01db0ceb5eeb5f244c883fd79592e3689ceaf2bc
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2017-07-03  Andy Estes  <aestes@apple.com>
2
3         [Xcode] Add an experimental setting to build with ccache
4         https://bugs.webkit.org/show_bug.cgi?id=173875
5
6         Reviewed by Tim Horton.
7
8         * Configurations/DebugRelease.xcconfig: Included ccache.xcconfig.
9
10 2017-07-03  Devin Rousso  <drousso@apple.com>
11
12         Web Inspector: Support listing WebGL2 and WebGPU contexts
13         https://bugs.webkit.org/show_bug.cgi?id=173396
14
15         Reviewed by Joseph Pecoraro.
16
17         * inspector/protocol/Canvas.json:
18         * inspector/scripts/codegen/generator.py:
19         (Generator.stylized_name_for_enum_value):
20         Add cases for handling new Canvas.ContextType protocol enumerations:
21          - "webgl2" maps to `WebGL2`
22          - "webgpu" maps to `WebGPU`
23
24 2017-07-02  Yusuke Suzuki  <utatane.tea@gmail.com>
25
26         WTF::Thread should have the thread's stack bounds.
27         https://bugs.webkit.org/show_bug.cgi?id=173975
28
29         Reviewed by Mark Lam.
30
31         There is a site in JSC that tries to walk another thread's stack.
32         Currently, stack bounds are stored in WTFThreadData which is located
33         in TLS. Thus, only the thread itself can access its own WTFThreadData.
34         We work around this situation by holding StackBounds in MachineThread in JSC,
35         but StackBounds should be put in WTF::Thread instead.
36
37         This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
38         information is tightly coupled with Thread. Thus putting it in WTF::Thread
39         is a natural choice.
40
41         * heap/MachineStackMarker.cpp:
42         (JSC::MachineThreads::MachineThread::MachineThread):
43         (JSC::MachineThreads::MachineThread::captureStack):
44         * heap/MachineStackMarker.h:
45         (JSC::MachineThreads::MachineThread::stackBase):
46         (JSC::MachineThreads::MachineThread::stackEnd):
47         * runtime/InitializeThreading.cpp:
48         (JSC::initializeThreading):
49         * runtime/VM.cpp:
50         (JSC::VM::VM):
51         (JSC::VM::updateStackLimits):
52         (JSC::VM::committedStackByteCount):
53         * runtime/VM.h:
54         (JSC::VM::isSafeToRecurse):
55         * runtime/VMEntryScope.cpp:
56         (JSC::VMEntryScope::VMEntryScope):
57         * runtime/VMInlines.h:
58         (JSC::VM::ensureStackCapacityFor):
59         * runtime/VMTraps.cpp:
60         * yarr/YarrPattern.cpp:
61         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
62
63 2017-07-01  Dan Bernstein  <mitz@apple.com>
64
65         [iOS] Remove code only needed when building for iOS 9.x
66         https://bugs.webkit.org/show_bug.cgi?id=174068
67
68         Reviewed by Tim Horton.
69
70         * Configurations/FeatureDefines.xcconfig:
71         * jit/ExecutableAllocator.cpp:
72         * runtime/Options.cpp:
73         (JSC::recomputeDependentOptions):
74
75 2017-07-01  Dan Bernstein  <mitz@apple.com>
76
77         [macOS] Remove code only needed when building for OS X Yosemite
78         https://bugs.webkit.org/show_bug.cgi?id=174067
79
80         Reviewed by Tim Horton.
81
82         * API/WebKitAvailability.h:
83         * Configurations/Base.xcconfig:
84         * Configurations/DebugRelease.xcconfig:
85         * Configurations/FeatureDefines.xcconfig:
86         * Configurations/Version.xcconfig:
87
88 2017-07-01  Yusuke Suzuki  <utatane.tea@gmail.com>
89
90         Unreviewed, build fix for GCC
91         https://bugs.webkit.org/show_bug.cgi?id=174034
92
93         * b3/testb3.cpp:
94         (JSC::B3::testDoubleLiteralComparison):
95
96 2017-06-30  Keith Miller  <keith_miller@apple.com>
97
98         Force crashWithInfo to be out of line.
99         https://bugs.webkit.org/show_bug.cgi?id=174028
100
101         Reviewed by Filip Pizlo.
102
103         Update DFG_ASSERT macro to call CRASH_WITH_SECURITY_IMPLICATION_AND_INFO.
104
105         * dfg/DFGGraph.cpp:
106         (JSC::DFG::logDFGAssertionFailure):
107         (JSC::DFG::Graph::logAssertionFailure):
108         (JSC::DFG::crash): Deleted.
109         (JSC::DFG::Graph::handleAssertionFailure): Deleted.
110         * dfg/DFGGraph.h:
111
112 2017-06-30  Yusuke Suzuki  <utatane.tea@gmail.com>
113
114         [JSC] Use AbstractMacroAssembler::random instead of holding WeakRandom in JIT
115         https://bugs.webkit.org/show_bug.cgi?id=174053
116
117         Reviewed by Geoffrey Garen.
118
119         We already have AbstractMacroAssembler::random() function. Use it instead.
120
121         * jit/JIT.cpp:
122         (JSC::JIT::JIT):
123         (JSC::JIT::compileWithoutLinking):
124         * jit/JIT.h:
125
126 2017-06-30  Yusuke Suzuki  <utatane.tea@gmail.com>
127
128         [WTF] Drop SymbolRegistry::keyForSymbol
129         https://bugs.webkit.org/show_bug.cgi?id=174052
130
131         Reviewed by Sam Weinig.
132
133         * runtime/SymbolConstructor.cpp:
134         (JSC::symbolConstructorKeyFor):
135
136 2017-06-30  Saam Barati  <sbarati@apple.com>
137
138         B3ReduceStrength should reduce EqualOrUnordered over const float input
139         https://bugs.webkit.org/show_bug.cgi?id=174039
140
141         Reviewed by Michael Saboff.
142
143         We perform this folding for ConstDoubleValue. It is simply
144         an oversight that we didn't do it for ConstFloatValue.
145
146         * b3/B3ConstFloatValue.cpp:
147         (JSC::B3::ConstFloatValue::equalOrUnorderedConstant):
148         * b3/B3ConstFloatValue.h:
149         * b3/testb3.cpp:
150         (JSC::B3::testFloatEqualOrUnorderedFolding):
151         (JSC::B3::testFloatEqualOrUnorderedFoldingNaN):
152         (JSC::B3::testFloatEqualOrUnorderedDontFold):
153         (JSC::B3::run):
154
155 2017-06-30  Matt Baker  <mattbaker@apple.com>
156
157         Web Inspector: AsyncStackTrace nodes can be corrupted when truncating
158         https://bugs.webkit.org/show_bug.cgi?id=173840
159         <rdar://problem/30840820>
160
161         Reviewed by Joseph Pecoraro.
162
163         When truncating an asynchronous stack trace, the parent chain is traversed
164         until a locked node is found. The path from this node to the root is shared
165         by more than one stack trace, and cannot be safely modified. Starting at
166         the first locked node, the path is cloned and becomes a new stack trace tree.
167
168         However, the clone operation initialized each new AsyncStackTrace node with
169         the original node's parent. This would increment the child count of the original
170         node. When cloning nodes, new nodes should not have their parent set until the
171         next node up the parent chain is cloned.
172
173         * inspector/AsyncStackTrace.cpp:
174         (Inspector::AsyncStackTrace::truncate):
175
176 2017-06-30  Michael Saboff  <msaboff@apple.com>
177
178         RegExps anchored with .* with the g flag can return the wrong match start for strings with multiple matches
179         https://bugs.webkit.org/show_bug.cgi?id=174044
180
181         Reviewed by Oliver Hunt.
182
183         The .* enclosure optimization didn't respect that we can start matching from a non-zero
184         index.  This optimization treats /.*<some-terms>.*/ by first matching the <some-terms> and
185         then finding the extent of the match by going back to the beginning of the line and going
186         forward to the end of the line.  The code that went back to the beginning of the line
187         checked for an index of 0 instead of comparing the index to the start position.  This start
188         position is passed as the initial index.
189
190         Added another temporary register to the YARR JIT to contain the start position for
191         platforms that have spare registers.
192
193         * yarr/Yarr.h:
194         * yarr/YarrInterpreter.cpp:
195         (JSC::Yarr::Interpreter::matchDotStarEnclosure):
196         (JSC::Yarr::Interpreter::Interpreter):
197         * yarr/YarrJIT.cpp:
198         (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
199         (JSC::Yarr::YarrGenerator::compile):
200         * yarr/YarrPattern.cpp:
201         (JSC::Yarr::YarrPattern::YarrPattern):
202         * yarr/YarrPattern.h:
203         (JSC::Yarr::YarrPattern::reset):
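
        The .* enclosure fast path described above, modelled in C++ as an added example (this is not
        JSC's YARR code; the function names and the brute-force oracle are assumed for illustration).
        It finds the inner term, widens the match to the enclosing line, and lets the walk-back stop
        either at the start position (the fix) or at index 0 (the pre-fix check), so the wrong match
        start for a non-zero start index can be seen directly against the plain regex semantics.

```cpp
// Added example (not JSC's YARR code): the ".* enclosure" fast path for
// patterns of the form /.*<term>.*/, with the start-position bug from the
// ChangeLog selectable, and a brute-force oracle to compare against.
#include <cstddef>
#include <string>
#include <utility>

using Match = std::pair<size_t, size_t>; // [begin, end) or {npos, npos}
static const size_t npos = std::string::npos;

// '.' does not match line terminators, so a match is bounded by them.
static bool isLineTerminator(char c) { return c == '\n' || c == '\r'; }

// Find the first <term> at or after `start`, then widen to the enclosing
// line. `stopAtStart` selects the fixed behaviour (walk back no further than
// `start`); false reproduces the pre-fix check against index 0.
static Match dotStarEnclosure(const std::string& subject, const std::string& term,
                              size_t start, bool stopAtStart) {
    size_t termAt = subject.find(term, start);
    if (termAt == npos)
        return { npos, npos };
    size_t floor = stopAtStart ? start : 0;
    size_t begin = termAt;
    while (begin > floor && !isLineTerminator(subject[begin - 1]))
        --begin;
    size_t end = termAt + term.size();
    while (end < subject.size() && !isLineTerminator(subject[end]))
        ++end;
    return { begin, end };
}

// Oracle with the plain regex semantics: the earliest p >= start whose
// remaining line contains <term>; the match then runs to the end of that line.
static Match referenceMatch(const std::string& subject, const std::string& term, size_t start) {
    for (size_t p = start; p <= subject.size(); ++p) {
        size_t lineEnd = p;
        while (lineEnd < subject.size() && !isLineTerminator(subject[lineEnd]))
            ++lineEnd;
        if (subject.substr(p, lineEnd - p).find(term) != npos)
            return { p, lineEnd };
    }
    return { npos, npos };
}

int main() {
    // Constructed input: with a lastIndex-style start of 3 the match must begin
    // at 3 ("bc yyabc"), but the pre-fix walk-back reports index 0.
    const std::string subject = "xxabc yyabc";
    Match fixed = dotStarEnclosure(subject, "abc", 3, true);   // {3, 11}
    Match buggy = dotStarEnclosure(subject, "abc", 3, false);  // {0, 11}
    Match oracle = referenceMatch(subject, "abc", 3);          // {3, 11}
    return (fixed == oracle && buggy != oracle) ? 0 : 1;
}
```

        Note that the bug only shows when the start position lies after the beginning of the line that
        contains the term; when a line terminator sits between them the walk-back stops there anyway,
        which is why the wrong start was easy to miss.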
204
205 2017-06-30  Saam Barati  <sbarati@apple.com>
206
207         B3MoveConstants floatZero() returns the wrong ValueKey
208         https://bugs.webkit.org/show_bug.cgi?id=174040
209
210         Reviewed by Filip Pizlo.
211
212         It had a typo where the ValueKey for floatZero() produces a Double
213         instead of a Float.
214
215         * b3/B3MoveConstants.cpp:
216
217 2017-06-30  Saam Barati  <sbarati@apple.com>
218
219         B3ReduceDoubleToFloat incorrectly reduces operations over two double constants
220         https://bugs.webkit.org/show_bug.cgi?id=174034
221         <rdar://problem/30793007>
222
223         Reviewed by Filip Pizlo.
224
225         B3ReduceDoubleToFloat had a bug in it where it would incorrectly
226         reduce binary operations over double constants into the same binary
227         operation over the double constants cast to floats. This is clearly
228         incorrect as these two things will produce different values. For example:
229         
230         a = DoubleConst(bitwise_cast<double>(0x8000000000000001ull))
231         b = DoubleConst(bitwise_cast<double>(0x0000000000000000ull))
232         c = EqualOrUnordered(@a, @b) // produces 0
233         
234         into:
235         
236         a = FloatConst(static_cast<float>(bitwise_cast<double>(0x8000000000000001ull)))
237         b = FloatConst(static_cast<float>(bitwise_cast<double>(0x0000000000000000ull)))
238         c = EqualOrUnordered(@a, @b) // produces 1
239         
240         Which produces a different value for @c.
241
242         * b3/B3ReduceDoubleToFloat.cpp:
243         * b3/testb3.cpp:
244         (JSC::B3::doubleEq):
245         (JSC::B3::doubleNeq):
246         (JSC::B3::doubleGt):
247         (JSC::B3::doubleGte):
248         (JSC::B3::doubleLt):
249         (JSC::B3::doubleLte):
250         (JSC::B3::testDoubleLiteralComparison):
251         (JSC::B3::run):
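
        The comparison from the entry above, worked through in C++ as an added example (not B3 or JSC
        code): it rebuilds the two constants with a bit-exact cast, evaluates EqualOrUnordered at both
        widths, and adds a conservative narrowsExactly() predicate (an illustrative name, not a B3 API)
        that a reduction pass could consult before folding a comparison over double constants at float
        width. It generalises slightly beyond the text by also covering NaN and a non-representable
        constant such as 0.1.

```cpp
// Added example (not JSC code): why B3ReduceDoubleToFloat must not fold a
// comparison over double constants at float width. The cast is only sound
// when both constants survive the double -> float -> double round trip.
#include <cmath>
#include <cstdint>
#include <cstring>

// Bit-exact reinterpretation, the bitwise_cast used in the ChangeLog text.
static double doubleFromBits(uint64_t bits) {
    double d;
    std::memcpy(&d, &bits, sizeof d);
    return d;
}

// B3's EqualOrUnordered: true if the operands compare equal or either is NaN.
template <typename T>
static bool equalOrUnordered(T a, T b) {
    return a == b || std::isnan(a) || std::isnan(b);
}

// The unsound rewrite: narrow the double constants, then compare as floats.
static bool equalOrUnorderedNarrowed(double a, double b) {
    return equalOrUnordered(static_cast<float>(a), static_cast<float>(b));
}

// A constant may be narrowed only if widening the float gives the original
// value back, sign of zero included. NaN stays unordered at either width.
// (narrowsExactly is an illustrative name, not a B3 API.)
static bool narrowsExactly(double d) {
    if (std::isnan(d))
        return true;
    double back = static_cast<double>(static_cast<float>(d));
    return back == d && std::signbit(back) == std::signbit(d);
}

// Conservative test: when both constants narrow exactly, folding
// EqualOrUnordered at float width gives the same answer as at double width.
static bool narrowingPreservesEqualOrUnordered(double a, double b) {
    return narrowsExactly(a) && narrowsExactly(b);
}

// The pair from the ChangeLog: the smallest negative denormal and +0.0.
static const double kDenormal = doubleFromBits(0x8000000000000001ull); // about -4.9e-324
static const double kZero = doubleFromBits(0x0000000000000000ull);

int main() {
    // At double width the constants differ (result 0). The denormal rounds
    // to -0.0f, which equals 0.0f, so the narrowed comparison yields 1.
    bool ok = !equalOrUnordered(kDenormal, kZero)
        && equalOrUnorderedNarrowed(kDenormal, kZero)
        && !narrowingPreservesEqualOrUnordered(kDenormal, kZero)
        && narrowingPreservesEqualOrUnordered(1.5, -2.0);
    return ok ? 0 : 1;
}
```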
252
253 2017-06-29  Jer Noble  <jer.noble@apple.com>
254
255         Make Legacy EME API controlled by RuntimeEnabled setting.
256         https://bugs.webkit.org/show_bug.cgi?id=173994
257
258         Reviewed by Sam Weinig.
259
260         * Configurations/FeatureDefines.xcconfig:
261         * runtime/CommonIdentifiers.h:
262
263 2017-06-30  Ryosuke Niwa  <rniwa@webkit.org>
264
265         Ran sort-Xcode-project-file.
266
267         * JavaScriptCore.xcodeproj/project.pbxproj:
268
269 2017-06-30  Matt Lewis  <jlewis3@apple.com>
270
271         Unreviewed, rolling out r218992.
272
273         The patch broke the iOS device builds.
274
275         Reverted changeset:
276
277         "DFG_ASSERT should allow stuffing registers before trapping."
278         https://bugs.webkit.org/show_bug.cgi?id=174005
279         http://trac.webkit.org/changeset/218992
280
281 2017-06-30  Filip Pizlo  <fpizlo@apple.com>
282
283         RegExpCachedResult::setInput should reify left and right contexts
284         https://bugs.webkit.org/show_bug.cgi?id=173818
285
286         Reviewed by Keith Miller.
287         
288         If you don't reify them in setInput, then when you later try to reify them, you'll end up
289         using indices into an old input string to create a substring of a new input string. That
290         never goes well.
291
292         * runtime/RegExpCachedResult.cpp:
293         (JSC::RegExpCachedResult::setInput):
294
295 2017-06-30  Keith Miller  <keith_miller@apple.com>
296
297         DFG_ASSERT should allow stuffing registers before trapping.
298         https://bugs.webkit.org/show_bug.cgi?id=174005
299
300         Reviewed by Mark Lam.
301
302         DFG_ASSERT currently prints error data to stderr before crashing,
303         which is nice for local development. In the wild, however, we
304         can't see this information in crash logs. This patch enables
305         stuffing some of the most useful information from DFG_ASSERTS into
306         up to five registers right before crashing. The values stuffed
307         should not impact any logging during local development.
308
309         * assembler/AbortReason.h:
310         * dfg/DFGAbstractInterpreterInlines.h:
311         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
312         * dfg/DFGGraph.cpp:
313         (JSC::DFG::logForCrash):
314         (JSC::DFG::Graph::logAssertionFailure):
315         (JSC::DFG::crash): Deleted.
316         (JSC::DFG::Graph::handleAssertionFailure): Deleted.
317         * dfg/DFGGraph.h:
318
319 2017-06-29  Saam Barati  <sbarati@apple.com>
320
321         Calculating postCapacity in unshiftCountSlowCase is wrong
322         https://bugs.webkit.org/show_bug.cgi?id=173992
323         <rdar://problem/32283199>
324
325         Reviewed by Keith Miller.
326
327         This patch fixes a bug inside unshiftCountSlowCase where we would use
328         more memory than we allocated. The bug was when deciding how much extra
329         space we have after the vector we've allocated. This area is called the
330         postCapacity. The largest legal postCapacity value we could use is the
331         space we allocated minus the space we need:
332         largestPossiblePostCapacity = newStorageCapacity - requiredVectorLength;
333         However, the code was calculating the postCapacity as:
334         postCapacity = max(newStorageCapacity - requiredVectorLength, count);
335         
336         where count is how many elements we're appending. Depending on the inputs,
337         count could be larger than (newStorageCapacity - requiredVectorLength). This
338         would cause us to use more memory than we actually allocated.
339
340         * runtime/JSArray.cpp:
341         (JSC::JSArray::unshiftCountSlowCase):
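
        A small model of the accounting this entry fixes, added here in C++ as an illustration (it is not
        JSC's JSArray code; the struct and function names are assumed): both formulas for postCapacity
        beside the invariant that the vector plus its post-capacity must fit the allocation, plus an
        exhaustive sweep over small inputs showing that only the max() form ever breaks it.

```cpp
// Added example (not JSC code): the postCapacity accounting from
// unshiftCountSlowCase before and after the fix, checked against the
// invariant that nothing promised to later push() calls lies past the
// allocation.
#include <algorithm>
#include <cstddef>

// Storage after an unshift: the live vector followed by spare slots.
struct UnshiftLayout {
    size_t vectorLength; // slots holding elements once `count` are prepended
    size_t postCapacity; // spare slots after the vector that push() may use
};

// Pre-fix accounting as the ChangeLog describes it: max() can make
// postCapacity larger than the space actually left over.
static UnshiftLayout layoutBeforeFix(size_t newStorageCapacity, size_t requiredVectorLength, size_t count) {
    return { requiredVectorLength, std::max(newStorageCapacity - requiredVectorLength, count) };
}

// Post-fix accounting: only what remains after the required vector.
static UnshiftLayout layoutAfterFix(size_t newStorageCapacity, size_t requiredVectorLength) {
    return { requiredVectorLength, newStorageCapacity - requiredVectorLength };
}

// Invariant: everything the layout promises to use fits in the allocation.
static bool fitsAllocation(const UnshiftLayout& layout, size_t newStorageCapacity) {
    return layout.vectorLength + layout.postCapacity <= newStorageCapacity;
}

// Slots beyond the allocation that later pushes would write into, i.e. the
// size of the out-of-bounds write the bug permits (0 when the layout is sound).
static size_t overrunSlots(const UnshiftLayout& layout, size_t newStorageCapacity) {
    size_t promised = layout.vectorLength + layout.postCapacity;
    return promised > newStorageCapacity ? promised - newStorageCapacity : 0;
}

// Exhaustive check over small inputs: does the formula ever overrun?
// requiredVectorLength = oldLength + count and the allocation is always at
// least that large, as the slow path guarantees.
static bool formulaEverOverruns(bool beforeFix, size_t limit) {
    for (size_t oldLength = 0; oldLength < limit; ++oldLength) {
        for (size_t count = 1; count < limit; ++count) {
            size_t required = oldLength + count;
            for (size_t capacity = required; capacity < required + limit; ++capacity) {
                UnshiftLayout layout = beforeFix
                    ? layoutBeforeFix(capacity, required, count)
                    : layoutAfterFix(capacity, required);
                if (!fitsAllocation(layout, capacity))
                    return true;
            }
        }
    }
    return false;
}

int main() {
    // Constructed case: 4 existing elements, 8 prepended, 14 slots allocated.
    // Before the fix postCapacity is max(2, 8) = 8, promising 20 slots.
    UnshiftLayout buggy = layoutBeforeFix(14, 12, 8);
    UnshiftLayout fixed = layoutAfterFix(14, 12);
    return (overrunSlots(buggy, 14) == 6 && overrunSlots(fixed, 14) == 0) ? 0 : 1;
}
```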
342
343 2017-06-29  Commit Queue  <commit-queue@webkit.org>
344
345         Unreviewed, rolling out r218512.
346         https://bugs.webkit.org/show_bug.cgi?id=173981
347
348         "It changes the behavior of the JS API's JSEvaluateScript
349         which breaks TurboTax" (Requested by saamyjoon on #webkit).
350
351         Reverted changeset:
352
353         "test262: Completion values for control flow do not match the
354         spec"
355         https://bugs.webkit.org/show_bug.cgi?id=171265
356         http://trac.webkit.org/changeset/218512
357
358 2017-06-29  JF Bastien  <jfbastien@apple.com>
359
360         WebAssembly: disable some APIs under CSP
361         https://bugs.webkit.org/show_bug.cgi?id=173892
362         <rdar://problem/32914613>
363
364         Reviewed by Daniel Bates.
365
366         We should disable parts of WebAssembly under Content Security
367         Policy as discussed here:
368
369         https://github.com/WebAssembly/design/issues/1092
370
371         Exactly what should be disabled isn't super clear, so we may as
372         well be conservative and disable many things if developers already
373         opted into CSP. It's easy to loosen what we disable later.
374
375         This patch disables:
376         - WebAssembly.Instance
377         - WebAssembly.instantiate
378         - WebAssembly.Memory
379         - WebAssembly.Table
380
381         And leaves:
382         - WebAssembly on the global object
383         - WebAssembly.Module
384         - WebAssembly.compile
385         - WebAssembly.CompileError
386         - WebAssembly.LinkError
387
388         Nothing because currently unimplemented:
389         - WebAssembly.compileStreaming
390         - WebAssembly.instantiateStreaming
391
392         That way it won't be possible to call WebAssembly-compiled code,
393         or create memories (which use fancy 4GiB allocations
394         sometimes). Table isn't really useful on its own, and eventually
395         we may make them shareable so without more details it seems benign
396         to disable them (and useless if we don't).
397
398         I haven't done anything with postMessage, so you can still
399         postMessage a WebAssembly.Module cross-CSP, but you can't
400         instantiate it so it's useless. Because of this I elected to leave
401         WebAssembly.Module and friends available.
402
403         I haven't added any new directives. It's still unsafe-eval. We can
404         add something else later, but it seems odd to add WebAssembly as
405         a new capability and tell developers "you should have been using
406         this directive which we just implemented if you wanted to disable
407         WebAssembly which didn't exist when you adopted CSP". So IMO we
408         should keep unsafe-eval as it currently is, add WebAssembly to
409         what it disables, and later consider having two new directives
410         which do each individually or something.
411
412         In all cases I throw an EvalError *before* other WebAssembly
413         errors would be produced.
414
415         Note that, as for eval, reporting doesn't work and is tracked by
416         https://webkit.org/b/111869
417
418         * runtime/JSGlobalObject.cpp:
419         (JSC::JSGlobalObject::JSGlobalObject):
420         * runtime/JSGlobalObject.h:
421         (JSC::JSGlobalObject::webAssemblyEnabled):
422         (JSC::JSGlobalObject::webAssemblyDisabledErrorMessage):
423         (JSC::JSGlobalObject::setWebAssemblyEnabled):
424         * wasm/js/JSWebAssemblyInstance.cpp:
425         (JSC::JSWebAssemblyInstance::create):
426         * wasm/js/JSWebAssemblyMemory.cpp:
427         (JSC::JSWebAssemblyMemory::create):
428         * wasm/js/JSWebAssemblyMemory.h:
429         * wasm/js/JSWebAssemblyTable.cpp:
430         (JSC::JSWebAssemblyTable::create):
431         * wasm/js/WebAssemblyMemoryConstructor.cpp:
432         (JSC::constructJSWebAssemblyMemory):
433
434 2017-06-28  Keith Miller  <keith_miller@apple.com>
435
436         VMTraps has some races
437         https://bugs.webkit.org/show_bug.cgi?id=173941
438
439         Reviewed by Michael Saboff.
440
441         This patch refactors much of the VMTraps API.
442
443         On the message sending side:
444
445         1) No longer uses the Yarr JIT check to determine if we are in
446         RegExp code. That was unsound because RegExp JIT code can be run
447         on compilation threads.  Instead it looks at the current frame's
448         code block slot and checks if it is valid, which is the same as
449         what it did for JIT code previously.
450
451         2) Only have one signal sender thread. Previously, there could be
452         many at once, which caused some data races. Additionally, the
453         signal sender thread is an automatic thread so it will deallocate
454         itself when not in use.
455
456         On the VMTraps breakpoint side:
457
458         1) We now have a true mapping of whether we hit a breakpoint instead of
459         a JIT assertion. So the exception handler won't eat JIT assertions
460         anymore.
461
462         2) It jettisons all CodeBlocks that have VMTraps breakpoints on
463         them instead of every CodeBlock on the stack. This both prevents
464         us from hitting stale VMTraps breakpoints and also doesn't OSR
465         codeblocks that otherwise don't need to be jettisoned.
466
467         3) The old exception handler could theoretically fail for a couple
468         of reasons then resume execution with a clobbered instruction
469         set. This patch will kill the program if the exception handler
470         would fail.
471
472         This patch also refactors some of the jsc.cpp functions to take the
473         CommandLine options object instead of individual options. Also, there
474         is a new command line option that makes exceptions due to watchdog
475         timeouts an acceptable result.
476
477         * API/tests/testapi.c:
478         (main):
479         * bytecode/CodeBlock.cpp:
480         (JSC::CodeBlock::installVMTrapBreakpoints):
481         * dfg/DFGCommonData.cpp:
482         (JSC::DFG::pcCodeBlockMap):
483         (JSC::DFG::CommonData::invalidate):
484         (JSC::DFG::CommonData::~CommonData):
485         (JSC::DFG::CommonData::installVMTrapBreakpoints):
486         (JSC::DFG::codeBlockForVMTrapPC):
487         * dfg/DFGCommonData.h:
488         * jsc.cpp:
489         (functionDollarAgentStart):
490         (checkUncaughtException):
491         (checkException):
492         (runWithOptions):
493         (printUsageStatement):
494         (CommandLine::parseArguments):
495         (jscmain):
496         (runWithScripts): Deleted.
497         * runtime/JSLock.cpp:
498         (JSC::JSLock::didAcquireLock):
499         * runtime/VMTraps.cpp:
500         (JSC::sanitizedTopCallFrame):
501         (JSC::VMTraps::tryInstallTrapBreakpoints):
502         (JSC::VMTraps::willDestroyVM):
503         (JSC::VMTraps::fireTrap):
504         (JSC::VMTraps::handleTraps):
505         (JSC::VMTraps::VMTraps):
506         (JSC::VMTraps::~VMTraps):
507         (JSC::findActiveVMAndStackBounds): Deleted.
508         (JSC::installSignalHandler): Deleted.
509         (JSC::VMTraps::addSignalSender): Deleted.
510         (JSC::VMTraps::removeSignalSender): Deleted.
511         (JSC::VMTraps::SignalSender::willDestroyVM): Deleted.
512         (JSC::VMTraps::SignalSender::send): Deleted.
513         * runtime/VMTraps.h:
514         (JSC::VMTraps::~VMTraps): Deleted.
515         (JSC::VMTraps::SignalSender::SignalSender): Deleted.
516
517 2017-06-28  Devin Rousso  <drousso@apple.com>
518
519         Web Inspector: Instrument active pixel memory used by canvases
520         https://bugs.webkit.org/show_bug.cgi?id=173087
521         <rdar://problem/32719261>
522
523         Reviewed by Joseph Pecoraro.
524
525         * inspector/protocol/Canvas.json:
526          - Add optional `memoryCost` attribute to the `Canvas` type.
527          - Add `canvasMemoryChanged` event that is dispatched when the `memoryCost` of a canvas changes.
528
529 2017-06-28  Joseph Pecoraro  <pecoraro@apple.com>
530
531         Web Inspector: Cleanup Protocol JSON files
532         https://bugs.webkit.org/show_bug.cgi?id=173934
533
534         Reviewed by Matt Baker.
535
536         * inspector/protocol/ApplicationCache.json:
537         * inspector/protocol/CSS.json:
538         * inspector/protocol/Console.json:
539         * inspector/protocol/DOM.json:
540         * inspector/protocol/DOMDebugger.json:
541         * inspector/protocol/Debugger.json:
542         * inspector/protocol/LayerTree.json:
543         * inspector/protocol/Network.json:
544         * inspector/protocol/Page.json:
545         * inspector/protocol/Runtime.json:
546         Be more consistent about placement of `description` property.
547
548 2017-06-27  Joseph Pecoraro  <pecoraro@apple.com>
549
550         Web Inspector: Remove unused Inspector domain events
551         https://bugs.webkit.org/show_bug.cgi?id=173905
552
553         Reviewed by Matt Baker.
554
555         * inspector/protocol/Inspector.json:
556
557 2017-06-28  JF Bastien  <jfbastien@apple.com>
558
559         Ensure that computed new stack pointer values do not underflow.
560         https://bugs.webkit.org/show_bug.cgi?id=173700
561         <rdar://problem/32926032>
562
563         Reviewed by Filip Pizlo and Saam Barati, update reviewed by Mark Lam.
564
565         Patch by Mark Lam, with the following fix:
566
567         Re-apply this patch; it originally broke the ARM build because the llint code
568         generated `subs xzr, x3, sp` which isn't valid ARM64: the third operand cannot
569         be SP (that encoding would be ZR instead, subtracting zero). Flip the comparison
570         and operands to emit valid code (because the second operand can be SP).
571
572         1. Added a RELEASE_ASSERT to BytecodeGenerator::generate() to ensure that
573            m_numCalleeLocals is sane.
574
575         2. Added underflow checks in LLInt code and VarargsFrame code.
576
577         3. Introduce minimumReservedZoneSize, which is hardcoded to 16K.
578            Ensure that Options::reservedZoneSize() is at least minimumReservedZoneSize.
579            Ensure that Options::softReservedZoneSize() is at least greater than
580            Options::reservedZoneSize() by minimumReservedZoneSize.
581
582         4. Ensure that stack checks emitted by JIT tiers include an underflow check if
583            and only if the max size of the frame is greater than Options::reservedZoneSize().
584
585            By design, we are guaranteed to have at least Options::reservedZoneSize() bytes
586            of memory at the bottom (end) of the stack.  This means that, at any time, the
587            frame pointer must be at least Options::reservedZoneSize() bytes away from the
588            end of the stack.  Hence, if the max frame size is less than
589            Options::reservedZoneSize(), there's no way that frame pointer - max
590            frame size can underflow, and we can elide the underflow check.
591
592            Note that we use Options::reservedZoneSize() instead of
593            Options::softReservedZoneSize() to determine whether we need an underflow check.
594            This is because the softStackLimit that is used for stack checks can be set
595            based on Options::reservedZoneSize() during error handling (e.g. when creating
596            strings for instantiating the Error object).  Hence, the guaranteed minimum
597            distance between the frame pointer and the end of the stack is
598            Options::reservedZoneSize() and not Options::softReservedZoneSize().
599
600            Note also that we ensure that Options::reservedZoneSize() is at least
601            minimumReservedZoneSize (i.e. 16K).  In typical deployments,
602            Options::reservedZoneSize() may be larger.  Using Options::reservedZoneSize()
603            instead of minimumReservedZoneSize gives us more chances to elide underflow
604            checks.
605
606         * JavaScriptCore.xcodeproj/project.pbxproj:
607         * bytecompiler/BytecodeGenerator.cpp:
608         (JSC::BytecodeGenerator::generate):
609         * dfg/DFGGraph.cpp:
610         (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit):
611         * dfg/DFGJITCompiler.cpp:
612         (JSC::DFG::emitStackOverflowCheck):
613         (JSC::DFG::JITCompiler::compile):
614         (JSC::DFG::JITCompiler::compileFunction):
615         * ftl/FTLLowerDFGToB3.cpp:
616         (JSC::FTL::DFG::LowerDFGToB3::lower):
617         * jit/JIT.cpp:
618         (JSC::JIT::compileWithoutLinking):
619         * jit/SetupVarargsFrame.cpp:
620         (JSC::emitSetupVarargsFrameFastCase):
621         * llint/LLIntSlowPaths.cpp:
622         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
623         * llint/LowLevelInterpreter.asm:
624         * llint/LowLevelInterpreter32_64.asm:
625         * llint/LowLevelInterpreter64.asm:
626         * runtime/MinimumReservedZoneSize.h: Added.
627         * runtime/Options.cpp:
628         (JSC::recomputeDependentOptions):
629         * runtime/VM.cpp:
630         (JSC::VM::updateStackLimits):
631         * wasm/WasmB3IRGenerator.cpp:
632         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
633         * wasm/js/WebAssemblyFunction.cpp:
634         (JSC::callWebAssemblyFunction):
635
636 2017-06-28  Chris Dumez  <cdumez@apple.com>
637
638         Unreviewed, rolling out r218869.
639
640         Broke the iOS build
641
642         Reverted changeset:
643
644         "Ensure that computed new stack pointer values do not
645         underflow."
646         https://bugs.webkit.org/show_bug.cgi?id=173700
647         http://trac.webkit.org/changeset/218869
648
649 2017-06-28  Chris Dumez  <cdumez@apple.com>
650
651         Unreviewed, rolling out r218873.
652
653         Broke the iOS build
654
655         Reverted changeset:
656
657         "Gardening: CLoop build fix."
658         https://bugs.webkit.org/show_bug.cgi?id=173700
659         http://trac.webkit.org/changeset/218873
660
661 2017-06-28  Mark Lam  <mark.lam@apple.com>
662
663         Gardening: CLoop build fix.
664         https://bugs.webkit.org/show_bug.cgi?id=173700
665         <rdar://problem/32926032>
666
667         Not reviewed.
668
669         * llint/LLIntSlowPaths.cpp:
670         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
671
672 2017-06-28  Mark Lam  <mark.lam@apple.com>
673
674         Ensure that computed new stack pointer values do not underflow.
675         https://bugs.webkit.org/show_bug.cgi?id=173700
676         <rdar://problem/32926032>
677
678         Reviewed by Filip Pizlo and Saam Barati.
679
680         1. Added a RELEASE_ASSERT to BytecodeGenerator::generate() to ensure that
681            m_numCalleeLocals is sane.
682
683         2. Added underflow checks in LLInt code and VarargsFrame code.
684
685         3. Introduce minimumReservedZoneSize, which is hardcoded to 16K.
686            Ensure that Options::reservedZoneSize() is at least minimumReservedZoneSize.
687            Ensure that Options::softReservedZoneSize() is at least greater than
688            Options::reservedZoneSize() by minimumReservedZoneSize.
689
690         4. Ensure that stack checks emitted by JIT tiers include an underflow check if
691            and only if the max size of the frame is greater than Options::reservedZoneSize().
692
693            By design, we are guaranteed to have at least Options::reservedZoneSize() bytes
694            of memory at the bottom (end) of the stack.  This means that, at any time, the
695            frame pointer must be at least Options::reservedZoneSize() bytes away from the
696            end of the stack.  Hence, if the max frame size is less than
697            Options::reservedZoneSize(), there's no way that frame pointer - max
698            frame size can underflow, and we can elide the underflow check.
699
700            Note that we use Options::reservedZoneSize() instead of
701            Options::softReservedZoneSize() to determine whether we need an underflow check.
702            This is because the softStackLimit that is used for stack checks can be set
703            based on Options::reservedZoneSize() during error handling (e.g. when creating
704            strings for instantiating the Error object).  Hence, the guaranteed minimum
705            distance between the frame pointer and the end of the stack is
706            Options::reservedZoneSize() and not Options::softReservedZoneSize().
707
708            Note also that we ensure that Options::reservedZoneSize() is at least
709            minimumReservedZoneSize (i.e. 16K).  In typical deployments,
710            Options::reservedZoneSize() may be larger.  Using Options::reservedZoneSize()
711            instead of minimumReservedZoneSize gives us more chances to elide underflow
712            checks.
713
714         * JavaScriptCore.xcodeproj/project.pbxproj:
715         * bytecompiler/BytecodeGenerator.cpp:
716         (JSC::BytecodeGenerator::generate):
717         * dfg/DFGGraph.cpp:
718         (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit):
719         * dfg/DFGJITCompiler.cpp:
720         (JSC::DFG::JITCompiler::compile):
721         (JSC::DFG::JITCompiler::compileFunction):
722         * ftl/FTLLowerDFGToB3.cpp:
723         (JSC::FTL::DFG::LowerDFGToB3::lower):
724         * jit/JIT.cpp:
725         (JSC::JIT::compileWithoutLinking):
726         * jit/SetupVarargsFrame.cpp:
727         (JSC::emitSetupVarargsFrameFastCase):
728         * llint/LLIntSlowPaths.cpp:
729         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
730         * llint/LowLevelInterpreter.asm:
731         * llint/LowLevelInterpreter32_64.asm:
732         * llint/LowLevelInterpreter64.asm:
733         * runtime/MinimumReservedZoneSize.h: Added.
734         * runtime/Options.cpp:
735         (JSC::recomputeDependentOptions):
736         * runtime/VM.cpp:
737         (JSC::VM::updateStackLimits):
738         * wasm/WasmB3IRGenerator.cpp:
739         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
740         * wasm/js/WebAssemblyFunction.cpp:
741         (JSC::callWebAssemblyFunction):
742
743 2017-06-27  JF Bastien  <jfbastien@apple.com>
744
745         WebAssembly: running out of executable memory should throw OoM
746         https://bugs.webkit.org/show_bug.cgi?id=171537
747         <rdar://problem/32963338>
748
749         Reviewed by Saam Barati.
750
751         Both on first compile with BBQ as well as on tier-up with OMG,
752         running out of X memory shouldn't cause the entire program to
753         terminate. An exception will do when compiling initial code (since
754         we don't have any other fallback at the moment), and refusal to
755         tier up will do as well (it'll just be slower).
756
757         This is useful because programs which generate huge amounts of
758         code simply look like crashes, which developers report to
759         us. Getting a JavaScript exception instead is much clearer.
760
761         * jit/ExecutableAllocator.cpp:
762         (JSC::ExecutableAllocator::allocate):
763         * llint/LLIntSlowPaths.cpp:
764         (JSC::LLInt::shouldJIT):
765         * runtime/Options.h:
766         * wasm/WasmBBQPlan.cpp:
767         (JSC::Wasm::BBQPlan::prepare):
768         (JSC::Wasm::BBQPlan::complete):
769         * wasm/WasmBinding.cpp:
770         (JSC::Wasm::wasmToJs):
771         (JSC::Wasm::wasmToWasm):
772         * wasm/WasmBinding.h:
773         * wasm/WasmOMGPlan.cpp:
774         (JSC::Wasm::OMGPlan::work):
775         * wasm/js/JSWebAssemblyCodeBlock.cpp:
776         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
777         * wasm/js/JSWebAssemblyCodeBlock.h:
778         * wasm/js/JSWebAssemblyInstance.cpp:
779         (JSC::JSWebAssemblyInstance::finalizeCreation):
780
781 2017-06-27  Saam Barati  <sbarati@apple.com>
782
783         JITStubRoutine::passesFilter should use isJITPC
784         https://bugs.webkit.org/show_bug.cgi?id=173906
785
786         Reviewed by JF Bastien.
787
788         This patch makes JITStubRoutine use the isJITPC abstraction defined
789         inside ExecutableAllocator.h. Before, JITStubRoutine was using a
790         hardcoded platform size constant. This means it'd do the wrong thing
791         if Options::jitMemoryReservationSize() was larger than the defined
792         constant for that platform. This patch also removes a bunch of
793         dead code in that file.
794
795         * jit/ExecutableAllocator.cpp:
796         * jit/ExecutableAllocator.h:
797         * jit/JITStubRoutine.h:
798         (JSC::JITStubRoutine::passesFilter):
799         (JSC::JITStubRoutine::canPerformRangeFilter): Deleted.
800         (JSC::JITStubRoutine::filteringStartAddress): Deleted.
801         (JSC::JITStubRoutine::filteringExtentSize): Deleted.
802
803 2017-06-27  Saam Barati  <sbarati@apple.com>
804
805         Fix some stale comments in Wasm code base
806         https://bugs.webkit.org/show_bug.cgi?id=173814
807
808         Reviewed by Mark Lam.
809
810         * wasm/WasmBinding.cpp:
811         (JSC::Wasm::wasmToJs):
812         * wasm/WasmOMGPlan.cpp:
813         (JSC::Wasm::runOMGPlanForIndex):
814
815 2017-06-27  Caio Lima  <ticaiolima@gmail.com>
816
817         [ESnext] Implement Object Rest - Implementing Object Rest Destructuring
818         https://bugs.webkit.org/show_bug.cgi?id=167962
819
820         Reviewed by Saam Barati.
821
822         The Object Rest/Spread Destructuring proposal is in stage 3 [1] and this
823         patch is a prototype implementation of it. A simple change to the
824         parser was necessary to support the new '...' token in the Object Pattern
825         destructuring rule. On the bytecode generator side, we changed the
826         bytecode generated in ObjectPatternNode::bindValue to store in a
827         set the identifiers of already destructured properties, following spec draft
828         section [2], and then pass it as excludedNames to CopyDataProperties.
829         The rest destructuring calls copyDataProperties to perform the
830         copy of the rest properties from the rhs.
831
832         We also implemented CopyDataProperties as a private JS global operation
833         in builtins/GlobalOperations.js following its specification in [3].
834         It is implemented using a Set object to verify whether a property is in
835         excludedNames, keeping this algorithm at O(n + m) complexity, where n
836         = number of the source's own properties and m = excludedNames.length.
837
838         In this implementation we aren't using excludeList as a constant if the
839         destructuring pattern contains a computed property, i.e. we can
840         only determine the key to be excluded at runtime. If we can define all
841         identifiers in the pattern at compile time, we then create a
842         constant JSSet. This approach gives a good performance improvement,
843         since we allocate the excludeSet just once, reducing GC pressure.
844
845         [1] - https://github.com/tc39/proposal-object-rest-spread
846         [2] - https://tc39.github.io/proposal-object-rest-spread/#Rest-RuntimeSemantics-PropertyDestructuringAssignmentEvaluation
847         [3] - https://tc39.github.io/proposal-object-rest-spread/#AbstractOperations-CopyDataProperties
848
849         * builtins/BuiltinNames.h:
850         * builtins/GlobalOperations.js:
851         (globalPrivate.copyDataProperties):
852         * bytecode/CodeBlock.cpp:
853         (JSC::CodeBlock::finishCreation):
854         * bytecompiler/NodesCodegen.cpp:
855         (JSC::ObjectPatternNode::bindValue):
856         * parser/ASTBuilder.h:
857         (JSC::ASTBuilder::appendObjectPatternEntry):
858         (JSC::ASTBuilder::appendObjectPatternRestEntry):
859         (JSC::ASTBuilder::setContainsObjectRestElement):
860         * parser/Nodes.h:
861         (JSC::ObjectPatternNode::appendEntry):
862         (JSC::ObjectPatternNode::setContainsRestElement):
863         * parser/Parser.cpp:
864         (JSC::Parser<LexerType>::parseDestructuringPattern):
865         (JSC::Parser<LexerType>::parseProperty):
866         * parser/SyntaxChecker.h:
867         (JSC::SyntaxChecker::operatorStackPop):
868         * runtime/JSGlobalObject.cpp:
869         (JSC::JSGlobalObject::init):
870         * runtime/JSGlobalObject.h:
871         (JSC::JSGlobalObject::asyncFunctionStructure):
872         (JSC::JSGlobalObject::setStructure): Deleted.
873         * runtime/JSGlobalObjectFunctions.cpp:
874         (JSC::privateToObject):
875         * runtime/JSGlobalObjectFunctions.h:
876         * runtime/ObjectConstructor.cpp:
877         (JSC::ObjectConstructor::finishCreation):
878         * runtime/SetPrototype.cpp:
879         (JSC::SetPrototype::finishCreation):
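
An added example (not JSC's builtin and not code from this ChangeLog): the CopyDataProperties operation from [3] written in plain JavaScript, with excludedNames as a Set as the entry above describes, plus a small objectRest helper (a hypothetical name) standing in for the bytecode an object rest pattern generates, compared against the engine's native `...rest` on constructed input.

```javascript
// Added example, not JSC code: CopyDataProperties(target, source, excludedNames)
// as specified in the Object Rest/Spread proposal, with excludedNames as a Set.
function copyDataProperties(target, source, excludedNames = new Set()) {
  // A null or undefined source copies nothing.
  if (source === null || source === undefined)
    return target;
  const from = Object(source);
  // OwnPropertyKeys order: string keys first, then symbol keys.
  const keys = [
    ...Object.getOwnPropertyNames(from),
    ...Object.getOwnPropertySymbols(from),
  ];
  for (const key of keys) {
    // Set membership makes the exclusion check O(1) per key, so the whole
    // operation stays O(n + m) as the entry above states.
    if (excludedNames.has(key))
      continue;
    const desc = Object.getOwnPropertyDescriptor(from, key);
    if (desc === undefined || !desc.enumerable)
      continue;
    // CreateDataProperty: define the property, never invoke a setter on target.
    Object.defineProperty(target, key, {
      value: from[key], writable: true, enumerable: true, configurable: true,
    });
  }
  return target;
}

// What `{ a, b, ...rest } = source` compiles to, in outline: the identifiers
// already destructured form excludedNames and the rest element receives a
// fresh object filled by copyDataProperties. Keys known at compile time can
// live in a constant Set; a computed key such as `[expr]` is only known when
// the pattern runs, so it is added at that point.
function objectRest(source, destructuredKeys, computedKeys = []) {
  const excluded = new Set(destructuredKeys);   // the compile-time constant
  for (const key of computedKeys)
    excluded.add(typeof key === "symbol" ? key : String(key)); // ToPropertyKey
  return copyDataProperties({}, source, excluded);
}

// Constructed sample input: a non-enumerable key that must not be copied,
// a symbol key that must be copied, and a getter that must be read exactly once.
function sampleSource() {
  const sym = Symbol("tag");
  let reads = 0;
  const src = { a: 1, b: 2, c: 3, [sym]: 4 };
  Object.defineProperty(src, "hidden", { value: 5, enumerable: false });
  Object.defineProperty(src, "g", { get() { reads++; return 6; }, enumerable: true });
  return { src, sym, reads: () => reads };
}

// Returns our result beside the engine's native object rest for comparison.
function compareWithNative() {
  const { src, sym, reads } = sampleSource();
  const ours = objectRest(src, ["a", "b"]);
  const oursReads = reads();
  const { a, b, ...native } = src;   // a and b are intentionally unused
  return {
    ours, native, sym,
    getterReadOnce: oursReads === 1,
    sameKeys: Reflect.ownKeys(ours).map(String).join() ===
              Reflect.ownKeys(native).map(String).join(),
  };
}
```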
880
881 2017-06-27  Yusuke Suzuki  <utatane.tea@gmail.com>
882
883         [JSC] Do not touch VM after notifying Ready in DFG::Worklist
884         https://bugs.webkit.org/show_bug.cgi?id=173888
885
886         Reviewed by Saam Barati.
887
888         After notifying Plan::Ready and releasing the Worklist lock, the VM can be destroyed.
889         Thus, Plan::vm() can return a destroyed VM. Do not touch it.
890         This causes occasional SEGV / assertion failures in the workers/bomb test.
891
892         * dfg/DFGWorklist.cpp:
893
894 2017-06-27  Saam Barati  <sbarati@apple.com>
895
896         Remove an inaccurate comment inside DFGClobberize.h
897         https://bugs.webkit.org/show_bug.cgi?id=163874
898
899         Reviewed by Filip Pizlo.
900
901         The comment said that Clobberize may or may not be sound if run prior to
902         doing type inference. This is not correct, though. Clobberize *must* be sound
903         prior to doing type inference since we use it inside the BytecodeParser, which
904         is the very first thing the DFG does.
905
906         * dfg/DFGClobberize.h:
907         (JSC::DFG::clobberize):
908
909 2017-06-27  Saam Barati  <sbarati@apple.com>
910
911         Function constructor needs to follow the spec and validate parameters and body independently
912         https://bugs.webkit.org/show_bug.cgi?id=173303
913         <rdar://problem/32732526>
914
915         Reviewed by Keith Miller.
916
917         The Function constructor must check the arguments and body strings
918         independently for syntax errors. People rely on this specified behavior
919         to verify that a particular string is a valid function body. We used
920         to check these strings concatenated together, instead of
921         independently. For example, this used to be valid: `Function("/*", "*/){")`.
922         However, we should throw a syntax error here since "(/*)" is not a valid
923         parameter list, and "*/){" is not a valid body.
924         
925         To implement the specified behavior, we check the syntax independently of
926         both the body and the parameter list. To check that the parameter list has
927         valid syntax, we check that it is valid if in a function with an empty body.
928         To check that the body has valid syntax, we check it is valid in a function
929         with an empty parameter list.
930
931         * runtime/FunctionConstructor.cpp:
932         (JSC::constructFunctionSkippingEvalEnabledCheck):
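
An added example (not JSC code and not from this ChangeLog) of the distinction the entry above draws: checking the assembled source text lets `Function("/*", "*/){")` through, while checking the parameter list and the body independently rejects it. The helper names (concatenatedSource, syntaxCheck, and the two example functions) are hypothetical; the independent checks delegate to the host engine's own Function constructor, which parses each argument against its own grammar goal.

```javascript
// Added example, not JSC code. Demonstrates why the parameter list and body
// passed to the Function constructor must be syntax-checked independently.

// The text an engine assembles for Function(params, body).
function concatenatedSource(params, body) {
  return "(function anonymous(" + params + "\n) {\n" + body + "\n})";
}

// Runs a parse-only thunk and reports whether it was valid syntax. Anything
// other than a SyntaxError is unexpected here and is rethrown.
function isSyntaxOk(thunk) {
  try {
    thunk();
    return true;
  } catch (e) {
    if (e instanceof SyntaxError)
      return false;
    throw e;
  }
}

// Three views of one (params, body) pair:
//  - concatenated: the old check, parsing only the assembled text
//  - params: the list on its own, in a function with an empty body
//  - body: the body on its own, in a function with an empty parameter list
// Nothing constructed here is ever called; new Function only parses.
function syntaxCheck(params, body) {
  return {
    concatenated: isSyntaxOk(() => new Function(concatenatedSource(params, body))),
    params: isSyntaxOk(() => new Function(params, "")),
    body: isSyntaxOk(() => new Function("", body)),
  };
}

// The entry's example: "/*" opens a comment that the body's "*/" closes, so
// the assembled text reads as `(function anonymous(){})` and parses, even
// though neither half is valid on its own.
function commentSmugglingExample() {
  return syntaxCheck("/*", "*/){");
}

// A second way the concatenated check is too weak: a body that closes the
// function early and opens another one. Assembled, it is two well-formed
// function expressions; alone, it is not a valid function body.
function bodyClosesEarlyExample() {
  return syntaxCheck("a", "}); 1; (function(){");
}

// A well-formed pair passes all three checks.
function wellFormedExample() {
  return syntaxCheck("a, b", "return a + b");
}
```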
933
934 2017-06-27  Ting-Wei Lan  <lantw44@gmail.com>
935
936         Add missing includes to fix compilation error on FreeBSD
937         https://bugs.webkit.org/show_bug.cgi?id=172919
938
939         Reviewed by Mark Lam.
940
941         * API/JSRemoteInspector.h:
942         * API/tests/GlobalContextWithFinalizerTest.cpp:
943         * API/tests/TypedArrayCTest.cpp:
944
945 2017-06-27  Joseph Pecoraro  <pecoraro@apple.com>
946
947         Web Inspector: Crash generating object preview for ArrayIterator
948         https://bugs.webkit.org/show_bug.cgi?id=173754
949         <rdar://problem/32859012>
950
951         Reviewed by Saam Barati.
952
953         When Inspector generated an object preview for an ArrayIterator instance, it made
954         a "clone" of the original ArrayIterator instance by constructing a new object with
955         the instance's structure. However, user code could have modified that instance's
956         structure, such as adding / removing properties. The `return` property had special
957         meaning, and our clone did not fill that slot. This approach is brittle in that
958         we weren't satisfying the expectations of an object with a particular Structure,
959         and the original goal of having Web Inspector peek values of built-in Iterators
960         was to avoid observable behavior.
961
962         This tightens Web Inspector's Iterator preview to only peek values if the
963         Iterators would actually be non-observable. It also builds an ArrayIterator
964         clone like a regular object construction.
965
966         * inspector/JSInjectedScriptHost.cpp:
967         (Inspector::cloneArrayIteratorObject):
968         Build up the Object from scratch with a new ArrayIterator prototype.
969
970         (Inspector::JSInjectedScriptHost::iteratorEntries):
971         Only clone and peek iterators if it would not be observable.
972         Also update iteration to be more in line with IterationOperations, such as when
973         we call iteratorClose.
974
975         * runtime/JSGlobalObject.cpp:
976         (JSC::JSGlobalObject::JSGlobalObject):
977         (JSC::JSGlobalObject::init):
978         * runtime/JSGlobalObject.h:
979         (JSC::JSGlobalObject::stringIteratorProtocolWatchpoint):
980         * runtime/JSGlobalObjectInlines.h:
981         (JSC::JSGlobalObject::isStringPrototypeIteratorProtocolFastAndNonObservable):
982         Add a StringIterator WatchPoint in line with the Array/Map/Set iterator watchpoints.
983
984         * runtime/JSMap.cpp:
985         (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
986         (JSC::JSMap::canCloneFastAndNonObservable):
987         * runtime/JSMap.h:
988         * runtime/JSSet.cpp:
989         (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
990         (JSC::JSSet::canCloneFastAndNonObservable):
991         * runtime/JSSet.h:
992         Promote isIteratorProtocolFastAndNonObservable to a method.
993
994         * runtime/JSObject.cpp:
995         (JSC::canDoFastPutDirectIndex):
996         * runtime/JSTypeInfo.h:
997         (JSC::TypeInfo::isArgumentsType):
998         Helper to detect if an Object is an Arguments type.
999
1000 2017-06-26  Saam Barati  <sbarati@apple.com>
1001
1002         RegExpPrototype.js builtin uses for-of iteration which is almost certainly incorrect
1003         https://bugs.webkit.org/show_bug.cgi?id=173740
1004
1005         Reviewed by Mark Lam.
1006
1007         The builtin was using for-of iteration to iterate over an internal
1008         list in its algorithm. For-of iteration is observable via user code
1009         in the global object, so this approach was wrong as it would break if
1010         a user changed the Array iteration protocol in some way.
1011
1012         * builtins/RegExpPrototype.js:
1013         (replace):
1014
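
An added example (not JSC's builtin and not code from this ChangeLog) covering this entry and the Web Inspector iterator-preview entry above: an internal list iterated with for-of is observable and alterable from user code through the Array iteration protocol, an indexed loop is not, and a snapshot of the protocol can tell a caller whether iteration would be unobservable before relying on it. The function names are hypothetical; the hook is installed and removed within the example itself.

```javascript
// Added example, not JSC code: the observability difference between for-of
// over an internal list and an indexed loop over the same list.

// Two versions of a helper that joins the "results" list an algorithm such as
// RegExp.prototype[@@replace] accumulates internally.
function joinWithForOf(results) {
  let out = "";
  for (const piece of results)   // observable: goes through @@iterator / next
    out += piece;
  return out;
}
function joinWithIndex(results) {
  let out = "";
  for (let i = 0; i < results.length; i++)   // no protocol lookups at all
    out += results[i];
  return out;
}

// Pristine protocol captured at load time. A check against this snapshot
// plays the role of the iterator-protocol watchpoints the Inspector entry
// describes: peek only while the protocol is known to be unmodified.
const pristine = {
  arrayIterator: Array.prototype[Symbol.iterator],
  next: Object.getPrototypeOf([][Symbol.iterator]()).next,
};
function arrayIterationIsPristine() {
  const proto = Object.getPrototypeOf([][Symbol.iterator]());
  return Array.prototype[Symbol.iterator] === pristine.arrayIterator &&
         proto.next === pristine.next;
}

// Runs fn with a user-level hook on %ArrayIteratorPrototype%.next, then
// restores it. Returns fn's result and how many values the hook intercepted
// (0 means the iteration was not observable from user code).
function runWithHookedArrayIteration(fn) {
  const proto = Object.getPrototypeOf([][Symbol.iterator]());
  const originalNext = proto.next;
  let intercepted = 0;
  proto.next = function () {
    const result = originalNext.call(this);
    if (!result.done) {
      intercepted++;
      result.value = "<tampered>";   // the internal list's values are replaced
    }
    return result;
  };
  try {
    const value = fn();
    return { value, intercepted };
  } finally {
    proto.next = originalNext;
  }
}
```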
1015 2017-06-26  Mark Lam  <mark.lam@apple.com>
1016
1017         Renamed DumpRegisterFunctor to DumpReturnVirtualPCFunctor.
1018         https://bugs.webkit.org/show_bug.cgi?id=173848
1019
1020         Reviewed by JF Bastien.
1021
1022         This functor only dumps the return VirtualPC.
1023
1024         * interpreter/Interpreter.cpp:
1025         (JSC::DumpReturnVirtualPCFunctor::DumpReturnVirtualPCFunctor):
1026         (JSC::Interpreter::dumpRegisters):
1027         (JSC::DumpRegisterFunctor::DumpRegisterFunctor): Deleted.
1028         (JSC::DumpRegisterFunctor::operator()): Deleted.
1029
1030 2017-06-26  Saam Barati  <sbarati@apple.com>
1031
1032         Crash in JSC::Lexer<unsigned char>::setCode
1033         https://bugs.webkit.org/show_bug.cgi?id=172754
1034
1035         Reviewed by Mark Lam.
1036
1037         The lexer was asking one of its buffers to reserve initial space that
1038         was O(text size in bytes). For large sources, this would end up causing
1039         the vector to overflow and crash. This patch changes this code to be like
1040         the Lexer's other buffers and to only reserve a small starting buffer.
1041
1042         * parser/Lexer.cpp:
1043         (JSC::Lexer<T>::setCode):
1044
1045 2017-06-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1046
1047         [WTF] Drop Thread::create(obsolete things) API since we can use lambda
1048         https://bugs.webkit.org/show_bug.cgi?id=173825
1049
1050         Reviewed by Saam Barati.
1051
1052         * jsc.cpp:
1053         (startTimeoutThreadIfNeeded):
1054         (timeoutThreadMain): Deleted.
1055
1056 2017-06-26  Konstantin Tokarev  <annulen@yandex.ru>
1057
1058         Unreviewed, add missing header for CLoop
1059
1060         * runtime/SymbolTable.cpp:
1061
1062 2017-06-26  Konstantin Tokarev  <annulen@yandex.ru>
1063
1064         Unreviewed, add missing header includes
1065
1066         * parser/Lexer.h:
1067
1068 2017-06-25  Konstantin Tokarev  <annulen@yandex.ru>
1069
1070         Remove excessive headers from JavaScriptCore
1071         https://bugs.webkit.org/show_bug.cgi?id=173812
1072
1073         Reviewed by Darin Adler.
1074
1075         * API/APIUtils.h:
1076         * assembler/LinkBuffer.cpp:
1077         * assembler/MacroAssemblerCodeRef.cpp:
1078         * b3/air/AirLiveness.h:
1079         * b3/air/AirLowerAfterRegAlloc.cpp:
1080         * bindings/ScriptValue.cpp:
1081         * bindings/ScriptValue.h:
1082         * bytecode/AccessCase.cpp:
1083         * bytecode/AccessCase.h:
1084         * bytecode/ArrayProfile.h:
1085         * bytecode/BytecodeDumper.h:
1086         * bytecode/BytecodeIntrinsicRegistry.cpp:
1087         * bytecode/BytecodeKills.h:
1088         * bytecode/BytecodeLivenessAnalysis.h:
1089         * bytecode/BytecodeUseDef.h:
1090         * bytecode/CallLinkStatus.h:
1091         * bytecode/CodeBlock.h:
1092         * bytecode/CodeOrigin.h:
1093         * bytecode/ComplexGetStatus.h:
1094         * bytecode/GetByIdStatus.h:
1095         * bytecode/GetByIdVariant.h:
1096         * bytecode/InlineCallFrame.h:
1097         * bytecode/InlineCallFrameSet.h:
1098         * bytecode/Instruction.h:
1099         * bytecode/InternalFunctionAllocationProfile.h:
1100         * bytecode/JumpTable.h:
1101         * bytecode/MethodOfGettingAValueProfile.h:
1102         * bytecode/ObjectPropertyConditionSet.h:
1103         * bytecode/Operands.h:
1104         * bytecode/PolymorphicAccess.h:
1105         * bytecode/PutByIdStatus.h:
1106         * bytecode/SpeculatedType.cpp:
1107         * bytecode/StructureSet.h:
1108         * bytecode/StructureStubInfo.h:
1109         * bytecode/UnlinkedCodeBlock.h:
1110         * bytecode/UnlinkedFunctionExecutable.h:
1111         * bytecode/ValueProfile.h:
1112         * bytecompiler/BytecodeGenerator.cpp:
1113         * bytecompiler/BytecodeGenerator.h:
1114         * bytecompiler/Label.h:
1115         * bytecompiler/StaticPropertyAnalysis.h:
1116         * debugger/DebuggerCallFrame.cpp:
1117         * dfg/DFGAbstractInterpreter.h:
1118         * dfg/DFGAdjacencyList.h:
1119         * dfg/DFGArgumentsUtilities.h:
1120         * dfg/DFGArrayMode.h:
1121         * dfg/DFGArrayifySlowPathGenerator.h:
1122         * dfg/DFGBackwardsPropagationPhase.h:
1123         * dfg/DFGBasicBlock.h:
1124         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
1125         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
1126         * dfg/DFGCapabilities.h:
1127         * dfg/DFGCommon.h:
1128         * dfg/DFGCommonData.h:
1129         * dfg/DFGDesiredIdentifiers.h:
1130         * dfg/DFGDesiredWatchpoints.h:
1131         * dfg/DFGDisassembler.cpp:
1132         * dfg/DFGDominators.h:
1133         * dfg/DFGDriver.cpp:
1134         * dfg/DFGDriver.h:
1135         * dfg/DFGEdgeDominates.h:
1136         * dfg/DFGFinalizer.h:
1137         * dfg/DFGGenerationInfo.h:
1138         * dfg/DFGJITCompiler.cpp:
1139         * dfg/DFGJITCompiler.h:
1140         * dfg/DFGJITFinalizer.h:
1141         * dfg/DFGLivenessAnalysisPhase.h:
1142         * dfg/DFGMinifiedNode.h:
1143         * dfg/DFGMultiGetByOffsetData.h:
1144         * dfg/DFGNaturalLoops.cpp:
1145         * dfg/DFGNaturalLoops.h:
1146         * dfg/DFGNode.h:
1147         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
1148         * dfg/DFGOSRExit.h:
1149         * dfg/DFGOSRExitCompilationInfo.h:
1150         * dfg/DFGOSRExitCompiler.cpp:
1151         * dfg/DFGOSRExitCompiler.h:
1152         * dfg/DFGOSRExitJumpPlaceholder.h:
1153         * dfg/DFGOperations.cpp:
1154         * dfg/DFGOperations.h:
1155         * dfg/DFGPlan.h:
1156         * dfg/DFGPreciseLocalClobberize.h:
1157         * dfg/DFGPromotedHeapLocation.h:
1158         * dfg/DFGRegisteredStructure.h:
1159         * dfg/DFGRegisteredStructureSet.h:
1160         * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
1161         * dfg/DFGSlowPathGenerator.h:
1162         * dfg/DFGSnippetParams.h:
1163         * dfg/DFGSpeculativeJIT.h:
1164         * dfg/DFGToFTLDeferredCompilationCallback.h:
1165         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h:
1166         * dfg/DFGValidate.h:
1167         * dfg/DFGValueSource.h:
1168         * dfg/DFGVariableEvent.h:
1169         * dfg/DFGVariableEventStream.h:
1170         * dfg/DFGWorklist.h:
1171         * domjit/DOMJITCallDOMGetterSnippet.h:
1172         * domjit/DOMJITEffect.h:
1173         * ftl/FTLLink.cpp:
1174         * ftl/FTLLowerDFGToB3.cpp:
1175         * ftl/FTLPatchpointExceptionHandle.h:
1176         * heap/AllocatorAttributes.h:
1177         * heap/CodeBlockSet.h:
1178         * heap/DeferGC.h:
1179         * heap/GCSegmentedArray.h:
1180         * heap/Heap.cpp:
1181         * heap/Heap.h:
1182         * heap/IncrementalSweeper.h:
1183         * heap/ListableHandler.h:
1184         * heap/MachineStackMarker.h:
1185         * heap/MarkedAllocator.h:
1186         * heap/MarkedBlock.cpp:
1187         * heap/MarkedBlock.h:
1188         * heap/MarkingConstraint.h:
1189         * heap/SlotVisitor.cpp:
1190         * heap/SlotVisitor.h:
1191         * inspector/ConsoleMessage.cpp:
1192         * inspector/ConsoleMessage.h:
1193         * inspector/InjectedScript.h:
1194         * inspector/InjectedScriptHost.h:
1195         * inspector/InjectedScriptManager.cpp:
1196         * inspector/JSGlobalObjectInspectorController.cpp:
1197         * inspector/JavaScriptCallFrame.h:
1198         * inspector/ScriptCallStack.h:
1199         * inspector/ScriptCallStackFactory.cpp:
1200         * inspector/ScriptDebugServer.h:
1201         * inspector/agents/InspectorConsoleAgent.h:
1202         * inspector/agents/InspectorDebuggerAgent.cpp:
1203         * inspector/agents/InspectorDebuggerAgent.h:
1204         * inspector/agents/InspectorHeapAgent.cpp:
1205         * inspector/agents/InspectorHeapAgent.h:
1206         * inspector/agents/InspectorRuntimeAgent.h:
1207         * inspector/agents/InspectorScriptProfilerAgent.cpp:
1208         * inspector/agents/InspectorScriptProfilerAgent.h:
1209         * inspector/agents/JSGlobalObjectConsoleAgent.h:
1210         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
1211         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
1212         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
1213         * inspector/augmentable/AlternateDispatchableAgent.h:
1214         * interpreter/CLoopStack.h:
1215         * interpreter/CachedCall.h:
1216         * interpreter/CallFrame.h:
1217         * interpreter/Interpreter.cpp:
1218         * interpreter/Interpreter.h:
1219         * jit/AssemblyHelpers.cpp:
1220         * jit/AssemblyHelpers.h:
1221         * jit/CCallHelpers.h:
1222         * jit/CallFrameShuffler.h:
1223         * jit/ExecutableAllocator.h:
1224         * jit/GCAwareJITStubRoutine.h:
1225         * jit/HostCallReturnValue.h:
1226         * jit/ICStats.h:
1227         * jit/JIT.cpp:
1228         * jit/JIT.h:
1229         * jit/JITAddGenerator.h:
1230         * jit/JITCall32_64.cpp:
1231         * jit/JITCode.h:
1232         * jit/JITDisassembler.cpp:
1233         * jit/JITExceptions.cpp:
1234         * jit/JITMathIC.h:
1235         * jit/JITOpcodes.cpp:
1236         * jit/JITOperations.cpp:
1237         * jit/JITOperations.h:
1238         * jit/JITThunks.cpp:
1239         * jit/JITThunks.h:
1240         * jit/JSInterfaceJIT.h:
1241         * jit/PCToCodeOriginMap.h:
1242         * jit/PolymorphicCallStubRoutine.h:
1243         * jit/RegisterSet.h:
1244         * jit/Repatch.h:
1245         * jit/SetupVarargsFrame.h:
1246         * jit/Snippet.h:
1247         * jit/SnippetParams.h:
1248         * jit/ThunkGenerators.h:
1249         * jsc.cpp:
1250         * llint/LLIntCLoop.h:
1251         * llint/LLIntEntrypoint.h:
1252         * llint/LLIntExceptions.h:
1253         * llint/LLIntOfflineAsmConfig.h:
1254         * llint/LLIntSlowPaths.cpp:
1255         * parser/NodeConstructors.h:
1256         * parser/Nodes.cpp:
1257         * parser/Nodes.h:
1258         * parser/Parser.cpp:
1259         * parser/Parser.h:
1260         * parser/ParserTokens.h:
1261         * parser/SourceProviderCacheItem.h:
1262         * profiler/ProfilerBytecodeSequence.h:
1263         * profiler/ProfilerDatabase.cpp:
1264         * profiler/ProfilerDatabase.h:
1265         * profiler/ProfilerOrigin.h:
1266         * profiler/ProfilerOriginStack.h:
1267         * profiler/ProfilerProfiledBytecodes.h:
1268         * profiler/ProfilerUID.h:
1269         * runtime/AbstractModuleRecord.h:
1270         * runtime/ArrayConstructor.h:
1271         * runtime/ArrayConventions.h:
1272         * runtime/ArrayIteratorPrototype.h:
1273         * runtime/ArrayPrototype.h:
1274         * runtime/BasicBlockLocation.h:
1275         * runtime/Butterfly.h:
1276         * runtime/CallData.cpp:
1277         * runtime/CodeCache.h:
1278         * runtime/CommonSlowPaths.cpp:
1279         * runtime/CommonSlowPaths.h:
1280         * runtime/CommonSlowPathsExceptions.cpp:
1281         * runtime/Completion.cpp:
1282         * runtime/ControlFlowProfiler.h:
1283         * runtime/DateInstanceCache.h:
1284         * runtime/ErrorConstructor.h:
1285         * runtime/ErrorInstance.h:
1286         * runtime/ExceptionHelpers.cpp:
1287         * runtime/ExceptionHelpers.h:
1288         * runtime/ExecutableBase.h:
1289         * runtime/FunctionExecutable.h:
1290         * runtime/HasOwnPropertyCache.h:
1291         * runtime/Identifier.h:
1292         * runtime/InternalFunction.h:
1293         * runtime/IntlCollator.cpp:
1294         * runtime/IntlCollatorPrototype.h:
1295         * runtime/IntlDateTimeFormatPrototype.h:
1296         * runtime/IntlNumberFormat.cpp:
1297         * runtime/IntlNumberFormatPrototype.h:
1298         * runtime/IteratorOperations.cpp:
1299         * runtime/JSArray.h:
1300         * runtime/JSArrayBufferPrototype.h:
1301         * runtime/JSCJSValue.h:
1302         * runtime/JSCJSValueInlines.h:
1303         * runtime/JSCell.h:
1304         * runtime/JSFunction.cpp:
1305         * runtime/JSFunction.h:
1306         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1307         * runtime/JSGlobalObject.cpp:
1308         * runtime/JSGlobalObject.h:
1309         * runtime/JSGlobalObjectDebuggable.cpp:
1310         * runtime/JSGlobalObjectDebuggable.h:
1311         * runtime/JSGlobalObjectFunctions.cpp:
1312         * runtime/JSGlobalObjectFunctions.h:
1313         * runtime/JSJob.cpp:
1314         * runtime/JSLock.h:
1315         * runtime/JSModuleLoader.cpp:
1316         * runtime/JSModuleNamespaceObject.h:
1317         * runtime/JSModuleRecord.h:
1318         * runtime/JSObject.cpp:
1319         * runtime/JSObject.h:
1320         * runtime/JSRunLoopTimer.h:
1321         * runtime/JSTemplateRegistryKey.h:
1322         * runtime/JSTypedArrayPrototypes.cpp:
1323         * runtime/JSTypedArrayPrototypes.h:
1324         * runtime/JSTypedArrays.h:
1325         * runtime/LiteralParser.h:
1326         * runtime/MatchResult.h:
1327         * runtime/MemoryStatistics.h:
1328         * runtime/PrivateName.h:
1329         * runtime/PromiseDeferredTimer.h:
1330         * runtime/ProxyObject.h:
1331         * runtime/RegExp.h:
1332         * runtime/SamplingProfiler.cpp:
1333         * runtime/SmallStrings.h:
1334         * runtime/StringPrototype.cpp:
1335         * runtime/StringRecursionChecker.h:
1336         * runtime/Structure.h:
1337         * runtime/SymbolConstructor.h:
1338         * runtime/SymbolPrototype.cpp:
1339         * runtime/SymbolPrototype.h:
1340         * runtime/TypeProfiler.h:
1341         * runtime/TypeProfilerLog.h:
1342         * runtime/TypedArrayType.h:
1343         * runtime/VM.cpp:
1344         * runtime/VM.h:
1345         * runtime/VMEntryScope.h:
1346         * runtime/WeakMapData.h:
1347         * runtime/WriteBarrier.h:
1348         * tools/FunctionOverrides.cpp:
1349         * tools/FunctionOverrides.h:
1350         * wasm/WasmBinding.cpp:
1351         * wasm/js/JSWebAssemblyCodeBlock.h:
1352         * wasm/js/WebAssemblyPrototype.cpp:
1353         * yarr/Yarr.h:
1354         * yarr/YarrJIT.cpp:
1355         * yarr/YarrJIT.h:
1356         * yarr/YarrParser.h:
1357
1358 2017-06-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1359
1360         [JSC] Clean up Object.entries implementation
1361         https://bugs.webkit.org/show_bug.cgi?id=173759
1362
1363         Reviewed by Sam Weinig.
1364
1365         This patch cleans up Object.entries implementation.
1366         We drop unused private functions. And we merge the
1367         implementation into Object.entries.
1368
1369         It slightly speeds up Object.entries speed.
1370
1371                                      baseline                  patched
1372
1373             object-entries      148.0101+-5.6627          142.1877+-4.8661          might be 1.0409x faster
1374
1375
1376         * builtins/BuiltinNames.h:
1377         * builtins/ObjectConstructor.js:
1378         (entries):
1379         (globalPrivate.enumerableOwnProperties): Deleted.
1380         * runtime/JSGlobalObject.cpp:
1381         (JSC::JSGlobalObject::init):
1382         * runtime/ObjectConstructor.cpp:
1383         (JSC::ownEnumerablePropertyKeys): Deleted.
1384         * runtime/ObjectConstructor.h:
1385
1386 2017-06-24  Joseph Pecoraro  <pecoraro@apple.com>
1387
1388         Remove Reflect.enumerate
1389         https://bugs.webkit.org/show_bug.cgi?id=173806
1390
1391         Reviewed by Yusuke Suzuki.
1392
1393         * CMakeLists.txt:
1394         * JavaScriptCore.xcodeproj/project.pbxproj:
1395         * inspector/JSInjectedScriptHost.cpp:
1396         (Inspector::JSInjectedScriptHost::subtype):
1397         (Inspector::JSInjectedScriptHost::getInternalProperties):
1398         (Inspector::JSInjectedScriptHost::iteratorEntries):
1399         * runtime/JSGlobalObject.cpp:
1400         (JSC::JSGlobalObject::init):
1401         (JSC::JSGlobalObject::visitChildren):
1402         * runtime/JSPropertyNameIterator.cpp: Removed.
1403         * runtime/JSPropertyNameIterator.h: Removed.
1404         * runtime/ReflectObject.cpp:
1405         (JSC::reflectObjectEnumerate): Deleted.
1406
1407 2017-06-23  Keith Miller  <keith_miller@apple.com>
1408
1409         Switch VMTraps to use halt instructions rather than breakpoint instructions
1410         https://bugs.webkit.org/show_bug.cgi?id=173677
1411         <rdar://problem/32178892>
1412
1413         Reviewed by JF Bastien.
1414
1415         Using the breakpoint instruction for VMTraps caused issues with lldb.
1416         Since we only need some way to stop execution we can, in theory, use
1417         any exceptioning instruction we want. I went with the halt instruction
1418         on X86 since that is the only one byte instruction that does not
1419         breakpoint (in my tests both 0xf1 and 0xd6 produced EXC_BREAKPOINT).
1420         On ARM we use the data cache clearing instruction with the zero register,
1421         which triggers a segmentation fault.
1422
1423         Also, update the platform code to only use signaling VMTraps
1424         on platforms where we have an appropriate instruction (x86 and ARM64).
1425
1426         * API/tests/ExecutionTimeLimitTest.cpp:
1427         (testExecutionTimeLimit):
1428         * assembler/ARM64Assembler.h:
1429         (JSC::ARM64Assembler::replaceWithVMHalt):
1430         (JSC::ARM64Assembler::dataCacheZeroVirtualAddress):
1431         (JSC::ARM64Assembler::replaceWithBkpt): Deleted.
1432         * assembler/ARMAssembler.h:
1433         (JSC::ARMAssembler::replaceWithBkpt): Deleted.
1434         * assembler/ARMv7Assembler.h:
1435         (JSC::ARMv7Assembler::replaceWithBkpt): Deleted.
1436         * assembler/MIPSAssembler.h:
1437         (JSC::MIPSAssembler::replaceWithBkpt): Deleted.
1438         * assembler/MacroAssemblerARM.h:
1439         (JSC::MacroAssemblerARM::replaceWithBreakpoint): Deleted.
1440         * assembler/MacroAssemblerARM64.h:
1441         (JSC::MacroAssemblerARM64::replaceWithVMHalt):
1442         (JSC::MacroAssemblerARM64::replaceWithBreakpoint): Deleted.
1443         * assembler/MacroAssemblerARMv7.h:
1444         (JSC::MacroAssemblerARMv7::storeFence):
1445         (JSC::MacroAssemblerARMv7::replaceWithBreakpoint): Deleted.
1446         * assembler/MacroAssemblerMIPS.h:
1447         (JSC::MacroAssemblerMIPS::replaceWithBreakpoint): Deleted.
1448         * assembler/MacroAssemblerX86Common.h:
1449         (JSC::MacroAssemblerX86Common::replaceWithVMHalt):
1450         (JSC::MacroAssemblerX86Common::replaceWithBreakpoint): Deleted.
1451         * assembler/X86Assembler.h:
1452         (JSC::X86Assembler::replaceWithHlt):
1453         (JSC::X86Assembler::replaceWithInt3): Deleted.
1454         * dfg/DFGJumpReplacement.cpp:
1455         (JSC::DFG::JumpReplacement::installVMTrapBreakpoint):
1456         * runtime/VMTraps.cpp:
1457         (JSC::SignalContext::SignalContext):
1458         (JSC::installSignalHandler):
1459         (JSC::SignalContext::adjustPCToPointToTrappingInstruction): Deleted.
1460         * wasm/WasmFaultSignalHandler.cpp:
1461         (JSC::Wasm::enableFastMemory):
1462
1463 2017-06-22  Saam Barati  <sbarati@apple.com>
1464
1465         The lowering of Identity in the DFG backend needs to use ManualOperandSpeculation
1466         https://bugs.webkit.org/show_bug.cgi?id=173743
1467         <rdar://problem/32932536>
1468
1469         Reviewed by Mark Lam.
1470
1471         The code always manually speculates; however, we weren't specifying
1472         ManualOperandSpeculation when creating a JSValueOperand. This would
1473         fire an assertion in JSValueOperand construction for a node like:
1474         Identity(String:@otherNode)
1475         
1476         I spent about 45 minutes trying to craft a test and came up
1477         empty. However, this fixes a debug assertion on an internal
1478         Apple website.
1479
1480         * dfg/DFGSpeculativeJIT32_64.cpp:
1481         (JSC::DFG::SpeculativeJIT::compile):
1482         * dfg/DFGSpeculativeJIT64.cpp:
1483         (JSC::DFG::SpeculativeJIT::compile):
1484
1485 2017-06-22  Saam Barati  <sbarati@apple.com>
1486
1487         ValueRep(DoubleRep(@v)) can not simply convert to @v
1488         https://bugs.webkit.org/show_bug.cgi?id=173687
1489         <rdar://problem/32855563>
1490
1491         Reviewed by Mark Lam.
1492
1493         Consider this IR:
1494          block#x
1495           p: Phi() // int32 and double flows into this phi from various control flow
1496           d: DoubleRep(@p)
1497           some uses of @d here
1498           v: ValueRep(DoubleRepUse:@d)
1499           a: NewArrayWithSize(Int32:@v)
1500           some more nodes here ...
1501         
1502         Because the flow of ValueRep(DoubleRep(@p)) will not produce an Int32,
1503         AI proves that the Int32 check will fail. Constant folding phase removes
1504         all nodes after @a and inserts an Unreachable after the NewArrayWithSize node.
1505         
1506         The IR then looks like this:
1507         block#x
1508           p: Phi() // int32 and double flows into this phi from various control flow
1509           d: DoubleRep(@p)
1510           some uses of @d here
1511           v: ValueRep(DoubleRepUse:@d)
1512           a: NewArrayWithSize(Int32:@v)
1513           Unreachable
1514         
1515         However, there was a strength reduction rule that tries to eliminate redundant
1516         conversions. It used to convert the program to:
1517         block#x
1518           p: Phi() // int32 and double flows into this phi from various control flow
1519           d: DoubleRep(@p)
1520           some uses of @d here
1521           a: NewArrayWithSize(Int32:@p)
1522           Unreachable
1523         
1524         However, at runtime, @p will actually be an Int32, so @a will not OSR exit,
1525         and we'll crash. This patch removes this strength reduction rule since it
1526         does not maintain what would have happened if we executed the program before
1527         the rule.
1528         
1529         This rule is also wrong for other types of programs (I'm not sure we'd
1530         actually emit this code, but if such IR were generated, we would previously
1531         optimize it incorrectly):
1532         @a: Constant(JSTrue)
1533         @b: DoubleRep(@a)
1534         @c: ValueRep(@b)
1535         @d: use(@c)
1536         
1537         However, the strength reduction rule would've transformed this into:
1538         @a: Constant(JSTrue)
1539         @d: use(@a)
1540         
1541         And this would be wrong because node @c before the transformation would
1542         have produced the JSValue jsNumber(1.0).
1543         
1544         This patch was neutral in the benchmark run I did.
1545
1546         * dfg/DFGStrengthReductionPhase.cpp:
1547         (JSC::DFG::StrengthReductionPhase::handleNode):
1548
1549 2017-06-22  JF Bastien  <jfbastien@apple.com>
1550
1551         ARM64: doubled executable memory limit from 32MiB to 64MiB
1552         https://bugs.webkit.org/show_bug.cgi?id=173734
1553         <rdar://problem/32932407>
1554
1555         Reviewed by Oliver Hunt.
1556
1557         Some WebAssembly programs stress the amount of memory we have
1558         available, especially when we consider tiering (BBQ never dies,
1559         and is bigger than OMG). Tiering to OMG just piles on more memory,
1560         and we're also competing with JavaScript.
1561
1562         * jit/ExecutableAllocator.h:
1563
1564 2017-06-22  Joseph Pecoraro  <pecoraro@apple.com>
1565
1566         Web Inspector: Pausing with a deep call stack can be very slow, avoid eagerly generating object previews
1567         https://bugs.webkit.org/show_bug.cgi?id=173698
1568
1569         Reviewed by Matt Baker.
1570
1571         When pausing in a deep call stack the majority of the time spent in JavaScriptCore
1572         when preparing Inspector pause information is spent generating object previews for
1573         the `thisObject` of each of the call frames. In some cases, this could be more
1574         than 95% of the time generating pause information. In the common case, only one of
1575         these (the top frame) will ever be seen by users. This change avoids eagerly
1576         generating object previews up front and lets the frontend request previews if they
1577         are needed.
1578
1579         This introduces the `Runtime.getPreview` protocol command. This can be used to:
1580
1581             - Get a preview for a RemoteObject that did not have a preview but could.
1582             - Update a preview for a RemoteObject that had a preview.
1583
1584         This patch only uses it for the first case, but the second is valid and may be
1585         something we want to do in the future.
1586
1587         * inspector/protocol/Runtime.json:
1588         A new command to get an up to date preview for an object.
1589
1590         * inspector/InjectedScript.h:
1591         * inspector/InjectedScript.cpp:
1592         (Inspector::InjectedScript::getPreview):
1593         * inspector/agents/InspectorRuntimeAgent.cpp:
1594         (Inspector::InspectorRuntimeAgent::getPreview):
1595         * inspector/agents/InspectorRuntimeAgent.h:
1596         Plumbing for the new command.
1597
1598         * inspector/InjectedScriptSource.js:
1599         (InjectedScript.prototype.getPreview):
1600         Implementation just uses the existing helper.
1601
1602         (InjectedScript.CallFrameProxy):
1603         Do not generate a preview for the this object as it may not be shown.
1604         Let the frontend request a preview if it wants or needs one.
1605
1606 2017-06-22  Joseph Pecoraro  <pecoraro@apple.com>
1607
1608         Web Inspector: Remove stale "rawScopes" concept that was never available in JSC
1609         https://bugs.webkit.org/show_bug.cgi?id=173686
1610
1611         Reviewed by Mark Lam.
1612
1613         * inspector/InjectedScript.cpp:
1614         (Inspector::InjectedScript::functionDetails):
1615         * inspector/InjectedScriptSource.js:
1616         (InjectedScript.prototype.functionDetails):
1617         * inspector/JSInjectedScriptHost.cpp:
1618         (Inspector::JSInjectedScriptHost::functionDetails):
1619
1620 2017-06-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1621
1622         [JSC] Object.values should be implemented in C++
1623         https://bugs.webkit.org/show_bug.cgi?id=173703
1624
1625         Reviewed by Sam Weinig.
1626
1627         As with Object.assign, Object.values() is also inherently polymorphic.
1628         And allocating a JSString / Symbol for each Identifier and a JSArray for the
1629         Object.keys() result is costly.
1630
1631         In this patch, we implement Object.values() in C++. It can avoid the above allocations.
1632         Furthermore, by using `slot.isTaintedByOpaqueObject()` information, we can skip
1633         non-observable JSObject::get() calls.
1634
1635         This improves performance by 2.49x. Now Object.values() also beats the
1636         Object.keys(object).map(key => object[key]) implementation.
1637
1638                                              baseline                  patched
1639
1640             object-values               132.1551+-3.7209     ^     53.1254+-1.6139        ^ definitely 2.4876x faster
1641             object-keys-map-values       78.2008+-2.1378     ?     78.9078+-2.2121        ?
1642
1643         * builtins/ObjectConstructor.js:
1644         (values): Deleted.
1645         * runtime/ObjectConstructor.cpp:
1646         (JSC::objectConstructorValues):
1647
1648 2017-06-21  Saam Barati  <sbarati@apple.com>
1649
1650         ArrayPrototype.map builtin declares a var it does not use
1651         https://bugs.webkit.org/show_bug.cgi?id=173685
1652
1653         Reviewed by Keith Miller.
1654
1655         * builtins/ArrayPrototype.js:
1656         (map):
1657
1658 2017-06-21  Saam Barati  <sbarati@apple.com>
1659
1660         eval virtual call is incorrect in the baseline JIT
1661         https://bugs.webkit.org/show_bug.cgi?id=173587
1662         <rdar://problem/32867897>
1663
1664         Reviewed by Michael Saboff.
1665
1666         When making a virtual call for call_eval, e.g., when the thing
1667         we're calling isn't actually eval, we end up calling the caller
1668         instead of the callee. This is clearly wrong. The code ends up
1669         issuing a load for the Callee in the caller's frame instead of
1670         the callee we're calling. The fix is simple: we just need to
1671         load the real callee. Only the 32-bit baseline JIT had this bug.
1672
1673         * jit/JITCall32_64.cpp:
1674         (JSC::JIT::compileCallEvalSlowCase):
1675
1676 2017-06-21  Joseph Pecoraro  <pecoraro@apple.com>
1677
1678         Web Inspector: Using "break on all exceptions" when throwing stack overflow hangs inspector
1679         https://bugs.webkit.org/show_bug.cgi?id=172432
1680         <rdar://problem/29870873>
1681
1682         Reviewed by Saam Barati.
1683
1684         Avoid pausing on StackOverflow and OutOfMemory errors to avoid a hang.
1685         We will proceed to improve debugging of these cases in the follow-up bugs.
1686
1687         * debugger/Debugger.cpp:
1688         (JSC::Debugger::exception):
1689         Ignore pausing on these errors.
1690
1691         * runtime/ErrorInstance.h:
1692         (JSC::ErrorInstance::setStackOverflowError):
1693         (JSC::ErrorInstance::isStackOverflowError):
1694         (JSC::ErrorInstance::setOutOfMemoryError):
1695         (JSC::ErrorInstance::isOutOfMemoryError):
1696         * runtime/ExceptionHelpers.cpp:
1697         (JSC::createStackOverflowError):
1698         * runtime/Error.cpp:
1699         (JSC::createOutOfMemoryError):
1700         Mark these kinds of errors.
1701
1702 2017-06-21  Saam Barati  <sbarati@apple.com>
1703
1704         Make it clear that regenerating ICs are holding the CodeBlock's lock by passing the locker as a parameter
1705         https://bugs.webkit.org/show_bug.cgi?id=173609
1706
1707         Reviewed by Keith Miller.
1708
1709         This patch makes many of the IC generating functions require a locker as
1710         a parameter. We do this in other places in JSC to indicate that
1711         a particular API is only valid while a particular lock is held.
1712         This is the case when generating ICs. This patch just makes it
1713         explicit in the IC generating interface.
1714
1715         * bytecode/PolymorphicAccess.cpp:
1716         (JSC::PolymorphicAccess::addCases):
1717         (JSC::PolymorphicAccess::addCase):
1718         (JSC::PolymorphicAccess::commit):
1719         (JSC::PolymorphicAccess::regenerate):
1720         * bytecode/PolymorphicAccess.h:
1721         * bytecode/StructureStubInfo.cpp:
1722         (JSC::StructureStubInfo::addAccessCase):
1723         (JSC::StructureStubInfo::initStub): Deleted.
1724         * bytecode/StructureStubInfo.h:
1725         * jit/Repatch.cpp:
1726         (JSC::tryCacheGetByID):
1727         (JSC::repatchGetByID):
1728         (JSC::tryCachePutByID):
1729         (JSC::repatchPutByID):
1730         (JSC::tryRepatchIn):
1731         (JSC::repatchIn):
1732
1733 2017-06-20  Myles C. Maxfield  <mmaxfield@apple.com>
1734
1735         Disable font variations on macOS Sierra and iOS 10
1736         https://bugs.webkit.org/show_bug.cgi?id=173618
1737         <rdar://problem/32879164>
1738
1739         Reviewed by Jon Lee.
1740
1741         * Configurations/FeatureDefines.xcconfig:
1742
1743 2017-06-20  Keith Miller  <keith_miller@apple.com>
1744
1745         Fix leak of ModuleInformations in BBQPlan constructors.
1746         https://bugs.webkit.org/show_bug.cgi?id=173577
1747
1748         Reviewed by Saam Barati.
1749
1750         This patch fixes a leak in the BBQPlan constructors. Previously,
1751         the plans were calling makeRef on the newly constructed objects.
1752         This patch fixes the issue and uses adoptRef instead. Additionally,
1753         an old, incorrect, attempt to fix the leak is removed.
1754
1755         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
1756         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
1757         * jit/JITWorklist.cpp:
1758         (JSC::JITWorklist::Thread::Thread):
1759         * runtime/PromiseDeferredTimer.cpp:
1760         (JSC::PromiseDeferredTimer::addPendingPromise):
1761         * runtime/VM.cpp:
1762         (JSC::VM::VM):
1763         * wasm/WasmBBQPlan.cpp:
1764         (JSC::Wasm::BBQPlan::BBQPlan):
1765         * wasm/WasmPlan.cpp:
1766         (JSC::Wasm::Plan::Plan):
1767
1768 2017-06-20  Devin Rousso  <drousso@apple.com>
1769
1770         Web Inspector: Send context attributes for tracked canvases
1771         https://bugs.webkit.org/show_bug.cgi?id=173327
1772
1773         Reviewed by Joseph Pecoraro.
1774
1775         * inspector/protocol/Canvas.json:
1776         Add ContextAttributes object type that is optionally used for WebGL canvases.
1777
1778 2017-06-20  Konstantin Tokarev  <annulen@yandex.ru>
1779
1780         Remove excessive include directives from WTF
1781         https://bugs.webkit.org/show_bug.cgi?id=173553
1782
1783         Reviewed by Saam Barati.
1784
1785         * profiler/ProfilerDatabase.cpp: Added missing include directive.
1786         * runtime/SamplingProfiler.cpp: Ditto.
1787
1788 2017-06-20  Oleksandr Skachkov  <gskachkov@gmail.com>
1789
1790         Revert changes in bug#160417 about extending `null` not being a derived class
1791         https://bugs.webkit.org/show_bug.cgi?id=169293
1792
1793         Reviewed by Saam Barati.
1794
1795         Reverted changes in bug#160417 about extending `null` not being a derived class 
1796         according to changes in spec:
1797         https://github.com/tc39/ecma262/commit/c57ef95c45a371f9c9485bb1c3881dbdc04524a2
1798
1799         * builtins/BuiltinNames.h:
1800         * bytecompiler/BytecodeGenerator.cpp:
1801         (JSC::BytecodeGenerator::BytecodeGenerator):
1802         (JSC::BytecodeGenerator::emitReturn):
1803         * bytecompiler/NodesCodegen.cpp:
1804         (JSC::ClassExprNode::emitBytecode):
1805
1806 2017-06-20  Saam Barati  <sbarati@apple.com>
1807
1808         repatchIn needs to lock the CodeBlock's lock
1809         https://bugs.webkit.org/show_bug.cgi?id=173573
1810
1811         Reviewed by Yusuke Suzuki.
1812
1813         CodeBlock::propagateTransitions and CodeBlock::visitWeakly grab the CodeBlock's
1814         lock before modifying the StructureStubInfo/PolymorphicAccess. When regenerating
1815         an IC, we must hold the CodeBlock's lock to prevent the executing thread from racing
1816         with the marking thread. repatchIn was not grabbing the lock. I haven't been
1817         able to get it to crash, but this is needed for the same reasons that get and put IC
1818         regeneration grab the lock.
1819
1820         * jit/Repatch.cpp:
1821         (JSC::repatchIn):
1822
1823 2017-06-19  Devin Rousso  <drousso@apple.com>
1824
1825         Web Inspector: create canvas content view and details sidebar panel
1826         https://bugs.webkit.org/show_bug.cgi?id=138941
1827         <rdar://problem/19051672>
1828
1829         Reviewed by Joseph Pecoraro.
1830
1831         * inspector/protocol/Canvas.json:
1832          - Add an optional `nodeId` attribute to the `Canvas` type.
1833          - Add `requestNode` command for getting the node id of the backing canvas element.
1834          - Add `requestContent` command for getting the current image content of the canvas.
1835
1836 2017-06-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1837
1838         Unreviewed, build fix for ARM
1839
1840         * assembler/MacroAssemblerARM.h:
1841         (JSC::MacroAssemblerARM::internalCompare32):
1842
1843 2017-06-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1844
1845         [DFG] More ArrayIndexOf fixups for various types
1846         https://bugs.webkit.org/show_bug.cgi?id=173176
1847
1848         Reviewed by Saam Barati.
1849
1850         This patch further expands coverage of ArrayIndexOf optimization in DFG and FTL.
1851
1852         1. We attempt to fold ArrayIndexOf to constant (-1) if we know that its array
1853         never contains the given search value.
1854
1855         2. We additionally support Symbol and Other specializations. Other is especially
1856         useful because null/undefined can be used as a sentinel value.
1857
1858         One interesting thing is that Array.prototype.indexOf does not consider holes as
1859         undefineds. Thus,
1860
1861             var array = [,,,,,,,];
1862             array.indexOf(undefined); // => -1
1863
1864         This can be trivially achieved in JSC because Empty and Undefined are different values.
1865
1866         * dfg/DFGFixupPhase.cpp:
1867         (JSC::DFG::FixupPhase::fixupNode):
1868         (JSC::DFG::FixupPhase::fixupArrayIndexOf):
1869         * dfg/DFGSpeculativeJIT.cpp:
1870         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
1871         (JSC::DFG::SpeculativeJIT::speculateOther):
1872         * dfg/DFGSpeculativeJIT.h:
1873         * ftl/FTLLowerDFGToB3.cpp:
1874         (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf):
1875
1876 2017-06-19  Caio Lima  <ticaiolima@gmail.com>
1877
1878         [ARMv6][DFG] ARM MacroAssembler is always emitting cmn when immediate is 0
1879         https://bugs.webkit.org/show_bug.cgi?id=172972
1880
1881         Reviewed by Mark Lam.
1882
1883         We are changing the internalCompare32 implementation in the ARM
1884         MacroAssembler to emit "cmp" when the "right.value" is 0.
1885         It is generating wrong comparison cases, since the
1886         semantics of cmn are the opposite of cmp [1]. One case that it's breaking is
1887         "branch32(MacroAssembler::Above, gpr, TrustedImm32(0))", which ends up
1888         resulting in the following assembly code:
1889
1890         ```
1891         cmn $r0, #0
1892         bhi <address>
1893         ```
1894
1895         However, as cmn is similar to "adds", it will never take the branch
1896         when $r0 > 0. In that case, the correct opcode is "cmp". With this
1897         patch we will fix the currently broken tests that use
1898         "branch32(MacroAssembler::Above, gpr, TrustedImm32(0))",
1899         such as ForwardVarargs, Spread and GetRestLength.
1900
1901         [1] - http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0204j/Cihiddid.html
1902
1903         * assembler/MacroAssemblerARM.h:
1904         (JSC::MacroAssemblerARM::internalCompare32):
1905
1906 2017-06-19  Joseph Pecoraro  <pecoraro@apple.com>
1907
1908         test262: Completion values for control flow do not match the spec
1909         https://bugs.webkit.org/show_bug.cgi?id=171265
1910
1911         Reviewed by Saam Barati.
1912
1913         * bytecompiler/BytecodeGenerator.h:
1914         (JSC::BytecodeGenerator::shouldBeConcernedWithCompletionValue):
1915         When we care about having proper completion values (global code
1916         in programs, modules, and eval) insert undefined results for
1917         control flow statements.
1918
1919         * bytecompiler/NodesCodegen.cpp:
1920         (JSC::SourceElements::emitBytecode):
1921         Reduce writing a default `undefined` value to the completion result to
1922         only once before the last statement we know will produce a value.
1923
1924         (JSC::IfElseNode::emitBytecode):
1925         (JSC::WithNode::emitBytecode):
1926         (JSC::WhileNode::emitBytecode):
1927         (JSC::ForNode::emitBytecode):
1928         (JSC::ForInNode::emitBytecode):
1929         (JSC::ForOfNode::emitBytecode):
1930         (JSC::SwitchNode::emitBytecode):
1931         Insert an undefined to handle cases where code may break out of an
1932         if/else or with statement (break/continue).
1933
1934         (JSC::TryNode::emitBytecode):
1935         Same handling for break cases. Also, finally block statement completion
1936         values are always ignored for the try statement result.
1937
1938         (JSC::ClassDeclNode::emitBytecode):
1939         Class declarations, like function declarations, produce an empty result.
1940
1941         * parser/Nodes.cpp:
1942         (JSC::SourceElements::lastStatement):
1943         (JSC::SourceElements::hasCompletionValue):
1944         (JSC::SourceElements::hasEarlyBreakOrContinue):
1945         (JSC::BlockNode::lastStatement):
1946         (JSC::BlockNode::singleStatement):
1947         (JSC::BlockNode::hasCompletionValue):
1948         (JSC::BlockNode::hasEarlyBreakOrContinue):
1949         (JSC::ScopeNode::singleStatement):
1950         (JSC::ScopeNode::hasCompletionValue):
1951         (JSC::ScopeNode::hasEarlyBreakOrContinue):
1952         The only non-trivial cases need to loop through their list of statements
1953         to determine if this has a completion value or not. Likewise for
1954         determining if there is an early break / continue, meaning a break or
1955         continue statement with no preceding statement that has a completion value.
1956
1957         * parser/Nodes.h:
1958         (JSC::StatementNode::next):
1959         (JSC::StatementNode::hasCompletionValue):
1960         Helper to check if a statement node produces a completion value or not.
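
The completion-value rules this entry implements, observed through eval() the way the test262 completion-value tests do, as an added example (not WebKit code; the eval strings are constructed inputs):

```javascript
// Added example, not WebKit code: the completion values the spec assigns to
// control-flow statements, observed through eval(). Each constructed case
// pairs a preceding value (1) with a statement whose completion either
// overrides it (undefined or a value) or is empty and leaves it alone.

// eval returns the completion value of the last statement that produced one.
function completionValueOf(source) {
  return eval(source);
}

function controlFlowCompletionValues() {
  return {
    // if/else, loops and switch whose body produces no value yield
    // undefined, not the earlier 1.
    ifEmptyBlock: completionValueOf("1; if (true) {}"),
    whileNoIteration: completionValueOf("1; while (false) {}"),
    switchEmptyCase: completionValueOf("1; switch (1) { case 1: }"),
    // An early break (no value produced before it) also yields undefined.
    whileEarlyBreak: completionValueOf("1; while (true) { break; }"),
    // A value produced before the break survives.
    whileValueThenBreak: completionValueOf("1; while (true) { 2; break; }"),
    // The finally block's completion is ignored; the try block's value wins.
    tryFinally: completionValueOf("1; try { 2; } finally { 3; }"),
    // Class and function declarations produce an empty completion,
    // so the earlier 1 remains the result.
    classDeclaration: completionValueOf("1; class A {}"),
    functionDeclaration: completionValueOf("1; function f() {}"),
  };
}

console.log(controlFlowCompletionValues());
```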
1961
1962 2017-06-19  Adrian Perez de Castro  <aperez@igalia.com>
1963
1964         Missing <functional> includes make builds fail with GCC 7.x
1965         https://bugs.webkit.org/show_bug.cgi?id=173544
1966
1967         Unreviewed gardening.
1968
1969         Fix compilation with GCC 7.
1970
1971         * API/tests/CompareAndSwapTest.cpp:
1972         * runtime/VMEntryScope.h:
1973
1974 2017-06-17  Keith Miller  <keith_miller@apple.com>
1975
1976         ArrayBuffer constructor needs to create subclass structures before its buffer
1977         https://bugs.webkit.org/show_bug.cgi?id=173510
1978
1979         Reviewed by Yusuke Suzuki.
1980
1981         * runtime/JSArrayBufferConstructor.cpp:
1982         (JSC::constructArrayBuffer):
1983
1984 2017-06-17  Keith Miller  <keith_miller@apple.com>
1985
1986         ArrayPrototype methods should use JSValue::toLength for non-Arrays.
1987         https://bugs.webkit.org/show_bug.cgi?id=173506
1988
1989         Reviewed by Ryosuke Niwa.
1990
1991         This patch changes the result of unshift if old length +
1992         unshift.arguments.length > (2 ** 53) - 1 to be a type error. Also,
1993         the getLength function, which was always incorrect to use, has
1994         been removed. Additionally, some cases where we were using a
1995         constant for (2 ** 53) - 1 have been replaced with
1996         maxSafeInteger().
1997
1998         * interpreter/Interpreter.cpp:
1999         (JSC::sizeOfVarargs):
2000         * runtime/ArrayPrototype.cpp:
2001         (JSC::arrayProtoFuncToLocaleString):
2002         (JSC::arrayProtoFuncPop):
2003         (JSC::arrayProtoFuncPush):
2004         (JSC::arrayProtoFuncReverse):
2005         (JSC::arrayProtoFuncShift):
2006         (JSC::arrayProtoFuncSlice):
2007         (JSC::arrayProtoFuncSplice):
2008         (JSC::arrayProtoFuncUnShift):
2009         (JSC::arrayProtoFuncIndexOf):
2010         (JSC::arrayProtoFuncLastIndexOf):
2011         * runtime/JSArrayInlines.h:
2012         (JSC::getLength): Deleted.
2013         * runtime/JSCJSValue.cpp:
2014         (JSC::JSValue::toLength):
2015         * runtime/NumberConstructor.cpp:
2016         (JSC::numberConstructorFuncIsSafeInteger):
2017
2018 2017-06-16  Matt Baker  <mattbaker@apple.com>
2019
2020         Web Inspector: Instrument 2D/WebGL canvas contexts in the backend
2021         https://bugs.webkit.org/show_bug.cgi?id=172623
2022         <rdar://problem/32415986>
2023
2024         Reviewed by Devin Rousso and Joseph Pecoraro.
2025
2026         This patch adds a basic Canvas protocol. It includes Canvas and related
2027         types and events for monitoring the lifetime of canvases in the page.
2028
2029         * CMakeLists.txt:
2030         * DerivedSources.make:
2031         * inspector/protocol/Canvas.json: Added.
2032
2033         * inspector/scripts/codegen/generator.py:
2034         (Generator.stylized_name_for_enum_value):
2035         Add special handling for Canvas.ContextType protocol enumeration,
2036         so that "canvas-2d" and "webgl" map to `Canvas2D` and `WebGL`.
2037
2038 2017-06-16  Wenson Hsieh  <wenson_hsieh@apple.com>
2039
2040         [iOS DnD] Upstream iOS drag and drop implementation into OpenSource WebKit
2041         https://bugs.webkit.org/show_bug.cgi?id=173366
2042         <rdar://problem/32767014>
2043
2044         Reviewed by Tim Horton.
2045
2046         Introduce ENABLE_DATA_INTERACTION and ENABLE_DRAG_SUPPORT to FeatureDefines.xcconfig.
2047
2048         * Configurations/FeatureDefines.xcconfig:
2049
2050 2017-06-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2051
2052         [JSC] Add fast path for Object.assign
2053         https://bugs.webkit.org/show_bug.cgi?id=173416
2054
2055         Reviewed by Mark Lam.
2056
2057         In the Object.assign implementation, we need to ensure that the given key is still an enumerable own key.
2058         This seems like a duplicate lookup, and we want to avoid it. However, we still need to perform this
2059         check in the face of Proxy. Proxy can observe that this check is done correctly.
2060
2061         In almost all the cases, the above check is duplicate to the subsequent [[Get]] operation.
2062         In this patch, we perform this check. But at that time, we investigate `isTaintedByOpaqueObject()`.
2063         If it is false, we can say that getOwnPropertySlot is pure. In that case, we can just retrieve the
2064         value by calling `slot.getValue()`.
2065
2066         This further improves performance of Object.assign.
2067
2068                                         baseline                  patched
2069
2070             object-assign.es6      363.6706+-6.4381     ^    324.1769+-6.9624        ^ definitely 1.1218x faster
2071
2072         * runtime/ObjectConstructor.cpp:
2073         (JSC::objectConstructorAssign):
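
An added example (not WebKit code) of the observable lookups behind both this Object.assign fast path and the Object.values entry above (2017-06-22): with a Proxy source, the getOwnPropertyDescriptor and get traps record the enumerable-own-key check and the [[Get]] that follows it for each key. The sample source object is constructed here.

```javascript
// Added example, not WebKit code: trace the own-property lookups that
// Object.assign and Object.values perform on a Proxy source. The
// getOwnPropertyDescriptor trap fires for every key (the "still an
// enumerable own key" check) and the get trap fires only for keys whose
// descriptor is enumerable. A Proxy makes both lookups observable, so the
// check cannot be dropped; for an ordinary object (no opaque object in the
// lookup) an engine may satisfy both from a single slot lookup.

// Wrap `source` in a Proxy whose traps record the order of lookups, run
// `operation` over the proxy, and return both the log and the result.
function traceOwnPropertyAccess(source, operation) {
  const log = [];
  const proxy = new Proxy(source, {
    ownKeys(target) {
      log.push("ownKeys");
      return Reflect.ownKeys(target);
    },
    getOwnPropertyDescriptor(target, key) {
      log.push(`getOwnPropertyDescriptor:${String(key)}`);
      return Reflect.getOwnPropertyDescriptor(target, key);
    },
    get(target, key, receiver) {
      log.push(`get:${String(key)}`);
      return Reflect.get(target, key, receiver);
    },
  });
  return { log, result: operation(proxy) };
}

// Constructed sample source: two enumerable keys and one non-enumerable key.
function makeSampleSource() {
  const source = { a: 1, b: 2 };
  Object.defineProperty(source, "c", { value: 3, enumerable: false });
  return source;
}

function assignTrace() {
  return traceOwnPropertyAccess(makeSampleSource(), (p) => Object.assign({}, p));
}

function valuesTrace() {
  return traceOwnPropertyAccess(makeSampleSource(), (p) => Object.values(p));
}

// Both operations walk the keys the same way: ownKeys once, then for each key
// a descriptor lookup, followed by a [[Get]] only if the key is enumerable.
const EXPECTED_TRACE = [
  "ownKeys",
  "getOwnPropertyDescriptor:a", "get:a",
  "getOwnPropertyDescriptor:b", "get:b",
  "getOwnPropertyDescriptor:c", // non-enumerable: no get
];

console.log(assignTrace().log.join(" -> "));
console.log(valuesTrace().log.join(" -> "));
```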
2074
2075 2017-06-16  Michael Saboff  <msaboff@apple.com>
2076
2077         Intermittent crash running Internal/Tests/InternalJSTests/Regress/radar-24300617.js
2078         https://bugs.webkit.org/show_bug.cgi?id=173488
2079
2080         Reviewed by Filip Pizlo.
2081
2082         ClonedArguments lazily sets its callee and iterator properties and it used its own inline
2083         code to initialize its butterfly.  This means that these lazily set properties can have
2084         bogus values in those slots.  Instead, let's use the standard Butterfly::tryCreate() method
2085         to create the butterfly as it clears out-of-line properties.
2086
2087         * runtime/ClonedArguments.cpp:
2088         (JSC::ClonedArguments::createEmpty):
2089
2090 2017-06-16  Mark Lam  <mark.lam@apple.com>
2091
2092         Interpreter methods for mapping between Opcode and OpcodeID need not be instance methods.
2093         https://bugs.webkit.org/show_bug.cgi?id=173491
2094
2095         Reviewed by Keith Miller.
2096
2097         The implementations are based on static data. There's no need to get the
2098         interpreter instance. Hence, we can make these methods static and avoid doing
2099         unnecessary work to compute the interpreter this pointer.
2100
2101         Also removed the unused isCallBytecode method.
2102
2103         * bytecode/BytecodeBasicBlock.cpp:
2104         (JSC::BytecodeBasicBlock::computeImpl):
2105         * bytecode/BytecodeDumper.cpp:
2106         (JSC::BytecodeDumper<Block>::printGetByIdOp):
2107         (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
2108         (JSC::BytecodeDumper<Block>::dumpBytecode):
2109         (JSC::BytecodeDumper<Block>::dumpBlock):
2110         * bytecode/BytecodeLivenessAnalysis.cpp:
2111         (JSC::BytecodeLivenessAnalysis::dumpResults):
2112         * bytecode/BytecodeLivenessAnalysisInlines.h:
2113         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::stepOverInstruction):
2114         * bytecode/BytecodeRewriter.cpp:
2115         (JSC::BytecodeRewriter::adjustJumpTargetsInFragment):
2116         * bytecode/CallLinkStatus.cpp:
2117         (JSC::CallLinkStatus::computeFromLLInt):
2118         * bytecode/CodeBlock.cpp:
2119         (JSC::CodeBlock::finishCreation):
2120         (JSC::CodeBlock::propagateTransitions):
2121         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2122         (JSC::CodeBlock::hasOpDebugForLineAndColumn):
2123         (JSC::CodeBlock::usesOpcode):
2124         (JSC::CodeBlock::valueProfileForBytecodeOffset):
2125         (JSC::CodeBlock::arithProfileForPC):
2126         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
2127         * bytecode/PreciseJumpTargets.cpp:
2128         (JSC::getJumpTargetsForBytecodeOffset):
2129         (JSC::computePreciseJumpTargetsInternal):
2130         (JSC::findJumpTargetsForBytecodeOffset):
2131         * bytecode/PreciseJumpTargetsInlines.h:
2132         (JSC::extractStoredJumpTargetsForBytecodeOffset):
2133         * bytecode/UnlinkedCodeBlock.cpp:
2134         (JSC::UnlinkedCodeBlock::applyModification):
2135         * dfg/DFGByteCodeParser.cpp:
2136         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
2137         (JSC::DFG::ByteCodeParser::parseBlock):
2138         * dfg/DFGCapabilities.cpp:
2139         (JSC::DFG::capabilityLevel):
2140         * interpreter/Interpreter.cpp:
2141         (JSC::Interpreter::Interpreter):
2142         (JSC::Interpreter::isOpcode):
2143         (): Deleted.
2144         * interpreter/Interpreter.h:
2145         (JSC::Interpreter::getOpcode): Deleted.
2146         (JSC::Interpreter::getOpcodeID): Deleted.
2147         (JSC::Interpreter::isCallBytecode): Deleted.
2148         * interpreter/InterpreterInlines.h:
2149         (JSC::Interpreter::getOpcode):
2150         (JSC::Interpreter::getOpcodeID):
2151         * jit/JIT.cpp:
2152         (JSC::JIT::privateCompileMainPass):
2153         (JSC::JIT::privateCompileSlowCases):
2154         * jit/JITOpcodes.cpp:
2155         (JSC::JIT::emitNewFuncCommon):
2156         (JSC::JIT::emitNewFuncExprCommon):
2157         * jit/JITPropertyAccess.cpp:
2158         (JSC::JIT::emitSlow_op_put_by_val):
2159         (JSC::JIT::privateCompilePutByVal):
2160         * jit/JITPropertyAccess32_64.cpp:
2161         (JSC::JIT::emitSlow_op_put_by_val):
2162         * llint/LLIntSlowPaths.cpp:
2163         (JSC::LLInt::llint_trace_operand):
2164         (JSC::LLInt::llint_trace_value):
2165         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2166         * profiler/ProfilerBytecodeSequence.cpp:
2167         (JSC::Profiler::BytecodeSequence::BytecodeSequence):
2168
2169 2017-06-16  Matt Lewis  <jlewis3@apple.com>
2170
2171         Unreviewed, rolling out r218376.
2172
2173         The patch causes multiple Layout Test crashes.
2174
2175         Reverted changeset:
2176
2177         "Web Inspector: Instrument 2D/WebGL canvas contexts in the
2178         backend"
2179         https://bugs.webkit.org/show_bug.cgi?id=172623
2180         http://trac.webkit.org/changeset/218376
2181
2182 2017-06-16  Konstantin Tokarev  <annulen@yandex.ru>
2183
2184         REGRESSION(r166799): LogsPageMessagesToSystemConsoleEnabled corrupts non-ASCII characters
2185         https://bugs.webkit.org/show_bug.cgi?id=173470
2186
2187         Reviewed by Joseph Pecoraro.
2188
2189         ConsoleClient::printConsoleMessageWithArguments() incorrectly uses the
2190         const char* overload of StringBuilder::append(), which assumes Latin1
2191         encoding, not UTF8.
2192
2193         * runtime/ConsoleClient.cpp:
2194         (JSC::ConsoleClient::printConsoleMessageWithArguments):
2195
2196 2017-06-15  Mark Lam  <mark.lam@apple.com>
2197
2198         Add a JSRunLoopTimer registry in VM.
2199         https://bugs.webkit.org/show_bug.cgi?id=173429
2200         <rdar://problem/31287961>
2201
2202         Reviewed by Filip Pizlo.
2203
2204         This way, we can be sure we've got every JSRunLoopTimer instance covered if we
2205         need to change their run loop (e.g. when setting to the WebThread's run loop).
2206
2207         * heap/Heap.cpp:
2208         (JSC::Heap::Heap):
2209         (JSC::Heap::setRunLoop): Deleted.
2210         * heap/Heap.h:
2211         (JSC::Heap::runLoop): Deleted.
2212         * runtime/JSRunLoopTimer.cpp:
2213         (JSC::JSRunLoopTimer::JSRunLoopTimer):
2214         (JSC::JSRunLoopTimer::setRunLoop):
2215         (JSC::JSRunLoopTimer::~JSRunLoopTimer):
2216         * runtime/VM.cpp:
2217         (JSC::VM::VM):
2218         (JSC::VM::registerRunLoopTimer):
2219         (JSC::VM::unregisterRunLoopTimer):
2220         (JSC::VM::setRunLoop):
2221         * runtime/VM.h:
2222         (JSC::VM::runLoop):
2223
2224 2017-06-15  Joseph Pecoraro  <pecoraro@apple.com>
2225
2226         [Cocoa] Modernize some internal initializers to use instancetype instead of id
2227         https://bugs.webkit.org/show_bug.cgi?id=173112
2228
2229         Reviewed by Wenson Hsieh.
2230
2231         * API/JSContextInternal.h:
2232         * API/JSWrapperMap.h:
2233         * API/JSWrapperMap.mm:
2234         (-[JSObjCClassInfo initForClass:]):
2235         (-[JSWrapperMap initWithGlobalContextRef:]):
2236
2237 2017-06-15  Matt Baker  <mattbaker@apple.com>
2238
2239         Web Inspector: Instrument 2D/WebGL canvas contexts in the backend
2240         https://bugs.webkit.org/show_bug.cgi?id=172623
2241         <rdar://problem/32415986>
2242
2243         Reviewed by Devin Rousso.
2244
2245         This patch adds a basic Canvas protocol. It includes Canvas and related
2246         types and events for monitoring the lifetime of canvases in the page.
2247
2248         * CMakeLists.txt:
2249         * DerivedSources.make:
2250         * inspector/protocol/Canvas.json: Added.
2251
2252         * inspector/scripts/codegen/generator.py:
2253         (Generator.stylized_name_for_enum_value):
2254         Add special handling for Canvas.ContextType protocol enumeration,
2255         so that "canvas-2d" and "webgl" map to `Canvas2D` and `WebGL`.
2256
2257 2017-06-15  Keith Miller  <keith_miller@apple.com>
2258
2259         Add logging to MachineStackMarker to try to diagnose crashes in the wild
2260         https://bugs.webkit.org/show_bug.cgi?id=173427
2261
2262         Reviewed by Mark Lam.
2263
2264         This patch adds some logging to the MachineStackMarker constructor
2265         to help figure out where we are seeing crashes. Since macOS does
2266         not support os_log_info, my hope is that if we set all the callee
2267         save registers before making any calls in the C++ code, we can
2268         figure out which call is the source of the crash. We also set
2269         all the caller save registers before returning in case some
2270         weirdness is happening in the Heap constructor.
2271
2272         This logging should not matter from a performance perspective. We
2273         only create MachineStackMarkers when we are creating a new VM,
2274         which is already expensive.
2275
2276         * heap/MachineStackMarker.cpp:
2277         (JSC::MachineThreads::MachineThreads):
2278
2279 2017-06-15  Yusuke Suzuki  <utatane.tea@gmail.com>
2280
2281         [JSC] Implement Object.assign in C++
2282         https://bugs.webkit.org/show_bug.cgi?id=173414
2283
2284         Reviewed by Saam Barati.
2285
2286         Implementing Object.assign in JS is not so good compared to the C++ version because:
2287
2288         1. The JS version allocates a JS array for the object's own keys, and we allocate a JSString / Symbol for each key.
2289         But basically, they can be handled as UniquedStringImpl in C++. Allocating these cells is wasteful.
2290
2291         2. While implementing builtins in JS offers some good type speculation chances, Object.assign is inherently super polymorphic.
2292         So JS's type profile doesn't help much.
2293
2294         3. We have a chance to introduce various fast paths for Object.assign in C++.
2295
2296         This patch moves the implementation from JS to C++. It achieves the above (1) and (2). (3) is filed in [1].
2297
2298         We can see 1.65x improvement in SixSpeed object-assign.es6.
2299
2300                                     baseline                  patched
2301
2302         object-assign.es6      643.3253+-8.0521     ^    389.1075+-8.8840        ^ definitely 1.6533x faster
2303
2304         [1]: https://bugs.webkit.org/show_bug.cgi?id=173416
2305
2306         * builtins/ObjectConstructor.js:
2307         (entries):
2308         (assign): Deleted.
2309         * runtime/JSCJSValueInlines.h:
2310         (JSC::JSValue::putInline):
2311         * runtime/JSCell.h:
2312         * runtime/JSCellInlines.h:
2313         (JSC::JSCell::putInline):
2314         * runtime/JSObject.cpp:
2315         (JSC::JSObject::put):
2316         * runtime/JSObject.h:
2317         * runtime/JSObjectInlines.h:
2318         (JSC::JSObject::putInlineForJSObject):
2319         (JSC::JSObject::putInline): Deleted.
2320         * runtime/ObjectConstructor.cpp:
2321         (JSC::objectConstructorAssign):
2322
2323 2017-06-14  Dan Bernstein  <mitz@apple.com>
2324
2325         [Cocoa] Objective-C class whose name begins with an underscore can’t be exported to JavaScript
2326         https://bugs.webkit.org/show_bug.cgi?id=168578
2327
2328         Reviewed by Geoff Garen.
2329
2330         * API/JSWrapperMap.mm:
2331         (allocateConstructorForCustomClass): Updated for change to forEachProtocolImplementingProtocol.
2332         (-[JSObjCClassInfo allocateConstructorAndPrototype]): Ditto.
2333         (-[JSWrapperMap classInfoForClass:]): If the class name begins with an underscore, check if
2334           it defines conformance to a JSExport-derived protocol and if so, avoid using the
2335           superclass as a substitute as we’d normally do.
2336
2337         * API/ObjcRuntimeExtras.h:
2338         (forEachProtocolImplementingProtocol): Added a "stop" argument to the block to let callers
2339           bail out.
2340
2341         * API/tests/JSExportTests.mm:
2342         (+[JSExportTests classNamePrefixedWithUnderscoreTest]): New test for this.
2343         (runJSExportTests): Run new test.
2344
2345 2017-06-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2346
2347         Unreviewed, suppress invalid register allocation validation assertion in 32 bit part 2
2348         https://bugs.webkit.org/show_bug.cgi?id=172421
2349
2350         * dfg/DFGSpeculativeJIT.cpp:
2351         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
2352
2353 2017-06-14  Claudio Saavedra  <csaavedra@igalia.com>
2354
2355         REGRESSION: 15 new jsc failures in WPE and GTK+
2356         https://bugs.webkit.org/show_bug.cgi?id=173349
2357
2358         Reviewed by JF Bastien.
2359
2360         Recent changes to generateWasm.py are not accounted for from
2361         CMake, which leads to WasmOps.h not being regenerated in partial
2362         builds. Make generateWasm.py an additional dependency.

2363         * CMakeLists.txt:
2364
2365 2017-06-13  Joseph Pecoraro  <pecoraro@apple.com>
2366
2367         Debugger has unexpected effect on program correctness
2368         https://bugs.webkit.org/show_bug.cgi?id=172683
2369
2370         Reviewed by Saam Barati.
2371
2372         * inspector/InjectedScriptSource.js:
2373         (InjectedScript.RemoteObject.prototype._appendPropertyPreviews):
2374         (InjectedScript.RemoteObject.prototype._isPreviewableObjectInternal):
2375         (BasicCommandLineAPI):
2376         Eliminate for..of use with Arrays from InjectedScriptSource as it can be observable.
2377         We still use it for Set / Map iteration which we can eliminate when moving to builtins.
2378
2379 2017-06-13  JF Bastien  <jfbastien@apple.com>
2380
2381         WebAssembly: fix erroneous signature comment
2382         https://bugs.webkit.org/show_bug.cgi?id=173334
2383
2384         Reviewed by Keith Miller.
2385
2386         * wasm/WasmSignature.h:
2387
2388 2017-06-13  Michael Saboff  <msaboff@apple.com>
2389
2390         Refactor AbsenceOfSetter to AbsenceOfSetEffects
2391         https://bugs.webkit.org/show_bug.cgi?id=173322
2392
2393         Reviewed by Filip Pizlo.
2394
2395         * bytecode/ObjectPropertyCondition.h:
2396         (JSC::ObjectPropertyCondition::absenceOfSetEffectWithoutBarrier):
2397         (JSC::ObjectPropertyCondition::absenceOfSetEffect):
2398         (JSC::ObjectPropertyCondition::absenceOfSetterWithoutBarrier): Deleted.
2399         (JSC::ObjectPropertyCondition::absenceOfSetter): Deleted.
2400         * bytecode/ObjectPropertyConditionSet.cpp:
2401         (JSC::generateConditionsForPropertySetterMiss):
2402         (JSC::generateConditionsForPropertySetterMissConcurrently):
2403         * bytecode/PropertyCondition.cpp:
2404         (JSC::PropertyCondition::dumpInContext):
2405         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):
2406         (JSC::PropertyCondition::isStillValid):
2407         (WTF::printInternal):
2408         * bytecode/PropertyCondition.h:
2409         (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
2410         (JSC::PropertyCondition::absenceOfSetEffect):
2411         (JSC::PropertyCondition::hasPrototype):
2412         (JSC::PropertyCondition::hash):
2413         (JSC::PropertyCondition::operator==):
2414         (JSC::PropertyCondition::absenceOfSetterWithoutBarrier): Deleted.
2415         (JSC::PropertyCondition::absenceOfSetter): Deleted.
2416
2417 2017-06-13  JF Bastien  <jfbastien@apple.com>
2418
2419         WebAssembly: import updated spec tests
2420         https://bugs.webkit.org/show_bug.cgi?id=173287
2421         <rdar://problem/32725975>
2422
2423         Reviewed by Saam Barati.
2424
2425         Import spec tests as of 31c641cc15f2aedbec2fa45a5185f68416df578b,
2426         with a few modifications so things work.
2427
2428         Fix a bunch of bugs found through this process, and punt a few tests (which I
2429         marked as blocked by this bug).
2430
2431         Fixes:
2432
2433         Fix load / store alignment: r216908 erroneously implemented it as bit alignment
2434         instead of byte alignment. It was also missing memory-alignment.js despite it
2435         being in the ChangeLog, so add it too. This allows spec-test/align.wast.js to
2436         pass.
2437
2438         Tables can be imported or in a section. There can be only one, but sections can
2439         be empty. An Elements section can exist if there's no Table, as long as it is
2440         also empty.
2441
2442         Memories can be imported or in a section. There can be only one, but sections
2443         can be empty. A Data section can exist if there's no Memory, as long as it is
2444         also empty.
2445
2446         Prototypes: stringify without .prototype. in the string.
2447
2448         WebAssembly.Table.prototype.grow was plain wrong: it takes a delta parameter,
2449         not a final size, and throws a RangeError on failure, not a TypeError.
2450
2451         Fix compile / instantiate so they reject the promise if given an argument of the
2452         wrong type (instead of failing instantly).
2453
2454         Fix async on neuter test.
2455
2456         Element section shouldn't affect any Table if any of the elements are out of
2457         bounds. We need to process it in two passes.
2458
2459         Segment section shouldn't affect any Data if any of the segments are out of
2460         bounds. We need to process it in two passes.
2461
2462         Empty data segments are valid, but only when there is no memory. Their index
2463         still gets validated, and has to be zero.
2464
2465         Punts:
2466
2467         Error messages with context, the test seems overly restrictive but this is
2468         minor.
2469
2470         compile/instantiate/validate property descriptors.
2471
2472         UTF-8 bugs.
2473
2474         Temporarily disable NaN tests. We need to go back and implement the following
2475         semantics: https://github.com/WebAssembly/spec/pull/414 This doesn't matter as
2476         much as getting all the other tests passing.
2477
2478         Worth noting for NaNs: f64.no_fold_mul_one (also a NaN test) as well as
2479         no_fold_promote_demote (an interesting corner case which we get wrong). mul by
2480         one is (assert_return (invoke "f64.no_fold_mul_one" (i64.const
2481         0x7ff4000000000000)) (i64.const 0x7ff8000000000000)) which means converting sNaN
2482         to qNaN, and promote/demote is (assert_return (invoke "no_fold_promote_demote"
2483         (i32.const 0x7fa00000)) (i32.const 0x7fc00000)) which is the same. I'm not sure
2484         why they're not allowed.
2485
2486         * wasm/WasmB3IRGenerator.cpp:
2487         * wasm/WasmFunctionParser.h:
2488         * wasm/WasmModuleParser.cpp:
2489         * wasm/WasmModuleParser.h:
2490         * wasm/WasmParser.h:
2491         (JSC::Wasm::Parser<SuccessType>::consumeUTF8String):
2492         * wasm/generateWasm.py:
2493         (memoryLog2Alignment):
2494         * wasm/js/JSWebAssemblyTable.cpp:
2495         (JSC::JSWebAssemblyTable::grow):
2496         * wasm/js/JSWebAssemblyTable.h:
2497         * wasm/js/WebAssemblyCompileErrorPrototype.cpp:
2498         * wasm/js/WebAssemblyInstancePrototype.cpp:
2499         * wasm/js/WebAssemblyLinkErrorPrototype.cpp:
2500         * wasm/js/WebAssemblyMemoryPrototype.cpp:
2501         * wasm/js/WebAssemblyModulePrototype.cpp:
2502         * wasm/js/WebAssemblyModuleRecord.cpp:
2503         (JSC::WebAssemblyModuleRecord::evaluate):
2504         * wasm/js/WebAssemblyPrototype.cpp:
2505         (JSC::webAssemblyCompileFunc):
2506         (JSC::resolve):
2507         (JSC::instantiate):
2508         (JSC::compileAndInstantiate):
2509         (JSC::webAssemblyInstantiateFunc):
2510         * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp:
2511         * wasm/js/WebAssemblyTablePrototype.cpp:
2512         (JSC::webAssemblyTableProtoFuncGrow):
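
        Added example (not part of this ChangeLog and not JSC's WasmParser): decoding a
        load/store memarg immediate and checking its alignment against the natural
        alignment expressed in bytes, which is the load/store alignment rule the fix
        above restores. Opcode values and access widths follow the wasm MVP binary
        format; the function names are assumptions.

```javascript
// Added example, not JSC code. Natural alignment is log2 of the access width in
// BYTES. Computing it from the width in bits (the mistake described in the entry
// above) would give i32.load a "natural" log2 alignment of 5 instead of 2 and let
// invalid modules through. Opcode table is a subset of the MVP memory instructions.
const MEMORY_OPS = {
  0x28: { name: 'i32.load',     bytes: 4 },
  0x29: { name: 'i64.load',     bytes: 8 },
  0x2a: { name: 'f32.load',     bytes: 4 },
  0x2b: { name: 'f64.load',     bytes: 8 },
  0x2c: { name: 'i32.load8_s',  bytes: 1 },
  0x2d: { name: 'i32.load8_u',  bytes: 1 },
  0x2e: { name: 'i32.load16_s', bytes: 2 },
  0x2f: { name: 'i32.load16_u', bytes: 2 },
  0x36: { name: 'i32.store',    bytes: 4 },
  0x37: { name: 'i64.store',    bytes: 8 },
  0x3a: { name: 'i32.store8',   bytes: 1 },
  0x3b: { name: 'i32.store16',  bytes: 2 },
};

// log2 of the natural alignment in bytes: i32.load -> 2, i64.load -> 3, load8 -> 0.
function memoryLog2Alignment(op) {
  const info = MEMORY_OPS[op];
  if (!info) throw new Error(`not a memory op: 0x${op.toString(16)}`);
  return Math.log2(info.bytes);
}

// Read one unsigned LEB128 u32 starting at pos; returns { value, next }.
function readULEB128(bytes, pos) {
  let result = 0;
  let shift = 0;
  let i = pos;
  for (;;) {
    if (i >= bytes.length) throw new Error('truncated LEB128');
    const b = bytes[i++];
    result += (b & 0x7f) * 2 ** shift; // multiply instead of << to avoid 32-bit overflow
    shift += 7;
    if ((b & 0x80) === 0) break;
    if (shift >= 35) throw new Error('LEB128 too long for u32');
  }
  if (result > 0xffffffff) throw new Error('u32 out of range');
  return { value: result, next: i };
}

// Decode "opcode memarg(align, offset)" at pos and validate the alignment
// immediate: it must not exceed the natural alignment of the access.
function decodeMemoryInstruction(bytes, pos = 0) {
  const op = bytes[pos];
  const natural = memoryLog2Alignment(op);
  const align = readULEB128(bytes, pos + 1);
  const offset = readULEB128(bytes, align.next);
  if (align.value > natural) {
    throw new Error(
      `${MEMORY_OPS[op].name}: alignment 2^${align.value} exceeds natural 2^${natural}`);
  }
  return {
    name: MEMORY_OPS[op].name,
    log2Align: align.value,
    offset: offset.value,
    next: offset.next,
  };
}
```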
2513
2514 2017-06-13  Michael Saboff  <msaboff@apple.com>
2515
2516         DFG doesn't properly handle a property that is changed to read only in a prototype
2517         https://bugs.webkit.org/show_bug.cgi?id=173321
2518
2519         Reviewed by Filip Pizlo.
2520
2521         We need to check for ReadOnly as well as not being a Setter when checking
2522         an AbsenceOfSetter.
2523
2524         * bytecode/PropertyCondition.cpp:
2525         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):
2526
2527 2017-06-13  Daniel Bates  <dabates@apple.com>
2528
2529         Implement W3C Secure Contexts Draft Specification
2530         https://bugs.webkit.org/show_bug.cgi?id=158121
2531         <rdar://problem/26012994>
2532
2533         Reviewed by Brent Fulgham.
2534
2535         Part 4
2536
2537         Adds isSecureContext to the list of common identifiers as needed to support
2538         toggling its exposure from a runtime enabled feature flag.
2539
2540         * runtime/CommonIdentifiers.h:
2541
2542 2017-06-13  Don Olmstead  <don.olmstead@sony.com>
2543
2544         [JSC] Remove redundant includes in config.h
2545         https://bugs.webkit.org/show_bug.cgi?id=173294
2546
2547         Reviewed by Alex Christensen.
2548
2549         * config.h:
2550
2551 2017-06-12  Saam Barati  <sbarati@apple.com>
2552
2553         We should not claim that SpecEmpty is filtered out of cell checks on 64 bit platforms
2554         https://bugs.webkit.org/show_bug.cgi?id=172957
2555         <rdar://problem/32602704>
2556
2557         Reviewed by Filip Pizlo.
2558
2559         Consider this program:
2560         ```
2561         block#1:
2562         n: GetClosureVar(..., |this|) // this will load empty JSValue()
2563         SetLocal(Cell:@n, locFoo) // Cell check succeeds because JSValue() looks like a cell
2564         Branch(#2, #3)
2565         
2566         Block#3:
2567         x: GetLocal(locFoo)
2568         y: CheckNotEmpty(@x)
2569         ```
2570         
2571         If we claim that a cell check filters out the empty value, we will
2572         incorrectly eliminate the CheckNotEmpty node @y. This patch fixes AI,
2573         FTLLowerDFGToB3, and DFGSpeculativeJIT to no longer make this claim.
2574         
2575         On 64 bit platforms:
2576         - Cell use kind *now allows* the empty value to pass through.
2577         - CellOrOther use kind *now allows* for the empty value to pass through.
2578         - NotCell use kind *no longer allows* the empty value to pass through.
2579
2580         * assembler/CPU.h:
2581         (JSC::isARMv7IDIVSupported):
2582         (JSC::isARM64):
2583         (JSC::isX86):
2584         (JSC::isX86_64):
2585         (JSC::is64Bit):
2586         (JSC::is32Bit):
2587         (JSC::isMIPS):
2588         Make these functions constexpr so we can use them in static variable assignment.
2589
2590         * bytecode/SpeculatedType.h:
2591         * dfg/DFGSpeculativeJIT.cpp:
2592         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
2593         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2594         (JSC::DFG::SpeculativeJIT::compileLogicalNotStringOrOther):
2595         (JSC::DFG::SpeculativeJIT::emitStringOrOtherBranch):
2596         (JSC::DFG::SpeculativeJIT::speculateCell):
2597         (JSC::DFG::SpeculativeJIT::speculateCellOrOther):
2598         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
2599         (JSC::DFG::SpeculativeJIT::speculateString):
2600         (JSC::DFG::SpeculativeJIT::speculateStringOrOther):
2601         (JSC::DFG::SpeculativeJIT::speculateSymbol):
2602         (JSC::DFG::SpeculativeJIT::speculateNotCell):
2603         * dfg/DFGSpeculativeJIT32_64.cpp:
2604         * dfg/DFGSpeculativeJIT64.cpp:
2605         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2606         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
2607         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
2608         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2609         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2610         * dfg/DFGUseKind.h:
2611         (JSC::DFG::typeFilterFor):
2612         * ftl/FTLLowerDFGToB3.cpp:
2613         (JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep):
2614         (JSC::FTL::DFG::LowerDFGToB3::numberOrNotCellToInt32):
2615         (JSC::FTL::DFG::LowerDFGToB3::compareEqObjectOrOtherToObject):
2616         (JSC::FTL::DFG::LowerDFGToB3::boolify):
2617         (JSC::FTL::DFG::LowerDFGToB3::equalNullOrUndefined):
2618         (JSC::FTL::DFG::LowerDFGToB3::lowCell):
2619         (JSC::FTL::DFG::LowerDFGToB3::lowNotCell):
2620         (JSC::FTL::DFG::LowerDFGToB3::isCellOrMisc):
2621         (JSC::FTL::DFG::LowerDFGToB3::isNotCellOrMisc):
2622         (JSC::FTL::DFG::LowerDFGToB3::isNotCell):
2623         (JSC::FTL::DFG::LowerDFGToB3::isCell):
2624         (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
2625         (JSC::FTL::DFG::LowerDFGToB3::speculateObjectOrOther):
2626         (JSC::FTL::DFG::LowerDFGToB3::speculateString):
2627         (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):
2628         (JSC::FTL::DFG::LowerDFGToB3::speculateSymbol):
2629
2630 2017-06-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2631
2632         Unreviewed, suppress invalid register allocation validation assertion in 32 bit
2633         https://bugs.webkit.org/show_bug.cgi?id=172421
2634
2635         * dfg/DFGSpeculativeJIT.cpp:
2636         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
2637
2638 2017-06-12  Oleksandr Skachkov  <gskachkov@gmail.com>
2639
2640         We incorrectly allow escaped characters in keyword tokens
2641         https://bugs.webkit.org/show_bug.cgi?id=171310
2642
2643         Reviewed by Yusuke Suzuki.
2644
2645         According to the spec, it is not allowed to use escaped characters in
2646         keywords. https://tc39.github.io/ecma262/#sec-reserved-words
2647         The current patch implements this requirement.
2648
2650         * parser/Lexer.cpp:
2651         (JSC::Lexer<CharacterType>::parseIdentifierSlowCase):
2652         * parser/Parser.cpp:
2653         (JSC::Parser<LexerType>::printUnexpectedTokenText):
2654         * parser/ParserTokens.h:
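
        Added example (not the Lexer.cpp change itself and not JSC code): a small
        JavaScript routine that decodes Unicode escapes in an IdentifierName token and
        rejects a reserved word spelled with escapes, which is the ECMA-262 rule this
        patch enforces. The reserved-word list is abbreviated and the function names
        are assumptions.

```javascript
// Added example, not JSC code. Per https://tc39.github.io/ecma262/#sec-reserved-words
// a reserved word written with escapes (e.g. "\u0069f" for "if") is neither a
// keyword nor a valid identifier, so the lexer must reject it.
// Assumption: this abbreviated list is enough to illustrate the rule.
const RESERVED_WORDS = new Set([
  'await', 'break', 'case', 'catch', 'class', 'const', 'continue', 'debugger',
  'default', 'delete', 'do', 'else', 'enum', 'export', 'extends', 'false',
  'finally', 'for', 'function', 'if', 'import', 'in', 'instanceof', 'new',
  'null', 'return', 'super', 'switch', 'this', 'throw', 'true', 'try',
  'typeof', 'var', 'void', 'while', 'with', 'yield',
]);

// Decode \uXXXX and \u{X...} escapes in the raw token text.
// Returns the cooked string and whether any escape was present.
function decodeIdentifier(raw) {
  let cooked = '';
  let escaped = false;
  for (let i = 0; i < raw.length; ) {
    if (raw[i] !== '\\') { cooked += raw[i++]; continue; }
    if (raw[i + 1] !== 'u') throw new SyntaxError(`Invalid escape at ${i}`);
    escaped = true;
    let hex;
    if (raw[i + 2] === '{') {
      const close = raw.indexOf('}', i + 3);
      if (close < 0) throw new SyntaxError('Unterminated \\u{...} escape');
      hex = raw.slice(i + 3, close);
      i = close + 1;
    } else {
      hex = raw.slice(i + 2, i + 6);
      if (hex.length !== 4) throw new SyntaxError('Short \\uXXXX escape');
      i += 6;
    }
    if (!/^[0-9a-fA-F]+$/.test(hex)) throw new SyntaxError('Bad hex digits in escape');
    const cp = parseInt(hex, 16);
    if (cp > 0x10ffff) throw new SyntaxError('Code point out of range');
    cooked += String.fromCodePoint(cp);
  }
  return { cooked, escaped };
}

// Classify an IdentifierName token as keyword or identifier, or throw.
function classifyIdentifierToken(raw) {
  const { cooked, escaped } = decodeIdentifier(raw);
  // The cooked text must still be a valid identifier (ID_Start / ID_Continue).
  if (!/^[\p{ID_Start}$_][\p{ID_Continue}$\u200c\u200d]*$/u.test(cooked)) {
    throw new SyntaxError(`Invalid identifier: ${raw}`);
  }
  const isReserved = RESERVED_WORDS.has(cooked);
  if (isReserved && escaped) {
    throw new SyntaxError(`Keyword must not contain escaped characters: ${raw}`);
  }
  return { type: isReserved ? 'keyword' : 'identifier', value: cooked };
}
```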
2655
2656 2017-06-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2657
2658         Unreviewed, add branch64(Cond, BaseIndex, RegisterID) for ARM64
2659         https://bugs.webkit.org/show_bug.cgi?id=172421
2660
2661         * assembler/MacroAssemblerARM64.h:
2662         (JSC::MacroAssemblerARM64::branch64):
2663         (JSC::MacroAssemblerARM64::branchPtr):
2664
2665 2017-06-12  Commit Queue  <commit-queue@webkit.org>
2666
2667         Unreviewed, rolling out r218093.
2668         https://bugs.webkit.org/show_bug.cgi?id=173259
2669
2670         Break builds (Requested by yusukesuzuki on #webkit).
2671
2672         Reverted changeset:
2673
2674         "Unreviewed, build fix for ARM64"
2675         https://bugs.webkit.org/show_bug.cgi?id=172421
2676         http://trac.webkit.org/changeset/218093
2677
2678 2017-06-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2679
2680         Unreviewed, build fix for ARM64
2681         https://bugs.webkit.org/show_bug.cgi?id=172421
2682
2683         * dfg/DFGSpeculativeJIT.cpp:
2684         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
2685
2686 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2687
2688         [DFG] Add ArrayIndexOf intrinsic
2689         https://bugs.webkit.org/show_bug.cgi?id=172421
2690
2691         Reviewed by Saam Barati.
2692
2693         This patch introduces ArrayIndexOfIntrinsic for DFG and FTL optimizations.
2694         We emit an array check and take the fast path if the array is Array::Int32, Array::Double
2695         or Array::Contiguous. In addition, for the Array::Int32 and Array::Double cases,
2696         we have inlined fast paths.
2697
2698         With updated ARES-6 Babylon,
2699
2700         Before
2701             firstIteration:     45.76 +- 3.87 ms
2702             averageWorstCase:   24.41 +- 2.17 ms
2703             steadyState:        8.01 +- 0.22 ms
2704         After
2705             firstIteration:     45.64 +- 4.23 ms
2706             averageWorstCase:   23.03 +- 3.34 ms
2707             steadyState:        7.33 +- 0.34 ms
2708
2709         In SixSpeed:
2710                                          baseline                  patched
2711
2712             map-set-lookup.es5      734.4701+-10.4383    ^    102.0968+-2.6357        ^ definitely 7.1939x faster
2713             map-set.es5              41.1396+-1.0558     ^     33.1916+-0.7986        ^ definitely 1.2395x faster
2714             map-set-object.es5       62.8317+-1.2518     ^     45.6944+-0.8369        ^ definitely 1.3750x faster
2715
2716         * dfg/DFGAbstractInterpreterInlines.h:
2717         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2718         * dfg/DFGByteCodeParser.cpp:
2719         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2720         * dfg/DFGClobberize.h:
2721         (JSC::DFG::clobberize):
2722         * dfg/DFGDoesGC.cpp:
2723         (JSC::DFG::doesGC):
2724         * dfg/DFGFixupPhase.cpp:
2725         (JSC::DFG::FixupPhase::fixupNode):
2726         * dfg/DFGNode.h:
2727         (JSC::DFG::Node::hasArrayMode):
2728         * dfg/DFGNodeType.h:
2729         * dfg/DFGOperations.cpp:
2730         * dfg/DFGOperations.h:
2731         * dfg/DFGPredictionPropagationPhase.cpp:
2732         * dfg/DFGSafeToExecute.h:
2733         (JSC::DFG::safeToExecute):
2734         * dfg/DFGSpeculativeJIT.cpp:
2735         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
2736         (JSC::DFG::SpeculativeJIT::speculateObject):
2737         * dfg/DFGSpeculativeJIT.h:
2738         (JSC::DFG::SpeculativeJIT::callOperation):
2739         * dfg/DFGSpeculativeJIT32_64.cpp:
2740         (JSC::DFG::SpeculativeJIT::compile):
2741         * dfg/DFGSpeculativeJIT64.cpp:
2742         (JSC::DFG::SpeculativeJIT::compile):
2743         (JSC::DFG::SpeculativeJIT::speculateInt32):
2744         * ftl/FTLCapabilities.cpp:
2745         (JSC::FTL::canCompile):
2746         * ftl/FTLLowerDFGToB3.cpp:
2747         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2748         (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf):
2749         * jit/JITOperations.h:
2750         * runtime/ArrayPrototype.cpp:
2751         (JSC::ArrayPrototype::finishCreation):
2752         * runtime/Intrinsic.cpp:
2753         (JSC::intrinsicName):
2754         * runtime/Intrinsic.h:
2755
2756 2017-06-11  Keith Miller  <keith_miller@apple.com>
2757
2758         TypedArray constructor with string shouldn't throw
2759         https://bugs.webkit.org/show_bug.cgi?id=173181
2760
2761         Reviewed by JF Bastien.
2762
2763         We should be coercing primitive arguments to numbers in the various
2764         TypedArray constructors.
2765
2766         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2767         (JSC::constructGenericTypedArrayViewWithArguments):
2768
2769 2017-06-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2770
2771         [WTF] Make ThreadMessage portable
2772         https://bugs.webkit.org/show_bug.cgi?id=172073
2773
2774         Reviewed by Keith Miller.
2775
2776         * runtime/MachineContext.h:
2777         (JSC::MachineContext::stackPointer):
2778         * tools/CodeProfiling.cpp:
2779         (JSC::profilingTimer):
2780
2781 2017-06-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2782
2783         [JSC] Shrink Structure size
2784         https://bugs.webkit.org/show_bug.cgi?id=173239
2785
2786         Reviewed by Mark Lam.
2787
2788         We find that the size of our Structure is slightly enlarged due to padding.
2789         By changing the order of members, we can reduce the size from 120 to 112.
2790         This is good because 120 and 112 are categorized into different size classes.
2791         For 120, we allocate 128 bytes. And for 112, we allocate 112 bytes.
2792         We now save 16 bytes per Structure for free.
2793
2794         * runtime/ConcurrentJSLock.h:
2795         * runtime/Structure.cpp:
2796         (JSC::Structure::Structure):
2797         * runtime/Structure.h:
2798
2799 2017-06-11  Konstantin Tokarev  <annulen@yandex.ru>
2800
2801         Unreviewed, attempt to fix JSC tests on Win after r217771
2802
2803         * jsc.cpp:
2804         (currentWorkingDirectory): buffer is not NULL-terminated
2805
2806 2017-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2807
2808         [WTF] Add RegisteredSymbolImpl
2809         https://bugs.webkit.org/show_bug.cgi?id=173230
2810
2811         Reviewed by Mark Lam.
2812
2813         * runtime/SymbolConstructor.cpp:
2814         (JSC::symbolConstructorKeyFor):
2815
2816 2017-06-10  Dan Bernstein  <mitz@apple.com>
2817
2818         Reverted r218056 because it made the IDE reindex constantly.
2819
2820         * Configurations/DebugRelease.xcconfig:
2821
2822 2017-06-10  Dan Bernstein  <mitz@apple.com>
2823
2824         [Xcode] With Xcode 9 developer beta, everything rebuilds when switching between command-line and IDE
2825         https://bugs.webkit.org/show_bug.cgi?id=173223
2826
2827         Reviewed by Sam Weinig.
2828
2829         The rebuilds were happening due to a difference in the compiler options that the IDE and
2830         xcodebuild were specifying. Only the IDE was passing the -index-store-path option. To make
2831         xcodebuild pass that option, too, set CLANG_INDEX_STORE_ENABLE to YES if it is unset, and
2832         specify an appropriate path in CLANG_INDEX_STORE_PATH.
2833
2834         * Configurations/DebugRelease.xcconfig:
2835
2836 2017-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2837
2838         [JSC] Update RegExp.prototype[@@search] implementation according to the latest spec
2839         https://bugs.webkit.org/show_bug.cgi?id=173227
2840
2841         Reviewed by Mark Lam.
2842
2843         The latest spec introduces a slight change to RegExp.prototype[@@search].
2844         This patch applies this change. Basically, this change is done in the slow path of
2845         the RegExp.prototype[@@search].
2846         https://tc39.github.io/ecma262/#sec-regexp.prototype-@@search
2847
2848         * builtins/RegExpPrototype.js:
2849         (search):
2850
2851 2017-06-09  Chris Dumez  <cdumez@apple.com>
2852
2853         Update Thread::create() to take in a WTF::Function instead of a std::function
2854         https://bugs.webkit.org/show_bug.cgi?id=173175
2855
2856         Reviewed by Mark Lam.
2857
2858         * API/tests/CompareAndSwapTest.cpp:
2859         (testCompareAndSwap):
2860
2861 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2862
2863         [DFG] Add verboseDFGOSRExit
2864         https://bugs.webkit.org/show_bug.cgi?id=173156
2865
2866         Reviewed by Saam Barati.
2867
2868         This patch adds verboseDFGOSRExit which is similar to verboseFTLOSRExit.
2869
2870         * dfg/DFGOSRExitCompiler.cpp:
2871         * runtime/Options.h:
2872
2873 2017-06-09  Guillaume Emont  <guijemont@igalia.com>
2874
2875         [JSC][MIPS] Add MacroAssemblerMIPS::xor32(Address, RegisterID) implementation
2876         https://bugs.webkit.org/show_bug.cgi?id=173170
2877
2878         Reviewed by Yusuke Suzuki.
2879
2880         MIPS does not build since r217711 because it is missing this
2881         implementation. This patch fixes the build.
2882
2883         * assembler/MacroAssemblerMIPS.h:
2884         (JSC::MacroAssemblerMIPS::xor32):
2885
2886 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2887
2888         [JSC] FTL does not require dlfcn
2889         https://bugs.webkit.org/show_bug.cgi?id=173143
2890
2891         Reviewed by Darin Adler.
2892
2893         We no longer use the LLVM library. Thus, dlfcn.h is not necessary.
2894         Also, ProcessID is not used in FTLLowerDFGToB3.cpp.
2895
2896         * ftl/FTLLowerDFGToB3.cpp:
2897
2898 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2899
2900         [DFG] Add --verboseDFGFailure
2901         https://bugs.webkit.org/show_bug.cgi?id=173155
2902
2903         Reviewed by Sam Weinig.
2904
2905         Similar to verboseFTLFailure, JSC should have verboseDFGFailure flag to show DFG failures quickly.
2906
2907         * dfg/DFGCapabilities.cpp:
2908         (JSC::DFG::verboseCapabilities):
2909         (JSC::DFG::debugFail):
2910         * runtime/Options.cpp:
2911         (JSC::recomputeDependentOptions):
2912         * runtime/Options.h:
2913
2914 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2915
2916         [JSC] Drop OS(DARWIN) for VM_TAG_FOR_WEBASSEMBLY_MEMORY
2917         https://bugs.webkit.org/show_bug.cgi?id=173147
2918
2919         Reviewed by JF Bastien.
2920
2921         This value becomes -1 in non-Darwin environments.
2922         Thus, we do not need to use OS(DARWIN) here.
2923
2924         * wasm/WasmMemory.cpp:
2925
2926 2017-06-09  Daewoong Jang  <daewoong.jang@navercorp.com>
2927
2928         Reduce compiler warnings
2929         https://bugs.webkit.org/show_bug.cgi?id=172078
2930
2931         Reviewed by Yusuke Suzuki.
2932
2933         * runtime/IntlDateTimeFormat.h:
2934
2935 2017-06-08  Joseph Pecoraro  <pecoraro@apple.com>
2936
2937         [Cocoa] JSWrapperMap leaks for all JSContexts
2938         https://bugs.webkit.org/show_bug.cgi?id=173110
2939         <rdar://problem/32602198>
2940
2941         Reviewed by Geoffrey Garen.
2942
2943         * API/JSContext.mm:
2944         (-[JSContext ensureWrapperMap]):
2945         Ensure this allocation gets released.
2946
2947 2017-06-08  Filip Pizlo  <fpizlo@apple.com>
2948
2949         REGRESSION: js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-5.html has a flaky failure
2950         https://bugs.webkit.org/show_bug.cgi?id=161156
2951
2952         Reviewed by Saam Barati.
2953         
2954         Since LLInt does not register impure property watchpoints for self property accesses, it
2955         shouldn't try to cache accesses that require a watchpoint.
2956         
2957         This manifested as a flaky failure because the test would fire the watchpoint after we had
2958         usually already tiered up. Without concurrent JIT, we would have always tiered up before
2959         getting to the bad case. With concurrent JIT, we would sometimes not tier up by that time. This
2960         also adds a test that deterministically failed in LLInt without this change; it does so by just
2961         running a lot shorter.
2962
2963         * llint/LLIntSlowPaths.cpp:
2964         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2965
2966 2017-06-08  Keith Miller  <keith_miller@apple.com>
2967
2968         WebAssembly: We should only create wrappers for functions that can be exported
2969         https://bugs.webkit.org/show_bug.cgi?id=173088
2970
2971         Reviewed by Saam Barati.
2972
2973         This patch makes it so we only create wrappers for WebAssembly functions that
2974         can actually be exported. It appears to be a ~2.5% speedup on WasmBench compile times.
2975
2976         This patch also removes most of the old testWasmModuleFunctions api from the jsc CLI.
2977         Most of the tests were duplicates of ones in the spec-tests directory. The others I
2978         have converted to use the normal API.
2979
2980         * jsc.cpp:
2981         (GlobalObject::finishCreation):
2982         (valueWithTypeOfWasmValue): Deleted.
2983         (box): Deleted.
2984         (callWasmFunction): Deleted.
2985         (functionTestWasmModuleFunctions): Deleted.
2986         * wasm/WasmB3IRGenerator.cpp:
2987         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2988         (JSC::Wasm::createJSToWasmWrapper):
2989         (JSC::Wasm::parseAndCompile):
2990         * wasm/WasmB3IRGenerator.h:
2991         * wasm/WasmBBQPlan.cpp:
2992         (JSC::Wasm::BBQPlan::prepare):
2993         (JSC::Wasm::BBQPlan::compileFunctions):
2994         (JSC::Wasm::BBQPlan::complete):
2995         * wasm/WasmBBQPlan.h:
2996         * wasm/WasmBBQPlanInlines.h:
2997         (JSC::Wasm::BBQPlan::initializeCallees):
2998         * wasm/WasmCodeBlock.cpp:
2999         (JSC::Wasm::CodeBlock::CodeBlock):
3000         * wasm/WasmCodeBlock.h:
3001         (JSC::Wasm::CodeBlock::jsEntrypointCalleeFromFunctionIndexSpace):
3002         * wasm/WasmFormat.h:
3003         * wasm/WasmOMGPlan.cpp:
3004         (JSC::Wasm::OMGPlan::work):
3005
3006 2017-06-07  JF Bastien  <jfbastien@apple.com>
3007
3008         WebAssembly: test imports and exports with 16-bit characters
3009         https://bugs.webkit.org/show_bug.cgi?id=165977
3010         <rdar://problem/29760130>
3011
3012         Reviewed by Saam Barati.
3013
3014         Add the missing UTF-8 conversions. Improve import failure error
3015         messages, otherwise it's hard to figure out which import is wrong.
3016
3017         * wasm/js/JSWebAssemblyInstance.cpp:
3018         (JSC::JSWebAssemblyInstance::create):
3019         * wasm/js/WebAssemblyModuleRecord.cpp:
3020         (JSC::WebAssemblyModuleRecord::finishCreation):
3021         (JSC::WebAssemblyModuleRecord::link):
3022
3023 2017-06-07  Devin Rousso  <drousso@apple.com>
3024
3025         Web Inspector: Add ContextMenu item to log WebSocket object to console
3026         https://bugs.webkit.org/show_bug.cgi?id=172878
3027
3028         Reviewed by Joseph Pecoraro.
3029
3030         * inspector/protocol/Network.json:
3031         Add resolveWebSocket command.
3032
3033 2017-06-07  Jon Davis  <jond@apple.com>
3034
3035         Update feature status for features Supported In Preview
3036         https://bugs.webkit.org/show_bug.cgi?id=173071
3037
3038         Reviewed by Darin Adler.
3039
3040         Updated Media Capture and Streams, Performance Observer, Resource Timing Level 2,
3041         User Timing Level 2, Web Cryptography API, WebGL 2, WebRTC.
3042
3043         * features.json:
3044
3045 2017-06-07  Saam Barati  <sbarati@apple.com>
3046
3047         Assertion failure in com.apple.WebKit.WebContent.Development in com.apple.JavaScriptCore: JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined + 141
3048         https://bugs.webkit.org/show_bug.cgi?id=172673
3049         <rdar://problem/32250144>
3050
3051         Reviewed by Mark Lam.
3052
3053         This patch simply removes this assertion. It's faulty because it
3054         races with the main thread when doing concurrent compilation.
3055         
3056         Consider a program with:
3057         - a FrozenValue over an object O and Structure S1. S1 starts off as dfgWatchable() being true.
3058         - Structure S2
3059         
3060         The DFG IR is like so:
3061           a: JSConstant(O) // FrozenValue {O, S1}
3062           b: CheckStructure(@a, S2)
3063           c: ToThis(@a)
3064           d: CheckEq(@c, nullConstant)
3065           Branch(@d)
3066         
3067         The AbstractValue for @a will start off as having a finite structure because S1 is dfgWatchable().
3068         When running AI, we'll notice that node @b will OSR exit, so nodes after
3069         @b are unreachable. Later in the compilation, S1 is no longer dfgWatchable().
3070         Now, when running AI, @a will have Top for its structure set. No longer will
3071         we think @b exits.
3072         
3073         The DFG backend asserts that under such a situation, we should have simplified
3074         the CheckEq to false. However, this is a racy thing to assert, since the
3075         transition from dfgWatchable() to !dfgWatchable() can happen right before we
3076         enter the backend. Hence, this assertion is not valid.
3077         
3078         (Note, the generated code for the above program will never actually execute.
3079         Since we noticed S1 as dfgWatchable(), we make the compilation dependent on
3080         S1 not transitioning. S1 transitions, so we won't actually run the code that
3081         gets compiled.)
3082
3083         * dfg/DFGSpeculativeJIT64.cpp:
3084         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
3085
3086 2017-06-07  Yusuke Suzuki  <utatane.tea@gmail.com>
3087
3088         [JSC] has_generic_property never accepts non-String
3089         https://bugs.webkit.org/show_bug.cgi?id=173057
3090
3091         Reviewed by Darin Adler.
3092
3093         We never pass a non-String value to the has_generic_property bytecode.
3094
3095         * runtime/CommonSlowPaths.cpp:
3096         (JSC::SLOW_PATH_DECL):
3097
3098 2017-06-06  Fujii Hironori  <Hironori.Fujii@sony.com>
3099
3100         [Win][x86-64] Some callee saved registers aren't preserved
3101         https://bugs.webkit.org/show_bug.cgi?id=171266
3102
3103         Reviewed by Saam Barati.
3104
3105         * jit/RegisterSet.cpp:
3106         (JSC::RegisterSet::calleeSaveRegisters): Added edi and esi for X86_64 Windows.
3107
3108 2017-06-06  Mark Lam  <mark.lam@apple.com>
3109
3110         Contiguous storage butterfly length should not exceed MAX_STORAGE_VECTOR_LENGTH.
3111         https://bugs.webkit.org/show_bug.cgi?id=173035
3112         <rdar://problem/32554593>
3113
3114         Reviewed by Geoffrey Garen and Filip Pizlo.
3115
3116         Also added and fixed up some assertions.
3117
3118         * runtime/ArrayConventions.h:
3119         * runtime/JSArray.cpp:
3120         (JSC::JSArray::setLength):
3121         * runtime/JSObject.cpp:
3122         (JSC::JSObject::createInitialIndexedStorage):
3123         (JSC::JSObject::ensureLengthSlow):
3124         (JSC::JSObject::reallocateAndShrinkButterfly):
3125         * runtime/JSObject.h:
3126         (JSC::JSObject::ensureLength):
3127         * runtime/RegExpObject.cpp:
3128         (JSC::collectMatches):
3129         * runtime/RegExpPrototype.cpp:
3130         (JSC::regExpProtoFuncSplitFast):
3131
3132 2017-06-06  Saam Barati  <sbarati@apple.com>
3133
3134         Make sure we restore SP when doing calls that could be to JS
3135         https://bugs.webkit.org/show_bug.cgi?id=172946
3136         <rdar://problem/32579026>
3137
3138         Reviewed by JF Bastien.
3139
3140         I was worried that there was a bug where we'd call JS, JS would tail call,
3141         and we'd end up with a bogus SP. However, this bug does not exist since wasm
3142         always calls to JS through a stub, and the stub treats SP as a callee save.
3143         
3144         I wrote a test for this, and also made a note that this is the needed ABI.
3145
3146         * wasm/WasmBinding.cpp:
3147         (JSC::Wasm::wasmToJs):
3148
3149 2017-06-06  Keith Miller  <keith_miller@apple.com>
3150
3151         OMG tier up checks should be a patchpoint
3152         https://bugs.webkit.org/show_bug.cgi?id=172944
3153
3154         Reviewed by Saam Barati.
3155
3156         Tier up checks in BBQ should be done as a patchpoint rather than individual B3 opcodes,
3157         in order to reduce code generated out of line in each function. We generate a single stub
3158         that pushes all the callee-saves. This looks like a 5-10% compile time speedup.
3159
3160         * wasm/WasmB3IRGenerator.cpp:
3161         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3162         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
3163         (JSC::Wasm::B3IRGenerator::addLoop):
3164         * wasm/WasmThunks.cpp:
3165         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
3166         * wasm/WasmThunks.h:
3167
3168 2017-06-06  Darin Adler  <darin@apple.com>
3169
3170         Cut down use of WTF_ARRAY_LENGTH
3171         https://bugs.webkit.org/show_bug.cgi?id=172997
3172
3173         Reviewed by Chris Dumez.
3174
3175         * parser/Lexer.cpp:
3176         (JSC::singleEscape): Use WTF_ARRAY_LENGTH instead of ARRAY_SIZE.
3177
3178         * runtime/NumberPrototype.cpp:
3179         (JSC::toStringWithRadix): Use std::end instead of WTF_ARRAY_LENGTH.
3180
3181 2017-06-06  Konstantin Tokarev  <annulen@yandex.ru>
3182
3183         Add missing <functional> includes
3184         https://bugs.webkit.org/show_bug.cgi?id=173017
3185
3186         Patch by Thiago Macieira <thiago.macieira@intel.com>
3187         Reviewed by Yusuke Suzuki.
3188
3189         This patch fixes compilation with GCC 7.
3190
3191         * inspector/InspectorBackendDispatcher.h:
3192
3193 2017-06-06  Filip Pizlo  <fpizlo@apple.com>
3194
3195         Unreviewed, fix 32-bit build.
3196
3197         * jit/JITOpcodes.cpp:
3198         (JSC::JIT::emit_op_unreachable):
3199
3200 2017-06-06  Joseph Pecoraro  <pecoraro@apple.com>
3201
3202         Unreviewed rollout r217807. Caused a test to crash.
3203
3204         * heap/HeapSnapshotBuilder.cpp:
3205         (JSC::HeapSnapshotBuilder::buildSnapshot):
3206         (JSC::HeapSnapshotBuilder::json):
3207         (): Deleted.
3208         * heap/HeapSnapshotBuilder.h:
3209         * runtime/JSObject.cpp:
3210         (JSC::JSObject::calculatedClassName):
3211
3212 2017-06-06  Filip Pizlo  <fpizlo@apple.com>
3213
3214         index out of bound in bytecodebasicblock
3215         https://bugs.webkit.org/show_bug.cgi?id=172963
3216
3217         Reviewed by Saam Barati and Mark Lam.
3218         
3219         We were leaving an unterminated basic block when generating CodeForCall for a class
3220         constructor. This was mostly benign since that unterminated block was not reachable, but it
3221         does cause an ASSERT.
3222         
3223         This fixes the issue by appending op_unreachable to that block. I added op_unreachable because
3224         this really is the cleanest and most idiomatic way to solve this problem, so even though it
3225         makes the change bigger it's probably worth it.
3226
3227         * bytecode/BytecodeDumper.cpp:
3228         (JSC::BytecodeDumper<Block>::dumpBytecode):
3229         * bytecode/BytecodeList.json:
3230         * bytecode/BytecodeUseDef.h:
3231         (JSC::computeUsesForBytecodeOffset):
3232         (JSC::computeDefsForBytecodeOffset):
3233         * bytecode/Opcode.h:
3234         (JSC::isTerminal):
3235         * bytecompiler/BytecodeGenerator.cpp:
3236         (JSC::BytecodeGenerator::generate):
3237         (JSC::BytecodeGenerator::emitUnreachable):
3238         * bytecompiler/BytecodeGenerator.h:
3239         * dfg/DFGByteCodeParser.cpp:
3240         (JSC::DFG::ByteCodeParser::parseBlock):
3241         * dfg/DFGCapabilities.cpp:
3242         (JSC::DFG::capabilityLevel):
3243         * ftl/FTLLowerDFGToB3.cpp:
3244         (JSC::FTL::DFG::LowerDFGToB3::compileUnreachable):
3245         * jit/JIT.cpp:
3246         (JSC::JIT::privateCompileMainPass):
3247         * jit/JIT.h:
3248         * jit/JITOpcodes.cpp:
3249         (JSC::JIT::emit_op_unreachable):
3250         * llint/LowLevelInterpreter.asm:
3251         * runtime/CommonSlowPaths.cpp:
3252         (JSC::SLOW_PATH_DECL):
3253         * runtime/CommonSlowPaths.h:
3254
3255 2017-06-06  Ryan Haddad  <ryanhaddad@apple.com>
3256
3257         Unreviewed, rolling out r217812.
3258
3259         This change caused test failures on arm64.
3260
3261         Reverted changeset:
3262
3263         "OMG tier up checks should be a patchpoint"
3264         https://bugs.webkit.org/show_bug.cgi?id=172944
3265         http://trac.webkit.org/changeset/217812
3266
3267 2017-06-06  Carlos Garcia Campos  <cgarcia@igalia.com>
3268
3269         [WPE] Enable remote inspector
3270         https://bugs.webkit.org/show_bug.cgi?id=172971
3271
3272         Reviewed by Žan Doberšek.
3273
3274         We can just build the current glib remote inspector, without adding a frontend implementation and using a
3275         WebKitGTK+ browser as frontend for now.
3276
3277         * PlatformWPE.cmake: Add remote inspector files to compilation.
3278         * inspector/remote/glib/RemoteInspectorUtils.cpp:
3279         (Inspector::backendCommands): Load the inspector resources library.
3280
3281 2017-06-06  Carlos Garcia Campos  <cgarcia@igalia.com>
3282
3283         [GLIB] Make remote inspector DBus protocol common to all glib based ports
3284         https://bugs.webkit.org/show_bug.cgi?id=172970
3285
3286         Reviewed by Žan Doberšek.
3287
3288         We are currently using "webkitgtk" in the names of DBus interfaces and object paths inside an ifdef with the
3289         idea that other ports could use their own names. However, the protocol is the same, so we could use the same
3290         names and make all glib based ports compatible with each other. This way we could use the GTK+ MiniBrowser to
3291         debug WPE, without having to implement the frontend part in WPE yet.
3292
3293         * inspector/remote/glib/RemoteInspectorGlib.cpp: Use webkit instead of webkitgtk and remove platform ifdefs.
3294         * inspector/remote/glib/RemoteInspectorServer.cpp: Ditto.
3295
3296 2017-06-06  Carlos Garcia Campos  <cgarcia@igalia.com>
3297
3298         [GTK] Web Process deadlock when closing the remote inspector frontend
3299         https://bugs.webkit.org/show_bug.cgi?id=172973
3300
3301         Reviewed by Žan Doberšek.
3302
3303         We are taking the remote inspector mutex twice. First, a close message is received, and receivedCloseMessage()
3304         takes the mutex. Then RemoteConnectionToTarget::close() is called that, when connected, calls
3305         PageDebuggable::disconnect() that ends up calling RemoteInspector::updateTarget() that also takes the remote
3306         inspector mutex. We should release the mutex before calling RemoteConnectionToTarget::close().
3307
3308         * inspector/remote/glib/RemoteInspectorGlib.cpp:
3309         (Inspector::RemoteInspector::receivedCloseMessage):
3310
3311 2017-06-05  Saam Barati  <sbarati@apple.com>
3312
3313         Try to fix features.json by adding an ESNext section.
3314
3315         Unreviewed.
3316
3317         * features.json:
3318
3319 2017-06-05  David Kilzer  <ddkilzer@apple.com>
3320
3321         Follow-up: Update JSC's features.json
3322         https://bugs.webkit.org/show_bug.cgi?id=172942
3323
3324         Rubber-stamped by Jon Davis.
3325
3326         * features.json: Change "Supported in preview" to
3327         "Supported" to try to fix <https://webkit.org/status/>.
3328
3329 2017-06-05  Saam Barati  <sbarati@apple.com>
3330
3331         We don't properly parse init_expr when the opcode is an unexpected opcode
3332         https://bugs.webkit.org/show_bug.cgi?id=172945
3333
3334         Reviewed by JF Bastien.
3335
3336         The bug is a simple typo. It should use the constant
3337         `true` instead of `false` when invoking the WASM_PARSER_FAIL_IF
3338         macro. This failure is already caught by spec tests that fail
3339         on arm64 devices.
3340
3341         * wasm/WasmModuleParser.cpp:
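
As an added example (my own code, not the parser in wasm/WasmModuleParser.cpp), here is a small init_expr parser whose default case passes `true` to its fail-if macro, the way the entry above says the real macro must be invoked. The opcode values, the LEB128 encodings and the trailing `end` (0x0b) are the WebAssembly binary format's; the type and function names, the INIT_EXPR_FAIL_IF macro and the error strings are this example's assumptions. The sample byte sequences in the usage below are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Added example (not JSC's WasmModuleParser): a minimal parser for a
// WebAssembly init_expr, i.e. one constant instruction followed by `end`
// (0x0b). The macro mirrors the shape of the WASM_PARSER_FAIL_IF macro named
// above: the condition must be `true` for the parser to reject the input,
// which is exactly what the default (unexpected opcode) case below relies on.
#define INIT_EXPR_FAIL_IF(condition, message) \
    do { if (condition) { error = (message); return false; } } while (0)

struct InitExpr {
    uint8_t opcode = 0;   // 0x41 i32.const, 0x42 i64.const, 0x43 f32.const, 0x44 f64.const, 0x23 get_global
    uint64_t payload = 0; // sign-extended constant, raw float bits, or global index
};

// LEB128 of at most `maxBits` bits (5 bytes for 32-bit, 10 for 64-bit); signed
// values are sign-extended, unsigned values are range-checked.
static bool readLEB(const std::vector<uint8_t>& b, size_t& off, unsigned maxBits, bool isSigned, uint64_t& out, std::string& error)
{
    const unsigned maxBytes = (maxBits + 6) / 7;
    uint64_t result = 0;
    unsigned shift = 0, count = 0;
    uint8_t byte;
    do {
        INIT_EXPR_FAIL_IF(off >= b.size(), "truncated LEB128");
        INIT_EXPR_FAIL_IF(++count > maxBytes, "LEB128 too long");
        byte = b[off++];
        result |= uint64_t(byte & 0x7f) << shift;
        shift += 7;
    } while (byte & 0x80);
    if (isSigned && shift < 64 && (byte & 0x40))
        result |= ~uint64_t(0) << shift; // sign-extend from the last group
    INIT_EXPR_FAIL_IF(!isSigned && maxBits < 64 && (result >> maxBits), "LEB128 exceeds width");
    out = result;
    return true;
}

// Little-endian fixed-width read of `n` bytes into raw bits (independent of host endianness).
static bool readLE(const std::vector<uint8_t>& b, size_t& off, unsigned n, uint64_t& out, std::string& error)
{
    INIT_EXPR_FAIL_IF(off + n > b.size(), "truncated constant");
    out = 0;
    for (unsigned i = 0; i < n; ++i)
        out |= uint64_t(b[off + i]) << (8 * i);
    off += n;
    return true;
}

// Parses one init_expr at `off`, advancing past its `end`. `globalCount`
// bounds get_global. Returns false with `error` set on any malformed input.
static bool parseInitExpr(const std::vector<uint8_t>& b, size_t& off, uint32_t globalCount, InitExpr& out, std::string& error)
{
    INIT_EXPR_FAIL_IF(off >= b.size(), "truncated init_expr");
    out.opcode = b[off++];
    switch (out.opcode) {
    case 0x41: if (!readLEB(b, off, 32, true, out.payload, error)) return false; break;
    case 0x42: if (!readLEB(b, off, 64, true, out.payload, error)) return false; break;
    case 0x43: if (!readLE(b, off, 4, out.payload, error)) return false; break;
    case 0x44: if (!readLE(b, off, 8, out.payload, error)) return false; break;
    case 0x23:
        if (!readLEB(b, off, 32, false, out.payload, error)) return false;
        INIT_EXPR_FAIL_IF(out.payload >= globalCount, "get_global index out of range");
        break;
    default:
        // With `false` here (the typo the entry describes) the unknown opcode
        // would be silently accepted and parsing would continue.
        INIT_EXPR_FAIL_IF(true, "unexpected opcode in init_expr");
    }
    INIT_EXPR_FAIL_IF(off >= b.size() || b[off] != 0x0b, "init_expr must end with end (0x0b)");
    ++off;
    return true;
}

// Convenience wrapper that renders the outcome as a single string.
static std::string describeInitExpr(const std::vector<uint8_t>& bytes, uint32_t globalCount)
{
    size_t off = 0; InitExpr e; std::string error;
    if (!parseInitExpr(bytes, off, globalCount, e, error))
        return "error: " + error;
    return "ok opcode=" + std::to_string(e.opcode) + " payload=" + std::to_string(e.payload) + " consumed=" + std::to_string(off);
}
```

Usage: `describeInitExpr({0x41, 0x2A, 0x0b}, 0)` yields an i32.const of 42; `describeInitExpr({0x10, 0x0b}, 0)` is rejected with "unexpected opcode in init_expr". The parser also rejects truncated input, over-long LEB128 sequences, a missing `end` and an out-of-range global index, so every reject path is reachable from constructed bytes.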
3342
3343 2017-06-05  Keith Miller  <keith_miller@apple.com>
3344
3345         OMG tier up checks should be a patchpoint
3346         https://bugs.webkit.org/show_bug.cgi?id=172944
3347
3348         Reviewed by Saam Barati.
3349
3350         Tier up checks in BBQ should be done as a patchpoint rather than individual B3 opcodes,
3351         in order to reduce code generated out of line in each function. We generate a single stub
3352         that pushes all the callee-saves. This looks like a 5-10% compile time speedup.
3353
3354         * wasm/WasmB3IRGenerator.cpp:
3355         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3356         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
3357         (JSC::Wasm::B3IRGenerator::addLoop):
3358         * wasm/WasmThunks.cpp:
3359         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
3360         * wasm/WasmThunks.h:
3361
3362 2017-06-05  Joseph Pecoraro  <pecoraro@apple.com>
3363
3364         Remove unused VM members
3365         https://bugs.webkit.org/show_bug.cgi?id=172941
3366
3367         Reviewed by Mark Lam.
3368
3369         * runtime/HashMapImpl.h:
3370         (JSC::HashMapImpl::selectStructure): Deleted.
3371         * runtime/VM.cpp:
3372         (JSC::VM::VM):
3373         * runtime/VM.h:
3374
3375 2017-06-05  Joseph Pecoraro  <pecoraro@apple.com>
3376
3377         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
3378         https://bugs.webkit.org/show_bug.cgi?id=172848
3379         <rdar://problem/25709212>
3380
3381         Reviewed by Saam Barati.
3382
3383         * heap/HeapSnapshotBuilder.h:
3384         * heap/HeapSnapshotBuilder.cpp:
3385         Update the snapshot version. Change the node's 0 | 1 internal value
3386         to be a 32-bit bit flag. This is nice in that it is both compatible
3387         with the previous snapshot version and the same size. We can use more
3388         flags in the future.
3389
3390         (JSC::HeapSnapshotBuilder::json):
3391         In cases where the classInfo gives us "Object" check for a better
3392         class name by checking (o).__proto__.constructor.name. We avoid this
3393         check in cases where (o).hasOwnProperty("constructor") which is the
3394         case for most Foo.prototype objects. Otherwise this would get the
3395         name of the Foo superclass for the Foo.prototype object.
3396
3397         * runtime/JSObject.cpp:
3398         (JSC::JSObject::calculatedClassName):
3399         Handle some possible edge cases that were not handled before, such
3400         as a JSObject without a GlobalObject, and an object which doesn't
3401         have a default getPrototype. Try to make the code a little clearer.
3402
3403 2017-06-05  Saam Barati  <sbarati@apple.com>
3404
3405         Update JSC's features.json
3406         https://bugs.webkit.org/show_bug.cgi?id=172942
3407
3408         Rubber stamped by Mark Lam.
3409
3410         * features.json:
3411
3412 2017-06-04  Konstantin Tokarev  <annulen@yandex.ru>
3413
3414         Fix build of Windows-specific code with ICU 59.1
3415         https://bugs.webkit.org/show_bug.cgi?id=172729
3416
3417         Reviewed by Darin Adler.
3418
3419         Fix conversions from WTF::String to wchar_t* and vice versa.
3420
3421         * jsc.cpp:
3422         (currentWorkingDirectory):
3423         (fetchModuleFromLocalFileSystem):
3424         * runtime/DateConversion.cpp:
3425         (JSC::formatDateTime):
3426
3427 2017-06-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3428
3429         [JSC] Drop unnecessary USE(CF) guard for getenv
3430         https://bugs.webkit.org/show_bug.cgi?id=172903
3431
3432         Reviewed by Sam Weinig.
3433
3434         getenv is not related to USE(CF) and OS(UNIX). It seems that this
3435         ifdef only hits in WinCairo, but WinCairo can use getenv.
3436         Moreover, in VM::VM, we already use getenv without any ifdef guard.
3437
3438         This patch just drops it.
3439
3440         * runtime/VM.cpp:
3441         (JSC::enableAssembler):
3442
3443 2017-06-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3444
3445         [JSC] Drop OS(DARWIN) for uintptr_t type conflict
3446         https://bugs.webkit.org/show_bug.cgi?id=172904
3447
3448         Reviewed by Sam Weinig.
3449
3450         In non-Darwin environments, uintptr_t may have the same type
3451         as uint64_t. We avoided the compile error by using OS(DARWIN).
3452         But, since it depends on the cstdint implementation rather than the OS, it is flaky.
3453         Instead, we just use template parameter IntegralType.
3454         And we describe the type constraint in a SFINAE manner.
3455
3456         * dfg/DFGOpInfo.h:
3457         (JSC::DFG::OpInfo::OpInfo):
3458
3459 2017-06-03  Csaba Osztrogonác  <ossy@webkit.org>
3460
3461         [ARM] Unreviewed buildfix after r217711.
3462
3463         * assembler/MacroAssemblerARM.h:
3464         (JSC::MacroAssemblerARM::xor32):
3465
3466 2017-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>
3467
3468         ASSERTION FAILED: "We should only declare a function as a lexically scoped variable in scopes where var declarations aren't allowed. ..." for function redeclaration with async function module export
3469         https://bugs.webkit.org/show_bug.cgi?id=168844
3470
3471         Reviewed by Saam Barati.
3472
3473         As with the exported function declaration, we should set statementDepth = 1 for the exported async function declaration.
3474
3475         * parser/Parser.cpp:
3476         (JSC::DepthManager::DepthManager):
3477         (JSC::Parser<LexerType>::parseExportDeclaration):
3478         * parser/Parser.h:
3479         (JSC::Parser::DepthManager::DepthManager): Deleted.
3480         (JSC::Parser::DepthManager::~DepthManager): Deleted.
3481
3482 2017-06-02  Keith Miller  <keith_miller@apple.com>
3483
3484         Defer installing mach breakpoint handler until watchdog is actually called
3485         https://bugs.webkit.org/show_bug.cgi?id=172885
3486
3487         Reviewed by Saam Barati.
3488
3489         Eagerly installing the mach breakpoint handler causes issues with Xcode GUI debugging.
3490         This hides the issue, so it won't occur as often.
3491
3492         * runtime/VMTraps.cpp:
3493         (JSC::VMTraps::SignalSender::send):
3494         (JSC::VMTraps::VMTraps): Deleted.
3495         * runtime/VMTraps.h:
3496
3497 2017-06-02  Filip Pizlo  <fpizlo@apple.com>
3498
3499         Atomics.load and Atomics.store need to be fully fenced
3500         https://bugs.webkit.org/show_bug.cgi?id=172844
3501
3502         Reviewed by Keith Miller.
3503         
3504         Implement fully fenced loads and stores in FTL using AtomicXchgAdd(0, ptr) for the load and
3505         AtomicXchg(value, ptr) for the store.
3506         
3507         DFG needed no changes because it implements all atomics using a CAS loop.
3508         
3509         AtomicsObject.cpp now uses the new Atomic<> API for fully fenced loads and stores.
3510         
3511         Prior to this change, we used half fences (acquire/release) for atomic loads and stores. This
3512         is not correct according to my current understanding of the SAB memory model, which requires
3513         that atomic operations are SC with respect to everything not just other atomics.
3514
3515         * ftl/FTLLowerDFGToB3.cpp:
3516         (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
3517         * ftl/FTLOutput.cpp:
3518         (JSC::FTL::Output::atomicWeakCAS):
3519         * ftl/FTLOutput.h:
3520         * runtime/AtomicsObject.cpp:
3521
3522 2017-06-02  Ryan Haddad  <ryanhaddad@apple.com>
3523
3524         Unreviewed, attempt to fix the iOS build after r217711.
3525
3526         * assembler/MacroAssemblerARM64.h:
3527         (JSC::MacroAssemblerARM64::xor32):
3528         (JSC::MacroAssemblerARM64::xor64):
3529
3530 2017-06-01  Filip Pizlo  <fpizlo@apple.com>
3531
3532         GC should use scrambled free-lists
3533         https://bugs.webkit.org/show_bug.cgi?id=172793
3534
3535         Reviewed by Mark Lam.
3536         
3537         Previously, our bump'n'pop allocator would use a conventional linked-list for the free-list.
3538         The linked-list would be threaded through free memory, as is the usual convention.
3539         
3540         This scrambles the next pointers of that free-list. It also scrambles the head pointer, because
3541         this leads to a more natural fast-path structure and saves one register on ARM64.
3542         
3543         The secret with which pointers are scrambled is per-allocator. Allocators choose a new secret
3544         every time they do a sweep-to-pop.
3545         
3546         This doesn't change the behavior of the bump part of bump'n'pop, but it does refactor the code
3547         quite a bit. Previously, there were four copies of the allocator fast path: two in
3548         MarkedAllocatorInlines.h, one in MarkedAllocator.cpp, and one in AssemblyHelpers.h. The JIT one
3549         was obviously different-looking, but the other three were almost identical. This moves all of
3550         that logic into FreeList. There are now just two copies of the allocator: FreeListInlines.h and
3551         AssemblyHelpers.h.
3552         
3553         This appears to be just as fast as our previous allocator.
3554
3555         * JavaScriptCore.xcodeproj/project.pbxproj:
3556         * heap/FreeList.cpp:
3557         (JSC::FreeList::FreeList):
3558         (JSC::FreeList::~FreeList):
3559         (JSC::FreeList::clear):
3560         (JSC::FreeList::initializeList):
3561         (JSC::FreeList::initializeBump):
3562         (JSC::FreeList::contains):
3563         (JSC::FreeList::dump):
3564         * heap/FreeList.h:
3565         (JSC::FreeList::allocationWillFail):
3566         (JSC::FreeList::originalSize):
3567         (JSC::FreeList::addressOfList):
3568         (JSC::FreeList::offsetOfBlock):
3569         (JSC::FreeList::offsetOfList):
3570         (JSC::FreeList::offsetOfIndex):
3571         (JSC::FreeList::offsetOfPayloadEnd):
3572         (JSC::FreeList::offsetOfRemaining):
3573         (JSC::FreeList::offsetOfOriginalSize):
3574         (JSC::FreeList::FreeList): Deleted.
3575         (JSC::FreeList::list): Deleted.
3576         (JSC::FreeList::bump): Deleted.
3577         (JSC::FreeList::operator==): Deleted.
3578         (JSC::FreeList::operator!=): Deleted.
3579         (JSC::FreeList::operator bool): Deleted.
3580         * heap/FreeListInlines.h: Added.
3581         (JSC::FreeList::addFreeCell):
3582         (JSC::FreeList::allocate):
3583         (JSC::FreeList::forEach):
3584         (JSC::FreeList::toOffset):
3585         (JSC::FreeList::fromOffset):
3586         * heap/IncrementalSweeper.cpp:
3587         (JSC::IncrementalSweeper::sweepNextBlock):
3588         * heap/MarkedAllocator.cpp:
3589         (JSC::MarkedAllocator::MarkedAllocator):
3590         (JSC::MarkedAllocator::didConsumeFreeList):
3591         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
3592         (JSC::MarkedAllocator::tryAllocateIn):
3593         (JSC::MarkedAllocator::allocateSlowCaseImpl):
3594         (JSC::MarkedAllocator::stopAllocating):
3595         (JSC::MarkedAllocator::prepareForAllocation):
3596         (JSC::MarkedAllocator::resumeAllocating):
3597         (JSC::MarkedAllocator::sweep):
3598         (JSC::MarkedAllocator::setFreeList): Deleted.
3599         * heap/MarkedAllocator.h:
3600         (JSC::MarkedAllocator::freeList):
3601         (JSC::MarkedAllocator::isFreeListedCell): Deleted.
3602         * heap/MarkedAllocatorInlines.h:
3603         (JSC::MarkedAllocator::isFreeListedCell):
3604         (JSC::MarkedAllocator::tryAllocate):
3605         (JSC::MarkedAllocator::allocate):
3606         * heap/MarkedBlock.cpp:
3607         (JSC::MarkedBlock::Handle::stopAllocating):
3608         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
3609         (JSC::MarkedBlock::Handle::resumeAllocating):
3610         (JSC::MarkedBlock::Handle::zap):
3611         (JSC::MarkedBlock::Handle::sweep):
3612         (JSC::MarkedBlock::Handle::isFreeListedCell):
3613         (JSC::MarkedBlock::Handle::forEachFreeCell): Deleted.
3614         * heap/MarkedBlock.h:
3615         * heap/MarkedBlockInlines.h:
3616         (JSC::MarkedBlock::Handle::specializedSweep):
3617         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace):
3618         (JSC::MarkedBlock::Handle::isFreeListedCell): Deleted.
3619         * heap/Subspace.cpp:
3620         (JSC::Subspace::finishSweep):
3621         * heap/Subspace.h:
3622         * jit/AssemblyHelpers.h:
3623         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
3624         * runtime/JSDestructibleObjectSubspace.cpp:
3625         (JSC::JSDestructibleObjectSubspace::finishSweep):
3626         * runtime/JSDestructibleObjectSubspace.h:
3627         * runtime/JSSegmentedVariableObjectSubspace.cpp:
3628         (JSC::JSSegmentedVariableObjectSubspace::finishSweep):
3629         * runtime/JSSegmentedVariableObjectSubspace.h:
3630         * runtime/JSStringSubspace.cpp:
3631         (JSC::JSStringSubspace::finishSweep):
3632         * runtime/JSStringSubspace.h:
3633         * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp:
3634         (JSC::JSWebAssemblyCodeBlockSubspace::finishSweep):
3635         * wasm/js/JSWebAssemblyCodeBlockSubspace.h:
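
As an added example (my own code, not heap/FreeList.cpp or FreeListInlines.h), here is a pop-only free-list threaded through free memory whose head and next links are XOR-scrambled with a per-list secret that the caller refreshes on each re-initialization, the mechanism the entry above describes. The class and function names (ScrambledFreeList, makeSecret), the choice of XOR as the scramble and the in-block bounds/alignment check on a decoded link are this example's assumptions; the bounds check in particular is an addition that turns a forged or corrupted plain-pointer link into a detected failure instead of an allocation outside the block. The block and entropy value in the usage below are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Added example (not JSC's FreeList): a pop-only free-list threaded through
// free memory whose head and next links are XOR-scrambled with a per-list
// secret. The in-block check on a decoded link is this example's own
// hardening, not something the entry above claims for JSC.
class ScrambledFreeList {
public:
    // Threads `cellCount` cells of `cellSize` bytes starting at `block` onto
    // the list. The caller supplies a fresh secret on every (re)initialize,
    // mirroring "a new secret every time they do a sweep-to-pop".
    void initialize(void* block, size_t cellCount, size_t cellSize, uintptr_t secret)
    {
        m_secret = secret;
        m_blockStart = reinterpret_cast<uintptr_t>(block);
        m_blockEnd = m_blockStart + cellCount * cellSize;
        m_cellSize = cellSize;
        m_corruptionDetected = false;
        uintptr_t scrambledNext = scramble(0); // scrambled end-of-list marker
        for (size_t i = cellCount; i-- > 0;) { // walk backwards: lowest cell becomes head
            uintptr_t cell = m_blockStart + i * cellSize;
            storeLink(cell, scrambledNext);
            scrambledNext = scramble(cell);
        }
        m_scrambledHead = scrambledNext;
    }

    // Pops the head cell. Returns nullptr when the list is empty, or when the
    // decoded head is not a cell of this block (a corrupted or forged link).
    void* allocate()
    {
        uintptr_t head = unscramble(m_scrambledHead);
        if (!head)
            return nullptr;
        if (!isCellInBlock(head)) {
            m_corruptionDetected = true;
            m_scrambledHead = scramble(0); // never hand out the bad pointer
            return nullptr;
        }
        m_scrambledHead = loadLink(head);
        return reinterpret_cast<void*>(head);
    }

    // Counts cells reachable from the head, stopping at a bad link.
    size_t count() const
    {
        size_t n = 0;
        for (uintptr_t c = unscramble(m_scrambledHead); c && isCellInBlock(c); c = unscramble(loadLink(c)))
            ++n;
        return n;
    }

    // What is physically stored in a free cell: the scrambled link, never a plain pointer.
    static uintptr_t loadLink(uintptr_t cell)
    {
        uintptr_t v;
        std::memcpy(&v, reinterpret_cast<const void*>(cell), sizeof v);
        return v;
    }
    static void storeLink(uintptr_t cell, uintptr_t v)
    {
        std::memcpy(reinterpret_cast<void*>(cell), &v, sizeof v);
    }

    bool corruptionDetected() const { return m_corruptionDetected; }

private:
    uintptr_t scramble(uintptr_t p) const { return p ^ m_secret; }
    uintptr_t unscramble(uintptr_t v) const { return v ^ m_secret; }
    bool isCellInBlock(uintptr_t p) const
    {
        return p >= m_blockStart && p < m_blockEnd && (p - m_blockStart) % m_cellSize == 0;
    }

    uintptr_t m_secret = 0, m_scrambledHead = 0, m_blockStart = 0, m_blockEnd = 0;
    size_t m_cellSize = 0;
    bool m_corruptionDetected = false;
};

// Builds a secret whose top address bit is set, so XOR-decoding a plain
// (unscrambled) pointer lands in the other half of the address space and
// therefore outside the block; the low bits carry the caller's entropy.
inline uintptr_t makeSecret(uintptr_t entropy)
{
    return entropy | (uintptr_t(1) << (sizeof(uintptr_t) * 8 - 1));
}
```

Usage: initialize the list over a block of, say, 8 cells of 32 bytes with `makeSecret(entropy)`, then pop with `allocate()`. Inspecting a free cell with `loadLink` shows the scrambled value rather than the next cell's address, and overwriting a link with a plain pointer (as a bug or a forged write would) makes the following `allocate()` return nullptr and set `corruptionDetected()` instead of returning an address outside the block.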
3636
3637 2017-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>
3638
3639         [JSC] Use @globalPrivate for concatSlowPath
3640         https://bugs.webkit.org/show_bug.cgi?id=172802
3641
3642         Reviewed by Darin Adler.
3643
3644         Use @globalPrivate instead of manually putting it in JSGlobalObject.
3645
3646         * builtins/ArrayPrototype.js:
3647         (concatSlowPath): Deleted.
3648         * runtime/JSGlobalObject.cpp:
3649         (JSC::JSGlobalObject::init):
3650
3651 2017-06-01  Andy Estes  <aestes@apple.com>
3652
3653         REGRESSION (r217626): ENABLE_APPLE_PAY_SESSION_V3 was disabled by mistake
3654         https://bugs.webkit.org/show_bug.cgi?id=172828
3655
3656         Reviewed by Beth Dakin.
3657
3658         * Configurations/FeatureDefines.xcconfig:
3659
3660 2017-06-01  Keith Miller  <keith_miller@apple.com>
3661
3662         Undo rollout in r217638 with bug fix
3663         https://bugs.webkit.org/show_bug.cgi?id=172824
3664
3665         Unreviewed, reland patch with unused set_state code removed.
3666
3667         * API/tests/ExecutionTimeLimitTest.cpp:
3668         (dispatchTermitateCallback):
3669         (testExecutionTimeLimit):
3670         * runtime/JSLock.cpp:
3671         (JSC::JSLock::didAcquireLock):
3672         * runtime/Options.cpp:
3673         (JSC::overrideDefaults):
3674         (JSC::Options::initialize):
3675         * runtime/Options.h:
3676         * runtime/VMTraps.cpp:
3677         (JSC::SignalContext::SignalContext):
3678         (JSC::SignalContext::adjustPCToPointToTrappingInstruction):
3679         (JSC::installSignalHandler):
3680         (JSC::VMTraps::SignalSender::send):
3681         * tools/SigillCrashAnalyzer.cpp:
3682         (JSC::SignalContext::SignalContext):
3683         (JSC::SignalContext::dump):
3684         (JSC::installCrashHandler):
3685         * wasm/WasmBBQPlan.cpp:
3686         (JSC::Wasm::BBQPlan::compileFunctions):
3687         * wasm/WasmFaultSignalHandler.cpp:
3688         (JSC::Wasm::trapHandler):
3689         (JSC::Wasm::enableFastMemory):
3690         * wasm/WasmMachineThreads.cpp:
3691         (JSC::Wasm::resetInstructionCacheOnAllThreads):
3692
3693 2017-06-01  Guillaume Emont  <guijemont@igalia.com>
3694
3695         [JSC][MIPS] SamplingProfiler::timerLoop() sleeps for 4000+ seconds
3696         https://bugs.webkit.org/show_bug.cgi?id=172800
3697
3698         Reviewed by Saam Barati.
3699
3700         This fixes a static_cast<uint64_t> by making it a cast to int64_t
3701         instead, which looks like the original intent. This fixes the
3702         sampling-profiler tests in JSTests/stress.
3703
3704         * runtime/SamplingProfiler.cpp:
3705         (JSC::SamplingProfiler::timerLoop):
3706
3707 2017-06-01  Tomas Popela  <tpopela@redhat.com>, Mark Lam  <mark.lam@apple.com>
3708
3709         RELEASE_ASSERT_NOT_REACHED() in InferredType::kindForFlags() on Big-Endians
3710         https://bugs.webkit.org/show_bug.cgi?id=170945
3711
3712         Reviewed by Mark Lam.
3713
3714         Re-define PutByIdFlags as an int32_t enum explicitly because it is
3715         stored as an int32_t value in UnlinkedInstruction.  This prevents
3716         a bug on 64-bit big-endian architectures where the word order is
3717         inverted (when we convert the UnlinkedInstruction into a CodeBlock
3718         Instruction), resulting in the PutByIdFlags value not being stored in
3719         the 32-bit word that the rest of the code expects it to be in.
3720
3721         * bytecode/PutByIdFlags.h:
3722
3723 2017-05-31  Yusuke Suzuki  <utatane.tea@gmail.com>
3724
3725         [JSC] Implement String.prototype.concat in JS builtins
3726         https://bugs.webkit.org/show_bug.cgi?id=172798
3727
3728         Reviewed by Sam Weinig.
3729
3730         Since we have a highly effective + operation for strings,
3731         implementing String.prototype.concat in JS simplifies the
3732         implementation and improves performance by using speculated
3733         types.
3734
3735         Added microbenchmarks show performance improvement.
3736
3737         string-concat-long-convert     1063.2787+-12.9101    ^    109.0855+-2.8083        ^ definitely 9.7472x faster
3738         string-concat-convert          1111.1366+-12.2363    ^     99.3402+-1.9874        ^ definitely 11.1852x faster
3739         string-concat                   131.7377+-3.8359     ^     54.3949+-0.9580        ^ definitely 2.4219x faster
3740         string-concat-long               79.4726+-1.9644     ^     64.6301+-1.4941        ^ definitely 1.2297x faster
3741
3742         * builtins/StringPrototype.js:
3743         (globalPrivate.stringConcatSlowPath):
3744         (concat):
3745         * runtime/StringPrototype.cpp:
3746         (JSC::StringPrototype::finishCreation):
3747         (JSC::stringProtoFuncConcat): Deleted.
3748
3749 2017-05-31  Mark Lam  <mark.lam@apple.com>
3750
3751         Remove overrides of visitChildren() that do not add any functionality.
3752         https://bugs.webkit.org/show_bug.cgi?id=172789
3753         <rdar://problem/32500865>
3754
3755         Reviewed by Andreas Kling.
3756
3757         * bytecode/UnlinkedModuleProgramCodeBlock.cpp:
3758         (JSC::UnlinkedModuleProgramCodeBlock::visitChildren): Deleted.
3759         * bytecode/UnlinkedModuleProgramCodeBlock.h:
3760         * bytecode/UnlinkedProgramCodeBlock.cpp:
3761         (JSC::UnlinkedProgramCodeBlock::visitChildren): Deleted.
3762         * bytecode/UnlinkedProgramCodeBlock.h:
3763         * wasm/js/WebAssemblyFunction.cpp:
3764         (JSC::WebAssemblyFunction::visitChildren): Deleted.
3765         * wasm/js/WebAssemblyFunction.h:
3766         * wasm/js/WebAssemblyInstanceConstructor.cpp:
3767         (JSC::WebAssemblyInstanceConstructor::visitChildren): Deleted.
3768         * wasm/js/WebAssemblyInstanceConstructor.h:
3769         * wasm/js/WebAssemblyMemoryConstructor.cpp:
3770         (JSC::WebAssemblyMemoryConstructor::visitChildren): Deleted.
3771         * wasm/js/WebAssemblyMemoryConstructor.h:
3772         * wasm/js/WebAssemblyModuleConstructor.cpp:
3773         (JSC::WebAssemblyModuleConstructor::visitChildren): Deleted.
3774         * wasm/js/WebAssemblyModuleConstructor.h:
3775         * wasm/js/WebAssemblyTableConstructor.cpp:
3776         (JSC::WebAssemblyTableConstructor::visitChildren): Deleted.
3777         * wasm/js/WebAssemblyTableConstructor.h:
3778
3779 2017-05-31  Commit Queue  <commit-queue@webkit.org>
3780
3781         Unreviewed, rolling out r217611 and r217631.
3782         https://bugs.webkit.org/show_bug.cgi?id=172785
3783
3784         "caused wasm-hashset-many.html to become flaky." (Requested by
3785         keith_miller on #webkit).
3786
3787         Reverted changesets:
3788
3789         "Reland r216808, underlying lldb bug has been fixed."
3790         https://bugs.webkit.org/show_bug.cgi?id=172759
3791         http://trac.webkit.org/changeset/217611
3792
3793         "Use dispatch queues for mach exceptions"
3794         https://bugs.webkit.org/show_bug.cgi?id=172775
3795         http://trac.webkit.org/changeset/217631
3796
3797 2017-05-31  Oleksandr Skachkov  <gskachkov@gmail.com>
3798
3799         Rolling out: Prevent async methods named 'function'
3800         https://bugs.webkit.org/show_bug.cgi?id=172776
3801
3802         Reviewed by Mark Lam.
3803
3804         Rolling out https://bugs.webkit.org/show_bug.cgi?id=172660 r217578,
3805         https://bugs.webkit.org/show_bug.cgi?id=172598 r217478.
3806         The PR to the spec was closed, so the changes need to be rolled out. See
3807         https://github.com/tc39/ecma262/pull/884#issuecomment-305212494
3808
3809         * parser/Parser.cpp:
3810         (JSC::Parser<LexerType>::parseClass):
3811         (JSC::Parser<LexerType>::parsePropertyMethod):
3812
3813 2017-05-31  Andy Estes  <aestes@apple.com>
3814
3815         Rename ENABLE_APPLE_PAY_DELEGATE to ENABLE_APPLE_PAY_SESSION_V3 and bump the supported version number
3816         https://bugs.webkit.org/show_bug.cgi?id=172366
3817
3818         Reviewed by Daniel Bates.
3819
3820         * Configurations/FeatureDefines.xcconfig:
3821
3822 2017-05-31  Keith Miller  <keith_miller@apple.com>
3823
3824         Reland r216808, underlying lldb bug has been fixed.
3825         https://bugs.webkit.org/show_bug.cgi?id=172759
3826
3827
3828         Unreviewed, relanding old patch. See: rdar://problem/31183352
3829
3830         * API/tests/ExecutionTimeLimitTest.cpp:
3831         (dispatchTermitateCallback):
3832         (testExecutionTimeLimit):
3833         * runtime/JSLock.cpp:
3834         (JSC::JSLock::didAcquireLock):
3835         * runtime/Options.cpp:
3836         (JSC::overrideDefaults):
3837         (JSC::Options::initialize):
3838         * runtime/Options.h:
3839         * runtime/VMTraps.cpp:
3840         (JSC::SignalContext::SignalContext):
3841         (JSC::SignalContext::adjustPCToPointToTrappingInstruction):
3842         (JSC::installSignalHandler):
3843         (JSC::VMTraps::SignalSender::send):
3844         * tools/SigillCrashAnalyzer.cpp:
3845         (JSC::SignalContext::SignalContext):
3846         (JSC::SignalContext::dump):
3847         (JSC::installCrashHandler):
3848         * wasm/WasmBBQPlan.cpp:
3849         (JSC::Wasm::BBQPlan::compileFunctions):
3850         * wasm/WasmFaultSignalHandler.cpp:
3851         (JSC::Wasm::trapHandler):
3852         (JSC::Wasm::enableFastMemory):
3853         * wasm/WasmMachineThreads.cpp:
3854         (JSC::Wasm::resetInstructionCacheOnAllThreads):
3855
3856 2017-05-31  Keith Miller  <keith_miller@apple.com>
3857
3858         Fix leak in PromiseDeferredTimer
3859         https://bugs.webkit.org/show_bug.cgi?id=172755
3860
3861         Reviewed by JF Bastien.
3862
3863         We were not properly freeing the list of dependencies if we were already tracking the promise before.
3864         This is because addPendingPromise takes the list of dependencies as an rvalue-reference. In the case
3865         where we were already tracking the promise we append the provided dependency list to the existing list.
3866         Since we never bound our rvalue-ref to a non-temporary value, we never destructed the Vector, leaking its
3867         contents.
3868
3869         * runtime/PromiseDeferredTimer.cpp:
3870         (JSC::PromiseDeferredTimer::addPendingPromise):
3871
3872 2017-05-30  Oleksandr Skachkov  <gskachkov@gmail.com>
3873
3874         Prevent async methods named 'function' in Object literal
3875         https://bugs.webkit.org/show_bug.cgi?id=172660
3876
3877         Reviewed by Saam Barati.
3878
3879         Prevent an async method named 'function' in an object literal.
3880         https://github.com/tc39/ecma262/pull/884
3881
3882         * parser/Parser.cpp:
3883         (JSC::Parser<LexerType>::parsePropertyMethod):
3884
3885 2017-05-30  Oleksandr Skachkov  <gskachkov@gmail.com>
3886
3887         ASSERTION FAILED: generator.isConstructor() || generator.derivedContextType() == DerivedContextType::DerivedConstructorContext
3888         https://bugs.webkit.org/show_bug.cgi?id=171274
3889
3890         Reviewed by Saam Barati.
3891
3892         The current patch allows using an async arrow function within a constructor,
3893         and allows access to `this`. The current patch forces loading `this` from the
3894         virtual scope each time we access `this` in an async arrow function
3895         within a constructor. This is necessary because the async function can be
3896         suspended, `superCall` can be called, and the async function resumed.
3897
3898         * bytecompiler/BytecodeGenerator.cpp:
3899         (JSC::BytecodeGenerator::emitPutGeneratorFields):
3900         (JSC::BytecodeGenerator::ensureThis):
3901         * bytecompiler/BytecodeGenerator.h:
3902         (JSC::BytecodeGenerator::makeFunction):
3903
3904 2017-05-30  Ali Juma  <ajuma@chromium.org>
3905
3906         [CredentialManagement] Incorporate IDL updates from latest spec
3907         https://bugs.webkit.org/show_bug.cgi?id=172011
3908
3909         Reviewed by Daniel Bates.
3910
3911         * runtime/CommonIdentifiers.h:
3912
3913 2017-05-30  Alex Christensen  <achristensen@webkit.org>
3914
3915         Update libwebrtc configuration
3916         https://bugs.webkit.org/show_bug.cgi?id=172727
3917
3918         Reviewed by Geoffrey Garen.
3919
3920         * Configurations/FeatureDefines.xcconfig:
3921
3922 2017-05-28  Dan Bernstein  <mitz@apple.com>
3923
3924         [Xcode] ALWAYS_SEARCH_USER_PATHS is set to YES
3925         https://bugs.webkit.org/show_bug.cgi?id=172691
3926
3927         Reviewed by Tim Horton.
3928
3929         * Configurations/Base.xcconfig: Set ALWAYS_SEARCH_USER_PATHS to NO.
3930         * JavaScriptCore.xcodeproj/project.pbxproj: Added ParseInt.h to the JavaScriptCore target.
3931
3932 2017-05-28  Yusuke Suzuki  <utatane.tea@gmail.com>
3933
3934         [JSC] Provide better type information of toLength and tighten bytecode
3935         https://bugs.webkit.org/show_bug.cgi?id=172690
3936
3937         Reviewed by Sam Weinig.
3938
3939         In this patch, we carefully leverage operator + in order to
3940
3941         1. tighten bytecode
3942
3943         operator+ emits to_number bytecode. What this bytecode does is the same
3944         as a @Number() call. It is more efficient, and it is smaller bytecode
3945         than a @Number() call (load global variable @Number, set up arguments, and
3946         call it).
3947
3948         2. offer better type prediction data
3949
3950         Now, we have code like
3951
3952             length > 0 ? (length < @MAX_SAFE_INTEGER ? length : @MAX_SAFE_INTEGER) : 0
3953
3954         This is not good because the DFG prediction propagation phase predicts Double,
3955         since @MAX_SAFE_INTEGER is a double. But actually the result rarely becomes Double.
3956         Usually, the result becomes Int32. This patch leverages to_number in a somewhat
3957         interesting way: to_number has value profiling to offer better type prediction.
3958         This value profiling offers a chance to change the prediction to Int32 efficiently.
3959         It is a bit tricky. But it is worth doing to speed up our builtin functions,
3960         which should leverage all of JSC's tricky things to be optimized.
3961
3962         Related microbenchmarks show performance improvement.
3963
3964                                                   baseline                  patched
3965
3966             array-prototype-forEach           50.2348+-2.2331           49.7568+-2.3507
3967             array-prototype-map               51.0574+-1.8166           47.9531+-2.1653          might be 1.0647x faster
3968             array-prototype-some              52.3926+-1.8882     ^     48.3632+-2.0852        ^ definitely 1.0833x faster
3969             array-prototype-every             52.7394+-2.0712           50.2896+-2.1480          might be 1.0487x faster
3970             array-prototype-reduce            54.9994+-2.3638           51.8716+-2.6253          might be 1.0603x faster
3971             array-prototype-reduceRight      209.7594+-9.2594     ^     51.5867+-2.5745        ^ definitely 4.0662x faster
3972
3973
3974         * builtins/GlobalOperations.js:
3975         (globalPrivate.toInteger):
3976         (globalPrivate.toLength):
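
        The clamping expression and the unary + trick described in this entry, as an added
        example that is not WebKit's builtins/GlobalOperations.js: a plain-JS model of the
        ToInteger and ToLength abstract operations, where unary + performs the ToNumber step
        (the one JSC lowers to to_number) and the nested conditional clamps into
        [0, 2^53 - 1]. MAX_SAFE_INTEGER below stands in for the builtin's @MAX_SAFE_INTEGER;
        the sample array-likes are constructed for the demonstration. It also shows why the
        clamp matters for array-like builtins: a hostile or malformed `length` can never
        produce a negative, fractional, NaN or unbounded iteration count.

```javascript
// Added example, not code from WebKit's builtins/GlobalOperations.js: a plain-JS
// model of the ToInteger / ToLength abstract operations shaped the way the
// ChangeLog describes them. Unary + does the ToNumber step (what JSC lowers to
// to_number), and the nested conditional clamps the result into [0, 2^53 - 1].
// MAX_SAFE_INTEGER stands in for the builtin's @MAX_SAFE_INTEGER constant.
const MAX_SAFE_INTEGER = 9007199254740991; // 2^53 - 1

function toInteger(target) {
  const numberValue = +target;          // ToNumber: "12" -> 12, undefined -> NaN, {} -> NaN
  if (numberValue !== numberValue)      // NaN is the only value not equal to itself
    return 0;
  // Truncate toward zero; +/-Infinity and -0 pass through unchanged, as in the spec.
  return numberValue > 0 ? Math.floor(numberValue) : Math.ceil(numberValue);
}

function toLength(target) {
  const length = toInteger(target);
  // The expression from the ChangeLog: negative (and -0) lengths become 0;
  // anything at or above 2^53 - 1, including +Infinity, is clamped to 2^53 - 1.
  return length > 0 ? (length < MAX_SAFE_INTEGER ? length : MAX_SAFE_INTEGER) : 0;
}

// How array-like builtins (forEach, map, reduce, ...) consume it: every loop
// bound goes through ToLength, so a hostile or malformed `length` property can
// never drive a negative, fractional, NaN or unbounded iteration count.
function iterationBound(arrayLike) {
  return toLength(arrayLike.length);
}

// Constructed inputs exercising the edge cases.
const samples = [
  { length: "3" },                  // string coerced by ToNumber -> 3
  { length: -1 },                   // negative -> 0
  { length: 2.9 },                  // fractional -> 2
  { length: NaN },                  // NaN -> 0
  { length: Infinity },             // clamped to 2^53 - 1
  { length: 2 ** 60 },              // above the clamp -> 2^53 - 1
  {},                               // missing length -> undefined -> NaN -> 0
];

function boundsForSamples() {
  return samples.map(iterationBound);
}
```

        Calling boundsForSamples() yields one clamped bound per sample; the interesting cases
        are the string, which ToNumber converts before clamping, and the Infinity and 2^60
        lengths, which both collapse to 2^53 - 1 rather than producing an unbounded loop.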
3977
3978 2017-05-28  Sam Weinig  <sam@webkit.org>
3979
3980         [WebIDL] @@iterator should only be accessed once when disambiguating a union type
3981         https://bugs.webkit.org/show_bug.cgi?id=172684
3982
3983         Reviewed by Yusuke Suzuki.
3984
3985         * runtime/IteratorOperations.cpp:
3986         (JSC::iteratorMethod):
3987         (JSC::iteratorForIterable):
3988         * runtime/IteratorOperations.h:
3989         (JSC::forEachInIterable):
3990         Add additional iterator helpers to allow union + sequence conversion code
3991         to check for iterability by getting the iterator method, and iterate using
3992         that method later on.
3993