53fd9ff3f30e3e3c65547b763ef18ff285f359c7
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2017-06-29  Saam Barati  <sbarati@apple.com>
2
3         Calculating postCapacity in unshiftCountSlowCase is wrong
4         https://bugs.webkit.org/show_bug.cgi?id=173992
5         <rdar://problem/32283199>
6
7         Reviewed by Keith Miller.
8
9         This patch fixes a bug inside unshiftCountSlowCase where we would use
10         more memory than we allocated. The bug was when deciding how much extra
11         space we have after the vector we've allocated. This area is called the
12         postCapacity. The largest legal postCapacity value we could use is the
13         space we allocated minus the space we need:
14         largestPossiblePostCapacity = newStorageCapacity - requiredVectorLength;
15         However, the code was calculating the postCapacity as:
16         postCapacity = max(newStorageCapacity - requiredVectorLength, count);
17         
18         where count is how many elements we're appending. Depending on the inputs,
19         count could be larger than (newStorageCapacity - requiredVectorLength). This
20         would cause us to use more memory than we actually allocated.
21
22         * runtime/JSArray.cpp:
23         (JSC::JSArray::unshiftCountSlowCase):
24
25 2017-06-29  Commit Queue  <commit-queue@webkit.org>
26
27         Unreviewed, rolling out r218512.
28         https://bugs.webkit.org/show_bug.cgi?id=173981
29
30         "It changes the behavior of the JS API's JSEvaluateScript
31         which breaks TurboTax" (Requested by saamyjoon on #webkit).
32
33         Reverted changeset:
34
35         "test262: Completion values for control flow do not match the
36         spec"
37         https://bugs.webkit.org/show_bug.cgi?id=171265
38         http://trac.webkit.org/changeset/218512
39
40 2017-06-29  JF Bastien  <jfbastien@apple.com>
41
42         WebAssembly: disable some APIs under CSP
43         https://bugs.webkit.org/show_bug.cgi?id=173892
44         <rdar://problem/32914613>
45
46         Reviewed by Daniel Bates.
47
48         We should disable parts of WebAssembly under Content Security
49         Policy as discussed here:
50
51         https://github.com/WebAssembly/design/issues/1092
52
53         Exactly what should be disabled isn't super clear, so we may as
54         well be conservative and disable many things if developers already
55         opted into CSP. It's easy to loosen what we disable later.
56
57         This patch disables:
58         - WebAssembly.Instance
59         - WebAssembly.instantiate
60         - WebAssembly.Memory
61         - WebAssembly.Table
62
63         And leaves:
64         - WebAssembly on the global object
65         - WebAssembly.Module
66         - WebAssembly.compile
67         - WebAssembly.CompileError
68         - WebAssembly.LinkError
69
70         Nothing because currently unimplemented:
71         - WebAssembly.compileStreaming
72         - WebAssembly.instantiateStreaming
73
74         That way it won't be possible to call WebAssembly-compiled code,
75         or create memories (which use fancy 4GiB allocations
76         sometimes). Table isn't really useful on its own, and eventually
77         we may make them shareable so without more details it seems benign
78         to disable them (and useless if we don't).
79
80         I haven't done anything with postMessage, so you can still
81         postMessage a WebAssembly.Module cross-CSP, but you can't
82         instantiate it so it's useless. Because of this I elected to leave
83         WebAssembly.Module and friends available.
84
85         I haven't added any new directives. It's still unsafe-eval. We can
86         add something else later, but it seems odd to add a WebAssembly as
87         a new capability and tell developers "you should have been using
88         this directive which we just implemented if you wanted to disable
89         WebAssembly which didn't exist when you adopted CSP". So IMO we
90         should keep unsafe-eval as it currently is, add WebAssembly to
91         what it disables, and later consider having two new directives
92         which do each individually or something.
93
94         In all cases I throw an EvalError *before* other WebAssembly
95         errors would be produced.
96
97         Note that, as for eval, reporting doesn't work and is tracked by
98         https://webkit.org/b/111869
99
100         * runtime/JSGlobalObject.cpp:
101         (JSC::JSGlobalObject::JSGlobalObject):
102         * runtime/JSGlobalObject.h:
103         (JSC::JSGlobalObject::webAssemblyEnabled):
104         (JSC::JSGlobalObject::webAssemblyDisabledErrorMessage):
105         (JSC::JSGlobalObject::setWebAssemblyEnabled):
106         * wasm/js/JSWebAssemblyInstance.cpp:
107         (JSC::JSWebAssemblyInstance::create):
108         * wasm/js/JSWebAssemblyMemory.cpp:
109         (JSC::JSWebAssemblyMemory::create):
110         * wasm/js/JSWebAssemblyMemory.h:
111         * wasm/js/JSWebAssemblyTable.cpp:
112         (JSC::JSWebAssemblyTable::create):
113         * wasm/js/WebAssemblyMemoryConstructor.cpp:
114         (JSC::constructJSWebAssemblyMemory):
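
The entry above describes the policy outcome (compilation still allowed, instantiation and memory/table allocation refused with an EvalError thrown before any other WebAssembly error) but not how page code should tell that refusal apart from a malformed module. The following is an added example written for this page, not WebKit or WebAssembly project code; it runs in any engine with the WebAssembly JS API (such as Node), where no CSP is active, so the `csp-blocked` branch is exercised only by the constructed EvalError. The module bytes and the function names are this example's own.

```javascript
// Added example (not WebKit code): classify why WebAssembly instantiation fails.
// Under a CSP without 'unsafe-eval', the entry above says WebKit throws an
// EvalError from WebAssembly.Instance / instantiate / Memory / Table *before*
// any other WebAssembly error; WebAssembly.Module and compile remain usable.

// Constructed sample: the smallest valid module (magic number + version only).
const EMPTY_MODULE_BYTES = new Uint8Array([0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00]);
// Constructed sample: bytes that are not a WebAssembly module at all.
const GARBAGE_BYTES = new Uint8Array([0x01, 0x02, 0x03, 0x04]);

// Maps an error thrown by the WebAssembly API to a stable reason string.
function classifyWasmError(error) {
  if (error instanceof EvalError) return "csp-blocked";           // 'unsafe-eval' not allowed
  if (error instanceof WebAssembly.CompileError) return "invalid-module";
  if (error instanceof WebAssembly.LinkError) return "link-failed";
  if (error instanceof RangeError) return "resource-limit";       // e.g. Memory size out of range
  return "unknown";
}

// Compile and instantiate synchronously, returning a result record instead of throwing.
// Compilation (allowed under CSP) is kept separate from instantiation (refused under CSP)
// so the caller can tell a policy refusal apart from a malformed module.
function tryInstantiate(bytes, imports = {}) {
  let module;
  try {
    module = new WebAssembly.Module(bytes);
  } catch (error) {
    return { status: "compile-failed", reason: classifyWasmError(error) };
  }
  try {
    const instance = new WebAssembly.Instance(module, imports);
    return { status: "ok", exports: Object.keys(instance.exports) };
  } catch (error) {
    return { status: "instantiate-failed", reason: classifyWasmError(error) };
  }
}

// Memory allocation is refused under CSP as well; classify it the same way.
function tryAllocateMemory(initialPages) {
  try {
    const memory = new WebAssembly.Memory({ initial: initialPages });
    return { status: "ok", byteLength: memory.buffer.byteLength };
  } catch (error) {
    return { status: "failed", reason: classifyWasmError(error) };
  }
}

console.log(tryInstantiate(EMPTY_MODULE_BYTES));  // { status: 'ok', exports: [] }
console.log(tryInstantiate(GARBAGE_BYTES));       // compile-failed / invalid-module
console.log(tryAllocateMemory(1));                // one 64 KiB page
```

A page served with a policy such as `Content-Security-Policy: script-src 'self'` (no `'unsafe-eval'`) would, per the entry, see `instantiate-failed` with reason `csp-blocked` for a module that is otherwise valid; checking the reason rather than the message text keeps the fallback path independent of engine wording.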
115
116 2017-06-28  Keith Miller  <keith_miller@apple.com>
117
118         VMTraps has some races
119         https://bugs.webkit.org/show_bug.cgi?id=173941
120
121         Reviewed by Michael Saboff.
122
123         This patch refactors much of the VMTraps API.
124
125         On the message sending side:
126
127         1) No longer uses the Yarr JIT check to determine if we are in
128         RegExp code. That was unsound because RegExp JIT code can be run
129         on compilation threads.  Instead it looks at the current frame's
130         code block slot and checks if it is valid, which is the same as
131         what it did for JIT code previously.
132
133         2) Only have one signal sender thread; previously, there could be
134         many at once, which caused some data races. Additionally, the
135         signal sender thread is an automatic thread so it will deallocate
136         itself when not in use.
137
138         On the VMTraps breakpoint side:
139
140         1) We now have a true mapping of if we hit a breakpoint instead of
141         a JIT assertion. So the exception handler won't eat JIT assertions
142         anymore.
143
144         2) It jettisons all CodeBlocks that have VMTraps breakpoints on
145         them instead of every CodeBlock on the stack. This both prevents
146         us from hitting stale VMTraps breakpoints and also doesn't OSR
147         codeblocks that otherwise don't need to be jettisoned.
148
149         3) The old exception handler could theoretically fail for a couple
150         of reasons then resume execution with a clobbered instruction
151         set. This patch will kill the program if the exception handler
152         would fail.
153
154         This patch also refactors some of the jsc.cpp functions to take the
155         CommandLine options object instead of individual options. Also, there
156         is a new command line option that makes exceptions due to watchdog
157         timeouts an acceptable result.
158
159         * API/tests/testapi.c:
160         (main):
161         * bytecode/CodeBlock.cpp:
162         (JSC::CodeBlock::installVMTrapBreakpoints):
163         * dfg/DFGCommonData.cpp:
164         (JSC::DFG::pcCodeBlockMap):
165         (JSC::DFG::CommonData::invalidate):
166         (JSC::DFG::CommonData::~CommonData):
167         (JSC::DFG::CommonData::installVMTrapBreakpoints):
168         (JSC::DFG::codeBlockForVMTrapPC):
169         * dfg/DFGCommonData.h:
170         * jsc.cpp:
171         (functionDollarAgentStart):
172         (checkUncaughtException):
173         (checkException):
174         (runWithOptions):
175         (printUsageStatement):
176         (CommandLine::parseArguments):
177         (jscmain):
178         (runWithScripts): Deleted.
179         * runtime/JSLock.cpp:
180         (JSC::JSLock::didAcquireLock):
181         * runtime/VMTraps.cpp:
182         (JSC::sanitizedTopCallFrame):
183         (JSC::VMTraps::tryInstallTrapBreakpoints):
184         (JSC::VMTraps::willDestroyVM):
185         (JSC::VMTraps::fireTrap):
186         (JSC::VMTraps::handleTraps):
187         (JSC::VMTraps::VMTraps):
188         (JSC::VMTraps::~VMTraps):
189         (JSC::findActiveVMAndStackBounds): Deleted.
190         (JSC::installSignalHandler): Deleted.
191         (JSC::VMTraps::addSignalSender): Deleted.
192         (JSC::VMTraps::removeSignalSender): Deleted.
193         (JSC::VMTraps::SignalSender::willDestroyVM): Deleted.
194         (JSC::VMTraps::SignalSender::send): Deleted.
195         * runtime/VMTraps.h:
196         (JSC::VMTraps::~VMTraps): Deleted.
197         (JSC::VMTraps::SignalSender::SignalSender): Deleted.
198
199 2017-06-28  Devin Rousso  <drousso@apple.com>
200
201         Web Inspector: Instrument active pixel memory used by canvases
202         https://bugs.webkit.org/show_bug.cgi?id=173087
203         <rdar://problem/32719261>
204
205         Reviewed by Joseph Pecoraro.
206
207         * inspector/protocol/Canvas.json:
208          - Add optional `memoryCost` attribute to the `Canvas` type.
209          - Add `canvasMemoryChanged` event that is dispatched when the `memoryCost` of a canvas changes.
210
211 2017-06-28  Joseph Pecoraro  <pecoraro@apple.com>
212
213         Web Inspector: Cleanup Protocol JSON files
214         https://bugs.webkit.org/show_bug.cgi?id=173934
215
216         Reviewed by Matt Baker.
217
218         * inspector/protocol/ApplicationCache.json:
219         * inspector/protocol/CSS.json:
220         * inspector/protocol/Console.json:
221         * inspector/protocol/DOM.json:
222         * inspector/protocol/DOMDebugger.json:
223         * inspector/protocol/Debugger.json:
224         * inspector/protocol/LayerTree.json:
225         * inspector/protocol/Network.json:
226         * inspector/protocol/Page.json:
227         * inspector/protocol/Runtime.json:
228         Be more consistent about placement of `description` property.
229
230 2017-06-27  Joseph Pecoraro  <pecoraro@apple.com>
231
232         Web Inspector: Remove unused Inspector domain events
233         https://bugs.webkit.org/show_bug.cgi?id=173905
234
235         Reviewed by Matt Baker.
236
237         * inspector/protocol/Inspector.json:
238
239 2017-06-28  JF Bastien  <jfbastien@apple.com>
240
241         Ensure that computed new stack pointer values do not underflow.
242         https://bugs.webkit.org/show_bug.cgi?id=173700
243         <rdar://problem/32926032>
244
245         Reviewed by Filip Pizlo and Saam Barati, update reviewed by Mark Lam.
246
247         Patch by Mark Lam, with the following fix:
248
249         Re-apply this patch, it originally broke the ARM build because the llint code
250         generated `subs xzr, x3, sp` which isn't valid ARM64: the third operand cannot
251         be SP (that encoding would be ZR instead, subtracting zero). Flip the comparison
252         and operands to emit valid code (because the second operand can be SP).
253
254         1. Added a RELEASE_ASSERT to BytecodeGenerator::generate() to ensure that
255            m_numCalleeLocals is sane.
256
257         2. Added underflow checks in LLInt code and VarargsFrame code.
258
259         3. Introduce minimumReservedZoneSize, which is hardcoded to 16K.
260            Ensure that Options::reservedZoneSize() is at least minimumReservedZoneSize.
261            Ensure that Options::softReservedZoneSize() is at least greater than
262            Options::reservedZoneSize() by minimumReservedZoneSize.
263
264         4. Ensure that stack checks emitted by JIT tiers include an underflow check if
265            and only if the max size of the frame is greater than Options::reservedZoneSize().
266
267            By design, we are guaranteed to have at least Options::reservedZoneSize() bytes
268            of memory at the bottom (end) of the stack.  This means that, at any time, the
269            frame pointer must be at least Options::reservedZoneSize() bytes away from the
270            end of the stack.  Hence, if the max frame size is less than
271            Options::reservedZoneSize(), there's no way that frame pointer - max
272            frame size can underflow, and we can elide the underflow check.
273
274            Note that we use Options::reservedZoneSize() instead of
275            Options::softReservedZoneSize() for determining if we need an underflow check.
276            This is because the softStackLimit that is used for stack checks can be set
277            based on Options::reservedZoneSize() during error handling (e.g. when creating
278            strings for instantiating the Error object).  Hence, the guaranteed minimum
279            distance between the frame pointer and the end of the stack is
280            Options::reservedZoneSize() and not Options::softReservedZoneSize().
281
282            Note also that we ensure that Options::reservedZoneSize() is at least
283            minimumReservedZoneSize (i.e. 16K).  In typical deployments,
284            Options::reservedZoneSize() may be larger.  Using Options::reservedZoneSize()
285            instead of minimumReservedZoneSize gives us more chances to elide underflow
286            checks.
287
288         * JavaScriptCore.xcodeproj/project.pbxproj:
289         * bytecompiler/BytecodeGenerator.cpp:
290         (JSC::BytecodeGenerator::generate):
291         * dfg/DFGGraph.cpp:
292         (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit):
293         * dfg/DFGJITCompiler.cpp:
294         (JSC::DFG::emitStackOverflowCheck):
295         (JSC::DFG::JITCompiler::compile):
296         (JSC::DFG::JITCompiler::compileFunction):
297         * ftl/FTLLowerDFGToB3.cpp:
298         (JSC::FTL::DFG::LowerDFGToB3::lower):
299         * jit/JIT.cpp:
300         (JSC::JIT::compileWithoutLinking):
301         * jit/SetupVarargsFrame.cpp:
302         (JSC::emitSetupVarargsFrameFastCase):
303         * llint/LLIntSlowPaths.cpp:
304         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
305         * llint/LowLevelInterpreter.asm:
306         * llint/LowLevelInterpreter32_64.asm:
307         * llint/LowLevelInterpreter64.asm:
308         * runtime/MinimumReservedZoneSize.h: Added.
309         * runtime/Options.cpp:
310         (JSC::recomputeDependentOptions):
311         * runtime/VM.cpp:
312         (JSC::VM::updateStackLimits):
313         * wasm/WasmB3IRGenerator.cpp:
314         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
315         * wasm/js/WebAssemblyFunction.cpp:
316         (JSC::callWebAssemblyFunction):
317
318 2017-06-28  Chris Dumez  <cdumez@apple.com>
319
320         Unreviewed, rolling out r218869.
321
322         Broke the iOS build
323
324         Reverted changeset:
325
326         "Ensure that computed new stack pointer values do not
327         underflow."
328         https://bugs.webkit.org/show_bug.cgi?id=173700
329         http://trac.webkit.org/changeset/218869
330
331 2017-06-28  Chris Dumez  <cdumez@apple.com>
332
333         Unreviewed, rolling out r218873.
334
335         Broke the iOS build
336
337         Reverted changeset:
338
339         "Gardening: CLoop build fix."
340         https://bugs.webkit.org/show_bug.cgi?id=173700
341         http://trac.webkit.org/changeset/218873
342
343 2017-06-28  Mark Lam  <mark.lam@apple.com>
344
345         Gardening: CLoop build fix.
346         https://bugs.webkit.org/show_bug.cgi?id=173700
347         <rdar://problem/32926032>
348
349         Not reviewed.
350
351         * llint/LLIntSlowPaths.cpp:
352         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
353
354 2017-06-28  Mark Lam  <mark.lam@apple.com>
355
356         Ensure that computed new stack pointer values do not underflow.
357         https://bugs.webkit.org/show_bug.cgi?id=173700
358         <rdar://problem/32926032>
359
360         Reviewed by Filip Pizlo and Saam Barati.
361
362         1. Added a RELEASE_ASSERT to BytecodeGenerator::generate() to ensure that
363            m_numCalleeLocals is sane.
364
365         2. Added underflow checks in LLInt code and VarargsFrame code.
366
367         3. Introduce minimumReservedZoneSize, which is hardcoded to 16K.
368            Ensure that Options::reservedZoneSize() is at least minimumReservedZoneSize.
369            Ensure that Options::softReservedZoneSize() is at least greater than
370            Options::reservedZoneSize() by minimumReservedZoneSize.
371
372         4. Ensure that stack checks emitted by JIT tiers include an underflow check if
373            and only if the max size of the frame is greater than Options::reservedZoneSize().
374
375            By design, we are guaranteed to have at least Options::reservedZoneSize() bytes
376            of memory at the bottom (end) of the stack.  This means that, at any time, the
377            frame pointer must be at least Options::reservedZoneSize() bytes away from the
378            end of the stack.  Hence, if the max frame size is less than
379            Options::reservedZoneSize(), there's no way that frame pointer - max
380            frame size can underflow, and we can elide the underflow check.
381
382            Note that we use Options::reservedZoneSize() instead of
383            Options::softReservedZoneSize() for determining if we need an underflow check.
384            This is because the softStackLimit that is used for stack checks can be set
385            based on Options::reservedZoneSize() during error handling (e.g. when creating
386            strings for instantiating the Error object).  Hence, the guaranteed minimum
387            distance between the frame pointer and the end of the stack is
388            Options::reservedZoneSize() and not Options::softReservedZoneSize().
389
390            Note also that we ensure that Options::reservedZoneSize() is at least
391            minimumReservedZoneSize (i.e. 16K).  In typical deployments,
392            Options::reservedZoneSize() may be larger.  Using Options::reservedZoneSize()
393            instead of minimumReservedZoneSize gives us more chances to elide underflow
394            checks.
395
396         * JavaScriptCore.xcodeproj/project.pbxproj:
397         * bytecompiler/BytecodeGenerator.cpp:
398         (JSC::BytecodeGenerator::generate):
399         * dfg/DFGGraph.cpp:
400         (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit):
401         * dfg/DFGJITCompiler.cpp:
402         (JSC::DFG::JITCompiler::compile):
403         (JSC::DFG::JITCompiler::compileFunction):
404         * ftl/FTLLowerDFGToB3.cpp:
405         (JSC::FTL::DFG::LowerDFGToB3::lower):
406         * jit/JIT.cpp:
407         (JSC::JIT::compileWithoutLinking):
408         * jit/SetupVarargsFrame.cpp:
409         (JSC::emitSetupVarargsFrameFastCase):
410         * llint/LLIntSlowPaths.cpp:
411         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
412         * llint/LowLevelInterpreter.asm:
413         * llint/LowLevelInterpreter32_64.asm:
414         * llint/LowLevelInterpreter64.asm:
415         * runtime/MinimumReservedZoneSize.h: Added.
416         * runtime/Options.cpp:
417         (JSC::recomputeDependentOptions):
418         * runtime/VM.cpp:
419         (JSC::VM::updateStackLimits):
420         * wasm/WasmB3IRGenerator.cpp:
421         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
422         * wasm/js/WebAssemblyFunction.cpp:
423         (JSC::callWebAssemblyFunction):
424
425 2017-06-27  JF Bastien  <jfbastien@apple.com>
426
427         WebAssembly: running out of executable memory should throw OoM
428         https://bugs.webkit.org/show_bug.cgi?id=171537
429         <rdar://problem/32963338>
430
431         Reviewed by Saam Barati.
432
433         Both on first compile with BBQ as well as on tier-up with OMG,
434         running out of X memory shouldn't cause the entire program to
435         terminate. An exception will do when compiling initial code (since
436         we don't have any other fallback at the moment), and refusal to
437         tier up will do as well (it'll just be slower).
438
439         This is useful because programs which generate huge amounts of
440         code simply look like crashes, which developers report to
441         us. Getting a JavaScript exception instead is much clearer.
442
443         * jit/ExecutableAllocator.cpp:
444         (JSC::ExecutableAllocator::allocate):
445         * llint/LLIntSlowPaths.cpp:
446         (JSC::LLInt::shouldJIT):
447         * runtime/Options.h:
448         * wasm/WasmBBQPlan.cpp:
449         (JSC::Wasm::BBQPlan::prepare):
450         (JSC::Wasm::BBQPlan::complete):
451         * wasm/WasmBinding.cpp:
452         (JSC::Wasm::wasmToJs):
453         (JSC::Wasm::wasmToWasm):
454         * wasm/WasmBinding.h:
455         * wasm/WasmOMGPlan.cpp:
456         (JSC::Wasm::OMGPlan::work):
457         * wasm/js/JSWebAssemblyCodeBlock.cpp:
458         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
459         * wasm/js/JSWebAssemblyCodeBlock.h:
460         * wasm/js/JSWebAssemblyInstance.cpp:
461         (JSC::JSWebAssemblyInstance::finalizeCreation):
462
463 2017-06-27  Saam Barati  <sbarati@apple.com>
464
465         JITStubRoutine::passesFilter should use isJITPC
466         https://bugs.webkit.org/show_bug.cgi?id=173906
467
468         Reviewed by JF Bastien.
469
470         This patch makes JITStubRoutine use the isJITPC abstraction defined
471         inside ExecutableAllocator.h. Before, JITStubRoutine was using a
472         hardcoded platform size constant. This means it'd do the wrong thing
473         if Options::jitMemoryReservationSize() was larger than the defined
474         constant for that platform. This patch also removes a bunch of
475         dead code in that file.
476
477         * jit/ExecutableAllocator.cpp:
478         * jit/ExecutableAllocator.h:
479         * jit/JITStubRoutine.h:
480         (JSC::JITStubRoutine::passesFilter):
481         (JSC::JITStubRoutine::canPerformRangeFilter): Deleted.
482         (JSC::JITStubRoutine::filteringStartAddress): Deleted.
483         (JSC::JITStubRoutine::filteringExtentSize): Deleted.
484
485 2017-06-27  Saam Barati  <sbarati@apple.com>
486
487         Fix some stale comments in Wasm code base
488         https://bugs.webkit.org/show_bug.cgi?id=173814
489
490         Reviewed by Mark Lam.
491
492         * wasm/WasmBinding.cpp:
493         (JSC::Wasm::wasmToJs):
494         * wasm/WasmOMGPlan.cpp:
495         (JSC::Wasm::runOMGPlanForIndex):
496
497 2017-06-27  Caio Lima  <ticaiolima@gmail.com>
498
499         [ESnext] Implement Object Rest - Implementing Object Rest Destructuring
500         https://bugs.webkit.org/show_bug.cgi?id=167962
501
502         Reviewed by Saam Barati.
503
504         The Object Rest/Spread Destructuring proposal is in stage 3[1] and this
505         patch is a prototype implementation of it. A simple change over the
506         parser was necessary to support the new '...' token on the Object Pattern
507         destructuring rule. On the bytecode generator side, we changed the
508         bytecode generated on ObjectPatternNode::bindValue to store in a
509         set the identifiers of already destructured properties, following spec draft
510         section[2], and then pass it as excludedNames to CopyDataProperties.
511         The rest destructuring calls copyDataProperties to perform the
512         copy of rest properties in rhs.
513
514         We also implemented CopyDataProperties as private JS global operation
515         on builtins/GlobalOperations.js following its specification on [3].
516         It is implemented using Set object to verify if a property is on
517         excludedNames to keep this algorithm with O(n + m) complexity, where n
518         = number of source's own properties and m = excludedNames.length.
519
520         In this implementation we aren't using excludeList as a constant if the
521         destructuring pattern contains a computed property, i.e. we can
522         just determine the key to be excluded at runtime. If we can define all
523         identifiers in the pattern in compile time, we then create a
524         constant JSSet. This approach gives a good performance improvement,
525         since we allocate the excludeSet just once, reducing GC pressure.
526
527         [1] - https://github.com/tc39/proposal-object-rest-spread
528         [2] - https://tc39.github.io/proposal-object-rest-spread/#Rest-RuntimeSemantics-PropertyDestructuringAssignmentEvaluation
529         [3] - https://tc39.github.io/proposal-object-rest-spread/#AbstractOperations-CopyDataProperties
530
531         * builtins/BuiltinNames.h:
532         * builtins/GlobalOperations.js:
533         (globalPrivate.copyDataProperties):
534         * bytecode/CodeBlock.cpp:
535         (JSC::CodeBlock::finishCreation):
536         * bytecompiler/NodesCodegen.cpp:
537         (JSC::ObjectPatternNode::bindValue):
538         * parser/ASTBuilder.h:
539         (JSC::ASTBuilder::appendObjectPatternEntry):
540         (JSC::ASTBuilder::appendObjectPatternRestEntry):
541         (JSC::ASTBuilder::setContainsObjectRestElement):
542         * parser/Nodes.h:
543         (JSC::ObjectPatternNode::appendEntry):
544         (JSC::ObjectPatternNode::setContainsRestElement):
545         * parser/Parser.cpp:
546         (JSC::Parser<LexerType>::parseDestructuringPattern):
547         (JSC::Parser<LexerType>::parseProperty):
548         * parser/SyntaxChecker.h:
549         (JSC::SyntaxChecker::operatorStackPop):
550         * runtime/JSGlobalObject.cpp:
551         (JSC::JSGlobalObject::init):
552         * runtime/JSGlobalObject.h:
553         (JSC::JSGlobalObject::asyncFunctionStructure):
554         (JSC::JSGlobalObject::setStructure): Deleted.
555         * runtime/JSGlobalObjectFunctions.cpp:
556         (JSC::privateToObject):
557         * runtime/JSGlobalObjectFunctions.h:
558         * runtime/ObjectConstructor.cpp:
559         (JSC::ObjectConstructor::finishCreation):
560         * runtime/SetPrototype.cpp:
561         (JSC::SetPrototype::finishCreation):
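
The entry above implements CopyDataProperties as a private builtin and explains the Set-based exclusion that keeps it O(n + m). The block below is an added example for this page, written in plain JavaScript; it is not WebKit's builtins/GlobalOperations.js. It follows the abstract operation cited at [3] (own keys in Reflect.ownKeys order, enumerable properties only, a Set for excludedNames, primitives boxed as with ToObject) and then checks the result against the engine's own object rest. The function and variable names are this example's own.

```javascript
// Added example (not WebKit code): the CopyDataProperties abstract operation
// in plain JavaScript. excludedNames is turned into a Set once so each own
// key is tested in O(1), giving O(n + m) overall, where n = number of source
// keys and m = excludedNames.length.
function copyDataProperties(target, source, excludedNames = []) {
  // Nothing to copy from undefined or null.
  if (source === undefined || source === null) return target;
  const excluded = new Set(excludedNames);
  const from = Object(source);                  // primitives are boxed, like ToObject
  // Reflect.ownKeys yields string keys first, then symbol keys, in spec order.
  for (const key of Reflect.ownKeys(from)) {
    if (excluded.has(key)) continue;
    const desc = Object.getOwnPropertyDescriptor(from, key);
    // Only own *enumerable* properties are copied, via Get(from, key) and
    // CreateDataProperty(target, key, value).
    if (desc !== undefined && desc.enumerable) {
      Object.defineProperty(target, key, {
        value: from[key], writable: true, enumerable: true, configurable: true,
      });
    }
  }
  return target;
}

// Object rest, as the bytecode generator lowers it: the names already
// destructured from the pattern are the excludedNames.
function objectRestExample() {
  const secret = Symbol("secret");
  // Constructed sample: string keys, a symbol key and a non-enumerable key.
  const source = { a: 1, b: 2, c: 3, [secret]: "s" };
  Object.defineProperty(source, "hidden", { value: 42, enumerable: false });
  const { a, ...restNative } = source;               // engine-provided rest
  const restManual = copyDataProperties({}, source, ["a"]);
  return { a, restNative, restManual };
}

console.log(objectRestExample());
```

For a pattern with a computed key, `const { [k]: v, ...rest } = obj`, the excluded set can only be built at run time from the evaluated `k`, which is the case the entry describes as not using a constant excludeList.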
562
563 2017-06-27  Yusuke Suzuki  <utatane.tea@gmail.com>
564
565         [JSC] Do not touch VM after notifying Ready in DFG::Worklist
566         https://bugs.webkit.org/show_bug.cgi?id=173888
567
568         Reviewed by Saam Barati.
569
570         After notifying Plan::Ready and releasing the Worklist lock, the VM can be destroyed.
571         Thus, Plan::vm() can return a destroyed VM. Do not touch it.
572         This causes occasional SEGV / assertion failures in workers/bomb test.
573
574         * dfg/DFGWorklist.cpp:
575
576 2017-06-27  Saam Barati  <sbarati@apple.com>
577
578         Remove an inaccurate comment inside DFGClobberize.h
579         https://bugs.webkit.org/show_bug.cgi?id=163874
580
581         Reviewed by Filip Pizlo.
582
583         The comment said that Clobberize may or may not be sound if run prior to
584         doing type inference. This is not correct, though. Clobberize *must* be sound
585         prior to doing type inference since we use it inside the BytecodeParser, which
586         is the very first thing the DFG does.
587
588         * dfg/DFGClobberize.h:
589         (JSC::DFG::clobberize):
590
591 2017-06-27  Saam Barati  <sbarati@apple.com>
592
593         Function constructor needs to follow the spec and validate parameters and body independently
594         https://bugs.webkit.org/show_bug.cgi?id=173303
595         <rdar://problem/32732526>
596
597         Reviewed by Keith Miller.
598
599         The Function constructor must check the arguments and body strings
600         independently for syntax errors. People rely on this specified behavior
601         to verify that a particular string is a valid function body. We used
602         to check these strings concatenated together, instead of
603         independently. For example, this used to be valid: `Function("/*", "*/){")`.
604         However, we should throw a syntax error here since "(/*)" is not a valid
605         parameter list, and "*/){" is not a valid body.
606         
607         To implement the specified behavior, we check the syntax independently of
608         both the body and the parameter list. To check that the parameter list has
609         valid syntax, we check that it is valid if in a function with an empty body.
610         To check that the body has valid syntax, we check it is valid in a function
611         with an empty parameter list.
612
613         * runtime/FunctionConstructor.cpp:
614         (JSC::constructFunctionSkippingEvalEnabledCheck):
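
The entry above gives one input, `Function("/*", "*/){")`, that a concatenate-then-parse check accepts and a per-piece check rejects. The block below is an added example for this page, not WebKit's FunctionConstructor.cpp: it models the old behaviour by parsing the glued-together text once, and the specified behaviour by validating the parameter list inside a function with an empty body and the body inside a function with an empty parameter list, exactly as the entry describes. The helper names are this example's own, and `new Function` is used only as a parser (the results are never called).

```javascript
// Added example (not WebKit code): validating parameter list and body
// independently when a function is built from strings.

// Naive model of the old behaviour: concatenate the pieces and parse once.
// Returns true when the concatenated text parses.
function concatenatedSourceParses(params, body) {
  try {
    // The assembled text is handed to Function as a *body*, so it is only
    // parsed, never executed.
    new Function("(function (" + params + ") {" + body + "})");
    return true;
  } catch (error) {
    if (error instanceof SyntaxError) return false;
    throw error;
  }
}

// Spec-style check: each piece must parse in isolation.
// Parameters are checked inside a function with an empty body; the body is
// checked inside a function with an empty parameter list.
function validateFunctionParts(params, body) {
  const parses = (p, b) => {
    try {
      new Function(p, b);
      return true;
    } catch (error) {
      if (error instanceof SyntaxError) return false;
      throw error;
    }
  };
  return { paramsOk: parses(params, ""), bodyOk: parses("", body) };
}

// The entry's example: "/*" as parameters and "*/){" as body. Glued together
// the comment swallows the boundary and the text reads "(function (){})",
// but neither piece is valid on its own.
console.log(concatenatedSourceParses("/*", "*/){"));       // true  (wrongly accepted)
console.log(validateFunctionParts("/*", "*/){"));          // { paramsOk: false, bodyOk: false }
console.log(validateFunctionParts("a, b", "return a + b")); // { paramsOk: true, bodyOk: true }
```

Code that accepts user-supplied function bodies (plugin systems, expression editors) and wants to reject anything that is not a complete body should rely on the per-piece result, since the concatenated parse only proves that some token stream happened to line up.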
615
616 2017-06-27  Ting-Wei Lan  <lantw44@gmail.com>
617
618         Add missing includes to fix compilation error on FreeBSD
619         https://bugs.webkit.org/show_bug.cgi?id=172919
620
621         Reviewed by Mark Lam.
622
623         * API/JSRemoteInspector.h:
624         * API/tests/GlobalContextWithFinalizerTest.cpp:
625         * API/tests/TypedArrayCTest.cpp:
626
627 2017-06-27  Joseph Pecoraro  <pecoraro@apple.com>
628
629         Web Inspector: Crash generating object preview for ArrayIterator
630         https://bugs.webkit.org/show_bug.cgi?id=173754
631         <rdar://problem/32859012>
632
633         Reviewed by Saam Barati.
634
635         When Inspector generated an object preview for an ArrayIterator instance, it made
636         a "clone" of the original ArrayIterator instance by constructing a new object with
637         the instance's structure. However, user code could have modified that instance's
638         structure, such as adding / removing properties. The `return` property had special
639         meaning, and our clone did not fill that slot. This approach is brittle in that
640         we weren't satisfying the expectations of an object with a particular Structure,
641         and the original goal of having Web Inspector peek values of built-in Iterators
642         was to avoid observable behavior.
643
644         This tightens Web Inspector's Iterator preview to only peek values if the
645         Iterators would actually be non-observable. It also builds an ArrayIterator
646         clone like a regular object construction.
647
648         * inspector/JSInjectedScriptHost.cpp:
649         (Inspector::cloneArrayIteratorObject):
650         Build up the Object from scratch with a new ArrayIterator prototype.
651
652         (Inspector::JSInjectedScriptHost::iteratorEntries):
653         Only clone and peek iterators if it would not be observable.
654         Also update iteration to be more in line with IterationOperations, such as when
655         we call iteratorClose.
656
657         * runtime/JSGlobalObject.cpp:
658         (JSC::JSGlobalObject::JSGlobalObject):
659         (JSC::JSGlobalObject::init):
660         * runtime/JSGlobalObject.h:
661         (JSC::JSGlobalObject::stringIteratorProtocolWatchpoint):
662         * runtime/JSGlobalObjectInlines.h:
663         (JSC::JSGlobalObject::isStringPrototypeIteratorProtocolFastAndNonObservable):
664         Add a StringIterator WatchPoint in line with the Array/Map/Set iterator watchpoints.
665
666         * runtime/JSMap.cpp:
667         (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
668         (JSC::JSMap::canCloneFastAndNonObservable):
669         * runtime/JSMap.h:
670         * runtime/JSSet.cpp:
671         (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
672         (JSC::JSSet::canCloneFastAndNonObservable):
673         * runtime/JSSet.h:
674         Promote isIteratorProtocolFastAndNonObservable to a method.
675
676         * runtime/JSObject.cpp:
677         (JSC::canDoFastPutDirectIndex):
678         * runtime/JSTypeInfo.h:
679         (JSC::TypeInfo::isArgumentsType):
680         Helper to detect if an Object is an Arguments type.
681
682 2017-06-26  Saam Barati  <sbarati@apple.com>
683
684         RegExpPrototype.js builtin uses for-of iteration which is almost certainly incorrect
685         https://bugs.webkit.org/show_bug.cgi?id=173740
686
687         Reviewed by Mark Lam.
688
689         The builtin was using for-of iteration to iterate over an internal
690         list in its algorithm. For-of iteration is observable via user code
691         in the global object, so this approach was wrong as it would break if
692         a user changed the Array iteration protocol in some way.
693
694         * builtins/RegExpPrototype.js:
695         (replace):
696
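The following is an added example, not JavaScriptCore code, illustrating both the Web Inspector iterator-peek change above and this RegExpPrototype.js fix: it shows that for-of over an internal array consults user-reachable hooks (Array.prototype[Symbol.iterator] and ArrayIterator.prototype.next), how a pristine-protocol check in the spirit of isIteratorProtocolFastAndNonObservable gates a peek fast path, and how an index loop avoids the hooks entirely. All function names and the monkeypatching helpers are assumptions for illustration.

```javascript
// Added example, not JavaScriptCore code. Shows why a builtin must not walk an
// internal list with for-of, and how an "is the iteration protocol pristine?"
// check (in the spirit of JSC's isIteratorProtocolFastAndNonObservable) gates
// a peek fast path.

// Snapshot the pristine protocol pieces at load time (assumption: untouched so far).
const ArrayIteratorPrototype = Object.getPrototypeOf([][Symbol.iterator]());
const originalArrayIterator = Array.prototype[Symbol.iterator];
const originalNext = ArrayIteratorPrototype.next;

// True only when iterating `array` with for-of can run no user code: a plain
// Array, no own @@iterator, and both protocol methods still the originals.
function isArrayIterationNonObservable(array) {
  return Array.isArray(array)
    && Object.getPrototypeOf(array) === Array.prototype
    && !Object.prototype.hasOwnProperty.call(array, Symbol.iterator)
    && Array.prototype[Symbol.iterator] === originalArrayIterator
    && ArrayIteratorPrototype.next === originalNext;
}

// Buggy pattern (what RegExpPrototype.js did): for-of over an internal list.
// for-of calls list[Symbol.iterator]() and then the iterator's `next`, both of
// which user code can replace.
function joinWithForOf(list) {
  let out = "";
  for (const item of list) out += item;
  return out;
}

// Fixed pattern: an index loop reads only `length` and the elements, so a
// patched iteration protocol is never consulted.
function joinWithIndex(list) {
  let out = "";
  for (let i = 0; i < list.length; i++) out += list[i];
  return out;
}

// Peek-style helper: take the fast path only when it is provably
// non-observable, otherwise decline (the Web Inspector change above skips the
// preview in that case rather than risk running user code).
function peekFirst(list) {
  if (!isArrayIterationNonObservable(list)) return { peeked: false };
  return { peeked: true, value: list[0] };
}

// Harness: run `fn` while Array.prototype[Symbol.iterator] is replaced by a
// user-installed generator that counts its calls and substitutes its own element.
function withPatchedIterator(fn) {
  let hookCalls = 0;
  Array.prototype[Symbol.iterator] = function* () {
    hookCalls += 1;
    yield "<injected>";
  };
  try {
    const result = fn();
    return { result, hookCalls };
  } finally {
    Array.prototype[Symbol.iterator] = originalArrayIterator;
  }
}

// Same idea for the other hook: a replaced ArrayIterator.prototype.next that
// ends iteration immediately, so for-of sees an empty list.
function withPatchedNext(fn) {
  let hookCalls = 0;
  ArrayIteratorPrototype.next = function () {
    hookCalls += 1;
    return { value: undefined, done: true };
  };
  try {
    const result = fn();
    return { result, hookCalls };
  } finally {
    ArrayIteratorPrototype.next = originalNext;
  }
}
```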
697 2017-06-26  Mark Lam  <mark.lam@apple.com>
698
699         Renamed DumpRegisterFunctor to DumpReturnVirtualPCFunctor.
700         https://bugs.webkit.org/show_bug.cgi?id=173848
701
702         Reviewed by JF Bastien.
703
704         This functor only dumps the return VirtualPC.
705
706         * interpreter/Interpreter.cpp:
707         (JSC::DumpReturnVirtualPCFunctor::DumpReturnVirtualPCFunctor):
708         (JSC::Interpreter::dumpRegisters):
709         (JSC::DumpRegisterFunctor::DumpRegisterFunctor): Deleted.
710         (JSC::DumpRegisterFunctor::operator()): Deleted.
711
712 2017-06-26  Saam Barati  <sbarati@apple.com>
713
714         Crash in JSC::Lexer<unsigned char>::setCode
715         https://bugs.webkit.org/show_bug.cgi?id=172754
716
717         Reviewed by Mark Lam.
718
719         The lexer was asking one of its buffers to reserve initial space that
720         was O(text size in bytes). For large sources, this would end up causing
721         the vector to overflow and crash. This patch changes this code be like
722         the Lexer's other buffers and to only reserve a small starting buffer.
723
724         * parser/Lexer.cpp:
725         (JSC::Lexer<T>::setCode):
726
727 2017-06-26  Yusuke Suzuki  <utatane.tea@gmail.com>
728
729         [WTF] Drop Thread::create(obsolete things) API since we can use lambda
730         https://bugs.webkit.org/show_bug.cgi?id=173825
731
732         Reviewed by Saam Barati.
733
734         * jsc.cpp:
735         (startTimeoutThreadIfNeeded):
736         (timeoutThreadMain): Deleted.
737
738 2017-06-26  Konstantin Tokarev  <annulen@yandex.ru>
739
740         Unreviewed, add missing header for CLoop
741
742         * runtime/SymbolTable.cpp:
743
744 2017-06-26  Konstantin Tokarev  <annulen@yandex.ru>
745
746         Unreviewed, add missing header includes
747
748         * parser/Lexer.h:
749
750 2017-06-25  Konstantin Tokarev  <annulen@yandex.ru>
751
752         Remove excessive headers from JavaScriptCore
753         https://bugs.webkit.org/show_bug.cgi?id=173812
754
755         Reviewed by Darin Adler.
756
757         * API/APIUtils.h:
758         * assembler/LinkBuffer.cpp:
759         * assembler/MacroAssemblerCodeRef.cpp:
760         * b3/air/AirLiveness.h:
761         * b3/air/AirLowerAfterRegAlloc.cpp:
762         * bindings/ScriptValue.cpp:
763         * bindings/ScriptValue.h:
764         * bytecode/AccessCase.cpp:
765         * bytecode/AccessCase.h:
766         * bytecode/ArrayProfile.h:
767         * bytecode/BytecodeDumper.h:
768         * bytecode/BytecodeIntrinsicRegistry.cpp:
769         * bytecode/BytecodeKills.h:
770         * bytecode/BytecodeLivenessAnalysis.h:
771         * bytecode/BytecodeUseDef.h:
772         * bytecode/CallLinkStatus.h:
773         * bytecode/CodeBlock.h:
774         * bytecode/CodeOrigin.h:
775         * bytecode/ComplexGetStatus.h:
776         * bytecode/GetByIdStatus.h:
777         * bytecode/GetByIdVariant.h:
778         * bytecode/InlineCallFrame.h:
779         * bytecode/InlineCallFrameSet.h:
780         * bytecode/Instruction.h:
781         * bytecode/InternalFunctionAllocationProfile.h:
782         * bytecode/JumpTable.h:
783         * bytecode/MethodOfGettingAValueProfile.h:
784         * bytecode/ObjectPropertyConditionSet.h:
785         * bytecode/Operands.h:
786         * bytecode/PolymorphicAccess.h:
787         * bytecode/PutByIdStatus.h:
788         * bytecode/SpeculatedType.cpp:
789         * bytecode/StructureSet.h:
790         * bytecode/StructureStubInfo.h:
791         * bytecode/UnlinkedCodeBlock.h:
792         * bytecode/UnlinkedFunctionExecutable.h:
793         * bytecode/ValueProfile.h:
794         * bytecompiler/BytecodeGenerator.cpp:
795         * bytecompiler/BytecodeGenerator.h:
796         * bytecompiler/Label.h:
797         * bytecompiler/StaticPropertyAnalysis.h:
798         * debugger/DebuggerCallFrame.cpp:
799         * dfg/DFGAbstractInterpreter.h:
800         * dfg/DFGAdjacencyList.h:
801         * dfg/DFGArgumentsUtilities.h:
802         * dfg/DFGArrayMode.h:
803         * dfg/DFGArrayifySlowPathGenerator.h:
804         * dfg/DFGBackwardsPropagationPhase.h:
805         * dfg/DFGBasicBlock.h:
806         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
807         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
808         * dfg/DFGCapabilities.h:
809         * dfg/DFGCommon.h:
810         * dfg/DFGCommonData.h:
811         * dfg/DFGDesiredIdentifiers.h:
812         * dfg/DFGDesiredWatchpoints.h:
813         * dfg/DFGDisassembler.cpp:
814         * dfg/DFGDominators.h:
815         * dfg/DFGDriver.cpp:
816         * dfg/DFGDriver.h:
817         * dfg/DFGEdgeDominates.h:
818         * dfg/DFGFinalizer.h:
819         * dfg/DFGGenerationInfo.h:
820         * dfg/DFGJITCompiler.cpp:
821         * dfg/DFGJITCompiler.h:
822         * dfg/DFGJITFinalizer.h:
823         * dfg/DFGLivenessAnalysisPhase.h:
824         * dfg/DFGMinifiedNode.h:
825         * dfg/DFGMultiGetByOffsetData.h:
826         * dfg/DFGNaturalLoops.cpp:
827         * dfg/DFGNaturalLoops.h:
828         * dfg/DFGNode.h:
829         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
830         * dfg/DFGOSRExit.h:
831         * dfg/DFGOSRExitCompilationInfo.h:
832         * dfg/DFGOSRExitCompiler.cpp:
833         * dfg/DFGOSRExitCompiler.h:
834         * dfg/DFGOSRExitJumpPlaceholder.h:
835         * dfg/DFGOperations.cpp:
836         * dfg/DFGOperations.h:
837         * dfg/DFGPlan.h:
838         * dfg/DFGPreciseLocalClobberize.h:
839         * dfg/DFGPromotedHeapLocation.h:
840         * dfg/DFGRegisteredStructure.h:
841         * dfg/DFGRegisteredStructureSet.h:
842         * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
843         * dfg/DFGSlowPathGenerator.h:
844         * dfg/DFGSnippetParams.h:
845         * dfg/DFGSpeculativeJIT.h:
846         * dfg/DFGToFTLDeferredCompilationCallback.h:
847         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h:
848         * dfg/DFGValidate.h:
849         * dfg/DFGValueSource.h:
850         * dfg/DFGVariableEvent.h:
851         * dfg/DFGVariableEventStream.h:
852         * dfg/DFGWorklist.h:
853         * domjit/DOMJITCallDOMGetterSnippet.h:
854         * domjit/DOMJITEffect.h:
855         * ftl/FTLLink.cpp:
856         * ftl/FTLLowerDFGToB3.cpp:
857         * ftl/FTLPatchpointExceptionHandle.h:
858         * heap/AllocatorAttributes.h:
859         * heap/CodeBlockSet.h:
860         * heap/DeferGC.h:
861         * heap/GCSegmentedArray.h:
862         * heap/Heap.cpp:
863         * heap/Heap.h:
864         * heap/IncrementalSweeper.h:
865         * heap/ListableHandler.h:
866         * heap/MachineStackMarker.h:
867         * heap/MarkedAllocator.h:
868         * heap/MarkedBlock.cpp:
869         * heap/MarkedBlock.h:
870         * heap/MarkingConstraint.h:
871         * heap/SlotVisitor.cpp:
872         * heap/SlotVisitor.h:
873         * inspector/ConsoleMessage.cpp:
874         * inspector/ConsoleMessage.h:
875         * inspector/InjectedScript.h:
876         * inspector/InjectedScriptHost.h:
877         * inspector/InjectedScriptManager.cpp:
878         * inspector/JSGlobalObjectInspectorController.cpp:
879         * inspector/JavaScriptCallFrame.h:
880         * inspector/ScriptCallStack.h:
881         * inspector/ScriptCallStackFactory.cpp:
882         * inspector/ScriptDebugServer.h:
883         * inspector/agents/InspectorConsoleAgent.h:
884         * inspector/agents/InspectorDebuggerAgent.cpp:
885         * inspector/agents/InspectorDebuggerAgent.h:
886         * inspector/agents/InspectorHeapAgent.cpp:
887         * inspector/agents/InspectorHeapAgent.h:
888         * inspector/agents/InspectorRuntimeAgent.h:
889         * inspector/agents/InspectorScriptProfilerAgent.cpp:
890         * inspector/agents/InspectorScriptProfilerAgent.h:
891         * inspector/agents/JSGlobalObjectConsoleAgent.h:
892         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
893         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
894         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
895         * inspector/augmentable/AlternateDispatchableAgent.h:
896         * interpreter/CLoopStack.h:
897         * interpreter/CachedCall.h:
898         * interpreter/CallFrame.h:
899         * interpreter/Interpreter.cpp:
900         * interpreter/Interpreter.h:
901         * jit/AssemblyHelpers.cpp:
902         * jit/AssemblyHelpers.h:
903         * jit/CCallHelpers.h:
904         * jit/CallFrameShuffler.h:
905         * jit/ExecutableAllocator.h:
906         * jit/GCAwareJITStubRoutine.h:
907         * jit/HostCallReturnValue.h:
908         * jit/ICStats.h:
909         * jit/JIT.cpp:
910         * jit/JIT.h:
911         * jit/JITAddGenerator.h:
912         * jit/JITCall32_64.cpp:
913         * jit/JITCode.h:
914         * jit/JITDisassembler.cpp:
915         * jit/JITExceptions.cpp:
916         * jit/JITMathIC.h:
917         * jit/JITOpcodes.cpp:
918         * jit/JITOperations.cpp:
919         * jit/JITOperations.h:
920         * jit/JITThunks.cpp:
921         * jit/JITThunks.h:
922         * jit/JSInterfaceJIT.h:
923         * jit/PCToCodeOriginMap.h:
924         * jit/PolymorphicCallStubRoutine.h:
925         * jit/RegisterSet.h:
926         * jit/Repatch.h:
927         * jit/SetupVarargsFrame.h:
928         * jit/Snippet.h:
929         * jit/SnippetParams.h:
930         * jit/ThunkGenerators.h:
931         * jsc.cpp:
932         * llint/LLIntCLoop.h:
933         * llint/LLIntEntrypoint.h:
934         * llint/LLIntExceptions.h:
935         * llint/LLIntOfflineAsmConfig.h:
936         * llint/LLIntSlowPaths.cpp:
937         * parser/NodeConstructors.h:
938         * parser/Nodes.cpp:
939         * parser/Nodes.h:
940         * parser/Parser.cpp:
941         * parser/Parser.h:
942         * parser/ParserTokens.h:
943         * parser/SourceProviderCacheItem.h:
944         * profiler/ProfilerBytecodeSequence.h:
945         * profiler/ProfilerDatabase.cpp:
946         * profiler/ProfilerDatabase.h:
947         * profiler/ProfilerOrigin.h:
948         * profiler/ProfilerOriginStack.h:
949         * profiler/ProfilerProfiledBytecodes.h:
950         * profiler/ProfilerUID.h:
951         * runtime/AbstractModuleRecord.h:
952         * runtime/ArrayConstructor.h:
953         * runtime/ArrayConventions.h:
954         * runtime/ArrayIteratorPrototype.h:
955         * runtime/ArrayPrototype.h:
956         * runtime/BasicBlockLocation.h:
957         * runtime/Butterfly.h:
958         * runtime/CallData.cpp:
959         * runtime/CodeCache.h:
960         * runtime/CommonSlowPaths.cpp:
961         * runtime/CommonSlowPaths.h:
962         * runtime/CommonSlowPathsExceptions.cpp:
963         * runtime/Completion.cpp:
964         * runtime/ControlFlowProfiler.h:
965         * runtime/DateInstanceCache.h:
966         * runtime/ErrorConstructor.h:
967         * runtime/ErrorInstance.h:
968         * runtime/ExceptionHelpers.cpp:
969         * runtime/ExceptionHelpers.h:
970         * runtime/ExecutableBase.h:
971         * runtime/FunctionExecutable.h:
972         * runtime/HasOwnPropertyCache.h:
973         * runtime/Identifier.h:
974         * runtime/InternalFunction.h:
975         * runtime/IntlCollator.cpp:
976         * runtime/IntlCollatorPrototype.h:
977         * runtime/IntlDateTimeFormatPrototype.h:
978         * runtime/IntlNumberFormat.cpp:
979         * runtime/IntlNumberFormatPrototype.h:
980         * runtime/IteratorOperations.cpp:
981         * runtime/JSArray.h:
982         * runtime/JSArrayBufferPrototype.h:
983         * runtime/JSCJSValue.h:
984         * runtime/JSCJSValueInlines.h:
985         * runtime/JSCell.h:
986         * runtime/JSFunction.cpp:
987         * runtime/JSFunction.h:
988         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
989         * runtime/JSGlobalObject.cpp:
990         * runtime/JSGlobalObject.h:
991         * runtime/JSGlobalObjectDebuggable.cpp:
992         * runtime/JSGlobalObjectDebuggable.h:
993         * runtime/JSGlobalObjectFunctions.cpp:
994         * runtime/JSGlobalObjectFunctions.h:
995         * runtime/JSJob.cpp:
996         * runtime/JSLock.h:
997         * runtime/JSModuleLoader.cpp:
998         * runtime/JSModuleNamespaceObject.h:
999         * runtime/JSModuleRecord.h:
1000         * runtime/JSObject.cpp:
1001         * runtime/JSObject.h:
1002         * runtime/JSRunLoopTimer.h:
1003         * runtime/JSTemplateRegistryKey.h:
1004         * runtime/JSTypedArrayPrototypes.cpp:
1005         * runtime/JSTypedArrayPrototypes.h:
1006         * runtime/JSTypedArrays.h:
1007         * runtime/LiteralParser.h:
1008         * runtime/MatchResult.h:
1009         * runtime/MemoryStatistics.h:
1010         * runtime/PrivateName.h:
1011         * runtime/PromiseDeferredTimer.h:
1012         * runtime/ProxyObject.h:
1013         * runtime/RegExp.h:
1014         * runtime/SamplingProfiler.cpp:
1015         * runtime/SmallStrings.h:
1016         * runtime/StringPrototype.cpp:
1017         * runtime/StringRecursionChecker.h:
1018         * runtime/Structure.h:
1019         * runtime/SymbolConstructor.h:
1020         * runtime/SymbolPrototype.cpp:
1021         * runtime/SymbolPrototype.h:
1022         * runtime/TypeProfiler.h:
1023         * runtime/TypeProfilerLog.h:
1024         * runtime/TypedArrayType.h:
1025         * runtime/VM.cpp:
1026         * runtime/VM.h:
1027         * runtime/VMEntryScope.h:
1028         * runtime/WeakMapData.h:
1029         * runtime/WriteBarrier.h:
1030         * tools/FunctionOverrides.cpp:
1031         * tools/FunctionOverrides.h:
1032         * wasm/WasmBinding.cpp:
1033         * wasm/js/JSWebAssemblyCodeBlock.h:
1034         * wasm/js/WebAssemblyPrototype.cpp:
1035         * yarr/Yarr.h:
1036         * yarr/YarrJIT.cpp:
1037         * yarr/YarrJIT.h:
1038         * yarr/YarrParser.h:
1039
1040 2017-06-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1041
1042         [JSC] Clean up Object.entries implementation
1043         https://bugs.webkit.org/show_bug.cgi?id=173759
1044
1045         Reviewed by Sam Weinig.
1046
1047         This patch cleans up Object.entries implementation.
1048         We drop unused private functions. And we merge the
1049         implementation into Object.entries.
1050
1051         It slightly speeds up Object.entries speed.
1052
1053                                      baseline                  patched
1054
1055             object-entries      148.0101+-5.6627          142.1877+-4.8661          might be 1.0409x faster
1056
1057
1058         * builtins/BuiltinNames.h:
1059         * builtins/ObjectConstructor.js:
1060         (entries):
1061         (globalPrivate.enumerableOwnProperties): Deleted.
1062         * runtime/JSGlobalObject.cpp:
1063         (JSC::JSGlobalObject::init):
1064         * runtime/ObjectConstructor.cpp:
1065         (JSC::ownEnumerablePropertyKeys): Deleted.
1066         * runtime/ObjectConstructor.h:
1067
1068 2017-06-24  Joseph Pecoraro  <pecoraro@apple.com>
1069
1070         Remove Reflect.enumerate
1071         https://bugs.webkit.org/show_bug.cgi?id=173806
1072
1073         Reviewed by Yusuke Suzuki.
1074
1075         * CMakeLists.txt:
1076         * JavaScriptCore.xcodeproj/project.pbxproj:
1077         * inspector/JSInjectedScriptHost.cpp:
1078         (Inspector::JSInjectedScriptHost::subtype):
1079         (Inspector::JSInjectedScriptHost::getInternalProperties):
1080         (Inspector::JSInjectedScriptHost::iteratorEntries):
1081         * runtime/JSGlobalObject.cpp:
1082         (JSC::JSGlobalObject::init):
1083         (JSC::JSGlobalObject::visitChildren):
1084         * runtime/JSPropertyNameIterator.cpp: Removed.
1085         * runtime/JSPropertyNameIterator.h: Removed.
1086         * runtime/ReflectObject.cpp:
1087         (JSC::reflectObjectEnumerate): Deleted.
1088
1089 2017-06-23  Keith Miller  <keith_miller@apple.com>
1090
1091         Switch VMTraps to use halt instructions rather than breakpoint instructions
1092         https://bugs.webkit.org/show_bug.cgi?id=173677
1093         <rdar://problem/32178892>
1094
1095         Reviewed by JF Bastien.
1096
1097         Using the breakpoint instruction for VMTraps caused issues with lldb.
1098         Since we only need some way to stop execution we can, in theory, use
1099         any exceptioning instruction we want. I went with the halt instruction
1100         on X86 since that is the only one byte instruction that does not
1101         breakpoint (in my tests both 0xf1 and 0xd6 produced EXC_BREAKPOINT).
1102         On ARM we use the data cache clearing instruction with the zero register,
1103         which triggers a segmentation fault.
1104
1105         Also, update the platform code to only use signaling VMTraps
1106         where we have an appropriate instruction (x86 and ARM64).
1107
1108         * API/tests/ExecutionTimeLimitTest.cpp:
1109         (testExecutionTimeLimit):
1110         * assembler/ARM64Assembler.h:
1111         (JSC::ARM64Assembler::replaceWithVMHalt):
1112         (JSC::ARM64Assembler::dataCacheZeroVirtualAddress):
1113         (JSC::ARM64Assembler::replaceWithBkpt): Deleted.
1114         * assembler/ARMAssembler.h:
1115         (JSC::ARMAssembler::replaceWithBkpt): Deleted.
1116         * assembler/ARMv7Assembler.h:
1117         (JSC::ARMv7Assembler::replaceWithBkpt): Deleted.
1118         * assembler/MIPSAssembler.h:
1119         (JSC::MIPSAssembler::replaceWithBkpt): Deleted.
1120         * assembler/MacroAssemblerARM.h:
1121         (JSC::MacroAssemblerARM::replaceWithBreakpoint): Deleted.
1122         * assembler/MacroAssemblerARM64.h:
1123         (JSC::MacroAssemblerARM64::replaceWithVMHalt):
1124         (JSC::MacroAssemblerARM64::replaceWithBreakpoint): Deleted.
1125         * assembler/MacroAssemblerARMv7.h:
1126         (JSC::MacroAssemblerARMv7::storeFence):
1127         (JSC::MacroAssemblerARMv7::replaceWithBreakpoint): Deleted.
1128         * assembler/MacroAssemblerMIPS.h:
1129         (JSC::MacroAssemblerMIPS::replaceWithBreakpoint): Deleted.
1130         * assembler/MacroAssemblerX86Common.h:
1131         (JSC::MacroAssemblerX86Common::replaceWithVMHalt):
1132         (JSC::MacroAssemblerX86Common::replaceWithBreakpoint): Deleted.
1133         * assembler/X86Assembler.h:
1134         (JSC::X86Assembler::replaceWithHlt):
1135         (JSC::X86Assembler::replaceWithInt3): Deleted.
1136         * dfg/DFGJumpReplacement.cpp:
1137         (JSC::DFG::JumpReplacement::installVMTrapBreakpoint):
1138         * runtime/VMTraps.cpp:
1139         (JSC::SignalContext::SignalContext):
1140         (JSC::installSignalHandler):
1141         (JSC::SignalContext::adjustPCToPointToTrappingInstruction): Deleted.
1142         * wasm/WasmFaultSignalHandler.cpp:
1143         (JSC::Wasm::enableFastMemory):
1144
1145 2017-06-22  Saam Barati  <sbarati@apple.com>
1146
1147         The lowering of Identity in the DFG backend needs to use ManualOperandSpeculation
1148         https://bugs.webkit.org/show_bug.cgi?id=173743
1149         <rdar://problem/32932536>
1150
1151         Reviewed by Mark Lam.
1152
1153         The code always manually speculates; however, we weren't specifying
1154         ManualOperandSpeculation when creating a JSValueOperand. This would
1155         fire an assertion in JSValueOperand construction for a node like:
1156         Identity(String:@otherNode)
1157         
1158         I spent about 45 minutes trying to craft a test and came up
1159         empty. However, this fixes a debug assertion on an internal
1160         Apple website.
1161
1162         * dfg/DFGSpeculativeJIT32_64.cpp:
1163         (JSC::DFG::SpeculativeJIT::compile):
1164         * dfg/DFGSpeculativeJIT64.cpp:
1165         (JSC::DFG::SpeculativeJIT::compile):
1166
1167 2017-06-22  Saam Barati  <sbarati@apple.com>
1168
1169         ValueRep(DoubleRep(@v)) can not simply convert to @v
1170         https://bugs.webkit.org/show_bug.cgi?id=173687
1171         <rdar://problem/32855563>
1172
1173         Reviewed by Mark Lam.
1174
1175         Consider this IR:
1176          block#x
1177           p: Phi() // int32 and double flows into this phi from various control flow
1178           d: DoubleRep(@p)
1179           some uses of @d here
1180           v: ValueRep(DoubleRepUse:@d)
1181           a: NewArrayWithSize(Int32:@v)
1182           some more nodes here ...
1183         
1184         Because the flow of ValueRep(DoubleRep(@p)) will not produce an Int32,
1185         AI proves that the Int32 check will fail. Constant folding phase removes
1186         all nodes after @a and inserts an Unreachable after the NewArrayWithSize node.
1187         
1188         The IR then looks like this:
1189         block#x
1190           p: Phi() // int32 and double flows into this phi from various control flow
1191           d: DoubleRep(@p)
1192           some uses of @d here
1193           v: ValueRep(DoubleRepUse:@d)
1194           a: NewArrayWithSize(Int32:@v)
1195           Unreachable
1196         
1197         However, there was a strength reduction rule that tries to eliminate
1198         conversions. It used to convert the program to:
1199         block#x
1200           p: Phi() // int32 and double flows into this phi from various control flow
1201           d: DoubleRep(@p)
1202           some uses of @d here
1203           a: NewArrayWithSize(Int32:@p)
1204           Unreachable
1205         
1206         However, at runtime, @p will actually be an Int32, so @a will not OSR exit,
1207         and we'll crash. This patch removes this strength reduction rule since it
1208         does not maintain what would have happened if we executed the program before
1209         the rule.
1210         
1211         This rule is also wrong for other types of programs (I'm not sure we'd
1212         actually emit this code, but if such IR were generated, we would previously
1213         optimize it incorrectly):
1214         @a: Constant(JSTrue)
1215         @b: DoubleRep(@a)
1216         @c: ValueRep(@b)
1217         @d: use(@c)
1218         
1219         However, the strength reduction rule would've transformed this into:
1220         @a: Constant(JSTrue)
1221         @d: use(@a)
1222         
1223         And this would be wrong because node @c before the transformation would
1224         have produced the JSValue jsNumber(1.0).
1225         
1226         This patch was neutral in the benchmark run I did.
1227
1228         * dfg/DFGStrengthReductionPhase.cpp:
1229         (JSC::DFG::StrengthReductionPhase::handleNode):
1230
1231 2017-06-22  JF Bastien  <jfbastien@apple.com>
1232
1233         ARM64: doubled executable memory limit from 32MiB to 64MiB
1234         https://bugs.webkit.org/show_bug.cgi?id=173734
1235         <rdar://problem/32932407>
1236
1237         Reviewed by Oliver Hunt.
1238
1239         Some WebAssembly programs stress the amount of memory we have
1240         available, especially when we consider tiering (BBQ never dies,
1241         and is bigger than OMG). Tiering to OMG just piles on more memory,
1242         and we're also competing with JavaScript.
1243
1244         * jit/ExecutableAllocator.h:
1245
1246 2017-06-22  Joseph Pecoraro  <pecoraro@apple.com>
1247
1248         Web Inspector: Pausing with a deep call stack can be very slow, avoid eagerly generating object previews
1249         https://bugs.webkit.org/show_bug.cgi?id=173698
1250
1251         Reviewed by Matt Baker.
1252
1253         When pausing in a deep call stack the majority of the time spent in JavaScriptCore
1254         when preparing Inspector pause information is spent generating object previews for
1255         the `thisObject` of each of the call frames. In some cases, this could be more
1256         than 95% of the time generating pause information. In the common case, only one of
1257         these (the top frame) will ever be seen by users. This change avoids eagerly
1258         generating object previews up front and lets the frontend request previews if they
1259         are needed.
1260
1261         This introduces the `Runtime.getPreview` protocol command. This can be used to:
1262
1263             - Get a preview for a RemoteObject that did not have a preview but could.
1264             - Update a preview for a RemoteObject that had a preview.
1265
1266         This patch only uses it for the first case, but the second is valid and may be
1267         something we want to do in the future.
1268
1269         * inspector/protocol/Runtime.json:
1270         A new command to get an up to date preview for an object.
1271
1272         * inspector/InjectedScript.h:
1273         * inspector/InjectedScript.cpp:
1274         (Inspector::InjectedScript::getPreview):
1275         * inspector/agents/InspectorRuntimeAgent.cpp:
1276         (Inspector::InspectorRuntimeAgent::getPreview):
1277         * inspector/agents/InspectorRuntimeAgent.h:
1278         Plumbing for the new command.
1279
1280         * inspector/InjectedScriptSource.js:
1281         (InjectedScript.prototype.getPreview):
1282         Implementation just uses the existing helper.
1283
1284         (InjectedScript.CallFrameProxy):
1285         Do not generate a preview for the this object as it may not be shown.
1286         Let the frontend request a preview if it wants or needs one.
1287
1288 2017-06-22  Joseph Pecoraro  <pecoraro@apple.com>
1289
1290         Web Inspector: Remove stale "rawScopes" concept that was never available in JSC
1291         https://bugs.webkit.org/show_bug.cgi?id=173686
1292
1293         Reviewed by Mark Lam.
1294
1295         * inspector/InjectedScript.cpp:
1296         (Inspector::InjectedScript::functionDetails):
1297         * inspector/InjectedScriptSource.js:
1298         (InjectedScript.prototype.functionDetails):
1299         * inspector/JSInjectedScriptHost.cpp:
1300         (Inspector::JSInjectedScriptHost::functionDetails):
1301
1302 2017-06-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1303
1304         [JSC] Object.values should be implemented in C++
1305         https://bugs.webkit.org/show_bug.cgi?id=173703
1306
1307         Reviewed by Sam Weinig.
1308
1309         As with Object.assign, Object.values() is also inherently polymorphic.
1310         And allocating JSString / Symbol for Identifier and JSArray for Object.keys()
1311         result is costly.
1312
1313         In this patch, we implement Object.values() in C++. It can avoid the above allocations.
1314         Furthermore, by using `slot.isTaintedByOpaqueObject()` information, we can skip
1315         non-observable JSObject::get() calls.
1316
1317         This improves performance by 2.49x. And also now Object.values() beats
1318         Object.keys(object).map(key => object[key]) implementation.
1319
1320                                              baseline                  patched
1321
1322             object-values               132.1551+-3.7209     ^     53.1254+-1.6139        ^ definitely 2.4876x faster
1323             object-keys-map-values       78.2008+-2.1378     ?     78.9078+-2.2121        ?
1324
1325         * builtins/ObjectConstructor.js:
1326         (values): Deleted.
1327         * runtime/ObjectConstructor.cpp:
1328         (JSC::objectConstructorValues):
1329
1330 2017-06-21  Saam Barati  <sbarati@apple.com>
1331
1332         ArrayPrototype.map builtin declares a var it does not use
1333         https://bugs.webkit.org/show_bug.cgi?id=173685
1334
1335         Reviewed by Keith Miller.
1336
1337         * builtins/ArrayPrototype.js:
1338         (map):
1339
1340 2017-06-21  Saam Barati  <sbarati@apple.com>
1341
1342         eval virtual call is incorrect in the baseline JIT
1343         https://bugs.webkit.org/show_bug.cgi?id=173587
1344         <rdar://problem/32867897>
1345
1346         Reviewed by Michael Saboff.
1347
1348         When making a virtual call for call_eval, e.g., when the thing
1349         we're calling isn't actually eval, we end up calling the caller
1350         instead of the callee. This is clearly wrong. The code ends up
1351         issuing a load for the Callee in the callers frame instead of
1352         the callee we're calling. The fix is simple: we just need to
1353         load the real callee. Only the 32-bit baseline JIT had this bug.
1354
1355         * jit/JITCall32_64.cpp:
1356         (JSC::JIT::compileCallEvalSlowCase):
1357
1358 2017-06-21  Joseph Pecoraro  <pecoraro@apple.com>
1359
1360         Web Inspector: Using "break on all exceptions" when throwing stack overflow hangs inspector
1361         https://bugs.webkit.org/show_bug.cgi?id=172432
1362         <rdar://problem/29870873>
1363
1364         Reviewed by Saam Barati.
1365
1366         Avoid pausing on StackOverflow and OutOfMemory errors to avoid a hang.
1367         We will proceed to improve debugging of these cases in the follow-up bugs.
1368
1369         * debugger/Debugger.cpp:
1370         (JSC::Debugger::exception):
1371         Ignore pausing on these errors.
1372
1373         * runtime/ErrorInstance.h:
1374         (JSC::ErrorInstance::setStackOverflowError):
1375         (JSC::ErrorInstance::isStackOverflowError):
1376         (JSC::ErrorInstance::setOutOfMemoryError):
1377         (JSC::ErrorInstance::isOutOfMemoryError):
1378         * runtime/ExceptionHelpers.cpp:
1379         (JSC::createStackOverflowError):
1380         * runtime/Error.cpp:
1381         (JSC::createOutOfMemoryError):
1382         Mark these kinds of errors.
1383
1384 2017-06-21  Saam Barati  <sbarati@apple.com>
1385
1386         Make it clear that regenerating ICs are holding the CodeBlock's lock by passing the locker as a parameter
1387         https://bugs.webkit.org/show_bug.cgi?id=173609
1388
1389         Reviewed by Keith Miller.
1390
1391         This patch makes many of the IC generating functions require a locker as
1392         a parameter. We do this in other places in JSC to indicate that
1393         a particular API is only valid while a particular lock is held.
1394         This is the case when generating ICs. This patch just makes it
1395         explicit in the IC generating interface.
1396
1397         * bytecode/PolymorphicAccess.cpp:
1398         (JSC::PolymorphicAccess::addCases):
1399         (JSC::PolymorphicAccess::addCase):
1400         (JSC::PolymorphicAccess::commit):
1401         (JSC::PolymorphicAccess::regenerate):
1402         * bytecode/PolymorphicAccess.h:
1403         * bytecode/StructureStubInfo.cpp:
1404         (JSC::StructureStubInfo::addAccessCase):
1405         (JSC::StructureStubInfo::initStub): Deleted.
1406         * bytecode/StructureStubInfo.h:
1407         * jit/Repatch.cpp:
1408         (JSC::tryCacheGetByID):
1409         (JSC::repatchGetByID):
1410         (JSC::tryCachePutByID):
1411         (JSC::repatchPutByID):
1412         (JSC::tryRepatchIn):
1413         (JSC::repatchIn):
1414
1415 2017-06-20  Myles C. Maxfield  <mmaxfield@apple.com>
1416
1417         Disable font variations on macOS Sierra and iOS 10
1418         https://bugs.webkit.org/show_bug.cgi?id=173618
1419         <rdar://problem/32879164>
1420
1421         Reviewed by Jon Lee.
1422
1423         * Configurations/FeatureDefines.xcconfig:
1424
1425 2017-06-20  Keith Miller  <keith_miller@apple.com>
1426
1427         Fix leak of ModuleInformations in BBQPlan constructors.
1428         https://bugs.webkit.org/show_bug.cgi?id=173577
1429
1430         Reviewed by Saam Barati.
1431
1432         This patch fixes a leak in the BBQPlan constructors. Previously,
1433         the plans were calling makeRef on the newly constructed objects.
1434         This patch fixes the issue and uses adoptRef instead. Additionally,
1435         an old, incorrect, attempt to fix the leak is removed.
1436
1437         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
1438         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
1439         * jit/JITWorklist.cpp:
1440         (JSC::JITWorklist::Thread::Thread):
1441         * runtime/PromiseDeferredTimer.cpp:
1442         (JSC::PromiseDeferredTimer::addPendingPromise):
1443         * runtime/VM.cpp:
1444         (JSC::VM::VM):
1445         * wasm/WasmBBQPlan.cpp:
1446         (JSC::Wasm::BBQPlan::BBQPlan):
1447         * wasm/WasmPlan.cpp:
1448         (JSC::Wasm::Plan::Plan):
1449
1450 2017-06-20  Devin Rousso  <drousso@apple.com>
1451
1452         Web Inspector: Send context attributes for tracked canvases
1453         https://bugs.webkit.org/show_bug.cgi?id=173327
1454
1455         Reviewed by Joseph Pecoraro.
1456
1457         * inspector/protocol/Canvas.json:
1458         Add ContextAttributes object type that is optionally used for WebGL canvases.
1459
1460 2017-06-20  Konstantin Tokarev  <annulen@yandex.ru>
1461
1462         Remove excessive include directives from WTF
1463         https://bugs.webkit.org/show_bug.cgi?id=173553
1464
1465         Reviewed by Saam Barati.
1466
1467         * profiler/ProfilerDatabase.cpp: Added missing include directive.
1468         * runtime/SamplingProfiler.cpp: Ditto.
1469
1470 2017-06-20  Oleksandr Skachkov  <gskachkov@gmail.com>
1471
1472         Revert changes in bug#160417 about extending `null` not being a derived class
1473         https://bugs.webkit.org/show_bug.cgi?id=169293
1474
1475         Reviewed by Saam Barati.
1476
1477         Reverted changes in bug#160417 about extending `null` not being a derived class 
1478         according to changes in spec:
1479         https://github.com/tc39/ecma262/commit/c57ef95c45a371f9c9485bb1c3881dbdc04524a2
1480
1481         * builtins/BuiltinNames.h:
1482         * bytecompiler/BytecodeGenerator.cpp:
1483         (JSC::BytecodeGenerator::BytecodeGenerator):
1484         (JSC::BytecodeGenerator::emitReturn):
1485         * bytecompiler/NodesCodegen.cpp:
1486         (JSC::ClassExprNode::emitBytecode):
1487
1488 2017-06-20  Saam Barati  <sbarati@apple.com>
1489
1490         repatchIn needs to lock the CodeBlock's lock
1491         https://bugs.webkit.org/show_bug.cgi?id=173573
1492
1493         Reviewed by Yusuke Suzuki.
1494
1495         CodeBlock::propagateTransitions and CodeBlock::visitWeakly grab the CodeBlock's
1496         lock before modifying the StructureStubInfo/PolymorphicAccess. When regenerating
1497         an IC, we must hold the CodeBlock's lock to prevent the executing thread from racing
1498         with the marking thread. repatchIn was not grabbing the lock. I haven't been
1499         able to get it to crash, but this is needed for the same reasons that get and put IC
1500         regeneration grab the lock.
1501
1502         * jit/Repatch.cpp:
1503         (JSC::repatchIn):
1504
1505 2017-06-19  Devin Rousso  <drousso@apple.com>
1506
1507         Web Inspector: create canvas content view and details sidebar panel
1508         https://bugs.webkit.org/show_bug.cgi?id=138941
1509         <rdar://problem/19051672>
1510
1511         Reviewed by Joseph Pecoraro.
1512
1513         * inspector/protocol/Canvas.json:
1514          - Add an optional `nodeId` attribute to the `Canvas` type.
1515          - Add `requestNode` command for getting the node id of the backing canvas element.
1516          - Add `requestContent` command for getting the current image content of the canvas.
1517
1518 2017-06-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1519
1520         Unreviewed, build fix for ARM
1521
1522         * assembler/MacroAssemblerARM.h:
1523         (JSC::MacroAssemblerARM::internalCompare32):
1524
1525 2017-06-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1526
1527         [DFG] More ArrayIndexOf fixups for various types
1528         https://bugs.webkit.org/show_bug.cgi?id=173176
1529
1530         Reviewed by Saam Barati.
1531
1532         This patch further expands coverage of ArrayIndexOf optimization in DFG and FTL.
1533
1534         1. We attempt to fold ArrayIndexOf to constant (-1) if we know that its array
1535         never contains the given search value.
1536
1537         2. We support Symbol and Other specialization additionally. Especially, Other is
1538         useful because null/undefined can be used as a sentinel value.
1539
1540         One interesting thing is that Array.prototype.indexOf does not consider holes as
1541         undefineds. Thus,
1542
1543             var array = [,,,,,,,];
1544             array.indexOf(undefined); // => -1
1545
1546         This can be trivially achieved in JSC because Empty and Undefined are different values.
1547
1548         * dfg/DFGFixupPhase.cpp:
1549         (JSC::DFG::FixupPhase::fixupNode):
1550         (JSC::DFG::FixupPhase::fixupArrayIndexOf):
1551         * dfg/DFGSpeculativeJIT.cpp:
1552         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
1553         (JSC::DFG::SpeculativeJIT::speculateOther):
1554         * dfg/DFGSpeculativeJIT.h:
1555         * ftl/FTLLowerDFGToB3.cpp:
1556         (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf):
1557
1558 2017-06-19  Caio Lima  <ticaiolima@gmail.com>
1559
1560         [ARMv6][DFG] ARM MacroAssembler is always emitting cmn when immediate is 0
1561         https://bugs.webkit.org/show_bug.cgi?id=172972
1562
1563         Reviewed by Mark Lam.
1564
1565         We are changing internalCompare32 implementation in ARM
1566         MacroAssembler to emit "cmp" when the "right.value" is 0.
1567         It is generating wrong comparison cases, since the
1568         semantics of cmn are the opposite of cmp [1]. One case that it's breaking is
1569         "branch32(MacroAssembler::Above, gpr, TrustedImm32(0))", which ends up
1570         resulting in the following assembly code:
1571
1572         ```
1573         cmn $r0, #0
1574         bhi <address>
1575         ```
1576
1577         However, as cmn is similar to "adds", it will never take the branch
1578         when $r0 > 0. In that case, the correct opcode is "cmp". With this
1579         patch we will fix current broken tests that use
1580         "branch32(MacroAssembler::Above, gpr, TrustedImm32(0))",
1581         such as ForwardVarargs, Spread and GetRestLength.
1582
1583         [1] - http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0204j/Cihiddid.html
1584
1585         * assembler/MacroAssemblerARM.h:
1586         (JSC::MacroAssemblerARM::internalCompare32):
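
The flag behaviour behind this bug, as an added JavaScript simulation (not WebKit or ARM backend code): the NZCV flags after "cmp a, b" (a - b) and "cmn a, b" (a + b) are computed for 32-bit operands and fed to the condition codes the MacroAssembler relational conditions map to. The function names flagsAfterCmp, flagsAfterCmn, branchTaken and cmnEquivalentToCmp are hypothetical. It goes slightly beyond the entry: it also shows that rewriting "cmp r, #-n" as "cmn r, #n" is flag-exact for every n except 0, which is why the bug surfaces only for a zero immediate.

```javascript
// Added example (not JSC code): simulate ARM NZCV flag setting for cmp and cmn
// and evaluate condition codes on the result.

const MASK32 = 0xFFFFFFFF;

// Flags produced by "cmp a, b" (a - b). C is set when no borrow occurred.
function flagsAfterCmp(a, b) {
  a >>>= 0; b >>>= 0;
  const res = (a - b) >>> 0;
  return {
    N: (res >>> 31) === 1,
    Z: res === 0,
    C: a >= b,
    V: (((a ^ b) & (a ^ res)) >>> 31) === 1,    // signed overflow on subtraction
  };
}

// Flags produced by "cmn a, b" (a + b). C is the carry out of bit 31.
function flagsAfterCmn(a, b) {
  a >>>= 0; b >>>= 0;
  const sum = a + b;                             // exact in a double (< 2^33)
  const res = sum >>> 0;                         // wrapped to 32 bits
  return {
    N: (res >>> 31) === 1,
    Z: res === 0,
    C: sum > MASK32,
    V: ((~(a ^ b) & (a ^ res)) >>> 31) === 1,   // signed overflow on addition
  };
}

// Subset of ARM condition codes; the comment names the MacroAssembler condition.
const CONDITIONS = {
  HI: f => f.C && !f.Z,          // Above (unsigned >)
  LS: f => !f.C || f.Z,          // BelowOrEqual (unsigned <=)
  CS: f => f.C,                  // AboveOrEqual (unsigned >=)
  CC: f => !f.C,                 // Below (unsigned <)
  EQ: f => f.Z,                  // Equal
  NE: f => !f.Z,                 // NotEqual
  GT: f => !f.Z && f.N === f.V,  // GreaterThan (signed)
  LE: f => f.Z || f.N !== f.V,   // LessThanOrEqual (signed)
};

// Hypothetical model of branch32(cond, gpr, TrustedImm32(imm)): is the branch taken
// when the immediate is compared with "cmp" or with "cmn"?
function branchTaken(cond, gpr, imm, instruction) {
  const flags = instruction === 'cmn' ? flagsAfterCmn(gpr, imm) : flagsAfterCmp(gpr, imm);
  return CONDITIONS[cond](flags);
}

// "cmp r, #-n" and "cmn r, #n" set identical flags for n != 0. For n == 0 the
// subtraction sets C (no borrow) while the addition never carries, so HI can
// never hold after "cmn r, #0": exactly the broken branch32(Above, gpr, 0) case.
function cmnEquivalentToCmp(gpr, n) {
  const viaCmp = flagsAfterCmp(gpr, (-n) >>> 0);
  const viaCmn = flagsAfterCmn(gpr, n);
  return ['N', 'Z', 'C', 'V'].every(k => viaCmp[k] === viaCmn[k]);
}
```

With `gpr = 5` and immediate 0, `branchTaken('HI', 5, 0, 'cmp')` is true while `branchTaken('HI', 5, 0, 'cmn')` is false, matching the "never takes the branch when $r0 > 0" description above; the same holds for every non-zero register value, including 0xFFFFFFFF.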
1587
1588 2017-06-19  Joseph Pecoraro  <pecoraro@apple.com>
1589
1590         test262: Completion values for control flow do not match the spec
1591         https://bugs.webkit.org/show_bug.cgi?id=171265
1592
1593         Reviewed by Saam Barati.
1594
1595         * bytecompiler/BytecodeGenerator.h:
1596         (JSC::BytecodeGenerator::shouldBeConcernedWithCompletionValue):
1597         When we care about having proper completion values (global code
1598         in programs, modules, and eval) insert undefined results for
1599         control flow statements.
1600
1601         * bytecompiler/NodesCodegen.cpp:
1602         (JSC::SourceElements::emitBytecode):
1603         Reduce writing a default `undefined` value to the completion result to
1604         only once before the last statement we know will produce a value.
1605
1606         (JSC::IfElseNode::emitBytecode):
1607         (JSC::WithNode::emitBytecode):
1608         (JSC::WhileNode::emitBytecode):
1609         (JSC::ForNode::emitBytecode):
1610         (JSC::ForInNode::emitBytecode):
1611         (JSC::ForOfNode::emitBytecode):
1612         (JSC::SwitchNode::emitBytecode):
1613         Insert an undefined to handle cases where code may break out of an
1614         if/else or with statement (break/continue).
1615
1616         (JSC::TryNode::emitBytecode):
1617         Same handling for break cases. Also, finally block statement completion
1618         values are always ignored for the try statement result.
1619
1620         (JSC::ClassDeclNode::emitBytecode):
1621         Class declarations, like function declarations, produce an empty result.
1622
1623         * parser/Nodes.cpp:
1624         (JSC::SourceElements::lastStatement):
1625         (JSC::SourceElements::hasCompletionValue):
1626         (JSC::SourceElements::hasEarlyBreakOrContinue):
1627         (JSC::BlockNode::lastStatement):
1628         (JSC::BlockNode::singleStatement):
1629         (JSC::BlockNode::hasCompletionValue):
1630         (JSC::BlockNode::hasEarlyBreakOrContinue):
1631         (JSC::ScopeNode::singleStatement):
1632         (JSC::ScopeNode::hasCompletionValue):
1633         (JSC::ScopeNode::hasEarlyBreakOrContinue):
1634         The only non-trivial cases need to loop through their list of statements
1635         to determine if this has a completion value or not. Likewise for
1636         determining if there is an early break / continue, meaning a break or
1637         continue statement with no preceding statement that has a completion value.
1638
1639         * parser/Nodes.h:
1640         (JSC::StatementNode::next):
1641         (JSC::StatementNode::hasCompletionValue):
1642         Helper to check if a statement node produces a completion value or not.
1643
1644 2017-06-19  Adrian Perez de Castro  <aperez@igalia.com>
1645
1646         Missing <functional> includes make builds fail with GCC 7.x
1647         https://bugs.webkit.org/show_bug.cgi?id=173544
1648
1649         Unreviewed gardening.
1650
1651         Fix compilation with GCC 7.
1652
1653         * API/tests/CompareAndSwapTest.cpp:
1654         * runtime/VMEntryScope.h:
1655
1656 2017-06-17  Keith Miller  <keith_miller@apple.com>
1657
1658         ArrayBuffer constructor needs to create subclass structures before its buffer
1659         https://bugs.webkit.org/show_bug.cgi?id=173510
1660
1661         Reviewed by Yusuke Suzuki.
1662
1663         * runtime/JSArrayBufferConstructor.cpp:
1664         (JSC::constructArrayBuffer):
1665
1666 2017-06-17  Keith Miller  <keith_miller@apple.com>
1667
1668         ArrayPrototype methods should use JSValue::toLength for non-Arrays.
1669         https://bugs.webkit.org/show_bug.cgi?id=173506
1670
1671         Reviewed by Ryosuke Niwa.
1672
1673         This patch changes the result of unshift if old length +
1674         unshift.arguments.length > (2 ** 53) - 1 to be a type error. Also,
1675         the getLength function, which was always incorrect to use, has
1676         been removed. Additionally, some cases where we were using a
1677         constant for (2 ** 53) - 1 have been replaced with
1678         maxSafeInteger()
1679
1680         * interpreter/Interpreter.cpp:
1681         (JSC::sizeOfVarargs):
1682         * runtime/ArrayPrototype.cpp:
1683         (JSC::arrayProtoFuncToLocaleString):
1684         (JSC::arrayProtoFuncPop):
1685         (JSC::arrayProtoFuncPush):
1686         (JSC::arrayProtoFuncReverse):
1687         (JSC::arrayProtoFuncShift):
1688         (JSC::arrayProtoFuncSlice):
1689         (JSC::arrayProtoFuncSplice):
1690         (JSC::arrayProtoFuncUnShift):
1691         (JSC::arrayProtoFuncIndexOf):
1692         (JSC::arrayProtoFuncLastIndexOf):
1693         * runtime/JSArrayInlines.h:
1694         (JSC::getLength): Deleted.
1695         * runtime/JSCJSValue.cpp:
1696         (JSC::JSValue::toLength):
1697         * runtime/NumberConstructor.cpp:
1698         (JSC::numberConstructorFuncIsSafeInteger):
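
The ToLength behaviour this entry moves the ArrayPrototype methods onto, as an added JavaScript example (not JSC code): a spec-shaped toLength, constructed array-like receivers whose "length" is negative, fractional or a string, and the 2^53 - 1 bound. The helper names toLength, lengthBehaviours and growPastSafeLength are hypothetical, and the bound is exercised through push, whose "len + argCount > 2^53 - 1 throws a TypeError" step is the same check the entry describes for unshift.

```javascript
// Added example (not JSC code): ToLength and its effect on generic Array methods.

const MAX_SAFE = Number.MAX_SAFE_INTEGER;   // 2 ** 53 - 1

// ToLength(argument): ToIntegerOrInfinity, then clamp into [0, 2^53 - 1].
function toLength(value) {
  const n = Number(value);
  if (Number.isNaN(n)) return 0;
  const integer = Math.trunc(n);
  if (integer <= 0) return 0;               // negatives and -0 clamp to 0
  return Math.min(integer, MAX_SAFE);       // Infinity and anything larger clamp down
}

// Constructed array-likes: the engine must read "length" through ToLength rather
// than treating it as a machine integer.
function lengthBehaviours() {
  const negative = { length: -5, 0: 'a' };
  const fractional = { length: 2.9, 0: 'a', 1: 'b', 2: 'c' };
  const stringy = { length: '2', 0: 'x', 1: 'y' };
  const huge = { length: Infinity };
  return {
    negativeToLength: toLength(negative.length),          // 0
    fractionalToLength: toLength(fractional.length),      // 2
    stringyToLength: toLength(stringy.length),            // 2
    hugeToLength: toLength(huge.length),                  // 2^53 - 1
    negativeIndexOf: Array.prototype.indexOf.call(negative, 'a'),         // -1: length is 0
    fractionalIndexOf: Array.prototype.indexOf.call(fractional, 'c'),     // -1: index 2 is past length 2
    stringyLastIndexOf: Array.prototype.lastIndexOf.call(stringy, 'y'),   // 1
  };
}

// Growing an object already at 2^53 - 1 must throw rather than wrap or truncate
// the new length; returns the error's constructor name for inspection.
function growPastSafeLength() {
  const atLimit = { length: MAX_SAFE };
  try {
    Array.prototype.push.call(atLimit, 1);
    return 'no error';
  } catch (e) {
    return e.constructor.name;              // 'TypeError'
  }
}
```

The negative and fractional cases are where a hand-rolled getLength that truncates to an int would quietly diverge from the built-ins; the push case is where a length computed without the 2^53 - 1 bound would silently overflow.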
1699
1700 2017-06-16  Matt Baker  <mattbaker@apple.com>
1701
1702         Web Inspector: Instrument 2D/WebGL canvas contexts in the backend
1703         https://bugs.webkit.org/show_bug.cgi?id=172623
1704         <rdar://problem/32415986>
1705
1706         Reviewed by Devin Rousso and Joseph Pecoraro.
1707
1708         This patch adds a basic Canvas protocol. It includes Canvas and related
1709         types and events for monitoring the lifetime of canvases in the page.
1710
1711         * CMakeLists.txt:
1712         * DerivedSources.make:
1713         * inspector/protocol/Canvas.json: Added.
1714
1715         * inspector/scripts/codegen/generator.py:
1716         (Generator.stylized_name_for_enum_value):
1717         Add special handling for Canvas.ContextType protocol enumeration,
1718         so that "canvas-2d" and "webgl" map to `Canvas2D` and `WebGL`.
1719
1720 2017-06-16  Wenson Hsieh  <wenson_hsieh@apple.com>
1721
1722         [iOS DnD] Upstream iOS drag and drop implementation into OpenSource WebKit
1723         https://bugs.webkit.org/show_bug.cgi?id=173366
1724         <rdar://problem/32767014>
1725
1726         Reviewed by Tim Horton.
1727
1728         Introduce ENABLE_DATA_INTERACTION and ENABLE_DRAG_SUPPORT to FeatureDefines.xcconfig.
1729
1730         * Configurations/FeatureDefines.xcconfig:
1731
1732 2017-06-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1733
1734         [JSC] Add fast path for Object.assign
1735         https://bugs.webkit.org/show_bug.cgi?id=173416
1736
1737         Reviewed by Mark Lam.
1738
1739         In the Object.assign implementation, we need to ensure that the given key is still an enumerable own key.
1740         This seems like a duplicate lookup, and we want to avoid it. However, we still need to perform this
1741         check in the face of Proxy. Proxy can observe that this check is done correctly.
1742
1743         In almost all the cases, the above check is a duplicate of the subsequent [[Get]] operation.
1744         In this patch, we perform this check. But at that time, we investigate `isTaintedByOpaqueObject()`.
1745         If it is false, we can say that getOwnPropertySlot is pure. In that case, we can just retrieve the
1746         value by calling `slot.getValue()`.
1747
1748         This further improves performance of Object.assign.
1749
1750                                         baseline                  patched
1751
1752             object-assign.es6      363.6706+-6.4381     ^    324.1769+-6.9624        ^ definitely 1.1218x faster
1753
1754         * runtime/ObjectConstructor.cpp:
1755         (JSC::objectConstructorAssign):
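
Why the "still an enumerable own key" check is observable, and why it cannot simply be dropped, as an added JavaScript example (not JSC code): a Proxy source records the traps Object.assign drives, and a source with a side-effecting getter shows a key disappearing between the key enumeration and the [[Get]]. The helper names traceAssignTraps, assignWithMutatingGetter and assignPlainObject are hypothetical.

```javascript
// Added example (not JSC code): the spec-mandated Object.assign sequence is
// ownKeys, then per key [[GetOwnProperty]] (enumerability check) followed by [[Get]].

// Records every trap a Proxy source sees during Object.assign({}, proxy).
function traceAssignTraps(source) {
  const trace = [];
  const proxy = new Proxy(source, {
    ownKeys(target) {
      trace.push('ownKeys');
      return Reflect.ownKeys(target);
    },
    getOwnPropertyDescriptor(target, key) {
      trace.push(`getOwnPropertyDescriptor:${String(key)}`);
      return Reflect.getOwnPropertyDescriptor(target, key);
    },
    get(target, key, receiver) {
      trace.push(`get:${String(key)}`);
      return Reflect.get(target, key, receiver);
    },
  });
  const result = Object.assign({}, proxy);
  return { trace, result };
}

// A getter on an earlier key deletes a later one. When the later key is reached,
// [[GetOwnProperty]] finds nothing, so it must not be copied: this is the case the
// re-check exists for, and a fast path may skip it only when no such side effects
// are possible (the isTaintedByOpaqueObject() === false case in the entry above).
function assignWithMutatingGetter() {
  const source = {
    get first() { delete this.second; return 1; },
    second: 2,
  };
  return Object.assign({}, source);
}

// A plain data object: the descriptor check and the [[Get]] cannot disagree.
function assignPlainObject() {
  return Object.assign({}, { a: 1, b: 2 });
}
```

The trace for a two-key source is `ownKeys`, `getOwnPropertyDescriptor:x`, `get:x`, `getOwnPropertyDescriptor:y`, `get:y`; an engine that skipped the descriptor step for a Proxy would produce a visibly different trace, and one that skipped it for the mutating getter would copy a property that no longer exists.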
1756
1757 2017-06-16  Michael Saboff  <msaboff@apple.com>
1758
1759         Intermittent crash running Internal/Tests/InternalJSTests/Regress/radar-24300617.js
1760         https://bugs.webkit.org/show_bug.cgi?id=173488
1761
1762         Reviewed by Filip Pizlo.
1763
1764         ClonedArguments lazily sets its callee and iterator properties and it used its own inline
1765         code to initialize its butterfly.  This means that these lazily set properties can have
1766         bogus values in those slots.  Instead, let's use the standard Butterfly::tryCreate() method
1767         to create the butterfly as it clears out of line properties.
1768
1769         * runtime/ClonedArguments.cpp:
1770         (JSC::ClonedArguments::createEmpty):
1771
1772 2017-06-16  Mark Lam  <mark.lam@apple.com>
1773
1774         Interpreter methods for mapping between Opcode and OpcodeID need not be instance methods.
1775         https://bugs.webkit.org/show_bug.cgi?id=173491
1776
1777         Reviewed by Keith Miller.
1778
1779         The implementations are based on static data. There's no need to get the
1780         interpreter instance. Hence, we can make these methods static and avoid doing
1781         unnecessary work to compute the interpreter this pointer.
1782
1783         Also removed the unused isCallBytecode method.
1784
1785         * bytecode/BytecodeBasicBlock.cpp:
1786         (JSC::BytecodeBasicBlock::computeImpl):
1787         * bytecode/BytecodeDumper.cpp:
1788         (JSC::BytecodeDumper<Block>::printGetByIdOp):
1789         (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
1790         (JSC::BytecodeDumper<Block>::dumpBytecode):
1791         (JSC::BytecodeDumper<Block>::dumpBlock):
1792         * bytecode/BytecodeLivenessAnalysis.cpp:
1793         (JSC::BytecodeLivenessAnalysis::dumpResults):
1794         * bytecode/BytecodeLivenessAnalysisInlines.h:
1795         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::stepOverInstruction):
1796         * bytecode/BytecodeRewriter.cpp:
1797         (JSC::BytecodeRewriter::adjustJumpTargetsInFragment):
1798         * bytecode/CallLinkStatus.cpp:
1799         (JSC::CallLinkStatus::computeFromLLInt):
1800         * bytecode/CodeBlock.cpp:
1801         (JSC::CodeBlock::finishCreation):
1802         (JSC::CodeBlock::propagateTransitions):
1803         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1804         (JSC::CodeBlock::hasOpDebugForLineAndColumn):
1805         (JSC::CodeBlock::usesOpcode):
1806         (JSC::CodeBlock::valueProfileForBytecodeOffset):
1807         (JSC::CodeBlock::arithProfileForPC):
1808         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
1809         * bytecode/PreciseJumpTargets.cpp:
1810         (JSC::getJumpTargetsForBytecodeOffset):
1811         (JSC::computePreciseJumpTargetsInternal):
1812         (JSC::findJumpTargetsForBytecodeOffset):
1813         * bytecode/PreciseJumpTargetsInlines.h:
1814         (JSC::extractStoredJumpTargetsForBytecodeOffset):
1815         * bytecode/UnlinkedCodeBlock.cpp:
1816         (JSC::UnlinkedCodeBlock::applyModification):
1817         * dfg/DFGByteCodeParser.cpp:
1818         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
1819         (JSC::DFG::ByteCodeParser::parseBlock):
1820         * dfg/DFGCapabilities.cpp:
1821         (JSC::DFG::capabilityLevel):
1822         * interpreter/Interpreter.cpp:
1823         (JSC::Interpreter::Interpreter):
1824         (JSC::Interpreter::isOpcode):
1825         (): Deleted.
1826         * interpreter/Interpreter.h:
1827         (JSC::Interpreter::getOpcode): Deleted.
1828         (JSC::Interpreter::getOpcodeID): Deleted.
1829         (JSC::Interpreter::isCallBytecode): Deleted.
1830         * interpreter/InterpreterInlines.h:
1831         (JSC::Interpreter::getOpcode):
1832         (JSC::Interpreter::getOpcodeID):
1833         * jit/JIT.cpp:
1834         (JSC::JIT::privateCompileMainPass):
1835         (JSC::JIT::privateCompileSlowCases):
1836         * jit/JITOpcodes.cpp:
1837         (JSC::JIT::emitNewFuncCommon):
1838         (JSC::JIT::emitNewFuncExprCommon):
1839         * jit/JITPropertyAccess.cpp:
1840         (JSC::JIT::emitSlow_op_put_by_val):
1841         (JSC::JIT::privateCompilePutByVal):
1842         * jit/JITPropertyAccess32_64.cpp:
1843         (JSC::JIT::emitSlow_op_put_by_val):
1844         * llint/LLIntSlowPaths.cpp:
1845         (JSC::LLInt::llint_trace_operand):
1846         (JSC::LLInt::llint_trace_value):
1847         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1848         * profiler/ProfilerBytecodeSequence.cpp:
1849         (JSC::Profiler::BytecodeSequence::BytecodeSequence):
1850
1851 2017-06-16  Matt Lewis  <jlewis3@apple.com>
1852
1853         Unreviewed, rolling out r218376.
1854
1855         The patch cause multiple Layout Test Crashes.
1856
1857         Reverted changeset:
1858
1859         "Web Inspector: Instrument 2D/WebGL canvas contexts in the
1860         backend"
1861         https://bugs.webkit.org/show_bug.cgi?id=172623
1862         http://trac.webkit.org/changeset/218376
1863
1864 2017-06-16  Konstantin Tokarev  <annulen@yandex.ru>
1865
1866         REGRESSION(r166799): LogsPageMessagesToSystemConsoleEnabled corrupts non-ASCII characters
1867         https://bugs.webkit.org/show_bug.cgi?id=173470
1868
1869         Reviewed by Joseph Pecoraro.
1870
1871         ConsoleClient::printConsoleMessageWithArguments() incorrectly uses
1872         const char* overload of StringBuilder::append() that assumes Latin1
1873         encoding, not UTF8.
1874
1875         * runtime/ConsoleClient.cpp:
1876         (JSC::ConsoleClient::printConsoleMessageWithArguments):
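
The corruption this entry describes, as an added JavaScript example (not WebKit code): the same UTF-8 bytes appended once as if each byte were a Latin-1 code point and once decoded as UTF-8, plus the ASCII-only guard a practitioner would put in front of a Latin-1 overload. The helper names appendAsLatin1, appendAsUtf8, isAscii and compare are hypothetical; the messages are constructed.

```javascript
// Added example (not WebKit code): a Latin-1 "append const char*" on UTF-8 input
// turns every non-ASCII character into two or more wrong characters (mojibake).

// Model of a Latin-1 append: every byte becomes one code unit.
function appendAsLatin1(bytes) {
  return Array.from(bytes, b => String.fromCharCode(b)).join('');
}

// Correct handling: decode the bytes as UTF-8. fatal: true rejects malformed
// input instead of silently substituting U+FFFD.
function appendAsUtf8(bytes) {
  return new TextDecoder('utf-8', { fatal: true }).decode(bytes);
}

// ASCII-only input is the one case where both interpretations agree, which is
// also why ASCII-only tests never catch this bug.
function isAscii(bytes) {
  return bytes.every(b => b < 0x80);
}

// Encode a console message to UTF-8 as it would arrive, then compare both paths.
function compare(text) {
  const bytes = new TextEncoder().encode(text);
  const latin1 = appendAsLatin1(bytes);
  return {
    ascii: isAscii(bytes),
    latin1,
    utf8: appendAsUtf8(bytes),
    corrupted: latin1 !== text,
  };
}
```

`compare('café')` yields `'cafÃ©'` on the Latin-1 path (the bytes C3 A9 of U+00E9 read as U+00C3 and U+00A9) and `'café'` on the UTF-8 path; `compare('plain ascii')` is identical on both.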
1877
1878 2017-06-15  Mark Lam  <mark.lam@apple.com>
1879
1880         Add a JSRunLoopTimer registry in VM.
1881         https://bugs.webkit.org/show_bug.cgi?id=173429
1882         <rdar://problem/31287961>
1883
1884         Reviewed by Filip Pizlo.
1885
1886         This way, we can be sure we've got every JSRunLoopTimer instance covered if we
1887         need to change their run loop (e.g. when setting to the WebThread's run loop).
1888
1889         * heap/Heap.cpp:
1890         (JSC::Heap::Heap):
1891         (JSC::Heap::setRunLoop): Deleted.
1892         * heap/Heap.h:
1893         (JSC::Heap::runLoop): Deleted.
1894         * runtime/JSRunLoopTimer.cpp:
1895         (JSC::JSRunLoopTimer::JSRunLoopTimer):
1896         (JSC::JSRunLoopTimer::setRunLoop):
1897         (JSC::JSRunLoopTimer::~JSRunLoopTimer):
1898         * runtime/VM.cpp:
1899         (JSC::VM::VM):
1900         (JSC::VM::registerRunLoopTimer):
1901         (JSC::VM::unregisterRunLoopTimer):
1902         (JSC::VM::setRunLoop):
1903         * runtime/VM.h:
1904         (JSC::VM::runLoop):
1905
1906 2017-06-15  Joseph Pecoraro  <pecoraro@apple.com>
1907
1908         [Cocoa] Modernize some internal initializers to use instancetype instead of id
1909         https://bugs.webkit.org/show_bug.cgi?id=173112
1910
1911         Reviewed by Wenson Hsieh.
1912
1913         * API/JSContextInternal.h:
1914         * API/JSWrapperMap.h:
1915         * API/JSWrapperMap.mm:
1916         (-[JSObjCClassInfo initForClass:]):
1917         (-[JSWrapperMap initWithGlobalContextRef:]):
1918
1919 2017-06-15  Matt Baker  <mattbaker@apple.com>
1920
1921         Web Inspector: Instrument 2D/WebGL canvas contexts in the backend
1922         https://bugs.webkit.org/show_bug.cgi?id=172623
1923         <rdar://problem/32415986>
1924
1925         Reviewed by Devin Rousso.
1926
1927         This patch adds a basic Canvas protocol. It includes Canvas and related
1928         types and events for monitoring the lifetime of canvases in the page.
1929
1930         * CMakeLists.txt:
1931         * DerivedSources.make:
1932         * inspector/protocol/Canvas.json: Added.
1933
1934         * inspector/scripts/codegen/generator.py:
1935         (Generator.stylized_name_for_enum_value):
1936         Add special handling for Canvas.ContextType protocol enumeration,
1937         so that "canvas-2d" and "webgl" map to `Canvas2D` and `WebGL`.
1938
1939 2017-06-15  Keith Miller  <keith_miller@apple.com>
1940
1941         Add logging to MachineStackMarker to try to diagnose crashes in the wild
1942         https://bugs.webkit.org/show_bug.cgi?id=173427
1943
1944         Reviewed by Mark Lam.
1945
1946         This patch adds some logging to the MachineStackMarker constructor
1947         to help figure out where we are seeing crashes. Since macOS does
1948         not support os_log_info my hope is that if we set all the callee
1949         save registers before making any calls in the C++ code we can
1950         figure out which call is the source of the crash. We also set
1951         all the caller save registers before returning in case some
1952         weirdness is happening in the Heap constructor.
1953
1954         This logging should not matter from a performance perspective. We
1955         only create MachineStackMarkers when we are creating a new VM,
1956         which is already expensive.
1957
1958         * heap/MachineStackMarker.cpp:
1959         (JSC::MachineThreads::MachineThreads):
1960
1961 2017-06-15  Yusuke Suzuki  <utatane.tea@gmail.com>
1962
1963         [JSC] Implement Object.assign in C++
1964         https://bugs.webkit.org/show_bug.cgi?id=173414
1965
1966         Reviewed by Saam Barati.
1967
1968         Implementing Object.assign in JS is not so good compared to the C++ version because,
1969
1970         1. The JS version allocates a JS array for the object's own keys, and we allocate a JSString / Symbol for each key.
1971         But basically, they can be handled as UniquedStringImpl in C++. Allocating these cells is wasteful.
1972
1973         2. While implementing builtins in JS offers some good type speculation chances, Object.assign is inherently super polymorphic,
1974         so JS's type profile doesn't help much.
1975
1976         3. We have a chance to introduce various fast paths for Object.assign in C++.
1977
1978         This patch moves the implementation from JS to C++. It achieves the above (1) and (2). (3) is filed in [1].
1979
1980         We can see 1.65x improvement in SixSpeed object-assign.es6.
1981
1982                                     baseline                  patched
1983
1984         object-assign.es6      643.3253+-8.0521     ^    389.1075+-8.8840        ^ definitely 1.6533x faster
1985
1986         [1]: https://bugs.webkit.org/show_bug.cgi?id=173416
1987
1988         * builtins/ObjectConstructor.js:
1989         (entries):
1990         (assign): Deleted.
1991         * runtime/JSCJSValueInlines.h:
1992         (JSC::JSValue::putInline):
1993         * runtime/JSCell.h:
1994         * runtime/JSCellInlines.h:
1995         (JSC::JSCell::putInline):
1996         * runtime/JSObject.cpp:
1997         (JSC::JSObject::put):
1998         * runtime/JSObject.h:
1999         * runtime/JSObjectInlines.h:
2000         (JSC::JSObject::putInlineForJSObject):
2001         (JSC::JSObject::putInline): Deleted.
2002         * runtime/ObjectConstructor.cpp:
2003         (JSC::objectConstructorAssign):
2004
2005 2017-06-14  Dan Bernstein  <mitz@apple.com>
2006
2007         [Cocoa] Objective-C class whose name begins with an underscore can’t be exported to JavaScript
2008         https://bugs.webkit.org/show_bug.cgi?id=168578
2009
2010         Reviewed by Geoff Garen.
2011
2012         * API/JSWrapperMap.mm:
2013         (allocateConstructorForCustomClass): Updated for change to forEachProtocolImplementingProtocol.
2014         (-[JSObjCClassInfo allocateConstructorAndPrototype]): Ditto.
2015         (-[JSWrapperMap classInfoForClass:]): If the class name begins with an underscore, check if
2016           it defines conformance to a JSExport-derived protocol and if so, avoid using the
2017           superclass as a substitute as we’d normally do.
2018
2019         * API/ObjcRuntimeExtras.h:
2020         (forEachProtocolImplementingProtocol): Added a "stop" argument to the block to let callers
2021           bail out.
2022
2023         * API/tests/JSExportTests.mm:
2024         (+[JSExportTests classNamePrefixedWithUnderscoreTest]): New test for this.
2025         (runJSExportTests): Run new test.
2026
2027 2017-06-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2028
2029         Unreviewed, suppress invalid register allocation validation assertion in 32 bit part 2
2030         https://bugs.webkit.org/show_bug.cgi?id=172421
2031
2032         * dfg/DFGSpeculativeJIT.cpp:
2033         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
2034
2035 2017-06-14  Claudio Saavedra  <csaavedra@igalia.com>
2036
2037         REGRESSION: 15 new jsc failures in WPE and GTK+
2038         https://bugs.webkit.org/show_bug.cgi?id=173349
2039
2040         Reviewed by JF Bastien.
2041
2042         Recent changes to generateWasm.py are not accounted for from
2043         CMake, which leads to WasmOps.h not being regenerated in partial
2044         builds. Make generateWasm.py an additional dependency.
2045         * CMakeLists.txt:
2046
2047 2017-06-13  Joseph Pecoraro  <pecoraro@apple.com>
2048
2049         Debugger has unexpected effect on program correctness
2050         https://bugs.webkit.org/show_bug.cgi?id=172683
2051
2052         Reviewed by Saam Barati.
2053
2054         * inspector/InjectedScriptSource.js:
2055         (InjectedScript.RemoteObject.prototype._appendPropertyPreviews):
2056         (InjectedScript.RemoteObject.prototype._isPreviewableObjectInternal):
2057         (BasicCommandLineAPI):
2058         Eliminate for..of use with Arrays from InjectedScriptSource as it can be observable.
2059         We still use it for Set / Map iteration which we can eliminate when moving to builtins.
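
The observability problem this entry removes, as an added JavaScript example (not WebKit inspector code): a for..of over an Array goes through Array.prototype[Symbol.iterator], which page script can replace, so privileged code that iterates that way both reveals itself to the page and lets the page choose what it iterates over; an index loop touches only the array. The helper names sumWithForOf, sumWithIndex and withHijackedArrayIterator are hypothetical.

```javascript
// Added example (not WebKit code): for..of is steerable through Array.prototype,
// index-based iteration is not.

function sumWithForOf(values) {
  let total = 0;
  for (const v of values) total += v;   // looks up values[Symbol.iterator], found on the prototype
  return total;
}

function sumWithIndex(values) {
  let total = 0;
  for (let i = 0; i < values.length; i++) total += values[i];   // no iterator protocol involved
  return total;
}

// Runs fn while Array.prototype[Symbol.iterator] is replaced by a page-controlled
// generator that records each invocation, then restores the original iterator.
function withHijackedArrayIterator(fn) {
  const original = Array.prototype[Symbol.iterator];
  let invoked = 0;
  Array.prototype[Symbol.iterator] = function* hijacked() {
    invoked++;
    yield 1000;                         // the page decides what "iteration" yields
  };
  try {
    return { result: fn(), invoked };
  } finally {
    Array.prototype[Symbol.iterator] = original;
  }
}
```

Under the replaced iterator, `sumWithForOf([1, 2, 3])` returns 1000 and the page's generator sees one invocation, while `sumWithIndex([1, 2, 3])` still returns 6 and the generator is never called. Spread (`[...arr]`) and array destructuring use the same protocol, so they carry the same exposure as for..of.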
2060
2061 2017-06-13  JF Bastien  <jfbastien@apple.com>
2062
2063         WebAssembly: fix erroneous signature comment
2064         https://bugs.webkit.org/show_bug.cgi?id=173334
2065
2066         Reviewed by Keith Miller.
2067
2068         * wasm/WasmSignature.h:
2069
2070 2017-06-13  Michael Saboff  <msaboff@apple.com>
2071
2072         Refactor AbsenceOfSetter to AbsenceOfSetEffects
2073         https://bugs.webkit.org/show_bug.cgi?id=173322
2074
2075         Reviewed by Filip Pizlo.
2076
2077         * bytecode/ObjectPropertyCondition.h:
2078         (JSC::ObjectPropertyCondition::absenceOfSetEffectWithoutBarrier):
2079         (JSC::ObjectPropertyCondition::absenceOfSetEffect):
2080         (JSC::ObjectPropertyCondition::absenceOfSetterWithoutBarrier): Deleted.
2081         (JSC::ObjectPropertyCondition::absenceOfSetter): Deleted.
2082         * bytecode/ObjectPropertyConditionSet.cpp:
2083         (JSC::generateConditionsForPropertySetterMiss):
2084         (JSC::generateConditionsForPropertySetterMissConcurrently):
2085         * bytecode/PropertyCondition.cpp:
2086         (JSC::PropertyCondition::dumpInContext):
2087         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):
2088         (JSC::PropertyCondition::isStillValid):
2089         (WTF::printInternal):
2090         * bytecode/PropertyCondition.h:
2091         (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
2092         (JSC::PropertyCondition::absenceOfSetEffect):
2093         (JSC::PropertyCondition::hasPrototype):
2094         (JSC::PropertyCondition::hash):
2095         (JSC::PropertyCondition::operator==):
2096         (JSC::PropertyCondition::absenceOfSetterWithoutBarrier): Deleted.
2097         (JSC::PropertyCondition::absenceOfSetter): Deleted.
2098
2099 2017-06-13  JF Bastien  <jfbastien@apple.com>
2100
2101         WebAssembly: import updated spec tests
2102         https://bugs.webkit.org/show_bug.cgi?id=173287
2103         <rdar://problem/32725975>
2104
2105         Reviewed by Saam Barati.
2106
2107         Import spec tests as of 31c641cc15f2aedbec2fa45a5185f68416df578b,
2108         with a few modifications so things work.
2109
2110         Fix a bunch of bugs found through this process, and punt a few tests (which I
2111         marked as blocked by this bug).
2112
2113         Fixes:
2114
2115         Fix load / store alignment: r216908 erroneously implemented it as bit alignment
2116         instead of byte alignment. It was also missing memory-alignment.js despite it
2117         being in the ChangeLog, so add it too. This allows spec-test/align.wast.js to
2118         pass.
2119
2120         Tables can be imported or in a section. There can be only one, but sections can
2121         be empty. An Elements section can exist if there's no Table, as long as it is
2122         also empty.
2123
2124         Memories can be imported or in a section. There can be only one, but sections
2125         can be empty. A Data section can exist if there's no Memory, as long as it is
2126         also empty.
2127
2128         Prototypes: stringify without .prototype. in the string.
2129
2130         WebAssembly.Table.prototype.grow was plain wrong: it takes a delta parameter,
2131         not a final size, and throws a RangeError on failure, not a TypeError.
2132
2133         Fix compile / instantiate so they reject the promise if given an argument of the
2134         wrong type (instead of failing instantly).
2135
2136         Fix async on neuter test.
2137
2138         Element section shouldn't affect any Table if any of the elements are out of
2139         bounds. We need to process it in two passes.
2140
2141         Segment section shouldn't affect any Data if any of the segments are out of
2142         bounds. We need to process it in two passes.
2143
2144         Empty data segments are valid, but only when there is no memory. Their index
2145         still gets validated, and has to be zero.
2146
2147         Punts:
2148
2149         Error messages with context, the test seems overly restrictive but this is
2150         minor.
2151
2152         compile/instantiate/validate property descriptors.
2153
2154         UTF-8 bugs.
2155
2156         Temporarily disable NaN tests. We need to go back and implement the following
2157         semantics: https://github.com/WebAssembly/spec/pull/414 This doesn't matter as
2158         much as getting all the other tests passing.
2159
2160         Worth noting for NaNs: f64.no_fold_mul_one (also a NaN test) as well as
2161         no_fold_promote_demote (an interesting corner case which we get wrong). mul by
2162         one is (assert_return (invoke \"f64.no_fold_mul_one\" (i64.const
2163         0x7ff4000000000000)) (i64.const 0x7ff8000000000000)) which means converting sNaN
2164         to qNaN, and promote/demote is (assert_return (invoke \"no_fold_promote_demote\"
2165         (i32.const 0x7fa00000)) (i32.const 0x7fc00000)) which is the same. I'm not sure
2166         why they're not allowed.
2167
2168         * wasm/WasmB3IRGenerator.cpp:
2169         * wasm/WasmFunctionParser.h:
2170         * wasm/WasmModuleParser.cpp:
2171         * wasm/WasmModuleParser.h:
2172         * wasm/WasmParser.h:
2173         (JSC::Wasm::Parser<SuccessType>::consumeUTF8String):
2174         * wasm/generateWasm.py:
2175         (memoryLog2Alignment):
2176         * wasm/js/JSWebAssemblyTable.cpp:
2177         (JSC::JSWebAssemblyTable::grow):
2178         * wasm/js/JSWebAssemblyTable.h:
2179         * wasm/js/WebAssemblyCompileErrorPrototype.cpp:
2180         * wasm/js/WebAssemblyInstancePrototype.cpp:
2181         * wasm/js/WebAssemblyLinkErrorPrototype.cpp:
2182         * wasm/js/WebAssemblyMemoryPrototype.cpp:
2183         * wasm/js/WebAssemblyModulePrototype.cpp:
2184         * wasm/js/WebAssemblyModuleRecord.cpp:
2185         (JSC::WebAssemblyModuleRecord::evaluate):
2186         * wasm/js/WebAssemblyPrototype.cpp:
2187         (JSC::webAssemblyCompileFunc):
2188         (JSC::resolve):
2189         (JSC::instantiate):
2190         (JSC::compileAndInstantiate):
2191         (JSC::webAssemblyInstantiateFunc):
2192         * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp:
2193         * wasm/js/WebAssemblyTablePrototype.cpp:
2194         (JSC::webAssemblyTableProtoFuncGrow):
2195
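        Added example (not part of this ChangeLog entry and not JSC's own code): two of the
        behaviours described above, exercised from JavaScript. Part A grows a
        WebAssembly.Table through the real JS API, which any engine with WebAssembly
        support (Node.js, for instance) can run, and checks that grow() takes a delta,
        returns the previous length and throws a RangeError once the maximum is exceeded.
        Part B is a small model of the two-pass rule for data segments: applyDataSegments,
        the Uint8Array standing in for linear memory and the segment list are constructed
        here for illustration and are not JSC's implementation.

```javascript
// Added example, not JSC code. Part A exercises the real WebAssembly JS API;
// Part B is a constructed model of validate-then-commit segment initialisation.

// Part A: WebAssembly.Table.prototype.grow takes a delta (not a final size),
// returns the previous length, and throws RangeError when the declared
// maximum would be exceeded. The table is left at its last valid length.
function growTable(initial, maximum, deltas) {
  const table = new WebAssembly.Table({ element: "anyfunc", initial, maximum });
  const log = [];
  for (const delta of deltas) {
    try {
      const previous = table.grow(delta);
      log.push({ delta, previous, length: table.length, error: null });
    } catch (e) {
      log.push({ delta, previous: null, length: table.length, error: e.constructor.name });
    }
  }
  return log;
}

// Constructed input: a table of 1 entry that may hold at most 3.
// A caller that mistakenly passed the desired final size (3) instead of a
// delta would request 1 + 3 = 4 entries and hit the RangeError immediately.
const growLog = growTable(1, 3, [1, 1, 1]);

// Part B: data segments are {offset, bytes}. Pass 1 bounds-checks every
// segment; pass 2 copies. If any segment is out of bounds the memory must be
// left untouched, which a single pass that copies while validating cannot
// guarantee (earlier segments would already have been written).
function applyDataSegments(memory, segments) {
  for (const [i, seg] of segments.entries()) {
    // Compare against (length - size) so offset + size cannot wrap.
    if (!Number.isInteger(seg.offset) || seg.offset < 0 ||
        seg.offset > memory.length - seg.bytes.length) {
      throw new RangeError(`data segment ${i} is out of bounds`);
    }
  }
  for (const seg of segments) memory.set(seg.bytes, seg.offset);
  return memory;
}

// Constructed input: 8 bytes of "memory", one valid segment and one that
// runs past the end. Expected: RangeError and an all-zero memory afterwards.
function segmentDemo() {
  const memory = new Uint8Array(8);
  const segments = [
    { offset: 0, bytes: Uint8Array.of(1, 2) },
    { offset: 7, bytes: Uint8Array.of(9, 9) }, // 7 + 2 > 8
  ];
  let error = null;
  try {
    applyDataSegments(memory, segments);
  } catch (e) {
    error = e.constructor.name;
  }
  return { error, untouched: memory.every((b) => b === 0) };
}
```

        The check in applyDataSegments is written as offset > length - size rather than
        offset + size > length on purpose: with untrusted 32-bit offsets the addition is
        where an implementation in C or C++ would wrap, and the same "validate everything,
        then write" shape is what keeps a rejected module from leaving partially
        initialised memory or tables behind.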
2196 2017-06-13  Michael Saboff  <msaboff@apple.com>
2197
2198         DFG doesn't properly handle a property that is changed to read only in a prototype
2199         https://bugs.webkit.org/show_bug.cgi?id=173321
2200
2201         Reviewed by Filip Pizlo.
2202
2203         We need to check for ReadOnly as well as not being a Setter when checking
2204         an AbsenceOfSetter.
2205
2206         * bytecode/PropertyCondition.cpp:
2207         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):
2208
2209 2017-06-13  Daniel Bates  <dabates@apple.com>
2210
2211         Implement W3C Secure Contexts Draft Specification
2212         https://bugs.webkit.org/show_bug.cgi?id=158121
2213         <rdar://problem/26012994>
2214
2215         Reviewed by Brent Fulgham.
2216
2217         Part 4
2218
2219         Adds isSecureContext to the list of common identifiers as needed to support
2220         toggling its exposure from a runtime enabled feature flag.
2221
2222         * runtime/CommonIdentifiers.h:
2223
2224 2017-06-13  Don Olmstead  <don.olmstead@sony.com>
2225
2226         [JSC] Remove redundant includes in config.h
2227         https://bugs.webkit.org/show_bug.cgi?id=173294
2228
2229         Reviewed by Alex Christensen.
2230
2231         * config.h:
2232
2233 2017-06-12  Saam Barati  <sbarati@apple.com>
2234
2235         We should not claim that SpecEmpty is filtered out of cell checks on 64 bit platforms
2236         https://bugs.webkit.org/show_bug.cgi?id=172957
2237         <rdar://problem/32602704>
2238
2239         Reviewed by Filip Pizlo.
2240
2241         Consider this program:
2242         ```
2243         block#1:
2244         n: GetClosureVar(..., |this|) // this will load empty JSValue()
2245         SetLocal(Cell:@n, locFoo) // Cell check succeeds because JSValue() looks like a cell
2246         Branch(#2, #3)
2247         
2248         Block#3:
2249         x: GetLocal(locFoo)
2250         y: CheckNotEmpty(@x)
2251         ```
2252         
2253         If we claim that a cell check filters out the empty value, we will
2254         incorrectly eliminate the CheckNotEmpty node @y. This patch fixes AI,
2255         FTLLowerDFGToB3, and DFGSpeculativeJIT to no longer make this claim.
2256         
2257         On 64 bit platforms:
2258         - Cell use kind *now allows* the empty value to pass through.
2259         - CellOrOther use kind *now allows* for the empty value to pass through
2260         - NotCell use kind *no longer allows* the empty value to pass through.
2261
2262         * assembler/CPU.h:
2263         (JSC::isARMv7IDIVSupported):
2264         (JSC::isARM64):
2265         (JSC::isX86):
2266         (JSC::isX86_64):
2267         (JSC::is64Bit):
2268         (JSC::is32Bit):
2269         (JSC::isMIPS):
2270         Make these functions constexpr so we can use them in static variable assignment.
2271
2272         * bytecode/SpeculatedType.h:
2273         * dfg/DFGSpeculativeJIT.cpp:
2274         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
2275         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2276         (JSC::DFG::SpeculativeJIT::compileLogicalNotStringOrOther):
2277         (JSC::DFG::SpeculativeJIT::emitStringOrOtherBranch):
2278         (JSC::DFG::SpeculativeJIT::speculateCell):
2279         (JSC::DFG::SpeculativeJIT::speculateCellOrOther):
2280         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
2281         (JSC::DFG::SpeculativeJIT::speculateString):
2282         (JSC::DFG::SpeculativeJIT::speculateStringOrOther):
2283         (JSC::DFG::SpeculativeJIT::speculateSymbol):
2284         (JSC::DFG::SpeculativeJIT::speculateNotCell):
2285         * dfg/DFGSpeculativeJIT32_64.cpp:
2286         * dfg/DFGSpeculativeJIT64.cpp:
2287         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2288         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
2289         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
2290         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2291         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2292         * dfg/DFGUseKind.h:
2293         (JSC::DFG::typeFilterFor):
2294         * ftl/FTLLowerDFGToB3.cpp:
2295         (JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep):
2296         (JSC::FTL::DFG::LowerDFGToB3::numberOrNotCellToInt32):
2297         (JSC::FTL::DFG::LowerDFGToB3::compareEqObjectOrOtherToObject):
2298         (JSC::FTL::DFG::LowerDFGToB3::boolify):
2299         (JSC::FTL::DFG::LowerDFGToB3::equalNullOrUndefined):
2300         (JSC::FTL::DFG::LowerDFGToB3::lowCell):
2301         (JSC::FTL::DFG::LowerDFGToB3::lowNotCell):
2302         (JSC::FTL::DFG::LowerDFGToB3::isCellOrMisc):
2303         (JSC::FTL::DFG::LowerDFGToB3::isNotCellOrMisc):
2304         (JSC::FTL::DFG::LowerDFGToB3::isNotCell):
2305         (JSC::FTL::DFG::LowerDFGToB3::isCell):
2306         (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
2307         (JSC::FTL::DFG::LowerDFGToB3::speculateObjectOrOther):
2308         (JSC::FTL::DFG::LowerDFGToB3::speculateString):
2309         (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):
2310         (JSC::FTL::DFG::LowerDFGToB3::speculateSymbol):
2311
2312 2017-06-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2313
2314         Unreviewed, suppress invalid register allocation validation assertion in 32 bit
2315         https://bugs.webkit.org/show_bug.cgi?id=172421
2316
2317         * dfg/DFGSpeculativeJIT.cpp:
2318         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
2319
2320 2017-06-12  Oleksandr Skachkov  <gskachkov@gmail.com>
2321
2322         We incorrectly allow escaped characters in keyword tokens
2323         https://bugs.webkit.org/show_bug.cgi?id=171310
2324
2325         Reviewed by Yusuke Suzuki.
2326
2327         According to the spec it is not allowed to use escaped characters in
2328         keywords. https://tc39.github.io/ecma262/#sec-reserved-words
2329         The current patch implements this requirement.
2330
2331
2332         * parser/Lexer.cpp:
2333         (JSC::Lexer<CharacterType>::parseIdentifierSlowCase):
2334         * parser/Parser.cpp:
2335         (JSC::Parser<LexerType>::printUnexpectedTokenText):
2336         * parser/ParserTokens.h:
2337
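        Added example (not part of this ChangeLog entry and not the patch's code): the
        reserved-word rule from the spec section linked above, observed from JavaScript.
        "\u0069f" spells "if" with a Unicode escape. A conforming lexer must reject it
        wherever a keyword is expected, yet still accept it as an IdentifierName in
        positions where any name is allowed, such as an object property name. The parses
        helper and the probe list are constructed here for illustration; the example
        runs on any engine that implements this rule (Node.js does).

```javascript
// Added example, not JSC code: probe how the engine tokenises escaped keywords.

// Parse-only check: new Function compiles the body without executing it.
// Returns true if the source parses, false on SyntaxError, rethrows anything else.
function parses(source) {
  try {
    new Function(source);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed probes: [description, source text, expected to parse].
// The double backslash makes the source text contain a literal \u0069f,
// so the escape is decoded by the engine's lexer, not by this file.
const keywordProbes = [
  ["plain keyword", "if (true) {}", true],
  ["escaped keyword in statement position", "\\u0069f (true) {}", false],
  ["escaped keyword as a binding name", "var \\u0069f = 1;", false],
  ["escaped keyword as a property name", "var o = { \\u0069f: 1 }; return o.if;", true],
];

// Runs every probe and reports expected versus actual, so a divergence
// between two engines (or between an engine and a sanitiser's tokenizer)
// shows up as a row where the two differ.
function checkKeywordProbes() {
  return keywordProbes.map(([name, source, expected]) => ({
    name,
    expected,
    actual: parses(source),
  }));
}
```

        Any filter or transpiler that decides what a piece of script does by matching
        keywords textually should be checked against these probes: a tokenizer that
        decodes escapes before matching, or one that never decodes them, disagrees with a
        spec-conforming engine on at least one row.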
2338 2017-06-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2339
2340         Unreviewed, add branch64(Cond, BaseIndex, RegisterID) for ARM64
2341         https://bugs.webkit.org/show_bug.cgi?id=172421
2342
2343         * assembler/MacroAssemblerARM64.h:
2344         (JSC::MacroAssemblerARM64::branch64):
2345         (JSC::MacroAssemblerARM64::branchPtr):
2346
2347 2017-06-12  Commit Queue  <commit-queue@webkit.org>
2348
2349         Unreviewed, rolling out r218093.
2350         https://bugs.webkit.org/show_bug.cgi?id=173259
2351
2352         Break builds (Requested by yusukesuzuki on #webkit).
2353
2354         Reverted changeset:
2355
2356         "Unreviewed, build fix for ARM64"
2357         https://bugs.webkit.org/show_bug.cgi?id=172421
2358         http://trac.webkit.org/changeset/218093
2359
2360 2017-06-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2361
2362         Unreviewed, build fix for ARM64
2363         https://bugs.webkit.org/show_bug.cgi?id=172421
2364
2365         * dfg/DFGSpeculativeJIT.cpp:
2366         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
2367
2368 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2369
2370         [DFG] Add ArrayIndexOf intrinsic
2371         https://bugs.webkit.org/show_bug.cgi?id=172421
2372
2373         Reviewed by Saam Barati.
2374
2375         This patch introduces ArrayIndexOfIntrinsic for DFG and FTL optimizations.
2376         We emit an array check and go to the fast path if the array is Array::Int32, Array::Double
2377         or Array::Contiguous. In addition, for the Array::Int32 and Array::Double cases,
2378         we have inlined fast paths.
2379
2380         With updated ARES-6 Babylon,
2381
2382         Before
2383             firstIteration:     45.76 +- 3.87 ms
2384             averageWorstCase:   24.41 +- 2.17 ms
2385             steadyState:        8.01 +- 0.22 ms
2386         After
2387             firstIteration:     45.64 +- 4.23 ms
2388             averageWorstCase:   23.03 +- 3.34 ms
2389             steadyState:        7.33 +- 0.34 ms
2390
2391         In SixSpeed.
2392                                          baseline                  patched
2393
2394             map-set-lookup.es5      734.4701+-10.4383    ^    102.0968+-2.6357        ^ definitely 7.1939x faster
2395             map-set.es5              41.1396+-1.0558     ^     33.1916+-0.7986        ^ definitely 1.2395x faster
2396             map-set-object.es5       62.8317+-1.2518     ^     45.6944+-0.8369        ^ definitely 1.3750x faster
2397
2398         * dfg/DFGAbstractInterpreterInlines.h:
2399         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2400         * dfg/DFGByteCodeParser.cpp:
2401         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2402         * dfg/DFGClobberize.h:
2403         (JSC::DFG::clobberize):
2404         * dfg/DFGDoesGC.cpp:
2405         (JSC::DFG::doesGC):
2406         * dfg/DFGFixupPhase.cpp:
2407         (JSC::DFG::FixupPhase::fixupNode):
2408         * dfg/DFGNode.h:
2409         (JSC::DFG::Node::hasArrayMode):
2410         * dfg/DFGNodeType.h:
2411         * dfg/DFGOperations.cpp:
2412         * dfg/DFGOperations.h:
2413         * dfg/DFGPredictionPropagationPhase.cpp:
2414         * dfg/DFGSafeToExecute.h:
2415         (JSC::DFG::safeToExecute):
2416         * dfg/DFGSpeculativeJIT.cpp:
2417         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
2418         (JSC::DFG::SpeculativeJIT::speculateObject):
2419         * dfg/DFGSpeculativeJIT.h:
2420         (JSC::DFG::SpeculativeJIT::callOperation):
2421         * dfg/DFGSpeculativeJIT32_64.cpp:
2422         (JSC::DFG::SpeculativeJIT::compile):
2423         * dfg/DFGSpeculativeJIT64.cpp:
2424         (JSC::DFG::SpeculativeJIT::compile):
2425         (JSC::DFG::SpeculativeJIT::speculateInt32):
2426         * ftl/FTLCapabilities.cpp:
2427         (JSC::FTL::canCompile):
2428         * ftl/FTLLowerDFGToB3.cpp:
2429         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2430         (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf):
2431         * jit/JITOperations.h:
2432         * runtime/ArrayPrototype.cpp:
2433         (JSC::ArrayPrototype::finishCreation):
2434         * runtime/Intrinsic.cpp:
2435         (JSC::intrinsicName):
2436         * runtime/Intrinsic.h:
2437
2438 2017-06-11  Keith Miller  <keith_miller@apple.com>
2439
2440         TypedArray constructor with string shouldn't throw
2441         https://bugs.webkit.org/show_bug.cgi?id=173181
2442
2443         Reviewed by JF Bastien.
2444
2445         We should be coercing primitive arguments to numbers in the various
2446         TypedArray constructors.
2447
2448         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2449         (JSC::constructGenericTypedArrayViewWithArguments):
2450
2451 2017-06-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2452
2453         [WTF] Make ThreadMessage portable
2454         https://bugs.webkit.org/show_bug.cgi?id=172073
2455
2456         Reviewed by Keith Miller.
2457
2458         * runtime/MachineContext.h:
2459         (JSC::MachineContext::stackPointer):
2460         * tools/CodeProfiling.cpp:
2461         (JSC::profilingTimer):
2462
2463 2017-06-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2464
2465         [JSC] Shrink Structure size
2466         https://bugs.webkit.org/show_bug.cgi?id=173239
2467
2468         Reviewed by Mark Lam.
2469
2470         We find that the size of our Structure is slightly enlarged due to padding.
2471         By changing the order of members, we can reduce the size from 120 to 112.
2472         This is good because 120 and 112 are categorized into different size classes.
2473         For 120, we allocate 128 bytes. And for 112, we allocate 112 bytes.
2474         We now save 16 bytes per Structure for free.
2475
2476         * runtime/ConcurrentJSLock.h:
2477         * runtime/Structure.cpp:
2478         (JSC::Structure::Structure):
2479         * runtime/Structure.h:
2480
2481 2017-06-11  Konstantin Tokarev  <annulen@yandex.ru>
2482
2483         Unreviewed, attempt to fix JSC tests on Win after r217771
2484
2485         * jsc.cpp:
2486         (currentWorkingDirectory): buffer is not NULL-terminated
2487
2488 2017-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2489
2490         [WTF] Add RegisteredSymbolImpl
2491         https://bugs.webkit.org/show_bug.cgi?id=173230
2492
2493         Reviewed by Mark Lam.
2494
2495         * runtime/SymbolConstructor.cpp:
2496         (JSC::symbolConstructorKeyFor):
2497
2498 2017-06-10  Dan Bernstein  <mitz@apple.com>
2499
2500         Reverted r218056 because it made the IDE reindex constantly.
2501
2502         * Configurations/DebugRelease.xcconfig:
2503
2504 2017-06-10  Dan Bernstein  <mitz@apple.com>
2505
2506         [Xcode] With Xcode 9 developer beta, everything rebuilds when switching between command-line and IDE
2507         https://bugs.webkit.org/show_bug.cgi?id=173223
2508
2509         Reviewed by Sam Weinig.
2510
2511         The rebuilds were happening due to a difference in the compiler options that the IDE and
2512         xcodebuild were specifying. Only the IDE was passing the -index-store-path option. To make
2513         xcodebuild pass that option, too, set CLANG_INDEX_STORE_ENABLE to YES if it is unset, and
2514         specify an appropriate path in CLANG_INDEX_STORE_PATH.
2515
2516         * Configurations/DebugRelease.xcconfig:
2517
2518 2017-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2519
2520         [JSC] Update RegExp.prototype.[@@search] implementation according to the latest spec
2521         https://bugs.webkit.org/show_bug.cgi?id=173227
2522
2523         Reviewed by Mark Lam.
2524
2525         The latest spec introduces a slight change to RegExp.prototype.[@@search].
2526         This patch applies this change. Basically, this change is done in the slow path of
2527         the RegExp.prototype[@@search].
2528         https://tc39.github.io/ecma262/#sec-regexp.prototype-@@search
2529
2530         * builtins/RegExpPrototype.js:
2531         (search):
2532
2533 2017-06-09  Chris Dumez  <cdumez@apple.com>
2534
2535         Update Thread::create() to take in a WTF::Function instead of a std::function
2536         https://bugs.webkit.org/show_bug.cgi?id=173175
2537
2538         Reviewed by Mark Lam.
2539
2540         * API/tests/CompareAndSwapTest.cpp:
2541         (testCompareAndSwap):
2542
2543 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2544
2545         [DFG] Add verboseDFGOSRExit
2546         https://bugs.webkit.org/show_bug.cgi?id=173156
2547
2548         Reviewed by Saam Barati.
2549
2550         This patch adds verboseDFGOSRExit which is similar to verboseFTLOSRExit.
2551
2552         * dfg/DFGOSRExitCompiler.cpp:
2553         * runtime/Options.h:
2554
2555 2017-06-09  Guillaume Emont  <guijemont@igalia.com>
2556
2557         [JSC][MIPS] Add MacroAssemblerMIPS::xor32(Address, RegisterID) implementation
2558         https://bugs.webkit.org/show_bug.cgi?id=173170
2559
2560         Reviewed by Yusuke Suzuki.
2561
2562         MIPS does not build since r217711 because it is missing this
2563         implementation. This patch fixes the build.
2564
2565         * assembler/MacroAssemblerMIPS.h:
2566         (JSC::MacroAssemblerMIPS::xor32):
2567
2568 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2569
2570         [JSC] FTL does not require dlfcn
2571         https://bugs.webkit.org/show_bug.cgi?id=173143
2572
2573         Reviewed by Darin Adler.
2574
2575         We no longer use LLVM library. Thus, dlfcn.h is not necessary.
2576         Also, ProcessID is not used in FTLLowerDFGToB3.cpp.
2577
2578         * ftl/FTLLowerDFGToB3.cpp:
2579
2580 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2581
2582         [DFG] Add --verboseDFGFailure
2583         https://bugs.webkit.org/show_bug.cgi?id=173155
2584
2585         Reviewed by Sam Weinig.
2586
2587         Similar to verboseFTLFailure, JSC should have verboseDFGFailure flag to show DFG failures quickly.
2588
2589         * dfg/DFGCapabilities.cpp:
2590         (JSC::DFG::verboseCapabilities):
2591         (JSC::DFG::debugFail):
2592         * runtime/Options.cpp:
2593         (JSC::recomputeDependentOptions):
2594         * runtime/Options.h:
2595
2596 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2597
2598         [JSC] Drop OS(DARWIN) for VM_TAG_FOR_WEBASSEMBLY_MEMORY
2599         https://bugs.webkit.org/show_bug.cgi?id=173147
2600
2601         Reviewed by JF Bastien.
2602
2603         Because this value becomes -1 in non-Darwin environments.
2604         Thus, we do not need to use OS(DARWIN) here.
2605
2606         * wasm/WasmMemory.cpp:
2607
2608 2017-06-09  Daewoong Jang  <daewoong.jang@navercorp.com>
2609
2610         Reduce compiler warnings
2611         https://bugs.webkit.org/show_bug.cgi?id=172078
2612
2613         Reviewed by Yusuke Suzuki.
2614
2615         * runtime/IntlDateTimeFormat.h:
2616
2617 2017-06-08  Joseph Pecoraro  <pecoraro@apple.com>
2618
2619         [Cocoa] JSWrapperMap leaks for all JSContexts
2620         https://bugs.webkit.org/show_bug.cgi?id=173110
2621         <rdar://problem/32602198>
2622
2623         Reviewed by Geoffrey Garen.
2624
2625         * API/JSContext.mm:
2626         (-[JSContext ensureWrapperMap]):
2627         Ensure this allocation gets released.
2628
2629 2017-06-08  Filip Pizlo  <fpizlo@apple.com>
2630
2631         REGRESSION: js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-5.html has a flaky failure
2632         https://bugs.webkit.org/show_bug.cgi?id=161156
2633
2634         Reviewed by Saam Barati.
2635         
2636         Since LLInt does not register impure property watchpoints for self property accesses, it
2637         shouldn't try to cache accesses that require a watchpoint.
2638         
2639         This manifested as a flaky failure because the test would fire the watchpoint after we had
2640         usually already tiered up. Without concurrent JIT, we would have always tiered up before
2641         getting to the bad case. With concurrent JIT, we would sometimes not tier up by that time. This
2642         also adds a test that deterministically failed in LLInt without this change; it does so by just
2643         running a lot shorter.
2644
2645         * llint/LLIntSlowPaths.cpp:
2646         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2647
2648 2017-06-08  Keith Miller  <keith_miller@apple.com>
2649
2650         WebAssembly: We should only create wrappers for functions that can be exported
2651         https://bugs.webkit.org/show_bug.cgi?id=173088
2652
2653         Reviewed by Saam Barati.
2654
2655         This patch makes it so we only create wrappers for WebAssembly functions that
2656         can actually be exported. It appears to be a ~2.5% speedup on WasmBench compile times.
2657
2658         This patch also removes most of the old testWasmModuleFunctions api from the jsc CLI.
2659         Most of the tests were duplicates of ones in the spec-tests directory. The others I
2660         have converted to use the normal API.
2661
2662         * jsc.cpp:
2663         (GlobalObject::finishCreation):
2664         (valueWithTypeOfWasmValue): Deleted.
2665         (box): Deleted.
2666         (callWasmFunction): Deleted.
2667         (functionTestWasmModuleFunctions): Deleted.
2668         * wasm/WasmB3IRGenerator.cpp:
2669         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2670         (JSC::Wasm::createJSToWasmWrapper):
2671         (JSC::Wasm::parseAndCompile):
2672         * wasm/WasmB3IRGenerator.h:
2673         * wasm/WasmBBQPlan.cpp:
2674         (JSC::Wasm::BBQPlan::prepare):
2675         (JSC::Wasm::BBQPlan::compileFunctions):
2676         (JSC::Wasm::BBQPlan::complete):
2677         * wasm/WasmBBQPlan.h:
2678         * wasm/WasmBBQPlanInlines.h:
2679         (JSC::Wasm::BBQPlan::initializeCallees):
2680         * wasm/WasmCodeBlock.cpp:
2681         (JSC::Wasm::CodeBlock::CodeBlock):
2682         * wasm/WasmCodeBlock.h:
2683         (JSC::Wasm::CodeBlock::jsEntrypointCalleeFromFunctionIndexSpace):
2684         * wasm/WasmFormat.h:
2685         * wasm/WasmOMGPlan.cpp:
2686         (JSC::Wasm::OMGPlan::work):
2687
2688 2017-06-07  JF Bastien  <jfbastien@apple.com>
2689
2690         WebAssembly: test imports and exports with 16-bit characters
2691         https://bugs.webkit.org/show_bug.cgi?id=165977
2692         <rdar://problem/29760130>
2693
2694         Reviewed by Saam Barati.
2695
2696         Add the missing UTF-8 conversions. Improve import failure error
2697         messages, otherwise it's hard to figure out which import is wrong.
2698
2699         * wasm/js/JSWebAssemblyInstance.cpp:
2700         (JSC::JSWebAssemblyInstance::create):
2701         * wasm/js/WebAssemblyModuleRecord.cpp:
2702         (JSC::WebAssemblyModuleRecord::finishCreation):
2703         (JSC::WebAssemblyModuleRecord::link):
2704
2705 2017-06-07  Devin Rousso  <drousso@apple.com>
2706
2707         Web Inspector: Add ContextMenu item to log WebSocket object to console
2708         https://bugs.webkit.org/show_bug.cgi?id=172878
2709
2710         Reviewed by Joseph Pecoraro.
2711
2712         * inspector/protocol/Network.json:
2713         Add resolveWebSocket command.
2714
2715 2017-06-07  Jon Davis  <jond@apple.com>
2716
2717         Update feature status for features Supported In Preview
2718         https://bugs.webkit.org/show_bug.cgi?id=173071
2719
2720         Reviewed by Darin Adler.
2721
2722         Updated Media Capture and Streams, Performance Observer, Resource Timing Level 2,
2723         User Timing Level 2, Web Cryptography API, WebGL 2, WebRTC.
2724
2725         * features.json:
2726
2727 2017-06-07  Saam Barati  <sbarati@apple.com>
2728
2729         Assertion failure in com.apple.WebKit.WebContent.Development in com.apple.JavaScriptCore: JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined + 141
2730         https://bugs.webkit.org/show_bug.cgi?id=172673
2731         <rdar://problem/32250144>
2732
2733         Reviewed by Mark Lam.
2734
2735         This patch simply removes this assertion. It's faulty because it
2736         races with the main thread when doing concurrent compilation.
2737         
2738         Consider a program with:
2739         - a FrozenValue over an object O and Structure S1. S1 starts off as dfgWatchable() being true.
2740         - Structure S2
2741         
2742         The DFG IR is like so:
2743           a: JSConstant(O) // FrozenValue {O, S1}
2744           b: CheckStructure(@a, S2)
2745           c: ToThis(@a)
2746           d: CheckEq(@c, nullConstant)
2747           Branch(@d)
2748         
2749         The AbstractValue for @a will start off as having a finite structure because S1 is dfgWatchable().
2750         When running AI, we'll notice that node @b will OSR exit, so nodes after
2751         @b are unreachable. Later in the compilation, S1 is no longer dfgWatchable().
2752         Now, when running AI, @a will have Top for its structure set. No longer will
2753         we think @b exits.
2754         
2755         The DFG backend asserts that under such a situation, we should have simplified
2756         the CheckEq to false. However, this is a racy thing to assert, since the
2757         transition from dfgWatchable() to !dfgWatchable() can happen right before we
2758         enter the backend. Hence, this assertion is not valid.
2759         
2760         (Note, the generated code for the above program will never actually execute.
2761         Since we noticed S1 as dfgWatchable(), we make the compilation dependent on
2762         S1 not transitioning. S1 transitions, so we won't actually run the code that
2763         gets compiled.)
2764
2765         * dfg/DFGSpeculativeJIT64.cpp:
2766         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
2767
2768 2017-06-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2769
2770         [JSC] has_generic_property never accepts non-String
2771         https://bugs.webkit.org/show_bug.cgi?id=173057
2772
2773         Reviewed by Darin Adler.
2774
2775         We never pass non-String value to has_generic_property bytecode.
2776
2777         * runtime/CommonSlowPaths.cpp:
2778         (JSC::SLOW_PATH_DECL):
2779
2780 2017-06-06  Fujii Hironori  <Hironori.Fujii@sony.com>
2781
2782         [Win][x86-64] Some callee saved registers aren't preserved
2783         https://bugs.webkit.org/show_bug.cgi?id=171266
2784
2785         Reviewed by Saam Barati.
2786
2787         * jit/RegisterSet.cpp:
2788         (JSC::RegisterSet::calleeSaveRegisters): Added edi and esi for X86_64 Windows.
2789
2790 2017-06-06  Mark Lam  <mark.lam@apple.com>
2791
2792         Contiguous storage butterfly length should not exceed MAX_STORAGE_VECTOR_LENGTH.
2793         https://bugs.webkit.org/show_bug.cgi?id=173035
2794         <rdar://problem/32554593>
2795
2796         Reviewed by Geoffrey Garen and Filip Pizlo.
2797
2798         Also added and fixed up some assertions.
2799
2800         * runtime/ArrayConventions.h:
2801         * runtime/JSArray.cpp:
2802         (JSC::JSArray::setLength):
2803         * runtime/JSObject.cpp:
2804         (JSC::JSObject::createInitialIndexedStorage):
2805         (JSC::JSObject::ensureLengthSlow):
2806         (JSC::JSObject::reallocateAndShrinkButterfly):
2807         * runtime/JSObject.h:
2808         (JSC::JSObject::ensureLength):
2809         * runtime/RegExpObject.cpp:
2810         (JSC::collectMatches):
2811         * runtime/RegExpPrototype.cpp:
2812         (JSC::regExpProtoFuncSplitFast):
2813
2814 2017-06-06  Saam Barati  <sbarati@apple.com>
2815
2816         Make sure we restore SP when doing calls that could be to JS
2817         https://bugs.webkit.org/show_bug.cgi?id=172946
2818         <rdar://problem/32579026>
2819
2820         Reviewed by JF Bastien.
2821
2822         I was worried that there was a bug where we'd call JS, JS would tail call,
2823         and we'd end up with a bogus SP. However, this bug does not exist since wasm
2824         always calls to JS through a stub, and the stub treats SP as a callee save.
2825         
2826         I wrote a test for this, and also made a note that this is the needed ABI.
2827
2828         * wasm/WasmBinding.cpp:
2829         (JSC::Wasm::wasmToJs):
2830
2831 2017-06-06  Keith Miller  <keith_miller@apple.com>
2832
2833         OMG tier up checks should be a patchpoint
2834         https://bugs.webkit.org/show_bug.cgi?id=172944
2835
2836         Reviewed by Saam Barati.
2837
2838         Tier up checks in BBQ should be done as a patchpoint rather than individual B3 opcodes,
2839         in order to reduce code generated out of line in each function. We generate a single stub
2840         that pushes all the callee-saves. This looks like a 5-10% compile time speedup.
2841
2842         * wasm/WasmB3IRGenerator.cpp:
2843         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2844         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
2845         (JSC::Wasm::B3IRGenerator::addLoop):
2846         * wasm/WasmThunks.cpp:
2847         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
2848         * wasm/WasmThunks.h:
2849
2850 2017-06-06  Darin Adler  <darin@apple.com>
2851
2852         Cut down use of WTF_ARRAY_LENGTH
2853         https://bugs.webkit.org/show_bug.cgi?id=172997
2854
2855         Reviewed by Chris Dumez.
2856
2857         * parser/Lexer.cpp:
2858         (JSC::singleEscape): Use WTF_ARRAY_LENGTH instead of ARRAY_SIZE.
2859
2860         * runtime/NumberPrototype.cpp:
2861         (JSC::toStringWithRadix): Use std::end instead of WTF_ARRAY_LENGTH.
2862
2863 2017-06-06  Konstantin Tokarev  <annulen@yandex.ru>
2864
2865         Add missing <functional> includes
2866         https://bugs.webkit.org/show_bug.cgi?id=173017
2867
2868         Patch by Thiago Macieira <thiago.macieira@intel.com>
2869         Reviewed by Yusuke Suzuki.
2870
2871         This patch fixes compilation with GCC 7.
2872
2873         * inspector/InspectorBackendDispatcher.h:
2874
2875 2017-06-06  Filip Pizlo  <fpizlo@apple.com>
2876
2877         Unreviewed, fix 32-bit build.
2878
2879         * jit/JITOpcodes.cpp:
2880         (JSC::JIT::emit_op_unreachable):
2881
2882 2017-06-06  Joseph Pecoraro  <pecoraro@apple.com>
2883
2884         Unreviewed rollout r217807. Caused a test to crash.
2885
2886         * heap/HeapSnapshotBuilder.cpp:
2887         (JSC::HeapSnapshotBuilder::buildSnapshot):
2888         (JSC::HeapSnapshotBuilder::json):
2889         (): Deleted.
2890         * heap/HeapSnapshotBuilder.h:
2891         * runtime/JSObject.cpp:
2892         (JSC::JSObject::calculatedClassName):
2893
2894 2017-06-06  Filip Pizlo  <fpizlo@apple.com>
2895
2896         index out of bound in bytecodebasicblock
2897         https://bugs.webkit.org/show_bug.cgi?id=172963
2898
2899         Reviewed by Saam Barati and Mark Lam.
2900         
2901         We were leaving an unterminated basic block when generating CodeForCall for a class
2902         constructor. This was mostly benign since that unterminated block was not reachable, but it
2903         does cause an ASSERT.
2904         
2905         This fixes the issue by appending op_unreachable to that block. I added op_unreachable because
2906         this really is the cleanest and most idiomatic way to solve this problem, so even though it
2907         makes the change bigger it's probably worth it.
2908
2909         * bytecode/BytecodeDumper.cpp:
2910         (JSC::BytecodeDumper<Block>::dumpBytecode):
2911         * bytecode/BytecodeList.json:
2912         * bytecode/BytecodeUseDef.h:
2913         (JSC::computeUsesForBytecodeOffset):
2914         (JSC::computeDefsForBytecodeOffset):
2915         * bytecode/Opcode.h:
2916         (JSC::isTerminal):
2917         * bytecompiler/BytecodeGenerator.cpp:
2918         (JSC::BytecodeGenerator::generate):
2919         (JSC::BytecodeGenerator::emitUnreachable):
2920         * bytecompiler/BytecodeGenerator.h:
2921         * dfg/DFGByteCodeParser.cpp:
2922         (JSC::DFG::ByteCodeParser::parseBlock):
2923         * dfg/DFGCapabilities.cpp:
2924         (JSC::DFG::capabilityLevel):
2925         * ftl/FTLLowerDFGToB3.cpp:
2926         (JSC::FTL::DFG::LowerDFGToB3::compileUnreachable):
2927         * jit/JIT.cpp:
2928         (JSC::JIT::privateCompileMainPass):
2929         * jit/JIT.h:
2930         * jit/JITOpcodes.cpp:
2931         (JSC::JIT::emit_op_unreachable):
2932         * llint/LowLevelInterpreter.asm:
2933         * runtime/CommonSlowPaths.cpp:
2934         (JSC::SLOW_PATH_DECL):
2935         * runtime/CommonSlowPaths.h:
2936
2937 2017-06-06  Ryan Haddad  <ryanhaddad@apple.com>
2938
2939         Unreviewed, rolling out r217812.
2940
2941         This change caused test failures on arm64.
2942
2943         Reverted changeset:
2944
2945         "OMG tier up checks should be a patchpoint"
2946         https://bugs.webkit.org/show_bug.cgi?id=172944
2947         http://trac.webkit.org/changeset/217812
2948
2949 2017-06-06  Carlos Garcia Campos  <cgarcia@igalia.com>
2950
2951         [WPE] Enable remote inspector
2952         https://bugs.webkit.org/show_bug.cgi?id=172971
2953
2954         Reviewed by Žan Doberšek.
2955
2956         We can just build the current glib remote inspector, without adding a frontend implementation and using a
2957         WebKitGTK+ browser as frontend for now.
2958
2959         * PlatformWPE.cmake: Add remote inspector files to compilation.
2960         * inspector/remote/glib/RemoteInspectorUtils.cpp:
2961         (Inspector::backendCommands): Load the inspector resources library.
2962
2963 2017-06-06  Carlos Garcia Campos  <cgarcia@igalia.com>
2964
2965         [GLIB] Make remote inspector DBus protocol common to all glib based ports
2966         https://bugs.webkit.org/show_bug.cgi?id=172970
2967
2968         Reviewed by Žan Doberšek.
2969
2970         We are currently using "webkitgtk" in the names of DBus interfaces and object paths inside an ifdef with the
2971         idea that other ports could use their own names. However, the protocol is the same, so we could use the same
2972         names and make all glib based ports compatible with each other. This way we could use the GTK+ MiniBrowser to
2973         debug WPE, without having to implement the frontend part in WPE yet.
2974
2975         * inspector/remote/glib/RemoteInspectorGlib.cpp: Use webkit instead of webkitgtk and remove platform ifdefs.
2976         * inspector/remote/glib/RemoteInspectorServer.cpp: Ditto.
2977
2978 2017-06-06  Carlos Garcia Campos  <cgarcia@igalia.com>
2979
2980         [GTK] Web Process deadlock when closing the remote inspector frontend
2981         https://bugs.webkit.org/show_bug.cgi?id=172973
2982
2983         Reviewed by Žan Doberšek.
2984
2985         We are taking the remote inspector mutex twice. First, the close message is received, and receivedCloseMessage()
2986         takes the mutex. Then RemoteConnectionToTarget::close() is called that, when connected, calls
2987         PageDebuggable::disconnect() that ends up calling RemoteInspector::updateTarget() that also takes the remote
2988         inspector mutex. We should release the mutex before calling RemoteConnectionToTarget::close().
2989
2990         * inspector/remote/glib/RemoteInspectorGlib.cpp:
2991         (Inspector::RemoteInspector::receivedCloseMessage):
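
        The double-lock described in this entry, as an added C++ illustration that is not WebKit's RemoteInspectorGlib.cpp: the names follow the ChangeLog, the bodies are constructed for the demo, and a small owner-tracking lock stands in for the non-recursive inspector mutex so the would-be deadlock is reported instead of hanging.

```cpp
#include <thread>

// Added illustration, not WebKit's RemoteInspectorGlib.cpp: a minimal model
// of the double-lock described above. Names follow the ChangeLog; the bodies
// are constructed for this demo and everything runs on one thread.
//
// A plain std::mutex relocked by its owner is undefined behaviour (in
// practice a deadlock), so the demo tracks the owner explicitly and reports
// the would-be deadlock instead of hanging.
class NonRecursiveLock {
public:
    // Returns false when the calling thread already holds the lock.
    bool lock()
    {
        if (m_held && m_owner == std::this_thread::get_id())
            return false;
        m_held = true;
        m_owner = std::this_thread::get_id();
        return true;
    }
    void unlock() { m_held = false; }

private:
    bool m_held = false;
    std::thread::id m_owner;
};

struct RemoteInspector {
    NonRecursiveLock mutex;
    bool targetConnected = true;
    bool deadlockDetected = false;

    // Stands in for RemoteInspector::updateTarget(), reached from
    // RemoteConnectionToTarget::close() via PageDebuggable::disconnect().
    void updateTarget()
    {
        if (!mutex.lock()) {
            deadlockDetected = true; // the real code would block here forever
            return;
        }
        targetConnected = false;
        mutex.unlock();
    }
};

struct RemoteConnectionToTarget {
    RemoteInspector& inspector;
    void close() { inspector.updateTarget(); }
};

// Before the fix: the mutex is still held while close() re-enters the inspector.
bool receivedCloseMessageBuggy(RemoteInspector& inspector, RemoteConnectionToTarget& connection)
{
    inspector.mutex.lock();
    connection.close(); // re-enters updateTarget() with the mutex held
    inspector.mutex.unlock();
    return !inspector.deadlockDetected;
}

// After the fix: do the bookkeeping under the mutex, release it, then call close().
bool receivedCloseMessageFixed(RemoteInspector& inspector, RemoteConnectionToTarget& connection)
{
    inspector.mutex.lock();
    // ... remove the connection from the inspector's map under the lock ...
    inspector.mutex.unlock();
    connection.close(); // updateTarget() can now take the mutex itself
    return !inspector.deadlockDetected && !inspector.targetConnected;
}

// Runs both variants on fresh inspectors; true when the buggy one trips the
// reentrancy check and the fixed one disconnects the target cleanly.
bool demoDeadlockFix()
{
    RemoteInspector buggyInspector;
    RemoteConnectionToTarget buggyConnection{buggyInspector};
    RemoteInspector fixedInspector;
    RemoteConnectionToTarget fixedConnection{fixedInspector};
    return !receivedCloseMessageBuggy(buggyInspector, buggyConnection)
        && buggyInspector.deadlockDetected
        && receivedCloseMessageFixed(fixedInspector, fixedConnection);
}

int main()
{
    return demoDeadlockFix() ? 0 : 1;
}
```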
2992
2993 2017-06-05  Saam Barati  <sbarati@apple.com>
2994
2995         Try to fix features.json by adding an ESNext section.
2996
2997         Unreviewed.
2998
2999         * features.json:
3000
3001 2017-06-05  David Kilzer  <ddkilzer@apple.com>
3002
3003         Follow-up: Update JSC's features.json
3004         https://bugs.webkit.org/show_bug.cgi?id=172942
3005
3006         Rubber-stamped by Jon Davis.
3007
3008         * features.json: Change "Supported in preview" to
3009         "Supported" to try to fix <https://webkit.org/status/>.
3010
3011 2017-06-05  Saam Barati  <sbarati@apple.com>
3012
3013         We don't properly parse init_expr when the opcode is an unexpected opcode
3014         https://bugs.webkit.org/show_bug.cgi?id=172945
3015
3016         Reviewed by JF Bastien.
3017
3018         The bug is a simple typo. It should use the constant
3019         `true` instead of `false` when invoking the WASM_PARSER_FAIL_IF
3020         macro. This failure is already caught by spec tests that fail
3021         on arm64 devices.
3022
3023         * wasm/WasmModuleParser.cpp:
3024
3025 2017-06-05  Keith Miller  <keith_miller@apple.com>
3026
3027         OMG tier up checks should be a patchpoint
3028         https://bugs.webkit.org/show_bug.cgi?id=172944
3029
3030         Reviewed by Saam Barati.
3031
3032         Tier up checks in BBQ should be done as a patchpoint rather than individual B3 opcodes,
3033         in order to reduce code generated out of line in each function. We generate a single stub
3034         that pushes all the callee-saves. This looks like a 5-10% compile time speedup.
3035
3036         * wasm/WasmB3IRGenerator.cpp:
3037         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3038         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
3039         (JSC::Wasm::B3IRGenerator::addLoop):
3040         * wasm/WasmThunks.cpp:
3041         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
3042         * wasm/WasmThunks.h:
3043
3044 2017-06-05  Joseph Pecoraro  <pecoraro@apple.com>
3045
3046         Remove unused VM members
3047         https://bugs.webkit.org/show_bug.cgi?id=172941
3048
3049         Reviewed by Mark Lam.
3050
3051         * runtime/HashMapImpl.h:
3052         (JSC::HashMapImpl::selectStructure): Deleted.
3053         * runtime/VM.cpp:
3054         (JSC::VM::VM):
3055         * runtime/VM.h:
3056
3057 2017-06-05  Joseph Pecoraro  <pecoraro@apple.com>
3058
3059         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
3060         https://bugs.webkit.org/show_bug.cgi?id=172848
3061         <rdar://problem/25709212>
3062
3063         Reviewed by Saam Barati.
3064
3065         * heap/HeapSnapshotBuilder.h:
3066         * heap/HeapSnapshotBuilder.cpp:
3067         Update the snapshot version. Change the node's 0 | 1 internal value
3068         to be a 32-bit bit flag. This is nice in that it is both compatible
3069         with the previous snapshot version and the same size. We can use more
3070         flags in the future.
3071
3072         (JSC::HeapSnapshotBuilder::json):
3073         In cases where the classInfo gives us "Object", check for a better
3074         class name by checking (o).__proto__.constructor.name. We avoid this
3075         check in cases where (o).hasOwnProperty("constructor"), which is the
3076         case for most Foo.prototype objects. Otherwise this would get the
3077         name of the Foo superclass for the Foo.prototype object.
3078
3079         * runtime/JSObject.cpp:
3080         (JSC::JSObject::calculatedClassName):
3081         Handle some possible edge cases that were not handled before, such
3082         as a JSObject without a GlobalObject, and an object which doesn't
3083         have a default getPrototype. Try to make the code a little clearer.
3084
3085 2017-06-05  Saam Barati  <sbarati@apple.com>
3086
3087         Update JSC's features.json
3088         https://bugs.webkit.org/show_bug.cgi?id=172942
3089
3090         Rubber stamped by Mark Lam.
3091
3092         * features.json:
3093
3094 2017-06-04  Konstantin Tokarev  <annulen@yandex.ru>
3095
3096         Fix build of Windows-specific code with ICU 59.1
3097         https://bugs.webkit.org/show_bug.cgi?id=172729
3098
3099         Reviewed by Darin Adler.
3100
3101         Fix conversions from WTF::String to wchar_t* and vice versa.
3102
3103         * jsc.cpp:
3104         (currentWorkingDirectory):
3105         (fetchModuleFromLocalFileSystem):
3106         * runtime/DateConversion.cpp:
3107         (JSC::formatDateTime):
3108
3109 2017-06-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3110
3111         [JSC] Drop unnecessary USE(CF) guard for getenv
3112         https://bugs.webkit.org/show_bug.cgi?id=172903
3113
3114         Reviewed by Sam Weinig.
3115
3116         getenv is not related to USE(CF) and OS(UNIX). It seems that this
3117         ifdef only hits in WinCairo, but WinCairo can use getenv.
3118         Moreover, in VM::VM, we already use getenv without any ifdef guard.
3119
3120         This patch just drops it.
3121
3122         * runtime/VM.cpp:
3123         (JSC::enableAssembler):
3124
3125 2017-06-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3126
3127         [JSC] Drop OS(DARWIN) for uintptr_t type conflict
3128         https://bugs.webkit.org/show_bug.cgi?id=172904
3129
3130         Reviewed by Sam Weinig.
3131
3132         In a non-Darwin environment, uintptr_t may have the same type
3133         as uint64_t. We avoided the compile error by using OS(DARWIN).
3134         But, since it depends on the cstdint implementation rather than the OS, it is flaky.
3135         Instead, we just use the template parameter IntegralType,
3136         and we describe the type constraint in a SFINAE manner.
3137
3138         * dfg/DFGOpInfo.h:
3139         (JSC::DFG::OpInfo::OpInfo):
3140
3141 2017-06-03  Csaba Osztrogonác  <ossy@webkit.org>
3142
3143         [ARM] Unreviewed buildfix after r217711.
3144
3145         * assembler/MacroAssemblerARM.h:
3146         (JSC::MacroAssemblerARM::xor32):
3147
3148 2017-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>
3149
3150         ASSERTION FAILED: "We should only declare a function as a lexically scoped variable in scopes where var declarations aren't allowed. ..." for function redeclaration with async function module export
3151         https://bugs.webkit.org/show_bug.cgi?id=168844
3152
3153         Reviewed by Saam Barati.
3154
3155         As with the exported function declaration, we should set statementDepth = 1 for exported async function declarations.
3156
3157         * parser/Parser.cpp:
3158         (JSC::DepthManager::DepthManager):
3159         (JSC::Parser<LexerType>::parseExportDeclaration):
3160         * parser/Parser.h:
3161         (JSC::Parser::DepthManager::DepthManager): Deleted.
3162         (JSC::Parser::DepthManager::~DepthManager): Deleted.
3163
3164 2017-06-02  Keith Miller  <keith_miller@apple.com>
3165
3166         Defer installing mach breakpoint handler until watchdog is actually called
3167         https://bugs.webkit.org/show_bug.cgi?id=172885
3168
3169         Reviewed by Saam Barati.
3170
3171         Eagerly installing the mach breakpoint handler causes issues with Xcode GUI debugging.
3172         This hides the issue, so it won't occur as often.
3173
3174         * runtime/VMTraps.cpp:
3175         (JSC::VMTraps::SignalSender::send):
3176         (JSC::VMTraps::VMTraps): Deleted.
3177         * runtime/VMTraps.h:
3178
3179 2017-06-02  Filip Pizlo  <fpizlo@apple.com>
3180
3181         Atomics.load and Atomics.store need to be fully fenced
3182         https://bugs.webkit.org/show_bug.cgi?id=172844
3183
3184         Reviewed by Keith Miller.
3185         
3186         Implement fully fenced loads and stores in FTL using AtomicXchgAdd(0, ptr) for the load and
3187         AtomicXchg(value, ptr) for the store.
3188         
3189         DFG needed no changes because it implements all atomics using a CAS loop.
3190         
3191         AtomicsObject.cpp now uses the new Atomic<> API for fully fenced loads and stores.
3192         
3193         Prior to this change, we used half fences (acquire/release) for atomic loads and stores. This
3194         is not correct according to my current understanding of the SAB memory model, which requires
3195         that atomic operations are SC with respect to everything, not just other atomics.
3196
3197         * ftl/FTLLowerDFGToB3.cpp:
3198         (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
3199         * ftl/FTLOutput.cpp:
3200         (JSC::FTL::Output::atomicWeakCAS):
3201         * ftl/FTLOutput.h:
3202         * runtime/AtomicsObject.cpp:
3203
3204 2017-06-02  Ryan Haddad  <ryanhaddad@apple.com>
3205
3206         Unreviewed, attempt to fix the iOS build after r217711.
3207
3208         * assembler/MacroAssemblerARM64.h:
3209         (JSC::MacroAssemblerARM64::xor32):
3210         (JSC::MacroAssemblerARM64::xor64):
3211
3212 2017-06-01  Filip Pizlo  <fpizlo@apple.com>
3213
3214         GC should use scrambled free-lists
3215         https://bugs.webkit.org/show_bug.cgi?id=172793
3216
3217         Reviewed by Mark Lam.
3218         
3219         Previously, our bump'n'pop allocator would use a conventional linked-list for the free-list.
3220         The linked-list would be threaded through free memory, as is the usual convention.
3221         
3222         This scrambles the next pointers of that free-list. It also scrambles the head pointer, because
3223         this leads to a more natural fast-path structure and saves one register on ARM64.
3224         
3225         The secret with which pointers are scrambled is per-allocator. Allocators choose a new secret
3226         every time they do a sweep-to-pop.
3227         
3228         This doesn't change the behavior of the bump part of bump'n'pop, but it does refactor the code
3229         quite a bit. Previously, there were four copies of the allocator fast path: two in
3230         MarkedAllocatorInlines.h, one in MarkedAllocator.cpp, and one in AssemblyHelpers.h. The JIT one
3231         was obviously different-looking, but the other three were almost identical. This moves all of
3232         that logic into FreeList. There are now just two copies of the allocator: FreeListInlines.h and
3233         AssemblyHelpers.h.
3234         
3235         This appears to be just as fast as our previous allocator.
3236
3237         * JavaScriptCore.xcodeproj/project.pbxproj:
3238         * heap/FreeList.cpp:
3239         (JSC::FreeList::FreeList):
3240         (JSC::FreeList::~FreeList):
3241         (JSC::FreeList::clear):
3242         (JSC::FreeList::initializeList):
3243         (JSC::FreeList::initializeBump):
3244         (JSC::FreeList::contains):
3245         (JSC::FreeList::dump):
3246         * heap/FreeList.h:
3247         (JSC::FreeList::allocationWillFail):
3248         (JSC::FreeList::originalSize):
3249         (JSC::FreeList::addressOfList):
3250         (JSC::FreeList::offsetOfBlock):
3251         (JSC::FreeList::offsetOfList):
3252         (JSC::FreeList::offsetOfIndex):
3253         (JSC::FreeList::offsetOfPayloadEnd):
3254         (JSC::FreeList::offsetOfRemaining):
3255         (JSC::FreeList::offsetOfOriginalSize):
3256         (JSC::FreeList::FreeList): Deleted.
3257         (JSC::FreeList::list): Deleted.
3258         (JSC::FreeList::bump): Deleted.
3259         (JSC::FreeList::operator==): Deleted.
3260         (JSC::FreeList::operator!=): Deleted.
3261         (JSC::FreeList::operator bool): Deleted.
3262         * heap/FreeListInlines.h: Added.
3263         (JSC::FreeList::addFreeCell):
3264         (JSC::FreeList::allocate):
3265         (JSC::FreeList::forEach):
3266         (JSC::FreeList::toOffset):
3267         (JSC::FreeList::fromOffset):
3268         * heap/IncrementalSweeper.cpp:
3269         (JSC::IncrementalSweeper::sweepNextBlock):
3270         * heap/MarkedAllocator.cpp:
3271         (JSC::MarkedAllocator::MarkedAllocator):
3272         (JSC::MarkedAllocator::didConsumeFreeList):
3273         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
3274         (JSC::MarkedAllocator::tryAllocateIn):
3275         (JSC::MarkedAllocator::allocateSlowCaseImpl):
3276         (JSC::MarkedAllocator::stopAllocating):
3277         (JSC::MarkedAllocator::prepareForAllocation):
3278         (JSC::MarkedAllocator::resumeAllocating):
3279         (JSC::MarkedAllocator::sweep):
3280         (JSC::MarkedAllocator::setFreeList): Deleted.
3281         * heap/MarkedAllocator.h:
3282         (JSC::MarkedAllocator::freeList):
3283         (JSC::MarkedAllocator::isFreeListedCell): Deleted.
3284         * heap/MarkedAllocatorInlines.h:
3285         (JSC::MarkedAllocator::isFreeListedCell):
3286         (JSC::MarkedAllocator::tryAllocate):
3287         (JSC::MarkedAllocator::allocate):
3288         * heap/MarkedBlock.cpp:
3289         (JSC::MarkedBlock::Handle::stopAllocating):
3290         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
3291         (JSC::MarkedBlock::Handle::resumeAllocating):
3292         (JSC::MarkedBlock::Handle::zap):
3293         (JSC::MarkedBlock::Handle::sweep):
3294         (JSC::MarkedBlock::Handle::isFreeListedCell):
3295         (JSC::MarkedBlock::Handle::forEachFreeCell): Deleted.
3296         * heap/MarkedBlock.h:
3297         * heap/MarkedBlockInlines.h:
3298         (JSC::MarkedBlock::Handle::specializedSweep):
3299         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace):
3300         (JSC::MarkedBlock::Handle::isFreeListedCell): Deleted.
3301         * heap/Subspace.cpp:
3302         (JSC::Subspace::finishSweep):
3303         * heap/Subspace.h:
3304         * jit/AssemblyHelpers.h:
3305         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
3306         * runtime/JSDestructibleObjectSubspace.cpp:
3307         (JSC::JSDestructibleObjectSubspace::finishSweep):
3308         * runtime/JSDestructibleObjectSubspace.h:
3309         * runtime/JSSegmentedVariableObjectSubspace.cpp:
3310         (JSC::JSSegmentedVariableObjectSubspace::finishSweep):
3311         * runtime/JSSegmentedVariableObjectSubspace.h:
3312         * runtime/JSStringSubspace.cpp:
3313         (JSC::JSStringSubspace::finishSweep):
3314         * runtime/JSStringSubspace.h:
3315         * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp:
3316         (JSC::JSWebAssemblyCodeBlockSubspace::finishSweep):
3317         * wasm/js/JSWebAssemblyCodeBlockSubspace.h:
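
        The scrambled pop free-list described in this entry, as an added C++ illustration that is not JSC's heap/FreeList.h: method names follow the ChangeLog (addFreeCell, allocate), but XOR-ing with a per-allocator secret is an assumption, since the entry only says the next and head pointers are "scrambled". The demo carves cells out of a constructed buffer and checks that free memory never holds a raw next pointer.

```cpp
#include <cstddef>
#include <cstdint>
#include <random>

// Added illustration, not JSC's heap/FreeList.h: a pop free-list threaded
// through free cells, with the head pointer and every next pointer stored
// XOR-ed with a per-allocator secret. XOR is an assumption; the ChangeLog
// only says the pointers are "scrambled". Method names follow the ChangeLog.
class ScrambledFreeList {
public:
    ScrambledFreeList() { chooseNewSecret(); }

    // The ChangeLog says an allocator picks a new secret on every
    // sweep-to-pop, i.e. whenever the list is rebuilt from scratch.
    void chooseNewSecret()
    {
        std::random_device seed;
        std::mt19937_64 generator(seed());
        m_secret = static_cast<uintptr_t>(generator());
        m_scrambledHead = scramble(nullptr); // empty list, stored scrambled too
    }

    // Thread a free cell onto the list: its first word receives the
    // (already scrambled) previous head, so free memory never holds a
    // raw pointer to the next free cell.
    void addFreeCell(void* cell)
    {
        *static_cast<uintptr_t*>(cell) = m_scrambledHead;
        m_scrambledHead = scramble(cell);
    }

    // Pop the most recently added free cell, or nullptr when empty.
    void* allocate()
    {
        void* cell = unscramble(m_scrambledHead);
        if (!cell)
            return nullptr;
        m_scrambledHead = *static_cast<uintptr_t*>(cell);
        return cell;
    }

    // The raw word an observer of free memory sees for a given cell.
    static uintptr_t storedNextWord(void* cell) { return *static_cast<uintptr_t*>(cell); }

    uintptr_t secret() const { return m_secret; }

private:
    uintptr_t scramble(void* p) const { return reinterpret_cast<uintptr_t>(p) ^ m_secret; }
    void* unscramble(uintptr_t v) const { return reinterpret_cast<void*>(v ^ m_secret); }

    uintptr_t m_secret = 0;
    uintptr_t m_scrambledHead = 0;
};

// Constructed demo: carve four 32-byte cells out of a static block, thread
// them, and pop them back. Returns true when every expected property holds.
bool demoScrambledFreeList()
{
    constexpr size_t cellSize = 32;
    constexpr size_t cellCount = 4;
    alignas(16) static unsigned char block[cellSize * cellCount];

    ScrambledFreeList freeList;
    for (size_t i = 0; i < cellCount; ++i)
        freeList.addFreeCell(block + i * cellSize);

    // Free memory holds (neighbour address XOR secret), which decodes to
    // the neighbour only with the secret in hand.
    void* last = block + 3 * cellSize;
    uintptr_t previous = reinterpret_cast<uintptr_t>(block + 2 * cellSize);
    if (ScrambledFreeList::storedNextWord(last) == previous)
        return false; // would only happen if the secret were zero
    if ((ScrambledFreeList::storedNextWord(last) ^ freeList.secret()) != previous)
        return false;

    // Pops come back in LIFO order, then the list reports empty.
    for (size_t i = cellCount; i-- > 0;) {
        if (freeList.allocate() != block + i * cellSize)
            return false;
    }
    return freeList.allocate() == nullptr;
}

int main()
{
    return demoScrambledFreeList() ? 0 : 1;
}
```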
3318
3319 2017-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>
3320
3321         [JSC] Use @globalPrivate for concatSlowPath
3322         https://bugs.webkit.org/show_bug.cgi?id=172802
3323
3324         Reviewed by Darin Adler.
3325
3326         Use @globalPrivate instead of manually putting it to JSGlobalObject.
3327
3328         * builtins/ArrayPrototype.js:
3329         (concatSlowPath): Deleted.
3330         * runtime/JSGlobalObject.cpp:
3331         (JSC::JSGlobalObject::init):
3332
3333 2017-06-01  Andy Estes  <aestes@apple.com>
3334
3335         REGRESSION (r217626): ENABLE_APPLE_PAY_SESSION_V3 was disabled by mistake
3336         https://bugs.webkit.org/show_bug.cgi?id=172828
3337
3338         Reviewed by Beth Dakin.
3339
3340         * Configurations/FeatureDefines.xcconfig:
3341
3342 2017-06-01  Keith Miller  <keith_miller@apple.com>
3343
3344         Undo rollout in r217638 with bug fix
3345         https://bugs.webkit.org/show_bug.cgi?id=172824
3346
3347         Unreviewed, reland patch with unused set_state code removed.
3348
3349         * API/tests/ExecutionTimeLimitTest.cpp:
3350         (dispatchTermitateCallback):
3351         (testExecutionTimeLimit):
3352         * runtime/JSLock.cpp:
3353         (JSC::JSLock::didAcquireLock):
3354         * runtime/Options.cpp:
3355         (JSC::overrideDefaults):
3356         (JSC::Options::initialize):
3357         * runtime/Options.h:
3358         * runtime/VMTraps.cpp:
3359         (JSC::SignalContext::SignalContext):
3360         (JSC::SignalContext::adjustPCToPointToTrappingInstruction):
3361         (JSC::installSignalHandler):
3362         (JSC::VMTraps::SignalSender::send):
3363         * tools/SigillCrashAnalyzer.cpp:
3364         (JSC::SignalContext::SignalContext):
3365         (JSC::SignalContext::dump):
3366         (JSC::installCrashHandler):
3367         * wasm/WasmBBQPlan.cpp:
3368         (JSC::Wasm::BBQPlan::compileFunctions):
3369         * wasm/WasmFaultSignalHandler.cpp:
3370         (JSC::Wasm::trapHandler):
3371         (JSC::Wasm::enableFastMemory):
3372         * wasm/WasmMachineThreads.cpp:
3373         (JSC::Wasm::resetInstructionCacheOnAllThreads):
3374
3375 2017-06-01  Guillaume Emont  <guijemont@igalia.com>
3376
3377         [JSC][MIPS] SamplingProfiler::timerLoop() sleeps for 4000+ seconds
3378         https://bugs.webkit.org/show_bug.cgi?id=172800
3379
3380         Reviewed by Saam Barati.
3381
3382         This fixes a static_cast<uint64_t> by making it a cast to int64_t
3383         instead, which looks like the original intent. This fixes the
3384         sampling-profiler tests in JSTests/stress.
3385
3386         * runtime/SamplingProfiler.cpp:
3387         (JSC::SamplingProfiler::timerLoop):
3388
3389 2017-06-01  Tomas Popela  <tpopela@redhat.com>, Mark Lam  <mark.lam@apple.com>
3390
3391         RELEASE_ASSERT_NOT_REACHED() in InferredType::kindForFlags() on Big-Endians
3392         https://bugs.webkit.org/show_bug.cgi?id=170945
3393
3394         Reviewed by Mark Lam.
3395
3396         Re-define PutByIdFlags as an int32_t enum explicitly because it is
3397         stored as an int32_t value in UnlinkedInstruction.  This prevents
3398         a bug on 64-bit big endian architectures where the word order is
3399         inverted (when we convert the UnlinkedInstruction into a CodeBlock
3400         Instruction), resulting in the PutByIdFlags value not being stored in
3401         the 32-bit word that the rest of the code expects it to be in.
3402
3403         * bytecode/PutByIdFlags.h:
3404
3405 2017-05-31  Yusuke Suzuki  <utatane.tea@gmail.com>
3406
3407         [JSC] Implement String.prototype.concat in JS builtins
3408         https://bugs.webkit.org/show_bug.cgi?id=172798
3409
3410         Reviewed by Sam Weinig.
3411
3412         Since we have a highly effective + operation for strings,
3413         implementing String.prototype.concat in JS simplifies the
3414         implementation and improves performance by using speculated
3415         types.
3416
3417         Added microbenchmarks show performance improvement.
3418
3419         string-concat-long-convert     1063.2787+-12.9101    ^    109.0855+-2.8083        ^ definitely 9.7472x faster
3420         string-concat-convert          1111.1366+-12.2363    ^     99.3402+-1.9874        ^ definitely 11.1852x faster
3421         string-concat                   131.7377+-3.8359     ^     54.3949+-0.9580        ^ definitely 2.4219x faster
3422         string-concat-long               79.4726+-1.9644     ^     64.6301+-1.4941        ^ definitely 1.2297x faster
3423
3424         * builtins/StringPrototype.js:
3425         (globalPrivate.stringConcatSlowPath):
3426         (concat):
3427         * runtime/StringPrototype.cpp:
3428         (JSC::StringPrototype::finishCreation):
3429         (JSC::stringProtoFuncConcat): Deleted.
3430
3431 2017-05-31  Mark Lam  <mark.lam@apple.com>
3432
3433         Remove overrides of visitChildren() that do not add any functionality.
3434         https://bugs.webkit.org/show_bug.cgi?id=172789
3435         <rdar://problem/32500865>
3436
3437         Reviewed by Andreas Kling.
3438
3439         * bytecode/UnlinkedModuleProgramCodeBlock.cpp:
3440         (JSC::UnlinkedModuleProgramCodeBlock::visitChildren): Deleted.
3441         * bytecode/UnlinkedModuleProgramCodeBlock.h:
3442         * bytecode/UnlinkedProgramCodeBlock.cpp:
3443         (JSC::UnlinkedProgramCodeBlock::visitChildren): Deleted.
3444         * bytecode/UnlinkedProgramCodeBlock.h:
3445         * wasm/js/WebAssemblyFunction.cpp:
3446         (JSC::WebAssemblyFunction::visitChildren): Deleted.
3447         * wasm/js/WebAssemblyFunction.h:
3448         * wasm/js/WebAssemblyInstanceConstructor.cpp:
3449         (JSC::WebAssemblyInstanceConstructor::visitChildren): Deleted.
3450         * wasm/js/WebAssemblyInstanceConstructor.h:
3451         * wasm/js/WebAssemblyMemoryConstructor.cpp:
3452         (JSC::WebAssemblyMemoryConstructor::visitChildren): Deleted.
3453         * wasm/js/WebAssemblyMemoryConstructor.h:
3454         * wasm/js/WebAssemblyModuleConstructor.cpp:
3455         (JSC::WebAssemblyModuleConstructor::visitChildren): Deleted.
3456         * wasm/js/WebAssemblyModuleConstructor.h:
3457         * wasm/js/WebAssemblyTableConstructor.cpp:
3458         (JSC::WebAssemblyTableConstructor::visitChildren): Deleted.
3459         * wasm/js/WebAssemblyTableConstructor.h:
3460
3461 2017-05-31  Commit Queue  <commit-queue@webkit.org>
3462
3463         Unreviewed, rolling out r217611 and r217631.
3464         https://bugs.webkit.org/show_bug.cgi?id=172785
3465
3466         "caused wasm-hashset-many.html to become flaky." (Requested by
3467         keith_miller on #webkit).
3468
3469         Reverted changesets:
3470
3471         "Reland r216808, underlying lldb bug has been fixed."
3472         https://bugs.webkit.org/show_bug.cgi?id=172759
3473         http://trac.webkit.org/changeset/217611
3474
3475         "Use dispatch queues for mach exceptions"
3476         https://bugs.webkit.org/show_bug.cgi?id=172775
3477         http://trac.webkit.org/changeset/217631
3478
3479 2017-05-31  Oleksandr Skachkov  <gskachkov@gmail.com>
3480
3481         Rolling out: Prevent async methods named 'function'
3482         https://bugs.webkit.org/show_bug.cgi?id=172776
3483
3484         Reviewed by Mark Lam.
3485
3486         Rolling out https://bugs.webkit.org/show_bug.cgi?id=172660 r217578 and
3487         https://bugs.webkit.org/show_bug.cgi?id=172598 r217478.
3488         The PR to the spec was closed, so the changes need to be rolled out. See
3489         https://github.com/tc39/ecma262/pull/884#issuecomment-305212494
3490
3491         * parser/Parser.cpp:
3492         (JSC::Parser<LexerType>::parseClass):
3493         (JSC::Parser<LexerType>::parsePropertyMethod):
3494
3495 2017-05-31  Andy Estes  <aestes@apple.com>
3496
3497         Rename ENABLE_APPLE_PAY_DELEGATE to ENABLE_APPLE_PAY_SESSION_V3 and bump the supported version number
3498         https://bugs.webkit.org/show_bug.cgi?id=172366
3499
3500         Reviewed by Daniel Bates.
3501
3502         * Configurations/FeatureDefines.xcconfig:
3503
3504 2017-05-31  Keith Miller  <keith_miller@apple.com>
3505
3506         Reland r216808, underlying lldb bug has been fixed.
3507         https://bugs.webkit.org/show_bug.cgi?id=172759
3508
3510         Unreviewed, relanding old patch. See: rdar://problem/31183352
3511
3512         * API/tests/ExecutionTimeLimitTest.cpp:
3513         (dispatchTermitateCallback):
3514         (testExecutionTimeLimit):
3515         * runtime/JSLock.cpp:
3516         (JSC::JSLock::didAcquireLock):
3517         * runtime/Options.cpp:
3518         (JSC::overrideDefaults):
3519         (JSC::Options::initialize):
3520         * runtime/Options.h:
3521         * runtime/VMTraps.cpp:
3522         (JSC::SignalContext::SignalContext):
3523         (JSC::SignalContext::adjustPCToPointToTrappingInstruction):
3524         (JSC::installSignalHandler):
3525         (JSC::VMTraps::SignalSender::send):
3526         * tools/SigillCrashAnalyzer.cpp:
3527         (JSC::SignalContext::SignalContext):
3528         (JSC::SignalContext::dump):
3529         (JSC::installCrashHandler):
3530         * wasm/WasmBBQPlan.cpp:
3531         (JSC::Wasm::BBQPlan::compileFunctions):
3532         * wasm/WasmFaultSignalHandler.cpp:
3533         (JSC::Wasm::trapHandler):
3534         (JSC::Wasm::enableFastMemory):
3535         * wasm/WasmMachineThreads.cpp:
3536         (JSC::Wasm::resetInstructionCacheOnAllThreads):
3537
3538 2017-05-31  Keith Miller  <keith_miller@apple.com>
3539
3540         Fix leak in PromiseDeferredTimer
3541         https://bugs.webkit.org/show_bug.cgi?id=172755
3542
3543         Reviewed by JF Bastien.
3544
3545         We were not properly freeing the list of dependencies if we were already tracking the promise before.
3546         This is because addPendingPromise takes the list of dependencies as an rvalue-reference. In the case
3547         where we were already tracking the promise we append the provided dependency list to the existing list.
3548         Since we never bound our rvalue-ref to a non-temporary value we never destructed the Vector, leaking its
3549         contents.
3550
3551         * runtime/PromiseDeferredTimer.cpp:
3552         (JSC::PromiseDeferredTimer::addPendingPromise):
3553
3554 2017-05-30  Oleksandr Skachkov  <gskachkov@gmail.com>
3555
3556         Prevent async methods named 'function' in Object literal
3557         https://bugs.webkit.org/show_bug.cgi?id=172660
3558
3559         Reviewed by Saam Barati.
3560
3561         Prevent async methods named 'function' in object literals.
3562         https://github.com/tc39/ecma262/pull/884
3563
3564         * parser/Parser.cpp:
3565         (JSC::Parser<LexerType>::parsePropertyMethod):
3566
3567 2017-05-30  Oleksandr Skachkov  <gskachkov@gmail.com>
3568
3569         ASSERTION FAILED: generator.isConstructor() || generator.derivedContextType() == DerivedContextType::DerivedConstructorContext
3570         https://bugs.webkit.org/show_bug.cgi?id=171274
3571
3572         Reviewed by Saam Barati.
3573
3574         The current patch allows using async arrow functions within a constructor,
3575         and allows access to `this`. The current patch forces loading `this` from the
3576         virtual scope each time we access `this` in an async arrow function
3577         within a constructor; this is necessary because the async function can be
3578         suspended, `superCall` can be called, and the async function resumed.
3579
3580         * bytecompiler/BytecodeGenerator.cpp:
3581         (JSC::BytecodeGenerator::emitPutGeneratorFields):
3582         (JSC::BytecodeGenerator::ensureThis):
3583         * bytecompiler/BytecodeGenerator.h:
3584         (JSC::BytecodeGenerator::makeFunction):
3585
3586 2017-05-30  Ali Juma  <ajuma@chromium.org>
3587
3588         [CredentialManagement] Incorporate IDL updates from latest spec
3589         https://bugs.webkit.org/show_bug.cgi?id=172011
3590
3591         Reviewed by Daniel Bates.
3592
3593         * runtime/CommonIdentifiers.h:
3594
3595 2017-05-30  Alex Christensen  <achristensen@webkit.org>
3596
3597         Update libwebrtc configuration
3598         https://bugs.webkit.org/show_bug.cgi?id=172727
3599
3600         Reviewed by Geoffrey Garen.
3601
3602         * Configurations/FeatureDefines.xcconfig:
3603
3604 2017-05-28  Dan Bernstein  <mitz@apple.com>
3605
3606         [Xcode] ALWAYS_SEARCH_USER_PATHS is set to YES
3607         https://bugs.webkit.org/show_bug.cgi?id=172691
3608
3609         Reviewed by Tim Horton.
3610
3611         * Configurations/Base.xcconfig: Set ALWAYS_SEARCH_USER_PATHS to NO.
3612         * JavaScriptCore.xcodeproj/project.pbxproj: Added ParseInt.h to the JavaScriptCore target.
3613
3614 2017-05-28  Yusuke Suzuki  <utatane.tea@gmail.com>
3615
3616         [JSC] Provide better type information of toLength and tighten bytecode
3617         https://bugs.webkit.org/show_bug.cgi?id=172690
3618
3619         Reviewed by Sam Weinig.
3620
3621         In this patch, we carefully leverage operator + in order to
3622
3623         1. tighten bytecode
3624
3625         operator+ emits the to_number bytecode. What this bytecode does is the same
3626         as a @Number() call. It is more efficient, and it is smaller bytecode
3627         than a @Number() call (load global variable @Number, set up arguments, and
3628         call it).
3629
3630         2. offer better type prediction data
3631
3632         Now, we have code like
3633
3634             length > 0 ? (length < @MAX_SAFE_INTEGER ? length : @MAX_SAFE_INTEGER) : 0
3635
3636         This is not good because the DFG prediction propagation phase predicts Double
3637         since @MAX_SAFE_INTEGER is a double. But actually it rarely becomes Double.
3638         Usually, the result becomes Int32. This patch leverages to_number in a somewhat
3639         interesting way: to_number has value profiling to offer better type prediction.
3640         This value profiling offers a chance to change the prediction to Int32 efficiently.
3641         It is a bit tricky, but it is worth doing to speed up our builtin functions,
3642         which should leverage all of JSC's tricky things to be optimized.
3643
3644         Related microbenchmarks show performance improvement.
3645
3646                                                   baseline                  patched
3647
3648             array-prototype-forEach           50.2348+-2.2331           49.7568+-2.3507
3649             array-prototype-map               51.0574+-1.8166           47.9531+-2.1653          might be 1.0647x faster
3650             array-prototype-some              52.3926+-1.8882     ^     48.3632+-2.0852        ^ definitely 1.0833x faster
3651             array-prototype-every             52.7394+-2.0712           50.2896+-2.1480          might be 1.0487x faster
3652             array-prototype-reduce            54.9994+-2.3638           51.8716+-2.6253          might be 1.0603x faster
3653             array-prototype-reduceRight      209.7594+-9.2594     ^     51.5867+-2.5745        ^ definitely 4.0662x faster
3654
3655
3656         * builtins/GlobalOperations.js:
3657         (globalPrivate.toInteger):
3658         (globalPrivate.toLength):
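
        Added example (not part of this patch and not JSC's builtins/GlobalOperations.js):
        a spec-shaped ToInteger/ToLength in plain JavaScript, written with unary `+` (the
        coercion the patch relies on), followed by a small forEach-style walker that shows
        why the clamp matters when `length` comes from an arbitrary array-like. It runs in
        any engine and does not exercise JSC's to_number bytecode itself; the names
        toInteger, toLength and collectArrayLike are this example's own.

```javascript
// Added example, not JSC code: spec-shaped ToInteger/ToLength using unary `+`,
// plus an array-like walker showing why the [0, 2^53 - 1] clamp matters.
// All names here are this example's own.
const MAX_SAFE_INTEGER = Number.MAX_SAFE_INTEGER; // 2^53 - 1

function toInteger(target) {
  const number = +target;            // ToNumber: the coercion unary `+` performs
  if (number !== number) return 0;   // NaN -> +0
  if (number === 0 || number === Infinity || number === -Infinity) return number;
  return (number > 0 ? 1 : -1) * Math.floor(Math.abs(number)); // truncate toward zero
}

function toLength(target) {
  const length = toInteger(target);
  // Same shape as the clamp quoted in the entry: negatives and -0 become 0,
  // anything at or above 2^53 - 1 (including Infinity) is pinned to MAX_SAFE_INTEGER.
  return length > 0 ? (length < MAX_SAFE_INTEGER ? length : MAX_SAFE_INTEGER) : 0;
}

// A forEach-style walker over an arbitrary array-like. Without toLength a hostile
// or sloppy `length` ("2.9", -5, NaN, undefined) would mis-size the loop; holes
// (indices not present on the object) are skipped, as Array.prototype.forEach does.
function collectArrayLike(arrayLike) {
  const length = toLength(arrayLike.length);
  const out = [];
  for (let index = 0; index < length; index++) {
    if (index in arrayLike) out.push(arrayLike[index]);
  }
  return out;
}
```

        toLength(Infinity) and toLength(2 ** 53 + 10) both clamp to Number.MAX_SAFE_INTEGER,
        while a negative, NaN, null or -0 length makes the walker visit nothing.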
3659
3660 2017-05-28  Sam Weinig  <sam@webkit.org>
3661
3662         [WebIDL] @@iterator should only be accessed once when disambiguating a union type
3663         https://bugs.webkit.org/show_bug.cgi?id=172684
3664
3665         Reviewed by Yusuke Suzuki.
3666
3667         * runtime/IteratorOperations.cpp:
3668         (JSC::iteratorMethod):
3669         (JSC::iteratorForIterable):
3670         * runtime/IteratorOperations.h:
3671         (JSC::forEachInIterable):
3672         Add additional iterator helpers to allow union + sequence conversion code
3673         to check for iterability by getting the iterator method, and iterate using
3674         that method later on.
3675
3676 2017-05-28  Yusuke Suzuki  <utatane.tea@gmail.com>
3677
3678         Unreviewed, build fix for Windows
3679         https://bugs.webkit.org/show_bug.cgi?id=172413
3680
3681         Optimized jsDynamicCast for JSMap and JSSet will be handled in [1].
3682
3683         [1]: https://bugs.webkit.org/show_bug.cgi?id=172685
3684
3685         * runtime/JSMap.h:
3686         (JSC::isJSMap):
3687         (JSC::jsDynamicCast): Deleted.
3688         (JSC::>): Deleted.
3689         * runtime/JSSet.h:
3690         (JSC::isJSSet):
3691         (JSC::jsDynamicCast): Deleted.
3692         (JSC::>): Deleted.
3693         * runtime/MapConstructor.cpp:
3694         (JSC::constructMap):
3695         * runtime/SetConstructor.cpp:
3696         (JSC::constructSet):
3697
3698 2017-05-28  Mark Lam  <mark.lam@apple.com>
3699
3700         Implement a faster Interpreter::getOpcodeID().
3701         https://bugs.webkit.org/show_bug.cgi?id=172669
3702
3703         Reviewed by Saam Barati.
3704
3705         We can implement Interpreter::getOpcodeID() without a hash table lookup by always
3706         embedding the OpcodeID in the 32-bit word just before the start of the LLInt
3707         handler code that executes each opcode.  getOpcodeID() can therefore just read
3708         the 32-bits before the opcode address to get its OpcodeID.
3709
3710         This is currently only enabled for CPU(X86), CPU(X86_64), CPU(ARM64),
3711         CPU(ARM_THUMB2), and only for OS(DARWIN).  It'll probably just work for Linux as
3712         well, but I'll let the Linux folks turn that on after they have verified that it
3713         works on Linux too.
3714
3715         I'll also take this opportunity to clean up how we initialize the opcodeIDTable:
3716         1. we only need to initialize it once per process, not once per VM / interpreter
3717            instance.
3718         2. we can initialize it in the Interpreter constructor instead of requiring a
3719            separate call to an initialize() function.
3720
3721         On debug builds, the Interpreter constructor will also verify that getOpcodeID()
3722         is working correctly for each opcode when USE(LLINT_EMBEDDED_OPCODE_ID).
3723
3724         * bytecode/BytecodeList.json:
3725         * generate-bytecode-files:
3726         * interpreter/Interpreter.cpp:
3727         (JSC::Interpreter::Interpreter):
3728         (JSC::Interpreter::opcodeIDTable):
3729         (JSC::Interpreter::initialize): Deleted.
3730         * interpreter/Interpreter.h:
3731         (JSC::Interpreter::getOpcode):
3732         (JSC::Interpreter::getOpcodeID):
3733         * llint/LowLevelInterpreter.cpp:
3734         * runtime/VM.cpp:
3735         (JSC::VM::VM):
3736
3737 2017-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3738
3739         [JSC] Map and Set constructors should have fast path for cloning
3740         https://bugs.webkit.org/show_bug.cgi?id=172413
3741
3742         Reviewed by Saam Barati.
3743
3744         In this patch, we add a fast path for cloning in Set and Map constructors.
3745
3746         In ARES-6 Air, we have code like `new Set(set)` to clone the given set.
3747         At that time, our generic path just iterates the given set object and adds
3748         each element to the newly created one. It is quite slow because we need to follow
3749         the iterator protocol inside C++ and we need to call set.add() repeatedly
3750         while the given set guarantees the elements are unique.
3751
3752         This patch implements a clone() function for JSMap and JSSet. Cloning a JSMap
3753         or JSSet is done really fast without invoking any observable JS functions.
3754         To check whether we can use this clone() function in Set and Map constructors,
3755         we set several watchpoints.
3756
3757         In the case of Set,
3758
3759         1. Set.prototype[Symbol.iterator] is not changed.
3760         2. SetIterator.prototype.next is not changed.
3761         3. Set.prototype.add is not changed.
3762         4. The given Set does not have [Symbol.iterator] function in its instance.
3763         5. The given Set's [[Prototype]] is Set.prototype.
3764         6. Newly created set's [[Prototype]] is Set.prototype.
3765
3766         If the above requirements are met, cloning the given Set is not observable to users.
3767         Thus we can take a fast path.
3768
3769         Currently, we do not integrate this optimization into DFG and FTL.
3770         And we do not optimize other iterables. For example, we can optimize the Set
3771         constructor taking an Int32 Array. And we should optimize generic iterator cases too.
3772         They are planned as part of a separate bug [1].
3773
3774         This change improves ARES-6 Air by 5.3% in steady state.
3775
3776         Baseline:
3777             Running... Air ( 1  to go)
3778             firstIteration:     76.41 +- 15.60 ms
3779             averageWorstCase:   40.63 +- 7.54 ms
3780             steadyState:        9.13 +- 0.51 ms
3781
3782
3783         Patched:
3784             Running... Air ( 1  to go)
3785             firstIteration:     75.00 +- 22.54 ms
3786             averageWorstCase:   39.18 +- 8.45 ms
3787             steadyState:        8.67 +- 0.28 ms
3788
3789         [1]: https://bugs.webkit.org/show_bug.cgi?id=172419
3790
3791         * CMakeLists.txt:
3792         * JavaScriptCore.xcodeproj/project.pbxproj:
3793         * runtime/ArrayIteratorAdaptiveWatchpoint.cpp: Removed.
3794         * runtime/HashMapImpl.h:
3795         (JSC::HashMapBucket::extractValue):
3796         (JSC::HashMapImpl::finishCreation):
3797         (JSC::HashMapImpl::add):
3798         (JSC::HashMapImpl::setUpHeadAndTail):
3799         (JSC::HashMapImpl::addNormalizedNonExistingForCloning):
3800         (JSC::HashMapImpl::addNormalizedInternal):
3801         * runtime/InternalFunction.cpp:
3802         (JSC::InternalFunction::createSubclassStructureSlow):
3803         (JSC::InternalFunction::createSubclassStructure): Deleted.
3804         * runtime/InternalFunction.h:
3805         (JSC::InternalFunction::createSubclassStructure):
3806         * runtime/JSGlobalObject.cpp:
3807         (JSC::JSGlobalObject::JSGlobalObject):
3808         (JSC::JSGlobalObject::init):
3809         (JSC::JSGlobalObject::visitChildren):
3810         * runtime/JSGlobalObject.h:
3811         (JSC::JSGlobalObject::mapIteratorProtocolWatchpoint):
3812         (JSC::JSGlobalObject::setIteratorProtocolWatchpoint):
3813         (JSC::JSGlobalObject::mapSetWatchpoint):
3814         (JSC::JSGlobalObject::setAddWatchpoint):
3815         (JSC::JSGlobalObject::mapPrototype):
3816         (JSC::JSGlobalObject::jsSetPrototype):
3817         (JSC::JSGlobalObject::setStructure):
3818         * runtime/JSGlobalObjectInlines.h:
3819         (JSC::JSGlobalObject::isMapPrototypeIteratorProtocolFastAndNonObservable):
3820         (JSC::JSGlobalObject::isSetPrototypeIteratorProtocolFastAndNonObservable):
3821         (JSC::JSGlobalObject::isMapPrototypeSetFastAndNonObservable):
3822         (JSC::JSGlobalObject::isSetPrototypeAddFastAndNonObservable):
3823         * runtime/JSMap.cpp:
3824         (JSC::JSMap::clone):
3825         (JSC::JSMap::canCloneFastAndNonObservable):
3826         * runtime/JSMap.h:
3827         (JSC::jsDynamicCast):
3828         (JSC::>):
3829         (JSC::JSMap::createStructure): Deleted.
3830         (JSC::JSMap::create): Deleted.
3831         (JSC::JSMap::set): Deleted.
3832         (JSC::JSMap::JSMap): Deleted.
3833         * runtime/JSSet.cpp:
3834         (JSC::JSSet::clone):
3835         (JSC::JSSet::canCloneFastAndNonObservable):
3836         * runtime/JSSet.h:
3837         (JSC::jsDynamicCast):
3838         (JSC::>):
3839         (JSC::JSSet::createStructure): Deleted.
3840         (JSC::JSSet::create): Deleted.
3841         (JSC::JSSet::JSSet): Deleted.
3842         * runtime/MapConstructor.cpp:
3843         (JSC::constructMap):
3844         * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h: Renamed from Source/JavaScriptCore/runtime/ArrayIteratorAdaptiveWatchpoint.h.
3845         (JSC::ObjectPropertyChangeAdaptiveWatchpoint::ObjectPropertyChangeAdaptiveWatchpoint):
3846         * runtime/SetConstructor.cpp:
3847         (JSC::constructSet):
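
        Added example (not part of this patch): a plain JavaScript probe showing which
        user-visible hooks the generic `new Set(set)` path can invoke, i.e. what each of
        the six conditions listed in the entry above guards. It runs in any engine and
        does not exercise JSC's clone() fast path itself; the hook labels and the
        probe* function names are this example's own.

```javascript
// Added example, not JSC code: which observable hooks the generic
// `new Set(iterable)` path can reach. Each hook maps to one of the six
// conditions the fast clone path must check. Names here are this example's own.

// Conditions 1-3: hooks reachable through Set.prototype / %SetIteratorPrototype%.
function probePrototypeHooks() {
  const log = [];
  const setProto = Set.prototype;
  const iterProto = Object.getPrototypeOf(new Set()[Symbol.iterator]());
  const origIterator = setProto[Symbol.iterator];
  const origNext = iterProto.next;
  const origAdd = setProto.add;

  // Build the source set BEFORE installing hooks so its construction is not logged.
  const source = new Set([1, 2]);
  try {
    // 1. Set.prototype[Symbol.iterator] is fetched from the source set and called.
    setProto[Symbol.iterator] = function () {
      log.push('Set.prototype[Symbol.iterator]');
      return origIterator.call(this);
    };
    // 2. SetIterator.prototype.next drives every step: 2 values plus the final "done".
    iterProto.next = function () {
      log.push('SetIterator.prototype.next');
      return origNext.call(this);
    };
    // 3. Set.prototype.add is looked up on the NEW set and called once per element.
    setProto.add = function (value) {
      log.push('Set.prototype.add');
      return origAdd.call(this, value);
    };
    new Set(source); // the clone under observation
  } finally {
    setProto[Symbol.iterator] = origIterator;
    iterProto.next = origNext;
    setProto.add = origAdd;
  }
  return log;
}

// Conditions 4-6: hooks that bypass Set.prototype entirely, which is why the
// prototype watchpoints alone are not enough.
function probeInstanceAndSubclassHooks() {
  const log = [];

  // 4. An own [Symbol.iterator] on the source instance shadows the prototype's.
  const source = new Set([1, 2]);
  source[Symbol.iterator] = function () {
    log.push('own [Symbol.iterator]');
    return Set.prototype[Symbol.iterator].call(this);
  };
  new Set(source);

  // 5/6. A subclass gives the source or the target a [[Prototype]] other than
  //      Set.prototype; here the target's MySet.prototype.add sees every insertion.
  class MySet extends Set {
    add(value) {
      log.push('MySet.prototype.add');
      return super.add(value);
    }
  }
  new MySet(new Set([1, 2]));
  return log;
}

function countOf(log, name) {
  return log.filter((entry) => entry === name).length;
}
```

        With the hooks installed, cloning a two-element Set calls the iterator
        method once, next() three times and add() twice; an own [Symbol.iterator]
        or a subclass add() is reached even when Set.prototype is untouched.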
3848
3849 2017-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3850
3851         [DOMJIT] Move DOMJIT patchpoint infrastructure out of domjit
3852         https://bugs.webkit.org/show_bug.cgi?id=172260
3853
3854         Reviewed by Filip Pizlo.
3855
3856         DOMJIT::Patchpoint is now used for generalized CheckSubClass, and it has become mature enough
3857         to be used as a general-purpose injectable compiler over all the JIT tiers.
3858
3859         We extract DOMJIT::Patchpoint to jit/ and rename it JSC::Snippet.
3860
3861         * CMakeLists.txt:
3862         * JavaScriptCore.xcodeproj/project.pbxproj:
3863         * bytecode/AccessCaseSnippetParams.cpp: Renamed from Source/JavaScriptCore/bytecode/DOMJITAccessCasePatchpointParams.cpp.
3864         (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
3865         (JSC::AccessCaseSnippetParams::emitSlowPathCalls):
3866         * bytecode/AccessCaseSnippetParams.h: Renamed from Source/JavaScriptCore/bytecode/DOMJITAccessCasePatchpointParams.h.
3867         (JSC::AccessCaseSnippetParams::AccessCaseSnippetParams):
3868         * bytecode/GetterSetterAccessCase.cpp:
3869         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
3870         * dfg/DFGAbstractInterpreterInlines.h:
3871         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3872         * dfg/DFGByteCodeParser.cpp:
3873         (JSC::DFG::blessCallDOMGetter):
3874         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
3875         * dfg/DFGClobberize.h:
3876         (JSC::DFG::clobberize):
3877         * dfg/DFGFixupPhase.cpp:
3878         (JSC::DFG::FixupPhase::fixupNode):
3879         * dfg/DFGGraph.h:
3880         * dfg/DFGNode.h:
3881         * dfg/DFGSnippetParams.cpp: Renamed from Source/JavaScriptCore/dfg/DFGDOMJITPatchpointParams.cpp.
3882         * dfg/DFGSnippetParams.h: Renamed from Source/JavaScriptCore/dfg/DFGDOMJITPatchpointParams.h.
3883         (JSC::DFG::SnippetParams::SnippetParams):
3884         * dfg/DFGSpeculativeJIT.cpp:
3885         (JSC::DFG::allocateTemporaryRegistersForSnippet):
3886         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
3887         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
3888         (JSC::DFG::allocateTemporaryRegistersForPatchpoint): Deleted.
3889         * domjit/DOMJITCallDOMGetterSnippet.h: Renamed from Source/JavaScriptCore/domjit/DOMJITCallDOMGetterPatchpoint.h.
3890         (JSC::DOMJIT::CallDOMGetterSnippet::create):
3891         * domjit/DOMJITGetterSetter.h:
3892         * domjit/DOMJITSignature.h:
3893         * domjit/DOMJITValue.h: Removed.
3894         * ftl/FTLLowerDFGToB3.cpp:
3895         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
3896         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
3897         * ftl/FTLSnippetParams.cpp: Renamed from Source/JavaScriptCore/ftl/FTLDOMJITPatchpointParams.cpp.
3898         * ftl/FTLSnippetParams.h: Renamed from Source/JavaScriptCore/ftl/FTLDOMJITPatchpointParams.h.
3899         (JSC::FTL::SnippetParams::SnippetParams):
3900         * jit/Snippet.h: Renamed from Source/JavaScriptCore/domjit/DOMJITPatchpoint.h.
3901         (JSC::Snippet::create):
3902         (JSC::Snippet::setGenerator):
3903         (JSC::Snippet::generator):
3904         * jit/SnippetParams.h: Renamed from Source/JavaScriptCore/domjit/DOMJITPatchpointParams.h.
3905         (JSC::SnippetParams::~SnippetParams):
3906         (JSC::SnippetParams::Value::Value):
3907         (JSC::SnippetParams::Value::isGPR):
3908         (JSC::SnippetParams::Value::isFPR):
3909         (JSC::SnippetParams::Value::isJSValueRegs):
3910         (JSC::SnippetParams::Value::gpr):
3911         (JSC::SnippetParams::Value::fpr):
3912         (JSC::SnippetParams::Value::jsValueRegs):
3913         (JSC::SnippetParams::Value::reg):
3914         (JSC::SnippetParams::Value::value):
3915         (JSC::SnippetParams::SnippetParams):
3916         * jit/SnippetReg.h: Renamed from Source/JavaScriptCore/domjit/DOMJITReg.h.
3917         (JSC::SnippetReg::SnippetReg):
3918         * jit/SnippetSlowPathCalls.h: Renamed from Source/JavaScriptCore/domjit/DOMJITSlowPathCalls.h.
3919         * jsc.cpp:
3920         (WTF::DOMJITNode::checkSubClassSnippet):
3921         (WTF::DOMJITFunctionObject::checkSubClassSnippet):
3922         (WTF::DOMJITNode::checkSubClassPatchpoint): Deleted.
3923         (WTF::DOMJITFunctionObject::checkSubClassPatchpoint): Deleted.
3924         * runtime/ClassInfo.h:
3925
3926 2017-05-26  Keith Miller  <keith_miller@apple.com>
3927
3928         REGRESSION(r217459): testapi fails in JSExportTest's wrapperForNSObjectisObject().
3929         https://bugs.webkit.org/show_bug.cgi?id=172654
3930
3931         Reviewed by Mark Lam.
3932
3933         The test's intent is to assert that an exception has not been
3934         thrown (as indicated by the message string), but the test was
3935         erroneously checking for ! the right condition. This is now fixed.
3936
3937         * API/tests/JSExportTests.mm:
3938         (wrapperForNSObjectisObject):
3939
3940 2017-05-26  Joseph Pecoraro  <pecoraro@apple.com>
3941
3942         JSContext Inspector: Improve the reliability of automatically pausing in auto-attach
3943         https://bugs.webkit.org/show_bug.cgi?id=172664
3944         <rdar://problem/32362933>
3945
3946         Reviewed by Matt Baker.
3947
3948         Automatically pause on connection was triggering a pause before the
3949         frontend may have initialized. Often during frontend initialization
3950         the frontend may perform an action that clears the pause state requested
3951         by the developer. This change defers the pause until after the frontend
3952         has initialized, right before returning to the application's code.
3953
3954         * inspector/remote/RemoteControllableTarget.h:
3955         * inspector/remote/RemoteInspectionTarget.h:
3956         * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
3957         (Inspector::RemoteConnectionToTarget::setup):
3958         * inspector/remote/glib/RemoteConnectionToTargetGlib.cpp:
3959         (Inspector::RemoteConnectionToTarget::setup):
3960         * runtime/JSGlobalObjectDebuggable.cpp:
3961         (JSC::JSGlobalObjectDebuggable::connect):
3962         (JSC::JSGlobalObjectDebuggable::pause): Deleted.
3963         * runtime/JSGlobalObjectDebuggable.h:
3964         Pass an immediatelyPause boolean on to the controller. Remove
3965         the current path that invokes a pause before initialization.
3966
3967         * inspector/JSGlobalObjectInspectorController.h:
3968         * inspector/JSGlobalObjectInspectorController.cpp:
3969         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
3970         (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
3971         Manage should immediately pause state.
3972
3973         (Inspector::JSGlobalObjectInspectorController::frontendInitialized):
3974         (Inspector::JSGlobalObjectInspectorController::pause): Deleted.