12e3dc42abc8e134d8e4d4a21a09ba1e36a6257d
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-07-03  Saam Barati  <sbarati@apple.com>

        Add better crash logging for allocation sinking phase
        https://bugs.webkit.org/show_bug.cgi?id=174102
        <rdar://problem/33112092>

        Rubber stamped by Filip Pizlo.

        I'm trying to gather better information from crashlogs about why
        we're crashing in the allocation sinking phase. I'm adding an allocation
        sinking specific RELEASE_ASSERT as well as marking a few functions as
        NEVER_INLINE to have the stack traces in the crash trace contain more
        actionable information.

        * dfg/DFGObjectAllocationSinkingPhase.cpp:

2017-07-03  Sam Weinig  <sam@webkit.org>

        [WebIDL] Remove more unnecessary uses of the preprocessor in idl files
        https://bugs.webkit.org/show_bug.cgi?id=174083

        Reviewed by Alex Christensen.

        * Configurations/FeatureDefines.xcconfig:
        Add ENABLE_NAVIGATOR_STANDALONE.

2017-07-03  Andy Estes  <aestes@apple.com>

        [Xcode] Add an experimental setting to build with ccache
        https://bugs.webkit.org/show_bug.cgi?id=173875

        Reviewed by Tim Horton.

        * Configurations/DebugRelease.xcconfig: Included ccache.xcconfig.

2017-07-03  Devin Rousso  <drousso@apple.com>

        Web Inspector: Support listing WebGL2 and WebGPU contexts
        https://bugs.webkit.org/show_bug.cgi?id=173396

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Canvas.json:
        * inspector/scripts/codegen/generator.py:
        (Generator.stylized_name_for_enum_value):
        Add cases for handling new Canvas.ContextType protocol enumerations:
         - "webgl2" maps to `WebGL2`
         - "webgpu" maps to `WebGPU`

2017-07-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        WTF::Thread should have the thread's stack bounds.
        https://bugs.webkit.org/show_bug.cgi?id=173975

        Reviewed by Mark Lam.

        There is a site in JSC that tries to walk another thread's stack.
        Currently, stack bounds are stored in WTFThreadData which is located
        in TLS. Thus, only the thread itself can access its own WTFThreadData.
        We work around this situation by holding StackBounds in MachineThread in JSC,
        but StackBounds should be put in WTF::Thread instead.

        This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
        information is tightly coupled with Thread. Thus putting it in WTF::Thread
        is a natural choice.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::MachineThread::MachineThread):
        (JSC::MachineThreads::MachineThread::captureStack):
        * heap/MachineStackMarker.h:
        (JSC::MachineThreads::MachineThread::stackBase):
        (JSC::MachineThreads::MachineThread::stackEnd):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::updateStackLimits):
        (JSC::VM::committedStackByteCount):
        * runtime/VM.h:
        (JSC::VM::isSafeToRecurse):
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
        * runtime/VMInlines.h:
        (JSC::VM::ensureStackCapacityFor):
        * runtime/VMTraps.cpp:
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):

2017-07-01  Dan Bernstein  <mitz@apple.com>

        [iOS] Remove code only needed when building for iOS 9.x
        https://bugs.webkit.org/show_bug.cgi?id=174068

        Reviewed by Tim Horton.

        * Configurations/FeatureDefines.xcconfig:
        * jit/ExecutableAllocator.cpp:
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2017-07-01  Dan Bernstein  <mitz@apple.com>

        [macOS] Remove code only needed when building for OS X Yosemite
        https://bugs.webkit.org/show_bug.cgi?id=174067

        Reviewed by Tim Horton.

        * API/WebKitAvailability.h:
        * Configurations/Base.xcconfig:
        * Configurations/DebugRelease.xcconfig:
        * Configurations/FeatureDefines.xcconfig:
        * Configurations/Version.xcconfig:

2017-07-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, build fix for GCC
        https://bugs.webkit.org/show_bug.cgi?id=174034

        * b3/testb3.cpp:
        (JSC::B3::testDoubleLiteralComparison):

2017-06-30  Keith Miller  <keith_miller@apple.com>

        Force crashWithInfo to be out of line.
        https://bugs.webkit.org/show_bug.cgi?id=174028

        Reviewed by Filip Pizlo.

        Update DFG_ASSERT macro to call CRASH_WITH_SECURITY_IMPLICATION_AND_INFO.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::logDFGAssertionFailure):
        (JSC::DFG::Graph::logAssertionFailure):
        (JSC::DFG::crash): Deleted.
        (JSC::DFG::Graph::handleAssertionFailure): Deleted.
        * dfg/DFGGraph.h:

2017-06-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use AbstractMacroAssembler::random instead of holding WeakRandom in JIT
        https://bugs.webkit.org/show_bug.cgi?id=174053

        Reviewed by Geoffrey Garen.

        We already have AbstractMacroAssembler::random() function. Use it instead.

        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::compileWithoutLinking):
        * jit/JIT.h:

2017-06-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Drop SymbolRegistry::keyForSymbol
        https://bugs.webkit.org/show_bug.cgi?id=174052

        Reviewed by Sam Weinig.

        * runtime/SymbolConstructor.cpp:
        (JSC::symbolConstructorKeyFor):

2017-06-30  Saam Barati  <sbarati@apple.com>

        B3ReduceStrength should reduce EqualOrUnordered over const float input
        https://bugs.webkit.org/show_bug.cgi?id=174039

        Reviewed by Michael Saboff.

        We perform this folding for ConstDoubleValue. It is simply
        an oversight that we didn't do it for ConstFloatValue.

        * b3/B3ConstFloatValue.cpp:
        (JSC::B3::ConstFloatValue::equalOrUnorderedConstant):
        * b3/B3ConstFloatValue.h:
        * b3/testb3.cpp:
        (JSC::B3::testFloatEqualOrUnorderedFolding):
        (JSC::B3::testFloatEqualOrUnorderedFoldingNaN):
        (JSC::B3::testFloatEqualOrUnorderedDontFold):
        (JSC::B3::run):

2017-06-30  Matt Baker  <mattbaker@apple.com>

        Web Inspector: AsyncStackTrace nodes can be corrupted when truncating
        https://bugs.webkit.org/show_bug.cgi?id=173840
        <rdar://problem/30840820>

        Reviewed by Joseph Pecoraro.

        When truncating an asynchronous stack trace, the parent chain is traversed
        until a locked node is found. The path from this node to the root is shared
        by more than one stack trace, and cannot be safely modified. Starting at
        the first locked node, the path is cloned and becomes a new stack trace tree.

        However, the clone operation initialized each new AsyncStackTrace node with
        the original node's parent. This would increment the child count of the original
        node. When cloning nodes, new nodes should not have their parent set until the
        next node up the parent chain is cloned.

        * inspector/AsyncStackTrace.cpp:
        (Inspector::AsyncStackTrace::truncate):

2017-06-30  Michael Saboff  <msaboff@apple.com>

        RegExps anchored with .* with \g flag can return wrong match start for strings with multiple matches
        https://bugs.webkit.org/show_bug.cgi?id=174044

        Reviewed by Oliver Hunt.

        The .* enclosure optimization didn't respect that we can start matching from a non-zero
        index.  This optimization treats /.*<some-terms>.*/ by first matching the <some-terms> and
        then finding the extent of the match by going back to the beginning of the line and going
        forward to the end of the line.  The code that went back to the beginning of the line
        checked for an index of 0 instead of comparing the index to the start position.  This start
        position is passed as the initial index.

        Added another temporary register to the YARR JIT to contain the start position for
        platforms that have spare registers.

        * yarr/Yarr.h:
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::matchDotStarEnclosure):
        (JSC::Yarr::Interpreter::Interpreter):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
        (JSC::Yarr::YarrGenerator::compile):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPattern::YarrPattern):
        * yarr/YarrPattern.h:
        (JSC::Yarr::YarrPattern::reset):

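A simplified model of the .* enclosure optimization described in the entry above, added here as an illustration and not YARR's own code: the term is located at or after the start position, then the match is widened backwards to the beginning of the line and forwards to its end. With `fixed == false` the backward walk stops only at index 0, reproducing the reported defect, and the match start lands before the position the search began at. The input string and the `Match` struct are constructed for this example.

```cpp
#include <cstddef>
#include <string>

struct Match {
    bool found;
    size_t start;
    size_t end; // one past the last matched character
};

// '.' does not match line terminators, so the enclosure stops at them.
bool isLineTerminator(char c)
{
    return c == '\n' || c == '\r';
}

// Model of matching /.*<term>.*/ from startPosition (the index a /g search resumes at).
// fixed == false reproduces the bug: the backward walk compares against 0, not startPosition.
Match dotStarEnclosure(const std::string& input, const std::string& term, size_t startPosition, bool fixed)
{
    size_t termPosition = input.find(term, startPosition);
    if (termPosition == std::string::npos)
        return { false, 0, 0 };

    // Walk back to the beginning of the line, but never before where matching started.
    size_t lowerBound = fixed ? startPosition : 0;
    size_t begin = termPosition;
    while (begin > lowerBound && !isLineTerminator(input[begin - 1]))
        --begin;

    // Walk forward to the end of the line.
    size_t end = termPosition + term.size();
    while (end < input.size() && !isLineTerminator(input[end]))
        ++end;

    return { true, begin, end };
}

// Constructed input: searching for "b" from index 1 must not report a match that starts at 0.
const std::string kInput = "ab ab";

size_t buggyMatchStart() { return dotStarEnclosure(kInput, "b", 1, false).start; } // 0, before the start position
size_t fixedMatchStart() { return dotStarEnclosure(kInput, "b", 1, true).start; }  // 1
```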
2017-06-30  Saam Barati  <sbarati@apple.com>

        B3MoveConstants floatZero() returns the wrong ValueKey
        https://bugs.webkit.org/show_bug.cgi?id=174040

        Reviewed by Filip Pizlo.

        It had a typo where the ValueKey for floatZero() produces a Double
        instead of a Float.

        * b3/B3MoveConstants.cpp:

2017-06-30  Saam Barati  <sbarati@apple.com>

        B3ReduceDoubleToFloat incorrectly reduces operations over two double constants
        https://bugs.webkit.org/show_bug.cgi?id=174034
        <rdar://problem/30793007>

        Reviewed by Filip Pizlo.

        B3ReduceDoubleToFloat had a bug in it where it would incorrectly
        reduce binary operations over double constants into the same binary
        operation over the double constants cast to floats. This is clearly
        incorrect as these two things will produce different values. For example:

        a = DoubleConst(bitwise_cast<double>(0x8000000000000001ull))
        b = DoubleConst(bitwise_cast<double>(0x0000000000000000ull))
        c = EqualOrUnordered(@a, @b) // produces 0

        into:

        a = FloatConst(static_cast<float>(bitwise_cast<double>(0x8000000000000001ull)))
        b = FloatConst(static_cast<float>(bitwise_cast<double>(0x0000000000000000ull)))
        c = EqualOrUnordered(@a, @b) // produces 1

        Which produces a different value for @c.

        * b3/B3ReduceDoubleToFloat.cpp:
        * b3/testb3.cpp:
        (JSC::B3::doubleEq):
        (JSC::B3::doubleNeq):
        (JSC::B3::doubleGt):
        (JSC::B3::doubleGte):
        (JSC::B3::doubleLt):
        (JSC::B3::doubleLte):
        (JSC::B3::testDoubleLiteralComparison):
        (JSC::B3::run):

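The mismatch from the entry above worked through in standalone C++ (an added example, not code from the WebKit repository): the two double constants compare unequal, but once each is demoted to float the tiny negative denormal collapses to -0.0f, which compares equal to 0.0f. `bitwise_cast` and `equalOrUnordered` are local stand-ins for WTF's helper and B3's operation, and `demotionIsExact` is an added round-trip check (my suggestion, not the B3 fix itself) that tells whether demoting a constant is value-preserving.

```cpp
#include <cmath>
#include <cstdint>
#include <cstring>

// Local stand-in for WTF's bitwise_cast: reinterpret the bits of one type as another.
template <typename To, typename From>
To bitwise_cast(From from)
{
    static_assert(sizeof(To) == sizeof(From), "bitwise_cast requires equal sizes");
    To to;
    std::memcpy(&to, &from, sizeof(to));
    return to;
}

// B3's EqualOrUnordered: true when a == b or when either operand is NaN.
template <typename T>
bool equalOrUnordered(T a, T b)
{
    return a == b || std::isnan(a) || std::isnan(b);
}

// The constants from the ChangeLog entry: the smallest negative double denormal and +0.0.
const uint64_t kTinyNegativeBits = 0x8000000000000001ull;
const uint64_t kZeroBits = 0x0000000000000000ull;

// Comparison as B3 received it: two DoubleConst operands.
int compareAsDouble()
{
    double a = bitwise_cast<double>(kTinyNegativeBits);
    double b = bitwise_cast<double>(kZeroBits);
    return equalOrUnordered(a, b) ? 1 : 0; // -4.9e-324 != 0.0, so 0
}

// Comparison after the incorrect reduction: both operands demoted to float first.
int compareAsFloat()
{
    float a = static_cast<float>(bitwise_cast<double>(kTinyNegativeBits)); // rounds to -0.0f
    float b = static_cast<float>(bitwise_cast<double>(kZeroBits));
    return equalOrUnordered(a, b) ? 1 : 0; // -0.0f == 0.0f, so 1
}

// Added guard (an assumption for this example, not B3's fix): a double operand can be
// demoted without changing any IEEE comparison when it survives a double -> float -> double
// round trip. NaN stays unordered either way, so it counts as safe.
bool demotionIsExact(double d)
{
    return std::isnan(d) || static_cast<double>(static_cast<float>(d)) == d;
}
```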
279 2017-06-29  Jer Noble  <jer.noble@apple.com>
280
281         Make Legacy EME API controlled by RuntimeEnabled setting.
282         https://bugs.webkit.org/show_bug.cgi?id=173994
283
284         Reviewed by Sam Weinig.
285
286         * Configurations/FeatureDefines.xcconfig:
287         * runtime/CommonIdentifiers.h:
288
289 2017-06-30  Ryosuke Niwa  <rniwa@webkit.org>
290
291         Ran sort-Xcode-project-file.
292
293         * JavaScriptCore.xcodeproj/project.pbxproj:
294
295 2017-06-30  Matt Lewis  <jlewis3@apple.com>
296
297         Unreviewed, rolling out r218992.
298
299         The patch broke the iOS device builds.
300
301         Reverted changeset:
302
303         "DFG_ASSERT should allow stuffing registers before trapping."
304         https://bugs.webkit.org/show_bug.cgi?id=174005
305         http://trac.webkit.org/changeset/218992
306
307 2017-06-30  Filip Pizlo  <fpizlo@apple.com>
308
309         RegExpCachedResult::setInput should reify left and right contexts
310         https://bugs.webkit.org/show_bug.cgi?id=173818
311
312         Reviewed by Keith Miller.
313         
314         If you don't reify them in setInput, then when you later try to reify them, you'll end up
315         using indices into an old input string to create a substring of a new input string. That
316         never goes well.
317
318         * runtime/RegExpCachedResult.cpp:
319         (JSC::RegExpCachedResult::setInput):
320
321 2017-06-30  Keith Miller  <keith_miller@apple.com>
322
323         DFG_ASSERT should allow stuffing registers before trapping.
324         https://bugs.webkit.org/show_bug.cgi?id=174005
325
326         Reviewed by Mark Lam.
327
328         DFG_ASSERT currently prints error data to stderr before crashing,
329         which is nice for local development. In the wild, however, we
330         can't see this information in crash logs. This patch enables
331         stuffing some of the most useful information from DFG_ASSERTS into
332         up to five registers right before crashing. The values stuffed
333         should not impact any logging during local development.
334
335         * assembler/AbortReason.h:
336         * dfg/DFGAbstractInterpreterInlines.h:
337         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
338         * dfg/DFGGraph.cpp:
339         (JSC::DFG::logForCrash):
340         (JSC::DFG::Graph::logAssertionFailure):
341         (JSC::DFG::crash): Deleted.
342         (JSC::DFG::Graph::handleAssertionFailure): Deleted.
343         * dfg/DFGGraph.h:
344
345 2017-06-29  Saam Barati  <sbarati@apple.com>
346
347         Calculating postCapacity in unshiftCountSlowCase is wrong
348         https://bugs.webkit.org/show_bug.cgi?id=173992
349         <rdar://problem/32283199>
350
351         Reviewed by Keith Miller.
352
353         This patch fixes a bug inside unshiftCountSlowCase where we would use
354         more memory than we allocated. The bug was when deciding how much extra
355         space we have after the vector we've allocated. This area is called the
356         postCapacity. The largest legal postCapacity value we could use is the
357         space we allocated minus the space we need:
358         largestPossiblePostCapacity = newStorageCapacity - requiredVectorLength;
359         However, the code was calculating the postCapacity as:
360         postCapacity = max(newStorageCapacity - requiredVectorLength, count);
361         
362         where count is how many elements we're appending. Depending on the inputs,
363         count could be larger than (newStorageCapacity - requiredVectorLength). This
364         would cause us to use more memory than we actually allocated.
365
366         * runtime/JSArray.cpp:
367         (JSC::JSArray::unshiftCountSlowCase):
368
369 2017-06-29  Commit Queue  <commit-queue@webkit.org>
370
371         Unreviewed, rolling out r218512.
372         https://bugs.webkit.org/show_bug.cgi?id=173981
373
374         "It changes the behavior of the JS API's JSEvaluateScript
375         which breaks TurboTax" (Requested by saamyjoon on #webkit).
376
377         Reverted changeset:
378
379         "test262: Completion values for control flow do not match the
380         spec"
381         https://bugs.webkit.org/show_bug.cgi?id=171265
382         http://trac.webkit.org/changeset/218512
383
384 2017-06-29  JF Bastien  <jfbastien@apple.com>
385
386         WebAssembly: disable some APIs under CSP
387         https://bugs.webkit.org/show_bug.cgi?id=173892
388         <rdar://problem/32914613>
389
390         Reviewed by Daniel Bates.
391
392         We should disable parts of WebAssembly under Content Security
393         Policy as discussed here:
394
395         https://github.com/WebAssembly/design/issues/1092
396
397         Exactly what should be disabled isn't super clear, so we may as
398         well be conservative and disable many things if developers already
399         opted into CSP. It's easy to loosen what we disable later.
400
401         This patch disables:
402         - WebAssembly.Instance
403         - WebAssembly.instantiate
404         - WebAssembly.Memory
405         - WebAssembly.Table
406
407         And leaves:
408         - WebAssembly on the global object
409         - WebAssembly.Module
410         - WebAssembly.compile
411         - WebAssembly.CompileError
412         - WebAssembly.LinkError
413
414         Nothing because currently unimplmented:
415         - WebAssembly.compileStreaming
416         - WebAssembly.instantiateStreaming
417
418         That way it won't be possible to call WebAssembly-compiled code,
419         or create memories (which use fancy 4GiB allocations
420         sometimes). Table isn't really useful on its own, and eventually
421         we may make them shareable so without more details it seems benign
422         to disable them (and useless if we don't).
423
424         I haven't done anything with postMessage, so you can still
425         postMessage a WebAssembly.Module cross-CSP, but you can't
426         instantiate it so it's useless. Because of this I elected to leave
427         WebAssembly.Module and friends available.
428
429         I haven't added any new directives. It's still unsafe-eval. We can
430         add something else later, but it seems odd to add a WebAssembly as
431         a new capability and tell developers "you should have been using
432         this directive which we just implemented if you wanted to disable
433         WebAssembly which didn't exist when you adopted CSP". So IMO we
434         should keep unsafe-eval as it currently is, add WebAssembly to
435         what it disables, and later consider having two new directives
436         which do each individually or something.
437
438         In all cases I throw an EvalError *before* other WebAssembly
439         errors would be produced.
440
441         Note that, as for eval, reporting doesn't work and is tracked by
442         https://webkit.org/b/111869
443
444         * runtime/JSGlobalObject.cpp:
445         (JSC::JSGlobalObject::JSGlobalObject):
446         * runtime/JSGlobalObject.h:
447         (JSC::JSGlobalObject::webAssemblyEnabled):
448         (JSC::JSGlobalObject::webAssemblyDisabledErrorMessage):
449         (JSC::JSGlobalObject::setWebAssemblyEnabled):
450         * wasm/js/JSWebAssemblyInstance.cpp:
451         (JSC::JSWebAssemblyInstance::create):
452         * wasm/js/JSWebAssemblyMemory.cpp:
453         (JSC::JSWebAssemblyMemory::create):
454         * wasm/js/JSWebAssemblyMemory.h:
455         * wasm/js/JSWebAssemblyTable.cpp:
456         (JSC::JSWebAssemblyTable::create):
457         * wasm/js/WebAssemblyMemoryConstructor.cpp:
458         (JSC::constructJSWebAssemblyMemory):
459
460 2017-06-28  Keith Miller  <keith_miller@apple.com>
461
462         VMTraps has some races
463         https://bugs.webkit.org/show_bug.cgi?id=173941
464
465         Reviewed by Michael Saboff.
466
467         This patch refactors much of the VMTraps API.
468
469         On the message sending side:
470
471         1) No longer uses the Yarr JIT check to determine if we are in
472         RegExp code. That was unsound because RegExp JIT code can be run
473         on compilation threads.  Instead it looks at the current frame's
474         code block slot and checks if it is valid, which is the same as
475         what it did for JIT code previously.
476
477         2) Only have one signal sender thread, previously, there could be
478         many at once, which caused some data races. Additionally, the
479         signal sender thread is an automatic thread so it will deallocate
480         itself when not in use.
481
482         On the VMTraps breakpoint side:
483
484         1) We now have a true mapping of if we hit a breakpoint instead of
485         a JIT assertion. So the exception handler won't eat JIT assertions
486         anymore.
487
488         2) It jettisons all CodeBlocks that have VMTraps breakpoints on
489         them instead of every CodeBlock on the stack. This both prevents
490         us from hitting stale VMTraps breakpoints and also doesn't OSR
491         codeblocks that otherwise don't need to be jettisoned.
492
493         3) The old exception handler could theoretically fail for a couple
494         of reasons then resume execution with a clobbered instruction
495         set. This patch will kill the program if the exception handler
496         would fail.
497
498         This patch also refactors some of the jsc.cpp functions to take the
499         CommandLine options object instead of individual options. Also, there
500         is a new command line option that makes exceptions due to watchdog
501         timeouts an acceptable result.
502
503         * API/tests/testapi.c:
504         (main):
505         * bytecode/CodeBlock.cpp:
506         (JSC::CodeBlock::installVMTrapBreakpoints):
507         * dfg/DFGCommonData.cpp:
508         (JSC::DFG::pcCodeBlockMap):
509         (JSC::DFG::CommonData::invalidate):
510         (JSC::DFG::CommonData::~CommonData):
511         (JSC::DFG::CommonData::installVMTrapBreakpoints):
512         (JSC::DFG::codeBlockForVMTrapPC):
513         * dfg/DFGCommonData.h:
514         * jsc.cpp:
515         (functionDollarAgentStart):
516         (checkUncaughtException):
517         (checkException):
518         (runWithOptions):
519         (printUsageStatement):
520         (CommandLine::parseArguments):
521         (jscmain):
522         (runWithScripts): Deleted.
523         * runtime/JSLock.cpp:
524         (JSC::JSLock::didAcquireLock):
525         * runtime/VMTraps.cpp:
526         (JSC::sanitizedTopCallFrame):
527         (JSC::VMTraps::tryInstallTrapBreakpoints):
528         (JSC::VMTraps::willDestroyVM):
529         (JSC::VMTraps::fireTrap):
530         (JSC::VMTraps::handleTraps):
531         (JSC::VMTraps::VMTraps):
532         (JSC::VMTraps::~VMTraps):
533         (JSC::findActiveVMAndStackBounds): Deleted.
534         (JSC::installSignalHandler): Deleted.
535         (JSC::VMTraps::addSignalSender): Deleted.
536         (JSC::VMTraps::removeSignalSender): Deleted.
537         (JSC::VMTraps::SignalSender::willDestroyVM): Deleted.
538         (JSC::VMTraps::SignalSender::send): Deleted.
539         * runtime/VMTraps.h:
540         (JSC::VMTraps::~VMTraps): Deleted.
541         (JSC::VMTraps::SignalSender::SignalSender): Deleted.
542
543 2017-06-28  Devin Rousso  <drousso@apple.com>
544
545         Web Inspector: Instrument active pixel memory used by canvases
546         https://bugs.webkit.org/show_bug.cgi?id=173087
547         <rdar://problem/32719261>
548
549         Reviewed by Joseph Pecoraro.
550
551         * inspector/protocol/Canvas.json:
552          - Add optional `memoryCost` attribute to the `Canvas` type.
553          - Add `canvasMemoryChanged` event that is dispatched when the `memoryCost` of a canvas changes.
554
555 2017-06-28  Joseph Pecoraro  <pecoraro@apple.com>
556
557         Web Inspector: Cleanup Protocol JSON files
558         https://bugs.webkit.org/show_bug.cgi?id=173934
559
560         Reviewed by Matt Baker.
561
562         * inspector/protocol/ApplicationCache.json:
563         * inspector/protocol/CSS.json:
564         * inspector/protocol/Console.json:
565         * inspector/protocol/DOM.json:
566         * inspector/protocol/DOMDebugger.json:
567         * inspector/protocol/Debugger.json:
568         * inspector/protocol/LayerTree.json:
569         * inspector/protocol/Network.json:
570         * inspector/protocol/Page.json:
571         * inspector/protocol/Runtime.json:
572         Be more consistent about placement of `description` property.
573
574 2017-06-27  Joseph Pecoraro  <pecoraro@apple.com>
575
576         Web Inspector: Remove unused Inspector domain events
577         https://bugs.webkit.org/show_bug.cgi?id=173905
578
579         Reviewed by Matt Baker.
580
581         * inspector/protocol/Inspector.json:
582
583 2017-06-28  JF Bastien  <jfbastien@apple.com>
584
585         Ensure that computed new stack pointer values do not underflow.
586         https://bugs.webkit.org/show_bug.cgi?id=173700
587         <rdar://problem/32926032>
588
589         Reviewed by Filip Pizlo and Saam Barati, update reviewed by Mark Lam.
590
591         Patch by Mark Lam, with the following fix:
592
593         Re-apply this patch, it originally broke the ARM build because the llint code
594         generated `subs xzr, x3, sp` which isn't valid ARM64: the third operand cannot
595         be SP (that encoding would be ZR instead, subtracting zero). Flip the comparison
596         and operands to emit valid code (because the second operand can be SP).
597
598         1. Added a RELEASE_ASSERT to BytecodeGenerator::generate() to ensure that
599            m_numCalleeLocals is sane.
600
601         2. Added underflow checks in LLInt code and VarargsFrame code.
602
603         3. Introduce minimumReservedZoneSize, which is hardcoded to 16K.
604            Ensure that Options::reservedZoneSize() is at least minimumReservedZoneSize.
605            Ensure that Options::softReservedZoneSize() is at least greater than
606            Options::reservedZoneSize() by minimumReservedZoneSize.
607
608         4. Ensure that stack checks emitted by JIT tiers include an underflow check if
609            and only if the max size of the frame is greater than Options::reservedZoneSize().
610
611            By design, we are guaranteed to have at least Options::reservedZoneSize() bytes
612            of memory at the bottom (end) of the stack.  This means that, at any time, the
613            frame pointer must be at least Options::reservedZoneSize() bytes away from the
614            end of the stack.  Hence, if the max frame size is less than
615            Options::reservedZoneSize(), there's no way that frame pointer - max
616            frame size can underflow, and we can elide the underflow check.
617
618            Note that we use Options::reservedZoneSize() instead of
619            Options::softReservedZoneSize() for determine if we need an underflow check.
620            This is because the softStackLimit that is used for stack checks can be set
621            based on Options::reservedZoneSize() during error handling (e.g. when creating
622            strings for instantiating the Error object).  Hence, the guaranteed minimum of
623            distance between the frame pointer and the end of the stack is
624            Options::reservedZoneSize() and nor Options::softReservedZoneSize().
625
626            Note also that we ensure that Options::reservedZoneSize() is at least
627            minimumReservedZoneSize (i.e. 16K).  In typical deployments,
628            Options::reservedZoneSize() may be larger.  Using Options::reservedZoneSize()
629            instead of minimumReservedZoneSize gives us more chances to elide underflow
630            checks.
631
632         * JavaScriptCore.xcodeproj/project.pbxproj:
633         * bytecompiler/BytecodeGenerator.cpp:
634         (JSC::BytecodeGenerator::generate):
635         * dfg/DFGGraph.cpp:
636         (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit):
637         * dfg/DFGJITCompiler.cpp:
638         (JSC::DFG::emitStackOverflowCheck):
639         (JSC::DFG::JITCompiler::compile):
640         (JSC::DFG::JITCompiler::compileFunction):
641         * ftl/FTLLowerDFGToB3.cpp:
642         (JSC::FTL::DFG::LowerDFGToB3::lower):
643         * jit/JIT.cpp:
644         (JSC::JIT::compileWithoutLinking):
645         * jit/SetupVarargsFrame.cpp:
646         (JSC::emitSetupVarargsFrameFastCase):
647         * llint/LLIntSlowPaths.cpp:
648         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
649         * llint/LowLevelInterpreter.asm:
650         * llint/LowLevelInterpreter32_64.asm:
651         * llint/LowLevelInterpreter64.asm:
652         * runtime/MinimumReservedZoneSize.h: Added.
653         * runtime/Options.cpp:
654         (JSC::recomputeDependentOptions):
655         * runtime/VM.cpp:
656         (JSC::VM::updateStackLimits):
657         * wasm/WasmB3IRGenerator.cpp:
658         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
659         * wasm/js/WebAssemblyFunction.cpp:
660         (JSC::callWebAssemblyFunction):
661
662 2017-06-28  Chris Dumez  <cdumez@apple.com>
663
664         Unreviewed, rolling out r218869.
665
666         Broke the iOS build
667
668         Reverted changeset:
669
670         "Ensure that computed new stack pointer values do not
671         underflow."
672         https://bugs.webkit.org/show_bug.cgi?id=173700
673         http://trac.webkit.org/changeset/218869
674
675 2017-06-28  Chris Dumez  <cdumez@apple.com>
676
677         Unreviewed, rolling out r218873.
678
679         Broke the iOS build
680
681         Reverted changeset:
682
683         "Gardening: CLoop build fix."
684         https://bugs.webkit.org/show_bug.cgi?id=173700
685         http://trac.webkit.org/changeset/218873
686
687 2017-06-28  Mark Lam  <mark.lam@apple.com>
688
689         Gardening: CLoop build fix.
690         https://bugs.webkit.org/show_bug.cgi?id=173700
691         <rdar://problem/32926032>
692
693         Not reviewed.
694
695         * llint/LLIntSlowPaths.cpp:
696         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
697
698 2017-06-28  Mark Lam  <mark.lam@apple.com>
699
700         Ensure that computed new stack pointer values do not underflow.
701         https://bugs.webkit.org/show_bug.cgi?id=173700
702         <rdar://problem/32926032>
703
704         Reviewed by Filip Pizlo and Saam Barati.
705
706         1. Added a RELEASE_ASSERT to BytecodeGenerator::generate() to ensure that
707            m_numCalleeLocals is sane.
708
709         2. Added underflow checks in LLInt code and VarargsFrame code.
710
711         3. Introduce minimumReservedZoneSize, which is hardcoded to 16K.
712            Ensure that Options::reservedZoneSize() is at least minimumReservedZoneSize.
713            Ensure that Options::softReservedZoneSize() is at least greater than
714            Options::reservedZoneSize() by minimumReservedZoneSize.
715
716         4. Ensure that stack checks emitted by JIT tiers include an underflow check if
717            and only if the max size of the frame is greater than Options::reservedZoneSize().
718
719            By design, we are guaranteed to have at least Options::reservedZoneSize() bytes
720            of memory at the bottom (end) of the stack.  This means that, at any time, the
721            frame pointer must be at least Options::reservedZoneSize() bytes away from the
722            end of the stack.  Hence, if the max frame size is less than
723            Options::reservedZoneSize(), there's no way that frame pointer - max
724            frame size can underflow, and we can elide the underflow check.
725
726            Note that we use Options::reservedZoneSize() instead of
727            Options::softReservedZoneSize() for determine if we need an underflow check.
728            This is because the softStackLimit that is used for stack checks can be set
729            based on Options::reservedZoneSize() during error handling (e.g. when creating
730            strings for instantiating the Error object).  Hence, the guaranteed minimum of
731            distance between the frame pointer and the end of the stack is
732            Options::reservedZoneSize() and nor Options::softReservedZoneSize().
733
734            Note also that we ensure that Options::reservedZoneSize() is at least
735            minimumReservedZoneSize (i.e. 16K).  In typical deployments,
736            Options::reservedZoneSize() may be larger.  Using Options::reservedZoneSize()
737            instead of minimumReservedZoneSize gives us more chances to elide underflow
738            checks.
739
740         * JavaScriptCore.xcodeproj/project.pbxproj:
741         * bytecompiler/BytecodeGenerator.cpp:
742         (JSC::BytecodeGenerator::generate):
743         * dfg/DFGGraph.cpp:
744         (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit):
745         * dfg/DFGJITCompiler.cpp:
746         (JSC::DFG::JITCompiler::compile):
747         (JSC::DFG::JITCompiler::compileFunction):
748         * ftl/FTLLowerDFGToB3.cpp:
749         (JSC::FTL::DFG::LowerDFGToB3::lower):
750         * jit/JIT.cpp:
751         (JSC::JIT::compileWithoutLinking):
752         * jit/SetupVarargsFrame.cpp:
753         (JSC::emitSetupVarargsFrameFastCase):
754         * llint/LLIntSlowPaths.cpp:
755         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
756         * llint/LowLevelInterpreter.asm:
757         * llint/LowLevelInterpreter32_64.asm:
758         * llint/LowLevelInterpreter64.asm:
759         * runtime/MinimumReservedZoneSize.h: Added.
760         * runtime/Options.cpp:
761         (JSC::recomputeDependentOptions):
762         * runtime/VM.cpp:
763         (JSC::VM::updateStackLimits):
764         * wasm/WasmB3IRGenerator.cpp:
765         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
766         * wasm/js/WebAssemblyFunction.cpp:
767         (JSC::callWebAssemblyFunction):
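
        The following C model is added here and is not JSC's own code. It walks through
        items 3 and 4 above: the option clamping, the "underflow check iff max frame size
        > reservedZoneSize" rule, and why an unguarded fp - maxFrameSize must not be
        trusted once the frame can exceed the reserved zone. Only the name
        minimumReservedZoneSize (16K) is from the page; the stack addresses, frame sizes
        and function names are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* minimumReservedZoneSize is named on the page (hard-coded to 16K); every
 * other value in this file is constructed for the demonstration. */
#define MINIMUM_RESERVED_ZONE_SIZE ((uint64_t)16 * 1024)

/* Item 3: floor Options::reservedZoneSize() at minimumReservedZoneSize. */
uint64_t clampedReservedZoneSize(uint64_t requested)
{
    return requested < MINIMUM_RESERVED_ZONE_SIZE ? MINIMUM_RESERVED_ZONE_SIZE : requested;
}

/* Item 3: Options::softReservedZoneSize() must exceed the (already clamped)
 * reservedZoneSize by at least minimumReservedZoneSize. */
uint64_t clampedSoftReservedZoneSize(uint64_t reservedZoneSize, uint64_t requestedSoft)
{
    uint64_t minimumSoft = reservedZoneSize + MINIMUM_RESERVED_ZONE_SIZE;
    return requestedSoft < minimumSoft ? minimumSoft : requestedSoft;
}

/* Item 4: a JIT tier needs the underflow check iff the frame can be larger
 * than the zone guaranteed to sit between the frame pointer and the stack end.
 * The comparison is against reservedZoneSize, not softReservedZoneSize, because
 * the soft limit can be lowered to the hard one during error handling. */
bool needsUnderflowCheck(uint64_t maxFrameSize, uint64_t reservedZoneSize)
{
    return maxFrameSize > reservedZoneSize;
}

/* Model of the emitted stack check.  The stack grows down, so the new frame's
 * bottom is fp - maxFrameSize and it must stay at or above softStackLimit.
 * With guarded == false the subtraction is unchecked and wraps on a huge
 * maxFrameSize; with guarded == true the wrap is caught first. */
bool stackCheckPasses(uint64_t softStackLimit, uint64_t fp, uint64_t maxFrameSize, bool guarded)
{
    if (guarded && fp < maxFrameSize)
        return false;                                 /* would underflow: report overflow */
    uint64_t newFrameBottom = fp - maxFrameSize;      /* wraps silently when fp < maxFrameSize */
    return newFrameBottom >= softStackLimit;
}

/* Exhaustively checks the elision argument on a small constructed stack: for
 * every fp honouring the guarantee fp >= stackEnd + reservedZoneSize, the
 * guarded and unguarded checks must agree whenever needsUnderflowCheck() says
 * the check may be dropped.  Returns true if the argument holds. */
bool elisionIsSoundFor(uint64_t stackEnd, uint64_t reservedZoneSize, uint64_t softStackLimit,
                       uint64_t stackTop, uint64_t maxFrameSize)
{
    if (needsUnderflowCheck(maxFrameSize, reservedZoneSize))
        return true;                                  /* check is kept; nothing to verify */
    for (uint64_t fp = stackEnd + reservedZoneSize; fp <= stackTop; fp += 8) {
        if (stackCheckPasses(softStackLimit, fp, maxFrameSize, true)
            != stackCheckPasses(softStackLimit, fp, maxFrameSize, false))
            return false;
    }
    return true;
}

int main(void)
{
    /* Constructed geometry: the stack end sits low in the address space so a
     * corrupt frame size can actually wrap the subtraction. */
    uint64_t reserved = clampedReservedZoneSize(4096);                  /* -> 16K */
    uint64_t softReserved = clampedSoftReservedZoneSize(reserved, 0);   /* -> 32K */
    uint64_t stackEnd = 0x10000;
    uint64_t stackTop = stackEnd + 0x40000;
    uint64_t softStackLimit = stackEnd + softReserved;
    uint64_t fp = stackTop;

    /* A sane 8K frame: the underflow check is elided and both checks agree. */
    printf("8K frame needs underflow check: %d\n", needsUnderflowCheck(8192, reserved));
    printf("elision sound for 8K frames:    %d\n",
           elisionIsSoundFor(stackEnd, reserved, softStackLimit, stackTop, 8192));

    /* A frame size as corrupt as an insane m_numCalleeLocals would produce
     * (item 1 above guards that with a RELEASE_ASSERT): without the underflow
     * check the subtraction wraps and the frame is wrongly accepted. */
    uint64_t corruptFrame = UINT64_C(0xFFFFFFFFFFFF0000);
    printf("corrupt frame, unguarded check passes: %d\n",
           stackCheckPasses(softStackLimit, fp, corruptFrame, false));
    printf("corrupt frame, guarded check passes:   %d\n",
           stackCheckPasses(softStackLimit, fp, corruptFrame, true));
    return 0;
}
```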
768
769 2017-06-27  JF Bastien  <jfbastien@apple.com>
770
771         WebAssembly: running out of executable memory should throw OoM
772         https://bugs.webkit.org/show_bug.cgi?id=171537
773         <rdar://problem/32963338>
774
775         Reviewed by Saam Barati.
776
777         Both on first compile with BBQ as well as on tier-up with OMG,
778         running out of X memory shouldn't cause the entire program to
779         terminate. An exception will do when compiling initial code (since
780         we don't have any other fallback at the moment), and refusal to
781         tier up will do as well (it'll just be slower).
782
783         This is useful because programs which generate huge amounts of
784         code simply look like crashes, which developers report to
785         us. Getting a JavaScript exception instead is much clearer.
786
787         * jit/ExecutableAllocator.cpp:
788         (JSC::ExecutableAllocator::allocate):
789         * llint/LLIntSlowPaths.cpp:
790         (JSC::LLInt::shouldJIT):
791         * runtime/Options.h:
792         * wasm/WasmBBQPlan.cpp:
793         (JSC::Wasm::BBQPlan::prepare):
794         (JSC::Wasm::BBQPlan::complete):
795         * wasm/WasmBinding.cpp:
796         (JSC::Wasm::wasmToJs):
797         (JSC::Wasm::wasmToWasm):
798         * wasm/WasmBinding.h:
799         * wasm/WasmOMGPlan.cpp:
800         (JSC::Wasm::OMGPlan::work):
801         * wasm/js/JSWebAssemblyCodeBlock.cpp:
802         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
803         * wasm/js/JSWebAssemblyCodeBlock.h:
804         * wasm/js/JSWebAssemblyInstance.cpp:
805         (JSC::JSWebAssemblyInstance::finalizeCreation):
806
807 2017-06-27  Saam Barati  <sbarati@apple.com>
808
809         JITStubRoutine::passesFilter should use isJITPC
810         https://bugs.webkit.org/show_bug.cgi?id=173906
811
812         Reviewed by JF Bastien.
813
814         This patch makes JITStubRoutine use the isJITPC abstraction defined
815         inside ExecutableAllocator.h. Before, JITStubRoutine was using a
816         hardcoded platform size constant. This means it'd do the wrong thing
817         if Options::jitMemoryReservationSize() was larger than the defined
818         constant for that platform. This patch also removes a bunch of
819         dead code in that file.
820
821         * jit/ExecutableAllocator.cpp:
822         * jit/ExecutableAllocator.h:
823         * jit/JITStubRoutine.h:
824         (JSC::JITStubRoutine::passesFilter):
825         (JSC::JITStubRoutine::canPerformRangeFilter): Deleted.
826         (JSC::JITStubRoutine::filteringStartAddress): Deleted.
827         (JSC::JITStubRoutine::filteringExtentSize): Deleted.
828
829 2017-06-27  Saam Barati  <sbarati@apple.com>
830
831         Fix some stale comments in Wasm code base
832         https://bugs.webkit.org/show_bug.cgi?id=173814
833
834         Reviewed by Mark Lam.
835
836         * wasm/WasmBinding.cpp:
837         (JSC::Wasm::wasmToJs):
838         * wasm/WasmOMGPlan.cpp:
839         (JSC::Wasm::runOMGPlanForIndex):
840
841 2017-06-27  Caio Lima  <ticaiolima@gmail.com>
842
843         [ESnext] Implement Object Rest - Implementing Object Rest Destructuring
844         https://bugs.webkit.org/show_bug.cgi?id=167962
845
846         Reviewed by Saam Barati.
847
        The Object Rest/Spread Destructuring proposal is in stage 3[1] and this
        patch is a prototype implementation of it. A simple change to the
        parser was necessary to support the new '...' token in the Object Pattern
        destructuring rule. On the bytecode generator side, we changed the
        bytecode generated in ObjectPatternNode::bindValue to store in a
        set the identifiers of already destructured properties, following spec draft
        section [2], and then pass it as excludedNames to CopyDataProperties.
        The rest destructuring calls copyDataProperties to perform the
        copy of the rest properties from the rhs.

        We also implemented CopyDataProperties as a private JS global operation
        in builtins/GlobalOperations.js following its specification in [3].
        It is implemented using a Set object to verify whether a property is in
        excludedNames, to keep this algorithm at O(n + m) complexity, where n
        = number of the source's own properties and m = excludedNames.length.

        In this implementation we don't use excludeList as a constant if the
        destructuring pattern contains a computed property, i.e. we can
        only determine the key to be excluded at runtime. If we can determine all
        identifiers in the pattern at compile time, we then create a
        constant JSSet. This approach gives a good performance improvement,
        since we allocate the excludeSet just once, reducing GC pressure.
870
871         [1] - https://github.com/tc39/proposal-object-rest-spread
872         [2] - https://tc39.github.io/proposal-object-rest-spread/#Rest-RuntimeSemantics-PropertyDestructuringAssignmentEvaluation
873         [3] - https://tc39.github.io/proposal-object-rest-spread/#AbstractOperations-CopyDataProperties
874
875         * builtins/BuiltinNames.h:
876         * builtins/GlobalOperations.js:
877         (globalPrivate.copyDataProperties):
878         * bytecode/CodeBlock.cpp:
879         (JSC::CodeBlock::finishCreation):
880         * bytecompiler/NodesCodegen.cpp:
881         (JSC::ObjectPatternNode::bindValue):
882         * parser/ASTBuilder.h:
883         (JSC::ASTBuilder::appendObjectPatternEntry):
884         (JSC::ASTBuilder::appendObjectPatternRestEntry):
885         (JSC::ASTBuilder::setContainsObjectRestElement):
886         * parser/Nodes.h:
887         (JSC::ObjectPatternNode::appendEntry):
888         (JSC::ObjectPatternNode::setContainsRestElement):
889         * parser/Parser.cpp:
890         (JSC::Parser<LexerType>::parseDestructuringPattern):
891         (JSC::Parser<LexerType>::parseProperty):
892         * parser/SyntaxChecker.h:
893         (JSC::SyntaxChecker::operatorStackPop):
894         * runtime/JSGlobalObject.cpp:
895         (JSC::JSGlobalObject::init):
896         * runtime/JSGlobalObject.h:
897         (JSC::JSGlobalObject::asyncFunctionStructure):
898         (JSC::JSGlobalObject::setStructure): Deleted.
899         * runtime/JSGlobalObjectFunctions.cpp:
900         (JSC::privateToObject):
901         * runtime/JSGlobalObjectFunctions.h:
902         * runtime/ObjectConstructor.cpp:
903         (JSC::ObjectConstructor::finishCreation):
904         * runtime/SetPrototype.cpp:
905         (JSC::SetPrototype::finishCreation):
906
907 2017-06-27  Yusuke Suzuki  <utatane.tea@gmail.com>
908
909         [JSC] Do not touch VM after notifying Ready in DFG::Worklist
910         https://bugs.webkit.org/show_bug.cgi?id=173888
911
912         Reviewed by Saam Barati.
913
        After notifying Plan::Ready and releasing the Worklist lock, the VM can be destroyed.
        Thus, Plan::vm() can return a destroyed VM. Do not touch it.
        This causes occasional SEGVs / assertion failures in the workers/bomb test.
917
918         * dfg/DFGWorklist.cpp:
919
920 2017-06-27  Saam Barati  <sbarati@apple.com>
921
922         Remove an inaccurate comment inside DFGClobberize.h
923         https://bugs.webkit.org/show_bug.cgi?id=163874
924
925         Reviewed by Filip Pizlo.
926
        The comment said that Clobberize may or may not be sound if run prior to
        doing type inference. This is not correct, though. Clobberize *must* be sound
        prior to doing type inference since we use it inside the BytecodeParser, which
        is the very first thing the DFG does.
931
932         * dfg/DFGClobberize.h:
933         (JSC::DFG::clobberize):
934
935 2017-06-27  Saam Barati  <sbarati@apple.com>
936
937         Function constructor needs to follow the spec and validate parameters and body independently
938         https://bugs.webkit.org/show_bug.cgi?id=173303
939         <rdar://problem/32732526>
940
941         Reviewed by Keith Miller.
942
        The Function constructor must check the arguments and body strings
        independently for syntax errors. People rely on this specified behavior
        to verify that a particular string is a valid function body. We used
        to check these strings concatenated together, instead of
        independently. For example, this used to be valid: `Function("/*", "*/){")`.
        However, we should throw a syntax error here since "(/*)" is not a valid
        parameter list, and "*/){" is not a valid body.
950         
951         To implement the specified behavior, we check the syntax independently of
952         both the body and the parameter list. To check that the parameter list has
953         valid syntax, we check that it is valid if in a function with an empty body.
954         To check that the body has valid syntax, we check it is valid in a function
955         with an empty parameter list.
956
957         * runtime/FunctionConstructor.cpp:
958         (JSC::constructFunctionSkippingEvalEnabledCheck):
959
960 2017-06-27  Ting-Wei Lan  <lantw44@gmail.com>
961
962         Add missing includes to fix compilation error on FreeBSD
963         https://bugs.webkit.org/show_bug.cgi?id=172919
964
965         Reviewed by Mark Lam.
966
967         * API/JSRemoteInspector.h:
968         * API/tests/GlobalContextWithFinalizerTest.cpp:
969         * API/tests/TypedArrayCTest.cpp:
970
971 2017-06-27  Joseph Pecoraro  <pecoraro@apple.com>
972
973         Web Inspector: Crash generating object preview for ArrayIterator
974         https://bugs.webkit.org/show_bug.cgi?id=173754
975         <rdar://problem/32859012>
976
977         Reviewed by Saam Barati.
978
        When Inspector generated an object preview for an ArrayIterator instance, it made
        a "clone" of the original ArrayIterator instance by constructing a new object with
        the instance's structure. However, user code could have modified that instance's
        structure, such as adding / removing properties. The `return` property had special
        meaning, and our clone did not fill that slot. This approach was brittle in that
        we weren't satisfying the expectations of an object with a particular Structure,
        and the original goal of having Web Inspector peek values of built-in Iterators
        was to avoid observable behavior.
987
988         This tightens Web Inspector's Iterator preview to only peek values if the
989         Iterators would actually be non-observable. It also builds an ArrayIterator
990         clone like a regular object construction.
991
992         * inspector/JSInjectedScriptHost.cpp:
993         (Inspector::cloneArrayIteratorObject):
994         Build up the Object from scratch with a new ArrayIterator prototype.
995
996         (Inspector::JSInjectedScriptHost::iteratorEntries):
997         Only clone and peek iterators if it would not be observable.
998         Also update iteration to be more in line with IterationOperations, such as when
999         we call iteratorClose.
1000
1001         * runtime/JSGlobalObject.cpp:
1002         (JSC::JSGlobalObject::JSGlobalObject):
1003         (JSC::JSGlobalObject::init):
1004         * runtime/JSGlobalObject.h:
1005         (JSC::JSGlobalObject::stringIteratorProtocolWatchpoint):
1006         * runtime/JSGlobalObjectInlines.h:
1007         (JSC::JSGlobalObject::isStringPrototypeIteratorProtocolFastAndNonObservable):
1008         Add a StringIterator WatchPoint in line with the Array/Map/Set iterator watchpoints.
1009
1010         * runtime/JSMap.cpp:
1011         (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
1012         (JSC::JSMap::canCloneFastAndNonObservable):
1013         * runtime/JSMap.h:
1014         * runtime/JSSet.cpp:
1015         (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
1016         (JSC::JSSet::canCloneFastAndNonObservable):
1017         * runtime/JSSet.h:
1018         Promote isIteratorProtocolFastAndNonObservable to a method.
1019
1020         * runtime/JSObject.cpp:
1021         (JSC::canDoFastPutDirectIndex):
1022         * runtime/JSTypeInfo.h:
1023         (JSC::TypeInfo::isArgumentsType):
1024         Helper to detect if an Object is an Arguments type.
1025
1026 2017-06-26  Saam Barati  <sbarati@apple.com>
1027
1028         RegExpPrototype.js builtin uses for-of iteration which is almost certainly incorrect
1029         https://bugs.webkit.org/show_bug.cgi?id=173740
1030
1031         Reviewed by Mark Lam.
1032
1033         The builtin was using for-of iteration to iterate over an internal
1034         list in its algorithm. For-of iteration is observable via user code
1035         in the global object, so this approach was wrong as it would break if
1036         a user changed the Array iteration protocol in some way.
1037
1038         * builtins/RegExpPrototype.js:
1039         (replace):
1040
1041 2017-06-26  Mark Lam  <mark.lam@apple.com>
1042
1043         Renamed DumpRegisterFunctor to DumpReturnVirtualPCFunctor.
1044         https://bugs.webkit.org/show_bug.cgi?id=173848
1045
1046         Reviewed by JF Bastien.
1047
1048         This functor only dumps the return VirtualPC.
1049
1050         * interpreter/Interpreter.cpp:
1051         (JSC::DumpReturnVirtualPCFunctor::DumpReturnVirtualPCFunctor):
1052         (JSC::Interpreter::dumpRegisters):
1053         (JSC::DumpRegisterFunctor::DumpRegisterFunctor): Deleted.
1054         (JSC::DumpRegisterFunctor::operator()): Deleted.
1055
1056 2017-06-26  Saam Barati  <sbarati@apple.com>
1057
1058         Crash in JSC::Lexer<unsigned char>::setCode
1059         https://bugs.webkit.org/show_bug.cgi?id=172754
1060
1061         Reviewed by Mark Lam.
1062
        The lexer was asking one of its buffers to reserve initial space that
        was O(text size in bytes). For large sources, this would end up causing
        the vector to overflow and crash. This patch changes this code to be like
        the Lexer's other buffers and only reserve a small starting buffer.
1067
1068         * parser/Lexer.cpp:
1069         (JSC::Lexer<T>::setCode):
1070
1071 2017-06-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1072
1073         [WTF] Drop Thread::create(obsolete things) API since we can use lambda
1074         https://bugs.webkit.org/show_bug.cgi?id=173825
1075
1076         Reviewed by Saam Barati.
1077
1078         * jsc.cpp:
1079         (startTimeoutThreadIfNeeded):
1080         (timeoutThreadMain): Deleted.
1081
1082 2017-06-26  Konstantin Tokarev  <annulen@yandex.ru>
1083
1084         Unreviewed, add missing header for CLoop
1085
1086         * runtime/SymbolTable.cpp:
1087
1088 2017-06-26  Konstantin Tokarev  <annulen@yandex.ru>
1089
        Unreviewed, add missing header includes
1091
1092         * parser/Lexer.h:
1093
1094 2017-06-25  Konstantin Tokarev  <annulen@yandex.ru>
1095
1096         Remove excessive headers from JavaScriptCore
1097         https://bugs.webkit.org/show_bug.cgi?id=173812
1098
1099         Reviewed by Darin Adler.
1100
1101         * API/APIUtils.h:
1102         * assembler/LinkBuffer.cpp:
1103         * assembler/MacroAssemblerCodeRef.cpp:
1104         * b3/air/AirLiveness.h:
1105         * b3/air/AirLowerAfterRegAlloc.cpp:
1106         * bindings/ScriptValue.cpp:
1107         * bindings/ScriptValue.h:
1108         * bytecode/AccessCase.cpp:
1109         * bytecode/AccessCase.h:
1110         * bytecode/ArrayProfile.h:
1111         * bytecode/BytecodeDumper.h:
1112         * bytecode/BytecodeIntrinsicRegistry.cpp:
1113         * bytecode/BytecodeKills.h:
1114         * bytecode/BytecodeLivenessAnalysis.h:
1115         * bytecode/BytecodeUseDef.h:
1116         * bytecode/CallLinkStatus.h:
1117         * bytecode/CodeBlock.h:
1118         * bytecode/CodeOrigin.h:
1119         * bytecode/ComplexGetStatus.h:
1120         * bytecode/GetByIdStatus.h:
1121         * bytecode/GetByIdVariant.h:
1122         * bytecode/InlineCallFrame.h:
1123         * bytecode/InlineCallFrameSet.h:
1124         * bytecode/Instruction.h:
1125         * bytecode/InternalFunctionAllocationProfile.h:
1126         * bytecode/JumpTable.h:
1127         * bytecode/MethodOfGettingAValueProfile.h:
1128         * bytecode/ObjectPropertyConditionSet.h:
1129         * bytecode/Operands.h:
1130         * bytecode/PolymorphicAccess.h:
1131         * bytecode/PutByIdStatus.h:
1132         * bytecode/SpeculatedType.cpp:
1133         * bytecode/StructureSet.h:
1134         * bytecode/StructureStubInfo.h:
1135         * bytecode/UnlinkedCodeBlock.h:
1136         * bytecode/UnlinkedFunctionExecutable.h:
1137         * bytecode/ValueProfile.h:
1138         * bytecompiler/BytecodeGenerator.cpp:
1139         * bytecompiler/BytecodeGenerator.h:
1140         * bytecompiler/Label.h:
1141         * bytecompiler/StaticPropertyAnalysis.h:
1142         * debugger/DebuggerCallFrame.cpp:
1143         * dfg/DFGAbstractInterpreter.h:
1144         * dfg/DFGAdjacencyList.h:
1145         * dfg/DFGArgumentsUtilities.h:
1146         * dfg/DFGArrayMode.h:
1147         * dfg/DFGArrayifySlowPathGenerator.h:
1148         * dfg/DFGBackwardsPropagationPhase.h:
1149         * dfg/DFGBasicBlock.h:
1150         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
1151         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
1152         * dfg/DFGCapabilities.h:
1153         * dfg/DFGCommon.h:
1154         * dfg/DFGCommonData.h:
1155         * dfg/DFGDesiredIdentifiers.h:
1156         * dfg/DFGDesiredWatchpoints.h:
1157         * dfg/DFGDisassembler.cpp:
1158         * dfg/DFGDominators.h:
1159         * dfg/DFGDriver.cpp:
1160         * dfg/DFGDriver.h:
1161         * dfg/DFGEdgeDominates.h:
1162         * dfg/DFGFinalizer.h:
1163         * dfg/DFGGenerationInfo.h:
1164         * dfg/DFGJITCompiler.cpp:
1165         * dfg/DFGJITCompiler.h:
1166         * dfg/DFGJITFinalizer.h:
1167         * dfg/DFGLivenessAnalysisPhase.h:
1168         * dfg/DFGMinifiedNode.h:
1169         * dfg/DFGMultiGetByOffsetData.h:
1170         * dfg/DFGNaturalLoops.cpp:
1171         * dfg/DFGNaturalLoops.h:
1172         * dfg/DFGNode.h:
1173         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
1174         * dfg/DFGOSRExit.h:
1175         * dfg/DFGOSRExitCompilationInfo.h:
1176         * dfg/DFGOSRExitCompiler.cpp:
1177         * dfg/DFGOSRExitCompiler.h:
1178         * dfg/DFGOSRExitJumpPlaceholder.h:
1179         * dfg/DFGOperations.cpp:
1180         * dfg/DFGOperations.h:
1181         * dfg/DFGPlan.h:
1182         * dfg/DFGPreciseLocalClobberize.h:
1183         * dfg/DFGPromotedHeapLocation.h:
1184         * dfg/DFGRegisteredStructure.h:
1185         * dfg/DFGRegisteredStructureSet.h:
1186         * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
1187         * dfg/DFGSlowPathGenerator.h:
1188         * dfg/DFGSnippetParams.h:
1189         * dfg/DFGSpeculativeJIT.h:
1190         * dfg/DFGToFTLDeferredCompilationCallback.h:
1191         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h:
1192         * dfg/DFGValidate.h:
1193         * dfg/DFGValueSource.h:
1194         * dfg/DFGVariableEvent.h:
1195         * dfg/DFGVariableEventStream.h:
1196         * dfg/DFGWorklist.h:
1197         * domjit/DOMJITCallDOMGetterSnippet.h:
1198         * domjit/DOMJITEffect.h:
1199         * ftl/FTLLink.cpp:
1200         * ftl/FTLLowerDFGToB3.cpp:
1201         * ftl/FTLPatchpointExceptionHandle.h:
1202         * heap/AllocatorAttributes.h:
1203         * heap/CodeBlockSet.h:
1204         * heap/DeferGC.h:
1205         * heap/GCSegmentedArray.h:
1206         * heap/Heap.cpp:
1207         * heap/Heap.h:
1208         * heap/IncrementalSweeper.h:
1209         * heap/ListableHandler.h:
1210         * heap/MachineStackMarker.h:
1211         * heap/MarkedAllocator.h:
1212         * heap/MarkedBlock.cpp:
1213         * heap/MarkedBlock.h:
1214         * heap/MarkingConstraint.h:
1215         * heap/SlotVisitor.cpp:
1216         * heap/SlotVisitor.h:
1217         * inspector/ConsoleMessage.cpp:
1218         * inspector/ConsoleMessage.h:
1219         * inspector/InjectedScript.h:
1220         * inspector/InjectedScriptHost.h:
1221         * inspector/InjectedScriptManager.cpp:
1222         * inspector/JSGlobalObjectInspectorController.cpp:
1223         * inspector/JavaScriptCallFrame.h:
1224         * inspector/ScriptCallStack.h:
1225         * inspector/ScriptCallStackFactory.cpp:
1226         * inspector/ScriptDebugServer.h:
1227         * inspector/agents/InspectorConsoleAgent.h:
1228         * inspector/agents/InspectorDebuggerAgent.cpp:
1229         * inspector/agents/InspectorDebuggerAgent.h:
1230         * inspector/agents/InspectorHeapAgent.cpp:
1231         * inspector/agents/InspectorHeapAgent.h:
1232         * inspector/agents/InspectorRuntimeAgent.h:
1233         * inspector/agents/InspectorScriptProfilerAgent.cpp:
1234         * inspector/agents/InspectorScriptProfilerAgent.h:
1235         * inspector/agents/JSGlobalObjectConsoleAgent.h:
1236         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
1237         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
1238         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
1239         * inspector/augmentable/AlternateDispatchableAgent.h:
1240         * interpreter/CLoopStack.h:
1241         * interpreter/CachedCall.h:
1242         * interpreter/CallFrame.h:
1243         * interpreter/Interpreter.cpp:
1244         * interpreter/Interpreter.h:
1245         * jit/AssemblyHelpers.cpp:
1246         * jit/AssemblyHelpers.h:
1247         * jit/CCallHelpers.h:
1248         * jit/CallFrameShuffler.h:
1249         * jit/ExecutableAllocator.h:
1250         * jit/GCAwareJITStubRoutine.h:
1251         * jit/HostCallReturnValue.h:
1252         * jit/ICStats.h:
1253         * jit/JIT.cpp:
1254         * jit/JIT.h:
1255         * jit/JITAddGenerator.h:
1256         * jit/JITCall32_64.cpp:
1257         * jit/JITCode.h:
1258         * jit/JITDisassembler.cpp:
1259         * jit/JITExceptions.cpp:
1260         * jit/JITMathIC.h:
1261         * jit/JITOpcodes.cpp:
1262         * jit/JITOperations.cpp:
1263         * jit/JITOperations.h:
1264         * jit/JITThunks.cpp:
1265         * jit/JITThunks.h:
1266         * jit/JSInterfaceJIT.h:
1267         * jit/PCToCodeOriginMap.h:
1268         * jit/PolymorphicCallStubRoutine.h:
1269         * jit/RegisterSet.h:
1270         * jit/Repatch.h:
1271         * jit/SetupVarargsFrame.h:
1272         * jit/Snippet.h:
1273         * jit/SnippetParams.h:
1274         * jit/ThunkGenerators.h:
1275         * jsc.cpp:
1276         * llint/LLIntCLoop.h:
1277         * llint/LLIntEntrypoint.h:
1278         * llint/LLIntExceptions.h:
1279         * llint/LLIntOfflineAsmConfig.h:
1280         * llint/LLIntSlowPaths.cpp:
1281         * parser/NodeConstructors.h:
1282         * parser/Nodes.cpp:
1283         * parser/Nodes.h:
1284         * parser/Parser.cpp:
1285         * parser/Parser.h:
1286         * parser/ParserTokens.h:
1287         * parser/SourceProviderCacheItem.h:
1288         * profiler/ProfilerBytecodeSequence.h:
1289         * profiler/ProfilerDatabase.cpp:
1290         * profiler/ProfilerDatabase.h:
1291         * profiler/ProfilerOrigin.h:
1292         * profiler/ProfilerOriginStack.h:
1293         * profiler/ProfilerProfiledBytecodes.h:
1294         * profiler/ProfilerUID.h:
1295         * runtime/AbstractModuleRecord.h:
1296         * runtime/ArrayConstructor.h:
1297         * runtime/ArrayConventions.h:
1298         * runtime/ArrayIteratorPrototype.h:
1299         * runtime/ArrayPrototype.h:
1300         * runtime/BasicBlockLocation.h:
1301         * runtime/Butterfly.h:
1302         * runtime/CallData.cpp:
1303         * runtime/CodeCache.h:
1304         * runtime/CommonSlowPaths.cpp:
1305         * runtime/CommonSlowPaths.h:
1306         * runtime/CommonSlowPathsExceptions.cpp:
1307         * runtime/Completion.cpp:
1308         * runtime/ControlFlowProfiler.h:
1309         * runtime/DateInstanceCache.h:
1310         * runtime/ErrorConstructor.h:
1311         * runtime/ErrorInstance.h:
1312         * runtime/ExceptionHelpers.cpp:
1313         * runtime/ExceptionHelpers.h:
1314         * runtime/ExecutableBase.h:
1315         * runtime/FunctionExecutable.h:
1316         * runtime/HasOwnPropertyCache.h:
1317         * runtime/Identifier.h:
1318         * runtime/InternalFunction.h:
1319         * runtime/IntlCollator.cpp:
1320         * runtime/IntlCollatorPrototype.h:
1321         * runtime/IntlDateTimeFormatPrototype.h:
1322         * runtime/IntlNumberFormat.cpp:
1323         * runtime/IntlNumberFormatPrototype.h:
1324         * runtime/IteratorOperations.cpp:
1325         * runtime/JSArray.h:
1326         * runtime/JSArrayBufferPrototype.h:
1327         * runtime/JSCJSValue.h:
1328         * runtime/JSCJSValueInlines.h:
1329         * runtime/JSCell.h:
1330         * runtime/JSFunction.cpp:
1331         * runtime/JSFunction.h:
1332         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1333         * runtime/JSGlobalObject.cpp:
1334         * runtime/JSGlobalObject.h:
1335         * runtime/JSGlobalObjectDebuggable.cpp:
1336         * runtime/JSGlobalObjectDebuggable.h:
1337         * runtime/JSGlobalObjectFunctions.cpp:
1338         * runtime/JSGlobalObjectFunctions.h:
1339         * runtime/JSJob.cpp:
1340         * runtime/JSLock.h:
1341         * runtime/JSModuleLoader.cpp:
1342         * runtime/JSModuleNamespaceObject.h:
1343         * runtime/JSModuleRecord.h:
1344         * runtime/JSObject.cpp:
1345         * runtime/JSObject.h:
1346         * runtime/JSRunLoopTimer.h:
1347         * runtime/JSTemplateRegistryKey.h:
1348         * runtime/JSTypedArrayPrototypes.cpp:
1349         * runtime/JSTypedArrayPrototypes.h:
1350         * runtime/JSTypedArrays.h:
1351         * runtime/LiteralParser.h:
1352         * runtime/MatchResult.h:
1353         * runtime/MemoryStatistics.h:
1354         * runtime/PrivateName.h:
1355         * runtime/PromiseDeferredTimer.h:
1356         * runtime/ProxyObject.h:
1357         * runtime/RegExp.h:
1358         * runtime/SamplingProfiler.cpp:
1359         * runtime/SmallStrings.h:
1360         * runtime/StringPrototype.cpp:
1361         * runtime/StringRecursionChecker.h:
1362         * runtime/Structure.h:
1363         * runtime/SymbolConstructor.h:
1364         * runtime/SymbolPrototype.cpp:
1365         * runtime/SymbolPrototype.h:
1366         * runtime/TypeProfiler.h:
1367         * runtime/TypeProfilerLog.h:
1368         * runtime/TypedArrayType.h:
1369         * runtime/VM.cpp:
1370         * runtime/VM.h:
1371         * runtime/VMEntryScope.h:
1372         * runtime/WeakMapData.h:
1373         * runtime/WriteBarrier.h:
1374         * tools/FunctionOverrides.cpp:
1375         * tools/FunctionOverrides.h:
1376         * wasm/WasmBinding.cpp:
1377         * wasm/js/JSWebAssemblyCodeBlock.h:
1378         * wasm/js/WebAssemblyPrototype.cpp:
1379         * yarr/Yarr.h:
1380         * yarr/YarrJIT.cpp:
1381         * yarr/YarrJIT.h:
1382         * yarr/YarrParser.h:
1383
1384 2017-06-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1385
1386         [JSC] Clean up Object.entries implementation
1387         https://bugs.webkit.org/show_bug.cgi?id=173759
1388
1389         Reviewed by Sam Weinig.
1390
        This patch cleans up the Object.entries implementation.
        We drop unused private functions and merge the
        implementation into Object.entries.

        It slightly speeds up Object.entries.
1396
1397                                      baseline                  patched
1398
1399             object-entries      148.0101+-5.6627          142.1877+-4.8661          might be 1.0409x faster
1400
1401
1402         * builtins/BuiltinNames.h:
1403         * builtins/ObjectConstructor.js:
1404         (entries):
1405         (globalPrivate.enumerableOwnProperties): Deleted.
1406         * runtime/JSGlobalObject.cpp:
1407         (JSC::JSGlobalObject::init):
1408         * runtime/ObjectConstructor.cpp:
1409         (JSC::ownEnumerablePropertyKeys): Deleted.
1410         * runtime/ObjectConstructor.h:
1411
1412 2017-06-24  Joseph Pecoraro  <pecoraro@apple.com>
1413
1414         Remove Reflect.enumerate
1415         https://bugs.webkit.org/show_bug.cgi?id=173806
1416
1417         Reviewed by Yusuke Suzuki.
1418
1419         * CMakeLists.txt:
1420         * JavaScriptCore.xcodeproj/project.pbxproj:
1421         * inspector/JSInjectedScriptHost.cpp:
1422         (Inspector::JSInjectedScriptHost::subtype):
1423         (Inspector::JSInjectedScriptHost::getInternalProperties):
1424         (Inspector::JSInjectedScriptHost::iteratorEntries):
1425         * runtime/JSGlobalObject.cpp:
1426         (JSC::JSGlobalObject::init):
1427         (JSC::JSGlobalObject::visitChildren):
1428         * runtime/JSPropertyNameIterator.cpp: Removed.
1429         * runtime/JSPropertyNameIterator.h: Removed.
1430         * runtime/ReflectObject.cpp:
1431         (JSC::reflectObjectEnumerate): Deleted.
1432
1433 2017-06-23  Keith Miller  <keith_miller@apple.com>
1434
1435         Switch VMTraps to use halt instructions rather than breakpoint instructions
1436         https://bugs.webkit.org/show_bug.cgi?id=173677
1437         <rdar://problem/32178892>
1438
1439         Reviewed by JF Bastien.
1440
        Using the breakpoint instruction for VMTraps caused issues with lldb.
        Since we only need some way to stop execution we can, in theory, use
        any exceptioning instruction we want. I went with the halt instruction
        on X86 since that is the only one-byte instruction that does not
        breakpoint (in my tests both 0xf1 and 0xd6 produced EXC_BREAKPOINT).
        On ARM we use the data cache clearing instruction with the zero register,
        which triggers a segmentation fault.

        Also, update the platform code to only use signaling VMTraps
        where we have an appropriate instruction (x86 and ARM64).
1451
1452         * API/tests/ExecutionTimeLimitTest.cpp:
1453         (testExecutionTimeLimit):
1454         * assembler/ARM64Assembler.h:
1455         (JSC::ARM64Assembler::replaceWithVMHalt):
1456         (JSC::ARM64Assembler::dataCacheZeroVirtualAddress):
1457         (JSC::ARM64Assembler::replaceWithBkpt): Deleted.
1458         * assembler/ARMAssembler.h:
1459         (JSC::ARMAssembler::replaceWithBkpt): Deleted.
1460         * assembler/ARMv7Assembler.h:
1461         (JSC::ARMv7Assembler::replaceWithBkpt): Deleted.
1462         * assembler/MIPSAssembler.h:
1463         (JSC::MIPSAssembler::replaceWithBkpt): Deleted.
1464         * assembler/MacroAssemblerARM.h:
1465         (JSC::MacroAssemblerARM::replaceWithBreakpoint): Deleted.
1466         * assembler/MacroAssemblerARM64.h:
1467         (JSC::MacroAssemblerARM64::replaceWithVMHalt):
1468         (JSC::MacroAssemblerARM64::replaceWithBreakpoint): Deleted.
1469         * assembler/MacroAssemblerARMv7.h:
1470         (JSC::MacroAssemblerARMv7::storeFence):
1471         (JSC::MacroAssemblerARMv7::replaceWithBreakpoint): Deleted.
1472         * assembler/MacroAssemblerMIPS.h:
1473         (JSC::MacroAssemblerMIPS::replaceWithBreakpoint): Deleted.
1474         * assembler/MacroAssemblerX86Common.h:
1475         (JSC::MacroAssemblerX86Common::replaceWithVMHalt):
1476         (JSC::MacroAssemblerX86Common::replaceWithBreakpoint): Deleted.
1477         * assembler/X86Assembler.h:
1478         (JSC::X86Assembler::replaceWithHlt):
1479         (JSC::X86Assembler::replaceWithInt3): Deleted.
1480         * dfg/DFGJumpReplacement.cpp:
1481         (JSC::DFG::JumpReplacement::installVMTrapBreakpoint):
1482         * runtime/VMTraps.cpp:
1483         (JSC::SignalContext::SignalContext):
1484         (JSC::installSignalHandler):
1485         (JSC::SignalContext::adjustPCToPointToTrappingInstruction): Deleted.
1486         * wasm/WasmFaultSignalHandler.cpp:
1487         (JSC::Wasm::enableFastMemory):
1488
1489 2017-06-22  Saam Barati  <sbarati@apple.com>
1490
1491         The lowering of Identity in the DFG backend needs to use ManualOperandSpeculation
1492         https://bugs.webkit.org/show_bug.cgi?id=173743
1493         <rdar://problem/32932536>
1494
1495         Reviewed by Mark Lam.
1496
1497         The code always manually speculates, however, we weren't specifying
1498         ManualOperandSpeculation when creating a JSValueOperand. This would
1499         fire an assertion in JSValueOperand construction for a node like:
1500         Identity(String:@otherNode)
1501         
1502         I spent about 45 minutes trying to craft a test and came up
1503         empty. However, this fixes a debug assertion on an internal
1504         Apple website.
1505
1506         * dfg/DFGSpeculativeJIT32_64.cpp:
1507         (JSC::DFG::SpeculativeJIT::compile):
1508         * dfg/DFGSpeculativeJIT64.cpp:
1509         (JSC::DFG::SpeculativeJIT::compile):
1510
1511 2017-06-22  Saam Barati  <sbarati@apple.com>
1512
1513         ValueRep(DoubleRep(@v)) can not simply convert to @v
1514         https://bugs.webkit.org/show_bug.cgi?id=173687
1515         <rdar://problem/32855563>
1516
1517         Reviewed by Mark Lam.
1518
1519         Consider this IR:
1520          block#x
1521           p: Phi() // int32 and double flows into this phi from various control flow
1522           d: DoubleRep(@p)
1523           some uses of @d here
1524           v: ValueRep(DoubleRepUse:@d)
1525           a: NewArrayWithSize(Int32:@v)
1526           some more nodes here ...
1527         
1528         Because the flow of ValueRep(DoubleRep(@p)) will not produce an Int32,
1529         AI proves that the Int32 check will fail. Constant folding phase removes
1530         all nodes after @a and inserts an Unreachable after the NewArrayWithSize node.
1531         
1532         The IR then looks like this:
1533         block#x
1534           p: Phi() // int32 and double flows into this phi from various control flow
1535           d: DoubleRep(@p)
1536           some uses of @d here
1537           v: ValueRep(DoubleRepUse:@d)
1538           a: NewArrayWithSize(Int32:@v)
1539           Unreachable
1540         
1541         However, there was a strength reduction rule that tries to eliminate redundant
1542         conversions. It used to convert the program to:
1543         block#x
1544           p: Phi() // int32 and double flows into this phi from various control flow
1545           d: DoubleRep(@p)
1546           some uses of @d here
1547           a: NewArrayWithSize(Int32:@p)
1548           Unreachable
1549         
1550         However, at runtime, @p will actually be an Int32, so @a will not OSR exit,
1551         and we'll crash. This patch removes this strength reduction rule since it
1552         does not maintain what would have happened if we executed the program before
1553         the rule.
1554         
1555         This rule is also wrong for other types of programs (I'm not sure we'd
1556         actually emit this code, but if such IR were generated, we would previously
1557         optimize it incorrectly):
1558         @a: Constant(JSTrue)
1559         @b: DoubleRep(@a)
1560         @c: ValueRep(@b)
1561         @d: use(@c)
1562         
1563         However, the strength reduction rule would've transformed this into:
1564         @a: Constant(JSTrue)
1565         @d: use(@a)
1566         
1567         And this would be wrong because node @c before the transformation would
1568         have produced the JSValue jsNumber(1.0).
1569         
1570         This patch was neutral in the benchmark run I did.
1571
1572         * dfg/DFGStrengthReductionPhase.cpp:
1573         (JSC::DFG::StrengthReductionPhase::handleNode):
1574
1575 2017-06-22  JF Bastien  <jfbastien@apple.com>
1576
1577         ARM64: doubled executable memory limit from 32MiB to 64MiB
1578         https://bugs.webkit.org/show_bug.cgi?id=173734
1579         <rdar://problem/32932407>
1580
1581         Reviewed by Oliver Hunt.
1582
1583         Some WebAssembly programs stress the amount of memory we have
1584         available, especially when we consider tiering (BBQ never dies,
1585         and is bigger than OMG). Tiering to OMG just piles on more memory,
1586         and we're also competing with JavaScript.
1587
1588         * jit/ExecutableAllocator.h:
1589
1590 2017-06-22  Joseph Pecoraro  <pecoraro@apple.com>
1591
1592         Web Inspector: Pausing with a deep call stack can be very slow, avoid eagerly generating object previews
1593         https://bugs.webkit.org/show_bug.cgi?id=173698
1594
1595         Reviewed by Matt Baker.
1596
1597         When pausing in a deep call stack the majority of the time spent in JavaScriptCore
1598         when preparing Inspector pause information is spent generating object previews for
1599         the `thisObject` of each of the call frames. In some cases, this could be more
1600         than 95% of the time generating pause information. In the common case, only one of
1601         these (the top frame) will ever be seen by users. This change avoids eagerly
1602         generating object previews up front and lets the frontend request previews if they
1603         are needed.
1604
1605         This introduces the `Runtime.getPreview` protocol command. This can be used to:
1606
1607             - Get a preview for a RemoteObject that did not have a preview but could.
1608             - Update a preview for a RemoteObject that had a preview.
1609
1610         This patch only uses it for the first case, but the second is valid and may be
1611         something we want to do in the future.
1612
1613         * inspector/protocol/Runtime.json:
1614         A new command to get an up to date preview for an object.
1615
1616         * inspector/InjectedScript.h:
1617         * inspector/InjectedScript.cpp:
1618         (Inspector::InjectedScript::getPreview):
1619         * inspector/agents/InspectorRuntimeAgent.cpp:
1620         (Inspector::InspectorRuntimeAgent::getPreview):
1621         * inspector/agents/InspectorRuntimeAgent.h:
1622         Plumbing for the new command.
1623
1624         * inspector/InjectedScriptSource.js:
1625         (InjectedScript.prototype.getPreview):
1626         Implementation just uses the existing helper.
1627
1628         (InjectedScript.CallFrameProxy):
1629         Do not generate a preview for the this object as it may not be shown.
1630         Let the frontend request a preview if it wants or needs one.
1631
1632 2017-06-22  Joseph Pecoraro  <pecoraro@apple.com>
1633
1634         Web Inspector: Remove stale "rawScopes" concept that was never available in JSC
1635         https://bugs.webkit.org/show_bug.cgi?id=173686
1636
1637         Reviewed by Mark Lam.
1638
1639         * inspector/InjectedScript.cpp:
1640         (Inspector::InjectedScript::functionDetails):
1641         * inspector/InjectedScriptSource.js:
1642         (InjectedScript.prototype.functionDetails):
1643         * inspector/JSInjectedScriptHost.cpp:
1644         (Inspector::JSInjectedScriptHost::functionDetails):
1645
1646 2017-06-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1647
1648         [JSC] Object.values should be implemented in C++
1649         https://bugs.webkit.org/show_bug.cgi?id=173703
1650
1651         Reviewed by Sam Weinig.
1652
1653         As with Object.assign, Object.values() is also inherently polymorphic.
1654         And allocating JSString / Symbol for Identifier and JSArray for Object.keys()
1655         result is costly.
1656
1657         In this patch, we implement Object.values() in C++. It can avoid the above allocations.
1658         Furthermore, by using `slot.isTaintedByOpaqueObject()` information, we can skip
1659         non-observable JSObject::get() calls.
1660
1661         This improves performance by 2.49x. And also now Object.values() beats
1662         Object.keys(object).map(key => object[key]) implementation.
1663
1664                                              baseline                  patched
1665
1666             object-values               132.1551+-3.7209     ^     53.1254+-1.6139        ^ definitely 2.4876x faster
1667             object-keys-map-values       78.2008+-2.1378     ?     78.9078+-2.2121        ?
1668
1669         * builtins/ObjectConstructor.js:
1670         (values): Deleted.
1671         * runtime/ObjectConstructor.cpp:
1672         (JSC::objectConstructorValues):
1673
1674 2017-06-21  Saam Barati  <sbarati@apple.com>
1675
1676         ArrayPrototype.map builtin declares a var it does not use
1677         https://bugs.webkit.org/show_bug.cgi?id=173685
1678
1679         Reviewed by Keith Miller.
1680
1681         * builtins/ArrayPrototype.js:
1682         (map):
1683
1684 2017-06-21  Saam Barati  <sbarati@apple.com>
1685
1686         eval virtual call is incorrect in the baseline JIT
1687         https://bugs.webkit.org/show_bug.cgi?id=173587
1688         <rdar://problem/32867897>
1689
1690         Reviewed by Michael Saboff.
1691
1692         When making a virtual call for call_eval, e.g., when the thing
1693         we're calling isn't actually eval, we end up calling the caller
1694         instead of the callee. This is clearly wrong. The code ends up
1695         issuing a load for the Callee in the callers frame instead of
1696         the callee we're calling. The fix is simple, we just need to
1697         load the real callee. Only the 32-bit baseline JIT had this bug.
1698
1699         * jit/JITCall32_64.cpp:
1700         (JSC::JIT::compileCallEvalSlowCase):
1701
1702 2017-06-21  Joseph Pecoraro  <pecoraro@apple.com>
1703
1704         Web Inspector: Using "break on all exceptions" when throwing stack overflow hangs inspector
1705         https://bugs.webkit.org/show_bug.cgi?id=172432
1706         <rdar://problem/29870873>
1707
1708         Reviewed by Saam Barati.
1709
1710         Avoid pausing on StackOverflow and OutOfMemory errors to avoid a hang.
1711         We will proceed to improve debugging of these cases in the follow-up bugs.
1712
1713         * debugger/Debugger.cpp:
1714         (JSC::Debugger::exception):
1715         Ignore pausing on these errors.
1716
1717         * runtime/ErrorInstance.h:
1718         (JSC::ErrorInstance::setStackOverflowError):
1719         (JSC::ErrorInstance::isStackOverflowError):
1720         (JSC::ErrorInstance::setOutOfMemoryError):
1721         (JSC::ErrorInstance::isOutOfMemoryError):
1722         * runtime/ExceptionHelpers.cpp:
1723         (JSC::createStackOverflowError):
1724         * runtime/Error.cpp:
1725         (JSC::createOutOfMemoryError):
1726         Mark these kinds of errors.
1727
1728 2017-06-21  Saam Barati  <sbarati@apple.com>
1729
1730         Make it clear that regenerating ICs are holding the CodeBlock's lock by passing the locker as a parameter
1731         https://bugs.webkit.org/show_bug.cgi?id=173609
1732
1733         Reviewed by Keith Miller.
1734
1735         This patch makes many of the IC generating functions require a locker as
1736         a parameter. We do this in other places in JSC to indicate that
1737         a particular API is only valid while a particular lock is held.
1738         This is the case when generating ICs. This patch just makes it
1739         explicit in the IC generating interface.
1740
1741         * bytecode/PolymorphicAccess.cpp:
1742         (JSC::PolymorphicAccess::addCases):
1743         (JSC::PolymorphicAccess::addCase):
1744         (JSC::PolymorphicAccess::commit):
1745         (JSC::PolymorphicAccess::regenerate):
1746         * bytecode/PolymorphicAccess.h:
1747         * bytecode/StructureStubInfo.cpp:
1748         (JSC::StructureStubInfo::addAccessCase):
1749         (JSC::StructureStubInfo::initStub): Deleted.
1750         * bytecode/StructureStubInfo.h:
1751         * jit/Repatch.cpp:
1752         (JSC::tryCacheGetByID):
1753         (JSC::repatchGetByID):
1754         (JSC::tryCachePutByID):
1755         (JSC::repatchPutByID):
1756         (JSC::tryRepatchIn):
1757         (JSC::repatchIn):
1758
1759 2017-06-20  Myles C. Maxfield  <mmaxfield@apple.com>
1760
1761         Disable font variations on macOS Sierra and iOS 10
1762         https://bugs.webkit.org/show_bug.cgi?id=173618
1763         <rdar://problem/32879164>
1764
1765         Reviewed by Jon Lee.
1766
1767         * Configurations/FeatureDefines.xcconfig:
1768
1769 2017-06-20  Keith Miller  <keith_miller@apple.com>
1770
1771         Fix leak of ModuleInformations in BBQPlan constructors.
1772         https://bugs.webkit.org/show_bug.cgi?id=173577
1773
1774         Reviewed by Saam Barati.
1775
1776         This patch fixes a leak in the BBQPlan constructors. Previously,
1777         the plans were calling makeRef on the newly constructed objects.
1778         This patch fixes the issue and uses adoptRef instead. Additionally,
1779         an old, incorrect, attempt to fix the leak is removed.
1780
1781         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
1782         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
1783         * jit/JITWorklist.cpp:
1784         (JSC::JITWorklist::Thread::Thread):
1785         * runtime/PromiseDeferredTimer.cpp:
1786         (JSC::PromiseDeferredTimer::addPendingPromise):
1787         * runtime/VM.cpp:
1788         (JSC::VM::VM):
1789         * wasm/WasmBBQPlan.cpp:
1790         (JSC::Wasm::BBQPlan::BBQPlan):
1791         * wasm/WasmPlan.cpp:
1792         (JSC::Wasm::Plan::Plan):
1793
1794 2017-06-20  Devin Rousso  <drousso@apple.com>
1795
1796         Web Inspector: Send context attributes for tracked canvases
1797         https://bugs.webkit.org/show_bug.cgi?id=173327
1798
1799         Reviewed by Joseph Pecoraro.
1800
1801         * inspector/protocol/Canvas.json:
1802         Add ContextAttributes object type that is optionally used for WebGL canvases.
1803
1804 2017-06-20  Konstantin Tokarev  <annulen@yandex.ru>
1805
1806         Remove excessive include directives from WTF
1807         https://bugs.webkit.org/show_bug.cgi?id=173553
1808
1809         Reviewed by Saam Barati.
1810
1811         * profiler/ProfilerDatabase.cpp: Added missing include directive.
1812         * runtime/SamplingProfiler.cpp: Ditto.
1813
1814 2017-06-20  Oleksandr Skachkov  <gskachkov@gmail.com>
1815
1816         Revert changes in bug#160417 about extending `null` not being a derived class
1817         https://bugs.webkit.org/show_bug.cgi?id=169293
1818
1819         Reviewed by Saam Barati.
1820
1821         Reverted changes in bug#160417 about extending `null` not being a derived class 
1822         according to changes in spec:
1823         https://github.com/tc39/ecma262/commit/c57ef95c45a371f9c9485bb1c3881dbdc04524a2
1824
1825         * builtins/BuiltinNames.h:
1826         * bytecompiler/BytecodeGenerator.cpp:
1827         (JSC::BytecodeGenerator::BytecodeGenerator):
1828         (JSC::BytecodeGenerator::emitReturn):
1829         * bytecompiler/NodesCodegen.cpp:
1830         (JSC::ClassExprNode::emitBytecode):
1831
1832 2017-06-20  Saam Barati  <sbarati@apple.com>
1833
1834         repatchIn needs to lock the CodeBlock's lock
1835         https://bugs.webkit.org/show_bug.cgi?id=173573
1836
1837         Reviewed by Yusuke Suzuki.
1838
1839         CodeBlock::propagateTransitions and CodeBlock::visitWeakly grab the CodeBlock's
1840         lock before modifying the StructureStubInfo/PolymorphicAccess. When regenerating
1841         an IC, we must hold the CodeBlock's lock to prevent the executing thread from racing
1842         with the marking thread. repatchIn was not grabbing the lock. I haven't been
1843         able to get it to crash, but this is needed for the same reasons that get and put IC
1844         regeneration grab the lock.
1845
1846         * jit/Repatch.cpp:
1847         (JSC::repatchIn):
1848
1849 2017-06-19  Devin Rousso  <drousso@apple.com>
1850
1851         Web Inspector: create canvas content view and details sidebar panel
1852         https://bugs.webkit.org/show_bug.cgi?id=138941
1853         <rdar://problem/19051672>
1854
1855         Reviewed by Joseph Pecoraro.
1856
1857         * inspector/protocol/Canvas.json:
1858          - Add an optional `nodeId` attribute to the `Canvas` type.
1859          - Add `requestNode` command for getting the node id of the backing canvas element.
1860          - Add `requestContent` command for getting the current image content of the canvas.
1861
1862 2017-06-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1863
1864         Unreviewed, build fix for ARM
1865
1866         * assembler/MacroAssemblerARM.h:
1867         (JSC::MacroAssemblerARM::internalCompare32):
1868
1869 2017-06-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1870
1871         [DFG] More ArrayIndexOf fixups for various types
1872         https://bugs.webkit.org/show_bug.cgi?id=173176
1873
1874         Reviewed by Saam Barati.
1875
1876         This patch further expands coverage of ArrayIndexOf optimization in DFG and FTL.
1877
1878         1. We attempt to fold ArrayIndexOf to constant (-1) if we know that its array
1879         never contains the given search value.
1880
1881         2. We support Symbol and Other specialization additionally. Especially, Other is
1882         useful because null/undefined can be used as a sentinel value.
1883
1884         One interesting thing is that Array.prototype.indexOf does not consider holes as
1885         undefineds. Thus,
1886
1887             var array = [,,,,,,,];
1888             array.indexOf(undefined); // => -1
1889
1890         This can be trivially achieved in JSC because Empty and Undefined are different values.
1891
1892         * dfg/DFGFixupPhase.cpp:
1893         (JSC::DFG::FixupPhase::fixupNode):
1894         (JSC::DFG::FixupPhase::fixupArrayIndexOf):
1895         * dfg/DFGSpeculativeJIT.cpp:
1896         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
1897         (JSC::DFG::SpeculativeJIT::speculateOther):
1898         * dfg/DFGSpeculativeJIT.h:
1899         * ftl/FTLLowerDFGToB3.cpp:
1900         (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf):
1901
1902 2017-06-19  Caio Lima  <ticaiolima@gmail.com>
1903
1904         [ARMv6][DFG] ARM MacroAssembler is always emitting cmn when immediate is 0
1905         https://bugs.webkit.org/show_bug.cgi?id=172972
1906
1907         Reviewed by Mark Lam.
1908
1909         We are changing internalCompare32 implementation in ARM
1910         MacroAssembler to emit "cmp" when the "right.value" is 0.
1911         It is generating wrong comparison cases, since the
1912         semantics of cmn are the opposite of cmp [1]. One case that it's breaking is
1913         "branch32(MacroAssembler::Above, gpr, TrustedImm32(0))", which ends up
1914         resulting in the following assembly code:
1915
1916         ```
1917         cmn $r0, #0
1918         bhi <address>
1919         ```
1920
1921         However, as cmn is similar to "adds", it will never take the branch
1922         when $r0 > 0. In that case, the correct opcode is "cmp". With this
1923         patch we will fix current broken tests that use
1924         "branch32(MacroAssembler::Above, gpr, TrustedImm32(0))",
1925         such as ForwardVarargs, Spread and GetRestLength.
1926
1927         [1] - http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0204j/Cihiddid.html
1928
1929         * assembler/MacroAssemblerARM.h:
1930         (JSC::MacroAssemblerARM::internalCompare32):
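
Added example, not JSC code: a small model of the ARM NZCV flags produced by `cmp` (subtract and discard) and `cmn` (add and discard), used to show that `cmn rN, #0` followed by `bhi` can never branch while `cmp rN, #0` does, and that the cmp/cmn immediate substitution the assembler relies on is only flag-equivalent for non-zero immediates. The helper names and the flag model are this example's own construction.

```javascript
// Added example (not JSC code): models ARM flag semantics for cmp/cmn on
// 32-bit values, to reproduce the internalCompare32 bug described above.

const MASK32 = 0xFFFFFFFF;
const u32 = x => x >>> 0;

// Flags for `cmp a, b` (computes a - b).  C is "no borrow", i.e. a >= b unsigned.
function cmpFlags(a, b) {
  a = u32(a); b = u32(b);
  const result = u32(a - b);
  return {
    N: (result >>> 31) === 1,
    Z: result === 0,
    C: a >= b,
    V: ((a ^ b) & (a ^ result) & 0x80000000) !== 0,
  };
}

// Flags for `cmn a, b` (computes a + b).  C is set when the unsigned sum
// does not fit in 32 bits.
function cmnFlags(a, b) {
  a = u32(a); b = u32(b);
  const sum = a + b;               // exact in a double (< 2^33)
  const result = u32(sum);
  return {
    N: (result >>> 31) === 1,
    Z: result === 0,
    C: sum > MASK32,
    V: (~(a ^ b) & (a ^ result) & 0x80000000) !== 0,
  };
}

// ARM condition HI (unsigned higher): taken when C is set and Z is clear.
const hi = flags => flags.C && !flags.Z;

// branch32(Above, r0, TrustedImm32(0)) as emitted before and after the fix:
// the buggy path emits `cmn r0, #0; bhi`, the fixed path `cmp r0, #0; bhi`.
function aboveZeroTaken(r0, { useCmn }) {
  const flags = useCmn ? cmnFlags(r0, 0) : cmpFlags(r0, 0);
  return hi(flags);
}

// The assembler's trick: `cmp r, #imm` can be encoded as `cmn r, #-imm`.
// For 0 < |imm| < 2^31 the two produce identical N, Z, C and V; for imm == 0
// the carry differs (a - 0 never borrows, a + 0 never carries), which is
// exactly why `cmn r, #0` breaks HI.
function flagsAgree(a, imm) {
  const viaCmp = cmpFlags(a, imm);
  const viaCmn = cmnFlags(a, u32(-imm));
  return ['N', 'Z', 'C', 'V'].every(f => viaCmp[f] === viaCmn[f]);
}
```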
1931
1932 2017-06-19  Joseph Pecoraro  <pecoraro@apple.com>
1933
1934         test262: Completion values for control flow do not match the spec
1935         https://bugs.webkit.org/show_bug.cgi?id=171265
1936
1937         Reviewed by Saam Barati.
1938
1939         * bytecompiler/BytecodeGenerator.h:
1940         (JSC::BytecodeGenerator::shouldBeConcernedWithCompletionValue):
1941         When we care about having proper completion values (global code
1942         in programs, modules, and eval) insert undefined results for
1943         control flow statements.
1944
1945         * bytecompiler/NodesCodegen.cpp:
1946         (JSC::SourceElements::emitBytecode):
1947         Reduce writing a default `undefined` value to the completion result to
1948         only once before the last statement we know will produce a value.
1949
1950         (JSC::IfElseNode::emitBytecode):
1951         (JSC::WithNode::emitBytecode):
1952         (JSC::WhileNode::emitBytecode):
1953         (JSC::ForNode::emitBytecode):
1954         (JSC::ForInNode::emitBytecode):
1955         (JSC::ForOfNode::emitBytecode):
1956         (JSC::SwitchNode::emitBytecode):
1957         Insert an undefined to handle cases where code may break out of an
1958         if/else or with statement (break/continue).
1959
1960         (JSC::TryNode::emitBytecode):
1961         Same handling for break cases. Also, finally block statement completion
1962         values are always ignored for the try statement result.
1963
1964         (JSC::ClassDeclNode::emitBytecode):
1965         Class declarations, like function declarations, produce an empty result.
1966
1967         * parser/Nodes.cpp:
1968         (JSC::SourceElements::lastStatement):
1969         (JSC::SourceElements::hasCompletionValue):
1970         (JSC::SourceElements::hasEarlyBreakOrContinue):
1971         (JSC::BlockNode::lastStatement):
1972         (JSC::BlockNode::singleStatement):
1973         (JSC::BlockNode::hasCompletionValue):
1974         (JSC::BlockNode::hasEarlyBreakOrContinue):
1975         (JSC::ScopeNode::singleStatement):
1976         (JSC::ScopeNode::hasCompletionValue):
1977         (JSC::ScopeNode::hasEarlyBreakOrContinue):
1978         The only non-trivial cases need to loop through their list of statements
1979         to determine if this has a completion value or not. Likewise for
1980         determining if there is an early break / continue, meaning a break or
1981         continue statement with no preceding statement that has a completion value.
1982
1983         * parser/Nodes.h:
1984         (JSC::StatementNode::next):
1985         (JSC::StatementNode::hasCompletionValue):
1986         Helper to check if a statement node produces a completion value or not.
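
Added example, not JSC code: the completion-value rules this entry makes JSC follow, observed from script through eval and compared against the values the specification requires. The `completionValue` and `checkCompletionValues` helpers and the snippet list are constructed for this example.

```javascript
// Added example (not JSC code): exercises ECMAScript completion values for
// control-flow statements.  eval() returns the completion value of the code it
// runs, so it is the most direct way to observe these rules from script.
//
// Rules being checked (UpdateEmpty semantics in the spec):
//  - if/while/for/do-while yield `undefined` when their body produced no value,
//    instead of leaking the value of an earlier statement;
//  - a break before any value-producing statement also yields `undefined`;
//  - the completion value of a `finally` block is ignored for the try statement;
//  - function declarations produce an empty completion, so the previous
//    statement's value flows through.

function completionValue(source) {
  // Indirect eval: the snippet runs as sloppy-mode global code, where
  // completion values are observable.
  return (0, eval)(source);
}

// Constructed snippets paired with the value the specification requires.
const completionCases = [
  ['1; if (true) {}',                        undefined], // empty body -> undefined, not 1
  ['1; if (false) {}',                       undefined], // untaken branch -> undefined
  ['1; if (true) { 2; }',                    2],
  ['1; while (false) {}',                    undefined], // loop never entered
  ['1; for (var i = 0; i < 0; i++) {}',      undefined],
  ['1; do { 2; } while (false)',             2],
  ['1; do { break; } while (false)',         undefined], // early break, no value before it
  ['1; try { 2; } finally { 3; }',           2],         // finally value ignored
  ['1; try { } finally { 3; }',              undefined],
  ['1; try { throw 0; } catch (e) { 4; }',   4],
  ['1; function f() {}',                     1],         // declaration: empty completion
];

// Evaluates every case; returns the list of mismatches, empty when the engine
// agrees with the specification on all of them.
function checkCompletionValues(cases = completionCases) {
  const mismatches = [];
  for (const [source, expected] of cases) {
    const actual = completionValue(source);
    if (!Object.is(actual, expected)) mismatches.push({ source, expected, actual });
  }
  return mismatches;
}
```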
1987
1988 2017-06-19  Adrian Perez de Castro  <aperez@igalia.com>
1989
1990         Missing <functional> includes make builds fail with GCC 7.x
1991         https://bugs.webkit.org/show_bug.cgi?id=173544
1992
1993         Unreviewed gardening.
1994
1995         Fix compilation with GCC 7.
1996
1997         * API/tests/CompareAndSwapTest.cpp:
1998         * runtime/VMEntryScope.h:
1999
2000 2017-06-17  Keith Miller  <keith_miller@apple.com>
2001
2002         ArrayBuffer constructor needs to create subclass structures before its buffer
2003         https://bugs.webkit.org/show_bug.cgi?id=173510
2004
2005         Reviewed by Yusuke Suzuki.
2006
2007         * runtime/JSArrayBufferConstructor.cpp:
2008         (JSC::constructArrayBuffer):
2009
2010 2017-06-17  Keith Miller  <keith_miller@apple.com>
2011
2012         ArrayPrototype methods should use JSValue::toLength for non-Arrays.
2013         https://bugs.webkit.org/show_bug.cgi?id=173506
2014
2015         Reviewed by Ryosuke Niwa.
2016
2017         This patch changes the result of unshift if old length +
2018         unshift.arguments.length > (2 ** 53) - 1 to be a type error. Also,
2019         the getLength function, which was always incorrect to use, has
2020         been removed. Additionally, some cases where we were using a
2021         constant for (2 ** 53) - 1 have been replaced with
2022         maxSafeInteger().
2023
2024         * interpreter/Interpreter.cpp:
2025         (JSC::sizeOfVarargs):
2026         * runtime/ArrayPrototype.cpp:
2027         (JSC::arrayProtoFuncToLocaleString):
2028         (JSC::arrayProtoFuncPop):
2029         (JSC::arrayProtoFuncPush):
2030         (JSC::arrayProtoFuncReverse):
2031         (JSC::arrayProtoFuncShift):
2032         (JSC::arrayProtoFuncSlice):
2033         (JSC::arrayProtoFuncSplice):
2034         (JSC::arrayProtoFuncUnShift):
2035         (JSC::arrayProtoFuncIndexOf):
2036         (JSC::arrayProtoFuncLastIndexOf):
2037         * runtime/JSArrayInlines.h:
2038         (JSC::getLength): Deleted.
2039         * runtime/JSCJSValue.cpp:
2040         (JSC::JSValue::toLength):
2041         * runtime/NumberConstructor.cpp:
2042         (JSC::numberConstructorFuncIsSafeInteger):
2043
2044 2017-06-16  Matt Baker  <mattbaker@apple.com>
2045
2046         Web Inspector: Instrument 2D/WebGL canvas contexts in the backend
2047         https://bugs.webkit.org/show_bug.cgi?id=172623
2048         <rdar://problem/32415986>
2049
2050         Reviewed by Devin Rousso and Joseph Pecoraro.
2051
2052         This patch adds a basic Canvas protocol. It includes Canvas and related
2053         types and events for monitoring the lifetime of canvases in the page.
2054
2055         * CMakeLists.txt:
2056         * DerivedSources.make:
2057         * inspector/protocol/Canvas.json: Added.
2058
2059         * inspector/scripts/codegen/generator.py:
2060         (Generator.stylized_name_for_enum_value):
2061         Add special handling for Canvas.ContextType protocol enumeration,
2062         so that "canvas-2d" and "webgl" map to `Canvas2D` and `WebGL`.
2063
2064 2017-06-16  Wenson Hsieh  <wenson_hsieh@apple.com>
2065
2066         [iOS DnD] Upstream iOS drag and drop implementation into OpenSource WebKit
2067         https://bugs.webkit.org/show_bug.cgi?id=173366
2068         <rdar://problem/32767014>
2069
2070         Reviewed by Tim Horton.
2071
2072         Introduce ENABLE_DATA_INTERACTION and ENABLE_DRAG_SUPPORT to FeatureDefines.xcconfig.
2073
2074         * Configurations/FeatureDefines.xcconfig:
2075
2076 2017-06-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2077
2078         [JSC] Add fast path for Object.assign
2079         https://bugs.webkit.org/show_bug.cgi?id=173416
2080
2081         Reviewed by Mark Lam.
2082
2083         In Object.assign implementation, we need to ensure that given key is still enumerable own key.
2084         This seems to be a duplicate lookup. And we want to avoid this. However, we still need to perform this
2085         check in the face of Proxy. Proxy can observe that this check is done correctly.
2086
2087         In almost all the cases, the above check is duplicate to the subsequent [[Get]] operation.
2088         In this patch, we perform this check. But at that time, we investigate `isTaintedByOpaqueObject()`.
2089         If it is false, we can say that getOwnPropertySlot is pure. In that case, we can just retrieve the
2090         value by calling `slot.getValue()`.
2091
2092         This further improves performance of Object.assign.
2093
2094                                         baseline                  patched
2095
2096             object-assign.es6      363.6706+-6.4381     ^    324.1769+-6.9624        ^ definitely 1.1218x faster
2097
2098         * runtime/ObjectConstructor.cpp:
2099         (JSC::objectConstructorAssign):
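
Added example, not JSC code, covering both this Object.assign entry and the Object.values entry above: for each own key both operations must re-read the property descriptor (to confirm the key is still an enumerable own property) and only then perform [[Get]]. JSC skips the second lookup when the object cannot observe it; the helpers below, whose names are this example's own, show the two situations where it is observable and the check must be kept: a Proxy that sees every trap, and a getter that deletes a sibling key while being read.

```javascript
// Added example (not JSC code): shows why the descriptor check before [[Get]]
// in Object.assign / Object.values is observable and cannot simply be dropped.

// Wraps `target` in a Proxy that records every trap in call order.
function traceTraps(target) {
  const log = [];
  const proxy = new Proxy(target, {
    ownKeys(t) {
      log.push('ownKeys');
      return Reflect.ownKeys(t);
    },
    getOwnPropertyDescriptor(t, key) {
      log.push(`gOPD:${String(key)}`);
      return Reflect.getOwnPropertyDescriptor(t, key);
    },
    get(t, key, receiver) {
      log.push(`get:${String(key)}`);
      return Reflect.get(t, key, receiver);
    },
  });
  return { proxy, log };
}

// Spec order for a two-property source: ownKeys, then for each key its
// getOwnPropertyDescriptor trap followed by its get trap.
function trapsForObjectAssign() {
  const { proxy, log } = traceTraps({ a: 1, b: 2 });
  return { result: Object.assign({}, proxy), log };
}

function trapsForObjectValues() {
  const { proxy, log } = traceTraps({ a: 1, b: 2 });
  return { result: Object.values(proxy), log };
}

// Constructed source whose getter for `a` deletes `b` while being read.  The
// descriptor check for `b` then finds nothing, so `b` must be skipped; an
// implementation that reused the key list without re-checking would wrongly
// produce `undefined` for it.
function makeSelfMutatingSource() {
  return {
    get a() { delete this.b; return 'a-value'; },
    b: 'b-value',
  };
}

function assignFromSelfMutatingSource() {
  return Object.assign({}, makeSelfMutatingSource());
}

function valuesOfSelfMutatingSource() {
  return Object.values(makeSelfMutatingSource());
}
```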
2100
2101 2017-06-16  Michael Saboff  <msaboff@apple.com>
2102
2103         Intermittent crash running Internal/Tests/InternalJSTests/Regress/radar-24300617.js
2104         https://bugs.webkit.org/show_bug.cgi?id=173488
2105
2106         Reviewed by Filip Pizlo.
2107
2108         ClonedArguments lazily sets its callee and iterator properties and it used its own inline
2109         code to initialize its butterfly.  This means that these lazily set properties can have
2110         bogus values in those slots.  Instead, let's use the standard Butterfly::tryCreate() method
2111         to create the butterfly as it clears out of line properties.
2112
2113         * runtime/ClonedArguments.cpp:
2114         (JSC::ClonedArguments::createEmpty):
2115
2116 2017-06-16  Mark Lam  <mark.lam@apple.com>
2117
2118         Interpreter methods for mapping between Opcode and OpcodeID need not be instance methods.
2119         https://bugs.webkit.org/show_bug.cgi?id=173491
2120
2121         Reviewed by Keith Miller.
2122
2123         The implementations are based on static data. There's no need to get the
2124         interpreter instance. Hence, we can make these methods static and avoid doing
2125         unnecessary work to compute the interpreter this pointer.
2126
2127         Also removed the unused isCallBytecode method.
2128
2129         * bytecode/BytecodeBasicBlock.cpp:
2130         (JSC::BytecodeBasicBlock::computeImpl):
2131         * bytecode/BytecodeDumper.cpp:
2132         (JSC::BytecodeDumper<Block>::printGetByIdOp):
2133         (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
2134         (JSC::BytecodeDumper<Block>::dumpBytecode):
2135         (JSC::BytecodeDumper<Block>::dumpBlock):
2136         * bytecode/BytecodeLivenessAnalysis.cpp:
2137         (JSC::BytecodeLivenessAnalysis::dumpResults):
2138         * bytecode/BytecodeLivenessAnalysisInlines.h:
2139         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::stepOverInstruction):
2140         * bytecode/BytecodeRewriter.cpp:
2141         (JSC::BytecodeRewriter::adjustJumpTargetsInFragment):
2142         * bytecode/CallLinkStatus.cpp:
2143         (JSC::CallLinkStatus::computeFromLLInt):
2144         * bytecode/CodeBlock.cpp:
2145         (JSC::CodeBlock::finishCreation):
2146         (JSC::CodeBlock::propagateTransitions):
2147         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2148         (JSC::CodeBlock::hasOpDebugForLineAndColumn):
2149         (JSC::CodeBlock::usesOpcode):
2150         (JSC::CodeBlock::valueProfileForBytecodeOffset):
2151         (JSC::CodeBlock::arithProfileForPC):
2152         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
2153         * bytecode/PreciseJumpTargets.cpp:
2154         (JSC::getJumpTargetsForBytecodeOffset):
2155         (JSC::computePreciseJumpTargetsInternal):
2156         (JSC::findJumpTargetsForBytecodeOffset):
2157         * bytecode/PreciseJumpTargetsInlines.h:
2158         (JSC::extractStoredJumpTargetsForBytecodeOffset):
2159         * bytecode/UnlinkedCodeBlock.cpp:
2160         (JSC::UnlinkedCodeBlock::applyModification):
2161         * dfg/DFGByteCodeParser.cpp:
2162         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
2163         (JSC::DFG::ByteCodeParser::parseBlock):
2164         * dfg/DFGCapabilities.cpp:
2165         (JSC::DFG::capabilityLevel):
2166         * interpreter/Interpreter.cpp:
2167         (JSC::Interpreter::Interpreter):
2168         (JSC::Interpreter::isOpcode):
2169         (): Deleted.
2170         * interpreter/Interpreter.h:
2171         (JSC::Interpreter::getOpcode): Deleted.
2172         (JSC::Interpreter::getOpcodeID): Deleted.
2173         (JSC::Interpreter::isCallBytecode): Deleted.
2174         * interpreter/InterpreterInlines.h:
2175         (JSC::Interpreter::getOpcode):
2176         (JSC::Interpreter::getOpcodeID):
2177         * jit/JIT.cpp:
2178         (JSC::JIT::privateCompileMainPass):
2179         (JSC::JIT::privateCompileSlowCases):
2180         * jit/JITOpcodes.cpp:
2181         (JSC::JIT::emitNewFuncCommon):
2182         (JSC::JIT::emitNewFuncExprCommon):
2183         * jit/JITPropertyAccess.cpp:
2184         (JSC::JIT::emitSlow_op_put_by_val):
2185         (JSC::JIT::privateCompilePutByVal):
2186         * jit/JITPropertyAccess32_64.cpp:
2187         (JSC::JIT::emitSlow_op_put_by_val):
2188         * llint/LLIntSlowPaths.cpp:
2189         (JSC::LLInt::llint_trace_operand):
2190         (JSC::LLInt::llint_trace_value):
2191         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2192         * profiler/ProfilerBytecodeSequence.cpp:
2193         (JSC::Profiler::BytecodeSequence::BytecodeSequence):
2194
2195 2017-06-16  Matt Lewis  <jlewis3@apple.com>
2196
2197         Unreviewed, rolling out r218376.
2198
        The patch caused multiple Layout Test crashes.
2200
2201         Reverted changeset:
2202
2203         "Web Inspector: Instrument 2D/WebGL canvas contexts in the
2204         backend"
2205         https://bugs.webkit.org/show_bug.cgi?id=172623
2206         http://trac.webkit.org/changeset/218376
2207
2208 2017-06-16  Konstantin Tokarev  <annulen@yandex.ru>
2209
2210         REGRESSION(r166799): LogsPageMessagesToSystemConsoleEnabled corrupts non-ASCII characters
2211         https://bugs.webkit.org/show_bug.cgi?id=173470
2212
2213         Reviewed by Joseph Pecoraro.
2214
        ConsoleClient::printConsoleMessageWithArguments() incorrectly uses the
        const char* overload of StringBuilder::append(), which assumes Latin1
        encoding, not UTF8.
2218
2219         * runtime/ConsoleClient.cpp:
2220         (JSC::ConsoleClient::printConsoleMessageWithArguments):
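
        The encoding mismatch above, as an added example written for this page (it is
        not JSC's StringBuilder code): widenAsLatin1 does what the const char* overload
        does with the bytes, and decodeUTF8 does what a UTF-8-aware append has to do
        instead. The UTF16 alias, the function names and the inputs are this example's
        own stand-ins.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// A 16-bit string, standing in for WTF's UChar-based String (assumed model).
using UTF16 = std::vector<uint16_t>;

// What the const char* overload does with the bytes: every byte becomes one
// code unit, i.e. the input is interpreted as Latin-1.
UTF16 widenAsLatin1(const std::string& bytes)
{
    UTF16 out;
    for (unsigned char c : bytes)
        out.push_back(c);
    return out;
}

// What the UTF-8 path has to do instead: decode multi-byte sequences into code
// points, replace malformed input (truncated, overlong, surrogates, out of
// range) with U+FFFD, and emit surrogate pairs above U+FFFF.
UTF16 decodeUTF8(const std::string& bytes)
{
    UTF16 out;
    static const uint32_t minForLength[5] = { 0, 0, 0x80, 0x800, 0x10000 };
    size_t i = 0;
    while (i < bytes.size()) {
        unsigned char lead = bytes[i];
        uint32_t codePoint = 0;
        size_t length = 0;
        if (lead < 0x80) { codePoint = lead; length = 1; }
        else if ((lead & 0xE0) == 0xC0) { codePoint = lead & 0x1F; length = 2; }
        else if ((lead & 0xF0) == 0xE0) { codePoint = lead & 0x0F; length = 3; }
        else if ((lead & 0xF8) == 0xF0) { codePoint = lead & 0x07; length = 4; }
        else { out.push_back(0xFFFD); ++i; continue; }   // stray continuation byte or 0xF8..0xFF

        if (i + length > bytes.size()) { out.push_back(0xFFFD); break; }   // truncated sequence

        bool wellFormed = true;
        for (size_t k = 1; k < length; ++k) {
            unsigned char b = bytes[i + k];
            if ((b & 0xC0) != 0x80) { wellFormed = false; break; }
            codePoint = (codePoint << 6) | (b & 0x3F);
        }
        if (!wellFormed) { out.push_back(0xFFFD); ++i; continue; }
        if (codePoint < minForLength[length] || codePoint > 0x10FFFF
            || (codePoint >= 0xD800 && codePoint <= 0xDFFF)) {
            out.push_back(0xFFFD);   // overlong, surrogate or beyond U+10FFFF
            i += length;
            continue;
        }
        if (codePoint >= 0x10000) {
            codePoint -= 0x10000;
            out.push_back(static_cast<uint16_t>(0xD800 + (codePoint >> 10)));
            out.push_back(static_cast<uint16_t>(0xDC00 + (codePoint & 0x3FF)));
        } else
            out.push_back(static_cast<uint16_t>(codePoint));
        i += length;
    }
    return out;
}
```

        Feeding the UTF-8 bytes of "café" (63 61 66 C3 A9) to widenAsLatin1 yields five
        code units, the last two being the mojibake "Ã©"; decodeUTF8 yields four, ending
        in U+00E9. The decoder also refuses overlong and truncated sequences instead of
        passing their bytes through, which is the other half of treating bytes as text.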
2221
2222 2017-06-15  Mark Lam  <mark.lam@apple.com>
2223
2224         Add a JSRunLoopTimer registry in VM.
2225         https://bugs.webkit.org/show_bug.cgi?id=173429
2226         <rdar://problem/31287961>
2227
2228         Reviewed by Filip Pizlo.
2229
2230         This way, we can be sure we've got every JSRunLoopTimer instance covered if we
2231         need to change their run loop (e.g. when setting to the WebThread's run loop).
2232
2233         * heap/Heap.cpp:
2234         (JSC::Heap::Heap):
2235         (JSC::Heap::setRunLoop): Deleted.
2236         * heap/Heap.h:
2237         (JSC::Heap::runLoop): Deleted.
2238         * runtime/JSRunLoopTimer.cpp:
2239         (JSC::JSRunLoopTimer::JSRunLoopTimer):
2240         (JSC::JSRunLoopTimer::setRunLoop):
2241         (JSC::JSRunLoopTimer::~JSRunLoopTimer):
2242         * runtime/VM.cpp:
2243         (JSC::VM::VM):
2244         (JSC::VM::registerRunLoopTimer):
2245         (JSC::VM::unregisterRunLoopTimer):
2246         (JSC::VM::setRunLoop):
2247         * runtime/VM.h:
2248         (JSC::VM::runLoop):
2249
2250 2017-06-15  Joseph Pecoraro  <pecoraro@apple.com>
2251
2252         [Cocoa] Modernize some internal initializers to use instancetype instead of id
2253         https://bugs.webkit.org/show_bug.cgi?id=173112
2254
2255         Reviewed by Wenson Hsieh.
2256
2257         * API/JSContextInternal.h:
2258         * API/JSWrapperMap.h:
2259         * API/JSWrapperMap.mm:
2260         (-[JSObjCClassInfo initForClass:]):
2261         (-[JSWrapperMap initWithGlobalContextRef:]):
2262
2263 2017-06-15  Matt Baker  <mattbaker@apple.com>
2264
2265         Web Inspector: Instrument 2D/WebGL canvas contexts in the backend
2266         https://bugs.webkit.org/show_bug.cgi?id=172623
2267         <rdar://problem/32415986>
2268
2269         Reviewed by Devin Rousso.
2270
2271         This patch adds a basic Canvas protocol. It includes Canvas and related
2272         types and events for monitoring the lifetime of canvases in the page.
2273
2274         * CMakeLists.txt:
2275         * DerivedSources.make:
2276         * inspector/protocol/Canvas.json: Added.
2277
2278         * inspector/scripts/codegen/generator.py:
2279         (Generator.stylized_name_for_enum_value):
2280         Add special handling for Canvas.ContextType protocol enumeration,
2281         so that "canvas-2d" and "webgl" map to `Canvas2D` and `WebGL`.
2282
2283 2017-06-15  Keith Miller  <keith_miller@apple.com>
2284
2285         Add logging to MachineStackMarker to try to diagnose crashes in the wild
2286         https://bugs.webkit.org/show_bug.cgi?id=173427
2287
2288         Reviewed by Mark Lam.
2289
        This patch adds some logging to the MachineStackMarker constructor
        to help figure out where we are seeing crashes. Since macOS does
        not support os_log_info my hope is that if we set all the callee
        save registers before making any calls in the C++ code we can
        figure out which call is the source of the crash. We also set
        all the caller save registers before returning in case some
        weirdness is happening in the Heap constructor.
2297
2298         This logging should not matter from a performance perspective. We
2299         only create MachineStackMarkers when we are creating a new VM,
2300         which is already expensive.
2301
2302         * heap/MachineStackMarker.cpp:
2303         (JSC::MachineThreads::MachineThreads):
2304
2305 2017-06-15  Yusuke Suzuki  <utatane.tea@gmail.com>
2306
2307         [JSC] Implement Object.assign in C++
2308         https://bugs.webkit.org/show_bug.cgi?id=173414
2309
2310         Reviewed by Saam Barati.
2311
        Implementing Object.assign in JS is not so good compared to the C++ version because,

        1. JS version allocates JS array for object own keys. And we allocate JSString / Symbol for each key.
        But basically, they can be handled as UniquedStringImpl in C++. Allocating these cells is wasteful.

        2. While implementing builtins in JS offers some good type speculation chances, Object.assign is inherently super polymorphic.
        So JS's type profile doesn't help well.

        3. We have a chance to introduce various fast paths for Object.assign in C++.
2321
2322         This patch moves implementation from JS to C++. It achieves the above (1) and (2). (3) is filed in [1].
2323
2324         We can see 1.65x improvement in SixSpeed object-assign.es6.
2325
2326                                     baseline                  patched
2327
2328         object-assign.es6      643.3253+-8.0521     ^    389.1075+-8.8840        ^ definitely 1.6533x faster
2329
2330         [1]: https://bugs.webkit.org/show_bug.cgi?id=173416
2331
2332         * builtins/ObjectConstructor.js:
2333         (entries):
2334         (assign): Deleted.
2335         * runtime/JSCJSValueInlines.h:
2336         (JSC::JSValue::putInline):
2337         * runtime/JSCell.h:
2338         * runtime/JSCellInlines.h:
2339         (JSC::JSCell::putInline):
2340         * runtime/JSObject.cpp:
2341         (JSC::JSObject::put):
2342         * runtime/JSObject.h:
2343         * runtime/JSObjectInlines.h:
2344         (JSC::JSObject::putInlineForJSObject):
2345         (JSC::JSObject::putInline): Deleted.
2346         * runtime/ObjectConstructor.cpp:
2347         (JSC::objectConstructorAssign):
2348
2349 2017-06-14  Dan Bernstein  <mitz@apple.com>
2350
2351         [Cocoa] Objective-C class whose name begins with an underscore can’t be exported to JavaScript
2352         https://bugs.webkit.org/show_bug.cgi?id=168578
2353
2354         Reviewed by Geoff Garen.
2355
2356         * API/JSWrapperMap.mm:
2357         (allocateConstructorForCustomClass): Updated for change to forEachProtocolImplementingProtocol.
2358         (-[JSObjCClassInfo allocateConstructorAndPrototype]): Ditto.
2359         (-[JSWrapperMap classInfoForClass:]): If the class name begins with an underscore, check if
2360           it defines conformance to a JSExport-derived protocol and if so, avoid using the
2361           superclass as a substitute as we’d normally do.
2362
2363         * API/ObjcRuntimeExtras.h:
2364         (forEachProtocolImplementingProtocol): Added a "stop" argument to the block to let callers
2365           bail out.
2366
2367         * API/tests/JSExportTests.mm:
2368         (+[JSExportTests classNamePrefixedWithUnderscoreTest]): New test for this.
2369         (runJSExportTests): Run new test.
2370
2371 2017-06-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2372
        Unreviewed, suppress invalid register allocation validation assertion in 32 bit part 2
2374         https://bugs.webkit.org/show_bug.cgi?id=172421
2375
2376         * dfg/DFGSpeculativeJIT.cpp:
2377         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
2378
2379 2017-06-14  Claudio Saavedra  <csaavedra@igalia.com>
2380
2381         REGRESSION: 15 new jsc failures in WPE and GTK+
2382         https://bugs.webkit.org/show_bug.cgi?id=173349
2383
2384         Reviewed by JF Bastien.
2385
        Recent changes to generateWasm.py are not accounted for from
        CMake, which leads to WasmOps.h not being regenerated in partial
        builds. Make generateWasm.py an additional dependency.

        * CMakeLists.txt:
2390
2391 2017-06-13  Joseph Pecoraro  <pecoraro@apple.com>
2392
2393         Debugger has unexpected effect on program correctness
2394         https://bugs.webkit.org/show_bug.cgi?id=172683
2395
2396         Reviewed by Saam Barati.
2397
2398         * inspector/InjectedScriptSource.js:
2399         (InjectedScript.RemoteObject.prototype._appendPropertyPreviews):
2400         (InjectedScript.RemoteObject.prototype._isPreviewableObjectInternal):
2401         (BasicCommandLineAPI):
2402         Eliminate for..of use with Arrays from InjectedScriptSource as it can be observable.
2403         We still use it for Set / Map iteration which we can eliminate when moving to builtins.
2404
2405 2017-06-13  JF Bastien  <jfbastien@apple.com>
2406
2407         WebAssembly: fix erroneous signature comment
2408         https://bugs.webkit.org/show_bug.cgi?id=173334
2409
2410         Reviewed by Keith Miller.
2411
2412         * wasm/WasmSignature.h:
2413
2414 2017-06-13  Michael Saboff  <msaboff@apple.com>
2415
2416         Refactor AbsenceOfSetter to AbsenceOfSetEffects
2417         https://bugs.webkit.org/show_bug.cgi?id=173322
2418
2419         Reviewed by Filip Pizlo.
2420
2421         * bytecode/ObjectPropertyCondition.h:
2422         (JSC::ObjectPropertyCondition::absenceOfSetEffectWithoutBarrier):
2423         (JSC::ObjectPropertyCondition::absenceOfSetEffect):
2424         (JSC::ObjectPropertyCondition::absenceOfSetterWithoutBarrier): Deleted.
2425         (JSC::ObjectPropertyCondition::absenceOfSetter): Deleted.
2426         * bytecode/ObjectPropertyConditionSet.cpp:
2427         (JSC::generateConditionsForPropertySetterMiss):
2428         (JSC::generateConditionsForPropertySetterMissConcurrently):
2429         * bytecode/PropertyCondition.cpp:
2430         (JSC::PropertyCondition::dumpInContext):
2431         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):
2432         (JSC::PropertyCondition::isStillValid):
2433         (WTF::printInternal):
2434         * bytecode/PropertyCondition.h:
2435         (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
2436         (JSC::PropertyCondition::absenceOfSetEffect):
2437         (JSC::PropertyCondition::hasPrototype):
2438         (JSC::PropertyCondition::hash):
2439         (JSC::PropertyCondition::operator==):
2440         (JSC::PropertyCondition::absenceOfSetterWithoutBarrier): Deleted.
2441         (JSC::PropertyCondition::absenceOfSetter): Deleted.
2442
2443 2017-06-13  JF Bastien  <jfbastien@apple.com>
2444
2445         WebAssembly: import updated spec tests
2446         https://bugs.webkit.org/show_bug.cgi?id=173287
2447         <rdar://problem/32725975>
2448
2449         Reviewed by Saam Barati.
2450
2451         Import spec tests as of 31c641cc15f2aedbec2fa45a5185f68416df578b,
2452         with a few modifications so things work.
2453
2454         Fix a bunch of bugs found through this process, and punt a few tests (which I
2455         marked as blocked by this bug).
2456
2457         Fixes:
2458
2459         Fix load / store alignment: r216908 erroneously implemented it as bit alignment
2460         instead of byte alignment. It was also missing memory-alignment.js despite it
2461         being in the ChangeLog, so add it too. This allows spec-test/align.wast.js to
2462         pass.
2463
2464         Tables can be imported or in a section. There can be only one, but sections can
2465         be empty. An Elements section can exist if there's no Table, as long as it is
2466         also empty.
2467
2468         Memories can be imported or in a section. There can be only one, but sections
2469         can be empty. A Data section can exist if there's no Memory, as long as it is
2470         also empty.
2471
2472         Prototypes: stringify without .prototype. in the string.
2473
2474         WebAssembly.Table.prototype.grow was plain wrong: it takes a delta parameter,
2475         not a final size, and throws a RangeError on failure, not a TypeError.
2476
        Fix compile / instantiate so they reject the promise if given an argument of the
        wrong type (instead of failing instantly).
2479
2480         Fix async on neuter test.
2481
2482         Element section shouldn't affect any Table if any of the elements are out of
2483         bounds. We need to process it in two passes.
2484
2485         Segment section shouldn't affect any Data if any of the segments are out of
2486         bounds. We need to process it in two passes.
2487
2488         Empty data segments are valid, but only when there is no memory. Their index
2489         still gets validated, and has to be zero.
2490
2491         Punts:
2492
2493         Error messages with context, the test seems overly restrictive but this is
2494         minor.
2495
2496         compile/instantiate/validate property descriptors.
2497
2498         UTF-8 bugs.
2499
2500         Temporarily disable NaN tests. We need to go back and implement the following
2501         semantics: https://github.com/WebAssembly/spec/pull/414 This doesn't matter as
2502         much as getting all the other tests passing.
2503
        Worth noting for NaNs: f64.no_fold_mul_one (also a NaN test) as well as
        no_fold_promote_demote (an interesting corner case which we get wrong). mul by
        one is (assert_return (invoke "f64.no_fold_mul_one" (i64.const
        0x7ff4000000000000)) (i64.const 0x7ff8000000000000)) which means converting sNaN
        to qNaN, and promote/demote is (assert_return (invoke "no_fold_promote_demote"
        (i32.const 0x7fa00000)) (i32.const 0x7fc00000)) which is the same. I'm not sure
        why they're not allowed.
2511
2512         * wasm/WasmB3IRGenerator.cpp:
2513         * wasm/WasmFunctionParser.h:
2514         * wasm/WasmModuleParser.cpp:
2515         * wasm/WasmModuleParser.h:
2516         * wasm/WasmParser.h:
2517         (JSC::Wasm::Parser<SuccessType>::consumeUTF8String):
2518         * wasm/generateWasm.py:
2519         (memoryLog2Alignment):
2520         * wasm/js/JSWebAssemblyTable.cpp:
2521         (JSC::JSWebAssemblyTable::grow):
2522         * wasm/js/JSWebAssemblyTable.h:
2523         * wasm/js/WebAssemblyCompileErrorPrototype.cpp:
2524         * wasm/js/WebAssemblyInstancePrototype.cpp:
2525         * wasm/js/WebAssemblyLinkErrorPrototype.cpp:
2526         * wasm/js/WebAssemblyMemoryPrototype.cpp:
2527         * wasm/js/WebAssemblyModulePrototype.cpp:
2528         * wasm/js/WebAssemblyModuleRecord.cpp:
2529         (JSC::WebAssemblyModuleRecord::evaluate):
2530         * wasm/js/WebAssemblyPrototype.cpp:
2531         (JSC::webAssemblyCompileFunc):
2532         (JSC::resolve):
2533         (JSC::instantiate):
2534         (JSC::compileAndInstantiate):
2535         (JSC::webAssemblyInstantiateFunc):
2536         * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp:
2537         * wasm/js/WebAssemblyTablePrototype.cpp:
2538         (JSC::webAssemblyTableProtoFuncGrow):
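
        Two of the fixes above, alignment measured in bytes rather than bits and two-pass
        processing of Data segments so that an out-of-bounds segment leaves memory
        untouched, as an added example written for this page; it is not JSC's Wasm parser
        or WebAssemblyModuleRecord code. LinearMemory, DataSegment, LinkResult, the
        scenario helper and its 16-byte memory are all constructed for the example.

```cpp
#include <algorithm>
#include <cstdint>
#include <vector>

// Linear memory and data segments as plain containers (example types, not JSC's).
struct LinearMemory { std::vector<uint8_t> bytes; };

struct DataSegment {
    uint32_t memoryIndex;       // must be 0: a module has at most one memory
    uint32_t offset;            // result of the segment's constant offset expression
    std::vector<uint8_t> data;
};

enum class LinkResult { Ok, BadMemoryIndex, OutOfBounds };

// Two-pass application: every segment is bounds-checked before any byte is copied,
// so a failing module leaves memory exactly as it was. With no memory (nullptr)
// only empty segments are acceptable, and their index is still validated.
LinkResult applyDataSegments(LinearMemory* memory, const std::vector<DataSegment>& segments)
{
    for (const DataSegment& segment : segments) {
        if (segment.memoryIndex != 0)
            return LinkResult::BadMemoryIndex;
        if (!memory) {
            if (!segment.data.empty())
                return LinkResult::OutOfBounds;
            continue;
        }
        // 64-bit arithmetic so offset + size cannot wrap around.
        uint64_t end = static_cast<uint64_t>(segment.offset) + segment.data.size();
        if (end > memory->bytes.size())
            return LinkResult::OutOfBounds;
    }
    if (memory) {
        for (const DataSegment& segment : segments)
            std::copy(segment.data.begin(), segment.data.end(), memory->bytes.begin() + segment.offset);
    }
    return LinkResult::Ok;
}

// The single-pass shape the entry moves away from: checking and copying in one loop
// means a later out-of-bounds segment fails after earlier ones were already written.
LinkResult applyDataSegmentsSinglePass(LinearMemory& memory, const std::vector<DataSegment>& segments)
{
    for (const DataSegment& segment : segments) {
        if (segment.memoryIndex != 0)
            return LinkResult::BadMemoryIndex;
        uint64_t end = static_cast<uint64_t>(segment.offset) + segment.data.size();
        if (end > memory.bytes.size())
            return LinkResult::OutOfBounds;
        std::copy(segment.data.begin(), segment.data.end(), memory.bytes.begin() + segment.offset);
    }
    return LinkResult::Ok;
}

// Scenario: a 16-byte memory, one in-bounds segment followed by one that overruns it.
struct Outcome { LinkResult result; uint8_t firstByte; };

Outcome runScenario(bool twoPass)
{
    LinearMemory memory;
    memory.bytes.assign(16, 0);
    std::vector<DataSegment> segments = {
        { 0, 0, { 0xAA, 0xBB } },           // in bounds
        { 0, 12, { 1, 2, 3, 4, 5, 6 } },    // 12 + 6 > 16: out of bounds
    };
    LinkResult result = twoPass ? applyDataSegments(&memory, segments)
                                : applyDataSegmentsSinglePass(memory, segments);
    return { result, memory.bytes[0] };
}

// Load/store alignment: the immediate is log2 of the *byte* alignment and may not
// exceed the access's natural alignment. widthBits is 8, 16, 32 or 64.
uint32_t naturalLog2Alignment(uint32_t widthBits)
{
    uint32_t bytes = widthBits / 8;
    uint32_t log2 = 0;
    while ((1u << log2) < bytes)
        ++log2;
    return log2;
}

bool isValidAlignment(uint32_t alignmentImmediate, uint32_t widthBits)
{
    return alignmentImmediate <= naturalLog2Alignment(widthBits);
}

// The bit-alignment mistake, for contrast: it accepts immediates up to log2(widthBits).
bool isValidAlignmentBitBug(uint32_t alignmentImmediate, uint32_t widthBits)
{
    uint32_t log2 = 0;
    while ((1u << log2) < widthBits)
        ++log2;
    return alignmentImmediate <= log2;
}
```

        runScenario(false) reports OutOfBounds but memory[0] already holds 0xAA: the
        first segment was written before the second failed, which is the observable
        partial state the two-pass version avoids. isValidAlignmentBitBug(5, 32) shows
        why the bit/byte mix-up mattered: an alignment immediate of 5 on an i32.load is
        invalid (natural alignment is 2), but a bit-based check accepts it.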
2539
2540 2017-06-13  Michael Saboff  <msaboff@apple.com>
2541
2542         DFG doesn't properly handle a property that is change to read only in a prototype
2543         https://bugs.webkit.org/show_bug.cgi?id=173321
2544
2545         Reviewed by Filip Pizlo.
2546
        We need to check for ReadOnly as well as not being a Setter when checking
        an AbsenceOfSetter.
2549
2550         * bytecode/PropertyCondition.cpp:
2551         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):
2552
2553 2017-06-13  Daniel Bates  <dabates@apple.com>
2554
2555         Implement W3C Secure Contexts Draft Specification
2556         https://bugs.webkit.org/show_bug.cgi?id=158121
2557         <rdar://problem/26012994>
2558
2559         Reviewed by Brent Fulgham.
2560
2561         Part 4
2562
2563         Adds isSecureContext to the list of common identifiers as needed to support
2564         toggling its exposure from a runtime enabled feature flag.
2565
2566         * runtime/CommonIdentifiers.h:
2567
2568 2017-06-13  Don Olmstead  <don.olmstead@sony.com>
2569
2570         [JSC] Remove redundant includes in config.h
2571         https://bugs.webkit.org/show_bug.cgi?id=173294
2572
2573         Reviewed by Alex Christensen.
2574
2575         * config.h:
2576
2577 2017-06-12  Saam Barati  <sbarati@apple.com>
2578
2579         We should not claim that SpecEmpty is filtered out of cell checks on 64 bit platforms
2580         https://bugs.webkit.org/show_bug.cgi?id=172957
2581         <rdar://problem/32602704>
2582
2583         Reviewed by Filip Pizlo.
2584
2585         Consider this program:
2586         ```
2587         block#1:
2588         n: GetClosureVar(..., |this|) // this will load empty JSValue()
2589         SetLocal(Cell:@n, locFoo) // Cell check succeeds because JSValue() looks like a cell
2590         Branch(#2, #3)
2591         
2592         Block#3:
2593         x: GetLocal(locFoo)
2594         y: CheckNotEmpty(@x)
2595         ```
2596         
2597         If we claim that a cell check filters out the empty value, we will
2598         incorrectly eliminate the CheckNotEmpty node @y. This patch fixes AI,
2599         FTLLowerDFGToB3, and DFGSpeculativeJIT to no longer make this claim.
2600         
2601         On 64 bit platforms:
2602         - Cell use kind *now allows* the empty value to pass through.
2603         - CellOrOther use kind *now allows* for the empty value to pass through
2604         - NotCell use kind *no longer allows* the empty value to pass through.
2605
2606         * assembler/CPU.h:
2607         (JSC::isARMv7IDIVSupported):
2608         (JSC::isARM64):
2609         (JSC::isX86):
2610         (JSC::isX86_64):
2611         (JSC::is64Bit):
2612         (JSC::is32Bit):
2613         (JSC::isMIPS):
2614         Make these functions constexpr so we can use them in static variable assignment.
2615
2616         * bytecode/SpeculatedType.h:
2617         * dfg/DFGSpeculativeJIT.cpp:
2618         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
2619         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2620         (JSC::DFG::SpeculativeJIT::compileLogicalNotStringOrOther):
2621         (JSC::DFG::SpeculativeJIT::emitStringOrOtherBranch):
2622         (JSC::DFG::SpeculativeJIT::speculateCell):
2623         (JSC::DFG::SpeculativeJIT::speculateCellOrOther):
2624         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
2625         (JSC::DFG::SpeculativeJIT::speculateString):
2626         (JSC::DFG::SpeculativeJIT::speculateStringOrOther):
2627         (JSC::DFG::SpeculativeJIT::speculateSymbol):
2628         (JSC::DFG::SpeculativeJIT::speculateNotCell):
2629         * dfg/DFGSpeculativeJIT32_64.cpp:
2630         * dfg/DFGSpeculativeJIT64.cpp:
2631         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2632         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
2633         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
2634         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2635         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2636         * dfg/DFGUseKind.h:
2637         (JSC::DFG::typeFilterFor):
2638         * ftl/FTLLowerDFGToB3.cpp:
2639         (JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep):
2640         (JSC::FTL::DFG::LowerDFGToB3::numberOrNotCellToInt32):
2641         (JSC::FTL::DFG::LowerDFGToB3::compareEqObjectOrOtherToObject):
2642         (JSC::FTL::DFG::LowerDFGToB3::boolify):
2643         (JSC::FTL::DFG::LowerDFGToB3::equalNullOrUndefined):
2644         (JSC::FTL::DFG::LowerDFGToB3::lowCell):
2645         (JSC::FTL::DFG::LowerDFGToB3::lowNotCell):
2646         (JSC::FTL::DFG::LowerDFGToB3::isCellOrMisc):
2647         (JSC::FTL::DFG::LowerDFGToB3::isNotCellOrMisc):
2648         (JSC::FTL::DFG::LowerDFGToB3::isNotCell):
2649         (JSC::FTL::DFG::LowerDFGToB3::isCell):
2650         (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
2651         (JSC::FTL::DFG::LowerDFGToB3::speculateObjectOrOther):
2652         (JSC::FTL::DFG::LowerDFGToB3::speculateString):
2653         (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):
2654         (JSC::FTL::DFG::LowerDFGToB3::speculateSymbol):
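
        The program above reduced to a few lines of C++ that mirror the reasoning, as an
        added example for this page rather than JSC code. The tag constants follow JSC's
        64-bit JSValue encoding as taken from JSCJSValue.h (an assumption for the example);
        SpeculatedType, the two cell filters and wouldDereference are simplified stand-ins
        for the abstract interpreter's type filtering and the emitted check sequence.

```cpp
#include <cstdint>

// Tag layout of the 64-bit JSValue encoding (assumed from JSCJSValue.h).
constexpr int64_t TagTypeNumber   = static_cast<int64_t>(0xffff000000000000ull); // set on every number
constexpr int64_t TagBitTypeOther = 0x2;                                          // null, undefined, booleans
constexpr int64_t TagMask         = TagTypeNumber | TagBitTypeOther;
constexpr int64_t ValueEmpty      = 0x0;                                          // JSValue(): "no value"
constexpr int64_t ValueUndefined  = TagBitTypeOther | 0x8;

struct JSValue { int64_t bits; };

JSValue jsEmpty() { return { ValueEmpty }; }
JSValue jsUndefined() { return { ValueUndefined }; }
JSValue jsInt32(int32_t i) { return { TagTypeNumber | static_cast<int64_t>(static_cast<uint32_t>(i)) }; }
JSValue jsCell(const void* p) { return { static_cast<int64_t>(reinterpret_cast<intptr_t>(p)) }; }

JSValue jsSampleCell()
{
    static int cellStorage = 0;   // stands in for a heap cell
    return jsCell(&cellStorage);
}

bool isEmpty(JSValue v) { return v.bits == ValueEmpty; }
// The cell test only looks at the tag bits; all-zero bits pass it, so the empty
// value "looks like a cell".
bool isCell(JSValue v) { return !(v.bits & TagMask); }

// Speculated types as a bitset, modelled on SpeculatedType (assumed subset).
enum SpeculatedType : uint32_t {
    SpecEmpty = 1u << 0,
    SpecInt32 = 1u << 1,
    SpecOther = 1u << 2,
    SpecCell  = 1u << 3,
};

// What passing the Cell check proves about a value on 64-bit: before the fix the
// filter claimed SpecCell only; after it, SpecEmpty is admitted as well.
constexpr uint32_t cellFilterBeforeFix = SpecCell;
constexpr uint32_t cellFilterAfterFix  = SpecCell | SpecEmpty;

// The abstract interpreter's question for CheckNotEmpty(@x): given what is
// proven about @x, may the check be eliminated?
bool checkNotEmptyIsRedundant(uint32_t provenType) { return !(provenType & SpecEmpty); }

bool passesCellCheck(JSValue v) { return isCell(v); }

// True means the compiled code goes on to treat v as a live cell pointer.
bool wouldDereference(JSValue v, uint32_t cellFilter)
{
    if (!passesCellCheck(v))
        return false;                     // speculation failed: OSR exit
    if (checkNotEmptyIsRedundant(cellFilter))
        return true;                      // CheckNotEmpty was eliminated
    return !isEmpty(v);                   // CheckNotEmpty kept and executed
}
```

        With cellFilterBeforeFix, wouldDereference(jsEmpty(), ...) is true: the empty
        value passed the cell check, CheckNotEmpty was eliminated, and a zero "pointer"
        flows into code that expects a cell. With cellFilterAfterFix the check survives
        and the same value is rejected.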
2655
2656 2017-06-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2657
        Unreviewed, suppress invalid register allocation validation assertion in 32 bit
2659         https://bugs.webkit.org/show_bug.cgi?id=172421
2660
2661         * dfg/DFGSpeculativeJIT.cpp:
2662         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
2663
2664 2017-06-12  Oleksandr Skachkov  <gskachkov@gmail.com>
2665
2666         We incorrectly allow escaped characters in keyword tokens
2667         https://bugs.webkit.org/show_bug.cgi?id=171310
2668
2669         Reviewed by Yusuke Suzuki.
2670
        According to the spec it is not allowed to use escaped characters in
        keywords. https://tc39.github.io/ecma262/#sec-reserved-words
        The current patch implements this requirement.

2676         * parser/Lexer.cpp:
2677         (JSC::Lexer<CharacterType>::parseIdentifierSlowCase):
2678         * parser/Parser.cpp:
2679         (JSC::Parser<LexerType>::printUnexpectedTokenText):
2680         * parser/ParserTokens.h:
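
        The rule the patch enforces, as an added example (not JSC's Lexer): a small
        identifier scanner that decodes \uXXXX escapes and then rejects a reserved word
        whose spelling used an escape. The ASCII-only subset, the token names and the
        reserved-word list are this example's own.

```cpp
#include <cctype>
#include <cstdint>
#include <set>
#include <string>

// A scanned IdentifierName: decoded spelling plus whether any \uXXXX escape was used.
struct IdentifierToken {
    std::string name;
    bool hadEscape = false;
    bool valid = false;   // false for a malformed escape or one that is not an identifier character
};

static bool isIdentifierStart(char c) { return std::isalpha(static_cast<unsigned char>(c)) || c == '$' || c == '_'; }
static bool isIdentifierPart(char c) { return isIdentifierStart(c) || std::isdigit(static_cast<unsigned char>(c)); }

// Scans one identifier from src at pos (ASCII subset, \uXXXX escapes decoding to ASCII).
IdentifierToken scanIdentifier(const std::string& src, size_t& pos)
{
    IdentifierToken token;
    bool first = true;
    while (pos < src.size()) {
        char c = src[pos];
        if (c == '\\') {
            if (pos + 6 > src.size() || src[pos + 1] != 'u')
                return token;                               // malformed: valid stays false
            uint32_t codePoint = 0;
            for (size_t k = 2; k < 6; ++k) {
                unsigned char h = src[pos + k];
                if (!std::isxdigit(h))
                    return token;
                codePoint = codePoint * 16 + (std::isdigit(h) ? h - '0' : std::tolower(h) - 'a' + 10);
            }
            if (codePoint > 0x7F)
                return token;                               // non-ASCII is outside this example
            char decoded = static_cast<char>(codePoint);
            if (!(first ? isIdentifierStart(decoded) : isIdentifierPart(decoded)))
                return token;                               // e.g. \u0020 is not an identifier character
            token.name.push_back(decoded);
            token.hadEscape = true;
            pos += 6;
        } else if (first ? isIdentifierStart(c) : isIdentifierPart(c)) {
            token.name.push_back(c);
            ++pos;
        } else {
            break;
        }
        first = false;
    }
    token.valid = !token.name.empty();
    return token;
}

// Reserved words per https://tc39.github.io/ecma262/#sec-reserved-words: the Keyword
// production, the future reserved word enum, and the null/boolean literals.
bool isReservedWord(const std::string& name)
{
    static const std::set<std::string> words = {
        "break", "case", "catch", "class", "const", "continue", "debugger", "default",
        "delete", "do", "else", "export", "extends", "finally", "for", "function", "if",
        "import", "in", "instanceof", "new", "return", "super", "switch", "this", "throw",
        "try", "typeof", "var", "void", "while", "with", "yield",
        "enum", "null", "true", "false",
    };
    return words.count(name) != 0;
}

enum class TokenKind { Identifier, Keyword, EscapedKeywordError, Malformed };

// A reserved word spelled with escapes is a SyntaxError; a plain one is a keyword;
// anything else that scans is an ordinary identifier.
TokenKind classifyToken(const std::string& src)
{
    size_t pos = 0;
    IdentifierToken token = scanIdentifier(src, pos);
    if (!token.valid || pos != src.size())
        return TokenKind::Malformed;
    if (!isReservedWord(token.name))
        return TokenKind::Identifier;
    return token.hadEscape ? TokenKind::EscapedKeywordError : TokenKind::Keyword;
}
```

        classifyToken("\u0076ar") comes back as EscapedKeywordError while "var" is a
        Keyword and "v\u0061riable" is an ordinary Identifier: the escape is legal in
        identifier names, only not as a way of spelling a keyword. Accepting the escaped
        form is the kind of lexer divergence that lets a token slip past a filter or a
        second parser that follows the spec.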
2681
2682 2017-06-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2683
2684         Unreviewed, add branch64(Cond, BaseIndex, RegisterID) for ARM64
2685         https://bugs.webkit.org/show_bug.cgi?id=172421
2686
2687         * assembler/MacroAssemblerARM64.h:
2688         (JSC::MacroAssemblerARM64::branch64):
2689         (JSC::MacroAssemblerARM64::branchPtr):
2690
2691 2017-06-12  Commit Queue  <commit-queue@webkit.org>
2692
2693         Unreviewed, rolling out r218093.
2694         https://bugs.webkit.org/show_bug.cgi?id=173259
2695
2696         Break builds (Requested by yusukesuzuki on #webkit).
2697
2698         Reverted changeset:
2699
2700         "Unreviewed, build fix for ARM64"
2701         https://bugs.webkit.org/show_bug.cgi?id=172421
2702         http://trac.webkit.org/changeset/218093
2703
2704 2017-06-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2705
2706         Unreviewed, build fix for ARM64
2707         https://bugs.webkit.org/show_bug.cgi?id=172421
2708
2709         * dfg/DFGSpeculativeJIT.cpp:
2710         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
2711
2712 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2713
2714         [DFG] Add ArrayIndexOf intrinsic
2715         https://bugs.webkit.org/show_bug.cgi?id=172421
2716
2717         Reviewed by Saam Barati.
2718
        This patch introduces ArrayIndexOfIntrinsic for DFG and FTL optimizations.
        We emit array check and go fast path if the array is Array::Int32, Array::Double
        or Array::Contiguous. In addition, for Array::Int32 and Array::Double case,
        we have inlined fast paths.
2723
2724         With updated ARES-6 Babylon,
2725
2726         Before
2727             firstIteration:     45.76 +- 3.87 ms
2728             averageWorstCase:   24.41 +- 2.17 ms
2729             steadyState:        8.01 +- 0.22 ms
2730         After
2731             firstIteration:     45.64 +- 4.23 ms
2732             averageWorstCase:   23.03 +- 3.34 ms
2733             steadyState:        7.33 +- 0.34 ms
2734
2735         In SixSpeed.
2736                                          baseline                  patched
2737
2738             map-set-lookup.es5      734.4701+-10.4383    ^    102.0968+-2.6357        ^ definitely 7.1939x faster
2739             map-set.es5              41.1396+-1.0558     ^     33.1916+-0.7986        ^ definitely 1.2395x faster
2740             map-set-object.es5       62.8317+-1.2518     ^     45.6944+-0.8369        ^ definitely 1.3750x faster
2741
2742         * dfg/DFGAbstractInterpreterInlines.h:
2743         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2744         * dfg/DFGByteCodeParser.cpp:
2745         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2746         * dfg/DFGClobberize.h:
2747         (JSC::DFG::clobberize):
2748         * dfg/DFGDoesGC.cpp:
2749         (JSC::DFG::doesGC):
2750         * dfg/DFGFixupPhase.cpp:
2751         (JSC::DFG::FixupPhase::fixupNode):
2752         * dfg/DFGNode.h:
2753         (JSC::DFG::Node::hasArrayMode):
2754         * dfg/DFGNodeType.h:
2755         * dfg/DFGOperations.cpp:
2756         * dfg/DFGOperations.h:
2757         * dfg/DFGPredictionPropagationPhase.cpp:
2758         * dfg/DFGSafeToExecute.h:
2759         (JSC::DFG::safeToExecute):
2760         * dfg/DFGSpeculativeJIT.cpp:
2761         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
2762         (JSC::DFG::SpeculativeJIT::speculateObject):
2763         * dfg/DFGSpeculativeJIT.h:
2764         (JSC::DFG::SpeculativeJIT::callOperation):
2765         * dfg/DFGSpeculativeJIT32_64.cpp:
2766         (JSC::DFG::SpeculativeJIT::compile):
2767         * dfg/DFGSpeculativeJIT64.cpp:
2768         (JSC::DFG::SpeculativeJIT::compile):
2769         (JSC::DFG::SpeculativeJIT::speculateInt32):
2770         * ftl/FTLCapabilities.cpp:
2771         (JSC::FTL::canCompile):
2772         * ftl/FTLLowerDFGToB3.cpp:
2773         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2774         (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf):
2775         * jit/JITOperations.h:
2776         * runtime/ArrayPrototype.cpp:
2777         (JSC::ArrayPrototype::finishCreation):
2778         * runtime/Intrinsic.cpp:
2779         (JSC::intrinsicName):
2780         * runtime/Intrinsic.h:
2781
2782 2017-06-11  Keith Miller  <keith_miller@apple.com>
2783
2784         TypedArray constructor with string shouldn't throw
2785         https://bugs.webkit.org/show_bug.cgi?id=173181
2786
2787         Reviewed by JF Bastien.
2788
2789         We should be coercing primitive arguments to numbers in the various
2790         TypedArray constructors.
2791
2792         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2793         (JSC::constructGenericTypedArrayViewWithArguments):
2794
2795 2017-06-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2796
2797         [WTF] Make ThreadMessage portable
2798         https://bugs.webkit.org/show_bug.cgi?id=172073
2799
2800         Reviewed by Keith Miller.
2801
2802         * runtime/MachineContext.h:
2803         (JSC::MachineContext::stackPointer):
2804         * tools/CodeProfiling.cpp:
2805         (JSC::profilingTimer):
2806
2807 2017-06-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2808
2809         [JSC] Shrink Structure size
2810         https://bugs.webkit.org/show_bug.cgi?id=173239
2811
2812         Reviewed by Mark Lam.
2813
        We find that the size of our Structure is slightly enlarged due to padding.
2815         By changing the order of members, we can reduce the size from 120 to 112.
2816         This is good because 120 and 112 are categorized into different size classes.
2817         For 120, we allocate 128 bytes. And for 112, we allocate 112 bytes.
2818         We now save 16 bytes per Structure for free.
2819
2820         * runtime/ConcurrentJSLock.h:
2821         * runtime/Structure.cpp:
2822         (JSC::Structure::Structure):
2823         * runtime/Structure.h:
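
        The padding effect described above, as an added example with made-up members
        rather than Structure's real fields: the same five members in two declaration
        orders, plus a size-class rounding helper whose 16-byte granularity is an
        assumption for the example.

```cpp
#include <cstddef>
#include <cstdint>

// Five members declared in an order that forces padding (constructed example).
struct PaddedLayout {
    uint8_t  flagA;       // offset 0, then 7 bytes of padding before the pointer
    void*    pointer;     // offset 8
    uint8_t  flagB;       // offset 16, then 3 bytes of padding
    uint32_t count;       // offset 20
    uint16_t smallValue;  // offset 24, then 6 bytes of tail padding
};

// Largest alignment first, small scalars packed together at the end.
struct PackedLayout {
    void*    pointer;     // offset 0
    uint32_t count;       // offset 8
    uint16_t smallValue;  // offset 12
    uint8_t  flagA;       // offset 14
    uint8_t  flagB;       // offset 15
};

// Size classes as the entry describes them: a request is rounded up to its class,
// so shaving bytes only pays off when the object crosses a class boundary.
constexpr size_t sizeClassGranularity = 16;   // assumed for the example

size_t sizeClassFor(size_t bytes)
{
    return (bytes + sizeClassGranularity - 1) / sizeClassGranularity * sizeClassGranularity;
}

// Bytes actually saved per object once rounding to a size class is accounted for.
size_t bytesSavedPerObject()
{
    return sizeClassFor(sizeof(PaddedLayout)) - sizeClassFor(sizeof(PackedLayout));
}
```

        On an LP64 target PaddedLayout is 32 bytes and PackedLayout 16, with identical
        members. Applied to the entry's numbers, sizeClassFor(120) is 128 and
        sizeClassFor(112) is 112, which is where the 16 bytes per Structure come from.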
2824
2825 2017-06-11  Konstantin Tokarev  <annulen@yandex.ru>
2826
2827         Unreviewed, attempt to fix JSC tests on Win after r217771
2828
2829         * jsc.cpp:
2830         (currentWorkingDirectory): buffer is not NULL-terminated
2831
2832 2017-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2833
2834         [WTF] Add RegisteredSymbolImpl
2835         https://bugs.webkit.org/show_bug.cgi?id=173230
2836
2837         Reviewed by Mark Lam.
2838
2839         * runtime/SymbolConstructor.cpp:
2840         (JSC::symbolConstructorKeyFor):
2841
2842 2017-06-10  Dan Bernstein  <mitz@apple.com>
2843
2844         Reverted r218056 because it made the IDE reindex constantly.
2845
2846         * Configurations/DebugRelease.xcconfig:
2847
2848 2017-06-10  Dan Bernstein  <mitz@apple.com>
2849
2850         [Xcode] With Xcode 9 developer beta, everything rebuilds when switching between command-line and IDE
2851         https://bugs.webkit.org/show_bug.cgi?id=173223
2852
2853         Reviewed by Sam Weinig.
2854
2855         The rebuilds were happening due to a difference in the compiler options that the IDE and
2856         xcodebuild were specifying. Only the IDE was passing the -index-store-path option. To make
2857         xcodebuild pass that option, too, set CLANG_INDEX_STORE_ENABLE to YES if it is unset, and
2858         specify an appropriate path in CLANG_INDEX_STORE_PATH.
2859
2860         * Configurations/DebugRelease.xcconfig:
2861
2862 2017-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2863
        [JSC] Update RegExp.prototype[@@search] implementation according to the latest spec
2865         https://bugs.webkit.org/show_bug.cgi?id=173227
2866
2867         Reviewed by Mark Lam.
2868
        The latest spec introduces a slight change to RegExp.prototype[@@search].
        This patch applies this change. Basically, this change is done in the slow path of
        RegExp.prototype[@@search].
2872         https://tc39.github.io/ecma262/#sec-regexp.prototype-@@search
2873
2874         * builtins/RegExpPrototype.js:
2875         (search):
2876
2877 2017-06-09  Chris Dumez  <cdumez@apple.com>
2878
2879         Update Thread::create() to take in a WTF::Function instead of a std::function
2880         https://bugs.webkit.org/show_bug.cgi?id=173175
2881
2882         Reviewed by Mark Lam.
2883
2884         * API/tests/CompareAndSwapTest.cpp:
2885         (testCompareAndSwap):
2886
2887 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2888
2889         [DFG] Add verboseDFGOSRExit
2890         https://bugs.webkit.org/show_bug.cgi?id=173156
2891
2892         Reviewed by Saam Barati.
2893
2894         This patch adds verboseDFGOSRExit which is similar to verboseFTLOSRExit.
2895
2896         * dfg/DFGOSRExitCompiler.cpp:
2897         * runtime/Options.h:
2898
2899 2017-06-09  Guillaume Emont  <guijemont@igalia.com>
2900
2901         [JSC][MIPS] Add MacroAssemblerMIPS::xor32(Address, RegisterID) implementation
2902         https://bugs.webkit.org/show_bug.cgi?id=173170
2903
2904         Reviewed by Yusuke Suzuki.
2905
2906         MIPS has not built since r217711 because it is missing this
2907         implementation. This patch fixes the build.
2908
2909         * assembler/MacroAssemblerMIPS.h:
2910         (JSC::MacroAssemblerMIPS::xor32):
2911
2912 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2913
2914         [JSC] FTL does not require dlfcn
2915         https://bugs.webkit.org/show_bug.cgi?id=173143
2916
2917         Reviewed by Darin Adler.
2918
2919         We no longer use LLVM library. Thus, dlfcn.h is not necessary.
2920         Also, ProcessID is not used in FTLLowerDFGToB3.cpp.
2921
2922         * ftl/FTLLowerDFGToB3.cpp:
2923
2924 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2925
2926         [DFG] Add --verboseDFGFailure
2927         https://bugs.webkit.org/show_bug.cgi?id=173155
2928
2929         Reviewed by Sam Weinig.
2930
2931         Similar to verboseFTLFailure, JSC should have a verboseDFGFailure flag to show DFG failures quickly.
2932
2933         * dfg/DFGCapabilities.cpp:
2934         (JSC::DFG::verboseCapabilities):
2935         (JSC::DFG::debugFail):
2936         * runtime/Options.cpp:
2937         (JSC::recomputeDependentOptions):
2938         * runtime/Options.h:
2939
2940 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2941
2942         [JSC] Drop OS(DARWIN) for VM_TAG_FOR_WEBASSEMBLY_MEMORY
2943         https://bugs.webkit.org/show_bug.cgi?id=173147
2944
2945         Reviewed by JF Bastien.
2946
2947         This value becomes -1 in non-Darwin environments.
2948         Thus, we do not need to use OS(DARWIN) here.
2949
2950         * wasm/WasmMemory.cpp:
2951
2952 2017-06-09  Daewoong Jang  <daewoong.jang@navercorp.com>
2953
2954         Reduce compiler warnings
2955         https://bugs.webkit.org/show_bug.cgi?id=172078
2956
2957         Reviewed by Yusuke Suzuki.
2958
2959         * runtime/IntlDateTimeFormat.h:
2960
2961 2017-06-08  Joseph Pecoraro  <pecoraro@apple.com>
2962
2963         [Cocoa] JSWrapperMap leaks for all JSContexts
2964         https://bugs.webkit.org/show_bug.cgi?id=173110
2965         <rdar://problem/32602198>
2966
2967         Reviewed by Geoffrey Garen.
2968
2969         * API/JSContext.mm:
2970         (-[JSContext ensureWrapperMap]):
2971         Ensure this allocation gets released.
2972
2973 2017-06-08  Filip Pizlo  <fpizlo@apple.com>
2974
2975         REGRESSION: js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-5.html has a flaky failure
2976         https://bugs.webkit.org/show_bug.cgi?id=161156
2977
2978         Reviewed by Saam Barati.
2979         
2980         Since LLInt does not register impure property watchpoints for self property accesses, it
2981         shouldn't try to cache accesses that require a watchpoint.
2982         
2983         This manifested as a flaky failure because the test would fire the watchpoint after we had
2984         usually already tiered up. Without concurrent JIT, we would have always tiered up before
2985         getting to the bad case. With concurrent JIT, we would sometimes not tier up by that time. This
2986         also adds a test that deterministically failed in LLInt without this change; it does so by just
2987         running a lot shorter.
2988
2989         * llint/LLIntSlowPaths.cpp:
2990         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2991
2992 2017-06-08  Keith Miller  <keith_miller@apple.com>
2993
2994         WebAssembly: We should only create wrappers for functions that can be exported
2995         https://bugs.webkit.org/show_bug.cgi?id=173088
2996
2997         Reviewed by Saam Barati.
2998
2999         This patch makes it so we only create wrappers for WebAssembly functions that
3000         can actually be exported. It appears to be a ~2.5% speedup on WasmBench compile times.
3001
3002         This patch also removes most of the old testWasmModuleFunctions api from the jsc CLI.
3003         Most of the tests were duplicates of ones in the spec-tests directory. The others I
3004         have converted to use the normal API.
3005
3006         * jsc.cpp:
3007         (GlobalObject::finishCreation):
3008         (valueWithTypeOfWasmValue): Deleted.
3009         (box): Deleted.
3010         (callWasmFunction): Deleted.
3011         (functionTestWasmModuleFunctions): Deleted.
3012         * wasm/WasmB3IRGenerator.cpp:
3013         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3014         (JSC::Wasm::createJSToWasmWrapper):
3015         (JSC::Wasm::parseAndCompile):
3016         * wasm/WasmB3IRGenerator.h:
3017         * wasm/WasmBBQPlan.cpp:
3018         (JSC::Wasm::BBQPlan::prepare):
3019         (JSC::Wasm::BBQPlan::compileFunctions):
3020         (JSC::Wasm::BBQPlan::complete):
3021         * wasm/WasmBBQPlan.h:
3022         * wasm/WasmBBQPlanInlines.h:
3023         (JSC::Wasm::BBQPlan::initializeCallees):
3024         * wasm/WasmCodeBlock.cpp:
3025         (JSC::Wasm::CodeBlock::CodeBlock):
3026         * wasm/WasmCodeBlock.h:
3027         (JSC::Wasm::CodeBlock::jsEntrypointCalleeFromFunctionIndexSpace):
3028         * wasm/WasmFormat.h:
3029         * wasm/WasmOMGPlan.cpp:
3030         (JSC::Wasm::OMGPlan::work):
3031
3032 2017-06-07  JF Bastien  <jfbastien@apple.com>
3033
3034         WebAssembly: test imports and exports with 16-bit characters
3035         https://bugs.webkit.org/show_bug.cgi?id=165977
3036         <rdar://problem/29760130>
3037
3038         Reviewed by Saam Barati.
3039
3040         Add the missing UTF-8 conversions. Improve import failure error
3041         messages, otherwise it's hard to figure out which import is wrong.
3042
3043         * wasm/js/JSWebAssemblyInstance.cpp:
3044         (JSC::JSWebAssemblyInstance::create):
3045         * wasm/js/WebAssemblyModuleRecord.cpp:
3046         (JSC::WebAssemblyModuleRecord::finishCreation):
3047         (JSC::WebAssemblyModuleRecord::link):
3048
3049 2017-06-07  Devin Rousso  <drousso@apple.com>
3050
3051         Web Inspector: Add ContextMenu item to log WebSocket object to console
3052         https://bugs.webkit.org/show_bug.cgi?id=172878
3053
3054         Reviewed by Joseph Pecoraro.
3055
3056         * inspector/protocol/Network.json:
3057         Add resolveWebSocket command.
3058
3059 2017-06-07  Jon Davis  <jond@apple.com>
3060
3061         Update feature status for features Supported In Preview
3062         https://bugs.webkit.org/show_bug.cgi?id=173071
3063
3064         Reviewed by Darin Adler.
3065
3066         Updated Media Capture and Streams, Performance Observer, Resource Timing Level 2,
3067         User Timing Level 2, Web Cryptography API, WebGL 2, WebRTC.
3068
3069         * features.json:
3070
3071 2017-06-07  Saam Barati  <sbarati@apple.com>
3072
3073         Assertion failure in com.apple.WebKit.WebContent.Development in com.apple.JavaScriptCore: JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined + 141
3074         https://bugs.webkit.org/show_bug.cgi?id=172673
3075         <rdar://problem/32250144>
3076
3077         Reviewed by Mark Lam.
3078
3079         This patch simply removes this assertion. It's faulty because it
3080         races with the main thread when doing concurrent compilation.
3081         
3082         Consider a program with:
3083         - a FrozenValue over an object O and Structure S1. S1 starts off as dfgWatchable() being true.
3084         - Structure S2
3085         
3086         The DFG IR is like so:
3087           a: JSConstant(O) // FrozenValue {O, S1}
3088           b: CheckStructure(@a, S2)
3089           c: ToThis(@a)
3090           d: CheckEq(@c, nullConstant)
3091           Branch(@d)
3092         
3093         The AbstractValue for @a will start off as having a finite structure because S1 is dfgWatchable().
3094         When running AI, we'll notice that node @b will OSR exit, so nodes after
3095         @b are unreachable. Later in the compilation, S1 is no longer dfgWatchable().
3096         Now, when running AI, @a will have Top for its structure set. No longer will
3097         we think @b exits.
3098         
3099         The DFG backend asserts that under such a situation, we should have simplified
3100         the CheckEq to false. However, this is a racy thing to assert, since the
3101         transition from dfgWatchable() to !dfgWatchable() can happen right before we
3102         enter the backend. Hence, this assertion is not valid.
3103         
3104         (Note, the generated code for the above program will never actually execute.
3105         Since we noticed S1 as dfgWatchable(), we make the compilation dependent on
3106         S1 not transitioning. S1 transitions, so we won't actually run the code that
3107         gets compiled.)
3108
3109         * dfg/DFGSpeculativeJIT64.cpp:
3110         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
3111
3112 2017-06-07  Yusuke Suzuki  <utatane.tea@gmail.com>
3113
3114         [JSC] has_generic_property never accepts non-String
3115         https://bugs.webkit.org/show_bug.cgi?id=173057
3116
3117         Reviewed by Darin Adler.
3118
3119         We never pass non-String value to has_generic_property bytecode.
3120
3121         * runtime/CommonSlowPaths.cpp:
3122         (JSC::SLOW_PATH_DECL):
3123
3124 2017-06-06  Fujii Hironori  <Hironori.Fujii@sony.com>
3125
3126         [Win][x86-64] Some callee saved registers aren't preserved
3127         https://bugs.webkit.org/show_bug.cgi?id=171266
3128
3129         Reviewed by Saam Barati.
3130
3131         * jit/RegisterSet.cpp:
3132         (JSC::RegisterSet::calleeSaveRegisters): Added edi and esi for X86_64 Windows.
3133
3134 2017-06-06  Mark Lam  <mark.lam@apple.com>
3135
3136         Contiguous storage butterfly length should not exceed MAX_STORAGE_VECTOR_LENGTH.
3137         https://bugs.webkit.org/show_bug.cgi?id=173035
3138         <rdar://problem/32554593>
3139
3140         Reviewed by Geoffrey Garen and Filip Pizlo.
3141
3142         Also added and fixed up some assertions.
3143
3144         * runtime/ArrayConventions.h:
3145         * runtime/JSArray.cpp:
3146         (JSC::JSArray::setLength):
3147         * runtime/JSObject.cpp:
3148         (JSC::JSObject::createInitialIndexedStorage):
3149         (JSC::JSObject::ensureLengthSlow):
3150         (JSC::JSObject::reallocateAndShrinkButterfly):
3151         * runtime/JSObject.h:
3152         (JSC::JSObject::ensureLength):
3153         * runtime/RegExpObject.cpp:
3154         (JSC::collectMatches):
3155         * runtime/RegExpPrototype.cpp:
3156         (JSC::regExpProtoFuncSplitFast):
3157
3158 2017-06-06  Saam Barati  <sbarati@apple.com>
3159
3160         Make sure we restore SP when doing calls that could be to JS
3161         https://bugs.webkit.org/show_bug.cgi?id=172946
3162         <rdar://problem/32579026>
3163
3164         Reviewed by JF Bastien.
3165
3166         I was worried that there was a bug where we'd call JS, JS would tail call,
3167         and we'd end up with a bogus SP. However, this bug does not exist since wasm
3168         always calls to JS through a stub, and the stub treats SP as a callee save.
3169         
3170         I wrote a test for this, and also made a note that this is the needed ABI.
3171
3172         * wasm/WasmBinding.cpp:
3173         (JSC::Wasm::wasmToJs):
3174
3175 2017-06-06  Keith Miller  <keith_miller@apple.com>
3176
3177         OMG tier up checks should be a patchpoint
3178         https://bugs.webkit.org/show_bug.cgi?id=172944
3179
3180         Reviewed by Saam Barati.
3181
3182         Tier up checks in BBQ should be done as a patchpoint rather than individual B3 opcodes,
3183         in order to reduce code generated out of line in each function. We generate a single stub
3184         that pushes all the callee-saves. This looks like a 5-10% compile time speedup.
3185
3186         * wasm/WasmB3IRGenerator.cpp:
3187         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3188         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
3189         (JSC::Wasm::B3IRGenerator::addLoop):
3190         * wasm/WasmThunks.cpp:
3191         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
3192         * wasm/WasmThunks.h:
3193
3194 2017-06-06  Darin Adler  <darin@apple.com>
3195
3196         Cut down use of WTF_ARRAY_LENGTH
3197         https://bugs.webkit.org/show_bug.cgi?id=172997
3198
3199         Reviewed by Chris Dumez.
3200
3201         * parser/Lexer.cpp:
3202         (JSC::singleEscape): Use WTF_ARRAY_LENGTH instead of ARRAY_SIZE.
3203
3204         * runtime/NumberPrototype.cpp:
3205         (JSC::toStringWithRadix): Use std::end instead of WTF_ARRAY_LENGTH.
3206
3207 2017-06-06  Konstantin Tokarev  <annulen@yandex.ru>
3208
3209         Add missing <functional> includes
3210         https://bugs.webkit.org/show_bug.cgi?id=173017
3211
3212         Patch by Thiago Macieira <thiago.macieira@intel.com>
3213         Reviewed by Yusuke Suzuki.
3214
3215         This patch fixes compilation with GCC 7.
3216
3217         * inspector/InspectorBackendDispatcher.h:
3218
3219 2017-06-06  Filip Pizlo  <fpizlo@apple.com>
3220
3221         Unreviewed, fix 32-bit build.
3222
3223         * jit/JITOpcodes.cpp:
3224         (JSC::JIT::emit_op_unreachable):
3225
3226 2017-06-06  Joseph Pecoraro  <pecoraro@apple.com>
3227
3228         Unreviewed rollout r217807. Caused a test to crash.
3229
3230         * heap/HeapSnapshotBuilder.cpp:
3231         (JSC::HeapSnapshotBuilder::buildSnapshot):
3232         (JSC::HeapSnapshotBuilder::json):
3233         (): Deleted.
3234         * heap/HeapSnapshotBuilder.h:
3235         * runtime/JSObject.cpp:
3236         (JSC::JSObject::calculatedClassName):
3237
3238 2017-06-06  Filip Pizlo  <fpizlo@apple.com>
3239
3240         index out of bound in bytecodebasicblock
3241         https://bugs.webkit.org/show_bug.cgi?id=172963
3242
3243         Reviewed by Saam Barati and Mark Lam.
3244         
3245         We were leaving an unterminated basic block when generating CodeForCall for a class
3246         constructor. This was mostly benign since that unterminated block was not reachable, but it
3247         does cause an ASSERT.
3248         
3249         This fixes the issue by appending op_unreachable to that block. I added op_unreachable because
3250         this really is the cleanest and most idiomatic way to solve this problem, so even though it
3251         makes the change bigger, it's probably worth it.
3252
3253         * bytecode/BytecodeDumper.cpp:
3254         (JSC::BytecodeDumper<Block>::dumpBytecode):
3255         * bytecode/BytecodeList.json:
3256         * bytecode/BytecodeUseDef.h:
3257         (JSC::computeUsesForBytecodeOffset):
3258         (JSC::computeDefsForBytecodeOffset):
3259         * bytecode/Opcode.h:
3260         (JSC::isTerminal):
3261         * bytecompiler/BytecodeGenerator.cpp:
3262         (JSC::BytecodeGenerator::generate):
3263         (JSC::BytecodeGenerator::emitUnreachable):
3264         * bytecompiler/BytecodeGenerator.h:
3265         * dfg/DFGByteCodeParser.cpp:
3266         (JSC::DFG::ByteCodeParser::parseBlock):
3267         * dfg/DFGCapabilities.cpp:
3268         (JSC::DFG::capabilityLevel):
3269         * ftl/FTLLowerDFGToB3.cpp:
3270         (JSC::FTL::DFG::LowerDFGToB3::compileUnreachable):
3271         * jit/JIT.cpp:
3272         (JSC::JIT::privateCompileMainPass):
3273         * jit/JIT.h:
3274         * jit/JITOpcodes.cpp:
3275         (JSC::JIT::emit_op_unreachable):
3276         * llint/LowLevelInterpreter.asm:
3277         * runtime/CommonSlowPaths.cpp:
3278         (JSC::SLOW_PATH_DECL):
3279         * runtime/CommonSlowPaths.h:
3280
3281 2017-06-06  Ryan Haddad  <ryanhaddad@apple.com>
3282
3283         Unreviewed, rolling out r217812.
3284
3285         This change caused test failures on arm64.
3286
3287         Reverted changeset:
3288
3289         "OMG tier up checks should be a patchpoint"
3290         https://bugs.webkit.org/show_bug.cgi?id=172944
3291         http://trac.webkit.org/changeset/217812
3292
3293 2017-06-06  Carlos Garcia Campos  <cgarcia@igalia.com>
3294
3295         [WPE] Enable remote inspector
3296         https://bugs.webkit.org/show_bug.cgi?id=172971
3297
3298         Reviewed by Žan Doberšek.
3299
3300         We can just build the current glib remote inspector, without adding a frontend implementation, and use a
3301         WebKitGTK+ browser as the frontend for now.
3302
3303         * PlatformWPE.cmake: Add remote inspector files to compilation.
3304         * inspector/remote/glib/RemoteInspectorUtils.cpp:
3305         (Inspector::backendCommands): Load the inspector resources library.
3306
3307 2017-06-06  Carlos Garcia Campos  <cgarcia@igalia.com>
3308
3309         [GLIB] Make remote inspector DBus protocol common to all glib based ports
3310         https://bugs.webkit.org/show_bug.cgi?id=172970
3311
3312         Reviewed by Žan Doberšek.
3313
3314         We are currently using "webkitgtk" in the names of DBus interfaces and object paths inside an ifdef with the
3315         idea that other ports could use their own names. However, the protocol is the same, so we could use the same
3316         names and make all glib based ports compatible with each other. This way we could use the GTK+ MiniBrowser to
3317         debug WPE, without having to implement the frontend part in WPE yet.
3318
3319         * inspector/remote/glib/RemoteInspectorGlib.cpp: Use webkit instead of webkitgtk and remove platform ifdefs.
3320         * inspector/remote/glib/RemoteInspectorServer.cpp: Ditto.
3321
3322 2017-06-06  Carlos Garcia Campos  <cgarcia@igalia.com>
3323
3324         [GTK] Web Process deadlock when closing the remote inspector frontend
3325         https://bugs.webkit.org/show_bug.cgi?id=172973
3326
3327         Reviewed by Žan Doberšek.
3328
3329         We are taking the remote inspector mutex twice. First, a close message is received, and receivedCloseMessage()
3330         takes the mutex. Then RemoteConnectionToTarget::close() is called, which, when connected, calls
3331         PageDebuggable::disconnect(), which ends up calling RemoteInspector::updateTarget(), which also takes the remote
3332         inspector mutex. We should release the mutex before calling RemoteConnectionToTarget::close().
3333
3334         * inspector/remote/glib/RemoteInspectorGlib.cpp:
3335         (Inspector::RemoteInspector::receivedCloseMessage):
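
        The lock-ordering bug described in this entry, as an added example that is not JavaScriptCore's
        RemoteInspector code: a non-recursive lock taken in receivedCloseMessage() and then taken again
        by updateTarget() further down the same call chain, shown next to the fix of releasing the lock
        before calling out. To make the bug observable instead of hanging the process, the example's
        OwnerTrackingMutex records the owning thread and reports a re-entrant acquisition rather than
        blocking; all class and function names here are assumptions for the illustration.

```cpp
#include <atomic>
#include <mutex>
#include <string>
#include <thread>
#include <vector>

// A non-recursive mutex that detects, instead of deadlocking on, a second
// lock() from the thread that already owns it. (Assumed helper for this example.)
class OwnerTrackingMutex {
public:
    // Returns false if the calling thread already holds the lock; a real
    // std::mutex would block forever here.
    bool lock()
    {
        if (m_owner.load() == std::this_thread::get_id())
            return false;
        m_mutex.lock();
        m_owner.store(std::this_thread::get_id());
        return true;
    }
    void unlock()
    {
        m_owner.store(std::thread::id());
        m_mutex.unlock();
    }

private:
    std::mutex m_mutex;
    std::atomic<std::thread::id> m_owner;
};

// Stand-in for the inspector object; the call chain mirrors the entry:
// receivedCloseMessage -> close -> disconnect -> updateTarget.
struct Inspector {
    OwnerTrackingMutex mutex;
    std::vector<std::string> log; // what happened, for inspection after the fact
    bool connected = true;

    // Deep in the chain, and it needs the same lock.
    bool updateTarget()
    {
        if (!mutex.lock()) {
            log.push_back("updateTarget: re-entrant lock, this would deadlock");
            return false;
        }
        log.push_back("updateTarget: target updated");
        mutex.unlock();
        return true;
    }

    // Models RemoteConnectionToTarget::close() -> PageDebuggable::disconnect().
    bool closeConnection()
    {
        connected = false;
        return updateTarget();
    }

    // Buggy shape: the lock is still held while calling out.
    bool receivedCloseMessageHoldingLock()
    {
        mutex.lock();
        bool ok = closeConnection();
        mutex.unlock();
        return ok;
    }

    // Fixed shape: do the bookkeeping under the lock, release, then call out.
    bool receivedCloseMessageReleasingLock()
    {
        mutex.lock();
        log.push_back("receivedCloseMessage: bookkeeping done");
        mutex.unlock();
        return closeConnection();
    }
};

// Returns true if the close path completed without a re-entrant lock attempt.
bool demoBuggyPath()
{
    Inspector inspector;
    return inspector.receivedCloseMessageHoldingLock();
}

bool demoFixedPath()
{
    Inspector inspector;
    return inspector.receivedCloseMessageReleasingLock();
}
```

        Releasing before the outgoing call is the right fix only when the state the callee reads
        does not need to stay consistent with what the caller just changed; where it does, the
        alternative is to restructure so that updateTarget() has a lock-free variant for callers
        that already hold the mutex.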
3336
3337 2017-06-05  Saam Barati  <sbarati@apple.com>
3338
3339         Try to fix features.json by adding an ESNext section.
3340
3341         Unreviewed.
3342
3343         * features.json:
3344
3345 2017-06-05  David Kilzer  <ddkilzer@apple.com>
3346
3347         Follow-up: Update JSC's features.json
3348         https://bugs.webkit.org/show_bug.cgi?id=172942
3349
3350         Rubber-stamped by Jon Davis.
3351
3352         * features.json: Change "Supported in preview" to
3353         "Supported" to try to fix <https://webkit.org/status/>.
3354
3355 2017-06-05  Saam Barati  <sbarati@apple.com>
3356
3357         We don't properly parse init_expr when the opcode is an unexpected opcode
3358         https://bugs.webkit.org/show_bug.cgi?id=172945
3359
3360         Reviewed by JF Bastien.
3361
3362         The bug is a simple typo. It should use the constant
3363         `true` instead of `false` when invoking the WASM_PARSER_FAIL_IF
3364         macro. This failure is already caught by spec tests that fail
3365         on arm64 devices.
3366
3367         * wasm/WasmModuleParser.cpp:
3368
3369 2017-06-05  Keith Miller  <keith_miller@apple.com>
3370
3371         OMG tier up checks should be a patchpoint
3372         https://bugs.webkit.org/show_bug.cgi?id=172944
3373
3374         Reviewed by Saam Barati.
3375
3376         Tier up checks in BBQ should be done as a patchpoint rather than individual B3 opcodes,
3377         in order to reduce code generated out of line in each function. We generate a single stub
3378         that pushes all the callee-saves. This looks like a 5-10% compile time speedup.
3379
3380         * wasm/WasmB3IRGenerator.cpp:
3381         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3382         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
3383         (JSC::Wasm::B3IRGenerator::addLoop):
3384         * wasm/WasmThunks.cpp:
3385         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
3386         * wasm/WasmThunks.h:
3387
3388 2017-06-05  Joseph Pecoraro  <pecoraro@apple.com>
3389
3390         Remove unused VM members
3391         https://bugs.webkit.org/show_bug.cgi?id=172941
3392
3393         Reviewed by Mark Lam.
3394
3395         * runtime/HashMapImpl.h:
3396         (JSC::HashMapImpl::selectStructure): Deleted.
3397         * runtime/VM.cpp:
3398         (JSC::VM::VM):
3399         * runtime/VM.h:
3400
3401 2017-06-05  Joseph Pecoraro  <pecoraro@apple.com>
3402
3403         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
3404         https://bugs.webkit.org/show_bug.cgi?id=172848
3405         <rdar://problem/25709212>
3406
3407         Reviewed by Saam Barati.
3408
3409         * heap/HeapSnapshotBuilder.h:
3410         * heap/HeapSnapshotBuilder.cpp:
3411         Update the snapshot version. Change the node's 0 | 1 internal value
3412         to be a 32-bit bit flag. This is nice in that it is both compatible
3413         with the previous snapshot version and the same size. We can use more
3414         flags in the future.
3415
3416         (JSC::HeapSnapshotBuilder::json):
3417         In cases where the classInfo gives us "Object", check for a better
3418         class name by checking (o).__proto__.constructor.name. We avoid this
3419         check in cases where (o).hasOwnProperty("constructor"), which is the
3420         case for most Foo.prototype objects. Otherwise this would get the
3421         name of the Foo superclass for the Foo.prototype object.
3422
3423         * runtime/JSObject.cpp:
3424         (JSC::JSObject::calculatedClassName):
3425         Handle some possible edge cases that were not handled before, such
3426         as a JSObject without a GlobalObject, and an object which doesn't
3427         have a default getPrototype. Try to make the code a little clearer.
3428
3429 2017-06-05  Saam Barati  <sbarati@apple.com>
3430
3431         Update JSC's features.json
3432         https://bugs.webkit.org/show_bug.cgi?id=172942
3433
3434         Rubber stamped by Mark Lam.
3435
3436         * features.json:
3437
3438 2017-06-04  Konstantin Tokarev  <annulen@yandex.ru>
3439
3440         Fix build of Windows-specific code with ICU 59.1
3441         https://bugs.webkit.org/show_bug.cgi?id=172729
3442
3443         Reviewed by Darin Adler.
3444
3445         Fix conversions from WTF::String to wchar_t* and vice versa.
3446
3447         * jsc.cpp:
3448         (currentWorkingDirectory):
3449         (fetchModuleFromLocalFileSystem):
3450         * runtime/DateConversion.cpp:
3451         (JSC::formatDateTime):
3452
3453 2017-06-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3454
3455         [JSC] Drop unnecessary USE(CF) guard for getenv
3456         https://bugs.webkit.org/show_bug.cgi?id=172903
3457
3458         Reviewed by Sam Weinig.
3459
3460         getenv is not related to USE(CF) and OS(UNIX). It seems that this
3461         ifdef only hits in WinCairo, but WinCairo can use getenv.
3462         Moreover, in VM::VM, we already use getenv without any ifdef guard.
3463
3464         This patch just drops it.
3465
3466         * runtime/VM.cpp:
3467         (JSC::enableAssembler):
3468
3469 2017-06-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3470
3471         [JSC] Drop OS(DARWIN) for uintptr_t type conflict
3472         https://bugs.webkit.org/show_bug.cgi?id=172904
3473
3474         Reviewed by Sam Weinig.
3475
3476         In non-Darwin environments, uintptr_t may have the same type
3477         as uint64_t. We avoided the compile error by using OS(DARWIN).
3478         But, since it depends on the cstdint implementation rather than the OS, it is flaky.
3479         Instead, we just use the template parameter IntegralType,
3480         and we describe the type constraint in a SFINAE manner.
3481
3482         * dfg/DFGOpInfo.h:
3483         (JSC::DFG::OpInfo::OpInfo):
3484
3485 2017-06-03  Csaba Osztrogonác  <ossy@webkit.org>
3486
3487         [ARM] Unreviewed buildfix after r217711.
3488
3489         * assembler/MacroAssemblerARM.h:
3490         (JSC::MacroAssemblerARM::xor32):
3491
3492 2017-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>
3493
3494         ASSERTION FAILED: "We should only declare a function as a lexically scoped variable in scopes where var declarations aren't allowed. ..." for function redeclaration with async function module export
3495         https://bugs.webkit.org/show_bug.cgi?id=168844
3496
3497         Reviewed by Saam Barati.
3498
3499         As with the exported function declaration, we should set statementDepth = 1 for exported async function declarations.
3500
3501         * parser/Parser.cpp:
3502         (JSC::DepthManager::DepthManager):
3503         (JSC::Parser<LexerType>::parseExportDeclaration):
3504         * parser/Parser.h:
3505         (JSC::Parser::DepthManager::DepthManager): Deleted.
3506         (JSC::Parser::DepthManager::~DepthManager): Deleted.
3507
3508 2017-06-02  Keith Miller  <keith_miller@apple.com>
3509
3510         Defer installing mach breakpoint handler until watchdog is actually called
3511         https://bugs.webkit.org/show_bug.cgi?id=172885
3512
3513         Reviewed by Saam Barati.
3514
3515         Eagerly installing the mach breakpoint handler causes issues with Xcode GUI debugging.
3516         This hides the issue, so it won't occur as often.
3517
3518         * runtime/VMTraps.cpp:
3519         (JSC::VMTraps::SignalSender::send):
3520         (JSC::VMTraps::VMTraps): Deleted.
3521         * runtime/VMTraps.h:
3522
3523 2017-06-02  Filip Pizlo  <fpizlo@apple.com>
3524
3525         Atomics.load and Atomics.store need to be fully fenced
3526         https://bugs.webkit.org/show_bug.cgi?id=172844
3527
3528         Reviewed by Keith Miller.
3529         
3530         Implement fully fenced loads and stores in FTL using AtomicXchgAdd(0, ptr) for the load and
3531         AtomicXchg(value, ptr) for the store.
3532         
3533         DFG needed no changes because it implements all atomics using a CAS loop.
3534         
3535         AtomicsObject.cpp now uses the new Atomic<> API for fully fenced loads and stores.
3536         
3537         Prior to this change, we used half fences (acquire/release) for atomic loads and stores. This
3538         is not correct according to my current understanding of the SAB memory model, which requires
3539         that atomic operations are SC with respect to everything not just other atomics.
3540
3541         * ftl/FTLLowerDFGToB3.cpp:
3542         (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
3543         * ftl/FTLOutput.cpp:
3544         (JSC::FTL::Output::atomicWeakCAS):
3545         * ftl/FTLOutput.h:
3546         * runtime/AtomicsObject.cpp:
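
        The distinction this entry draws between half-fenced and fully fenced atomics, as an added
        example that is not JavaScriptCore code: the store-buffering litmus test, where each of two
        threads stores to its own location and then loads the other's. Under sequential consistency
        both threads reading 0 is impossible; with only a release store and an acquire load it is
        allowed (and on x86 it is routinely observed). The fenced variant below uses a read-modify-write
        for both the load (fetch_add of 0) and the store (exchange), mirroring the AtomicXchgAdd(0, ptr)
        and AtomicXchg(value, ptr) lowering the entry describes. Function names are assumptions for
        this illustration.

```cpp
#include <atomic>
#include <thread>

// Fully fenced load: a seq_cst read-modify-write that adds 0 returns the current value.
inline int fencedLoad(std::atomic<int>& v) { return v.fetch_add(0, std::memory_order_seq_cst); }
// Fully fenced store: a seq_cst exchange; the old value is simply discarded.
inline void fencedStore(std::atomic<int>& v, int value) { v.exchange(value, std::memory_order_seq_cst); }

// Half-fenced pair: what acquire/release alone provides.
inline int acquireLoad(std::atomic<int>& v) { return v.load(std::memory_order_acquire); }
inline void releaseStore(std::atomic<int>& v, int value) { v.store(value, std::memory_order_release); }

// One round of the store-buffering test with the given store/load pair.
// Returns true if both threads observed 0, the outcome SC forbids.
template <typename Store, typename Load>
bool bothReadZero(Store store, Load load)
{
    std::atomic<int> x { 0 };
    std::atomic<int> y { 0 };
    std::atomic<bool> go { false }; // start flag so both threads race together
    int r1 = -1;
    int r2 = -1;
    std::thread t1([&] {
        while (!go.load(std::memory_order_relaxed)) { }
        store(x, 1);
        r1 = load(y);
    });
    std::thread t2([&] {
        while (!go.load(std::memory_order_relaxed)) { }
        store(y, 1);
        r2 = load(x);
    });
    go.store(true, std::memory_order_relaxed);
    t1.join();
    t2.join();
    return r1 == 0 && r2 == 0;
}

// Count how many of `rounds` rounds show the forbidden-under-SC outcome.
// With fenced == true the count must be 0; with fenced == false it may not be.
int countBothZero(bool fenced, int rounds)
{
    int count = 0;
    for (int i = 0; i < rounds; ++i) {
        bool hit = fenced ? bothReadZero(fencedStore, fencedLoad)
                          : bothReadZero(releaseStore, acquireLoad);
        if (hit)
            ++count;
    }
    return count;
}

// Sanity check that the RMW-based pair really behaves as a store and a load.
int roundTrip(int value)
{
    std::atomic<int> v { 0 };
    fencedStore(v, value);
    return fencedLoad(v);
}
```

        The relaxed count is hardware- and timing-dependent (it is often nonzero on x86 and
        arm64 and may be zero on a single-core run), so only the fenced count is something a
        test can pin down.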
3547
3548 2017-06-02  Ryan Haddad  <ryanhaddad@apple.com>
3549
3550         Unreviewed, attempt to fix the iOS build after r217711.
3551
3552         * assembler/MacroAssemblerARM64.h:
3553         (JSC::MacroAssemblerARM64::xor32):
3554         (JSC::MacroAssemblerARM64::xor64):
3555
3556 2017-06-01  Filip Pizlo  <fpizlo@apple.com>
3557
3558         GC should use scrambled free-lists
3559         https://bugs.webkit.org/show_bug.cgi?id=172793
3560
3561         Reviewed by Mark Lam.
3562         
3563         Previously, our bump'n'pop allocator would use a conventional linked-list for the free-list.
3564         The linked-list would be threaded through free memory, as is the usual convention.
3565         
3566         This scrambles the next pointers of that free-list. It also scrambles the head pointer, because
3567         this leads to a more natural fast-path structure and saves one register on ARM64.
3568         
3569         The secret with which pointers are scrambled is per-allocator. Allocators choose a new secret
3570         every time they do a sweep-to-pop.
3571         
3572         This doesn't change the behavior of the bump part of bump'n'pop, but it does refactor the code
3573         quite a bit. Previously, there were four copies of the allocator fast path: two in
3574         MarkedAllocatorInlines.h, one in MarkedAllocator.cpp, and one in AssemblyHelpers.h. The JIT one
3575         was obviously different-looking, but the other three were almost identical. This moves all of
3576         that logic into FreeList. There are now just two copies of the allocator: FreeListInlines.h and
3577         AssemblyHelpers.h.
3578         
3579         This appears to be just as fast as our previous allocator.
3580
3581         * JavaScriptCore.xcodeproj/project.pbxproj:
3582         * heap/FreeList.cpp:
3583         (JSC::FreeList::FreeList):
3584         (JSC::FreeList::~FreeList):
3585         (JSC::FreeList::clear):
3586         (JSC::FreeList::initializeList):
3587         (JSC::FreeList::initializeBump):
3588         (JSC::FreeList::contains):
3589         (JSC::FreeList::dump):
3590         * heap/FreeList.h:
3591         (JSC::FreeList::allocationWillFail):
3592         (JSC::FreeList::originalSize):
3593         (JSC::FreeList::addressOfList):
3594         (JSC::FreeList::offsetOfBlock):
3595         (JSC::FreeList::offsetOfList):
3596         (JSC::FreeList::offsetOfIndex):
3597         (JSC::FreeList::offsetOfPayloadEnd):
3598         (JSC::FreeList::offsetOfRemaining):
3599         (JSC::FreeList::offsetOfOriginalSize):
3600         (JSC::FreeList::FreeList): Deleted.
3601         (JSC::FreeList::list): Deleted.
3602         (JSC::FreeList::bump): Deleted.
3603         (JSC::FreeList::operator==): Deleted.
3604         (JSC::FreeList::operator!=): Deleted.
3605         (JSC::FreeList::operator bool): Deleted.
3606         * heap/FreeListInlines.h: Added.
3607         (JSC::FreeList::addFreeCell):
3608         (JSC::FreeList::allocate):
3609         (JSC::FreeList::forEach):
3610         (JSC::FreeList::toOffset):
3611         (JSC::FreeList::fromOffset):
3612         * heap/IncrementalSweeper.cpp:
3613         (JSC::IncrementalSweeper::sweepNextBlock):
3614         * heap/MarkedAllocator.cpp:
3615         (JSC::MarkedAllocator::MarkedAllocator):
3616         (JSC::MarkedAllocator::didConsumeFreeList):
3617         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
3618         (JSC::MarkedAllocator::tryAllocateIn):
3619         (JSC::MarkedAllocator::allocateSlowCaseImpl):
3620         (JSC::MarkedAllocator::stopAllocating):
3621         (JSC::MarkedAllocator::prepareForAllocation):
3622         (JSC::MarkedAllocator::resumeAllocating):
3623         (JSC::MarkedAllocator::sweep):
3624         (JSC::MarkedAllocator::setFreeList): Deleted.
3625         * heap/MarkedAllocator.h:
3626         (JSC::MarkedAllocator::freeList):
3627         (JSC::MarkedAllocator::isFreeListedCell): Deleted.
3628         * heap/MarkedAllocatorInlines.h:
3629         (JSC::MarkedAllocator::isFreeListedCell):
3630         (JSC::MarkedAllocator::tryAllocate):
3631         (JSC::MarkedAllocator::allocate):
3632         * heap/MarkedBlock.cpp:
3633         (JSC::MarkedBlock::Handle::stopAllocating):
3634         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
3635         (JSC::MarkedBlock::Handle::resumeAllocating):
3636         (JSC::MarkedBlock::Handle::zap):
3637         (JSC::MarkedBlock::Handle::sweep):
3638         (JSC::MarkedBlock::Handle::isFreeListedCell):
3639         (JSC::MarkedBlock::Handle::forEachFreeCell): Deleted.
3640         * heap/MarkedBlock.h:
3641         * heap/MarkedBlockInlines.h:
3642         (JSC::MarkedBlock::Handle::specializedSweep):
3643         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace):
3644         (JSC::MarkedBlock::Handle::isFreeListedCell): Deleted.
3645         * heap/Subspace.cpp:
3646         (JSC::Subspace::finishSweep):
3647         * heap/Subspace.h:
3648         * jit/AssemblyHelpers.h:
3649         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
3650         * runtime/JSDestructibleObjectSubspace.cpp:
3651         (JSC::JSDestructibleObjectSubspace::finishSweep):
3652         * runtime/JSDestructibleObjectSubspace.h:
3653         * runtime/JSSegmentedVariableObjectSubspace.cpp:
3654         (JSC::JSSegmentedVariableObjectSubspace::finishSweep):
3655         * runtime/JSSegmentedVariableObjectSubspace.h:
3656         * runtime/JSStringSubspace.cpp:
3657         (JSC::JSStringSubspace::finishSweep):
3658         * runtime/JSStringSubspace.h:
3659         * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp:
3660         (JSC::JSWebAssemblyCodeBlockSubspace::finishSweep):
3661         * wasm/js/JSWebAssemblyCodeBlockSubspace.h:
3662
3663 2017-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>
3664
3665         [JSC] Use @globalPrivate for concatSlowPath
3666         https://bugs.webkit.org/show_bug.cgi?id=172802
3667
3668         Reviewed by Darin Adler.
3669
3670         Use @globalPrivate instead of manually putting it to JSGlobalObject.
3671
3672         * builtins/ArrayPrototype.js:
3673         (concatSlowPath): Deleted.
3674         * runtime/JSGlobalObject.cpp:
3675         (JSC::JSGlobalObject::init):
3676
3677 2017-06-01  Andy Estes  <aestes@apple.com>
3678
3679         REGRESSION (r217626): ENABLE_APPLE_PAY_SESSION_V3 was disabled by mistake
3680         https://bugs.webkit.org/show_bug.cgi?id=172828
3681
3682         Reviewed by Beth Dakin.
3683
3684         * Configurations/FeatureDefines.xcconfig:
3685
3686 2017-06-01  Keith Miller  <keith_miller@apple.com>
3687
3688         Undo rollout in r217638 with bug fix
3689         https://bugs.webkit.org/show_bug.cgi?id=172824
3690
3691         Unreviewed, reland patch with unused set_state code removed.
3692
3693         * API/tests/ExecutionTimeLimitTest.cpp:
3694         (dispatchTermitateCallback):
3695         (testExecutionTimeLimit):
3696         * runtime/JSLock.cpp:
3697         (JSC::JSLock::didAcquireLock):
3698         * runtime/Options.cpp:
3699         (JSC::overrideDefaults):
3700         (JSC::Options::initialize):
3701         * runtime/Options.h:
3702         * runtime/VMTraps.cpp:
3703         (JSC::SignalContext::SignalContext):
3704         (JSC::SignalContext::adjustPCToPointToTrappingInstruction):
3705         (JSC::installSignalHandler):
3706         (JSC::VMTraps::SignalSender::send):
3707         * tools/SigillCrashAnalyzer.cpp:
3708         (JSC::SignalContext::SignalContext):
3709         (JSC::SignalContext::dump):
3710         (JSC::installCrashHandler):
3711         * wasm/WasmBBQPlan.cpp:
3712         (JSC::Wasm::BBQPlan::compileFunctions):
3713         * wasm/WasmFaultSignalHandler.cpp:
3714         (JSC::Wasm::trapHandler):
3715         (JSC::Wasm::enableFastMemory):
3716         * wasm/WasmMachineThreads.cpp:
3717         (JSC::Wasm::resetInstructionCacheOnAllThreads):
3718
3719 2017-06-01  Guillaume Emont  <guijemont@igalia.com>
3720
3721         [JSC][MIPS] SamplingProfiler::timerLoop() sleeps for 4000+ seconds
3722         https://bugs.webkit.org/show_bug.cgi?id=172800
3723
3724         Reviewed by Saam Barati.
3725
3726         This fixes a static_cast<uint64_t> by making it a cast to int64_t
3727         instead, which looks like the original intent. This fixes the
3728         sampling-profiler tests in JSTests/stress.
3729
3730         * runtime/SamplingProfiler.cpp:
3731         (JSC::SamplingProfiler::timerLoop):
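
        The entry above fixes a sign-to-unsigned cast in the profiler's sleep
        computation. The following is an added example, not WebKit's
        SamplingProfiler code: it models the bug class with a constructed
        interval and elapsed time (both in microseconds, both assumptions),
        showing the unsigned conversion beside the signed, clamped form.

```cpp
#include <chrono>
#include <cstdint>
#include <cstdio>

// Added example, not WebKit's SamplingProfiler code. It models the bug class
// in the entry above: the time left until the next sample can be negative
// when the previous sample overran its interval, and converting that negative
// remainder to an unsigned type turns "no sleep needed" into an enormous
// sleep. Interval and elapsed values are in microseconds and are assumptions.

// Bug pattern: a negative remainder wraps to roughly 2^64 microseconds.
uint64_t remainingSleepUnsigned(int64_t intervalUs, int64_t elapsedUs)
{
    int64_t remaining = intervalUs - elapsedUs;
    return static_cast<uint64_t>(remaining); // well-defined, but wraps for negatives
}

// Fixed pattern: keep the signed type and clamp at zero, so an overrun
// interval means "sample immediately", never "sleep for thousands of seconds".
int64_t remainingSleepSigned(int64_t intervalUs, int64_t elapsedUs)
{
    int64_t remaining = intervalUs - elapsedUs;
    return remaining > 0 ? remaining : 0;
}

// Only the clamped, signed value is ever turned into a duration for sleeping.
std::chrono::microseconds nextSleep(int64_t intervalUs, int64_t elapsedUs)
{
    return std::chrono::microseconds(remainingSleepSigned(intervalUs, elapsedUs));
}

int main()
{
    // Constructed sample: a 1000 us sampling interval, but collecting the last
    // stack trace took 1500 us, so the loop is 500 us behind schedule.
    const int64_t intervalUs = 1000;
    const int64_t elapsedUs = 1500;

    uint64_t wrapped = remainingSleepUnsigned(intervalUs, elapsedUs);
    std::printf("unsigned remainder: %llu us (about %.0f seconds)\n",
                static_cast<unsigned long long>(wrapped),
                static_cast<double>(wrapped) / 1e6);
    std::printf("signed, clamped remainder: %lld us\n",
                static_cast<long long>(nextSleep(intervalUs, elapsedUs).count()));
    return 0;
}
```

        The clamp is the check worth keeping even after the cast is fixed: a
        signed negative duration handed to a sleep call is harmless, but
        making the "behind schedule" case explicit keeps it from being
        re-introduced by a later refactor.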
3732
3733 2017-06-01  Tomas Popela  <tpopela@redhat.com>, Mark Lam  <mark.lam@apple.com>
3734
3735         RELEASE_ASSERT_NOT_REACHED() in InferredType::kindForFlags() on Big-Endians
3736         https://bugs.webkit.org/show_bug.cgi?id=170945
3737
3738         Reviewed by Mark Lam.
3739
3740         Re-define PutByIdFlags as an int32_t enum explicitly because it is
3741         stored as an int32_t value in UnlinkedInstruction.  This prevents
3742         a bug on 64-bit big endian architectures where the word order is
3743         inverted (when we convert the UnlinkedInstruction into a CodeBlock
3744         Instruction), resulting in the PutByIdFlags value not being stored in
3745         the 32-bit word that the rest of the code expects it to be in.
3746
3747         * bytecode/PutByIdFlags.h:
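
        The entry above is about a 32-bit value landing in the wrong 32-bit
        word once word order is inverted. The following is an added example,
        not WebKit's Instruction or UnlinkedInstruction code: it models an
        8-byte operand slot and shows why reading "the first 32-bit word" finds
        a widened value on little-endian but not on big-endian, and why pinning
        the enum to a 4-byte underlying type removes the dependence. The slot
        layout and widths are assumptions for illustration.

```cpp
#include <array>
#include <cstdint>
#include <cstdio>
#include <initializer_list>

// Added example, not WebKit's Instruction/UnlinkedInstruction code. It models
// the hazard in the entry above: a 32-bit flags value that occupies a 64-bit
// slot is found by "the 32-bit word at the lowest address" on little-endian
// but not on big-endian, where that word is the (zero) high half. The slot
// layout and byte widths are assumptions for illustration.

enum class ByteOrder { Little, Big };

using Slot = std::array<uint8_t, 8>; // one 8-byte instruction operand slot

// Store `value` into the first `width` bytes (4 or 8) of a slot, in `order`.
Slot store(uint64_t value, int width, ByteOrder order)
{
    Slot slot {};
    for (int i = 0; i < width; ++i) {
        int shift = (order == ByteOrder::Little) ? 8 * i : 8 * (width - 1 - i);
        slot[i] = static_cast<uint8_t>(value >> shift);
    }
    return slot;
}

// Read the 32-bit word at the lowest address of the slot, in `order`.
uint32_t loadFirstWord(const Slot& slot, ByteOrder order)
{
    uint32_t value = 0;
    for (int i = 0; i < 4; ++i) {
        int shift = (order == ByteOrder::Little) ? 8 * i : 8 * (3 - i);
        value |= static_cast<uint32_t>(slot[i]) << shift;
    }
    return value;
}

// Bug pattern: an enum with no fixed underlying type is widened to the full
// 8-byte slot on store, but consumers read the first 32-bit word.
uint32_t roundTripWidened(uint32_t flags, ByteOrder order)
{
    return loadFirstWord(store(flags, 8, order), order);
}

// Fixed pattern: the enum is declared ": int32_t", so exactly four bytes are
// written and the same four bytes are read, whatever the byte order.
uint32_t roundTripFixed32(uint32_t flags, ByteOrder order)
{
    return loadFirstWord(store(flags, 4, order), order);
}

int main()
{
    const uint32_t flags = 0x2A; // constructed flags value
    for (ByteOrder order : { ByteOrder::Little, ByteOrder::Big }) {
        std::printf("%s-endian: widened -> 0x%X, fixed 32-bit -> 0x%X\n",
                    order == ByteOrder::Little ? "little" : "big",
                    roundTripWidened(flags, order), roundTripFixed32(flags, order));
    }
    return 0;
}
```

        Running it on a little-endian host is enough to see both outcomes,
        because the byte order is simulated rather than taken from the CPU;
        that is also how such a test can live in a regular CI run without a
        big-endian builder.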
3748
3749 2017-05-31  Yusuke Suzuki  <utatane.tea@gmail.com>
3750
3751         [JSC] Implement String.prototype.concat in JS builtins
3752         https://bugs.webkit.org/show_bug.cgi?id=172798
3753
3754         Reviewed by Sam Weinig.
3755
3756         Since we have a highly effective + operation for strings,
3757         implementing String.prototype.concat in JS simplifies the
3758         implementation and improves performance by using speculated
3759         types.
3760
3761         Added microbenchmarks show performance improvement.
3762
3763         string-concat-long-convert     1063.2787+-12.9101    ^    109.0855+-2.8083        ^ definitely 9.7472x faster
3764         string-concat-convert          1111.1366+-12.2363    ^     99.3402+-1.9874        ^ definitely 11.1852x faster
3765         string-concat                   131.7377+-3.8359     ^     54.3949+-0.9580        ^ definitely 2.4219x faster
3766         string-concat-long               79.4726+-1.9644     ^     64.6301+-1.4941        ^ definitely 1.2297x faster
3767
3768         * builtins/StringPrototype.js:
3769         (globalPrivate.stringConcatSlowPath):
3770         (concat):
3771         * runtime/StringPrototype.cpp:
3772         (JSC::StringPrototype::finishCreation):
3773         (JSC::stringProtoFuncConcat): Deleted.
3774
3775 2017-05-31  Mark Lam  <mark.lam@apple.com>
3776
3777         Remove overrides of visitChildren() that do not add any functionality.
3778         https://bugs.webkit.org/show_bug.cgi?id=172789
3779         <rdar://problem/32500865>
3780
3781         Reviewed by Andreas Kling.
3782
3783         * bytecode/UnlinkedModuleProgramCodeBlock.cpp:
3784         (JSC::UnlinkedModuleProgramCodeBlock::visitChildren): Deleted.
3785         * bytecode/UnlinkedModuleProgramCodeBlock.h:
3786         * bytecode/UnlinkedProgramCodeBlock.cpp:
3787         (JSC::UnlinkedProgramCodeBlock::visitChildren): Deleted.
3788         * bytecode/UnlinkedProgramCodeBlock.h:
3789         * wasm/js/WebAssemblyFunction.cpp:
3790         (JSC::WebAssemblyFunction::visitChildren): Deleted.
3791         * wasm/js/WebAssemblyFunction.h:
3792         * wasm/js/WebAssemblyInstanceConstructor.cpp:
3793         (JSC::WebAssemblyInstanceConstructor::visitChildren): Deleted.
3794         * wasm/js/WebAssemblyInstanceConstructor.h:
3795         * wasm/js/WebAssemblyMemoryConstructor.cpp:
3796         (JSC::WebAssemblyMemoryConstructor::visitChildren): Deleted.
3797         * wasm/js/WebAssemblyMemoryConstructor.h:
3798         * wasm/js/WebAssemblyModuleConstructor.cpp:
3799         (JSC::WebAssemblyModuleConstructor::visitChildren): Deleted.
3800         * wasm/js/WebAssemblyModuleConstructor.h:
3801         * wasm/js/WebAssemblyTableConstructor.cpp:
3802         (JSC::WebAssemblyTableConstructor::visitChildren): Deleted.
3803         * wasm/js/WebAssemblyTableConstructor.h:
3804
3805 2017-05-31  Commit Queue  <commit-queue@webkit.org>
3806
3807         Unreviewed, rolling out r217611 and r217631.
3808         https://bugs.webkit.org/show_bug.cgi?id=172785
3809
3810         "caused wasm-hashset-many.html to become flaky." (Requested by
3811         keith_miller on #webkit).
3812
3813         Reverted changesets:
3814
3815         "Reland r216808, underlying lldb bug has been fixed."
3816         https://bugs.webkit.org/show_bug.cgi?id=172759
3817         http://trac.webkit.org/changeset/217611
3818
3819         "Use dispatch queues for mach exceptions"
3820         https://bugs.webkit.org/show_bug.cgi?id=172775
3821         http://trac.webkit.org/changeset/217631
3822
3823 2017-05-31  Oleksandr Skachkov  <gskachkov@gmail.com>
3824
3825         Rolling out: Prevent async methods named 'function'
3826         https://bugs.webkit.org/show_bug.cgi?id=172776
3827
3828         Reviewed by Mark Lam.
3829
3830         Rolling out https://bugs.webkit.org/show_bug.cgi?id=172660 r217578,
3831         https://bugs.webkit.org/show_bug.cgi?id=172598 r217478.
3832         The PR to the spec was closed, so the changes need to be rolled out. See
3833         https://github.com/tc39/ecma262/pull/884#issuecomment-305212494
3834
3835         * parser/Parser.cpp:
3836         (JSC::Parser<LexerType>::parseClass):
3837         (JSC::Parser<LexerType>::parsePropertyMethod):
3838
3839 2017-05-31  Andy Estes  <aestes@apple.com>
3840
3841         Rename ENABLE_APPLE_PAY_DELEGATE to ENABLE_APPLE_PAY_SESSION_V3 and bump the supported version number
3842         https://bugs.webkit.org/show_bug.cgi?id=172366
3843
3844         Reviewed by Daniel Bates.
3845
3846         * Configurations/FeatureDefines.xcconfig:
3847
3848 2017-05-31  Keith Miller  <keith_miller@apple.com>
3849
3850         Reland r216808, underlying lldb bug has been fixed.
3851         https://bugs.webkit.org/show_bug.cgi?id=172759
3852
3853
3854         Unreviewed, relanding old patch. See: rdar://problem/31183352
3855
3856         * API/tests/ExecutionTimeLimitTest.cpp:
3857         (dispatchTermitateCallback):
3858         (testExecutionTimeLimit):
3859         * runtime/JSLock.cpp:
3860         (JSC::JSLock::didAcquireLock):
3861         * runtime/Options.cpp:
3862         (JSC::overrideDefaults):
3863         (JSC::Options::initialize):
3864         * runtime/Options.h:
3865         * runtime/VMTraps.cpp:
3866         (JSC::SignalContext::SignalContext):
3867         (JSC::SignalContext::adjustPCToPointToTrappingInstruction):
3868         (JSC::installSignalHandler):
3869         (JSC::VMTraps::SignalSender::send):
3870         * tools/SigillCrashAnalyzer.cpp:
3871         (JSC::SignalContext::SignalContext):
3872         (JSC::SignalContext::dump):
3873         (JSC::installCrashHandler):
3874         * wasm/WasmBBQPlan.cpp:
3875         (JSC::Wasm::BBQPlan::compileFunctions):
3876         * wasm/WasmFaultSignalHandler.cpp:
3877         (JSC::Wasm::trapHandler):
3878         (JSC::Wasm::enableFastMemory):
3879         * wasm/WasmMachineThreads.cpp:
3880         (JSC::Wasm::resetInstructionCacheOnAllThreads):
3881
3882 2017-05-31  Keith Miller  <keith_miller@apple.com>
3883
3884         Fix leak in PromiseDeferredTimer
3885         https://bugs.webkit.org/show_bug.cgi?id=172755
3886
3887         Reviewed by JF Bastien.
3888
3889         We were not properly freeing the list of dependencies if we were already tracking the promise before.
3890         This is because addPendingPromise takes the list of dependencies as an rvalue-reference. In the case
3891         where we were already tracking the promise we append the provided dependency list to the existing list.
3892         Since we never bound our rvalue-ref to a non-temporary value we never destructed the Vector, leaking its
3893         contents.
3894
3895         * runtime/PromiseDeferredTimer.cpp:
3896         (JSC::PromiseDeferredTimer::addPendingPromise):
3897
3898 2017-05-30  Oleksandr Skachkov  <gskachkov@gmail.com>
3899
3900         Prevent async methods named 'function' in Object literal
3901         https://bugs.webkit.org/show_bug.cgi?id=172660
3902
3903         Reviewed by Saam Barati.
3904
3905         Prevent async methods named 'function' in object literals.
3906         https://github.com/tc39/ecma262/pull/884
3907
3908         * parser/Parser.cpp:
3909         (JSC::Parser<LexerType>::parsePropertyMethod):
3910
3911 2017-05-30  Oleksandr Skachkov  <gskachkov@gmail.com>
3912
3913         ASSERTION FAILED: generator.isConstructor() || generator.derivedContextType() == DerivedContextType::DerivedConstructorContext
3914         https://bugs.webkit.org/show_bug.cgi?id=171274
3915
3916         Reviewed by Saam Barati.
3917
3918         The current patch allows using an async arrow function within a constructor,
3919         and allows access to `this`. The current patch forces loading `this` from the
3920         virtual scope each time we access `this` in an async arrow function
3921         within a constructor. This is necessary because the async function can be
3922         suspended, `superCall` can be called, and the async function resumed.
3923
3924         * bytecompiler/BytecodeGenerator.cpp:
3925         (JSC::BytecodeGenerator::emitPutGeneratorFields):
3926         (JSC::BytecodeGenerator::ensureThis):
3927         * bytecompiler/BytecodeGenerator.h:
3928         (JSC::BytecodeGenerator::makeFunction):
3929
3930 2017-05-30  Ali Juma  <ajuma@chromium.org>
3931
3932         [CredentialManagement] Incorporate IDL updates from latest spec
3933         https://bugs.webkit.org/show_bug.cgi?id=172011
3934
3935         Reviewed by Daniel Bates.
3936
3937         * runtime/CommonIdentifiers.h:
3938
3939 2017-05-30  Alex Christensen  <achristensen@webkit.org>
3940
3941         Update libwebrtc configuration
3942         https://bugs.webkit.org/show_bug.cgi?id=172727
3943
3944         Reviewed by Geoffrey Garen.
3945
3946         * Configurations/FeatureDefines.xcconfig:
3947
3948 2017-05-28  Dan Bernstein  <mitz@apple.com>
3949
3950         [Xcode] ALWAYS_SEARCH_USER_PATHS is set to YES
3951         https://bugs.webkit.org/show_bug.cgi?id=172691
3952
3953         Reviewed by Tim Horton.
3954
3955         * Configurations/Base.xcconfig: Set ALWAYS_SEARCH_USER_PATHS to NO.
3956         * JavaScriptCore.xcodeproj/project.pbxproj: Added ParseInt.h to the JavaScriptCore target.
3957
3958 2017-05-28  Yusuke Suzuki  <utatane.tea@gmail.com>
3959
3960         [JSC] Provide better type information of toLength and tighten bytecode
3961         https://bugs.webkit.org/show_bug.cgi?id=172690
3962
3963         Reviewed by Sam Weinig.
3964
3965         In this patch, we carefully leverage operator + in order to
3966
3967         1. tighten bytecode
3968
3969         operator+ emits to_number bytecode. What this bytecode does is the same
3970         as a @Number() call. It is more efficient, and it is smaller bytecode
3971         than a @Number() call (load global variable @Number, set up arguments, and
3972         call it).
3973
3974         2. offer better type prediction data
3975
3976         Now, we have code like
3977
3978             length > 0 ? (length < @MAX_SAFE_INTEGER ? length : @MAX_SAFE_INTEGER) : 0
3979
3980         This is not good because the DFG prediction propagation phase predicts Double
3981         since @MAX_SAFE_INTEGER is a double. But actually it rarely becomes Double.
3982         Usually, the result becomes Int32. This patch leverages to_number in a somewhat
3983         interesting way: to_number has value profiling to offer better type prediction.
3984         This value profiling can offer a chance to change the prediction to Int32 efficiently.
3985         It is a bit tricky. But it is worth doing to speed up our builtin functions,
3986         which should leverage all of JSC's tricky things to be optimized.
3987
3988         Related microbenchmarks show performance improvement.
3989
3990                                                   baseline                  patched
3991
3992             array-prototype-forEach           50.2348+-2.2331           49.7568+-2.3507
3993             array-prototype-map               51.0574+-1.8166           47.9531+-2.1653          might be 1.0647x faster
3994             array-prototype-some              52.3926+-1.8882     ^     48.3632+-2.0852        ^ definitely 1.0833x faster
3995             array-prototype-every             52.7394+-2.0712