSC::boundFunctionConstruct):
841         * runtime/JSCellInlines.h:
842         (JSC::ExecState::vm):
843         * runtime/JSCustomGetterSetterFunction.cpp:
844         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
845         * runtime/JSFunction.cpp:
846         (JSC::callHostFunctionAsConstructor):
847         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
848         (JSC::constructGenericTypedArrayView):
849         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
850         (JSC::genericTypedArrayViewProtoFuncSlice):
851         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
852         * runtime/JSGlobalObjectFunctions.cpp:
853         (JSC::globalFuncEval):
854         * runtime/JSInternalPromiseConstructor.cpp:
855         (JSC::constructPromise):
856         * runtime/JSMapIterator.cpp:
857         (JSC::JSMapIterator::createPair):
858         (JSC::JSMapIterator::clone):
859         * runtime/JSNativeStdFunction.cpp:
860         (JSC::runStdFunction):
861         * runtime/JSPromiseConstructor.cpp:
862         (JSC::constructPromise):
863         * runtime/JSPropertyNameIterator.cpp:
864         (JSC::JSPropertyNameIterator::clone):
865         * runtime/JSScope.h:
866         (JSC::ExecState::lexicalGlobalObject):
867         * runtime/JSSetIterator.cpp:
868         (JSC::JSSetIterator::createPair):
869         (JSC::JSSetIterator::clone):
870         * runtime/JSStringIterator.cpp:
871         (JSC::JSStringIterator::clone):
872         * runtime/MapConstructor.cpp:
873         (JSC::constructMap):
874         * runtime/MapPrototype.cpp:
875         (JSC::mapProtoFuncValues):
876         (JSC::mapProtoFuncEntries):
877         (JSC::mapProtoFuncKeys):
878         (JSC::privateFuncMapIterator):
879         * runtime/NativeErrorConstructor.cpp:
880         (JSC::Interpreter::constructWithNativeErrorConstructor):
881         (JSC::Interpreter::callNativeErrorConstructor):
882         * runtime/ObjectConstructor.cpp:
883         (JSC::constructObject):
884         * runtime/ProxyObject.cpp:
885         (JSC::performProxyCall):
886         (JSC::performProxyConstruct):
887         * runtime/ProxyRevoke.cpp:
888         (JSC::performProxyRevoke):
889         * runtime/RegExpConstructor.cpp:
890         (JSC::constructWithRegExpConstructor):
891         (JSC::callRegExpConstructor):
892         * runtime/ScopedArguments.cpp:
893         (JSC::ScopedArguments::createByCopying):
894         * runtime/SetConstructor.cpp:
895         (JSC::constructSet):
896         * runtime/SetPrototype.cpp:
897         (JSC::setProtoFuncValues):
898         (JSC::setProtoFuncEntries):
899         (JSC::privateFuncSetIterator):
900         * runtime/StringConstructor.cpp:
901         (JSC::constructWithStringConstructor):
902         * runtime/StringPrototype.cpp:
903         (JSC::stringProtoFuncIterator):
904         * runtime/WeakMapConstructor.cpp:
905         (JSC::constructWeakMap):
906         * runtime/WeakSetConstructor.cpp:
907         (JSC::constructWeakSet):
908         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
909         (JSC::constructJSWebAssemblyCompileError):
910         * wasm/js/WebAssemblyFunction.cpp:
911         (JSC::callWebAssemblyFunction):
912         * wasm/js/WebAssemblyModuleConstructor.cpp:
913         (JSC::constructJSWebAssemblyModule):
914         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
915         (JSC::constructJSWebAssemblyRuntimeError):
916
917 2016-12-01  Brian Burg  <bburg@apple.com>
918
919         Web Inspector: generated code should use a framework-style import for *ProtocolArrayConversions.h
920         https://bugs.webkit.org/show_bug.cgi?id=165281
921         <rdar://problem/29427778>
922
923         Reviewed by Joseph Pecoraro.
924
925         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
926         (ObjCProtocolTypeConversionsHeaderGenerator.generate_output):
927         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
928         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
929         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
930         * inspector/scripts/tests/expected/enum-values.json-result:
931         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
932         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
933         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
934         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
935         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
936         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
937         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
938         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
939         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
940
941 2016-12-01  Geoffrey Garen  <ggaren@apple.com>
942
943         SourceCodeKey should use unlinked source code
944         https://bugs.webkit.org/show_bug.cgi?id=165286
945
946         Reviewed by Saam Barati.
947
948         This patch splits out UnlinkedSourceCode from SourceCode, and deploys
949         UnlinkedSourceCode in SourceCodeKey.
950
951         It's misleading to store SourceCode in SourceCodeKey because SourceCode
952         has an absolute location whereas unlinked cached code has no location.
953
954         I plan to deploy UnlinkedSourceCode in more places, to indicate code
955         that has no absolute location.
956
957         * JavaScriptCore.xcodeproj/project.pbxproj:
958         * parser/SourceCode.cpp:
959         (JSC::UnlinkedSourceCode::toUTF8):
960         (JSC::SourceCode::toUTF8): Deleted.
961         * parser/SourceCode.h:
962         (JSC::SourceCode::SourceCode):
963         (JSC::SourceCode::startColumn):
964         (JSC::SourceCode::isHashTableDeletedValue): Deleted.
965         (JSC::SourceCode::hash): Deleted.
966         (JSC::SourceCode::view): Deleted.
967         (JSC::SourceCode::providerID): Deleted.
968         (JSC::SourceCode::isNull): Deleted.
969         (JSC::SourceCode::provider): Deleted.
970         (JSC::SourceCode::startOffset): Deleted.
971         (JSC::SourceCode::endOffset): Deleted.
972         (JSC::SourceCode::length): Deleted. Move a bunch of stuff in to a new
973         base class, UnlinkedSourceCode.
974
975         * parser/SourceCodeKey.h:
976         (JSC::SourceCodeKey::SourceCodeKey): Use UnlinkedSourceCode since code
977         in the cache has no location.
978
979         * parser/UnlinkedSourceCode.h: Copied from Source/JavaScriptCore/parser/SourceCode.h.
980         (JSC::UnlinkedSourceCode::UnlinkedSourceCode):
981         (JSC::UnlinkedSourceCode::provider):
982         (JSC::SourceCode::SourceCode): Deleted.
983         (JSC::SourceCode::isHashTableDeletedValue): Deleted.
984         (JSC::SourceCode::hash): Deleted.
985         (JSC::SourceCode::view): Deleted.
986         (JSC::SourceCode::providerID): Deleted.
987         (JSC::SourceCode::isNull): Deleted.
988         (JSC::SourceCode::provider): Deleted.
989         (JSC::SourceCode::firstLine): Deleted.
990         (JSC::SourceCode::startColumn): Deleted.
991         (JSC::SourceCode::startOffset): Deleted.
992         (JSC::SourceCode::endOffset): Deleted.
993         (JSC::SourceCode::length): Deleted.
994         (JSC::makeSource): Deleted.
995         (JSC::SourceCode::subExpression): Deleted.
996
997         * runtime/CodeCache.h: Use UnlinkedSourceCode in the cache.
998
999 2016-12-01  Keith Miller  <keith_miller@apple.com>
1000
1001         Add wasm int to floating point opcodes
1002         https://bugs.webkit.org/show_bug.cgi?id=165252
1003
1004         Reviewed by Geoffrey Garen.
1005
1006         This patch adds support for the Wasm integral type => floating point
1007         type conversion opcodes. Most of these were already supported by B3
1008         however there was no support for uint64 to float/double. Unfortunately,
1009         AFAIK x86_64 does not have a single instruction that performs this
1010         conversion. Since there is a signed conversion instruction on x86, we
1011         use that for all uint64s that don't have the top bit set. If they do have
1012         the top bit set, we need to divide by 2 (rounding up), then convert the number
1013         with the signed conversion, then double the result.
1014
1015         * assembler/MacroAssemblerX86_64.h:
1016         (JSC::MacroAssemblerX86_64::convertUInt64ToDouble):
1017         (JSC::MacroAssemblerX86_64::convertUInt64ToFloat):
1018         * jsc.cpp:
1019         (valueWithTypeOfWasmValue):
1020         (box):
1021         (functionTestWasmModuleFunctions):
1022         * wasm/WasmB3IRGenerator.cpp:
1023         (JSC::Wasm::B3IRGenerator::addOp<F64ConvertUI64>):
1024         (JSC::Wasm::B3IRGenerator::addOp<OpType::F32ConvertUI64>):
1025         * wasm/WasmFunctionParser.h:
1026         (JSC::Wasm::FunctionParser<Context>::parseExpression):
1027         * wasm/wasm.json:
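
The halve, convert, double approach described above, as an added worked example in portable C++ rather than JSC's MacroAssembler code. This is not WebKit's implementation: the function names convertUInt64ToDouble and convertUInt64ToFloat are borrowed from the entry, everything else is constructed here. It keeps the dropped low bit as a sticky bit when halving (a variant of the rounding step the entry describes), which is what makes the doubled result correctly rounded, and cross-checks against the compiler's own uint64 conversion on inputs that sit on and just past a rounding midpoint:

```cpp
#include <cstdint>
#include <limits>

// Constructed example: convert uint64 -> double using only a signed
// int64 -> double conversion, the situation the entry describes for x86_64.
double convertUInt64ToDouble(uint64_t value)
{
    // Fast path: top bit clear, so the value fits in int64_t and the signed
    // conversion alone is correct.
    if (!(value >> 63))
        return static_cast<double>(static_cast<int64_t>(value));

    // Top bit set: halve so the value fits in int64_t. ORing the dropped low
    // bit back in keeps it as a sticky bit, so the rounding performed by the
    // signed conversion matches a direct correctly rounded conversion.
    uint64_t halved = (value >> 1) | (value & 1);
    double half = static_cast<double>(static_cast<int64_t>(halved));
    return half + half; // doubling is exact; 2^64 is representable
}

// Same technique for float; the sticky bit matters here as well.
float convertUInt64ToFloat(uint64_t value)
{
    if (!(value >> 63))
        return static_cast<float>(static_cast<int64_t>(value));
    uint64_t halved = (value >> 1) | (value & 1);
    float half = static_cast<float>(static_cast<int64_t>(halved));
    return half + half;
}

// Cross-check against the compiler's native (correctly rounded) conversion.
// The inputs are constructed to hit the fast path, the slow path, an exact
// rounding midpoint (ties-to-even) and a value just past the midpoint.
bool matchesNativeConversion()
{
    const uint64_t inputs[] = {
        0, 1, 12345,
        (uint64_t(1) << 53) + 1,          // first value a double cannot hold exactly
        uint64_t(1) << 63,                // smallest value taking the slow path
        (uint64_t(1) << 63) + 1024,       // exactly on a double midpoint: ties-to-even
        (uint64_t(1) << 63) + 1025,       // just past the midpoint: must round up
        std::numeric_limits<uint64_t>::max(),
    };
    for (uint64_t v : inputs) {
        if (convertUInt64ToDouble(v) != static_cast<double>(v))
            return false;
        if (convertUInt64ToFloat(v) != static_cast<float>(v))
            return false;
    }
    return true;
}
```

Without the sticky bit, 2^63 + 1025 halves to 2^62 + 512, which ties-to-even rounds down, and the doubled result is 2^63 instead of the correct 2^63 + 2048; the cross-check above catches exactly that class of mistake.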
1028
1029 2016-12-01  Geoffrey Garen  <ggaren@apple.com>
1030
1031         Renamed EvalCodeCache => DirectEvalCodeCache
1032         https://bugs.webkit.org/show_bug.cgi?id=165271
1033
1034         Reviewed by Saam Barati.
1035
1036         We only use this cache for DirectEval, not IndirectEval.
1037
1038         * JavaScriptCore.xcodeproj/project.pbxproj:
1039         * bytecode/CodeBlock.cpp:
1040         (JSC::DirectEvalCodeCache::visitAggregate):
1041         (JSC::CodeBlock::stronglyVisitStrongReferences):
1042         (JSC::EvalCodeCache::visitAggregate): Deleted.
1043         * bytecode/CodeBlock.h:
1044         (JSC::CodeBlock::directEvalCodeCache):
1045         (JSC::CodeBlock::evalCodeCache): Deleted.
1046         * bytecode/DirectEvalCodeCache.h: Copied from Source/JavaScriptCore/bytecode/EvalCodeCache.h.
1047         (JSC::EvalCodeCache::CacheKey::CacheKey): Deleted.
1048         (JSC::EvalCodeCache::CacheKey::hash): Deleted.
1049         (JSC::EvalCodeCache::CacheKey::isEmptyValue): Deleted.
1050         (JSC::EvalCodeCache::CacheKey::operator==): Deleted.
1051         (JSC::EvalCodeCache::CacheKey::isHashTableDeletedValue): Deleted.
1052         (JSC::EvalCodeCache::CacheKey::Hash::hash): Deleted.
1053         (JSC::EvalCodeCache::CacheKey::Hash::equal): Deleted.
1054         (JSC::EvalCodeCache::tryGet): Deleted.
1055         (JSC::EvalCodeCache::set): Deleted.
1056         (JSC::EvalCodeCache::isEmpty): Deleted.
1057         (JSC::EvalCodeCache::clear): Deleted.
1058         * bytecode/EvalCodeCache.h: Removed.
1059         * interpreter/Interpreter.cpp:
1060         (JSC::eval):
1061         * runtime/DirectEvalExecutable.cpp:
1062         (JSC::DirectEvalExecutable::create):
1063
1064 2016-12-01  Geoffrey Garen  <ggaren@apple.com>
1065
1066         Removed some unnecessary indirection in code generation
1067         https://bugs.webkit.org/show_bug.cgi?id=165264
1068
1069         Reviewed by Keith Miller.
1070
1071         There's no need to route through JSGlobalObject when producing code --
1072         it just made the code harder to read.
1073
1074         This patch moves functions from JSGlobalObject to their singleton
1075         call sites.
1076
1077         * runtime/CodeCache.cpp:
1078         (JSC::CodeCache::getUnlinkedEvalCodeBlock):
1079         (JSC::CodeCache::getUnlinkedGlobalEvalCodeBlock): Deleted.
1080         * runtime/CodeCache.h:
1081         * runtime/DirectEvalExecutable.cpp:
1082         (JSC::DirectEvalExecutable::create):
1083         * runtime/IndirectEvalExecutable.cpp:
1084         (JSC::IndirectEvalExecutable::create):
1085         * runtime/JSGlobalObject.cpp:
1086         (JSC::JSGlobalObject::createProgramCodeBlock): Deleted.
1087         (JSC::JSGlobalObject::createLocalEvalCodeBlock): Deleted.
1088         (JSC::JSGlobalObject::createGlobalEvalCodeBlock): Deleted.
1089         (JSC::JSGlobalObject::createModuleProgramCodeBlock): Deleted.
1090         * runtime/JSGlobalObject.h:
1091         * runtime/ModuleProgramExecutable.cpp:
1092         (JSC::ModuleProgramExecutable::create):
1093         * runtime/ProgramExecutable.cpp:
1094         (JSC::ProgramExecutable::initializeGlobalProperties):
1095         * runtime/ProgramExecutable.h:
1096
1097 2016-11-30  Darin Adler  <darin@apple.com>
1098
1099         Roll out StringBuilder changes from the previous patch.
1100         They were a slowdown on a Kraken JSON test.
1101
1102         * runtime/JSONObject.cpp:
1103         Roll out changes from below.
1104
1105 2016-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1106
1107         [JSC] Specifying same module entry point multiple times cause TypeError
1108         https://bugs.webkit.org/show_bug.cgi?id=164858
1109
1110         Reviewed by Saam Barati.
1111
1112         Allow importing the same module multiple times. Previously, when specifying the same
1113         module in the <script type="module" src="here">, it threw a TypeError.
1114
1115         * builtins/ModuleLoaderPrototype.js:
1116         (requestFetch):
1117         (requestTranslate):
1118         (requestInstantiate):
1119         (requestSatisfy):
1120
1121 2016-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1122
1123         WebAssembly JS API: export a module namespace object instead of a module environment
1124         https://bugs.webkit.org/show_bug.cgi?id=165121
1125
1126         Reviewed by Saam Barati.
1127
1128         This patch sets up AbstractModuleRecord further for WebAssemblyModuleRecord.
1129         For exported entries in a wasm instance, we set up exported entries for
1130         AbstractModuleRecord. This allows us to export WASM exported functions in
1131         the module handling code.
1132
1133         Since the exported entries in the abstract module record are correctly
1134         instantiated, the module namespace object for WASM module also starts
1135         working correctly. So we start exposing the module namespace object
1136         as `instance.exports` instead of the module environment object.
1137
1138         And we move SourceCode, lexicalVariables, and declaredVariables fields to
1139         JSModuleRecord since they are related to JS source code (in the spec words,
1140         they are related to the source text module record).
1141
1142         * runtime/AbstractModuleRecord.cpp:
1143         (JSC::AbstractModuleRecord::AbstractModuleRecord):
1144         * runtime/AbstractModuleRecord.h:
1145         (JSC::AbstractModuleRecord::sourceCode): Deleted.
1146         (JSC::AbstractModuleRecord::declaredVariables): Deleted.
1147         (JSC::AbstractModuleRecord::lexicalVariables): Deleted.
1148         * runtime/JSModuleRecord.cpp:
1149         (JSC::JSModuleRecord::JSModuleRecord):
1150         * runtime/JSModuleRecord.h:
1151         (JSC::JSModuleRecord::sourceCode):
1152         (JSC::JSModuleRecord::declaredVariables):
1153         (JSC::JSModuleRecord::lexicalVariables):
1154         * wasm/WasmFormat.cpp:
1155         * wasm/js/JSWebAssemblyInstance.cpp:
1156         (JSC::JSWebAssemblyInstance::finishCreation):
1157         * wasm/js/WebAssemblyFunction.cpp:
1158         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1159         (JSC::constructJSWebAssemblyInstance):
1160         * wasm/js/WebAssemblyModuleRecord.cpp:
1161         (JSC::WebAssemblyModuleRecord::create):
1162         (JSC::WebAssemblyModuleRecord::WebAssemblyModuleRecord):
1163         (JSC::WebAssemblyModuleRecord::finishCreation):
1164         WebAssemblyModuleRecord::link should perform linking things.
1165         So allocating exported entries should be done here.
1166         (JSC::WebAssemblyModuleRecord::link):
1167         * wasm/js/WebAssemblyModuleRecord.h:
1168
1169 2016-11-30  Mark Lam  <mark.lam@apple.com>
1170
1171         TypeInfo::OutOfLineTypeFlags should be 16 bits in size.
1172         https://bugs.webkit.org/show_bug.cgi?id=165224
1173
1174         Reviewed by Saam Barati.
1175
1176         There's no reason for OutOfLineTypeFlags to be constrained to 8 bits since the
1177         space is available to us.  Making OutOfLineTypeFlags 16 bits brings TypeInfo up
1178         to 32 bits in size from the current 24 bits.
1179
1180         * runtime/JSTypeInfo.h:
1181         (JSC::TypeInfo::TypeInfo):
1182
1183 2016-11-30  Joseph Pecoraro  <pecoraro@apple.com>
1184
1185         REGRESSION: inspector/sampling-profiler/* LayoutTests are flaky timeouts
1186         https://bugs.webkit.org/show_bug.cgi?id=164388
1187         <rdar://problem/29101555>
1188
1189         Reviewed by Saam Barati.
1190
1191         There was a possibility of a deadlock between the main thread and the GC thread
1192         with the SamplingProfiler lock when Inspector is processing samples to send to
1193         the frontend. The Inspector (main thread) was holding the SamplingProfiler lock
1194         while processing samples, which runs JavaScript that could trigger a GC, and
1195         GC then tries to acquire the SamplingProfiler lock to process unprocessed samples.
1196
1197         A simple solution here is to tighten the bounds of when Inspector holds the
1198         SamplingProfiler lock. It only needs the lock when extracting samples from
1199         the SamplingProfiler. It doesn't need to hold the lock for processing those
1200         samples, which is what can run script and cause a GC.
1201
1202         * inspector/agents/InspectorScriptProfilerAgent.cpp:
1203         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
1204         Tighten bounds of this lock to only where it is needed.
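
The lock-scoping fix described in this entry, as an added example in plain C++ that is not JSC's code: the profiler, sample and lock types here are constructed stand-ins (the lock wrapper records ownership so the check can be made without a second thread), and isHeld() stands in for the GC thread's attempt to take the SamplingProfiler lock while samples are being processed. The "before" shape holds the lock across the whole processing loop; the "after" shape takes the samples out under the lock and processes them without it:

```cpp
#include <functional>
#include <mutex>
#include <vector>

// Constructed stand-in for a lock that can report whether it is held,
// so the example can observe what another thread would see.
class TrackedLock {
public:
    void lock() { m_mutex.lock(); m_held = true; }
    void unlock() { m_held = false; m_mutex.unlock(); }
    bool isHeld() const { return m_held; }
private:
    std::mutex m_mutex;
    bool m_held { false };
};

struct Sample { int stackId; }; // constructed; a real sample carries a stack trace

class ProfilerStandIn {
public:
    void addSample(Sample sample)
    {
        std::lock_guard<TrackedLock> guard(m_lock);
        m_unprocessed.push_back(sample);
    }

    // Before: the lock is held for the entire loop. Anything the callback
    // triggers that itself needs m_lock (the GC, in the entry's scenario)
    // cannot make progress, which is the deadlock.
    void processHoldingLock(const std::function<void(const Sample&)>& process)
    {
        std::lock_guard<TrackedLock> guard(m_lock);
        for (const Sample& sample : m_unprocessed)
            process(sample);
        m_unprocessed.clear();
    }

    // After: only the extraction runs under the lock; processing, which may
    // run script and trigger a GC, runs with the lock released.
    void processOutsideLock(const std::function<void(const Sample&)>& process)
    {
        std::vector<Sample> samples;
        {
            std::lock_guard<TrackedLock> guard(m_lock);
            samples.swap(m_unprocessed);
        }
        for (const Sample& sample : samples)
            process(sample);
    }

    // What the GC thread would observe if it tried to take the lock now.
    bool lockIsFree() const { return !m_lock.isHeld(); }

private:
    TrackedLock m_lock;
    std::vector<Sample> m_unprocessed;
};

// Runs both shapes over two constructed samples and reports whether the
// lock was free during every callback, i.e. whether a GC could have run.
bool lockFreeDuringProcessing(bool holdLockWhileProcessing)
{
    ProfilerStandIn profiler;
    profiler.addSample({ 1 });
    profiler.addSample({ 2 });
    bool alwaysFree = true;
    int processed = 0;
    auto process = [&](const Sample&) {
        ++processed;
        alwaysFree = alwaysFree && profiler.lockIsFree();
    };
    if (holdLockWhileProcessing)
        profiler.processHoldingLock(process);
    else
        profiler.processOutsideLock(process);
    return alwaysFree && processed == 2;
}
```

Swapping the vector out under the lock is what keeps the critical section to the minimum the entry calls for: the profiler can keep appending to a fresh buffer while the consumer works on the old one.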
1205
1206 2016-11-30  Mark Lam  <mark.lam@apple.com>
1207
1208         Proxy is not allowed in the global prototype chain.
1209         https://bugs.webkit.org/show_bug.cgi?id=165205
1210
1211         Reviewed by Geoffrey Garen.
1212
1213         * runtime/ProgramExecutable.cpp:
1214         (JSC::ProgramExecutable::initializeGlobalProperties):
1215         - We'll now throw a TypeError if we detect a Proxy in the global prototype chain.
1216
1217 2016-11-30  Commit Queue  <commit-queue@webkit.org>
1218
1219         Unreviewed, rolling out r209112.
1220         https://bugs.webkit.org/show_bug.cgi?id=165208
1221
1222         "It regressed Octane/Raytrace and JetStream" (Requested by
1223         saamyjoon on #webkit).
1224
1225         Reverted changeset:
1226
1227         "We should support CreateThis in the FTL"
1228         https://bugs.webkit.org/show_bug.cgi?id=164904
1229         http://trac.webkit.org/changeset/209112
1230
1231 2016-11-30  Darin Adler  <darin@apple.com>
1232
1233         Streamline and speed up tokenizer and segmented string classes
1234         https://bugs.webkit.org/show_bug.cgi?id=165003
1235
1236         Reviewed by Sam Weinig.
1237
1238         * runtime/JSONObject.cpp:
1239         (JSC::Stringifier::appendStringifiedValue): Use viewWithUnderlyingString when calling
1240         StringBuilder::appendQuotedJSONString, since it now takes a StringView and there is
1241         no benefit in creating a String for that function if one doesn't already exist.
1242
1243 2016-11-29  JF Bastien  <jfbastien@apple.com>
1244
1245         WebAssembly JS API: improve Instance
1246         https://bugs.webkit.org/show_bug.cgi?id=164757
1247
1248         Reviewed by Keith Miller.
1249
1250         An Instance's `exports` property wasn't populated with exports.
1251
1252         According to the spec [0], `exports` should present itself as a WebAssembly
1253         Module Record. In order to do this we need to split JSModuleRecord into
1254         AbstractModuleRecord (without the `link` and `evaluate` functions), and
1255         JSModuleRecord (which implements link and evaluate). We can then have a separate
1256         WebAssemblyModuleRecord which shares most of the implementation.
1257
1258         `exports` then maps function names to WebAssemblyFunction and
1259         WebAssemblyFunctionCell, which call into the B3-generated WebAssembly code.
1260
1261         A follow-up patch will do imports.
1262
1263         A few things of note:
1264
1265          - Use Identifier instead of String. They get uniqued; we need them for the JSModuleNamespaceObject. This is safe because JSWebAssemblyModule creation is on the main thread.
1266          - JSWebAssemblyInstance needs to refer to the JSWebAssemblyModule used to create it, because the module owns the code, identifiers, etc. The world would be very sad if it got GC'd.
1267          - Instance.exports shouldn't use putWithoutTransition because it affects all Structures, whereas here each instance needs its own exports.
1268          - Expose the compiled functions, and pipe them to the InstanceConstructor. Start moving things around to split JSModuleRecord out into JS and WebAssembly parts.
1269
1270           [0]: https://github.com/WebAssembly/design/blob/master/JS.md#webassemblyinstance-constructor
1271
1272         * CMakeLists.txt:
1273         * JavaScriptCore.xcodeproj/project.pbxproj:
1274         * runtime/AbstractModuleRecord.cpp: Copied from Source/JavaScriptCore/runtime/JSModuleRecord.cpp, which I split in two
1275         (JSC::AbstractModuleRecord::AbstractModuleRecord):
1276         (JSC::AbstractModuleRecord::destroy):
1277         (JSC::AbstractModuleRecord::finishCreation):
1278         (JSC::AbstractModuleRecord::visitChildren):
1279         (JSC::AbstractModuleRecord::appendRequestedModule):
1280         (JSC::AbstractModuleRecord::addStarExportEntry):
1281         (JSC::AbstractModuleRecord::addImportEntry):
1282         (JSC::AbstractModuleRecord::addExportEntry):
1283         (JSC::identifierToJSValue):
1284         (JSC::AbstractModuleRecord::hostResolveImportedModule):
1285         (JSC::AbstractModuleRecord::ResolveQuery::ResolveQuery):
1286         (JSC::AbstractModuleRecord::ResolveQuery::isEmptyValue):
1287         (JSC::AbstractModuleRecord::ResolveQuery::isDeletedValue):
1288         (JSC::AbstractModuleRecord::ResolveQuery::Hash::hash):
1289         (JSC::AbstractModuleRecord::ResolveQuery::Hash::equal):
1290         (JSC::AbstractModuleRecord::cacheResolution):
1291         (JSC::getExportedNames):
1292         (JSC::AbstractModuleRecord::getModuleNamespace):
1293         (JSC::printableName):
1294         (JSC::AbstractModuleRecord::dump):
1295         * runtime/AbstractModuleRecord.h: Copied from Source/JavaScriptCore/runtime/JSModuleRecord.h.
1296         (JSC::AbstractModuleRecord::ImportEntry::isNamespace):
1297         (JSC::AbstractModuleRecord::sourceCode):
1298         (JSC::AbstractModuleRecord::moduleKey):
1299         (JSC::AbstractModuleRecord::requestedModules):
1300         (JSC::AbstractModuleRecord::exportEntries):
1301         (JSC::AbstractModuleRecord::importEntries):
1302         (JSC::AbstractModuleRecord::starExportEntries):
1303         (JSC::AbstractModuleRecord::declaredVariables):
1304         (JSC::AbstractModuleRecord::lexicalVariables):
1305         (JSC::AbstractModuleRecord::moduleEnvironment):
1306         * runtime/JSGlobalObject.cpp:
1307         (JSC::JSGlobalObject::init):
1308         (JSC::JSGlobalObject::visitChildren):
1309         * runtime/JSGlobalObject.h:
1310         (JSC::JSGlobalObject::webAssemblyModuleRecordStructure):
1311         (JSC::JSGlobalObject::webAssemblyFunctionStructure):
1312         * runtime/JSModuleEnvironment.cpp:
1313         (JSC::JSModuleEnvironment::create):
1314         (JSC::JSModuleEnvironment::finishCreation):
1315         (JSC::JSModuleEnvironment::getOwnPropertySlot):
1316         (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
1317         (JSC::JSModuleEnvironment::put):
1318         (JSC::JSModuleEnvironment::deleteProperty):
1319         * runtime/JSModuleEnvironment.h:
1320         (JSC::JSModuleEnvironment::create):
1321         (JSC::JSModuleEnvironment::offsetOfModuleRecord):
1322         (JSC::JSModuleEnvironment::allocationSize):
1323         (JSC::JSModuleEnvironment::moduleRecord):
1324         (JSC::JSModuleEnvironment::moduleRecordSlot):
1325         * runtime/JSModuleNamespaceObject.cpp:
1326         (JSC::JSModuleNamespaceObject::finishCreation):
1327         (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
1328         * runtime/JSModuleNamespaceObject.h:
1329         (JSC::JSModuleNamespaceObject::create):
1330         (JSC::JSModuleNamespaceObject::moduleRecord):
1331         * runtime/JSModuleRecord.cpp:
1332         (JSC::JSModuleRecord::createStructure):
1333         (JSC::JSModuleRecord::create):
1334         (JSC::JSModuleRecord::JSModuleRecord):
1335         (JSC::JSModuleRecord::destroy):
1336         (JSC::JSModuleRecord::finishCreation):
1337         (JSC::JSModuleRecord::visitChildren):
1338         (JSC::JSModuleRecord::instantiateDeclarations):
1339         * runtime/JSModuleRecord.h:
1340         * runtime/JSScope.cpp:
1341         (JSC::abstractAccess):
1342         (JSC::JSScope::collectClosureVariablesUnderTDZ):
1343         * runtime/VM.cpp:
1344         (JSC::VM::VM):
1345         * runtime/VM.h:
1346         * wasm/JSWebAssembly.h:
1347         * wasm/WasmFormat.h: use Identifier instead of String
1348         * wasm/WasmModuleParser.cpp:
1349         (JSC::Wasm::ModuleParser::parse):
1350         (JSC::Wasm::ModuleParser::parseType):
1351         (JSC::Wasm::ModuleParser::parseImport): fix off-by-one
1352         (JSC::Wasm::ModuleParser::parseFunction):
1353         (JSC::Wasm::ModuleParser::parseExport):
1354         * wasm/WasmModuleParser.h:
1355         (JSC::Wasm::ModuleParser::ModuleParser):
1356         * wasm/WasmPlan.cpp:
1357         (JSC::Wasm::Plan::run):
1358         * wasm/js/JSWebAssemblyInstance.cpp:
1359         (JSC::JSWebAssemblyInstance::create):
1360         (JSC::JSWebAssemblyInstance::finishCreation):
1361         (JSC::JSWebAssemblyInstance::visitChildren):
1362         * wasm/js/JSWebAssemblyInstance.h:
1363         (JSC::JSWebAssemblyInstance::module):
1364         * wasm/js/JSWebAssemblyModule.cpp:
1365         (JSC::JSWebAssemblyModule::create):
1366         (JSC::JSWebAssemblyModule::finishCreation):
1367         (JSC::JSWebAssemblyModule::visitChildren):
1368         * wasm/js/JSWebAssemblyModule.h:
1369         (JSC::JSWebAssemblyModule::moduleInformation):
1370         (JSC::JSWebAssemblyModule::compiledFunctions):
1371         (JSC::JSWebAssemblyModule::exportSymbolTable):
1372         * wasm/js/WebAssemblyFunction.cpp: Added.
1373         (JSC::callWebAssemblyFunction):
1374         (JSC::WebAssemblyFunction::create):
1375         (JSC::WebAssemblyFunction::createStructure):
1376         (JSC::WebAssemblyFunction::WebAssemblyFunction):
1377         (JSC::WebAssemblyFunction::visitChildren):
1378         (JSC::WebAssemblyFunction::finishCreation):
1379         * wasm/js/WebAssemblyFunction.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyModule.h.
1380         (JSC::CallableWebAssemblyFunction::CallableWebAssemblyFunction):
1381         (JSC::WebAssemblyFunction::webAssemblyFunctionCell):
1382         * wasm/js/WebAssemblyFunctionCell.cpp: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.h.
1383         (JSC::WebAssemblyFunctionCell::create):
1384         (JSC::WebAssemblyFunctionCell::WebAssemblyFunctionCell):
1385         (JSC::WebAssemblyFunctionCell::destroy):
1386         (JSC::WebAssemblyFunctionCell::createStructure):
1387         * wasm/js/WebAssemblyFunctionCell.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.h.
1388         (JSC::WebAssemblyFunctionCell::function):
1389         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1390         (JSC::constructJSWebAssemblyInstance):
1391         * wasm/js/WebAssemblyModuleConstructor.cpp:
1392         (JSC::constructJSWebAssemblyModule):
1393         * wasm/js/WebAssemblyModuleRecord.cpp: Added.
1394         (JSC::WebAssemblyModuleRecord::createStructure):
1395         (JSC::WebAssemblyModuleRecord::create):
1396         (JSC::WebAssemblyModuleRecord::WebAssemblyModuleRecord):
1397         (JSC::WebAssemblyModuleRecord::destroy):
1398         (JSC::WebAssemblyModuleRecord::finishCreation):
1399         (JSC::WebAssemblyModuleRecord::visitChildren):
1400         (JSC::WebAssemblyModuleRecord::link):
1401         (JSC::WebAssemblyModuleRecord::evaluate):
1402         * wasm/js/WebAssemblyModuleRecord.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyModule.h.
1403
1404 2016-11-29  Saam Barati  <sbarati@apple.com>
1405
1406         We should be able to optimize the pattern where we spread a function's rest parameter to another call
1407         https://bugs.webkit.org/show_bug.cgi?id=163865
1408
1409         Reviewed by Filip Pizlo.
1410
1411         This patch optimizes the following patterns to prevent both the allocation
1412         of the rest parameter, and the execution of the iterator protocol:
1413         
1414         ```
1415         function foo(...args) {
1416             let arr = [...args];
1417         }
1418         
1419         and
1420         
1421         function foo(...args) {
1422             bar(...args);
1423         }
1424         ```
1425         
1426         To do this, I've extended the arguments elimination phase to reason
1427         about Spread and NewArrayWithSpread. I've added two new nodes, PhantomSpread
1428         and PhantomNewArrayWithSpread. PhantomSpread is only allowed over rest
1429         parameters that don't escape. If the rest parameter *does* escape, we can't
1430         convert the spread into a phantom because it would not be sound w.r.t. JS
1431         semantics because we would be reading from the call frame even though
1432         the rest array may have changed.
1433         
1434         Note that NewArrayWithSpread also understands what to do when one of its
1435         arguments is PhantomSpread(@PhantomCreateRest) even if it itself is escaped.
1436         
1437         PhantomNewArrayWithSpread is only allowed over a series of
1438         PhantomSpread(@PhantomCreateRest) nodes. Like with PhantomSpread, PhantomNewArrayWithSpread
1439         is only allowed if none of its arguments that are being spread are escaped
1440         and if it itself is not escaped.
1441         
1442         Because there is a dependency between a node being a candidate and
1443         the escaped state of the node's children, I've extended the notion
1444         of escaping a node inside the arguments elimination phase. Now, when
1445         any node is escaped, we must consider all other candidates that may
1446         now no longer be valid.
1447         
1448         For example:
1449         
1450         ```
1451         function foo(...args) {
1452             escape(args);
1453             bar(...args);
1454         }
1455         ```
1456         
1457         In the above program, we don't know if the function call to escape()
1458         modifies args; therefore, the spread cannot become phantom because
1459         the execution of the spread may not be as simple as reading the
1460         arguments from the call frame.
1461         
1462         Unfortunately, the arguments elimination phase does not consider control
1463         flow when doing its escape analysis. It would be good to integrate this
1464         phase with the object allocation sinking phase. To see why, consider
1465         an example where we don't eliminate the spread and allocation of the rest
1466         parameter even though we could:
1467         
1468         ```
1469         function foo(rareCondition, ...args) {
1470             bar(...args);
1471             if (rareCondition)
1472                 baz(args);
1473         }
1474         ```
1475         
1476         There are only a few users of the PhantomSpread and PhantomNewArrayWithSpread
1477         nodes. PhantomSpread is only used by PhantomNewArrayWithSpread and NewArrayWithSpread.
1478         PhantomNewArrayWithSpread is only used by ForwardVarargs and the various
1479         *Call*ForwardVarargs nodes. The users of these phantoms know how to produce
1480         what the phantom node would have produced. For example, NewArrayWithSpread
1481         knows how to produce the values that would have been produced by PhantomSpread(@PhantomCreateRest)
1482         by directly reading from the call frame.
1483         
1484         This patch is a 6% speedup on my MBP on ES6SampleBench.
1485
1486         * b3/B3LowerToAir.cpp:
1487         (JSC::B3::Air::LowerToAir::tryAppendLea):
1488         * b3/B3ValueRep.h:
1489         * builtins/BuiltinExecutables.cpp:
1490         (JSC::BuiltinExecutables::createDefaultConstructor):
1491         * dfg/DFGAbstractInterpreterInlines.h:
1492         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1493         * dfg/DFGArgumentsEliminationPhase.cpp:
1494         * dfg/DFGClobberize.h:
1495         (JSC::DFG::clobberize):
1496         * dfg/DFGDoesGC.cpp:
1497         (JSC::DFG::doesGC):
1498         * dfg/DFGFixupPhase.cpp:
1499         (JSC::DFG::FixupPhase::fixupNode):
1500         * dfg/DFGForAllKills.h:
1501         (JSC::DFG::forAllKillsInBlock):
1502         * dfg/DFGNode.h:
1503         (JSC::DFG::Node::hasConstant):
1504         (JSC::DFG::Node::constant):
1505         (JSC::DFG::Node::bitVector):
1506         (JSC::DFG::Node::isPhantomAllocation):
1507         * dfg/DFGNodeType.h:
1508         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
1509         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
1510         (JSC::DFG::LocalOSRAvailabilityCalculator::LocalOSRAvailabilityCalculator):
1511         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
1512         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
1513         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1514         * dfg/DFGPreciseLocalClobberize.h:
1515         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1516         * dfg/DFGPredictionPropagationPhase.cpp:
1517         * dfg/DFGPromotedHeapLocation.cpp:
1518         (WTF::printInternal):
1519         * dfg/DFGPromotedHeapLocation.h:
1520         * dfg/DFGSafeToExecute.h:
1521         (JSC::DFG::safeToExecute):
1522         * dfg/DFGSpeculativeJIT32_64.cpp:
1523         (JSC::DFG::SpeculativeJIT::compile):
1524         * dfg/DFGSpeculativeJIT64.cpp:
1525         (JSC::DFG::SpeculativeJIT::compile):
1526         * dfg/DFGValidate.cpp:
1527         * ftl/FTLCapabilities.cpp:
1528         (JSC::FTL::canCompile):
1529         * ftl/FTLLowerDFGToB3.cpp:
1530         (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
1531         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1532         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
1533         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
1534         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
1535         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
1536         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs):
1537         (JSC::FTL::DFG::LowerDFGToB3::getSpreadLengthFromInlineCallFrame):
1538         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread):
1539         * ftl/FTLOperations.cpp:
1540         (JSC::FTL::operationPopulateObjectInOSR):
1541         (JSC::FTL::operationMaterializeObjectInOSR):
1542         * jit/SetupVarargsFrame.cpp:
1543         (JSC::emitSetupVarargsFrameFastCase):
1544         * jsc.cpp:
1545         (GlobalObject::finishCreation):
1546         (functionMaxArguments):
1547         * runtime/JSFixedArray.h:
1548         (JSC::JSFixedArray::createFromArray):
1549
1550 2016-11-29  Commit Queue  <commit-queue@webkit.org>
1551
1552         Unreviewed, rolling out r209058 and r209074.
1553         https://bugs.webkit.org/show_bug.cgi?id=165188
1554
1555         These changes caused API test StringBuilderTest.Equal to crash
1556         and/or fail. (Requested by ryanhaddad on #webkit).
1557
1558         Reverted changesets:
1559
1560         "Streamline and speed up tokenizer and segmented string
1561         classes"
1562         https://bugs.webkit.org/show_bug.cgi?id=165003
1563         http://trac.webkit.org/changeset/209058
1564
1565         "REGRESSION (r209058): API test StringBuilderTest.Equal
1566         crashing"
1567         https://bugs.webkit.org/show_bug.cgi?id=165142
1568         http://trac.webkit.org/changeset/209074
1569
1570 2016-11-29  Caitlin Potter  <caitp@igalia.com>
1571
1572         [JSC] always wrap AwaitExpression operand in a new Promise
1573         https://bugs.webkit.org/show_bug.cgi?id=165181
1574
1575         Reviewed by Yusuke Suzuki.
1576
1577         Ensure operand of AwaitExpression is wrapped in a new Promise by
1578         explicitly creating a new Promise Capability and invoking its
1579         resolve callback. This avoids the specified short-circuit for
1580         Promise.resolve().
1581
1582         * builtins/AsyncFunctionPrototype.js:
1583         (globalPrivate.asyncFunctionResume):
1584
1585 2016-11-29  Saam Barati  <sbarati@apple.com>
1586
1587         We should support CreateThis in the FTL
1588         https://bugs.webkit.org/show_bug.cgi?id=164904
1589
1590         Reviewed by Geoffrey Garen.
1591
1592         * ftl/FTLAbstractHeapRepository.h:
1593         * ftl/FTLCapabilities.cpp:
1594         (JSC::FTL::canCompile):
1595         * ftl/FTLLowerDFGToB3.cpp:
1596         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1597         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1598         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1599         (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis):
1600         (JSC::FTL::DFG::LowerDFGToB3::storeStructure):
1601         (JSC::FTL::DFG::LowerDFGToB3::allocateCell):
1602         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1603         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
1604         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
1605         * runtime/Structure.h:
1606
1607 2016-11-29  Mark Lam  <mark.lam@apple.com>
1608
1609         Fix exception scope verification failures in runtime/RegExp* files.
1610         https://bugs.webkit.org/show_bug.cgi?id=165054
1611
1612         Reviewed by Saam Barati.
1613
1614         Also replaced returning JSValue() with returning { }.
1615
1616         * runtime/RegExpConstructor.cpp:
1617         (JSC::toFlags):
1618         (JSC::regExpCreate):
1619         (JSC::constructRegExp):
1620         * runtime/RegExpObject.cpp:
1621         (JSC::RegExpObject::defineOwnProperty):
1622         (JSC::collectMatches):
1623         (JSC::RegExpObject::matchGlobal):
1624         * runtime/RegExpObjectInlines.h:
1625         (JSC::getRegExpObjectLastIndexAsUnsigned):
1626         (JSC::RegExpObject::execInline):
1627         (JSC::RegExpObject::matchInline):
1628         * runtime/RegExpPrototype.cpp:
1629         (JSC::regExpProtoFuncCompile):
1630         (JSC::flagsString):
1631         (JSC::regExpProtoFuncToString):
1632         (JSC::regExpProtoFuncSplitFast):
1633
1634 2016-11-29  Andy Estes  <aestes@apple.com>
1635
1636         [Cocoa] Enable two clang warnings recommended by Xcode
1637         https://bugs.webkit.org/show_bug.cgi?id=164498
1638
1639         Reviewed by Mark Lam.
1640
1641         * Configurations/Base.xcconfig: Enabled CLANG_WARN_INFINITE_RECURSION and CLANG_WARN_SUSPICIOUS_MOVE.
1642
1643 2016-11-29  Keith Miller  <keith_miller@apple.com>
1644
1645         Add simple way to implement Wasm ops that require more than one B3 opcode
1646         https://bugs.webkit.org/show_bug.cgi?id=165129
1647
1648         Reviewed by Geoffrey Garen.
1649
1650         This patch adds a simple way to show the B3IRGenerator opcode script how
1651         to generate code for Wasm opcodes that do not have a one to one mapping.
1652         The syntax is pretty simple right now. There are only three things one
1653         can use as of this patch (although more things might be added in the future):
1654         1) Wasm opcode arguments: These are referred to as @<argument_number>. For example,
1655            I32.sub would map to Sub(@0, @1).
1656         2) 32-bit int constants: These are referred to as i32(<value>). For example, i32.inc
1657            would map to Add(@0, i32(1)).
1658         3) B3 opcodes: These are referred to as the B3 opcode name followed by the B3Value's constructor
1659            arguments. A value may take the result of another value as an argument. For example, you can do
1660            Div(Mul(@0, Add(@0, i32(1))), i32(2)) if there was a b3 opcode that computed the sum from 1 to n.
1661
1662         These scripts are used to implement Wasm's eqz and floating point max/min opcodes. This patch
1663         also adds missing support for the Wasm Neg opcodes.
1664
1665         * jsc.cpp:
1666         (box):
1667         (functionTestWasmModuleFunctions):
1668         * wasm/WasmB3IRGenerator.cpp:
1669         (JSC::Wasm::toB3Op): Deleted.
1670         * wasm/WasmFunctionParser.h:
1671         (JSC::Wasm::FunctionParser<Context>::parseBody):
1672         * wasm/WasmModuleParser.cpp:
1673         (JSC::Wasm::ModuleParser::parseType):
1674         * wasm/WasmParser.h:
1675         (JSC::Wasm::Parser::parseUInt8):
1676         (JSC::Wasm::Parser::parseValueType):
1677         * wasm/generateWasmB3IRGeneratorInlinesHeader.py:
1678         (Source):
1679         (Source.__init__):
1680         (read):
1681         (lex):
1682         (CodeGenerator):
1683         (CodeGenerator.__init__):
1684         (CodeGenerator.advance):
1685         (CodeGenerator.token):
1686         (CodeGenerator.parseError):
1687         (CodeGenerator.consume):
1688         (CodeGenerator.generateParameters):
1689         (CodeGenerator.generateOpcode):
1690         (CodeGenerator.generate):
1691         (temp):
1692         (generateB3OpCode):
1693         (generateI32ConstCode):
1694         (generateB3Code):
1695         (generateSimpleCode):
1696         * wasm/wasm.json:
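
The three syntax elements listed above, handled by a parser and a small evaluator written here as an added example; this is not WebKit's generateWasmB3IRGeneratorInlinesHeader.py, and the AST classes, the evaluator, its unsigned 32-bit wrapping semantics and the eqz script used below are assumptions.

```python
# Added example, not WebKit's generateWasmB3IRGeneratorInlinesHeader.py: a parser and a small
# evaluator for the opcode-script syntax described above. The AST classes, the evaluator and
# its unsigned 32-bit wrapping semantics are assumptions made here for illustration.
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# One token per match: an @argument, an integer literal, an identifier, or punctuation.
TOKEN_RE = re.compile(r"\s*(?:@\d+|-?\d+|[A-Za-z_][A-Za-z0-9_]*|[(),])")

@dataclass
class Arg:                 # @<argument_number>: a Wasm opcode argument
    index: int

@dataclass
class I32:                 # i32(<value>): a 32-bit integer constant
    value: int

@dataclass
class Op:                  # <B3 opcode>(<values>...): a B3 value built from its arguments
    name: str
    args: List["Node"]

Node = Union[Arg, I32, Op]

def lex(script: str) -> List[str]:
    tokens, pos, script = [], 0, script.strip()
    while pos < len(script):
        m = TOKEN_RE.match(script, pos)
        if m is None:
            raise SyntaxError(f"unexpected character at {pos}: {script[pos:pos + 8]!r}")
        tokens.append(m.group(0).strip())
        pos = m.end()
    return tokens

class Parser:              # recursive descent; every value form is self-delimiting
    def __init__(self, tokens: List[str]):
        self.tokens, self.pos = tokens, 0

    def peek(self) -> Optional[str]:
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def consume(self, expected: Optional[str] = None) -> str:
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise SyntaxError(f"expected {(expected or 'a value')!r}, got {tok!r}")
        self.pos += 1
        return tok

    def parse_value(self) -> Node:
        tok = self.consume()
        if tok.startswith("@"):
            return Arg(int(tok[1:]))
        if tok == "i32":
            self.consume("(")
            lit = self.consume()
            if not lit.lstrip("-").isdigit():
                raise SyntaxError(f"i32 constant expected, got {lit!r}")
            self.consume(")")
            return I32(int(lit))
        if tok[0].isalpha() or tok[0] == "_":
            self.consume("(")
            args: List[Node] = []
            while self.peek() != ")":          # comma-separated, possibly nested, values
                if args:
                    self.consume(",")
                args.append(self.parse_value())
            self.consume(")")
            return Op(tok, args)
        raise SyntaxError(f"unexpected token {tok!r}")

def parse(script: str) -> Node:
    parser = Parser(lex(script))
    node = parser.parse_value()
    if parser.peek() is not None:
        raise SyntaxError(f"trailing tokens: {parser.tokens[parser.pos:]}")
    return node

MASK32 = 0xFFFFFFFF
# A few B3-style opcodes over unsigned 32-bit wrapping values (simplified: real B3 Div is
# signed, and the real script emits C++ that builds B3 values instead of evaluating them).
B3_OPS = {
    "Add": lambda a, b: (a + b) & MASK32,
    "Sub": lambda a, b: (a - b) & MASK32,
    "Mul": lambda a, b: (a * b) & MASK32,
    "Div": lambda a, b: a // b,                # ZeroDivisionError on a zero divisor
    "Equal": lambda a, b: int(a == b),
}

def evaluate(node: Node, wasm_args: List[int]) -> int:
    # @n is bound to wasm_args[n]; constants and results are masked to 32 bits.
    if isinstance(node, Arg):
        return wasm_args[node.index] & MASK32   # IndexError if the script uses too many @args
    if isinstance(node, I32):
        return node.value & MASK32
    if node.name not in B3_OPS or len(node.args) != 2:
        raise ValueError(f"unsupported opcode or arity: {node.name}/{len(node.args)}")
    return B3_OPS[node.name](*(evaluate(a, wasm_args) for a in node.args))
```

An eqz rendered as Equal(@0, i32(0)) evaluates to 1 for a zero argument and 0 otherwise, and a malformed script such as a missing closing parenthesis is rejected at parse time rather than producing a partial tree.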
1697
1698 2016-11-29  Mark Lam  <mark.lam@apple.com>
1699
1700         Fix exception scope verification failures in ProxyConstructor.cpp and ProxyObject.cpp.
1701         https://bugs.webkit.org/show_bug.cgi?id=165053
1702
1703         Reviewed by Saam Barati.
1704
1705         Also replaced returning JSValue() with returning { }.
1706
1707         * runtime/ProxyConstructor.cpp:
1708         (JSC::constructProxyObject):
1709         * runtime/ProxyObject.cpp:
1710         (JSC::ProxyObject::structureForTarget):
1711         (JSC::performProxyGet):
1712         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1713         (JSC::ProxyObject::performHasProperty):
1714         (JSC::ProxyObject::getOwnPropertySlotCommon):
1715         (JSC::ProxyObject::performPut):
1716         (JSC::ProxyObject::putByIndexCommon):
1717         (JSC::performProxyCall):
1718         (JSC::performProxyConstruct):
1719         (JSC::ProxyObject::performDelete):
1720         (JSC::ProxyObject::performPreventExtensions):
1721         (JSC::ProxyObject::performIsExtensible):
1722         (JSC::ProxyObject::performDefineOwnProperty):
1723         (JSC::ProxyObject::performGetOwnPropertyNames):
1724         (JSC::ProxyObject::performSetPrototype):
1725         (JSC::ProxyObject::performGetPrototype):
1726
1727 2016-11-28  Matt Baker  <mattbaker@apple.com>
1728
1729         Web Inspector: Debugger should have an option for showing asynchronous call stacks
1730         https://bugs.webkit.org/show_bug.cgi?id=163230
1731         <rdar://problem/28698683>
1732
1733         Reviewed by Joseph Pecoraro.
1734
1735         * inspector/ScriptCallFrame.cpp:
1736         (Inspector::ScriptCallFrame::isNative):
1737         Encapsulate check for native code source URL.
1738
1739         * inspector/ScriptCallFrame.h:
1740         * inspector/ScriptCallStack.cpp:
1741         (Inspector::ScriptCallStack::firstNonNativeCallFrame):
1742         (Inspector::ScriptCallStack::buildInspectorArray):
1743         * inspector/ScriptCallStack.h:
1744         Replace use of Console::StackTrace with Array<Console::CallFrame>.
1745
1746         * inspector/agents/InspectorDebuggerAgent.cpp:
1747         (Inspector::InspectorDebuggerAgent::disable):
1748         (Inspector::InspectorDebuggerAgent::setAsyncStackTraceDepth):
1749         Set number of async frames to store (including boundary frames).
1750         A value of zero disables recording of async call stacks.
1751
1752         (Inspector::InspectorDebuggerAgent::buildAsyncStackTrace):
1753         Helper function for building a linked list of StackTraces.
1754         (Inspector::InspectorDebuggerAgent::didScheduleAsyncCall):
1755         Store a call stack for the script that scheduled the async call.
1756         If the call repeats (e.g. setInterval), the starting reference count is
1757         set to 1. This ensures that dereffing after dispatch won't clear the stack.
1758         If another async call is currently being dispatched, increment the
1759         AsyncCallData reference count for that call.
1760
1761         (Inspector::InspectorDebuggerAgent::didCancelAsyncCall):
1762         Decrement the reference count for the canceled call.
1763
1764         (Inspector::InspectorDebuggerAgent::willDispatchAsyncCall):
1765         Set the identifier for the async callback currently being dispatched,
1766         so that if the debugger pauses during dispatch a stack trace can be
1767         associated with the pause location. If an async call is already being
1768         dispatched, which could be the case when a script schedules an async
1769         call in a nested runloop, do nothing.
1770
1771         (Inspector::InspectorDebuggerAgent::didDispatchAsyncCall):
1772         Decrement the reference count for the canceled call.
1773         (Inspector::InspectorDebuggerAgent::didPause):
1774         If a stored stack trace exists for this location, convert to a protocol
1775         object and send to the frontend.
1776
1777         (Inspector::InspectorDebuggerAgent::didClearGlobalObject):
1778         (Inspector::InspectorDebuggerAgent::clearAsyncStackTraceData):
1779         (Inspector::InspectorDebuggerAgent::refAsyncCallData):
1780         Increment AsyncCallData reference count.
1781         (Inspector::InspectorDebuggerAgent::derefAsyncCallData):
1782         Decrement AsyncCallData reference count. If zero, deref its parent
1783         (if it exists) and remove the AsyncCallData entry.
1784
1785         * inspector/agents/InspectorDebuggerAgent.h:
1786
1787         * inspector/protocol/Console.json:
1788         * inspector/protocol/Network.json:
1789         Replace use of Console.StackTrace with array of Console.CallFrame.
1790
1791         * inspector/protocol/Debugger.json:
1792         New protocol command and event data.
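
The scheduling, dispatch and reference-counting steps described above, modelled in Python as an added example that is not the inspector agent's own code; the identifier shape, the rule that a pending call holds one reference of its own, and the treatment of repeating calls are assumptions of this model.

```python
# Added example, not the inspector agent's code: a model of the AsyncCallData bookkeeping the
# entry above describes. The identifier shape, the rule that a pending call holds one reference
# of its own and the treatment of repeating calls are assumptions made here for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

AsyncCallId = Tuple[str, int]        # assumed shape: (call type such as "setTimeout", callback id)

@dataclass
class AsyncCallData:
    call_stack: List[str]            # frames captured when the call was scheduled
    parent: Optional[AsyncCallId]    # call being dispatched when this one was scheduled
    repeating: bool                  # e.g. setInterval: survives dispatch, released on cancel
    ref_count: int = 1               # the pending call's own reference; children add to it

class AsyncStackTraceTracker:
    def __init__(self, depth: int = 4):
        self._depth = depth          # stacks reported at a pause; 0 disables recording
        self._pending: Dict[AsyncCallId, AsyncCallData] = {}
        self._current: Optional[AsyncCallId] = None   # call whose callback is being dispatched

    def set_async_stack_trace_depth(self, depth: int) -> None:
        self._depth = depth
        if depth == 0:
            self.clear_async_stack_trace_data()

    def clear_async_stack_trace_data(self) -> None:
        self._pending.clear()
        self._current = None

    def did_schedule_async_call(self, ident: AsyncCallId, call_stack: List[str],
                                repeating: bool = False) -> None:
        if self._depth == 0:
            return
        self._pending[ident] = AsyncCallData(list(call_stack), self._current, repeating)
        if self._current is not None:
            self._ref(self._current)   # the child keeps its parent's stack alive

    def did_cancel_async_call(self, ident: AsyncCallId) -> None:
        self._deref(ident)

    def will_dispatch_async_call(self, ident: AsyncCallId) -> bool:
        # A nested runloop can dispatch while another call is current: keep the outer one.
        if self._current is not None or ident not in self._pending:
            return False
        self._current = ident
        return True

    def did_dispatch_async_call(self, ident: AsyncCallId) -> None:
        if self._current != ident:
            return
        self._current = None
        data = self._pending.get(ident)         # may already be gone if cancelled mid-dispatch
        if data is not None and not data.repeating:
            self._deref(ident)

    def async_stack_trace_at_pause(self) -> List[List[str]]:
        # Walk the parent chain from the current call, innermost first, up to the depth limit.
        chain: List[List[str]] = []
        ident = self._current
        while ident is not None and len(chain) < self._depth:
            data = self._pending.get(ident)
            if data is None:
                break
            chain.append(list(data.call_stack))
            ident = data.parent
        return chain

    def has_pending(self, ident: AsyncCallId) -> bool:
        return ident in self._pending

    def pending_count(self) -> int:
        return len(self._pending)

    def _ref(self, ident: AsyncCallId) -> None:
        data = self._pending.get(ident)
        if data is not None:
            data.ref_count += 1

    def _deref(self, ident: AsyncCallId) -> None:
        data = self._pending.get(ident)
        if data is None:
            return
        data.ref_count -= 1
        if data.ref_count == 0:                 # nothing needs this stack: drop it, release parent
            del self._pending[ident]
            if data.parent is not None:
                self._deref(data.parent)
```

A timer scheduled from inside another timer's callback keeps the outer call's stack alive until the inner one has been dispatched, so a pause inside the inner callback can report both stacks, after which both entries are released.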
1793
1794 2016-11-28  Darin Adler  <darin@apple.com>
1795
1796         Streamline and speed up tokenizer and segmented string classes
1797         https://bugs.webkit.org/show_bug.cgi?id=165003
1798
1799         Reviewed by Sam Weinig.
1800
1801         * runtime/JSONObject.cpp:
1802         (JSC::Stringifier::appendStringifiedValue): Use viewWithUnderlyingString when calling
1803         StringBuilder::appendQuotedJSONString, since it now takes a StringView and there is
1804         no benefit in creating a String for that function if one doesn't already exist.
1805
1806 2016-11-21  Mark Lam  <mark.lam@apple.com>
1807
1808         Fix exception scope verification failures in runtime/Intl* files.
1809         https://bugs.webkit.org/show_bug.cgi?id=165014
1810
1811         Reviewed by Saam Barati.
1812
1813         * runtime/IntlCollatorConstructor.cpp:
1814         (JSC::constructIntlCollator):
1815         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
1816         * runtime/IntlCollatorPrototype.cpp:
1817         (JSC::IntlCollatorPrototypeFuncResolvedOptions):
1818         * runtime/IntlDateTimeFormatConstructor.cpp:
1819         (JSC::constructIntlDateTimeFormat):
1820         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
1821         * runtime/IntlDateTimeFormatPrototype.cpp:
1822         (JSC::IntlDateTimeFormatFuncFormatDateTime):
1823         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
1824         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
1825         * runtime/IntlNumberFormatConstructor.cpp:
1826         (JSC::constructIntlNumberFormat):
1827         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
1828         * runtime/IntlNumberFormatPrototype.cpp:
1829         (JSC::IntlNumberFormatFuncFormatNumber):
1830         (JSC::IntlNumberFormatPrototypeGetterFormat):
1831         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
1832         * runtime/IntlObject.cpp:
1833         (JSC::lookupSupportedLocales):
1834         * runtime/IntlObjectInlines.h:
1835         (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
1836
1837 2016-11-28  Mark Lam  <mark.lam@apple.com>
1838
1839         Fix exception scope verification failures in IteratorOperations.h.
1840         https://bugs.webkit.org/show_bug.cgi?id=165015
1841
1842         Reviewed by Saam Barati.
1843
1844         * runtime/IteratorOperations.h:
1845         (JSC::forEachInIterable):
1846
1847 2016-11-28  Mark Lam  <mark.lam@apple.com>
1848
1849         Fix exception scope verification failures in JSArray* files.
1850         https://bugs.webkit.org/show_bug.cgi?id=165016
1851
1852         Reviewed by Saam Barati.
1853
1854         * runtime/JSArray.cpp:
1855         (JSC::JSArray::defineOwnProperty):
1856         (JSC::JSArray::put):
1857         (JSC::JSArray::setLength):
1858         (JSC::JSArray::pop):
1859         (JSC::JSArray::push):
1860         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1861         * runtime/JSArrayBuffer.cpp:
1862         (JSC::JSArrayBuffer::put):
1863         (JSC::JSArrayBuffer::defineOwnProperty):
1864         * runtime/JSArrayInlines.h:
1865         (JSC::getLength):
1866         (JSC::toLength):
1867
1868 2016-11-28  Mark Lam  <mark.lam@apple.com>
1869
1870         Fix exception scope verification failures in JSDataView.cpp.
1871         https://bugs.webkit.org/show_bug.cgi?id=165020
1872
1873         Reviewed by Saam Barati.
1874
1875         * runtime/JSDataView.cpp:
1876         (JSC::JSDataView::put):
1877
1878 2016-11-28  Mark Lam  <mark.lam@apple.com>
1879
1880         Fix exception scope verification failures in JSFunction.cpp.
1881         https://bugs.webkit.org/show_bug.cgi?id=165021
1882
1883         Reviewed by Saam Barati.
1884
1885         * runtime/JSFunction.cpp:
1886         (JSC::JSFunction::put):
1887         (JSC::JSFunction::defineOwnProperty):
1888
1889 2016-11-28  Mark Lam  <mark.lam@apple.com>
1890
1891         Fix exception scope verification failures in runtime/JSGenericTypedArrayView* files.
1892         https://bugs.webkit.org/show_bug.cgi?id=165022
1893
1894         Reviewed by Saam Barati.
1895
1896         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1897         (JSC::constructGenericTypedArrayViewFromIterator):
1898         (JSC::constructGenericTypedArrayViewWithArguments):
1899         (JSC::constructGenericTypedArrayView):
1900         * runtime/JSGenericTypedArrayViewInlines.h:
1901         (JSC::JSGenericTypedArrayView<Adaptor>::set):
1902         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
1903         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1904         (JSC::speciesConstruct):
1905         (JSC::genericTypedArrayViewProtoFuncSet):
1906         (JSC::genericTypedArrayViewProtoFuncJoin):
1907         (JSC::genericTypedArrayViewProtoFuncSlice):
1908         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
1909
1910 2016-11-28  Mark Lam  <mark.lam@apple.com>
1911
1912         Fix exception scope verification failures in runtime/Operations.cpp/h.
1913         https://bugs.webkit.org/show_bug.cgi?id=165046
1914
1915         Reviewed by Saam Barati.
1916
1917         Also switched to using returning { } instead of JSValue().
1918
1919         * runtime/Operations.cpp:
1920         (JSC::jsAddSlowCase):
1921         (JSC::jsIsObjectTypeOrNull):
1922         * runtime/Operations.h:
1923         (JSC::jsStringFromRegisterArray):
1924         (JSC::jsStringFromArguments):
1925         (JSC::jsLess):
1926         (JSC::jsLessEq):
1927
1928 2016-11-28  Mark Lam  <mark.lam@apple.com>
1929
1930         Fix exception scope verification failures in JSScope.cpp.
1931         https://bugs.webkit.org/show_bug.cgi?id=165047
1932
1933         Reviewed by Saam Barati.
1934
1935         * runtime/JSScope.cpp:
1936         (JSC::JSScope::resolve):
1937
1938 2016-11-28  Mark Lam  <mark.lam@apple.com>
1939
1940         Fix exception scope verification failures in JSTypedArrayViewPrototype.cpp.
1941         https://bugs.webkit.org/show_bug.cgi?id=165049
1942
1943         Reviewed by Saam Barati.
1944
1945         * runtime/JSTypedArrayViewPrototype.cpp:
1946         (JSC::typedArrayViewPrivateFuncSort):
1947         (JSC::typedArrayViewProtoFuncSet):
1948         (JSC::typedArrayViewProtoFuncCopyWithin):
1949         (JSC::typedArrayViewProtoFuncIncludes):
1950         (JSC::typedArrayViewProtoFuncLastIndexOf):
1951         (JSC::typedArrayViewProtoFuncIndexOf):
1952         (JSC::typedArrayViewProtoFuncJoin):
1953         (JSC::typedArrayViewProtoGetterFuncBuffer):
1954         (JSC::typedArrayViewProtoGetterFuncLength):
1955         (JSC::typedArrayViewProtoGetterFuncByteLength):
1956         (JSC::typedArrayViewProtoGetterFuncByteOffset):
1957         (JSC::typedArrayViewProtoFuncReverse):
1958         (JSC::typedArrayViewPrivateFuncSubarrayCreate):
1959         (JSC::typedArrayViewProtoFuncSlice):
1960
1961 2016-11-28  Mark Lam  <mark.lam@apple.com>
1962
1963         Fix exception scope verification failures in runtime/Map* files.
1964         https://bugs.webkit.org/show_bug.cgi?id=165050
1965
1966         Reviewed by Saam Barati.
1967
1968         * runtime/MapConstructor.cpp:
1969         (JSC::constructMap):
1970         * runtime/MapIteratorPrototype.cpp:
1971         (JSC::MapIteratorPrototypeFuncNext):
1972         * runtime/MapPrototype.cpp:
1973         (JSC::privateFuncMapIteratorNext):
1974
1975 2016-11-28  Mark Lam  <mark.lam@apple.com>
1976
1977         Fix exception scope verification failures in more miscellaneous files.
1978         https://bugs.webkit.org/show_bug.cgi?id=165102
1979
1980         Reviewed by Saam Barati.
1981
1982         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1983         (JSC::constructJSWebAssemblyInstance):
1984
1985 2016-11-28  Mark Lam  <mark.lam@apple.com>
1986
1987         Fix exception scope verification failures in runtime/Weak* files.
1988         https://bugs.webkit.org/show_bug.cgi?id=165096
1989
1990         Reviewed by Geoffrey Garen.
1991
1992         * runtime/WeakMapConstructor.cpp:
1993         (JSC::constructWeakMap):
1994         * runtime/WeakMapPrototype.cpp:
1995         (JSC::protoFuncWeakMapSet):
1996         * runtime/WeakSetConstructor.cpp:
1997         (JSC::constructWeakSet):
1998         * runtime/WeakSetPrototype.cpp:
1999         (JSC::protoFuncWeakSetAdd):
2000
2001 2016-11-28  Mark Lam  <mark.lam@apple.com>
2002
2003         Fix exception scope verification failures in runtime/String* files.
2004         https://bugs.webkit.org/show_bug.cgi?id=165067
2005
2006         Reviewed by Saam Barati.
2007
2008         * runtime/StringConstructor.cpp:
2009         (JSC::stringFromCodePoint):
2010         (JSC::constructWithStringConstructor):
2011         * runtime/StringObject.cpp:
2012         (JSC::StringObject::put):
2013         (JSC::StringObject::putByIndex):
2014         (JSC::StringObject::defineOwnProperty):
2015         * runtime/StringPrototype.cpp:
2016         (JSC::jsSpliceSubstrings):
2017         (JSC::jsSpliceSubstringsWithSeparators):
2018         (JSC::replaceUsingRegExpSearch):
2019         (JSC::replaceUsingStringSearch):
2020         (JSC::repeatCharacter):
2021         (JSC::replace):
2022         (JSC::stringProtoFuncReplaceUsingStringSearch):
2023         (JSC::stringProtoFuncCharAt):
2024         (JSC::stringProtoFuncCodePointAt):
2025         (JSC::stringProtoFuncConcat):
2026         (JSC::stringProtoFuncIndexOf):
2027         (JSC::stringProtoFuncLastIndexOf):
2028         (JSC::splitStringByOneCharacterImpl):
2029         (JSC::stringProtoFuncSplitFast):
2030         (JSC::stringProtoFuncSubstring):
2031         (JSC::stringProtoFuncToLowerCase):
2032         (JSC::stringProtoFuncToUpperCase):
2033         (JSC::toLocaleCase):
2034         (JSC::trimString):
2035         (JSC::stringProtoFuncIncludes):
2036         (JSC::builtinStringIncludesInternal):
2037         (JSC::stringProtoFuncIterator):
2038         (JSC::normalize):
2039         (JSC::stringProtoFuncNormalize):
2040
2041 2016-11-28  Mark Lam  <mark.lam@apple.com>
2042
2043         Fix exception scope verification failures in ObjectConstructor.cpp and ObjectPrototype.cpp.
2044         https://bugs.webkit.org/show_bug.cgi?id=165051
2045
2046         Reviewed by Saam Barati.
2047
2048         Also,
2049         1. Replaced returning JSValue() with returning { }.
2050         2. Replaced uses of exec->propertyNames() with vm.propertyNames.
2051
2052         * runtime/ObjectConstructor.cpp:
2053         (JSC::constructObject):
2054         (JSC::objectConstructorGetPrototypeOf):
2055         (JSC::objectConstructorGetOwnPropertyDescriptor):
2056         (JSC::objectConstructorGetOwnPropertyDescriptors):
2057         (JSC::objectConstructorGetOwnPropertyNames):
2058         (JSC::objectConstructorGetOwnPropertySymbols):
2059         (JSC::objectConstructorKeys):
2060         (JSC::ownEnumerablePropertyKeys):
2061         (JSC::toPropertyDescriptor):
2062         (JSC::defineProperties):
2063         (JSC::objectConstructorDefineProperties):
2064         (JSC::objectConstructorCreate):
2065         (JSC::setIntegrityLevel):
2066         (JSC::objectConstructorSeal):
2067         (JSC::objectConstructorPreventExtensions):
2068         (JSC::objectConstructorIsSealed):
2069         (JSC::objectConstructorIsFrozen):
2070         (JSC::ownPropertyKeys):
2071         * runtime/ObjectPrototype.cpp:
2072         (JSC::objectProtoFuncValueOf):
2073         (JSC::objectProtoFuncHasOwnProperty):
2074         (JSC::objectProtoFuncIsPrototypeOf):
2075         (JSC::objectProtoFuncDefineGetter):
2076         (JSC::objectProtoFuncDefineSetter):
2077         (JSC::objectProtoFuncLookupGetter):
2078         (JSC::objectProtoFuncLookupSetter):
2079         (JSC::objectProtoFuncToLocaleString):
2080         (JSC::objectProtoFuncToString):
2081
2016-11-26  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in miscellaneous files.
        https://bugs.webkit.org/show_bug.cgi?id=165055

        Reviewed by Saam Barati.

        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncIMul):
        * runtime/ModuleLoaderPrototype.cpp:
        (JSC::moduleLoaderPrototypeParseModule):
        (JSC::moduleLoaderPrototypeRequestedModules):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::Interpreter::constructWithNativeErrorConstructor):
        * runtime/NumberConstructor.cpp:
        (JSC::constructWithNumberConstructor):
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):
        * runtime/SetIteratorPrototype.cpp:
        (JSC::SetIteratorPrototypeFuncNext):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::putEntry):
        (JSC::SparseArrayEntry::put):
        * runtime/TemplateRegistry.cpp:
        (JSC::TemplateRegistry::getTemplateObject):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in ReflectObject.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=165066

        Reviewed by Saam Barati.

        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectConstruct):
        (JSC::reflectObjectDefineProperty):
        (JSC::reflectObjectEnumerate):
        (JSC::reflectObjectGet):
        (JSC::reflectObjectGetOwnPropertyDescriptor):
        (JSC::reflectObjectGetPrototypeOf):
        (JSC::reflectObjectOwnKeys):
        (JSC::reflectObjectSet):

2016-11-24  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in ArrayConstructor.cpp and ArrayPrototype.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=164972

        Reviewed by Geoffrey Garen.

        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        * runtime/ArrayPrototype.cpp:
        (JSC::getProperty):
        (JSC::putLength):
        (JSC::speciesWatchpointsValid):
        (JSC::speciesConstructArray):
        (JSC::shift):
        (JSC::unshift):
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncToLocaleString):
        (JSC::slowJoin):
        (JSC::fastJoin):
        (JSC::arrayProtoFuncJoin):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncPush):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        (JSC::arrayProtoFuncIndexOf):
        (JSC::arrayProtoFuncLastIndexOf):
        (JSC::concatAppendOne):
        (JSC::arrayProtoPrivateFuncConcatMemcpy):
        (JSC::ArrayPrototype::attemptToInitializeSpeciesWatchpoint):

2016-11-28  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in LLIntSlowPaths.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=164969

        Reviewed by Geoffrey Garen.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):
        (JSC::LLInt::setUpCall):
        (JSC::LLInt::varargsSetup):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2016-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Import std::optional reference implementation as WTF::Optional
        https://bugs.webkit.org/show_bug.cgi?id=164199

        Reviewed by Saam Barati and Sam Weinig.

        The previous WTF::Optional::operator= is not compatible with std::optional::operator=.
        std::optional::emplace has the same semantics as the previous one.
        So we change the code to use it.

        * Scripts/builtins/builtins_templates.py:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
        * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::commuteCompareToZeroIntoTest):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::commuteCompareToZeroIntoTest):
        * b3/B3CheckSpecial.cpp:
        (JSC::B3::CheckSpecial::forEachArg):
        (JSC::B3::CheckSpecial::shouldTryAliasingDef):
        * b3/B3CheckSpecial.h:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::scaleForShl):
        (JSC::B3::Air::LowerToAir::effectiveAddr):
        (JSC::B3::Air::LowerToAir::tryAppendLea):
        * b3/B3Opcode.cpp:
        (JSC::B3::invertedCompare):
        * b3/B3Opcode.h:
        * b3/B3PatchpointSpecial.cpp:
        (JSC::B3::PatchpointSpecial::forEachArg):
        * b3/B3StackmapSpecial.cpp:
        (JSC::B3::StackmapSpecial::forEachArgImpl):
        * b3/B3StackmapSpecial.h:
        * b3/B3Value.cpp:
        (JSC::B3::Value::invertedCompare):
        * b3/air/AirArg.h:
        (JSC::B3::Air::Arg::isValidScale):
        (JSC::B3::Air::Arg::isValidAddrForm):
        (JSC::B3::Air::Arg::isValidIndexForm):
        (JSC::B3::Air::Arg::isValidForm):
        * b3/air/AirCustom.h:
        (JSC::B3::Air::PatchCustom::shouldTryAliasingDef):
        * b3/air/AirFixObviousSpills.cpp:
        * b3/air/AirInst.h:
        * b3/air/AirInstInlines.h:
        (JSC::B3::Air::Inst::shouldTryAliasingDef):
        * b3/air/AirIteratedRegisterCoalescing.cpp:
        * b3/air/AirSpecial.cpp:
        (JSC::B3::Air::Special::shouldTryAliasingDef):
        * b3/air/AirSpecial.h:
        * bytecode/BytecodeGeneratorification.cpp:
        (JSC::BytecodeGeneratorification::storageForGeneratorLocal):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::findPC):
        (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
        * bytecode/CodeBlock.h:
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::link):
        * bytecode/UnlinkedFunctionExecutable.h:
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitPutConstantProperty):
        (JSC::ObjectPatternNode::bindValue):
        * debugger/Debugger.cpp:
        (JSC::Debugger::resolveBreakpoint):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::currentPosition):
        * debugger/DebuggerParseData.cpp:
        (JSC::DebuggerPausePositions::breakpointLocationForLineColumn):
        * debugger/DebuggerParseData.h:
        * debugger/ScriptProfilingScope.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::findPC):
        * dfg/DFGJITCode.h:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * dfg/DFGSlowPathGenerator.h:
        (JSC::DFG::SlowPathGenerator::generate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
        (JSC::DFG::SpeculativeJIT::emitUntypedBitOp):
        (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp):
        (JSC::DFG::SpeculativeJIT::compileMathIC):
        (JSC::DFG::SpeculativeJIT::compileArithDiv):
        (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::findPC):
        * ftl/FTLJITCode.h:
        * heap/Heap.cpp:
        (JSC::Heap::collectAsync):
        (JSC::Heap::collectSync):
        (JSC::Heap::collectInThread):
        (JSC::Heap::requestCollection):
        (JSC::Heap::willStartCollection):
        (JSC::Heap::didFinishCollection):
        (JSC::Heap::shouldDoFullCollection):
        * heap/Heap.h:
        (JSC::Heap::collectionScope):
        * heap/HeapSnapshot.cpp:
        (JSC::HeapSnapshot::nodeForCell):
        (JSC::HeapSnapshot::nodeForObjectIdentifier):
        * heap/HeapSnapshot.h:
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::dispatch):
        (Inspector::BackendDispatcher::sendPendingErrors):
        (Inspector::BackendDispatcher::reportProtocolError):
        * inspector/InspectorBackendDispatcher.h:
        * inspector/agents/InspectorHeapAgent.cpp:
        (Inspector::InspectorHeapAgent::nodeForHeapObjectIdentifier):
        (Inspector::InspectorHeapAgent::getPreview):
        (Inspector::InspectorHeapAgent::getRemoteObject):
        * inspector/agents/InspectorHeapAgent.h:
        * inspector/remote/RemoteConnectionToTarget.h:
        * inspector/remote/RemoteConnectionToTarget.mm:
        (Inspector::RemoteConnectionToTarget::targetIdentifier):
        (Inspector::RemoteConnectionToTarget::setup):
        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::updateClientCapabilities):
        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        (_generate_declarations_for_enum_conversion_methods):
        (_generate_declarations_for_enum_conversion_methods.return_type_with_export_macro):
        * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
        (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain.generate_conversion_method_body):
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
        * jit/JITCode.h:
        (JSC::JITCode::findPC):
        * jit/JITDivGenerator.cpp:
        (JSC::JITDivGenerator::generateFastPath):
        * jit/JITOperations.cpp:
        * jit/PCToCodeOriginMap.cpp:
        (JSC::PCToCodeOriginMap::findPC):
        * jit/PCToCodeOriginMap.h:
        * jsc.cpp:
        (WTF::RuntimeArray::getOwnPropertySlot):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * parser/ModuleAnalyzer.cpp:
        (JSC::ModuleAnalyzer::exportVariable):
        * runtime/ConcurrentJSLock.h:
        (JSC::ConcurrentJSLocker::ConcurrentJSLocker):
        * runtime/DefinePropertyAttributes.h:
        (JSC::DefinePropertyAttributes::writable):
        (JSC::DefinePropertyAttributes::configurable):
        (JSC::DefinePropertyAttributes::enumerable):
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertySlot):
        (JSC::GenericArguments<Type>::put):
        (JSC::GenericArguments<Type>::deleteProperty):
        (JSC::GenericArguments<Type>::defineOwnProperty):
        * runtime/HasOwnPropertyCache.h:
        (JSC::HasOwnPropertyCache::get):
        * runtime/HashMapImpl.h:
        (JSC::concurrentJSMapHash):
        * runtime/Identifier.h:
        (JSC::parseIndex):
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::toNumberFromPrimitive):
        (JSC::JSValue::putToPrimitive):
        * runtime/JSCJSValue.h:
        * runtime/JSGenericTypedArrayView.h:
        (JSC::JSGenericTypedArrayView::toAdaptorNativeFromValueWithoutCoercion):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayViewWithArguments):
        (JSC::constructGenericTypedArrayView):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
        (JSC::JSGenericTypedArrayView<Adaptor>::put):
        * runtime/JSModuleRecord.cpp:
        * runtime/JSModuleRecord.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::putDirectMayBeIndex):
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::getOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::putOwnDataPropertyMayBeIndex):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putInline):
        * runtime/JSString.cpp:
        (JSC::JSString::getStringPropertyDescriptor):
        * runtime/JSString.h:
        (JSC::JSString::getStringPropertySlot):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::parse):
        * runtime/MathCommon.h:
        (JSC::safeReciprocalForDivByConst):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncHasOwnProperty):
        * runtime/PropertyDescriptor.h:
        (JSC::toPropertyDescriptor):
        * runtime/PropertyName.h:
        (JSC::parseIndex):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        * runtime/StringObject.cpp:
        (JSC::StringObject::put):
        (JSC::isStringOwnProperty):
        (JSC::StringObject::deleteProperty):
        * runtime/ToNativeFromValue.h:
        (JSC::toNativeFromValueWithoutCoercion):
        * runtime/TypedArrayAdaptors.h:
        (JSC::IntegralTypedArrayAdaptor::toNativeFromInt32WithoutCoercion):
        (JSC::IntegralTypedArrayAdaptor::toNativeFromUint32WithoutCoercion):
        (JSC::IntegralTypedArrayAdaptor::toNativeFromDoubleWithoutCoercion):
        (JSC::FloatTypedArrayAdaptor::toNativeFromInt32WithoutCoercion):
        (JSC::FloatTypedArrayAdaptor::toNativeFromDoubleWithoutCoercion):
        (JSC::Uint8ClampedAdaptor::toNativeFromInt32WithoutCoercion):
        (JSC::Uint8ClampedAdaptor::toNativeFromDoubleWithoutCoercion):

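The semantic difference the entry above relies on (an `operator=` that assigns into the held value versus an `emplace` that destroys and reconstructs it) can be made observable with an instrumented value type. The following is an added example and not WebKit code; `Tracked`, `Counts` and the three scenario functions are constructed here to count which special member functions `std::optional` invokes.

```cpp
// Added example (not WebKit's code): how std::optional::operator= and
// std::optional::emplace differ when the optional already holds a value.
#include <optional>
#include <string>
#include <utility>

// Tally of what happened to every Tracked object that points at it.
struct Counts {
    int constructed = 0;  // any constructor (including copy/move)
    int assigned = 0;     // copy or move assignment into an existing object
    int destroyed = 0;    // destructor
};

// A value type that reports each special member function it runs.
struct Tracked {
    Tracked(Counts& c, std::string v) : counts(&c), value(std::move(v)) { ++counts->constructed; }
    Tracked(const Tracked& o) : counts(o.counts), value(o.value) { ++counts->constructed; }
    Tracked(Tracked&& o) noexcept : counts(o.counts), value(std::move(o.value)) { ++counts->constructed; }
    Tracked& operator=(const Tracked& o) { value = o.value; ++counts->assigned; return *this; }
    Tracked& operator=(Tracked&& o) noexcept { value = std::move(o.value); ++counts->assigned; return *this; }
    ~Tracked() { ++counts->destroyed; }

    Counts* counts;
    std::string value;
};

// Engaged optional replaced with operator=: std::optional assigns the new
// value into the existing element. The old element is never destroyed.
// Expected on return: constructed 1 (the temporary), assigned 1,
// destroyed 2 (the temporary, then the optional's element at scope exit).
void replaceViaAssignment(Counts& c)
{
    std::optional<Tracked> opt;
    opt.emplace(c, "first");
    c = Counts{};                  // count only the replacement step
    opt = Tracked(c, "second");    // move-assigns into "first"
}

// Engaged optional replaced with emplace: the old element is destroyed and
// a new one is constructed in place; no assignment operator runs.
// Expected on return: constructed 1, assigned 0, destroyed 2.
void replaceViaEmplace(Counts& c)
{
    std::optional<Tracked> opt;
    opt.emplace(c, "first");
    c = Counts{};
    opt.emplace(c, "second");      // destroys "first", constructs "second"
}

// Disengaged optional assigned from a value: here operator= and emplace
// agree, because there is nothing to assign into, so a new element is
// constructed. Expected on return: constructed 2 (temporary + element),
// assigned 0, destroyed 2.
void assignIntoEmpty(Counts& c)
{
    std::optional<Tracked> opt;
    opt = Tracked(c, "only");
}
```

The practical consequence is the one the entry acts on: code written against the old `WTF::Optional::operator=` (destroy-and-reconstruct semantics) must call `emplace` on `std::optional` to keep that behaviour, and a contained type that is constructible but not assignable only works through `emplace` at all.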
2016-11-26  Sam Weinig  <sam@webkit.org>

        Convert IntersectionObserver over to using RuntimeEnabledFeatures so it can be properly excluded from script
        https://bugs.webkit.org/show_bug.cgi?id=164965

        Reviewed by Simon Fraser.

        * runtime/CommonIdentifiers.h:
        Add identifiers needed for RuntimeEnabledFeatures.

2016-11-23  Zan Dobersek  <zdobersek@igalia.com>

        Remove ENABLE_ASSEMBLER_WX_EXCLUSIVE code
        https://bugs.webkit.org/show_bug.cgi?id=165027

        Reviewed by Darin Adler.

        Remove the code guarded with ENABLE(ASSEMBLER_WX_EXCLUSIVE).
        No port enables this and the guarded code doesn't build at all,
        so it's safe to say it's abandoned.

        * jit/ExecutableAllocator.cpp:
        (JSC::ExecutableAllocator::initializeAllocator):
        (JSC::ExecutableAllocator::ExecutableAllocator):
        (JSC::ExecutableAllocator::reprotectRegion): Deleted.

2016-11-18  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in JSC profiler files.
        https://bugs.webkit.org/show_bug.cgi?id=164971

        Reviewed by Saam Barati.

        * profiler/ProfilerBytecodeSequence.cpp:
        (JSC::Profiler::BytecodeSequence::addSequenceProperties):
        * profiler/ProfilerCompilation.cpp:
        (JSC::Profiler::Compilation::toJS):
        * profiler/ProfilerDatabase.cpp:
        (JSC::Profiler::Database::toJS):
        (JSC::Profiler::Database::toJSON):
        * profiler/ProfilerOSRExitSite.cpp:
        (JSC::Profiler::OSRExitSite::toJS):
        * profiler/ProfilerOriginStack.cpp:
        (JSC::Profiler::OriginStack::toJS):

2016-11-22  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in JSONObject.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=165025

        Reviewed by Saam Barati.

        * runtime/JSONObject.cpp:
        (JSC::gap):
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::stringify):
        (JSC::Stringifier::toJSON):
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::Walker::walk):
        (JSC::JSONProtoFuncParse):
        (JSC::JSONProtoFuncStringify):
        (JSC::JSONStringify):

2016-11-21  Mark Lam  <mark.lam@apple.com>

        Removed an extra space character at the end of line.

        Not reviewed.

        * runtime/JSCell.cpp:
        (JSC::JSCell::toNumber):

2016-11-21  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in FunctionConstructor.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=165011

        Reviewed by Saam Barati.

        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunction):
        (JSC::constructFunctionSkippingEvalEnabledCheck):

2016-11-21  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in GetterSetter.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=165013

        Reviewed by Saam Barati.

        * runtime/GetterSetter.cpp:
        (JSC::callGetter):
        (JSC::callSetter):

2016-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        Crash in com.apple.JavaScriptCore: WTF::ThreadSpecific<WTF::WTFThreadData, + 142
        https://bugs.webkit.org/show_bug.cgi?id=164898

        Reviewed by Darin Adler.

        The callsite object (JSArray) of a tagged template literal is managed by WeakGCMap since
        the same tagged template literal needs to return an identical object.
        The problem is that we used TemplateRegistryKey as the key of the WeakGCMap. WeakGCMap
        can prune its entries in the collector thread. At that time, this TemplateRegistryKey
        is deallocated. Since it includes String (and then, StringImpl), we accidentally call
        ref(), deref() and StringImpl::destroy() in a different thread from the main thread
        while this TemplateRegistryKey is allocated in the main thread.

        Instead, we use TemplateRegistryKey* as the key of WeakGCMap. Then, to keep its liveness
        while the entry of the WeakGCMap is alive, the callsite object has a reference to
        the JSTemplateRegistryKey, and it holds Ref<TemplateRegistryKey>.

        And now we need to look up the WeakGCMap with TemplateRegistryKey*. To do so, we create
        an interning system for TemplateRegistryKey. It is similar to AtomicStringTable and
        SymbolRegistry. TemplateRegistryKey is allocated from this table. This table atomizes the
        TemplateRegistryKey, so we can use pointer comparison between TemplateRegistryKeys.
        It allows us to look up the entry in the WeakGCMap by TemplateRegistryKey*.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/BuiltinNames.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addTemplateRegistryKeyConstant):
        (JSC::BytecodeGenerator::emitGetTemplateObject):
        * bytecompiler/BytecodeGenerator.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::getTemplateObject):
        * runtime/JSTemplateRegistryKey.cpp:
        (JSC::JSTemplateRegistryKey::JSTemplateRegistryKey):
        (JSC::JSTemplateRegistryKey::create):
        * runtime/JSTemplateRegistryKey.h:
        * runtime/TemplateRegistry.cpp:
        (JSC::TemplateRegistry::getTemplateObject):
        * runtime/TemplateRegistry.h:
        * runtime/TemplateRegistryKey.cpp: Copied from Source/JavaScriptCore/runtime/TemplateRegistry.h.
        (JSC::TemplateRegistryKey::~TemplateRegistryKey):
        * runtime/TemplateRegistryKey.h:
        (JSC::TemplateRegistryKey::calculateHash):
        (JSC::TemplateRegistryKey::create):
        (JSC::TemplateRegistryKey::TemplateRegistryKey):
        * runtime/TemplateRegistryKeyTable.cpp: Added.
        (JSC::TemplateRegistryKeyTranslator::hash):
        (JSC::TemplateRegistryKeyTranslator::equal):
        (JSC::TemplateRegistryKeyTranslator::translate):
        (JSC::TemplateRegistryKeyTable::~TemplateRegistryKeyTable):
        (JSC::TemplateRegistryKeyTable::createKey):
        (JSC::TemplateRegistryKeyTable::unregister):
        * runtime/TemplateRegistryKeyTable.h: Copied from Source/JavaScriptCore/runtime/JSTemplateRegistryKey.h.
        (JSC::TemplateRegistryKeyTable::KeyHash::hash):
        (JSC::TemplateRegistryKeyTable::KeyHash::equal):
        * runtime/VM.h:
        (JSC::VM::templateRegistryKeyTable):

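The interning pattern the entry above introduces, as an added example that is not WebKit's code: a table that hands out exactly one live key object per distinct content, so that a map keyed by the key's pointer (the role `WeakGCMap<TemplateRegistryKey*, ...>` plays in the fix) finds the same entry for every evaluation of the same template site, and the key's content is only freed when its last owner, not the map, lets go of it. `TemplateKey`, `KeyTable` and `runInternCheck` are hypothetical names; `std::shared_ptr` stands in for `Ref`/`unregister`-on-destroy, and the sketch is single-threaded.

```cpp
// Added example (not WebKit's code): an interning table so equal key
// content always yields the same pointer, and a pointer-keyed cache on top.
#include <cstddef>
#include <memory>
#include <string>
#include <unordered_map>
#include <vector>

// Hypothetical stand-in for a template registry key: the raw strings of a
// template site plus the identity string the table indexes them by.
struct TemplateKey {
    std::string id;                     // length-prefixed encoding of rawStrings
    std::vector<std::string> rawStrings;
};

// At most one live TemplateKey per distinct content. Keys are handed out as
// shared_ptr; when the last owner releases one, the custom deleter removes
// the table entry (unregister-on-destroy). The table must outlive every key
// it created. No locking: this sketch assumes a single thread.
class KeyTable {
public:
    std::shared_ptr<TemplateKey> createKey(std::vector<std::string> rawStrings)
    {
        std::string id = encode(rawStrings);
        auto it = m_table.find(id);
        if (it != m_table.end()) {
            if (auto existing = it->second.lock())
                return existing;        // equal content -> identical pointer
        }
        std::shared_ptr<TemplateKey> key(
            new TemplateKey{id, std::move(rawStrings)},
            [this](TemplateKey* k) { unregister(k->id); delete k; });
        m_table[id] = key;              // table holds only a weak reference
        return key;
    }

    std::size_t size() const { return m_table.size(); }

private:
    // Length-prefix each string so {"a","bc"} and {"ab","c"} get different ids.
    static std::string encode(const std::vector<std::string>& strings)
    {
        std::string out;
        for (const auto& s : strings) {
            out += std::to_string(s.size());
            out += ':';
            out += s;
        }
        return out;
    }

    void unregister(const std::string& id) { m_table.erase(id); }

    std::unordered_map<std::string, std::weak_ptr<TemplateKey>> m_table;
};

// What a practitioner would check about the table's behaviour.
struct InternCheck {
    bool samePointerForEqualContent;
    bool distinctPointerForDifferentContent;
    bool pointerKeyedLookupHits;
    std::size_t entriesWhileLive;
    std::size_t entriesAfterRelease;
};

InternCheck runInternCheck()
{
    KeyTable table;
    InternCheck r{};
    auto first = table.createKey({"a", "bc"});
    auto again = table.createKey({"a", "bc"});   // same site evaluated again
    auto other = table.createKey({"ab", "c"});   // would collide under naive concatenation
    r.samePointerForEqualContent = first.get() == again.get();
    r.distinctPointerForDifferentContent = first.get() != other.get();

    // A cache keyed by pointer only works because equal content always
    // yields the same pointer; this is the lookup the entry describes.
    std::unordered_map<const TemplateKey*, int> callSiteObjects;
    callSiteObjects[first.get()] = 42;
    r.pointerKeyedLookupHits = callSiteObjects.count(again.get()) == 1;

    r.entriesWhileLive = table.size();            // 2 distinct contents
    first.reset();
    again.reset();                                 // last owner gone: entry unregistered
    r.entriesAfterRelease = table.size();         // 1
    return r;
}
```

Two properties matter for the crash the entry fixes. Ownership of the key's content rests with the holders of the `shared_ptr` (the callsite object's `Ref` in the real fix), so pruning the pointer-keyed map never frees a string; and because the table dedupes by content, the map's pointer comparison is exact rather than a heuristic.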
2016-11-21  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in runtime/Error* files.
        https://bugs.webkit.org/show_bug.cgi?id=164998

        Reviewed by Darin Adler.

        * runtime/ErrorConstructor.cpp:
        (JSC::Interpreter::constructWithErrorConstructor):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::create):
        * runtime/ErrorInstance.h:
        * runtime/ErrorPrototype.cpp:
        (JSC::errorProtoFuncToString):

2016-11-21  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in *Executable.cpp files.
        https://bugs.webkit.org/show_bug.cgi?id=164996

        Reviewed by Darin Adler.

        * runtime/DirectEvalExecutable.cpp:
        (JSC::DirectEvalExecutable::create):
        * runtime/IndirectEvalExecutable.cpp:
        (JSC::IndirectEvalExecutable::create):
        * runtime/ProgramExecutable.cpp:
        (JSC::ProgramExecutable::initializeGlobalProperties):
        * runtime/ScriptExecutable.cpp:
        (JSC::ScriptExecutable::prepareForExecutionImpl):

2016-11-20  Zan Dobersek  <zdobersek@igalia.com>

        [EncryptedMedia] Make EME API runtime-enabled
        https://bugs.webkit.org/show_bug.cgi?id=164927

        Reviewed by Jer Noble.

        * runtime/CommonIdentifiers.h: Add the necessary identifiers.

2016-11-20  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in ConstructData.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=164976

        Reviewed by Darin Adler.

        * runtime/ConstructData.cpp:
        (JSC::construct):

2016-11-20  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in CommonSlowPaths.cpp/h.
        https://bugs.webkit.org/show_bug.cgi?id=164975

        Reviewed by Darin Adler.

        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::opIn):

2016-11-20  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in DateConstructor.cpp and DatePrototype.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=164995

        Reviewed by Darin Adler.

        * runtime/DateConstructor.cpp:
        (JSC::millisecondsFromComponents):
        (JSC::constructDate):
        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncToPrimitiveSymbol):

2016-11-20  Caitlin Potter  <caitp@igalia.com>

        [JSC] speed up parsing of async functions
        https://bugs.webkit.org/show_bug.cgi?id=164808

        Reviewed by Yusuke Suzuki.

        Minor adjustments to Parser in order to mitigate slowdown with async
        function parsing enabled:

          - Tokenize "async" as a keyword
          - Perform less branching in various areas of the Parser

        * parser/Keywords.table:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseStatementListItem):
        (JSC::Parser<LexerType>::parseStatement):
        (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
        (JSC::Parser<LexerType>::parseClass):
        (JSC::Parser<LexerType>::parseExportDeclaration):
        (JSC::Parser<LexerType>::parseAssignmentExpression):
        (JSC::Parser<LexerType>::parseProperty):
        (JSC::Parser<LexerType>::createResolveAndUseVariable):
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        (JSC::Parser<LexerType>::parseMemberExpression):
        (JSC::Parser<LexerType>::printUnexpectedTokenText):
        * parser/Parser.h:
        (JSC::isAnyContextualKeyword):
        (JSC::isIdentifierOrAnyContextualKeyword):
        (JSC::isSafeContextualKeyword):
        (JSC::Parser::matchSpecIdentifier):
        * parser/ParserTokens.h:
        * runtime/CommonIdentifiers.h:

2016-11-19  Mark Lam  <mark.lam@apple.com>

        Add --timeoutMultiplier option to allow some tests more time to run.
        https://bugs.webkit.org/show_bug.cgi?id=164951

        Reviewed by Yusuke Suzuki.

        * jsc.cpp:
        (timeoutThreadMain):
        - Modified to factor in a timeout multiplier that can adjust the timeout duration.
        (startTimeoutThreadIfNeeded):
        - Moved the code that starts the timeout thread here from main() so that we can
        call it after command line args have been parsed instead.
        (main):
        - Deleted old timeout thread starting code.
        (CommandLine::parseArguments):
        - Added parsing of the --timeoutMultiplier option.
        (jscmain):
        - Start the timeout thread if needed after we've parsed the command line args.

2016-11-19  Mark Lam  <mark.lam@apple.com>

        Fix missing exception checks in JSC inspector files.
        https://bugs.webkit.org/show_bug.cgi?id=164959

        Reviewed by Saam Barati.

        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::getInternalProperties):
        (Inspector::JSInjectedScriptHost::weakMapEntries):
        (Inspector::JSInjectedScriptHost::weakSetEntries):
        (Inspector::JSInjectedScriptHost::iteratorEntries):
        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::JSJavaScriptCallFrame::scopeDescriptions):

2016-11-18  Mark Lam  <mark.lam@apple.com>

        Fix missing exception checks in DFGOperations.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=164958

        Reviewed by Geoffrey Garen.

        * dfg/DFGOperations.cpp:

2016-11-18  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in ShadowChicken.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=164966

        Reviewed by Saam Barati.

        * interpreter/ShadowChicken.cpp:
        (JSC::ShadowChicken::functionsOnStack):

2016-11-18  Jeremy Jones  <jeremyj@apple.com>

        Add runtime flag to enable pointer lock. Enable pointer lock feature for mac.
        https://bugs.webkit.org/show_bug.cgi?id=163801

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:

2016-11-18  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix cloop.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::stronglyVisitStrongReferences):

2016-11-18  Filip Pizlo  <fpizlo@apple.com>

        Concurrent GC should be able to run splay in debug mode and earley/raytrace in release mode with no perf regression
        https://bugs.webkit.org/show_bug.cgi?id=164282

        Reviewed by Geoffrey Garen and Oliver Hunt.

        The three remaining bugs were:

        - Improper ordering inside putDirectWithoutTransition() and friends. We need to make sure
          that the GC doesn't see the store to Structure::m_offset until we've resized the butterfly.
          That proved a bit tricky. On the other hand, this means that we could probably remove the
          requirement that the GC holds the Structure lock in some cases. I haven't removed that lock
          yet because I still think it might protect some weird cases, and it doesn't seem to cost us
          anything.

        - CodeBlock's GC strategy needed to be made thread-safe (visitWeakly, visitChildren, and
          their friends now hold locks) and incremental-safe (we need to update predictions in the
          finalizer to make sure we clear anything that was put into a value profile towards the end
          of GC).

        - The GC timeslicing scheduler needed to be made a bit more aggressive to deal with
          generational workloads like earley, raytrace, and CDjs. Once I got those benchmarks to run,
          I found that they would do many useless iterations of GC because they wouldn't pause long
          enough after rescanning weak references and roots. I added a bunch of knobs for forcing a
          pause. In the end, I realized that I could get the desired effect by putting a ceiling on
          mutator utilization. We want the GC to finish quickly if it is possible to do so, even if
          the amount of allocation that the mutator had done is low. Having a utilization ceiling
          seems to accomplish this for benchmarks with trivial heaps (earley and raytrace) as well as
          huge heaps (like CDjs in its "large" configuration).

        This preserves splay performance, makes the concurrent GC more stable, and makes the
        concurrent GC not a perf regression on earley or raytrace. It seems to give us great CDjs
        performance as well, but this is still hard to tell because we crash a lot in that benchmark.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::visitWeakly):
        (JSC::CodeBlock::visitChildren):
        (JSC::CodeBlock::shouldVisitStrongly):
        (JSC::CodeBlock::shouldJettisonDueToOldAge):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::determineLiveness):
        (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences):
        (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally):
        (JSC::CodeBlock::visitOSRExitTargets):
        (JSC::CodeBlock::stronglyVisitStrongReferences):
        (JSC::CodeBlock::stronglyVisitWeakReferences):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled):
        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
        * heap/Heap.cpp:
        (JSC::Heap::ResumeTheWorldScope::ResumeTheWorldScope):
        (JSC::Heap::markToFixpoint):
        (JSC::Heap::beginMarking):
        (JSC::Heap::addToRememberedSet):
        (JSC::Heap::collectInThread):
        * heap/Heap.h:
        * heap/HeapInlines.h:
        (JSC::Heap::mutatorFence):
        * heap/MarkedBlock.cpp:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::finishCreation):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putDirectWithoutTransition):
2816         (JSC::JSObject::putDirectInternal):
2817         * runtime/Options.h:
2818         * runtime/Structure.cpp:
2819         (JSC::Structure::add):
2820         * runtime/Structure.h:
2821         * runtime/StructureInlines.h:
2822         (JSC::Structure::add):
2823
2824 2016-11-18  Joseph Pecoraro  <pecoraro@apple.com>
2825
2826         Web Inspector: Generator functions should have a displayable name when shown in stack traces
2827         https://bugs.webkit.org/show_bug.cgi?id=164844
2828         <rdar://problem/29300697>
2829
2830         Reviewed by Yusuke Suzuki.
2831
2832         * parser/SyntaxChecker.h:
2833         (JSC::SyntaxChecker::createGeneratorFunctionBody):
2834         * parser/ASTBuilder.h:
2835         (JSC::ASTBuilder::createGeneratorFunctionBody):
2836         New way to create a generator function with an inferred name.
2837
2838         * parser/Parser.cpp:
2839         (JSC::Parser<LexerType>::parseInner):
2840         (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
2841         * parser/Parser.h:
2842         Pass on the name of the generator wrapper function so we can
2843         use it on the inner generator function.
2844
2845 2016-11-17  Ryosuke Niwa  <rniwa@webkit.org>
2846
2847         Add an experimental API to find elements across shadow boundaries
2848         https://bugs.webkit.org/show_bug.cgi?id=164851
2849         <rdar://problem/28220092>
2850
2851         Reviewed by Sam Weinig.
2852
2853         * runtime/CommonIdentifiers.h:
2854
2855 2016-11-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2856
2857         [JSC] Drop arguments.caller
2858         https://bugs.webkit.org/show_bug.cgi?id=164859
2859
2860         Reviewed by Saam Barati.
2861
2862         Originally, some JavaScript engines had an `arguments.caller` property.
2863         But it easily causes information leaks and becomes an obstacle
2864         for Secure ECMAScript (SES). In ES5, we made it deprecated in strict
2865         mode. To do so, we explicitly set a "caller" getter that throws a TypeError
2866         on arguments in strict mode.
2867
2868         But now, there is no modern engine which supports `arguments.caller`
2869         in sloppy mode. So the original compatibility problem is gone, and
2870         the "caller" getter on strict mode arguments becomes meaningless.
2871
2872         ES2017 drops this from the spec. In this patch, we also drop
2873         the strict mode `arguments.caller` support.
2874
2875         Note that Function#caller is still alive.
2876
2877         * runtime/ClonedArguments.cpp:
2878         (JSC::ClonedArguments::getOwnPropertySlot):
2879         (JSC::ClonedArguments::put):
2880         (JSC::ClonedArguments::deleteProperty):
2881         (JSC::ClonedArguments::defineOwnProperty):
2882         (JSC::ClonedArguments::materializeSpecials):
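
        The behaviour this entry describes can be checked from script. The probe below is an added example, not JavaScriptCore code: it builds functions with the Function constructor (so strictness comes from the body string, not from the file's own mode) and reports whether `arguments.caller` is simply absent in both modes, while `Function#caller` is still a poisoned accessor for strict functions. The helper names are this example's own; the expected results hold on any engine that has dropped `arguments.caller`, which the entry says all modern engines have.

```javascript
// Added example, not JavaScriptCore code: probes an engine for the behaviour
// described in the ChangeLog entry. After the change, a strict-mode arguments
// object has no "caller" property at all (neither an own accessor nor an
// inherited value), while Function#caller, which the entry keeps, is still a
// poisoned accessor for strict functions.

// The Function constructor builds sloppy-mode functions unless the body itself
// starts with a "use strict" directive, so strictness is controlled here by the
// body string rather than by this file's own mode.
function makeProbe(strict, body) {
  return new Function((strict ? '"use strict"; ' : '') + body);
}

// Own property descriptor of arguments.caller, or undefined if there is none.
function argumentsCallerDescriptor(strict) {
  return makeProbe(strict, 'return Object.getOwnPropertyDescriptor(arguments, "caller");')();
}

// True when arguments.caller behaves like any other missing property: not found
// anywhere on the chain, reads as undefined instead of throwing, and no own
// descriptor. A poisoned getter (the pre-change strict-mode behaviour) would
// throw a TypeError inside the probe and make this return false.
function argumentsCallerIsAbsent(strict) {
  const probe = makeProbe(strict, 'return ("caller" in arguments) || arguments.caller !== undefined;');
  try {
    if (probe()) return false;      // present somewhere on the chain, or has a value
  } catch (e) {
    return false;                   // a poisoned getter throws here
  }
  return argumentsCallerDescriptor(strict) === undefined;
}

// Function#caller is a different property: it lives on Function.prototype as an
// accessor, and reading it on a strict-mode function throws a TypeError.
function functionCallerStillPoisoned() {
  const desc = Object.getOwnPropertyDescriptor(Function.prototype, 'caller');
  const isAccessor = desc !== undefined && typeof desc.get === 'function';
  const strictFn = makeProbe(true, 'return 0;');
  let threw = false;
  try {
    void strictFn.caller;
  } catch (e) {
    threw = e instanceof TypeError;
  }
  return isAccessor && threw;
}

console.log('strict arguments.caller absent:', argumentsCallerIsAbsent(true));
console.log('sloppy arguments.caller absent:', argumentsCallerIsAbsent(false));
console.log('Function#caller still poisoned for strict functions:', functionCallerStillPoisoned());
```

        Running the probe in a current engine prints `true` three times; an engine that still carries the old poisoned strict-mode getter fails the first check because the read throws.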
2883
2884 2016-11-17  Mark Lam  <mark.lam@apple.com>
2885
2886         Inlining should be disallowed when JSC_alwaysUseShadowChicken=true.
2887         https://bugs.webkit.org/show_bug.cgi?id=164893
2888         <rdar://problem/29146436>
2889
2890         Reviewed by Saam Barati.
2891
2892         * runtime/Options.cpp:
2893         (JSC::recomputeDependentOptions):
2894
2895 2016-11-17  Filip Pizlo  <fpizlo@apple.com>
2896
2897         Speculatively disable eager object zero-fill on not-x86 to let the bots decide if that's a problem
2898         https://bugs.webkit.org/show_bug.cgi?id=164885
2899
2900         Reviewed by Mark Lam.
2901         
2902         This adds a useGCFences() function that we use to guard all eager object zero-fill and the
2903         related fences. It currently returns true only on x86().
2904         
2905         The goal here is to get the bots to tell us if this code is responsible for perf issues on
2906         any non-x86 platforms. We have a few different paths that we can pursue if this turns out
2907         to be the case. Eager zero-fill is merely the easiest way to optimize out some fences, but
2908         we could get rid of it and instead teach B3 how to think about fences.
2909
2910         * assembler/CPU.h:
2911         (JSC::useGCFences):
2912         * bytecode/PolymorphicAccess.cpp:
2913         (JSC::AccessCase::generateImpl):
2914         * dfg/DFGSpeculativeJIT.cpp:
2915         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2916         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2917         * ftl/FTLLowerDFGToB3.cpp:
2918         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2919         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
2920         (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
2921         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2922         (JSC::FTL::DFG::LowerDFGToB3::mutatorFence):
2923         (JSC::FTL::DFG::LowerDFGToB3::setButterfly):
2924         * jit/AssemblyHelpers.h:
2925         (JSC::AssemblyHelpers::mutatorFence):
2926         (JSC::AssemblyHelpers::storeButterfly):
2927         (JSC::AssemblyHelpers::emitInitializeInlineStorage):
2928         (JSC::AssemblyHelpers::emitInitializeOutOfLineStorage):
2929
2930 2016-11-17  Keith Miller  <keith_miller@apple.com>
2931
2932         Add rotate to Wasm
2933         https://bugs.webkit.org/show_bug.cgi?id=164871
2934
2935         Reviewed by Filip Pizlo.
2936
2937         Add rotate left and rotate right to Wasm. These directly map to B3 opcodes.
2938         This also moves ARM-specific transformations of rotate left to lower macros
2939         after optimization. It's a bad idea to have platform-specific canonicalizations
2940         in reduce strength since other optimizations may not be aware of them.
2941
2942         Add a bug to do pure CSE after lower macros after optimization since we want to
2943         clean up RotL(value, Neg(Neg(shift))).
2944
2945         * b3/B3Generate.cpp:
2946         (JSC::B3::generateToAir):
2947         * b3/B3LowerMacrosAfterOptimizations.cpp:
2948         * b3/B3ReduceStrength.cpp:
2949         * wasm/wasm.json:
2950
2951 2016-11-17  Keith Miller  <keith_miller@apple.com>
2952
2953         Add sqrt to Wasm
2954         https://bugs.webkit.org/show_bug.cgi?id=164877
2955
2956         Reviewed by Mark Lam.
2957
2958         B3 already has a Sqrt opcode we just need to map Wasm to it.
2959
2960         * wasm/wasm.json:
2961
2962 2016-11-17  Keith Miller  <keith_miller@apple.com>
2963
2964         Add support for rotate in B3 and the relevant assemblers
2965         https://bugs.webkit.org/show_bug.cgi?id=164869
2966
2967         Reviewed by Geoffrey Garen.
2968
2969         This patch runs RotR and RotL (rotate right and left respectively)
2970         through B3 and B3's assemblers. One thing of note is that ARM64 does
2971         not support rotate left; instead, it allows negative right rotations.
2972
2973         This patch also fixes a theoretical bug in the assembler where
2974         on X86 doing someShiftOp(reg, edx) would instead shift the shift
2975         amount by the value. Additionally, this patch refactors some
2976         of the X86 assembler to use templates when deciding how to format
2977         the appropriate shift instruction.
2978
2979         * assembler/MacroAssemblerARM64.h:
2980         (JSC::MacroAssemblerARM64::rotateRight32):
2981         (JSC::MacroAssemblerARM64::rotateRight64):
2982         * assembler/MacroAssemblerX86Common.h:
2983         (JSC::MacroAssemblerX86Common::rotateRight32):
2984         (JSC::MacroAssemblerX86Common::rotateLeft32):
2985         * assembler/MacroAssemblerX86_64.h:
2986         (JSC::MacroAssemblerX86_64::lshift64):
2987         (JSC::MacroAssemblerX86_64::rshift64):
2988         (JSC::MacroAssemblerX86_64::urshift64):
2989         (JSC::MacroAssemblerX86_64::rotateRight64):
2990         (JSC::MacroAssemblerX86_64::rotateLeft64):
2991         (JSC::MacroAssemblerX86_64::or64):
2992         * assembler/X86Assembler.h:
2993         (JSC::X86Assembler::xorq_rm):
2994         (JSC::X86Assembler::shiftInstruction32):
2995         (JSC::X86Assembler::sarl_i8r):
2996         (JSC::X86Assembler::shrl_i8r):
2997         (JSC::X86Assembler::shll_i8r):
2998         (JSC::X86Assembler::rorl_i8r):
2999         (JSC::X86Assembler::rorl_CLr):
3000         (JSC::X86Assembler::roll_i8r):
3001         (JSC::X86Assembler::roll_CLr):
3002         (JSC::X86Assembler::shiftInstruction64):
3003         (JSC::X86Assembler::sarq_CLr):
3004         (JSC::X86Assembler::sarq_i8r):
3005         (JSC::X86Assembler::shrq_i8r):
3006         (JSC::X86Assembler::shlq_i8r):
3007         (JSC::X86Assembler::rorq_i8r):
3008         (JSC::X86Assembler::rorq_CLr):
3009         (JSC::X86Assembler::rolq_i8r):
3010         (JSC::X86Assembler::rolq_CLr):
3011         * b3/B3Common.h:
3012         (JSC::B3::rotateRight):
3013         (JSC::B3::rotateLeft):
3014         * b3/B3Const32Value.cpp:
3015         (JSC::B3::Const32Value::rotRConstant):
3016         (JSC::B3::Const32Value::rotLConstant):
3017         * b3/B3Const32Value.h:
3018         * b3/B3Const64Value.cpp:
3019         (JSC::B3::Const64Value::rotRConstant):
3020         (JSC::B3::Const64Value::rotLConstant):
3021         * b3/B3Const64Value.h:
3022         * b3/B3LowerToAir.cpp:
3023         (JSC::B3::Air::LowerToAir::lower):
3024         * b3/B3Opcode.cpp:
3025         (WTF::printInternal):
3026         * b3/B3Opcode.h:
3027         * b3/B3ReduceStrength.cpp:
3028         * b3/B3Validate.cpp:
3029         * b3/B3Value.cpp:
3030         (JSC::B3::Value::rotRConstant):
3031         (JSC::B3::Value::rotLConstant):
3032         (JSC::B3::Value::effects):
3033         (JSC::B3::Value::key):
3034         (JSC::B3::Value::typeFor):
3035         * b3/B3Value.h:
3036         * b3/B3ValueKey.cpp:
3037         (JSC::B3::ValueKey::materialize):
3038         * b3/air/AirInstInlines.h:
3039         (JSC::B3::Air::isRotateRight32Valid):
3040         (JSC::B3::Air::isRotateLeft32Valid):
3041         (JSC::B3::Air::isRotateRight64Valid):
3042         (JSC::B3::Air::isRotateLeft64Valid):
3043         * b3/air/AirOpcode.opcodes:
3044         * b3/testb3.cpp:
3045         (JSC::B3::testRotR):
3046         (JSC::B3::testRotL):
3047         (JSC::B3::testRotRWithImmShift):
3048         (JSC::B3::testRotLWithImmShift):
3049         (JSC::B3::run):
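
        The rotate semantics behind this entry and the "Add rotate to Wasm" entry above, modelled in plain JavaScript as an added example (not B3, Wasm or WebKit code): the rotate amount is masked to the operand width as the hardware does, and a rotate left by s equals a rotate right by -s, which is how a backend with only a rotate-right instruction (the ARM64 case the entry mentions) can lower RotL. The function names and sample values are this example's own.

```javascript
// Added example, not B3 or WebKit code: 32- and 64-bit rotate semantics, the
// masking of the rotate amount, and the RotL(v, s) == RotR(v, Neg(s)) identity
// used to lower rotate-left on a target that only has rotate-right.

function rotr32(value, shift) {
  const s = shift & 31;               // amount is taken modulo 32, negatives included
  const v = value >>> 0;              // operand as unsigned 32-bit
  return ((v >>> s) | (v << (32 - s))) >>> 0;   // s == 0: JS masks "<< 32" to "<< 0"
}

function rotl32(value, shift) {
  const s = shift & 31;
  const v = value >>> 0;
  return ((v << s) | (v >>> (32 - s))) >>> 0;
}

// 64-bit variants use BigInt so no bits are lost to double precision.
function rotr64(value, shift) {
  const s = BigInt(shift) & 63n;      // BigInt "&" is two's complement, so -1n & 63n == 63n
  const v = BigInt.asUintN(64, BigInt(value));
  return BigInt.asUintN(64, (v >> s) | (v << (64n - s)));
}

function rotl64(value, shift) {
  const s = BigInt(shift) & 63n;
  const v = BigInt.asUintN(64, BigInt(value));
  return BigInt.asUintN(64, (v << s) | (v >> (64n - s)));
}

// RotL(v, s) lowered as RotR(v, Neg(s)): what a rotate-right-only backend emits.
// `shift` is a plain number here so that negation works for both widths.
function rotl32ViaRotr(value, shift) { return rotr32(value, -shift); }
function rotl64ViaRotr(value, shift) { return rotr64(value, -shift); }

// Checks the identities over a range of amounts that includes out-of-range and
// negative values: lowering via negated rotate-right matches the direct rotate,
// amounts are masked, and a left rotate undoes a right rotate by the same amount.
function rotateIdentitiesHold() {
  const samples32 = [0, 1, 0x80000001, 0xDEADBEEF, 0xFFFFFFFF];   // constructed inputs
  const samples64 = [0n, 1n, 0x8000000000000001n, 0xDEADBEEFCAFEBABEn, 0xFFFFFFFFFFFFFFFFn];
  for (let s = -70; s <= 70; s++) {
    for (const v of samples32) {
      if (rotl32(v, s) !== rotl32ViaRotr(v, s)) return false;
      if (rotr32(v, s) !== rotr32(v, s & 31)) return false;
      if (rotl32(rotr32(v, s), s) !== v) return false;
    }
    for (const v of samples64) {
      if (rotl64(v, s) !== rotl64ViaRotr(v, s)) return false;
      if (rotr64(v, s) !== rotr64(v, s & 63)) return false;
      if (rotl64(rotr64(v, s), s) !== v) return false;
    }
  }
  return true;
}

console.log('rotr32(0x80000001, 1) =', rotr32(0x80000001, 1).toString(16));   // c0000000
console.log('rotl32(0x80000001, 1) =', rotl32(0x80000001, 1).toString(16));   // 3
console.log('identities hold:', rotateIdentitiesHold());
```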
3050
3051 2016-11-17  Saam Barati  <sbarati@apple.com>
3052
3053         Remove async/await compile time flag and enable tests
3054         https://bugs.webkit.org/show_bug.cgi?id=164828
3055         <rdar://problem/28639334>
3056
3057         Reviewed by Yusuke Suzuki.
3058
3059         * Configurations/FeatureDefines.xcconfig:
3060         * parser/Parser.cpp:
3061         (JSC::Parser<LexerType>::parseStatementListItem):
3062         (JSC::Parser<LexerType>::parseStatement):
3063         (JSC::Parser<LexerType>::parseClass):
3064         (JSC::Parser<LexerType>::parseExportDeclaration):
3065         (JSC::Parser<LexerType>::parseAssignmentExpression):
3066         (JSC::Parser<LexerType>::parseProperty):
3067         (JSC::Parser<LexerType>::parsePrimaryExpression):
3068         (JSC::Parser<LexerType>::parseMemberExpression):
3069         (JSC::Parser<LexerType>::parseUnaryExpression):
3070
3071 2016-11-17  Yusuke Suzuki  <utatane.tea@gmail.com>
3072
3073         [JSC] WTF::TemporaryChange with WTF::SetForScope
3074         https://bugs.webkit.org/show_bug.cgi?id=164761
3075
3076         Reviewed by Saam Barati.
3077
3078         * bytecompiler/BytecodeGenerator.h:
3079         * bytecompiler/SetForScope.h: Removed.
3080         * debugger/Debugger.cpp:
3081         * inspector/InspectorBackendDispatcher.cpp:
3082         (Inspector::BackendDispatcher::dispatch):
3083         * inspector/ScriptDebugServer.cpp:
3084         (Inspector::ScriptDebugServer::dispatchBreakpointActionLog):
3085         (Inspector::ScriptDebugServer::dispatchBreakpointActionSound):
3086         (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe):
3087         (Inspector::ScriptDebugServer::sourceParsed):
3088         (Inspector::ScriptDebugServer::dispatchFunctionToListeners):
3089         * parser/Parser.cpp:
3090
3091 2016-11-16  Mark Lam  <mark.lam@apple.com>
3092
3093         ExceptionFuzz needs to placate exception check verification before overwriting a thrown exception.
3094         https://bugs.webkit.org/show_bug.cgi?id=164843
3095
3096         Reviewed by Keith Miller.
3097
3098         The ThrowScope will check for unchecked simulated exceptions before throwing a
3099         new exception.  This ensures that we don't quietly overwrite a pending exception
3100         (which should never happen, with the only exception being to rethrow the same
3101         exception).  However, ExceptionFuzz works by intentionally throwing its own
3102         exception even when one may already exist, thereby potentially overwriting an
3103         existing exception.  This is ok for ExceptionFuzz testing, but we need to placate
3104         the exception check verifier before ExceptionFuzz throws its own exception.
3105
3106         * runtime/ExceptionFuzz.cpp:
3107         (JSC::doExceptionFuzzing):
3108
3109 2016-11-16  Geoffrey Garen  <ggaren@apple.com>
3110
3111         UnlinkedCodeBlock should not have a starting line number
3112         https://bugs.webkit.org/show_bug.cgi?id=164838
3113
3114         Reviewed by Mark Lam.
3115
3116         Here's how the starting line number in UnlinkedCodeBlock used to work:
3117
3118         (1) Assign the source code starting line number to the parser starting
3119         line number.
3120
3121         (2) Assign (1) to the AST.
3122
3123         (3) Subtract (1) from (2) and assign to UnlinkedCodeBlock.
3124
3125         Then, when linking:
3126
3127         (4) Add (3) to (1).
3128
3129         This was an awesome no-op.
3130
3131         Generally, unlinked code is code that is not tied to any particular
3132         web page or resource. So, it's inappropriate to think of it as having a
3133         starting line number.
3134
3135         * bytecode/UnlinkedCodeBlock.cpp:
3136         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
3137         * bytecode/UnlinkedCodeBlock.h:
3138         (JSC::UnlinkedCodeBlock::recordParse):
3139         (JSC::UnlinkedCodeBlock::hasCapturedVariables):
3140         (JSC::UnlinkedCodeBlock::firstLine): Deleted.
3141         * runtime/CodeCache.cpp:
3142         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
3143         * runtime/CodeCache.h:
3144         (JSC::generateUnlinkedCodeBlock):
3145
3146 2016-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
3147
3148         [ES6][WebCore] Change ES6_MODULES compile time flag to runtime flag
3149         https://bugs.webkit.org/show_bug.cgi?id=164827
3150
3151         Reviewed by Ryosuke Niwa.
3152
3153         * Configurations/FeatureDefines.xcconfig:
3154
3155 2016-11-16  Filip Pizlo  <fpizlo@apple.com>
3156
3157         Unreviewed, roll out r208811. It's not sound.
3158
3159         * ftl/FTLLowerDFGToB3.cpp:
3160         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
3161         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
3162         (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
3163         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
3164         (JSC::FTL::DFG::LowerDFGToB3::mutatorFence):
3165         (JSC::FTL::DFG::LowerDFGToB3::setButterfly):
3166         (JSC::FTL::DFG::LowerDFGToB3::splatWordsIfMutatorIsFenced): Deleted.
3167
3168 2016-11-16  Keith Miller  <keith_miller@apple.com>
3169
3170         Wasm function parser should use template functions for each binary and unary opcode
3171         https://bugs.webkit.org/show_bug.cgi?id=164835
3172
3173         Reviewed by Mark Lam.
3174
3175         This patch changes the wasm function parser to call into a template specialization
3176         for each binary/unary opcode. This change makes it easier to have custom implementations
3177         of various opcodes. It is also, in theory, a speedup since it does not require switching
3178         on the opcode twice.
3179
3180         * CMakeLists.txt:
3181         * DerivedSources.make:
3182         * wasm/WasmB3IRGenerator.cpp:
3183         (): Deleted.
3184         * wasm/WasmFunctionParser.h:
3185         (JSC::Wasm::FunctionParser<Context>::binaryCase):
3186         (JSC::Wasm::FunctionParser<Context>::unaryCase):
3187         (JSC::Wasm::FunctionParser<Context>::parseExpression):
3188         * wasm/WasmValidate.cpp:
3189         * wasm/generateWasm.py:
3190         (isBinary):
3191         (isSimple):
3192         * wasm/generateWasmB3IRGeneratorInlinesHeader.py: Added.
3193         (generateSimpleCode):
3194         * wasm/generateWasmOpsHeader.py:
3195         (opcodeMacroizer):
3196         * wasm/generateWasmValidateInlinesHeader.py:
3197
3198 2016-11-16  Mark Lam  <mark.lam@apple.com>
3199
3200         ExceptionFuzz functions should use its client's ThrowScope.
3201         https://bugs.webkit.org/show_bug.cgi?id=164834
3202
3203         Reviewed by Geoffrey Garen.
3204
3205         This is because ExceptionFuzz's purpose is to throw exceptions from its client at
3206         exception check sites.  Using the client's ThrowScope solves 2 problems:
3207
3208         1. If ExceptionFuzz instantiates its own ThrowScope, the simulated throw will be
3209            mis-attributed to ExceptionFuzz when it should be attributed to its client.
3210
3211         2. One way exception scope verification works is by having ThrowScopes assert
3212            that there are no unchecked simulated exceptions when the ThrowScope is
3213            instantiated.  However, ExceptionFuzz necessarily works by inserting
3214            doExceptionFuzzingIfEnabled() in between a ThrowScope that simulated a throw
3215            and an exception check.  If we declare a ThrowScope in ExceptionFuzz's code,
3216            we will be instantiating the ThrowScope between the point where a simulated
3217            throw occurs and where the needed exception check can occur.  Hence, having
3218            ExceptionFuzz instantiate its own ThrowScope will fail exception scope
3219            verification every time.
3220
3221         Changing ExceptionFuzz to use its client's ThrowScope resolves both problems.
3222
3223         Also fixed the THROW() macro in CommonSlowPaths.cpp to use the ThrowScope that
3224         already exists in every slow path function instead of creating a new one.
3225
3226         * jit/JITOperations.cpp:
3227         * llint/LLIntSlowPaths.cpp:
3228         * runtime/CommonSlowPaths.cpp:
3229         * runtime/ExceptionFuzz.cpp:
3230         (JSC::doExceptionFuzzing):
3231         * runtime/ExceptionFuzz.h:
3232         (JSC::doExceptionFuzzingIfEnabled):
3233
3234 2016-11-16  Filip Pizlo  <fpizlo@apple.com>
3235
3236         Slight Octane regression from concurrent GC's eager object zero-fill
3237         https://bugs.webkit.org/show_bug.cgi?id=164823
3238
3239         Reviewed by Geoffrey Garen.
3240         
3241         During concurrent GC, we need to eagerly zero-fill objects we allocate prior to
3242         executing the end-of-allocation fence. This causes some regressions. This is an attempt
3243         to fix those regressions by making them conditional on whether the mutator is fenced.
3244         
3245         This is a slight speed-up on raytrace and boyer, and hopefully it will fix the
3246         regression.
3247
3248         * ftl/FTLLowerDFGToB3.cpp:
3249         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
3250         (JSC::FTL::DFG::LowerDFGToB3::splatWordsIfMutatorIsFenced):
3251         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
3252         (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
3253         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
3254         (JSC::FTL::DFG::LowerDFGToB3::mutatorFence):
3255         (JSC::FTL::DFG::LowerDFGToB3::setButterfly):
3256
3257 2016-11-16  Mark Lam  <mark.lam@apple.com>
3258
3259         Fix exception scope checking in JSGlobalObject.cpp.
3260         https://bugs.webkit.org/show_bug.cgi?id=164831
3261
3262         Reviewed by Saam Barati.
3263
3264         * runtime/JSGlobalObject.cpp:
3265         (JSC::JSGlobalObject::init):
3266         - Use a CatchScope here because we don't ever expect JSGlobalObject initialization
3267           to fail with errors.
3268         (JSC::JSGlobalObject::put):
3269         - Fix exception check requirements.
3270
3271 2016-11-16  Keith Miller  <keith_miller@apple.com>
3272
3273         Unreviewed, ARM build fix.
3274
3275         * b3/B3LowerToAir.cpp:
3276         (JSC::B3::Air::LowerToAir::lower):
3277         (JSC::B3::Air::LowerToAir::lowerX86Div):
3278         (JSC::B3::Air::LowerToAir::lowerX86UDiv):
3279
3280 2016-11-15  Mark Lam  <mark.lam@apple.com>
3281
3282         Make JSC test functions more robust.
3283         https://bugs.webkit.org/show_bug.cgi?id=164807
3284
3285         Reviewed by Keith Miller.
3286
3287         * jsc.cpp:
3288         (functionGetHiddenValue):
3289         (functionSetHiddenValue):
3290
3291 2016-11-15  Keith Miller  <keith_miller@apple.com>
3292
3293         B3 should support UDiv/UMod
3294         https://bugs.webkit.org/show_bug.cgi?id=164811
3295
3296         Reviewed by Filip Pizlo.
3297
3298         This patch adds support for UDiv and UMod in B3. Many of the magic number
3299         cases have been omitted for now since they are unlikely to happen in wasm
3300         code. Most wasm code we will see is generated via LLVM, which has more
3301         robust versions of what we would do anyway. Additionally, this patch
3302         links the new opcodes up to the wasm parser.
3303
3304         * assembler/MacroAssemblerARM64.h:
3305         (JSC::MacroAssemblerARM64::uDiv32):
3306         (JSC::MacroAssemblerARM64::uDiv64):
3307         * assembler/MacroAssemblerX86Common.h:
3308         (JSC::MacroAssemblerX86Common::x86UDiv32):
3309         * assembler/MacroAssemblerX86_64.h:
3310         (JSC::MacroAssemblerX86_64::x86UDiv64):
3311         * assembler/X86Assembler.h:
3312         (JSC::X86Assembler::divq_r):
3313         * b3/B3Common.h:
3314         (JSC::B3::chillUDiv):
3315         (JSC::B3::chillUMod):
3316         * b3/B3Const32Value.cpp:
3317         (JSC::B3::Const32Value::uDivConstant):
3318         (JSC::B3::Const32Value::uModConstant):
3319         * b3/B3Const32Value.h:
3320         * b3/B3Const64Value.cpp:
3321         (JSC::B3::Const64Value::uDivConstant):
3322         (JSC::B3::Const64Value::uModConstant):
3323         * b3/B3Const64Value.h:
3324         * b3/B3LowerMacros.cpp:
3325         * b3/B3LowerToAir.cpp:
3326         (JSC::B3::Air::LowerToAir::lower):
3327         (JSC::B3::Air::LowerToAir::lowerX86UDiv):
3328         * b3/B3Opcode.cpp:
3329         (WTF::printInternal):
3330         * b3/B3Opcode.h:
3331         * b3/B3ReduceStrength.cpp:
3332         * b3/B3Validate.cpp:
3333         * b3/B3Value.cpp:
3334         (JSC::B3::Value::uDivConstant):
3335         (JSC::B3::Value::uModConstant):
3336         (JSC::B3::Value::effects):
3337         (JSC::B3::Value::key):
3338         (JSC::B3::Value::typeFor):
3339         * b3/B3Value.h:
3340         * b3/B3ValueKey.cpp:
3341         (JSC::B3::ValueKey::materialize):
3342         * b3/air/AirInstInlines.h:
3343         (JSC::B3::Air::isX86UDiv32Valid):
3344         (JSC::B3::Air::isX86UDiv64Valid):
3345         * b3/air/AirOpcode.opcodes:
3346         * b3/testb3.cpp:
3347         (JSC::B3::testUDivArgsInt32):
3348         (JSC::B3::testUDivArgsInt64):
3349         (JSC::B3::testUModArgsInt32):
3350         (JSC::B3::testUModArgsInt64):
3351         (JSC::B3::run):
3352         * wasm/wasm.json:
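
        Unsigned division and modulus modelled in JavaScript, as an added example that is not B3 or WebKit code, to show why UDiv/UMod need opcodes separate from Div/Mod: the same 32-bit pattern 0xFFFFFFFF is 4294967295 when read unsigned but -1 when read signed, so the two interpretations give different quotients. A zero divisor is handled the way B3's "chill" division handles it for the signed case (no trap, result 0); applying that rule to the unsigned helpers is this example's assumption, not something the entry states. The function names are this example's own.

```javascript
// Added example, not B3 or WebKit code: unsigned vs signed 32-bit division on
// the same bit patterns, plus 64-bit unsigned division via BigInt. Division by
// zero returns 0 (assumed "chill" semantics, mirroring B3's signed chill ops).

function udiv32(a, b) {
  const n = a >>> 0, d = b >>> 0;   // reinterpret both operands as unsigned
  if (d === 0) return 0;            // chill: no trap on divide by zero
  // n % d is exact in IEEE doubles, and (n - n % d) / d is an exactly
  // representable integer, so this never suffers a rounding-induced off-by-one.
  return (n - (n % d)) / d;
}

function umod32(a, b) {
  const n = a >>> 0, d = b >>> 0;
  if (d === 0) return 0;
  return n % d;
}

// Signed counterpart for contrast: truncates toward zero as the hardware does,
// and INT_MIN / -1 wraps back to INT_MIN instead of overflowing.
function sdiv32(a, b) {
  const n = a | 0, d = b | 0;       // reinterpret both operands as signed
  if (d === 0) return 0;
  if (n === -2147483648 && d === -1) return n;
  return Math.trunc(n / d) | 0;     // "| 0" also normalises -0 to 0
}

// 64-bit versions use BigInt, since a double only holds 53 bits exactly.
function udiv64(a, b) {
  const n = BigInt.asUintN(64, BigInt(a)), d = BigInt.asUintN(64, BigInt(b));
  return d === 0n ? 0n : n / d;     // BigInt division truncates
}

function umod64(a, b) {
  const n = BigInt.asUintN(64, BigInt(a)), d = BigInt.asUintN(64, BigInt(b));
  return d === 0n ? 0n : n % d;
}

// The same bits, two answers: 0xFFFFFFFF / 2 is 0x7FFFFFFF unsigned but 0 signed.
console.log('udiv32(0xFFFFFFFF, 2) =', udiv32(0xFFFFFFFF, 2));   // 2147483647
console.log('sdiv32(0xFFFFFFFF, 2) =', sdiv32(0xFFFFFFFF, 2));   // 0
console.log('udiv32(7, 0) =', udiv32(7, 0));                     // 0 (chill)
console.log('udiv64(2**64-1, 2) =', udiv64(0xFFFFFFFFFFFFFFFFn, 2n));
```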
3353
3354 2016-11-15  Joseph Pecoraro  <pecoraro@apple.com>
3355
3356         Web Inspector: Preview other CSS @media in browser window (print)
3357         https://bugs.webkit.org/show_bug.cgi?id=13530
3358         <rdar://problem/5712928>
3359
3360         Reviewed by Timothy Hatcher.
3361
3362         * inspector/protocol/Page.json:
3363         Update to preferred JSON style.
3364
3365 2016-11-15  Filip Pizlo  <fpizlo@apple.com>
3366
3367         Unreviewed, revert renaming useConcurrentJIT to useConcurrentJS.
3368
3369         * dfg/DFGDriver.cpp:
3370         (JSC::DFG::compileImpl):
3371         * heap/Heap.cpp:
3372         (JSC::Heap::addToRememberedSet):
3373         * jit/JITWorklist.cpp:
3374         (JSC::JITWorklist::compileLater):
3375         (JSC::JITWorklist::compileNow):
3376         * runtime/Options.cpp:
3377         (JSC::recomputeDependentOptions):
3378         * runtime/Options.h:
3379         * runtime/WriteBarrierInlines.h:
3380         (JSC::WriteBarrierBase<T>::set):
3381         (JSC::WriteBarrierBase<Unknown>::set):
3382
3383 2016-11-15  Geoffrey Garen  <ggaren@apple.com>
3384
3385         Debugging and other tools should not disable the code cache
3386         https://bugs.webkit.org/show_bug.cgi?id=164802
3387
3388         Reviewed by Mark Lam.
3389
3390         * bytecode/UnlinkedFunctionExecutable.cpp:
3391         (JSC::UnlinkedFunctionExecutable::fromGlobalCode): Updated for interface
3392         change.
3393
3394         * parser/SourceCodeKey.h:
3395         (JSC::SourceCodeFlags::SourceCodeFlags):
3396         (JSC::SourceCodeFlags::bits):
3397         (JSC::SourceCodeKey::SourceCodeKey): Treat debugging and other tools
3398         as part of our key so that we can cache code while using tools. Be sure
3399         to include these bits in our hash function so you don't get storms of
3400         collisions as you open and close the Web Inspector.
3401
3402         * runtime/CodeCache.cpp:
3403         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
3404         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable): Treat tools as
3405         a part of our key instead of as a reason to disable caching.
3406
3407         * runtime/CodeCache.h:
3408
3409 2016-11-15  Mark Lam  <mark.lam@apple.com>
3410
3411         Remove JSString::SafeView and replace its uses with StringViewWithUnderlyingString.
3412         https://bugs.webkit.org/show_bug.cgi?id=164777
3413
3414         Reviewed by Geoffrey Garen.
3415
3416         JSString::SafeView no longer achieves its intended goal to make it easier to
3417         handle strings safely.  Its clients still need to do explicit exception checks in
3418         order to be correct.  We'll remove it and replace its uses with
3419         StringViewWithUnderlyingString instead, which serves to get a StringView
3420         (which is what we really wanted from SafeView) and keeps the backing String alive
3421         while the view is in use.
3422
3423         Also added some missing exception checks.
3424
3425         * jsc.cpp:
3426         (printInternal):
3427         (functionDebug):
3428         * runtime/ArrayPrototype.cpp:
3429         (JSC::arrayProtoFuncJoin):
3430         * runtime/FunctionConstructor.cpp:
3431         (JSC::constructFunctionSkippingEvalEnabledCheck):
3432         * runtime/IntlCollatorPrototype.cpp:
3433         (JSC::IntlCollatorFuncCompare):
3434         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
3435         (JSC::genericTypedArrayViewProtoFuncJoin):
3436         * runtime/JSGlobalObjectFunctions.cpp:
3437         (JSC::toStringView):
3438         (JSC::globalFuncParseFloat):
3439         * runtime/JSONObject.cpp:
3440         (JSC::JSONProtoFuncParse):
3441         * runtime/JSString.h:
3442         (JSC::JSString::SafeView::is8Bit): Deleted.
3443         (JSC::JSString::SafeView::length): Deleted.
3444         (JSC::JSString::SafeView::SafeView): Deleted.
3445         (JSC::JSString::SafeView::get): Deleted.
3446         (JSC::JSString::view): Deleted.
3447         * runtime/StringPrototype.cpp:
3448         (JSC::stringProtoFuncRepeatCharacter):
3449         (JSC::stringProtoFuncCharAt):
3450         (JSC::stringProtoFuncCharCodeAt):
3451         (JSC::stringProtoFuncIndexOf):
3452         (JSC::stringProtoFuncNormalize):
3453
3454 2016-11-15  Filip Pizlo  <fpizlo@apple.com>
3455
3456         Unreviewed, remove bogus assertion.
3457
3458         * heap/Heap.cpp:
3459         (JSC::Heap::markToFixpoint):
3460
3461 2016-11-15  Filip Pizlo  <fpizlo@apple.com>
3462
3463         [mac-wk1 debug] ASSERTION FAILED: thisObject->m_propertyTableUnsafe
3464         https://bugs.webkit.org/show_bug.cgi?id=162986
3465
3466         Reviewed by Saam Barati.
3467         
3468         This assertion is wrong for concurrent GC anyway, so this removes it.
3469
3470         * runtime/Structure.cpp:
3471         (JSC::Structure::visitChildren):
3472
3473 2016-11-15  Filip Pizlo  <fpizlo@apple.com>
3474
3475         Rename CONCURRENT_JIT/ConcurrentJIT to CONCURRENT_JS/ConcurrentJS
3476         https://bugs.webkit.org/show_bug.cgi?id=164791
3477
3478         Reviewed by Geoffrey Garen.
3479         
3480         Just renaming.
3481
3482         * JavaScriptCore.xcodeproj/project.pbxproj:
3483         * bytecode/ArrayProfile.cpp:
3484         (JSC::ArrayProfile::computeUpdatedPrediction):
3485         (JSC::ArrayProfile::briefDescription):
3486         (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
3487         * bytecode/ArrayProfile.h:
3488         (JSC::ArrayProfile::observedArrayModes):
3489         (JSC::ArrayProfile::mayInterceptIndexedAccesses):
3490         (JSC::ArrayProfile::mayStoreToHole):
3491         (JSC::ArrayProfile::outOfBounds):
3492         (JSC::ArrayProfile::usesOriginalArrayStructures):
3493         * bytecode/CallLinkStatus.cpp:
3494         (JSC::CallLinkStatus::computeFromLLInt):
3495         (JSC::CallLinkStatus::computeFor):
3496         (JSC::CallLinkStatus::computeExitSiteData):
3497         (JSC::CallLinkStatus::computeFromCallLinkInfo):
3498         (JSC::CallLinkStatus::computeDFGStatuses):
3499         * bytecode/CallLinkStatus.h:
3500         * bytecode/CodeBlock.cpp:
3501         (JSC::CodeBlock::dumpValueProfiling):
3502         (JSC::CodeBlock::dumpArrayProfiling):
3503         (JSC::CodeBlock::finishCreation):
3504         (JSC::CodeBlock::setConstantRegisters):
3505         (JSC::CodeBlock::getStubInfoMap):
3506         (JSC::CodeBlock::getCallLinkInfoMap):
3507         (JSC::CodeBlock::getByValInfoMap):
3508         (JSC::CodeBlock::addStubInfo):
3509         (JSC::CodeBlock::addByValInfo):
3510         (JSC::CodeBlock::addCallLinkInfo):
3511         (JSC::CodeBlock::resetJITData):
3512         (JSC::CodeBlock::shrinkToFit):
3513         (JSC::CodeBlock::getArrayProfile):
3514         (JSC::CodeBlock::addArrayProfile):
3515         (JSC::CodeBlock::getOrAddArrayProfile):
3516         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
3517         (JSC::CodeBlock::updateAllArrayPredictions):
3518         (JSC::CodeBlock::nameForRegister):
3519         (JSC::CodeBlock::livenessAnalysisSlow):
3520         * bytecode/CodeBlock.h:
3521         (JSC::CodeBlock::setJITCode):
3522         (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
3523         (JSC::CodeBlock::addFrequentExitSite):
3524         (JSC::CodeBlock::hasExitSite):
3525         (JSC::CodeBlock::livenessAnalysis):
3526         * bytecode/DFGExitProfile.cpp:
3527         (JSC::DFG::ExitProfile::add):
3528         (JSC::DFG::ExitProfile::hasExitSite):
3529         (JSC::DFG::QueryableExitProfile::initialize):
3530         * bytecode/DFGExitProfile.h:
3531         (JSC::DFG::ExitProfile::hasExitSite):
3532         * bytecode/GetByIdStatus.cpp:
3533         (JSC::GetByIdStatus::hasExitSite):
3534         (JSC::GetByIdStatus::computeFor):
3535         (JSC::GetByIdStatus::computeForStubInfo):
3536         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
3537         * bytecode/GetByIdStatus.h:
3538         * bytecode/LazyOperandValueProfile.cpp:
3539         (JSC::CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions):
3540         (JSC::CompressedLazyOperandValueProfileHolder::add):
3541         (JSC::LazyOperandValueProfileParser::initialize):
3542         (JSC::LazyOperandValueProfileParser::prediction):
3543         * bytecode/LazyOperandValueProfile.h:
3544         * bytecode/MethodOfGettingAValueProfile.cpp:
3545         (JSC::MethodOfGettingAValueProfile::emitReportValue):
3546         * bytecode/PutByIdStatus.cpp:
3547         (JSC::PutByIdStatus::hasExitSite):
3548         (JSC::PutByIdStatus::computeFor):
3549         (JSC::PutByIdStatus::computeForStubInfo):
3550         * bytecode/PutByIdStatus.h:
3551         * bytecode/StructureStubClearingWatchpoint.cpp:
3552         (JSC::StructureStubClearingWatchpoint::fireInternal):
3553         * bytecode/ValueProfile.h:
3554         (JSC::ValueProfileBase::briefDescription):
3555         (JSC::ValueProfileBase::computeUpdatedPrediction):
3556         * dfg/DFGArrayMode.cpp:
3557         (JSC::DFG::ArrayMode::fromObserved):
3558         * dfg/DFGArrayMode.h:
3559         (JSC::DFG::ArrayMode::withSpeculationFromProfile):
3560         (JSC::DFG::ArrayMode::withProfile):
3561         * dfg/DFGByteCodeParser.cpp:
3562         (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
3563         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
3564         (JSC::DFG::ByteCodeParser::getArrayMode):
3565         (JSC::DFG::ByteCodeParser::handleInlining):
3566         (JSC::DFG::ByteCodeParser::parseBlock):
3567         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
3568         * dfg/DFGDriver.cpp:
3569         (JSC::DFG::compileImpl):
3570         * dfg/DFGFixupPhase.cpp:
3571         (JSC::DFG::FixupPhase::fixupNode):
3572         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
3573         * dfg/DFGGraph.cpp:
3574         (JSC::DFG::Graph::tryGetConstantClosureVar):
3575         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3576         * dfg/DFGPredictionInjectionPhase.cpp:
3577         (JSC::DFG::PredictionInjectionPhase::run):
3578         * ftl/FTLLowerDFGToB3.cpp:
3579         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
3580         * ftl/FTLOperations.cpp:
3581         (JSC::FTL::operationMaterializeObjectInOSR):
3582         * heap/Heap.cpp:
3583         (JSC::Heap::addToRememberedSet):
3584         * jit/JIT.cpp:
3585         (JSC::JIT::compileWithoutLinking):
3586         * jit/JITInlines.h:
3587         (JSC::JIT::chooseArrayMode):
3588         * jit/JITOperations.cpp:
3589         (JSC::tryGetByValOptimize):
3590         * jit/JITPropertyAccess.cpp:
3591         (JSC::JIT::privateCompileGetByValWithCachedId):
3592         (JSC::JIT::privateCompilePutByValWithCachedId):
3593         * jit/JITWorklist.cpp:
3594         (JSC::JITWorklist::compileLater):
3595         (JSC::JITWorklist::compileNow):
3596         * jit/Repatch.cpp:
3597         (JSC::repatchGetByID):
3598         (JSC::repatchPutByID):
3599         * llint/LLIntSlowPaths.cpp:
3600         (JSC::LLInt::setupGetByIdPrototypeCache):
3601         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3602         (JSC::LLInt::setUpCall):
3603         * profiler/ProfilerBytecodeSequence.cpp:
3604         (JSC::Profiler::BytecodeSequence::BytecodeSequence):
3605         * runtime/CommonSlowPaths.cpp:
3606         (JSC::SLOW_PATH_DECL):
3607         * runtime/CommonSlowPaths.h:
3608         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
3609         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
3610         * runtime/ConcurrentJITLock.h: Removed.
3611         * runtime/ConcurrentJSLock.h: Copied from Source/JavaScriptCore/runtime/ConcurrentJITLock.h.
3612         (JSC::ConcurrentJSLockerBase::ConcurrentJSLockerBase):
3613         (JSC::ConcurrentJSLockerBase::~ConcurrentJSLockerBase):
3614         (JSC::GCSafeConcurrentJSLocker::GCSafeConcurrentJSLocker):
3615         (JSC::GCSafeConcurrentJSLocker::~GCSafeConcurrentJSLocker):
3616         (JSC::ConcurrentJSLocker::ConcurrentJSLocker):
3617         (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase): Deleted.
3618         (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase): Deleted.
3619         (JSC::ConcurrentJITLockerBase::unlockEarly): Deleted.
3620         (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker): Deleted.
3621         (JSC::GCSafeConcurrentJITLocker::~GCSafeConcurrentJITLocker): Deleted.
3622         (JSC::ConcurrentJITLocker::ConcurrentJITLocker): Deleted.
3623         * runtime/InferredType.cpp:
3624         (JSC::InferredType::canWatch):
3625         (JSC::InferredType::addWatchpoint):
3626         (JSC::InferredType::willStoreValueSlow):
3627         (JSC::InferredType::makeTopSlow):
3628         (JSC::InferredType::set):
3629         (JSC::InferredType::removeStructure):
3630         * runtime/InferredType.h:
3631         * runtime/InferredTypeTable.cpp:
3632         (JSC::InferredTypeTable::visitChildren):
3633         (JSC::InferredTypeTable::get):
3634         (JSC::InferredTypeTable::willStoreValue):
3635         (JSC::InferredTypeTable::makeTop):
3636         * runtime/InferredTypeTable.h:
3637         * runtime/JSEnvironmentRecord.cpp:
3638         (JSC::JSEnvironmentRecord::heapSnapshot):
3639         * runtime/JSGlobalObject.cpp:
3640         (JSC::JSGlobalObject::addGlobalVar):
3641         (JSC::JSGlobalObject::addStaticGlobals):
3642         * runtime/JSLexicalEnvironment.cpp:
3643         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
3644         * runtime/JSObject.cpp:
3645         (JSC::JSObject::deleteProperty):
3646         (JSC::JSObject::shiftButterflyAfterFlattening):
3647         * runtime/JSObject.h:
3648         * runtime/JSObjectInlines.h:
3649         (JSC::JSObject::putDirectWithoutTransition):
3650         (JSC::JSObject::putDirectInternal):
3651         * runtime/JSScope.cpp:
3652         (JSC::abstractAccess):
3653         (JSC::JSScope::collectClosureVariablesUnderTDZ):
3654         * runtime/JSSegmentedVariableObject.cpp:
3655         (JSC::JSSegmentedVariableObject::findVariableIndex):
3656         (JSC::JSSegmentedVariableObject::addVariables):
3657         (JSC::JSSegmentedVariableObject::heapSnapshot):
3658         * runtime/JSSegmentedVariableObject.h:
3659         * runtime/JSSymbolTableObject.cpp:
3660         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
3661         * runtime/JSSymbolTableObject.h:
3662         (JSC::symbolTableGet):
3663         (JSC::symbolTablePut):
3664         * runtime/Options.cpp:
3665         (JSC::recomputeDependentOptions):
3666         * runtime/Options.h:
3667         * runtime/ProgramExecutable.cpp:
3668         (JSC::ProgramExecutable::initializeGlobalProperties):
3669         * runtime/RegExp.cpp:
3670         (JSC::RegExp::compile):
3671         (JSC::RegExp::matchConcurrently):
3672         (JSC::RegExp::compileMatchOnly):
3673         (JSC::RegExp::deleteCode):
3674         * runtime/RegExp.h:
3675         * runtime/Structure.cpp:
3676         (JSC::Structure::materializePropertyTable):
3677         (JSC::Structure::addPropertyTransitionToExistingStructureConcurrently):
3678         (JSC::Structure::addNewPropertyTransition):
3679         (JSC::Structure::takePropertyTableOrCloneIfPinned):
3680         (JSC::Structure::nonPropertyTransition):
3681         (JSC::Structure::flattenDictionaryStructure):
3682         (JSC::Structure::ensurePropertyReplacementWatchpointSet):
3683         (JSC::Structure::add):
3684         (JSC::Structure::remove):
3685         (JSC::Structure::visitChildren):
3686         * runtime/Structure.h:
3687         * runtime/StructureInlines.h:
3688         (JSC::Structure::propertyReplacementWatchpointSet):
3689         (JSC::Structure::add):
3690         (JSC::Structure::remove):
3691         * runtime/SymbolTable.cpp:
3692         (JSC::SymbolTable::visitChildren):
3693         (JSC::SymbolTable::localToEntry):
3694         (JSC::SymbolTable::entryFor):
3695         (JSC::SymbolTable::prepareForTypeProfiling):
3696         (JSC::SymbolTable::uniqueIDForVariable):
3697         (JSC::SymbolTable::uniqueIDForOffset):
3698         (JSC::SymbolTable::globalTypeSetForOffset):
3699         (JSC::SymbolTable::globalTypeSetForVariable):
3700         * runtime/SymbolTable.h:
3701         * runtime/TypeSet.cpp:
3702         (JSC::TypeSet::addTypeInformation):
3703         (JSC::TypeSet::invalidateCache):
3704         * runtime/TypeSet.h:
3705         (JSC::TypeSet::structureSet):
3706         * runtime/VM.h:
3707         * runtime/WriteBarrierInlines.h:
3708         (JSC::WriteBarrierBase<T>::set):
3709         (JSC::WriteBarrierBase<Unknown>::set):
3710         * yarr/YarrInterpreter.cpp:
3711         (JSC::Yarr::ByteCompiler::compile):
3712         (JSC::Yarr::byteCompile):
3713         * yarr/YarrInterpreter.h:
3714         (JSC::Yarr::BytecodePattern::BytecodePattern):
3715
3716 2016-11-15  Joseph Pecoraro  <pecoraro@apple.com>
3717
3718         Web Inspector: Remove unused and untested Page.setTouchEmulationEnabled command
3719         https://bugs.webkit.org/show_bug.cgi?id=164793
3720
3721         Reviewed by Matt Baker.
3722
3723         * inspector/protocol/Page.json:
3724
3725 2016-11-15  Yusuke Suzuki  <utatane.tea@gmail.com>
3726
3727         Unreviewed, build fix for Windows debug build after r208738
3728         https://bugs.webkit.org/show_bug.cgi?id=164727
3729
3730         This static member variable can be touched outside of the JSC project
3731         since inlined MacroAssembler member functions read / write it.
3732         So it should be exported.
3733
3734         * assembler/MacroAssemblerX86Common.h:
3735
3736 2016-11-15  Joseph Pecoraro  <pecoraro@apple.com>
3737
3738         Web Inspector: inspector/worker/debugger-pause.html fails on WebKit1
3739         https://bugs.webkit.org/show_bug.cgi?id=164787
3740
3741         Reviewed by Timothy Hatcher.
3742
3743         * inspector/agents/InspectorDebuggerAgent.cpp:
3744         (Inspector::InspectorDebuggerAgent::cancelPauseOnNextStatement):
3745         Clear this DebuggerAgent state when we resume.
3746
3747 2016-11-15  Filip Pizlo  <fpizlo@apple.com>
3748
3749         It should be possible to disable concurrent GC timeslicing
3750         https://bugs.webkit.org/show_bug.cgi?id=164788
3751
3752         Reviewed by Saam Barati.
3753         
3754         Collector timeslicing means that the collector will try to pause once every 2ms. This is
3755         great because it throttles the mutator and prevents it from outpacing the collector. But
3756         it reduces some of the efficacy of the collectContinuously=true configuration: while
3757         it's great that collecting continuously means that the collector will also pause more
3758         frequently and so it will test the pausing code, it also means that the collector will
3759         spend less time running concurrently. The primary purpose of collectContinuously is to
3760         maximize the amount of time that the collector is running concurrently to the mutator to
3761         maximize the likelihood that a race will cause a detectable error.
3762         
3763         This adds an option to disable collector timeslicing (useCollectorTimeslicing=false).
3764         The idea is that we will usually use this in conjunction with collectContinuously=true
3765         to find race conditions during marking, but we can also use the two options
3766         independently to focus our testing on other things.
3767
3768         * heap/Heap.cpp:
3769         (JSC::Heap::markToFixpoint):
3770         * heap/SlotVisitor.cpp:
3771         (JSC::SlotVisitor::drainInParallel): We should have added this helper ages ago.
3772         * heap/SlotVisitor.h:
3773         * runtime/Options.h:
3774
3775 2016-11-15  Filip Pizlo  <fpizlo@apple.com>
3776
3777         The concurrent GC should have a timeslicing controller
3778         https://bugs.webkit.org/show_bug.cgi?id=164783
3779
3780         Reviewed by Geoffrey Garen.
3781         
3782         This adds a simple control system for deciding when the collector should let the mutator run
3783         and when it should stop the mutator. We definitely have to stop the mutator during certain
3784         collector phases, but during marking - which takes the most time - we can go either way.
3785         Normally we want to let the mutator run, but if the heap size starts to grow then we have to
3786         stop the mutator just to make sure it doesn't get too far ahead of the collector. That could
3787         lead to memory exhaustion, so it's better to just stop in that case.
3788         
3789         The controller tries to never stop the mutator for longer than short timeslices. It slices on
3790         a 2ms period (configurable via Options). The amount of that period that the collector spends
3791         with the mutator stopped is determined by the fraction of the collector's concurrent headroom
3792         that has been allocated over. The headroom is currently configured at 50% of what was
3793         allocated before the collector started.
3794         
3795         This moves a bunch of parameters into Options so that it's easier to play with different
3796         configurations.
3797         
3798         I tried these different values for the period:
3799         
3800         1ms: 30% worse than 2ms on splay-latency.
3801         2ms: best score on splay-latency: the tick time above the 99.5% percentile is <2ms.
3802         3ms: 40% worse than 2ms on splay-latency.
3803         4ms: 40% worse than 2ms on splay-latency.
3804         
3805         I also tried 100% headroom as an alternate to 50% and found it to be worse.
3806         
3807         This patch is a 2x improvement on splay-latency with the default parameters and concurrent GC
3808         enabled. Prior to this change, the GC didn't have a good bound on its pause times, which
3809         would cause these problems. Concurrent GC is now 5.6x better on splay-latency than no
3810         concurrent GC.
3811
3812         * heap/Heap.cpp:
3813         (JSC::Heap::ResumeTheWorldScope::ResumeTheWorldScope):
3814         (JSC::Heap::markToFixpoint):
3815         (JSC::Heap::collectInThread):
3816         * runtime/Options.h:
3817
3818 2016-11-15  Yusuke Suzuki  <utatane.tea@gmail.com>
3819
3820         Unreviewed, build fix for CLoop after r208738
3821         https://bugs.webkit.org/show_bug.cgi?id=164727
3822
3823         * jsc.cpp:
3824         (WTF::DOMJITFunctionObject::unsafeFunction):
3825         (WTF::DOMJITFunctionObject::finishCreation):
3826
3827 2016-11-15  Mark Lam  <mark.lam@apple.com>
3828
3829         The jsc shell's setImpureGetterDelegate() should ensure that the set value is an ImpureGetter.
3830         https://bugs.webkit.org/show_bug.cgi?id=164781
3831         <rdar://problem/28418590>
3832
3833         Reviewed by Geoffrey Garen and Michael Saboff.
3834
3835         * jsc.cpp:
3836         (functionSetImpureGetterDelegate):
3837
3838 2016-11-15  Yusuke Suzuki  <utatane.tea@gmail.com>
3839
3840         [DOMJIT] Allow using macro assembler scratches in FTL CheckDOM
3841         https://bugs.webkit.org/show_bug.cgi?id=164727
3842
3843         Reviewed by Filip Pizlo.
3844
3845         While CallDOMGetter can use macro assembler scratch registers, we previously
3846         assumed that CheckDOM code generator does not use macro assembler scratch registers.
3847         It is currently true in x86 environment. But it is not true in the other environments.
3848
3849         We should not limit DOMJIT::Patchpoint's functionality in such a way. We should allow
3850         arbitrary macro assembler operations inside the DOMJIT::Patchpoint. This patch allows
3851         CheckDOM to use macro assembler scratch registers.
3852
3853         * ftl/FTLLowerDFGToB3.cpp:
3854         (JSC::FTL::DFG::LowerDFGToB3::compileCheckDOM):
3855         * jsc.cpp:
3856         (WTF::DOMJITFunctionObject::DOMJITFunctionObject):
3857         (WTF::DOMJITFunctionObject::createStructure):
3858         (WTF::DOMJITFunctionObject::create):
3859         (WTF::DOMJITFunctionObject::unsafeFunction):
3860         (WTF::DOMJITFunctionObject::safeFunction):
3861         (WTF::DOMJITFunctionObject::checkDOMJITNode):
3862         (WTF::DOMJITFunctionObject::finishCreation):
3863         (GlobalObject::finishCreation):
3864         (functionCreateDOMJITFunctionObject):
3865
3866 2016-11-14  Geoffrey Garen  <ggaren@apple.com>
3867
3868         CodeCache should stop pretending to cache builtins
3869         https://bugs.webkit.org/show_bug.cgi?id=164750
3870
3871         Reviewed by Saam Barati.
3872
3873         We were passing JSParserBuiltinMode to all CodeCache functions, but the
3874         passed-in value was always NotBuiltin.
3875
3876         Let's stop passing it.
3877
3878         * parser/SourceCodeKey.h:
3879         (JSC::SourceCodeFlags::SourceCodeFlags):
3880         (JSC::SourceCodeKey::SourceCodeKey):
3881         * runtime/CodeCache.cpp:
3882         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
3883         (JSC::CodeCache::getUnlinkedProgramCodeBlock):
3884         (JSC::CodeCache::getUnlinkedGlobalEvalCodeBlock):
3885         (JSC::CodeCache::getUnlinkedModuleProgramCodeBlock):
3886         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
3887         * runtime/CodeCache.h:
3888         (JSC::generateUnlinkedCodeBlock):
3889         * runtime/JSGlobalObject.cpp:
3890         (JSC::JSGlobalObject::createProgramCodeBlock):
3891         (JSC::JSGlobalObject::createLocalEvalCodeBlock):
3892         (JSC::JSGlobalObject::createGlobalEvalCodeBlock):
3893         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
3894
3895 2016-11-15  Filip Pizlo  <fpizlo@apple.com>
3896
3897         REGRESSION (r208711-r208722): ASSERTION FAILED: hasInlineStorage()
3898         https://bugs.webkit.org/show_bug.cgi?id=164775
3899
3900         Reviewed by Mark Lam and Keith Miller.
3901         
3902         We were calling inlineStorage() which asserts that inline storage is not empty. But we
3903         were calling it in a context where it could be empty and that's fine. So, we now call
3904         inlineStorageUnsafe().
3905
3906         * runtime/JSObject.h:
3907         (JSC::JSFinalObject::JSFinalObject):
3908
3909 2016-11-14  Csaba Osztrogonác  <ossy@webkit.org>
3910
3911         [ARM] Unreviewed buildfix after r208720.
3912
3913         * assembler/MacroAssemblerARM.h:
3914         (JSC::MacroAssemblerARM::storeFence): Stub function copied from MacroAssemblerARMv7.h.
3915
3916 2016-11-14  Caitlin Potter  <caitp@igalia.com>
3917
3918         [JSC] do not reference AwaitExpression Promises in async function Promise chain
3919         https://bugs.webkit.org/show_bug.cgi?id=164753
3920
3921         Reviewed by Yusuke Suzuki.
3922
3923         Previously, long-running async functions which contained many AwaitExpressions
3924         would allocate and retain references to intermediate Promise objects for each `await`,
3925         resulting in a memory leak.
3926
3927         To mitigate this leak, a reference to the original Promise (and its resolve and reject
3928         functions) associated with the async function are kept, and passed to each call to
3929         @asyncFunctionResume, while intermediate Promises are discarded. This is done by adding
3930         a new Register to the BytecodeGenerator to hold the PromiseCapability object associated
3931         with an async function wrapper. The capability is used to reject the Promise if an
3932         exception is thrown during parameter initialization, and is used to store the resulting
3933         value once the async function has terminated.
3934
3935         * builtins/AsyncFunctionPrototype.js:
3936         (globalPrivate.asyncFunctionResume):
3937         * bytecompiler/BytecodeGenerator.cpp:
3938         (JSC::BytecodeGenerator::BytecodeGenerator):
3939         * bytecompiler/BytecodeGenerator.h:
3940         (JSC::BytecodeGenerator::promiseCapabilityRegister):
3941         * bytecompiler/NodesCodegen.cpp:
3942         (JSC::FunctionNode::emitBytecode):
3943
3944 2016-11-14  Joseph Pecoraro  <pecoraro@apple.com>
3945
3946         Web Inspector: Worker debugging should pause all targets and view call frames in all targets
3947         https://bugs.webkit.org/show_bug.cgi?id=164305
3948         <rdar://problem/29056192>
3949
3950         Reviewed by Timothy Hatcher.
3951
3952         * inspector/InjectedScriptSource.js:
3953         (InjectedScript.prototype._propertyDescriptors):
3954         Accessing __proto__ does a ToThis(...) conversion on the receiver.
3955         In the case of GlobalObjects (such as WorkerGlobalScope when paused)
3956         this would return undefined and throw an exception. We can use
3957         Object.getPrototypeOf to avoid that conversion and possible error.
3958
3959         * inspector/protocol/Debugger.json:
3960         Provide a new way to effectively `resume` + `pause` immediately.
3961         This must be implemented on the backend to correctly synchronize
3962         the resuming and pausing.
3963
3964         * inspector/agents/InspectorDebuggerAgent.h:
3965         * inspector/agents/InspectorDebuggerAgent.cpp:
3966         (Inspector::InspectorDebuggerAgent::continueUntilNextRunLoop):
3967         Treat this as `resume` and `pause`. Resume now, and trigger
3968         a pause if the VM becomes idle and we didn't pause before then
3969         (such as hitting a breakpoint after we resumed).
3970
3971         (Inspector::InspectorDebuggerAgent::pause):
3972         (Inspector::InspectorDebuggerAgent::resume):
3973         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
3974         (Inspector::InspectorDebuggerAgent::cancelPauseOnNextStatement):
3975         Clean up and correct pause on next statement logic.
3976
3977         (Inspector::InspectorDebuggerAgent::registerIdleHandler):
3978         (Inspector::InspectorDebuggerAgent::willStepAndMayBecomeIdle):
3979         (Inspector::InspectorDebuggerAgent::didBecomeIdle):
3980         (Inspector::InspectorDebuggerAgent::didBecomeIdleAfterStepping): Deleted.
3981         The idle handler may now also trigger a pause in the case
3982         where continueUntilNextRunLoop resumed and wants to pause.
3983
3984         (Inspector::InspectorDebuggerAgent::didPause):
3985         Eliminate the useless didPause. The DOMDebugger was keeping track
3986         of its own state that was worse than the state in DebuggerAgent.
3987
3988 2016-11-14  Filip Pizlo  <fpizlo@apple.com>
3989
3990         Unreviewed, fix cloop.