9ae28fe960d7ed4123f50f2d6f05aa452eca3fce
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-12-08  Filip Pizlo  <fpizlo@apple.com>

        MultiPutByOffset should get a barrier if it transitions
        https://bugs.webkit.org/show_bug.cgi?id=165646

        Reviewed by Keith Miller.

        Previously, if we knew that we were storing a non-cell but we needed to transition, we
        would fail to add the barrier but the FTL's lowering expected the barrier to be there.

        Strictly, we need to "consider" the barrier on MultiPutByOffset if the value is
        possibly a cell or if the MultiPutByOffset may transition. Then "considering" the
        barrier implies checking if the base is possibly old.

        But because the barrier is so cheap anyway, this patch implements something safer: we
        just consider the barrier on MultiPutByOffset unconditionally, which opts it out of any
        barrier optimizations other than those based on the predicted state of the base. Those
        optimizations are already sound - for example they use doesGC() to detect safepoints
        and that function correctly predicts when MultiPutByOffset could GC.

        Because the barrier optimizations are only a very small speed-up, I think it's great to
        fix bugs by weakening the optimizer without cleverness.

        * dfg/DFGFixupPhase.cpp:
        * dfg/DFGStoreBarrierInsertionPhase.cpp:
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::assertValidCell):

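Added example, not code from WebKit or from this patch: a toy generational heap in C++ that shows why a MultiPutByOffset that transitions needs the store barrier even when the stored value is a non-cell. The transition makes the old base object point at a freshly allocated Structure; without the barrier the next eden collection never rescans the base, and the new Structure is swept while the base still references it. The types (Cell, Structure, Object, Heap), the remembered-set collector and the function names are simplified stand-ins chosen for illustration, not JSC's.

```cpp
#include <cstdint>
#include <cstdio>
#include <unordered_set>
#include <vector>

// Simplified model of a generational heap (not JSC's real types).
// "Old" cells survived an earlier collection; an eden collection traces only
// eden cells plus whatever the remembered set tells it to rescan.
struct Cell {
    bool isOld = false;
    bool marked = false;
};

struct Structure : Cell {
    unsigned lastOffset = 0;   // stand-in for the property layout the structure describes
};

struct Object : Cell {
    Structure* structure = nullptr;
    std::vector<int64_t> slots;   // this model stores only non-cell values here
};

struct Heap {
    std::vector<Cell*> eden;
    std::unordered_set<Object*> rememberedSet;

    // The store barrier: "considering" it means checking whether the base is old.
    void writeBarrier(Object* base) {
        if (base->isOld)
            rememberedSet.insert(base);
    }

    // One eden collection. Old cells are traced only if they were remembered.
    // Returns true if 'victim' (an eden cell) was kept alive.
    bool edenCollect(Cell* victim) {
        for (Cell* c : eden)
            c->marked = false;
        for (Object* base : rememberedSet) {
            if (base->structure)
                base->structure->marked = true;   // the structure is the only cell an Object points at here
        }
        rememberedSet.clear();
        std::vector<Cell*> survivors;
        for (Cell* c : eden) {
            if (c->marked) {
                c->isOld = true;           // promote
                survivors.push_back(c);
            }                              // unmarked eden cells would be freed here
        }
        eden = survivors;
        return victim->marked;
    }
};

// The rule stated in the ChangeLog: the barrier must be considered if the value
// may be a cell OR the node may transition. The patch takes the safer route of
// always considering it, which is the same as passing mayTransition = true.
bool mustConsiderBarrier(bool valueMayBeCell, bool mayTransition) {
    return valueMayBeCell || mayTransition;
}

// A transitioning put of a non-cell value; 'emitBarrier' models whether the
// compiler inserted the barrier after the store.
void putByOffsetWithTransition(Heap& heap, Object* base, Structure* newStructure,
                               int64_t value, bool emitBarrier) {
    base->structure = newStructure;   // the old base now references an eden cell
    base->slots.push_back(value);     // the value itself is not a cell
    if (emitBarrier)
        heap.writeBarrier(base);
}

// Does the Structure allocated by the transition survive the next eden GC?
bool transitionSurvives(bool emitBarrier) {
    Heap heap;
    Object base;
    base.isOld = true;                 // promoted long ago, lives outside eden
    Structure fresh;                   // allocated in eden by the transition
    heap.eden.push_back(&fresh);
    putByOffsetWithTransition(heap, &base, &fresh, 42, emitBarrier);
    bool survived = heap.edenCollect(&fresh);
    base.structure = nullptr;          // without the barrier this pointer was already dangling
    return survived;
}

int main() {
    std::printf("with barrier:    %s\n", transitionSurvives(true) ? "structure survives" : "dangling pointer");
    std::printf("without barrier: %s\n", transitionSurvives(false) ? "structure survives" : "dangling pointer");
    return 0;
}
```

The model only traces the structure pointer, because that is the one cell reference the transitioning store creates even though the value written is not a cell; that is exactly the case the FTL lowering expected a barrier for.
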
2016-12-08  Filip Pizlo  <fpizlo@apple.com>

        Enable concurrent GC on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=165643

        Reviewed by Saam Barati.

        It looks stable enough to enable.

        * assembler/CPU.h:
        (JSC::useGCFences): Deleted.
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::generateImpl):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::mutatorFence):
        (JSC::AssemblyHelpers::storeButterfly):
        (JSC::AssemblyHelpers::nukeStructureAndStoreButterfly):
        (JSC::AssemblyHelpers::emitInitializeInlineStorage):
        (JSC::AssemblyHelpers::emitInitializeOutOfLineStorage):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2016-12-08  Filip Pizlo  <fpizlo@apple.com>

        Disable collectContinuously if not useConcurrentGC

        Rubber stamped by Geoffrey Garen.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2016-12-08  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix cloop build.

        * runtime/JSObject.h:

2016-12-06  Filip Pizlo  <fpizlo@apple.com>

        Concurrent GC should be stable enough to land enabled on X86_64
        https://bugs.webkit.org/show_bug.cgi?id=164990

        Reviewed by Geoffrey Garen.

        This fixes a ton of performance and correctness bugs revealed by getting the concurrent GC to
        be stable enough to land enabled.

        I had to redo the JSObject::visitChildren concurrency protocol again. This time I think it's
        even more correct than ever!

        This is an enormous win on JetStream/splay-latency and Octane/SplayLatency. It looks to be
        mostly neutral on everything else, though Speedometer is showing statistically weak signs of a
        slight regression.

        * API/JSAPIWrapperObject.mm: Added locking.
        (JSC::JSAPIWrapperObject::visitChildren):
        * API/JSCallbackObject.h: Added locking.
        (JSC::JSCallbackObjectData::visitChildren):
        (JSC::JSCallbackObjectData::JSPrivatePropertyMap::setPrivateProperty):
        (JSC::JSCallbackObjectData::JSPrivatePropertyMap::deletePrivateProperty):
        (JSC::JSCallbackObjectData::JSPrivatePropertyMap::visitChildren):
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally): This had a TOCTOU race on shouldJettisonDueToOldAge.
        (JSC::EvalCodeCache::visitAggregate): Moved to EvalCodeCache.cpp.
        * bytecode/DirectEvalCodeCache.cpp: Added. Outlined some functions and made them use locks.
        (JSC::DirectEvalCodeCache::setSlow):
        (JSC::DirectEvalCodeCache::clear):
        (JSC::DirectEvalCodeCache::visitAggregate):
        * bytecode/DirectEvalCodeCache.h:
        (JSC::DirectEvalCodeCache::set):
        (JSC::DirectEvalCodeCache::clear): Deleted.
        * bytecode/UnlinkedCodeBlock.cpp: Added locking.
        (JSC::UnlinkedCodeBlock::visitChildren):
        (JSC::UnlinkedCodeBlock::setInstructions):
        (JSC::UnlinkedCodeBlock::shrinkToFit):
        * bytecode/UnlinkedCodeBlock.h: Added locking.
        (JSC::UnlinkedCodeBlock::addRegExp):
        (JSC::UnlinkedCodeBlock::addConstant):
        (JSC::UnlinkedCodeBlock::addFunctionDecl):
        (JSC::UnlinkedCodeBlock::addFunctionExpr):
        (JSC::UnlinkedCodeBlock::createRareDataIfNecessary):
        (JSC::UnlinkedCodeBlock::shrinkToFit): Deleted.
        * debugger/Debugger.cpp: Use the right delete API.
        (JSC::Debugger::recompileAllJSFunctions):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Fix a pre-existing bug in ToFunction constant folding.
        * dfg/DFGClobberize.h: Add support for nuking.
        (JSC::DFG::clobberize):
        * dfg/DFGClobbersExitState.cpp: Add support for nuking.
        (JSC::DFG::clobbersExitState):
        * dfg/DFGFixupPhase.cpp: Add support for nuking.
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::indexForChecks):
        (JSC::DFG::FixupPhase::originForCheck):
        (JSC::DFG::FixupPhase::speculateForBarrier):
        (JSC::DFG::FixupPhase::insertCheck):
        (JSC::DFG::FixupPhase::fixupChecksInBlock):
        * dfg/DFGSpeculativeJIT.cpp: Add support for nuking.
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        * ftl/FTLLowerDFGToB3.cpp: Add support for nuking.
        (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::mutatorFence):
        (JSC::FTL::DFG::LowerDFGToB3::nukeStructureAndSetButterfly):
        (JSC::FTL::DFG::LowerDFGToB3::setButterfly): Deleted.
        * heap/CodeBlockSet.cpp: We need to be more careful about the CodeBlockSet workflow during GC, since we will allocate CodeBlocks in eden while collecting.
        (JSC::CodeBlockSet::clearMarksForFullCollection):
        (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
        * heap/Heap.cpp: Added code to measure max pauses. Added a better collectContinuously mode.
        (JSC::Heap::lastChanceToFinalize): Stop the collectContinuously thread.
        (JSC::Heap::harvestWeakReferences): Inline SlotVisitor::harvestWeakReferences.
        (JSC::Heap::finalizeUnconditionalFinalizers): Inline SlotVisitor::finalizeUnconditionalReferences.
        (JSC::Heap::markToFixpoint): We need to do some MarkedSpace stuff before every conservative scan, rather than just at the start of marking, so we now call prepareForConservativeScan() before each conservative scan. Also call a less-parallel version of drainInParallel when the mutator is running.
        (JSC::Heap::collectInThread): Inline Heap::prepareForAllocation().
        (JSC::Heap::stopIfNecessarySlow): We need to be more careful about ensuring that we run finalization before and after stopping. Also, we should sanitize stack when stopping the world.
        (JSC::Heap::acquireAccessSlow): Add some optional debug prints.
        (JSC::Heap::handleNeedFinalize): Assert that we are running this when the world is not stopped.
        (JSC::Heap::finalize): Remove the old collectContinuously code.
        (JSC::Heap::requestCollection): We don't need to sanitize stack here anymore.
        (JSC::Heap::notifyIsSafeToCollect): Start the collectContinuously thread. It will request collection at 1 KHz.
        (JSC::Heap::prepareForAllocation): Deleted.
        (JSC::Heap::preventCollection): Prevent any new concurrent GCs from being initiated.
        (JSC::Heap::allowCollection):
        (JSC::Heap::forEachSlotVisitor): Allows us to safely iterate slot visitors.
        * heap/Heap.h:
        * heap/HeapInlines.h:
        (JSC::Heap::writeBarrier): If the 'to' cell is not NewWhite then it could be AnthraciteOrBlack. During a full collection, objects may be AnthraciteOrBlack from a previous GC. Turns out, we don't benefit from this optimization so we can just kill it.
        * heap/HeapSnapshotBuilder.cpp:
        (JSC::HeapSnapshotBuilder::buildSnapshot): This needs to use PreventCollectionScope to ensure snapshot soundness.
        * heap/ListableHandler.h:
        (JSC::ListableHandler::isOnList): Useful helper.
        * heap/LockDuringMarking.h:
        (JSC::lockDuringMarking): It's a locker that only locks while we're marking.
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::addBlock): Hold the bitvector lock while resizing.
        * heap/MarkedBlock.cpp: Hold the bitvector lock while accessing the bitvectors while the mutator is running.
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::prepareForConservativeScan): We used to do this in prepareForMarking, but we need to do it before each conservative scan not just before marking.
        (JSC::MarkedSpace::prepareForMarking): Remove the logic moved to prepareForConservativeScan.
        * heap/MarkedSpace.h:
        * heap/PreventCollectionScope.h: Added.
        * heap/SlotVisitor.cpp: Refactored drainFromShared so that we can write a similar function called drainInParallelPassively.
        (JSC::SlotVisitor::updateMutatorIsStopped): Update whether we can use "fast" scanning.
        (JSC::SlotVisitor::mutatorIsStoppedIsUpToDate):
        (JSC::SlotVisitor::didReachTermination):
        (JSC::SlotVisitor::hasWork):
        (JSC::SlotVisitor::drain): This now uses the rightToRun lock to allow the main GC thread to safepoint the workers.
        (JSC::SlotVisitor::drainFromShared):
        (JSC::SlotVisitor::drainInParallelPassively): This runs marking with one fewer threads than normal. It's useful for when we have resumed the mutator, since then the mutator has a better chance of getting on a core.
        (JSC::SlotVisitor::addWeakReferenceHarvester):
        (JSC::SlotVisitor::addUnconditionalFinalizer):
        (JSC::SlotVisitor::harvestWeakReferences): Deleted.
        (JSC::SlotVisitor::finalizeUnconditionalFinalizers): Deleted.
        * heap/SlotVisitor.h:
        * heap/SlotVisitorInlines.h: Outline stuff.
        (JSC::SlotVisitor::addWeakReferenceHarvester): Deleted.
        (JSC::SlotVisitor::addUnconditionalFinalizer): Deleted.
        * runtime/InferredType.cpp: This needed thread safety.
        (JSC::InferredType::visitChildren): This needs to keep its structure finalizer alive until it runs.
        (JSC::InferredType::set):
        (JSC::InferredType::InferredStructureFinalizer::finalizeUnconditionally):
        * runtime/InferredType.h:
        * runtime/InferredValue.cpp: This needed thread safety.
        (JSC::InferredValue::visitChildren):
        (JSC::InferredValue::ValueCleanup::finalizeUnconditionally):
        * runtime/JSArray.cpp:
        (JSC::JSArray::unshiftCountSlowCase): Update to use new butterfly API.
        (JSC::JSArray::unshiftCountWithArrayStorage): Update to use new butterfly API.
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::visitChildren): Thread safety.
        * runtime/JSCell.h:
        (JSC::JSCell::setStructureIDDirectly): This is used for nuking the structure.
        (JSC::JSCell::InternalLocker::InternalLocker): Deleted. The cell is now the lock.
        (JSC::JSCell::InternalLocker::~InternalLocker): Deleted. The cell is now the lock.
        * runtime/JSCellInlines.h:
        (JSC::JSCell::structure): Clean this up.
        (JSC::JSCell::lock): The cell is now the lock.
        (JSC::JSCell::tryLock):
        (JSC::JSCell::unlock):
        (JSC::JSCell::isLocked):
        (JSC::JSCell::lockInternalLock): Deleted.
        (JSC::JSCell::unlockInternalLock): Deleted.
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::visitChildren): Thread safety.
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren): Thread safety.
        (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory): Thread safety.
        * runtime/JSObject.cpp:
        (JSC::JSObject::markAuxiliaryAndVisitOutOfLineProperties): Factor out this "easy" step of butterfly visiting.
        (JSC::JSObject::visitButterfly): Make this achieve 100% precision about structure-butterfly relationships. This relies on the mutator "nuking" the structure prior to "locked" structure-butterfly transitions.
        (JSC::JSObject::visitChildren): Use the new, nicer API.
        (JSC::JSFinalObject::visitChildren): Use the new, nicer API.
        (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists): Use the new butterfly API.
        (JSC::JSObject::createInitialUndecided): Use the new butterfly API.
        (JSC::JSObject::createInitialInt32): Use the new butterfly API.
        (JSC::JSObject::createInitialDouble): Use the new butterfly API.
        (JSC::JSObject::createInitialContiguous): Use the new butterfly API.
        (JSC::JSObject::createArrayStorage): Use the new butterfly API.
        (JSC::JSObject::convertUndecidedToContiguous): Use the new butterfly API.
        (JSC::JSObject::convertUndecidedToArrayStorage): Use the new butterfly API.
        (JSC::JSObject::convertInt32ToArrayStorage): Use the new butterfly API.
        (JSC::JSObject::convertDoubleToContiguous): Use the new butterfly API.
        (JSC::JSObject::convertDoubleToArrayStorage): Use the new butterfly API.
        (JSC::JSObject::convertContiguousToArrayStorage): Use the new butterfly API.
        (JSC::JSObject::increaseVectorLength): Use the new butterfly API.
        (JSC::JSObject::shiftButterflyAfterFlattening): Use the new butterfly API.
        * runtime/JSObject.h:
        (JSC::JSObject::setButterfly): This now does all of the fences. Only use this when you are not also transitioning the structure or the structure's lastOffset.
        (JSC::JSObject::nukeStructureAndSetButterfly): Use this when doing locked structure-butterfly transitions.
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putDirectWithoutTransition): Use the newly factored out API.
        (JSC::JSObject::prepareToPutDirectWithoutTransition): Factor this out!
        (JSC::JSObject::putDirectInternal): Use the newly factored out API.
        * runtime/JSPropertyNameEnumerator.cpp:
        (JSC::JSPropertyNameEnumerator::finishCreation): Locks!
        (JSC::JSPropertyNameEnumerator::visitChildren): Locks!
        * runtime/JSSegmentedVariableObject.cpp:
        (JSC::JSSegmentedVariableObject::visitChildren): Locks!
        * runtime/JSString.cpp:
        (JSC::JSString::visitChildren): Thread safety.
        * runtime/ModuleProgramExecutable.cpp:
        (JSC::ModuleProgramExecutable::visitChildren): Thread safety.
        * runtime/Options.cpp: For now we disable concurrent GC on not-X86_64.
        (JSC::recomputeDependentOptions):
        * runtime/Options.h: Change the default max GC parallelism to 8. I don't know why it was still 7.
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::stackTracesAsJSON): This needs to defer GC before grabbing its lock.
        * runtime/SparseArrayValueMap.cpp: This needed thread safety.
        (JSC::SparseArrayValueMap::add):
        (JSC::SparseArrayValueMap::remove):
        (JSC::SparseArrayValueMap::visitChildren):
        * runtime/SparseArrayValueMap.h:
        * runtime/Structure.cpp: This had a race between addNewPropertyTransition and visitChildren.
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyTable):
        (JSC::Structure::addNewPropertyTransition):
        (JSC::Structure::flattenDictionaryStructure):
        (JSC::Structure::add): Help out with nuking support - the m_offset needs to play along.
        (JSC::Structure::visitChildren):
        * runtime/Structure.h: Make some useful things public - like the notion of a lastOffset.
        * runtime/StructureChain.cpp:
        (JSC::StructureChain::visitChildren): Thread safety!
        * runtime/StructureChain.h: Thread safety!
        * runtime/StructureIDTable.cpp:
        (JSC::StructureIDTable::allocateID): Ensure that we don't get nuked IDs.
        * runtime/StructureIDTable.h: Add the notion of a nuked ID! It's a bit that the runtime never sees except during specific shady actions like locked structure-butterfly transitions. "Nuking" tells the GC to steer clear and rescan once we fire the barrier.
        (JSC::nukedStructureIDBit):
        (JSC::nuke):
        (JSC::isNuked):
        (JSC::decontaminate):
        * runtime/StructureInlines.h:
        (JSC::Structure::hasIndexingHeader): Better API.
        (JSC::Structure::add):
        * runtime/VM.cpp: Better GC interaction.
        (JSC::VM::ensureWatchdog):
        (JSC::VM::deleteAllLinkedCode):
        (JSC::VM::deleteAllCode):
        * runtime/VM.h:
        (JSC::VM::getStructure): Why wasn't this always an API!
        * runtime/WebAssemblyExecutable.cpp:
        (JSC::WebAssemblyExecutable::visitChildren): Thread safety.

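Added example in C++, not WebKit's code: a model of the structure-ID "nuking" protocol the entry above describes, showing what a concurrent visitButterfly can observe while the mutator is in the middle of a locked structure-butterfly transition. The ID encoding (the high bit as the nuked bit), the StructureTable, the Object layout and the step-by-step interleaving are assumptions chosen for illustration; the real nukedStructureIDBit, nuke, isNuked and decontaminate live in runtime/StructureIDTable.h and are not reproduced here.

```cpp
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <vector>

// Assumed encoding for the example: the high bit of a 32-bit structure ID is
// the nuked bit. Only the transitioning mutator ever writes a nuked ID.
constexpr uint32_t nukedStructureIDBit = 0x80000000u;
constexpr uint32_t nuke(uint32_t id) { return id | nukedStructureIDBit; }
constexpr bool isNuked(uint32_t id) { return (id & nukedStructureIDBit) != 0; }
constexpr uint32_t decontaminate(uint32_t id) { return id & ~nukedStructureIDBit; }

struct Structure {
    unsigned lastOffset;   // number of out-of-line slots the butterfly must hold
};

struct StructureTable {
    std::vector<Structure> entries;   // index == structure ID
    uint32_t allocateID(Structure s) {
        uint32_t id = static_cast<uint32_t>(entries.size());
        assert(!isNuked(id));         // an allocated ID must never carry the nuked bit
        entries.push_back(s);
        return id;
    }
    const Structure& get(uint32_t id) const { return entries.at(decontaminate(id)); }
};

struct Object {
    uint32_t structureID;
    const std::vector<int64_t>* butterfly;   // out-of-line property storage
};

struct Visit {
    bool deferred;      // nuked ID seen: leave it, rescan after the barrier
    bool outOfBounds;   // structure claimed more slots than the butterfly has
    unsigned visited;
};

// The collector's view. It reads structureID and butterfly separately, so
// without nuking it can pair a new structure with an old butterfly.
Visit visitButterfly(const StructureTable& table, const Object& obj) {
    uint32_t id = obj.structureID;
    if (isNuked(id))
        return {true, false, 0};
    const Structure& s = table.get(id);
    const std::vector<int64_t>& b = *obj.butterfly;
    bool oob = s.lastOffset > b.size();
    return {false, oob, oob ? static_cast<unsigned>(b.size()) : s.lastOffset};
}

enum class Protocol { Unlocked, Nuking };

// Runs one structure+butterfly transition step by step, letting the GC visit
// after every mutator store. Returns what the GC observed at each step.
std::vector<Visit> runTransition(Protocol p) {
    StructureTable table;
    uint32_t oldID = table.allocateID({1});
    uint32_t newID = table.allocateID({2});
    std::vector<int64_t> oldButterfly = {10};
    std::vector<int64_t> newButterfly = {10, 20};
    Object obj{oldID, &oldButterfly};
    std::vector<Visit> seen;
    auto gcVisits = [&] { seen.push_back(visitButterfly(table, obj)); };

    gcVisits();
    if (p == Protocol::Unlocked) {
        obj.structureID = newID;          // new structure published first...
        gcVisits();                       // ...GC reads 2 slots from a 1-slot butterfly
        obj.butterfly = &newButterfly;
        gcVisits();
    } else {
        obj.structureID = nuke(obj.structureID);   // tell the GC to steer clear
        gcVisits();
        obj.butterfly = &newButterfly;             // safe: the GC defers while nuked
        gcVisits();
        obj.structureID = newID;                   // publish; in JSC a write barrier follows
        gcVisits();
    }
    return seen;
}

// True if no GC visit during the transition could read past the butterfly.
bool protocolIsSafe(Protocol p) {
    for (const Visit& v : runTransition(p))
        if (v.outOfBounds)
            return false;
    return true;
}

int main() {
    std::printf("unlocked transition safe: %d\n", protocolIsSafe(Protocol::Unlocked));
    std::printf("nuking transition safe:   %d\n", protocolIsSafe(Protocol::Nuking));
    return 0;
}
```

The unlocked order shown publishes the structure first, so the collector over-reads the old butterfly; publishing the butterfly first instead would make it visit the old lastOffset against the new butterfly and silently skip a slot. Nuking removes both interleavings: every visit during the window is deferred, and the barrier fired after publishing makes the collector rescan with a consistent pair.
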
302 2016-12-08  Filip Pizlo  <fpizlo@apple.com>
303
304         Enable SharedArrayBuffer, remove the flag
305         https://bugs.webkit.org/show_bug.cgi?id=165614
306
307         Rubber stamped by Geoffrey Garen.
308
309         * runtime/JSGlobalObject.cpp:
310         (JSC::JSGlobalObject::init):
311         * runtime/RuntimeFlags.h:
312
313 2016-12-08  JF Bastien  <jfbastien@apple.com>
314
315         WebAssembly JS API: wire up Instance imports
316         https://bugs.webkit.org/show_bug.cgi?id=165118
317
318         Reviewed by Saam Barati.
319
320         Change a bunch of the WebAssembly object model, and pipe the
321         necessary changes to be able to call JS imports from
322         WebAssembly. This will make it easier to call_indirect, and
323         unblock many other missing features.
324
325         As a follow-up I need to teach JSC::linkFor to live without a
326         CodeBlock: wasm doesn't have one and the IC patching is sad. We'll
327         switch on the callee (or its type?) and then use that as the owner
328         (because the callee is alive if the instance is alive, ditto
329         module, and module owns the CallLinkInfo).
330
331         * CMakeLists.txt:
332         * JavaScriptCore.xcodeproj/project.pbxproj:
333         * interpreter/CallFrame.h:
334         (JSC::ExecState::callee): give access to the callee as a JSCell
335         * jit/RegisterSet.cpp: dead code from previous WebAssembly implementation
336         * jsc.cpp:
337         (callWasmFunction):
338         (functionTestWasmModuleFunctions):
339         * runtime/JSCellInlines.h:
340         (JSC::ExecState::vm): check callee instead of jsCallee: wasm only has a JSCell and not a JSObject
341         * runtime/VM.cpp:
342         (JSC::VM::VM): store the "top" WebAssembly.Instance on entry to WebAssembly (and restore the previous one on exit)
343         * runtime/VM.h:
344         * testWasm.cpp:
345         (runWasmTests):
346         * wasm/JSWebAssembly.h:
347         * wasm/WasmB3IRGenerator.cpp:
348         (JSC::Wasm::B3IRGenerator::B3IRGenerator): pass unlinked calls around to shorten their lifetime: they're ony needed until the Plan is done
349         (JSC::Wasm::B3IRGenerator::addCall):
350         (JSC::Wasm::createJSToWasmWrapper):
351         (JSC::Wasm::parseAndCompile): also pass in the function index space, so that imports can be signature-checked along with internal functions
352         * wasm/WasmB3IRGenerator.h:
353         * wasm/WasmBinding.cpp: Added.
354         (JSC::Wasm::importStubGenerator): stubs from wasm to JS
355         * wasm/WasmBinding.h: Copied from Source/JavaScriptCore/wasm/WasmValidate.h.
356         * wasm/WasmCallingConvention.h:
357         (JSC::Wasm::CallingConvention::setupFrameInPrologue):
358         * wasm/WasmFormat.h: fix the object model
359         (JSC::Wasm::CallableFunction::CallableFunction):
360         * wasm/WasmFunctionParser.h: simplify some of the failure condition checks
361         (JSC::Wasm::FunctionParser<Context>::FunctionParser): need function index space, not just internal functions
362         (JSC::Wasm::FunctionParser<Context>::parseExpression):
363         * wasm/WasmModuleParser.cpp: early-create some of the structures which will be needed later
364         (JSC::Wasm::ModuleParser::parseImport):
365         (JSC::Wasm::ModuleParser::parseFunction):
366         (JSC::Wasm::ModuleParser::parseMemory):
367         (JSC::Wasm::ModuleParser::parseExport):
368         (JSC::Wasm::ModuleParser::parseCode):
369         * wasm/WasmModuleParser.h:
370         (JSC::Wasm::ModuleParser::functionIndexSpace):
371         (JSC::Wasm::ModuleParser::functionLocations):
372         * wasm/WasmParser.h:
373         (JSC::Wasm::Parser::consumeUTF8String):
374         * wasm/WasmPlan.cpp: pass around the wasm objects at the right time, reducing their lifetime and making it easier to pass them around when needed
375         (JSC::Wasm::Plan::run):
376         (JSC::Wasm::Plan::initializeCallees):
377         * wasm/WasmPlan.h:
378         (JSC::Wasm::Plan::exports):
379         (JSC::Wasm::Plan::internalFunctionCount):
380         (JSC::Wasm::Plan::jsToWasmEntryPointForFunction):
381         (JSC::Wasm::Plan::takeModuleInformation):
382         (JSC::Wasm::Plan::takeCallLinkInfos):
383         (JSC::Wasm::Plan::takeWasmToJSStubs):
384         (JSC::Wasm::Plan::takeFunctionIndexSpace):
385         * wasm/WasmValidate.cpp: check function index space instead of only internal functions
386         (JSC::Wasm::Validate::addCall):
387         (JSC::Wasm::validateFunction):
388         * wasm/WasmValidate.h:
389         * wasm/js/JSWebAssemblyCallee.cpp:
390         (JSC::JSWebAssemblyCallee::finishCreation):
391         * wasm/js/JSWebAssemblyCallee.h:
392         (JSC::JSWebAssemblyCallee::create):
393         (JSC::JSWebAssemblyCallee::jsToWasmEntryPoint):
394         * wasm/js/JSWebAssemblyInstance.cpp:
395         (JSC::JSWebAssemblyInstance::create):
396         (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
397         (JSC::JSWebAssemblyInstance::visitChildren):
398         * wasm/js/JSWebAssemblyInstance.h: hold the import functions off the end of the Instance
399         (JSC::JSWebAssemblyInstance::importFunction):
400         (JSC::JSWebAssemblyInstance::importFunctions):
401         (JSC::JSWebAssemblyInstance::setImportFunction):
402         (JSC::JSWebAssemblyInstance::offsetOfImportFunctions):
403         (JSC::JSWebAssemblyInstance::offsetOfImportFunction):
404         (JSC::JSWebAssemblyInstance::allocationSize):
405         * wasm/js/JSWebAssemblyModule.cpp:
406         (JSC::JSWebAssemblyModule::create):
407         (JSC::JSWebAssemblyModule::JSWebAssemblyModule):
408         (JSC::JSWebAssemblyModule::visitChildren):
409         * wasm/js/JSWebAssemblyModule.h: hold the link call info, the import function stubs, and the function index space
410         (JSC::JSWebAssemblyModule::signatureForFunctionIndexSpace):
411         (JSC::JSWebAssemblyModule::importCount):
412         (JSC::JSWebAssemblyModule::calleeFromFunctionIndexSpace):
413         * wasm/js/WebAssemblyFunction.cpp:
414         (JSC::callWebAssemblyFunction): set top Instance on VM
415         * wasm/js/WebAssemblyFunction.h:
416         (JSC::WebAssemblyFunction::instance):
417         * wasm/js/WebAssemblyInstanceConstructor.cpp:
418         (JSC::constructJSWebAssemblyInstance): handle function imports
419         * wasm/js/WebAssemblyModuleConstructor.cpp:
420         (JSC::constructJSWebAssemblyModule): generate the stubs for import functions
421         * wasm/js/WebAssemblyModuleRecord.cpp:
422         (JSC::WebAssemblyModuleRecord::link):
423         * wasm/js/WebAssemblyToJSCallee.cpp: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCallee.cpp.
424         (JSC::WebAssemblyToJSCallee::create): dummy JSCell singleton which lives on the VM, and is put as the callee in the import stub's frame to identified it when unwinding
425         (JSC::WebAssemblyToJSCallee::createStructure):
426         (JSC::WebAssemblyToJSCallee::WebAssemblyToJSCallee):
427         (JSC::WebAssemblyToJSCallee::finishCreation):
428         (JSC::WebAssemblyToJSCallee::destroy):
429         * wasm/js/WebAssemblyToJSCallee.h: Copied from Source/JavaScriptCore/wasm/WasmB3IRGenerator.h.
430
431 2016-12-08  Mark Lam  <mark.lam@apple.com>
432
433         Enable JSC restricted options by default in the jsc shell.
434         https://bugs.webkit.org/show_bug.cgi?id=165615
435
436         Reviewed by Keith Miller.
437
438         The jsc shell is only used for debugging and development testing.  We should
439         allow it to use restricted options like JSC_useDollarVM even for release builds.
440
441         * jsc.cpp:
442         (jscmain):
443         * runtime/Options.cpp:
444         (JSC::Options::enableRestrictedOptions):
445         (JSC::Options::isAvailable):
446         (JSC::allowRestrictedOptions): Deleted.
447         * runtime/Options.h:
448
449 2016-12-08  Chris Dumez  <cdumez@apple.com>
450
451         Unreviewed, rolling out r209489.
452
453         Likely caused large regressions on JetStream, Sunspider and
454         Speedometer
455
456         Reverted changeset:
457
458         "Add system trace points for JavaScript VM entry/exit"
459         https://bugs.webkit.org/show_bug.cgi?id=165550
460         http://trac.webkit.org/changeset/209489
461
462 2016-12-08  Keith Miller  <keith_miller@apple.com>
463
464         Move LEB tests to API tests
465         https://bugs.webkit.org/show_bug.cgi?id=165586
466
467         Reviewed by Saam Barati.
468
469         Delete old stuff.
470
471         * testWasm.cpp:
472         (printUsageStatement):
473         (CommandLine::parseArguments):
474         (main):
475         (runLEBTests): Deleted.
476
477 2016-12-07  JF Bastien  <jfbastien@apple.com>
478
479         Cleanup WebAssembly's RETURN_IF_EXCEPTION
480         https://bugs.webkit.org/show_bug.cgi?id=165595
481
482         Reviewed by Filip Pizlo.
483
484         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
485         (JSC::constructJSWebAssemblyCompileError):
486         * wasm/js/WebAssemblyFunction.cpp:
487         (JSC::callWebAssemblyFunction):
488         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
489         (JSC::constructJSWebAssemblyRuntimeError):
490
491 2016-12-07  Geoffrey Garen  <ggaren@apple.com>
492
493         Renamed SourceCode members to match their accessor names
494         https://bugs.webkit.org/show_bug.cgi?id=165573
495
496         Reviewed by Keith Miller.
497
498         startChar => startOffset
499         endChar => endOffset
500
501         * parser/UnlinkedSourceCode.h:
502         (JSC::UnlinkedSourceCode::UnlinkedSourceCode):
503         (JSC::UnlinkedSourceCode::view):
504         (JSC::UnlinkedSourceCode::startOffset):
505         (JSC::UnlinkedSourceCode::endOffset):
506         (JSC::UnlinkedSourceCode::length):
507
508 2016-12-07  Keith Miller  <keith_miller@apple.com>
509
510         Add more missing trivial wasm ops.
511         https://bugs.webkit.org/show_bug.cgi?id=165564
512
513         Reviewed by Geoffrey Garen.
514
515         This patch adds the nop, drop, and tee_local opcodes.
516         It also fixes an issue where we were not generating
517         the proper enums for the grow_memory and current_memory
518         opcodes.
519
520         * wasm/WasmFunctionParser.h:
521         (JSC::Wasm::FunctionParser<Context>::parseExpression):
522         * wasm/generateWasmOpsHeader.py:
523
524 2016-12-07  Geoffrey Garen  <ggaren@apple.com>
525
526         Renamed source => parentSource
527         https://bugs.webkit.org/show_bug.cgi?id=165570
528
529         Reviewed by Keith Miller.
530
531         For less confuse.
532
533         * bytecode/UnlinkedFunctionExecutable.cpp:
534         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
535
536 2016-12-07  Yusuke Suzuki  <utatane.tea@gmail.com>
537
538         [JSC] Drop translate phase in module loader
539         https://bugs.webkit.org/show_bug.cgi?id=164861
540
541         Reviewed by Saam Barati.
542
543         Originally, this "translate" phase was introduced to the module loader.
544         However, recent rework discussion[1] starts dropping this phase.
545         And this "translate" phase is meaningless in the browser side module loader
546         since this phase originally mimics the node.js's translation hook (like,
547         transpiling CoffeeScript source to JavaScript).
548
549         This "translate" phase is not necessary for the exposed HTML5
550         <script type="module"> tag right now. Once the module loader pipeline is
551         redefined and specified, we need to update the current loader anyway.
552         So dropping "translate" phase right now is OK.
553
554         This a bit simplifies the current module loader pipeline.
555
556         [1]: https://github.com/whatwg/loader/issues/147
557
558         * builtins/ModuleLoaderPrototype.js:
559         (newRegistryEntry):
560         (fulfillFetch):
561         (requestFetch):
562         (requestInstantiate):
563         (provide):
564         (fulfillTranslate): Deleted.
565         (requestTranslate): Deleted.
566         * bytecode/BytecodeIntrinsicRegistry.cpp:
567         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
568         * jsc.cpp:
569         * runtime/JSGlobalObject.cpp:
570         * runtime/JSGlobalObject.h:
571         * runtime/JSModuleLoader.cpp:
572         (JSC::JSModuleLoader::translate): Deleted.
573         * runtime/JSModuleLoader.h:
574         * runtime/ModuleLoaderPrototype.cpp:
575         (JSC::moduleLoaderPrototypeInstantiate):
576         (JSC::moduleLoaderPrototypeTranslate): Deleted.
577
578 2016-12-07  Joseph Pecoraro  <pecoraro@apple.com>
579
580         Web Inspector: Add ability to distinguish if a Script was parsed as a module
581         https://bugs.webkit.org/show_bug.cgi?id=164900
582         <rdar://problem/29323817>
583
584         Reviewed by Timothy Hatcher.
585
586         * inspector/agents/InspectorDebuggerAgent.cpp:
587         (Inspector::InspectorDebuggerAgent::didParseSource):
588         * inspector/protocol/Debugger.json:
589         Add an optional event parameter to distinguish if a script was a module or not.
590
591 2016-12-07  Simon Fraser  <simon.fraser@apple.com>
592
593         Add system trace points for JavaScript VM entry/exit
594         https://bugs.webkit.org/show_bug.cgi?id=165550
595
596         Reviewed by Tim Horton.
597
598         Add trace points for entry/exit into/out of the JS VM.
599
600         * runtime/VMEntryScope.cpp:
601         (JSC::VMEntryScope::VMEntryScope):
602         (JSC::VMEntryScope::~VMEntryScope):
603
604 2016-12-06  Keith Miller  <keith_miller@apple.com>
605
606         Add support for truncation operators
607         https://bugs.webkit.org/show_bug.cgi?id=165519
608
609         Reviewed by Geoffrey Garen.
610
611         This patch adds initial support for truncation operators. The current patch
612         does range-based out-of-bounds checking; in the future we should use system
613         register flags on ARM and other tricks on X86 to improve the performance of
614         these opcodes.
615
616         * assembler/MacroAssemblerARM64.h:
617         (JSC::MacroAssemblerARM64::branchTruncateDoubleToInt32):
618         (JSC::MacroAssemblerARM64::truncateDoubleToInt64):
619         (JSC::MacroAssemblerARM64::truncateDoubleToUint64):
620         (JSC::MacroAssemblerARM64::truncateFloatToInt32):
621         (JSC::MacroAssemblerARM64::truncateFloatToUint32):
622         (JSC::MacroAssemblerARM64::truncateFloatToInt64):
623         (JSC::MacroAssemblerARM64::truncateFloatToUint64):
624         * assembler/MacroAssemblerX86Common.h:
625         (JSC::MacroAssemblerX86Common::truncateFloatToInt32):
626         (JSC::MacroAssemblerX86Common::truncateDoubleToUint32): Deleted.
627         * assembler/MacroAssemblerX86_64.h:
628         (JSC::MacroAssemblerX86_64::truncateDoubleToUint32):
629         (JSC::MacroAssemblerX86_64::truncateDoubleToInt64):
630         (JSC::MacroAssemblerX86_64::truncateDoubleToUint64):
631         (JSC::MacroAssemblerX86_64::truncateFloatToUint32):
632         (JSC::MacroAssemblerX86_64::truncateFloatToInt64):
633         (JSC::MacroAssemblerX86_64::truncateFloatToUint64):
634         * assembler/X86Assembler.h:
635         (JSC::X86Assembler::cvttss2si_rr):
636         (JSC::X86Assembler::cvttss2siq_rr):
637         * wasm/WasmB3IRGenerator.cpp:
638         (JSC::Wasm::B3IRGenerator::addOp<OpType::I32TruncSF64>):
639         (JSC::Wasm::B3IRGenerator::addOp<OpType::I32TruncSF32>):
640         (JSC::Wasm::B3IRGenerator::addOp<OpType::I32TruncUF64>):
641         (JSC::Wasm::B3IRGenerator::addOp<OpType::I32TruncUF32>):
642         (JSC::Wasm::B3IRGenerator::addOp<OpType::I64TruncSF64>):
643         (JSC::Wasm::B3IRGenerator::addOp<OpType::I64TruncUF64>):
644         (JSC::Wasm::B3IRGenerator::addOp<OpType::I64TruncSF32>):
645         (JSC::Wasm::B3IRGenerator::addOp<OpType::I64TruncUF32>):
646         * wasm/WasmFunctionParser.h:
647         (JSC::Wasm::FunctionParser<Context>::parseExpression):
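
        The range check mentioned above is what gives these opcodes their trapping
        semantics: a float-to-integer conversion whose truncated value does not fit
        the target type, or whose input is NaN, must raise a WebAssembly RuntimeError
        instead of returning whatever the hardware produces (x86 cvttsd2si yields the
        "integer indefinite" value 0x80000000 for such inputs). The JavaScript below
        is an added example and not WebKit code: it hand-assembles a one-function
        module that applies i32.trunc_f64_s to its argument and probes the in-range
        and out-of-range cases. The module bytes, the export name "trunc" and the
        helper names are constructed for this example.

```javascript
// Added example, not WebKit code. A minimal wasm module hand-encoded for this
// demonstration: one exported function "trunc" of type (f64) -> i32 whose body
// is `local.get 0; i32.trunc_f64_s; end`.
const TRUNC_MODULE_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d,                         // magic "\0asm"
  0x01, 0x00, 0x00, 0x00,                         // binary format version 1
  // Type section (id 1): one func type, 1 param f64 (0x7c), 1 result i32 (0x7f)
  0x01, 0x06, 0x01, 0x60, 0x01, 0x7c, 0x01, 0x7f,
  // Function section (id 3): one function using type index 0
  0x03, 0x02, 0x01, 0x00,
  // Export section (id 7): export func 0 under the name "trunc"
  0x07, 0x09, 0x01, 0x05, 0x74, 0x72, 0x75, 0x6e, 0x63, 0x00, 0x00,
  // Code section (id 10): body size 5, no locals, local.get 0, i32.trunc_f64_s (0xaa), end
  0x0a, 0x07, 0x01, 0x05, 0x00, 0x20, 0x00, 0xaa, 0x0b,
]);

const truncInstance = new WebAssembly.Instance(new WebAssembly.Module(TRUNC_MODULE_BYTES));

// Apply i32.trunc_f64_s to x. Returns { ok: true, value } when trunc(x) fits a
// signed 32-bit integer, and { ok: false, trap: true } when wasm traps because
// the input is NaN, infinite, or outside [-2^31, 2^31 - 1] after truncation.
function truncF64ToI32(x) {
  try {
    return { ok: true, value: truncInstance.exports.trunc(x) };
  } catch (e) {
    return { ok: false, trap: e instanceof WebAssembly.RuntimeError };
  }
}

// Reference implementation of the spec's range rule in plain JavaScript, used
// to check the engine's behaviour rather than trusting it.
function truncF64ToI32Reference(x) {
  if (Number.isNaN(x)) return { ok: false, trap: true };
  const t = Math.trunc(x);
  if (t < -(2 ** 31) || t > 2 ** 31 - 1) return { ok: false, trap: true };
  return { ok: true, value: t };
}

// Sweep boundary values and report inputs where the engine and the reference
// disagree; an empty list means the engine's range check matches the spec.
function findTruncMismatches() {
  const samples = [3.9, -3.9, 0, -0.5, 2147483647.9, -2147483648.9,
                   2 ** 31, -(2 ** 31) - 1, NaN, Infinity, -Infinity];
  const mismatches = [];
  for (const x of samples) {
    const engine = truncF64ToI32(x);
    const ref = truncF64ToI32Reference(x);
    if (engine.ok !== ref.ok || (engine.ok && engine.value !== ref.value)) mismatches.push(x);
  }
  return mismatches;
}
```

        Run under any engine with WebAssembly support (for example node); the
        boundary values 2147483647.9 and -2147483648.9 convert, while 2^31,
        -2^31 - 1, NaN and the infinities trap.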
648
649 2016-12-07  Joseph Pecoraro  <pecoraro@apple.com>
650
651         Web Inspector: Remove unused and mostly untested Page domain commands and events
652         https://bugs.webkit.org/show_bug.cgi?id=165507
653
654         Reviewed by Brian Burg.
655
656         Remove unused and unsupported commands and events.
657
658           - Page.setDocumentContent
659           - Page.getScriptExecutionStatus
660           - Page.setScriptExecutionDisabled
661           - Page.handleJavaScriptDialog
662           - Page.javascriptDialogOpening
663           - Page.javascriptDialogClosed
664           - Page.scriptsEnabled
665
666         * inspector/protocol/Page.json:
667
668 2016-12-07  Yusuke Suzuki  <utatane.tea@gmail.com>
669
670         [JSC] Merge PromiseReactions
671         https://bugs.webkit.org/show_bug.cgi?id=165526
672
673         Reviewed by Sam Weinig.
674
675         Our promise implementation has two arrays per Promise; promiseFulfillReactions and promiseRejectReactions.
676         And every time we call `promise.then`, we create two promise reactions for fulfill and reject.
677         However, these two reactions and the arrays for reactions can be merged into one array and one reaction.
678         It reduces the unnecessary object allocations.
679
680         No behavior change.
681
682         * builtins/BuiltinNames.h:
683         * builtins/PromiseOperations.js:
684         (globalPrivate.newPromiseReaction):
685         (globalPrivate.triggerPromiseReactions):
686         (globalPrivate.rejectPromise):
687         (globalPrivate.fulfillPromise):
688         (globalPrivate.promiseReactionJob):
689         (globalPrivate.initializePromise):
690         * builtins/PromisePrototype.js:
691         (then):
692         * runtime/JSPromise.cpp:
693         (JSC::JSPromise::finishCreation):
694
695 2016-12-06  Mark Lam  <mark.lam@apple.com>
696
697         GetByID IC is wrongly unwrapping the global proxy this value for getter/setters.
698         https://bugs.webkit.org/show_bug.cgi?id=165401
699
700         Reviewed by Saam Barati.
701
702         When the this value for a property access is the JS global and that property
703         access is via a GetterSetter, the underlying getter / setter functions would
704         expect the this value they receive to be the JSProxy instance instead of the
705         JSGlobalObject.  This is consistent with how the LLINT and runtime code behaves.
706         The IC code should behave the same way.
707
708         Also added some ASSERTs to document invariants in the code, and help detect
709         bugs sooner if the code gets changed in a way that breaks those invariants in
710         the future.
711
712         * bytecode/PolymorphicAccess.cpp:
713         (JSC::AccessCase::generateImpl):
714
715 2016-12-06  Joseph Pecoraro  <pecoraro@apple.com>
716
717         DumpRenderTree ASSERT in JSC::ExecutableBase::isHostFunction seen on bots
718         https://bugs.webkit.org/show_bug.cgi?id=165497
719         <rdar://problem/29538973>
720
721         Reviewed by Saam Barati.
722
723         * inspector/agents/InspectorScriptProfilerAgent.cpp:
724         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
725         Defer collection when extracting and processing the samples to avoid
726         any objects held by the samples from getting collected while processing.
727         This is because while processing we call into functions that can
728         allocate and we must prevent those functions from syncing with the
729         GC thread which may collect other sample data yet to be processed.
730
731 2016-12-06  Alexey Proskuryakov  <ap@apple.com>
732
733         Correct SDKROOT values in xcconfig files
734         https://bugs.webkit.org/show_bug.cgi?id=165487
735         rdar://problem/29539209
736
737         Reviewed by Dan Bernstein.
738
739         Fix suggested by Dan Bernstein.
740
741         * Configurations/DebugRelease.xcconfig:
742
743 2016-12-06  Saam Barati  <sbarati@apple.com>
744
745         Remove old Wasm object model
746         https://bugs.webkit.org/show_bug.cgi?id=165481
747
748         Reviewed by Keith Miller and Mark Lam.
749
750         It's confusing to see code that consults both the old
751         Wasm object model alongside the new one. The old object
752         model is not a thing, and it's not being used. Let's
753         remove it now to prevent further confusion.
754
755         * CMakeLists.txt:
756         * JavaScriptCore.xcodeproj/project.pbxproj:
757         * bytecode/CodeBlock.cpp:
758         (JSC::CodeBlock::finalizeLLIntInlineCaches):
759         (JSC::CodeBlock::replacement):
760         (JSC::CodeBlock::computeCapabilityLevel):
761         (JSC::CodeBlock::updateAllPredictions):
762         * bytecode/CodeBlock.h:
763         * bytecode/WebAssemblyCodeBlock.cpp: Removed.
764         * bytecode/WebAssemblyCodeBlock.h: Removed.
765         * dfg/DFGCapabilities.cpp:
766         (JSC::DFG::isSupportedForInlining):
767         * interpreter/Interpreter.cpp:
768         (JSC::GetStackTraceFunctor::operator()):
769         (JSC::UnwindFunctor::operator()):
770         (JSC::isWebAssemblyExecutable): Deleted.
771         * jit/JITOperations.cpp:
772         * jit/Repatch.cpp:
773         (JSC::linkPolymorphicCall):
774         * llint/LLIntSlowPaths.cpp:
775         (JSC::LLInt::setUpCall):
776         * runtime/ExecutableBase.cpp:
777         (JSC::ExecutableBase::clearCode):
778         * runtime/ExecutableBase.h:
779         (JSC::ExecutableBase::isWebAssemblyExecutable): Deleted.
780         * runtime/JSFunction.cpp:
781         * runtime/JSFunction.h:
782         * runtime/JSFunctionInlines.h:
783         (JSC::JSFunction::isBuiltinFunction):
784         * runtime/VM.cpp:
785         (JSC::VM::VM):
786         * runtime/VM.h:
787         * runtime/WebAssemblyExecutable.cpp: Removed.
788         * runtime/WebAssemblyExecutable.h: Removed.
789
790 2016-12-06  JF Bastien  <jfbastien@apple.com>
791
792         PureNaN: fix typo
793         https://bugs.webkit.org/show_bug.cgi?id=165493
794
795         Reviewed by Mark Lam.
796
797         * runtime/PureNaN.h:
798
799 2016-12-06  Mark Lam  <mark.lam@apple.com>
800
801         Introduce the concept of Immutable Prototype Exotic Objects to comply with the spec.
802         https://bugs.webkit.org/show_bug.cgi?id=165227
803         <rdar://problem/29442665>
804
805         Reviewed by Saam Barati.
806
807         * runtime/JSObject.cpp:
808         (JSC::JSObject::setPrototypeWithCycleCheck):
809         - This is where we check for immutable prototype exotic objects and refuse to set
810           the prototype if needed.
811           See https://tc39.github.io/ecma262/#sec-immutable-prototype-exotic-objects.
812
813         * runtime/JSTypeInfo.h:
814         (JSC::TypeInfo::isImmutablePrototypeExoticObject):
815         * runtime/Structure.h:
816         - Add flag for declaring immutable prototype exotic objects.
817
818         * runtime/ObjectPrototype.h:
819         - Declare that Object.prototype is an immutable prototype exotic object.
820           See https://tc39.github.io/ecma262/#sec-properties-of-the-object-prototype-object.
821
822         * runtime/ObjectConstructor.cpp:
823         (JSC::objectConstructorSetPrototypeOf):
824         - Use better error messages.
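
        The observable effect of this change from script, as an added example in
        JavaScript (not WebKit code): every path that tries to replace the
        [[Prototype]] of Object.prototype ends in the [[SetPrototypeOf]] check
        described above and is refused, while re-setting the current prototype
        (SameValue) is still permitted. An ordinary object is probed for contrast.
        The helper name is chosen for this example.

```javascript
// Added example, not WebKit code. Probe the three script-visible paths into
// [[SetPrototypeOf]] for a target object and report how each one behaves.
// For an immutable prototype exotic object such as Object.prototype, the
// internal method returns false unless the new prototype is SameValue to the
// current one, which keeps anyone from splicing an object above
// Object.prototype to hand every object new inherited properties.
function probeSetPrototypeOf(target) {
  const before = Object.getPrototypeOf(target);
  const result = {};

  // Reflect.setPrototypeOf returns the boolean from [[SetPrototypeOf]] directly.
  result.reflectRejected = Reflect.setPrototypeOf(target, {}) === false;

  // Object.setPrototypeOf throws a TypeError when [[SetPrototypeOf]] returns false.
  try {
    Object.setPrototypeOf(target, {});
    result.setPrototypeOfThrew = false;
  } catch (e) {
    result.setPrototypeOfThrew = e instanceof TypeError;
  }

  // The __proto__ accessor's setter calls the same internal method and throws
  // a TypeError on a false result, so a plain property write is refused too.
  try {
    target.__proto__ = {};
    result.protoSetterThrew = false;
  } catch (e) {
    result.protoSetterThrew = e instanceof TypeError;
  }

  // After all three attempts, an immutable prototype is exactly what it was.
  result.prototypeUnchanged = Object.getPrototypeOf(target) === before;

  // Setting the prototype to its current value takes the SameValue short-circuit
  // and succeeds even for an immutable prototype exotic object.
  result.sameValueAccepted = Reflect.setPrototypeOf(target, before) === true;

  return result;
}
```

        For Object.prototype every rejection flag is true and the prototype stays
        null; for a fresh {} the mutations succeed and only sameValueAccepted is
        true alongside the changed prototype.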
825
826 2016-12-04  Darin Adler  <darin@apple.com>
827
828         Use ASCIICType more, and improve it a little bit
829         https://bugs.webkit.org/show_bug.cgi?id=165360
830
831         Reviewed by Sam Weinig.
832
833         * inspector/InspectorValues.cpp:
834         (Inspector::readHexDigits): Use isASCIIHexDigit.
835         (Inspector::hextoInt): Deleted.
836         (decodeString): Use toASCIIHexValue.
837
838         * runtime/JSGlobalObjectFunctions.cpp:
839         (JSC::parseDigit): Use isASCIIDigit, isASCIIUpper, and isASCIILower.
840
841         * runtime/StringPrototype.cpp:
842         (JSC::substituteBackreferencesSlow): Use isASCIIDigit.
843
844 2016-12-06  Csaba Osztrogonác  <ossy@webkit.org>
845
846         Add storeFence support for ARMv7
847         https://bugs.webkit.org/show_bug.cgi?id=164733
848
849         Reviewed by Saam Barati.
850
851         * assembler/ARMAssembler.h:
852         (JSC::ARMAssembler::dmbISHST): Added.
853         * assembler/ARMv7Assembler.h: Typo fixed, DMB has only T1 encoding.
854         (JSC::ARMv7Assembler::dmbSY):
855         (JSC::ARMv7Assembler::dmbISHST): Added.
856         * assembler/MacroAssemblerARM.h:
857         (JSC::MacroAssemblerARM::storeFence):
858         * assembler/MacroAssemblerARMv7.h:
859         (JSC::MacroAssemblerARMv7::storeFence):
860
861 2016-12-05  Matt Baker  <mattbaker@apple.com>
862
863         Web Inspector: remove ASSERT from InspectorDebuggerAgent::derefAsyncCallData
864         https://bugs.webkit.org/show_bug.cgi?id=165413
865         <rdar://problem/29517587>
866
867         Reviewed by Brian Burg.
868
869         DOMTimer::removeById can call into InspectorInstrumentation with an
870         invalid identifier, so don't assert that async call data exists.
871
872         * inspector/agents/InspectorDebuggerAgent.cpp:
873         (Inspector::InspectorDebuggerAgent::derefAsyncCallData):
874
875 2016-12-05  Geoffrey Garen  <ggaren@apple.com>
876
877         Fixed a bug in my last patch.
878
879         Unreviewed.
880
881         * bytecode/UnlinkedFunctionExecutable.h: Restore the conversion to
882         one-based counting.
883
884 2016-12-05  Geoffrey Garen  <ggaren@apple.com>
885
886         Moved start and end column linking into helper functions
887         https://bugs.webkit.org/show_bug.cgi?id=165422
888
889         Reviewed by Sam Weinig.
890
891         * bytecode/UnlinkedFunctionExecutable.cpp:
892         (JSC::UnlinkedFunctionExecutable::link):
893         * bytecode/UnlinkedFunctionExecutable.h:
894
895 2016-12-05  Mark Lam  <mark.lam@apple.com>
896
897         Fix JSC files so that we can build a release build with NDEBUG #undef'ed.
898         https://bugs.webkit.org/show_bug.cgi?id=165409
899
900         Reviewed by Keith Miller.
901
902         This allows us to run a release build with DEBUG ASSERTs enabled.
903
904         * bytecode/BytecodeLivenessAnalysis.cpp:
905         * bytecode/UnlinkedEvalCodeBlock.cpp:
906         * bytecode/UnlinkedFunctionCodeBlock.cpp:
907         * bytecode/UnlinkedModuleProgramCodeBlock.cpp:
908         * bytecode/UnlinkedProgramCodeBlock.cpp:
909         * runtime/EvalExecutable.cpp:
910
911 2016-12-05  Geoffrey Garen  <ggaren@apple.com>
912
913         Renamed source => parentSource
914         https://bugs.webkit.org/show_bug.cgi?id=165419
915
916         Reviewed by Saam Barati.
917
918         This should help clarify that a FunctionExecutable holds the source
919         code to its *parent* scope, and not its own SourceCode.
920
921         * builtins/BuiltinExecutables.cpp:
922         (JSC::BuiltinExecutables::createExecutable):
923         * bytecode/UnlinkedFunctionExecutable.cpp:
924         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
925         (JSC::UnlinkedFunctionExecutable::link):
926         * bytecode/UnlinkedFunctionExecutable.h:
927
928 2016-12-05  Geoffrey Garen  <ggaren@apple.com>
929
930         ScriptExecutable should not contain a copy of firstLine and startColumn
931         https://bugs.webkit.org/show_bug.cgi?id=165415
932
933         Reviewed by Keith Miller.
934
935         We already have this data in SourceCode.
936
937         It's super confusing to have two copies of this data, where one is
938         allowed to mutate. In reality, your line and column number never change.
939
940         * bytecode/UnlinkedFunctionExecutable.cpp:
941         (JSC::UnlinkedFunctionExecutable::link):
942         * runtime/CodeCache.cpp:
943         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
944         * runtime/CodeCache.h:
945         (JSC::generateUnlinkedCodeBlock):
946         * runtime/FunctionExecutable.cpp:
947         (JSC::FunctionExecutable::FunctionExecutable):
948         * runtime/FunctionExecutable.h:
949         * runtime/ScriptExecutable.cpp:
950         (JSC::ScriptExecutable::ScriptExecutable):
951         (JSC::ScriptExecutable::newCodeBlockFor):
952         * runtime/ScriptExecutable.h:
953         (JSC::ScriptExecutable::firstLine):
954         (JSC::ScriptExecutable::startColumn):
955         (JSC::ScriptExecutable::recordParse):
956
957 2016-12-05  Caitlin Potter  <caitp@igalia.com>
958
959         [JSC] report unexpected token when "async" is followed by identifier 
960         https://bugs.webkit.org/show_bug.cgi?id=165091
961
962         Reviewed by Mark Lam.
963
964         Report a SyntaxError, in order to report the correct error in contexts
965         where an async ArrowFunction cannot occur. Also corrects errors in the comment
966         describing the JSTokenType bitfield, which was added in r209293.
967
968         * parser/Parser.cpp:
969         (JSC::Parser<LexerType>::parseMemberExpression):
970         * parser/ParserTokens.h:
971
972 2016-12-05  Keith Miller  <keith_miller@apple.com>
973
974         Add Wasm i64 to i32 conversion.
975         https://bugs.webkit.org/show_bug.cgi?id=165378
976
977         Reviewed by Filip Pizlo.
978
979         It turns out the wrap operation is just B3's Trunc.
980
981         * wasm/wasm.json:
982
983 2016-12-05  Joseph Pecoraro  <pecoraro@apple.com>
984
985         REGRESSION(r208985): SafariForWebKitDevelopment Symbol Not Found looking for method with WTF::Optional
986         https://bugs.webkit.org/show_bug.cgi?id=165351
987
988         Reviewed by Yusuke Suzuki.
989
990         Some versions of Safari expect:
991
992             Inspector::BackendDispatcher::reportProtocolError(WTF::Optional<long>, Inspector::BackendDispatcher::CommonErrorCode, WTF::String const&)
993         
994         Which we had updated to use std::optional. Expose a version with the original
995         Symbol for these Safaris. This stub will just call through to the new version.
996
997         * inspector/InspectorBackendDispatcher.cpp:
998         (Inspector::BackendDispatcher::reportProtocolError):
999         * inspector/InspectorBackendDispatcher.h:
1000
1001 2016-12-05  Konstantin Tokarev  <annulen@yandex.ru>
1002
1003         Add __STDC_FORMAT_MACROS before inttypes.h is included
1004         https://bugs.webkit.org/show_bug.cgi?id=165374
1005
1006         We need formatting macros like PRIu64 to be available in all places where
1007         the inttypes.h header is used. All these usages get inttypes.h definitions
1008         via the wtf/Assertions.h header, except SQLiteFileSystem.cpp where formatting
1009         macros are not used anymore since r185129.
1010
1011         This patch fixes multiple build errors with MinGW and reduces the number of
1012         independent __STDC_FORMAT_MACROS uses in the code base.
1013
1014         Reviewed by Darin Adler.
1015
1016         * disassembler/ARM64/A64DOpcode.cpp: Removed __STDC_FORMAT_MACROS
1017         because it is obtained via Assertions.h now
1018         * disassembler/ARM64Disassembler.cpp: Ditto.
1019
1020 2016-12-04  Keith Miller  <keith_miller@apple.com>
1021
1022         Add support for Wasm ctz and popcnt
1023         https://bugs.webkit.org/show_bug.cgi?id=165369
1024
1025         Reviewed by Saam Barati.
1026
1027         * assembler/MacroAssemblerARM64.h:
1028         (JSC::MacroAssemblerARM64::countTrailingZeros32):
1029         (JSC::MacroAssemblerARM64::countTrailingZeros64):
1030         * assembler/MacroAssemblerX86Common.cpp:
1031         * assembler/MacroAssemblerX86Common.h:
1032         (JSC::MacroAssemblerX86Common::countTrailingZeros32):
1033         (JSC::MacroAssemblerX86Common::supportsBMI1):
1034         (JSC::MacroAssemblerX86Common::ctzAfterBsf):
1035         * assembler/MacroAssemblerX86_64.h:
1036         (JSC::MacroAssemblerX86_64::countTrailingZeros64):
1037         * assembler/X86Assembler.h:
1038         (JSC::X86Assembler::tzcnt_rr):
1039         (JSC::X86Assembler::tzcntq_rr):
1040         (JSC::X86Assembler::bsf_rr):
1041         (JSC::X86Assembler::bsfq_rr):
1042         * wasm/WasmB3IRGenerator.cpp:
1043         (JSC::Wasm::B3IRGenerator::addOp<OpType::I32Ctz>):
1044         (JSC::Wasm::B3IRGenerator::addOp<OpType::I64Ctz>):
1045         (JSC::Wasm::B3IRGenerator::addOp<OpType::I32Popcnt>):
1046         (JSC::Wasm::B3IRGenerator::addOp<OpType::I64Popcnt>):
1047         * wasm/WasmFunctionParser.h:
1048         (JSC::Wasm::FunctionParser<Context>::parseExpression):
1049
1050 2016-12-04  Saam Barati  <sbarati@apple.com>
1051
1052         We should have a Wasm callee
1053         https://bugs.webkit.org/show_bug.cgi?id=165163
1054
1055         Reviewed by Keith Miller.
1056
1057         This patch adds JSWebAssemblyCallee and stores it into the
1058         callee slot in the call frame as part of the prologue of a
1059         wasm function. This is the first step in implementing
1060         unwinding from/through wasm frames. We will use the callee
1061         to identify that a machine frame belongs to wasm code.
1062
1063         * CMakeLists.txt:
1064         * JavaScriptCore.xcodeproj/project.pbxproj:
1065         * jsc.cpp:
1066         (callWasmFunction):
1067         (functionTestWasmModuleFunctions):
1068         * llint/LowLevelInterpreter64.asm:
1069         * runtime/JSGlobalObject.cpp:
1070         * runtime/VM.cpp:
1071         (JSC::VM::VM):
1072         * runtime/VM.h:
1073         * wasm/JSWebAssembly.h:
1074         * wasm/WasmB3IRGenerator.cpp:
1075         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1076         (JSC::Wasm::parseAndCompile):
1077         * wasm/WasmCallingConvention.h:
1078         (JSC::Wasm::CallingConvention::setupFrameInPrologue):
1079         * wasm/WasmFormat.h:
1080         * wasm/WasmPlan.cpp:
1081         (JSC::Wasm::Plan::initializeCallees):
1082         * wasm/WasmPlan.h:
1083         (JSC::Wasm::Plan::compiledFunction):
1084         (JSC::Wasm::Plan::getCompiledFunctions): Deleted.
1085         * wasm/js/JSWebAssemblyCallee.cpp: Added.
1086         (JSC::JSWebAssemblyCallee::JSWebAssemblyCallee):
1087         (JSC::JSWebAssemblyCallee::finishCreation):
1088         (JSC::JSWebAssemblyCallee::destroy):
1089         * wasm/js/JSWebAssemblyCallee.h: Added.
1090         (JSC::JSWebAssemblyCallee::create):
1091         (JSC::JSWebAssemblyCallee::createStructure):
1092         (JSC::JSWebAssemblyCallee::jsEntryPoint):
1093         * wasm/js/JSWebAssemblyModule.cpp:
1094         (JSC::JSWebAssemblyModule::create):
1095         (JSC::JSWebAssemblyModule::JSWebAssemblyModule):
1096         (JSC::JSWebAssemblyModule::visitChildren):
1097         * wasm/js/JSWebAssemblyModule.h:
1098         (JSC::JSWebAssemblyModule::moduleInformation):
1099         (JSC::JSWebAssemblyModule::callee):
1100         (JSC::JSWebAssemblyModule::callees):
1101         (JSC::JSWebAssemblyModule::offsetOfCallees):
1102         (JSC::JSWebAssemblyModule::allocationSize):
1103         (JSC::JSWebAssemblyModule::compiledFunctions): Deleted.
1104         * wasm/js/WebAssemblyFunction.cpp:
1105         (JSC::callWebAssemblyFunction):
1106         (JSC::WebAssemblyFunction::create):
1107         (JSC::WebAssemblyFunction::visitChildren):
1108         (JSC::WebAssemblyFunction::finishCreation):
1109         * wasm/js/WebAssemblyFunction.h:
1110         (JSC::WebAssemblyFunction::webAssemblyCallee):
1111         (JSC::WebAssemblyFunction::instance):
1112         (JSC::WebAssemblyFunction::signature):
1113         (JSC::CallableWebAssemblyFunction::CallableWebAssemblyFunction): Deleted.
1114         (JSC::WebAssemblyFunction::webAssemblyFunctionCell): Deleted.
1115         * wasm/js/WebAssemblyFunctionCell.cpp:
1116         (JSC::WebAssemblyFunctionCell::create): Deleted.
1117         (JSC::WebAssemblyFunctionCell::WebAssemblyFunctionCell): Deleted.
1118         (JSC::WebAssemblyFunctionCell::destroy): Deleted.
1119         (JSC::WebAssemblyFunctionCell::createStructure): Deleted.
1120         * wasm/js/WebAssemblyFunctionCell.h:
1121         (JSC::WebAssemblyFunctionCell::function): Deleted.
1122         * wasm/js/WebAssemblyModuleConstructor.cpp:
1123         (JSC::constructJSWebAssemblyModule):
1124         * wasm/js/WebAssemblyModuleRecord.cpp:
1125         (JSC::WebAssemblyModuleRecord::link):
1126
1127 2016-12-04  Matt Baker  <mattbaker@apple.com>
1128
1129         Web Inspector: Assertion Failures breakpoint should respect global Breakpoints enabled setting
1130         https://bugs.webkit.org/show_bug.cgi?id=165277
1131         <rdar://problem/29467098>
1132
1133         Reviewed by Mark Lam.
1134
1135         * inspector/agents/InspectorDebuggerAgent.cpp:
1136         (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
1137         Check that breakpoints are active before pausing.
1138
1139 2016-12-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1140
1141         Refactor SymbolImpl layout
1142         https://bugs.webkit.org/show_bug.cgi?id=165247
1143
1144         Reviewed by Darin Adler.
1145
1146         Use SymbolImpl::{create, createNullSymbol} instead.
1147
1148         * runtime/PrivateName.h:
1149         (JSC::PrivateName::PrivateName):
1150
1151 2016-12-03  JF Bastien  <jfbastien@apple.com>
1152
1153         WebAssembly: update binary format to 0xD version
1154         https://bugs.webkit.org/show_bug.cgi?id=165345
1155
1156         Reviewed by Keith Miller.
1157
1158         As described in the following PR: https://github.com/WebAssembly/design/pull/836
1159         Originally committed in r209175, reverted in r209242, and fixed in r209284.
1160
1161         * wasm/WasmB3IRGenerator.cpp:
1162         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1163         (JSC::Wasm::B3IRGenerator::zeroForType):
1164         (JSC::Wasm::B3IRGenerator::addConstant):
1165         (JSC::Wasm::createJSWrapper):
1166         * wasm/WasmCallingConvention.h:
1167         (JSC::Wasm::CallingConvention::marshallArgument):
1168         * wasm/WasmFormat.cpp:
1169         (JSC::Wasm::toString): Deleted.
1170         * wasm/WasmFormat.h:
1171         (JSC::Wasm::isValueType):
1172         (JSC::Wasm::toB3Type): Deleted.
1173         * wasm/WasmFunctionParser.h:
1174         (JSC::Wasm::FunctionParser<Context>::parseExpression):
1175         * wasm/WasmModuleParser.cpp:
1176         (JSC::Wasm::ModuleParser::parse):
1177         (JSC::Wasm::ModuleParser::parseType):
1178         * wasm/WasmModuleParser.h:
1179         * wasm/WasmParser.h:
1180         (JSC::Wasm::Parser::parseResultType):
1181         * wasm/generateWasm.py:
1182         (Wasm.__init__):
1183         * wasm/generateWasmOpsHeader.py:
1184         (cppMacro):
1185         (typeMacroizer):
1186         (opcodeMacroizer):
1187         * wasm/js/WebAssemblyFunction.cpp:
1188         (JSC::callWebAssemblyFunction):
1189         * wasm/wasm.json:
1190
1191 2016-12-02  Keith Miller  <keith_miller@apple.com>
1192
1193         Add Wasm copysign
1194         https://bugs.webkit.org/show_bug.cgi?id=165355
1195
1196         Reviewed by Filip Pizlo.
1197
1198         This patch also makes two other important changes:
1199
1200         1) allows for i64 constants in the B3 generator language.
1201         2) Fixes a bug with F64ConvertUI64 where the operation returned a Float instead
1202            of a Double in B3.
1203
1204         * wasm/WasmB3IRGenerator.cpp:
1205         (JSC::Wasm::B3IRGenerator::addOp<F64ConvertUI64>):
1206         * wasm/generateWasmB3IRGeneratorInlinesHeader.py:
1207         (CodeGenerator.generateOpcode):
1208         (generateConstCode):
1209         (generateI32ConstCode): Deleted.
1210         * wasm/wasm.json:
1211
1212 2016-12-03  Commit Queue  <commit-queue@webkit.org>
1213
1214         Unreviewed, rolling out r209298.
1215         https://bugs.webkit.org/show_bug.cgi?id=165359
1216
1217         broke the build (Requested by smfr on #webkit).
1218
1219         Reverted changeset:
1220
1221         "Add Wasm copysign"
1222         https://bugs.webkit.org/show_bug.cgi?id=165355
1223         http://trac.webkit.org/changeset/209298
1224
1225 2016-12-02  Keith Miller  <keith_miller@apple.com>
1226
1227         Add Wasm copysign
1228         https://bugs.webkit.org/show_bug.cgi?id=165355
1229
1230         Reviewed by Filip Pizlo.
1231
1232         This patch also makes two other important changes:
1233
1234         1) allows for i64 constants in the B3 generator language.
1235         2) Fixes a bug with F64ConvertUI64 where the operation returned a Float instead
1236            of a Double in B3.
1237
1238         * wasm/WasmB3IRGenerator.cpp:
1239         (JSC::Wasm::B3IRGenerator::addOp<F64ConvertUI64>):
1240         * wasm/generateWasmB3IRGeneratorInlinesHeader.py:
1241         (CodeGenerator.generateOpcode):
1242         (generateConstCode):
1243         (generateI32ConstCode): Deleted.
1244         * wasm/wasm.json:
1245
1246 2016-12-02  Keith Miller  <keith_miller@apple.com>
1247
1248         Unreviewed, fix git having a breakdown over trying to reland a rollout.
1249
1250 2016-12-02  Keith Miller  <keith_miller@apple.com>
1251
1252         Add Wasm floating point nearest and trunc
1253         https://bugs.webkit.org/show_bug.cgi?id=165339
1254
1255         Reviewed by Saam Barati.
1256
1257         This patch also allows any wasm primitive type to be passed as a
1258         string.
1259
1260         * assembler/MacroAssemblerARM64.h:
1261         (JSC::MacroAssemblerARM64::nearestIntDouble):
1262         (JSC::MacroAssemblerARM64::nearestIntFloat):
1263         (JSC::MacroAssemblerARM64::truncDouble):
1264         (JSC::MacroAssemblerARM64::truncFloat):
1265         * assembler/MacroAssemblerX86Common.h:
1266         (JSC::MacroAssemblerX86Common::nearestIntDouble):
1267         (JSC::MacroAssemblerX86Common::nearestIntFloat):
1268         * jsc.cpp:
1269         (box):
1270         * wasm/WasmB3IRGenerator.cpp:
1271         (JSC::Wasm::B3IRGenerator::addOp<F64ConvertUI64>):
1272         (JSC::Wasm::B3IRGenerator::addOp<OpType::F32ConvertUI64>):
1273         (JSC::Wasm::B3IRGenerator::addOp<OpType::F64Nearest>):
1274         (JSC::Wasm::B3IRGenerator::addOp<OpType::F32Nearest>):
1275         (JSC::Wasm::B3IRGenerator::addOp<OpType::F64Trunc>):
1276         (JSC::Wasm::B3IRGenerator::addOp<OpType::F32Trunc>):
1277         * wasm/WasmFunctionParser.h:
1278         (JSC::Wasm::FunctionParser<Context>::parseExpression):
1279
1280 2016-12-02  Caitlin Potter  <caitp@igalia.com>
1281
1282         [JSC] add additional bit to JSTokenType bitfield
1283         https://bugs.webkit.org/show_bug.cgi?id=165091
1284
1285         Reviewed by Geoffrey Garen.
1286
1287         Avoid overflow which causes keyword tokens to be treated as unary
1288         tokens now that "async" is tokenized as a keyword, by granting an
1289         additional 64 bits to be occupied by token IDs.
1290
1291         * parser/ParserTokens.h:
1292
1293 2016-12-02  Andy Estes  <aestes@apple.com>
1294
1295         [Cocoa] Adopt the PRODUCT_BUNDLE_IDENTIFIER build setting
1296         https://bugs.webkit.org/show_bug.cgi?id=164492
1297
1298         Reviewed by Dan Bernstein.
1299
1300         * Configurations/JavaScriptCore.xcconfig: Set PRODUCT_BUNDLE_IDENTIFIER to
1301         com.apple.$(PRODUCT_NAME:rfc1034identifier).
1302         * Info.plist: Changed CFBundleIdentifier's value from com.apple.${PRODUCT_NAME} to
1303         ${PRODUCT_BUNDLE_IDENTIFIER}.
1304
1305 2016-12-02  JF Bastien  <jfbastien@apple.com>
1306
1307         WebAssembly: mark WasmOps.h as private
1308         https://bugs.webkit.org/show_bug.cgi?id=165335
1309
1310         Reviewed by Mark Lam.
1311
1312         * JavaScriptCore.xcodeproj/project.pbxproj: WasmOps.h will be used by non-JSC and should therefore be private
1313
1314 2016-12-02  Commit Queue  <commit-queue@webkit.org>
1315
1316         Unreviewed, rolling out r209275 and r209276.
1317         https://bugs.webkit.org/show_bug.cgi?id=165348
1318
1319         "broke the arm build" (Requested by keith_miller on #webkit).
1320
1321         Reverted changesets:
1322
1323         "Add Wasm floating point nearest and trunc"
1324         https://bugs.webkit.org/show_bug.cgi?id=165339
1325         http://trac.webkit.org/changeset/209275
1326
1327         "Unreviewed, forgot to change instruction after renaming."
1328         http://trac.webkit.org/changeset/209276
1329
1330 2016-12-02  Keith Miller  <keith_miller@apple.com>
1331
1332         Unreviewed, forgot to change instruction after renaming.
1333
1334         * assembler/MacroAssemblerARM64.h:
1335         (JSC::MacroAssemblerARM64::nearestIntDouble):
1336         (JSC::MacroAssemblerARM64::nearestIntFloat):
1337
1338 2016-12-02  Keith Miller  <keith_miller@apple.com>
1339
1340         Add Wasm floating point nearest and trunc
1341         https://bugs.webkit.org/show_bug.cgi?id=165339
1342
1343         Reviewed by Filip Pizlo.
1344
1345         This patch also allows any wasm primitive type to be passed as a
1346         string.
1347
1348         * assembler/MacroAssemblerARM64.h:
1349         (JSC::MacroAssemblerARM64::nearestIntDouble):
1350         (JSC::MacroAssemblerARM64::nearestIntFloat):
1351         (JSC::MacroAssemblerARM64::truncDouble):
1352         (JSC::MacroAssemblerARM64::truncFloat):
1353         * assembler/MacroAssemblerX86Common.h:
1354         (JSC::MacroAssemblerX86Common::nearestIntDouble):
1355         (JSC::MacroAssemblerX86Common::nearestIntFloat):
1356         * jsc.cpp:
1357         (box):
1358         * wasm/WasmB3IRGenerator.cpp:
1359         (JSC::Wasm::B3IRGenerator::addOp<F64ConvertUI64>):
1360         (JSC::Wasm::B3IRGenerator::addOp<OpType::F32ConvertUI64>):
1361         (JSC::Wasm::B3IRGenerator::addOp<OpType::F64Nearest>):
1362         (JSC::Wasm::B3IRGenerator::addOp<OpType::F32Nearest>):
1363         (JSC::Wasm::B3IRGenerator::addOp<OpType::F64Trunc>):
1364         (JSC::Wasm::B3IRGenerator::addOp<OpType::F32Trunc>):
1365         * wasm/WasmFunctionParser.h:
1366         (JSC::Wasm::FunctionParser<Context>::parseExpression):
1367
1368 2016-12-02  JF Bastien  <jfbastien@apple.com>
1369
1370         WebAssembly: revert patch causing odd breakage
1371         https://bugs.webkit.org/show_bug.cgi?id=165308
1372
1373         Unreviewed.
1374
1375         Bug #164724 seems to cause build issues which I haven't tracked down yet. WasmOps.h can't be found:
1376         ./Source/JavaScriptCore/wasm/WasmFormat.h:34:10: fatal error: 'WasmOps.h' file not found
1377
1378         It's weird since the file is auto-generated and has been for a while. #164724 merely includes it in WasmFormat.h.
1379
1380         * wasm/WasmB3IRGenerator.cpp:
1381         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1382         (JSC::Wasm::B3IRGenerator::zeroForType):
1383         (JSC::Wasm::B3IRGenerator::addConstant):
1384         (JSC::Wasm::createJSWrapper):
1385         * wasm/WasmCallingConvention.h:
1386         (JSC::Wasm::CallingConvention::marshallArgument):
1387         * wasm/WasmFormat.cpp:
1388         (JSC::Wasm::toString):
1389         * wasm/WasmFormat.h:
1390         (JSC::Wasm::toB3Type):
1391         * wasm/WasmFunctionParser.h:
1392         (JSC::Wasm::FunctionParser<Context>::parseExpression):
1393         * wasm/WasmModuleParser.cpp:
1394         (JSC::Wasm::ModuleParser::parse):
1395         (JSC::Wasm::ModuleParser::parseType):
1396         * wasm/WasmModuleParser.h:
1397         * wasm/WasmParser.h:
1398         (JSC::Wasm::Parser::parseResultType):
1399         * wasm/generateWasm.py:
1400         (Wasm.__init__):
1401         * wasm/generateWasmOpsHeader.py:
1402         (cppMacro):
1403         (opcodeMacroizer):
1404         (typeMacroizer): Deleted.
1405         * wasm/js/WebAssemblyFunction.cpp:
1406         (JSC::callWebAssemblyFunction):
1407         * wasm/wasm.json:
1408
1409 2016-12-01  Brian Burg  <bburg@apple.com>
1410
1411         Remote Inspector: fix weird typo in generated ObjC protocol type initializer implementations
1412         https://bugs.webkit.org/show_bug.cgi?id=165295
1413         <rdar://problem/29427778>
1414
1415         Reviewed by Joseph Pecoraro.
1416
1417         Remove a stray semicolon appended after custom initializer signatures.
1418         This is a syntax error when building with less lenient compiler warnings.
1419
1420         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1421         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members):
1422         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1423         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1424         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1425         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1426         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1427         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1428         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1429
1430 2016-12-01  Saam Barati  <sbarati@apple.com>
1431
1432         Rename CallFrame::callee() to CallFrame::jsCallee()
1433         https://bugs.webkit.org/show_bug.cgi?id=165293
1434
1435         Reviewed by Keith Miller.
1436
1437         Wasm will soon have its own Callee that doesn't derive
1438         from JSObject, but derives from JSCell. I want to introduce
1439         a new function like:
1440         ```
1441         CalleeBase* CallFrame::callee()
1442         ```
1443         
1444         once we have a Wasm callee. It only makes sense to name that
1445         function callee() and rename the current one to:
1446         ```
1447         JSObject* CallFrame::jsCallee()
1448         ```
1449
1450         * API/APICallbackFunction.h:
1451         (JSC::APICallbackFunction::call):
1452         (JSC::APICallbackFunction::construct):
1453         * API/JSCallbackObjectFunctions.h:
1454         (JSC::JSCallbackObject<Parent>::construct):
1455         (JSC::JSCallbackObject<Parent>::call):
1456         * debugger/DebuggerCallFrame.cpp:
1457         (JSC::DebuggerCallFrame::scope):
1458         (JSC::DebuggerCallFrame::type):
1459         * interpreter/CallFrame.cpp:
1460         (JSC::CallFrame::friendlyFunctionName):
1461         * interpreter/CallFrame.h:
1462         (JSC::ExecState::jsCallee):
1463         (JSC::ExecState::callee): Deleted.
1464         * interpreter/Interpreter.cpp:
1465         (JSC::Interpreter::dumpRegisters):
1466         (JSC::notifyDebuggerOfUnwinding):
1467         * interpreter/ShadowChicken.cpp:
1468         (JSC::ShadowChicken::update):
1469         * interpreter/StackVisitor.cpp:
1470         (JSC::StackVisitor::readNonInlinedFrame):
1471         * llint/LLIntSlowPaths.cpp:
1472         (JSC::LLInt::traceFunctionPrologue):
1473         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1474         * runtime/ArrayConstructor.cpp:
1475         (JSC::constructArrayWithSizeQuirk):
1476         * runtime/AsyncFunctionConstructor.cpp:
1477         (JSC::callAsyncFunctionConstructor):
1478         (JSC::constructAsyncFunctionConstructor):
1479         * runtime/BooleanConstructor.cpp:
1480         (JSC::constructWithBooleanConstructor):
1481         * runtime/ClonedArguments.cpp:
1482         (JSC::ClonedArguments::createWithInlineFrame):
1483         * runtime/CommonSlowPaths.h:
1484         (JSC::CommonSlowPaths::arityCheckFor):
1485         * runtime/DateConstructor.cpp:
1486         (JSC::constructWithDateConstructor):
1487         * runtime/DirectArguments.cpp:
1488         (JSC::DirectArguments::createByCopying):
1489         * runtime/Error.h:
1490         (JSC::StrictModeTypeErrorFunction::constructThrowTypeError):
1491         (JSC::StrictModeTypeErrorFunction::callThrowTypeError):
1492         * runtime/ErrorConstructor.cpp:
1493         (JSC::Interpreter::constructWithErrorConstructor):
1494         (JSC::Interpreter::callErrorConstructor):
1495         * runtime/FunctionConstructor.cpp:
1496         (JSC::constructWithFunctionConstructor):
1497         (JSC::callFunctionConstructor):
1498         * runtime/GeneratorFunctionConstructor.cpp:
1499         (JSC::callGeneratorFunctionConstructor):
1500         (JSC::constructGeneratorFunctionConstructor):
1501         * runtime/InternalFunction.cpp:
1502         (JSC::InternalFunction::createSubclassStructure):
1503         * runtime/IntlCollator.cpp:
1504         (JSC::IntlCollator::initializeCollator):
1505         * runtime/IntlCollatorConstructor.cpp:
1506         (JSC::constructIntlCollator):
1507         (JSC::callIntlCollator):
1508         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
1509         * runtime/IntlDateTimeFormat.cpp:
1510         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1511         * runtime/IntlDateTimeFormatConstructor.cpp:
1512         (JSC::constructIntlDateTimeFormat):
1513         (JSC::callIntlDateTimeFormat):
1514         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
1515         * runtime/IntlNumberFormat.cpp:
1516         (JSC::IntlNumberFormat::initializeNumberFormat):
1517         * runtime/IntlNumberFormatConstructor.cpp:
1518         (JSC::constructIntlNumberFormat):
1519         (JSC::callIntlNumberFormat):
1520         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
1521         * runtime/IntlObject.cpp:
1522         (JSC::canonicalizeLocaleList):
1523         (JSC::defaultLocale):
1524         (JSC::lookupSupportedLocales):
1525         (JSC::intlObjectFuncGetCanonicalLocales):
1526         * runtime/JSArrayBufferConstructor.cpp:
1527         (JSC::constructArrayBuffer):
1528         * runtime/JSArrayBufferPrototype.cpp:
1529         (JSC::arrayBufferProtoFuncSlice):
1530         * runtime/JSBoundFunction.cpp:
1531         (JSC::boundThisNoArgsFunctionCall):
1532         (JSC::boundFunctionCall):
1533         (JSC::boundThisNoArgsFunctionConstruct):
1534         (JSC::boundFunctionConstruct):
1535         * runtime/JSCellInlines.h:
1536         (JSC::ExecState::vm):
1537         * runtime/JSCustomGetterSetterFunction.cpp:
1538         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
1539         * runtime/JSFunction.cpp:
1540         (JSC::callHostFunctionAsConstructor):
1541         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1542         (JSC::constructGenericTypedArrayView):
1543         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1544         (JSC::genericTypedArrayViewProtoFuncSlice):
1545         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
1546         * runtime/JSGlobalObjectFunctions.cpp:
1547         (JSC::globalFuncEval):
1548         * runtime/JSInternalPromiseConstructor.cpp:
1549         (JSC::constructPromise):
1550         * runtime/JSMapIterator.cpp:
1551         (JSC::JSMapIterator::createPair):
1552         (JSC::JSMapIterator::clone):
1553         * runtime/JSNativeStdFunction.cpp:
1554         (JSC::runStdFunction):
1555         * runtime/JSPromiseConstructor.cpp:
1556         (JSC::constructPromise):
1557         * runtime/JSPropertyNameIterator.cpp:
1558         (JSC::JSPropertyNameIterator::clone):
1559         * runtime/JSScope.h:
1560         (JSC::ExecState::lexicalGlobalObject):
1561         * runtime/JSSetIterator.cpp:
1562         (JSC::JSSetIterator::createPair):
1563         (JSC::JSSetIterator::clone):
1564         * runtime/JSStringIterator.cpp:
1565         (JSC::JSStringIterator::clone):
1566         * runtime/MapConstructor.cpp:
1567         (JSC::constructMap):
1568         * runtime/MapPrototype.cpp:
1569         (JSC::mapProtoFuncValues):
1570         (JSC::mapProtoFuncEntries):
1571         (JSC::mapProtoFuncKeys):
1572         (JSC::privateFuncMapIterator):
1573         * runtime/NativeErrorConstructor.cpp:
1574         (JSC::Interpreter::constructWithNativeErrorConstructor):
1575         (JSC::Interpreter::callNativeErrorConstructor):
1576         * runtime/ObjectConstructor.cpp:
1577         (JSC::constructObject):
1578         * runtime/ProxyObject.cpp:
1579         (JSC::performProxyCall):
1580         (JSC::performProxyConstruct):
1581         * runtime/ProxyRevoke.cpp:
1582         (JSC::performProxyRevoke):
1583         * runtime/RegExpConstructor.cpp:
1584         (JSC::constructWithRegExpConstructor):
1585         (JSC::callRegExpConstructor):
1586         * runtime/ScopedArguments.cpp:
1587         (JSC::ScopedArguments::createByCopying):
1588         * runtime/SetConstructor.cpp:
1589         (JSC::constructSet):
1590         * runtime/SetPrototype.cpp:
1591         (JSC::setProtoFuncValues):
1592         (JSC::setProtoFuncEntries):
1593         (JSC::privateFuncSetIterator):
1594         * runtime/StringConstructor.cpp:
1595         (JSC::constructWithStringConstructor):
1596         * runtime/StringPrototype.cpp:
1597         (JSC::stringProtoFuncIterator):
1598         * runtime/WeakMapConstructor.cpp:
1599         (JSC::constructWeakMap):
1600         * runtime/WeakSetConstructor.cpp:
1601         (JSC::constructWeakSet):
1602         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
1603         (JSC::constructJSWebAssemblyCompileError):
1604         * wasm/js/WebAssemblyFunction.cpp:
1605         (JSC::callWebAssemblyFunction):
1606         * wasm/js/WebAssemblyModuleConstructor.cpp:
1607         (JSC::constructJSWebAssemblyModule):
1608         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
1609         (JSC::constructJSWebAssemblyRuntimeError):
1610
1611 2016-12-01  Brian Burg  <bburg@apple.com>
1612
1613         Web Inspector: generated code should use a framework-style import for *ProtocolArrayConversions.h
1614         https://bugs.webkit.org/show_bug.cgi?id=165281
1615         <rdar://problem/29427778>
1616
1617         Reviewed by Joseph Pecoraro.
1618
1619         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
1620         (ObjCProtocolTypeConversionsHeaderGenerator.generate_output):
1621         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1622         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1623         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1624         * inspector/scripts/tests/expected/enum-values.json-result:
1625         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1626         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1627         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1628         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1629         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1630         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1631         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1632         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1633         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1634
1635 2016-12-01  Geoffrey Garen  <ggaren@apple.com>
1636
1637         SourceCodeKey should use unlinked source code
1638         https://bugs.webkit.org/show_bug.cgi?id=165286
1639
1640         Reviewed by Saam Barati.
1641
1642         This patch splits out UnlinkedSourceCode from SourceCode, and deploys
1643         UnlinkedSourceCode in SourceCodeKey.
1644
1645         It's misleading to store SourceCode in SourceCodeKey because SourceCode
1646         has an absolute location whereas unlinked cached code has no location.
1647
1648         I plan to deploy UnlinkedSourceCode in more places, to indicate code
1649         that has no absolute location.
1650
1651         * JavaScriptCore.xcodeproj/project.pbxproj:
1652         * parser/SourceCode.cpp:
1653         (JSC::UnlinkedSourceCode::toUTF8):
1654         (JSC::SourceCode::toUTF8): Deleted.
1655         * parser/SourceCode.h:
1656         (JSC::SourceCode::SourceCode):
1657         (JSC::SourceCode::startColumn):
1658         (JSC::SourceCode::isHashTableDeletedValue): Deleted.
1659         (JSC::SourceCode::hash): Deleted.
1660         (JSC::SourceCode::view): Deleted.
1661         (JSC::SourceCode::providerID): Deleted.
1662         (JSC::SourceCode::isNull): Deleted.
1663         (JSC::SourceCode::provider): Deleted.
1664         (JSC::SourceCode::startOffset): Deleted.
1665         (JSC::SourceCode::endOffset): Deleted.
1666         (JSC::SourceCode::length): Deleted. Move a bunch of stuff into a new
1667         base class, UnlinkedSourceCode.
1668
1669         * parser/SourceCodeKey.h:
1670         (JSC::SourceCodeKey::SourceCodeKey): Use UnlinkedSourceCode since code
1671         in the cache has no location.
1672
1673         * parser/UnlinkedSourceCode.h: Copied from Source/JavaScriptCore/parser/SourceCode.h.
1674         (JSC::UnlinkedSourceCode::UnlinkedSourceCode):
1675         (JSC::UnlinkedSourceCode::provider):
1676         (JSC::SourceCode::SourceCode): Deleted.
1677         (JSC::SourceCode::isHashTableDeletedValue): Deleted.
1678         (JSC::SourceCode::hash): Deleted.
1679         (JSC::SourceCode::view): Deleted.
1680         (JSC::SourceCode::providerID): Deleted.
1681         (JSC::SourceCode::isNull): Deleted.
1682         (JSC::SourceCode::provider): Deleted.
1683         (JSC::SourceCode::firstLine): Deleted.
1684         (JSC::SourceCode::startColumn): Deleted.
1685         (JSC::SourceCode::startOffset): Deleted.
1686         (JSC::SourceCode::endOffset): Deleted.
1687         (JSC::SourceCode::length): Deleted.
1688         (JSC::makeSource): Deleted.
1689         (JSC::SourceCode::subExpression): Deleted.
1690
1691         * runtime/CodeCache.h: Use UnlinkedSourceCode in the cache.
1692
1693 2016-12-01  Keith Miller  <keith_miller@apple.com>
1694
1695         Add wasm int to floating point opcodes
1696         https://bugs.webkit.org/show_bug.cgi?id=165252
1697
1698         Reviewed by Geoffrey Garen.
1699
1700         This patch adds support for the Wasm integral type => floating point
1701         type conversion opcodes. Most of these were already supported by B3
1702         however there was no support for uint64 to float/double. Unfortunately,
1703         AFAIK x86_64 does not have a single instruction that performs this
1704         conversion. Since there is a signed conversion instruction on x86, we
1705         use that for all uint64s that don't have the top bit set. If they do have
1706         the top bit set, we need to divide by 2 (rounding up), then convert the number
1707         with the signed conversion, then double the result.
1708
1709         * assembler/MacroAssemblerX86_64.h:
1710         (JSC::MacroAssemblerX86_64::convertUInt64ToDouble):
1711         (JSC::MacroAssemblerX86_64::convertUInt64ToFloat):
1712         * jsc.cpp:
1713         (valueWithTypeOfWasmValue):
1714         (box):
1715         (functionTestWasmModuleFunctions):
1716         * wasm/WasmB3IRGenerator.cpp:
1717         (JSC::Wasm::B3IRGenerator::addOp<F64ConvertUI64>):
1718         (JSC::Wasm::B3IRGenerator::addOp<OpType::F32ConvertUI64>):
1719         * wasm/WasmFunctionParser.h:
1720         (JSC::Wasm::FunctionParser<Context>::parseExpression):
1721         * wasm/wasm.json:
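
The halve-convert-double sequence described in the entry above, written out as an added example in plain C++ rather than WebKit's MacroAssemblerX86_64 code. It assumes only that a correctly rounded signed int64 to double/float conversion is available (on x86_64 that is cvtsi2sd/cvtsi2ss). The halving step here folds the dropped low bit back in as a sticky bit ("round to odd"), which is the standard way to keep the final result correctly rounded at halfway cases; a plain truncating shift is included alongside to show the input on which it goes wrong:

```cpp
#include <cstdint>
#include <cstdio>

// Added example, not WebKit code: unsigned 64-bit to double using only a
// signed int64 -> double conversion.
double uint64ToDoubleViaSigned(uint64_t x)
{
    if (!(x >> 63)) {
        // Top bit clear: the value fits in int64, so the signed conversion
        // is correctly rounded as-is.
        return static_cast<double>(static_cast<int64_t>(x));
    }
    // Top bit set: halve the value so it fits in 63 bits, convert, then double.
    // Doubling is exact, but halving drops bit 0. Folding that bit into the
    // halved value's low bit keeps an input just above a halfway point from
    // looking like an exact halfway point after the shift.
    uint64_t halved = (x >> 1) | (x & 1);
    double d = static_cast<double>(static_cast<int64_t>(halved));
    return d + d;
}

// Same sequence for float; the 63-bit intermediate has far more precision
// than float's 24-bit mantissa, so the same sticky-bit argument applies.
float uint64ToFloatViaSigned(uint64_t x)
{
    if (!(x >> 63))
        return static_cast<float>(static_cast<int64_t>(x));
    uint64_t halved = (x >> 1) | (x & 1);
    float f = static_cast<float>(static_cast<int64_t>(halved));
    return f + f;
}

// Halving with a plain shift: wrong when x's low bit was the only thing
// distinguishing "just above halfway" from "exactly halfway".
double uint64ToDoubleLossyHalve(uint64_t x)
{
    if (!(x >> 63))
        return static_cast<double>(static_cast<int64_t>(x));
    double d = static_cast<double>(static_cast<int64_t>(x >> 1));
    return d + d;
}

int main()
{
    // Constructed inputs: 2^63 + 1025 sits just above the midpoint between the
    // two nearest doubles (2^63 and 2^63 + 2048), so it must round up.
    const uint64_t probe = 0x8000000000000401ULL;
    std::printf("compiler      : %.1f\n", static_cast<double>(probe));
    std::printf("sticky halve  : %.1f\n", uint64ToDoubleViaSigned(probe));
    std::printf("lossy halve   : %.1f\n", uint64ToDoubleLossyHalve(probe));
    std::printf("UINT64_MAX    : %.1f / %.1f\n",
                uint64ToDoubleViaSigned(UINT64_MAX),
                static_cast<double>(uint64ToFloatViaSigned(UINT64_MAX)));
    return 0;
}
```

The check to keep in mind when writing or reviewing such a sequence: compare it against the compiler's own `static_cast<double>` on values with the top bit set and a non-zero low bit, since that is where a naive halving silently returns a result off by one unit in the last place.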
1722
1723 2016-12-01  Geoffrey Garen  <ggaren@apple.com>
1724
1725         Renamed EvalCodeCache => DirectEvalCodeCache
1726         https://bugs.webkit.org/show_bug.cgi?id=165271
1727
1728         Reviewed by Saam Barati.
1729
1730         We only use this cache for DirectEval, not IndirectEval.
1731
1732         * JavaScriptCore.xcodeproj/project.pbxproj:
1733         * bytecode/CodeBlock.cpp:
1734         (JSC::DirectEvalCodeCache::visitAggregate):
1735         (JSC::CodeBlock::stronglyVisitStrongReferences):
1736         (JSC::EvalCodeCache::visitAggregate): Deleted.
1737         * bytecode/CodeBlock.h:
1738         (JSC::CodeBlock::directEvalCodeCache):
1739         (JSC::CodeBlock::evalCodeCache): Deleted.
1740         * bytecode/DirectEvalCodeCache.h: Copied from Source/JavaScriptCore/bytecode/EvalCodeCache.h.
1741         (JSC::EvalCodeCache::CacheKey::CacheKey): Deleted.
1742         (JSC::EvalCodeCache::CacheKey::hash): Deleted.
1743         (JSC::EvalCodeCache::CacheKey::isEmptyValue): Deleted.
1744         (JSC::EvalCodeCache::CacheKey::operator==): Deleted.
1745         (JSC::EvalCodeCache::CacheKey::isHashTableDeletedValue): Deleted.
1746         (JSC::EvalCodeCache::CacheKey::Hash::hash): Deleted.
1747         (JSC::EvalCodeCache::CacheKey::Hash::equal): Deleted.
1748         (JSC::EvalCodeCache::tryGet): Deleted.
1749         (JSC::EvalCodeCache::set): Deleted.
1750         (JSC::EvalCodeCache::isEmpty): Deleted.
1751         (JSC::EvalCodeCache::clear): Deleted.
1752         * bytecode/EvalCodeCache.h: Removed.
1753         * interpreter/Interpreter.cpp:
1754         (JSC::eval):
1755         * runtime/DirectEvalExecutable.cpp:
1756         (JSC::DirectEvalExecutable::create):
1757
1758 2016-12-01  Geoffrey Garen  <ggaren@apple.com>
1759
1760         Removed some unnecessary indirection in code generation
1761         https://bugs.webkit.org/show_bug.cgi?id=165264
1762
1763         Reviewed by Keith Miller.
1764
1765         There's no need to route through JSGlobalObject when producing code --
1766         it just made the code harder to read.
1767
1768         This patch moves functions from JSGlobalObject to their singleton
1769         call sites.
1770
1771         * runtime/CodeCache.cpp:
1772         (JSC::CodeCache::getUnlinkedEvalCodeBlock):
1773         (JSC::CodeCache::getUnlinkedGlobalEvalCodeBlock): Deleted.
1774         * runtime/CodeCache.h:
1775         * runtime/DirectEvalExecutable.cpp:
1776         (JSC::DirectEvalExecutable::create):
1777         * runtime/IndirectEvalExecutable.cpp:
1778         (JSC::IndirectEvalExecutable::create):
1779         * runtime/JSGlobalObject.cpp:
1780         (JSC::JSGlobalObject::createProgramCodeBlock): Deleted.
1781         (JSC::JSGlobalObject::createLocalEvalCodeBlock): Deleted.
1782         (JSC::JSGlobalObject::createGlobalEvalCodeBlock): Deleted.
1783         (JSC::JSGlobalObject::createModuleProgramCodeBlock): Deleted.
1784         * runtime/JSGlobalObject.h:
1785         * runtime/ModuleProgramExecutable.cpp:
1786         (JSC::ModuleProgramExecutable::create):
1787         * runtime/ProgramExecutable.cpp:
1788         (JSC::ProgramExecutable::initializeGlobalProperties):
1789         * runtime/ProgramExecutable.h:
1790
1791 2016-11-30  Darin Adler  <darin@apple.com>
1792
1793         Roll out StringBuilder changes from the previous patch.
1794         They were a slowdown on a Kraken JSON test.
1795
1796         * runtime/JSONObject.cpp:
1797         Roll out changes from below.
1798
1799 2016-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1800
1801         [JSC] Specifying same module entry point multiple times cause TypeError
1802         https://bugs.webkit.org/show_bug.cgi?id=164858
1803
1804         Reviewed by Saam Barati.
1805
1806         Allow importing the same module multiple times. Previously, when specifying the same
1807         module in the <script type="module" src="here">, it threw a TypeError.
1808
1809         * builtins/ModuleLoaderPrototype.js:
1810         (requestFetch):
1811         (requestTranslate):
1812         (requestInstantiate):
1813         (requestSatisfy):
1814
1815 2016-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1816
1817         WebAssembly JS API: export a module namespace object instead of a module environment
1818         https://bugs.webkit.org/show_bug.cgi?id=165121
1819
1820         Reviewed by Saam Barati.
1821
1822         This patch sets up AbstractModuleRecord further for WebAssemblyModuleRecord.
1823         For exported entries in a wasm instance, we set up exported entries for
1824         AbstractModuleRecord. This allows us to export WASM exported functions in
1825         the module handling code.
1826
1827         Since the exported entries in the abstract module record are correctly
1828         instantiated, the module namespace object for WASM module also starts
1829         working correctly. So we start exposing the module namespace object
1830         as `instance.exports` instead of the module environment object.
1831
1832         And we move SourceCode, lexicalVariables, and declaredVariables fields to
1833         JSModuleRecord since they are related to JS source code (in the spec words,
1834         they are related to the source text module record).
1835
1836         * runtime/AbstractModuleRecord.cpp:
1837         (JSC::AbstractModuleRecord::AbstractModuleRecord):
1838         * runtime/AbstractModuleRecord.h:
1839         (JSC::AbstractModuleRecord::sourceCode): Deleted.
1840         (JSC::AbstractModuleRecord::declaredVariables): Deleted.
1841         (JSC::AbstractModuleRecord::lexicalVariables): Deleted.
1842         * runtime/JSModuleRecord.cpp:
1843         (JSC::JSModuleRecord::JSModuleRecord):
1844         * runtime/JSModuleRecord.h:
1845         (JSC::JSModuleRecord::sourceCode):
1846         (JSC::JSModuleRecord::declaredVariables):
1847         (JSC::JSModuleRecord::lexicalVariables):
1848         * wasm/WasmFormat.cpp:
1849         * wasm/js/JSWebAssemblyInstance.cpp:
1850         (JSC::JSWebAssemblyInstance::finishCreation):
1851         * wasm/js/WebAssemblyFunction.cpp:
1852         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1853         (JSC::constructJSWebAssemblyInstance):
1854         * wasm/js/WebAssemblyModuleRecord.cpp:
1855         (JSC::WebAssemblyModuleRecord::create):
1856         (JSC::WebAssemblyModuleRecord::WebAssemblyModuleRecord):
1857         (JSC::WebAssemblyModuleRecord::finishCreation):
1858         WebAssemblyModuleRecord::link should perform linking things.
1859         So allocating exported entries should be done here.
1860         (JSC::WebAssemblyModuleRecord::link):
1861         * wasm/js/WebAssemblyModuleRecord.h:
1862
1863 2016-11-30  Mark Lam  <mark.lam@apple.com>
1864
1865         TypeInfo::OutOfLineTypeFlags should be 16 bits in size.
1866         https://bugs.webkit.org/show_bug.cgi?id=165224
1867
1868         Reviewed by Saam Barati.
1869
1870         There's no reason for OutOfLineTypeFlags to be constrained to 8 bits since the
1871         space is available to us.  Making OutOfLineTypeFlags 16 bits brings TypeInfo up
1872         to 32 bits in size from the current 24 bits.
1873
1874         * runtime/JSTypeInfo.h:
1875         (JSC::TypeInfo::TypeInfo):
1876
1877 2016-11-30  Joseph Pecoraro  <pecoraro@apple.com>
1878
1879         REGRESSION: inspector/sampling-profiler/* LayoutTests are flaky timeouts
1880         https://bugs.webkit.org/show_bug.cgi?id=164388
1881         <rdar://problem/29101555>
1882
1883         Reviewed by Saam Barati.
1884
1885         There was a possibility of a deadlock between the main thread and the GC thread
1886         with the SamplingProfiler lock when Inspector is processing samples to send to
1887         the frontend. The Inspector (main thread) was holding the SamplingProfiler lock
1888         while processing samples, which runs JavaScript that could trigger a GC, and
1889         GC then tries to acquire the SamplingProfiler lock to process unprocessed samples.
1890
1891         A simple solution here is to tighten the bounds of when Inspector holds the
1892         SamplingProfiler lock. It only needs the lock when extracting samples from
1893         the SamplingProfiler. It doesn't need to hold the lock for processing those
1894         samples, which is what can run script and cause a GC.
1895
1896         * inspector/agents/InspectorScriptProfilerAgent.cpp:
1897         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
1898         Tighten bounds of this lock to only where it is needed.
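
A constructed model of the deadlock and of the lock-scope fix described in the entry above, added here as an example; it is not WebKit's InspectorScriptProfilerAgent or SamplingProfiler code. The `Profiler`, `gcProcessUnprocessedSamples` and `processSample` names are stand-ins. The lock is a deliberately non-recursive one whose acquisition can fail visibly instead of blocking, so that re-entrant acquisition on the same thread shows up as a false return rather than a hang:

```cpp
#include <atomic>
#include <utility>
#include <vector>

// Added example, not WebKit code. A minimal non-recursive lock: tryLock()
// fails instead of blocking, so a same-thread re-entry is detectable.
class NonRecursiveLock {
public:
    bool tryLock()
    {
        bool expected = false;
        return m_held.compare_exchange_strong(expected, true);
    }
    void lock() { while (!tryLock()) { } } // spins; would never return on re-entry
    void unlock() { m_held.store(false); }
private:
    std::atomic<bool> m_held { false };
};

// Stand-in for the SamplingProfiler: a lock plus the samples not yet processed.
struct Profiler {
    NonRecursiveLock lock;
    std::vector<int> unprocessedSamples;
};

// Stand-in for the GC's pass over unprocessed samples, which needs the lock.
// Returns false when the lock is already held: in the real system that is the deadlock.
bool gcProcessUnprocessedSamples(Profiler& profiler)
{
    if (!profiler.lock.tryLock())
        return false;
    profiler.unprocessedSamples.clear();
    profiler.lock.unlock();
    return true;
}

// Per-sample processing. In the real system this runs script, which can
// trigger a GC; the GC's call into the profiler is modelled directly.
bool processSample(Profiler& profiler, int sample)
{
    (void)sample;
    return gcProcessUnprocessedSamples(profiler);
}

// Before the fix: the lock is held across processing, so the GC that
// processing triggers cannot take it.
bool trackingCompleteHoldingLock(Profiler& profiler)
{
    profiler.lock.lock();
    std::vector<int> samples = profiler.unprocessedSamples; // copy: processing may clear the list
    bool ok = true;
    for (int sample : samples)
        ok = processSample(profiler, sample) && ok;
    profiler.lock.unlock();
    return ok;
}

// After the fix: the lock is held only while extracting the samples;
// processing runs with no lock held, so a GC during processing can take it.
bool trackingCompleteTightLock(Profiler& profiler)
{
    std::vector<int> samples;
    profiler.lock.lock();
    samples = std::move(profiler.unprocessedSamples);
    profiler.unprocessedSamples.clear(); // moved-from vector is valid but unspecified
    profiler.lock.unlock();
    bool ok = true;
    for (int sample : samples)
        ok = processSample(profiler, sample) && ok;
    return ok;
}

// Convenience for trying either variant on a constructed sample set.
bool runWithSamples(bool (*trackingComplete)(Profiler&))
{
    Profiler profiler;
    profiler.unprocessedSamples = { 1, 2, 3 }; // constructed samples
    return trackingComplete(profiler);
}

int main()
{
    return runWithSamples(trackingCompleteHoldingLock) == false
        && runWithSamples(trackingCompleteTightLock) == true ? 0 : 1;
}
```

The general rule the fix applies: hold a lock only around the data hand-off, never around work that can call back into code which takes the same lock; moving the samples out under the lock and processing the local copy afterwards is what makes the callback safe.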
1899
1900 2016-11-30  Mark Lam  <mark.lam@apple.com>
1901
1902         Proxy is not allowed in the global prototype chain.
1903         https://bugs.webkit.org/show_bug.cgi?id=165205
1904
1905         Reviewed by Geoffrey Garen.
1906
1907         * runtime/ProgramExecutable.cpp:
1908         (JSC::ProgramExecutable::initializeGlobalProperties):
1909         - We'll now throw a TypeError if we detect a Proxy in the global prototype chain.
1910
1911 2016-11-30  Commit Queue  <commit-queue@webkit.org>
1912
1913         Unreviewed, rolling out r209112.
1914         https://bugs.webkit.org/show_bug.cgi?id=165208
1915
1916         "It regressed Octane/Raytrace and JetStream" (Requested by
1917         saamyjoon on #webkit).
1918
1919         Reverted changeset:
1920
1921         "We should support CreateThis in the FTL"
1922         https://bugs.webkit.org/show_bug.cgi?id=164904
1923         http://trac.webkit.org/changeset/209112
1924
1925 2016-11-30  Darin Adler  <darin@apple.com>
1926
1927         Streamline and speed up tokenizer and segmented string classes
1928         https://bugs.webkit.org/show_bug.cgi?id=165003
1929
1930         Reviewed by Sam Weinig.
1931
1932         * runtime/JSONObject.cpp:
1933         (JSC::Stringifier::appendStringifiedValue): Use viewWithUnderlyingString when calling
1934         StringBuilder::appendQuotedJSONString, since it now takes a StringView and there is
1935         no benefit in creating a String for that function if one doesn't already exist.
1936
1937 2016-11-29  JF Bastien  <jfbastien@apple.com>
1938
1939         WebAssembly JS API: improve Instance
1940         https://bugs.webkit.org/show_bug.cgi?id=164757
1941
1942         Reviewed by Keith Miller.
1943
1944         An Instance's `exports` property wasn't populated with exports.
1945
1946         According to the spec [0], `exports` should present itself as a WebAssembly
1947         Module Record. In order to do this we need to split JSModuleRecord into
1948         AbstractModuleRecord (without the `link` and `evaluate` functions), and
1949         JSModuleRecord (which implements link and evaluate). We can then have a separate
1950         WebAssemblyModuleRecord which shares most of the implementation.
1951
1952         `exports` then maps function names to WebAssemblyFunction and
1953         WebAssemblyFunctionCell, which call into the B3-generated WebAssembly code.
1954
1955         A follow-up patch will do imports.
1956
1957         A few things of note:
1958
1959          - Use Identifier instead of String. They get uniqued, we need them for the JSModuleNamespaceObject. This is safe because JSWebAssemblyModule creation is on the main thread.
1960          - JSWebAssemblyInstance needs to refer to the JSWebAssemblyModule used to create it, because the module owns the code, identifiers, etc. The world would be very sad if it got GC'd.
1961          - Instance.exports shouldn't use putWithoutTransition because it affects all Structures, whereas here each instance needs its own exports.
1962          - Expose the compiled functions, and pipe them to the InstanceConstructor. Start moving things around to split JSModuleRecord out into JS and WebAssembly parts.
1963
1964           [0]: https://github.com/WebAssembly/design/blob/master/JS.md#webassemblyinstance-constructor
1965
1966         * CMakeLists.txt:
1967         * JavaScriptCore.xcodeproj/project.pbxproj:
1968         * runtime/AbstractModuleRecord.cpp: Copied from Source/JavaScriptCore/runtime/JSModuleRecord.cpp, which I split in two
1969         (JSC::AbstractModuleRecord::AbstractModuleRecord):
1970         (JSC::AbstractModuleRecord::destroy):
1971         (JSC::AbstractModuleRecord::finishCreation):
1972         (JSC::AbstractModuleRecord::visitChildren):
1973         (JSC::AbstractModuleRecord::appendRequestedModule):
1974         (JSC::AbstractModuleRecord::addStarExportEntry):
1975         (JSC::AbstractModuleRecord::addImportEntry):
1976         (JSC::AbstractModuleRecord::addExportEntry):
1977         (JSC::identifierToJSValue):
1978         (JSC::AbstractModuleRecord::hostResolveImportedModule):
1979         (JSC::AbstractModuleRecord::ResolveQuery::ResolveQuery):
1980         (JSC::AbstractModuleRecord::ResolveQuery::isEmptyValue):
1981         (JSC::AbstractModuleRecord::ResolveQuery::isDeletedValue):
1982         (JSC::AbstractModuleRecord::ResolveQuery::Hash::hash):
1983         (JSC::AbstractModuleRecord::ResolveQuery::Hash::equal):
1984         (JSC::AbstractModuleRecord::cacheResolution):
1985         (JSC::getExportedNames):
1986         (JSC::AbstractModuleRecord::getModuleNamespace):
1987         (JSC::printableName):
1988         (JSC::AbstractModuleRecord::dump):
1989         * runtime/AbstractModuleRecord.h: Copied from Source/JavaScriptCore/runtime/JSModuleRecord.h.
1990         (JSC::AbstractModuleRecord::ImportEntry::isNamespace):
1991         (JSC::AbstractModuleRecord::sourceCode):
1992         (JSC::AbstractModuleRecord::moduleKey):
1993         (JSC::AbstractModuleRecord::requestedModules):
1994         (JSC::AbstractModuleRecord::exportEntries):
1995         (JSC::AbstractModuleRecord::importEntries):
1996         (JSC::AbstractModuleRecord::starExportEntries):
1997         (JSC::AbstractModuleRecord::declaredVariables):
1998         (JSC::AbstractModuleRecord::lexicalVariables):
1999         (JSC::AbstractModuleRecord::moduleEnvironment):
2000         * runtime/JSGlobalObject.cpp:
2001         (JSC::JSGlobalObject::init):
2002         (JSC::JSGlobalObject::visitChildren):
2003         * runtime/JSGlobalObject.h:
2004         (JSC::JSGlobalObject::webAssemblyModuleRecordStructure):
2005         (JSC::JSGlobalObject::webAssemblyFunctionStructure):
2006         * runtime/JSModuleEnvironment.cpp:
2007         (JSC::JSModuleEnvironment::create):
2008         (JSC::JSModuleEnvironment::finishCreation):
2009         (JSC::JSModuleEnvironment::getOwnPropertySlot):
2010         (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
2011         (JSC::JSModuleEnvironment::put):
2012         (JSC::JSModuleEnvironment::deleteProperty):
2013         * runtime/JSModuleEnvironment.h:
2014         (JSC::JSModuleEnvironment::create):
2015         (JSC::JSModuleEnvironment::offsetOfModuleRecord):
2016         (JSC::JSModuleEnvironment::allocationSize):
2017         (JSC::JSModuleEnvironment::moduleRecord):
2018         (JSC::JSModuleEnvironment::moduleRecordSlot):
2019         * runtime/JSModuleNamespaceObject.cpp:
2020         (JSC::JSModuleNamespaceObject::finishCreation):
2021         (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
2022         * runtime/JSModuleNamespaceObject.h:
2023         (JSC::JSModuleNamespaceObject::create):
2024         (JSC::JSModuleNamespaceObject::moduleRecord):
2025         * runtime/JSModuleRecord.cpp:
2026         (JSC::JSModuleRecord::createStructure):
2027         (JSC::JSModuleRecord::create):
2028         (JSC::JSModuleRecord::JSModuleRecord):
2029         (JSC::JSModuleRecord::destroy):
2030         (JSC::JSModuleRecord::finishCreation):
2031         (JSC::JSModuleRecord::visitChildren):
2032         (JSC::JSModuleRecord::instantiateDeclarations):
2033         * runtime/JSModuleRecord.h:
2034         * runtime/JSScope.cpp:
2035         (JSC::abstractAccess):
2036         (JSC::JSScope::collectClosureVariablesUnderTDZ):
2037         * runtime/VM.cpp:
2038         (JSC::VM::VM):
2039         * runtime/VM.h:
2040         * wasm/JSWebAssembly.h:
2041         * wasm/WasmFormat.h: use Identifier instead of String
2042         * wasm/WasmModuleParser.cpp:
2043         (JSC::Wasm::ModuleParser::parse):
2044         (JSC::Wasm::ModuleParser::parseType):
2045         (JSC::Wasm::ModuleParser::parseImport): fix off-by-one
2046         (JSC::Wasm::ModuleParser::parseFunction):
2047         (JSC::Wasm::ModuleParser::parseExport):
2048         * wasm/WasmModuleParser.h:
2049         (JSC::Wasm::ModuleParser::ModuleParser):
2050         * wasm/WasmPlan.cpp:
2051         (JSC::Wasm::Plan::run):
2052         * wasm/js/JSWebAssemblyInstance.cpp:
2053         (JSC::JSWebAssemblyInstance::create):
2054         (JSC::JSWebAssemblyInstance::finishCreation):
2055         (JSC::JSWebAssemblyInstance::visitChildren):
2056         * wasm/js/JSWebAssemblyInstance.h:
2057         (JSC::JSWebAssemblyInstance::module):
2058         * wasm/js/JSWebAssemblyModule.cpp:
2059         (JSC::JSWebAssemblyModule::create):
2060         (JSC::JSWebAssemblyModule::finishCreation):
2061         (JSC::JSWebAssemblyModule::visitChildren):
2062         * wasm/js/JSWebAssemblyModule.h:
2063         (JSC::JSWebAssemblyModule::moduleInformation):
2064         (JSC::JSWebAssemblyModule::compiledFunctions):
2065         (JSC::JSWebAssemblyModule::exportSymbolTable):
2066         * wasm/js/WebAssemblyFunction.cpp: Added.
2067         (JSC::callWebAssemblyFunction):
2068         (JSC::WebAssemblyFunction::create):
2069         (JSC::WebAssemblyFunction::createStructure):
2070         (JSC::WebAssemblyFunction::WebAssemblyFunction):
2071         (JSC::WebAssemblyFunction::visitChildren):
2072         (JSC::WebAssemblyFunction::finishCreation):
2073         * wasm/js/WebAssemblyFunction.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyModule.h.
2074         (JSC::CallableWebAssemblyFunction::CallableWebAssemblyFunction):
2075         (JSC::WebAssemblyFunction::webAssemblyFunctionCell):
2076         * wasm/js/WebAssemblyFunctionCell.cpp: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.h.
2077         (JSC::WebAssemblyFunctionCell::create):
2078         (JSC::WebAssemblyFunctionCell::WebAssemblyFunctionCell):
2079         (JSC::WebAssemblyFunctionCell::destroy):
2080         (JSC::WebAssemblyFunctionCell::createStructure):
2081         * wasm/js/WebAssemblyFunctionCell.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.h.
2082         (JSC::WebAssemblyFunctionCell::function):
2083         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2084         (JSC::constructJSWebAssemblyInstance):
2085         * wasm/js/WebAssemblyModuleConstructor.cpp:
2086         (JSC::constructJSWebAssemblyModule):
2087         * wasm/js/WebAssemblyModuleRecord.cpp: Added.
2088         (JSC::WebAssemblyModuleRecord::createStructure):
2089         (JSC::WebAssemblyModuleRecord::create):
2090         (JSC::WebAssemblyModuleRecord::WebAssemblyModuleRecord):
2091         (JSC::WebAssemblyModuleRecord::destroy):
2092         (JSC::WebAssemblyModuleRecord::finishCreation):
2093         (JSC::WebAssemblyModuleRecord::visitChildren):
2094         (JSC::WebAssemblyModuleRecord::link):
2095         (JSC::WebAssemblyModuleRecord::evaluate):
2096         * wasm/js/WebAssemblyModuleRecord.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyModule.h.
2097
2098 2016-11-29  Saam Barati  <sbarati@apple.com>
2099
2100         We should be able to optimize the pattern where we spread a function's rest parameter to another call
2101         https://bugs.webkit.org/show_bug.cgi?id=163865
2102
2103         Reviewed by Filip Pizlo.
2104
2105         This patch optimizes the following patterns to prevent both the allocation
2106         of the rest parameter, and the execution of the iterator protocol:
2107         
2108         ```
2109         function foo(...args) {
2110             let arr = [...args];
2111         }
2112         
2113         and
2114         
2115         function foo(...args) {
2116             bar(...args);
2117         }
2118         ```
2119         
2120         To do this, I've extended the arguments elimination phase to reason
2121         about Spread and NewArrayWithSpread. I've added two new nodes, PhantomSpread
2122         and PhantomNewArrayWithSpread. PhantomSpread is only allowed over rest
2123         parameters that don't escape. If the rest parameter *does* escape, we can't
2124         convert the spread into a phantom because it would not be sound w.r.t. JS
2125         semantics because we would be reading from the call frame even though
2126         the rest array may have changed.
2127         
2128         Note that NewArrayWithSpread also understands what to do when one of its
2129         arguments is PhantomSpread(@PhantomCreateRest) even if it itself is escaped.
2130         
2131         PhantomNewArrayWithSpread is only allowed over a series of
2132         PhantomSpread(@PhantomCreateRest) nodes. Like with PhantomSpread, PhantomNewArrayWithSpread
2133         is only allowed if none of its arguments that are being spread are escaped
2134         and if it itself is not escaped.
2135         
2136         Because there is a dependency between a node being a candidate and
2137         the escaped state of the node's children, I've extended the notion
2138         of escaping a node inside the arguments elimination phase. Now, when
2139         any node is escaped, we must consider all other candidates that may
2140         now no longer be valid.
2141         
2142         For example:
2143         
2144         ```
2145         function foo(...args) {
2146             escape(args);
2147             bar(...args);
2148         }
2149         ```
2150         
2151         In the above program, we don't know if the function call to escape()
2152         modifies args, therefore, the spread cannot become phantom because
2153         the execution of the spread may not be as simple as reading the
2154         arguments from the call frame.
2155         
2156         Unfortunately, the arguments elimination phase does not consider control
2157         flow when doing its escape analysis. It would be good to integrate this
2158         phase with the object allocation sinking phase. To see why, consider
2159         an example where we don't eliminate the spread and allocation of the rest
2160         parameter even though we could:
2161         
2162         ```
2163         function foo(rareCondition, ...args) {
2164             bar(...args);
2165             if (rareCondition)
2166                 baz(args);
2167         }
2168         ```
2169         
2170         There are only a few users of the PhantomSpread and PhantomNewArrayWithSpread
2171         nodes. PhantomSpread is only used by PhantomNewArrayWithSpread and NewArrayWithSpread.
2172         PhantomNewArrayWithSpread is only used by ForwardVarargs and the various
2173         *Call*ForwardVarargs nodes. The users of these phantoms know how to produce
2174         what the phantom node would have produced. For example, NewArrayWithSpread
2175         knows how to produce the values that would have been produced by PhantomSpread(@PhantomCreateRest)
2176         by directly reading from the call frame.
2177         
2178         This patch is a 6% speedup on my MBP on ES6SampleBench.
2179
2180         * b3/B3LowerToAir.cpp:
2181         (JSC::B3::Air::LowerToAir::tryAppendLea):
2182         * b3/B3ValueRep.h:
2183         * builtins/BuiltinExecutables.cpp:
2184         (JSC::BuiltinExecutables::createDefaultConstructor):
2185         * dfg/DFGAbstractInterpreterInlines.h:
2186         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2187         * dfg/DFGArgumentsEliminationPhase.cpp:
2188         * dfg/DFGClobberize.h:
2189         (JSC::DFG::clobberize):
2190         * dfg/DFGDoesGC.cpp:
2191         (JSC::DFG::doesGC):
2192         * dfg/DFGFixupPhase.cpp:
2193         (JSC::DFG::FixupPhase::fixupNode):
2194         * dfg/DFGForAllKills.h:
2195         (JSC::DFG::forAllKillsInBlock):
2196         * dfg/DFGNode.h:
2197         (JSC::DFG::Node::hasConstant):
2198         (JSC::DFG::Node::constant):
2199         (JSC::DFG::Node::bitVector):
2200         (JSC::DFG::Node::isPhantomAllocation):
2201         * dfg/DFGNodeType.h:
2202         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2203         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
2204         (JSC::DFG::LocalOSRAvailabilityCalculator::LocalOSRAvailabilityCalculator):
2205         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
2206         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
2207         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2208         * dfg/DFGPreciseLocalClobberize.h:
2209         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
2210         * dfg/DFGPredictionPropagationPhase.cpp:
2211         * dfg/DFGPromotedHeapLocation.cpp:
2212         (WTF::printInternal):
2213         * dfg/DFGPromotedHeapLocation.h:
2214         * dfg/DFGSafeToExecute.h:
2215         (JSC::DFG::safeToExecute):
2216         * dfg/DFGSpeculativeJIT32_64.cpp:
2217         (JSC::DFG::SpeculativeJIT::compile):
2218         * dfg/DFGSpeculativeJIT64.cpp:
2219         (JSC::DFG::SpeculativeJIT::compile):
2220         * dfg/DFGValidate.cpp:
2221         * ftl/FTLCapabilities.cpp:
2222         (JSC::FTL::canCompile):
2223         * ftl/FTLLowerDFGToB3.cpp:
2224         (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
2225         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2226         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
2227         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
2228         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2229         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
2230         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs):
2231         (JSC::FTL::DFG::LowerDFGToB3::getSpreadLengthFromInlineCallFrame):
2232         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread):
2233         * ftl/FTLOperations.cpp:
2234         (JSC::FTL::operationPopulateObjectInOSR):
2235         (JSC::FTL::operationMaterializeObjectInOSR):
2236         * jit/SetupVarargsFrame.cpp:
2237         (JSC::emitSetupVarargsFrameFastCase):
2238         * jsc.cpp:
2239         (GlobalObject::finishCreation):
2240         (functionMaxArguments):
2241         * runtime/JSFixedArray.h:
2242         (JSC::JSFixedArray::createFromArray):
2243
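The candidate and escape reasoning in the entry above, as an added toy model (this is not JavaScriptCore code). Node kinds follow the entry (CreateRest, Spread, NewArrayWithSpread); the flat node list, the per-node `escaped` flag and the upward-only invalidation rule are simplifying assumptions of this model, not the real DFG data structures or the real phase.

```javascript
// Added example, not JavaScriptCore code: a toy model of the candidate and
// escape reasoning described in the ChangeLog entry. The flat node list, the
// "escaped" flag and the upward-only invalidation rule are assumptions.

class Node {
  constructor(op, children = []) {
    this.op = op;            // 'CreateRest' | 'Spread' | 'NewArrayWithSpread'
    this.children = children;
    this.escaped = false;    // set when some use of the node is not understood
  }
}

const createRest = () => new Node('CreateRest');
const spread = (rest) => new Node('Spread', [rest]);
const newArrayWithSpread = (...spreads) => new Node('NewArrayWithSpread', spreads);

// Structural candidacy: only these shapes may ever become phantoms.
//   PhantomSpread             -> Spread(CreateRest)
//   PhantomNewArrayWithSpread -> NewArrayWithSpread(Spread(CreateRest), ...)
function hasCandidateShape(n) {
  switch (n.op) {
    case 'CreateRest':
      return true;
    case 'Spread':
      return n.children[0].op === 'CreateRest';
    case 'NewArrayWithSpread':
      return n.children.every((c) => c.op === 'Spread' && c.children[0].op === 'CreateRest');
    default:
      return false;
  }
}

// Start from every node of candidate shape, then drop any node that is
// escaped or that depends on a child which is no longer a candidate.
// Repeat until nothing changes: escaping one node may invalidate others.
function phantomCandidates(nodes) {
  const candidates = new Set(nodes.filter(hasCandidateShape));
  let changed = true;
  while (changed) {
    changed = false;
    for (const n of [...candidates]) {
      if (n.escaped || n.children.some((c) => !candidates.has(c))) {
        candidates.delete(n);
        changed = true;
      }
    }
  }
  return candidates;
}

// Build the graph for `function foo(...args) { bar(...args); }`, escape the
// named node kinds, and report which kinds are still phantom candidates.
function scenario(escapedOps = []) {
  const args = createRest();            // ...args (the rest parameter)
  const s = spread(args);               // ...args at the call site
  const arr = newArrayWithSpread(s);    // the spread argument list / array literal
  const nodes = [args, s, arr];
  for (const n of nodes) {
    if (escapedOps.includes(n.op)) n.escaped = true;
  }
  const live = phantomCandidates(nodes);
  return nodes.filter((n) => live.has(n)).map((n) => n.op);
}

// Nothing escapes: every node becomes a phantom.
console.log(scenario([]));
// escape(args) as in the entry's third program: the rest parameter escapes,
// so neither the spread nor the array may become phantoms.
console.log(scenario(['CreateRest']));
// The array itself escapes but its spread does not: NewArrayWithSpread can
// still read the call frame through PhantomSpread(@PhantomCreateRest).
console.log(scenario(['NewArrayWithSpread']));
```

Because the model, like the phase the entry describes, ignores control flow, the `rareCondition` program from the entry is the same as `scenario(['CreateRest'])`: a `baz(args)` on any path marks the rest parameter escaped everywhere.
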
2244 2016-11-29  Commit Queue  <commit-queue@webkit.org>
2245
2246         Unreviewed, rolling out r209058 and r209074.
2247         https://bugs.webkit.org/show_bug.cgi?id=165188
2248
2249         These changes caused API test StringBuilderTest.Equal to crash
2250         and/or fail. (Requested by ryanhaddad on #webkit).
2251
2252         Reverted changesets:
2253
2254         "Streamline and speed up tokenizer and segmented string
2255         classes"
2256         https://bugs.webkit.org/show_bug.cgi?id=165003
2257         http://trac.webkit.org/changeset/209058
2258
2259         "REGRESSION (r209058): API test StringBuilderTest.Equal
2260         crashing"
2261         https://bugs.webkit.org/show_bug.cgi?id=165142
2262         http://trac.webkit.org/changeset/209074
2263
2264 2016-11-29  Caitlin Potter  <caitp@igalia.com>
2265
2266         [JSC] always wrap AwaitExpression operand in a new Promise
2267         https://bugs.webkit.org/show_bug.cgi?id=165181
2268
2269         Reviewed by Yusuke Suzuki.
2270
2271         Ensure operand of AwaitExpression is wrapped in a new Promise by
2272         explicitly creating a new Promise Capability and invoking its
2273         resolve callback. This avoids the specified short-circuit for
2274         Promise.resolve().
2275
2276         * builtins/AsyncFunctionPrototype.js:
2277         (globalPrivate.asyncFunctionResume):
2278
2279 2016-11-29  Saam Barati  <sbarati@apple.com>
2280
2281         We should support CreateThis in the FTL
2282         https://bugs.webkit.org/show_bug.cgi?id=164904
2283
2284         Reviewed by Geoffrey Garen.
2285
2286         * ftl/FTLAbstractHeapRepository.h:
2287         * ftl/FTLCapabilities.cpp:
2288         (JSC::FTL::canCompile):
2289         * ftl/FTLLowerDFGToB3.cpp:
2290         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2291         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2292         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2293         (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis):
2294         (JSC::FTL::DFG::LowerDFGToB3::storeStructure):
2295         (JSC::FTL::DFG::LowerDFGToB3::allocateCell):
2296         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2297         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
2298         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
2299         * runtime/Structure.h:
2300
2301 2016-11-29  Mark Lam  <mark.lam@apple.com>
2302
2303         Fix exception scope verification failures in runtime/RegExp* files.
2304         https://bugs.webkit.org/show_bug.cgi?id=165054
2305
2306         Reviewed by Saam Barati.
2307
2308         Also replaced returning JSValue() with returning { }.
2309
2310         * runtime/RegExpConstructor.cpp:
2311         (JSC::toFlags):
2312         (JSC::regExpCreate):
2313         (JSC::constructRegExp):
2314         * runtime/RegExpObject.cpp:
2315         (JSC::RegExpObject::defineOwnProperty):
2316         (JSC::collectMatches):
2317         (JSC::RegExpObject::matchGlobal):
2318         * runtime/RegExpObjectInlines.h:
2319         (JSC::getRegExpObjectLastIndexAsUnsigned):
2320         (JSC::RegExpObject::execInline):
2321         (JSC::RegExpObject::matchInline):
2322         * runtime/RegExpPrototype.cpp:
2323         (JSC::regExpProtoFuncCompile):
2324         (JSC::flagsString):
2325         (JSC::regExpProtoFuncToString):
2326         (JSC::regExpProtoFuncSplitFast):
2327
2328 2016-11-29  Andy Estes  <aestes@apple.com>
2329
2330         [Cocoa] Enable two clang warnings recommended by Xcode
2331         https://bugs.webkit.org/show_bug.cgi?id=164498
2332
2333         Reviewed by Mark Lam.
2334
2335         * Configurations/Base.xcconfig: Enabled CLANG_WARN_INFINITE_RECURSION and CLANG_WARN_SUSPICIOUS_MOVE.
2336
2337 2016-11-29  Keith Miller  <keith_miller@apple.com>
2338
2339         Add simple way to implement Wasm ops that require more than one B3 opcode
2340         https://bugs.webkit.org/show_bug.cgi?id=165129
2341
2342         Reviewed by Geoffrey Garen.
2343
2344         This patch adds a simple way to show the B3IRGenerator opcode script how
2345         to generate code for Wasm opcodes that do not have a one to one mapping.
2346         The syntax is pretty simple right now. There are only three things one
2347            can use as of this patch (although more things might be added in the future):
2348         1) Wasm opcode arguments: These are referred to as @<argument_number>. For example,
2349            I32.sub would map to Sub(@0, @1).
2350         2) 32-bit int constants: These are referred to as i32(<value>). For example, i32.inc
2351            would map to Add(@0, i32(1))
2352         3) B3 opcodes: These are referred to as the B3 opcode name followed by the B3Value's constructor
2353            arguments. A value may take the result of another value as an argument. For example, you can do
2354            Div(Mul(@0, Add(@0, i32(1))), i32(2)) if there was a b3 opcode that computed the sum from 1 to n.
2355
2356         These scripts are used to implement Wasm's eqz and floating point max/min opcodes. This patch
2357         also adds missing support for the Wasm Neg opcodes.
2358
2359         * jsc.cpp:
2360         (box):
2361         (functionTestWasmModuleFunctions):
2362         * wasm/WasmB3IRGenerator.cpp:
2363         (JSC::Wasm::toB3Op): Deleted.
2364         * wasm/WasmFunctionParser.h:
2365         (JSC::Wasm::FunctionParser<Context>::parseBody):
2366         * wasm/WasmModuleParser.cpp:
2367         (JSC::Wasm::ModuleParser::parseType):
2368         * wasm/WasmParser.h:
2369         (JSC::Wasm::Parser::parseUInt8):
2370         (JSC::Wasm::Parser::parseValueType):
2371         * wasm/generateWasmB3IRGeneratorInlinesHeader.py:
2372         (Source):
2373         (Source.__init__):
2374         (read):
2375         (lex):
2376         (CodeGenerator):
2377         (CodeGenerator.__init__):
2378         (CodeGenerator.advance):
2379         (CodeGenerator.token):
2380         (CodeGenerator.parseError):
2381         (CodeGenerator.consume):
2382         (CodeGenerator.generateParameters):
2383         (CodeGenerator.generateOpcode):
2384         (CodeGenerator.generate):
2385         (temp):
2386         (generateB3OpCode):
2387         (generateI32ConstCode):
2388         (generateB3Code):
2389         (generateSimpleCode):
2390         * wasm/wasm.json:
2391
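The opcode-script syntax described in the entry above, as an added parser and evaluator (this is not the WebKit generator script, which emits C++ rather than evaluating anything). The set of B3 opcodes modelled here (Add, Sub, Mul, Div) and their int32 wraparound semantics are assumptions of this example.

```javascript
// Added example, not the WebKit generator: parse and evaluate scripts such as
// Div(Mul(@0, Add(@0, i32(1))), i32(2)). The B3 opcodes modelled (Add, Sub,
// Mul, Div) and their int32 semantics are assumptions of this example.

// Lexer: @n arguments, integer literals, identifiers and punctuation.
function tokenize(src) {
  const re = /\s*(@\d+|-?\d+|[A-Za-z_]\w*|[(),])/y;
  const tokens = [];
  let pos = 0;
  while (pos < src.length) {
    re.lastIndex = pos;
    const m = re.exec(src);
    if (!m) {
      if (/^\s*$/.test(src.slice(pos))) break;   // only trailing whitespace left
      throw new SyntaxError(`unexpected input at offset ${pos}: ${src.slice(pos)}`);
    }
    tokens.push(m[1]);
    pos = re.lastIndex;
  }
  return tokens;
}

// Recursive-descent parser producing a small tree:
//   { kind: 'arg', index }   { kind: 'i32', value }   { kind: 'op', name, args }
function parse(src) {
  const tokens = tokenize(src);
  let i = 0;
  const peek = () => tokens[i];
  const next = () => {
    if (i >= tokens.length) throw new SyntaxError('unexpected end of script');
    return tokens[i++];
  };
  const expect = (t) => {
    const got = next();
    if (got !== t) throw new SyntaxError(`expected '${t}' but got '${got}'`);
  };

  function parseValue() {
    const tok = next();
    if (tok.startsWith('@')) return { kind: 'arg', index: Number(tok.slice(1)) };
    if (tok === 'i32') {
      expect('(');
      const lit = next();
      if (!/^-?\d+$/.test(lit)) throw new SyntaxError(`i32 needs an integer literal, got '${lit}'`);
      expect(')');
      return { kind: 'i32', value: Number(lit) | 0 };
    }
    if (!/^[A-Za-z_]\w*$/.test(tok)) throw new SyntaxError(`unexpected token '${tok}'`);
    expect('(');
    const args = [];
    if (peek() !== ')') {
      args.push(parseValue());
      while (peek() === ',') {
        next();
        args.push(parseValue());
      }
    }
    expect(')');
    return { kind: 'op', name: tok, args };
  }

  const tree = parseValue();
  if (i !== tokens.length) throw new SyntaxError(`trailing tokens: ${tokens.slice(i).join(' ')}`);
  return tree;
}

// A handful of B3 opcodes with int32 semantics (wraparound, truncating Div).
const B3_OPS = {
  Add: (a, b) => (a + b) | 0,
  Sub: (a, b) => (a - b) | 0,
  Mul: (a, b) => Math.imul(a, b),
  Div: (a, b) => {
    if (b === 0) throw new RangeError('integer division by zero');
    return (a / b) | 0;
  },
};

// Evaluate a parsed script against the Wasm opcode's argument values.
function evaluate(tree, wasmArgs) {
  switch (tree.kind) {
    case 'arg':
      if (tree.index >= wasmArgs.length) throw new RangeError(`@${tree.index} is out of range`);
      return wasmArgs[tree.index] | 0;
    case 'i32':
      return tree.value;
    default: {
      const fn = B3_OPS[tree.name];
      if (!fn) throw new SyntaxError(`unknown B3 opcode '${tree.name}'`);
      if (fn.length !== tree.args.length) throw new SyntaxError(`${tree.name} takes ${fn.length} operands`);
      return fn(...tree.args.map((a) => evaluate(a, wasmArgs)));
    }
  }
}

const runScript = (src, wasmArgs) => evaluate(parse(src), wasmArgs);

// The three scripts from the entry.
console.log(runScript('Sub(@0, @1)', [10, 3]));                        // 7
console.log(runScript('Add(@0, i32(1))', [41]));                       // 42
console.log(runScript('Div(Mul(@0, Add(@0, i32(1))), i32(2))', [4]));  // 10, the sum 1..4
```

The operand-count check in `evaluate` is the kind of error a generator would want to report at build time rather than emitting malformed C++; an unknown opcode name or a missing closing parenthesis is likewise rejected by the parser before anything is evaluated.
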
2392 2016-11-29  Mark Lam  <mark.lam@apple.com>
2393
2394         Fix exception scope verification failures in ProxyConstructor.cpp and ProxyObject.cpp.
2395         https://bugs.webkit.org/show_bug.cgi?id=165053
2396
2397         Reviewed by Saam Barati.
2398
2399         Also replaced returning JSValue() with returning { }.
2400
2401         * runtime/ProxyConstructor.cpp:
2402         (JSC::constructProxyObject):
2403         * runtime/ProxyObject.cpp:
2404         (JSC::ProxyObject::structureForTarget):
2405         (JSC::performProxyGet):
2406         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2407         (JSC::ProxyObject::performHasProperty):
2408         (JSC::ProxyObject::getOwnPropertySlotCommon):
2409         (JSC::ProxyObject::performPut):
2410         (JSC::ProxyObject::putByIndexCommon):
2411         (JSC::performProxyCall):
2412         (JSC::performProxyConstruct):
2413         (JSC::ProxyObject::performDelete):
2414         (JSC::ProxyObject::performPreventExtensions):
2415         (JSC::ProxyObject::performIsExtensible):
2416         (JSC::ProxyObject::performDefineOwnProperty):
2417         (JSC::ProxyObject::performGetOwnPropertyNames):
2418         (JSC::ProxyObject::performSetPrototype):
2419         (JSC::ProxyObject::performGetPrototype):
2420
2421 2016-11-28  Matt Baker  <mattbaker@apple.com>
2422
2423         Web Inspector: Debugger should have an option for showing asynchronous call stacks
2424         https://bugs.webkit.org/show_bug.cgi?id=163230
2425         <rdar://problem/28698683>
2426
2427         Reviewed by Joseph Pecoraro.
2428
2429         * inspector/ScriptCallFrame.cpp:
2430         (Inspector::ScriptCallFrame::isNative):
2431         Encapsulate check for native code source URL.
2432
2433         * inspector/ScriptCallFrame.h:
2434         * inspector/ScriptCallStack.cpp:
2435         (Inspector::ScriptCallStack::firstNonNativeCallFrame):
2436         (Inspector::ScriptCallStack::buildInspectorArray):
2437         * inspector/ScriptCallStack.h:
2438         Replace use of Console::StackTrace with Array<Console::CallFrame>.
2439
2440         * inspector/agents/InspectorDebuggerAgent.cpp:
2441         (Inspector::InspectorDebuggerAgent::disable):
2442         (Inspector::InspectorDebuggerAgent::setAsyncStackTraceDepth):
2443         Set number of async frames to store (including boundary frames).
2444         A value of zero disables recording of async call stacks.
2445
2446         (Inspector::InspectorDebuggerAgent::buildAsyncStackTrace):
2447         Helper function for building a linked list of StackTraces.
2448         (Inspector::InspectorDebuggerAgent::didScheduleAsyncCall):
2449         Store a call stack for the script that scheduled the async call.
2450         If the call repeats (e.g. setInterval), the starting reference count is
2451         set to 1. This ensures that dereffing after dispatch won't clear the stack.
2452         If another async call is currently being dispatched, increment the
2453         AsyncCallData reference count for that call.
2454
2455         (Inspector::InspectorDebuggerAgent::didCancelAsyncCall):
2456         Decrement the reference count for the canceled call.
2457
2458         (Inspector::InspectorDebuggerAgent::willDispatchAsyncCall):
2459         Set the identifier for the async callback currently being dispatched,
2460         so that if the debugger pauses during dispatch a stack trace can be
2461         associated with the pause location. If an async call is already being
2462         dispatched, which could be the case when a script schedules an async
2463         call in a nested runloop, do nothing.
2464
2465         (Inspector::InspectorDebuggerAgent::didDispatchAsyncCall):
2466         Decrement the reference count for the canceled call.
2467         (Inspector::InspectorDebuggerAgent::didPause):
2468         If a stored stack trace exists for this location, convert to a protocol
2469         object and send to the frontend.
2470
2471         (Inspector::InspectorDebuggerAgent::didClearGlobalObject):
2472         (Inspector::InspectorDebuggerAgent::clearAsyncStackTraceData):
2473         (Inspector::InspectorDebuggerAgent::refAsyncCallData):
2474         Increment AsyncCallData reference count.
2475         (Inspector::InspectorDebuggerAgent::derefAsyncCallData):
2476         Decrement AsyncCallData reference count. If zero, deref its parent
2477         (if it exists) and remove the AsyncCallData entry.
2478
2479         * inspector/agents/InspectorDebuggerAgent.h:
2480
2481         * inspector/protocol/Console.json:
2482         * inspector/protocol/Network.json:
2483         Replace use of Console.StackTrace with array of Console.CallFrame.
2484
2485         * inspector/protocol/Debugger.json:
2486         New protocol command and event data.
2487
2488 2016-11-28  Darin Adler  <darin@apple.com>
2489
2490         Streamline and speed up tokenizer and segmented string classes
2491         https://bugs.webkit.org/show_bug.cgi?id=165003
2492
2493         Reviewed by Sam Weinig.
2494
2495         * runtime/JSONObject.cpp:
2496         (JSC::Stringifier::appendStringifiedValue): Use viewWithUnderlyingString when calling
2497         StringBuilder::appendQuotedJSONString, since it now takes a StringView and there is
2498         no benefit in creating a String for that function if one doesn't already exist.
2499
2500 2016-11-21  Mark Lam  <mark.lam@apple.com>
2501
2502         Fix exception scope verification failures in runtime/Intl* files.
2503         https://bugs.webkit.org/show_bug.cgi?id=165014
2504
2505         Reviewed by Saam Barati.
2506
2507         * runtime/IntlCollatorConstructor.cpp:
2508         (JSC::constructIntlCollator):
2509         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
2510         * runtime/IntlCollatorPrototype.cpp:
2511         (JSC::IntlCollatorPrototypeFuncResolvedOptions):
2512         * runtime/IntlDateTimeFormatConstructor.cpp:
2513         (JSC::constructIntlDateTimeFormat):
2514         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
2515         * runtime/IntlDateTimeFormatPrototype.cpp:
2516         (JSC::IntlDateTimeFormatFuncFormatDateTime):
2517         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
2518         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
2519         * runtime/IntlNumberFormatConstructor.cpp:
2520         (JSC::constructIntlNumberFormat):
2521         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
2522         * runtime/IntlNumberFormatPrototype.cpp:
2523         (JSC::IntlNumberFormatFuncFormatNumber):
2524         (JSC::IntlNumberFormatPrototypeGetterFormat):
2525         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
2526         * runtime/IntlObject.cpp:
2527         (JSC::lookupSupportedLocales):
2528         * runtime/IntlObjectInlines.h:
2529         (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
2530
2531 2016-11-28  Mark Lam  <mark.lam@apple.com>
2532
2533         Fix exception scope verification failures in IteratorOperations.h.
2534         https://bugs.webkit.org/show_bug.cgi?id=165015
2535
2536         Reviewed by Saam Barati.
2537
2538         * runtime/IteratorOperations.h:
2539         (JSC::forEachInIterable):
2540
2541 2016-11-28  Mark Lam  <mark.lam@apple.com>
2542
2543         Fix exception scope verification failures in JSArray* files.
2544         https://bugs.webkit.org/show_bug.cgi?id=165016
2545
2546         Reviewed by Saam Barati.
2547
2548         * runtime/JSArray.cpp:
2549         (JSC::JSArray::defineOwnProperty):
2550         (JSC::JSArray::put):
2551         (JSC::JSArray::setLength):
2552         (JSC::JSArray::pop):
2553         (JSC::JSArray::push):
2554         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2555         * runtime/JSArrayBuffer.cpp:
2556         (JSC::JSArrayBuffer::put):
2557         (JSC::JSArrayBuffer::defineOwnProperty):
2558         * runtime/JSArrayInlines.h:
2559         (JSC::getLength):
2560         (JSC::toLength):
2561
2562 2016-11-28  Mark Lam  <mark.lam@apple.com>
2563
2564         Fix exception scope verification failures in JSDataView.cpp.
2565         https://bugs.webkit.org/show_bug.cgi?id=165020
2566
2567         Reviewed by Saam Barati.
2568
2569         * runtime/JSDataView.cpp:
2570         (JSC::JSDataView::put):
2571
2572 2016-11-28  Mark Lam  <mark.lam@apple.com>
2573
2574         Fix exception scope verification failures in JSFunction.cpp.
2575         https://bugs.webkit.org/show_bug.cgi?id=165021
2576
2577         Reviewed by Saam Barati.
2578
2579         * runtime/JSFunction.cpp:
2580         (JSC::JSFunction::put):
2581         (JSC::JSFunction::defineOwnProperty):
2582
2583 2016-11-28  Mark Lam  <mark.lam@apple.com>
2584
2585         Fix exception scope verification failures in runtime/JSGenericTypedArrayView* files.
2586         https://bugs.webkit.org/show_bug.cgi?id=165022
2587
2588         Reviewed by Saam Barati.
2589
2590         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2591         (JSC::constructGenericTypedArrayViewFromIterator):
2592         (JSC::constructGenericTypedArrayViewWithArguments):
2593         (JSC::constructGenericTypedArrayView):
2594         * runtime/JSGenericTypedArrayViewInlines.h:
2595         (JSC::JSGenericTypedArrayView<Adaptor>::set):
2596         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
2597         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2598         (JSC::speciesConstruct):
2599         (JSC::genericTypedArrayViewProtoFuncSet):
2600         (JSC::genericTypedArrayViewProtoFuncJoin):
2601         (JSC::genericTypedArrayViewProtoFuncSlice):
2602         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
2603
2604 2016-11-28  Mark Lam  <mark.lam@apple.com>
2605
2606         Fix exception scope verification failures in runtime/Operations.cpp/h.
2607         https://bugs.webkit.org/show_bug.cgi?id=165046
2608
2609         Reviewed by Saam Barati.
2610
2611         Also switched to using returning { } instead of JSValue().
2612
2613         * runtime/Operations.cpp:
2614         (JSC::jsAddSlowCase):
2615         (JSC::jsIsObjectTypeOrNull):
2616         * runtime/Operations.h:
2617         (JSC::jsStringFromRegisterArray):
2618         (JSC::jsStringFromArguments):
2619         (JSC::jsLess):
2620         (JSC::jsLessEq):
2621
2622 2016-11-28  Mark Lam  <mark.lam@apple.com>
2623
2624         Fix exception scope verification failures in JSScope.cpp.
2625         https://bugs.webkit.org/show_bug.cgi?id=165047
2626
2627         Reviewed by Saam Barati.
2628
2629         * runtime/JSScope.cpp:
2630         (JSC::JSScope::resolve):
2631
2632 2016-11-28  Mark Lam  <mark.lam@apple.com>
2633
2634         Fix exception scope verification failures in JSTypedArrayViewPrototype.cpp.
2635         https://bugs.webkit.org/show_bug.cgi?id=165049
2636
2637         Reviewed by Saam Barati.
2638
2639         * runtime/JSTypedArrayViewPrototype.cpp:
2640         (JSC::typedArrayViewPrivateFuncSort):
2641         (JSC::typedArrayViewProtoFuncSet):
2642         (JSC::typedArrayViewProtoFuncCopyWithin):
2643         (JSC::typedArrayViewProtoFuncIncludes):
2644         (JSC::typedArrayViewProtoFuncLastIndexOf):
2645         (JSC::typedArrayViewProtoFuncIndexOf):
2646         (JSC::typedArrayViewProtoFuncJoin):
2647         (JSC::typedArrayViewProtoGetterFuncBuffer):
2648         (JSC::typedArrayViewProtoGetterFuncLength):
2649         (JSC::typedArrayViewProtoGetterFuncByteLength):
2650         (JSC::typedArrayViewProtoGetterFuncByteOffset):
2651         (JSC::typedArrayViewProtoFuncReverse):
2652         (JSC::typedArrayViewPrivateFuncSubarrayCreate):
2653         (JSC::typedArrayViewProtoFuncSlice):
2654
2655 2016-11-28  Mark Lam  <mark.lam@apple.com>
2656
2657         Fix exception scope verification failures in runtime/Map* files.
2658         https://bugs.webkit.org/show_bug.cgi?id=165050
2659
2660         Reviewed by Saam Barati.
2661
2662         * runtime/MapConstructor.cpp:
2663         (JSC::constructMap):
2664         * runtime/MapIteratorPrototype.cpp:
2665         (JSC::MapIteratorPrototypeFuncNext):
2666         * runtime/MapPrototype.cpp:
2667         (JSC::privateFuncMapIteratorNext):
2668
2669 2016-11-28  Mark Lam  <mark.lam@apple.com>
2670
2671         Fix exception scope verification failures in more miscellaneous files.
2672         https://bugs.webkit.org/show_bug.cgi?id=165102
2673
2674         Reviewed by Saam Barati.
2675
2676         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2677         (JSC::constructJSWebAssemblyInstance):
2678
2679 2016-11-28  Mark Lam  <mark.lam@apple.com>
2680
2681         Fix exception scope verification failures in runtime/Weak* files.
2682         https://bugs.webkit.org/show_bug.cgi?id=165096
2683
2684         Reviewed by Geoffrey Garen.
2685
2686         * runtime/WeakMapConstructor.cpp:
2687         (JSC::constructWeakMap):
2688         * runtime/WeakMapPrototype.cpp:
2689         (JSC::protoFuncWeakMapSet):
2690         * runtime/WeakSetConstructor.cpp:
2691         (JSC::constructWeakSet):
2692         * runtime/WeakSetPrototype.cpp:
2693         (JSC::protoFuncWeakSetAdd):
2694
2695 2016-11-28  Mark Lam  <mark.lam@apple.com>
2696
2697         Fix exception scope verification failures in runtime/String* files.
2698         https://bugs.webkit.org/show_bug.cgi?id=165067
2699
2700         Reviewed by Saam Barati.
2701
2702         * runtime/StringConstructor.cpp:
2703         (JSC::stringFromCodePoint):
2704         (JSC::constructWithStringConstructor):
2705         * runtime/StringObject.cpp:
2706         (JSC::StringObject::put):
2707         (JSC::StringObject::putByIndex):
2708         (JSC::StringObject::defineOwnProperty):
2709         * runtime/StringPrototype.cpp:
2710         (JSC::jsSpliceSubstrings):
2711         (JSC::jsSpliceSubstringsWithSeparators):
2712         (JSC::replaceUsingRegExpSearch):
2713         (JSC::replaceUsingStringSearch):
2714         (JSC::repeatCharacter):
2715         (JSC::replace):
2716         (JSC::stringProtoFuncReplaceUsingStringSearch):
2717         (JSC::stringProtoFuncCharAt):
2718         (JSC::stringProtoFuncCodePointAt):
2719         (JSC::stringProtoFuncConcat):
2720         (JSC::stringProtoFuncIndexOf):
2721         (JSC::stringProtoFuncLastIndexOf):
2722         (JSC::splitStringByOneCharacterImpl):
2723         (JSC::stringProtoFuncSplitFast):
2724         (JSC::stringProtoFuncSubstring):
2725         (JSC::stringProtoFuncToLowerCase):
2726         (JSC::stringProtoFuncToUpperCase):
2727         (JSC::toLocaleCase):
2728         (JSC::trimString):
2729         (JSC::stringProtoFuncIncludes):
2730         (JSC::builtinStringIncludesInternal):
2731         (JSC::stringProtoFuncIterator):
2732         (JSC::normalize):
2733         (JSC::stringProtoFuncNormalize):
2734
2735 2016-11-28  Mark Lam  <mark.lam@apple.com>
2736
2737         Fix exception scope verification failures in ObjectConstructor.cpp and ObjectPrototype.cpp.
2738         https://bugs.webkit.org/show_bug.cgi?id=165051
2739
2740         Reviewed by Saam Barati.
2741
2742         Also,
2743         1. Replaced returning JSValue() with returning { }.
2744         2. Replaced uses of exec->propertyNames() with vm.propertyNames.
2745
2746         * runtime/ObjectConstructor.cpp:
2747         (JSC::constructObject):
2748         (JSC::objectConstructorGetPrototypeOf):
2749         (JSC::objectConstructorGetOwnPropertyDescriptor):
2750         (JSC::objectConstructorGetOwnPropertyDescriptors):
2751         (JSC::objectConstructorGetOwnPropertyNames):
2752         (JSC::objectConstructorGetOwnPropertySymbols):
2753         (JSC::objectConstructorKeys):
2754         (JSC::ownEnumerablePropertyKeys):
2755         (JSC::toPropertyDescriptor):
2756         (JSC::defineProperties):
2757         (JSC::objectConstructorDefineProperties):
2758         (JSC::objectConstructorCreate):
2759         (JSC::setIntegrityLevel):
2760         (JSC::objectConstructorSeal):
2761         (JSC::objectConstructorPreventExtensions):
2762         (JSC::objectConstructorIsSealed):
2763         (JSC::objectConstructorIsFrozen):
2764         (JSC::ownPropertyKeys):
2765         * runtime/ObjectPrototype.cpp:
2766         (JSC::objectProtoFuncValueOf):
2767         (JSC::objectProtoFuncHasOwnProperty):
2768         (JSC::objectProtoFuncIsPrototypeOf):
2769         (JSC::objectProtoFuncDefineGetter):
2770         (JSC::objectProtoFuncDefineSetter):
2771         (JSC::objectProtoFuncLookupGetter):
2772         (JSC::objectProtoFuncLookupSetter):
2773         (JSC::objectProtoFuncToLocaleString):
2774         (JSC::objectProtoFuncToString):
2775
2776 2016-11-26  Mark Lam  <mark.lam@apple.com>
2777
2778         Fix exception scope verification failures in miscellaneous files.
2779         https://bugs.webkit.org/show_bug.cgi?id=165055
2780
2781         Reviewed by Saam Barati.
2782
2783         * runtime/MathObject.cpp:
2784         (JSC::mathProtoFuncIMul):
2785         * runtime/ModuleLoaderPrototype.cpp:
2786         (JSC::moduleLoaderPrototypeParseModule):
2787         (JSC::moduleLoaderPrototypeRequestedModules):
2788         * runtime/NativeErrorConstructor.cpp:
2789         (JSC::Interpreter::constructWithNativeErrorConstructor):
2790         * runtime/NumberConstructor.cpp:
2791         (JSC::constructWithNumberConstructor):
2792         * runtime/SetConstructor.cpp:
2793         (JSC::constructSet):
2794         * runtime/SetIteratorPrototype.cpp:
2795         (JSC::SetIteratorPrototypeFuncNext):
2796         * runtime/SparseArrayValueMap.cpp:
2797         (JSC::SparseArrayValueMap::putEntry):
2798         (JSC::SparseArrayEntry::put):
2799         * runtime/TemplateRegistry.cpp:
2800         (JSC::TemplateRegistry::getTemplateObject):
2801
2802 2016-11-28  Mark Lam  <mark.lam@apple.com>
2803
2804         Fix exception scope verification failures in ReflectObject.cpp.
2805         https://bugs.webkit.org/show_bug.cgi?id=165066
2806
2807         Reviewed by Saam Barati.
2808
2809         * runtime/ReflectObject.cpp:
2810         (JSC::reflectObjectConstruct):
2811         (JSC::reflectObjectDefineProperty):
2812         (JSC::reflectObjectEnumerate):
2813         (JSC::reflectObjectGet):
2814         (JSC::reflectObjectGetOwnPropertyDescriptor):
2815         (JSC::reflectObjectGetPrototypeOf):
2816         (JSC::reflectObjectOwnKeys):
2817         (JSC::reflectObjectSet):
2818
2819 2016-11-24  Mark Lam  <mark.lam@apple.com>
2820
2821         Fix exception scope verification failures in ArrayConstructor.cpp and ArrayPrototype.cpp.
2822         https://bugs.webkit.org/show_bug.cgi?id=164972
2823
2824         Reviewed by Geoffrey Garen.
2825
2826         * runtime/ArrayConstructor.cpp:
2827         (JSC::constructArrayWithSizeQuirk):
2828         * runtime/ArrayPrototype.cpp:
2829         (JSC::getProperty):
2830         (JSC::putLength):
2831         (JSC::speciesWatchpointsValid):
2832         (JSC::speciesConstructArray):
2833         (JSC::shift):
2834         (JSC::unshift):
2835         (JSC::arrayProtoFuncToString):
2836         (JSC::arrayProtoFuncToLocaleString):
2837         (JSC::slowJoin):
2838         (JSC::fastJoin):
2839         (JSC::arrayProtoFuncJoin):
2840         (JSC::arrayProtoFuncPop):
2841         (JSC::arrayProtoFuncPush):
2842         (JSC::arrayProtoFuncReverse):
2843         (JSC::arrayProtoFuncShift):
2844         (JSC::arrayProtoFuncSlice):
2845         (JSC::arrayProtoFuncSplice):
2846         (JSC::arrayProtoFuncUnShift):
2847         (JSC::arrayProtoFuncIndexOf):
2848         (JSC::arrayProtoFuncLastIndexOf):
2849         (JSC::concatAppendOne):
2850         (JSC::arrayProtoPrivateFuncConcatMemcpy):
2851         (JSC::ArrayPrototype::attemptToInitializeSpeciesWatchpoint):
2852
2853 2016-11-28  Mark Lam  <mark.lam@apple.com>
2854
2855         Fix exception scope verification failures in LLIntSlowPaths.cpp.
2856         https://bugs.webkit.org/show_bug.cgi?id=164969
2857
2858         Reviewed by Geoffrey Garen.
2859
2860         * llint/LLIntSlowPaths.cpp:
2861         (JSC::LLInt::getByVal):
2862         (JSC::LLInt::setUpCall):
2863         (JSC::LLInt::varargsSetup):
2864         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2865
2866 2016-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2867
2868         [WTF] Import std::optional reference implementation as WTF::Optional
2869         https://bugs.webkit.org/show_bug.cgi?id=164199
2870
2871         Reviewed by Saam Barati and Sam Weinig.
2872
2873         The previous WTF::Optional::operator= is not compatible with std::optional::operator=.
2874         std::optional::emplace has the same semantics as the previous one,
2875         so we change the code to use it.
2876
2877         * Scripts/builtins/builtins_templates.py:
2878         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
2879         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
2880         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
2881         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
2882         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
2883         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
2884         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
2885         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
2886         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
2887         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
2888         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
2889         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
2890         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2891         * assembler/MacroAssemblerARM64.h:
2892         (JSC::MacroAssemblerARM64::commuteCompareToZeroIntoTest):
2893         * assembler/MacroAssemblerX86Common.h:
2894         (JSC::MacroAssemblerX86Common::commuteCompareToZeroIntoTest):
2895         * b3/B3CheckSpecial.cpp:
2896         (JSC::B3::CheckSpecial::forEachArg):
2897         (JSC::B3::CheckSpecial::shouldTryAliasingDef):
2898         * b3/B3CheckSpecial.h:
2899         * b3/B3LowerToAir.cpp:
2900         (JSC::B3::Air::LowerToAir::scaleForShl):
2901         (JSC::B3::Air::LowerToAir::effectiveAddr):
2902         (JSC::B3::Air::LowerToAir::tryAppendLea):
2903         * b3/B3Opcode.cpp:
2904         (JSC::B3::invertedCompare):
2905         * b3/B3Opcode.h:
2906         * b3/B3PatchpointSpecial.cpp:
2907         (JSC::B3::PatchpointSpecial::forEachArg):
2908         * b3/B3StackmapSpecial.cpp:
2909         (JSC::B3::StackmapSpecial::forEachArgImpl):
2910         * b3/B3StackmapSpecial.h:
2911         * b3/B3Value.cpp:
2912         (JSC::B3::Value::invertedCompare):
2913         * b3/air/AirArg.h:
2914         (JSC::B3::Air::Arg::isValidScale):
2915         (JSC::B3::Air::Arg::isValidAddrForm):
2916         (JSC::B3::Air::Arg::isValidIndexForm):
2917         (JSC::B3::Air::Arg::isValidForm):
2918         * b3/air/AirCustom.h:
2919         (JSC::B3::Air::PatchCustom::shouldTryAliasingDef):
2920         * b3/air/AirFixObviousSpills.cpp:
2921         * b3/air/AirInst.h:
2922         * b3/air/AirInstInlines.h:
2923         (JSC::B3::Air::Inst::shouldTryAliasingDef):
2924         * b3/air/AirIteratedRegisterCoalescing.cpp:
2925         * b3/air/AirSpecial.cpp:
2926         (JSC::B3::Air::Special::shouldTryAliasingDef):
2927         * b3/air/AirSpecial.h:
2928         * bytecode/BytecodeGeneratorification.cpp:
2929         (JSC::BytecodeGeneratorification::storageForGeneratorLocal):
2930         * bytecode/CodeBlock.cpp:
2931         (JSC::CodeBlock::findPC):
2932         (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
2933         * bytecode/CodeBlock.h:
2934         * bytecode/UnlinkedFunctionExecutable.cpp:
2935         (JSC::UnlinkedFunctionExecutable::link):
2936         * bytecode/UnlinkedFunctionExecutable.h:
2937         * bytecompiler/BytecodeGenerator.h:
2938         * bytecompiler/NodesCodegen.cpp:
2939         (JSC::PropertyListNode::emitPutConstantProperty):
2940         (JSC::ObjectPatternNode::bindValue):
2941         * debugger/Debugger.cpp:
2942         (JSC::Debugger::resolveBreakpoint):
2943         * debugger/DebuggerCallFrame.cpp:
2944         (JSC::DebuggerCallFrame::currentPosition):
2945         * debugger/DebuggerParseData.cpp:
2946         (JSC::DebuggerPausePositions::breakpointLocationForLineColumn):
2947         * debugger/DebuggerParseData.h:
2948         * debugger/ScriptProfilingScope.h:
2949         * dfg/DFGAbstractInterpreterInlines.h:
2950         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2951         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
2952         * dfg/DFGJITCode.cpp:
2953         (JSC::DFG::JITCode::findPC):
2954         * dfg/DFGJITCode.h:
2955         * dfg/DFGOperations.cpp:
2956         (JSC::DFG::operationPutByValInternal):
2957         * dfg/DFGSlowPathGenerator.h:
2958         (JSC::DFG::SlowPathGenerator::generate):
2959         * dfg/DFGSpeculativeJIT.cpp:
2960         (JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
2961         (JSC::DFG::SpeculativeJIT::emitUntypedBitOp):
2962         (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp):
2963         (JSC::DFG::SpeculativeJIT::compileMathIC):
2964         (JSC::DFG::SpeculativeJIT::compileArithDiv):
2965         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
2966         * dfg/DFGSpeculativeJIT.h:
2967         * dfg/DFGSpeculativeJIT32_64.cpp:
2968         (JSC::DFG::SpeculativeJIT::compile):
2969         * dfg/DFGSpeculativeJIT64.cpp:
2970         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2971         (JSC::DFG::SpeculativeJIT::emitBranch):
2972         (JSC::DFG::SpeculativeJIT::compile):
2973         * dfg/DFGStrengthReductionPhase.cpp:
2974         (JSC::DFG::StrengthReductionPhase::handleNode):
2975         * ftl/FTLJITCode.cpp:
2976         (JSC::FTL::JITCode::findPC):
2977         * ftl/FTLJITCode.h:
2978         * heap/Heap.cpp:
2979         (JSC::Heap::collectAsync):
2980         (JSC::Heap::collectSync):
2981         (JSC::Heap::collectInThread):
2982         (JSC::Heap::requestCollection):
2983         (JSC::Heap::willStartCollection):
2984         (JSC::Heap::didFinishCollection):
2985         (JSC::Heap::shouldDoFullCollection):
2986         * heap/Heap.h:
2987         (JSC::Heap::collectionScope):
2988         * heap/HeapSnapshot.cpp:
2989         (JSC::HeapSnapshot::nodeForCell):
2990         (JSC::HeapSnapshot::nodeForObjectIdentifier):
2991         * heap/HeapSnapshot.h:
2992         * inspector/InspectorBackendDispatcher.cpp:
2993         (Inspector::BackendDispatcher::dispatch):
2994         (Inspector::BackendDispatcher::sendPendingErrors):
2995         (Inspector::BackendDispatcher::reportProtocolError):
2996         * inspector/InspectorBackendDispatcher.h:
2997         * inspector/agents/InspectorHeapAgent.cpp:
2998         (Inspector::InspectorHeapAgent::nodeForHeapObjectIdentifier):
2999         (Inspector::InspectorHeapAgent::getPreview):
3000         (Inspector::InspectorHeapAgent::getRemoteObject):
3001         * inspector/agents/InspectorHeapAgent.h:
3002         * inspector/remote/RemoteConnectionToTarget.h:
3003         * inspector/remote/RemoteConnectionToTarget.mm:
3004         (Inspector::RemoteConnectionToTarget::targetIdentifier):
3005         (Inspector::RemoteConnectionToTarget::setup):
3006         * inspector/remote/RemoteInspector.h:
3007         * inspector/remote/RemoteInspector.mm:
3008         (Inspector::RemoteInspector::updateClientCapabilities):
3009         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
3010         (_generate_declarations_for_enum_conversion_methods):
3011         (_generate_declarations_for_enum_conversion_methods.return_type_with_export_macro):
3012         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
3013         (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain.generate_conversion_method_body):
3014         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
3015         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
3016         * inspector/scripts/tests/expected/enum-values.json-result:
3017         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
3018         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
3019         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
3020         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
3021         * jit/JITCode.h:
3022         (JSC::JITCode::findPC):
3023         * jit/JITDivGenerator.cpp:
3024         (JSC::JITDivGenerator::generateFastPath):
3025         * jit/JITOperations.cpp:
3026         * jit/PCToCodeOriginMap.cpp:
3027         (JSC::PCToCodeOriginMap::findPC):
3028         * jit/PCToCodeOriginMap.h:
3029         * jsc.cpp:
3030         (WTF::RuntimeArray::getOwnPropertySlot):
3031         * llint/LLIntSlowPaths.cpp:
3032         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3033         * parser/ModuleAnalyzer.cpp:
3034         (JSC::ModuleAnalyzer::exportVariable):
3035         * runtime/ConcurrentJSLock.h:
3036         (JSC::ConcurrentJSLocker::ConcurrentJSLocker):
3037         * runtime/DefinePropertyAttributes.h:
3038         (JSC::DefinePropertyAttributes::writable):
3039         (JSC::DefinePropertyAttributes::configurable):
3040         (JSC::DefinePropertyAttributes::enumerable):
3041         * runtime/GenericArgumentsInlines.h:
3042         (JSC::GenericArguments<Type>::getOwnPropertySlot):
3043         (JSC::GenericArguments<Type>::put):
3044         (JSC::GenericArguments<Type>::deleteProperty):
3045         (JSC::GenericArguments<Type>::defineOwnProperty):
3046         * runtime/HasOwnPropertyCache.h:
3047         (JSC::HasOwnPropertyCache::get):
3048         * runtime/HashMapImpl.h:
3049         (JSC::concurrentJSMapHash):
3050         * runtime/Identifier.h:
3051         (JSC::parseIndex):
3052         * runtime/JSArray.cpp:
3053         (JSC::JSArray::defineOwnProperty):
3054         * runtime/JSCJSValue.cpp:
3055         (JSC::JSValue::toNumberFromPrimitive):
3056         (JSC::JSValue::putToPrimitive):
3057         * runtime/JSCJSValue.h:
3058         * runtime/JSGenericTypedArrayView.h:
3059         (JSC::JSGenericTypedArrayView::toAdaptorNativeFromValueWithoutCoercion):
3060         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
3061         (JSC::constructGenericTypedArrayViewWithArguments):
3062         (JSC::constructGenericTypedArrayView):
3063         * runtime/JSGenericTypedArrayViewInlines.h:
3064         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
3065         (JSC::JSGenericTypedArrayView<Adaptor>::put):
3066         * runtime/JSModuleRecord.cpp:
3067         * runtime/JSModuleRecord.h:
3068         * runtime/JSObject.cpp:
3069         (JSC::JSObject::putDirectAccessor):
3070         (JSC::JSObject::deleteProperty):
3071         (JSC::JSObject::putDirectMayBeIndex):
3072         (JSC::JSObject::defineOwnProperty):
3073         * runtime/JSObject.h:
3074         (JSC::JSObject::getOwnPropertySlot):
3075         (JSC::JSObject::getPropertySlot):
3076         (JSC::JSObject::putOwnDataPropertyMayBeIndex):
3077         * runtime/JSObjectInlines.h:
3078         (JSC::JSObject::putInline):
3079         * runtime/JSString.cpp:
3080         (JSC::JSString::getStringPropertyDescriptor):
3081         * runtime/JSString.h:
3082         (JSC::JSString::getStringPropertySlot):
3083         * runtime/LiteralParser.cpp:
3084         (JSC::LiteralParser<CharType>::parse):
3085         * runtime/MathCommon.h:
3086         (JSC::safeReciprocalForDivByConst):
3087         * runtime/ObjectPrototype.cpp:
3088         (JSC::objectProtoFuncHasOwnProperty):
3089         * runtime/PropertyDescriptor.h:
3090         (JSC::toPropertyDescriptor):
3091         * runtime/PropertyName.h:
3092         (JSC::parseIndex):
3093         * runtime/SamplingProfiler.cpp:
3094         (JSC::SamplingProfiler::processUnverifiedStackTraces):
3095         * runtime/StringObject.cpp:
3096         (JSC::StringObject::put):
3097         (JSC::isStringOwnProperty):
3098         (JSC::StringObject::deleteProperty):
3099         * runtime/ToNativeFromValue.h:
3100         (JSC::toNativeFromValueWithoutCoercion):
3101         * runtime/TypedArrayAdaptors.h:
3102         (JSC::IntegralTypedArrayAdaptor::toNativeFromInt32WithoutCoercion):
3103         (JSC::IntegralTypedArrayAdaptor::toNativeFromUint32WithoutCoercion):
3104         (JSC::IntegralTypedArrayAdaptor::toNativeFromDoubleWithoutCoercion):
3105         (JSC::FloatTypedArrayAdaptor::toNativeFromInt32WithoutCoercion):
3106         (JSC::FloatTypedArrayAdaptor::toNativeFromDoubleWithoutCoercion):
3107         (JSC::Uint8ClampedAdaptor::toNativeFromInt32WithoutCoercion):
3108         (JSC::Uint8ClampedAdaptor::toNativeFromDoubleWithoutCoercion):
3109
3110 2016-11-26  Sam Weinig  <sam@webkit.org>
3111
3112         Convert IntersectionObserver over to using RuntimeEnabledFeatures so it can be properly excluded from script
3113         https://bugs.webkit.org/show_bug.cgi?id=164965
3114
3115         Reviewed by Simon Fraser.
3116
3117         * runtime/CommonIdentifiers.h:
3118         Add identifiers needed for RuntimeEnabledFeatures.
3119
3120 2016-11-23  Zan Dobersek  <zdobersek@igalia.com>
3121
3122         Remove ENABLE_ASSEMBLER_WX_EXCLUSIVE code
3123         https://bugs.webkit.org/show_bug.cgi?id=165027
3124
3125         Reviewed by Darin Adler.
3126
3127         Remove the code guarded with ENABLE(ASSEMBLER_WX_EXCLUSIVE).
3128         No port enables this and the guarded code doesn't build at all,
3129         so it's safe to say it's abandoned.
3130
3131         * jit/ExecutableAllocator.cpp:
3132         (JSC::ExecutableAllocator::initializeAllocator):
3133         (JSC::ExecutableAllocator::ExecutableAllocator):
3134         (JSC::ExecutableAllocator::reprotectRegion): Deleted.
3135
3136 2016-11-18  Mark Lam  <mark.lam@apple.com>
3137
3138         Fix exception scope verification failures in JSC profiler files.
3139         https://bugs.webkit.org/show_bug.cgi?id=164971
3140
3141         Reviewed by Saam Barati.
3142
3143         * profiler/ProfilerBytecodeSequence.cpp:
3144         (JSC::Profiler::BytecodeSequence::addSequenceProperties):
3145         * profiler/ProfilerCompilation.cpp:
3146         (JSC::Profiler::Compilation::toJS):
3147         * profiler/ProfilerDatabase.cpp:
3148         (JSC::Profiler::Database::toJS):
3149         (JSC::Profiler::Database::toJSON):
3150         * profiler/ProfilerOSRExitSite.cpp:
3151         (JSC::Profiler::OSRExitSite::toJS):
3152         * profiler/ProfilerOriginStack.cpp:
3153         (JSC::Profiler::OriginStack::toJS):
3154
3155 2016-11-22  Mark Lam  <mark.lam@apple.com>
3156
3157         Fix exception scope verification failures in JSONObject.cpp.
3158         https://bugs.webkit.org/show_bug.cgi?id=165025
3159
3160         Reviewed by Saam Barati.
3161
3162         * runtime/JSONObject.cpp:
3163         (JSC::gap):
3164         (JSC::Stringifier::Stringifier):
3165         (JSC::Stringifier::stringify):
3166         (JSC::Stringifier::toJSON):
3167         (JSC::Stringifier::appendStringifiedValue):
3168         (JSC::Stringifier::Holder::appendNextProperty):
3169         (JSC::Walker::walk):
3170         (JSC::JSONProtoFuncParse):
3171         (JSC::JSONProtoFuncStringify):
3172         (JSC::JSONStringify):
3173
3174 2016-11-21  Mark Lam  <mark.lam@apple.com>
3175
3176         Removed an extra space character at the end of line.
3177
3178         Not reviewed.
3179
3180         * runtime/JSCell.cpp:
3181         (JSC::JSCell::toNumber):
3182
3183 2016-11-21  Mark Lam  <mark.lam@apple.com>
3184
3185         Fix exception scope verification failures in FunctionConstructor.cpp.
3186         https://bugs.webkit.org/show_bug.cgi?id=165011
3187
3188         Reviewed by Saam Barati.
3189
3190         * runtime/FunctionConstructor.cpp:
3191         (JSC::constructFunction):
3192         (JSC::constructFunctionSkippingEvalEnabledCheck):
3193
3194 2016-11-21  Mark Lam  <mark.lam@apple.com>
3195
3196         Fix exception scope verification failures in GetterSetter.cpp.
3197         https://bugs.webkit.org/show_bug.cgi?id=165013
3198
3199         Reviewed by Saam Barati.
3200
3201         * runtime/GetterSetter.cpp:
3202         (JSC::callGetter):
3203         (JSC::callSetter):
3204
3205 2016-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
3206
3207         Crash in com.apple.JavaScriptCore: WTF::ThreadSpecific<WTF::WTFThreadData, + 142
3208         https://bugs.webkit.org/show_bug.cgi?id=164898
3209
3210         Reviewed by Darin Adler.
3211
3212         The callsite object (JSArray) of a tagged template literal is managed by a WeakGCMap, since
3213         the same tagged template literal needs to return an identical object.
3214         The problem is that we used TemplateRegistryKey as the key of the WeakGCMap. WeakGCMap
3215         can prune its entries in the collector thread. At that time, this TemplateRegistryKey
3216         is deallocated. Since it includes a String (and therefore a StringImpl), we accidentally call
3217         ref(), deref() and StringImpl::destroy() on a different thread from the main thread,
3218         while this TemplateRegistryKey was allocated on the main thread.
3219
3220         Instead, we use TemplateRegistryKey* as the key of the WeakGCMap. Then, to keep it alive
3221         while the entry of the WeakGCMap is alive, the callsite object holds a reference to
3222         the JSTemplateRegistryKey, and that holds a Ref<TemplateRegistryKey>.
3223
3224         Now we need to look up the WeakGCMap by TemplateRegistryKey*. To do so, we create an
3225         interning system for TemplateRegistryKey. It is similar to AtomicStringTable and
3226         SymbolRegistry. TemplateRegistryKey is allocated from this table. This table atomizes the
3227         TemplateRegistryKey, so we can use pointer comparison between TemplateRegistryKeys.
3228         It allows us to look up the entry in the WeakGCMap by TemplateRegistryKey*.
3229
3230         * CMakeLists.txt:
3231         * JavaScriptCore.xcodeproj/project.pbxproj:
3232         * builtins/BuiltinNames.h:
3233         * bytecompiler/BytecodeGenerator.cpp:
3234         (JSC::BytecodeGenerator::addTemplateRegistryKeyConstant):
3235         (JSC::BytecodeGenerator::emitGetTemplateObject):
3236         * bytecompiler/BytecodeGenerator.h:
3237         * runtime/JSGlobalObject.cpp:
3238         (JSC::getTemplateObject):
3239         * runtime/JSTemplateRegistryKey.cpp:
3240         (JSC::JSTemplateRegistryKey::JSTemplateRegistryKey):
3241         (JSC::JSTemplateRegistryKey::create):
3242         * runtime/JSTemplateRegistryKey.h:
3243         * runtime/TemplateRegistry.cpp:
3244         (JSC::TemplateRegistry::getTemplateObject):
3245         * runtime/TemplateRegistry.h:
3246         * runtime/TemplateRegistryKey.cpp: Copied from Source/JavaScriptCore/runtime/TemplateRegistry.h.
3247         (JSC::TemplateRegistryKey::~TemplateRegistryKey):
3248         * runtime/TemplateRegistryKey.h:
3249         (JSC::TemplateRegistryKey::calculateHash):
3250         (JSC::TemplateRegistryKey::create):
3251         (JSC::TemplateRegistryKey::TemplateRegistryKey):
3252         * runtime/TemplateRegistryKeyTable.cpp: Added.
3253         (JSC::TemplateRegistryKeyTranslator::hash):
3254         (JSC::TemplateRegistryKeyTranslator::equal):
3255         (JSC::TemplateRegistryKeyTranslator::translate):
3256         (JSC::TemplateRegistryKeyTable::~TemplateRegistryKeyTable):
3257         (JSC::TemplateRegistryKeyTable::createKey):
3258         (JSC::TemplateRegistryKeyTable::unregister):
3259         * runtime/TemplateRegistryKeyTable.h: Copied from Source/JavaScriptCore/runtime/JSTemplateRegistryKey.h.
3260         (JSC::TemplateRegistryKeyTable::KeyHash::hash):
3261         (JSC::TemplateRegistryKeyTable::KeyHash::equal):
3262         * runtime/VM.h:
3263         (JSC::VM::templateRegistryKeyTable):
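
        As an added illustration of the interning scheme this entry describes (example code written here, not WebKit's own), a small C++ table that hands out one shared key object per distinct (raw, cooked) string pair, so that the call-site registry can be keyed by pointer and never copies or destroys a string-bearing key during lookup. The names TemplateKey, TemplateKeyTable and CallSiteRegistry are hypothetical, and the GC-driven weak pruning of the real WeakGCMap is left out.

```cpp
// Added example, not WebKit code: a minimal interning table for tagged-template call-site
// keys in the spirit of the TemplateRegistryKeyTable described above. All names are hypothetical.
#include <cassert>
#include <memory>
#include <string>
#include <unordered_map>
#include <unordered_set>
#include <utility>
#include <vector>

class TemplateKeyTable;
// One template literal's (raw, cooked) string lists; created and destroyed only on the owning thread.
struct TemplateKey : std::enable_shared_from_this<TemplateKey> {
    std::vector<std::string> rawStrings;
    std::vector<std::string> cookedStrings;
    TemplateKeyTable* table = nullptr;

    TemplateKey(std::vector<std::string> raw, std::vector<std::string> cooked)
        : rawStrings(std::move(raw)), cookedStrings(std::move(cooked)) {}
    size_t calculateHash() const {
        size_t h = rawStrings.size();
        for (const auto& s : rawStrings) h = h * 131 + std::hash<std::string>{}(s);
        for (const auto& s : cookedStrings) h = h * 131 + std::hash<std::string>{}(s);
        return h;
    }
    bool operator==(const TemplateKey& o) const {
        return rawStrings == o.rawStrings && cookedStrings == o.cookedStrings;
    }
};

// Interning table: equal keys are allocated once, so pointer identity is key identity.
// The last owner dropping its reference unregisters the key before it is freed.
class TemplateKeyTable {
public:
    using KeyRef = std::shared_ptr<TemplateKey>;
    ~TemplateKeyTable() { assert(m_keys.empty()); } // owners must release keys first

    KeyRef createKey(std::vector<std::string> raw, std::vector<std::string> cooked) {
        TemplateKey probe(raw, cooked); // lookup by content
        auto it = m_keys.find(&probe);
        if (it != m_keys.end())
            return (*it)->shared_from_this(); // already interned: share it
        auto* key = new TemplateKey(std::move(raw), std::move(cooked));
        key->table = this;
        m_keys.insert(key);
        return KeyRef(key, [](TemplateKey* k) { k->table->unregister(k); delete k; });
    }

    void unregister(TemplateKey* key) { m_keys.erase(key); }
    size_t size() const { return m_keys.size(); }

private:
    struct KeyHash { size_t operator()(const TemplateKey* k) const { return k->calculateHash(); } };
    struct KeyEqual { bool operator()(const TemplateKey* a, const TemplateKey* b) const { return *a == *b; } };
    std::unordered_set<TemplateKey*, KeyHash, KeyEqual> m_keys;
};

// Stand-in for the call-site registry: keyed by the interned pointer, so a lookup never
// copies, re-hashes or destroys a string-bearing key. Each entry keeps a strong reference,
// as the call-site object holding Ref<TemplateRegistryKey> does (GC weak-pruning omitted).
class CallSiteRegistry {
public:
    int getCallSiteId(const TemplateKeyTable::KeyRef& key) {
        auto it = m_sites.find(key.get());
        if (it != m_sites.end())
            return it->second.id;
        int id = static_cast<int>(m_sites.size()) + 1;
        m_sites.emplace(key.get(), Site{key, id});
        return id;
    }
private:
    struct Site { TemplateKeyTable::KeyRef key; int id; };
    std::unordered_map<TemplateKey*, Site> m_sites;
};

// Equal literals intern to one pointer and one call site; a different literal does not.
bool sameLiteralSharesCallSite() {
    TemplateKeyTable table;
    CallSiteRegistry registry;
    auto a = table.createKey({"hello ", ""}, {"hello ", ""});
    auto b = table.createKey({"hello ", ""}, {"hello ", ""});
    auto c = table.createKey({"bye ", ""}, {"bye ", ""});
    bool samePointer = a.get() == b.get() && a.get() != c.get();
    bool sameSite = registry.getCallSiteId(a) == registry.getCallSiteId(b)
        && registry.getCallSiteId(a) != registry.getCallSiteId(c);
    return samePointer && sameSite && table.size() == 2;
}

// Once every owner releases a key it leaves the table: it tracks live distinct literals.
size_t liveKeysAfterRelease() {
    TemplateKeyTable table;
    {
        auto a = table.createKey({"x"}, {"x"});
        auto b = table.createKey({"x"}, {"x"}); // interns to the same key as a
        if (table.size() != 1 || a != b)
            return 99;
    }
    return table.size(); // both released: 0
}
```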
3264
3265 2016-11-21  Mark Lam  <mark.lam@apple.com>
3266
3267         Fix exception scope verification failures in runtime/Error* files.
3268         https://bugs.webkit.org/show_bug.cgi?id=164998
3269
3270         Reviewed by Darin Adler.
3271
3272         * runtime/ErrorConstructor.cpp:
3273         (JSC::Interpreter::constructWithErrorConstructor):
3274         * runtime/ErrorInstance.cpp:
3275         (JSC::ErrorInstance::create):
3276         * runtime/ErrorInstance.h:
3277         * runtime/ErrorPrototype.cpp:
3278         (JSC::errorProtoFuncToString):
3279
3280 2016-11-21  Mark Lam  <mark.lam@apple.com>
3281
3282         Fix exception scope verification failures in *Executable.cpp files.
3283         https://bugs.webkit.org/show_bug.cgi?id=164996
3284
3285         Reviewed by Darin Adler.
3286
3287         * runtime/DirectEvalExecutable.cpp:
3288         (JSC::DirectEvalExecutable::create):
3289         * runtime/IndirectEvalExecutable.cpp:
3290         (JSC::IndirectEvalExecutable::create):
3291         * runtime/ProgramExecutable.cpp:
3292         (JSC::ProgramExecutable::initializeGlobalProperties):
3293         * runtime/ScriptExecutable.cpp:
3294         (JSC::ScriptExecutable::prepareForExecutionImpl):
3295
3296 2016-11-20  Zan Dobersek  <zdobersek@igalia.com>
3297
3298         [EncryptedMedia] Make EME API runtime-enabled
3299         https://bugs.webkit.org/show_bug.cgi?id=164927
3300
3301         Reviewed by Jer Noble.
3302
3303         * runtime/CommonIdentifiers.h: Add the necessary identifiers.
3304
3305 2016-11-20  Mark Lam  <mark.lam@apple.com>
3306
3307         Fix exception scope verification failures in ConstructData.cpp.
3308         https://bugs.webkit.org/show_bug.cgi?id=164976
3309
3310         Reviewed by Darin Adler.
3311
3312         * runtime/ConstructData.cpp:
3313         (JSC::construct):
3314
3315 2016-11-20  Mark Lam  <mark.lam@apple.com>
3316
3317         Fix exception scope verification failures in CommonSlowPaths.cpp/h.
3318         https://bugs.webkit.org/show_bug.cgi?id=164975
3319
3320         Reviewed by Darin Adler.
3321
3322         * runtime/CommonSlowPaths.cpp:
3323         (JSC::SLOW_PATH_DECL):
3324         * runtime/CommonSlowPaths.h:
3325         (JSC::CommonSlowPaths::opIn):
3326
3327 2016-11-20  Mark Lam  <mark.lam@apple.com>
3328
3329         Fix exception scope verification failures in DateConstructor.cpp and DatePrototype.cpp.
3330         https://bugs.webkit.org/show_bug.cgi?id=164995
3331
3332         Reviewed by Darin Adler.
3333
3334         * runtime/DateConstructor.cpp:
3335         (JSC::millisecondsFromComponents):
3336         (JSC::constructDate):
3337         * runtime/DatePrototype.cpp:
3338         (JSC::dateProtoFuncToPrimitiveSymbol):
3339
3340 2016-11-20  Caitlin Potter  <caitp@igalia.com>
3341
3342         [JSC] speed up parsing of async functions
3343         https://bugs.webkit.org/show_bug.cgi?id=164808
3344
3345         Reviewed by Yusuke Suzuki.
3346
3347         Minor adjustments to Parser in order to mitigate slowdown with async
3348         function parsing enabled:
3349
3350           - Tokenize "async" as a keyword
3351           - Perform less branching in various areas of the Parser
3352
3353         * parser/Keywords.table:
3354         * parser/Parser.cpp:
3355         (JSC::Parser<LexerType>::parseStatementListItem):
3356         (JSC::Parser<LexerType>::parseStatement):
3357         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
3358         (JSC::Parser<LexerType>::parseClass):
3359         (JSC::Parser<LexerType>::parseExportDeclaration):
3360         (JSC::Parser<LexerType>::parseAssignmentExpression):
3361         (JSC::Parser<LexerType>::parseProperty):
3362         (JSC::Parser<LexerType>::createResolveAndUseVariable):
3363         (JSC::Parser<LexerType>::parsePrimaryExpression):
3364         (JSC::Parser<LexerType>::parseMemberExpression):
3365         (JSC::Parser<LexerType>::printUnexpectedTokenText):
3366         * parser/Parser.h:
3367         (JSC::isAnyContextualKeyword):
3368         (JSC::isIdentifierOrAnyContextualKeyword):
3369         (JSC::isSafeContextualKeyword):
3370         (JSC::Parser::matchSpecIdentifier):
3371         * parser/ParserTokens.h:
3372         * runtime/CommonIdentifiers.h:
3373
3374 2016-11-19  Mark Lam  <mark.lam@apple.com>
3375
3376         Add --timeoutMultiplier option to allow some tests more time to run.
3377         https://bugs.webkit.org/show_bug.cgi?id=164951
3378
3379         Reviewed by Yusuke Suzuki.
3380
3381         * jsc.cpp:
3382         (timeoutThreadMain):
3383         - Modified to factor in a timeout multiplier that can adjust the timeout duration.
3384         (startTimeoutThreadIfNeeded):
3385         - Moved the code that starts the timeout thread here from main() so that we can
3386         call it after command line args have been parsed instead.
3387         (main):
3388         - Deleted old timeout thread starting code.
3389         (CommandLine::parseArguments):
3390         - Added parsing of the --timeoutMultiplier option.
3391         (jscmain):
3392         - Start the timeout thread if needed after we've parsed the command line args.
3393
3394 2016-11-19  Mark Lam  <mark.lam@apple.com>
3395
3396         Fix missing exception checks in JSC inspector files.
3397         https://bugs.webkit.org/show_bug.cgi?id=164959
3398
3399         Reviewed by Saam Barati.
3400
3401         * inspector/JSInjectedScriptHost.cpp:
3402         (Inspector::JSInjectedScriptHost::getInternalProperties):
3403         (Inspector::JSInjectedScriptHost::weakMapEntries):
3404         (Inspector::JSInjectedScriptHost::weakSetEntries):
3405         (Inspector::JSInjectedScriptHost::iteratorEntries):
3406         * inspector/JSJavaScriptCallFrame.cpp:
3407         (Inspector::JSJavaScriptCallFrame::scopeDescriptions):
3408
3409 2016-11-18  Mark Lam  <mark.lam@apple.com>
3410
3411         Fix missing exception checks in DFGOperations.cpp.
3412         https://bugs.webkit.org/show_bug.cgi?id=164958
3413
3414         Reviewed by Geoffrey Garen.
3415
3416         * dfg/DFGOperations.cpp:
3417
3418 2016-11-18  Mark Lam  <mark.lam@apple.com>
3419
3420         Fix exception scope verification failures in ShadowChicken.cpp.
3421         https://bugs.webkit.org/show_bug.cgi?id=164966
3422
3423         Reviewed by Saam Barati.
3424
3425         * interpreter/ShadowChicken.cpp:
3426         (JSC::ShadowChicken::functionsOnStack):
3427
3428 2016-11-18  Jeremy Jones  <jeremyj@apple.com>
3429
3430         Add runtime flag to enable pointer lock. Enable pointer lock feature for mac.
3431         https://bugs.webkit.org/show_bug.cgi?id=163801
3432
3433         Reviewed by Simon Fraser.
3434
3435         * Configurations/FeatureDefines.xcconfig:
3436
3437 2016-11-18  Filip Pizlo  <fpizlo@apple.com>
3438
3439         Unreviewed, fix cloop.
3440
3441         * bytecode/CodeBlock.cpp:
3442         (JSC::CodeBlock::stronglyVisitStrongReferences):
3443
3444 2016-11-18  Filip Pizlo  <fpizlo@apple.com>
3445
3446         Concurrent GC should be able to run splay in debug mode and earley/raytrace in release mode with no perf regression
3447         https://bugs.webkit.org/show_bug.cgi?id=164282
3448
3449         Reviewed by Geoffrey Garen and Oliver Hunt.
3450         
3451         The three remaining bugs were:
3452
3453         - Improper ordering inside putDirectWithoutTransition() and friends. We need to make sure
3454           that the GC doesn't see the store to Structure::m_offset until we've resized the butterfly.
3455           That proved a bit tricky. On the other hand, this means that we could probably remove the
3456           requirement that the GC holds the Structure lock in some cases. I haven't removed that lock
3457           yet because I still think it might protect some weird cases, and it doesn't seem to cost us
3458           anything.
3459         
3460         - CodeBlock's GC strategy needed to be made thread-safe (visitWeakly, visitChildren, and
3461           their friends now hold locks) and incremental-safe (we need to update predictions in the
3462           finalizer to make sure we clear anything that was put into a value profile towards the end
3463           of GC).
3464         
3465         - The GC timeslicing scheduler needed to be made a bit more aggressive to deal with
3466           generational workloads like earley, raytrace, and CDjs. Once I got those benchmarks to run,
3467           I found that they would do many useless iterations of GC because they wouldn't pause long
3468           enough after rescanning weak references and roots. I added a bunch of knobs for forcing a
3469           pause. In the end, I realized that I could get the desired effect by putting a ceiling on
3470           mutator utilization. We want the GC to finish quickly if it is possible to do so, even if
3471           the amount of allocation that the mutator had done is low. Having a utilization ceiling
3472           seems to accomplish this for benchmarks with trivial heaps (earley and raytrace) as well as
3473           huge heaps (like CDjs in its "large" configuration).
3474         
3475         This preserves splay performance, makes the concurrent GC more stable, and makes the
3476         concurrent GC not a perf regression on earley or raytrace. It seems to give us great CDjs
3477         performance as well, but this is still hard to tell because we crash a lot in that benchmark.
3478
3479         * bytecode/CodeBlock.cpp:
3480         (JSC::CodeBlock::CodeBlock):
3481         (JSC::CodeBlock::visitWeakly):
3482         (JSC::CodeBlock::visitChildren):
3483         (JSC::CodeBlock::shouldVisitStrongly):
3484         (JSC::CodeBlock::shouldJettisonDueToOldAge):
3485         (JSC::CodeBlock::propagateTransitions):
3486         (JSC::CodeBlock::determineLiveness):
3487         (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences):
3488         (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally):
3489         (JSC::CodeBlock::visitOSRExitTargets):
3490         (JSC::CodeBlock::stronglyVisitStrongReferences):
3491         (JSC::CodeBlock::stronglyVisitWeakReferences):
3492         * bytecode/CodeBlock.h:
3493         (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled):
3494         * heap/CodeBlockSet.cpp:
3495         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
3496         * heap/Heap.cpp:
3497         (JSC::Heap::ResumeTheWorldScope::ResumeTheWorldScope):
3498         (JSC::Heap::markToFixpoint):
3499         (JSC::Heap::beginMarking):
3500         (JSC::Heap::addToRememberedSet):
3501         (JSC::Heap::collectInThread):
3502         * heap/Heap.h:
3503         * heap/HeapInlines.h:
3504         (JSC::Heap::mutatorFence):
3505         * heap/MarkedBlock.cpp:
3506         * runtime/JSCellInlines.h:
3507         (JSC::JSCell::finishCreation):
3508         * runtime/JSObjectInlines.h:
3509         (JSC::JSObject::putDirectWithoutTransition):
3510         (JSC::JSObject::putDirectInternal):
3511         * runtime/Options.h:
3512         * runtime/Structure.cpp:
3513         (JSC::Structure::add):
3514         * runtime/Structure.h:
3515         * runtime/StructureInlines.h:
3516         (JSC::Structure::add):
3517
3518 2016-11-18  Joseph Pecoraro  <pecoraro@apple.com>
3519
3520         Web Inspector: Generator functions should have a displayable name when shown in stack traces
3521         https://bugs.webkit.org/show_bug.cgi?id=164844
3522         <rdar://problem/29300697>
3523
3524         Reviewed by Yusuke Suzuki.
3525
3526         * parser/SyntaxChecker.h:
3527         (JSC::SyntaxChecker::createGeneratorFunctionBody):
3528         * parser/ASTBuilder.h:
3529         (JSC::ASTBuilder::createGeneratorFunctionBody):
3530         New way to create a generator function with an inferred name.
3531
3532         * parser/Parser.cpp:
3533         (JSC::Parser<LexerType>::parseInner):
3534         (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
3535         * parser/Parser.h:
3536         Pass on the name of the generator wrapper function so we can
3537         use it on the inner generator function.
3538
3539 2016-11-17  Ryosuke Niwa  <rniwa@webkit.org>
3540
3541         Add an experimental API to find elements across shadow boundaries
3542         https://bugs.webkit.org/show_bug.cgi?id=164851
3543         <rdar://problem/28220092>
3544
3545         Reviewed by Sam Weinig.
3546
3547         * runtime/CommonIdentifiers.h:
3548
3549 2016-11-17  Yusuke Suzuki  <utatane.tea@gmail.com>
3550
3551         [JSC] Drop arguments.caller
3552         https://bugs.webkit.org/show_bug.cgi?id=164859
3553
3554         Reviewed by Saam Barati.
3555
3556         Originally, some JavaScript engines had an `arguments.caller` property.
3557         But it easily causes information leaks and it became an obstacle
3558         for Secure ECMAScript (SES). In ES5, we made it deprecated in strict
3559         mode. To do so, we explicitly set a "caller" getter that throws a
3560         TypeError on arguments in strict mode.
3561
3562         But now, there is no modern engine which supports `arguments.caller`
3563         in sloppy mode. So the original compatibility problem is gone and
3564         the "caller" getter on strict mode arguments becomes meaningless.
3565
3566         ES2017 drops this from the spec. In this patch, we also drop support
3567         for `arguments.caller` in strict mode.
3568
3569         Note that Function#caller is still alive.
3570
3571         * runtime/ClonedArguments.cpp:
3572         (JSC::ClonedArguments::getOwnPropertySlot):
3573         (JSC::ClonedArguments::put):
3574         (JSC::ClonedArguments::deleteProperty):
3575         (JSC::ClonedArguments::defineOwnProperty):
3576         (JSC::ClonedArguments::materializeSpecials):
3577
3578 2016-11-17  Mark Lam  <mark.lam@apple.com>
3579
3580         Inlining should be disallowed when JSC_alwaysUseShadowChicken=true.
3581         https://bugs.webkit.org/show_bug.cgi?id=164893
3582         <rdar://problem/29146436>
3583
3584         Reviewed by Saam Barati.
3585
3586         * runtime/Options.cpp:
3587         (JSC::recomputeDependentOptions):
3588
3589 2016-11-17  Filip Pizlo  <fpizlo@apple.com>
3590
3591         Speculatively disable eager object zero-fill on not-x86 to let the bots decide if that's a problem
3592         https://bugs.webkit.org/show_bug.cgi?id=164885
3593
3594         Reviewed by Mark Lam.
3595         
3596         This adds a useGCFences() function that we use to guard all eager object zero-fill and the
3597         related fences. It currently returns true only on x86().
3598         
3599         The goal here is to get the bots to tell us if this code is responsible for perf issues on
3600         any non-x86 platforms. We have a few different paths that we can pursue if this turns out
3601         to be the case. Eager zero-fill is merely the easiest way to optimize out some fences, but
3602         we could get rid of it and instead teach B3 how to think about fences.
3603
3604         * assembler/CPU.h:
3605         (JSC::useGCFences):
3606         * bytecode/PolymorphicAccess.cpp:
3607         (JSC::AccessCase::generateImpl):
3608         * dfg/DFGSpeculativeJIT.cpp:
3609         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
3610         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3611         * ftl/FTLLowerDFGToB3.cpp:
3612         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
3613         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
3614         (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
3615         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
3616         (JSC::FTL::DFG::LowerDFGToB3::mutatorFence):
3617         (JSC::FTL::DFG::LowerDFGToB3::setButterfly):
3618         * jit/AssemblyHelpers.h:
3619         (JSC::AssemblyHelpers::mutatorFence):
3620         (JSC::AssemblyHelpers::storeButterfly):
3621         (JSC::AssemblyHelpers::emitInitializeInlineStorage):
3622         (JSC::AssemblyHelpers::emitInitializeOutOfLineStorage):
3623
3624 2016-11-17  Keith Miller  <keith_miller@apple.com>
3625
3626         Add rotate to Wasm
3627         https://bugs.webkit.org/show_bug.cgi?id=164871
3628
3629         Reviewed by Filip Pizlo.
3630
3631         Add rotate left and rotate right to Wasm. These directly map to B3 opcodes.
3632         This also moves ARM-specific transformations of rotate left to lower macros
3633         after optimization. It's a bad idea to have platform-specific canonicalizations
3634         in reduce strength since other optimizations may not be aware of it.
3635
3636         Add a bug to do pure CSE after lower macros after optimization since we want to
3637         clean up RotL(value, Neg(Neg(shift))).
3638
3639         * b3/B3Generate.cpp:
3640         (JSC::B3::generateToAir):
3641         * b3/B3LowerMacrosAfterOptimizations.cpp:
3642         * b3/B3ReduceStrength.cpp:
3643         * wasm/wasm.json:
3644
3645 2016-11-17  Keith Miller  <keith_miller@apple.com>
3646
3647         Add sqrt to Wasm
3648         https://bugs.webkit.org/show_bug.cgi?id=164877
3649
3650         Reviewed by Mark Lam.
3651
3652         B3 already has a Sqrt opcode; we just need to map Wasm to it.
3653
3654         * wasm/wasm.json:
3655
3656 2016-11-17  Keith Miller  <keith_miller@apple.com>
3657
3658         Add support for rotate in B3 and the relevant assemblers
3659         https://bugs.webkit.org/show_bug.cgi?id=164869
3660
3661         Reviewed by Geoffrey Garen.
3662
3663         This patch runs RotR and RotL (rotate right and left, respectively)
3664         through B3 and B3's assemblers. One thing of note is that ARM64 does
3665         not support rotate left; instead it allows negative right rotations.
3666
3667         This patch also fixes a theoretical bug in the assembler where
3668         on X86 doing someShiftOp(reg, edx) would instead shift the shift
3669         amount by the value. Additionally, this patch refactors some
3670         of the X86 assembler to use templates when deciding how to format
3671         the appropriate shift instruction.
3672
3673         * assembler/MacroAssemblerARM64.h:
3674         (JSC::MacroAssemblerARM64::rotateRight32):
3675         (JSC::MacroAssemblerARM64::rotateRight64):
3676         * assembler/MacroAssemblerX86Common.h:
3677         (JSC::MacroAssemblerX86Common::rotateRight32):
3678         (JSC::MacroAssemblerX86Common::rotateLeft32):
3679         * assembler/MacroAssemblerX86_64.h:
3680         (JSC::MacroAssemblerX86_64::lshift64):
3681         (JSC::MacroAssemblerX86_64::rshift64):
3682         (JSC::MacroAssemblerX86_64::urshift64):
3683         (JSC::MacroAssemblerX86_64::rotateRight64):
3684         (JSC::MacroAssemblerX86_64::rotateLeft64):
3685         (JSC::MacroAssemblerX86_64::or64):
3686         * assembler/X86Assembler.h:
3687         (JSC::X86Assembler::xorq_rm):
3688         (JSC::X86Assembler::shiftInstruction32):
3689         (JSC::X86Assembler::sarl_i8r):
3690         (JSC::X86Assembler::shrl_i8r):
3691         (JSC::X86Assembler::shll_i8r):
3692         (JSC::X86Assembler::rorl_i8r):
3693         (JSC::X86Assembler::rorl_CLr):
3694         (JSC::X86Assembler::roll_i8r):
3695         (JSC::X86Assembler::roll_CLr):
3696         (JSC::X86Assembler::shiftInstruction64):
3697         (JSC::X86Assembler::sarq_CLr):
3698         (JSC::X86Assembler::sarq_i8r):
3699         (JSC::X86Assembler::shrq_i8r):
3700         (JSC::X86Assembler::shlq_i8r):
3701         (JSC::X86Assembler::rorq_i8r):
3702         (JSC::X86Assembler::rorq_CLr):
3703         (JSC::X86Assembler::rolq_i8r):
3704         (JSC::X86Assembler::rolq_CLr):
3705         * b3/B3Common.h:
3706         (JSC::B3::rotateRight):
3707         (JSC::B3::rotateLeft):
3708         * b3/B3Const32Value.cpp:
3709         (JSC::B3::Const32Value::rotRConstant):
3710         (JSC::B3::Const32Value::rotLConstant):
3711         * b3/B3Const32Value.h:
3712         * b3/B3Const64Value.cpp:
3713         (JSC::B3::Const64Value::rotRConstant):
3714         (JSC::B3::Const64Value::rotLConstant):
3715         * b3/B3Const64Value.h:
3716         * b3/B3LowerToAir.cpp:
3717         (JSC::B3::Air::LowerToAir::lower):
3718         * b3/B3Opcode.cpp:
3719         (WTF::printInternal):
3720         * b3/B3Opcode.h:
3721         * b3/B3ReduceStrength.cpp:
3722         * b3/B3Validate.cpp:
3723         * b3/B3Value.cpp:
3724         (JSC::B3::Value::rotRConstant):
3725         (JSC::B3::Value::rotLConstant):
3726         (JSC::B3::Value::effects):
3727         (JSC::B3::Value::key):
3728         (JSC::B3::Value::typeFor):
3729         * b3/B3Value.h:
3730         * b3/B3ValueKey.cpp:
3731         (JSC::B3::ValueKey::materialize):
3732         * b3/air/AirInstInlines.h:
3733         (JSC::B3::Air::isRotateRight32Valid):
3734         (JSC::B3::Air::isRotateLeft32Valid):
3735         (JSC::B3::Air::isRotateRight64Valid):
3736         (JSC::B3::Air::isRotateLeft64Valid):
3737         * b3/air/AirOpcode.opcodes:
3738         * b3/testb3.cpp:
3739         (JSC::B3::testRotR):
3740         (JSC::B3::testRotL):
3741         (JSC::B3::testRotRWithImmShift):
3742         (JSC::B3::testRotLWithImmShift):
3743         (JSC::B3::run):
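As an added example (not JSC's own code) covering the two rotate entries above, the Wasm rotate opcodes (bug 164871) and the B3/assembler rotate support (bug 164869): software rotate helpers with the masked-shift semantics those opcodes have, plus a check that a left rotation can be lowered to a right rotation by the negated amount, the substitution the entry describes for ARM64. The helper names and the sample operands are constructed for this example.

```cpp
#include <cstdint>

// Software models of the rotate operations. The shift amount is masked to the
// operand width, so a shift of 0 or of the full width is a no-op rather than
// undefined behaviour (x << 32 on a uint32_t is UB in C++).
static inline uint32_t rotateRight32(uint32_t value, uint32_t shift)
{
    shift &= 31;
    return (value >> shift) | (value << ((32 - shift) & 31));
}

static inline uint32_t rotateLeft32(uint32_t value, uint32_t shift)
{
    shift &= 31;
    return (value << shift) | (value >> ((32 - shift) & 31));
}

static inline uint64_t rotateRight64(uint64_t value, uint64_t shift)
{
    shift &= 63;
    return (value >> shift) | (value << ((64 - shift) & 63));
}

static inline uint64_t rotateLeft64(uint64_t value, uint64_t shift)
{
    shift &= 63;
    return (value << shift) | (value >> ((64 - shift) & 63));
}

// ARM64 has no rotate-left instruction, so a left rotation is expressed as a
// right rotation by the negated amount. Two's-complement negation wraps modulo
// the width, and the callee masks the result, so the identity holds for every
// shift amount, including 0 and amounts larger than the width.
static inline uint32_t rotateLeft32ViaRotateRight(uint32_t value, uint32_t shift)
{
    return rotateRight32(value, 0u - shift);
}

static inline uint64_t rotateLeft64ViaRotateRight(uint64_t value, uint64_t shift)
{
    return rotateRight64(value, 0ull - shift);
}

// Exhaustively checks the lowering identity on a few constructed operands for
// every shift amount from 0 up to twice the width (exercising the masking edge
// cases). Returns true when every case agrees.
bool rotateLeftLoweringHolds()
{
    const uint32_t samples32[] = { 0u, 1u, 0x80000000u, 0xDEADBEEFu, 0xFFFFFFFFu }; // constructed
    const uint64_t samples64[] = { 0ull, 1ull, 0x8000000000000000ull,
                                   0x0123456789ABCDEFull, ~0ull };              // constructed
    for (uint32_t value : samples32) {
        for (uint32_t shift = 0; shift <= 64; ++shift) {
            if (rotateLeft32(value, shift) != rotateLeft32ViaRotateRight(value, shift))
                return false;
        }
    }
    for (uint64_t value : samples64) {
        for (uint64_t shift = 0; shift <= 128; ++shift) {
            if (rotateLeft64(value, shift) != rotateLeft64ViaRotateRight(value, shift))
                return false;
        }
    }
    return true;
}
```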
3744
3745 2016-11-17  Saam Barati  <sbarati@apple.com>
3746
3747         Remove async/await compile time flag and enable tests
3748         https://bugs.webkit.org/show_bug.cgi?id=164828
3749         <rdar://problem/28639334>
3750
3751         Reviewed by Yusuke Suzuki.
3752
3753         * Configurations/FeatureDefines.xcconfig:
3754         * parser/Parser.cpp:
3755         (JSC::Parser<LexerType>::parseStatementListItem):
3756         (JSC::Parser<LexerType>::parseStatement):
3757         (JSC::Parser<LexerType>::parseClass):
3758         (JSC::Parser<LexerType>::parseExportDeclaration):
3759         (JSC::Parser<LexerType>::parseAssignmentExpression):
3760         (JSC::Parser<LexerType>::parseProperty):
3761         (JSC::Parser<LexerType>::parsePrimaryExpression):
3762         (JSC::Parser<LexerType>::parseMemberExpression):
3763         (JSC::Parser<LexerType>::parseUnaryExpression):
3764
3765 2016-11-17  Yusuke Suzuki  <utatane.tea@gmail.com>
3766
3767         [JSC] WTF::TemporaryChange with WTF::SetForScope
3768         https://bugs.webkit.org/show_bug.cgi?id=164761
3769
3770         Reviewed by Saam Barati.
3771
3772         * bytecompiler/BytecodeGenerator.h:
3773         * bytecompiler/SetForScope.h: Removed.
3774         * debugger/Debugger.cpp:
3775         * inspector/InspectorBackendDispatcher.cpp:
3776         (Inspector::BackendDispatcher::dispatch):
3777         * inspector/ScriptDebugServer.cpp:
3778         (Inspector::ScriptDebugServer::dispatchBreakpointActionLog):
3779         (Inspector::ScriptDebugServer::dispatchBreakpointActionSound):
3780         (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe):
3781         (Inspector::ScriptDebugServer::sourceParsed):
3782         (Inspector::ScriptDebugServer::dispatchFunctionToListeners):
3783         * parser/Parser.cpp:
3784
3785 2016-11-16  Mark Lam  <mark.lam@apple.com>
3786
3787         ExceptionFuzz needs to placate exception check verification before overwriting a thrown exception.
3788         https://bugs.webkit.org/show_bug.cgi?id=164843
3789
3790         Reviewed by Keith Miller.
3791
3792         The ThrowScope will check for unchecked simulated exceptions before throwing a
3793         new exception.  This ensures that we don't quietly overwrite a pending exception
3794         (which should never happen, with the only exception being to rethrow the same
3795         exception).  However, ExceptionFuzz works by intentionally throwing its own
3796         exception even when one may already exist, thereby potentially overwriting an
3797         existing exception.  This is ok for ExceptionFuzz testing, but we need to placate
3798         the exception check verifier before ExceptionFuzz throws its own exception.
3799
3800         * runtime/ExceptionFuzz.cpp:
3801         (JSC::doExceptionFuzzing):
3802
3803 2016-11-16  Geoffrey Garen  <ggaren@apple.com>
3804
3805         UnlinkedCodeBlock should not have a starting line number
3806         https://bugs.webkit.org/show_bug.cgi?id=164838
3807
3808         Reviewed by Mark Lam.
3809
3810         Here's how the starting line number in UnlinkedCodeBlock used to work:
3811
3812         (1) Assign the source code starting line number to the parser starting
3813         line number.
3814
3815         (2) Assign (1) to the AST.
3816
3817         (3) Subtract (1) from (2) and assign to UnlinkedCodeBlock.
3818
3819         Then, when linking:
3820
3821         (4) Add (3) to (1).
3822
3823         This was an awesome no-op.
3824
3825         Generally, unlinked code is code that is not tied to any particular
3826         web page or resource. So, it's inappropriate to think of it as having a
3827         starting line number.
3828
3829         * bytecode/UnlinkedCodeBlock.cpp:
3830         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
3831         * bytecode/UnlinkedCodeBlock.h:
3832         (JSC::UnlinkedCodeBlock::recordParse):
3833         (JSC::UnlinkedCodeBlock::hasCapturedVariables):
3834         (JSC::UnlinkedCodeBlock::firstLine): Deleted.
3835         * runtime/CodeCache.cpp:
3836         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
3837         * runtime/CodeCache.h:
3838         (JSC::generateUnlinkedCodeBlock):
3839
3840 2016-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
3841
3842         [ES6][WebCore] Change ES6_MODULES compile time flag to runtime flag
3843         https://bugs.webkit.org/show_bug.cgi?id=164827
3844
3845         Reviewed by Ryosuke Niwa.
3846
3847         * Configurations/FeatureDefines.xcconfig:
3848
3849 2016-11-16  Filip Pizlo  <fpizlo@apple.com>
3850
3851         Unreviewed, roll out r208811. It's not sound.
3852
3853         * ftl/FTLLowerDFGToB3.cpp:
3854         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
3855         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
3856         (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
3857         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
3858         (JSC::FTL::DFG::LowerDFGToB3::mutatorFence):
3859         (JSC::FTL::DFG::LowerDFGToB3::setButterfly):
3860         (JSC::FTL::DFG::LowerDFGToB3::splatWordsIfMutatorIsFenced): Deleted.
3861
3862 2016-11-16  Keith Miller  <keith_miller@apple.com>
3863
3864         Wasm function parser should use template functions for each binary and unary opcode
3865         https://bugs.webkit.org/show_bug.cgi?id=164835
3866
3867         Reviewed by Mark Lam.
3868
3869         This patch changes the wasm function parser to call into a template specialization
3870         for each binary/unary opcode. This change makes it easier to have custom implementations
3871         of various opcodes. It is also, in theory, a speedup since it does not require switching
3872         on the opcode twice.
3873
3874         * CMakeLists.txt:
3875         * DerivedSources.make:
3876         * wasm/WasmB3IRGenerator.cpp:
3877         (): Deleted.
3878         * wasm/WasmFunctionParser.h:
3879         (JSC::Wasm::FunctionParser<Context>::binaryCase):
3880         (JSC::Wasm::FunctionParser<Context>::unaryCase):
3881         (JSC::Wasm::FunctionParser<Context>::parseExpression):
3882         * wasm/WasmValidate.cpp:
3883         * wasm/generateWasm.py:
3884         (isBinary):
3885         (isSimple):
3886         * wasm/generateWasmB3IRGeneratorInlinesHeader.py: Added.
3887         (generateSimpleCode):
3888         * wasm/generateWasmOpsHeader.py:
3889         (opcodeMacroizer):
3890         * wasm/generateWasmValidateInlinesHeader.py:
3891
3892 2016-11-16  Mark Lam  <mark.lam@apple.com>
3893
3894         ExceptionFuzz functions should use its client's ThrowScope.
3895         https://bugs.webkit.org/show_bug.cgi?id=164834
3896
3897         Reviewed by Geoffrey Garen.
3898
3899         This is because ExceptionFuzz's purpose is to throw exceptions from its client at
3900         exception check sites.  Using the client's ThrowScope solves 2 problems:
3901
3902         1. If ExceptionFuzz instantiates its own ThrowScope, the simulated throw will be
3903            mis-attributed to ExceptionFuzz when it should be attributed to its client.
3904
3905         2. One way exception scope verification works is by having ThrowScopes assert
3906            that there are no unchecked simulated exceptions when the ThrowScope is
3907            instantiated.  However, ExceptionFuzz necessarily works by inserting
3908            doExceptionFuzzingIfEnabled() in between a ThrowScope that simulated a throw
3909            and an exception check.  If we declare a ThrowScope in ExceptionFuzz's code,
3910            we will be instantiating the ThrowScope between the point where a simulated
3911            throw occurs and where the needed exception check can occur.  Hence, having
3912            ExceptionFuzz instantiate its own ThrowScope will fail exception scope
3913            verification every time.
3914
3915         Changing ExceptionFuzz to use its client's ThrowScope resolves both problems.
3916
3917         Also fixed the THROW() macro in CommonSlowPaths.cpp to use the ThrowScope that
3918         already exists in every slow path function instead of creating a new one.
3919
3920         * jit/JITOperations.cpp:
3921         * llint/LLIntSlowPaths.cpp:
3922         * runtime/CommonSlowPaths.cpp:
3923         * runtime/ExceptionFuzz.cpp:
3924         (JSC::doExceptionFuzzing):
3925         * runtime/ExceptionFuzz.h:
3926         (JSC::doExceptionFuzzingIfEnabled):
3927
3928 2016-11-16  Filip Pizlo  <fpizlo@apple.com>
3929
3930         Slight Octane regression from concurrent GC's eager object zero-fill
3931         https://bugs.webkit.org/show_bug.cgi?id=164823
3932
3933         Reviewed by Geoffrey Garen.
3934         
3935         During concurrent GC, we need to eagerly zero-fill objects we allocate prior to
3936         executing the end-of-allocation fence. This causes some regressions. This is an attempt
3937         to fix those regressions by making them conditional on whether the mutator is fenced.
3938         
3939         This is a slight speed-up on raytrace and boyer, and hopefully it will fix the
3940         regression.
3941
3942         * ftl/FTLLowerDFGToB3.cpp:
3943         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
3944         (JSC::FTL::DFG::LowerDFGToB3::splatWordsIfMutatorIsFenced):
3945         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
3946         (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
3947         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
3948         (JSC::FTL::DFG::LowerDFGToB3::mutatorFence):
3949         (JSC::FTL::DFG::LowerDFGToB3::setButterfly):
3950
3951 2016-11-16  Mark Lam  <mark.lam@apple.com>
3952
3953         Fix exception scope checking in JSGlobalObject.cpp.
3954         https://bugs.webkit.org/show_bug.cgi?id=164831
3955
3956         Reviewed by Saam Barati.
3957
3958         * runtime/JSGlobalObject.cpp:
3959         (JSC::JSGlobalObject::init):