5bd59ad5b066613f8571b7683725e091c4e8074f
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2017-06-15  Yusuke Suzuki  <utatane.tea@gmail.com>
2
3         [JSC] Implement Object.assign in C++
4         https://bugs.webkit.org/show_bug.cgi?id=173414
5
6         Reviewed by Saam Barati.
7
8         Implementing Object.assign in JS is not so good compared to C++ version because,
9
10         1. JS version allocates JS array for object own keys. And we allocate JSString / Symbol for each key.
11         But basically, they can be handled as UniquedStringImpl in C++. Allocating these cells is wasteful.
12
13         2. While implementing builtins in JS offers some good type speculation chances, Object.assign is inherently super polymorphic.
14         So JS's type profile doesn't help much.
15
16         We have a chance to introduce various fast paths for Object.assign in C++.
17
18         This patch moves the implementation from JS to C++. It achieves the above (1) and (2). (3) is filed in [1].
19
20         We can see a 1.65x improvement in SixSpeed object-assign.es6.
21
22                                     baseline                  patched
23
24         object-assign.es6      643.3253+-8.0521     ^    389.1075+-8.8840        ^ definitely 1.6533x faster
25
26         [1]: https://bugs.webkit.org/show_bug.cgi?id=173416
27
28         * builtins/ObjectConstructor.js:
29         (entries):
30         (assign): Deleted.
31         * runtime/JSCJSValueInlines.h:
32         (JSC::JSValue::putInline):
33         * runtime/JSCell.h:
34         * runtime/JSCellInlines.h:
35         (JSC::JSCell::putInline):
36         * runtime/JSObject.cpp:
37         (JSC::JSObject::put):
38         * runtime/JSObject.h:
39         * runtime/JSObjectInlines.h:
40         (JSC::JSObject::putInlineForJSObject):
41         (JSC::JSObject::putInline): Deleted.
42         * runtime/ObjectConstructor.cpp:
43         (JSC::objectConstructorAssign):
44
45 2017-06-14  Dan Bernstein  <mitz@apple.com>
46
47         [Cocoa] Objective-C class whose name begins with an underscore can’t be exported to JavaScript
48         https://bugs.webkit.org/show_bug.cgi?id=168578
49
50         Reviewed by Geoff Garen.
51
52         * API/JSWrapperMap.mm:
53         (allocateConstructorForCustomClass): Updated for change to forEachProtocolImplementingProtocol.
54         (-[JSObjCClassInfo allocateConstructorAndPrototype]): Ditto.
55         (-[JSWrapperMap classInfoForClass:]): If the class name begins with an underscore, check if
56           it defines conformance to a JSExport-derived protocol and if so, avoid using the
57           superclass as a substitute as we’d normally do.
58
59         * API/ObjcRuntimeExtras.h:
60         (forEachProtocolImplementingProtocol): Added a "stop" argument to the block to let callers
61           bail out.
62
63         * API/tests/JSExportTests.mm:
64         (+[JSExportTests classNamePrefixedWithUnderscoreTest]): New test for this.
65         (runJSExportTests): Run new test.
66
67 2017-06-14  Yusuke Suzuki  <utatane.tea@gmail.com>
68
69         Unreviewed, suppress invalid register allocation validation assertion in 32 bit part 2
70         https://bugs.webkit.org/show_bug.cgi?id=172421
71
72         * dfg/DFGSpeculativeJIT.cpp:
73         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
74
75 2017-06-14  Claudio Saavedra  <csaavedra@igalia.com>
76
77         REGRESSION: 15 new jsc failures in WPE and GTK+
78         https://bugs.webkit.org/show_bug.cgi?id=173349
79
80         Reviewed by JF Bastien.
81
82         Recent changes to generateWasm.py are not accounted for by
83         CMake, which leads to WasmOps.h not being regenerated in partial
84         builds. Make generateWasm.py an additional dependency.
85         * CMakeLists.txt:
86
87 2017-06-13  Joseph Pecoraro  <pecoraro@apple.com>
88
89         Debugger has unexpected effect on program correctness
90         https://bugs.webkit.org/show_bug.cgi?id=172683
91
92         Reviewed by Saam Barati.
93
94         * inspector/InjectedScriptSource.js:
95         (InjectedScript.RemoteObject.prototype._appendPropertyPreviews):
96         (InjectedScript.RemoteObject.prototype._isPreviewableObjectInternal):
97         (BasicCommandLineAPI):
98         Eliminate for..of use with Arrays from InjectedScriptSource as it can be observable.
99         We still use it for Set / Map iteration which we can eliminate when moving to builtins.
100
101 2017-06-13  JF Bastien  <jfbastien@apple.com>
102
103         WebAssembly: fix erroneous signature comment
104         https://bugs.webkit.org/show_bug.cgi?id=173334
105
106         Reviewed by Keith Miller.
107
108         * wasm/WasmSignature.h:
109
110 2017-06-13  Michael Saboff  <msaboff@apple.com>
111
112         Refactor AbsenceOfSetter to AbsenceOfSetEffects
113         https://bugs.webkit.org/show_bug.cgi?id=173322
114
115         Reviewed by Filip Pizlo.
116
117         * bytecode/ObjectPropertyCondition.h:
118         (JSC::ObjectPropertyCondition::absenceOfSetEffectWithoutBarrier):
119         (JSC::ObjectPropertyCondition::absenceOfSetEffect):
120         (JSC::ObjectPropertyCondition::absenceOfSetterWithoutBarrier): Deleted.
121         (JSC::ObjectPropertyCondition::absenceOfSetter): Deleted.
122         * bytecode/ObjectPropertyConditionSet.cpp:
123         (JSC::generateConditionsForPropertySetterMiss):
124         (JSC::generateConditionsForPropertySetterMissConcurrently):
125         * bytecode/PropertyCondition.cpp:
126         (JSC::PropertyCondition::dumpInContext):
127         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):
128         (JSC::PropertyCondition::isStillValid):
129         (WTF::printInternal):
130         * bytecode/PropertyCondition.h:
131         (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
132         (JSC::PropertyCondition::absenceOfSetEffect):
133         (JSC::PropertyCondition::hasPrototype):
134         (JSC::PropertyCondition::hash):
135         (JSC::PropertyCondition::operator==):
136         (JSC::PropertyCondition::absenceOfSetterWithoutBarrier): Deleted.
137         (JSC::PropertyCondition::absenceOfSetter): Deleted.
138
139 2017-06-13  JF Bastien  <jfbastien@apple.com>
140
141         WebAssembly: import updated spec tests
142         https://bugs.webkit.org/show_bug.cgi?id=173287
143         <rdar://problem/32725975>
144
145         Reviewed by Saam Barati.
146
147         Import spec tests as of 31c641cc15f2aedbec2fa45a5185f68416df578b,
148         with a few modifications so things work.
149
150         Fix a bunch of bugs found through this process, and punt a few tests (which I
151         marked as blocked by this bug).
152
153         Fixes:
154
155         Fix load / store alignment: r216908 erroneously implemented it as bit alignment
156         instead of byte alignment. It was also missing memory-alignment.js despite it
157         being in the ChangeLog, so add it too. This allows spec-test/align.wast.js to
158         pass.
159
160         Tables can be imported or in a section. There can be only one, but sections can
161         be empty. An Elements section can exist if there's no Table, as long as it is
162         also empty.
163
164         Memories can be imported or in a section. There can be only one, but sections
165         can be empty. A Data section can exist if there's no Memory, as long as it is
166         also empty.
167
168         Prototypes: stringify without .prototype. in the string.
169
170         WebAssembly.Table.prototype.grow was plain wrong: it takes a delta parameter,
171         not a final size, and throws a RangeError on failure, not a TypeError.
172
173         Fix compile / instantiate so they reject the promise if given an argument of the
174         wrong type (instead of failing instantly).
175
176         Fix async on neuter test.
177
178         Element section shouldn't affect any Table if any of the elements are out of
179         bounds. We need to process it in two passes.
180
181         Segment section shouldn't affect any Data if any of the segments are out of
182         bounds. We need to process it in two passes.
183
184         Empty data segments are valid, but only when there is no memory. Their index
185         still gets validated, and has to be zero.
186
187         Punts:
188
189         Error messages with context, the test seems overly restrictive but this is
190         minor.
191
192         compile/instantiate/validate property descriptors.
193
194         UTF-8 bugs.
195
196         Temporarily disable NaN tests. We need to go back and implement the following
197         semantics: https://github.com/WebAssembly/spec/pull/414 This doesn't matter as
198         much as getting all the other tests passing.
199
200         Worth noting for NaNs: f64.no_fold_mul_one (also a NaN test) as well as
201         no_fold_promote_demote (an interesting corner case which we get wrong). mul by
202         one is (assert_return (invoke "f64.no_fold_mul_one" (i64.const
203         0x7ff4000000000000)) (i64.const 0x7ff8000000000000)) which means converting sNaN
204         to qNaN, and promote/demote is (assert_return (invoke "no_fold_promote_demote"
205         (i32.const 0x7fa00000)) (i32.const 0x7fc00000)) which is the same. I'm not sure
206         why they're not allowed.
207
208         * wasm/WasmB3IRGenerator.cpp:
209         * wasm/WasmFunctionParser.h:
210         * wasm/WasmModuleParser.cpp:
211         * wasm/WasmModuleParser.h:
212         * wasm/WasmParser.h:
213         (JSC::Wasm::Parser<SuccessType>::consumeUTF8String):
214         * wasm/generateWasm.py:
215         (memoryLog2Alignment):
216         * wasm/js/JSWebAssemblyTable.cpp:
217         (JSC::JSWebAssemblyTable::grow):
218         * wasm/js/JSWebAssemblyTable.h:
219         * wasm/js/WebAssemblyCompileErrorPrototype.cpp:
220         * wasm/js/WebAssemblyInstancePrototype.cpp:
221         * wasm/js/WebAssemblyLinkErrorPrototype.cpp:
222         * wasm/js/WebAssemblyMemoryPrototype.cpp:
223         * wasm/js/WebAssemblyModulePrototype.cpp:
224         * wasm/js/WebAssemblyModuleRecord.cpp:
225         (JSC::WebAssemblyModuleRecord::evaluate):
226         * wasm/js/WebAssemblyPrototype.cpp:
227         (JSC::webAssemblyCompileFunc):
228         (JSC::resolve):
229         (JSC::instantiate):
230         (JSC::compileAndInstantiate):
231         (JSC::webAssemblyInstantiateFunc):
232         * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp:
233         * wasm/js/WebAssemblyTablePrototype.cpp:
234         (JSC::webAssemblyTableProtoFuncGrow):
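
Two of the JS API behaviours listed under Fixes, exercised through the standard WebAssembly.Table and WebAssembly.compile API. This is an added example, not code from the patch, and it assumes a host engine that implements the behaviour the entry describes (grow takes a delta and throws RangeError on failure; a wrong-typed argument rejects the promise rather than throwing synchronously); the function names are mine.

```javascript
"use strict";
// Added example (not part of the WebKit patch): exercises two of the
// WebAssembly JS API behaviours the entry above fixes, using only the
// standard WebAssembly.Table / WebAssembly.compile API of the host engine.

// grow(delta) returns the previous length and grows by delta, not to a
// final size; exceeding the declared maximum must throw a RangeError and
// leave the table unchanged.
function tableGrowBehaviour() {
  const table = new WebAssembly.Table({ element: "anyfunc", initial: 1, maximum: 2 });
  const previous = table.grow(1);           // delta of 1: length 1 -> 2
  let failure = null;
  try {
    table.grow(1);                          // would make 3 > maximum 2
  } catch (e) {
    failure = e;
  }
  return {
    previous,                                             // 1
    length: table.length,                                 // 2
    errorName: failure ? failure.constructor.name : null, // "RangeError"
    lengthAfterFailure: table.length,                     // still 2: a failed grow is a no-op
  };
}

// compile() given something that is not a BufferSource must reject the
// returned promise instead of throwing synchronously at the call site.
function compileRejectsAsynchronously(badArgument) {
  let threwSynchronously = false;
  let result;
  try {
    result = WebAssembly.compile(badArgument);
  } catch (e) {
    threwSynchronously = true;
  }
  if (result instanceof Promise) {
    // consume the rejection so the host does not report it as unhandled
    result.catch(() => {});
  }
  return { threwSynchronously, returnedPromise: result instanceof Promise };
}
```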
235
236 2017-06-13  Michael Saboff  <msaboff@apple.com>
237
238         DFG doesn't properly handle a property that is changed to read-only in a prototype
239         https://bugs.webkit.org/show_bug.cgi?id=173321
240
241         Reviewed by Filip Pizlo.
242
243         We need to check for ReadOnly as well as for not being a Setter when checking
244         an AbsenceOfSetter.
245
246         * bytecode/PropertyCondition.cpp:
247         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):
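
The behaviour this fix protects, shown at the JavaScript level as an added example (not code from the WebKit patch): assignments through a prototype whose property is later made read-only must stop creating own properties after the change, even in a loop hot enough to have been JIT-compiled under the earlier "no setter" assumption. The helper names are mine.

```javascript
"use strict";
// Added example (not from the WebKit patch). Assigning to a property found on
// the prototype chain normally creates an own property on the receiver. Once
// the prototype's data property is made non-writable, [[Set]] must fail
// instead: silently in sloppy code, with a TypeError in strict code. A JIT
// that only checked "no setter on the prototype" would keep creating own
// properties, which is the bug the entry above describes.

function makeProto() {
  return { x: 0 };
}

// Perform `iterations` assignments through fresh objects inheriting from
// `proto`; count own properties created and strict-mode TypeErrors.
function assignThroughProto(proto, iterations) {
  let ownCreated = 0;
  let typeErrors = 0;
  for (let i = 0; i < iterations; i++) {
    const o = Object.create(proto);
    try {
      o.x = i; // strict mode: throws once proto.x is read-only
    } catch (e) {
      if (e instanceof TypeError) typeErrors++;
    }
    if (Object.prototype.hasOwnProperty.call(o, "x")) ownCreated++;
  }
  return { ownCreated, typeErrors };
}

function readOnlyPrototypeScenario() {
  const proto = makeProto();
  // First phase: the property is writable, every assignment succeeds.
  const before = assignThroughProto(proto, 1000);
  // Flip the prototype property to read-only after the loop has run hot.
  Object.defineProperty(proto, "x", { writable: false });
  // Second phase: no own property may appear and every assignment throws.
  const after = assignThroughProto(proto, 1000);
  return { before, after, protoValue: proto.x };
}
```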
248
249 2017-06-13  Daniel Bates  <dabates@apple.com>
250
251         Implement W3C Secure Contexts Draft Specification
252         https://bugs.webkit.org/show_bug.cgi?id=158121
253         <rdar://problem/26012994>
254
255         Reviewed by Brent Fulgham.
256
257         Part 4
258
259         Adds isSecureContext to the list of common identifiers as needed to support
260         toggling its exposure from a runtime enabled feature flag.
261
262         * runtime/CommonIdentifiers.h:
263
264 2017-06-13  Don Olmstead  <don.olmstead@sony.com>
265
266         [JSC] Remove redundant includes in config.h
267         https://bugs.webkit.org/show_bug.cgi?id=173294
268
269         Reviewed by Alex Christensen.
270
271         * config.h:
272
273 2017-06-12  Saam Barati  <sbarati@apple.com>
274
275         We should not claim that SpecEmpty is filtered out of cell checks on 64 bit platforms
276         https://bugs.webkit.org/show_bug.cgi?id=172957
277         <rdar://problem/32602704>
278
279         Reviewed by Filip Pizlo.
280
281         Consider this program:
282         ```
283         block#1:
284         n: GetClosureVar(..., |this|) // this will load empty JSValue()
285         SetLocal(Cell:@n, locFoo) // Cell check succeeds because JSValue() looks like a cell
286         Branch(#2, #3)
287         
288         Block#3:
289         x: GetLocal(locFoo)
290         y: CheckNotEmpty(@x)
291         ```
292         
293         If we claim that a cell check filters out the empty value, we will
294         incorrectly eliminate the CheckNotEmpty node @y. This patch fixes AI,
295         FTLLowerDFGToB3, and DFGSpeculativeJIT to no longer make this claim.
296         
297         On 64 bit platforms:
298         - Cell use kind *now allows* the empty value to pass through.
299         - CellOrOther use kind *now allows* for the empty value to pass through.
300         - NotCell use kind *no longer allows* the empty value to pass through.
301
302         * assembler/CPU.h:
303         (JSC::isARMv7IDIVSupported):
304         (JSC::isARM64):
305         (JSC::isX86):
306         (JSC::isX86_64):
307         (JSC::is64Bit):
308         (JSC::is32Bit):
309         (JSC::isMIPS):
310         Make these functions constexpr so we can use them in static variable assignment.
311
312         * bytecode/SpeculatedType.h:
313         * dfg/DFGSpeculativeJIT.cpp:
314         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
315         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
316         (JSC::DFG::SpeculativeJIT::compileLogicalNotStringOrOther):
317         (JSC::DFG::SpeculativeJIT::emitStringOrOtherBranch):
318         (JSC::DFG::SpeculativeJIT::speculateCell):
319         (JSC::DFG::SpeculativeJIT::speculateCellOrOther):
320         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
321         (JSC::DFG::SpeculativeJIT::speculateString):
322         (JSC::DFG::SpeculativeJIT::speculateStringOrOther):
323         (JSC::DFG::SpeculativeJIT::speculateSymbol):
324         (JSC::DFG::SpeculativeJIT::speculateNotCell):
325         * dfg/DFGSpeculativeJIT32_64.cpp:
326         * dfg/DFGSpeculativeJIT64.cpp:
327         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
328         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
329         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
330         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
331         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
332         * dfg/DFGUseKind.h:
333         (JSC::DFG::typeFilterFor):
334         * ftl/FTLLowerDFGToB3.cpp:
335         (JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep):
336         (JSC::FTL::DFG::LowerDFGToB3::numberOrNotCellToInt32):
337         (JSC::FTL::DFG::LowerDFGToB3::compareEqObjectOrOtherToObject):
338         (JSC::FTL::DFG::LowerDFGToB3::boolify):
339         (JSC::FTL::DFG::LowerDFGToB3::equalNullOrUndefined):
340         (JSC::FTL::DFG::LowerDFGToB3::lowCell):
341         (JSC::FTL::DFG::LowerDFGToB3::lowNotCell):
342         (JSC::FTL::DFG::LowerDFGToB3::isCellOrMisc):
343         (JSC::FTL::DFG::LowerDFGToB3::isNotCellOrMisc):
344         (JSC::FTL::DFG::LowerDFGToB3::isNotCell):
345         (JSC::FTL::DFG::LowerDFGToB3::isCell):
346         (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
347         (JSC::FTL::DFG::LowerDFGToB3::speculateObjectOrOther):
348         (JSC::FTL::DFG::LowerDFGToB3::speculateString):
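
The source-level situation behind that IR, as an added example that is not part of the patch: a closure reads |this| in a derived constructor before super() returns, so the engine must keep the empty-value check on every run regardless of which tier compiled the code. The class and function names are assumptions.

```javascript
"use strict";
// Added example (not from the WebKit patch). Inside a derived constructor,
// |this| is the empty value until super() returns. A closure that reads it
// before then must throw a ReferenceError every single time, no matter how
// many times the code has run (and so which JIT tier compiled it). An engine
// that let the empty value "pass" a cell check could drop the CheckNotEmpty
// and hand the empty value to user code.

class Base {
  constructor(callback) {
    callback(); // runs before the derived constructor's |this| is bound
  }
}

class Derived extends Base {
  constructor(probe) {
    // The arrow captures |this| through a closure variable (GetClosureVar);
    // when Base invokes it, |this| is still empty.
    super(() => probe(this));
  }
}

class LateDerived extends Base {
  constructor(probe) {
    super(() => {}); // |this| is bound once super() returns
    probe(this);     // safe: the cell is now a real object
  }
}

// Repeatedly construct Derived; every attempt must fail with a ReferenceError
// and the probe must never observe a value.
function countTdzErrors(iterations) {
  let referenceErrors = 0;
  let constructed = 0;
  let leaked = 0;
  for (let i = 0; i < iterations; i++) {
    try {
      new Derived(() => { leaked++; });
      constructed++;
    } catch (e) {
      if (e instanceof ReferenceError) referenceErrors++;
    }
  }
  return { referenceErrors, constructed, leaked };
}

// Control case: accessing |this| after super() returns the constructed object.
function lateAccessWorks() {
  let seen = null;
  const instance = new LateDerived((value) => { seen = value; });
  return seen === instance;
}
```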
349         (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):
350         (JSC::FTL::DFG::LowerDFGToB3::speculateSymbol):
351
352 2017-06-12  Yusuke Suzuki  <utatane.tea@gmail.com>
353
354         Unreviewed, suppress invalid register allocation validation assertion in 32 bit
355         https://bugs.webkit.org/show_bug.cgi?id=172421
356
357         * dfg/DFGSpeculativeJIT.cpp:
358         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
359
360 2017-06-12  Oleksandr Skachkov  <gskachkov@gmail.com>
361
362         We incorrectly allow escaped characters in keyword tokens
363         https://bugs.webkit.org/show_bug.cgi?id=171310
364
365         Reviewed by Yusuke Suzuki.
366
367         According to the spec, it is not allowed to use escaped characters in
368         keywords. https://tc39.github.io/ecma262/#sec-reserved-words
369         The current patch implements this requirement.
370
371
372         * parser/Lexer.cpp:
373         (JSC::Lexer<CharacterType>::parseIdentifierSlowCase):
374         * parser/Parser.cpp:
375         (JSC::Parser<LexerType>::printUnexpectedTokenText):
376         * parser/ParserTokens.h:
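
The rule this entry implements, checked against the host engine's parser via Function() as an added example (not the patch's own test): an IdentifierName containing a Unicode escape is never a keyword, yet the same escaped name is legal where any IdentifierName is allowed. The function names are mine.

```javascript
"use strict";
// Added example (not from the WebKit patch). `\u0069f` spells "if", but the
// escape must not turn it into the `if` keyword, nor let it be bound as an
// identifier (it is still a reserved word). Property names and member names
// accept any IdentifierName, so the escaped form is fine there.

// Hand a source string to the host parser; true if it parses, false on
// SyntaxError, anything else is rethrown.
function parses(source) {
  try {
    new Function(source);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

function escapedKeywordCases() {
  return {
    escapedIfAsStatement: parses("\\u0069f (true) {}"),         // false: not a keyword
    escapedIfAsBinding: parses("var \\u0069f = 1;"),            // false: reserved word
    escapedIfAsPropertyKey: parses("var o = { \\u0069f: 1 };"), // true: IdentifierName
    escapedIfAsMemberName: parses("var o = {}; o.\\u0069f;"),   // true: IdentifierName
    plainIfStatement: parses("if (true) {}"),                   // true: the real keyword
  };
}
```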
377
378 2017-06-12  Yusuke Suzuki  <utatane.tea@gmail.com>
379
380         Unreviewed, add branch64(Cond, BaseIndex, RegisterID) for ARM64
381         https://bugs.webkit.org/show_bug.cgi?id=172421
382
383         * assembler/MacroAssemblerARM64.h:
384         (JSC::MacroAssemblerARM64::branch64):
385         (JSC::MacroAssemblerARM64::branchPtr):
386
387 2017-06-12  Commit Queue  <commit-queue@webkit.org>
388
389         Unreviewed, rolling out r218093.
390         https://bugs.webkit.org/show_bug.cgi?id=173259
391
392         Break builds (Requested by yusukesuzuki on #webkit).
393
394         Reverted changeset:
395
396         "Unreviewed, build fix for ARM64"
397         https://bugs.webkit.org/show_bug.cgi?id=172421
398         http://trac.webkit.org/changeset/218093
399
400 2017-06-12  Yusuke Suzuki  <utatane.tea@gmail.com>
401
402         Unreviewed, build fix for ARM64
403         https://bugs.webkit.org/show_bug.cgi?id=172421
404
405         * dfg/DFGSpeculativeJIT.cpp:
406         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
407
408 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
409
410         [DFG] Add ArrayIndexOf intrinsic
411         https://bugs.webkit.org/show_bug.cgi?id=172421
412
413         Reviewed by Saam Barati.
414
415         This patch introduces ArrayIndexOfIntrinsic for DFG and FTL optimizations.
416         We emit an array check and take the fast path if the array is Array::Int32, Array::Double
417         or Array::Contiguous. In addition, for the Array::Int32 and Array::Double cases,
418         we have inlined fast paths.
419
420         With updated ARES-6 Babylon,
421
422         Before
423             firstIteration:     45.76 +- 3.87 ms
424             averageWorstCase:   24.41 +- 2.17 ms
425             steadyState:        8.01 +- 0.22 ms
426         After
427             firstIteration:     45.64 +- 4.23 ms
428             averageWorstCase:   23.03 +- 3.34 ms
429             steadyState:        7.33 +- 0.34 ms
430
431         In SixSpeed.
432                                          baseline                  patched
433
434             map-set-lookup.es5      734.4701+-10.4383    ^    102.0968+-2.6357        ^ definitely 7.1939x faster
435             map-set.es5              41.1396+-1.0558     ^     33.1916+-0.7986        ^ definitely 1.2395x faster
436             map-set-object.es5       62.8317+-1.2518     ^     45.6944+-0.8369        ^ definitely 1.3750x faster
437
438         * dfg/DFGAbstractInterpreterInlines.h:
439         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
440         * dfg/DFGByteCodeParser.cpp:
441         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
442         * dfg/DFGClobberize.h:
443         (JSC::DFG::clobberize):
444         * dfg/DFGDoesGC.cpp:
445         (JSC::DFG::doesGC):
446         * dfg/DFGFixupPhase.cpp:
447         (JSC::DFG::FixupPhase::fixupNode):
448         * dfg/DFGNode.h:
449         (JSC::DFG::Node::hasArrayMode):
450         * dfg/DFGNodeType.h:
451         * dfg/DFGOperations.cpp:
452         * dfg/DFGOperations.h:
453         * dfg/DFGPredictionPropagationPhase.cpp:
454         * dfg/DFGSafeToExecute.h:
455         (JSC::DFG::safeToExecute):
456         * dfg/DFGSpeculativeJIT.cpp:
457         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
458         (JSC::DFG::SpeculativeJIT::speculateObject):
459         * dfg/DFGSpeculativeJIT.h:
460         (JSC::DFG::SpeculativeJIT::callOperation):
461         * dfg/DFGSpeculativeJIT32_64.cpp:
462         (JSC::DFG::SpeculativeJIT::compile):
463         * dfg/DFGSpeculativeJIT64.cpp:
464         (JSC::DFG::SpeculativeJIT::compile):
465         (JSC::DFG::SpeculativeJIT::speculateInt32):
466         * ftl/FTLCapabilities.cpp:
467         (JSC::FTL::canCompile):
468         * ftl/FTLLowerDFGToB3.cpp:
469         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
470         (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf):
471         * jit/JITOperations.h:
472         * runtime/ArrayPrototype.cpp:
473         (JSC::ArrayPrototype::finishCreation):
474         * runtime/Intrinsic.cpp:
475         (JSC::intrinsicName):
476         * runtime/Intrinsic.h:
477
478 2017-06-11  Keith Miller  <keith_miller@apple.com>
479
480         TypedArray constructor with string shouldn't throw
481         https://bugs.webkit.org/show_bug.cgi?id=173181
482
483         Reviewed by JF Bastien.
484
485         We should be coercing primitive arguments to numbers in the various
486         TypedArray constructors.
487
488         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
489         (JSC::constructGenericTypedArrayViewWithArguments):
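
The coercion this entry calls for, as an added example not from the patch: a JavaScript model of ECMAScript's ToIndex applied to primitive arguments, compared against the host engine's TypedArray constructor. The helper names and the sample inputs are constructed here.

```javascript
"use strict";
// Added example (not from the WebKit patch). When a TypedArray constructor
// receives a non-object, the argument goes through ToIndex (ToNumber, then
// integer conversion, then a range check) rather than throwing a TypeError.
// `toIndex` models that path for primitives; `engineLength` asks the host.

function toIndex(value) {
  if (value === undefined) return 0;
  const number = Number(value);                               // ToNumber: "3" -> 3, "abc" -> NaN, true -> 1
  let integer = Number.isNaN(number) ? 0 : Math.trunc(number); // ToInteger: NaN -> 0, 2.5 -> 2
  if (integer === 0) integer = 0;                             // normalise -0 to +0
  if (integer < 0) throw new RangeError("negative index");
  const length = Math.min(integer, Number.MAX_SAFE_INTEGER); // ToLength clamps to 2^53 - 1
  if (length !== integer) throw new RangeError("index too large"); // Infinity and beyond
  return length;
}

// Length of new Uint8Array(value) as the engine computes it, or the error class.
function engineLength(value) {
  try {
    return new Uint8Array(value).length;
  } catch (e) {
    return e.constructor.name;
  }
}

// Same shape of answer from the model, so the two can be compared directly.
function modelLength(value) {
  try {
    return toIndex(value);
  } catch (e) {
    return e.constructor.name;
  }
}

function compareCoercion(values) {
  return values.map((v) => ({ value: v, model: modelLength(v), engine: engineLength(v) }));
}

// Constructed inputs: numeric strings, garbage, booleans, null, fractions,
// negatives and undefined.
const SAMPLE_INPUTS = ["3", "abc", "1e2", " 7 ", true, null, 2.5, "-1", "Infinity", undefined];
```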
490
491 2017-06-11  Yusuke Suzuki  <utatane.tea@gmail.com>
492
493         [WTF] Make ThreadMessage portable
494         https://bugs.webkit.org/show_bug.cgi?id=172073
495
496         Reviewed by Keith Miller.
497
498         * runtime/MachineContext.h:
499         (JSC::MachineContext::stackPointer):
500         * tools/CodeProfiling.cpp:
501         (JSC::profilingTimer):
502
503 2017-06-11  Yusuke Suzuki  <utatane.tea@gmail.com>
504
505         [JSC] Shrink Structure size
506         https://bugs.webkit.org/show_bug.cgi?id=173239
507
508         Reviewed by Mark Lam.
509
510         We find that the size of our Structure is slightly enlarged due to padding.
511         By changing the order of members, we can reduce the size from 120 to 112.
512         This is good because 120 and 112 are categorized into different size classes.
513         For 120, we allocate 128 bytes. And for 112, we allocate 112 bytes.
514         We now save 16 bytes per Structure for free.
515
516         * runtime/ConcurrentJSLock.h:
517         * runtime/Structure.cpp:
518         (JSC::Structure::Structure):
519         * runtime/Structure.h:
520
521 2017-06-11  Konstantin Tokarev  <annulen@yandex.ru>
522
523         Unreviewed, attempt to fix JSC tests on Win after r217771
524
525         * jsc.cpp:
526         (currentWorkingDirectory): buffer is not NULL-terminated
527
528 2017-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>
529
530         [WTF] Add RegisteredSymbolImpl
531         https://bugs.webkit.org/show_bug.cgi?id=173230
532
533         Reviewed by Mark Lam.
534
535         * runtime/SymbolConstructor.cpp:
536         (JSC::symbolConstructorKeyFor):
537
538 2017-06-10  Dan Bernstein  <mitz@apple.com>
539
540         Reverted r218056 because it made the IDE reindex constantly.
541
542         * Configurations/DebugRelease.xcconfig:
543
544 2017-06-10  Dan Bernstein  <mitz@apple.com>
545
546         [Xcode] With Xcode 9 developer beta, everything rebuilds when switching between command-line and IDE
547         https://bugs.webkit.org/show_bug.cgi?id=173223
548
549         Reviewed by Sam Weinig.
550
551         The rebuilds were happening due to a difference in the compiler options that the IDE and
552         xcodebuild were specifying. Only the IDE was passing the -index-store-path option. To make
553         xcodebuild pass that option, too, set CLANG_INDEX_STORE_ENABLE to YES if it is unset, and
554         specify an appropriate path in CLANG_INDEX_STORE_PATH.
555
556         * Configurations/DebugRelease.xcconfig:
557
558 2017-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>
559
560         [JSC] Update RegExp.prototype.[@@search] implementation according to the latest spec
561         https://bugs.webkit.org/show_bug.cgi?id=173227
562
563         Reviewed by Mark Lam.
564
565         The latest spec introduces a slight change to RegExp.prototype.[@@search].
566         This patch applies this change. Basically, this change is done in the slow path of
567         the RegExp.prototype[@@search].
568         https://tc39.github.io/ecma262/#sec-regexp.prototype-@@search
569
570         * builtins/RegExpPrototype.js:
571         (search):
572
573 2017-06-09  Chris Dumez  <cdumez@apple.com>
574
575         Update Thread::create() to take in a WTF::Function instead of a std::function
576         https://bugs.webkit.org/show_bug.cgi?id=173175
577
578         Reviewed by Mark Lam.
579
580         * API/tests/CompareAndSwapTest.cpp:
581         (testCompareAndSwap):
582
583 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
584
585         [DFG] Add verboseDFGOSRExit
586         https://bugs.webkit.org/show_bug.cgi?id=173156
587
588         Reviewed by Saam Barati.
589
590         This patch adds verboseDFGOSRExit which is similar to verboseFTLOSRExit.
591
592         * dfg/DFGOSRExitCompiler.cpp:
593         * runtime/Options.h:
594
595 2017-06-09  Guillaume Emont  <guijemont@igalia.com>
596
597         [JSC][MIPS] Add MacroAssemblerMIPS::xor32(Address, RegisterID) implementation
598         https://bugs.webkit.org/show_bug.cgi?id=173170
599
600         Reviewed by Yusuke Suzuki.
601
602         MIPS does not build since r217711 because it is missing this
603         implementation. This patch fixes the build.
604
605         * assembler/MacroAssemblerMIPS.h:
606         (JSC::MacroAssemblerMIPS::xor32):
607
608 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
609
610         [JSC] FTL does not require dlfcn
611         https://bugs.webkit.org/show_bug.cgi?id=173143
612
613         Reviewed by Darin Adler.
614
615         We no longer use the LLVM library. Thus, dlfcn.h is not necessary.
616         Also, ProcessID is not used in FTLLowerDFGToB3.cpp.
617
618         * ftl/FTLLowerDFGToB3.cpp:
619
620 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
621
622         [DFG] Add --verboseDFGFailure
623         https://bugs.webkit.org/show_bug.cgi?id=173155
624
625         Reviewed by Sam Weinig.
626
627         Similar to verboseFTLFailure, JSC should have verboseDFGFailure flag to show DFG failures quickly.
628
629         * dfg/DFGCapabilities.cpp:
630         (JSC::DFG::verboseCapabilities):
631         (JSC::DFG::debugFail):
632         * runtime/Options.cpp:
633         (JSC::recomputeDependentOptions):
634         * runtime/Options.h:
635
636 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
637
638         [JSC] Drop OS(DARWIN) for VM_TAG_FOR_WEBASSEMBLY_MEMORY
639         https://bugs.webkit.org/show_bug.cgi?id=173147
640
641         Reviewed by JF Bastien.
642
643         Because this value becomes -1 in non-Darwin environments.
644         Thus, we do not need to use OS(DARWIN) here.
645
646         * wasm/WasmMemory.cpp:
647
648 2017-06-09  Daewoong Jang  <daewoong.jang@navercorp.com>
649
650         Reduce compiler warnings
651         https://bugs.webkit.org/show_bug.cgi?id=172078
652
653         Reviewed by Yusuke Suzuki.
654
655         * runtime/IntlDateTimeFormat.h:
656
657 2017-06-08  Joseph Pecoraro  <pecoraro@apple.com>
658
659         [Cocoa] JSWrapperMap leaks for all JSContexts
660         https://bugs.webkit.org/show_bug.cgi?id=173110
661         <rdar://problem/32602198>
662
663         Reviewed by Geoffrey Garen.
664
665         * API/JSContext.mm:
666         (-[JSContext ensureWrapperMap]):
667         Ensure this allocation gets released.
668
669 2017-06-08  Filip Pizlo  <fpizlo@apple.com>
670
671         REGRESSION: js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-5.html has a flaky failure
672         https://bugs.webkit.org/show_bug.cgi?id=161156
673
674         Reviewed by Saam Barati.
675         
676         Since LLInt does not register impure property watchpoints for self property accesses, it
677         shouldn't try to cache accesses that require a watchpoint.
678         
679         This manifested as a flaky failure because the test would fire the watchpoint after we had
680         usually already tiered up. Without concurrent JIT, we would have always tiered up before
681         getting to the bad case. With concurrent JIT, we would sometimes not tier up by that time. This
682         also adds a test that deterministically failed in LLInt without this change; it does so by just
683         running a lot shorter.
684
685         * llint/LLIntSlowPaths.cpp:
686         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
687
688 2017-06-08  Keith Miller  <keith_miller@apple.com>
689
690         WebAssembly: We should only create wrappers for functions that can be exported
691         https://bugs.webkit.org/show_bug.cgi?id=173088
692
693         Reviewed by Saam Barati.
694
695         This patch makes it so we only create wrappers for WebAssembly functions that
696         can actually be exported. It appears to be a ~2.5% speedup on WasmBench compile times.
697
698         This patch also removes most of the old testWasmModuleFunctions api from the jsc CLI.
699         Most of the tests were duplicates of ones in the spec-tests directory. The others I
700         have converted to use the normal API.
701
702         * jsc.cpp:
703         (GlobalObject::finishCreation):
704         (valueWithTypeOfWasmValue): Deleted.
705         (box): Deleted.
706         (callWasmFunction): Deleted.
707         (functionTestWasmModuleFunctions): Deleted.
708         * wasm/WasmB3IRGenerator.cpp:
709         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
710         (JSC::Wasm::createJSToWasmWrapper):
711         (JSC::Wasm::parseAndCompile):
712         * wasm/WasmB3IRGenerator.h:
713         * wasm/WasmBBQPlan.cpp:
714         (JSC::Wasm::BBQPlan::prepare):
715         (JSC::Wasm::BBQPlan::compileFunctions):
716         (JSC::Wasm::BBQPlan::complete):
717         * wasm/WasmBBQPlan.h:
718         * wasm/WasmBBQPlanInlines.h:
719         (JSC::Wasm::BBQPlan::initializeCallees):
720         * wasm/WasmCodeBlock.cpp:
721         (JSC::Wasm::CodeBlock::CodeBlock):
722         * wasm/WasmCodeBlock.h:
723         (JSC::Wasm::CodeBlock::jsEntrypointCalleeFromFunctionIndexSpace):
724         * wasm/WasmFormat.h:
725         * wasm/WasmOMGPlan.cpp:
726         (JSC::Wasm::OMGPlan::work):
727
728 2017-06-07  JF Bastien  <jfbastien@apple.com>
729
730         WebAssembly: test imports and exports with 16-bit characters
731         https://bugs.webkit.org/show_bug.cgi?id=165977
732         <rdar://problem/29760130>
733
734         Reviewed by Saam Barati.
735
736         Add the missing UTF-8 conversions. Improve import failure error
737         messages, otherwise it's hard to figure out which import is wrong.
738
739         * wasm/js/JSWebAssemblyInstance.cpp:
740         (JSC::JSWebAssemblyInstance::create):
741         * wasm/js/WebAssemblyModuleRecord.cpp:
742         (JSC::WebAssemblyModuleRecord::finishCreation):
743         (JSC::WebAssemblyModuleRecord::link):
744
745 2017-06-07  Devin Rousso  <drousso@apple.com>
746
747         Web Inspector: Add ContextMenu item to log WebSocket object to console
748         https://bugs.webkit.org/show_bug.cgi?id=172878
749
750         Reviewed by Joseph Pecoraro.
751
752         * inspector/protocol/Network.json:
753         Add resolveWebSocket command.
754
755 2017-06-07  Jon Davis  <jond@apple.com>
756
757         Update feature status for features Supported In Preview
758         https://bugs.webkit.org/show_bug.cgi?id=173071
759
760         Reviewed by Darin Adler.
761
762         Updated Media Capture and Streams, Performance Observer, Resource Timing Level 2,
763         User Timing Level 2, Web Cryptography API, WebGL 2, WebRTC.
764
765         * features.json:
766
767 2017-06-07  Saam Barati  <sbarati@apple.com>
768
769         Assertion failure in com.apple.WebKit.WebContent.Development in com.apple.JavaScriptCore: JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined + 141
770         https://bugs.webkit.org/show_bug.cgi?id=172673
771         <rdar://problem/32250144>
772
773         Reviewed by Mark Lam.
774
775         This patch simply removes this assertion. It's faulty because it
776         races with the main thread when doing concurrent compilation.
777         
778         Consider a program with:
779         - a FrozenValue over an object O and Structure S1. S1 starts off as dfgWatchable() being true.
780         - Structure S2
781         
782         The DFG IR is like so:
783           a: JSConstant(O) // FrozenValue {O, S1}
784           b: CheckStructure(@a, S2)
785           c: ToThis(@a)
786           d: CheckEq(@c, nullConstant)
787           Branch(@d)
788         
789         The AbstractValue for @a will start off as having a finite structure because S1 is dfgWatchable().
790         When running AI, we'll notice that node @b will OSR exit, so nodes after
791         @b are unreachable. Later in the compilation, S1 is no longer dfgWatchable().
792         Now, when running AI, @a will have Top for its structure set. No longer will
793         we think @b exits.
794         
795         The DFG backend asserts that under such a situation, we should have simplified
796         the CheckEq to false. However, this is a racy thing to assert, since the
797         transition from dfgWatchable() to !dfgWatchable() can happen right before we
798         enter the backend. Hence, this assertion is not valid.
799         
800         (Note, the generated code for the above program will never actually execute.
801         Since we noticed S1 as dfgWatchable(), we make the compilation dependent on
802         S1 not transitioning. S1 transitions, so we won't actually run the code that
803         gets compiled.)
804
805         * dfg/DFGSpeculativeJIT64.cpp:
806         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
807
808 2017-06-07  Yusuke Suzuki  <utatane.tea@gmail.com>
809
810         [JSC] has_generic_property never accepts non-String
811         https://bugs.webkit.org/show_bug.cgi?id=173057
812
813         Reviewed by Darin Adler.
814
815         We never pass non-String value to has_generic_property bytecode.
816
817         * runtime/CommonSlowPaths.cpp:
818         (JSC::SLOW_PATH_DECL):
819
820 2017-06-06  Fujii Hironori  <Hironori.Fujii@sony.com>
821
822         [Win][x86-64] Some callee saved registers aren't preserved
823         https://bugs.webkit.org/show_bug.cgi?id=171266
824
825         Reviewed by Saam Barati.
826
827         * jit/RegisterSet.cpp:
828         (JSC::RegisterSet::calleeSaveRegisters): Added edi and esi for X86_64 Windows.
829
830 2017-06-06  Mark Lam  <mark.lam@apple.com>
831
832         Contiguous storage butterfly length should not exceed MAX_STORAGE_VECTOR_LENGTH.
833         https://bugs.webkit.org/show_bug.cgi?id=173035
834         <rdar://problem/32554593>
835
836         Reviewed by Geoffrey Garen and Filip Pizlo.
837
838         Also added and fixed up some assertions.
839
840         * runtime/ArrayConventions.h:
841         * runtime/JSArray.cpp:
842         (JSC::JSArray::setLength):
843         * runtime/JSObject.cpp:
844         (JSC::JSObject::createInitialIndexedStorage):
845         (JSC::JSObject::ensureLengthSlow):
846         (JSC::JSObject::reallocateAndShrinkButterfly):
847         * runtime/JSObject.h:
848         (JSC::JSObject::ensureLength):
849         * runtime/RegExpObject.cpp:
850         (JSC::collectMatches):
851         * runtime/RegExpPrototype.cpp:
852         (JSC::regExpProtoFuncSplitFast):
853
854 2017-06-06  Saam Barati  <sbarati@apple.com>
855
856         Make sure we restore SP when doing calls that could be to JS
857         https://bugs.webkit.org/show_bug.cgi?id=172946
858         <rdar://problem/32579026>
859
860         Reviewed by JF Bastien.
861
862         I was worried that there was a bug where we'd call JS, JS would tail call,
863         and we'd end up with a bogus SP. However, this bug does not exist since wasm
864         always calls to JS through a stub, and the stub treats SP as a callee save.
865         
866         I wrote a test for this, and also made a note that this is the needed ABI.
867
868         * wasm/WasmBinding.cpp:
869         (JSC::Wasm::wasmToJs):
870
871 2017-06-06  Keith Miller  <keith_miller@apple.com>
872
873         OMG tier up checks should be a patchpoint
874         https://bugs.webkit.org/show_bug.cgi?id=172944
875
876         Reviewed by Saam Barati.
877
878         Tier up checks in BBQ should be done as a patchpoint rather than individual B3 opcodes.
879         In order to reduce code generated out of line in each function, we generate a single stub
880         that pushes all the callee-saves. This looks like a 5-10% compile time speedup.
881
882         * wasm/WasmB3IRGenerator.cpp:
883         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
884         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
885         (JSC::Wasm::B3IRGenerator::addLoop):
886         * wasm/WasmThunks.cpp:
887         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
888         * wasm/WasmThunks.h:
889
890 2017-06-06  Darin Adler  <darin@apple.com>
891
892         Cut down use of WTF_ARRAY_LENGTH
893         https://bugs.webkit.org/show_bug.cgi?id=172997
894
895         Reviewed by Chris Dumez.
896
897         * parser/Lexer.cpp:
898         (JSC::singleEscape): Use WTF_ARRAY_LENGTH instead of ARRAY_SIZE.
899
900         * runtime/NumberPrototype.cpp:
901         (JSC::toStringWithRadix): Use std::end instead of WTF_ARRAY_LENGTH.
902
903 2017-06-06  Konstantin Tokarev  <annulen@yandex.ru>
904
905         Add missing <functional> includes
906         https://bugs.webkit.org/show_bug.cgi?id=173017
907
908         Patch by Thiago Macieira <thiago.macieira@intel.com>
909         Reviewed by Yusuke Suzuki.
910
911         This patch fixes compilation with GCC 7.
912
913         * inspector/InspectorBackendDispatcher.h:
914
915 2017-06-06  Filip Pizlo  <fpizlo@apple.com>
916
917         Unreviewed, fix 32-bit build.
918
919         * jit/JITOpcodes.cpp:
920         (JSC::JIT::emit_op_unreachable):
921
922 2017-06-06  Joseph Pecoraro  <pecoraro@apple.com>
923
924         Unreviewed rollout r217807. Caused a test to crash.
925
926         * heap/HeapSnapshotBuilder.cpp:
927         (JSC::HeapSnapshotBuilder::buildSnapshot):
928         (JSC::HeapSnapshotBuilder::json):
929         (): Deleted.
930         * heap/HeapSnapshotBuilder.h:
931         * runtime/JSObject.cpp:
932         (JSC::JSObject::calculatedClassName):
933
934 2017-06-06  Filip Pizlo  <fpizlo@apple.com>
935
936         index out of bound in bytecodebasicblock
937         https://bugs.webkit.org/show_bug.cgi?id=172963
938
939         Reviewed by Saam Barati and Mark Lam.
940         
941         We were leaving an unterminated basic block when generating CodeForCall for a class
942         constructor. This was mostly benign since that unterminated block was not reachable, but it
943         does cause an ASSERT.
944         
945         This fixes the issue by appending op_unreachable to that block. I added op_unreachable because
946         this really is the cleanest and most idiomatic way to solve this problem, so even though it
947         makes the change bigger it's probably worth it.
948
949         * bytecode/BytecodeDumper.cpp:
950         (JSC::BytecodeDumper<Block>::dumpBytecode):
951         * bytecode/BytecodeList.json:
952         * bytecode/BytecodeUseDef.h:
953         (JSC::computeUsesForBytecodeOffset):
954         (JSC::computeDefsForBytecodeOffset):
955         * bytecode/Opcode.h:
956         (JSC::isTerminal):
957         * bytecompiler/BytecodeGenerator.cpp:
958         (JSC::BytecodeGenerator::generate):
959         (JSC::BytecodeGenerator::emitUnreachable):
960         * bytecompiler/BytecodeGenerator.h:
961         * dfg/DFGByteCodeParser.cpp:
962         (JSC::DFG::ByteCodeParser::parseBlock):
963         * dfg/DFGCapabilities.cpp:
964         (JSC::DFG::capabilityLevel):
965         * ftl/FTLLowerDFGToB3.cpp:
966         (JSC::FTL::DFG::LowerDFGToB3::compileUnreachable):
967         * jit/JIT.cpp:
968         (JSC::JIT::privateCompileMainPass):
969         * jit/JIT.h:
970         * jit/JITOpcodes.cpp:
971         (JSC::JIT::emit_op_unreachable):
972         * llint/LowLevelInterpreter.asm:
973         * runtime/CommonSlowPaths.cpp:
974         (JSC::SLOW_PATH_DECL):
975         * runtime/CommonSlowPaths.h:
976
977 2017-06-06  Ryan Haddad  <ryanhaddad@apple.com>
978
979         Unreviewed, rolling out r217812.
980
981         This change caused test failures on arm64.
982
983         Reverted changeset:
984
985         "OMG tier up checks should be a patchpoint"
986         https://bugs.webkit.org/show_bug.cgi?id=172944
987         http://trac.webkit.org/changeset/217812
988
989 2017-06-06  Carlos Garcia Campos  <cgarcia@igalia.com>
990
991         [WPE] Enable remote inspector
992         https://bugs.webkit.org/show_bug.cgi?id=172971
993
994         Reviewed by Žan Doberšek.
995
996         We can just build the current glib remote inspector, without adding a frontend implementation and using a
997         WebKitGTK+ browser as frontend for now.
998
999         * PlatformWPE.cmake: Add remote inspector files to compilation.
1000         * inspector/remote/glib/RemoteInspectorUtils.cpp:
1001         (Inspector::backendCommands): Load the inspector resources library.
1002
1003 2017-06-06  Carlos Garcia Campos  <cgarcia@igalia.com>
1004
1005         [GLIB] Make remote inspector DBus protocol common to all glib based ports
1006         https://bugs.webkit.org/show_bug.cgi?id=172970
1007
1008         Reviewed by Žan Doberšek.
1009
1010         We are currently using "webkitgtk" in the names of DBus interfaces and object paths inside an ifdef with the
1011         idea that other ports could use their own names. However, the protocol is the same, so we could use the same
1012         names and make all glib based ports compatible with each other. This way we could use the GTK+ MiniBrowser to
1013         debug WPE, without having to implement the frontend part in WPE yet.
1014
1015         * inspector/remote/glib/RemoteInspectorGlib.cpp: Use webkit instead of webkitgtk and remove platform ifdefs.
1016         * inspector/remote/glib/RemoteInspectorServer.cpp: Ditto.
1017
1018 2017-06-06  Carlos Garcia Campos  <cgarcia@igalia.com>
1019
1020         [GTK] Web Process deadlock when closing the remote inspector frontend
1021         https://bugs.webkit.org/show_bug.cgi?id=172973
1022
1023         Reviewed by Žan Doberšek.
1024
1025         We are taking the remote inspector mutex twice. First close message is received, and receivedCloseMessage()
1026         takes the mutex. Then RemoteConnectionToTarget::close() is called that, when connected, calls
1027         PageDebuggable::disconnect() that ends up calling RemoteInspector::updateTarget() that also takes the remote
1028         inspector mutex. We should release the mutex before calling RemoteConnectionToTarget::close().
1029
1030         * inspector/remote/glib/RemoteInspectorGlib.cpp:
1031         (Inspector::RemoteInspector::receivedCloseMessage):
1032
1033 2017-06-05  Saam Barati  <sbarati@apple.com>
1034
1035         Try to fix features.json by adding an ESNext section.
1036
1037         Unreviewed.
1038
1039         * features.json:
1040
1041 2017-06-05  David Kilzer  <ddkilzer@apple.com>
1042
1043         Follow-up: Update JSC's features.json
1044         https://bugs.webkit.org/show_bug.cgi?id=172942
1045
1046         Rubber-stamped by Jon Davis.
1047
1048         * features.json: Change "Supported in preview" to
1049         "Supported" to try to fix <https://webkit.org/status/>.
1050
1051 2017-06-05  Saam Barati  <sbarati@apple.com>
1052
1053         We don't properly parse init_expr when the opcode is an unexpected opcode
1054         https://bugs.webkit.org/show_bug.cgi?id=172945
1055
1056         Reviewed by JF Bastien.
1057
1058         The bug is a simple typo. It should use the constant
1059         `true` instead of `false` when invoking the WASM_PARSER_FAIL_IF
1060         macro. This failure is already caught by spec tests that fail
1061         on arm64 devices.
1062
1063         * wasm/WasmModuleParser.cpp:
1064
1065 2017-06-05  Keith Miller  <keith_miller@apple.com>
1066
1067         OMG tier up checks should be a patchpoint
1068         https://bugs.webkit.org/show_bug.cgi?id=172944
1069
1070         Reviewed by Saam Barati.
1071
1072         Tier up checks in BBQ should be done as a patchpoint rather than individual B3 opcodes.
1073         In order to reduce code generated out of line in each function, we generate a single stub
1074         that pushes all the callee-saves. This looks like a 5-10% compile time speedup.
1075
1076         * wasm/WasmB3IRGenerator.cpp:
1077         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1078         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
1079         (JSC::Wasm::B3IRGenerator::addLoop):
1080         * wasm/WasmThunks.cpp:
1081         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
1082         * wasm/WasmThunks.h:
1083
1084 2017-06-05  Joseph Pecoraro  <pecoraro@apple.com>
1085
1086         Remove unused VM members
1087         https://bugs.webkit.org/show_bug.cgi?id=172941
1088
1089         Reviewed by Mark Lam.
1090
1091         * runtime/HashMapImpl.h:
1092         (JSC::HashMapImpl::selectStructure): Deleted.
1093         * runtime/VM.cpp:
1094         (JSC::VM::VM):
1095         * runtime/VM.h:
1096
1097 2017-06-05  Joseph Pecoraro  <pecoraro@apple.com>
1098
1099         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1100         https://bugs.webkit.org/show_bug.cgi?id=172848
1101         <rdar://problem/25709212>
1102
1103         Reviewed by Saam Barati.
1104
1105         * heap/HeapSnapshotBuilder.h:
1106         * heap/HeapSnapshotBuilder.cpp:
1107         Update the snapshot version. Change the node's 0 | 1 internal value
1108         to be a 32-bit bit flag. This is nice in that it is both compatible
1109         with the previous snapshot version and the same size. We can use more
1110         flags in the future.
1111
1112         (JSC::HeapSnapshotBuilder::json):
1113         In cases where the classInfo gives us "Object" check for a better
1114         class name by checking (o).__proto__.constructor.name. We avoid this
1115         check in cases where (o).hasOwnProperty("constructor") which is the
1116         case for most Foo.prototype objects. Otherwise this would get the
1117         name of the Foo superclass for the Foo.prototype object.
1118
1119         * runtime/JSObject.cpp:
1120         (JSC::JSObject::calculatedClassName):
1121         Handle some possible edge cases that were not handled before. Such
1122         as a JSObject without a GlobalObject, and an object which doesn't
1123         have a default getPrototype. Try to make the code a little clearer.
1124
1125 2017-06-05  Saam Barati  <sbarati@apple.com>
1126
1127         Update JSC's features.json
1128         https://bugs.webkit.org/show_bug.cgi?id=172942
1129
1130         Rubber stamped by Mark Lam.
1131
1132         * features.json:
1133
1134 2017-06-04  Konstantin Tokarev  <annulen@yandex.ru>
1135
1136         Fix build of Windows-specific code with ICU 59.1
1137         https://bugs.webkit.org/show_bug.cgi?id=172729
1138
1139         Reviewed by Darin Adler.
1140
1141         Fix conversions from WTF::String to wchar_t* and vice versa.
1142
1143         * jsc.cpp:
1144         (currentWorkingDirectory):
1145         (fetchModuleFromLocalFileSystem):
1146         * runtime/DateConversion.cpp:
1147         (JSC::formatDateTime):
1148
1149 2017-06-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1150
1151         [JSC] Drop unnecessary USE(CF) guard for getenv
1152         https://bugs.webkit.org/show_bug.cgi?id=172903
1153
1154         Reviewed by Sam Weinig.
1155
1156         getenv is not related to USE(CF) and OS(UNIX). It seems that this
1157         ifdef only hits in WinCairo, but WinCairo can use getenv.
1158         Moreover, in VM::VM, we already use getenv without any ifdef guard.
1159
1160         This patch just drops it.
1161
1162         * runtime/VM.cpp:
1163         (JSC::enableAssembler):
1164
1165 2017-06-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1166
1167         [JSC] Drop OS(DARWIN) for uintptr_t type conflict
1168         https://bugs.webkit.org/show_bug.cgi?id=172904
1169
1170         Reviewed by Sam Weinig.
1171
1172         In non-Darwin environment, uintptr_t may have the same type
1173         as uint64_t. We avoided the compile error by using OS(DARWIN).
1174         But, since it depends on cstdint implementation rather than OS, it is flaky.
1175         Instead, we just use template parameter IntegralType.
1176         And we describe the type constraint in a SFINAE manner.
1177
1178         * dfg/DFGOpInfo.h:
1179         (JSC::DFG::OpInfo::OpInfo):
1180
1181 2017-06-03  Csaba Osztrogonác  <ossy@webkit.org>
1182
1183         [ARM] Unreviewed buildfix after r217711.
1184
1185         * assembler/MacroAssemblerARM.h:
1186         (JSC::MacroAssemblerARM::xor32):
1187
1188 2017-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1189
1190         ASSERTION FAILED: "We should only declare a function as a lexically scoped variable in scopes where var declarations aren't allowed. ..." for function redeclaration with async function module export
1191         https://bugs.webkit.org/show_bug.cgi?id=168844
1192
1193         Reviewed by Saam Barati.
1194
1195         As with the exported function declaration, we should set statementDepth = 1 for exported async function declaration.
1196
1197         * parser/Parser.cpp:
1198         (JSC::DepthManager::DepthManager):
1199         (JSC::Parser<LexerType>::parseExportDeclaration):
1200         * parser/Parser.h:
1201         (JSC::Parser::DepthManager::DepthManager): Deleted.
1202         (JSC::Parser::DepthManager::~DepthManager): Deleted.
1203
1204 2017-06-02  Keith Miller  <keith_miller@apple.com>
1205
1206         Defer installing mach breakpoint handler until watchdog is actually called
1207         https://bugs.webkit.org/show_bug.cgi?id=172885
1208
1209         Reviewed by Saam Barati.
1210
1211         Eagerly installing the mach breakpoint handler causes issues with Xcode GUI debugging.
1212         This hides the issue, so it won't occur as often.
1213
1214         * runtime/VMTraps.cpp:
1215         (JSC::VMTraps::SignalSender::send):
1216         (JSC::VMTraps::VMTraps): Deleted.
1217         * runtime/VMTraps.h:
1218
1219 2017-06-02  Filip Pizlo  <fpizlo@apple.com>
1220
1221         Atomics.load and Atomics.store need to be fully fenced
1222         https://bugs.webkit.org/show_bug.cgi?id=172844
1223
1224         Reviewed by Keith Miller.
1225         
1226         Implement fully fenced loads and stores in FTL using AtomicXchgAdd(0, ptr) for the load and
1227         AtomicXchg(value, ptr) for the store.
1228         
1229         DFG needed no changes because it implements all atomics using a CAS loop.
1230         
1231         AtomicsObject.cpp now uses new Atomic<> API for fully fenced loads and stores.
1232         
1233         Prior to this change, we used half fences (acquire/release) for atomic loads and stores. This
1234         is not correct according to my current understanding of the SAB memory model, which requires
1235         that atomic operations are SC with respect to everything not just other atomics.
1236
1237         * ftl/FTLLowerDFGToB3.cpp:
1238         (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
1239         * ftl/FTLOutput.cpp:
1240         (JSC::FTL::Output::atomicWeakCAS):
1241         * ftl/FTLOutput.h:
1242         * runtime/AtomicsObject.cpp:
1243
1244 2017-06-02  Ryan Haddad  <ryanhaddad@apple.com>
1245
1246         Unreviewed, attempt to fix the iOS build after r217711.
1247
1248         * assembler/MacroAssemblerARM64.h:
1249         (JSC::MacroAssemblerARM64::xor32):
1250         (JSC::MacroAssemblerARM64::xor64):
1251
1252 2017-06-01  Filip Pizlo  <fpizlo@apple.com>
1253
1254         GC should use scrambled free-lists
1255         https://bugs.webkit.org/show_bug.cgi?id=172793
1256
1257         Reviewed by Mark Lam.
1258         
1259         Previously, our bump'n'pop allocator would use a conventional linked-list for the free-list.
1260         The linked-list would be threaded through free memory, as is the usual convention.
1261         
1262         This scrambles the next pointers of that free-list. It also scrambles the head pointer, because
1263         this leads to a more natural fast-path structure and saves one register on ARM64.
1264         
1265         The secret with which pointers are scrambled is per-allocator. Allocators choose a new secret
1266         every time they do a sweep-to-pop.
1267         
1268         This doesn't change the behavior of the bump part of bump'n'pop, but it does refactor the code
1269         quite a bit. Previously, there were four copies of the allocator fast path: two in
1270         MarkedAllocatorInlines.h, one in MarkedAllocator.cpp, and one in AssemblyHelpers.h. The JIT one
1271         was obviously different-looking, but the other three were almost identical. This moves all of
1272         that logic into FreeList. There are now just two copies of the allocator: FreeListInlines.h and
1273         AssemblyHelpers.h.
1274         
1275         This appears to be just as fast as our previous allocator.
1276
1277         * JavaScriptCore.xcodeproj/project.pbxproj:
1278         * heap/FreeList.cpp:
1279         (JSC::FreeList::FreeList):
1280         (JSC::FreeList::~FreeList):
1281         (JSC::FreeList::clear):
1282         (JSC::FreeList::initializeList):
1283         (JSC::FreeList::initializeBump):
1284         (JSC::FreeList::contains):
1285         (JSC::FreeList::dump):
1286         * heap/FreeList.h:
1287         (JSC::FreeList::allocationWillFail):
1288         (JSC::FreeList::originalSize):
1289         (JSC::FreeList::addressOfList):
1290         (JSC::FreeList::offsetOfBlock):
1291         (JSC::FreeList::offsetOfList):
1292         (JSC::FreeList::offsetOfIndex):
1293         (JSC::FreeList::offsetOfPayloadEnd):
1294         (JSC::FreeList::offsetOfRemaining):
1295         (JSC::FreeList::offsetOfOriginalSize):
1296         (JSC::FreeList::FreeList): Deleted.
1297         (JSC::FreeList::list): Deleted.
1298         (JSC::FreeList::bump): Deleted.
1299         (JSC::FreeList::operator==): Deleted.
1300         (JSC::FreeList::operator!=): Deleted.
1301         (JSC::FreeList::operator bool): Deleted.
1302         * heap/FreeListInlines.h: Added.
1303         (JSC::FreeList::addFreeCell):
1304         (JSC::FreeList::allocate):
1305         (JSC::FreeList::forEach):
1306         (JSC::FreeList::toOffset):
1307         (JSC::FreeList::fromOffset):
1308         * heap/IncrementalSweeper.cpp:
1309         (JSC::IncrementalSweeper::sweepNextBlock):
1310         * heap/MarkedAllocator.cpp:
1311         (JSC::MarkedAllocator::MarkedAllocator):
1312         (JSC::MarkedAllocator::didConsumeFreeList):
1313         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
1314         (JSC::MarkedAllocator::tryAllocateIn):
1315         (JSC::MarkedAllocator::allocateSlowCaseImpl):
1316         (JSC::MarkedAllocator::stopAllocating):
1317         (JSC::MarkedAllocator::prepareForAllocation):
1318         (JSC::MarkedAllocator::resumeAllocating):
1319         (JSC::MarkedAllocator::sweep):
1320         (JSC::MarkedAllocator::setFreeList): Deleted.
1321         * heap/MarkedAllocator.h:
1322         (JSC::MarkedAllocator::freeList):
1323         (JSC::MarkedAllocator::isFreeListedCell): Deleted.
1324         * heap/MarkedAllocatorInlines.h:
1325         (JSC::MarkedAllocator::isFreeListedCell):
1326         (JSC::MarkedAllocator::tryAllocate):
1327         (JSC::MarkedAllocator::allocate):
1328         * heap/MarkedBlock.cpp:
1329         (JSC::MarkedBlock::Handle::stopAllocating):
1330         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
1331         (JSC::MarkedBlock::Handle::resumeAllocating):
1332         (JSC::MarkedBlock::Handle::zap):
1333         (JSC::MarkedBlock::Handle::sweep):
1334         (JSC::MarkedBlock::Handle::isFreeListedCell):
1335         (JSC::MarkedBlock::Handle::forEachFreeCell): Deleted.
1336         * heap/MarkedBlock.h:
1337         * heap/MarkedBlockInlines.h:
1338         (JSC::MarkedBlock::Handle::specializedSweep):
1339         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace):
1340         (JSC::MarkedBlock::Handle::isFreeListedCell): Deleted.
1341         * heap/Subspace.cpp:
1342         (JSC::Subspace::finishSweep):
1343         * heap/Subspace.h:
1344         * jit/AssemblyHelpers.h:
1345         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
1346         * runtime/JSDestructibleObjectSubspace.cpp:
1347         (JSC::JSDestructibleObjectSubspace::finishSweep):
1348         * runtime/JSDestructibleObjectSubspace.h:
1349         * runtime/JSSegmentedVariableObjectSubspace.cpp:
1350         (JSC::JSSegmentedVariableObjectSubspace::finishSweep):
1351         * runtime/JSSegmentedVariableObjectSubspace.h:
1352         * runtime/JSStringSubspace.cpp:
1353         (JSC::JSStringSubspace::finishSweep):
1354         * runtime/JSStringSubspace.h:
1355         * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp:
1356         (JSC::JSWebAssemblyCodeBlockSubspace::finishSweep):
1357         * wasm/js/JSWebAssemblyCodeBlockSubspace.h:
1358
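The following is an added example and is not JavaScriptCore code: a small pop-style free list threaded through free memory whose next pointers and head pointer are XOR-scrambled with a per-allocator secret, in the spirit of the change described above. The cell layout, the class and function names, the fixed secret and the corruption scenario are assumptions made for illustration; it goes beyond the entry by adding a debug-style sanity check so that the effect of scrambling on a stray pointer write is visible.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Added example, not JavaScriptCore code. Free cells carry the (scrambled) address of
// the next free cell in their first word; the head is kept scrambled as well.
class ScrambledFreeList {
public:
    static constexpr size_t wordsPerCell = 4;
    static constexpr size_t cellSize = wordsPerCell * sizeof(uintptr_t);

    // Thread a fresh list through `region`. A real allocator would draw a new random
    // secret here on every sweep-to-pop; the caller supplies it so the example is deterministic.
    void initializeList(std::vector<uintptr_t>& region, uintptr_t secret)
    {
        m_secret = secret;
        m_begin = reinterpret_cast<uintptr_t>(region.data());
        size_t cellCount = region.size() / wordsPerCell;
        m_end = m_begin + cellCount * cellSize;
        uintptr_t next = 0; // a plain null terminates the list
        for (size_t i = cellCount; i-- > 0;) {
            uintptr_t cell = m_begin + i * cellSize;
            *reinterpret_cast<uintptr_t*>(cell) = scramble(next); // stored scrambled
            next = cell;
        }
        m_scrambledHead = scramble(next);
        m_corruptionDetected = false;
    }

    // Pop the head cell. The next word stored in the cell is already scrambled, so it
    // becomes the new head as-is; only the returned address is unscrambled. This is the
    // shorter fast path that scrambling the head makes possible.
    void* allocate()
    {
        uintptr_t head = unscramble(m_scrambledHead);
        if (!head)
            return nullptr;
        uintptr_t storedNext = *reinterpret_cast<uintptr_t*>(head);
        uintptr_t next = unscramble(storedNext);
        // Sanity check (an assumption of this example): a next word written by anything
        // that does not know the secret unscrambles to an address that is not a cell here.
        if (next && !isCell(next)) {
            m_corruptionDetected = true;
            m_scrambledHead = scramble(0); // stop handing out cells from a corrupted list
            return nullptr;
        }
        m_scrambledHead = storedNext;
        return reinterpret_cast<void*>(head);
    }

    bool corruptionDetected() const { return m_corruptionDetected; }
    bool isCell(uintptr_t p) const
    {
        return p >= m_begin && p < m_end && (p - m_begin) % cellSize == 0;
    }

private:
    uintptr_t scramble(uintptr_t p) const { return p ^ m_secret; }
    uintptr_t unscramble(uintptr_t p) const { return p ^ m_secret; }

    uintptr_t m_secret = 0;
    uintptr_t m_scrambledHead = 0;
    uintptr_t m_begin = 0;
    uintptr_t m_end = 0;
    bool m_corruptionDetected = false;
};

struct ForgeryOutcome {
    bool liveCellReissued;   // the allocator handed a cell that is in use out a second time
    bool corruptionDetected; // the sanity check fired instead
};

// Constructed scenario: two cells are handed out, then a stray write (as a memory-safety
// bug might produce) puts a plain, unscrambled pointer to the live first cell into the
// next word of the current free head. With secret 0 the list follows it; with a real
// secret the word unscrambles to garbage and the check fires.
ForgeryOutcome runForgeryScenario(uintptr_t secret)
{
    std::vector<uintptr_t> region(8 * ScrambledFreeList::wordsPerCell); // constructed backing store
    ScrambledFreeList freeList;
    freeList.initializeList(region, secret);
    void* live = freeList.allocate(); // cell 0, now in use
    freeList.allocate();              // cell 1
    uintptr_t* headWord = region.data() + 2 * ScrambledFreeList::wordsPerCell; // cell 2 is the head
    *headWord = reinterpret_cast<uintptr_t>(live);
    ForgeryOutcome outcome { false, false };
    for (int i = 0; i < 2; ++i) {
        if (freeList.allocate() == live)
            outcome.liveCellReissued = true;
    }
    outcome.corruptionDetected = freeList.corruptionDetected();
    return outcome;
}
```

With `runForgeryScenario(0)` the unscrambled list hands the live cell out again; with a non-zero secret the same write is caught by the check before any cell is reissued. The secret is XORed in here for clarity; what matters for the entry's design is that it is per-allocator and renewed on every sweep.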
1359 2017-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1360
1361         [JSC] Use @globalPrivate for concatSlowPath
1362         https://bugs.webkit.org/show_bug.cgi?id=172802
1363
1364         Reviewed by Darin Adler.
1365
1366         Use @globalPrivate instead of manually putting it to JSGlobalObject.
1367
1368         * builtins/ArrayPrototype.js:
1369         (concatSlowPath): Deleted.
1370         * runtime/JSGlobalObject.cpp:
1371         (JSC::JSGlobalObject::init):
1372
1373 2017-06-01  Andy Estes  <aestes@apple.com>
1374
1375         REGRESSION (r217626): ENABLE_APPLE_PAY_SESSION_V3 was disabled by mistake
1376         https://bugs.webkit.org/show_bug.cgi?id=172828
1377
1378         Reviewed by Beth Dakin.
1379
1380         * Configurations/FeatureDefines.xcconfig:
1381
1382 2017-06-01  Keith Miller  <keith_miller@apple.com>
1383
1384         Undo rollout in r217638 with bug fix
1385         https://bugs.webkit.org/show_bug.cgi?id=172824
1386
1387         Unreviewed, reland patch with unused set_state code removed.
1388
1389         * API/tests/ExecutionTimeLimitTest.cpp:
1390         (dispatchTermitateCallback):
1391         (testExecutionTimeLimit):
1392         * runtime/JSLock.cpp:
1393         (JSC::JSLock::didAcquireLock):
1394         * runtime/Options.cpp:
1395         (JSC::overrideDefaults):
1396         (JSC::Options::initialize):
1397         * runtime/Options.h:
1398         * runtime/VMTraps.cpp:
1399         (JSC::SignalContext::SignalContext):
1400         (JSC::SignalContext::adjustPCToPointToTrappingInstruction):
1401         (JSC::installSignalHandler):
1402         (JSC::VMTraps::SignalSender::send):
1403         * tools/SigillCrashAnalyzer.cpp:
1404         (JSC::SignalContext::SignalContext):
1405         (JSC::SignalContext::dump):
1406         (JSC::installCrashHandler):
1407         * wasm/WasmBBQPlan.cpp:
1408         (JSC::Wasm::BBQPlan::compileFunctions):
1409         * wasm/WasmFaultSignalHandler.cpp:
1410         (JSC::Wasm::trapHandler):
1411         (JSC::Wasm::enableFastMemory):
1412         * wasm/WasmMachineThreads.cpp:
1413         (JSC::Wasm::resetInstructionCacheOnAllThreads):
1414
1415 2017-06-01  Guillaume Emont  <guijemont@igalia.com>
1416
1417         [JSC][MIPS] SamplingProfiler::timerLoop() sleeps for 4000+ seconds
1418         https://bugs.webkit.org/show_bug.cgi?id=172800
1419
1420         Reviewed by Saam Barati.
1421
1422         This fixes a static_cast<uint64_t> by making it a cast to int64_t
1423         instead, which looks like the original intent. This fixes the
1424         sampling-profiler tests in JSTests/stress.
1425
1426         * runtime/SamplingProfiler.cpp:
1427         (JSC::SamplingProfiler::timerLoop):
1428
1429 2017-06-01  Tomas Popela  <tpopela@redhat.com>, Mark Lam  <mark.lam@apple.com>
1430
1431         RELEASE_ASSERT_NOT_REACHED() in InferredType::kindForFlags() on Big-Endians
1432         https://bugs.webkit.org/show_bug.cgi?id=170945
1433
1434         Reviewed by Mark Lam.
1435
1436         Re-define PutByIdFlags as an int32_t enum explicitly because it is
1437         stored as an int32_t value in UnlinkedInstruction.  This prevents
1438         a bug on 64-bit big endian architectures where the word order is
1439         inverted (when we convert the UnlinkedInstruction into a CodeBlock
1440         Instruction), resulting in the PutByIdFlags value not being stored in
1441         the 32-bit word that the rest of the code expects it to be in.
1442
1443         * bytecode/PutByIdFlags.h:
1444
1445 2017-05-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1446
1447         [JSC] Implement String.prototype.concat in JS builtins
1448         https://bugs.webkit.org/show_bug.cgi?id=172798
1449
1450         Reviewed by Sam Weinig.
1451
1452         Since we have highly effective + operation for strings,
1453         implementing String.prototype.concat in JS simplifies the
1454         implementation and improves performance by using speculated
1455         types.
1456
1457         Added microbenchmarks show performance improvement.
1458
1459         string-concat-long-convert     1063.2787+-12.9101    ^    109.0855+-2.8083        ^ definitely 9.7472x faster
1460         string-concat-convert          1111.1366+-12.2363    ^     99.3402+-1.9874        ^ definitely 11.1852x faster
1461         string-concat                   131.7377+-3.8359     ^     54.3949+-0.9580        ^ definitely 2.4219x faster
1462         string-concat-long               79.4726+-1.9644     ^     64.6301+-1.4941        ^ definitely 1.2297x faster
1463
1464         * builtins/StringPrototype.js:
1465         (globalPrivate.stringConcatSlowPath):
1466         (concat):
1467         * runtime/StringPrototype.cpp:
1468         (JSC::StringPrototype::finishCreation):
1469         (JSC::stringProtoFuncConcat): Deleted.
1470
1471 2017-05-31  Mark Lam  <mark.lam@apple.com>
1472
1473         Remove overrides of visitChildren() that do not add any functionality.
1474         https://bugs.webkit.org/show_bug.cgi?id=172789
1475         <rdar://problem/32500865>
1476
1477         Reviewed by Andreas Kling.
1478
1479         * bytecode/UnlinkedModuleProgramCodeBlock.cpp:
1480         (JSC::UnlinkedModuleProgramCodeBlock::visitChildren): Deleted.
1481         * bytecode/UnlinkedModuleProgramCodeBlock.h:
1482         * bytecode/UnlinkedProgramCodeBlock.cpp:
1483         (JSC::UnlinkedProgramCodeBlock::visitChildren): Deleted.
1484         * bytecode/UnlinkedProgramCodeBlock.h:
1485         * wasm/js/WebAssemblyFunction.cpp:
1486         (JSC::WebAssemblyFunction::visitChildren): Deleted.
1487         * wasm/js/WebAssemblyFunction.h:
1488         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1489         (JSC::WebAssemblyInstanceConstructor::visitChildren): Deleted.
1490         * wasm/js/WebAssemblyInstanceConstructor.h:
1491         * wasm/js/WebAssemblyMemoryConstructor.cpp:
1492         (JSC::WebAssemblyMemoryConstructor::visitChildren): Deleted.
1493         * wasm/js/WebAssemblyMemoryConstructor.h:
1494         * wasm/js/WebAssemblyModuleConstructor.cpp:
1495         (JSC::WebAssemblyModuleConstructor::visitChildren): Deleted.
1496         * wasm/js/WebAssemblyModuleConstructor.h:
1497         * wasm/js/WebAssemblyTableConstructor.cpp:
1498         (JSC::WebAssemblyTableConstructor::visitChildren): Deleted.
1499         * wasm/js/WebAssemblyTableConstructor.h:
1500
1501 2017-05-31  Commit Queue  <commit-queue@webkit.org>
1502
1503         Unreviewed, rolling out r217611 and r217631.
1504         https://bugs.webkit.org/show_bug.cgi?id=172785
1505
1506         "caused wasm-hashset-many.html to become flaky." (Requested by
1507         keith_miller on #webkit).
1508
1509         Reverted changesets:
1510
1511         "Reland r216808, underlying lldb bug has been fixed."
1512         https://bugs.webkit.org/show_bug.cgi?id=172759
1513         http://trac.webkit.org/changeset/217611
1514
1515         "Use dispatch queues for mach exceptions"
1516         https://bugs.webkit.org/show_bug.cgi?id=172775
1517         http://trac.webkit.org/changeset/217631
1518
1519 2017-05-31  Oleksandr Skachkov  <gskachkov@gmail.com>
1520
1521         Rolling out: Prevent async methods named 'function'
1522         https://bugs.webkit.org/show_bug.cgi?id=172776
1523
1524         Reviewed by Mark Lam.
1525
1526         Rolling out https://bugs.webkit.org/show_bug.cgi?id=172660 r217578 and
1527         https://bugs.webkit.org/show_bug.cgi?id=172598 r217478.
1528         The PR to the spec was closed, so the changes need to be rolled out. See
1529         https://github.com/tc39/ecma262/pull/884#issuecomment-305212494
1530
1531         * parser/Parser.cpp:
1532         (JSC::Parser<LexerType>::parseClass):
1533         (JSC::Parser<LexerType>::parsePropertyMethod):
1534
1535 2017-05-31  Andy Estes  <aestes@apple.com>
1536
1537         Rename ENABLE_APPLE_PAY_DELEGATE to ENABLE_APPLE_PAY_SESSION_V3 and bump the supported version number
1538         https://bugs.webkit.org/show_bug.cgi?id=172366
1539
1540         Reviewed by Daniel Bates.
1541
1542         * Configurations/FeatureDefines.xcconfig:
1543
1544 2017-05-31  Keith Miller  <keith_miller@apple.com>
1545
1546         Reland r216808, underlying lldb bug has been fixed.
1547         https://bugs.webkit.org/show_bug.cgi?id=172759
1548
1549
1550         Unreviewed, relanding old patch. See: rdar://problem/31183352
1551
1552         * API/tests/ExecutionTimeLimitTest.cpp:
1553         (dispatchTermitateCallback):
1554         (testExecutionTimeLimit):
1555         * runtime/JSLock.cpp:
1556         (JSC::JSLock::didAcquireLock):
1557         * runtime/Options.cpp:
1558         (JSC::overrideDefaults):
1559         (JSC::Options::initialize):
1560         * runtime/Options.h:
1561         * runtime/VMTraps.cpp:
1562         (JSC::SignalContext::SignalContext):
1563         (JSC::SignalContext::adjustPCToPointToTrappingInstruction):
1564         (JSC::installSignalHandler):
1565         (JSC::VMTraps::SignalSender::send):
1566         * tools/SigillCrashAnalyzer.cpp:
1567         (JSC::SignalContext::SignalContext):
1568         (JSC::SignalContext::dump):
1569         (JSC::installCrashHandler):
1570         * wasm/WasmBBQPlan.cpp:
1571         (JSC::Wasm::BBQPlan::compileFunctions):
1572         * wasm/WasmFaultSignalHandler.cpp:
1573         (JSC::Wasm::trapHandler):
1574         (JSC::Wasm::enableFastMemory):
1575         * wasm/WasmMachineThreads.cpp:
1576         (JSC::Wasm::resetInstructionCacheOnAllThreads):
1577
1578 2017-05-31  Keith Miller  <keith_miller@apple.com>
1579
1580         Fix leak in PromiseDeferredTimer
1581         https://bugs.webkit.org/show_bug.cgi?id=172755
1582
1583         Reviewed by JF Bastien.
1584
1585         We were not properly freeing the list of dependencies if we were already tracking the promise before.
1586         This is because addPendingPromise takes the list of dependencies as an rvalue reference. In the case
1587         where we were already tracking the promise, we append the provided dependency list to the existing list.
1588         Since we never bound our rvalue reference to a non-temporary value, we never destructed the Vector, leaking its
1589         contents.
1590
1591         * runtime/PromiseDeferredTimer.cpp:
1592         (JSC::PromiseDeferredTimer::addPendingPromise):
1593
1594 2017-05-30  Oleksandr Skachkov  <gskachkov@gmail.com>
1595
1596         Prevent async methods named 'function' in Object literal
1597         https://bugs.webkit.org/show_bug.cgi?id=172660
1598
1599         Reviewed by Saam Barati.
1600
1601         Prevent async methods named 'function' in objects.
1602         https://github.com/tc39/ecma262/pull/884
1603
1604         * parser/Parser.cpp:
1605         (JSC::Parser<LexerType>::parsePropertyMethod):
1606
1607 2017-05-30  Oleksandr Skachkov  <gskachkov@gmail.com>
1608
1609         ASSERTION FAILED: generator.isConstructor() || generator.derivedContextType() == DerivedContextType::DerivedConstructorContext
1610         https://bugs.webkit.org/show_bug.cgi?id=171274
1611
1612         Reviewed by Saam Barati.
1613
1614         The current patch allows using async arrow functions within a constructor,
1615         and allows accessing `this` there. The patch forces a load of `this` from the
1616         virtual scope each time `this` is accessed in an async arrow function
1617         within a constructor. This is necessary because the async function can be
1618         suspended, `superCall` can be called, and the async function resumed.
1619    
1620         * bytecompiler/BytecodeGenerator.cpp:
1621         (JSC::BytecodeGenerator::emitPutGeneratorFields):
1622         (JSC::BytecodeGenerator::ensureThis):
1623         * bytecompiler/BytecodeGenerator.h:
1624         (JSC::BytecodeGenerator::makeFunction):
1625
1626 2017-05-30  Ali Juma  <ajuma@chromium.org>
1627
1628         [CredentialManagement] Incorporate IDL updates from latest spec
1629         https://bugs.webkit.org/show_bug.cgi?id=172011
1630
1631         Reviewed by Daniel Bates.
1632
1633         * runtime/CommonIdentifiers.h:
1634
1635 2017-05-30  Alex Christensen  <achristensen@webkit.org>
1636
1637         Update libwebrtc configuration
1638         https://bugs.webkit.org/show_bug.cgi?id=172727
1639
1640         Reviewed by Geoffrey Garen.
1641
1642         * Configurations/FeatureDefines.xcconfig:
1643
1644 2017-05-28  Dan Bernstein  <mitz@apple.com>
1645
1646         [Xcode] ALWAYS_SEARCH_USER_PATHS is set to YES
1647         https://bugs.webkit.org/show_bug.cgi?id=172691
1648
1649         Reviewed by Tim Horton.
1650
1651         * Configurations/Base.xcconfig: Set ALWAYS_SEARCH_USER_PATHS to NO.
1652         * JavaScriptCore.xcodeproj/project.pbxproj: Added ParseInt.h to the JavaScriptCore target.
1653
1654 2017-05-28  Yusuke Suzuki  <utatane.tea@gmail.com>
1655
1656         [JSC] Provide better type information of toLength and tighten bytecode
1657         https://bugs.webkit.org/show_bug.cgi?id=172690
1658
1659         Reviewed by Sam Weinig.
1660
1661         In this patch, we carefully leverage operator + in order to
1662
1663         1. tighten bytecode
1664
1665         operator+ emits the to_number bytecode. What this bytecode does is the same
1666         as a @Number() call. It is more efficient, and it is smaller bytecode
1667         than a @Number() call (load the global variable @Number, set up arguments, and
1668         call it).
1669
1670         2. offer better type prediction data
1671
1672         Now, we have code like
1673
1674             length > 0 ? (length < @MAX_SAFE_INTEGER ? length : @MAX_SAFE_INTEGER) : 0
1675
1676         This is not good because DFG prediction propagation phase predicts as Double
1677         since @MAX_SAFE_INTEGER is double. But actually it rarely becomes Double.
1678         Usually, the result becomes Int32. This patch leverages to_number in a bit
1679         interesting way: to_number has value profiling to offer better type prediction.
1680         This value profiling can offer a chance to change the prediction to Int32 efficiently.
1681         It is a bit tricky. But it is worth doing to speed up our builtin functions,
1682         which should leverage all the JSC's tricky things to be optimized.
1683
1684         Related microbenchmarks show performance improvement.
1685
1686                                                   baseline                  patched
1687
1688             array-prototype-forEach           50.2348+-2.2331           49.7568+-2.3507
1689             array-prototype-map               51.0574+-1.8166           47.9531+-2.1653          might be 1.0647x faster
1690             array-prototype-some              52.3926+-1.8882     ^     48.3632+-2.0852        ^ definitely 1.0833x faster
1691             array-prototype-every             52.7394+-2.0712           50.2896+-2.1480          might be 1.0487x faster
1692             array-prototype-reduce            54.9994+-2.3638           51.8716+-2.6253          might be 1.0603x faster
1693             array-prototype-reduceRight      209.7594+-9.2594     ^     51.5867+-2.5745        ^ definitely 4.0662x faster
1694
1695
1696         * builtins/GlobalOperations.js:
1697         (globalPrivate.toInteger):
1698         (globalPrivate.toLength):
1699
1700 2017-05-28  Sam Weinig  <sam@webkit.org>
1701
1702         [WebIDL] @@iterator should only be accessed once when disambiguating a union type
1703         https://bugs.webkit.org/show_bug.cgi?id=172684
1704
1705         Reviewed by Yusuke Suzuki.
1706
1707         * runtime/IteratorOperations.cpp:
1708         (JSC::iteratorMethod):
1709         (JSC::iteratorForIterable):
1710         * runtime/IteratorOperations.h:
1711         (JSC::forEachInIterable):
1712         Add additional iterator helpers to allow union + sequence conversion code
1713         to check for iterability by getting the iterator method, and iterate using
1714         that method later on.
1715
1716 2017-05-28  Yusuke Suzuki  <utatane.tea@gmail.com>
1717
1718         Unreviewed, build fix for Windows
1719         https://bugs.webkit.org/show_bug.cgi?id=172413
1720
1721         Optimized jsDynamicCast for JSMap and JSSet will be handled in [1].
1722
1723         [1]: https://bugs.webkit.org/show_bug.cgi?id=172685
1724
1725         * runtime/JSMap.h:
1726         (JSC::isJSMap):
1727         (JSC::jsDynamicCast): Deleted.
1728         (JSC::>): Deleted.
1729         * runtime/JSSet.h:
1730         (JSC::isJSSet):
1731         (JSC::jsDynamicCast): Deleted.
1732         (JSC::>): Deleted.
1733         * runtime/MapConstructor.cpp:
1734         (JSC::constructMap):
1735         * runtime/SetConstructor.cpp:
1736         (JSC::constructSet):
1737
1738 2017-05-28  Mark Lam  <mark.lam@apple.com>
1739
1740         Implement a faster Interpreter::getOpcodeID().
1741         https://bugs.webkit.org/show_bug.cgi?id=172669
1742
1743         Reviewed by Saam Barati.
1744
1745         We can implement Interpreter::getOpcodeID() without a hash table lookup by always
1746         embedding the OpcodeID in the 32-bit word just before the start of the LLInt
1747         handler code that executes each opcode.  getOpcodeID() can therefore just read
1748         the 32-bits before the opcode address to get its OpcodeID.
1749
1750         This is currently only enabled for CPU(X86), CPU(X86_64), CPU(ARM64),
1751         CPU(ARM_THUMB2), and only for OS(DARWIN).  It'll probably just work for Linux as
1752         well, but I'll let the Linux folks turn that on after they have verified that it
1753         works on Linux too.
1754
1755         I'll also take this opportunity to clean up how we initialize the opcodeIDTable:
1756         1. we only need to initialize it once per process, not once per VM / interpreter
1757            instance.
1758         2. we can initialize it in the Interpreter constructor instead of requiring a
1759            separate call to an initialize() function.
1760
1761         On debug builds, the Interpreter constructor will also verify that getOpcodeID()
1762         is working correctly for each opcode when USE(LLINT_EMBEDDED_OPCODE_ID).
1763
1764         * bytecode/BytecodeList.json:
1765         * generate-bytecode-files:
1766         * interpreter/Interpreter.cpp:
1767         (JSC::Interpreter::Interpreter):
1768         (JSC::Interpreter::opcodeIDTable):
1769         (JSC::Interpreter::initialize): Deleted.
1770         * interpreter/Interpreter.h:
1771         (JSC::Interpreter::getOpcode):
1772         (JSC::Interpreter::getOpcodeID):
1773         * llint/LowLevelInterpreter.cpp:
1774         * runtime/VM.cpp:
1775         (JSC::VM::VM):
1776
1777 2017-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1778
1779         [JSC] Map and Set constructors should have fast path for cloning
1780         https://bugs.webkit.org/show_bug.cgi?id=172413
1781
1782         Reviewed by Saam Barati.
1783
1784         In this patch, we add a fast path for cloning in Set and Map constructors.
1785
1786         In ARES-6 Air, we have code like `new Set(set)` to clone the given set.
1787         At that time, our generic path just iterates the given set object and adds
1788         each element to the newly created one. It is quite slow because we need to follow
1789         the iterator protocol inside C++ and we need to call set.add() repeatedly
1790         while the given set guarantees the elements are unique.
1791
1792         This patch implements a clone() function for JSMap and JSSet. Cloning JSMap
1793         and JSSet is done really fast without invoking any observable JS functions.
1794         To check whether we can use this clone() function in the Set and Map constructors,
1795         we set several watchpoints.
1796
1797         In the case of Set,
1798
1799         1. Set.prototype[Symbol.iterator] is not changed.
1800         2. SetIterator.prototype.next is not changed.
1801         3. Set.prototype.add is not changed.
1802         4. The given Set does not have [Symbol.iterator] function in its instance.
1803         5. The given Set's [[Prototype]] is Set.prototype.
1804         6. Newly created set's [[Prototype]] is Set.prototype.
1805
1806         If the above requirements are met, cloning the given Set is not observable to users.
1807         Thus we can take a fast path.
1808
1809         Currently, we do not integrate this optimization into DFG and FTL.
1810         And we do not optimize other iterables. For example, we can optimize the Set
1811         constructor taking an Int32 Array. And we should optimize generic iterator cases too.
1812         They are planned as part of a separate bug [1].
1813
1814         This change improves ARES-6 Air by 5.3% in steady state.
1815
1816         Baseline:
1817             Running... Air ( 1  to go)
1818             firstIteration:     76.41 +- 15.60 ms
1819             averageWorstCase:   40.63 +- 7.54 ms
1820             steadyState:        9.13 +- 0.51 ms
1821
1822
1823         Patched:
1824             Running... Air ( 1  to go)
1825             firstIteration:     75.00 +- 22.54 ms
1826             averageWorstCase:   39.18 +- 8.45 ms
1827             steadyState:        8.67 +- 0.28 ms
1828
1829         [1]: https://bugs.webkit.org/show_bug.cgi?id=172419
1830
1831         * CMakeLists.txt:
1832         * JavaScriptCore.xcodeproj/project.pbxproj:
1833         * runtime/ArrayIteratorAdaptiveWatchpoint.cpp: Removed.
1834         * runtime/HashMapImpl.h:
1835         (JSC::HashMapBucket::extractValue):
1836         (JSC::HashMapImpl::finishCreation):
1837         (JSC::HashMapImpl::add):
1838         (JSC::HashMapImpl::setUpHeadAndTail):
1839         (JSC::HashMapImpl::addNormalizedNonExistingForCloning):
1840         (JSC::HashMapImpl::addNormalizedInternal):
1841         * runtime/InternalFunction.cpp:
1842         (JSC::InternalFunction::createSubclassStructureSlow):
1843         (JSC::InternalFunction::createSubclassStructure): Deleted.
1844         * runtime/InternalFunction.h:
1845         (JSC::InternalFunction::createSubclassStructure):
1846         * runtime/JSGlobalObject.cpp:
1847         (JSC::JSGlobalObject::JSGlobalObject):
1848         (JSC::JSGlobalObject::init):
1849         (JSC::JSGlobalObject::visitChildren):
1850         * runtime/JSGlobalObject.h:
1851         (JSC::JSGlobalObject::mapIteratorProtocolWatchpoint):
1852         (JSC::JSGlobalObject::setIteratorProtocolWatchpoint):
1853         (JSC::JSGlobalObject::mapSetWatchpoint):
1854         (JSC::JSGlobalObject::setAddWatchpoint):
1855         (JSC::JSGlobalObject::mapPrototype):
1856         (JSC::JSGlobalObject::jsSetPrototype):
1857         (JSC::JSGlobalObject::setStructure):
1858         * runtime/JSGlobalObjectInlines.h:
1859         (JSC::JSGlobalObject::isMapPrototypeIteratorProtocolFastAndNonObservable):
1860         (JSC::JSGlobalObject::isSetPrototypeIteratorProtocolFastAndNonObservable):
1861         (JSC::JSGlobalObject::isMapPrototypeSetFastAndNonObservable):
1862         (JSC::JSGlobalObject::isSetPrototypeAddFastAndNonObservable):
1863         * runtime/JSMap.cpp:
1864         (JSC::JSMap::clone):
1865         (JSC::JSMap::canCloneFastAndNonObservable):
1866         * runtime/JSMap.h:
1867         (JSC::jsDynamicCast):
1868         (JSC::>):
1869         (JSC::JSMap::createStructure): Deleted.
1870         (JSC::JSMap::create): Deleted.
1871         (JSC::JSMap::set): Deleted.
1872         (JSC::JSMap::JSMap): Deleted.
1873         * runtime/JSSet.cpp:
1874         (JSC::JSSet::clone):
1875         (JSC::JSSet::canCloneFastAndNonObservable):
1876         * runtime/JSSet.h:
1877         (JSC::jsDynamicCast):
1878         (JSC::>):
1879         (JSC::JSSet::createStructure): Deleted.
1880         (JSC::JSSet::create): Deleted.
1881         (JSC::JSSet::JSSet): Deleted.
1882         * runtime/MapConstructor.cpp:
1883         (JSC::constructMap):
1884         * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h: Renamed from Source/JavaScriptCore/runtime/ArrayIteratorAdaptiveWatchpoint.h.
1885         (JSC::ObjectPropertyChangeAdaptiveWatchpoint::ObjectPropertyChangeAdaptiveWatchpoint):
1886         * runtime/SetConstructor.cpp:
1887         (JSC::constructSet):
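
The following is an added example, not code from WebKit or this ChangeLog. It shows why the six conditions listed above are needed before the clone() fast path may be taken: `new Set(src)` is specified in terms of the iterator protocol and `Set.prototype.add`, so when user code replaces `SetIterator.prototype.next`, `Set.prototype.add`, or gives the instance its own `[Symbol.iterator]`, the replacement must be observed. Each helper patches one hook, clones a constructed sample set, and restores the hook; the helper names and sample values are this example's own.

```javascript
// Added example, not code from WebKit: shows why the Set-clone fast path must
// check the hooks the ChangeLog entry lists. `new Set(src)` is specified in
// terms of the iterator protocol and Set.prototype.add, so if user code
// replaces any of them the replacement must be observed. Each helper patches
// one hook, clones a constructed sample set, and restores the hook.

const SetIteratorPrototype = Object.getPrototypeOf(new Set()[Symbol.iterator]());

// Condition 2: SetIterator.prototype.next replaced. Cloning an n-element set
// must call next() n + 1 times (n values plus the final { done: true } step).
function countNextCallsDuringClone(src) {
  const originalNext = SetIteratorPrototype.next;
  let calls = 0;
  SetIteratorPrototype.next = function () {
    calls++;
    return originalNext.call(this);
  };
  try {
    new Set(src);
  } finally {
    SetIteratorPrototype.next = originalNext;
  }
  return calls;
}

// Condition 3: Set.prototype.add replaced. The constructor looks up `add`
// once and must call it for every element of the source.
function countAddCallsDuringClone(src) {
  const originalAdd = Set.prototype.add;
  let calls = 0;
  Set.prototype.add = function (value) {
    calls++;
    return originalAdd.call(this, value);
  };
  try {
    new Set(src);
  } finally {
    Set.prototype.add = originalAdd;
  }
  return calls;
}

// Condition 4: the source carries its own [Symbol.iterator]. The clone must
// be produced by that iterator, here one that yields an extra element.
function cloneWithOwnIterator(src) {
  const withOwnIterator = new Set(src);
  withOwnIterator[Symbol.iterator] = function* () {
    yield* Set.prototype.values.call(this);
    yield "extra";
  };
  return new Set(withOwnIterator);
}

// Constructed sample input and a stand-alone run.
const sampleSet = new Set([1, 2, 3]);
console.log("next() calls during clone:", countNextCallsDuringClone(sampleSet));
console.log("add() calls during clone:", countAddCallsDuringClone(sampleSet));
console.log("clone size with own iterator:", cloneWithOwnIterator(sampleSet).size);
```

Running this under any conforming engine reports 4 next() calls, 3 add() calls, and a clone of size 4. An engine whose fast path skipped these checks would report 0, 0 and 3, which is exactly the observable difference the watchpoints exist to rule out.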
1888
1889 2017-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1890
1891         [DOMJIT] Move DOMJIT patchpoint infrastructure out of domjit
1892         https://bugs.webkit.org/show_bug.cgi?id=172260
1893
1894         Reviewed by Filip Pizlo.
1895
1896         DOMJIT::Patchpoint is now used for generalized CheckSubClass. And it becomes mature enough
1897         to be used as a general-purpose injectable compiler over all the JIT tiers.
1898
1899         We extract DOMJIT::Patchpoint to jit/ and rename it JSC::Snippet.
1900
1901         * CMakeLists.txt:
1902         * JavaScriptCore.xcodeproj/project.pbxproj:
1903         * bytecode/AccessCaseSnippetParams.cpp: Renamed from Source/JavaScriptCore/bytecode/DOMJITAccessCasePatchpointParams.cpp.
1904         (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
1905         (JSC::AccessCaseSnippetParams::emitSlowPathCalls):
1906         * bytecode/AccessCaseSnippetParams.h: Renamed from Source/JavaScriptCore/bytecode/DOMJITAccessCasePatchpointParams.h.
1907         (JSC::AccessCaseSnippetParams::AccessCaseSnippetParams):
1908         * bytecode/GetterSetterAccessCase.cpp:
1909         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
1910         * dfg/DFGAbstractInterpreterInlines.h:
1911         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1912         * dfg/DFGByteCodeParser.cpp:
1913         (JSC::DFG::blessCallDOMGetter):
1914         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
1915         * dfg/DFGClobberize.h:
1916         (JSC::DFG::clobberize):
1917         * dfg/DFGFixupPhase.cpp:
1918         (JSC::DFG::FixupPhase::fixupNode):
1919         * dfg/DFGGraph.h:
1920         * dfg/DFGNode.h:
1921         * dfg/DFGSnippetParams.cpp: Renamed from Source/JavaScriptCore/dfg/DFGDOMJITPatchpointParams.cpp.
1922         * dfg/DFGSnippetParams.h: Renamed from Source/JavaScriptCore/dfg/DFGDOMJITPatchpointParams.h.
1923         (JSC::DFG::SnippetParams::SnippetParams):
1924         * dfg/DFGSpeculativeJIT.cpp:
1925         (JSC::DFG::allocateTemporaryRegistersForSnippet):
1926         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
1927         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
1928         (JSC::DFG::allocateTemporaryRegistersForPatchpoint): Deleted.
1929         * domjit/DOMJITCallDOMGetterSnippet.h: Renamed from Source/JavaScriptCore/domjit/DOMJITCallDOMGetterPatchpoint.h.
1930         (JSC::DOMJIT::CallDOMGetterSnippet::create):
1931         * domjit/DOMJITGetterSetter.h:
1932         * domjit/DOMJITSignature.h:
1933         * domjit/DOMJITValue.h: Removed.
1934         * ftl/FTLLowerDFGToB3.cpp:
1935         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1936         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
1937         * ftl/FTLSnippetParams.cpp: Renamed from Source/JavaScriptCore/ftl/FTLDOMJITPatchpointParams.cpp.
1938         * ftl/FTLSnippetParams.h: Renamed from Source/JavaScriptCore/ftl/FTLDOMJITPatchpointParams.h.
1939         (JSC::FTL::SnippetParams::SnippetParams):
1940         * jit/Snippet.h: Renamed from Source/JavaScriptCore/domjit/DOMJITPatchpoint.h.
1941         (JSC::Snippet::create):
1942         (JSC::Snippet::setGenerator):
1943         (JSC::Snippet::generator):
1944         * jit/SnippetParams.h: Renamed from Source/JavaScriptCore/domjit/DOMJITPatchpointParams.h.
1945         (JSC::SnippetParams::~SnippetParams):
1946         (JSC::SnippetParams::Value::Value):
1947         (JSC::SnippetParams::Value::isGPR):
1948         (JSC::SnippetParams::Value::isFPR):
1949         (JSC::SnippetParams::Value::isJSValueRegs):
1950         (JSC::SnippetParams::Value::gpr):
1951         (JSC::SnippetParams::Value::fpr):
1952         (JSC::SnippetParams::Value::jsValueRegs):
1953         (JSC::SnippetParams::Value::reg):
1954         (JSC::SnippetParams::Value::value):
1955         (JSC::SnippetParams::SnippetParams):
1956         * jit/SnippetReg.h: Renamed from Source/JavaScriptCore/domjit/DOMJITReg.h.
1957         (JSC::SnippetReg::SnippetReg):
1958         * jit/SnippetSlowPathCalls.h: Renamed from Source/JavaScriptCore/domjit/DOMJITSlowPathCalls.h.
1959         * jsc.cpp:
1960         (WTF::DOMJITNode::checkSubClassSnippet):
1961         (WTF::DOMJITFunctionObject::checkSubClassSnippet):
1962         (WTF::DOMJITNode::checkSubClassPatchpoint): Deleted.
1963         (WTF::DOMJITFunctionObject::checkSubClassPatchpoint): Deleted.
1964         * runtime/ClassInfo.h:
1965
1966 2017-05-26  Keith Miller  <keith_miller@apple.com>
1967
1968         REGRESSION(r217459): testapi fails in JSExportTest's wrapperForNSObjectisObject().
1969         https://bugs.webkit.org/show_bug.cgi?id=172654
1970
1971         Reviewed by Mark Lam.
1972
1973         The test's intent is to assert that an exception has not been
1974         thrown (as indicated by the message string), but the test was
1975         erroneously checking for ! the right condition. This is now fixed.
1976
1977         * API/tests/JSExportTests.mm:
1978         (wrapperForNSObjectisObject):
1979
1980 2017-05-26  Joseph Pecoraro  <pecoraro@apple.com>
1981
1982         JSContext Inspector: Improve the reliability of automatically pausing in auto-attach
1983         https://bugs.webkit.org/show_bug.cgi?id=172664
1984         <rdar://problem/32362933>
1985
1986         Reviewed by Matt Baker.
1987
1988         Automatically pause on connection was triggering a pause before the
1989         frontend may have initialized. Often during frontend initialization
1990         the frontend may perform an action that clears the pause state requested
1991         by the developer. This change defers the pause until after the frontend
1992         has initialized, right before returning to the application's code.
1993
1994         * inspector/remote/RemoteControllableTarget.h:
1995         * inspector/remote/RemoteInspectionTarget.h:
1996         * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
1997         (Inspector::RemoteConnectionToTarget::setup):
1998         * inspector/remote/glib/RemoteConnectionToTargetGlib.cpp:
1999         (Inspector::RemoteConnectionToTarget::setup):
2000         * runtime/JSGlobalObjectDebuggable.cpp:
2001         (JSC::JSGlobalObjectDebuggable::connect):
2002         (JSC::JSGlobalObjectDebuggable::pause): Deleted.
2003         * runtime/JSGlobalObjectDebuggable.h:
2004         Pass an immediatelyPause boolean on to the controller. Remove
2005         the current path that invokes a pause before initialization.
2006
2007         * inspector/JSGlobalObjectInspectorController.h:
2008         * inspector/JSGlobalObjectInspectorController.cpp:
2009         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
2010         (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
2011         Manage should immediately pause state.
2012
2013         (Inspector::JSGlobalObjectInspectorController::frontendInitialized):
2014         (Inspector::JSGlobalObjectInspectorController::pause): Deleted.
2015         When initialized, trigger a pause if requested.
2016
2017 2017-05-26  Mark Lam  <mark.lam@apple.com>
2018
2019         Temporarily commenting out a JSExportTest test until webkit.org/b/172654 is fixed.
2020         https://bugs.webkit.org/show_bug.cgi?id=172655
2021
2022         Reviewed by Saam Barati.
2023
2024         * API/tests/JSExportTests.mm:
2025         (wrapperForNSObjectisObject):
2026
2027 2017-05-26  Mark Lam  <mark.lam@apple.com>
2028
2029         REGRESSION(216914): testCFStrings encounters an invalid ExecState callee pointer.
2030         https://bugs.webkit.org/show_bug.cgi?id=172651
2031
2032         Reviewed by Saam Barati.
2033
2034         This is because the assertion utility functions used in testCFStrings() expect
2035         to get the JSGlobalContextRef from the global context variable.  However,
2036         testCFStrings() creates its own JSGlobalContextRef but does not set the global
2037         context variable to it.
2038
2039         The fix is to make testCFStrings() initialize the global context variable properly.
2040
2041         * API/tests/testapi.c:
2042         (testCFStrings):
2043
2044 2017-05-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2045
2046         Give ModuleProgram the same treatment that we did for ProgramCode in bug#167725
2047         https://bugs.webkit.org/show_bug.cgi?id=167805
2048
2049         Reviewed by Saam Barati.
2050
2051         Since ModuleProgramExecutable is executed only once, we can skip compiling
2052         code unreachable from the current program count. This can skip massive
2053         initialization code.
2054
2055         We already do this for global code in bug#167725. This patch extends it to
2056         module code.
2057
2058         * interpreter/Interpreter.cpp:
2059         (JSC::Interpreter::executeModuleProgram):
2060         * interpreter/Interpreter.h:
2061         * jit/JIT.cpp:
2062         (JSC::JIT::privateCompileMainPass):
2063         * runtime/JSModuleRecord.cpp:
2064         (JSC::JSModuleRecord::evaluate):
2065         * runtime/JSModuleRecord.h:
2066         (JSC::JSModuleRecord::moduleProgramExecutable): Deleted.
2067
2068 2017-05-26  Oleksandr Skachkov  <gskachkov@gmail.com>
2069
2070         Prevent async methods named 'function'
2071         https://bugs.webkit.org/show_bug.cgi?id=172598
2072
2073         Reviewed by Mark Lam.
2074
2075         Prevent async method named 'function' in class.
2076         Link to change in ecma262 specification
2077         https://github.com/tc39/ecma262/pull/884
2078
2079         * parser/Parser.cpp:
2080         (JSC::Parser<LexerType>::parseClass):
2081
2082 2017-05-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2083
2084         Unreviewed, build fix for GCC
2085
2086         std::tuple does not have an implicit constructor.
2087         Thus, we cannot use implicit construction with an initializer brace.
2088         We should specify the name, like `GetInst { }`.
2089
2090         * bytecompiler/BytecodeGenerator.h:
2091         (JSC::StructureForInContext::addGetInst):
2092
2093 2017-05-25  Keith Miller  <keith_miller@apple.com>
2094
2095         Cleanup tests after r217240
2096         https://bugs.webkit.org/show_bug.cgi?id=172466
2097
2098         Reviewed by Mark Lam.
2099
2100         I forgot to make my test an actual test. Also, remove the second call to runJSExportTests().
2101
2102         * API/tests/JSExportTests.mm:
2103         (wrapperForNSObjectisObject):
2104         * API/tests/testapi.mm:
2105         (testObjectiveCAPIMain):
2106
2107 2017-05-25  Michael Saboff  <msaboff@apple.com>
2108
2109         The default setting of Option::criticalGCMemoryThreshold is too high for iOS
2110         https://bugs.webkit.org/show_bug.cgi?id=172617
2111
2112         Reviewed by Mark Lam.
2113
2114         Reducing criticalGCMemoryThreshold to 0.80 eliminated jetsam on iOS devices
2115         when tested running JetStream.
2116
2117         * runtime/Options.h:
2118
2119 2017-05-25  Saam Barati  <sbarati@apple.com>
2120
2121         Our for-in optimization in the bytecode generator does its static analysis incorrectly
2122         https://bugs.webkit.org/show_bug.cgi?id=172532
2123         <rdar://problem/32369452>
2124
2125         Reviewed by Mark Lam.
2126
2127         Our static analysis for when a for-in induction variable
2128         is written to tried to do its analysis as we generate
2129         bytecode. This has issues, since it does not account for
2130         the dynamic execution path of the program. Let's consider
2131         a program where our old analysis worked:
2132         
2133         ```
2134         for (let p in o) {
2135             o[p]; // We can transform this into a fast get_direct_pname
2136             p = 20;
2137             o[p]; // We cannot transform this since p has been changed.
2138         }
2139         ```
2140         
2141         However, our static analysis did not account for loops, which exist
2142         in JavaScript. E.g., it would incorrectly compile this program as:
2143         ```
2144         for (let p in o) {
2145             for (let i = 0; i < 20; ++i) {
2146                 o[p]; // It transforms this to use get_direct_pname even though p will be over-written if we get here from the inner loop back edge!
2147                 p = 20;
2148                 o[p]; // We correctly do not transform this.
2149             } 
2150         }
2151         ```
2152         
2153         Because of this flaw, I've made the optimization more conservative.
2154         We now optimistically emit code for the optimized access. However,
2155         if a for-in context is *ever* invalidated, before we pop it off
2156         the stack, we rewrite the program's optimized accesses to no longer
2157         be optimized. To do this, each context keeps track of its optimized
2158         accesses.
2159         
2160         This patch also adds a new bytecode, op_nop, which is just a no-op.
2161         It was helpful to add this because reverting get_direct_pname to get_by_val
2162         will leave us with an extra instruction word, because get_direct_pname
2163         has a length of 7 where get_by_val has a length of 6. This leaves us with
2164         an extra slot that we fill with an op_nop.
2165
2166         * bytecode/BytecodeDumper.cpp:
2167         (JSC::BytecodeDumper<Block>::dumpBytecode):
2168         * bytecode/BytecodeList.json:
2169         * bytecode/BytecodeUseDef.h:
2170         (JSC::computeUsesForBytecodeOffset):
2171         (JSC::computeDefsForBytecodeOffset):
2172         * bytecompiler/BytecodeGenerator.cpp:
2173         (JSC::BytecodeGenerator::emitGetByVal):
2174         (JSC::BytecodeGenerator::popIndexedForInScope):
2175         (JSC::BytecodeGenerator::popStructureForInScope):
2176         (JSC::BytecodeGenerator::invalidateForInContextForLocal):
2177         (JSC::StructureForInContext::pop):
2178         (JSC::IndexedForInContext::pop):
2179         * bytecompiler/BytecodeGenerator.h:
2180         (JSC::StructureForInContext::addGetInst):
2181         (JSC::IndexedForInContext::addGetInst):
2182         * dfg/DFGByteCodeParser.cpp:
2183         (JSC::DFG::ByteCodeParser::parseBlock):
2184         * dfg/DFGCapabilities.cpp:
2185         (JSC::DFG::capabilityLevel):
2186         * jit/JIT.cpp:
2187         (JSC::JIT::privateCompileMainPass):
2188         * jit/JIT.h:
2189         * jit/JITOpcodes.cpp:
2190         (JSC::JIT::emit_op_nop):
2191         * llint/LowLevelInterpreter.asm:
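
        As an added illustration (not JSC's own code) of the bookkeeping described above: a toy bytecode generator that emits get_direct_pname optimistically, records each emission in its for-in context, and on pop rewrites every recorded access to get_by_val plus op_nop if the context was invalidated. The instruction lengths 7 and 6 come from this entry; the operand names, the 'loop' pseudo-opcode and the other lengths are invented for the model.

```javascript
// Toy model of the for-in context bookkeeping (added example, not JSC's code).
// Bytecode is a flat array of words. The lengths of get_direct_pname (7) and
// get_by_val (6) are the ones given in the ChangeLog; the operand names, the
// 'loop' pseudo-opcode and the remaining lengths are invented for this model.
const LENGTHS = { get_direct_pname: 7, get_by_val: 6, op_nop: 1, mov: 3, loop: 1 };

class ForInContext {
  constructor(local) {
    this.local = local;           // local holding the enumerated property name
    this.valid = true;            // cleared when that local is written in the body
    this.optimizedAccesses = [];  // word offsets of the get_direct_pname we emitted
  }
  addGetInst(offset) { this.optimizedAccesses.push(offset); }
}

class Generator {
  constructor() {
    this.words = [];
    this.contexts = [];
  }

  pushForInContext(local) { this.contexts.push(new ForInContext(local)); }

  emitGetByVal(dst, base, property) {
    // Innermost still-valid context enumerating `property` wins. Emit the fast
    // access optimistically and remember where it is so it can be undone later.
    for (let i = this.contexts.length - 1; i >= 0; --i) {
      const ctx = this.contexts[i];
      if (ctx.local === property && ctx.valid) {
        ctx.addGetInst(this.words.length);
        this.words.push('get_direct_pname', dst, base, property, 'index', 'enumerator', 'profile');
        return;
      }
    }
    this.words.push('get_by_val', dst, base, property, 'arrayProfile', 'profile');
  }

  emitMove(local, value) {
    // Writing a local invalidates every enclosing context that enumerates it.
    for (const ctx of this.contexts) {
      if (ctx.local === local) ctx.valid = false;
    }
    this.words.push('mov', local, value);
  }

  popForInContext() {
    const ctx = this.contexts.pop();
    if (ctx.valid) return;
    // The context was invalidated somewhere in its body, so every optimistic access
    // is reverted, including ones emitted textually before the write that a loop
    // back edge can reach afterwards. get_direct_pname is one word longer than
    // get_by_val, so the spare slot is filled with op_nop and no offsets shift.
    for (const offset of ctx.optimizedAccesses) {
      const [dst, base, property] = this.words.slice(offset + 1, offset + 4);
      this.words.splice(offset, LENGTHS.get_direct_pname,
        'get_by_val', dst, base, property, 'arrayProfile', 'profile', 'op_nop');
    }
  }
}

// Decode the word stream back into its sequence of opcodes using the length table.
function opcodes(words) {
  const out = [];
  for (let i = 0; i < words.length; i += LENGTHS[words[i]]) out.push(words[i]);
  return out;
}

// The ChangeLog's program: for (p in o) { for (...) { o[p]; p = 20; o[p]; } }.
// With assignInsideLoop = false the inner body is just o[p] twice.
function compileLoopProgram(assignInsideLoop) {
  const g = new Generator();
  g.pushForInContext('p');
  g.words.push('loop');            // stand-in for the inner loop header / back edge
  g.emitGetByVal('t0', 'o', 'p');  // reached again via the back edge after p = 20
  if (assignInsideLoop) g.emitMove('p', 20);
  g.emitGetByVal('t1', 'o', 'p');
  g.popForInContext();
  return opcodes(g.words);
}
```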
2192
2193 2017-05-25  Mark Lam  <mark.lam@apple.com>
2194
2195         ObjectToStringAdaptiveInferredPropertyValueWatchpoint should not reinstall itself nor handleFire if it's dying shortly.
2196         https://bugs.webkit.org/show_bug.cgi?id=172548
2197         <rdar://problem/31458393>
2198
2199         Reviewed by Filip Pizlo.
2200
2201         Consider the following scenario:
2202
2203         1. A ObjectToStringAdaptiveInferredPropertyValueWatchpoint O1, watches for
2204            structure transitions, e.g. structure S2 transitioning to structure S3.
2205            In this case, O1 would be installed in S2's watchpoint set.
2206         2. When the structure transition happens, structure S2 will fire watchpoint O1.
2207         3. O1's handler will normally re-install itself in the watchpoint set of the new
2208            "transitioned to" structure S3.
2209         4. "Installation" here requires writing into the StructureRareData SD3 of the new
2210            structure S3.  If SD3 does not exist yet, the installation process will trigger
2211            the allocation of StructureRareData SD3.
2212         5. It is possible that the Structure S1, and StructureRareData SD1 that owns the
2213            ObjectToStringAdaptiveInferredPropertyValueWatchpoint O1 is no longer reachable
2214            by the GC, and therefore will be collected soon.
2215         6. The allocation of SD3 in (4) may trigger the sweeping of the StructureRareData
2216            SD1.  This, in turn, triggers the deletion of the
2217            ObjectToStringAdaptiveInferredPropertyValueWatchpoint O1.
2218
2219         After O1 is deleted in (6) and SD3 is allocated in (4), execution continues in
2220         AdaptiveInferredPropertyValueWatchpointBase::fire() where O1 gets installed in
2221         structure S3's watchpoint set.  This is obviously incorrect because O1 is already
2222         deleted.  The result is that badness happens later when S3's watchpoint set fires
2223         its watchpoints and accesses the deleted O1.
2224
2225         The fix is to enhance AdaptiveInferredPropertyValueWatchpointBase::fire() to
2226         check if "this" is still valid before proceeding to re-install itself or to
2227         invoke its handleFire() method.
2228
2229         ObjectToStringAdaptiveInferredPropertyValueWatchpoint (which extends
2230         AdaptiveInferredPropertyValueWatchpointBase) will override its isValid() method,
        and return false if its owner StructureRareData is no longer reachable by the GC.
2232         This ensures that it won't be deleted while it's installed to any watchpoint set.
2233
2234         Additional considerations and notes:
2235         1. In the above, I talked about the ObjectToStringAdaptiveInferredPropertyValueWatchpoint
2236            being installed in watchpoint sets.  What actually happens is that
2237            ObjectToStringAdaptiveInferredPropertyValueWatchpoint has 2 members
2238            (m_structureWatchpoint and m_propertyWatchpoint) which may be installed in
2239            watchpoint sets.  The ObjectToStringAdaptiveInferredPropertyValueWatchpoint is
2240            not itself a Watchpoint object.
2241
2242            But for brevity, in the above, I refer to the ObjectToStringAdaptiveInferredPropertyValueWatchpoint
2243            instead of its Watchpoint members.  The description of the issue is still
           accurate given that the life-cycle of the Watchpoint members is embedded in the
2245            enclosing ObjectToStringAdaptiveInferredPropertyValueWatchpoint object, and
2246            hence, they share the same life-cycle.
2247
2248         2. The top of AdaptiveInferredPropertyValueWatchpointBase::fire() removes its
2249            m_structureWatchpoint and m_propertyWatchpoint if they have been added to any
2250            watchpoint sets.  This is safe to do even if the owner StructureRareData is no
2251            longer reachable by the GC.
2252
2253            This is because the only way we can get to AdaptiveInferredPropertyValueWatchpointBase::fire()
2254            is if its Watchpoint members are still installed in some watchpoint set that
2255            fired.  This means that the AdaptiveInferredPropertyValueWatchpointBase
2256            instance has not been deleted yet, because its destructor will automatically
2257            remove the Watchpoint members from any watchpoint sets.
2258
2259         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
2260         (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
2261         (JSC::AdaptiveInferredPropertyValueWatchpointBase::isValid):
2262         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
2263         * heap/FreeList.cpp:
2264         (JSC::FreeList::contains):
2265         * heap/FreeList.h:
2266         * heap/HeapCell.h:
2267         * heap/HeapCellInlines.h:
2268         (JSC::HeapCell::isLive):
2269         * heap/MarkedAllocator.h:
2270         (JSC::MarkedAllocator::isFreeListedCell):
2271         * heap/MarkedBlock.h:
2272         * heap/MarkedBlockInlines.h:
2273         (JSC::MarkedBlock::Handle::isFreeListedCell):
2274         * runtime/StructureRareData.cpp:
2275         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::isValid):
2276
2277 2017-05-23  Saam Barati  <sbarati@apple.com>
2278
2279         We should not mmap zero bytes for a memory in Wasm
2280         https://bugs.webkit.org/show_bug.cgi?id=172528
2281         <rdar://problem/32257076>
2282
2283         Reviewed by Mark Lam.
2284
2285         This patch fixes a bug where we would call into mmap with zero bytes
2286         when creating a slow WasmMemory with zero initial page size. This fix
2287         is simple: if we don't have any initial bytes, we just call the constructor
2288         in WasmMemory that's meant to handle this case.
2289
2290         * wasm/WasmMemory.cpp:
2291         (JSC::Wasm::Memory::create):
2292
2293 2017-05-23  Brian Burg  <bburg@apple.com>
2294
2295         REGRESSION(r217051): Automation sessions fail to complete bootstrap
2296         https://bugs.webkit.org/show_bug.cgi?id=172513
2297         <rdar://problem/32338354>
2298
2299         Reviewed by Joseph Pecoraro.
2300
2301         The changes to be more strict about typechecking messages were too strict.
2302
2303         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
2304         (Inspector::RemoteInspector::receivedSetupMessage):
2305         WIRAutomatically is an optional key in the setup message. In the relay, this key gets copied
2306         into an NSDictionary as NSNull if the key isn't present in a forwarded command.
2307         We need to revert NSNull values to nil, since it's valid to call [nil boolValue] but not
2308         [[NSNull null] boolValue]. We also need to allow for nil in the typecheck for this key.
2309
2310 2017-05-23  Myles C. Maxfield  <mmaxfield@apple.com>
2311
2312         Remove dead ENABLE(FONT_LOAD_EVENTS) code
2313         https://bugs.webkit.org/show_bug.cgi?id=172517
2314
2315         Rubber-stamped by Simon Fraser.
2316
2317         * Configurations/FeatureDefines.xcconfig:
2318
2319 2017-05-23  Saam Barati  <sbarati@apple.com>
2320
2321         CFGSimplificationPhase should not merge a block with itself
2322         https://bugs.webkit.org/show_bug.cgi?id=172508
2323         <rdar://problem/28424006>
2324
2325         Reviewed by Keith Miller.
2326
2327         CFGSimplificationPhase can run into or create IR that ends up with a
2328         block that has a Jump to itself, and no other predecessors. It should
        gracefully handle such IR. Before this patch, it would not. The only criterion
2330         for merging 'block' with 'targetBlock' used to be that 'targetBlock.predecessors.size() == 1'.
2331         The code is written in such a way that if we merge a block with itself, we
2332         will infinite loop until we run out of memory.
2333         
2334         Merging a block with itself does not make sense for a few reasons. First,
2335         we're joining the contents of two blocks. What is the definition of joining
2336         a block with itself? I suppose we could simply unroll this self loop
2337         one level, but that would not be wise because this self loop is by definition
2338         unreachable unless it's the root block in the graph (which I think is
2339         invalid IR since we'd never generate bytecode that would do this).
2340         
2341         This patch employs an easy fix: we can't merge a block with itself.
2342
2343         * dfg/DFGCFGSimplificationPhase.cpp:
2344         (JSC::DFG::CFGSimplificationPhase::canMergeBlocks):
2345         (JSC::DFG::CFGSimplificationPhase::run):
2346         (JSC::DFG::CFGSimplificationPhase::convertToJump):
2347         (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
2348
2349 2017-05-22  Brian Burg  <bburg@apple.com>
2350
2351         Web Inspector: webkit reload policy should match default behavior
2352         https://bugs.webkit.org/show_bug.cgi?id=171385
2353         <rdar://problem/31871515>
2354
2355         Reviewed by Joseph Pecoraro.
2356
2357         Add a new option to Page.reload that allows the test harness
2358         to reload its test page using the old reload behavior.
2359
2360         The new behavior of revalidating expired cached subresources only
2361         is the current default, since only the test harness needs the old behavior.
2362
2363         * inspector/protocol/Page.json:
2364
2365 2017-05-22  Keith Miller  <keith_miller@apple.com>
2366
2367         [Cocoa] An exported Objective C class’s prototype and constructor don't persist across JSContext deallocation
2368         https://bugs.webkit.org/show_bug.cgi?id=167708
2369
2370         Reviewed by Geoffrey Garen.
2371
2372         This patch moves the Objective C wrapper map to the global object. In order to make this work the JSWrapperMap
2373         class no longer holds a reference to the JSContext. Instead, the context must be provided when getting a wrapper.
2374
2375         Also, this patch fixes a "bug" where we would observe changes to the Object property on the global object when
2376         creating a wrapper for NSObject.
2377
2378         * API/APICast.h:
2379         (toJSGlobalObject):
2380         * API/JSContext.mm:
2381         (-[JSContext ensureWrapperMap]):
2382         (-[JSContext initWithVirtualMachine:]):
2383         (-[JSContext dealloc]):
2384         (-[JSContext wrapperMap]):
2385         (-[JSContext initWithGlobalContextRef:]):
2386         (-[JSContext wrapperForObjCObject:]):
2387         (-[JSContext wrapperForJSObject:]):
2388         * API/JSWrapperMap.h:
2389         * API/JSWrapperMap.mm:
2390         (-[JSObjCClassInfo initForClass:]):
2391         (-[JSObjCClassInfo allocateConstructorAndPrototypeInContext:]):
2392         (-[JSObjCClassInfo wrapperForObject:inContext:]):
2393         (-[JSObjCClassInfo constructorInContext:]):
2394         (-[JSObjCClassInfo prototypeInContext:]):
2395         (-[JSWrapperMap initWithGlobalContextRef:]):
2396         (-[JSWrapperMap classInfoForClass:]):
2397         (-[JSWrapperMap jsWrapperForObject:inContext:]):
2398         (-[JSWrapperMap objcWrapperForJSValueRef:inContext:]):
2399         (-[JSObjCClassInfo initWithContext:forClass:]): Deleted.
2400         (-[JSObjCClassInfo allocateConstructorAndPrototype]): Deleted.
2401         (-[JSObjCClassInfo wrapperForObject:]): Deleted.
2402         (-[JSObjCClassInfo constructor]): Deleted.
2403         (-[JSObjCClassInfo prototype]): Deleted.
2404         (-[JSWrapperMap initWithContext:]): Deleted.
2405         (-[JSWrapperMap jsWrapperForObject:]): Deleted.
2406         (-[JSWrapperMap objcWrapperForJSValueRef:]): Deleted.
2407         * API/tests/JSExportTests.mm:
2408         (wrapperLifetimeIsTiedToGlobalObject):
2409         (runJSExportTests):
2410         * API/tests/testapi.mm:
2411         * runtime/JSGlobalObject.h:
2412         (JSC::JSGlobalObject::wrapperMap):
2413         (JSC::JSGlobalObject::setWrapperMap):
2414
2415 2017-05-22  Filip Pizlo  <fpizlo@apple.com>
2416
2417         FTL stack overflow handling should not assume that B3 never selects callee-saves in the prologue
2418         https://bugs.webkit.org/show_bug.cgi?id=172455
2419
2420         Reviewed by Mark Lam.
2421         
2422         The FTL needs to run B3's callee-save register restoration before it runs the exception
2423         handler's callee-save register restoration.  This exposes B3's callee-save register
2424         algorithm in AssemblyHelpers so that the FTL can call it.
2425
2426         * b3/air/AirGenerate.cpp:
2427         (JSC::B3::Air::generate):
2428         * ftl/FTLLowerDFGToB3.cpp:
2429         (JSC::FTL::DFG::LowerDFGToB3::lower): Fix the bug.
2430         * heap/Subspace.cpp: Added some debugging support.
2431         (JSC::Subspace::allocate):
2432         (JSC::Subspace::tryAllocate):
2433         (JSC::Subspace::didAllocate):
2434         * heap/Subspace.h:
2435         * jit/AssemblyHelpers.h:
2436         (JSC::AssemblyHelpers::addressFor):
2437         (JSC::AssemblyHelpers::emitSave):
2438         (JSC::AssemblyHelpers::emitRestore):
2439
2440 2017-05-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2441
2442         [FTL] Support GetByVal with ArrayStorage and SlowPutArrayStorage
2443         https://bugs.webkit.org/show_bug.cgi?id=172216
2444
2445         Reviewed by Saam Barati.
2446
2447         This patch adds GetByVal support for ArrayStorage and SlowPutArrayStorage.
2448         To lower CheckInBounds in FTL, we add a new GetVectorLength op. It only accepts
2449         ArrayStorage and SlowPutArrayStorage, then it produces vector length.
2450         CheckInBounds uses this vector length to perform bound checking for ArrayStorage
2451         and SlowPutArrayStorage.
2452
2453         * dfg/DFGAbstractInterpreterInlines.h:
2454         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2455         * dfg/DFGArrayMode.cpp:
2456         (JSC::DFG::permitsBoundsCheckLowering):
2457         * dfg/DFGClobberize.h:
2458         (JSC::DFG::clobberize):
2459         * dfg/DFGDoesGC.cpp:
2460         (JSC::DFG::doesGC):
2461         * dfg/DFGFixupPhase.cpp:
2462         (JSC::DFG::FixupPhase::fixupNode):
2463         * dfg/DFGHeapLocation.cpp:
2464         (WTF::printInternal):
2465         * dfg/DFGHeapLocation.h:
2466         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
2467         * dfg/DFGNode.h:
2468         (JSC::DFG::Node::hasArrayMode):
2469         * dfg/DFGNodeType.h:
2470         * dfg/DFGPredictionPropagationPhase.cpp:
2471         * dfg/DFGSSALoweringPhase.cpp:
2472         (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
2473         * dfg/DFGSafeToExecute.h:
2474         (JSC::DFG::safeToExecute):
2475         * dfg/DFGSpeculativeJIT32_64.cpp:
2476         (JSC::DFG::SpeculativeJIT::compile):
2477         * dfg/DFGSpeculativeJIT64.cpp:
2478         (JSC::DFG::SpeculativeJIT::compile):
2479         * ftl/FTLAbstractHeapRepository.h:
2480         (JSC::FTL::AbstractHeapRepository::forIndexingType):
2481         (JSC::FTL::AbstractHeapRepository::forArrayType):
2482         * ftl/FTLCapabilities.cpp:
2483         (JSC::FTL::canCompile):
2484         * ftl/FTLLowerDFGToB3.cpp:
2485         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2486         (JSC::FTL::DFG::LowerDFGToB3::compileGetVectorLength):
2487         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2488         * jit/JITPropertyAccess.cpp:
2489         (JSC::JIT::emitArrayStoragePutByVal):
2490         * jit/JITPropertyAccess32_64.cpp:
2491         (JSC::JIT::emitArrayStorageLoad):
2492         (JSC::JIT::emitArrayStoragePutByVal):
2493
2494 2017-05-21  Saam Barati  <sbarati@apple.com>
2495
2496         We incorrectly throw a syntax error when declaring a top level for-loop iteration variable the same as a parameter
2497         https://bugs.webkit.org/show_bug.cgi?id=171041
2498         <rdar://problem/32082516>
2499
2500         Reviewed by Yusuke Suzuki.
2501
2502         We were treating a for-loop variable declaration potentially as a top
        level statement, e.g., in a program like this:
2504         ```
2505         function foo() {
2506             for (let variable of expr) { }
2507         }
2508         ```
2509         But we should not be. This had the consequence of making this type of program
2510         throw a syntax error:
2511         ```
2512         function foo(arg) {
2513             for (let arg of expr) { }
2514         }
2515         ```
        even though it should not. The fix is simple: we just need to increment the
2517         statement depth before parsing anything inside the for loop.
2518
2519         * parser/Parser.cpp:
2520         (JSC::Parser<LexerType>::parseForStatement):
2521
2522 2017-05-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2523
2524         [JSC] Make get_by_val & string "499" to number 499
2525         https://bugs.webkit.org/show_bug.cgi?id=172225
2526
2527         Reviewed by Saam Barati.
2528
2529         Property subscript will be converted by ToString. So JS code is not aware of
2530         the original type of the subscript value. But our get_by_val can leverage
        information if the given subscript is a number. Thus, passing a number instead of a
        string can improve the performance of get_by_val in all the tiers.
2533
2534         In this patch, we add BytecodeGenerator::emitNodeForProperty. It attempts to
2535         convert the given value to Int32 index constant if the given value is a string
2536         that can be converted to Int32.
2537
2538         This patch improves SixSpeed map-string.es5 by 9.8x. This accessing form can
2539         appear in some code like accessing the result of JSON.
2540
2541             map-string.es5     1640.6738+-110.9182   ^    167.4121+-23.8328       ^ definitely 9.8002x faster
2542
2543         * bytecompiler/BytecodeGenerator.h:
2544         (JSC::BytecodeGenerator::emitNodeForProperty):
2545         (JSC::BytecodeGenerator::emitNodeForLeftHandSideForProperty):
2546         * bytecompiler/NodesCodegen.cpp:
2547         (JSC::TaggedTemplateNode::emitBytecode):
2548         (JSC::BracketAccessorNode::emitBytecode):
2549         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByValDirect):
2550         (JSC::FunctionCallBracketNode::emitBytecode):
2551         (JSC::PostfixNode::emitBracket):
2552         (JSC::PrefixNode::emitBracket):
2553         (JSC::AssignBracketNode::emitBytecode):
2554         (JSC::ReadModifyBracketNode::emitBytecode):
2555         (JSC::ForInNode::emitLoopHeader):
2556         (JSC::ForOfNode::emitBytecode):
2557         (JSC::ObjectPatternNode::bindValue):
2558         (JSC::AssignmentElementNode::bindValue):
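
        As an added example (not JSC's own code) of the condition such a rewrite has to respect: a string subscript may be replaced by an Int32 constant only when it is exactly the canonical ToString of a non-negative Int32, since "0499", " 499", "1e3" or "-0" each name a different property than the number they parse to. The probe object, the key list and the Int32 limit used for the fast path are assumptions of the example.

```javascript
// Added example, not JSC's code: the check that must guard a string-to-Int32
// subscript rewrite, plus a probe showing why the rejected strings must stay strings.
const INT32_MAX = 0x7fffffff;

function stringToInt32IndexConstant(subscript) {
  if (typeof subscript !== 'string') return null;
  // Canonical decimal form only: "0" or digits without a leading zero. This
  // excludes signs, whitespace, exponents, fractions and leading zeros, all of
  // which ToString(Number(s)) would render differently from s.
  if (!/^(?:0|[1-9][0-9]*)$/.test(subscript)) return null;
  if (subscript.length > 10) return null;   // cannot fit in Int32 anyway
  const value = Number(subscript);
  if (value > INT32_MAX) return null;       // the get_by_val fast path is Int32 only
  return value;
}

// Probe whether o[key] and o[Number(key)] name the same property. The object is
// constructed so that the two lookups agree only if they hit the same slot: the
// second write overwrites the first exactly when the keys coincide.
function lookupsAgree(key) {
  const o = {};
  o[key] = 'via string';
  o[Number(key)] = 'via number';
  return o[key] === o[Number(key)];
}

// Audit a list of subscripts: which ones the rewrite accepts, and any accepted
// subscript for which the rewrite would change program behaviour (must be none).
function auditSubscripts(keys) {
  const accepted = [];
  const unsound = [];
  for (const key of keys) {
    const index = stringToInt32IndexConstant(key);
    if (index === null) continue;
    accepted.push(key);
    if (!lookupsAgree(key) || index !== Number(key)) unsound.push(key);
  }
  return { accepted, unsound };
}

// Constructed sample: the canonical "499" from the ChangeLog plus the look-alikes
// that must not be rewritten, and the Int32 boundary.
const SAMPLE_KEYS = ['499', '0', '0499', '-0', ' 499', '1e3', '4.0', 'abc', '',
  '2147483647', '2147483648', '12345678901'];
```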
2559
2560 2017-05-21  Saam Barati  <sbarati@apple.com>
2561
2562         We overwrite the callee save space on the stack when throwing stack overflow from wasm
2563         https://bugs.webkit.org/show_bug.cgi?id=172316
2564
2565         Reviewed by Mark Lam.
2566
2567         When throwing a stack overflow exception, the overflow
2568         thunk would do the following:
2569           move fp, sp
2570           populate argument registers
2571           call C code
2572         
2573         However, the C function is allowed to clobber our spilled
2574         callee saves that live below fp. The reason I did this move is that
2575         when we jump to this code, we've proven that sp is out of bounds on
2576         the stack. So we're not allowed to just use its value or keep growing
2577         the stack from that point. However, this patch revises this approach
2578         to be the same in spirit, but actually correct. We conservatively assume
2579         the B3 function we're coming from could have saved all callee saves.
2580         So we emit code like this now:
2581           add -maxNumCalleeSaveSpace, fp, sp
2582           populate argument registers
2583           call C code
2584         
2585         This ensures our callee saves will not be overwritten. Note
2586         that fp is still in a valid stack range here, since the thing
2587         calling the wasm code did a stack check. Also note that maxNumCalleeSaveSpace
2588         is less than our redzone size, so it's safe to decrement sp by 
2589         this amount.
2590         
        The previously added wasm stack overflow test is an instant crash
2592         without this change on arm64. It also appears that this test crashed
2593         on some other x86 devices.
2594
2595         * wasm/WasmThunks.cpp:
2596         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
2597
2598 2017-05-20  Chris Dumez  <cdumez@apple.com>
2599
2600         Drop [NoInterfaceObject] from RTCDTMFSender and RTCStatsReport
2601         https://bugs.webkit.org/show_bug.cgi?id=172418
2602
2603         Reviewed by Youenn Fablet.
2604
2605         Add CommonIdentifiers that are now needed.
2606
2607         * runtime/CommonIdentifiers.h:
2608
2609 2017-05-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2610
2611         Unreviewed, add scope.release() to propertyIsEnumerable functions.
2612         https://bugs.webkit.org/show_bug.cgi?id=172411
2613
2614         * runtime/JSGlobalObjectFunctions.cpp:
2615         (JSC::globalFuncPropertyIsEnumerable):
2616         * runtime/ObjectPrototype.cpp:
2617         (JSC::objectProtoFuncPropertyIsEnumerable):
2618
2619 2017-05-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2620
2621         [JSC] Drop MapBase
2622         https://bugs.webkit.org/show_bug.cgi?id=172417
2623
2624         Reviewed by Sam Weinig.
2625
2626         MapBase is a purely additional indirection. JSMap and JSSet can directly inherit HashMapImpl.
2627         Thus MapBase is unnecessary. This patch drops it.
        It is good because we can eliminate one indirection when accessing the map implementation.
2629         Moreover, we can drop one unnecessary allocation per Map and Set.
2630
2631         * CMakeLists.txt:
2632         * JavaScriptCore.xcodeproj/project.pbxproj:
2633         * dfg/DFGSpeculativeJIT64.cpp:
2634         (JSC::DFG::SpeculativeJIT::compile):
2635         * ftl/FTLAbstractHeapRepository.h:
2636         * ftl/FTLLowerDFGToB3.cpp:
2637         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
2638         * runtime/HashMapImpl.cpp:
2639         (JSC::HashMapImpl<HashMapBucket>::estimatedSize):
2640         (JSC::getHashMapImplKeyClassInfo): Deleted.
2641         (JSC::getHashMapImplKeyValueClassInfo): Deleted.
2642         * runtime/HashMapImpl.h:
2643         (JSC::HashMapImpl::finishCreation):
2644         (JSC::HashMapImpl::get):
2645         (JSC::HashMapImpl::info): Deleted.
2646         (JSC::HashMapImpl::createStructure): Deleted.
2647         (JSC::HashMapImpl::create): Deleted.
2648         * runtime/JSMap.h:
2649         (JSC::JSMap::set):
2650         (JSC::JSMap::get): Deleted.
2651         * runtime/JSMapIterator.cpp:
2652         (JSC::JSMapIterator::finishCreation):
2653         * runtime/JSSet.h:
2654         (JSC::JSSet::add): Deleted.
2655         * runtime/JSSetIterator.cpp:
2656         (JSC::JSSetIterator::finishCreation):
2657         * runtime/MapBase.cpp: Removed.
2658         * runtime/MapBase.h: Removed.
2659         * runtime/MapPrototype.cpp:
2660         (JSC::mapProtoFuncSize):
2661         * runtime/SetConstructor.cpp:
2662         (JSC::constructSet):
2663         * runtime/SetPrototype.cpp:
2664         (JSC::setProtoFuncSize):
2665         * runtime/VM.cpp:
2666         (JSC::VM::VM):
2667
2668 2017-05-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2669
2670         [JSC] Speedup Object.assign for slow case by using propertyIsEnumerable
2671         https://bugs.webkit.org/show_bug.cgi?id=172411
2672
2673         Reviewed by Sam Weinig.
2674
2675         We use @Reflect.@getOwnPropertyDescriptor() to check
2676
2677         1. the descriptor exists,
        2. and the descriptor.enumerable is true
2679
2680         But Object::propertyIsEnumerable does the completely same thing without
2681         allocating a new object for property descriptor.
2682
2683         In this patch, we add a new private function @propertyIsEnumerable, and
2684         use it in Object.assign implementation. It does not allocate unnecessary
2685         objects. It is good for GC-pressure and performance.
2686
2687         This patch improves SixSpeed object-assign.es6 by 1.7x. While this patch
2688         does not introduce a fast path for objects that do not have accessors,
2689         and it could speed up things further, this patch can speed up the common
        slow path cases that are the current implementation of Object.assign.
2691
2692             object-assign.es6     1103.2487+-21.5602    ^    621.8478+-34.9875       ^ definitely 1.7741x faster
2693
2694         * builtins/BuiltinNames.h:
2695         * builtins/ObjectConstructor.js:
2696         (globalPrivate.enumerableOwnProperties):
2697         (assign):
2698         * runtime/JSGlobalObject.cpp:
2699         (JSC::JSGlobalObject::init):
2700         * runtime/JSGlobalObjectFunctions.cpp:
2701         (JSC::globalFuncPropertyIsEnumerable):
2702         * runtime/JSGlobalObjectFunctions.h:
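
        As an added example (not JSC's builtin), the two ways of filtering own enumerable keys that this entry contrasts, written as plain JS: one allocates a descriptor per key through getOwnPropertyDescriptor, the other asks propertyIsEnumerable and allocates nothing. The allocation counter, the constructed source object with a hidden property, a symbol key and an accessor, and the comparison helper are all assumptions of the example.

```javascript
// Added example, not JSC's ObjectConstructor.js: Object.assign's key filter done
// with a descriptor per key versus with propertyIsEnumerable. Both copy through
// ordinary [[Get]], so accessors on the source are invoked and their values land
// on the target as data properties.
const getOwnPropertyDescriptor = Object.getOwnPropertyDescriptor;
// Equivalent of the uncurried @propertyIsEnumerable: (object, key) -> boolean
const propertyIsEnumerable = Function.prototype.call.bind(Object.prototype.propertyIsEnumerable);

function ownKeys(from) {
  return [...Object.getOwnPropertyNames(from), ...Object.getOwnPropertySymbols(from)];
}

function toObjectTarget(target) {
  if (target === null || target === undefined) {
    throw new TypeError('Object.assign requires that input parameter not be null or undefined');
  }
  return Object(target);
}

let descriptorAllocations = 0;   // descriptor objects the slow variant creates

function assignWithDescriptor(target, ...sources) {
  const to = toObjectTarget(target);
  for (const source of sources) {
    if (source === null || source === undefined) continue;
    const from = Object(source);
    for (const key of ownKeys(from)) {
      const desc = getOwnPropertyDescriptor(from, key);   // fresh object per key
      if (desc === undefined) continue;
      descriptorAllocations += 1;
      if (desc.enumerable) to[key] = from[key];
    }
  }
  return to;
}

function assignWithPropertyIsEnumerable(target, ...sources) {
  const to = toObjectTarget(target);
  for (const source of sources) {
    if (source === null || source === undefined) continue;
    const from = Object(source);
    for (const key of ownKeys(from)) {
      if (propertyIsEnumerable(from, key)) to[key] = from[key];   // no allocation
    }
  }
  return to;
}

// Constructed source: a data property, a symbol key, an accessor whose getter
// counts its invocations, and a non-enumerable property that must not be copied.
const tag = Symbol('tag');
function makeSource() {
  let getterCalls = 0;
  const source = {
    a: 1,
    [tag]: 'sym',
    get computed() { getterCalls += 1; return 'computed:' + getterCalls; },
  };
  Object.defineProperty(source, 'hidden', { value: 'secret', enumerable: false });
  return { source, getterCalls: () => getterCalls };
}

// Run both variants on equivalent sources and report how they compare.
function compareVariants() {
  const s1 = makeSource();
  const s2 = makeSource();
  descriptorAllocations = 0;
  const a = assignWithDescriptor({}, s1.source);
  const allocations = descriptorAllocations;
  const b = assignWithPropertyIsEnumerable({}, s2.source);
  return {
    sameResult: JSON.stringify(Object.entries(a)) === JSON.stringify(Object.entries(b))
      && a[tag] === b[tag],
    hiddenCopied: ('hidden' in a) || ('hidden' in b),
    getterInvokedOnce: s1.getterCalls() === 1 && s2.getterCalls() === 1,
    copiedAsValue: getOwnPropertyDescriptor(b, 'computed').get === undefined,
    descriptorAllocations: allocations,
  };
}
```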
2703
2704 2017-05-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2705
2706         [JSC] Enable testapi on Mac CMake build
2707         https://bugs.webkit.org/show_bug.cgi?id=172354
2708
2709         Reviewed by Alex Christensen.
2710
2711         This patch makes testapi buildable and runnable for Mac CMake port.
2712
2713         * API/tests/DateTests.mm:
2714         (+[DateTests JSDateToNSDateTest]):
2715         (+[DateTests roundTripThroughJSDateTest]):
2716         This test only works with the en_US locale.
2717
2718         * shell/CMakeLists.txt:
2719         * shell/PlatformMac.cmake:
        Some of the tests rely on ARC. We enable ARC for those files.
2721
2722         * shell/PlatformWin.cmake:
2723         Clean up.
2724
2725 2017-05-19  Mark Lam  <mark.lam@apple.com>
2726
2727         [Re-landing] DFG::SpeculativeJIT::pickCanTrample() is wrongly ignoring result registers.
2728         https://bugs.webkit.org/show_bug.cgi?id=172383
2729         <rdar://problem/31418651>
2730
2731         Reviewed by Filip Pizlo.
2732
2733         pickCanTrample() is wrongly assuming that one of regT0 and regT1 is always
2734         available as a scratch register.  This assumption is wrong if this canTrample
2735         register is used for a silentFill() after an operation that returns a result in
2736         regT0 or regT1.
2737
2738         Turns out the only reason we need the canTrample register is for
2739         SetDoubleConstant.  We can remove the need for this canTrample register by
2740         introducing a moveDouble() pseudo instruction in the MacroAssembler to do the
2741         job using the scratchRegister() on X86_64 or the dataMemoryTempRegister() on
2742         ARM64.  In so doing, we can simplify the silentFill() code and eliminate the bug.
2743
2744         Update for re-landing: Changed ARM64 to use scratchRegister() as well.
2745         scratchRegister() is the proper way to get the underlying dataMemoryTempRegister()
2746         as a scratch register.
2747
2748         * assembler/MacroAssembler.h:
2749         (JSC::MacroAssembler::moveDouble):
2750         * dfg/DFGArrayifySlowPathGenerator.h:
2751         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
2752         (JSC::DFG::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator):
2753         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
2754         * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
2755         * dfg/DFGSlowPathGenerator.h:
2756         (JSC::DFG::CallSlowPathGenerator::tearDown):
2757         * dfg/DFGSpeculativeJIT.cpp:
2758         (JSC::DFG::SpeculativeJIT::silentFill):
2759         (JSC::DFG::SpeculativeJIT::compileToLowerCase):
2760         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
2761         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
2762         (JSC::DFG::SpeculativeJIT::emitUntypedBitOp):
2763         (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp):
2764         (JSC::DFG::SpeculativeJIT::compileArithDiv):
2765         (JSC::DFG::SpeculativeJIT::compileArraySlice):
2766         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
2767         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
2768         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
2769         * dfg/DFGSpeculativeJIT.h:
2770         (JSC::DFG::SpeculativeJIT::silentFill):
2771         (JSC::DFG::SpeculativeJIT::silentSpillAllRegisters):
2772         (JSC::DFG::SpeculativeJIT::silentFillAllRegisters):
2773         (JSC::DFG::SpeculativeJIT::pickCanTrample): Deleted.
2774         * dfg/DFGSpeculativeJIT32_64.cpp:
2775         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
2776         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
2777         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
2778         (JSC::DFG::SpeculativeJIT::emitCall):
2779         (JSC::DFG::SpeculativeJIT::compile):
2780         * dfg/DFGSpeculativeJIT64.cpp:
2781         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
2782         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
2783         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
2784         (JSC::DFG::SpeculativeJIT::emitCall):
2785         (JSC::DFG::SpeculativeJIT::compile):
2786         (JSC::DFG::SpeculativeJIT::convertAnyInt):
2787
2788 2017-05-19  Ryan Haddad  <ryanhaddad@apple.com>
2789
2790         Unreviewed, rolling out r217156.
2791
2792         This change broke the iOS build.
2793
2794         Reverted changeset:
2795
2796         "DFG::SpeculativeJIT::pickCanTrample() is wrongly ignoring
2797         result registers."
2798         https://bugs.webkit.org/show_bug.cgi?id=172383
2799         http://trac.webkit.org/changeset/217156
2800
2801 2017-05-19  Mark Lam  <mark.lam@apple.com>
2802
2803         Add missing exception check.
2804         https://bugs.webkit.org/show_bug.cgi?id=172346
2805         <rdar://problem/32289640>
2806
2807         Reviewed by Geoffrey Garen.
2808
2809         * runtime/JSObject.cpp:
2810         (JSC::JSObject::hasInstance):
2811
2812 2017-05-19  Mark Lam  <mark.lam@apple.com>
2813
2814         DFG::SpeculativeJIT::pickCanTrample() is wrongly ignoring result registers.
2815         https://bugs.webkit.org/show_bug.cgi?id=172383
2816         <rdar://problem/31418651>
2817
2818         Reviewed by Filip Pizlo.
2819
2820         pickCanTrample() is wrongly assuming that one of regT0 and regT1 is always
2821         available as a scratch register.  This assumption is wrong if this canTrample
2822         register is used for a silentFill() after an operation that returns a result in
2823         regT0 or regT1.
2824
2825         Turns out the only reason we need the canTrample register is for
2826         SetDoubleConstant.  We can remove the need for this canTrample register by
2827         introducing a moveDouble() pseudo instruction in the MacroAssembler to do the
2828         job using the scratchRegister() on X86_64 or the dataMemoryTempRegister() on
2829         ARM64.  In so doing, we can simplify the silentFill() code and eliminate the bug.
2830
2831         * assembler/MacroAssembler.h:
2832         (JSC::MacroAssembler::moveDouble):
2833         * dfg/DFGArrayifySlowPathGenerator.h:
2834         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
2835         (JSC::DFG::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator):
2836         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
2837         * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
2838         * dfg/DFGSlowPathGenerator.h:
2839         (JSC::DFG::CallSlowPathGenerator::tearDown):
2840         * dfg/DFGSpeculativeJIT.cpp:
2841         (JSC::DFG::SpeculativeJIT::silentFill):
2842         (JSC::DFG::SpeculativeJIT::compileToLowerCase):
2843         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
2844         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
2845         (JSC::DFG::SpeculativeJIT::emitUntypedBitOp):
2846         (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp):
2847         (JSC::DFG::SpeculativeJIT::compileArithDiv):
2848         (JSC::DFG::SpeculativeJIT::compileArraySlice):
2849         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
2850         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
2851         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
2852         * dfg/DFGSpeculativeJIT.h:
2853         (JSC::DFG::SpeculativeJIT::silentFill):
2854         (JSC::DFG::SpeculativeJIT::silentSpillAllRegisters):
2855         (JSC::DFG::SpeculativeJIT::silentFillAllRegisters):
2856         (JSC::DFG::SpeculativeJIT::pickCanTrample): Deleted.
2857         * dfg/DFGSpeculativeJIT32_64.cpp:
2858         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
2859         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
2860         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
2861         (JSC::DFG::SpeculativeJIT::emitCall):
2862         (JSC::DFG::SpeculativeJIT::compile):
2863         * dfg/DFGSpeculativeJIT64.cpp:
2864         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
2865         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
2866         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
2867         (JSC::DFG::SpeculativeJIT::emitCall):
2868         (JSC::DFG::SpeculativeJIT::compile):
2869         (JSC::DFG::SpeculativeJIT::convertAnyInt):
2870
2871 2017-05-19  Filip Pizlo  <fpizlo@apple.com>
2872
2873         Deduplicate some code in arrayProtoPrivateFuncConcatMemcpy
2874         https://bugs.webkit.org/show_bug.cgi?id=172382
2875
2876         Reviewed by Saam Barati.
2877         
2878         This is just a small clean-up - my last patch here created some unnecessary code duplication.
2879
2880         * runtime/ArrayPrototype.cpp:
2881         (JSC::arrayProtoPrivateFuncConcatMemcpy):
2882
2883 2017-05-19  Filip Pizlo  <fpizlo@apple.com>
2884
2885         arrayProtoPrivateFuncConcatMemcpy needs to be down with firstArray being undecided
2886         https://bugs.webkit.org/show_bug.cgi?id=172369
2887
2888         Reviewed by Mark Lam.
2889
2890         * heap/Subspace.cpp: Reshaped the code a bit to aid debugging.
2891         (JSC::Subspace::allocate):
2892         (JSC::Subspace::tryAllocate):
2893         * runtime/ArrayPrototype.cpp:
2894         (JSC::arrayProtoPrivateFuncConcatMemcpy): Fix the bug!
2895         * runtime/ObjectInitializationScope.cpp: Provide even better feedback.
2896         (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
2897
2898 2017-05-18  Filip Pizlo  <fpizlo@apple.com>
2899
2900         B3::Value::effects() says that having a fence range implies the fence bit, but on x86_64 we lower loadAcq/storeRel to load/store so the store-before-load fence bit orderings won't be honored
2901         https://bugs.webkit.org/show_bug.cgi?id=172306
2902
2903         Reviewed by Michael Saboff.
2904         
2905         This changes B3 to emit xchg and its variants for fenced stores on x86. This ensures that
2906         fenced stores cannot be reordered around other fenced instructions. Previously, B3 emitted
2907         normal store instructions for fenced stores. That's wrong because then you get reorderings
2908         that are possible in TSO but impossible in SC. Fenced instructions are supposed to be SC
2909         with respect for each other.
2910         
2911         This is imprecise. If you really just wanted a store-release, then every X86 store does this.
2912         But, in B3, fenced stores are ARM-style store-release, meaning that they are fenced with
2913         respect to all other fences. If we ever did want to say that something is a store release in
2914         the traditional sense, then we'd want MemoryValue to have a fence flag. Then, having a fence
2915         range without the fence flag would mean the traditional store-release, which lowers to a
2916         normal store on x86. But to my knowledge, that traditional store-release is only useful for
2917         unlocking spinlocks. We don't use spinlocks in JSC. Adaptive locks require CAS for unlock,
2918         and B3 CAS is plenty fast. I think it's OK to have this small imprecision of giving clients
2919         an ARM-style store-release on x86 using xchg.
2920         
2921         The implication of this change is that the FTL no longer violates the SAB memory model.
2922
2923         * assembler/MacroAssemblerX86Common.h:
2924         (JSC::MacroAssemblerX86Common::xchg8):
2925         (JSC::MacroAssemblerX86Common::xchg16):
2926         (JSC::MacroAssemblerX86Common::xchg32):
2927         (JSC::MacroAssemblerX86Common::loadAcq8): Deleted.
2928         (JSC::MacroAssemblerX86Common::loadAcq8SignedExtendTo32): Deleted.
2929         (JSC::MacroAssemblerX86Common::loadAcq16): Deleted.
2930         (JSC::MacroAssemblerX86Common::loadAcq16SignedExtendTo32): Deleted.
2931         (JSC::MacroAssemblerX86Common::loadAcq32): Deleted.
2932         (JSC::MacroAssemblerX86Common::storeRel8): Deleted.
2933         (JSC::MacroAssemblerX86Common::storeRel16): Deleted.
2934         (JSC::MacroAssemblerX86Common::storeRel32): Deleted.
2935         * assembler/MacroAssemblerX86_64.h:
2936         (JSC::MacroAssemblerX86_64::xchg64):
2937         (JSC::MacroAssemblerX86_64::loadAcq64): Deleted.
2938         (JSC::MacroAssemblerX86_64::storeRel64): Deleted.
2939         * b3/B3LowerToAir.cpp:
2940         (JSC::B3::Air::LowerToAir::ArgPromise::inst):
2941         (JSC::B3::Air::LowerToAir::trappingInst):
2942         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp):
2943         (JSC::B3::Air::LowerToAir::createStore):
2944         (JSC::B3::Air::LowerToAir::storeOpcode):
2945         (JSC::B3::Air::LowerToAir::appendStore):
2946         (JSC::B3::Air::LowerToAir::append):
2947         (JSC::B3::Air::LowerToAir::appendTrapping):
2948         (JSC::B3::Air::LowerToAir::fillStackmap):
2949         (JSC::B3::Air::LowerToAir::lower):
2950         * b3/air/AirKind.cpp:
2951         (JSC::B3::Air::Kind::dump):
2952         * b3/air/AirKind.h:
2953         (JSC::B3::Air::Kind::Kind):
2954         (JSC::B3::Air::Kind::operator==):
2955         (JSC::B3::Air::Kind::hash):
2956         * b3/air/AirLowerAfterRegAlloc.cpp:
2957         (JSC::B3::Air::lowerAfterRegAlloc):
2958         * b3/air/AirLowerMacros.cpp:
2959         (JSC::B3::Air::lowerMacros):
2960         * b3/air/AirOpcode.opcodes:
2961         * b3/air/AirValidate.cpp:
2962         * b3/air/opcode_generator.rb:
2963         * b3/testb3.cpp:
2964         (JSC::B3::correctSqrt):
2965         (JSC::B3::testSqrtArg):
2966         (JSC::B3::testSqrtImm):
2967         (JSC::B3::testSqrtMem):
2968         (JSC::B3::testSqrtArgWithUselessDoubleConversion):
2969         (JSC::B3::testSqrtArgWithEffectfulDoubleConversion):
2970         (JSC::B3::testStoreRelAddLoadAcq32):
2971         (JSC::B3::testTrappingLoad):
2972         (JSC::B3::testTrappingStore):
2973         (JSC::B3::testTrappingLoadAddStore):
2974         (JSC::B3::testTrappingLoadDCE):
2975
2976 2017-05-19  Don Olmstead  <don.olmstead@am.sony.com>
2977
2978         [JSC] Remove PLATFORM(WIN) references
2979         https://bugs.webkit.org/show_bug.cgi?id=172294
2980
2981         Reviewed by Yusuke Suzuki.
2982
2983         * heap/MachineStackMarker.cpp:
2984         (JSC::MachineThreads::removeThread):
2985         * llint/LLIntOfflineAsmConfig.h:
2986         * runtime/ConfigFile.h:
2987         * runtime/VM.cpp:
2988         (JSC::VM::updateStackLimits):
2989
2990 2017-05-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2991
2992         [JSC][DFG][DOMJIT] Extend CheckDOM to CheckSubClass
2993         https://bugs.webkit.org/show_bug.cgi?id=172098
2994
2995         Reviewed by Saam Barati.
2996
2997         In this patch, we generalize CheckDOM to CheckSubClass.
2998         It can accept any ClassInfo and perform ClassInfo check
2999         in DFG / FTL. Now, we add a new function pointer to ClassInfo,
3000         checkSubClassPatchpoint. It can create DOMJIT patchpoint
3001         for that ClassInfo. It is natural that ClassInfo holds the
3002         way to emit DOMJIT::Patchpoint to perform CheckSubClass
3003         rather than having it in each DOMJIT getter / function
3004         signature annotation.
3005
3006         One problem is that it enlarges the size of ClassInfo.
3007         But this is the best place to put this function pointer.
3008         By doing so, we can add a patchpoint for CheckSubClass
3009         in a non-intrusive manner: WebCore can inject patchpoints
3010         without interacting with JSC.
3011
3012         We still have a way to reduce the size of ClassInfo if
3013         we move ArrayBuffer related methods out to the other places.
3014
3015         This patch touches many files because we add a new function
3016         pointer to ClassInfo. But they are basically mechanical change.
3017
3018         * API/JSAPIWrapperObject.mm:
3019         * API/JSCallbackConstructor.cpp:
3020         * API/JSCallbackFunction.cpp:
3021         * API/JSCallbackObject.cpp:
3022         * API/ObjCCallbackFunction.mm:
3023         * CMakeLists.txt:
3024         * JavaScriptCore.xcodeproj/project.pbxproj:
3025         * bytecode/CodeBlock.cpp:
3026         * bytecode/DOMJITAccessCasePatchpointParams.h:
3027         (JSC::DOMJITAccessCasePatchpointParams::DOMJITAccessCasePatchpointParams):
3028         * bytecode/EvalCodeBlock.cpp:
3029         * bytecode/FunctionCodeBlock.cpp:
3030         * bytecode/GetterSetterAccessCase.cpp:
3031         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
3032         * bytecode/ModuleProgramCodeBlock.cpp:
3033         * bytecode/ProgramCodeBlock.cpp:
3034         * bytecode/UnlinkedCodeBlock.cpp:
3035         * bytecode/UnlinkedEvalCodeBlock.cpp:
3036         * bytecode/UnlinkedFunctionCodeBlock.cpp:
3037         * bytecode/UnlinkedFunctionExecutable.cpp:
3038         * bytecode/UnlinkedModuleProgramCodeBlock.cpp:
3039         * bytecode/UnlinkedProgramCodeBlock.cpp:
3040         * debugger/DebuggerScope.cpp:
3041         * dfg/DFGAbstractInterpreterInlines.h:
3042         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3043         * dfg/DFGByteCodeParser.cpp:
3044         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
3045         * dfg/DFGClobberize.h:
3046         (JSC::DFG::clobberize):
3047         * dfg/DFGConstantFoldingPhase.cpp:
3048         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3049         * dfg/DFGDOMJITPatchpointParams.h:
3050         (JSC::DFG::DOMJITPatchpointParams::DOMJITPatchpointParams):
3051         * dfg/DFGDoesGC.cpp:
3052         (JSC::DFG::doesGC):
3053         * dfg/DFGFixupPhase.cpp:
3054         (JSC::DFG::FixupPhase::fixupNode):
3055         (JSC::DFG::FixupPhase::attemptToMakeCallDOM):
3056         (JSC::DFG::FixupPhase::fixupCheckSubClass):
3057         (JSC::DFG::FixupPhase::fixupCheckDOM): Deleted.
3058         * dfg/DFGGraph.cpp:
3059         (JSC::DFG::Graph::dump):
3060         * dfg/DFGNode.h:
3061         (JSC::DFG::Node::hasClassInfo):
3062         (JSC::DFG::Node::classInfo):
3063         (JSC::DFG::Node::hasCheckDOMPatchpoint): Deleted.
3064         (JSC::DFG::Node::checkDOMPatchpoint): Deleted.
3065         * dfg/DFGNodeType.h:
3066         * dfg/DFGPredictionPropagationPhase.cpp:
3067         * dfg/DFGSafeToExecute.h:
3068         (JSC::DFG::safeToExecute):
3069         * dfg/DFGSpeculativeJIT.cpp:
3070         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
3071         (JSC::DFG::SpeculativeJIT::compileCheckDOM): Deleted.
3072         * dfg/DFGSpeculativeJIT.h:
3073         (JSC::DFG::SpeculativeJIT::vm):
3074         * dfg/DFGSpeculativeJIT32_64.cpp:
3075         (JSC::DFG::SpeculativeJIT::compile):
3076         * dfg/DFGSpeculativeJIT64.cpp:
3077         (JSC::DFG::SpeculativeJIT::compile):
3078         * domjit/DOMJITGetterSetter.h:
3079         * domjit/DOMJITPatchpointParams.h:
3080         (JSC::DOMJIT::PatchpointParams::PatchpointParams):
3081         (JSC::DOMJIT::PatchpointParams::vm):
3082         * domjit/DOMJITSignature.h:
3083         (JSC::DOMJIT::Signature::Signature):
3084         (JSC::DOMJIT::Signature::checkDOM): Deleted.
3085         * ftl/FTLAbstractHeapRepository.h:
3086         * ftl/FTLCapabilities.cpp:
3087         (JSC::FTL::canCompile):
3088         * ftl/FTLDOMJITPatchpointParams.h:
3089         (JSC::FTL::DOMJITPatchpointParams::DOMJITPatchpointParams):
3090         * ftl/FTLLowerDFGToB3.cpp:
3091         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3092         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
3093         (JSC::FTL::DFG::LowerDFGToB3::compileCheckDOM): Deleted.
3094         * inspector/JSInjectedScriptHost.cpp:
3095         * inspector/JSInjectedScriptHostPrototype.cpp:
3096         * inspector/JSJavaScriptCallFrame.cpp:
3097         * inspector/JSJavaScriptCallFramePrototype.cpp:
3098         * jsc.cpp:
3099         (WTF::DOMJITNode::checkSubClassPatchpoint):
3100         (WTF::DOMJITFunctionObject::checkSubClassPatchpoint):
3101         (WTF::DOMJITFunctionObject::finishCreation):
3102         (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
3103         (WTF::DOMJITCheckSubClassObject::createStructure):
3104         (WTF::DOMJITCheckSubClassObject::create):
3105         (WTF::DOMJITCheckSubClassObject::safeFunction):
3106         (WTF::DOMJITCheckSubClassObject::unsafeFunction):
3107         (WTF::DOMJITCheckSubClassObject::finishCreation):
3108         (GlobalObject::finishCreation):
3109         (functionCreateDOMJITCheckSubClassObject):
3110         (WTF::DOMJITNode::checkDOMJITNode): Deleted.
3111         (WTF::DOMJITFunctionObject::checkDOMJITNode): Deleted.
3112         * runtime/AbstractModuleRecord.cpp:
3113         * runtime/ArrayBufferNeuteringWatchpoint.cpp:
3114         * runtime/ArrayConstructor.cpp:
3115         * runtime/ArrayIteratorPrototype.cpp:
3116         * runtime/ArrayPrototype.cpp:
3117         * runtime/AsyncFunctionConstructor.cpp:
3118         * runtime/AsyncFunctionPrototype.cpp:
3119         * runtime/AtomicsObject.cpp:
3120         * runtime/BooleanConstructor.cpp:
3121         * runtime/BooleanObject.cpp:
3122         * runtime/BooleanPrototype.cpp:
3123         * runtime/ClassInfo.cpp: Copied from Source/JavaScriptCore/tools/JSDollarVM.cpp.
3124         (JSC::ClassInfo::dump):
3125         * runtime/ClassInfo.h:
3126         (JSC::ClassInfo::offsetOfParentClass):
3127         * runtime/ClonedArguments.cpp:
3128         * runtime/ConsoleObject.cpp:
3129         * runtime/CustomGetterSetter.cpp:
3130         * runtime/DateConstructor.cpp:
3131         * runtime/DateInstance.cpp:
3132         * runtime/DatePrototype.cpp:
3133         * runtime/DirectArguments.cpp:
3134         * runtime/Error.cpp:
3135         * runtime/ErrorConstructor.cpp:
3136         * runtime/ErrorInstance.cpp:
3137         * runtime/ErrorPrototype.cpp:
3138         * runtime/EvalExecutable.cpp:
3139         * runtime/Exception.cpp:
3140         * runtime/ExceptionHelpers.cpp:
3141         * runtime/ExecutableBase.cpp:
3142         * runtime/FunctionConstructor.cpp:
3143         * runtime/FunctionExecutable.cpp:
3144         * runtime/FunctionPrototype.cpp:
3145         * runtime/FunctionRareData.cpp:
3146         * runtime/GeneratorFunctionConstructor.cpp:
3147         * runtime/GeneratorFunctionPrototype.cpp:
3148         * runtime/GeneratorPrototype.cpp:
3149         * runtime/GetterSetter.cpp:
3150         * runtime/HashMapImpl.cpp:
3151         * runtime/HashMapImpl.h:
3152         * runtime/InferredType.cpp:
3153         (JSC::InferredType::create):
3154         * runtime/InferredTypeTable.cpp:
3155         * runtime/InferredValue.cpp:
3156         * runtime/InspectorInstrumentationObject.cpp:
3157         * runtime/InternalFunction.cpp:
3158         * runtime/IntlCollator.cpp:
3159         * runtime/IntlCollatorConstructor.cpp:
3160         * runtime/IntlCollatorPrototype.cpp:
3161         * runtime/IntlDateTimeFormat.cpp:
3162         * runtime/IntlDateTimeFormatConstructor.cpp:
3163         * runtime/IntlDateTimeFormatPrototype.cpp:
3164         * runtime/IntlNumberFormat.cpp:
3165         * runtime/IntlNumberFormatConstructor.cpp:
3166         * runtime/IntlNumberFormatPrototype.cpp:
3167         * runtime/IntlObject.cpp:
3168         * runtime/IteratorPrototype.cpp:
3169         * runtime/JSAPIValueWrapper.cpp:
3170         * runtime/JSArray.cpp:
3171         * runtime/JSArrayBuffer.cpp:
3172         * runtime/JSArrayBufferConstructor.cpp:
3173         * runtime/JSArrayBufferPrototype.cpp:
3174         * runtime/JSArrayBufferView.cpp:
3175         * runtime/JSAsyncFunction.cpp:
3176         * runtime/JSBoundFunction.cpp:
3177         * runtime/JSCallee.cpp:
3178         * runtime/JSCustomGetterSetterFunction.cpp:
3179         * runtime/JSDataView.cpp:
3180         * runtime/JSDataViewPrototype.cpp:
3181         * runtime/JSEnvironmentRecord.cpp:
3182         * runtime/JSFixedArray.cpp:
3183         * runtime/JSFunction.cpp:
3184         * runtime/JSGeneratorFunction.cpp:
3185         * runtime/JSGlobalLexicalEnvironment.cpp:
3186         * runtime/JSGlobalObject.cpp:
3187         * runtime/JSInternalPromise.cpp:
3188         * runtime/JSInternalPromiseConstructor.cpp:
3189         * runtime/JSInternalPromiseDeferred.cpp:
3190         * runtime/JSInternalPromisePrototype.cpp:
3191         * runtime/JSLexicalEnvironment.cpp:
3192         * runtime/JSMap.cpp:
3193         * runtime/JSMapIterator.cpp:
3194         * runtime/JSModuleEnvironment.cpp:
3195         * runtime/JSModuleLoader.cpp:
3196         * runtime/JSModuleNamespaceObject.cpp:
3197         * runtime/JSModuleRecord.cpp:
3198         * runtime/JSNativeStdFunction.cpp:
3199         * runtime/JSONObject.cpp:
3200         * runtime/JSObject.cpp:
3201         * runtime/JSPromise.cpp:
3202         * runtime/JSPromiseConstructor.cpp:
3203         * runtime/JSPromiseDeferred.cpp:
3204         * runtime/JSPromisePrototype.cpp:
3205         * runtime/JSPropertyNameEnumerator.cpp:
3206         * runtime/JSPropertyNameIterator.cpp:
3207         * runtime/JSProxy.cpp:
3208         * runtime/JSScriptFetcher.cpp:
3209         * runtime/JSSet.cpp:
3210         * runtime/JSSetIterator.cpp:
3211         * runtime/JSSourceCode.cpp:
3212         * runtime/JSString.cpp:
3213         * runtime/JSStringIterator.cpp:
3214         * runtime/JSSymbolTableObject.cpp:
3215         * runtime/JSTemplateRegistryKey.cpp:
3216         * runtime/JSTypedArrayConstructors.cpp:
3217         * runtime/JSTypedArrayPrototypes.cpp:
3218         * runtime/JSTypedArrayViewConstructor.cpp:
3219         * runtime/JSTypedArrays.cpp:
3220         * runtime/JSWeakMap.cpp:
3221         * runtime/JSWeakSet.cpp:
3222         * runtime/JSWithScope.cpp:
3223         * runtime/MapConstructor.cpp:
3224         * runtime/MapIteratorPrototype.cpp:
3225         * runtime/MapPrototype.cpp:
3226         * runtime/MathObject.cpp:
3227         * runtime/ModuleLoaderPrototype.cpp:
3228         * runtime/ModuleProgramExecutable.cpp:
3229         * runtime/NativeErrorConstructor.cpp:
3230         * runtime/NativeExecutable.cpp:
3231         * runtime/NativeStdFunctionCell.cpp:
3232         * runtime/NullGetterFunction.cpp:
3233         * runtime/NullSetterFunction.cpp:
3234         * runtime/NumberConstructor.cpp:
3235         * runtime/NumberObject.cpp:
3236         * runtime/NumberPrototype.cpp:
3237         * runtime/ObjectConstructor.cpp:
3238         * runtime/ObjectPrototype.cpp:
3239         * runtime/ProgramExecutable.cpp:
3240         * runtime/PropertyTable.cpp:
3241         * runtime/ProxyConstructor.cpp:
3242         * runtime/ProxyObject.cpp:
3243         * runtime/ProxyRevoke.cpp:
3244         * runtime/ReflectObject.cpp:
3245         * runtime/RegExp.cpp:
3246         * runtime/RegExpConstructor.cpp:
3247         * runtime/RegExpObject.cpp:
3248         * runtime/RegExpPrototype.cpp:
3249         * runtime/ScopedArguments.cpp:
3250         * runtime/ScopedArgumentsTable.cpp:
3251         * runtime/ScriptExecutable.cpp:
3252         * runtime/SetConstructor.cpp:
3253         * runtime/SetIteratorPrototype.cpp:
3254         * runtime/SetPrototype.cpp:
3255         * runtime/SparseArrayValueMap.cpp:
3256         * runtime/StrictEvalActivation.cpp:
3257         * runtime/StringConstructor.cpp:
3258         * runtime/StringIteratorPrototype.cpp:
3259         * runtime/StringObject.cpp:
3260         * runtime/StringPrototype.cpp:
3261         * runtime/Structure.cpp:
3262         * runtime/StructureChain.cpp:
3263         * runtime/StructureRareData.cpp:
3264         * runtime/Symbol.cpp:
3265         * runtime/SymbolConstructor.cpp:
3266         * runtime/SymbolObject.cpp:
3267         * runtime/SymbolPrototype.cpp:
3268         * runtime/SymbolTable.cpp:
3269         * runtime/WeakMapConstructor.cpp:
3270         * runtime/WeakMapData.cpp:
3271         * runtime/WeakMapPrototype.cpp:
3272         * runtime/WeakSetConstructor.cpp:
3273         * runtime/WeakSetPrototype.cpp:
3274         * testRegExp.cpp:
3275         * tools/JSDollarVM.cpp:
3276         * tools/JSDollarVMPrototype.cpp:
3277         * wasm/JSWebAssembly.cpp:
3278         * wasm/js/JSWebAssemblyCodeBlock.cpp:
3279         * wasm/js/JSWebAssemblyCompileError.cpp:
3280         * wasm/js/JSWebAssemblyInstance.cpp:
3281         * wasm/js/JSWebAssemblyLinkError.cpp:
3282         * wasm/js/JSWebAssemblyMemory.cpp:
3283         * wasm/js/JSWebAssemblyModule.cpp:
3284         * wasm/js/JSWebAssemblyRuntimeError.cpp:
3285         * wasm/js/JSWebAssemblyTable.cpp:
3286         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
3287         * wasm/js/WebAssemblyCompileErrorPrototype.cpp:
3288         * wasm/js/WebAssemblyFunction.cpp:
3289         * wasm/js/WebAssemblyFunctionBase.cpp:
3290         * wasm/js/WebAssemblyInstanceConstructor.cpp:
3291         * wasm/js/WebAssemblyInstancePrototype.cpp:
3292         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
3293         * wasm/js/WebAssemblyLinkErrorPrototype.cpp:
3294         * wasm/js/WebAssemblyMemoryConstructor.cpp:
3295         * wasm/js/WebAssemblyMemoryPrototype.cpp:
3296         * wasm/js/WebAssemblyModuleConstructor.cpp:
3297         * wasm/js/WebAssemblyModulePrototype.cpp:
3298         * wasm/js/WebAssemblyModuleRecord.cpp:
3299         * wasm/js/WebAssemblyPrototype.cpp:
3300         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
3301         * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp:
3302         * wasm/js/WebAssemblyTableConstructor.cpp:
3303         * wasm/js/WebAssemblyTablePrototype.cpp:
3304         * wasm/js/WebAssemblyToJSCallee.cpp:
3305         * wasm/js/WebAssemblyWrapperFunction.cpp:
3306
3307 2017-05-18  JF Bastien  <jfbastien@apple.com>
3308
3309         WebAssembly: exports is a getter
3310         https://bugs.webkit.org/show_bug.cgi?id=172129
3311
3312         Reviewed by Saam Barati.
3313
3314         As updated here: https://github.com/WebAssembly/design/pull/1062
3315
3316         * wasm/js/JSWebAssemblyInstance.cpp:
3317         (JSC::JSWebAssemblyInstance::finishCreation): don't putDirect here anymore
3318         * wasm/js/JSWebAssemblyInstance.h:
3319         (JSC::JSWebAssemblyInstance::moduleNamespaceObject): add accessor
3320         * wasm/js/WebAssemblyFunctionBase.cpp: squelch causing a warning
3321         * wasm/js/WebAssemblyInstancePrototype.cpp: use LUT
3322         (JSC::getInstance): helper, as in surrounding files
3323         (JSC::webAssemblyInstanceProtoFuncExports): instead of putDirect
3324         * wasm/js/WebAssemblyMemoryPrototype.cpp: pass VM around as for Table
3325         (JSC::getMemory):
3326         (JSC::webAssemblyMemoryProtoFuncGrow):
3327         (JSC::webAssemblyMemoryProtoFuncBuffer):
3328         * wasm/js/WebAssemblyTablePrototype.cpp: static everywhere as with other code
3329         (JSC::webAssemblyTableProtoFuncLength):
3330         (JSC::webAssemblyTableProtoFuncGrow):
3331         (JSC::webAssemblyTableProtoFuncGet):
3332         (JSC::webAssemblyTableProtoFuncSet):
3333
3334 2017-05-18  Saam Barati  <sbarati@apple.com>
3335
3336         Proxy's [[Get]] passes incorrect receiver
3337         https://bugs.webkit.org/show_bug.cgi?id=164849
3338         <rdar://problem/31767058>
3339
3340         Reviewed by Yusuke Suzuki.
3341
3342         * runtime/ProxyObject.cpp:
3343         (JSC::performProxyGet):
3344
3345 2017-05-18  Andy Estes  <aestes@apple.com>
3346
3347         ENABLE(APPLE_PAY_DELEGATE) should be NO on macOS Sierra and earlier
3348         https://bugs.webkit.org/show_bug.cgi?id=172305
3349
3350         Reviewed by Anders Carlsson.
3351
3352         * Configurations/FeatureDefines.xcconfig:
3353
3354 2017-05-18  Saam Barati  <sbarati@apple.com>
3355
3356         We need to destroy worker threads in jsc.cpp
3357         https://bugs.webkit.org/show_bug.cgi?id=170751
3358         <rdar://problem/31800412>
3359
3360         Reviewed by Filip Pizlo.
3361
3362         This patch fixes a bug where a $ agent worker would still
3363         have compilation threads running after the thread the worker
3364         was created on dies. This manifested itself inside DFG AI where
3365         we would notice a string constant is atomic, then the worker
3366         thread would die, destroying its atomic string table, then
3367         we'd notice the same string is no longer atomic, and we'd crash
3368         because we'd fail to see the same speculated type for the same
3369         JSValue.
3370         
3371         This patch makes it so that $ agent workers destroy their VM when
3372         they're done executing. Before a VM gets destroyed, it ensures that
3373         all its compilation threads finish.
3374
3375         * jsc.cpp:
3376         (functionDollarAgentStart):
3377         (runJSC):
3378         (jscmain):
3379
3380 2017-05-18  Michael Saboff  <msaboff@apple.com>
3381
3382         Add FTL whitelist debugging option
3383         https://bugs.webkit.org/show_bug.cgi?id=172321
3384
3385         Reviewed by Saam Barati.
3386
3387         * dfg/DFGTierUpCheckInjectionPhase.cpp:
3388         (JSC::DFG::ensureGlobalFTLWhitelist):
3389         (JSC::DFG::TierUpCheckInjectionPhase::run):
3390         * runtime/Options.h:
3391         * tools/FunctionWhitelist.cpp:
3392         (JSC::FunctionWhitelist::contains):
3393
3394 2017-05-18  Filip Pizlo  <fpizlo@apple.com>
3395
3396         Constructor calls set this too early
3397         https://bugs.webkit.org/show_bug.cgi?id=172302
3398
3399         Reviewed by Saam Barati.
3400         
3401         We were setting this before evaluating the arguments, so this code:
3402         
3403             var x = 42;
3404             new x(x = function() { });
3405         
3406         Would crash because we would pass 42 as this, and create_this would treat it as a cell.
3407         Dereferencing a non-cell is guaranteed to crash.
3408
3409         * bytecompiler/BytecodeGenerator.cpp:
3410         (JSC::BytecodeGenerator::emitConstruct):
3411         * bytecompiler/BytecodeGenerator.h:
3412         * bytecompiler/NodesCodegen.cpp:
3413         (JSC::NewExprNode::emitBytecode):
3414         (JSC::FunctionCallValueNode::emitBytecode):
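
        As an added example (not part of this ChangeLog or of WebKit's code), the following JavaScript observes the evaluation order the ECMAScript spec requires for `new`, which the bug above violated: callee expression first, then the arguments, and only then the constructor check and creation of `this`. The helper names (`newEvaluationOrder`, `nonConstructorCallee`) are constructed for this example.

```javascript
// Added example, not WebKit code: observe the evaluation order of
// `new callee(args)`. Per spec, the callee expression is evaluated,
// then the argument list, and only then is the callee checked to be a
// constructor (IsConstructor) and its `this` object created.

// Records the order in which the pieces of a `new` expression run.
// Expected: ["callee", "arg", "construct"].
function newEvaluationOrder() {
  const log = [];
  const Ctor = function () { log.push("construct"); };
  const callee = () => { log.push("callee"); return Ctor; };
  const arg = () => { log.push("arg"); return 1; };
  new (callee())(arg());
  return log;
}

// The reduced case from the ChangeLog entry: `x` is still 42 when the
// callee expression is evaluated, so the call must throw a TypeError
// rather than construct the function assigned in the argument list.
// Because arguments are evaluated before the constructor check, the
// assignment to `x` has already happened by the time the error is thrown.
// A correct engine must not create `this` from the non-cell 42.
function nonConstructorCallee() {
  var x = 42;
  let threw = null;
  try {
    new x(x = function () {});
  } catch (e) {
    threw = e instanceof TypeError ? "TypeError" : String(e);
  }
  return { threw, xReassigned: typeof x === "function" };
}
```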
3415
3416 2017-05-18  Saam Barati  <sbarati@apple.com>
3417
3418         WebAssembly: perform stack checks
3419         https://bugs.webkit.org/show_bug.cgi?id=165546
3420         <rdar://problem/29760307>
3421
3422         Reviewed by Filip Pizlo.
3423
3424         This patch adds stack checks to wasm. It implements it by storing the stack
3425         bounds on the Context.
3426         
3427         Stack checking works as normal, except we do a small optimization for terminal
3428         nodes in the call tree (nodes that don't make any calls). These nodes will
3429         only do a stack check if their frame size is beyond 1024 bytes. Otherwise,
3430         it's assumed the parent that called them did their stack check for them.
3431         This is because all things that make calls make sure to do an extra 1024
3432         bytes whenever doing a stack check.
3433         
3434         We also take into account stack size for potential JS calls when doing
3435         stack checks since our JS stubs don't do this on their own. Each frame
3436         will ensure it does a stack check large enough for any potential JS call
3437         stubs it'll execute.
3438         
3439         Surprisingly, this patch is neutral on WasmBench and TitzerBench.
3440
3441         * llint/LLIntData.cpp:
3442         (JSC::LLInt::Data::performAssertions):
3443         * llint/LowLevelInterpreter.asm:
3444         * runtime/Error.cpp:
3445         (JSC::createRangeError):
3446         (JSC::addErrorInfoAndGetBytecodeOffset):
3447         I fixed a bug here where we assumed that the first frame that has line
3448         and column info would be in our stack trace. This is not correct
3449         since we limit our stack trace size. If everything in our limited
3450         size stack trace is Wasm, then we won't have any frames with line
3451         and column info.
3452         * runtime/Error.h:
3453         * runtime/ExceptionHelpers.cpp:
3454         (JSC::createStackOverflowError):
3455         * runtime/ExceptionHelpers.h:
3456         * runtime/JSGlobalObject.cpp:
3457         (JSC::JSGlobalObject::init):
3458         (JSC::JSGlobalObject::visitChildren):
3459         * runtime/JSGlobalObject.h:
3460         (JSC::JSGlobalObject::webAssemblyToJSCalleeStructure):
3461         * runtime/JSType.h:
3462         * runtime/Options.h: I've added a new option that controls
3463         whether or not we use fast TLS for the wasm context.
3464         * runtime/VM.cpp:
3465         (JSC::VM::VM):
3466         * runtime/VM.h:
3467         * wasm/WasmB3IRGenerator.cpp:
3468         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3469         * wasm/WasmBinding.cpp:
3470         (JSC::Wasm::wasmToWasm):
3471         * wasm/WasmContext.cpp:
3472         (JSC::Wasm::loadContext):
3473         (JSC::Wasm::storeContext):
3474         * wasm/WasmContext.h:
3475         (JSC::Wasm::useFastTLSForContext):
3476         * wasm/WasmExceptionType.h:
3477         * wasm/WasmMemoryInformation.h:
3478         (JSC::Wasm::PinnedRegisterInfo::toSave):
3479         * wasm/WasmThunks.cpp:
3480         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
3481         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
3482         (JSC::Wasm::Thunks::stub):
3483         * wasm/WasmThunks.h:
3484         * wasm/js/JSWebAssemblyInstance.h:
3485         (JSC::JSWebAssemblyInstance::offsetOfCachedStackLimit):
3486         (JSC::JSWebAssemblyInstance::cachedStackLimit):
3487         (JSC::JSWebAssemblyInstance::setCachedStackLimit):
3488         * wasm/js/JSWebAssemblyModule.cpp:
3489         (JSC::JSWebAssemblyModule::finishCreation):
3490         * wasm/js/WebAssemblyFunction.cpp:
3491         (JSC::callWebAssemblyFunction):
3492         * wasm/js/WebAssemblyToJSCallee.cpp: Make this a descendant of object.
3493         This is needed for correctness because we may call into JS,
3494         and then the first JS frame could stack overflow. When it stack
3495         overflows, it rolls back one frame to the wasm->js call stub with
3496         the wasm->js callee. It gets the lexical global object from this
3497         frame, meaning it gets the global object from the callee. Therefore,
3498         we must make it an object since all objects have global objects.
3499         (JSC::WebAssemblyToJSCallee::create):
3500         * wasm/js/WebAssemblyToJSCallee.h:
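
The Error.cpp fix described in this entry, as an added illustration (this is not code from the patch or from JSC; FrameModel, captureLimitedTrace, firstFrameWithLineInfo and the sample stack are assumed names and constructed data): a stack trace captured under a frame limit may consist entirely of Wasm frames, so the lookup for the first frame with line/column info has to be able to report "none" instead of assuming one exists.

```cpp
#include <cstddef>
#include <optional>
#include <string>
#include <vector>

// Simplified stand-in for one captured stack frame (assumed layout, not
// JSC's StackFrame): a Wasm frame carries no source line/column information,
// a JS frame does.
struct FrameModel {
    std::string functionName;
    bool isWasm;
    unsigned line;    // meaningful only when !isWasm
    unsigned column;  // meaningful only when !isWasm
};

struct SourcePosition {
    std::string functionName;
    unsigned line;
    unsigned column;
};

// The captured trace is truncated to maxFrames. This is the situation the
// entry describes: the limit can cut the trace off before any frame that
// has line info.
std::vector<FrameModel> captureLimitedTrace(const std::vector<FrameModel>& fullStack, size_t maxFrames)
{
    std::vector<FrameModel> limited;
    for (size_t i = 0; i < fullStack.size() && i < maxFrames; ++i)
        limited.push_back(fullStack[i]);
    return limited;
}

// Returns the first frame carrying line/column info, or nullopt when every
// captured frame is Wasm. The fix is in the return type: callers can no
// longer assume such a frame exists.
std::optional<SourcePosition> firstFrameWithLineInfo(const std::vector<FrameModel>& trace)
{
    for (const FrameModel& frame : trace) {
        if (!frame.isWasm)
            return SourcePosition { frame.functionName, frame.line, frame.column };
    }
    return std::nullopt;
}

// Builds the "function:line:column" suffix for an error message, or an empty
// string when nothing in the limited trace has position info.
std::string describeErrorLocation(const std::vector<FrameModel>& fullStack, size_t maxFrames)
{
    std::vector<FrameModel> trace = captureLimitedTrace(fullStack, maxFrames);
    std::optional<SourcePosition> position = firstFrameWithLineInfo(trace);
    if (!position)
        return "";
    return position->functionName + ":" + std::to_string(position->line) + ":" + std::to_string(position->column);
}

// Constructed sample stack, innermost frame first: three Wasm frames, then
// the JS caller. With a limit of 3 the trace holds no line info at all.
const std::vector<FrameModel> sampleStack = {
    { "wasm_inner", true, 0, 0 },
    { "wasm_middle", true, 0, 0 },
    { "wasm_outer", true, 0, 0 },
    { "jsCaller", false, 42, 7 },
};
```

With a limit of 3, `describeErrorLocation(sampleStack, 3)` returns an empty string; with a limit of 4 the JS caller is inside the trace and the location is "jsCaller:42:7". The defensive shape is the `std::optional` return: the "first frame with line info" is a lookup that can fail, and the error-construction path has to handle that outcome rather than dereference it.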
3501
3502 2017-05-18  Keith Miller  <keith_miller@apple.com>
3503
3504         WebAssembly API: test with neutered inputs
3505         https://bugs.webkit.org/show_bug.cgi?id=163899
3506
3507         Reviewed by JF Bastien.
3508
3509         Add tests to check that we properly throw a type error when
3510         we get a transferred ArrayBuffer. Also, we should make sure
3511         we cannot post message a wasm memory's ArrayBuffer.
3512
3513         * API/JSTypedArray.cpp:
3514         (JSObjectGetArrayBufferBytesPtr):
3515         * runtime/ArrayBuffer.cpp:
3516         (JSC::ArrayBuffer::makeShared):
3517         (JSC::ArrayBuffer::makeWasmMemory):
3518         (JSC::ArrayBuffer::transferTo):
3519         (JSC::ArrayBuffer::neuter):
3520         (JSC::ArrayBuffer::notifyIncommingReferencesOfTransfer):
3521         (JSC::errorMesasgeForTransfer):
3522         * runtime/ArrayBuffer.h:
3523         (JSC::ArrayBuffer::isLocked):
3524         (JSC::ArrayBuffer::isWasmMemory):
3525         * wasm/js/JSWebAssemblyMemory.cpp:
3526         (JSC::JSWebAssemblyMemory::buffer):
3527         (JSC::JSWebAssemblyMemory::grow):
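
The two rules this entry tests, as an added model (not JSC's ArrayBuffer; ArrayBufferModel, transferTo, dataIfAttached, checkWasmSourceBuffer and the error strings are assumed names and constructed messages): a buffer that has been transferred is neutered and must be rejected with a TypeError by consumers such as the WebAssembly API, and a WebAssembly.Memory's buffer must refuse to be transferred at all.

```cpp
#include <cstdint>
#include <string>
#include <utility>
#include <vector>

// Simplified model of the ArrayBuffer rules the entry tests. Added
// illustration; class and member names are assumed, not JSC's.
class ArrayBufferModel {
public:
    static ArrayBufferModel create(size_t byteLength) { return ArrayBufferModel(byteLength, false); }
    // A WebAssembly.Memory's buffer: its backing store belongs to the wasm
    // instance, so it must never be handed to another context by transfer.
    static ArrayBufferModel createWasmMemory(size_t byteLength) { return ArrayBufferModel(byteLength, true); }

    bool isWasmMemory() const { return m_isWasmMemory; }
    bool isNeutered() const { return m_neutered; }
    size_t byteLength() const { return m_neutered ? 0 : m_data.size(); }

    enum class TransferResult { Ok, RejectedNeutered, RejectedWasmMemory };

    // Moves the contents into `destination` and neuters `this`. Refuses
    // buffers that were already transferred and wasm memory buffers.
    TransferResult transferTo(ArrayBufferModel& destination)
    {
        if (m_neutered)
            return TransferResult::RejectedNeutered;
        if (m_isWasmMemory)
            return TransferResult::RejectedWasmMemory;
        destination.m_data = std::move(m_data);
        destination.m_neutered = false;
        destination.m_isWasmMemory = false;
        m_data.clear();
        m_neutered = true;
        return TransferResult::Ok;
    }

    // Storage for consumers such as WebAssembly.compile. A neutered buffer
    // has none; callers must treat nullptr as "throw TypeError" rather than
    // read through a stale pointer.
    const std::vector<uint8_t>* dataIfAttached() const { return m_neutered ? nullptr : &m_data; }

private:
    ArrayBufferModel(size_t byteLength, bool isWasmMemory)
        : m_data(byteLength, 0), m_isWasmMemory(isWasmMemory) { }

    std::vector<uint8_t> m_data;
    bool m_isWasmMemory;
    bool m_neutered { false };
};

// What a WebAssembly.Module constructor must do with its input before
// touching bytes: reject a transferred buffer with a TypeError. Returns the
// error message (constructed wording), or an empty string on success.
std::string checkWasmSourceBuffer(const ArrayBufferModel& buffer)
{
    const std::vector<uint8_t>* data = buffer.dataIfAttached();
    if (!data)
        return "TypeError: ArrayBuffer has been transferred";
    if (data->size() < 8)
        return "TypeError: buffer is too small to hold a wasm header";
    return "";
}
```

A transfer of a plain buffer succeeds once and neuters the source; a second transfer of the same source is rejected, and `checkWasmSourceBuffer` on the neutered source returns the TypeError text instead of reading freed storage. A wasm memory buffer is never neutered by a transfer attempt because the attempt is refused up front.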
3528
3529 2017-05-18  Joseph Pecoraro  <pecoraro@apple.com>
3530
3531         Remote Inspector: Be stricter about checking message types
3532         https://bugs.webkit.org/show_bug.cgi?id=172259
3533         <rdar://problem/32264839>
3534
3535         Reviewed by Brian Burg.
3536
3537         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
3538         (Inspector::RemoteInspector::receivedSetupMessage):
3539         (Inspector::RemoteInspector::receivedDataMessage):
3540         (Inspector::RemoteInspector::receivedDidCloseMessage):
3541         (Inspector::RemoteInspector::receivedIndicateMessage):
3542         (Inspector::RemoteInspector::receivedConnectionDiedMessage):
3543         (Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage):
3544         (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
3545         (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage):
3546         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
3547         (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
3548         (Inspector::RemoteInspectorXPCConnection::handleEvent):
3549         (Inspector::RemoteInspectorXPCConnection::sendMessage):
3550         Bail if we don't receive the expected types for message data.
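
The "bail if we don't receive the expected types" rule, as an added example (not the Remote Inspector code; the Message/Value types, field, parseDataMessage and the sample messages are assumed names and constructed data): a deserialized message is a dictionary of loosely typed values, and a strict handler checks both presence and type of every field before using any of them, rejecting the whole message otherwise.

```cpp
#include <cstdint>
#include <map>
#include <optional>
#include <string>
#include <variant>

// A deserialized message: string keys mapped to a small set of payload
// types. Constructed stand-in for the dictionary a connection hands over;
// nothing here is JSC, XPC or Foundation API.
using Value = std::variant<int64_t, bool, std::string>;
using Message = std::map<std::string, Value>;

// Typed accessor: yields the field only if it exists AND holds type T.
// A field of the wrong type is treated exactly like a missing field.
template<typename T>
std::optional<T> field(const Message& message, const std::string& key)
{
    auto it = message.find(key);
    if (it == message.end())
        return std::nullopt;
    if (const T* value = std::get_if<T>(&it->second))
        return *value;
    return std::nullopt;
}

struct DataMessage {
    int64_t connectionIdentifier;
    int64_t targetIdentifier;
    std::string data;
};

// Strict handler: every field is validated before use and the message is
// dropped as a unit otherwise. A lax handler that coerced or defaulted
// fields would let a malformed message of sender-chosen shape reach the
// inspector target.
std::optional<DataMessage> parseDataMessage(const Message& message)
{
    auto connection = field<int64_t>(message, "connectionIdentifier");
    auto target = field<int64_t>(message, "targetIdentifier");
    auto data = field<std::string>(message, "data");
    if (!connection || !target || !data)
        return std::nullopt; // bail: missing field or wrong type
    return DataMessage { *connection, *target, *data };
}

// Constructed samples.
const Message wellFormedMessage = {
    { "connectionIdentifier", int64_t(7) },
    { "targetIdentifier", int64_t(12) },
    { "data", std::string("{\"id\":1,\"method\":\"Runtime.enable\"}") },
};

// Same keys, but targetIdentifier arrives as a string: the strict parser
// refuses it instead of converting "12" to 12.
const Message wrongTypeMessage = {
    { "connectionIdentifier", int64_t(7) },
    { "targetIdentifier", std::string("12") },
    { "data", std::string("{}") },
};

const Message missingFieldMessage = {
    { "connectionIdentifier", int64_t(7) },
    { "data", std::string("{}") },
};
```

The check is done once, up front, and produces either a fully typed `DataMessage` or nothing, so downstream code never sees a half-valid message. Treating a wrong-typed field the same as an absent one keeps the handler's failure mode uniform and easy to log.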
3551
3552 2017-05-18  Filip Pizlo  <fpizlo@apple.com>
3553
3554         DFG inlining should be hardened for the no-result case
3555         https://bugs.webkit.org/show_bug.cgi?id=172290
3556
3557         Reviewed by Saam Barati.
3558         
3559         Previously, if we were inlining a setter call, we might have a bad time because the setter's
3560         result register is the invalid VirtualRegister(), and much of the intrinsic handling code
3561         assumes that the result register is valid.
3562         
3563         This doesn't usually cause problems because people don't usually point a setter at something
3564         that we recognize as an intrinsic.
3565         
3566         * CMakeLists.txt:
3567         * JavaScriptCore.xcodeproj/project.pbxproj:
3568         * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp: Fix a comment.
3569         * dfg/DFGByteCodeParser.cpp: Make RELEASE_ASSERT give accurate stacks. I was getting an absurd stack from the assert I added in DelayedSetLocal.
3570         (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal): Assert so we catch the problem sooner.
3571         (JSC::DFG::ByteCodeParser::handleIntrinsicCall): Fix the bug.
3572         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction): Fix the bug if constant internal functions were setter-inlineable (they ain't, because the bytecode parser doesn't fold GetSetter).
3573         * runtime/Intrinsic.cpp: Added. I needed this to debug.
3574         (JSC::intrinsicName):
3575         (WTF::printInternal):
3576         * runtime/Intrinsic.h:
3577
3578 2017-05-18  Commit Queue  <commit-queue@webkit.org>
3579
3580         Unreviewed, rolling out r217031, r217032, and r217037.
3581         https://bugs.webkit.org/show_bug.cgi?id=172293
3582
3583         cause linking errors in Windows (Requested by yusukesuzuki on
3584         #webkit).
3585
3586         Reverted changesets:
3587
3588         "[JSC][DFG][DOMJIT] Extend CheckDOM to CheckSubClass"
3589         https://bugs.webkit.org/show_bug.cgi?id=172098
3590         http://trac.webkit.org/changeset/217031
3591
3592         "Unreviewed, rebaseline for newly added ClassInfo"
3593         https://bugs.webkit.org/show_bug.cgi?id=172098
3594         http://trac.webkit.org/changeset/217032
3595
3596         "Unreviewed, fix debug and non-JIT build"
3597         https://bugs.webkit.org/show_bug.cgi?id=172098
3598         http://trac.webkit.org/changeset/217037
3599
3600 2017-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>
3601
3602         Unreviewed, fix debug and non-JIT build
3603         https://bugs.webkit.org/show_bug.cgi?id=172098
3604
3605         * jsc.cpp:
3606         (WTF::DOMJITFunctionObject::checkSubClassPatchpoint):
3607
3608 2017-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>
3609
3610         Unreviewed, rebaseline for newly added ClassInfo
3611         https://bugs.webkit.org/show_bug.cgi?id=172098
3612
3613         * wasm/js/WebAssemblyFunctionBase.cpp:
3614
3615 2017-05-16  Yusuke Suzuki  <utatane.tea@gmail.com>
3616
3617         [JSC][DFG][DOMJIT] Extend CheckDOM to CheckSubClass
3618         https://bugs.webkit.org/show_bug.cgi?id=172098
3619
3620         Reviewed by Saam Barati.
3621
3622         In this patch, we generalize CheckDOM to CheckSubClass.
3623         It can accept any ClassInfo and perform ClassInfo check
3624         in DFG / FTL. Now, we add a new function pointer to ClassInfo,
3625         checkSubClassPatchpoint. It can create DOMJIT patchpoint
3626         for that ClassInfo. It is natural that ClassInfo holds the
3627         way to emit DOMJIT::Patchpoint to perform CheckSubClass
3628         rather than having it in each DOMJIT getter / function
3629         signature annotation.
3630
3631         One problem is that it enlarges the size of ClassInfo.
3632         But this is the best place to put this function pointer.
3633         By doing so, we can add a patchpoint for CheckSubClass
3634         in a non-intrusive manner: WebCore can inject patchpoints
3635         without interacting with JSC.
3636
3637         We still have a way to reduce the size of ClassInfo if
3638         we move ArrayBuffer related methods out to the other places.
3639
3640         This patch touches many files because we add a new function
3641         pointer to ClassInfo. But they are basically mechanical changes.
3642
3643         * API/JSAPIWrapperObject.mm:
3644         * API/JSCallbackConstructor.cpp:
3645         * API/JSCallbackFunction.cpp:
3646         * API/JSCallbackObject.cpp:
3647         * API/ObjCCallbackFunction.mm:
3648         * CMakeLists.txt:
3649         * JavaScriptCore.xcodeproj/project.pbxproj:
3650         * bytecode/CodeBlock.cpp:
3651         * bytecode/DOMJITAccessCasePatchpointParams.h:
3652         (JSC::DOMJITAccessCasePatchpointParams::DOMJITAccessCasePatchpointParams):
3653         * bytecode/EvalCodeBlock.cpp:
3654         * bytecode/FunctionCodeBlock.cpp:
3655         * bytecode/GetterSetterAccessCase.cpp:
3656         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
3657         * bytecode/ModuleProgramCodeBlock.cpp:
3658         * bytecode/ProgramCodeBlock.cpp:
3659         * bytecode/UnlinkedCodeBlock.cpp:
3660         * bytecode/UnlinkedEvalCodeBlock.cpp:
3661         * bytecode/UnlinkedFunctionCodeBlock.cpp:
3662         * bytecode/UnlinkedFunctionExecutable.cpp:
3663         * bytecode/UnlinkedModuleProgramCodeBlock.cpp:
3664         * bytecode/UnlinkedProgramCodeBlock.cpp:
3665         * debugger/DebuggerScope.cpp:
3666         * dfg/DFGAbstractInterpreterInlines.h:
3667         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3668         * dfg/DFGByteCodeParser.cpp:
3669         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
3670         * dfg/DFGClobberize.h:
3671         (JSC::DFG::clobberize):
3672         * dfg/DFGConstantFoldingPhase.cpp:
3673         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3674         * dfg/DFGDOMJITPatchpointParams.h:
3675         (JSC::DFG::DOMJITPatchpointParams::DOMJITPatchpointParams):
3676         * dfg/DFGDoesGC.cpp:
3677         (JSC::DFG::doesGC):
3678         * dfg/DFGFixupPhase.cpp:
3679         (JSC::DFG::FixupPhase::fixupNode):
3680         (JSC::DFG::FixupPhase::attemptToMakeCallDOM):
3681         (JSC::DFG::FixupPhase::fixupCheckSubClass):
3682         (JSC::DFG::FixupPhase::fixupCheckDOM): Deleted.
3683         * dfg/DFGGraph.cpp:
3684         (JSC::DFG::Graph::dump):
3685         * dfg/DFGNode.h:
3686         (JSC::DFG::Node::hasClassInfo):
3687         (JSC::DFG::Node::classInfo):
3688         (JSC::DFG::Node::hasCheckDOMPatchpoint): Deleted.
3689         (JSC::DFG::Node::checkDOMPatchpoint): Deleted.
3690         * dfg/DFGNodeType.h:
3691         * dfg/DFGPredictionPropagationPhase.cpp:
3692         * dfg/DFGSafeToExecute.h:
3693         (JSC::DFG::safeToExecute):
3694         * dfg/DFGSpeculativeJIT.cpp:
3695         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
3696         (JSC::DFG::SpeculativeJIT::compileCheckDOM): Deleted.
3697         * dfg/DFGSpeculativeJIT.h:
3698         (JSC::DFG::SpeculativeJIT::vm):
3699         * dfg/DFGSpeculativeJIT32_64.cpp:
3700         (JSC::DFG::SpeculativeJIT::compile):
3701         In DFG, we rename CheckDOM to CheckSubClass. It just holds ClassInfo.
3702         And ClassInfo knows how to perform CheckSubClass efficiently.
3703         If ClassInfo does not have a way to perform CheckSubClass efficiently,
3704         we just perform jsDynamicCast thing in ASM.
3705         * dfg/DFGSpeculativeJIT64.cpp:
3706         (JSC::DFG::SpeculativeJIT::compile):
3707         * domjit/DOMJITGetterSetter.h:
3708         * domjit/DOMJITPatchpointParams.h:
3709         (JSC::DOMJIT::PatchpointParams::PatchpointParams):
3710         (JSC::DOMJIT::PatchpointParams::vm):
3711         * domjit/DOMJITSignature.h:
3712         (JSC::DOMJIT::Signature::Signature):
3713         (JSC::DOMJIT::Signature::checkDOM): Deleted.
3714         * ftl/FTLAbstractHeapRepository.h:
3715         * ftl/FTLCapabilities.cpp:
3716         (JSC::FTL::canCompile):
3717         * ftl/FTLDOMJITPatchpointParams.h:
3718         (JSC::FTL::DOMJITPatchpointParams::DOMJITPatchpointParams):
3719         * ftl/FTLLowerDFGToB3.cpp:
3720         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3721         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
3722         (JSC::FTL::DFG::LowerDFGToB3::compileCheckDOM): Deleted.
3723         * inspector/JSInjectedScriptHost.cpp:
3724         * inspector/JSInjectedScriptHostPrototype.cpp:
3725         * inspector/JSJavaScriptCallFrame.cpp:
3726         * inspector/JSJavaScriptCallFramePrototype.cpp:
3727         * jsc.cpp:
3728         (WTF::DOMJITNode::checkSubClassPatchpoint):
3729         (WTF::DOMJITFunctionObject::checkSubClassPatchpoint):
3730         (WTF::DOMJITFunctionObject::finishCreation):
3731         (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
3732         (WTF::DOMJITCheckSubClassObject::createStructure):
3733         (WTF::DOMJITCheckSubClassObject::create):
3734         (WTF::DOMJITCheckSubClassObject::safeFunction):
3735         (WTF::DOMJITCheckSubClassObject::unsafeFunction):
3736         (WTF::DOMJITCheckSubClassObject::finishCreation):
3737         (GlobalObject::finishCreation):
3738         (functionCreateDOMJITCheckSubClassObject):
3739         (WTF::DOMJITNode::checkDOMJITNode): Deleted.
3740         (WTF::DOMJITFunctionObject::checkDOMJITNode): Deleted.
3741         * runtime/AbstractModuleRecord.cpp:
3742         * runtime/ArrayBufferNeuteringWatchpoint.cpp:
3743         * runtime/ArrayConstructor.cpp:
3744         * runtime/ArrayIteratorPrototype.cpp:
3745         * runtime/ArrayPrototype.cpp:
3746         * runtime/AsyncFunctionConstructor.cpp:
3747         * runtime/AsyncFunctionPrototype.cpp:
3748         * runtime/AtomicsObject.cpp:
3749         * runtime/BooleanConstructor.cpp:
3750         * runtime/BooleanObject.cpp:
3751         * runtime/BooleanPrototype.cpp:
3752         * runtime/ClassInfo.cpp: Copied from Source/JavaScriptCore/tools/JSDollarVM.cpp.
3753         (JSC::ClassInfo::dump):
3754         * runtime/ClassInfo.h:
3755         (JSC::ClassInfo::offsetOfParentClass):
3756         * runtime/ClonedArguments.cpp:
3757         * runtime/ConsoleObject.cpp:
3758         * runtime/CustomGetterSetter.cpp:
3759         * runtime/DateConstructor.cpp:
3760         * runtime/DateInstance.cpp:
3761         * runtime/DatePrototype.cpp:
3762         * runtime/DirectArguments.cpp:
3763         * runtime/Error.cpp:
3764         * runtime/ErrorConstructor.cpp:
3765         * runtime/ErrorInstance.cpp:
3766         * runtime/ErrorPrototype.cpp:
3767         * runtime/EvalExecutable.cpp:
3768         * runtime/Exception.cpp:
3769         * runtime/ExceptionHelpers.cpp:
3770         * runtime/ExecutableBase.cpp:
3771         * runtime/FunctionConstructor.cpp:
3772         * runtime/FunctionExecutable.cpp:
3773         * runtime/FunctionPrototype.cpp:
3774         * runtime/FunctionRareData.cpp:
3775         * runtime/GeneratorFunctionConstructor.cpp:
3776         * runtime/GeneratorFunctionPrototype.cpp:
3777         * runtime/GeneratorPrototype.cpp:
3778         * runtime/GetterSetter.cpp:
3779         * runtime/HashMapImpl.cpp:
3780         * runtime/HashMapImpl.h:
3781         * runtime/InferredType.cpp:
3782         (JSC::InferredType::create):
3783         * runtime/InferredTypeTable.cpp:
3784         * runtime/InferredValue.cpp:
3785         * runtime/InspectorInstrumentationObject.cpp:
3786         * runtime/InternalFunction.cpp:
3787         * runtime/IntlCollator.cpp:
3788         * runtime/IntlCollatorConstructor.cpp:
3789         * runtime/IntlCollatorPrototype.cpp:
3790         * runtime/IntlDateTimeFormat.cpp:
3791         * runtime/IntlDateTimeFormatConstructor.cpp:
3792         * runtime/IntlDateTimeFormatPrototype.cpp:
3793         * runtime/IntlNumberFormat.cpp:
3794         * runtime/IntlNumberFormatConstructor.cpp:
3795         * runtime/IntlNumberFormatPrototype.cpp:
3796         * runtime/IntlObject.cpp:
3797         * runtime/IteratorPrototype.cpp:
3798         * runtime/JSAPIValueWrapper.cpp:
3799         * runtime/JSArray.cpp:
3800         * runtime/JSArrayBuffer.cpp:
3801         * runtime/JSArrayBufferConstructor.cpp:
3802         * runtime/JSArrayBufferPrototype.cpp:
3803         * runtime/JSArrayBufferView.cpp:
3804         * runtime/JSAsyncFunction.cpp:
3805         * runtime/JSBoundFunction.cpp:
3806         * runtime/JSCallee.cpp:
3807         * runtime/JSCustomGetterSetterFunction.cpp:
3808         * runtime/JSDataView.cpp:
3809         * runtime/JSDataViewPrototype.cpp:
3810         * runtime/JSEnvironmentRecord.cpp:
3811         * runtime/JSFixedArray.cpp:
3812         * runtime/JSFunction.cpp:
3813         * runtime/JSGeneratorFunction.cpp:
3814         * runtime/JSGlobalLexicalEnvironment.cpp:
3815         * runtime/JSGlobalObject.cpp:
3816         * runtime/JSInternalPromise.cpp:
3817         * runtime/JSInternalPromiseConstructor.cpp:
3818         * runtime/JSInternalPromiseDeferred.cpp:
3819         * runtime/JSInternalPromisePrototype.cpp:
3820         * runtime/JSLexicalEnvironment.cpp:
3821         * runtime/JSMap.cpp:
3822         * runtime/JSMapIterator.cpp:
3823         * runtime/JSModuleEnvironment.cpp:
3824         * runtime/JSModuleLoader.cpp:
3825         * runtime/JSModuleNamespaceObject.cpp:
3826         * runtime/JSModuleRecord.cpp:
3827         * runtime/JSNativeStdFunction.cpp:
3828         * runtime/JSONObject.cpp:
3829         * runtime/JSObject.cpp:
3830         * runtime/JSPromise.cpp:
3831         * runtime/JSPromiseConstructor.cpp:
3832         * runtime/JSPromiseDeferred.cpp:
3833         * runtime/JSPromisePrototype.cpp:
3834         * runtime/JSPropertyNameEnumerator.cpp:
3835         * runtime/JSPropertyNameIterator.cpp:
3836         * runtime/JSProxy.cpp:
3837         * runtime/JSScriptFetcher.cpp:
3838         * runtime/JSSet.cpp:
3839         * runtime/JSSetIterator.cpp:
3840         * runtime/JSSourceCode.cpp:
3841         * runtime/JSString.cpp:
3842         * runtime/JSStringIterator.cpp:
3843         * runtime/JSSymbolTableObject.cpp:
3844         * runtime/JSTemplateRegistryKey.cpp:
3845         * runtime/JSTypedArrayConstructors.cpp:
3846         * runtime/JSTypedArrayPrototypes.cpp:
3847         * runtime/JSTypedArrayViewConstructor.cpp:
3848         * runtime/JSTypedArrays.cpp:
3849         * runtime/JSWeakMap.cpp:
3850         * runtime/JSWeakSet.cpp:
3851         * runtime/JSWithScope.cpp:
3852         * runtime/MapConstructor.cpp:
3853         * runtime/MapIteratorPrototype.cpp:
3854         * runtime/MapPrototype.cpp:
3855         * runtime/MathObject.cpp:
3856         * runtime/ModuleLoaderPrototype.cpp:
3857         * runtime/ModuleProgramExecutable.cpp:
3858         * runtime/NativeErrorConstructor.cpp:
3859         * runtime/NativeExecutable.cpp:
3860         * runtime/NativeStdFunctionCell.cpp:
3861         * runtime/NullGetterFunction.cpp:
3862         * runtime/NullSetterFunction.cpp:
3863         * runtime/NumberConstructor.cpp:
3864         * runtime/NumberObject.cpp:
3865         * runtime/NumberPrototype.cpp:
3866         * runtime/ObjectConstructor.cpp:
3867         * runtime/ObjectPrototype.cpp:
3868         * runtime/ProgramExecutable.cpp:
3869         * runtime/PropertyTable.cpp:
3870         * runtime/ProxyConstructor.cpp:
3871         * runtime/ProxyObject.cpp:
3872         * runtime/ProxyRevoke.cpp:
3873         * runtime/ReflectObject.cpp:
3874         * runtime/RegExp.cpp:
3875         * runtime/RegExpConstructor.cpp:
3876         * runtime/RegExpObject.cpp:
3877         * runtime/RegExpPrototype.cpp:
3878         * runtime/ScopedArguments.cpp:
3879         * runtime/ScopedArgumentsTable.cpp:
3880         * runtime/ScriptExecutable.cpp:
3881         * runtime/SetConstructor.cpp:
3882         * runtime/SetIteratorPrototype.cpp:
3883         * runtime/SetPrototype.cpp:
3884         * runtime/SparseArrayValueMap.cpp:
3885         * runtime/StrictEvalActivation.cpp:
3886         * runtime/StringConstructor.cpp:
3887         * runtime/StringIteratorPrototype.cpp:
3888         * runtime/StringObject.cpp:
3889         * runtime/StringPrototype.cpp:
3890         * runtime/Structure.cpp:
3891         * runtime/StructureChain.cpp:
3892         * runtime/StructureRareData.cpp:
3893         * runtime/Symbol.cpp:
3894         * runtime/SymbolConstructor.cpp:
3895         * runtime/SymbolObject.cpp:
3896         * runtime/SymbolPrototype.cpp:
3897         * runtime/SymbolTable.cpp:
3898         * runtime/WeakMapConstructor.cpp:
3899         * runtime/WeakMapData.cpp:
3900         * runtime/WeakMapPrototype.cpp:
3901         * runtime/WeakSetConstructor.cpp:
3902         * runtime/WeakSetPrototype.cpp:
3903         * testRegExp.cpp:
3904         * tools/JSDollarVM.cpp:
3905         * tools/JSDollarVMPrototype.cpp:
3906         * wasm/JSWebAssembly.cpp:
3907         * wasm/js/JSWebAssemblyCodeBlock.cpp:
3908         * wasm/js/JSWebAssemblyCompileError.cpp:
3909         * wasm/js/JSWebAssemblyInstance.cpp:
3910         * wasm/js/JSWebAssemblyLinkError.cpp:
3911         * wasm/js/JSWebAssemblyMemory.cpp:
3912         * wasm/js/JSWebAssemblyModule.cpp:
3913         * wasm/js/JSWebAssemblyRuntimeError.cpp:
3914         * wasm/js/JSWebAssemblyTable.cpp:
3915         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
3916         * wasm/js/WebAssemblyCompileErrorPrototype.cpp:
3917         * wasm/js/WebAssemblyFunction.cpp:
3918         * wasm/js/WebAssemblyInstanceConstructor.cpp:
3919         * wasm/js/WebAssemblyInstancePrototype.cpp:
3920         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
3921         * wasm/js/WebAssemblyLinkErrorPrototype.cpp:
3922         * wasm/js/WebAssemblyMemoryConstructor.cpp:
3923         * wasm/js/WebAssemblyMemoryPrototype.cpp:
3924         * wasm/js/WebAssemblyModuleConstructor.cpp:
3925         * wasm/js/WebAssemblyModulePrototype.cpp:
3926         * wasm/js/WebAssemblyModuleRecord.cpp:
3927         * wasm/js/WebAssemblyPrototype.cpp:
3928         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
3929         * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp:
3930         * wasm/js/WebAssemblyTableConstructor.cpp:
3931         * wasm/js/WebAssemblyTablePrototype.cpp:
3932         * wasm/js/WebAssemblyToJSCallee.cpp:
3933         * wasm/js/WebAssemblyWrapperFunction.cpp:
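
The CheckSubClass design from this entry, as an added model (not JSC's ClassInfo or DFG code; ClassInfoModel, checkSubClass, the type tags and the Object/Node/Element hierarchy are assumed names and constructed data): a class-info record carries a parent pointer for the generic chain walk and an optional per-class fast check, and the check uses the fast path when the expected class supplies one and falls back to the dynamic-cast style walk otherwise.

```cpp
#include <cstddef>

struct ClassInfoModel;
// Optional per-class fast path, playing the role of a checkSubClassPatchpoint
// emitter: answers "is `actual` a subclass of me?" without walking pointers.
using FastCheck = bool (*)(const ClassInfoModel* actual);

// Stand-in for a class-info record. Assumed layout, not JSC's ClassInfo.
struct ClassInfoModel {
    const char* className;
    const ClassInfoModel* parentClass; // nullptr at the root
    unsigned typeTag;                  // cheap per-object tag a fast path can test
    FastCheck fastCheck;               // nullptr: no fast path for this class
};

// Generic slow path: walk the parent chain, as a dynamic cast over the class
// hierarchy would. Always correct, but a pointer-chasing loop.
bool isSubClassByChainWalk(const ClassInfoModel* actual, const ClassInfoModel* expected)
{
    for (const ClassInfoModel* info = actual; info; info = info->parentClass) {
        if (info == expected)
            return true;
    }
    return false;
}

struct CheckOutcome {
    bool passed;
    bool usedFastPath;
};

// What a CheckSubClass node does for an object of class `actual` against the
// class the node expects: prefer the expected class's own fast check when it
// has one, otherwise fall back to the chain walk.
CheckOutcome checkSubClass(const ClassInfoModel* actual, const ClassInfoModel* expected)
{
    if (expected->fastCheck)
        return { expected->fastCheck(actual), true };
    return { isSubClassByChainWalk(actual, expected), false };
}

// Fast path for Node: in this constructed hierarchy every Node subclass was
// assigned a tag in [10, 20), so one range compare answers the question.
bool nodeFastCheck(const ClassInfoModel* actual)
{
    return actual->typeTag >= 10 && actual->typeTag < 20;
}

// Constructed hierarchy: Object <- Node <- Element, plus an unrelated class.
const ClassInfoModel objectClass { "Object", nullptr, 0, nullptr };
const ClassInfoModel nodeClass { "Node", &objectClass, 10, nodeFastCheck };
const ClassInfoModel elementClass { "Element", &nodeClass, 11, nullptr };
const ClassInfoModel unrelatedClass { "Unrelated", &objectClass, 20, nullptr };
```

Checking an Element against Node takes the fast path and passes; checking it against Object, which has no fast check, takes the chain walk and also passes; an Unrelated object fails against Node either way. The point of keeping the fast check on the class record is that the check site stays generic: it never needs to know which classes have a cheap test.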
3934
3935 2017-05-17  Saam Barati  <sbarati@apple.com>
3936
3937         We don't do context switches for Wasm->Wasm call indirect
3938         https://bugs.webkit.org/show_bug.cgi?id=172188
3939         <rdar://problem/32231828>
3940
3941         Reviewed by Keith Miller.
3942
3943         We did not do a context switch when doing an indirect call. 
3944         This is clearly wrong, since the thing we're making an indirect
3945         call to could be from another instance. This patch fixes this
3946