REGRESSION (r208711-r208722): ASSERTION FAILED: hasInlineStorage()
Source/JavaScriptCore/ChangeLog (WebKit-https.git)
2016-11-15  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION (r208711-r208722): ASSERTION FAILED: hasInlineStorage()
        https://bugs.webkit.org/show_bug.cgi?id=164775

        Reviewed by Mark Lam and Keith Miller.

        We were calling inlineStorage() which asserts that inline storage is not empty. But we
        were calling it in a context where it could be empty and that's fine. So, we now call
        inlineStorageUnsafe().

        * runtime/JSObject.h:
        (JSC::JSFinalObject::JSFinalObject):

2016-11-14  Csaba Osztrogonác  <ossy@webkit.org>

        [ARM] Unreviewed buildfix after r208720.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::storeFence): Stub function copied from MacroAssemblerARMv7.h.

2016-11-14  Caitlin Potter  <caitp@igalia.com>

        [JSC] do not reference AwaitExpression Promises in async function Promise chain
        https://bugs.webkit.org/show_bug.cgi?id=164753

        Reviewed by Yusuke Suzuki.

        Previously, long-running async functions which contained many AwaitExpressions
        would allocate and retain references to intermediate Promise objects for each `await`,
        resulting in a memory leak.

        To mitigate this leak, a reference to the original Promise (and its resolve and reject
        functions) associated with the async function are kept, and passed to each call to
        @asyncFunctionResume, while intermediate Promises are discarded. This is done by adding
        a new Register to the BytecodeGenerator to hold the PromiseCapability object associated
        with an async function wrapper. The capability is used to reject the Promise if an
        exception is thrown during parameter initialization, and is used to store the resulting
        value once the async function has terminated.

        * builtins/AsyncFunctionPrototype.js:
        (globalPrivate.asyncFunctionResume):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::promiseCapabilityRegister):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionNode::emitBytecode):

2016-11-14  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Worker debugging should pause all targets and view call frames in all targets
        https://bugs.webkit.org/show_bug.cgi?id=164305
        <rdar://problem/29056192>

        Reviewed by Timothy Hatcher.

        * inspector/InjectedScriptSource.js:
        (InjectedScript.prototype._propertyDescriptors):
        Accessing __proto__ does a ToThis(...) conversion on the receiver.
        In the case of GlobalObjects (such as WorkerGlobalScope when paused)
        this would return undefined and throw an exception. We can use
        Object.getPrototypeOf to avoid that conversion and possible error.

        * inspector/protocol/Debugger.json:
        Provide a new way to effectively `resume` + `pause` immediately.
        This must be implemented on the backend to correctly synchronize
        the resuming and pausing.

        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::continueUntilNextRunLoop):
        Treat this as `resume` and `pause`. Resume now, and trigger
        a pause if the VM becomes idle and we didn't pause before then
        (such as hitting a breakpoint after we resumed).

        (Inspector::InspectorDebuggerAgent::pause):
        (Inspector::InspectorDebuggerAgent::resume):
        (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
        (Inspector::InspectorDebuggerAgent::cancelPauseOnNextStatement):
        Clean up and correct pause on next statement logic.

        (Inspector::InspectorDebuggerAgent::registerIdleHandler):
        (Inspector::InspectorDebuggerAgent::willStepAndMayBecomeIdle):
        (Inspector::InspectorDebuggerAgent::didBecomeIdle):
        (Inspector::InspectorDebuggerAgent::didBecomeIdleAfterStepping): Deleted.
        The idle handler may now also trigger a pause in the case
        where continueUntilNextRunLoop resumed and wants to pause.

        (Inspector::InspectorDebuggerAgent::didPause):
        Eliminate the useless didPause. The DOMDebugger was keeping track
        of its own state that was worse than the state in DebuggerAgent.

2016-11-14  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix cloop.

        * runtime/JSCellInlines.h:

2016-11-14  Filip Pizlo  <fpizlo@apple.com>

        The GC should be optionally concurrent and disabled by default
        https://bugs.webkit.org/show_bug.cgi?id=164454

        Reviewed by Geoffrey Garen.

        This started out as a patch to have the GC scan the stack at the end, and then the
        outage happened and I decided to pick a more aggressive target: give the GC a concurrent
        mode that can be enabled at runtime, and whose only effect is that it turns on the
        ResumeTheWorldScope. This gives our GC a really intuitive workflow: by default, the GC
        thread is running solo with the world stopped and the parallel markers converged and
        waiting. We have a parallel work scope to enable the parallel markers and now we have a
        ResumeTheWorldScope that will optionally resume the world and then stop it again.

        It's easy to make a concurrent GC that always instantly crashes. I can't promise that
        this one won't do that when you run it. I set a specific goal: I wanted to do >10
        concurrent GCs in debug mode with generations, optimizing JITs, and parallel marking
        disabled.

        To reach this milestone, I needed to do a bunch of stuff:

        - The mutator needs a separate mark stack for the barrier, since it will mutate this
          stack concurrently to the collector's slot visitors.

        - The use of CellState to indicate whether an object is being scanned the first time or
          a subsequent time was racy. It fails spectacularly when a barrier is fired at the same
          time as visitChildren is running or if the barrier runs at the same time as the GC
          marks the same object. So, I split SlotVisitor's mark stacks. It's now the case that
          you know why you're being scanned by looking at which stack you came off of.

        - All of root marking must be in the collector fixpoint. I renamed markRoots to
          markToFixpoint. They say concurrency is hard, but the collector looks more intuitive
          this way. We never gained anything from forcing people to make a choice between
          scanning something in the fixpoint versus outside of it. Because root scanning is
          cheap, we can afford to do it repeatedly, which means all root scanning can now do
          constraint-based marking (like: I'll mark you if that thing is marked).

        - JSObject::visitChildren's scanning of the butterfly raced with property additions,
          indexed storage transitions and resizing, and a bunch of miscellaneous dirty butterfly
          reshaping functions - like the one that flattens a dictionary and some sneaky
          ArrayStorage transformations. Many of these can be fixed by using store-store fences
          in the mutator and load-load fences in the collector. I've adopted the rule that the
          collector must always see either a butterfly and structure that match or a newer
          butterfly with an older structure, where their age is just one transition apart. This
          can be achieved with fences. For the cases where it breaks down, I added a lock to
          every JSCell. This is a full-fledged WTF lock that we sneak into two available bits in
          the indexingType. See the WTF ChangeLog for details.

          The mutator fencing rules are as follows:

          - Store-store fence before and after setting the butterfly.
          - Store-store fence before setting structure if you had changed the shape of the
            butterfly.
          - Store-store fence after initializing all fields in an allocation.

        - A dictionary Structure can change in strange ways while the GC is trying to scan it.
          So, JSObject::visitChildren will now grab the object's structure's lock if the
          object's structure is a dictionary. Dictionary structures are 1:1 with their object,
          so this does not reduce GC parallelism (super unlikely that the GC will simultaneously
          scan an object from two threads).

        - The GC can blow away a Structure's property table at any time. As a small consolation,
          it's now holding the Structure's lock when it does so. But there was tons of code in
          Structure that uses DeferGC to prevent the GC from blowing away the property table.
          This doesn't work with concurrent GC, since DeferGC only means that the GC won't run
          its safepoint (i.e. stop-the-world code) in the DeferGC region. It will still do
          marking and it was the Structure::visitChildren that would delete the table. It turns
          out that Structure's reliance on the property table not being deleted was the product
          of code rot. We already had functions that would materialize the table on demand. We
          were simply making the mistake of saying:

              structure->materializePropertyMap();
              ...
              structure->propertyTable()->things

          Instead of saying:

              PropertyTable* table = structure->ensurePropertyTable();
              ...
              table->things

          Switching the code to use the latter idiom allowed me to simplify the code a lot while
          fixing the race.

        - The LLInt's get_by_val handling was broken because the indexing shape constants were
          wrong. Once I started putting more things into the IndexingType, that started causing
          crashes for me. So I fixed LLInt. That turned out to be a lot of work, since that code
          had rotted in subtle ways.

        This is a speed-up in SunSpider, probably because of the LLInt fix. This is neutral on
        Octane and Kraken. It's a smaller slow-down on LongSpider, but I think we can ignore
        that (we don't view LongSpider as an official benchmark). By default, the concurrent GC
        is disabled: in all of the places where it would have resumed the world to run marking
        concurrently to the mutator, it will just skip the resume step. When you enable
        concurrent GC (--useConcurrentGC=true), it can sometimes run Octane/splay to completion.
        It seems to perform quite well: on my machine, it improves both splay-throughput and
        splay-latency. It's probably unstable for other programs.

        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine isOldExternalObject:]):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::storeFence):
        * bytecode/InlineAccess.cpp:
        (JSC::InlineAccess::dumpCacheSizesAndCrash):
        (JSC::InlineAccess::generateSelfPropertyAccess):
        (JSC::InlineAccess::generateArrayLength):
        * bytecode/ObjectAllocationProfile.h:
        (JSC::ObjectAllocationProfile::offsetOfInlineCapacity):
        (JSC::ObjectAllocationProfile::ObjectAllocationProfile):
        (JSC::ObjectAllocationProfile::initialize):
        (JSC::ObjectAllocationProfile::inlineCapacity):
        (JSC::ObjectAllocationProfile::clear):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::generateWithGuard):
        (JSC::AccessCase::generateImpl):
        * dfg/DFGArrayifySlowPathGenerator.h:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::markCodeBlocks):
        (JSC::DFG::Plan::rememberCodeBlocks):
        * dfg/DFGPlan.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::arrayify):
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
        (JSC::DFG::SpeculativeJIT::compileCreateActivation):
        (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileSpread):
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileNewStringObject):
        (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
        (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::markCodeBlocks):
        (JSC::DFG::Worklist::rememberCodeBlocks):
        (JSC::DFG::markCodeBlocks):
        (JSC::DFG::completeAllPlansForVM):
        (JSC::DFG::rememberCodeBlocks):
        * dfg/DFGWorklist.h:
        * ftl/FTLAbstractHeapRepository.cpp:
        (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
        (JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::~JITCode):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compilePutStructure):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
        (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::splatWords):
        (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
        (JSC::FTL::DFG::LowerDFGToB3::isArrayType):
        (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
        (JSC::FTL::DFG::LowerDFGToB3::mutatorFence):
        (JSC::FTL::DFG::LowerDFGToB3::setButterfly):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLOutput.cpp:
        (JSC::FTL::Output::signExt32ToPtr):
        (JSC::FTL::Output::fence):
        * ftl/FTLOutput.h:
        * heap/CellState.h:
        * heap/GCSegmentedArray.h:
        * heap/Heap.cpp:
        (JSC::Heap::ResumeTheWorldScope::ResumeTheWorldScope):
        (JSC::Heap::ResumeTheWorldScope::~ResumeTheWorldScope):
        (JSC::Heap::Heap):
        (JSC::Heap::~Heap):
        (JSC::Heap::harvestWeakReferences):
        (JSC::Heap::finalizeUnconditionalFinalizers):
        (JSC::Heap::completeAllJITPlans):
        (JSC::Heap::markToFixpoint):
        (JSC::Heap::gatherStackRoots):
        (JSC::Heap::beginMarking):
        (JSC::Heap::visitConservativeRoots):
        (JSC::Heap::visitCompilerWorklistWeakReferences):
        (JSC::Heap::updateObjectCounts):
        (JSC::Heap::endMarking):
        (JSC::Heap::addToRememberedSet):
        (JSC::Heap::collectInThread):
        (JSC::Heap::stopTheWorld):
        (JSC::Heap::resumeTheWorld):
        (JSC::Heap::setGCDidJIT):
        (JSC::Heap::setNeedFinalize):
        (JSC::Heap::setMutatorWaiting):
        (JSC::Heap::clearMutatorWaiting):
        (JSC::Heap::finalize):
        (JSC::Heap::flushWriteBarrierBuffer):
        (JSC::Heap::writeBarrierSlowPath):
        (JSC::Heap::canCollect):
        (JSC::Heap::reportExtraMemoryVisited):
        (JSC::Heap::reportExternalMemoryVisited):
        (JSC::Heap::notifyIsSafeToCollect):
        (JSC::Heap::markRoots): Deleted.
        (JSC::Heap::visitExternalRememberedSet): Deleted.
        (JSC::Heap::visitSmallStrings): Deleted.
        (JSC::Heap::visitProtectedObjects): Deleted.
        (JSC::Heap::visitArgumentBuffers): Deleted.
        (JSC::Heap::visitException): Deleted.
        (JSC::Heap::visitStrongHandles): Deleted.
        (JSC::Heap::visitHandleStack): Deleted.
        (JSC::Heap::visitSamplingProfiler): Deleted.
        (JSC::Heap::visitTypeProfiler): Deleted.
        (JSC::Heap::visitShadowChicken): Deleted.
        (JSC::Heap::traceCodeBlocksAndJITStubRoutines): Deleted.
        (JSC::Heap::visitWeakHandles): Deleted.
        (JSC::Heap::flushOldStructureIDTables): Deleted.
        (JSC::Heap::stopAllocation): Deleted.
        * heap/Heap.h:
        (JSC::Heap::collectorSlotVisitor):
        (JSC::Heap::mutatorMarkStack):
        (JSC::Heap::mutatorShouldBeFenced):
        (JSC::Heap::addressOfMutatorShouldBeFenced):
        (JSC::Heap::slotVisitor): Deleted.
        (JSC::Heap::notifyIsSafeToCollect): Deleted.
        (JSC::Heap::barrierShouldBeFenced): Deleted.
        (JSC::Heap::addressOfBarrierShouldBeFenced): Deleted.
        * heap/MarkStack.cpp:
        (JSC::MarkStackArray::transferTo):
        * heap/MarkStack.h:
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::tryAllocateIn):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::MarkedBlock):
        (JSC::MarkedBlock::Handle::specializedSweep):
        (JSC::MarkedBlock::Handle::sweep):
        (JSC::MarkedBlock::Handle::sweepHelperSelectMarksMode):
        (JSC::MarkedBlock::Handle::stopAllocating):
        (JSC::MarkedBlock::Handle::resumeAllocating):
        (JSC::MarkedBlock::aboutToMarkSlow):
        (JSC::MarkedBlock::Handle::didConsumeFreeList):
        (JSC::SetNewlyAllocatedFunctor::SetNewlyAllocatedFunctor): Deleted.
        (JSC::SetNewlyAllocatedFunctor::operator()): Deleted.
        * heap/MarkedBlock.h:
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::resumeAllocating):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::SlotVisitor):
        (JSC::SlotVisitor::~SlotVisitor):
        (JSC::SlotVisitor::reset):
        (JSC::SlotVisitor::clearMarkStacks):
        (JSC::SlotVisitor::appendJSCellOrAuxiliary):
        (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
        (JSC::SlotVisitor::appendToMarkStack):
        (JSC::SlotVisitor::appendToMutatorMarkStack):
        (JSC::SlotVisitor::visitChildren):
        (JSC::SlotVisitor::donateKnownParallel):
        (JSC::SlotVisitor::drain):
        (JSC::SlotVisitor::drainFromShared):
        (JSC::SlotVisitor::containsOpaqueRoot):
        (JSC::SlotVisitor::donateAndDrain):
        (JSC::SlotVisitor::mergeOpaqueRoots):
        (JSC::SlotVisitor::dump):
        (JSC::SlotVisitor::clearMarkStack): Deleted.
        (JSC::SlotVisitor::opaqueRootCount): Deleted.
        * heap/SlotVisitor.h:
        (JSC::SlotVisitor::collectorMarkStack):
        (JSC::SlotVisitor::mutatorMarkStack):
        (JSC::SlotVisitor::isEmpty):
        (JSC::SlotVisitor::bytesVisited):
        (JSC::SlotVisitor::markStack): Deleted.
        (JSC::SlotVisitor::bytesCopied): Deleted.
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::reportExtraMemoryVisited):
        (JSC::SlotVisitor::reportExternalMemoryVisited):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
        (JSC::AssemblyHelpers::barrierStoreLoadFence):
        (JSC::AssemblyHelpers::mutatorFence):
        (JSC::AssemblyHelpers::storeButterfly):
        (JSC::AssemblyHelpers::jumpIfMutatorFenceNotNeeded):
        (JSC::AssemblyHelpers::emitInitializeInlineStorage):
        (JSC::AssemblyHelpers::emitInitializeOutOfLineStorage):
        (JSC::AssemblyHelpers::jumpIfBarrierStoreLoadFenceNotNeeded): Deleted.
        * jit/JITInlines.h:
        (JSC::JIT::emitArrayProfilingSiteWithCell):
        * jit/JITOperations.cpp:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emit_op_put_to_arguments):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::create):
        (JSC::Butterfly::createOrGrowPropertyStorage):
        * runtime/ConcurrentJITLock.h:
        (JSC::GCSafeConcurrentJITLocker::NoDefer::NoDefer): Deleted.
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
        (JSC::GenericArguments<Type>::putByIndex):
        * runtime/IndexingType.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::unshiftCountSlowCase):
        (JSC::JSArray::unshiftCountWithArrayStorage):
        * runtime/JSCell.h:
        (JSC::JSCell::InternalLocker::InternalLocker):
        (JSC::JSCell::InternalLocker::~InternalLocker):
        (JSC::JSCell::atomicCompareExchangeCellStateWeakRelaxed):
        (JSC::JSCell::atomicCompareExchangeCellStateStrong):
        (JSC::JSCell::indexingTypeAndMiscOffset):
        (JSC::JSCell::indexingTypeOffset): Deleted.
        * runtime/JSCellInlines.h:
        (JSC::JSCell::JSCell):
        (JSC::JSCell::finishCreation):
        (JSC::JSCell::indexingTypeAndMisc):
        (JSC::JSCell::indexingType):
        (JSC::JSCell::setStructure):
        (JSC::JSCell::callDestructor):
        (JSC::JSCell::lockInternalLock):
        (JSC::JSCell::unlockInternalLock):
        * runtime/JSObject.cpp:
        (JSC::JSObject::visitButterfly):
        (JSC::JSObject::visitChildren):
        (JSC::JSFinalObject::visitChildren):
        (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
        (JSC::JSObject::createInitialUndecided):
        (JSC::JSObject::createInitialInt32):
        (JSC::JSObject::createInitialDouble):
        (JSC::JSObject::createInitialContiguous):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::convertUndecidedToArrayStorage):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::JSObject::increaseVectorLength):
        (JSC::JSObject::ensureLengthSlow):
        (JSC::JSObject::reallocateAndShrinkButterfly):
        (JSC::JSObject::allocateMoreOutOfLineStorage):
        (JSC::JSObject::shiftButterflyAfterFlattening):
        (JSC::JSObject::growOutOfLineStorage): Deleted.
        * runtime/JSObject.h:
        (JSC::JSFinalObject::JSFinalObject):
        (JSC::JSObject::setButterfly):
        (JSC::JSObject::getOwnNonIndexPropertySlot):
        (JSC::JSObject::fillCustomGetterPropertySlot):
        (JSC::JSObject::getOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::setStructureAndButterfly): Deleted.
        (JSC::JSObject::setButterflyWithoutChangingStructure): Deleted.
        (JSC::JSObject::putDirectInternal): Deleted.
        (JSC::JSObject::putDirectWithoutTransition): Deleted.
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::getNonIndexPropertySlot):
        (JSC::JSObject::putDirectWithoutTransition):
        (JSC::JSObject::putDirectInternal):
        * runtime/Options.h:
        * runtime/SparseArrayValueMap.h:
        * runtime/Structure.cpp:
        (JSC::Structure::dumpStatistics):
        (JSC::Structure::findStructuresAndMapForMaterialization):
        (JSC::Structure::materializePropertyTable):
        (JSC::Structure::addNewPropertyTransition):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::takePropertyTableOrCloneIfPinned):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::isSealed):
        (JSC::Structure::isFrozen):
        (JSC::Structure::flattenDictionaryStructure):
        (JSC::Structure::pin):
        (JSC::Structure::pinForCaching):
        (JSC::Structure::willStoreValueSlow):
        (JSC::Structure::copyPropertyTableForPinning):
        (JSC::Structure::add):
        (JSC::Structure::remove):
        (JSC::Structure::getPropertyNamesFromStructure):
        (JSC::Structure::visitChildren):
        (JSC::Structure::materializePropertyMap): Deleted.
        (JSC::Structure::addPropertyWithoutTransition): Deleted.
        (JSC::Structure::removePropertyWithoutTransition): Deleted.
        (JSC::Structure::copyPropertyTable): Deleted.
        (JSC::Structure::createPropertyMap): Deleted.
        (JSC::PropertyTable::checkConsistency): Deleted.
        (JSC::Structure::checkConsistency): Deleted.
        * runtime/Structure.h:
        * runtime/StructureIDBlob.h:
        (JSC::StructureIDBlob::StructureIDBlob):
        (JSC::StructureIDBlob::indexingTypeIncludingHistory):
        (JSC::StructureIDBlob::setIndexingTypeIncludingHistory):
        (JSC::StructureIDBlob::indexingTypeIncludingHistoryOffset):
        (JSC::StructureIDBlob::indexingType): Deleted.
        (JSC::StructureIDBlob::setIndexingType): Deleted.
        (JSC::StructureIDBlob::indexingTypeOffset): Deleted.
        * runtime/StructureInlines.h:
        (JSC::Structure::get):
        (JSC::Structure::checkOffsetConsistency):
        (JSC::Structure::checkConsistency):
        (JSC::Structure::add):
        (JSC::Structure::remove):
        (JSC::Structure::addPropertyWithoutTransition):
        (JSC::Structure::removePropertyWithoutTransition):
        (JSC::Structure::setPropertyTable):
        (JSC::Structure::putWillGrowOutOfLineStorage): Deleted.
        (JSC::Structure::propertyTable): Deleted.
        (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Deleted.
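
        The mutator fencing rules in the entry above, as an added example that is not JSC code:
        a small C++ model that enumerates every point at which a concurrent collector could
        observe the mutator's stores while it grows an object's out-of-line storage. The names
        (ObjectCell, simulateGrow, everyInterleavingIsSafe) and the 2-to-4 slot transition are
        invented for the model. With the store-store fences in place the collector can only see
        the mutator's stores as a prefix of program order, so enumerating prefixes is exactly
        the set of views it can get. The safety condition checked is the one the entry states:
        the collector must never see a newer structure paired with an older butterfly.

```cpp
#include <atomic>
#include <cstddef>
#include <cstdio>
#include <functional>
#include <vector>

// A Structure tells the collector how many out-of-line property slots to scan.
struct Structure {
    std::size_t outOfLinePropertyCount;
};

// A Butterfly is the backing store; capacity is how many slots actually exist.
struct Butterfly {
    std::size_t capacity;
};

// The object header the mutator writes and the collector reads concurrently.
struct ObjectCell {
    std::atomic<Structure*> structure;
    std::atomic<Butterfly*> butterfly;
};

// Collector side: load the structure, load-load fence, then load the butterfly.
// The view is safe if the structure never asks the collector to scan past the end
// of the butterfly it sees, i.e. it never pairs a newer structure with an older butterfly.
bool collectorViewIsSafe(const ObjectCell& cell) {
    Structure* s = cell.structure.load(std::memory_order_relaxed);
    std::atomic_thread_fence(std::memory_order_acquire);  // load-load fence
    Butterfly* b = cell.butterfly.load(std::memory_order_relaxed);
    return s->outOfLinePropertyCount <= b->capacity;
}

using Step = std::function<void()>;

// Apply each prefix of the mutator's steps, then let the collector look. Because the
// store-store fences keep the stores visible in program order, these prefixes are
// every view a concurrent collector could get.
bool everyInterleavingIsSafe(const std::vector<Step>& steps, ObjectCell& cell,
                             const std::function<void()>& reset) {
    for (std::size_t cut = 0; cut <= steps.size(); ++cut) {
        reset();
        for (std::size_t i = 0; i < cut; ++i)
            steps[i]();
        if (!collectorViewIsSafe(cell))
            return false;
    }
    return true;
}

// Model the mutator growing out-of-line storage from 2 to 4 slots (constructed numbers).
// correctOrder = true follows the entry's rules: fence before and after storing the
// butterfly, and a fence before storing the structure because the shape changed.
// correctOrder = false publishes the structure first, which those rules forbid.
bool simulateGrow(bool correctOrder) {
    Structure oldStructure{2}, newStructure{4};
    Butterfly oldButterfly{2}, newButterfly{4};
    ObjectCell cell;
    auto reset = [&] {
        cell.structure.store(&oldStructure, std::memory_order_relaxed);
        cell.butterfly.store(&oldButterfly, std::memory_order_relaxed);
    };
    Step storeButterfly = [&] {
        std::atomic_thread_fence(std::memory_order_release);  // new storage is initialized first
        cell.butterfly.store(&newButterfly, std::memory_order_relaxed);
        std::atomic_thread_fence(std::memory_order_release);  // fence after setting the butterfly
    };
    Step storeStructure = [&] {
        std::atomic_thread_fence(std::memory_order_release);  // shape changed: fence before structure
        cell.structure.store(&newStructure, std::memory_order_relaxed);
    };
    std::vector<Step> steps = correctOrder ? std::vector<Step>{storeButterfly, storeStructure}
                                           : std::vector<Step>{storeStructure, storeButterfly};
    return everyInterleavingIsSafe(steps, cell, reset);
}

int main() {
    std::printf("butterfly then structure: %s\n", simulateGrow(true) ? "safe" : "UNSAFE");
    std::printf("structure then butterfly: %s\n", simulateGrow(false) ? "safe" : "UNSAFE");
    return 0;
}
```

        The reversed order fails at the first interleaving point: the collector reads a structure
        claiming four slots over a butterfly that still holds two, and would scan past the end of
        the allocation. That is the class of collector-side out-of-bounds read the fence rules are
        there to rule out.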
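        The two property-table idioms quoted in the entry above, as an added example that is not
        JSC code. The model lets a collector drop a Structure's cached PropertyTable under the
        Structure lock, as the entry describes, between the mutator's materialize call and its use
        of the table. The old idiom re-reads the cache field and finds it empty; the new idiom keeps
        the table in a local. In JSC that local is a stack slot the conservative scan treats as a
        root; this model stands in a std::shared_ptr for that, which is a simplification, and the
        names below (lookupOldIdiom, collectorDropsTable, runOldIdiom) and the fixed x/y table are
        invented.

```cpp
#include <cstdio>
#include <map>
#include <memory>
#include <mutex>
#include <string>

using PropertyTable = std::map<std::string, int>;  // property name -> slot offset

struct Structure {
    std::mutex lock;                       // the per-Structure lock the entry describes
    std::shared_ptr<PropertyTable> table;  // cached table; the collector may clear it

    // Rebuild the table. In JSC this walks the transition chain; here a fixed
    // two-property table stands in for that (constructed sample data).
    static std::shared_ptr<PropertyTable> materialize() {
        auto t = std::make_shared<PropertyTable>();
        (*t)["x"] = 0;
        (*t)["y"] = 1;
        return t;
    }

    // Old idiom, step 1: fill the cache field and return nothing.
    void materializePropertyMap() {
        std::lock_guard<std::mutex> guard(lock);
        if (!table)
            table = materialize();
    }

    // Old idiom, step 2: re-read the cache field, which may have been cleared meanwhile.
    PropertyTable* propertyTable() { return table.get(); }

    // New idiom: materialize if needed and hand the caller its own reference.
    std::shared_ptr<PropertyTable> ensurePropertyTable() {
        std::lock_guard<std::mutex> guard(lock);
        if (!table)
            table = materialize();
        return table;
    }

    // What Structure::visitChildren may do at any time: drop the cached table under the lock.
    void collectorDropsTable() {
        std::lock_guard<std::mutex> guard(lock);
        table.reset();
    }
};

// Slot offset of property "y", or -1 where the real code would have dereferenced a
// null table. collectorRunsInBetween models the GC firing between the two calls.
int lookupOldIdiom(Structure& s, bool collectorRunsInBetween) {
    s.materializePropertyMap();
    if (collectorRunsInBetween)
        s.collectorDropsTable();
    PropertyTable* t = s.propertyTable();
    if (!t)
        return -1;  // the original code had no such check: this is the crash
    auto it = t->find("y");
    return it == t->end() ? -1 : it->second;
}

// Same lookup with the new idiom: the local keeps the table alive even though the
// collector cleared the Structure's cache field.
int lookupNewIdiom(Structure& s, bool collectorRunsInBetween) {
    std::shared_ptr<PropertyTable> t = s.ensurePropertyTable();
    if (collectorRunsInBetween)
        s.collectorDropsTable();
    auto it = t->find("y");
    return it == t->end() ? -1 : it->second;
}

// Convenience wrappers that run each idiom on a fresh Structure.
int runOldIdiom(bool collectorRunsInBetween) {
    Structure s;
    return lookupOldIdiom(s, collectorRunsInBetween);
}
int runNewIdiom(bool collectorRunsInBetween) {
    Structure s;
    return lookupNewIdiom(s, collectorRunsInBetween);
}

int main() {
    std::printf("old idiom, no GC:   %d\n", runOldIdiom(false));  // 1
    std::printf("old idiom, GC runs: %d\n", runOldIdiom(true));   // -1
    std::printf("new idiom, GC runs: %d\n", runNewIdiom(true));   // 1
    return 0;
}
```

        The point of the model is that DeferGC-style reasoning ("the collector cannot run here")
        no longer holds once marking is concurrent; what protects the mutator is holding a
        reference the collector respects, not a region in which the collector is assumed absent.
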
2016-11-14  Keith Miller  <keith_miller@apple.com>

        Add Wasm select
        https://bugs.webkit.org/show_bug.cgi?id=164743

        Reviewed by Saam Barati.

        Also, this patch fixes an issue with the jsc.cpp test harness where negative numbers would be sign extended
        when they shouldn't be.

        * jsc.cpp:
        (box):
        * wasm/WasmB3IRGenerator.cpp:
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseExpression):
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::Validate::addSelect):

2016-11-11  Geoffrey Garen  <ggaren@apple.com>

        JSC should distinguish between local and global eval
        https://bugs.webkit.org/show_bug.cgi?id=164628

        Reviewed by Saam Barati.

        Local use of the 'eval' keyword and invocation of the global window.eval
        function are distinct operations in JavaScript.

        This patch splits out LocalEvalExecutable vs GlobalEvalExecutable in
        order to help distinguish these operations in code.

        Our code used to do some silly things for lack of distinguishing these
        cases. For example, it would double cache local eval in CodeCache and
        EvalCodeCache. This made CodeCache seem more complicated than it really
        was.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj: Added some files.

        * bytecode/CodeBlock.h:

        * bytecode/EvalCodeCache.h:
        (JSC::EvalCodeCache::tryGet):
        (JSC::EvalCodeCache::set):
        (JSC::EvalCodeCache::getSlow): Deleted. Moved code generation out of
        the cache to avoid tight coupling. Now the cache just caches.

        * bytecode/UnlinkedEvalCodeBlock.h:
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
        * bytecode/UnlinkedModuleProgramCodeBlock.h:
        * bytecode/UnlinkedProgramCodeBlock.h:
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::evaluateWithScopeExtension): Updated for interface
        changes.

        * interpreter/Interpreter.cpp:
        (JSC::eval): Moved code generation here so the cache didn't need to build
        it in.

        * llint/LLIntOffsetsExtractor.cpp:

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalCodeBlock): No need to check for TDZ
        variables any more. We only cache global programs, and global variable
        access always does TDZ checks.

        (JSC::CodeCache::getUnlinkedProgramCodeBlock):
        (JSC::CodeCache::getUnlinkedGlobalEvalCodeBlock):
        (JSC::CodeCache::getUnlinkedModuleProgramCodeBlock):
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):

        (JSC::CodeCache::CodeCache): Deleted.
        (JSC::CodeCache::~CodeCache): Deleted.
        (JSC::CodeCache::getGlobalCodeBlock): Deleted.
        (JSC::CodeCache::getProgramCodeBlock): Deleted.
        (JSC::CodeCache::getEvalCodeBlock): Deleted.
        (JSC::CodeCache::getModuleProgramCodeBlock): Deleted.
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode): Deleted.

        * runtime/CodeCache.h:
        (JSC::CodeCache::clear):
        (JSC::generateUnlinkedCodeBlock): Moved unlinked code block creation
        out of the CodeCache class and into a stand-alone function because
        we need it for local eval, which does not live in CodeCache.

        * runtime/EvalExecutable.cpp:
        (JSC::EvalExecutable::create): Deleted.
        * runtime/EvalExecutable.h:
        (): Deleted.
        * runtime/GlobalEvalExecutable.cpp: Added.
        (JSC::GlobalEvalExecutable::create):
        (JSC::GlobalEvalExecutable::GlobalEvalExecutable):
        * runtime/GlobalEvalExecutable.h: Added.
        * runtime/LocalEvalExecutable.cpp: Added.
        (JSC::LocalEvalExecutable::create):
        (JSC::LocalEvalExecutable::LocalEvalExecutable):
        * runtime/LocalEvalExecutable.h: Added. Split out Local vs Global
        EvalExecutable classes to distinguish these operations in code. The key
        difference is that LocalEvalExecutable does not live in the CodeCache
        and only lives in the EvalCodeCache.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createProgramCodeBlock):
        (JSC::JSGlobalObject::createLocalEvalCodeBlock):
        (JSC::JSGlobalObject::createGlobalEvalCodeBlock):
        (JSC::JSGlobalObject::createModuleProgramCodeBlock):
        (JSC::JSGlobalObject::createEvalCodeBlock): Deleted.
        * runtime/JSGlobalObject.h:
        * runtime/JSGlobalObjectFunctions.cpp:
644         (JSC::globalFuncEval):
645
646         * runtime/JSScope.cpp:
647         (JSC::JSScope::collectClosureVariablesUnderTDZ):
648         (JSC::JSScope::collectVariablesUnderTDZ): Deleted. We don't include
649         global lexical variables in our concept of TDZ scopes anymore. Global
650         variable access always does TDZ checks unconditionally. So, only closure
651         scope accesses give specific consideration to TDZ checks.
652
653         * runtime/JSScope.h:
654
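The local/global eval distinction the entry above describes is observable from JavaScript: a direct eval resolves names against the caller's scope, an indirect eval such as `(0, eval)(src)` against the global scope only, so the same source string cannot share one cache entry across both. The following is an added example, not JavaScriptCore code; the function names and the constructed program string are the example's own.

```javascript
// Added example, not code from JavaScriptCore: the observable difference
// between a direct (local) eval and an indirect (global) eval, which is what
// the LocalEvalExecutable / GlobalEvalExecutable split mirrors.

// Constructed sample program; the same string is evaluated in both modes.
const PROGRAM = 'typeof secret';

// A direct eval resolves `secret` against this function's scope; an indirect
// eval, written (0, eval)(...), resolves it against the global scope only.
function evalBothWays() {
  const secret = 'local';                  // visible to the direct eval only
  return { direct: eval(PROGRAM), indirect: (0, eval)(PROGRAM) };
}

// Same source text, different surroundings: the direct eval still sees the
// local binding while the indirect eval now finds a global of another type.
// This is why a local eval result cannot be cached by source text alone.
// A global `secret` is installed temporarily and removed afterwards.
function evalWithGlobalShadowed() {
  globalThis.secret = 123;
  try {
    const secret = 'local';
    return { direct: eval(PROGRAM), indirect: (0, eval)(PROGRAM) };
  } finally {
    delete globalThis.secret;
  }
}

// A direct eval also sees closure bindings that are declared later in the
// same scope; reading one before initialisation is a TDZ violation, which is
// the check the entry says closure-scope accesses must keep making.
function evalDuringTdz() {
  try {
    return eval('later');
  } catch (e) {
    return e instanceof ReferenceError ? 'ReferenceError' : 'other';
  }
  let later = 1;   // hoisted binding, still uninitialised when the eval runs
}
```

`evalBothWays()` returns `{ direct: 'string', indirect: 'undefined' }`; with a numeric global installed, `evalWithGlobalShadowed()` returns `{ direct: 'string', indirect: 'number' }`.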
655 2016-11-14  Caitlin Potter  <caitp@igalia.com>
656
657         [JSC] Handle new_async_func / new_async_func_exp in DFG / FTL
658         https://bugs.webkit.org/show_bug.cgi?id=164037
659
660         Reviewed by Yusuke Suzuki.
661
662         This patch introduces new_async_func / new_async_func_exp into DFG and FTL,
663         in much the same capacity that https://trac.webkit.org/changeset/194216 added
664         DFG / FTL support for generators: by adding new DFG nodes (NewAsyncFunction and
665         PhantomNewAsyncFunction), rather than extending the existing NewFunction node type.
666
667         Like NewFunction and PhantomNewFunction, and the Generator variants, allocation of
668         async wrapper functions may be deferred or eliminated during the allocation sinking
669         phase.
670
671         * dfg/DFGAbstractInterpreterInlines.h:
672         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
673         * dfg/DFGByteCodeParser.cpp:
674         (JSC::DFG::ByteCodeParser::parseBlock):
675         * dfg/DFGCapabilities.cpp:
676         (JSC::DFG::capabilityLevel):
677         * dfg/DFGClobberize.h:
678         (JSC::DFG::clobberize):
679         * dfg/DFGClobbersExitState.cpp:
680         (JSC::DFG::clobbersExitState):
681         * dfg/DFGDoesGC.cpp:
682         (JSC::DFG::doesGC):
683         * dfg/DFGFixupPhase.cpp:
684         (JSC::DFG::FixupPhase::fixupNode):
685         * dfg/DFGMayExit.cpp:
686         * dfg/DFGNode.h:
687         (JSC::DFG::Node::convertToPhantomNewFunction):
688         (JSC::DFG::Node::convertToPhantomNewAsyncFunction):
689         (JSC::DFG::Node::hasCellOperand):
690         (JSC::DFG::Node::isFunctionAllocation):
691         (JSC::DFG::Node::isPhantomFunctionAllocation):
692         (JSC::DFG::Node::isPhantomAllocation):
693         * dfg/DFGNodeType.h:
694         * dfg/DFGObjectAllocationSinkingPhase.cpp:
695         * dfg/DFGPredictionPropagationPhase.cpp:
696         * dfg/DFGSafeToExecute.h:
697         (JSC::DFG::safeToExecute):
698         * dfg/DFGSpeculativeJIT.cpp:
699         (JSC::DFG::SpeculativeJIT::compileNewFunction):
700         * dfg/DFGSpeculativeJIT32_64.cpp:
701         (JSC::DFG::SpeculativeJIT::compile):
702         * dfg/DFGSpeculativeJIT64.cpp:
703         (JSC::DFG::SpeculativeJIT::compile):
704         * dfg/DFGStoreBarrierInsertionPhase.cpp:
705         * dfg/DFGStructureRegistrationPhase.cpp:
706         (JSC::DFG::StructureRegistrationPhase::run):
707         * dfg/DFGValidate.cpp:
708         * ftl/FTLCapabilities.cpp:
709         (JSC::FTL::canCompile):
710         * ftl/FTLLowerDFGToB3.cpp:
711         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
712         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
713         * ftl/FTLOperations.cpp:
714         (JSC::FTL::operationPopulateObjectInOSR):
715         (JSC::FTL::operationMaterializeObjectInOSR):
716         * runtime/JSGlobalObject.cpp:
717         (JSC::JSGlobalObject::init):
718         (JSC::JSGlobalObject::visitChildren):
719         * runtime/JSGlobalObject.h:
720         (JSC::JSGlobalObject::asyncFunctionPrototype):
721         (JSC::JSGlobalObject::asyncFunctionStructure):
722         (JSC::JSGlobalObject::lazyAsyncFunctionStructure): Deleted.
723         (JSC::JSGlobalObject::asyncFunctionPrototypeConcurrently): Deleted.
724         (JSC::JSGlobalObject::asyncFunctionStructureConcurrently): Deleted.
725
726 2016-11-14  Mark Lam  <mark.lam@apple.com>
727
728         Some of JSStringView::SafeView methods are not idiomatically safe for JSString to StringView conversions.
729         https://bugs.webkit.org/show_bug.cgi?id=164701
730         <rdar://problem/27462104>
731
732         Reviewed by Darin Adler.
733
734         The characters8(), characters16(), and operator[] in JSString::SafeView convert
735         the underlying JSString to a StringView via get(), and then uses the StringView
736         without first checking if an exception was thrown during the conversion.  This is
737         unsafe because the conversion may have failed.
738         
739         Instead, we should remove these 3 convenience methods, and make the caller
740         explicitly call get() and do the appropriate exception checks before using the
741         StringView.
742
743         * runtime/JSGlobalObjectFunctions.cpp:
744         (JSC::toStringView):
745         (JSC::encode):
746         (JSC::decode):
747         (JSC::globalFuncParseInt):
748         (JSC::globalFuncEscape):
749         (JSC::globalFuncUnescape):
750         (JSC::toSafeView): Deleted.
751         * runtime/JSONObject.cpp:
752         (JSC::JSONProtoFuncParse):
753         * runtime/JSString.h:
754         (JSC::JSString::SafeView::length):
755         (JSC::JSString::SafeView::characters8): Deleted.
756         (JSC::JSString::SafeView::characters16): Deleted.
757         (JSC::JSString::SafeView::operator[]): Deleted.
758         * runtime/StringPrototype.cpp:
759         (JSC::stringProtoFuncRepeatCharacter):
760         (JSC::stringProtoFuncCharAt):
761         (JSC::stringProtoFuncCharCodeAt):
762         (JSC::stringProtoFuncNormalize):
763
764 2016-11-14  Mark Lam  <mark.lam@apple.com>
765
766         RegExpObject::exec/match should handle errors gracefully.
767         https://bugs.webkit.org/show_bug.cgi?id=155145
768         <rdar://problem/27435934>
769
770         Reviewed by Keith Miller.
771
772         1. Added some missing exception checks to RegExpObject::execInline() and
773            RegExpObject::matchInline().
774         2. Updated related code to work with ExceptionScope verification requirements.
775
776         * dfg/DFGOperations.cpp:
777         * runtime/RegExpObjectInlines.h:
778         (JSC::RegExpObject::execInline):
779         (JSC::RegExpObject::matchInline):
780         * runtime/RegExpPrototype.cpp:
781         (JSC::regExpProtoFuncTestFast):
782         (JSC::regExpProtoFuncExec):
783         (JSC::regExpProtoFuncMatchFast):
784
785 2016-11-13  Mark Lam  <mark.lam@apple.com>
786
787         Add debugging facility to limit the max single allocation size.
788         https://bugs.webkit.org/show_bug.cgi?id=164681
789
790         Reviewed by Keith Miller.
791
792         Added JSC option to set FastMalloc's maxSingleAllocationSize for testing purposes.
793         This option is only available on Debug builds.
794
795         * runtime/Options.cpp:
796         (JSC::Options::isAvailable):
797         (JSC::recomputeDependentOptions):
798         * runtime/Options.h:
799
800 2016-11-12  Joseph Pecoraro  <pecoraro@apple.com>
801
802         Follow-up fix to r208639.
803
804         Unreviewed fix. This is a straightforward change where I forgot to
805         switch from uncheckedArgument() to argument() in one case after
806         dropping an argumentCount check. All other cases do this properly.
807         This addresses an ASSERT seen on the bots running tests.
808
809         * runtime/JSDataViewPrototype.cpp:
810         (JSC::setData):
811
812 2016-11-11  Joseph Pecoraro  <pecoraro@apple.com>
813
814         test262: DataView with explicit undefined byteLength should be the same as it not being present
815         https://bugs.webkit.org/show_bug.cgi?id=164453
816
817         Reviewed by Darin Adler.
818
819         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
820         (JSC::constructGenericTypedArrayView):
821         Handle the special case of DataView construction with an undefined byteLength value.
822
823 2016-11-11  Joseph Pecoraro  <pecoraro@apple.com>
824
825         test262: DataView get methods should allow for missing offset, set methods should allow for missing value
826         https://bugs.webkit.org/show_bug.cgi?id=164451
827
828         Reviewed by Darin Adler.
829
830         * runtime/JSDataViewPrototype.cpp:
831         (JSC::getData):
832         Missing offset is still valid and will be coerced to 0.
833
834         (JSC::setData):
835         Missing value is still valid and will be coerced to 0.
836
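The two DataView entries above, together with the 2016-11-10 ToIndex entry further down this log, describe behaviour that can be checked directly from JavaScript: an undefined byteLength behaves like an omitted one, an omitted offset or value coerces to 0, and negative or oversized indices throw RangeError rather than being silently wrapped. The following is an added example, not JavaScriptCore code: a spec-style ToIndex written in JavaScript, plus a function that exercises those DataView cases on a constructed buffer. The helper names are the example's own.

```javascript
// Added example, not code from JavaScriptCore.

// ToIndex(value): undefined -> 0; otherwise truncate toward zero and reject
// anything negative or above 2^53 - 1. A naive `value >>> 0` would instead
// turn -1 into 4294967295 rather than rejecting it.
function toIndex(value) {
  if (value === undefined) return 0;
  let n = Number(value);
  if (Number.isNaN(n)) return 0;
  n = Math.trunc(n);                    // ToIntegerOrInfinity
  if (n < 0 || n > Number.MAX_SAFE_INTEGER) {
    throw new RangeError(`index ${value} is out of range`);
  }
  return n === 0 ? 0 : n;               // normalise -0 to +0
}

// Returns the thrown error's constructor name, or 'no error'.
function errorName(fn) {
  try { fn(); return 'no error'; } catch (e) { return e.constructor.name; }
}

// The DataView behaviours from the entries, on a constructed 8-byte buffer.
function dataViewBehaviours() {
  const buffer = new ArrayBuffer(8);
  new Uint8Array(buffer).set([0x7f, 0x80, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06]);

  const explicitUndefined = new DataView(buffer, 0, undefined);
  const implicitLength = new DataView(buffer, 0);
  const view = new DataView(buffer, 2);   // starts at buffer byte 2

  view.setInt8(0);                        // missing value: writes ToInt8(undefined) = 0

  return {
    // undefined byteLength behaves like an omitted one: both span the buffer.
    undefinedLength: explicitUndefined.byteLength === implicitLength.byteLength,
    // getInt8() with no offset reads offset 0 (ToIndex(undefined) = 0): 0x7f.
    missingOffset: implicitLength.getInt8(),
    // the setInt8(0) above wrote 0 over buffer byte 2.
    missingValue: view.getInt8(0),
    // fractional offsets truncate: byte 1 is 0x80.
    fractionalOffset: implicitLength.getUint8(1.9),
    // negative or oversized indices are rejected up front.
    negativeOffset: errorName(() => view.getInt8(-1)),
    hugeOffset: errorName(() => view.getInt8(2 ** 53)),
    negativeBufferLength: errorName(() => new ArrayBuffer(-1)),
    negativeTypedArrayLength: errorName(() => new Int8Array(-1)),
  };
}
```

`toIndex` gives the same answers as the engine's own coercion for the offsets used above (`undefined` to 0, `1.9` to 1, `-1` and `2 ** 53` to RangeError), and `dataViewBehaviours()` reports `'RangeError'` for each of the four rejected constructions.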
837 2016-11-11  Saam Barati  <sbarati@apple.com>
838
839         We should have a more concise way of determining when we're varargs calling a function using rest parameters
840         https://bugs.webkit.org/show_bug.cgi?id=164258
841
842         Reviewed by Yusuke Suzuki.
843
844         This patch adds two new bytecodes and DFG nodes for the following code patterns:
845
846         ```
847         foo(a, b, ...c)
848         let x = [a, b, ...c];
849         ```
850
851         To do this, I've introduced two new bytecode operations (and their
852         corresponding DFG nodes):
853
854         op_spread and op_new_array_with_spread.
855
856         op_spread takes a single input and performs the ES6 iteration protocol on it.
857         It returns the result of doing the spread inside a new class I've
858         made called JSFixedArray. JSFixedArray is a cell with a single 'size'
859         field and a buffer of values allocated inline in the cell. Abstracting
860         the protocol into a single node is good because it will make IR analysis
861         in the future much simpler. For now, it's also good because it allows
862         us to create fast paths for array iteration (which is quite common).
863         This fast path allows us to emit really good code for array iteration
864         inside the DFG/FTL.
865
866         op_new_array_with_spread is a variable argument bytecode that also
867         has a bit vector associated with it. The bit vector indicates if
868         any particular argument is to be spread or not. Arguments that
869         are spread are known to be JSFixedArray because we must emit an
870         op_spread before op_new_array_with_spread consumes the value.
871         For example, for this array:
872         [a, b, ...c, d, ...e]
873         we will have this bit vector:
874         [0, 0, 1, 0, 1]
875
876         The reason I've chosen this IR is that it will make eliminating
877         a rest allocation for this type of code much easier:
878
879         ```
880         function foo(...args) {
881             return bar(a, b, ...args);
882         }
883         ```
884
885         It will be easier to analyze the IR now that the operations
886         will be described at a high level.
887
888         This patch is an ~8% speedup on ES6SampleBench on my MBP.
889
890         * CMakeLists.txt:
891         * DerivedSources.make:
892         * JavaScriptCore.xcodeproj/project.pbxproj:
893         * builtins/IteratorHelpers.js: Added.
894         (performIteration):
895         * bytecode/BytecodeList.json:
896         * bytecode/BytecodeUseDef.h:
897         (JSC::computeUsesForBytecodeOffset):
898         (JSC::computeDefsForBytecodeOffset):
899         * bytecode/CodeBlock.cpp:
900         (JSC::CodeBlock::dumpBytecode):
901         * bytecode/ObjectPropertyConditionSet.cpp:
902         (JSC::generateConditionForSelfEquivalence):
903         * bytecode/ObjectPropertyConditionSet.h:
904         * bytecode/TrackedReferences.cpp:
905         (JSC::TrackedReferences::check):
906         * bytecode/UnlinkedCodeBlock.h:
907         (JSC::UnlinkedCodeBlock::bitVectors):
908         (JSC::UnlinkedCodeBlock::bitVector):
909         (JSC::UnlinkedCodeBlock::addBitVector):
910         (JSC::UnlinkedCodeBlock::shrinkToFit):
911         * bytecompiler/BytecodeGenerator.cpp:
912         (JSC::BytecodeGenerator::emitNewArrayWithSpread):
913         * bytecompiler/BytecodeGenerator.h:
914         * bytecompiler/NodesCodegen.cpp:
915         (JSC::ArrayNode::emitBytecode):
916         * dfg/DFGAbstractInterpreterInlines.h:
917         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
918         * dfg/DFGByteCodeParser.cpp:
919         (JSC::DFG::ByteCodeParser::addToGraph):
920         (JSC::DFG::ByteCodeParser::parseBlock):
921         * dfg/DFGCapabilities.cpp:
922         (JSC::DFG::capabilityLevel):
923         * dfg/DFGClobberize.h:
924         (JSC::DFG::clobberize):
925         * dfg/DFGDoesGC.cpp:
926         (JSC::DFG::doesGC):
927         * dfg/DFGFixupPhase.cpp:
928         (JSC::DFG::FixupPhase::fixupNode):
929         (JSC::DFG::FixupPhase::watchHavingABadTime):
930         * dfg/DFGGraph.h:
931         (JSC::DFG::Graph::isWatchingArrayIteratorProtocolWatchpoint):
932         * dfg/DFGNode.h:
933         (JSC::DFG::Node::bitVector):
934         * dfg/DFGNodeType.h:
935         * dfg/DFGOperations.cpp:
936         * dfg/DFGOperations.h:
937         * dfg/DFGPredictionPropagationPhase.cpp:
938         * dfg/DFGSafeToExecute.h:
939         (JSC::DFG::safeToExecute):
940         * dfg/DFGSpeculativeJIT.cpp:
941         (JSC::DFG::SpeculativeJIT::compileSpread):
942         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
943         * dfg/DFGSpeculativeJIT.h:
944         (JSC::DFG::SpeculativeJIT::callOperation):
945         * dfg/DFGSpeculativeJIT32_64.cpp:
946         (JSC::DFG::SpeculativeJIT::compile):
947         * dfg/DFGSpeculativeJIT64.cpp:
948         (JSC::DFG::SpeculativeJIT::compile):
949         * dfg/DFGStructureRegistrationPhase.cpp:
950         (JSC::DFG::StructureRegistrationPhase::run):
951         * ftl/FTLAbstractHeapRepository.h:
952         * ftl/FTLCapabilities.cpp:
953         (JSC::FTL::canCompile):
954         * ftl/FTLLowerDFGToB3.cpp:
955         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
956         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
957         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
958         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
959         * jit/AssemblyHelpers.h:
960         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
961         (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
962         * jit/JIT.cpp:
963         (JSC::JIT::privateCompileMainPass):
964         * jit/JIT.h:
965         * jit/JITOpcodes.cpp:
966         (JSC::JIT::emit_op_new_array_with_spread):
967         (JSC::JIT::emit_op_spread):
968         * jit/JITOperations.h:
969         * llint/LLIntData.cpp:
970         (JSC::LLInt::Data::performAssertions):
971         * llint/LLIntSlowPaths.cpp:
972         * llint/LowLevelInterpreter.asm:
973         * runtime/ArrayIteratorAdaptiveWatchpoint.cpp: Added.
974         (JSC::ArrayIteratorAdaptiveWatchpoint::ArrayIteratorAdaptiveWatchpoint):
975         (JSC::ArrayIteratorAdaptiveWatchpoint::handleFire):
976         * runtime/ArrayIteratorAdaptiveWatchpoint.h: Added.
977         * runtime/CommonSlowPaths.cpp:
978         (JSC::SLOW_PATH_DECL):
979         * runtime/CommonSlowPaths.h:
980         * runtime/IteratorOperations.h:
981         (JSC::forEachInIterable):
982         * runtime/JSCInlines.h:
983         * runtime/JSFixedArray.cpp: Added.
984         (JSC::JSFixedArray::visitChildren):
985         * runtime/JSFixedArray.h: Added.
986         (JSC::JSFixedArray::createStructure):
987         (JSC::JSFixedArray::createFromArray):
988         (JSC::JSFixedArray::get):
989         (JSC::JSFixedArray::buffer):
990         (JSC::JSFixedArray::size):
991         (JSC::JSFixedArray::offsetOfSize):
992         (JSC::JSFixedArray::offsetOfData):
993         (JSC::JSFixedArray::create):
994         (JSC::JSFixedArray::JSFixedArray):
995         (JSC::JSFixedArray::allocationSize):
996         * runtime/JSGlobalObject.cpp:
997         (JSC::JSGlobalObject::JSGlobalObject):
998         (JSC::JSGlobalObject::init):
999         (JSC::JSGlobalObject::visitChildren):
1000         (JSC::JSGlobalObject::objectPrototypeIsSane): Deleted.
1001         (JSC::JSGlobalObject::arrayPrototypeChainIsSane): Deleted.
1002         (JSC::JSGlobalObject::stringPrototypeChainIsSane): Deleted.
1003         * runtime/JSGlobalObject.h:
1004         (JSC::JSGlobalObject::arrayIteratorProtocolWatchpoint):
1005         (JSC::JSGlobalObject::iteratorProtocolFunction):
1006         * runtime/JSGlobalObjectInlines.h: Added.
1007         (JSC::JSGlobalObject::objectPrototypeIsSane):
1008         (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
1009         (JSC::JSGlobalObject::stringPrototypeChainIsSane):
1010         (JSC::JSGlobalObject::isArrayIteratorProtocolFastAndNonObservable):
1011         * runtime/JSType.h:
1012         * runtime/VM.cpp:
1013         (JSC::VM::VM):
1014         * runtime/VM.h:
1015
1016 2016-11-11  Keith Miller  <keith_miller@apple.com>
1017
1018         Move Wasm tests to JS
1019         https://bugs.webkit.org/show_bug.cgi?id=164611
1020
1021         Reviewed by Geoffrey Garen.
1022
1023         This patch translates most of the tests from testWasm.cpp to the JS testing api. Most of the
1024         omitted tests were the earliest tests, which tested trivial things, like adding two
1025         constants. Some tests are omitted for other reasons, however. These are:
1026
1027         1) Tests using I64 since the testing api does not yet know how to handle 64-bit numbers.
1028         2) Tests that would validate the memory of the module once wasm was done with it since that's
1029         not really possible in JS.
1030
1031         In order to make such a translation easier this patch also adds some features to the JS
1032         testing api:
1033
1034         1) Blocks can now be done lexically by adding a lambda as the last argument of the block
1035         opcode. For example one can do:
1036             ...
1037             .Block("i32", b => b.I32Const(1) )
1038
1039         and the nested lambda will automatically have an end attached.
1040
1041         2) The JS testing api can now handle inline signature types.
1042
1043         3) Relocate some code to make it easier to follow and prevent 44 space indentation.
1044
1045         4) Rename varuint/varint to varuint32/varint32; this lets them be directly called from the
1046         wasm.json without being remapped.
1047
1048         5) Add support for Memory and Function sections to the Builder.
1049
1050         6) Add support for local variables.
1051
1052         On the JSC side, we needed to expose a new function to validate the compiled wasm code
1053         behaves the way we expect. At least until the JS Wasm API is finished. The new validation
1054         function, testWasmModuleFunctions, takes an array buffer containing the wasm binary, the
1055         number of functions in the blob and tests for each of those functions.
1056
1057         * jsc.cpp:
1058         (GlobalObject::finishCreation):
1059         (box):
1060         (callWasmFunction):
1061         (functionTestWasmModuleFunctions):
1062         * testWasm.cpp:
1063         (checkPlan):
1064         (runWasmTests):
1065         * wasm/WasmB3IRGenerator.cpp:
1066         (JSC::Wasm::parseAndCompile):
1067         * wasm/WasmFunctionParser.h:
1068         (JSC::Wasm::FunctionParser<Context>::parse):
1069         (JSC::Wasm::FunctionParser<Context>::parseBody):
1070         (JSC::Wasm::FunctionParser<Context>::parseBlock): Deleted.
1071         * wasm/WasmModuleParser.cpp:
1072         (JSC::Wasm::ModuleParser::parseMemory):
1073         (JSC::Wasm::ModuleParser::parseExport):
1074         * wasm/WasmPlan.cpp:
1075         (JSC::Wasm::Plan::Plan):
1076         (JSC::Wasm::Plan::run):
1077         * wasm/WasmPlan.h:
1078         * wasm/js/WebAssemblyModuleConstructor.cpp:
1079         (JSC::constructJSWebAssemblyModule):
1080
1081 2016-11-11  Saam Barati  <sbarati@apple.com>
1082
1083         Unreviewed try to fix windows build after https://bugs.webkit.org/show_bug.cgi?id=164650
1084
1085         * dfg/DFGByteCodeParser.cpp:
1086         (JSC::DFG::ByteCodeParser::parseBlock):
1087
1088 2016-11-11  Saam Barati  <sbarati@apple.com>
1089
1090         We recursively grab a lock in the DFGBytecodeParser causing us to deadlock
1091         https://bugs.webkit.org/show_bug.cgi?id=164650
1092
1093         Reviewed by Geoffrey Garen.
1094
1095         Some code was incorrectly holding a lock when recursively calling
1096         back into the bytecode parser via inlining a put_by_val as a put_by_id.
1097         This can cause a deadlock if the inlinee CodeBlock is something we're
1098         already holding a lock for. I've changed the range of the lock holder
1099         to be as narrow as possible.
1100
1101         * dfg/DFGByteCodeParser.cpp:
1102         (JSC::DFG::ByteCodeParser::parseBlock):
1103
1104 2016-11-11  Chris Dumez  <cdumez@apple.com>
1105
1106         Unreviewed, rolling out r208584.
1107
1108         Seems to have regressed Speedometer by 1% on Mac
1109
1110         Reverted changeset:
1111
1112         "We should have a more concise way of determining when we're
1113         varargs calling a function using rest parameters"
1114         https://bugs.webkit.org/show_bug.cgi?id=164258
1115         http://trac.webkit.org/changeset/208584
1116
1117 2016-11-11  Chris Dumez  <cdumez@apple.com>
1118
1119         Unreviewed, rolling out r208117 and r208160.
1120
1121         Regressed Speedometer by >1.5%
1122
1123         Reverted changesets:
1124
1125         "We should have a way of profiling when a get_by_id is pure
1126         and to emit a PureGetById in the DFG/FTL"
1127         https://bugs.webkit.org/show_bug.cgi?id=163305
1128         http://trac.webkit.org/changeset/208117
1129
1130         "Debug JSC test microbenchmarks/pure-get-by-id-cse-2.js timing
1131         out"
1132         https://bugs.webkit.org/show_bug.cgi?id=164227
1133         http://trac.webkit.org/changeset/208160
1134
1135 2016-11-11  Saam Barati  <sbarati@apple.com>
1136
1137         We should have a more concise way of determining when we're varargs calling a function using rest parameters
1138         https://bugs.webkit.org/show_bug.cgi?id=164258
1139
1140         Reviewed by Yusuke Suzuki.
1141
1142         This patch adds two new bytecodes and DFG nodes for the following code patterns:
1143
1144         ```
1145         foo(a, b, ...c)
1146         let x = [a, b, ...c];
1147         ```
1148
1149         To do this, I've introduced two new bytecode operations (and their
1150         corresponding DFG nodes):
1151
1152         op_spread and op_new_array_with_spread.
1153
1154         op_spread takes a single input and performs the ES6 iteration protocol on it.
1155         It returns the result of doing the spread inside a new class I've
1156         made called JSFixedArray. JSFixedArray is a cell with a single 'size'
1157         field and a buffer of values allocated inline in the cell. Abstracting
1158         the protocol into a single node is good because it will make IR analysis
1159         in the future much simpler. For now, it's also good because it allows
1160         us to create fast paths for array iteration (which is quite common).
1161         This fast path allows us to emit really good code for array iteration
1162         inside the DFG/FTL.
1163
1164         op_new_array_with_spread is a variable argument bytecode that also
1165         has a bit vector associated with it. The bit vector indicates if
1166         any particular argument is to be spread or not. Arguments that
1167         are spread are known to be JSFixedArray because we must emit an
1168         op_spread before op_new_array_with_spread consumes the value.
1169         For example, for this array:
1170         [a, b, ...c, d, ...e]
1171         we will have this bit vector:
1172         [0, 0, 1, 0, 1]
1173
1174         The reason I've chosen this IR is that it will make eliminating
1175         a rest allocation for this type of code much easier:
1176
1177         ```
1178         function foo(...args) {
1179             return bar(a, b, ...args);
1180         }
1181         ```
1182
1183         It will be easier to analyze the IR now that the operations
1184         will be described at a high level.
1185
1186         This patch is an ~8% speedup on ES6SampleBench on my MBP.
1187
1188         * CMakeLists.txt:
1189         * DerivedSources.make:
1190         * JavaScriptCore.xcodeproj/project.pbxproj:
1191         * builtins/IteratorHelpers.js: Added.
1192         (performIteration):
1193         * bytecode/BytecodeList.json:
1194         * bytecode/BytecodeUseDef.h:
1195         (JSC::computeUsesForBytecodeOffset):
1196         (JSC::computeDefsForBytecodeOffset):
1197         * bytecode/CodeBlock.cpp:
1198         (JSC::CodeBlock::dumpBytecode):
1199         * bytecode/ObjectPropertyConditionSet.cpp:
1200         (JSC::generateConditionForSelfEquivalence):
1201         * bytecode/ObjectPropertyConditionSet.h:
1202         * bytecode/TrackedReferences.cpp:
1203         (JSC::TrackedReferences::check):
1204         * bytecode/UnlinkedCodeBlock.h:
1205         (JSC::UnlinkedCodeBlock::bitVectors):
1206         (JSC::UnlinkedCodeBlock::bitVector):
1207         (JSC::UnlinkedCodeBlock::addBitVector):
1208         (JSC::UnlinkedCodeBlock::shrinkToFit):
1209         * bytecompiler/BytecodeGenerator.cpp:
1210         (JSC::BytecodeGenerator::emitNewArrayWithSpread):
1211         * bytecompiler/BytecodeGenerator.h:
1212         * bytecompiler/NodesCodegen.cpp:
1213         (JSC::ArrayNode::emitBytecode):
1214         * dfg/DFGAbstractInterpreterInlines.h:
1215         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1216         * dfg/DFGByteCodeParser.cpp:
1217         (JSC::DFG::ByteCodeParser::addToGraph):
1218         (JSC::DFG::ByteCodeParser::parseBlock):
1219         * dfg/DFGCapabilities.cpp:
1220         (JSC::DFG::capabilityLevel):
1221         * dfg/DFGClobberize.h:
1222         (JSC::DFG::clobberize):
1223         * dfg/DFGDoesGC.cpp:
1224         (JSC::DFG::doesGC):
1225         * dfg/DFGFixupPhase.cpp:
1226         (JSC::DFG::FixupPhase::fixupNode):
1227         (JSC::DFG::FixupPhase::watchHavingABadTime):
1228         * dfg/DFGGraph.h:
1229         (JSC::DFG::Graph::isWatchingArrayIteratorProtocolWatchpoint):
1230         * dfg/DFGNode.h:
1231         (JSC::DFG::Node::bitVector):
1232         * dfg/DFGNodeType.h:
1233         * dfg/DFGOperations.cpp:
1234         * dfg/DFGOperations.h:
1235         * dfg/DFGPredictionPropagationPhase.cpp:
1236         * dfg/DFGSafeToExecute.h:
1237         (JSC::DFG::safeToExecute):
1238         * dfg/DFGSpeculativeJIT.cpp:
1239         (JSC::DFG::SpeculativeJIT::compileSpread):
1240         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
1241         * dfg/DFGSpeculativeJIT.h:
1242         (JSC::DFG::SpeculativeJIT::callOperation):
1243         * dfg/DFGSpeculativeJIT32_64.cpp:
1244         (JSC::DFG::SpeculativeJIT::compile):
1245         * dfg/DFGSpeculativeJIT64.cpp:
1246         (JSC::DFG::SpeculativeJIT::compile):
1247         * dfg/DFGStructureRegistrationPhase.cpp:
1248         (JSC::DFG::StructureRegistrationPhase::run):
1249         * ftl/FTLAbstractHeapRepository.h:
1250         * ftl/FTLCapabilities.cpp:
1251         (JSC::FTL::canCompile):
1252         * ftl/FTLLowerDFGToB3.cpp:
1253         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1254         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
1255         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
1256         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
1257         * jit/AssemblyHelpers.h:
1258         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
1259         (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
1260         * jit/JIT.cpp:
1261         (JSC::JIT::privateCompileMainPass):
1262         * jit/JIT.h:
1263         * jit/JITOpcodes.cpp:
1264         (JSC::JIT::emit_op_new_array_with_spread):
1265         (JSC::JIT::emit_op_spread):
1266         * jit/JITOperations.h:
1267         * llint/LLIntData.cpp:
1268         (JSC::LLInt::Data::performAssertions):
1269         * llint/LLIntSlowPaths.cpp:
1270         * llint/LowLevelInterpreter.asm:
1271         * runtime/ArrayIteratorAdaptiveWatchpoint.cpp: Added.
1272         (JSC::ArrayIteratorAdaptiveWatchpoint::ArrayIteratorAdaptiveWatchpoint):
1273         (JSC::ArrayIteratorAdaptiveWatchpoint::handleFire):
1274         * runtime/ArrayIteratorAdaptiveWatchpoint.h: Added.
1275         * runtime/CommonSlowPaths.cpp:
1276         (JSC::SLOW_PATH_DECL):
1277         * runtime/CommonSlowPaths.h:
1278         * runtime/IteratorOperations.h:
1279         (JSC::forEachInIterable):
1280         * runtime/JSCInlines.h:
1281         * runtime/JSFixedArray.cpp: Added.
1282         (JSC::JSFixedArray::visitChildren):
1283         * runtime/JSFixedArray.h: Added.
1284         (JSC::JSFixedArray::createStructure):
1285         (JSC::JSFixedArray::createFromArray):
1286         (JSC::JSFixedArray::get):
1287         (JSC::JSFixedArray::buffer):
1288         (JSC::JSFixedArray::size):
1289         (JSC::JSFixedArray::offsetOfSize):
1290         (JSC::JSFixedArray::offsetOfData):
1291         (JSC::JSFixedArray::create):
1292         (JSC::JSFixedArray::JSFixedArray):
1293         (JSC::JSFixedArray::allocationSize):
1294         * runtime/JSGlobalObject.cpp:
1295         (JSC::JSGlobalObject::JSGlobalObject):
1296         (JSC::JSGlobalObject::init):
1297         (JSC::JSGlobalObject::visitChildren):
1298         (JSC::JSGlobalObject::objectPrototypeIsSane): Deleted.
1299         (JSC::JSGlobalObject::arrayPrototypeChainIsSane): Deleted.
1300         (JSC::JSGlobalObject::stringPrototypeChainIsSane): Deleted.
1301         * runtime/JSGlobalObject.h:
1302         (JSC::JSGlobalObject::arrayIteratorProtocolWatchpoint):
1303         (JSC::JSGlobalObject::iteratorProtocolFunction):
1304         * runtime/JSGlobalObjectInlines.h: Added.
1305         (JSC::JSGlobalObject::objectPrototypeIsSane):
1306         (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
1307         (JSC::JSGlobalObject::stringPrototypeChainIsSane):
1308         (JSC::JSGlobalObject::isArrayIteratorProtocolFastAndNonObservable):
1309         * runtime/JSType.h:
1310         * runtime/VM.cpp:
1311         (JSC::VM::VM):
1312         * runtime/VM.h:
1313
1314 2016-11-10  JF Bastien  <jfbastien@apple.com>
1315
1316         ASSERTION FAILED: length > offset encountered with wasm.yaml/wasm/js-api/test_Module.js.default-wasm
1317         https://bugs.webkit.org/show_bug.cgi?id=164597
1318
1319         Reviewed by Keith Miller.
1320
1321         * wasm/WasmParser.h:
1322         (JSC::Wasm::Parser::parseVarUInt32): move closer to other parsers
1323         (JSC::Wasm::Parser::parseVarUInt64): move closer to other parsers
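
The assertion in this entry's title is the parser's precondition that a read must start strictly before the end of the buffer (`length > offset`). As an added illustration, not JSC's WasmParser code, here is a bounds-checked varuint32 (unsigned LEB128) decoder of the kind a parseVarUInt32 has to be: it returns a failure value instead of asserting, because truncated or overlong input is a normal outcome for an untrusted module, not a programming error. The `countIsPlausible` helper is an assumption of mine, not a JSC function; it shows the structural check a parser should apply before reserving storage for a count read from the module, the concern behind the tryReserveCapacity change in the "implement more sections" entry further down this log.

```cpp
#include <cstddef>
#include <cstdint>
#include <initializer_list>
#include <vector>

// Result of a decode attempt. Failing is a normal outcome for untrusted
// input, so no exceptions and no assertions on the data itself.
struct VarUInt32Result {
    bool ok;
    uint32_t value;
    size_t bytesConsumed;
};

// Decode an unsigned LEB128 value of at most 32 bits starting at `offset`
// in `data`. Checks, in order: the read starts inside the buffer (the
// `length > offset` invariant), no byte runs past the end, at most 5 bytes
// are used, and the 5th byte carries no bits beyond bit 31 (an overlong or
// out-of-range encoding).
static VarUInt32Result parseVarUInt32(const std::vector<uint8_t>& data, size_t offset)
{
    const size_t length = data.size();
    uint32_t result = 0;
    unsigned shift = 0;
    size_t consumed = 0;
    // Hard cap of 5 bytes (ceil(32 / 7)); without it a run of 0x80 bytes
    // would keep the loop reading until the buffer ends.
    for (size_t i = 0; i < 5; ++i) {
        if (offset + consumed >= length)
            return { false, 0, 0 }; // truncated: read would start at or past the end
        uint8_t byte = data[offset + consumed];
        ++consumed;
        uint32_t payload = byte & 0x7f;
        if (i == 4 && (payload & 0x70))
            return { false, 0, 0 }; // only 4 payload bits fit in byte 5
        result |= payload << shift;
        if (!(byte & 0x80))
            return { true, result, consumed };
        shift += 7;
    }
    return { false, 0, 0 }; // continuation bit still set after 5 bytes
}

// Constructed-input convenience: decode from a byte list literal.
static VarUInt32Result decodeBytes(std::initializer_list<uint8_t> bytes, size_t offset = 0)
{
    return parseVarUInt32(std::vector<uint8_t>(bytes), offset);
}

// Hypothetical helper (not JSC): a count read from the module (number of
// functions, imports, ...) is typically used to reserve a vector. Even a
// well-formed count can be absurd, so bound it by what the remaining bytes
// could possibly hold, given that every entry occupies at least
// `minEntrySize` bytes. Never let the length field alone size an allocation.
static bool countIsPlausible(uint32_t count, size_t offsetAfterCount, size_t length, size_t minEntrySize)
{
    if (offsetAfterCount > length)
        return false;
    size_t remaining = length - offsetAfterCount;
    return static_cast<uint64_t>(count) * minEntrySize <= remaining;
}
```

The 5-byte cap and the payload check on the last byte are what keep a malicious module from driving the loop to the end of the buffer or from smuggling a 33-bit value through a 32-bit field; the plausibility check keeps a single varuint from turning into a multi-gigabyte reserve.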
1324
1325 2016-11-10  Joseph Pecoraro  <pecoraro@apple.com>
1326
1327         test262: DataView / TypedArray methods should throw RangeErrors for negative numbers (ToIndex)
1328         https://bugs.webkit.org/show_bug.cgi?id=164450
1329
1330         Reviewed by Darin Adler.
1331
1332         * runtime/JSCJSValue.h:
1333         * runtime/JSCJSValueInlines.h:
1334         (JSC::JSValue::toIndex):
1335         Introduce a method for toIndex, which is used by DataView and TypedArrays
1336         to convert an argument to a number with the possibility of throwing
1337         RangeErrors for negative values. We also throw RangeErrors for large
1338         values, because wherever this is used we expect an unsigned.
1339
1340         * runtime/JSArrayBufferConstructor.cpp:
1341         (JSC::constructArrayBuffer):
1342         * runtime/JSDataViewPrototype.cpp:
1343         (JSC::getData):
1344         (JSC::setData):
1345         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1346         (JSC::constructGenericTypedArrayViewWithArguments):
1347         (JSC::constructGenericTypedArrayView):
1348         Use toIndex instead of toUint32 where required.
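
The ToIndex conversion this entry introduces, written out as a stand-alone C++ example. This is added here for illustration and is not JSC's JSValue::toIndex: it takes a double that has already been through ToNumber (the JSValue side is out of scope), and uses a small IndexRangeError type of my own in place of JSC's RangeError throwing. The `offsetFitsInView` helper is likewise an assumption, showing the separate bounds check a DataView getter still needs after ToIndex succeeds.

```cpp
#include <cmath>
#include <cstdint>
#include <limits>
#include <stdexcept>

// Stand-in for the RangeError that JSC throws; not a JSC type.
struct IndexRangeError : std::range_error {
    using std::range_error::range_error;
};

// ECMAScript ToInteger on a number that has already been through ToNumber:
// NaN becomes 0, +/-Infinity pass through, otherwise the value is truncated
// toward zero (this is what makes -0.5 fold to -0, which then counts as 0).
static double toIntegerOrInfinity(double number)
{
    if (std::isnan(number))
        return 0;
    if (std::isinf(number))
        return number;
    return std::trunc(number);
}

// ToIndex(value) per ES2017 7.1.15, on the numeric value: negative values
// and values above 2^53 - 1 are a RangeError, everything else is the
// integer-valued result. Returning uint64_t makes the "we expect an
// unsigned" contract from the ChangeLog explicit in the type, so a caller
// can no longer feed a wrapped-around negative into an offset computation.
static uint64_t toIndex(double value)
{
    const double maxSafeInteger = 9007199254740991.0; // 2^53 - 1
    double integerIndex = toIntegerOrInfinity(value);
    if (integerIndex < 0)
        throw IndexRangeError("index is negative");
    if (integerIndex > maxSafeInteger)
        throw IndexRangeError("index exceeds 2^53 - 1");
    return static_cast<uint64_t>(integerIndex);
}

// What a DataView getter does after ToIndex: the offset plus the element
// size must also fit in the view. Kept separate because ToIndex itself
// knows nothing about buffer sizes. Written as subtraction so it cannot
// overflow; returns false instead of throwing so callers choose the error.
static bool offsetFitsInView(uint64_t byteOffset, uint64_t elementSize, uint64_t viewLength)
{
    return elementSize <= viewLength && byteOffset <= viewLength - elementSize;
}

// Reports whether toIndex rejects a given input.
static bool toIndexThrows(double value)
{
    try {
        (void)toIndex(value);
        return false;
    } catch (const IndexRangeError&) {
        return true;
    }
}
```

Note that the old toUint32 path would have turned -1 into 4294967295 silently; the RangeError on negatives is what closes that hole, and the upper bound is what keeps a huge double from being truncated into a plausible-looking small index.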
1349
1350 2016-11-10  Mark Lam  <mark.lam@apple.com>
1351
1352         A few bits of minor code clean up.
1353         https://bugs.webkit.org/show_bug.cgi?id=164523
1354
1355         Reviewed by Yusuke Suzuki.
1356
1357         * interpreter/StackVisitor.cpp:
1358         (JSC::StackVisitor::Frame::dump):
1359         - Insert a space to make the dump more legible.
1360
1361         * runtime/Options.h:
1362         - Fixed some typos.
1363
1364         * runtime/StringPrototype.cpp:
1365         (JSC::stringProtoFuncReplaceUsingRegExp):
1366         (JSC::stringProtoFuncReplaceUsingStringSearch):
1367         - Use the VM& that is already available.
1368
1369 2016-11-10  Mark Lam  <mark.lam@apple.com>
1370
1371         Graph::methodOfGettingAValueProfileFor() should be returning the profile for the operand node.
1372         https://bugs.webkit.org/show_bug.cgi?id=164600
1373         <rdar://problem/28828676>
1374
1375         Reviewed by Filip Pizlo.
1376
1377         Currently, Graph::methodOfGettingAValueProfileFor() assumes that the operand DFG
1378         node that it is provided with always has a different origin than the node that is
1379         using that operand.  For example, in a DFG graph that looks like this:
1380
1381             a: ...
1382             b: ArithAdd(@a, ...)
1383
1384         ... when emitting speculation checks on @a for the ArithAdd node at @b,
1385         Graph::methodOfGettingAValueProfileFor() is passed @a, and expects @a to
1386         originate from a different bytecode than @b.  The intent here is to get the
1387         profile for @a so that the OSR exit ramp for @b can update @a's profile with the
1388         observed result type from @a so that future type prediction on incoming args for
1389         the ArithAdd node can take this into consideration.
1390
1391         However, op_negate can be compiled into the following series of nodes:
1392
1393             a: ...
1394             b: BooleanToNumber(@a)
1395             c: DoubleRep(@b)
1396             d: ArithNegate(@c)
1397
1398         All 3 nodes @b, @c, and @d map to the same op_negate bytecode, i.e. they have the
1399         same origin.  When the speculativeJIT emits a speculationCheck for DoubleRep, it
1400         calls Graph::methodOfGettingAValueProfileFor() to get the ArithProfile for the
1401         BooleanToNumber node.  But because all 3 nodes have the same origin,
1402         Graph::methodOfGettingAValueProfileFor() erroneously returns the ArithProfile for
1403         the op_negate.  Subsequently, the OSR exit ramp will modify the ArithProfile of
1404         the op_negate and corrupt its profile.  Instead, what the OSR exit ramp should be
1405         doing is update the ArithProfile of op_negate's operand i.e. BooleanToNumber's
1406         operand @a in this case.
1407
1408         The fix is to always pass the current node we're generating code for (in addition
1409         to the operand node) to Graph::methodOfGettingAValueProfileFor().  This way, we
1410         know the profile is valid if and only if the current node and its operand node
1411         do not have the same origin.
1412
1413         In this patch, we also fixed the following:
1414         1. Teach Graph::methodOfGettingAValueProfileFor() to get the profile for
1415            BooleanToNumber's operand if the operand node it is given is BooleanToNumber.
1416         2. Change JITCompiler::appendExceptionHandlingOSRExit() to explicitly pass an
1417            empty MethodOfGettingAValueProfile().  It was implicitly doing this before.
1418         3. Change SpeculativeJIT::emitInvalidationPoint() to pass an empty
1419            MethodOfGettingAValueProfile().  It has no child node.  Hence, it doesn't
1420            make sense to call Graph::methodOfGettingAValueProfileFor() for a child node
1421            that does not exist.
1422
1423         * dfg/DFGGraph.cpp:
1424         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
1425         * dfg/DFGGraph.h:
1426         * dfg/DFGJITCompiler.cpp:
1427         (JSC::DFG::JITCompiler::appendExceptionHandlingOSRExit):
1428         * dfg/DFGSpeculativeJIT.cpp:
1429         (JSC::DFG::SpeculativeJIT::speculationCheck):
1430         (JSC::DFG::SpeculativeJIT::emitInvalidationPoint):
1431         * ftl/FTLLowerDFGToB3.cpp:
1432         (JSC::FTL::DFG::LowerDFGToB3::appendOSRExitDescriptor):
1433
1434 2016-11-10  Aaron Chu  <aaron_chu@apple.com>
1435
1436         Web Inspector: AXI: clarify button roles (e.g. toggle or popup button)
1437         https://bugs.webkit.org/show_bug.cgi?id=130726
1438         <rdar://problem/16420420>
1439
1440         Reviewed by Brian Burg.
1441
1442         Add the isPopupButton flag to the AccessibilityProperties type.
1443
1444         * inspector/protocol/DOM.json:
1445
1446 2016-11-10  Csaba Osztrogonác  <ossy@webkit.org>
1447
1448         [ARM] Unreviewed buildfix after r208450.
1449
1450         * assembler/MacroAssemblerARM.h:
1451         (JSC::MacroAssemblerARM::load8SignedExtendTo32): Added.
1452
1453 2016-11-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1454
1455         [JSC] Avoid cloned arguments allocation in ArrayPrototype methods
1456         https://bugs.webkit.org/show_bug.cgi?id=164502
1457
1458         Reviewed by Saam Barati.
1459
1460         In many builtin functions, we use `arguments` to just get optional parameters.
1461         While FTL argument elimination can drop `arguments` allocations, it leaves
1462         the allocations in LLInt, Baseline, and DFG. And we found that DFG compiled
1463         Array#map is heavily used in ES6SampleBench/Basic. And it always creates
1464         a meaningless ClonedArguments.
1465
1466         Using ES6 default parameter here is not a solution. It increases the number
1467         of parameters of the CodeBlock (not `function.length`). And the optional
1468         parameters in Array.prototype.xxx methods are not typically passed. For
1469         example, we typically do not pass `thisArg` to `Array.prototype.map` function.
1470         In this case, the arity check frequently fails. It requires the additional C
1471         call to fixup arguments and it becomes pure overhead.
1472
1473         To solve this problem, this patch introduces a new bytecode intrinsic @argument().
1474         This offers the way to retrieve the argument value without increasing the
1475         arity of the function. And if the argument is not passed (out of bounds), it
1476         just returns `undefined`. The semantics of this intrinsic are the same as the C++
1477         ExecState::argument(). This operation does not require `arguments` object. And we
1478         can drop the `argument` references even in lower 3 tiers.
1479
1480         We implement op_get_argument for this intrinsic. And later this will be converted
1481         to a DFG GetArgument node. All the tiers handle this feature.
1482
1483         This patch improves ES6SampleBench/Basic 13.8% in steady state. And in summary,
1484         it improves 4.5%.
1485
1486         In the future, we can improve the implementation of the default parameters.
1487         Currently, the default parameter always increases the arity of the function. So
1488         if you do not pass the argument, the arity check fails. But since it is the default
1489         parameter, it is likely that we don't pass the argument. Using op_get_argument to
1490         implement the default parameter can decrease the case in which the arity check
1491         frequently fails. And it can change the builtin implementation to use the ES6
1492         default parameters instead of using the special @argument() intrinsic in the future.
1493         And at that case, the user code also receives the benefit.
1494
1495         ES6SampleBench/Basic.
1496             Baseline:
1497                 Running... Basic ( 1  to go)
1498                 firstIteration:     39.38 ms +- 4.48 ms
1499                 averageWorstCase:   20.79 ms +- 0.96 ms
1500                 steadyState:        1959.22 ms +- 65.55 ms
1501
1502             Patched:
1503                 Running... Basic ( 1  to go)
1504                 firstIteration:     37.85 ms +- 4.09 ms
1505                 averageWorstCase:   18.60 ms +- 0.76 ms
1506                 steadyState:        1721.89 ms +- 57.58 ms
1507
1508         All summary.
1509             Baseline:
1510                 summary:            164.34 ms +- 5.01 ms
1511             Patched:
1512                 summary:            157.26 ms +- 5.96 ms
1513
1514         * builtins/ArrayConstructor.js:
1515         * builtins/ArrayPrototype.js:
1516         (reduce):
1517         (reduceRight):
1518         (every):
1519         (forEach):
1520         (filter):
1521         (map):
1522         (some):
1523         (fill):
1524         (find):
1525         (findIndex):
1526         (includes):
1527         (copyWithin):
1528         * builtins/DatePrototype.js:
1529         (toLocaleString):
1530         (toLocaleDateString):
1531         (toLocaleTimeString):
1532         * builtins/MapPrototype.js:
1533         (forEach):
1534         * builtins/NumberPrototype.js:
1535         (toLocaleString):
1536         * builtins/SetPrototype.js:
1537         (forEach):
1538         * builtins/StringPrototype.js:
1539         (padStart):
1540         (padEnd):
1541         (localeCompare):
1542         * builtins/TypedArrayConstructor.js:
1543         * builtins/TypedArrayPrototype.js:
1544         (every):
1545         (fill):
1546         (find):
1547         (findIndex):
1548         (forEach):
1549         (some):
1550         (reduce):
1551         (reduceRight):
1552         (map):
1553         (filter):
1554         * bytecode/BytecodeIntrinsicRegistry.h:
1555         * bytecode/BytecodeList.json:
1556         * bytecode/BytecodeUseDef.h:
1557         (JSC::computeUsesForBytecodeOffset):
1558         (JSC::computeDefsForBytecodeOffset):
1559         * bytecode/CodeBlock.cpp:
1560         (JSC::CodeBlock::dumpBytecode):
1561         (JSC::CodeBlock::finishCreation):
1562         * bytecompiler/BytecodeGenerator.cpp:
1563         (JSC::BytecodeGenerator::emitGetArgument):
1564         * bytecompiler/BytecodeGenerator.h:
1565         * bytecompiler/NodesCodegen.cpp:
1566         (JSC::BytecodeIntrinsicNode::emit_intrinsic_argument):
1567         * dfg/DFGAbstractInterpreterInlines.h:
1568         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1569         * dfg/DFGByteCodeParser.cpp:
1570         (JSC::DFG::ByteCodeParser::parseBlock):
1571         * dfg/DFGCapabilities.cpp:
1572         (JSC::DFG::capabilityLevel):
1573         * dfg/DFGClobberize.h:
1574         (JSC::DFG::clobberize):
1575         * dfg/DFGDoesGC.cpp:
1576         (JSC::DFG::doesGC):
1577         * dfg/DFGFixupPhase.cpp:
1578         (JSC::DFG::FixupPhase::fixupNode):
1579         * dfg/DFGNode.h:
1580         (JSC::DFG::Node::hasHeapPrediction):
1581         (JSC::DFG::Node::hasArgumentIndex):
1582         (JSC::DFG::Node::argumentIndex):
1583         * dfg/DFGNodeType.h:
1584         * dfg/DFGPreciseLocalClobberize.h:
1585         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1586         * dfg/DFGPredictionPropagationPhase.cpp:
1587         * dfg/DFGSafeToExecute.h:
1588         (JSC::DFG::safeToExecute):
1589         * dfg/DFGSpeculativeJIT.cpp:
1590         (JSC::DFG::SpeculativeJIT::compileGetArgument):
1591         * dfg/DFGSpeculativeJIT.h:
1592         * dfg/DFGSpeculativeJIT32_64.cpp:
1593         (JSC::DFG::SpeculativeJIT::compile):
1594         * dfg/DFGSpeculativeJIT64.cpp:
1595         (JSC::DFG::SpeculativeJIT::compile):
1596         * ftl/FTLCapabilities.cpp:
1597         (JSC::FTL::canCompile):
1598         * ftl/FTLLowerDFGToB3.cpp:
1599         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1600         (JSC::FTL::DFG::LowerDFGToB3::compileGetArgument):
1601         * jit/JIT.cpp:
1602         (JSC::JIT::privateCompileMainPass):
1603         * jit/JIT.h:
1604         * jit/JITOpcodes.cpp:
1605         (JSC::JIT::emit_op_get_argument):
1606         * jit/JITOpcodes32_64.cpp:
1607         (JSC::JIT::emit_op_get_argument):
1608         * llint/LowLevelInterpreter32_64.asm:
1609         * llint/LowLevelInterpreter64.asm:
1610
1611 2016-11-08  Joseph Pecoraro  <pecoraro@apple.com>
1612
1613         Web Inspector: DebuggerManager.Event.Resumed introduces test flakiness
1614         https://bugs.webkit.org/show_bug.cgi?id=161951
1615         <rdar://problem/28295767>
1616
1617         Reviewed by Brian Burg.
1618
1619         This removes an ambiguity in the protocol when stepping through
1620         JavaScript. Previously, when paused and issuing a Debugger.step*
1621         command the frontend would always receive a Debugger.resumed event and
1622         then, maybe, a Debugger.paused event indicating we paused again (after
1623         stepping). However, this ambiguity means that the frontend needs to
1624         wait for a short period of time to determine if we really resumed
1625         or not. And even still that decision may be incorrect if the step
1626         takes a sufficiently long period of time.
1627
1628         The new approach removes this ambiguity. Now, in response to a
1629         Debugger.step* command the backend MUST send a single Debugger.paused
1630         event or Debugger.resumed event. Now the frontend knows that the
1631         next Debugger event it receives after issuing the step command is
1632         the result (stepped and paused, or stepped and resumed).
1633
1634         To make resuming consistent in all cases, a Debugger.resume command
1635         will always respond with a Debugger.resumed event.
1636
1637         Finally, Debugger.continueToLocation is treated like a "big step"
1638         in cases where we can resolve the location. If we can't resolve the
1639         location it is treated as a resume, maintaining the old behavior.
1640
1641         * inspector/agents/InspectorDebuggerAgent.h:
1642         * inspector/agents/InspectorDebuggerAgent.cpp:
1643         (Inspector::InspectorDebuggerAgent::stepOver):
1644         (Inspector::InspectorDebuggerAgent::stepInto):
1645         (Inspector::InspectorDebuggerAgent::stepOut):
1646         (Inspector::InspectorDebuggerAgent::willStepAndMayBecomeIdle):
1647         (Inspector::InspectorDebuggerAgent::didBecomeIdleAfterStepping):
1648         When stepping register a VM exit observer so that we can issue
1649         a Debugger.resumed event if the step caused us to exit the VM.
1650
1651         (Inspector::InspectorDebuggerAgent::resume):
1652         Set a flag to issue a Debugger.resumed event once we break out
1653         of the nested run loop.
1654
1655         (Inspector::InspectorDebuggerAgent::didPause):
1656         We are issuing Debugger.paused so clear the state to indicate that
1657         we no longer need to issue Debugger.resumed event, we have paused.
1658
1659         (Inspector::InspectorDebuggerAgent::didContinue):
1660         Only issue the Debugger.resumed event if needed (explicitly asked
1661         to resume).
1662
1663         (Inspector::InspectorDebuggerAgent::continueToLocation):
1664         (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
1665         All places that do continueProgram should be audited. In error cases,
1666         if we are paused and continue we should remember to send Debugger.resumed.
1667
1668         * inspector/protocol/Debugger.json:
1669         Clarify in the protocol description the contract of these methods.
1670
1671 2016-11-09  Joseph Pecoraro  <pecoraro@apple.com>
1672
1673         Web Inspector: Associate Worker Resources with the Worker and not the Page
1674         https://bugs.webkit.org/show_bug.cgi?id=164342
1675         <rdar://problem/29075775>
1676
1677         Reviewed by Timothy Hatcher.
1678
1679         * inspector/protocol/Network.json:
1680         * inspector/protocol/Page.json:
1681         Associate Resource data with a target.
1682
1683 2016-11-09  Keith Miller  <keith_miller@apple.com>
1684
1685         jsc CLI should work with the remote inspector
1686         https://bugs.webkit.org/show_bug.cgi?id=164569
1687
1688         Reviewed by Joseph Pecoraro.
1689
1690         This patch enables using the remote inspector on the jsc CLI.
1691         In order to use the remote inspector, jsc users need to pass an option.
1692
1693         * jsc.cpp:
1694         (CommandLine::parseArguments):
1695         (runJSC):
1696
1697 2016-11-09  Saam Barati  <sbarati@apple.com>
1698
1699         Math.min()/Math.max() with no arguments is lowered incorrectly in the BytecodeParser
1700         https://bugs.webkit.org/show_bug.cgi?id=164464
1701         <rdar://problem/29131452>
1702
1703         Reviewed by Darin Adler.
1704
1705         We were incorrectly matching this pattern inside the bytecode parser
1706         to return NaN. Instead, we must return:
1707           Infinity for Math.min()
1708          -Infinity for Math.max()
1709
1710         * dfg/DFGByteCodeParser.cpp:
1711         (JSC::DFG::ByteCodeParser::handleMinMax):
1712
1713 2016-11-09  Saam Barati  <sbarati@apple.com>
1714
1715         TypeProfiler and running GC collection on another thread don't play nicely with each other
1716         https://bugs.webkit.org/show_bug.cgi?id=164441
1717         <rdar://problem/29132174>
1718
1719         Reviewed by Geoffrey Garen.
1720
1721         This fix here is simple: we now treat the type profiler log as a GC root.
1722         GC will make sure that we mark any values/structures that are in the log.
1723         It's easy to reason about the correctness of this, and it also solves
1724         the problem that we were clearing the log on the GC thread. Clearing the
1725         log on the GC thread was a problem because when we clear the log, we may
1726         allocate, which we're not allowed to do from the GC thread.
1727
1728         * heap/Heap.cpp:
1729         (JSC::Heap::markRoots):
1730         (JSC::Heap::visitTypeProfiler):
1731         (JSC::Heap::collectInThread):
1732         * heap/Heap.h:
1733         * runtime/TypeProfilerLog.cpp:
1734         (JSC::TypeProfilerLog::processLogEntries):
1735         (JSC::TypeProfilerLog::visit):
1736         * runtime/TypeProfilerLog.h:
1737
1738 2016-11-09  JF Bastien  <jfbastien@apple.com>
1739
1740         WebAssembly: Silence noisy warning
1741         https://bugs.webkit.org/show_bug.cgi?id=164459
1742
1743         Reviewed by Yusuke Suzuki.
1744
1745         * wasm/WasmPlan.cpp:
1746         (JSC::Wasm::Plan::Plan):
1747
1748 2016-11-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1749
1750         [JSC] The implementation of 8 bit operation in MacroAssembler should care about uint8_t / int8_t
1751         https://bugs.webkit.org/show_bug.cgi?id=164432
1752
1753         Reviewed by Michael Saboff.
1754
1755         Except for X86, our supported MacroAssemblers do not have native 8bit instructions.
1756         It means that all the 8bit instructions are converted to 32bit operations by using
1757         scratch registers. For example, ARM64 branch8 implementation is the following.
1758
1759             Jump branch8(RelationalCondition cond, Address left, TrustedImm32 right)
1760             {
1761                 TrustedImm32 right8(static_cast<int8_t>(right.m_value));
1762                 load8(left, getCachedMemoryTempRegisterIDAndInvalidate());
1763                 return branch32(cond, memoryTempRegister, right8);
1764             }
1765
1766         The problem is that we exclusively use zero-extended load instruction (load8). Even
1767         for signed RelationConditions, we do not perform sign extension. It makes signed
1768         operations with negative numbers incorrect! Consider the |left| address holds `-1`
1769         in int8_t form. However load8 will load it as 255 into 32bit register. On the other hand,
1770         |right| will be sign extended. If you pass 0 as |right| and LessThan condition, this
1771         branch8 should jump based on the answer of `-1 < 0`. But the current MacroAssembler
1772         performs `255 < 0` in int32_t context and returns the incorrect result.
1773
1774         We should follow the x86 model. So we should select the appropriate load operation and masking
1775         operation based on the RelationCondition. This patch introduces mask8OnCondition and load8OnCondition.
1776         And we use them in 8bit operations including branch8, branchTest8, compare8, and test8.
1777
1778         We intentionally do not change anything on x86 assembler since it has the native signed 8bit operations.
1779
1780         * JavaScriptCore.xcodeproj/project.pbxproj:
1781         * assembler/AbstractMacroAssembler.h:
1782         * assembler/MacroAssembler.h:
1783         (JSC::MacroAssembler::isSigned):
1784         (JSC::MacroAssembler::isUnsigned):
1785         (JSC::MacroAssembler::branchTest8):
1786         * assembler/MacroAssemblerARM.h:
1787         (JSC::MacroAssemblerARM::branch8):
1788         (JSC::MacroAssemblerARM::branchTest8):
1789         (JSC::MacroAssemblerARM::compare8):
1790         (JSC::MacroAssemblerARM::test8):
1791         * assembler/MacroAssemblerARM64.h:
1792         (JSC::MacroAssemblerARM64::load8SignedExtendTo32):
1793         (JSC::MacroAssemblerARM64::branch8):
1794         (JSC::MacroAssemblerARM64::branchTest8):
1795         (JSC::MacroAssemblerARM64::compare8):
1796         (JSC::MacroAssemblerARM64::test8):
1797         * assembler/MacroAssemblerARMv7.h:
1798         (JSC::MacroAssemblerARMv7::branch8):
1799         (JSC::MacroAssemblerARMv7::branchTest8):
1800         (JSC::MacroAssemblerARMv7::compare8):
1801         (JSC::MacroAssemblerARMv7::test8):
1802         * assembler/MacroAssemblerHelpers.h: Added.
1803         (JSC::MacroAssemblerHelpers::isSigned):
1804         (JSC::MacroAssemblerHelpers::isUnsigned):
1805         (JSC::MacroAssemblerHelpers::mask8OnCondition):
1806         (JSC::MacroAssemblerHelpers::load8OnCondition):
1807         * assembler/MacroAssemblerMIPS.h:
1808         (JSC::MacroAssemblerMIPS::branch8):
1809         (JSC::MacroAssemblerMIPS::compare8):
1810         (JSC::MacroAssemblerMIPS::branchTest8):
1811         (JSC::MacroAssemblerMIPS::test8):
1812         * assembler/MacroAssemblerSH4.h:
1813         (JSC::MacroAssemblerSH4::branchTest8):
1814         (JSC::MacroAssemblerSH4::branch8):
1815         (JSC::MacroAssemblerSH4::compare8):
1816         (JSC::MacroAssemblerSH4::test8):
1817         * assembler/MacroAssemblerX86_64.h:
1818         (JSC::MacroAssemblerX86_64::branch8):
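
The miscompare this entry describes, reproduced in plain C++ as an added example (this is not JSC's MacroAssembler code; the enumerator names mirror JSC's but the enum, the two load helpers and the `branch8Buggy` / `branch8Fixed` functions are my own). `branch8Buggy` follows the pre-fix shape quoted above: zero-extend the memory byte, sign-extend the immediate, compare as 32-bit. `branch8Fixed` follows the load8OnCondition / mask8OnCondition idea: choose the load by the signedness of the condition and mask the immediate the same way so both operands are in the same domain.

```cpp
#include <cstdint>

// Relational conditions of the kind a MacroAssembler exposes. Added
// illustration, not the JSC enum.
enum class RelationalCondition {
    Equal, NotEqual, Above, AboveOrEqual, Below, BelowOrEqual,   // unsigned
    GreaterThan, GreaterThanOrEqual, LessThan, LessThanOrEqual   // signed
};

static bool isSigned(RelationalCondition cond)
{
    switch (cond) {
    case RelationalCondition::GreaterThan:
    case RelationalCondition::GreaterThanOrEqual:
    case RelationalCondition::LessThan:
    case RelationalCondition::LessThanOrEqual:
        return true;
    default:
        return false;
    }
}

// The two loads a non-x86 backend has to choose between: a zero-extending
// byte load (ldrb on ARM64) and a sign-extending one (ldrsb).
static int32_t load8ZeroExtend(const uint8_t* address) { return static_cast<int32_t>(*address); }
static int32_t load8SignExtend(const uint8_t* address) { return static_cast<int32_t>(static_cast<int8_t>(*address)); }

// A 32-bit compare the way branch32 would do it once both operands are in
// registers; unsigned conditions reinterpret the bits, signed ones do not.
static bool compare32(RelationalCondition cond, int32_t left, int32_t right)
{
    uint32_t ul = static_cast<uint32_t>(left), ur = static_cast<uint32_t>(right);
    switch (cond) {
    case RelationalCondition::Equal: return left == right;
    case RelationalCondition::NotEqual: return left != right;
    case RelationalCondition::Above: return ul > ur;
    case RelationalCondition::AboveOrEqual: return ul >= ur;
    case RelationalCondition::Below: return ul < ur;
    case RelationalCondition::BelowOrEqual: return ul <= ur;
    case RelationalCondition::GreaterThan: return left > right;
    case RelationalCondition::GreaterThanOrEqual: return left >= right;
    case RelationalCondition::LessThan: return left < right;
    case RelationalCondition::LessThanOrEqual: return left <= right;
    }
    return false;
}

// Pre-fix shape: always zero-extend the memory operand, sign-extend the
// immediate. A byte holding -1 becomes 255, so `-1 < 0` is evaluated as
// `255 < 0`. It also breaks Equal against a negative immediate, since
// 255 is compared with -1.
static bool branch8Buggy(RelationalCondition cond, const uint8_t* left, int32_t right)
{
    int32_t right8 = static_cast<int8_t>(right);
    return compare32(cond, load8ZeroExtend(left), right8);
}

// Fixed shape: pick the load by the signedness of the condition and mask
// the immediate to the same width and signedness.
static bool branch8Fixed(RelationalCondition cond, const uint8_t* left, int32_t right)
{
    if (isSigned(cond))
        return compare32(cond, load8SignExtend(left), static_cast<int8_t>(right));
    return compare32(cond, load8ZeroExtend(left), static_cast<uint8_t>(right));
}

// Byte-value entry points so the two shapes can be compared on constructed
// inputs without setting up memory by hand.
static bool branch8BuggyOnByte(RelationalCondition cond, uint8_t byte, int32_t right)
{
    return branch8Buggy(cond, &byte, right);
}
static bool branch8FixedOnByte(RelationalCondition cond, uint8_t byte, int32_t right)
{
    return branch8Fixed(cond, &byte, right);
}
```

The cases worth checking are a byte of 0xFF (-1 as int8_t) under LessThan 0, where the buggy shape says false and the fixed one says true, and the same byte under Below or Above, where both shapes agree because the comparison is unsigned and zero extension is the right choice there.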
1819
1820 2016-11-08  Geoffrey Garen  <ggaren@apple.com>
1821
1822         REGRESSION: date-format-tofte.js is super slow
1823         https://bugs.webkit.org/show_bug.cgi?id=164499
1824
1825         Reviewed by Sam Weinig.
1826
1827         * bytecode/EvalCodeCache.h:
1828         (JSC::EvalCodeCache::CacheKey::operator==): Use character comparison,
1829         not pointer comparison. (This function was always wrong, but I started
1830         calling it in more places.)
1831
1832 2016-11-08  Saam Barati  <sbarati@apple.com>
1833
1834         REGRESSION: Crashes in StringImpl destructor during GC when clearing the HasOwnPropertyCache
1835         https://bugs.webkit.org/show_bug.cgi?id=164433
1836
1837         Reviewed by Mark Lam.
1838
1839         Clearing the HasOwnPropertyCache will call deref() on the StringImpls
1840         in the cache. We were doing this from the collector thread, which is
1841         not allowed. It must be done from the mutator thread. We now clear the
1842         cache in Heap::finalize() which happens before the mutator begins
1843         executing JS after a collection happens.
1844
1845         * heap/Heap.cpp:
1846         (JSC::Heap::collectInThread):
1847         (JSC::Heap::finalize):
1848
1849 2016-11-05  Konstantin Tokarev  <annulen@yandex.ru>
1850
1851         Fixed compilation of LLInt with MinGW
1852         https://bugs.webkit.org/show_bug.cgi?id=164449
1853
1854         Reviewed by Michael Catanzaro.
1855
1856         MinGW uses LLIntAssembly.h with GNU assembler syntax, just like GCC on
1857         other platforms.
1858
1859         * llint/LowLevelInterpreter.cpp: Include LLIntAssembly.h with
1860         appropriate preamble.
1861
1862 2016-11-04  Filip Pizlo  <fpizlo@apple.com>
1863
1864         WTF::ParkingLot should stop using std::chrono because std::chrono::duration casts are prone to overflows
1865         https://bugs.webkit.org/show_bug.cgi?id=152045
1866
1867         Reviewed by Andy Estes.
1868         
1869         Probably the nicest example of why this patch is a good idea is the change in
1870         AtomicsObject.cpp.
1871
1872         * jit/ICStats.cpp:
1873         (JSC::ICStats::ICStats):
1874         * runtime/AtomicsObject.cpp:
1875         (JSC::atomicsFuncWait):
1876
1877 2016-11-04  JF Bastien  <jfbastien@apple.com>
1878
1879         testWASM should be very sad if no options are provided
1880         https://bugs.webkit.org/show_bug.cgi?id=164444
1881
1882         Reviewed by Saam Barati.
1883
1884         Detect missing or invalid options on the command line.
1885
1886         * testWasm.cpp:
1887         (CommandLine::parseArguments):
1888
1889 2016-11-04  Mark Lam  <mark.lam@apple.com>
1890
1891         Error description code should be able to handle Symbol values.
1892         https://bugs.webkit.org/show_bug.cgi?id=164436
1893         <rdar://problem/29115583>
1894
1895         Reviewed by Filip Pizlo and Saam Barati.
1896
1897         Previously, we tried to toString() the Symbol value, resulting in it throwing an
1898         exception in errorDescriptionForValue() which breaks the invariant that
1899         errorDescriptionForValue() should not throw.
1900
1901         We fixed this by making errorDescriptionForValue() aware of the Symbol type, and
1902         not do a toString() on Symbol values.  Also fixed notAFunctionSourceAppender()
1903         to build a nicer message for Symbol values.
1904
1905         * runtime/ExceptionHelpers.cpp:
1906         (JSC::errorDescriptionForValue):
1907         (JSC::notAFunctionSourceAppender):
1908
1909 2016-11-02  Geoffrey Garen  <ggaren@apple.com>
1910
1911         EvalCodeCache should not give up in strict mode and other cases
1912         https://bugs.webkit.org/show_bug.cgi?id=164357
1913
1914         Reviewed by Michael Saboff.
1915
1916         EvalCodeCache gives up in non-trivial cases because generated eval code
1917         can't soundly migrate from, for example, a let scope to a non-let scope.
1918         The number of cases has grown over time.
1919
1920         Instead, let's cache eval code based on the location of the call to
1921         eval(). That way, we never relocate the code, and it's sound to make
1922         normal assumptions about our surrounding scope.
1923
1924         * bytecode/EvalCodeCache.h:
1925         (JSC::EvalCodeCache::CacheKey::CacheKey): Use CallSiteIndex to uniquely
1926         identify the location of our call to eval().
1927
1928         (JSC::EvalCodeCache::CacheKey::hash):
1929         (JSC::EvalCodeCache::CacheKey::operator==):
1930         (JSC::EvalCodeCache::CacheKey::Hash::equal): Use CallSiteIndex instead
1931         of lots of other flags.
1932
1933         (JSC::EvalCodeCache::tryGet): No need to include details that are implied
1934         by our CallSiteIndex.
1935
1936         (JSC::EvalCodeCache::getSlow): No need to skip caching in complex
1937         situations. We promise we'll never relocate the cached code.
1938
1939         (JSC::EvalCodeCache::isCacheableScope): Deleted.
1940         (JSC::EvalCodeCache::isCacheable): Deleted.
1941
1942         * interpreter/Interpreter.cpp:
1943         (JSC::eval): Pass through a CallSiteIndex to uniquely identify this call
1944         to eval().
1945
1946 2016-11-04  Keith Miller  <keith_miller@apple.com>
1947
1948         Add support for Wasm br_table
1949         https://bugs.webkit.org/show_bug.cgi?id=164429
1950
1951         Reviewed by Michael Saboff.
1952
1953         This patch adds support for Wasm br_table. The Wasm br_table
1954         opcode essentially directly maps to B3's switch opcode.
1955
1956         There are also three other minor changes:
1957         1) all non-argument locals should be initialized to zero at function entry.
1958         2) add new setErrorMessage member to WasmFunctionParser.h
1959         3) return does not decode an extra immediate anymore.
1960
1961         * testWasm.cpp:
1962         (runWasmTests):
1963         * wasm/WasmB3IRGenerator.cpp:
1964         * wasm/WasmFunctionParser.h:
1965         (JSC::Wasm::FunctionParser::setErrorMessage):
1966         (JSC::Wasm::FunctionParser<Context>::parseExpression):
1967         (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
1968         (JSC::Wasm::FunctionParser<Context>::popExpressionStack):
1969         * wasm/WasmValidate.cpp:
1970         (JSC::Wasm::Validate::checkBranchTarget):
1971         (JSC::Wasm::Validate::addBranch):
1972         (JSC::Wasm::Validate::addSwitch):
1973
1974 2016-11-04  JF Bastien  <jfbastien@apple.com>
1975
1976         WebAssembly JS API: implement more sections
1977         https://bugs.webkit.org/show_bug.cgi?id=164023
1978
1979         Reviewed by Keith Miller.
1980
1981         On the JSC side:
1982
1983          - Put in parser stubs for all WebAssembly sections.
1984          - Parse Import, Export sections.
1985          - Use tryReserveCapacity instead of reserve, and bail out of the parser if it fails. This prevents the parser from bringing everything down when faced with a malicious input.
1986          - Encapsulate all parsed module information into its own structure, making it easier to pass around (from parser to Plan to Module to Instance).
1987          - Create WasmFormat.cpp to hold parsed module information's dtor to avoid including WasmMemory.h needlessly.
1988          - Remove all remainders of polyfill-prototype-1, and update license.
1989          - Add missing WasmOps.h and WasmValidateInlines.h auto-generation for cmake build.
1990
1991         On the Builder.js testing side:
1992
1993          - Implement Type, Import (function only), Export (function only) sections.
1994          - Check section order and uniqueness.
1995          - Optionally auto-generate the Type section from subsequent Export / Import / Code entries.
1996          - Allow re-exporting an import.
1997
1998         * CMakeLists.txt: missing auto-generation
1999         * JavaScriptCore.xcodeproj/project.pbxproj: merge conflict
2000         * testWasm.cpp: update for API changes, no functional change
2001         (checkPlan):
2002         (runWasmTests):
2003         * wasm/WasmFormat.cpp: add a dtor which requires extra headers which I'd rather not include in WasmFormat.h
2004         (JSC::Wasm::ModuleInformation::~ModuleInformation):
2005         * wasm/WasmFormat.h: Add External, Import, FunctionInformation, Export, ModuleInformation, CompiledFunction, and remove obsolete stuff which was a holdover from the first implementation (all that code is now gone, so remove its license)
2006         (JSC::Wasm::External::isValid):
2007         * wasm/WasmModuleParser.cpp: simplify some, make names consistent with the WebAssembly section names, check memory allocations so they can fail early
2008         (JSC::Wasm::ModuleParser::parse):
2009         (JSC::Wasm::ModuleParser::parseType):
2010         (JSC::Wasm::ModuleParser::parseImport):
2011         (JSC::Wasm::ModuleParser::parseFunction):
2012         (JSC::Wasm::ModuleParser::parseTable):
2013         (JSC::Wasm::ModuleParser::parseMemory):
2014         (JSC::Wasm::ModuleParser::parseGlobal):
2015         (JSC::Wasm::ModuleParser::parseExport):
2016         (JSC::Wasm::ModuleParser::parseStart):
2017         (JSC::Wasm::ModuleParser::parseElement):
2018         (JSC::Wasm::ModuleParser::parseCode): avoid overflow through function size.
2019         (JSC::Wasm::ModuleParser::parseData):
2020         * wasm/WasmModuleParser.h:
2021         (JSC::Wasm::ModuleParser::moduleInformation):
2022         * wasm/WasmParser.h:
2023         (JSC::Wasm::Parser::consumeUTF8String): add as required by spec
2024         (JSC::Wasm::Parser::parseExternalKind): add as per spec
2025         * wasm/WasmPlan.cpp:
2026         (JSC::Wasm::Plan::Plan): fix some ownership, improve some error messages
2027         * wasm/WasmPlan.h: fix some ownership
2028         (JSC::Wasm::Plan::getModuleInformation):
2029         (JSC::Wasm::Plan::getMemory):
2030         (JSC::Wasm::Plan::compiledFunctionCount):
2031         (JSC::Wasm::Plan::compiledFunction):
2032         (JSC::Wasm::Plan::getCompiledFunctions):
2033         * wasm/WasmSections.h: macroize with description, so that error messages are super pretty. This could be auto-generated.
2034         * wasm/js/JSWebAssemblyModule.cpp:
2035         (JSC::JSWebAssemblyModule::create): take module information
2036         (JSC::JSWebAssemblyModule::JSWebAssemblyModule): ditto
2037         * wasm/js/JSWebAssemblyModule.h:
2038         (JSC::JSWebAssemblyModule::moduleInformation):
2039         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2040         (JSC::constructJSWebAssemblyInstance): check that modules with imports are instantiated with an import object, as per spec. This needs to be tested.
2041         * wasm/js/WebAssemblyMemoryConstructor.cpp:
2042         (JSC::constructJSWebAssemblyMemory):
2043         * wasm/js/WebAssemblyModuleConstructor.cpp:
2044         (JSC::constructJSWebAssemblyModule):
2045         * wasm/js/WebAssemblyTableConstructor.cpp:
2046         (JSC::constructJSWebAssemblyTable):
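
Added example for the two Wasm entries above (br_table, and the parser's "bail out instead of trusting a count or size" hardening). This is constructed for this ChangeLog and is not JSC's WasmModuleParser, Builder.js, or any other project code. It hand-encodes a small module whose single function is a three-way br_table, walks the module's section headers defensively (size bounded by the bytes actually present, vector counts bounded by the section, order and uniqueness enforced), and then instantiates the module to show that an out-of-range br_table index lands on the default label. Assumptions: the set of MVP section ids (1 to 11) and the set of sections that begin with a vector count are taken from the binary format as it stood then; the module bytes and the malformed inputs are constructed here.

```javascript
const WASM_HEADER = [0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00]; // "\0asm", version 1

// Unsigned LEB128 decoder. Multiplies instead of shifting so values above 2^31 survive,
// and rejects encodings longer than the five bytes a u32 can ever need.
function readVarU32(bytes, offset) {
  let value = 0, shift = 0, pos = offset;
  for (;;) {
    if (pos >= bytes.length) throw new Error("unexpected end of input inside LEB128");
    const byte = bytes[pos++];
    value += (byte & 0x7f) * 2 ** shift;
    shift += 7;
    if ((byte & 0x80) === 0) break;
    if (shift >= 35) throw new Error("LEB128 u32 too long");
  }
  if (value > 0xffffffff) throw new Error("LEB128 value does not fit in u32");
  return { value, next: pos };
}

// A vector count is only trusted if the section could physically hold that many entries
// (each entry needs at least one byte). This is the check that must precede any reserve().
function readBoundedCount(bytes, offset, end) {
  const { value: count, next } = readVarU32(bytes, offset);
  if (next > end) throw new Error("count runs past section end");
  if (count > end - next) throw new Error(`count ${count} exceeds remaining ${end - next} bytes`);
  return count;
}

// Assumption: every MVP section except start (id 8) opens with a vector count.
const SECTIONS_WITH_LEADING_COUNT = new Set([1, 2, 3, 4, 5, 6, 7, 9, 10, 11]);

function parseSectionHeaders(bytes) {
  if (bytes.length < 8 || !WASM_HEADER.every((b, i) => bytes[i] === b)) throw new Error("bad magic or version");
  const sections = [], seen = new Set();
  let lastId = 0, offset = 8;
  while (offset < bytes.length) {
    const id = bytes[offset++];
    const { value: size, next } = readVarU32(bytes, offset);
    offset = next;
    // Bound the declared size by what is present before using it. In C++ the matching
    // offset + size must also be an overflow-checked addition.
    if (size > bytes.length - offset) throw new Error(`section ${id} claims ${size} bytes but only ${bytes.length - offset} remain`);
    const end = offset + size;
    let count = null;
    if (id !== 0) { // id 0 is a custom section: any order, any number of them
      if (id > 11) throw new Error(`unknown section id ${id}`);
      if (seen.has(id)) throw new Error(`duplicate section ${id}`);
      if (id < lastId) throw new Error(`section ${id} out of order after ${lastId}`);
      seen.add(id);
      lastId = id;
      if (SECTIONS_WITH_LEADING_COUNT.has(id)) count = readBoundedCount(bytes, offset, end);
    }
    sections.push({ id, size, start: offset, count });
    offset = end;
  }
  return sections;
}

// Constructed module: (func (export "sel") (param i32) (result i32)) that returns 10, 20 or 30
// for index 0, 1 or anything else, via br_table over three nested blocks.
const MODULE_BYTES = [
  ...WASM_HEADER,
  0x01, 0x06, 0x01, 0x60, 0x01, 0x7f, 0x01, 0x7f,          // type section: (i32) -> (i32)
  0x03, 0x02, 0x01, 0x00,                                  // function section: one func of type 0
  0x07, 0x07, 0x01, 0x03, 0x73, 0x65, 0x6c, 0x00, 0x00,    // export section: "sel" = func 0
  0x0a, 0x1c, 0x01, 0x1a, 0x00,                            // code section, one body, no locals
  0x02, 0x40, 0x02, 0x40, 0x02, 0x40,                      // block $d, block $b1, block $b0
  0x20, 0x00, 0x0e, 0x02, 0x00, 0x01, 0x02,                // local.get 0; br_table [0 1] default 2
  0x0b, 0x41, 0x0a, 0x0f,                                  // end $b0; i32.const 10; return
  0x0b, 0x41, 0x14, 0x0f,                                  // end $b1; i32.const 20; return
  0x0b, 0x41, 0x1e, 0x0b,                                  // end $d; i32.const 30; end
];

// Malformed inputs, constructed to exercise each rejection path.
const OVERSIZED_SECTION = [...WASM_HEADER, 0x01, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00]; // size 0xffffffff
const BOGUS_COUNT = [...WASM_HEADER, 0x01, 0x02, 0xff, 0x01];                           // 255 entries in 0 bytes
const DUPLICATE_SECTION = [...WASM_HEADER, 0x01, 0x01, 0x00, 0x01, 0x01, 0x00];
const OUT_OF_ORDER = [...WASM_HEADER, 0x03, 0x01, 0x00, 0x01, 0x01, 0x00];

function rejectionMessage(bytes) {
  try { parseSectionHeaders(bytes); return null; } catch (e) { return e.message; }
}

// Instantiates the module and probes br_table with in-range, out-of-range and negative indices;
// -1 becomes the u32 0xffffffff, which is out of range and therefore takes the default label.
function runBrTable() {
  const module = new WebAssembly.Module(Uint8Array.from(MODULE_BYTES));
  const { sel } = new WebAssembly.Instance(module).exports;
  return [0, 1, 2, 99, -1].map((i) => sel(i));
}
```

The walker stops at the first inconsistency rather than trying to recover, which is the same posture as the parser change: a hostile count or size is rejected before it can drive an allocation, and the caller gets a message naming the section.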
2047
2048 2016-11-03  Mark Lam  <mark.lam@apple.com>
2049
2050         ClonedArguments need to also support haveABadTime mode.
2051         https://bugs.webkit.org/show_bug.cgi?id=164200
2052         <rdar://problem/27211336>
2053
2054         Reviewed by Geoffrey Garen.
2055
2056         For those who are not familiar with the parlance, "have a bad time" in the VM
2057         means that Object.prototype has been modified in such a way that we can no longer
2058         trivially do indexed property accesses without consulting the Object.prototype.
2059         This defeats JIT indexed put optimizations, and hence, makes the VM "have a
2060         bad time".
2061
2062         Once the VM enters haveABadTime mode, all existing objects are converted to use
2063         slow put storage.  Thereafter, JSArrays are always created with slow put storage.
2064         JSObjects are always created with a blank indexing type.  When a new indexed
2065         property is put into the new object, its indexing type will be converted to the
2066         slow put array indexing type just before we perform the put operation.  This is
2067         how we ensure that the objects will also use slow put storage.
2068
2069         However, ClonedArguments is an object which was previously created unconditionally
2070         to use contiguous storage.  Subsequently, if we try to call Object.preventExtensions()
2071         on that ClonedArguments object, Object.preventExtensions() will:
2072         1. make the ClonedArguments enter dictionary indexing mode, which means it will
2073         2. first ensure that the ClonedArguments is using slow put array storage via
2074            JSObject::ensureArrayStorageSlow().
2075
2076         However, JSObject::ensureArrayStorageSlow() expects that we never see an object
2077         with contiguous storage once we're in haveABadTime mode.  Our ClonedArguments
2078         object did not obey this invariant.
2079
2080         The fix is to make the ClonedArguments factories create objects that use slow put
2081         array storage when in haveABadTime mode.  This means:
2082
2083         1. JSGlobalObject::haveABadTime() now changes m_clonedArgumentsStructure to use
2084            its slow put version.
2085
2086            Also the caching of the slow put version of m_regExpMatchesArrayStructure,
2087            because we only need to create it when we are having a bad time. 
2088
2089         2. The ClonedArguments factories now allocate a butterfly with slow put array
2090            storage if we're in haveABadTime mode.
2091
2092            Also added some assertions in ClonedArguments' factory methods to ensure that
2093            the created object has the slow put indexing type when it needsSlowPutIndexing().
2094
2095         3. DFGFixupPhase now watches the havingABadTimeWatchpoint because ClonedArguments'
2096            structure will change when having a bad time.
2097
2098         4. DFGArgumentEliminationPhase and DFGVarargsForwardingPhase need not be changed
2099            because it is still valid to eliminate the creation of the arguments object
2100            even having a bad time, as long as the arguments object does not escape.
2101
2102         5. The DFGAbstractInterpreterInlines now checks for haveABadTime, and sets the
2103            predicted type to be SpecObject.
2104
2105         Note: this issue does not apply to DirectArguments and ScopedArguments because
2106         they use a blank indexing type (just like JSObject).
2107
2108         * dfg/DFGAbstractInterpreterInlines.h:
2109         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2110         * dfg/DFGArrayMode.cpp:
2111         (JSC::DFG::ArrayMode::dump):
2112         * dfg/DFGFixupPhase.cpp:
2113         (JSC::DFG::FixupPhase::fixupNode):
2114         * runtime/ClonedArguments.cpp:
2115         (JSC::ClonedArguments::createEmpty):
2116         (JSC::ClonedArguments::createWithInlineFrame):
2117         (JSC::ClonedArguments::createWithMachineFrame):
2118         (JSC::ClonedArguments::createByCopyingFrom):
2119         (JSC::ClonedArguments::createStructure):
2120         (JSC::ClonedArguments::createSlowPutStructure):
2121         * runtime/ClonedArguments.h:
2122         * runtime/JSGlobalObject.cpp:
2123         (JSC::JSGlobalObject::init):
2124         (JSC::JSGlobalObject::haveABadTime):
2125         (JSC::JSGlobalObject::visitChildren):
2126         * runtime/JSGlobalObject.h:
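
Added example for the "have a bad time" explanation above; it is constructed for this ChangeLog and is not JSC code. It shows, at the language level, why the VM can no longer store indexed properties without consulting Object.prototype once an indexed accessor lives there: the store on an empty array, on a plain object, and on a strict-mode arguments object (the unmapped kind ClonedArguments implements) all reach the setter instead of creating an own element, and the preventExtensions call from the bug report then runs against such an object. The accessor is installed and removed inside the function so the rest of the process is unaffected.

```javascript
// Runs the same three indexed stores with and without an indexed accessor on Object.prototype
// and reports what the stores actually did. Constructed example, not engine code.
function indexedStores(installPrototypeAccessor) {
  let setterCalls = 0;
  if (installPrototypeAccessor) {
    // From here on, any [[Set]] of "0" on an object with no own element 0 walks the
    // prototype chain and lands on this setter, so a cached "write to contiguous
    // storage" fast path would be wrong.
    Object.defineProperty(Object.prototype, "0", {
      configurable: true,
      set() { setterCalls += 1; },
    });
  }
  try {
    const arr = [];
    arr[0] = "x";                            // empty array: no own element 0
    const obj = {};
    obj[0] = "y";                            // plain object with a blank indexing type
    function strictFn() {
      "use strict";                          // strict mode: unmapped (cloned) arguments object
      arguments[0] = "z";                    // called with no arguments, so no own element 0
      Object.preventExtensions(arguments);   // the operation that tripped the bad-time invariant
      return Object.isExtensible(arguments);
    }
    const argsStillExtensible = strictFn();
    const hasOwn0 = (o) => Object.prototype.hasOwnProperty.call(o, "0");
    return {
      setterCalls,
      arrLength: arr.length,
      arrHasOwn0: hasOwn0(arr),
      objHasOwn0: hasOwn0(obj),
      argsStillExtensible,
    };
  } finally {
    if (installPrototypeAccessor) delete Object.prototype[0];
  }
}
```

With the accessor installed, all three stores are observed by the setter and none of the objects gains an element (the array's length stays 0); without it, each store creates an own element. That difference is what forces every object, including ClonedArguments, onto slow put storage once the VM is having a bad time.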
2127
2128 2016-11-03  Filip Pizlo  <fpizlo@apple.com>
2129
2130         DFG plays fast and loose with the shadow values of a Phi
2131         https://bugs.webkit.org/show_bug.cgi?id=164309
2132
2133         Reviewed by Saam Barati.
2134         
2135         Oh boy, what an embarrassing mistake! The style of SSA I like to use avoids block/value
2136         tuples as parameters of a Phi, thereby simplifying CFG transformations and making Phi largely
2137         not a special case for most compiler transforms. It does this by introducing another value
2138         called Upsilon, which stores a value into some Phi.
2139         
2140         B3 uses this also. The easiest way to understand what Upsilon/Phi behave like is to look at
2141         the B3->Air lowering. Air is not SSA - it has Tmps that you can assign to and use as many
2142         times as you like. B3 allocates one Tmp per Value, and an extra "phiTmp" for Phis, so that
2143         Phis get two Tmps total. Upsilon stores the value into the phiTmp of the Phi, while Phi moves
2144         the value from its phiTmp to its tmp.
2145         
2146         This is necessary to support scenarios like this:
2147         
2148             a: Phi()
2149             b: Upsilon(@x, ^a)
2150             c: Use(@a)
2151         
2152         Here, we want @c to see @a's value before @b. That's a very basic requirement of SSA: that
2153         the a value (like @a) doesn't change during its lifetime.
2154         
2155         Unfortunately, DFG's liveness analysis, abstract interpreter, and integer range optimization
2156         all failed to correctly model Upsilon/Phi this way. They would assume that it's accurate to
2157         model the Upsilon as storing into the Phi directly.
2158         
2159         Because DFG does flow analysis over SSA, making it correct means enabling it to speak of the
2160         shadow value. This change addresses this problem by introducing the concept of a
2161         NodeFlowProjection. This is a key that lets us speak of both a Node's primary value and its
2162         optional "shadow" value. Liveness, AI, and integer range are now keyed by NodeFlowProjection
2163         rather than Node*. Conceptually this turns out to be a very simple change, but it does touch
2164         a good amount of code.
2165         
2166         This looks to be perf-neutral.
2167
2168         Rolled back in after fixing the debug build.
2169
2170         * CMakeLists.txt:
2171         * JavaScriptCore.xcodeproj/project.pbxproj:
2172         * b3/air/AirLiveness.h:
2173         (JSC::B3::Air::TmpLivenessAdapter::numIndices):
2174         (JSC::B3::Air::StackSlotLivenessAdapter::numIndices):
2175         (JSC::B3::Air::RegLivenessAdapter::numIndices):
2176         (JSC::B3::Air::AbstractLiveness::AbstractLiveness):
2177         (JSC::B3::Air::TmpLivenessAdapter::maxIndex): Deleted.
2178         (JSC::B3::Air::StackSlotLivenessAdapter::maxIndex): Deleted.
2179         (JSC::B3::Air::RegLivenessAdapter::maxIndex): Deleted.
2180         * dfg/DFGAbstractInterpreter.h:
2181         (JSC::DFG::AbstractInterpreter::forNode):
2182         * dfg/DFGAbstractInterpreterInlines.h:
2183         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2184         (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
2185         (JSC::DFG::AbstractInterpreter<AbstractStateType>::dump):
2186         * dfg/DFGAtTailAbstractState.cpp:
2187         (JSC::DFG::AtTailAbstractState::createValueForNode):
2188         (JSC::DFG::AtTailAbstractState::forNode):
2189         * dfg/DFGAtTailAbstractState.h:
2190         * dfg/DFGBasicBlock.h:
2191         * dfg/DFGCombinedLiveness.cpp:
2192         (JSC::DFG::liveNodesAtHead):
2193         * dfg/DFGCombinedLiveness.h:
2194         * dfg/DFGFlowIndexing.cpp: Added.
2195         (JSC::DFG::FlowIndexing::FlowIndexing):
2196         (JSC::DFG::FlowIndexing::~FlowIndexing):
2197         (JSC::DFG::FlowIndexing::recompute):
2198         * dfg/DFGFlowIndexing.h: Added.
2199         (JSC::DFG::FlowIndexing::graph):
2200         (JSC::DFG::FlowIndexing::numIndices):
2201         (JSC::DFG::FlowIndexing::index):
2202         (JSC::DFG::FlowIndexing::shadowIndex):
2203         (JSC::DFG::FlowIndexing::nodeProjection):
2204         * dfg/DFGFlowMap.h: Added.
2205         (JSC::DFG::FlowMap::FlowMap):
2206         (JSC::DFG::FlowMap::resize):
2207         (JSC::DFG::FlowMap::graph):
2208         (JSC::DFG::FlowMap::at):
2209         (JSC::DFG::FlowMap::atShadow):
2210         (WTF::printInternal):
2211         * dfg/DFGGraph.cpp:
2212         (JSC::DFG::Graph::Graph):
2213         * dfg/DFGGraph.h:
2214         (JSC::DFG::Graph::abstractValuesCache): Deleted.
2215         * dfg/DFGInPlaceAbstractState.cpp:
2216         (JSC::DFG::InPlaceAbstractState::InPlaceAbstractState):
2217         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
2218         (JSC::DFG::setLiveValues):
2219         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
2220         (JSC::DFG::InPlaceAbstractState::merge):
2221         * dfg/DFGInPlaceAbstractState.h:
2222         (JSC::DFG::InPlaceAbstractState::createValueForNode):
2223         (JSC::DFG::InPlaceAbstractState::forNode):
2224         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
2225         * dfg/DFGLivenessAnalysisPhase.cpp:
2226         (JSC::DFG::LivenessAnalysisPhase::LivenessAnalysisPhase):
2227         (JSC::DFG::LivenessAnalysisPhase::run):
2228         (JSC::DFG::LivenessAnalysisPhase::processBlock):
2229         (JSC::DFG::LivenessAnalysisPhase::addChildUse): Deleted.
2230         * dfg/DFGNode.h:
2231         (JSC::DFG::NodeComparator::operator()):
2232         (JSC::DFG::nodeListDump):
2233         (JSC::DFG::nodeMapDump):
2234         (JSC::DFG::nodeValuePairListDump):
2235         (JSC::DFG::nodeComparator): Deleted.
2236         * dfg/DFGNodeAbstractValuePair.cpp: Added.
2237         (JSC::DFG::NodeAbstractValuePair::dump):
2238         * dfg/DFGNodeAbstractValuePair.h: Added.
2239         (JSC::DFG::NodeAbstractValuePair::NodeAbstractValuePair):
2240         * dfg/DFGNodeFlowProjection.cpp: Added.
2241         (JSC::DFG::NodeFlowProjection::dump):
2242         * dfg/DFGNodeFlowProjection.h: Added.
2243         (JSC::DFG::NodeFlowProjection::NodeFlowProjection):
2244         (JSC::DFG::NodeFlowProjection::operator bool):
2245         (JSC::DFG::NodeFlowProjection::kind):
2246         (JSC::DFG::NodeFlowProjection::node):
2247         (JSC::DFG::NodeFlowProjection::operator*):
2248         (JSC::DFG::NodeFlowProjection::operator->):
2249         (JSC::DFG::NodeFlowProjection::hash):
2250         (JSC::DFG::NodeFlowProjection::operator==):
2251         (JSC::DFG::NodeFlowProjection::operator!=):
2252         (JSC::DFG::NodeFlowProjection::operator<):
2253         (JSC::DFG::NodeFlowProjection::operator>):
2254         (JSC::DFG::NodeFlowProjection::operator<=):
2255         (JSC::DFG::NodeFlowProjection::operator>=):
2256         (JSC::DFG::NodeFlowProjection::isHashTableDeletedValue):
2257         (JSC::DFG::NodeFlowProjection::isStillValid):
2258         (JSC::DFG::NodeFlowProjection::forEach):
2259         (JSC::DFG::NodeFlowProjectionHash::hash):
2260         (JSC::DFG::NodeFlowProjectionHash::equal):
2261         * dfg/DFGStoreBarrierInsertionPhase.cpp:
2262
2263 2016-11-03  Commit Queue  <commit-queue@webkit.org>
2264
2265         Unreviewed, rolling out r208364.
2266         https://bugs.webkit.org/show_bug.cgi?id=164402
2267
2268         broke the build (Requested by smfr on #webkit).
2269
2270         Reverted changeset:
2271
2272         "DFG plays fast and loose with the shadow values of a Phi"
2273         https://bugs.webkit.org/show_bug.cgi?id=164309
2274         http://trac.webkit.org/changeset/208364
2275
2276 2016-11-03  Filip Pizlo  <fpizlo@apple.com>
2277
2278         DFG plays fast and loose with the shadow values of a Phi
2279         https://bugs.webkit.org/show_bug.cgi?id=164309
2280
2281         Reviewed by Saam Barati.
2282         
2283         Oh boy, what an embarrassing mistake! The style of SSA I like to use avoids block/value
2284         tuples as parameters of a Phi, thereby simplifying CFG transformations and making Phi largely
2285         not a special case for most compiler transforms. It does this by introducing another value
2286         called Upsilon, which stores a value into some Phi.
2287         
2288         B3 uses this also. The easiest way to understand what Upsilon/Phi behave like is to look at
2289         the B3->Air lowering. Air is not SSA - it has Tmps that you can assign to and use as many
2290         times as you like. B3 allocates one Tmp per Value, and an extra "phiTmp" for Phis, so that
2291         Phis get two Tmps total. Upsilon stores the value into the phiTmp of the Phi, while Phi moves
2292         the value from its phiTmp to its tmp.
2293         
2294         This is necessary to support scenarios like this:
2295         
2296             a: Phi()
2297             b: Upsilon(@x, ^a)
2298             c: Use(@a)
2299         
2300         Here, we want @c to see @a's value before @b. That's a very basic requirement of SSA: that
2301         the a value (like @a) doesn't change during its lifetime.
2302         
2303         Unfortunately, DFG's liveness analysis, abstract interpreter, and integer range optimization
2304         all failed to correctly model Upsilon/Phi this way. They would assume that it's accurate to
2305         model the Upsilon as storing into the Phi directly.
2306         
2307         Because DFG does flow analysis over SSA, making it correct means enabling it to speak of the
2308         shadow value. This change addresses this problem by introducing the concept of a
2309         NodeFlowProjection. This is a key that lets us speak of both a Node's primary value and its
2310         optional "shadow" value. Liveness, AI, and integer range are now keyed by NodeFlowProjection
2311         rather than Node*. Conceptually this turns out to be a very simple change, but it does touch
2312         a good amount of code.
2313         
2314         This looks to be perf-neutral.
2315
2316         * CMakeLists.txt:
2317         * JavaScriptCore.xcodeproj/project.pbxproj:
2318         * b3/air/AirLiveness.h:
2319         (JSC::B3::Air::TmpLivenessAdapter::numIndices):
2320         (JSC::B3::Air::StackSlotLivenessAdapter::numIndices):
2321         (JSC::B3::Air::RegLivenessAdapter::numIndices):
2322         (JSC::B3::Air::AbstractLiveness::AbstractLiveness):
2323         (JSC::B3::Air::TmpLivenessAdapter::maxIndex): Deleted.
2324         (JSC::B3::Air::StackSlotLivenessAdapter::maxIndex): Deleted.
2325         (JSC::B3::Air::RegLivenessAdapter::maxIndex): Deleted.
2326         * dfg/DFGAbstractInterpreter.h:
2327         (JSC::DFG::AbstractInterpreter::forNode):
2328         * dfg/DFGAbstractInterpreterInlines.h:
2329         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2330         (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
2331         (JSC::DFG::AbstractInterpreter<AbstractStateType>::dump):
2332         * dfg/DFGAtTailAbstractState.cpp:
2333         (JSC::DFG::AtTailAbstractState::createValueForNode):
2334         (JSC::DFG::AtTailAbstractState::forNode):
2335         * dfg/DFGAtTailAbstractState.h:
2336         * dfg/DFGBasicBlock.h:
2337         * dfg/DFGCombinedLiveness.cpp:
2338         (JSC::DFG::liveNodesAtHead):
2339         * dfg/DFGCombinedLiveness.h:
2340         * dfg/DFGFlowIndexing.cpp: Added.
2341         (JSC::DFG::FlowIndexing::FlowIndexing):
2342         (JSC::DFG::FlowIndexing::~FlowIndexing):
2343         (JSC::DFG::FlowIndexing::recompute):
2344         * dfg/DFGFlowIndexing.h: Added.
2345         (JSC::DFG::FlowIndexing::graph):
2346         (JSC::DFG::FlowIndexing::numIndices):
2347         (JSC::DFG::FlowIndexing::index):
2348         (JSC::DFG::FlowIndexing::shadowIndex):
2349         (JSC::DFG::FlowIndexing::nodeProjection):
2350         * dfg/DFGFlowMap.h: Added.
2351         (JSC::DFG::FlowMap::FlowMap):
2352         (JSC::DFG::FlowMap::resize):
2353         (JSC::DFG::FlowMap::graph):
2354         (JSC::DFG::FlowMap::at):
2355         (JSC::DFG::FlowMap::atShadow):
2356         (WTF::printInternal):
2357         * dfg/DFGGraph.cpp:
2358         (JSC::DFG::Graph::Graph):
2359         * dfg/DFGGraph.h:
2360         (JSC::DFG::Graph::abstractValuesCache): Deleted.
2361         * dfg/DFGInPlaceAbstractState.cpp:
2362         (JSC::DFG::InPlaceAbstractState::InPlaceAbstractState):
2363         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
2364         (JSC::DFG::setLiveValues):
2365         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
2366         (JSC::DFG::InPlaceAbstractState::merge):
2367         * dfg/DFGInPlaceAbstractState.h:
2368         (JSC::DFG::InPlaceAbstractState::createValueForNode):
2369         (JSC::DFG::InPlaceAbstractState::forNode):
2370         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
2371         * dfg/DFGLivenessAnalysisPhase.cpp:
2372         (JSC::DFG::LivenessAnalysisPhase::LivenessAnalysisPhase):
2373         (JSC::DFG::LivenessAnalysisPhase::run):
2374         (JSC::DFG::LivenessAnalysisPhase::processBlock):
2375         (JSC::DFG::LivenessAnalysisPhase::addChildUse): Deleted.
2376         * dfg/DFGNode.h:
2377         (JSC::DFG::NodeComparator::operator()):
2378         (JSC::DFG::nodeListDump):
2379         (JSC::DFG::nodeMapDump):
2380         (JSC::DFG::nodeValuePairListDump):
2381         (JSC::DFG::nodeComparator): Deleted.
2382         * dfg/DFGNodeAbstractValuePair.cpp: Added.
2383         (JSC::DFG::NodeAbstractValuePair::dump):
2384         * dfg/DFGNodeAbstractValuePair.h: Added.
2385         (JSC::DFG::NodeAbstractValuePair::NodeAbstractValuePair):
2386         * dfg/DFGNodeFlowProjection.cpp: Added.
2387         (JSC::DFG::NodeFlowProjection::dump):
2388         * dfg/DFGNodeFlowProjection.h: Added.
2389         (JSC::DFG::NodeFlowProjection::NodeFlowProjection):
2390         (JSC::DFG::NodeFlowProjection::operator bool):
2391         (JSC::DFG::NodeFlowProjection::kind):
2392         (JSC::DFG::NodeFlowProjection::node):
2393         (JSC::DFG::NodeFlowProjection::operator*):
2394         (JSC::DFG::NodeFlowProjection::operator->):
2395         (JSC::DFG::NodeFlowProjection::hash):
2396         (JSC::DFG::NodeFlowProjection::operator==):
2397         (JSC::DFG::NodeFlowProjection::operator!=):
2398         (JSC::DFG::NodeFlowProjection::operator<):
2399         (JSC::DFG::NodeFlowProjection::operator>):
2400         (JSC::DFG::NodeFlowProjection::operator<=):
2401         (JSC::DFG::NodeFlowProjection::operator>=):
2402         (JSC::DFG::NodeFlowProjection::isHashTableDeletedValue):
2403         (JSC::DFG::NodeFlowProjection::isStillValid):
2404         (JSC::DFG::NodeFlowProjection::forEach):
2405         (JSC::DFG::NodeFlowProjectionHash::hash):
2406         (JSC::DFG::NodeFlowProjectionHash::equal):
2407         * dfg/DFGStoreBarrierInsertionPhase.cpp:
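
Added example for the Upsilon/Phi discussion in this entry and in its re-landed copy above. It is a constructed mini-IR interpreter, not B3, Air or DFG code: each Phi owns a "tmp" that other instructions read and a "phiTmp" shadow that Upsilon writes, exactly as the B3 to Air lowering described above allocates them. The same program is run twice, once with that two-slot model and once with the incorrect model the entry describes (Upsilon stores straight into the Phi), on a loop that swaps two loop-carried values. The instruction shapes and ids are assumptions of this example.

```javascript
// Executes one basic block of the constructed IR. state.tmp holds every value's tmp;
// state.phiTmp holds each Phi's shadow slot. Use instructions append what they read to `observed`.
function executeBlock(block, state, useShadow, observed) {
  for (const instr of block) {
    switch (instr.op) {
      case "Const":
        state.tmp.set(instr.id, instr.value);
        break;
      case "Phi":
        // Phi moves its shadow value into its own tmp; with the broken model there is
        // no shadow, so the Phi is a no-op and Upsilons have already clobbered its tmp.
        if (useShadow) state.tmp.set(instr.id, state.phiTmp.get(instr.id));
        break;
      case "Upsilon": {
        const v = state.tmp.get(instr.value);
        if (useShadow) state.phiTmp.set(instr.phi, v); // store into the shadow, visible at the next Phi
        else state.tmp.set(instr.phi, v);              // broken: changes @phi mid-lifetime
        break;
      }
      case "Use":
        observed.push(state.tmp.get(instr.value));
        break;
      default:
        throw new Error(`unknown op ${instr.op}`);
    }
  }
}

// Constructed program. The loop body is the scenario from the entry: a Use of @a after an
// Upsilon into ^a, which must still see @a's old value.
const PREHEADER = [
  { id: "c1", op: "Const", value: 1 },
  { id: "c2", op: "Const", value: 2 },
  { id: "u1", op: "Upsilon", value: "c1", phi: "a" },
  { id: "u2", op: "Upsilon", value: "c2", phi: "b" },
];
const LOOP_BODY = [
  { id: "a", op: "Phi" },
  { id: "b", op: "Phi" },
  { id: "ua", op: "Upsilon", value: "b", phi: "a" }, // next a = current b
  { id: "ub", op: "Upsilon", value: "a", phi: "b" }, // next b = current a (not the value ua just stored)
  { id: "ra", op: "Use", value: "a" },
  { id: "rb", op: "Use", value: "b" },
];

// Runs the preheader once and the loop body `iterations` times; returns the [a, b] pair
// observed by the two Use instructions in each iteration.
function runSwapLoop(iterations, useShadow) {
  const state = { tmp: new Map(), phiTmp: new Map() };
  executeBlock(PREHEADER, state, useShadow, []);
  const pairs = [];
  for (let i = 0; i < iterations; i++) {
    const observed = [];
    executeBlock(LOOP_BODY, state, useShadow, observed);
    pairs.push(observed);
  }
  return pairs;
}
```

With the shadow slot the values alternate (1,2), (2,1), (1,2) and each Use sees its Phi's value from the top of the block; with the direct-store model the second Upsilon reads the value the first one just wrote, both Phis collapse to 2 after one iteration, and a liveness or range analysis keyed only on the Phi would reason about the wrong value, which is the defect NodeFlowProjection fixes.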
2408
2409 2016-11-03  Keith Miller  <keith_miller@apple.com>
2410
2411         Unreviewed, changelog fix due to failed git rebase.
2412
2413 2016-11-03  Keith Miller  <keith_miller@apple.com>
2414
2415         Wasm starts a new stack whenever it adds a new block and has return types for blocks.
2416         https://bugs.webkit.org/show_bug.cgi?id=164100
2417
2418         Reviewed by Saam Barati.
2419
2420         This patch overhauls much of the Wasm function parser, validator, and B3 IR generator
2421         to work with block return types. In Wasm, blocks can act as expressions and have a
2422         return value. Most of the control flow operators needed to be rewritten in order to
2423         support this feature. To enable return types the function parser needed to be able
2424         to save and restore the expression stack from previous blocks, which is done via the
2425         control stack.
2426
2427         This patch also removes the lazy continuation block system added previously. It's
2428         not clear if there would be any performance win from such a system. There are likely
2429         many other things with orders of magnitude more impact on B3 IR generation. The
2430         complexity cost of such a system is not worth the effort without sufficient evidence
2431         otherwise.
2432
2433         * testWasm.cpp:
2434         (runWasmTests):
2435         * wasm/WasmB3IRGenerator.cpp:
2436         * wasm/WasmFunctionParser.h:
2437         (JSC::Wasm::FunctionParser<Context>::parseBlock):
2438         (JSC::Wasm::FunctionParser<Context>::addReturn):
2439         (JSC::Wasm::FunctionParser<Context>::parseExpression):
2440         (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
2441         (JSC::Wasm::FunctionParser<Context>::popExpressionStack):
2442         * wasm/WasmValidate.cpp:
2443         (JSC::Wasm::Validate::ControlData::hasNonVoidSignature):
2444         (JSC::Wasm::Validate::addElse):
2445         (JSC::Wasm::Validate::addElseToUnreachable):
2446         (JSC::Wasm::Validate::addBranch):
2447         (JSC::Wasm::Validate::endBlock):
2448         (JSC::Wasm::Validate::addEndToUnreachable):
2449         (JSC::Wasm::Validate::dump):
2450         (JSC::Wasm::validateFunction):
2451         (JSC::Wasm::Validate::isContinuationReachable): Deleted.
2452
2453 2016-11-03  Saam Barati  <sbarati@apple.com>
2454
2455         Asking for a value profile prediction should be defensive against not finding a value profile
2456         https://bugs.webkit.org/show_bug.cgi?id=164306
2457
2458         Reviewed by Mark Lam.
2459
2460         Currently, the code that calls CodeBlock::valueProfilePredictionForBytecodeOffset
2461         in the DFG assumes it will always be at a value producing node. However, this isn't
2462         true if we tail call from an inlined setter. When we're at a tail call, we try
2463         to find the first caller that isn't a tail call to see what value the
2464         tail_call produces. If we inline a setter, however, we will end up finding
2465         the put_by_id as our first non-tail-called "caller", and that won't have a
2466         value profile associated with it since it's not a value producing node.
2467         CodeBlock::valueProfilePredictionForBytecodeOffset should be defensive
2468         against finding a null value profile.
2469
2470         * bytecode/CodeBlock.h:
2471         (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
2472         * dfg/DFGByteCodeParser.cpp:
2473         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
2474
2475 2016-11-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2476
2477         Unreviewed, fix CLoop build after r208320.
2478         https://bugs.webkit.org/show_bug.cgi?id=162980
2479
2480         Add required forward declarations.
2481
2482         * domjit/DOMJITHeapRange.cpp:
2483         * domjit/DOMJITSignature.h:
2484         * runtime/VM.h:
2485
2486 2016-11-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2487
2488         [DOMJIT] Add DOMJIT::Signature
2489         https://bugs.webkit.org/show_bug.cgi?id=162980
2490
2491         Reviewed by Saam Barati and Sam Weinig.
2492
2493         This patch introduces a new mechanism called DOMJIT::Signature. We can annotate the function with DOMJIT::Signature.
2494         DOMJIT::Signature has type information of that function. And it also maintains the effect of the function and the
2495         pointer to the unsafe function. The unsafe function means the function without type and argument count checks.
2496         By using these information, we can separate type and argument count checks from the function. And we can emit
2497         these things as DFG checks and convert the function call itself to CallDOM node. CallDOM node can call the unsafe
2498         function directly without any checks. Furthermore, this CallDOM node can represent its own clobberizing rules based
2499         on DOMJIT::Effect maintained by DOMJIT::Signature. It allows us to make opaque Call node to a CallDOM node that
2500         merely reads some part of heap. These changes (1) can drop duplicate type checks in DFG, (2) offer ability to move
2501         CallDOM node to somewhere, and (3) track more detailed heap reads and writes of CallDOM nodes.
2502
2503         We first emit Call node with DOMJIT::Signature in DFGByteCodeParser. And in the fixup phase, we attempt to lower
2504         Call node to CallDOM node with checks & edge filters. This is because we do not know the type predictions in
2505         DFGByteCodeParser phase. If we always emit CallDOM node in DFGByteCodeParser, if we evaluate `div.getAttribute(true)`
2506         thingy, the Uncountable OSR exits repeatedly happen because AI figures out the abstract value is cleared.
2507
2508         Currently, DOMJIT signature only allows the types that can reside in GPR. This is because the types of the unsafe
2509         function arguments are represented as the sequence of void*. In the future, we will extend to accept other types like
2510         float, double etc.
2511
2512         We annotate several functions in Element. In particular, we annotate Element::getAttribute. This allows us to perform
2513         LICM in Dromaeo dom-attr test. In the Dromaeo dom-attr getAttribute test, we can see 32x improvement. (134974.8 vs. 4203.4)
2514
2515         * JavaScriptCore.xcodeproj/project.pbxproj:
2516         * bytecode/CallVariant.h:
2517         (JSC::CallVariant::functionExecutable):
2518         (JSC::CallVariant::nativeExecutable):
2519         (JSC::CallVariant::signatureFor):
2520         * bytecode/SpeculatedType.h:
2521         (JSC::isNotStringSpeculation):
2522         (JSC::isNotInt32Speculation):
2523         (JSC::isNotBooleanSpeculation):
2524         * dfg/DFGAbstractInterpreterInlines.h:
2525         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2526         * dfg/DFGByteCodeParser.cpp:
2527         (JSC::DFG::ByteCodeParser::addCall):
2528         (JSC::DFG::ByteCodeParser::handleCall):
2529         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
2530         (JSC::DFG::ByteCodeParser::handleInlining):
2531         (JSC::DFG::ByteCodeParser::handleDOMJITCall):
2532         (JSC::DFG::ByteCodeParser::parseBlock):
2533         * dfg/DFGClobberize.h:
2534         (JSC::DFG::clobberize):
2535         * dfg/DFGDoesGC.cpp:
2536         (JSC::DFG::doesGC):
2537         * dfg/DFGFixupPhase.cpp:
2538         (JSC::DFG::FixupPhase::fixupNode):
2539         (JSC::DFG::FixupPhase::attemptToMakeCallDOM):
2540         (JSC::DFG::FixupPhase::fixupCheckDOM):
2541         (JSC::DFG::FixupPhase::fixupCallDOM):
2542         * dfg/DFGNode.cpp:
2543         (JSC::DFG::Node::convertToCallDOM):
2544         * dfg/DFGNode.h:
2545         (JSC::DFG::Node::hasHeapPrediction):
2546         (JSC::DFG::Node::shouldSpeculateNotInt32):
2547         (JSC::DFG::Node::shouldSpeculateNotBoolean):
2548         (JSC::DFG::Node::shouldSpeculateNotString):
2549         (JSC::DFG::Node::hasSignature):
2550         (JSC::DFG::Node::signature):
2551         * dfg/DFGNodeType.h:
2552         * dfg/DFGPredictionPropagationPhase.cpp:
2553         * dfg/DFGSafeToExecute.h:
2554         (JSC::DFG::safeToExecute):
2555         * dfg/DFGSpeculativeJIT.cpp:
2556         (JSC::DFG::SpeculativeJIT::compileCallDOM):
2557         * dfg/DFGSpeculativeJIT.h:
2558         (JSC::DFG::SpeculativeJIT::callOperation):
2559         * dfg/DFGSpeculativeJIT32_64.cpp:
2560         (JSC::DFG::SpeculativeJIT::compile):
2561         * dfg/DFGSpeculativeJIT64.cpp:
2562         (JSC::DFG::SpeculativeJIT::compile):
2563         * domjit/DOMJITEffect.h:
2564         (JSC::DOMJIT::Effect::Effect):
2565         (JSC::DOMJIT::Effect::forWrite):
2566         (JSC::DOMJIT::Effect::forRead):
2567         (JSC::DOMJIT::Effect::forReadWrite):
2568         (JSC::DOMJIT::Effect::forPure):
2569         (JSC::DOMJIT::Effect::forDef):
2570         (JSC::DOMJIT::Effect::mustGenerate):
2571         In clang, we cannot make this Effect constructor constexpr if we use Optional<HeapRange>.
2572         So we use HeapRange::top() for Nullopt def now.
2573
2574         * domjit/DOMJITHeapRange.h:
2575         (JSC::DOMJIT::HeapRange::fromRaw):
2576         (JSC::DOMJIT::HeapRange::operator bool):
2577         (JSC::DOMJIT::HeapRange::operator==):
2578         (JSC::DOMJIT::HeapRange::operator!=):
2579         (JSC::DOMJIT::HeapRange::fromConstant):
2580         * domjit/DOMJITSignature.h: Copied from Source/JavaScriptCore/domjit/DOMJITEffect.h.
2581         (JSC::DOMJIT::Signature::Signature):
2582         (JSC::DOMJIT::Signature::argumentCount):
2583         (JSC::DOMJIT::Signature::checkDOM):
2584         * ftl/FTLCapabilities.cpp:
2585         (JSC::FTL::canCompile):
2586         * ftl/FTLLowerDFGToB3.cpp:
2587         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2588         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
2589         * jit/JITOperations.h:
2590         * jit/JITThunks.cpp:
2591         (JSC::JITThunks::hostFunctionStub):
2592         * jit/JITThunks.h:
2593         * runtime/JSBoundFunction.cpp:
2594         (JSC::JSBoundFunction::create):
2595         * runtime/JSCell.h:
2596         * runtime/JSFunction.cpp:
2597         (JSC::JSFunction::create):
2598         * runtime/JSFunction.h:
2599         * runtime/JSNativeStdFunction.cpp:
2600         (JSC::JSNativeStdFunction::create):
2601         * runtime/JSObject.cpp:
2602         (JSC::JSObject::putDirectNativeFunction):
2603         * runtime/JSObject.h:
2604         * runtime/Lookup.h:
2605         (JSC::HashTableValue::functionLength):
2606         (JSC::HashTableValue::signature):
2607         (JSC::reifyStaticProperty):
2608         * runtime/NativeExecutable.cpp:
2609         (JSC::NativeExecutable::create):
2610         (JSC::NativeExecutable::NativeExecutable):
2611         * runtime/NativeExecutable.h:
2612         * runtime/PropertySlot.h:
2613         * runtime/VM.cpp:
2614         (JSC::VM::getHostFunction):
2615         * runtime/VM.h:
2616
2617 2016-11-02  Andreas Kling  <akling@apple.com>
2618
2619         MarkedSpace should have specialized size classes for popular engine objects.
2620         <https://webkit.org/b/164345>
2621
2622         Reviewed by Filip Pizlo.
2623
2624         The MarkedSpace size classes were recently reworked to minimize wasted space
2625         at the end of MarkedBlocks.
2626
2627         However, we know that some specific objects will be allocated in very high volume.
2628         Adding specialized size classes for those object sizes achieves greater utilization
2629         since we're basically guaranteed to allocate them all the time.
2630
2631         Inject specialized size classes for these four objects:
2632
2633             - FunctionCodeBlock
2634                 560 bytes instead of 624
2635                 28 per block instead of 26 (+2)
2636
2637             - FunctionExecutable
2638                 176 bytes instead of 224
2639                 92 per block instead of 72 (+20)
2640
2641             - UnlinkedFunctionCodeBlock
2642                 256 bytes instead of 320
2643                 63 per block instead of 50 (+13)
2644
2645             - UnlinkedFunctionExecutable
2646                 192 bytes instead of 224
2647                 84 per block instead of 72 (+12)
2648
2649         * heap/MarkedSpace.cpp:
2650
2651 2016-11-02  Geoffrey Garen  <ggaren@apple.com>
2652
2653         One file per class for UnlinkedCodeBlock.h/.cpp
2654         https://bugs.webkit.org/show_bug.cgi?id=164348
2655
2656         Reviewed by Saam Barati.
2657
2658         * CMakeLists.txt:
2659         * JavaScriptCore.xcodeproj/project.pbxproj:
2660         * bytecode/FunctionCodeBlock.h:
2661         * bytecode/ModuleProgramCodeBlock.h:
2662         * bytecode/ProgramCodeBlock.h:
2663         * bytecode/UnlinkedCodeBlock.cpp:
2664         (JSC::UnlinkedProgramCodeBlock::visitChildren): Deleted.
2665         (JSC::UnlinkedModuleProgramCodeBlock::visitChildren): Deleted.
2666         (JSC::UnlinkedProgramCodeBlock::destroy): Deleted.
2667         (JSC::UnlinkedModuleProgramCodeBlock::destroy): Deleted.
2668         (JSC::UnlinkedEvalCodeBlock::destroy): Deleted.
2669         (JSC::UnlinkedFunctionCodeBlock::destroy): Deleted.
2670         (JSC::UnlinkedFunctionExecutable::destroy): Deleted.
2671         * bytecode/UnlinkedCodeBlock.h:
2672         (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock): Deleted.
2673         * bytecode/UnlinkedEvalCodeBlock.cpp: Copied from Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp.
2674         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): Deleted.
2675         (JSC::UnlinkedCodeBlock::visitChildren): Deleted.
2676         (JSC::UnlinkedCodeBlock::estimatedSize): Deleted.
2677         (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset): Deleted.
2678         (JSC::UnlinkedCodeBlock::getLineAndColumn): Deleted.
2679         (JSC::dumpLineColumnEntry): Deleted.
2680         (JSC::UnlinkedCodeBlock::dumpExpressionRangeInfo): Deleted.
2681         (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset): Deleted.
2682         (JSC::UnlinkedCodeBlock::addExpressionInfo): Deleted.
2683         (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset): Deleted.
2684         (JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo): Deleted.
2685         (JSC::UnlinkedProgramCodeBlock::visitChildren): Deleted.
2686         (JSC::UnlinkedModuleProgramCodeBlock::visitChildren): Deleted.
2687         (JSC::UnlinkedCodeBlock::~UnlinkedCodeBlock): Deleted.
2688         (JSC::UnlinkedProgramCodeBlock::destroy): Deleted.
2689         (JSC::UnlinkedModuleProgramCodeBlock::destroy): Deleted.
2690         (JSC::UnlinkedFunctionCodeBlock::destroy): Deleted.
2691         (JSC::UnlinkedFunctionExecutable::destroy): Deleted.
2692         (JSC::UnlinkedCodeBlock::setInstructions): Deleted.
2693         (JSC::UnlinkedCodeBlock::instructions): Deleted.
2694         (JSC::UnlinkedCodeBlock::handlerForBytecodeOffset): Deleted.
2695         (JSC::UnlinkedCodeBlock::handlerForIndex): Deleted.
2696         (JSC::UnlinkedCodeBlock::applyModification): Deleted.
2697         * bytecode/UnlinkedEvalCodeBlock.h: Copied from Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h.
2698         (JSC::UnlinkedStringJumpTable::offsetForValue): Deleted.
2699         (JSC::UnlinkedSimpleJumpTable::add): Deleted.
2700         (JSC::UnlinkedInstruction::UnlinkedInstruction): Deleted.
2701         (JSC::UnlinkedCodeBlock::isConstructor): Deleted.
2702         (JSC::UnlinkedCodeBlock::isStrictMode): Deleted.
2703         (JSC::UnlinkedCodeBlock::usesEval): Deleted.
2704         (JSC::UnlinkedCodeBlock::parseMode): Deleted.
2705         (JSC::UnlinkedCodeBlock::isArrowFunction): Deleted.
2706         (JSC::UnlinkedCodeBlock::derivedContextType): Deleted.
2707         (JSC::UnlinkedCodeBlock::evalContextType): Deleted.
2708         (JSC::UnlinkedCodeBlock::isArrowFunctionContext): Deleted.
2709         (JSC::UnlinkedCodeBlock::isClassContext): Deleted.
2710         (JSC::UnlinkedCodeBlock::hasExpressionInfo): Deleted.
2711         (JSC::UnlinkedCodeBlock::expressionInfo): Deleted.
2712         (JSC::UnlinkedCodeBlock::setThisRegister): Deleted.
2713         (JSC::UnlinkedCodeBlock::setScopeRegister): Deleted.
2714         (JSC::UnlinkedCodeBlock::usesGlobalObject): Deleted.
2715         (JSC::UnlinkedCodeBlock::setGlobalObjectRegister): Deleted.
2716         (JSC::UnlinkedCodeBlock::globalObjectRegister): Deleted.
2717         (JSC::UnlinkedCodeBlock::setNumParameters): Deleted.
2718         (JSC::UnlinkedCodeBlock::addParameter): Deleted.
2719         (JSC::UnlinkedCodeBlock::numParameters): Deleted.
2720         (JSC::UnlinkedCodeBlock::addRegExp): Deleted.
2721         (JSC::UnlinkedCodeBlock::numberOfRegExps): Deleted.
2722         (JSC::UnlinkedCodeBlock::regexp): Deleted.
2723         (JSC::UnlinkedCodeBlock::numberOfIdentifiers): Deleted.
2724         (JSC::UnlinkedCodeBlock::addIdentifier): Deleted.
2725         (JSC::UnlinkedCodeBlock::identifier): Deleted.
2726         (JSC::UnlinkedCodeBlock::identifiers): Deleted.
2727         (JSC::UnlinkedCodeBlock::addConstant): Deleted.
2728         (JSC::UnlinkedCodeBlock::registerIndexForLinkTimeConstant): Deleted.
2729         (JSC::UnlinkedCodeBlock::constantRegisters): Deleted.
2730         (JSC::UnlinkedCodeBlock::constantRegister): Deleted.
2731         (JSC::UnlinkedCodeBlock::isConstantRegisterIndex): Deleted.
2732         (JSC::UnlinkedCodeBlock::constantsSourceCodeRepresentation): Deleted.
2733         (JSC::UnlinkedCodeBlock::numberOfJumpTargets): Deleted.
2734         (JSC::UnlinkedCodeBlock::addJumpTarget): Deleted.
2735         (JSC::UnlinkedCodeBlock::jumpTarget): Deleted.
2736         (JSC::UnlinkedCodeBlock::lastJumpTarget): Deleted.
2737         (JSC::UnlinkedCodeBlock::isBuiltinFunction): Deleted.
2738         (JSC::UnlinkedCodeBlock::constructorKind): Deleted.
2739         (JSC::UnlinkedCodeBlock::superBinding): Deleted.
2740         (JSC::UnlinkedCodeBlock::scriptMode): Deleted.
2741         (JSC::UnlinkedCodeBlock::shrinkToFit): Deleted.
2742         (JSC::UnlinkedCodeBlock::numCalleeLocals): Deleted.
2743         (JSC::UnlinkedCodeBlock::numberOfSwitchJumpTables): Deleted.
2744         (JSC::UnlinkedCodeBlock::addSwitchJumpTable): Deleted.
2745         (JSC::UnlinkedCodeBlock::switchJumpTable): Deleted.
2746         (JSC::UnlinkedCodeBlock::numberOfStringSwitchJumpTables): Deleted.
2747         (JSC::UnlinkedCodeBlock::addStringSwitchJumpTable): Deleted.
2748         (JSC::UnlinkedCodeBlock::stringSwitchJumpTable): Deleted.
2749         (JSC::UnlinkedCodeBlock::addFunctionDecl): Deleted.
2750         (JSC::UnlinkedCodeBlock::functionDecl): Deleted.
2751         (JSC::UnlinkedCodeBlock::numberOfFunctionDecls): Deleted.
2752         (JSC::UnlinkedCodeBlock::addFunctionExpr): Deleted.
2753         (JSC::UnlinkedCodeBlock::functionExpr): Deleted.
2754         (JSC::UnlinkedCodeBlock::numberOfFunctionExprs): Deleted.
2755         (JSC::UnlinkedCodeBlock::numberOfExceptionHandlers): Deleted.
2756         (JSC::UnlinkedCodeBlock::addExceptionHandler): Deleted.
2757         (JSC::UnlinkedCodeBlock::exceptionHandler): Deleted.
2758         (JSC::UnlinkedCodeBlock::addArrayProfile): Deleted.
2759         (JSC::UnlinkedCodeBlock::numberOfArrayProfiles): Deleted.
2760         (JSC::UnlinkedCodeBlock::addArrayAllocationProfile): Deleted.
2761         (JSC::UnlinkedCodeBlock::numberOfArrayAllocationProfiles): Deleted.
2762         (JSC::UnlinkedCodeBlock::addObjectAllocationProfile): Deleted.
2763         (JSC::UnlinkedCodeBlock::numberOfObjectAllocationProfiles): Deleted.
2764         (JSC::UnlinkedCodeBlock::addValueProfile): Deleted.
2765         (JSC::UnlinkedCodeBlock::numberOfValueProfiles): Deleted.
2766         (JSC::UnlinkedCodeBlock::addLLIntCallLinkInfo): Deleted.
2767         (JSC::UnlinkedCodeBlock::numberOfLLintCallLinkInfos): Deleted.
2768         (JSC::UnlinkedCodeBlock::codeType): Deleted.
2769         (JSC::UnlinkedCodeBlock::thisRegister): Deleted.
2770         (JSC::UnlinkedCodeBlock::scopeRegister): Deleted.
2771         (JSC::UnlinkedCodeBlock::addPropertyAccessInstruction): Deleted.
2772         (JSC::UnlinkedCodeBlock::numberOfPropertyAccessInstructions): Deleted.
2773         (JSC::UnlinkedCodeBlock::propertyAccessInstructions): Deleted.
2774         (JSC::UnlinkedCodeBlock::constantBufferCount): Deleted.
2775         (JSC::UnlinkedCodeBlock::addConstantBuffer): Deleted.
2776         (JSC::UnlinkedCodeBlock::constantBuffer): Deleted.
2777         (JSC::UnlinkedCodeBlock::hasRareData): Deleted.
2778         (JSC::UnlinkedCodeBlock::recordParse): Deleted.
2779         (JSC::UnlinkedCodeBlock::sourceURLDirective): Deleted.
2780         (JSC::UnlinkedCodeBlock::sourceMappingURLDirective): Deleted.
2781         (JSC::UnlinkedCodeBlock::setSourceURLDirective): Deleted.
2782         (JSC::UnlinkedCodeBlock::setSourceMappingURLDirective): Deleted.
2783         (JSC::UnlinkedCodeBlock::codeFeatures): Deleted.
2784         (JSC::UnlinkedCodeBlock::hasCapturedVariables): Deleted.
2785         (JSC::UnlinkedCodeBlock::firstLine): Deleted.
2786         (JSC::UnlinkedCodeBlock::lineCount): Deleted.
2787         (JSC::UnlinkedCodeBlock::startColumn): Deleted.
2788         (JSC::UnlinkedCodeBlock::endColumn): Deleted.
2789         (JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset): Deleted.
2790         (JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets): Deleted.
2791         (JSC::UnlinkedCodeBlock::hasOpProfileControlFlowBytecodeOffsets): Deleted.
2792         (JSC::UnlinkedCodeBlock::wasCompiledWithDebuggingOpcodes): Deleted.
2793         (JSC::UnlinkedCodeBlock::didOptimize): Deleted.
2794         (JSC::UnlinkedCodeBlock::setDidOptimize): Deleted.
2795         (JSC::UnlinkedCodeBlock::finishCreation): Deleted.
2796         (JSC::UnlinkedCodeBlock::createRareDataIfNecessary): Deleted.
2797         (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock): Deleted.
2798         * bytecode/UnlinkedFunctionCodeBlock.cpp: Copied from Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp.
2799         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): Deleted.
2800         (JSC::UnlinkedCodeBlock::visitChildren): Deleted.
2801         (JSC::UnlinkedCodeBlock::estimatedSize): Deleted.
2802         (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset): Deleted.
2803         (JSC::UnlinkedCodeBlock::getLineAndColumn): Deleted.
2804         (JSC::dumpLineColumnEntry): Deleted.
2805         (JSC::UnlinkedCodeBlock::dumpExpressionRangeInfo): Deleted.
2806         (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset): Deleted.
2807         (JSC::UnlinkedCodeBlock::addExpressionInfo): Deleted.
2808         (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset): Deleted.
2809         (JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo): Deleted.
2810         (JSC::UnlinkedProgramCodeBlock::visitChildren): Deleted.
2811         (JSC::UnlinkedModuleProgramCodeBlock::visitChildren): Deleted.
2812         (JSC::UnlinkedCodeBlock::~UnlinkedCodeBlock): Deleted.
2813         (JSC::UnlinkedProgramCodeBlock::destroy): Deleted.
2814         (JSC::UnlinkedModuleProgramCodeBlock::destroy): Deleted.
2815         (JSC::UnlinkedEvalCodeBlock::destroy): Deleted.
2816         (JSC::UnlinkedFunctionExecutable::destroy): Deleted.
2817         (JSC::UnlinkedCodeBlock::setInstructions): Deleted.
2818         (JSC::UnlinkedCodeBlock::instructions): Deleted.
2819         (JSC::UnlinkedCodeBlock::handlerForBytecodeOffset): Deleted.
2820         (JSC::UnlinkedCodeBlock::handlerForIndex): Deleted.
2821         (JSC::UnlinkedCodeBlock::applyModification): Deleted.
2822         * bytecode/UnlinkedFunctionCodeBlock.h: Copied from Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h.
2823         (JSC::UnlinkedStringJumpTable::offsetForValue): Deleted.
2824         (JSC::UnlinkedSimpleJumpTable::add): Deleted.
2825         (JSC::UnlinkedInstruction::UnlinkedInstruction): Deleted.
2826         (JSC::UnlinkedCodeBlock::isConstructor): Deleted.
2827         (JSC::UnlinkedCodeBlock::isStrictMode): Deleted.
2828         (JSC::UnlinkedCodeBlock::usesEval): Deleted.
2829         (JSC::UnlinkedCodeBlock::parseMode): Deleted.
2830         (JSC::UnlinkedCodeBlock::isArrowFunction): Deleted.
2831         (JSC::UnlinkedCodeBlock::derivedContextType): Deleted.
2832         (JSC::UnlinkedCodeBlock::evalContextType): Deleted.
2833         (JSC::UnlinkedCodeBlock::isArrowFunctionContext): Deleted.
2834         (JSC::UnlinkedCodeBlock::isClassContext): Deleted.
2835         (JSC::UnlinkedCodeBlock::hasExpressionInfo): Deleted.
2836         (JSC::UnlinkedCodeBlock::expressionInfo): Deleted.
2837         (JSC::UnlinkedCodeBlock::setThisRegister): Deleted.
2838         (JSC::UnlinkedCodeBlock::setScopeRegister): Deleted.
2839         (JSC::UnlinkedCodeBlock::usesGlobalObject): Deleted.
2840         (JSC::UnlinkedCodeBlock::setGlobalObjectRegister): Deleted.
2841         (JSC::UnlinkedCodeBlock::globalObjectRegister): Deleted.
2842         (JSC::UnlinkedCodeBlock::setNumParameters): Deleted.
2843         (JSC::UnlinkedCodeBlock::addParameter): Deleted.
2844         (JSC::UnlinkedCodeBlock::numParameters): Deleted.
2845         (JSC::UnlinkedCodeBlock::addRegExp): Deleted.
2846         (JSC::UnlinkedCodeBlock::numberOfRegExps): Deleted.
2847         (JSC::UnlinkedCodeBlock::regexp): Deleted.
2848         (JSC::UnlinkedCodeBlock::numberOfIdentifiers): Deleted.
2849         (JSC::UnlinkedCodeBlock::addIdentifier): Deleted.
2850         (JSC::UnlinkedCodeBlock::identifier): Deleted.
2851         (JSC::UnlinkedCodeBlock::identifiers): Deleted.
2852         (JSC::UnlinkedCodeBlock::addConstant): Deleted.
2853         (JSC::UnlinkedCodeBlock::registerIndexForLinkTimeConstant): Deleted.
2854         (JSC::UnlinkedCodeBlock::constantRegisters): Deleted.
2855         (JSC::UnlinkedCodeBlock::constantRegister): Deleted.
2856         (JSC::UnlinkedCodeBlock::isConstantRegisterIndex): Deleted.
2857         (JSC::UnlinkedCodeBlock::constantsSourceCodeRepresentation): Deleted.
2858         (JSC::UnlinkedCodeBlock::numberOfJumpTargets): Deleted.
2859         (JSC::UnlinkedCodeBlock::addJumpTarget): Deleted.
2860         (JSC::UnlinkedCodeBlock::jumpTarget): Deleted.
2861         (JSC::UnlinkedCodeBlock::lastJumpTarget): Deleted.
2862         (JSC::UnlinkedCodeBlock::isBuiltinFunction): Deleted.
2863         (JSC::UnlinkedCodeBlock::constructorKind): Deleted.
2864         (JSC::UnlinkedCodeBlock::superBinding): Deleted.
2865         (JSC::UnlinkedCodeBlock::scriptMode): Deleted.
2866         (JSC::UnlinkedCodeBlock::shrinkToFit): Deleted.
2867         (JSC::UnlinkedCodeBlock::numCalleeLocals): Deleted.
2868         (JSC::UnlinkedCodeBlock::numberOfSwitchJumpTables): Deleted.
2869         (JSC::UnlinkedCodeBlock::addSwitchJumpTable): Deleted.
2870         (JSC::UnlinkedCodeBlock::switchJumpTable): Deleted.
2871         (JSC::UnlinkedCodeBlock::numberOfStringSwitchJumpTables): Deleted.
2872         (JSC::UnlinkedCodeBlock::addStringSwitchJumpTable): Deleted.
2873         (JSC::UnlinkedCodeBlock::stringSwitchJumpTable): Deleted.
2874         (JSC::UnlinkedCodeBlock::addFunctionDecl): Deleted.
2875         (JSC::UnlinkedCodeBlock::functionDecl): Deleted.
2876         (JSC::UnlinkedCodeBlock::numberOfFunctionDecls): Deleted.
2877         (JSC::UnlinkedCodeBlock::addFunctionExpr): Deleted.
2878         (JSC::UnlinkedCodeBlock::functionExpr): Deleted.
2879         (JSC::UnlinkedCodeBlock::numberOfFunctionExprs): Deleted.
2880         (JSC::UnlinkedCodeBlock::numberOfExceptionHandlers): Deleted.
2881         (JSC::UnlinkedCodeBlock::addExceptionHandler): Deleted.
2882         (JSC::UnlinkedCodeBlock::exceptionHandler): Deleted.
2883         (JSC::UnlinkedCodeBlock::addArrayProfile): Deleted.
2884         (JSC::UnlinkedCodeBlock::numberOfArrayProfiles): Deleted.
2885         (JSC::UnlinkedCodeBlock::addArrayAllocationProfile): Deleted.
2886         (JSC::UnlinkedCodeBlock::numberOfArrayAllocationProfiles): Deleted.
2887         (JSC::UnlinkedCodeBlock::addObjectAllocationProfile): Deleted.
2888         (JSC::UnlinkedCodeBlock::numberOfObjectAllocationProfiles): Deleted.
2889         (JSC::UnlinkedCodeBlock::addValueProfile): Deleted.
2890         (JSC::UnlinkedCodeBlock::numberOfValueProfiles): Deleted.
2891         (JSC::UnlinkedCodeBlock::addLLIntCallLinkInfo): Deleted.
2892         (JSC::UnlinkedCodeBlock::numberOfLLintCallLinkInfos): Deleted.
2893         (JSC::UnlinkedCodeBlock::codeType): Deleted.
2894         (JSC::UnlinkedCodeBlock::thisRegister): Deleted.
2895         (JSC::UnlinkedCodeBlock::scopeRegister): Deleted.
2896         (JSC::UnlinkedCodeBlock::addPropertyAccessInstruction): Deleted.
2897         (JSC::UnlinkedCodeBlock::numberOfPropertyAccessInstructions): Deleted.
2898         (JSC::UnlinkedCodeBlock::propertyAccessInstructions): Deleted.
2899         (JSC::UnlinkedCodeBlock::constantBufferCount): Deleted.
2900         (JSC::UnlinkedCodeBlock::addConstantBuffer): Deleted.
2901         (JSC::UnlinkedCodeBlock::constantBuffer): Deleted.
2902         (JSC::UnlinkedCodeBlock::hasRareData): Deleted.
2903         (JSC::UnlinkedCodeBlock::recordParse): Deleted.
2904         (JSC::UnlinkedCodeBlock::sourceURLDirective): Deleted.
2905         (JSC::UnlinkedCodeBlock::sourceMappingURLDirective): Deleted.
2906         (JSC::UnlinkedCodeBlock::setSourceURLDirective): Deleted.
2907         (JSC::UnlinkedCodeBlock::setSourceMappingURLDirective): Deleted.
2908         (JSC::UnlinkedCodeBlock::codeFeatures): Deleted.
2909         (JSC::UnlinkedCodeBlock::hasCapturedVariables): Deleted.
2910         (JSC::UnlinkedCodeBlock::firstLine): Deleted.
2911         (JSC::UnlinkedCodeBlock::lineCount): Deleted.
2912         (JSC::UnlinkedCodeBlock::startColumn): Deleted.
2913         (JSC::UnlinkedCodeBlock::endColumn): Deleted.
2914         (JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset): Deleted.
2915         (JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets): Deleted.
2916         (JSC::UnlinkedCodeBlock::hasOpProfileControlFlowBytecodeOffsets): Deleted.
2917         (JSC::UnlinkedCodeBlock::wasCompiledWithDebuggingOpcodes): Deleted.
2918         (JSC::UnlinkedCodeBlock::didOptimize): Deleted.
2919         (JSC::UnlinkedCodeBlock::setDidOptimize): Deleted.
2920         (JSC::UnlinkedCodeBlock::finishCreation): Deleted.
2921         (JSC::UnlinkedCodeBlock::createRareDataIfNecessary): Deleted.
2922         (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock): Deleted.
2923         * bytecode/UnlinkedFunctionExecutable.cpp:
2924         (JSC::UnlinkedFunctionExecutable::destroy):
2925         * bytecode/UnlinkedGlobalCodeBlock.h: Copied from Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h.
2926         (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock):
2927         (JSC::UnlinkedStringJumpTable::offsetForValue): Deleted.
2928         (JSC::UnlinkedSimpleJumpTable::add): Deleted.
2929         (JSC::UnlinkedInstruction::UnlinkedInstruction): Deleted.
2930         (): Deleted.
2931         (JSC::UnlinkedCodeBlock::isConstructor): Deleted.
2932         (JSC::UnlinkedCodeBlock::isStrictMode): Deleted.
2933         (JSC::UnlinkedCodeBlock::usesEval): Deleted.
2934         (JSC::UnlinkedCodeBlock::parseMode): Deleted.
2935         (JSC::UnlinkedCodeBlock::isArrowFunction): Deleted.
2936         (JSC::UnlinkedCodeBlock::derivedContextType): Deleted.
2937         (JSC::UnlinkedCodeBlock::evalContextType): Deleted.
2938         (JSC::UnlinkedCodeBlock::isArrowFunctionContext): Deleted.
2939         (JSC::UnlinkedCodeBlock::isClassContext): Deleted.
2940         (JSC::UnlinkedCodeBlock::hasExpressionInfo): Deleted.
2941         (JSC::UnlinkedCodeBlock::expressionInfo): Deleted.
2942         (JSC::UnlinkedCodeBlock::setThisRegister): Deleted.
2943         (JSC::UnlinkedCodeBlock::setScopeRegister): Deleted.
2944         (JSC::UnlinkedCodeBlock::usesGlobalObject): Deleted.
2945         (JSC::UnlinkedCodeBlock::setGlobalObjectRegister): Deleted.
2946         (JSC::UnlinkedCodeBlock::globalObjectRegister): Deleted.
2947         (JSC::UnlinkedCodeBlock::setNumParameters): Deleted.
2948         (JSC::UnlinkedCodeBlock::addParameter): Deleted.
2949         (JSC::UnlinkedCodeBlock::numParameters): Deleted.
2950         (JSC::UnlinkedCodeBlock::addRegExp): Deleted.
2951         (JSC::UnlinkedCodeBlock::numberOfRegExps): Deleted.
2952         (JSC::UnlinkedCodeBlock::regexp): Deleted.
2953         (JSC::UnlinkedCodeBlock::numberOfIdentifiers): Deleted.
2954         (JSC::UnlinkedCodeBlock::addIdentifier): Deleted.
2955         (JSC::UnlinkedCodeBlock::identifier): Deleted.
2956         (JSC::UnlinkedCodeBlock::identifiers): Deleted.
2957         (JSC::UnlinkedCodeBlock::addConstant): Deleted.
2958         (JSC::UnlinkedCodeBlock::registerIndexForLinkTimeConstant): Deleted.
2959         (JSC::UnlinkedCodeBlock::constantRegisters): Deleted.
2960         (JSC::UnlinkedCodeBlock::constantRegister): Deleted.
2961         (JSC::UnlinkedCodeBlock::isConstantRegisterIndex): Deleted.
2962         (JSC::UnlinkedCodeBlock::constantsSourceCodeRepresentation): Deleted.
2963         (JSC::UnlinkedCodeBlock::numberOfJumpTargets): Deleted.
2964         (JSC::UnlinkedCodeBlock::addJumpTarget): Deleted.
2965         (JSC::UnlinkedCodeBlock::jumpTarget): Deleted.
2966         (JSC::UnlinkedCodeBlock::lastJumpTarget): Deleted.
2967         (JSC::UnlinkedCodeBlock::isBuiltinFunction): Deleted.
2968         (JSC::UnlinkedCodeBlock::constructorKind): Deleted.
2969         (JSC::UnlinkedCodeBlock::superBinding): Deleted.
2970         (JSC::UnlinkedCodeBlock::scriptMode): Deleted.
2971         (JSC::UnlinkedCodeBlock::shrinkToFit): Deleted.
2972         (JSC::UnlinkedCodeBlock::numCalleeLocals): Deleted.
2973         (JSC::UnlinkedCodeBlock::numberOfSwitchJumpTables): Deleted.
2974         (JSC::UnlinkedCodeBlock::addSwitchJumpTable): Deleted.
2975         (JSC::UnlinkedCodeBlock::switchJumpTable): Deleted.
2976         (JSC::UnlinkedCodeBlock::numberOfStringSwitchJumpTables): Deleted.
2977         (JSC::UnlinkedCodeBlock::addStringSwitchJumpTable): Deleted.
2978         (JSC::UnlinkedCodeBlock::stringSwitchJumpTable): Deleted.
2979         (JSC::UnlinkedCodeBlock::addFunctionDecl): Deleted.
2980         (JSC::UnlinkedCodeBlock::functionDecl): Deleted.
2981         (JSC::UnlinkedCodeBlock::numberOfFunctionDecls): Deleted.
2982         (JSC::UnlinkedCodeBlock::addFunctionExpr): Deleted.
2983         (JSC::UnlinkedCodeBlock::functionExpr): Deleted.
2984         (JSC::UnlinkedCodeBlock::numberOfFunctionExprs): Deleted.
2985         (JSC::UnlinkedCodeBlock::numberOfExceptionHandlers): Deleted.
2986         (JSC::UnlinkedCodeBlock::addExceptionHandler): Deleted.
2987         (JSC::UnlinkedCodeBlock::exceptionHandler): Deleted.
2988         (JSC::UnlinkedCodeBlock::addArrayProfile): Deleted.
2989         (JSC::UnlinkedCodeBlock::numberOfArrayProfiles): Deleted.
2990         (JSC::UnlinkedCodeBlock::addArrayAllocationProfile): Deleted.
2991         (JSC::UnlinkedCodeBlock::numberOfArrayAllocationProfiles): Deleted.
2992         (JSC::UnlinkedCodeBlock::addObjectAllocationProfile): Deleted.
2993         (JSC::UnlinkedCodeBlock::numberOfObjectAllocationProfiles): Deleted.
2994         (JSC::UnlinkedCodeBlock::addValueProfile): Deleted.
2995         (JSC::UnlinkedCodeBlock::numberOfValueProfiles): Deleted.
2996         (JSC::UnlinkedCodeBlock::addLLIntCallLinkInfo): Deleted.
2997         (JSC::UnlinkedCodeBlock::numberOfLLintCallLinkInfos): Deleted.
2998         (JSC::UnlinkedCodeBlock::codeType): Deleted.
2999         (JSC::UnlinkedCodeBlock::thisRegister): Deleted.
3000         (JSC::UnlinkedCodeBlock::scopeRegister): Deleted.
3001         (JSC::UnlinkedCodeBlock::addPropertyAccessInstruction): Deleted.
3002         (JSC::UnlinkedCodeBlock::numberOfPropertyAccessInstructions): Deleted.
3003         (JSC::UnlinkedCodeBlock::propertyAccessInstructions): Deleted.
3004         (JSC::UnlinkedCodeBlock::constantBufferCount): Deleted.
3005         (JSC::UnlinkedCodeBlock::addConstantBuffer): Deleted.
3006         (JSC::UnlinkedCodeBlock::constantBuffer): Deleted.
3007         (JSC::UnlinkedCodeBlock::hasRareData): Deleted.
3008         (JSC::UnlinkedCodeBlock::recordParse): Deleted.
3009         (JSC::UnlinkedCodeBlock::sourceURLDirective): Deleted.
3010         (JSC::UnlinkedCodeBlock::sourceMappingURLDirective): Deleted.
3011         (JSC::UnlinkedCodeBlock::setSourceURLDirective): Deleted.
3012         (JSC::UnlinkedCodeBlock::setSourceMappingURLDirective): Deleted.
3013         (JSC::UnlinkedCodeBlock::codeFeatures): Deleted.
3014         (JSC::UnlinkedCodeBlock::hasCapturedVariables): Deleted.
3015         (JSC::UnlinkedCodeBlock::firstLine): Deleted.
3016         (JSC::UnlinkedCodeBlock::lineCount): Deleted.
3017         (JSC::UnlinkedCodeBlock::startColumn): Deleted.
3018         (JSC::UnlinkedCodeBlock::endColumn): Deleted.
3019         (JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset): Deleted.
3020         (JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets): Deleted.
3021         (JSC::UnlinkedCodeBlock::hasOpProfileControlFlowBytecodeOffsets): Deleted.
3022         (JSC::UnlinkedCodeBlock::wasCompiledWithDebuggingOpcodes): Deleted.
3023         (JSC::UnlinkedCodeBlock::didOptimize): Deleted.
3024         (JSC::UnlinkedCodeBlock::setDidOptimize): Deleted.
3025         (JSC::UnlinkedCodeBlock::finishCreation): Deleted.
3026         (JSC::UnlinkedCodeBlock::createRareDataIfNecessary): Deleted.
3027         * bytecode/UnlinkedModuleProgramCodeBlock.cpp: Copied from Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp.
3028         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): Deleted.
3029         (JSC::UnlinkedCodeBlock::visitChildren): Deleted.
3030         (JSC::UnlinkedCodeBlock::estimatedSize): Deleted.
3031         (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset): Deleted.
3032         (JSC::UnlinkedCodeBlock::getLineAndColumn): Deleted.
3033         (JSC::dumpLineColumnEntry): Deleted.
3034         (JSC::UnlinkedCodeBlock::dumpExpressionRangeInfo): Deleted.
3035         (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset): Deleted.
3036         (JSC::UnlinkedCodeBlock::addExpressionInfo): Deleted.
3037         (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset): Deleted.
3038         (JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo): Deleted.
3039         (JSC::UnlinkedProgramCodeBlock::visitChildren): Deleted.
3040         (JSC::UnlinkedCodeBlock::~UnlinkedCodeBlock): Deleted.
3041         (JSC::UnlinkedProgramCodeBlock::destroy): Deleted.
3042         (JSC::UnlinkedEvalCodeBlock::destroy): Deleted.
3043         (JSC::UnlinkedFunctionCodeBlock::destroy): Deleted.
3044         (JSC::UnlinkedFunctionExecutable::destroy): Deleted.
3045         (JSC::UnlinkedCodeBlock::setInstructions): Deleted.
3046         (JSC::UnlinkedCodeBlock::instructions): Deleted.
3047         (JSC::UnlinkedCodeBlock::handlerForBytecodeOffset): Deleted.
3048         (JSC::UnlinkedCodeBlock::handlerForIndex): Deleted.
3049         (JSC::UnlinkedCodeBlock::applyModification): Deleted.
3050         * bytecode/UnlinkedModuleProgramCodeBlock.h: Copied from Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h.
3051         (JSC::UnlinkedStringJumpTable::offsetForValue): Deleted.
3052         (JSC::UnlinkedSimpleJumpTable::add): Deleted.
3053         (JSC::UnlinkedInstruction::UnlinkedInstruction): Deleted.
3054         (JSC::UnlinkedCodeBlock::isConstructor): Deleted.
3055         (JSC::UnlinkedCodeBlock::isStrictMode): Deleted.
3056         (JSC::UnlinkedCodeBlock::usesEval): Deleted.
3057         (JSC::UnlinkedCodeBlock::parseMode): Deleted.
3058         (JSC::UnlinkedCodeBlock::isArrowFunction): Deleted.
3059         (JSC::UnlinkedCodeBlock::derivedContextType): Deleted.
3060         (JSC::UnlinkedCodeBlock::evalContextType): Deleted.
3061         (JSC::UnlinkedCodeBlock::isArrowFunctionContext): Deleted.
3062         (JSC::UnlinkedCodeBlock::isClassContext): Deleted.
3063         (JSC::UnlinkedCodeBlock::hasExpressionInfo): Deleted.
3064         (JSC::UnlinkedCodeBlock::expressionInfo): Deleted.
3065         (JSC::UnlinkedCodeBlock::setThisRegister): Deleted.
3066         (JSC::UnlinkedCodeBlock::setScopeRegister): Deleted.
3067         (JSC::UnlinkedCodeBlock::usesGlobalObject): Deleted.
3068         (JSC::UnlinkedCodeBlock::setGlobalObjectRegister): Deleted.
3069         (JSC::UnlinkedCodeBlock::globalObjectRegister): Deleted.
3070         (JSC::UnlinkedCodeBlock::setNumParameters): Deleted.
3071         (JSC::UnlinkedCodeBlock::addParameter): Deleted.
3072         (JSC::UnlinkedCodeBlock::numParameters): Deleted.
3073         (JSC::UnlinkedCodeBlock::addRegExp): Deleted.
3074         (JSC::UnlinkedCodeBlock::numberOfRegExps): Deleted.
3075         (JSC::UnlinkedCodeBlock::regexp): Deleted.
3076         (JSC::UnlinkedCodeBlock::numberOfIdentifiers): Deleted.
3077         (JSC::UnlinkedCodeBlock::addIdentifier): Deleted.
3078         (JSC::UnlinkedCodeBlock::identifier): Deleted.
3079         (JSC::UnlinkedCodeBlock::identifiers): Deleted.
3080         (JSC::UnlinkedCodeBlock::addConstant): Deleted.
3081         (JSC::UnlinkedCodeBlock::registerIndexForLinkTimeConstant): Deleted.
3082         (JSC::UnlinkedCodeBlock::constantRegisters): Deleted.
3083         (JSC::UnlinkedCodeBlock::constantRegister): Deleted.
3084         (JSC::UnlinkedCodeBlock::isConstantRegisterIndex): Deleted.
3085         (JSC::UnlinkedCodeBlock::constantsSourceCodeRepresentation): Deleted.
3086         (JSC::UnlinkedCodeBlock::numberOfJumpTargets): Deleted.
3087         (JSC::UnlinkedCodeBlock::addJumpTarget): Deleted.
3088         (JSC::UnlinkedCodeBlock::jumpTarget): Deleted.
3089         (JSC::UnlinkedCodeBlock::lastJumpTarget): Deleted.
3090         (JSC::UnlinkedCodeBlock::isBuiltinFunction): Deleted.
3091         (JSC::UnlinkedCodeBlock::constructorKind): Deleted.
3092         (JSC::UnlinkedCodeBlock::superBinding): Deleted.
3093         (JSC::UnlinkedCodeBlock::scriptMode): Deleted.
3094         (JSC::UnlinkedCodeBlock::shrinkToFit): Deleted.
3095         (JSC::UnlinkedCodeBlock::numCalleeLocals): Deleted.
3096         (JSC::UnlinkedCodeBlock::numberOfSwitchJumpTables): Deleted.
3097         (JSC::UnlinkedCodeBlock::addSwitchJumpTable): Deleted.
3098         (JSC::UnlinkedCodeBlock::switchJumpTable): Deleted.
3099         (JSC::UnlinkedCodeBlock::numberOfStringSwitchJumpTables): Deleted.
3100         (JSC::UnlinkedCodeBlock::addStringSwitchJumpTable): Deleted.
3101         (JSC::UnlinkedCodeBlock::stringSwitchJumpTable): Deleted.
3102         (JSC::UnlinkedCodeBlock::addFunctionDecl): Deleted.
3103         (JSC::UnlinkedCodeBlock::functionDecl): Deleted.
3104         (JSC::UnlinkedCodeBlock::numberOfFunctionDecls): Deleted.
3105         (JSC::UnlinkedCodeBlock::addFunctionExpr): Deleted.
3106         (JSC::UnlinkedCodeBlock::functionExpr): Deleted.
3107         (JSC::UnlinkedCodeBlock::numberOfFunctionExprs): Deleted.
3108         (JSC::UnlinkedCodeBlock::numberOfExceptionHandlers): Deleted.
3109         (JSC::UnlinkedCodeBlock::addExceptionHandler): Deleted.
3110         (JSC::UnlinkedCodeBlock::exceptionHandler): Deleted.
3111         (JSC::UnlinkedCodeBlock::addArrayProfile): Deleted.
3112         (JSC::UnlinkedCodeBlock::numberOfArrayProfiles): Deleted.
3113         (JSC::UnlinkedCodeBlock::addArrayAllocationProfile): Deleted.
3114         (JSC::UnlinkedCodeBlock::numberOfArrayAllocationProfiles): Deleted.
3115         (JSC::UnlinkedCodeBlock::addObjectAllocationProfile): Deleted.
3116         (JSC::UnlinkedCodeBlock::numberOfObjectAllocationProfiles): Deleted.
3117         (JSC::UnlinkedCodeBlock::addValueProfile): Deleted.
3118         (JSC::UnlinkedCodeBlock::numberOfValueProfiles): Deleted.
3119         (JSC::UnlinkedCodeBlock::addLLIntCallLinkInfo): Deleted.
3120         (JSC::UnlinkedCodeBlock::numberOfLLintCallLinkInfos): Deleted.
3121         (JSC::UnlinkedCodeBlock::codeType): Deleted.
3122         (JSC::UnlinkedCodeBlock::thisRegister): Deleted.
3123         (JSC::UnlinkedCodeBlock::scopeRegister): Deleted.
3124         (JSC::UnlinkedCodeBlock::addPropertyAccessInstruction): Deleted.
3125         (JSC::UnlinkedCodeBlock::numberOfPropertyAccessInstructions): Deleted.
3126         (JSC::UnlinkedCodeBlock::propertyAccessInstructions): Deleted.
3127         (JSC::UnlinkedCodeBlock::constantBufferCount): Deleted.
3128         (JSC::UnlinkedCodeBlock::addConstantBuffer): Deleted.
3129         (JSC::UnlinkedCodeBlock::constantBuffer): Deleted.
3130         (JSC::UnlinkedCodeBlock::hasRareData): Deleted.
3131         (JSC::UnlinkedCodeBlock::recordParse): Deleted.
3132         (JSC::UnlinkedCodeBlock::sourceURLDirective): Deleted.
3133         (JSC::UnlinkedCodeBlock::sourceMappingURLDirective): Deleted.
3134         (JSC::UnlinkedCodeBlock::setSourceURLDirective): Deleted.
3135         (JSC::UnlinkedCodeBlock::setSourceMappingURLDirective): Deleted.
3136         (JSC::UnlinkedCodeBlock::codeFeatures): Deleted.
3137         (JSC::UnlinkedCodeBlock::hasCapturedVariables): Deleted.
3138         (JSC::UnlinkedCodeBlock::firstLine): Deleted.
3139         (JSC::UnlinkedCodeBlock::lineCount): Deleted.
3140         (JSC::UnlinkedCodeBlock::startColumn): Deleted.
3141         (JSC::UnlinkedCodeBlock::endColumn): Deleted.
3142         (JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset): Deleted.
3143         (JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets): Deleted.
3144         (JSC::UnlinkedCodeBlock::hasOpProfileControlFlowBytecodeOffsets): Deleted.
3145         (JSC::UnlinkedCodeBlock::wasCompiledWithDebuggingOpcodes): Deleted.
3146         (JSC::UnlinkedCodeBlock::didOptimize): Deleted.
3147         (JSC::UnlinkedCodeBlock::setDidOptimize): Deleted.
3148         (JSC::UnlinkedCodeBlock::finishCreation): Deleted.
3149         (JSC::UnlinkedCodeBlock::createRareDataIfNecessary): Deleted.
3150         (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock): Deleted.
3151         * bytecode/UnlinkedProgramCodeBlock.cpp: Copied from Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp.
3152         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): Deleted.
3153         (JSC::UnlinkedCodeBlock::visitChildren): Deleted.
3154         (JSC::UnlinkedCodeBlock::estimatedSize): Deleted.
3155         (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset): Deleted.
3156         (JSC::UnlinkedCodeBlock::getLineAndColumn): Deleted.
3157         (JSC::dumpLineColumnEntry): Deleted.
3158         (JSC::UnlinkedCodeBlock::dumpExpressionRangeInfo): Deleted.
3159         (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset): Deleted.
3160         (JSC::UnlinkedCodeBlock::addExpressionInfo): Deleted.
3161         (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset): Deleted.
3162         (JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo): Deleted.
3163         (JSC::UnlinkedModuleProgramCodeBlock::visitChildren): Deleted.
3164         (JSC::UnlinkedCodeBlock::~UnlinkedCodeBlock): Deleted.
3165         (JSC::UnlinkedModuleProgramCodeBlock::destroy): Deleted.
3166         (JSC::UnlinkedEvalCodeBlock::destroy): Deleted.
3167         (JSC::UnlinkedFunctionCodeBlock::destroy): Deleted.
3168         (JSC::UnlinkedFunctionExecutable::destroy): Deleted.
3169         (JSC::UnlinkedCodeBlock::setInstructions): Deleted.
3170         (JSC::UnlinkedCodeBlock::instructions): Deleted.
3171         (JSC::UnlinkedCodeBlock::handlerForBytecodeOffset): Deleted.
3172         (JSC::UnlinkedCodeBlock::handlerForIndex): Deleted.
3173         (JSC::UnlinkedCodeBlock::applyModification): Deleted.
3174         * bytecode/UnlinkedProgramCodeBlock.h: Copied from Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h.
3175         (JSC::UnlinkedStringJumpTable::offsetForValue): Deleted.
3176         (JSC::UnlinkedSimpleJumpTable::add): Deleted.
3177         (JSC::UnlinkedInstruction::UnlinkedInstruction): Deleted.
3178         (JSC::UnlinkedCodeBlock::isConstructor): Deleted.
3179         (JSC::UnlinkedCodeBlock::isStrictMode): Deleted.
3180         (JSC::UnlinkedCodeBlock::usesEval): Deleted.
3181         (JSC::UnlinkedCodeBlock::parseMode): Deleted.
3182         (JSC::UnlinkedCodeBlock::isArrowFunction): Deleted.
3183         (JSC::UnlinkedCodeBlock::derivedContextType): Deleted.
3184         (JSC::UnlinkedCodeBlock::evalContextType): Deleted.
3185         (JSC::UnlinkedCodeBlock::isArrowFunctionContext): Deleted.
3186         (JSC::UnlinkedCodeBlock::isClassContext): Deleted.
3187         (JSC::UnlinkedCodeBlock::hasExpressionInfo): Deleted.
3188         (JSC::UnlinkedCodeBlock::expressionInfo): Deleted.
3189         (JSC::UnlinkedCodeBlock::setThisRegister): Deleted.
3190         (JSC::UnlinkedCodeBlock::setScopeRegister): Deleted.
3191         (JSC::UnlinkedCodeBlock::usesGlobalObject): Deleted.
3192         (JSC::UnlinkedCodeBlock::setGlobalObjectRegister): Deleted.
3193         (JSC::UnlinkedCodeBlock::globalObjectRegister): Deleted.
3194         (JSC::UnlinkedCodeBlock::setNumParameters): Deleted.
3195         (JSC::UnlinkedCodeBlock::addParameter): Deleted.
3196         (JSC::UnlinkedCodeBlock::numParameters): Deleted.
3197         (JSC::UnlinkedCodeBlock::addRegExp): Deleted.
3198         (JSC::UnlinkedCodeBlock::numberOfRegExps): Deleted.
3199         (JSC::UnlinkedCodeBlock::regexp): Deleted.
3200         (JSC::UnlinkedCodeBlock::numberOfIdentifiers): Deleted.
3201         (JSC::UnlinkedCodeBlock::addIdentifier): Deleted.
3202         (JSC::UnlinkedCodeBlock::identifier): Deleted.
3203         (JSC::UnlinkedCodeBlock::identifiers): Deleted.
3204         (JSC::UnlinkedCodeBlock::addConstant): Deleted.
3205         (JSC::UnlinkedCodeBlock::registerIndexForLinkTimeConstant): Deleted.
3206         (JSC::UnlinkedCodeBlock::constantRegisters): Deleted.
3207         (JSC::UnlinkedCodeBlock::constantRegister): Deleted.
3208         (JSC::UnlinkedCodeBlock::isConstantRegisterIndex): Deleted.
3209         (JSC::UnlinkedCodeBlock::constantsSourceCodeRepresentation): Deleted.
3210         (JSC::UnlinkedCodeBlock::numberOfJumpTargets): Deleted.
3211         (JSC::UnlinkedCodeBlock::addJumpTarget): Deleted.
3212         (JSC::UnlinkedCodeBlock::jumpTarget): Deleted.
3213         (JSC::UnlinkedCodeBlock::lastJumpTarget): Deleted.
3214         (JSC::UnlinkedCodeBlock::isBuiltinFunction): Deleted.
3215         (JSC::UnlinkedCodeBlock::constructorKind): Deleted.
3216         (JSC::UnlinkedCodeBlock::superBinding): Deleted.
3217         (JSC::UnlinkedCodeBlock::scriptMode): Deleted.
3218         (JSC::UnlinkedCodeBlock::shrinkToFit): Deleted.
3219         (JSC::UnlinkedCodeBlock::numCalleeLocals): Deleted.
3220         (JSC::UnlinkedCodeBlock::numberOfSwitchJumpTables): Deleted.
3221         (JSC::UnlinkedCodeBlock::addSwitchJumpTable): Deleted.
3222         (JSC::UnlinkedCodeBlock::switchJumpTable): Deleted.
3223         (JSC::UnlinkedCodeBlock::numberOfStringSwitchJumpTables): Deleted.
3224         (JSC::UnlinkedCodeBlock::addStringSwitchJumpTable): Deleted.
3225         (JSC::UnlinkedCodeBlock::stringSwitchJumpTable): Deleted.
3226         (JSC::UnlinkedCodeBlock::addFunctionDecl): Deleted.
3227         (JSC::UnlinkedCodeBlock::functionDecl): Deleted.
3228         (JSC::UnlinkedCodeBlock::numberOfFunctionDecls): Deleted.
3229         (JSC::UnlinkedCodeBlock::addFunctionExpr): Deleted.
3230         (JSC::UnlinkedCodeBlock::functionExpr): Deleted.
3231         (JSC::UnlinkedCodeBlock::numberOfFunctionExprs): Deleted.
3232         (JSC::UnlinkedCodeBlock::numberOfExceptionHandlers): Deleted.
3233         (JSC::UnlinkedCodeBlock::addExceptionHandler): Deleted.
3234         (JSC::UnlinkedCodeBlock::exceptionHandler): Deleted.
3235         (JSC::UnlinkedCodeBlock::addArrayProfile): Deleted.
3236         (JSC::UnlinkedCodeBlock::numberOfArrayProfiles): Deleted.
3237         (JSC::UnlinkedCodeBlock::addArrayAllocationProfile): Deleted.
3238         (JSC::UnlinkedCodeBlock::numberOfArrayAllocationProfiles): Deleted.
3239         (JSC::UnlinkedCodeBlock::addObjectAllocationProfile): Deleted.
3240         (JSC::UnlinkedCodeBlock::numberOfObjectAllocationProfiles): Deleted.
3241         (JSC::UnlinkedCodeBlock::addValueProfile): Deleted.
3242         (JSC::UnlinkedCodeBlock::numberOfValueProfiles): Deleted.
3243         (JSC::UnlinkedCodeBlock::addLLIntCallLinkInfo): Deleted.
3244         (JSC::UnlinkedCodeBlock::numberOfLLintCallLinkInfos): Deleted.
3245         (JSC::UnlinkedCodeBlock::codeType): Deleted.
3246         (JSC::UnlinkedCodeBlock::thisRegister): Deleted.
3247         (JSC::UnlinkedCodeBlock::scopeRegister): Deleted.
3248         (JSC::UnlinkedCodeBlock::addPropertyAccessInstruction): Deleted.
3249         (JSC::UnlinkedCodeBlock::numberOfPropertyAccessInstructions): Deleted.
3250         (JSC::UnlinkedCodeBlock::propertyAccessInstructions): Deleted.
3251         (JSC::UnlinkedCodeBlock::constantBufferCount): Deleted.
3252         (JSC::UnlinkedCodeBlock::addConstantBuffer): Deleted.
3253         (JSC::UnlinkedCodeBlock::constantBuffer): Deleted.
3254         (JSC::UnlinkedCodeBlock::hasRareData): Deleted.
3255         (JSC::UnlinkedCodeBlock::recordParse): Deleted.
3256         (JSC::UnlinkedCodeBlock::sourceURLDirective): Deleted.
3257         (JSC::UnlinkedCodeBlock::sourceMappingURLDirective): Deleted.
3258         (JSC::UnlinkedCodeBlock::setSourceURLDirective): Deleted.
3259         (JSC::UnlinkedCodeBlock::setSourceMappingURLDirective): Deleted.
3260         (JSC::UnlinkedCodeBlock::codeFeatures): Deleted.
3261         (JSC::UnlinkedCodeBlock::hasCapturedVariables): Deleted.
3262         (JSC::UnlinkedCodeBlock::firstLine): Deleted.
3263         (JSC::UnlinkedCodeBlock::lineCount): Deleted.
3264         (JSC::UnlinkedCodeBlock::startColumn): Deleted.
3265         (JSC::UnlinkedCodeBlock::endColumn): Deleted.
3266         (JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset): Deleted.
3267         (JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets): Deleted.
3268         (JSC::UnlinkedCodeBlock::hasOpProfileControlFlowBytecodeOffsets): Deleted.
3269         (JSC::UnlinkedCodeBlock::wasCompiledWithDebuggingOpcodes): Deleted.
3270         (JSC::UnlinkedCodeBlock::didOptimize): Deleted.
3271         (JSC::UnlinkedCodeBlock::setDidOptimize): Deleted.
3272         (JSC::UnlinkedCodeBlock::finishCreation): Deleted.
3273