GC constraint solving should be parallel
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-12-01  Filip Pizlo  <fpizlo@apple.com>

        GC constraint solving should be parallel
        https://bugs.webkit.org/show_bug.cgi?id=179934

        Reviewed by JF Bastien.

        This makes it possible to do constraint solving in parallel. This looks like a 1% Speedometer
        speed-up. It's more than 1% on trunk-Speedometer.

        The constraint solver supports running constraints in parallel in two different ways:

        - Run multiple constraints in parallel to each other. This only works for constraints that can
          tolerate other constraints running concurrently to them (constraint.concurrency() ==
          ConstraintConcurrency::Concurrent). This is the most basic kind of parallelism that the
          constraint solver supports. All constraints except the JSC SPI constraints are concurrent. We
          could probably make them concurrent, but I'm playing it safe for now.

        - A constraint can create parallel work for itself, which the constraint solver will interleave
          with other stuff. A constraint can report that it has parallel work by returning
          ConstraintParallelism::Parallel from its executeImpl() function. Then the solver will allow that
          constraint's doParallelWorkImpl() function to run on as many GC marker threads as are available,
          for as long as that function wants to run.

        It's not possible to have a non-concurrent constraint that creates parallel work.

        The parallelism is implemented in terms of the existing GC marker threads. This turns out to be
        most natural for two reasons:

        - No need to start any other threads.

        - The constraints all want to be passed a SlotVisitor. Running on the marker threads means having
          access to those threads' SlotVisitors. Also, it means less load balancing. The solver will
          create work on each marking thread's SlotVisitor. When the solver is done "stealing" a marker
          thread, that thread will have work it can start doing immediately. Before this change, we had to
          contribute the work found by the constraint solver to the global worklist so that it could be
          distributed to the marker threads by load balancing. This change probably helps to avoid that
          load balancing step.

        A lot of this change is about making it easy to iterate GC data structures in parallel. This
        change makes almost all constraints parallel-enabled, but only the DOM's output constraint uses
        the parallel work API. That constraint iterates the marked cells in two subspaces. This change
        makes it very easy to compose parallel iterators over subspaces, allocators, blocks, and cells.
        The marked cell parallel iterator is composed out of parallel iterators for the others. A parallel
        iterator is just an iterator that can do an atomic next() very quickly. We abstract them using
        RefPtr<SharedTask<...()>>, where ... is the type returned from the iterator. We know it's done
        when it returns a falsish version of ... (in the current code, that's always a pointer type, so
        done is indicated by null).

        * API/JSMarkingConstraintPrivate.cpp:
        (JSContextGroupAddMarkingConstraint):
        * API/JSVirtualMachine.mm:
        (scanExternalObjectGraph):
        (scanExternalRememberedSet):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::propagateTransitions const):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitWeakly):
        (JSC::CodeBlock::shouldJettisonDueToOldAge):
        (JSC::shouldMarkTransition):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::determineLiveness):
        * dfg/DFGWorklist.cpp:
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * heap/ConstraintParallelism.h: Added.
        (WTF::printInternal):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::addToRememberedSet):
        (JSC::Heap::runFixpointPhase):
        (JSC::Heap::stopThePeriphery):
        (JSC::Heap::resumeThePeriphery):
        (JSC::Heap::addCoreConstraints):
        (JSC::Heap::setBonusVisitorTask):
        (JSC::Heap::runTaskInParallel):
        (JSC::Heap::forEachSlotVisitor): Deleted.
        * heap/Heap.h:
        (JSC::Heap::worldIsRunning const):
        (JSC::Heap::runFunctionInParallel):
        * heap/HeapInlines.h:
        (JSC::Heap::worldIsStopped const):
        (JSC::Heap::isMarked):
        (JSC::Heap::incrementDeferralDepth):
        (JSC::Heap::decrementDeferralDepth):
        (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
        (JSC::Heap::forEachSlotVisitor):
        (JSC::Heap::collectorBelievesThatTheWorldIsStopped const): Deleted.
        (JSC::Heap::isMarkedConcurrently): Deleted.
        * heap/HeapSnapshotBuilder.cpp:
        (JSC::HeapSnapshotBuilder::appendNode):
        * heap/LargeAllocation.h:
        (JSC::LargeAllocation::isMarked):
        (JSC::LargeAllocation::isMarkedConcurrently): Deleted.
        * heap/LockDuringMarking.h:
        (JSC::lockDuringMarking):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::parallelNotEmptyBlockSource):
        * heap/MarkedAllocator.h:
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::aboutToMark):
        (JSC::MarkedBlock::isMarked):
        (JSC::MarkedBlock::areMarksStaleWithDependency): Deleted.
        (JSC::MarkedBlock::isMarkedConcurrently): Deleted.
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::activeWeakSetsBegin):
        (JSC::MarkedSpace::activeWeakSetsEnd):
        (JSC::MarkedSpace::newActiveWeakSetsBegin):
        (JSC::MarkedSpace::newActiveWeakSetsEnd):
        * heap/MarkingConstraint.cpp:
        (JSC::MarkingConstraint::MarkingConstraint):
        (JSC::MarkingConstraint::execute):
        (JSC::MarkingConstraint::quickWorkEstimate):
        (JSC::MarkingConstraint::workEstimate):
        (JSC::MarkingConstraint::doParallelWork):
        (JSC::MarkingConstraint::finishParallelWork):
        (JSC::MarkingConstraint::doParallelWorkImpl):
        (JSC::MarkingConstraint::finishParallelWorkImpl):
        * heap/MarkingConstraint.h:
        (JSC::MarkingConstraint::lastExecuteParallelism const):
        (JSC::MarkingConstraint::parallelism const):
        (JSC::MarkingConstraint::quickWorkEstimate): Deleted.
        (JSC::MarkingConstraint::workEstimate): Deleted.
        * heap/MarkingConstraintSet.cpp:
        (JSC::MarkingConstraintSet::MarkingConstraintSet):
        (JSC::MarkingConstraintSet::add):
        (JSC::MarkingConstraintSet::executeConvergence):
        (JSC::MarkingConstraintSet::executeConvergenceImpl):
        (JSC::MarkingConstraintSet::executeAll):
        (JSC::MarkingConstraintSet::ExecutionContext::ExecutionContext): Deleted.
        (JSC::MarkingConstraintSet::ExecutionContext::didVisitSomething const): Deleted.
        (JSC::MarkingConstraintSet::ExecutionContext::shouldTimeOut const): Deleted.
        (JSC::MarkingConstraintSet::ExecutionContext::drain): Deleted.
        (JSC::MarkingConstraintSet::ExecutionContext::didExecute const): Deleted.
        (JSC::MarkingConstraintSet::ExecutionContext::execute): Deleted.
        (): Deleted.
        * heap/MarkingConstraintSet.h:
        * heap/MarkingConstraintSolver.cpp: Added.
        (JSC::MarkingConstraintSolver::MarkingConstraintSolver):
        (JSC::MarkingConstraintSolver::~MarkingConstraintSolver):
        (JSC::MarkingConstraintSolver::didVisitSomething const):
        (JSC::MarkingConstraintSolver::execute):
        (JSC::MarkingConstraintSolver::drain):
        (JSC::MarkingConstraintSolver::converge):
        (JSC::MarkingConstraintSolver::runExecutionThread):
        (JSC::MarkingConstraintSolver::didExecute):
        * heap/MarkingConstraintSolver.h: Added.
        * heap/OpaqueRootSet.h: Removed.
        * heap/ParallelSourceAdapter.h: Added.
        (JSC::ParallelSourceAdapter::ParallelSourceAdapter):
        (JSC::createParallelSourceAdapter):
        * heap/SimpleMarkingConstraint.cpp: Added.
        (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
        (JSC::SimpleMarkingConstraint::~SimpleMarkingConstraint):
        (JSC::SimpleMarkingConstraint::quickWorkEstimate):
        (JSC::SimpleMarkingConstraint::executeImpl):
        * heap/SimpleMarkingConstraint.h: Added.
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::didStartMarking):
        (JSC::SlotVisitor::reset):
        (JSC::SlotVisitor::appendToMarkStack):
        (JSC::SlotVisitor::visitChildren):
        (JSC::SlotVisitor::updateMutatorIsStopped):
        (JSC::SlotVisitor::mutatorIsStoppedIsUpToDate const):
        (JSC::SlotVisitor::drain):
        (JSC::SlotVisitor::performIncrementOfDraining):
        (JSC::SlotVisitor::didReachTermination):
        (JSC::SlotVisitor::hasWork):
        (JSC::SlotVisitor::drainFromShared):
        (JSC::SlotVisitor::drainInParallelPassively):
        (JSC::SlotVisitor::waitForTermination):
        (JSC::SlotVisitor::addOpaqueRoot): Deleted.
        (JSC::SlotVisitor::containsOpaqueRoot const): Deleted.
        (JSC::SlotVisitor::containsOpaqueRootTriState const): Deleted.
        (JSC::SlotVisitor::mergeIfNecessary): Deleted.
        (JSC::SlotVisitor::mergeOpaqueRootsIfProfitable): Deleted.
        (JSC::SlotVisitor::mergeOpaqueRoots): Deleted.
        * heap/SlotVisitor.h:
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::addOpaqueRoot):
        (JSC::SlotVisitor::containsOpaqueRoot const):
        (JSC::SlotVisitor::vm):
        (JSC::SlotVisitor::vm const):
        * heap/Subspace.cpp:
        (JSC::Subspace::parallelAllocatorSource):
        (JSC::Subspace::parallelNotEmptyMarkedBlockSource):
        * heap/Subspace.h:
        * heap/SubspaceInlines.h:
        (JSC::Subspace::forEachMarkedCellInParallel):
        * heap/VisitCounter.h: Added.
        (JSC::VisitCounter::VisitCounter):
        (JSC::VisitCounter::visitCount const):
        * heap/VisitingTimeout.h: Removed.
        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::specializedVisit):
        * runtime/Structure.cpp:
        (JSC::Structure::isCheapDuringGC):
        (JSC::Structure::markIfCheap):

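The entry above describes a parallel iterator as a callable whose next() is atomic and returns null when exhausted, with the marked-cell iterator composed from a block iterator and a per-block cell iterator. The following is an added illustration of that shape, not JSC's code: `Cell`, `Block`, `makeBlockSource`, `makeCellSource`, `composeParallelSource` and `visitAllCellsInParallel` are hypothetical stand-ins, the composition uses a plain mutex rather than JSC's `ParallelSourceAdapter`, and ordinary `std::thread`s play the part of the GC marker threads. The check at the end is the property a parallel heap walk must preserve: every cell is claimed by exactly one thread, never skipped and never claimed twice.

```cpp
#include <atomic>
#include <cstddef>
#include <cstdio>
#include <functional>
#include <memory>
#include <mutex>
#include <thread>
#include <utility>
#include <vector>

// Hypothetical stand-ins for a heap cell and a block of cells (not JSC's types).
struct Cell { int id = 0; };            // id doubles as the cell's global index
struct Block { std::vector<Cell> cells; };

// A parallel source of T*: calling it is an atomic next(); nullptr means exhausted.
template<typename T>
using ParallelSource = std::function<T*()>;

// Source over the blocks of a heap: one fetch_add per next(), no lock.
inline ParallelSource<Block> makeBlockSource(std::vector<Block>& blocks)
{
    auto index = std::make_shared<std::atomic<size_t>>(0);
    return [&blocks, index]() -> Block* {
        size_t i = index->fetch_add(1, std::memory_order_relaxed);
        return i < blocks.size() ? &blocks[i] : nullptr;
    };
}

// Source over the cells of one block, built the same way.
inline ParallelSource<Cell> makeCellSource(Block* block)
{
    auto index = std::make_shared<std::atomic<size_t>>(0);
    return [block, index]() -> Cell* {
        size_t i = index->fetch_add(1, std::memory_order_relaxed);
        return i < block->cells.size() ? &block->cells[i] : nullptr;
    };
}

// Composes an outer source with a factory for inner sources into a source of inner
// items (blocks -> cells here). Every next() takes the lock, which is the simplest
// correct hand-off between inner sources; it is not JSC's ParallelSourceAdapter.
template<typename Outer, typename Inner>
ParallelSource<Inner> composeParallelSource(ParallelSource<Outer> outer,
    std::function<ParallelSource<Inner>(Outer*)> makeInner)
{
    struct State {
        std::mutex lock;
        ParallelSource<Outer> outer;
        std::function<ParallelSource<Inner>(Outer*)> makeInner;
        ParallelSource<Inner> inner; // current inner source; empty until first use
        bool outerDone = false;
    };
    auto state = std::make_shared<State>();
    state->outer = std::move(outer);
    state->makeInner = std::move(makeInner);
    return [state]() -> Inner* {
        std::lock_guard<std::mutex> guard(state->lock);
        for (;;) {
            if (state->inner) {
                if (Inner* item = state->inner())
                    return item;
                state->inner = nullptr; // inner exhausted: advance the outer source
            }
            if (state->outerDone)
                return nullptr;
            Outer* next = state->outer();
            if (!next) { state->outerDone = true; return nullptr; }
            state->inner = state->makeInner(next);
        }
    };
}

// Constructed sample heap: blockCount blocks of cellsPerBlock cells, ids 0..N-1.
inline std::vector<Block> makeHeap(size_t blockCount, size_t cellsPerBlock)
{
    std::vector<Block> blocks(blockCount);
    for (size_t b = 0; b < blockCount; ++b) {
        blocks[b].cells.resize(cellsPerBlock);
        for (size_t c = 0; c < cellsPerBlock; ++c)
            blocks[b].cells[c].id = static_cast<int>(b * cellsPerBlock + c);
    }
    return blocks;
}

// Drains the composed cell source from threadCount threads (stand-ins for marker
// threads). Returns true only if every cell was claimed exactly once overall.
inline bool visitAllCellsInParallel(std::vector<Block>& blocks, unsigned threadCount)
{
    size_t totalCells = 0;
    for (const Block& block : blocks)
        totalCells += block.cells.size();
    ParallelSource<Cell> cellSource =
        composeParallelSource<Block, Cell>(makeBlockSource(blocks), makeCellSource);
    std::vector<std::atomic<int>> claims(totalCells); // per-cell claim count, zeroed
    std::atomic<size_t> visited { 0 };
    std::vector<std::thread> workers;
    for (unsigned t = 0; t < threadCount; ++t) {
        workers.emplace_back([&] {
            size_t mine = 0;
            while (Cell* cell = cellSource()) { // atomic next(); nullptr means done
                claims[cell->id].fetch_add(1, std::memory_order_relaxed);
                ++mine;
            }
            visited.fetch_add(mine, std::memory_order_relaxed);
        });
    }
    for (std::thread& worker : workers)
        worker.join();
    if (visited.load() != totalCells)
        return false;
    for (const std::atomic<int>& count : claims)
        if (count.load() != 1)
            return false;
    return true;
}

// Builds a constructed heap and walks it; usable directly from a test.
inline bool runParallelVisitDemo(size_t blockCount, size_t cellsPerBlock, unsigned threads)
{
    std::vector<Block> heap = makeHeap(blockCount, cellsPerBlock);
    return visitAllCellsInParallel(heap, threads);
}

int main()
{
    bool ok = runParallelVisitDemo(8, 37, 4);
    std::printf("parallel walk %s\n", ok ? "claimed every cell exactly once" : "FAILED");
    return ok ? 0 : 1;
}
```

The block-level and cell-level sources are lock-free; only the composition takes a lock, and it does so on every call. That is fine for a demonstration but is exactly the cost the entry's "atomic next() very quickly" requirement is about, so a production adapter would keep the lock off the per-cell fast path.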
2017-12-04  JF Bastien  <jfbastien@apple.com>

        Math: don't redundantly check for exceptions, just release scope
        https://bugs.webkit.org/show_bug.cgi?id=180395

        Rubber stamped by Mark Lam.

        Two of the exceptions checks could just have been exception scope
        releases before the return, which is ever-so-slightly more
        efficient. The same technically applies where we have loops over
        parameters, but doing the scope release there isn't really more
        efficient and is way harder to read.

        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncATan2):
        (JSC::mathProtoFuncPow):

2017-12-04  David Quesada  <david_quesada@apple.com>

        Add a class for parsing application manifests
        https://bugs.webkit.org/show_bug.cgi?id=177973
        rdar://problem/34747949

        Reviewed by Geoffrey Garen.

        * Configurations/FeatureDefines.xcconfig: Add ENABLE_APPLICATION_MANIFEST feature flag.

2017-12-04  JF Bastien  <jfbastien@apple.com>

        Update std::expected to match libc++ coding style
        https://bugs.webkit.org/show_bug.cgi?id=180264

        Reviewed by Alex Christensen.

        Update various uses of Expected.

        * wasm/WasmModule.h:
        * wasm/WasmModuleParser.cpp:
        (JSC::Wasm::ModuleParser::parseImport):
        (JSC::Wasm::ModuleParser::parseTableHelper):
        (JSC::Wasm::ModuleParser::parseTable):
        (JSC::Wasm::ModuleParser::parseMemoryHelper):
        * wasm/WasmParser.h:
        * wasm/generateWasmValidateInlinesHeader.py:
        (loadMacro):
        (storeMacro):
        * wasm/js/JSWebAssemblyModule.cpp:
        (JSC::JSWebAssemblyModule::createStub):
        * wasm/js/JSWebAssemblyModule.h:

2017-12-04  Saam Barati  <sbarati@apple.com>

        We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
        https://bugs.webkit.org/show_bug.cgi?id=180366
        <rdar://problem/35685877>

        Reviewed by Michael Saboff.

        On the TailCall slow path, the CallFrameShuffler will build the frame with
        respect to SP instead of FP. However, this may overwrite slots on the stack
        that are needed if the slow path C call does a stack walk. The slow path
        C call does a stack walk when it throws an exception. This patch fixes
        this bug by ensuring that the top of the stack in the FTL always has enough
        space to allow CallFrameShuffler to build a frame without overwriting any
        items on the stack that are needed when doing a stack walk.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):

2017-12-04  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: provide method for recording CanvasRenderingContext2D from JavaScript
        https://bugs.webkit.org/show_bug.cgi?id=175166
        <rdar://problem/34040740>

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Recording.json:
        Add optional `name` that will be used by the frontend for uniquely identifying the Recording.

        * inspector/JSGlobalObjectConsoleClient.h:
        * inspector/JSGlobalObjectConsoleClient.cpp:
        (Inspector::JSGlobalObjectConsoleClient::record):
        (Inspector::JSGlobalObjectConsoleClient::recordEnd):

        * runtime/ConsoleClient.h:
        * runtime/ConsoleObject.cpp:
        (JSC::ConsoleObject::finishCreation):
        (JSC::consoleProtoFuncRecord):
        (JSC::consoleProtoFuncRecordEnd):

2017-12-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        WTF shouldn't have both Thread and ThreadIdentifier
        https://bugs.webkit.org/show_bug.cgi?id=180308

        Reviewed by Darin Adler.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::tryCopyOtherThreadStacks):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_trace_operand):
        (JSC::LLInt::llint_trace_value):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::traceFunctionPrologue):
        * runtime/ExceptionScope.cpp:
        (JSC::ExceptionScope::unexpectedExceptionMessage):
        * runtime/JSLock.h:
        (JSC::JSLock::currentThreadIsHoldingLock):
        * runtime/VM.cpp:
        (JSC::VM::throwException):
        * runtime/VM.h:
        (JSC::VM::throwingThread const):
        (JSC::VM::clearException):
        * tools/HeapVerifier.cpp:
        (JSC::HeapVerifier::printVerificationHeader):

2017-12-03  Caio Lima  <ticaiolima@gmail.com>

        Rename DestroyFunc to avoid redefinition on unified build
        https://bugs.webkit.org/show_bug.cgi?id=180335

        Reviewed by Filip Pizlo.

        Changing DestroyFunc structures to more specific names to avoid
        conflicts on unified builds.

        * heap/HeapCellType.cpp:
        (JSC::HeapCellType::finishSweep):
        (JSC::HeapCellType::destroy):
        * runtime/JSDestructibleObjectHeapCellType.cpp:
        (JSC::JSDestructibleObjectHeapCellType::finishSweep):
        (JSC::JSDestructibleObjectHeapCellType::destroy):
        * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
        (JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
        (JSC::JSSegmentedVariableObjectHeapCellType::destroy):
        * runtime/JSStringHeapCellType.cpp:
        (JSC::JSStringHeapCellType::finishSweep):
        (JSC::JSStringHeapCellType::destroy):
        * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
        (JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
        (JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):

2017-12-01  JF Bastien  <jfbastien@apple.com>

        JavaScriptCore: missing exception checks in Math functions that take more than one argument
        https://bugs.webkit.org/show_bug.cgi?id=180297
        <rdar://problem/35745556>

        Reviewed by Mark Lam.

        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncATan2):
        (JSC::mathProtoFuncMax):
        (JSC::mathProtoFuncMin):
        (JSC::mathProtoFuncPow):

2017-12-01  Mark Lam  <mark.lam@apple.com>

        Let's scramble ClassInfo pointers in cells.
        https://bugs.webkit.org/show_bug.cgi?id=180291
        <rdar://problem/35807620>

        Reviewed by JF Bastien.

        * API/JSCallbackObject.h:
        * API/JSObjectRef.cpp:
        (classInfoPrivate):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * assembler/MacroAssemblerCodeRef.cpp:
        (JSC::MacroAssemblerCodePtr::initialize): Deleted.
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodePtr:: const):
        (JSC::MacroAssemblerCodePtr::hash const):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
        (JSC::DFG::SpeculativeJIT::compileNewStringObject):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSCScrambledPtr.cpp: Added.
        (JSC::initializeScrambledPtrKeys):
        * runtime/JSCScrambledPtr.h: Added.
        * runtime/JSDestructibleObject.h:
        (JSC::JSDestructibleObject::classInfo const):
        * runtime/JSSegmentedVariableObject.h:
        (JSC::JSSegmentedVariableObject::classInfo const):
        * runtime/Structure.h:
        * runtime/VM.h:

2017-12-01  Brian Burg  <bburg@apple.com>

        Web Inspector: move Inspector::Protocol::Array<T> to JSON namespace
        https://bugs.webkit.org/show_bug.cgi?id=173662

        Reviewed by Joseph Pecoraro.

        Adopt new type names. Fix protocol generator to use correct type names.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::addToFrontend):
        Improve namings and use 'auto' when the type is obvious and repeated.

        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::searchInTextByLines):
        * inspector/ContentSearchUtilities.h:
        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::getProperties):
        (Inspector::InjectedScript::getDisplayableProperties):
        (Inspector::InjectedScript::getInternalProperties):
        (Inspector::InjectedScript::getCollectionEntries):
        (Inspector::InjectedScript::wrapCallFrames const):
        * inspector/InjectedScript.h:
        * inspector/InspectorProtocolTypes.h:
        (Inspector::Protocol::BindingTraits<JSON::ArrayOf<T>>::runtimeCast):
        (Inspector::Protocol::Array::Array): Deleted.
        (Inspector::Protocol::Array::openAccessors): Deleted.
        (Inspector::Protocol::Array::addItem): Deleted.
        (Inspector::Protocol::Array::create): Deleted.
        (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast): Deleted.
        (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType): Deleted.
        Move the implementation out of this file.

        * inspector/ScriptCallStack.cpp:
        (Inspector::ScriptCallStack::buildInspectorArray const):
        * inspector/ScriptCallStack.h:
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::activateExtraDomain):
        (Inspector::InspectorAgent::activateExtraDomains):
        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::getLoggingChannels):
        * inspector/agents/InspectorConsoleAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
        (Inspector::InspectorDebuggerAgent::searchInContent):
        (Inspector::InspectorDebuggerAgent::currentCallFrames):
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getProperties):
        (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
        (Inspector::InspectorRuntimeAgent::getCollectionEntries):
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        (Inspector::InspectorRuntimeAgent::getBasicBlocks):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        (Inspector::buildSamples):
        Use more 'auto' and rename a variable.

        * inspector/scripts/codegen/cpp_generator.py:
        (CppGenerator.cpp_protocol_type_for_type):
        Adopt new type names. This exposed a latent bug where we should have been
        unwrapping an AliasedType prior to generating a C++ type for it. The aliased
        type may be an array, in which case we would have generated the wrong type.

        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        (_generate_typedefs_for_domain.JSON):
        (_generate_typedefs_for_domain.Inspector): Deleted.
        * inspector/scripts/codegen/objc_generator.py:
        (ObjCGenerator.protocol_type_for_type):
        (ObjCGenerator.objc_protocol_export_expression_for_variable):
        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
        Rebaseline.

        * runtime/TypeSet.cpp:
        (JSC::TypeSet::allStructureRepresentations const):
        (JSC::StructureShape::inspectorRepresentation):
        * runtime/TypeSet.h:

2017-12-01  Saam Barati  <sbarati@apple.com>

        Having a bad time needs to handle ArrayClass indexing type as well
        https://bugs.webkit.org/show_bug.cgi?id=180274
        <rdar://problem/35667869>

        Reviewed by Keith Miller and Mark Lam.

        We need to make sure to transition ArrayClass to SlowPutArrayStorage as well.
        Otherwise, we'll end up with the wrong Structure, which will lead us to not
        adhere to the spec. The bug was that we were not considering ArrayClass inside
        hasBrokenIndexing. This patch rewrites that function to automatically opt
        in non-empty indexing types as broken, instead of having to opt out all
        non-empty indexing types besides SlowPutArrayStorage.

        * runtime/IndexingType.h:
        (JSC::hasSlowPutArrayStorage):
        (JSC::shouldUseSlowPut):
        * runtime/JSGlobalObject.cpp:
        * runtime/JSObject.cpp:
        (JSC::JSObject::switchToSlowPutArrayStorage):

2017-12-01  JF Bastien  <jfbastien@apple.com>

        WebAssembly: stack trace improvement follow-ups
        https://bugs.webkit.org/show_bug.cgi?id=180273

        Reviewed by Saam Barati.

        * wasm/WasmIndexOrName.cpp:
        (JSC::Wasm::makeString):
        * wasm/WasmIndexOrName.h:
        (JSC::Wasm::IndexOrName::nameSection const):
        * wasm/WasmNameSection.h:
        (JSC::Wasm::NameSection::NameSection):
        (JSC::Wasm::NameSection::get):

2017-12-01  JF Bastien  <jfbastien@apple.com>

        WebAssembly: restore cached stack limit after out-call
        https://bugs.webkit.org/show_bug.cgi?id=179106
        <rdar://problem/35337525>

        Reviewed by Saam Barati.

        We cache the stack limit on the Instance so that we can do fast
        stack checks where required. In regular usage the stack limit
        never changes because we always run on the same thread, but in
        rare cases an API user can totally migrate which thread (and
        therefore stack) is used for execution between WebAssembly
        traces. For that reason we set the cached stack limit to
        UINTPTR_MAX on the outgoing Instance when transitioning back into
        a different Instance. We usually restore the cached stack limit in
        Context::store, but this wasn't called on all code paths. We had a
        bug where an Instance calling into itself indirectly would
        therefore fail to restore its cached stack limit properly.

        This patch therefore restores the cached stack limit after direct
        calls which could be to imports (both wasm->wasm and
        wasm->embedder). We have to do all of them because we have no way
        of knowing what imports will do (they're known at instantiation
        time, not compilation time, and different instances can have
        different imports). To make this efficient we also add a pointer
        to the canonical location of the stack limit (i.e. the extra
        indirection we're trying to save by caching the stack limit on the
        Instance in the first place). This is potentially a small perf hit
        on imported direct calls.

        It's hard to say what the performance cost will be because we
        haven't seen much code in the wild which does this. We're adding
        two dependent loads and a store of the loaded value, which is
        unlikely to get used soon after. It's more code, but on an
        out-of-order processor it doesn't contribute to the critical path.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
        (JSC::Wasm::B3IRGenerator::addGrowMemory):
        (JSC::Wasm::B3IRGenerator::addCall):
        (JSC::Wasm::B3IRGenerator::addCallIndirect):
        * wasm/WasmInstance.cpp:
        (JSC::Wasm::Instance::Instance):
        (JSC::Wasm::Instance::create):
        * wasm/WasmInstance.h:
        (JSC::Wasm::Instance::offsetOfPointerToActualStackLimit):
        (JSC::Wasm::Instance::cachedStackLimit const):
        (JSC::Wasm::Instance::setCachedStackLimit):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):

2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use JSFixedArray for op_new_array_buffer
        https://bugs.webkit.org/show_bug.cgi?id=180084

        Reviewed by Saam Barati.

        For op_new_array_buffer, we have a special constant buffer in CodeBlock.
        But using JSFixedArray is better because,

        1. In DFG, we have special hashing mechanism to avoid duplicating constant buffer from the same CodeBlock.
           If we use JSFixedArray, this is unnecessary since JSFixedArray is handled just as JS constant.

        2. In a subsequent patch[1], we would like to support Spread(PhantomNewArrayBuffer). If NewArrayBuffer
           has JSFixedArray, we can just emit a held JSFixedArray.

        3. We can reduce length of op_new_array_buffer since JSFixedArray holds this.

        4. We can fold NewArrayBufferData into uint64_t. No need to maintain a bag of NewArrayBufferData in DFG.

        5. We do not need to look up constant buffer from CodeBlock if buffer data is necessary. Our NewArrayBuffer
           DFG node has JSFixedArray as its cellOperand. This makes materializing PhantomNewArrayBuffer easy, which
           will be introduced in [1].

        [1]: https://bugs.webkit.org/show_bug.cgi?id=179762

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numberOfConstantBuffers const): Deleted.
        (JSC::CodeBlock::addConstantBuffer): Deleted.
        (JSC::CodeBlock::constantBufferAsVector): Deleted.
        (JSC::CodeBlock::constantBuffer): Deleted.
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::shrinkToFit):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::constantBufferCount): Deleted.
        (JSC::UnlinkedCodeBlock::addConstantBuffer): Deleted.
        (JSC::UnlinkedCodeBlock::constantBuffer const): Deleted.
        (JSC::UnlinkedCodeBlock::constantBuffer): Deleted.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitNewArray):
        (JSC::BytecodeGenerator::addConstantBuffer): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ConstantBufferKey::ConstantBufferKey): Deleted.
        (JSC::DFG::ConstantBufferKey::operator== const): Deleted.
        (JSC::DFG::ConstantBufferKey::hash const): Deleted.
        (JSC::DFG::ConstantBufferKey::isHashTableDeletedValue const): Deleted.
        (JSC::DFG::ConstantBufferKey::codeBlock const): Deleted.
        (JSC::DFG::ConstantBufferKey::index const): Deleted.
        (JSC::DFG::ConstantBufferKeyHash::hash): Deleted.
        (JSC::DFG::ConstantBufferKeyHash::equal): Deleted.
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasNewArrayBufferData):
        (JSC::DFG::Node::newArrayBufferData):
        (JSC::DFG::Node::hasVectorLengthHint):
        (JSC::DFG::Node::vectorLengthHint):
        (JSC::DFG::Node::indexingType):
        (JSC::DFG::Node::hasCellOperand):
        (JSC::DFG::Node::OpInfoWrapper::operator=):
        (JSC::DFG::Node::OpInfoWrapper::asNewArrayBufferData const):
        (JSC::DFG::Node::hasConstantBuffer): Deleted.
        (JSC::DFG::Node::startConstant): Deleted.
        (JSC::DFG::Node::numConstants): Deleted.
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_array_buffer): Deleted.
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * llint/LLIntSlowPaths.cpp:
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * runtime/CommonSlowPaths.cpp:
673         (JSC::SLOW_PATH_DECL):
674         * runtime/CommonSlowPaths.h:
675         * runtime/JSFixedArray.cpp:
676         (JSC::JSFixedArray::dumpToStream):
677         * runtime/JSFixedArray.h:
678         (JSC::JSFixedArray::create):
679         (JSC::JSFixedArray::get const):
680         (JSC::JSFixedArray::set):
681         (JSC::JSFixedArray::buffer const):
682         (JSC::JSFixedArray::values const):
683         (JSC::JSFixedArray::length const):
684         (JSC::JSFixedArray::get): Deleted.
685
686 2017-11-30  JF Bastien  <jfbastien@apple.com>
687
688         WebAssembly: improve stack trace
689         https://bugs.webkit.org/show_bug.cgi?id=179343
690
691         Reviewed by Saam Barati.
692
693         Stack traces now include:
694
695           - Module name, if provided by the name section.
696           - Module SHA1 hash if no name was provided
697           - Stub identification, to differentiate from user code
698           - Slightly different naming to match design from:
699               https://github.com/WebAssembly/design/blob/master/Web.md#developer-facing-display-conventions
700
701         * interpreter/StackVisitor.cpp:
702         (JSC::StackVisitor::Frame::functionName const):
703         * runtime/StackFrame.cpp:
704         (JSC::StackFrame::functionName const):
705         (JSC::StackFrame::visitChildren):
706         * wasm/WasmIndexOrName.cpp:
707         (JSC::Wasm::IndexOrName::IndexOrName):
708         (JSC::Wasm::makeString):
709         * wasm/WasmIndexOrName.h:
710         (JSC::Wasm::IndexOrName::nameSection const):
711         * wasm/WasmModuleInformation.cpp:
712         (JSC::Wasm::ModuleInformation::ModuleInformation):
713         * wasm/WasmModuleInformation.h:
714         * wasm/WasmNameSection.h:
715         (JSC::Wasm::NameSection::NameSection):
716         (JSC::Wasm::NameSection::get):
717         * wasm/WasmNameSectionParser.cpp:
718         (JSC::Wasm::NameSectionParser::parse):
719
720 2017-11-30  Stephan Szabo  <stephan.szabo@sony.com>
721
722         Make LegacyCustomProtocolManager optional for network process
723         https://bugs.webkit.org/show_bug.cgi?id=176230
724
725         Reviewed by Alex Christensen.
726
727         * Configurations/FeatureDefines.xcconfig:
728
729 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
730
731         [JSC] Remove easy toRemove & map.remove() use in OAS phase
732         https://bugs.webkit.org/show_bug.cgi?id=180208
733
734         Reviewed by Mark Lam.
735
736         In this patch, we replace the Vector<> toRemove & map.remove loop with removeIf,
737         to optimize this common pattern. This patch only modifies apparent ones.
738         But we can apply this refactoring further to the OAS phase in the future.
739
740         One thing we should take care of is that the predicate of removeIf should not touch the
741         set it is removing from. In this patch, we apply this change to (1) apparently
742         correct ones and (2) things in the DFG OAS phase since it is very slow.
743
744         * b3/B3MoveConstants.cpp:
745         * dfg/DFGObjectAllocationSinkingPhase.cpp:
746
747 2017-11-30  Commit Queue  <commit-queue@webkit.org>
748
749         Unreviewed, rolling out r225362.
750         https://bugs.webkit.org/show_bug.cgi?id=180225
751
752         removeIf predicate function can touch remove target set
753         (Requested by yusukesuzuki on #webkit).
754
755         Reverted changeset:
756
757         "[JSC] Remove easy toRemove & map.remove() use"
758         https://bugs.webkit.org/show_bug.cgi?id=180208
759         https://trac.webkit.org/changeset/225362
760
761 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
762
763         [JSC] Use AllocatorIfExists for MaterializeNewObject
764         https://bugs.webkit.org/show_bug.cgi?id=180189
765
766         Reviewed by Filip Pizlo.
767
768         I don't think anyone guarantees this allocator exists at this phase.
769         And a nullptr allocator just works here. We change AllocatorForMode
770         to AllocatorIfExists to accept nullptr for the allocator.
771
772         * ftl/FTLLowerDFGToB3.cpp:
773         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
774
775 2017-11-30  Mark Lam  <mark.lam@apple.com>
776
777         Let's scramble MacroAssemblerCodePtr values.
778         https://bugs.webkit.org/show_bug.cgi?id=180169
779         <rdar://problem/35758340>
780
781         Reviewed by Filip Pizlo, Saam Barati, and JF Bastien.
782
783         1. MacroAssemblerCodePtr now stores a ScrambledPtr instead of a void*.
784
785         2. MacroAssemblerCodePtr's executableAddress() and dataLocation() now take a
786            template argument type that will be used to cast the result.  This makes the
787            client code that uses these functions a little less verbose.
788
789         3. Change the code base in general to minimize passing void* code pointers around.
790            We now pass MacroAssemblerCodePtr as much as possible, and descramble it only
791            at the last moment when we need the underlying code pointer.
792
793         4. Added some MasmScrambledPtr paranoid asserts that are disabled (not built) by
794            default.  I'm leaving them in because they are instrumental in finding bugs
795            where not all MacroAssemblerCodePtr values were scrambled as expected.
796            I expect them to be useful in the near future as we add more scrambling.
797
798         5. Also disable the casting operator on MacroAssemblerCodePtr (except for
799            explicit casts to a boolean).  This ensures that clients will always explicitly
800            use scrambledBits() or executableAddress() to get a value based on which value
801            they actually need.
802
803         6. Added currentThread() id to the logging in LLIntSlowPath trace functions.
804            This was helpful when debugging tests that ran multiple VMs concurrently on
805            different threads.
806
807         MacroAssemblerCodePtr is currently supported on 64-bit builds (including the
808         CLoop).  It is not yet supported in 32-bit and Windows because we don't
809         currently have a way to read a global variable from their LLInt code.
810
811         * assembler/AbstractMacroAssembler.h:
812         (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
813         (JSC::AbstractMacroAssembler::linkPointer):
814         * assembler/CodeLocation.h:
815         (JSC::CodeLocationCommon::instructionAtOffset):
816         (JSC::CodeLocationCommon::labelAtOffset):
817         (JSC::CodeLocationCommon::jumpAtOffset):
818         (JSC::CodeLocationCommon::callAtOffset):
819         (JSC::CodeLocationCommon::nearCallAtOffset):
820         (JSC::CodeLocationCommon::dataLabelPtrAtOffset):
821         (JSC::CodeLocationCommon::dataLabel32AtOffset):
822         (JSC::CodeLocationCommon::dataLabelCompactAtOffset):
823         (JSC::CodeLocationCommon::convertibleLoadAtOffset):
824         * assembler/LinkBuffer.cpp:
825         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
826         * assembler/LinkBuffer.h:
827         (JSC::LinkBuffer::link):
828         (JSC::LinkBuffer::patch):
829         * assembler/MacroAssemblerCodeRef.cpp:
830         (JSC::MacroAssemblerCodePtr::initialize):
831         * assembler/MacroAssemblerCodeRef.h:
832         (JSC::FunctionPtr::FunctionPtr):
833         (JSC::FunctionPtr::value const):
834         (JSC::FunctionPtr::executableAddress const):
835         (JSC::ReturnAddressPtr::ReturnAddressPtr):
836         (JSC::ReturnAddressPtr::value const):
837         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
838         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
839         (JSC::MacroAssemblerCodePtr::scrambledPtr const):
840         (JSC::MacroAssemblerCodePtr:: const):
841         (JSC::MacroAssemblerCodePtr::operator! const):
842         (JSC::MacroAssemblerCodePtr::operator bool const):
843         (JSC::MacroAssemblerCodePtr::operator== const):
844         (JSC::MacroAssemblerCodePtr::hash const):
845         (JSC::MacroAssemblerCodePtr::emptyValue):
846         (JSC::MacroAssemblerCodePtr::deletedValue):
847         (JSC::MacroAssemblerCodePtr::executableAddress const): Deleted.
848         (JSC::MacroAssemblerCodePtr::dataLocation const): Deleted.
849         * b3/B3LowerMacros.cpp:
850         * b3/testb3.cpp:
851         (JSC::B3::testInterpreter):
852         * dfg/DFGDisassembler.cpp:
853         (JSC::DFG::Disassembler::dumpDisassembly):
854         * dfg/DFGJITCompiler.cpp:
855         (JSC::DFG::JITCompiler::link):
856         (JSC::DFG::JITCompiler::compileFunction):
857         * dfg/DFGOperations.cpp:
858         * dfg/DFGSpeculativeJIT.cpp:
859         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
860         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
861         (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
862         (JSC::DFG::SpeculativeJIT::emitSwitchChar):
863         * dfg/DFGSpeculativeJIT.h:
864         * disassembler/Disassembler.cpp:
865         (JSC::disassemble):
866         * disassembler/UDis86Disassembler.cpp:
867         (JSC::tryToDisassembleWithUDis86):
868         * ftl/FTLCompile.cpp:
869         (JSC::FTL::compile):
870         * ftl/FTLJITCode.cpp:
871         (JSC::FTL::JITCode::executableAddressAtOffset):
872         * ftl/FTLLink.cpp:
873         (JSC::FTL::link):
874         * ftl/FTLLowerDFGToB3.cpp:
875         (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
876         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
877         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
878         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
879         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
880         * interpreter/InterpreterInlines.h:
881         (JSC::Interpreter::getOpcodeID):
882         * jit/JITArithmetic.cpp:
883         (JSC::JIT::emitMathICFast):
884         (JSC::JIT::emitMathICSlow):
885         * jit/JITCode.cpp:
886         (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
887         (JSC::JITCodeWithCodeRef::dataAddressAtOffset):
888         (JSC::JITCodeWithCodeRef::offsetOf):
889         * jit/JITDisassembler.cpp:
890         (JSC::JITDisassembler::dumpDisassembly):
891         * jit/PCToCodeOriginMap.cpp:
892         (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
893         * jit/Repatch.cpp:
894         (JSC::ftlThunkAwareRepatchCall):
895         * jit/ThunkGenerators.cpp:
896         (JSC::virtualThunkFor):
897         (JSC::boundThisNoArgsFunctionCallGenerator):
898         * llint/LLIntSlowPaths.cpp:
899         (JSC::LLInt::llint_trace_operand):
900         (JSC::LLInt::llint_trace_value):
901         (JSC::LLInt::handleHostCall):
902         (JSC::LLInt::setUpCall):
903         * llint/LowLevelInterpreter64.asm:
904         * offlineasm/cloop.rb:
905         * runtime/InitializeThreading.cpp:
906         (JSC::initializeThreading):
907         * wasm/WasmBBQPlan.cpp:
908         (JSC::Wasm::BBQPlan::complete):
909         * wasm/WasmCallee.h:
910         (JSC::Wasm::Callee::entrypoint const):
911         * wasm/WasmCodeBlock.cpp:
912         (JSC::Wasm::CodeBlock::CodeBlock):
913         * wasm/WasmOMGPlan.cpp:
914         (JSC::Wasm::OMGPlan::work):
915         * wasm/js/WasmToJS.cpp:
916         (JSC::Wasm::wasmToJS):
917         * wasm/js/WebAssemblyFunction.cpp:
918         (JSC::callWebAssemblyFunction):
919         * wasm/js/WebAssemblyFunction.h:
920         * wasm/js/WebAssemblyWrapperFunction.cpp:
921         (JSC::WebAssemblyWrapperFunction::create):
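
The pattern this entry describes, as an added C++ illustration that is not WebKit's ScrambledPtr or MacroAssemblerCodePtr: a hypothetical ScrambledCodePtr stores only key-scrambled bits, permits no conversion except an explicit boolean test, and descrambles through executableAddress<T>() only at the call site. kScrambleKey and sampleEntrypoint are constructed for the demo.

```cpp
#include <cstdint>

// Process-wide secret. Constructed constant for this demo; a real implementation
// would draw it once at startup from a cryptographically secure source.
static const uintptr_t kScrambleKey = 0x5a5a1234deadbeefULL;

// Hypothetical stand-in for a MacroAssemblerCodePtr that holds a ScrambledPtr.
class ScrambledCodePtr {
public:
    ScrambledCodePtr() = default;

    // Mirrors createFromExecutableAddress: the raw address is scrambled on entry
    // and is never stored in the clear.
    template<typename P>
    static ScrambledCodePtr createFromExecutableAddress(P rawPointer)
    {
        ScrambledCodePtr result;
        uintptr_t raw = reinterpret_cast<uintptr_t>(rawPointer);
        if (raw)
            result.m_bits = raw ^ kScrambleKey;
        return result;
    }

    // The only conversion offered is an explicit boolean test (entry point 5).
    explicit operator bool() const { return m_bits != 0; }
    bool operator!() const { return m_bits == 0; }
    bool operator==(const ScrambledCodePtr& other) const { return m_bits == other.m_bits; }

    // Clients must say which value they want: the opaque bits (safe to copy,
    // compare and hash) or the descrambled address cast to the type they need.
    uintptr_t scrambledBits() const { return m_bits; }

    template<typename T = void*>
    T executableAddress() const
    {
        if (!m_bits)
            return T();
        return reinterpret_cast<T>(m_bits ^ kScrambleKey);
    }

private:
    uintptr_t m_bits = 0; // scrambled bits, or 0 for a null pointer
};

// Sample code target standing in for a JIT entrypoint (constructed).
static int sampleEntrypoint(int x) { return x + 1; }

ScrambledCodePtr sampleCodePtr()
{
    return ScrambledCodePtr::createFromExecutableAddress(&sampleEntrypoint);
}

// Descramble only at the call site, the "last moment" the entry describes.
int callThroughCodePtr(const ScrambledCodePtr& ptr, int argument)
{
    using Fn = int (*)(int);
    return ptr.executableAddress<Fn>()(argument);
}

// Whether the stored field equals the real address, i.e. whether a read of the
// field alone would disclose the code location.
bool storedBitsEqualRawAddress(const ScrambledCodePtr& ptr)
{
    return ptr.scrambledBits() == reinterpret_cast<uintptr_t>(&sampleEntrypoint);
}
```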
922
923 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
924
925         [JSC] Remove easy toRemove & map.remove() use
926         https://bugs.webkit.org/show_bug.cgi?id=180208
927
928         Reviewed by Mark Lam.
929
930         In this patch, we replace the Vector<> toRemove & map.remove loop with removeIf,
931         to optimize this common pattern. This patch only modifies apparent ones.
932         But we can apply this refactoring further to the OAS phase in the future.
933
934         * b3/B3MoveConstants.cpp:
935         * dfg/DFGArgumentsEliminationPhase.cpp:
936         * dfg/DFGObjectAllocationSinkingPhase.cpp:
937         * wasm/WasmSignature.cpp:
938         (JSC::Wasm::SignatureInformation::tryCleanup):
939
940 2017-11-29  Yusuke Suzuki  <utatane.tea@gmail.com>
941
942         [JSC] Use getEffectiveAddress more in JSC
943         https://bugs.webkit.org/show_bug.cgi?id=180154
944
945         Reviewed by Mark Lam.
946
947         We can use MacroAssembler::getEffectiveAddress for stack height calculation.
948         And we also add MacroAssembler::negPtr(src, dest) variation.
949
950         * assembler/MacroAssembler.h:
951         (JSC::MacroAssembler::negPtr):
952         * assembler/MacroAssemblerARM.h:
953         (JSC::MacroAssemblerARM::neg32):
954         * assembler/MacroAssemblerARM64.h:
955         (JSC::MacroAssemblerARM64::neg32):
956         (JSC::MacroAssemblerARM64::neg64):
957         * assembler/MacroAssemblerARMv7.h:
958         (JSC::MacroAssemblerARMv7::neg32):
959         * assembler/MacroAssemblerMIPS.h:
960         (JSC::MacroAssemblerMIPS::neg32):
961         * assembler/MacroAssemblerX86Common.h:
962         (JSC::MacroAssemblerX86Common::neg32):
963         * assembler/MacroAssemblerX86_64.h:
964         (JSC::MacroAssemblerX86_64::neg64):
965         * dfg/DFGThunks.cpp:
966         (JSC::DFG::osrEntryThunkGenerator):
967         * ftl/FTLLowerDFGToB3.cpp:
968         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
969         * jit/SetupVarargsFrame.cpp:
970         (JSC::emitSetVarargsFrame):
971
972 2017-11-30  Mark Lam  <mark.lam@apple.com>
973
974         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
975         https://bugs.webkit.org/show_bug.cgi?id=180219
976         <rdar://problem/35696536>
977
978         Reviewed by Filip Pizlo.
979
980         * jsc.cpp:
981         (functionFlashHeapAccess):
982
983 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
984
985         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
986         https://bugs.webkit.org/show_bug.cgi?id=180190
987
988         Reviewed by Mark Lam.
989
990         If the DFG HasIndexedProperty node observes a negative index, it goes to a slow
991         path by calling operationHasIndexedProperty. The problem is that
992         operationHasIndexedProperty does not account for a negative index. The negative index
993         was used as a uint32 array index.
994
995         In this patch we add a path for negative indices in operationHasIndexedProperty,
996         and rename it to operationHasIndexedPropertyByInt to make the intention clear.
997         We also move operationHasIndexedPropertyByInt from JITOperations to DFGOperations
998         since it is only used in DFG and FTL.
999
1000         While fixing this bug, we found that our op_in does not record OutOfBound feedback.
1001         This causes repeated OSR exit and significantly regresses the performance. We opened
1002         a bug to track this issue [1].
1003
1004         [1]: https://bugs.webkit.org/show_bug.cgi?id=180192
1005
1006         * dfg/DFGOperations.cpp:
1007         * dfg/DFGOperations.h:
1008         * dfg/DFGSpeculativeJIT32_64.cpp:
1009         (JSC::DFG::SpeculativeJIT::compile):
1010         * dfg/DFGSpeculativeJIT64.cpp:
1011         (JSC::DFG::SpeculativeJIT::compile):
1012         * ftl/FTLLowerDFGToB3.cpp:
1013         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
1014         * jit/JITOperations.cpp:
1015         * jit/JITOperations.h:
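
The signedness problem this entry fixes, as an added C++ illustration that is not JSC's code: a toy object with dense and named properties, a "before" helper that reinterprets the int32_t index as uint32_t, and a ByInt variant that routes negative indices to a named-property lookup, since in JavaScript `-1 in obj` asks for the property named "-1". ToyObject, makeSampleObject and the helper names are constructed for the demo.

```cpp
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// Toy JS-like object: dense indexed storage plus string-keyed properties.
struct ToyObject {
    std::vector<int> indexed;          // elements at indices 0..size-1
    std::map<std::string, int> named;  // properties keyed by name
};

// Unsigned lookup: fine for non-negative indices, which is all it was meant for.
bool hasIndexedPropertyUnsigned(const ToyObject& obj, uint32_t index)
{
    if (index < obj.indexed.size())
        return true;
    // Out of the dense range: fall back to a named lookup of the decimal key.
    return obj.named.count(std::to_string(index)) != 0;
}

// Hypothetical "before": the int32_t is cast straight to uint32_t, so -1
// silently becomes 4294967295 and the wrong key is searched for.
bool hasIndexedPropertyBefore(const ToyObject& obj, int32_t index)
{
    return hasIndexedPropertyUnsigned(obj, static_cast<uint32_t>(index));
}

// Hypothetical "after": the int32_t entry point handles the negative case
// itself. A negative index can never be an array index, so it is looked up
// by its string form ("-1"), as the language semantics require.
bool hasIndexedPropertyByInt(const ToyObject& obj, int32_t index)
{
    if (index < 0)
        return obj.named.count(std::to_string(index)) != 0;
    return hasIndexedPropertyUnsigned(obj, static_cast<uint32_t>(index));
}

// Constructed sample: two dense elements and one named property "-1".
ToyObject makeSampleObject()
{
    ToyObject obj;
    obj.indexed = { 10, 20 };
    obj.named["-1"] = 5;
    return obj;
}
```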
1016
1017 2017-11-30  Michael Saboff  <msaboff@apple.com>
1018
1019         Allow JSC command line tool to accept UTF8
1020         https://bugs.webkit.org/show_bug.cgi?id=180205
1021
1022         Reviewed by Keith Miller.
1023
1024         This unifies the UTF8 handling of interactive mode with that of source files.
1025
1026         * jsc.cpp:
1027         (runInteractive):
1028
1029 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1030
1031         REGRESSION(r225314): [Linux] More than 2000 jsc tests are failing after r225314
1032         https://bugs.webkit.org/show_bug.cgi?id=180185
1033
1034         Reviewed by Carlos Garcia Campos.
1035
1036         After r225314, we started using AllocatorForMode::MustAlreadyHaveAllocator for JSRopeString's allocatorFor.
1037         But it is different from the original code used before r225314. Since DFGSpeculativeJIT::emitAllocateJSCell
1038         can accept a nullptr allocator, the behavior of the original code is AllocatorForMode::AllocatorIfExists.
1039         And JSRopeString's allocator may not exist at this point if no JSRopeString has been allocated. But a MakeRope
1040         DFG node can be emitted if we see an untaken path that includes String + String code.
1041
1042         This patch fixes the Linux JSC crashes by changing JSRopeString's AllocatorForMode to AllocatorIfExists.
1043         As a result, the only user of AllocatorForMode::MustAlreadyHaveAllocator is MaterializeNewObject in FTL.
1044         I'm not sure why this condition (MustAlreadyHaveAllocator) is ensured. But this code is the same as the
1045         original code used before r225314.
1046
1047         * dfg/DFGSpeculativeJIT.cpp:
1048         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1049         * ftl/FTLLowerDFGToB3.cpp:
1050         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1051
1052 2017-11-28  Filip Pizlo  <fpizlo@apple.com>
1053
1054         CodeBlockSet::deleteUnmarkedAndUnreferenced can be a little more efficient
1055         https://bugs.webkit.org/show_bug.cgi?id=180108
1056
1057         Reviewed by Saam Barati.
1058         
1059         This was creating a vector of things to remove and then removing them. I think I remember writing
1060         this code, and I did that because at the time we did not have removeAllMatching, which is
1061         definitely better. This is a minuscule optimization for Speedometer. I wanted to land this
1062         obvious improvement before I did more fundamental things to this code.
1063
1064         * heap/CodeBlockSet.cpp:
1065         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
1066
1067 2017-11-29  Filip Pizlo  <fpizlo@apple.com>
1068
1069         GC should support isoheaps
1070         https://bugs.webkit.org/show_bug.cgi?id=179288
1071
1072         Reviewed by Saam Barati.
1073         
1074         This expands the power of the Subspace API in JSC:
1075         
1076         - Everything associated with describing the types of objects is now part of the HeapCellType class.
1077           We have different HeapCellTypes for different destruction strategies. Any Subspace can use any
1078           HeapCellType; these are orthogonal things.
1079         
1080         - There are now two variants of Subspace: CompleteSubspace, which can allocate any size objects using
1081           any AlignedMemoryAllocator; and IsoSubspace, which can allocate just one size of object and uses a
1082           special virtual memory pool for that purpose. Like bmalloc's IsoHeap, IsoSubspace hoards virtual
1083           pages but releases the physical pages as part of the respective allocator's scavenging policy
1084           (the Scavenger in bmalloc for IsoHeap and the incremental sweep and full sweep in Riptide for
1085           IsoSubspace).
1086         
1087         So far, this patch just puts subtypes of ExecutableBase in IsoSubspaces. If it works, we can use it
1088         for more things.
1089         
1090         This does not have any effect on JetStream (0.18% faster with p = 0.69).
1091
1092         * JavaScriptCore.xcodeproj/project.pbxproj:
1093         * Sources.txt:
1094         * bytecode/AccessCase.cpp:
1095         (JSC::AccessCase::generateImpl):
1096         * bytecode/ObjectAllocationProfileInlines.h:
1097         (JSC::ObjectAllocationProfile::initializeProfile):
1098         * dfg/DFGSpeculativeJIT.cpp:
1099         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1100         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1101         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1102         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1103         * dfg/DFGSpeculativeJIT64.cpp:
1104         (JSC::DFG::SpeculativeJIT::compile):
1105         * ftl/FTLAbstractHeapRepository.h:
1106         * ftl/FTLLowerDFGToB3.cpp:
1107         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1108         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1109         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
1110         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1111         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
1112         * heap/AlignedMemoryAllocator.cpp:
1113         (JSC::AlignedMemoryAllocator::registerAllocator):
1114         (JSC::AlignedMemoryAllocator::registerSubspace):
1115         * heap/AlignedMemoryAllocator.h:
1116         (JSC::AlignedMemoryAllocator::firstAllocator const):
1117         * heap/AllocationFailureMode.h: Added.
1118         * heap/CompleteSubspace.cpp: Added.
1119         (JSC::CompleteSubspace::CompleteSubspace):
1120         (JSC::CompleteSubspace::~CompleteSubspace):
1121         (JSC::CompleteSubspace::allocatorFor):
1122         (JSC::CompleteSubspace::allocate):
1123         (JSC::CompleteSubspace::allocateNonVirtual):
1124         (JSC::CompleteSubspace::allocatorForSlow):
1125         (JSC::CompleteSubspace::allocateSlow):
1126         (JSC::CompleteSubspace::tryAllocateSlow):
1127         * heap/CompleteSubspace.h: Added.
1128         (JSC::CompleteSubspace::offsetOfAllocatorForSizeStep):
1129         (JSC::CompleteSubspace::allocatorForSizeStep):
1130         (JSC::CompleteSubspace::allocatorForNonVirtual):
1131         * heap/HeapCellType.cpp: Added.
1132         (JSC::HeapCellType::HeapCellType):
1133         (JSC::HeapCellType::~HeapCellType):
1134         (JSC::HeapCellType::finishSweep):
1135         (JSC::HeapCellType::destroy):
1136         * heap/HeapCellType.h: Added.
1137         (JSC::HeapCellType::attributes const):
1138         * heap/IsoAlignedMemoryAllocator.cpp: Added.
1139         (JSC::IsoAlignedMemoryAllocator::IsoAlignedMemoryAllocator):
1140         (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
1141         (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
1142         (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
1143         (JSC::IsoAlignedMemoryAllocator::dump const):
1144         * heap/IsoAlignedMemoryAllocator.h: Added.
1145         * heap/IsoSubspace.cpp: Added.
1146         (JSC::IsoSubspace::IsoSubspace):
1147         (JSC::IsoSubspace::~IsoSubspace):
1148         (JSC::IsoSubspace::allocatorFor):
1149         (JSC::IsoSubspace::allocatorForNonVirtual):
1150         (JSC::IsoSubspace::allocate):
1151         (JSC::IsoSubspace::allocateNonVirtual):
1152         * heap/IsoSubspace.h: Added.
1153         (JSC::IsoSubspace::size const):
1154         * heap/MarkedAllocator.cpp:
1155         (JSC::MarkedAllocator::MarkedAllocator):
1156         (JSC::MarkedAllocator::setSubspace):
1157         (JSC::MarkedAllocator::allocateSlowCase):
1158         (JSC::MarkedAllocator::tryAllocateSlowCase): Deleted.
1159         (JSC::MarkedAllocator::allocateSlowCaseImpl): Deleted.
1160         * heap/MarkedAllocator.h:
1161         (JSC::MarkedAllocator::nextAllocatorInAlignedMemoryAllocator const):
1162         (JSC::MarkedAllocator::setNextAllocatorInAlignedMemoryAllocator):
1163         * heap/MarkedAllocatorInlines.h:
1164         (JSC::MarkedAllocator::allocate):
1165         (JSC::MarkedAllocator::tryAllocate): Deleted.
1166         * heap/MarkedBlock.h:
1167         * heap/MarkedBlockInlines.h:
1168         (JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType):
1169         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace): Deleted.
1170         * heap/MarkedSpace.cpp:
1171         (JSC::MarkedSpace::addMarkedAllocator):
1172         * heap/MarkedSpace.h:
1173         * heap/Subspace.cpp:
1174         (JSC::Subspace::Subspace):
1175         (JSC::Subspace::initialize):
1176         (JSC::Subspace::finishSweep):
1177         (JSC::Subspace::destroy):
1178         (JSC::Subspace::prepareForAllocation):
1179         (JSC::Subspace::findEmptyBlockToSteal):
1180         (): Deleted.
1181         (JSC::Subspace::allocate): Deleted.
1182         (JSC::Subspace::tryAllocate): Deleted.
1183         (JSC::Subspace::allocatorForSlow): Deleted.
1184         (JSC::Subspace::allocateSlow): Deleted.
1185         (JSC::Subspace::tryAllocateSlow): Deleted.
1186         (JSC::Subspace::didAllocate): Deleted.
1187         * heap/Subspace.h:
1188         (JSC::Subspace::heapCellType const):
1189         (JSC::Subspace::nextSubspaceInAlignedMemoryAllocator const):
1190         (JSC::Subspace::setNextSubspaceInAlignedMemoryAllocator):
1191         (JSC::Subspace::offsetOfAllocatorForSizeStep): Deleted.
1192         (JSC::Subspace::allocatorForSizeStep): Deleted.
1193         (JSC::Subspace::tryAllocatorFor): Deleted.
1194         (JSC::Subspace::allocatorFor): Deleted.
1195         * jit/AssemblyHelpers.h:
1196         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
1197         (JSC::AssemblyHelpers::emitAllocateVariableSized):
1198         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
1199         * jit/JITOpcodes.cpp:
1200         (JSC::JIT::emit_op_new_object):
1201         * runtime/ButterflyInlines.h:
1202         (JSC::Butterfly::createUninitialized):
1203         (JSC::Butterfly::tryCreate):
1204         (JSC::Butterfly::growArrayRight):
1205         * runtime/DirectArguments.cpp:
1206         (JSC::DirectArguments::overrideThings):
1207         * runtime/DirectArguments.h:
1208         (JSC::DirectArguments::subspaceFor):
1209         * runtime/DirectEvalExecutable.h:
1210         * runtime/EvalExecutable.h:
1211         * runtime/ExecutableBase.h:
1212         (JSC::ExecutableBase::subspaceFor):
1213         * runtime/FunctionExecutable.h:
1214         * runtime/GenericArgumentsInlines.h:
1215         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
1216         * runtime/HashMapImpl.h:
1217         (JSC::HashMapBuffer::create):
1218         * runtime/IndirectEvalExecutable.h:
1219         * runtime/JSArray.cpp:
1220         (JSC::JSArray::tryCreateUninitializedRestricted):
1221         (JSC::JSArray::unshiftCountSlowCase):
1222         * runtime/JSArray.h:
1223         (JSC::JSArray::tryCreate):
1224         * runtime/JSArrayBufferView.cpp:
1225         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1226         * runtime/JSCell.h:
1227         (JSC::subspaceFor):
1228         * runtime/JSCellInlines.h:
1229         (JSC::JSCell::subspaceFor):
1230         (JSC::tryAllocateCellHelper):
1231         (JSC::allocateCell):
1232         (JSC::tryAllocateCell):
1233         * runtime/JSDestructibleObject.h:
1234         (JSC::JSDestructibleObject::subspaceFor):
1235         * runtime/JSDestructibleObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.cpp.
1236         (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
1237         (JSC::JSDestructibleObjectHeapCellType::~JSDestructibleObjectHeapCellType):
1238         (JSC::JSDestructibleObjectHeapCellType::finishSweep):
1239         (JSC::JSDestructibleObjectHeapCellType::destroy):
1240         (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace): Deleted.
1241         (JSC::JSDestructibleObjectSubspace::~JSDestructibleObjectSubspace): Deleted.
1242         (JSC::JSDestructibleObjectSubspace::finishSweep): Deleted.
1243         (JSC::JSDestructibleObjectSubspace::destroy): Deleted.
1244         * runtime/JSDestructibleObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.h.
1245         * runtime/JSDestructibleObjectSubspace.cpp: Removed.
1246         * runtime/JSDestructibleObjectSubspace.h: Removed.
1247         * runtime/JSLexicalEnvironment.h:
1248         (JSC::JSLexicalEnvironment::subspaceFor):
1249         * runtime/JSSegmentedVariableObject.h:
1250         (JSC::JSSegmentedVariableObject::subspaceFor):
1251         * runtime/JSSegmentedVariableObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.cpp.
1252         (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
1253         (JSC::JSSegmentedVariableObjectHeapCellType::~JSSegmentedVariableObjectHeapCellType):
1254         (JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
1255         (JSC::JSSegmentedVariableObjectHeapCellType::destroy):
1256         (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace): Deleted.
1257         (JSC::JSSegmentedVariableObjectSubspace::~JSSegmentedVariableObjectSubspace): Deleted.
1258         (JSC::JSSegmentedVariableObjectSubspace::finishSweep): Deleted.
1259         (JSC::JSSegmentedVariableObjectSubspace::destroy): Deleted.
1260         * runtime/JSSegmentedVariableObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.h.
1261         * runtime/JSSegmentedVariableObjectSubspace.cpp: Removed.
1262         * runtime/JSSegmentedVariableObjectSubspace.h: Removed.
1263         * runtime/JSString.h:
1264         (JSC::JSString::subspaceFor):
1265         * runtime/JSStringHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.cpp.
1266         (JSC::JSStringHeapCellType::JSStringHeapCellType):
1267         (JSC::JSStringHeapCellType::~JSStringHeapCellType):
1268         (JSC::JSStringHeapCellType::finishSweep):
1269         (JSC::JSStringHeapCellType::destroy):
1270         (JSC::JSStringSubspace::JSStringSubspace): Deleted.
1271         (JSC::JSStringSubspace::~JSStringSubspace): Deleted.
1272         (JSC::JSStringSubspace::finishSweep): Deleted.
1273         (JSC::JSStringSubspace::destroy): Deleted.
1274         * runtime/JSStringHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.h.
1275         * runtime/JSStringSubspace.cpp: Removed.
1276         * runtime/JSStringSubspace.h: Removed.
1277         * runtime/ModuleProgramExecutable.h:
1278         * runtime/NativeExecutable.h:
1279         * runtime/ProgramExecutable.h:
1280         * runtime/RegExpMatchesArray.h:
1281         (JSC::tryCreateUninitializedRegExpMatchesArray):
1282         * runtime/ScopedArguments.h:
1283         (JSC::ScopedArguments::subspaceFor):
1284         * runtime/VM.cpp:
1285         (JSC::VM::VM):
1286         * runtime/VM.h:
1287         (JSC::VM::gigacageAuxiliarySpace):
1288         * wasm/js/JSWebAssemblyCodeBlock.h:
1289         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.cpp.
1290         (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
1291         (JSC::JSWebAssemblyCodeBlockHeapCellType::~JSWebAssemblyCodeBlockHeapCellType):
1292         (JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
1293         (JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):
1294         (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace): Deleted.
1295         (JSC::JSWebAssemblyCodeBlockSubspace::~JSWebAssemblyCodeBlockSubspace): Deleted.
1296         (JSC::JSWebAssemblyCodeBlockSubspace::finishSweep): Deleted.
1297         (JSC::JSWebAssemblyCodeBlockSubspace::destroy): Deleted.
1298         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.h.
1299         * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp: Removed.
1300         * wasm/js/JSWebAssemblyCodeBlockSubspace.h: Removed.
1301         * wasm/js/JSWebAssemblyMemory.h:
1302         (JSC::JSWebAssemblyMemory::subspaceFor):
1303
1304 2017-11-29  Saam Barati  <sbarati@apple.com>
1305
1306         Remove pointer caging for double arrays
1307         https://bugs.webkit.org/show_bug.cgi?id=180163
1308
1309         Reviewed by Mark Lam.
1310
1311         This patch removes pointer caging from double arrays. Like
1312         my previous removals of pointer caging, this is a security vs
1313         performance tradeoff. We believe that butterflies being allocated
1314         in the cage and with a 32GB runway gives us enough security that
1315         pointer caging the butterfly just for double arrays does not add
1316         enough security benefit for the performance hit it incurs.
1317         
1318         This patch also removes the GetButterflyWithoutCaging node and
1319         the FixedButterflyAccessUncaging phase. The node is no longer needed
1320         because now all GetButterfly nodes are not caged. The phase is removed
1321         since we no longer have two nodes.
1322
1323         * dfg/DFGAbstractInterpreterInlines.h:
1324         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1325         * dfg/DFGArgumentsEliminationPhase.cpp:
1326         * dfg/DFGClobberize.h:
1327         (JSC::DFG::clobberize):
1328         * dfg/DFGDoesGC.cpp:
1329         (JSC::DFG::doesGC):
1330         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Removed.
1331         * dfg/DFGFixedButterflyAccessUncagingPhase.h: Removed.
1332         * dfg/DFGFixupPhase.cpp:
1333         (JSC::DFG::FixupPhase::fixupNode):
1334         * dfg/DFGHeapLocation.cpp:
1335         (WTF::printInternal):
1336         * dfg/DFGHeapLocation.h:
1337         * dfg/DFGNodeType.h:
1338         * dfg/DFGPlan.cpp:
1339         (JSC::DFG::Plan::compileInThreadImpl):
1340         * dfg/DFGPredictionPropagationPhase.cpp:
1341         * dfg/DFGSafeToExecute.h:
1342         (JSC::DFG::safeToExecute):
1343         * dfg/DFGSpeculativeJIT.cpp:
1344         (JSC::DFG::SpeculativeJIT::compileSpread):
1345         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1346         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
1347         * dfg/DFGSpeculativeJIT32_64.cpp:
1348         (JSC::DFG::SpeculativeJIT::compile):
1349         * dfg/DFGSpeculativeJIT64.cpp:
1350         (JSC::DFG::SpeculativeJIT::compile):
1351         * dfg/DFGTypeCheckHoistingPhase.cpp:
1352         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
1353         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
1354         * ftl/FTLCapabilities.cpp:
1355         (JSC::FTL::canCompile):
1356         * ftl/FTLLowerDFGToB3.cpp:
1357         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1358         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
1359         * jit/JITPropertyAccess.cpp:
1360         (JSC::JIT::emitDoubleLoad):
1361         (JSC::JIT::emitGenericContiguousPutByVal):
1362         * runtime/Butterfly.h:
1363         (JSC::Butterfly::pointer):
1364         (JSC::Butterfly::contiguousDouble):
1365         (JSC::Butterfly::caged): Deleted.
1366         * runtime/ButterflyInlines.h:
1367         (JSC::Butterfly::createOrGrowPropertyStorage):
1368         * runtime/JSObject.cpp:
1369         (JSC::JSObject::ensureLengthSlow):
1370         (JSC::JSObject::reallocateAndShrinkButterfly):
1371
1372 2017-11-29  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
1373
1374         [MIPS][JSC] Implement MacroAssembler::probe support on MIPS
1375         https://bugs.webkit.org/show_bug.cgi?id=175447
1376
1377         Reviewed by Carlos Alberto Lopez Perez.
1378
1379         This patch allows DFG JIT to be enabled on MIPS platforms.
1380
1381         * Sources.txt:
1382         * assembler/MIPSAssembler.h:
1383         (JSC::MIPSAssembler::lastSPRegister):
1384         (JSC::MIPSAssembler::numberOfSPRegisters):
1385         (JSC::MIPSAssembler::sprName):
1386         * assembler/MacroAssemblerMIPS.cpp: Added.
1387         (JSC::MacroAssembler::probe):
1388         * assembler/ProbeContext.cpp:
1389         (JSC::Probe::executeProbe):
1390         * assembler/ProbeContext.h:
1391         (JSC::Probe::CPUState::pc):
1392         * assembler/testmasm.cpp:
1393         (JSC::isSpecialGPR):
1394         (JSC::testProbePreservesGPRS):
1395         (JSC::testProbeModifiesStackPointer):
1396         (JSC::testProbeModifiesStackValues):
1397
1398 2017-11-29  Matt Lewis  <jlewis3@apple.com>
1399
1400         Unreviewed, rolling out r225286.
1401
1402         The source files within this patch have been marked as
1403         executable.
1404
1405         Reverted changeset:
1406
1407         "[MIPS][JSC] Implement MacroAssembler::probe support on MIPS"
1408         https://bugs.webkit.org/show_bug.cgi?id=175447
1409         https://trac.webkit.org/changeset/225286
1410
1411 2017-11-29  Alex Christensen  <achristensen@webkit.org>
1412
1413         Fix Mac CMake build.
1414
1415         * PlatformMac.cmake:
1416
1417 2017-11-29  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
1418
1419         [MIPS][JSC] Implement MacroAssembler::probe support on MIPS
1420         https://bugs.webkit.org/show_bug.cgi?id=175447
1421
1422         Reviewed by Carlos Alberto Lopez Perez.
1423
1424         This patch allows DFG JIT to be enabled on MIPS platforms.
1425
1426         * Sources.txt:
1427         * assembler/MIPSAssembler.h:
1428         (JSC::MIPSAssembler::lastSPRegister):
1429         (JSC::MIPSAssembler::numberOfSPRegisters):
1430         (JSC::MIPSAssembler::sprName):
1431         * assembler/MacroAssemblerMIPS.cpp: Added.
1432         (JSC::MacroAssembler::probe):
1433         * assembler/ProbeContext.cpp:
1434         (JSC::Probe::executeProbe):
1435         * assembler/ProbeContext.h:
1436         (JSC::Probe::CPUState::pc):
1437         * assembler/testmasm.cpp:
1438         (JSC::isSpecialGPR):
1439         (JSC::testProbePreservesGPRS):
1440         (JSC::testProbeModifiesStackPointer):
1441         (JSC::testProbeModifiesStackValues):
1442
1443 2017-11-28  JF Bastien  <jfbastien@apple.com>
1444
1445         Strict and sloppy functions shouldn't share structure
1446         https://bugs.webkit.org/show_bug.cgi?id=180103
1447         <rdar://problem/35667847>
1448
1449         Reviewed by Saam Barati.
1450
1451         Sloppy and strict functions don't act the same when it comes to
1452         arguments, caller, and callee. Sharing a structure means that
1453         anything that is cached gets shared, and that's incorrect.
1454
1455         * dfg/DFGAbstractInterpreterInlines.h:
1456         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1457         * dfg/DFGSpeculativeJIT.cpp:
1458         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1459         * ftl/FTLLowerDFGToB3.cpp:
1460         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
1461         * runtime/FunctionConstructor.cpp:
1462         (JSC::constructFunctionSkippingEvalEnabledCheck):
1463         * runtime/JSFunction.cpp:
1464         (JSC::JSFunction::create): the second ::create is always strict
1465         because it applies to native functions.
1466         * runtime/JSFunctionInlines.h:
1467         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
1468         * runtime/JSGlobalObject.cpp:
1469         (JSC::JSGlobalObject::init):
1470         (JSC::JSGlobalObject::visitChildren):
1471         * runtime/JSGlobalObject.h:
1472         (JSC::JSGlobalObject::strictFunctionStructure const):
1473         (JSC::JSGlobalObject::sloppyFunctionStructure const):
1474         (JSC::JSGlobalObject::nativeStdFunctionStructure const):
1475         (JSC::JSGlobalObject::functionStructure const): Deleted. Renamed.
1476         (JSC::JSGlobalObject::namedFunctionStructure const): Deleted. Drive-by, unused.
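
An added example (not code from this patch or from WebKit) of the behaviour difference the entry above refers to: a sloppy function and a strict function give opposite results for `arguments`, `caller` and `callee`, so any lookup result cached for one must not be reused for the other. Both functions are built with the Function constructor so that only the "use strict" directive decides their strictness; the profile and cache-sharing helpers are constructed for this illustration.

```javascript
// Body shared by both functions: report what `arguments.callee` does.
const CALLEE_PROBE =
  'try { return arguments.callee === undefined ? "undefined" : "readable"; }' +
  'catch (e) { return e instanceof TypeError ? "TypeError" : "other"; }';

// Sloppy: no directive. Strict: the same body behind a "use strict" directive.
const sloppyFn = new Function(CALLEE_PROBE);
const strictFn = new Function('"use strict";' + CALLEE_PROBE);

// Classify one property access as "readable" or by the error class it throws.
function accessOutcome(obj, name) {
  try {
    void obj[name];
    return 'readable';
  } catch (e) {
    return e instanceof TypeError ? 'TypeError' : 'other';
  }
}

// Behaviour profile of the three properties for one function object.
function profileFunction(fn) {
  return {
    arguments: accessOutcome(fn, 'arguments'),
    caller: accessOutcome(fn, 'caller'),
    callee: fn(), // the function itself reports on arguments.callee
  };
}

// Hypothetical check: two functions may share cached lookup results only if
// every probed property behaves the same on both.
function safeToShareCache(a, b) {
  const pa = profileFunction(a);
  const pb = profileFunction(b);
  return Object.keys(pa).every((k) => pa[k] === pb[k]);
}

console.log('sloppy:', profileFunction(sloppyFn));
console.log('strict:', profileFunction(strictFn));
console.log('safe to share cache:', safeToShareCache(sloppyFn, strictFn));
```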
1477
1478 2017-11-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1479
1480         [JSC] Add MacroAssembler::getEffectiveAddress in all platforms
1481         https://bugs.webkit.org/show_bug.cgi?id=180070
1482
1483         Reviewed by Saam Barati.
1484
1485         This patch adds getEffectiveAddress in all JIT platforms.
1486         This is an abstracted version of x86 lea.
1487
1488         We also fix a bug in Yarr that uses branch32 instead of branchPtr for addresses.
1489
1490         * assembler/MacroAssemblerARM.h:
1491         (JSC::MacroAssemblerARM::getEffectiveAddress):
1492         * assembler/MacroAssemblerARM64.h:
1493         (JSC::MacroAssemblerARM64::getEffectiveAddress):
1494         (JSC::MacroAssemblerARM64::getEffectiveAddress64): Deleted.
1495         * assembler/MacroAssemblerARMv7.h:
1496         (JSC::MacroAssemblerARMv7::getEffectiveAddress):
1497         * assembler/MacroAssemblerMIPS.h:
1498         (JSC::MacroAssemblerMIPS::getEffectiveAddress):
1499         * assembler/MacroAssemblerX86.h:
1500         (JSC::MacroAssemblerX86::getEffectiveAddress):
1501         * assembler/MacroAssemblerX86_64.h:
1502         (JSC::MacroAssemblerX86_64::getEffectiveAddress):
1503         (JSC::MacroAssemblerX86_64::getEffectiveAddress64): Deleted.
1504         * assembler/testmasm.cpp:
1505         (JSC::testGetEffectiveAddress):
1506         (JSC::run):
1507         * dfg/DFGSpeculativeJIT.cpp:
1508         (JSC::DFG::SpeculativeJIT::compileArrayPush):
1509         * yarr/YarrJIT.cpp:
1510         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
1511         (JSC::Yarr::YarrGenerator::tryReadUnicodeChar):
1512
1513 2017-11-29  Robin Morisset  <rmorisset@apple.com>
1514
1515         The recursive tail call optimisation is wrong on closures
1516         https://bugs.webkit.org/show_bug.cgi?id=179835
1517
1518         Reviewed by Saam Barati.
1519
1520         The problem is that we only check the executable of the callee, not whatever variables might have been captured.
1521         As a stopgap measure this patch just does not do the optimisation for closures.
1522
1523         * dfg/DFGByteCodeParser.cpp:
1524         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
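
An added example (not code from this patch or from WebKit) that models the unsoundness described above: two closures created from the same source share one executable yet capture different variables, so redirecting a recursive tail call to the caller's own entry changes the result. Closure bodies return a tail-call request instead of calling, a trampoline stands in for the call machinery, and identical source text stands in for "same executable"; all of these are assumptions of the illustration.

```javascript
// Every closure returned here shares one executable (the `step` source text)
// but captures its own `label` and `next`.
function makeStep(label, next) {
  return function step(n, acc) {
    if (n === 0) return { done: true, value: acc };
    // Tail call to whichever closure `next` designates.
    return { done: false, callee: next(), args: [n - 1, acc + label] };
  };
}

// Stand-in for "same executable": identical source text.
function sameExecutable(a, b) {
  return a.toString() === b.toString();
}

// Trampoline. Mode "correct" always transfers to the requested closure.
// Mode "executable-only" reproduces the flawed check: when the callee has the
// caller's executable it jumps back to the caller's own entry, keeping the
// caller's captured variables instead of the callee's.
function run(entry, args, mode) {
  let current = entry;
  let result = current(...args);
  while (!result.done) {
    const { callee } = result;
    if (mode === 'executable-only' && sameExecutable(current, callee)) {
      // Flawed: treated as a self-call although the captured variables differ.
    } else {
      current = callee;
    }
    result = current(...result.args);
  }
  return result.value;
}

// Two mutually referring closures of the same executable (constructed sample).
let stepB;
const stepA = makeStep('A', () => stepB);
stepB = makeStep('B', () => stepA);

// Real semantics alternate between the two closures: 'ABA'.
function correctResult() {
  return run(stepA, [3, ''], 'correct');
}

// Executable-only check never leaves stepA: 'AAA'.
function executableOnlyResult() {
  return run(stepA, [3, ''], 'executable-only');
}

console.log('correct:', correctResult());
console.log('executable-only check:', executableOnlyResult());
```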
1525
1526 2017-11-28  Joseph Pecoraro  <pecoraro@apple.com>
1527
1528         Web Inspector: Cleanup Inspector classes to be more consistent about using fast malloc / noncopyable
1529         https://bugs.webkit.org/show_bug.cgi?id=180119
1530
1531         Reviewed by Devin Rousso.
1532
1533         * inspector/InjectedScriptManager.h:
1534         * inspector/JSGlobalObjectScriptDebugServer.h:
1535         * inspector/agents/InspectorHeapAgent.h:
1536         * inspector/agents/InspectorRuntimeAgent.h:
1537         * inspector/agents/InspectorScriptProfilerAgent.h:
1538         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
1539
1540 2017-11-28  Joseph Pecoraro  <pecoraro@apple.com>
1541
1542         ServiceWorker Inspector: Frontend changes to support Network tab and sub resources
1543         https://bugs.webkit.org/show_bug.cgi?id=179642
1544         <rdar://problem/35517704>
1545
1546         Reviewed by Brian Burg.
1547
1548         * inspector/protocol/Network.json:
1549         Expose the NetworkAgent for a Service Worker inspector.
1550
1551 2017-11-28  Brian Burg  <bburg@apple.com>
1552
1553         [Cocoa] Clean up names of conversion methods after renaming InspectorValue to JSON::Value
1554         https://bugs.webkit.org/show_bug.cgi?id=179696
1555
1556         Reviewed by Timothy Hatcher.
1557
1558         * inspector/scripts/codegen/generate_objc_header.py:
1559         (ObjCHeaderGenerator._generate_type_interface):
1560         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1561         (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
1562         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_protocol_object):
1563         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_json_object): Deleted.
1564         * inspector/scripts/codegen/objc_generator.py:
1565         (ObjCGenerator.protocol_type_for_raw_name):
1566         (ObjCGenerator.objc_protocol_export_expression_for_variable):
1567         (ObjCGenerator.objc_protocol_export_expression_for_variable.is):
1568         (ObjCGenerator.objc_protocol_import_expression_for_variable):
1569         (ObjCGenerator.objc_protocol_import_expression_for_variable.is):
1570         (ObjCGenerator.objc_to_protocol_expression_for_member.is):
1571         (ObjCGenerator.objc_to_protocol_expression_for_member):
1572         (ObjCGenerator.protocol_to_objc_expression_for_member.is):
1573         (ObjCGenerator.protocol_to_objc_expression_for_member):
1574         (ObjCGenerator.protocol_to_objc_code_block_for_object_member):
1575         (ObjCGenerator.objc_setter_method_for_member_internal):
1576         (ObjCGenerator.objc_getter_method_for_member_internal):
1577         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
1578         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1579         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1580         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
1581         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
1582         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
1583         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1584         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1585         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
1586         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
1587
1588 2017-11-27  JF Bastien  <jfbastien@apple.com>
1589
1590         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
1591         https://bugs.webkit.org/show_bug.cgi?id=180051
1592         <rdar://problem/35614371>
1593
1594         Reviewed by Saam Barati.
1595
1596         Checking for int32 isn't sufficient when uint32 is expected
1597         afterwards. While we're here, also use Checked<>.
1598
1599         * dfg/DFGAbstractInterpreterInlines.h:
1600         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1601
1602 2017-11-14  Carlos Garcia Campos  <cgarcia@igalia.com>
1603
1604         Move JSONValues to WTF and convert uses of InspectorValues.h to JSONValues.h
1605         https://bugs.webkit.org/show_bug.cgi?id=173793
1606
1607         Reviewed by Joseph Pecoraro.
1608
1609         Based on patch by Brian Burg.
1610
1611         * JavaScriptCore.xcodeproj/project.pbxproj:
1612         * Sources.txt:
1613         * bindings/ScriptValue.cpp:
1614         (Inspector::jsToInspectorValue):
1615         (Inspector::toInspectorValue):
1616         (Deprecated::ScriptValue::toInspectorValue const):
1617         * bindings/ScriptValue.h:
1618         * inspector/AsyncStackTrace.cpp:
1619         * inspector/ConsoleMessage.cpp:
1620         * inspector/ContentSearchUtilities.cpp:
1621         * inspector/DeprecatedInspectorValues.cpp: Added.
1622         * inspector/DeprecatedInspectorValues.h: Added.
1623         Keep the old symbols around in JavaScriptCore so that builds with the
1624         public iOS SDK continue to work. These older SDKs include a version of
1625         WebInspector.framework that expects to find InspectorArray and other
1626         symbols in JavaScriptCore.framework.
1627
1628         * inspector/InjectedScript.cpp:
1629         (Inspector::InjectedScript::getFunctionDetails):
1630         (Inspector::InjectedScript::functionDetails):
1631         (Inspector::InjectedScript::getPreview):
1632         (Inspector::InjectedScript::getProperties):
1633         (Inspector::InjectedScript::getDisplayableProperties):
1634         (Inspector::InjectedScript::getInternalProperties):
1635         (Inspector::InjectedScript::getCollectionEntries):
1636         (Inspector::InjectedScript::saveResult):
1637         (Inspector::InjectedScript::wrapCallFrames const):
1638         (Inspector::InjectedScript::wrapObject const):
1639         (Inspector::InjectedScript::wrapTable const):
1640         (Inspector::InjectedScript::previewValue const):
1641         (Inspector::InjectedScript::setExceptionValue):
1642         (Inspector::InjectedScript::clearExceptionValue):
1643         (Inspector::InjectedScript::inspectObject):
1644         (Inspector::InjectedScript::releaseObject):
1645         * inspector/InjectedScriptBase.cpp:
1646         (Inspector::InjectedScriptBase::makeCall):
1647         (Inspector::InjectedScriptBase::makeEvalCall):
1648         * inspector/InjectedScriptBase.h:
1649         * inspector/InjectedScriptManager.cpp:
1650         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
1651         * inspector/InspectorBackendDispatcher.cpp:
1652         (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
1653         (Inspector::BackendDispatcher::dispatch):
1654         (Inspector::BackendDispatcher::sendResponse):
1655         (Inspector::BackendDispatcher::sendPendingErrors):
1656         (Inspector::BackendDispatcher::getPropertyValue):
1657         (Inspector::castToInteger):
1658         (Inspector::castToNumber):
1659         (Inspector::BackendDispatcher::getInteger):
1660         (Inspector::BackendDispatcher::getDouble):
1661         (Inspector::BackendDispatcher::getString):
1662         (Inspector::BackendDispatcher::getBoolean):
1663         (Inspector::BackendDispatcher::getObject):
1664         (Inspector::BackendDispatcher::getArray):
1665         (Inspector::BackendDispatcher::getValue):
1666         * inspector/InspectorBackendDispatcher.h:
1667         We need to keep around the sendResponse() variant with a parameter that
1668         has the InspectorObject type, as older WebInspector.framework versions
1669         expect this symbol to exist. Introduce a variant with arity 3 that can
1670         be used in TOT so as to avoid having two methods with the same name, arity, and
1671         different parameter types.
1672
1673         When system WebInspector.framework is updated, we can remove the legacy
1674         method variant that uses the InspectorObject type. At that point, we can
1675         transition TOT to use the 2-arity variant, and delete the 3-arity variant
1676         when system WebInspector.framework is updated once more to use the 2-arity one.
1677
1678         * inspector/InspectorProtocolTypes.h:
1679         (Inspector::Protocol::Array::openAccessors):
1680         (Inspector::Protocol::PrimitiveBindingTraits::assertValueHasExpectedType):
1681         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
1682         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
1683         (Inspector::Protocol::BindingTraits<JSON::Value>::assertValueHasExpectedType):
1684         * inspector/ScriptCallFrame.cpp:
1685         * inspector/ScriptCallStack.cpp:
1686         * inspector/agents/InspectorAgent.cpp:
1687         (Inspector::InspectorAgent::inspect):
1688         * inspector/agents/InspectorAgent.h:
1689         * inspector/agents/InspectorDebuggerAgent.cpp:
1690         (Inspector::buildAssertPauseReason):
1691         (Inspector::buildCSPViolationPauseReason):
1692         (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
1693         (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason):
1694         (Inspector::buildObjectForBreakpointCookie):
1695         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
1696         (Inspector::parseLocation):
1697         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
1698         (Inspector::InspectorDebuggerAgent::setBreakpoint):
1699         (Inspector::InspectorDebuggerAgent::continueToLocation):
1700         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
1701         (Inspector::InspectorDebuggerAgent::didParseSource):
1702         (Inspector::InspectorDebuggerAgent::breakProgram):
1703         * inspector/agents/InspectorDebuggerAgent.h:
1704         * inspector/agents/InspectorRuntimeAgent.cpp:
1705         (Inspector::InspectorRuntimeAgent::callFunctionOn):
1706         (Inspector::InspectorRuntimeAgent::saveResult):
1707         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1708         * inspector/agents/InspectorRuntimeAgent.h:
1709         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
1710         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
1711         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
1712         (CppBackendDispatcherImplementationGenerator.generate_output):
1713         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
1714         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
1715         (CppFrontendDispatcherHeaderGenerator.generate_output):
1716         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
1717         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
1718         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
1719         (_generate_unchecked_setter_for_member):
1720         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
1721         (CppProtocolTypesImplementationGenerator):
1722         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1723         (ObjCBackendDispatcherImplementationGenerator.generate_output):
1724         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
1725         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1726         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
1727         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
1728         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
1729         * inspector/scripts/codegen/generate_objc_internal_header.py:
1730         (ObjCInternalHeaderGenerator.generate_output):
1731         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1732         (ObjCProtocolTypesImplementationGenerator.generate_output):
1733         * inspector/scripts/codegen/generator.py:
1734         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
1735         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1736         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1737         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
1738         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
1739         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
1740         * inspector/scripts/tests/generic/expected/enum-values.json-result:
1741         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
1742         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
1743         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
1744         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
1745         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
1746         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
1747         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
1748         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1749         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1750         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
1751         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
1752         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
1753         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
1754
1755 2017-11-28  Robin Morisset  <rmorisset@apple.com>
1756
1757         Support recursive tail call optimization for polymorphic calls
1758         https://bugs.webkit.org/show_bug.cgi?id=178390
1759
1760         Reviewed by Saam Barati.
1761
1762         Comes with a large but fairly simple refactoring: the inlining path for varargs and non-varargs calls now converge a lot later,
1763         eliminating some redundant checks, and simplifying a few parts of the inlining pipeline.
1764
1765         Also removes some dead code from inlineCall(): there was a special path for when m_continuationBlock is null, but it should never be (now checked with RELEASE_ASSERT).
1766
1767         * dfg/DFGByteCodeParser.cpp:
1768         (JSC::DFG::ByteCodeParser::handleCall):
1769         (JSC::DFG::ByteCodeParser::handleVarargsCall):
1770         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
1771         (JSC::DFG::ByteCodeParser::inlineCall):
1772         (JSC::DFG::ByteCodeParser::handleCallVariant):
1773         (JSC::DFG::ByteCodeParser::handleVarargsInlining):
1774         (JSC::DFG::ByteCodeParser::getInliningBalance):
1775         (JSC::DFG::ByteCodeParser::handleInlining):
1776         (JSC::DFG::ByteCodeParser::attemptToInlineCall): Deleted.
1777
1778 2017-11-27  Saam Barati  <sbarati@apple.com>
1779
1780         Spread can escape when CreateRest does not
1781         https://bugs.webkit.org/show_bug.cgi?id=180057
1782         <rdar://problem/35676119>
1783
1784         Reviewed by JF Bastien.
1785
1786         We previously did not handle Spread(PhantomCreateRest) only because I did not
1787         think it was possible to generate this IR. I was wrong. We can generate
1788         such IR when we have a PutStack(Spread) but nothing escapes the CreateRest.
1789         This IR is rare to generate since we normally don't PutStack(Spread) because
1790         the SetLocal almost always gets eliminated because of how our bytecode generates
1791         op_spread. However, there exists a test case showing it is possible. Supporting
1792         this IR pattern in FTLLower is trivial. This patch implements it and rewrites
1793         the Validation rule for Spread.
1794
1795         * dfg/DFGOperations.cpp:
1796         * dfg/DFGOperations.h:
1797         * dfg/DFGValidate.cpp:
1798         * ftl/FTLLowerDFGToB3.cpp:
1799         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
1800         * runtime/JSFixedArray.h:
1801         (JSC::JSFixedArray::tryCreate):
1802
1803 2017-11-27  Don Olmstead  <don.olmstead@sony.com>
1804
1805         [CMake][Win] Conditionally select DLL CRT or static CRT
1806         https://bugs.webkit.org/show_bug.cgi?id=170594
1807
1808         Reviewed by Alex Christensen.
1809
1810         * shell/PlatformWin.cmake:
1811
1812 2017-11-27  Saam Barati  <sbarati@apple.com>
1813
1814         Having a bad time watchpoint firing during compilation revealed a racy assertion
1815         https://bugs.webkit.org/show_bug.cgi?id=180048
1816         <rdar://problem/35700009>
1817
1818         Reviewed by Mark Lam.
1819
1820         While a DFG compilation is watching the having a bad time watchpoint, it was
1821         asserting that the rest parameter structure has indexing type ArrayWithContiguous.
1822         However, if the having a bad time watchpoint fires during the compilation,
1823         this particular structure will no longer have ArrayWithContiguous indexing type.
1824         This patch fixes this racy assertion to be aware that the watchpoint may fire
1825         during compilation.
1826
1827         * dfg/DFGSpeculativeJIT.cpp:
1828         (JSC::DFG::SpeculativeJIT::compileCreateRest):
1829         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
1830
1831 2017-11-27  Tim Horton  <timothy_horton@apple.com>
1832
1833         One too many zeroes in macOS version number in FeatureDefines
1834         https://bugs.webkit.org/show_bug.cgi?id=180011
1835
1836         Reviewed by Dan Bernstein.
1837
1838         * Configurations/FeatureDefines.xcconfig:
1839
1840 2017-11-27  Robin Morisset  <rmorisset@apple.com>
1841
1842         Update DFGSafeToExecute to be aware that ArrayPush is now a varargs node
1843         https://bugs.webkit.org/show_bug.cgi?id=179821
1844
1845         Reviewed by Saam Barati.
1846
1847         * dfg/DFGSafeToExecute.h:
1848         (JSC::DFG::safeToExecute):
1849
1850 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1851
1852         [DFG] Add NormalizeMapKey DFG IR
1853         https://bugs.webkit.org/show_bug.cgi?id=179912
1854
1855         Reviewed by Saam Barati.
1856
1857         This patch introduces the NormalizeMapKey DFG node. It executes what normalizeMapKey does in an inlined manner.
1858         By separating this from MapHash and Map/Set related operations, we can perform CSE onto that, and we
1859         do not need to call normalizeMapKey conservatively in DFG operations.
1860         This can reduce the slow path case in Untyped GetMapBucket since we can normalize keys in DFG/FTL.
1861
1862         * dfg/DFGAbstractInterpreterInlines.h:
1863         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1864         * dfg/DFGByteCodeParser.cpp:
1865         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1866         * dfg/DFGClobberize.h:
1867         (JSC::DFG::clobberize):
1868         * dfg/DFGDoesGC.cpp:
1869         (JSC::DFG::doesGC):
1870         * dfg/DFGFixupPhase.cpp:
1871         (JSC::DFG::FixupPhase::fixupNode):
1872         (JSC::DFG::FixupPhase::fixupNormalizeMapKey):
1873         * dfg/DFGNodeType.h:
1874         * dfg/DFGOperations.cpp:
1875         * dfg/DFGPredictionPropagationPhase.cpp:
1876         * dfg/DFGSafeToExecute.h:
1877         (JSC::DFG::safeToExecute):
1878         * dfg/DFGSpeculativeJIT.cpp:
1879         (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
1880         * dfg/DFGSpeculativeJIT.h:
1881         * dfg/DFGSpeculativeJIT32_64.cpp:
1882         (JSC::DFG::SpeculativeJIT::compile):
1883         * dfg/DFGSpeculativeJIT64.cpp:
1884         (JSC::DFG::SpeculativeJIT::compile):
1885         * ftl/FTLCapabilities.cpp:
1886         (JSC::FTL::canCompile):
1887         * ftl/FTLLowerDFGToB3.cpp:
1888         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1889         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
1890         (JSC::FTL::DFG::LowerDFGToB3::compileNormalizeMapKey):
1891         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
1892         * runtime/HashMapImpl.h:
1893
1894 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1895
1896         [FTL] Support DeleteById and DeleteByVal
1897         https://bugs.webkit.org/show_bug.cgi?id=180022
1898
1899         Reviewed by Saam Barati.
1900
1901         We should increase the coverage of FTL. Even if the code includes DeleteById,
1902         it does not mean that the remaining part of the code should not be optimized in FTL.
1903         Right now, even CallEval and `with` scope are handled in FTL.
1904
1905         This patch just adds DeleteById and DeleteByVal handling to FTL to allow optimizing
1906         code including them.
1907
1908         * ftl/FTLCapabilities.cpp:
1909         (JSC::FTL::canCompile):
1910         * ftl/FTLLowerDFGToB3.cpp:
1911         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1912         (JSC::FTL::DFG::LowerDFGToB3::compileDeleteById):
1913         (JSC::FTL::DFG::LowerDFGToB3::compileDeleteByVal):
1914
1915 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1916
1917         [DFG] Introduce {Set,Map,WeakMap}Fields
1918         https://bugs.webkit.org/show_bug.cgi?id=179925
1919
1920         Reviewed by Saam Barati.
1921
1922         SetAdd and MapSet use `write(MiscFields)`, but it is not correct. It accidentally
1923         writes readonly MiscFields, which is used by various nodes, and makes optimization
1924         conservative.
1925
1926         We introduce JSSetFields, JSMapFields, and JSWeakMapFields to precisely model clobberizing of Map, Set, and WeakMap.
1927
1928         * dfg/DFGAbstractHeap.h:
1929         * dfg/DFGByteCodeParser.cpp:
1930         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1931         * dfg/DFGClobberize.h:
1932         (JSC::DFG::clobberize):
1933         * dfg/DFGHeapLocation.cpp:
1934         (WTF::printInternal):
1935         * dfg/DFGHeapLocation.h:
1936         * dfg/DFGNode.h:
1937         (JSC::DFG::Node::hasBucketOwnerType):
1938
1939 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1940
1941         [JSC] Remove JSStringBuilder
1942         https://bugs.webkit.org/show_bug.cgi?id=180016
1943
1944         Reviewed by Saam Barati.
1945
1946         JSStringBuilder is replaced with WTF::StringBuilder.
1947         This patch removes remaining uses and drops JSStringBuilder.
1948
1949         * JavaScriptCore.xcodeproj/project.pbxproj:
1950         * runtime/ArrayPrototype.cpp:
1951         * runtime/AsyncFunctionPrototype.cpp:
1952         * runtime/AsyncGeneratorFunctionPrototype.cpp:
1953         * runtime/ErrorPrototype.cpp:
1954         * runtime/FunctionPrototype.cpp:
1955         * runtime/GeneratorFunctionPrototype.cpp:
1956         * runtime/JSGlobalObjectFunctions.cpp:
1957         (JSC::decode):
1958         (JSC::globalFuncEscape):
1959         * runtime/JSStringBuilder.h: Removed.
1960         * runtime/JSStringInlines.h:
1961         (JSC::jsMakeNontrivialString):
1962         * runtime/RegExpPrototype.cpp:
1963         * runtime/StringPrototype.cpp:
1964
1965 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1966
1967         [DFG] Remove GetLocalUnlinked
1968         https://bugs.webkit.org/show_bug.cgi?id=180017
1969
1970         Reviewed by Saam Barati.
1971
1972         Since DFGArgumentsSimplificationPhase was removed 2 years ago, GetLocalUnlinked is no longer used in DFG.
1973         This patch just removes it.
1974
1975         * dfg/DFGAbstractInterpreterInlines.h:
1976         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1977         * dfg/DFGClobberize.h:
1978         (JSC::DFG::clobberize):
1979         * dfg/DFGCommon.h:
1980         * dfg/DFGDoesGC.cpp:
1981         (JSC::DFG::doesGC):
1982         * dfg/DFGFixupPhase.cpp:
1983         (JSC::DFG::FixupPhase::fixupNode):
1984         * dfg/DFGGraph.cpp:
1985         (JSC::DFG::Graph::dump):
1986         * dfg/DFGNode.h:
1987         (JSC::DFG::Node::hasUnlinkedLocal):
1988         (JSC::DFG::Node::convertToGetLocalUnlinked): Deleted.
1989         (JSC::DFG::Node::convertToGetLocal): Deleted.
1990         (JSC::DFG::Node::hasUnlinkedMachineLocal): Deleted.
1991         (JSC::DFG::Node::setUnlinkedMachineLocal): Deleted.
1992         (JSC::DFG::Node::unlinkedMachineLocal): Deleted.
1993         * dfg/DFGNodeType.h:
1994         * dfg/DFGPredictionPropagationPhase.cpp:
1995         * dfg/DFGSafeToExecute.h:
1996         (JSC::DFG::safeToExecute):
1997         * dfg/DFGSpeculativeJIT32_64.cpp:
1998         (JSC::DFG::SpeculativeJIT::compile):
1999         * dfg/DFGSpeculativeJIT64.cpp:
2000         (JSC::DFG::SpeculativeJIT::compile):
2001         * dfg/DFGStackLayoutPhase.cpp:
2002         (JSC::DFG::StackLayoutPhase::run):
2003         * dfg/DFGValidate.cpp:
2004
2005 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2006
2007         Make ArgList::data() private again when we can remove callWasmFunction().
2008         https://bugs.webkit.org/show_bug.cgi?id=168582
2009
2010         Reviewed by JF Bastien.
2011
2012         Make ArgList::data() private since we already removed callWasmFunction.
2013
2014         * runtime/ArgList.h:
2015
2016 2016-08-05  Darin Adler  <darin@apple.com>
2017
2018         Fix some minor problems in the StringImpl header
2019         https://bugs.webkit.org/show_bug.cgi?id=160630
2020
2021         Reviewed by Brent Fulgham.
2022
2023         * inspector/ContentSearchUtilities.cpp: Removed a lot of unneeded explicit
2024         Yarr namespacing since we use "using namespace" in this file.
2025
2026 2017-11-24  Mark Lam  <mark.lam@apple.com>
2027
2028         Fix CLoop::sanitizeStack() bug where it was clearing part of the JS stack in use.
2029         https://bugs.webkit.org/show_bug.cgi?id=179936
2030         <rdar://problem/35623998>
2031
2032         Reviewed by Saam Barati.
2033
2034         This issue was uncovered when we enabled --useDollarVM=true on the JSC tests.
2035         See https://bugs.webkit.org/show_bug.cgi?id=179684.
2036
2037         Basically, in the case of the failing test we observed, op_tail_call_forward_arguments
2038         was allocating stack space to stash arguments (to be forwarded) and new frame
2039         info.  The location of this new stash space happens to lie beyond the top of frame
2040         of the tail call caller frame.  After stashing the arguments, the code proceeded
2041         to load the callee codeBlock.  This triggered an allocation, which in turn,
2042         triggered stack sanitization.  The CLoop stack sanitizer was relying on
2043         frame->topOfFrame() to tell it where the top of the used stack is.  In this case,
2044         that turned out to be inadequate.  As a result, part of the stashed data was
2045         zeroed out, and subsequently led to a crash.
2046
2047         This bug does not affect JIT builds (i.e. the ASM LLint) for 2 reasons:
2048         1. JIT builds do stack sanitization in the LLInt code itself (different from the
2049            CLoop implementation), and the sanitizer there is aware of the true top of
2050            stack value (i.e. the stack pointer).
2051         2. JIT builds don't use a parallel stack like the CLoop.  The presence of the
2052            parallel stack is one condition necessary for reproducing this issue.
2053
2054         The fix is to make the CLoop record the stack pointer in CLoopStack::m_currentStackPointer
2055         every time before it calls out to native C++ code.  This also brings the CLoop's
2056         behavior closer to hardware behavior where we can know where the stack pointer
2057         is after calling from JS back into native C++ code, which makes it easier to
2058         reason about correctness.
2059
2060         Also simplified the various stack boundary calculations (removed the +1 and -1
2061         adjustments).  The CLoopStack bounds are now:
2062
2063             reservationTop(): the lowest reserved address that can be within stack bounds.
2064             m_commitTop: the lowest address within stack bounds that has been committed.
2065             lowAddress() aka m_end: the lowest stack address that JS code can use.
2066             m_lastStackPointer: cache of the last m_currentStackPointer value.
2067             m_currentStackPointer: the CLoopStack stack pointer value when calling from JS into C++ code.
2068             highAddress(): the highest address just beyond the bounds of the stack.
2069
2070         Also deleted some unneeded code.
2071
2072         * interpreter/CLoopStack.cpp:
2073         (JSC::CLoopStack::CLoopStack):
2074         (JSC::CLoopStack::gatherConservativeRoots):
2075         (JSC::CLoopStack::sanitizeStack):
2076         (JSC::CLoopStack::setSoftReservedZoneSize):
2077         * interpreter/CLoopStack.h:
2078         (JSC::CLoopStack::setCurrentStackPointer):
2079         (JSC::CLoopStack::lowAddress const):
2080
2081         (JSC::CLoopStack::baseOfStack const): Deleted.
2082         - Not needed after we simplified the code and removed all the +1/-1 adjustments.
2083           Now, it has the exact same value as highAddress() and can be removed.
2084
2085         * interpreter/CLoopStackInlines.h:
2086         (JSC::CLoopStack::ensureCapacityFor):
2087         (JSC::CLoopStack::currentStackPointer):
2088         (JSC::CLoopStack::setCLoopStackLimit):
2089
2090         (JSC::CLoopStack::topOfFrameFor): Deleted.
2091         - Not needed.
2092
2093         (JSC::CLoopStack::topOfStack): Deleted.
2094         - Supplanted by currentStackPointer().
2095
2096         (JSC::CLoopStack::shrink): Deleted.
2097         - This is unused.
2098
2099         * llint/LowLevelInterpreter.cpp:
2100         (JSC::CLoop::execute):
2101         - Introduce a StackPointerScope to restore the original CLoopStack::m_currentStackPointer
2102           upon exiting the interpreter loop.
2103
2104         * offlineasm/cloop.rb:
2105         - Added setting of CLoopStack::m_currentStackPointer at boundary points where we
2106           call from JS into C++ code.
2107
2108         * tools/VMInspector.h:
2109         - Added some default argument values. These were being used while debugging this
2110           issue.
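
        The failure mode described above, as an added simulation that is not the CLoop code itself:
        a small downward-growing stack, one live frame, an argument stash placed below
        frame->topOfFrame(), and a sanitizer that trusts either the frame top (the bug) or a stack
        pointer recorded before the call into C++ (the fix). Slot counts and the fill values are constructed.

```cpp
#include <algorithm>
#include <array>
#include <cstddef>
#include <cstdint>

// Constructed simulation (not JSC's code) of the CLoop parallel stack. Slots are
// indices into `words`; the stack grows toward lower indices, like the real one.
constexpr size_t kStackWords = 32;

struct SimStack {
    std::array<uint64_t, kStackWords> words{};
    size_t highAddress = kStackWords;          // just beyond the highest usable slot
    size_t lowAddress = 0;                     // lowest slot JS code may use
    size_t topOfFrame = kStackWords;           // lowest slot owned by the current frame
    size_t currentStackPointer = kStackWords;  // recorded before each call into C++ (the fix)
};

// Which value the sanitizer trusts as the top of the used stack.
enum class SanitizeBound { TopOfFrame, CurrentStackPointer };

// Clear the unused part of the stack: every slot from lowAddress up to, but not
// including, the slot the sanitizer believes is the lowest one still in use.
void sanitizeStack(SimStack& s, SanitizeBound bound) {
    size_t usedTop = bound == SanitizeBound::TopOfFrame ? s.topOfFrame : s.currentStackPointer;
    std::fill(s.words.begin() + s.lowAddress, s.words.begin() + usedTop, 0);
}

// Replays the failing sequence: a frame is live, op_tail_call_forward_arguments
// stashes arguments *below* the caller's top of frame, then loading the callee's
// CodeBlock allocates, which runs the sanitizer. Returns true if both the frame
// and the stash are intact afterwards.
bool stashSurvivesSanitization(SanitizeBound bound) {
    SimStack s;
    const size_t frameWords = 6;
    const size_t stashWords = 4;

    // Caller frame occupies [topOfFrame, highAddress).
    s.topOfFrame = s.highAddress - frameWords;
    for (size_t i = s.topOfFrame; i < s.highAddress; ++i)
        s.words[i] = 0xF000 + i;

    // Stash for forwarded arguments lies beyond (below) topOfFrame.
    size_t sp = s.topOfFrame - stashWords;
    for (size_t i = 0; i < stashWords; ++i)
        s.words[sp + i] = 0xA000 + i;

    // The fix: record the real stack pointer before calling out to native code,
    // so the sanitizer no longer has to infer the used region from frame->topOfFrame().
    s.currentStackPointer = sp;
    sanitizeStack(s, bound);   // GC triggered while loading the callee CodeBlock

    bool frameIntact = true;
    for (size_t i = s.topOfFrame; i < s.highAddress; ++i)
        frameIntact = frameIntact && s.words[i] == 0xF000 + i;
    bool stashIntact = true;
    for (size_t i = 0; i < stashWords; ++i)
        stashIntact = stashIntact && s.words[sp + i] == 0xA000 + i;
    return frameIntact && stashIntact;
}

// Slots below the recorded stack pointer must still be cleared; this checks that
// the fixed bound does not simply stop sanitizing.
bool unusedRegionIsCleared() {
    SimStack s;
    s.words[3] = 0xDEAD;                 // stale word below anything in use
    s.topOfFrame = s.highAddress - 4;
    s.currentStackPointer = s.topOfFrame - 2;
    sanitizeStack(s, SanitizeBound::CurrentStackPointer);
    return s.words[3] == 0;
}
```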
2111
2112 2017-11-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2113
2114         [JSC] Make empty key as deleted mark in HashMapBucket and drop m_deleted field
2115         https://bugs.webkit.org/show_bug.cgi?id=179923
2116
2117         Reviewed by Darin Adler.
2118
2119         We do not set empty as a key in HashMapBucket since JSMap / JSSet can expose it to users.
2120         So we can use it as a marker of deleted bucket.
2121
2122         This patch uses the empty key as a deleted flag, and drops the m_deleted field of HashMapBucket.
2123         It shrinks the size of HashMapBucket considerably.
2124
2125         * dfg/DFGSpeculativeJIT.cpp:
2126         (JSC::DFG::SpeculativeJIT::compileGetMapBucketNext):
2127         * ftl/FTLAbstractHeapRepository.h:
2128         * ftl/FTLLowerDFGToB3.cpp:
2129         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucketNext):
2130         * runtime/HashMapImpl.h:
2131         (JSC::HashMapBucket::createSentinel):
2132         We make the sentinel bucket (undefined, undefined) since DFG/FTL can load a value from sentinels.
2133         While the sentinel's deleted flag becomes false since the key is set, it is not a problem since the deleted
2134         flag of the sentinel bucket is not used.
2135
2136         (JSC::HashMapBucket::HashMapBucket):
2137         (JSC::HashMapBucket::deleted const):
2138         (JSC::HashMapBucket::makeDeleted):
2139         (JSC::HashMapImpl::remove):
2140         (JSC::HashMapImpl::clear):
2141         (JSC::HashMapImpl::setUpHeadAndTail):
2142         (JSC::HashMapImpl::addNormalizedInternal):
2143         (JSC::HashMapBucket::setDeleted): Deleted.
2144         (JSC::HashMapBucket::offsetOfDeleted): Deleted.
2145         (): Deleted.
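
        A constructed model of the bucket change, added here and not JSC's HashMapImpl: a reserved
        empty value doubles as the deleted marker, the sentinels hold (undefined, undefined), and a
        GetMapBucketNext-style walk skips tombstones and stops at the tail sentinel. The Value, Bucket
        and OrderedMap types are simplifications assumed for the example.

```cpp
#include <cassert>
#include <cstdint>
#include <memory>
#include <vector>

// Constructed, simplified model of the HashMapBucket idea (not JSC's code): the
// reserved "empty" value is never a user-visible key, so a bucket whose key is
// empty is a deleted bucket and no separate m_deleted field is needed.
struct Value {
    enum class Tag : uint8_t { Empty, Undefined, Int };
    Tag tag;
    int32_t payload;
    Value() : tag(Tag::Empty), payload(0) {}
    Value(Tag t, int32_t p) : tag(t), payload(p) {}
    static Value empty() { return Value(); }
    static Value undefined() { return Value(Tag::Undefined, 0); }
    static Value fromInt(int32_t i) { return Value(Tag::Int, i); }
    bool isEmpty() const { return tag == Tag::Empty; }
    bool operator==(const Value& o) const { return tag == o.tag && payload == o.payload; }
};

struct Bucket {
    Value key;
    Value value;
    Bucket* next = nullptr;
    bool deleted() const { return key.isEmpty(); }            // the empty key *is* the flag
    void makeDeleted() { key = Value::empty(); value = Value::empty(); }
};

// The layout the patch removes, kept here only to compare sizes.
struct BucketWithFlag { Value key; Value value; Bucket* next; bool deleted; };
static_assert(sizeof(Bucket) < sizeof(BucketWithFlag), "dropping the flag shrinks the bucket");

// Skip deleted buckets, as a GetMapBucketNext-style walk does. The tail sentinel
// holds (undefined, undefined), not an empty key, so it never reads as deleted
// and the walk always stops there instead of running off the end of the list.
Bucket* nextLiveBucket(Bucket* bucket) {
    Bucket* b = bucket->next;
    while (b->deleted())
        b = b->next;
    return b;
}

class OrderedMap {
public:
    OrderedMap() {
        m_head = newSentinel();
        m_tail = newSentinel();
        m_head->next = m_tail;
        m_last = m_head;
    }
    // A user key is never the empty value; the assert keeps tombstones and live keys disjoint.
    void set(Value key, Value value) {
        assert(!key.isEmpty());
        if (Bucket* b = find(key)) { b->value = value; return; }
        Bucket* b = newBucket();
        b->key = key;
        b->value = value;
        b->next = m_tail;
        m_last->next = b;
        m_last = b;
    }
    bool remove(Value key) {
        Bucket* b = find(key);
        if (!b) return false;
        b->makeDeleted();   // stays linked; walks skip it through deleted()
        return true;
    }
    // Live keys in insertion order, collected by the same walk the JIT would emit.
    std::vector<int32_t> liveKeys() {
        std::vector<int32_t> out;
        for (Bucket* b = nextLiveBucket(m_head); b != m_tail; b = nextLiveBucket(b))
            out.push_back(b->key.payload);
        return out;
    }
    bool tailIsDeleted() const { return m_tail->deleted(); }

private:
    Bucket* newBucket() {
        m_buckets.push_back(std::unique_ptr<Bucket>(new Bucket()));
        return m_buckets.back().get();
    }
    Bucket* newSentinel() {
        Bucket* s = newBucket();
        s->key = Value::undefined();     // (undefined, undefined): loadable, never "deleted"
        s->value = Value::undefined();
        return s;
    }
    Bucket* find(Value key) {
        for (Bucket* b = nextLiveBucket(m_head); b != m_tail; b = nextLiveBucket(b))
            if (b->key == key) return b;
        return nullptr;
    }
    std::vector<std::unique_ptr<Bucket>> m_buckets;
    Bucket* m_head = nullptr;
    Bucket* m_tail = nullptr;
    Bucket* m_last = nullptr;
};
```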
2146
2147 2017-11-24  Mark Lam  <mark.lam@apple.com>
2148
2149         Move unsafe jsc shell test functions to the $vm object.
2150         https://bugs.webkit.org/show_bug.cgi?id=179980
2151
2152         Reviewed by Yusuke Suzuki.
2153
2154         Also removed setElementRoot() which was not used.
2155
2156         * jsc.cpp:
2157         (GlobalObject::finishCreation):
2158         (WTF::Element::Element): Deleted.
2159         (WTF::Element::root const): Deleted.
2160         (WTF::Element::setRoot): Deleted.
2161         (WTF::Element::create): Deleted.
2162         (WTF::Element::visitChildren): Deleted.
2163         (WTF::Element::createStructure): Deleted.
2164         (WTF::Root::Root): Deleted.
2165         (WTF::Root::element): Deleted.
2166         (WTF::Root::setElement): Deleted.
2167         (WTF::Root::create): Deleted.
2168         (WTF::Root::createStructure): Deleted.
2169         (WTF::Root::visitChildren): Deleted.
2170         (WTF::ImpureGetter::ImpureGetter): Deleted.
2171         (WTF::ImpureGetter::createStructure): Deleted.
2172         (WTF::ImpureGetter::create): Deleted.
2173         (WTF::ImpureGetter::finishCreation): Deleted.
2174         (WTF::ImpureGetter::getOwnPropertySlot): Deleted.
2175         (WTF::ImpureGetter::visitChildren): Deleted.
2176         (WTF::ImpureGetter::setDelegate): Deleted.
2177         (WTF::CustomGetter::CustomGetter): Deleted.
2178         (WTF::CustomGetter::createStructure): Deleted.
2179         (WTF::CustomGetter::create): Deleted.
2180         (WTF::CustomGetter::getOwnPropertySlot): Deleted.
2181         (WTF::CustomGetter::customGetter): Deleted.
2182         (WTF::CustomGetter::customGetterAcessor): Deleted.
2183         (WTF::RuntimeArray::create): Deleted.
2184         (WTF::RuntimeArray::~RuntimeArray): Deleted.
2185         (WTF::RuntimeArray::destroy): Deleted.
2186         (WTF::RuntimeArray::getOwnPropertySlot): Deleted.
2187         (WTF::RuntimeArray::getOwnPropertySlotByIndex): Deleted.
2188         (WTF::RuntimeArray::put): Deleted.
2189         (WTF::RuntimeArray::deleteProperty): Deleted.
2190         (WTF::RuntimeArray::getLength const): Deleted.
2191         (WTF::RuntimeArray::createPrototype): Deleted.
2192         (WTF::RuntimeArray::createStructure): Deleted.
2193         (WTF::RuntimeArray::finishCreation): Deleted.
2194         (WTF::RuntimeArray::RuntimeArray): Deleted.
2195         (WTF::RuntimeArray::lengthGetter): Deleted.
2196         (WTF::SimpleObject::SimpleObject): Deleted.
2197         (WTF::SimpleObject::create): Deleted.
2198         (WTF::SimpleObject::visitChildren): Deleted.
2199         (WTF::SimpleObject::createStructure): Deleted.
2200         (WTF::SimpleObject::hiddenValue): Deleted.
2201         (WTF::SimpleObject::setHiddenValue): Deleted.
2202         (WTF::DOMJITNode::DOMJITNode): Deleted.
2203         (WTF::DOMJITNode::createStructure): Deleted.
2204         (WTF::DOMJITNode::checkSubClassSnippet): Deleted.
2205         (WTF::DOMJITNode::create): Deleted.
2206         (WTF::DOMJITNode::value const): Deleted.
2207         (WTF::DOMJITNode::offsetOfValue): Deleted.
2208         (WTF::DOMJITGetter::DOMJITGetter): Deleted.
2209         (WTF::DOMJITGetter::createStructure): Deleted.
2210         (WTF::DOMJITGetter::create): Deleted.
2211         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute): Deleted.
2212         (WTF::DOMJITGetter::DOMJITAttribute::slowCall): Deleted.
2213         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter): Deleted.
2214         (WTF::DOMJITGetter::customGetter): Deleted.
2215         (WTF::DOMJITGetter::finishCreation): Deleted.
2216         (WTF::DOMJITGetterComplex::DOMJITGetterComplex): Deleted.
2217         (WTF::DOMJITGetterComplex::createStructure): Deleted.
2218         (WTF::DOMJITGetterComplex::create): Deleted.
2219         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute): Deleted.
2220         (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall): Deleted.
2221         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter): Deleted.
2222         (WTF::DOMJITGetterComplex::functionEnableException): Deleted.
2223         (WTF::DOMJITGetterComplex::customGetter): Deleted.
2224         (WTF::DOMJITGetterComplex::finishCreation): Deleted.
2225         (WTF::DOMJITFunctionObject::DOMJITFunctionObject): Deleted.
2226         (WTF::DOMJITFunctionObject::createStructure): Deleted.
2227         (WTF::DOMJITFunctionObject::create): Deleted.
2228         (WTF::DOMJITFunctionObject::safeFunction): Deleted.
2229         (WTF::DOMJITFunctionObject::unsafeFunction): Deleted.
2230         (WTF::DOMJITFunctionObject::checkSubClassSnippet): Deleted.
2231         (WTF::DOMJITFunctionObject::finishCreation): Deleted.
2232         (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject): Deleted.
2233         (WTF::DOMJITCheckSubClassObject::createStructure): Deleted.
2234         (WTF::DOMJITCheckSubClassObject::create): Deleted.
2235         (WTF::DOMJITCheckSubClassObject::safeFunction): Deleted.
2236         (WTF::DOMJITCheckSubClassObject::unsafeFunction): Deleted.
2237         (WTF::DOMJITCheckSubClassObject::finishCreation): Deleted.
2238         (WTF::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject): Deleted.
2239         (WTF::DOMJITGetterBaseJSObject::createStructure): Deleted.
2240         (WTF::DOMJITGetterBaseJSObject::create): Deleted.
2241         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute): Deleted.
2242         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall): Deleted.
2243         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter): Deleted.
2244         (WTF::DOMJITGetterBaseJSObject::customGetter): Deleted.
2245         (WTF::DOMJITGetterBaseJSObject::finishCreation): Deleted.
2246         (WTF::Element::handleOwner): Deleted.
2247         (WTF::Element::finishCreation): Deleted.
2248         (JSTestCustomGetterSetter::JSTestCustomGetterSetter): Deleted.
2249         (JSTestCustomGetterSetter::create): Deleted.
2250         (JSTestCustomGetterSetter::createStructure): Deleted.
2251         (customGetAccessor): Deleted.
2252         (customGetValue): Deleted.
2253         (customSetAccessor): Deleted.
2254         (customSetValue): Deleted.
2255         (JSTestCustomGetterSetter::finishCreation): Deleted.
2256         (GlobalObject::addConstructableFunction): Deleted.
2257         (functionCreateRoot): Deleted.
2258         (functionCreateElement): Deleted.
2259         (functionGetElement): Deleted.
2260         (functionSetElementRoot): Deleted.
2261         (functionCreateSimpleObject): Deleted.
2262         (functionGetHiddenValue): Deleted.
2263         (functionSetHiddenValue): Deleted.
2264         (functionCreateProxy): Deleted.
2265         (functionCreateRuntimeArray): Deleted.
2266         (functionCreateImpureGetter): Deleted.
2267         (functionCreateCustomGetterObject): Deleted.
2268         (functionCreateDOMJITNodeObject): Deleted.
2269         (functionCreateDOMJITGetterObject): Deleted.
2270         (functionCreateDOMJITGetterComplexObject): Deleted.
2271         (functionCreateDOMJITFunctionObject): Deleted.
2272         (functionCreateDOMJITCheckSubClassObject): Deleted.
2273         (functionCreateDOMJITGetterBaseJSObject): Deleted.
2274         (functionSetImpureGetterDelegate): Deleted.
2275         (functionGetGetterSetter): Deleted.
2276         (functionShadowChickenFunctionsOnStack): Deleted.
2277         (functionSetGlobalConstRedeclarationShouldNotThrow): Deleted.
2278         (functionGlobalObjectForObject): Deleted.
2279         (functionLoadGetterFromGetterSetter): Deleted.
2280         (functionCreateCustomTestGetterSetter): Deleted.
2281         (functionAbort): Deleted.
2282         (functionFindTypeForExpression): Deleted.
2283         (functionReturnTypeFor): Deleted.
2284         (functionDumpBasicBlockExecutionRanges): Deleted.
2285         (functionHasBasicBlockExecuted): Deleted.
2286         (functionBasicBlockExecutionCount): Deleted.
2287         (functionEnableExceptionFuzz): Deleted.
2288         (functionCreateBuiltin): Deleted.
2289         * runtime/JSGlobalObject.cpp:
2290         (JSC::JSGlobalObject::init):
2291         * tools/JSDollarVM.cpp:
2292         (WTF::Element::Element):
2293         (WTF::Element::root const):
2294         (WTF::Element::setRoot):
2295         (WTF::Element::create):
2296         (WTF::Element::visitChildren):
2297         (WTF::Element::createStructure):
2298         (WTF::Root::Root):
2299         (WTF::Root::element):
2300         (WTF::Root::setElement):
2301         (WTF::Root::create):
2302         (WTF::Root::createStructure):
2303         (WTF::Root::visitChildren):
2304         (WTF::SimpleObject::SimpleObject):
2305         (WTF::SimpleObject::create):
2306         (WTF::SimpleObject::visitChildren):
2307         (WTF::SimpleObject::createStructure):
2308         (WTF::SimpleObject::hiddenValue):
2309         (WTF::SimpleObject::setHiddenValue):
2310         (WTF::ImpureGetter::ImpureGetter):
2311         (WTF::ImpureGetter::createStructure):
2312         (WTF::ImpureGetter::create):
2313         (WTF::ImpureGetter::finishCreation):
2314         (WTF::ImpureGetter::getOwnPropertySlot):
2315         (WTF::ImpureGetter::visitChildren):
2316         (WTF::ImpureGetter::setDelegate):
2317         (WTF::CustomGetter::CustomGetter):
2318         (WTF::CustomGetter::createStructure):
2319         (WTF::CustomGetter::create):
2320         (WTF::CustomGetter::getOwnPropertySlot):
2321         (WTF::CustomGetter::customGetter):
2322         (WTF::CustomGetter::customGetterAcessor):
2323         (WTF::RuntimeArray::create):
2324         (WTF::RuntimeArray::~RuntimeArray):
2325         (WTF::RuntimeArray::destroy):
2326         (WTF::RuntimeArray::getOwnPropertySlot):
2327         (WTF::RuntimeArray::getOwnPropertySlotByIndex):
2328         (WTF::RuntimeArray::put):
2329         (WTF::RuntimeArray::deleteProperty):
2330         (WTF::RuntimeArray::getLength const):
2331         (WTF::RuntimeArray::createPrototype):
2332         (WTF::RuntimeArray::createStructure):
2333         (WTF::RuntimeArray::finishCreation):
2334         (WTF::RuntimeArray::RuntimeArray):
2335         (WTF::RuntimeArray::lengthGetter):
2336         (WTF::DOMJITNode::DOMJITNode):
2337         (WTF::DOMJITNode::createStructure):
2338         (WTF::DOMJITNode::checkSubClassSnippet):
2339         (WTF::DOMJITNode::create):
2340         (WTF::DOMJITNode::value const):
2341         (WTF::DOMJITNode::offsetOfValue):
2342         (WTF::DOMJITGetter::DOMJITGetter):
2343         (WTF::DOMJITGetter::createStructure):
2344         (WTF::DOMJITGetter::create):
2345         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
2346         (WTF::DOMJITGetter::DOMJITAttribute::slowCall):
2347         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
2348         (WTF::DOMJITGetter::customGetter):
2349         (WTF::DOMJITGetter::finishCreation):
2350         (WTF::DOMJITGetterComplex::DOMJITGetterComplex):
2351         (WTF::DOMJITGetterComplex::createStructure):
2352         (WTF::DOMJITGetterComplex::create):
2353         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
2354         (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall):
2355         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
2356         (WTF::DOMJITGetterComplex::functionEnableException):
2357         (WTF::DOMJITGetterComplex::customGetter):
2358         (WTF::DOMJITGetterComplex::finishCreation):
2359         (WTF::DOMJITFunctionObject::DOMJITFunctionObject):
2360         (WTF::DOMJITFunctionObject::createStructure):
2361         (WTF::DOMJITFunctionObject::create):
2362         (WTF::DOMJITFunctionObject::safeFunction):
2363         (WTF::DOMJITFunctionObject::unsafeFunction):
2364         (WTF::DOMJITFunctionObject::checkSubClassSnippet):
2365         (WTF::DOMJITFunctionObject::finishCreation):
2366         (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
2367         (WTF::DOMJITCheckSubClassObject::createStructure):
2368         (WTF::DOMJITCheckSubClassObject::create):
2369         (WTF::DOMJITCheckSubClassObject::safeFunction):
2370         (WTF::DOMJITCheckSubClassObject::unsafeFunction):
2371         (WTF::DOMJITCheckSubClassObject::finishCreation):
2372         (WTF::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject):
2373         (WTF::DOMJITGetterBaseJSObject::createStructure):
2374         (WTF::DOMJITGetterBaseJSObject::create):
2375         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute):
2376         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
2377         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter):
2378         (WTF::DOMJITGetterBaseJSObject::customGetter):
2379         (WTF::DOMJITGetterBaseJSObject::finishCreation):
2380         (WTF::Message::releaseContents):
2381         (WTF::Message::index const):
2382         (WTF::JSTestCustomGetterSetter::JSTestCustomGetterSetter):
2383         (WTF::JSTestCustomGetterSetter::create):
2384         (WTF::JSTestCustomGetterSetter::createStructure):
2385         (WTF::customGetAccessor):
2386         (WTF::customGetValue):
2387         (WTF::customSetAccessor):
2388         (WTF::customSetValue):
2389         (WTF::JSTestCustomGetterSetter::finishCreation):
2390         (WTF::Element::handleOwner):
2391         (WTF::Element::finishCreation):
2392         (JSC::functionCrash):
2393         (JSC::functionCreateProxy):
2394         (JSC::functionCreateRuntimeArray):
2395         (JSC::functionCreateImpureGetter):
2396         (JSC::functionCreateCustomGetterObject):
2397         (JSC::functionCreateDOMJITNodeObject):
2398         (JSC::functionCreateDOMJITGetterObject):
2399         (JSC::functionCreateDOMJITGetterComplexObject):
2400         (JSC::functionCreateDOMJITFunctionObject):
2401         (JSC::functionCreateDOMJITCheckSubClassObject):
2402         (JSC::functionCreateDOMJITGetterBaseJSObject):
2403         (JSC::functionSetImpureGetterDelegate):
2404         (JSC::functionCreateBuiltin):
2405         (JSC::functionCreateRoot):
2406         (JSC::functionCreateElement):
2407         (JSC::functionGetElement):
2408         (JSC::functionCreateSimpleObject):
2409         (JSC::functionGetHiddenValue):
2410         (JSC::functionSetHiddenValue):
2411         (JSC::functionShadowChickenFunctionsOnStack):
2412         (JSC::functionSetGlobalConstRedeclarationShouldNotThrow):
2413         (JSC::functionFindTypeForExpression):
2414         (JSC::functionReturnTypeFor):
2415         (JSC::functionDumpBasicBlockExecutionRanges):
2416         (JSC::functionHasBasicBlockExecuted):
2417         (JSC::functionBasicBlockExecutionCount):
2418         (JSC::functionEnableExceptionFuzz):
2419         (JSC::functionGlobalObjectForObject):
2420         (JSC::functionGetGetterSetter):
2421         (JSC::functionLoadGetterFromGetterSetter):
2422         (JSC::functionCreateCustomTestGetterSetter):
2423         (JSC::JSDollarVM::finishCreation):
2424         (JSC::JSDollarVM::addFunction):
2425         (JSC::JSDollarVM::addConstructibleFunction):
2426         * tools/JSDollarVM.h:
2427         (JSC::JSDollarVM::create):
2428
2429 2017-11-23  Simon Fraser  <simon.fraser@apple.com>
2430
2431         Minor ArrayBufferView cleanup
2432         https://bugs.webkit.org/show_bug.cgi?id=179966
2433
2434         Reviewed by Darin Adler.
2435         
2436         Use void* for data pointers when we don't need to do offset math. Use const for
2437         source pointers.
2438         
2439         Prefer uint8_t* to char*.
2440         
2441         Add comments noting that the assertions should not be made release assertions
2442         as recommended by the style checker, since the point is to avoid the virtual byteLength()
2443         call in release.
2444
2445         * runtime/ArrayBufferView.h:
2446         (JSC::ArrayBufferView::setImpl):
2447         (JSC::ArrayBufferView::setRangeImpl):
2448         (JSC::ArrayBufferView::getRangeImpl):
2449         (JSC::ArrayBufferView::zeroRangeImpl):
2450
2451 2017-11-23  Darin Adler  <darin@apple.com>
2452
2453         Reduce WTF::String operations that do unnecessary Unicode operations instead of ASCII
2454         https://bugs.webkit.org/show_bug.cgi?id=179907
2455
2456         Reviewed by Sam Weinig.
2457
2458         * inspector/agents/InspectorDebuggerAgent.cpp:
2459         (Inspector::matches): Removed explicit TextCaseSensitive because RegularExpression now
2460         defaults to that.
2461
2462         * runtime/StringPrototype.cpp:
2463         (JSC::stringIncludesImpl): Use String::find since there is no overload of
2464         String::contains that takes a start offset now that we removed the one that took a
2465         caseSensitive boolean. We can add one later if we like, but this should do for now.
2466
2467         * yarr/RegularExpression.h: Moved the TextCaseSensitivity enumeration here from
2468         the StringImpl.h header because it is only used here.
2469
2470 2017-11-22  Simon Fraser  <simon.fraser@apple.com>
2471
2472         Followup after r225084: if anyone called GenericTypedArrayView() it didn't compile,
2473         because of a getRangeUnchecked/getRangeImpl name mismatch; fixed to use getRangeImpl().
2474         
2475         Also name the argument to zeroRange() to 'count' since it's an item count.
2476
2477         * runtime/GenericTypedArrayView.h:
2478         (JSC::GenericTypedArrayView::zeroRange):
2479         (JSC::GenericTypedArrayView::getRange):
2480
2481 2017-11-21  Simon Fraser  <simon.fraser@apple.com>
2482
2483         Allow for more efficient use of GenericTypedArrayView
2484         https://bugs.webkit.org/show_bug.cgi?id=179899
2485
2486         Reviewed by Sam Weinig.
2487         
2488         Fix ArrayBufferView::setRange() to not make two virtual function calls to byteLength()
2489         under setRangeImpl(). There is only one caller in GenericTypedArrayView, and it can pass
2490         in a length.
2491
2492         Add GenericTypedArrayView::getRange() to fetch a range of elements, also without virtual
2493         byteLength() calls.
2494         
2495         Renamed 'dataLength' to 'count' in setRange() to be clearer.
2496         
2497         Added setNative() for callers who don't need clamping of doubles.
2498
2499         * runtime/ArrayBufferView.h:
2500         (JSC::ArrayBufferView::setRangeImpl):
2501         (JSC::ArrayBufferView::getRangeImpl):
2502         * runtime/GenericTypedArrayView.h:
2503         (JSC::GenericTypedArrayView::setRange):
2504         (JSC::GenericTypedArrayView::setNative const):
2505         (JSC::GenericTypedArrayView::getRange):
2506         (JSC::GenericTypedArrayView::checkInboundData const):
2507         (JSC::GenericTypedArrayView::internalByteLength const):
2508
2509 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2510
2511         [DFG][FTL] Support MapSet / SetAdd intrinsics
2512         https://bugs.webkit.org/show_bug.cgi?id=179858
2513
2514         Reviewed by Saam Barati.
2515
2516         Map.prototype.set and Set.prototype.add use the MapHash value anyway.
2517         By handling them as MapSet and SetAdd DFG nodes and decoupling
2518         MapSet and SetAdd nodes from MapHash DFG node, we have a chance to
2519         remove duplicate MapHash calculation for the same key.
2520
2521         One story is *set-if-not-exists*.
2522
2523             if (!map.has(key))
2524                 map.set(key, value);
2525
2526         In the above code, both `has` and `set` require hash value for `key`.
2527         If we can change `set` to the series of DFG nodes:
2528
2529             1: MapHash(key)
2530             2: MapSet(MapObjectUse:map, Untyped:key, Untyped:value, Int32Use:@1)
2531
2532         we can remove duplicate @1 produced by `has` operation.
2533
2534         This patch improves SixSpeed map-set.es6 and map-set-object.es6 by 20.5% and 20.4% respectively:
2535
2536                                          baseline                  patched
2537
2538             map-set.es6             246.2413+-15.2084    ^    204.3679+-11.2408       ^ definitely 1.2049x faster
2539             map-set-object.es6      266.5075+-17.2289    ^    221.2792+-12.2948       ^ definitely 1.2044x faster
2540
2541         Microbenchmarks
2542
2543             map-has-and-set         148.1522+-7.6665     ^    131.4552+-7.8846        ^ definitely 1.1270x faster
2544
2545         * dfg/DFGAbstractInterpreterInlines.h:
2546         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2547         * dfg/DFGByteCodeParser.cpp:
2548         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2549         * dfg/DFGClobberize.h:
2550         (JSC::DFG::clobberize):
2551         * dfg/DFGDoesGC.cpp:
2552         (JSC::DFG::doesGC):
2553         * dfg/DFGFixupPhase.cpp:
2554         (JSC::DFG::FixupPhase::fixupNode):
2555         * dfg/DFGNodeType.h:
2556         * dfg/DFGOperations.cpp:
2557         * dfg/DFGOperations.h:
2558         * dfg/DFGPredictionPropagationPhase.cpp:
2559         * dfg/DFGSafeToExecute.h:
2560         (JSC::DFG::safeToExecute):
2561         * dfg/DFGSpeculativeJIT.cpp:
2562         (JSC::DFG::SpeculativeJIT::compileSetAdd):
2563         (JSC::DFG::SpeculativeJIT::compileMapSet):
2564         * dfg/DFGSpeculativeJIT.h:
2565         (JSC::DFG::SpeculativeJIT::callOperation):
2566         * dfg/DFGSpeculativeJIT32_64.cpp:
2567         (JSC::DFG::SpeculativeJIT::compile):
2568         * dfg/DFGSpeculativeJIT64.cpp:
2569         (JSC::DFG::SpeculativeJIT::compile):
2570         * ftl/FTLCapabilities.cpp:
2571         (JSC::FTL::canCompile):
2572         * ftl/FTLLowerDFGToB3.cpp:
2573         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2574         (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd):
2575         (JSC::FTL::DFG::LowerDFGToB3::compileMapSet):
2576         * jit/JITOperations.h:
2577         * runtime/HashMapImpl.h:
2578         (JSC::HashMapImpl::addNormalized):
2579         (JSC::HashMapImpl::addNormalizedInternal):
2580         * runtime/Intrinsic.cpp:
2581         (JSC::intrinsicName):
2582         * runtime/Intrinsic.h:
2583         * runtime/MapPrototype.cpp:
2584         (JSC::MapPrototype::finishCreation):
2585         * runtime/SetPrototype.cpp:
2586         (JSC::SetPrototype::finishCreation):
2587
2588 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2589
2590         [JSC] Allow poly proto for intrinsic getters
2591         https://bugs.webkit.org/show_bug.cgi?id=179550
2592
2593         Reviewed by Saam Barati.
2594
2595         This patch allows intrinsic getters to accept poly proto.
2596         We propagate PolyProtoAccessChain in IntrinsicGetterAccessCase to perform
2597         poly proto checks. And we extend UnderscoreProtoIntrinsic to emit
2598         code for poly proto case.
2599
2600         * bytecode/IntrinsicGetterAccessCase.cpp:
2601         (JSC::IntrinsicGetterAccessCase::IntrinsicGetterAccessCase):
2602         (JSC::IntrinsicGetterAccessCase::create):
2603         * bytecode/IntrinsicGetterAccessCase.h:
2604         * jit/IntrinsicEmitter.cpp:
2605         (JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
2606         (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
2607         * jit/Repatch.cpp:
2608         (JSC::tryCacheGetByID):
2609
2610 2017-11-20  Don Olmstead  <don.olmstead@sony.com>
2611
2612         Detect __declspec within JSBase.h
2613         https://bugs.webkit.org/show_bug.cgi?id=179892
2614
2615         Reviewed by Darin Adler.
2616
2617         * API/JSBase.h:
2618
2619 2017-11-19  Tim Horton  <timothy_horton@apple.com>
2620
2621         Remove unused TOUCH_ICON_LOADING feature flag
2622         https://bugs.webkit.org/show_bug.cgi?id=179873
2623
2624         Reviewed by Simon Fraser.
2625
2626         * Configurations/FeatureDefines.xcconfig:
2627
2628 2017-11-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2629
2630         Add CPU(UNKNOWN) to cover all the unknown CPU types
2631         https://bugs.webkit.org/show_bug.cgi?id=179243
2632
2633         Reviewed by JF Bastien.
2634
2635         * CMakeLists.txt:
2636
2637 2017-11-19  Tim Horton  <timothy_horton@apple.com>
2638
2639         Remove unused LEGACY_VENDOR_PREFIXES feature flag
2640         https://bugs.webkit.org/show_bug.cgi?id=179872
2641
2642         Reviewed by Darin Adler.
2643
2644         * Configurations/FeatureDefines.xcconfig:
2645
2646 2017-11-18  Tim Horton  <timothy_horton@apple.com>
2647
2648         Fix typos in closing ENABLE() comments
2649         https://bugs.webkit.org/show_bug.cgi?id=179869
2650
2651         Unreviewed.
2652
2653         * wasm/WasmMemory.h:
2654         * wasm/WasmMemoryMode.h:
2655
2656 2017-11-17  JF Bastien  <jfbastien@apple.com>
2657
2658         NFC update ClassInfo to C++14
2659         https://bugs.webkit.org/show_bug.cgi?id=179783
2660
2661         Reviewed by Mark Lam.
2662
2663         Forked from #179734, use `using` instead of `typedef`. It's easier
2664         to read.
2665
2666         * runtime/ClassInfo.h:
2667
2668 2017-11-17  JF Bastien  <jfbastien@apple.com>
2669
2670         WebAssembly JS API: throw when a promise can't be created
2671         https://bugs.webkit.org/show_bug.cgi?id=179826
2672         <rdar://problem/35455813>
2673
2674         Reviewed by Mark Lam.
2675
2676         Failure *in* a promise causes rejection, but failure to create a
2677         promise (because of stack overflow) isn't really spec'd (as all
2678         stack things JS). This applies to WebAssembly.compile and
2679         WebAssembly.instantiate.
2680
2681         Dan's current proposal says:
2682
2683             https://littledan.github.io/spec/document/js-api/index.html#stack-overflow
2684
2685             Whenever a stack overflow occurs in WebAssembly code, the same
2686             class of exception is thrown as for a stack overflow in
2687             JavaScript. The particular exception here is
2688             implementation-defined in both cases.
2689
2690             Note: ECMAScript doesn’t specify any sort of behavior on stack
2691             overflow; implementations have been observed to throw RangeError,
2692             InternalError or Error. Any is valid here.
2693
2694         This is for general stack overflow within WebAssembly, not
2695         specifically for promise creation within JavaScript, but it seems
2696         like a stack overflow in promise creation should follow the same
2697         rule instead of, say, swallowing the overflow and returning
2698         undefined.
2699
2700         * wasm/js/WebAssemblyPrototype.cpp:
2701         (JSC::webAssemblyCompileFunc):
2702         (JSC::webAssemblyInstantiateFunc):
2703
2704 2017-11-16  Daniel Bates  <dabates@apple.com>
2705
2706         Add feature define for alternative presentation button element
2707         https://bugs.webkit.org/show_bug.cgi?id=179692
2708         Part of <rdar://problem/34917108>
2709
2710         Reviewed by Andy Estes.
2711
2712         Only enabled on Cocoa platforms by default.
2713
2714         * Configurations/FeatureDefines.xcconfig:
2715
2716 2017-11-16  Saam Barati  <sbarati@apple.com>
2717
2718         Fix a bug with cpuid in the FTL.
2719
2720         Rubber stamped by Mark Lam.
2721
2722         Before uploading the previous patch, I tried to condense the code. I
2723         accidentally removed a crucial line saying that CPUID clobbers various
2724         registers.
2725
2726         * ftl/FTLLowerDFGToB3.cpp:
2727         (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic):
2728
2729 2017-11-16  Saam Barati  <sbarati@apple.com>
2730
2731         Add some X86 intrinsics to $vm to help with some perf testing
2732         https://bugs.webkit.org/show_bug.cgi?id=179693
2733
2734         Reviewed by Mark Lam.
2735
2736         I've been doing some local perf testing of various ideas and have
2737         had these come in handy. I'm going to land them to dollarVM to prevent
2738         having to add them to my local build every time I do perf testing.
2739
2740         * assembler/MacroAssemblerX86Common.h:
2741         (JSC::MacroAssemblerX86Common::mfence):
2742         (JSC::MacroAssemblerX86Common::rdtsc):
2743         (JSC::MacroAssemblerX86Common::pause):
2744         (JSC::MacroAssemblerX86Common::cpuid):
2745         * assembler/X86Assembler.h:
2746         (JSC::X86Assembler::rdtsc):
2747         (JSC::X86Assembler::pause):
2748         (JSC::X86Assembler::cpuid):
2749         * dfg/DFGAbstractInterpreterInlines.h:
2750         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2751         * dfg/DFGByteCodeParser.cpp:
2752         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2753         * dfg/DFGClobberize.h:
2754         (JSC::DFG::clobberize):
2755         * dfg/DFGDoesGC.cpp:
2756         (JSC::DFG::doesGC):
2757         * dfg/DFGFixupPhase.cpp:
2758         (JSC::DFG::FixupPhase::fixupNode):
2759         * dfg/DFGGraph.cpp:
2760         (JSC::DFG::Graph::dump):
2761         * dfg/DFGNode.h:
2762         (JSC::DFG::Node::intrinsic):
2763         * dfg/DFGNodeType.h:
2764         * dfg/DFGPredictionPropagationPhase.cpp:
2765         * dfg/DFGSafeToExecute.h:
2766         (JSC::DFG::safeToExecute):
2767         * dfg/DFGSpeculativeJIT32_64.cpp:
2768         (JSC::DFG::SpeculativeJIT::compile):
2769         * dfg/DFGSpeculativeJIT64.cpp:
2770         (JSC::DFG::SpeculativeJIT::compile):
2771         * dfg/DFGValidate.cpp:
2772         * ftl/FTLCapabilities.cpp:
2773         (JSC::FTL::canCompile):
2774         * ftl/FTLLowerDFGToB3.cpp:
2775         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2776         (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic):
2777         * runtime/Intrinsic.cpp:
2778         (JSC::intrinsicName):
2779         * runtime/Intrinsic.h:
2780         * tools/JSDollarVM.cpp:
2781         (JSC::functionCpuMfence):
2782         (JSC::functionCpuRdtsc):
2783         (JSC::functionCpuCpuid):
2784         (JSC::functionCpuPause):
2785         (JSC::functionCpuClflush):
2786         (JSC::JSDollarVM::finishCreation):
2787
2788 2017-11-16  JF Bastien  <jfbastien@apple.com>
2789
2790         It should be easier to reify lazy property names
2791         https://bugs.webkit.org/show_bug.cgi?id=179734
2792         <rdar://problem/35492521>
2793
2794         Reviewed by Keith Miller.
2795
2796         We reify lazy property names in a few different ways, each
2797         specific to the JSCell implementation, in put() instead of having
2798         a special function to do reification. Let's make that simpler.
2799
2800         This patch makes it easier to reify property names in a uniform
2801         manner, and does so in JSFunction. As a follow up I'll use the
2802         same mechanics for:
2803
2804         ClonedArguments   callee, iteratorSymbol (Symbol.iterator)
2805         ErrorConstructor  stackTraceLimit
2806         ErrorInstance     line, column, sourceURL, stack
2807         GenericArguments  length, callee, iteratorSymbol (Symbol.iterator)
2808         GetterSetter      RELEASE_ASSERT_NOT_REACHED()
2809         JSArray           length
2810         RegExpObject      lastIndex
2811         StringObject      length
2812
2813         * runtime/ClassInfo.h: Add reifyPropertyNameIfNeeded to method table.
2814         * runtime/JSCell.cpp:
2815         (JSC::JSCell::reifyPropertyNameIfNeeded): by default, don't reify.
2816         * runtime/JSCell.h:
2817         * runtime/JSFunction.cpp: `name` and `length` can be reified.
2818         (JSC::JSFunction::reifyPropertyNameIfNeeded):
2819         (JSC::JSFunction::put):
2820         (JSC::JSFunction::reifyLength):
2821         (JSC::JSFunction::reifyName):
2822         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
2823         (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
2824         (JSC::JSFunction::reifyLazyLengthIfNeeded):
2825         (JSC::JSFunction::reifyLazyNameIfNeeded):
2826         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
2827         * runtime/JSFunction.h:
2828         (JSC::JSFunction::isLazy):
2829         (JSC::JSFunction::isReified):
2830         * runtime/JSObjectInlines.h:
2831         (JSC::JSObject::putDirectInternal): do the reification here.
2832
2833 2017-11-16  Robin Morisset  <rmorisset@apple.com>
2834
2835         Provide a runtime option for disabling the optimization of recursive tail calls
2836         https://bugs.webkit.org/show_bug.cgi?id=179765
2837
2838         Reviewed by Mark Lam.
2839
2840         * bytecode/PreciseJumpTargets.cpp:
2841         (JSC::getJumpTargetsForBytecodeOffset):
2842         * bytecompiler/BytecodeGenerator.cpp:
2843         (JSC::BytecodeGenerator::emitEnter):
2844         * dfg/DFGByteCodeParser.cpp:
2845         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
2846         * runtime/Options.h:
2847
2848 2017-11-16  Robin Morisset  <rmorisset@apple.com>
2849
2850         Fix null pointer dereference in bytecodeDumper
2851         https://bugs.webkit.org/show_bug.cgi?id=179764
2852
2853         Reviewed by Mark Lam.
2854
2855         The problem was just a call to lastSeenCallee() that was unguarded by haveLastSeenCallee().
2856
2857         * bytecode/BytecodeDumper.cpp:
2858         (JSC::BytecodeDumper<Block>::printCallOp):
2859
2860 2017-11-16  Robin Morisset  <rmorisset@apple.com>
2861
2862         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
2863         https://bugs.webkit.org/show_bug.cgi?id=179763
2864         <rdar://problem/35550513>
2865
2866         Reviewed by Keith Miller.
2867
2868         Fix null pointer dereference caused by an eliminated tdz_check
2869
2870         The problem was when doing an OSR entry in DFG while |this| was null
2871         (because super() had not yet been called in the constructor of this
2872         subclass), it would be marked as non-null, and the tdz_check eliminated.
2873
2874         * dfg/DFGInPlaceAbstractState.cpp:
2875         (JSC::DFG::InPlaceAbstractState::initialize):
2876
2877 2017-11-15  Ryan Haddad  <ryanhaddad@apple.com>
2878
2879         Unreviewed, rolling out r224863.
2880
2881         Introduced LayoutTest crashes on iOS Simulator.
2882
2883         Reverted changeset:
2884
2885         "Move JSONValues to WTF and convert uses of InspectorValues.h
2886         to JSONValues.h"
2887         https://bugs.webkit.org/show_bug.cgi?id=173793
2888         https://trac.webkit.org/changeset/224863
2889
2890 2017-11-14  Mark Lam  <mark.lam@apple.com>
2891
2892         Gardening: CLoop build fix after r224862.
2893         https://bugs.webkit.org/show_bug.cgi?id=179699
2894
2895         Not reviewed.
2896
2897         * bytecode/CodeBlock.h:
2898         (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
2899
2900 2017-11-14  Carlos Garcia Campos  <cgarcia@igalia.com>
2901
2902         Move JSONValues to WTF and convert uses of InspectorValues.h to JSONValues.h
2903         https://bugs.webkit.org/show_bug.cgi?id=173793
2904
2905         Reviewed by Brian Burg.
2906
2907         Based on patch by Brian Burg.
2908
2909         * JavaScriptCore.xcodeproj/project.pbxproj:
2910         * Sources.txt:
2911         * bindings/ScriptValue.cpp:
2912         (Inspector::jsToInspectorValue):
2913         (Inspector::toInspectorValue):
2914         (Deprecated::ScriptValue::toInspectorValue const):
2915         * bindings/ScriptValue.h:
2916         * inspector/AsyncStackTrace.cpp:
2917         * inspector/ConsoleMessage.cpp:
2918         * inspector/ContentSearchUtilities.cpp:
2919         * inspector/InjectedScript.cpp:
2920         (Inspector::InjectedScript::getFunctionDetails):
2921         (Inspector::InjectedScript::functionDetails):
2922         (Inspector::InjectedScript::getPreview):
2923         (Inspector::InjectedScript::getProperties):
2924         (Inspector::InjectedScript::getDisplayableProperties):
2925         (Inspector::InjectedScript::getInternalProperties):
2926         (Inspector::InjectedScript::getCollectionEntries):
2927         (Inspector::InjectedScript::saveResult):
2928         (Inspector::InjectedScript::wrapCallFrames const):
2929         (Inspector::InjectedScript::wrapObject const):
2930         (Inspector::InjectedScript::wrapTable const):
2931         (Inspector::InjectedScript::previewValue const):
2932         (Inspector::InjectedScript::setExceptionValue):
2933         (Inspector::InjectedScript::clearExceptionValue):
2934         (Inspector::InjectedScript::inspectObject):
2935         (Inspector::InjectedScript::releaseObject):
2936         * inspector/InjectedScriptBase.cpp:
2937         (Inspector::InjectedScriptBase::makeCall):
2938         (Inspector::InjectedScriptBase::makeEvalCall):
2939         * inspector/InjectedScriptBase.h:
2940         * inspector/InjectedScriptManager.cpp:
2941         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
2942         * inspector/InspectorBackendDispatcher.cpp:
2943         (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
2944         (Inspector::BackendDispatcher::dispatch):
2945         (Inspector::BackendDispatcher::sendResponse):
2946         (Inspector::BackendDispatcher::sendPendingErrors):
2947         (Inspector::BackendDispatcher::getPropertyValue):
2948         (Inspector::castToInteger):
2949         (Inspector::castToNumber):
2950         (Inspector::BackendDispatcher::getInteger):
2951         (Inspector::BackendDispatcher::getDouble):
2952         (Inspector::BackendDispatcher::getString):
2953         (Inspector::BackendDispatcher::getBoolean):
2954         (Inspector::BackendDispatcher::getObject):
2955         (Inspector::BackendDispatcher::getArray):
2956         (Inspector::BackendDispatcher::getValue):
2957         * inspector/InspectorBackendDispatcher.h:
2958         * inspector/InspectorProtocolTypes.h:
2959         (Inspector::Protocol::Array::openAccessors):
2960         (Inspector::Protocol::PrimitiveBindingTraits::assertValueHasExpectedType):
2961         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
2962         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
2963         (Inspector::Protocol::BindingTraits<JSON::Value>::assertValueHasExpectedType):
2964         * inspector/ScriptCallFrame.cpp:
2965         * inspector/ScriptCallStack.cpp:
2966         * inspector/agents/InspectorAgent.cpp:
2967         (Inspector::InspectorAgent::inspect):
2968         * inspector/agents/InspectorAgent.h:
2969         * inspector/agents/InspectorDebuggerAgent.cpp:
2970         (Inspector::buildAssertPauseReason):
2971         (Inspector::buildCSPViolationPauseReason):
2972         (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
2973         (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason):
2974         (Inspector::buildObjectForBreakpointCookie):
2975         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
2976         (Inspector::parseLocation):
2977         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
2978         (Inspector::InspectorDebuggerAgent::setBreakpoint):
2979         (Inspector::InspectorDebuggerAgent::continueToLocation):
2980         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
2981         (Inspector::InspectorDebuggerAgent::didParseSource):
2982         (Inspector::InspectorDebuggerAgent::breakProgram):
2983         * inspector/agents/InspectorDebuggerAgent.h:
2984         * inspector/agents/InspectorRuntimeAgent.cpp:
2985         (Inspector::InspectorRuntimeAgent::callFunctionOn):
2986         (Inspector::InspectorRuntimeAgent::saveResult):
2987         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
2988         * inspector/agents/InspectorRuntimeAgent.h:
2989         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
2990         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
2991         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2992         (CppBackendDispatcherImplementationGenerator.generate_output):
2993         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
2994         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
2995         (CppFrontendDispatcherHeaderGenerator.generate_output):
2996         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2997         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
2998         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2999         (_generate_unchecked_setter_for_member):
3000         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
3001         (CppProtocolTypesImplementationGenerator):
3002         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
3003         (ObjCBackendDispatcherImplementationGenerator.generate_output):
3004         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
3005         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
3006         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
3007         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
3008         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
3009         * inspector/scripts/codegen/generate_objc_internal_header.py:
3010         (ObjCInternalHeaderGenerator.generate_output):
3011         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
3012         (ObjCProtocolTypesImplementationGenerator.generate_output):
3013         * inspector/scripts/codegen/generator.py:
3014         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
3015         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
3016         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
3017         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
3018         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
3019         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
3020         * inspector/scripts/tests/generic/expected/enum-values.json-result:
3021         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
3022         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
3023         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
3024         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
3025         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
3026         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
3027         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
3028         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
3029         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
3030         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
3031         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
3032         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
3033         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
3034
3035 2017-11-14  Mark Lam  <mark.lam@apple.com>
3036
3037         Fix a bit-rotted Interpreter::dumpRegisters() and make it more robust.
3038         https://bugs.webkit.org/show_bug.cgi?id=179699
3039         <rdar://problem/35462346>
3040
3041         Reviewed by Michael Saboff.
3042
3043         * interpreter/Interpreter.cpp:
3044         (JSC::Interpreter::dumpRegisters):
3045         - Need to skip the callee-saved registers.
3046
3047 2017-11-14  Guillaume Emont  <guijemont@igalia.com>
3048
3049         REGRESSION(r224623) [MIPS] branchTruncateDoubleToInt32() doesn't set return register when branching
3050         https://bugs.webkit.org/show_bug.cgi?id=179563
3051
3052         Reviewed by Carlos Alberto Lopez Perez.
3053
3054         When run with BranchIfTruncateSuccessful,
3055         branchTruncateDoubleToInt32() should set the destination register
3056         before branching.
3057         This change also removes branchTruncateDoubleToUInt32() as it is
3058         deprecated (see r160205), merges branchOnTruncateResult() into
3059         branchTruncateDoubleToInt32() and adds test cases in testmasm.
3060
3061         * assembler/MacroAssemblerMIPS.h:
3062         (JSC::MacroAssemblerMIPS::branchOnTruncateResult): Deleted.
3063         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
3064         Properly set dest before branching.
3065         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUInt32): Deleted.
3066         * assembler/testmasm.cpp:
3067         (JSC::testBranchTruncateDoubleToInt32):
3068         (JSC::run):
3069         Add tests for branchTruncateDoubleToInt32().
3070
3071 2017-11-14  Daniel Bates  <dabates@apple.com>
3072
3073         Update comment in FeatureDefines.xcconfig to reflect location of Visual Studio property files
3074         for feature defines
3075
3076         Following r195498 and r201917 the Visual Studio property files for feature defines have
3077         moved from directory WebKitLibraries/win/tools/vsprops to directory Source/cmake/tools/vsprops.
3078         Update the comment in FeatureDefines.xcconfig to reflect the new location and names of these
3079         files.
3080
3081         * Configurations/FeatureDefines.xcconfig:
3082
3083 2017-11-14  Mark Lam  <mark.lam@apple.com>
3084
3085         Remove JSDollarVMPrototype.
3086         https://bugs.webkit.org/show_bug.cgi?id=179685
3087
3088         Reviewed by Saam Barati.
3089
3090         1. Move the JSDollarVMPrototype C++ utility functions into VMInspector.cpp.
3091
3092            This allows us to call these functions during lldb debugging sessions using
3093            VMInspector::foo() instead of JSDollarVMPrototype::foo().  It makes sense that
3094            VMInspector provides VM debugging utility methods.  It doesn't make sense to
3095            have a JSDollarVMPrototype object provide these methods.
3096
3097            Plus, it's shorter to type VMInspector than JSDollarVMPrototype.
3098
3099         2. Move the JSDollarVMPrototype JS functions into JSDollarVM.cpp.
3100
3101            JSDollarVM is a special object used only for debugging purposes.  There's no
3102            gain in requiring its methods to be stored in a prototype object other than to
3103            conform to typical JS convention.  We can remove this complexity.
3104
3105         * JavaScriptCore.xcodeproj/project.pbxproj:
3106         * Sources.txt:
3107         * runtime/JSGlobalObject.cpp:
3108         (JSC::JSGlobalObject::init):
3109         * tools/JSDollarVM.cpp:
3110         (JSC::JSDollarVM::addFunction):
3111         (JSC::functionCrash):
3112         (JSC::functionDFGTrue):
3113         (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
3114         (JSC::CallerFrameJITTypeFunctor::operator() const):
3115         (JSC::CallerFrameJITTypeFunctor::jitType):
3116         (JSC::functionLLintTrue):
3117         (JSC::functionJITTrue):
3118         (JSC::functionGC):
3119         (JSC::functionEdenGC):
3120         (JSC::functionCodeBlockForFrame):
3121         (JSC::codeBlockFromArg):
3122         (JSC::functionCodeBlockFor):
3123         (JSC::functionPrintSourceFor):
3124         (JSC::functionPrintBytecodeFor):
3125         (JSC::functionPrint):
3126         (JSC::functionPrintCallFrame):
3127         (JSC::functionPrintStack):
3128         (JSC::functionValue):
3129         (JSC::functionGetPID):
3130         (JSC::JSDollarVM::finishCreation):
3131         * tools/JSDollarVM.h:
3132         (JSC::JSDollarVM::create):
3133         * tools/JSDollarVMPrototype.cpp: Removed.
3134         * tools/JSDollarVMPrototype.h: Removed.
3135         * tools/VMInspector.cpp:
3136         (JSC::VMInspector::currentThreadOwnsJSLock):
3137         (JSC::ensureCurrentThreadOwnsJSLock):
3138         (JSC::VMInspector::gc):
3139         (JSC::VMInspector::edenGC):
3140         (JSC::VMInspector::isInHeap):
3141         (JSC::CellAddressCheckFunctor::CellAddressCheckFunctor):
3142         (JSC::CellAddressCheckFunctor::operator() const):
3143         (JSC::VMInspector::isValidCell):
3144         (JSC::VMInspector::isValidCodeBlock):
3145         (JSC::VMInspector::codeBlockForFrame):
3146         (JSC::PrintFrameFunctor::PrintFrameFunctor):
3147         (JSC::PrintFrameFunctor::operator() const):
3148         (JSC::VMInspector::printCallFrame):
3149         (JSC::VMInspector::printStack):
3150         (JSC::VMInspector::printValue):
3151         * tools/VMInspector.h:
3152
3153 2017-11-14  Joseph Pecoraro  <pecoraro@apple.com>
3154
3155         Web Inspector: Add a ServiceWorker domain to get information about an inspected ServiceWorker
3156         https://bugs.webkit.org/show_bug.cgi?id=179640
3157         <rdar://problem/35517361>
3158
3159         Reviewed by Devin Rousso.
3160
3161         * CMakeLists.txt:
3162         * DerivedSources.make:
3163         Gate the ServiceWorker domain on the ENABLE feature flag.
3164
3165         * inspector/protocol/ServiceWorker.json: Added.
3166         New domain to be made available inside of a ServiceWorker target.
3167
3168 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3169
3170         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
3171         https://bugs.webkit.org/show_bug.cgi?id=179594
3172
3173         Reviewed by Saam Barati.
3174
3175         Currently we handle OOB access to DirectArguments as GetByVal(Array::Generic).
3176         If we can handle it as GetByVal(Array::DirectArguments+OutOfBounds), we can (1) optimize
3177         `arguments[i]` accesses if i is in bounds, and (2) encourage arguments elimination phase
3178         to convert CreateDirectArguments and GetByVal(Array::DirectArguments+OutOfBounds) to
3179         PhantomDirectArguments and GetMyArgumentOutOfBounds respectively.
3180
3181         This patch introduces Array::DirectArguments+OutOfBounds array mode. GetByVal can
3182         accept this type, and emit optimized code compared to Array::Generic case.
3183
3184         We make OOB check failures in GetByVal(Array::DirectArguments+InBounds) exit as OutOfBounds
3185         instead of ExoticObjectMode.
3186
3187         This change significantly improves SixSpeed rest.es5 since it uses OOB access.
3188         Our arguments elimination phase can change CreateDirectArguments to PhantomDirectArguments.
3189
3190             rest.es5                       59.6719+-2.2440     ^      3.1634+-0.5507        ^ definitely 18.8635x faster
3191
3192         * dfg/DFGArgumentsEliminationPhase.cpp:
3193         * dfg/DFGArrayMode.cpp:
3194         (JSC::DFG::ArrayMode::refine const):
3195         * dfg/DFGClobberize.h:
3196         (JSC::DFG::clobberize):
3197         * dfg/DFGSpeculativeJIT.cpp:
3198         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
3199         * ftl/FTLLowerDFGToB3.cpp:
3200         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
3201         (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
3202
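The access pattern the entry above optimizes, as an added example that is not part of the WebKit patch: an ES5-style helper that reads `arguments[i]` for indices at or past `arguments.length`. It assumes (not stated in the ChangeLog) that a sloppy-mode function whose parameters are not captured by a closure gets a DirectArguments object in JSC, so the helper is written that way; the prototype-chain case shows why an out-of-bounds read cannot simply be treated as `undefined`.

```javascript
// Added example, not code from the WebKit patch. Sloppy mode on purpose:
// assumption (not from the ChangeLog) is that a sloppy function with no
// captured parameters gets a DirectArguments object in JSC.
function takeFirst(count) {
  var out = [];
  for (var i = 1; i <= count; i++) {
    // In bounds while i < arguments.length; otherwise an out-of-bounds read.
    out.push(arguments[i]);
  }
  return out;
}

// An out-of-bounds read is an ordinary property lookup, so it walks the
// prototype chain of the arguments object (Object.prototype). An engine may
// only return undefined for OOB indices while nothing on that chain defines
// indexed properties; otherwise it must fall back to the generic path.
function oobReadSeesPrototype() {
  var key = 7;                       // constructed: index 7 is OOB for a 1-argument call
  Object.prototype[key] = 'leaked';  // constructed indexed property on the chain
  try {
    return takeFirst(key)[key - 1];  // out[6] holds arguments[7]
  } finally {
    delete Object.prototype[key];    // restore the prototype
  }
}

// Warm-up loop so the optimizing tiers see both in-bounds and OOB accesses
// from the same call site; returns how many OOB reads yielded undefined.
function warmUp(iterations) {
  var oobReads = 0;
  for (var n = 0; n < iterations; n++) {
    var r = takeFirst(3, n);         // arguments.length is 2: indices 2 and 3 are OOB
    if (r[1] === undefined && r[2] === undefined) oobReads += 2;
  }
  return oobReads;
}
```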
3203 2017-11-14  Saam Barati  <sbarati@apple.com>
3204
3205         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
3206         https://bugs.webkit.org/show_bug.cgi?id=179639
3207         <rdar://problem/35513018>
3208
3209         Reviewed by JF Bastien.
3210
3211         Calling Wasm::Memory::grow from the JIT may cause us to GC. When we GC, we will
3212         walk the stack for ShadowChicken (and maybe other things). We weren't updating
3213         topCallFrame when calling grow from the Wasm JIT. This would cause the GC to
3214         use stale topCallFrame bits in VM, often leading to crashes. This patch fixes
3215         this bug by giving Wasm::Instance a lambda that is called when we need to store
3216         the topCallFrame. Users of Wasm::Instance can provide a function to do this action.
3217         Currently, JSWebAssemblyInstance passes in a lambda that stores to
3218         VM.topCallFrame.
3219
3220         * wasm/WasmB3IRGenerator.cpp:
3221         (JSC::Wasm::B3IRGenerator::addGrowMemory):
3222         * wasm/WasmInstance.cpp:
3223         (JSC::Wasm::Instance::Instance):
3224         (JSC::Wasm::Instance::create):
3225         * wasm/WasmInstance.h:
3226         (JSC::Wasm::Instance::storeTopCallFrame):
3227         * wasm/js/JSWebAssemblyInstance.cpp:
3228         (JSC::JSWebAssemblyInstance::create):
3229         * wasm/js/JSWebAssemblyInstance.h:
3230         * wasm/js/WasmToJS.cpp:
3231         (JSC::Wasm::wasmToJSException):
3232         * wasm/js/WebAssemblyInstanceConstructor.cpp:
3233         (JSC::constructJSWebAssemblyInstance):
3234         * wasm/js/WebAssemblyPrototype.cpp:
3235         (JSC::instantiate):
3236
3237 2017-11-13  Saam Barati  <sbarati@apple.com>
3238
3239         Remove pointer caging for HashMapImpl, JSLexicalEnvironment, DirectArguments, ScopedArguments, and ScopedArgumentsTable
3240         https://bugs.webkit.org/show_bug.cgi?id=179203
3241
3242         Reviewed by Yusuke Suzuki.
3243
3244         This patch only removes the pointer caging for the described types in the title.
3245         These types still allocate out of the gigacage. This is just a cost vs. benefit
3246         tradeoff of performance vs. security.
3247
3248         * dfg/DFGSpeculativeJIT.cpp:
3249         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
3250         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
3251         * ftl/FTLLowerDFGToB3.cpp:
3252         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
3253         * jit/JITPropertyAccess.cpp:
3254         (JSC::JIT::emitDirectArgumentsGetByVal):
3255         (JSC::JIT::emitScopedArgumentsGetByVal):
3256         * runtime/DirectArguments.h:
3257         (JSC::DirectArguments::storage):
3258         * runtime/HashMapImpl.cpp:
3259         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
3260         * runtime/HashMapImpl.h:
3261         * runtime/JSLexicalEnvironment.h:
3262         (JSC::JSLexicalEnvironment::variables):
3263         * runtime/ScopedArguments.h:
3264         (JSC::ScopedArguments::overflowStorage const):
3265
3266 2017-11-08  Keith Miller  <keith_miller@apple.com>
3267
3268         Async iteration should only fetch the next method once and add feature flag
3269         https://bugs.webkit.org/show_bug.cgi?id=179451
3270
3271         Reviewed by Geoffrey Garen.
3272
3273         Add feature flag for Async iteration. Also, change async iteration to match
3274         the expected behavior of the proposal.
3275
3276         * Configurations/FeatureDefines.xcconfig:
3277         * builtins/AsyncFromSyncIteratorPrototype.js:
3278         (globalPrivate.createAsyncFromSyncIterator):
3279         (globalPrivate.AsyncFromSyncIteratorConstructor):
3280         * builtins/BuiltinNames.h:
3281         * bytecompiler/BytecodeGenerator.cpp:
3282         (JSC::BytecodeGenerator::emitGetAsyncIterator):
3283         * runtime/Options.h:
3284
3285 2017-11-13  Mark Lam  <mark.lam@apple.com>
3286
3287         Add more overflow check book-keeping for MarkedArgumentBuffer.
3288         https://bugs.webkit.org/show_bug.cgi?id=179634
3289         <rdar://problem/35492517>
3290
3291         Reviewed by Saam Barati.
3292
3293         * runtime/ArgList.h:
3294         (JSC::MarkedArgumentBuffer::overflowCheckNotNeeded):
3295         * runtime/JSJob.cpp:
3296         (JSC::JSJobMicrotask::run):
3297         * runtime/ObjectConstructor.cpp:
3298         (JSC::defineProperties):
3299         * runtime/ReflectObject.cpp:
3300         (JSC::reflectObjectConstruct):
3301
3302 2017-11-13  Guillaume Emont  <guijemont@igalia.com>
3303
3304         [JSC] Remove ARM implementation of branchTruncateDoubleToUInt32
3305         https://bugs.webkit.org/show_bug.cgi?id=179542
3306
3307         Reviewed by Alex Christensen.
3308
3309         * assembler/MacroAssemblerARM.h:
3310         (JSC::MacroAssemblerARM::branchTruncateDoubleToUint32): Removed.
3311
3312 2017-11-13  Mark Lam  <mark.lam@apple.com>
3313
3314         Make the jsc shell loadGetterFromGetterSetter() function more robust.
3315         https://bugs.webkit.org/show_bug.cgi?id=179619
3316         <rdar://problem/35492518>
3317
3318         Reviewed by Saam Barati.
3319
3320         * jsc.cpp:
3321         (functionLoadGetterFromGetterSetter):
3322
3323 2017-11-12  Darin Adler  <darin@apple.com>
3324
3325         More is<> and downcast<>, less static_cast<>
3326         https://bugs.webkit.org/show_bug.cgi?id=179600
3327
3328         Reviewed by Chris Dumez.
3329
3330         * runtime/JSString.h:
3331         (JSC::jsSubstring): Removed unneeded static_cast; length already returns unsigned.
3332         (JSC::jsSubstringOfResolved): Ditto.
3333
3334 2017-11-12  Mark Lam  <mark.lam@apple.com>
3335
3336         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
3337         https://bugs.webkit.org/show_bug.cgi?id=179562
3338         <rdar://problem/35467022>
3339
3340         Reviewed by Saam Barati.
3341
3342         * dfg/DFGFixupPhase.cpp:
3343         (JSC::DFG::FixupPhase::fixupNode):
3344         * dfg/DFGOperations.cpp:
3345         * dfg/DFGSafeToExecute.h:
3346         (JSC::DFG::SafeToExecuteEdge::operator()):
3347         * dfg/DFGSpeculativeJIT.cpp:
3348         (JSC::DFG::SpeculativeJIT::speculateNotSymbol):
3349         (JSC::DFG::SpeculativeJIT::speculate):
3350         * dfg/DFGSpeculativeJIT.h:
3351         * dfg/DFGUseKind.cpp: