[JSC] Implement String.prototype.concat in JS builtins
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2017-05-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2
3         [JSC] Implement String.prototype.concat in JS builtins
4         https://bugs.webkit.org/show_bug.cgi?id=172798
5
6         Reviewed by Sam Weinig.
7
8         Since we have a highly effective + operation for strings,
9         implementing String.prototype.concat in JS simplifies the
10         implementation and improves performance by using speculated
11         types.
12
13         Added microbenchmarks show performance improvement.
14
15         string-concat-long-convert     1063.2787+-12.9101    ^    109.0855+-2.8083        ^ definitely 9.7472x faster
16         string-concat-convert          1111.1366+-12.2363    ^     99.3402+-1.9874        ^ definitely 11.1852x faster
17         string-concat                   131.7377+-3.8359     ^     54.3949+-0.9580        ^ definitely 2.4219x faster
18         string-concat-long               79.4726+-1.9644     ^     64.6301+-1.4941        ^ definitely 1.2297x faster
19
20         * builtins/StringPrototype.js:
21         (globalPrivate.stringConcatSlowPath):
22         (concat):
23         * runtime/StringPrototype.cpp:
24         (JSC::StringPrototype::finishCreation):
25         (JSC::stringProtoFuncConcat): Deleted.
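A worked version of the builtin the entry describes, added here as an example and not WebKit's own builtins/StringPrototype.js: `specConcat` and `toStr` are this example's names. The conversion step uses a template literal so that it performs the spec's ToString (toString is preferred over valueOf, and Symbols throw), while the concatenation itself is the `+` operator the entry relies on.

```javascript
// Added example, not WebKit's builtins/StringPrototype.js: a plain-JS
// String.prototype.concat following the ECMAScript algorithm, with the
// concatenation done by the `+` operator as the ChangeLog entry describes.
// specConcat, toStr and demoCases are this example's own names.

// ToString(v) as the spec defines it: a template literal converts with hint
// "string" (toString before valueOf) and throws a TypeError for Symbols,
// unlike String(v), which would happily stringify a Symbol.
function toStr(v) {
    return `${v}`;
}

function specConcat(thisValue, ...args) {
    // RequireObjectCoercible(this value)
    if (thisValue === null || thisValue === undefined)
        throw new TypeError("String.prototype.concat requires that |this| not be null or undefined");
    // ToString(this value), then append ToString(arg) for each argument.
    let result = toStr(thisValue);
    for (let i = 0; i < args.length; ++i)
        result += toStr(args[i]);   // string + string: the fast operator path
    return result;
}

// Cases where the conversion order matters: an object with both valueOf and
// toString must take the toString path, and a Symbol must throw.
function demoCases() {
    const both = { valueOf() { return 1; }, toString() { return "str"; } };
    let symbolThrows = false;
    try { specConcat("a", Symbol("s")); } catch (e) { symbolThrows = e instanceof TypeError; }
    let nullThisThrows = false;
    try { specConcat(null, "x"); } catch (e) { nullThisThrows = e instanceof TypeError; }
    return {
        plain: specConcat("a", "b", "c"),
        converted: specConcat("n=", 42, null, undefined, true),
        objectUsesToString: specConcat("", both),
        plusUsesValueOf: "" + both,   // why a bare `"" + v` is not ToString(v)
        symbolThrows,
        nullThisThrows,
        matchesNative: specConcat("x", 1, both) === "x".concat(1, both),
    };
}
```

The `plusUsesValueOf` field is the caveat worth remembering when reimplementing builtins with `+`: string + object converts the object with hint "default" (valueOf first), so a spec-faithful concat has to convert each operand to a string before the `+`, not rely on `+` to do the conversion.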
26
27 2017-05-31  Mark Lam  <mark.lam@apple.com>
28
29         Remove overrides of visitChildren() that do not add any functionality.
30         https://bugs.webkit.org/show_bug.cgi?id=172789
31         <rdar://problem/32500865>
32
33         Reviewed by Andreas Kling.
34
35         * bytecode/UnlinkedModuleProgramCodeBlock.cpp:
36         (JSC::UnlinkedModuleProgramCodeBlock::visitChildren): Deleted.
37         * bytecode/UnlinkedModuleProgramCodeBlock.h:
38         * bytecode/UnlinkedProgramCodeBlock.cpp:
39         (JSC::UnlinkedProgramCodeBlock::visitChildren): Deleted.
40         * bytecode/UnlinkedProgramCodeBlock.h:
41         * wasm/js/WebAssemblyFunction.cpp:
42         (JSC::WebAssemblyFunction::visitChildren): Deleted.
43         * wasm/js/WebAssemblyFunction.h:
44         * wasm/js/WebAssemblyInstanceConstructor.cpp:
45         (JSC::WebAssemblyInstanceConstructor::visitChildren): Deleted.
46         * wasm/js/WebAssemblyInstanceConstructor.h:
47         * wasm/js/WebAssemblyMemoryConstructor.cpp:
48         (JSC::WebAssemblyMemoryConstructor::visitChildren): Deleted.
49         * wasm/js/WebAssemblyMemoryConstructor.h:
50         * wasm/js/WebAssemblyModuleConstructor.cpp:
51         (JSC::WebAssemblyModuleConstructor::visitChildren): Deleted.
52         * wasm/js/WebAssemblyModuleConstructor.h:
53         * wasm/js/WebAssemblyTableConstructor.cpp:
54         (JSC::WebAssemblyTableConstructor::visitChildren): Deleted.
55         * wasm/js/WebAssemblyTableConstructor.h:
56
57 2017-05-31  Commit Queue  <commit-queue@webkit.org>
58
59         Unreviewed, rolling out r217611 and r217631.
60         https://bugs.webkit.org/show_bug.cgi?id=172785
61
62         "caused wasm-hashset-many.html to become flaky." (Requested by
63         keith_miller on #webkit).
64
65         Reverted changesets:
66
67         "Reland r216808, underlying lldb bug has been fixed."
68         https://bugs.webkit.org/show_bug.cgi?id=172759
69         http://trac.webkit.org/changeset/217611
70
71         "Use dispatch queues for mach exceptions"
72         https://bugs.webkit.org/show_bug.cgi?id=172775
73         http://trac.webkit.org/changeset/217631
74
75 2017-05-31  Oleksandr Skachkov  <gskachkov@gmail.com>
76
77         Rolling out: Prevent async methods named 'function'
78         https://bugs.webkit.org/show_bug.cgi?id=172776
79
80         Reviewed by Mark Lam.
81
82         Rolling out https://bugs.webkit.org/show_bug.cgi?id=172660 r217578 and
83         https://bugs.webkit.org/show_bug.cgi?id=172598 r217478.
84         The PR to the spec was closed, so the changes need to be rolled out. See
85         https://github.com/tc39/ecma262/pull/884#issuecomment-305212494
86
87         * parser/Parser.cpp:
88         (JSC::Parser<LexerType>::parseClass):
89         (JSC::Parser<LexerType>::parsePropertyMethod):
90
91 2017-05-31  Andy Estes  <aestes@apple.com>
92
93         Rename ENABLE_APPLE_PAY_DELEGATE to ENABLE_APPLE_PAY_SESSION_V3 and bump the supported version number
94         https://bugs.webkit.org/show_bug.cgi?id=172366
95
96         Reviewed by Daniel Bates.
97
98         * Configurations/FeatureDefines.xcconfig:
99
100 2017-05-31  Keith Miller  <keith_miller@apple.com>
101
102         Reland r216808, underlying lldb bug has been fixed.
103         https://bugs.webkit.org/show_bug.cgi?id=172759
104
105
106         Unreviewed, relanding old patch. See: rdar://problem/31183352
107
108         * API/tests/ExecutionTimeLimitTest.cpp:
109         (dispatchTermitateCallback):
110         (testExecutionTimeLimit):
111         * runtime/JSLock.cpp:
112         (JSC::JSLock::didAcquireLock):
113         * runtime/Options.cpp:
114         (JSC::overrideDefaults):
115         (JSC::Options::initialize):
116         * runtime/Options.h:
117         * runtime/VMTraps.cpp:
118         (JSC::SignalContext::SignalContext):
119         (JSC::SignalContext::adjustPCToPointToTrappingInstruction):
120         (JSC::installSignalHandler):
121         (JSC::VMTraps::SignalSender::send):
122         * tools/SigillCrashAnalyzer.cpp:
123         (JSC::SignalContext::SignalContext):
124         (JSC::SignalContext::dump):
125         (JSC::installCrashHandler):
126         * wasm/WasmBBQPlan.cpp:
127         (JSC::Wasm::BBQPlan::compileFunctions):
128         * wasm/WasmFaultSignalHandler.cpp:
129         (JSC::Wasm::trapHandler):
130         (JSC::Wasm::enableFastMemory):
131         * wasm/WasmMachineThreads.cpp:
132         (JSC::Wasm::resetInstructionCacheOnAllThreads):
133
134 2017-05-31  Keith Miller  <keith_miller@apple.com>
135
136         Fix leak in PromiseDeferredTimer
137         https://bugs.webkit.org/show_bug.cgi?id=172755
138
139         Reviewed by JF Bastien.
140
141         We were not properly freeing the list of dependencies if we were already tracking the promise before.
142         This is because addPendingPromise takes the list of dependencies as an rvalue-reference. In the case
143         where we were already tracking the promise, we append the provided dependency list to the existing list.
144         Since we never bound our rvalue-ref to a non-temporary value, we never destructed the Vector, leaking its
145         contents.
146
147         * runtime/PromiseDeferredTimer.cpp:
148         (JSC::PromiseDeferredTimer::addPendingPromise):
149
150 2017-05-30  Oleksandr Skachkov  <gskachkov@gmail.com>
151
152         Prevent async methods named 'function' in Object literal
153         https://bugs.webkit.org/show_bug.cgi?id=172660
154
155         Reviewed by Saam Barati.
156
157         Prevent async method named 'function' in object.
158         https://github.com/tc39/ecma262/pull/884
159
160         * parser/Parser.cpp:
161         (JSC::Parser<LexerType>::parsePropertyMethod):
162
163 2017-05-30  Oleksandr Skachkov  <gskachkov@gmail.com>
164
165         ASSERTION FAILED: generator.isConstructor() || generator.derivedContextType() == DerivedContextType::DerivedConstructorContext
166         https://bugs.webkit.org/show_bug.cgi?id=171274
167
168         Reviewed by Saam Barati.
169
170         The current patch allows using an async arrow function within a constructor
171         and allows access to `this`. The current patch forces a load of `this` from the
172         virtual scope each time we access `this` in an async arrow function
173         within a constructor; this is necessary because the async function can be
174         suspended, `superCall` can be called, and the async function resumed.
175
176         * bytecompiler/BytecodeGenerator.cpp:
177         (JSC::BytecodeGenerator::emitPutGeneratorFields):
178         (JSC::BytecodeGenerator::ensureThis):
179         * bytecompiler/BytecodeGenerator.h:
180         (JSC::BytecodeGenerator::makeFunction):
181
182 2017-05-30  Ali Juma  <ajuma@chromium.org>
183
184         [CredentialManagement] Incorporate IDL updates from latest spec
185         https://bugs.webkit.org/show_bug.cgi?id=172011
186
187         Reviewed by Daniel Bates.
188
189         * runtime/CommonIdentifiers.h:
190
191 2017-05-30  Alex Christensen  <achristensen@webkit.org>
192
193         Update libwebrtc configuration
194         https://bugs.webkit.org/show_bug.cgi?id=172727
195
196         Reviewed by Geoffrey Garen.
197
198         * Configurations/FeatureDefines.xcconfig:
199
200 2017-05-28  Dan Bernstein  <mitz@apple.com>
201
202         [Xcode] ALWAYS_SEARCH_USER_PATHS is set to YES
203         https://bugs.webkit.org/show_bug.cgi?id=172691
204
205         Reviewed by Tim Horton.
206
207         * Configurations/Base.xcconfig: Set ALWAYS_SEARCH_USER_PATHS to NO.
208         * JavaScriptCore.xcodeproj/project.pbxproj: Added ParseInt.h to the JavaScriptCore target.
209
210 2017-05-28  Yusuke Suzuki  <utatane.tea@gmail.com>
211
212         [JSC] Provide better type information of toLength and tighten bytecode
213         https://bugs.webkit.org/show_bug.cgi?id=172690
214
215         Reviewed by Sam Weinig.
216
217         In this patch, we carefully leverage operator + in order to
218
219         1. tighten bytecode
220
221         operator+ emits the to_number bytecode. What this bytecode does is the same
222         as a @Number() call. It is more efficient, and it is smaller bytecode
223         than a @Number() call (load the global variable @Number, set up arguments, and
224         call it).
225
226         2. offer better type prediction data
227
228         Now, we have code like
229
230             length > 0 ? (length < @MAX_SAFE_INTEGER ? length : @MAX_SAFE_INTEGER) : 0
231
232         This is not good because the DFG prediction propagation phase predicts Double
233         since @MAX_SAFE_INTEGER is a double. But actually it rarely becomes Double.
234         Usually, the result becomes Int32. This patch leverages to_number in a somewhat
235         interesting way: to_number has value profiling to offer better type prediction.
236         This value profiling offers a chance to change the prediction to Int32 efficiently.
237         It is a bit tricky. But it is worth doing to speed up our builtin functions,
238         which should leverage all of JSC's tricky things to be optimized.
239
240         Related microbenchmarks show performance improvement.
241
242                                                   baseline                  patched
243
244             array-prototype-forEach           50.2348+-2.2331           49.7568+-2.3507
245             array-prototype-map               51.0574+-1.8166           47.9531+-2.1653          might be 1.0647x faster
246             array-prototype-some              52.3926+-1.8882     ^     48.3632+-2.0852        ^ definitely 1.0833x faster
247             array-prototype-every             52.7394+-2.0712           50.2896+-2.1480          might be 1.0487x faster
248             array-prototype-reduce            54.9994+-2.3638           51.8716+-2.6253          might be 1.0603x faster
249             array-prototype-reduceRight      209.7594+-9.2594     ^     51.5867+-2.5745        ^ definitely 4.0662x faster
250
251
252         * builtins/GlobalOperations.js:
253         (globalPrivate.toInteger):
254         (globalPrivate.toLength):
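The toInteger/toLength pair written out in plain JavaScript, added here as an example and not WebKit's builtins/GlobalOperations.js: the helper names are this example's own, the clamp expression is the one quoted in the entry, and the leading `+` on the result is this example's way of mirroring the to_number use the entry describes (an assumption about how to express it, not a claim about the exact builtin source). `forEachArrayLike` shows how the Array builtins consume the result.

```javascript
// Added example, not WebKit's builtins/GlobalOperations.js. Plain-JS
// toInteger/toLength in the style the ChangeLog entry describes: ToNumber via
// unary `+` rather than a Number() call, and the clamp from the entry.
// toInteger, toLength and forEachArrayLike are this example's own names.

const MAX_SAFE_INTEGER = 9007199254740991;   // 2^53 - 1, the spec's upper clamp

function toInteger(target) {
    const numberValue = +target;          // ToNumber via unary plus (calls valueOf/toString)
    if (numberValue !== numberValue)      // NaN is the only value not equal to itself
        return 0;                         // NaN -> +0
    return Math.trunc(numberValue);       // +/-Infinity and -0 pass through unchanged
}

function toLength(target) {
    const length = toInteger(target);
    // Clamp to [0, 2^53 - 1]. The outer `+` is this example's stand-in for
    // the to_number the entry uses to get a value profile on the result.
    return +(length > 0 ? (length < MAX_SAFE_INTEGER ? length : MAX_SAFE_INTEGER) : 0);
}

// A generic forEach over array-likes, the way Array builtins use toLength:
// a negative, NaN or absurdly large length is tamed before the loop starts,
// and holes (indices that do not exist) are skipped. Returns the visit count.
function forEachArrayLike(arrayLike, callback) {
    const len = toLength(arrayLike.length);
    let visited = 0;
    for (let i = 0; i < len; ++i) {
        if (i in arrayLike) {
            callback(arrayLike[i], i);
            ++visited;
        }
    }
    return visited;
}
```

Note the edge cases the clamp handles silently: `toLength(-0)` yields +0 because `-0 > 0` is false, and a `length` of `Infinity` or anything above 2^53 - 1 is cut to `MAX_SAFE_INTEGER` rather than rejected, so a loop driven by a caller-controlled length still needs its own bound if that matters.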
255
256 2017-05-28  Sam Weinig  <sam@webkit.org>
257
258         [WebIDL] @@iterator should only be accessed once when disambiguating a union type
259         https://bugs.webkit.org/show_bug.cgi?id=172684
260
261         Reviewed by Yusuke Suzuki.
262
263         * runtime/IteratorOperations.cpp:
264         (JSC::iteratorMethod):
265         (JSC::iteratorForIterable):
266         * runtime/IteratorOperations.h:
267         (JSC::forEachInIterable):
268         Add additional iterator helpers to allow union + sequence conversion code
269         to check for iterability by getting the iterator method, and iterate using
270         that method later on.
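The two-step protocol the entry describes (get the @@iterator method once, iterate with it later) in plain JavaScript, added as an example and not WebKit's IteratorOperations.cpp. `getIteratorMethod`, `forEachInIterable`, `convertUnion` and `naiveConvert` are this example's names; the counting iterable is constructed here to make the number of @@iterator reads observable.

```javascript
// Added example, not WebKit's IteratorOperations.cpp: union/sequence
// disambiguation that reads @@iterator exactly once. Names are my own.

// Step 1: GetMethod(obj, @@iterator). The property is read exactly once;
// undefined means "not iterable".
function getIteratorMethod(obj) {
    if (obj === null || obj === undefined)
        return undefined;
    const method = obj[Symbol.iterator];
    if (method === null || method === undefined)
        return undefined;
    if (typeof method !== "function")
        throw new TypeError("@@iterator is not a function");
    return method;
}

// Step 2: iterate using the method obtained earlier, never touching
// @@iterator again. `next` is looked up once, as GetIterator does.
function forEachInIterable(obj, method, callback) {
    const iterator = method.call(obj);
    if (Object(iterator) !== iterator)
        throw new TypeError("iterator is not an object");
    const next = iterator.next;
    for (;;) {
        const result = next.call(iterator);
        if (Object(result) !== result)
            throw new TypeError("iterator result is not an object");
        if (result.done)
            return;
        callback(result.value);
    }
}

// Disambiguate "dictionary or sequence?" and convert, with one property read.
function convertUnion(value) {
    const method = getIteratorMethod(value);
    if (method === undefined)
        return { kind: "dictionary", value };
    const items = [];
    forEachInIterable(value, method, (v) => items.push(v));
    return { kind: "sequence", value: items };
}

// The pattern the entry moves away from: test for @@iterator, then let
// for-of fetch it a second time. A getter sees two reads.
function naiveConvert(value) {
    if (value === null || value === undefined || !value[Symbol.iterator])
        return { kind: "dictionary", value };
    const items = [];
    for (const v of value) items.push(v);
    return { kind: "sequence", value: items };
}

// Constructed sample: an iterable whose @@iterator is a counting getter.
function makeCountingIterable(values) {
    let reads = 0;
    const iterable = {
        get [Symbol.iterator]() { ++reads; return function* () { yield* values; }; },
    };
    return { iterable, reads: () => reads };
}
```

The reason a single read matters is that @@iterator can be a getter or a Proxy trap, so every extra access is user-visible code running in the middle of a conversion; the second read may also return a different function than the first.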
271
272 2017-05-28  Yusuke Suzuki  <utatane.tea@gmail.com>
273
274         Unreviewed, build fix for Windows
275         https://bugs.webkit.org/show_bug.cgi?id=172413
276
277         Optimized jsDynamicCast for JSMap and JSSet will be handled in [1].
278
279         [1]: https://bugs.webkit.org/show_bug.cgi?id=172685
280
281         * runtime/JSMap.h:
282         (JSC::isJSMap):
283         (JSC::jsDynamicCast): Deleted.
284         (JSC::>): Deleted.
285         * runtime/JSSet.h:
286         (JSC::isJSSet):
287         (JSC::jsDynamicCast): Deleted.
288         (JSC::>): Deleted.
289         * runtime/MapConstructor.cpp:
290         (JSC::constructMap):
291         * runtime/SetConstructor.cpp:
292         (JSC::constructSet):
293
294 2017-05-28  Mark Lam  <mark.lam@apple.com>
295
296         Implement a faster Interpreter::getOpcodeID().
297         https://bugs.webkit.org/show_bug.cgi?id=172669
298
299         Reviewed by Saam Barati.
300
301         We can implement Interpreter::getOpcodeID() without a hash table lookup by always
302         embedding the OpcodeID in the 32-bit word just before the start of the LLInt
303         handler code that executes each opcode.  getOpcodeID() can therefore just read
304         the 32-bits before the opcode address to get its OpcodeID.
305
306         This is currently only enabled for CPU(X86), CPU(X86_64), CPU(ARM64),
307         CPU(ARM_THUMB2), and only for OS(DARWIN).  It'll probably just work for linux as
308         well, but I'll let the Linux folks turn that on after they have verified that it
309         works on linux too.
310
311         I'll also take this opportunity to clean up how we initialize the opcodeIDTable:
312         1. we only need to initialize it once per process, not once per VM / interpreter
313            instance.
314         2. we can initialize it in the Interpreter constructor instead of requiring a
315            separate call to an initialize() function.
316
317         On debug builds, the Interpreter constructor will also verify that getOpcodeID()
318         is working correctly for each opcode when USE(LLINT_EMBEDDED_OPCODE_ID).
319
320         * bytecode/BytecodeList.json:
321         * generate-bytecode-files:
322         * interpreter/Interpreter.cpp:
323         (JSC::Interpreter::Interpreter):
324         (JSC::Interpreter::opcodeIDTable):
325         (JSC::Interpreter::initialize): Deleted.
326         * interpreter/Interpreter.h:
327         (JSC::Interpreter::getOpcode):
328         (JSC::Interpreter::getOpcodeID):
329         * llint/LowLevelInterpreter.cpp:
330         * runtime/VM.cpp:
331         (JSC::VM::VM):
332
333 2017-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>
334
335         [JSC] Map and Set constructors should have fast path for cloning
336         https://bugs.webkit.org/show_bug.cgi?id=172413
337
338         Reviewed by Saam Barati.
339
340         In this patch, we add a fast path for cloning in Set and Map constructors.
341
342         In ARES-6 Air, we have code like `new Set(set)` to clone the given set.
343         At that time, our generic path just iterates the given set object and adds
344         it to the newly created one. It is quite slow because we need to follow
345         the iterator protocol inside C++ and we need to call set.add() repeatedly
346         even though the given set guarantees the elements are unique.
347
348         This patch implements a clone() function for JSMap and JSSet. Cloning JSMap
349         and JSSet is done really fast without invoking any observable JS functions.
350         To check whether we can use this clone() function in Set and Map constructors,
351         we set several watchpoints.
352
353         In the case of Set,
354
355         1. Set.prototype[Symbol.iterator] is not changed.
356         2. SetIterator.prototype.next is not changed.
357         3. Set.prototype.add is not changed.
358         4. The given Set does not have [Symbol.iterator] function in its instance.
359         5. The given Set's [[Prototype]] is Set.prototype.
360         6. Newly created set's [[Prototype]] is Set.prototype.
361
362         If the above requirements are met, cloning the given Set is not observable to users.
363         Thus we can take a fast path.
364
365         Currently, we do not integrate this optimization into the DFG and FTL,
366         and we do not optimize other iterables. For example, we can optimize the Set
367         constructor taking an Int32 Array, and we should optimize generic iterator cases too.
368         They are planned as part of a separate bug [1].
369
370         This change improves ARES-6 Air by 5.3% in steady state.
371
372         Baseline:
373             Running... Air ( 1  to go)
374             firstIteration:     76.41 +- 15.60 ms
375             averageWorstCase:   40.63 +- 7.54 ms
376             steadyState:        9.13 +- 0.51 ms
377
378
379         Patched:
380             Running... Air ( 1  to go)
381             firstIteration:     75.00 +- 22.54 ms
382             averageWorstCase:   39.18 +- 8.45 ms
383             steadyState:        8.67 +- 0.28 ms
384
385         [1]: https://bugs.webkit.org/show_bug.cgi?id=172419
386
387         * CMakeLists.txt:
388         * JavaScriptCore.xcodeproj/project.pbxproj:
389         * runtime/ArrayIteratorAdaptiveWatchpoint.cpp: Removed.
390         * runtime/HashMapImpl.h:
391         (JSC::HashMapBucket::extractValue):
392         (JSC::HashMapImpl::finishCreation):
393         (JSC::HashMapImpl::add):
394         (JSC::HashMapImpl::setUpHeadAndTail):
395         (JSC::HashMapImpl::addNormalizedNonExistingForCloning):
396         (JSC::HashMapImpl::addNormalizedInternal):
397         * runtime/InternalFunction.cpp:
398         (JSC::InternalFunction::createSubclassStructureSlow):
399         (JSC::InternalFunction::createSubclassStructure): Deleted.
400         * runtime/InternalFunction.h:
401         (JSC::InternalFunction::createSubclassStructure):
402         * runtime/JSGlobalObject.cpp:
403         (JSC::JSGlobalObject::JSGlobalObject):
404         (JSC::JSGlobalObject::init):
405         (JSC::JSGlobalObject::visitChildren):
406         * runtime/JSGlobalObject.h:
407         (JSC::JSGlobalObject::mapIteratorProtocolWatchpoint):
408         (JSC::JSGlobalObject::setIteratorProtocolWatchpoint):
409         (JSC::JSGlobalObject::mapSetWatchpoint):
410         (JSC::JSGlobalObject::setAddWatchpoint):
411         (JSC::JSGlobalObject::mapPrototype):
412         (JSC::JSGlobalObject::jsSetPrototype):
413         (JSC::JSGlobalObject::setStructure):
414         * runtime/JSGlobalObjectInlines.h:
415         (JSC::JSGlobalObject::isMapPrototypeIteratorProtocolFastAndNonObservable):
416         (JSC::JSGlobalObject::isSetPrototypeIteratorProtocolFastAndNonObservable):
417         (JSC::JSGlobalObject::isMapPrototypeSetFastAndNonObservable):
418         (JSC::JSGlobalObject::isSetPrototypeAddFastAndNonObservable):
419         * runtime/JSMap.cpp:
420         (JSC::JSMap::clone):
421         (JSC::JSMap::canCloneFastAndNonObservable):
422         * runtime/JSMap.h:
423         (JSC::jsDynamicCast):
424         (JSC::>):
425         (JSC::JSMap::createStructure): Deleted.
426         (JSC::JSMap::create): Deleted.
427         (JSC::JSMap::set): Deleted.
428         (JSC::JSMap::JSMap): Deleted.
429         * runtime/JSSet.cpp:
430         (JSC::JSSet::clone):
431         (JSC::JSSet::canCloneFastAndNonObservable):
432         * runtime/JSSet.h:
433         (JSC::jsDynamicCast):
434         (JSC::>):
435         (JSC::JSSet::createStructure): Deleted.
436         (JSC::JSSet::create): Deleted.
437         (JSC::JSSet::JSSet): Deleted.
438         * runtime/MapConstructor.cpp:
439         (JSC::constructMap):
440         * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h: Renamed from Source/JavaScriptCore/runtime/ArrayIteratorAdaptiveWatchpoint.h.
441         (JSC::ObjectPropertyChangeAdaptiveWatchpoint::ObjectPropertyChangeAdaptiveWatchpoint):
442         * runtime/SetConstructor.cpp:
443         (JSC::constructSet):
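A plain-JavaScript model of the six conditions listed above, added as an example and not WebKit's SetConstructor.cpp or JSSet::canCloneFastAndNonObservable. In JSC these are watchpoints on the builtins; here they are identity comparisons against values captured when the script loads, and the fast path copies through the captured originals so that no user-replaceable function runs. `canCloneFastAndNonObservable`, `cloneSet` and `runScenarios` are this example's names; the scenarios (own @@iterator, subclass, patched `add`) are constructed here.

```javascript
// Added example, not WebKit's code: model of the Set-constructor clone fast
// path conditions from the ChangeLog entry. Names are my own.

// Captured at load time: stand-ins for the "not changed" watchpoints (1-3).
const originalSetIterator = Set.prototype[Symbol.iterator];
const SetIteratorPrototype = Object.getPrototypeOf(new Set()[Symbol.iterator]());
const originalSetIteratorNext = SetIteratorPrototype.next;
const originalSetAdd = Set.prototype.add;

function canCloneFastAndNonObservable(source, newTarget) {
    return Set.prototype[Symbol.iterator] === originalSetIterator            // 1
        && SetIteratorPrototype.next === originalSetIteratorNext             // 2
        && Set.prototype.add === originalSetAdd                              // 3
        && !Object.prototype.hasOwnProperty.call(source, Symbol.iterator)    // 4
        && Object.getPrototypeOf(source) === Set.prototype                   // 5
        && newTarget.prototype === Set.prototype;                            // 6
}

// `new Set(source)` with new.target === newTarget. Returns the copy and which
// path produced it.
function cloneSet(source, newTarget = Set) {
    const copy = Reflect.construct(Set, [], newTarget);
    if (canCloneFastAndNonObservable(source, newTarget)) {
        // Fast path: only the captured originals run, so nothing a script
        // could have overridden is invoked (the engine copies buckets directly).
        const it = originalSetIterator.call(source);
        for (let r = originalSetIteratorNext.call(it); !r.done; r = originalSetIteratorNext.call(it))
            originalSetAdd.call(copy, r.value);
        return { copy, path: "fast" };
    }
    // Generic path: the observable iterator protocol and add() calls.
    for (const v of source)
        copy.add(v);
    return { copy, path: "generic" };
}

// Constructed scenarios showing which condition sends us down the generic path.
function runScenarios() {
    const base = new Set([1, 2, 3]);
    const res = {};
    res.pristine = cloneSet(base);                                   // all six hold

    const own = new Set([1]);
    own[Symbol.iterator] = function* () { yield 42; };               // breaks 4
    res.ownIterator = cloneSet(own);

    class MySet extends Set {}
    res.subclass = cloneSet(new MySet([1]), MySet);                  // breaks 5 and 6

    let addCalls = 0;
    Set.prototype.add = function (v) { ++addCalls; return originalSetAdd.call(this, v); }; // breaks 3
    try {
        res.patchedAdd = cloneSet(base);
    } finally {
        Set.prototype.add = originalSetAdd;
    }
    res.addCalls = addCalls;
    return res;
}
```

The own-@@iterator scenario is the one that shows why condition 4 is needed even when the prototype is untouched: the generic path yields 42 rather than the set's actual contents, so a fast path that ignored the instance property would produce a different result than the specified behaviour.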
444
445 2017-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>
446
447         [DOMJIT] Move DOMJIT patchpoint infrastructure out of domjit
448         https://bugs.webkit.org/show_bug.cgi?id=172260
449
450         Reviewed by Filip Pizlo.
451
452         DOMJIT::Patchpoint is now used for the generalized CheckSubClass, and it has become mature enough
453         to be used as a general-purpose injectable compiler over all the JIT tiers.
454
455         We extract DOMJIT::Patchpoint to jit/ and rename it JSC::Snippet.
456
457         * CMakeLists.txt:
458         * JavaScriptCore.xcodeproj/project.pbxproj:
459         * bytecode/AccessCaseSnippetParams.cpp: Renamed from Source/JavaScriptCore/bytecode/DOMJITAccessCasePatchpointParams.cpp.
460         (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
461         (JSC::AccessCaseSnippetParams::emitSlowPathCalls):
462         * bytecode/AccessCaseSnippetParams.h: Renamed from Source/JavaScriptCore/bytecode/DOMJITAccessCasePatchpointParams.h.
463         (JSC::AccessCaseSnippetParams::AccessCaseSnippetParams):
464         * bytecode/GetterSetterAccessCase.cpp:
465         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
466         * dfg/DFGAbstractInterpreterInlines.h:
467         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
468         * dfg/DFGByteCodeParser.cpp:
469         (JSC::DFG::blessCallDOMGetter):
470         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
471         * dfg/DFGClobberize.h:
472         (JSC::DFG::clobberize):
473         * dfg/DFGFixupPhase.cpp:
474         (JSC::DFG::FixupPhase::fixupNode):
475         * dfg/DFGGraph.h:
476         * dfg/DFGNode.h:
477         * dfg/DFGSnippetParams.cpp: Renamed from Source/JavaScriptCore/dfg/DFGDOMJITPatchpointParams.cpp.
478         * dfg/DFGSnippetParams.h: Renamed from Source/JavaScriptCore/dfg/DFGDOMJITPatchpointParams.h.
479         (JSC::DFG::SnippetParams::SnippetParams):
480         * dfg/DFGSpeculativeJIT.cpp:
481         (JSC::DFG::allocateTemporaryRegistersForSnippet):
482         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
483         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
484         (JSC::DFG::allocateTemporaryRegistersForPatchpoint): Deleted.
485         * domjit/DOMJITCallDOMGetterSnippet.h: Renamed from Source/JavaScriptCore/domjit/DOMJITCallDOMGetterPatchpoint.h.
486         (JSC::DOMJIT::CallDOMGetterSnippet::create):
487         * domjit/DOMJITGetterSetter.h:
488         * domjit/DOMJITSignature.h:
489         * domjit/DOMJITValue.h: Removed.
490         * ftl/FTLLowerDFGToB3.cpp:
491         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
492         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
493         * ftl/FTLSnippetParams.cpp: Renamed from Source/JavaScriptCore/ftl/FTLDOMJITPatchpointParams.cpp.
494         * ftl/FTLSnippetParams.h: Renamed from Source/JavaScriptCore/ftl/FTLDOMJITPatchpointParams.h.
495         (JSC::FTL::SnippetParams::SnippetParams):
496         * jit/Snippet.h: Renamed from Source/JavaScriptCore/domjit/DOMJITPatchpoint.h.
497         (JSC::Snippet::create):
498         (JSC::Snippet::setGenerator):
499         (JSC::Snippet::generator):
500         * jit/SnippetParams.h: Renamed from Source/JavaScriptCore/domjit/DOMJITPatchpointParams.h.
501         (JSC::SnippetParams::~SnippetParams):
502         (JSC::SnippetParams::Value::Value):
503         (JSC::SnippetParams::Value::isGPR):
504         (JSC::SnippetParams::Value::isFPR):
505         (JSC::SnippetParams::Value::isJSValueRegs):
506         (JSC::SnippetParams::Value::gpr):
507         (JSC::SnippetParams::Value::fpr):
508         (JSC::SnippetParams::Value::jsValueRegs):
509         (JSC::SnippetParams::Value::reg):
510         (JSC::SnippetParams::Value::value):
511         (JSC::SnippetParams::SnippetParams):
512         * jit/SnippetReg.h: Renamed from Source/JavaScriptCore/domjit/DOMJITReg.h.
513         (JSC::SnippetReg::SnippetReg):
514         * jit/SnippetSlowPathCalls.h: Renamed from Source/JavaScriptCore/domjit/DOMJITSlowPathCalls.h.
515         * jsc.cpp:
516         (WTF::DOMJITNode::checkSubClassSnippet):
517         (WTF::DOMJITFunctionObject::checkSubClassSnippet):
518         (WTF::DOMJITNode::checkSubClassPatchpoint): Deleted.
519         (WTF::DOMJITFunctionObject::checkSubClassPatchpoint): Deleted.
520         * runtime/ClassInfo.h:
521
522 2017-05-26  Keith Miller  <keith_miller@apple.com>
523
524         REGRESSION(r217459): testapi fails in JSExportTest's wrapperForNSObjectisObject().
525         https://bugs.webkit.org/show_bug.cgi?id=172654
526
527         Reviewed by Mark Lam.
528
529         The test's intent is to assert that an exception has not been
530         thrown (as indicated by the message string), but the test was
531         erroneously checking for ! the right condition. This is now fixed.
532
533         * API/tests/JSExportTests.mm:
534         (wrapperForNSObjectisObject):
535
536 2017-05-26  Joseph Pecoraro  <pecoraro@apple.com>
537
538         JSContext Inspector: Improve the reliability of automatically pausing in auto-attach
539         https://bugs.webkit.org/show_bug.cgi?id=172664
540         <rdar://problem/32362933>
541
542         Reviewed by Matt Baker.
543
544         Automatically pause on connection was triggering a pause before the
545         frontend may have initialized. Often during frontend initialization
546         the frontend may perform an action that clears the pause state requested
547         by the developer. This change defers the pause until after the frontend
548         has initialized, right before returning to the application's code.
549
550         * inspector/remote/RemoteControllableTarget.h:
551         * inspector/remote/RemoteInspectionTarget.h:
552         * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
553         (Inspector::RemoteConnectionToTarget::setup):
554         * inspector/remote/glib/RemoteConnectionToTargetGlib.cpp:
555         (Inspector::RemoteConnectionToTarget::setup):
556         * runtime/JSGlobalObjectDebuggable.cpp:
557         (JSC::JSGlobalObjectDebuggable::connect):
558         (JSC::JSGlobalObjectDebuggable::pause): Deleted.
559         * runtime/JSGlobalObjectDebuggable.h:
560         Pass an immediatelyPause boolean on to the controller. Remove
561         the current path that invokes a pause before initialization.
562
563         * inspector/JSGlobalObjectInspectorController.h:
564         * inspector/JSGlobalObjectInspectorController.cpp:
565         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
566         (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
567         Manage should immediately pause state.
568
569         (Inspector::JSGlobalObjectInspectorController::frontendInitialized):
570         (Inspector::JSGlobalObjectInspectorController::pause): Deleted.
571         When initialized, trigger a pause if requested.
572
573 2017-05-26  Mark Lam  <mark.lam@apple.com>
574
575         Temporarily commenting out a JSExportTest test until webkit.org/b/172654 is fixed.
576         https://bugs.webkit.org/show_bug.cgi?id=172655
577
578         Reviewed by Saam Barati.
579
580         * API/tests/JSExportTests.mm:
581         (wrapperForNSObjectisObject):
582
583 2017-05-26  Mark Lam  <mark.lam@apple.com>
584
585         REGRESSION(216914): testCFStrings encounters an invalid ExecState callee pointer.
586         https://bugs.webkit.org/show_bug.cgi?id=172651
587
588         Reviewed by Saam Barati.
589
590         This is because the assertion utility functions used in testCFStrings() expect
591         to get the JSGlobalContextRef from the global context variable.  However,
592         testCFStrings() creates its own JSGlobalContextRef but does not set the global
593         context variable to it.
594
595         The fix is to make testCFStrings() initialize the global context variable properly.
596
597         * API/tests/testapi.c:
598         (testCFStrings):
599
600 2017-05-26  Yusuke Suzuki  <utatane.tea@gmail.com>
601
602         Give ModuleProgram the same treatment that we did for ProgramCode in bug#167725
603         https://bugs.webkit.org/show_bug.cgi?id=167805
604
605         Reviewed by Saam Barati.
606
607         Since ModuleProgramExecutable is executed only once, we can skip compiling
608         code unreachable from the current program count. This can skip massive
609         initialization code.
610
611         We already do this for global code in bug#167725. This patch extends it to
612         module code.
613
614         * interpreter/Interpreter.cpp:
615         (JSC::Interpreter::executeModuleProgram):
616         * interpreter/Interpreter.h:
617         * jit/JIT.cpp:
618         (JSC::JIT::privateCompileMainPass):
619         * runtime/JSModuleRecord.cpp:
620         (JSC::JSModuleRecord::evaluate):
621         * runtime/JSModuleRecord.h:
622         (JSC::JSModuleRecord::moduleProgramExecutable): Deleted.
623
624 2017-05-26  Oleksandr Skachkov  <gskachkov@gmail.com>
625
626         Prevent async methods named 'function'
627         https://bugs.webkit.org/show_bug.cgi?id=172598
628
629         Reviewed by Mark Lam.
630
631         Prevent async method named 'function' in class.
632         Link to change in ecma262 specification
633         https://github.com/tc39/ecma262/pull/884
634
635         * parser/Parser.cpp:
636         (JSC::Parser<LexerType>::parseClass):
637
638 2017-05-25  Yusuke Suzuki  <utatane.tea@gmail.com>
639
640         Unreviewed, build fix for GCC
641
642         std::tuple does not have an implicit constructor.
643         Thus, we cannot use implicit construction with an initializer brace.
644         We should specify the name like `GetInst { }`.
645
646         * bytecompiler/BytecodeGenerator.h:
647         (JSC::StructureForInContext::addGetInst):
648
649 2017-05-25  Keith Miller  <keith_miller@apple.com>
650
651         Cleanup tests after r217240
652         https://bugs.webkit.org/show_bug.cgi?id=172466
653
654         Reviewed by Mark Lam.
655
656         I forgot to make my test an actual test. Also, remove the second call to runJSExportTests().
657
658         * API/tests/JSExportTests.mm:
659         (wrapperForNSObjectisObject):
660         * API/tests/testapi.mm:
661         (testObjectiveCAPIMain):
662
663 2017-05-25  Michael Saboff  <msaboff@apple.com>
664
665         The default setting of Option::criticalGCMemoryThreshold is too high for iOS
666         https://bugs.webkit.org/show_bug.cgi?id=172617
667
668         Reviewed by Mark Lam.
669
670         Reducing criticalGCMemoryThreshold to 0.80 eliminated jetsam on iOS devices
671         when tested running JetStream.
672
673         * runtime/Options.h:
674
675 2017-05-25  Saam Barati  <sbarati@apple.com>
676
677         Our for-in optimization in the bytecode generator does its static analysis incorrectly
678         https://bugs.webkit.org/show_bug.cgi?id=172532
679         <rdar://problem/32369452>
680
681         Reviewed by Mark Lam.
682
683         Our static analysis for when a for-in induction variable
684         is written to tried to do its analysis as we generate
685         bytecode. This has issues, since it does not account for
686         the dynamic execution path of the program. Let's consider
687         a program where our old analysis worked:
688         
689         ```
690         for (let p in o) {
691             o[p]; // We can transform this into a fast get_direct_pname
692             p = 20;
693             o[p]; // We cannot transform this since p has been changed.
694         }
695         ```
696         
697         However, our static analysis did not account for loops, which exist
698         in JavaScript. e.g., it would incorrectly compile this program as:
699         ```
700         for (let p in o) {
701             for (let i = 0; i < 20; ++i) {
702                 o[p]; // It transforms this to use get_direct_pname even though p will be over-written if we get here from the inner loop back edge!
703                 p = 20;
704                 o[p]; // We correctly do not transform this.
705             } 
706         }
707         ```
708         
709         Because of this flaw, I've made the optimization more conservative.
710         We now optimistically emit code for the optimized access. However,
711         if a for-in context is *ever* invalidated, before we pop it off
712         the stack, we rewrite the program's optimized accesses to no longer
713         be optimized. To do this, each context keeps track of its optimized
714         accesses.
715         
716         This patch also adds a new bytecode, op_nop, which is just a no-op.
717         It was helpful to add this because reverting get_direct_pname to get_by_val
718         will leave us with an extra instruction word because get_direct_pname
719         has a length of 7 where get_by_val has a length of 6. This leaves us with
720         an extra slot that we fill with an op_nop.
721
722         * bytecode/BytecodeDumper.cpp:
723         (JSC::BytecodeDumper<Block>::dumpBytecode):
724         * bytecode/BytecodeList.json:
725         * bytecode/BytecodeUseDef.h:
726         (JSC::computeUsesForBytecodeOffset):
727         (JSC::computeDefsForBytecodeOffset):
728         * bytecompiler/BytecodeGenerator.cpp:
729         (JSC::BytecodeGenerator::emitGetByVal):
730         (JSC::BytecodeGenerator::popIndexedForInScope):
731         (JSC::BytecodeGenerator::popStructureForInScope):
732         (JSC::BytecodeGenerator::invalidateForInContextForLocal):
733         (JSC::StructureForInContext::pop):
734         (JSC::IndexedForInContext::pop):
735         * bytecompiler/BytecodeGenerator.h:
736         (JSC::StructureForInContext::addGetInst):
737         (JSC::IndexedForInContext::addGetInst):
738         * dfg/DFGByteCodeParser.cpp:
739         (JSC::DFG::ByteCodeParser::parseBlock):
740         * dfg/DFGCapabilities.cpp:
741         (JSC::DFG::capabilityLevel):
742         * jit/JIT.cpp:
743         (JSC::JIT::privateCompileMainPass):
744         * jit/JIT.h:
745         * jit/JITOpcodes.cpp:
746         (JSC::JIT::emit_op_nop):
747         * llint/LowLevelInterpreter.asm:
748
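Added example, not JSC's BytecodeGenerator: a toy model of the conservative scheme described in the entry above. It emits the fast access optimistically, records its offset in the for-in context, and on pop rewrites every recorded access of an invalidated context to get_by_val plus op_nop; the opcode lengths (7 and 6) are from the entry, the operand names are this example's assumptions.

```javascript
// Added illustration, not JSC's code. Bytecode is a flat array of instruction
// words; get_direct_pname takes 7 words and get_by_val 6, so an in-place
// rewrite leaves one spare word that is filled with op_nop.
const OPCODE_LENGTH = { get_direct_pname: 7, get_by_val: 6, mov: 3, op_nop: 1 };

class ForInContext {
  constructor(inductionVar) {
    this.inductionVar = inductionVar;
    this.invalidated = false;
    this.getInsts = []; // offsets of optimized accesses emitted under this context
  }
}

class ToyGenerator {
  constructor() {
    this.bytecode = [];
    this.contexts = [];
  }

  pushForIn(inductionVar) {
    this.contexts.push(new ForInContext(inductionVar));
  }

  // Optimistically emit the fast access and remember where it landed.
  emitGetByVal(base, subscript) {
    const ctx = this.contexts.find((c) => c.inductionVar === subscript);
    const offset = this.bytecode.length;
    if (ctx && !ctx.invalidated) {
      ctx.getInsts.push(offset);
      this.bytecode.push('get_direct_pname', 'dst', base, subscript, 'index', 'enumerator', 'unused');
    } else {
      this.bytecode.push('get_by_val', 'dst', base, subscript, 'profile', 'mode');
    }
    return offset;
  }

  // A write to the induction variable invalidates the whole context, wherever
  // in the body it occurs; that is what makes the scheme sound across back edges.
  emitMov(local) {
    this.bytecode.push('mov', local, 'src');
    for (const ctx of this.contexts) {
      if (ctx.inductionVar === local) ctx.invalidated = true;
    }
  }

  // On pop, an invalidated context rewrites every access it optimized. The
  // replacement occupies the same number of words, so no offset moves.
  popForIn() {
    const ctx = this.contexts.pop();
    if (!ctx.invalidated) return ctx;
    for (const offset of ctx.getInsts) {
      const [, dst, base, subscript] = this.bytecode.slice(offset, offset + OPCODE_LENGTH.get_direct_pname);
      const replacement = ['get_by_val', dst, base, subscript, 'profile', 'mode', 'op_nop'];
      this.bytecode.splice(offset, OPCODE_LENGTH.get_direct_pname, ...replacement);
    }
    return ctx;
  }
}

// Walk the instruction stream by opcode length and return the opcodes seen.
function opcodesOf(bytecode) {
  const ops = [];
  for (let pc = 0; pc < bytecode.length; pc += OPCODE_LENGTH[bytecode[pc]]) ops.push(bytecode[pc]);
  return ops;
}

// Models `for (let p in o) { o[p]; [p = 20;] o[p]; }` with an optional write.
function compileForInBody(writesInductionVar) {
  const g = new ToyGenerator();
  g.pushForIn('p');
  g.emitGetByVal('o', 'p');
  if (writesInductionVar) g.emitMov('p');
  g.emitGetByVal('o', 'p');
  g.popForIn();
  return g.bytecode;
}
```
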
749 2017-05-25  Mark Lam  <mark.lam@apple.com>
750
751         ObjectToStringAdaptiveInferredPropertyValueWatchpoint should not reinstall itself nor handleFire if it's dying shortly.
752         https://bugs.webkit.org/show_bug.cgi?id=172548
753         <rdar://problem/31458393>
754
755         Reviewed by Filip Pizlo.
756
757         Consider the following scenario:
758
759         1. A ObjectToStringAdaptiveInferredPropertyValueWatchpoint O1, watches for
760            structure transitions, e.g. structure S2 transitioning to structure S3.
761            In this case, O1 would be installed in S2's watchpoint set.
762         2. When the structure transition happens, structure S2 will fire watchpoint O1.
763         3. O1's handler will normally re-install itself in the watchpoint set of the new
764            "transitioned to" structure S3.
765         4. "Installation" here requires writing into the StructureRareData SD3 of the new
766            structure S3.  If SD3 does not exist yet, the installation process will trigger
767            the allocation of StructureRareData SD3.
768         5. It is possible that the Structure S1, and StructureRareData SD1 that owns the
769            ObjectToStringAdaptiveInferredPropertyValueWatchpoint O1 is no longer reachable
770            by the GC, and therefore will be collected soon.
771         6. The allocation of SD3 in (4) may trigger the sweeping of the StructureRareData
772            SD1.  This, in turn, triggers the deletion of the
773            ObjectToStringAdaptiveInferredPropertyValueWatchpoint O1.
774
775         After O1 is deleted in (6) and SD3 is allocated in (4), execution continues in
776         AdaptiveInferredPropertyValueWatchpointBase::fire() where O1 gets installed in
777         structure S3's watchpoint set.  This is obviously incorrect because O1 is already
778         deleted.  The result is that badness happens later when S3's watchpoint set fires
779         its watchpoints and accesses the deleted O1.
780
781         The fix is to enhance AdaptiveInferredPropertyValueWatchpointBase::fire() to
782         check if "this" is still valid before proceeding to re-install itself or to
783         invoke its handleFire() method.
784
785         ObjectToStringAdaptiveInferredPropertyValueWatchpoint (which extends
786         AdaptiveInferredPropertyValueWatchpointBase) will override its isValid() method,
787         and return false if its owner StructureRareData is no longer reachable by the GC.
788         This ensures that it won't be deleted while it's installed to any watchpoint set.
789
790         Additional considerations and notes:
791         1. In the above, I talked about the ObjectToStringAdaptiveInferredPropertyValueWatchpoint
792            being installed in watchpoint sets.  What actually happens is that
793            ObjectToStringAdaptiveInferredPropertyValueWatchpoint has 2 members
794            (m_structureWatchpoint and m_propertyWatchpoint) which may be installed in
795            watchpoint sets.  The ObjectToStringAdaptiveInferredPropertyValueWatchpoint is
796            not itself a Watchpoint object.
797
798            But for brevity, in the above, I refer to the ObjectToStringAdaptiveInferredPropertyValueWatchpoint
799            instead of its Watchpoint members.  The description of the issue is still
800         accurate given that the life-cycle of the Watchpoint members is embedded in the
801            enclosing ObjectToStringAdaptiveInferredPropertyValueWatchpoint object, and
802            hence, they share the same life-cycle.
803
804         2. The top of AdaptiveInferredPropertyValueWatchpointBase::fire() removes its
805            m_structureWatchpoint and m_propertyWatchpoint if they have been added to any
806            watchpoint sets.  This is safe to do even if the owner StructureRareData is no
807            longer reachable by the GC.
808
809            This is because the only way we can get to AdaptiveInferredPropertyValueWatchpointBase::fire()
810            is if its Watchpoint members are still installed in some watchpoint set that
811            fired.  This means that the AdaptiveInferredPropertyValueWatchpointBase
812            instance has not been deleted yet, because its destructor will automatically
813            remove the Watchpoint members from any watchpoint sets.
814
815         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
816         (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
817         (JSC::AdaptiveInferredPropertyValueWatchpointBase::isValid):
818         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
819         * heap/FreeList.cpp:
820         (JSC::FreeList::contains):
821         * heap/FreeList.h:
822         * heap/HeapCell.h:
823         * heap/HeapCellInlines.h:
824         (JSC::HeapCell::isLive):
825         * heap/MarkedAllocator.h:
826         (JSC::MarkedAllocator::isFreeListedCell):
827         * heap/MarkedBlock.h:
828         * heap/MarkedBlockInlines.h:
829         (JSC::MarkedBlock::Handle::isFreeListedCell):
830         * runtime/StructureRareData.cpp:
831         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::isValid):
832
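Added example, not JSC's code: a toy heap where allocation sweeps unreachable cells, and a watchpoint that re-installs itself on fire. runScenario() replays steps 1 to 6 of the entry above with and without the isValid() check; all class and method names are this example's assumptions.

```javascript
// Added illustration, not JSC's code: the lifetime hazard from the entry above.
class ToyHeap {
  constructor() {
    this.cells = new Set();
    this.reachable = new Set();
  }
  allocate(cell) {
    this.sweep(); // an allocation may sweep, as in step 6
    this.cells.add(cell);
    this.reachable.add(cell);
    return cell;
  }
  release(cell) { this.reachable.delete(cell); } // cell is no longer reachable by the GC
  sweep() {
    for (const cell of [...this.cells]) {
      if (!this.reachable.has(cell)) { cell.destroy(); this.cells.delete(cell); }
    }
  }
  isLive(cell) { return this.cells.has(cell) && this.reachable.has(cell); }
}

class WatchpointSet {
  constructor() { this.watchpoints = new Set(); }
  add(w) { this.watchpoints.add(w); w.sets.add(this); }
  remove(w) { this.watchpoints.delete(w); w.sets.delete(this); }
  fireAll(nextStructure, checkValidity) {
    for (const w of [...this.watchpoints]) w.fire(nextStructure, checkValidity);
  }
}

class StructureRareData {
  constructor() { this.watchpointSet = new WatchpointSet(); this.ownedWatchpoints = []; }
  destroy() { for (const w of this.ownedWatchpoints) w.destroy(); }
}

class Structure {
  constructor() { this.rareData = null; }
  ensureRareData(heap) { // step 4: installing may have to allocate the rare data
    if (!this.rareData) this.rareData = heap.allocate(new StructureRareData());
    return this.rareData;
  }
}

class AdaptiveWatchpoint {
  constructor(heap, owner) {
    this.heap = heap; this.owner = owner; this.sets = new Set(); this.deleted = false;
    owner.ownedWatchpoints.push(this);
  }
  // The destructor removes the watchpoint from every set it is installed in (note 2).
  destroy() { for (const set of [...this.sets]) set.remove(this); this.deleted = true; }
  isValid() { return this.heap.isLive(this.owner); }
  fire(nextStructure, checkValidity) {
    for (const set of [...this.sets]) set.remove(this); // safe even if the owner is dying
    const target = nextStructure.ensureRareData(this.heap).watchpointSet; // may delete `this`
    if (checkValidity && !this.isValid()) return; // the fix: never touch a dying watchpoint
    target.add(this); // without the check a deleted watchpoint is installed here
  }
}

// Returns true if a deleted watchpoint ended up installed in S3's watchpoint set.
function runScenario(checkValidity) {
  const heap = new ToyHeap();
  const sd1 = heap.allocate(new StructureRareData());   // SD1 owns O1
  const o1 = new AdaptiveWatchpoint(heap, sd1);
  const s2 = new Structure();
  s2.ensureRareData(heap).watchpointSet.add(o1);        // step 1: O1 installed in S2's set
  const s3 = new Structure();                           // S3 has no rare data yet
  heap.release(sd1);                                    // step 5: SD1 is unreachable
  s2.rareData.watchpointSet.fireAll(s3, checkValidity); // steps 2 to 6
  return [...s3.rareData.watchpointSet.watchpoints].some((w) => w.deleted);
}
```
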
833 2017-05-23  Saam Barati  <sbarati@apple.com>
834
835         We should not mmap zero bytes for a memory in Wasm
836         https://bugs.webkit.org/show_bug.cgi?id=172528
837         <rdar://problem/32257076>
838
839         Reviewed by Mark Lam.
840
841         This patch fixes a bug where we would call into mmap with zero bytes
842         when creating a slow WasmMemory with zero initial page size. This fix
843         is simple: if we don't have any initial bytes, we just call the constructor
844         in WasmMemory that's meant to handle this case.
845
846         * wasm/WasmMemory.cpp:
847         (JSC::Wasm::Memory::create):
848
849 2017-05-23  Brian Burg  <bburg@apple.com>
850
851         REGRESSION(r217051): Automation sessions fail to complete bootstrap
852         https://bugs.webkit.org/show_bug.cgi?id=172513
853         <rdar://problem/32338354>
854
855         Reviewed by Joseph Pecoraro.
856
857         The changes to be more strict about typechecking messages were too strict.
858
859         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
860         (Inspector::RemoteInspector::receivedSetupMessage):
861         WIRAutomatically is an optional key in the setup message. In the relay, this key gets copied
862         into an NSDictionary as NSNull if the key isn't present in a forwarded command.
863         We need to revert NSNull values to nil, since it's valid to call [nil boolValue] but not
864         [[NSNull null] boolValue]. We also need to allow for nil in the typecheck for this key.
865
866 2017-05-23  Myles C. Maxfield  <mmaxfield@apple.com>
867
868         Remove dead ENABLE(FONT_LOAD_EVENTS) code
869         https://bugs.webkit.org/show_bug.cgi?id=172517
870
871         Rubber-stamped by Simon Fraser.
872
873         * Configurations/FeatureDefines.xcconfig:
874
875 2017-05-23  Saam Barati  <sbarati@apple.com>
876
877         CFGSimplificationPhase should not merge a block with itself
878         https://bugs.webkit.org/show_bug.cgi?id=172508
879         <rdar://problem/28424006>
880
881         Reviewed by Keith Miller.
882
883         CFGSimplificationPhase can run into or create IR that ends up with a
884         block that has a Jump to itself, and no other predecessors. It should
885         gracefully handle such IR. Before this patch, it would not. The only criteria
886         for merging 'block' with 'targetBlock' used to be that 'targetBlock.predecessors.size() == 1'.
887         The code is written in such a way that if we merge a block with itself, we
888         will infinite loop until we run out of memory.
889         
890         Merging a block with itself does not make sense for a few reasons. First,
891         we're joining the contents of two blocks. What is the definition of joining
892         a block with itself? I suppose we could simply unroll this self loop
893         one level, but that would not be wise because this self loop is by definition
894         unreachable unless it's the root block in the graph (which I think is
895         invalid IR since we'd never generate bytecode that would do this).
896         
897         This patch employs an easy fix: we can't merge a block with itself.
898
899         * dfg/DFGCFGSimplificationPhase.cpp:
900         (JSC::DFG::CFGSimplificationPhase::canMergeBlocks):
901         (JSC::DFG::CFGSimplificationPhase::run):
902         (JSC::DFG::CFGSimplificationPhase::convertToJump):
903         (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
904
905 2017-05-22  Brian Burg  <bburg@apple.com>
906
907         Web Inspector: webkit reload policy should match default behavior
908         https://bugs.webkit.org/show_bug.cgi?id=171385
909         <rdar://problem/31871515>
910
911         Reviewed by Joseph Pecoraro.
912
913         Add a new option to Page.reload that allows the test harness
914         to reload its test page using the old reload behavior.
915
916         The new behavior of revalidating expired cached subresources only
917         is the current default, since only the test harness needs the old behavior.
918
919         * inspector/protocol/Page.json:
920
921 2017-05-22  Keith Miller  <keith_miller@apple.com>
922
923         [Cocoa] An exported Objective C class’s prototype and constructor don't persist across JSContext deallocation
924         https://bugs.webkit.org/show_bug.cgi?id=167708
925
926         Reviewed by Geoffrey Garen.
927
928         This patch moves the Objective C wrapper map to the global object. In order to make this work the JSWrapperMap
929         class no longer holds a reference to the JSContext. Instead, the context must be provided when getting a wrapper.
930
931         Also, this patch fixes a "bug" where we would observe changes to the Object property on the global object when
932         creating a wrapper for NSObject.
933
934         * API/APICast.h:
935         (toJSGlobalObject):
936         * API/JSContext.mm:
937         (-[JSContext ensureWrapperMap]):
938         (-[JSContext initWithVirtualMachine:]):
939         (-[JSContext dealloc]):
940         (-[JSContext wrapperMap]):
941         (-[JSContext initWithGlobalContextRef:]):
942         (-[JSContext wrapperForObjCObject:]):
943         (-[JSContext wrapperForJSObject:]):
944         * API/JSWrapperMap.h:
945         * API/JSWrapperMap.mm:
946         (-[JSObjCClassInfo initForClass:]):
947         (-[JSObjCClassInfo allocateConstructorAndPrototypeInContext:]):
948         (-[JSObjCClassInfo wrapperForObject:inContext:]):
949         (-[JSObjCClassInfo constructorInContext:]):
950         (-[JSObjCClassInfo prototypeInContext:]):
951         (-[JSWrapperMap initWithGlobalContextRef:]):
952         (-[JSWrapperMap classInfoForClass:]):
953         (-[JSWrapperMap jsWrapperForObject:inContext:]):
954         (-[JSWrapperMap objcWrapperForJSValueRef:inContext:]):
955         (-[JSObjCClassInfo initWithContext:forClass:]): Deleted.
956         (-[JSObjCClassInfo allocateConstructorAndPrototype]): Deleted.
957         (-[JSObjCClassInfo wrapperForObject:]): Deleted.
958         (-[JSObjCClassInfo constructor]): Deleted.
959         (-[JSObjCClassInfo prototype]): Deleted.
960         (-[JSWrapperMap initWithContext:]): Deleted.
961         (-[JSWrapperMap jsWrapperForObject:]): Deleted.
962         (-[JSWrapperMap objcWrapperForJSValueRef:]): Deleted.
963         * API/tests/JSExportTests.mm:
964         (wrapperLifetimeIsTiedToGlobalObject):
965         (runJSExportTests):
966         * API/tests/testapi.mm:
967         * runtime/JSGlobalObject.h:
968         (JSC::JSGlobalObject::wrapperMap):
969         (JSC::JSGlobalObject::setWrapperMap):
970
971 2017-05-22  Filip Pizlo  <fpizlo@apple.com>
972
973         FTL stack overflow handling should not assume that B3 never selects callee-saves in the prologue
974         https://bugs.webkit.org/show_bug.cgi?id=172455
975
976         Reviewed by Mark Lam.
977         
978         The FTL needs to run B3's callee-save register restoration before it runs the exception
979         handler's callee-save register restoration.  This exposes B3's callee-save register
980         algorithm in AssemblyHelpers so that the FTL can call it.
981
982         * b3/air/AirGenerate.cpp:
983         (JSC::B3::Air::generate):
984         * ftl/FTLLowerDFGToB3.cpp:
985         (JSC::FTL::DFG::LowerDFGToB3::lower): Fix the bug.
986         * heap/Subspace.cpp: Added some debugging support.
987         (JSC::Subspace::allocate):
988         (JSC::Subspace::tryAllocate):
989         (JSC::Subspace::didAllocate):
990         * heap/Subspace.h:
991         * jit/AssemblyHelpers.h:
992         (JSC::AssemblyHelpers::addressFor):
993         (JSC::AssemblyHelpers::emitSave):
994         (JSC::AssemblyHelpers::emitRestore):
995
996 2017-05-20  Yusuke Suzuki  <utatane.tea@gmail.com>
997
998         [FTL] Support GetByVal with ArrayStorage and SlowPutArrayStorage
999         https://bugs.webkit.org/show_bug.cgi?id=172216
1000
1001         Reviewed by Saam Barati.
1002
1003         This patch adds GetByVal support for ArrayStorage and SlowPutArrayStorage.
1004         To lower CheckInBounds in FTL, we add a new GetVectorLength op. It only accepts
1005         ArrayStorage and SlowPutArrayStorage, and it produces the vector length.
1006         CheckInBounds uses this vector length to perform bound checking for ArrayStorage
1007         and SlowPutArrayStorage.
1008
1009         * dfg/DFGAbstractInterpreterInlines.h:
1010         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1011         * dfg/DFGArrayMode.cpp:
1012         (JSC::DFG::permitsBoundsCheckLowering):
1013         * dfg/DFGClobberize.h:
1014         (JSC::DFG::clobberize):
1015         * dfg/DFGDoesGC.cpp:
1016         (JSC::DFG::doesGC):
1017         * dfg/DFGFixupPhase.cpp:
1018         (JSC::DFG::FixupPhase::fixupNode):
1019         * dfg/DFGHeapLocation.cpp:
1020         (WTF::printInternal):
1021         * dfg/DFGHeapLocation.h:
1022         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
1023         * dfg/DFGNode.h:
1024         (JSC::DFG::Node::hasArrayMode):
1025         * dfg/DFGNodeType.h:
1026         * dfg/DFGPredictionPropagationPhase.cpp:
1027         * dfg/DFGSSALoweringPhase.cpp:
1028         (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
1029         * dfg/DFGSafeToExecute.h:
1030         (JSC::DFG::safeToExecute):
1031         * dfg/DFGSpeculativeJIT32_64.cpp:
1032         (JSC::DFG::SpeculativeJIT::compile):
1033         * dfg/DFGSpeculativeJIT64.cpp:
1034         (JSC::DFG::SpeculativeJIT::compile):
1035         * ftl/FTLAbstractHeapRepository.h:
1036         (JSC::FTL::AbstractHeapRepository::forIndexingType):
1037         (JSC::FTL::AbstractHeapRepository::forArrayType):
1038         * ftl/FTLCapabilities.cpp:
1039         (JSC::FTL::canCompile):
1040         * ftl/FTLLowerDFGToB3.cpp:
1041         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1042         (JSC::FTL::DFG::LowerDFGToB3::compileGetVectorLength):
1043         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1044         * jit/JITPropertyAccess.cpp:
1045         (JSC::JIT::emitArrayStoragePutByVal):
1046         * jit/JITPropertyAccess32_64.cpp:
1047         (JSC::JIT::emitArrayStorageLoad):
1048         (JSC::JIT::emitArrayStoragePutByVal):
1049
1050 2017-05-21  Saam Barati  <sbarati@apple.com>
1051
1052         We incorrectly throw a syntax error when declaring a top level for-loop iteration variable the same as a parameter
1053         https://bugs.webkit.org/show_bug.cgi?id=171041
1054         <rdar://problem/32082516>
1055
1056         Reviewed by Yusuke Suzuki.
1057
1058         We were treating a for-loop variable declaration potentially as a top
1059         level statement, e.g., in a program like this:
1060         ```
1061         function foo() {
1062             for (let variable of expr) { }
1063         }
1064         ```
1065         But we should not be. This had the consequence of making this type of program
1066         throw a syntax error:
1067         ```
1068         function foo(arg) {
1069             for (let arg of expr) { }
1070         }
1071         ```
1072         even though it should not. The fix is simple, we just need to increment the
1073         statement depth before parsing anything inside the for loop.
1074
1075         * parser/Parser.cpp:
1076         (JSC::Parser<LexerType>::parseForStatement):
1077
1078 2017-05-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1079
1080         [JSC] Make get_by_val & string "499" to number 499
1081         https://bugs.webkit.org/show_bug.cgi?id=172225
1082
1083         Reviewed by Saam Barati.
1084
1085         A property subscript will be converted by ToString. So JS code is not aware of
1086         the original type of the subscript value. But our get_by_val can leverage
1087         information if the given subscript is a number. Thus, passing a number instead of a
1088         string can improve the performance of get_by_val in all the tiers.
1089
1090         In this patch, we add BytecodeGenerator::emitNodeForProperty. It attempts to
1091         convert the given value to Int32 index constant if the given value is a string
1092         that can be converted to Int32.
1093
1094         This patch improves SixSpeed map-string.es5 by 9.8x. This accessing form can
1095         appear in some code like accessing the result of JSON.
1096
1097             map-string.es5     1640.6738+-110.9182   ^    167.4121+-23.8328       ^ definitely 9.8002x faster
1098
1099         * bytecompiler/BytecodeGenerator.h:
1100         (JSC::BytecodeGenerator::emitNodeForProperty):
1101         (JSC::BytecodeGenerator::emitNodeForLeftHandSideForProperty):
1102         * bytecompiler/NodesCodegen.cpp:
1103         (JSC::TaggedTemplateNode::emitBytecode):
1104         (JSC::BracketAccessorNode::emitBytecode):
1105         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByValDirect):
1106         (JSC::FunctionCallBracketNode::emitBytecode):
1107         (JSC::PostfixNode::emitBracket):
1108         (JSC::PrefixNode::emitBracket):
1109         (JSC::AssignBracketNode::emitBytecode):
1110         (JSC::ReadModifyBracketNode::emitBytecode):
1111         (JSC::ForInNode::emitLoopHeader):
1112         (JSC::ForOfNode::emitBytecode):
1113         (JSC::ObjectPatternNode::bindValue):
1114         (JSC::AssignmentElementNode::bindValue):
1115
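Added example, not JSC's emitNodeForProperty: the condition under which a string subscript can be replaced by an Int32 index constant without changing semantics, together with a check that both access forms observe the same property. The Int32 bound and the canonical-form rules are this example's assumptions.

```javascript
// Added illustration, not JSC's code. Property keys go through ToString, so the
// rewrite is only transparent when the number converts back to exactly the
// same string ("499" qualifies, "0499" or "499.0" do not).
const INT32_MAX = 0x7fffffff; // assumed bound for the emitted Int32 constant

function int32IndexForSubscript(subscript) {
  if (typeof subscript !== 'string') return null;
  // Canonical unsigned decimal integer only: no sign, whitespace, dot,
  // exponent or leading zero (except "0" itself).
  if (!/^(?:0|[1-9][0-9]*)$/.test(subscript)) return null;
  const value = Number(subscript);
  if (value > INT32_MAX) return null;
  // Round-trip guard: ToString(value) must be the original key.
  return String(value) === subscript ? value : null;
}

// The access must observe the same value whichever form is used.
function accessAgrees(object, subscript) {
  const index = int32IndexForSubscript(subscript);
  return index === null || object[subscript] === object[index];
}
```
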
1116 2017-05-21  Saam Barati  <sbarati@apple.com>
1117
1118         We overwrite the callee save space on the stack when throwing stack overflow from wasm
1119         https://bugs.webkit.org/show_bug.cgi?id=172316
1120
1121         Reviewed by Mark Lam.
1122
1123         When throwing a stack overflow exception, the overflow
1124         thunk would do the following:
1125           move fp, sp
1126           populate argument registers
1127           call C code
1128         
1129         However, the C function is allowed to clobber our spilled
1130         callee saves that live below fp. The reason I did this move is that
1131         when we jump to this code, we've proven that sp is out of bounds on
1132         the stack. So we're not allowed to just use its value or keep growing
1133         the stack from that point. However, this patch revises this approach
1134         to be the same in spirit, but actually correct. We conservatively assume
1135         the B3 function we're coming from could have saved all callee saves.
1136         So we emit code like this now:
1137           add -maxNumCalleeSaveSpace, fp, sp
1138           populate argument registers
1139           call C code
1140         
1141         This ensures our callee saves will not be overwritten. Note
1142         that fp is still in a valid stack range here, since the thing
1143         calling the wasm code did a stack check. Also note that maxNumCalleeSaveSpace
1144         is less than our redzone size, so it's safe to decrement sp by 
1145         this amount.
1146         
1147         The previously added wasm stack overflow test is an instant crash
1148         without this change on arm64. It also appears that this test crashed
1149         on some other x86 devices.
1150
1151         * wasm/WasmThunks.cpp:
1152         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
1153
1154 2017-05-20  Chris Dumez  <cdumez@apple.com>
1155
1156         Drop [NoInterfaceObject] from RTCDTMFSender and RTCStatsReport
1157         https://bugs.webkit.org/show_bug.cgi?id=172418
1158
1159         Reviewed by Youenn Fablet.
1160
1161         Add CommonIdentifiers that are now needed.
1162
1163         * runtime/CommonIdentifiers.h:
1164
1165 2017-05-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1166
1167         Unreviewed, add scope.release() to propertyIsEnumerable functions.
1168         https://bugs.webkit.org/show_bug.cgi?id=172411
1169
1170         * runtime/JSGlobalObjectFunctions.cpp:
1171         (JSC::globalFuncPropertyIsEnumerable):
1172         * runtime/ObjectPrototype.cpp:
1173         (JSC::objectProtoFuncPropertyIsEnumerable):
1174
1175 2017-05-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1176
1177         [JSC] Drop MapBase
1178         https://bugs.webkit.org/show_bug.cgi?id=172417
1179
1180         Reviewed by Sam Weinig.
1181
1182         MapBase is a purely additional indirection. JSMap and JSSet can directly inherit HashMapImpl.
1183         Thus MapBase is unnecessary. This patch drops it.
1184         It is good because we can eliminate one indirection when accessing the map implementation.
1185         Moreover, we can drop one unnecessary allocation per Map and Set.
1186
1187         * CMakeLists.txt:
1188         * JavaScriptCore.xcodeproj/project.pbxproj:
1189         * dfg/DFGSpeculativeJIT64.cpp:
1190         (JSC::DFG::SpeculativeJIT::compile):
1191         * ftl/FTLAbstractHeapRepository.h:
1192         * ftl/FTLLowerDFGToB3.cpp:
1193         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
1194         * runtime/HashMapImpl.cpp:
1195         (JSC::HashMapImpl<HashMapBucket>::estimatedSize):
1196         (JSC::getHashMapImplKeyClassInfo): Deleted.
1197         (JSC::getHashMapImplKeyValueClassInfo): Deleted.
1198         * runtime/HashMapImpl.h:
1199         (JSC::HashMapImpl::finishCreation):
1200         (JSC::HashMapImpl::get):
1201         (JSC::HashMapImpl::info): Deleted.
1202         (JSC::HashMapImpl::createStructure): Deleted.
1203         (JSC::HashMapImpl::create): Deleted.
1204         * runtime/JSMap.h:
1205         (JSC::JSMap::set):
1206         (JSC::JSMap::get): Deleted.
1207         * runtime/JSMapIterator.cpp:
1208         (JSC::JSMapIterator::finishCreation):
1209         * runtime/JSSet.h:
1210         (JSC::JSSet::add): Deleted.
1211         * runtime/JSSetIterator.cpp:
1212         (JSC::JSSetIterator::finishCreation):
1213         * runtime/MapBase.cpp: Removed.
1214         * runtime/MapBase.h: Removed.
1215         * runtime/MapPrototype.cpp:
1216         (JSC::mapProtoFuncSize):
1217         * runtime/SetConstructor.cpp:
1218         (JSC::constructSet):
1219         * runtime/SetPrototype.cpp:
1220         (JSC::setProtoFuncSize):
1221         * runtime/VM.cpp:
1222         (JSC::VM::VM):
1223
1224 2017-05-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1225
1226         [JSC] Speedup Object.assign for slow case by using propertyIsEnumerable
1227         https://bugs.webkit.org/show_bug.cgi?id=172411
1228
1229         Reviewed by Sam Weinig.
1230
1231         We use @Reflect.@getOwnPropertyDescriptor() to check
1232
1233         1. the descriptor exists,
1234         2. and the descriptor.enumerable is true
1235
1236         But Object::propertyIsEnumerable does the completely same thing without
1237         allocating a new object for property descriptor.
1238
1239         In this patch, we add a new private function @propertyIsEnumerable, and
1240         use it in Object.assign implementation. It does not allocate unnecessary
1241         objects. It is good for GC-pressure and performance.
1242
1243         This patch improves SixSpeed object-assign.es6 by 1.7x. While this patch
1244         does not introduce a fast path for objects that do not have accessors,
1245         and it could speed up things further, this patch can speed up the common
1246         slow path cases that are the current implementation of Object.assign.
1247
1248             object-assign.es6     1103.2487+-21.5602    ^    621.8478+-34.9875       ^ definitely 1.7741x faster
1249
1250         * builtins/BuiltinNames.h:
1251         * builtins/ObjectConstructor.js:
1252         (globalPrivate.enumerableOwnProperties):
1253         (assign):
1254         * runtime/JSGlobalObject.cpp:
1255         (JSC::JSGlobalObject::init):
1256         * runtime/JSGlobalObjectFunctions.cpp:
1257         (JSC::globalFuncPropertyIsEnumerable):
1258         * runtime/JSGlobalObjectFunctions.h:
1259
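Added example, not JSC's builtins/ObjectConstructor.js: the Object.assign slow path written two ways, once with a descriptor per key and once with propertyIsEnumerable, so the two checks can be compared on a constructed source that has a non-enumerable key, a symbol key and a getter. The function and helper names are this example's assumptions.

```javascript
// Added illustration, not JSC's code. Both variants copy own enumerable string
// and symbol keys and read values with [[Get]] (so getters run exactly once);
// only the enumerability test differs.
const hasOwnEnumerable = Object.prototype.propertyIsEnumerable;

function assignViaDescriptor(target, ...sources) {
  if (target === null || target === undefined) throw new TypeError('target must be an object');
  const to = Object(target);
  for (const source of sources) {
    if (source === null || source === undefined) continue;
    const from = Object(source);
    for (const key of Reflect.ownKeys(from)) {
      // Allocates a descriptor object for every key just to read one flag.
      const desc = Reflect.getOwnPropertyDescriptor(from, key);
      if (desc !== undefined && desc.enumerable) to[key] = from[key];
    }
  }
  return to;
}

function assignViaPropertyIsEnumerable(target, ...sources) {
  if (target === null || target === undefined) throw new TypeError('target must be an object');
  const to = Object(target);
  for (const source of sources) {
    if (source === null || source === undefined) continue;
    const from = Object(source);
    for (const key of Reflect.ownKeys(from)) {
      // Same check, no descriptor allocation. Called through the prototype's
      // original function so a `propertyIsEnumerable` defined on `from` cannot interfere.
      if (hasOwnEnumerable.call(from, key)) to[key] = from[key];
    }
  }
  return to;
}

// Constructed source: a data property, a non-enumerable property, a symbol key
// and a counting getter.
function makeSource() {
  let getterCalls = 0;
  const sym = Symbol('tag');
  const source = { a: 1, [sym]: 'symbol-value' };
  Object.defineProperty(source, 'hidden', { value: 'skip', enumerable: false });
  Object.defineProperty(source, 'computed', { get() { getterCalls += 1; return 'g'; }, enumerable: true });
  return { source, sym, getterCalls: () => getterCalls };
}
```
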
1260 2017-05-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1261
1262         [JSC] Enable testapi on Mac CMake build
1263         https://bugs.webkit.org/show_bug.cgi?id=172354
1264
1265         Reviewed by Alex Christensen.
1266
1267         This patch makes testapi buildable and runnable for Mac CMake port.
1268
1269         * API/tests/DateTests.mm:
1270         (+[DateTests JSDateToNSDateTest]):
1271         (+[DateTests roundTripThroughJSDateTest]):
1272         This test only works with the en_US locale.
1273
1274         * shell/CMakeLists.txt:
1275         * shell/PlatformMac.cmake:
1276         Some of the tests rely on ARC. We enable ARC for those files.
1277
1278         * shell/PlatformWin.cmake:
1279         Clean up.
1280
1281 2017-05-19  Mark Lam  <mark.lam@apple.com>
1282
1283         [Re-landing] DFG::SpeculativeJIT::pickCanTrample() is wrongly ignoring result registers.
1284         https://bugs.webkit.org/show_bug.cgi?id=172383
1285         <rdar://problem/31418651>
1286
1287         Reviewed by Filip Pizlo.
1288
1289         pickCanTrample() is wrongly assuming that one of regT0 and regT1 is always
1290         available as a scratch register.  This assumption is wrong if this canTrample
1291         register is used for a silentFill() after an operation that returns a result in
1292         regT0 or regT1.
1293
1294         Turns out the only reason we need the canTrample register is for
1295         SetDoubleConstant.  We can remove the need for this canTrample register by
1296         introducing a moveDouble() pseudo instruction in the MacroAssembler to do the
1297         job using the scratchRegister() on X86_64 or the dataMemoryTempRegister() on
1298         ARM64.  In so doing, we can simplify the silentFill() code and eliminate the bug.
1299
1300         Update for re-landing: Changed ARM64 to use scratchRegister() as well.
1301         scratchRegister() is the proper way to get the underlying dataMemoryTempRegister()
1302         as a scratch register.
1303
1304         * assembler/MacroAssembler.h:
1305         (JSC::MacroAssembler::moveDouble):
1306         * dfg/DFGArrayifySlowPathGenerator.h:
1307         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
1308         (JSC::DFG::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator):
1309         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
1310         * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
1311         * dfg/DFGSlowPathGenerator.h:
1312         (JSC::DFG::CallSlowPathGenerator::tearDown):
1313         * dfg/DFGSpeculativeJIT.cpp:
1314         (JSC::DFG::SpeculativeJIT::silentFill):
1315         (JSC::DFG::SpeculativeJIT::compileToLowerCase):
1316         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1317         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
1318         (JSC::DFG::SpeculativeJIT::emitUntypedBitOp):
1319         (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp):
1320         (JSC::DFG::SpeculativeJIT::compileArithDiv):
1321         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1322         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
1323         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
1324         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
1325         * dfg/DFGSpeculativeJIT.h:
1326         (JSC::DFG::SpeculativeJIT::silentFill):
1327         (JSC::DFG::SpeculativeJIT::silentSpillAllRegisters):
1328         (JSC::DFG::SpeculativeJIT::silentFillAllRegisters):
1329         (JSC::DFG::SpeculativeJIT::pickCanTrample): Deleted.
1330         * dfg/DFGSpeculativeJIT32_64.cpp:
1331         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1332         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
1333         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
1334         (JSC::DFG::SpeculativeJIT::emitCall):
1335         (JSC::DFG::SpeculativeJIT::compile):
1336         * dfg/DFGSpeculativeJIT64.cpp:
1337         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1338         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
1339         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
1340         (JSC::DFG::SpeculativeJIT::emitCall):
1341         (JSC::DFG::SpeculativeJIT::compile):
1342         (JSC::DFG::SpeculativeJIT::convertAnyInt):
1343
1344 2017-05-19  Ryan Haddad  <ryanhaddad@apple.com>
1345
1346         Unreviewed, rolling out r217156.
1347
1348         This change broke the iOS build.
1349
1350         Reverted changeset:
1351
1352         "DFG::SpeculativeJIT::pickCanTrample() is wrongly ignoring
1353         result registers."
1354         https://bugs.webkit.org/show_bug.cgi?id=172383
1355         http://trac.webkit.org/changeset/217156
1356
1357 2017-05-19  Mark Lam  <mark.lam@apple.com>
1358
1359         Add missing exception check.
1360         https://bugs.webkit.org/show_bug.cgi?id=172346
1361         <rdar://problem/32289640>
1362
1363         Reviewed by Geoffrey Garen.
1364
1365         * runtime/JSObject.cpp:
1366         (JSC::JSObject::hasInstance):
1367
1368 2017-05-19  Mark Lam  <mark.lam@apple.com>
1369
1370         DFG::SpeculativeJIT::pickCanTrample() is wrongly ignoring result registers.
1371         https://bugs.webkit.org/show_bug.cgi?id=172383
1372         <rdar://problem/31418651>
1373
1374         Reviewed by Filip Pizlo.
1375
1376         pickCanTrample() is wrongly assuming that one of regT0 and regT1 is always
1377         available as a scratch register.  This assumption is wrong if this canTrample
1378         register is used for a silentFill() after an operation that returns a result in
1379         regT0 or regT1.
1380
1381         Turns out the only reason we need the canTrample register is for
1382         SetDoubleConstant.  We can remove the need for this canTrample register by
1383         introducing a moveDouble() pseudo instruction in the MacroAssembler to do the
1384         job using the scratchRegister() on X86_64 or the dataMemoryTempRegister() on
1385         ARM64.  In so doing, we can simplify the silentFill() code and eliminate the bug.
1386
1387         * assembler/MacroAssembler.h:
1388         (JSC::MacroAssembler::moveDouble):
1389         * dfg/DFGArrayifySlowPathGenerator.h:
1390         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
1391         (JSC::DFG::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator):
1392         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
1393         * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
1394         * dfg/DFGSlowPathGenerator.h:
1395         (JSC::DFG::CallSlowPathGenerator::tearDown):
1396         * dfg/DFGSpeculativeJIT.cpp:
1397         (JSC::DFG::SpeculativeJIT::silentFill):
1398         (JSC::DFG::SpeculativeJIT::compileToLowerCase):
1399         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1400         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
1401         (JSC::DFG::SpeculativeJIT::emitUntypedBitOp):
1402         (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp):
1403         (JSC::DFG::SpeculativeJIT::compileArithDiv):
1404         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1405         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
1406         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
1407         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
1408         * dfg/DFGSpeculativeJIT.h:
1409         (JSC::DFG::SpeculativeJIT::silentFill):
1410         (JSC::DFG::SpeculativeJIT::silentSpillAllRegisters):
1411         (JSC::DFG::SpeculativeJIT::silentFillAllRegisters):
1412         (JSC::DFG::SpeculativeJIT::pickCanTrample): Deleted.
1413         * dfg/DFGSpeculativeJIT32_64.cpp:
1414         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1415         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
1416         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
1417         (JSC::DFG::SpeculativeJIT::emitCall):
1418         (JSC::DFG::SpeculativeJIT::compile):
1419         * dfg/DFGSpeculativeJIT64.cpp:
1420         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1421         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
1422         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
1423         (JSC::DFG::SpeculativeJIT::emitCall):
1424         (JSC::DFG::SpeculativeJIT::compile):
1425         (JSC::DFG::SpeculativeJIT::convertAnyInt):
1426
1427 2017-05-19  Filip Pizlo  <fpizlo@apple.com>
1428
1429         Deduplicate some code in arrayProtoPrivateFuncConcatMemcpy
1430         https://bugs.webkit.org/show_bug.cgi?id=172382
1431
1432         Reviewed by Saam Barati.
1433         
1434         This is just a small clean-up - my last patch here created some unnecessary code duplication.
1435
1436         * runtime/ArrayPrototype.cpp:
1437         (JSC::arrayProtoPrivateFuncConcatMemcpy):
1438
1439 2017-05-19  Filip Pizlo  <fpizlo@apple.com>
1440
1441         arrayProtoPrivateFuncConcatMemcpy needs to be down with firstArray being undecided
1442         https://bugs.webkit.org/show_bug.cgi?id=172369
1443
1444         Reviewed by Mark Lam.
1445
1446         * heap/Subspace.cpp: Reshaped the code a bit to aid debugging.
1447         (JSC::Subspace::allocate):
1448         (JSC::Subspace::tryAllocate):
1449         * runtime/ArrayPrototype.cpp:
1450         (JSC::arrayProtoPrivateFuncConcatMemcpy): Fix the bug!
1451         * runtime/ObjectInitializationScope.cpp: Provide even better feedback.
1452         (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
1453
1454 2017-05-18  Filip Pizlo  <fpizlo@apple.com>
1455
1456         B3::Value::effects() says that having a fence range implies the fence bit, but on x86_64 we lower loadAcq/storeRel to load/store so the store-before-load fence bit orderings won't be honored
1457         https://bugs.webkit.org/show_bug.cgi?id=172306
1458
1459         Reviewed by Michael Saboff.
1460         
1461         This changes B3 to emit xchg and its variants for fenced stores on x86. This ensures that
1462         fenced stores cannot be reordered around other fenced instructions. Previously, B3 emitted
1463         normal store instructions for fenced stores. That's wrong because then you get reorderings
1464         that are possible in TSO but impossible in SC. Fenced instructions are supposed to be SC
1465         with respect to each other.
1466         
1467         This is imprecise. If you really just wanted a store-release, then every X86 store does this.
1468         But, in B3, fenced stores are ARM-style store-release, meaning that they are fenced with
1469         respect to all other fences. If we ever did want to say that something is a store release in
1470         the traditional sense, then we'd want MemoryValue to have a fence flag. Then, having a fence
1471         range without the fence flag would mean the traditional store-release, which lowers to a
1472         normal store on x86. But to my knowledge, that traditional store-release is only useful for
1473         unlocking spinlocks. We don't use spinlocks in JSC. Adaptive locks require CAS for unlock,
1474         and B3 CAS is plenty fast. I think it's OK to have this small imprecision of giving clients
1475         an ARM-style store-release on x86 using xchg.
1476         
1477         The implication of this change is that the FTL no longer violates the SAB memory model.
1478
1479         * assembler/MacroAssemblerX86Common.h:
1480         (JSC::MacroAssemblerX86Common::xchg8):
1481         (JSC::MacroAssemblerX86Common::xchg16):
1482         (JSC::MacroAssemblerX86Common::xchg32):
1483         (JSC::MacroAssemblerX86Common::loadAcq8): Deleted.
1484         (JSC::MacroAssemblerX86Common::loadAcq8SignedExtendTo32): Deleted.
1485         (JSC::MacroAssemblerX86Common::loadAcq16): Deleted.
1486         (JSC::MacroAssemblerX86Common::loadAcq16SignedExtendTo32): Deleted.
1487         (JSC::MacroAssemblerX86Common::loadAcq32): Deleted.
1488         (JSC::MacroAssemblerX86Common::storeRel8): Deleted.
1489         (JSC::MacroAssemblerX86Common::storeRel16): Deleted.
1490         (JSC::MacroAssemblerX86Common::storeRel32): Deleted.
1491         * assembler/MacroAssemblerX86_64.h:
1492         (JSC::MacroAssemblerX86_64::xchg64):
1493         (JSC::MacroAssemblerX86_64::loadAcq64): Deleted.
1494         (JSC::MacroAssemblerX86_64::storeRel64): Deleted.
1495         * b3/B3LowerToAir.cpp:
1496         (JSC::B3::Air::LowerToAir::ArgPromise::inst):
1497         (JSC::B3::Air::LowerToAir::trappingInst):
1498         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp):
1499         (JSC::B3::Air::LowerToAir::createStore):
1500         (JSC::B3::Air::LowerToAir::storeOpcode):
1501         (JSC::B3::Air::LowerToAir::appendStore):
1502         (JSC::B3::Air::LowerToAir::append):
1503         (JSC::B3::Air::LowerToAir::appendTrapping):
1504         (JSC::B3::Air::LowerToAir::fillStackmap):
1505         (JSC::B3::Air::LowerToAir::lower):
1506         * b3/air/AirKind.cpp:
1507         (JSC::B3::Air::Kind::dump):
1508         * b3/air/AirKind.h:
1509         (JSC::B3::Air::Kind::Kind):
1510         (JSC::B3::Air::Kind::operator==):
1511         (JSC::B3::Air::Kind::hash):
1512         * b3/air/AirLowerAfterRegAlloc.cpp:
1513         (JSC::B3::Air::lowerAfterRegAlloc):
1514         * b3/air/AirLowerMacros.cpp:
1515         (JSC::B3::Air::lowerMacros):
1516         * b3/air/AirOpcode.opcodes:
1517         * b3/air/AirValidate.cpp:
1518         * b3/air/opcode_generator.rb:
1519         * b3/testb3.cpp:
1520         (JSC::B3::correctSqrt):
1521         (JSC::B3::testSqrtArg):
1522         (JSC::B3::testSqrtImm):
1523         (JSC::B3::testSqrtMem):
1524         (JSC::B3::testSqrtArgWithUselessDoubleConversion):
1525         (JSC::B3::testSqrtArgWithEffectfulDoubleConversion):
1526         (JSC::B3::testStoreRelAddLoadAcq32):
1527         (JSC::B3::testTrappingLoad):
1528         (JSC::B3::testTrappingStore):
1529         (JSC::B3::testTrappingLoadAddStore):
1530         (JSC::B3::testTrappingLoadDCE):
1531
1532 2017-05-19  Don Olmstead  <don.olmstead@am.sony.com>
1533
1534         [JSC] Remove PLATFORM(WIN) references
1535         https://bugs.webkit.org/show_bug.cgi?id=172294
1536
1537         Reviewed by Yusuke Suzuki.
1538
1539         * heap/MachineStackMarker.cpp:
1540         (JSC::MachineThreads::removeThread):
1541         * llint/LLIntOfflineAsmConfig.h:
1542         * runtime/ConfigFile.h:
1543         * runtime/VM.cpp:
1544         (JSC::VM::updateStackLimits):
1545
1546 2017-05-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1547
1548         [JSC][DFG][DOMJIT] Extend CheckDOM to CheckSubClass
1549         https://bugs.webkit.org/show_bug.cgi?id=172098
1550
1551         Reviewed by Saam Barati.
1552
1553         In this patch, we generalize CheckDOM to CheckSubClass.
1554         It can accept any ClassInfo and perform ClassInfo check
1555         in DFG / FTL. Now, we add a new function pointer to ClassInfo,
1556         checkSubClassPatchpoint. It can create DOMJIT patchpoint
1557         for that ClassInfo. It is natural that ClassInfo holds the
1558         way to emit DOMJIT::Patchpoint to perform CheckSubClass
1559         rather than having it in each DOMJIT getter / function
1560         signature annotation.
1561
1562         One problem is that it enlarges the size of ClassInfo.
1563         But this is the best place to put this function pointer.
1564         By doing so, we can add a patchpoint for CheckSubClass
1565         in a non-intrusive manner: WebCore can inject patchpoints
1566         without interacting with JSC.
1567
1568         We still have a way to reduce the size of ClassInfo if
1569         we move ArrayBuffer-related methods out to other places.
1570
1571         This patch touches many files because we add a new function
1572         pointer to ClassInfo. But they are basically mechanical changes.
1573
1574         * API/JSAPIWrapperObject.mm:
1575         * API/JSCallbackConstructor.cpp:
1576         * API/JSCallbackFunction.cpp:
1577         * API/JSCallbackObject.cpp:
1578         * API/ObjCCallbackFunction.mm:
1579         * CMakeLists.txt:
1580         * JavaScriptCore.xcodeproj/project.pbxproj:
1581         * bytecode/CodeBlock.cpp:
1582         * bytecode/DOMJITAccessCasePatchpointParams.h:
1583         (JSC::DOMJITAccessCasePatchpointParams::DOMJITAccessCasePatchpointParams):
1584         * bytecode/EvalCodeBlock.cpp:
1585         * bytecode/FunctionCodeBlock.cpp:
1586         * bytecode/GetterSetterAccessCase.cpp:
1587         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
1588         * bytecode/ModuleProgramCodeBlock.cpp:
1589         * bytecode/ProgramCodeBlock.cpp:
1590         * bytecode/UnlinkedCodeBlock.cpp:
1591         * bytecode/UnlinkedEvalCodeBlock.cpp:
1592         * bytecode/UnlinkedFunctionCodeBlock.cpp:
1593         * bytecode/UnlinkedFunctionExecutable.cpp:
1594         * bytecode/UnlinkedModuleProgramCodeBlock.cpp:
1595         * bytecode/UnlinkedProgramCodeBlock.cpp:
1596         * debugger/DebuggerScope.cpp:
1597         * dfg/DFGAbstractInterpreterInlines.h:
1598         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1599         * dfg/DFGByteCodeParser.cpp:
1600         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
1601         * dfg/DFGClobberize.h:
1602         (JSC::DFG::clobberize):
1603         * dfg/DFGConstantFoldingPhase.cpp:
1604         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1605         * dfg/DFGDOMJITPatchpointParams.h:
1606         (JSC::DFG::DOMJITPatchpointParams::DOMJITPatchpointParams):
1607         * dfg/DFGDoesGC.cpp:
1608         (JSC::DFG::doesGC):
1609         * dfg/DFGFixupPhase.cpp:
1610         (JSC::DFG::FixupPhase::fixupNode):
1611         (JSC::DFG::FixupPhase::attemptToMakeCallDOM):
1612         (JSC::DFG::FixupPhase::fixupCheckSubClass):
1613         (JSC::DFG::FixupPhase::fixupCheckDOM): Deleted.
1614         * dfg/DFGGraph.cpp:
1615         (JSC::DFG::Graph::dump):
1616         * dfg/DFGNode.h:
1617         (JSC::DFG::Node::hasClassInfo):
1618         (JSC::DFG::Node::classInfo):
1619         (JSC::DFG::Node::hasCheckDOMPatchpoint): Deleted.
1620         (JSC::DFG::Node::checkDOMPatchpoint): Deleted.
1621         * dfg/DFGNodeType.h:
1622         * dfg/DFGPredictionPropagationPhase.cpp:
1623         * dfg/DFGSafeToExecute.h:
1624         (JSC::DFG::safeToExecute):
1625         * dfg/DFGSpeculativeJIT.cpp:
1626         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
1627         (JSC::DFG::SpeculativeJIT::compileCheckDOM): Deleted.
1628         * dfg/DFGSpeculativeJIT.h:
1629         (JSC::DFG::SpeculativeJIT::vm):
1630         * dfg/DFGSpeculativeJIT32_64.cpp:
1631         (JSC::DFG::SpeculativeJIT::compile):
1632         * dfg/DFGSpeculativeJIT64.cpp:
1633         (JSC::DFG::SpeculativeJIT::compile):
1634         * domjit/DOMJITGetterSetter.h:
1635         * domjit/DOMJITPatchpointParams.h:
1636         (JSC::DOMJIT::PatchpointParams::PatchpointParams):
1637         (JSC::DOMJIT::PatchpointParams::vm):
1638         * domjit/DOMJITSignature.h:
1639         (JSC::DOMJIT::Signature::Signature):
1640         (JSC::DOMJIT::Signature::checkDOM): Deleted.
1641         * ftl/FTLAbstractHeapRepository.h:
1642         * ftl/FTLCapabilities.cpp:
1643         (JSC::FTL::canCompile):
1644         * ftl/FTLDOMJITPatchpointParams.h:
1645         (JSC::FTL::DOMJITPatchpointParams::DOMJITPatchpointParams):
1646         * ftl/FTLLowerDFGToB3.cpp:
1647         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1648         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1649         (JSC::FTL::DFG::LowerDFGToB3::compileCheckDOM): Deleted.
1650         * inspector/JSInjectedScriptHost.cpp:
1651         * inspector/JSInjectedScriptHostPrototype.cpp:
1652         * inspector/JSJavaScriptCallFrame.cpp:
1653         * inspector/JSJavaScriptCallFramePrototype.cpp:
1654         * jsc.cpp:
1655         (WTF::DOMJITNode::checkSubClassPatchpoint):
1656         (WTF::DOMJITFunctionObject::checkSubClassPatchpoint):
1657         (WTF::DOMJITFunctionObject::finishCreation):
1658         (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
1659         (WTF::DOMJITCheckSubClassObject::createStructure):
1660         (WTF::DOMJITCheckSubClassObject::create):
1661         (WTF::DOMJITCheckSubClassObject::safeFunction):
1662         (WTF::DOMJITCheckSubClassObject::unsafeFunction):
1663         (WTF::DOMJITCheckSubClassObject::finishCreation):
1664         (GlobalObject::finishCreation):
1665         (functionCreateDOMJITCheckSubClassObject):
1666         (WTF::DOMJITNode::checkDOMJITNode): Deleted.
1667         (WTF::DOMJITFunctionObject::checkDOMJITNode): Deleted.
1668         * runtime/AbstractModuleRecord.cpp:
1669         * runtime/ArrayBufferNeuteringWatchpoint.cpp:
1670         * runtime/ArrayConstructor.cpp:
1671         * runtime/ArrayIteratorPrototype.cpp:
1672         * runtime/ArrayPrototype.cpp:
1673         * runtime/AsyncFunctionConstructor.cpp:
1674         * runtime/AsyncFunctionPrototype.cpp:
1675         * runtime/AtomicsObject.cpp:
1676         * runtime/BooleanConstructor.cpp:
1677         * runtime/BooleanObject.cpp:
1678         * runtime/BooleanPrototype.cpp:
1679         * runtime/ClassInfo.cpp: Copied from Source/JavaScriptCore/tools/JSDollarVM.cpp.
1680         (JSC::ClassInfo::dump):
1681         * runtime/ClassInfo.h:
1682         (JSC::ClassInfo::offsetOfParentClass):
1683         * runtime/ClonedArguments.cpp:
1684         * runtime/ConsoleObject.cpp:
1685         * runtime/CustomGetterSetter.cpp:
1686         * runtime/DateConstructor.cpp:
1687         * runtime/DateInstance.cpp:
1688         * runtime/DatePrototype.cpp:
1689         * runtime/DirectArguments.cpp:
1690         * runtime/Error.cpp:
1691         * runtime/ErrorConstructor.cpp:
1692         * runtime/ErrorInstance.cpp:
1693         * runtime/ErrorPrototype.cpp:
1694         * runtime/EvalExecutable.cpp:
1695         * runtime/Exception.cpp:
1696         * runtime/ExceptionHelpers.cpp:
1697         * runtime/ExecutableBase.cpp:
1698         * runtime/FunctionConstructor.cpp:
1699         * runtime/FunctionExecutable.cpp:
1700         * runtime/FunctionPrototype.cpp:
1701         * runtime/FunctionRareData.cpp:
1702         * runtime/GeneratorFunctionConstructor.cpp:
1703         * runtime/GeneratorFunctionPrototype.cpp:
1704         * runtime/GeneratorPrototype.cpp:
1705         * runtime/GetterSetter.cpp:
1706         * runtime/HashMapImpl.cpp:
1707         * runtime/HashMapImpl.h:
1708         * runtime/InferredType.cpp:
1709         (JSC::InferredType::create):
1710         * runtime/InferredTypeTable.cpp:
1711         * runtime/InferredValue.cpp:
1712         * runtime/InspectorInstrumentationObject.cpp:
1713         * runtime/InternalFunction.cpp:
1714         * runtime/IntlCollator.cpp:
1715         * runtime/IntlCollatorConstructor.cpp:
1716         * runtime/IntlCollatorPrototype.cpp:
1717         * runtime/IntlDateTimeFormat.cpp:
1718         * runtime/IntlDateTimeFormatConstructor.cpp:
1719         * runtime/IntlDateTimeFormatPrototype.cpp:
1720         * runtime/IntlNumberFormat.cpp:
1721         * runtime/IntlNumberFormatConstructor.cpp:
1722         * runtime/IntlNumberFormatPrototype.cpp:
1723         * runtime/IntlObject.cpp:
1724         * runtime/IteratorPrototype.cpp:
1725         * runtime/JSAPIValueWrapper.cpp:
1726         * runtime/JSArray.cpp:
1727         * runtime/JSArrayBuffer.cpp:
1728         * runtime/JSArrayBufferConstructor.cpp:
1729         * runtime/JSArrayBufferPrototype.cpp:
1730         * runtime/JSArrayBufferView.cpp:
1731         * runtime/JSAsyncFunction.cpp:
1732         * runtime/JSBoundFunction.cpp:
1733         * runtime/JSCallee.cpp:
1734         * runtime/JSCustomGetterSetterFunction.cpp:
1735         * runtime/JSDataView.cpp:
1736         * runtime/JSDataViewPrototype.cpp:
1737         * runtime/JSEnvironmentRecord.cpp:
1738         * runtime/JSFixedArray.cpp:
1739         * runtime/JSFunction.cpp:
1740         * runtime/JSGeneratorFunction.cpp:
1741         * runtime/JSGlobalLexicalEnvironment.cpp:
1742         * runtime/JSGlobalObject.cpp:
1743         * runtime/JSInternalPromise.cpp:
1744         * runtime/JSInternalPromiseConstructor.cpp:
1745         * runtime/JSInternalPromiseDeferred.cpp:
1746         * runtime/JSInternalPromisePrototype.cpp:
1747         * runtime/JSLexicalEnvironment.cpp:
1748         * runtime/JSMap.cpp:
1749         * runtime/JSMapIterator.cpp:
1750         * runtime/JSModuleEnvironment.cpp:
1751         * runtime/JSModuleLoader.cpp:
1752         * runtime/JSModuleNamespaceObject.cpp:
1753         * runtime/JSModuleRecord.cpp:
1754         * runtime/JSNativeStdFunction.cpp:
1755         * runtime/JSONObject.cpp:
1756         * runtime/JSObject.cpp:
1757         * runtime/JSPromise.cpp:
1758         * runtime/JSPromiseConstructor.cpp:
1759         * runtime/JSPromiseDeferred.cpp:
1760         * runtime/JSPromisePrototype.cpp:
1761         * runtime/JSPropertyNameEnumerator.cpp:
1762         * runtime/JSPropertyNameIterator.cpp:
1763         * runtime/JSProxy.cpp:
1764         * runtime/JSScriptFetcher.cpp:
1765         * runtime/JSSet.cpp:
1766         * runtime/JSSetIterator.cpp:
1767         * runtime/JSSourceCode.cpp:
1768         * runtime/JSString.cpp:
1769         * runtime/JSStringIterator.cpp:
1770         * runtime/JSSymbolTableObject.cpp:
1771         * runtime/JSTemplateRegistryKey.cpp:
1772         * runtime/JSTypedArrayConstructors.cpp:
1773         * runtime/JSTypedArrayPrototypes.cpp:
1774         * runtime/JSTypedArrayViewConstructor.cpp:
1775         * runtime/JSTypedArrays.cpp:
1776         * runtime/JSWeakMap.cpp:
1777         * runtime/JSWeakSet.cpp:
1778         * runtime/JSWithScope.cpp:
1779         * runtime/MapConstructor.cpp:
1780         * runtime/MapIteratorPrototype.cpp:
1781         * runtime/MapPrototype.cpp:
1782         * runtime/MathObject.cpp:
1783         * runtime/ModuleLoaderPrototype.cpp:
1784         * runtime/ModuleProgramExecutable.cpp:
1785         * runtime/NativeErrorConstructor.cpp:
1786         * runtime/NativeExecutable.cpp:
1787         * runtime/NativeStdFunctionCell.cpp:
1788         * runtime/NullGetterFunction.cpp:
1789         * runtime/NullSetterFunction.cpp:
1790         * runtime/NumberConstructor.cpp:
1791         * runtime/NumberObject.cpp:
1792         * runtime/NumberPrototype.cpp:
1793         * runtime/ObjectConstructor.cpp:
1794         * runtime/ObjectPrototype.cpp:
1795         * runtime/ProgramExecutable.cpp:
1796         * runtime/PropertyTable.cpp:
1797         * runtime/ProxyConstructor.cpp:
1798         * runtime/ProxyObject.cpp:
1799         * runtime/ProxyRevoke.cpp:
1800         * runtime/ReflectObject.cpp:
1801         * runtime/RegExp.cpp:
1802         * runtime/RegExpConstructor.cpp:
1803         * runtime/RegExpObject.cpp:
1804         * runtime/RegExpPrototype.cpp:
1805         * runtime/ScopedArguments.cpp:
1806         * runtime/ScopedArgumentsTable.cpp:
1807         * runtime/ScriptExecutable.cpp:
1808         * runtime/SetConstructor.cpp:
1809         * runtime/SetIteratorPrototype.cpp:
1810         * runtime/SetPrototype.cpp:
1811         * runtime/SparseArrayValueMap.cpp:
1812         * runtime/StrictEvalActivation.cpp:
1813         * runtime/StringConstructor.cpp:
1814         * runtime/StringIteratorPrototype.cpp:
1815         * runtime/StringObject.cpp:
1816         * runtime/StringPrototype.cpp:
1817         * runtime/Structure.cpp:
1818         * runtime/StructureChain.cpp:
1819         * runtime/StructureRareData.cpp:
1820         * runtime/Symbol.cpp:
1821         * runtime/SymbolConstructor.cpp:
1822         * runtime/SymbolObject.cpp:
1823         * runtime/SymbolPrototype.cpp:
1824         * runtime/SymbolTable.cpp:
1825         * runtime/WeakMapConstructor.cpp:
1826         * runtime/WeakMapData.cpp:
1827         * runtime/WeakMapPrototype.cpp:
1828         * runtime/WeakSetConstructor.cpp:
1829         * runtime/WeakSetPrototype.cpp:
1830         * testRegExp.cpp:
1831         * tools/JSDollarVM.cpp:
1832         * tools/JSDollarVMPrototype.cpp:
1833         * wasm/JSWebAssembly.cpp:
1834         * wasm/js/JSWebAssemblyCodeBlock.cpp:
1835         * wasm/js/JSWebAssemblyCompileError.cpp:
1836         * wasm/js/JSWebAssemblyInstance.cpp:
1837         * wasm/js/JSWebAssemblyLinkError.cpp:
1838         * wasm/js/JSWebAssemblyMemory.cpp:
1839         * wasm/js/JSWebAssemblyModule.cpp:
1840         * wasm/js/JSWebAssemblyRuntimeError.cpp:
1841         * wasm/js/JSWebAssemblyTable.cpp:
1842         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
1843         * wasm/js/WebAssemblyCompileErrorPrototype.cpp:
1844         * wasm/js/WebAssemblyFunction.cpp:
1845         * wasm/js/WebAssemblyFunctionBase.cpp:
1846         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1847         * wasm/js/WebAssemblyInstancePrototype.cpp:
1848         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
1849         * wasm/js/WebAssemblyLinkErrorPrototype.cpp:
1850         * wasm/js/WebAssemblyMemoryConstructor.cpp:
1851         * wasm/js/WebAssemblyMemoryPrototype.cpp:
1852         * wasm/js/WebAssemblyModuleConstructor.cpp:
1853         * wasm/js/WebAssemblyModulePrototype.cpp:
1854         * wasm/js/WebAssemblyModuleRecord.cpp:
1855         * wasm/js/WebAssemblyPrototype.cpp:
1856         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
1857         * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp:
1858         * wasm/js/WebAssemblyTableConstructor.cpp:
1859         * wasm/js/WebAssemblyTablePrototype.cpp:
1860         * wasm/js/WebAssemblyToJSCallee.cpp:
1861         * wasm/js/WebAssemblyWrapperFunction.cpp:
1862
1863 2017-05-18  JF Bastien  <jfbastien@apple.com>
1864
1865         WebAssembly: exports is a getter
1866         https://bugs.webkit.org/show_bug.cgi?id=172129
1867
1868         Reviewed by Saam Barati.
1869
1870         As updated here: https://github.com/WebAssembly/design/pull/1062
1871
1872         * wasm/js/JSWebAssemblyInstance.cpp:
1873         (JSC::JSWebAssemblyInstance::finishCreation): don't putDirect here anymore
1874         * wasm/js/JSWebAssemblyInstance.h:
1875         (JSC::JSWebAssemblyInstance::moduleNamespaceObject): add accessor
1876         * wasm/js/WebAssemblyFunctionBase.cpp: squelch causing a warning
1877         * wasm/js/WebAssemblyInstancePrototype.cpp: use LUT
1878         (JSC::getInstance): helper, as in surrounding files
1879         (JSC::webAssemblyInstanceProtoFuncExports): instead of putDirect
1880         * wasm/js/WebAssemblyMemoryPrototype.cpp: pass VM around as for Table
1881         (JSC::getMemory):
1882         (JSC::webAssemblyMemoryProtoFuncGrow):
1883         (JSC::webAssemblyMemoryProtoFuncBuffer):
1884         * wasm/js/WebAssemblyTablePrototype.cpp: static everywhere as with other code
1885         (JSC::webAssemblyTableProtoFuncLength):
1886         (JSC::webAssemblyTableProtoFuncGrow):
1887         (JSC::webAssemblyTableProtoFuncGet):
1888         (JSC::webAssemblyTableProtoFuncSet):
1889
1890 2017-05-18  Saam Barati  <sbarati@apple.com>
1891
1892         Proxy's [[Get]] passes incorrect receiver
1893         https://bugs.webkit.org/show_bug.cgi?id=164849
1894         <rdar://problem/31767058>
1895
1896         Reviewed by Yusuke Suzuki.
1897
1898         * runtime/ProxyObject.cpp:
1899         (JSC::performProxyGet):
1900
1901 2017-05-18  Andy Estes  <aestes@apple.com>
1902
1903         ENABLE(APPLE_PAY_DELEGATE) should be NO on macOS Sierra and earlier
1904         https://bugs.webkit.org/show_bug.cgi?id=172305
1905
1906         Reviewed by Anders Carlsson.
1907
1908         * Configurations/FeatureDefines.xcconfig:
1909
1910 2017-05-18  Saam Barati  <sbarati@apple.com>
1911
1912         We need to destroy worker threads in jsc.cpp
1913         https://bugs.webkit.org/show_bug.cgi?id=170751
1914         <rdar://problem/31800412>
1915
1916         Reviewed by Filip Pizlo.
1917
1918         This patch fixes a bug where a $ agent worker would still
1919         have compilation threads running after the thread the worker
1920         was created on dies. This manifested itself inside DFG AI where
1921         we would notice a string constant is atomic, then the worker
1922         thread would die, destroying its atomic string table, then
1923         we'd notice the same string is no longer atomic, and we'd crash
1924         because we'd fail to see the same speculated type for the same
1925         JSValue.
1926         
1927         This patch makes it so that $ agent workers destroy their VM when
1928         they're done executing. Before a VM gets destroyed, it ensures that
1929         all its compilation threads finish.
1930
1931         * jsc.cpp:
1932         (functionDollarAgentStart):
1933         (runJSC):
1934         (jscmain):
1935
1936 2017-05-18  Michael Saboff  <msaboff@apple.com>
1937
1938         Add FTL whitelist debugging option
1939         https://bugs.webkit.org/show_bug.cgi?id=172321
1940
1941         Reviewed by Saam Barati.
1942
1943         * dfg/DFGTierUpCheckInjectionPhase.cpp:
1944         (JSC::DFG::ensureGlobalFTLWhitelist):
1945         (JSC::DFG::TierUpCheckInjectionPhase::run):
1946         * runtime/Options.h:
1947         * tools/FunctionWhitelist.cpp:
1948         (JSC::FunctionWhitelist::contains):
1949
1950 2017-05-18  Filip Pizlo  <fpizlo@apple.com>
1951
1952         Constructor calls set this too early
1953         https://bugs.webkit.org/show_bug.cgi?id=172302
1954
1955         Reviewed by Saam Barati.
1956         
1957         We were setting this before evaluating the arguments, so this code:
1958         
1959             var x = 42;
1960             new x(x = function() { });
1961         
1962         would crash because we would pass 42 as this, and create_this would treat it as a cell.
1963         Dereferencing a non-cell is guaranteed to crash.
1964
1965         * bytecompiler/BytecodeGenerator.cpp:
1966         (JSC::BytecodeGenerator::emitConstruct):
1967         * bytecompiler/BytecodeGenerator.h:
1968         * bytecompiler/NodesCodegen.cpp:
1969         (JSC::NewExprNode::emitBytecode):
1970         (JSC::FunctionCallValueNode::emitBytecode):
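
The evaluation order the entry above relies on, as an added example that is not part of the ChangeLog or the JSC sources; it runs in any conforming JavaScript engine, and every function name in it is the example's own:

```javascript
// Added example (not from the WebKit ChangeLog or the JSC sources): observes
// the evaluation order of a `new` expression to show why `this` must only be
// created after the argument list has been evaluated.
//
// ECMAScript requires an engine to:
//   1. evaluate the callee expression,
//   2. evaluate the arguments (which may have side effects, including
//      reassigning the variable the callee came from),
//   3. only then check that the callee is a constructor, allocate `this`
//      and run the constructor body.
// The bug described above performed the `this` creation between steps 1
// and 2, so a non-cell callee such as 42 reached create_this.

// Records the order in which the callee, the arguments and the constructor
// body are evaluated. `log` pushes a tag and returns it so it can be used
// as a sub-expression.
function observeNewOrder() {
  const events = [];
  const log = (tag) => { events.push(tag); return tag; };
  function Ctor(arg) {
    log("body:" + arg);
  }
  // A comma expression as the callee lets us log when the callee is evaluated.
  const instance = new (log("callee"), Ctor)(log("arg"));
  log("done");
  return { events, isInstance: instance instanceof Ctor };
}

// The exact expression from the ChangeLog entry: the callee evaluates to 42
// before the argument reassigns x to a function. A conforming engine throws
// a TypeError at step 3 and never treats 42 as an object.
function runChangeLogCase() {
  var x = 42;
  let error = null;
  try {
    new x(x = function () {});
  } catch (e) {
    error = e;
  }
  return {
    threwTypeError: error instanceof TypeError,
    // Step 2 ran before the constructor check, so x is now a function.
    xIsFunction: typeof x === "function",
  };
}

// Shows that `this` is allocated after the arguments: an argument that
// swaps Ctor.prototype must be reflected in the prototype of the new object.
function thisCreatedAfterArguments() {
  function Ctor() {}
  const original = Ctor.prototype;
  const instance = new Ctor((Ctor.prototype = { swapped: true }, 0));
  return Object.getPrototypeOf(instance) !== original && instance.swapped === true;
}
```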
1971
1972 2017-05-18  Saam Barati  <sbarati@apple.com>
1973
1974         WebAssembly: perform stack checks
1975         https://bugs.webkit.org/show_bug.cgi?id=165546
1976         <rdar://problem/29760307>
1977
1978         Reviewed by Filip Pizlo.
1979
1980         This patch adds stack checks to wasm. It implements it by storing the stack
1981         bounds on the Context.
1982         
1983         Stack checking works as normal, except we do a small optimization for terminal
1984         nodes in the call tree (nodes that don't make any calls). These nodes will
1985         only do a stack check if their frame size is beyond 1024 bytes. Otherwise,
1986         it's assumed the parent that called them did their stack check for them.
1987         This is because all things that make calls make sure to do an extra 1024
1988         bytes whenever doing a stack check.
1989         
1990         We also take into account stack size for potential JS calls when doing
1991         stack checks since our JS stubs don't do this on their own. Each frame
1992         will ensure it does a stack check large enough for any potential JS call
1993         stubs it'll execute.
1994         
1995         Surprisingly, this patch is neutral on WasmBench and TitzerBench.
1996
1997         * llint/LLIntData.cpp:
1998         (JSC::LLInt::Data::performAssertions):
1999         * llint/LowLevelInterpreter.asm:
2000         * runtime/Error.cpp:
2001         (JSC::createRangeError):
2002         (JSC::addErrorInfoAndGetBytecodeOffset):
2003         I fixed a bug here where we assumed that the first frame that has line
2004         and column info would be in our stack trace. This is not correct
2005         since we limit our stack trace size. If everything in our limited
2006         size stack trace is Wasm, then we won't have any frames with line
2007         and column info.
2008         * runtime/Error.h:
2009         * runtime/ExceptionHelpers.cpp:
2010         (JSC::createStackOverflowError):
2011         * runtime/ExceptionHelpers.h:
2012         * runtime/JSGlobalObject.cpp:
2013         (JSC::JSGlobalObject::init):
2014         (JSC::JSGlobalObject::visitChildren):
2015         * runtime/JSGlobalObject.h:
2016         (JSC::JSGlobalObject::webAssemblyToJSCalleeStructure):
2017         * runtime/JSType.h:
2018         * runtime/Options.h: I've added a new option that controls
2019         whether or not we use fast TLS for the wasm context.
2020         * runtime/VM.cpp:
2021         (JSC::VM::VM):
2022         * runtime/VM.h:
2023         * wasm/WasmB3IRGenerator.cpp:
2024         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2025         * wasm/WasmBinding.cpp:
2026         (JSC::Wasm::wasmToWasm):
2027         * wasm/WasmContext.cpp:
2028         (JSC::Wasm::loadContext):
2029         (JSC::Wasm::storeContext):
2030         * wasm/WasmContext.h:
2031         (JSC::Wasm::useFastTLSForContext):
2032         * wasm/WasmExceptionType.h:
2033         * wasm/WasmMemoryInformation.h:
2034         (JSC::Wasm::PinnedRegisterInfo::toSave):
2035         * wasm/WasmThunks.cpp:
2036         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
2037         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
2038         (JSC::Wasm::Thunks::stub):
2039         * wasm/WasmThunks.h:
2040         * wasm/js/JSWebAssemblyInstance.h:
2041         (JSC::JSWebAssemblyInstance::offsetOfCachedStackLimit):
2042         (JSC::JSWebAssemblyInstance::cachedStackLimit):
2043         (JSC::JSWebAssemblyInstance::setCachedStackLimit):
2044         * wasm/js/JSWebAssemblyModule.cpp:
2045         (JSC::JSWebAssemblyModule::finishCreation):
2046         * wasm/js/WebAssemblyFunction.cpp:
2047         (JSC::callWebAssemblyFunction):
2048         * wasm/js/WebAssemblyToJSCallee.cpp: Make this a descendant of object.
2049         This is needed for correctness because we may call into JS,
2050         and then the first JS frame could stack overflow. When it stack
2051         overflows, it rolls back one frame to the wasm->js call stub with
2052         the wasm->js callee. It gets the lexical global object from this
2053         frame, meaning it gets the global object from the callee. Therefore,
2054         we must make it an object since all objects have global objects.
2055         (JSC::WebAssemblyToJSCallee::create):
2056         * wasm/js/WebAssemblyToJSCallee.h:
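Added example, not part of this ChangeLog or of JSC: a small C++ model of the stack-check policy the entry above describes, showing why a terminal node may skip its own check only when the leaf threshold does not exceed the slack every caller reserves. The Policy and Function types, kPatchPolicy, simulate and callerThenLeaf are invented here for illustration.

```cpp
// Model of the wasm stack-check policy from the entry above (not JSC code; all
// names here are invented for illustration). The stack grows downward, so a
// frame of `size` bytes is safe while sp - limit >= size.
#include <cstddef>
#include <cstdint>
#include <vector>

namespace StackCheckModel {

struct Policy {
    size_t callerSlack;    // extra bytes every calling frame adds to its check (1024 in the patch)
    size_t leafThreshold;  // a terminal node skips its check if frameSize <= this (1024 in the patch)
};

constexpr Policy kPatchPolicy { 1024, 1024 };

struct Function {
    size_t frameSize;                     // bytes this frame occupies
    size_t largestJSStubFrame;            // worst-case frame of any JS call stub it may run; 0 if none
    std::vector<const Function*> callees; // wasm->wasm calls made by this function

    bool makesCalls() const { return !callees.empty() || largestJSStubFrame > 0; }
};

// Every caller checks; a terminal node checks only when its frame is beyond the threshold.
bool needsStackCheck(const Function& f, const Policy& p = kPatchPolicy) {
    return f.makesCalls() || f.frameSize > p.leafThreshold;
}

// Bytes a checking frame must prove available: its own frame, plus slack for leaf
// callees that skip their own check, plus the largest JS stub frame it may run
// (the JS stubs do not check on their own, so the wasm frame covers them).
size_t stackCheckAmount(const Function& f, const Policy& p = kPatchPolicy) {
    if (!needsStackCheck(f, p))
        return 0;
    size_t amount = f.frameSize;
    if (f.makesCalls())
        amount += p.callerSlack + f.largestJSStubFrame;
    return amount;
}

enum class Outcome {
    Completed,      // every frame fit
    TrappedByCheck, // a stack check fired: the intended failure (RangeError path)
    SilentOverflow  // a frame that skipped its check ran past the limit: must never happen
};

// Execute the call tree depth-first, applying the policy at each frame.
Outcome simulate(const Function& f, uintptr_t sp, uintptr_t limit, const Policy& p = kPatchPolicy) {
    size_t available = sp > limit ? sp - limit : 0;
    if (needsStackCheck(f, p) && available < stackCheckAmount(f, p))
        return Outcome::TrappedByCheck;
    if (available < f.frameSize)
        return Outcome::SilentOverflow;
    uintptr_t calleeSp = sp - f.frameSize;
    // A JS stub, if any, runs on top of this frame without a check of its own.
    if (f.largestJSStubFrame && calleeSp - limit < f.largestJSStubFrame)
        return Outcome::SilentOverflow;
    for (const Function* callee : f.callees) {
        Outcome o = simulate(*callee, calleeSp, limit, p);
        if (o != Outcome::Completed)
            return o;
    }
    return Outcome::Completed;
}

// Worked scenario: a caller with a 256-byte frame invoking a leaf of `leafFrame`
// bytes, started with `headroom` bytes of stack above the limit.
Outcome callerThenLeaf(size_t headroom, size_t leafFrame, const Policy& p = kPatchPolicy) {
    Function leaf { leafFrame, 0, {} };
    Function caller { 256, 0, { &leaf } };
    const uintptr_t limit = 0x10000; // constructed stack limit for the model
    return simulate(caller, limit + headroom, limit, p);
}

} // namespace StackCheckModel
```

With the patch's 1024/1024 policy a leaf that skips its check can never overflow silently; raising the leaf threshold above the caller slack (for example 2048 against 1024) is exactly the misconfiguration that lets a 1500-byte leaf run past the limit unchecked.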
2057
2058 2017-05-18  Keith Miller  <keith_miller@apple.com>
2059
2060         WebAssembly API: test with neutered inputs
2061         https://bugs.webkit.org/show_bug.cgi?id=163899
2062
2063         Reviewed by JF Bastien.
2064
2065         Add tests to check that we properly throw a type error when
2066         we get a transferred ArrayBuffer. Also, we should make sure
2067         we cannot post message a wasm memory's ArrayBuffer.
2068
2069         * API/JSTypedArray.cpp:
2070         (JSObjectGetArrayBufferBytesPtr):
2071         * runtime/ArrayBuffer.cpp:
2072         (JSC::ArrayBuffer::makeShared):
2073         (JSC::ArrayBuffer::makeWasmMemory):
2074         (JSC::ArrayBuffer::transferTo):
2075         (JSC::ArrayBuffer::neuter):
2076         (JSC::ArrayBuffer::notifyIncommingReferencesOfTransfer):
2077         (JSC::errorMesasgeForTransfer):
2078         * runtime/ArrayBuffer.h:
2079         (JSC::ArrayBuffer::isLocked):
2080         (JSC::ArrayBuffer::isWasmMemory):
2081         * wasm/js/JSWebAssemblyMemory.cpp:
2082         (JSC::JSWebAssemblyMemory::buffer):
2083         (JSC::JSWebAssemblyMemory::grow):
2084
2085 2017-05-18  Joseph Pecoraro  <pecoraro@apple.com>
2086
2087         Remote Inspector: Be stricter about checking message types
2088         https://bugs.webkit.org/show_bug.cgi?id=172259
2089         <rdar://problem/32264839>
2090
2091         Reviewed by Brian Burg.
2092
2093         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
2094         (Inspector::RemoteInspector::receivedSetupMessage):
2095         (Inspector::RemoteInspector::receivedDataMessage):
2096         (Inspector::RemoteInspector::receivedDidCloseMessage):
2097         (Inspector::RemoteInspector::receivedIndicateMessage):
2098         (Inspector::RemoteInspector::receivedConnectionDiedMessage):
2099         (Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage):
2100         (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
2101         (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage):
2102         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
2103         (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
2104         (Inspector::RemoteInspectorXPCConnection::handleEvent):
2105         (Inspector::RemoteInspectorXPCConnection::sendMessage):
2106         Bail if we don't receive the expected types for message data.
2107
2108 2017-05-18  Filip Pizlo  <fpizlo@apple.com>
2109
2110         DFG inlining should be hardened for the no-result case
2111         https://bugs.webkit.org/show_bug.cgi?id=172290
2112
2113         Reviewed by Saam Barati.
2114         
2115         Previously, if we were inlining a setter call, we might have a bad time because the setter's
2116         result register is the invalid VirtualRegister(), and much of the intrinsic handling code
2117         assumes that the result register is valid.
2118         
2119         This doesn't usually cause problems because people don't usually point a setter at something
2120         that we recognize as an intrinsic.
2121         
2122         * CMakeLists.txt:
2123         * JavaScriptCore.xcodeproj/project.pbxproj:
2124         * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp: Fix a comment.
2125         * dfg/DFGByteCodeParser.cpp: Make RELEASE_ASSERT give accurate stacks. I was getting an absurd stack from the assert I added in DelayedSetLocal.
2126         (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal): Assert so we catch the problem sooner.
2127         (JSC::DFG::ByteCodeParser::handleIntrinsicCall): Fix the bug.
2128         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction): Fix the bug if constant internal functions were setter-inlineable (they ain't, because the bytecode parser doesn't fold GetSetter).
2129         * runtime/Intrinsic.cpp: Added. I needed this to debug.
2130         (JSC::intrinsicName):
2131         (WTF::printInternal):
2132         * runtime/Intrinsic.h:
2133
2134 2017-05-18  Commit Queue  <commit-queue@webkit.org>
2135
2136         Unreviewed, rolling out r217031, r217032, and r217037.
2137         https://bugs.webkit.org/show_bug.cgi?id=172293
2138
2139         cause linking errors in Windows (Requested by yusukesuzuki on
2140         #webkit).
2141
2142         Reverted changesets:
2143
2144         "[JSC][DFG][DOMJIT] Extend CheckDOM to CheckSubClass"
2145         https://bugs.webkit.org/show_bug.cgi?id=172098
2146         http://trac.webkit.org/changeset/217031
2147
2148         "Unreviewed, rebaseline for newly added ClassInfo"
2149         https://bugs.webkit.org/show_bug.cgi?id=172098
2150         http://trac.webkit.org/changeset/217032
2151
2152         "Unreviewed, fix debug and non-JIT build"
2153         https://bugs.webkit.org/show_bug.cgi?id=172098
2154         http://trac.webkit.org/changeset/217037
2155
2156 2017-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2157
2158         Unreviewed, fix debug and non-JIT build
2159         https://bugs.webkit.org/show_bug.cgi?id=172098
2160
2161         * jsc.cpp:
2162         (WTF::DOMJITFunctionObject::checkSubClassPatchpoint):
2163
2164 2017-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2165
2166         Unreviewed, rebaseline for newly added ClassInfo
2167         https://bugs.webkit.org/show_bug.cgi?id=172098
2168
2169         * wasm/js/WebAssemblyFunctionBase.cpp:
2170
2171 2017-05-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2172
2173         [JSC][DFG][DOMJIT] Extend CheckDOM to CheckSubClass
2174         https://bugs.webkit.org/show_bug.cgi?id=172098
2175
2176         Reviewed by Saam Barati.
2177
2178         In this patch, we generalize CheckDOM to CheckSubClass.
2179         It can accept any ClassInfo and perform ClassInfo check
2180         in DFG / FTL. Now, we add a new function pointer to ClassInfo,
2181         checkSubClassPatchpoint. It can create DOMJIT patchpoint
2182         for that ClassInfo. It is natural that ClassInfo holds the
2183         way to emit DOMJIT::Patchpoint to perform CheckSubClass
2184         rather than having it in each DOMJIT getter / function
2185         signature annotation.
2186
2187         One problem is that it enlarges the size of ClassInfo.
2188         But this is the best place to put this function pointer.
2189         By doing so, we can add a patchpoint for CheckSubClass
2190         in a non-intrusive manner: WebCore can inject patchpoints
2191         without interactive JSC.
2192
2193         We still have a way to reduce the size of ClassInfo if
2194         we move ArrayBuffer related methods out to the other places.
2195
2196         This patch touches many files because we add a new function
2197         pointer to ClassInfo. But they are basically mechanical changes.
2198
2199         * API/JSAPIWrapperObject.mm:
2200         * API/JSCallbackConstructor.cpp:
2201         * API/JSCallbackFunction.cpp:
2202         * API/JSCallbackObject.cpp:
2203         * API/ObjCCallbackFunction.mm:
2204         * CMakeLists.txt:
2205         * JavaScriptCore.xcodeproj/project.pbxproj:
2206         * bytecode/CodeBlock.cpp:
2207         * bytecode/DOMJITAccessCasePatchpointParams.h:
2208         (JSC::DOMJITAccessCasePatchpointParams::DOMJITAccessCasePatchpointParams):
2209         * bytecode/EvalCodeBlock.cpp:
2210         * bytecode/FunctionCodeBlock.cpp:
2211         * bytecode/GetterSetterAccessCase.cpp:
2212         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
2213         * bytecode/ModuleProgramCodeBlock.cpp:
2214         * bytecode/ProgramCodeBlock.cpp:
2215         * bytecode/UnlinkedCodeBlock.cpp:
2216         * bytecode/UnlinkedEvalCodeBlock.cpp:
2217         * bytecode/UnlinkedFunctionCodeBlock.cpp:
2218         * bytecode/UnlinkedFunctionExecutable.cpp:
2219         * bytecode/UnlinkedModuleProgramCodeBlock.cpp:
2220         * bytecode/UnlinkedProgramCodeBlock.cpp:
2221         * debugger/DebuggerScope.cpp:
2222         * dfg/DFGAbstractInterpreterInlines.h:
2223         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2224         * dfg/DFGByteCodeParser.cpp:
2225         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
2226         * dfg/DFGClobberize.h:
2227         (JSC::DFG::clobberize):
2228         * dfg/DFGConstantFoldingPhase.cpp:
2229         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2230         * dfg/DFGDOMJITPatchpointParams.h:
2231         (JSC::DFG::DOMJITPatchpointParams::DOMJITPatchpointParams):
2232         * dfg/DFGDoesGC.cpp:
2233         (JSC::DFG::doesGC):
2234         * dfg/DFGFixupPhase.cpp:
2235         (JSC::DFG::FixupPhase::fixupNode):
2236         (JSC::DFG::FixupPhase::attemptToMakeCallDOM):
2237         (JSC::DFG::FixupPhase::fixupCheckSubClass):
2238         (JSC::DFG::FixupPhase::fixupCheckDOM): Deleted.
2239         * dfg/DFGGraph.cpp:
2240         (JSC::DFG::Graph::dump):
2241         * dfg/DFGNode.h:
2242         (JSC::DFG::Node::hasClassInfo):
2243         (JSC::DFG::Node::classInfo):
2244         (JSC::DFG::Node::hasCheckDOMPatchpoint): Deleted.
2245         (JSC::DFG::Node::checkDOMPatchpoint): Deleted.
2246         * dfg/DFGNodeType.h:
2247         * dfg/DFGPredictionPropagationPhase.cpp:
2248         * dfg/DFGSafeToExecute.h:
2249         (JSC::DFG::safeToExecute):
2250         * dfg/DFGSpeculativeJIT.cpp:
2251         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
2252         (JSC::DFG::SpeculativeJIT::compileCheckDOM): Deleted.
2253         * dfg/DFGSpeculativeJIT.h:
2254         (JSC::DFG::SpeculativeJIT::vm):
2255         * dfg/DFGSpeculativeJIT32_64.cpp:
2256         (JSC::DFG::SpeculativeJIT::compile):
2257         In DFG, we rename CheckDOM to CheckSubClass. It just holds ClassInfo.
2258         And ClassInfo knows how to perform CheckSubClass efficiently.
2259         If ClassInfo does not have a way to perform CheckSubClass efficiently,
2260         we just perform the jsDynamicCast thing in ASM.
2261         * dfg/DFGSpeculativeJIT64.cpp:
2262         (JSC::DFG::SpeculativeJIT::compile):
2263         * domjit/DOMJITGetterSetter.h:
2264         * domjit/DOMJITPatchpointParams.h:
2265         (JSC::DOMJIT::PatchpointParams::PatchpointParams):
2266         (JSC::DOMJIT::PatchpointParams::vm):
2267         * domjit/DOMJITSignature.h:
2268         (JSC::DOMJIT::Signature::Signature):
2269         (JSC::DOMJIT::Signature::checkDOM): Deleted.
2270         * ftl/FTLAbstractHeapRepository.h:
2271         * ftl/FTLCapabilities.cpp:
2272         (JSC::FTL::canCompile):
2273         * ftl/FTLDOMJITPatchpointParams.h:
2274         (JSC::FTL::DOMJITPatchpointParams::DOMJITPatchpointParams):
2275         * ftl/FTLLowerDFGToB3.cpp:
2276         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2277         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
2278         (JSC::FTL::DFG::LowerDFGToB3::compileCheckDOM): Deleted.
2279         * inspector/JSInjectedScriptHost.cpp:
2280         * inspector/JSInjectedScriptHostPrototype.cpp:
2281         * inspector/JSJavaScriptCallFrame.cpp:
2282         * inspector/JSJavaScriptCallFramePrototype.cpp:
2283         * jsc.cpp:
2284         (WTF::DOMJITNode::checkSubClassPatchpoint):
2285         (WTF::DOMJITFunctionObject::checkSubClassPatchpoint):
2286         (WTF::DOMJITFunctionObject::finishCreation):
2287         (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
2288         (WTF::DOMJITCheckSubClassObject::createStructure):
2289         (WTF::DOMJITCheckSubClassObject::create):
2290         (WTF::DOMJITCheckSubClassObject::safeFunction):
2291         (WTF::DOMJITCheckSubClassObject::unsafeFunction):
2292         (WTF::DOMJITCheckSubClassObject::finishCreation):
2293         (GlobalObject::finishCreation):
2294         (functionCreateDOMJITCheckSubClassObject):
2295         (WTF::DOMJITNode::checkDOMJITNode): Deleted.
2296         (WTF::DOMJITFunctionObject::checkDOMJITNode): Deleted.
2297         * runtime/AbstractModuleRecord.cpp:
2298         * runtime/ArrayBufferNeuteringWatchpoint.cpp:
2299         * runtime/ArrayConstructor.cpp:
2300         * runtime/ArrayIteratorPrototype.cpp:
2301         * runtime/ArrayPrototype.cpp:
2302         * runtime/AsyncFunctionConstructor.cpp:
2303         * runtime/AsyncFunctionPrototype.cpp:
2304         * runtime/AtomicsObject.cpp:
2305         * runtime/BooleanConstructor.cpp:
2306         * runtime/BooleanObject.cpp:
2307         * runtime/BooleanPrototype.cpp:
2308         * runtime/ClassInfo.cpp: Copied from Source/JavaScriptCore/tools/JSDollarVM.cpp.
2309         (JSC::ClassInfo::dump):
2310         * runtime/ClassInfo.h:
2311         (JSC::ClassInfo::offsetOfParentClass):
2312         * runtime/ClonedArguments.cpp:
2313         * runtime/ConsoleObject.cpp:
2314         * runtime/CustomGetterSetter.cpp:
2315         * runtime/DateConstructor.cpp:
2316         * runtime/DateInstance.cpp:
2317         * runtime/DatePrototype.cpp:
2318         * runtime/DirectArguments.cpp:
2319         * runtime/Error.cpp:
2320         * runtime/ErrorConstructor.cpp:
2321         * runtime/ErrorInstance.cpp:
2322         * runtime/ErrorPrototype.cpp:
2323         * runtime/EvalExecutable.cpp:
2324         * runtime/Exception.cpp:
2325         * runtime/ExceptionHelpers.cpp:
2326         * runtime/ExecutableBase.cpp:
2327         * runtime/FunctionConstructor.cpp:
2328         * runtime/FunctionExecutable.cpp:
2329         * runtime/FunctionPrototype.cpp:
2330         * runtime/FunctionRareData.cpp:
2331         * runtime/GeneratorFunctionConstructor.cpp:
2332         * runtime/GeneratorFunctionPrototype.cpp:
2333         * runtime/GeneratorPrototype.cpp:
2334         * runtime/GetterSetter.cpp:
2335         * runtime/HashMapImpl.cpp:
2336         * runtime/HashMapImpl.h:
2337         * runtime/InferredType.cpp:
2338         (JSC::InferredType::create):
2339         * runtime/InferredTypeTable.cpp:
2340         * runtime/InferredValue.cpp:
2341         * runtime/InspectorInstrumentationObject.cpp:
2342         * runtime/InternalFunction.cpp:
2343         * runtime/IntlCollator.cpp:
2344         * runtime/IntlCollatorConstructor.cpp:
2345         * runtime/IntlCollatorPrototype.cpp:
2346         * runtime/IntlDateTimeFormat.cpp:
2347         * runtime/IntlDateTimeFormatConstructor.cpp:
2348         * runtime/IntlDateTimeFormatPrototype.cpp:
2349         * runtime/IntlNumberFormat.cpp:
2350         * runtime/IntlNumberFormatConstructor.cpp:
2351         * runtime/IntlNumberFormatPrototype.cpp:
2352         * runtime/IntlObject.cpp:
2353         * runtime/IteratorPrototype.cpp:
2354         * runtime/JSAPIValueWrapper.cpp:
2355         * runtime/JSArray.cpp:
2356         * runtime/JSArrayBuffer.cpp:
2357         * runtime/JSArrayBufferConstructor.cpp:
2358         * runtime/JSArrayBufferPrototype.cpp:
2359         * runtime/JSArrayBufferView.cpp:
2360         * runtime/JSAsyncFunction.cpp:
2361         * runtime/JSBoundFunction.cpp:
2362         * runtime/JSCallee.cpp:
2363         * runtime/JSCustomGetterSetterFunction.cpp:
2364         * runtime/JSDataView.cpp:
2365         * runtime/JSDataViewPrototype.cpp:
2366         * runtime/JSEnvironmentRecord.cpp:
2367         * runtime/JSFixedArray.cpp:
2368         * runtime/JSFunction.cpp:
2369         * runtime/JSGeneratorFunction.cpp:
2370         * runtime/JSGlobalLexicalEnvironment.cpp:
2371         * runtime/JSGlobalObject.cpp:
2372         * runtime/JSInternalPromise.cpp:
2373         * runtime/JSInternalPromiseConstructor.cpp:
2374         * runtime/JSInternalPromiseDeferred.cpp:
2375         * runtime/JSInternalPromisePrototype.cpp:
2376         * runtime/JSLexicalEnvironment.cpp:
2377         * runtime/JSMap.cpp:
2378         * runtime/JSMapIterator.cpp:
2379         * runtime/JSModuleEnvironment.cpp:
2380         * runtime/JSModuleLoader.cpp:
2381         * runtime/JSModuleNamespaceObject.cpp:
2382         * runtime/JSModuleRecord.cpp:
2383         * runtime/JSNativeStdFunction.cpp:
2384         * runtime/JSONObject.cpp:
2385         * runtime/JSObject.cpp:
2386         * runtime/JSPromise.cpp:
2387         * runtime/JSPromiseConstructor.cpp:
2388         * runtime/JSPromiseDeferred.cpp:
2389         * runtime/JSPromisePrototype.cpp:
2390         * runtime/JSPropertyNameEnumerator.cpp:
2391         * runtime/JSPropertyNameIterator.cpp:
2392         * runtime/JSProxy.cpp:
2393         * runtime/JSScriptFetcher.cpp:
2394         * runtime/JSSet.cpp:
2395         * runtime/JSSetIterator.cpp:
2396         * runtime/JSSourceCode.cpp:
2397         * runtime/JSString.cpp:
2398         * runtime/JSStringIterator.cpp:
2399         * runtime/JSSymbolTableObject.cpp:
2400         * runtime/JSTemplateRegistryKey.cpp:
2401         * runtime/JSTypedArrayConstructors.cpp:
2402         * runtime/JSTypedArrayPrototypes.cpp:
2403         * runtime/JSTypedArrayViewConstructor.cpp:
2404         * runtime/JSTypedArrays.cpp:
2405         * runtime/JSWeakMap.cpp:
2406         * runtime/JSWeakSet.cpp:
2407         * runtime/JSWithScope.cpp:
2408         * runtime/MapConstructor.cpp:
2409         * runtime/MapIteratorPrototype.cpp:
2410         * runtime/MapPrototype.cpp:
2411         * runtime/MathObject.cpp:
2412         * runtime/ModuleLoaderPrototype.cpp:
2413         * runtime/ModuleProgramExecutable.cpp:
2414         * runtime/NativeErrorConstructor.cpp:
2415         * runtime/NativeExecutable.cpp:
2416         * runtime/NativeStdFunctionCell.cpp:
2417         * runtime/NullGetterFunction.cpp:
2418         * runtime/NullSetterFunction.cpp:
2419         * runtime/NumberConstructor.cpp:
2420         * runtime/NumberObject.cpp:
2421         * runtime/NumberPrototype.cpp:
2422         * runtime/ObjectConstructor.cpp:
2423         * runtime/ObjectPrototype.cpp:
2424         * runtime/ProgramExecutable.cpp:
2425         * runtime/PropertyTable.cpp:
2426         * runtime/ProxyConstructor.cpp:
2427         * runtime/ProxyObject.cpp:
2428         * runtime/ProxyRevoke.cpp:
2429         * runtime/ReflectObject.cpp:
2430         * runtime/RegExp.cpp:
2431         * runtime/RegExpConstructor.cpp:
2432         * runtime/RegExpObject.cpp:
2433         * runtime/RegExpPrototype.cpp:
2434         * runtime/ScopedArguments.cpp:
2435         * runtime/ScopedArgumentsTable.cpp:
2436         * runtime/ScriptExecutable.cpp:
2437         * runtime/SetConstructor.cpp:
2438         * runtime/SetIteratorPrototype.cpp:
2439         * runtime/SetPrototype.cpp:
2440         * runtime/SparseArrayValueMap.cpp:
2441         * runtime/StrictEvalActivation.cpp:
2442         * runtime/StringConstructor.cpp:
2443         * runtime/StringIteratorPrototype.cpp:
2444         * runtime/StringObject.cpp:
2445         * runtime/StringPrototype.cpp:
2446         * runtime/Structure.cpp:
2447         * runtime/StructureChain.cpp:
2448         * runtime/StructureRareData.cpp:
2449         * runtime/Symbol.cpp:
2450         * runtime/SymbolConstructor.cpp:
2451         * runtime/SymbolObject.cpp:
2452         * runtime/SymbolPrototype.cpp:
2453         * runtime/SymbolTable.cpp:
2454         * runtime/WeakMapConstructor.cpp:
2455         * runtime/WeakMapData.cpp:
2456         * runtime/WeakMapPrototype.cpp:
2457         * runtime/WeakSetConstructor.cpp:
2458         * runtime/WeakSetPrototype.cpp:
2459         * testRegExp.cpp:
2460         * tools/JSDollarVM.cpp:
2461         * tools/JSDollarVMPrototype.cpp:
2462         * wasm/JSWebAssembly.cpp:
2463         * wasm/js/JSWebAssemblyCodeBlock.cpp:
2464         * wasm/js/JSWebAssemblyCompileError.cpp:
2465         * wasm/js/JSWebAssemblyInstance.cpp:
2466         * wasm/js/JSWebAssemblyLinkError.cpp:
2467         * wasm/js/JSWebAssemblyMemory.cpp:
2468         * wasm/js/JSWebAssemblyModule.cpp:
2469         * wasm/js/JSWebAssemblyRuntimeError.cpp:
2470         * wasm/js/JSWebAssemblyTable.cpp:
2471         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
2472         * wasm/js/WebAssemblyCompileErrorPrototype.cpp:
2473         * wasm/js/WebAssemblyFunction.cpp:
2474         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2475         * wasm/js/WebAssemblyInstancePrototype.cpp:
2476         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
2477         * wasm/js/WebAssemblyLinkErrorPrototype.cpp:
2478         * wasm/js/WebAssemblyMemoryConstructor.cpp:
2479         * wasm/js/WebAssemblyMemoryPrototype.cpp:
2480         * wasm/js/WebAssemblyModuleConstructor.cpp:
2481         * wasm/js/WebAssemblyModulePrototype.cpp:
2482         * wasm/js/WebAssemblyModuleRecord.cpp:
2483         * wasm/js/WebAssemblyPrototype.cpp:
2484         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
2485         * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp:
2486         * wasm/js/WebAssemblyTableConstructor.cpp:
2487         * wasm/js/WebAssemblyTablePrototype.cpp:
2488         * wasm/js/WebAssemblyToJSCallee.cpp:
2489         * wasm/js/WebAssemblyWrapperFunction.cpp:
2490
2491 2017-05-17  Saam Barati  <sbarati@apple.com>
2492
2493         We don't do context switches for Wasm->Wasm call indirect
2494         https://bugs.webkit.org/show_bug.cgi?id=172188
2495         <rdar://problem/32231828>
2496
2497         Reviewed by Keith Miller.
2498
2499         We did not do a context switch when doing an indirect call. 
2500         This is clearly wrong, since the thing we're making an indirect
2501         call to could be from another instance. This patch fixes this
2502         oversight by doing a very simple context switch. I've also opened
2503         a bug to make indirect calls fast: https://bugs.webkit.org/show_bug.cgi?id=172197
2504         since this patch adds yet another branch to the indirect call path.
2505         I've also added tests that either throw or crash before this change.
2506
2507         * CMakeLists.txt:
2508         * JavaScriptCore.xcodeproj/project.pbxproj:
2509         * wasm/WasmB3IRGenerator.cpp:
2510         * wasm/js/JSWebAssemblyTable.h:
2511         (JSC::JSWebAssemblyTable::offsetOfJSFunctions):
2512         * wasm/js/WebAssemblyFunction.cpp:
2513         (JSC::WebAssemblyFunction::visitChildren):
2514         (JSC::WebAssemblyFunction::finishCreation): Deleted.
2515         * wasm/js/WebAssemblyFunction.h:
2516         (JSC::WebAssemblyFunction::instance): Deleted.
2517         (JSC::WebAssemblyFunction::offsetOfInstance): Deleted.
2518         * wasm/js/WebAssemblyFunctionBase.cpp: Added.
2519         (JSC::WebAssemblyFunctionBase::WebAssemblyFunctionBase):
2520         (JSC::WebAssemblyFunctionBase::visitChildren):
2521         (JSC::WebAssemblyFunctionBase::finishCreation):
2522         * wasm/js/WebAssemblyFunctionBase.h: Added.
2523         (JSC::WebAssemblyFunctionBase::instance):
2524         (JSC::WebAssemblyFunctionBase::offsetOfInstance):
2525         * wasm/js/WebAssemblyModuleRecord.cpp:
2526         (JSC::WebAssemblyModuleRecord::link):
2527         (JSC::WebAssemblyModuleRecord::evaluate):
2528         * wasm/js/WebAssemblyWrapperFunction.cpp:
2529         (JSC::WebAssemblyWrapperFunction::create):
2530         (JSC::WebAssemblyWrapperFunction::finishCreation):
2531         (JSC::WebAssemblyWrapperFunction::visitChildren):
2532         * wasm/js/WebAssemblyWrapperFunction.h:
2533
2534 2017-05-17  Filip Pizlo  <fpizlo@apple.com>
2535
2536         JSC: Incorrect LoadVarargs handling in ArgumentsEliminationPhase::transform
2537         https://bugs.webkit.org/show_bug.cgi?id=172208
2538
2539         Reviewed by Saam Barati.
2540
2541         * dfg/DFGArgumentsEliminationPhase.cpp:
2542
2543 2017-05-17  Don Olmstead  <don.olmstead@am.sony.com>
2544
2545         [Win] Support $vm.getpid()
2546         https://bugs.webkit.org/show_bug.cgi?id=172248
2547
2548         Reviewed by Mark Lam.
2549
2550         * tools/JSDollarVMPrototype.cpp:
2551         (JSC::functionGetPID):
2552         (JSC::JSDollarVMPrototype::finishCreation):
2553
2554 2017-05-17  Michael Saboff  <msaboff@apple.com>
2555
2556         [iOS] The Garbage Collector shouldn't rely on the bmalloc scavenger for up to date memory footprint info
2557         https://bugs.webkit.org/show_bug.cgi?id=172186
2558
2559         Reviewed by Geoffrey Garen.
2560
2561         The calls to bmalloc::api::memoryFootprint() and ::percentAvailableMemoryInUse() now call
2562         the OS to get up to date values.  In overCriticalMemoryThreshold(), we get the current value every
2563         100th call and use a cached value the rest of the time.  When collection is done, we start with
2564         a new overCriticalMemoryThreshold value for the next cycle.
2565
2566         The choice of 1 out of 100 calls was validated by using JetStream and verifying that it didn't impact
2567         performance and still provides timely memory footprint data.  With additional debug logging, I
2568         determined that we call overCriticalMemoryThreshold() over 20,000 times/second running JetStream.
2569         Other logging showed that there were over 1700 calls to overCriticalMemoryThreshold() on average per
2570         GC cycle.  Dividing both of these numbers by 100 seems reasonable.
2571
2572         * heap/Heap.cpp:
2573         (JSC::Heap::overCriticalMemoryThreshold):
2574         (JSC::Heap::updateAllocationLimits):
2575         (JSC::Heap::shouldDoFullCollection):
2576         * heap/Heap.h:
2577
2578 2017-05-17  Saam Barati  <sbarati@apple.com>
2579
2580         PinnedRegisters should be better modeled in IRC/Briggs
2581         https://bugs.webkit.org/show_bug.cgi?id=171955
2582
2583         Reviewed by Filip Pizlo.
2584
2585         This patch fixes a bug in Briggs/IRC with respect to pinned registers.
2586         Pinned registers were not part of the assignable register file in IRC/Briggs,
2587         and this would lead to an asymmetry because they were modeled in the
2588         interference graph. The bug is that we use registerCount() to move various
2589         Tmps between various lists in the different allocators, and if a Tmp
2590         interfered with a pinned register (usually via a Patchpoint's clobbered set),
2591         we'd have an interference edge modeled in the degree for that Tmp, but the registerCount()
2592         would make us think that this particular Tmp is not assignable. This would
2593         lead us to fail to color a colorable graph. Specifically, this happened in
2594         our various patchpoint tests that stress the register allocator by forcing
2595         the entire register file into arguments for the patchpoint and then doing
2596         interesting things with the result, arguments, etc.
2597         
2598         This patch fixes the bug by coming up with a more natural way to model pinned
2599         registers. Pinned registers are now part of the register file. However,
2600         pinned registers are live at every point in the program (this is a defining
2601         property of a pinned register). In practice, this means that the only Tmps 
2602         that can be assigned to pinned registers are ones that are coalescing
2603         candidates. This means the program has some number of defs for a Tmp T like:
2604         MoveType pinnedReg, T
2605         
2606         Note, if any other defs for T happen, like:
2607         Add32, t1, t2, T
2608         T will have an interference edge with pinnedReg, since pinnedReg is live
2609         at every point in the program. Modeling pinned registers this way allows
2610         IRC/Briggs to have no special casing for them. It treats it like any other
2611         precolored Tmp. This allows us to do coalescing, biased coloring, etc, which
2612         could all lead to a Tmp being assigned to a pinned register.
2613         
2614         Interestingly, we used to have special handling for the frame pointer
2615         register, which in many ways, acts like a pinned register, since FP is
2616         always live, and we wanted it to take place in coalescing. The allocator
2617         had a side-table interference graph with FP. Interestingly, we didn't even
2618         handle this properly everywhere since we could rely on a patchpoint never
2619         claiming to clobber FP (this would be illegal). So the code only handled
2620         the pseudo-pinned register properties of FP in various places. This patch
2621         drops this special casing and pins FP since all pinned registers can take
2622         part in coalescing.
2623
2624         * b3/B3PatchpointSpecial.h:
2625         * b3/B3Procedure.cpp:
2626         (JSC::B3::Procedure::mutableGPRs):
2627         (JSC::B3::Procedure::mutableFPRs):
2628         * b3/B3Procedure.h:
2629         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
2630         * b3/air/AirCode.cpp:
2631         (JSC::B3::Air::Code::Code):
2632         (JSC::B3::Air::Code::pinRegister):
2633         (JSC::B3::Air::Code::mutableGPRs):
2634         (JSC::B3::Air::Code::mutableFPRs):
2635         * b3/air/AirCode.h:
2636         (JSC::B3::Air::Code::pinnedRegisters):
2637         * b3/air/AirSpecial.h:
2638         * b3/air/testair.cpp:
2639         * b3/testb3.cpp:
2640         (JSC::B3::testSimplePatchpointWithOuputClobbersGPArgs):
2641         (JSC::B3::testSpillDefSmallerThanUse):
2642         (JSC::B3::testLateRegister):
2643         (JSC::B3::testTerminalPatchpointThatNeedsToBeSpilled):
2644         (JSC::B3::testTerminalPatchpointThatNeedsToBeSpilled2):
2645         (JSC::B3::testMoveConstants):
2646
2647 2017-05-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2648
2649         [DFG] Constant Folding Phase should convert MakeRope("", String) => Identity(String)
2650         https://bugs.webkit.org/show_bug.cgi?id=172115
2651
2652         Reviewed by Saam Barati.
2653
2654         In Fixup phase, we attempt to fold MakeRope to Identity (or reduce arguments) by dropping
2655         empty strings. However, when we are in Fixup phase, we do not have much information about
2656         constant values.
2657
2658         In ARES-6 Babylon, we find that we can constant-fold MakeRope by using constants figured
2659         out by CFA. Without it, Babylon repeatedly produces rope strings. To fix this, we introduce
2660         MakeRope handling in constant folding phase.
2661
2662         It shows 7.5% performance improvement in ARES-6 Babylon steadyState.
2663
2664             Before:
2665
2666             firstIteration:     50.02 +- 14.56 ms
2667             averageWorstCase:   26.52 +- 4.52 ms
2668             steadyState:        8.15 +- 0.23 ms
2669
2670             After:
2671
2672             firstIteration:     49.08 +- 12.90 ms
2673             averageWorstCase:   25.16 +- 3.82 ms
2674             steadyState:        7.58 +- 0.21 ms
2675
2676         * dfg/DFGAbstractInterpreterInlines.h:
2677         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2678         * dfg/DFGConstantFoldingPhase.cpp:
2679         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2680
2681 2017-05-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2682
2683         Unreviewed, add Objective C files to CMake Mac port
2684         https://bugs.webkit.org/show_bug.cgi?id=172103
2685
2686         * shell/PlatformMac.cmake: Added.
2687
2688 2017-05-16  JF Bastien  <jfbastien@apple.com>
2689
2690         WebAssembly: enforce size limits
2691         https://bugs.webkit.org/show_bug.cgi?id=165833
2692         <rdar://problem/29760219>
2693
2694         Reviewed by Keith Miller.
2695
2696         Use the same limits as V8.
2697
2698         * JavaScriptCore.xcodeproj/project.pbxproj:
2699         * wasm/WasmLimits.h: Added.
2700         * wasm/WasmModuleParser.cpp:
2701         * wasm/WasmParser.h:
2702         (JSC::Wasm::Parser<SuccessType>::consumeUTF8String):
2703
2704 2017-05-15  Yusuke Suzuki  <utatane.tea@gmail.com>
2705
2706         [JSC] Build testapi in non-Apple ports
2707         https://bugs.webkit.org/show_bug.cgi?id=172103
2708
2709         Reviewed by Filip Pizlo.
2710
2711         This patch makes JSC testapi buildable in non-Apple ports.
2712         We isolate CF related tests in testapi.c. If we do not use
2713         CF, we include JavaScript.h instead of JavaScriptCore.h.
2714
2715         By running the testapi on Linux, we found that the constraints
2716         test has a bug: if the constraint marker runs after the WeakRefs
2717         are destroyed, it accesses a destroyed WeakRef. This patch
2718         also fixes it.
2719
2720         * API/tests/CurrentThisInsideBlockGetterTest.h:
2721         * API/tests/CustomGlobalObjectClassTest.c:
2722         * API/tests/ExecutionTimeLimitTest.cpp:
2723         * API/tests/FunctionOverridesTest.cpp:
2724         * API/tests/GlobalContextWithFinalizerTest.cpp:
2725         * API/tests/JSObjectGetProxyTargetTest.cpp:
2726         * API/tests/MultithreadedMultiVMExecutionTest.cpp:
2727         * API/tests/PingPongStackOverflowTest.cpp:
2728         * API/tests/TypedArrayCTest.cpp:
2729         * API/tests/testapi.c:
2730         (assertEqualsAsCharactersPtr):
2731         (markingConstraint):
2732         (testMarkingConstraintsAndHeapFinalizers):
2733         (testCFStrings):
2734         (main):
2735         * shell/CMakeLists.txt:
2736
2737 2017-05-16  JF Bastien  <jfbastien@apple.com>
2738
2739         WebAssembly: report Memory usage to GC
2740         https://bugs.webkit.org/show_bug.cgi?id=170690
2741         <rdar://problem/31965310>
2742
2743         Reviewed by Keith Miller.
2744
2745         * wasm/js/JSWebAssemblyMemory.cpp:
2746         (JSC::JSWebAssemblyMemory::grow):
2747         (JSC::JSWebAssemblyMemory::finishCreation):
2748         (JSC::JSWebAssemblyMemory::visitChildren):
2749
2750 2017-05-16  JF Bastien  <jfbastien@apple.com>
2751
2752         WebAssembly: validate load / store alignment
2753         https://bugs.webkit.org/show_bug.cgi?id=168836
2754         <rdar://problem/31965349>
2755
2756         Reviewed by Keith Miller.
2757
2758         * wasm/WasmFunctionParser.h: check the alignment
2759         * wasm/generateWasm.py: generate the log2 alignment helper
2760         (Wasm):
2761         (isSimple):
2762         (memoryLog2Alignment):
2763         * wasm/generateWasmOpsHeader.py:
2764         (memoryLog2AlignmentGenerator):
2765         * wasm/wasm.json: fix formatting
2766
2767 2017-05-15  Mark Lam  <mark.lam@apple.com>
2768
2769         Rolling out r214038 and r213697: Crashes when using computed properties with rest destructuring and object spread.
2770         https://bugs.webkit.org/show_bug.cgi?id=172147
2771
2772         Rubber-stamped by Saam Barati.
2773
2774         I rolled out everything in those 2 patches except for the change to make
2775         CodeBlock::finishCreation() return a bool plus its clients that depend on this.
2776         I made this exception because r214931 relies on this change, and this part of
2777         the change looks correct.
2778
2779         * builtins/BuiltinNames.h:
2780         * builtins/GlobalOperations.js:
2781         (globalPrivate.speciesConstructor):
2782         (globalPrivate.copyDataProperties): Deleted.
2783         * bytecode/CodeBlock.cpp:
2784         (JSC::CodeBlock::finishCreation):
2785         (JSC::CodeBlock::setConstantIdentifierSetRegisters): Deleted.
2786         * bytecode/CodeBlock.h:
2787         * bytecode/UnlinkedCodeBlock.h:
2788         (JSC::UnlinkedCodeBlock::addBitVector):
2789         (JSC::UnlinkedCodeBlock::constantRegisters):
2790         (JSC::UnlinkedCodeBlock::addSetConstant): Deleted.
2791         (JSC::UnlinkedCodeBlock::constantIdentifierSets): Deleted.
2792         * bytecompiler/BytecodeGenerator.cpp:
2793         * bytecompiler/BytecodeGenerator.h:
2794         * bytecompiler/NodesCodegen.cpp:
2795         (JSC::PropertyListNode::emitBytecode):
2796         (JSC::ObjectPatternNode::bindValue):
2797         (JSC::ObjectSpreadExpressionNode::emitBytecode): Deleted.
2798         * parser/ASTBuilder.h:
2799         (JSC::ASTBuilder::createProperty):
2800         (JSC::ASTBuilder::appendObjectPatternEntry):
2801         (JSC::ASTBuilder::createObjectSpreadExpression): Deleted.
2802         (JSC::ASTBuilder::appendObjectPatternRestEntry): Deleted.
2803         (JSC::ASTBuilder::setContainsObjectRestElement): Deleted.
2804         * parser/NodeConstructors.h:
2805         (JSC::PropertyNode::PropertyNode):
2806         (JSC::SpreadExpressionNode::SpreadExpressionNode):
2807         (JSC::ObjectSpreadExpressionNode::ObjectSpreadExpressionNode): Deleted.
2808         * parser/Nodes.h:
2809         (JSC::ObjectPatternNode::appendEntry):
2810         (JSC::ObjectSpreadExpressionNode::expression): Deleted.
2811         (JSC::ObjectPatternNode::setContainsRestElement): Deleted.
2812         * parser/Parser.cpp:
2813         (JSC::Parser<LexerType>::parseDestructuringPattern):
2814         (JSC::Parser<LexerType>::parseProperty):
2815         * parser/SyntaxChecker.h:
2816         (JSC::SyntaxChecker::createSpreadExpression):
2817         (JSC::SyntaxChecker::createProperty):
2818         (JSC::SyntaxChecker::operatorStackPop):
2819         (JSC::SyntaxChecker::createObjectSpreadExpression): Deleted.
2820         * runtime/ObjectConstructor.cpp:
2821         (JSC::ObjectConstructor::finishCreation):
2822         * runtime/SetPrototype.cpp:
2823         (JSC::SetPrototype::finishCreation):
2824
2825 2017-05-15  David Kilzer  <ddkilzer@apple.com>
2826
2827         JSEnvironmentRecord::allocationSizeForScopeSize() and offsetOfVariable(ScopeOffset) should use checked arithmetic
2828         <https://webkit.org/b/172134>
2829
2830         Reviewed by Saam Barati.
2831
2832         * runtime/JSEnvironmentRecord.h:
2833         (JSC::JSEnvironmentRecord::offsetOfVariable): Change to return
2834         size_t and use checked arithmetic.
2835         (JSC::JSEnvironmentRecord::allocationSizeForScopeSize): Change
2836         to use checked arithmetic.
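As an added illustration of why this entry matters (this is example code, not WebKit's JSEnvironmentRecord implementation): an allocation size computed as header + count * slotSize wraps silently when the count is attacker-influenced and large, so the allocator hands back a small buffer that the caller then indexes far past its end. The layout constants below (a 32-byte header and 8-byte slots) are constructed assumptions; the checked version refuses the computation instead of wrapping.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <iostream>

// Constructed layout for the example, not JSC's real object layout:
// a fixed-size header followed by scopeSize slots of 8 bytes each.
constexpr size_t kHeaderSize = 32;
constexpr size_t kSlotSize = sizeof(uint64_t);

// Unchecked form of the computation. size_t arithmetic wraps modulo 2^64,
// so a huge scopeSize yields a tiny (and wrong) allocation size.
size_t allocationSizeUnchecked(size_t scopeSize) {
    return kHeaderSize + scopeSize * kSlotSize;
}

// Checked byte offset of slot `scopeOffset`: header + scopeOffset * slotSize.
// Each step is guarded with a portable pre-check; std::nullopt signals
// overflow so the caller can fail the allocation instead of undersizing it.
std::optional<size_t> offsetOfVariableChecked(size_t scopeOffset) {
    // Multiplication overflows iff scopeOffset > SIZE_MAX / kSlotSize.
    if (scopeOffset > SIZE_MAX / kSlotSize)
        return std::nullopt;
    size_t slotBytes = scopeOffset * kSlotSize;

    // Addition overflows iff slotBytes > SIZE_MAX - kHeaderSize.
    if (slotBytes > SIZE_MAX - kHeaderSize)
        return std::nullopt;
    return kHeaderSize + slotBytes;
}

// Total allocation size for scopeSize slots is the offset one past the last
// slot, so it reuses the same checked computation.
std::optional<size_t> allocationSizeChecked(size_t scopeSize) {
    return offsetOfVariableChecked(scopeSize);
}

int main() {
    const size_t huge = SIZE_MAX / kSlotSize; // survives the multiply, overflows the add

    std::cout << "unchecked(4)    = " << allocationSizeUnchecked(4) << "\n";
    std::cout << "unchecked(huge) = " << allocationSizeUnchecked(huge)
              << "  (wrapped: far smaller than the header alone)\n";

    if (auto size = allocationSizeChecked(4))
        std::cout << "checked(4)      = " << *size << "\n";
    if (!allocationSizeChecked(huge))
        std::cout << "checked(huge)   = overflow rejected\n";
    return 0;
}
```

The pre-check form (`a > SIZE_MAX / b` before multiplying, `x > SIZE_MAX - y` before adding) is what a `Checked<size_t>` wrapper does internally; the point of the entry is that the offset helper returns the checked result so every allocation path inherits the guard rather than each caller re-deriving it.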
2837
2838 2017-05-15  Mark Lam  <mark.lam@apple.com>
2839
2840         WorkerRunLoop::Task::performTask() should check !scriptController->isTerminatingExecution().
2841         https://bugs.webkit.org/show_bug.cgi?id=171775
2842         <rdar://problem/30975761>
2843
2844         Reviewed by Filip Pizlo.
2845
2846         Increased the number of frames captured in VM::nativeStackTraceOfLastThrow()
2847         from 25 to 100.  From experience, I found that 25 is sometimes not sufficient
2848         for our debugging needs.
2849
2850         Also added VM::throwingThread() to track which thread an exception was thrown in.
2851         This may be useful if the client is entering the VM from different threads.
2852
2853         * runtime/ExceptionScope.cpp:
2854         (JSC::ExceptionScope::unexpectedExceptionMessage):
2855         * runtime/ExceptionScope.h:
2856         (JSC::ExceptionScope::exception):
2857         (JSC::ExceptionScope::unexpectedExceptionMessage):
2858         * runtime/Options.h:
2859         - Added the unexpectedExceptionStackTraceLimit option.
2860         * runtime/VM.cpp:
2861         (JSC::VM::throwException):
2862         * runtime/VM.h:
2863         (JSC::VM::throwingThread):
2864         (JSC::VM::clearException):
2865
2866 2017-05-13  David Kilzer  <ddkilzer@apple.com>
2867
2868         Unused lambda capture in JSContextGroupAddMarkingConstraint()
2869         <https://webkit.org/b/172084>
2870
2871         Reviewed by Saam Barati.
2872
2873         Fixes the following warning with newer clang:
2874
2875             Source/JavaScriptCore/API/JSMarkingConstraintPrivate.cpp:78:11: error: lambda capture 'vm' is not used [-Werror,-Wunused-lambda-capture]
2876                     [&vm, constraintCallback, userData]
2877                       ^
2878
2879         * API/JSMarkingConstraintPrivate.cpp:
2880         (JSContextGroupAddMarkingConstraint): Remove unused lambda
2881         capture for '&vm'.
2882
2883 2017-05-13  David Kilzer  <ddkilzer@apple.com>
2884
2885         [JSC] config.rb fails when checking some clang versions
2886         <https://webkit.org/b/172082>
2887
2888         Reviewed by Mark Lam.
2889
2890         * offlineasm/config.rb:
2891         - Add support for quad-dotted version of Apple clang (800.0.12.1).
2892         - Add support for checking open source clang version (5.0.0).
2893
2894 2017-05-13  Commit Queue  <commit-queue@webkit.org>
2895
2896         Unreviewed, rolling out r216808.
2897         https://bugs.webkit.org/show_bug.cgi?id=172075
2898
2899         caused lldb to hang when debugging (Requested by smfr on
2900         #webkit).
2901
2902         Reverted changeset:
2903
2904         "Use Mach exceptions instead of signals where possible"
2905         https://bugs.webkit.org/show_bug.cgi?id=171865
2906         http://trac.webkit.org/changeset/216808
2907
2908 2017-05-13  Commit Queue  <commit-queue@webkit.org>
2909
2910         Unreviewed, rolling out r216801.
2911         https://bugs.webkit.org/show_bug.cgi?id=172072
2912
2913         Many memory corruption crashes on worker threads (Requested by
2914         ap on #webkit).
2915
2916         Reverted changeset:
2917
2918         "WorkerRunLoop::Task::performTask() should check
2919         !scriptController->isTerminatingExecution()."
2920         https://bugs.webkit.org/show_bug.cgi?id=171775
2921         http://trac.webkit.org/changeset/216801
2922
2923 2017-05-12  Geoffrey Garen  <ggaren@apple.com>
2924
2925         [JSC] DFG::Node should not have its own allocator
2926         https://bugs.webkit.org/show_bug.cgi?id=160098
2927
2928         Reviewed by Saam Barati.
2929
2930         I just rebased the patch from <http://trac.webkit.org/changeset/203808>.
2931
2932         I ran Octane and JetStream locally on a MacBook Air and I wasn't able to
2933         reproduce a regression. Let's land this again and see what the bots say.
2934
2935         * JavaScriptCore.xcodeproj/project.pbxproj:
2936         * b3/B3SparseCollection.h:
2937         (JSC::B3::SparseCollection::packIndices):
2938         * dfg/DFGAllocator.h: Removed.
2939         * dfg/DFGDriver.cpp:
2940         (JSC::DFG::compileImpl):
2941         * dfg/DFGGraph.cpp:
2942         (JSC::DFG::Graph::Graph):
2943         (JSC::DFG::Graph::~Graph):
2944         (JSC::DFG::Graph::deleteNode):
2945         (JSC::DFG::Graph::packNodeIndices):
2946         (JSC::DFG::Graph::addNodeToMapByIndex): Deleted.
2947         * dfg/DFGGraph.h:
2948         (JSC::DFG::Graph::addNode):
2949         (JSC::DFG::Graph::maxNodeCount):
2950         (JSC::DFG::Graph::nodeAt):
2951         * dfg/DFGLongLivedState.cpp: Removed.
2952         * dfg/DFGLongLivedState.h: Removed.
2953         * dfg/DFGNode.h:
2954         * dfg/DFGNodeAllocator.h:
2955         * dfg/DFGPlan.cpp:
2956         (JSC::DFG::Plan::compileInThread):
2957         (JSC::DFG::Plan::compileInThreadImpl):
2958         * dfg/DFGPlan.h:
2959         * dfg/DFGWorklist.cpp:
2960         * runtime/VM.cpp:
2961         (JSC::VM::VM):
2962         * runtime/VM.h:
2963
2964 2017-05-12  Keith Miller  <keith_miller@apple.com>
2965
2966         Use Mach exceptions instead of signals where possible
2967         https://bugs.webkit.org/show_bug.cgi?id=171865
2968
2969         Reviewed by Mark Lam.
2970
2971         This patch adds some new JSC options. The first is an option that
2972         enables or disables web assembly tier up. The second controls
2973         whether or not we use mach exceptions (where available).
2974
2975         * API/tests/ExecutionTimeLimitTest.cpp:
2976         (dispatchTermitateCallback):
2977         (testExecutionTimeLimit):
2978         * runtime/JSLock.cpp:
2979         (JSC::JSLock::didAcquireLock):
2980         * runtime/Options.cpp:
2981         (JSC::overrideDefaults):
2982         (JSC::Options::initialize):
2983         * runtime/Options.h:
2984         * runtime/VMTraps.cpp:
2985         (JSC::SignalContext::SignalContext):
2986         (JSC::SignalContext::adjustPCToPointToTrappingInstruction):
2987         (JSC::installSignalHandler):
2988         (JSC::VMTraps::SignalSender::send):
2989         * tools/SigillCrashAnalyzer.cpp:
2990         (JSC::SignalContext::SignalContext):
2991         (JSC::SignalContext::dump):
2992         (JSC::installCrashHandler):
2993         * wasm/WasmBBQPlan.cpp:
2994         (JSC::Wasm::BBQPlan::compileFunctions):
2995         * wasm/WasmFaultSignalHandler.cpp:
2996         (JSC::Wasm::trapHandler):
2997         (JSC::Wasm::enableFastMemory):
2998         * wasm/WasmMachineThreads.cpp:
2999         (JSC::Wasm::resetInstructionCacheOnAllThreads):
3000
3001 2017-05-12  Mark Lam  <mark.lam@apple.com>
3002
3003         WorkerRunLoop::Task::performTask() should check !scriptController->isTerminatingExecution().
3004         https://bugs.webkit.org/show_bug.cgi?id=171775
3005         <rdar://problem/30975761>
3006
3007         Reviewed by Saam Barati.
3008
3009         Increased the number of frames captured in VM::nativeStackTraceOfLastThrow()
3010         from 25 to 100.  From experience, I found that 25 is sometimes not sufficient
3011         for our debugging needs.
3012
3013         Also added VM::throwingThread() to track which thread an exception was thrown in.
3014         This may be useful if the client is entering the VM from different threads.
3015
3016         * runtime/ExceptionScope.cpp:
3017         (JSC::ExceptionScope::unexpectedExceptionMessage):
3018         * runtime/ExceptionScope.h:
3019         (JSC::ExceptionScope::exception):
3020         (JSC::ExceptionScope::unexpectedExceptionMessage):
3021         * runtime/Options.h:
3022         - Added the unexpectedExceptionStackTraceLimit option.
3023         * runtime/VM.cpp:
3024         (JSC::VM::throwException):
3025         * runtime/VM.h:
3026         (JSC::VM::throwingThread):
3027         (JSC::VM::clearException):
3028
3029 2017-05-12  Daniel Bates  <dabates@apple.com>
3030
3031         Cleanup: Make QueueTaskToEventLoopFunctionPtr take JSGlobalObject&
3032         https://bugs.webkit.org/show_bug.cgi?id=172021
3033
3034         Reviewed by Mark Lam.
3035
3036         Change the function alias for QueueTaskToEventLoopFunctionPtr to take JSGlobalObject&
3037         instead of a const JSGlobalObject* as all implementations expect to be passed a non-
3038         const, non-null JSGlobalObject object.
3039
3040         * runtime/JSGlobalObject.cpp:
3041         (JSC::JSGlobalObject::queueMicrotask):
3042         * runtime/JSGlobalObject.h:
3043         * runtime/VM.cpp:
3044         (JSC::VM::queueMicrotask):
3045         * runtime/VM.h: Remove JS_EXPORT_PRIVATE annotation from queueMicrotask() as
3046         it is only called from JavaScriptCore code.
3047
3048 2017-05-12  Michael Saboff  <msaboff@apple.com>
3049
3050         [iOS] Use memory footprint to dynamically adjust behavior of allocators
3051         https://bugs.webkit.org/show_bug.cgi?id=171944
3052
3053         Reviewed by Filip Pizlo.
3054
3055         This change is iOS only.
3056
3057         Added the ability to react to when memory usage is critical.  This is defined as memory
3058         usage being above the newly added option criticalGCMemoryThreshold.  When we are in this
3059         critical state, all collections are Full and we limit the amount of memory we allocate
3060         between collections to 1/4th the memory above the critical threshold.
3061
3062         Changed the calculation of proportionalHeapSize to be based on process memory footprint
3063         and not how big the heap is.  Also, the values of Options::smallHeapRAMFraction and
3064         Options::mediumHeapRAMFraction are overridden so that most of the heap growth happens
3065         using the more aggressive Options::smallHeapGrowthFactor.
3066
3067         * heap/Heap.cpp:
3068         (JSC::Heap::Heap):
3069         (JSC::Heap::overCriticalMemoryThreshold):
3070         (JSC::Heap::shouldDoFullCollection):
3071         (JSC::Heap::collectIfNecessaryOrDefer):
3072         * heap/Heap.h:
3073         * runtime/Options.cpp:
3074         (JSC::overrideDefaults):
3075         (JSC::Options::initialize):
3076         * runtime/Options.h:
3077
3078 2017-05-11  Saam Barati  <sbarati@apple.com>
3079
3080         Computing optionalDefArgWidth in CheckSpecial should not consider Scratch roles
3081         https://bugs.webkit.org/show_bug.cgi?id=171962
3082
3083         Reviewed by Filip Pizlo.
3084
3085         The purpose of getting the result width is to get the width of
3086         the result of the arithmetic. It does not care that the
3087         Check happens to define scratches.
3088
3089         * b3/B3CheckSpecial.cpp:
3090         (JSC::B3::CheckSpecial::forEachArg):
3091         * b3/testb3.cpp:
3092         (JSC::B3::testCheckMul):
3093         (JSC::B3::testCheckMulMemory):
3094         (JSC::B3::testCheckMul64):
3095         (JSC::B3::testCheckMulFold):
3096         (JSC::B3::testCheckMulFoldFail):
3097         (JSC::B3::testCheckMulArgumentAliasing64):
3098         (JSC::B3::testCheckMulArgumentAliasing32):
3099         (JSC::B3::testCheckMul64SShr):
3100
3101 2017-05-11  Saam Barati  <sbarati@apple.com>
3102
3103         isValidForm for SimpleAddr should use ptr() instead of tmp()
3104         https://bugs.webkit.org/show_bug.cgi?id=171992
3105
3106         Reviewed by Filip Pizlo.
3107
3108         Arg::tmp() asserts that its kind is Tmp. Inst::isValidForm for
3109         SimpleAddr was using Arg::tmp() instead of ptr() to check
3110         if the address Tmp isGP(). It should be using Arg::ptr() instead
3111         of Arg::tmp() since Arg::ptr() is designed for SimpleAddr.
3112         
3113         This patch also fixes an incorrect assertion in the ARM64
3114         macro assembler. We were asserting various atomic ops were
3115         only over 32/64 bit operations. However, the code was properly handling
3116         8/16/32/64 bit ops. I changed the assertion to reflect what is
3117         actually going on.
3118
3119         * assembler/ARM64Assembler.h:
3120         (JSC::ARM64Assembler::ldar):
3121         (JSC::ARM64Assembler::ldxr):
3122         (JSC::ARM64Assembler::ldaxr):
3123         (JSC::ARM64Assembler::stxr):
3124         (JSC::ARM64Assembler::stlr):
3125         (JSC::ARM64Assembler::stlxr):
3126         * b3/air/opcode_generator.rb:
3127         * b3/testb3.cpp:
3128         (JSC::B3::testLoadAcq42):
3129         (JSC::B3::testStoreRelAddLoadAcq32):
3130         (JSC::B3::testStoreRelAddLoadAcq8):
3131         (JSC::B3::testStoreRelAddFenceLoadAcq8):
3132         (JSC::B3::testStoreRelAddLoadAcq16):
3133         (JSC::B3::testStoreRelAddLoadAcq64):
3134         (JSC::B3::testAtomicWeakCAS):
3135         (JSC::B3::testAtomicStrongCAS):
3136         (JSC::B3::testAtomicXchg):
3137
3138 2017-05-11  Matt Lewis  <jlewis3@apple.com>
3139
3140         Unreviewed, rolling out r216677.
3141
3142         Patch caused layout test crashes.
3143
3144         Reverted changeset:
3145
3146         "WorkerThread::stop() should call
3147         scheduleExecutionTermination() last."
3148         https://bugs.webkit.org/show_bug.cgi?id=171775
3149         http://trac.webkit.org/changeset/216677
3150
3151 2017-05-11  Don Olmstead  <don.olmstead@am.sony.com>
3152
3153         [CMake] Add HAVE check for regex.h
3154         https://bugs.webkit.org/show_bug.cgi?id=171950
3155
3156         Reviewed by Michael Catanzaro.
3157
3158         * runtime/ConfigFile.cpp:
3159         (JSC::ConfigFile::parse):
3160
3161 2017-05-11  Filip Pizlo  <fpizlo@apple.com>
3162
3163         Callers of JSString::unsafeView() should check exceptions
3164         https://bugs.webkit.org/show_bug.cgi?id=171995
3165
3166         Reviewed by Mark Lam.
3167         
3168         unsafeView() can throw OOME. So, callers of unsafeView() should check for exceptions before trying
3169         to access the view.
3170
3171         Also, I made the functions surrounding unsafeView() take ExecState* not ExecState&, to comply with
3172         the rest of JSC.
3173
3174         * dfg/DFGOperations.cpp:
3175         * jsc.cpp:
3176         (printInternal):
3177         (functionDebug):
3178         * runtime/ArrayPrototype.cpp:
3179         (JSC::arrayProtoFuncJoin):
3180         * runtime/FunctionConstructor.cpp:
3181         (JSC::constructFunctionSkippingEvalEnabledCheck):
3182         * runtime/IntlCollatorPrototype.cpp:
3183         (JSC::IntlCollatorFuncCompare):
3184         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
3185         (JSC::genericTypedArrayViewProtoFuncJoin):
3186         * runtime/JSGlobalObjectFunctions.cpp:
3187         (JSC::globalFuncParseFloat):
3188         * runtime/JSONObject.cpp:
3189         (JSC::JSONProtoFuncParse):
3190         * runtime/JSString.cpp:
3191         (JSC::JSString::getPrimitiveNumber):
3192         (JSC::JSString::toNumber):
3193         * runtime/JSString.h:
3194         (JSC::JSString::getIndex):
3195         (JSC::JSRopeString::unsafeView):
3196         (JSC::JSRopeString::viewWithUnderlyingString):
3197         (JSC::JSString::unsafeView):
3198         (JSC::JSString::viewWithUnderlyingString):
3199         * runtime/JSStringJoiner.h:
3200         (JSC::JSStringJoiner::appendWithoutSideEffects):
3201         (JSC::JSStringJoiner::append):
3202         * runtime/ParseInt.h:
3203         (JSC::toStringView):
3204         * runtime/StringPrototype.cpp:
3205         (JSC::stringProtoFuncRepeatCharacter):
3206         (JSC::stringProtoFuncCharAt):
3207         (JSC::stringProtoFuncCharCodeAt):
3208         (JSC::stringProtoFuncIndexOf):
3209         (JSC::stringProtoFuncNormalize):
3210
3211 2017-05-11  Filip Pizlo  <fpizlo@apple.com>
3212
3213         Offer SPI to notify clients that GC has happened
3214         https://bugs.webkit.org/show_bug.cgi?id=171980
3215
3216         Reviewed by Geoffrey Garen.
3217         
3218         Sometimes when you're programming with weak references, it's most convenient if the GC tells
3219         you when it finishes. This adds exactly such an API. This API is called at the *flip*: the
3220         moment when the GC knows for sure which objects are dead and has definitely not allocated any
3221         new objects or executed any JS code. The finalization part of the flip, which is where this
3222         callback gets called, runs on the "main" thread - i.e. some thread that is attempting to
3223         execute JS code and holds the JS lock. This will usually run as a side-effect of some
3224         allocation or from the runloop.
3225         
3226         This means, for example, that if you implemented a vector of weak references and registered a
3227         callback to prune the vector of null weak references, then aside from the callback, nobody
3228         would ever see a null weak reference in the vector.
3229
3230         * API/JSHeapFinalizerPrivate.cpp: Added.
3231         (JSContextGroupAddHeapFinalizer):
3232         (JSContextGroupRemoveHeapFinalizer):
3233         * API/JSHeapFinalizerPrivate.h: Added.
3234         * API/tests/testapi.c:
3235         (heapFinalizer):
3236         (testMarkingConstraintsAndHeapFinalizers):
3237         (main):
3238         (testMarkingConstraints): Deleted.
3239         * CMakeLists.txt:
3240         * JavaScriptCore.xcodeproj/project.pbxproj:
3241         * heap/Heap.cpp:
3242         (JSC::Heap::finalize):
3243         (JSC::Heap::addHeapFinalizerCallback):
3244         (JSC::Heap::removeHeapFinalizerCallback):
3245         * heap/Heap.h:
3246         * heap/HeapFinalizerCallback.cpp: Added.
3247         (JSC::HeapFinalizerCallback::dump):
3248         * heap/HeapFinalizerCallback.h: Added.
3249         (JSC::HeapFinalizerCallback::HeapFinalizerCallback):
3250         (JSC::HeapFinalizerCallback::operator==):
3251         (JSC::HeapFinalizerCallback::operator!=):
3252         (JSC::HeapFinalizerCallback::operator bool):
3253         (JSC::HeapFinalizerCallback::run):
3254
3255 2017-05-11  Filip Pizlo  <fpizlo@apple.com>
3256
3257         JSWeakCreate/Retain/Release should take a JSContextGroupRef and not a JSContextRef
3258         https://bugs.webkit.org/show_bug.cgi?id=171979
3259
3260         Reviewed by Mark Lam.
3261         
3262         Functions that don't execute arbitrary JS but just need access to the VM should take a
3263         JSContextGroupRef, not a JSContextRef.
3264
3265         * API/JSWeakPrivate.cpp:
3266         (JSWeakCreate):
3267         (JSWeakRetain):
3268         (JSWeakRelease):
3269         * API/JSWeakPrivate.h:
3270         * API/tests/testapi.c:
3271         (testMarkingConstraints):
3272
3273 2017-05-11  Mark Lam  <mark.lam@apple.com>
3274
3275         WorkerThread::stop() should call scheduleExecutionTermination() last.
3276         https://bugs.webkit.org/show_bug.cgi?id=171775
3277         <rdar://problem/30975761>
3278
3279         Reviewed by Geoffrey Garen.
3280
3281         Increased the number of frames captured in VM::nativeStackTraceOfLastThrow()
3282         from 25 to 100.  From experience, I found that 25 is sometimes not sufficient
3283         for our debugging needs.
3284
3285         Also added VM::throwingThread() to track which thread an exception was thrown in.
3286         This may be useful if the client is entering the VM from different threads.
3287
3288         * runtime/ExceptionScope.cpp:
3289         (JSC::ExceptionScope::unexpectedExceptionMessage):
3290         (JSC::ExceptionScope::releaseAssertIsTerminatedExecutionException):
3291         * runtime/ExceptionScope.h:
3292         (JSC::ExceptionScope::exception):
3293         (JSC::ExceptionScope::unexpectedExceptionMessage):
3294         * runtime/VM.cpp:
3295         (JSC::VM::throwException):
3296         * runtime/VM.h:
3297         (JSC::VM::throwingThread):
3298         (JSC::VM::clearException):
3299
3300 2017-05-11  JF Bastien  <jfbastien@apple.com>
3301
3302         WebAssembly: stop supporting 0xD
3303         https://bugs.webkit.org/show_bug.cgi?id=168788
3304         <rdar://problem/31880922>
3305
3306         Reviewed by Saam Barati.
3307
3308         Only version 1 is supported by other browsers, and there shouldn't
3309         be any 0xD binaries in the wild anymore.
3310
3311         * wasm/WasmModuleParser.cpp:
3312
3313 2017-05-09  Sam Weinig  <sam@webkit.org>
3314
3315         Remove support for legacy Notifications
3316         https://bugs.webkit.org/show_bug.cgi?id=171487
3317
3318         Reviewed by Jon Lee.
3319
3320         * Configurations/FeatureDefines.xcconfig:
3321         Remove definition of ENABLE_LEGACY_NOTIFICATIONS.
3322
3323 2017-05-10  Commit Queue  <commit-queue@webkit.org>
3324
3325         Unreviewed, rolling out r216635.
3326         https://bugs.webkit.org/show_bug.cgi?id=171953
3327
3328         "Some worker tests are failing". (Requested by mlam on #webkit).
3329
3330         Reverted changeset:
3331
3332         "WorkerThread::stop() should call
3333         scheduleExecutionTermination() last."
3334         https://bugs.webkit.org/show_bug.cgi?id=171775
3335         http://trac.webkit.org/changeset/216635
3336
3337 2017-05-10  Mark Lam  <mark.lam@apple.com>
3338
3339         Crash in JavaScriptCore GC when using JSC on dispatch queues (thread_get_state returns NULL stack pointer).
3340         https://bugs.webkit.org/show_bug.cgi?id=160337
3341         <rdar://problem/27611733>
3342
3343         Not reviewed.
3344
3345         Updated a comment per Geoff's suggestion.
3346
3347         * heap/MachineStackMarker.cpp:
3348         (JSC::MachineThreads::tryCopyOtherThreadStack):
3349
3350 2017-05-10  Mark Lam  <mark.lam@apple.com>
3351
3352         WorkerThread::stop() should call scheduleExecutionTermination() last.
3353         https://bugs.webkit.org/show_bug.cgi?id=171775
3354         <rdar://problem/30975761>
3355
3356         Reviewed by Geoffrey Garen.
3357
3358         Increased the number of frames captured in VM::nativeStackTraceOfLastThrow()
3359         from 25 to 100.  From experience, I found that 25 is sometimes not sufficient
3360         for