[WebKit-https.git] / Source / JavaScriptCore / ChangeLog-2018-01-01
2017-12-22  Jeff Miller  <jeffm@apple.com>

        Update user-visible copyright strings to include 2018
        https://bugs.webkit.org/show_bug.cgi?id=181141

        Reviewed by Dan Bernstein.

        * Info.plist:

2017-12-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove unused JSTypes
        https://bugs.webkit.org/show_bug.cgi?id=181184

        Reviewed by Saam Barati.

        JSType includes some unused types such as NullType. They were for
        primitive values in the old days. But now JSType is only used for JSCells.

        * runtime/JSType.h:
        * runtime/TypedArrayType.cpp:
        (JSC::typeForTypedArrayType):

2017-12-28  Saam Barati  <sbarati@apple.com>

        Remove op_assert and make @assert in builtins a function call so we have DFG/FTL coverage for builtins that use @assert in debug builds
        https://bugs.webkit.org/show_bug.cgi?id=181176

        Reviewed by Yusuke Suzuki.

        Previously, op_assert was only implemented in the LLInt and baseline JIT. This
        meant that any builtin that used @assert was not tiering up to the DFG/FTL
        in debug builds. This patch changes @assert to just call a host function when
        !ASSERT_DISABLED. It's a no-op when ASSERT_DISABLED. Now, builtins that use @assert
        will tier up to the DFG/FTL on debug builds.

        * builtins/BuiltinNames.h:
        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitAssert): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_assert): Deleted.
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * llint/LowLevelInterpreter.asm:
        * runtime/CommonSlowPaths.cpp:
        * runtime/CommonSlowPaths.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::assertCall):
        (JSC::JSGlobalObject::init):

2017-12-28  Fujii Hironori  <Hironori.Fujii@sony.com>

        [Win][CMake] Use add_custom_command to copy each forwarding header file
        https://bugs.webkit.org/show_bug.cgi?id=180921

        Reviewed by Brent Fulgham.

        * PlatformWin.cmake: Use WEBKIT_MAKE_FORWARDING_HEADERS.

2017-12-28  Saam Barati  <sbarati@apple.com>

        Assertion used to determine if something is an async generator is wrong
        https://bugs.webkit.org/show_bug.cgi?id=181168
        <rdar://problem/35640560>

        Reviewed by Yusuke Suzuki.

        Previous assertions were doing a get on the base value for @@asyncIterator.
        This symbol is defined on AsyncGeneratorPrototype. The base value may change
        its prototype, but it's still an async generator as far as our system is
        concerned. This patch updates the assertion to check for a private property
        on the base value.

        * builtins/AsyncGeneratorPrototype.js:
        (globalPrivate.asyncGeneratorReject):
        (globalPrivate.asyncGeneratorResolve):
        (globalPrivate.asyncGeneratorResumeNext):
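
        The failure mode described in the entry above, as an added JavaScript example (not WebKit's own code): a property get for @@asyncIterator stops finding anything once the generator's prototype chain is cut, yet the engine still resumes the object as an async generator. The names `counter`, `looksLikeAsyncGenerator`, `makeDetachedGenerator`, `demo` and `drainDetached` are this example's own.

```javascript
// Added example, not WebKit code: why "can I get @@asyncIterator off the
// object?" is the wrong test for "is this an async generator?". The engine's
// own check (per the changelog entry) looks at a private property of the
// generator object, which survives any change to its prototype chain.

async function* counter() {
  yield 1;
  yield 2;
}

// %AsyncGeneratorPrototype%.next, reached through the prototype chain of a
// fresh generator object. A direct reference is kept so it can still be
// invoked after a generator has been detached from that chain.
const asyncGeneratorNext = Object.getPrototypeOf(counter()).next;

// What a lookup-based check (the old assertion) would conclude about `obj`.
function looksLikeAsyncGenerator(obj) {
  return obj != null && typeof obj[Symbol.asyncIterator] === "function";
}

// Build a generator and cut it off from AsyncGeneratorPrototype. This is the
// situation the entry describes: the object is still an async generator to the
// engine, but @@asyncIterator is no longer reachable by a property get.
function makeDetachedGenerator() {
  const gen = counter();
  Object.setPrototypeOf(gen, null);
  return gen;
}

function demo() {
  const intact = counter();
  const detached = makeDetachedGenerator();

  const before = looksLikeAsyncGenerator(intact);   // true
  const after = looksLikeAsyncGenerator(detached);  // false: lookup lies

  // The engine still treats `detached` as an async generator: resuming it via
  // the saved next() yields a promise, exactly as for `intact`.
  const stillResumable = asyncGeneratorNext.call(detached) instanceof Promise;

  return { before, after, stillResumable };
}

// Drive the detached generator to completion by hand. `for await` cannot be
// used here because @@asyncIterator is gone, but the generator machinery
// itself still runs and produces the yielded values.
async function drainDetached() {
  const gen = makeDetachedGenerator();
  const out = [];
  for (;;) {
    const { value, done } = await asyncGeneratorNext.call(gen);
    if (done) break;
    out.push(value);
  }
  return out; // [1, 2]
}

console.log(demo());
</test>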
87
88 2017-12-27  Carlos Alberto Lopez Perez  <clopez@igalia.com>
89
90         Build fix after r226299 (3)
91         https://bugs.webkit.org/show_bug.cgi?id=181160
92
93         Unreviewed build fix.
94
95         * API/tests/TypedArrayCTest.cpp: fix typo in header name.
96
97 2017-12-27  Carlos Alberto Lopez Perez  <clopez@igalia.com>
98
99         Build fix after r226299 (2)
100         https://bugs.webkit.org/show_bug.cgi?id=181160
101
102         Unreviewed build fix.
103
104         * API/tests/TypedArrayCTest.cpp: Add missing header include.
105
106 2017-12-27  Carlos Alberto Lopez Perez  <clopez@igalia.com>
107
108         Build fix after r226299
109         https://bugs.webkit.org/show_bug.cgi?id=181160
110
111         Unreviewed build fix.
112
113         * API/tests/TypedArrayCTest.cpp:
114         (assertEqualsAsNumber): Disambiguate usage of isnan.
115
116 2017-12-26  Carlos Alberto Lopez Perez  <clopez@igalia.com>
117
118         REGRESSION(r225769): Build error with constexpr std::max // std::min in libdstdc++4
119         https://bugs.webkit.org/show_bug.cgi?id=181160
120
121         Reviewed by Myles C. Maxfield.
122
123         Disambiguate usage of min and max (Use the version from stdlib).
124
125         * runtime/JSArray.cpp:
126         (JSC::JSArray::unshiftCountSlowCase):
127         (JSC::JSArray::setLengthWithArrayStorage):
128         (JSC::JSArray::shiftCountWithArrayStorage):
129         (JSC::JSArray::fillArgList):
130         (JSC::JSArray::copyToArguments):
131
132 2017-12-27  Zan Dobersek  <zdobersek@igalia.com>
133
134         REGRESSION(r225913): about 30 JSC test failures on ARMv7
135         https://bugs.webkit.org/show_bug.cgi?id=181162
136
137         Reviewed by Michael Catanzaro.
138
139         Fast case in DFG::SpeculativeJIT::compileArraySlice() was enabled in
140         r225913 on all but 32-bit x86 platform. Other 32-bit platforms have the
141         same lack of GP registers, so the conditional is changed here to only
142         enable this optimization explicitly on ARM64 and x86-64.
143
144         * dfg/DFGSpeculativeJIT.cpp:
145         (JSC::DFG::SpeculativeJIT::compileArraySlice):
146
147 2017-12-26  Yusuke Suzuki  <utatane.tea@gmail.com>
148
149         [JSC] Remove std::chrono completely
150         https://bugs.webkit.org/show_bug.cgi?id=181165
151
152         Reviewed by Konstantin Tokarev.
153
154         This patch removes std::chrono use completely from JSC.
155
156         * API/JSContextRef.cpp:
157         (JSContextGroupSetExecutionTimeLimit):
158         * API/tests/ExecutionTimeLimitTest.cpp:
159         (currentCPUTimeAsJSFunctionCallback):
160         (testExecutionTimeLimit):
161         * bytecode/CodeBlock.cpp:
162         (JSC::CodeBlock::CodeBlock):
163         (JSC::timeToLive):
164         * bytecode/CodeBlock.h:
165         (JSC::CodeBlock::timeSinceCreation):
166         * runtime/SamplingProfiler.cpp:
167         (JSC::SamplingProfiler::SamplingProfiler):
168         (JSC::SamplingProfiler::timerLoop):
169         (JSC::SamplingProfiler::takeSample):
170         (JSC::SamplingProfiler::reportTopFunctions):
171         (JSC::SamplingProfiler::reportTopBytecodes):
172         * runtime/SamplingProfiler.h:
173         (JSC::SamplingProfiler::setTimingInterval):
174         * runtime/VM.cpp:
175         (JSC::VM::VM):
176         * runtime/Watchdog.cpp:
177         (JSC::Watchdog::Watchdog):
178         (JSC::Watchdog::setTimeLimit):
179         (JSC::Watchdog::shouldTerminate):
180         (JSC::Watchdog::startTimer):
181         (JSC::currentWallClockTime): Deleted.
182         * runtime/Watchdog.h:
183
184 2017-12-26  Zan Dobersek  <zdobersek@igalia.com>
185
186         REGRESSION(r226269): 60 JSC test failures on ARMv7
187         https://bugs.webkit.org/show_bug.cgi?id=181163
188
189         Reviewed by Yusuke Suzuki.
190
191         In r226269, DFG::SpeculativeJIT::compile() changed behavior for the
192         GetDirectPname operation on non-x86 platforms, switching to using
193         GPRFlushedCallResult registers for the payload and tag pair of the
194         return value (through the JSValueRegsFlushedCallResult struct). This
195         tripped about 60 test cases on ARMv7.
196
197         As before this change, GPRTemporary registers should be used, but this
198         can now be done through a JSValueRegsTemporary object.
199
200         * dfg/DFGSpeculativeJIT32_64.cpp:
201         (JSC::DFG::SpeculativeJIT::compile):
202
203 2017-12-22  Caio Lima  <ticaiolima@gmail.com>
204
205         [JSC] IntlCollator and IntlNumberFormat has static fields with same name
206         https://bugs.webkit.org/show_bug.cgi?id=181128
207
208         Reviewed by Yusuke Suzuki.
209
210         Minor fixes into IntlNumberFormat::initializeNumberFormat and
211         IntlCollator::initializeCollator that makes JSC unified sources
212         compile. These files were generating compilation error when placed at
213         the same UnifiedSource.cpp, because they had static variables with same name.
214
215         * runtime/IntlCollator.cpp:
216         (JSC::IntlCollator::initializeCollator):
217         * runtime/IntlNumberFormat.cpp:
218         (JSC::IntlNumberFormat::initializeNumberFormat):
219
220 2017-12-22  Michael Catanzaro  <mcatanzaro@igalia.com>
221
222         generate_offset_extractor.rb should not print to stderr by default
223         https://bugs.webkit.org/show_bug.cgi?id=181133
224
225         Reviewed by Mark Lam.
226
227         Remove unneeded print output.
228
229         * offlineasm/generate_offset_extractor.rb:
230
231 2017-12-22  Yusuke Suzuki  <utatane.tea@gmail.com>
232
233         [DFG] Cleaning up and unifying 32bit code more
234         https://bugs.webkit.org/show_bug.cgi?id=181124
235
236         Reviewed by Mark Lam.
237
238         This patch unifies DFG 32bit code into 64bit code more. In this patch, we move RegExp DFG nodes
239         from 32bit / 64bit code to the common code. We change some RegExp operations to returning JSCell*
240         instead of EncodedJSValue. This simplifies DFG implementation.
241
242         And we also move HasGenericProperty since we now have JSValueRegsFlushedCallResult. ToPrimive,
243         LogShadowChickenPrologue, and LogShadowChickenTail are almost the same in 32bit and 64bit.
244         Thus, it is unified easily.
245
246         And we also move some GPRFlushedCallResult from the original places to the places just after
247         `flushRegisters()` not to spill unnecessary registers.
248
249         * dfg/DFGOperations.cpp:
250         * dfg/DFGOperations.h:
251         * dfg/DFGSpeculativeJIT.cpp:
252         (JSC::DFG::SpeculativeJIT::compileRegExpExec):
253         (JSC::DFG::SpeculativeJIT::compileRegExpTest):
254         (JSC::DFG::SpeculativeJIT::compileStringReplace):
255         (JSC::DFG::SpeculativeJIT::compileHasGenericProperty):
256         (JSC::DFG::SpeculativeJIT::compileToPrimitive):
257         (JSC::DFG::SpeculativeJIT::compileLogShadowChickenPrologue):
258         (JSC::DFG::SpeculativeJIT::compileLogShadowChickenTail):
259         * dfg/DFGSpeculativeJIT.h:
260         (JSC::DFG::SpeculativeJIT::callOperation):
261         * dfg/DFGSpeculativeJIT32_64.cpp:
262         (JSC::DFG::SpeculativeJIT::emitCall):
263         (JSC::DFG::SpeculativeJIT::compile):
264         * dfg/DFGSpeculativeJIT64.cpp:
265         (JSC::DFG::SpeculativeJIT::compile):
266         (JSC::DFG::SpeculativeJIT::speculateDoubleRepAnyInt):
267         * ftl/FTLLowerDFGToB3.cpp:
268         (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
269         * jit/JITOperations.cpp:
270         * jit/JITOperations.h:
271         * runtime/StringPrototype.cpp:
272         (JSC::jsSpliceSubstrings):
273         (JSC::jsSpliceSubstringsWithSeparators):
274         (JSC::removeUsingRegExpSearch):
275         (JSC::replaceUsingRegExpSearch):
276         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
277         (JSC::operationStringProtoFuncReplaceRegExpString):
278         (JSC::replaceUsingStringSearch):
279         (JSC::replace):
280         (JSC::stringProtoFuncReplaceUsingRegExp):
281         (JSC::stringProtoFuncReplaceUsingStringSearch):
282         (JSC::operationStringProtoFuncReplaceGeneric):
283         * runtime/StringPrototype.h:
284
285 2017-12-22  Michael Catanzaro  <mcatanzaro@igalia.com>
286
287         [GTK] Duplicated symbols in libjavascriptcoregtk and libwebkit2gtk can cause crashes in production builds
288         https://bugs.webkit.org/show_bug.cgi?id=179914
289         <rdar://problem/36196039>
290
291         Unreviewed.
292
293         * PlatformGTK.cmake:
294
295 2017-12-22  Michael Catanzaro  <mcatanzaro@igalia.com>
296
297         [GTK] Duplicated symbols in libjavascriptcoregtk and libwebkit2gtk can cause crashes in production builds
298         https://bugs.webkit.org/show_bug.cgi?id=179914
299
300         Reviewed by Carlos Garcia Campos.
301
302         Add a new JavaScriptCoreGTK build target, to build JSC as a shared library. Link the
303         original JavaScriptCore build target, which is now a static library, to it. Use
304         --whole-archive to prevent all the JavaScriptCore symbols from being dropped, since none are
305         used directly by JavaScriptCoreGTK.
306
307         The installed libjavascriptcoregtk-4.0 now corresponds to the JavaScriptCoreGTK target,
308         instead of the JavaScriptCore target. There is almost no difference on the installed system,
309         except that we now use a version script when linking, to hide private symbols, since they're
310         no longer needed by libwebkit2gtk-4.0.so.
311
312         Also, move the symbols map here.
313
314         * PlatformGTK.cmake:
315         * javascriptcoregtk-symbols.map: Added.
316
317 2017-12-22  Yusuke Suzuki  <utatane.tea@gmail.com>
318
319         [DFG] Unify bunch of DFG 32bit code into 64bit code
320         https://bugs.webkit.org/show_bug.cgi?id=181083
321
322         Reviewed by Mark Lam.
323
324         There are bunch of the completely same code in 32bit and 64bit DFG.
325         This is largely because of the old DFG code. At that time, we do not
326         have enough abstraction to describe them in one code. But now, we have
327         JSValueRegs, JSValueRegsTemporary etc. They allow DFG to write 32bit and
328         64bit handling in one code.
329
330         This patch unifies easy ones. This is nice since basically 32bit code is
331         a bit old and not maintained so much compared to 64bit. If we can drop
332         32bit specific code as much as possible, it would be nice. Furthermore,
333         we can find various mistakes in 32bit: For example, NewObject does not have
334         mutatorFence in 32bit while 64bit has it. This unification is a chance
335         to fix miscellaneous bugs in 32bit while reducing maintenance burden.
336
337         * dfg/DFGSpeculativeJIT.cpp:
338         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
339         (JSC::DFG::SpeculativeJIT::compileGetEnumerableLength):
340         (JSC::DFG::SpeculativeJIT::compileToIndexString):
341         (JSC::DFG::SpeculativeJIT::compilePutByIdWithThis):
342         (JSC::DFG::SpeculativeJIT::compileHasStructureProperty):
343         (JSC::DFG::SpeculativeJIT::compileGetPropertyEnumerator):
344         (JSC::DFG::SpeculativeJIT::compileGetEnumeratorPname):
345         (JSC::DFG::SpeculativeJIT::compileGetGetter):
346         (JSC::DFG::SpeculativeJIT::compileGetSetter):
347         (JSC::DFG::SpeculativeJIT::compileGetCallee):
348         (JSC::DFG::SpeculativeJIT::compileGetArgumentCountIncludingThis):
349         (JSC::DFG::SpeculativeJIT::compileStrCat):
350         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSize):
351         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
352         (JSC::DFG::SpeculativeJIT::compileCreateThis):
353         (JSC::DFG::SpeculativeJIT::compileNewObject):
354         * dfg/DFGSpeculativeJIT.h:
355         (JSC::DFG::SpeculativeJIT::callOperation):
356         * dfg/DFGSpeculativeJIT32_64.cpp:
357         (JSC::DFG::SpeculativeJIT::compile):
358         * dfg/DFGSpeculativeJIT64.cpp:
359         (JSC::DFG::SpeculativeJIT::compile):
360
361 2017-12-22  Yusuke Suzuki  <utatane.tea@gmail.com>
362
363         [DFG] Add JSValueRegsFlushedCallResult
364         https://bugs.webkit.org/show_bug.cgi?id=181075
365
366         Reviewed by Mark Lam.
367
368         Add JSValueRegsFlushedCallResult, which is appropriate for the JSValueRegs result
369         of the function call after flushing. We can remove bunch of `#if USE(JSVALUE32_64)`
370         code and simplify them.
371
372         * dfg/DFGSpeculativeJIT.cpp:
373         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
374         (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithString):
375         (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithSymbol):
376         (JSC::DFG::SpeculativeJIT::compileParseInt):
377         (JSC::DFG::SpeculativeJIT::emitUntypedBitOp):
378         (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp):
379         (JSC::DFG::SpeculativeJIT::compileValueAdd):
380         (JSC::DFG::SpeculativeJIT::compileArithMul):
381         (JSC::DFG::SpeculativeJIT::compileArithDiv):
382         (JSC::DFG::SpeculativeJIT::compileArithRounding):
383         (JSC::DFG::SpeculativeJIT::compileResolveScopeForHoistingFuncDeclInEval):
384         (JSC::DFG::SpeculativeJIT::compileGetDynamicVar):
385         * dfg/DFGSpeculativeJIT.h:
386         (JSC::DFG::SpeculativeJIT::callOperation):
387         (JSC::DFG::JSValueRegsFlushedCallResult::JSValueRegsFlushedCallResult):
388         (JSC::DFG::JSValueRegsFlushedCallResult::regs):
389
390 2017-12-21  Saam Barati  <sbarati@apple.com>
391
392         lowering get_by_val to GetById inside bytecode parser should check for BadType exit kind
393         https://bugs.webkit.org/show_bug.cgi?id=181112
394
395         Reviewed by Mark Lam.
396
397         The React subtest in Speedometer has a get_by_val it always converts
398         into a GetById in the DFG. This GetById always exits because of the incoming
399         identifier is a rope. This patch fixes this infinite exit loop
400         by only doing this transformation if we haven't exited due to BadType.
401
402         * dfg/DFGByteCodeParser.cpp:
403         (JSC::DFG::ByteCodeParser::parseBlock):
404
405 2017-12-21  Mark Lam  <mark.lam@apple.com>
406
407         Add WTF::PoisonedUniquePtr to replace std::unique_ptr when poisoning is desired.
408         https://bugs.webkit.org/show_bug.cgi?id=181062
409         <rdar://problem/36167040>
410
411         Reviewed by Chris Dumez.
412
413         * runtime/JSCPoisonedPtr.cpp:
414         - Added a needed #include.
415
416 2017-12-21  Jeremy Jones  <jeremyj@apple.com>
417
418         Update FULLSCREEN_API feature defines.
419         https://bugs.webkit.org/show_bug.cgi?id=181015
420
421         Reviewed by Tim Horton.
422
423         Change enabled iphone sdk for FULLSCREEN_API.
424
425         * Configurations/FeatureDefines.xcconfig:
426
427 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
428
429         [JSC] Do not check isValid() in op_new_regexp
430         https://bugs.webkit.org/show_bug.cgi?id=180970
431
432         Reviewed by Saam Barati.
433
434         We should not check `isValid()` inside op_new_regexp.
435         This simplifies the semantics of NewRegexp node in DFG.
436
437         * bytecompiler/NodesCodegen.cpp:
438         (JSC::RegExpNode::emitBytecode):
439         * dfg/DFGMayExit.cpp:
440         * dfg/DFGSpeculativeJIT.cpp:
441         (JSC::DFG::SpeculativeJIT::compileNewRegexp):
442         * ftl/FTLLowerDFGToB3.cpp:
443         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
444         * jit/JITOperations.cpp:
445         * llint/LLIntSlowPaths.cpp:
446         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
447
448 2017-12-20  Saam Barati  <sbarati@apple.com>
449
450         GetPropertyEnumerator in DFG/FTL should not unconditionally speculate cell
451         https://bugs.webkit.org/show_bug.cgi?id=181054
452
453         Reviewed by Mark Lam.
454
455         Speedometer's react subtest has a function that is in an OSR exit loop because
456         we used to unconditionally speculate cell for the operand to GetPropertyEnumerator.
457         This fix doesn't seem to speed up Speedometer at all, but it's good hygiene 
458         for our compiler to not have this pathology. This patch adds a generic
459         GetPropertyEnumerator to prevent the exit loop.
460
461         * dfg/DFGFixupPhase.cpp:
462         (JSC::DFG::FixupPhase::fixupNode):
463         * dfg/DFGSpeculativeJIT32_64.cpp:
464         (JSC::DFG::SpeculativeJIT::compile):
465         * dfg/DFGSpeculativeJIT64.cpp:
466         (JSC::DFG::SpeculativeJIT::compile):
467         * ftl/FTLLowerDFGToB3.cpp:
468         (JSC::FTL::DFG::LowerDFGToB3::compileGetPropertyEnumerator):
469         * jit/JITOperations.cpp:
470         * jit/JITOperations.h:
471
472 2017-12-20  Daniel Bates  <dabates@apple.com>
473
474         Remove Alternative Presentation Button
475         https://bugs.webkit.org/show_bug.cgi?id=180500
476         <rdar://problem/35891047>
477
478         Reviewed by Simon Fraser.
479
480         We no longer need the alternative presentation button.
481
482         * Configurations/FeatureDefines.xcconfig:
483
484 2017-12-19  Saam Barati  <sbarati@apple.com>
485
486         We forgot to do index masking for in bounds int32 arrays in the FTL
487         https://bugs.webkit.org/show_bug.cgi?id=180987
488
489         Reviewed by Keith Miller.
490
491         * ftl/FTLLowerDFGToB3.cpp:
492         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
493
494 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
495
496         [DFG][FTL] NewRegexp shoud be fast
497         https://bugs.webkit.org/show_bug.cgi?id=180960
498
499         Reviewed by Michael Saboff.
500
501         When we encounter RegExp literal like /AAA/g, we need to create a RegExp object.
502         Typical idiom like `string.match(/regexp/)` requires RegExp object creation
503         every time.
504
505         As a first step, this patch accelerates RegExp object creation by handling it
506         in DFG and FTL. In a subsequent patch, we would like to introduce PhantomNewRegexp
507         to remove unnecessary RegExp object creations.
508
509         This patch improves SixSpeed/regex-u.{es5,es6}.
510
511                                      baseline                  patched
512
513             regex-u.es5          69.6759+-3.1951     ^     53.1425+-2.0292        ^ definitely 1.3111x faster
514             regex-u.es6         129.5413+-5.4437     ^    107.2105+-7.7775        ^ definitely 1.2083x faster
515
516         * dfg/DFGSpeculativeJIT.cpp:
517         (JSC::DFG::SpeculativeJIT::compileNewRegexp):
518         * dfg/DFGSpeculativeJIT.h:
519         * dfg/DFGSpeculativeJIT32_64.cpp:
520         (JSC::DFG::SpeculativeJIT::compile):
521         * dfg/DFGSpeculativeJIT64.cpp:
522         (JSC::DFG::SpeculativeJIT::compile):
523         * ftl/FTLAbstractHeapRepository.h:
524         * ftl/FTLLowerDFGToB3.cpp:
525         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
526         * jit/JIT.h:
527         * jit/JITInlines.h:
528         (JSC::JIT::callOperation):
529         * jit/JITOpcodes.cpp:
530         (JSC::JIT::emit_op_new_regexp):
531         * jit/JITOperations.cpp:
532         * jit/JITOperations.h:
533         * llint/LLIntSlowPaths.cpp:
534         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
535         * runtime/RegExpObject.h:
536         (JSC::RegExpObject::offsetOfRegExp):
537         (JSC::RegExpObject::allocationSize):
538
539 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
540
541         Unreviewed, include YarrErrorCode.h in Yarr.h
542         https://bugs.webkit.org/show_bug.cgi?id=180966
543
544         * yarr/Yarr.h:
545
546 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
547
548         [YARR] Yarr should return ErrorCode instead of error messages (const char*)
549         https://bugs.webkit.org/show_bug.cgi?id=180966
550
551         Reviewed by Mark Lam.
552
553         Currently, Yarr returns const char*` for an error message when needed.
554         But it is easier to handle error status if Yarr returns an error code
555         instead of `const char*`.
556
557         In this patch, we introduce Yarr::ErrorCode. Yarr returns it instead of
558         `const char*`. `std::expected<void, Yarr::ErrorCode>` would be appropriate
559         for the Yarr API interface. But it requires substantial changes removing
560         ErrorCode::NoError, so this patch just uses the current Yarr::ErrorCode as
561         a first step.
562
563         * JavaScriptCore.xcodeproj/project.pbxproj:
564         * Sources.txt:
565         * inspector/ContentSearchUtilities.cpp:
566         (Inspector::ContentSearchUtilities::findMagicComment):
567         * parser/ASTBuilder.h:
568         (JSC::ASTBuilder::createRegExp):
569         * parser/Parser.cpp:
570         (JSC::Parser<LexerType>::parsePrimaryExpression):
571         * parser/SyntaxChecker.h:
572         (JSC::SyntaxChecker::createRegExp):
573         * runtime/RegExp.cpp:
574         (JSC::RegExp::RegExp):
575         (JSC::RegExp::byteCodeCompileIfNecessary):
576         (JSC::RegExp::compile):
577         (JSC::RegExp::compileMatchOnly):
578         * runtime/RegExp.h:
579         * yarr/RegularExpression.cpp:
580         (JSC::Yarr::RegularExpression::Private::Private):
581         (JSC::Yarr::RegularExpression::Private::compile):
582         * yarr/YarrErrorCode.cpp: Added.
583         (JSC::Yarr::errorMessage):
584         * yarr/YarrErrorCode.h: Copied from Source/JavaScriptCore/yarr/YarrSyntaxChecker.h.
585         (JSC::Yarr::hasError):
586         * yarr/YarrParser.h:
587         (JSC::Yarr::Parser::CharacterClassParserDelegate::CharacterClassParserDelegate):
588         (JSC::Yarr::Parser::CharacterClassParserDelegate::atomPatternCharacter):
589         (JSC::Yarr::Parser::Parser):
590         (JSC::Yarr::Parser::isIdentityEscapeAnError):
591         (JSC::Yarr::Parser::parseEscape):
592         (JSC::Yarr::Parser::parseCharacterClass):
593         (JSC::Yarr::Parser::parseParenthesesBegin):
594         (JSC::Yarr::Parser::parseParenthesesEnd):
595         (JSC::Yarr::Parser::parseQuantifier):
596         (JSC::Yarr::Parser::parseTokens):
597         (JSC::Yarr::Parser::parse):
598         (JSC::Yarr::Parser::tryConsumeUnicodeEscape):
599         (JSC::Yarr::Parser::tryConsumeUnicodePropertyExpression):
600         (JSC::Yarr::parse):
601         * yarr/YarrPattern.cpp:
602         (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor):
603         (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):
604         (JSC::Yarr::YarrPatternConstructor::setupOffsets):
605         (JSC::Yarr::YarrPattern::compile):
606         (JSC::Yarr::YarrPattern::YarrPattern):
607         (JSC::Yarr::YarrPattern::errorMessage): Deleted.
608         * yarr/YarrPattern.h:
609         (JSC::Yarr::YarrPattern::reset):
610         * yarr/YarrSyntaxChecker.cpp:
611         (JSC::Yarr::checkSyntax):
612         * yarr/YarrSyntaxChecker.h:
613
614 2017-12-18  Saam Barati  <sbarati@apple.com>
615
616         Follow up to bug#179762. Fix PreciseLocalClobberize to handle Spread/PhantomSpread(PhantomNewArrayBuffer)
617
618         * dfg/DFGPreciseLocalClobberize.h:
619         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
620
621 2017-12-16  Filip Pizlo  <fpizlo@apple.com>
622
623         Vector index masking
624         https://bugs.webkit.org/show_bug.cgi?id=180909
625
626         Reviewed by Keith Miller.
627         
628         Adopt index masking for strings.
629
630         * dfg/DFGSpeculativeJIT.cpp:
631         (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
632         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
633         * ftl/FTLAbstractHeapRepository.h:
634         * ftl/FTLLowerDFGToB3.cpp:
635         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
636         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
637         * jit/ThunkGenerators.cpp:
638         (JSC::stringCharLoad):
639
640 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
641
642         [FTL] NewArrayBuffer should be sinked if it is only used for spreading
643         https://bugs.webkit.org/show_bug.cgi?id=179762
644
645         Reviewed by Saam Barati.
646
647         This patch extends arguments elimination phase to accept NewArrayBuffer.
648         We can convert NewArrayBuffer to PhantomNewArrayBuffer if it is only
649         used by spreading nodes.
650
651         This improves SixSpeed spread.es6 by 3.5x.
652
653             spread.es6           79.1496+-3.5665     ^     23.6204+-1.8526        ^ definitely 3.3509x faster
654
655         * dfg/DFGAbstractInterpreterInlines.h:
656         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
657         * dfg/DFGArgumentsEliminationPhase.cpp:
658         * dfg/DFGClobberize.h:
659         (JSC::DFG::clobberize):
660         * dfg/DFGDoesGC.cpp:
661         (JSC::DFG::doesGC):
662         * dfg/DFGFixupPhase.cpp:
663         (JSC::DFG::FixupPhase::fixupNode):
664         * dfg/DFGNode.h:
665         (JSC::DFG::Node::hasNewArrayBufferData):
666         (JSC::DFG::Node::hasVectorLengthHint):
667         (JSC::DFG::Node::hasIndexingType):
668         (JSC::DFG::Node::indexingType):
669         (JSC::DFG::Node::hasCellOperand):
670         (JSC::DFG::Node::isPhantomAllocation):
671         * dfg/DFGNodeType.h:
672         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
673         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
674         * dfg/DFGPredictionPropagationPhase.cpp:
675         * dfg/DFGPromotedHeapLocation.cpp:
676         (WTF::printInternal):
677         * dfg/DFGPromotedHeapLocation.h:
678         * dfg/DFGSafeToExecute.h:
679         (JSC::DFG::safeToExecute):
680         * dfg/DFGSpeculativeJIT32_64.cpp:
681         (JSC::DFG::SpeculativeJIT::compile):
682         * dfg/DFGSpeculativeJIT64.cpp:
683         (JSC::DFG::SpeculativeJIT::compile):
684         * dfg/DFGValidate.cpp:
685         * ftl/FTLCapabilities.cpp:
686         (JSC::FTL::canCompile):
687         * ftl/FTLLowerDFGToB3.cpp:
688         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
689         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
690         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
691         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
692         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
693         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs):
694         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread):
695         * ftl/FTLOperations.cpp:
696         (JSC::FTL::operationPopulateObjectInOSR):
697         (JSC::FTL::operationMaterializeObjectInOSR):
698
699 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
700
701         [JSC] Use IsoSpace for JSWeakMap and JSWeakSet to use finalizeUnconditionally
702         https://bugs.webkit.org/show_bug.cgi?id=180916
703
704         Reviewed by Darin Adler.
705
706         This patch drops UnconditionalFinalizer for JSWeakMap and JSWeakSetby using IsoSpace.
707         Since these cells always require calling finalizeUnconditionally, we do not need to
708         track cells by using IsoCellSet.
709
710         Currently we still have WeakReferenceHarvester in JSWeakMap and JSWeakSet. We should
711         avoid using a global linked-list for this in the future.
712
713         * JavaScriptCore.xcodeproj/project.pbxproj:
714         * heap/Heap.cpp:
715         (JSC::Heap::finalizeUnconditionalFinalizersInIsoSubspace):
716         (JSC::Heap::finalizeUnconditionalFinalizers):
717         * heap/Heap.h:
718         * runtime/VM.cpp:
719         (JSC::VM::VM):
720         * runtime/VM.h:
721         * runtime/WeakMapImpl.cpp:
722         (JSC::WeakMapImpl<WeakMapBucket>::visitChildren):
723         (JSC::WeakMapImpl<WeakMapBucket>::finalizeUnconditionally): Deleted.
724         * runtime/WeakMapImpl.h:
725         (JSC::WeakMapImpl::isWeakMap):
726         (JSC::WeakMapImpl::isWeakSet):
727         (JSC::WeakMapImpl::subspaceFor):
728         * runtime/WeakMapImplInlines.h: Added.
729         (JSC::WeakMapImpl<WeakMapBucket>::finalizeUnconditionally):
730
731 2017-12-17  Mark Lam  <mark.lam@apple.com>
732
733         Hollow out stub implementation of InspectorBackendDispatcher::sendResponse().
734         https://bugs.webkit.org/show_bug.cgi?id=180901
735         <rdar://problem/36087649>
736
737         Reviewed by Darin Adler.
738
739         We only need to keep a deprecated implementation of InspectorValues,
740         InspectorObjects, and InspectorBackendDispatcher::sendResponse() around so that
741         older versions of Safari can link against and run with a build of the latest code
742         in WebKit trunk. Older versions of System Safari used InspectorValues (via
743         WebInspector.framework) for two things:
744
745         1. Augmented JSContexts SPIs (via WebInspector.framework).
746         2. maybe WebDriver.
747
748         Neither of these is used when running SafariForWebKitDevelopment.  Since neither
749         is used, we can stub out the symbols (InspectorValues, InspectorObjects,
750         InspectorBackendDispatcher::sendResponse) to do nothing, and
751         SafariForWebKitDevelopment will still continue to launch with trunk WebKit, and
752         run without any observable bad behavior.
753
754         * JavaScriptCore.xcodeproj/project.pbxproj:
755         * SourcesCocoa.txt:
756         * inspector/InspectorBackendDispatcher.cpp:
757         * inspector/InspectorBackendDispatcher.h:
758         * inspector/cocoa/DeprecatedInspectorValues.cpp:
759         (Inspector::InspectorValue::null):
760         (Inspector::InspectorValue::create):
761         (Inspector::InspectorValue::asValue):
762         (Inspector::InspectorValue::asObject):
763         (Inspector::InspectorValue::asArray):
764         (Inspector::InspectorValue::parseJSON):
765         (Inspector::InspectorValue::toJSONString const):
766         (Inspector::InspectorValue::asBoolean const):
767         (Inspector::InspectorValue::asDouble const):
768         (Inspector::InspectorValue::asInteger const):
769         (Inspector::InspectorValue::asString const):
770         (Inspector::InspectorValue::writeJSON const):
771         (Inspector::InspectorValue::memoryCost const):
772         (Inspector::InspectorObjectBase::openAccessors):
773         (Inspector::InspectorObjectBase::memoryCost const):
774         (Inspector::InspectorObjectBase::getBoolean const):
775         (Inspector::InspectorObjectBase::getString const):
776         (Inspector::InspectorObjectBase::getObject const):
777         (Inspector::InspectorObjectBase::getArray const):
778         (Inspector::InspectorObjectBase::getValue const):
779         (Inspector::InspectorObjectBase::remove):
780         (Inspector::InspectorObject::create):
781         (Inspector::InspectorArrayBase::get const):
782         (Inspector::InspectorArrayBase::memoryCost const):
783         (Inspector::InspectorArray::create):
784         (Inspector::BackendDispatcher::sendResponse):
785         (Inspector::InspectorObjectBase::~InspectorObjectBase): Deleted.
786         (Inspector::InspectorObjectBase::asObject): Deleted.
787         (Inspector::InspectorObjectBase::writeJSON const): Deleted.
788         (Inspector::InspectorObjectBase::InspectorObjectBase): Deleted.
789         (Inspector::InspectorArrayBase::~InspectorArrayBase): Deleted.
790         (Inspector::InspectorArrayBase::asArray): Deleted.
791         (Inspector::InspectorArrayBase::writeJSON const): Deleted.
792         (Inspector::InspectorArrayBase::InspectorArrayBase): Deleted.
793         * inspector/cocoa/DeprecatedInspectorValues.h: Removed.
794
795 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
796
797         [JSC][WebCore][CSSJIT] Remove VM reference in CSSJIT
798         https://bugs.webkit.org/show_bug.cgi?id=180917
799
800         Reviewed by Sam Weinig.
801
802         We do not need to hold JIT flags in VM. We add
803         static VM::{canUseJIT,canUseAssembler,canUseRegExpJIT} functions.
804
805         * interpreter/AbstractPC.cpp:
806         (JSC::AbstractPC::AbstractPC):
807         * jit/JITThunks.cpp:
808         (JSC::JITThunks::ctiNativeCall):
809         (JSC::JITThunks::ctiNativeConstruct):
810         (JSC::JITThunks::ctiNativeTailCall):
811         (JSC::JITThunks::ctiNativeTailCallWithoutSavedTags):
812         (JSC::JITThunks::ctiInternalFunctionCall):
813         (JSC::JITThunks::ctiInternalFunctionConstruct):
814         (JSC::JITThunks::hostFunctionStub):
815         * llint/LLIntEntrypoint.cpp:
816         (JSC::LLInt::setFunctionEntrypoint):
817         (JSC::LLInt::setEvalEntrypoint):
818         (JSC::LLInt::setProgramEntrypoint):
819         (JSC::LLInt::setModuleProgramEntrypoint):
820         * llint/LLIntSlowPaths.cpp:
821         (JSC::LLInt::shouldJIT):
822         (JSC::LLInt::entryOSR):
823         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
824         * runtime/RegExp.cpp:
825         (JSC::RegExp::compile):
826         (JSC::RegExp::compileMatchOnly):
827         * runtime/VM.cpp:
828         (JSC::VM::canUseAssembler):
829         (JSC::VM::canUseJIT):
830         (JSC::VM::canUseRegExpJIT):
831         (JSC::VM::VM):
832         * runtime/VM.h:
833         (JSC::VM::canUseJIT): Deleted.
834         (JSC::VM::canUseRegExpJIT): Deleted.
835
836 2017-12-16  Yusuke Suzuki  <utatane.tea@gmail.com>
837
838         [JSC] Number of SlotVisitors can increase after setting up m_visitCounters
839         https://bugs.webkit.org/show_bug.cgi?id=180906
840
841         Reviewed by Filip Pizlo.
842
843         The number of SlotVisitors can increase after setting up m_visitCounters.
844         If it happens, our m_visitCounters misses the visit count of newly added
845         SlotVisitors. It accidentally decides that constraints are converged.
846         This leads to random assertion hits in Linux environment.
847
848         In this patch, we compare the number of SlotVisitors in didVisitSomething().
849         If the number of SlotVisitors is changed, we conservatively say we did
850         visit something.
851
852         * heap/Heap.h:
853         * heap/HeapInlines.h:
854         (JSC::Heap::numberOfSlotVisitors):
855         * heap/MarkingConstraintSet.h:
856         * heap/MarkingConstraintSolver.cpp:
857         (JSC::MarkingConstraintSolver::didVisitSomething const):
858
859 2017-12-16  Keith Miller  <keith_miller@apple.com>
860
861         Indexing should only be computed when the new structure has an indexing header.
862         https://bugs.webkit.org/show_bug.cgi?id=180895
863
864         Reviewed by Saam Barati.
865
866         If we don't have an indexing header then we point the butterfly
867         sizeof(IndexingHeader) past the end of the butterfly. This makes
868         the computation of the offset simpler since it doesn't depend on
869         the indexing headeriness of the butterfly.
870
871         * jit/JITOperations.cpp:
872         * runtime/JSObject.cpp:
873         (JSC::JSObject::createInitialUndecided):
874         (JSC::JSObject::createInitialInt32):
875         (JSC::JSObject::createInitialDouble):
876         (JSC::JSObject::createInitialContiguous):
877         (JSC::JSObject::createArrayStorage):
878         (JSC::JSObject::convertUndecidedToArrayStorage):
879         (JSC::JSObject::convertInt32ToArrayStorage):
880         (JSC::JSObject::convertDoubleToArrayStorage):
881         * runtime/JSObject.h:
882         (JSC::JSObject::setButterfly):
883         (JSC::JSObject::nukeStructureAndSetButterfly):
884         * runtime/JSObjectInlines.h:
885         (JSC::JSObject::prepareToPutDirectWithoutTransition):
886         (JSC::JSObject::putDirectInternal):
887
888 2017-12-15  Ryan Haddad  <ryanhaddad@apple.com>
889
890         Unreviewed, rolling out r225941.
891
892         This change introduced LayoutTest crashes and assertion
893         failures.
894
895         Reverted changeset:
896
897         "Web Inspector: replace HTMLCanvasElement with
898         CanvasRenderingContext for instrumentation logic"
899         https://bugs.webkit.org/show_bug.cgi?id=180770
900         https://trac.webkit.org/changeset/225941
901
902 2017-12-15  Yusuke Suzuki  <utatane.tea@gmail.com>
903
904         Unreviewed, 32bit JSEmpty is not nullptr + CellTag
905         https://bugs.webkit.org/show_bug.cgi?id=180804
906
907         Add 32bit path for WeakMapGet.
908
909         * dfg/DFGSpeculativeJIT.cpp:
910         (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
911
912 2017-12-14  Saam Barati  <sbarati@apple.com>
913
914         The CleanUp after LICM is erroneously removing a Check
915         https://bugs.webkit.org/show_bug.cgi?id=180852
916         <rdar://problem/36063494>
917
918         Reviewed by Filip Pizlo.
919
920         There was a bug where CleanUp phase relied on isProved() bits and LICM
921         changed them in an invalid way. The bug is as follows:
922         
923         We have two loops, L1 and L2, and two preheaders, P1 and P2. L2 is nested
924         inside of L1. We have a Check inside a node inside L1, say in basic block BB,
925         and that Check dominates all of L2. This is also a hoisting candidate, so we
926         hoist it outside of L1 and put it inside P1. Then, when we run AI, we look at
927         the preheader for each loop inside L1, so P1 and P2. When considering P2,
928         we execute the Check. Inside P2, before any hoisting is done, this Check
929         is dead code, because BB dominates P2. When we use AI to "execute" the
930         Check, it'll set its proof status to proved. This is because inside P2,
931         in the program before LICM runs, the Check is indeed proven at P2. But
932         it is not proven inside P1. This "execute" call will set our proof status
933         for the node inside *P1*, hence, we crash.
934         
935         The fix here is to make LICM precise when updating the ProofStatus of an edge.
936         It can trust the AI state at the preheader it hoists the node to, but it can't
937         trust the state when executing effects inside inner loops' preheaders.
938
939         * dfg/DFGPlan.cpp:
940         (JSC::DFG::Plan::compileInThreadImpl):
941
942 2017-12-14  David Kilzer  <ddkilzer@apple.com>
943
944         Enable -Wstrict-prototypes for WebKit
945         <https://webkit.org/b/180757>
946         <rdar://problem/36024132>
947
948         Rubber-stamped by Joseph Pecoraro.
949
950         * API/tests/CompareAndSwapTest.h:
951         (testCompareAndSwap): Add 'void' to C function declaration.
952         * API/tests/ExecutionTimeLimitTest.h:
953         (testExecutionTimeLimit): Ditto.
954         * API/tests/FunctionOverridesTest.h:
955         (testFunctionOverrides): Ditto.
956         * API/tests/GlobalContextWithFinalizerTest.h:
957         (testGlobalContextWithFinalizer): Ditto.
958         * API/tests/JSONParseTest.h:
959         (testJSONParse): Ditto.
960         * API/tests/MultithreadedMultiVMExecutionTest.h:
961         (startMultithreadedMultiVMExecutionTest): Ditto.
962         (finalizeMultithreadedMultiVMExecutionTest): Ditto.
963         * API/tests/PingPongStackOverflowTest.h:
964         (testPingPongStackOverflow): Ditto.
965         * Configurations/Base.xcconfig:
966         (CLANG_WARN_STRICT_PROTOTYPES): Add. Set to YES.
967
968 2017-12-14  Yusuke Suzuki  <utatane.tea@gmail.com>
969
970         [DFG] Reduce register pressure of WeakMapGet to be used for 32bit
971         https://bugs.webkit.org/show_bug.cgi?id=180804
972
973         Reviewed by Saam Barati.
974
975         This fixes 32bit failures of JSC by reducing register pressure of WeakMapGet.
976
977         * dfg/DFGRegisterBank.h:
978         (JSC::DFG::RegisterBank::lockedCount const):
979         * dfg/DFGSpeculativeJIT.cpp:
980         (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
981
982 2017-12-14  Keith Miller  <keith_miller@apple.com>
983
984         Unreviewed, forgot to add { }
985
986         * runtime/JSObject.h:
987         (JSC::JSObject::setButterfly):
988         (JSC::JSObject::nukeStructureAndSetButterfly):
989
990 2017-12-14  Devin Rousso  <webkit@devinrousso.com>
991
992         Web Inspector: replace HTMLCanvasElement with CanvasRenderingContext for instrumentation logic
993         https://bugs.webkit.org/show_bug.cgi?id=180770
994
995         Reviewed by Joseph Pecoraro.
996
997         * inspector/protocol/Canvas.json:
998
999 2017-12-14  Keith Miller  <keith_miller@apple.com>
1000
1001         Fix assertion in JSObject's structure setting methods
1002         https://bugs.webkit.org/show_bug.cgi?id=180840
1003
1004         Reviewed by Mark Lam.
1005
1006         I forgot that when Typed Arrays have non-indexed properties
1007         added to them, they call the generic code. The generic code
1008         in turn calls the regular structure setting methods. Thus,
1009         these assertions were invalid and we should just avoid setting
1010         the indexing mask if we have a Typed Array.
1011
1012         * runtime/JSObject.h:
1013         (JSC::JSObject::setButterfly):
1014         (JSC::JSObject::nukeStructureAndSetButterfly):
1015
1016 2017-12-14  Michael Saboff  <msaboff@apple.com>
1017
1018         REGRESSION (r225695): Repro crash on yahoo login page
1019         https://bugs.webkit.org/show_bug.cgi?id=180761
1020
1021         Reviewed by JF Bastien.
1022
1023         Relanding r225695 with a fix.
1024
1025         The fix is that we need to save the return address for a parentheses in
1026         the ParenContext because it is actually used by any immediately contained
1027         alternatives.
1028
1029        Also did a little refactoring, changing occurrences of PatternContext to
1030         ParenContext since that is the name of the structure.
1031
1032         * runtime/RegExp.cpp:
1033         (JSC::byteCodeCompilePattern):
1034         (JSC::RegExp::byteCodeCompileIfNecessary):
1035         (JSC::RegExp::compile):
1036         (JSC::RegExp::compileMatchOnly):
1037         * runtime/RegExp.h:
1038         * runtime/RegExpInlines.h:
1039         (JSC::RegExp::matchInline):
1040         * testRegExp.cpp:
1041         (parseRegExpLine):
1042         (runFromFiles):
1043         * yarr/Yarr.h:
1044         * yarr/YarrInterpreter.cpp:
1045         (JSC::Yarr::ByteCompiler::compile):
1046         (JSC::Yarr::ByteCompiler::dumpDisjunction):
1047         * yarr/YarrJIT.cpp:
1048         (JSC::Yarr::YarrGenerator::ParenContextSizes::ParenContextSizes):
1049         (JSC::Yarr::YarrGenerator::ParenContextSizes::numSubpatterns):
1050         (JSC::Yarr::YarrGenerator::ParenContextSizes::frameSlots):
1051         (JSC::Yarr::YarrGenerator::ParenContext::sizeFor):
1052         (JSC::Yarr::YarrGenerator::ParenContext::nextOffset):
1053         (JSC::Yarr::YarrGenerator::ParenContext::beginOffset):
1054         (JSC::Yarr::YarrGenerator::ParenContext::matchAmountOffset):
1055         (JSC::Yarr::YarrGenerator::ParenContext::returnAddressOffset):
1056         (JSC::Yarr::YarrGenerator::ParenContext::subpatternOffset):
1057         (JSC::Yarr::YarrGenerator::ParenContext::savedFrameOffset):
1058         (JSC::Yarr::YarrGenerator::initParenContextFreeList):
1059         (JSC::Yarr::YarrGenerator::allocateParenContext):
1060         (JSC::Yarr::YarrGenerator::freeParenContext):
1061         (JSC::Yarr::YarrGenerator::saveParenContext):
1062         (JSC::Yarr::YarrGenerator::restoreParenContext):
1063         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
1064         (JSC::Yarr::YarrGenerator::storeToFrame):
1065         (JSC::Yarr::YarrGenerator::generateJITFailReturn):
1066         (JSC::Yarr::YarrGenerator::clearMatches):
1067         (JSC::Yarr::YarrGenerator::generate):
1068         (JSC::Yarr::YarrGenerator::backtrack):
1069         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
1070         (JSC::Yarr::YarrGenerator::generateEnter):
1071         (JSC::Yarr::YarrGenerator::generateReturn):
1072         (JSC::Yarr::YarrGenerator::YarrGenerator):
1073         (JSC::Yarr::YarrGenerator::compile):
1074         * yarr/YarrJIT.h:
1075         (JSC::Yarr::YarrCodeBlock::execute):
1076         * yarr/YarrPattern.cpp:
1077         (JSC::Yarr::indentForNestingLevel):
1078         (JSC::Yarr::dumpUChar32):
1079         (JSC::Yarr::dumpCharacterClass):
1080         (JSC::Yarr::PatternTerm::dump):
1081         (JSC::Yarr::YarrPattern::dumpPattern):
1082         * yarr/YarrPattern.h:
1083         (JSC::Yarr::PatternTerm::containsAnyCaptures):
1084         (JSC::Yarr::BackTrackInfoParenthesesOnce::returnAddressIndex):
1085         (JSC::Yarr::BackTrackInfoParentheses::beginIndex):
1086         (JSC::Yarr::BackTrackInfoParentheses::returnAddressIndex):
1087         (JSC::Yarr::BackTrackInfoParentheses::matchAmountIndex):
1088         (JSC::Yarr::BackTrackInfoParentheses::parenContextHeadIndex):
1089         (JSC::Yarr::BackTrackInfoAlternative::offsetIndex): Deleted.
1090
1091 2017-12-13  Keith Miller  <keith_miller@apple.com>
1092
1093         JSObjects should have a mask for loading indexed properties
1094         https://bugs.webkit.org/show_bug.cgi?id=180768
1095
1096         Reviewed by Mark Lam.
1097
1098         This patch adds a new member to JSObject that holds an indexing
1099        mask.  The indexing mask is bitwise ANDed with the index used to
1100        load a property.  If for whatever reason an attacker is able to
1101        clobber the vectorLength of our butterfly they still won't be able
1102        to read substantially past the end of the butterfly. For
1103         performance reasons we don't use the indexing masking for
1104         TypedArrays. Since TypedArrays are already gigacaged the risk of
1105         wild reads is still restricted.
1106
1107         This patch is a <1% regression on Speedometer and ~3% regression
1108         on JetStream in my testing.
1109
1110         * assembler/MacroAssembler.h:
1111         (JSC::MacroAssembler::urshiftPtr):
1112         * bytecode/AccessCase.cpp:
1113         (JSC::AccessCase::generateImpl):
1114         * dfg/DFGAbstractHeap.h:
1115         * dfg/DFGClobberize.h:
1116         (JSC::DFG::clobberize):
1117         * dfg/DFGSpeculativeJIT.cpp:
1118         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1119         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
1120         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
1121         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
1122         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
1123         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1124         (JSC::DFG::SpeculativeJIT::compileNukeStructureAndSetButterfly):
1125         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
1126         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
1127         * dfg/DFGSpeculativeJIT.h:
1128         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
1129         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
1130         * dfg/DFGSpeculativeJIT32_64.cpp:
1131         (JSC::DFG::SpeculativeJIT::compile):
1132         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
1133         * dfg/DFGSpeculativeJIT64.cpp:
1134         (JSC::DFG::SpeculativeJIT::compile):
1135         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
1136         * ftl/FTLAbstractHeap.cpp:
1137         (JSC::FTL::IndexedAbstractHeap::baseIndex):
1138         * ftl/FTLAbstractHeap.h:
1139         * ftl/FTLAbstractHeapRepository.h:
1140         * ftl/FTLLowerDFGToB3.cpp:
1141         (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
1142         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1143         (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
1144         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
1145         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
1146         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
1147         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
1148         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1149         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
1150         (JSC::FTL::DFG::LowerDFGToB3::maskedIndex):
1151         (JSC::FTL::DFG::LowerDFGToB3::computeButterflyIndexingMask):
1152         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1153         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
1154         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
1155         (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
1156         * ftl/FTLOutput.h:
1157         (JSC::FTL::Output::baseIndex):
1158         * jit/AssemblyHelpers.h:
1159         (JSC::AssemblyHelpers::emitComputeButterflyIndexingMask):
1160         (JSC::AssemblyHelpers::nukeStructureAndStoreButterfly):
1161         (JSC::AssemblyHelpers::emitAllocateJSObject):
1162         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
1163         (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
1164         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
1165         (JSC::AssemblyHelpers::storeButterfly): Deleted.
1166         * jit/JITOpcodes.cpp:
1167         (JSC::JIT::emit_op_new_object):
1168         (JSC::JIT::emit_op_create_this):
1169         * jit/JITOpcodes32_64.cpp:
1170         (JSC::JIT::emit_op_new_object):
1171         (JSC::JIT::emit_op_create_this):
1172         * jit/JITPropertyAccess.cpp:
1173         (JSC::JIT::emitDoubleLoad):
1174         (JSC::JIT::emitContiguousLoad):
1175         (JSC::JIT::emitArrayStorageLoad):
1176         * llint/LowLevelInterpreter32_64.asm:
1177         * llint/LowLevelInterpreter64.asm:
1178         * runtime/ArrayStorage.h:
1179         (JSC::ArrayStorage::availableVectorLength):
1180         * runtime/Butterfly.h:
1181         (JSC::ContiguousData::ContiguousData):
1182         (JSC::ContiguousData::at const):
1183         (JSC::ContiguousData::at):
1184         (JSC::Butterfly::publicLength const):
1185         (JSC::Butterfly::vectorLength const):
1186         (JSC::Butterfly::computeIndexingMaskForVectorLength):
1187         (JSC::Butterfly::computeIndexingMask):
1188         (JSC::Butterfly::contiguousInt32):
1189         (JSC::ContiguousData::operator[] const): Deleted.
1190         (JSC::ContiguousData::operator[]): Deleted.
1191         (JSC::Butterfly::publicLength): Deleted.
1192         (JSC::Butterfly::vectorLength): Deleted.
1193         * runtime/ButterflyInlines.h:
1194         (JSC::ContiguousData<T>::at const):
1195         (JSC::ContiguousData<T>::at):
1196         * runtime/ClonedArguments.cpp:
1197         (JSC::ClonedArguments::createEmpty):
1198         * runtime/JSArray.cpp:
1199         (JSC::JSArray::tryCreateUninitializedRestricted):
1200         (JSC::JSArray::appendMemcpy):
1201         (JSC::JSArray::setLength):
1202         (JSC::JSArray::pop):
1203         (JSC::JSArray::fastSlice):
1204         (JSC::JSArray::shiftCountWithArrayStorage):
1205         (JSC::JSArray::shiftCountWithAnyIndexingType):
1206         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1207         (JSC::JSArray::fillArgList):
1208         (JSC::JSArray::copyToArguments):
1209         * runtime/JSArrayBufferView.cpp:
1210         (JSC::JSArrayBufferView::JSArrayBufferView):
1211         * runtime/JSArrayInlines.h:
1212         (JSC::JSArray::pushInline):
1213         * runtime/JSFixedArray.h:
1214         (JSC::JSFixedArray::createFromArray):
1215         * runtime/JSGenericTypedArrayViewInlines.h:
1216         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
1217         * runtime/JSObject.cpp:
1218         (JSC::JSObject::getOwnPropertySlotByIndex):
1219         (JSC::JSObject::putByIndex):
1220         (JSC::JSObject::createInitialInt32):
1221         (JSC::JSObject::createInitialDouble):
1222         (JSC::JSObject::createInitialContiguous):
1223         (JSC::JSObject::convertUndecidedToInt32):
1224         (JSC::JSObject::convertUndecidedToDouble):
1225         (JSC::JSObject::convertUndecidedToContiguous):
1226         (JSC::JSObject::convertInt32ToDouble):
1227         (JSC::JSObject::convertInt32ToArrayStorage):
1228         (JSC::JSObject::convertDoubleToContiguous):
1229         (JSC::JSObject::convertDoubleToArrayStorage):
1230         (JSC::JSObject::convertContiguousToArrayStorage):
1231         (JSC::JSObject::createInitialForValueAndSet):
1232         (JSC::JSObject::deletePropertyByIndex):
1233         (JSC::JSObject::getOwnPropertyNames):
1234         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1235         (JSC::JSObject::countElements):
1236         (JSC::JSObject::ensureLengthSlow):
1237         (JSC::JSObject::reallocateAndShrinkButterfly):
1238         (JSC::JSObject::getEnumerableLength):
1239         * runtime/JSObject.h:
1240         (JSC::JSObject::canGetIndexQuickly):
1241         (JSC::JSObject::getIndexQuickly):
1242         (JSC::JSObject::tryGetIndexQuickly const):
1243         (JSC::JSObject::setIndexQuickly):
1244         (JSC::JSObject::initializeIndex):
1245         (JSC::JSObject::initializeIndexWithoutBarrier):
1246         (JSC::JSObject::butterflyIndexingMaskOffset):
1247         (JSC::JSObject::butterflyIndexingMask const):
1248         (JSC::JSObject::setButterflyWithIndexingMask):
1249         (JSC::JSObject::setButterfly):
1250         (JSC::JSObject::nukeStructureAndSetButterfly):
1251         (JSC::JSObject::JSObject):
1252         * runtime/RegExpMatchesArray.h:
1253         (JSC::tryCreateUninitializedRegExpMatchesArray):
1254         * runtime/Structure.cpp:
1255         (JSC::Structure::flattenDictionaryStructure):
1256
1257 2017-12-14  David Kilzer  <ddkilzer@apple.com>
1258
1259         REGRESSION (r225799/r225887): Remove duplicate entries for JSCPoisonedPtr.h in Xcode project
1260
1261         Fixes the following warning during builds:
1262
1263             Warning: Multiple build commands for output file WebKitBuild/Release/JavaScriptCore.framework/Versions/A/PrivateHeaders/JSCPoisonedPtr.h
1264
1265         * JavaScriptCore.xcodeproj/project.pbxproj: Remove duplicate
1266         entries for JSCPoisonedPtr.h.
1267
1268 2017-12-14  David Kilzer  <ddkilzer@apple.com>
1269
1270         REGRESSION (r225887): Build broke due to missing includes in InferredValue.h
1271         <https://bugs.webkit.org/show_bug.cgi?id=180738>
1272
1273         * runtime/InferredValue.h: Attempt to fix build by adding
1274         missing #include statements.
1275
1276 2017-12-13  Filip Pizlo  <fpizlo@apple.com>
1277
1278         Octane/richards regressed by a whopping 20% because eliminateCommonSubexpressions has a weird fixpoint requirement
1279         https://bugs.webkit.org/show_bug.cgi?id=180783
1280
1281         Reviewed by Saam Barati.
1282         
1283         This fixes the regression by fixpointing CSE. We need to fixpoint CSE because of this case:
1284         
1285             BB#1:
1286                 a: Load(@x)
1287                 b: Load(@x)
1288                 c: Load(@b)
1289             BB#2:
1290                 d: Load(@b)
1291             BB#3:
1292                 e: Load(@b)
1293         
1294        Let's assume that #3 loops around to #2, so to eliminate @d, we need to prove that it's redundant
1295         with both @c and @e. The problem is that by the time we get to @d, the CSE state will look like
1296         this:
1297
1298             BB#1:
1299                 a: Load(@x)
1300                 b: Load(@x)
1301                 c: Load(@a)
1302                 memoryAtTail: {@x=>@a, @a=>@c}
1303             BB#2:
1304                 d: Load(@a) [sic]
1305                 memoryAtTail: {@b=>@d}
1306             BB#3:
1307                 e: Load(@b)
1308                 memoryAtTail: {@b=>@e} [sic]
1309         
1310         Note that #3's atTail map is keyed on @b, which was the old (no longer canonical) version of @a.
1311         But @d's children were already substituted, so it refers to @a. Since @a is not in #3's atTail
1312         map, we don't find it and leave the redundancy.
1313         
1314         I think that the cleanest solution is to fixpoint. CSE is pretty cheap, so hopefully we can afford
1315         this. It fixes the richards regression, since richards is super dependent on B3 CSE.
1316
1317         * b3/B3EliminateCommonSubexpressions.cpp: Logging.
1318         * b3/B3Generate.cpp:
1319         (JSC::B3::generateToAir): Fix the bug.
1320         * b3/air/AirReportUsedRegisters.cpp:
1321         (JSC::B3::Air::reportUsedRegisters): Logging.
1322         * dfg/DFGByteCodeParser.cpp:
1323         * dfg/DFGSSAConversionPhase.cpp:
1324         (JSC::DFG::SSAConversionPhase::run): Don't generate EntrySwitch if we don't need it (makes IR easier to read).
1325         * ftl/FTLLowerDFGToB3.cpp:
1326         (JSC::FTL::DFG::LowerDFGToB3::lower): Don't generate EntrySwitch if we don't need it (makes IR easier to read).
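
The fixpoint argument above, as an added toy model that is not B3's own code: a single block-ordered pass over the entry's CFG (BB#1 feeding BB#2, with BB#3 looping back to BB#2) cannot eliminate @d because BB#3's memoryAtTail is not yet known when BB#2 is visited, and a second pass finds the redundancy once the back edge's state exists. The IR here has only Load nodes and no stores, the `memoryAtHead` agreement rule (loop-carried values from this block are ignored) is this model's own simplification, and all names (`Graph`, `runCSEPass`, `runCSEToFixpoint`) are hypothetical.

```cpp
#include <algorithm>
#include <map>
#include <vector>

// Added toy model, not B3's own code. Only Load nodes and one root address
// exist and there are no stores, so loads of the same address are redundant.
struct Node {
    bool isLoad;
    int address;  // id of the address operand; -1 for the root value @x
};

struct Block {
    std::vector<int> preds;
    std::vector<int> nodes;
    std::map<int, int> memoryAtTail;  // canonical address -> load holding it
};

struct Graph {
    std::vector<Node> nodes;
    std::vector<Block> blocks;
    std::map<int, int> replacement;  // eliminated load -> replacement node
};

static int canonical(const Graph& g, int id)
{
    for (auto it = g.replacement.find(id); it != g.replacement.end(); it = g.replacement.find(id))
        id = it->second;
    return id;
}

// Memory state at a block's head: an address is available only if every
// predecessor's tail has it. A value defined in this block arrived over a back
// edge (loop-carried) and is left out of the agreement check.
static std::map<int, int> memoryAtHead(const Graph& g, const Block& block)
{
    std::map<int, int> state;
    if (block.preds.empty())
        return state;
    for (const auto& entry : g.blocks[block.preds[0]].memoryAtTail) {
        std::vector<int> values;
        bool everywhere = true;
        for (int pred : block.preds) {
            const auto& tail = g.blocks[pred].memoryAtTail;
            auto it = tail.find(entry.first);
            if (it == tail.end()) { everywhere = false; break; }
            int value = canonical(g, it->second);
            if (std::find(block.nodes.begin(), block.nodes.end(), value) == block.nodes.end())
                values.push_back(value);
        }
        if (!everywhere || values.empty())
            continue;
        if (std::all_of(values.begin(), values.end(), [&](int v) { return v == values[0]; }))
            state[entry.first] = values[0];
    }
    return state;
}

// One CSE pass in block order; returns the number of newly made replacements.
static int runCSEPass(Graph& g)
{
    int changes = 0;
    for (Block& block : g.blocks) {
        std::map<int, int> state = memoryAtHead(g, block);
        for (int id : block.nodes) {
            Node& node = g.nodes[id];
            if (!node.isLoad)
                continue;
            node.address = canonical(g, node.address);  // substitute children first
            auto it = state.find(node.address);
            if (it == state.end()) { state[node.address] = id; continue; }
            auto old = g.replacement.find(id);
            if (old == g.replacement.end() || old->second != it->second)
                ++changes;
            g.replacement[id] = it->second;
        }
        block.memoryAtTail = state;
    }
    return changes;
}

// Repeat until a pass changes nothing; returns the number of passes run.
static int runCSEToFixpoint(Graph& g)
{
    int passes = 0;
    do { ++passes; } while (runCSEPass(g));
    return passes;
}

// Constructed CFG from the entry: BB#1 -> BB#2, BB#2 -> BB#3, BB#3 -> BB#2.
static Graph buildExampleGraph()
{
    Graph g;
    g.nodes = { { false, -1 }, { true, 0 }, { true, 0 }, { true, 2 }, { true, 2 }, { true, 2 } };
    // ids: 0 = @x, 1 = a: Load(@x), 2 = b: Load(@x), 3 = c: Load(@b), 4 = d: Load(@b), 5 = e: Load(@b)
    g.blocks = { { {}, { 0, 1, 2, 3 }, {} }, { { 0, 2 }, { 4 }, {} }, { { 1 }, { 5 }, {} } };
    return g;
}
```

After one pass @b has become @a and @e has become @d, but @d survives; running to a fixpoint folds both @d and @e into @c, and the final pass that changes nothing is what terminates the loop.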
1327
1328 2017-12-13  Joseph Pecoraro  <pecoraro@apple.com>
1329
1330         REGRESSION: Web Inspector: Opening inspector crashes page if there are empty resources
1331         https://bugs.webkit.org/show_bug.cgi?id=180787
1332         <rdar://problem/35934838>
1333
1334         Reviewed by Brian Burg.
1335
1336         * inspector/ContentSearchUtilities.cpp:
1337         (Inspector::ContentSearchUtilities::findMagicComment):
1338         For empty / null strings just return. There is no use
1339         trying to search them for a long common syntax.
1340
1341 2017-12-13  Saam Barati  <sbarati@apple.com>
1342
1343         Arrow functions need their own structure because they have different properties than sloppy functions
1344         https://bugs.webkit.org/show_bug.cgi?id=180779
1345         <rdar://problem/35814591>
1346
1347         Reviewed by Mark Lam.
1348
1349         We were using the same structure for sloppy functions and
1350         arrow functions. This broke our IC caching machinery because
1351         these two types of functions actually have different properties.
1352         This patch gives them different structures.
1353
1354         * dfg/DFGAbstractInterpreterInlines.h:
1355         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1356         * dfg/DFGSpeculativeJIT.cpp:
1357         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1358         * ftl/FTLLowerDFGToB3.cpp:
1359         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
1360         * runtime/FunctionConstructor.cpp:
1361         (JSC::constructFunctionSkippingEvalEnabledCheck):
1362         * runtime/JSFunction.cpp:
1363         (JSC::JSFunction::selectStructureForNewFuncExp):
1364         (JSC::JSFunction::create):
1365         * runtime/JSFunction.h:
1366         * runtime/JSFunctionInlines.h:
1367         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
1368         * runtime/JSGlobalObject.cpp:
1369         (JSC::JSGlobalObject::init):
1370         (JSC::JSGlobalObject::visitChildren):
1371         * runtime/JSGlobalObject.h:
1372         (JSC::JSGlobalObject::arrowFunctionStructure const):
1373
1374 2017-12-12  Filip Pizlo  <fpizlo@apple.com>
1375
1376         InferredValue should use IsoSubspace
1377         https://bugs.webkit.org/show_bug.cgi?id=180738
1378
1379         Reviewed by Keith Miller.
1380         
1381         This moves InferredValue into an IsoSubspace and then takes advantage of this to get rid of
1382         its UnconditionalFinalizer.
1383
1384         * JavaScriptCore.xcodeproj/project.pbxproj:
1385         * heap/Heap.cpp:
1386         (JSC::Heap::finalizeUnconditionalFinalizers):
1387         * runtime/InferredValue.cpp:
1388         (JSC::InferredValue::visitChildren):
1389         (JSC::InferredValue::ValueCleanup::ValueCleanup): Deleted.
1390         (JSC::InferredValue::ValueCleanup::~ValueCleanup): Deleted.
1391         (JSC::InferredValue::ValueCleanup::finalizeUnconditionally): Deleted.
1392         * runtime/InferredValue.h:
1393         (JSC::InferredValue::subspaceFor):
1394         * runtime/InferredValueInlines.h: Added.
1395         (JSC::InferredValue::finalizeUnconditionally):
1396         * runtime/VM.cpp:
1397         (JSC::VM::VM):
1398         * runtime/VM.h:
1399
1400 2017-12-13  Devin Rousso  <webkit@devinrousso.com>
1401
1402         Web Inspector: add instrumentation for ImageBitmapRenderingContext
1403         https://bugs.webkit.org/show_bug.cgi?id=180736
1404
1405         Reviewed by Joseph Pecoraro.
1406
1407         * inspector/protocol/Canvas.json:
1408         * inspector/scripts/codegen/generator.py:
1409
1410 2017-12-13  Saam Barati  <sbarati@apple.com>
1411
1412         Take a value driven approach to how we emit structure checks in TypeCheckHoistingPhase to obviate the need for static_assert guards
1413         https://bugs.webkit.org/show_bug.cgi?id=180771
1414
1415         Reviewed by JF Bastien.
1416
1417         * dfg/DFGTypeCheckHoistingPhase.cpp:
1418         (JSC::DFG::TypeCheckHoistingPhase::run):
1419
1420 2017-12-13  Saam Barati  <sbarati@apple.com>
1421
1422         REGRESSION(r225844): Around 850 new JSC failures on 32-bit
1423         https://bugs.webkit.org/show_bug.cgi?id=180764
1424
1425         Unreviewed. We should only emit CheckStructureOrEmpty on 64 bit platforms.
1426
1427         * dfg/DFGTypeCheckHoistingPhase.cpp:
1428         (JSC::DFG::TypeCheckHoistingPhase::run):
1429
1430 2017-12-13  Michael Saboff  <msaboff@apple.com>
1431
1432         Unreviewed rollout of r225695. Caused a crash on yahoo login page.
1433
1434         That bug is tracked in https://bugs.webkit.org/show_bug.cgi?id=180761.
1435
1436         * runtime/RegExp.cpp:
1437         (JSC::RegExp::compile):
1438         (JSC::RegExp::compileMatchOnly):
1439         (JSC::byteCodeCompilePattern): Deleted.
1440         (JSC::RegExp::byteCodeCompileIfNecessary): Deleted.
1441         * runtime/RegExp.h:
1442         * runtime/RegExpInlines.h:
1443         (JSC::RegExp::matchInline):
1444         * testRegExp.cpp:
1445         (parseRegExpLine):
1446         (runFromFiles):
1447         * yarr/Yarr.h:
1448         * yarr/YarrInterpreter.cpp:
1449         (JSC::Yarr::ByteCompiler::compile):
1450         (JSC::Yarr::ByteCompiler::dumpDisjunction):
1451         (JSC::Yarr::ByteCompiler::emitDisjunction):
1452         * yarr/YarrJIT.cpp:
1453         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
1454         (JSC::Yarr::YarrGenerator::generate):
1455         (JSC::Yarr::YarrGenerator::backtrack):
1456         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
1457         (JSC::Yarr::YarrGenerator::generateEnter):
1458         (JSC::Yarr::YarrGenerator::generateReturn):
1459         (JSC::Yarr::YarrGenerator::YarrGenerator):
1460         (JSC::Yarr::YarrGenerator::compile):
1461         (JSC::Yarr::YarrGenerator::ParenContextSizes::ParenContextSizes): Deleted.
1462         (JSC::Yarr::YarrGenerator::ParenContextSizes::numSubpatterns): Deleted.
1463         (JSC::Yarr::YarrGenerator::ParenContextSizes::frameSlots): Deleted.
1464         (JSC::Yarr::YarrGenerator::ParenContext::sizeFor): Deleted.
1465         (JSC::Yarr::YarrGenerator::ParenContext::nextOffset): Deleted.
1466         (JSC::Yarr::YarrGenerator::ParenContext::beginOffset): Deleted.
1467         (JSC::Yarr::YarrGenerator::ParenContext::matchAmountOffset): Deleted.
1468         (JSC::Yarr::YarrGenerator::ParenContext::subpatternOffset): Deleted.
1469         (JSC::Yarr::YarrGenerator::ParenContext::savedFrameOffset): Deleted.
1470         (JSC::Yarr::YarrGenerator::initParenContextFreeList): Deleted.
1471         (JSC::Yarr::YarrGenerator::allocatePatternContext): Deleted.
1472         (JSC::Yarr::YarrGenerator::freePatternContext): Deleted.
1473         (JSC::Yarr::YarrGenerator::savePatternContext): Deleted.
1474         (JSC::Yarr::YarrGenerator::restorePatternContext): Deleted.
1475         (JSC::Yarr::YarrGenerator::generateJITFailReturn): Deleted.
1476         (JSC::Yarr::YarrGenerator::clearMatches): Deleted.
1477         * yarr/YarrJIT.h:
1478         (JSC::Yarr::YarrCodeBlock::execute):
1479         * yarr/YarrPattern.cpp:
1480         (JSC::Yarr::indentForNestingLevel):
1481         (JSC::Yarr::dumpUChar32):
1482         (JSC::Yarr::PatternTerm::dump):
1483         (JSC::Yarr::YarrPattern::dumpPattern):
1484         (JSC::Yarr::dumpCharacterClass): Deleted.
1485         * yarr/YarrPattern.h:
1486         (JSC::Yarr::BackTrackInfoAlternative::offsetIndex):
1487         (JSC::Yarr::BackTrackInfoParenthesesOnce::beginIndex):
1488         (JSC::Yarr::PatternTerm::containsAnyCaptures): Deleted.
1489         (JSC::Yarr::BackTrackInfoParenthesesOnce::returnAddressIndex): Deleted.
1490         (JSC::Yarr::BackTrackInfoParentheses::beginIndex): Deleted.
1491         (JSC::Yarr::BackTrackInfoParentheses::returnAddressIndex): Deleted.
1492         (JSC::Yarr::BackTrackInfoParentheses::matchAmountIndex): Deleted.
1493         (JSC::Yarr::BackTrackInfoParentheses::patternContextHeadIndex): Deleted.
1494
1495 2017-12-13  Mark Lam  <mark.lam@apple.com>
1496
1497         Fill out some Poisoned APIs, fix some bugs, and add some tests.
1498         https://bugs.webkit.org/show_bug.cgi?id=180724
1499         <rdar://problem/36006884>
1500
1501         Reviewed by JF Bastien.
1502
1503         * runtime/StructureTransitionTable.h:
1504
1505 2017-12-13  Caio Lima  <ticaiolima@gmail.com>
1506
1507         [ESNext][BigInt] Breaking tests on Debug build and 32-bits due to missing Exception check
1508         https://bugs.webkit.org/show_bug.cgi?id=180746
1509
1510         Reviewed by Saam Barati.
1511
1512         We have some uncaught exceptions that could happen due to OOM in
1513         JSBigInt::allocateFor and JSBigInt::toStringGeneric. This patch is
1514         catching such exceptions properly.
1515
1516         * runtime/JSBigInt.cpp:
1517         (JSC::JSBigInt::allocateFor):
1518         (JSC::JSBigInt::parseInt):
1519         * runtime/JSCJSValue.cpp:
1520         (JSC::JSValue::toStringSlowCase const):
1521
1522 2017-12-13  Saam Barati  <sbarati@apple.com>
1523
1524         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
1525         https://bugs.webkit.org/show_bug.cgi?id=163579
1526         <rdar://problem/35455798>
1527
1528         Reviewed by Mark Lam.
1529
1530         Some functions in JavaScript do not have the "caller" and "arguments" properties.
1531         For example, strict functions do not. When reading our code that dealt with these
1532         types of functions, it was simply all wrong. We were doing weird things depending
1533         on the method table hook. This patch fixes this by doing what we should've been
1534         doing all along: when the JSFunction does not own the "caller"/"arguments" property,
1535         it should defer to its base class implementation for the various method table hooks.
1536
1537         * runtime/JSFunction.cpp:
1538         (JSC::JSFunction::put):
1539         (JSC::JSFunction::deleteProperty):
1540         (JSC::JSFunction::defineOwnProperty):
1541
1542 2017-12-13  Saam Barati  <sbarati@apple.com>
1543
1544         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
1545         https://bugs.webkit.org/show_bug.cgi?id=180734
1546         <rdar://problem/35640547>
1547
1548         Reviewed by Yusuke Suzuki.
1549
1550         The |this| value may be TDZ. If type check hoisting phase
1551         hoists a CheckStructure to it, it will crash. This patch
1552         makes it so we emit CheckStructureOrEmpty for |this|.
1553
1554         * dfg/DFGTypeCheckHoistingPhase.cpp:
1555         (JSC::DFG::TypeCheckHoistingPhase::run):
1556
1557 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1558
1559         [JSC] Optimize Object.assign by single transition acceleration
1560         https://bugs.webkit.org/show_bug.cgi?id=180644
1561
1562         Reviewed by Saam Barati.
1563
1564         Handling single transition is critical. Since this get() function is only used
1565         in Structure.cpp's 2 functions and it is quite small, we can annotate `inline`
1566         to accelerate it.
1567
1568         This improves SixSpeed/object-assign.es6 by 2.8%.
1569
1570                                     baseline                  patched
1571
1572         object-assign.es6      382.3548+-8.0461          371.6496+-5.7439          might be 1.0288x faster
1573
1574         * runtime/Structure.cpp:
1575         (JSC::StructureTransitionTable::get const):
1576
1577 2017-12-12  Filip Pizlo  <fpizlo@apple.com>
1578
1579         Structure, StructureRareData, and PropertyTable should be in IsoSubspaces
1580         https://bugs.webkit.org/show_bug.cgi?id=180732
1581
1582         Rubber stamped by Mark Lam.
1583         
1584         We should eventually move all fixed-size cells into IsoSubspaces. I don't know if they are
1585         scalable enough to support that, so we should do it carefully.
1586
1587         * heap/MarkedSpace.cpp:
1588         * runtime/PropertyMapHashTable.h:
1589         * runtime/Structure.h:
1590         * runtime/StructureRareData.h:
1591         * runtime/VM.cpp:
1592         (JSC::VM::VM):
1593         * runtime/VM.h:
1594
1595 2017-12-12  Saam Barati  <sbarati@apple.com>
1596
1597         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
1598         https://bugs.webkit.org/show_bug.cgi?id=180725
1599         <rdar://problem/35970511>
1600
1601         Reviewed by Michael Saboff.
1602
1603         * dfg/DFGClobberize.h:
1604         (JSC::DFG::clobberize):
1605         * dfg/DFGPreciseLocalClobberize.h:
1606         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1607
1608 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1609
1610         [JSC] Implement optimized WeakMap and WeakSet
1611         https://bugs.webkit.org/show_bug.cgi?id=179929
1612
1613         Reviewed by Saam Barati.
1614
1615         This patch introduces WeakMapImpl to optimize WeakMap and WeakSet.
1616         This is similar to HashMapImpl. But,
1617
1618         1. WeakMapImpl's bucket is not allocated in GC heap since WeakMap
1619         does not need to have iterators.
1620
1621         2. WeakMapImpl's buffer is allocated in JSValue Gigacage instead
1622         of auxiliary buffer. This is because we would like to allocate buffer
1623         when finalizing GC. At that time, WeakMapImpl prunes dead entries and
1624         shrinks it if necessary. However, allocating from the GC heap during
1625         finalization is not allowed.
1626
1627         In particular, (2) is important since it ensures any WeakMap operations
1628         do not cause GC. Since GC may collect dead keys in WeakMap, rehash WeakMap,
1629         and reallocate/change WeakMap's buffer, ensuring that any WeakMap operations
1630         do not cause GC makes our implementation simple. To ensure this, we place
1631         DisallowGC for each WeakMap's interface.
1632
1633         In DFG, we introduce WeakMapGet and ExtractValueFromWeakMapGet nodes.
1634         WeakMapGet looks up an entry in WeakMapImpl and returns a value. If it is
1635         a WeakMap, it returns the value, and it returns the key if it is a WeakSet. If it
1636         does not find a corresponding entry, it returns JSEmpty.
1637         ExtractValueFromWeakMapGet converts JSEmpty to JSUndefined.
1638
1639         This patch improves WeakMap and WeakSet operations.
1640
1641                                      baseline                  patched
1642
1643             weak-set-key        240.6932+-10.4923    ^    148.7606+-6.1784        ^ definitely 1.6180x faster
1644             weak-map-key        174.3176+-8.2680     ^    151.7053+-6.8723        ^ definitely 1.1491x faster
1645
1646         * JavaScriptCore.xcodeproj/project.pbxproj:
1647         * Sources.txt:
1648         * dfg/DFGAbstractHeap.h:
1649         * dfg/DFGAbstractInterpreterInlines.h:
1650         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1651         * dfg/DFGByteCodeParser.cpp:
1652         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1653         * dfg/DFGClobberize.h:
1654         (JSC::DFG::clobberize):
1655         * dfg/DFGDoesGC.cpp:
1656         (JSC::DFG::doesGC):
1657         * dfg/DFGFixupPhase.cpp:
1658         (JSC::DFG::FixupPhase::fixupNode):
1659         * dfg/DFGNode.h:
1660         (JSC::DFG::Node::hasHeapPrediction):
1661         * dfg/DFGNodeType.h:
1662         * dfg/DFGOperations.cpp:
1663         * dfg/DFGOperations.h:
1664         * dfg/DFGPredictionPropagationPhase.cpp:
1665         * dfg/DFGSafeToExecute.h:
1666         (JSC::DFG::safeToExecute):
1667         * dfg/DFGSpeculativeJIT.cpp:
1668         (JSC::DFG::SpeculativeJIT::compileExtractValueFromWeakMapGet):
1669         (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
1670         * dfg/DFGSpeculativeJIT.h:
1671         * dfg/DFGSpeculativeJIT32_64.cpp:
1672         (JSC::DFG::SpeculativeJIT::compile):
1673         * dfg/DFGSpeculativeJIT64.cpp:
1674         (JSC::DFG::SpeculativeJIT::compile):
1675         * ftl/FTLAbstractHeapRepository.h:
1676         * ftl/FTLCapabilities.cpp:
1677         (JSC::FTL::canCompile):
1678         * ftl/FTLLowerDFGToB3.cpp:
1679         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1680         (JSC::FTL::DFG::LowerDFGToB3::compileExtractValueFromWeakMapGet):
1681         (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
1682         * inspector/JSInjectedScriptHost.cpp:
1683         (Inspector::JSInjectedScriptHost::weakMapEntries):
1684         (Inspector::JSInjectedScriptHost::weakSetEntries):
1685         The existing code is incorrect: it can run GC and break WeakMap's iterator.
1686         We introduce takeSnapshot function to WeakMapImpl, which retrieves live
1687         entries without causing any GC.
1688
1689         * runtime/HashMapImpl.h:
1690         (JSC::shouldShrink):
1691         (JSC::shouldRehashAfterAdd):
1692         (JSC::nextCapacity):
1693         (JSC::HashMapImpl::shouldRehashAfterAdd const):
1694         (JSC::HashMapImpl::shouldShrink const):
1695         (JSC::HashMapImpl::rehash):
1696         (JSC::WeakMapHash::hash): Deleted.
1697         (JSC::WeakMapHash::equal): Deleted.
1698         * runtime/Intrinsic.cpp:
1699         (JSC::intrinsicName):
1700         * runtime/Intrinsic.h:
1701         * runtime/JSWeakMap.cpp:
1702         * runtime/JSWeakMap.h:
1703         * runtime/JSWeakSet.cpp:
1704         * runtime/JSWeakSet.h:
1705         * runtime/VM.cpp:
1706         * runtime/WeakGCMap.h:
1707         (JSC::WeakGCMap::forEach): Deleted.
1708         * runtime/WeakMapBase.cpp: Removed.
1709         * runtime/WeakMapBase.h: Removed.
1710         * runtime/WeakMapConstructor.cpp:
1711         (JSC::constructWeakMap):
1712         * runtime/WeakMapImpl.cpp: Added.
1713         (JSC::WeakMapImpl<WeakMapBucket>::destroy):
1714         (JSC::WeakMapImpl<WeakMapBucket>::visitChildren):
1715         (JSC::WeakMapImpl<WeakMapBucket>::estimatedSize):
1716         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::visitWeakReferences):
1717         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitWeakReferences):
1718         (JSC::WeakMapImpl<WeakMapBucket>::finalizeUnconditionally):
1719         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::takeSnapshot):
1720         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::takeSnapshot):
1721         * runtime/WeakMapImpl.h: Added.
1722         (JSC::jsWeakMapHash):
1723         (JSC::nextCapacityAfterRemoveBatching):
1724         (JSC::WeakMapBucket::setKey):
1725         (JSC::WeakMapBucket::setValue):
1726         (JSC::WeakMapBucket::key const):
1727         (JSC::WeakMapBucket::value const):
1728         (JSC::WeakMapBucket::copyFrom):
1729         (JSC::WeakMapBucket::offsetOfKey):
1730         (JSC::WeakMapBucket::offsetOfValue):
1731         (JSC::WeakMapBucket::extractValue):
1732         (JSC::WeakMapBucket::isEmpty):
1733         (JSC::WeakMapBucket::deletedKey):
1734         (JSC::WeakMapBucket::isDeleted):
1735         (JSC::WeakMapBucket::makeDeleted):
1736         (JSC::WeakMapBucket::visitAggregate):
1737         (JSC::WeakMapBucket::clearValue):
1738         (JSC::WeakMapBuffer::allocationSize):
1739         (JSC::WeakMapBuffer::buffer const):
1740         (JSC::WeakMapBuffer::create):
1741         (JSC::WeakMapBuffer::reset):
1742         (JSC::WeakMapImpl::WeakMapImpl):
1743         (JSC::WeakMapImpl::finishCreation):
1744         (JSC::WeakMapImpl::get):
1745         (JSC::WeakMapImpl::has):
1746         (JSC::WeakMapImpl::add):
1747         (JSC::WeakMapImpl::remove):
1748         (JSC::WeakMapImpl::size const):
1749         (JSC::WeakMapImpl::offsetOfBuffer):
1750         (JSC::WeakMapImpl::offsetOfCapacity):
1751         (JSC::WeakMapImpl::findBucket):
1752         (JSC::WeakMapImpl::buffer const):
1753         (JSC::WeakMapImpl::forEach):
1754         (JSC::WeakMapImpl::shouldRehashAfterAdd const):
1755         (JSC::WeakMapImpl::shouldShrink const):
1756         (JSC::WeakMapImpl::canUseBucket):
1757         (JSC::WeakMapImpl::addInternal):
1758         (JSC::WeakMapImpl::findBucketAlreadyHashed):
1759         (JSC::WeakMapImpl::rehash):
1760         (JSC::WeakMapImpl::checkConsistency const):
1761         (JSC::WeakMapImpl::makeAndSetNewBuffer):
1762         (JSC::WeakMapImpl::assertBufferIsEmpty const):
1763         (JSC::WeakMapImpl::DeadKeyCleaner::target):
1764         * runtime/WeakMapPrototype.cpp:
1765         (JSC::WeakMapPrototype::finishCreation):
1766         (JSC::protoFuncWeakMapGet):
1767         (JSC::protoFuncWeakMapHas):
1768         * runtime/WeakSetConstructor.cpp:
1769         (JSC::constructWeakSet):
1770         * runtime/WeakSetPrototype.cpp:
1771         (JSC::WeakSetPrototype::finishCreation):
1772         (JSC::protoFuncWeakSetHas):
1773         (JSC::protoFuncWeakSetAdd):
1774
1775 2017-12-11  Filip Pizlo  <fpizlo@apple.com>
1776
1777         It should be possible to flag a cell for unconditional finalization
1778         https://bugs.webkit.org/show_bug.cgi?id=180636
1779
1780         Reviewed by Saam Barati.
1781         
1782         UnconditionalFinalizers were annoying - you had to allocate them and you had to manage a
1783         global linked list - but they had some nice properties:
1784         
1785         - You only did the hardest work (creating the UnconditionalFinalizer) on first GC where you
1786           survived and needed it.
1787             -> Just needing it wasn't enough.
1788             -> Just surviving wasn't enough.
1789         
1790         The new API based on IsoSubspaces meant that just surviving was enough to cause unconditional
1791         finalizer logic to be invoked. I think that's not great. InferredType got around this by
1792         making InferredStructure a cell, but this was a gross hack. For one, it meant that
1793         InferredStructure would survive during the GC in which its finalizer obviated the need for its
1794         existence. It's not really an idiom I want us to repeat because it sounds like the sort of
1795         thing that turns out to be subtly broken.
1796         
1797         We really need to have a way of indicating when you have entered into the state that requires
1798         your unconditional finalizer to be invoked. Basically, we want to be able to track the set of
1799         objects that need unconditional finalizers. Only the subset of that set that overlaps with the
1800         set of marked objects needs to be accurate. The easiest way to do this is a hierarchy of
1801         bitvectors: one to say which MarkedBlocks have objects that have unconditional finalizers, and
1802         another level to say which atoms within a MarkedBlock have unconditional finalizers.
1803         
1804         This change introduces IsoCellSet, which couples itself to the MarkedAllocator of some
1805         IsoSubspace to allow maintaining a set of objects (well, cells - you could do this with
1806         auxiliaries) that belong to that IsoSubspace. It'll have undefined behavior if you try to
1807         add/remove/contains an object that isn't in that IsoSubspace. For objects in that subspace,
1808         you can add/remove/contains and forEachMarkedCell. The cost of each IsoCellSet is at worst
1809         about 0.8% increase in size to every object in the subspace that the set is attached to. So,
1810         it makes sense to have a handful per subspace max. This change only needs one per subspace,
1811         but you could imagine more if we do this for WeakReferenceHarvester.
1812         
1813         To absolutely minimize the possibility that this incurs costs, the add/remove/contains
1814         functions can be used from any thread so long as forEachMarkedCell isn't running. This means
1815         that InferredType only needs to add itself to the set during visitChildren. Thus, it needs to
1816         both survive and need it for the hardest work to take place. The work of adding does involve
1817         a gnarly load chain that ends in a CAS: load block handle from block, load index, load
1818         segment, load bitvector, load bit -> if not set, then CAS. That's five dependent loads!
1819         However, it's perfect for running in parallel since the only write operations are to widely
1820         dispersed cache lines that contain the bits underlying the set.
1821         
1822         The best part is how forEachMarkedCell works. That skips blocks that don't have any objects
1823         that need unconditional finalizers, and only touches the memory of marked objects that have
1824         the unconditional finalizer bit set. It will walk those objects in roughly address order. I
1825         previously found that this speeds up walking over a lot of objects when I made similar changes
1826         for DOM GC (calling visitAdditionalChildren via forEachMarkedCell rather than by walking a
1827         HashSet).
1828         
1829         This change makes InferredStructure be a malloc object again, but now it's in an IsoHeap.
1830         
1831         My expectation for this change is that it's perf-neutral. Long-term, it gives us a path
1832         forward for eliminating UnconditionalFinalizer and WeakReferenceHarvester while using
1833         IsoSubspace in more places.
1834
1835         * JavaScriptCore.xcodeproj/project.pbxproj:
1836         * Sources.txt:
1837         * heap/AtomIndices.h: Added.
1838         (JSC::AtomIndices::AtomIndices):
1839         * heap/Heap.cpp:
1840         (JSC::Heap::finalizeUnconditionalFinalizers):
1841         * heap/Heap.h:
1842         * heap/IsoCellSet.cpp: Added.
1843         (JSC::IsoCellSet::IsoCellSet):
1844         (JSC::IsoCellSet::~IsoCellSet):
1845         (JSC::IsoCellSet::addSlow):
1846         (JSC::IsoCellSet::didResizeBits):
1847         (JSC::IsoCellSet::didRemoveBlock):
1848         (JSC::IsoCellSet::sweepToFreeList):
1849         * heap/IsoCellSet.h: Added.
1850         * heap/IsoCellSetInlines.h: Added.
1851         (JSC::IsoCellSet::add):
1852         (JSC::IsoCellSet::remove):
1853         (JSC::IsoCellSet::contains const):
1854         (JSC::IsoCellSet::forEachMarkedCell):
1855         * heap/IsoSubspace.cpp:
1856         (JSC::IsoSubspace::didResizeBits):
1857         (JSC::IsoSubspace::didRemoveBlock):
1858         (JSC::IsoSubspace::didBeginSweepingToFreeList):
1859         * heap/IsoSubspace.h:
1860         * heap/MarkedAllocator.cpp:
1861         (JSC::MarkedAllocator::addBlock):
1862         (JSC::MarkedAllocator::removeBlock):
1863         * heap/MarkedAllocator.h:
1864         * heap/MarkedAllocatorInlines.h:
1865         * heap/MarkedBlock.cpp:
1866         (JSC::MarkedBlock::Handle::sweep):
1867         (JSC::MarkedBlock::Handle::isEmpty): Deleted.
1868         * heap/MarkedBlock.h:
1869         (JSC::MarkedBlock::marks const):
1870         (JSC::MarkedBlock::Handle::newlyAllocated const):
1871         * heap/MarkedBlockInlines.h:
1872         (JSC::MarkedBlock::Handle::isAllocated):
1873         (JSC::MarkedBlock::Handle::isEmpty):
1874         (JSC::MarkedBlock::Handle::emptyMode):
1875         (JSC::MarkedBlock::Handle::forEachMarkedCell):
1876         * heap/Subspace.cpp:
1877         (JSC::Subspace::didResizeBits):
1878         (JSC::Subspace::didRemoveBlock):
1879         (JSC::Subspace::didBeginSweepingToFreeList):
1880         * heap/Subspace.h:
1881         * heap/SubspaceInlines.h:
1882         (JSC::Subspace::forEachMarkedCell):
1883         * runtime/InferredStructure.cpp:
1884         (JSC::InferredStructure::InferredStructure):
1885         (JSC::InferredStructure::create): Deleted.
1886         (JSC::InferredStructure::destroy): Deleted.
1887         (JSC::InferredStructure::createStructure): Deleted.
1888         (JSC::InferredStructure::visitChildren): Deleted.
1889         (JSC::InferredStructure::finalizeUnconditionally): Deleted.
1890         (JSC::InferredStructure::finishCreation): Deleted.
1891         * runtime/InferredStructure.h:
1892         * runtime/InferredStructureWatchpoint.cpp:
1893         (JSC::InferredStructureWatchpoint::fireInternal):
1894         * runtime/InferredType.cpp:
1895         (JSC::InferredType::visitChildren):
1896         (JSC::InferredType::willStoreValueSlow):
1897         (JSC::InferredType::makeTopSlow):
1898         (JSC::InferredType::set):
1899         (JSC::InferredType::removeStructure):
1900         (JSC::InferredType::finalizeUnconditionally):
1901         * runtime/InferredType.h:
1902         * runtime/VM.cpp:
1903         (JSC::VM::VM):
1904         * runtime/VM.h:
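
        The hierarchy of bitvectors described above, as an added illustrative model (not JavaScriptCore's IsoCellSet or MarkedBlock code): one word of per-atom bits per block plus one bit per block, with add/remove/contains usable concurrently and forEachMarkedCell touching only marked cells in blocks that have set bits. Block, CellSet, kAtomSize, demoVisitedCells and demoRemoveClearsMembership are hypothetical names, and an atomic fetch_or stands in for the CAS the entry mentions.

```cpp
// Added illustrative model of the two-level bitvector set described above.
// Block, CellSet and kAtomSize are hypothetical names; this is not
// JavaScriptCore's IsoCellSet code, and fetch_or stands in for its CAS.
#include <atomic>
#include <cstddef>
#include <cstdint>
#include <functional>
#include <vector>

constexpr uintptr_t kAtomSize = 16;  // bytes per atom (model size); 64 atoms per block

// Stand-in for a MarkedBlock: a base address plus the collector's mark bits.
struct Block {
    explicit Block(uintptr_t b) : base(b) {}
    uintptr_t base;      // address of atom 0 (constructed value)
    uint64_t marks = 0;  // bit i set when atom i survived the current GC
};

// Lower level: one word of "needs unconditional finalization" bits per block.
// Upper level: one bit per block saying whether that block has any such bits.
class CellSet {
public:
    explicit CellSet(std::vector<Block>& blocks)
        : m_blocks(blocks), m_lower(blocks.size()), m_upper((blocks.size() + 63) / 64)
    {
        for (auto& w : m_lower) w.store(0);
        for (auto& w : m_upper) w.store(0);
    }

    // Usable from any thread while forEachMarkedCell is not running: the only
    // writes are atomic OR/AND on single words, so concurrent adders never conflict.
    void add(size_t block, size_t atom)
    {
        uint64_t bit = uint64_t(1) << atom;
        if (m_lower[block].fetch_or(bit) & bit)
            return;  // already present, so the upper-level bit is already set
        m_upper[block / 64].fetch_or(uint64_t(1) << (block % 64));
    }

    // Removal clears only the lower bit; the upper bit stays set conservatively
    // and forEachMarkedCell re-reads the lower word, so there is no cross-level race.
    void remove(size_t block, size_t atom) { m_lower[block].fetch_and(~(uint64_t(1) << atom)); }

    bool contains(size_t block, size_t atom) const { return ((m_lower[block].load() >> atom) & 1) != 0; }

    // Visit cells that are both marked and in the set, block by block and atom by
    // atom (address order); blocks with no set bits are never touched.
    void forEachMarkedCell(const std::function<void(uintptr_t)>& func) const
    {
        for (size_t u = 0; u < m_upper.size(); ++u) {
            uint64_t blockBits = m_upper[u].load();
            while (blockBits) {
                size_t block = u * 64 + __builtin_ctzll(blockBits);
                blockBits &= blockBits - 1;  // clear the lowest set bit
                uint64_t live = m_lower[block].load() & m_blocks[block].marks;
                while (live) {
                    size_t atom = __builtin_ctzll(live);
                    live &= live - 1;
                    func(m_blocks[block].base + atom * kAtomSize);
                }
            }
        }
    }

private:
    std::vector<Block>& m_blocks;
    std::vector<std::atomic<uint64_t>> m_lower;
    std::vector<std::atomic<uint64_t>> m_upper;
};

// Demo: three blocks, five cells flagged for finalization, only some of them
// marked. Returns the addresses forEachMarkedCell visits, in visiting order.
std::vector<uintptr_t> demoVisitedCells()
{
    std::vector<Block> blocks = { Block(0x1000), Block(0x2000), Block(0x3000) };  // constructed
    CellSet set(blocks);
    set.add(0, 5);
    set.add(0, 2);
    set.add(2, 7);
    set.add(2, 0);
    set.add(1, 3);
    set.remove(1, 3);                          // block 1 ends up with no set bits
    blocks[0].marks = uint64_t(1) << 5;        // atom 2 of block 0 died: skipped
    blocks[2].marks = (uint64_t(1) << 7) | 1;  // both block 2 cells survived
    std::vector<uintptr_t> out;
    set.forEachMarkedCell([&](uintptr_t addr) { out.push_back(addr); });
    return out;  // {0x1050, 0x3000, 0x3070}
}

// Demo: a removed cell no longer reports as contained.
bool demoRemoveClearsMembership()
{
    std::vector<Block> blocks = { Block(0x4000) };  // constructed
    CellSet set(blocks);
    set.add(0, 9);
    bool wasPresent = set.contains(0, 9);
    set.remove(0, 9);
    return wasPresent && !set.contains(0, 9);
}
```

        Block 1's upper-level bit stays set after the remove in the demo, which is why forEachMarkedCell re-reads the lower word before touching any cell of a block.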
1905
1906 2017-12-12  Saam Barati  <sbarati@apple.com>
1907
1908         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
1909         https://bugs.webkit.org/show_bug.cgi?id=180723
1910         <rdar://problem/35859726>
1911
1912         Reviewed by JF Bastien.
1913
1914         * dfg/DFGConstantFoldingPhase.cpp:
1915         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1916
1917 2017-12-04  Brian Burg  <bburg@apple.com>
1918
1919         Web Inspector: modernize InjectedScript a bit
1920         https://bugs.webkit.org/show_bug.cgi?id=180367
1921
1922         Reviewed by Timothy Hatcher.
1923
1924         Stop using out parameters passed by pointer, use references instead.
1925         Stop using OptOutput<T> in favor of std::optional where possible.
1926         If there is only one out-parameter and a void return type, then return the value.
1927
1928         * inspector/InjectedScript.h:
1929         * inspector/InjectedScript.cpp:
1930         (Inspector::InjectedScript::evaluate):
1931         (Inspector::InjectedScript::callFunctionOn):
1932         (Inspector::InjectedScript::evaluateOnCallFrame):
1933         (Inspector::InjectedScript::getFunctionDetails):
1934         (Inspector::InjectedScript::functionDetails):
1935         (Inspector::InjectedScript::getPreview):
1936         (Inspector::InjectedScript::getProperties):
1937         (Inspector::InjectedScript::getDisplayableProperties):
1938         (Inspector::InjectedScript::getInternalProperties):
1939         (Inspector::InjectedScript::getCollectionEntries):
1940         (Inspector::InjectedScript::saveResult):
1941         (Inspector::InjectedScript::setExceptionValue):
1942         (Inspector::InjectedScript::clearExceptionValue):
1943         (Inspector::InjectedScript::inspectObject):
1944         (Inspector::InjectedScript::releaseObject):
1945
1946         * inspector/InjectedScriptBase.h:
1947         * inspector/InjectedScriptBase.cpp:
1948         (Inspector::InjectedScriptBase::InjectedScriptBase):
1949         Declare m_environment with a default initializer.
1950
1951         (Inspector::InjectedScriptBase::makeCall):
1952         (Inspector::InjectedScriptBase::makeEvalCall):
1953         Just return the result, no need for an out-parameter.
1954         Rearrange some code paths now that we can just return a result.
1955         Return a Ref<JSON::Value> since it is either a result value or error value.
1956         Use out_ prefixes in a few places to improve readability.
1957
1958         * inspector/agents/InspectorDebuggerAgent.cpp:
1959         (Inspector::InspectorDebuggerAgent::getFunctionDetails):
1960         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
1961         * inspector/agents/InspectorHeapAgent.cpp:
1962         (Inspector::InspectorHeapAgent::getPreview):
1963         * inspector/agents/InspectorRuntimeAgent.cpp:
1964         (Inspector::InspectorRuntimeAgent::evaluate):
1965         (Inspector::InspectorRuntimeAgent::callFunctionOn):
1966         (Inspector::InspectorRuntimeAgent::getPreview):
1967         (Inspector::InspectorRuntimeAgent::getProperties):
1968         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
1969         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
1970         (Inspector::InspectorRuntimeAgent::saveResult):
1971         Adapt to InjectedScript changes. In some cases we need to bridge OptOutput<T>
1972         and std::optional until the former is removed from generated method signatures.
1973
1974 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
1975
1976         [ESNext][BigInt] Implement BigInt literals and JSBigInt
1977         https://bugs.webkit.org/show_bug.cgi?id=179000
1978
1979         Reviewed by Darin Adler and Yusuke Suzuki.
1980
1981         This patch starts the implementation of BigInt primitive on
1982         JavaScriptCore. We are introducing BigInt primitive and
1983         implementing it on JSBigInt as a subclass of JSCell with [[BigIntData]]
1984         field implemented contiguously in memory as inline storage of JSBigInt to
1985         take advantage of the performance benefit of cache locality. The
1986         implementation allows 64 or 32 bitwise arithmetic operations.
1987         JSBigInt also has m_sign to store the sign of [[BigIntData]] and
1988         m_length that keeps track of BigInt length.
1989         The implementation is following the V8 one. [[BigIntData]] is manipulated
1990         by JSBigInt::setDigit(index, value) and JSBigInt::digit(index) operations.
1991         We also have some operations to support arithmetics over digits.
1992
1993         It is important to notice that on our representation,
1994         JSBigInt::dataStorage()[0] represents the least significant digit and
1995         JSBigInt::dataStorage()[m_length - 1] represents the most significant digit.
1996
1997         We are also introducing into this Patch the BigInt literals lexer and
1998         syntax parsing support. The operation Strict Equals on BigInts is also being
1999         implemented to enable tests.
2000         These features are being implemented behind a runtime flag "--useBigInt" and
2001         are disabled by default.
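
        The digit layout described above, as an added illustrative model (not JavaScriptCore's JSBigInt code): little-endian 32-bit digits with index 0 least significant, an m_sign flag and an m_length count, parsing by repeated inplaceMultiplyAdd, decimal rendering, and strict equality. BigIntModel, parseDecimal, roundTrip, digitCount and strictEqualsText are hypothetical names, 32-bit digits are an assumption, and the digits live in a std::vector rather than in the cell's inline storage.

```cpp
// Added model of the digit layout described above: little-endian 32-bit digits
// (index 0 least significant), an m_sign flag and an m_length count. BigIntModel,
// parseDecimal and the helpers are hypothetical names; this is not JavaScriptCore's
// JSBigInt code, and the digits live in a std::vector rather than inline storage.
#include <cstdint>
#include <string>
#include <vector>

class BigIntModel {
public:
    using Digit = uint32_t;
    static constexpr int digitBits = 32;

    static BigIntModel createZero() { return BigIntModel(); }

    // Parse an optional '-' followed by decimal digits; false on malformed input.
    static bool parseDecimal(const std::string& text, BigIntModel& out)
    {
        out = createZero();
        size_t i = 0;
        bool negative = false;
        if (i < text.size() && text[i] == '-') { negative = true; ++i; }
        if (i == text.size()) return false;
        for (; i < text.size(); ++i) {
            if (text[i] < '0' || text[i] > '9') return false;
            out.inplaceMultiplyAdd(10, Digit(text[i] - '0'));
        }
        out.m_sign = negative && !out.isZero();  // "-0" normalises to zero
        return true;
    }

    // this = this * factor + summand, carrying from the least significant digit up.
    void inplaceMultiplyAdd(Digit factor, Digit summand)
    {
        uint64_t carry = summand;
        for (size_t i = 0; i < m_length; ++i) {
            uint64_t product = uint64_t(digit(i)) * factor + carry;
            setDigit(i, Digit(product));   // low 32 bits stay in this digit
            carry = product >> digitBits;  // high bits move up to the next digit
        }
        if (carry) {                       // grow by one digit when needed
            m_digits.push_back(Digit(carry));
            ++m_length;
        }
    }

    // Decimal rendering by repeated division by 10 over a working copy.
    std::string toString() const
    {
        if (isZero()) return "0";
        BigIntModel work = *this;
        std::string reversed;
        while (!work.isZero()) {
            uint64_t remainder = 0;
            for (size_t i = work.m_length; i-- > 0;) {  // most significant first
                uint64_t cur = (remainder << digitBits) | work.digit(i);
                work.setDigit(i, Digit(cur / 10));
                remainder = cur % 10;
            }
            while (work.m_length && work.digit(work.m_length - 1) == 0) {
                work.m_digits.pop_back();  // drop leading zero digits
                --work.m_length;
            }
            reversed.push_back(char('0' + remainder));
        }
        if (m_sign) reversed.push_back('-');
        return std::string(reversed.rbegin(), reversed.rend());
    }

    // Strict equality: same sign and the same digits (so the same length too).
    bool strictEquals(const BigIntModel& other) const
    {
        return m_sign == other.m_sign && m_digits == other.m_digits;
    }

    bool isZero() const { return m_length == 0; }
    size_t length() const { return m_length; }
    Digit digit(size_t index) const { return m_digits[index]; }
    void setDigit(size_t index, Digit value) { m_digits[index] = value; }

private:
    bool m_sign = false;          // true for negative values
    size_t m_length = 0;          // digits in use
    std::vector<Digit> m_digits;  // m_digits[0] is the least significant digit
};

// Helpers for exercising the model: parse, then render back ("" if malformed).
std::string roundTrip(const std::string& t) { BigIntModel v; return BigIntModel::parseDecimal(t, v) ? v.toString() : ""; }
size_t digitCount(const std::string& t) { BigIntModel v; return BigIntModel::parseDecimal(t, v) ? v.length() : 0; }
bool strictEqualsText(const std::string& a, const std::string& b)
{
    BigIntModel x, y;
    return BigIntModel::parseDecimal(a, x) && BigIntModel::parseDecimal(b, y) && x.strictEquals(y);
}
```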
2002
2003         * JavaScriptCore.xcodeproj/project.pbxproj:
2004         * Sources.txt:
2005         * bytecode/CodeBlock.cpp:
2006         * bytecompiler/BytecodeGenerator.cpp:
2007         (JSC::BytecodeGenerator::emitEqualityOp):
2008         (JSC::BytecodeGenerator::addBigIntConstant):
2009         * bytecompiler/BytecodeGenerator.h:
2010         (JSC::BytecodeGenerator::BigIntEntryHash::hash):
2011         (JSC::BytecodeGenerator::BigIntEntryHash::equal):
2012         * bytecompiler/NodesCodegen.cpp:
2013         (JSC::BigIntNode::jsValue const):
2014         * dfg/DFGAbstractInterpreterInlines.h:
2015         (JSC::DFG::isToThisAnIdentity):
2016         * interpreter/Interpreter.cpp:
2017         (JSC::sizeOfVarargs):
2018         * llint/LLIntData.cpp:
2019         (JSC::LLInt::Data::performAssertions):
2020         * llint/LowLevelInterpreter.asm:
2021         * parser/ASTBuilder.h:
2022         (JSC::ASTBuilder::createBigInt):
2023         * parser/Lexer.cpp:
2024         (JSC::Lexer<T>::parseBinary):
2025         (JSC::Lexer<T>::parseOctal):
2026         (JSC::Lexer<T>::parseDecimal):
2027         (JSC::Lexer<T>::lex):
2028         (JSC::Lexer<T>::parseHex): Deleted.
2029         * parser/Lexer.h:
2030         * parser/NodeConstructors.h:
2031         (JSC::BigIntNode::BigIntNode):
2032         * parser/Nodes.h:
2033         (JSC::ExpressionNode::isBigInt const):
2034         (JSC::BigIntNode::value):
2035         * parser/Parser.cpp:
2036         (JSC::Parser<LexerType>::parsePrimaryExpression):
2037         * parser/ParserTokens.h:
2038         * parser/ResultType.h:
2039         (JSC::ResultType::definitelyIsBigInt const):
2040         (JSC::ResultType::mightBeBigInt const):
2041         (JSC::ResultType::isNotBigInt const):
2042         (JSC::ResultType::addResultType):
2043         (JSC::ResultType::bigIntType):
2044         (JSC::ResultType::forAdd):
2045         (JSC::ResultType::forLogicalOp):
2046         * parser/SyntaxChecker.h:
2047         (JSC::SyntaxChecker::createBigInt):
2048         * runtime/CommonIdentifiers.h:
2049         * runtime/JSBigInt.cpp: Added.
2050         (JSC::JSBigInt::visitChildren):
2051         (JSC::JSBigInt::JSBigInt):
2052         (JSC::JSBigInt::initialize):
2053         (JSC::JSBigInt::createStructure):
2054         (JSC::JSBigInt::createZero):
2055         (JSC::JSBigInt::allocationSize):
2056         (JSC::JSBigInt::createWithLength):
2057         (JSC::JSBigInt::finishCreation):
2058         (JSC::JSBigInt::toPrimitive const):
2059         (JSC::JSBigInt::singleDigitValueForString):
2060         (JSC::JSBigInt::parseInt):
2061         (JSC::JSBigInt::toString):
2062         (JSC::JSBigInt::isZero):
2063         (JSC::JSBigInt::inplaceMultiplyAdd):
2064         (JSC::JSBigInt::digitAdd):
2065         (JSC::JSBigInt::digitSub):
2066         (JSC::JSBigInt::digitMul):
2067         (JSC::JSBigInt::digitPow):
2068         (JSC::JSBigInt::digitDiv):
2069         (JSC::JSBigInt::internalMultiplyAdd):
2070         (JSC::JSBigInt::equalToBigInt):
2071         (JSC::JSBigInt::absoluteDivSmall):
2072         (JSC::JSBigInt::calculateMaximumCharactersRequired):
2073         (JSC::JSBigInt::toStringGeneric):
2074         (JSC::JSBigInt::rightTrim):
2075         (JSC::JSBigInt::allocateFor):
2076         (JSC::JSBigInt::estimatedSize):
2077         (JSC::JSBigInt::toNumber const):
2078         (JSC::JSBigInt::getPrimitiveNumber const):
2079         * runtime/JSBigInt.h: Added.
2080         (JSC::JSBigInt::setSign):
2081         (JSC::JSBigInt::sign const):
2082         (JSC::JSBigInt::setLength):
2083         (JSC::JSBigInt::length const):
2084         (JSC::JSBigInt::parseInt):
2085         (JSC::JSBigInt::offsetOfData):
2086         (JSC::JSBigInt::dataStorage):
2087         (JSC::JSBigInt::digit):
2088         (JSC::JSBigInt::setDigit):
2089         (JSC::asBigInt):
2090         * runtime/JSCJSValue.cpp:
2091         (JSC::JSValue::synthesizePrototype const):
2092         (JSC::JSValue::toStringSlowCase const):
2093         * runtime/JSCJSValue.h:
2094         * runtime/JSCJSValueInlines.h:
2095         (JSC::JSValue::isBigInt const):
2096         (JSC::JSValue::strictEqualSlowCaseInline):
2097         * runtime/JSCell.cpp:
2098         (JSC::JSCell::put):
2099         (JSC::JSCell::putByIndex):
2100         (JSC::JSCell::toPrimitive const):
2101         (JSC::JSCell::getPrimitiveNumber const):
2102         (JSC::JSCell::toNumber const):
2103         (JSC::JSCell::toObjectSlow const):
2104         * runtime/JSCell.h:
2105         * runtime/JSCellInlines.h:
2106         (JSC::JSCell::isBigInt const):
2107         * runtime/JSType.h:
2108         * runtime/MathCommon.h:
2109         (JSC::clz64):
2110         * runtime/NumberPrototype.cpp:
2111         * runtime/Operations.cpp:
2112         (JSC::jsTypeStringForValue):
2113         (JSC::jsIsObjectTypeOrNull):
2114         * runtime/Options.h:
2115         * runtime/ParseInt.h:
2116         * runtime/SmallStrings.h:
2117         (JSC::SmallStrings::typeString const):
2118         * runtime/StructureInlines.h:
2119         (JSC::prototypeForLookupPrimitiveImpl):
2120         * runtime/TypeofType.cpp:
2121         (WTF::printInternal):
2122         * runtime/TypeofType.h:
2123         * runtime/VM.cpp:
2124         (JSC::VM::VM):
2125         * runtime/VM.h:
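
        The representation this entry describes, as an added C++ example that is not
        JavaScriptCore's JSBigInt code: a sign flag, a digit count and a contiguous
        little-endian digit array, together with the decimal parse, toString and
        strict-equality operations the file list names. ToyBigInt and its helper
        functions are hypothetical names for this illustration; it assumes 32-bit digits
        with 64-bit intermediates, and the input strings in its self-check are constructed.

```cpp
// Added example, not JavaScriptCore's JSBigInt: a toy arbitrary-precision integer
// with the representation the entry describes (sign flag plus contiguous
// little-endian digits, digit(0) least significant). Names are this example's own.
#include <algorithm>
#include <cstdint>
#include <string>
#include <vector>

struct ToyBigInt {
    using Digit = uint32_t;     // 32-bit digits, 64-bit intermediates (assumed)
    bool sign = false;          // true means negative (the entry's m_sign)
    std::vector<Digit> digits;  // digits[0] is least significant (the entry's inline storage)

    size_t length() const { return digits.size(); }
    Digit digit(size_t i) const { return digits[i]; }
    bool isZero() const { return digits.empty(); }

    // Drop most-significant zero digits so equal values have equal lengths; this
    // is what makes the length comparison in equalToBigInt valid. -0 becomes 0.
    void rightTrim() {
        while (!digits.empty() && digits.back() == 0)
            digits.pop_back();
        if (digits.empty())
            sign = false;
    }
    // this = this * factor + summand, carrying upward from the least significant
    // digit; the core step of decimal parsing.
    void inplaceMultiplyAdd(Digit factor, Digit summand) {
        uint64_t carry = summand;
        for (size_t i = 0; i < digits.size(); ++i) {
            uint64_t product = uint64_t(digits[i]) * factor + carry;
            digits[i] = Digit(product);
            carry = product >> 32;
        }
        if (carry)
            digits.push_back(Digit(carry));
    }
    // |this| /= divisor in place, walking down from the most significant digit;
    // returns the remainder. The core step of toString.
    Digit absoluteDivSmall(Digit divisor) {
        uint64_t remainder = 0;
        for (size_t i = digits.size(); i-- > 0;) {
            uint64_t current = (remainder << 32) | digits[i];
            digits[i] = Digit(current / divisor);
            remainder = current % divisor;
        }
        rightTrim();
        return Digit(remainder);
    }
    // Parse an optionally negative decimal string; malformed input is rejected
    // rather than guessed at, which is what a lexer feeding a real parser expects.
    static bool parseDecimal(const std::string& text, ToyBigInt& out) {
        out = ToyBigInt();
        bool negative = !text.empty() && text[0] == '-';
        size_t pos = negative ? 1 : 0;
        if (pos == text.size())
            return false;
        for (; pos < text.size(); ++pos) {
            if (text[pos] < '0' || text[pos] > '9')
                return false;
            out.inplaceMultiplyAdd(10, Digit(text[pos] - '0'));
        }
        out.rightTrim();
        out.sign = negative && !out.isZero();
        return true;
    }
    std::string toString() const {
        if (isZero())
            return "0";
        ToyBigInt magnitude = *this;
        std::string text;
        while (!magnitude.isZero())
            text.push_back(char('0' + magnitude.absoluteDivSmall(10)));
        if (sign)
            text.push_back('-');
        std::reverse(text.begin(), text.end());
        return text;
    }
};

// Strict equality over the canonical (trimmed) form: same sign, same length,
// then digit by digit. Mismatched lengths short-circuit without touching digits.
inline bool equalToBigInt(const ToyBigInt& a, const ToyBigInt& b) {
    if (a.sign != b.sign || a.length() != b.length())
        return false;
    for (size_t i = 0; i < a.length(); ++i) {
        if (a.digit(i) != b.digit(i))
            return false;
    }
    return true;
}

// Self-check helpers: parse a constructed decimal string, then render or compare.
inline std::string roundTrip(const std::string& s) {
    ToyBigInt v;
    return ToyBigInt::parseDecimal(s, v) ? v.toString() : std::string("<invalid>");
}
inline bool decimalStrictEquals(const std::string& a, const std::string& b) {
    ToyBigInt x, y;
    return ToyBigInt::parseDecimal(a, x) && ToyBigInt::parseDecimal(b, y) && equalToBigInt(x, y);
}
```

        Two points the code makes concrete: rightTrim is what keeps the length
        comparison in equalToBigInt sound (an untrimmed leading zero digit would make
        equal values compare unequal), and parseDecimal refuses malformed input instead
        of stopping early, which is the contract the lexer relies on when it hands a
        BigInt literal to the runtime.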
2126
2127 2017-12-12  Guillaume Emont  <guijemont@igalia.com>
2128
2129         LLInt: reserve 16 bytes of stack on MIPS for native calls
2130         https://bugs.webkit.org/show_bug.cgi?id=180653
2131
2132         Reviewed by Carlos Alberto Lopez Perez.
2133
2134         * llint/LowLevelInterpreter32_64.asm:
2135         On MIPS, subtract 24 from the stack pointer (16 for calling
2136         convention + 8 to be 16-aligned) instead of the 8 on other platforms
2137         (for alignment).
2138
2139 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2140
2141         [WTF] Thread::create should have Thread::tryCreate
2142         https://bugs.webkit.org/show_bug.cgi?id=180333
2143
2144         Reviewed by Darin Adler.
2145
2146         * assembler/testmasm.cpp:
2147         (JSC::run):
2148         * b3/air/testair.cpp:
2149         * b3/testb3.cpp:
2150         (JSC::B3::run):
2151         * jsc.cpp:
2152         (functionDollarAgentStart):
2153
2154 2017-12-11  Michael Saboff  <msaboff@apple.com>
2155
2156         REGRESSION(r225683): Chakra test failure in es6/regex-unicode.js for 32bit builds
2157         https://bugs.webkit.org/show_bug.cgi?id=180685
2158
2159         Reviewed by Saam Barati.
2160
2161         The characterClass->m_anyCharacter check at the top of checkCharacterClass() caused
2162         the character class check to return true without reading the character.  Given that
2163         the character could be a surrogate pair, we need to read the character even if we
2164         don't have to check it.
2165
2166         * yarr/YarrInterpreter.cpp:
2167         (JSC::Yarr::Interpreter::testCharacterClass):
2168         (JSC::Yarr::Interpreter::checkCharacterClass):
2169
2170 2017-12-11  Saam Barati  <sbarati@apple.com>
2171
2172         We need to disableCaching() in ErrorInstance when we materialize properties
2173         https://bugs.webkit.org/show_bug.cgi?id=180343
2174         <rdar://problem/35833002>
2175
2176         Reviewed by Mark Lam.
2177
2178         This patch fixes a bug in ErrorInstance where we forgot to call PutPropertySlot::disableCaching
2179         on puts() to a property that we lazily materialized. Forgetting to do this goes against the
2180         PutPropertySlot's caching API. This lazy materialization caused the ErrorInstance to transition
2181         from a Structure A to a Structure B. However, we were telling the IC that we were caching an
2182         existing property only found on Structure B. This is obviously wrong as it would lead to an
2183         OOB store if we didn't already crash when generating the IC.
2184
2185         * jit/Repatch.cpp:
2186         (JSC::tryCachePutByID):
2187         * runtime/ErrorInstance.cpp:
2188         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
2189         (JSC::ErrorInstance::put):
2190         * runtime/ErrorInstance.h:
2191         * runtime/Structure.cpp:
2192         (JSC::Structure::didCachePropertyReplacement):
2193
2194 2017-12-11  Fujii Hironori  <Hironori.Fujii@sony.com>
2195
2196         [WinCairo] DLLLauncherMain should use SetDllDirectory
2197         https://bugs.webkit.org/show_bug.cgi?id=180642
2198
2199         Reviewed by Alex Christensen.
2200
2201         Windows has icuuc.dll in the system directory. WebKit should find
2202         one in WebKitLibraries directory, not one in the system directory.
2203
2204         * shell/DLLLauncherMain.cpp:
2205         (modifyPath): Use SetDllDirectory for WebKitLibraries directory instead of modifying path.
2206
2207 2017-12-11  Eric Carlson  <eric.carlson@apple.com>
2208
2209         Web Inspector: Optionally log WebKit log parameters as JSON
2210         https://bugs.webkit.org/show_bug.cgi?id=180529
2211         <rdar://problem/35909462>
2212
2213         Reviewed by Joseph Pecoraro.
2214
2215         * inspector/ConsoleMessage.cpp:
2216         (Inspector::ConsoleMessage::ConsoleMessage): New constructor that takes a vector of JSON log
2217         values. Concatenate all adjacent strings to make logging cleaner.
2218         (Inspector::ConsoleMessage::addToFrontend): Process WebKit logging arguments.
2219         (Inspector::ConsoleMessage::scriptState const):
2220         * inspector/ConsoleMessage.h:
2221
2222         * inspector/InjectedScript.cpp:
2223         (Inspector::InjectedScript::wrapJSONString const): Wrap JSON string log arguments.
2224         * inspector/InjectedScript.h:
2225         * inspector/InjectedScriptSource.js:
2226         (let.InjectedScript.prototype.wrapJSONString):
2227
2228 2017-12-11  Joseph Pecoraro  <pecoraro@apple.com>
2229
2230         Remove unused builtin names
2231         https://bugs.webkit.org/show_bug.cgi?id=180673
2232
2233         Reviewed by Keith Miller.
2234
2235         * builtins/BuiltinNames.h:
2236
2237 2017-12-11  David Quesada  <david_quesada@apple.com>
2238
2239         Turn on ENABLE_APPLICATION_MANIFEST
2240         https://bugs.webkit.org/show_bug.cgi?id=180562
2241         rdar://problem/35924737
2242
2243         Reviewed by Geoffrey Garen.
2244
2245         * Configurations/FeatureDefines.xcconfig:
2246
2247 2017-12-10  Filip Pizlo  <fpizlo@apple.com>
2248
2249         Harden a few assertions in GC sweep
2250         https://bugs.webkit.org/show_bug.cgi?id=180634
2251
2252         Reviewed by Saam Barati.
2253         
2254         This turns one dynamic check into a release assertion and upgrades another assertion to a release
2255         assertion.
2256
2257         * heap/MarkedBlock.cpp:
2258         (JSC::MarkedBlock::Handle::sweep):
2259
2260 2017-12-10  Konstantin Tokarev  <annulen@yandex.ru>
2261
2262         [python] Modernize "except" usage for python3 compatibility
2263         https://bugs.webkit.org/show_bug.cgi?id=180612
2264
2265         Reviewed by Michael Catanzaro.
2266
2267         * inspector/scripts/generate-inspector-protocol-bindings.py:
2268
2269 2017-12-05  Filip Pizlo  <fpizlo@apple.com>
2270
2271         InferredType should not use UnconditionalFinalizer
2272         https://bugs.webkit.org/show_bug.cgi?id=180456
2273
2274         Reviewed by Saam Barati.
2275         
2276         This turns InferredStructure into a cell so that we can unconditionally finalize them without
2277         having to add things to the UnconditionalFinalizer list. I'm removing all uses of
2278         UnconditionalFinalizers and WeakReferenceHarvesters because the data structures used to manage
2279         them are a top cause of lock contention in the parallel GC. Also, we don't need those data
2280         structures if we use IsoSubspaces, subspace iteration, and marking constraints.
2281
2282         * JavaScriptCore.xcodeproj/project.pbxproj:
2283         * Sources.txt:
2284         * heap/Heap.cpp:
2285         (JSC::Heap::finalizeUnconditionalFinalizers):
2286         * heap/Heap.h:
2287         * runtime/InferredStructure.cpp: Added.
2288         (JSC::InferredStructure::create):
2289         (JSC::InferredStructure::destroy):
2290         (JSC::InferredStructure::createStructure):
2291         (JSC::InferredStructure::visitChildren):
2292         (JSC::InferredStructure::finalizeUnconditionally):
2293         (JSC::InferredStructure::InferredStructure):
2294         (JSC::InferredStructure::finishCreation):
2295         * runtime/InferredStructure.h: Added.
2296         * runtime/InferredStructureWatchpoint.cpp: Added.
2297         (JSC::InferredStructureWatchpoint::fireInternal):
2298         * runtime/InferredStructureWatchpoint.h: Added.
2299         * runtime/InferredType.cpp:
2300         (JSC::InferredType::visitChildren):
2301         (JSC::InferredType::willStoreValueSlow):
2302         (JSC::InferredType::makeTopSlow):
2303         (JSC::InferredType::set):
2304         (JSC::InferredType::removeStructure):
2305         (JSC::InferredType::InferredStructureWatchpoint::fireInternal): Deleted.
2306         (JSC::InferredType::InferredStructureFinalizer::finalizeUnconditionally): Deleted.
2307         (JSC::InferredType::InferredStructure::InferredStructure): Deleted.
2308         * runtime/InferredType.h:
2309         * runtime/VM.cpp:
2310         (JSC::VM::VM):
2311         * runtime/VM.h:
2312
2313 2017-12-09  Konstantin Tokarev  <annulen@yandex.ru>
2314
2315         [python] Replace print >> operator with print() function for python3 compatibility
2316         https://bugs.webkit.org/show_bug.cgi?id=180611
2317
2318         Reviewed by Michael Catanzaro.
2319
2320         * Scripts/make-js-file-arrays.py:
2321         (main):
2322
2323 2017-12-08  Joseph Pecoraro  <pecoraro@apple.com>
2324
2325         ServiceWorker Inspector: Various issues inspecting service worker on mobile.twitter.com
2326         https://bugs.webkit.org/show_bug.cgi?id=180520
2327         <rdar://problem/35900764>
2328
2329         Reviewed by Brian Burg.
2330
2331         * inspector/protocol/ServiceWorker.json:
2332         Include content script content in the initialization info.
2333
2334 2017-12-08  Konstantin Tokarev  <annulen@yandex.ru>
2335
2336         [python] Replace print operator with print() function for python3 compatibility
2337         https://bugs.webkit.org/show_bug.cgi?id=180592
2338
2339         Reviewed by Michael Catanzaro.
2340
2341         * Scripts/generateYarrUnicodePropertyTables.py:
2342         (openOrExit):
2343         (verifyUCDFilesExist):
2344         (Aliases.parsePropertyAliasesFile):
2345         (Aliases.parsePropertyValueAliasesFile):
2346         * Scripts/make-js-file-arrays.py:
2347         (main):
2348         * generate-bytecode-files:
2349
2350 2017-12-08  Mark Lam  <mark.lam@apple.com>
2351
2352         Need to unpoison native function pointers for CLoop.
2353         https://bugs.webkit.org/show_bug.cgi?id=180601
2354         <rdar://problem/35942028>
2355
2356         Reviewed by JF Bastien.
2357
2358         * llint/LowLevelInterpreter64.asm:
2359
2360 2017-12-08  Michael Saboff  <msaboff@apple.com>
2361
2362         YARR: JIT RegExps with greedy parenthesized sub patterns
2363         https://bugs.webkit.org/show_bug.cgi?id=180538
2364
2365         Reviewed by JF Bastien.
2366
2367         This patch adds JIT support for regular expressions containing greedy counted
2368         parentheses.  An example expression that couldn't be JIT'ed before is /q(a|b)*q/.
2369
2370         Just like in the interpreter, expressions with nested parenthetical subpatterns
2371         require saving the results of previous matches of the parentheses contents along
2372         with any associated state.  This saved state is needed in the case that we need
2373         to backtrack.  This state is called ParenContext within the code.  Space allocated
2374         for this ParenContext is managed using a simple block allocator within the JIT'ed
2375         code.  The raw space managed by this allocator is passed into the JIT'ed function.
2376
2377         Since this fixed sized space may be exceeded, this patch adds a fallback mechanism.
2378         If the JIT'ed code exhausts all its ParenContext space, it returns a new error
2379         JSRegExpJITCodeFailure.  The caller will then bytecompile and interpret the
2380         expression.
2381
2382         Due to increased register usage by the parenthesis handling code, the use of
2383         registers by the JIT engine was restructured, with registers used for Unicode
2384         pattern matching replaced with constants.
2385
2386         Reworked some of the context structures that are used across the interpreter
2387         and JIT implementations to make them a little more uniform and to handle the
2388         needs of JIT'ing the new parentheses forms.
2389
2390         To help with development and debugging of this code, compiled patterns dumping
2391         code was enhanced.  Also added the ability to dump interpreter ByteCodes.
2392
2393         * runtime/RegExp.cpp:
2394         (JSC::byteCodeCompilePattern):
2395         (JSC::RegExp::byteCodeCompileIfNecessary):
2396         (JSC::RegExp::compile):
2397         (JSC::RegExp::compileMatchOnly):
2398         * runtime/RegExp.h:
2399         * runtime/RegExpInlines.h:
2400         (JSC::RegExp::matchInline):
2401         * testRegExp.cpp:
2402         (parseRegExpLine):
2403         (runFromFiles):
2404         * yarr/Yarr.h:
2405         * yarr/YarrInterpreter.cpp:
2406         (JSC::Yarr::ByteCompiler::compile):
2407         (JSC::Yarr::ByteCompiler::dumpDisjunction):
2408         * yarr/YarrJIT.cpp:
2409         (JSC::Yarr::YarrGenerator::ParenContextSizes::ParenContextSizes):
2410         (JSC::Yarr::YarrGenerator::ParenContextSizes::numSubpatterns):
2411         (JSC::Yarr::YarrGenerator::ParenContextSizes::frameSlots):
2412         (JSC::Yarr::YarrGenerator::ParenContext::sizeFor):
2413         (JSC::Yarr::YarrGenerator::ParenContext::nextOffset):
2414         (JSC::Yarr::YarrGenerator::ParenContext::beginOffset):
2415         (JSC::Yarr::YarrGenerator::ParenContext::matchAmountOffset):
2416         (JSC::Yarr::YarrGenerator::ParenContext::subpatternOffset):
2417         (JSC::Yarr::YarrGenerator::ParenContext::savedFrameOffset):
2418         (JSC::Yarr::YarrGenerator::initParenContextFreeList):
2419         (JSC::Yarr::YarrGenerator::allocatePatternContext):
2420         (JSC::Yarr::YarrGenerator::freePatternContext):
2421         (JSC::Yarr::YarrGenerator::savePatternContext):
2422         (JSC::Yarr::YarrGenerator::restorePatternContext):
2423         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
2424         (JSC::Yarr::YarrGenerator::storeToFrame):
2425         (JSC::Yarr::YarrGenerator::generateJITFailReturn):
2426         (JSC::Yarr::YarrGenerator::clearMatches):
2427         (JSC::Yarr::YarrGenerator::generate):
2428         (JSC::Yarr::YarrGenerator::backtrack):
2429         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
2430         (JSC::Yarr::YarrGenerator::generateEnter):
2431         (JSC::Yarr::YarrGenerator::generateReturn):
2432         (JSC::Yarr::YarrGenerator::YarrGenerator):
2433         (JSC::Yarr::YarrGenerator::compile):
2434         * yarr/YarrJIT.h:
2435         (JSC::Yarr::YarrCodeBlock::execute):
2436         * yarr/YarrPattern.cpp:
2437         (JSC::Yarr::indentForNestingLevel):
2438         (JSC::Yarr::dumpUChar32):
2439         (JSC::Yarr::dumpCharacterClass):
2440         (JSC::Yarr::PatternTerm::dump):
2441         (JSC::Yarr::YarrPattern::dumpPattern):
2442         * yarr/YarrPattern.h:
2443         (JSC::Yarr::PatternTerm::containsAnyCaptures):
2444         (JSC::Yarr::BackTrackInfoParenthesesOnce::returnAddressIndex):
2445         (JSC::Yarr::BackTrackInfoParentheses::beginIndex):
2446         (JSC::Yarr::BackTrackInfoParentheses::returnAddressIndex):
2447         (JSC::Yarr::BackTrackInfoParentheses::matchAmountIndex):
2448         (JSC::Yarr::BackTrackInfoParentheses::patternContextHeadIndex):
2449         (JSC::Yarr::BackTrackInfoAlternative::offsetIndex): Deleted.
2450
2451 2017-12-08  Joseph Pecoraro  <pecoraro@apple.com>
2452
2453         Web Inspector: CRASH at InspectorConsoleAgent::enable when iterating mutable list of buffered console messages
2454         https://bugs.webkit.org/show_bug.cgi?id=180590
2455         <rdar://problem/35882767>
2456
2457         Reviewed by Mark Lam.
2458
2459         * inspector/agents/InspectorConsoleAgent.cpp:
2460         (Inspector::InspectorConsoleAgent::enable):
2461         Swap the messages to a Vector that won't change during iteration.
2462
2463 2017-12-08  Michael Saboff  <msaboff@apple.com>
2464
2465         YARR: Coalesce constructed character classes
2466         https://bugs.webkit.org/show_bug.cgi?id=180537
2467
2468         Reviewed by JF Bastien.
2469
2470         When adding characters or character ranges to a character class being constructed,
2471         we now coalesce adjacent characters and character ranges.  When we create a
2472         character class after construction is complete, we do a final coalescing pass
2473         across the character list and ranges to catch any remaining coalescing
2474         opportunities.
2475
2476         Added an optimization for character classes that will match any character.
2477         This is somewhat common in code created before the /s (dotAll) flag was added
2478         to the engine.
2479
2480         * yarr/YarrInterpreter.cpp:
2481         (JSC::Yarr::Interpreter::checkCharacterClass):
2482         * yarr/YarrJIT.cpp:
2483         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
2484         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
2485         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
2486         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
2487         * yarr/YarrPattern.cpp:
2488         (JSC::Yarr::CharacterClassConstructor::CharacterClassConstructor):
2489         (JSC::Yarr::CharacterClassConstructor::reset):
2490         (JSC::Yarr::CharacterClassConstructor::charClass):
2491         (JSC::Yarr::CharacterClassConstructor::addSorted):
2492         (JSC::Yarr::CharacterClassConstructor::addSortedRange):
2493         (JSC::Yarr::CharacterClassConstructor::mergeRangesFrom):
2494         (JSC::Yarr::CharacterClassConstructor::coalesceTables):
2495         (JSC::Yarr::CharacterClassConstructor::anyCharacter):
2496         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassEnd):
2497         (JSC::Yarr::PatternTerm::dump):
2498         (JSC::Yarr::anycharCreate):
2499         * yarr/YarrPattern.h:
2500         (JSC::Yarr::CharacterClass::CharacterClass):
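
        The coalescing this entry describes, as an added C++ example that is not YARR's
        CharacterClassConstructor: ranges are merged as they are added, a final pass
        re-coalesces the whole sorted list once construction is complete, and the
        "matches any character" case is recognized once the class has collapsed to a
        single range. ToyCharacterClass, CodePointRange and the build helpers are this
        example's own names; the sample classes in its self-check are constructed.

```cpp
// Added example, not YARR's CharacterClassConstructor: builds a character class
// from single code points and inclusive ranges, keeps the range list sorted,
// coalesces anything adjacent or overlapping as it is added, runs a final pass
// over the whole list, and recognizes the "matches any character" case. Names
// are this example's own; the code point space is assumed to be 0..0x10FFFF.
#include <algorithm>
#include <cstdint>
#include <vector>

struct CodePointRange {
    uint32_t begin;
    uint32_t end;  // inclusive
};

class ToyCharacterClass {
public:
    static constexpr uint32_t maxCodePoint = 0x10FFFF;

    void addCharacter(uint32_t ch) { addRange(ch, ch); }

    // Insert in sorted position, then merge with the predecessor and with any
    // successors that the new range overlaps or sits directly next to.
    void addRange(uint32_t begin, uint32_t end) {
        if (begin > end)
            std::swap(begin, end);
        if (end > maxCodePoint)
            end = maxCodePoint;  // keeps a.end + 1 in touches() from overflowing
        CodePointRange incoming { begin, end };
        auto it = std::lower_bound(m_ranges.begin(), m_ranges.end(), incoming,
            [](const CodePointRange& a, const CodePointRange& b) { return a.begin < b.begin; });
        it = m_ranges.insert(it, incoming);
        if (it != m_ranges.begin() && touches(*(it - 1), *it)) {
            (it - 1)->end = std::max((it - 1)->end, it->end);
            it = m_ranges.erase(it) - 1;
        }
        while (it + 1 != m_ranges.end() && touches(*it, *(it + 1))) {
            it->end = std::max(it->end, (it + 1)->end);
            m_ranges.erase(it + 1);
        }
    }

    // Final coalescing pass once construction is complete: a single sweep over
    // the sorted list catches anything the incremental merges left behind.
    void coalesce() {
        if (m_ranges.empty())
            return;
        std::sort(m_ranges.begin(), m_ranges.end(),
            [](const CodePointRange& a, const CodePointRange& b) { return a.begin < b.begin; });
        std::vector<CodePointRange> merged { m_ranges.front() };
        for (size_t i = 1; i < m_ranges.size(); ++i) {
            if (touches(merged.back(), m_ranges[i]))
                merged.back().end = std::max(merged.back().end, m_ranges[i].end);
            else
                merged.push_back(m_ranges[i]);
        }
        m_ranges.swap(merged);
    }

    // After coalescing, "any character" is exactly one range spanning the space,
    // which lets a matcher skip the class test and simply consume one character.
    bool matchesAnyCharacter() const {
        return m_ranges.size() == 1 && m_ranges[0].begin == 0 && m_ranges[0].end == maxCodePoint;
    }

    bool contains(uint32_t ch) const {
        auto it = std::upper_bound(m_ranges.begin(), m_ranges.end(), ch,
            [](uint32_t c, const CodePointRange& r) { return c < r.begin; });
        return it != m_ranges.begin() && ch <= (it - 1)->end;
    }

    size_t rangeCount() const { return m_ranges.size(); }

private:
    // For sorted neighbours a (earlier) and b: overlap, or b starts right after a.
    static bool touches(const CodePointRange& a, const CodePointRange& b) {
        return b.begin <= a.end || b.begin == a.end + 1;
    }
    std::vector<CodePointRange> m_ranges;
};

// Constructed inputs for the self-check. The first adds pieces out of order that
// coalesce into the single range [a-g]; the second is the pre-/s idiom of two
// complementary halves that together cover every code point.
inline ToyCharacterClass buildAThroughG() {
    ToyCharacterClass cls;
    cls.addRange('a', 'c');
    cls.addCharacter('g');
    cls.addRange('d', 'f');
    cls.coalesce();
    return cls;
}
inline ToyCharacterClass buildEverything() {
    ToyCharacterClass cls;
    cls.addRange(0x10000, ToyCharacterClass::maxCodePoint);
    cls.addRange(0, 0xFFFF);
    cls.coalesce();
    return cls;
}
```

        The any-character check is only meaningful after coalescing: a class written
        as two complementary halves is two ranges until they are joined, which is why
        the detection belongs at the end of construction, where this entry places it.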
2501
2502 2017-12-07  Saam Barati  <sbarati@apple.com>
2503
2504         Modify our dollar VM clflush intrinsic to aid in some perf testing
2505         https://bugs.webkit.org/show_bug.cgi?id=180559
2506
2507         Reviewed by Mark Lam.
2508
2509         * tools/JSDollarVM.cpp:
2510         (JSC::functionCpuClflush):
2511         (JSC::functionDeltaBetweenButterflies):
2512         (JSC::JSDollarVM::finishCreation):
2513
2514 2017-12-07  Eric Carlson  <eric.carlson@apple.com>
2515
2516         Simplify log channel configuration UI
2517         https://bugs.webkit.org/show_bug.cgi?id=180527
2518         <rdar://problem/35908382>
2519
2520         Reviewed by Joseph Pecoraro.
2521
2522         * inspector/protocol/Console.json:
2523
2524 2017-12-07  Mark Lam  <mark.lam@apple.com>
2525
2526         Apply poisoning to some native code pointers.
2527         https://bugs.webkit.org/show_bug.cgi?id=180541
2528         <rdar://problem/35916875>
2529
2530         Reviewed by Filip Pizlo.
2531
2532         Renamed g_classInfoPoison to g_globalDataPoison.
2533         Renamed g_masmPoison to g_jitCodePoison.
2534         Introduced g_nativeCodePoison.
2535         Applied g_nativeCodePoison to poisoning some native code pointers.
2536
2537         Introduced non-random Int32 poison values (in JSCPoison.h) for use with pointers
2538         to malloc allocated data structures (where needed).
2539
2540         * API/JSCallbackFunction.h:
2541         (JSC::JSCallbackFunction::functionCallback):
2542         * JavaScriptCore.xcodeproj/project.pbxproj:
2543         * jit/ThunkGenerators.cpp:
2544         (JSC::nativeForGenerator):
2545         * llint/LowLevelInterpreter64.asm:
2546         * runtime/CustomGetterSetter.h:
2547         (JSC::CustomGetterSetter::getter const):
2548         (JSC::CustomGetterSetter::setter const):
2549         * runtime/InternalFunction.cpp:
2550         (JSC::InternalFunction::getCallData):
2551         (JSC::InternalFunction::getConstructData):
2552         * runtime/InternalFunction.h:
2553         (JSC::InternalFunction::nativeFunctionFor):
2554         * runtime/JSCPoison.h: Added.
2555         * runtime/JSCPoisonedPtr.cpp:
2556         (JSC::initializePoison):
2557         * runtime/JSCPoisonedPtr.h:
2558         * runtime/Lookup.h:
2559         * runtime/NativeExecutable.cpp:
2560         (JSC::NativeExecutable::hashFor const):
2561         * runtime/NativeExecutable.h:
2562         * runtime/Structure.cpp:
2563         (JSC::StructureTransitionTable::setSingleTransition):
2564         * runtime/StructureTransitionTable.h:
2565         (JSC::StructureTransitionTable::StructureTransitionTable):
2566         (JSC::StructureTransitionTable::isUsingSingleSlot const):
2567         (JSC::StructureTransitionTable::map const):
2568         (JSC::StructureTransitionTable::weakImpl const):
2569         (JSC::StructureTransitionTable::setMap):
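
        An added C++ example of the pointer poisoning this entry applies, not
        JavaScriptCore's Poisoned<> or JSCPoison.h: a pointer is stored XORed with a
        secret key that is specific to its category (native code, JIT code, global
        data), so a disclosed word is not directly a usable pointer and a word poisoned
        under one category does not unpoison correctly under another. PoisonKind,
        PoisonKeys, PoisonedPtr and doubleIt are hypothetical names; the seed and the
        key derivation are constructed for the example.

```cpp
// Added example, not JavaScriptCore's Poisoned<> / JSCPoison.h: a minimal pointer
// poisoning scheme of the kind the entry applies to native code pointers. The
// stored word is the pointer XORed with a per-category secret key. Keys here are
// seeded for reproducibility; a real deployment draws them from a CSPRNG at startup.
#include <cstdint>
#include <random>

// One key per pointer category, mirroring separate keys such as the entry's
// g_nativeCodePoison, g_jitCodePoison and g_globalDataPoison.
enum class PoisonKind : unsigned { NativeCode, JitCode, GlobalData, Count };

struct PoisonKeys {
    uintptr_t key[unsigned(PoisonKind::Count)] = {};
};

// Generate keys once at startup. The high bit is forced on so that a poisoned
// word used as a pointer by mistake lies far from any user-space mapping and
// faults instead of aliasing a live object (a design choice of this example).
inline PoisonKeys makePoisonKeys(uint64_t seed) {
    std::mt19937_64 rng(seed);
    PoisonKeys keys;
    for (auto& k : keys.key)
        k = uintptr_t(rng()) | (uintptr_t(1) << (sizeof(uintptr_t) * 8 - 1));
    return keys;
}

template<typename T, PoisonKind kind>
class PoisonedPtr {
public:
    PoisonedPtr() = default;
    PoisonedPtr(const PoisonKeys& keys, T* ptr)
        : m_bits(ptr ? reinterpret_cast<uintptr_t>(ptr) ^ keys.key[unsigned(kind)] : 0) { }

    // Unpoison with this category's key; null is stored and returned as null.
    T* unpoisoned(const PoisonKeys& keys) const {
        return m_bits ? reinterpret_cast<T*>(m_bits ^ keys.key[unsigned(kind)]) : nullptr;
    }
    uintptr_t rawBits() const { return m_bits; }  // what a memory read would reveal

private:
    uintptr_t m_bits = 0;
};

// A stand-in for a native host function whose address we want to protect.
inline int doubleIt(int x) { return x * 2; }
using NativeFunction = int(int);
using PoisonedNativeFunction = PoisonedPtr<NativeFunction, PoisonKind::NativeCode>;

// Self-check helpers (constructed seed).
inline bool storedWordDiffersFromPointer() {
    PoisonKeys keys = makePoisonKeys(0x5eed);
    PoisonedNativeFunction p(keys, &doubleIt);
    return p.rawBits() != reinterpret_cast<uintptr_t>(&doubleIt);
}
inline int callThroughPoisonedPointer(int x) {
    PoisonKeys keys = makePoisonKeys(0x5eed);
    PoisonedNativeFunction p(keys, &doubleIt);
    return p.unpoisoned(keys)(x);
}
// Swapping in another category's key models a word taken from one class of
// object and treated as another class's pointer: the original is not recovered.
inline bool wrongCategoryKeyRecoversPointer() {
    PoisonKeys keys = makePoisonKeys(0x5eed);
    PoisonedNativeFunction p(keys, &doubleIt);
    PoisonKeys wrong = keys;
    wrong.key[unsigned(PoisonKind::NativeCode)] = keys.key[unsigned(PoisonKind::JitCode)];
    return p.unpoisoned(wrong) == &doubleIt;
}
inline bool nullStaysNull() {
    PoisonKeys keys = makePoisonKeys(0x5eed);
    PoisonedNativeFunction p(keys, nullptr);
    return p.rawBits() == 0 && p.unpoisoned(keys) == nullptr;
}
```

        The defensive value is in the per-category keys: a word read out of one kind of
        object cannot be reinterpreted as another kind's pointer without the matching
        secret, so the scheme only holds if the keys are unpredictable and are not stored
        alongside the pointers they protect.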
2570
2571 2017-12-07  Joseph Pecoraro  <pecoraro@apple.com>
2572
2573         Web Inspector: Fix style in remote inspector classes
2574         https://bugs.webkit.org/show_bug.cgi?id=180545
2575
2576         Reviewed by Youenn Fablet.
2577
2578         * inspector/remote/RemoteControllableTarget.h:
2579         * inspector/remote/RemoteInspectionTarget.h:
2580         * runtime/JSGlobalObjectDebuggable.h:
2581
2582 2017-12-07  Per Arne Vollan  <pvollan@apple.com>
2583
2584         Use fastAlignedFree to free aligned memory.
2585         https://bugs.webkit.org/show_bug.cgi?id=180540
2586
2587         Reviewed by Saam Barati.
2588
2589         * heap/IsoAlignedMemoryAllocator.cpp:
2590         (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
2591
2592 2017-12-07  Matt Lewis  <jlewis3@apple.com>
2593
2594         Unreviewed, rolling out r225634.
2595
2596         This caused layout tests to time out.
2597
2598         Reverted changeset:
2599
2600         "Simplify log channel configuration UI"
2601         https://bugs.webkit.org/show_bug.cgi?id=180527
2602         https://trac.webkit.org/changeset/225634
2603
2604 2017-12-07  Eric Carlson  <eric.carlson@apple.com>
2605
2606         Simplify log channel configuration UI
2607         https://bugs.webkit.org/show_bug.cgi?id=180527
2608         <rdar://problem/35908382>
2609
2610         Reviewed by Joseph Pecoraro.
2611
2612         * inspector/protocol/Console.json:
2613
2614 2017-12-07  Mark Lam  <mark.lam@apple.com>
2615
2616         [Re-landing r225620] Refactoring: Rename ScrambledPtr to Poisoned.
2617         https://bugs.webkit.org/show_bug.cgi?id=180514
2618
2619         Reviewed by Saam Barati and JF Bastien.
2620
2621         Re-landing r225620 with speculative build fix for GCC 7.
2622
2623         * API/JSCallbackObject.h:
2624         * API/JSObjectRef.cpp:
2625         (classInfoPrivate):
2626         * JavaScriptCore.xcodeproj/project.pbxproj:
2627         * Sources.txt:
2628         * assembler/MacroAssemblerCodeRef.h:
2629         (JSC::FunctionPtr::FunctionPtr):
2630         (JSC::FunctionPtr::value const):
2631         (JSC::FunctionPtr::executableAddress const):
2632         (JSC::ReturnAddressPtr::ReturnAddressPtr):
2633         (JSC::ReturnAddressPtr::value const):
2634         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
2635         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
2636         (JSC::MacroAssemblerCodePtr::poisonedPtr const):
2637         (JSC::MacroAssemblerCodePtr:: const):
2638         (JSC::MacroAssemblerCodePtr::operator! const):
2639         (JSC::MacroAssemblerCodePtr::operator== const):
2640         (JSC::MacroAssemblerCodePtr::emptyValue):
2641         (JSC::MacroAssemblerCodePtr::deletedValue):
2642         (JSC::MacroAssemblerCodePtr::scrambledPtr const): Deleted.
2643         * b3/B3LowerMacros.cpp:
2644         * b3/testb3.cpp:
2645         (JSC::B3::testInterpreter):
2646         * dfg/DFGSpeculativeJIT.cpp:
2647         (JSC::DFG::SpeculativeJIT::checkArray):
2648         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
2649         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
2650         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
2651         * ftl/FTLLowerDFGToB3.cpp:
2652         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
2653         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
2654         * jit/AssemblyHelpers.h:
2655         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
2656         * jit/SpecializedThunkJIT.h:
2657         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
2658         * jit/ThunkGenerators.cpp:
2659         (JSC::virtualThunkFor):
2660         (JSC::boundThisNoArgsFunctionCallGenerator):
2661         * llint/LLIntSlowPaths.cpp:
2662         (JSC::LLInt::handleHostCall):
2663         (JSC::LLInt::setUpCall):
2664         * llint/LowLevelInterpreter64.asm:
2665         * runtime/InitializeThreading.cpp:
2666         (JSC::initializeThreading):
2667         * runtime/JSCPoisonedPtr.cpp: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.cpp.
2668         (JSC::initializePoison):
2669         (JSC::initializeScrambledPtrKeys): Deleted.
2670         * runtime/JSCPoisonedPtr.h: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.h.
2671         * runtime/JSCScrambledPtr.cpp: Removed.
2672         * runtime/JSCScrambledPtr.h: Removed.
2673         * runtime/JSDestructibleObject.h:
2674         (JSC::JSDestructibleObject::classInfo const):
2675         * runtime/JSSegmentedVariableObject.h:
2676         (JSC::JSSegmentedVariableObject::classInfo const):
2677         * runtime/Structure.h:
2678         * runtime/VM.h:
2679
2680 2017-12-07  Michael Catanzaro  <mcatanzaro@igalia.com>
2681
2682         Unreviewed, rolling out r225620
2683         https://bugs.webkit.org/show_bug.cgi?id=180514
2684         <rdar://problem/35901694>
2685
2686         It broke the build with GCC 7, and I don't know how to fix it.
2687
2688         * API/JSCallbackObject.h:
2689         * API/JSObjectRef.cpp:
2690         (classInfoPrivate):
2691         * JavaScriptCore.xcodeproj/project.pbxproj:
2692         * Sources.txt:
2693         * assembler/MacroAssemblerCodeRef.h:
2694         (JSC::FunctionPtr::FunctionPtr):
2695         (JSC::FunctionPtr::value const):
2696         (JSC::FunctionPtr::executableAddress const):
2697         (JSC::ReturnAddressPtr::ReturnAddressPtr):
2698         (JSC::ReturnAddressPtr::value const):
2699         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
2700         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
2701         (JSC::MacroAssemblerCodePtr::scrambledPtr const):
2702         (JSC::MacroAssemblerCodePtr:: const):
2703         (JSC::MacroAssemblerCodePtr::operator! const):
2704         (JSC::MacroAssemblerCodePtr::operator== const):
2705         (JSC::MacroAssemblerCodePtr::emptyValue):
2706         (JSC::MacroAssemblerCodePtr::deletedValue):
2707         (JSC::MacroAssemblerCodePtr::poisonedPtr const): Deleted.
2708         * b3/B3LowerMacros.cpp:
2709         * b3/testb3.cpp:
2710         (JSC::B3::testInterpreter):
2711         * dfg/DFGSpeculativeJIT.cpp:
2712         (JSC::DFG::SpeculativeJIT::checkArray):
2713         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
2714         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
2715         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
2716         * ftl/FTLLowerDFGToB3.cpp:
2717         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
2718         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
2719         * jit/AssemblyHelpers.h:
2720         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
2721         * jit/SpecializedThunkJIT.h:
2722         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
2723         * jit/ThunkGenerators.cpp:
2724         (JSC::virtualThunkFor):
2725         (JSC::boundThisNoArgsFunctionCallGenerator):
2726         * llint/LLIntSlowPaths.cpp:
2727         (JSC::LLInt::handleHostCall):
2728         (JSC::LLInt::setUpCall):
2729         * llint/LowLevelInterpreter64.asm:
2730         * runtime/InitializeThreading.cpp:
2731         (JSC::initializeThreading):
2732         * runtime/JSCScrambledPtr.cpp: Renamed from Source/JavaScriptCore/runtime/JSCPoisonedPtr.cpp.
2733         (JSC::initializeScrambledPtrKeys):
2734         * runtime/JSCScrambledPtr.h: Renamed from Source/JavaScriptCore/runtime/JSCPoisonedPtr.h.
2735         * runtime/JSDestructibleObject.h:
2736         (JSC::JSDestructibleObject::classInfo const):
2737         * runtime/JSSegmentedVariableObject.h:
2738         (JSC::JSSegmentedVariableObject::classInfo const):
2739         * runtime/Structure.h:
2740         * runtime/VM.h:
2741
2742 2017-12-06  Mark Lam  <mark.lam@apple.com>
2743
2744         Refactoring: Rename ScrambledPtr to Poisoned.
2745         https://bugs.webkit.org/show_bug.cgi?id=180514
2746
2747         Reviewed by Saam Barati.
2748
2749         * API/JSCallbackObject.h:
2750         * API/JSObjectRef.cpp:
2751         (classInfoPrivate):
2752         * JavaScriptCore.xcodeproj/project.pbxproj:
2753         * Sources.txt:
2754         * assembler/MacroAssemblerCodeRef.h:
2755         (JSC::FunctionPtr::FunctionPtr):
2756         (JSC::FunctionPtr::value const):
2757         (JSC::FunctionPtr::executableAddress const):
2758         (JSC::ReturnAddressPtr::ReturnAddressPtr):
2759         (JSC::ReturnAddressPtr::value const):
2760         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
2761         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
2762         (JSC::MacroAssemblerCodePtr::poisonedPtr const):
2763         (JSC::MacroAssemblerCodePtr:: const):
2764         (JSC::MacroAssemblerCodePtr::operator! const):
2765         (JSC::MacroAssemblerCodePtr::operator== const):
2766         (JSC::MacroAssemblerCodePtr::emptyValue):
2767         (JSC::MacroAssemblerCodePtr::deletedValue):
2768         (JSC::MacroAssemblerCodePtr::scrambledPtr const): Deleted.
2769         * b3/B3LowerMacros.cpp:
2770         * b3/testb3.cpp:
2771         (JSC::B3::testInterpreter):
2772         * dfg/DFGSpeculativeJIT.cpp:
2773         (JSC::DFG::SpeculativeJIT::checkArray):
2774         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
2775         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
2776         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
2777         * ftl/FTLLowerDFGToB3.cpp:
2778         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
2779         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
2780         * jit/AssemblyHelpers.h:
2781         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
2782         * jit/SpecializedThunkJIT.h:
2783         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
2784         * jit/ThunkGenerators.cpp:
2785         (JSC::virtualThunkFor):
2786         (JSC::boundThisNoArgsFunctionCallGenerator):
2787         * llint/LLIntSlowPaths.cpp:
2788         (JSC::LLInt::handleHostCall):
2789         (JSC::LLInt::setUpCall):
2790         * llint/LowLevelInterpreter64.asm:
2791         * runtime/InitializeThreading.cpp:
2792         (JSC::initializeThreading):
2793         * runtime/JSCPoisonedPtr.cpp: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.cpp.
2794         (JSC::initializePoison):
2795         (JSC::initializeScrambledPtrKeys): Deleted.
2796         * runtime/JSCPoisonedPtr.h: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.h.
2797         * runtime/JSCScrambledPtr.cpp: Removed.
2798         * runtime/JSCScrambledPtr.h: Removed.
2799         * runtime/JSDestructibleObject.h:
2800         (JSC::JSDestructibleObject::classInfo const):
2801         * runtime/JSSegmentedVariableObject.h:
2802         (JSC::JSSegmentedVariableObject::classInfo const):
2803         * runtime/Structure.h:
2804         * runtime/VM.h:
2805
2806 2017-12-02  Darin Adler  <darin@apple.com>
2807
2808         Modernize some aspects of text codecs, eliminate WebKit use of strcasecmp
2809         https://bugs.webkit.org/show_bug.cgi?id=180009
2810
2811         Reviewed by Alex Christensen.
2812
2813         * bytecode/ArrayProfile.cpp: Removed include of StringExtras.h.
2814         * bytecode/CodeBlock.cpp: Ditto.
2815         * bytecode/ExecutionCounter.cpp: Ditto.
2816         * runtime/ConfigFile.cpp: Ditto.
2817         * runtime/DatePrototype.cpp: Ditto.
2818         * runtime/IndexingType.cpp: Ditto.
2819         * runtime/JSCJSValue.cpp: Ditto.
2820         * runtime/JSDateMath.cpp: Ditto.
2821         * runtime/JSGlobalObjectFunctions.cpp: Ditto.
2822         * runtime/Options.cpp: Ditto.
2823         (JSC::parse): Use equalLettersIgnoringASCIICase instead of strcasecmp.
2824
2825 2017-12-06  Saam Barati  <sbarati@apple.com>
2826
2827         ASSERTION FAILED: vm->currentThreadIsHoldingAPILock() in void JSC::sanitizeStackForVM(JSC::VM *)
2828         https://bugs.webkit.org/show_bug.cgi?id=180438
2829         <rdar://problem/35862342>
2830
2831         Reviewed by Yusuke Suzuki.
2832
2833         A couple of inspector methods that take stacktraces need
2834         to grab the JSLock.
2835
2836         * inspector/ScriptCallStackFactory.cpp:
2837         (Inspector::createScriptCallStack):
2838         (Inspector::createScriptCallStackForConsole):
2839
2840 2017-12-05  Stephan Szabo  <stephan.szabo@sony.com>
2841
2842         Switch windows build to Visual Studio 2017
2843         https://bugs.webkit.org/show_bug.cgi?id=172412
2844
2845         Reviewed by Per Arne Vollan.
2846
2847         * JavaScriptCore.vcxproj/JavaScriptCore.proj:
2848
2849 2017-12-05  JF Bastien  <jfbastien@apple.com>
2850
2851         WebAssembly: don't eagerly checksum
2852         https://bugs.webkit.org/show_bug.cgi?id=180441
2853         <rdar://problem/35156628>
2854
2855         Reviewed by Saam Barati.
2856
2857         Make checksumming of module optional for now. The bots think the
2858         checksum hurt compile-time. I'd measured it and couldn't see a
2859         difference, and still can't at this point in time, but we'll see
2860         if disabling it fixes the bots. If so then I can make it lazy upon
2861         first backtrace construction, or I can try out MD5 instead of
2862         SHA1.
2863
2864         * runtime/Options.h:
2865         * wasm/WasmModuleInformation.cpp:
2866         (JSC::Wasm::ModuleInformation::ModuleInformation):
2867         * wasm/WasmModuleInformation.h:
2868         * wasm/WasmNameSection.h:
2869         (JSC::Wasm::NameSection::NameSection):
2870
2871 2017-12-05  Filip Pizlo  <fpizlo@apple.com>
2872
2873         IsoAlignedMemoryAllocator needs to free all of its memory when the VM destructs
2874         https://bugs.webkit.org/show_bug.cgi?id=180425
2875
2876         Reviewed by Saam Barati.
2877         
2878         Failure to do so causes leaks after starting workers.
2879
2880         * heap/IsoAlignedMemoryAllocator.cpp:
2881         (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
2882         (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
2883
2884 2017-12-05  Per Arne Vollan  <pvollan@apple.com>
2885
2886         [Win64] Compile error in testmasm.cpp.
2887         https://bugs.webkit.org/show_bug.cgi?id=180436
2888
2889         Reviewed by Mark Lam.
2890
2891         Fix MSVC warning (32-bit shift implicitly converted to 64 bits).
2892         
2893         * assembler/testmasm.cpp:
2894         (JSC::testGetEffectiveAddress):
2895
2896 2017-12-01  Filip Pizlo  <fpizlo@apple.com>
2897
2898         GC constraint solving should be parallel
2899         https://bugs.webkit.org/show_bug.cgi?id=179934
2900
2901         Reviewed by JF Bastien.
2902         
2903         This makes it possible to do constraint solving in parallel. This looks like a 1% Speedometer
2904         speed-up. It's more than 1% on trunk-Speedometer.
2905         
2906         The constraint solver supports running constraints in parallel in two different ways:
2907         
2908         - Run multiple constraints in parallel to each other. This only works for constraints that can
2909           tolerate other constraints running concurrently to them (constraint.concurrency() ==
2910           ConstraintConcurrency::Concurrent). This is the most basic kind of parallelism that the
2911           constraint solver supports. All constraints except the JSC SPI constraints are concurrent. We
2912           could probably make them concurrent, but I'm playing it safe for now.
2913         
2914         - A constraint can create parallel work for itself, which the constraint solver will interleave
2915           with other stuff. A constraint can report that it has parallel work by returning
2916           ConstraintParallelism::Parallel from its executeImpl() function. Then the solver will allow that
2917           constraint's doParallelWorkImpl() function to run on as many GC marker threads as are available,
2918           for as long as that function wants to run.
2919         
2920         It's not possible to have a non-concurrent constraint that creates parallel work.
2921         
2922         The parallelism is implemented in terms of the existing GC marker threads. This turns out to be
2923         most natural for two reasons:
2924         
2925         - No need to start any other threads.
2926         
2927         - The constraints all want to be passed a SlotVisitor. Running on the marker threads means having
2928           access to those threads' SlotVisitors. Also, it means less load balancing. The solver will
2929           create work on each marking thread's SlotVisitor. When the solver is done "stealing" a marker
2930           thread, that thread will have work it can start doing immediately. Before this change, we had to
2931           contribute the work found by the constraint solver to the global worklist so that it could be
2932           distributed to the marker threads by load balancing. This change probably helps to avoid that
2933           load balancing step.
2934         
2935         A lot of this change is about making it easy to iterate GC data structures in parallel. This
2936         change makes almost all constraints parallel-enabled, but only the DOM's output constraint uses
2937         the parallel work API. That constraint iterates the marked cells in two subspaces. This change
2938         makes it very easy to compose parallel iterators over subspaces, allocators, blocks, and cells.
2939         The marked cell parallel iterator is composed out of parallel iterators for the others. A parallel
2940         iterator is just an iterator that can do an atomic next() very quickly. We abstract them using
2941         RefPtr<SharedTask<...()>>, where ... is the type returned from the iterator. We know it's done
2942         when it returns a falsish version of ... (in the current code, that's always a pointer type, so
2943         done is indicated by null).
2944         
2945         * API/JSMarkingConstraintPrivate.cpp:
2946         (JSContextGroupAddMarkingConstraint):
2947         * API/JSVirtualMachine.mm:
2948         (scanExternalObjectGraph):
2949         (scanExternalRememberedSet):
2950         * JavaScriptCore.xcodeproj/project.pbxproj:
2951         * Sources.txt:
2952         * bytecode/AccessCase.cpp:
2953         (JSC::AccessCase::propagateTransitions const):
2954         * bytecode/CodeBlock.cpp:
2955         (JSC::CodeBlock::visitWeakly):
2956         (JSC::CodeBlock::shouldJettisonDueToOldAge):
2957         (JSC::shouldMarkTransition):
2958         (JSC::CodeBlock::propagateTransitions):
2959         (JSC::CodeBlock::determineLiveness):
2960         * dfg/DFGWorklist.cpp:
2961         * ftl/FTLCompile.cpp:
2962         (JSC::FTL::compile):
2963         * heap/ConstraintParallelism.h: Added.
2964         (WTF::printInternal):
2965         * heap/Heap.cpp:
2966         (JSC::Heap::Heap):
2967         (JSC::Heap::addToRememberedSet):
2968         (JSC::Heap::runFixpointPhase):
2969         (JSC::Heap::stopThePeriphery):
2970         (JSC::Heap::resumeThePeriphery):
2971         (JSC::Heap::addCoreConstraints):
2972         (JSC::Heap::setBonusVisitorTask):
2973         (JSC::Heap::runTaskInParallel):
2974         (JSC::Heap::forEachSlotVisitor): Deleted.
2975         * heap/Heap.h:
2976         (JSC::Heap::worldIsRunning const):
2977         (JSC::Heap::runFunctionInParallel):
2978         * heap/HeapInlines.h:
2979         (JSC::Heap::worldIsStopped const):
2980         (JSC::Heap::isMarked):
2981         (JSC::Heap::incrementDeferralDepth):
2982         (JSC::Heap::decrementDeferralDepth):
2983         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
2984         (JSC::Heap::forEachSlotVisitor):
2985         (JSC::Heap::collectorBelievesThatTheWorldIsStopped const): Deleted.
2986         (JSC::Heap::isMarkedConcurrently): Deleted.
2987         * heap/HeapSnapshotBuilder.cpp:
2988         (JSC::HeapSnapshotBuilder::appendNode):
2989         * heap/LargeAllocation.h:
2990         (JSC::LargeAllocation::isMarked):
2991         (JSC::LargeAllocation::isMarkedConcurrently): Deleted.
2992         * heap/LockDuringMarking.h:
2993         (JSC::lockDuringMarking):
2994         * heap/MarkedAllocator.cpp:
2995         (JSC::MarkedAllocator::parallelNotEmptyBlockSource):
2996         * heap/MarkedAllocator.h:
2997         * heap/MarkedBlock.h:
2998         (JSC::MarkedBlock::aboutToMark):
2999         (JSC::MarkedBlock::isMarked):
3000         (JSC::MarkedBlock::areMarksStaleWithDependency): Deleted.
3001         (JSC::MarkedBlock::isMarkedConcurrently): Deleted.
3002         * heap/MarkedSpace.h:
3003         (JSC::MarkedSpace::activeWeakSetsBegin):
3004         (JSC::MarkedSpace::activeWeakSetsEnd):
3005         (JSC::MarkedSpace::newActiveWeakSetsBegin):
3006         (JSC::MarkedSpace::newActiveWeakSetsEnd):
3007         * heap/MarkingConstraint.cpp:
3008         (JSC::MarkingConstraint::MarkingConstraint):
3009         (JSC::MarkingConstraint::execute):
3010         (JSC::MarkingConstraint::quickWorkEstimate):
3011         (JSC::MarkingConstraint::workEstimate):
3012         (JSC::MarkingConstraint::doParallelWork):
3013         (JSC::MarkingConstraint::finishParallelWork):
3014         (JSC::MarkingConstraint::doParallelWorkImpl):
3015         (JSC::MarkingConstraint::finishParallelWorkImpl):
3016         * heap/MarkingConstraint.h:
3017         (JSC::MarkingConstraint::lastExecuteParallelism const):
3018         (JSC::MarkingConstraint::parallelism const):
3019         (JSC::MarkingConstraint::quickWorkEstimate): Deleted.
3020         (JSC::MarkingConstraint::workEstimate): Deleted.
3021         * heap/MarkingConstraintSet.cpp:
3022         (JSC::MarkingConstraintSet::MarkingConstraintSet):
3023         (JSC::MarkingConstraintSet::add):
3024         (JSC::MarkingConstraintSet::executeConvergence):
3025         (JSC::MarkingConstraintSet::executeConvergenceImpl):
3026         (JSC::MarkingConstraintSet::executeAll):
3027         (JSC::MarkingConstraintSet::ExecutionContext::ExecutionContext): Deleted.
3028         (JSC::MarkingConstraintSet::ExecutionContext::didVisitSomething const): Deleted.
3029         (JSC::MarkingConstraintSet::ExecutionContext::shouldTimeOut const): Deleted.
3030         (JSC::MarkingConstraintSet::ExecutionContext::drain): Deleted.
3031         (JSC::MarkingConstraintSet::ExecutionContext::didExecute const): Deleted.
3032         (JSC::MarkingConstraintSet::ExecutionContext::execute): Deleted.
3033         (): Deleted.
3034         * heap/MarkingConstraintSet.h:
3035         * heap/MarkingConstraintSolver.cpp: Added.
3036         (JSC::MarkingConstraintSolver::MarkingConstraintSolver):
3037         (JSC::MarkingConstraintSolver::~MarkingConstraintSolver):
3038         (JSC::MarkingConstraintSolver::didVisitSomething const):
3039         (JSC::MarkingConstraintSolver::execute):
3040         (JSC::MarkingConstraintSolver::drain):
3041         (JSC::MarkingConstraintSolver::converge):
3042         (JSC::MarkingConstraintSolver::runExecutionThread):
3043         (JSC::MarkingConstraintSolver::didExecute):
3044         * heap/MarkingConstraintSolver.h: Added.
3045         * heap/OpaqueRootSet.h: Removed.
3046         * heap/ParallelSourceAdapter.h: Added.
3047         (JSC::ParallelSourceAdapter::ParallelSourceAdapter):
3048         (JSC::createParallelSourceAdapter):
3049         * heap/SimpleMarkingConstraint.cpp: Added.
3050         (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
3051         (JSC::SimpleMarkingConstraint::~SimpleMarkingConstraint):
3052         (JSC::SimpleMarkingConstraint::quickWorkEstimate):
3053         (JSC::SimpleMarkingConstraint::executeImpl):
3054         * heap/SimpleMarkingConstraint.h: Added.
3055         * heap/SlotVisitor.cpp:
3056         (JSC::SlotVisitor::didStartMarking):
3057         (JSC::SlotVisitor::reset):
3058         (JSC::SlotVisitor::appendToMarkStack):
3059         (JSC::SlotVisitor::visitChildren):
3060         (JSC::SlotVisitor::updateMutatorIsStopped):
3061         (JSC::SlotVisitor::mutatorIsStoppedIsUpToDate const):
3062         (JSC::SlotVisitor::drain):
3063         (JSC::SlotVisitor::performIncrementOfDraining):
3064         (JSC::SlotVisitor::didReachTermination):
3065         (JSC::SlotVisitor::hasWork):
3066         (JSC::SlotVisitor::drainFromShared):
3067         (JSC::SlotVisitor::drainInParallelPassively):
3068         (JSC::SlotVisitor::waitForTermination):
3069         (JSC::SlotVisitor::addOpaqueRoot): Deleted.
3070         (JSC::SlotVisitor::containsOpaqueRoot const): Deleted.
3071         (JSC::SlotVisitor::containsOpaqueRootTriState const): Deleted.
3072         (JSC::SlotVisitor::mergeIfNecessary): Deleted.
3073         (JSC::SlotVisitor::mergeOpaqueRootsIfProfitable): Deleted.
3074         (JSC::SlotVisitor::mergeOpaqueRoots): Deleted.
3075         * heap/SlotVisitor.h:
3076         * heap/SlotVisitorInlines.h:
3077         (JSC::SlotVisitor::addOpaqueRoot):
3078         (JSC::SlotVisitor::containsOpaqueRoot const):
3079         (JSC::SlotVisitor::vm):
3080         (JSC::SlotVisitor::vm const):
3081         * heap/Subspace.cpp:
3082         (JSC::Subspace::parallelAllocatorSource):
3083         (JSC::Subspace::parallelNotEmptyMarkedBlockSource):
3084         * heap/Subspace.h:
3085         * heap/SubspaceInlines.h:
3086         (JSC::Subspace::forEachMarkedCellInParallel):
3087         * heap/VisitCounter.h: Added.
3088         (JSC::VisitCounter::VisitCounter):
3089         (JSC::VisitCounter::visitCount const):
3090         * heap/VisitingTimeout.h: Removed.
3091         * heap/WeakBlock.cpp:
3092         (JSC::WeakBlock::specializedVisit):
3093         * runtime/Structure.cpp:
3094         (JSC::Structure::isCheapDuringGC):
3095         (JSC::Structure::markIfCheap):
3096
3097 2017-12-04  JF Bastien  <jfbastien@apple.com>
3098
3099         Math: don't redundantly check for exceptions, just release scope
3100         https://bugs.webkit.org/show_bug.cgi?id=180395
3101
3102         Rubber stamped by Mark Lam.
3103
3104         Two of the exceptions checks could just have been exception scope
3105         releases before the return, which is ever-so-slightly more
3106         efficient. The same technically applies where we have loops over
3107         parameters, but doing the scope release there isn't really more
3108         efficient and is way harder to read.
3109
3110         * runtime/MathObject.cpp:
3111         (JSC::mathProtoFuncATan2):
3112         (JSC::mathProtoFuncPow):
3113
3114 2017-12-04  David Quesada  <david_quesada@apple.com>
3115
3116         Add a class for parsing application manifests
3117         https://bugs.webkit.org/show_bug.cgi?id=177973
3118         rdar://problem/34747949
3119
3120         Reviewed by Geoffrey Garen.
3121
3122         * Configurations/FeatureDefines.xcconfig: Add ENABLE_APPLICATION_MANIFEST feature flag.
3123
3124 2017-12-04  JF Bastien  <jfbastien@apple.com>
3125
3126         Update std::expected to match libc++ coding style
3127         https://bugs.webkit.org/show_bug.cgi?id=180264
3128
3129         Reviewed by Alex Christensen.
3130
3131         Update various uses of Expected.
3132
3133         * wasm/WasmModule.h:
3134         * wasm/WasmModuleParser.cpp:
3135         (JSC::Wasm::ModuleParser::parseImport):
3136         (JSC::Wasm::ModuleParser::parseTableHelper):
3137         (JSC::Wasm::ModuleParser::parseTable):
3138         (JSC::Wasm::ModuleParser::parseMemoryHelper):
3139         * wasm/WasmParser.h:
3140         * wasm/generateWasmValidateInlinesHeader.py:
3141         (loadMacro):
3142         (storeMacro):
3143         * wasm/js/JSWebAssemblyModule.cpp:
3144         (JSC::JSWebAssemblyModule::createStub):
3145         * wasm/js/JSWebAssemblyModule.h:
3146
3147 2017-12-04  Saam Barati  <sbarati@apple.com>
3148
3149         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
3150         https://bugs.webkit.org/show_bug.cgi?id=180366
3151         <rdar://problem/35685877>
3152
3153         Reviewed by Michael Saboff.
3154
3155         On the TailCall slow path, the CallFrameShuffler will build the frame with
3156         respect to SP instead of FP. However, this may overwrite slots on the stack
3157         that are needed if the slow path C call does a stack walk. The slow path
3158         C call does a stack walk when it throws an exception. This patch fixes
3159         this bug by ensuring that the top of the stack in the FTL always has enough
3160         space to allow CallFrameShuffler to build a frame without overwriting any
3161         items on the stack that are needed when doing a stack walk.
3162
3163         * ftl/FTLLowerDFGToB3.cpp:
3164         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
3165
3166 2017-12-04  Devin Rousso  <webkit@devinrousso.com>
3167
3168         Web Inspector: provide method for recording CanvasRenderingContext2D from JavaScript
3169         https://bugs.webkit.org/show_bug.cgi?id=175166
3170         <rdar://problem/34040740>
3171
3172         Reviewed by Joseph Pecoraro.
3173
3174         * inspector/protocol/Recording.json:
3175         Add optional `name` that will be used by the frontend for uniquely identifying the Recording.
3176
3177         * inspector/JSGlobalObjectConsoleClient.h:
3178         * inspector/JSGlobalObjectConsoleClient.cpp:
3179         (Inspector::JSGlobalObjectConsoleClient::record):
3180         (Inspector::JSGlobalObjectConsoleClient::recordEnd):
3181
3182         * runtime/ConsoleClient.h:
3183         * runtime/ConsoleObject.cpp:
3184         (JSC::ConsoleObject::finishCreation):
3185         (JSC::consoleProtoFuncRecord):
3186         (JSC::consoleProtoFuncRecordEnd):
3187
3188 2017-12-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3189
3190         WTF shouldn't have both Thread and ThreadIdentifier
3191         https://bugs.webkit.org/show_bug.cgi?id=180308
3192
3193         Reviewed by Darin Adler.
3194
3195         * heap/MachineStackMarker.cpp:
3196         (JSC::MachineThreads::tryCopyOtherThreadStacks):
3197         * llint/LLIntSlowPaths.cpp:
3198         (JSC::LLInt::llint_trace_operand):
3199         (JSC::LLInt::llint_trace_value):
3200         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3201         (JSC::LLInt::traceFunctionPrologue):
3202         * runtime/ExceptionScope.cpp:
3203         (JSC::ExceptionScope::unexpectedExceptionMessage):
3204         * runtime/JSLock.h:
3205         (JSC::JSLock::currentThreadIsHoldingLock):
3206         * runtime/VM.cpp:
3207         (JSC::VM::throwException):
3208         * runtime/VM.h:
3209         (JSC::VM::throwingThread const):
3210         (JSC::VM::clearException):
3211         * tools/HeapVerifier.cpp:
3212         (JSC::HeapVerifier::printVerificationHeader):
3213
3214 2017-12-03  Caio Lima  <ticaiolima@gmail.com>
3215
3216         Rename DestroyFunc to avoid redefinition on unified build
3217         https://bugs.webkit.org/show_bug.cgi?id=180335
3218
3219         Reviewed by Filip Pizlo.
3220
3221         Changing DestroyFunc structures to more specific names to avoid
3222         conflicts on unified builds.
3223
3224         * heap/HeapCellType.cpp:
3225         (JSC::HeapCellType::finishSweep):
3226         (JSC::HeapCellType::destroy):
3227         * runtime/JSDestructibleObjectHeapCellType.cpp:
3228         (JSC::JSDestructibleObjectHeapCellType::finishSweep):
3229         (JSC::JSDestructibleObjectHeapCellType::destroy):
3230         * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
3231         (JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
3232         (JSC::JSSegmentedVariableObjectHeapCellType::destroy):
3233         * runtime/JSStringHeapCellType.cpp:
3234         (JSC::JSStringHeapCellType::finishSweep):
3235         (JSC::JSStringHeapCellType::destroy):
3236         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
3237         (JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
3238         (JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):
3239
3240 2017-12-01  JF Bastien  <jfbastien@apple.com>
3241
3242         JavaScriptCore: missing exception checks in Math functions that take more than one argument
3243         https://bugs.webkit.org/show_bug.cgi?id=180297
3244         <rdar://problem/35745556>
3245
3246         Reviewed by Mark Lam.
3247
3248         * runtime/MathObject.cpp:
3249         (JSC::mathProtoFuncATan2):
3250         (JSC::mathProtoFuncMax):
3251         (JSC::mathProtoFuncMin):
3252         (JSC::mathProtoFuncPow):
3253
3254 2017-12-01  Mark Lam  <mark.lam@apple.com>
3255
3256         Let's scramble ClassInfo pointers in cells.
3257         https://bugs.webkit.org/show_bug.cgi?id=180291
3258         <rdar://problem/35807620>
3259
3260         Reviewed by JF Bastien.
3261
3262         * API/JSCallbackObject.h:
3263         * API/JSObjectRef.cpp:
3264         (classInfoPrivate):
3265         * JavaScriptCore.xcodeproj/project.pbxproj:
3266         * Sources.txt: