CodeCache should check that the UnlinkedCodeBlock was successfully created before...
WebKit-https.git: Source/JavaScriptCore/ChangeLog-2017-03-23
2017-03-23  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] MachineThreads does not consider the situation in which one thread has multiple VMs
        https://bugs.webkit.org/show_bug.cgi?id=169819

        Reviewed by Mark Lam.

        The Linux port of the PlatformThread suspend/resume mechanism relies on having a thread
        specific singleton thread data, and was relying on MachineThreads::Thread to be this
        thread specific singleton. But because MachineThreads::Thread is not a thread specific
        singleton, we can get a deadlock in the GTK port's DatabaseProcess.

        This patch fixes this issue by moving per thread data from MachineThreads::Thread to
        MachineThreads::ThreadData, where there will only be one instance of
        MachineThreads::ThreadData per thread. Each MachineThreads::Thread will now point to
        the same MachineThreads::ThreadData for any given thread.

        * heap/MachineStackMarker.cpp:
        (pthreadSignalHandlerSuspendResume):
        (JSC::threadData):
        (JSC::MachineThreads::Thread::Thread):
        (JSC::MachineThreads::Thread::createForCurrentThread):
        (JSC::MachineThreads::Thread::operator==):
        (JSC::MachineThreads::ThreadData::ThreadData):
        (JSC::MachineThreads::ThreadData::~ThreadData):
        (JSC::MachineThreads::ThreadData::suspend):
        (JSC::MachineThreads::ThreadData::resume):
        (JSC::MachineThreads::ThreadData::getRegisters):
        (JSC::MachineThreads::ThreadData::Registers::stackPointer):
        (JSC::MachineThreads::ThreadData::Registers::framePointer):
        (JSC::MachineThreads::ThreadData::Registers::instructionPointer):
        (JSC::MachineThreads::ThreadData::Registers::llintPC):
        (JSC::MachineThreads::ThreadData::freeRegisters):
        (JSC::MachineThreads::ThreadData::captureStack):
        (JSC::MachineThreads::tryCopyOtherThreadStacks):
        (JSC::MachineThreads::Thread::~Thread): Deleted.
        (JSC::MachineThreads::Thread::suspend): Deleted.
        (JSC::MachineThreads::Thread::resume): Deleted.
        (JSC::MachineThreads::Thread::getRegisters): Deleted.
        (JSC::MachineThreads::Thread::Registers::stackPointer): Deleted.
        (JSC::MachineThreads::Thread::Registers::framePointer): Deleted.
        (JSC::MachineThreads::Thread::Registers::instructionPointer): Deleted.
        (JSC::MachineThreads::Thread::Registers::llintPC): Deleted.
        (JSC::MachineThreads::Thread::freeRegisters): Deleted.
        (JSC::MachineThreads::Thread::captureStack): Deleted.
        * heap/MachineStackMarker.h:
        (JSC::MachineThreads::Thread::operator!=):
        (JSC::MachineThreads::Thread::suspend):
        (JSC::MachineThreads::Thread::resume):
        (JSC::MachineThreads::Thread::getRegisters):
        (JSC::MachineThreads::Thread::freeRegisters):
        (JSC::MachineThreads::Thread::captureStack):
        (JSC::MachineThreads::Thread::platformThread):
        (JSC::MachineThreads::Thread::stackBase):
        (JSC::MachineThreads::Thread::stackEnd):
        * runtime/SamplingProfiler.cpp:
        (JSC::FrameWalker::isValidFramePointer):
        * runtime/VMTraps.cpp:
        (JSC::findActiveVMAndStackBounds):

2017-03-23  Mark Lam  <mark.lam@apple.com>

        Clients of JSArray::tryCreateForInitializationPrivate() should do their own null checks.
        https://bugs.webkit.org/show_bug.cgi?id=169783

        Reviewed by Saam Barati.

        Fixed clients of tryCreateForInitializationPrivate() to do a null check and throw
        an OutOfMemoryError if allocation fails, or RELEASE_ASSERT that the allocation
        succeeds.

        * dfg/DFGOperations.cpp:
        * ftl/FTLOperations.cpp:
        (JSC::FTL::operationMaterializeObjectInOSR):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSplice):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateForInitializationPrivate):
        (JSC::JSArray::fastSlice):
        * runtime/JSArray.h:
        (JSC::constructArray):
        (JSC::constructArrayNegativeIndexed):
        * runtime/RegExpMatchesArray.cpp:
        (JSC::createEmptyRegExpMatchesArray):
        * runtime/RegExpMatchesArray.h:
        (JSC::createRegExpMatchesArray):

2017-03-23  Guillaume Emont  <guijemont@igalia.com>

        [jsc] Add MacroAssemblerMIPS::storeFence()
        https://bugs.webkit.org/show_bug.cgi?id=169705

        Reviewed by Yusuke Suzuki.

        There doesn't seem to be anything more fine-grained than "sync" that
        guarantees that all memory operations following it are going to happen
        after all stores before it, so we just use sync.

        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::sync): Added a FIXME about SYNC_MB.
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::storeFence): Added.

2017-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC][DFG] Propagate AnyIntAsDouble information carefully to utilize it in fixup
        https://bugs.webkit.org/show_bug.cgi?id=169914

        Reviewed by Saam Barati.

        In the DFG prediction propagation phase, we pollute the prediction of GetByVal for Array::Double
        as SpecDoubleReal even if the heap prediction says the proper prediction is SpecAnyIntAsDouble.
        Thus, the following nodes just see the result of GetByVal(Array::Double) as a double value,
        and select suboptimal edge filters in the fixup phase. For example, if the result of GetByVal is
        SpecAnyIntAsDouble, we can see a node like ArithAdd(SpecAnyIntAsDouble, Int52) and we should
        have a chance to make it ArithAdd(Check:Int52, Int52) instead of ArithAdd(Double, Double).

        This patch propagates SpecAnyIntAsDouble in GetByVal(Array::Double) properly. And ValueAdd,
        ArithAdd and ArithSub select AnyInt edge filters for SpecAnyIntAsDouble values. It finally
        produces an Int52 specialized DFG node. And subsequent nodes using the produced one also
        become Int52 specialized.

        One considerable problem is that the heap prediction misses the non-any-int doubles. In that case,
        if the Int52 edge filter is used, a BadType exit will occur. It updates the prediction of the value profile
        of GetByVal. So, the next time, GetByVal(Array::Double) produces more conservative predictions
        and avoids the exit-and-recompile loop correctly.

        This change is very sensitive to correct AI and appropriate predictions. Thus, this patch finds
        and fixes some related issues. One is the incorrect prediction of ToThis and another is incorrect
        AI logic for Int52Rep.

        This change dramatically improves the kraken benchmarks crypto-pbkdf2 and crypto-sha256-iterative
        by 42.0% and 30.7%, respectively.

                                                     baseline                  patched
        Kraken:
        ai-astar                                  158.851+-4.132      ?     159.433+-5.176         ?
        audio-beat-detection                       53.193+-1.621      ?      53.391+-2.072         ?
        audio-dft                                 103.589+-2.277      ?     104.902+-1.924         ? might be 1.0127x slower
        audio-fft                                  40.491+-1.102             39.854+-0.755           might be 1.0160x faster
        audio-oscillator                           68.504+-1.721      ?      68.957+-1.725         ?
        imaging-darkroom                          118.367+-2.171      ?     119.581+-2.310         ? might be 1.0103x slower
        imaging-desaturate                         71.443+-1.461      ?      72.398+-1.918         ? might be 1.0134x slower
        imaging-gaussian-blur                     110.648+-4.035            109.184+-3.373           might be 1.0134x faster
        json-parse-financial                       60.363+-1.628      ?      61.936+-1.585         ? might be 1.0261x slower
        json-stringify-tinderbox                   37.903+-0.869      ?      39.559+-1.607         ? might be 1.0437x slower
        stanford-crypto-aes                        56.313+-1.512      ?      56.675+-1.715         ?
        stanford-crypto-ccm                        51.564+-1.900      ?      53.456+-2.548         ? might be 1.0367x slower
        stanford-crypto-pbkdf2                    129.546+-2.738      ^      91.214+-2.027         ^ definitely 1.4202x faster
        stanford-crypto-sha256-iterative           43.515+-0.730      ^      33.292+-0.653         ^ definitely 1.3071x faster

        <arithmetic>                               78.878+-0.528      ^      75.988+-0.621         ^ definitely 1.0380x faster

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addShouldSpeculateAnyInt):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):

2017-03-22  Mark Lam  <mark.lam@apple.com>

        Add support for Error.stackTraceLimit.
        https://bugs.webkit.org/show_bug.cgi?id=169904

        Reviewed by Saam Barati.

        Since there's no standard for this yet, we'll implement Error.stackTraceLimit
        based on how Chrome does it.  This includes some idiosyncrasies like:
        1. If we set Error.stackTraceLimit = 0, then new Error().stack yields an empty
           stack trace (Chrome has a title with no stack frame entries).
        2. If we set Error.stackTraceLimit = {} (i.e. to a non-number value), then
           new Error().stack is undefined.

        Chrome and IE default their Error.stackTraceLimit to 10.  We'll default ours to
        100 because 10 may be a bit too skimpy and it is not that costly to allow up to
        100 frames instead of 10.

        The default value for Error.stackTraceLimit is specified by
        Options::defaultErrorStackTraceLimit().

        Also, the Exception object now limits the number of stack trace frames it captures
        to the limit specified by Options::exceptionStackTraceLimit().

        Note: the Exception object captures a stack trace that is not necessarily the
        same as the one in an Error object being thrown:

        - The Error object captures the stack trace at the point of object creation.

        - The Exception object captures the stack trace at the point that the exception
          is thrown.  This stack trace is captured even when throwing a value that is not
          an Error object, e.g. a primitive value.  The Exception object stack trace is
          only used by WebInspector to identify where a value is thrown from.  Hence,
          it does not necessarily make sense for the Exception object stack trace to be
          limited by Error.stackTraceLimit.  Instead, we have it use its own
          Options::exceptionStackTraceLimit().

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::unwind):
        * jsc.cpp:
        (dumpException):
        * runtime/CommonIdentifiers.h:
        * runtime/Error.cpp:
        (JSC::addErrorInfoAndGetBytecodeOffset):
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::finishCreation):
        (JSC::ErrorConstructor::put):
        (JSC::ErrorConstructor::deleteProperty):
        * runtime/ErrorConstructor.h:
        (JSC::ErrorConstructor::stackTraceLimit):
        * runtime/Exception.cpp:
        (JSC::Exception::finishCreation):
        * runtime/Options.h:

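Added example, not part of this ChangeLog and not JSC code: the Error.stackTraceLimit behaviour listed in the entry above, exercised on whatever engine runs the file (V8 under Node.js, the reference behaviour the entry cites). It also shows the creation-site point: an Error's stack names where the object was created, not where it was later thrown. The helper names (frameCount, captureWithLimit, deep1..deep3, makeError, throwLater, creationSiteOfThrownError) are this example's own.

```javascript
// Added example, not JSC code: exercises the Error.stackTraceLimit semantics
// described in the entry on the running engine (V8 under Node.js). Every helper
// restores the original limit so nothing else in the process is affected.

// Count the "    at ..." frame lines of a stack string; a stack that is only the
// "Error: message" title line has zero frames. Returns -1 if there is no string.
function frameCount(stack) {
  if (typeof stack !== 'string') return -1;
  return stack.split('\n').filter((line) => /^\s+at\s/.test(line)).length;
}

// Create the Error several calls deep so a small limit visibly truncates.
function deep3() { return new Error('probe'); }
function deep2() { return deep3(); }
function deep1() { return deep2(); }

// Capture an Error with Error.stackTraceLimit temporarily set to `limit` and
// report the type of .stack and how many frames it carries.
function captureWithLimit(limit) {
  const saved = Error.stackTraceLimit;
  Error.stackTraceLimit = limit;
  try {
    const err = deep1();
    return { type: typeof err.stack, frames: frameCount(err.stack) };
  } finally {
    Error.stackTraceLimit = saved;
  }
}

// The Error object's stack is captured at creation (makeError), not at the
// throw site (throwLater): the top frame names makeError.
function makeError() { return new Error('created here'); }
function throwLater(err) { throw err; }
function creationSiteOfThrownError() {
  const err = makeError();
  try {
    throwLater(err);
  } catch (caught) {
    const topFrame = caught.stack.split('\n')[1] || '';
    return {
      topFrameIsMakeError: topFrame.includes('makeError'),
      topFrameIsThrowLater: topFrame.includes('throwLater'),
    };
  }
}

// Stand-alone run: the three cases the entry lists (0, a small number, a
// non-number) plus the engine default.
for (const limit of [0, 2, {}, Error.stackTraceLimit]) {
  console.log(JSON.stringify(limit), captureWithLimit(limit));
}
console.log(creationSiteOfThrownError());
```

Run with node. Besides bounding capture cost, a small limit also trims how much call-path detail ends up in a stack string, which matters wherever those strings are logged or echoed back in error responses.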
2017-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use jsNontrivialString for Number toString operations
        https://bugs.webkit.org/show_bug.cgi?id=169965

        Reviewed by Mark Lam.

        After the single character check, the produced string is always longer than 1.
        Thus, we can use jsNontrivialString.

        * runtime/NumberPrototype.cpp:
        (JSC::int32ToStringInternal):

2017-03-22  JF Bastien  <jfbastien@apple.com>

        WebAssembly: name ExecState consistently
        https://bugs.webkit.org/show_bug.cgi?id=169954

        Reviewed by Saam Barati.

        No functional change.

        * wasm/js/JSWebAssemblyCompileError.cpp:
        (JSC::JSWebAssemblyCompileError::create):
        (JSC::createJSWebAssemblyCompileError):
        * wasm/js/JSWebAssemblyCompileError.h:
        (JSC::JSWebAssemblyCompileError::create):
        * wasm/js/JSWebAssemblyLinkError.cpp:
        (JSC::JSWebAssemblyLinkError::create):
        (JSC::createJSWebAssemblyLinkError):
        * wasm/js/JSWebAssemblyLinkError.h:
        (JSC::JSWebAssemblyLinkError::create):
        * wasm/js/JSWebAssemblyRuntimeError.cpp:
        (JSC::JSWebAssemblyRuntimeError::create):
        * wasm/js/JSWebAssemblyRuntimeError.h:
        (JSC::JSWebAssemblyRuntimeError::create):
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::callJSWebAssemblyInstance):
        * wasm/js/WebAssemblyMemoryConstructor.cpp:
        (JSC::callJSWebAssemblyMemory):
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        (JSC::callJSWebAssemblyModule):
        (JSC::WebAssemblyModuleConstructor::createModule):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):
        (JSC::dataSegmentFail):
        (JSC::WebAssemblyModuleRecord::evaluate):
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::webAssemblyFunctionValidate):
        (JSC::webAssemblyFunctionCompile):
        * wasm/js/WebAssemblyTableConstructor.cpp:
        (JSC::callJSWebAssemblyTable):

2017-03-22  JF Bastien  <jfbastien@apple.com>

        WebAssembly: constructors without new don't throw
        https://bugs.webkit.org/show_bug.cgi?id=165995

        Reviewed by Saam Barati.

        * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
        (JSC::constructJSWebAssemblyCompileError):
        (JSC::callJSWebAssemblyCompileError):
        * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
        (JSC::constructJSWebAssemblyLinkError):
        (JSC::callJSWebAssemblyLinkError):
        * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
        (JSC::constructJSWebAssemblyRuntimeError):
        (JSC::callJSWebAssemblyRuntimeError):

2017-03-22  Guillaume Emont  <guijemont@igalia.com>

        [DFG] Don't use ArraySlice intrinsic on MIPS
        https://bugs.webkit.org/show_bug.cgi?id=169721

        Reviewed by Yusuke Suzuki.

        Like on x86, we don't have enough registers available for this.

        * assembler/CPU.h:
        (JSC::isMIPS): Added.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        Don't use the ArraySlice intrinsic on MIPS.

2017-03-21  Mark Lam  <mark.lam@apple.com>

        The DFG Integer Check Combining phase should force an OSR exit for CheckInBounds on a negative constant min bound.
        https://bugs.webkit.org/show_bug.cgi?id=169933
        <rdar://problem/31105125>

        Reviewed by Filip Pizlo and Geoffrey Garen.

        Also fixed the bit-rotted RangeKey::dump() function.

        * dfg/DFGIntegerCheckCombiningPhase.cpp:
        (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):

2017-03-21  Csaba Osztrogonác  <ossy@webkit.org>

        [ARM] Add missing MacroAssembler functions after r214187
        https://bugs.webkit.org/show_bug.cgi?id=169912

        Reviewed by Yusuke Suzuki.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::loadFloat):
        (JSC::MacroAssemblerARM::storeFloat):

2017-03-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize Number.prototype.toString on Int32 / Int52 / Double
        https://bugs.webkit.org/show_bug.cgi?id=167454

        Reviewed by Saam Barati.

        This patch improves Number.toString(radix) performance
        by introducing the NumberToStringWithRadix DFG node. It directly
        calls the operation and it always returns String.

                                                       baseline                  patched

            stanford-crypto-sha256-iterative        45.130+-0.928             44.032+-1.184           might be 1.0250x faster

2017-03-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Add JSPromiseDeferred::reject(ExecState*, Exception*) interface
        https://bugs.webkit.org/show_bug.cgi?id=169908

        Reviewed by Sam Weinig.

        To avoid calling reject(ExecState*, JSValue) with Exception* accidentally,
        we add a new interface reject(ExecState*, Exception*).
        Such an interface is already added in DOMPromise in WebCore.

        * runtime/JSInternalPromiseDeferred.cpp:
        (JSC::JSInternalPromiseDeferred::reject):
        * runtime/JSInternalPromiseDeferred.h:
        * runtime/JSPromiseDeferred.cpp:
        (JSC::JSPromiseDeferred::reject):
        * runtime/JSPromiseDeferred.h:

2017-03-21  Zan Dobersek  <zdobersek@igalia.com>

        [jsc] MacroAssemblerMIPS: implement the branchPtr(RelationalCondition, BaseIndex, RegisterID) overload.
        https://bugs.webkit.org/show_bug.cgi?id=169717

        Reviewed by Yusuke Suzuki.

        * assembler/MacroAssembler.h: Expose branchPtr() on MIPS as well.
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::branchPtr): Added.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructor):
        (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnNumber):
        (JSC::DFG::SpeculativeJIT::compileNumberToStringWithRadix):
        (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnCell): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructor):
        (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithRadix):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JITOperations.h:
        * runtime/Intrinsic.h:
        * runtime/NumberPrototype.cpp:
        (JSC::int52ToStringWithRadix):
        (JSC::int32ToStringInternal):
        (JSC::numberToStringInternal):
        (JSC::int32ToString):
        (JSC::int52ToString):
        (JSC::numberToString):
        (JSC::numberProtoFuncToString):
        (JSC::integerValueToString): Deleted.
        * runtime/NumberPrototype.h:
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):

2017-03-20  Filip Pizlo  <fpizlo@apple.com>

        Graph coloring should use coalescable moves when spilling
        https://bugs.webkit.org/show_bug.cgi?id=169820

        Reviewed by Michael Saboff.

        This makes our graph coloring register allocator use a new family of move instructions when
        spilling both operands of the move. It's a three-operand move:

            Move (src), (dst), %scratch

        Previously, if both operands got spilled, we would emit a new instruction to load or store that
        spill slot. But this made it hard for allocateStack to see that the two spill locations are
        coalescable. This new kind of instruction makes it obvious that it's a coalescable move.

        This change implements the coalescing of spill slots inside allocateStack.

        This is an outrageous speed-up on the tsf_ir_speed benchmark from http://filpizlo.com/tsf/. This
        is an interesting benchmark because it has a super ugly interpreter loop with ~20 live variables
        carried around the loop back edge. This change makes that interpreter run 5x faster.

        This isn't a speed-up on any other benchmarks. It also doesn't regress anything. Compile time is
        neither progressed nor regressed, since the coalescing is super cheap, and this does not add any
        significant new machinery to the register allocator (it's just a small change to spill codegen).
        Overall on our wasm benchmarks, this is a 16% throughput progression.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::move):
        (JSC::MacroAssembler::move32):
        (JSC::MacroAssembler::moveFloat):
        (JSC::MacroAssembler::moveDouble):
        * b3/air/AirAllocateRegistersByGraphColoring.cpp:
        (JSC::B3::Air::allocateRegistersByGraphColoring):
        * b3/air/AirAllocateStack.cpp:
        (JSC::B3::Air::allocateStack):
        * b3/air/AirInst.cpp:
        (JSC::B3::Air::Inst::hasEarlyDef):
        (JSC::B3::Air::Inst::hasLateUseOrDef):
        (JSC::B3::Air::Inst::needsPadding):
        * b3/air/AirInst.h:
        * b3/air/AirOpcode.opcodes:
        * b3/air/AirPadInterference.cpp:
        (JSC::B3::Air::padInterference):
        * runtime/Options.h:

2017-03-19  Chris Dumez  <cdumez@apple.com>

        `const location = "foo"` throws in a worker
        https://bugs.webkit.org/show_bug.cgi?id=169839

        Reviewed by Mark Lam.

        Our HasRestrictedGlobalProperty check in JSC was slightly wrong, causing us
        to sometimes throw a Syntax exception when we shouldn't when declaring a
        const/let variable and sometimes not throw an exception when we should have.

        This aligns our behavior with ES6, Firefox and Chrome.

        * runtime/ProgramExecutable.cpp:
        (JSC::hasRestrictedGlobalProperty):
        (JSC::ProgramExecutable::initializeGlobalProperties):
        Rewrite hasRestrictedGlobalProperty logic as per the ECMAScript spec:
        - http://www.ecma-international.org/ecma-262/6.0/index.html#sec-hasproperty
        In particular, there were 2 issues:
        - We should throw a SyntaxError if hasProperty() returned true but getOwnProperty()
          would fail to return a descriptor. This would happen for properties that are
          not OWN properties, but defined somewhere in the prototype chain. The spec does
          not say to use hasProperty(), only getOwnProperty() and says we should return
          false if getOwnProperty() does not return a descriptor. This is what we do now.
        - We would fail to throw when declaring a let/const variable that shadows an own
          property whose value is undefined. This is because the previous code was
          explicitly checking for this case. I believe this was a misinterpretation of
          ES6 which says:
          """
          Let desc be O.[[GetOwnProperty]](P).
          If desc is undefined, return false.
          """
          We should check that desc is undefined, not desc.value. This is now fixed.

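Added example, not part of this ChangeLog and not JSC code: a plain-JS reference implementation of the ES2015 HasRestrictedGlobalProperty algorithm the entry above aligns JSC with, applied both to a constructed stand-in for a worker's global object (the `location`-on-the-prototype case from the bug, and the own-property-with-undefined-value case) and to the real global object of the running engine. The names hasRestrictedGlobalProperty, restrictedDeclarations, fakeWorkerGlobal, workerScopePrototype, ownUndefined and tweakable are this example's own; fakeWorkerGlobal is not a real WorkerGlobalScope.

```javascript
// Added example, not JSC code: reference implementation of the ES2015
// HasRestrictedGlobalProperty algorithm the entry aligns JSC with.
//
// Spec steps:
//   Let desc be O.[[GetOwnProperty]](P).   -- OWN property only, not HasProperty
//   If desc is undefined, return false.    -- desc itself, not desc.value
//   If desc.[[Configurable]] is true, return false; otherwise return true.
function hasRestrictedGlobalProperty(globalObj, name) {
  const desc = Object.getOwnPropertyDescriptor(globalObj, name);
  if (desc === undefined) return false; // inherited or absent: not restricted
  return desc.configurable === false;
}

// Names in `names` for which a top-level `let name` / `const name` must be a
// SyntaxError under GlobalDeclarationInstantiation for this global object.
function restrictedDeclarations(globalObj, names) {
  return names.filter((n) => hasRestrictedGlobalProperty(globalObj, n));
}

// Constructed stand-in for a worker's global object (not a real
// WorkerGlobalScope). As in the bug, `location` lives on the prototype, so it
// is not an OWN property; `ownUndefined` is own, non-configurable and has the
// value undefined (the entry's second issue); `tweakable` is own but
// configurable.
const workerScopePrototype = { location: 'https://example.invalid/worker.js' };
const fakeWorkerGlobal = Object.create(workerScopePrototype);
Object.defineProperty(fakeWorkerGlobal, 'ownUndefined', {
  value: undefined, writable: false, configurable: false, enumerable: true,
});
Object.defineProperty(fakeWorkerGlobal, 'tweakable', {
  value: 42, writable: true, configurable: true, enumerable: true,
});

// Only `ownUndefined` is restricted: `const location = "foo"` is allowed in
// the worker, and a configurable own property may be shadowed.
function workerDemo() {
  return restrictedDeclarations(fakeWorkerGlobal,
    ['location', 'ownUndefined', 'tweakable', 'neverDefined']);
}

// The same check against the real global object of the running engine:
// `undefined` is an own, non-configurable global (restricted), while
// `toString` is inherited from Object.prototype (not restricted).
function realGlobalDemo() {
  return {
    undefinedRestricted: hasRestrictedGlobalProperty(globalThis, 'undefined'),
    toStringRestricted: hasRestrictedGlobalProperty(globalThis, 'toString'),
  };
}

console.log(workerDemo(), realGlobalDemo());
```

Run with node. The two branches of the function map directly onto the two issues the entry lists: the descriptor lookup is own-only (so prototype-chain properties never trigger the error), and the undefined test is on the descriptor, never on its value.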
2017-03-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        import(arg) crashes when ToString(arg) throws
        https://bugs.webkit.org/show_bug.cgi?id=169778

        Reviewed by Saam Barati.

        JSPromiseDeferred should not be rejected with Exception*.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncImportModule):

2017-03-18  Oleksandr Skachkov  <gskachkov@gmail.com>

        [JSC] Remove unnecessary condition from needsDerivedConstructorInArrowFunctionLexicalEnvironment in BytecodeGenerator.cpp
        https://bugs.webkit.org/show_bug.cgi?id=169832

        Reviewed by Mark Lam.

        Remove an already covered condition in the needsDerivedConstructorInArrowFunctionLexicalEnvironment
        function. The condition isConstructor() && constructorKind() == ConstructorKind::Extends is already
        covered by isClassContext.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::needsDerivedConstructorInArrowFunctionLexicalEnvironment):

2017-03-18  Chris Dumez  <cdumez@apple.com>

        Allow setting the prototype of cross-origin objects, as long as they don't change
        https://bugs.webkit.org/show_bug.cgi?id=169787

        Reviewed by Mark Lam.

        * runtime/JSGlobalObject.h:
        Mark JS global object as an immutable prototype exotic object to match Window.

        * runtime/JSObject.cpp:
        (JSC::JSObject::setPrototypeWithCycleCheck):
        Update setPrototypeWithCycleCheck() for immutable prototype exotic objects in order
        to align with:
        - https://tc39.github.io/ecma262/#sec-set-immutable-prototype

        In particular, we need to call [[GetPrototypeOf]] and return true if it returns the same
        value as the new prototype. We really need to call [[GetPrototypeOf]] and not merely
        get the prototype slot via getPrototypeDirect() since Location and Window override
        [[GetPrototypeOf]] to return null in the cross-origin case.

        * runtime/JSProxy.cpp:
        (JSC::JSProxy::setPrototype):
        Update JSProxy::setPrototype() to forward such calls to its target. This is needed so
        we end up calling JSObject::setPrototypeWithCycleCheck() for the Window object.
        Handling immutable prototype exotic objects in that method does the right thing for
        Window.

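Added example, not part of this ChangeLog and not JSC code: the [[SetPrototypeOf]] step for immutable prototype exotic objects (SetImmutablePrototype, the spec section cited above) written as a plain function, a Proxy-based model of the cross-origin case that shows why the check has to go through [[GetPrototypeOf]] rather than a stored slot, and a probe of the running engine using Object.prototype, which the spec defines as such an object. The names setImmutablePrototype, crossOriginLikeDemo and probeEngine are this example's own, and the Proxy model is an assumption of the example, not WebKit's implementation.

```javascript
// Added example, not JSC code: SetImmutablePrototype from the cited spec
// section, plus a model of the cross-origin case and an engine probe.

// Spec: Let current be ? O.[[GetPrototypeOf]](). If SameValue(V, current) is
// true, return true. Otherwise return false. Reflect.getPrototypeOf invokes the
// object's own [[GetPrototypeOf]], which is the point the entry makes: objects
// such as Window and Location override it to return null cross-origin, so a
// stored prototype slot would give the wrong answer.
function setImmutablePrototype(target, newProto) {
  const current = Reflect.getPrototypeOf(target);
  return Object.is(newProto, current);
}

// Model of the cross-origin case (an assumption of this example, not WebKit's
// implementation): the stored prototype of `stored` is Object.prototype, but
// the visible [[GetPrototypeOf]] of the Proxy wrapping it returns null, as a
// cross-origin caller would see. setPrototypeOf(obj, null) must therefore
// succeed, and only the spec-correct check agrees.
function crossOriginLikeDemo() {
  const stored = {};
  const visible = new Proxy(stored, { getPrototypeOf: () => null });
  return {
    viaGetPrototypeOf: setImmutablePrototype(visible, null),        // true
    viaStoredSlot: Object.is(Object.getPrototypeOf(stored), null), // false
  };
}

// Probe the running engine: Object.prototype already has a null prototype, so
// re-setting it to null succeeds; any other value is refused by Reflect
// (returns false) and rejected with a TypeError by Object.setPrototypeOf.
function probeEngine() {
  const sameValue = Reflect.setPrototypeOf(Object.prototype, null);
  const otherValue = Reflect.setPrototypeOf(Object.prototype, {});
  let throwsTypeError = false;
  try {
    Object.setPrototypeOf(Object.prototype, {});
  } catch (e) {
    throwsTypeError = e instanceof TypeError;
  }
  return { sameValue, otherValue, throwsTypeError };
}

console.log(crossOriginLikeDemo(), probeEngine());
```

Run with node. The engine probe is the observable contract the entry is restoring for the global object: a "same value" set is a silent success, anything else fails, and nothing about the object's real prototype is disclosed by the answer.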
2017-03-17  Michael Saboff  <msaboff@apple.com>

        Use USE_INTERNAL_SDK to compute ENABLE_FAST_JIT_PERMISSIONS instead of HAVE_INTERNAL_SDK
        https://bugs.webkit.org/show_bug.cgi?id=169817

        Reviewed by Filip Pizlo.

        * Configurations/FeatureDefines.xcconfig:

2017-03-11  Filip Pizlo  <fpizlo@apple.com>

        Air should be powerful enough to support Tmp-splitting
        https://bugs.webkit.org/show_bug.cgi?id=169515

        Reviewed by Saam Barati.

        In the process of implementing the Tmp-splitting optimization, I made some small
        clean-ups. They don't affect anything - it's basically moving code around and adding
        utility functions.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::allocate): testb3 was sometimes failing its checkDoesNotUseInstruction check because of uninitialized memory. This initializes the internal fragmentation slop of every JIT allocation.
        * b3/air/AirAllocateRegistersByGraphColoring.cpp:
        * b3/air/AirAllocateRegistersByGraphColoring.h:
        (JSC::B3::Air::useIRC): It's useful to be able to query which register allocator we're using.
        * b3/air/AirArg.cpp:
        (WTF::printInternal):
        * b3/air/AirArg.h:
        (JSC::B3::Air::Arg::temperature): The temperature of a role is a useful concept to have factored out.
        * b3/air/AirBreakCriticalEdges.cpp: Added.
        (JSC::B3::Air::breakCriticalEdges): I was surprised that we didn't have this already. It's a pretty fundamental CFG utility.
        * b3/air/AirBreakCriticalEdges.h: Added.
        * b3/air/AirGenerate.cpp:
        * b3/air/AirInsertionSet.h: You can't use & if you want copy-constructibility, which seems to be a prerequisite to IndexMap<BasicBlock, InsertionSet>.
        (JSC::B3::Air::InsertionSet::InsertionSet):
        (JSC::B3::Air::InsertionSet::code):
        * b3/air/AirLiveness.h: Teach Liveness to track only warm liveness.
        (JSC::B3::Air::TmpLivenessAdapter::acceptsRole):
        (JSC::B3::Air::StackSlotLivenessAdapter::acceptsRole):
        (JSC::B3::Air::RegLivenessAdapter::acceptsRole):
        (JSC::B3::Air::AbstractLiveness::AbstractLiveness):
        (JSC::B3::Air::AbstractLiveness::LocalCalc::execute):

2017-03-16  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in GenericArgumentsInlines.h.
        https://bugs.webkit.org/show_bug.cgi?id=165012

        Reviewed by Saam Barati.

        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::defineOwnProperty):

2017-03-16  Simon Fraser  <simon.fraser@apple.com>

        Improve the system tracing points
        https://bugs.webkit.org/show_bug.cgi?id=169790

        Reviewed by Zalan Bujtas.

        Use a more cohesive set of system trace points that give a good overview of what
        WebKit is doing. Added points for resource loading, render tree building, sync messages
        to the web process, async image decode, WASM and fetching cookies.

        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::run):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):

2017-03-16  Mark Lam  <mark.lam@apple.com>

        Array concat operation should check for length overflows.
        https://bugs.webkit.org/show_bug.cgi?id=169796
        <rdar://problem/31095276>

        Reviewed by Keith Miller.

        * runtime/ArrayPrototype.cpp:
        (JSC::concatAppendOne):
        (JSC::arrayProtoPrivateFuncConcatMemcpy):

640 2017-03-16  Mark Lam  <mark.lam@apple.com>
641
642         The new array with spread operation needs to check for length overflows.
643         https://bugs.webkit.org/show_bug.cgi?id=169780
644         <rdar://problem/31072182>
645
646         Reviewed by Filip Pizlo.
647
648         * dfg/DFGOperations.cpp:
649         * dfg/DFGSpeculativeJIT.cpp:
650         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
651         * ftl/FTLLowerDFGToB3.cpp:
652         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
653         * ftl/FTLOperations.cpp:
654         (JSC::FTL::operationMaterializeObjectInOSR):
655         * llint/LLIntSlowPaths.cpp:
656         * runtime/CommonSlowPaths.cpp:
657         (JSC::SLOW_PATH_DECL):
658         * runtime/JSGlobalObject.cpp:
659
660 2017-03-16  Filip Pizlo  <fpizlo@apple.com>
661
662         FTL should support global and eval code
663         https://bugs.webkit.org/show_bug.cgi?id=169656
664
665         Reviewed by Geoffrey Garen and Saam Barati.
666         
667         Turned off the restriction against global and eval code running in the FTL, and then fixed all of
668         the things that didn't work.
669         
670         This is a big speed-up on microbenchmarks that I wrote for this patch. One of the reasons why we
671         hadn't done this earlier is that we've never seen a benchmark that needed it. Global and eval
672         code rarely gets FTL-hot. Still, this seems like possibly a small JetStream speed-up.
673
674         * dfg/DFGJITCode.cpp:
675         (JSC::DFG::JITCode::setOSREntryBlock): I outlined this for better debugging.
676         * dfg/DFGJITCode.h:
677         (JSC::DFG::JITCode::setOSREntryBlock): Deleted.
678         * dfg/DFGNode.h:
679         (JSC::DFG::Node::isSemanticallySkippable): It turns out that global code often has InvalidationPoints before LoopHints. They are also skippable from the standpoint of OSR entrypoint analysis.
680         * dfg/DFGOperations.cpp: Don't do any normal compiles of global code - just do OSR compiles.
681         * ftl/FTLCapabilities.cpp: Enable FTL for global and eval code.
682         (JSC::FTL::canCompile):
683         * ftl/FTLCompile.cpp: Just debugging clean-ups.
684         (JSC::FTL::compile):
685         * ftl/FTLJITFinalizer.cpp: Implement finalize() and ensure that we only do things with the entrypoint buffer if we have one. We won't have one for eval code that we aren't OSR entering into.
686         (JSC::FTL::JITFinalizer::finalize):
687         (JSC::FTL::JITFinalizer::finalizeFunction):
688         (JSC::FTL::JITFinalizer::finalizeCommon):
689         * ftl/FTLJITFinalizer.h:
690         * ftl/FTLLink.cpp: When entering a function normally, we need the "entrypoint" to put the arity check code. Global and eval code don't need this.
691         (JSC::FTL::link):
692         * ftl/FTLOSREntry.cpp: Fix a dataLog statement.
693         (JSC::FTL::prepareOSREntry):
694         * ftl/FTLOSRExitCompiler.cpp: Remove dead code that happened to assert that we're exiting from a function.
695         (JSC::FTL::compileStub):
696
697 2017-03-16  Michael Saboff  <msaboff@apple.com>
698
699         WebAssembly: function-tests/load-offset.js fails on ARM64
700         https://bugs.webkit.org/show_bug.cgi?id=169724
701
702         Reviewed by Keith Miller.
703
704         We need to use the two-source version of Add64 to create a Wasm address, with the
705         other source being the first child.
706
707         * b3/B3LowerToAir.cpp:
708         (JSC::B3::Air::LowerToAir::lower):
709
710 2017-03-16  Jon Lee  <jonlee@apple.com>
711
712         Add FIXMEs to update WebRTC
713         https://bugs.webkit.org/show_bug.cgi?id=169735
714
715         Reviewed by Youenn Fablet.
716
717         * runtime/CommonIdentifiers.h: Add RTCIceTransport.
718
719 2017-03-16  Yusuke Suzuki  <utatane.tea@gmail.com>
720
721         Unreviewed, copy m_numberOfArgumentsToSkip
722         https://bugs.webkit.org/show_bug.cgi?id=164582
723
724         * bytecode/CodeBlock.cpp:
725         (JSC::CodeBlock::CodeBlock):
726
727 2017-03-16  Yusuke Suzuki  <utatane.tea@gmail.com>
728
729         Unreviewed, fix numParameter() - 1 OSRExit materialization
730         https://bugs.webkit.org/show_bug.cgi?id=164582
731
732         When materializing rest parameters, we rely on numParameter() - 1 being equal to
733         numberOfArgumentsToSkip. But this assumption is broken in r214029.
734
735         * bytecode/CodeBlock.cpp:
736         (JSC::CodeBlock::finishCreation):
737         * bytecode/CodeBlock.h:
738         (JSC::CodeBlock::numberOfArgumentsToSkip):
739         * ftl/FTLOperations.cpp:
740         (JSC::FTL::operationMaterializeObjectInOSR):
741
742 2017-03-16  Caio Lima  <ticaiolima@gmail.com>
743
744         [ESnext] Implement Object Spread
745         https://bugs.webkit.org/show_bug.cgi?id=167963
746
747         Reviewed by Yusuke Suzuki.
748
749         This patch implements the ECMA262 stage 3 Object Spread proposal [1].
750         It's implemented using CopyDataProperties to copy all enumerable keys
751         from the object being spread.
752
753         It also fixes CopyDataProperties, which was using
754         Object.getOwnPropertyNames to list all keys to be copied, and now is
755         using Reflect.ownKeys.
756
757         [1] - https://github.com/sebmarkbage/ecmascript-rest-spread
758
759         * builtins/GlobalOperations.js:
760         (globalPrivate.copyDataProperties):
761         * bytecode/CodeBlock.cpp:
762         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
763         * bytecode/UnlinkedCodeBlock.h:
764         (JSC::UnlinkedCodeBlock::addSetConstant):
765         * bytecompiler/BytecodeGenerator.cpp:
766         (JSC::BytecodeGenerator::emitLoad):
767         * bytecompiler/BytecodeGenerator.h:
768         * bytecompiler/NodesCodegen.cpp:
769         (JSC::PropertyListNode::emitBytecode):
770         (JSC::ObjectPatternNode::bindValue):
771         (JSC::ObjectSpreadExpressionNode::emitBytecode):
772         * parser/ASTBuilder.h:
773         (JSC::ASTBuilder::createObjectSpreadExpression):
774         (JSC::ASTBuilder::createProperty):
775         * parser/NodeConstructors.h:
776         (JSC::PropertyNode::PropertyNode):
777         (JSC::ObjectSpreadExpressionNode::ObjectSpreadExpressionNode):
778         * parser/Nodes.h:
779         (JSC::ObjectSpreadExpressionNode::expression):
780         * parser/Parser.cpp:
781         (JSC::Parser<LexerType>::parseProperty):
782         * parser/SyntaxChecker.h:
783         (JSC::SyntaxChecker::createObjectSpreadExpression):
784         (JSC::SyntaxChecker::createProperty):
785         * runtime/JSGlobalObject.cpp:
786         (JSC::JSGlobalObject::init):
787         * runtime/JSGlobalObjectFunctions.cpp:
788         (JSC::privateToObject): Deleted.
789         * runtime/JSGlobalObjectFunctions.h:
790
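As an added illustration of the CopyDataProperties fix described in the entry above (example code written for this page, not the JSC builtin in GlobalOperations.js): a userland model of the abstract operation, run once with the pre-patch key enumeration via Object.getOwnPropertyNames and once with Reflect.ownKeys. The sample object, its Symbol key and the helper names are constructed here for the demonstration. The point of the fix is that getOwnPropertyNames never returns symbol-keyed properties, so an enumerable symbol-keyed property is silently dropped by object spread, while a non-enumerable property must still be skipped by both versions.

```javascript
// Added example, not JSC code: a userland model of CopyDataProperties.
// keyLister is either Object.getOwnPropertyNames (pre-patch behaviour)
// or Reflect.ownKeys (post-patch behaviour); everything else is shared.
function copyWith(keyLister, target, source, excluded = []) {
  // CopyDataProperties(target, undefined/null) is a no-op.
  if (source === undefined || source === null) return target;
  const from = Object(source);
  for (const key of keyLister(from)) {
    // The exclusion list models object rest: `const { a, ...rest } = o`.
    if (excluded.includes(key)) continue;
    const desc = Object.getOwnPropertyDescriptor(from, key);
    // Only enumerable own properties are copied; the value is read via [[Get]],
    // so accessors are invoked exactly as native spread would invoke them.
    if (desc !== undefined && desc.enumerable) {
      target[key] = from[key];
    }
  }
  return target;
}

// Pre-patch: string keys only, symbol-keyed properties are silently lost.
function copyDataPropertiesBroken(target, source, excluded) {
  return copyWith(Object.getOwnPropertyNames, target, source, excluded);
}

// Post-patch: Reflect.ownKeys returns string keys followed by symbol keys.
function copyDataProperties(target, source, excluded) {
  return copyWith(Reflect.ownKeys, target, source, excluded);
}

// Object rest in destructuring is the same operation with an exclusion list.
function restWithout(source, excludedKeys) {
  return copyDataProperties({}, source, excludedKeys);
}

// Constructed sample: one plain enumerable key, one non-enumerable key that
// must never be copied, and one enumerable symbol key that the broken
// version drops.
const tag = Symbol("tag");
const sample = Object.defineProperties({}, {
  a: { value: 1, enumerable: true },
  hidden: { value: "secret", enumerable: false },
  [tag]: { value: "sym", enumerable: true },
});

// Returns the three results side by side so they can be compared:
// the broken model, the fixed model, and the engine's native object spread.
function demo() {
  return {
    broken: copyDataPropertiesBroken({}, sample),
    fixed: copyDataProperties({}, sample),
    spread: { ...sample },
  };
}
```

Running demo() shows the broken variant copying only `a`, while the fixed variant and native `{ ...sample }` both carry the symbol-keyed property and both leave `hidden` out.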
791 2017-03-15  Yusuke Suzuki  <utatane.tea@gmail.com>
792
793         [JSC] Default parameter part should be retrieved by op_get_argument opcode instead of changing arity
794         https://bugs.webkit.org/show_bug.cgi?id=164582
795
796         Reviewed by Saam Barati.
797
798         Previously we implemented default parameters as follows.
799
800             1. We count the default parameters as the usual parameters.
801             2. We just get the argument register.
802             3. Check it with op_is_undefined.
803             4. And fill the binding with either the argument register or default value.
804
805         The above is simple. However, it has the side effect that it always increases the arity of the function.
806         While `function.length` does not increase, internally, the number of parameters of the CodeBlock increases.
807         This effectively prevents our DFG / FTL from performing inlining: currently we only allow DFG to inline
808         a function whose arity is less than or equal to the number of passed arguments. That is OK. But when using
809         default parameters, we frequently do not pass the argument for the parameter with the default value.
810         Thus, in our current implementation, we frequently need to fix up the arity. And we frequently fail
811         to inline the function.
812
813         This patch fixes the above problem by not increasing the arity of the function. When we encounter the
814         parameter with the default value, we use `op_argument` to get the argument instead of using the argument
815         registers.
816
817         This improves six-speed defaults.es6 performance by 4.45x.
818
819             defaults.es6        968.4126+-101.2350   ^    217.6602+-14.8831       ^ definitely 4.4492x faster
820
821         * bytecode/UnlinkedFunctionExecutable.cpp:
822         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
823         * bytecode/UnlinkedFunctionExecutable.h:
824         * bytecompiler/BytecodeGenerator.cpp:
825         (JSC::BytecodeGenerator::BytecodeGenerator):
826         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
827         (JSC::BytecodeGenerator::initializeNextParameter):
828         (JSC::BytecodeGenerator::initializeParameters):
829         * bytecompiler/BytecodeGenerator.h:
830         * bytecompiler/NodesCodegen.cpp:
831         (JSC::FunctionNode::emitBytecode):
832         * dfg/DFGByteCodeParser.cpp:
833         (JSC::DFG::ByteCodeParser::inliningCost):
834         * parser/ASTBuilder.h:
835         (JSC::ASTBuilder::createFunctionMetadata):
836         * parser/Nodes.cpp:
837         (JSC::FunctionMetadataNode::FunctionMetadataNode):
838         * parser/Nodes.h:
839         (JSC::FunctionParameters::size):
840         (JSC::FunctionParameters::at):
841         (JSC::FunctionParameters::append):
842         (JSC::FunctionParameters::isSimpleParameterList):
843         * parser/Parser.cpp:
844         (JSC::Parser<LexerType>::isArrowFunctionParameters):
845         (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
846         (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
847         (JSC::Parser<LexerType>::parseFormalParameters):
848         (JSC::Parser<LexerType>::parseFunctionBody):
849         (JSC::Parser<LexerType>::parseFunctionParameters):
850         (JSC::Parser<LexerType>::parseFunctionInfo):
851         * parser/Parser.h:
852         * parser/SyntaxChecker.h:
853         (JSC::SyntaxChecker::createFunctionMetadata):
854         * runtime/FunctionExecutable.h:
855         * runtime/JSFunction.cpp:
856         (JSC::JSFunction::createBuiltinFunction):
857         (JSC::JSFunction::reifyLength):
858
859 2017-03-15  Yusuke Suzuki  <utatane.tea@gmail.com>
860
861         [DFG] ToString operation should have fixup for primitives to say this node does not have side effects
862         https://bugs.webkit.org/show_bug.cgi?id=169544
863
864         Reviewed by Saam Barati.
865
866         Our DFG ToString only models String operands well. While ToString(non-cell operand) does not have
867         any side effects, it is not modeled well in DFG.
868
869         This patch introduces a fixup for ToString with NonCellUse edge. If this edge is set, ToString does not
870         clobber things (like ToLowerCase, producing String). And ToString(NonCellUse) allows us to perform CSE!
871
872         Our microbenchmark shows 32.9% improvement due to dropped GetButterfly and CSE for ToString().
873
874                                             baseline                  patched
875
876             template-string-array       12.6284+-0.2766     ^      9.4998+-0.2295        ^ definitely 1.3293x faster
877
878         And SixSpeed template_string.es6 shows 16.68x performance improvement due to LICM onto this non-side-effectful ToString().
879
880                                           baseline                  patched
881
882             template_string.es6     3229.7343+-40.5705    ^    193.6077+-36.3349       ^ definitely 16.6818x faster
883
884         * dfg/DFGAbstractInterpreterInlines.h:
885         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
886         * dfg/DFGClobberize.h:
887         (JSC::DFG::clobberize):
888         * dfg/DFGFixupPhase.cpp:
889         (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
890         * dfg/DFGSpeculativeJIT.cpp:
891         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnCell):
892         (JSC::DFG::SpeculativeJIT::speculateNotCell):
893         * dfg/DFGSpeculativeJIT.h:
894         * dfg/DFGSpeculativeJIT32_64.cpp:
895         (JSC::DFG::SpeculativeJIT::compile):
896         * dfg/DFGSpeculativeJIT64.cpp:
897         (JSC::DFG::SpeculativeJIT::compile):
898         * ftl/FTLLowerDFGToB3.cpp:
899         (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructor):
900         (JSC::FTL::DFG::LowerDFGToB3::lowNotCell):
901         (JSC::FTL::DFG::LowerDFGToB3::speculateNotCell):
902
903 2017-03-15  Ryan Haddad  <ryanhaddad@apple.com>
904
905         Revert part of r213978 to see if it resolves LayoutTest crashes.
906         https://bugs.webkit.org/show_bug.cgi?id=169729
907
908         Reviewed by Alexey Proskuryakov.
909
910         * JavaScriptCore.xcodeproj/project.pbxproj:
911
912 2017-03-15  Guillaume Emont  <guijemont@igalia.com>
913
914         [jsc][mips] Fix compilation error introduced in r213652
915         https://bugs.webkit.org/show_bug.cgi?id=169723
916
917         Reviewed by Mark Lam.
918
919         The new replaceWithBkpt() contains a lapsus in it
920         (s/code/instructionStart) and won't compile.
921
922         * assembler/MIPSAssembler.h:
923         (JSC::MIPSAssembler::replaceWithBkpt):
924
925 2017-03-15  Daniel Ehrenberg  <littledan@chromium.org>
926
927         Switch back to ISO 4217 for Intl CurrencyDigits data
928         https://bugs.webkit.org/show_bug.cgi?id=169182
929     
930         Previously, a patch switched Intl.NumberFormat to use CLDR data through
931         ICU to get the default number of decimal digits for a currency.
932         However, that change actually violated the ECMA 402 specification,
933         which references ISO 4217 as the data source. This patch reverts to
934         an in-line implementation of that data.
935
936         Reviewed by Saam Barati.
937
938         * runtime/IntlNumberFormat.cpp:
939         (JSC::computeCurrencySortKey):
940         (JSC::extractCurrencySortKey):
941         (JSC::computeCurrencyDigits):
942
943 2017-03-15  Saam Barati  <sbarati@apple.com>
944
945         WebAssembly: When we GC to try to get a fast memory, we should call collectAllGarbage(), not collectSync()
946         https://bugs.webkit.org/show_bug.cgi?id=169704
947
948         Reviewed by Mark Lam.
949
950         We weren't always sweeping the memory needed to free
951         the WasmMemory we wanted to use. collectAllGarbage()
952         will do this if the JS objects wrapping WasmMemory
953         are dead.
954
955         This patch also moves the increment of the allocatedFastMemories
956         integer to be thread safe.
957
958         * wasm/WasmMemory.cpp:
959         (JSC::Wasm::tryGetFastMemory):
960
961 2017-03-15  Mark Lam  <mark.lam@apple.com>
962
963         Fix exception scope verification failures in jsc.cpp.
964         https://bugs.webkit.org/show_bug.cgi?id=164968
965
966         Reviewed by Saam Barati.
967
968         * jsc.cpp:
969         (WTF::CustomGetter::customGetter):
970
971         (GlobalObject::moduleLoaderResolve):
972         (GlobalObject::moduleLoaderFetch):
973         - The only way modules would throw an exception is if we encounter an OutOfMemory
974           error.  This should be extremely rare.  At this point, I don't think it's worth
975           doing the dance to propagate the exception when this happens.  Instead, we'll
976           simply do a RELEASE_ASSERT that we don't see any exceptions here.
977
978         (functionRun):
979         (functionRunString):
980         (functionLoadModule):
981         (functionCheckModuleSyntax):
982         (box):
983         (dumpException):
984         (runWithScripts):
985
986 2017-03-15  Mark Lam  <mark.lam@apple.com>
987
988         Fix missing exception checks in Interpreter.cpp.
989         https://bugs.webkit.org/show_bug.cgi?id=164964
990
991         Reviewed by Saam Barati.
992
993         * interpreter/Interpreter.cpp:
994         (JSC::eval):
995         (JSC::sizeOfVarargs):
996         (JSC::sizeFrameForVarargs):
997         (JSC::Interpreter::executeProgram):
998         (JSC::Interpreter::executeCall):
999         (JSC::Interpreter::executeConstruct):
1000         (JSC::Interpreter::prepareForRepeatCall):
1001         (JSC::Interpreter::execute):
1002
1003 2017-03-15  Dean Jackson  <dino@apple.com>
1004
1005         Sort Xcode project files
1006         https://bugs.webkit.org/show_bug.cgi?id=169669
1007
1008         Reviewed by Antoine Quint.
1009
1010         * JavaScriptCore.xcodeproj/project.pbxproj:
1011
1012 2017-03-14  Tomas Popela  <tpopela@redhat.com>
1013
1014         Wrong condition in offlineasm/risc.rb
1015         https://bugs.webkit.org/show_bug.cgi?id=169597
1016
1017         Reviewed by Mark Lam.
1018
1019         It's missing the 'and' operator between the conditions.
1020
1021         * offlineasm/risc.rb:
1022
1023 2017-03-14  Mark Lam  <mark.lam@apple.com>
1024
1025         BytecodeGenerator should use the same function to determine if it needs to store the DerivedConstructor in an ArrowFunction lexical environment.
1026         https://bugs.webkit.org/show_bug.cgi?id=169647
1027         <rdar://problem/31051832>
1028
1029         Reviewed by Michael Saboff.
1030
1031         * bytecompiler/BytecodeGenerator.cpp:
1032         (JSC::BytecodeGenerator::usesDerivedConstructorInArrowFunctionLexicalEnvironment):
1033         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
1034         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
1035         * bytecompiler/BytecodeGenerator.h:
1036
1037 2017-03-14  Brian Burg  <bburg@apple.com>
1038
1039         [Cocoa] Web Inspector: generated code for parsing an array of primitive-type enums from payload does not work
1040         https://bugs.webkit.org/show_bug.cgi?id=169629
1041
1042         Reviewed by Joseph Pecoraro.
1043
1044         This was encountered while trying to compile new protocol definitions that support the Actions API.
1045
1046         * inspector/scripts/codegen/models.py:
1047         (EnumType.__repr__): Improve debug logging so fields match the class member names.
1048
1049         * inspector/scripts/codegen/objc_generator.py:
1050         (ObjCGenerator.payload_to_objc_expression_for_member):
1051         If the array elements are actually a primitive type, then there's no need to do any
1052         conversion from a payload. This happens for free since the payload is a tree of
1053         NSDictionary, NSString, NSNumber, etc. 
1054
1055         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
1056         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1057         Rebaseline.
1058
1059         * inspector/scripts/tests/generic/type-declaration-object-type.json:
1060         Add new cases for properties that contain an array with enum type references and an array of anonymous enums.
1061
1062 2017-03-14  Filip Pizlo  <fpizlo@apple.com>
1063
1064         Record the HashSet/HashMap operations in DFG/FTL/B3 and replay them in a benchmark
1065         https://bugs.webkit.org/show_bug.cgi?id=169590
1066
1067         Reviewed by Saam Barati.
1068         
1069         Adds code to support logging some hashtable stuff in the DFG.
1070
1071         * dfg/DFGAvailabilityMap.cpp:
1072         (JSC::DFG::AvailabilityMap::pruneHeap):
1073         * dfg/DFGCombinedLiveness.cpp:
1074         (JSC::DFG::liveNodesAtHead):
1075         (JSC::DFG::CombinedLiveness::CombinedLiveness):
1076         * dfg/DFGCombinedLiveness.h:
1077         * dfg/DFGLivenessAnalysisPhase.cpp:
1078         (JSC::DFG::LivenessAnalysisPhase::run):
1079         (JSC::DFG::LivenessAnalysisPhase::processBlock):
1080         * dfg/DFGNode.cpp:
1081         * dfg/DFGNode.h:
1082         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1083
1084 2017-03-14  Joseph Pecoraro  <pecoraro@apple.com>
1085
1086         Web Inspector: Remove unused Network protocol event
1087         https://bugs.webkit.org/show_bug.cgi?id=169619
1088
1089         Reviewed by Mark Lam.
1090
1091         * inspector/protocol/Network.json:
1092         This became unused in r213621 and should have been removed
1093         from the protocol file then.
1094
1095 2017-03-14  Mark Lam  <mark.lam@apple.com>
1096
1097         Add a null check in VMTraps::willDestroyVM() to handle a race condition.
1098         https://bugs.webkit.org/show_bug.cgi?id=169620
1099
1100         Reviewed by Filip Pizlo.
1101
1102         There exists a race between VMTraps::willDestroyVM() (which removed SignalSenders
1103         from its m_signalSenders list) and SignalSender::send() (which removes itself
1104         from the list).  In the event that SignalSender::send() removes itself between
1105         the time that VMTraps::willDestroyVM() checks if m_signalSenders is empty and the
1106         time it takes a sender from m_signalSenders, VMTraps::willDestroyVM() may end up
1107         with a NULL sender pointer.  The fix is to add the missing null check before using
1108         the sender pointer.
1109
1110         * runtime/VMTraps.cpp:
1111         (JSC::VMTraps::willDestroyVM):
1112         (JSC::VMTraps::fireTrap):
1113         * runtime/VMTraps.h:
1114
1115 2017-03-14  Mark Lam  <mark.lam@apple.com>
1116
1117         Gardening: Speculative build fix for CLoop after r213886.
1118         https://bugs.webkit.org/show_bug.cgi?id=169436
1119
1120         Not reviewed.
1121
1122         * runtime/MachineContext.h:
1123
1124 2017-03-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1125
1126         [JSC] Drop unnecessary pthread_attr_t for JIT enabled Linux / FreeBSD environment
1127         https://bugs.webkit.org/show_bug.cgi?id=169592
1128
1129         Reviewed by Carlos Garcia Campos.
1130
1131         Since the suspended mcontext_t has all the necessary information, we can drop the
1132         pthread_attr_t allocation and destruction for JIT enabled Linux / FreeBSD environments.
1133
1134         * heap/MachineStackMarker.cpp:
1135         (JSC::MachineThreads::Thread::getRegisters):
1136         (JSC::MachineThreads::Thread::Registers::stackPointer):
1137         (JSC::MachineThreads::Thread::Registers::framePointer):
1138         (JSC::MachineThreads::Thread::Registers::instructionPointer):
1139         (JSC::MachineThreads::Thread::Registers::llintPC):
1140         (JSC::MachineThreads::Thread::freeRegisters):
1141         * heap/MachineStackMarker.h:
1142
1143 2017-03-14  Zan Dobersek  <zdobersek@igalia.com>
1144
1145         [GLib] Use USE(GLIB) guards in JavaScriptCore/inspector/EventLoop.cpp
1146         https://bugs.webkit.org/show_bug.cgi?id=169594
1147
1148         Reviewed by Carlos Garcia Campos.
1149
1150         Instead of PLATFORM(GTK) guards, utilize the USE(GLIB) build guards
1151         to guard the GLib-specific includes and invocations in the JSC
1152         inspector's EventLoop class implementation.
1153
1154         * inspector/EventLoop.cpp:
1155         (Inspector::EventLoop::cycle):
1156
1157 2017-03-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1158
1159         [JSC][Linux] Implement VMTrap in Linux ports
1160         https://bugs.webkit.org/show_bug.cgi?id=169436
1161
1162         Reviewed by Mark Lam.
1163
1164         This patch ports VMTrap to Linux ports.
1165         We extract MachineContext accessors from various places (wasm/, heap/ and tools/)
1166         and use them in all the JSC code.
1167
1168         * JavaScriptCore.xcodeproj/project.pbxproj:
1169         * heap/MachineStackMarker.cpp:
1170         (JSC::MachineThreads::Thread::Registers::stackPointer):
1171         (JSC::MachineThreads::Thread::Registers::framePointer):
1172         (JSC::MachineThreads::Thread::Registers::instructionPointer):
1173         (JSC::MachineThreads::Thread::Registers::llintPC):
1174         * heap/MachineStackMarker.h:
1175         * runtime/MachineContext.h: Added.
1176         (JSC::MachineContext::stackPointer):
1177         (JSC::MachineContext::framePointer):
1178         (JSC::MachineContext::instructionPointer):
1179         (JSC::MachineContext::argumentPointer<1>):
1180         (JSC::MachineContext::argumentPointer):
1181         (JSC::MachineContext::llintInstructionPointer):
1182         * runtime/PlatformThread.h:
1183         (JSC::platformThreadSignal):
1184         * runtime/VMTraps.cpp:
1185         (JSC::SignalContext::SignalContext):
1186         (JSC::SignalContext::adjustPCToPointToTrappingInstruction):
1187         * tools/CodeProfiling.cpp:
1188         (JSC::profilingTimer):
1189         * tools/SigillCrashAnalyzer.cpp:
1190         (JSC::SignalContext::SignalContext):
1191         (JSC::SignalContext::dump):
1192         * tools/VMInspector.cpp:
1193         * wasm/WasmFaultSignalHandler.cpp:
1194         (JSC::Wasm::trapHandler):
1195
1196 2017-03-13  Mark Lam  <mark.lam@apple.com>
1197
1198         Make the HeapVerifier useful again.
1199         https://bugs.webkit.org/show_bug.cgi?id=161752
1200
1201         Reviewed by Filip Pizlo.
1202
1203         Resurrect the HeapVerifier.  Here's what the verifier now offers:
1204
1205         1. It captures the list of cells before and after GCs up to N GC cycles.
1206            N is set by JSC_numberOfGCCyclesToRecordForVerification.
1207            Currently, N defaults to 3.
1208
1209            This is useful if we're debugging in lldb and want to check if a candidate
1210            cell pointer was observed by the GC during the last N GC cycles.  We can do
1211            this check by calling HeapVerifier::checkIfRecorded() with the cell address.
1212
1213            HeapVerifier::checkIfRecorded() is robust and can be used on bogus addresses.
1214            If the candidate cell was previously recorded by the HeapVerifier during a
1215            GC cycle, checkIfRecorded() will dump any useful info it has on that cell.
1216
1217         2. The HeapVerifier will verify that cells in its captured list after a GC are
1218            sane.  Some examples of cell insanity are:
1219            - the cell claims to belong to a different VM.
1220            - the cell has a NULL structureID.
1221            - the cell has a NULL structure.
1222            - the cell's structure has a NULL structureID.
1223            - the cell's structure has a NULL structure.
1224            - the cell's structure's structure has a NULL structureID.
1225            - the cell's structure's structure has a NULL structure.
1226
1227            These are all signs of corruption or a GC bug.  The verifier will report any
1228            insanity it finds, and then crash with a RELEASE_ASSERT.
1229
1230         3. Since the HeapVerifier captures lists of cells in the heap before and after GCs
1231            for the last N GCs, it will also automatically "trim" dead cells from those lists
1232            after the most recent GC.
1233
1234            "trim" here means that the CellProfile in the HeapVerifier's lists will be
1235            updated to reflect that the cell is now dead.  It still keeps a record of the
1236            dead cell pointer and the meta data collected about it back when it was alive.
1237            As a result, checkIfRecorded() will also report if the candidate cell passed
1238            to it is a dead object from a previous GC cycle. 
1239
1240         4. Each CellProfile captured by the HeapVerifier now tracks the following info:
1241            - the cell's HeapCell::Kind.
1242            - the cell's liveness.
1243            - if it is a JSCell, the cell's classInfo()->className.
1244            - an associated timestamp.
1245            - an associated stack trace.
1246
1247            Currently, the timestamp is only used for the time when the cell was recorded
1248            by the HeapVerifier during GC.  The stack trace is currently unused.
1249
1250            However, these fields are kept there so that we can instrument the VM (during
1251            a debugging session, which requires rebuilding the VM) and record interesting
1252            stack traces like that of the time of allocation of the cell.  Since
1253            capturing the stack traces for each cell is a very heavy weight operation,
1254            the HeapVerifier code does not do this by default.  Instead, we just leave
1255            the building blocks for doing so in place to ease future debugging efforts.
1256
1257         * heap/Heap.cpp:
1258         (JSC::Heap::runBeginPhase):
1259         (JSC::Heap::runEndPhase):
1260         (JSC::Heap::didFinishCollection):
1261         * heap/Heap.h:
1262         (JSC::Heap::verifier):
1263         * heap/MarkedAllocator.h:
1264         (JSC::MarkedAllocator::takeLastActiveBlock): Deleted.
1265         * heap/MarkedSpace.h:
1266         * heap/MarkedSpaceInlines.h:
1267         (JSC::MarkedSpace::forEachLiveCell):
1268         * tools/CellList.cpp:
1269         (JSC::CellList::find):
1270         (JSC::CellList::reset):
1271         (JSC::CellList::findCell): Deleted.
1272         * tools/CellList.h:
1273         (JSC::CellList::CellList):
1274         (JSC::CellList::name):
1275         (JSC::CellList::size):
1276         (JSC::CellList::cells):
1277         (JSC::CellList::add):
1278         (JSC::CellList::reset): Deleted.
1279         * tools/CellProfile.h:
1280         (JSC::CellProfile::CellProfile):
1281         (JSC::CellProfile::cell):
1282         (JSC::CellProfile::jsCell):
1283         (JSC::CellProfile::isJSCell):
1284         (JSC::CellProfile::kind):
1285         (JSC::CellProfile::isLive):
1286         (JSC::CellProfile::isDead):
1287         (JSC::CellProfile::setIsLive):
1288         (JSC::CellProfile::setIsDead):
1289         (JSC::CellProfile::timestamp):
1290         (JSC::CellProfile::className):
1291         (JSC::CellProfile::stackTrace):
1292         (JSC::CellProfile::setStackTrace):
1293         * tools/HeapVerifier.cpp:
1294         (JSC::HeapVerifier::startGC):
1295         (JSC::HeapVerifier::endGC):
1296         (JSC::HeapVerifier::gatherLiveCells):
1297         (JSC::trimDeadCellsFromList):
1298         (JSC::HeapVerifier::trimDeadCells):
1299         (JSC::HeapVerifier::printVerificationHeader):
1300         (JSC::HeapVerifier::verifyCellList):
1301         (JSC::HeapVerifier::validateCell):
1302         (JSC::HeapVerifier::validateJSCell):
1303         (JSC::HeapVerifier::verify):
1304         (JSC::HeapVerifier::reportCell):
1305         (JSC::HeapVerifier::checkIfRecorded):
1306         (JSC::HeapVerifier::initializeGCCycle): Deleted.
1307         (JSC::GatherCellFunctor::GatherCellFunctor): Deleted.
1308         (JSC::GatherCellFunctor::visit): Deleted.
1309         (JSC::GatherCellFunctor::operator()): Deleted.
1310         (JSC::HeapVerifier::verifyButterflyIsInStorageSpace): Deleted.
1311         * tools/HeapVerifier.h:
1312         (JSC::HeapVerifier::GCCycle::reset):
1313
1314 2017-03-13  SKumarMetro  <s.kumar@metrological.com>
1315
1316         JSC: fix compilation errors for MIPS
1317         https://bugs.webkit.org/show_bug.cgi?id=168402
1318
1319         Reviewed by Mark Lam.
1320
1321         * assembler/MIPSAssembler.h:
1322         (JSC::MIPSAssembler::fillNops):
1323         Added.
1324         * assembler/MacroAssemblerMIPS.h:
1325         Added MacroAssemblerMIPS::numGPRs and MacroAssemblerMIPS::numFPRs.
1326         * bytecode/InlineAccess.h:
1327         (JSC::InlineAccess::sizeForPropertyAccess):
1328         (JSC::InlineAccess::sizeForPropertyReplace):
1329         (JSC::InlineAccess::sizeForLengthAccess):
1330         Added MIPS cases.
1331
1332 2017-03-13  Filip Pizlo  <fpizlo@apple.com>
1333
1334         FTL should not flush strict arguments unless it really needs to
1335         https://bugs.webkit.org/show_bug.cgi?id=169519
1336
1337         Reviewed by Mark Lam.
1338         
1339         This is a refinement that we should have done ages ago. This kills some pointless PutStacks
1340         in DFG SSA IR. It can sometimes unlock other optimizations.
1341         
1342         Relanding after I fixed the special cases for CreateArguments-style nodes. 
1343
1344         * dfg/DFGPreciseLocalClobberize.h:
1345         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1346
1347 2017-03-13  Devin Rousso  <webkit@devinrousso.com>
1348
1349         Web Inspector: Event Listeners section is missing 'once', 'passive' event listener flags
1350         https://bugs.webkit.org/show_bug.cgi?id=167080
1351
1352         Reviewed by Joseph Pecoraro.
1353
1354         * inspector/protocol/DOM.json:
1355         Add "passive" and "once" items to the EventListener type.
1356
1357 2017-03-13  Mark Lam  <mark.lam@apple.com>
1358
1359         Remove obsolete experimental ObjC SPI.
1360         https://bugs.webkit.org/show_bug.cgi?id=169569
1361
1362         Reviewed by Saam Barati.
1363
1364         * API/JSVirtualMachine.mm:
1365         (-[JSVirtualMachine enableSigillCrashAnalyzer]): Deleted.
1366         * API/JSVirtualMachinePrivate.h: Removed.
1367         * JavaScriptCore.xcodeproj/project.pbxproj:
1368
1369 2017-03-13  Commit Queue  <commit-queue@webkit.org>
1370
1371         Unreviewed, rolling out r213856.
1372         https://bugs.webkit.org/show_bug.cgi?id=169562
1373
1374         Breaks JSC stress test stress/super-property-access.js.ftl-
1375         eager failing (Requested by mlam|g on #webkit).
1376
1377         Reverted changeset:
1378
1379         "FTL should not flush strict arguments unless it really needs
1380         to"
1381         https://bugs.webkit.org/show_bug.cgi?id=169519
1382         http://trac.webkit.org/changeset/213856
1383
1384 2017-03-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1385
1386         [JSC][Linux] Allow profilers to demangle C++ names
1387         https://bugs.webkit.org/show_bug.cgi?id=169559
1388
1389         Reviewed by Michael Catanzaro.
1390
1391         Linux also offers dladdr and a demangling feature.
1392         Thus, we can use it to show the names in profilers.
1393         For example, SamplingProfiler tells us the C function names.
1394
1395         * runtime/SamplingProfiler.cpp:
1396         (JSC::SamplingProfiler::StackFrame::displayName):
1397         * tools/CodeProfile.cpp:
1398         (JSC::symbolName):
1399
1400 2017-03-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1401
1402         [WTF] Clean up RunLoop and WorkQueue with Seconds and Function
1403         https://bugs.webkit.org/show_bug.cgi?id=169537
1404
1405         Reviewed by Sam Weinig.
1406
1407         * runtime/Watchdog.cpp:
1408         (JSC::Watchdog::startTimer):
1409
1410 2017-03-11  Filip Pizlo  <fpizlo@apple.com>
1411
1412         FTL should not flush strict arguments unless it really needs to
1413         https://bugs.webkit.org/show_bug.cgi?id=169519
1414
1415         Reviewed by Mark Lam.
1416         
1417         This is a refinement that we should have done ages ago. This kills some pointless PutStacks
1418         in DFG SSA IR. It can sometimes unlock other optimizations.
1419
1420         * dfg/DFGPreciseLocalClobberize.h:
1421         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1422
1423 2017-03-13  Caio Lima  <ticaiolima@gmail.com>
1424
1425         [JSC] It should be possible to create a label named let when parsing Statement in non-strict mode
1426         https://bugs.webkit.org/show_bug.cgi?id=168684
1427
1428         Reviewed by Saam Barati.
1429
1430         This patch is fixing a Parser bug to allow defining a label named
1431         ```let``` in sloppy mode when parsing a Statement.
1432
1433         * parser/Parser.cpp:
1434         (JSC::Parser<LexerType>::parseStatement):
1435
1436 2017-03-11  Filip Pizlo  <fpizlo@apple.com>
1437
1438         Structure::willStoreValueSlow needs to keep the property table alive until the end
1439         https://bugs.webkit.org/show_bug.cgi?id=169520
1440
1441         Reviewed by Michael Saboff.
1442
1443         We use pointers logically interior to `propertyTable` after doing a GC. We need to prevent the
1444         compiler from optimizing away pointers to `propertyTable`.
1445         
1446         * heap/HeapCell.cpp:
1447         (JSC::HeapCell::use):
1448         * heap/HeapCell.h:
1449         (JSC::HeapCell::use): Introduce API for keeping a pointer alive until some point in execution.
1450         * runtime/Structure.cpp:
1451         (JSC::Structure::willStoreValueSlow): Use HeapCell::use() to keep the pointer alive.
1452
1453 2017-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1454
1455         Unreviewed, suppress warnings in JSC B3
1456
1457         * b3/B3Opcode.cpp:
1458
1459 2017-03-11  Michael Saboff  <msaboff@apple.com>
1460
1461         Allow regular expressions to be used when selecting a process name in JSC config file
1462         https://bugs.webkit.org/show_bug.cgi?id=169495
1463
1464         Reviewed by Saam Barati.
1465
1466         Only added regular expression selectors for Unix-like platforms.
1467
1468         * runtime/ConfigFile.cpp:
1469         (JSC::ConfigFileScanner::tryConsumeRegExPattern):
1470         (JSC::ConfigFile::parse):
1471
1472 2017-03-11  Jon Lee  <jonlee@apple.com>
1473
1474         WebGPU prototype - Front-End
1475         https://bugs.webkit.org/show_bug.cgi?id=167952
1476
1477         Reviewed by Dean Jackson.
1478
1479         * runtime/CommonIdentifiers.h: Add WebGPU objects.
1480
1481 2017-03-10  Filip Pizlo  <fpizlo@apple.com>
1482
1483         The JITs should be able to emit fast TLS loads
1484         https://bugs.webkit.org/show_bug.cgi?id=169483
1485
1486         Reviewed by Keith Miller.
1487         
1488         Added loadFromTLS32/64/Ptr to the MacroAssembler and added a B3 test for this.
1489
1490         * assembler/ARM64Assembler.h:
1491         (JSC::ARM64Assembler::mrs_TPIDRRO_EL0):
1492         * assembler/MacroAssembler.h:
1493         (JSC::MacroAssembler::loadFromTLSPtr):
1494         * assembler/MacroAssemblerARM64.h:
1495         (JSC::MacroAssemblerARM64::loadFromTLS32):
1496         (JSC::MacroAssemblerARM64::loadFromTLS64):
1497         * assembler/MacroAssemblerX86Common.h:
1498         (JSC::MacroAssemblerX86Common::loadFromTLS32):
1499         * assembler/MacroAssemblerX86_64.h:
1500         (JSC::MacroAssemblerX86_64::loadFromTLS64):
1501         * assembler/X86Assembler.h:
1502         (JSC::X86Assembler::adcl_im):
1503         (JSC::X86Assembler::addl_mr):
1504         (JSC::X86Assembler::addl_im):
1505         (JSC::X86Assembler::andl_im):
1506         (JSC::X86Assembler::orl_im):
1507         (JSC::X86Assembler::orl_rm):
1508         (JSC::X86Assembler::subl_im):
1509         (JSC::X86Assembler::cmpb_im):
1510         (JSC::X86Assembler::cmpl_rm):
1511         (JSC::X86Assembler::cmpl_im):
1512         (JSC::X86Assembler::testb_im):
1513         (JSC::X86Assembler::movb_i8m):
1514         (JSC::X86Assembler::movb_rm):
1515         (JSC::X86Assembler::movl_mr):
1516         (JSC::X86Assembler::movq_mr):
1517         (JSC::X86Assembler::movsxd_rr):
1518         (JSC::X86Assembler::gs):
1519         (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
1520         * b3/testb3.cpp:
1521         (JSC::B3::testFastTLS):
1522         (JSC::B3::run):
1523
1524 2017-03-10  Alex Christensen  <achristensen@webkit.org>
1525
1526         Fix watch and tv builds after r213294
1527         https://bugs.webkit.org/show_bug.cgi?id=169508
1528
1529         Reviewed by Dan Bernstein.
1530
1531         * Configurations/FeatureDefines.xcconfig:
1532
1533 2017-03-10  Saam Barati  <sbarati@apple.com>
1534
1535         WebAssembly: Make more demos run
1536         https://bugs.webkit.org/show_bug.cgi?id=165510
1537         <rdar://problem/29760310>
1538
1539         Reviewed by Keith Miller.
1540
1541         This patch makes another Wasm demo run:
1542         https://kripken.github.io/BananaBread/cube2/bb.html
1543         
1544         This patch fixes two bugs:
1545         1. When WebAssemblyFunctionType was added, we did not properly
1546         update the last JS type value.
1547         2. Our code for our JS -> Wasm entrypoint was wrong. It led to bad
1548         code generation where we would emit B3 that would write over r12
1549         and rbx (on x86) which is invalid since those are our pinned registers.
1550         This patch just rewrites the entrypoint to use hand-written assembler
1551         code. I was planning on doing this anyway because it's a compile
1552         time speed boost.
1553         
1554         Also, this patch adds support for some new API features:
1555         We can now export an import, either via a direct export, or via a Table and the
1556         Element section. I've added a new class called WebAssemblyWrapperFunction that
1557         just wraps over a JSObject that is a function. Wrapper functions have types
1558         associated with them, so if they're re-imported, or called via call_indirect,
1559         they can be type checked.
1560
1561         * CMakeLists.txt:
1562         * JavaScriptCore.xcodeproj/project.pbxproj:
1563         * runtime/JSGlobalObject.cpp:
1564         (JSC::JSGlobalObject::init):
1565         (JSC::JSGlobalObject::visitChildren):
1566         * runtime/JSGlobalObject.h:
1567         (JSC::JSGlobalObject::webAssemblyWrapperFunctionStructure):
1568         * runtime/JSType.h:
1569         * wasm/JSWebAssemblyCodeBlock.h:
1570         (JSC::JSWebAssemblyCodeBlock::wasmToJsCallStubForImport):
1571         * wasm/WasmB3IRGenerator.cpp:
1572         (JSC::Wasm::createJSToWasmWrapper):
1573         * wasm/WasmCallingConvention.h:
1574         (JSC::Wasm::CallingConvention::headerSizeInBytes):
1575         * wasm/js/JSWebAssemblyHelpers.h:
1576         (JSC::isWebAssemblyHostFunction):
1577         * wasm/js/JSWebAssemblyInstance.cpp:
1578         (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
1579         * wasm/js/JSWebAssemblyInstance.h:
1580         (JSC::JSWebAssemblyInstance::importFunction):
1581         (JSC::JSWebAssemblyInstance::importFunctions):
1582         (JSC::JSWebAssemblyInstance::setImportFunction):
1583         * wasm/js/JSWebAssemblyTable.cpp:
1584         (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
1585         (JSC::JSWebAssemblyTable::grow):
1586         (JSC::JSWebAssemblyTable::clearFunction):
1587         (JSC::JSWebAssemblyTable::setFunction):
1588         * wasm/js/JSWebAssemblyTable.h:
1589         (JSC::JSWebAssemblyTable::getFunction):
1590         * wasm/js/WebAssemblyFunction.cpp:
1591         (JSC::callWebAssemblyFunction):
1592         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1593         (JSC::WebAssemblyInstanceConstructor::createInstance):
1594         * wasm/js/WebAssemblyModuleRecord.cpp:
1595         (JSC::WebAssemblyModuleRecord::link):
1596         (JSC::WebAssemblyModuleRecord::evaluate):
1597         * wasm/js/WebAssemblyModuleRecord.h:
1598         * wasm/js/WebAssemblyTablePrototype.cpp:
1599         (JSC::webAssemblyTableProtoFuncGet):
1600         (JSC::webAssemblyTableProtoFuncSet):
1601         * wasm/js/WebAssemblyWrapperFunction.cpp: Added.
1602         (JSC::callWebAssemblyWrapperFunction):
1603         (JSC::WebAssemblyWrapperFunction::WebAssemblyWrapperFunction):
1604         (JSC::WebAssemblyWrapperFunction::create):
1605         (JSC::WebAssemblyWrapperFunction::finishCreation):
1606         (JSC::WebAssemblyWrapperFunction::createStructure):
1607         (JSC::WebAssemblyWrapperFunction::visitChildren):
1608         * wasm/js/WebAssemblyWrapperFunction.h: Added.
1609         (JSC::WebAssemblyWrapperFunction::signatureIndex):
1610         (JSC::WebAssemblyWrapperFunction::wasmEntrypoint):
1611         (JSC::WebAssemblyWrapperFunction::function):
1612
1613 2017-03-10  Mark Lam  <mark.lam@apple.com>
1614
1615         JSC: BindingNode::bindValue doesn't increase the scope's reference count.
1616         https://bugs.webkit.org/show_bug.cgi?id=168546
1617         <rdar://problem/30589551>
1618
1619         Reviewed by Saam Barati.
1620
1621         We should protect the scope RegisterID with a RefPtr while it is still needed.
1622
1623         * bytecompiler/NodesCodegen.cpp:
1624         (JSC::ForInNode::emitLoopHeader):
1625         (JSC::ForOfNode::emitBytecode):
1626         (JSC::BindingNode::bindValue):
1627
1628 2017-03-10  Alex Christensen  <achristensen@webkit.org>
1629
1630         Fix CMake build.
1631
1632         * CMakeLists.txt:
1633         Make more forwarding headers so we can find WasmFaultSignalHandler.h from WebProcess.cpp.
1634
1635 2017-03-10  Mark Lam  <mark.lam@apple.com>
1636
1637         [Re-landing] Implement a StackTrace utility object that can capture stack traces for debugging.
1638         https://bugs.webkit.org/show_bug.cgi?id=169454
1639
1640         Reviewed by Michael Saboff.
1641
1642         The underlying implementation is hoisted right out of Assertions.cpp from the
1643         implementations of WTFPrintBacktrace().
1644
1645         The reason we need this StackTrace object is because during heap debugging, we
1646         sometimes want to capture the stack trace that allocated the objects of interest.
1647         Dumping the stack trace directly to stdout (using WTFReportBacktrace()) may
1648         perturb the execution profile sufficiently that an issue may not reproduce,
1649         while alternatively, just capturing the stack trace and deferring printing it
1650         till we actually need it later perturbs the execution profile less.
1651
1652         In addition, just capturing the stack traces (instead of printing them
1653         immediately at each capture site) allows us to avoid polluting stdout with tons
1654         of stack traces that may be irrelevant.
1655
1656         For now, we only capture the native stack trace.  We'll leave capturing and
1657         integrating the JS stack trace as an exercise for the future if we need it then.
1658
1659         Here's an example of how to use this StackTrace utility:
1660
1661             // Capture a stack trace of the top 10 frames.
1662             std::unique_ptr<StackTrace> trace(StackTrace::captureStackTrace(10));
1663             // Print the trace.
1664             dataLog(*trace);
1665
1666         * CMakeLists.txt:
1667         * JavaScriptCore.xcodeproj/project.pbxproj:
1668         * tools/StackTrace.cpp: Added.
1669         (JSC::StackTrace::instanceSize):
1670         (JSC::StackTrace::captureStackTrace):
1671         (JSC::StackTrace::dump):
1672         * tools/StackTrace.h: Added.
1673         (JSC::StackTrace::size):
1674         (JSC::StackTrace::StackTrace):
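
        The capture-now, print-later idea of the StackTrace entry above, as an added example that is not JavaScriptCore's StackTrace class and not part of this ChangeLog. It is built on glibc's backtrace()/backtrace_symbols(), so it assumes a glibc toolchain; the class and function names (NativeStackTrace, TrackedAllocation, framesRecordedForAllocation) are hypothetical.

```cpp
// Added example, not JavaScriptCore code: capture the native stack cheaply at
// the point of interest, keep only raw return addresses, and symbolize/print
// only when a debugging session actually asks for it. Assumes glibc.
#include <execinfo.h>
#include <cstdio>
#include <cstdlib>
#include <memory>
#include <vector>

class NativeStackTrace {
public:
    // Capture up to maxFrames return addresses. No symbol lookup happens here,
    // so the perturbation to the execution profile is small.
    static std::unique_ptr<NativeStackTrace> capture(int maxFrames)
    {
        std::unique_ptr<NativeStackTrace> trace(new NativeStackTrace);
        if (maxFrames <= 0)
            return trace;
        trace->m_frames.resize(maxFrames);
        int n = backtrace(trace->m_frames.data(), maxFrames);
        trace->m_frames.resize(n < 0 ? 0 : n);
        return trace;
    }

    size_t size() const { return m_frames.size(); }
    void* frame(size_t i) const { return m_frames[i]; }

    // The expensive, output-producing step, deferred until it is wanted.
    void dump(FILE* out) const
    {
        char** symbols = backtrace_symbols(m_frames.data(), (int)m_frames.size());
        if (!symbols) {
            for (void* f : m_frames)
                fprintf(out, "  %p\n", f);
            return;
        }
        for (size_t i = 0; i < m_frames.size(); ++i)
            fprintf(out, "  %s\n", symbols[i]);
        free(symbols);
    }

private:
    std::vector<void*> m_frames;
};

// A heap-debugging style record: the object remembers where it was allocated
// but prints nothing unless someone later calls dump() on the trace.
struct TrackedAllocation {
    std::unique_ptr<NativeStackTrace> allocationSite;
    explicit TrackedAllocation(int depth)
        : allocationSite(NativeStackTrace::capture(depth)) { }
};

// Number of frames recorded for an allocation made in this function; always
// between 1 and `depth` on a glibc system.
size_t framesRecordedForAllocation(int depth)
{
    TrackedAllocation allocation(depth);
    return allocation.allocationSite->size();
}

int main()
{
    TrackedAllocation allocation(10);
    // Only now, when we decide the object is interesting, do we print.
    allocation.allocationSite->dump(stdout);
    return framesRecordedForAllocation(10) >= 1 ? 0 : 1;
}
```

        Symbol names in the dump need the binary to export them (for example by linking with -rdynamic); without that, backtrace_symbols() still prints module names and raw addresses, which is enough to resolve later with addr2line.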
1675
1676 2017-03-04  Filip Pizlo  <fpizlo@apple.com>
1677
1678         B3 should have comprehensive support for atomic operations
1679         https://bugs.webkit.org/show_bug.cgi?id=162349
1680
1681         Reviewed by Keith Miller.
1682         
1683         This adds the following capabilities to B3:
1684         
1685         - Atomic weak/strong unfenced/fenced compare-and-swap
1686         - Atomic add/sub/or/and/xor/xchg
1687         - Acquire/release fencing on loads/stores
1688         - Fenceless load-load dependencies
1689         
1690         This adds lowering to the following instructions on x86:
1691         
1692         - lock cmpxchg
1693         - lock xadd
1694         - lock add/sub/or/and/xor/xchg
1695         
1696         This adds lowering to the following instructions on ARM64:
1697         
1698         - ldar and friends
1699         - stlr and friends
1700         - ldxr and friends (unfenced LL)
1701         - stxr and friends (unfenced SC)
1702         - ldaxr and friends (fenced LL)
1703         - stlxr and friends (fenced SC)
1704         - eor as a fenceless load-load dependency
1705         
1706         This does instruction selection pattern matching to ensure that weak/strong CAS and all of the
1707         variants of fences and atomic math ops get lowered to the best possible instruction sequence.
1708         For example, we support the Equal(AtomicStrongCAS(expected, ...), expected) pattern and a bunch
1709         of its friends. You can say Branch(Equal(AtomicStrongCAS(expected, ...), expected)) and it will
1710         generate the best possible branch sequence on x86 and ARM64.
1711         
1712         B3 now knows how to model all of the kinds of fencing. It knows that acq loads are ordered with
1713         respect to each other and with respect to rel stores, creating sequential consistency that
1714         transcends just the acq/rel fences themselves (see Effects::fence). It knows that the phantom
1715         fence effects may only target some abstract heaps but not others, so that load elimination and
1716         store sinking can still operate across fences if you just tell B3 that the fence does not alias
1717         those accesses. This makes it super easy to teach B3 that some of your heap is thread-local.
1718         Even better, it lets you express fine-grained dependencies where the atomics that affect one
1719         property in shared memory do not clobber non-atomics that affect some other property in shared
1720         memory.
1721         
1722         One of my favorite features is Depend, which allows you to express load-load dependencies. On
1723         x86 it lowers to nothing, while on ARM64 it lowers to eor.
1724         
1725         This also exposes a common atomicWeakCAS API to the x86_64/ARM64 MacroAssemblers. Same for
1726         acq/rel. JSC's 64-bit JITs are now a happy concurrency playground.
1727         
1728         This doesn't yet expose the functionality to JS or wasm. SAB still uses the non-intrinsic
1729         implementations of the Atomics object, for now.
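
        The primitives this entry describes (the Equal(AtomicStrongCAS(expected, ...), expected) pattern, the weak-CAS retry loop that LL/SC lowering requires, and acquire/release ordering), as an added example that is not B3 or JavaScriptCore code and not part of this ChangeLog. B3 IR cannot run stand-alone, so the same operations are written with std::atomic; every function and struct name here (strongCasSucceeded, atomicAddViaWeakCas, Mailbox, casSequenceDemo, runCounterDemo, runMailboxDemo) is hypothetical.

```cpp
// Added example, not JavaScriptCore code: strong CAS, weak CAS retry loop and
// acquire/release handoff written with std::atomic. Names are hypothetical.
#include <atomic>
#include <cstdint>
#include <thread>
#include <vector>

// Strong CAS, i.e. the Equal(AtomicStrongCAS(expected, ...), expected) pattern:
// the CAS yields the value observed in memory and succeeded exactly when that
// value equals `expected`. compare_exchange_strong also writes the observed
// value back through its first argument, so both views must agree.
bool strongCasSucceeded(std::atomic<int32_t>& cell, int32_t expected, int32_t desired)
{
    int32_t observed = expected;
    bool ok = cell.compare_exchange_strong(observed, desired, std::memory_order_seq_cst);
    return ok && observed == expected;
}

// Weak CAS retry loop. On ARM64 a weak CAS lowers to an LL/SC pair (ldaxr/stlxr)
// that may fail spuriously, so the idiom recomputes the new value from the
// freshly observed one and retries. Returns the old value, like x86 lock xadd.
int32_t atomicAddViaWeakCas(std::atomic<int32_t>& cell, int32_t delta)
{
    int32_t observed = cell.load(std::memory_order_relaxed);
    while (!cell.compare_exchange_weak(observed, observed + delta,
                                       std::memory_order_acq_rel,
                                       std::memory_order_relaxed)) {
        // `observed` now holds the current value; loop to try again.
    }
    return observed;
}

// Acquire/release handoff: a release store (stlr on ARM64) after writing the
// payload and an acquire load (ldar) before reading it order the two plain,
// non-atomic accesses across threads without a full fence.
struct Mailbox {
    int32_t payload = 0;               // plain data, written before the flag
    std::atomic<bool> ready { false }; // the flag that publishes it
};

void publish(Mailbox& box, int32_t value)
{
    box.payload = value;
    box.ready.store(true, std::memory_order_release);
}

int32_t consume(Mailbox& box)
{
    while (!box.ready.load(std::memory_order_acquire))
        std::this_thread::yield();
    return box.payload; // sees `value`: the acquire load synchronizes with the release store
}

// Start at 5: CAS(5 -> 6) hits, CAS(5 -> 7) misses because the cell is 6, then a
// weak-CAS add of 4 makes it 10. Returns 10 on that path and -1 otherwise.
int32_t casSequenceDemo()
{
    std::atomic<int32_t> cell { 5 };
    bool hit = strongCasSucceeded(cell, 5, 6);
    bool miss = strongCasSucceeded(cell, 5, 7);
    int32_t before = atomicAddViaWeakCas(cell, 4);
    if (!hit || miss || before != 6)
        return -1;
    return cell.load();
}

// `threads` threads each add `perThread` through the weak-CAS loop; the total
// is exact only because every increment is atomic.
int32_t runCounterDemo(int threads, int perThread)
{
    std::atomic<int32_t> counter { 0 };
    std::vector<std::thread> workers;
    for (int t = 0; t < threads; ++t) {
        workers.emplace_back([&counter, perThread] {
            for (int i = 0; i < perThread; ++i)
                atomicAddViaWeakCas(counter, 1);
        });
    }
    for (auto& w : workers)
        w.join();
    return counter.load();
}

// One producer publishes `value`; the consumer reads it through the flag.
int32_t runMailboxDemo(int32_t value)
{
    Mailbox box;
    std::thread producer([&box, value] { publish(box, value); });
    int32_t got = consume(box);
    producer.join();
    return got;
}

int main()
{
    bool ok = casSequenceDemo() == 10 && runCounterDemo(4, 10000) == 40000
        && runMailboxDemo(42) == 42;
    return ok ? 0 : 1;
}
```

        The strong/weak distinction matters for correctness, not just speed: code that treats a weak CAS as if it could only fail on a genuine value mismatch is wrong on ARM64, which is why the retry loop, not a single CAS, is the primitive to build on there.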
1730         
1731         * CMakeLists.txt:
1732         * JavaScriptCore.xcodeproj/project.pbxproj:
1733         * assembler/ARM64Assembler.h:
1734         (JSC::ARM64Assembler::ldar):
1735         (JSC::ARM64Assembler::ldxr):
1736         (JSC::ARM64Assembler::ldaxr):
1737         (JSC::ARM64Assembler::stxr):
1738         (JSC::ARM64Assembler::stlr):
1739         (JSC::ARM64Assembler::stlxr):
1740         (JSC::ARM64Assembler::excepnGenerationImmMask):
1741         (JSC::ARM64Assembler::exoticLoad):
1742         (JSC::ARM64Assembler::storeRelease):
1743         (JSC::ARM64Assembler::exoticStore):
1744         * assembler/AbstractMacroAssembler.cpp: Added.
1745         (WTF::printInternal):
1746         * assembler/AbstractMacroAssembler.h:
1747         (JSC::AbstractMacroAssemblerBase::invert):
1748         * assembler/MacroAssembler.h:
1749         * assembler/MacroAssemblerARM64.h:
1750         (JSC::MacroAssemblerARM64::loadAcq8SignedExtendTo32):
1751         (JSC::MacroAssemblerARM64::loadAcq8):
1752         (JSC::MacroAssemblerARM64::storeRel8):
1753         (JSC::MacroAssemblerARM64::loadAcq16SignedExtendTo32):
1754         (JSC::MacroAssemblerARM64::loadAcq16):
1755         (JSC::MacroAssemblerARM64::storeRel16):
1756         (JSC::MacroAssemblerARM64::loadAcq32):
1757         (JSC::MacroAssemblerARM64::loadAcq64):
1758         (JSC::MacroAssemblerARM64::storeRel32):
1759         (JSC::MacroAssemblerARM64::storeRel64):
1760         (JSC::MacroAssemblerARM64::loadLink8):
1761         (JSC::MacroAssemblerARM64::loadLinkAcq8):
1762         (JSC::MacroAssemblerARM64::storeCond8):
1763         (JSC::MacroAssemblerARM64::storeCondRel8):
1764         (JSC::MacroAssemblerARM64::loadLink16):
1765         (JSC::MacroAssemblerARM64::loadLinkAcq16):
1766         (JSC::MacroAssemblerARM64::storeCond16):
1767         (JSC::MacroAssemblerARM64::storeCondRel16):
1768         (JSC::MacroAssemblerARM64::loadLink32):
1769         (JSC::MacroAssemblerARM64::loadLinkAcq32):
1770         (JSC::MacroAssemblerARM64::storeCond32):
1771         (JSC::MacroAssemblerARM64::storeCondRel32):
1772         (JSC::MacroAssemblerARM64::loadLink64):
1773         (JSC::MacroAssemblerARM64::loadLinkAcq64):
1774         (JSC::MacroAssemblerARM64::storeCond64):
1775         (JSC::MacroAssemblerARM64::storeCondRel64):
1776         (JSC::MacroAssemblerARM64::atomicStrongCAS8):
1777         (JSC::MacroAssemblerARM64::atomicStrongCAS16):
1778         (JSC::MacroAssemblerARM64::atomicStrongCAS32):
1779         (JSC::MacroAssemblerARM64::atomicStrongCAS64):
1780         (JSC::MacroAssemblerARM64::atomicRelaxedStrongCAS8):
1781         (JSC::MacroAssemblerARM64::atomicRelaxedStrongCAS16):
1782         (JSC::MacroAssemblerARM64::atomicRelaxedStrongCAS32):
1783         (JSC::MacroAssemblerARM64::atomicRelaxedStrongCAS64):
1784         (JSC::MacroAssemblerARM64::branchAtomicWeakCAS8):
1785         (JSC::MacroAssemblerARM64::branchAtomicWeakCAS16):
1786         (JSC::MacroAssemblerARM64::branchAtomicWeakCAS32):
1787         (JSC::MacroAssemblerARM64::branchAtomicWeakCAS64):
1788         (JSC::MacroAssemblerARM64::branchAtomicRelaxedWeakCAS8):
1789         (JSC::MacroAssemblerARM64::branchAtomicRelaxedWeakCAS16):
1790         (JSC::MacroAssemblerARM64::branchAtomicRelaxedWeakCAS32):
1791         (JSC::MacroAssemblerARM64::branchAtomicRelaxedWeakCAS64):
1792         (JSC::MacroAssemblerARM64::depend32):
1793         (JSC::MacroAssemblerARM64::depend64):
1794         (JSC::MacroAssemblerARM64::loadLink):
1795         (JSC::MacroAssemblerARM64::loadLinkAcq):
1796         (JSC::MacroAssemblerARM64::storeCond):
1797         (JSC::MacroAssemblerARM64::storeCondRel):
1798         (JSC::MacroAssemblerARM64::signExtend):
1799         (JSC::MacroAssemblerARM64::branch):
1800         (JSC::MacroAssemblerARM64::atomicStrongCAS):
1801         (JSC::MacroAssemblerARM64::atomicRelaxedStrongCAS):
1802         (JSC::MacroAssemblerARM64::branchAtomicWeakCAS):
1803         (JSC::MacroAssemblerARM64::branchAtomicRelaxedWeakCAS):
1804         (JSC::MacroAssemblerARM64::extractSimpleAddress):
1805         (JSC::MacroAssemblerARM64::signExtend<8>):
1806         (JSC::MacroAssemblerARM64::signExtend<16>):
1807         (JSC::MacroAssemblerARM64::branch<64>):
1808         * assembler/MacroAssemblerX86Common.h:
1809         (JSC::MacroAssemblerX86Common::add32):
1810         (JSC::MacroAssemblerX86Common::and32):
1811         (JSC::MacroAssemblerX86Common::and16):
1812         (JSC::MacroAssemblerX86Common::and8):
1813         (JSC::MacroAssemblerX86Common::neg32):
1814         (JSC::MacroAssemblerX86Common::neg16):
1815         (JSC::MacroAssemblerX86Common::neg8):
1816         (JSC::MacroAssemblerX86Common::or32):
1817         (JSC::MacroAssemblerX86Common::or16):
1818         (JSC::MacroAssemblerX86Common::or8):
1819         (JSC::MacroAssemblerX86Common::sub16):
1820         (JSC::MacroAssemblerX86Common::sub8):
1821         (JSC::MacroAssemblerX86Common::sub32):
1822         (JSC::MacroAssemblerX86Common::xor32):
1823         (JSC::MacroAssemblerX86Common::xor16):
1824         (JSC::MacroAssemblerX86Common::xor8):
1825         (JSC::MacroAssemblerX86Common::not32):
1826         (JSC::MacroAssemblerX86Common::not16):
1827         (JSC::MacroAssemblerX86Common::not8):
1828         (JSC::MacroAssemblerX86Common::store16):
1829         (JSC::MacroAssemblerX86Common::atomicStrongCAS8):
1830         (JSC::MacroAssemblerX86Common::atomicStrongCAS16):
1831         (JSC::MacroAssemblerX86Common::atomicStrongCAS32):
1832         (JSC::MacroAssemblerX86Common::branchAtomicStrongCAS8):
1833         (JSC::MacroAssemblerX86Common::branchAtomicStrongCAS16):
1834         (JSC::MacroAssemblerX86Common::branchAtomicStrongCAS32):
1835         (JSC::MacroAssemblerX86Common::atomicWeakCAS8):
1836         (JSC::MacroAssemblerX86Common::atomicWeakCAS16):
1837         (JSC::MacroAssemblerX86Common::atomicWeakCAS32):
1838         (JSC::MacroAssemblerX86Common::branchAtomicWeakCAS8):
1839         (JSC::MacroAssemblerX86Common::branchAtomicWeakCAS16):
1840         (JSC::MacroAssemblerX86Common::branchAtomicWeakCAS32):
1841         (JSC::MacroAssemblerX86Common::atomicRelaxedWeakCAS8):
1842         (JSC::MacroAssemblerX86Common::atomicRelaxedWeakCAS16):
1843         (JSC::MacroAssemblerX86Common::atomicRelaxedWeakCAS32):
1844         (JSC::MacroAssemblerX86Common::branchAtomicRelaxedWeakCAS8):
1845         (JSC::MacroAssemblerX86Common::branchAtomicRelaxedWeakCAS16):
1846         (JSC::MacroAssemblerX86Common::branchAtomicRelaxedWeakCAS32):
1847         (JSC::MacroAssemblerX86Common::atomicAdd8):
1848         (JSC::MacroAssemblerX86Common::atomicAdd16):
1849         (JSC::MacroAssemblerX86Common::atomicAdd32):
1850         (JSC::MacroAssemblerX86Common::atomicSub8):
1851         (JSC::MacroAssemblerX86Common::atomicSub16):
1852         (JSC::MacroAssemblerX86Common::atomicSub32):
1853         (JSC::MacroAssemblerX86Common::atomicAnd8):
1854         (JSC::MacroAssemblerX86Common::atomicAnd16):
1855         (JSC::MacroAssemblerX86Common::atomicAnd32):
1856         (JSC::MacroAssemblerX86Common::atomicOr8):
1857         (JSC::MacroAssemblerX86Common::atomicOr16):
1858         (JSC::MacroAssemblerX86Common::atomicOr32):
1859         (JSC::MacroAssemblerX86Common::atomicXor8):
1860         (JSC::MacroAssemblerX86Common::atomicXor16):
1861         (JSC::MacroAssemblerX86Common::atomicXor32):
1862         (JSC::MacroAssemblerX86Common::atomicNeg8):
1863         (JSC::MacroAssemblerX86Common::atomicNeg16):
1864         (JSC::MacroAssemblerX86Common::atomicNeg32):
1865         (JSC::MacroAssemblerX86Common::atomicNot8):
1866         (JSC::MacroAssemblerX86Common::atomicNot16):
1867         (JSC::MacroAssemblerX86Common::atomicNot32):
1868         (JSC::MacroAssemblerX86Common::atomicXchgAdd8):
1869         (JSC::MacroAssemblerX86Common::atomicXchgAdd16):
1870         (JSC::MacroAssemblerX86Common::atomicXchgAdd32):
1871         (JSC::MacroAssemblerX86Common::atomicXchg8):
1872         (JSC::MacroAssemblerX86Common::atomicXchg16):
1873         (JSC::MacroAssemblerX86Common::atomicXchg32):
1874         (JSC::MacroAssemblerX86Common::loadAcq8):
1875         (JSC::MacroAssemblerX86Common::loadAcq8SignedExtendTo32):
1876         (JSC::MacroAssemblerX86Common::loadAcq16):
1877         (JSC::MacroAssemblerX86Common::loadAcq16SignedExtendTo32):
1878         (JSC::MacroAssemblerX86Common::loadAcq32):
1879         (JSC::MacroAssemblerX86Common::storeRel8):
1880         (JSC::MacroAssemblerX86Common::storeRel16):
1881         (JSC::MacroAssemblerX86Common::storeRel32):
1882         (JSC::MacroAssemblerX86Common::storeFence):
1883         (JSC::MacroAssemblerX86Common::loadFence):
1884         (JSC::MacroAssemblerX86Common::replaceWithJump):
1885         (JSC::MacroAssemblerX86Common::maxJumpReplacementSize):
1886         (JSC::MacroAssemblerX86Common::patchableJumpSize):
1887         (JSC::MacroAssemblerX86Common::supportsFloatingPointRounding):
1888         (JSC::MacroAssemblerX86Common::supportsAVX):
1889         (JSC::MacroAssemblerX86Common::updateEax1EcxFlags):
1890         (JSC::MacroAssemblerX86Common::x86Condition):
1891         (JSC::MacroAssemblerX86Common::atomicStrongCAS):
1892         (JSC::MacroAssemblerX86Common::branchAtomicStrongCAS):
1893         * assembler/MacroAssemblerX86_64.h:
1894         (JSC::MacroAssemblerX86_64::add64):
1895         (JSC::MacroAssemblerX86_64::and64):
1896         (JSC::MacroAssemblerX86_64::neg64):
1897         (JSC::MacroAssemblerX86_64::or64):
1898         (JSC::MacroAssemblerX86_64::sub64):
1899         (JSC::MacroAssemblerX86_64::xor64):
1900         (JSC::MacroAssemblerX86_64::not64):
1901         (JSC::MacroAssemblerX86_64::store64):
1902         (JSC::MacroAssemblerX86_64::atomicStrongCAS64):
1903         (JSC::MacroAssemblerX86_64::branchAtomicStrongCAS64):
1904         (JSC::MacroAssemblerX86_64::atomicWeakCAS64):
1905         (JSC::MacroAssemblerX86_64::branchAtomicWeakCAS64):
1906         (JSC::MacroAssemblerX86_64::atomicRelaxedWeakCAS64):
1907         (JSC::MacroAssemblerX86_64::branchAtomicRelaxedWeakCAS64):
1908         (JSC::MacroAssemblerX86_64::atomicAdd64):
1909         (JSC::MacroAssemblerX86_64::atomicSub64):
1910         (JSC::MacroAssemblerX86_64::atomicAnd64):
1911         (JSC::MacroAssemblerX86_64::atomicOr64):
1912         (JSC::MacroAssemblerX86_64::atomicXor64):
1913         (JSC::MacroAssemblerX86_64::atomicNeg64):
1914         (JSC::MacroAssemblerX86_64::atomicNot64):
1915         (JSC::MacroAssemblerX86_64::atomicXchgAdd64):
1916         (JSC::MacroAssemblerX86_64::atomicXchg64):
1917         (JSC::MacroAssemblerX86_64::loadAcq64):
1918         (JSC::MacroAssemblerX86_64::storeRel64):
1919         * assembler/X86Assembler.h:
1920         (JSC::X86Assembler::addl_mr):
1921         (JSC::X86Assembler::addq_mr):
1922         (JSC::X86Assembler::addq_rm):
1923         (JSC::X86Assembler::addq_im):
1924         (JSC::X86Assembler::andl_mr):
1925         (JSC::X86Assembler::andl_rm):
1926         (JSC::X86Assembler::andw_rm):
1927         (JSC::X86Assembler::andb_rm):
1928         (JSC::X86Assembler::andl_im):
1929         (JSC::X86Assembler::andw_im):
1930         (JSC::X86Assembler::andb_im):
1931         (JSC::X86Assembler::andq_mr):
1932         (JSC::X86Assembler::andq_rm):
1933         (JSC::X86Assembler::andq_im):
1934         (JSC::X86Assembler::incq_m):
1935         (JSC::X86Assembler::negq_m):
1936         (JSC::X86Assembler::negl_m):
1937         (JSC::X86Assembler::negw_m):
1938         (JSC::X86Assembler::negb_m):
1939         (JSC::X86Assembler::notl_m):
1940         (JSC::X86Assembler::notw_m):
1941         (JSC::X86Assembler::notb_m):
1942         (JSC::X86Assembler::notq_m):
1943         (JSC::X86Assembler::orl_mr):
1944         (JSC::X86Assembler::orl_rm):
1945         (JSC::X86Assembler::orw_rm):
1946         (JSC::X86Assembler::orb_rm):
1947         (JSC::X86Assembler::orl_im):
1948         (JSC::X86Assembler::orw_im):
1949         (JSC::X86Assembler::orb_im):
1950         (JSC::X86Assembler::orq_mr):
1951         (JSC::X86Assembler::orq_rm):
1952         (JSC::X86Assembler::orq_im):
1953         (JSC::X86Assembler::subl_mr):
1954         (JSC::X86Assembler::subl_rm):
1955         (JSC::X86Assembler::subw_rm):
1956         (JSC::X86Assembler::subb_rm):
1957         (JSC::X86Assembler::subl_im):
1958         (JSC::X86Assembler::subw_im):
1959         (JSC::X86Assembler::subb_im):
1960         (JSC::X86Assembler::subq_mr):
1961         (JSC::X86Assembler::subq_rm):
1962         (JSC::X86Assembler::subq_im):
1963         (JSC::X86Assembler::xorl_mr):
1964         (JSC::X86Assembler::xorl_rm):
1965         (JSC::X86Assembler::xorl_im):
1966         (JSC::X86Assembler::xorw_rm):
1967         (JSC::X86Assembler::xorw_im):
1968         (JSC::X86Assembler::xorb_rm):
1969         (JSC::X86Assembler::xorb_im):
1970         (JSC::X86Assembler::xorq_im):
1971         (JSC::X86Assembler::xorq_rm):
1972         (JSC::X86Assembler::xorq_mr):
1973         (JSC::X86Assembler::xchgb_rm):
1974         (JSC::X86Assembler::xchgw_rm):
1975         (JSC::X86Assembler::xchgl_rm):
1976         (JSC::X86Assembler::xchgq_rm):
1977         (JSC::X86Assembler::movw_im):
1978         (JSC::X86Assembler::movq_i32m):
1979         (JSC::X86Assembler::cmpxchgb_rm):
1980         (JSC::X86Assembler::cmpxchgw_rm):
1981         (JSC::X86Assembler::cmpxchgl_rm):
1982         (JSC::X86Assembler::cmpxchgq_rm):
1983         (JSC::X86Assembler::xaddb_rm):
1984         (JSC::X86Assembler::xaddw_rm):
1985         (JSC::X86Assembler::xaddl_rm):
1986         (JSC::X86Assembler::xaddq_rm):
1987         (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
1988         * b3/B3AtomicValue.cpp: Added.
1989         (JSC::B3::AtomicValue::~AtomicValue):
1990         (JSC::B3::AtomicValue::dumpMeta):
1991         (JSC::B3::AtomicValue::cloneImpl):
1992         (JSC::B3::AtomicValue::AtomicValue):
1993         * b3/B3AtomicValue.h: Added.
1994         * b3/B3BasicBlock.h:
1995         * b3/B3BlockInsertionSet.cpp:
1996         (JSC::B3::BlockInsertionSet::BlockInsertionSet):
1997         (JSC::B3::BlockInsertionSet::insert): Deleted.
1998         (JSC::B3::BlockInsertionSet::insertBefore): Deleted.
1999         (JSC::B3::BlockInsertionSet::insertAfter): Deleted.
2000         (JSC::B3::BlockInsertionSet::execute): Deleted.
2001         * b3/B3BlockInsertionSet.h:
2002         * b3/B3Effects.cpp:
2003         (JSC::B3::Effects::interferes):
2004         (JSC::B3::Effects::operator==):
2005         (JSC::B3::Effects::dump):
2006         * b3/B3Effects.h:
2007         (JSC::B3::Effects::forCall):
2008         (JSC::B3::Effects::mustExecute):
2009         * b3/B3EliminateCommonSubexpressions.cpp:
2010         * b3/B3Generate.cpp:
2011         (JSC::B3::generateToAir):
2012         * b3/B3GenericBlockInsertionSet.h: Added.
2013         (JSC::B3::GenericBlockInsertionSet::GenericBlockInsertionSet):
2014         (JSC::B3::GenericBlockInsertionSet::insert):
2015         (JSC::B3::GenericBlockInsertionSet::insertBefore):
2016         (JSC::B3::GenericBlockInsertionSet::insertAfter):
2017         (JSC::B3::GenericBlockInsertionSet::execute):
2018         * b3/B3HeapRange.h:
2019         (JSC::B3::HeapRange::operator|):
2020         * b3/B3InsertionSet.cpp:
2021         (JSC::B3::InsertionSet::insertClone):
2022         * b3/B3InsertionSet.h:
2023         * b3/B3LegalizeMemoryOffsets.cpp:
2024         * b3/B3LowerMacros.cpp:
2025         (JSC::B3::lowerMacros):
2026         * b3/B3LowerMacrosAfterOptimizations.cpp:
2027         * b3/B3LowerToAir.cpp:
2028         (JSC::B3::Air::LowerToAir::LowerToAir):
2029         (JSC::B3::Air::LowerToAir::run):
2030         (JSC::B3::Air::LowerToAir::effectiveAddr):
2031         (JSC::B3::Air::LowerToAir::addr):
2032         (JSC::B3::Air::LowerToAir::loadPromiseAnyOpcode):
2033         (JSC::B3::Air::LowerToAir::appendShift):
2034         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp):
2035         (JSC::B3::Air::LowerToAir::storeOpcode):
2036         (JSC::B3::Air::LowerToAir::createStore):
2037         (JSC::B3::Air::LowerToAir::finishAppendingInstructions):
2038         (JSC::B3::Air::LowerToAir::newBlock):
2039         (JSC::B3::Air::LowerToAir::splitBlock):
2040         (JSC::B3::Air::LowerToAir::fillStackmap):
2041         (JSC::B3::Air::LowerToAir::appendX86Div):
2042         (JSC::B3::Air::LowerToAir::appendX86UDiv):
2043         (JSC::B3::Air::LowerToAir::loadLinkOpcode):
2044         (JSC::B3::Air::LowerToAir::storeCondOpcode):
2045         (JSC::B3::Air::LowerToAir::appendCAS):
2046         (JSC::B3::Air::LowerToAir::appendVoidAtomic):
2047         (JSC::B3::Air::LowerToAir::appendGeneralAtomic):
2048         (JSC::B3::Air::LowerToAir::lower):
2049         (JSC::B3::Air::LowerToAir::lowerX86Div): Deleted.
2050         (JSC::B3::Air::LowerToAir::lowerX86UDiv): Deleted.
2051         * b3/B3LowerToAir.h:
2052         * b3/B3MemoryValue.cpp:
2053         (JSC::B3::MemoryValue::isLegalOffset):
2054         (JSC::B3::MemoryValue::accessType):
2055         (JSC::B3::MemoryValue::accessBank):
2056         (JSC::B3::MemoryValue::accessByteSize):
2057         (JSC::B3::MemoryValue::dumpMeta):
2058         (JSC::B3::MemoryValue::MemoryValue):
2059         (JSC::B3::MemoryValue::accessWidth): Deleted.
2060         * b3/B3MemoryValue.h:
2061         * b3/B3MemoryValueInlines.h: Added.
2062         (JSC::B3::MemoryValue::isLegalOffset):
2063         (JSC::B3::MemoryValue::requiresSimpleAddr):
2064         (JSC::B3::MemoryValue::accessWidth):
2065         * b3/B3MoveConstants.cpp:
2066         * b3/B3NativeTraits.h: Added.
2067         * b3/B3Opcode.cpp:
2068         (JSC::B3::storeOpcode):
2069         (WTF::printInternal):
2070         * b3/B3Opcode.h:
2071         (JSC::B3::isLoad):
2072         (JSC::B3::isStore):
2073         (JSC::B3::isLoadStore):
2074         (JSC::B3::isAtomic):
2075         (JSC::B3::isAtomicCAS):
2076         (JSC::B3::isAtomicXchg):
2077         (JSC::B3::isMemoryAccess):
2078         (JSC::B3::signExtendOpcode):
2079         * b3/B3Procedure.cpp:
2080         (JSC::B3::Procedure::dump):
2081         * b3/B3Procedure.h:
2082         (JSC::B3::Procedure::hasQuirks):
2083         (JSC::B3::Procedure::setHasQuirks):
2084         * b3/B3PureCSE.cpp:
2085         (JSC::B3::pureCSE):
2086         * b3/B3PureCSE.h:
2087         * b3/B3ReduceStrength.cpp:
2088         * b3/B3Validate.cpp:
2089         * b3/B3Value.cpp:
2090         (JSC::B3::Value::returnsBool):
2091         (JSC::B3::Value::effects):
2092         (JSC::B3::Value::key):
2093         (JSC::B3::Value::performSubstitution):
2094         (JSC::B3::Value::typeFor):
2095         * b3/B3Value.h:
2096         * b3/B3Width.cpp:
2097         (JSC::B3::bestType):
2098         * b3/B3Width.h:
2099         (JSC::B3::canonicalWidth):
2100         (JSC::B3::isCanonicalWidth):
2101         (JSC::B3::mask):
2102         * b3/air/AirArg.cpp:
2103         (JSC::B3::Air::Arg::jsHash):
2104         (JSC::B3::Air::Arg::dump):
2105         (WTF::printInternal):
2106         * b3/air/AirArg.h:
2107         (JSC::B3::Air::Arg::isAnyUse):
2108         (JSC::B3::Air::Arg::isColdUse):
2109         (JSC::B3::Air::Arg::cooled):
2110         (JSC::B3::Air::Arg::isEarlyUse):
2111         (JSC::B3::Air::Arg::isLateUse):
2112         (JSC::B3::Air::Arg::isAnyDef):
2113         (JSC::B3::Air::Arg::isEarlyDef):
2114         (JSC::B3::Air::Arg::isLateDef):
2115         (JSC::B3::Air::Arg::isZDef):
2116         (JSC::B3::Air::Arg::simpleAddr):
2117         (JSC::B3::Air::Arg::statusCond):
2118         (JSC::B3::Air::Arg::isSimpleAddr):
2119         (JSC::B3::Air::Arg::isMemory):
2120         (JSC::B3::Air::Arg::isStatusCond):
2121         (JSC::B3::Air::Arg::isCondition):
2122         (JSC::B3::Air::Arg::ptr):
2123         (JSC::B3::Air::Arg::base):
2124         (JSC::B3::Air::Arg::isGP):
2125         (JSC::B3::Air::Arg::isFP):
2126         (JSC::B3::Air::Arg::isValidForm):
2127         (JSC::B3::Air::Arg::forEachTmpFast):
2128         (JSC::B3::Air::Arg::forEachTmp):
2129         (JSC::B3::Air::Arg::asAddress):
2130         (JSC::B3::Air::Arg::asStatusCondition):
2131         (JSC::B3::Air::Arg::isInvertible):
2132         (JSC::B3::Air::Arg::inverted):
2133         * b3/air/AirBasicBlock.cpp:
2134         (JSC::B3::Air::BasicBlock::setSuccessors):
2135         * b3/air/AirBasicBlock.h:
2136         * b3/air/AirBlockInsertionSet.cpp: Added.
2137         (JSC::B3::Air::BlockInsertionSet::BlockInsertionSet):
2138         (JSC::B3::Air::BlockInsertionSet::~BlockInsertionSet):
2139         * b3/air/AirBlockInsertionSet.h: Added.
2140         * b3/air/AirDumpAsJS.cpp: Removed.
2141         * b3/air/AirDumpAsJS.h: Removed.
2142         * b3/air/AirEliminateDeadCode.cpp:
2143         (JSC::B3::Air::eliminateDeadCode):
2144         * b3/air/AirGenerate.cpp:
2145         (JSC::B3::Air::prepareForGeneration):
2146         * b3/air/AirInstInlines.h:
2147         (JSC::B3::Air::isAtomicStrongCASValid):
2148         (JSC::B3::Air::isBranchAtomicStrongCASValid):
2149         (JSC::B3::Air::isAtomicStrongCAS8Valid):
2150         (JSC::B3::Air::isAtomicStrongCAS16Valid):
2151         (JSC::B3::Air::isAtomicStrongCAS32Valid):
2152         (JSC::B3::Air::isAtomicStrongCAS64Valid):
2153         (JSC::B3::Air::isBranchAtomicStrongCAS8Valid):
2154         (JSC::B3::Air::isBranchAtomicStrongCAS16Valid):
2155         (JSC::B3::Air::isBranchAtomicStrongCAS32Valid):
2156         (JSC::B3::Air::isBranchAtomicStrongCAS64Valid):
2157         * b3/air/AirOpcode.opcodes:
2158         * b3/air/AirOptimizeBlockOrder.cpp:
2159         (JSC::B3::Air::optimizeBlockOrder):
2160         * b3/air/AirPadInterference.cpp:
2161         (JSC::B3::Air::padInterference):
2162         * b3/air/AirSpillEverything.cpp:
2163         (JSC::B3::Air::spillEverything):
2164         * b3/air/opcode_generator.rb:
2165         * b3/testb3.cpp:
2166         (JSC::B3::testLoadAcq42):
2167         (JSC::B3::testStoreRelAddLoadAcq32):
2168         (JSC::B3::testStoreRelAddLoadAcq8):
2169         (JSC::B3::testStoreRelAddFenceLoadAcq8):
2170         (JSC::B3::testStoreRelAddLoadAcq16):
2171         (JSC::B3::testStoreRelAddLoadAcq64):
2172         (JSC::B3::testTrappingStoreElimination):
2173         (JSC::B3::testX86LeaAddAdd):
2174         (JSC::B3::testX86LeaAddShlLeftScale1):
2175         (JSC::B3::testAtomicWeakCAS):
2176         (JSC::B3::testAtomicStrongCAS):
2177         (JSC::B3::testAtomicXchg):
2178         (JSC::B3::testDepend32):
2179         (JSC::B3::testDepend64):
2180         (JSC::B3::run):
2181         * runtime/Options.h:
2182
2183 2017-03-10  Csaba Osztrogonác  <ossy@webkit.org>
2184
2185         Unreviewed typo fixes after r213652.
2186         https://bugs.webkit.org/show_bug.cgi?id=168920
2187
2188         * assembler/MacroAssemblerARM.h:
2189         (JSC::MacroAssemblerARM::replaceWithBreakpoint):
2190         * assembler/MacroAssemblerMIPS.h:
2191         (JSC::MacroAssemblerMIPS::replaceWithBreakpoint):
2192
2193 2017-03-10  Csaba Osztrogonác  <ossy@webkit.org>
2194
2195         Unreviewed ARM buildfix after r213652.
2196         https://bugs.webkit.org/show_bug.cgi?id=168920
2197
2198         r213652 used replaceWithBrk and replaceWithBkpt names for the same
2199         function, which was inconsistent and caused a build error in ARMAssembler.
2200
2201         * assembler/ARM64Assembler.h:
2202         (JSC::ARM64Assembler::replaceWithBkpt): Renamed replaceWithBrk to replaceWithBkpt.
2203         (JSC::ARM64Assembler::replaceWithBrk): Deleted.
2204         * assembler/ARMAssembler.h:
2205         (JSC::ARMAssembler::replaceWithBkpt): Renamed replaceWithBrk to replaceWithBkpt.
2206         (JSC::ARMAssembler::replaceWithBrk): Deleted.
2207         * assembler/MacroAssemblerARM64.h:
2208         (JSC::MacroAssemblerARM64::replaceWithBreakpoint):
2209
2210 2017-03-10  Alex Christensen  <achristensen@webkit.org>
2211
2212         Win64 build fix.
2213
2214         * b3/B3FenceValue.h:
2215         * b3/B3Value.h:
2216         Putting JS_EXPORT_PRIVATE on member functions in classes that are declared with JS_EXPORT_PRIVATE
2217         doesn't accomplish anything except making Visual Studio mad.
2218         * b3/air/opcode_generator.rb:
2219         winnt.h has naming collisions with enum values from AirOpcode.h.
2220         For example, MemoryFence is #defined to be _mm_mfence, which is declared to be a function in emmintrin.h.
2221         RotateLeft32 is #defined to be _rotl, which is declared to be a function in <stdlib.h>.
2222         A clean solution is just to put Opcode:: before the references to the opcode names to tell Visual Studio
2223         that it is referring to the enum value in AirOpcode.h and not the function declaration elsewhere.
2224
2225 2017-03-09  Ryan Haddad  <ryanhaddad@apple.com>
2226
2227         Unreviewed, rolling out r213695.
2228
2229         This change broke the Windows build.
2230
2231         Reverted changeset:
2232
2233         "Implement a StackTrace utility object that can capture stack
2234         traces for debugging."
2235         https://bugs.webkit.org/show_bug.cgi?id=169454
2236         http://trac.webkit.org/changeset/213695
2237
2238 2017-03-09  Caio Lima  <ticaiolima@gmail.com>
2239
2240         [ESnext] Implement Object Rest - Implementing Object Rest Destructuring
2241         https://bugs.webkit.org/show_bug.cgi?id=167962
2242
2243         Reviewed by Keith Miller.
2244
2245         The Object Rest/Spread Destructuring proposal is in stage 3[1] and this
2246         patch is a prototype implementation of it. A simple change over the
2247         parser was necessary to support the new '...' token in the Object Pattern
2248         destructuring rule. On the bytecode generator side, we changed the
2249         bytecode generated in ObjectPatternNode::bindValue to store in an
2250         array the identifiers of already destructured properties, following spec draft
2251         section [2], and then pass it as excludedNames to CopyDataProperties.
2252         The rest destructuring then calls copyDataProperties to perform the
2253         copy of the rest properties from the rhs.
2254
2255         We also implemented CopyDataProperties as a private JS global operation
2256         in builtins/GlobalOperations.js following its specification in [3].
2257         It is implemented using a Set object to verify whether a property is in
2258         excludedNames, to keep this algorithm at O(n + m) complexity, where n
2259         = number of source's own properties and m = excludedNames.length.
2260
2261         As a requirement to use JSSets as constants, a change in the
2262         CodeBlock::create API was necessary, because JSSet creation can throw an OOM
2263         exception. Now, CodeBlock::finishCreation returns false if an
2264         exception is thrown by
2265         CodeBlock::setConstantIdentifierSetRegisters, and then we return
2266         nullptr to ScriptExecutable::newCodeBlockFor. It is responsible for
2267         checking whether the CodeBlock was constructed properly and then throwing the OOM
2268         exception to the correct scope.
2269
2270         [1] - https://github.com/sebmarkbage/ecmascript-rest-spread
2271         [2] - http://sebmarkbage.github.io/ecmascript-rest-spread/#Rest-RuntimeSemantics-PropertyDestructuringAssignmentEvaluation
2272         [3] - http://sebmarkbage.github.io/ecmascript-rest-spread/#AbstractOperations-CopyDataProperties
2273
2274         * builtins/BuiltinNames.h:
2275         * builtins/GlobalOperations.js:
2276         (globalPrivate.copyDataProperties):
2277         * bytecode/CodeBlock.cpp:
2278         (JSC::CodeBlock::finishCreation):
2279         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
2280         * bytecode/CodeBlock.h:
2281         * bytecode/EvalCodeBlock.h:
2282         (JSC::EvalCodeBlock::create):
2283         * bytecode/FunctionCodeBlock.h:
2284         (JSC::FunctionCodeBlock::create):
2285         * bytecode/ModuleProgramCodeBlock.h:
2286         (JSC::ModuleProgramCodeBlock::create):
2287         * bytecode/ProgramCodeBlock.h:
2288         (JSC::ProgramCodeBlock::create):
2289         * bytecode/UnlinkedCodeBlock.h:
2290         (JSC::UnlinkedCodeBlock::addSetConstant):
2291         (JSC::UnlinkedCodeBlock::constantIdentifierSets):
2292         * bytecompiler/BytecodeGenerator.cpp:
2293         (JSC::BytecodeGenerator::emitLoad):
2294         * bytecompiler/BytecodeGenerator.h:
2295         * bytecompiler/NodesCodegen.cpp:
2296         (JSC::ObjectPatternNode::bindValue):
2297         * parser/ASTBuilder.h:
2298         (JSC::ASTBuilder::appendObjectPatternEntry):
2299         (JSC::ASTBuilder::appendObjectPatternRestEntry):
2300         (JSC::ASTBuilder::setContainsObjectRestElement):
2301         * parser/Nodes.h:
2302         (JSC::ObjectPatternNode::appendEntry):
2303         (JSC::ObjectPatternNode::setContainsRestElement):
2304         * parser/Parser.cpp:
2305         (JSC::Parser<LexerType>::parseDestructuringPattern):
2306         (JSC::Parser<LexerType>::parseProperty):
2307         * parser/SyntaxChecker.h:
2308         (JSC::SyntaxChecker::operatorStackPop):
2309         * runtime/JSGlobalObject.cpp:
2310         (JSC::JSGlobalObject::init):
2311         * runtime/JSGlobalObjectFunctions.cpp:
2312         (JSC::privateToObject):
2313         * runtime/JSGlobalObjectFunctions.h:
2314         * runtime/ScriptExecutable.cpp:
2315         (JSC::ScriptExecutable::newCodeBlockFor):
2316
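The CopyDataProperties operation and the excludedNames bookkeeping described in the entry above, as an added example that is not JavaScriptCore's own builtins/GlobalOperations.js implementation nor any code from the patch: a plain-JavaScript model of the abstract operation, using the same Set-based excluded-name lookup that keeps the copy at O(n + m), driven by a small emulation of object rest destructuring. The function names (copyDataProperties, destructureWithRest, makeSample, compareWithNative) and the constructed sample object are the example's own assumptions; the comparison against the engine's native `...rest` needs a runtime that already implements the proposal.

```javascript
// Added example, not JavaScriptCore's builtins/GlobalOperations.js: a plain
// JavaScript model of the CopyDataProperties abstract operation with an
// excludedNames list, the operation object rest destructuring relies on.
// Function and variable names below are the example's own.

// CopyDataProperties(target, source, excludedNames): copies every own
// enumerable property of `source` (string and symbol keys) onto `target`,
// skipping the keys listed in `excludedNames`.
function copyDataProperties(target, source, excludedNames) {
  // A null or undefined source contributes nothing; CopyDataProperties itself
  // simply returns the target (the destructuring step rejects such a rhs).
  if (source === undefined || source === null)
    return target;

  // Membership in excludedNames is checked through a Set, so each lookup is
  // O(1) and the whole copy is O(n + m): n = source's own keys, m = excluded.
  const excluded = new Set(excludedNames);
  const from = Object(source);

  // Reflect.ownKeys yields own string keys, then own symbol keys, in spec order.
  for (const key of Reflect.ownKeys(from)) {
    if (excluded.has(key))
      continue;
    const desc = Object.getOwnPropertyDescriptor(from, key);
    if (desc === undefined || !desc.enumerable)
      continue;
    // CreateDataProperty: define a fresh writable/enumerable/configurable data
    // property instead of assigning, so setters on target's prototype chain
    // are never invoked.
    Object.defineProperty(target, key, {
      value: from[key],
      writable: true,
      enumerable: true,
      configurable: true,
    });
  }
  return target;
}

// Emulates `const { n1, n2, ..., ...rest } = source` for the given bound names:
// bind each listed property, then hand the same list as excludedNames to
// copyDataProperties so the rest object only receives what was not destructured.
function destructureWithRest(source, names) {
  if (source === undefined || source === null)
    throw new TypeError('Cannot destructure ' + String(source));
  const bound = {};
  for (const name of names)
    bound[name] = source[name];
  const rest = copyDataProperties({}, source, names);
  return { bound, rest };
}

// Constructed sample input: an object with an inherited property, a
// non-enumerable own property and a symbol-keyed own property, to show which
// of them end up in the rest object.
const SAMPLE_SYMBOL = Symbol('sampleSymbol');

function makeSample() {
  const proto = { inherited: 'not copied' };
  const obj = Object.create(proto);
  obj.a = 1;
  obj.b = 2;
  obj.c = 3;
  obj[SAMPLE_SYMBOL] = 'copied';
  Object.defineProperty(obj, 'hidden', { value: 'not copied', enumerable: false });
  return obj;
}

// Runs the emulation next to the engine's native object rest and reports
// whether the two agree on the rest object's own keys (and their order).
function compareWithNative() {
  const sample = makeSample();
  const emulated = destructureWithRest(sample, ['a', 'b']);
  const { a, b, ...nativeRest } = sample;
  const sameKeys =
    JSON.stringify(Reflect.ownKeys(emulated.rest).map(String)) ===
    JSON.stringify(Reflect.ownKeys(nativeRest).map(String));
  return { emulated, nativeRest, sameKeys, a, b };
}

console.log(compareWithNative().sameKeys); // prints true
```

The rest object deliberately receives only own enumerable properties: the inherited and non-enumerable members of the sample stay out, the symbol-keyed one is copied, and the keys passed as excludedNames never reach it. Using a Set for the exclusion list is what keeps the cost linear in the size of the source plus the pattern rather than their product.
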
2317 2017-03-09  Mark Lam  <mark.lam@apple.com>
2318
2319         Implement a StackTrace utility object that can capture stack traces for debugging.
2320         https://bugs.webkit.org/show_bug.cgi?id=169454
2321
2322         Reviewed by Michael Saboff.
2323
2324         The underlying implementation is hoisted right out of Assertions.cpp from the
2325         implementations of WTFPrintBacktrace().
2326
2327         The reason we need this StackTrace object is because during heap debugging, we
2328         sometimes want to capture the stack trace that allocated the objects of interest.
2329         Dumping the stack trace directly to stdout (using WTFReportBacktrace()) may
2330         perturb the execution profile sufficiently that an issue may not reproduce,
2331         while alternatively, just capturing the stack trace and deferring printing it
2332         till we actually need it later perturbs the execution profile less.
2333
2334         In addition, just capturing the stack traces (instead of printing them
2335         immediately at each capture site) allows us to avoid polluting stdout with tons
2336         of stack traces that may be irrelevant.
2337
2338         For now, we only capture the native stack trace.  We'll leave capturing and
2339         integrating the JS stack trace as an exercise for the future if we need it then.
2340
2341         Here's an example of how to use this StackTrace utility:
2342
2343             // Capture a stack trace of the top 10 frames.
2344             std::unique_ptr<StackTrace> trace(StackTrace::captureStackTrace(10));
2345             // Print the trace.
2346             dataLog(*trace);
2347
2348         * CMakeLists.txt:
2349         * JavaScriptCore.xcodeproj/project.pbxproj:
2350         * tools/StackTrace.cpp: Added.
2351         (JSC::StackTrace::instanceSize):
2352         (JSC::StackTrace::captureStackTrace):
2353         (JSC::StackTrace::dump):
2354         * tools/StackTrace.h: Added.
2355         (JSC::StackTrace::StackTrace):
2356         (JSC::StackTrace::size):
2357
2358 2017-03-09  Keith Miller  <keith_miller@apple.com>
2359
2360         WebAssembly: Enable fast memory for WK2
2361         https://bugs.webkit.org/show_bug.cgi?id=169437
2362
2363         Reviewed by Tim Horton.
2364
2365         * JavaScriptCore.xcodeproj/project.pbxproj:
2366
2367 2017-03-09  Matt Baker  <mattbaker@apple.com>
2368
2369         Web Inspector: Add XHR breakpoints UI
2370         https://bugs.webkit.org/show_bug.cgi?id=168763
2371         <rdar://problem/30952439>
2372
2373         Reviewed by Joseph Pecoraro.
2374
2375         * inspector/protocol/DOMDebugger.json:
2376         Added clarifying comments to command descriptions.
2377
2378 2017-03-09  Michael Saboff  <msaboff@apple.com>
2379
2380         Add plumbing to WebProcess to enable JavaScriptCore configuration and logging
2381         https://bugs.webkit.org/show_bug.cgi?id=169387
2382
2383         Reviewed by Filip Pizlo.
2384
2385         Added a helper function, processConfigFile(), to process configuration file.
2386         Changed jsc.cpp to use that function in lieu of processing the config file
2387         manually.
2388
2389         * JavaScriptCore.xcodeproj/project.pbxproj: Made ConfigFile.h a private header file.
2390         * jsc.cpp:
2391         (jscmain):
2392         * runtime/ConfigFile.cpp:
2393         (JSC::processConfigFile):
2394         * runtime/ConfigFile.h:
2395
2396 2017-03-09  Joseph Pecoraro  <pecoraro@apple.com>
2397
2398         Web Inspector: Show HTTP protocol version and other Network Load Metrics (IP Address, Priority, Connection ID)
2399         https://bugs.webkit.org/show_bug.cgi?id=29687
2400         <rdar://problem/19281586>
2401
2402         Reviewed by Matt Baker and Brian Burg.
2403
2404         * inspector/protocol/Network.json:
2405         Add metrics object with optional properties to loadingFinished event.
2406
2407 2017-03-09  Youenn Fablet  <youenn@apple.com>
2408
2409         Minimal build is broken
2410         https://bugs.webkit.org/show_bug.cgi?id=169416
2411
2412         Reviewed by Chris Dumez.
2413
2414         Since we now have some JS built-ins that are not tied to a compilation flag, we can remove compilation guards around m_vm.
2415         We could probably remove m_vm by ensuring m_jsDOMBindingInternals appears first, but this might break very easily.
2416
2417         * Scripts/builtins/builtins_generate_internals_wrapper_header.py:
2418         (generate_members):
2419         * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
2420         (BuiltinsInternalsWrapperImplementationGenerator.generate_constructor):
2421         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
2422
2423 2017-03-09  Daniel Bates  <dabates@apple.com>
2424
2425         Guard Credential Management implementation behind a runtime enabled feature flag
2426         https://bugs.webkit.org/show_bug.cgi?id=169364
2427         <rdar://problem/30957425>
2428
2429         Reviewed by Brent Fulgham.
2430
2431         Add common identifiers for Credential, PasswordCredential, and SiteBoundCredential that are
2432         needed to guard these interfaces behind a runtime enabled feature flag.
2433
2434         * runtime/CommonIdentifiers.h:
2435
2436 2017-03-09  Mark Lam  <mark.lam@apple.com>
2437
2438         Refactoring some HeapVerifier code.
2439         https://bugs.webkit.org/show_bug.cgi?id=169443
2440
2441         Reviewed by Filip Pizlo.
2442
2443         Renamed LiveObjectData to CellProfile.
2444         Renamed LiveObjectList to CellList.
2445         Moved CellProfile.*, CellList.*, and HeapVerifier.* from the heap folder to the tools folder.
2446         Updated the HeapVerifier to handle JSCells instead of just JSObjects.
2447
2448         This is in preparation for subsequent patches to fix up the HeapVerifier for service again.
2449
2450         * CMakeLists.txt:
2451         * JavaScriptCore.xcodeproj/project.pbxproj:
2452         * heap/Heap.cpp:
2453         (JSC::Heap::runBeginPhase):
2454         (JSC::Heap::runEndPhase):
2455         * heap/HeapVerifier.cpp: Removed.
2456         * heap/HeapVerifier.h: Removed.
2457         * heap/LiveObjectData.h: Removed.
2458         * heap/LiveObjectList.cpp: Removed.
2459         * heap/LiveObjectList.h: Removed.
2460         * tools/CellList.cpp: Copied from Source/JavaScriptCore/heap/LiveObjectList.cpp.
2461         (JSC::CellList::findCell):
2462         (JSC::LiveObjectList::findObject): Deleted.
2463         * tools/CellList.h: Copied from Source/JavaScriptCore/heap/LiveObjectList.h.
2464         (JSC::CellList::CellList):
2465         (JSC::CellList::reset):
2466         (JSC::LiveObjectList::LiveObjectList): Deleted.
2467         (JSC::LiveObjectList::reset): Deleted.
2468         * tools/CellProfile.h: Copied from Source/JavaScriptCore/heap/LiveObjectData.h.
2469         (JSC::CellProfile::CellProfile):
2470         (JSC::LiveObjectData::LiveObjectData): Deleted.
2471         * tools/HeapVerifier.cpp: Copied from Source/JavaScriptCore/heap/HeapVerifier.cpp.
2472         (JSC::GatherCellFunctor::GatherCellFunctor):
2473         (JSC::GatherCellFunctor::visit):
2474         (JSC::GatherCellFunctor::operator()):
2475         (JSC::HeapVerifier::gatherLiveCells):
2476         (JSC::HeapVerifier::cellListForGathering):
2477         (JSC::trimDeadCellsFromList):
2478         (JSC::HeapVerifier::trimDeadCells):
2479         (JSC::HeapVerifier::verifyButterflyIsInStorageSpace):
2480         (JSC::HeapVerifier::reportCell):
2481         (JSC::HeapVerifier::checkIfRecorded):
2482         (JSC::GatherLiveObjFunctor::GatherLiveObjFunctor): Deleted.
2483         (JSC::GatherLiveObjFunctor::visit): Deleted.
2484         (JSC::GatherLiveObjFunctor::operator()): Deleted.
2485         (JSC::HeapVerifier::gatherLiveObjects): Deleted.
2486         (JSC::HeapVerifier::liveObjectListForGathering): Deleted.
2487         (JSC::trimDeadObjectsFromList): Deleted.
2488         (JSC::HeapVerifier::trimDeadObjects): Deleted.
2489         (JSC::HeapVerifier::reportObject): Deleted.
2490         * tools/HeapVerifier.h: Copied from Source/JavaScriptCore/heap/HeapVerifier.h.
2491
2492 2017-03-09  Anders Carlsson  <andersca@apple.com>
2493
2494         Add delegate support to WebCore
2495         https://bugs.webkit.org/show_bug.cgi?id=169427
2496         Part of rdar://problem/28880714.
2497
2498         Reviewed by Geoffrey Garen.
2499
2500         * Configurations/FeatureDefines.xcconfig:
2501         Add feature define.
2502
2503 2017-03-09  Nikita Vasilyev  <nvasilyev@apple.com>
2504
2505         Web Inspector: Show individual messages in the content pane for a WebSocket
2506         https://bugs.webkit.org/show_bug.cgi?id=169011
2507
2508         Reviewed by Joseph Pecoraro.
2509
2510         Add walltime parameter and correct the description of Timestamp type.
2511
2512         * inspector/protocol/Network.json:
2513
2514 2017-03-09  Filip Pizlo  <fpizlo@apple.com>
2515
2516         Unreviewed, fix weak external symbol error.
2517
2518         * heap/SlotVisitor.h:
2519
2520 2017-03-09  Filip Pizlo  <fpizlo@apple.com>
2521
2522         std::isnan/isinf should work with WTF time classes
2523         https://bugs.webkit.org/show_bug.cgi?id=164991
2524
2525         Reviewed by Darin Adler.
2526         
2527         Changes AtomicsObject to use std::isnan() instead of operator== to detect NaN.
2528
2529         * runtime/AtomicsObject.cpp:
2530         (JSC::atomicsFuncWait):
2531
2532 2017-03-09  Mark Lam  <mark.lam@apple.com>
2533
2534         Use const AbstractLocker& (instead of const LockHolder&) in more places.
2535         https://bugs.webkit.org/show_bug.cgi?id=169424
2536
2537         Reviewed by Filip Pizlo.
2538
2539         * heap/CodeBlockSet.cpp:
2540         (JSC::CodeBlockSet::promoteYoungCodeBlocks):
2541         * heap/CodeBlockSet.h:
2542         * heap/CodeBlockSetInlines.h:
2543         (JSC::CodeBlockSet::mark):
2544         * heap/ConservativeRoots.cpp:
2545         (JSC::CompositeMarkHook::CompositeMarkHook):
2546         * heap/MachineStackMarker.cpp:
2547         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2548         * heap/MachineStackMarker.h:
2549         * profiler/ProfilerDatabase.cpp:
2550         (JSC::Profiler::Database::ensureBytecodesFor):
2551         * profiler/ProfilerDatabase.h:
2552         * runtime/SamplingProfiler.cpp:
2553         (JSC::FrameWalker::FrameWalker):
2554         (JSC::CFrameWalker::CFrameWalker):
2555         (JSC::SamplingProfiler::createThreadIfNecessary):
2556         (JSC::SamplingProfiler::takeSample):
2557         (JSC::SamplingProfiler::start):
2558         (JSC::SamplingProfiler::pause):
2559         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
2560         (JSC::SamplingProfiler::clearData):
2561         (JSC::SamplingProfiler::releaseStackTraces):
2562         * runtime/SamplingProfiler.h:
2563         (JSC::SamplingProfiler::setStopWatch):
2564         * wasm/WasmMemory.cpp:
2565         (JSC::Wasm::availableFastMemories):
2566         (JSC::Wasm::activeFastMemories):
2567         (JSC::Wasm::viewActiveFastMemories):
2568         * wasm/WasmMemory.h:
2569
2570 2017-03-09  Saam Barati  <sbarati@apple.com>
2571
2572         WebAssembly: Make the Unity AngryBots demo run
2573         https://bugs.webkit.org/show_bug.cgi?id=169268
2574
2575         Reviewed by Keith Miller.
2576
2577         This patch fixes three bugs:
2578         1. The WasmBinding code for making a JS call was off
2579         by 1 in its stack layout code.
2580         2. The WasmBinding code had a "<" comparison instead
2581         of a ">=" comparison. This would cause us to calculate
2582         the wrong frame pointer offset.
2583         3. The code to reload wasm state inside B3IRGenerator didn't
2584         properly represent its effects.
2585
2586         * wasm/WasmB3IRGenerator.cpp:
2587         (JSC::Wasm::restoreWebAssemblyGlobalState):
2588         (JSC::Wasm::parseAndCompile):
2589         * wasm/WasmBinding.cpp:
2590         (JSC::Wasm::wasmToJs):
2591         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2592         (JSC::WebAssemblyInstanceConstructor::createInstance):
2593
2594 2017-03-09  Mark Lam  <mark.lam@apple.com>
2595
2596         Make the VM Traps mechanism non-polling for the DFG and FTL.
2597         https://bugs.webkit.org/show_bug.cgi?id=168920
2598         <rdar://problem/30738588>
2599
2600         Reviewed by Filip Pizlo.
2601
2602         1. Added an ENABLE(SIGNAL_BASED_VM_TRAPS) configuration in Platform.h.
2603            This is currently only enabled for OS(DARWIN) and ENABLE(JIT).
2604         2. Added assembler functions for overwriting an instruction with a breakpoint.
2605         3. Added a new JettisonDueToVMTraps jettison reason.
2606         4. Added CodeBlock and DFG::CommonData utility functions for overwriting
2607            invalidation points with breakpoint instructions.
2608         5. The BytecodeGenerator now emits the op_check_traps bytecode unconditionally.
2609         6. Removed the JSC_alwaysCheckTraps option because of (4) above.
2610            For ports that don't ENABLE(SIGNAL_BASED_VM_TRAPS), we'll force
2611            Options::usePollingTraps() to always be true.  This makes the VMTraps
2612            implementation fall back to using polling based traps only.
2613
2614         7. Make VMTraps support signal based traps.
2615
2616         Some design and implementation details of signal based VM traps:
2617
2618         - The implementation makes use of 2 signal handlers for SIGUSR1 and SIGTRAP.
2619
2620         - VMTraps::fireTrap() will set the flag for the requested trap and instantiate
2621           a SignalSender.  The SignalSender will send SIGUSR1 to the mutator thread that
2622           we want to trap, and check for the occurrence of one of the following events:
2623
2624           a. VMTraps::handleTraps() has been called for the requested trap, or
2625
2626           b. the VM is inactive and is no longer executing any JS code.  We determine
2627              this to be the case if the thread no longer owns the JSLock and the VM's
2628              entryScope is null.
2629
2630              Note: the thread can relinquish the JSLock while the VM's entryScope is not
2631              null.  This happens when the thread calls JSLock::dropAllLocks() before
2632              calling a host function that may block on IO (or whatever).  For our purpose,
2633              this counts as the VM still running JS code, and VM::fireTrap() will still
2634              be waiting.
2635
2636           If the SignalSender does not see either of these events, it will sleep for a
2637           while and then re-send SIGUSR1 and check for the events again.  When it sees
2638           one of these events, it will consider the mutator to have received the trap
2639           request.
2640
2641         - The SIGUSR1 handler will try to insert breakpoints at the invalidation points
2642           in the DFG/FTL codeBlock at the top of the stack.  This allows the mutator
2643           thread to break (with a SIGTRAP) exactly at an invalidation point, where it's
2644           safe to jettison the codeBlock.
2645
2646           Note: we cannot have the requester thread (that called VMTraps::fireTrap())
2647           insert the breakpoint instructions itself.  This is because we need the
2648           register state of the mutator thread (that we want to trap in) in order to
2649           find the codeBlocks that we wish to insert the breakpoints in.  Currently,
2650           we don't have a generic way for the requester thread to get the register state
2651           of another thread.
2652
2653         - The SIGTRAP handler will check to see if it is trapping on a breakpoint at an
2654           invalidation point.  If so, it will jettison the codeBlock and adjust the PC
2655           to re-execute the invalidation OSR exit off-ramp.  After the OSR exit, the
2656           baseline JIT code will eventually reach an op_check_traps and call
2657           VMTraps::handleTraps().
2658
2659           If the handler is not trapping at an invalidation point, then it must be
2660           observing an assertion failure (which also uses the breakpoint instruction).
2661           In this case, the handler will defer to the default SIGTRAP handler and crash.
2662
2663         - The reason we need the SignalSender is because SignalSender::send() is called
2664           from another thread in a loop, so that VMTraps::fireTrap() can return sooner.
2665           send() needs to make use of the VM pointer, and it is not guaranteed that the
2666           VM will outlive the thread.  SignalSender provides the mechanism by which we
2667           can nullify the VM pointer when the VM dies so that the thread does not
2668           continue to use it.
2669
2670         * assembler/ARM64Assembler.h:
2671         (JSC::ARM64Assembler::replaceWithBrk):
2672         * assembler/ARMAssembler.h:
2673         (JSC::ARMAssembler::replaceWithBrk):
2674         * assembler/ARMv7Assembler.h:
2675         (JSC::ARMv7Assembler::replaceWithBkpt):
2676         * assembler/MIPSAssembler.h:
2677         (JSC::MIPSAssembler::replaceWithBkpt):
2678         * assembler/MacroAssemblerARM.h:
2679         (JSC::MacroAssemblerARM::replaceWithJump):
2680         * assembler/MacroAssemblerARM64.h:
2681         (JSC::MacroAssemblerARM64::replaceWithBreakpoint):
2682         * assembler/MacroAssemblerARMv7.h:
2683         (JSC::MacroAssemblerARMv7::replaceWithBreakpoint):
2684         * assembler/MacroAssemblerMIPS.h:
2685         (JSC::MacroAssemblerMIPS::replaceWithJump):
2686         * assembler/MacroAssemblerX86Common.h:
2687         (JSC::MacroAssemblerX86Common::replaceWithBreakpoint):
2688         * assembler/X86Assembler.h:
2689         (JSC::X86Assembler::replaceWithInt3):
2690         * bytecode/CodeBlock.cpp:
2691         (JSC::CodeBlock::jettison):
2692         (JSC::CodeBlock::hasInstalledVMTrapBreakpoints):
2693         (JSC::CodeBlock::installVMTrapBreakpoints):
2694         * bytecode/CodeBlock.h:
2695         * bytecompiler/BytecodeGenerator.cpp:
2696         (JSC::BytecodeGenerator::emitCheckTraps):
2697         * dfg/DFGCommonData.cpp:
2698         (JSC::DFG::CommonData::installVMTrapBreakpoints):
2699         (JSC::DFG::CommonData::isVMTrapBreakpoint):
2700         * dfg/DFGCommonData.h:
2701         (JSC::DFG::CommonData::hasInstalledVMTrapsBreakpoints):
2702         * dfg/DFGJumpReplacement.cpp:
2703         (JSC::DFG::JumpReplacement::installVMTrapBreakpoint):
2704         * dfg/DFGJumpReplacement.h:
2705         (JSC::DFG::JumpReplacement::dataLocation):
2706         * dfg/DFGNodeType.h:
2707         * heap/CodeBlockSet.cpp:
2708         (JSC::CodeBlockSet::contains):
2709         * heap/CodeBlockSet.h:
2710         * heap/CodeBlockSetInlines.h:
2711         (JSC::CodeBlockSet::iterate):
2712         * heap/Heap.cpp:
2713         (JSC::Heap::forEachCodeBlockIgnoringJITPlansImpl):
2714         * heap/Heap.h:
2715         * heap/HeapInlines.h:
2716         (JSC::Heap::forEachCodeBlockIgnoringJITPlans):
2717         * heap/MachineStackMarker.h:
2718         (JSC::MachineThreads::threadsListHead):
2719         * jit/ExecutableAllocator.cpp:
2720         (JSC::ExecutableAllocator::isValidExecutableMemory):
2721         * jit/ExecutableAllocator.h:
2722         * profiler/ProfilerJettisonReason.cpp:
2723         (WTF::printInternal):
2724         * profiler/ProfilerJettisonReason.h:
2725         * runtime/JSLock.cpp:
2726         (JSC::JSLock::didAcquireLock):
2727         * runtime/Options.cpp:
2728         (JSC::overrideDefaults):
2729         * runtime/Options.h:
2730         * runtime/PlatformThread.h:
2731         (JSC::platformThreadSignal):
2732         * runtime/VM.cpp:
2733         (JSC::VM::~VM):
2734         (JSC::VM::ensureWatchdog):
2735         (JSC::VM::handleTraps): Deleted.
2736         (JSC::VM::setNeedAsynchronousTerminationSupport): Deleted.
2737         * runtime/VM.h:
2738         (JSC::VM::ownerThread):
2739         (JSC::VM::traps):
2740         (JSC::VM::handleTraps):
2741         (JSC::VM::needTrapHandling):
2742         (JSC::VM::needAsynchronousTerminationSupport): Deleted.
2743         * runtime/VMTraps.cpp:
2744         (JSC::VMTraps::vm):
2745         (JSC::SignalContext::SignalContext):
2746         (JSC::SignalContext::adjustPCToPointToTrappingInstruction):
2747         (JSC::vmIsInactive):
2748         (JSC::findActiveVMAndStackBounds):
2749         (JSC::handleSigusr1):
2750         (JSC::handleSigtrap):
2751         (JSC::installSignalHandlers):
2752         (JSC::sanitizedTopCallFrame):
2753         (JSC::isSaneFrame):
2754         (JSC::VMTraps::tryInstallTrapBreakpoints):
2755         (JSC::VMTraps::invalidateCodeBlocksOnStack):
2756         (JSC::VMTraps::VMTraps):
2757         (JSC::VMTraps::willDestroyVM):
2758         (JSC::VMTraps::addSignalSender):
2759         (JSC::VMTraps::removeSignalSender):
2760         (JSC::VMTraps::SignalSender::willDestroyVM):
2761         (JSC::VMTraps::SignalSender::send):
2762         (JSC::VMTraps::fireTrap):
2763         (JSC::VMTraps::handleTraps):
2764         * runtime/VMTraps.h:
2765         (JSC::VMTraps::~VMTraps):
2766         (JSC::VMTraps::needTrapHandling):
2767         (JSC::VMTraps::notifyGrabAllLocks):
2768         (JSC::VMTraps::SignalSender::SignalSender):
2769         (JSC::VMTraps::invalidateCodeBlocksOnStack):
2770         * tools/VMInspector.cpp:
2771         * tools/VMInspector.h:
2772         (JSC::VMInspector::getLock):
2773         (JSC::VMInspector::iterate):
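
        The signalling protocol this entry describes, as an added example that is not JavaScriptCore's
        own code: a mutator thread models a VM that owns the JSLock and has a live entryScope, a requester
        thread fires a trap by sending SIGUSR1 in a loop, and that loop exits only when it observes that the
        trap was handled (condition a) or that the VM has gone inactive (condition b). The breakpoint insertion
        and PC adjustment done by the real SIGUSR1/SIGTRAP handlers are not modelled; polling a flag at a safe
        point stands in for op_check_traps. All names here (struct VM, fire_trap, handle_traps, ...) are this
        example's own, and it assumes a POSIX system with pthreads, C11 atomics and _Thread_local.

```c
/* Added example, not JavaScriptCore code: a minimal model of the VMTraps
 * design. Names, fields and the polling safe point are this example's own. */
#define _DEFAULT_SOURCE
#include <pthread.h>
#include <sched.h>
#include <signal.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

enum { TRAP_NONE = 0, TRAP_TERMINATE = 1 };

struct VM {
    pthread_t owner_thread;                   /* thread the requester signals */
    atomic_bool lock_held;                    /* models JSLock ownership */
    atomic_bool entry_scope_active;           /* models "entryScope != null" */
    atomic_int pending_trap;                  /* written by fire_trap */
    volatile sig_atomic_t need_trap_handling; /* set by the SIGUSR1 handler */
    atomic_int handled_trap;                  /* last trap seen by handle_traps */
    atomic_int signals_sent;                  /* SIGUSR1 count, for the demo */
    atomic_bool stop;                         /* lets the demo thread exit */
};

/* The handler finds "its" VM through thread-local state and only records
 * that a trap is pending; the real work happens later at a safe point. */
static _Thread_local struct VM *active_vm;

static void handle_sigusr1(int sig, siginfo_t *info, void *ctx)
{
    (void)sig; (void)info; (void)ctx;
    if (active_vm)
        active_vm->need_trap_handling = 1;
}

static void install_signal_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = handle_sigusr1;
    sa.sa_flags = SA_SIGINFO | SA_RESTART;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGUSR1, &sa, NULL);
}

/* Condition (b) of the entry: nobody owns the JSLock and there is no entry scope. */
static bool vm_is_inactive(struct VM *vm)
{
    return !atomic_load(&vm->lock_held) && !atomic_load(&vm->entry_scope_active);
}

/* Mutator side, reached from a safe point: the analogue of handleTraps(). */
static void handle_traps(struct VM *vm)
{
    vm->need_trap_handling = 0;
    atomic_store(&vm->handled_trap, atomic_load(&vm->pending_trap));
}

/* Requester side: the SignalSender loop. Returns how many signals it sent
 * before one of the two exit conditions held. */
static int fire_trap(struct VM *vm, int trap)
{
    atomic_store(&vm->pending_trap, trap);
    for (;;) {
        if (vm_is_inactive(vm) || atomic_load(&vm->handled_trap) == trap)
            return atomic_load(&vm->signals_sent);
        atomic_fetch_add(&vm->signals_sent, 1);
        pthread_kill(vm->owner_thread, SIGUSR1);
        struct timespec backoff = { 0, 1000000 };  /* sleep 1 ms, then re-check and re-send */
        nanosleep(&backoff, NULL);
    }
}

static void *mutator_main(void *arg)
{
    struct VM *vm = arg;
    active_vm = vm;
    atomic_store(&vm->lock_held, true);           /* acquire the "JSLock" */
    atomic_store(&vm->entry_scope_active, true);  /* start executing "JS" */
    while (!vm->need_trap_handling)               /* run until a safe point sees the flag */
        sched_yield();
    handle_traps(vm);
    atomic_store(&vm->entry_scope_active, false);
    atomic_store(&vm->lock_held, false);
    while (!atomic_load(&vm->stop))               /* stay alive until the requester is done */
        sched_yield();
    return NULL;
}

/* Trap a running mutator. Returns the number of signals sent (>= 1), or -1 on failure. */
static int demo_trap_running_vm(void)
{
    install_signal_handler();
    struct VM vm = {0};
    pthread_t t;
    if (pthread_create(&t, NULL, mutator_main, &vm) != 0)
        return -1;
    vm.owner_thread = t;
    while (!atomic_load(&vm.entry_scope_active))   /* wait until it is inside "JS" */
        sched_yield();
    int sent = fire_trap(&vm, TRAP_TERMINATE);
    atomic_store(&vm.stop, true);
    pthread_join(t, NULL);
    return atomic_load(&vm.handled_trap) == TRAP_TERMINATE ? sent : -1;
}

/* A VM with no lock owner and no entry scope is inactive: fire_trap returns
 * at once without sending anything, i.e. 0. */
static int demo_trap_inactive_vm(void)
{
    struct VM vm = {0};
    vm.owner_thread = pthread_self();
    return fire_trap(&vm, TRAP_TERMINATE);
}

int main(void)
{
    printf("inactive VM: %d signal(s)\n", demo_trap_inactive_vm());
    printf("running VM:  %d signal(s)\n", demo_trap_running_vm());
    return 0;
}
```

        Build it with the platform's C compiler (older glibc needs -lpthread). The inactive check is what keeps
        fire_trap from spinning against a VM whose thread has already left JS; the separate hazard of the VM
        being destroyed while the sender loop still holds its pointer is what the entry's SignalSender
        nullification addresses, and is not modelled here.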
2774
2775 2017-03-09  Filip Pizlo  <fpizlo@apple.com>
2776
2777         WebKit: JSC: JSObject::ensureLength doesn't check if ensureLengthSlow failed
2778         https://bugs.webkit.org/show_bug.cgi?id=169215
2779
2780         Reviewed by Mark Lam.
2781         
2782         This doesn't have a test because it would be a very complicated test.
2783
2784         * runtime/JSObject.h:
2785         (JSC::JSObject::ensureLength): If ensureLengthSlow returns false, we need to return false.
2786
2787 2017-03-07  Filip Pizlo  <fpizlo@apple.com>
2788
2789         WTF should make it super easy to do ARM concurrency tricks
2790         https://bugs.webkit.org/show_bug.cgi?id=169300
2791
2792         Reviewed by Mark Lam.
2793         
2794         This changes a bunch of GC hot paths to use new concurrency APIs that lead to optimal
2795         code on both x86 (fully leverage TSO, transactions become CAS loops) and ARM (use
2796         dependency chains for fencing, transactions become LL/SC loops). While inspecting the
2797         machine code, I found other opportunities for improvement, like inlining the "am I
2798         marked" part of the marking functions.
2799
2800         * heap/Heap.cpp:
2801         (JSC::Heap::setGCDidJIT):
2802         * heap/HeapInlines.h:
2803         (JSC::Heap::testAndSetMarked):
2804         * heap/LargeAllocation.h:
2805         (JSC::LargeAllocation::isMarked):
2806         (JSC::LargeAllocation::isMarkedConcurrently):
2807         (JSC::LargeAllocation::aboutToMark):
2808         (JSC::LargeAllocation::testAndSetMarked):
2809         * heap/MarkedBlock.h:
2810         (JSC::MarkedBlock::areMarksStaleWithDependency):
2811         (JSC::MarkedBlock::aboutToMark):
2812         (JSC::MarkedBlock::isMarkedConcurrently):
2813         (JSC::MarkedBlock::isMarked):
2814         (JSC::MarkedBlock::testAndSetMarked):
2815         * heap/SlotVisitor.cpp:
2816         (JSC::SlotVisitor::appendSlow):
2817         (JSC::SlotVisitor::appendHiddenSlow):
2818         (JSC::SlotVisitor::appendHiddenSlowImpl):
2819         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
2820         (JSC::SlotVisitor::appendUnbarriered): Deleted.
2821         (JSC::SlotVisitor::appendHidden): Deleted.
2822         * heap/SlotVisitor.h:
2823         * heap/SlotVisitorInlines.h:
2824         (JSC::SlotVisitor::appendUnbarriered):
2825         (JSC::SlotVisitor::appendHidden):
2826         (JSC::SlotVisitor::append):
2827         (JSC::SlotVisitor::appendValues):
2828         (JSC::SlotVisitor::appendValuesHidden):
2829         * runtime/CustomGetterSetter.cpp:
2830         * runtime/JSObject.cpp:
2831         (JSC::JSObject::visitButterflyImpl):
2832         * runtime/JSObject.h:
2833
2834 2017-03-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2835
2836         [GTK] JSC test stress/arity-check-ftl-throw.js.ftl-no-cjit-validate-sampling-profiler crashing on GTK bot
2837         https://bugs.webkit.org/show_bug.cgi?id=160124
2838
2839         Reviewed by Mark Lam.
2840
2841         When performing CallVarargs, we will copy values to the stack.
2842         Before actually copying values, we need to adjust the stackPointerRegister
2843         to ensure copied values are in the allocated stack area.
2844         If we do not do that, the OS can break the values that are stored beyond the stack
2845         pointer. For example, a signal stack can be constructed in this area and
2846         break the values.
2847
2848         This patch fixes the crash in stress/spread-forward-call-varargs-stack-overflow.js
2849         in the Linux port. Since Linux ports use signals to suspend and resume threads,
2850         the signal handler is frequently called when the sampling profiler is enabled. Thus this
2851         crash occurs.
2852
2853         * dfg/DFGSpeculativeJIT32_64.cpp:
2854         (JSC::DFG::SpeculativeJIT::emitCall):
2855         * dfg/DFGSpeculativeJIT64.cpp:
2856         (JSC::DFG::SpeculativeJIT::emitCall):
2857         * ftl/FTLLowerDFGToB3.cpp:
2858         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2859         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
2860         * jit/SetupVarargsFrame.cpp:
2861         (JSC::emitSetupVarargsFrameFastCase):
2862         * jit/SetupVarargsFrame.h:
2863
2864 2017-03-08  Joseph Pecoraro  <pecoraro@apple.com>
2865
2866         Web Inspector: Should be able to see where Resources came from (Memory Cache, Disk Cache)
2867         https://bugs.webkit.org/show_bug.cgi?id=164892
2868         <rdar://problem/29320562>
2869
2870         Reviewed by Brian Burg.
2871
2872         * inspector/protocol/Network.json:
2873         Replace "fromDiskCache" property with "source" property which includes
2874         more complete information about the source of this response (network,
2875         memory cache, disk cache, or unknown).
2876
2877         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2878         (_generate_class_for_object_declaration):
2879         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2880         (CppProtocolTypesImplementationGenerator._generate_open_field_names):
2881         * inspector/scripts/codegen/generator.py:
2882         (Generator):
2883         (Generator.open_fields):
2884         To avoid conflicts between the Inspector::Protocol::Network::Response::Source
2885         enum and open accessor string symbol that would have the same name, only generate
2886         a specific list of open accessor strings. This reduces the list of exported
2887         symbols from all properties to just the ones that are needed. This can be
2888         cleaned up later if needed.
2889
2890         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result: Added.
2891         * inspector/scripts/tests/generic/type-with-open-parameters.json: Added.
2892         Test for open accessors generation.
2893
2894 2017-03-08  Keith Miller  <keith_miller@apple.com>
2895
2896         WebAssembly: Make OOB for fast memory do an extra safety check by ensuring the faulting address is in the range we allocated for fast memory
2897         https://bugs.webkit.org/show_bug.cgi?id=169290
2898
2899         Reviewed by Saam Barati.
2900
2901         This patch adds an extra sanity check by ensuring that the memory address we are faulting on while trying to load is in range
2902         of some wasm fast memory.
2903
2904         * wasm/WasmFaultSignalHandler.cpp:
2905         (JSC::Wasm::trapHandler):
2906         (JSC::Wasm::enableFastMemory):
2907         * wasm/WasmMemory.cpp:
2908         (JSC::Wasm::activeFastMemories):
2909         (JSC::Wasm::viewActiveFastMemories):
2910         (JSC::Wasm::tryGetFastMemory):
2911         (JSC::Wasm::releaseFastMemory):
2912         * wasm/WasmMemory.h:
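
        The range check this entry adds, as an added example that is not WebKit's code: a fast memory is
        reserved as one large PROT_NONE mapping of which only the first part is committed, a wasm load is
        performed with no explicit bounds check, and the SIGSEGV/SIGBUS handler treats a fault as a wasm
        out-of-bounds trap only when si_addr lies inside a reservation it handed out. It also illustrates the
        guard-page memory layout that the 2017-03-03 "WASM should support faster loads" entry at the end of
        this page describes. The sizes, the names (active_fast_memories, try_get_fast_memory, wasm_load8, ...)
        and the use of siglongjmp to unwind out of the handler are this example's own assumptions; the page does
        not describe how the real handler resumes execution.

```c
/* Added example, not WebKit code: a guard-page "fast memory" plus the check
 * that the faulting address belongs to one. Sizes and names are assumptions. */
#define _DEFAULT_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#define MAX_FAST_MEMORIES 4
#define COMMITTED_BYTES   (64u * 1024)        /* accessible part of the wasm memory */
#define RESERVED_BYTES    (8u * 1024 * 1024)  /* whole reservation, rest is guard pages */

struct FastMemory { uint8_t *base; size_t reserved; };
static struct FastMemory active_fast_memories[MAX_FAST_MEMORIES];
static int active_count;

/* True if addr falls inside any reservation we handed out. */
static bool address_in_fast_memory(const void *addr)
{
    const uint8_t *p = addr;
    for (int i = 0; i < active_count; i++) {
        const struct FastMemory *m = &active_fast_memories[i];
        if (p >= m->base && p < m->base + m->reserved)
            return true;
    }
    return false;
}

static sigjmp_buf trap_recovery;
static volatile sig_atomic_t in_wasm_code;

static void fault_handler(int sig, siginfo_t *info, void *ctx)
{
    (void)ctx;
    /* Only a fault raised while running wasm, at an address inside one of
     * our reservations, is an out-of-bounds trap. */
    if (in_wasm_code && address_in_fast_memory(info->si_addr))
        siglongjmp(trap_recovery, 1);
    /* Anything else is not ours: restore the default action and return, so
     * the faulting instruction re-executes and the process crashes normally. */
    signal(sig, SIG_DFL);
}

static void install_fault_handlers(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = fault_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, NULL);
    sigaction(SIGBUS, &sa, NULL);  /* macOS reports these faults as SIGBUS */
}

/* Reserve RESERVED_BYTES with no access, then commit the first COMMITTED_BYTES. */
static uint8_t *try_get_fast_memory(void)
{
    if (active_count == MAX_FAST_MEMORIES)
        return NULL;
    void *base = mmap(NULL, RESERVED_BYTES, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return NULL;
    if (mprotect(base, COMMITTED_BYTES, PROT_READ | PROT_WRITE) != 0) {
        munmap(base, RESERVED_BYTES);
        return NULL;
    }
    active_fast_memories[active_count].base = base;
    active_fast_memories[active_count].reserved = RESERVED_BYTES;
    active_count++;
    return base;
}

static void release_fast_memory(uint8_t *base)
{
    for (int i = 0; i < active_count; i++) {
        if (active_fast_memories[i].base != base)
            continue;
        munmap(base, active_fast_memories[i].reserved);
        active_fast_memories[i] = active_fast_memories[--active_count];
        return;
    }
}

/* A wasm i32.load8_u with no explicit bounds check: the guard pages are the
 * check. Returns the byte read, or -1 if the access trapped. */
static int wasm_load8(uint8_t *memory, uint32_t offset)
{
    if (sigsetjmp(trap_recovery, 1) != 0) {
        in_wasm_code = 0;
        return -1;
    }
    in_wasm_code = 1;
    int value = *(volatile uint8_t *)(memory + offset);
    in_wasm_code = 0;
    return value;
}

/* Returns 0 when every step behaves as expected, otherwise the failing step. */
static int run_fast_memory_demo(void)
{
    install_fault_handlers();
    uint8_t *mem = try_get_fast_memory();
    if (!mem) return 1;
    mem[5] = 0xAB;
    if (wasm_load8(mem, 5) != 0xAB) return 2;                /* in bounds */
    if (wasm_load8(mem, COMMITTED_BYTES) != -1) return 3;    /* first byte past the committed part */
    if (wasm_load8(mem, RESERVED_BYTES - 1) != -1) return 4; /* last byte of the reservation */
    int local = 0;
    if (address_in_fast_memory(&local)) return 5;            /* a stack address is not ours */
    release_fast_memory(mem);
    if (address_in_fast_memory(mem)) return 6;               /* released memory is forgotten */
    return 0;
}

int main(void)
{
    printf("fast memory demo: %d\n", run_fast_memory_demo());
    return 0;
}
```

        The check is what stops the handler from masking unrelated crashes: without it, a wild read anywhere
        in the process (a memory-safety bug in native code, say) would be reported as a clean wasm trap instead
        of a crash, which is the opposite of what a guard-page scheme should do. A fault outside any registered
        region falls through to the default action and terminates the process.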
2913
2914 2017-03-07  Dean Jackson  <dino@apple.com>
2915
2916         Some platforms won't be able to create a GPUDevice
2917         https://bugs.webkit.org/show_bug.cgi?id=169314
2918         <rdar://problems/30907521>
2919
2920         Reviewed by Jon Lee.
2921
2922         Disable WEB_GPU on the iOS Simulator.
2923
2924         * Configurations/FeatureDefines.xcconfig:
2925
2926 2017-03-06  Saam Barati  <sbarati@apple.com>
2927
2928         WebAssembly: Implement the WebAssembly.instantiate API
2929         https://bugs.webkit.org/show_bug.cgi?id=165982
2930         <rdar://problem/29760110>
2931
2932         Reviewed by Keith Miller.
2933
2934         This patch is a straight forward implementation of the WebAssembly.instantiate
2935         API: https://github.com/WebAssembly/design/blob/master/JS.md#webassemblyinstantiate
2936         
2937         I implemented the API in a synchronous manner. We should make it
2938         asynchronous: https://bugs.webkit.org/show_bug.cgi?id=169187
2939
2940         * wasm/JSWebAssembly.cpp:
2941         (JSC::webAssemblyCompileFunc):
2942         (JSC::webAssemblyInstantiateFunc):
2943         (JSC::JSWebAssembly::finishCreation):
2944         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2945         (JSC::constructJSWebAssemblyInstance):
2946         (JSC::WebAssemblyInstanceConstructor::createInstance):
2947         * wasm/js/WebAssemblyInstanceConstructor.h:
2948         * wasm/js/WebAssemblyModuleConstructor.cpp:
2949         (JSC::constructJSWebAssemblyModule):
2950         (JSC::WebAssemblyModuleConstructor::createModule):
2951         * wasm/js/WebAssemblyModuleConstructor.h:
2952
2953 2017-03-06  Michael Saboff  <msaboff@apple.com>
2954
2955         Take advantage of fast permissions switching of JIT memory for devices that support it
2956         https://bugs.webkit.org/show_bug.cgi?id=169155
2957
2958         Reviewed by Saam Barati.
2959
2960         Start using the os_thread_self_restrict_rwx_to_XX() SPIs when available to
2961         control access to JIT memory.
2962
2963         Had to update the Xcode config files to handle various build variations of
2964         public and internal SDKs.
2965
2966         * Configurations/Base.xcconfig:
2967         * Configurations/FeatureDefines.xcconfig:
2968         * jit/ExecutableAllocator.cpp:
2969         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
2970         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
2971         * jit/ExecutableAllocator.h:
2972         (JSC::performJITMemcpy):
2973
2974 2017-03-06  Csaba Osztrogonác  <ossy@webkit.org>
2975
2976         REGRESSION(r212778): It made 400 tests crash on AArch64 Linux
2977         https://bugs.webkit.org/show_bug.cgi?id=168502
2978
2979         Reviewed by Filip Pizlo.
2980
2981         * heap/RegisterState.h: Use setjmp code path on AArch64 Linux too to fix crashes.
2982
2983 2017-03-06  Caio Lima  <ticaiolima@gmail.com>
2984
2985         op_get_by_id_with_this should use inline caching
2986         https://bugs.webkit.org/show_bug.cgi?id=162124
2987
2988         Reviewed by Saam Barati.
2989
2990         This patch enables inline caching for op_get_by_id_with_this in all
2991         tiers. It means that operations using ```super.member``` are going to
2992         be able to be optimized by PIC. To enable it, we introduced a new
2993         member of StructureStubInfo.patch named thisGPR, created a new class
2994         to manage the IC named JITGetByIdWithThisGenerator, and changed
2995         PolymorphicAccess.regenerate, which uses StructureStubInfo.patch.thisGPR
2996         to decide the correct this value on inline caches.
2997         With inline caching enabled, ```super.member``` is ~4.5x faster,
2998         according to microbenchmarks.
2999
3000         * bytecode/AccessCase.cpp:
3001         (JSC::AccessCase::generateImpl):
3002         * bytecode/PolymorphicAccess.cpp:
3003         (JSC::PolymorphicAccess::regenerate):
3004         * bytecode/PolymorphicAccess.h:
3005         * bytecode/StructureStubInfo.cpp:
3006         (JSC::StructureStubInfo::reset):
3007         * bytecode/StructureStubInfo.h:
3008         * dfg/DFGFixupPhase.cpp:
3009         (JSC::DFG::FixupPhase::fixupNode):
3010         * dfg/DFGJITCompiler.cpp:
3011         (JSC::DFG::JITCompiler::link):
3012         * dfg/DFGJITCompiler.h:
3013         (JSC::DFG::JITCompiler::addGetByIdWithThis):
3014         * dfg/DFGSpeculativeJIT.cpp:
3015         (JSC::DFG::SpeculativeJIT::compileIn):
3016         * dfg/DFGSpeculativeJIT.h:
3017         (JSC::DFG::SpeculativeJIT::callOperation):
3018         * dfg/DFGSpeculativeJIT32_64.cpp:
3019         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
3020         (JSC::DFG::SpeculativeJIT::compile):
3021         * dfg/DFGSpeculativeJIT64.cpp:
3022         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
3023         (JSC::DFG::SpeculativeJIT::compile):
3024         * ftl/FTLLowerDFGToB3.cpp:
3025         (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis):
3026         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
3027         (JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis):
3028         * jit/CCallHelpers.h:
3029         (JSC::CCallHelpers::setupArgumentsWithExecState):
3030         * jit/ICStats.h:
3031         * jit/JIT.cpp:
3032         (JSC::JIT::JIT):
3033         (JSC::JIT::privateCompileSlowCases):
3034         (JSC::JIT::link):
3035         * jit/JIT.h:
3036         * jit/JITInlineCacheGenerator.cpp:
3037         (JSC::JITByIdGenerator::JITByIdGenerator):
3038         (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator):
3039         (JSC::JITGetByIdWithThisGenerator::generateFastPath):
3040         * jit/JITInlineCacheGenerator.h:
3041         (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator):
3042         * jit/JITInlines.h:
3043         (JSC::JIT::callOperation):
3044         * jit/JITOperations.cpp:
3045         * jit/JITOperations.h:
3046         * jit/JITPropertyAccess.cpp:
3047         (JSC::JIT::emit_op_get_by_id_with_this):
3048         (JSC::JIT::emitSlow_op_get_by_id_with_this):
3049         * jit/JITPropertyAccess32_64.cpp:
3050         (JSC::JIT::emit_op_get_by_id_with_this):
3051         (JSC::JIT::emitSlow_op_get_by_id_with_this):
3052         * jit/Repatch.cpp:
3053         (JSC::appropriateOptimizingGetByIdFunction):
3054         (JSC::appropriateGenericGetByIdFunction):
3055         (JSC::tryCacheGetByID):
3056         * jit/Repatch.h:
3057         * jsc.cpp:
3058         (WTF::CustomGetter::getOwnPropertySlot):
3059         (WTF::CustomGetter::customGetterAcessor):
3060
3061 2017-03-06  Saam Barati  <sbarati@apple.com>
3062
3063         WebAssembly: implement init_expr for Element
3064         https://bugs.webkit.org/show_bug.cgi?id=165888
3065         <rdar://problem/29760199>
3066
3067         Reviewed by Keith Miller.
3068
3069         This patch fixes a few bugs. The main change is allowing init_expr
3070         for the Element's offset. To do this, I had to fix a couple of
3071         other bugs:
3072         
3073         - I removed our invalid early module-parse-time invalidation
3074         of out of bound Element sections. This is not in the spec because
3075         it can't be validated in the general case when the offset is a
3076         get_global.
3077         
3078         - Our get_global validation inside our init_expr parsing code was simply wrong.
3079         It thought that the index operand to get_global went into the pool of imports,
3080         but it does not. It indexes into the pool of globals. I changed the code to
3081         refer to the global pool instead.
3082
3083         * wasm/WasmFormat.h:
3084         (JSC::Wasm::Element::Element):
3085         * wasm/WasmModuleParser.cpp:
3086         * wasm/js/WebAssemblyModuleRecord.cpp:
3087         (JSC::WebAssemblyModuleRecord::evaluate):
3088
3089 2017-03-06  Yusuke Suzuki  <utatane.tea@gmail.com>
3090
3091         [JSC] Allow indexed module namespace object fields
3092         https://bugs.webkit.org/show_bug.cgi?id=168870
3093
3094         Reviewed by Saam Barati.
3095
3096         While JS modules cannot expose any indexed bindings,
3097         Wasm modules can expose them. However, the module namespace
3098         object currently does not support indexed properties.
3099         This patch allows module namespace objects to offer
3100         indexed binding accesses.
3101
3102         * runtime/JSModuleNamespaceObject.cpp:
3103         (JSC::JSModuleNamespaceObject::getOwnPropertySlotCommon):
3104         (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
3105         (JSC::JSModuleNamespaceObject::getOwnPropertySlotByIndex):
3106         * runtime/JSModuleNamespaceObject.h:
3107
3108 2017-03-06  Yusuke Suzuki  <utatane.tea@gmail.com>
3109
3110         Null pointer crash when loading module with unresolved import also as a script file
3111         https://bugs.webkit.org/show_bug.cgi?id=168971
3112
3113         Reviewed by Saam Barati.
3114
3115         If linking throws an error, this error should be re-thrown
3116         when requesting the same module.
3117
3118         * builtins/ModuleLoaderPrototype.js:
3119         (globalPrivate.newRegistryEntry):
3120         * runtime/JSModuleRecord.cpp:
3121         (JSC::JSModuleRecord::link):
3122
3123 2017-03-06  Yusuke Suzuki  <utatane.tea@gmail.com>
3124
3125         [GTK][JSCOnly] Enable WebAssembly on Linux environment
3126         https://bugs.webkit.org/show_bug.cgi?id=164032
3127
3128         Reviewed by Michael Catanzaro.
3129
3130         This patch enables WebAssembly on the JSCOnly and GTK ports.
3131         Basically, almost all the WASM code is portable to Linux.
3132         One platform-dependent part is the faster memory load using a SIGBUS
3133         signal handler. This patch ports this part to Linux.
3134
3135         * CMakeLists.txt:
3136         * llint/LLIntSlowPaths.cpp:
3137         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3138         * wasm/WasmFaultSignalHandler.cpp:
3139         (JSC::Wasm::trapHandler):
3140         (JSC::Wasm::enableFastMemory):
3141
3142 2017-03-06  Daniel Ehrenberg  <littledan@igalia.com>
3143
3144         Currency digits calculation in Intl.NumberFormat should call out to ICU
3145         https://bugs.webkit.org/show_bug.cgi?id=169182
3146
3147         Reviewed by Yusuke Suzuki.
3148
3149         * runtime/IntlNumberFormat.cpp:
3150         (JSC::computeCurrencyDigits):
3151         (JSC::computeCurrencySortKey): Deleted.
3152         (JSC::extractCurrencySortKey): Deleted.
3153
3154 2017-03-05  Yusuke Suzuki  <utatane.tea@gmail.com>
3155
3156         [JSCOnly][GTK] Suppress warnings on return type in B3 and WASM
3157         https://bugs.webkit.org/show_bug.cgi?id=168869
3158
3159         Reviewed by Keith Miller.
3160
3161         * b3/B3Width.h:
3162         * wasm/WasmSections.h:
3163
3164 2017-03-04  Csaba Osztrogonác  <ossy@webkit.org>
3165
3166         [ARM] Unreviewed buildfix after r213376.
3167
3168         * assembler/ARMAssembler.h:
3169         (JSC::ARMAssembler::isBkpt): Typo fixed.
3170
3171 2017-03-03  Carlos Alberto Lopez Perez  <clopez@igalia.com>
3172
3173         [JSC] build fix after r213399
3174         https://bugs.webkit.org/show_bug.cgi?id=169154
3175
3176         Unreviewed.
3177
3178         * runtime/ConfigFile.cpp: Include unistd.h since it's where getcwd() is defined.
3179
3180 2017-03-03  Dean Jackson  <dino@apple.com>
3181
3182         Add WebGPU compile flag and experimental feature flag
3183         https://bugs.webkit.org/show_bug.cgi?id=169161
3184         <rdar://problem/30846689>
3185
3186         Reviewed by Tim Horton.
3187
3188         Add ENABLE_WEBGPU, an experimental feature flag, a RuntimeEnabledFeature,
3189         and an InternalSetting.
3190
3191         * Configurations/FeatureDefines.xcconfig:
3192
3193 2017-03-03  Michael Saboff  <msaboff@apple.com>
3194
3195         Add support for relative pathnames to JSC config files
3196         https://bugs.webkit.org/show_bug.cgi?id=169154
3197
3198         Reviewed by Saam Barati.
3199
3200         If the config file is a relative path, prepend the current working directory.
3201         After canonicalizing the config file path, we extract its directory path and
3202         use that for the directory for a relative log pathname.
3203
3204         * runtime/ConfigFile.cpp:
3205         (JSC::ConfigFile::ConfigFile):
3206         (JSC::ConfigFile::parse):
3207         (JSC::ConfigFile::canonicalizePaths):
3208         * runtime/ConfigFile.h:
3209
3210 2017-03-03  Michael Saboff  <msaboff@apple.com>
3211
3212         Add load / store exclusive instruction group to ARM64 disassembler
3213         https://bugs.webkit.org/show_bug.cgi?id=169152
3214
3215         Reviewed by Filip Pizlo.
3216
3217         * disassembler/ARM64/A64DOpcode.cpp:
3218         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreExclusive::format):
3219         * disassembler/ARM64/A64DOpcode.h:
3220         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreExclusive::opName):
3221         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreExclusive::rs):
3222         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreExclusive::rt2):
3223         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreExclusive::o0):
3224         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreExclusive::o1):
3225         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreExclusive::o2):
3226         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreExclusive::loadBit):
3227         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreExclusive::opNumber):
3228         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreExclusive::isPairOp):
3229
3230 2017-03-03  Keith Miller  <keith_miller@apple.com>
3231
3232         WASM should support faster loads.
3233         https://bugs.webkit.org/show_bug.cgi?id=162693
3234
3235         Reviewed by Saam Barati.
3236
3237         This patch adds support for WebAssembly using a 32-bit address
3238         space for memory (along with some extra space for offset
3239         overflow). With a&n