[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
        https://bugs.webkit.org/show_bug.cgi?id=181321

        Reviewed by Saam Barati.

        According to ECMA262 16.2[1], functions created using the bind method must not have
        "caller" and "arguments" own properties.

        [1]: https://tc39.github.io/ecma262/#sec-forbidden-extensions

        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::finishCreation):

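The following JavaScript is an added example, not part of this ChangeLog or of JSC's sources. It audits the forbidden-extension rule the entry above cites: a conforming engine must give bound, strict, arrow and class-constructor functions no own "caller" or "arguments" property, because those legacy properties hand the calling function (and its arguments) to anyone holding a reference to the callee. The helper names (`ownForbiddenProps`, `auditForbiddenExtensions`, `describeProperty`, `boundOwnKeys`) and the sample functions are this example's own.

```javascript
// Added example, not JSC code. Audits which function kinds expose the legacy
// own properties "caller" and "arguments" that ECMA-262's Forbidden
// Extensions clause says bound, strict, arrow and class functions must not
// carry. Helper names are this example's own.

const FORBIDDEN = ['caller', 'arguments'];

// Subset of FORBIDDEN that `fn` carries as *own* properties (inherited
// accessors on Function.prototype do not count; see describeProperty).
function ownForbiddenProps(fn) {
  const own = new Set(Object.getOwnPropertyNames(fn));
  return FORBIDDEN.filter((name) => own.has(name));
}

// One function of each kind. The sloppy one is built with the Function
// constructor so it stays non-strict even if this file runs as a module.
function sampleFunctions() {
  const sloppy = new Function('return 1');
  const strict = function () { 'use strict'; return 1; };
  const bound = sloppy.bind(null);        // the case the changeset above fixes
  const arrow = () => 1;
  class Ctor {}
  return { sloppy, strict, bound, arrow, ctor: Ctor };
}

// Kinds that violate the rule, mapped to the leaked names. A sloppy
// function is permitted (historically required) to have them, so it is
// exempt; every other kind with a non-empty list is a conformance bug.
function auditForbiddenExtensions(samples = sampleFunctions()) {
  const violations = {};
  for (const [kind, fn] of Object.entries(samples)) {
    if (kind === 'sloppy') continue;
    const leaked = ownForbiddenProps(fn);
    if (leaked.length) violations[kind] = leaked;
  }
  return violations;
}

// Where a lookup of `name` on `fn` resolves: an own property, the
// poison-pill accessor on Function.prototype (%ThrowTypeError%, which
// throws whenever it is invoked), or nowhere.
function describeProperty(fn, name) {
  if (Object.prototype.hasOwnProperty.call(fn, name)) return 'own';
  const desc = Object.getOwnPropertyDescriptor(Function.prototype, name);
  if (desc && typeof desc.get === 'function') return 'inherited-accessor';
  return 'absent';
}

// A bound function is a fresh exotic object: its own keys are only
// "length" and "name"; nothing is copied from the target.
function boundOwnKeys(target) {
  return Object.getOwnPropertyNames(target.bind(null)).sort();
}
```

Run `auditForbiddenExtensions()` against an engine under test; an empty object means every non-sloppy kind conforms, and `describeProperty(bound, 'caller')` should report `'inherited-accessor'` rather than `'own'` once the fix above is in place.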
2018-01-05  JF Bastien  <jfbastien@apple.com>

        WebAssembly: poison JS object's secrets
        https://bugs.webkit.org/show_bug.cgi?id=181339
        <rdar://problem/36325001>

        Reviewed by Mark Lam.

        Separating WebAssembly's JS objects from their non-JS
        implementation means that all interesting information lives
        outside of the JS object itself. This patch poisons each JS
        object's pointer to non-JS implementation using the poisoning
        mechanism and a unique key per JS object type origin.

        * runtime/JSCPoison.h:
        * wasm/js/JSToWasm.cpp:
        (JSC::Wasm::createJSToWasmWrapper): JS -> wasm stores the JS
        object in a stack slot when fast TLS is disabled. This requires
        that we unpoison the Wasm::Instance.
        * wasm/js/JSWebAssemblyCodeBlock.h:
        * wasm/js/JSWebAssemblyInstance.h:
        (JSC::JSWebAssemblyInstance::offsetOfPoisonedInstance): renamed to
        be explicit that the pointer is poisoned.
        * wasm/js/JSWebAssemblyMemory.h:
        * wasm/js/JSWebAssemblyModule.h:
        * wasm/js/JSWebAssemblyTable.h:

2018-01-05  Michael Saboff  <msaboff@apple.com>

        Add ability to disable indexed property masking for testing
        https://bugs.webkit.org/show_bug.cgi?id=181350

        Reviewed by Keith Miller.

        Made the masking of indexed properties runtime controllable via a new JSC::Option
        named disableSpectreMitigations.  This is done to test the efficacy of that mitigation.

        The new option has a generic name as it will probably be used to disable future mitigations.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
        (JSC::FTL::DFG::LowerDFGToB3::maskedIndex):
        (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDoubleLoad):
        (JSC::JIT::emitContiguousLoad):
        (JSC::JIT::emitArrayStorageLoad):
        * runtime/Options.h:
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):

2018-01-05  Michael Saboff  <msaboff@apple.com>

        Allow JSC Config Files to set Restricted Options
        https://bugs.webkit.org/show_bug.cgi?id=181352

        Reviewed by Mark Lam.

        * runtime/ConfigFile.cpp:
        (JSC::ConfigFile::parse):

2018-01-04  Keith Miller  <keith_miller@apple.com>

        TypedArrays and Wasm should use index masking.
        https://bugs.webkit.org/show_bug.cgi?id=181313

        Reviewed by Michael Saboff.

        We should have index masking for our TypedArray code in the
        DFG/FTL and for Wasm when doing bounds checking. Index masking for
        Wasm is added to the WasmBoundsCheckValue. Since we don't CSE any
        WasmBoundsCheckValues we don't need to worry about combining a
        bounds check for a load and a store. I went with fusing the
        pointer masking in the WasmBoundsCheckValue since it should reduce
        additional compiler overhead.

        * b3/B3LowerToAir.cpp:
        * b3/B3Validate.cpp:
        * b3/B3WasmBoundsCheckValue.cpp:
        (JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue):
        (JSC::B3::WasmBoundsCheckValue::dumpMeta const):
        * b3/B3WasmBoundsCheckValue.h:
        (JSC::B3::WasmBoundsCheckValue::pinnedIndexingMask const):
        * b3/air/AirCustom.h:
        (JSC::B3::Air::WasmBoundsCheckCustom::generate):
        * b3/testb3.cpp:
        (JSC::B3::testWasmBoundsCheck):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitIntTypedArrayGetByVal):
        * runtime/Butterfly.h:
        (JSC::Butterfly::computeIndexingMask const):
        (JSC::Butterfly::computeIndexingMaskForVectorLength): Deleted.
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::JSArrayBufferView):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
        (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
        (JSC::Wasm::B3IRGenerator::load):
        (JSC::Wasm::B3IRGenerator::store):
        (JSC::Wasm::B3IRGenerator::addCallIndirect):
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToWasm):
        * wasm/WasmMemory.cpp:
        (JSC::Wasm::Memory::Memory):
        (JSC::Wasm::Memory::grow):
        * wasm/WasmMemory.h:
        (JSC::Wasm::Memory::offsetOfIndexingMask):
        * wasm/WasmMemoryInformation.cpp:
        (JSC::Wasm::PinnedRegisterInfo::get):
        (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
        * wasm/WasmMemoryInformation.h:
        (JSC::Wasm::PinnedRegisterInfo::toSave const):
        * wasm/js/JSToWasm.cpp:
        (JSC::Wasm::createJSToWasmWrapper):

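The JavaScript below is an added example, not WebKit code, modelling the mitigation that the index-masking entry above and the earlier disableSpectreMitigations entry describe. JSC applies the mask in generated machine code for TypedArray and Wasm accesses; here it is applied to a plain backing store so the arithmetic is visible. The mask formula, the constructed backing store and the helper names (`computeIndexingMask`, `load`, `transientTarget`, `transientReach`) are this example's own, and the "transient" functions only simulate which slot a load issued under a mispredicted bounds check could touch; they do not claim to match JSC's exact computeIndexingMask.

```javascript
// Added example, not WebKit code: a JavaScript model of index masking, the
// Spectre bounds-check-bypass mitigation the changesets above wire into
// TypedArray and Wasm loads, plus the option that disables it for testing.
// The mask formula is this example's own simplification.

// All-ones value covering every bit of `length`, so (i & mask) < 2 * length
// for any 32-bit i. Example: 5 -> 7, 8 -> 15, 1000 -> 1023.
function computeIndexingMask(length) {
  if (length <= 0) return 0;
  return 0xFFFFFFFF >>> Math.clz32(length);
}

// Constructed backing store: 8 "live" elements inside a 32-byte allocation,
// followed by a marker byte standing in for a neighbouring secret.
function makeBacking() {
  const backing = new Uint8Array(32);
  for (let i = 0; i < 8; i++) backing[i] = 10 * (i + 1);
  backing[31] = 0xEE;
  return { backing, length: 8 };
}

// Index the array the way a JIT would: bounds check, then load. With
// masking enabled the load address is derived from (index & mask), so a
// load issued under a mispredicted bounds check still lands inside the
// power-of-two region around the array. disableSpectreMitigations mirrors
// the JSC::Option of the same name (modelled here, not JSC's code).
function load(view, index, { disableSpectreMitigations = false } = {}) {
  if (index >>> 0 >= view.length) return undefined;   // architectural bounds check
  const mask = disableSpectreMitigations ? 0xFFFFFFFF : computeIndexingMask(view.length);
  return view.backing[(index & mask) >>> 0];
}

// Slot a load would *transiently* touch if the bounds check were predicted
// in-bounds: unmasked can reach any index, masked stays below 2 * length.
function transientTarget(length, index, masked) {
  return masked ? (index & computeIndexingMask(length)) >>> 0 : index >>> 0;
}

// Worst-case transient reach of each strategy over attacker-chosen indices.
function transientReach(length, indices) {
  let unmasked = 0;
  let masked = 0;
  for (const i of indices) {
    unmasked = Math.max(unmasked, transientTarget(length, i, false));
    masked = Math.max(masked, transientTarget(length, i, true));
  }
  return { unmasked, masked, bound: 2 * length };
}
```

The point the model makes is the one the changeset relies on: masking does not replace the bounds check (an out-of-range index still returns `undefined` architecturally), it bounds the damage when the check is speculated past, confining any transient load to the power-of-two neighbourhood of the array instead of arbitrary memory.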
2018-01-05  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r226434.
        https://bugs.webkit.org/show_bug.cgi?id=181322

        32bit JSC failure in x86 (Requested by yusukesuzuki on
        #webkit).

        Reverted changeset:

        "[DFG] Unify ToNumber implementation in 32bit and 64bit by
        changing 32bit Int32Tag and LowestTag"
        https://bugs.webkit.org/show_bug.cgi?id=181134
        https://trac.webkit.org/changeset/226434

2018-01-04  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: replace HTMLCanvasElement with CanvasRenderingContext for instrumentation logic
        https://bugs.webkit.org/show_bug.cgi?id=180770

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Canvas.json:

2018-01-04  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r226405.
        https://bugs.webkit.org/show_bug.cgi?id=181318

        Speculative rollout due to Octane/SplayLatency,Octane/Splay
        regressions (Requested by yusukesuzuki on #webkit).

        Reverted changeset:

        "[JSC] Create parallel SlotVisitors apriori"
        https://bugs.webkit.org/show_bug.cgi?id=180907
        https://trac.webkit.org/changeset/226405

2018-01-04  Saam Barati  <sbarati@apple.com>

        Do value profiling in to_this
        https://bugs.webkit.org/show_bug.cgi?id=181299

        Reviewed by Filip Pizlo.

        This patch adds value profiling to to_this. We use the result of the value
        profiling only for strict mode code when we don't predict that the input is
        of a specific type. This helps when the input is SpecCellOther. Such cells
        might implement a custom ToThis, which can produce an arbitrary result. Before
        this patch, in prediction propagation, we were saying that a ToThis with a
        SpecCellOther input also produced SpecCellOther. However, this is incorrect,
        given that the input may implement ToThis that produces an arbitrary result.
        This is seen inside Speedometer. This patch fixes an OSR exit loop in Speedometer.

        Interestingly, this patch only does value profiling on the slow path. The fast
        path of to_this in the LLInt/baseline just performs a structure check. If it
        passes, the result is the same as the input. Therefore, doing value profiling
        from the fast path wouldn't actually produce new information for the ValueProfile.

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeList.json:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitToThis):
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):

2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Unify ToNumber implementation in 32bit and 64bit by changing 32bit Int32Tag and LowestTag
        https://bugs.webkit.org/show_bug.cgi?id=181134

        Reviewed by Mark Lam.

        We would like to unify DFG ToNumber implementation in 32bit and 64bit. One problem is that
        branchIfNumber signature is different between 32bit and 64bit. 32bit implementation requires
        an additional scratch register. We do not want to allocate an unnecessary register in 64bit
        implementation.

        This patch removes the additional register in branchIfNumber/branchIfNotNumber in both 32bit
        and 64bit implementation. To achieve this goal, we change Int32Tag and LowestTag order. By
        setting Int32Tag as LowestTag, we can query whether the given tag is a number by checking
        `<= LowestTag(Int32Tag)`.

        We also change the order of UndefinedTag, NullTag, and BooleanTag to keep `(UndefinedTag | 1) == NullTag`.

        We also clean up speculateMisc implementation by adding branchIfMisc/branchIfNotMisc.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileDoubleRep):
        (JSC::DFG::SpeculativeJIT::speculateNumber):
        (JSC::DFG::SpeculativeJIT::speculateMisc):
        (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
        (JSC::DFG::SpeculativeJIT::compileToNumber):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::branchIfNotType):
        (JSC::AssemblyHelpers::jitAssertIsJSNumber):
        (JSC::AssemblyHelpers::emitConvertValueToBoolean):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::branchIfMisc):
        (JSC::AssemblyHelpers::branchIfNotMisc):
        (JSC::AssemblyHelpers::branchIfNumber):
        (JSC::AssemblyHelpers::branchIfNotNumber):
        (JSC::AssemblyHelpers::branchIfNotDoubleKnownNotInt32):
        (JSC::AssemblyHelpers::emitTypeOf):
        * jit/JITAddGenerator.cpp:
        (JSC::JITAddGenerator::generateFastPath):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitBinaryDoubleOp):
        * jit/JITDivGenerator.cpp:
        (JSC::JITDivGenerator::loadOperand):
        * jit/JITMulGenerator.cpp:
        (JSC::JITMulGenerator::generateInline):
        (JSC::JITMulGenerator::generateFastPath):
        * jit/JITNegGenerator.cpp:
        (JSC::JITNegGenerator::generateInline):
        (JSC::JITNegGenerator::generateFastPath):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_is_number):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emit_op_to_number):
        (JSC::JIT::emit_op_profile_type):
        * jit/JITRightShiftGenerator.cpp:
        (JSC::JITRightShiftGenerator::generateFastPath):
        * jit/JITSubGenerator.cpp:
        (JSC::JITSubGenerator::generateInline):
        (JSC::JITSubGenerator::generateFastPath):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * runtime/JSCJSValue.h:

2018-01-04  JF Bastien  <jfbastien@apple.com>

        Add assembler support for x86 lfence and sfence
        https://bugs.webkit.org/show_bug.cgi?id=181311
        <rdar://problem/36301780>

        Reviewed by Michael Saboff.

        Useful for testing performance of serializing instructions (hint:
        it's not good).

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::lfence):
        (JSC::MacroAssemblerX86Common::sfence):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::lfence):
        (JSC::X86Assembler::sfence):

2018-01-04  Saam Barati  <sbarati@apple.com>

        Add a new pattern matching rule to Graph::methodOfGettingAValueProfileFor for SetLocal(@nodeWithHeapPrediction)
        https://bugs.webkit.org/show_bug.cgi?id=181296

        Reviewed by Filip Pizlo.

        Inside Speedometer's Ember test, there is a recompile loop like:
        a: GetByVal(..., semanticOriginX)
        b: SetLocal(Cell:@a, semanticOriginX)

        where the cell check always fails. For reasons I didn't investigate, the
        baseline JIT's value profiling doesn't accurately capture the GetByVal's
        result.

        However, when compiling this cell speculation check in the DFG, we get a null
        MethodOfGettingAValueProfile inside Graph::methodOfGettingAValueProfileFor for
        this IR pattern because both @a and @b have the same semantic origin. We
        should not follow the same semantic origin heuristic when dealing with
        SetLocal since SetLocal(@nodeWithHeapPrediction) is such a common IR pattern.
        For patterns like this, we introduce a new heuristic: @NodeThatDoesNotProduceAValue(@nodeWithHeapPrediction).
        For this IR pattern, we will update the value profile for the semantic origin
        for @nodeWithHeapPrediction. So, for the Speedometer example above, we
        will correctly update the GetByVal's value profile, which will prevent
        an OSR exit loop.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):

2018-01-04  Keith Miller  <keith_miller@apple.com>

        Array Storage operations sometimes did not update the indexing mask correctly.
        https://bugs.webkit.org/show_bug.cgi?id=181301

        Reviewed by Mark Lam.

        I will add tests in a follow up patch. See: https://bugs.webkit.org/show_bug.cgi?id=181303

        * runtime/JSArray.cpp:
        (JSC::JSArray::shiftCountWithArrayStorage):
        * runtime/JSObject.cpp:
        (JSC::JSObject::increaseVectorLength):

2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Define defs for MapSet/SetAdd to participate in CSE
        https://bugs.webkit.org/show_bug.cgi?id=179911

        Reviewed by Saam Barati.

        With this patch, our MapSet and SetAdd DFG nodes participate in CSE.
        To handle the somewhat tricky DFG Map operation nodes, MapSet and SetAdd
        produce the added bucket as their result. Subsequent GetMapBucket will
        be removed by CSE.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSetAdd):
        (JSC::DFG::SpeculativeJIT::compileMapSet):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd):
        (JSC::FTL::DFG::LowerDFGToB3::compileMapSet):
        * jit/JITOperations.h:
        * runtime/HashMapImpl.h:
        (JSC::HashMapImpl::addNormalized):
        (JSC::HashMapImpl::addNormalizedInternal):

2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove LocalScope
        https://bugs.webkit.org/show_bug.cgi?id=181206

        Reviewed by Geoffrey Garen.

        The last user of HandleStack and LocalScope is JSON. But MarkedArgumentBuffer is enough for their use.
        This patch changes JSON parsing and stringifying to use MarkedArgumentBuffer, and removes HandleStack
        and LocalScope.

        We make Stringifier and Walker WTF_FORBID_HEAP_ALLOCATION to place them on the stack. So they can hold
        JSObject* directly in their fields.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * heap/HandleStack.cpp: Removed.
        * heap/HandleStack.h: Removed.
        * heap/Heap.cpp:
        (JSC::Heap::addCoreConstraints):
        * heap/Heap.h:
        (JSC::Heap::handleSet):
        (JSC::Heap::handleStack): Deleted.
        * heap/Local.h: Removed.
        * heap/LocalScope.h: Removed.
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Holder::object const):
        (JSC::gap):
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::stringify):
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::Stringifier::Holder::Holder):
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::Walker::Walker):
        (JSC::Walker::callReviver):
        (JSC::Walker::walk):
        (JSC::JSONProtoFuncParse):
        (JSC::JSONProtoFuncStringify):
        (JSC::JSONParse):
        (JSC::JSONStringify):

2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [FTL] Optimize ObjectAllocationSinking mergePointerSets by using removeIf
        https://bugs.webkit.org/show_bug.cgi?id=180238

        Reviewed by Saam Barati.

        We can optimize ObjectAllocationSinking a bit by using removeIf.

        * dfg/DFGObjectAllocationSinkingPhase.cpp:

2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Create parallel SlotVisitors apriori
        https://bugs.webkit.org/show_bug.cgi?id=180907

        Reviewed by Saam Barati.

        The number of SlotVisitors is capped at the number of HeapHelperPool's threads + 2.
        If we create these SlotVisitors apriori, we do not need to create SlotVisitors dynamically.
        Then we do not need to grab locks while iterating all the SlotVisitors.

        In addition, we do not need to consider the case that the number of SlotVisitors increases
        after setting up VisitCounters in MarkingConstraintSolver since the number of SlotVisitors
        does not increase any more.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::runBeginPhase):
        * heap/Heap.h:
        * heap/HeapInlines.h:
        (JSC::Heap::forEachSlotVisitor):
        (JSC::Heap::numberOfSlotVisitors): Deleted.
        * heap/MarkingConstraintSolver.cpp:
        (JSC::MarkingConstraintSolver::didVisitSomething const):

2018-01-03  Ting-Wei Lan  <lantw44@gmail.com>

        Replace hard-coded paths in shebangs with #!/usr/bin/env
        https://bugs.webkit.org/show_bug.cgi?id=181040

        Reviewed by Alex Christensen.

        * Scripts/UpdateContents.py:
        * Scripts/cssmin.py:
        * Scripts/generate-combined-inspector-json.py:
        * Scripts/xxd.pl:
        * create_hash_table:
        * generate-bytecode-files:
        * wasm/generateWasm.py:
        * wasm/generateWasmOpsHeader.py:
        * yarr/generateYarrCanonicalizeUnicode:

2018-01-03  Michael Saboff  <msaboff@apple.com>

        Disable SharedArrayBuffers from Web API
        https://bugs.webkit.org/show_bug.cgi?id=181266

        Reviewed by Saam Barati.

        Removed SharedArrayBuffer prototype and structure from GlobalObject creation
        to disable.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::arrayBufferPrototype const):
        (JSC::JSGlobalObject::arrayBufferStructure const):

2018-01-03  Michael Saboff  <msaboff@apple.com>

        Add "noInline" to $vm
        https://bugs.webkit.org/show_bug.cgi?id=181265

        Reviewed by Mark Lam.

        This would be useful for web based tests.

        * tools/JSDollarVM.cpp:
        (JSC::getExecutableForFunction):
        (JSC::functionNoInline):
        (JSC::JSDollarVM::finishCreation):

2018-01-03  Michael Saboff  <msaboff@apple.com>

        Remove unnecessary flushing of Butterfly pointer in functionCpuClflush()
        https://bugs.webkit.org/show_bug.cgi?id=181263

        Reviewed by Mark Lam.

        Flushing the butterfly pointer provides no benefit and slows this function.

        * tools/JSDollarVM.cpp:
        (JSC::functionCpuClflush):

2018-01-03  Saam Barati  <sbarati@apple.com>

        Fix BytecodeParser op_catch assert to work with useProfiler=1
        https://bugs.webkit.org/show_bug.cgi?id=181260

        Reviewed by Keith Miller.

        op_catch was asserting that the current block was empty. This is only true
        if the profiler isn't enabled. When the profiler is enabled, we will
        insert a CountExecution node before each bytecode. This patch fixes the
        assert to work with the profiler.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2018-01-03  Per Arne Vollan  <pvollan@apple.com>

        [Win][Debug] testapi link error.
        https://bugs.webkit.org/show_bug.cgi?id=181247
        <rdar://problem/36166729>

        Reviewed by Brent Fulgham.

        Do not set the runtime library compile flag for C files, it is already set to the correct value.

        * shell/PlatformWin.cmake:

2018-01-03  Robin Morisset  <rmorisset@apple.com>

        Inlining of a function that ends in op_unreachable crashes
        https://bugs.webkit.org/show_bug.cgi?id=181027

        Reviewed by Filip Pizlo.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
        (JSC::DFG::ByteCodeParser::inlineCall):

2018-01-02  Saam Barati  <sbarati@apple.com>

        Incorrect assertion inside AccessCase
        https://bugs.webkit.org/show_bug.cgi?id=181200
        <rdar://problem/35494754>

        Reviewed by Yusuke Suzuki.

        Consider a PutById compiled to a setter in a function like so:

        ```
        function foo(o) { o.f = o; }
        ```

        The DFG will often assign the same registers to the baseGPR (o in o.f) and the
        valueRegsPayloadGPR (o in the RHS). The code totally works when these are assigned
        to the same register. However, we're asserting that they're not the same register.
        This patch just removes this invalid assertion.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):

2018-01-02  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
        https://bugs.webkit.org/show_bug.cgi?id=175359

        Reviewed by Yusuke Suzuki.

        This patch is implementing BigIntConstructor and BigIntPrototype
        following the spec[1, 2]. In addition, we are also implementing the BigIntObject
        wrapper to handle the ToObject(v) abstract operation when "v" is a BigInt
        primitive. With these classes, it is now possible to synthesize
        BigInt.prototype and then call "toString", "valueOf" and
        "toLocaleString" when the primitive is a BigInt.
        BigIntConstructor exposes an API to parse other primitives such as
        Number, Boolean and String to BigInt.
        We decided to skip parseInt implementation, since it was removed from
        spec.

        [1] - https://tc39.github.io/proposal-bigint/#sec-bigint-constructor
        [2] - https://tc39.github.io/proposal-bigint/#sec-properties-of-the-bigint-prototype-object

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * jsc.cpp:
        * runtime/BigIntConstructor.cpp: Added.
        (JSC::BigIntConstructor::BigIntConstructor):
        (JSC::BigIntConstructor::finishCreation):
        (JSC::isSafeInteger):
        (JSC::toBigInt):
        (JSC::callBigIntConstructor):
        (JSC::bigIntConstructorFuncAsUintN):
        (JSC::bigIntConstructorFuncAsIntN):
        * runtime/BigIntConstructor.h: Added.
        (JSC::BigIntConstructor::create):
        (JSC::BigIntConstructor::createStructure):
        * runtime/BigIntObject.cpp: Added.
        (JSC::BigIntObject::BigIntObject):
        (JSC::BigIntObject::finishCreation):
        (JSC::BigIntObject::toStringName):
        (JSC::BigIntObject::defaultValue):
        * runtime/BigIntObject.h: Added.
        (JSC::BigIntObject::create):
        (JSC::BigIntObject::internalValue const):
        (JSC::BigIntObject::createStructure):
        * runtime/BigIntPrototype.cpp: Added.
        (JSC::BigIntPrototype::BigIntPrototype):
        (JSC::BigIntPrototype::finishCreation):
        (JSC::toThisBigIntValue):
        (JSC::bigIntProtoFuncToString):
        (JSC::bigIntProtoFuncToLocaleString):
        (JSC::bigIntProtoFuncValueOf):
        * runtime/BigIntPrototype.h: Added.
        (JSC::BigIntPrototype::create):
        (JSC::BigIntPrototype::createStructure):
        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::initializeCollator):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::createFrom):
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::toObject const):
        * runtime/JSBigInt.h:
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::synthesizePrototype const):
        * runtime/JSCPoisonedPtr.cpp:
        * runtime/JSCell.cpp:
        (JSC::JSCell::toObjectSlow const):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::bigIntPrototype const):
        (JSC::JSGlobalObject::bigIntObjectStructure const):
        * runtime/StructureCache.h:
        * runtime/StructureInlines.h:
        (JSC::prototypeForLookupPrimitiveImpl):

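The JavaScript below is an added example, not part of this ChangeLog or of JSC's sources. It exercises the surface the entry above implements (the conversions `BigInt(value)` performs for Number, Boolean and String inputs, `BigInt.asUintN` / `BigInt.asIntN`, and the BigInt wrapper object produced by ToObject) and reimplements the two's-complement wrapping of asUintN / asIntN so the arithmetic is visible. The helper names (`toBigIntChecked`, `wrapUnsigned`, `wrapSigned`, `wrapMatchesBuiltins`, `describeWrapper`) and the sample inputs are this example's own; it needs an engine with BigInt support.

```javascript
// Added example, not JSC code. Exercises BigInt's constructor conversions,
// reimplements the asUintN / asIntN wrapping, and inspects the wrapper
// object. Helper names are this example's own.

// Mirror of the constructor's conversion rules, returning a tagged result
// instead of throwing so the caller can see *why* a value was rejected:
// Number -> RangeError when not an integer; String -> SyntaxError when not
// a valid integer literal; undefined, null and Symbol -> TypeError.
function toBigIntChecked(value) {
  try {
    return { ok: true, value: BigInt(value) };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// asUintN(bits, x): x modulo 2^bits, always non-negative.
function wrapUnsigned(bits, x) {
  const modulus = 1n << BigInt(bits);
  return ((x % modulus) + modulus) % modulus;
}

// asIntN(bits, x): the same residue, re-centred onto [-2^(bits-1), 2^(bits-1)).
function wrapSigned(bits, x) {
  const modulus = 1n << BigInt(bits);
  const u = wrapUnsigned(bits, x);
  return u >= modulus >> 1n ? u - modulus : u;
}

// Cross-check the reimplementation against the built-ins over a grid of
// widths and constructed inputs, including one wider than 64 bits.
function wrapMatchesBuiltins(samples = [-1n, 0n, 1n, 127n, 128n, 255n, 256n, -129n, (1n << 70n) + 5n]) {
  for (const bits of [1, 8, 16, 64]) {
    for (const x of samples) {
      if (wrapUnsigned(bits, x) !== BigInt.asUintN(bits, x)) return false;
      if (wrapSigned(bits, x) !== BigInt.asIntN(bits, x)) return false;
    }
  }
  return true;
}

// ToObject(prim) yields a BigInt wrapper object whose prototype methods
// unwrap back to the primitive (the BigIntObject the changeset adds).
function describeWrapper(prim) {
  const obj = Object(prim);
  return {
    primitiveType: typeof prim,                              // 'bigint'
    objectType: typeof obj,                                  // 'object'
    valueOf: obj.valueOf(),                                  // back to the primitive
    toString: obj.toString(16),                              // radix argument honoured
    sameProto: Object.getPrototypeOf(obj) === BigInt.prototype,
  };
}
```

The `toBigIntChecked` table is the part worth keeping at hand when reviewing input handling: `BigInt(1.5)` and `BigInt("12abc")` fail loudly with different error types, while `BigInt(true)` and `BigInt("0xff")` succeed, so code that accepts untrusted values must decide explicitly which of those it wants rather than relying on the conversion to reject them.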
2018-01-02  Tim Horton  <timothy_horton@apple.com>

        Fix the MathCommon build with a recent compiler
        https://bugs.webkit.org/show_bug.cgi?id=181216

        Reviewed by Sam Weinig.

        * runtime/MathCommon.cpp:
        (JSC::fdlibmPow):
        This cast drops the 'const' qualifier from the pointer to 'one',
        but it doesn't have to, and it makes the compiler sad.

== Rolled over to ChangeLog-2018-01-01 ==