Web Inspector: support undo/redo of insertAdjacentHTML
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2017-11-09  Devin Rousso  <webkit@devinrousso.com>
2
3         Web Inspector: support undo/redo of insertAdjacentHTML
4         https://bugs.webkit.org/show_bug.cgi?id=179283
5
6         Reviewed by Joseph Pecoraro.
7
8         * inspector/protocol/DOM.json:
9         Add an `insertAdjacentHTML` command that executes an undoable version of `insertAdjacentHTML`
10         on the given node.
11
12 2017-11-09  Joseph Pecoraro  <pecoraro@apple.com>
13
14         Web Inspector: Make domain availability a list of types instead of a single type
15         https://bugs.webkit.org/show_bug.cgi?id=179457
16
17         Reviewed by Brian Burg.
18
19         * inspector/scripts/codegen/generate_js_backend_commands.py:
20         (JSBackendCommandsGenerator.generate_domain):
21         Update output of `InspectorBackend.activateDomain` to include the list.
22
23         * inspector/scripts/codegen/models.py:
24         (Protocol.parse_domain):
25         Parse `availability` as a list and include a new supported value of "service-worker".
26
27         * inspector/protocol/ApplicationCache.json:
28         * inspector/protocol/CSS.json:
29         * inspector/protocol/Canvas.json:
30         * inspector/protocol/DOM.json:
31         * inspector/protocol/DOMDebugger.json:
32         * inspector/protocol/DOMStorage.json:
33         * inspector/protocol/Database.json:
34         * inspector/protocol/IndexedDB.json:
35         * inspector/protocol/LayerTree.json:
36         * inspector/protocol/Memory.json:
37         * inspector/protocol/Network.json:
38         * inspector/protocol/Page.json:
39         * inspector/protocol/Timeline.json:
40         * inspector/protocol/Worker.json:
41         Update `availability` to be a list.
42
43         * inspector/scripts/tests/generic/domain-availability.json:
44         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
45         * inspector/scripts/tests/generic/expected/fail-on-domain-availability-type.json-error: Added.
46         * inspector/scripts/tests/generic/expected/fail-on-domain-availability-value.json-error: Added.
47         * inspector/scripts/tests/generic/expected/fail-on-domain-availability.json-error:
48         * inspector/scripts/tests/generic/fail-on-domain-availability-type.json: Copied from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-availability.json.
49         * inspector/scripts/tests/generic/fail-on-domain-availability-value.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-availability.json.
50         Update tests to include a test for the type and an invalid value.
51
52 2017-11-03  Yusuke Suzuki  <utatane.tea@gmail.com>
53
54         [JSC][JIT] Clean up SlowPathCall stubs
55         https://bugs.webkit.org/show_bug.cgi?id=179247
56
57         Reviewed by Saam Barati.
58
59         We have a bunch of duplicate functions that just call a slow path function.
60         This patch cleans up the above duplication.
61
62         * jit/JIT.cpp:
63         (JSC::JIT::emitSlowCaseCall):
64         (JSC::JIT::privateCompileSlowCases):
65         * jit/JIT.h:
66         * jit/JITArithmetic.cpp:
67         (JSC::JIT::emitSlow_op_unsigned): Deleted.
68         (JSC::JIT::emitSlow_op_inc): Deleted.
69         (JSC::JIT::emitSlow_op_dec): Deleted.
70         (JSC::JIT::emitSlow_op_bitand): Deleted.
71         (JSC::JIT::emitSlow_op_bitor): Deleted.
72         (JSC::JIT::emitSlow_op_bitxor): Deleted.
73         (JSC::JIT::emitSlow_op_lshift): Deleted.
74         (JSC::JIT::emitSlow_op_rshift): Deleted.
75         (JSC::JIT::emitSlow_op_urshift): Deleted.
76         (JSC::JIT::emitSlow_op_div): Deleted.
77         * jit/JITArithmetic32_64.cpp:
78         (JSC::JIT::emitSlow_op_unsigned): Deleted.
79         (JSC::JIT::emitSlow_op_inc): Deleted.
80         (JSC::JIT::emitSlow_op_dec): Deleted.
81         * jit/JITOpcodes.cpp:
82         (JSC::JIT::emitSlow_op_create_this): Deleted.
83         (JSC::JIT::emitSlow_op_check_tdz): Deleted.
84         (JSC::JIT::emitSlow_op_to_this): Deleted.
85         (JSC::JIT::emitSlow_op_to_primitive): Deleted.
86         (JSC::JIT::emitSlow_op_not): Deleted.
87         (JSC::JIT::emitSlow_op_stricteq): Deleted.
88         (JSC::JIT::emitSlow_op_nstricteq): Deleted.
89         (JSC::JIT::emitSlow_op_to_number): Deleted.
90         (JSC::JIT::emitSlow_op_to_string): Deleted.
91         (JSC::JIT::emitSlow_op_to_object): Deleted.
92         (JSC::JIT::emitSlow_op_get_direct_pname): Deleted.
93         (JSC::JIT::emitSlow_op_has_structure_property): Deleted.
94         * jit/JITOpcodes32_64.cpp:
95         (JSC::JIT::emitSlow_op_to_primitive): Deleted.
96         (JSC::JIT::emitSlow_op_not): Deleted.
97         (JSC::JIT::emitSlow_op_stricteq): Deleted.
98         (JSC::JIT::emitSlow_op_nstricteq): Deleted.
99         (JSC::JIT::emitSlow_op_to_number): Deleted.
100         (JSC::JIT::emitSlow_op_to_string): Deleted.
101         (JSC::JIT::emitSlow_op_to_object): Deleted.
102         (JSC::JIT::emitSlow_op_create_this): Deleted.
103         (JSC::JIT::emitSlow_op_to_this): Deleted.
104         (JSC::JIT::emitSlow_op_check_tdz): Deleted.
105         (JSC::JIT::emitSlow_op_get_direct_pname): Deleted.
106         * jit/JITPropertyAccess.cpp:
107         (JSC::JIT::emitSlow_op_resolve_scope): Deleted.
108         * jit/JITPropertyAccess32_64.cpp:
109         (JSC::JIT::emit_op_resolve_scope):
110         (JSC::JIT::emitSlow_op_resolve_scope): Deleted.
111         * jit/SlowPathCall.h:
112         (JSC::JITSlowPathCall::JITSlowPathCall):
113         * runtime/CommonSlowPaths.cpp:
114         (JSC::SLOW_PATH_DECL):
115         * runtime/CommonSlowPaths.h:
116
117 2017-11-09  Guillaume Emont  <guijemont@igalia.com>
118
119         [JSC][MIPS] Use fcsr to check the validity of the result of trunc.w.d
120         https://bugs.webkit.org/show_bug.cgi?id=179446
121
122         Reviewed by Žan Doberšek.
123
124         The trunc.w.d mips instruction should give a 0x7fffffff result when
125         the source value is Infinity, NaN, or rounds to an integer outside the
126         range -2^31 to 2^31 - 1. This is what branchTruncateDoubleToInt32() and
127         branchTruncateDoubleToUInt32() have been relying on. It turns out that
128         this assumption is not true on some CPUs, including on the ci20 on
129         which we run the testbot (we get 0x80000000 instead). We should use the
130         invalid operation cause bit instead to check whether the source value
131         could be properly truncated. This requires the addition of the cfc1
132         instruction, as well as the special registers that can be used with it
133         (control registers of CP1).
134
135         * assembler/MIPSAssembler.h:
136         (JSC::MIPSAssembler::firstSPRegister):
137         (JSC::MIPSAssembler::lastSPRegister):
138         (JSC::MIPSAssembler::numberOfSPRegisters):
139         (JSC::MIPSAssembler::sprName):
140         Added control registers of CP1.
141         (JSC::MIPSAssembler::cfc1):
142         Added.
143         * assembler/MacroAssemblerMIPS.h:
144         (JSC::MacroAssemblerMIPS::branchOnTruncateResult):
145         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
146         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUint32):
147         Use fcsr to check if the value could be properly truncated.
148
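        The entry above explains why a sentinel result (0x7fffffff) is not a reliable signal that a
        double could not be truncated. The following is an added illustration, not JSC code: it
        makes the range decision explicit before converting, so the result does not depend on what
        a particular CPU returns for NaN, Infinity or out-of-range inputs. The function names and the
        toy `sentinelSaysInvalid` check are assumptions made for this example.

```cpp
#include <cmath>
#include <cstdint>

// Added illustration, not JSC code: trust the conversion only when an explicit
// range check says the double is representable, instead of relying on a
// hardware sentinel (0x7fffffff) that some CPUs do not produce.

// trunc(value) lies in [-2^31, 2^31 - 1] exactly when -2^31 - 1 < value < 2^31.
// NaN fails both comparisons, and so does +/-Infinity, so no separate test is needed.
inline bool canTruncateToInt32(double value)
{
    return value > -2147483649.0 && value < 2147483648.0;
}

inline bool tryTruncateToInt32(double value, int32_t& out)
{
    if (!canTruncateToInt32(value))
        return false;
    out = static_cast<int32_t>(std::trunc(value));
    return true;
}

// Same idea for the unsigned variant: trunc(value) must lie in [0, 2^32 - 1].
inline bool canTruncateToUint32(double value)
{
    return value > -1.0 && value < 4294967296.0;
}

inline bool tryTruncateToUint32(double value, uint32_t& out)
{
    if (!canTruncateToUint32(value))
        return false;
    out = static_cast<uint32_t>(std::trunc(value));
    return true;
}

// The check the entry describes as unreliable: deciding "invalid" purely from
// the sentinel result. A CPU that returns 0x80000000 for an invalid truncation
// slips past it, which is exactly the failure mode being fixed.
inline bool sentinelSaysInvalid(int32_t hardwareResult)
{
    return hardwareResult == 0x7fffffff;
}
```

        The range bounds are chosen so that values such as 2147483647.5 (which truncates to
        2^31 - 1) are accepted while 2147483648.0 and -2147483649.0 are rejected.
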
149 2017-11-08  Jeremy Jones  <jeremyj@apple.com>
150
151         HTMLMediaElement should not use element fullscreen on iOS
152         https://bugs.webkit.org/show_bug.cgi?id=179418
153         rdar://problem/35409277
154
155         Reviewed by Eric Carlson.
156
157         Add ENABLE_VIDEO_USES_ELEMENT_FULLSCREEN to determine if HTMLMediaElement should use element full screen or not.
158
159         * Configurations/FeatureDefines.xcconfig:
160
161 2017-11-08  Joseph Pecoraro  <pecoraro@apple.com>
162
163         Web Inspector: Show Internal properties of PaymentRequest in Web Inspector Console
164         https://bugs.webkit.org/show_bug.cgi?id=179276
165
166         Reviewed by Andy Estes.
167
168         * inspector/InjectedScriptHost.h:
169         * inspector/JSInjectedScriptHost.cpp:
170         (Inspector::JSInjectedScriptHost::getInternalProperties):
171         Call through to virtual implementation so that WebCore can provide custom
172         internal properties for Web / DOM objects.
173
174 2017-11-08  Saam Barati  <sbarati@apple.com>
175
176         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
177         https://bugs.webkit.org/show_bug.cgi?id=177792
178
179         Reviewed by Yusuke Suzuki.
180
181         Before this patch, if a JSFunction's rare data initialized its allocation profile
182         before its backing Executable's poly proto watchpoint was invalidated, that
183         JSFunction would continue to allocate non-poly proto objects until its allocation
184         profile was cleared (which essentially never happens in practice). This patch
185         improves on this pathology. A JSFunction's rare data will now watch the poly
186         proto watchpoint if it's still valid and clear its allocation profile when we
187         detect that we should go poly proto.
188
189         * bytecode/ObjectAllocationProfile.h:
190         * bytecode/ObjectAllocationProfileInlines.h:
191         (JSC::ObjectAllocationProfile::initializeProfile):
192         * runtime/FunctionRareData.cpp:
193         (JSC::FunctionRareData::initializeObjectAllocationProfile):
194         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::fireInternal):
195         * runtime/FunctionRareData.h:
196         (JSC::FunctionRareData::hasAllocationProfileClearingWatchpoint const):
197         (JSC::FunctionRareData::createAllocationProfileClearingWatchpoint):
198         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::AllocationProfileClearingWatchpoint):
199
200 2017-11-08  Keith Miller  <keith_miller@apple.com>
201
202         Add super sampler begin and end bytecodes.
203         https://bugs.webkit.org/show_bug.cgi?id=179376
204
205         Reviewed by Filip Pizlo.
206
207         This patch adds a way to measure a narrow range of bytecodes for
208         performance. This is done using the same infrastructure as the
209         super sampler. I also added a class that helps do the bytecode
210         checking with RAII. One problem with the current way this is done
211         is that we don't handle decrementing early exits, either from
212         branches or exceptions. So, when using this API users need to
213         ensure that there are no early exits or that those exits don't
214         occur in the measured code.
215
216         * JavaScriptCore.xcodeproj/project.pbxproj:
217         * bytecode/BytecodeDumper.cpp:
218         (JSC::BytecodeDumper<Block>::dumpBytecode):
219         * bytecode/BytecodeList.json:
220         * bytecode/BytecodeUseDef.h:
221         (JSC::computeUsesForBytecodeOffset):
222         (JSC::computeDefsForBytecodeOffset):
223         * bytecompiler/BytecodeGenerator.cpp:
224         (JSC::BytecodeGenerator::emitSuperSamplerBegin):
225         (JSC::BytecodeGenerator::emitSuperSamplerEnd):
226         * bytecompiler/BytecodeGenerator.h:
227         * bytecompiler/SuperSamplerBytecodeScope.h: Added.
228         (JSC::SuperSamplerBytecodeScope::SuperSamplerBytecodeScope):
229         (JSC::SuperSamplerBytecodeScope::~SuperSamplerBytecodeScope):
230         * dfg/DFGAbstractInterpreterInlines.h:
231         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
232         * dfg/DFGByteCodeParser.cpp:
233         (JSC::DFG::ByteCodeParser::parseBlock):
234         * dfg/DFGClobberize.h:
235         (JSC::DFG::clobberize):
236         * dfg/DFGClobbersExitState.cpp:
237         (JSC::DFG::clobbersExitState):
238         * dfg/DFGDoesGC.cpp:
239         (JSC::DFG::doesGC):
240         * dfg/DFGFixupPhase.cpp:
241         (JSC::DFG::FixupPhase::fixupNode):
242         * dfg/DFGMayExit.cpp:
243         * dfg/DFGNodeType.h:
244         * dfg/DFGPredictionPropagationPhase.cpp:
245         * dfg/DFGSafeToExecute.h:
246         (JSC::DFG::safeToExecute):
247         * dfg/DFGSpeculativeJIT.cpp:
248         * dfg/DFGSpeculativeJIT32_64.cpp:
249         (JSC::DFG::SpeculativeJIT::compile):
250         * dfg/DFGSpeculativeJIT64.cpp:
251         (JSC::DFG::SpeculativeJIT::compile):
252         * ftl/FTLCapabilities.cpp:
253         (JSC::FTL::canCompile):
254         * ftl/FTLLowerDFGToB3.cpp:
255         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
256         (JSC::FTL::DFG::LowerDFGToB3::compileSuperSamplerBegin):
257         (JSC::FTL::DFG::LowerDFGToB3::compileSuperSamplerEnd):
258         * jit/JIT.cpp:
259         (JSC::JIT::privateCompileMainPass):
260         * jit/JIT.h:
261         * jit/JITOpcodes.cpp:
262         (JSC::JIT::emit_op_super_sampler_begin):
263         (JSC::JIT::emit_op_super_sampler_end):
264         * llint/LLIntSlowPaths.cpp:
265         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
266         * llint/LLIntSlowPaths.h:
267         * llint/LowLevelInterpreter.asm:
268
269 2017-11-08  Robin Morisset  <rmorisset@apple.com>
270
271         Turn recursive tail calls into loops
272         https://bugs.webkit.org/show_bug.cgi?id=176601
273
274         Reviewed by Saam Barati.
275
276         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
277
278         We want to turn recursive tail calls into loops early in the pipeline, so that the loops can then be optimized.
279         One difficulty is that we need to split the entry block of the function we are jumping to in order to have somewhere to jump to.
280         Worse: it is not necessarily the first block of the codeBlock, because of inlining! So we must do the splitting in the DFGByteCodeParser, at the same time as inlining.
281         We do this part through modifying the computation of the jump targets.
282         Importantly, we only do this splitting for functions that have tail calls.
283         It is the only case where the optimisation is sound, and doing the splitting unconditionally destroys performance on Octane/raytrace.
284
285         We must then do the actual transformation also in DFGByteCodeParser, to avoid code motion moving code out of the body of what will become a loop.
286         The transformation is entirely contained in handleRecursiveTailCall, which is hooked to the inlining machinery.
287
288         * bytecode/CodeBlock.h:
289         (JSC::CodeBlock::hasTailCalls const):
290         * bytecode/PreciseJumpTargets.cpp:
291         (JSC::getJumpTargetsForBytecodeOffset):
292         (JSC::computePreciseJumpTargetsInternal):
293         * bytecode/UnlinkedCodeBlock.cpp:
294         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
295         * bytecode/UnlinkedCodeBlock.h:
296         (JSC::UnlinkedCodeBlock::hasTailCalls const):
297         (JSC::UnlinkedCodeBlock::setHasTailCalls):
298         * bytecompiler/BytecodeGenerator.cpp:
299         (JSC::BytecodeGenerator::emitEnter):
300         (JSC::BytecodeGenerator::emitCallInTailPosition):
301         * dfg/DFGByteCodeParser.cpp:
302         (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
303         (JSC::DFG::ByteCodeParser::makeBlockTargetable):
304         (JSC::DFG::ByteCodeParser::handleCall):
305         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
306         (JSC::DFG::ByteCodeParser::parseBlock):
307         (JSC::DFG::ByteCodeParser::parse):
308
309 2017-11-08  Joseph Pecoraro  <pecoraro@apple.com>
310
311         Web Inspector: Remove unused Page.ScriptIdentifier protocol type
312         https://bugs.webkit.org/show_bug.cgi?id=179407
313
314         Reviewed by Matt Baker.
315
316         * inspector/protocol/Page.json:
317         Remove unused protocol type.
318
319 2017-11-08  Carlos Garcia Campos  <cgarcia@igalia.com>
320
321         Web Inspector: use JSON::{Array,Object,Value} instead of Inspector{Array,Object,Value}
322         https://bugs.webkit.org/show_bug.cgi?id=173619
323
324         Reviewed by Alex Christensen and Brian Burg.
325
326         Eventually all classes used for our JSON-RPC message passing should be outside
327         of the Inspector namespace since the protocol is used outside of Inspector code.
328         This will also allow us to unify the primitive JSON types with parametric types
329         like Inspector::Protocol::Array<T> and other protocol-related types which don't
330         need to be in the Inspector namespace.
331
332         Start this refactoring off by making JSON::Value a typedef for InspectorValue. In following
333         patches, other clients will move to use JSON::Value and friends. When all uses are
334         changed, the actual implementation will be renamed. This patch just focuses on the typedef
335         and making changes in generated protocol code.
336
337         Original patch by Brian Burg, rebased and updated by me.
338
339         * inspector/InspectorValues.cpp:
340         * inspector/InspectorValues.h:
341         * inspector/scripts/codegen/cpp_generator.py:
342         (CppGenerator.cpp_protocol_type_for_type):
343         (CppGenerator.cpp_type_for_unchecked_formal_in_parameter):
344         (CppGenerator.cpp_type_for_type_with_name):
345         (CppGenerator.cpp_type_for_stack_in_parameter):
346         * inspector/scripts/codegen/cpp_generator_templates.py:
347         (void):
348         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
349         (_generate_class_for_object_declaration):
350         (_generate_forward_declarations_for_binding_traits):
351         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
352         (CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration):
353         (CppProtocolTypesImplementationGenerator._generate_assertion_for_enum):
354         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
355         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
356         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
357         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
358         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
359         * inspector/scripts/tests/generic/expected/enum-values.json-result:
360         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
361         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
362         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
363         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
364         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
365         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
366         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
367         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
368
369 2017-11-07  Maciej Stachowiak  <mjs@apple.com>
370
371         Get rid of unsightly hex numbers from unified build object files
372         https://bugs.webkit.org/show_bug.cgi?id=179410
373
374         Reviewed by Saam Barati.
375
376         * JavaScriptCore.xcodeproj/project.pbxproj: Rename UnifiedSource*.mm to UnifiedSource*-mm.mm for more readable build output.
377
378 2017-11-07  Saam Barati  <sbarati@apple.com>
379
380         Only cage double butterfly accesses
381         https://bugs.webkit.org/show_bug.cgi?id=179202
382
383         Reviewed by Mark Lam.
384
385         This patch removes caging from all butterfly accesses except double loads/stores.
386         This is a performance vs security tradeoff. Double loads/stores are the only butterfly
387         loads/stores that can write arbitrary bit patterns, so we choose to keep them safe
388         by caging. The other load/stores we are no longer caging to get back performance on
389         various benchmarks.
390
391         * bytecode/AccessCase.cpp:
392         (JSC::AccessCase::generateImpl):
393         * bytecode/InlineAccess.cpp:
394         (JSC::InlineAccess::dumpCacheSizesAndCrash):
395         (JSC::InlineAccess::generateSelfPropertyAccess):
396         (JSC::InlineAccess::generateSelfPropertyReplace):
397         (JSC::InlineAccess::generateArrayLength):
398         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp:
399         * dfg/DFGSpeculativeJIT.cpp:
400         (JSC::DFG::SpeculativeJIT::compileCreateRest):
401         (JSC::DFG::SpeculativeJIT::compileSpread):
402         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
403         * dfg/DFGSpeculativeJIT64.cpp:
404         (JSC::DFG::SpeculativeJIT::compile):
405         * ftl/FTLLowerDFGToB3.cpp:
406         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
407         * jit/JITPropertyAccess.cpp:
408         (JSC::JIT::emitContiguousLoad):
409         (JSC::JIT::emitArrayStorageLoad):
410         (JSC::JIT::emitGenericContiguousPutByVal):
411         (JSC::JIT::emitArrayStoragePutByVal):
412         (JSC::JIT::emit_op_get_from_scope):
413         (JSC::JIT::emit_op_put_to_scope):
414         * llint/LowLevelInterpreter64.asm:
415         * runtime/AuxiliaryBarrier.h:
416         (JSC::AuxiliaryBarrier::operator-> const):
417         * runtime/Butterfly.h:
418         (JSC::Butterfly::caged):
419         (JSC::Butterfly::contiguousDouble):
420         * runtime/JSArray.cpp:
421         (JSC::JSArray::setLength):
422         (JSC::JSArray::pop):
423         (JSC::JSArray::shiftCountWithAnyIndexingType):
424         (JSC::JSArray::unshiftCountWithAnyIndexingType):
425         (JSC::JSArray::fillArgList):
426         (JSC::JSArray::copyToArguments):
427         * runtime/JSArrayInlines.h:
428         (JSC::JSArray::pushInline):
429         * runtime/JSObject.cpp:
430         (JSC::JSObject::heapSnapshot):
431         (JSC::JSObject::createInitialIndexedStorage):
432         (JSC::JSObject::createArrayStorage):
433         (JSC::JSObject::convertUndecidedToInt32):
434         (JSC::JSObject::ensureLengthSlow):
435         (JSC::JSObject::reallocateAndShrinkButterfly):
436         (JSC::JSObject::allocateMoreOutOfLineStorage):
437         * runtime/JSObject.h:
438         (JSC::JSObject::canGetIndexQuickly):
439         (JSC::JSObject::getIndexQuickly):
440         (JSC::JSObject::tryGetIndexQuickly const):
441         (JSC::JSObject::canSetIndexQuickly):
442         (JSC::JSObject::butterfly const):
443         (JSC::JSObject::butterfly):
444
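        The entry above keeps caging only for double loads/stores because those are the butterfly
        accesses that can write arbitrary 64-bit patterns. The following is an added illustration and
        not JSC's Gigacage: a simplified cage model (a 64 KiB malloc'd region aligned to its own size,
        with caging done by masking a pointer's low bits and adding the cage base) that shows what the
        trade-off buys: a caged double store lands inside the cage no matter what value the butterfly
        pointer holds, while the uncaged form goes wherever the pointer points. All names here are
        assumptions made for this example.

```cpp
#include <cstdint>
#include <cstdlib>
#include <cstring>

// Added illustration, not JSC's Gigacage: a power-of-two region is the only
// memory a "caged" pointer can ever address.
namespace toycage {

constexpr uintptr_t kCageSize = uintptr_t(1) << 16; // 64 KiB toy cage (assumption)
constexpr uintptr_t kCageMask = kCageSize - 1;

struct Cage {
    void* raw = nullptr; // unaligned backing allocation (twice the size, so alignment fits)
    uintptr_t base = 0;  // first address aligned to kCageSize inside raw
};

inline Cage& cage()
{
    static Cage c;
    if (!c.raw) {
        c.raw = std::malloc(2 * kCageSize);
        uintptr_t p = reinterpret_cast<uintptr_t>(c.raw);
        c.base = (p + kCageMask) & ~kCageMask;
        std::memset(reinterpret_cast<void*>(c.base), 0, kCageSize);
    }
    return c;
}

// Toy allocator: hand out double storage at a fixed byte offset inside the cage.
inline double* cagedDoubles(uintptr_t byteOffset)
{
    return reinterpret_cast<double*>(cage().base + (byteOffset & kCageMask));
}

// The caging step: whatever the pointer's value, the result lands in the cage.
template<typename T>
inline T* caged(T* ptr)
{
    return reinterpret_cast<T*>(cage().base + (reinterpret_cast<uintptr_t>(ptr) & kCageMask));
}

inline bool inCage(const void* p)
{
    uintptr_t v = reinterpret_cast<uintptr_t>(p);
    return v >= cage().base && v < cage().base + kCageSize;
}

// Caged double store through a butterfly pointer: an attacker-controlled
// 64-bit pattern can only ever be written inside the cage.
inline double* storeDoubleCaged(double* butterfly, size_t index, double value)
{
    double* slot = caged(butterfly + index);
    *slot = value;
    return slot;
}

// The uncaged address computation this patch restores for non-double accesses:
// one masked add fewer on the hot path, but no confinement.
inline double* uncagedSlot(double* butterfly, size_t index)
{
    return butterfly + index;
}

} // namespace toycage
```

        For a pointer that already lies in the cage, caging is the identity; for any other pointer it
        is remapped to an address inside the cage, which is why a corrupted butterfly pointer on a
        caged path cannot reach memory outside the region.
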
445 2017-11-07  Mark Lam  <mark.lam@apple.com>
446
447         Introduce a default RegisterSet constructor so that we can use { } notation.
448         https://bugs.webkit.org/show_bug.cgi?id=179389
449
450         Reviewed by Saam Barati.
451
452         I also replaced uses of "RegisterSet()" with "{ }" where the use of "RegisterSet()"
453         does not add any code documentation value.
454
455         * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
456         * b3/air/AirCode.cpp:
457         (JSC::B3::Air::Code::setRegsInPriorityOrder):
458         * b3/air/AirPrintSpecial.cpp:
459         (JSC::B3::Air::PrintSpecial::extraEarlyClobberedRegs):
460         (JSC::B3::Air::PrintSpecial::extraClobberedRegs):
461         * b3/air/testair.cpp:
462         * bytecode/PolymorphicAccess.h:
463         (JSC::AccessGenerationState::preserveLiveRegistersToStackForCall):
464         (JSC::AccessGenerationState::restoreLiveRegistersFromStackForCall):
465         * dfg/DFGJITCode.cpp:
466         (JSC::DFG::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
467         * ftl/FTLJITCode.cpp:
468         (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
469         * jit/JITCode.cpp:
470         (JSC::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
471         * jit/RegisterSet.cpp:
472         (JSC::RegisterSet::reservedHardwareRegisters):
473         (JSC::RegisterSet::runtimeRegisters):
474         (JSC::RegisterSet::macroScratchRegisters):
475         * jit/RegisterSet.h:
476         (JSC::RegisterSet::RegisterSet):
477         * wasm/WasmB3IRGenerator.cpp:
478         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
479
480 2017-11-07  Mark Lam  <mark.lam@apple.com>
481
482         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
483         https://bugs.webkit.org/show_bug.cgi?id=179355
484         <rdar://problem/35263053>
485
486         Reviewed by Saam Barati.
487
488         In the Transition case in AccessCase::generateImpl(), we were restoring registers
489         using restoreLiveRegistersFromStackForCall() without excluding the scratchGPR
490         where we previously stashed the reallocated butterfly.  If the generated code is
491         under heavy register pressure, scratchGPR could have been from the set of preserved
492         registers, and hence, would be restored by restoreLiveRegistersFromStackForCall().
493         As a result, the restoration would trash the butterfly result we stored there.
494         This patch fixes the issue by excluding the scratchGPR in the restoration.
495
496         * bytecode/AccessCase.cpp:
497         (JSC::AccessCase::generateImpl):
498
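        The entry above describes a clobber: under register pressure the scratch register holding the
        call's result is itself in the preserved set, so an unconditional restore overwrites it. The
        following is an added illustration, not JSC's AccessCase or RegisterSet code: a toy register
        file in which live registers are spilled before a call and reloaded after it, run once without
        and once with the exclusion that fixes the bug. Register count, register indices and the
        sample values are assumptions made for this example.

```cpp
#include <array>
#include <bitset>
#include <cstdint>
#include <utility>
#include <vector>

// Added illustration, not JSC code: spill/restore of live registers around a
// call, with an exclusion set for the register that carries the call's result.
namespace toyregs {

constexpr int kNumGPRs = 8;
using RegisterSet = std::bitset<kNumGPRs>;
using RegisterFile = std::array<uint64_t, kNumGPRs>;

// Stack slots written by the spill: (register index, saved value).
using SavedRegisters = std::vector<std::pair<int, uint64_t>>;

constexpr uint64_t kReallocatedButterfly = 0xB0B0B0B0; // sample "result" value (constructed)

inline SavedRegisters preserveLiveRegistersToStackForCall(const RegisterFile& regs, const RegisterSet& live)
{
    SavedRegisters saved;
    for (int r = 0; r < kNumGPRs; ++r) {
        if (live.test(r))
            saved.emplace_back(r, regs[r]);
    }
    return saved;
}

// Reload every spilled register except those in `exclude`.
inline void restoreLiveRegistersFromStackForCall(RegisterFile& regs, const SavedRegisters& saved, const RegisterSet& exclude)
{
    for (const auto& slot : saved) {
        if (!exclude.test(slot.first))
            regs[slot.first] = slot.second;
    }
}

// Models the Transition path: a call reallocates the butterfly and its result
// is stashed in scratchGPR, then the preserved registers are restored.
// Returns the value left in scratchGPR afterwards.
inline uint64_t transitionScratchAfterRestore(bool excludeScratchGPR)
{
    RegisterFile regs{};
    for (int r = 0; r < kNumGPRs; ++r)
        regs[r] = 0x1000 + r; // pre-call contents (constructed)

    // Heavy register pressure: every register is live, so scratchGPR is spilled too.
    RegisterSet live;
    live.set();
    const int scratchGPR = 3;

    SavedRegisters saved = preserveLiveRegistersToStackForCall(regs, live);

    regs[scratchGPR] = kReallocatedButterfly; // the "call" writes its result here

    RegisterSet exclude;
    if (excludeScratchGPR)
        exclude.set(scratchGPR); // the fix: do not reload the result register
    restoreLiveRegistersFromStackForCall(regs, saved, exclude);
    return regs[scratchGPR];
}

} // namespace toyregs
```

        Without the exclusion the restore puts the stale pre-call value back into the scratch
        register, which is the trashed-butterfly symptom described above; with it, the call's result
        survives the restore.
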
499 2017-11-06  Robin Morisset  <rmorisset@apple.com>
500
501         CodeBlock::usesOpcode() is dead code
502         https://bugs.webkit.org/show_bug.cgi?id=179316
503
504         Reviewed by Yusuke Suzuki.
505
506         Remove CodeBlock::usesOpcode, which is dead code.
507
508         * bytecode/CodeBlock.cpp:
509         * bytecode/CodeBlock.h:
510
511 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
512
513         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
514         https://bugs.webkit.org/show_bug.cgi?id=144458
515
516         Reviewed by Saam Barati.
517
518         Previously, only JSFunction was handled by CallLinkInfo's caching mechanism. This means that
519         InternalFunction calls are not cached and they always go to the slow path. This is not good because
520
521         1. We need to query getCallData/getConstructData every time in the slow path.
522         2. CallLinkInfo tells nothing in the higher tier JITs.
523
524         This patch starts handling InternalFunction in CallLinkInfo's caching mechanism. We change InternalFunction
525         to hold pointers to the functions for call and construct. We have new stubs that can call/construct
526         InternalFunction. And we return this code pointer as a result of setup call to use CallLinkInfo mechanism.
527
528         This patch is critical to optimizing derived Array construction[1] since it starts using CallLinkInfo
529         for InternalFunction. Previously we did not record any information to CallLinkInfo. Except for the
530         case that DFGByteCodeParser figures out InternalFunction constant, we cannot attempt to emit DFG
531         nodes for these InternalFunctions since CallLinkInfo tells us nothing.
532
533         Attached microbenchmarks show performance improvement.
534
535                                                            baseline                  patched
536
537         dfg-internal-function-construct                 1.6439+-0.0826     ^      1.2829+-0.0727        ^ definitely 1.2813x faster
538         dfg-internal-function-not-handled-construct     2.1862+-0.1361            2.0696+-0.1201          might be 1.0564x faster
539         dfg-internal-function-not-handled-call         20.7592+-0.9085           19.7369+-0.7921          might be 1.0518x faster
540         dfg-internal-function-call                      1.6856+-0.0967     ^      1.2771+-0.0744        ^ definitely 1.3198x faster
541
542         [1]: https://bugs.webkit.org/show_bug.cgi?id=178064
543
544         * API/JSCallbackFunction.cpp:
545         (JSC::JSCallbackFunction::JSCallbackFunction):
546         (JSC::JSCallbackFunction::getCallData): Deleted.
547         * API/JSCallbackFunction.h:
548         (JSC::JSCallbackFunction::createStructure):
549         * API/ObjCCallbackFunction.h:
550         (JSC::ObjCCallbackFunction::createStructure):
551         * API/ObjCCallbackFunction.mm:
552         (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
553         (JSC::ObjCCallbackFunction::getCallData): Deleted.
554         (JSC::ObjCCallbackFunction::getConstructData): Deleted.
555         * bytecode/BytecodeDumper.cpp:
556         (JSC::BytecodeDumper<Block>::printCallOp):
557         * bytecode/BytecodeList.json:
558         * bytecode/CallLinkInfo.cpp:
559         (JSC::CallLinkInfo::setCallee):
560         (JSC::CallLinkInfo::callee):
561         (JSC::CallLinkInfo::setLastSeenCallee):
562         (JSC::CallLinkInfo::lastSeenCallee):
563         (JSC::CallLinkInfo::visitWeak):
564         * bytecode/CallLinkInfo.h:
565         * bytecode/CallLinkStatus.cpp:
566         (JSC::CallLinkStatus::computeFromCallLinkInfo):
567         * bytecode/LLIntCallLinkInfo.h:
568         * jit/JITOperations.cpp:
569         * jit/JITThunks.cpp:
570         (JSC::JITThunks::ctiInternalFunctionCall):
571         (JSC::JITThunks::ctiInternalFunctionConstruct):
572         * jit/JITThunks.h:
573         * jit/Repatch.cpp:
574         (JSC::linkFor):
575         (JSC::linkPolymorphicCall):
576         * jit/Repatch.h:
577         * jit/ThunkGenerators.cpp:
578         (JSC::virtualThunkFor):
579         (JSC::nativeForGenerator):
580         (JSC::nativeCallGenerator):
581         (JSC::nativeTailCallGenerator):
582         (JSC::nativeTailCallWithoutSavedTagsGenerator):
583         (JSC::nativeConstructGenerator):
584         (JSC::internalFunctionCallGenerator):
585         (JSC::internalFunctionConstructGenerator):
586         * jit/ThunkGenerators.h:
587         * llint/LLIntSlowPaths.cpp:
588         (JSC::LLInt::setUpCall):
589         * llint/LowLevelInterpreter.asm:
590         * llint/LowLevelInterpreter32_64.asm:
591         * llint/LowLevelInterpreter64.asm:
592         * runtime/ArrayConstructor.cpp:
593         (JSC::ArrayConstructor::ArrayConstructor):
594         (JSC::ArrayConstructor::getConstructData): Deleted.
595         (JSC::ArrayConstructor::getCallData): Deleted.
596         * runtime/ArrayConstructor.h:
597         (JSC::ArrayConstructor::createStructure):
598         * runtime/AsyncFunctionConstructor.cpp:
599         (JSC::AsyncFunctionConstructor::AsyncFunctionConstructor):
600         (JSC::AsyncFunctionConstructor::finishCreation):
601         (JSC::AsyncFunctionConstructor::getCallData): Deleted.
602         (JSC::AsyncFunctionConstructor::getConstructData): Deleted.
603         * runtime/AsyncFunctionConstructor.h:
604         (JSC::AsyncFunctionConstructor::createStructure):
605         * runtime/AsyncGeneratorFunctionConstructor.cpp:
606         (JSC::AsyncGeneratorFunctionConstructor::AsyncGeneratorFunctionConstructor):
607         (JSC::AsyncGeneratorFunctionConstructor::finishCreation):
608         (JSC::AsyncGeneratorFunctionConstructor::getCallData): Deleted.
609         (JSC::AsyncGeneratorFunctionConstructor::getConstructData): Deleted.
610         * runtime/AsyncGeneratorFunctionConstructor.h:
611         (JSC::AsyncGeneratorFunctionConstructor::createStructure):
612         * runtime/BooleanConstructor.cpp:
613         (JSC::callBooleanConstructor):
614         (JSC::BooleanConstructor::BooleanConstructor):
615         (JSC::BooleanConstructor::finishCreation):
616         (JSC::BooleanConstructor::getConstructData): Deleted.
617         (JSC::BooleanConstructor::getCallData): Deleted.
618         * runtime/BooleanConstructor.h:
619         (JSC::BooleanConstructor::createStructure):
620         * runtime/DateConstructor.cpp:
621         (JSC::DateConstructor::DateConstructor):
622         (JSC::DateConstructor::getConstructData): Deleted.
623         (JSC::DateConstructor::getCallData): Deleted.
624         * runtime/DateConstructor.h:
625         (JSC::DateConstructor::createStructure):
626         * runtime/Error.h:
627         (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
628         (JSC::StrictModeTypeErrorFunction::createStructure):
629         (JSC::StrictModeTypeErrorFunction::getConstructData): Deleted.
630         (JSC::StrictModeTypeErrorFunction::getCallData): Deleted.
631         * runtime/ErrorConstructor.cpp:
632         (JSC::ErrorConstructor::ErrorConstructor):
633         (JSC::ErrorConstructor::getConstructData): Deleted.
634         (JSC::ErrorConstructor::getCallData): Deleted.
635         * runtime/ErrorConstructor.h:
636         (JSC::ErrorConstructor::createStructure):
637         * runtime/FunctionConstructor.cpp:
638         (JSC::FunctionConstructor::FunctionConstructor):
639         (JSC::FunctionConstructor::finishCreation):
640         (JSC::FunctionConstructor::getConstructData): Deleted.
641         (JSC::FunctionConstructor::getCallData): Deleted.
642         * runtime/FunctionConstructor.h:
643         (JSC::FunctionConstructor::createStructure):
644         * runtime/FunctionPrototype.cpp:
645         (JSC::callFunctionPrototype):
646         (JSC::FunctionPrototype::FunctionPrototype):
647         (JSC::FunctionPrototype::getCallData): Deleted.
648         * runtime/FunctionPrototype.h:
649         (JSC::FunctionPrototype::createStructure):
650         * runtime/GeneratorFunctionConstructor.cpp:
651         (JSC::GeneratorFunctionConstructor::GeneratorFunctionConstructor):
652         (JSC::GeneratorFunctionConstructor::finishCreation):
653         (JSC::GeneratorFunctionConstructor::getCallData): Deleted.
654         (JSC::GeneratorFunctionConstructor::getConstructData): Deleted.
655         * runtime/GeneratorFunctionConstructor.h:
656         (JSC::GeneratorFunctionConstructor::createStructure):
657         * runtime/InternalFunction.cpp:
658         (JSC::InternalFunction::InternalFunction):
659         (JSC::InternalFunction::finishCreation):
660         (JSC::InternalFunction::getCallData):
661         (JSC::InternalFunction::getConstructData):
662         * runtime/InternalFunction.h:
663         (JSC::InternalFunction::createStructure):
664         (JSC::InternalFunction::nativeFunctionFor):
665         (JSC::InternalFunction::offsetOfNativeFunctionFor):
666         * runtime/IntlCollatorConstructor.cpp:
667         (JSC::IntlCollatorConstructor::createStructure):
668         (JSC::IntlCollatorConstructor::IntlCollatorConstructor):
669         (JSC::IntlCollatorConstructor::getConstructData): Deleted.
670         (JSC::IntlCollatorConstructor::getCallData): Deleted.
671         * runtime/IntlCollatorConstructor.h:
672         * runtime/IntlDateTimeFormatConstructor.cpp:
673         (JSC::IntlDateTimeFormatConstructor::createStructure):
674         (JSC::IntlDateTimeFormatConstructor::IntlDateTimeFormatConstructor):
675         (JSC::IntlDateTimeFormatConstructor::getConstructData): Deleted.
676         (JSC::IntlDateTimeFormatConstructor::getCallData): Deleted.
677         * runtime/IntlDateTimeFormatConstructor.h:
678         * runtime/IntlNumberFormatConstructor.cpp:
679         (JSC::IntlNumberFormatConstructor::createStructure):
680         (JSC::IntlNumberFormatConstructor::IntlNumberFormatConstructor):
681         (JSC::IntlNumberFormatConstructor::getConstructData): Deleted.
682         (JSC::IntlNumberFormatConstructor::getCallData): Deleted.
683         * runtime/IntlNumberFormatConstructor.h:
684         * runtime/JSArrayBufferConstructor.cpp:
685         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
686         (JSC::JSArrayBufferConstructor::createStructure):
687         (JSC::JSArrayBufferConstructor::getConstructData): Deleted.
688         (JSC::JSArrayBufferConstructor::getCallData): Deleted.
689         * runtime/JSArrayBufferConstructor.h:
690         * runtime/JSGenericTypedArrayViewConstructor.h:
691         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
692         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::JSGenericTypedArrayViewConstructor):
693         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::createStructure):
694         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getConstructData): Deleted.
695         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData): Deleted.
696         * runtime/JSInternalPromiseConstructor.cpp:
697         (JSC::JSInternalPromiseConstructor::createStructure):
698         (JSC::JSInternalPromiseConstructor::JSInternalPromiseConstructor):
699         (JSC::JSInternalPromiseConstructor::getConstructData): Deleted.
700         (JSC::JSInternalPromiseConstructor::getCallData): Deleted.
701         * runtime/JSInternalPromiseConstructor.h:
702         * runtime/JSPromiseConstructor.cpp:
703         (JSC::JSPromiseConstructor::createStructure):
704         (JSC::JSPromiseConstructor::JSPromiseConstructor):
705         (JSC::JSPromiseConstructor::getConstructData): Deleted.
706         (JSC::JSPromiseConstructor::getCallData): Deleted.
707         * runtime/JSPromiseConstructor.h:
708         * runtime/JSType.h:
709         * runtime/JSTypedArrayViewConstructor.cpp:
710         (JSC::JSTypedArrayViewConstructor::JSTypedArrayViewConstructor):
711         (JSC::JSTypedArrayViewConstructor::createStructure):
712         (JSC::JSTypedArrayViewConstructor::getConstructData): Deleted.
713         (JSC::JSTypedArrayViewConstructor::getCallData): Deleted.
714         * runtime/JSTypedArrayViewConstructor.h:
715         * runtime/MapConstructor.cpp:
716         (JSC::MapConstructor::MapConstructor):
717         (JSC::MapConstructor::getConstructData): Deleted.
718         (JSC::MapConstructor::getCallData): Deleted.
719         * runtime/MapConstructor.h:
720         (JSC::MapConstructor::createStructure):
721         (JSC::MapConstructor::MapConstructor): Deleted.
722         * runtime/NativeErrorConstructor.cpp:
723         (JSC::NativeErrorConstructor::NativeErrorConstructor):
724         (JSC::NativeErrorConstructor::getConstructData): Deleted.
725         (JSC::NativeErrorConstructor::getCallData): Deleted.
726         * runtime/NativeErrorConstructor.h:
727         (JSC::NativeErrorConstructor::createStructure):
728         * runtime/NullGetterFunction.cpp:
729         (JSC::NullGetterFunction::NullGetterFunction):
730         (JSC::NullGetterFunction::getCallData): Deleted.
731         (JSC::NullGetterFunction::getConstructData): Deleted.
732         * runtime/NullGetterFunction.h:
733         (JSC::NullGetterFunction::createStructure):
734         (JSC::NullGetterFunction::NullGetterFunction): Deleted.
735         * runtime/NullSetterFunction.cpp:
736         (JSC::NullSetterFunction::NullSetterFunction):
737         (JSC::NullSetterFunction::getCallData): Deleted.
738         (JSC::NullSetterFunction::getConstructData): Deleted.
739         * runtime/NullSetterFunction.h:
740         (JSC::NullSetterFunction::createStructure):
741         (JSC::NullSetterFunction::NullSetterFunction): Deleted.
742         * runtime/NumberConstructor.cpp:
743         (JSC::NumberConstructor::NumberConstructor):
744         (JSC::constructNumberConstructor):
745         (JSC::constructWithNumberConstructor): Deleted.
746         (JSC::NumberConstructor::getConstructData): Deleted.
747         (JSC::NumberConstructor::getCallData): Deleted.
748         * runtime/NumberConstructor.h:
749         (JSC::NumberConstructor::createStructure):
750         * runtime/ObjectConstructor.cpp:
751         (JSC::ObjectConstructor::ObjectConstructor):
752         (JSC::ObjectConstructor::getConstructData): Deleted.
753         (JSC::ObjectConstructor::getCallData): Deleted.
754         * runtime/ObjectConstructor.h:
755         (JSC::ObjectConstructor::createStructure):
756         * runtime/ProxyConstructor.cpp:
757         (JSC::ProxyConstructor::ProxyConstructor):
758         (JSC::ProxyConstructor::getConstructData): Deleted.
759         (JSC::ProxyConstructor::getCallData): Deleted.
760         * runtime/ProxyConstructor.h:
761         (JSC::ProxyConstructor::createStructure):
762         * runtime/ProxyRevoke.cpp:
763         (JSC::ProxyRevoke::ProxyRevoke):
764         (JSC::ProxyRevoke::getCallData): Deleted.
765         * runtime/ProxyRevoke.h:
766         (JSC::ProxyRevoke::createStructure):
767         * runtime/RegExpConstructor.cpp:
768         (JSC::RegExpConstructor::RegExpConstructor):
769         (JSC::RegExpConstructor::getConstructData): Deleted.
770         (JSC::RegExpConstructor::getCallData): Deleted.
771         * runtime/RegExpConstructor.h:
772         (JSC::RegExpConstructor::createStructure):
773         * runtime/SetConstructor.cpp:
774         (JSC::SetConstructor::SetConstructor):
775         (JSC::SetConstructor::getConstructData): Deleted.
776         (JSC::SetConstructor::getCallData): Deleted.
777         * runtime/SetConstructor.h:
778         (JSC::SetConstructor::createStructure):
779         (JSC::SetConstructor::SetConstructor): Deleted.
780         * runtime/StringConstructor.cpp:
781         (JSC::StringConstructor::StringConstructor):
782         (JSC::StringConstructor::getConstructData): Deleted.
783         (JSC::StringConstructor::getCallData): Deleted.
784         * runtime/StringConstructor.h:
785         (JSC::StringConstructor::createStructure):
786         * runtime/SymbolConstructor.cpp:
787         (JSC::SymbolConstructor::SymbolConstructor):
788         (JSC::SymbolConstructor::getConstructData): Deleted.
789         (JSC::SymbolConstructor::getCallData): Deleted.
790         * runtime/SymbolConstructor.h:
791         (JSC::SymbolConstructor::createStructure):
792         * runtime/VM.cpp:
793         (JSC::VM::VM):
794         (JSC::VM::getCTIInternalFunctionTrampolineFor):
795         * runtime/VM.h:
796         * runtime/WeakMapConstructor.cpp:
797         (JSC::WeakMapConstructor::WeakMapConstructor):
798         (JSC::WeakMapConstructor::getConstructData): Deleted.
799         (JSC::WeakMapConstructor::getCallData): Deleted.
800         * runtime/WeakMapConstructor.h:
801         (JSC::WeakMapConstructor::createStructure):
802         (JSC::WeakMapConstructor::WeakMapConstructor): Deleted.
803         * runtime/WeakSetConstructor.cpp:
804         (JSC::WeakSetConstructor::WeakSetConstructor):
805         (JSC::WeakSetConstructor::getConstructData): Deleted.
806         (JSC::WeakSetConstructor::getCallData): Deleted.
807         * runtime/WeakSetConstructor.h:
808         (JSC::WeakSetConstructor::createStructure):
809         (JSC::WeakSetConstructor::WeakSetConstructor): Deleted.
810         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
811         (JSC::WebAssemblyCompileErrorConstructor::createStructure):
812         (JSC::WebAssemblyCompileErrorConstructor::WebAssemblyCompileErrorConstructor):
813         (JSC::WebAssemblyCompileErrorConstructor::getConstructData): Deleted.
814         (JSC::WebAssemblyCompileErrorConstructor::getCallData): Deleted.
815         * wasm/js/WebAssemblyCompileErrorConstructor.h:
816         * wasm/js/WebAssemblyInstanceConstructor.cpp:
817         (JSC::WebAssemblyInstanceConstructor::createStructure):
818         (JSC::WebAssemblyInstanceConstructor::WebAssemblyInstanceConstructor):
819         (JSC::WebAssemblyInstanceConstructor::getConstructData): Deleted.
820         (JSC::WebAssemblyInstanceConstructor::getCallData): Deleted.
821         * wasm/js/WebAssemblyInstanceConstructor.h:
822         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
823         (JSC::WebAssemblyLinkErrorConstructor::createStructure):
824         (JSC::WebAssemblyLinkErrorConstructor::WebAssemblyLinkErrorConstructor):
825         (JSC::WebAssemblyLinkErrorConstructor::getConstructData): Deleted.
826         (JSC::WebAssemblyLinkErrorConstructor::getCallData): Deleted.
827         * wasm/js/WebAssemblyLinkErrorConstructor.h:
828         * wasm/js/WebAssemblyMemoryConstructor.cpp:
829         (JSC::WebAssemblyMemoryConstructor::createStructure):
830         (JSC::WebAssemblyMemoryConstructor::WebAssemblyMemoryConstructor):
831         (JSC::WebAssemblyMemoryConstructor::getConstructData): Deleted.
832         (JSC::WebAssemblyMemoryConstructor::getCallData): Deleted.
833         * wasm/js/WebAssemblyMemoryConstructor.h:
834         * wasm/js/WebAssemblyModuleConstructor.cpp:
835         (JSC::WebAssemblyModuleConstructor::createStructure):
836         (JSC::WebAssemblyModuleConstructor::WebAssemblyModuleConstructor):
837         (JSC::WebAssemblyModuleConstructor::getConstructData): Deleted.
838         (JSC::WebAssemblyModuleConstructor::getCallData): Deleted.
839         * wasm/js/WebAssemblyModuleConstructor.h:
840         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
841         (JSC::WebAssemblyRuntimeErrorConstructor::createStructure):
842         (JSC::WebAssemblyRuntimeErrorConstructor::WebAssemblyRuntimeErrorConstructor):
843         (JSC::WebAssemblyRuntimeErrorConstructor::getConstructData): Deleted.
844         (JSC::WebAssemblyRuntimeErrorConstructor::getCallData): Deleted.
845         * wasm/js/WebAssemblyRuntimeErrorConstructor.h:
846         * wasm/js/WebAssemblyTableConstructor.cpp:
847         (JSC::WebAssemblyTableConstructor::createStructure):
848         (JSC::WebAssemblyTableConstructor::WebAssemblyTableConstructor):
849         (JSC::WebAssemblyTableConstructor::getConstructData): Deleted.
850         (JSC::WebAssemblyTableConstructor::getCallData): Deleted.
851         * wasm/js/WebAssemblyTableConstructor.h:
852
853 2017-11-03  Michael Saboff  <msaboff@apple.com>
854
855         The Abstract Interpreter needs to change similar to clobberize() in r224366
856         https://bugs.webkit.org/show_bug.cgi?id=179267
857
858         Reviewed by Saam Barati.
859
860         Add clobberWorld() to HasGenericProperty, HasStructureProperty & GetPropertyEnumerator
861         cases in the abstract interpreter to match what was done for r224366.
862
863         * dfg/DFGAbstractInterpreterInlines.h:
864         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
865
866 2017-11-03  Keith Miller  <keith_miller@apple.com>
867
868         PutPropertySlot should inform the IC about the property before effects.
869         https://bugs.webkit.org/show_bug.cgi?id=179262
870
871         Reviewed by Mark Lam.
872
873         This patch fixes an issue where we choose to cache setters based on
874         incorrect information. If we did so we might end up OSR exiting
875         more than we would otherwise need to. The new model is that the
876         PutPropertySlot should inform the IC of what the property looked
877         like before any potential side effects might have occurred.
878
879         * runtime/JSObject.cpp:
880         (JSC::JSObject::putInlineSlow):
881         * runtime/Lookup.h:
882         (JSC::putEntry):
883
884 2017-11-03  Mark Lam  <mark.lam@apple.com>
885
886         CachedCall (and its clients) needs overflow checks.
887         https://bugs.webkit.org/show_bug.cgi?id=179185
888
889         Reviewed by JF Bastien.
890
891         * interpreter/CachedCall.h:
892         (JSC::CachedCall::CachedCall):
893         (JSC::CachedCall::hasOverflowedArguments):
894         * runtime/ArgList.h:
895         (JSC::MarkedArgumentBuffer::clear):
896         * runtime/StringPrototype.cpp:
897         (JSC::replaceUsingRegExpSearch):
898
899 2017-11-03  Devin Rousso  <webkit@devinrousso.com>
900
901         Web Inspector: Canvas2D Profiling: highlight expensive context commands in the captured command log
902         https://bugs.webkit.org/show_bug.cgi?id=178302
903         <rdar://problem/33158849>
904
905         Reviewed by Brian Burg.
906
907         * inspector/protocol/Recording.json:
908         Add `duration` to each Frame that represents the total time of all the recorded actions.
909
910 2017-11-02  Devin Rousso  <webkit@devinrousso.com>
911
912         Web Inspector: Canvas Tab: show supported GL extensions for selected canvas
913         https://bugs.webkit.org/show_bug.cgi?id=179070
914         <rdar://problem/35278276>
915
916         Reviewed by Brian Burg.
917
918         * inspector/protocol/Canvas.json:
919         Add `extensionEnabled` event that is fired each time `getExtension` is called with a
920         different string on a WebGL context.
921
922 2017-11-02  Joseph Pecoraro  <pecoraro@apple.com>
923
924         Make ServiceWorker a Remote Inspector debuggable target
925         https://bugs.webkit.org/show_bug.cgi?id=179043
926         <rdar://problem/34126008>
927
928         Reviewed by Brian Burg.
929
930         * inspector/remote/RemoteControllableTarget.h:
931         * inspector/remote/RemoteInspectionTarget.h:
932         * inspector/remote/RemoteInspectorConstants.h:
933         Include a new ServiceWorker remote inspector target type.
934
935         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
936         (Inspector::RemoteInspector::listingForInspectionTarget const):
937         Implement listing for a ServiceWorker to include a URL like a page.
938
939         * inspector/remote/glib/RemoteInspectorGlib.cpp:
940         (Inspector::RemoteInspector::listingForInspectionTarget const):
941         Bail for ServiceWorker support in glib. They will need to implement their support.
942
943 2017-11-02  Michael Saboff  <msaboff@apple.com>
944
945         DFG needs to handle code motion of code in for..in loop bodies
946         https://bugs.webkit.org/show_bug.cgi?id=179212
947
948         Reviewed by Keith Miller.
949
950         The processing of the DFG nodes HasGenericProperty, HasStructureProperty & GetPropertyEnumerator
951         makes calls with side effects.  Updated clobberize() for those nodes to take that into account.
952
953         * dfg/DFGClobberize.h:
954         (JSC::DFG::clobberize):
955
956 2017-11-02  Joseph Pecoraro  <pecoraro@apple.com>
957
958         Inspector should display service worker served responses properly
959         https://bugs.webkit.org/show_bug.cgi?id=178597
960         <rdar://problem/35186111>
961
962         Reviewed by Brian Burg.
963
964         * inspector/protocol/Network.json:
965         Expose a new "service-worker" response source.
966
967 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
968
969         AI does not correctly model the clobber case of ArithClz32
970         https://bugs.webkit.org/show_bug.cgi?id=179188
971
972         Reviewed by Michael Saboff.
973
974         The non-Int32 case clobbers the world because it may call valueOf.
975
976         * dfg/DFGAbstractInterpreterInlines.h:
977         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
978
979 2017-11-02  Yusuke Suzuki  <utatane.tea@gmail.com>
980
981         Unreviewed, release throw scope
982         https://bugs.webkit.org/show_bug.cgi?id=178726
983
984         * dfg/DFGOperations.cpp:
985
986 2017-11-02  Frederic Wang  <fwang@igalia.com>
987
988         Add references to bug 179167 in FIXME comments
989         https://bugs.webkit.org/show_bug.cgi?id=179168
990
991         Reviewed by Daniel Bates.
992
993         * Configurations/FeatureDefines.xcconfig:
994
995 2017-11-01  Jeremy Jones  <jeremyj@apple.com>
996
997         Implement WKFullscreenWindowController for iOS.
998         https://bugs.webkit.org/show_bug.cgi?id=178924
999         rdar://problem/34697120
1000
1001         Reviewed by Simon Fraser.
1002
1003         Enable ENABLE_FULLSCREEN_API for iOS.
1004
1005         * Configurations/FeatureDefines.xcconfig:
1006
1007 2017-11-01  Mark Lam  <mark.lam@apple.com>
1008
1009         Add support to throw OOM if MarkedArgumentBuffer may overflow.
1010         https://bugs.webkit.org/show_bug.cgi?id=179092
1011         <rdar://problem/35116160>
1012
1013         Reviewed by Saam Barati.
1014
1015         The test for overflowing a MarkedArgumentBuffer will run for a ridiculously long
1016         time, which renders it unsuitable for automated tests.  Instead, I've run a
1017         test manually to verify that an OutOfMemoryError will be thrown when an overflow
1018         occurs.
1019
1020         The MarkedArgumentBuffer's destructor will now assert that the client has indeed
1021         checked for an overflow after invoking methods that may result in an overflow, i.e.
1022         the destructor checks that MarkedArgumentBuffer::hasOverflowed() has been called.
1023         This is only done on debug builds.
1024
1025         * API/JSObjectRef.cpp:
1026         (JSObjectMakeFunction):
1027         (JSObjectMakeArray):
1028         (JSObjectMakeDate):
1029         (JSObjectMakeRegExp):
1030         (JSObjectCallAsFunction):
1031         (JSObjectCallAsConstructor):
1032         * dfg/DFGOperations.cpp:
1033         * inspector/InjectedScriptManager.cpp:
1034         (Inspector::InjectedScriptManager::createInjectedScript):
1035         * inspector/JSJavaScriptCallFrame.cpp:
1036         (Inspector::JSJavaScriptCallFrame::scopeChain const):
1037         * interpreter/Interpreter.cpp:
1038         (JSC::Interpreter::executeProgram):
1039         * jsc.cpp:
1040         (functionDollarAgentReceiveBroadcast):
1041         * runtime/ArgList.cpp:
1042         (JSC::MarkedArgumentBuffer::slowEnsureCapacity):
1043         (JSC::MarkedArgumentBuffer::expandCapacity):
1044         (JSC::MarkedArgumentBuffer::slowAppend):
1045         * runtime/ArgList.h:
1046         (JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer):
1047         (JSC::MarkedArgumentBuffer::appendWithAction):
1048         (JSC::MarkedArgumentBuffer::append):
1049         (JSC::MarkedArgumentBuffer::appendWithCrashOnOverflow):
1050         (JSC::MarkedArgumentBuffer::hasOverflowed):
1051         (JSC::MarkedArgumentBuffer::setNeedsOverflowCheck):
1052         (JSC::MarkedArgumentBuffer::clearNeedsOverflowCheck):
1053         * runtime/ArrayPrototype.cpp:
1054         * runtime/CommonSlowPaths.cpp:
1055         (JSC::SLOW_PATH_DECL):
1056         * runtime/GetterSetter.cpp:
1057         (JSC::callSetter):
1058         * runtime/IteratorOperations.cpp:
1059         (JSC::iteratorNext):
1060         (JSC::iteratorClose):
1061         * runtime/JSBoundFunction.cpp:
1062         (JSC::boundThisNoArgsFunctionCall):
1063         (JSC::boundFunctionCall):
1064         (JSC::boundThisNoArgsFunctionConstruct):
1065         (JSC::boundFunctionConstruct):
1066         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1067         (JSC::constructGenericTypedArrayViewFromIterator):
1068         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1069         (JSC::genericTypedArrayViewProtoFuncSlice):
1070         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
1071         * runtime/JSGlobalObject.cpp:
1072         (JSC::JSGlobalObject::haveABadTime):
1073         * runtime/JSInternalPromise.cpp:
1074         (JSC::JSInternalPromise::then):
1075         * runtime/JSJob.cpp:
1076         (JSC::JSJobMicrotask::run):
1077         * runtime/JSMapIterator.cpp:
1078         (JSC::JSMapIterator::createPair):
1079         * runtime/JSModuleLoader.cpp:
1080         (JSC::JSModuleLoader::provideFetch):
1081         (JSC::JSModuleLoader::loadAndEvaluateModule):
1082         (JSC::JSModuleLoader::loadModule):
1083         (JSC::JSModuleLoader::linkAndEvaluateModule):
1084         (JSC::JSModuleLoader::requestImportModule):
1085         * runtime/JSONObject.cpp:
1086         (JSC::Stringifier::toJSONImpl):
1087         (JSC::Stringifier::appendStringifiedValue):
1088         (JSC::Walker::callReviver):
1089         * runtime/JSObject.cpp:
1090         (JSC::ordinarySetSlow):
1091         (JSC::callToPrimitiveFunction):
1092         (JSC::JSObject::hasInstance):
1093         * runtime/JSPromise.cpp:
1094         (JSC::JSPromise::initialize):
1095         (JSC::JSPromise::resolve):
1096         * runtime/JSPromiseDeferred.cpp:
1097         (JSC::newPromiseCapability):
1098         (JSC::callFunction):
1099         * runtime/JSSetIterator.cpp:
1100         (JSC::JSSetIterator::createPair):
1101         * runtime/LiteralParser.cpp:
1102         (JSC::LiteralParser<CharType>::parse):
1103         * runtime/MapConstructor.cpp:
1104         (JSC::constructMap):
1105         * runtime/ObjectConstructor.cpp:
1106         (JSC::defineProperties):
1107         * runtime/ProxyObject.cpp:
1108         (JSC::performProxyGet):
1109         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1110         (JSC::ProxyObject::performHasProperty):
1111         (JSC::ProxyObject::performPut):
1112         (JSC::performProxyCall):
1113         (JSC::performProxyConstruct):
1114         (JSC::ProxyObject::performDelete):
1115         (JSC::ProxyObject::performPreventExtensions):
1116         (JSC::ProxyObject::performIsExtensible):
1117         (JSC::ProxyObject::performDefineOwnProperty):
1118         (JSC::ProxyObject::performGetOwnPropertyNames):
1119         (JSC::ProxyObject::performSetPrototype):
1120         (JSC::ProxyObject::performGetPrototype):
1121         * runtime/ReflectObject.cpp:
1122         (JSC::reflectObjectConstruct):
1123         * runtime/SetConstructor.cpp:
1124         (JSC::constructSet):
1125         * runtime/StringPrototype.cpp:
1126         (JSC::replaceUsingRegExpSearch):
1127         (JSC::replaceUsingStringSearch):
1128         * runtime/WeakMapConstructor.cpp:
1129         (JSC::constructWeakMap):
1130         * runtime/WeakSetConstructor.cpp:
1131         (JSC::constructWeakSet):
1132         * wasm/js/WasmToJS.cpp:
1133         (JSC::Wasm::wasmToJS):
1134
1135 2017-11-01  Michael Saboff  <msaboff@apple.com>
1136
1137         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
1138         https://bugs.webkit.org/show_bug.cgi?id=179140
1139
1140         Reviewed by Saam Barati.
1141
1142         Added overflow checks to computation of arg count plus this.
1143
1144         * dfg/DFGSpeculativeJIT32_64.cpp:
1145         (JSC::DFG::SpeculativeJIT::compile):
1146         * dfg/DFGSpeculativeJIT64.cpp:
1147         (JSC::DFG::SpeculativeJIT::compile):
1148         * ftl/FTLLowerDFGToB3.cpp:
1149         (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs):
1150
1151 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1152
1153         Unreviewed, use weakPointer instead of FTLOutput::weakPointer
1154         https://bugs.webkit.org/show_bug.cgi?id=178934
1155
1156         * ftl/FTLLowerDFGToB3.cpp:
1157         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
1158
1159 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1160
1161         [JSC] Introduce @toObject
1162         https://bugs.webkit.org/show_bug.cgi?id=178726
1163
1164         Reviewed by Saam Barati.
1165
1166         This patch introduces the @toObject intrinsic. We also introduce the op_to_object bytecode and the DFG ToObject node.
1167         Previously we emulated @toObject behavior in builtin JS. But that consumes a lot of bytecode, while @toObject
1168         is frequently seen and clearly defined in the spec. Furthermore, the emulated @toObject always calls
1169         ObjectConstructor in LLInt and Baseline.
1170
1171         We add a new intrinsic `@toObject(target, "error message")`. It takes an error message string constant to
1172         offer understandable messages in builtin JS. We can change the frequently seen "emulated ToObject" operation
1173
1174             if (this === @undefined || this === null)
1175                 @throwTypeError("error message");
1176             var object = @Object(this);
1177
1178         with
1179
1180             var object = @toObject(this, "error message");
1181
1182         We handle op_to_object in the DFG as a ToObject node. While CallObjectConstructor does not throw an error for null/undefined,
1183         ToObject needs to throw an error for null/undefined. So it is marked as MustGenerate and it clobbers the world.
1184         In fixup phase, we attempt to convert ToObject to CallObjectConstructor with edge filters to relax its side effect.
1185
1186         It also fixes a bug where the CallObjectConstructor DFG node used the Node's semantic GlobalObject instead of the function's.
1187
1188         * builtins/ArrayConstructor.js:
1189         (from):
1190         * builtins/ArrayPrototype.js:
1191         (values):
1192         (keys):
1193         (entries):
1194         (reduce):
1195         (reduceRight):
1196         (every):
1197         (forEach):
1198         (filter):
1199         (map):
1200         (some):
1201         (fill):
1202         (find):
1203         (findIndex):
1204         (includes):
1205         (sort):
1206         (globalPrivate.concatSlowPath):
1207         (copyWithin):
1208         * builtins/DatePrototype.js:
1209         (toLocaleString.toDateTimeOptionsAnyAll):
1210         (toLocaleString):
1211         (toLocaleDateString.toDateTimeOptionsDateDate):
1212         (toLocaleDateString):
1213         (toLocaleTimeString.toDateTimeOptionsTimeTime):
1214         (toLocaleTimeString):
1215         * builtins/GlobalOperations.js:
1216         (globalPrivate.copyDataProperties):
1217         (globalPrivate.copyDataPropertiesNoExclusions):
1218         * builtins/ObjectConstructor.js:
1219         (entries):
1220         * builtins/StringConstructor.js:
1221         (raw):
1222         * builtins/TypedArrayConstructor.js:
1223         (from):
1224         * builtins/TypedArrayPrototype.js:
1225         (map):
1226         (filter):
1227         * bytecode/BytecodeDumper.cpp:
1228         (JSC::BytecodeDumper<Block>::dumpBytecode):
1229         * bytecode/BytecodeIntrinsicRegistry.h:
1230         * bytecode/BytecodeList.json:
1231         * bytecode/BytecodeUseDef.h:
1232         (JSC::computeUsesForBytecodeOffset):
1233         (JSC::computeDefsForBytecodeOffset):
1234         * bytecode/CodeBlock.cpp:
1235         (JSC::CodeBlock::finishCreation):
1236         * bytecompiler/BytecodeGenerator.cpp:
1237         (JSC::BytecodeGenerator::emitToObject):
1238         * bytecompiler/BytecodeGenerator.h:
1239         * bytecompiler/NodesCodegen.cpp:
1240         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toObject):
1241         * dfg/DFGAbstractInterpreterInlines.h:
1242         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1243         * dfg/DFGByteCodeParser.cpp:
1244         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1245         (JSC::DFG::ByteCodeParser::parseBlock):
1246         * dfg/DFGCapabilities.cpp:
1247         (JSC::DFG::capabilityLevel):
1248         * dfg/DFGClobberize.h:
1249         (JSC::DFG::clobberize):
1250         * dfg/DFGDoesGC.cpp:
1251         (JSC::DFG::doesGC):
1252         * dfg/DFGFixupPhase.cpp:
1253         (JSC::DFG::FixupPhase::fixupNode):
1254         (JSC::DFG::FixupPhase::fixupToObject):
1255         (JSC::DFG::FixupPhase::fixupCallObjectConstructor):
1256         * dfg/DFGNode.h:
1257         (JSC::DFG::Node::convertToCallObjectConstructor):
1258         (JSC::DFG::Node::convertToNewStringObject):
1259         (JSC::DFG::Node::convertToNewObject):
1260         (JSC::DFG::Node::hasIdentifier):
1261         (JSC::DFG::Node::hasHeapPrediction):
1262         (JSC::DFG::Node::hasCellOperand):
1263         * dfg/DFGNodeType.h:
1264         * dfg/DFGOperations.cpp:
1265         * dfg/DFGOperations.h:
1266         * dfg/DFGPredictionPropagationPhase.cpp:
1267         * dfg/DFGSafeToExecute.h:
1268         (JSC::DFG::safeToExecute):
1269         * dfg/DFGSpeculativeJIT.cpp:
1270         (JSC::DFG::SpeculativeJIT::compileToObjectOrCallObjectConstructor):
1271         (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor): Deleted.
1272         * dfg/DFGSpeculativeJIT.h:
1273         (JSC::DFG::SpeculativeJIT::callOperation):
1274         * dfg/DFGSpeculativeJIT32_64.cpp:
1275         (JSC::DFG::SpeculativeJIT::compile):
1276         * dfg/DFGSpeculativeJIT64.cpp:
1277         (JSC::DFG::SpeculativeJIT::compile):
1278         * ftl/FTLCapabilities.cpp:
1279         (JSC::FTL::canCompile):
1280         * ftl/FTLLowerDFGToB3.cpp:
1281         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1282         (JSC::FTL::DFG::LowerDFGToB3::compileToObjectOrCallObjectConstructor):
1283         (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor): Deleted.
1284         * jit/JIT.cpp:
1285         (JSC::JIT::privateCompileMainPass):
1286         (JSC::JIT::privateCompileSlowCases):
1287         * jit/JIT.h:
1288         * jit/JITOpcodes.cpp:
1289         (JSC::JIT::emit_op_to_object):
1290         (JSC::JIT::emitSlow_op_to_object):
1291         * jit/JITOpcodes32_64.cpp:
1292         (JSC::JIT::emit_op_to_object):
1293         (JSC::JIT::emitSlow_op_to_object):
1294         * jit/JITOperations.cpp:
1295         * jit/JITOperations.h:
1296         * llint/LowLevelInterpreter32_64.asm:
1297         * llint/LowLevelInterpreter64.asm:
1298         * runtime/CommonSlowPaths.cpp:
1299         (JSC::SLOW_PATH_DECL):
1300         * runtime/CommonSlowPaths.h:
1301
1302 2017-11-01  Fujii Hironori  <Hironori.Fujii@sony.com>
1303
1304         Use LazyNeverDestroyed instead of DEFINE_GLOBAL
1305         https://bugs.webkit.org/show_bug.cgi?id=174979
1306
1307         Reviewed by Yusuke Suzuki.
1308
1309         * config.h: Removed definitions of SKIP_STATIC_CONSTRUCTORS_ON_MSVC and SKIP_STATIC_CONSTRUCTORS_ON_GCC.
1310
1311 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1312
1313         [DFG][FTL] Introduce StringSlice
1314         https://bugs.webkit.org/show_bug.cgi?id=178934
1315
1316         Reviewed by Saam Barati.
1317
1318         String.prototype.slice is one of the most frequently called functions in ARES-6/Babylon.
1319         This patch introduces StringSlice DFG node to optimize it in DFG and FTL.
1320
1321         This patch's StringSlice node optimizes the following things.
1322
1323         1. Empty string generation is accelerated. It is fully executed inline.
1324         2. One char string generation is accelerated. Characters `< 0x100` are supported right now.
1325         It is the same as charAt acceleration.
1326         3. We calculate start and end index in DFG/FTL with Int32Use information and call optimized
1327         operation.
1328
1329         We do not inline (3)'s operation right now since we do not have a way to call bmalloc allocation from DFG / FTL.
1330         And we do not optimize String.prototype.{substring,substr} right now. But they can be optimized based on this change
1331         in subsequent changes.
1332
1333         This patch improves ARES-6/Babylon performance by 3% in steady state.
1334
1335         Baseline:
1336             Running... Babylon ( 1  to go)
1337             firstIteration:     50.05 +- 13.68 ms
1338             averageWorstCase:   16.80 +- 1.27 ms
1339             steadyState:        7.53 +- 0.22 ms
1340
1341         Patched:
1342             Running... Babylon ( 1  to go)
1343             firstIteration:     50.91 +- 13.41 ms
1344             averageWorstCase:   16.12 +- 0.99 ms
1345             steadyState:        7.30 +- 0.29 ms
1346
1347         * dfg/DFGAbstractInterpreterInlines.h:
1348         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1349         * dfg/DFGBackwardsPropagationPhase.cpp:
1350         (JSC::DFG::BackwardsPropagationPhase::propagate):
1351         * dfg/DFGByteCodeParser.cpp:
1352         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1353         * dfg/DFGClobberize.h:
1354         (JSC::DFG::clobberize):
1355         * dfg/DFGDoesGC.cpp:
1356         (JSC::DFG::doesGC):
1357         * dfg/DFGFixupPhase.cpp:
1358         (JSC::DFG::FixupPhase::fixupNode):
1359         * dfg/DFGNodeType.h:
1360         * dfg/DFGOperations.cpp:
1361         * dfg/DFGOperations.h:
1362         * dfg/DFGPredictionPropagationPhase.cpp:
1363         * dfg/DFGSafeToExecute.h:
1364         (JSC::DFG::safeToExecute):
1365         * dfg/DFGSpeculativeJIT.cpp:
1366         (JSC::DFG::SpeculativeJIT::compileStringSlice):
1367         (JSC::DFG::SpeculativeJIT::emitPopulateSliceIndex):
1368         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1369         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
1370         * dfg/DFGSpeculativeJIT.h:
1371         (JSC::DFG::SpeculativeJIT::callOperation):
1372         * dfg/DFGSpeculativeJIT32_64.cpp:
1373         (JSC::DFG::SpeculativeJIT::compile):
1374         * dfg/DFGSpeculativeJIT64.cpp:
1375         (JSC::DFG::SpeculativeJIT::compile):
1376         * ftl/FTLCapabilities.cpp:
1377         (JSC::FTL::canCompile):
1378         * ftl/FTLLowerDFGToB3.cpp:
1379         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1380         (JSC::FTL::DFG::LowerDFGToB3::populateSliceRange):
1381         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
1382         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
1383         * jit/JITOperations.h:
1384         * runtime/Intrinsic.cpp:
1385         (JSC::intrinsicName):
1386         * runtime/Intrinsic.h:
1387         * runtime/StringPrototype.cpp:
1388         (JSC::StringPrototype::finishCreation):
1389
1390 2017-10-31  JF Bastien  <jfbastien@apple.com>
1391
1392         WebAssembly: Wasm::IndexOrName has a raw pointer to Name
1393         https://bugs.webkit.org/show_bug.cgi?id=176644
1394
1395         Reviewed by Michael Saboff.
1396
1397         IndexOrName now keeps a RefPtr to its original NameSection, which
1398         holds the Name (or references nullptr if Index). Holding onto the
1399         entire section seems like the better thing to do, since backtraces
1400         probably contain multiple names from the same Module.
1401
1402         * JavaScriptCore.xcodeproj/project.pbxproj:
1403         * interpreter/Interpreter.cpp:
1404         (JSC::GetStackTraceFunctor::operator() const):
1405         * interpreter/StackVisitor.h: Frame is no longer POD because of the
1406         RefPtr.
1407         * runtime/StackFrame.cpp:
1408         (JSC::StackFrame::StackFrame):
1409         * runtime/StackFrame.h: Drop the union, size is now 40 bytes.
1410         (JSC::StackFrame::StackFrame): Deleted. Initialized in class instead.
1411         (JSC::StackFrame::wasm): Deleted. Make it a ctor instead.
1412         * wasm/WasmBBQPlanInlines.h:
1413         (JSC::Wasm::BBQPlan::initializeCallees):
1414         * wasm/WasmCallee.cpp:
1415         (JSC::Wasm::Callee::Callee):
1416         * wasm/WasmCallee.h:
1417         (JSC::Wasm::Callee::create):
1418         * wasm/WasmFormat.h: Move NameSection to its own header.
1419         (JSC::Wasm::isValidNameType):
1420         (JSC::Wasm::NameSection::get): Deleted.
1421         * wasm/WasmIndexOrName.cpp:
1422         (JSC::Wasm::IndexOrName::IndexOrName):
1423         (JSC::Wasm::makeString):
1424         * wasm/WasmIndexOrName.h:
1425         (JSC::Wasm::IndexOrName::IndexOrName):
1426         (JSC::Wasm::IndexOrName::isEmpty const):
1427         (JSC::Wasm::IndexOrName::isIndex const):
1428         * wasm/WasmModuleInformation.cpp:
1429         (JSC::Wasm::ModuleInformation::ModuleInformation):
1430         * wasm/WasmModuleInformation.h:
1431         (JSC::Wasm::ModuleInformation::ModuleInformation): Deleted.
1432         * wasm/WasmNameSection.h:
1433         (JSC::Wasm::NameSection::get):
1434         (JSC::Wasm::NameSection::create): Deleted.
1435         * wasm/WasmNameSectionParser.cpp:
1436         (JSC::Wasm::NameSectionParser::parse):
1437         * wasm/WasmNameSectionParser.h:
1438         * wasm/WasmOMGPlan.cpp:
1439         (JSC::Wasm::OMGPlan::work):
1440
1441 2017-10-31  Tim Horton  <timothy_horton@apple.com>
1442
1443         Clean up some drag and drop feature flags
1444         https://bugs.webkit.org/show_bug.cgi?id=179082
1445
1446         Reviewed by Simon Fraser.
1447
1448         * Configurations/FeatureDefines.xcconfig:
1449
1450 2017-10-31  Commit Queue  <commit-queue@webkit.org>
1451
1452         Unreviewed, rolling out r224243, r224246, and r224248.
1453         https://bugs.webkit.org/show_bug.cgi?id=179083
1454
1455         The patch and fix broke the Windows build. (Requested by
1456         mlewis13 on #webkit).
1457
1458         Reverted changesets:
1459
1460         "StructureStubInfo should have GPRReg members not int8_ts"
1461         https://bugs.webkit.org/show_bug.cgi?id=179071
1462         https://trac.webkit.org/changeset/224243
1463
1464         "Make all register enums be backed by uint8_t."
1465         https://bugs.webkit.org/show_bug.cgi?id=179074
1466         https://trac.webkit.org/changeset/224246
1467
1468         "Unreviewed, windows build fix."
1469         https://trac.webkit.org/changeset/224248
1470
1471 2017-10-31  Tim Horton  <timothy_horton@apple.com>
1472
1473         Fix up some content filtering feature flags
1474         https://bugs.webkit.org/show_bug.cgi?id=179079
1475
1476         Reviewed by Simon Fraser.
1477
1478         * Configurations/FeatureDefines.xcconfig:
1479
1480 2017-10-31  Keith Miller  <keith_miller@apple.com>
1481
1482         Unreviewed, windows build fix.
1483
1484         * assembler/X86Assembler.h:
1485         (JSC::X86Assembler::numberOfRegisters):
1486         (JSC::X86Assembler::numberOfSPRegisters):
1487         (JSC::X86Assembler::numberOfFPRegisters):
1488
1489 2017-10-31  Keith Miller  <keith_miller@apple.com>
1490
1491         Make all register enums be backed by uint8_t.
1492         https://bugs.webkit.org/show_bug.cgi?id=179074
1493
1494         Reviewed by Mark Lam.
1495
1496         * assembler/ARM64Assembler.h:
1497         * assembler/ARMAssembler.h:
1498         * assembler/ARMv7Assembler.h:
1499         * assembler/MIPSAssembler.h:
1500         * assembler/MacroAssembler.h:
1501         * assembler/X86Assembler.h:
1502
1503 2017-10-31  Keith Miller  <keith_miller@apple.com>
1504
1505         StructureStubInfo should have GPRReg members not int8_ts
1506         https://bugs.webkit.org/show_bug.cgi?id=179071
1507
1508         Reviewed by Michael Saboff.
1509
1510         This patch makes the various RegisterID enums be backed by
1511         uint8_t. This means that we can remove the old int8_t members in
1512         StructureStubInfo and replace them with the correct enum types.
1513
1514         Also, this fixes an indentation issue in ARMv7Assembler.h.
1515
1516         * assembler/ARM64Assembler.h:
1517         * assembler/ARMAssembler.h:
1518         * assembler/ARMv7Assembler.h:
1519         (JSC::ARMRegisters::asSingle):
1520         (JSC::ARMRegisters::asDouble):
1521         * assembler/MIPSAssembler.h:
1522         * assembler/X86Assembler.h:
1523         * bytecode/InlineAccess.cpp:
1524         (JSC::InlineAccess::generateSelfPropertyAccess):
1525         (JSC::getScratchRegister):
1526         * bytecode/PolymorphicAccess.cpp:
1527         (JSC::PolymorphicAccess::regenerate):
1528         * bytecode/StructureStubInfo.h:
1529         (JSC::StructureStubInfo::valueRegs const):
1530         * dfg/DFGSpeculativeJIT.cpp:
1531         (JSC::DFG::SpeculativeJIT::compileIn):
1532         * ftl/FTLLowerDFGToB3.cpp:
1533         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
1534         * jit/JITInlineCacheGenerator.cpp:
1535         (JSC::JITByIdGenerator::JITByIdGenerator):
1536         (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator):
1537
1538 2017-10-31  Devin Rousso  <webkit@devinrousso.com>
1539
1540         Web Inspector: make ScriptCallStack::maxCallStackSizeToCapture the default value when capturing backtraces
1541         https://bugs.webkit.org/show_bug.cgi?id=179048
1542
1543         Reviewed by Mark Lam.
1544
1545         * inspector/ScriptCallStackFactory.h:
1546         * inspector/ScriptCallStackFactory.cpp:
1547         (createScriptCallStack):
1548         (createScriptCallStackForConsole):
1549         (createScriptCallStackFromException):
1550
1551         * inspector/ConsoleMessage.cpp:
1552         (Inspector::ConsoleMessage::autogenerateMetadata):
1553         * inspector/JSGlobalObjectInspectorController.cpp:
1554         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
1555         * inspector/agents/InspectorConsoleAgent.cpp:
1556         (Inspector::InspectorConsoleAgent::count):
1557         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
1558         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
1559
1560 2017-10-31  Carlos Garcia Campos  <cgarcia@igalia.com>
1561
1562         Unreviewed. Fix GTK+ make distcheck.
1563
1564         Ensure DERIVED_SOURCES_JAVASCRIPTCORE_DIR/yarr is created before scripts generating files there are run.
1565
1566         * CMakeLists.txt:
1567
1568 2017-10-30  Saam Barati  <sbarati@apple.com>
1569
1570         We need a storeStoreFence before storing to the instruction stream's live variable catch data
1571         https://bugs.webkit.org/show_bug.cgi?id=178649
1572
1573         Reviewed by Keith Miller.
1574
1575         * bytecode/CodeBlock.cpp:
1576         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
1577
1578 2017-10-30  Michael Catanzaro  <mcatanzaro@igalia.com>
1579
1580         [WPE] Fix build warnings
1581         https://bugs.webkit.org/show_bug.cgi?id=178899
1582
1583         Reviewed by Carlos Alberto Lopez Perez.
1584
1585         * PlatformWPE.cmake:
1586
1587 2017-10-30  Zan Dobersek  <zdobersek@igalia.com>
1588
1589         [ARMv7] Fix initial start register support in YarrJIT
1590         https://bugs.webkit.org/show_bug.cgi?id=178641
1591
1592         Reviewed by Saam Barati.
1593
1594         * yarr/YarrJIT.cpp: On ARMv7, use r8 as the initialStart register in the
1595         YarrGenerator class. r6 should be avoided since it's already used inside
1596         MacroAssemblerARMv7 as addressTempRegister. r7 isn't picked because it
1597         can be used as the frame pointer register when targeting ARM Thumb2.
1598
1599 2017-10-30  Zan Dobersek  <zdobersek@igalia.com>
1600
1601         [ARM64][Linux] Re-enable Gigacage
1602         https://bugs.webkit.org/show_bug.cgi?id=178130
1603
1604         Reviewed by Michael Catanzaro.
1605
1606         Guard the current globaladdr opcode implementation for ARM64 with
1607         OS(DARWIN) as it's only usable for Mach-O.
1608
1609         For OS(LINUX), ELF-supported :got: and :got_lo12: relocation specifiers
1610         have to be used. The .loh directive can't be used as it's not supported
1611         in GCC or the ld linker.
1612
1613         On every other OS target, a compilation error is thrown.
1614
1615         * offlineasm/arm64.rb:
1616
1617 2017-10-27  Devin Rousso  <webkit@devinrousso.com>
1618
1619         Web Inspector: Canvas Tab: no way to see backtrace of where a canvas context was created
1620         https://bugs.webkit.org/show_bug.cgi?id=178799
1621         <rdar://problem/35175805>
1622
1623         Reviewed by Brian Burg.
1624
1625         * inspector/protocol/Canvas.json:
1626         Add optional `backtrace` to Canvas type that is an array of Console.CallFrame.
1627
1628 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1629
1630         [JSC] Tweak ES6 generator function to allow inlining
1631         https://bugs.webkit.org/show_bug.cgi?id=178935
1632
1633         Reviewed by Saam Barati.
1634
1635         We optimize builtins' generator helper functions to allow them to be inlined on the caller side.
1636         This patch adjusts the layer between @generatorResume, next(), throw(), and return() to allow
1637         them to be inlined in DFG.
1638
1639                                        baseline                  patched
1640
1641         spread-generator.es6      301.2637+-11.1011    ^    260.5905+-14.2258       ^ definitely 1.1561x faster
1642         generator.es6             269.6030+-13.2435    ^    148.8840+-6.7614        ^ definitely 1.8108x faster
1643
1644         * builtins/GeneratorPrototype.js:
1645         (globalPrivate.generatorResume):
1646         (next):
1647         (return):
1648         (throw):
1649
1650 2017-10-27  Saam Barati  <sbarati@apple.com>
1651
1652         Bytecode liveness should live on UnlinkedCodeBlock so it can be shared amongst CodeBlocks
1653         https://bugs.webkit.org/show_bug.cgi?id=178949
1654
1655         Reviewed by Keith Miller.
1656
1657         This patch stores BytecodeLiveness on UnlinkedCodeBlock instead of CodeBlock
1658         so that we don't need to recompute liveness for the same UnlinkedCodeBlock
1659         more than once. To do this, this patch solidifies the invariant that CodeBlock
1660         linking can't do anything that would change the result of liveness. For example,
1661         it can't introduce new locals. This invariant was met by JSC before, because we
1662         didn't do anything in bytecode linking that would change liveness. However, it is
1663         now a correctness requirement that we don't do anything that would change the
1664         result of running liveness. To support this change, I've refactored BytecodeGraph
1665         to not be tied to a CodeBlockType*. Things that perform liveness will pass in
1666         CodeBlockType* and the instruction stream as needed. This means that we may
1667         compute liveness with one CodeBlock*'s instruction stream, and then perform
1668         queries on that analysis with a different CodeBlock*'s instruction stream.
1669
1670         This seems to be a 2% JSBench progression.
1671
1672         * bytecode/BytecodeGeneratorification.cpp:
1673         (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
1674         (JSC::BytecodeGeneratorification::graph):
1675         (JSC::BytecodeGeneratorification::storageForGeneratorLocal):
1676         (JSC::GeneratorLivenessAnalysis::run):
1677         (JSC::BytecodeGeneratorification::run):
1678         * bytecode/BytecodeGraph.h:
1679         (JSC::BytecodeGraph::BytecodeGraph):
1680         (JSC::BytecodeGraph::codeBlock const): Deleted.
1681         (JSC::BytecodeGraph::instructions): Deleted.
1682         (JSC::BytecodeGraph<Block>::BytecodeGraph): Deleted.
1683         * bytecode/BytecodeLivenessAnalysis.cpp:
1684         (JSC::BytecodeLivenessAnalysis::BytecodeLivenessAnalysis):
1685         (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
1686         (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
1687         (JSC::BytecodeLivenessAnalysis::computeKills):
1688         (JSC::BytecodeLivenessAnalysis::dumpResults):
1689         (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset): Deleted.
1690         (JSC::BytecodeLivenessAnalysis::compute): Deleted.
1691         * bytecode/BytecodeLivenessAnalysis.h:
1692         * bytecode/BytecodeLivenessAnalysisInlines.h:
1693         (JSC::BytecodeLivenessPropagation::stepOverInstruction):
1694         (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBytecodeOffset):
1695         (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBlock):
1696         (JSC::BytecodeLivenessPropagation::getLivenessInfoAtBytecodeOffset):
1697         (JSC::BytecodeLivenessPropagation::runLivenessFixpoint):
1698         * bytecode/BytecodeRewriter.cpp:
1699         (JSC::BytecodeRewriter::applyModification):
1700         (JSC::BytecodeRewriter::execute):
1701         (JSC::BytecodeRewriter::adjustJumpTargetsInFragment):
1702         * bytecode/BytecodeRewriter.h:
1703         (JSC::BytecodeRewriter::BytecodeRewriter):
1704         (JSC::BytecodeRewriter::removeBytecode):
1705         (JSC::BytecodeRewriter::graph):
1706         * bytecode/CodeBlock.cpp:
1707         (JSC::CodeBlock::finishCreation):
1708         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
1709         (JSC::CodeBlock::validate):
1710         (JSC::CodeBlock::livenessAnalysisSlow): Deleted.
1711         * bytecode/CodeBlock.h:
1712         (JSC::CodeBlock::livenessAnalysis):
1713         * bytecode/UnlinkedCodeBlock.cpp:
1714         (JSC::UnlinkedCodeBlock::applyModification):
1715         (JSC::UnlinkedCodeBlock::livenessAnalysisSlow):
1716         * bytecode/UnlinkedCodeBlock.h:
1717         (JSC::UnlinkedCodeBlock::livenessAnalysis):
1718         * dfg/DFGGraph.cpp:
1719         (JSC::DFG::Graph::livenessFor):
1720         (JSC::DFG::Graph::killsFor):
1721         * dfg/DFGPlan.cpp:
1722         (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
1723         * jit/JIT.cpp:
1724         (JSC::JIT::privateCompileMainPass):
1725
1726 2017-10-27  Keith Miller  <keith_miller@apple.com>
1727
1728         Add unified source list files and build scripts to Xcode project navigator
1729         https://bugs.webkit.org/show_bug.cgi?id=178959
1730
1731         Reviewed by Andy Estes.
1732
1733         Also, add some extra source files so that new .cpp/.mm files don't cause the build
1734         to fail right away. We already do this in WebCore.
1735
1736         * JavaScriptCore.xcodeproj/project.pbxproj:
1737         * PlatformMac.cmake:
1738         * SourcesCocoa.txt: Renamed from Source/JavaScriptCore/SourcesMac.txt.
1739
1740 2017-10-27  JF Bastien  <jfbastien@apple.com>
1741
1742         WebAssembly: update arbitrary limits to what browsers use
1743         https://bugs.webkit.org/show_bug.cgi?id=178946
1744         <rdar://problem/34257412>
1745         <rdar://problem/34501154>
1746
1747         Reviewed by Saam Barati.
1748
1749         https://github.com/WebAssembly/design/issues/1138 discusses the
1750         arbitrary function size limit, which it turns out Chrome and
1751         Firefox didn't enforce. We didn't use it because it was
1752         ridiculously low and actual programs ran into that limit (bummer
1753         for Edge which just shipped it...). Now that we agree on a high
1754         arbitrary program limit, let's update it! While I'm doing this
1755         there are a few other spots that I polished to use Checked or
1756         better check limits overall.
1757
1758         * wasm/WasmB3IRGenerator.cpp:
1759         (JSC::Wasm::B3IRGenerator::addLocal):
1760         * wasm/WasmFormat.cpp:
1761         (JSC::Wasm::Segment::create):
1762         * wasm/WasmFunctionParser.h:
1763         (JSC::Wasm::FunctionParser<Context>::parse):
1764         * wasm/WasmInstance.cpp:
1765         * wasm/WasmLimits.h:
1766         * wasm/WasmModuleParser.cpp:
1767         (JSC::Wasm::ModuleParser::parseGlobal):
1768         (JSC::Wasm::ModuleParser::parseCode):
1769         (JSC::Wasm::ModuleParser::parseData):
1770         * wasm/WasmSignature.h:
1771         (JSC::Wasm::Signature::allocatedSize):
1772         * wasm/WasmTable.cpp:
1773         (JSC::Wasm::Table::Table):
1774         * wasm/js/JSWebAssemblyTable.cpp:
1775         (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
1776         (JSC::JSWebAssemblyTable::grow):
1777
1778 2017-10-26  Michael Saboff  <msaboff@apple.com>
1779
1780         REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
1781         https://bugs.webkit.org/show_bug.cgi?id=178890
1782
1783         Reviewed by Keith Miller.
1784
1785         We need to let a contained subpattern backtrack before declaring that the containing
1786         parenthesis doesn't match.  If the subpattern fails to match when backtracking, then we
1787         can check to see if we are trying to backtrack below the minimum match count.
1788         
1789         * yarr/YarrInterpreter.cpp:
1790         (JSC::Yarr::Interpreter::backtrackParentheses):
1791
1792 2017-10-26  Mark Lam  <mark.lam@apple.com>
1793
1794         JSRopeString::RopeBuilder::append() should check for overflows.
1795         https://bugs.webkit.org/show_bug.cgi?id=178385
1796         <rdar://problem/35027468>
1797
1798         Reviewed by Saam Barati.
1799
1800         1. Made RopeString check for overflow like the Checked class does.
1801         2. Added a missing overflow check in objectProtoFuncToString().
1802
1803         * runtime/JSString.cpp:
1804         (JSC::JSRopeString::RopeBuilder<RecordOverflow>::expand):
1805         (JSC::JSRopeString::RopeBuilder::expand): Deleted.
1806         * runtime/JSString.h:
1807         * runtime/ObjectPrototype.cpp:
1808         (JSC::objectProtoFuncToString):
1809         * runtime/Operations.h:
1810         (JSC::jsStringFromRegisterArray):
1811         (JSC::jsStringFromArguments):
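
The overflow check this entry describes, as an added illustration that is not JavaScriptCore's own code: a rope-style builder that accumulates piece lengths through a Checked-like accumulator with RecordOverflow semantics, shown beside the unchecked form whose total silently wraps. kMaxLength, CheckedLength and the two builder types are assumptions made for this example.

```cpp
// Added illustration (not JSC code) of the pattern described in the entry above:
// summing string-piece lengths through a checked accumulator that records overflow,
// instead of a plain integer that wraps and yields an undersized buffer.
#include <cstdint>
#include <vector>

// Assumed maximum string length for this example; JSC has its own limit.
constexpr uint32_t kMaxLength = 0x7FFFFFFFu;

// Minimal stand-in for a Checked<uint32_t, RecordOverflow>-style value: once an
// addition overflows (or exceeds the maximum), it is poisoned and stays poisoned.
class CheckedLength {
public:
    void add(uint32_t n) {
        if (m_overflowed)
            return;
        uint32_t sum;
        if (__builtin_add_overflow(m_value, n, &sum) || sum > kMaxLength) {
            m_overflowed = true;
            return;
        }
        m_value = sum;
    }
    bool hasOverflowed() const { return m_overflowed; }
    uint32_t value() const { return m_value; }

private:
    uint32_t m_value = 0;
    bool m_overflowed = false;
};

// The "before": lengths are summed in a plain uint32_t, so appending enough
// pieces wraps the total and any buffer sized from it is too small.
struct UncheckedRopeBuilder {
    uint32_t length = 0;
    void append(uint32_t pieceLength) { length += pieceLength; }
};

// The "after": append() records overflow, and callers must consult
// hasOverflowed() before trusting length().
class RopeBuilder {
public:
    void append(uint32_t pieceLength) { m_length.add(pieceLength); }
    bool hasOverflowed() const { return m_length.hasOverflowed(); }
    uint32_t length() const { return m_length.value(); }

private:
    CheckedLength m_length;
};

// Feeds constructed piece lengths to the unchecked builder; the result wraps.
uint32_t uncheckedTotal(const std::vector<uint32_t>& pieces) {
    UncheckedRopeBuilder b;
    for (uint32_t p : pieces)
        b.append(p);
    return b.length;
}

// Feeds the same pieces to the checked builder and reports whether it overflowed.
bool checkedBuilderDetectsOverflow(const std::vector<uint32_t>& pieces) {
    RopeBuilder b;
    for (uint32_t p : pieces)
        b.append(p);
    return b.hasOverflowed();
}

// Returns the checked total, or 0 when overflow was recorded (callers that need
// to distinguish an empty result use checkedBuilderDetectsOverflow()).
uint32_t checkedTotal(const std::vector<uint32_t>& pieces) {
    RopeBuilder b;
    for (uint32_t p : pieces)
        b.append(p);
    return b.hasOverflowed() ? 0u : b.length();
}
```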
1812
1813 2017-10-26  JF Bastien  <jfbastien@apple.com>
1814
1815         WebAssembly: no VM / JS version of our implementation
1816         https://bugs.webkit.org/show_bug.cgi?id=177472
1817
1818         Reviewed by Michael Saboff.
1819
1820         This patch removes all appearances of "JS" and "VM" in the wasm
1821         directory. These now only appear in the wasm/js directory, which
1822         is only used in a JS embedding of wasm. It should therefore now be
1823         possible to create non-JS embeddings of wasm through JSC, though
1824         it'll still require:
1825
1826           - Mild codegen for wasm<->embedder calls;
1827           - A strategy for trap handling (no need for full unwind! Could kill).
1828           - Creation of the Wasm::* objects.
1829           - Calling convention handling to call the embedder.
1830           - Handling of multiple embedders (see #177475, this is optional).
1831
1832         Most of the patch consists of renaming JSWebAssemblyInstance to
1833         Instance, and removing temporary copies which I'd added to make
1834         this specific patch very simple.
1835
1836         * interpreter/CallFrame.cpp:
1837         (JSC::CallFrame::wasmAwareLexicalGlobalObject): this one place
1838         which needs to know about who "owns" the Wasm::Instance. In a JS
1839         embedding it's the JSWebAssemblyInstance.
1840         * wasm/WasmB3IRGenerator.cpp:
1841         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1842         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
1843         (JSC::Wasm::B3IRGenerator::addGrowMemory):
1844         (JSC::Wasm::B3IRGenerator::addCurrentMemory):
1845         (JSC::Wasm::B3IRGenerator::getGlobal):
1846         (JSC::Wasm::B3IRGenerator::setGlobal):
1847         (JSC::Wasm::B3IRGenerator::addCall):
1848         (JSC::Wasm::B3IRGenerator::addCallIndirect):
1849         * wasm/WasmBinding.cpp:
1850         (JSC::Wasm::wasmToWasm):
1851         * wasm/WasmContext.cpp:
1852         (JSC::Wasm::Context::load const):
1853         (JSC::Wasm::Context::store):
1854         * wasm/WasmContext.h:
1855         * wasm/WasmEmbedder.h:
1856         * wasm/WasmInstance.cpp:
1857         (JSC::Wasm::Instance::Instance):
1858         (JSC::Wasm::Instance::create):
1859         (JSC::Wasm::Instance::extraMemoryAllocated const):
1860         * wasm/WasmInstance.h: add an "owner", the Wasm::Context, move the
1861         "tail" import information from JSWebAssemblyInstance over to here.
1862         (JSC::Wasm::Instance::finalizeCreation):
1863         (JSC::Wasm::Instance::owner const):
1864         (JSC::Wasm::Instance::offsetOfOwner):
1865         (JSC::Wasm::Instance::context const):
1866         (JSC::Wasm::Instance::setMemory):
1867         (JSC::Wasm::Instance::setTable):
1868         (JSC::Wasm::Instance::offsetOfMemory):
1869         (JSC::Wasm::Instance::offsetOfGlobals):
1870         (JSC::Wasm::Instance::offsetOfTable):
1871         (JSC::Wasm::Instance::offsetOfTail):
1872         (JSC::Wasm::Instance::numImportFunctions const):
1873         (JSC::Wasm::Instance::importFunctionInfo):
1874         (JSC::Wasm::Instance::offsetOfTargetInstance):
1875         (JSC::Wasm::Instance::offsetOfWasmEntrypoint):
1876         (JSC::Wasm::Instance::offsetOfWasmToEmbedderStubExecutableAddress):
1877         (JSC::Wasm::Instance::offsetOfImportFunction):
1878         (JSC::Wasm::Instance::importFunction):
1879         (JSC::Wasm::Instance::allocationSize):
1880         (JSC::Wasm::Instance::create): Deleted.
1881         * wasm/WasmOMGPlan.cpp:
1882         (JSC::Wasm::OMGPlan::runForIndex):
1883         * wasm/WasmOMGPlan.h:
1884         * wasm/WasmTable.cpp:
1885         (JSC::Wasm::Table::Table):
1886         (JSC::Wasm::Table::setFunction):
1887         * wasm/WasmTable.h:
1888         * wasm/WasmThunks.cpp:
1889         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
1890         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
1891         * wasm/js/JSToWasm.cpp:
1892         (JSC::Wasm::createJSToWasmWrapper):
1893         * wasm/js/JSWebAssemblyInstance.cpp: delete code that is now on Wasm::Instance
1894         (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance): The embedder
1895         decides what the import function is. Here we must properly
1896         placement-new it to what we've elected (and initialize it later).
1897         (JSC::JSWebAssemblyInstance::visitChildren):
1898         (JSC::JSWebAssemblyInstance::finalizeCreation):
1899         (JSC::JSWebAssemblyInstance::create):
1900         * wasm/js/JSWebAssemblyInstance.h: delete code that is now on Wasm::Instance
1901         (JSC::JSWebAssemblyInstance::instance):
1902         (JSC::JSWebAssemblyInstance::moduleNamespaceObject):
1903         (JSC::JSWebAssemblyInstance::setMemory):
1904         (JSC::JSWebAssemblyInstance::table):
1905         (JSC::JSWebAssemblyInstance::setTable):
1906         (JSC::JSWebAssemblyInstance::offsetOfInstance):
1907         (JSC::JSWebAssemblyInstance::offsetOfCallee):
1908         (JSC::JSWebAssemblyInstance::context const): Deleted.
1909         (JSC::JSWebAssemblyInstance::offsetOfTail): Deleted.
1910         (): Deleted.
1911         (JSC::JSWebAssemblyInstance::importFunctionInfo): Deleted.
1912         (JSC::JSWebAssemblyInstance::offsetOfTargetInstance): Deleted.
1913         (JSC::JSWebAssemblyInstance::offsetOfWasmEntrypoint): Deleted.
1914         (JSC::JSWebAssemblyInstance::offsetOfWasmToEmbedderStubExecutableAddress): Deleted.
1915         (JSC::JSWebAssemblyInstance::offsetOfImportFunction): Deleted.
1916         (JSC::JSWebAssemblyInstance::importFunction): Deleted.
1917         (JSC::JSWebAssemblyInstance::internalMemory): Deleted.
1918         (JSC::JSWebAssemblyInstance::wasmCodeBlock const): Deleted.
1919         (JSC::JSWebAssemblyInstance::offsetOfWasmTable): Deleted.
1920         (JSC::JSWebAssemblyInstance::offsetOfGlobals): Deleted.
1921         (JSC::JSWebAssemblyInstance::offsetOfCodeBlock): Deleted.
1922         (JSC::JSWebAssemblyInstance::offsetOfWasmCodeBlock): Deleted.
1923         (JSC::JSWebAssemblyInstance::offsetOfCachedStackLimit): Deleted.
1924         (JSC::JSWebAssemblyInstance::offsetOfWasmMemory): Deleted.
1925         (JSC::JSWebAssemblyInstance::offsetOfTopEntryFramePointer): Deleted.
1926         (JSC::JSWebAssemblyInstance::cachedStackLimit const): Deleted.
1927         (JSC::JSWebAssemblyInstance::setCachedStackLimit): Deleted.
1928         (JSC::JSWebAssemblyInstance::wasmMemory): Deleted.
1929         (JSC::JSWebAssemblyInstance::wasmModule): Deleted.
1930         (JSC::JSWebAssemblyInstance::allocationSize): Deleted.
1931         * wasm/js/JSWebAssemblyTable.cpp:
1932         (JSC::JSWebAssemblyTable::setFunction):
1933         * wasm/js/WasmToJS.cpp: One extra indirection to find the JSWebAssemblyInstance.
1934         (JSC::Wasm::materializeImportJSCell):
1935         (JSC::Wasm::handleBadI64Use):
1936         (JSC::Wasm::wasmToJS):
1937         (JSC::Wasm::wasmToJSException):
1938         * wasm/js/WasmToJS.h:
1939         * wasm/js/WebAssemblyFunction.cpp:
1940         (JSC::callWebAssemblyFunction):
1941         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1942         (JSC::constructJSWebAssemblyInstance):
1943         * wasm/js/WebAssemblyModuleRecord.cpp:
1944         (JSC::WebAssemblyModuleRecord::link):
1945         (JSC::WebAssemblyModuleRecord::evaluate):
1946         * wasm/js/WebAssemblyPrototype.cpp:
1947         (JSC::instantiate):
1948         * wasm/js/WebAssemblyWrapperFunction.cpp:
1949         (JSC::WebAssemblyWrapperFunction::create):
1950
1951 2017-10-25  Devin Rousso  <webkit@devinrousso.com>
1952
1953         Web Inspector: provide a way to enable/disable event listeners
1954         https://bugs.webkit.org/show_bug.cgi?id=177451
1955         <rdar://problem/34994925>
1956
1957         Reviewed by Joseph Pecoraro.
1958
1959         * inspector/protocol/DOM.json:
1960         Add `setEventListenerDisabled` command that enables/disables a specific event listener
1961         during event dispatch. When a disabled event listener is fired, the listener's callback will
1962         not be called.
1963
1964 2017-10-25  Commit Queue  <commit-queue@webkit.org>
1965
1966         Unreviewed, rolling out r223691 and r223729.
1967         https://bugs.webkit.org/show_bug.cgi?id=178834
1968
1969         Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
1970         by rniwa on #webkit).
1971
1972         Reverted changesets:
1973
1974         "Turn recursive tail calls into loops"
1975         https://bugs.webkit.org/show_bug.cgi?id=176601
1976         https://trac.webkit.org/changeset/223691
1977
1978         "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
1979         comparison is always false due to limited range of data type
1980         [-Wtype-limits]"
1981         https://bugs.webkit.org/show_bug.cgi?id=178543
1982         https://trac.webkit.org/changeset/223729
1983
1984 2017-10-25  Michael Saboff  <msaboff@apple.com>
1985
1986         REGRESSION(r223937): Use of -fobjc-weak causes build failures with older compilers
1987         https://bugs.webkit.org/show_bug.cgi?id=178825
1988
1989         Reviewed by Mark Lam.
1990
1991         Enable ARC for ARM64_32.  This eliminates the need for setting CLANG_ENABLE_OBJC_WEAK.
1992
1993         * Configurations/ToolExecutable.xcconfig:
1994
1995 2017-10-25  Keith Miller  <keith_miller@apple.com>
1996
1997         Fix implicit cast of enum, which seems to break the windows build of unified sources.
1998         https://bugs.webkit.org/show_bug.cgi?id=178822
1999
2000         Reviewed by Saam Barati.
2001
2002         * bytecode/DFGExitProfile.h:
2003         (JSC::DFG::FrequentExitSite::hash const):
2004
2005 2017-10-24  Michael Saboff  <msaboff@apple.com>
2006
2007         Allow ObjC Weak References when building TestAPI
2008         https://bugs.webkit.org/show_bug.cgi?id=178748
2009
2010         Reviewed by Dan Bernstein.
2011
2012         Set TestAPI build flag Weak References in Manual Retain Release to true.
2013
2014         * JavaScriptCore.xcodeproj/project.pbxproj: Reverted.
2015         * Configurations/ToolExecutable.xcconfig: Changed the flag here instead.
2016
2017 2017-10-24  Eric Carlson  <eric.carlson@apple.com>
2018
2019         Web Inspector: Enable WebKit logging configuration and display
2020         https://bugs.webkit.org/show_bug.cgi?id=177027
2021         <rdar://problem/33964767>
2022
2023         Reviewed by Joseph Pecoraro.
2024
2025         * inspector/ConsoleMessage.cpp:
2026         (Inspector::messageSourceValue): Inspector::Protocol::Console::ConsoleMessage ->
2027             Inspector::Protocol::Console::ChannelSource.
2028         * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
2029         (Inspector::JSGlobalObjectConsoleAgent::getLoggingChannels): There are no logging channels
2030             specific to a JSContext yet, so return an empty channel array.
2031         (Inspector::JSGlobalObjectConsoleAgent::setLoggingChannelLevel): No channels, return an error.
2032         * inspector/agents/JSGlobalObjectConsoleAgent.h:
2033
2034         * inspector/protocol/Console.json: Add ChannelSource, ChannelLevel, and Channel. Add getLoggingChannels
2035             and setLoggingChannelLevel.
2036
2037         * inspector/scripts/codegen/generator.py: Special case "webrtc" -> "WebRTC".
2038         * inspector/scripts/tests/generic/expected/enum-values.json-result:
2039         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
2040         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
2041         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2042         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
2043
2044         * runtime/ConsoleTypes.h: Add Media and WebRTC.
2045
2046 2017-10-24  Michael Saboff  <msaboff@apple.com>
2047
2048         Allow ObjC Weak References when building TestAPI
2049         https://bugs.webkit.org/show_bug.cgi?id=178748
2050
2051         Reviewed by Saam Barati.
2052
2053         Set TestAPI build flag Weak References in Manual Retain Release to true.
2054
2055         * JavaScriptCore.xcodeproj/project.pbxproj:
2056
2057 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2058
2059         [FTL] Support NewStringObject
2060         https://bugs.webkit.org/show_bug.cgi?id=178737
2061
2062         Reviewed by Saam Barati.
2063
2064         FTL should support NewStringObject and encourage use of NewStringObject in DFG pipeline.
2065         After this change, we can convert `CallObjectConstructor(String)` to `NewStringObject(String)`.
2066
2067         * ftl/FTLAbstractHeapRepository.h:
2068         * ftl/FTLCapabilities.cpp:
2069         (JSC::FTL::canCompile):
2070         * ftl/FTLLowerDFGToB3.cpp:
2071         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2072         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
2073
2074 2017-10-24  Guillaume Emont  <guijemont@igalia.com>
2075
2076         [mips] fix offsets of branches that have to go over a jump
2077         https://bugs.webkit.org/show_bug.cgi?id=153464
2078
2079         The jump() function creates 8 instructions, but the offsets of branches
2080         meant to go over them only account for 6. In most cases, this is not an
2081         issue as the last two instructions of jump() would be nops, but in the
2082         rarer case where the jump destination is in a different 256 MB segment,
2083         MIPSAssembler::linkWithOffset() will rewrite the code in a way in which
2084         the last 4 instructions would be a 2 instruction load (lui/ori) into
2085         $t9, a "j $t9" and then a nop. The wrong offset will mean that the
2086         previous branches meant to go over the whole jump will branch to the
2087         "j $t9" instruction, which would jump to whatever is currently in $t9
2088         (since lui/ori would not be executed).
2089
2090         Reviewed by Michael Catanzaro.
2091
2092         * assembler/MacroAssemblerMIPS.h:
2093         (JSC::MacroAssemblerMIPS::branchAdd32):
2094         (JSC::MacroAssemblerMIPS::branchMul32):
2095         (JSC::MacroAssemblerMIPS::branchSub32):
2096         Fix the offsets of branches meant to go over code generated by jump().
2097
2098 2017-10-24  JF Bastien  <jfbastien@apple.com>
2099
2100         WebAssembly: NFC renames of things that aren't JS-specific
2101         https://bugs.webkit.org/show_bug.cgi?id=178738
2102
2103         Reviewed by Saam Barati.
2104
2105         * wasm/WasmB3IRGenerator.cpp:
2106         (JSC::Wasm::parseAndCompile):
2107         * wasm/WasmB3IRGenerator.h:
2108         * wasm/WasmBBQPlan.cpp:
2109         (JSC::Wasm::BBQPlan::complete):
2110         * wasm/WasmCodeBlock.cpp:
2111         (JSC::Wasm::CodeBlock::CodeBlock):
2112         * wasm/WasmCodeBlock.h:
2113         (JSC::Wasm::CodeBlock::embedderEntrypointCalleeFromFunctionIndexSpace):
2114         (JSC::Wasm::CodeBlock::jsEntrypointCalleeFromFunctionIndexSpace): Deleted.
2115         * wasm/WasmFormat.h:
2116         * wasm/js/JSToWasm.cpp:
2117         (JSC::Wasm::createJSToWasmWrapper):
2118         * wasm/js/WebAssemblyModuleRecord.cpp:
2119         (JSC::WebAssemblyModuleRecord::link):
2120         (JSC::WebAssemblyModuleRecord::evaluate):
2121
2122 2017-10-24  Stephan Szabo  <stephan.szabo@sony.com>
2123
2124         [Win][JSCOnly] Make jsconly build testapi and dlls and copy dlls when running tests
2125         https://bugs.webkit.org/show_bug.cgi?id=177279
2126
2127         Reviewed by Yusuke Suzuki.
2128
2129         * shell/PlatformJSCOnly.cmake: Added.
2130
2131 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
2132
2133         [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
2134         https://bugs.webkit.org/show_bug.cgi?id=178308
2135
2136         Reviewed by Mark Lam.
2137
2138         With the change of the spec [1], we now do not need to remember star resolution modules.
2139         We reflect this change in our implementation. Since this change is covered by test262,
2140         this patch improves the score of test262.
2141
2142         We also add logging to ResolveExport to debug it easily.
2143
2144         [1]: https://github.com/tc39/ecma262/commit/a865e778ff0fc60e26e3e1c589635103710766a1
2145
2146         * runtime/AbstractModuleRecord.cpp:
2147         (JSC::AbstractModuleRecord::ResolveQuery::dump const):
2148         (JSC::AbstractModuleRecord::resolveExportImpl):
2149
2150 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2151
2152         [JSC] Use emitDumbVirtualCall in 32bit JIT
2153         https://bugs.webkit.org/show_bug.cgi?id=178644
2154
2155         Reviewed by Mark Lam.
2156
2157         This patch aligns 32bit JIT op_call_eval slow case to 64bit version by using emitDumbVirtualCall.
2158
2159         * jit/JITCall32_64.cpp:
2160         (JSC::JIT::compileCallEvalSlowCase):
2161
2162 2017-10-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2163
2164         [JSC] Drop ArityCheckData
2165         https://bugs.webkit.org/show_bug.cgi?id=178648
2166
2167         Reviewed by Mark Lam.
2168
2169         ArityCheckData is used to return a pair of `slotsToAdd` and `thunkToCall`.
2170         However, use of `thunkToCall` is removed in 64bit environment at r189575.
2171
2172         We remove `thunkToCall` and align 32bit implementation to 64bit implementation.
2173         Since we no longer need to have the above pair, we can remove ArityCheckData too.
2174
2175         * llint/LowLevelInterpreter32_64.asm:
2176         * llint/LowLevelInterpreter64.asm:
2177         * runtime/CommonSlowPaths.cpp:
2178         (JSC::SLOW_PATH_DECL):
2179         (JSC::setupArityCheckData): Deleted.
2180         * runtime/CommonSlowPaths.h:
2181         * runtime/VM.cpp:
2182         (JSC::VM::VM):
2183         * runtime/VM.h:
2184
2185 2017-10-23  Keith Miller  <keith_miller@apple.com>
2186
2187         Unreviewed, reland r223866
2188
2189         Didn't break the windows build...
2190
2191         Restored changeset:
2192
2193         "WebAssembly: topEntryFrame on Wasm::Instance"
2194         https://bugs.webkit.org/show_bug.cgi?id=178690
2195         https://trac.webkit.org/changeset/223866
2196
2198 2017-10-23  Commit Queue  <commit-queue@webkit.org>
2199
2200         Unreviewed, rolling out r223866.
2201         https://bugs.webkit.org/show_bug.cgi?id=178699
2202
2203         Probably broke the windows build (Requested by keith_miller on
2204         #webkit).
2205
2206         Reverted changeset:
2207
2208         "WebAssembly: topEntryFrame on Wasm::Instance"
2209         https://bugs.webkit.org/show_bug.cgi?id=178690
2210         https://trac.webkit.org/changeset/223866
2211
2212 2017-10-23  Joseph Pecoraro  <pecoraro@apple.com>
2213
2214         Web Inspector: Remove unused Console.setMonitoringXHREnabled
2215         https://bugs.webkit.org/show_bug.cgi?id=178617
2216
2217         Reviewed by Sam Weinig.
2218
2219         * JavaScriptCore.xcodeproj/project.pbxproj:
2220         * Sources.txt:
2221         * inspector/agents/InspectorConsoleAgent.h:
2222         * inspector/agents/JSGlobalObjectConsoleAgent.cpp: Removed.
2223         * inspector/agents/JSGlobalObjectConsoleAgent.h: Removed.
2224         * inspector/protocol/Console.json:
2225         Removed files and method.
2226
2227         * inspector/JSGlobalObjectInspectorController.cpp:
2228         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2229         This can use the base ConsoleAgent now.
2230
2231 2017-10-23  JF Bastien  <jfbastien@apple.com>
2232
2233         WebAssembly: topEntryFrame on Wasm::Instance
2234         https://bugs.webkit.org/show_bug.cgi?id=178690
2235
2236         Reviewed by Saam Barati.
2237
2238         topEntryFrame is usually on VM, but for a no-VM WebAssembly we
2239         need to hold topEntryFrame elsewhere, and generated code cannot
2240         hard-code where topEntryFrame lives. Do this at creation time of
2241         Wasm::Instance, and then generated code will just load from
2242         wherever Wasm::Instance was told topEntryFrame is. In a JavaScript
2243         embedding this is still from VM, so all of the unwinding machinery
2244         stays the same.
2245
2246         * dfg/DFGOSREntry.cpp:
2247         (JSC::DFG::prepareOSREntry):
2248         * dfg/DFGOSRExit.cpp:
2249         (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
2250         (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
2251         * ftl/FTLOSRExitCompiler.cpp:
2252         (JSC::FTL::compileStub):
2253         * interpreter/Interpreter.cpp:
2254         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
2255         * jit/AssemblyHelpers.cpp:
2256         (JSC::AssemblyHelpers::restoreCalleeSavesFromEntryFrameCalleeSavesBuffer):
2257         (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBufferImpl):
2258         * jit/AssemblyHelpers.h:
2259         (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBuffer):
2260         The default parameter was never non-defaulted from any of the
2261         callers. The new version calls the impl directly because it
2262         doesn't have VM and doesn't hard-code the address of
2263         topEntryFrame.
2264         * jit/RegisterSet.cpp:
2265         (JSC::RegisterSet::vmCalleeSaveRegisterOffsets): This was weird on
2266         VM because it's not really VM-specific.
2267         * jit/RegisterSet.h:
2268         * runtime/VM.cpp:
2269         (JSC::VM::getAllCalleeSaveRegisterOffsets): Deleted.
2270         * runtime/VM.h:
2271         (JSC::VM::getCTIStub):
2272         * wasm/WasmB3IRGenerator.cpp:
2273         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2274         (JSC::Wasm::B3IRGenerator::addCall):
2275         (JSC::Wasm::B3IRGenerator::addCallIndirect):
2276         * wasm/WasmInstance.cpp:
2277         (JSC::Wasm::Instance::Instance):
2278         * wasm/WasmInstance.h: topEntryFramePointer will eventually live
2279         here for real. Right now it's mirrored in JSWebAssemblyInstance
2280         because that's the acting Context.
2281         (JSC::Wasm::Instance::create):
2282         (JSC::Wasm::Instance::offsetOfTopEntryFramePointer):
2283         * wasm/WasmThunks.cpp:
2284         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
2285         * wasm/js/JSWebAssemblyInstance.cpp:
2286         (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
2287         * wasm/js/JSWebAssemblyInstance.h: Mirror Wasm::Instance temporarily.
2288         (JSC::JSWebAssemblyInstance::offsetOfCallee):
2289         (JSC::JSWebAssemblyInstance::offsetOfTopEntryFramePointer):
2290         (JSC::JSWebAssemblyInstance::offsetOfVM): Deleted.
2291         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2292         (JSC::constructJSWebAssemblyInstance):
2293         * wasm/js/WebAssemblyPrototype.cpp:
2294         (JSC::instantiate):
2295
2296 2017-10-23  Joseph Pecoraro  <pecoraro@apple.com>
2297
2298         Web Inspector: Please support HAR Export for network traffic
2299         https://bugs.webkit.org/show_bug.cgi?id=146692
2300         <rdar://problem/7463672>
2301
2302         Reviewed by Brian Burg.
2303
2304         * inspector/protocol/Network.json:
2305         Add a walltime to each send request.
2306
2307 2017-10-23  Matt Lewis  <jlewis3@apple.com>
2308
2309         Unreviewed, rolling out r223820.
2310
2311         This caused a build break on Windows.
2312
2313         Reverted changeset:
2314
2315         "Web Inspector: Remove unused Console.setMonitoringXHREnabled"
2316         https://bugs.webkit.org/show_bug.cgi?id=178617
2317         https://trac.webkit.org/changeset/223820
2318
2319 2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
2320
2321         [JSC] Use fastJoin in Array#toString
2322         https://bugs.webkit.org/show_bug.cgi?id=178062
2323
2324         Reviewed by Darin Adler.
2325
2326         Array#toString()'s fast path uses the original join operation.
2327         But this should use fastJoin if possible.
2328         This patch adds a fast path using fastJoin in Array#toString.
2329         And we also extend fastJoin to perform fast joining for int32
2330         arrays.
2331
2332                                              baseline                  patched
2333
2334         double-array-to-string          126.6157+-5.8625     ^    103.7343+-4.4968        ^ definitely 1.2206x faster
2335         int32-array-to-string            64.7792+-2.6524           61.2390+-2.1749          might be 1.0578x faster
2336         contiguous-array-to-string       62.6224+-2.6388     ^     56.9899+-2.0852        ^ definitely 1.0988x faster
2337
2339         * runtime/ArrayPrototype.cpp:
2340         (JSC::fastJoin):
2341         (JSC::arrayProtoFuncToString):
2342         (JSC::arrayProtoFuncToLocaleString):
2343         * runtime/JSStringJoiner.h:
2344         (JSC::JSStringJoiner::appendWithoutSideEffects):
2345         (JSC::JSStringJoiner::appendInt32):
2346         (JSC::JSStringJoiner::appendDouble):
2347
2348 2017-10-22  Zan Dobersek  <zdobersek@igalia.com>
2349
2350         [JSC] Remove !(OS(LINUX) && CPU(ARM64)) guards in RegisterState.h
2351         https://bugs.webkit.org/show_bug.cgi?id=178452
2352
2353         Reviewed by Yusuke Suzuki.
2354
2355         * heap/RegisterState.h: Re-enable the custom RegisterState and
2356         ALLOCATE_AND_GET_REGISTER_STATE definitions on ARM64 Linux. These don't
2357         cause any crashes nowadays.
2358
2359 2017-10-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2360
2361         [JSC][Baseline] Use linkAllSlowCasesForBytecodeOffset as much as possible to simplify slow cases handling
2362         https://bugs.webkit.org/show_bug.cgi?id=178647
2363
2364         Reviewed by Saam Barati.
2365
2366         There is much code counting slow cases in fast paths to call `linkSlowCase` carefully. This is really error-prone
2367         since the number of slow cases depends on the values of the instruction's metadata. We have linkAllSlowCasesForBytecodeOffset,
2368         which drains all slow cases for a specified bytecode offset. In typical cases like just calling a slow path function,
2369         this is enough. We use linkAllSlowCasesForBytecodeOffset as much as possible. It significantly simplifies the code.
2370
2371         * jit/JIT.h:
2372         (JSC::JIT::linkAllSlowCases):
2373         * jit/JITArithmetic.cpp:
2374         (JSC::JIT::emitSlow_op_unsigned):
2375         (JSC::JIT::emit_compareAndJump):
2376         (JSC::JIT::emit_compareAndJumpSlow):
2377         (JSC::JIT::emitSlow_op_inc):
2378         (JSC::JIT::emitSlow_op_dec):
2379         (JSC::JIT::emitSlow_op_mod):
2380         (JSC::JIT::emitSlow_op_negate):
2381         (JSC::JIT::emitSlow_op_bitand):
2382         (JSC::JIT::emitSlow_op_bitor):
2383         (JSC::JIT::emitSlow_op_bitxor):
2384         (JSC::JIT::emitSlow_op_lshift):
2385         (JSC::JIT::emitSlow_op_rshift):
2386         (JSC::JIT::emitSlow_op_urshift):
2387         (JSC::JIT::emitSlow_op_add):
2388         (JSC::JIT::emitSlow_op_div):
2389         (JSC::JIT::emitSlow_op_mul):
2390         (JSC::JIT::emitSlow_op_sub):
2391         * jit/JITArithmetic32_64.cpp:
2392         (JSC::JIT::emit_compareAndJumpSlow):
2393         (JSC::JIT::emitSlow_op_unsigned):
2394         (JSC::JIT::emitSlow_op_inc):
2395         (JSC::JIT::emitSlow_op_dec):
2396         (JSC::JIT::emitSlow_op_mod):
2397         * jit/JITCall.cpp:
2398         (JSC::JIT::compileCallEvalSlowCase):
2399         (JSC::JIT::compileOpCallSlowCase):
2400         * jit/JITCall32_64.cpp:
2401         (JSC::JIT::compileCallEvalSlowCase):
2402         (JSC::JIT::compileOpCallSlowCase):
2403         * jit/JITInlines.h:
2404         (JSC::JIT::linkAllSlowCasesForBytecodeOffset):
2405         * jit/JITOpcodes.cpp:
2406         (JSC::JIT::emitSlow_op_new_object):
2407         (JSC::JIT::emitSlow_op_create_this):
2408         (JSC::JIT::emitSlow_op_check_tdz):
2409         (JSC::JIT::emitSlow_op_to_this):
2410         (JSC::JIT::emitSlow_op_to_primitive):
2411         (JSC::JIT::emitSlow_op_not):
2412         (JSC::JIT::emitSlow_op_eq):
2413         (JSC::JIT::emitSlow_op_neq):
2414         (JSC::JIT::emitSlow_op_stricteq):
2415         (JSC::JIT::emitSlow_op_nstricteq):
2416         (JSC::JIT::emitSlow_op_instanceof):
2417         (JSC::JIT::emitSlow_op_instanceof_custom):
2418         (JSC::JIT::emitSlow_op_to_number):
2419         (JSC::JIT::emitSlow_op_to_string):
2420         (JSC::JIT::emitSlow_op_loop_hint):
2421         (JSC::JIT::emitSlow_op_check_traps):
2422         (JSC::JIT::emitSlow_op_has_indexed_property):
2423         (JSC::JIT::emitSlow_op_get_direct_pname):
2424         (JSC::JIT::emitSlow_op_has_structure_property):
2425         * jit/JITOpcodes32_64.cpp:
2426         (JSC::JIT::emitSlow_op_new_object):
2427         (JSC::JIT::emitSlow_op_instanceof):
2428         (JSC::JIT::emitSlow_op_instanceof_custom):
2429         (JSC::JIT::emitSlow_op_to_primitive):
2430         (JSC::JIT::emitSlow_op_not):
2431         (JSC::JIT::emitSlow_op_stricteq):
2432         (JSC::JIT::emitSlow_op_nstricteq):
2433         (JSC::JIT::emitSlow_op_to_number):
2434         (JSC::JIT::emitSlow_op_to_string):
2435         (JSC::JIT::emitSlow_op_create_this):
2436         (JSC::JIT::emitSlow_op_to_this):
2437         (JSC::JIT::emitSlow_op_check_tdz):
2438         (JSC::JIT::emitSlow_op_has_indexed_property):
2439         (JSC::JIT::emitSlow_op_get_direct_pname):
2440         * jit/JITPropertyAccess.cpp:
2441         (JSC::JIT::emitSlow_op_try_get_by_id):
2442         (JSC::JIT::emitSlow_op_get_by_id):
2443         (JSC::JIT::emitSlow_op_get_by_id_with_this):
2444         (JSC::JIT::emitSlow_op_put_by_id):
2445         (JSC::JIT::emitSlow_op_resolve_scope):
2446         (JSC::JIT::emitSlow_op_get_from_scope):
2447         (JSC::JIT::emitSlow_op_put_to_scope):
2448         * jit/JITPropertyAccess32_64.cpp:
2449         (JSC::JIT::emitSlow_op_try_get_by_id):
2450         (JSC::JIT::emitSlow_op_get_by_id):
2451         (JSC::JIT::emitSlow_op_get_by_id_with_this):
2452         (JSC::JIT::emitSlow_op_put_by_id):
2453         (JSC::JIT::emitSlow_op_resolve_scope):
2454         (JSC::JIT::emitSlow_op_get_from_scope):
2455         (JSC::JIT::emitSlow_op_put_to_scope):
2456
2457 2017-10-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2458
2459         [JSC] Clean up baseline slow path
2460         https://bugs.webkit.org/show_bug.cgi?id=178646
2461
2462         Reviewed by Saam Barati.
2463
2464         If the given op is just calling a slow path function, we should use DEFINE_SLOW_OP instead.
2465         It is good since (1) we can reduce the manually emitted code and (2) it can clarify which
2466         function is implemented as a slow path call. This patch is an attempt to reduce 32bit specific
2467         code in baseline JIT.
2468
2469         * jit/JIT.cpp:
2470         (JSC::JIT::privateCompileMainPass):
2471         * jit/JIT.h:
2472         * jit/JITArithmetic.cpp:
2473         (JSC::JIT::emit_op_pow): Deleted.
2474         * jit/JITArithmetic32_64.cpp:
2475         (JSC::JIT::emitSlow_op_mod):
2476         * jit/JITOpcodes.cpp:
2477         (JSC::JIT::emit_op_strcat): Deleted.
2478         (JSC::JIT::emit_op_push_with_scope): Deleted.
2479         (JSC::JIT::emit_op_assert): Deleted.
2480         (JSC::JIT::emit_op_create_lexical_environment): Deleted.
2481         (JSC::JIT::emit_op_throw_static_error): Deleted.
2482         (JSC::JIT::emit_op_new_array_with_spread): Deleted.
2483         (JSC::JIT::emit_op_spread): Deleted.
2484         (JSC::JIT::emit_op_get_enumerable_length): Deleted.
2485         (JSC::JIT::emit_op_has_generic_property): Deleted.
2486         (JSC::JIT::emit_op_get_property_enumerator): Deleted.
2487         (JSC::JIT::emit_op_to_index_string): Deleted.
2488         (JSC::JIT::emit_op_create_direct_arguments): Deleted.
2489         (JSC::JIT::emit_op_create_scoped_arguments): Deleted.
2490         (JSC::JIT::emit_op_create_cloned_arguments): Deleted.
2491         (JSC::JIT::emit_op_create_rest): Deleted.
2492         (JSC::JIT::emit_op_unreachable): Deleted.
2493         * jit/JITOpcodes32_64.cpp:
2494         (JSC::JIT::emit_op_strcat): Deleted.
2495         (JSC::JIT::emit_op_push_with_scope): Deleted.
2496         (JSC::JIT::emit_op_assert): Deleted.
2497         (JSC::JIT::emit_op_create_lexical_environment): Deleted.
2498         * jit/JITPropertyAccess.cpp:
2499         (JSC::JIT::emit_op_put_by_val_with_this): Deleted.
2500         (JSC::JIT::emit_op_get_by_val_with_this): Deleted.
2501         (JSC::JIT::emit_op_put_by_id_with_this): Deleted.
2502         (JSC::JIT::emit_op_resolve_scope_for_hoisting_func_decl_in_eval): Deleted.
2503         (JSC::JIT::emit_op_define_data_property): Deleted.
2504         (JSC::JIT::emit_op_define_accessor_property): Deleted.
2505         * jit/JITPropertyAccess32_64.cpp:
2506         (JSC::JIT::emit_op_resolve_scope_for_hoisting_func_decl_in_eval): Deleted.
2507         (JSC::JIT::emit_op_get_by_val_with_this): Deleted.
2508         (JSC::JIT::emit_op_put_by_id_with_this): Deleted.
2509         (JSC::JIT::emit_op_put_by_val_with_this): Deleted.
2510
2511 2017-10-21  Joseph Pecoraro  <pecoraro@apple.com>
2512
2513         Web Inspector: Remove unused Console.setMonitoringXHREnabled
2514         https://bugs.webkit.org/show_bug.cgi?id=178617
2515
2516         Reviewed by Sam Weinig.
2517
2518         * JavaScriptCore.xcodeproj/project.pbxproj:
2519         * Sources.txt:
2520         * inspector/agents/InspectorConsoleAgent.h:
2521         * inspector/agents/JSGlobalObjectConsoleAgent.cpp: Removed.
2522         * inspector/agents/JSGlobalObjectConsoleAgent.h: Removed.
2523         * inspector/protocol/Console.json:
2524         Removed files and method.
2525
2526         * inspector/JSGlobalObjectInspectorController.cpp:
2527         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2528         This can use the base ConsoleAgent now.
2529
2530 2017-10-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2531
2532         [JSC] Remove per-host-function CTI stub in 32bit environment
2533         https://bugs.webkit.org/show_bug.cgi?id=178581
2534
2535         Reviewed by Saam Barati.
2536
2537         JIT::privateCompileCTINativeCall only exists in 32bit environment and it is almost the same as the native call CTI stub.
2538         The only difference is that it embeds the address of the host function directly in the generated stub. This means
2539         that we have per-host-function CTI stub only in 32bit environment.
2540
2541         This patch just removes it and uses one CTI stub instead. This design is the same as the current 64bit implementation.
2542
2543         * jit/JIT.cpp:
2544         (JSC::JIT::compileCTINativeCall): Deleted.
2545         * jit/JIT.h:
2546         * jit/JITOpcodes.cpp:
2547         (JSC::JIT::privateCompileCTINativeCall): Deleted.
2548         * jit/JITOpcodes32_64.cpp:
2549         (JSC::JIT::privateCompileCTINativeCall): Deleted.
2550         * jit/JITThunks.cpp:
2551         (JSC::JITThunks::hostFunctionStub):
2552
2553 2017-10-20  Antoine Quint  <graouts@apple.com>
2554
2555         [Web Animations] Provide basic timeline and animation interfaces
2556         https://bugs.webkit.org/show_bug.cgi?id=178526
2557
2558         Reviewed by Dean Jackson.
2559
2560         Remove the WEB_ANIMATIONS compile-time flag.
2561
2562         * Configurations/FeatureDefines.xcconfig:
2563
2564 2017-10-20  Commit Queue  <commit-queue@webkit.org>
2565
2566         Unreviewed, rolling out r223744, r223750, and r223751.
2567         https://bugs.webkit.org/show_bug.cgi?id=178594
2568
2569         These caused consistent failures in tests that existed and were
2570         added in the patches. (Requested by mlewis13 on #webkit).
2571
2572         Reverted changesets:
2573
2574         "[JSC] ScriptFetcher should be notified directly from module
2575         pipeline"
2576         https://bugs.webkit.org/show_bug.cgi?id=178340
2577         https://trac.webkit.org/changeset/223744
2578
2579         "Unreviewed, fix changed line number in test expect files"
2580         https://bugs.webkit.org/show_bug.cgi?id=178340
2581         https://trac.webkit.org/changeset/223750
2582
2583         "Unreviewed, follow up to reflect comments"
2584         https://bugs.webkit.org/show_bug.cgi?id=178340
2585         https://trac.webkit.org/changeset/223751
2586
2587 2017-10-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2588
2589         Unreviewed, follow up to reflect comments
2590         https://bugs.webkit.org/show_bug.cgi?id=178340
2591
2592         * runtime/JSModuleLoader.cpp:
2593         (JSC::JSModuleLoader::notifyCompleted):
2594
2595 2017-10-20  Saam Barati  <sbarati@apple.com>
2596
2597         Optimize accesses to how we get the direct prototype
2598         https://bugs.webkit.org/show_bug.cgi?id=178548
2599
2600         Reviewed by Yusuke Suzuki.
2601
2602         This patch makes JSObject::getPrototypeDirect take VM& as a parameter
2603         so it can use the faster version of the structure accessor function.
2604         The reason for making this change is that JSObject::getPrototypeDirect
2605         is called on the hot path in property lookup.
2606
2607         * API/JSObjectRef.cpp:
2608         (JSObjectGetPrototype):
2609         * jsc.cpp:
2610         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
2611         (WTF::DOMJITGetterBaseJSObject::customGetter):
2612         (functionCreateProxy):
2613         * runtime/ArrayPrototype.cpp:
2614         (JSC::speciesWatchpointIsValid):
2615         * runtime/ErrorInstance.cpp:
2616         (JSC::ErrorInstance::sanitizedToString):
2617         * runtime/JSArray.cpp:
2618         (JSC::JSArray::isIteratorProtocolFastAndNonObservable):
2619         * runtime/JSGlobalObject.cpp:
2620         (JSC::JSGlobalObject::init):
2621         (JSC::lastInPrototypeChain):
2622         (JSC::JSGlobalObject::resetPrototype):
2623         (JSC::JSGlobalObject::finishCreation):
2624         * runtime/JSGlobalObjectInlines.h:
2625         (JSC::JSGlobalObject::objectPrototypeIsSane):
2626         (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
2627         (JSC::JSGlobalObject::stringPrototypeChainIsSane):
2628         * runtime/JSLexicalEnvironment.cpp:
2629         (JSC::JSLexicalEnvironment::getOwnPropertySlot):
2630         * runtime/JSMap.cpp:
2631         (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
2632         * runtime/JSObject.cpp:
2633         (JSC::JSObject::calculatedClassName):
2634         (JSC::JSObject::setPrototypeWithCycleCheck):
2635         (JSC::JSObject::getPrototype):
2636         (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
2637         (JSC::JSObject::attemptToInterceptPutByIndexOnHole):
2638         (JSC::JSObject::anyObjectInChainMayInterceptIndexedAccesses const):
2639         (JSC::JSObject::prototypeChainMayInterceptStoreTo):
2640         * runtime/JSObject.h:
2641         (JSC::JSObject::finishCreation):
2642         (JSC::JSObject::getPrototypeDirect const):
2643         (JSC::JSObject::getPrototype):
2644         * runtime/JSObjectInlines.h:
2645         (JSC::JSObject::canPerformFastPutInline):
2646         (JSC::JSObject::getPropertySlot):
2647         (JSC::JSObject::getNonIndexPropertySlot):
2648         * runtime/JSProxy.cpp:
2649         (JSC::JSProxy::setTarget):
2650         * runtime/JSSet.cpp:
2651         (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
2652         * runtime/ProgramExecutable.cpp:
2653         (JSC::ProgramExecutable::initializeGlobalProperties):
2654         * runtime/StructureInlines.h:
2655         (JSC::Structure::isValid const):
2656
2657 2017-10-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2658
2659         [ARM64] static_cast<int32_t>() in BinaryOpNode::emitBytecode() prevents op_unsigned emission
2660         https://bugs.webkit.org/show_bug.cgi?id=178379
2661
2662         Reviewed by Saam Barati.
2663
2664         We reuse jsNumber's checking mechanism here to precisely check that the generated number is within uint32_t
2665         in the bytecode compiler. This is reasonable since the NumberNode will generate exactly this JSValue.
2666
2667         * bytecompiler/NodesCodegen.cpp:
2668         (JSC::BinaryOpNode::emitBytecode):
2669
2670 2017-10-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2671
2672         [JSC] ScriptFetcher should be notified directly from module pipeline
2673         https://bugs.webkit.org/show_bug.cgi?id=178340
2674
2675         Reviewed by Sam Weinig.
2676
2677         Previously, we used JSStdFunction to inform WebCore of the module pipeline results.
2678         We set up the JSStdFunction on the resulting promise of the module pipeline. It is super
2679         ad-hoc since JSStdFunction's lambda needs extra care to avoid reference cycles.
2680         JSStdFunction's lambda can capture variables, but they cannot be marked by the GC.
2681
2682         But now we have ScriptFetcher. It was introduced after we implemented the module pipeline
2683         notification mechanism using JSStdFunction, but it is the appropriate one to receive notifications
2684         from the module pipeline in observer style.
2685
2686         This patch removes the above ad-hoc JSStdFunction use. Now ScriptFetcher receives
2687         completion/failure notifications from the module pipeline.
2688
2689         * builtins/ModuleLoaderPrototype.js:
2690         (loadModule):
2691         (loadAndEvaluateModule):
2692         * runtime/Completion.cpp:
2693         (JSC::loadModule):
2694         * runtime/Completion.h:
2695         * runtime/JSModuleLoader.cpp:
2696         (JSC::jsValueToModuleKey):
2697         (JSC::JSModuleLoader::notifyCompleted):
2698         (JSC::JSModuleLoader::notifyFailed):
2699         * runtime/JSModuleLoader.h:
2700         * runtime/ModuleLoaderPrototype.cpp:
2701         (JSC::moduleLoaderPrototypeNotifyCompleted):
2702         (JSC::moduleLoaderPrototypeNotifyFailed):
2703         * runtime/ScriptFetcher.h:
2704         (JSC::ScriptFetcher::notifyLoadCompleted):
2705         (JSC::ScriptFetcher::notifyLoadFailed):
2706
2707 2017-10-19  JF Bastien  <jfbastien@apple.com>
2708
2709         WebAssembly: no VM / JS version of everything but Instance
2710         https://bugs.webkit.org/show_bug.cgi?id=177473
2711
2712         Reviewed by Filip Pizlo, Saam Barati.
2713
2714         This change entails cleaning up and splitting a bunch of code which we had
2715         intertwined between C++ classes which represent JS objects, and pure C++
2716         implementation objects. This specific change goes most of the way towards
2717         allowing JSC's WebAssembly to work without VM / JS, up to but excluding
2718         JSWebAssemblyInstance (there's Wasm::Instance, but it's not *the* thing
2719         yet). Because of this we still have a few FIXME identifying places that need to
2720         change. A follow-up change will go the rest of the way.
2721
2722         I went about this change in the simplest way possible: grep the
2723         JavaScriptCore/wasm directory for "JS[^C_]" as well as "VM" and exclude the /js/
2724         sub-directory (which contains the JS implementation of WebAssembly).
2725
2726         None of this change removes the need for a JIT entitlement to be able to use
2727         WebAssembly. We don't have an interpreter, so the process still needs to
2728         be allowed to JIT to use these pure-C++ APIs.
2729
2730         Interesting things to note:
2731
2732           - Remove VM from Plan and associated places. It can just live as a capture in
2733             the callback lambda if it's needed.
2734           - Wasm::Memory shouldn't require a VM. It was only used to ask the GC to
2735             collect. We now instead pass two lambdas at construction time for this
2736             purpose: one to notify of memory pressure, and the other to ask for
2737             synchronous memory reclamation. This allows whoever creates the memory to
2738             dictate how to react to both these cases, and for a JS embedding that's to
2739             call the GC (async or sync, respectively).
2740           - Move grow logic from JSWebAssemblyMemory to Wasm::Memory::grow. Use Expected
2741             there, with an enum class for failure types.
2742           - Exceeding max on memory growth now returns a range error as per spec. This
2743             is a (very minor) breaking change: it used to throw OOM error. Update the
2744             corresponding test.
2745           - When generating the grow_memory opcode, no need to get the VM. Instead,
2746             reach directly for Wasm::Memory and grow it.
2747           - JSWebAssemblyMemory::grow can now always throw on failure, because it's only
2748             ever called from JS (not from grow_memory as before).
2749           - Wasm::Memory now takes a callback for successful growth. This allows JS
2750             wrappers to register themselves when growth succeeds without Wasm::Memory
2751             knowing anything about JS. It'll also allow creating a list of callbacks
2752             for when we add thread support (we'll want to notify many wrappers, all
2753             under a lock).
2754           - Wasm::Memory is now back to being the source of truth about address / size,
2755             used directly by generated code instead of JSWebAssemblyMemory.
2756           - Move wasmToJS from the general WasmBinding header to its own header under
2757             wasm/js. It's only used by wasm/js/JSWebAssemblyCodeBlock.cpp, and uses VM,
2758             and therefore isn't general WebAssembly.
2759           - Make Wasm::Context an actual type (just a struct holding a
2760             JSWebAssemblyInstance for now) instead of an alias for that. Notably this
2761             doesn't add anything to the Context and doesn't change what actually gets
2762             passed around in JIT code (fast TLS or registers) because these changes
2763             potentially impact performance. The entire purpose of this change is to
2764             allow passing Wasm::Context around without having to know about VM. Since VM
2765             contains a Wasm::Context the JS embedding is effectively the same, but with
2766             this setup a non-JS embedding is much better off.
2767           - Move JSWebAssembly into the JS folder.
2768           - OMGPlan: use Wasm::CodeBlock directly instead of JSWebAssemblyCodeBlock.
2769           - wasm->JS stubs are now on the instance's tail as raw pointers, instead of
2770             being on JSWebAssemblyCodeBlock, and are now called wasm->Embedder
2771             stubs. The owned reference is still on JSWebAssemblyCodeBlock, and is still
2772             called wasm->JS stub. This move means that the embedder must, after creating
2773             a Wasm::CodeBlock, somehow create the stubs to call back into the
2774             embedder. This removes an indirection in the generated code because
2775             the B3 IR generator now reaches into the instance instead of
2776             JSWebAssemblyCodeBlock.
2777           - Move more CodeBlock things. Compilation completion is now marked by its own
2778             atomic<bool> flag instead of a nullptr plan: that required using a lock, and
2779             was causing a deadlock in stack-trace.js because before my changes
2780             JSWebAssemblyCodeBlock did its own completion checking separately from
2781             Wasm::CodeBlock, without getting the lock. Now that everything points to
2782             Wasm::CodeBlock and there's no cached completion marker, the lock was being
2783             acquired in a sanity-check assertion.
2784           - Embedder -> Wasm wrappers are now generated through a function that's passed
2785             in at compilation time, instead of being hard-coded as a JS -> Wasm wrapper.
2786           - WasmMemory doesn't need to know about fault handling thunks. Only the IR
2787             generator should know, and should make sure that the exception throwing
2788             thunk is generated if any memory is present (note: with signal handling not
2789             all of them generate an exception check).
2790           - Make exception throwing pluggable: instead of having a hard-coded
2791             JS-specific lambda we now have a regular C++ function being called from JIT
2792             code when a WebAssembly exception is thrown. This allows any embedder to get
2793             called as they wish. For now a process can only have a single of these
2794             functions (i.e. only one embedder per process) because the trap handler is a
2795             singleton. That can be fixed in #177475.
2796           - Create WasmEmbedder.h where all embedder plugging will live.
2797           - Split up JSWebAssemblyTable into Wasm::Table which is
2798             refcounted. JSWebAssemblyTable now only contains the JS functions in the
2799             table, and Wasm::Table is what's used by the JIT code to lookup where to
2800             call and do the instance check (for context switch). Note that this creates
2801             an extra allocation for all the instances in Wasm::Table, and in exchange
2802             removes an indirection in JIT code because the instance used to be obtained
2803             off of the JS function. Also note that it's the embedder that keeps the
2804             instances alive, not Wasm::Table (which holds a dumb pointer to the
2805             instance), because doing otherwise would cause reference cycles.
2806           - Add WasmInstance. It doesn't do much for now, owns globals.
2807           - JSWebAssembly instance now doesn't just contain the imported functions as
2808             JSObjects, it also has the corresponding import's instance and wasm
2809             entrypoint. This triples the space allocated per instance's imported
2810             function, but there shouldn't be that many imports. This has two upsides: it
2811             creates smaller and faster code, and makes it easier to disassociate
2812             embedder-specific things from embedder-neutral things. The smaller / faster
2813             win is in two places: B3 IR generator only needs offsetOfImportFunction for
2814             the call opcode (when the called index is an import) to know whether the
2815             import is wasm->wasm or wasm->embedder (this isn't known at compile-time
2816             because it's dependent on the import object), this is now done by seeing if
2817             that import function has an associated target instance (only wasm->wasm
2818             does); the other place is wasmBinding which uses offsetOfImportFunction to
2819             figure out the wasm->wasm target instance, and then gets
2820             WebAssemblyFunction::offsetOfWasmEntrypointLoadLocation to do a tail
2821             call. The disassociation comes because the target instance can be
2822             Wasm::Instance once we change what the Context is, and
2823             WasmEntrypointLoadLocation is already embedder-independent. As a next step I
2824             can move this tail allocation from JSWebAssemblyInstance to Wasm::Instance,
2825             and leave importFunction in as an opaque pointer which is embedder-specific,
2826             and in JS will remain WriteBarrier<JSObject>.
2827           - Rename VMEntryFrame to EntryFrame, and in many places pass a pointer to it
2828             around instead of VM. This is a first step in allowing entry frames which
2829             aren't stored on VM, but which are instead stored in an embedder-specific
2830             location. That change won't really affect JS except through code churn, but
2831             will allow WebAssembly to use some machinery in a generic manner without
2832             having a VM.
2833
2834         * JavaScriptCore.xcodeproj/project.pbxproj:
2835         * Sources.txt:
2836         * bytecode/PolymorphicAccess.cpp:
2837         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
2838         * debugger/Debugger.cpp:
2839         (JSC::Debugger::stepOutOfFunction):
2840         (JSC::Debugger::returnEvent):
2841         (JSC::Debugger::unwindEvent):
2842         (JSC::Debugger::didExecuteProgram):
2843         * dfg/DFGJITCompiler.cpp:
2844         (JSC::DFG::JITCompiler::compileExceptionHandlers):
2845         * dfg/DFGOSREntry.cpp:
2846         (JSC::DFG::prepareOSREntry):
2847         * dfg/DFGOSRExit.cpp:
2848         (JSC::DFG::OSRExit::compileOSRExit):
2849         (JSC::DFG::OSRExit::compileExit):
2850         * dfg/DFGThunks.cpp:
2851         (JSC::DFG::osrEntryThunkGenerator):
2852         * ftl/FTLCompile.cpp:
2853         (JSC::FTL::compile):
2854         * ftl/FTLLink.cpp:
2855         (JSC::FTL::link):
2856         * ftl/FTLLowerDFGToB3.cpp:
2857         (JSC::FTL::DFG::LowerDFGToB3::lower):
2858         * ftl/FTLOSRExitCompiler.cpp:
2859         (JSC::FTL::compileStub):
2860         * interpreter/CallFrame.cpp:
2861         (JSC::CallFrame::wasmAwareLexicalGlobalObject):
2862         (JSC::CallFrame::callerFrame):
2863         (JSC::CallFrame::unsafeCallerFrame):
2864         * interpreter/CallFrame.h:
2865         (JSC::ExecState::callerFrame const):
2866         (JSC::ExecState::callerFrameOrEntryFrame const):
2867         (JSC::ExecState::unsafeCallerFrameOrEntryFrame const):
2868         * interpreter/FrameTracers.h:
2869         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
2870         (JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore):
2871         (JSC::NativeCallFrameTracerWithRestore::~NativeCallFrameTracerWithRestore):
2872         * interpreter/Interpreter.cpp:
2873         (JSC::UnwindFunctor::operator() const):
2874         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
2875         (JSC::Interpreter::unwind):
2876         * interpreter/StackVisitor.cpp:
2877         (JSC::StackVisitor::StackVisitor):
2878         (JSC::StackVisitor::gotoNextFrame):
2879         (JSC::StackVisitor::readNonInlinedFrame):
2880         (JSC::StackVisitor::Frame::dump const):
2881         * interpreter/StackVisitor.h:
2882         (JSC::StackVisitor::Frame::callerIsEntryFrame const):
2883         * interpreter/VMEntryRecord.h:
2884         (JSC::VMEntryRecord::prevTopEntryFrame):
2885         (JSC::VMEntryRecord::unsafePrevTopEntryFrame):
2886         (JSC::EntryFrame::vmEntryRecordOffset):
2887         * jit/AssemblyHelpers.cpp:
2888         (JSC::AssemblyHelpers::restoreCalleeSavesFromEntryFrameCalleeSavesBuffer):
2889         (JSC::AssemblyHelpers::loadWasmContextInstance):
2890         (JSC::AssemblyHelpers::storeWasmContextInstance):
2891         (JSC::AssemblyHelpers::loadWasmContextInstanceNeedsMacroScratchRegister):
2892         (JSC::AssemblyHelpers::storeWasmContextInstanceNeedsMacroScratchRegister):
2893         (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBufferImpl):
2894         * jit/AssemblyHelpers.h:
2895         (JSC::AssemblyHelpers::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
2896         (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBuffer):
2897         (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToEntryFrameCalleeSavesBuffer):
2898         * jit/JIT.cpp:
2899         (JSC::JIT::emitEnterOptimizationCheck):
2900         (JSC::JIT::privateCompileExceptionHandlers):
2901         * jit/JITExceptions.cpp:
2902         (JSC::genericUnwind):
2903         * jit/JITOpcodes.cpp:
2904         (JSC::JIT::emit_op_throw):
2905         (JSC::JIT::emit_op_catch):
2906         (JSC::JIT::emitSlow_op_loop_hint):
2907         * jit/JITOpcodes32_64.cpp:
2908         (JSC::JIT::emit_op_throw):
2909         (JSC::JIT::emit_op_catch):
2910         * jit/JITOperations.cpp:
2911         * jit/ThunkGenerators.cpp:
2912         (JSC::throwExceptionFromCallSlowPathGenerator):
2913         (JSC::nativeForGenerator):
2914         * jsc.cpp:
2915         (functionDumpCallFrame):
2916         * llint/LLIntSlowPaths.cpp:
2917         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2918         * llint/LLIntThunks.cpp:
2919         (JSC::vmEntryRecord):
2920         * llint/LowLevelInterpreter.asm:
2921         * llint/LowLevelInterpreter32_64.asm:
2922         * llint/LowLevelInterpreter64.asm:
2923         * runtime/Options.cpp:
2924         (JSC::recomputeDependentOptions):
2925         * runtime/Options.h:
2926         * runtime/SamplingProfiler.cpp:
2927         (JSC::FrameWalker::FrameWalker):
2928         (JSC::FrameWalker::advanceToParentFrame):
2929         (JSC::SamplingProfiler::processUnverifiedStackTraces):
2930         * runtime/ThrowScope.cpp:
2931         (JSC::ThrowScope::~ThrowScope):
2932         * runtime/VM.cpp:
2933         (JSC::VM::VM):
2934         (JSC::VM::~VM):
2935         * runtime/VM.h:
2936         (JSC::VM::topEntryFrameOffset):
2937         * runtime/VMTraps.cpp:
2938         (JSC::isSaneFrame):
2939         (JSC::VMTraps::tryInstallTrapBreakpoints):
2940         (JSC::VMTraps::invalidateCodeBlocksOnStack):
2941         * wasm/WasmB3IRGenerator.cpp:
2942         (JSC::Wasm::B3IRGenerator::restoreWasmContextInstance):
2943         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2944         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
2945         (JSC::Wasm::B3IRGenerator::addGrowMemory):
2946         (JSC::Wasm::B3IRGenerator::addCurrentMemory):
2947         (JSC::Wasm::B3IRGenerator::addCall):
2948         (JSC::Wasm::B3IRGenerator::addCallIndirect):
2949         (JSC::Wasm::parseAndCompile):
2950         * wasm/WasmB3IRGenerator.h:
2951         * wasm/WasmBBQPlan.cpp:
2952         (JSC::Wasm::BBQPlan::BBQPlan):
2953         (JSC::Wasm::BBQPlan::compileFunctions):
2954         (JSC::Wasm::BBQPlan::complete):
2955         * wasm/WasmBBQPlan.h:
2956         * wasm/WasmBBQPlanInlines.h:
2957         (JSC::Wasm::BBQPlan::initializeCallees):
2958         * wasm/WasmBinding.cpp:
2959         (JSC::Wasm::wasmToWasm):
2960         * wasm/WasmBinding.h:
2961         * wasm/WasmCodeBlock.cpp:
2962         (JSC::Wasm::CodeBlock::create):
2963         (JSC::Wasm::CodeBlock::CodeBlock):
2964         (JSC::Wasm::CodeBlock::compileAsync):
2965         (JSC::Wasm::CodeBlock::setCompilationFinished):
2966         * wasm/WasmCodeBlock.h:
2967         (JSC::Wasm::CodeBlock::offsetOfImportStubs):
2968         (JSC::Wasm::CodeBlock::allocationSize):
2969         (JSC::Wasm::CodeBlock::importWasmToEmbedderStub):
2970         (JSC::Wasm::CodeBlock::offsetOfImportWasmToEmbedderStub):
2971         (JSC::Wasm::CodeBlock::wasmToJSCallStubForImport):
2972         (JSC::Wasm::CodeBlock::compilationFinished):
2973         (JSC::Wasm::CodeBlock::jsEntrypointCalleeFromFunctionIndexSpace):
2974         (JSC::Wasm::CodeBlock::wasmEntrypointCalleeFromFunctionIndexSpace):
2975         * wasm/WasmContext.cpp:
2976         (JSC::Wasm::Context::useFastTLS):
2977         (JSC::Wasm::Context::load const):
2978         (JSC::Wasm::Context::store):
2979         * wasm/WasmContext.h:
2980         * wasm/WasmEmbedder.h: Copied from Source/JavaScriptCore/wasm/WasmContext.h.
2981         * wasm/WasmFaultSignalHandler.cpp:
2982         * wasm/WasmFaultSignalHandler.h:
2983         * wasm/WasmFormat.h:
2984         * wasm/WasmInstance.cpp: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h.
2985         (JSC::Wasm::Instance::Instance):
2986         (JSC::Wasm::Instance::~Instance):
2987         (JSC::Wasm::Instance::extraMemoryAllocated const):
2988         * wasm/WasmInstance.h: Added.
2989         (JSC::Wasm::Instance::create):
2990         (JSC::Wasm::Instance::finalizeCreation):
2991         (JSC::Wasm::Instance::module):
2992         (JSC::Wasm::Instance::codeBlock):
2993         (JSC::Wasm::Instance::memory):
2994         (JSC::Wasm::Instance::table):
2995         (JSC::Wasm::Instance::loadI32Global const):
2996         (JSC::Wasm::Instance::loadI64Global const):
2997         (JSC::Wasm::Instance::loadF32Global const):
2998         (JSC::Wasm::Instance::loadF64Global const):
2999         (JSC::Wasm::Instance::setGlobal):
3000         (JSC::Wasm::Instance::offsetOfCachedStackLimit):
3001         (JSC::Wasm::Instance::cachedStackLimit const):
3002         (JSC::Wasm::Instance::setCachedStackLimit):
3003         * wasm/WasmMemory.cpp:
3004         (JSC::Wasm::Memory::Memory):
3005         (JSC::Wasm::Memory::create):
3006         (JSC::Wasm::Memory::~Memory):
3007         (JSC::Wasm::Memory::grow):
3008         * wasm/WasmMemory.h:
3009         (JSC::Wasm::Memory::offsetOfMemory):
3010         (JSC::Wasm::Memory::offsetOfSize):
3011         * wasm/WasmMemoryInformation.cpp:
3012         (JSC::Wasm::PinnedRegisterInfo::get):
3013         (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
3014         * wasm/WasmMemoryInformation.h:
3015         (JSC::Wasm::PinnedRegisterInfo::toSave const):
3016         * wasm/WasmMemoryMode.cpp: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h.
3017         (JSC::Wasm::makeString):
3018         * wasm/WasmMemoryMode.h: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h.
3019         * wasm/WasmModule.cpp:
3020         (JSC::Wasm::makeValidationCallback):
3021         (JSC::Wasm::Module::validateSync):
3022         (JSC::Wasm::Module::validateAsync):
3023         (JSC::Wasm::Module::getOrCreateCodeBlock):
3024         (JSC::Wasm::Module::compileSync):
3025         (JSC::Wasm::Module::compileAsync):
3026         * wasm/WasmModule.h:
3027         * wasm/WasmModuleParser.cpp:
3028         (JSC::Wasm::ModuleParser::parseTableHelper):
3029         * wasm/WasmOMGPlan.cpp:
3030         (JSC::Wasm::OMGPlan::OMGPlan):
3031         (JSC::Wasm::OMGPlan::runForIndex):
3032         * wasm/WasmOMGPlan.h:
3033         * wasm/WasmPageCount.h:
3034         (JSC::Wasm::PageCount::isValid const):
3035         * wasm/WasmPlan.cpp:
3036         (JSC::Wasm::Plan::Plan):
3037         (JSC::Wasm::Plan::runCompletionTasks):
3038         (JSC::Wasm::Plan::addCompletionTask):
3039         (JSC::Wasm::Plan::tryRemoveContextAndCancelIfLast):
3040         * wasm/WasmPlan.h:
3041         (JSC::Wasm::Plan::dontFinalize):
3042         * wasm/WasmSignature.cpp:
3043         * wasm/WasmSignature.h:
3044         * wasm/WasmTable.cpp: Added.
3045         (JSC::Wasm::Table::create):
3046         (JSC::Wasm::Table::~Table):
3047         (JSC::Wasm::Table::Table):
3048         (JSC::Wasm::Table::grow):
3049         (JSC::Wasm::Table::clearFunction):
3050         (JSC::Wasm::Table::setFunction):
3051         * wasm/WasmTable.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.h.
3052         (JSC::Wasm::Table::maximum const):
3053         (JSC::Wasm::Table::size const):
3054         (JSC::Wasm::Table::offsetOfSize):
3055         (JSC::Wasm::Table::offsetOfFunctions):
3056         (JSC::Wasm::Table::offsetOfInstances):
3057         (JSC::Wasm::Table::isValidSize):
3058         * wasm/WasmThunks.cpp:
3059         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
3060         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
3061         (JSC::Wasm::Thunks::setThrowWasmException):
3062         (JSC::Wasm::Thunks::throwWasmException):
3063         * wasm/WasmThunks.h:
3064         * wasm/WasmWorklist.cpp:
3065         (JSC::Wasm::Worklist::stopAllPlansForContext):
3066         * wasm/WasmWorklist.h:
3067         * wasm/js/JSToWasm.cpp: Added.
3068         (JSC::Wasm::createJSToWasmWrapper):
3069         * wasm/js/JSToWasm.h: Copied from Source/JavaScriptCore/wasm/WasmBinding.h.
3070         * wasm/js/JSWebAssembly.cpp: Renamed from Source/JavaScriptCore/wasm/JSWebAssembly.cpp.
3071         * wasm/js/JSWebAssembly.h: Renamed from Source/JavaScriptCore/wasm/JSWebAssembly.h.
3072         * wasm/js/JSWebAssemblyCodeBlock.cpp:
3073         (JSC::JSWebAssemblyCodeBlock::create):
3074         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
3075         * wasm/js/JSWebAssemblyCodeBlock.h:
3076         * wasm/js/JSWebAssemblyInstance.cpp:
3077         (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
3078         (JSC::JSWebAssemblyInstance::finishCreation):
3079         (JSC::JSWebAssemblyInstance::visitChildren):
3080         (JSC::JSWebAssemblyInstance::finalizeCreation):
3081         (JSC::JSWebAssemblyInstance::create):
3082         * wasm/js/JSWebAssemblyInstance.h:
3083         (JSC::JSWebAssemblyInstance::instance):
3084         (JSC::JSWebAssemblyInstance::context const):
3085         (JSC::JSWebAssemblyInstance::table):
3086         (JSC::JSWebAssemblyInstance::webAssemblyToJSCallee):
3087         (JSC::JSWebAssemblyInstance::setMemory):
3088         (JSC::JSWebAssemblyInstance::offsetOfTail):
3089         (JSC::JSWebAssemblyInstance::importFunctionInfo):
3090         (JSC::JSWebAssemblyInstance::offsetOfTargetInstance):
3091         (JSC::JSWebAssemblyInstance::offsetOfWasmEntrypoint):
3092         (JSC::JSWebAssemblyInstance::offsetOfImportFunction):
3093         (JSC::JSWebAssemblyInstance::importFunction):
3094         (JSC::JSWebAssemblyInstance::internalMemory):
3095         (JSC::JSWebAssemblyInstance::wasmCodeBlock const):
3096         (JSC::JSWebAssemblyInstance::offsetOfWasmTable):
3097         (JSC::JSWebAssemblyInstance::offsetOfCallee):
3098         (JSC::JSWebAssemblyInstance::offsetOfGlobals):
3099         (JSC::JSWebAssemblyInstance::offsetOfWasmCodeBlock):
3100         (JSC::JSWebAssemblyInstance::offsetOfWasmMemory):
3101         (JSC::JSWebAssemblyInstance::cachedStackLimit const):
3102         (JSC::JSWebAssemblyInstance::setCachedStackLimit):
3103         (JSC::JSWebAssemblyInstance::wasmMemory):
3104         (JSC::JSWebAssemblyInstance::wasmModule):
3105         (JSC::JSWebAssemblyInstance::allocationSize):
3106         (JSC::JSWebAssemblyInstance::module const):
3107         * wasm/js/JSWebAssemblyMemory.cpp:
3108         (JSC::JSWebAssemblyMemory::create):
3109         (JSC::JSWebAssemblyMemory::adopt):
3110         (JSC::JSWebAssemblyMemory::JSWebAssemblyMemory):
3111         (JSC::JSWebAssemblyMemory::grow):
3112         (JSC::JSWebAssemblyMemory::growSuccessCallback):
3113         * wasm/js/JSWebAssemblyMemory.h:
3114         * wasm/js/JSWebAssemblyModule.cpp:
3115         (JSC::JSWebAssemblyModule::moduleInformation const):
3116         (JSC::JSWebAssemblyModule::exportSymbolTable const):
3117         (JSC::JSWebAssemblyModule::signatureIndexFromFunctionIndexSpace const):
3118         (JSC::JSWebAssemblyModule::callee const):
3119         (JSC::JSWebAssemblyModule::codeBlock):
3120         (JSC::JSWebAssemblyModule::module):
3121         * wasm/js/JSWebAssemblyModule.h:
3122         * wasm/js/JSWebAssemblyTable.cpp:
3123         (JSC::JSWebAssemblyTable::create):
3124         (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
3125         (JSC::JSWebAssemblyTable::visitChildren):
3126         (JSC::JSWebAssemblyTable::grow):
3127         (JSC::JSWebAssemblyTable::getFunction):
3128         (JSC::JSWebAssemblyTable::clearFunction):
3129         (JSC::JSWebAssemblyTable::setFunction):
3130         * wasm/js/JSWebAssemblyTable.h:
3131         (JSC::JSWebAssemblyTable::isValidSize):
3132         (JSC::JSWebAssemblyTable::maximum const):
3133         (JSC::JSWebAssemblyTable::size const):
3134         (JSC::JSWebAssemblyTable::table):
3135         * wasm/js/WasmToJS.cpp: Copied from Source/JavaScriptCore/wasm/WasmBinding.cpp.
3136         (JSC::Wasm::materializeImportJSCell):
3137         (JSC::Wasm::wasmToJS):
3138         (JSC::Wasm::wasmToJSException):
3139         * wasm/js/WasmToJS.h: Copied from Source/JavaScriptCore/wasm/WasmBinding.h.
3140         * wasm/js/WebAssemblyFunction.cpp:
3141         (JSC::callWebAssemblyFunction):
3142         * wasm/js/WebAssemblyInstanceConstructor.cpp:
3143         (JSC::constructJSWebAssemblyInstance):
3144         * wasm/js/WebAssemblyMemoryConstructor.cpp:
3145         (JSC::constructJSWebAssemblyMemory):
3146         * wasm/js/WebAssemblyMemoryPrototype.cpp:
3147         (JSC::webAssemblyMemoryProtoFuncGrow):
3148         * wasm/js/WebAssemblyModuleConstructor.cpp:
3149         (JSC::constructJSWebAssemblyModule):
3150         (JSC::WebAssemblyModuleConstructor::createModule):
3151         * wasm/js/WebAssemblyModuleConstructor.h:
3152         * wasm/js/WebAssemblyModuleRecord.cpp:
3153         (JSC::WebAssemblyModuleRecord::link):
3154         (JSC::WebAssemblyModuleRecord::evaluate):
3155         * wasm/js/WebAssemblyPrototype.cpp:
3156         (JSC::webAssemblyCompileFunc):
3157         (JSC::instantiate):
3158         (JSC::compileAndInstantiate):
3159         (JSC::webAssemblyValidateFunc):
3160         * wasm/js/WebAssemblyTableConstructor.cpp:
3161         (JSC::constructJSWebAssemblyTable):
3162         * wasm/js/WebAssemblyWrapperFunction.cpp:
3163         (JSC::WebAssemblyWrapperFunction::create):
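
The entry above moves memory growth into a pure-C++ Wasm::Memory::grow that reports failure through an Expected with an enum class of failure kinds, makes exceeding the declared maximum a range error rather than an OOM error, and notifies registered wrappers through a callback on successful growth. The following is an added illustration of that shape, not WebKit's code: `Memory`, `GrowResult`, `GrowFailReason` and `describeFailure` are hypothetical stand-ins, the page-size and 65536-page ceiling come from the WebAssembly spec, and the example uses a plain `std::vector` in place of the real reserved address space.

```cpp
#include <cstdint>
#include <cstring>
#include <functional>
#include <new>
#include <optional>
#include <utility>
#include <vector>

// WebAssembly memory is measured in 64 KiB pages; a 32-bit address space
// admits at most 65536 of them. Both values are from the spec, the names are ours.
constexpr uint64_t kPageSize = 64 * 1024;
constexpr uint32_t kMaxPages = 65536;

// Hypothetical equivalent of the enum class used with Expected in the real grow.
enum class GrowFailReason { WouldExceedMaximum, OutOfMemory };

// Minimal Expected-like result: the previous page count on success (what the
// grow_memory opcode returns to wasm code), or a failure reason.
struct GrowResult {
    std::optional<uint32_t> oldPages;
    GrowFailReason reason = GrowFailReason::OutOfMemory; // meaningful only when !ok()
    bool ok() const { return oldPages.has_value(); }
};

// How a JS embedder would map the failure kinds to exceptions (illustrative only):
// exceeding the maximum is a RangeError per spec, allocation failure is OOM.
inline const char* describeFailure(GrowFailReason reason)
{
    return reason == GrowFailReason::WouldExceedMaximum ? "RangeError" : "OutOfMemoryError";
}

class Memory {
public:
    using GrowSuccessCallback = std::function<void(uint32_t newPages)>;

    Memory(uint32_t initialPages, std::optional<uint32_t> maximumPages, GrowSuccessCallback onGrowSuccess)
        : m_buffer(static_cast<size_t>(initialPages) * kPageSize, 0)
        , m_pages(initialPages)
        , m_maximum(maximumPages)
        , m_onGrowSuccess(std::move(onGrowSuccess))
    { }

    // Memory is the source of truth for base address and size, as in the entry.
    uint8_t* base() { return m_buffer.data(); }
    size_t sizeInBytes() const { return m_buffer.size(); }
    uint32_t pages() const { return m_pages; }

    GrowResult grow(uint32_t delta)
    {
        // 64-bit arithmetic so `pages + delta` cannot wrap around to a small value.
        const uint64_t newPages = static_cast<uint64_t>(m_pages) + delta;
        const uint64_t limit = m_maximum ? *m_maximum : kMaxPages;
        if (newPages > limit || newPages > kMaxPages)
            return { std::nullopt, GrowFailReason::WouldExceedMaximum };

        // Only after the bounds check do we touch the allocator.
        try {
            std::vector<uint8_t> next(static_cast<size_t>(newPages) * kPageSize, 0);
            if (!m_buffer.empty())
                std::memcpy(next.data(), m_buffer.data(), m_buffer.size());
            m_buffer.swap(next);
        } catch (const std::bad_alloc&) {
            return { std::nullopt, GrowFailReason::OutOfMemory };
        }

        const uint32_t oldPages = m_pages;
        m_pages = static_cast<uint32_t>(newPages);
        // Let wrappers (e.g. a JS memory object) re-read base/size without
        // Memory knowing anything about the embedder.
        if (m_onGrowSuccess)
            m_onGrowSuccess(m_pages);
        return { oldPages, GrowFailReason::OutOfMemory };
    }

private:
    std::vector<uint8_t> m_buffer;
    uint32_t m_pages;
    std::optional<uint32_t> m_maximum;
    GrowSuccessCallback m_onGrowSuccess;
};
```

The two checks that matter are the widened addition and the comparison against both the instance's own maximum and the spec ceiling: a caller passing a delta close to `UINT32_MAX` is rejected before any allocation is attempted, and a memory declared with a maximum cannot be grown past it regardless of how much RAM is available.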
3164
3165 2017-10-19  Mark Lam  <mark.lam@apple.com>
3166
3167         Stringifier::appendStringifiedValue() is missing an exception check.
3168         https://bugs.webkit.org/show_bug.cgi?id=178386
3169         <rdar://problem/35027610>
3170
3171         Reviewed by Saam Barati.
3172
3173         * runtime/JSONObject.cpp:
3174         (JSC::Stringifier::appendStringifiedValue):
3175
3176 2017-10-19  Saam Barati  <sbarati@apple.com>
3177
3178         REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning: comparison is always false due to limited range of data type [-Wtype-limits]
3179         https://bugs.webkit.org/show_bug.cgi?id=178543
3180
3181         Reviewed by Filip Pizlo.
3182
3183         * dfg/DFGByteCodeParser.cpp:
3184         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
3185
3186 2017-10-19  Saam Barati  <sbarati@apple.com>
3187
3188         re-inline ObjectAllocationProfile::initializeProfile
3189         https://bugs.webkit.org/show_bug.cgi?id=178532
3190
3191         Rubber stamped by Michael Saboff.
3192
3193         I un-inlined this function when implementing poly proto.
3194         This patch re-inlines it. In my testing, it looks like it
3195         might be a 0.5% speedometer progression to inline it.
3196
3197         * JavaScriptCore.xcodeproj/project.pbxproj:
3198         * Sources.txt:
3199         * bytecode/CodeBlock.cpp:
3200         * bytecode/ObjectAllocationProfile.cpp: Removed.
3201         * bytecode/ObjectAllocationProfileInlines.h: Copied from Source/JavaScriptCore/bytecode/ObjectAllocationProfile.cpp.
3202         (JSC::ObjectAllocationProfile::initializeProfile):
3203         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
3204         * runtime/FunctionRareData.cpp:
3205
3206 2017-10-19  Michael Saboff  <msaboff@apple.com>
3207
3208         Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
3209         https://bugs.webkit.org/show_bug.cgi?id=178521
3210
3211         Reviewed by JF Bastien.
3212
3213         * ucd/emoji-data.txt: Replaced with the Unicode Emoji 5.0 version of the file as that is the most recent
3214         standard version.  The prior version was the draft 6.0 version.
3215
3216 2017-10-19  Saam Barati  <sbarati@apple.com>
3217
3218         We should hard code the poly proto offset
3219         https://bugs.webkit.org/show_bug.cgi?id=178531
3220
3221         Reviewed by Filip Pizlo.
3222
3223         This patch embraces that the poly proto offset is always zero. It's already
3224         the case that we would always get the inline offset zero for poly proto just
3225         by construction. This just hardcodes this assumption throughout the codebase.
3226         This appears to be a 1% speedometer progression in my testing.
3227
3228         The downside of this patch is that it may require changing how we do
3229         things when we implement poly proto when inheriting from builtin
3230         types. I think we can face this problem when we decide to implement
3231         that.
3232
3233         * bytecode/AccessCase.cpp:
3234         (JSC::AccessCase::generateWithGuard):
3235         * dfg/DFGOperations.cpp:
3236         * dfg/DFGSpeculativeJIT.cpp:
3237         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
3238         (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
3239         * ftl/FTLLowerDFGToB3.cpp:
3240         (JSC::FTL::DFG::LowerDFGToB3::compileGetPrototypeOf):
3241         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
3242         * jit/JITOpcodes.cpp:
3243         (JSC::JIT::emit_op_instanceof):
3244         * jit/JITOpcodes32_64.cpp:
3245         (JSC::JIT::emit_op_instanceof):
3246         * runtime/CommonSlowPaths.cpp:
3247         (JSC::SLOW_PATH_DECL):
3248         * runtime/JSObject.cpp:
3249         (JSC::JSObject::setPrototypeDirect):
3250         * runtime/JSObject.h:
3251         (JSC::JSObject::locationForOffset const):
3252         (JSC::JSObject::locationForOffset):
3253         (JSC::JSObject::getDirect const):
3254         * runtime/PropertyOffset.h:
3255         * runtime/Structure.cpp:
3256         (JSC::Structure::create):
3257         (JSC::Structure::dump const):
3258         * runtime/Structure.h:
3259         * runtime/StructureInlines.h:
3260         (JSC::Structure::storedPrototype const):
3261         (JSC::Structure::storedPrototypeObject const):
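
        The source-level pattern behind the "poly proto" entries above, as an added example that is not part of any of these WebKit patches: a factory that creates a fresh class on every call, so objects built by the different classes share a field layout but each carries its own prototype. The functions and the sample workload are constructed for this illustration; which of these allocations JSC actually converts to a poly proto Structure is decided by the engine heuristic named in the entries (shouldConvertToPolyProto) and is not observable from script, so the block only checks the semantics that getPrototypeOf and instanceof must preserve whatever the engine does internally.

```javascript
'use strict';
// Added example, not code from the WebKit change. makePoint() returns a new
// class each time it is called, so `new P(...)` for different P produces
// objects of identical shape but with distinct [[Prototype]] values; this is
// the situation the poly proto work in JSC is about.
function makePoint() {
  return class Point {
    constructor(x, y) { this.x = x; this.y = y; }
    norm2() { return this.x * this.x + this.y * this.y; }
  };
}

// Constructed workload: `count` distinct constructors, one instance each.
function buildPoints(count) {
  const classes = [];
  const points = [];
  for (let i = 0; i < count; i++) {
    const P = makePoint();
    classes.push(P);
    points.push(new P(i, i + 1));
  }
  return { classes, points };
}

// Object.getPrototypeOf (compileGetPrototypeOf in the entries above) must
// return each object's own prototype, so every instance sees a different one.
function distinctPrototypeCount(points) {
  return new Set(points.map(p => Object.getPrototypeOf(p))).size;
}

// instanceof (compileInstanceOf / emit_op_instanceof above) must only be true
// for the class that actually constructed the object.
function instanceOfMatrixOk(classes, points) {
  for (let i = 0; i < points.length; i++) {
    for (let j = 0; j < classes.length; j++) {
      if ((points[i] instanceof classes[j]) !== (i === j)) return false;
    }
  }
  return true;
}

// Method lookup through the per-object prototype must also keep working.
function normSum(points) {
  return points.reduce((s, p) => s + p.norm2(), 0);
}
```

        Run this with a large count in a loop to exercise the JIT tiers; the assertions are the kind of behavioural check one would keep beside a change that hardcodes assumptions about where the prototype of such objects lives.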
3262
3263 2017-10-19  Saam Barati  <sbarati@apple.com>
3264
3265         Turn various poly proto RELEASE_ASSERTs into ASSERTs because they're on the hot path in speedometer
3266         https://bugs.webkit.org/show_bug.cgi?id=178529
3267
3268         Reviewed by Mark Lam.
3269
3270         * runtime/Structure.h:
3271         * runtime/StructureInlines.h:
3272         (JSC::Structure::storedPrototypeObject const):
3273         (JSC::Structure::storedPrototypeStructure const):
3274         (JSC::Structure::storedPrototype const):
3275         (JSC::Structure::prototypeForLookup const):
3276         (JSC::Structure::prototypeChain const):
3277
3278 2017-10-19  Saam Barati  <sbarati@apple.com>
3279
3280         Turn poly proto back on by default and remove the option
3281         https://bugs.webkit.org/show_bug.cgi?id=178525
3282
3283         Reviewed by Mark Lam.
3284
3285         I added this option because I thought it'd speed speedometer up because the
3286         original poly proto patch slowed speedometer down. It turns out that
3287         allocating poly proto objects is not what slows speedometer down. It's
3288         other code I added in the runtime that needs to be poly proto aware. I'll
3289         be addressing these in follow up patches.
3290
3291         * runtime/Options.h:
3292         * runtime/StructureInlines.h:
3293         (JSC::Structure::shouldConvertToPolyProto):
3294
3295 2017-10-19  Robin Morisset  <rmorisset@apple.com>
3296
3297         Turn recursive tail calls into loops
3298         https://bugs.webkit.org/show_bug.cgi?id=176601
3299
3300         Reviewed by Saam Barati.
3301
3302         We want to turn recursive tail calls into loops early in the pipeline, so that the loops can then be optimized.
3303         One difficulty is that we need to split the entry block of the function we are jumping to in order to have somewhere to jump to.
3304         Worse: it is not necessarily the first block of the codeBlock, because of inlining! So we must do the splitting in the DFGByteCodeParser, at the same time as inlining.
3305         We do this part through modifying the computation of the jump targets.
3306         Importantly, we only do this splitting for functions that have tail calls.
3307         It is the only case where the optimisation is sound, and doing the splitting unconditionally destroys performance on Octane/raytrace.
3308
3309         We must then do the actual transformation also in DFGByteCodeParser, to avoid code motion moving code out of the body of what will become a loop.
3310         The transformation is entirely contained in handleRecursiveTailCall, which is hooked to the inlining machinery.
3311
3312         * bytecode/CodeBlock.h:
3313         (JSC::CodeBlock::hasTailCalls const):
3314         * bytecode/PreciseJumpTargets.cpp:
3315         (JSC::getJumpTargetsForBytecodeOffset):
3316         (JSC::computePreciseJumpTargetsInternal):
3317         * bytecode/UnlinkedCodeBlock.cpp:
3318         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
3319         * bytecode/UnlinkedCodeBlock.h:
3320         (JSC::UnlinkedCodeBlock::hasTailCalls const):
3321         (JSC::UnlinkedCodeBlock::setHasTailCalls):
3322         * bytecompiler/BytecodeGenerator.cpp:
3323         (JSC::BytecodeGenerator::emitEnter):
3324         (JSC::BytecodeGenerator::emitCallInTailPosition):
3325         * dfg/DFGByteCodeParser.cpp:
3326         (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
3327         (JSC::DFG::ByteCodeParser::makeBlockTargetable):
3328         (JSC::DFG::ByteCodeParser::handleCall):
3329         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
3330         (JSC::DFG::ByteCodeParser::parseBlock):
3331         (JSC::DFG::ByteCodeParser::parse):
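
        The shape of the rewrite described in the entry above, as an added example that is not code from the patch: a self-recursive call in tail position, a hand-written loop of the form the transformation corresponds to (the call becomes a jump back to the function's entry with the arguments reassigned), and a non-tail recursion that does not qualify because work remains after the callee returns. The functions are constructed for this illustration; the loop version is an illustration of the DFG rewrite at source level, not the engine's actual output. JSC honours proper tail calls only in strict-mode code, and other engines such as Node's V8 do not implement them at all, so the self-check uses moderate depths.

```javascript
'use strict';
// Added example, not code from the WebKit change. Strict mode is required for
// JSC to treat `return sumTo(...)` as a tail call in the first place.

// Self-recursive call in tail position: nothing happens after the call
// returns, so the callee may replace the caller's frame.
function sumTo(n, acc = 0) {
  if (n === 0) return acc;
  return sumTo(n - 1, acc + n);
}

// Hand-written equivalent of "turn the recursive tail call into a loop": the
// recursive call is replaced by reassigning the arguments and jumping back
// to the (split) entry block, so the body can then be optimised as a loop.
function sumToLoop(n, acc = 0) {
  for (;;) {
    if (n === 0) return acc;
    [n, acc] = [n - 1, acc + n];
  }
}

// Not a tail call: the addition runs after the recursive call returns, so the
// caller's frame must survive and this rewrite does not apply.
function sumToNonTail(n) {
  if (n === 0) return 0;
  return n + sumToNonTail(n - 1);
}

// Constructed check that all three agree for every n up to `limit`.
function sameResults(limit) {
  for (let n = 0; n <= limit; n++) {
    const expected = (n * (n + 1)) / 2;
    if (sumTo(n) !== expected) return false;
    if (sumToLoop(n) !== expected) return false;
    if (sumToNonTail(n) !== expected) return false;
  }
  return true;
}
```

        Under JSC the first form can recurse arbitrarily deep without growing the stack, and after this change the DFG can optimise it as the loop that the second form spells out; the third form keeps its frames and stays a plain recursion in every engine.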
3332
3333 2017-10-18  Mark Lam  <mark.lam@apple.com>
3334
3335         RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.