[CMake][Win] Conditionally select DLL CRT or static CRT
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-11-27  Don Olmstead  <don.olmstead@sony.com>

        [CMake][Win] Conditionally select DLL CRT or static CRT
        https://bugs.webkit.org/show_bug.cgi?id=170594

        Reviewed by Alex Christensen.

        * shell/PlatformWin.cmake:

2017-11-27  Saam Barati  <sbarati@apple.com>

        Having a bad time watchpoint firing during compilation revealed a racy assertion
        https://bugs.webkit.org/show_bug.cgi?id=180048
        <rdar://problem/35700009>

        Reviewed by Mark Lam.

        While a DFG compilation is watching the having a bad time watchpoint, it was
        asserting that the rest parameter structure has indexing type ArrayWithContiguous.
        However, if the having a bad time watchpoint fires during the compilation,
        this particular structure will no longer have ArrayWithContiguous indexing type.
        This patch fixes this racy assertion to be aware that the watchpoint may fire
        during compilation.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCreateRest):
        (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):

2017-11-27  Tim Horton  <timothy_horton@apple.com>

        One too many zeroes in macOS version number in FeatureDefines
        https://bugs.webkit.org/show_bug.cgi?id=180011

        Reviewed by Dan Bernstein.

        * Configurations/FeatureDefines.xcconfig:

2017-11-27  Robin Morisset  <rmorisset@apple.com>

        Update DFGSafeToExecute to be aware that ArrayPush is now a varargs node
        https://bugs.webkit.org/show_bug.cgi?id=179821

        Reviewed by Saam Barati.

        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):

2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Add NormalizeMapKey DFG IR
        https://bugs.webkit.org/show_bug.cgi?id=179912

        Reviewed by Saam Barati.

        This patch introduces the NormalizeMapKey DFG node. It executes what normalizeMapKey does in an inlined manner.
        By separating this from MapHash and Map/Set related operations, we can perform CSE on it, and we
        do not need to call normalizeMapKey conservatively in DFG operations.
        This can reduce slow path cases in Untyped GetMapBucket since we can normalize keys in DFG/FTL.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupNormalizeMapKey):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
        (JSC::FTL::DFG::LowerDFGToB3::compileNormalizeMapKey):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
        * runtime/HashMapImpl.h:

2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        [FTL] Support DeleteById and DeleteByVal
        https://bugs.webkit.org/show_bug.cgi?id=180022

        Reviewed by Saam Barati.

        We should increase the coverage of FTL. Even if the code includes DeleteById,
        it does not mean that the remaining part of the code should not be optimized in FTL.
        Right now, even CallEval and `with` scope are handled in FTL.

        This patch just adds DeleteById and DeleteByVal handling to FTL to allow optimizing
        code including them.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileDeleteById):
        (JSC::FTL::DFG::LowerDFGToB3::compileDeleteByVal):

2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Introduce {Set,Map,WeakMap}Fields
        https://bugs.webkit.org/show_bug.cgi?id=179925

        Reviewed by Saam Barati.

        SetAdd and MapSet use `write(MiscFields)`, but it is not correct. It accidentally
        writes readonly MiscFields, which is used by various nodes, and makes optimization
        conservative.

        We introduce JSSetFields, JSMapFields, and JSWeakMapFields to precisely model clobberizing of Map, Set, and WeakMap.

        * dfg/DFGAbstractHeap.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasBucketOwnerType):

2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove JSStringBuilder
        https://bugs.webkit.org/show_bug.cgi?id=180016

        Reviewed by Saam Barati.

        JSStringBuilder is replaced with WTF::StringBuilder.
        This patch removes the remaining uses and drops JSStringBuilder.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/ArrayPrototype.cpp:
        * runtime/AsyncFunctionPrototype.cpp:
        * runtime/AsyncGeneratorFunctionPrototype.cpp:
        * runtime/ErrorPrototype.cpp:
        * runtime/FunctionPrototype.cpp:
        * runtime/GeneratorFunctionPrototype.cpp:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::decode):
        (JSC::globalFuncEscape):
        * runtime/JSStringBuilder.h: Removed.
        * runtime/JSStringInlines.h:
        (JSC::jsMakeNontrivialString):
        * runtime/RegExpPrototype.cpp:
        * runtime/StringPrototype.cpp:

2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Remove GetLocalUnlinked
        https://bugs.webkit.org/show_bug.cgi?id=180017

        Reviewed by Saam Barati.

        Since DFGArgumentsSimplificationPhase was removed 2 years ago, GetLocalUnlinked is no longer used in DFG.
        This patch just removes it.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasUnlinkedLocal):
        (JSC::DFG::Node::convertToGetLocalUnlinked): Deleted.
        (JSC::DFG::Node::convertToGetLocal): Deleted.
        (JSC::DFG::Node::hasUnlinkedMachineLocal): Deleted.
        (JSC::DFG::Node::setUnlinkedMachineLocal): Deleted.
        (JSC::DFG::Node::unlinkedMachineLocal): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):
        * dfg/DFGValidate.cpp:

2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        Make ArgList::data() private again when we can remove callWasmFunction().
        https://bugs.webkit.org/show_bug.cgi?id=168582

        Reviewed by JF Bastien.

        Make ArgList::data() private since we already removed callWasmFunction.

        * runtime/ArgList.h:

2016-08-05  Darin Adler  <darin@apple.com>

        Fix some minor problems in the StringImpl header
        https://bugs.webkit.org/show_bug.cgi?id=160630

        Reviewed by Brent Fulgham.

        * inspector/ContentSearchUtilities.cpp: Removed a lot of unneeded explicit
        Yarr namespacing since we use "using namespace" in this file.

2017-11-24  Mark Lam  <mark.lam@apple.com>

        Fix CLoop::sanitizeStack() bug where it was clearing part of the JS stack in use.
        https://bugs.webkit.org/show_bug.cgi?id=179936
        <rdar://problem/35623998>

        Reviewed by Saam Barati.

        This issue was uncovered when we enabled --useDollarVM=true on the JSC tests.
        See https://bugs.webkit.org/show_bug.cgi?id=179684.

        Basically, in the case of the failing test we observed, op_tail_call_forward_arguments
        was allocating stack space to stash arguments (to be forwarded) and new frame
        info.  The location of this new stash space happens to lie beyond the top of frame
        of the tail call caller frame.  After stashing the arguments, the code proceeded
        to load the callee codeBlock.  This triggered an allocation, which in turn,
        triggered stack sanitization.  The CLoop stack sanitizer was relying on
        frame->topOfFrame() to tell it where the top of the used stack is.  In this case,
        that turned out to be inadequate.  As a result, part of the stashed data was
        zeroed out, and subsequently led to a crash.

        This bug does not affect JIT builds (i.e. the ASM LLInt) for 2 reasons:
        1. JIT builds do stack sanitization in the LLInt code itself (different from the
           CLoop implementation), and the sanitizer there is aware of the true top of
           stack value (i.e. the stack pointer).
        2. JIT builds don't use a parallel stack like the CLoop.  The presence of the
           parallel stack is one condition necessary for reproducing this issue.

        The fix is to make the CLoop record the stack pointer in CLoopStack::m_currentStackPointer
        every time before it calls out to native C++ code.  This also brings the CLoop's
        behavior closer to hardware behavior where we can know where the stack pointer
        is after calling from JS back into native C++ code, which makes it easier to
        reason about correctness.

        Also simplified the various stack boundary calculations (removed the +1 and -1
        adjustments).  The CLoopStack bounds are now:

            reservationTop(): the lowest reserved address that can be within stack bounds.
            m_commitTop: the lowest address within stack bounds that has been committed.
            lowAddress() aka m_end: the lowest stack address that JS code can use.
            m_lastStackPointer: cache of the last m_currentStackPointer value.
            m_currentStackPointer: the CLoopStack stack pointer value when calling from JS into C++ code.
            highAddress(): the highest address just beyond the bounds of the stack.

        Also deleted some unneeded code.

        * interpreter/CLoopStack.cpp:
        (JSC::CLoopStack::CLoopStack):
        (JSC::CLoopStack::gatherConservativeRoots):
        (JSC::CLoopStack::sanitizeStack):
        (JSC::CLoopStack::setSoftReservedZoneSize):
        * interpreter/CLoopStack.h:
        (JSC::CLoopStack::setCurrentStackPointer):
        (JSC::CLoopStack::lowAddress const):

        (JSC::CLoopStack::baseOfStack const): Deleted.
        - Not needed after we simplified the code and removed all the +1/-1 adjustments.
          Now, it has the exact same value as highAddress() and can be removed.

        * interpreter/CLoopStackInlines.h:
        (JSC::CLoopStack::ensureCapacityFor):
        (JSC::CLoopStack::currentStackPointer):
        (JSC::CLoopStack::setCLoopStackLimit):

        (JSC::CLoopStack::topOfFrameFor): Deleted.
        - Not needed.

        (JSC::CLoopStack::topOfStack): Deleted.
        - Supplanted by currentStackPointer().

        (JSC::CLoopStack::shrink): Deleted.
        - This is unused.

        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):
        - Introduce a StackPointerScope to restore the original CLoopStack::m_currentStackPointer
          upon exiting the interpreter loop.

        * offlineasm/cloop.rb:
        - Added setting of CLoopStack::m_currentStackPointer at boundary points where we
          call from JS into C++ code.

        * tools/VMInspector.h:
        - Added some default argument values. These were being used while debugging this
          issue.

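A simplified C model of the failure mode described in the entry above, added here as an illustration and not JSC's CLoopStack code: a downward-growing parallel stack, a sanitizer that zeroes every cell below the "top of used stack", and a tail-call argument stash that sits beyond the caller frame's topOfFrame. The buggy variant takes its boundary from frame->topOfFrame and wipes the stash; the fixed variant uses the stack pointer recorded before the call into native code, as the patch does with m_currentStackPointer. The type and function names (CLoopStackModel, FrameModel, forwardArgumentsThenAllocate) and the sample cell values are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a parallel interpreter stack that grows downward.
 * cells[STACK_CELLS] plays the role of highAddress(), cells[0] of lowAddress(). */
#define STACK_CELLS 64
#define ARG_COUNT 4

typedef struct {
    uint64_t cells[STACK_CELLS];
    uint64_t* currentStackPointer; /* recorded before every call into native code */
} CLoopStackModel;

typedef struct {
    uint64_t* topOfFrame; /* lowest cell the frame itself accounts for */
} FrameModel;

static uint64_t* highAddress(CLoopStackModel* s) { return s->cells + STACK_CELLS; }
static uint64_t* lowAddress(CLoopStackModel* s) { return s->cells; }

/* Zero every cell below the given top of the used stack. Stale values left
 * there would otherwise be picked up by a conservative root scan. */
static void sanitizeStack(CLoopStackModel* s, uint64_t* topOfUsedStack)
{
    for (uint64_t* p = lowAddress(s); p < topOfUsedStack; ++p)
        *p = 0;
}

/* Buggy: trusts frame->topOfFrame as the boundary of used stack. */
static void sanitizeStackBuggy(CLoopStackModel* s, FrameModel* frame)
{
    sanitizeStack(s, frame->topOfFrame);
}

/* Fixed: uses the stack pointer recorded when JS called out into C++. */
static void sanitizeStackFixed(CLoopStackModel* s)
{
    sanitizeStack(s, s->currentStackPointer);
}

/* Models op_tail_call_forward_arguments: stash arguments below the caller's
 * topOfFrame, then "load the callee codeBlock", which allocates and triggers
 * sanitization. Returns how many stashed arguments survived intact. */
static int forwardArgumentsThenAllocate(int useFix)
{
    CLoopStackModel stack;
    memset(&stack, 0, sizeof stack);

    /* The caller frame occupies the top 8 cells (constructed sample frame). */
    FrameModel frame = { .topOfFrame = highAddress(&stack) - 8 };
    for (uint64_t* p = frame.topOfFrame; p < highAddress(&stack); ++p)
        *p = 0x1111;

    /* Stash the forwarded arguments beyond the frame (constructed values). */
    uint64_t* stash = frame.topOfFrame - ARG_COUNT;
    for (int i = 0; i < ARG_COUNT; ++i)
        stash[i] = 0xA0 + (uint64_t)i;

    /* The true stack pointer now points at the stash; record it before the
     * "native" allocation, as the fix does with m_currentStackPointer. */
    stack.currentStackPointer = stash;

    if (useFix)
        sanitizeStackFixed(&stack);
    else
        sanitizeStackBuggy(&stack, &frame);

    int survived = 0;
    for (int i = 0; i < ARG_COUNT; ++i)
        if (stash[i] == 0xA0 + (uint64_t)i)
            ++survived;
    return survived;
}

int main(void)
{
    printf("stashed args intact with buggy sanitizer: %d of %d\n",
           forwardArgumentsThenAllocate(0), ARG_COUNT);
    printf("stashed args intact with fixed sanitizer: %d of %d\n",
           forwardArgumentsThenAllocate(1), ARG_COUNT);
    return 0;
}
```
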
2017-11-24  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Make empty key as deleted mark in HashMapBucket and drop m_deleted field
        https://bugs.webkit.org/show_bug.cgi?id=179923

        Reviewed by Darin Adler.

        We do not set empty as a key in HashMapBucket since JSMap / JSSet can expose it to users.
        So we can use it as a marker of a deleted bucket.

        This patch uses the empty key as a deleted flag, and drops the m_deleted field of HashMapBucket.
        It shrinks the size of HashMapBucket considerably.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetMapBucketNext):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucketNext):
        * runtime/HashMapImpl.h:
        (JSC::HashMapBucket::createSentinel):
        We make the sentinel bucket (undefined, undefined) since DFG/FTL can load a value from sentinels.
        While the sentinel's deleted flag becomes false since the key is set, it is not a problem since the deleted
        flag of the sentinel bucket is not used.

        (JSC::HashMapBucket::HashMapBucket):
        (JSC::HashMapBucket::deleted const):
        (JSC::HashMapBucket::makeDeleted):
        (JSC::HashMapImpl::remove):
        (JSC::HashMapImpl::clear):
        (JSC::HashMapImpl::setUpHeadAndTail):
        (JSC::HashMapImpl::addNormalizedInternal):
        (JSC::HashMapBucket::setDeleted): Deleted.
        (JSC::HashMapBucket::offsetOfDeleted): Deleted.
        (): Deleted.

2017-11-24  Mark Lam  <mark.lam@apple.com>

        Move unsafe jsc shell test functions to the $vm object.
        https://bugs.webkit.org/show_bug.cgi?id=179980

        Reviewed by Yusuke Suzuki.

        Also removed setElementRoot() which was not used.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (WTF::Element::Element): Deleted.
        (WTF::Element::root const): Deleted.
        (WTF::Element::setRoot): Deleted.
        (WTF::Element::create): Deleted.
        (WTF::Element::visitChildren): Deleted.
        (WTF::Element::createStructure): Deleted.
        (WTF::Root::Root): Deleted.
        (WTF::Root::element): Deleted.
        (WTF::Root::setElement): Deleted.
        (WTF::Root::create): Deleted.
        (WTF::Root::createStructure): Deleted.
        (WTF::Root::visitChildren): Deleted.
        (WTF::ImpureGetter::ImpureGetter): Deleted.
        (WTF::ImpureGetter::createStructure): Deleted.
        (WTF::ImpureGetter::create): Deleted.
        (WTF::ImpureGetter::finishCreation): Deleted.
        (WTF::ImpureGetter::getOwnPropertySlot): Deleted.
        (WTF::ImpureGetter::visitChildren): Deleted.
        (WTF::ImpureGetter::setDelegate): Deleted.
        (WTF::CustomGetter::CustomGetter): Deleted.
        (WTF::CustomGetter::createStructure): Deleted.
        (WTF::CustomGetter::create): Deleted.
        (WTF::CustomGetter::getOwnPropertySlot): Deleted.
        (WTF::CustomGetter::customGetter): Deleted.
        (WTF::CustomGetter::customGetterAcessor): Deleted.
        (WTF::RuntimeArray::create): Deleted.
        (WTF::RuntimeArray::~RuntimeArray): Deleted.
        (WTF::RuntimeArray::destroy): Deleted.
        (WTF::RuntimeArray::getOwnPropertySlot): Deleted.
        (WTF::RuntimeArray::getOwnPropertySlotByIndex): Deleted.
        (WTF::RuntimeArray::put): Deleted.
        (WTF::RuntimeArray::deleteProperty): Deleted.
        (WTF::RuntimeArray::getLength const): Deleted.
        (WTF::RuntimeArray::createPrototype): Deleted.
        (WTF::RuntimeArray::createStructure): Deleted.
        (WTF::RuntimeArray::finishCreation): Deleted.
        (WTF::RuntimeArray::RuntimeArray): Deleted.
        (WTF::RuntimeArray::lengthGetter): Deleted.
        (WTF::SimpleObject::SimpleObject): Deleted.
        (WTF::SimpleObject::create): Deleted.
        (WTF::SimpleObject::visitChildren): Deleted.
        (WTF::SimpleObject::createStructure): Deleted.
        (WTF::SimpleObject::hiddenValue): Deleted.
        (WTF::SimpleObject::setHiddenValue): Deleted.
        (WTF::DOMJITNode::DOMJITNode): Deleted.
        (WTF::DOMJITNode::createStructure): Deleted.
        (WTF::DOMJITNode::checkSubClassSnippet): Deleted.
        (WTF::DOMJITNode::create): Deleted.
        (WTF::DOMJITNode::value const): Deleted.
        (WTF::DOMJITNode::offsetOfValue): Deleted.
        (WTF::DOMJITGetter::DOMJITGetter): Deleted.
        (WTF::DOMJITGetter::createStructure): Deleted.
        (WTF::DOMJITGetter::create): Deleted.
        (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute): Deleted.
        (WTF::DOMJITGetter::DOMJITAttribute::slowCall): Deleted.
        (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter): Deleted.
        (WTF::DOMJITGetter::customGetter): Deleted.
        (WTF::DOMJITGetter::finishCreation): Deleted.
        (WTF::DOMJITGetterComplex::DOMJITGetterComplex): Deleted.
        (WTF::DOMJITGetterComplex::createStructure): Deleted.
        (WTF::DOMJITGetterComplex::create): Deleted.
        (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute): Deleted.
        (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall): Deleted.
        (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter): Deleted.
        (WTF::DOMJITGetterComplex::functionEnableException): Deleted.
        (WTF::DOMJITGetterComplex::customGetter): Deleted.
        (WTF::DOMJITGetterComplex::finishCreation): Deleted.
        (WTF::DOMJITFunctionObject::DOMJITFunctionObject): Deleted.
        (WTF::DOMJITFunctionObject::createStructure): Deleted.
        (WTF::DOMJITFunctionObject::create): Deleted.
        (WTF::DOMJITFunctionObject::safeFunction): Deleted.
        (WTF::DOMJITFunctionObject::unsafeFunction): Deleted.
        (WTF::DOMJITFunctionObject::checkSubClassSnippet): Deleted.
        (WTF::DOMJITFunctionObject::finishCreation): Deleted.
        (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject): Deleted.
        (WTF::DOMJITCheckSubClassObject::createStructure): Deleted.
        (WTF::DOMJITCheckSubClassObject::create): Deleted.
        (WTF::DOMJITCheckSubClassObject::safeFunction): Deleted.
        (WTF::DOMJITCheckSubClassObject::unsafeFunction): Deleted.
        (WTF::DOMJITCheckSubClassObject::finishCreation): Deleted.
        (WTF::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject): Deleted.
        (WTF::DOMJITGetterBaseJSObject::createStructure): Deleted.
        (WTF::DOMJITGetterBaseJSObject::create): Deleted.
        (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute): Deleted.
        (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall): Deleted.
        (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter): Deleted.
        (WTF::DOMJITGetterBaseJSObject::customGetter): Deleted.
        (WTF::DOMJITGetterBaseJSObject::finishCreation): Deleted.
        (WTF::Element::handleOwner): Deleted.
        (WTF::Element::finishCreation): Deleted.
        (JSTestCustomGetterSetter::JSTestCustomGetterSetter): Deleted.
        (JSTestCustomGetterSetter::create): Deleted.
        (JSTestCustomGetterSetter::createStructure): Deleted.
        (customGetAccessor): Deleted.
        (customGetValue): Deleted.
        (customSetAccessor): Deleted.
        (customSetValue): Deleted.
        (JSTestCustomGetterSetter::finishCreation): Deleted.
        (GlobalObject::addConstructableFunction): Deleted.
        (functionCreateRoot): Deleted.
        (functionCreateElement): Deleted.
        (functionGetElement): Deleted.
        (functionSetElementRoot): Deleted.
        (functionCreateSimpleObject): Deleted.
        (functionGetHiddenValue): Deleted.
        (functionSetHiddenValue): Deleted.
        (functionCreateProxy): Deleted.
        (functionCreateRuntimeArray): Deleted.
        (functionCreateImpureGetter): Deleted.
        (functionCreateCustomGetterObject): Deleted.
        (functionCreateDOMJITNodeObject): Deleted.
        (functionCreateDOMJITGetterObject): Deleted.
        (functionCreateDOMJITGetterComplexObject): Deleted.
        (functionCreateDOMJITFunctionObject): Deleted.
        (functionCreateDOMJITCheckSubClassObject): Deleted.
        (functionCreateDOMJITGetterBaseJSObject): Deleted.
        (functionSetImpureGetterDelegate): Deleted.
        (functionGetGetterSetter): Deleted.
        (functionShadowChickenFunctionsOnStack): Deleted.
        (functionSetGlobalConstRedeclarationShouldNotThrow): Deleted.
        (functionGlobalObjectForObject): Deleted.
        (functionLoadGetterFromGetterSetter): Deleted.
        (functionCreateCustomTestGetterSetter): Deleted.
        (functionAbort): Deleted.
        (functionFindTypeForExpression): Deleted.
        (functionReturnTypeFor): Deleted.
        (functionDumpBasicBlockExecutionRanges): Deleted.
        (functionHasBasicBlockExecuted): Deleted.
        (functionBasicBlockExecutionCount): Deleted.
        (functionEnableExceptionFuzz): Deleted.
        (functionCreateBuiltin): Deleted.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * tools/JSDollarVM.cpp:
        (WTF::Element::Element):
        (WTF::Element::root const):
        (WTF::Element::setRoot):
        (WTF::Element::create):
        (WTF::Element::visitChildren):
        (WTF::Element::createStructure):
        (WTF::Root::Root):
        (WTF::Root::element):
        (WTF::Root::setElement):
        (WTF::Root::create):
        (WTF::Root::createStructure):
        (WTF::Root::visitChildren):
        (WTF::SimpleObject::SimpleObject):
        (WTF::SimpleObject::create):
        (WTF::SimpleObject::visitChildren):
        (WTF::SimpleObject::createStructure):
        (WTF::SimpleObject::hiddenValue):
        (WTF::SimpleObject::setHiddenValue):
        (WTF::ImpureGetter::ImpureGetter):
        (WTF::ImpureGetter::createStructure):
        (WTF::ImpureGetter::create):
        (WTF::ImpureGetter::finishCreation):
        (WTF::ImpureGetter::getOwnPropertySlot):
        (WTF::ImpureGetter::visitChildren):
        (WTF::ImpureGetter::setDelegate):
        (WTF::CustomGetter::CustomGetter):
        (WTF::CustomGetter::createStructure):
        (WTF::CustomGetter::create):
        (WTF::CustomGetter::getOwnPropertySlot):
        (WTF::CustomGetter::customGetter):
        (WTF::CustomGetter::customGetterAcessor):
        (WTF::RuntimeArray::create):
        (WTF::RuntimeArray::~RuntimeArray):
        (WTF::RuntimeArray::destroy):
        (WTF::RuntimeArray::getOwnPropertySlot):
        (WTF::RuntimeArray::getOwnPropertySlotByIndex):
        (WTF::RuntimeArray::put):
        (WTF::RuntimeArray::deleteProperty):
        (WTF::RuntimeArray::getLength const):
        (WTF::RuntimeArray::createPrototype):
        (WTF::RuntimeArray::createStructure):
        (WTF::RuntimeArray::finishCreation):
        (WTF::RuntimeArray::RuntimeArray):
        (WTF::RuntimeArray::lengthGetter):
        (WTF::DOMJITNode::DOMJITNode):
        (WTF::DOMJITNode::createStructure):
        (WTF::DOMJITNode::checkSubClassSnippet):
        (WTF::DOMJITNode::create):
        (WTF::DOMJITNode::value const):
        (WTF::DOMJITNode::offsetOfValue):
        (WTF::DOMJITGetter::DOMJITGetter):
        (WTF::DOMJITGetter::createStructure):
        (WTF::DOMJITGetter::create):
        (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
        (WTF::DOMJITGetter::DOMJITAttribute::slowCall):
        (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
        (WTF::DOMJITGetter::customGetter):
        (WTF::DOMJITGetter::finishCreation):
        (WTF::DOMJITGetterComplex::DOMJITGetterComplex):
        (WTF::DOMJITGetterComplex::createStructure):
        (WTF::DOMJITGetterComplex::create):
        (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
        (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall):
        (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
        (WTF::DOMJITGetterComplex::functionEnableException):
        (WTF::DOMJITGetterComplex::customGetter):
        (WTF::DOMJITGetterComplex::finishCreation):
        (WTF::DOMJITFunctionObject::DOMJITFunctionObject):
        (WTF::DOMJITFunctionObject::createStructure):
        (WTF::DOMJITFunctionObject::create):
        (WTF::DOMJITFunctionObject::safeFunction):
        (WTF::DOMJITFunctionObject::unsafeFunction):
        (WTF::DOMJITFunctionObject::checkSubClassSnippet):
        (WTF::DOMJITFunctionObject::finishCreation):
        (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
        (WTF::DOMJITCheckSubClassObject::createStructure):
        (WTF::DOMJITCheckSubClassObject::create):
        (WTF::DOMJITCheckSubClassObject::safeFunction):
        (WTF::DOMJITCheckSubClassObject::unsafeFunction):
        (WTF::DOMJITCheckSubClassObject::finishCreation):
        (WTF::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject):
        (WTF::DOMJITGetterBaseJSObject::createStructure):
        (WTF::DOMJITGetterBaseJSObject::create):
        (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute):
        (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
        (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter):
        (WTF::DOMJITGetterBaseJSObject::customGetter):
        (WTF::DOMJITGetterBaseJSObject::finishCreation):
        (WTF::Message::releaseContents):
        (WTF::Message::index const):
        (WTF::JSTestCustomGetterSetter::JSTestCustomGetterSetter):
        (WTF::JSTestCustomGetterSetter::create):
        (WTF::JSTestCustomGetterSetter::createStructure):
        (WTF::customGetAccessor):
        (WTF::customGetValue):
        (WTF::customSetAccessor):
        (WTF::customSetValue):
        (WTF::JSTestCustomGetterSetter::finishCreation):
        (WTF::Element::handleOwner):
        (WTF::Element::finishCreation):
        (JSC::functionCrash):
        (JSC::functionCreateProxy):
        (JSC::functionCreateRuntimeArray):
        (JSC::functionCreateImpureGetter):
        (JSC::functionCreateCustomGetterObject):
        (JSC::functionCreateDOMJITNodeObject):
        (JSC::functionCreateDOMJITGetterObject):
        (JSC::functionCreateDOMJITGetterComplexObject):
        (JSC::functionCreateDOMJITFunctionObject):
        (JSC::functionCreateDOMJITCheckSubClassObject):
        (JSC::functionCreateDOMJITGetterBaseJSObject):
        (JSC::functionSetImpureGetterDelegate):
        (JSC::functionCreateBuiltin):
        (JSC::functionCreateRoot):
        (JSC::functionCreateElement):
        (JSC::functionGetElement):
        (JSC::functionCreateSimpleObject):
        (JSC::functionGetHiddenValue):
        (JSC::functionSetHiddenValue):
        (JSC::functionShadowChickenFunctionsOnStack):
        (JSC::functionSetGlobalConstRedeclarationShouldNotThrow):
        (JSC::functionFindTypeForExpression):
        (JSC::functionReturnTypeFor):
        (JSC::functionDumpBasicBlockExecutionRanges):
        (JSC::functionHasBasicBlockExecuted):
        (JSC::functionBasicBlockExecutionCount):
        (JSC::functionEnableExceptionFuzz):
        (JSC::functionGlobalObjectForObject):
        (JSC::functionGetGetterSetter):
        (JSC::functionLoadGetterFromGetterSetter):
        (JSC::functionCreateCustomTestGetterSetter):
        (JSC::JSDollarVM::finishCreation):
        (JSC::JSDollarVM::addFunction):
        (JSC::JSDollarVM::addConstructibleFunction):
        * tools/JSDollarVM.h:
        (JSC::JSDollarVM::create):

627 2017-11-23  Simon Fraser  <simon.fraser@apple.com>
628
629         Minor ArrayBufferView cleanup
630         https://bugs.webkit.org/show_bug.cgi?id=179966
631
632         Reviewed by Darin Adler.
633         
634         Use void* for data pointers when we don't need to do offset math. Use const for
635         source pointers.
636         
637         Prefer uint8_t* to char*.
638         
639         Add comments noting that the assertions should not be made release assertions
640         as recommended by the style checker, since the point is to avoid the virtual byteLength()
641         call in release.
642
643         * runtime/ArrayBufferView.h:
644         (JSC::ArrayBufferView::setImpl):
645         (JSC::ArrayBufferView::setRangeImpl):
646         (JSC::ArrayBufferView::getRangeImpl):
647         (JSC::ArrayBufferView::zeroRangeImpl):
648
649 2017-11-23  Darin Adler  <darin@apple.com>
650
651         Reduce WTF::String operations that do unnecessary Unicode operations instead of ASCII
652         https://bugs.webkit.org/show_bug.cgi?id=179907
653
654         Reviewed by Sam Weinig.
655
656         * inspector/agents/InspectorDebuggerAgent.cpp:
657         (Inspector::matches): Removed explicit TextCaseSensitive because RegularExpression now
658         defaults to that.
659
660         * runtime/StringPrototype.cpp:
661         (JSC::stringIncludesImpl): Use String::find since there is no overload of
662         String::contains that takes a start offset now that we removed the one that took a
663         caseSensitive boolean. We can add one later if we like, but this should do for now.
664
665         * yarr/RegularExpression.h: Moved the TextCaseSensitivity enumeration here from
666         the StringImpl.h header because it is only used here.
667
668 2017-11-22  Simon Fraser  <simon.fraser@apple.com>
669
670         Followup after r225084: if anyone called GenericTypedArrayView() it didn't compile,
671         because of a getRangeUnchecked/getRangeImpl name mismatch; fixed to use getRangeImpl().
672         
673         Also rename the argument to zeroRange() to 'count' since it's an item count.
674
675         * runtime/GenericTypedArrayView.h:
676         (JSC::GenericTypedArrayView::zeroRange):
677         (JSC::GenericTypedArrayView::getRange):
678
679 2017-11-21  Simon Fraser  <simon.fraser@apple.com>
680
681         Allow for more efficient use of GenericTypedArrayView
682         https://bugs.webkit.org/show_bug.cgi?id=179899
683
684         Reviewed by Sam Weinig.
685         
686         Fix ArrayBufferView::setRange() to not make two virtual function calls to byteLength()
687         under setRangeImpl(). There is only one caller in GenericTypedArrayView, and it can pass
688         in a length.
689
690         Add GenericTypedArrayView::getRange() to fetch a range of elements, also without virtual
691         byteLength() calls.
692         
693         Renamed 'dataLength' to 'count' in setRange() to be clearer.
694         
695         Added setNative() for callers who don't need clamping of doubles.
696
697         * runtime/ArrayBufferView.h:
698         (JSC::ArrayBufferView::setRangeImpl):
699         (JSC::ArrayBufferView::getRangeImpl):
700         * runtime/GenericTypedArrayView.h:
701         (JSC::GenericTypedArrayView::setRange):
702         (JSC::GenericTypedArrayView::setNative const):
703         (JSC::GenericTypedArrayView::getRange):
704         (JSC::GenericTypedArrayView::checkInboundData const):
705         (JSC::GenericTypedArrayView::internalByteLength const):
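
        As an added illustration of the range helpers this entry describes (example code written for this page, not JSC's ArrayBufferView or GenericTypedArrayView): a minimal typed view whose setRange(), getRange() and zeroRange() all go through one checkInboundData() predicate that reads a stored element count instead of re-deriving a length on every call, and that is written so offset + count can never wrap. ByteBuffer, TypedView and demoTypedView are names invented for the example.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <limits>
#include <vector>

// Hypothetical backing store. The real ArrayBufferView reaches its length through a
// virtual byteLength(); this stand-in keeps the element count in the view so every
// range helper reads one plain field and there is nothing to call twice.
struct ByteBuffer {
    std::vector<uint8_t> bytes;
};

template<typename T>
class TypedView {
public:
    TypedView(ByteBuffer& buffer, size_t byteOffset, size_t count)
        : m_buffer(buffer), m_byteOffset(byteOffset), m_count(count)
    {
        // The view must fit inside the buffer; checked once, at construction.
        assert(byteOffset <= buffer.bytes.size());
        assert(count <= (buffer.bytes.size() - byteOffset) / sizeof(T));
    }

    size_t length() const { return m_count; }
    size_t internalByteLength() const { return m_count * sizeof(T); }

    // The single bounds predicate shared by every range operation. It never forms
    // offset + count, so the check cannot be defeated by an addition that wraps.
    bool checkInboundData(size_t offset, size_t count) const
    {
        return offset <= m_count && count <= m_count - offset;
    }

    // Copy `count` elements from `src` into the view, starting at element `offset`.
    bool setRange(const T* src, size_t count, size_t offset)
    {
        if (!checkInboundData(offset, count))
            return false;
        std::memcpy(elementAddress(offset), src, count * sizeof(T));
        return true;
    }

    // Copy `count` elements out of the view into `dst`, starting at element `offset`.
    bool getRange(T* dst, size_t count, size_t offset) const
    {
        if (!checkInboundData(offset, count))
            return false;
        std::memcpy(dst, elementAddress(offset), count * sizeof(T));
        return true;
    }

    // Zero `count` elements starting at element `offset`.
    bool zeroRange(size_t offset, size_t count)
    {
        if (!checkInboundData(offset, count))
            return false;
        std::memset(elementAddress(offset), 0, count * sizeof(T));
        return true;
    }

private:
    uint8_t* elementAddress(size_t index) const
    {
        return m_buffer.bytes.data() + m_byteOffset + index * sizeof(T);
    }

    ByteBuffer& m_buffer;
    size_t m_byteOffset;
    size_t m_count;
};

// Drives a 4-element int32 view placed 8 bytes into a 32-byte buffer. Returns the
// sum of the view's elements after the operations (7) when every call was accepted
// or rejected as expected, or -1 otherwise.
int demoTypedView()
{
    ByteBuffer buffer { std::vector<uint8_t>(32, 0xFF) };
    TypedView<int32_t> view(buffer, 8, 4);
    const int32_t src[4] = { 1, 2, 3, 4 };
    const size_t huge = std::numeric_limits<size_t>::max();

    bool ok = view.setRange(src, 4, 0);          // fits exactly
    ok = ok && !view.setRange(src, 2, 3);        // 3 + 2 > 4: rejected
    ok = ok && !view.setRange(src, 1, huge);     // offset + count would wrap: rejected
    ok = ok && view.zeroRange(0, 2);             // view is now {0, 0, 3, 4}
    int32_t out[4] = { -1, -1, -1, -1 };
    ok = ok && view.getRange(out, 4, 0);
    if (!ok)
        return -1;
    return out[0] + out[1] + out[2] + out[3];
}

int main()
{
    std::printf("demoTypedView() = %d\n", demoTypedView());
    return 0;
}
```

        The point of routing every helper through checkInboundData() is that the bounds decision is made in one place and reads a value fixed at construction; a second, independently computed length (the "two virtual byteLength() calls" the entry removes) is both a cost and a chance for the two answers to disagree.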
706
707 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
708
709         [DFG][FTL] Support MapSet / SetAdd intrinsics
710         https://bugs.webkit.org/show_bug.cgi?id=179858
711
712         Reviewed by Saam Barati.
713
714         Map.prototype.set and Set.prototype.add use the MapHash value anyway.
715         By handling them as MapSet and SetAdd DFG nodes and decoupling
716         MapSet and SetAdd nodes from MapHash DFG node, we have a chance to
717         remove duplicate MapHash calculation for the same key.
718
719         One story is *set-if-not-exists*.
720
721             if (!map.has(key))
722                 map.set(key, value);
723
724         In the above code, both `has` and `set` require the hash value for `key`.
725         If we can change `set` to the series of DFG nodes:
726
727             1: MapHash(key)
728             2: MapSet(MapObjectUse:map, Untyped:key, Untyped:value, Int32Use:@1)
729
730         we can remove duplicate @1 produced by `has` operation.
731
732         This patch improves SixSpeed map-set.es6 and map-set-object.es6 by 20.5% and 20.4% respectively:
733
734                                          baseline                  patched
735
736             map-set.es6             246.2413+-15.2084    ^    204.3679+-11.2408       ^ definitely 1.2049x faster
737             map-set-object.es6      266.5075+-17.2289    ^    221.2792+-12.2948       ^ definitely 1.2044x faster
738
739         Microbenchmarks
740
741             map-has-and-set         148.1522+-7.6665     ^    131.4552+-7.8846        ^ definitely 1.1270x faster
742
743         * dfg/DFGAbstractInterpreterInlines.h:
744         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
745         * dfg/DFGByteCodeParser.cpp:
746         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
747         * dfg/DFGClobberize.h:
748         (JSC::DFG::clobberize):
749         * dfg/DFGDoesGC.cpp:
750         (JSC::DFG::doesGC):
751         * dfg/DFGFixupPhase.cpp:
752         (JSC::DFG::FixupPhase::fixupNode):
753         * dfg/DFGNodeType.h:
754         * dfg/DFGOperations.cpp:
755         * dfg/DFGOperations.h:
756         * dfg/DFGPredictionPropagationPhase.cpp:
757         * dfg/DFGSafeToExecute.h:
758         (JSC::DFG::safeToExecute):
759         * dfg/DFGSpeculativeJIT.cpp:
760         (JSC::DFG::SpeculativeJIT::compileSetAdd):
761         (JSC::DFG::SpeculativeJIT::compileMapSet):
762         * dfg/DFGSpeculativeJIT.h:
763         (JSC::DFG::SpeculativeJIT::callOperation):
764         * dfg/DFGSpeculativeJIT32_64.cpp:
765         (JSC::DFG::SpeculativeJIT::compile):
766         * dfg/DFGSpeculativeJIT64.cpp:
767         (JSC::DFG::SpeculativeJIT::compile):
768         * ftl/FTLCapabilities.cpp:
769         (JSC::FTL::canCompile):
770         * ftl/FTLLowerDFGToB3.cpp:
771         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
772         (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd):
773         (JSC::FTL::DFG::LowerDFGToB3::compileMapSet):
774         * jit/JITOperations.h:
775         * runtime/HashMapImpl.h:
776         (JSC::HashMapImpl::addNormalized):
777         (JSC::HashMapImpl::addNormalizedInternal):
778         * runtime/Intrinsic.cpp:
779         (JSC::intrinsicName):
780         * runtime/Intrinsic.h:
781         * runtime/MapPrototype.cpp:
782         (JSC::MapPrototype::finishCreation):
783         * runtime/SetPrototype.cpp:
784         (JSC::SetPrototype::finishCreation):
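
        An added example of the hash-once pattern behind the MapHash/MapSet split described in this entry. It is illustrative code written for this page, not JSC's HashMapImpl; NormalizedHashMap, addNormalized, setIfAbsentUnfused and setIfAbsentFused are invented names. The map counts hash computations so the saving on set-if-not-exists is observable.

```cpp
#include <cassert>
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical open-addressing map. Every lookup/insert exists in a "normalized"
// form that takes a precomputed hash, so has() followed by set() on the same key
// can share one hash computation. computeHash() is counted for the demonstration.
class NormalizedHashMap {
public:
    using Hash = uint32_t;

    explicit NormalizedHashMap(size_t capacity = 64) : m_slots(capacity) { }

    // FNV-1a over the key bytes; stands in for MapHash.
    Hash computeHash(const std::string& key)
    {
        ++m_hashCalls;
        uint32_t h = 2166136261u;
        for (unsigned char c : key) {
            h ^= c;
            h *= 16777619u;
        }
        return h;
    }
    size_t hashCalls() const { return m_hashCalls; }
    size_t size() const { return m_size; }

    // Unfused forms: each one hashes internally.
    bool has(const std::string& key) { return hasNormalized(key, computeHash(key)); }
    void set(const std::string& key, int value) { addNormalized(key, value, computeHash(key)); }

    // Normalized forms: the caller supplies the hash and may reuse it.
    bool hasNormalized(const std::string& key, Hash h) const
    {
        size_t i = findSlot(key, h);
        return i != npos && m_slots[i].occupied;
    }
    bool getNormalized(const std::string& key, Hash h, int& out) const
    {
        size_t i = findSlot(key, h);
        if (i == npos || !m_slots[i].occupied)
            return false;
        out = m_slots[i].value;
        return true;
    }
    void addNormalized(const std::string& key, int value, Hash h)
    {
        size_t i = findSlot(key, h);
        assert(i != npos); // table full; growth is omitted from the example
        if (!m_slots[i].occupied) {
            m_slots[i].occupied = true;
            m_slots[i].key = key;
            ++m_size;
        }
        m_slots[i].value = value;
    }

private:
    struct Slot {
        bool occupied = false;
        std::string key;
        int value = 0;
    };
    static constexpr size_t npos = ~static_cast<size_t>(0);

    // Linear probe from h: the slot holding `key`, else the first empty slot on
    // its probe sequence, else npos when the table is full.
    size_t findSlot(const std::string& key, Hash h) const
    {
        size_t cap = m_slots.size();
        for (size_t n = 0; n < cap; ++n) {
            size_t i = (h + n) % cap;
            if (!m_slots[i].occupied || m_slots[i].key == key)
                return i;
        }
        return npos;
    }

    std::vector<Slot> m_slots;
    size_t m_size = 0;
    size_t m_hashCalls = 0;
};

// set-if-not-exists as source-level `has` then `set`: an absent key is hashed
// twice. Returns how many hash computations the call performed.
size_t setIfAbsentUnfused(NormalizedHashMap& map, const std::string& key, int value)
{
    size_t before = map.hashCalls();
    if (!map.has(key))
        map.set(key, value);
    return map.hashCalls() - before;
}

// The same operation with one hash feeding both steps, the shape the DFG nodes
// in the entry above produce: exactly one hash whether or not the key exists.
size_t setIfAbsentFused(NormalizedHashMap& map, const std::string& key, int value)
{
    size_t before = map.hashCalls();
    NormalizedHashMap::Hash h = map.computeHash(key);
    if (!map.hasNormalized(key, h))
        map.addNormalized(key, value, h);
    return map.hashCalls() - before;
}
```

        The DFG version of this is the `MapHash(key)` node whose result is passed as `@1` to `MapSet`; once `set` takes the hash as an operand, common-subexpression elimination can make `has` and `set` share the single `MapHash`.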
785
786 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
787
788         [JSC] Allow poly proto for intrinsic getters
789         https://bugs.webkit.org/show_bug.cgi?id=179550
790
791         Reviewed by Saam Barati.
792
793         This patch allows intrinsic getters to accept poly proto.
794         We propagate PolyProtoAccessChain in IntrinsicGetterAccessCase to perform
795         poly proto checks. And we extend UnderscoreProtoIntrinsic to emit
796         code for the poly proto case.
797
798         * bytecode/IntrinsicGetterAccessCase.cpp:
799         (JSC::IntrinsicGetterAccessCase::IntrinsicGetterAccessCase):
800         (JSC::IntrinsicGetterAccessCase::create):
801         * bytecode/IntrinsicGetterAccessCase.h:
802         * jit/IntrinsicEmitter.cpp:
803         (JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
804         (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
805         * jit/Repatch.cpp:
806         (JSC::tryCacheGetByID):
807
808 2017-11-20  Don Olmstead  <don.olmstead@sony.com>
809
810         Detect __declspec within JSBase.h
811         https://bugs.webkit.org/show_bug.cgi?id=179892
812
813         Reviewed by Darin Adler.
814
815         * API/JSBase.h:
816
817 2017-11-19  Tim Horton  <timothy_horton@apple.com>
818
819         Remove unused TOUCH_ICON_LOADING feature flag
820         https://bugs.webkit.org/show_bug.cgi?id=179873
821
822         Reviewed by Simon Fraser.
823
824         * Configurations/FeatureDefines.xcconfig:
825
826 2017-11-19  Yusuke Suzuki  <utatane.tea@gmail.com>
827
828         Add CPU(UNKNOWN) to cover all the unknown CPU types
829         https://bugs.webkit.org/show_bug.cgi?id=179243
830
831         Reviewed by JF Bastien.
832
833         * CMakeLists.txt:
834
835 2017-11-19  Tim Horton  <timothy_horton@apple.com>
836
837         Remove unused LEGACY_VENDOR_PREFIXES feature flag
838         https://bugs.webkit.org/show_bug.cgi?id=179872
839
840         Reviewed by Darin Adler.
841
842         * Configurations/FeatureDefines.xcconfig:
843
844 2017-11-18  Tim Horton  <timothy_horton@apple.com>
845
846         Fix typos in closing ENABLE() comments
847         https://bugs.webkit.org/show_bug.cgi?id=179869
848
849         Unreviewed.
850
851         * wasm/WasmMemory.h:
852         * wasm/WasmMemoryMode.h:
853
854 2017-11-17  JF Bastien  <jfbastien@apple.com>
855
856         NFC update ClassInfo to C++14
857         https://bugs.webkit.org/show_bug.cgi?id=179783
858
859         Reviewed by Mark Lam.
860
861         Forked from #179734, use `using` instead of `typedef`. It's easier
862         to read.
863
864         * runtime/ClassInfo.h:
865
866 2017-11-17  JF Bastien  <jfbastien@apple.com>
867
868         WebAssembly JS API: throw when a promise can't be created
869         https://bugs.webkit.org/show_bug.cgi?id=179826
870         <rdar://problem/35455813>
871
872         Reviewed by Mark Lam.
873
874         Failure *in* a promise causes rejection, but failure to create a
875         promise (because of stack overflow) isn't really spec'd (as all
876         stack things JS). This applies to WebAssembly.compile and
877         WebAssembly.instantiate.
878
879         Dan's current proposal says:
880
881             https://littledan.github.io/spec/document/js-api/index.html#stack-overflow
882
883             Whenever a stack overflow occurs in WebAssembly code, the same
884             class of exception is thrown as for a stack overflow in
885             JavaScript. The particular exception here is
886             implementation-defined in both cases.
887
888             Note: ECMAScript doesn’t specify any sort of behavior on stack
889             overflow; implementations have been observed to throw RangeError,
890             InternalError or Error. Any is valid here.
891
892         This is for general stack overflow within WebAssembly, not
893         specifically for promise creation within JavaScript, but it seems
894         like a stack overflow in promise creation should follow the same
895         rule instead of, say, swallowing the overflow and returning
896         undefined.
897
898         * wasm/js/WebAssemblyPrototype.cpp:
899         (JSC::webAssemblyCompileFunc):
900         (JSC::webAssemblyInstantiateFunc):
901
902 2017-11-16  Daniel Bates  <dabates@apple.com>
903
904         Add feature define for alternative presentation button element
905         https://bugs.webkit.org/show_bug.cgi?id=179692
906         Part of <rdar://problem/34917108>
907
908         Reviewed by Andy Estes.
909
910         Only enabled on Cocoa platforms by default.
911
912         * Configurations/FeatureDefines.xcconfig:
913
914 2017-11-16  Saam Barati  <sbarati@apple.com>
915
916         Fix a bug with cpuid in the FTL.
917
918         Rubber stamped by Mark Lam.
919
920         Before uploading the previous patch, I tried to condense the code. I
921         accidentally removed a crucial line saying that CPUID clobbers various
922         registers.
923
924         * ftl/FTLLowerDFGToB3.cpp:
925         (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic):
926
927 2017-11-16  Saam Barati  <sbarati@apple.com>
928
929         Add some X86 intrinsics to $vm to help with some perf testing
930         https://bugs.webkit.org/show_bug.cgi?id=179693
931
932         Reviewed by Mark Lam.
933
934         I've been doing some local perf testing of various ideas and have
935         had these come in handy. I'm going to land them to dollarVM to prevent
936         having to add them to my local build every time I do perf testing.
937
938         * assembler/MacroAssemblerX86Common.h:
939         (JSC::MacroAssemblerX86Common::mfence):
940         (JSC::MacroAssemblerX86Common::rdtsc):
941         (JSC::MacroAssemblerX86Common::pause):
942         (JSC::MacroAssemblerX86Common::cpuid):
943         * assembler/X86Assembler.h:
944         (JSC::X86Assembler::rdtsc):
945         (JSC::X86Assembler::pause):
946         (JSC::X86Assembler::cpuid):
947         * dfg/DFGAbstractInterpreterInlines.h:
948         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
949         * dfg/DFGByteCodeParser.cpp:
950         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
951         * dfg/DFGClobberize.h:
952         (JSC::DFG::clobberize):
953         * dfg/DFGDoesGC.cpp:
954         (JSC::DFG::doesGC):
955         * dfg/DFGFixupPhase.cpp:
956         (JSC::DFG::FixupPhase::fixupNode):
957         * dfg/DFGGraph.cpp:
958         (JSC::DFG::Graph::dump):
959         * dfg/DFGNode.h:
960         (JSC::DFG::Node::intrinsic):
961         * dfg/DFGNodeType.h:
962         * dfg/DFGPredictionPropagationPhase.cpp:
963         * dfg/DFGSafeToExecute.h:
964         (JSC::DFG::safeToExecute):
965         * dfg/DFGSpeculativeJIT32_64.cpp:
966         (JSC::DFG::SpeculativeJIT::compile):
967         * dfg/DFGSpeculativeJIT64.cpp:
968         (JSC::DFG::SpeculativeJIT::compile):
969         * dfg/DFGValidate.cpp:
970         * ftl/FTLCapabilities.cpp:
971         (JSC::FTL::canCompile):
972         * ftl/FTLLowerDFGToB3.cpp:
973         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
974         (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic):
975         * runtime/Intrinsic.cpp:
976         (JSC::intrinsicName):
977         * runtime/Intrinsic.h:
978         * tools/JSDollarVM.cpp:
979         (JSC::functionCpuMfence):
980         (JSC::functionCpuRdtsc):
981         (JSC::functionCpuCpuid):
982         (JSC::functionCpuPause):
983         (JSC::functionCpuClflush):
984         (JSC::JSDollarVM::finishCreation):
985
986 2017-11-16  JF Bastien  <jfbastien@apple.com>
987
988         It should be easier to reify lazy property names
989         https://bugs.webkit.org/show_bug.cgi?id=179734
990         <rdar://problem/35492521>
991
992         Reviewed by Keith Miller.
993
994         We reify lazy property names in a few different ways, each
995         specific to the JSCell implementation, in put() instead of having
996         a special function to do reification. Let's make that simpler.
997
998         This patch makes it easier to reify property names in a uniform
999         manner, and does so in JSFunction. As a follow up I'll use the
1000         same mechanics for:
1001
1002         ClonedArguments   callee, iteratorSymbol (Symbol.iterator)
1003         ErrorConstructor  stackTraceLimit
1004         ErrorInstance     line, column, sourceURL, stack
1005         GenericArguments  length, callee, iteratorSymbol (Symbol.iterator)
1006         GetterSetter      RELEASE_ASSERT_NOT_REACHED()
1007         JSArray           length
1008         RegExpObject      lastIndex
1009         StringObject      length
1010
1011         * runtime/ClassInfo.h: Add reifyPropertyNameIfNeeded to method table.
1012         * runtime/JSCell.cpp:
1013         (JSC::JSCell::reifyPropertyNameIfNeeded): by default, don't reify.
1014         * runtime/JSCell.h:
1015         * runtime/JSFunction.cpp: `name` and `length` can be reified.
1016         (JSC::JSFunction::reifyPropertyNameIfNeeded):
1017         (JSC::JSFunction::put):
1018         (JSC::JSFunction::reifyLength):
1019         (JSC::JSFunction::reifyName):
1020         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
1021         (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
1022         (JSC::JSFunction::reifyLazyLengthIfNeeded):
1023         (JSC::JSFunction::reifyLazyNameIfNeeded):
1024         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
1025         * runtime/JSFunction.h:
1026         (JSC::JSFunction::isLazy):
1027         (JSC::JSFunction::isReified):
1028         * runtime/JSObjectInlines.h:
1029         (JSC::JSObject::putDirectInternal): do the reification here.
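
        An added example of the reification hook this entry describes: a cell with two lazy properties whose put() and get() both call a single reifyPropertyNameIfNeeded() before touching the generic property store. This is illustrative code written for this page, not JSC's JSFunction or JSObject::putDirectInternal; LazyPropertyCell and its members are invented names.

```cpp
#include <cassert>
#include <map>
#include <string>
#include <utility>

// Hypothetical cell with lazily materialized "name" and "length" properties.
// Lazy values are not in the property store until observed or written; one
// reifyPropertyNameIfNeeded() hook materializes them, so put() and get() share
// a single code path instead of each knowing about every lazy name.
class LazyPropertyCell {
public:
    struct Property {
        std::string value;
        bool writable;
    };

    LazyPropertyCell(std::string name, int length)
        : m_lazyName(std::move(name)), m_lazyLength(length) { }

    // Materializes `key` into the store if it is a lazy property not yet reified.
    // Returns true when it did so. Reified "name"/"length" are read-only, as a
    // function's name and length are in JS.
    bool reifyPropertyNameIfNeeded(const std::string& key)
    {
        if (key == "name" && !m_nameReified) {
            m_store["name"] = Property { m_lazyName, false };
            m_nameReified = true;
            return true;
        }
        if (key == "length" && !m_lengthReified) {
            m_store["length"] = Property { std::to_string(m_lazyLength), false };
            m_lengthReified = true;
            return true;
        }
        return false;
    }

    // Generic store. Reifying first means the writability check below sees the
    // real property, so a write to a lazy read-only property is refused exactly
    // as a write to an already-materialized one would be.
    bool put(const std::string& key, const std::string& value)
    {
        reifyPropertyNameIfNeeded(key);
        auto it = m_store.find(key);
        if (it != m_store.end()) {
            if (!it->second.writable)
                return false;
            it->second.value = value;
            return true;
        }
        m_store[key] = Property { value, true };
        return true;
    }

    bool get(const std::string& key, std::string& out)
    {
        reifyPropertyNameIfNeeded(key);
        auto it = m_store.find(key);
        if (it == m_store.end())
            return false;
        out = it->second.value;
        return true;
    }

    bool isReified(const std::string& key) const
    {
        if (key == "name")
            return m_nameReified;
        if (key == "length")
            return m_lengthReified;
        return m_store.count(key) != 0;
    }
    size_t storedPropertyCount() const { return m_store.size(); }

private:
    std::map<std::string, Property> m_store;
    std::string m_lazyName;
    int m_lazyLength;
    bool m_nameReified = false;
    bool m_lengthReified = false;
};
```

        The check worth keeping in mind is the one in put(): without reifying first, the generic store would see no existing property and create a writable one, silently changing the attributes the lazy property was meant to have.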
1030
1031 2017-11-16  Robin Morisset  <rmorisset@apple.com>
1032
1033         Provide a runtime option for disabling the optimization of recursive tail calls
1034         https://bugs.webkit.org/show_bug.cgi?id=179765
1035
1036         Reviewed by Mark Lam.
1037
1038         * bytecode/PreciseJumpTargets.cpp:
1039         (JSC::getJumpTargetsForBytecodeOffset):
1040         * bytecompiler/BytecodeGenerator.cpp:
1041         (JSC::BytecodeGenerator::emitEnter):
1042         * dfg/DFGByteCodeParser.cpp:
1043         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
1044         * runtime/Options.h:
1045
1046 2017-11-16  Robin Morisset  <rmorisset@apple.com>
1047
1048         Fix null pointer dereference in bytecodeDumper
1049         https://bugs.webkit.org/show_bug.cgi?id=179764
1050
1051         Reviewed by Mark Lam.
1052
1053         The problem was just a call to lastSeenCallee() that was unguarded by haveLastSeenCallee().
1054
1055         * bytecode/BytecodeDumper.cpp:
1056         (JSC::BytecodeDumper<Block>::printCallOp):
1057
1058 2017-11-16  Robin Morisset  <rmorisset@apple.com>
1059
1060         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
1061         https://bugs.webkit.org/show_bug.cgi?id=179763
1062         <rdar://problem/35550513>
1063
1064         Reviewed by Keith Miller.
1065
1066         Fix null pointer dereference caused by an eliminated tdz_check.
1067
1068         The problem was when doing an OSR entry in DFG while |this| was null
1069         (because super() had not yet been called in the constructor of this
1070         subclass), it would be marked as non-null, and the tdz_check eliminated.
1071
1072         * dfg/DFGInPlaceAbstractState.cpp:
1073         (JSC::DFG::InPlaceAbstractState::initialize):
1074
1075 2017-11-15  Ryan Haddad  <ryanhaddad@apple.com>
1076
1077         Unreviewed, rolling out r224863.
1078
1079         Introduced LayoutTest crashes on iOS Simulator.
1080
1081         Reverted changeset:
1082
1083         "Move JSONValues to WTF and convert uses of InspectorValues.h
1084         to JSONValues.h"
1085         https://bugs.webkit.org/show_bug.cgi?id=173793
1086         https://trac.webkit.org/changeset/224863
1087
1088 2017-11-14  Mark Lam  <mark.lam@apple.com>
1089
1090         Gardening: CLoop build fix after r224862.
1091         https://bugs.webkit.org/show_bug.cgi?id=179699
1092
1093         Not reviewed.
1094
1095         * bytecode/CodeBlock.h:
1096         (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
1097
1098 2017-11-14  Carlos Garcia Campos  <cgarcia@igalia.com>
1099
1100         Move JSONValues to WTF and convert uses of InspectorValues.h to JSONValues.h
1101         https://bugs.webkit.org/show_bug.cgi?id=173793
1102
1103         Reviewed by Brian Burg.
1104
1105         Based on patch by Brian Burg.
1106
1107         * JavaScriptCore.xcodeproj/project.pbxproj:
1108         * Sources.txt:
1109         * bindings/ScriptValue.cpp:
1110         (Inspector::jsToInspectorValue):
1111         (Inspector::toInspectorValue):
1112         (Deprecated::ScriptValue::toInspectorValue const):
1113         * bindings/ScriptValue.h:
1114         * inspector/AsyncStackTrace.cpp:
1115         * inspector/ConsoleMessage.cpp:
1116         * inspector/ContentSearchUtilities.cpp:
1117         * inspector/InjectedScript.cpp:
1118         (Inspector::InjectedScript::getFunctionDetails):
1119         (Inspector::InjectedScript::functionDetails):
1120         (Inspector::InjectedScript::getPreview):
1121         (Inspector::InjectedScript::getProperties):
1122         (Inspector::InjectedScript::getDisplayableProperties):
1123         (Inspector::InjectedScript::getInternalProperties):
1124         (Inspector::InjectedScript::getCollectionEntries):
1125         (Inspector::InjectedScript::saveResult):
1126         (Inspector::InjectedScript::wrapCallFrames const):
1127         (Inspector::InjectedScript::wrapObject const):
1128         (Inspector::InjectedScript::wrapTable const):
1129         (Inspector::InjectedScript::previewValue const):
1130         (Inspector::InjectedScript::setExceptionValue):
1131         (Inspector::InjectedScript::clearExceptionValue):
1132         (Inspector::InjectedScript::inspectObject):
1133         (Inspector::InjectedScript::releaseObject):
1134         * inspector/InjectedScriptBase.cpp:
1135         (Inspector::InjectedScriptBase::makeCall):
1136         (Inspector::InjectedScriptBase::makeEvalCall):
1137         * inspector/InjectedScriptBase.h:
1138         * inspector/InjectedScriptManager.cpp:
1139         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
1140         * inspector/InspectorBackendDispatcher.cpp:
1141         (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
1142         (Inspector::BackendDispatcher::dispatch):
1143         (Inspector::BackendDispatcher::sendResponse):
1144         (Inspector::BackendDispatcher::sendPendingErrors):
1145         (Inspector::BackendDispatcher::getPropertyValue):
1146         (Inspector::castToInteger):
1147         (Inspector::castToNumber):
1148         (Inspector::BackendDispatcher::getInteger):
1149         (Inspector::BackendDispatcher::getDouble):
1150         (Inspector::BackendDispatcher::getString):
1151         (Inspector::BackendDispatcher::getBoolean):
1152         (Inspector::BackendDispatcher::getObject):
1153         (Inspector::BackendDispatcher::getArray):
1154         (Inspector::BackendDispatcher::getValue):
1155         * inspector/InspectorBackendDispatcher.h:
1156         * inspector/InspectorProtocolTypes.h:
1157         (Inspector::Protocol::Array::openAccessors):
1158         (Inspector::Protocol::PrimitiveBindingTraits::assertValueHasExpectedType):
1159         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
1160         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
1161         (Inspector::Protocol::BindingTraits<JSON::Value>::assertValueHasExpectedType):
1162         * inspector/ScriptCallFrame.cpp:
1163         * inspector/ScriptCallStack.cpp:
1164         * inspector/agents/InspectorAgent.cpp:
1165         (Inspector::InspectorAgent::inspect):
1166         * inspector/agents/InspectorAgent.h:
1167         * inspector/agents/InspectorDebuggerAgent.cpp:
1168         (Inspector::buildAssertPauseReason):
1169         (Inspector::buildCSPViolationPauseReason):
1170         (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
1171         (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason):
1172         (Inspector::buildObjectForBreakpointCookie):
1173         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
1174         (Inspector::parseLocation):
1175         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
1176         (Inspector::InspectorDebuggerAgent::setBreakpoint):
1177         (Inspector::InspectorDebuggerAgent::continueToLocation):
1178         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
1179         (Inspector::InspectorDebuggerAgent::didParseSource):
1180         (Inspector::InspectorDebuggerAgent::breakProgram):
1181         * inspector/agents/InspectorDebuggerAgent.h:
1182         * inspector/agents/InspectorRuntimeAgent.cpp:
1183         (Inspector::InspectorRuntimeAgent::callFunctionOn):
1184         (Inspector::InspectorRuntimeAgent::saveResult):
1185         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1186         * inspector/agents/InspectorRuntimeAgent.h:
1187         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
1188         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
1189         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
1190         (CppBackendDispatcherImplementationGenerator.generate_output):
1191         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
1192         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
1193         (CppFrontendDispatcherHeaderGenerator.generate_output):
1194         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
1195         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
1196         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
1197         (_generate_unchecked_setter_for_member):
1198         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
1199         (CppProtocolTypesImplementationGenerator):
1200         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1201         (ObjCBackendDispatcherImplementationGenerator.generate_output):
1202         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
1203         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1204         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
1205         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
1206         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
1207         * inspector/scripts/codegen/generate_objc_internal_header.py:
1208         (ObjCInternalHeaderGenerator.generate_output):
1209         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1210         (ObjCProtocolTypesImplementationGenerator.generate_output):
1211         * inspector/scripts/codegen/generator.py:
1212         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
1213         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1214         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1215         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
1216         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
1217         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
1218         * inspector/scripts/tests/generic/expected/enum-values.json-result:
1219         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
1220         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
1221         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
1222         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
1223         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
1224         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
1225         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
1226         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1227         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1228         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
1229         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
1230         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
1231         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
1232
1233 2017-11-14  Mark Lam  <mark.lam@apple.com>
1234
1235         Fix a bit-rotted Interpreter::dumpRegisters() and make it more robust.
1236         https://bugs.webkit.org/show_bug.cgi?id=179699
1237         <rdar://problem/35462346>
1238
1239         Reviewed by Michael Saboff.
1240
1241         * interpreter/Interpreter.cpp:
1242         (JSC::Interpreter::dumpRegisters):
1243         - Need to skip the callee saved registers
1244
1245 2017-11-14  Guillaume Emont  <guijemont@igalia.com>
1246
1247         REGRESSION(r224623) [MIPS] branchTruncateDoubleToInt32() doesn't set return register when branching
1248         https://bugs.webkit.org/show_bug.cgi?id=179563
1249
1250         Reviewed by Carlos Alberto Lopez Perez.
1251
1252         When run with BranchIfTruncateSuccessful,
1253         branchTruncateDoubleToInt32() should set the destination register
1254         before branching.
1255         This change also removes branchTruncateDoubleToUInt32() as it is
1256         deprecated (see r160205), merges branchOnTruncateResult() into
1257         branchTruncateDoubleToInt32() and adds test cases in testmasm.
1258
1259         * assembler/MacroAssemblerMIPS.h:
1260         (JSC::MacroAssemblerMIPS::branchOnTruncateResult): Deleted.
1261         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
1262         Properly set dest before branching.
1263         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUInt32): Deleted.
1264         * assembler/testmasm.cpp:
1265         (JSC::testBranchTruncateDoubleToInt32):
1266         (JSC::run):
1267         Add tests for branchTruncateDoubleToInt32().
1268
1269 2017-11-14  Daniel Bates  <dabates@apple.com>
1270
1271         Update comment in FeatureDefines.xcconfig to reflect location of Visual Studio property files
1272         for feature defines
1273
1274         Following r195498 and r201917 the Visual Studio property files for feature defines have
1275         moved from directory WebKitLibraries/win/tools/vsprops to directory Source/cmake/tools/vsprops.
1276         Update the comment in FeatureDefines.xcconfig to reflect the new location and names of these
1277         files.
1278
1279         * Configurations/FeatureDefines.xcconfig:
1280
1281 2017-11-14  Mark Lam  <mark.lam@apple.com>
1282
1283         Remove JSDollarVMPrototype.
1284         https://bugs.webkit.org/show_bug.cgi?id=179685
1285
1286         Reviewed by Saam Barati.
1287
1288         1. Move the JSDollarVMPrototype C++ utility functions into VMInspector.cpp.
1289
1290            This allows us to call these functions during lldb debugging sessions using
1291            VMInspector::foo() instead of JSDollarVMPrototype::foo().  It makes sense that
1292            VMInspector provides VM debugging utility methods.  It doesn't make sense to
1293            have a JSDollarVMPrototype object provide these methods.
1294
1295            Plus, it's shorter to type VMInspector than JSDollarVMPrototype.
1296
1297         2. Move the JSDollarVMPrototype JS functions into JSDollarVM.cpp.
1298
1299            JSDollarVM is a special object used only for debugging purposes.  There's no
1300            gain in requiring its methods to be stored in a prototype object other than to
1301            conform to typical JS convention.  We can remove this complexity.
1302
1303         * JavaScriptCore.xcodeproj/project.pbxproj:
1304         * Sources.txt:
1305         * runtime/JSGlobalObject.cpp:
1306         (JSC::JSGlobalObject::init):
1307         * tools/JSDollarVM.cpp:
1308         (JSC::JSDollarVM::addFunction):
1309         (JSC::functionCrash):
1310         (JSC::functionDFGTrue):
1311         (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
1312         (JSC::CallerFrameJITTypeFunctor::operator() const):
1313         (JSC::CallerFrameJITTypeFunctor::jitType):
1314         (JSC::functionLLintTrue):
1315         (JSC::functionJITTrue):
1316         (JSC::functionGC):
1317         (JSC::functionEdenGC):
1318         (JSC::functionCodeBlockForFrame):
1319         (JSC::codeBlockFromArg):
1320         (JSC::functionCodeBlockFor):
1321         (JSC::functionPrintSourceFor):
1322         (JSC::functionPrintBytecodeFor):
1323         (JSC::functionPrint):
1324         (JSC::functionPrintCallFrame):
1325         (JSC::functionPrintStack):
1326         (JSC::functionValue):
1327         (JSC::functionGetPID):
1328         (JSC::JSDollarVM::finishCreation):
1329         * tools/JSDollarVM.h:
1330         (JSC::JSDollarVM::create):
1331         * tools/JSDollarVMPrototype.cpp: Removed.
1332         * tools/JSDollarVMPrototype.h: Removed.
1333         * tools/VMInspector.cpp:
1334         (JSC::VMInspector::currentThreadOwnsJSLock):
1335         (JSC::ensureCurrentThreadOwnsJSLock):
1336         (JSC::VMInspector::gc):
1337         (JSC::VMInspector::edenGC):
1338         (JSC::VMInspector::isInHeap):
1339         (JSC::CellAddressCheckFunctor::CellAddressCheckFunctor):
1340         (JSC::CellAddressCheckFunctor::operator() const):
1341         (JSC::VMInspector::isValidCell):
1342         (JSC::VMInspector::isValidCodeBlock):
1343         (JSC::VMInspector::codeBlockForFrame):
1344         (JSC::PrintFrameFunctor::PrintFrameFunctor):
1345         (JSC::PrintFrameFunctor::operator() const):
1346         (JSC::VMInspector::printCallFrame):
1347         (JSC::VMInspector::printStack):
1348         (JSC::VMInspector::printValue):
1349         * tools/VMInspector.h:
1350
1351 2017-11-14  Joseph Pecoraro  <pecoraro@apple.com>
1352
1353         Web Inspector: Add a ServiceWorker domain to get information about an inspected ServiceWorker
1354         https://bugs.webkit.org/show_bug.cgi?id=179640
1355         <rdar://problem/35517361>
1356
1357         Reviewed by Devin Rousso.
1358
1359         * CMakeLists.txt:
1360         * DerivedSources.make:
1361         Gate the ServiceWorker domain on the ENABLE feature flag.
1362
1363         * inspector/protocol/ServiceWorker.json: Added.
1364         New domain to be made available inside of a ServiceWorker target.
1365
1366 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1367
1368         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
1369         https://bugs.webkit.org/show_bug.cgi?id=179594
1370
1371         Reviewed by Saam Barati.
1372
1373         Currently we handle OOB access to DirectArguments as GetByVal(Array::Generic).
1374         If we can handle it as GetByVal(Array::DirectArguments+OutOfBounds), we can (1) optimize
1375         `arguments[i]` accesses if i is in bounds, and (2) encourage the arguments elimination phase
1376         to convert CreateDirectArguments and GetByVal(Array::DirectArguments+OutOfBounds) to
1377         PhantomDirectArguments and GetMyArgumentOutOfBounds respectively.
1378
1379         This patch introduces Array::DirectArguments+OutOfBounds array mode. GetByVal can
1380         accept this type, and emit optimized code compared to the Array::Generic case.
1381
1382         We make OOB check failures in GetByVal(Array::DirectArguments+InBounds) take an OutOfBounds
1383         exit instead of an ExoticObjectMode one.
1384
1385         This change significantly improves SixSpeed rest.es5 since it uses OOB access.
1386         Our arguments elimination phase can change CreateDirectArguments to PhantomDirectArguments.
1387
1388             rest.es5                       59.6719+-2.2440     ^      3.1634+-0.5507        ^ definitely 18.8635x faster
1389
1390         * dfg/DFGArgumentsEliminationPhase.cpp:
1391         * dfg/DFGArrayMode.cpp:
1392         (JSC::DFG::ArrayMode::refine const):
1393         * dfg/DFGClobberize.h:
1394         (JSC::DFG::clobberize):
1395         * dfg/DFGSpeculativeJIT.cpp:
1396         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
1397         * ftl/FTLLowerDFGToB3.cpp:
1398         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1399         (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
1400
1401 2017-11-14  Saam Barati  <sbarati@apple.com>
1402
1403         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
1404         https://bugs.webkit.org/show_bug.cgi?id=179639
1405         <rdar://problem/35513018>
1406
1407         Reviewed by JF Bastien.
1408
1409         Calling Wasm::Memory::grow from the JIT may cause us to GC. When we GC, we will
1410         walk the stack for ShadowChicken (and maybe other things). We weren't updating
1411         topCallFrame when calling grow from the Wasm JIT. This would cause the GC to
1412         use stale topCallFrame bits in VM, often leading to crashes. This patch fixes
1413         this bug by giving Wasm::Instance a lambda that is called when we need to store
1414         the topCallFrame. Users of Wasm::Instance can provide a function to do this action.
1415         Currently, JSWebAssemblyInstance passes in a lambda that stores to
1416         VM.topCallFrame.
1417
1418         * wasm/WasmB3IRGenerator.cpp:
1419         (JSC::Wasm::B3IRGenerator::addGrowMemory):
1420         * wasm/WasmInstance.cpp:
1421         (JSC::Wasm::Instance::Instance):
1422         (JSC::Wasm::Instance::create):
1423         * wasm/WasmInstance.h:
1424         (JSC::Wasm::Instance::storeTopCallFrame):
1425         * wasm/js/JSWebAssemblyInstance.cpp:
1426         (JSC::JSWebAssemblyInstance::create):
1427         * wasm/js/JSWebAssemblyInstance.h:
1428         * wasm/js/WasmToJS.cpp:
1429         (JSC::Wasm::wasmToJSException):
1430         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1431         (JSC::constructJSWebAssemblyInstance):
1432         * wasm/js/WebAssemblyPrototype.cpp:
1433         (JSC::instantiate):
1434
1435 2017-11-13  Saam Barati  <sbarati@apple.com>
1436
1437         Remove pointer caging for HashMapImpl, JSLexicalEnvironment, DirectArguments, ScopedArguments, and ScopedArgumentsTable
1438         https://bugs.webkit.org/show_bug.cgi?id=179203
1439
1440         Reviewed by Yusuke Suzuki.
1441
1442         This patch only removes the pointer caging for the described types in the title.
1443         These types still allocate out of the gigacage. This is just a cost vs. benefit
1444         tradeoff of performance vs security.
1445
1446         * dfg/DFGSpeculativeJIT.cpp:
1447         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
1448         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1449         * ftl/FTLLowerDFGToB3.cpp:
1450         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1451         * jit/JITPropertyAccess.cpp:
1452         (JSC::JIT::emitDirectArgumentsGetByVal):
1453         (JSC::JIT::emitScopedArgumentsGetByVal):
1454         * runtime/DirectArguments.h:
1455         (JSC::DirectArguments::storage):
1456         * runtime/HashMapImpl.cpp:
1457         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
1458         * runtime/HashMapImpl.h:
1459         * runtime/JSLexicalEnvironment.h:
1460         (JSC::JSLexicalEnvironment::variables):
1461         * runtime/ScopedArguments.h:
1462         (JSC::ScopedArguments::overflowStorage const):
1463
1464 2017-11-08  Keith Miller  <keith_miller@apple.com>
1465
1466         Async iteration should only fetch the next method once and add feature flag
1467         https://bugs.webkit.org/show_bug.cgi?id=179451
1468
1469         Reviewed by Geoffrey Garen.
1470
1471         Add feature flag for Async iteration. Also, change async iteration to match
1472         the expected behavior of the proposal.
1473
1474         * Configurations/FeatureDefines.xcconfig:
1475         * builtins/AsyncFromSyncIteratorPrototype.js:
1476         (globalPrivate.createAsyncFromSyncIterator):
1477         (globalPrivate.AsyncFromSyncIteratorConstructor):
1478         * builtins/BuiltinNames.h:
1479         * bytecompiler/BytecodeGenerator.cpp:
1480         (JSC::BytecodeGenerator::emitGetAsyncIterator):
1481         * runtime/Options.h:
1482
1483 2017-11-13  Mark Lam  <mark.lam@apple.com>
1484
1485         Add more overflow check book-keeping for MarkedArgumentBuffer.
1486         https://bugs.webkit.org/show_bug.cgi?id=179634
1487         <rdar://problem/35492517>
1488
1489         Reviewed by Saam Barati.
1490
1491         * runtime/ArgList.h:
1492         (JSC::MarkedArgumentBuffer::overflowCheckNotNeeded):
1493         * runtime/JSJob.cpp:
1494         (JSC::JSJobMicrotask::run):
1495         * runtime/ObjectConstructor.cpp:
1496         (JSC::defineProperties):
1497         * runtime/ReflectObject.cpp:
1498         (JSC::reflectObjectConstruct):
1499
1500 2017-11-13  Guillaume Emont  <guijemont@igalia.com>
1501
1502         [JSC] Remove ARM implementation of branchTruncateDoubleToUInt32
1503         https://bugs.webkit.org/show_bug.cgi?id=179542
1504
1505         Reviewed by Alex Christensen.
1506
1507         * assembler/MacroAssemblerARM.h:
1508         (JSC::MacroAssemblerARM::branchTruncateDoubleToUint32): Removed.
1509
1510 2017-11-13  Mark Lam  <mark.lam@apple.com>
1511
1512         Make the jsc shell loadGetterFromGetterSetter() function more robust.
1513         https://bugs.webkit.org/show_bug.cgi?id=179619
1514         <rdar://problem/35492518>
1515
1516         Reviewed by Saam Barati.
1517
1518         * jsc.cpp:
1519         (functionLoadGetterFromGetterSetter):
1520
1521 2017-11-12  Darin Adler  <darin@apple.com>
1522
1523         More is<> and downcast<>, less static_cast<>
1524         https://bugs.webkit.org/show_bug.cgi?id=179600
1525
1526         Reviewed by Chris Dumez.
1527
1528         * runtime/JSString.h:
1529         (JSC::jsSubstring): Removed unneeded static_cast; length already returns unsigned.
1530         (JSC::jsSubstringOfResolved): Ditto.
1531
1532 2017-11-12  Mark Lam  <mark.lam@apple.com>
1533
1534         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
1535         https://bugs.webkit.org/show_bug.cgi?id=179562
1536         <rdar://problem/35467022>
1537
1538         Reviewed by Saam Barati.
1539
1540         * dfg/DFGFixupPhase.cpp:
1541         (JSC::DFG::FixupPhase::fixupNode):
1542         * dfg/DFGOperations.cpp:
1543         * dfg/DFGSafeToExecute.h:
1544         (JSC::DFG::SafeToExecuteEdge::operator()):
1545         * dfg/DFGSpeculativeJIT.cpp:
1546         (JSC::DFG::SpeculativeJIT::speculateNotSymbol):
1547         (JSC::DFG::SpeculativeJIT::speculate):
1548         * dfg/DFGSpeculativeJIT.h:
1549         * dfg/DFGUseKind.cpp:
1550         (WTF::printInternal):
1551         * dfg/DFGUseKind.h:
1552         (JSC::DFG::typeFilterFor):
1553         * ftl/FTLCapabilities.cpp:
1554         (JSC::FTL::canCompile):
1555         * ftl/FTLLowerDFGToB3.cpp:
1556         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1557         (JSC::FTL::DFG::LowerDFGToB3::speculateNotSymbol):
1558
1559 2017-11-11  Devin Rousso  <webkit@devinrousso.com>
1560
1561         Web Inspector: Canvas tab: show detailed status during canvas recording
1562         https://bugs.webkit.org/show_bug.cgi?id=178185
1563         <rdar://problem/34939862>
1564
1565         Reviewed by Brian Burg.
1566
1567         * inspector/protocol/Canvas.json:
1568         Add a `recordingProgress` event that is sent to the frontend that contains all the frame
1569         payloads since the last Canvas.recordingProgress event and the current buffer usage.
1570
1571         * inspector/protocol/Recording.json:
1572         Remove the required `frames` parameter from the Recording protocol object, as they will be
1573         sent in batches via the Canvas.recordingProgress event.
1574
1575 2017-11-10  Joseph Pecoraro  <pecoraro@apple.com>
1576
1577         Web Inspector: Make http status codes be "integer" instead of "number" in protocol
1578         https://bugs.webkit.org/show_bug.cgi?id=179543
1579
1580         Reviewed by Antoine Quint.
1581
1582         * inspector/protocol/Network.json:
1583         Use a better type for the status code.
1584
1585 2017-11-10  Robin Morisset  <rmorisset@apple.com>
1586
1587         The memory consumption of DFG::BasicBlock can be easily reduced a bit
1588         https://bugs.webkit.org/show_bug.cgi?id=179528
1589
1590         Reviewed by Saam Barati.
1591
1592         A few changes here:
1593         - Reordering some fields of DFG::BasicBlock to reduce padding
1594         - Making the enum fields that are glorified booleans fit into a u8
1595         - Make each Operands object have a single vector that holds all arguments followed by all locals, instead of two vectors.
1596           This change works because we never increase the number of arguments after allocating an Operands object.
1597           It lets us avoid one extra capacity field and one extra pointer field per Operands,
1598           and more importantly one allocation per Operands whenever both vectors would have overflowed their inlined buffer.
1599           Additionally, if a single vector would have overflowed its inline buffer, while the other would have had some free space,
1600           we have a chance to avoid an allocation.
1601         - Finally, the three methods argumentForIndex, variableForIndex and indexForOperand were deleted since they were dead code.
1602
1603         * bytecode/Operands.h:
1604         (JSC::Operands::Operands):
1605         (JSC::Operands::numberOfArguments const):
1606         (JSC::Operands::numberOfLocals const):
1607         (JSC::Operands::argument):
1608         (JSC::Operands::argument const):
1609         (JSC::Operands::local):
1610         (JSC::Operands::local const):
1611         (JSC::Operands::ensureLocals):
1612         (JSC::Operands::setLocal):
1613         (JSC::Operands::getLocal):
1614         (JSC::Operands::setArgumentFirstTime):
1615         (JSC::Operands::setLocalFirstTime):
1616         (JSC::Operands::operand):
1617         (JSC::Operands::setOperand):
1618         (JSC::Operands::size const):
1619         (JSC::Operands::at const):
1620         (JSC::Operands::at):
1621         (JSC::Operands::isArgument const):
1622         (JSC::Operands::isVariable const):
1623         (JSC::Operands::virtualRegisterForIndex const):
1624         (JSC::Operands::fill):
1625         (JSC::Operands::operator== const):
1626         (JSC::Operands::argumentForIndex const): Deleted.
1627         (JSC::Operands::variableForIndex const): Deleted.
1628         (JSC::Operands::indexForOperand const): Deleted.
1629         * dfg/DFGBasicBlock.cpp:
1630         (JSC::DFG::BasicBlock::BasicBlock):
1631         * dfg/DFGBasicBlock.h:
1632         * dfg/DFGBranchDirection.h:
1633         * dfg/DFGStructureClobberState.h:
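
The single-vector layout this entry describes, as an added example (not JSC's bytecode/Operands.h): a hypothetical Operands<T> whose one backing vector holds all arguments followed by all locals, with argument()/local() computing offsets into it and ensureLocals() growing only the tail. The class name, the method names and the helper operandsLayoutHolds() are assumptions of the example; they mirror the names listed in the entry but are not the project's code.

```cpp
#include <cassert>
#include <cstddef>
#include <vector>

// Hypothetical Operands<T>: arguments occupy [0, numArguments), locals occupy
// [numArguments, size()), both inside a single vector.
template<typename T>
class Operands {
public:
    Operands(size_t numArguments, size_t numLocals, const T& fill = T())
        : m_numArguments(numArguments)
        , m_values(numArguments + numLocals, fill)
    {
    }

    size_t numberOfArguments() const { return m_numArguments; }
    size_t numberOfLocals() const { return m_values.size() - m_numArguments; }
    size_t size() const { return m_values.size(); }

    // Arguments: direct index into the head of the vector.
    T& argument(size_t i) { assert(i < m_numArguments); return m_values[i]; }
    const T& argument(size_t i) const { assert(i < m_numArguments); return m_values[i]; }

    // Locals: the only arithmetic needed is the fixed argument offset.
    T& local(size_t i) { assert(i < numberOfLocals()); return m_values[m_numArguments + i]; }
    const T& local(size_t i) const { assert(i < numberOfLocals()); return m_values[m_numArguments + i]; }

    // Flat view over both regions.
    T& at(size_t index) { assert(index < size()); return m_values[index]; }
    const T& at(size_t index) const { assert(index < size()); return m_values[index]; }
    bool isArgument(size_t index) const { return index < m_numArguments; }
    bool isVariable(size_t index) const { return index >= m_numArguments && index < size(); }

    // Only the locals region may grow after construction. Because the number of
    // arguments never changes, growing locals appends to the vector and never
    // shifts an existing slot, which is what makes one vector sufficient.
    void ensureLocals(size_t count, const T& fill = T())
    {
        if (count <= numberOfLocals())
            return;
        m_values.resize(m_numArguments + count, fill);
    }

    void fill(const T& value)
    {
        for (T& v : m_values)
            v = value;
    }

    bool operator==(const Operands& other) const
    {
        return m_numArguments == other.m_numArguments && m_values == other.m_values;
    }

private:
    size_t m_numArguments;
    std::vector<T> m_values;
};

// Exercise the layout on a small instance; returns true when every invariant held.
bool operandsLayoutHolds()
{
    Operands<int> ops(2, 3, 0);      // 2 arguments, 3 locals, all zero
    ops.argument(1) = 7;
    ops.local(2) = 9;
    if (ops.size() != 5 || ops.at(1) != 7 || ops.at(4) != 9)
        return false;
    if (!ops.isArgument(1) || ops.isArgument(2) || !ops.isVariable(2))
        return false;

    ops.ensureLocals(5, -1);         // grows the tail only; argument(1) and local(2) keep their slots
    if (ops.numberOfLocals() != 5 || ops.size() != 7)
        return false;
    if (ops.argument(1) != 7 || ops.local(2) != 9 || ops.local(4) != -1)
        return false;

    Operands<int> same(2, 5, 0);     // the same state built directly
    same.argument(1) = 7;
    same.local(2) = 9;
    same.local(3) = -1;
    same.local(4) = -1;
    return ops == same;
}
```

The example keeps one capacity and one pointer for the whole object, which is the saving the entry counts per Operands; an inline-buffer vector (as WTF::Vector offers) would additionally give the combined regions one shared inline buffer, the second saving the entry describes.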
1634
1635 2017-11-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1636
1637         [JSC] Retry module fetching if previous request fails
1638         https://bugs.webkit.org/show_bug.cgi?id=178168
1639
1640         Reviewed by Saam Barati.
1641
1642         According to the latest spec, the failed fetching operation can be retried if it is requested again.
1643         For example,
1644
1645             <script type="module" integrity="shaXXX-bad" src="./A.js"></script>
1646             <script type="module" integrity="shaXXX-correct" src="./A.js"></script>
1647
1648         When performing the first module fetching, the integrity check fails, and the load of this module fails.
1649         But when loading the second module, we do not use the cached failure result from the first module loading.
1650         We retry fetching for "./A.js". In this case, we have a correct integrity and module fetching succeeds.
1651         This is specified in whatwg/HTML[1]. If the fetching fails, we do not cache it.
1652
1653         Interestingly, fetching result and instantiation result will be cached if they succeed. This is because we would
1654         like to cache modules based on their URLs. As a result,
1655
1656             <script type="module" integrity="shaXXX-correct" src="./A.js"></script>
1657             <script type="module" integrity="shaXXX-bad" src="./A.js"></script>
1658
1659         In the above case, the first loading succeeds. And the second loading also succeeds since the succeeded fetching and
1660         instantiation are cached in the module pipeline.
1661
1662         This patch implements the above semantics. Previously, our module pipeline always cached the result. If the fetching
1663         failed, all the subsequent fetching for the same URL failed even if we had different integrity values. We retry fetching
1664         if the previous one fails. As an overview of our change,
1665
1666         1. Fetching result should be cached only if it succeeds. Two or more on-the-fly fetching requests to the same URLs should
1667            be unified. But if the currently executing one fails, other attempts should retry fetching.
1668
1669         2. Instantiation should be cached if fetching succeeds.
1670
1671         3. Satisfying should be cached if it succeeds.
1672
1673         [1]: https://html.spec.whatwg.org/#fetch-a-single-module-script
1674
1675         * builtins/ModuleLoaderPrototype.js:
1676         (requestFetch):
1677         (requestInstantiate):
1678         (requestSatisfy):
1679         (link):
1680         (loadModule):
1681         * runtime/JSGlobalObject.cpp:
1682         (JSC::JSGlobalObject::init):
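
The cache policy this entry specifies, as an added example (not the ModuleLoaderPrototype.js code the entry lists): a hypothetical ModuleRegistry whose requestFetch() stores only successful fetches, so the two <script> orderings above come out as described. The registry, the Fetcher callback and the toy 32-bit FNV-1a digest standing in for an SRI SHA digest are all constructed for the example; the sequential case is modelled here, not the unification of concurrent in-flight requests.

```cpp
#include <cstddef>
#include <cstdint>
#include <functional>
#include <map>
#include <string>

// Toy integrity digest (32-bit FNV-1a) standing in for the SHA digest an
// `integrity` attribute carries; constructed for this example only.
uint32_t toyDigest(const std::string& bytes)
{
    uint32_t h = 2166136261u;
    for (unsigned char c : bytes) {
        h ^= c;
        h *= 16777619u;
    }
    return h;
}

struct FetchResult {
    bool ok;            // false models a network failure
    std::string bytes;
};

struct Module {
    std::string url;
    std::string source;
};

// Network layer: maps a URL to its bytes.
using Fetcher = std::function<FetchResult(const std::string& url)>;

class ModuleRegistry {
public:
    explicit ModuleRegistry(Fetcher fetcher) : m_fetch(std::move(fetcher)) { }

    // A URL whose fetch already succeeded is served from the registry without a
    // new integrity check (modules are cached by URL). A URL whose fetch failed,
    // by network error or integrity mismatch, is not remembered, so the next
    // request for it fetches again. Returns nullptr on failure.
    const Module* requestFetch(const std::string& url, uint32_t expectedDigest)
    {
        auto cached = m_fetched.find(url);
        if (cached != m_fetched.end())
            return &cached->second;

        ++m_networkFetches;
        FetchResult result = m_fetch(url);
        if (!result.ok || toyDigest(result.bytes) != expectedDigest)
            return nullptr;                          // failure: nothing is cached

        Module module { url, result.bytes };
        return &m_fetched.emplace(url, module).first->second;
    }

    size_t networkFetches() const { return m_networkFetches; }

private:
    Fetcher m_fetch;
    std::map<std::string, Module> m_fetched;    // pointers into a std::map stay valid
    size_t m_networkFetches = 0;
};

struct Outcome {
    bool firstLoaded;
    bool secondLoaded;
    size_t networkFetches;
};

// Constructed server with a single module at ./A.js.
static const std::string kSourceA = "export const a = 1;";

static Fetcher constructedServer()
{
    return [](const std::string& url) -> FetchResult {
        if (url == "./A.js")
            return { true, kSourceA };
        return { false, "" };
    };
}

// First <script> carries a bad digest, the second the correct one: the first load
// fails, the failure is not cached, the second load fetches again and succeeds.
Outcome badThenCorrect()
{
    ModuleRegistry registry(constructedServer());
    uint32_t correct = toyDigest(kSourceA);
    bool first = registry.requestFetch("./A.js", correct ^ 1u) != nullptr;
    bool second = registry.requestFetch("./A.js", correct) != nullptr;
    return { first, second, registry.networkFetches() };
}

// Correct digest first, bad digest second: the cached success is reused, so the
// second load also succeeds and no second network fetch happens.
Outcome correctThenBad()
{
    ModuleRegistry registry(constructedServer());
    uint32_t correct = toyDigest(kSourceA);
    bool first = registry.requestFetch("./A.js", correct) != nullptr;
    bool second = registry.requestFetch("./A.js", correct ^ 1u) != nullptr;
    return { first, second, registry.networkFetches() };
}
```

The second scenario is the one to notice from a security standpoint: once a URL has loaded successfully, a later <script> for the same URL with a different integrity value is served from the cache without re-verification, exactly as the entry states.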
1683
1684 2017-11-09  Devin Rousso  <webkit@devinrousso.com>
1685
1686         Web Inspector: support undo/redo of insertAdjacentHTML
1687         https://bugs.webkit.org/show_bug.cgi?id=179283
1688
1689         Reviewed by Joseph Pecoraro.
1690
1691         * inspector/protocol/DOM.json:
1692         Add `insertAdjacentHTML` command that executes an undoable version of `insertAdjacentHTML`
1693         on the given node.
1694
1695 2017-11-09  Joseph Pecoraro  <pecoraro@apple.com>
1696
1697         Web Inspector: Make domain availability a list of types instead of a single type
1698         https://bugs.webkit.org/show_bug.cgi?id=179457
1699
1700         Reviewed by Brian Burg.
1701
1702         * inspector/scripts/codegen/generate_js_backend_commands.py:
1703         (JSBackendCommandsGenerator.generate_domain):
1704         Update output of `InspectorBackend.activateDomain` to include the list.
1705
1706         * inspector/scripts/codegen/models.py:
1707         (Protocol.parse_domain):
1708         Parse `availability` as a list and include a new supported value of "service-worker".
1709
1710         * inspector/protocol/ApplicationCache.json:
1711         * inspector/protocol/CSS.json:
1712         * inspector/protocol/Canvas.json:
1713         * inspector/protocol/DOM.json:
1714         * inspector/protocol/DOMDebugger.json:
1715         * inspector/protocol/DOMStorage.json:
1716         * inspector/protocol/Database.json:
1717         * inspector/protocol/IndexedDB.json:
1718         * inspector/protocol/LayerTree.json:
1719         * inspector/protocol/Memory.json:
1720         * inspector/protocol/Network.json:
1721         * inspector/protocol/Page.json:
1722         * inspector/protocol/Timeline.json:
1723         * inspector/protocol/Worker.json:
1724         Update `availability` to be a list.
1725
1726         * inspector/scripts/tests/generic/domain-availability.json:
1727         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
1728         * inspector/scripts/tests/generic/expected/fail-on-domain-availability-type.json-error: Added.
1729         * inspector/scripts/tests/generic/expected/fail-on-domain-availability-value.json-error: Added.
1730         * inspector/scripts/tests/generic/expected/fail-on-domain-availability.json-error:
1731         * inspector/scripts/tests/generic/fail-on-domain-availability-type.json: Copied from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-availability.json.
1732         * inspector/scripts/tests/generic/fail-on-domain-availability-value.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-availability.json.
1733         Update tests to include a test for the type and an invalid value.
1734
1735 2017-11-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1736
1737         [JSC][JIT] Clean up SlowPathCall stubs
1738         https://bugs.webkit.org/show_bug.cgi?id=179247
1739
1740         Reviewed by Saam Barati.
1741
1742         We have a bunch of duplicate functions that just call a slow path function.
1743         This patch cleans up the above duplication.
1744
1745         * jit/JIT.cpp:
1746         (JSC::JIT::emitSlowCaseCall):
1747         (JSC::JIT::privateCompileSlowCases):
1748         * jit/JIT.h:
1749         * jit/JITArithmetic.cpp:
1750         (JSC::JIT::emitSlow_op_unsigned): Deleted.
1751         (JSC::JIT::emitSlow_op_inc): Deleted.
1752         (JSC::JIT::emitSlow_op_dec): Deleted.
1753         (JSC::JIT::emitSlow_op_bitand): Deleted.
1754         (JSC::JIT::emitSlow_op_bitor): Deleted.
1755         (JSC::JIT::emitSlow_op_bitxor): Deleted.
1756         (JSC::JIT::emitSlow_op_lshift): Deleted.
1757         (JSC::JIT::emitSlow_op_rshift): Deleted.
1758         (JSC::JIT::emitSlow_op_urshift): Deleted.
1759         (JSC::JIT::emitSlow_op_div): Deleted.
1760         * jit/JITArithmetic32_64.cpp:
1761         (JSC::JIT::emitSlow_op_unsigned): Deleted.
1762         (JSC::JIT::emitSlow_op_inc): Deleted.
1763         (JSC::JIT::emitSlow_op_dec): Deleted.
1764         * jit/JITOpcodes.cpp:
1765         (JSC::JIT::emitSlow_op_create_this): Deleted.
1766         (JSC::JIT::emitSlow_op_check_tdz): Deleted.
1767         (JSC::JIT::emitSlow_op_to_this): Deleted.
1768         (JSC::JIT::emitSlow_op_to_primitive): Deleted.
1769         (JSC::JIT::emitSlow_op_not): Deleted.
1770         (JSC::JIT::emitSlow_op_stricteq): Deleted.
1771         (JSC::JIT::emitSlow_op_nstricteq): Deleted.
1772         (JSC::JIT::emitSlow_op_to_number): Deleted.
1773         (JSC::JIT::emitSlow_op_to_string): Deleted.
1774         (JSC::JIT::emitSlow_op_to_object): Deleted.
1775         (JSC::JIT::emitSlow_op_get_direct_pname): Deleted.
1776         (JSC::JIT::emitSlow_op_has_structure_property): Deleted.
1777         * jit/JITOpcodes32_64.cpp:
1778         (JSC::JIT::emitSlow_op_to_primitive): Deleted.
1779         (JSC::JIT::emitSlow_op_not): Deleted.
1780         (JSC::JIT::emitSlow_op_stricteq): Deleted.
1781         (JSC::JIT::emitSlow_op_nstricteq): Deleted.
1782         (JSC::JIT::emitSlow_op_to_number): Deleted.
1783         (JSC::JIT::emitSlow_op_to_string): Deleted.
1784         (JSC::JIT::emitSlow_op_to_object): Deleted.
1785         (JSC::JIT::emitSlow_op_create_this): Deleted.
1786         (JSC::JIT::emitSlow_op_to_this): Deleted.
1787         (JSC::JIT::emitSlow_op_check_tdz): Deleted.
1788         (JSC::JIT::emitSlow_op_get_direct_pname): Deleted.
1789         * jit/JITPropertyAccess.cpp:
1790         (JSC::JIT::emitSlow_op_resolve_scope): Deleted.
1791         * jit/JITPropertyAccess32_64.cpp:
1792         (JSC::JIT::emit_op_resolve_scope):
1793         (JSC::JIT::emitSlow_op_resolve_scope): Deleted.
1794         * jit/SlowPathCall.h:
1795         (JSC::JITSlowPathCall::JITSlowPathCall):
1796         * runtime/CommonSlowPaths.cpp:
1797         (JSC::SLOW_PATH_DECL):
1798         * runtime/CommonSlowPaths.h:
1799
1800 2017-11-09  Guillaume Emont  <guijemont@igalia.com>
1801
1802         [JSC][MIPS] Use fcsr to check the validity of the result of trunc.w.d
1803         https://bugs.webkit.org/show_bug.cgi?id=179446
1804
1805         Reviewed by Žan Doberšek.
1806
1807         The trunc.w.d mips instruction should give a 0x7fffffff result when
1808         the source value is Infinity, NaN, or rounds to an integer outside the
1809         range -2^31 to 2^31 -1. This is what branchTruncateDoubleToInt32() and
1810         branchTruncateDoubleToUInt32() have been relying on. It turns out that
1811         this assumption is not true on some CPUs, including on the ci20 on
1812         which we run the testbot (we get 0x80000000 instead). We should use the
1813         invalid operation cause bit instead to check whether the source value
1814         could be properly truncated. This requires the addition of the cfc1
1815         instruction, as well as the special registers that can be used with it
1816         (control registers of CP1).
1817
1818         * assembler/MIPSAssembler.h:
1819         (JSC::MIPSAssembler::firstSPRegister):
1820         (JSC::MIPSAssembler::lastSPRegister):
1821         (JSC::MIPSAssembler::numberOfSPRegisters):
1822         (JSC::MIPSAssembler::sprName):
1823         Added control registers of CP1.
1824         (JSC::MIPSAssembler::cfc1):
1825         Added.
1826         * assembler/MacroAssemblerMIPS.h:
1827         (JSC::MacroAssemblerMIPS::branchOnTruncateResult):
1828         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
1829         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUint32):
1830         Use fcsr to check if the value could be properly truncated.
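
The two checking strategies this entry contrasts, as an added example (not JSC's MacroAssemblerMIPS.h): a software model of trunc.w.d together with the FCSR invalid-operation cause bit, where the integer the instruction yields on an invalid conversion is a parameter so that both the documented 0x7fffffff and the 0x80000000 observed on the ci20 can be tried. truncateViaSentinel() is the old value-based check and truncateViaFlag() the cause-bit check; all names and the model itself are assumptions of the example.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <limits>

// Model of trunc.w.d plus the FCSR invalid-operation cause bit. On NaN, ±Inf or a
// value that truncates outside [-2^31, 2^31-1] the cause bit is set and the result
// is whatever the CPU produces; the sentinel is a parameter for that reason.
struct TruncWD {
    int32_t value;
    bool invalid;   // the FCSR "invalid operation" cause bit
};

constexpr int32_t kDocumentedSentinel = 0x7fffffff;
constexpr int32_t kCi20Sentinel = std::numeric_limits<int32_t>::min();  // 0x80000000

TruncWD truncWD(double x, int32_t sentinelOnInvalid)
{
    // Valid iff trunc(x) lies in [-2^31, 2^31-1]; NaN fails both comparisons.
    bool valid = x > -2147483649.0 && x < 2147483648.0;
    if (!valid)
        return { sentinelOnInvalid, true };
    return { static_cast<int32_t>(std::trunc(x)), false };
}

struct Truncation {
    bool ok;        // false: take the slow path
    int32_t value;
};

// Old scheme: assume 0x7fffffff is the only possible "invalid" result and branch
// on the value alone. Correct only when the CPU honours that assumption.
Truncation truncateViaSentinel(double x, int32_t cpuSentinel)
{
    TruncWD r = truncWD(x, cpuSentinel);
    if (r.value == kDocumentedSentinel)
        return { false, 0 };
    return { true, r.value };
}

// New scheme: read the cause bit (cfc1 on real hardware) instead of guessing from
// the result value. Independent of which sentinel the CPU produces, and it keeps
// the legitimate results 0x7fffffff and 0x80000000 on the fast path.
Truncation truncateViaFlag(double x, int32_t cpuSentinel)
{
    TruncWD r = truncWD(x, cpuSentinel);
    if (r.invalid)
        return { false, 0 };
    return { true, r.value };
}

int main()
{
    const double inputs[] = { 3.9, -3.9, -2147483648.0, 2147483648.0, std::nan(""), INFINITY };
    for (double x : inputs) {
        Truncation s = truncateViaSentinel(x, kCi20Sentinel);
        Truncation f = truncateViaFlag(x, kCi20Sentinel);
        std::printf("%-14g sentinel: ok=%d value=%d   flag: ok=%d value=%d\n",
            x, s.ok, s.value, f.ok, f.value);
    }
    return 0;
}
```

With kCi20Sentinel the sentinel check accepts NaN, Infinity and 2147483648.0 as the valid integer INT32_MIN, which is the failure the entry describes; the cause-bit check rejects all three on either CPU.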
1831
1832 2017-11-08  Jeremy Jones  <jeremyj@apple.com>
1833
1834         HTMLMediaElement should not use element fullscreen on iOS
1835         https://bugs.webkit.org/show_bug.cgi?id=179418
1836         rdar://problem/35409277
1837
1838         Reviewed by Eric Carlson.
1839
1840         Add ENABLE_VIDEO_USES_ELEMENT_FULLSCREEN to determine if HTMLMediaElement should use element full screen or not.
1841
1842         * Configurations/FeatureDefines.xcconfig:
1843
1844 2017-11-08  Joseph Pecoraro  <pecoraro@apple.com>
1845
1846         Web Inspector: Show Internal properties of PaymentRequest in Web Inspector Console
1847         https://bugs.webkit.org/show_bug.cgi?id=179276
1848
1849         Reviewed by Andy Estes.
1850
1851         * inspector/InjectedScriptHost.h:
1852         * inspector/JSInjectedScriptHost.cpp:
1853         (Inspector::JSInjectedScriptHost::getInternalProperties):
1854         Call through to virtual implementation so that WebCore can provide custom
1855         internal properties for Web / DOM objects.
1856
1857 2017-11-08  Saam Barati  <sbarati@apple.com>
1858
1859         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
1860         https://bugs.webkit.org/show_bug.cgi?id=177792
1861
1862         Reviewed by Yusuke Suzuki.
1863
1864         Before this patch, if a JSFunction's rare data initialized its allocation profile
1865         before its backing Executable's poly proto watchpoint was invalidated, that
1866         JSFunction would continue to allocate non-poly proto objects until its allocation
1867         profile was cleared (which essentially never happens in practice). This patch
1868         improves on this pathology. A JSFunction's rare data will now watch the poly
1869         proto watchpoint if it's still valid and clear its allocation profile when we
1870         detect that we should go poly proto.
1871
1872         * bytecode/ObjectAllocationProfile.h:
1873         * bytecode/ObjectAllocationProfileInlines.h:
1874         (JSC::ObjectAllocationProfile::initializeProfile):
1875         * runtime/FunctionRareData.cpp:
1876         (JSC::FunctionRareData::initializeObjectAllocationProfile):
1877         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::fireInternal):
1878         * runtime/FunctionRareData.h:
1879         (JSC::FunctionRareData::hasAllocationProfileClearingWatchpoint const):
1880         (JSC::FunctionRareData::createAllocationProfileClearingWatchpoint):
1881         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::AllocationProfileClearingWatchpoint):
1882
1883 2017-11-08  Keith Miller  <keith_miller@apple.com>
1884
1885         Add super sampler begin and end bytecodes.
1886         https://bugs.webkit.org/show_bug.cgi?id=179376
1887
1888         Reviewed by Filip Pizlo.
1889
1890         This patch adds a way to measure a narrow range of bytecodes for
1891         performance. This is done using the same infrastructure as the
1892         super sampler. I also added a class that helps do the bytecode
1893         checking with RAII. One problem with the current way this is done
1894         is that we don't handle decrementing early exits, either from
1895         branches or exceptions. So, when using this API users need to
1896         ensure that there are no early exits or that those exits don't
1897         occur on the measure code.
1898
1899         * JavaScriptCore.xcodeproj/project.pbxproj:
1900         * bytecode/BytecodeDumper.cpp:
1901         (JSC::BytecodeDumper<Block>::dumpBytecode):
1902         * bytecode/BytecodeList.json:
1903         * bytecode/BytecodeUseDef.h:
1904         (JSC::computeUsesForBytecodeOffset):
1905         (JSC::computeDefsForBytecodeOffset):
1906         * bytecompiler/BytecodeGenerator.cpp:
1907         (JSC::BytecodeGenerator::emitSuperSamplerBegin):
1908         (JSC::BytecodeGenerator::emitSuperSamplerEnd):
1909         * bytecompiler/BytecodeGenerator.h:
1910         * bytecompiler/SuperSamplerBytecodeScope.h: Added.
1911         (JSC::SuperSamplerBytecodeScope::SuperSamplerBytecodeScope):
1912         (JSC::SuperSamplerBytecodeScope::~SuperSamplerBytecodeScope):
1913         * dfg/DFGAbstractInterpreterInlines.h:
1914         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1915         * dfg/DFGByteCodeParser.cpp:
1916         (JSC::DFG::ByteCodeParser::parseBlock):
1917         * dfg/DFGClobberize.h:
1918         (JSC::DFG::clobberize):
1919         * dfg/DFGClobbersExitState.cpp:
1920         (JSC::DFG::clobbersExitState):
1921         * dfg/DFGDoesGC.cpp:
1922         (JSC::DFG::doesGC):
1923         * dfg/DFGFixupPhase.cpp:
1924         (JSC::DFG::FixupPhase::fixupNode):
1925         * dfg/DFGMayExit.cpp:
1926         * dfg/DFGNodeType.h:
1927         * dfg/DFGPredictionPropagationPhase.cpp:
1928         * dfg/DFGSafeToExecute.h:
1929         (JSC::DFG::safeToExecute):
1930         * dfg/DFGSpeculativeJIT.cpp:
1931         * dfg/DFGSpeculativeJIT32_64.cpp:
1932         (JSC::DFG::SpeculativeJIT::compile):
1933         * dfg/DFGSpeculativeJIT64.cpp:
1934         (JSC::DFG::SpeculativeJIT::compile):
1935         * ftl/FTLCapabilities.cpp:
1936         (JSC::FTL::canCompile):
1937         * ftl/FTLLowerDFGToB3.cpp:
1938         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1939         (JSC::FTL::DFG::LowerDFGToB3::compileSuperSamplerBegin):
1940         (JSC::FTL::DFG::LowerDFGToB3::compileSuperSamplerEnd):
1941         * jit/JIT.cpp:
1942         (JSC::JIT::privateCompileMainPass):
1943         * jit/JIT.h:
1944         * jit/JITOpcodes.cpp:
1945         (JSC::JIT::emit_op_super_sampler_begin):
1946         (JSC::JIT::emit_op_super_sampler_end):
1947         * llint/LLIntSlowPaths.cpp:
1948         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1949         * llint/LLIntSlowPaths.h:
1950         * llint/LowLevelInterpreter.asm:
1951
1952 2017-11-08  Robin Morisset  <rmorisset@apple.com>
1953
1954         Turn recursive tail calls into loops
1955         https://bugs.webkit.org/show_bug.cgi?id=176601
1956
1957         Reviewed by Saam Barati.
1958
1959         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
1960
1961         We want to turn recursive tail calls into loops early in the pipeline, so that the loops can then be optimized.
1962         One difficulty is that we need to split the entry block of the function we are jumping to in order to have somewhere to jump to.
1963         Worse: it is not necessarily the first block of the codeBlock, because of inlining! So we must do the splitting in the DFGByteCodeParser, at the same time as inlining.
1964         We do this part through modifying the computation of the jump targets.
1965         Importantly, we only do this splitting for functions that have tail calls.
1966         It is the only case where the optimisation is sound, and doing the splitting unconditionally destroys performance on Octane/raytrace.
1967
1968         We must then do the actual transformation also in DFGByteCodeParser, to avoid code motion moving code out of the body of what will become a loop.
1969         The transformation is entirely contained in handleRecursiveTailCall, which is hooked to the inlining machinery.
1970
1971         * bytecode/CodeBlock.h:
1972         (JSC::CodeBlock::hasTailCalls const):
1973         * bytecode/PreciseJumpTargets.cpp:
1974         (JSC::getJumpTargetsForBytecodeOffset):
1975         (JSC::computePreciseJumpTargetsInternal):
1976         * bytecode/UnlinkedCodeBlock.cpp:
1977         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1978         * bytecode/UnlinkedCodeBlock.h:
1979         (JSC::UnlinkedCodeBlock::hasTailCalls const):
1980         (JSC::UnlinkedCodeBlock::setHasTailCalls):
1981         * bytecompiler/BytecodeGenerator.cpp:
1982         (JSC::BytecodeGenerator::emitEnter):
1983         (JSC::BytecodeGenerator::emitCallInTailPosition):
1984         * dfg/DFGByteCodeParser.cpp:
1985         (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
1986         (JSC::DFG::ByteCodeParser::makeBlockTargetable):
1987         (JSC::DFG::ByteCodeParser::handleCall):
1988         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
1989         (JSC::DFG::ByteCodeParser::parseBlock):
1990         (JSC::DFG::ByteCodeParser::parse):
1991
1992 2017-11-08  Joseph Pecoraro  <pecoraro@apple.com>
1993
1994         Web Inspector: Remove unused Page.ScriptIdentifier protocol type
1995         https://bugs.webkit.org/show_bug.cgi?id=179407
1996
1997         Reviewed by Matt Baker.
1998
1999         * inspector/protocol/Page.json:
2000         Remove unused protocol type.
2001
2002 2017-11-08  Carlos Garcia Campos  <cgarcia@igalia.com>
2003
2004         Web Inspector: use JSON::{Array,Object,Value} instead of Inspector{Array,Object,Value}
2005         https://bugs.webkit.org/show_bug.cgi?id=173619
2006
2007         Reviewed by Alex Christensen and Brian Burg.
2008
2009         Eventually all classes used for our JSON-RPC message passing should be outside
2010         of the Inspector namespace since the protocol is used outside of Inspector code.
2011         This will also allow us to unify the primitive JSON types with parametric types
2012         like Inspector::Protocol::Array<T> and other protocol-related types which don't
2013         need to be in the Inspector namespace.
2014
2015         Start this refactoring off by making JSON::Value a typedef for InspectorValue. In following
2016         patches, other clients will move to use JSON::Value and friends. When all uses are
2017         changed, the actual implementation will be renamed. This patch just focuses on the typedef
2018         and making changes in generated protocol code.
2019
2020         Original patch by Brian Burg, rebased and updated by me.
2021
2022         * inspector/InspectorValues.cpp:
2023         * inspector/InspectorValues.h:
2024         * inspector/scripts/codegen/cpp_generator.py:
2025         (CppGenerator.cpp_protocol_type_for_type):
2026         (CppGenerator.cpp_type_for_unchecked_formal_in_parameter):
2027         (CppGenerator.cpp_type_for_type_with_name):
2028         (CppGenerator.cpp_type_for_stack_in_parameter):
2029         * inspector/scripts/codegen/cpp_generator_templates.py:
2030         (void):
2031         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2032         (_generate_class_for_object_declaration):
2033         (_generate_forward_declarations_for_binding_traits):
2034         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2035         (CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration):
2036         (CppProtocolTypesImplementationGenerator._generate_assertion_for_enum):
2037         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
2038         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2039         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2040         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
2041         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
2042         * inspector/scripts/tests/generic/expected/enum-values.json-result:
2043         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2044         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
2045         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
2046         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2047         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
2048         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
2049         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
2050         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
2051
2052 2017-11-07  Maciej Stachowiak  <mjs@apple.com>
2053
2054         Get rid of unsightly hex numbers from unified build object files
2055         https://bugs.webkit.org/show_bug.cgi?id=179410
2056
2057         Reviewed by Saam Barati.
2058
2059         * JavaScriptCore.xcodeproj/project.pbxproj: Rename UnifiedSource*.mm to UnifiedSource*-mm.mm for more readable build output.
2060
2061 2017-11-07  Saam Barati  <sbarati@apple.com>
2062
2063         Only cage double butterfly accesses
2064         https://bugs.webkit.org/show_bug.cgi?id=179202
2065
2066         Reviewed by Mark Lam.
2067
2068         This patch removes caging from all butterfly accesses except double loads/stores.
2069         This is a performance vs security tradeoff. Double loads/stores are the only butterfly
2070         loads/stores that can write arbitrary bit patterns, so we choose to keep them safe
2071         by caging. The other load/stores we are no longer caging to get back performance on
2072         various benchmarks.
2073
2074         * bytecode/AccessCase.cpp:
2075         (JSC::AccessCase::generateImpl):
2076         * bytecode/InlineAccess.cpp:
2077         (JSC::InlineAccess::dumpCacheSizesAndCrash):
2078         (JSC::InlineAccess::generateSelfPropertyAccess):
2079         (JSC::InlineAccess::generateSelfPropertyReplace):
2080         (JSC::InlineAccess::generateArrayLength):
2081         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp:
2082         * dfg/DFGSpeculativeJIT.cpp:
2083         (JSC::DFG::SpeculativeJIT::compileCreateRest):
2084         (JSC::DFG::SpeculativeJIT::compileSpread):
2085         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
2086         * dfg/DFGSpeculativeJIT64.cpp:
2087         (JSC::DFG::SpeculativeJIT::compile):
2088         * ftl/FTLLowerDFGToB3.cpp:
2089         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
2090         * jit/JITPropertyAccess.cpp:
2091         (JSC::JIT::emitContiguousLoad):
2092         (JSC::JIT::emitArrayStorageLoad):
2093         (JSC::JIT::emitGenericContiguousPutByVal):
2094         (JSC::JIT::emitArrayStoragePutByVal):
2095         (JSC::JIT::emit_op_get_from_scope):
2096         (JSC::JIT::emit_op_put_to_scope):
2097         * llint/LowLevelInterpreter64.asm:
2098         * runtime/AuxiliaryBarrier.h:
2099         (JSC::AuxiliaryBarrier::operator-> const):
2100         * runtime/Butterfly.h:
2101         (JSC::Butterfly::caged):
2102         (JSC::Butterfly::contiguousDouble):
2103         * runtime/JSArray.cpp:
2104         (JSC::JSArray::setLength):
2105         (JSC::JSArray::pop):
2106         (JSC::JSArray::shiftCountWithAnyIndexingType):
2107         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2108         (JSC::JSArray::fillArgList):
2109         (JSC::JSArray::copyToArguments):
2110         * runtime/JSArrayInlines.h:
2111         (JSC::JSArray::pushInline):
2112         * runtime/JSObject.cpp:
2113         (JSC::JSObject::heapSnapshot):
2114         (JSC::JSObject::createInitialIndexedStorage):
2115         (JSC::JSObject::createArrayStorage):
2116         (JSC::JSObject::convertUndecidedToInt32):
2117         (JSC::JSObject::ensureLengthSlow):
2118         (JSC::JSObject::reallocateAndShrinkButterfly):
2119         (JSC::JSObject::allocateMoreOutOfLineStorage):
2120         * runtime/JSObject.h:
2121         (JSC::JSObject::canGetIndexQuickly):
2122         (JSC::JSObject::getIndexQuickly):
2123         (JSC::JSObject::tryGetIndexQuickly const):
2124         (JSC::JSObject::canSetIndexQuickly):
2125         (JSC::JSObject::butterfly const):
2126         (JSC::JSObject::butterfly):
2127
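Added illustration of the caging tradeoff the entry above describes; this is example code written for this page, not JSC's Gigacage and not code from this ChangeLog. It assumes a single fixed region (`cage_storage`, a constructed 64 KiB buffer) whose size is a power of two, so that forcing a pointer back into the region is a subtract, a mask and an add. The names `caged`, `uncaged`, `inside_cage`, `store_double_caged` and `load_double_caged` are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy cage: one fixed region whose size is a power of two, so bounding a
 * pointer to it is a single AND. Added illustration only; not JSC's Gigacage. */
#define CAGE_SIZE ((uintptr_t)1 << 16)          /* 64 KiB here; real cages are far larger */
static unsigned char cage_storage[CAGE_SIZE];   /* constructed backing store for the demo */

static uintptr_t cage_base(void) { return (uintptr_t)cage_storage; }

/* Caged form of a pointer: cage_base + ((raw - cage_base) mod CAGE_SIZE).
 * Whatever bit pattern 'raw' holds, the result lies inside the region.
 * The subtract/mask/add is the per-access cost that caging pays. */
unsigned char *caged(uintptr_t raw)
{
    uintptr_t offset = (raw - cage_base()) & (CAGE_SIZE - 1);
    return cage_storage + offset;
}

/* Uncaged form: the pointer is trusted as is. No extra instructions, but a
 * corrupted pointer is used wherever it points. */
uintptr_t uncaged(uintptr_t raw) { return raw; }

/* True when 'p' addresses a byte of the cage. */
int inside_cage(uintptr_t p)
{
    return p >= cage_base() && p < cage_base() + CAGE_SIZE;
}

/* Double store/load through a caged slot. memcpy keeps the toy free of
 * alignment assumptions; the address, not the value, is what caging bounds. */
void store_double_caged(uintptr_t raw_slot, double v)
{
    memcpy(caged(raw_slot), &v, sizeof v);
}

double load_double_caged(uintptr_t raw_slot)
{
    double v;
    memcpy(&v, caged(raw_slot), sizeof v);
    return v;
}

int main(void)
{
    uintptr_t bad_slot = cage_base() + CAGE_SIZE + 16;  /* just past the region */
    printf("uncaged slot inside cage: %d\n", inside_cage(uncaged(bad_slot)));          /* 0 */
    printf("caged   slot inside cage: %d\n", inside_cage((uintptr_t)caged(bad_slot))); /* 1 */
    store_double_caged(bad_slot, 2.5);
    printf("value landed at offset 16: %g\n", load_double_caged(cage_base() + 16));    /* 2.5 */
    return 0;
}
```

The case worth watching is the wraparound: a slot address just past the end of the region lands back inside it when caged, while the uncaged form is used as is. That masking is the cost the entry removes from the other butterfly accesses, and the bound it keeps for double loads/stores, which the entry singles out because they can write arbitrary bit patterns.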
2128 2017-11-07  Mark Lam  <mark.lam@apple.com>
2129
2130         Introduce a default RegisterSet constructor so that we can use { } notation.
2131         https://bugs.webkit.org/show_bug.cgi?id=179389
2132
2133         Reviewed by Saam Barati.
2134
2135         I also replaced uses of "RegisterSet()" with "{ }" where the use of "RegisterSet()"
2136         does not add any code documentation value.
2137
2138         * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
2139         * b3/air/AirCode.cpp:
2140         (JSC::B3::Air::Code::setRegsInPriorityOrder):
2141         * b3/air/AirPrintSpecial.cpp:
2142         (JSC::B3::Air::PrintSpecial::extraEarlyClobberedRegs):
2143         (JSC::B3::Air::PrintSpecial::extraClobberedRegs):
2144         * b3/air/testair.cpp:
2145         * bytecode/PolymorphicAccess.h:
2146         (JSC::AccessGenerationState::preserveLiveRegistersToStackForCall):
2147         (JSC::AccessGenerationState::restoreLiveRegistersFromStackForCall):
2148         * dfg/DFGJITCode.cpp:
2149         (JSC::DFG::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
2150         * ftl/FTLJITCode.cpp:
2151         (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
2152         * jit/JITCode.cpp:
2153         (JSC::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
2154         * jit/RegisterSet.cpp:
2155         (JSC::RegisterSet::reservedHardwareRegisters):
2156         (JSC::RegisterSet::runtimeRegisters):
2157         (JSC::RegisterSet::macroScratchRegisters):
2158         * jit/RegisterSet.h:
2159         (JSC::RegisterSet::RegisterSet):
2160         * wasm/WasmB3IRGenerator.cpp:
2161         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
2162
2163 2017-11-07  Mark Lam  <mark.lam@apple.com>
2164
2165         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
2166         https://bugs.webkit.org/show_bug.cgi?id=179355
2167         <rdar://problem/35263053>
2168
2169         Reviewed by Saam Barati.
2170
2171         In the Transition case in AccessCase::generateImpl(), we were restoring registers
2172         using restoreLiveRegistersFromStackForCall() without excluding the scratchGPR
2173         where we previously stashed the reallocated butterfly.  If the generated code is
2174         under heavy register pressure, scratchGPR could have been from the set of preserved
2175         registers, and hence, would be restored by restoreLiveRegistersFromStackForCall().
2176         As a result, the restoration would trash the butterfly result we stored there.
2177         This patch fixes the issue by excluding the scratchGPR in the restoration.
2178
2179         * bytecode/AccessCase.cpp:
2180         (JSC::AccessCase::generateImpl):
2181
2182 2017-11-06  Robin Morisset  <rmorisset@apple.com>
2183
2184         CodeBlock::usesOpcode() is dead code
2185         https://bugs.webkit.org/show_bug.cgi?id=179316
2186
2187         Reviewed by Yusuke Suzuki.
2188
2189         Remove CodeBlock::usesOpcode, which is dead code.
2190
2191         * bytecode/CodeBlock.cpp:
2192         * bytecode/CodeBlock.h:
2193
2194 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2195
2196         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
2197         https://bugs.webkit.org/show_bug.cgi?id=144458
2198
2199         Reviewed by Saam Barati.
2200
2201         Previously only JSFunction is handled by CallLinkInfo's caching mechanism. This means that
2202         InternalFunction calls are not cached and they always go to the slow path. This is not good because
2203
2204         1. We need to query getCallData/getConstructData every time in the slow path.
2205         2. CallLinkInfo tells nothing in the higher tier JITs.
2206
2207         This patch starts handling InternalFunction in CallLinkInfo's caching mechanism. We change InternalFunction
2208         to hold pointers to the functions for call and construct. We have new stubs that can call/construct
2209         InternalFunction. And we return this code pointer as the result of the setup call to use the CallLinkInfo mechanism.
2210
2211         This patch is critical to optimizing derived Array construction[1] since it starts using CallLinkInfo
2212         for InternalFunction. Previously we did not record any information to CallLinkInfo. Except for the
2213         case that DFGByteCodeParser figures out InternalFunction constant, we cannot attempt to emit DFG
2214         nodes for these InternalFunctions since CallLinkInfo tells us nothing.
2215
2216         Attached microbenchmarks show performance improvement.
2217
2218                                                            baseline                  patched
2219
2220         dfg-internal-function-construct                 1.6439+-0.0826     ^      1.2829+-0.0727        ^ definitely 1.2813x faster
2221         dfg-internal-function-not-handled-construct     2.1862+-0.1361            2.0696+-0.1201          might be 1.0564x faster
2222         dfg-internal-function-not-handled-call         20.7592+-0.9085           19.7369+-0.7921          might be 1.0518x faster
2223         dfg-internal-function-call                      1.6856+-0.0967     ^      1.2771+-0.0744        ^ definitely 1.3198x faster
2224
2225         [1]: https://bugs.webkit.org/show_bug.cgi?id=178064
2226
2227         * API/JSCallbackFunction.cpp:
2228         (JSC::JSCallbackFunction::JSCallbackFunction):
2229         (JSC::JSCallbackFunction::getCallData): Deleted.
2230         * API/JSCallbackFunction.h:
2231         (JSC::JSCallbackFunction::createStructure):
2232         * API/ObjCCallbackFunction.h:
2233         (JSC::ObjCCallbackFunction::createStructure):
2234         * API/ObjCCallbackFunction.mm:
2235         (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
2236         (JSC::ObjCCallbackFunction::getCallData): Deleted.
2237         (JSC::ObjCCallbackFunction::getConstructData): Deleted.
2238         * bytecode/BytecodeDumper.cpp:
2239         (JSC::BytecodeDumper<Block>::printCallOp):
2240         * bytecode/BytecodeList.json:
2241         * bytecode/CallLinkInfo.cpp:
2242         (JSC::CallLinkInfo::setCallee):
2243         (JSC::CallLinkInfo::callee):
2244         (JSC::CallLinkInfo::setLastSeenCallee):
2245         (JSC::CallLinkInfo::lastSeenCallee):
2246         (JSC::CallLinkInfo::visitWeak):
2247         * bytecode/CallLinkInfo.h:
2248         * bytecode/CallLinkStatus.cpp:
2249         (JSC::CallLinkStatus::computeFromCallLinkInfo):
2250         * bytecode/LLIntCallLinkInfo.h:
2251         * jit/JITOperations.cpp:
2252         * jit/JITThunks.cpp:
2253         (JSC::JITThunks::ctiInternalFunctionCall):
2254         (JSC::JITThunks::ctiInternalFunctionConstruct):
2255         * jit/JITThunks.h:
2256         * jit/Repatch.cpp:
2257         (JSC::linkFor):
2258         (JSC::linkPolymorphicCall):
2259         * jit/Repatch.h:
2260         * jit/ThunkGenerators.cpp:
2261         (JSC::virtualThunkFor):
2262         (JSC::nativeForGenerator):
2263         (JSC::nativeCallGenerator):
2264         (JSC::nativeTailCallGenerator):
2265         (JSC::nativeTailCallWithoutSavedTagsGenerator):
2266         (JSC::nativeConstructGenerator):
2267         (JSC::internalFunctionCallGenerator):
2268         (JSC::internalFunctionConstructGenerator):
2269         * jit/ThunkGenerators.h:
2270         * llint/LLIntSlowPaths.cpp:
2271         (JSC::LLInt::setUpCall):
2272         * llint/LowLevelInterpreter.asm:
2273         * llint/LowLevelInterpreter32_64.asm:
2274         * llint/LowLevelInterpreter64.asm:
2275         * runtime/ArrayConstructor.cpp:
2276         (JSC::ArrayConstructor::ArrayConstructor):
2277         (JSC::ArrayConstructor::getConstructData): Deleted.
2278         (JSC::ArrayConstructor::getCallData): Deleted.
2279         * runtime/ArrayConstructor.h:
2280         (JSC::ArrayConstructor::createStructure):
2281         * runtime/AsyncFunctionConstructor.cpp:
2282         (JSC::AsyncFunctionConstructor::AsyncFunctionConstructor):
2283         (JSC::AsyncFunctionConstructor::finishCreation):
2284         (JSC::AsyncFunctionConstructor::getCallData): Deleted.
2285         (JSC::AsyncFunctionConstructor::getConstructData): Deleted.
2286         * runtime/AsyncFunctionConstructor.h:
2287         (JSC::AsyncFunctionConstructor::createStructure):
2288         * runtime/AsyncGeneratorFunctionConstructor.cpp:
2289         (JSC::AsyncGeneratorFunctionConstructor::AsyncGeneratorFunctionConstructor):
2290         (JSC::AsyncGeneratorFunctionConstructor::finishCreation):
2291         (JSC::AsyncGeneratorFunctionConstructor::getCallData): Deleted.
2292         (JSC::AsyncGeneratorFunctionConstructor::getConstructData): Deleted.
2293         * runtime/AsyncGeneratorFunctionConstructor.h:
2294         (JSC::AsyncGeneratorFunctionConstructor::createStructure):
2295         * runtime/BooleanConstructor.cpp:
2296         (JSC::callBooleanConstructor):
2297         (JSC::BooleanConstructor::BooleanConstructor):
2298         (JSC::BooleanConstructor::finishCreation):
2299         (JSC::BooleanConstructor::getConstructData): Deleted.
2300         (JSC::BooleanConstructor::getCallData): Deleted.
2301         * runtime/BooleanConstructor.h:
2302         (JSC::BooleanConstructor::createStructure):
2303         * runtime/DateConstructor.cpp:
2304         (JSC::DateConstructor::DateConstructor):
2305         (JSC::DateConstructor::getConstructData): Deleted.
2306         (JSC::DateConstructor::getCallData): Deleted.
2307         * runtime/DateConstructor.h:
2308         (JSC::DateConstructor::createStructure):
2309         * runtime/Error.h:
2310         (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
2311         (JSC::StrictModeTypeErrorFunction::createStructure):
2312         (JSC::StrictModeTypeErrorFunction::getConstructData): Deleted.
2313         (JSC::StrictModeTypeErrorFunction::getCallData): Deleted.
2314         * runtime/ErrorConstructor.cpp:
2315         (JSC::ErrorConstructor::ErrorConstructor):
2316         (JSC::ErrorConstructor::getConstructData): Deleted.
2317         (JSC::ErrorConstructor::getCallData): Deleted.
2318         * runtime/ErrorConstructor.h:
2319         (JSC::ErrorConstructor::createStructure):
2320         * runtime/FunctionConstructor.cpp:
2321         (JSC::FunctionConstructor::FunctionConstructor):
2322         (JSC::FunctionConstructor::finishCreation):
2323         (JSC::FunctionConstructor::getConstructData): Deleted.
2324         (JSC::FunctionConstructor::getCallData): Deleted.
2325         * runtime/FunctionConstructor.h:
2326         (JSC::FunctionConstructor::createStructure):
2327         * runtime/FunctionPrototype.cpp:
2328         (JSC::callFunctionPrototype):
2329         (JSC::FunctionPrototype::FunctionPrototype):
2330         (JSC::FunctionPrototype::getCallData): Deleted.
2331         * runtime/FunctionPrototype.h:
2332         (JSC::FunctionPrototype::createStructure):
2333         * runtime/GeneratorFunctionConstructor.cpp:
2334         (JSC::GeneratorFunctionConstructor::GeneratorFunctionConstructor):
2335         (JSC::GeneratorFunctionConstructor::finishCreation):
2336         (JSC::GeneratorFunctionConstructor::getCallData): Deleted.
2337         (JSC::GeneratorFunctionConstructor::getConstructData): Deleted.
2338         * runtime/GeneratorFunctionConstructor.h:
2339         (JSC::GeneratorFunctionConstructor::createStructure):
2340         * runtime/InternalFunction.cpp:
2341         (JSC::InternalFunction::InternalFunction):
2342         (JSC::InternalFunction::finishCreation):
2343         (JSC::InternalFunction::getCallData):
2344         (JSC::InternalFunction::getConstructData):
2345         * runtime/InternalFunction.h:
2346         (JSC::InternalFunction::createStructure):
2347         (JSC::InternalFunction::nativeFunctionFor):
2348         (JSC::InternalFunction::offsetOfNativeFunctionFor):
2349         * runtime/IntlCollatorConstructor.cpp:
2350         (JSC::IntlCollatorConstructor::createStructure):
2351         (JSC::IntlCollatorConstructor::IntlCollatorConstructor):
2352         (JSC::IntlCollatorConstructor::getConstructData): Deleted.
2353         (JSC::IntlCollatorConstructor::getCallData): Deleted.
2354         * runtime/IntlCollatorConstructor.h:
2355         * runtime/IntlDateTimeFormatConstructor.cpp:
2356         (JSC::IntlDateTimeFormatConstructor::createStructure):
2357         (JSC::IntlDateTimeFormatConstructor::IntlDateTimeFormatConstructor):
2358         (JSC::IntlDateTimeFormatConstructor::getConstructData): Deleted.
2359         (JSC::IntlDateTimeFormatConstructor::getCallData): Deleted.
2360         * runtime/IntlDateTimeFormatConstructor.h:
2361         * runtime/IntlNumberFormatConstructor.cpp:
2362         (JSC::IntlNumberFormatConstructor::createStructure):
2363         (JSC::IntlNumberFormatConstructor::IntlNumberFormatConstructor):
2364         (JSC::IntlNumberFormatConstructor::getConstructData): Deleted.
2365         (JSC::IntlNumberFormatConstructor::getCallData): Deleted.
2366         * runtime/IntlNumberFormatConstructor.h:
2367         * runtime/JSArrayBufferConstructor.cpp:
2368         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
2369         (JSC::JSArrayBufferConstructor::createStructure):
2370         (JSC::JSArrayBufferConstructor::getConstructData): Deleted.
2371         (JSC::JSArrayBufferConstructor::getCallData): Deleted.
2372         * runtime/JSArrayBufferConstructor.h:
2373         * runtime/JSGenericTypedArrayViewConstructor.h:
2374         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2375         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::JSGenericTypedArrayViewConstructor):
2376         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::createStructure):
2377         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getConstructData): Deleted.
2378         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData): Deleted.
2379         * runtime/JSInternalPromiseConstructor.cpp:
2380         (JSC::JSInternalPromiseConstructor::createStructure):
2381         (JSC::JSInternalPromiseConstructor::JSInternalPromiseConstructor):
2382         (JSC::JSInternalPromiseConstructor::getConstructData): Deleted.
2383         (JSC::JSInternalPromiseConstructor::getCallData): Deleted.
2384         * runtime/JSInternalPromiseConstructor.h:
2385         * runtime/JSPromiseConstructor.cpp:
2386         (JSC::JSPromiseConstructor::createStructure):
2387         (JSC::JSPromiseConstructor::JSPromiseConstructor):
2388         (JSC::JSPromiseConstructor::getConstructData): Deleted.
2389         (JSC::JSPromiseConstructor::getCallData): Deleted.
2390         * runtime/JSPromiseConstructor.h:
2391         * runtime/JSType.h:
2392         * runtime/JSTypedArrayViewConstructor.cpp:
2393         (JSC::JSTypedArrayViewConstructor::JSTypedArrayViewConstructor):
2394         (JSC::JSTypedArrayViewConstructor::createStructure):
2395         (JSC::JSTypedArrayViewConstructor::getConstructData): Deleted.
2396         (JSC::JSTypedArrayViewConstructor::getCallData): Deleted.
2397         * runtime/JSTypedArrayViewConstructor.h:
2398         * runtime/MapConstructor.cpp:
2399         (JSC::MapConstructor::MapConstructor):
2400         (JSC::MapConstructor::getConstructData): Deleted.
2401         (JSC::MapConstructor::getCallData): Deleted.
2402         * runtime/MapConstructor.h:
2403         (JSC::MapConstructor::createStructure):
2404         (JSC::MapConstructor::MapConstructor): Deleted.
2405         * runtime/NativeErrorConstructor.cpp:
2406         (JSC::NativeErrorConstructor::NativeErrorConstructor):
2407         (JSC::NativeErrorConstructor::getConstructData): Deleted.
2408         (JSC::NativeErrorConstructor::getCallData): Deleted.
2409         * runtime/NativeErrorConstructor.h:
2410         (JSC::NativeErrorConstructor::createStructure):
2411         * runtime/NullGetterFunction.cpp:
2412         (JSC::NullGetterFunction::NullGetterFunction):
2413         (JSC::NullGetterFunction::getCallData): Deleted.
2414         (JSC::NullGetterFunction::getConstructData): Deleted.
2415         * runtime/NullGetterFunction.h:
2416         (JSC::NullGetterFunction::createStructure):
2417         (JSC::NullGetterFunction::NullGetterFunction): Deleted.
2418         * runtime/NullSetterFunction.cpp:
2419         (JSC::NullSetterFunction::NullSetterFunction):
2420         (JSC::NullSetterFunction::getCallData): Deleted.
2421         (JSC::NullSetterFunction::getConstructData): Deleted.
2422         * runtime/NullSetterFunction.h:
2423         (JSC::NullSetterFunction::createStructure):
2424         (JSC::NullSetterFunction::NullSetterFunction): Deleted.
2425         * runtime/NumberConstructor.cpp:
2426         (JSC::NumberConstructor::NumberConstructor):
2427         (JSC::constructNumberConstructor):
2428         (JSC::constructWithNumberConstructor): Deleted.
2429         (JSC::NumberConstructor::getConstructData): Deleted.
2430         (JSC::NumberConstructor::getCallData): Deleted.
2431         * runtime/NumberConstructor.h:
2432         (JSC::NumberConstructor::createStructure):
2433         * runtime/ObjectConstructor.cpp:
2434         (JSC::ObjectConstructor::ObjectConstructor):
2435         (JSC::ObjectConstructor::getConstructData): Deleted.
2436         (JSC::ObjectConstructor::getCallData): Deleted.
2437         * runtime/ObjectConstructor.h:
2438         (JSC::ObjectConstructor::createStructure):
2439         * runtime/ProxyConstructor.cpp:
2440         (JSC::ProxyConstructor::ProxyConstructor):
2441         (JSC::ProxyConstructor::getConstructData): Deleted.
2442         (JSC::ProxyConstructor::getCallData): Deleted.
2443         * runtime/ProxyConstructor.h:
2444         (JSC::ProxyConstructor::createStructure):
2445         * runtime/ProxyRevoke.cpp:
2446         (JSC::ProxyRevoke::ProxyRevoke):
2447         (JSC::ProxyRevoke::getCallData): Deleted.
2448         * runtime/ProxyRevoke.h:
2449         (JSC::ProxyRevoke::createStructure):
2450         * runtime/RegExpConstructor.cpp:
2451         (JSC::RegExpConstructor::RegExpConstructor):
2452         (JSC::RegExpConstructor::getConstructData): Deleted.
2453         (JSC::RegExpConstructor::getCallData): Deleted.
2454         * runtime/RegExpConstructor.h:
2455         (JSC::RegExpConstructor::createStructure):
2456         * runtime/SetConstructor.cpp:
2457         (JSC::SetConstructor::SetConstructor):
2458         (JSC::SetConstructor::getConstructData): Deleted.
2459         (JSC::SetConstructor::getCallData): Deleted.
2460         * runtime/SetConstructor.h:
2461         (JSC::SetConstructor::createStructure):
2462         (JSC::SetConstructor::SetConstructor): Deleted.
2463         * runtime/StringConstructor.cpp:
2464         (JSC::StringConstructor::StringConstructor):
2465         (JSC::StringConstructor::getConstructData): Deleted.
2466         (JSC::StringConstructor::getCallData): Deleted.
2467         * runtime/StringConstructor.h:
2468         (JSC::StringConstructor::createStructure):
2469         * runtime/SymbolConstructor.cpp:
2470         (JSC::SymbolConstructor::SymbolConstructor):
2471         (JSC::SymbolConstructor::getConstructData): Deleted.
2472         (JSC::SymbolConstructor::getCallData): Deleted.
2473         * runtime/SymbolConstructor.h:
2474         (JSC::SymbolConstructor::createStructure):
2475         * runtime/VM.cpp:
2476         (JSC::VM::VM):
2477         (JSC::VM::getCTIInternalFunctionTrampolineFor):
2478         * runtime/VM.h:
2479         * runtime/WeakMapConstructor.cpp:
2480         (JSC::WeakMapConstructor::WeakMapConstructor):
2481         (JSC::WeakMapConstructor::getConstructData): Deleted.
2482         (JSC::WeakMapConstructor::getCallData): Deleted.
2483         * runtime/WeakMapConstructor.h:
2484         (JSC::WeakMapConstructor::createStructure):
2485         (JSC::WeakMapConstructor::WeakMapConstructor): Deleted.
2486         * runtime/WeakSetConstructor.cpp:
2487         (JSC::WeakSetConstructor::WeakSetConstructor):
2488         (JSC::WeakSetConstructor::getConstructData): Deleted.
2489         (JSC::WeakSetConstructor::getCallData): Deleted.
2490         * runtime/WeakSetConstructor.h:
2491         (JSC::WeakSetConstructor::createStructure):
2492         (JSC::WeakSetConstructor::WeakSetConstructor): Deleted.
2493         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
2494         (JSC::WebAssemblyCompileErrorConstructor::createStructure):
2495         (JSC::WebAssemblyCompileErrorConstructor::WebAssemblyCompileErrorConstructor):
2496         (JSC::WebAssemblyCompileErrorConstructor::getConstructData): Deleted.
2497         (JSC::WebAssemblyCompileErrorConstructor::getCallData): Deleted.
2498         * wasm/js/WebAssemblyCompileErrorConstructor.h:
2499         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2500         (JSC::WebAssemblyInstanceConstructor::createStructure):
2501         (JSC::WebAssemblyInstanceConstructor::WebAssemblyInstanceConstructor):
2502         (JSC::WebAssemblyInstanceConstructor::getConstructData): Deleted.
2503         (JSC::WebAssemblyInstanceConstructor::getCallData): Deleted.
2504         * wasm/js/WebAssemblyInstanceConstructor.h:
2505         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
2506         (JSC::WebAssemblyLinkErrorConstructor::createStructure):
2507         (JSC::WebAssemblyLinkErrorConstructor::WebAssemblyLinkErrorConstructor):
2508         (JSC::WebAssemblyLinkErrorConstructor::getConstructData): Deleted.
2509         (JSC::WebAssemblyLinkErrorConstructor::getCallData): Deleted.
2510         * wasm/js/WebAssemblyLinkErrorConstructor.h:
2511         * wasm/js/WebAssemblyMemoryConstructor.cpp:
2512         (JSC::WebAssemblyMemoryConstructor::createStructure):
2513         (JSC::WebAssemblyMemoryConstructor::WebAssemblyMemoryConstructor):
2514         (JSC::WebAssemblyMemoryConstructor::getConstructData): Deleted.
2515         (JSC::WebAssemblyMemoryConstructor::getCallData): Deleted.
2516         * wasm/js/WebAssemblyMemoryConstructor.h:
2517         * wasm/js/WebAssemblyModuleConstructor.cpp:
2518         (JSC::WebAssemblyModuleConstructor::createStructure):
2519         (JSC::WebAssemblyModuleConstructor::WebAssemblyModuleConstructor):
2520         (JSC::WebAssemblyModuleConstructor::getConstructData): Deleted.
2521         (JSC::WebAssemblyModuleConstructor::getCallData): Deleted.
2522         * wasm/js/WebAssemblyModuleConstructor.h:
2523         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
2524         (JSC::WebAssemblyRuntimeErrorConstructor::createStructure):
2525         (JSC::WebAssemblyRuntimeErrorConstructor::WebAssemblyRuntimeErrorConstructor):
2526         (JSC::WebAssemblyRuntimeErrorConstructor::getConstructData): Deleted.
2527         (JSC::WebAssemblyRuntimeErrorConstructor::getCallData): Deleted.
2528         * wasm/js/WebAssemblyRuntimeErrorConstructor.h:
2529         * wasm/js/WebAssemblyTableConstructor.cpp:
2530         (JSC::WebAssemblyTableConstructor::createStructure):
2531         (JSC::WebAssemblyTableConstructor::WebAssemblyTableConstructor):
2532         (JSC::WebAssemblyTableConstructor::getConstructData): Deleted.
2533         (JSC::WebAssemblyTableConstructor::getCallData): Deleted.
2534         * wasm/js/WebAssemblyTableConstructor.h:
2535
2536 2017-11-03  Michael Saboff  <msaboff@apple.com>
2537
2538         The Abstract Interpreter needs to change similar to clobberize() in r224366
2539         https://bugs.webkit.org/show_bug.cgi?id=179267
2540
2541         Reviewed by Saam Barati.
2542
2543         Add clobberWorld() to HasGenericProperty, HasStructureProperty & GetPropertyEnumerator
2544         cases in the abstract interpreter to match what was done for r224366.
2545
2546         * dfg/DFGAbstractInterpreterInlines.h:
2547         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2548
2549 2017-11-03  Keith Miller  <keith_miller@apple.com>
2550
2551         PutPropertySlot should inform the IC about the property before effects.
2552         https://bugs.webkit.org/show_bug.cgi?id=179262
2553
2554         Reviewed by Mark Lam.
2555
2556         This patch fixes an issue where we choose to cache setters based on
2557         incorrect information. If we did so we might end up OSR exiting
2558         more than we would otherwise need to. The new model is that the
2559         PutPropertySlot should inform the IC of what the property looked
2560         like before any potential side effects might have occurred.
2561
2562         * runtime/JSObject.cpp:
2563         (JSC::JSObject::putInlineSlow):
2564         * runtime/Lookup.h:
2565         (JSC::putEntry):
2566
2567 2017-11-03  Mark Lam  <mark.lam@apple.com>
2568
2569         CachedCall (and its clients) needs overflow checks.
2570         https://bugs.webkit.org/show_bug.cgi?id=179185
2571
2572         Reviewed by JF Bastien.
2573
2574         * interpreter/CachedCall.h:
2575         (JSC::CachedCall::CachedCall):
2576         (JSC::CachedCall::hasOverflowedArguments):
2577         * runtime/ArgList.h:
2578         (JSC::MarkedArgumentBuffer::clear):
2579         * runtime/StringPrototype.cpp:
2580         (JSC::replaceUsingRegExpSearch):
2581
2582 2017-11-03  Devin Rousso  <webkit@devinrousso.com>
2583
2584         Web Inspector: Canvas2D Profiling: highlight expensive context commands in the captured command log
2585         https://bugs.webkit.org/show_bug.cgi?id=178302
2586         <rdar://problem/33158849>
2587
2588         Reviewed by Brian Burg.
2589
2590         * inspector/protocol/Recording.json:
2591         Add `duration` to each Frame that represents the total time of all the recorded actions.
2592
2593 2017-11-02  Devin Rousso  <webkit@devinrousso.com>
2594
2595         Web Inspector: Canvas Tab: show supported GL extensions for selected canvas
2596         https://bugs.webkit.org/show_bug.cgi?id=179070
2597         <rdar://problem/35278276>
2598
2599         Reviewed by Brian Burg.
2600
2601         * inspector/protocol/Canvas.json:
2602         Add `extensionEnabled` event that is fired each time `getExtension` is called with a
2603         different string on a WebGL context.
2604
2605 2017-11-02  Joseph Pecoraro  <pecoraro@apple.com>
2606
2607         Make ServiceWorker a Remote Inspector debuggable target
2608         https://bugs.webkit.org/show_bug.cgi?id=179043
2609         <rdar://problem/34126008>
2610
2611         Reviewed by Brian Burg.
2612
2613         * inspector/remote/RemoteControllableTarget.h:
2614         * inspector/remote/RemoteInspectionTarget.h:
2615         * inspector/remote/RemoteInspectorConstants.h:
2616         Include a new ServiceWorker remote inspector target type.
2617
2618         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
2619         (Inspector::RemoteInspector::listingForInspectionTarget const):
2620         Implement listing for a ServiceWorker to include a URL like a page.
2621
2622         * inspector/remote/glib/RemoteInspectorGlib.cpp:
2623         (Inspector::RemoteInspector::listingForInspectionTarget const):
2624         Bail for ServiceWorker support in glib. They will need to implement their support.
2625
2626 2017-11-02  Michael Saboff  <msaboff@apple.com>
2627
2628         DFG needs to handle code motion of code in for..in loop bodies
2629         https://bugs.webkit.org/show_bug.cgi?id=179212
2630
2631         Reviewed by Keith Miller.
2632
2633         The processing of the DFG nodes HasGenericProperty, HasStructureProperty & GetPropertyEnumerator
2634         makes calls with side effects.  Updated clobberize() for those nodes to take that into account.
2635
2636         * dfg/DFGClobberize.h:
2637         (JSC::DFG::clobberize):
2638
2639 2017-11-02  Joseph Pecoraro  <pecoraro@apple.com>
2640
2641         Inspector should display service worker served responses properly
2642         https://bugs.webkit.org/show_bug.cgi?id=178597
2643         <rdar://problem/35186111>
2644
2645         Reviewed by Brian Burg.
2646
2647         * inspector/protocol/Network.json:
2648         Expose a new "service-worker" response source.
2649
2650 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
2651
2652         AI does not correctly model the clobber case of ArithClz32
2653         https://bugs.webkit.org/show_bug.cgi?id=179188
2654
2655         Reviewed by Michael Saboff.
2656
2657         The non-Int32 case clobbers the world because it may call valueOf.
2658
2659         * dfg/DFGAbstractInterpreterInlines.h:
2660         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2661
2662 2017-11-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2663
2664         Unreviewed, release throw scope
2665         https://bugs.webkit.org/show_bug.cgi?id=178726
2666
2667         * dfg/DFGOperations.cpp:
2668
2669 2017-11-02  Frederic Wang  <fwang@igalia.com>
2670
2671         Add references to bug 179167 in FIXME comments
2672         https://bugs.webkit.org/show_bug.cgi?id=179168
2673
2674         Reviewed by Daniel Bates.
2675
2676         * Configurations/FeatureDefines.xcconfig:
2677
2678 2017-11-01  Jeremy Jones  <jeremyj@apple.com>
2679
2680         Implement WKFullscreenWindowController for iOS.
2681         https://bugs.webkit.org/show_bug.cgi?id=178924
2682         rdar://problem/34697120
2683
2684         Reviewed by Simon Fraser.
2685
2686         Enable ENABLE_FULLSCREEN_API for iOS.
2687
2688         * Configurations/FeatureDefines.xcconfig:
2689
2690 2017-11-01  Mark Lam  <mark.lam@apple.com>
2691
2692         Add support to throw OOM if MarkedArgumentBuffer may overflow.
2693         https://bugs.webkit.org/show_bug.cgi?id=179092
2694         <rdar://problem/35116160>
2695
2696         Reviewed by Saam Barati.
2697
2698         The test for overflowing a MarkedArgumentBuffer will run for a ridiculously long
2699         time, which renders it unsuitable for automated tests.  Instead, I've run a
2700         test manually to verify that an OutOfMemoryError will be thrown when an overflow
2701         occurs.
2702
2703         The MarkedArgumentBuffer's destructor will now assert that the client has indeed
2704         checked for an overflow after invoking methods that may result in an overflow, i.e.
2705         the destructor checks that MarkedArgumentBuffer::hasOverflowed() has been called.
2706         This is only done on debug builds.
2707
2708         * API/JSObjectRef.cpp:
2709         (JSObjectMakeFunction):
2710         (JSObjectMakeArray):
2711         (JSObjectMakeDate):
2712         (JSObjectMakeRegExp):
2713         (JSObjectCallAsFunction):
2714         (JSObjectCallAsConstructor):
2715         * dfg/DFGOperations.cpp:
2716         * inspector/InjectedScriptManager.cpp:
2717         (Inspector::InjectedScriptManager::createInjectedScript):
2718         * inspector/JSJavaScriptCallFrame.cpp:
2719         (Inspector::JSJavaScriptCallFrame::scopeChain const):
2720         * interpreter/Interpreter.cpp:
2721         (JSC::Interpreter::executeProgram):
2722         * jsc.cpp:
2723         (functionDollarAgentReceiveBroadcast):
2724         * runtime/ArgList.cpp:
2725         (JSC::MarkedArgumentBuffer::slowEnsureCapacity):
2726         (JSC::MarkedArgumentBuffer::expandCapacity):
2727         (JSC::MarkedArgumentBuffer::slowAppend):
2728         * runtime/ArgList.h:
2729         (JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer):
2730         (JSC::MarkedArgumentBuffer::appendWithAction):
2731         (JSC::MarkedArgumentBuffer::append):
2732         (JSC::MarkedArgumentBuffer::appendWithCrashOnOverflow):
2733         (JSC::MarkedArgumentBuffer::hasOverflowed):
2734         (JSC::MarkedArgumentBuffer::setNeedsOverflowCheck):
2735         (JSC::MarkedArgumentBuffer::clearNeedsOverflowCheck):
2736         * runtime/ArrayPrototype.cpp:
2737         * runtime/CommonSlowPaths.cpp:
2738         (JSC::SLOW_PATH_DECL):
2739         * runtime/GetterSetter.cpp:
2740         (JSC::callSetter):
2741         * runtime/IteratorOperations.cpp:
2742         (JSC::iteratorNext):
2743         (JSC::iteratorClose):
2744         * runtime/JSBoundFunction.cpp:
2745         (JSC::boundThisNoArgsFunctionCall):
2746         (JSC::boundFunctionCall):
2747         (JSC::boundThisNoArgsFunctionConstruct):
2748         (JSC::boundFunctionConstruct):
2749         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2750         (JSC::constructGenericTypedArrayViewFromIterator):
2751         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2752         (JSC::genericTypedArrayViewProtoFuncSlice):
2753         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
2754         * runtime/JSGlobalObject.cpp:
2755         (JSC::JSGlobalObject::haveABadTime):
2756         * runtime/JSInternalPromise.cpp:
2757         (JSC::JSInternalPromise::then):
2758         * runtime/JSJob.cpp:
2759         (JSC::JSJobMicrotask::run):
2760         * runtime/JSMapIterator.cpp:
2761         (JSC::JSMapIterator::createPair):
2762         * runtime/JSModuleLoader.cpp:
2763         (JSC::JSModuleLoader::provideFetch):
2764         (JSC::JSModuleLoader::loadAndEvaluateModule):
2765         (JSC::JSModuleLoader::loadModule):
2766         (JSC::JSModuleLoader::linkAndEvaluateModule):
2767         (JSC::JSModuleLoader::requestImportModule):
2768         * runtime/JSONObject.cpp:
2769         (JSC::Stringifier::toJSONImpl):
2770         (JSC::Stringifier::appendStringifiedValue):
2771         (JSC::Walker::callReviver):
2772         * runtime/JSObject.cpp:
2773         (JSC::ordinarySetSlow):
2774         (JSC::callToPrimitiveFunction):
2775         (JSC::JSObject::hasInstance):
2776         * runtime/JSPromise.cpp:
2777         (JSC::JSPromise::initialize):
2778         (JSC::JSPromise::resolve):
2779         * runtime/JSPromiseDeferred.cpp:
2780         (JSC::newPromiseCapability):
2781         (JSC::callFunction):
2782         * runtime/JSSetIterator.cpp:
2783         (JSC::JSSetIterator::createPair):
2784         * runtime/LiteralParser.cpp:
2785         (JSC::LiteralParser<CharType>::parse):
2786         * runtime/MapConstructor.cpp:
2787         (JSC::constructMap):
2788         * runtime/ObjectConstructor.cpp:
2789         (JSC::defineProperties):
2790         * runtime/ProxyObject.cpp:
2791         (JSC::performProxyGet):
2792         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2793         (JSC::ProxyObject::performHasProperty):
2794         (JSC::ProxyObject::performPut):
2795         (JSC::performProxyCall):
2796         (JSC::performProxyConstruct):
2797         (JSC::ProxyObject::performDelete):
2798         (JSC::ProxyObject::performPreventExtensions):
2799         (JSC::ProxyObject::performIsExtensible):
2800         (JSC::ProxyObject::performDefineOwnProperty):
2801         (JSC::ProxyObject::performGetOwnPropertyNames):
2802         (JSC::ProxyObject::performSetPrototype):
2803         (JSC::ProxyObject::performGetPrototype):
2804         * runtime/ReflectObject.cpp:
2805         (JSC::reflectObjectConstruct):
2806         * runtime/SetConstructor.cpp:
2807         (JSC::constructSet):
2808         * runtime/StringPrototype.cpp:
2809         (JSC::replaceUsingRegExpSearch):
2810         (JSC::replaceUsingStringSearch):
2811         * runtime/WeakMapConstructor.cpp:
2812         (JSC::constructWeakMap):
2813         * runtime/WeakSetConstructor.cpp:
2814         (JSC::constructWeakSet):
2815         * wasm/js/WasmToJS.cpp:
2816         (JSC::Wasm::wasmToJS):
2817
2818 2017-11-01  Michael Saboff  <msaboff@apple.com>
2819
2820         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
2821         https://bugs.webkit.org/show_bug.cgi?id=179140
2822
2823         Reviewed by Saam Barati.
2824
2825         Added overflow checks to computation of arg count plus this.
2826
2827         * dfg/DFGSpeculativeJIT32_64.cpp:
2828         (JSC::DFG::SpeculativeJIT::compile):
2829         * dfg/DFGSpeculativeJIT64.cpp:
2830         (JSC::DFG::SpeculativeJIT::compile):
2831         * ftl/FTLLowerDFGToB3.cpp:
2832         (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs):
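
The CachedCall, MarkedArgumentBuffer and LoadVarargs entries above all guard argument-count handling against overflow. The following is an added illustration, not JavaScriptCore's code: a small argument buffer that latches an overflow flag instead of growing unboundedly, a debug-build destructor assertion that the client actually called hasOverflowed(), and a checked "argument count plus this" computation. ArgBuffer, kMaxArguments, tryBuildArguments and checkedArgumentCountPlusThis are names assumed for this example.

```cpp
// Added illustration of the overflow-check pattern described in the ChangeLog
// entries above; this is not JavaScriptCore's code. ArgBuffer, kMaxArguments,
// tryBuildArguments and checkedArgumentCountPlusThis are assumed names.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <limits>
#include <optional>
#include <vector>

// Constructed limit for the example. A real engine derives it from the
// stack/heap budget it is willing to spend on one call's arguments.
constexpr std::size_t kMaxArguments = 1u << 16;

class ArgBuffer {
public:
    ArgBuffer() = default;
    ArgBuffer(const ArgBuffer&) = delete;
    ArgBuffer& operator=(const ArgBuffer&) = delete;

    ~ArgBuffer()
    {
        // Debug-build enforcement: if any append could have overflowed, the
        // client must have consulted hasOverflowed() before the buffer dies.
        assert(!m_needsOverflowCheck && "client never called hasOverflowed()");
    }

    // Appends one value. Once the limit is hit the buffer latches the overflow
    // flag and discards its contents; further appends are ignored rather than
    // writing past a fixed-size frame.
    void append(std::int64_t value)
    {
        m_needsOverflowCheck = true;
        if (m_overflowed)
            return;
        if (m_values.size() >= kMaxArguments) {
            m_overflowed = true;
            m_values.clear(); // partial contents must never reach a callee
            return;
        }
        m_values.push_back(value);
    }

    // Clients must call this after appending; it clears the pending-check flag.
    bool hasOverflowed()
    {
        m_needsOverflowCheck = false;
        return m_overflowed;
    }

    std::size_t size() const { return m_values.size(); }

private:
    std::vector<std::int64_t> m_values;
    bool m_overflowed = false;
    bool m_needsOverflowCheck = false;
};

// Checked "argument count plus this". The LoadVarargs entry guards exactly
// this addition; wrapping here would undersize the callee's argument frame.
std::optional<std::uint32_t> checkedArgumentCountPlusThis(std::uint32_t argumentCount)
{
    if (argumentCount == std::numeric_limits<std::uint32_t>::max())
        return std::nullopt;
    return argumentCount + 1;
}

// Simulated client: appends `count` arguments and returns how many were stored,
// or nullopt when the buffer overflowed. On nullopt the caller would throw an
// out-of-memory error instead of passing a truncated argument list.
std::optional<std::size_t> tryBuildArguments(std::size_t count)
{
    ArgBuffer args;
    for (std::size_t i = 0; i < count; ++i)
        args.append(static_cast<std::int64_t>(i));
    if (args.hasOverflowed())
        return std::nullopt;
    return args.size();
}
```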
2833
2834 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2835
2836         Unreviewed, use weakPointer instead of FTLOutput::weakPointer
2837         https://bugs.webkit.org/show_bug.cgi?id=178934
2838
2839         * ftl/FTLLowerDFGToB3.cpp:
2840         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
2841
2842 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2843
2844         [JSC] Introduce @toObject
2845         https://bugs.webkit.org/show_bug.cgi?id=178726
2846
2847         Reviewed by Saam Barati.
2848
2849         This patch introduces the @toObject intrinsic, along with the op_to_object bytecode and the DFG ToObject node.
2850         Previously we emulated @toObject behavior in builtin JS, but that consumes a lot of bytecode even though @toObject
2851         is frequently used and clearly defined in the spec. Furthermore, the emulated @toObject always calls
2852         ObjectConstructor in LLInt and Baseline.
2853
2854         We add a new intrinsic `@toObject(target, "error message")`. It takes an error message string constant to
2855         offer understandable messages in builtin JS. We can change the frequently seen "emulated ToObject" operation
2856
2857             if (this === @undefined || this === null)
2858                 @throwTypeError("error message");
2859             var object = @Object(this);
2860
2861         with
2862
2863             var object = @toObject(this, "error message");
2864
2865         And we handle op_to_object in DFG as a ToObject node. While CallObjectConstructor does not throw an error for null/undefined,
2866         ToObject needs to throw an error for null/undefined. So it is marked as MustGenerate and it clobbers the world.
2867         In the fixup phase, we attempt to convert ToObject to CallObjectConstructor with edge filters to relax its side effect.
2868
2869         It also fixes a bug that the CallObjectConstructor DFG node uses the Node's semantic GlobalObject instead of the function's.
2870
2871         * builtins/ArrayConstructor.js:
2872         (from):
2873         * builtins/ArrayPrototype.js:
2874         (values):
2875         (keys):
2876         (entries):
2877         (reduce):
2878         (reduceRight):
2879         (every):
2880         (forEach):
2881         (filter):
2882         (map):
2883         (some):
2884         (fill):
2885         (find):
2886         (findIndex):
2887         (includes):
2888         (sort):
2889         (globalPrivate.concatSlowPath):
2890         (copyWithin):
2891         * builtins/DatePrototype.js:
2892         (toLocaleString.toDateTimeOptionsAnyAll):
2893         (toLocaleString):
2894         (toLocaleDateString.toDateTimeOptionsDateDate):
2895         (toLocaleDateString):
2896         (toLocaleTimeString.toDateTimeOptionsTimeTime):
2897         (toLocaleTimeString):
2898         * builtins/GlobalOperations.js:
2899         (globalPrivate.copyDataProperties):
2900         (globalPrivate.copyDataPropertiesNoExclusions):
2901         * builtins/ObjectConstructor.js:
2902         (entries):
2903         * builtins/StringConstructor.js:
2904         (raw):
2905         * builtins/TypedArrayConstructor.js:
2906         (from):
2907         * builtins/TypedArrayPrototype.js:
2908         (map):
2909         (filter):
2910         * bytecode/BytecodeDumper.cpp:
2911         (JSC::BytecodeDumper<Block>::dumpBytecode):
2912         * bytecode/BytecodeIntrinsicRegistry.h:
2913         * bytecode/BytecodeList.json:
2914         * bytecode/BytecodeUseDef.h:
2915         (JSC::computeUsesForBytecodeOffset):
2916         (JSC::computeDefsForBytecodeOffset):
2917         * bytecode/CodeBlock.cpp:
2918         (JSC::CodeBlock::finishCreation):
2919         * bytecompiler/BytecodeGenerator.cpp:
2920         (JSC::BytecodeGenerator::emitToObject):
2921         * bytecompiler/BytecodeGenerator.h:
2922         * bytecompiler/NodesCodegen.cpp:
2923         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toObject):
2924         * dfg/DFGAbstractInterpreterInlines.h:
2925         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2926         * dfg/DFGByteCodeParser.cpp:
2927         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2928         (JSC::DFG::ByteCodeParser::parseBlock):
2929         * dfg/DFGCapabilities.cpp:
2930         (JSC::DFG::capabilityLevel):
2931         * dfg/DFGClobberize.h:
2932         (JSC::DFG::clobberize):
2933         * dfg/DFGDoesGC.cpp:
2934         (JSC::DFG::doesGC):
2935         * dfg/DFGFixupPhase.cpp:
2936         (JSC::DFG::FixupPhase::fixupNode):
2937         (JSC::DFG::FixupPhase::fixupToObject):
2938         (JSC::DFG::FixupPhase::fixupCallObjectConstructor):
2939         * dfg/DFGNode.h:
2940         (JSC::DFG::Node::convertToCallObjectConstructor):
2941         (JSC::DFG::Node::convertToNewStringObject):
2942         (JSC::DFG::Node::convertToNewObject):
2943         (JSC::DFG::Node::hasIdentifier):
2944         (JSC::DFG::Node::hasHeapPrediction):
2945         (JSC::DFG::Node::hasCellOperand):
2946         * dfg/DFGNodeType.h:
2947         * dfg/DFGOperations.cpp:
2948         * dfg/DFGOperations.h:
2949         * dfg/DFGPredictionPropagationPhase.cpp:
2950         * dfg/DFGSafeToExecute.h:
2951         (JSC::DFG::safeToExecute):
2952         * dfg/DFGSpeculativeJIT.cpp:
2953         (JSC::DFG::SpeculativeJIT::compileToObjectOrCallObjectConstructor):
2954         (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor): Deleted.
2955         * dfg/DFGSpeculativeJIT.h:
2956         (JSC::DFG::SpeculativeJIT::callOperation):
2957         * dfg/DFGSpeculativeJIT32_64.cpp:
2958         (JSC::DFG::SpeculativeJIT::compile):
2959         * dfg/DFGSpeculativeJIT64.cpp:
2960         (JSC::DFG::SpeculativeJIT::compile):
2961         * ftl/FTLCapabilities.cpp:
2962         (JSC::FTL::canCompile):
2963         * ftl/FTLLowerDFGToB3.cpp:
2964         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2965         (JSC::FTL::DFG::LowerDFGToB3::compileToObjectOrCallObjectConstructor):
2966         (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor): Deleted.
2967         * jit/JIT.cpp:
2968         (JSC::JIT::privateCompileMainPass):
2969         (JSC::JIT::privateCompileSlowCases):
2970         * jit/JIT.h:
2971         * jit/JITOpcodes.cpp:
2972         (JSC::JIT::emit_op_to_object):
2973         (JSC::JIT::emitSlow_op_to_object):
2974         * jit/JITOpcodes32_64.cpp:
2975         (JSC::JIT::emit_op_to_object):
2976         (JSC::JIT::emitSlow_op_to_object):
2977         * jit/JITOperations.cpp:
2978         * jit/JITOperations.h:
2979         * llint/LowLevelInterpreter32_64.asm:
2980         * llint/LowLevelInterpreter64.asm:
2981         * runtime/CommonSlowPaths.cpp:
2982         (JSC::SLOW_PATH_DECL):
2983         * runtime/CommonSlowPaths.h:
2984
2985 2017-11-01  Fujii Hironori  <Hironori.Fujii@sony.com>
2986
2987         Use LazyNeverDestroyed instead of DEFINE_GLOBAL
2988         https://bugs.webkit.org/show_bug.cgi?id=174979
2989
2990         Reviewed by Yusuke Suzuki.
2991
2992         * config.h: Removed definitions of SKIP_STATIC_CONSTRUCTORS_ON_MSVC and SKIP_STATIC_CONSTRUCTORS_ON_GCC.
2993
2994 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2995
2996         [DFG][FTL] Introduce StringSlice
2997         https://bugs.webkit.org/show_bug.cgi?id=178934
2998
2999         Reviewed by Saam Barati.
3000
3001         String.prototype.slice is one of the most frequently called functions in ARES-6/Babylon.
3002         This patch introduces a StringSlice DFG node to optimize it in DFG and FTL.
3003
3004         This patch's StringSlice node optimizes the following things.
3005
3006         1. Empty string generation is accelerated. It is fully executed inline.
3007         2. One-char string generation is accelerated. Only characters `< 0x100` are supported right now.
3008         This is the same as the charAt acceleration.
3009         3. We calculate the start and end index in DFG/FTL with Int32Use information and call an optimized
3010         operation.
3011
3012         We do not inline (3)'s operation right now since we do not have a way to call bmalloc allocation from DFG / FTL.
3013         And we do not optimize String.prototype.{substring,substr} right now. But they can be optimized based on this change
3014         in subsequent changes.
3015
3016         This patch improves ARES-6/Babylon performance by 3% in steady state.
3017
3018         Baseline:
3019             Running... Babylon ( 1  to go)
3020             firstIteration:     50.05 +- 13.68 ms
3021             averageWorstCase:   16.80 +- 1.27 ms
3022             steadyState:        7.53 +- 0.22 ms
3023
3024         Patched:
3025             Running... Babylon ( 1  to go)
3026             firstIteration:     50.91 +- 13.41 ms
3027             averageWorstCase:   16.12 +- 0.99 ms
3028             steadyState:        7.30 +- 0.29 ms
3029
3030         * dfg/DFGAbstractInterpreterInlines.h:
3031         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3032         * dfg/DFGBackwardsPropagationPhase.cpp:
3033         (JSC::DFG::BackwardsPropagationPhase::propagate):
3034         * dfg/DFGByteCodeParser.cpp:
3035         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3036         * dfg/DFGClobberize.h:
3037         (JSC::DFG::clobberize):
3038         * dfg/DFGDoesGC.cpp:
3039         (JSC::DFG::doesGC):
3040         * dfg/DFGFixupPhase.cpp:
3041         (JSC::DFG::FixupPhase::fixupNode):
3042         * dfg/DFGNodeType.h:
3043         * dfg/DFGOperations.cpp:
3044         * dfg/DFGOperations.h:
3045         * dfg/DFGPredictionPropagationPhase.cpp:
3046         * dfg/DFGSafeToExecute.h:
3047         (JSC::DFG::safeToExecute):
3048         * dfg/DFGSpeculativeJIT.cpp:
3049         (JSC::DFG::SpeculativeJIT::compileStringSlice):
3050         (JSC::DFG::SpeculativeJIT::emitPopulateSliceIndex):
3051         (JSC::DFG::SpeculativeJIT::compileArraySlice):
3052         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
3053         * dfg/DFGSpeculativeJIT.h:
3054         (JSC::DFG::SpeculativeJIT::callOperation):
3055         * dfg/DFGSpeculativeJIT32_64.cpp:
3056         (JSC::DFG::SpeculativeJIT::compile):
3057         * dfg/DFGSpeculativeJIT64.cpp:
3058         (JSC::DFG::SpeculativeJIT::compile):
3059         * ftl/FTLCapabilities.cpp:
3060         (JSC::FTL::canCompile):
3061         * ftl/FTLLowerDFGToB3.cpp:
3062         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3063         (JSC::FTL::DFG::LowerDFGToB3::populateSliceRange):
3064         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
3065         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
3066         * jit/JITOperations.h:
3067         * runtime/Intrinsic.cpp:
3068         (JSC::intrinsicName):
3069         * runtime/Intrinsic.h:
3070         * runtime/StringPrototype.cpp:
3071         (JSC::StringPrototype::finishCreation):
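
The three fast paths listed in this entry depend on how slice normalizes its indices. As an added illustration (not JavaScriptCore's code), the following implements String.prototype.slice's index clamping in plain int32 arithmetic and classifies the result into the entry's three cases; SliceRange, populateSliceRange, classifySlice and sliceString are names assumed for this example.

```cpp
// Added illustration, not JavaScriptCore's code: index normalization for
// String.prototype.slice and the three-way fast-path classification described
// in the StringSlice entry. SliceRange, populateSliceRange, classifySlice and
// sliceString are assumed names.
#include <cstddef>
#include <cstdint>
#include <optional>
#include <string>

struct SliceRange {
    std::int32_t start; // inclusive, clamped into [0, length]
    std::int32_t end;   // exclusive, clamped into [start, length]
};

// ECMA-262 slice semantics: a negative index counts back from the end,
// indices are clamped into [0, length], and a missing end means length.
// Everything stays in int32, which is what lets a JIT compute it inline
// once both operands are proven Int32.
SliceRange populateSliceRange(std::int32_t length, std::int32_t start, std::optional<std::int32_t> end)
{
    auto relativeToLength = [length](std::int32_t index) -> std::int32_t {
        if (index < 0)
            return index + length < 0 ? 0 : index + length;
        return index > length ? length : index;
    };
    std::int32_t from = relativeToLength(start);
    std::int32_t to = end ? relativeToLength(*end) : length;
    if (to < from)
        to = from; // yields the empty string rather than a negative span
    return { from, to };
}

enum class SliceKind { Empty, SingleLatin1Char, General };

// Classifies a slice the way the entry's fast paths do. The first two cases
// (empty result, single character below 0x100) can be produced without
// allocating fresh character storage; only the general case copies.
SliceKind classifySlice(const std::u16string& subject, std::int32_t start, std::optional<std::int32_t> end)
{
    SliceRange range = populateSliceRange(static_cast<std::int32_t>(subject.size()), start, end);
    std::int32_t span = range.end - range.start;
    if (span == 0)
        return SliceKind::Empty;
    if (span == 1 && subject[static_cast<std::size_t>(range.start)] < 0x100)
        return SliceKind::SingleLatin1Char;
    return SliceKind::General;
}

// The general case, copying the normalized range. Used here to check that
// populateSliceRange agrees with the spec results.
std::u16string sliceString(const std::u16string& subject, std::int32_t start, std::optional<std::int32_t> end)
{
    SliceRange range = populateSliceRange(static_cast<std::int32_t>(subject.size()), start, end);
    return subject.substr(static_cast<std::size_t>(range.start), static_cast<std::size_t>(range.end - range.start));
}
```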
3072
3073 2017-10-31  JF Bastien  <jfbastien@apple.com>
3074
3075         WebAssembly: Wasm::IndexOrName has a raw pointer to Name
3076         https://bugs.webkit.org/show_bug.cgi?id=176644
3077
3078         Reviewed by Michael Saboff.
3079
3080         IndexOrName now keeps a RefPtr to its original NameSection, which
3081         holds the Name (or references nullptr if Index). Holding onto the
3082         entire section seems like the better thing to do, since backtraces
3083         probably contain multiple names from the same Module.
3084
3085         * JavaScriptCore.xcodeproj/project.pbxproj:
3086         * interpreter/Interpreter.cpp:
3087         (JSC::GetStackTraceFunctor::operator() const):
3088         * interpreter/StackVisitor.h: Frame is no longer POD because of the
3089         RefPtr.
3090         * runtime/StackFrame.cpp:
3091         (JSC::StackFrame::StackFrame):
3092         * runtime/StackFrame.h: Drop the union, size is now 40 bytes.
3093         (JSC::StackFrame::StackFrame): Deleted. Initialized in class instead.
3094         (JSC::StackFrame::wasm): Deleted. Make it a ctor instead.
3095         * wasm/WasmBBQPlanInlines.h:
3096         (JSC::Wasm::BBQPlan::initializeCallees):
3097         * wasm/WasmCallee.cpp:
3098         (JSC::Wasm::Callee::Callee):
3099         * wasm/WasmCallee.h:
3100         (JSC::Wasm::Callee::create):
3101         * wasm/WasmFormat.h: Move NameSection to its own header.
3102         (JSC::Wasm::isValidNameType):
3103         (JSC::Wasm::NameSection::get): Deleted.
3104         * wasm/WasmIndexOrName.cpp:
3105         (JSC::Wasm::IndexOrName::IndexOrName):
3106         (JSC::Wasm::makeString):
3107         * wasm/WasmIndexOrName.h:
3108         (JSC::Wasm::IndexOrName::IndexOrName):
3109         (JSC::Wasm::IndexOrName::isEmpty const):
3110         (JSC::Wasm::IndexOrName::isIndex const):
3111         * wasm/WasmModuleInformation.cpp:
3112         (JSC::Wasm::ModuleInformation::ModuleInformation):
3113         * wasm/WasmModuleInformation.h:
3114         (JSC::Wasm::ModuleInformation::ModuleInformation): Deleted.
3115         * wasm/WasmNameSection.h:
3116         (JSC::Wasm::NameSection::get):
3117         (JSC::Wasm::NameSection::create): Deleted.
3118         * wasm/WasmNameSectionParser.cpp:
3119         (JSC::Wasm::NameSectionParser::parse):
3120         * wasm/WasmNameSectionParser.h:
3121         * wasm/WasmOMGPlan.cpp:
3122         (JSC::Wasm::OMGPlan::work):
3123
3124 2017-10-31  Tim Horton  <timothy_horton@apple.com>
3125
3126         Clean up some drag and drop feature flags
3127         https://bugs.webkit.org/show_bug.cgi?id=179082
3128
3129         Reviewed by Simon Fraser.
3130
3131         * Configurations/FeatureDefines.xcconfig:
3132
3133 2017-10-31  Commit Queue  <commit-queue@webkit.org>
3134
3135         Unreviewed, rolling out r224243, r224246, and r224248.
3136         https://bugs.webkit.org/show_bug.cgi?id=179083
3137
3138         The patch and fix broke the Windows build. (Requested by
3139         mlewis13 on #webkit).
3140
3141         Reverted changesets:
3142
3143         "StructureStubInfo should have GPRReg members not int8_ts"
3144         https://bugs.webkit.org/show_bug.cgi?id=179071
3145         https://trac.webkit.org/changeset/224243
3146
3147         "Make all register enums be backed by uint8_t."
3148         https://bugs.webkit.org/show_bug.cgi?id=179074
3149         https://trac.webkit.org/changeset/224246
3150
3151         "Unreviewed, windows build fix."
3152         https://trac.webkit.org/changeset/224248
3153
3154 2017-10-31  Tim Horton  <timothy_horton@apple.com>
3155
3156         Fix up some content filtering feature flags
3157         https://bugs.webkit.org/show_bug.cgi?id=179079
3158
3159         Reviewed by Simon Fraser.
3160
3161         * Configurations/FeatureDefines.xcconfig:
3162
3163 2017-10-31  Keith Miller  <keith_miller@apple.com>
3164
3165         Unreviewed, windows build fix.
3166
3167         * assembler/X86Assembler.h:
3168         (JSC::X86Assembler::numberOfRegisters):
3169         (JSC::X86Assembler::numberOfSPRegisters):
3170         (JSC::X86Assembler::numberOfFPRegisters):
3171
3172 2017-10-31  Keith Miller  <keith_miller@apple.com>
3173
3174         Make all register enums be backed by uint8_t.
3175         https://bugs.webkit.org/show_bug.cgi?id=179074
3176
3177         Reviewed by Mark Lam.
3178
3179         * assembler/ARM64Assembler.h:
3180         * assembler/ARMAssembler.h:
3181         * assembler/ARMv7Assembler.h:
3182         * assembler/MIPSAssembler.h:
3183         * assembler/MacroAssembler.h:
3184         * assembler/X86Assembler.h:
3185
3186 2017-10-31  Keith Miller  <keith_miller@apple.com>
3187
3188         StructureStubInfo should have GPRReg members not int8_ts
3189         https://bugs.webkit.org/show_bug.cgi?id=179071
3190
3191         Reviewed by Michael Saboff.
3192
3193         This patch makes the various RegisterID enums be backed by
3194         uint8_t. This means that we can remove the old int8_t members in
3195         StructureStubInfo and replace them with the correct enum types.
3196
3197         Also, this fixes an indentation issue in ARMv7Assembler.h.
3198
3199         * assembler/ARM64Assembler.h:
3200         * assembler/ARMAssembler.h:
3201         * assembler/ARMv7Assembler.h:
3202         (JSC::ARMRegisters::asSingle):
3203         (JSC::ARMRegisters::asDouble):
3204         * assembler/MIPSAssembler.h:
3205         * assembler/X86Assembler.h:
3206         * bytecode/InlineAccess.cpp:
3207         (JSC::InlineAccess::generateSelfPropertyAccess):
3208         (JSC::getScratchRegister):
3209         * bytecode/PolymorphicAccess.cpp:
3210         (JSC::PolymorphicAccess::regenerate):
3211         * bytecode/StructureStubInfo.h:
3212         (JSC::StructureStubInfo::valueRegs const):
3213         * dfg/DFGSpeculativeJIT.cpp:
3214         (JSC::DFG::SpeculativeJIT::compileIn):
3215         * ftl/FTLLowerDFGToB3.cpp:
3216         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
3217         * jit/JITInlineCacheGenerator.cpp:
3218         (JSC::JITByIdGenerator::JITByIdGenerator):
3219         (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator):
3220
3221 2017-10-31  Devin Rousso  <webkit@devinrousso.com>
3222
3223         Web Inspector: make ScriptCallStack::maxCallStackSizeToCapture the default value when capturing backtraces
3224         https://bugs.webkit.org/show_bug.cgi?id=179048
3225
3226         Reviewed by Mark Lam.
3227
3228         * inspector/ScriptCallStackFactory.h:
3229         * inspector/ScriptCallStackFactory.cpp:
3230         (createScriptCallStack):
3231         (createScriptCallStackForConsole):
3232         (createScriptCallStackFromException):
3233
3234         * inspector/ConsoleMessage.cpp:
3235         (Inspector::ConsoleMessage::autogenerateMetadata):
3236         * inspector/JSGlobalObjectInspectorController.cpp:
3237         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
3238         * inspector/agents/InspectorConsoleAgent.cpp:
3239         (Inspector::InspectorConsoleAgent::count):
3240         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
3241         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
3242
3243 2017-10-31  Carlos Garcia Campos  <cgarcia@igalia.com>
3244
3245         Unreviewed. Fix GTK+ make distcheck.
3246
3247         Ensure DERIVED_SOURCES_JAVASCRIPTCORE_DIR/yarr is created before scripts generating files there are run.
3248
3249         * CMakeLists.txt:
3250
3251 2017-10-30  Saam Barati  <sbarati@apple.com>
3252
3253         We need a storeStoreFence before storing to the instruction stream's live variable catch data
3254         https://bugs.webkit.org/show_bug.cgi?id=178649
3255
3256         Reviewed by Keith Miller.
3257
3258         * bytecode/CodeBlock.cpp:
3259         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
3260
3261 2017-10-30  Michael Catanzaro  <mcatanzaro@igalia.com>
3262
3263         [WPE] Fix build warnings
3264         https://bugs.webkit.org/show_bug.cgi?id=178899
3265
3266         Reviewed by Carlos Alberto Lopez Perez.
3267
3268         * PlatformWPE.cmake:
3269
3270 2017-10-30  Zan Dobersek  <zdobersek@igalia.com>
3271
3272         [ARMv7] Fix initial start register support in YarrJIT
3273         https://bugs.webkit.org/show_bug.cgi?id=178641
3274
3275         Reviewed by Saam Barati.
3276
3277         * yarr/YarrJIT.cpp: On ARMv7, use r8 as the initialStart register in the
3278         YarrGenerator class. r6 should be avoided since it's already used inside
3279         MacroAssemblerARMv7 as addressTempRegister. r7 isn't picked because it
3280         can be used as the frame pointer register when targeting ARM Thumb2.
3281
3282 2017-10-30  Zan Dobersek  <zdobersek@igalia.com>
3283
3284         [ARM64][Linux] Re-enable Gigacage
3285         https://bugs.webkit.org/show_bug.cgi?id=178130
3286
3287         Reviewed by Michael Catanzaro.
3288
3289         Guard the current globaladdr opcode implementation for ARM64 with
3290         OS(DARWIN) as it's only usable for Mach-O.
3291
3292         For OS(LINUX), ELF-supported :got: and :got_lo12: relocation specifiers
3293         have to be used. The .loh directive can't be used as it's not supported
3294         in GCC or the ld linker.
3295
3296         On every other OS target, a compilation error is thrown.
3297
3298         * offlineasm/arm64.rb:
3299
3300 2017-10-27  Devin Rousso  <webkit@devinrousso.com>
3301
3302         Web Inspector: Canvas Tab: no way to see backtrace of where a canvas context was created
3303         https://bugs.webkit.org/show_bug.cgi?id=178799
3304         <rdar://problem/35175805>
3305
3306         Reviewed by Brian Burg.
3307
3308         * inspector/protocol/Canvas.json:
3309         Add optional `backtrace` to Canvas type that is an array of Console.CallFrame.
3310
3311 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3312
3313         [JSC] Tweak ES6 generator function to allow inlining
3314         https://bugs.webkit.org/show_bug.cgi?id=178935
3315
3316         Reviewed by Saam Barati.
3317
3318         We optimize builtins' generator helper functions to allow them to be inlined on the caller side.
3319         This patch adjusts the layer between @generatorResume, next(), throw(), and return() to allow
3320         them to be inlined in DFG.
3321
3322                                        baseline                  patched
3323
3324         spread-generator.es6      301.2637+-11.1011    ^    260.5905+-14.2258       ^ definitely 1.1561x faster
3325         generator.es6             269.6030+-13.2435    ^    148.8840+-6.7614        ^ definitely 1.8108x faster
3326
3327         * builtins/GeneratorPrototype.js:
3328         (globalPrivate.generatorResume):
3329         (next):
3330         (return):
3331         (throw):
3332
3333 2017-10-27  Saam Barati  <sbarati@apple.com>
3334
3335         Bytecode liveness should live on UnlinkedCodeBlock so it can be shared amongst CodeBlocks
3336         https://bugs.webkit.org/show_bug.cgi?id=178949
3337
3338         Reviewed by Keith Miller.
3339
3340         This patch stores BytecodeLiveness on UnlinkedCodeBlock instead of CodeBlock
3341         so that we don't need to recompute liveness for the same UnlinkedCodeBlock
3342         more than once. To do this, this patch solidifies the invariant that CodeBlock
3343         linking can't do anything that would change the result of liveness. For example,
3344         it can't introduce new locals. This invariant was met by JSC before, because we
3345         didn't do anything in bytecode linking that would change liveness. However, it is
3346         now a correctness requirement that we don't do anything that would change the
3347         result of running liveness. To support this change, I've refactored BytecodeGraph
3348         to not be tied to a CodeBlockType*. Things that perform liveness will pass in
3349         CodeBlockType* and the instruction stream as needed. This means that we may
3350         compute liveness with one CodeBlock*'s instruction stream, and then perform
3351         queries on that analysis with a different CodeBlock*'s instruction stream.
3352
3353         This seems to be a 2% JSBench progression.
3354
3355         * bytecode/BytecodeGeneratorification.cpp:
3356         (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
3357         (JSC::BytecodeGeneratorification::graph):
3358         (JSC::BytecodeGeneratorification::storageForGeneratorLocal):
3359         (JSC::GeneratorLivenessAnalysis::run):
3360         (JSC::BytecodeGeneratorification::run):
3361         * bytecode/BytecodeGraph.h:
3362         (JSC::BytecodeGraph::BytecodeGraph):
3363         (JSC::BytecodeGraph::codeBlock const): Deleted.
3364         (JSC::BytecodeGraph::instructions): Deleted.
3365         (JSC::BytecodeGraph<Block>::BytecodeGraph): Deleted.
3366         * bytecode/BytecodeLivenessAnalysis.cpp:
3367         (JSC::BytecodeLivenessAnalysis::BytecodeLivenessAnalysis):
3368         (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):