Web Inspector: Instrument active pixel memory used by canvases
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-06-28  Devin Rousso  <drousso@apple.com>

        Web Inspector: Instrument active pixel memory used by canvases
        https://bugs.webkit.org/show_bug.cgi?id=173087
        <rdar://problem/32719261>

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Canvas.json:
         - Add optional `memoryCost` attribute to the `Canvas` type.
         - Add `canvasMemoryChanged` event that is dispatched when the `memoryCost` of a canvas changes.

2017-06-28  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Cleanup Protocol JSON files
        https://bugs.webkit.org/show_bug.cgi?id=173934

        Reviewed by Matt Baker.

        * inspector/protocol/ApplicationCache.json:
        * inspector/protocol/CSS.json:
        * inspector/protocol/Console.json:
        * inspector/protocol/DOM.json:
        * inspector/protocol/DOMDebugger.json:
        * inspector/protocol/Debugger.json:
        * inspector/protocol/LayerTree.json:
        * inspector/protocol/Network.json:
        * inspector/protocol/Page.json:
        * inspector/protocol/Runtime.json:
        Be more consistent about placement of the `description` property.

2017-06-27  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove unused Inspector domain events
        https://bugs.webkit.org/show_bug.cgi?id=173905

        Reviewed by Matt Baker.

        * inspector/protocol/Inspector.json:

2017-06-28  JF Bastien  <jfbastien@apple.com>

        Ensure that computed new stack pointer values do not underflow.
        https://bugs.webkit.org/show_bug.cgi?id=173700
        <rdar://problem/32926032>

        Reviewed by Filip Pizlo and Saam Barati, update reviewed by Mark Lam.

        Patch by Mark Lam, with the following fix:

        Re-apply this patch; it originally broke the ARM build because the llint code
        generated `subs xzr, x3, sp` which isn't valid ARM64: the third operand cannot
        be SP (that encoding would be ZR instead, subtracting zero). Flip the comparison
        and operands to emit valid code (because the second operand can be SP).

        1. Added a RELEASE_ASSERT to BytecodeGenerator::generate() to ensure that
           m_numCalleeLocals is sane.

        2. Added underflow checks in LLInt code and VarargsFrame code.

        3. Introduce minimumReservedZoneSize, which is hardcoded to 16K.
           Ensure that Options::reservedZoneSize() is at least minimumReservedZoneSize.
           Ensure that Options::softReservedZoneSize() is at least greater than
           Options::reservedZoneSize() by minimumReservedZoneSize.

        4. Ensure that stack checks emitted by JIT tiers include an underflow check if
           and only if the max size of the frame is greater than Options::reservedZoneSize().

           By design, we are guaranteed to have at least Options::reservedZoneSize() bytes
           of memory at the bottom (end) of the stack.  This means that, at any time, the
           frame pointer must be at least Options::reservedZoneSize() bytes away from the
           end of the stack.  Hence, if the max frame size is less than
           Options::reservedZoneSize(), there's no way that frame pointer - max
           frame size can underflow, and we can elide the underflow check.

           Note that we use Options::reservedZoneSize() instead of
           Options::softReservedZoneSize() to determine whether we need an underflow check.
           This is because the softStackLimit that is used for stack checks can be set
           based on Options::reservedZoneSize() during error handling (e.g. when creating
           strings for instantiating the Error object).  Hence, the guaranteed minimum
           distance between the frame pointer and the end of the stack is
           Options::reservedZoneSize() and not Options::softReservedZoneSize().

           Note also that we ensure that Options::reservedZoneSize() is at least
           minimumReservedZoneSize (i.e. 16K).  In typical deployments,
           Options::reservedZoneSize() may be larger.  Using Options::reservedZoneSize()
           instead of minimumReservedZoneSize gives us more chances to elide underflow
           checks.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::emitStackOverflowCheck):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        * jit/JIT.cpp:
        (JSC::JIT::compileWithoutLinking):
        * jit/SetupVarargsFrame.cpp:
        (JSC::emitSetupVarargsFrameFastCase):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/MinimumReservedZoneSize.h: Added.
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/VM.cpp:
        (JSC::VM::updateStackLimits):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):

2017-06-28  Chris Dumez  <cdumez@apple.com>

        Unreviewed, rolling out r218869.

        Broke the iOS build

        Reverted changeset:

        "Ensure that computed new stack pointer values do not
        underflow."
        https://bugs.webkit.org/show_bug.cgi?id=173700
        http://trac.webkit.org/changeset/218869

2017-06-28  Chris Dumez  <cdumez@apple.com>

        Unreviewed, rolling out r218873.

        Broke the iOS build

        Reverted changeset:

        "Gardening: CLoop build fix."
        https://bugs.webkit.org/show_bug.cgi?id=173700
        http://trac.webkit.org/changeset/218873

2017-06-28  Mark Lam  <mark.lam@apple.com>

        Gardening: CLoop build fix.
        https://bugs.webkit.org/show_bug.cgi?id=173700
        <rdar://problem/32926032>

        Not reviewed.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2017-06-28  Mark Lam  <mark.lam@apple.com>

        Ensure that computed new stack pointer values do not underflow.
        https://bugs.webkit.org/show_bug.cgi?id=173700
        <rdar://problem/32926032>

        Reviewed by Filip Pizlo and Saam Barati.

        1. Added a RELEASE_ASSERT to BytecodeGenerator::generate() to ensure that
           m_numCalleeLocals is sane.

        2. Added underflow checks in LLInt code and VarargsFrame code.

        3. Introduce minimumReservedZoneSize, which is hardcoded to 16K.
           Ensure that Options::reservedZoneSize() is at least minimumReservedZoneSize.
           Ensure that Options::softReservedZoneSize() is at least greater than
           Options::reservedZoneSize() by minimumReservedZoneSize.

        4. Ensure that stack checks emitted by JIT tiers include an underflow check if
           and only if the max size of the frame is greater than Options::reservedZoneSize().

           By design, we are guaranteed to have at least Options::reservedZoneSize() bytes
           of memory at the bottom (end) of the stack.  This means that, at any time, the
           frame pointer must be at least Options::reservedZoneSize() bytes away from the
           end of the stack.  Hence, if the max frame size is less than
           Options::reservedZoneSize(), there's no way that frame pointer - max
           frame size can underflow, and we can elide the underflow check.

           Note that we use Options::reservedZoneSize() instead of
           Options::softReservedZoneSize() to determine whether we need an underflow check.
           This is because the softStackLimit that is used for stack checks can be set
           based on Options::reservedZoneSize() during error handling (e.g. when creating
           strings for instantiating the Error object).  Hence, the guaranteed minimum
           distance between the frame pointer and the end of the stack is
           Options::reservedZoneSize() and not Options::softReservedZoneSize().

           Note also that we ensure that Options::reservedZoneSize() is at least
           minimumReservedZoneSize (i.e. 16K).  In typical deployments,
           Options::reservedZoneSize() may be larger.  Using Options::reservedZoneSize()
           instead of minimumReservedZoneSize gives us more chances to elide underflow
           checks.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        * jit/JIT.cpp:
        (JSC::JIT::compileWithoutLinking):
        * jit/SetupVarargsFrame.cpp:
        (JSC::emitSetupVarargsFrameFastCase):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/MinimumReservedZoneSize.h: Added.
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/VM.cpp:
        (JSC::VM::updateStackLimits):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):
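
Added example (not JavaScriptCore code) modelling the stack check described in this entry and in the re-applied copy of it above: BigInt stands in for 64-bit unsigned address arithmetic, the option names follow the ChangeLog, and the addresses and frame sizes are constructed for illustration.

```javascript
// Added example, not JavaScriptCore code: models the JIT stack check described
// in the two "computed new stack pointer values do not underflow" entries.
// BigInt emulates 64-bit unsigned address arithmetic; the option names follow
// the ChangeLog, the address values below are constructed for illustration.

const WORD = 1n << 64n;
const mod64 = (x) => ((x % WORD) + WORD) % WORD;

// Hard-coded 16K floor, as item 3 of the entry describes.
const minimumReservedZoneSize = 16n * 1024n;

// Item 3: reservedZoneSize >= 16K, softReservedZoneSize >= reservedZoneSize + 16K.
function validatedZoneSizes(reservedZoneSize, softReservedZoneSize) {
  const reserved = reservedZoneSize < minimumReservedZoneSize
    ? minimumReservedZoneSize : reservedZoneSize;
  const minSoft = reserved + minimumReservedZoneSize;
  const soft = softReservedZoneSize < minSoft ? minSoft : softReservedZoneSize;
  return { reservedZoneSize: reserved, softReservedZoneSize: soft };
}

// Item 4: an underflow check is required iff the frame can be larger than the
// zone the frame pointer is guaranteed to sit above.
function needsUnderflowCheck(maxFrameSize, reservedZoneSize) {
  return maxFrameSize > reservedZoneSize;
}

// The check without underflow protection: fp - maxFrameSize wraps for a frame
// larger than fp itself, lands above the limit, and the frame is wrongly accepted.
function naiveStackCheck(fp, maxFrameSize, softStackLimit) {
  const newSP = mod64(fp - maxFrameSize);
  return newSP >= softStackLimit;
}

// The fixed check: reject when the subtraction wrapped (newSP ended up above fp),
// emitting that extra comparison only when item 4 says it cannot be elided.
function checkedStackCheck(fp, maxFrameSize, softStackLimit, reservedZoneSize) {
  const newSP = mod64(fp - maxFrameSize);
  if (needsUnderflowCheck(maxFrameSize, reservedZoneSize) && newSP > fp)
    return false; // underflow: treat as a stack overflow
  return newSP >= softStackLimit;
}

// Why elision is sound: fp is always >= stackEnd + reservedZoneSize, so for
// maxFrameSize <= reservedZoneSize the difference is >= stackEnd and cannot wrap.
function elidedCheckCannotWrap(fp, stackEnd, reservedZoneSize, maxFrameSize) {
  if (fp < stackEnd + reservedZoneSize) throw new RangeError("fp below the reserved zone");
  if (needsUnderflowCheck(maxFrameSize, reservedZoneSize)) return false;
  return fp - maxFrameSize >= stackEnd;
}

// Constructed scenario: a stack whose lowest address is 0x10000, 16K/32K zones,
// and a frame pointer 64K above the end of the stack.
function demo() {
  const stackEnd = 0x10000n;
  const { reservedZoneSize, softReservedZoneSize } = validatedZoneSizes(0n, 0n);
  const softStackLimit = stackEnd + softReservedZoneSize;
  const fp = stackEnd + 0x10000n;
  const huge = 0x30000n; // 192K frame, larger than fp: the subtraction wraps
  return {
    naiveAcceptsHugeFrame: naiveStackCheck(fp, huge, softStackLimit),
    checkedAcceptsHugeFrame: checkedStackCheck(fp, huge, softStackLimit, reservedZoneSize),
    smallFrameNeedsCheck: needsUnderflowCheck(0x2000n, reservedZoneSize),
    smallFrameSafe: elidedCheckCannotWrap(fp, stackEnd, reservedZoneSize, 0x2000n),
  };
}

console.log(demo());
```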

2017-06-27  JF Bastien  <jfbastien@apple.com>

        WebAssembly: running out of executable memory should throw OoM
        https://bugs.webkit.org/show_bug.cgi?id=171537
        <rdar://problem/32963338>

        Reviewed by Saam Barati.

        Both on first compile with BBQ as well as on tier-up with OMG,
        running out of X memory shouldn't cause the entire program to
        terminate. An exception will do when compiling initial code (since
        we don't have any other fallback at the moment), and refusal to
        tier up will do as well (it'll just be slower).

        This is useful because programs which generate huge amounts of
        code simply look like crashes, which developers report to
        us. Getting a JavaScript exception instead is much clearer.

        * jit/ExecutableAllocator.cpp:
        (JSC::ExecutableAllocator::allocate):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::shouldJIT):
        * runtime/Options.h:
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::prepare):
        (JSC::Wasm::BBQPlan::complete):
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToJs):
        (JSC::Wasm::wasmToWasm):
        * wasm/WasmBinding.h:
        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::OMGPlan::work):
        * wasm/js/JSWebAssemblyCodeBlock.cpp:
        (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
        * wasm/js/JSWebAssemblyCodeBlock.h:
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::finalizeCreation):

2017-06-27  Saam Barati  <sbarati@apple.com>

        JITStubRoutine::passesFilter should use isJITPC
        https://bugs.webkit.org/show_bug.cgi?id=173906

        Reviewed by JF Bastien.

        This patch makes JITStubRoutine use the isJITPC abstraction defined
        inside ExecutableAllocator.h. Before, JITStubRoutine was using a
        hardcoded platform size constant. This means it'd do the wrong thing
        if Options::jitMemoryReservationSize() was larger than the defined
        constant for that platform. This patch also removes a bunch of
        dead code in that file.

        * jit/ExecutableAllocator.cpp:
        * jit/ExecutableAllocator.h:
        * jit/JITStubRoutine.h:
        (JSC::JITStubRoutine::passesFilter):
        (JSC::JITStubRoutine::canPerformRangeFilter): Deleted.
        (JSC::JITStubRoutine::filteringStartAddress): Deleted.
        (JSC::JITStubRoutine::filteringExtentSize): Deleted.

2017-06-27  Saam Barati  <sbarati@apple.com>

        Fix some stale comments in Wasm code base
        https://bugs.webkit.org/show_bug.cgi?id=173814

        Reviewed by Mark Lam.

        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToJs):
        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::runOMGPlanForIndex):

2017-06-27  Caio Lima  <ticaiolima@gmail.com>

        [ESnext] Implement Object Rest - Implementing Object Rest Destructuring
        https://bugs.webkit.org/show_bug.cgi?id=167962

        Reviewed by Saam Barati.

        The Object Rest/Spread Destructuring proposal is in stage 3 [1] and this
        patch is a prototype implementation of it. A simple change to the
        parser was necessary to support the new '...' token in the Object Pattern
        destructuring rule. On the bytecode generator side, we changed the
        bytecode generated in ObjectPatternNode::bindValue to store in a
        set the identifiers of already destructured properties, following spec draft
        section [2], and then pass it as excludedNames to CopyDataProperties.
        The rest destructuring calls copyDataProperties to perform the
        copy of the rest properties in rhs.

        We also implemented CopyDataProperties as a private JS global operation
        in builtins/GlobalOperations.js following its specification in [3].
        It is implemented using a Set object to verify whether a property is in
        excludedNames, to keep this algorithm at O(n + m) complexity, where n
        = number of source's own properties and m = excludedNames.length.

        In this implementation we aren't using excludeList as a constant if the
        destructuring pattern contains a computed property, i.e. we can
        just determine the key to be excluded at runtime. If we can define all
        identifiers in the pattern at compile time, we then create a
        constant JSSet. This approach gives a good performance improvement,
        since we allocate the excludeSet just once, reducing GC pressure.

        [1] - https://github.com/tc39/proposal-object-rest-spread
        [2] - https://tc39.github.io/proposal-object-rest-spread/#Rest-RuntimeSemantics-PropertyDestructuringAssignmentEvaluation
        [3] - https://tc39.github.io/proposal-object-rest-spread/#AbstractOperations-CopyDataProperties

        * builtins/BuiltinNames.h:
        * builtins/GlobalOperations.js:
        (globalPrivate.copyDataProperties):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ObjectPatternNode::bindValue):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::appendObjectPatternEntry):
        (JSC::ASTBuilder::appendObjectPatternRestEntry):
        (JSC::ASTBuilder::setContainsObjectRestElement):
        * parser/Nodes.h:
        (JSC::ObjectPatternNode::appendEntry):
        (JSC::ObjectPatternNode::setContainsRestElement):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseDestructuringPattern):
        (JSC::Parser<LexerType>::parseProperty):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::operatorStackPop):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::asyncFunctionStructure):
        (JSC::JSGlobalObject::setStructure): Deleted.
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::privateToObject):
        * runtime/JSGlobalObjectFunctions.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::finishCreation):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):
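
Added example (not the GlobalOperations.js builtin): a userland model of the CopyDataProperties abstract operation this entry describes and of the object rest binding built on it, using a Set for the excluded names as the entry explains. The function names and the sample object are ours.

```javascript
// Added example, not the GlobalOperations.js builtin: a userland model of the
// CopyDataProperties abstract operation this entry describes, and of the object
// rest destructuring built on it. The function names here are ours.

// ToPropertyKey: a computed key such as `{ [1]: x, ...rest }` excludes the
// string "1", so excluded names must be canonicalised the same way own keys are.
function toPropertyKey(key) {
  return typeof key === "symbol" ? key : String(key);
}

// CopyDataProperties(target, source, excludedNames) as in the proposal [3]:
// copy every own enumerable property of source whose key is not excluded.
// excludedNames is a Set, so membership is O(1) and the whole pass is
// O(n + m) for n own properties and m excluded names, as the entry notes.
function copyDataProperties(target, source, excludedNames = new Set()) {
  if (source === null || source === undefined) return target;
  const from = Object(source); // ToObject
  for (const key of Reflect.ownKeys(from)) { // integer keys, strings, then symbols
    if (excludedNames.has(key)) continue;
    const desc = Object.getOwnPropertyDescriptor(from, key);
    if (desc === undefined || !desc.enumerable) continue;
    // [[Get]] runs accessors, so copying is observable for getter properties.
    Object.defineProperty(target, key, {
      value: from[key], writable: true, enumerable: true, configurable: true,
    });
  }
  return target;
}

// What `const { k1, [expr]: k2, ...rest } = rhs` does for the rest binding:
// the excluded set is built per evaluation because computed keys are only
// known at runtime (a pattern with identifier keys only could hoist it, which
// is the constant-JSSet optimisation the entry describes).
function objectRest(rhs, excludedKeys) {
  if (rhs === null || rhs === undefined) {
    throw new TypeError("Cannot destructure " + rhs); // RequireObjectCoercible
  }
  const excluded = new Set(excludedKeys.map(toPropertyKey));
  return copyDataProperties({}, rhs, excluded);
}

// Constructed sample: compares the model with the engine's native rest element.
function demo() {
  const sym = Symbol("tag");
  let getterCalls = 0;
  const src = { a: 1, b: 2, 1: "one", [sym]: "s", get g() { getterCalls++; return "g"; } };
  Object.defineProperty(src, "hidden", { value: 42, enumerable: false });

  const modelled = objectRest(src, ["a", 1]);
  const { a, 1: one, ...native } = src;
  return {
    modelledKeys: Reflect.ownKeys(modelled),
    nativeKeys: Reflect.ownKeys(native),
    hiddenCopied: Object.prototype.hasOwnProperty.call(modelled, "hidden"),
    getterCalls, // one call from the model, one from the native destructuring
    excludedValues: [a, one],
  };
}

console.log(demo());
```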

2017-06-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Do not touch VM after notifying Ready in DFG::Worklist
        https://bugs.webkit.org/show_bug.cgi?id=173888

        Reviewed by Saam Barati.

        After notifying Plan::Ready and releasing the Worklist lock, the VM can be destroyed.
        Thus, Plan::vm() can return a destroyed VM. Do not touch it.
        This causes occasional SEGV / assertion failures in the workers/bomb test.

        * dfg/DFGWorklist.cpp:

2017-06-27  Saam Barati  <sbarati@apple.com>

        Remove an inaccurate comment inside DFGClobberize.h
        https://bugs.webkit.org/show_bug.cgi?id=163874

        Reviewed by Filip Pizlo.

        The comment said that Clobberize may or may not be sound if run prior to
        doing type inference. This is not correct, though. Clobberize *must* be sound
        prior to doing type inference since we use it inside the BytecodeParser, which
        is the very first thing the DFG does.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

2017-06-27  Saam Barati  <sbarati@apple.com>

        Function constructor needs to follow the spec and validate parameters and body independently
        https://bugs.webkit.org/show_bug.cgi?id=173303
        <rdar://problem/32732526>

        Reviewed by Keith Miller.

        The Function constructor must check the arguments and body strings
        independently for syntax errors. People rely on this specified behavior
        to verify that a particular string is a valid function body. We used
        to check these strings concatenated together, instead of
        independently. For example, this used to be valid: `Function("/*", "*/){")`.
        However, we should throw a syntax error here since "(/*)" is not a valid
        parameter list, and "*/){" is not a valid body.

        To implement the specified behavior, we check the syntax independently of
        both the body and the parameter list. To check that the parameter list has
        valid syntax, we check that it is valid if in a function with an empty body.
        To check that the body has valid syntax, we check it is valid in a function
        with an empty parameter list.

        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
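
Added example (not FunctionConstructor.cpp) contrasting the old concatenated syntax check with the independent checks this entry describes, on the `Function("/*", "*/){")` case it quotes; the function names are ours, and the candidate text is only parsed (a function expression is created, never called).

```javascript
// Added example, not FunctionConstructor.cpp: contrasts the old concatenated
// syntax check with the independent checks this entry describes, using the
// `Function("/*", "*/){")` case it quotes. Function names here are ours.

// Parse a candidate source text without running it; only SyntaxError counts
// as rejection, anything else is a harness bug and is re-thrown.
function parses(src) {
  try {
    (0, eval)(src); // indirect eval: yields a function object, which is never called
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Old behaviour: parameters and body are spliced into one source text and
// parsed together, so "/*" in the parameters and "*/" in the body pair up and
// the leftover ") {" text happens to form an empty parameter list and body.
function acceptsWhenConcatenated(params, body) {
  return parses("(function anonymous(" + params + "\n) {\n" + body + "\n})");
}

// Fixed behaviour, as the entry describes it: the parameter list must parse
// inside a function with an empty body, the body inside a function with an
// empty parameter list. Each fragment is then judged on its own.
function validateIndependently(params, body) {
  return {
    paramsValid: parses("(function anonymous(" + params + "\n) {\n})"),
    bodyValid: parses("(function anonymous(\n) {\n" + body + "\n})"),
  };
}

function acceptsIndependently(params, body) {
  const { paramsValid, bodyValid } = validateIndependently(params, body);
  return paramsValid && bodyValid;
}

console.log(acceptsWhenConcatenated("/*", "*/){"), validateIndependently("/*", "*/){"));
```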

2017-06-27  Ting-Wei Lan  <lantw44@gmail.com>

        Add missing includes to fix compilation error on FreeBSD
        https://bugs.webkit.org/show_bug.cgi?id=172919

        Reviewed by Mark Lam.

        * API/JSRemoteInspector.h:
        * API/tests/GlobalContextWithFinalizerTest.cpp:
        * API/tests/TypedArrayCTest.cpp:

2017-06-27  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Crash generating object preview for ArrayIterator
        https://bugs.webkit.org/show_bug.cgi?id=173754
        <rdar://problem/32859012>

        Reviewed by Saam Barati.

        When Inspector generated an object preview for an ArrayIterator instance it made
        a "clone" of the original ArrayIterator instance by constructing a new object with
        the instance's structure. However, user code could have modified that instance's
        structure, such as adding / removing properties. The `return` property had special
        meaning, and our clone did not fill that slot. This approach is brittle in that
        we weren't satisfying the expectations of an object with a particular Structure,
        and the original goal of having Web Inspector peek values of built-in Iterators
        was to avoid observable behavior.

        This tightens Web Inspector's Iterator preview to only peek values if the
        Iterators would actually be non-observable. It also builds an ArrayIterator
        clone like a regular object construction.

        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::cloneArrayIteratorObject):
        Build up the Object from scratch with a new ArrayIterator prototype.

        (Inspector::JSInjectedScriptHost::iteratorEntries):
        Only clone and peek iterators if it would not be observable.
        Also update iteration to be more in line with IterationOperations, such as when
        we call iteratorClose.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::stringIteratorProtocolWatchpoint):
        * runtime/JSGlobalObjectInlines.h:
        (JSC::JSGlobalObject::isStringPrototypeIteratorProtocolFastAndNonObservable):
        Add a StringIterator WatchPoint in line with the Array/Map/Set iterator watchpoints.

        * runtime/JSMap.cpp:
        (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
        (JSC::JSMap::canCloneFastAndNonObservable):
        * runtime/JSMap.h:
        * runtime/JSSet.cpp:
        (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
        (JSC::JSSet::canCloneFastAndNonObservable):
        * runtime/JSSet.h:
        Promote isIteratorProtocolFastAndNonObservable to a method.

        * runtime/JSObject.cpp:
        (JSC::canDoFastPutDirectIndex):
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::isArgumentsType):
        Helper to detect if an Object is an Arguments type.

2017-06-26  Saam Barati  <sbarati@apple.com>

        RegExpPrototype.js builtin uses for-of iteration which is almost certainly incorrect
        https://bugs.webkit.org/show_bug.cgi?id=173740

        Reviewed by Mark Lam.

        The builtin was using for-of iteration to iterate over an internal
        list in its algorithm. For-of iteration is observable via user code
        in the global object, so this approach was wrong as it would break if
        a user changed the Array iteration protocol in some way.

        * builtins/RegExpPrototype.js:
        (replace):

2017-06-26  Mark Lam  <mark.lam@apple.com>

        Renamed DumpRegisterFunctor to DumpReturnVirtualPCFunctor.
        https://bugs.webkit.org/show_bug.cgi?id=173848

        Reviewed by JF Bastien.

        This functor only dumps the return VirtualPC.

        * interpreter/Interpreter.cpp:
        (JSC::DumpReturnVirtualPCFunctor::DumpReturnVirtualPCFunctor):
        (JSC::Interpreter::dumpRegisters):
        (JSC::DumpRegisterFunctor::DumpRegisterFunctor): Deleted.
        (JSC::DumpRegisterFunctor::operator()): Deleted.

2017-06-26  Saam Barati  <sbarati@apple.com>

        Crash in JSC::Lexer<unsigned char>::setCode
        https://bugs.webkit.org/show_bug.cgi?id=172754

        Reviewed by Mark Lam.

        The lexer was asking one of its buffers to reserve initial space that
        was O(text size in bytes). For large sources, this would end up causing
        the vector to overflow and crash. This patch changes this code to be like
        the Lexer's other buffers and to only reserve a small starting buffer.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::setCode):

2017-06-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Drop Thread::create(obsolete things) API since we can use lambda
        https://bugs.webkit.org/show_bug.cgi?id=173825

        Reviewed by Saam Barati.

        * jsc.cpp:
        (startTimeoutThreadIfNeeded):
        (timeoutThreadMain): Deleted.

2017-06-26  Konstantin Tokarev  <annulen@yandex.ru>

        Unreviewed, add missing header for CLoop

        * runtime/SymbolTable.cpp:

2017-06-26  Konstantin Tokarev  <annulen@yandex.ru>

        Unreviewed, add missing header includes

        * parser/Lexer.h:

2017-06-25  Konstantin Tokarev  <annulen@yandex.ru>

        Remove excessive headers from JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=173812

        Reviewed by Darin Adler.

        * API/APIUtils.h:
        * assembler/LinkBuffer.cpp:
        * assembler/MacroAssemblerCodeRef.cpp:
        * b3/air/AirLiveness.h:
        * b3/air/AirLowerAfterRegAlloc.cpp:
        * bindings/ScriptValue.cpp:
        * bindings/ScriptValue.h:
        * bytecode/AccessCase.cpp:
        * bytecode/AccessCase.h:
        * bytecode/ArrayProfile.h:
        * bytecode/BytecodeDumper.h:
        * bytecode/BytecodeIntrinsicRegistry.cpp:
        * bytecode/BytecodeKills.h:
        * bytecode/BytecodeLivenessAnalysis.h:
        * bytecode/BytecodeUseDef.h:
        * bytecode/CallLinkStatus.h:
        * bytecode/CodeBlock.h:
        * bytecode/CodeOrigin.h:
        * bytecode/ComplexGetStatus.h:
        * bytecode/GetByIdStatus.h:
        * bytecode/GetByIdVariant.h:
        * bytecode/InlineCallFrame.h:
        * bytecode/InlineCallFrameSet.h:
        * bytecode/Instruction.h:
        * bytecode/InternalFunctionAllocationProfile.h:
        * bytecode/JumpTable.h:
        * bytecode/MethodOfGettingAValueProfile.h:
        * bytecode/ObjectPropertyConditionSet.h:
        * bytecode/Operands.h:
        * bytecode/PolymorphicAccess.h:
        * bytecode/PutByIdStatus.h:
        * bytecode/SpeculatedType.cpp:
        * bytecode/StructureSet.h:
        * bytecode/StructureStubInfo.h:
        * bytecode/UnlinkedCodeBlock.h:
        * bytecode/UnlinkedFunctionExecutable.h:
        * bytecode/ValueProfile.h:
        * bytecompiler/BytecodeGenerator.cpp:
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/Label.h:
        * bytecompiler/StaticPropertyAnalysis.h:
        * debugger/DebuggerCallFrame.cpp:
        * dfg/DFGAbstractInterpreter.h:
        * dfg/DFGAdjacencyList.h:
        * dfg/DFGArgumentsUtilities.h:
        * dfg/DFGArrayMode.h:
        * dfg/DFGArrayifySlowPathGenerator.h:
        * dfg/DFGBackwardsPropagationPhase.h:
        * dfg/DFGBasicBlock.h:
        * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
        * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
        * dfg/DFGCapabilities.h:
        * dfg/DFGCommon.h:
        * dfg/DFGCommonData.h:
        * dfg/DFGDesiredIdentifiers.h:
        * dfg/DFGDesiredWatchpoints.h:
        * dfg/DFGDisassembler.cpp:
        * dfg/DFGDominators.h:
        * dfg/DFGDriver.cpp:
        * dfg/DFGDriver.h:
        * dfg/DFGEdgeDominates.h:
        * dfg/DFGFinalizer.h:
        * dfg/DFGGenerationInfo.h:
        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGJITCompiler.h:
        * dfg/DFGJITFinalizer.h:
        * dfg/DFGLivenessAnalysisPhase.h:
        * dfg/DFGMinifiedNode.h:
        * dfg/DFGMultiGetByOffsetData.h:
        * dfg/DFGNaturalLoops.cpp:
        * dfg/DFGNaturalLoops.h:
        * dfg/DFGNode.h:
        * dfg/DFGOSRAvailabilityAnalysisPhase.h:
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitCompilationInfo.h:
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler.h:
        * dfg/DFGOSRExitJumpPlaceholder.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPlan.h:
        * dfg/DFGPreciseLocalClobberize.h:
        * dfg/DFGPromotedHeapLocation.h:
        * dfg/DFGRegisteredStructure.h:
        * dfg/DFGRegisteredStructureSet.h:
        * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
        * dfg/DFGSlowPathGenerator.h:
        * dfg/DFGSnippetParams.h:
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGToFTLDeferredCompilationCallback.h:
        * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h:
        * dfg/DFGValidate.h:
        * dfg/DFGValueSource.h:
        * dfg/DFGVariableEvent.h:
        * dfg/DFGVariableEventStream.h:
        * dfg/DFGWorklist.h:
        * domjit/DOMJITCallDOMGetterSnippet.h:
        * domjit/DOMJITEffect.h:
        * ftl/FTLLink.cpp:
        * ftl/FTLLowerDFGToB3.cpp:
        * ftl/FTLPatchpointExceptionHandle.h:
        * heap/AllocatorAttributes.h:
        * heap/CodeBlockSet.h:
        * heap/DeferGC.h:
        * heap/GCSegmentedArray.h:
        * heap/Heap.cpp:
        * heap/Heap.h:
        * heap/IncrementalSweeper.h:
        * heap/ListableHandler.h:
        * heap/MachineStackMarker.h:
        * heap/MarkedAllocator.h:
        * heap/MarkedBlock.cpp:
        * heap/MarkedBlock.h:
        * heap/MarkingConstraint.h:
        * heap/SlotVisitor.cpp:
        * heap/SlotVisitor.h:
        * inspector/ConsoleMessage.cpp:
        * inspector/ConsoleMessage.h:
        * inspector/InjectedScript.h:
        * inspector/InjectedScriptHost.h:
        * inspector/InjectedScriptManager.cpp:
        * inspector/JSGlobalObjectInspectorController.cpp:
        * inspector/JavaScriptCallFrame.h:
        * inspector/ScriptCallStack.h:
        * inspector/ScriptCallStackFactory.cpp:
        * inspector/ScriptDebugServer.h:
        * inspector/agents/InspectorConsoleAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorHeapAgent.cpp:
        * inspector/agents/InspectorHeapAgent.h:
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        * inspector/agents/InspectorScriptProfilerAgent.h:
        * inspector/agents/JSGlobalObjectConsoleAgent.h:
        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
        * inspector/agents/JSGlobalObjectDebuggerAgent.h:
        * inspector/agents/JSGlobalObjectRuntimeAgent.h:
        * inspector/augmentable/AlternateDispatchableAgent.h:
        * interpreter/CLoopStack.h:
        * interpreter/CachedCall.h:
        * interpreter/CallFrame.h:
        * interpreter/Interpreter.cpp:
        * interpreter/Interpreter.h:
        * jit/AssemblyHelpers.cpp:
        * jit/AssemblyHelpers.h:
        * jit/CCallHelpers.h:
        * jit/CallFrameShuffler.h:
        * jit/ExecutableAllocator.h:
        * jit/GCAwareJITStubRoutine.h:
        * jit/HostCallReturnValue.h:
        * jit/ICStats.h:
        * jit/JIT.cpp:
        * jit/JIT.h:
        * jit/JITAddGenerator.h:
        * jit/JITCall32_64.cpp:
        * jit/JITCode.h:
        * jit/JITDisassembler.cpp:
        * jit/JITExceptions.cpp:
        * jit/JITMathIC.h:
        * jit/JITOpcodes.cpp:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITThunks.cpp:
        * jit/JITThunks.h:
        * jit/JSInterfaceJIT.h:
        * jit/PCToCodeOriginMap.h:
        * jit/PolymorphicCallStubRoutine.h:
        * jit/RegisterSet.h:
        * jit/Repatch.h:
        * jit/SetupVarargsFrame.h:
        * jit/Snippet.h:
        * jit/SnippetParams.h:
        * jit/ThunkGenerators.h:
        * jsc.cpp:
        * llint/LLIntCLoop.h:
        * llint/LLIntEntrypoint.h:
        * llint/LLIntExceptions.h:
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LLIntSlowPaths.cpp:
        * parser/NodeConstructors.h:
        * parser/Nodes.cpp:
        * parser/Nodes.h:
        * parser/Parser.cpp:
        * parser/Parser.h:
        * parser/ParserTokens.h:
        * parser/SourceProviderCacheItem.h:
        * profiler/ProfilerBytecodeSequence.h:
        * profiler/ProfilerDatabase.cpp:
        * profiler/ProfilerDatabase.h:
        * profiler/ProfilerOrigin.h:
        * profiler/ProfilerOriginStack.h:
        * profiler/ProfilerProfiledBytecodes.h:
        * profiler/ProfilerUID.h:
        * runtime/AbstractModuleRecord.h:
        * runtime/ArrayConstructor.h:
        * runtime/ArrayConventions.h:
756         * runtime/ArrayIteratorPrototype.h:
757         * runtime/ArrayPrototype.h:
758         * runtime/BasicBlockLocation.h:
759         * runtime/Butterfly.h:
760         * runtime/CallData.cpp:
761         * runtime/CodeCache.h:
762         * runtime/CommonSlowPaths.cpp:
763         * runtime/CommonSlowPaths.h:
764         * runtime/CommonSlowPathsExceptions.cpp:
765         * runtime/Completion.cpp:
766         * runtime/ControlFlowProfiler.h:
767         * runtime/DateInstanceCache.h:
768         * runtime/ErrorConstructor.h:
769         * runtime/ErrorInstance.h:
770         * runtime/ExceptionHelpers.cpp:
771         * runtime/ExceptionHelpers.h:
772         * runtime/ExecutableBase.h:
773         * runtime/FunctionExecutable.h:
774         * runtime/HasOwnPropertyCache.h:
775         * runtime/Identifier.h:
776         * runtime/InternalFunction.h:
777         * runtime/IntlCollator.cpp:
778         * runtime/IntlCollatorPrototype.h:
779         * runtime/IntlDateTimeFormatPrototype.h:
780         * runtime/IntlNumberFormat.cpp:
781         * runtime/IntlNumberFormatPrototype.h:
782         * runtime/IteratorOperations.cpp:
783         * runtime/JSArray.h:
784         * runtime/JSArrayBufferPrototype.h:
785         * runtime/JSCJSValue.h:
786         * runtime/JSCJSValueInlines.h:
787         * runtime/JSCell.h:
788         * runtime/JSFunction.cpp:
789         * runtime/JSFunction.h:
790         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
791         * runtime/JSGlobalObject.cpp:
792         * runtime/JSGlobalObject.h:
793         * runtime/JSGlobalObjectDebuggable.cpp:
794         * runtime/JSGlobalObjectDebuggable.h:
795         * runtime/JSGlobalObjectFunctions.cpp:
796         * runtime/JSGlobalObjectFunctions.h:
797         * runtime/JSJob.cpp:
798         * runtime/JSLock.h:
799         * runtime/JSModuleLoader.cpp:
800         * runtime/JSModuleNamespaceObject.h:
801         * runtime/JSModuleRecord.h:
802         * runtime/JSObject.cpp:
803         * runtime/JSObject.h:
804         * runtime/JSRunLoopTimer.h:
805         * runtime/JSTemplateRegistryKey.h:
806         * runtime/JSTypedArrayPrototypes.cpp:
807         * runtime/JSTypedArrayPrototypes.h:
808         * runtime/JSTypedArrays.h:
809         * runtime/LiteralParser.h:
810         * runtime/MatchResult.h:
811         * runtime/MemoryStatistics.h:
812         * runtime/PrivateName.h:
813         * runtime/PromiseDeferredTimer.h:
814         * runtime/ProxyObject.h:
815         * runtime/RegExp.h:
816         * runtime/SamplingProfiler.cpp:
817         * runtime/SmallStrings.h:
818         * runtime/StringPrototype.cpp:
819         * runtime/StringRecursionChecker.h:
820         * runtime/Structure.h:
821         * runtime/SymbolConstructor.h:
822         * runtime/SymbolPrototype.cpp:
823         * runtime/SymbolPrototype.h:
824         * runtime/TypeProfiler.h:
825         * runtime/TypeProfilerLog.h:
826         * runtime/TypedArrayType.h:
827         * runtime/VM.cpp:
828         * runtime/VM.h:
829         * runtime/VMEntryScope.h:
830         * runtime/WeakMapData.h:
831         * runtime/WriteBarrier.h:
832         * tools/FunctionOverrides.cpp:
833         * tools/FunctionOverrides.h:
834         * wasm/WasmBinding.cpp:
835         * wasm/js/JSWebAssemblyCodeBlock.h:
836         * wasm/js/WebAssemblyPrototype.cpp:
837         * yarr/Yarr.h:
838         * yarr/YarrJIT.cpp:
839         * yarr/YarrJIT.h:
840         * yarr/YarrParser.h:
841
842 2017-06-24  Yusuke Suzuki  <utatane.tea@gmail.com>
843
844         [JSC] Clean up Object.entries implementation
845         https://bugs.webkit.org/show_bug.cgi?id=173759
846
847         Reviewed by Sam Weinig.
848
849         This patch cleans up Object.entries implementation.
850         We drop unused private functions. And we merge the
851         implementation into Object.entries.
852
853         It slightly speeds up Object.entries speed.
854
855                                      baseline                  patched
856
857             object-entries      148.0101+-5.6627          142.1877+-4.8661          might be 1.0409x faster
858
859
860         * builtins/BuiltinNames.h:
861         * builtins/ObjectConstructor.js:
862         (entries):
863         (globalPrivate.enumerableOwnProperties): Deleted.
864         * runtime/JSGlobalObject.cpp:
865         (JSC::JSGlobalObject::init):
866         * runtime/ObjectConstructor.cpp:
867         (JSC::ownEnumerablePropertyKeys): Deleted.
868         * runtime/ObjectConstructor.h:
869
870 2017-06-24  Joseph Pecoraro  <pecoraro@apple.com>
871
872         Remove Reflect.enumerate
873         https://bugs.webkit.org/show_bug.cgi?id=173806
874
875         Reviewed by Yusuke Suzuki.
876
877         * CMakeLists.txt:
878         * JavaScriptCore.xcodeproj/project.pbxproj:
879         * inspector/JSInjectedScriptHost.cpp:
880         (Inspector::JSInjectedScriptHost::subtype):
881         (Inspector::JSInjectedScriptHost::getInternalProperties):
882         (Inspector::JSInjectedScriptHost::iteratorEntries):
883         * runtime/JSGlobalObject.cpp:
884         (JSC::JSGlobalObject::init):
885         (JSC::JSGlobalObject::visitChildren):
886         * runtime/JSPropertyNameIterator.cpp: Removed.
887         * runtime/JSPropertyNameIterator.h: Removed.
888         * runtime/ReflectObject.cpp:
889         (JSC::reflectObjectEnumerate): Deleted.
890
891 2017-06-23  Keith Miller  <keith_miller@apple.com>
892
893         Switch VMTraps to use halt instructions rather than breakpoint instructions
894         https://bugs.webkit.org/show_bug.cgi?id=173677
895         <rdar://problem/32178892>
896
897         Reviewed by JF Bastien.
898
899         Using the breakpoint instruction for VMTraps caused issues with lldb.
900         Since we only need some way to stop execution we can, in theory, use
901         any exceptioning instruction we want. I went with the halt instruction
902         on X86 since that is the only one-byte instruction that does not
903         breakpoint (in my tests both 0xf1 and 0xd6 produced EXC_BREAKPOINT).
904         On ARM we use the data cache clearing instruction with the zero register,
905         which triggers a segmentation fault.
906
907         Also, update the platform code to only use signaling VMTraps
908         where we have an appropriate instruction (x86 and ARM64).
909
910         * API/tests/ExecutionTimeLimitTest.cpp:
911         (testExecutionTimeLimit):
912         * assembler/ARM64Assembler.h:
913         (JSC::ARM64Assembler::replaceWithVMHalt):
914         (JSC::ARM64Assembler::dataCacheZeroVirtualAddress):
915         (JSC::ARM64Assembler::replaceWithBkpt): Deleted.
916         * assembler/ARMAssembler.h:
917         (JSC::ARMAssembler::replaceWithBkpt): Deleted.
918         * assembler/ARMv7Assembler.h:
919         (JSC::ARMv7Assembler::replaceWithBkpt): Deleted.
920         * assembler/MIPSAssembler.h:
921         (JSC::MIPSAssembler::replaceWithBkpt): Deleted.
922         * assembler/MacroAssemblerARM.h:
923         (JSC::MacroAssemblerARM::replaceWithBreakpoint): Deleted.
924         * assembler/MacroAssemblerARM64.h:
925         (JSC::MacroAssemblerARM64::replaceWithVMHalt):
926         (JSC::MacroAssemblerARM64::replaceWithBreakpoint): Deleted.
927         * assembler/MacroAssemblerARMv7.h:
928         (JSC::MacroAssemblerARMv7::storeFence):
929         (JSC::MacroAssemblerARMv7::replaceWithBreakpoint): Deleted.
930         * assembler/MacroAssemblerMIPS.h:
931         (JSC::MacroAssemblerMIPS::replaceWithBreakpoint): Deleted.
932         * assembler/MacroAssemblerX86Common.h:
933         (JSC::MacroAssemblerX86Common::replaceWithVMHalt):
934         (JSC::MacroAssemblerX86Common::replaceWithBreakpoint): Deleted.
935         * assembler/X86Assembler.h:
936         (JSC::X86Assembler::replaceWithHlt):
937         (JSC::X86Assembler::replaceWithInt3): Deleted.
938         * dfg/DFGJumpReplacement.cpp:
939         (JSC::DFG::JumpReplacement::installVMTrapBreakpoint):
940         * runtime/VMTraps.cpp:
941         (JSC::SignalContext::SignalContext):
942         (JSC::installSignalHandler):
943         (JSC::SignalContext::adjustPCToPointToTrappingInstruction): Deleted.
944         * wasm/WasmFaultSignalHandler.cpp:
945         (JSC::Wasm::enableFastMemory):
946
947 2017-06-22  Saam Barati  <sbarati@apple.com>
948
949         The lowering of Identity in the DFG backend needs to use ManualOperandSpeculation
950         https://bugs.webkit.org/show_bug.cgi?id=173743
951         <rdar://problem/32932536>
952
953         Reviewed by Mark Lam.
954
955         The code always manually speculates; however, we weren't specifying
956         ManualOperandSpeculation when creating a JSValueOperand. This would
957         fire an assertion in JSValueOperand construction for a node like:
958         Identity(String:@otherNode)
959         
960         I spent about 45 minutes trying to craft a test and came up
961         empty. However, this fixes a debug assertion on an internal
962         Apple website.
963
964         * dfg/DFGSpeculativeJIT32_64.cpp:
965         (JSC::DFG::SpeculativeJIT::compile):
966         * dfg/DFGSpeculativeJIT64.cpp:
967         (JSC::DFG::SpeculativeJIT::compile):
968
969 2017-06-22  Saam Barati  <sbarati@apple.com>
970
971         ValueRep(DoubleRep(@v)) can not simply convert to @v
972         https://bugs.webkit.org/show_bug.cgi?id=173687
973         <rdar://problem/32855563>
974
975         Reviewed by Mark Lam.
976
977         Consider this IR:
978          block#x
979           p: Phi() // int32 and double flows into this phi from various control flow
980           d: DoubleRep(@p)
981           some uses of @d here
982           v: ValueRep(DoubleRepUse:@d)
983           a: NewArrayWithSize(Int32:@v)
984           some more nodes here ...
985         
986         Because the flow of ValueRep(DoubleRep(@p)) will not produce an Int32,
987         AI proves that the Int32 check will fail. Constant folding phase removes
988         all nodes after @a and inserts an Unreachable after the NewArrayWithSize node.
989         
990         The IR then looks like this:
991         block#x
992           p: Phi() // int32 and double flows into this phi from various control flow
993           d: DoubleRep(@p)
994           some uses of @d here
995           v: ValueRep(DoubleRepUse:@d)
996           a: NewArrayWithSize(Int32:@v)
997           Unreachable
998         
999         However, there was a strength reduction rule that tries to eliminate redundant
1000         conversions. It used to convert the program to:
1001         block#x
1002           p: Phi() // int32 and double flows into this phi from various control flow
1003           d: DoubleRep(@p)
1004           some uses of @d here
1005           a: NewArrayWithSize(Int32:@p)
1006           Unreachable
1007         
1008         However, at runtime, @p will actually be an Int32, so @a will not OSR exit,
1009         and we'll crash. This patch removes this strength reduction rule since it
1010         does not maintain what would have happened if we executed the program before
1011         the rule.
1012         
1013         This rule is also wrong for other types of programs (I'm not sure we'd
1014         actually emit this code, but if such IR were generated, we would previously
1015         optimize it incorrectly):
1016         @a: Constant(JSTrue)
1017         @b: DoubleRep(@a)
1018         @c: ValueRep(@b)
1019         @d: use(@c)
1020         
1021         However, the strength reduction rule would've transformed this into:
1022         @a: Constant(JSTrue)
1023         @d: use(@a)
1024         
1025         And this would be wrong because node @c before the transformation would
1026         have produced the JSValue jsNumber(1.0).
1027         
1028         This patch was neutral in the benchmark run I did.
1029
1030         * dfg/DFGStrengthReductionPhase.cpp:
1031         (JSC::DFG::StrengthReductionPhase::handleNode):
1032
1033 2017-06-22  JF Bastien  <jfbastien@apple.com>
1034
1035         ARM64: doubled executable memory limit from 32MiB to 64MiB
1036         https://bugs.webkit.org/show_bug.cgi?id=173734
1037         <rdar://problem/32932407>
1038
1039         Reviewed by Oliver Hunt.
1040
1041         Some WebAssembly programs stress the amount of memory we have
1042         available, especially when we consider tiering (BBQ never dies,
1043         and is bigger than OMG). Tiering to OMG just piles on more memory,
1044         and we're also competing with JavaScript.
1045
1046         * jit/ExecutableAllocator.h:
1047
1048 2017-06-22  Joseph Pecoraro  <pecoraro@apple.com>
1049
1050         Web Inspector: Pausing with a deep call stack can be very slow, avoid eagerly generating object previews
1051         https://bugs.webkit.org/show_bug.cgi?id=173698
1052
1053         Reviewed by Matt Baker.
1054
1055         When pausing in a deep call stack the majority of the time spent in JavaScriptCore
1056         when preparing Inspector pause information is spent generating object previews for
1057         the `thisObject` of each of the call frames. In some cases, this could be more
1058         than 95% of the time generating pause information. In the common case, only one of
1059         these (the top frame) will ever be seen by users. This change avoids eagerly
1060         generating object previews up front and lets the frontend request previews if they
1061         are needed.
1062
1063         This introduces the `Runtime.getPreview` protocol command. This can be used to:
1064
1065             - Get a preview for a RemoteObject that did not have a preview but could.
1066             - Update a preview for a RemoteObject that had a preview.
1067
1068         This patch only uses it for the first case, but the second is valid and may be
1069         something we want to do in the future.
1070
1071         * inspector/protocol/Runtime.json:
1072         A new command to get an up to date preview for an object.
1073
1074         * inspector/InjectedScript.h:
1075         * inspector/InjectedScript.cpp:
1076         (Inspector::InjectedScript::getPreview):
1077         * inspector/agents/InspectorRuntimeAgent.cpp:
1078         (Inspector::InspectorRuntimeAgent::getPreview):
1079         * inspector/agents/InspectorRuntimeAgent.h:
1080         Plumbing for the new command.
1081
1082         * inspector/InjectedScriptSource.js:
1083         (InjectedScript.prototype.getPreview):
1084         Implementation just uses the existing helper.
1085
1086         (InjectedScript.CallFrameProxy):
1087         Do not generate a preview for the this object as it may not be shown.
1088         Let the frontend request a preview if it wants or needs one.
1089
1090 2017-06-22  Joseph Pecoraro  <pecoraro@apple.com>
1091
1092         Web Inspector: Remove stale "rawScopes" concept that was never available in JSC
1093         https://bugs.webkit.org/show_bug.cgi?id=173686
1094
1095         Reviewed by Mark Lam.
1096
1097         * inspector/InjectedScript.cpp:
1098         (Inspector::InjectedScript::functionDetails):
1099         * inspector/InjectedScriptSource.js:
1100         (InjectedScript.prototype.functionDetails):
1101         * inspector/JSInjectedScriptHost.cpp:
1102         (Inspector::JSInjectedScriptHost::functionDetails):
1103
1104 2017-06-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1105
1106         [JSC] Object.values should be implemented in C++
1107         https://bugs.webkit.org/show_bug.cgi?id=173703
1108
1109         Reviewed by Sam Weinig.
1110
1111         As with Object.assign, Object.values() is also inherently polymorphic.
1112         And allocating a JSString / Symbol for each Identifier and a JSArray for the
1113         Object.keys() result is costly.
1114
1115         In this patch, we implement Object.values() in C++. It avoids the above allocations.
1116         Furthermore, by using `slot.isTaintedByOpaqueObject()` information, we can skip
1117         non-observable JSObject::get() calls.
1118
1119         This improves performance by 2.49x. And also now Object.values() beats
1120         Object.keys(object).map(key => object[key]) implementation.
1121
1122                                              baseline                  patched
1123
1124             object-values               132.1551+-3.7209     ^     53.1254+-1.6139        ^ definitely 2.4876x faster
1125             object-keys-map-values       78.2008+-2.1378     ?     78.9078+-2.2121        ?
1126
1127         * builtins/ObjectConstructor.js:
1128         (values): Deleted.
1129         * runtime/ObjectConstructor.cpp:
1130         (JSC::objectConstructorValues):
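
The observable contract a C++ Object.values() fast path has to keep, as an added example (not JavaScriptCore code or a test from this patch): the engine takes one own-keys snapshot, then for each string key performs a [[GetOwnProperty]] followed by a [[Get]] only when the property is enumerable, and never touches symbol keys. Accessors and Proxy traps make those steps visible, which is what the `isTaintedByOpaqueObject()` check guards: only a get that cannot run user code may be skipped. The Proxy, the accessor and the mid-enumeration delete are constructed inputs for this demo; the trap log is what a conforming engine must produce.

```javascript
// Added example (not JavaScriptCore code): the observable behaviour that an
// Object.values() fast path has to preserve. Per EnumerableOwnProperties the
// engine takes one [[OwnPropertyKeys]] snapshot, then for every string key does
// [[GetOwnProperty]] and, only if the property is enumerable, [[Get]]; symbol
// keys are never touched. Accessors and Proxy traps run user code, so those
// steps are observable and cannot be skipped; plain data properties are not.
function traceObjectValues() {
  const log = [];

  // Constructed target: data property, accessor, a key deleted mid-enumeration,
  // a non-enumerable key, a symbol key, and two integer-like keys added last.
  const target = {
    plain: 1,
    get accessor() {
      log.push("accessor body");
      delete this.late; // "late" is already in the key snapshot but is gone by its lookup
      return 2;
    },
    late: "never seen",
  };
  Object.defineProperty(target, "hidden", { value: 3, enumerable: false });
  target[Symbol("sym")] = 4;
  target[2] = "idx2"; // integer-like keys enumerate first, in ascending order
  target[1] = "idx1";

  // Constructed Proxy: every trap the algorithm may hit writes to the log.
  const proxy = new Proxy(target, {
    ownKeys(t) {
      log.push("ownKeys");
      return Reflect.ownKeys(t);
    },
    getOwnPropertyDescriptor(t, k) {
      log.push(`gopd ${String(k)}`);
      return Reflect.getOwnPropertyDescriptor(t, k);
    },
    get(t, k, receiver) {
      log.push(`get ${String(k)}`);
      return Reflect.get(t, k, receiver);
    },
    deleteProperty(t, k) {
      log.push(`delete ${String(k)}`);
      return Reflect.deleteProperty(t, k);
    },
  });

  return { values: Object.values(proxy), log };
}
```

`traceObjectValues()` returns `values` of `["idx1", "idx2", 1, 2]`: "late" stays in the key snapshot but is skipped once its descriptor lookup comes back empty, "hidden" gets a descriptor lookup but no get, and the symbol key never appears in the log at all. An engine that reordered or elided any of the logged steps for this object would be observably non-conforming, which is why the C++ path may only skip gets on objects it knows cannot run user code.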
1131
1132 2017-06-21  Saam Barati  <sbarati@apple.com>
1133
1134         ArrayPrototype.map builtin declares a var it does not use
1135         https://bugs.webkit.org/show_bug.cgi?id=173685
1136
1137         Reviewed by Keith Miller.
1138
1139         * builtins/ArrayPrototype.js:
1140         (map):
1141
1142 2017-06-21  Saam Barati  <sbarati@apple.com>
1143
1144         eval virtual call is incorrect in the baseline JIT
1145         https://bugs.webkit.org/show_bug.cgi?id=173587
1146         <rdar://problem/32867897>
1147
1148         Reviewed by Michael Saboff.
1149
1150         When making a virtual call for call_eval, e.g., when the thing
1151         we're calling isn't actually eval, we end up calling the caller
1152         instead of the callee. This is clearly wrong. The code ends up
1153         issuing a load for the Callee in the callers frame instead of
1154         the callee we're calling. The fix is simple, we just need to
1155         load the real callee. Only the 32-bit baseline JIT had this bug.
1156
1157         * jit/JITCall32_64.cpp:
1158         (JSC::JIT::compileCallEvalSlowCase):
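
The three things a call written `eval(...)` can resolve to at runtime, as an added example (not JavaScriptCore code, and not a test from this patch): a direct eval whose callee is the real eval, an indirect eval, and the virtual-call case the fix concerns, where the identifier `eval` is bound to an ordinary function and the engine must call that function, not anything read from the caller's frame. The `secret` binding and the shadowing function are constructed for the demo.

```javascript
// Added example (not JavaScriptCore code): the three things a call written
// `eval(...)` can resolve to at runtime. Only the first is a real direct eval;
// the third is the virtual-call case the fix is about, where the identifier
// `eval` is bound to an ordinary function and the engine must call that
// function (the callee), not anything taken from the caller's frame.
function evalCallShapes() {
  const secret = "caller scope";

  // 1. Direct eval: the callee is %eval%, so the code sees the caller's bindings.
  const direct = eval("secret");

  // 2. Indirect eval: still %eval%, but not called through the bare identifier,
  //    so it runs in the global scope where `secret` is not defined.
  const indirect = (0, eval)("typeof secret");

  // 3. Shadowed eval: same call syntax, but `eval` resolves to a user function.
  //    Built via the Function constructor (a sloppy-mode body) because a binding
  //    named `eval` is a SyntaxError in strict code.
  const shadowed = new Function(
    "src",
    "var eval = function (s) { return 'shadowed:' + s; }; return eval(src);"
  )("secret");

  return { direct, indirect, shadowed };
}
```

`evalCallShapes()` returns `{ direct: "caller scope", indirect: "undefined", shadowed: "shadowed:secret" }`. Case 3 is the one a call_eval slow path has to get right: the bytecode is still call_eval because the callee expression is the identifier `eval`, but at runtime the callee is the shadowing function and must be loaded from the new frame, not the caller's.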
1159
1160 2017-06-21  Joseph Pecoraro  <pecoraro@apple.com>
1161
1162         Web Inspector: Using "break on all exceptions" when throwing stack overflow hangs inspector
1163         https://bugs.webkit.org/show_bug.cgi?id=172432
1164         <rdar://problem/29870873>
1165
1166         Reviewed by Saam Barati.
1167
1168         Avoid pausing on StackOverflow and OutOfMemory errors to avoid a hang.
1169         We will proceed to improve debugging of these cases in the follow-up bugs.
1170
1171         * debugger/Debugger.cpp:
1172         (JSC::Debugger::exception):
1173         Ignore pausing on these errors.
1174
1175         * runtime/ErrorInstance.h:
1176         (JSC::ErrorInstance::setStackOverflowError):
1177         (JSC::ErrorInstance::isStackOverflowError):
1178         (JSC::ErrorInstance::setOutOfMemoryError):
1179         (JSC::ErrorInstance::isOutOfMemoryError):
1180         * runtime/ExceptionHelpers.cpp:
1181         (JSC::createStackOverflowError):
1182         * runtime/Error.cpp:
1183         (JSC::createOutOfMemoryError):
1184         Mark these kinds of errors.
1185
1186 2017-06-21  Saam Barati  <sbarati@apple.com>
1187
1188         Make it clear that regenerating ICs are holding the CodeBlock's lock by passing the locker as a parameter
1189         https://bugs.webkit.org/show_bug.cgi?id=173609
1190
1191         Reviewed by Keith Miller.
1192
1193         This patch makes many of the IC generating functions require a locker as
1194         a parameter. We do this in other places in JSC to indicate that
1195         a particular API is only valid while a particular lock is held.
1196         This is the case when generating ICs. This patch just makes it
1197         explicit in the IC generating interface.
1198
1199         * bytecode/PolymorphicAccess.cpp:
1200         (JSC::PolymorphicAccess::addCases):
1201         (JSC::PolymorphicAccess::addCase):
1202         (JSC::PolymorphicAccess::commit):
1203         (JSC::PolymorphicAccess::regenerate):
1204         * bytecode/PolymorphicAccess.h:
1205         * bytecode/StructureStubInfo.cpp:
1206         (JSC::StructureStubInfo::addAccessCase):
1207         (JSC::StructureStubInfo::initStub): Deleted.
1208         * bytecode/StructureStubInfo.h:
1209         * jit/Repatch.cpp:
1210         (JSC::tryCacheGetByID):
1211         (JSC::repatchGetByID):
1212         (JSC::tryCachePutByID):
1213         (JSC::repatchPutByID):
1214         (JSC::tryRepatchIn):
1215         (JSC::repatchIn):
1216
1217 2017-06-20  Myles C. Maxfield  <mmaxfield@apple.com>
1218
1219         Disable font variations on macOS Sierra and iOS 10
1220         https://bugs.webkit.org/show_bug.cgi?id=173618
1221         <rdar://problem/32879164>
1222
1223         Reviewed by Jon Lee.
1224
1225         * Configurations/FeatureDefines.xcconfig:
1226
1227 2017-06-20  Keith Miller  <keith_miller@apple.com>
1228
1229         Fix leak of ModuleInformations in BBQPlan constructors.
1230         https://bugs.webkit.org/show_bug.cgi?id=173577
1231
1232         Reviewed by Saam Barati.
1233
1234         This patch fixes a leak in the BBQPlan constructors. Previously,
1235         the plans were calling makeRef on the newly constructed objects.
1236         This patch fixes the issue and uses adoptRef instead. Additionally,
1237         an old, incorrect, attempt to fix the leak is removed.
1238
1239         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
1240         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
1241         * jit/JITWorklist.cpp:
1242         (JSC::JITWorklist::Thread::Thread):
1243         * runtime/PromiseDeferredTimer.cpp:
1244         (JSC::PromiseDeferredTimer::addPendingPromise):
1245         * runtime/VM.cpp:
1246         (JSC::VM::VM):
1247         * wasm/WasmBBQPlan.cpp:
1248         (JSC::Wasm::BBQPlan::BBQPlan):
1249         * wasm/WasmPlan.cpp:
1250         (JSC::Wasm::Plan::Plan):
1251
1252 2017-06-20  Devin Rousso  <drousso@apple.com>
1253
1254         Web Inspector: Send context attributes for tracked canvases
1255         https://bugs.webkit.org/show_bug.cgi?id=173327
1256
1257         Reviewed by Joseph Pecoraro.
1258
1259         * inspector/protocol/Canvas.json:
1260         Add ContextAttributes object type that is optionally used for WebGL canvases.
1261
1262 2017-06-20  Konstantin Tokarev  <annulen@yandex.ru>
1263
1264         Remove excessive include directives from WTF
1265         https://bugs.webkit.org/show_bug.cgi?id=173553
1266
1267         Reviewed by Saam Barati.
1268
1269         * profiler/ProfilerDatabase.cpp: Added missing include directive.
1270         * runtime/SamplingProfiler.cpp: Ditto.
1271
1272 2017-06-20  Oleksandr Skachkov  <gskachkov@gmail.com>
1273
1274         Revert changes in bug#160417 about extending `null` not being a derived class
1275         https://bugs.webkit.org/show_bug.cgi?id=169293
1276
1277         Reviewed by Saam Barati.
1278
1279         Reverted changes in bug#160417 about extending `null` not being a derived class
1280         according to changes in the spec:
1281         https://github.com/tc39/ecma262/commit/c57ef95c45a371f9c9485bb1c3881dbdc04524a2
1282
1283         * builtins/BuiltinNames.h:
1284         * bytecompiler/BytecodeGenerator.cpp:
1285         (JSC::BytecodeGenerator::BytecodeGenerator):
1286         (JSC::BytecodeGenerator::emitReturn):
1287         * bytecompiler/NodesCodegen.cpp:
1288         (JSC::ClassExprNode::emitBytecode):
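
What "extending `null` is a derived class" means at runtime, as an added example (not JavaScriptCore code or one of its tests) that follows the spec behaviour linked above and holds in any conforming engine: the implicit constructor of a derived class calls super(), the super constructor of an `extends null` class is Function.prototype, which is not a constructor, so `new` throws a TypeError unless the class supplies a constructor that never calls super() and returns an object explicitly. The class names are constructed for the demo.

```javascript
// Added example (not JavaScriptCore code): what reverting to "extends null is a
// derived class" means at runtime. A derived class gets an implicit constructor
// that calls super(); with `extends null` the constructor's [[Prototype]] is
// Function.prototype, which is not a constructor, so `new` throws a TypeError.
// A class that wants a null-prototype instance must write its own constructor,
// skip super(), and return an object explicitly.
function extendsNullBehaviour() {
  class Implicit extends null {}

  class Explicit extends null {
    constructor() {
      // No super() call: `this` is never initialised, so return an object instead.
      // Using new.target.prototype keeps subclasses of Explicit working too.
      return Object.create(new.target.prototype);
    }
  }

  let implicitError = null;
  try {
    new Implicit();
  } catch (e) {
    implicitError = e.constructor.name; // "TypeError": super constructor is not a constructor
  }

  const instance = new Explicit();
  return {
    implicitError,
    constructorParentIsFunctionPrototype: Object.getPrototypeOf(Implicit) === Function.prototype,
    prototypeChainEndsAtNull: Object.getPrototypeOf(Implicit.prototype) === null,
    explicitIsInstance: instance instanceof Explicit,
    explicitHasNoObjectPrototype: !("hasOwnProperty" in instance),
  };
}
```

`extendsNullBehaviour()` reports `implicitError: "TypeError"` together with the four structural checks all true: the class object inherits from Function.prototype, its `prototype` has a null [[Prototype]], and the explicitly constructed instance is an `Explicit` that does not see Object.prototype methods.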
1289
1290 2017-06-20  Saam Barati  <sbarati@apple.com>
1291
1292         repatchIn needs to lock the CodeBlock's lock
1293         https://bugs.webkit.org/show_bug.cgi?id=173573
1294
1295         Reviewed by Yusuke Suzuki.
1296
1297         CodeBlock::propagateTransitions and CodeBlock::visitWeakly grab the CodeBlock's
1298         lock before modifying the StructureStubInfo/PolymorphicAccess. When regenerating
1299         an IC, we must hold the CodeBlock's lock to prevent the executing thread from racing
1300         with the marking thread. repatchIn was not grabbing the lock. I haven't been
1301         able to get it to crash, but this is needed for the same reasons that get and put IC
1302         regeneration grab the lock.
1303
1304         * jit/Repatch.cpp:
1305         (JSC::repatchIn):
1306
1307 2017-06-19  Devin Rousso  <drousso@apple.com>
1308
1309         Web Inspector: create canvas content view and details sidebar panel
1310         https://bugs.webkit.org/show_bug.cgi?id=138941
1311         <rdar://problem/19051672>
1312
1313         Reviewed by Joseph Pecoraro.
1314
1315         * inspector/protocol/Canvas.json:
1316          - Add an optional `nodeId` attribute to the `Canvas` type.
1317          - Add `requestNode` command for getting the node id of the backing canvas element.
1318          - Add `requestContent` command for getting the current image content of the canvas.
1319
1320 2017-06-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1321
1322         Unreviewed, build fix for ARM
1323
1324         * assembler/MacroAssemblerARM.h:
1325         (JSC::MacroAssemblerARM::internalCompare32):
1326
1327 2017-06-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1328
1329         [DFG] More ArrayIndexOf fixups for various types
1330         https://bugs.webkit.org/show_bug.cgi?id=173176
1331
1332         Reviewed by Saam Barati.
1333
1334         This patch further expands coverage of ArrayIndexOf optimization in DFG and FTL.
1335
1336         1. We attempt to fold ArrayIndexOf to the constant (-1) if we know that its array
1337         never contains the given search value.
1338
1339         2. We support Symbol and Other specialization additionally. Especially, Other is
1340         useful because null/undefined can be used as a sentinel value.
1341
1342         One interesting thing is that Array.prototype.indexOf does not treat holes as
1343         undefined. Thus,
1344
1345             var array = [,,,,,,,];
1346             array.indexOf(undefined); // => -1
1347
1348         This can be trivially achieved in JSC because Empty and Undefined are different values.
1349
1350         * dfg/DFGFixupPhase.cpp:
1351         (JSC::DFG::FixupPhase::fixupNode):
1352         (JSC::DFG::FixupPhase::fixupArrayIndexOf):
1353         * dfg/DFGSpeculativeJIT.cpp:
1354         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
1355         (JSC::DFG::SpeculativeJIT::speculateOther):
1356         * dfg/DFGSpeculativeJIT.h:
1357         * ftl/FTLLowerDFGToB3.cpp:
1358         (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf):
1359
1360 2017-06-19  Caio Lima  <ticaiolima@gmail.com>
1361
1362         [ARMv6][DFG] ARM MacroAssembler is always emitting cmn when immediate is 0
1363         https://bugs.webkit.org/show_bug.cgi?id=172972
1364
1365         Reviewed by Mark Lam.
1366
1367         We are changing the internalCompare32 implementation in the ARM
1368         MacroAssembler to emit "cmp" when the "right.value" is 0.
1369         It was generating wrong comparisons, since the
1370         semantics of cmn are the opposite of cmp[1]. One case that it breaks is
1371         "branch32(MacroAssembler::Above, gpr, TrustedImm32(0))", which ends up
1372         resulting in the following assembly code:
1373
1374         ```
1375         cmn $r0, #0
1376         bhi <address>
1377         ```
1378
1379         However, as cmn is similar to "adds", it will never take the branch
1380         when $r0 > 0. In that case, the correct opcode is "cmp". With this
1381         patch we will fix the currently broken tests that use
1382         "branch32(MacroAssembler::Above, gpr, TrustedImm32(0))",
1383         such as ForwardVarargs, Spread and GetRestLength.
1384
1385         [1] - http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0204j/Cihiddid.html
1386
1387         * assembler/MacroAssemblerARM.h:
1388         (JSC::MacroAssemblerARM::internalCompare32):
1389
1390 2017-06-19  Joseph Pecoraro  <pecoraro@apple.com>
1391
1392         test262: Completion values for control flow do not match the spec
1393         https://bugs.webkit.org/show_bug.cgi?id=171265
1394
1395         Reviewed by Saam Barati.
1396
1397         * bytecompiler/BytecodeGenerator.h:
1398         (JSC::BytecodeGenerator::shouldBeConcernedWithCompletionValue):
1399         When we care about having proper completion values (global code
1400         in programs, modules, and eval) insert undefined results for
1401         control flow statements.
1402
1403         * bytecompiler/NodesCodegen.cpp:
1404         (JSC::SourceElements::emitBytecode):
1405         Reduce writing a default `undefined` value to the completion result to
1406         only once before the last statement we know will produce a value.
1407
1408         (JSC::IfElseNode::emitBytecode):
1409         (JSC::WithNode::emitBytecode):
1410         (JSC::WhileNode::emitBytecode):
1411         (JSC::ForNode::emitBytecode):
1412         (JSC::ForInNode::emitBytecode):
1413         (JSC::ForOfNode::emitBytecode):
1414         (JSC::SwitchNode::emitBytecode):
1415         Insert an undefined to handle cases where code may break out of an
1416         if/else or with statement (break/continue).
1417
1418         (JSC::TryNode::emitBytecode):
1419         Same handling for break cases. Also, finally block statement completion
1420         values are always ignored for the try statement result.
1421
1422         (JSC::ClassDeclNode::emitBytecode):
1423         Class declarations, like function declarations, produce an empty result.
1424
1425         * parser/Nodes.cpp:
1426         (JSC::SourceElements::lastStatement):
1427         (JSC::SourceElements::hasCompletionValue):
1428         (JSC::SourceElements::hasEarlyBreakOrContinue):
1429         (JSC::BlockNode::lastStatement):
1430         (JSC::BlockNode::singleStatement):
1431         (JSC::BlockNode::hasCompletionValue):
1432         (JSC::BlockNode::hasEarlyBreakOrContinue):
1433         (JSC::ScopeNode::singleStatement):
1434         (JSC::ScopeNode::hasCompletionValue):
1435         (JSC::ScopeNode::hasEarlyBreakOrContinue):
1436         The only non-trivial cases need to loop through their list of statements
1437         to determine if this has a completion value or not. Likewise for
1438         determining if there is an early break / continue, meaning a break or
1439         continue statement with no preceding statement that has a completion value.
1440
1441         * parser/Nodes.h:
1442         (JSC::StatementNode::next):
1443         (JSC::StatementNode::hasCompletionValue):
        Helper to check if a statement node produces a completion value or not.
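
        The completion-value rules described in this entry, as an added example in JavaScript (it is not part of this patch or of JSC): each case is constructed here, and the values follow the ECMAScript UpdateEmpty semantics that the patch brings the bytecode in line with, observed through indirect eval so the source runs as global code.

```javascript
// Added example, not part of the WebKit patch: observe the completion value
// that global eval code produces for the statement kinds the patch touches.
// Inputs are constructed here; the values follow the ECMAScript UpdateEmpty
// rules that the patch brings JSC's bytecode in line with.

// [source, why the value is what it is]
const COMPLETION_CASES = [
  ['1; var x = 2;', 'a var declaration produces empty, so the earlier 1 survives'],
  ['1; class C {}', 'a class declaration produces empty, like a function declaration'],
  ['1; if (true) {}', 'an if whose body produces nothing yields undefined, not 1'],
  ['1; do { break; } while (false)', 'a break with no value before it yields undefined'],
  ['1; do { 2; break; } while (false)', 'a break after a value keeps that value'],
  ['1; try { 2 } finally { 3 }', 'the finally block completion is ignored'],
  ['1; switch (1) { case 1: }', 'a switch whose clauses run nothing yields undefined'],
];

// Indirect eval runs the source as global code, where completion values are observable.
function completionValue(source) {
  return (0, eval)(source);
}

// Evaluate every case and report its completion value next to the explanation.
function completionReport() {
  return COMPLETION_CASES.map(([source, why]) => ({ source, why, value: completionValue(source) }));
}
```

        The `do { break; }` and `if (true) {}` cases are the ones the inserted `undefined` results handle: without them an engine would leak the earlier `1` as the program's value.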
1445
1446 2017-06-19  Adrian Perez de Castro  <aperez@igalia.com>
1447
1448         Missing <functional> includes make builds fail with GCC 7.x
1449         https://bugs.webkit.org/show_bug.cgi?id=173544
1450
1451         Unreviewed gardening.
1452
1453         Fix compilation with GCC 7.
1454
1455         * API/tests/CompareAndSwapTest.cpp:
1456         * runtime/VMEntryScope.h:
1457
1458 2017-06-17  Keith Miller  <keith_miller@apple.com>
1459
1460         ArrayBuffer constructor needs to create subclass structures before its buffer
1461         https://bugs.webkit.org/show_bug.cgi?id=173510
1462
1463         Reviewed by Yusuke Suzuki.
1464
1465         * runtime/JSArrayBufferConstructor.cpp:
1466         (JSC::constructArrayBuffer):
1467
1468 2017-06-17  Keith Miller  <keith_miller@apple.com>
1469
1470         ArrayPrototype methods should use JSValue::toLength for non-Arrays.
1471         https://bugs.webkit.org/show_bug.cgi?id=173506
1472
1473         Reviewed by Ryosuke Niwa.
1474
1475         This patch changes the result of unshift if old length +
1476         unshift.arguments.length > (2 ** 53) - 1 to be a type error. Also,
1477         the getLength function, which was always incorrect to use, has
1478         been removed. Additionally, some cases where we were using a
1479         constant for (2 ** 53) - 1 have been replaced with
        maxSafeInteger().
1481
1482         * interpreter/Interpreter.cpp:
1483         (JSC::sizeOfVarargs):
1484         * runtime/ArrayPrototype.cpp:
1485         (JSC::arrayProtoFuncToLocaleString):
1486         (JSC::arrayProtoFuncPop):
1487         (JSC::arrayProtoFuncPush):
1488         (JSC::arrayProtoFuncReverse):
1489         (JSC::arrayProtoFuncShift):
1490         (JSC::arrayProtoFuncSlice):
1491         (JSC::arrayProtoFuncSplice):
1492         (JSC::arrayProtoFuncUnShift):
1493         (JSC::arrayProtoFuncIndexOf):
1494         (JSC::arrayProtoFuncLastIndexOf):
1495         * runtime/JSArrayInlines.h:
1496         (JSC::getLength): Deleted.
1497         * runtime/JSCJSValue.cpp:
1498         (JSC::JSValue::toLength):
1499         * runtime/NumberConstructor.cpp:
1500         (JSC::numberConstructorFuncIsSafeInteger):
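
        The ToLength clamping and the unshift/push overflow check described in this entry, as an added example in JavaScript (not WebKit code): toLength is written out as the spec defines it, and the array-like objects with out-of-range lengths are constructed here to show the observable behaviour of the built-ins.

```javascript
// Added example, not WebKit code: ToLength as ECMAScript defines it, and the
// observable effect of applying Array.prototype methods to generic array-likes
// whose length is out of range. The array-likes are constructed here.
const MAX_SAFE_LENGTH = Number.MAX_SAFE_INTEGER; // 2 ** 53 - 1

// ToLength: NaN or negative -> 0, truncate, clamp to 2 ** 53 - 1.
function toLength(value) {
  const n = Math.trunc(Number(value));
  if (!(n > 0)) return 0;          // catches NaN as well as negatives
  return Math.min(n, MAX_SAFE_LENGTH);
}

// Call Array.prototype[method] on { length } and report what happened.
function applyToArrayLike(method, length, ...args) {
  const target = { length };
  try {
    const returned = Array.prototype[method].call(target, ...args);
    return {
      ok: true,
      returned,
      length: target.length,
      indexed: Object.keys(target).filter((k) => k !== 'length'),
    };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}
```

        A negative length is treated as 0, so push writes index 0; a length already at 2 ** 53 - 1 makes push and unshift throw a TypeError instead of wrapping; pop on a length above the limit clamps first and then decrements.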
1501
1502 2017-06-16  Matt Baker  <mattbaker@apple.com>
1503
1504         Web Inspector: Instrument 2D/WebGL canvas contexts in the backend
1505         https://bugs.webkit.org/show_bug.cgi?id=172623
1506         <rdar://problem/32415986>
1507
1508         Reviewed by Devin Rousso and Joseph Pecoraro.
1509
1510         This patch adds a basic Canvas protocol. It includes Canvas and related
1511         types and events for monitoring the lifetime of canvases in the page.
1512
1513         * CMakeLists.txt:
1514         * DerivedSources.make:
1515         * inspector/protocol/Canvas.json: Added.
1516
1517         * inspector/scripts/codegen/generator.py:
1518         (Generator.stylized_name_for_enum_value):
1519         Add special handling for Canvas.ContextType protocol enumeration,
1520         so that "canvas-2d" and "webgl" map to `Canvas2D` and `WebGL`.
1521
1522 2017-06-16  Wenson Hsieh  <wenson_hsieh@apple.com>
1523
1524         [iOS DnD] Upstream iOS drag and drop implementation into OpenSource WebKit
1525         https://bugs.webkit.org/show_bug.cgi?id=173366
1526         <rdar://problem/32767014>
1527
1528         Reviewed by Tim Horton.
1529
1530         Introduce ENABLE_DATA_INTERACTION and ENABLE_DRAG_SUPPORT to FeatureDefines.xcconfig.
1531
1532         * Configurations/FeatureDefines.xcconfig:
1533
1534 2017-06-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1535
1536         [JSC] Add fast path for Object.assign
1537         https://bugs.webkit.org/show_bug.cgi?id=173416
1538
1539         Reviewed by Mark Lam.
1540
        In the Object.assign implementation, we need to ensure that the given key is still an enumerable own key.
        This seems to be a duplicate lookup, and we want to avoid it. However, we still need to perform this
        check in the face of Proxy. Proxy can observe that this check is done correctly.

        In almost all cases, the above check duplicates the subsequent [[Get]] operation.
        In this patch, we perform this check. But at that time, we investigate `isTaintedByOpaqueObject()`.
1547         If it is false, we can say that getOwnPropertySlot is pure. In that case, we can just retrieve the
1548         value by calling `slot.getValue()`.
1549
1550         This further improves performance of Object.assign.
1551
1552                                         baseline                  patched
1553
1554             object-assign.es6      363.6706+-6.4381     ^    324.1769+-6.9624        ^ definitely 1.1218x faster
1555
1556         * runtime/ObjectConstructor.cpp:
1557         (JSC::objectConstructorAssign):
1558
1559 2017-06-16  Michael Saboff  <msaboff@apple.com>
1560
1561         Intermittent crash running Internal/Tests/InternalJSTests/Regress/radar-24300617.js
1562         https://bugs.webkit.org/show_bug.cgi?id=173488
1563
1564         Reviewed by Filip Pizlo.
1565
        ClonedArguments lazily sets its callee and iterator properties and it used its own inline
        code to initialize its butterfly.  This means that these lazily set properties can have
        bogus values in those slots.  Instead, let's use the standard Butterfly::tryCreate() method
        to create the butterfly as it clears out-of-line properties.
1570
1571         * runtime/ClonedArguments.cpp:
1572         (JSC::ClonedArguments::createEmpty):
1573
1574 2017-06-16  Mark Lam  <mark.lam@apple.com>
1575
1576         Interpreter methods for mapping between Opcode and OpcodeID need not be instance methods.
1577         https://bugs.webkit.org/show_bug.cgi?id=173491
1578
1579         Reviewed by Keith Miller.
1580
        The implementations are based on static data. There's no need to get the
1582         interpreter instance. Hence, we can make these methods static and avoid doing
1583         unnecessary work to compute the interpreter this pointer.
1584
1585         Also removed the unused isCallBytecode method.
1586
1587         * bytecode/BytecodeBasicBlock.cpp:
1588         (JSC::BytecodeBasicBlock::computeImpl):
1589         * bytecode/BytecodeDumper.cpp:
1590         (JSC::BytecodeDumper<Block>::printGetByIdOp):
1591         (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
1592         (JSC::BytecodeDumper<Block>::dumpBytecode):
1593         (JSC::BytecodeDumper<Block>::dumpBlock):
1594         * bytecode/BytecodeLivenessAnalysis.cpp:
1595         (JSC::BytecodeLivenessAnalysis::dumpResults):
1596         * bytecode/BytecodeLivenessAnalysisInlines.h:
1597         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::stepOverInstruction):
1598         * bytecode/BytecodeRewriter.cpp:
1599         (JSC::BytecodeRewriter::adjustJumpTargetsInFragment):
1600         * bytecode/CallLinkStatus.cpp:
1601         (JSC::CallLinkStatus::computeFromLLInt):
1602         * bytecode/CodeBlock.cpp:
1603         (JSC::CodeBlock::finishCreation):
1604         (JSC::CodeBlock::propagateTransitions):
1605         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1606         (JSC::CodeBlock::hasOpDebugForLineAndColumn):
1607         (JSC::CodeBlock::usesOpcode):
1608         (JSC::CodeBlock::valueProfileForBytecodeOffset):
1609         (JSC::CodeBlock::arithProfileForPC):
1610         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
1611         * bytecode/PreciseJumpTargets.cpp:
1612         (JSC::getJumpTargetsForBytecodeOffset):
1613         (JSC::computePreciseJumpTargetsInternal):
1614         (JSC::findJumpTargetsForBytecodeOffset):
1615         * bytecode/PreciseJumpTargetsInlines.h:
1616         (JSC::extractStoredJumpTargetsForBytecodeOffset):
1617         * bytecode/UnlinkedCodeBlock.cpp:
1618         (JSC::UnlinkedCodeBlock::applyModification):
1619         * dfg/DFGByteCodeParser.cpp:
1620         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
1621         (JSC::DFG::ByteCodeParser::parseBlock):
1622         * dfg/DFGCapabilities.cpp:
1623         (JSC::DFG::capabilityLevel):
1624         * interpreter/Interpreter.cpp:
1625         (JSC::Interpreter::Interpreter):
1626         (JSC::Interpreter::isOpcode):
1627         (): Deleted.
1628         * interpreter/Interpreter.h:
1629         (JSC::Interpreter::getOpcode): Deleted.
1630         (JSC::Interpreter::getOpcodeID): Deleted.
1631         (JSC::Interpreter::isCallBytecode): Deleted.
1632         * interpreter/InterpreterInlines.h:
1633         (JSC::Interpreter::getOpcode):
1634         (JSC::Interpreter::getOpcodeID):
1635         * jit/JIT.cpp:
1636         (JSC::JIT::privateCompileMainPass):
1637         (JSC::JIT::privateCompileSlowCases):
1638         * jit/JITOpcodes.cpp:
1639         (JSC::JIT::emitNewFuncCommon):
1640         (JSC::JIT::emitNewFuncExprCommon):
1641         * jit/JITPropertyAccess.cpp:
1642         (JSC::JIT::emitSlow_op_put_by_val):
1643         (JSC::JIT::privateCompilePutByVal):
1644         * jit/JITPropertyAccess32_64.cpp:
1645         (JSC::JIT::emitSlow_op_put_by_val):
1646         * llint/LLIntSlowPaths.cpp:
1647         (JSC::LLInt::llint_trace_operand):
1648         (JSC::LLInt::llint_trace_value):
1649         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1650         * profiler/ProfilerBytecodeSequence.cpp:
1651         (JSC::Profiler::BytecodeSequence::BytecodeSequence):
1652
1653 2017-06-16  Matt Lewis  <jlewis3@apple.com>
1654
1655         Unreviewed, rolling out r218376.
1656
1657         The patch cause multiple Layout Test Crashes.
1658
1659         Reverted changeset:
1660
1661         "Web Inspector: Instrument 2D/WebGL canvas contexts in the
1662         backend"
1663         https://bugs.webkit.org/show_bug.cgi?id=172623
1664         http://trac.webkit.org/changeset/218376
1665
1666 2017-06-16  Konstantin Tokarev  <annulen@yandex.ru>
1667
1668         REGRESSION(r166799): LogsPageMessagesToSystemConsoleEnabled corrupts non-ASCII characters
1669         https://bugs.webkit.org/show_bug.cgi?id=173470
1670
1671         Reviewed by Joseph Pecoraro.
1672
1673         ConsoleClient::printConsoleMessageWithArguments() incorrectly uses
        const char* overload of StringBuilder::append() that assumes Latin1
1675         encoding, not UTF8.
1676
1677         * runtime/ConsoleClient.cpp:
1678         (JSC::ConsoleClient::printConsoleMessageWithArguments):
1679
1680 2017-06-15  Mark Lam  <mark.lam@apple.com>
1681
1682         Add a JSRunLoopTimer registry in VM.
1683         https://bugs.webkit.org/show_bug.cgi?id=173429
1684         <rdar://problem/31287961>
1685
1686         Reviewed by Filip Pizlo.
1687
1688         This way, we can be sure we've got every JSRunLoopTimer instance covered if we
1689         need to change their run loop (e.g. when setting to the WebThread's run loop).
1690
1691         * heap/Heap.cpp:
1692         (JSC::Heap::Heap):
1693         (JSC::Heap::setRunLoop): Deleted.
1694         * heap/Heap.h:
1695         (JSC::Heap::runLoop): Deleted.
1696         * runtime/JSRunLoopTimer.cpp:
1697         (JSC::JSRunLoopTimer::JSRunLoopTimer):
1698         (JSC::JSRunLoopTimer::setRunLoop):
1699         (JSC::JSRunLoopTimer::~JSRunLoopTimer):
1700         * runtime/VM.cpp:
1701         (JSC::VM::VM):
1702         (JSC::VM::registerRunLoopTimer):
1703         (JSC::VM::unregisterRunLoopTimer):
1704         (JSC::VM::setRunLoop):
1705         * runtime/VM.h:
1706         (JSC::VM::runLoop):
1707
1708 2017-06-15  Joseph Pecoraro  <pecoraro@apple.com>
1709
1710         [Cocoa] Modernize some internal initializers to use instancetype instead of id
1711         https://bugs.webkit.org/show_bug.cgi?id=173112
1712
1713         Reviewed by Wenson Hsieh.
1714
1715         * API/JSContextInternal.h:
1716         * API/JSWrapperMap.h:
1717         * API/JSWrapperMap.mm:
1718         (-[JSObjCClassInfo initForClass:]):
1719         (-[JSWrapperMap initWithGlobalContextRef:]):
1720
1721 2017-06-15  Matt Baker  <mattbaker@apple.com>
1722
1723         Web Inspector: Instrument 2D/WebGL canvas contexts in the backend
1724         https://bugs.webkit.org/show_bug.cgi?id=172623
1725         <rdar://problem/32415986>
1726
1727         Reviewed by Devin Rousso.
1728
1729         This patch adds a basic Canvas protocol. It includes Canvas and related
1730         types and events for monitoring the lifetime of canvases in the page.
1731
1732         * CMakeLists.txt:
1733         * DerivedSources.make:
1734         * inspector/protocol/Canvas.json: Added.
1735
1736         * inspector/scripts/codegen/generator.py:
1737         (Generator.stylized_name_for_enum_value):
1738         Add special handling for Canvas.ContextType protocol enumeration,
1739         so that "canvas-2d" and "webgl" map to `Canvas2D` and `WebGL`.
1740
1741 2017-06-15  Keith Miller  <keith_miller@apple.com>
1742
1743         Add logging to MachineStackMarker to try to diagnose crashes in the wild
1744         https://bugs.webkit.org/show_bug.cgi?id=173427
1745
1746         Reviewed by Mark Lam.
1747
1748         This patch adds some logging to the MachineStackMarker constructor
1749         to help figure out where we are seeing crashes. Since macOS does
        not support os_log_info, my hope is that if we set all the callee
        save registers before making any calls in the C++ code we can
        figure out which call is the source of the crash. We also set
        all the caller save registers before returning in case some
        weirdness is happening in the Heap constructor.
1755
1756         This logging should not matter from a performance perspective. We
1757         only create MachineStackMarkers when we are creating a new VM,
1758         which is already expensive.
1759
1760         * heap/MachineStackMarker.cpp:
1761         (JSC::MachineThreads::MachineThreads):
1762
1763 2017-06-15  Yusuke Suzuki  <utatane.tea@gmail.com>
1764
1765         [JSC] Implement Object.assign in C++
1766         https://bugs.webkit.org/show_bug.cgi?id=173414
1767
1768         Reviewed by Saam Barati.
1769
        Implementing Object.assign in JS is not so good compared to the C++ version because:

        1. The JS version allocates a JS array for the object's own keys. And we allocate a JSString / Symbol for each key.
        But basically, they can be handled as UniquedStringImpl in C++. Allocating these cells is wasteful.

        2. While implementing builtins in JS offers some good type speculation chances, Object.assign is inherently super polymorphic.
        So JS's type profile doesn't help well.

        3. We have a chance to introduce various fast paths for Object.assign in C++.
1779
1780         This patch moves implementation from JS to C++. It achieves the above (1) and (2). (3) is filed in [1].
1781
1782         We can see 1.65x improvement in SixSpeed object-assign.es6.
1783
1784                                     baseline                  patched
1785
1786         object-assign.es6      643.3253+-8.0521     ^    389.1075+-8.8840        ^ definitely 1.6533x faster
1787
1788         [1]: https://bugs.webkit.org/show_bug.cgi?id=173416
1789
1790         * builtins/ObjectConstructor.js:
1791         (entries):
1792         (assign): Deleted.
1793         * runtime/JSCJSValueInlines.h:
1794         (JSC::JSValue::putInline):
1795         * runtime/JSCell.h:
1796         * runtime/JSCellInlines.h:
1797         (JSC::JSCell::putInline):
1798         * runtime/JSObject.cpp:
1799         (JSC::JSObject::put):
1800         * runtime/JSObject.h:
1801         * runtime/JSObjectInlines.h:
1802         (JSC::JSObject::putInlineForJSObject):
1803         (JSC::JSObject::putInline): Deleted.
1804         * runtime/ObjectConstructor.cpp:
1805         (JSC::objectConstructorAssign):
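
        The enumerable-own-key check discussed in this entry (bug 173414) and in the fast-path follow-up above (bug 173416), as one added example in JavaScript that is not WebKit code: a Proxy source logs the internal methods Object.assign invokes, and a source constructed to delete a sibling key during [[Get]] shows why the check cannot be dropped even though it looks like a duplicate of the following [[Get]]. The names traceAssign and makeSelfMutatingSource belong to this example only.

```javascript
// Added example, not WebKit code: trace the object-internal methods that
// Object.assign invokes on a Proxy source, to show why the "still an
// enumerable own key" check has to stay in the face of a Proxy even though
// it looks like a duplicate of the following [[Get]].
function traceAssign(sourceTarget) {
  const log = [];
  const source = new Proxy(sourceTarget, {
    ownKeys(t) {
      log.push('ownKeys');
      return Reflect.ownKeys(t);
    },
    getOwnPropertyDescriptor(t, key) {
      log.push(`getOwnPropertyDescriptor:${String(key)}`);
      return Reflect.getOwnPropertyDescriptor(t, key);
    },
    get(t, key, receiver) {
      log.push(`get:${String(key)}`);
      return Reflect.get(t, key, receiver);
    },
  });
  const result = Object.assign({}, source);
  return { result, log };
}

// A source whose getter for "a" deletes "b" while the copy is in progress.
// Constructed here; after get:a, "b" is no longer an own key, so the
// descriptor check skips it and no get:b happens.
function makeSelfMutatingSource() {
  const obj = {
    get a() {
      delete obj.b;
      return 1;
    },
    b: 2,
  };
  return obj;
}
```

        For a plain source the trace is ownKeys, then descriptor check and get per key; for the self-mutating source the descriptor check for "b" returns undefined and the get is skipped, which is exactly the observable difference a Proxy can detect and why only a source with `isTaintedByOpaqueObject()` false may take the slot-value shortcut.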
1806
1807 2017-06-14  Dan Bernstein  <mitz@apple.com>
1808
1809         [Cocoa] Objective-C class whose name begins with an underscore can’t be exported to JavaScript
1810         https://bugs.webkit.org/show_bug.cgi?id=168578
1811
1812         Reviewed by Geoff Garen.
1813
1814         * API/JSWrapperMap.mm:
1815         (allocateConstructorForCustomClass): Updated for change to forEachProtocolImplementingProtocol.
1816         (-[JSObjCClassInfo allocateConstructorAndPrototype]): Ditto.
1817         (-[JSWrapperMap classInfoForClass:]): If the class name begins with an underscore, check if
1818           it defines conformance to a JSExport-derived protocol and if so, avoid using the
1819           superclass as a substitute as we’d normally do.
1820
1821         * API/ObjcRuntimeExtras.h:
1822         (forEachProtocolImplementingProtocol): Added a "stop" argument to the block to let callers
1823           bail out.
1824
1825         * API/tests/JSExportTests.mm:
1826         (+[JSExportTests classNamePrefixedWithUnderscoreTest]): New test for this.
1827         (runJSExportTests): Run new test.
1828
1829 2017-06-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1830
        Unreviewed, suppress invalid register allocation validation assertion in 32 bit part 2
1832         https://bugs.webkit.org/show_bug.cgi?id=172421
1833
1834         * dfg/DFGSpeculativeJIT.cpp:
1835         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
1836
1837 2017-06-14  Claudio Saavedra  <csaavedra@igalia.com>
1838
1839         REGRESSION: 15 new jsc failures in WPE and GTK+
1840         https://bugs.webkit.org/show_bug.cgi?id=173349
1841
1842         Reviewed by JF Bastien.
1843
1844         Recent changes to generateWasm.py are not accounted for from
1845         CMake, which leads to WasmOps.h not being regenerated in partial
        builds. Make generateWasm.py an additional dependency.

        * CMakeLists.txt:
1848
1849 2017-06-13  Joseph Pecoraro  <pecoraro@apple.com>
1850
1851         Debugger has unexpected effect on program correctness
1852         https://bugs.webkit.org/show_bug.cgi?id=172683
1853
1854         Reviewed by Saam Barati.
1855
1856         * inspector/InjectedScriptSource.js:
1857         (InjectedScript.RemoteObject.prototype._appendPropertyPreviews):
1858         (InjectedScript.RemoteObject.prototype._isPreviewableObjectInternal):
1859         (BasicCommandLineAPI):
1860         Eliminate for..of use with Arrays from InjectedScriptSource as it can be observable.
1861         We still use it for Set / Map iteration which we can eliminate when moving to builtins.
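
        The observability this entry refers to, as an added example in JavaScript (not the inspector's code): page script replaces Array.prototype[Symbol.iterator] with an iterator constructed here that counts its calls and lies about every element, so a for..of walk in injected code sees tampered data while an index loop does not.

```javascript
// Added example, not WebKit code: shows why an injected script must not walk
// Arrays with for..of. for..of goes through Array.prototype[Symbol.iterator],
// which page script can replace; an index loop reads elements directly.
// The replacement iterator here is constructed for the demonstration.
function iterationObservability(values) {
  const realIterator = Array.prototype[Symbol.iterator];
  let iteratorCalls = 0;
  // Page-installed iterator: records the call and lies about every element.
  Array.prototype[Symbol.iterator] = function* tampered() {
    iteratorCalls += 1;
    for (let i = 0; i < this.length; i++) yield null;
  };
  try {
    const viaForOf = [];
    for (const v of values) viaForOf.push(v);
    const callsAfterForOf = iteratorCalls;

    const viaIndex = [];
    for (let i = 0; i < values.length; i++) viaIndex.push(values[i]);

    return { callsAfterForOf, callsAfterIndex: iteratorCalls, viaForOf, viaIndex };
  } finally {
    Array.prototype[Symbol.iterator] = realIterator; // always put the real one back
  }
}
```

        Spread, destructuring and Array.from go through the same iterator and are equally observable; that is why the entry moves the remaining Set / Map iteration toward builtins that do not consult user-replaceable prototypes.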
1862
1863 2017-06-13  JF Bastien  <jfbastien@apple.com>
1864
1865         WebAssembly: fix erroneous signature comment
1866         https://bugs.webkit.org/show_bug.cgi?id=173334
1867
1868         Reviewed by Keith Miller.
1869
1870         * wasm/WasmSignature.h:
1871
1872 2017-06-13  Michael Saboff  <msaboff@apple.com>
1873
1874         Refactor AbsenceOfSetter to AbsenceOfSetEffects
1875         https://bugs.webkit.org/show_bug.cgi?id=173322
1876
1877         Reviewed by Filip Pizlo.
1878
1879         * bytecode/ObjectPropertyCondition.h:
1880         (JSC::ObjectPropertyCondition::absenceOfSetEffectWithoutBarrier):
1881         (JSC::ObjectPropertyCondition::absenceOfSetEffect):
1882         (JSC::ObjectPropertyCondition::absenceOfSetterWithoutBarrier): Deleted.
1883         (JSC::ObjectPropertyCondition::absenceOfSetter): Deleted.
1884         * bytecode/ObjectPropertyConditionSet.cpp:
1885         (JSC::generateConditionsForPropertySetterMiss):
1886         (JSC::generateConditionsForPropertySetterMissConcurrently):
1887         * bytecode/PropertyCondition.cpp:
1888         (JSC::PropertyCondition::dumpInContext):
1889         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):
1890         (JSC::PropertyCondition::isStillValid):
1891         (WTF::printInternal):
1892         * bytecode/PropertyCondition.h:
1893         (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
1894         (JSC::PropertyCondition::absenceOfSetEffect):
1895         (JSC::PropertyCondition::hasPrototype):
1896         (JSC::PropertyCondition::hash):
1897         (JSC::PropertyCondition::operator==):
1898         (JSC::PropertyCondition::absenceOfSetterWithoutBarrier): Deleted.
1899         (JSC::PropertyCondition::absenceOfSetter): Deleted.
1900
1901 2017-06-13  JF Bastien  <jfbastien@apple.com>
1902
1903         WebAssembly: import updated spec tests
1904         https://bugs.webkit.org/show_bug.cgi?id=173287
1905         <rdar://problem/32725975>
1906
1907         Reviewed by Saam Barati.
1908
1909         Import spec tests as of 31c641cc15f2aedbec2fa45a5185f68416df578b,
1910         with a few modifications so things work.
1911
1912         Fix a bunch of bugs found through this process, and punt a few tests (which I
1913         marked as blocked by this bug).
1914
1915         Fixes:
1916
1917         Fix load / store alignment: r216908 erroneously implemented it as bit alignment
1918         instead of byte alignment. It was also missing memory-alignment.js despite it
1919         being in the ChangeLog, so add it too. This allows spec-test/align.wast.js to
1920         pass.
1921
1922         Tables can be imported or in a section. There can be only one, but sections can
1923         be empty. An Elements section can exist if there's no Table, as long as it is
1924         also empty.
1925
1926         Memories can be imported or in a section. There can be only one, but sections
1927         can be empty. A Data section can exist if there's no Memory, as long as it is
1928         also empty.
1929
1930         Prototypes: stringify without .prototype. in the string.
1931
1932         WebAssembly.Table.prototype.grow was plain wrong: it takes a delta parameter,
1933         not a final size, and throws a RangeError on failure, not a TypeError.
1934
        Fix compile / instantiate so they reject the promise if given an argument of the
        wrong type (instead of failing instantly).
1937
1938         Fix async on neuter test.
1939
1940         Element section shouldn't affect any Table if any of the elements are out of
1941         bounds. We need to process it in two passes.
1942
1943         Segment section shouldn't affect any Data if any of the segments are out of
1944         bounds. We need to process it in two passes.
1945
1946         Empty data segments are valid, but only when there is no memory. Their index
1947         still gets validated, and has to be zero.
1948
1949         Punts:
1950
1951         Error messages with context, the test seems overly restrictive but this is
1952         minor.
1953
1954         compile/instantiate/validate property descriptors.
1955
1956         UTF-8 bugs.
1957
1958         Temporarily disable NaN tests. We need to go back and implement the following
1959         semantics: https://github.com/WebAssembly/spec/pull/414 This doesn't matter as
1960         much as getting all the other tests passing.
1961
1962         Worth noting for NaNs: f64.no_fold_mul_one (also a NaN test) as well as
1963         no_fold_promote_demote (an interesting corner case which we get wrong). mul by
1964         one is (assert_return (invoke \"f64.no_fold_mul_one\" (i64.const
1965         0x7ff4000000000000)) (i64.const 0x7ff8000000000000)) which means converting sNaN
1966         to qNaN, and promote/demote is (assert_return (invoke \"no_fold_promote_demote\"
1967         (i32.const 0x7fa00000)) (i32.const 0x7fc00000)) which is the same. I'm not sure
1968         why they're not allowed.
1969
1970         * wasm/WasmB3IRGenerator.cpp:
1971         * wasm/WasmFunctionParser.h:
1972         * wasm/WasmModuleParser.cpp:
1973         * wasm/WasmModuleParser.h:
1974         * wasm/WasmParser.h:
1975         (JSC::Wasm::Parser<SuccessType>::consumeUTF8String):
1976         * wasm/generateWasm.py:
1977         (memoryLog2Alignment):
1978         * wasm/js/JSWebAssemblyTable.cpp:
1979         (JSC::JSWebAssemblyTable::grow):
1980         * wasm/js/JSWebAssemblyTable.h:
1981         * wasm/js/WebAssemblyCompileErrorPrototype.cpp:
1982         * wasm/js/WebAssemblyInstancePrototype.cpp:
1983         * wasm/js/WebAssemblyLinkErrorPrototype.cpp:
1984         * wasm/js/WebAssemblyMemoryPrototype.cpp:
1985         * wasm/js/WebAssemblyModulePrototype.cpp:
1986         * wasm/js/WebAssemblyModuleRecord.cpp:
1987         (JSC::WebAssemblyModuleRecord::evaluate):
1988         * wasm/js/WebAssemblyPrototype.cpp:
1989         (JSC::webAssemblyCompileFunc):
1990         (JSC::resolve):
1991         (JSC::instantiate):
1992         (JSC::compileAndInstantiate):
1993         (JSC::webAssemblyInstantiateFunc):
1994         * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp:
1995         * wasm/js/WebAssemblyTablePrototype.cpp:
1996         (JSC::webAssemblyTableProtoFuncGrow):
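
        The load alignment and Table.prototype.grow fixes listed in this entry, as an added example in JavaScript (not WebKit code): a minimal module holding one i32.load is hand-assembled here so the memarg alignment immediate can be varied and run through WebAssembly.validate, and a table constructed here shows that grow takes a delta, returns the old length and throws RangeError past the maximum.

```javascript
// Added example, not WebKit code: hand-assembles a minimal module whose only
// instruction is an i32.load, so the memarg alignment immediate can be varied,
// and exercises WebAssembly.Table.prototype.grow. The bytes follow the
// WebAssembly binary format and are constructed here for illustration.

// The alignment immediate is log2 of a byte count: i32.load accepts 0..2
// (1, 2 or 4 bytes); anything above the natural 4-byte alignment is invalid.
function buildI32LoadModule(alignLog2) {
  const body = [
    0x00,                    // no local declarations
    0x41, 0x00,              // i32.const 0
    0x28, alignLog2, 0x00,   // i32.load  align=alignLog2 offset=0
    0x0b,                    // end
  ];
  return new Uint8Array([
    0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, // magic, version 1
    0x01, 0x05, 0x01, 0x60, 0x00, 0x01, 0x7f,       // type section: () -> i32
    0x03, 0x02, 0x01, 0x00,                         // function section: func 0 has type 0
    0x05, 0x03, 0x01, 0x00, 0x01,                   // memory section: one memory, min 1 page
    0x0a, body.length + 2, 0x01, body.length, ...body, // code section: one body
  ]);
}

function loadAlignmentIsValid(alignLog2) {
  return WebAssembly.validate(buildI32LoadModule(alignLog2));
}

// grow() takes a delta, returns the previous length, and throws RangeError
// (not TypeError) when the result would exceed the table's maximum.
function growTable(initial, maximum, delta) {
  const table = new WebAssembly.Table({ element: 'anyfunc', initial, maximum });
  try {
    const previous = table.grow(delta);
    return { ok: true, previous, length: table.length };
  } catch (e) {
    return { ok: false, error: e.constructor.name, length: table.length };
  }
}
```

        Reading the immediate as a bit alignment, as r216908 did, would make align=2 mean 4 bits and reject valid modules while admitting over-aligned ones; validating the same body with 2 and 3 shows where the byte-based limit sits.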
1997
1998 2017-06-13  Michael Saboff  <msaboff@apple.com>
1999
2000         DFG doesn't properly handle a property that is change to read only in a prototype
2001         https://bugs.webkit.org/show_bug.cgi?id=173321
2002
2003         Reviewed by Filip Pizlo.
2004
        We need to check for ReadOnly as well as not being a Setter when checking
        an AbsenceOfSetter.
2007
2008         * bytecode/PropertyCondition.cpp:
2009         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):
2010
2011 2017-06-13  Daniel Bates  <dabates@apple.com>
2012
2013         Implement W3C Secure Contexts Draft Specification
2014         https://bugs.webkit.org/show_bug.cgi?id=158121
2015         <rdar://problem/26012994>
2016
2017         Reviewed by Brent Fulgham.
2018
2019         Part 4
2020
2021         Adds isSecureContext to the list of common identifiers as needed to support
2022         toggling its exposure from a runtime enabled feature flag.
2023
2024         * runtime/CommonIdentifiers.h:
2025
2026 2017-06-13  Don Olmstead  <don.olmstead@sony.com>
2027
2028         [JSC] Remove redundant includes in config.h
2029         https://bugs.webkit.org/show_bug.cgi?id=173294
2030
2031         Reviewed by Alex Christensen.
2032
2033         * config.h:
2034
2035 2017-06-12  Saam Barati  <sbarati@apple.com>
2036
2037         We should not claim that SpecEmpty is filtered out of cell checks on 64 bit platforms
2038         https://bugs.webkit.org/show_bug.cgi?id=172957
2039         <rdar://problem/32602704>
2040
2041         Reviewed by Filip Pizlo.
2042
2043         Consider this program:
2044         ```
2045         block#1:
2046         n: GetClosureVar(..., |this|) // this will load empty JSValue()
2047         SetLocal(Cell:@n, locFoo) // Cell check succeeds because JSValue() looks like a cell
2048         Branch(#2, #3)
2049         
2050         Block#3:
2051         x: GetLocal(locFoo)
2052         y: CheckNotEmpty(@x)
2053         ```
2054         
2055         If we claim that a cell check filters out the empty value, we will
2056         incorrectly eliminate the CheckNotEmpty node @y. This patch fixes AI,
2057         FTLLowerDFGToB3, and DFGSpeculativeJIT to no longer make this claim.
2058         
2059         On 64 bit platforms:
2060         - Cell use kind *now allows* the empty value to pass through.
2061         - CellOrOther use kind *now allows* for the empty value to pass through
2062         - NotCell use kind *no longer allows* the empty value to pass through.
2063
2064         * assembler/CPU.h:
2065         (JSC::isARMv7IDIVSupported):
2066         (JSC::isARM64):
2067         (JSC::isX86):
2068         (JSC::isX86_64):
2069         (JSC::is64Bit):
2070         (JSC::is32Bit):
2071         (JSC::isMIPS):
2072         Make these functions constexpr so we can use them in static variable assignment.
2073
2074         * bytecode/SpeculatedType.h:
2075         * dfg/DFGSpeculativeJIT.cpp:
2076         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
2077         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2078         (JSC::DFG::SpeculativeJIT::compileLogicalNotStringOrOther):
2079         (JSC::DFG::SpeculativeJIT::emitStringOrOtherBranch):
2080         (JSC::DFG::SpeculativeJIT::speculateCell):
2081         (JSC::DFG::SpeculativeJIT::speculateCellOrOther):
2082         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
2083         (JSC::DFG::SpeculativeJIT::speculateString):
2084         (JSC::DFG::SpeculativeJIT::speculateStringOrOther):
2085         (JSC::DFG::SpeculativeJIT::speculateSymbol):
2086         (JSC::DFG::SpeculativeJIT::speculateNotCell):
2087         * dfg/DFGSpeculativeJIT32_64.cpp:
2088         * dfg/DFGSpeculativeJIT64.cpp:
2089         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2090         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
2091         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
2092         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2093         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2094         * dfg/DFGUseKind.h:
2095         (JSC::DFG::typeFilterFor):
2096         * ftl/FTLLowerDFGToB3.cpp:
2097         (JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep):
2098         (JSC::FTL::DFG::LowerDFGToB3::numberOrNotCellToInt32):
2099         (JSC::FTL::DFG::LowerDFGToB3::compareEqObjectOrOtherToObject):
2100         (JSC::FTL::DFG::LowerDFGToB3::boolify):
2101         (JSC::FTL::DFG::LowerDFGToB3::equalNullOrUndefined):
2102         (JSC::FTL::DFG::LowerDFGToB3::lowCell):
2103         (JSC::FTL::DFG::LowerDFGToB3::lowNotCell):
2104         (JSC::FTL::DFG::LowerDFGToB3::isCellOrMisc):
2105         (JSC::FTL::DFG::LowerDFGToB3::isNotCellOrMisc):
2106         (JSC::FTL::DFG::LowerDFGToB3::isNotCell):
2107         (JSC::FTL::DFG::LowerDFGToB3::isCell):
2108         (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
2109         (JSC::FTL::DFG::LowerDFGToB3::speculateObjectOrOther):
2110         (JSC::FTL::DFG::LowerDFGToB3::speculateString):
2111         (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):
2112         (JSC::FTL::DFG::LowerDFGToB3::speculateSymbol):
2113
2114 2017-06-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2115
        Unreviewed, suppress invalid register allocation validation assertion in 32 bit
2117         https://bugs.webkit.org/show_bug.cgi?id=172421
2118
2119         * dfg/DFGSpeculativeJIT.cpp:
2120         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
2121
2122 2017-06-12  Oleksandr Skachkov  <gskachkov@gmail.com>
2123
2124         We incorrectly allow escaped characters in keyword tokens
2125         https://bugs.webkit.org/show_bug.cgi?id=171310
2126
2127         Reviewed by Yusuke Suzuki.
2128
        According to the spec it is not allowed to use escaped characters in
        keywords. https://tc39.github.io/ecma262/#sec-reserved-words
        The current patch implements this requirement.

2134         * parser/Lexer.cpp:
2135         (JSC::Lexer<CharacterType>::parseIdentifierSlowCase):
2136         * parser/Parser.cpp:
2137         (JSC::Parser<LexerType>::printUnexpectedTokenText):
2138         * parser/ParserTokens.h:
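
        The rule this entry implements, as an added example in JavaScript (not WebKit's lexer): each keyword is parsed plain and with its first letter written as a \uXXXX escape, using new Function() so the probe is parse-only, and an escaped ordinary identifier is checked to confirm that only keywords are rejected. The probe sources are constructed here.

```javascript
// Added example, not WebKit code: probes whether the JavaScript parser accepts a
// keyword spelled with a Unicode escape. new Function() parses the body without
// running it, so a SyntaxError here is a parse-time rejection. Probe sources
// are constructed for the demonstration.
function parses(source) {
  try {
    new Function(source);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Spell a word with its first letter as a \uXXXX escape, e.g. "var" -> "\u0076ar".
function escapeFirstLetter(word) {
  const hex = word.charCodeAt(0).toString(16).padStart(4, '0');
  return '\\u' + hex + word.slice(1);
}

// Each keyword is tried plain and escaped in the same statement shape.
const KEYWORD_PROBES = [
  ['var', ' x = 1;'],
  ['if', ' (1) {}'],
  ['function', ' f() {}'],
  ['new', ' Object();'],
];

function keywordEscapeReport() {
  return KEYWORD_PROBES.map(([keyword, rest]) => ({
    keyword,
    plainParses: parses(keyword + rest),
    escapedParses: parses(escapeFirstLetter(keyword) + rest),
  }));
}

// Escapes inside an ordinary identifier remain legal; only keywords are affected.
function escapedIdentifierParses() {
  return parses('var ' + escapeFirstLetter('abc') + ' = 1;');
}
```

        A lexer that unescapes before the keyword check accepts `\u0076ar x = 1;`, which lets a payload slip past any filter that looks for the literal keyword; the fix makes the escaped spelling a SyntaxError while `var \u0061bc = 1;` stays legal.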
2139
2140 2017-06-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2141
2142         Unreviewed, add branch64(Cond, BaseIndex, RegisterID) for ARM64
2143         https://bugs.webkit.org/show_bug.cgi?id=172421
2144
2145         * assembler/MacroAssemblerARM64.h:
2146         (JSC::MacroAssemblerARM64::branch64):
2147         (JSC::MacroAssemblerARM64::branchPtr):
2148
2149 2017-06-12  Commit Queue  <commit-queue@webkit.org>
2150
2151         Unreviewed, rolling out r218093.
2152         https://bugs.webkit.org/show_bug.cgi?id=173259
2153
2154         Break builds (Requested by yusukesuzuki on #webkit).
2155
2156         Reverted changeset:
2157
2158         "Unreviewed, build fix for ARM64"
2159         https://bugs.webkit.org/show_bug.cgi?id=172421
2160         http://trac.webkit.org/changeset/218093
2161
2162 2017-06-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2163
2164         Unreviewed, build fix for ARM64
2165         https://bugs.webkit.org/show_bug.cgi?id=172421
2166
2167         * dfg/DFGSpeculativeJIT.cpp:
2168         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
2169
2170 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2171
2172         [DFG] Add ArrayIndexOf intrinsic
2173         https://bugs.webkit.org/show_bug.cgi?id=172421
2174
2175         Reviewed by Saam Barati.
2176
2177         This patch introduces ArrayIndexOfIntrinsic for DFG and FTL optimizations.
2178         We emit an array check and take the fast path if the array is Array::Int32, Array::Double
2179         or Array::Contiguous. In addition, for the Array::Int32 and Array::Double cases,
2180         we have inlined fast paths.
2181
2182         With updated ARES-6 Babylon,
2183
2184         Before
2185             firstIteration:     45.76 +- 3.87 ms
2186             averageWorstCase:   24.41 +- 2.17 ms
2187             steadyState:        8.01 +- 0.22 ms
2188         After
2189             firstIteration:     45.64 +- 4.23 ms
2190             averageWorstCase:   23.03 +- 3.34 ms
2191             steadyState:        7.33 +- 0.34 ms
2192
2193         In SixSpeed.
2194                                          baseline                  patched
2195
2196             map-set-lookup.es5      734.4701+-10.4383    ^    102.0968+-2.6357        ^ definitely 7.1939x faster
2197             map-set.es5              41.1396+-1.0558     ^     33.1916+-0.7986        ^ definitely 1.2395x faster
2198             map-set-object.es5       62.8317+-1.2518     ^     45.6944+-0.8369        ^ definitely 1.3750x faster
2199
2200         * dfg/DFGAbstractInterpreterInlines.h:
2201         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2202         * dfg/DFGByteCodeParser.cpp:
2203         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2204         * dfg/DFGClobberize.h:
2205         (JSC::DFG::clobberize):
2206         * dfg/DFGDoesGC.cpp:
2207         (JSC::DFG::doesGC):
2208         * dfg/DFGFixupPhase.cpp:
2209         (JSC::DFG::FixupPhase::fixupNode):
2210         * dfg/DFGNode.h:
2211         (JSC::DFG::Node::hasArrayMode):
2212         * dfg/DFGNodeType.h:
2213         * dfg/DFGOperations.cpp:
2214         * dfg/DFGOperations.h:
2215         * dfg/DFGPredictionPropagationPhase.cpp:
2216         * dfg/DFGSafeToExecute.h:
2217         (JSC::DFG::safeToExecute):
2218         * dfg/DFGSpeculativeJIT.cpp:
2219         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
2220         (JSC::DFG::SpeculativeJIT::speculateObject):
2221         * dfg/DFGSpeculativeJIT.h:
2222         (JSC::DFG::SpeculativeJIT::callOperation):
2223         * dfg/DFGSpeculativeJIT32_64.cpp:
2224         (JSC::DFG::SpeculativeJIT::compile):
2225         * dfg/DFGSpeculativeJIT64.cpp:
2226         (JSC::DFG::SpeculativeJIT::compile):
2227         (JSC::DFG::SpeculativeJIT::speculateInt32):
2228         * ftl/FTLCapabilities.cpp:
2229         (JSC::FTL::canCompile):
2230         * ftl/FTLLowerDFGToB3.cpp:
2231         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2232         (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf):
2233         * jit/JITOperations.h:
2234         * runtime/ArrayPrototype.cpp:
2235         (JSC::ArrayPrototype::finishCreation):
2236         * runtime/Intrinsic.cpp:
2237         (JSC::intrinsicName):
2238         * runtime/Intrinsic.h:
2239
2240 2017-06-11  Keith Miller  <keith_miller@apple.com>
2241
2242         TypedArray constructor with string shouldn't throw
2243         https://bugs.webkit.org/show_bug.cgi?id=173181
2244
2245         Reviewed by JF Bastien.
2246
2247         We should be coercing primitive arguments to numbers in the various
2248         TypedArray constructors.
2249
2250         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2251         (JSC::constructGenericTypedArrayViewWithArguments):
2252
2253 2017-06-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2254
2255         [WTF] Make ThreadMessage portable
2256         https://bugs.webkit.org/show_bug.cgi?id=172073
2257
2258         Reviewed by Keith Miller.
2259
2260         * runtime/MachineContext.h:
2261         (JSC::MachineContext::stackPointer):
2262         * tools/CodeProfiling.cpp:
2263         (JSC::profilingTimer):
2264
2265 2017-06-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2266
2267         [JSC] Shrink Structure size
2268         https://bugs.webkit.org/show_bug.cgi?id=173239
2269
2270         Reviewed by Mark Lam.
2271
2272         We find that the size of our Structure is slightly enlarged due to padding.
2273         By changing the order of members, we can reduce the size from 120 to 112.
2274         This is good because 120 and 112 are categorized into different size classes.
2275         For 120, we allocate 128 bytes. And for 112, we allocate 112 bytes.
2276         We now save 16 bytes per Structure for free.
2277
2278         * runtime/ConcurrentJSLock.h:
2279         * runtime/Structure.cpp:
2280         (JSC::Structure::Structure):
2281         * runtime/Structure.h:
2282
2283 2017-06-11  Konstantin Tokarev  <annulen@yandex.ru>
2284
2285         Unreviewed, attempt to fix JSC tests on Win after r217771
2286
2287         * jsc.cpp:
2288         (currentWorkingDirectory): buffer is not NULL-terminated
2289
2290 2017-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2291
2292         [WTF] Add RegisteredSymbolImpl
2293         https://bugs.webkit.org/show_bug.cgi?id=173230
2294
2295         Reviewed by Mark Lam.
2296
2297         * runtime/SymbolConstructor.cpp:
2298         (JSC::symbolConstructorKeyFor):
2299
2300 2017-06-10  Dan Bernstein  <mitz@apple.com>
2301
2302         Reverted r218056 because it made the IDE reindex constantly.
2303
2304         * Configurations/DebugRelease.xcconfig:
2305
2306 2017-06-10  Dan Bernstein  <mitz@apple.com>
2307
2308         [Xcode] With Xcode 9 developer beta, everything rebuilds when switching between command-line and IDE
2309         https://bugs.webkit.org/show_bug.cgi?id=173223
2310
2311         Reviewed by Sam Weinig.
2312
2313         The rebuilds were happening due to a difference in the compiler options that the IDE and
2314         xcodebuild were specifying. Only the IDE was passing the -index-store-path option. To make
2315         xcodebuild pass that option, too, set CLANG_INDEX_STORE_ENABLE to YES if it is unset, and
2316         specify an appropriate path in CLANG_INDEX_STORE_PATH.
2317
2318         * Configurations/DebugRelease.xcconfig:
2319
2320 2017-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2321
2322         [JSC] Update RegExp.prototype.[@@search] implementation according to the latest spec
2323         https://bugs.webkit.org/show_bug.cgi?id=173227
2324
2325         Reviewed by Mark Lam.
2326
2327         The latest spec introduces a slight change to RegExp.prototype.[@@search].
2328         This patch applies this change. Basically, this change is done in the slow path of
2329         RegExp.prototype[@@search].
2330         https://tc39.github.io/ecma262/#sec-regexp.prototype-@@search
2331
2332         * builtins/RegExpPrototype.js:
2333         (search):
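
For readers who want to see what the slow-path change means in practice, here is an added example that is not WebKit's builtin: the RegExp.prototype[@@search] algorithm written out in JavaScript in both its ES2015 and current-spec forms, driven by constructed regexp-like objects that log or refuse lastIndex writes. The entry does not spell the change out; the example assumes it is the one in the linked spec text, where the two lastIndex writes are guarded by SameValue checks so that a write only happens when the value would actually change.

```javascript
// Added example, not WebKit's builtin: the slow path of
// RegExp.prototype[@@search] written out in JavaScript, as ES2015 specified
// it and as the current text at
// https://tc39.github.io/ecma262/#sec-regexp.prototype-@@search does.
// Assumption (the entry does not spell the change out): the difference is
// that the two lastIndex writes became conditional on SameValue checks.

// Set(O, P, V, true): an assignment that throws instead of silently failing.
function setOrThrow(o, key, value) {
  if (!Reflect.set(o, key, value)) {
    throw new TypeError(`cannot set property "${key}"`);
  }
}

// RegExpExec(R, S) for objects that carry their own exec method.
function regExpExec(rx, s) {
  const exec = rx.exec;
  if (typeof exec !== "function") throw new TypeError("exec is not callable");
  const result = exec.call(rx, s);
  if (result !== null && typeof result !== "object") throw new TypeError("exec must return an object or null");
  return result;
}

// ES2015 formulation: lastIndex is written to 0 and then restored, always.
function searchES2015(rx, string) {
  const s = String(string);
  const previousLastIndex = rx.lastIndex;
  setOrThrow(rx, "lastIndex", 0);
  const result = regExpExec(rx, s);
  setOrThrow(rx, "lastIndex", previousLastIndex);
  return result === null ? -1 : result.index;
}

// Current formulation: each write happens only if it would change the value.
function searchCurrent(rx, string) {
  const s = String(string);
  const previousLastIndex = rx.lastIndex;
  if (!Object.is(previousLastIndex, 0)) setOrThrow(rx, "lastIndex", 0);
  const result = regExpExec(rx, s);
  const currentLastIndex = rx.lastIndex;
  if (!Object.is(currentLastIndex, previousLastIndex)) setOrThrow(rx, "lastIndex", previousLastIndex);
  return result === null ? -1 : result.index;
}

// Constructed regexp-like object that records every lastIndex access and
// delegates matching to a real, non-global RegExp (which leaves its own
// lastIndex alone).
function makeLoggingRegExp(source) {
  const inner = new RegExp(source);
  const log = [];
  let lastIndex = 0;
  return {
    log,
    get lastIndex() { log.push("get"); return lastIndex; },
    set lastIndex(v) { log.push(`set:${v}`); lastIndex = v; },
    exec(s) { return inner.exec(s); },
  };
}

// Constructed regexp-like object whose lastIndex is a non-writable 0.
function makeFrozenLastIndexRegExp(source) {
  const inner = new RegExp(source);
  const rx = { exec(s) { return inner.exec(s); } };
  Object.defineProperty(rx, "lastIndex", { value: 0, writable: false });
  return rx;
}

// Runs both formulations and returns what each one did.
function demo() {
  const a = makeLoggingRegExp("l+");
  const oldIndex = searchES2015(a, "hello");       // 2; log: get,set:0,set:0
  const b = makeLoggingRegExp("l+");
  const newIndex = searchCurrent(b, "hello");      // 2; log: get,get
  let oldOnFrozen;
  try { oldOnFrozen = searchES2015(makeFrozenLastIndexRegExp("b"), "abc"); }
  catch (e) { oldOnFrozen = e.name; }              // "TypeError"
  const newOnFrozen = searchCurrent(makeFrozenLastIndexRegExp("b"), "abc"); // 1
  return { oldIndex, oldLog: a.log.join(","), newIndex, newLog: b.log.join(","), oldOnFrozen, newOnFrozen };
}

console.log(demo());
```

The match result is identical either way; what changes is the observable traffic on `lastIndex`, which is why a conforming implementation has to route through this slow path whenever `lastIndex` or `exec` has been tampered with rather than assume the fast path's side effects are unobservable.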
2334
2335 2017-06-09  Chris Dumez  <cdumez@apple.com>
2336
2337         Update Thread::create() to take in a WTF::Function instead of a std::function
2338         https://bugs.webkit.org/show_bug.cgi?id=173175
2339
2340         Reviewed by Mark Lam.
2341
2342         * API/tests/CompareAndSwapTest.cpp:
2343         (testCompareAndSwap):
2344
2345 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2346
2347         [DFG] Add verboseDFGOSRExit
2348         https://bugs.webkit.org/show_bug.cgi?id=173156
2349
2350         Reviewed by Saam Barati.
2351
2352         This patch adds verboseDFGOSRExit which is similar to verboseFTLOSRExit.
2353
2354         * dfg/DFGOSRExitCompiler.cpp:
2355         * runtime/Options.h:
2356
2357 2017-06-09  Guillaume Emont  <guijemont@igalia.com>
2358
2359         [JSC][MIPS] Add MacroAssemblerMIPS::xor32(Address, RegisterID) implementation
2360         https://bugs.webkit.org/show_bug.cgi?id=173170
2361
2362         Reviewed by Yusuke Suzuki.
2363
2364         MIPS does not build since r217711 because it is missing this
2365         implementation. This patch fixes the build.
2366
2367         * assembler/MacroAssemblerMIPS.h:
2368         (JSC::MacroAssemblerMIPS::xor32):
2369
2370 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2371
2372         [JSC] FTL does not require dlfcn
2373         https://bugs.webkit.org/show_bug.cgi?id=173143
2374
2375         Reviewed by Darin Adler.
2376
2377         We no longer use the LLVM library. Thus, dlfcn.h is not necessary.
2378         Also, ProcessID is not used in FTLLowerDFGToB3.cpp.
2379
2380         * ftl/FTLLowerDFGToB3.cpp:
2381
2382 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2383
2384         [DFG] Add --verboseDFGFailure
2385         https://bugs.webkit.org/show_bug.cgi?id=173155
2386
2387         Reviewed by Sam Weinig.
2388
2389         Similar to verboseFTLFailure, JSC should have a verboseDFGFailure flag to show DFG failures quickly.
2390
2391         * dfg/DFGCapabilities.cpp:
2392         (JSC::DFG::verboseCapabilities):
2393         (JSC::DFG::debugFail):
2394         * runtime/Options.cpp:
2395         (JSC::recomputeDependentOptions):
2396         * runtime/Options.h:
2397
2398 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2399
2400         [JSC] Drop OS(DARWIN) for VM_TAG_FOR_WEBASSEMBLY_MEMORY
2401         https://bugs.webkit.org/show_bug.cgi?id=173147
2402
2403         Reviewed by JF Bastien.
2404
2405         This value becomes -1 in non-Darwin environments.
2406         Thus, we do not need to use OS(DARWIN) here.
2407
2408         * wasm/WasmMemory.cpp:
2409
2410 2017-06-09  Daewoong Jang  <daewoong.jang@navercorp.com>
2411
2412         Reduce compiler warnings
2413         https://bugs.webkit.org/show_bug.cgi?id=172078
2414
2415         Reviewed by Yusuke Suzuki.
2416
2417         * runtime/IntlDateTimeFormat.h:
2418
2419 2017-06-08  Joseph Pecoraro  <pecoraro@apple.com>
2420
2421         [Cocoa] JSWrapperMap leaks for all JSContexts
2422         https://bugs.webkit.org/show_bug.cgi?id=173110
2423         <rdar://problem/32602198>
2424
2425         Reviewed by Geoffrey Garen.
2426
2427         * API/JSContext.mm:
2428         (-[JSContext ensureWrapperMap]):
2429         Ensure this allocation gets released.
2430
2431 2017-06-08  Filip Pizlo  <fpizlo@apple.com>
2432
2433         REGRESSION: js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-5.html has a flaky failure
2434         https://bugs.webkit.org/show_bug.cgi?id=161156
2435
2436         Reviewed by Saam Barati.
2437         
2438         Since LLInt does not register impure property watchpoints for self property accesses, it
2439         shouldn't try to cache accesses that require a watchpoint.
2440         
2441         This manifested as a flaky failure because the test would fire the watchpoint after we had
2442         usually already tiered up. Without concurrent JIT, we would have always tiered up before
2443         getting to the bad case. With concurrent JIT, we would sometimes not tier up by that time. This
2444         also adds a test that deterministically failed in LLInt without this change; it does so by just
2445         running a lot shorter.
2446
2447         * llint/LLIntSlowPaths.cpp:
2448         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2449
2450 2017-06-08  Keith Miller  <keith_miller@apple.com>
2451
2452         WebAssembly: We should only create wrappers for functions that can be exported
2453         https://bugs.webkit.org/show_bug.cgi?id=173088
2454
2455         Reviewed by Saam Barati.
2456
2457         This patch makes it so we only create wrappers for WebAssembly functions that
2458         can actually be exported. It appears to be a ~2.5% speedup on WasmBench compile times.
2459
2460         This patch also removes most of the old testWasmModuleFunctions api from the jsc CLI.
2461         Most of the tests were duplicates of ones in the spec-tests directory. The others I
2462         have converted to use the normal API.
2463
2464         * jsc.cpp:
2465         (GlobalObject::finishCreation):
2466         (valueWithTypeOfWasmValue): Deleted.
2467         (box): Deleted.
2468         (callWasmFunction): Deleted.
2469         (functionTestWasmModuleFunctions): Deleted.
2470         * wasm/WasmB3IRGenerator.cpp:
2471         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2472         (JSC::Wasm::createJSToWasmWrapper):
2473         (JSC::Wasm::parseAndCompile):
2474         * wasm/WasmB3IRGenerator.h:
2475         * wasm/WasmBBQPlan.cpp:
2476         (JSC::Wasm::BBQPlan::prepare):
2477         (JSC::Wasm::BBQPlan::compileFunctions):
2478         (JSC::Wasm::BBQPlan::complete):
2479         * wasm/WasmBBQPlan.h:
2480         * wasm/WasmBBQPlanInlines.h:
2481         (JSC::Wasm::BBQPlan::initializeCallees):
2482         * wasm/WasmCodeBlock.cpp:
2483         (JSC::Wasm::CodeBlock::CodeBlock):
2484         * wasm/WasmCodeBlock.h:
2485         (JSC::Wasm::CodeBlock::jsEntrypointCalleeFromFunctionIndexSpace):
2486         * wasm/WasmFormat.h:
2487         * wasm/WasmOMGPlan.cpp:
2488         (JSC::Wasm::OMGPlan::work):
2489
2490 2017-06-07  JF Bastien  <jfbastien@apple.com>
2491
2492         WebAssembly: test imports and exports with 16-bit characters
2493         https://bugs.webkit.org/show_bug.cgi?id=165977
2494         <rdar://problem/29760130>
2495
2496         Reviewed by Saam Barati.
2497
2498         Add the missing UTF-8 conversions. Improve import failure error
2499         messages, otherwise it's hard to figure out which import is wrong.
2500
2501         * wasm/js/JSWebAssemblyInstance.cpp:
2502         (JSC::JSWebAssemblyInstance::create):
2503         * wasm/js/WebAssemblyModuleRecord.cpp:
2504         (JSC::WebAssemblyModuleRecord::finishCreation):
2505         (JSC::WebAssemblyModuleRecord::link):
2506
2507 2017-06-07  Devin Rousso  <drousso@apple.com>
2508
2509         Web Inspector: Add ContextMenu item to log WebSocket object to console
2510         https://bugs.webkit.org/show_bug.cgi?id=172878
2511
2512         Reviewed by Joseph Pecoraro.
2513
2514         * inspector/protocol/Network.json:
2515         Add resolveWebSocket command.
2516
2517 2017-06-07  Jon Davis  <jond@apple.com>
2518
2519         Update feature status for features Supported In Preview
2520         https://bugs.webkit.org/show_bug.cgi?id=173071
2521
2522         Reviewed by Darin Adler.
2523
2524         Updated Media Capture and Streams, Performance Observer, Resource Timing Level 2,
2525         User Timing Level 2, Web Cryptography API, WebGL 2, WebRTC.
2526
2527         * features.json:
2528
2529 2017-06-07  Saam Barati  <sbarati@apple.com>
2530
2531         Assertion failure in com.apple.WebKit.WebContent.Development in com.apple.JavaScriptCore: JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined + 141
2532         https://bugs.webkit.org/show_bug.cgi?id=172673
2533         <rdar://problem/32250144>
2534
2535         Reviewed by Mark Lam.
2536
2537         This patch simply removes this assertion. It's faulty because it
2538         races with the main thread when doing concurrent compilation.
2539         
2540         Consider a program with:
2541         - a FrozenValue over an object O and Structure S1. S1 starts off as dfgWatchable() being true.
2542         - Structure S2
2543         
2544         The DFG IR is like so:
2545           a: JSConstant(O) // FrozenValue {O, S1}
2546           b: CheckStructure(@a, S2)
2547           c: ToThis(@a)
2548           d: CheckEq(@c, nullConstant)
2549           Branch(@d)
2550         
2551         The AbstractValue for @a will start off as having a finite structure because S1 is dfgWatchable().
2552         When running AI, we'll notice that node @b will OSR exit, so nodes after
2553         @b are unreachable. Later in the compilation, S1 is no longer dfgWatchable().
2554         Now, when running AI, @a will have Top for its structure set. No longer will
2555         we think @b exits.
2556         
2557         The DFG backend asserts that under such a situation, we should have simplified
2558         the CheckEq to false. However, this is a racy thing to assert, since the
2559         transition from dfgWatchable() to !dfgWatchable() can happen right before we
2560         enter the backend. Hence, this assertion is not valid.
2561         
2562         (Note, the generated code for the above program will never actually execute.
2563         Since we noticed S1 as dfgWatchable(), we make the compilation dependent on
2564         S1 not transitioning. S1 transitions, so we won't actually run the code that
2565         gets compiled.)
2566
2567         * dfg/DFGSpeculativeJIT64.cpp:
2568         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
2569
2570 2017-06-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2571
2572         [JSC] has_generic_property never accepts non-String
2573         https://bugs.webkit.org/show_bug.cgi?id=173057
2574
2575         Reviewed by Darin Adler.
2576
2577         We never pass a non-String value to the has_generic_property bytecode.
2578
2579         * runtime/CommonSlowPaths.cpp:
2580         (JSC::SLOW_PATH_DECL):
2581
2582 2017-06-06  Fujii Hironori  <Hironori.Fujii@sony.com>
2583
2584         [Win][x86-64] Some callee saved registers aren't preserved
2585         https://bugs.webkit.org/show_bug.cgi?id=171266
2586
2587         Reviewed by Saam Barati.
2588
2589         * jit/RegisterSet.cpp:
2590         (JSC::RegisterSet::calleeSaveRegisters): Added edi and esi for X86_64 Windows.
2591
2592 2017-06-06  Mark Lam  <mark.lam@apple.com>
2593
2594         Contiguous storage butterfly length should not exceed MAX_STORAGE_VECTOR_LENGTH.
2595         https://bugs.webkit.org/show_bug.cgi?id=173035
2596         <rdar://problem/32554593>
2597
2598         Reviewed by Geoffrey Garen and Filip Pizlo.
2599
2600         Also added and fixed up some assertions.
2601
2602         * runtime/ArrayConventions.h:
2603         * runtime/JSArray.cpp:
2604         (JSC::JSArray::setLength):
2605         * runtime/JSObject.cpp:
2606         (JSC::JSObject::createInitialIndexedStorage):
2607         (JSC::JSObject::ensureLengthSlow):
2608         (JSC::JSObject::reallocateAndShrinkButterfly):
2609         * runtime/JSObject.h:
2610         (JSC::JSObject::ensureLength):
2611         * runtime/RegExpObject.cpp:
2612         (JSC::collectMatches):
2613         * runtime/RegExpPrototype.cpp:
2614         (JSC::regExpProtoFuncSplitFast):
2615
2616 2017-06-06  Saam Barati  <sbarati@apple.com>
2617
2618         Make sure we restore SP when doing calls that could be to JS
2619         https://bugs.webkit.org/show_bug.cgi?id=172946
2620         <rdar://problem/32579026>
2621
2622         Reviewed by JF Bastien.
2623
2624         I was worried that there was a bug where we'd call JS, JS would tail call,
2625         and we'd end up with a bogus SP. However, this bug does not exist since wasm
2626         always calls to JS through a stub, and the stub treats SP as a callee save.
2627         
2628         I wrote a test for this, and also made a note that this is the needed ABI.
2629
2630         * wasm/WasmBinding.cpp:
2631         (JSC::Wasm::wasmToJs):
2632
2633 2017-06-06  Keith Miller  <keith_miller@apple.com>
2634
2635         OMG tier up checks should be a patchpoint
2636         https://bugs.webkit.org/show_bug.cgi?id=172944
2637
2638         Reviewed by Saam Barati.
2639
2640         Tier up checks in BBQ should be done as a patchpoint rather than individual B3 opcodes.
2641         In order to reduce code generated out of line in each function, we generate a single stub
2642         that pushes all the callee-saves. This looks like a 5-10% compile time speedup.
2643
2644         * wasm/WasmB3IRGenerator.cpp:
2645         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2646         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
2647         (JSC::Wasm::B3IRGenerator::addLoop):
2648         * wasm/WasmThunks.cpp:
2649         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
2650         * wasm/WasmThunks.h:
2651
2652 2017-06-06  Darin Adler  <darin@apple.com>
2653
2654         Cut down use of WTF_ARRAY_LENGTH
2655         https://bugs.webkit.org/show_bug.cgi?id=172997
2656
2657         Reviewed by Chris Dumez.
2658
2659         * parser/Lexer.cpp:
2660         (JSC::singleEscape): Use WTF_ARRAY_LENGTH instead of ARRAY_SIZE.
2661
2662         * runtime/NumberPrototype.cpp:
2663         (JSC::toStringWithRadix): Use std::end instead of WTF_ARRAY_LENGTH.
2664
2665 2017-06-06  Konstantin Tokarev  <annulen@yandex.ru>
2666
2667         Add missing <functional> includes
2668         https://bugs.webkit.org/show_bug.cgi?id=173017
2669
2670         Patch by Thiago Macieira <thiago.macieira@intel.com>
2671         Reviewed by Yusuke Suzuki.
2672
2673         This patch fixes compilation with GCC 7.
2674
2675         * inspector/InspectorBackendDispatcher.h:
2676
2677 2017-06-06  Filip Pizlo  <fpizlo@apple.com>
2678
2679         Unreviewed, fix 32-bit build.
2680
2681         * jit/JITOpcodes.cpp:
2682         (JSC::JIT::emit_op_unreachable):
2683
2684 2017-06-06  Joseph Pecoraro  <pecoraro@apple.com>
2685
2686         Unreviewed rollout r217807. Caused a test to crash.
2687
2688         * heap/HeapSnapshotBuilder.cpp:
2689         (JSC::HeapSnapshotBuilder::buildSnapshot):
2690         (JSC::HeapSnapshotBuilder::json):
2691         (): Deleted.
2692         * heap/HeapSnapshotBuilder.h:
2693         * runtime/JSObject.cpp:
2694         (JSC::JSObject::calculatedClassName):
2695
2696 2017-06-06  Filip Pizlo  <fpizlo@apple.com>
2697
2698         index out of bound in bytecodebasicblock
2699         https://bugs.webkit.org/show_bug.cgi?id=172963
2700
2701         Reviewed by Saam Barati and Mark Lam.
2702         
2703         We were leaving an unterminated basic block when generating CodeForCall for a class
2704         constructor. This was mostly benign since that unterminated block was not reachable, but it
2705         does cause an ASSERT.
2706         
2707         This fixes the issue by appending op_unreachable to that block. I added op_unreachable because
2708         this really is the cleanest and most idiomatic way to solve this problem, so even though it
2709         makes the change bigger it's probably worth it.
2710
2711         * bytecode/BytecodeDumper.cpp:
2712         (JSC::BytecodeDumper<Block>::dumpBytecode):
2713         * bytecode/BytecodeList.json:
2714         * bytecode/BytecodeUseDef.h:
2715         (JSC::computeUsesForBytecodeOffset):
2716         (JSC::computeDefsForBytecodeOffset):
2717         * bytecode/Opcode.h:
2718         (JSC::isTerminal):
2719         * bytecompiler/BytecodeGenerator.cpp:
2720         (JSC::BytecodeGenerator::generate):
2721         (JSC::BytecodeGenerator::emitUnreachable):
2722         * bytecompiler/BytecodeGenerator.h:
2723         * dfg/DFGByteCodeParser.cpp:
2724         (JSC::DFG::ByteCodeParser::parseBlock):
2725         * dfg/DFGCapabilities.cpp:
2726         (JSC::DFG::capabilityLevel):
2727         * ftl/FTLLowerDFGToB3.cpp:
2728         (JSC::FTL::DFG::LowerDFGToB3::compileUnreachable):
2729         * jit/JIT.cpp:
2730         (JSC::JIT::privateCompileMainPass):
2731         * jit/JIT.h:
2732         * jit/JITOpcodes.cpp:
2733         (JSC::JIT::emit_op_unreachable):
2734         * llint/LowLevelInterpreter.asm:
2735         * runtime/CommonSlowPaths.cpp:
2736         (JSC::SLOW_PATH_DECL):
2737         * runtime/CommonSlowPaths.h:
2738
2739 2017-06-06  Ryan Haddad  <ryanhaddad@apple.com>
2740
2741         Unreviewed, rolling out r217812.
2742
2743         This change caused test failures on arm64.
2744
2745         Reverted changeset:
2746
2747         "OMG tier up checks should be a patchpoint"
2748         https://bugs.webkit.org/show_bug.cgi?id=172944
2749         http://trac.webkit.org/changeset/217812
2750
2751 2017-06-06  Carlos Garcia Campos  <cgarcia@igalia.com>
2752
2753         [WPE] Enable remote inspector
2754         https://bugs.webkit.org/show_bug.cgi?id=172971
2755
2756         Reviewed by Žan Doberšek.
2757
2758         We can just build the current glib remote inspector, without adding a frontend implementation and using a
2759         WebKitGTK+ browser as frontend for now.
2760
2761         * PlatformWPE.cmake: Add remote inspector files to compilation.
2762         * inspector/remote/glib/RemoteInspectorUtils.cpp:
2763         (Inspector::backendCommands): Load the inspector resources library.
2764
2765 2017-06-06  Carlos Garcia Campos  <cgarcia@igalia.com>
2766
2767         [GLIB] Make remote inspector DBus protocol common to all glib based ports
2768         https://bugs.webkit.org/show_bug.cgi?id=172970
2769
2770         Reviewed by Žan Doberšek.
2771
2772         We are currently using "webkitgtk" in the names of DBus interfaces and object paths inside an ifdef with the
2773         idea that other ports could use their own names. However, the protocol is the same, so we could use the same
2774         names and make all glib based ports compatible with each other. This way we could use the GTK+ MiniBrowser to
2775         debug WPE, without having to implement the frontend part in WPE yet.
2776
2777         * inspector/remote/glib/RemoteInspectorGlib.cpp: Use webkit instead of webkitgtk and remove platform ifdefs.
2778         * inspector/remote/glib/RemoteInspectorServer.cpp: Ditto.
2779
2780 2017-06-06  Carlos Garcia Campos  <cgarcia@igalia.com>
2781
2782         [GTK] Web Process deadlock when closing the remote inspector frontend
2783         https://bugs.webkit.org/show_bug.cgi?id=172973
2784
2785         Reviewed by Žan Doberšek.
2786
2787         We are taking the remote inspector mutex twice. First close message is received, and receivedCloseMessage()
2788         takes the mutex. Then RemoteConnectionToTarget::close() is called that, when connected, calls
2789         PageDebuggable::disconnect() that ends up calling RemoteInspector::updateTarget() that also takes the remote
2790         inspector mutex. We should release the mutex before calling RemoteConnectionToTarget::close().
2791
2792         * inspector/remote/glib/RemoteInspectorGlib.cpp:
2793         (Inspector::RemoteInspector::receivedCloseMessage):
2794
2795 2017-06-05  Saam Barati  <sbarati@apple.com>
2796
2797         Try to fix features.json by adding an ESNext section.
2798
2799         Unreviewed.
2800
2801         * features.json:
2802
2803 2017-06-05  David Kilzer  <ddkilzer@apple.com>
2804
2805         Follow-up: Update JSC's features.json
2806         https://bugs.webkit.org/show_bug.cgi?id=172942
2807
2808         Rubber-stamped by Jon Davis.
2809
2810         * features.json: Change "Supported in preview" to
2811         "Supported" to try to fix <https://webkit.org/status/>.
2812
2813 2017-06-05  Saam Barati  <sbarati@apple.com>
2814
2815         We don't properly parse init_expr when the opcode is an unexpected opcode
2816         https://bugs.webkit.org/show_bug.cgi?id=172945
2817
2818         Reviewed by JF Bastien.
2819
2820         The bug is a simple typo. It should use the constant
2821         `true` instead of `false` when invoking the WASM_PARSER_FAIL_IF
2822         macro. This failure is already caught by spec tests that fail
2823         on arm64 devices.
2824
2825         * wasm/WasmModuleParser.cpp:
2826
2827 2017-06-05  Keith Miller  <keith_miller@apple.com>
2828
2829         OMG tier up checks should be a patchpoint
2830         https://bugs.webkit.org/show_bug.cgi?id=172944
2831
2832         Reviewed by Saam Barati.
2833
2834         Tier up checks in BBQ should be done as a patchpoint rather than individual B3 opcodes.
2835         In order to reduce code generated out of line in each function, we generate a single stub
2836         that pushes all the callee-saves. This looks like a 5-10% compile time speedup.
2837
2838         * wasm/WasmB3IRGenerator.cpp:
2839         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2840         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
2841         (JSC::Wasm::B3IRGenerator::addLoop):
2842         * wasm/WasmThunks.cpp:
2843         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
2844         * wasm/WasmThunks.h:
2845
2846 2017-06-05  Joseph Pecoraro  <pecoraro@apple.com>
2847
2848         Remove unused VM members
2849         https://bugs.webkit.org/show_bug.cgi?id=172941
2850
2851         Reviewed by Mark Lam.
2852
2853         * runtime/HashMapImpl.h:
2854         (JSC::HashMapImpl::selectStructure): Deleted.
2855         * runtime/VM.cpp:
2856         (JSC::VM::VM):
2857         * runtime/VM.h:
2858
2859 2017-06-05  Joseph Pecoraro  <pecoraro@apple.com>
2860
2861         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
2862         https://bugs.webkit.org/show_bug.cgi?id=172848
2863         <rdar://problem/25709212>
2864
2865         Reviewed by Saam Barati.
2866
2867         * heap/HeapSnapshotBuilder.h:
2868         * heap/HeapSnapshotBuilder.cpp:
2869         Update the snapshot version. Change the node's 0 | 1 internal value
2870         to be a 32-bit bit flag. This is nice in that it is both compatible
2871         with the previous snapshot version and the same size. We can use more
2872         flags in the future.
2873
2874         (JSC::HeapSnapshotBuilder::json):
2875         In cases where the classInfo gives us "Object" check for a better
2876         class name by checking (o).__proto__.constructor.name. We avoid this
2877         check in cases where (o).hasOwnProperty("constructor") which is the
2878         case for most Foo.prototype objects. Otherwise this would get the
2879         name of the Foo superclass for the Foo.prototype object.
2880
2881         * runtime/JSObject.cpp:
2882         (JSC::JSObject::calculatedClassName):
2883         Handle some possible edge cases that were not handled before. Such
2884         as a JSObject without a GlobalObject, and an object which doesn't
2885         have a default getPrototype. Try to make the code a little clearer.
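
An added example, not WebKit code, modelling in JavaScript the class-name fallback described for HeapSnapshotBuilder::json: it prefers (o).__proto__.constructor.name when classInfo only says "Object", skips that lookup when the object owns a "constructor" property (the Foo.prototype shape), and treats a missing prototype or a nameless constructor as "Object". The classes Animal and Dog are constructed for the demonstration.

```javascript
// Added example, not WebKit code: a JavaScript model of the class-name
// heuristic described in the entry above. When the cell's classInfo only
// reports "Object", look at (o).__proto__.constructor.name for something
// better, but skip that when o has its own "constructor" property, which is
// what a Foo.prototype object looks like: its __proto__ is the superclass's
// prototype, so the naive lookup would report the superclass name.
function betterClassName(o, classInfoName = "Object") {
  if (classInfoName !== "Object") return classInfoName;   // classInfo is already specific
  // A Foo.prototype object owns "constructor"; do not walk up to its parent.
  if (Object.prototype.hasOwnProperty.call(o, "constructor")) return classInfoName;
  const proto = Object.getPrototypeOf(o);
  if (proto === null) return classInfoName;               // e.g. Object.create(null)
  let ctor;
  try { ctor = proto.constructor; } catch (e) { return classInfoName; } // an accessor may throw
  if (typeof ctor !== "function" || typeof ctor.name !== "string" || ctor.name === "") {
    return classInfoName;                                  // nothing usable, keep "Object"
  }
  return ctor.name;
}

// The naive lookup, for comparison: the name of the parent's constructor.
function naiveClassName(o) {
  const proto = Object.getPrototypeOf(o);
  return proto && proto.constructor ? proto.constructor.name : "Object";
}

// Constructed classes for the demonstration.
class Animal {}
class Dog extends Animal {}

// Returns the name each heuristic produces for the cases the entry mentions.
function demo() {
  return {
    instance:          betterClassName(new Dog()),             // "Dog"
    plainObject:       betterClassName({}),                    // "Object"
    nullProto:         betterClassName(Object.create(null)),   // "Object"
    anonymous:         betterClassName(new (class {})()),      // "Object": no usable name
    prototypeObj:      betterClassName(Dog.prototype),         // "Object", not "Animal"
    naivePrototypeObj: naiveClassName(Dog.prototype),          // "Animal": the mistake avoided
    specificInfo:      betterClassName(new Dog(), "Function"), // "Function": classInfo wins
  };
}

console.log(demo());
```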
2886
2887 2017-06-05  Saam Barati  <sbarati@apple.com>
2888
2889         Update JSC's features.json
2890         https://bugs.webkit.org/show_bug.cgi?id=172942
2891
2892         Rubber stamped by Mark Lam.
2893
2894         * features.json:
2895
2896 2017-06-04  Konstantin Tokarev  <annulen@yandex.ru>
2897
2898         Fix build of Windows-specific code with ICU 59.1
2899         https://bugs.webkit.org/show_bug.cgi?id=172729
2900
2901         Reviewed by Darin Adler.
2902
2903         Fix conversions from WTF::String to wchar_t* and vice versa.
2904
2905         * jsc.cpp:
2906         (currentWorkingDirectory):
2907         (fetchModuleFromLocalFileSystem):
2908         * runtime/DateConversion.cpp:
2909         (JSC::formatDateTime):
2910
2911 2017-06-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2912
2913         [JSC] Drop unnecessary USE(CF) guard for getenv
2914         https://bugs.webkit.org/show_bug.cgi?id=172903
2915
2916         Reviewed by Sam Weinig.
2917
2918         getenv is not related to USE(CF) and OS(UNIX). It seems that this
2919         ifdef only hits in WinCairo, but WinCairo can use getenv.
2920         Moreover, in VM::VM, we already use getenv without any ifdef guard.
2921
2922         This patch just drops it.
2923
2924         * runtime/VM.cpp:
2925         (JSC::enableAssembler):
2926
2927 2017-06-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2928
2929         [JSC] Drop OS(DARWIN) for uintptr_t type conflict
2930         https://bugs.webkit.org/show_bug.cgi?id=172904
2931
2932         Reviewed by Sam Weinig.
2933
2934         In a non-Darwin environment, uintptr_t may be the same type
2935         as uint64_t. We avoided the compile error by using OS(DARWIN).
2936         But, since it depends on the cstdint implementation rather than the OS, it is flaky.
2937         Instead, we just use template parameter IntegralType.
2938         And we describe the type constraint in a SFINAE manner.
2939
2940         * dfg/DFGOpInfo.h:
2941         (JSC::DFG::OpInfo::OpInfo):
2942
2943 2017-06-03  Csaba Osztrogonác  <ossy@webkit.org>
2944
2945         [ARM] Unreviewed buildfix after r217711.
2946
2947         * assembler/MacroAssemblerARM.h:
2948         (JSC::MacroAssemblerARM::xor32):
2949
2950 2017-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2951
2952         ASSERTION FAILED: "We should only declare a function as a lexically scoped variable in scopes where var declarations aren't allowed. ..." for function redeclaration with async function module export
2953         https://bugs.webkit.org/show_bug.cgi?id=168844
2954
2955         Reviewed by Saam Barati.
2956
2957         As with the exported function declaration, we should set statementDepth = 1 for exported async function declaration.
2958
2959         * parser/Parser.cpp:
2960         (JSC::DepthManager::DepthManager):
2961         (JSC::Parser<LexerType>::parseExportDeclaration):
2962         * parser/Parser.h:
2963         (JSC::Parser::DepthManager::DepthManager): Deleted.
2964         (JSC::Parser::DepthManager::~DepthManager): Deleted.
2965
2966 2017-06-02  Keith Miller  <keith_miller@apple.com>
2967
2968         Defer installing mach breakpoint handler until watchdog is actually called
2969         https://bugs.webkit.org/show_bug.cgi?id=172885
2970
2971         Reviewed by Saam Barati.
2972
2973         Eagerly installing the mach breakpoint handler causes issues with Xcode GUI debugging.
2974         This hides the issue, so it won't occur as often.
2975
2976         * runtime/VMTraps.cpp:
2977         (JSC::VMTraps::SignalSender::send):
2978         (JSC::VMTraps::VMTraps): Deleted.
2979         * runtime/VMTraps.h:
2980
2981 2017-06-02  Filip Pizlo  <fpizlo@apple.com>
2982
2983         Atomics.load and Atomics.store need to be fully fenced
2984         https://bugs.webkit.org/show_bug.cgi?id=172844
2985
2986         Reviewed by Keith Miller.
2987         
2988         Implement fully fenced loads and stores in FTL using AtomicXchgAdd(0, ptr) for the load and
2989         AtomicXchg(value, ptr) for the store.
2990         
2991         DFG needed no changes because it implements all atomics using a CAS loop.
2992         
2993         AtomicsObject.cpp now uses the new Atomic<> API for fully fenced loads and stores.
2994         
2995         Prior to this change, we used half fences (acquire/release) for atomic loads and stores. This
2996         is not correct according to my current understanding of the SAB memory model, which requires
2997         that atomic operations are SC with respect to everything not just other atomics.
2998
2999         * ftl/FTLLowerDFGToB3.cpp:
3000         (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
3001         * ftl/FTLOutput.cpp:
3002         (JSC::FTL::Output::atomicWeakCAS):
3003         * ftl/FTLOutput.h:
3004         * runtime/AtomicsObject.cpp:
3005
3006 2017-06-02  Ryan Haddad  <ryanhaddad@apple.com>
3007
3008         Unreviewed, attempt to fix the iOS build after r217711.
3009
3010         * assembler/MacroAssemblerARM64.h:
3011         (JSC::MacroAssemblerARM64::xor32):
3012         (JSC::MacroAssemblerARM64::xor64):
3013
3014 2017-06-01  Filip Pizlo  <fpizlo@apple.com>
3015
3016         GC should use scrambled free-lists
3017         https://bugs.webkit.org/show_bug.cgi?id=172793
3018
3019         Reviewed by Mark Lam.
3020         
3021         Previously, our bump'n'pop allocator would use a conventional linked-list for the free-list.
3022         The linked-list would be threaded through free memory, as is the usual convention.
3023         
3024         This scrambles the next pointers of that free-list. It also scrambles the head pointer, because
3025         this leads to a more natural fast-path structure and saves one register on ARM64.
3026         
3027         The secret with which pointers are scrambled is per-allocator. Allocators choose a new secret
3028         every time they do a sweep-to-pop.
3029         
3030         This doesn't change the behavior of the bump part of bump'n'pop, but it does refactor the code
3031         quite a bit. Previously, there were four copies of the allocator fast path: two in
3032         MarkedAllocatorInlines.h, one in MarkedAllocator.cpp, and one in AssemblyHelpers.h. The JIT one
3033         was obviously different-looking, but the other three were almost identical. This moves all of
3034         that logic into FreeList. There are now just two copies of the allocator: FreeListInlines.h and
3035         AssemblyHelpers.h.
3036         
3037         This appears to be just as fast as our previous allocator.
3038
3039         * JavaScriptCore.xcodeproj/project.pbxproj:
3040         * heap/FreeList.cpp:
3041         (JSC::FreeList::FreeList):
3042         (JSC::FreeList::~FreeList):
3043         (JSC::FreeList::clear):
3044         (JSC::FreeList::initializeList):
3045         (JSC::FreeList::initializeBump):
3046         (JSC::FreeList::contains):
3047         (JSC::FreeList::dump):
3048         * heap/FreeList.h:
3049         (JSC::FreeList::allocationWillFail):
3050         (JSC::FreeList::originalSize):
3051         (JSC::FreeList::addressOfList):
3052         (JSC::FreeList::offsetOfBlock):
3053         (JSC::FreeList::offsetOfList):
3054         (JSC::FreeList::offsetOfIndex):
3055         (JSC::FreeList::offsetOfPayloadEnd):
3056         (JSC::FreeList::offsetOfRemaining):
3057         (JSC::FreeList::offsetOfOriginalSize):
3058         (JSC::FreeList::FreeList): Deleted.
3059         (JSC::FreeList::list): Deleted.
3060         (JSC::FreeList::bump): Deleted.
3061         (JSC::FreeList::operator==): Deleted.
3062         (JSC::FreeList::operator!=): Deleted.
3063         (JSC::FreeList::operator bool): Deleted.
3064         * heap/FreeListInlines.h: Added.
3065         (JSC::FreeList::addFreeCell):
3066         (JSC::FreeList::allocate):
3067         (JSC::FreeList::forEach):
3068         (JSC::FreeList::toOffset):
3069         (JSC::FreeList::fromOffset):
3070         * heap/IncrementalSweeper.cpp:
3071         (JSC::IncrementalSweeper::sweepNextBlock):
3072         * heap/MarkedAllocator.cpp:
3073         (JSC::MarkedAllocator::MarkedAllocator):
3074         (JSC::MarkedAllocator::didConsumeFreeList):
3075         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
3076         (JSC::MarkedAllocator::tryAllocateIn):
3077         (JSC::MarkedAllocator::allocateSlowCaseImpl):
3078         (JSC::MarkedAllocator::stopAllocating):
3079         (JSC::MarkedAllocator::prepareForAllocation):
3080         (JSC::MarkedAllocator::resumeAllocating):
3081         (JSC::MarkedAllocator::sweep):
3082         (JSC::MarkedAllocator::setFreeList): Deleted.
3083         * heap/MarkedAllocator.h:
3084         (JSC::MarkedAllocator::freeList):
3085         (JSC::MarkedAllocator::isFreeListedCell): Deleted.
3086         * heap/MarkedAllocatorInlines.h:
3087         (JSC::MarkedAllocator::isFreeListedCell):
3088         (JSC::MarkedAllocator::tryAllocate):
3089         (JSC::MarkedAllocator::allocate):
3090         * heap/MarkedBlock.cpp:
3091         (JSC::MarkedBlock::Handle::stopAllocating):
3092         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
3093         (JSC::MarkedBlock::Handle::resumeAllocating):
3094         (JSC::MarkedBlock::Handle::zap):
3095         (JSC::MarkedBlock::Handle::sweep):
3096         (JSC::MarkedBlock::Handle::isFreeListedCell):
3097         (JSC::MarkedBlock::Handle::forEachFreeCell): Deleted.
3098         * heap/MarkedBlock.h:
3099         * heap/MarkedBlockInlines.h:
3100         (JSC::MarkedBlock::Handle::specializedSweep):
3101         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace):
3102         (JSC::MarkedBlock::Handle::isFreeListedCell): Deleted.
3103         * heap/Subspace.cpp:
3104         (JSC::Subspace::finishSweep):
3105         * heap/Subspace.h:
3106         * jit/AssemblyHelpers.h:
3107         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
3108         * runtime/JSDestructibleObjectSubspace.cpp:
3109         (JSC::JSDestructibleObjectSubspace::finishSweep):
3110         * runtime/JSDestructibleObjectSubspace.h:
3111         * runtime/JSSegmentedVariableObjectSubspace.cpp:
3112         (JSC::JSSegmentedVariableObjectSubspace::finishSweep):
3113         * runtime/JSSegmentedVariableObjectSubspace.h:
3114         * runtime/JSStringSubspace.cpp:
3115         (JSC::JSStringSubspace::finishSweep):
3116         * runtime/JSStringSubspace.h:
3117         * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp:
3118         (JSC::JSWebAssemblyCodeBlockSubspace::finishSweep):
3119         * wasm/js/JSWebAssemblyCodeBlockSubspace.h:
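
The scrambled free-list described in the entry above, as an added C example that is not JSC's FreeList code: a pop-style free list whose next links and head pointer are XORed with a per-allocator secret that is renewed at each sweep. The cell size, the secret source (a fixed seed here, a CSPRNG in a real allocator) and all function names are assumptions; the walk at the end shows why a link overwritten with a raw pointer is caught rather than followed.

```c
#include <stddef.h>
#include <stdint.h>

#define CELL_SIZE 32 /* cell geometry for this example (constructed; JSC sizes cells per allocator) */

typedef struct FreeCell {
    uintptr_t scrambledNext; /* next free cell XOR secret, threaded through the free memory itself */
} FreeCell;

typedef struct FreeList {
    uintptr_t scrambledHead; /* the head is scrambled too, not only the next links */
    uintptr_t secret;        /* per-allocator secret, renewed on every sweep-to-pop */
} FreeList;

/* Stand-in secret source (constructed; a real allocator draws from a CSPRNG). Forcing the secret
 * odd means a raw, unscrambled cell pointer written into a link never descrambles to an aligned cell. */
static uintptr_t chooseSecret(uint64_t seed) { return (uintptr_t)(seed * 0x9E3779B97F4A7C15ULL) | 1; }
static uintptr_t scramble(const FreeList* l, const FreeCell* c) { return (uintptr_t)c ^ l->secret; }
static FreeCell* descramble(const FreeList* l, uintptr_t bits) { return (FreeCell*)(bits ^ l->secret); }

/* Sweep-to-pop: thread every cell of `block` onto a fresh list under a fresh secret. */
void freeListInitialize(FreeList* list, unsigned char* block, size_t cellCount, uint64_t seed)
{
    list->secret = chooseSecret(seed);
    FreeCell* head = NULL;
    for (size_t i = cellCount; i-- > 0;) {
        FreeCell* cell = (FreeCell*)(block + i * CELL_SIZE);
        cell->scrambledNext = scramble(list, head); /* NULL scrambles to the bare secret */
        head = cell;
    }
    list->scrambledHead = scramble(list, head);
}

/* Pop the head cell; returns NULL once the list is exhausted. */
void* freeListAllocate(FreeList* list)
{
    FreeCell* cell = descramble(list, list->scrambledHead);
    if (!cell)
        return NULL;
    list->scrambledHead = cell->scrambledNext; /* already scrambled under the same secret */
    return cell;
}

/* Count the free cells reachable from the head; returns -1 as soon as a link descrambles to
 * something that is not a cell of `block`, which is what an overwritten link looks like. */
long freeListCountReachable(const FreeList* list, const unsigned char* block, size_t cellCount)
{
    long count = 0;
    for (FreeCell* cell = descramble(list, list->scrambledHead); cell; cell = descramble(list, cell->scrambledNext)) {
        uintptr_t offset = (uintptr_t)cell - (uintptr_t)block;
        if ((uintptr_t)cell < (uintptr_t)block || offset >= cellCount * CELL_SIZE || offset % CELL_SIZE)
            return -1; /* validated before the loop increment dereferences this cell */
        ++count;
    }
    return count;
}

/* Runs the scheme on a constructed 8-cell block; returns 0 on success, otherwise the failing step. */
int demoScrambledFreeList(void)
{
    static unsigned char storage[9 * CELL_SIZE];
    /* Round the start up so every cell is CELL_SIZE-aligned; the corruption check relies on that. */
    unsigned char* block = (unsigned char*)(((uintptr_t)storage + CELL_SIZE - 1) & ~(uintptr_t)(CELL_SIZE - 1));
    FreeList list;
    freeListInitialize(&list, block, 8, 42);
    if (freeListCountReachable(&list, block, 8) != 8) return 1;
    if (freeListAllocate(&list) != (void*)block) return 2; /* cells pop in address order */
    if (freeListAllocate(&list) != (void*)(block + CELL_SIZE)) return 3;
    if (freeListCountReachable(&list, block, 8) != 6) return 4;
    /* Simulate a bug that overwrites a free cell's link with a raw (unscrambled) cell pointer. */
    ((FreeCell*)(block + 2 * CELL_SIZE))->scrambledNext = (uintptr_t)(block + 5 * CELL_SIZE);
    return freeListCountReachable(&list, block, 8) == -1 ? 0 : 5;
}
```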
3120
3121 2017-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>
3122
3123         [JSC] Use @globalPrivate for concatSlowPath
3124         https://bugs.webkit.org/show_bug.cgi?id=172802
3125
3126         Reviewed by Darin Adler.
3127
3128         Use @globalPrivate instead of manually putting it to JSGlobalObject.
3129
3130         * builtins/ArrayPrototype.js:
3131         (concatSlowPath): Deleted.
3132         * runtime/JSGlobalObject.cpp:
3133         (JSC::JSGlobalObject::init):
3134
3135 2017-06-01  Andy Estes  <aestes@apple.com>
3136
3137         REGRESSION (r217626): ENABLE_APPLE_PAY_SESSION_V3 was disabled by mistake
3138         https://bugs.webkit.org/show_bug.cgi?id=172828
3139
3140         Reviewed by Beth Dakin.
3141
3142         * Configurations/FeatureDefines.xcconfig:
3143
3144 2017-06-01  Keith Miller  <keith_miller@apple.com>
3145
3146         Undo rollout in r217638 with bug fix
3147         https://bugs.webkit.org/show_bug.cgi?id=172824
3148
3149         Unreviewed, reland patch with unused set_state code removed.
3150
3151         * API/tests/ExecutionTimeLimitTest.cpp:
3152         (dispatchTermitateCallback):
3153         (testExecutionTimeLimit):
3154         * runtime/JSLock.cpp:
3155         (JSC::JSLock::didAcquireLock):
3156         * runtime/Options.cpp:
3157         (JSC::overrideDefaults):
3158         (JSC::Options::initialize):
3159         * runtime/Options.h:
3160         * runtime/VMTraps.cpp:
3161         (JSC::SignalContext::SignalContext):
3162         (JSC::SignalContext::adjustPCToPointToTrappingInstruction):
3163         (JSC::installSignalHandler):
3164         (JSC::VMTraps::SignalSender::send):
3165         * tools/SigillCrashAnalyzer.cpp:
3166         (JSC::SignalContext::SignalContext):
3167         (JSC::SignalContext::dump):
3168         (JSC::installCrashHandler):
3169         * wasm/WasmBBQPlan.cpp:
3170         (JSC::Wasm::BBQPlan::compileFunctions):
3171         * wasm/WasmFaultSignalHandler.cpp:
3172         (JSC::Wasm::trapHandler):
3173         (JSC::Wasm::enableFastMemory):
3174         * wasm/WasmMachineThreads.cpp:
3175         (JSC::Wasm::resetInstructionCacheOnAllThreads):
3176
3177 2017-06-01  Guillaume Emont  <guijemont@igalia.com>
3178
3179         [JSC][MIPS] SamplingProfiler::timerLoop() sleeps for 4000+ seconds
3180         https://bugs.webkit.org/show_bug.cgi?id=172800
3181
3182         Reviewed by Saam Barati.
3183
3184         This fixes a static_cast<uint64_t> by making it a cast to int64_t
3185         instead, which looks like the original intent. This fixes the
3186         sampling-profiler tests in JSTests/stress.
3187
3188         * runtime/SamplingProfiler.cpp:
3189         (JSC::SamplingProfiler::timerLoop):
3190
3191 2017-06-01  Tomas Popela  <tpopela@redhat.com>, Mark Lam  <mark.lam@apple.com>
3192
3193         RELEASE_ASSERT_NOT_REACHED() in InferredType::kindForFlags() on Big-Endians
3194         https://bugs.webkit.org/show_bug.cgi?id=170945
3195
3196         Reviewed by Mark Lam.
3197
3198         Re-define PutByIdFlags as an int32_t enum explicitly because it is
3199         stored as an int32_t value in UnlinkedInstruction.  This prevents
3200         a bug on 64-bit big endian architectures where the word order is
3201         inverted (when we convert the UnlinkedInstruction into a CodeBlock
3202         Instruction), resulting in the PutByIdFlags value not being stored in
3203         the 32-bit word that the rest of the code expects it to be in.
3204
3205         * bytecode/PutByIdFlags.h:
3206
3207 2017-05-31  Yusuke Suzuki  <utatane.tea@gmail.com>
3208
3209         [JSC] Implement String.prototype.concat in JS builtins
3210         https://bugs.webkit.org/show_bug.cgi?id=172798
3211
3212         Reviewed by Sam Weinig.
3213
3214         Since we have a highly effective + operation for strings,
3215         implementing String.prototype.concat in JS simplifies the
3216         implementation and improves performance by using speculated
3217         types.
3218
3219         Added microbenchmarks show performance improvement.
3220
3221         string-concat-long-convert     1063.2787+-12.9101    ^    109.0855+-2.8083        ^ definitely 9.7472x faster
3222         string-concat-convert          1111.1366+-12.2363    ^     99.3402+-1.9874        ^ definitely 11.1852x faster
3223         string-concat                   131.7377+-3.8359     ^     54.3949+-0.9580        ^ definitely 2.4219x faster
3224         string-concat-long               79.4726+-1.9644     ^     64.6301+-1.4941        ^ definitely 1.2297x faster
3225
3226         * builtins/StringPrototype.js:
3227         (globalPrivate.stringConcatSlowPath):
3228         (concat):
3229         * runtime/StringPrototype.cpp:
3230         (JSC::StringPrototype::finishCreation):
3231         (JSC::stringProtoFuncConcat): Deleted.
3232
3233 2017-05-31  Mark Lam  <mark.lam@apple.com>
3234
3235         Remove overrides of visitChildren() that do not add any functionality.
3236         https://bugs.webkit.org/show_bug.cgi?id=172789
3237         <rdar://problem/32500865>
3238
3239         Reviewed by Andreas Kling.
3240
3241         * bytecode/UnlinkedModuleProgramCodeBlock.cpp:
3242         (JSC::UnlinkedModuleProgramCodeBlock::visitChildren): Deleted.
3243         * bytecode/UnlinkedModuleProgramCodeBlock.h:
3244         * bytecode/UnlinkedProgramCodeBlock.cpp:
3245         (JSC::UnlinkedProgramCodeBlock::visitChildren): Deleted.
3246         * bytecode/UnlinkedProgramCodeBlock.h:
3247         * wasm/js/WebAssemblyFunction.cpp:
3248         (JSC::WebAssemblyFunction::visitChildren): Deleted.
3249         * wasm/js/WebAssemblyFunction.h:
3250         * wasm/js/WebAssemblyInstanceConstructor.cpp:
3251         (JSC::WebAssemblyInstanceConstructor::visitChildren): Deleted.
3252         * wasm/js/WebAssemblyInstanceConstructor.h:
3253         * wasm/js/WebAssemblyMemoryConstructor.cpp:
3254         (JSC::WebAssemblyMemoryConstructor::visitChildren): Deleted.
3255         * wasm/js/WebAssemblyMemoryConstructor.h:
3256         * wasm/js/WebAssemblyModuleConstructor.cpp:
3257         (JSC::WebAssemblyModuleConstructor::visitChildren): Deleted.
3258         * wasm/js/WebAssemblyModuleConstructor.h:
3259         * wasm/js/WebAssemblyTableConstructor.cpp:
3260         (JSC::WebAssemblyTableConstructor::visitChildren): Deleted.
3261         * wasm/js/WebAssemblyTableConstructor.h:
3262
3263 2017-05-31  Commit Queue  <commit-queue@webkit.org>
3264
3265         Unreviewed, rolling out r217611 and r217631.
3266         https://bugs.webkit.org/show_bug.cgi?id=172785
3267
3268         "caused wasm-hashset-many.html to become flaky." (Requested by
3269         keith_miller on #webkit).
3270
3271         Reverted changesets:
3272
3273         "Reland r216808, underlying lldb bug has been fixed."
3274         https://bugs.webkit.org/show_bug.cgi?id=172759
3275         http://trac.webkit.org/changeset/217611
3276
3277         "Use dispatch queues for mach exceptions"
3278         https://bugs.webkit.org/show_bug.cgi?id=172775
3279         http://trac.webkit.org/changeset/217631
3280
3281 2017-05-31  Oleksandr Skachkov  <gskachkov@gmail.com>
3282
3283         Rolling out: Prevent async methods named 'function'
3284         https://bugs.webkit.org/show_bug.cgi?id=172776
3285
3286         Reviewed by Mark Lam.
3287
3288         Rolling out https://bugs.webkit.org/show_bug.cgi?id=172660 r217578,
3289         https://bugs.webkit.org/show_bug.cgi?id=172598  r217478
3290         The PR to the spec was closed, so the changes need to be rolled out. See
3291         https://github.com/tc39/ecma262/pull/884#issuecomment-305212494
3292
3293         * parser/Parser.cpp:
3294         (JSC::Parser<LexerType>::parseClass):
3295         (JSC::Parser<LexerType>::parsePropertyMethod):
3296
3297 2017-05-31  Andy Estes  <aestes@apple.com>
3298
3299         Rename ENABLE_APPLE_PAY_DELEGATE to ENABLE_APPLE_PAY_SESSION_V3 and bump the supported version number
3300         https://bugs.webkit.org/show_bug.cgi?id=172366
3301
3302         Reviewed by Daniel Bates.
3303
3304         * Configurations/FeatureDefines.xcconfig:
3305
3306 2017-05-31  Keith Miller  <keith_miller@apple.com>
3307
3308         Reland r216808, underlying lldb bug has been fixed.
3309         https://bugs.webkit.org/show_bug.cgi?id=172759
3310
3312         Unreviewed, relanding old patch. See: rdar://problem/31183352
3313
3314         * API/tests/ExecutionTimeLimitTest.cpp:
3315         (dispatchTermitateCallback):
3316         (testExecutionTimeLimit):
3317         * runtime/JSLock.cpp:
3318         (JSC::JSLock::didAcquireLock):
3319         * runtime/Options.cpp:
3320         (JSC::overrideDefaults):
3321         (JSC::Options::initialize):
3322         * runtime/Options.h:
3323         * runtime/VMTraps.cpp:
3324         (JSC::SignalContext::SignalContext):
3325         (JSC::SignalContext::adjustPCToPointToTrappingInstruction):
3326         (JSC::installSignalHandler):
3327         (JSC::VMTraps::SignalSender::send):
3328         * tools/SigillCrashAnalyzer.cpp:
3329         (JSC::SignalContext::SignalContext):
3330         (JSC::SignalContext::dump):
3331         (JSC::installCrashHandler):
3332         * wasm/WasmBBQPlan.cpp:
3333         (JSC::Wasm::BBQPlan::compileFunctions):
3334         * wasm/WasmFaultSignalHandler.cpp:
3335         (JSC::Wasm::trapHandler):
3336         (JSC::Wasm::enableFastMemory):
3337         * wasm/WasmMachineThreads.cpp:
3338         (JSC::Wasm::resetInstructionCacheOnAllThreads):
3339
3340 2017-05-31  Keith Miller  <keith_miller@apple.com>
3341
3342         Fix leak in PromiseDeferredTimer
3343         https://bugs.webkit.org/show_bug.cgi?id=172755
3344
3345         Reviewed by JF Bastien.
3346
3347         We were not properly freeing the list of dependencies if we were already tracking the promise before.
3348         This is because addPendingPromise takes the list of dependencies as an rvalue-reference. In the case
3349         where we were already tracking the promise we append the provided dependency list to the existing list.
3350         Since we never bound our rvalue-ref to a non-temporary value, we never destructed the Vector, leaking its
3351         contents.
3352
3353         * runtime/PromiseDeferredTimer.cpp:
3354         (JSC::PromiseDeferredTimer::addPendingPromise):
3355
3356 2017-05-30  Oleksandr Skachkov  <gskachkov@gmail.com>
3357
3358         Prevent async methods named 'function' in Object literal
3359         https://bugs.webkit.org/show_bug.cgi?id=172660
3360
3361         Reviewed by Saam Barati.
3362
3363         Prevent async method named 'function' in object.
3364         https://github.com/tc39/ecma262/pull/884
3365
3366         * parser/Parser.cpp:
3367         (JSC::Parser<LexerType>::parsePropertyMethod):
3368
3369 2017-05-30  Oleksandr Skachkov  <gskachkov@gmail.com>
3370
3371         ASSERTION FAILED: generator.isConstructor() || generator.derivedContextType() == DerivedContextType::DerivedConstructorContext
3372         https://bugs.webkit.org/show_bug.cgi?id=171274
3373
3374         Reviewed by Saam Barati.
3375
3376         The current patch allows using an async arrow function within a constructor,
3377         and allows access to `this`. The current patch forces loading `this` from the
3378         virtual scope each time we access `this` in an async arrow function
3379         within a constructor; this is necessary because the async function can be
3380         suspended, `superCall` can be called, and the async function resumed.
3381
3382         * bytecompiler/BytecodeGenerator.cpp:
3383         (JSC::BytecodeGenerator::emitPutGeneratorFields):
3384         (JSC::BytecodeGenerator::ensureThis):
3385         * bytecompiler/BytecodeGenerator.h:
3386         (JSC::BytecodeGenerator::makeFunction):
3387
3388 2017-05-30  Ali Juma  <ajuma@chromium.org>
3389
3390         [CredentialManagement] Incorporate IDL updates from latest spec
3391         https://bugs.webkit.org/show_bug.cgi?id=172011
3392
3393         Reviewed by Daniel Bates.
3394
3395         * runtime/CommonIdentifiers.h:
3396
3397 2017-05-30  Alex Christensen  <achristensen@webkit.org>
3398
3399         Update libwebrtc configuration
3400         https://bugs.webkit.org/show_bug.cgi?id=172727
3401
3402         Reviewed by Geoffrey Garen.
3403
3404         * Configurations/FeatureDefines.xcconfig:
3405
3406 2017-05-28  Dan Bernstein  <mitz@apple.com>
3407
3408         [Xcode] ALWAYS_SEARCH_USER_PATHS is set to YES
3409         https://bugs.webkit.org/show_bug.cgi?id=172691
3410
3411         Reviewed by Tim Horton.
3412
3413         * Configurations/Base.xcconfig: Set ALWAYS_SEARCH_USER_PATHS to NO.
3414         * JavaScriptCore.xcodeproj/project.pbxproj: Added ParseInt.h to the JavaScriptCore target.
3415
3416 2017-05-28  Yusuke Suzuki  <utatane.tea@gmail.com>
3417
3418         [JSC] Provide better type information of toLength and tighten bytecode