[CMake] Properly test if compiler supports compiler flags
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>

        [CMake] Properly test if compiler supports compiler flags
        https://bugs.webkit.org/show_bug.cgi?id=174490

        Reviewed by Konstantin Tokarev.

        * API/tests/PingPongStackOverflowTest.cpp:
        (testPingPongStackOverflow):
        * API/tests/testapi.c:
        * b3/testb3.cpp:
        (JSC::B3::testPatchpointLotsOfLateAnys):

2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        [Linux] Clear WasmMemory with madvise instead of memset
        https://bugs.webkit.org/show_bug.cgi?id=175150

        Reviewed by Filip Pizlo.

        In Linux, zeroing pages with memset populates the backing store.
        Instead, we should use madvise with MADV_DONTNEED. It discards
        pages. And if you access these pages, on-demand zero pages will
        be shown.

        We also commit grown pages in all OSes.

        * wasm/WasmMemory.cpp:
        (JSC::Wasm::commitZeroPages):
        (JSC::Wasm::Memory::create):
        (JSC::Wasm::Memory::grow):

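The residency difference the entry above relies on, shown as an added example written for this page (it is not JavaScriptCore's WasmMemory code). It assumes Linux, where mincore(2) reports residency and MADV_DONTNEED discards private anonymous pages; the function names are the example's own.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Number of pages in [base, base+len) that the kernel currently backs with
 * physical memory, read with mincore(2). Returns -1 on error or if the range
 * is larger than this demo supports. */
static long resident_pages(void *base, size_t len)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t npages = (len + page - 1) / page;
    unsigned char vec[256];            /* plenty for the 16-page demo below */
    if (npages > sizeof vec)
        return -1;
    if (mincore(base, len, (void *)vec) != 0)
        return -1;
    long n = 0;
    for (size_t i = 0; i < npages; i++)
        n += vec[i] & 1;
    return n;
}

/* The memset way: writing every byte faults every page in, so each page ends
 * up backed by real memory even though it only holds zeros. */
static long zero_with_memset(void *base, size_t len)
{
    memset(base, 0, len);
    return resident_pages(base, len);
}

/* The madvise(MADV_DONTNEED) way adopted by the entry above: the kernel drops
 * the pages outright, and the next read of a dropped page gets a fresh zero
 * page allocated on demand. On Linux, private anonymous pages are discarded,
 * so nothing stays resident. Returns -1 if madvise fails. */
static long zero_with_madvise(void *base, size_t len)
{
    if (madvise(base, len, MADV_DONTNEED) != 0)
        return -1;
    return resident_pages(base, len);
}

/* Constructed demo: map 16 anonymous pages, dirty them, and zero them both
 * ways, checking residency after each and that the memory reads back as zero.
 * Returns 1 when madvise leaves fewer pages resident than memset and the
 * contents are zero, 0 otherwise. */
static int demo_compare(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t len = 16 * page;
    unsigned char *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return 0;

    memset(p, 0xAB, len);                            /* dirty every page */
    long after_memset = zero_with_memset(p, len);    /* 16 resident on Linux */

    memset(p, 0xAB, len);                            /* dirty again */
    long after_madvise = zero_with_madvise(p, len);  /* 0 resident on Linux */

    int zeroed = 1;              /* touching the pages faults zero-fill pages in */
    for (size_t i = 0; i < len; i += page)
        if (p[i] != 0)
            zeroed = 0;

    munmap(p, len);
    return after_memset == 16 && after_madvise >= 0
        && after_madvise < after_memset && zeroed;
}

int main(void)
{
    printf("madvise leaves fewer pages resident than memset: %s\n",
           demo_compare() ? "yes" : "no");
    return 0;
}
```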
2017-08-07  Robin Morisset  <rmorisset@apple.com>

        GetOwnProperty of TypedArray indexed fields is wrongly configurable
        https://bugs.webkit.org/show_bug.cgi?id=175307

        Reviewed by Saam Barati.

        ```
        let a = new Uint8Array(10);
        let b = Object.getOwnPropertyDescriptor(a, 0);
        assert(b.configurable === false);
        ```
        should not fail: by section 9.4.5.1 (https://tc39.github.io/ecma262/#sec-integer-indexed-exotic-objects-getownproperty-p)
        that applies to integer indexed exotic objects, and section 22.2.7 (https://tc39.github.io/ecma262/#sec-properties-of-typedarray-instances)
        that says that typed arrays are integer indexed exotic objects.

        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):

2017-08-07  Filip Pizlo  <fpizlo@apple.com>

        Baseline JIT should do caging
        https://bugs.webkit.org/show_bug.cgi?id=175037

        Reviewed by Mark Lam.

        Adds an AssemblyHelpers::cage and cageConditionally. Uses it in the baseline JIT.

        Also modifies FTL caging to be more defensive when caging is disabled.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::caged):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::cage):
        (JSC::AssemblyHelpers::cageConditionally):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDoubleLoad):
        (JSC::JIT::emitContiguousLoad):
        (JSC::JIT::emitArrayStorageLoad):
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emitArrayStoragePutByVal):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emitIntTypedArrayGetByVal):
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        (JSC::JIT::emitIntTypedArrayPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * jsc.cpp:
        (jscmain):
        (primitiveGigacageDisabled): Deleted.

2017-08-06  Filip Pizlo  <fpizlo@apple.com>

        Primitive auxiliaries and JSValue auxiliaries should have separate gigacages
        https://bugs.webkit.org/show_bug.cgi?id=174919

        Reviewed by Keith Miller.

        This adapts JSC to there being two gigacages.

        To make matters simpler, this turns AlignedMemoryAllocators into per-VM instances rather than
        singletons. I don't think we were gaining anything by making them be singletons.

        This makes it easy to teach GigacageAlignedMemoryAllocator that there are multiple kinds of
        gigacages. We'll have one of those allocators per cage.

        From there, this change teaches everyone who previously knew about cages that there are two cages.
        This means having to specify either Gigacage::Primitive or Gigacage::JSValue. In most places, this is
        easy: typed arrays are Primitive and butterflies are JSValue. But there are a few places where it's
        not so obvious, so this change introduces some helpers to make it easy to define what cage you want
        to use in one place and refer to it abstractly. We do this in DirectArguments and GenericArguments.h

        A lot of the magic of this change is due to CagedBarrierPtr, which combines AuxiliaryBarrier and
        CagedPtr. This removes one layer of "get()" calls from a bunch of places.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
        (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
        (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
        (JSC::FTL::DFG::LowerDFGToB3::caged):
        * heap/FastMallocAlignedMemoryAllocator.cpp:
        (JSC::FastMallocAlignedMemoryAllocator::instance): Deleted.
        * heap/FastMallocAlignedMemoryAllocator.h:
        * heap/GigacageAlignedMemoryAllocator.cpp:
        (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
        (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
        (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
        (JSC::GigacageAlignedMemoryAllocator::dump const):
        (JSC::GigacageAlignedMemoryAllocator::instance): Deleted.
        * heap/GigacageAlignedMemoryAllocator.h:
        * jsc.cpp:
        (primitiveGigacageDisabled):
        (jscmain):
        (gigacageDisabled): Deleted.
        * llint/LowLevelInterpreter64.asm:
        * runtime/ArrayBuffer.cpp:
        (JSC::ArrayBufferContents::tryAllocate):
        (JSC::ArrayBuffer::createAdopted):
        (JSC::ArrayBuffer::createFromBytes):
        * runtime/AuxiliaryBarrier.h:
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::createUninitialized):
        (JSC::Butterfly::tryCreate):
        (JSC::Butterfly::growArrayRight):
        * runtime/CagedBarrierPtr.h: Added.
        (JSC::CagedBarrierPtr::CagedBarrierPtr):
        (JSC::CagedBarrierPtr::clear):
        (JSC::CagedBarrierPtr::set):
        (JSC::CagedBarrierPtr::get const):
        (JSC::CagedBarrierPtr::getMayBeNull const):
        (JSC::CagedBarrierPtr::operator== const):
        (JSC::CagedBarrierPtr::operator!= const):
        (JSC::CagedBarrierPtr::operator bool const):
        (JSC::CagedBarrierPtr::setWithoutBarrier):
        (JSC::CagedBarrierPtr::operator* const):
        (JSC::CagedBarrierPtr::operator-> const):
        (JSC::CagedBarrierPtr::operator[] const):
        * runtime/DirectArguments.cpp:
        (JSC::DirectArguments::overrideThings):
        (JSC::DirectArguments::unmapArgument):
        * runtime/DirectArguments.h:
        (JSC::DirectArguments::isMappedArgument const):
        * runtime/GenericArguments.h:
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
        (JSC::GenericArguments<Type>::setModifiedArgumentDescriptor):
        (JSC::GenericArguments<Type>::isModifiedArgumentDescriptor):
        * runtime/HashMapImpl.cpp:
        (JSC::HashMapImpl<HashMapBucket>::visitChildren):
        * runtime/HashMapImpl.h:
        (JSC::HashMapBuffer::create):
        (JSC::HashMapImpl::buffer const):
        (JSC::HashMapImpl::rehash):
        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):
        (JSC::JSArray::unshiftCountSlowCase):
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::push):
        (JSC::JSArray::fastSlice):
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithAnyIndexingType):
        (JSC::JSArray::fillArgList):
        (JSC::JSArray::copyToArguments):
        * runtime/JSArray.h:
        (JSC::JSArray::tryCreate):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
        (JSC::JSArrayBufferView::finalize):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        * runtime/JSObject.cpp:
        (JSC::JSObject::heapSnapshot):
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::enterDictionaryIndexingMode):
        (JSC::JSObject::createInitialIndexedStorage):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
        (JSC::JSObject::convertUndecidedToArrayStorage):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToContiguous):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::convertDoubleToContiguous):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::setIndexQuicklyToUndecided):
        (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
        (JSC::JSObject::deletePropertyByIndex):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::putIndexedDescriptor):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
        (JSC::JSObject::getNewVectorLength):
        (JSC::JSObject::ensureLengthSlow):
        (JSC::JSObject::reallocateAndShrinkButterfly):
        (JSC::JSObject::allocateMoreOutOfLineStorage):
        (JSC::JSObject::getEnumerableLength):
        * runtime/JSObject.h:
        (JSC::JSObject::getArrayLength const):
        (JSC::JSObject::getVectorLength):
        (JSC::JSObject::putDirectIndex):
        (JSC::JSObject::canGetIndexQuickly):
        (JSC::JSObject::getIndexQuickly):
        (JSC::JSObject::tryGetIndexQuickly const):
        (JSC::JSObject::canSetIndexQuickly):
        (JSC::JSObject::setIndexQuickly):
        (JSC::JSObject::initializeIndex):
        (JSC::JSObject::initializeIndexWithoutBarrier):
        (JSC::JSObject::hasSparseMap):
        (JSC::JSObject::inSparseIndexingMode):
        (JSC::JSObject::butterfly const):
        (JSC::JSObject::butterfly):
        (JSC::JSObject::outOfLineStorage const):
        (JSC::JSObject::outOfLineStorage):
        (JSC::JSObject::ensureInt32):
        (JSC::JSObject::ensureDouble):
        (JSC::JSObject::ensureContiguous):
        (JSC::JSObject::ensureArrayStorage):
        (JSC::JSObject::arrayStorage):
        (JSC::JSObject::arrayStorageOrNull):
        (JSC::JSObject::ensureLength):
        * runtime/RegExpMatchesArray.h:
        (JSC::tryCreateUninitializedRegExpMatchesArray):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        (JSC::VM::primitiveGigacageDisabledCallback):
        (JSC::VM::primitiveGigacageDisabled):
        (JSC::VM::gigacageDisabledCallback): Deleted.
        (JSC::VM::gigacageDisabled): Deleted.
        * runtime/VM.h:
        (JSC::VM::gigacageAuxiliarySpace):
        (JSC::VM::firePrimitiveGigacageEnabledIfNecessary):
        (JSC::VM::primitiveGigacageEnabled):
        (JSC::VM::fireGigacageEnabledIfNecessary): Deleted.
        (JSC::VM::gigacageEnabled): Deleted.
        * wasm/WasmMemory.cpp:
        (JSC::Wasm::Memory::create):
        (JSC::Wasm::Memory::~Memory):
        (JSC::Wasm::Memory::grow):

2017-08-07  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r220144.
        https://bugs.webkit.org/show_bug.cgi?id=175276

        "It did not actually speed things up in the way I expected"
        (Requested by saamyjoon on #webkit).

        Reverted changeset:

        "On memory-constrained iOS devices, reduce the rate at which
        the JS heap grows before a GC to try to keep more memory
        available for the system"
        https://bugs.webkit.org/show_bug.cgi?id=175041
        http://trac.webkit.org/changeset/220144

2017-08-07  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r220299.

        This change caused LayoutTest inspector/dom-debugger/dom-
        breakpoints.html to fail.

        Reverted changeset:

        "Web Inspector: capture async stack trace when workers/main
        context posts a message"
        https://bugs.webkit.org/show_bug.cgi?id=167084
        http://trac.webkit.org/changeset/220299

2017-08-07  Brian Burg  <bburg@apple.com>

        Remove CANVAS_PATH compilation guard
        https://bugs.webkit.org/show_bug.cgi?id=175207

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:

2017-08-07  Keith Miller  <keith_miller@apple.com>

        REGRESSION: wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js failing on JSC Debug bots
        https://bugs.webkit.org/show_bug.cgi?id=175256

        Reviewed by Saam Barati.

        The check in createFromBytes just needed to check that the buffer was not null before
        calling isCaged.

        * runtime/ArrayBuffer.cpp:
        (JSC::ArrayBuffer::createFromBytes):

2017-08-05  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GTK][WPE] Add API to provide browser information required by automation
        https://bugs.webkit.org/show_bug.cgi?id=175130

        Reviewed by Brian Burg.

        Add browserName and browserVersion to RemoteInspector::Client::Capabilities and virtual methods to the Client to
        get them.

        * inspector/remote/RemoteInspector.cpp:
        (Inspector::RemoteInspector::updateClientCapabilities): Update also browserName and browserVersion.
        * inspector/remote/RemoteInspector.h:
        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::requestAutomationSession): Call updateClientCapabilities() after the session is
        requested to ensure they are updated before the StartAutomationSession reply is sent.
        * inspector/remote/glib/RemoteInspectorServer.cpp: Add browserName and browserVersion as return values of the
        StartAutomationSession message.

2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        Promise resolve and reject function should have length = 1
        https://bugs.webkit.org/show_bug.cgi?id=175242

        Reviewed by Saam Barati.

        Previously we had a separate system for "length" and "name" for builtin functions.
        The builtin functions do not use the lazy reifying system. Instead, they have direct
        properties when instantiated. While the function created for properties (like
        Array.prototype.filter) is created by JSFunction::createBuiltin(), functions inside
        these builtin functions are just created by JSFunction::create(). Since it does
        not set any values for "length", these functions do not have a "length" property.
        So, the resolve and reject functions passed to Promise's executor do not have a
        "length" property.

        This patch makes builtin functions use the standard lazy reifying system for "length".
        So, the "length" property of the builtin function just works as it does for normal
        functions.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::createBuiltinFunction):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        (JSC::JSFunction::put):
        (JSC::JSFunction::deleteProperty):
        (JSC::JSFunction::defineOwnProperty):
        (JSC::JSFunction::reifyLazyPropertyIfNeeded):
        (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
        (JSC::JSFunction::reifyLazyLengthIfNeeded):
        (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
        (JSC::JSFunction::reifyBoundNameIfNeeded): Deleted.
        * runtime/JSFunction.h:

2017-08-06  Oleksandr Skachkov  <gskachkov@gmail.com>

        [ESNext] Async iteration - Implement Async Generator - parser
        https://bugs.webkit.org/show_bug.cgi?id=175210

        Reviewed by Yusuke Suzuki.

        The current implementation is a draft version of Async Iteration.
        Link to spec https://tc39.github.io/proposal-async-iteration/

        The current patch implements only the parser part of the Async generator.
        The runtime part will be in the next patches.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createFunctionMetadata):
        * parser/Parser.cpp:
        (JSC::getAsynFunctionBodyParseMode):
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
        (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
        (JSC::stringArticleForFunctionMode):
        (JSC::stringForFunctionMode):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
        (JSC::Parser<LexerType>::parseClass):
        (JSC::Parser<LexerType>::parseProperty):
        (JSC::Parser<LexerType>::parsePropertyMethod):
        (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
        * parser/Parser.h:
        (JSC::Scope::setSourceParseMode):
        * parser/ParserModes.h:
        (JSC::isFunctionParseMode):
        (JSC::isAsyncFunctionParseMode):
        (JSC::isAsyncArrowFunctionParseMode):
        (JSC::isAsyncGeneratorFunctionParseMode):
        (JSC::isAsyncFunctionOrAsyncGeneratorWrapperParseMode):
        (JSC::isAsyncFunctionWrapperParseMode):
        (JSC::isAsyncFunctionBodyParseMode):
        (JSC::isGeneratorMethodParseMode):
        (JSC::isAsyncMethodParseMode):
        (JSC::isAsyncGeneratorMethodParseMode):
        (JSC::isMethodParseMode):
        (JSC::isGeneratorOrAsyncFunctionBodyParseMode):
        (JSC::isGeneratorOrAsyncFunctionWrapperParseMode):

423 2017-08-05  Filip Pizlo  <fpizlo@apple.com>
424
425         REGRESSION (r219895-219897): Number of leaks on Open Source went from 9240 to 235983 and is now at 302372
426         https://bugs.webkit.org/show_bug.cgi?id=175083
427
428         Reviewed by Oliver Hunt.
429         
430         This fixes the leak by making MarkedBlock::specializedSweep call destructors when the block is empty,
431         even if we are using the pop path.
432         
433         Also, this fixes HeapCellInlines.h to no longer include MarkedBlockInlines.h. That's pretty
434         important, since MarkedBlockInlines.h is the GC's internal guts - we don't want to have to recompile
435         the world just because we changed it.
436         
437         Finally, this adds a new testing SPI for waiting for all VMs to finish destructing. This makes it
438         easier to debug leaks.
439
440         * bytecode/AccessCase.cpp:
441         * bytecode/PolymorphicAccess.cpp:
442         * heap/HeapCell.cpp:
443         (JSC::HeapCell::isLive):
444         * heap/HeapCellInlines.h:
445         (JSC::HeapCell::isLive): Deleted.
446         * heap/MarkedAllocator.cpp:
447         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
448         (JSC::MarkedAllocator::endMarking):
449         * heap/MarkedBlockInlines.h:
450         (JSC::MarkedBlock::Handle::specializedSweep):
451         * jit/AssemblyHelpers.cpp:
452         * jit/Repatch.cpp:
453         * runtime/TestRunnerUtils.h:
454         * runtime/VM.cpp:
455         (JSC::waitForVMDestruction):
456         (JSC::VM::~VM):
457
458 2017-08-05  Mark Lam  <mark.lam@apple.com>
459
460         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 3].
461         https://bugs.webkit.org/show_bug.cgi?id=175228
462         <rdar://problem/33735737>
463
464         Reviewed by Saam Barati.
465
466         Merge the 32-bit OSRExit::compileExit() method into the 64-bit version, and
467         delete OSRExit32_64.cpp.
468
469         * CMakeLists.txt:
470         * JavaScriptCore.xcodeproj/project.pbxproj:
471         * dfg/DFGOSRExit.cpp:
472         (JSC::DFG::OSRExit::compileExit):
473         * dfg/DFGOSRExit32_64.cpp: Removed.
474         * jit/GPRInfo.h:
475         (JSC::JSValueSource::payloadGPR const):
476
477 2017-08-04  Youenn Fablet  <youenn@apple.com>
478
479         [Cache API] Add Cache and CacheStorage IDL definitions
480         https://bugs.webkit.org/show_bug.cgi?id=175201
481
482         Reviewed by Brady Eidson.
483
484         * runtime/CommonIdentifiers.h:
485
486 2017-08-04  Mark Lam  <mark.lam@apple.com>
487
488         Fix typo in testmasm.cpp: ENABLE(JSVALUE64) should be USE(JSVALUE64).
489         https://bugs.webkit.org/show_bug.cgi?id=175230
490         <rdar://problem/33735857>
491
492         Reviewed by Saam Barati.
493
494         * assembler/testmasm.cpp:
495         (JSC::testProbeReadsArgumentRegisters):
496         (JSC::testProbeWritesArgumentRegisters):
497
498 2017-08-04  Mark Lam  <mark.lam@apple.com>
499
500         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 2].
501         https://bugs.webkit.org/show_bug.cgi?id=175214
502         <rdar://problem/33733308>
503
504         Rubber-stamped by Michael Saboff.
505
506         Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused
507         DFGOSRExitCompiler files.
508
509         Also renamed DFGOSRExitCompiler32_64.cpp to DFGOSRExit32_64.cpp.
510
511         Also move debugOperationPrintSpeculationFailure() into DFGOSRExit.cpp.  It's only
512         used by compileOSRExit(), and will be changed to not be a DFG operation function
513         when we use JIT probes for DFG OSR exits later in
514         https://bugs.webkit.org/show_bug.cgi?id=175144.
515
516         * CMakeLists.txt:
517         * JavaScriptCore.xcodeproj/project.pbxproj:
518         * dfg/DFGJITCompiler.cpp:
519         * dfg/DFGOSRExit.cpp:
520         (JSC::DFG::OSRExit::emitRestoreArguments):
521         (JSC::DFG::OSRExit::compileOSRExit):
522         (JSC::DFG::OSRExit::compileExit):
523         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
524         * dfg/DFGOSRExit.h:
525         * dfg/DFGOSRExit32_64.cpp: Copied from Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp.
526         * dfg/DFGOSRExitCompiler.cpp: Removed.
527         * dfg/DFGOSRExitCompiler.h: Removed.
528         * dfg/DFGOSRExitCompiler32_64.cpp: Removed.
529         * dfg/DFGOSRExitCompiler64.cpp: Removed.
530         * dfg/DFGOperations.cpp:
531         * dfg/DFGOperations.h:
532         * dfg/DFGThunks.cpp:
533
534 2017-08-04  Matt Baker  <mattbaker@apple.com>
535
536         Web Inspector: capture async stack trace when workers/main context posts a message
537         https://bugs.webkit.org/show_bug.cgi?id=167084
538         <rdar://problem/30033673>
539
540         Reviewed by Brian Burg.
541
542         * inspector/agents/InspectorDebuggerAgent.h:
543         Add `PostMessage` async call type.
544
545 2017-08-04  Mark Lam  <mark.lam@apple.com>
546
547         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 1].
548         https://bugs.webkit.org/show_bug.cgi?id=175208
549         <rdar://problem/33732402>
550
551         Reviewed by Saam Barati.
552
553         This will minimize the code diff and make it easier to review the patch for
554         https://bugs.webkit.org/show_bug.cgi?id=175144 later.  We'll do this patch in 3
555         steps:
556
557         1. Do the code changes to move methods into OSRExit.
558         2. Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused DFGOSRExitCompiler files.
559         3. Merge the 32-bit OSRExitCompiler methods into the 64-bit version, and delete DFGOSRExitCompiler32_64.cpp.
560
561         Splitting this refactoring into these 3 steps also makes it easier to review this
562         patch and understand what is being changed.
563
564         * dfg/DFGOSRExit.h:
565         * dfg/DFGOSRExitCompiler.cpp:
566         (JSC::DFG::OSRExit::emitRestoreArguments):
567         (JSC::DFG::OSRExit::compileOSRExit):
568         (JSC::DFG::OSRExitCompiler::emitRestoreArguments): Deleted.
569         (): Deleted.
570         * dfg/DFGOSRExitCompiler.h:
571         (JSC::DFG::OSRExitCompiler::OSRExitCompiler): Deleted.
572         (): Deleted.
573         * dfg/DFGOSRExitCompiler32_64.cpp:
574         (JSC::DFG::OSRExit::compileExit):
575         (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
576         * dfg/DFGOSRExitCompiler64.cpp:
577         (JSC::DFG::OSRExit::compileExit):
578         (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
579         * dfg/DFGThunks.cpp:
580         (JSC::DFG::osrExitGenerationThunkGenerator):
581
582 2017-08-04  Devin Rousso  <drousso@apple.com>
583
584         Web Inspector: add source view for WebGL shader programs
585         https://bugs.webkit.org/show_bug.cgi?id=138593
586         <rdar://problem/18936194>
587
588         Reviewed by Matt Baker.
589
590         * inspector/protocol/Canvas.json:
591          - Add `ShaderType` enum that contains "vertex" and "fragment".
592          - Add `requestShaderSource` command that will return the original source code for a given
593            shader program and shader type.
594
595 2017-08-03  Filip Pizlo  <fpizlo@apple.com>
596
597         The allocator used to allocate memory for MarkedBlocks and LargeAllocations should not be the Subspace itself
598         https://bugs.webkit.org/show_bug.cgi?id=175141
599
600         Reviewed by Mark Lam.
601         
602         To make it easier to have multiple gigacages and maybe even fancier methods of allocating, this
603         decouples the allocator used to allocate memory from the GC Subspace. This means we no longer have
604         to create a new Subspace subclass to allocate memory a different way. Instead, the allocator is now
605         determined by the AlignedMemoryAllocator object.
606         
607         This also simplifies trading of blocks. Before, Subspaces had to determine if other Subspaces could
608         trade blocks with them using canTradeBlocksWith(). This makes it difficult for two different
609         Subspaces that both use the same underlying allocator to realize that they can trade blocks with
610         each other. Now, you just need to ask the block being stolen and the subspace doing the stealing if
611         they use the same AlignedMemoryAllocator.
612
613         * CMakeLists.txt:
614         * JavaScriptCore.xcodeproj/project.pbxproj:
615         * heap/AlignedMemoryAllocator.cpp: Added.
616         (JSC::AlignedMemoryAllocator::AlignedMemoryAllocator):
617         (JSC::AlignedMemoryAllocator::~AlignedMemoryAllocator):
618         * heap/AlignedMemoryAllocator.h: Added.
619         * heap/FastMallocAlignedMemoryAllocator.cpp: Added.
620         (JSC::FastMallocAlignedMemoryAllocator::singleton):
621         (JSC::FastMallocAlignedMemoryAllocator::FastMallocAlignedMemoryAllocator):
622         (JSC::FastMallocAlignedMemoryAllocator::~FastMallocAlignedMemoryAllocator):
623         (JSC::FastMallocAlignedMemoryAllocator::tryAllocateAlignedMemory):
624         (JSC::FastMallocAlignedMemoryAllocator::freeAlignedMemory):
625         (JSC::FastMallocAlignedMemoryAllocator::dump const):
626         * heap/FastMallocAlignedMemoryAllocator.h: Added.
627         * heap/GigacageAlignedMemoryAllocator.cpp: Added.
628         (JSC::GigacageAlignedMemoryAllocator::singleton):
629         (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
630         (JSC::GigacageAlignedMemoryAllocator::~GigacageAlignedMemoryAllocator):
631         (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
632         (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
633         (JSC::GigacageAlignedMemoryAllocator::dump const):
634         * heap/GigacageAlignedMemoryAllocator.h: Added.
635         * heap/GigacageSubspace.cpp: Removed.
636         * heap/GigacageSubspace.h: Removed.
637         * heap/LargeAllocation.cpp:
638         (JSC::LargeAllocation::tryCreate):
639         (JSC::LargeAllocation::destroy):
640         * heap/MarkedAllocator.cpp:
641         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
642         * heap/MarkedBlock.cpp:
643         (JSC::MarkedBlock::tryCreate):
644         (JSC::MarkedBlock::Handle::Handle):
645         (JSC::MarkedBlock::Handle::~Handle):
646         (JSC::MarkedBlock::Handle::didAddToAllocator):
647         (JSC::MarkedBlock::Handle::subspace const):
648         * heap/MarkedBlock.h:
649         (JSC::MarkedBlock::Handle::alignedMemoryAllocator const):
650         (JSC::MarkedBlock::Handle::subspace const): Deleted.
651         * heap/Subspace.cpp:
652         (JSC::Subspace::Subspace):
653         (JSC::Subspace::findEmptyBlockToSteal):
654         (JSC::Subspace::canTradeBlocksWith): Deleted.
655         (JSC::Subspace::tryAllocateAlignedMemory): Deleted.
656         (JSC::Subspace::freeAlignedMemory): Deleted.
657         * heap/Subspace.h:
658         (JSC::Subspace::name const):
659         (JSC::Subspace::alignedMemoryAllocator const):
660         * runtime/JSDestructibleObjectSubspace.cpp:
661         (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace):
662         * runtime/JSDestructibleObjectSubspace.h:
663         * runtime/JSSegmentedVariableObjectSubspace.cpp:
664         (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace):
665         * runtime/JSSegmentedVariableObjectSubspace.h:
666         * runtime/JSStringSubspace.cpp:
667         (JSC::JSStringSubspace::JSStringSubspace):
668         * runtime/JSStringSubspace.h:
669         * runtime/VM.cpp:
670         (JSC::VM::VM):
671         * runtime/VM.h:
672         * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp:
673         (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace):
674         * wasm/js/JSWebAssemblyCodeBlockSubspace.h:
675
676 2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>
677
678         [ESNext] Async iteration - update feature.json
679         https://bugs.webkit.org/show_bug.cgi?id=175197
680
681         Reviewed by Yusuke Suzuki.
682
683         Update feature.json to add the status of Async Iteration.
684
685         * features.json:
686
687 2017-08-04  Matt Lewis  <jlewis3@apple.com>
688
689         Unreviewed, rolling out r220271.
690
691         Rolling out due to Layout Test failing on iOS Simulator.
692
693         Reverted changeset:
694
695         "Remove STREAMS_API compilation guard"
696         https://bugs.webkit.org/show_bug.cgi?id=175165
697         http://trac.webkit.org/changeset/220271
698
699 2017-08-04  Youenn Fablet  <youenn@apple.com>
700
701         Remove STREAMS_API compilation guard
702         https://bugs.webkit.org/show_bug.cgi?id=175165
703
704         Reviewed by Darin Adler.
705
706         * Configurations/FeatureDefines.xcconfig:
707
708 2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>
709
710         [EsNext] Async iteration - Add feature flag
711         https://bugs.webkit.org/show_bug.cgi?id=166694
712
713         Reviewed by Yusuke Suzuki.
714
715         Add a feature flag to JSC to switch Async Iterator on/off.
716
717         * runtime/Options.h:
718
719 2017-08-03  Brian Burg  <bburg@apple.com>
720
721         Remove ENABLE(WEB_SOCKET) guards
722         https://bugs.webkit.org/show_bug.cgi?id=167044
723
724         Reviewed by Joseph Pecoraro.
725
726         * Configurations/FeatureDefines.xcconfig:
727
728 2017-08-03  Youenn Fablet  <youenn@apple.com>
729
730         Remove FETCH_API compilation guard
731         https://bugs.webkit.org/show_bug.cgi?id=175154
732
733         Reviewed by Chris Dumez.
734
735         * Configurations/FeatureDefines.xcconfig:
736
737 2017-08-03  Matt Baker  <mattbaker@apple.com>
738
739         Web Inspector: Instrument WebGLProgram created/deleted
740         https://bugs.webkit.org/show_bug.cgi?id=175059
741
742         Reviewed by Devin Rousso.
743
744         Extend the Canvas protocol with types/events for tracking WebGLPrograms.
745
746         * inspector/protocol/Canvas.json:
747
748 2017-08-03  Brady Eidson  <beidson@apple.com>
749
750         Add SW IDLs and stub out basic functionality.
751         https://bugs.webkit.org/show_bug.cgi?id=175115
752
753         Reviewed by Chris Dumez.
754
755         * Configurations/FeatureDefines.xcconfig:
757         * runtime/CommonIdentifiers.h:
758
759 2017-08-03  Mark Lam  <mark.lam@apple.com>
760
761         Rename ScratchBuffer::activeLengthPtr to addressOfActiveLength.
762         https://bugs.webkit.org/show_bug.cgi?id=175142
763         <rdar://problem/33704528>
764
765         Reviewed by Filip Pizlo.
766
767         The convention in the rest of JSC for such methods which return the address of
768         a field is to name them "addressOf<field name>".  We'll rename
769         ScratchBuffer::activeLengthPtr to be consistent with this convention.
770
771         * dfg/DFGSpeculativeJIT.cpp:
772         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
773         * dfg/DFGSpeculativeJIT32_64.cpp:
774         (JSC::DFG::SpeculativeJIT::compile):
775         * dfg/DFGSpeculativeJIT64.cpp:
776         (JSC::DFG::SpeculativeJIT::compile):
777         * dfg/DFGThunks.cpp:
778         (JSC::DFG::osrExitGenerationThunkGenerator):
779         * ftl/FTLLowerDFGToB3.cpp:
780         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
781         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
782         * ftl/FTLThunks.cpp:
783         (JSC::FTL::genericGenerationThunkGenerator):
784         * jit/AssemblyHelpers.cpp:
785         (JSC::AssemblyHelpers::debugCall):
786         * jit/ScratchRegisterAllocator.cpp:
787         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
788         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
789         * runtime/VM.h:
790         (JSC::ScratchBuffer::addressOfActiveLength):
791         (JSC::ScratchBuffer::activeLengthPtr): Deleted.
792         * wasm/WasmBinding.cpp:
793         (JSC::Wasm::wasmToJs):
794
795 2017-08-02  Devin Rousso  <drousso@apple.com>
796
797         Web Inspector: add stack trace information for each RecordingAction
798         https://bugs.webkit.org/show_bug.cgi?id=174663
799
800         Reviewed by Joseph Pecoraro.
801
802         * inspector/ScriptCallFrame.h:
803         Add `operator==` so that when a ScriptCallFrame object is held in a Vector, calling `find`
804         with an existing value doesn't require a functor and can use existing code.
805
806         * interpreter/StackVisitor.h:
807         * interpreter/StackVisitor.cpp:
808         (JSC::StackVisitor::Frame::isWasmFrame const): Inlined in header.
809
810 2017-08-02  Yusuke Suzuki  <utatane.tea@gmail.com>
811
812         Merge WTFThreadData to Thread::current
813         https://bugs.webkit.org/show_bug.cgi?id=174716
814
815         Reviewed by Mark Lam.
816
817         Use Thread::current() instead.
818
819         * API/JSContext.mm:
820         (+[JSContext currentContext]):
821         (+[JSContext currentThis]):
822         (+[JSContext currentCallee]):
823         (+[JSContext currentArguments]):
824         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
825         (-[JSContext endCallbackWithData:]):
826         * heap/Heap.cpp:
827         (JSC::Heap::requestCollection):
828         * runtime/Completion.cpp:
829         (JSC::checkSyntax):
830         (JSC::checkModuleSyntax):
831         (JSC::evaluate):
832         (JSC::loadAndEvaluateModule):
833         (JSC::loadModule):
834         (JSC::linkAndEvaluateModule):
835         (JSC::importModule):
836         * runtime/Identifier.cpp:
837         (JSC::Identifier::checkCurrentAtomicStringTable):
838         * runtime/InitializeThreading.cpp:
839         (JSC::initializeThreading):
840         * runtime/JSLock.cpp:
841         (JSC::JSLock::didAcquireLock):
842         (JSC::JSLock::willReleaseLock):
843         (JSC::JSLock::dropAllLocks):
844         (JSC::JSLock::grabAllLocks):
845         * runtime/JSLock.h:
846         * runtime/VM.cpp:
847         (JSC::VM::VM):
848         (JSC::VM::updateStackLimits):
849         (JSC::VM::committedStackByteCount):
850         * runtime/VM.h:
851         (JSC::VM::isSafeToRecurse const):
852         * runtime/VMEntryScope.cpp:
853         (JSC::VMEntryScope::VMEntryScope):
854         * runtime/VMInlines.h:
855         (JSC::VM::ensureStackCapacityFor):
856         * yarr/YarrPattern.cpp:
857         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
858
859 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
860
861         LLInt should do pointer caging
862         https://bugs.webkit.org/show_bug.cgi?id=175036
863
864         Reviewed by Keith Miller.
865
866         Implementing this in the LLInt was challenging because offlineasm did not previously know
867         how to load from globals. This teaches it how to do that on Darwin/x86_64, which happens
868         to be where the Gigacage is enabled right now.
869
870         * llint/LLIntOfflineAsmConfig.h:
871         * llint/LowLevelInterpreter64.asm:
872         * offlineasm/ast.rb:
873         * offlineasm/x86.rb:
874
875 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
876
877         Sweeping should only scribble when sweeping to free list
878         https://bugs.webkit.org/show_bug.cgi?id=175105
879
880         Reviewed by Saam Barati.
881         
882         I just saw a crash on the bots where a destructor call attempt dereferenced scribbled memory. This
883         can happen because the bump path of specializedSweep will scribble in SweepOnly, which replaces the
884         zap word (i.e. 0) with the scribble word (i.e. 0xbadbeef0). This is a recent regression, since we
885         didn't use to do destruction on the bump path. No destruction, no zapping. Looking at the pop
886         path, we only scribble when we SweepToFreeList. This ensures that we only overwrite the zap word
887         when it doesn't matter anyway because we're building a free list.
888         
889         This is a fix for those crashes on the bots because it means that we'll no longer scribble over the
890         zap.
891
892         * heap/MarkedBlockInlines.h:
893         (JSC::MarkedBlock::Handle::specializedSweep):
894
895 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
896
897         All C++ accesses to JSObject::m_butterfly should do caging
898         https://bugs.webkit.org/show_bug.cgi?id=175039
899
900         Reviewed by Keith Miller.
901         
902         Makes JSObject::m_butterfly an AuxiliaryBarrier<CagedPtr<Butterfly>> and adopts the CagedPtr<> API.
903         This ensures that you can't cause C++ code to access a butterfly that has been rewired to point
904         outside the gigacage.
905
906         * runtime/JSArray.cpp:
907         (JSC::JSArray::setLength):
908         (JSC::JSArray::pop):
909         (JSC::JSArray::push):
910         (JSC::JSArray::shiftCountWithAnyIndexingType):
911         (JSC::JSArray::unshiftCountWithAnyIndexingType):
912         (JSC::JSArray::fillArgList):
913         (JSC::JSArray::copyToArguments):
914         * runtime/JSObject.cpp:
915         (JSC::JSObject::heapSnapshot):
916         (JSC::JSObject::createInitialIndexedStorage):
917         (JSC::JSObject::createArrayStorage):
918         (JSC::JSObject::convertUndecidedToInt32):
919         (JSC::JSObject::convertUndecidedToDouble):
920         (JSC::JSObject::convertUndecidedToContiguous):
921         (JSC::JSObject::convertInt32ToDouble):
922         (JSC::JSObject::convertInt32ToArrayStorage):
923         (JSC::JSObject::convertDoubleToContiguous):
924         (JSC::JSObject::convertDoubleToArrayStorage):
925         (JSC::JSObject::convertContiguousToArrayStorage):
926         (JSC::JSObject::defineOwnIndexedProperty):
927         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
928         (JSC::JSObject::ensureLengthSlow):
929         (JSC::JSObject::allocateMoreOutOfLineStorage):
930         * runtime/JSObject.h:
931         (JSC::JSObject::canGetIndexQuickly):
932         (JSC::JSObject::getIndexQuickly):
933         (JSC::JSObject::tryGetIndexQuickly const):
934         (JSC::JSObject::canSetIndexQuickly):
935         (JSC::JSObject::setIndexQuickly):
936         (JSC::JSObject::initializeIndex):
937         (JSC::JSObject::initializeIndexWithoutBarrier):
938         (JSC::JSObject::butterfly const):
939         (JSC::JSObject::butterfly):
940
941 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
942
943         We should be OK with the gigacage being disabled on gmalloc
944         https://bugs.webkit.org/show_bug.cgi?id=175082
945
946         Reviewed by Michael Saboff.
947
948         * jsc.cpp:
949         (jscmain):
950
951 2017-08-02  Saam Barati  <sbarati@apple.com>
952
953         On memory-constrained iOS devices, reduce the rate at which the JS heap grows before a GC to try to keep more memory available for the system
954         https://bugs.webkit.org/show_bug.cgi?id=175041
955         <rdar://problem/33659370>
956
957         Reviewed by Filip Pizlo.
958
959         The testing I have done shows that this new function is a ~10%
960         progression running JetStream on 1GB iOS devices. I've also tried
961         this on a few > 1GB iOS devices, and the testing shows this is either neutral
962         or a regression. Right now, we'll just enable this for <= 1GB devices
963         since it's a win. In the future, we might want to either look into
964         tweaking these parameters or coming up with a new function for > 1GB
965         devices.
966
967         * heap/Heap.cpp:
968         * runtime/Options.h:
969
970 2017-08-01  Filip Pizlo  <fpizlo@apple.com>
971
972         Bmalloc and GC should put auxiliaries (butterflies, typed array backing stores) in a gigacage (separate multi-GB VM region)
973         https://bugs.webkit.org/show_bug.cgi?id=174727
974
975         Reviewed by Mark Lam.
976         
977         This adopts the Gigacage for the GigacageSubspace, which we use for Auxiliary allocations. Also, in
978         one place in the code - the FTL codegen for butterfly and typed array access - we "cage" the accesses
979         themselves. Basically, we do masking to ensure that the pointer points into the gigacage.
980         
981         This is neutral on JetStream.
982
983         * CMakeLists.txt:
984         * JavaScriptCore.xcodeproj/project.pbxproj:
985         * b3/B3InsertionSet.cpp:
986         (JSC::B3::InsertionSet::execute):
987         * dfg/DFGAbstractInterpreterInlines.h:
988         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
989         * dfg/DFGArgumentsEliminationPhase.cpp:
990         * dfg/DFGClobberize.cpp:
991         (JSC::DFG::readsOverlap):
992         * dfg/DFGClobberize.h:
993         (JSC::DFG::clobberize):
994         * dfg/DFGDoesGC.cpp:
995         (JSC::DFG::doesGC):
996         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Added.
997         (JSC::DFG::performFixedButterflyAccessUncaging):
998         * dfg/DFGFixedButterflyAccessUncagingPhase.h: Added.
999         * dfg/DFGFixupPhase.cpp:
1000         (JSC::DFG::FixupPhase::fixupNode):
1001         * dfg/DFGHeapLocation.cpp:
1002         (WTF::printInternal):
1003         * dfg/DFGHeapLocation.h:
1004         * dfg/DFGNodeType.h:
1005         * dfg/DFGPlan.cpp:
1006         (JSC::DFG::Plan::compileInThreadImpl):
1007         * dfg/DFGPredictionPropagationPhase.cpp:
1008         * dfg/DFGSafeToExecute.h:
1009         (JSC::DFG::safeToExecute):
1010         * dfg/DFGSpeculativeJIT.cpp:
1011         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
1012         * dfg/DFGSpeculativeJIT32_64.cpp:
1013         (JSC::DFG::SpeculativeJIT::compile):
1014         * dfg/DFGSpeculativeJIT64.cpp:
1015         (JSC::DFG::SpeculativeJIT::compile):
1016         * dfg/DFGTypeCheckHoistingPhase.cpp:
1017         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
1018         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
1019         * ftl/FTLCapabilities.cpp:
1020         (JSC::FTL::canCompile):
1021         * ftl/FTLLowerDFGToB3.cpp:
1022         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1023         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
1024         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
1025         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1026         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1027         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
1028         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
1029         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
1030         (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase):
1031         (JSC::FTL::DFG::LowerDFGToB3::caged):
1032         * heap/GigacageSubspace.cpp: Added.
1033         (JSC::GigacageSubspace::GigacageSubspace):
1034         (JSC::GigacageSubspace::~GigacageSubspace):
1035         (JSC::GigacageSubspace::tryAllocateAlignedMemory):
1036         (JSC::GigacageSubspace::freeAlignedMemory):
1037         (JSC::GigacageSubspace::canTradeBlocksWith):
1038         * heap/GigacageSubspace.h: Added.
1039         * heap/Heap.cpp:
1040         (JSC::Heap::Heap):
1041         (JSC::Heap::lastChanceToFinalize):
1042         (JSC::Heap::finalize):
1043         (JSC::Heap::sweepInFinalize):
1044         (JSC::Heap::updateAllocationLimits):
1045         (JSC::Heap::shouldDoFullCollection):
1046         (JSC::Heap::collectIfNecessaryOrDefer):
1047         (JSC::Heap::reportWebAssemblyFastMemoriesAllocated): Deleted.
1048         (JSC::Heap::webAssemblyFastMemoriesThisCycleAtThreshold const): Deleted.
1049         (JSC::Heap::sweepLargeAllocations): Deleted.
1050         (JSC::Heap::didAllocateWebAssemblyFastMemories): Deleted.
1051         * heap/Heap.h:
1052         * heap/LargeAllocation.cpp:
1053         (JSC::LargeAllocation::tryCreate):
1054         (JSC::LargeAllocation::destroy):
1055         * heap/MarkedAllocator.cpp:
1056         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
1057         (JSC::MarkedAllocator::tryAllocateBlock):
1058         * heap/MarkedBlock.cpp:
1059         (JSC::MarkedBlock::tryCreate):
1060         (JSC::MarkedBlock::Handle::Handle):
1061         (JSC::MarkedBlock::Handle::~Handle):
1062         (JSC::MarkedBlock::Handle::didAddToAllocator):
1063         (JSC::MarkedBlock::Handle::subspace const): Deleted.
1064         * heap/MarkedBlock.h:
1065         (JSC::MarkedBlock::Handle::subspace const):
1066         * heap/MarkedSpace.cpp:
1067         (JSC::MarkedSpace::~MarkedSpace):
1068         (JSC::MarkedSpace::freeMemory):
1069         (JSC::MarkedSpace::prepareForAllocation):
1070         (JSC::MarkedSpace::addMarkedAllocator):
1071         (JSC::MarkedSpace::findEmptyBlockToSteal): Deleted.
1072         * heap/MarkedSpace.h:
1073         (JSC::MarkedSpace::firstAllocator const):
1074         (JSC::MarkedSpace::allocatorForEmptyAllocation const): Deleted.
1075         * heap/Subspace.cpp:
1076         (JSC::Subspace::Subspace):
1077         (JSC::Subspace::canTradeBlocksWith):
1078         (JSC::Subspace::tryAllocateAlignedMemory):
1079         (JSC::Subspace::freeAlignedMemory):
1080         (JSC::Subspace::prepareForAllocation):
1081         (JSC::Subspace::findEmptyBlockToSteal):
1082         * heap/Subspace.h:
1083         (JSC::Subspace::didCreateFirstAllocator):
1084         * heap/SubspaceInlines.h:
1085         (JSC::Subspace::forEachAllocator):
1086         (JSC::Subspace::forEachMarkedBlock):
1087         (JSC::Subspace::forEachNotEmptyMarkedBlock):
1088         * jit/JITPropertyAccess.cpp:
1089         (JSC::JIT::emitDoubleLoad):
1090         (JSC::JIT::emitContiguousLoad):
1091         (JSC::JIT::emitArrayStorageLoad):
1092         (JSC::JIT::emitGenericContiguousPutByVal):
1093         (JSC::JIT::emitArrayStoragePutByVal):
1094         (JSC::JIT::emit_op_get_from_scope):
1095         (JSC::JIT::emit_op_put_to_scope):
1096         (JSC::JIT::emitIntTypedArrayGetByVal):
1097         (JSC::JIT::emitFloatTypedArrayGetByVal):
1098         (JSC::JIT::emitIntTypedArrayPutByVal):
1099         (JSC::JIT::emitFloatTypedArrayPutByVal):
1100         * jsc.cpp:
1101         (fillBufferWithContentsOfFile):
1102         (functionReadFile):
1103         (gigacageDisabled):
1104         (jscmain):
1105         * llint/LowLevelInterpreter64.asm:
1106         * runtime/ArrayBuffer.cpp:
1107         (JSC::ArrayBufferContents::tryAllocate):
1108         (JSC::ArrayBuffer::createAdopted):
1109         (JSC::ArrayBuffer::createFromBytes):
1110         (JSC::ArrayBuffer::tryCreate):
1111         * runtime/IndexingHeader.h:
1112         * runtime/InitializeThreading.cpp:
1113         (JSC::initializeThreading):
1114         * runtime/JSArrayBuffer.cpp:
1115         * runtime/JSArrayBufferView.cpp:
1116         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1117         (JSC::JSArrayBufferView::finalize):
1118         * runtime/JSLock.cpp:
1119         (JSC::JSLock::didAcquireLock):
1120         * runtime/JSObject.h:
1121         * runtime/Options.cpp:
1122         (JSC::recomputeDependentOptions):
1123         * runtime/Options.h:
1124         * runtime/ScopedArgumentsTable.h:
1125         * runtime/VM.cpp:
1126         (JSC::VM::VM):
1127         (JSC::VM::~VM):
1128         (JSC::VM::gigacageDisabledCallback):
1129         (JSC::VM::gigacageDisabled):
1130         * runtime/VM.h:
1131         (JSC::VM::fireGigacageEnabledIfNecessary):
1132         (JSC::VM::gigacageEnabled):
1133         * wasm/WasmB3IRGenerator.cpp:
1134         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1135         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
1136         * wasm/WasmCodeBlock.cpp:
1137         (JSC::Wasm::CodeBlock::isSafeToRun):
1138         * wasm/WasmMemory.cpp:
1139         (JSC::Wasm::makeString):
1140         (JSC::Wasm::Memory::create):
1141         (JSC::Wasm::Memory::~Memory):
1142         (JSC::Wasm::Memory::addressIsInActiveFastMemory):
1143         (JSC::Wasm::Memory::grow):
1144         (JSC::Wasm::Memory::initializePreallocations): Deleted.
1145         (JSC::Wasm::Memory::maxFastMemoryCount): Deleted.
1146         * wasm/WasmMemory.h:
1147         * wasm/js/JSWebAssemblyInstance.cpp:
1148         (JSC::JSWebAssemblyInstance::create):
1149         * wasm/js/JSWebAssemblyMemory.cpp:
1150         (JSC::JSWebAssemblyMemory::grow):
1151         (JSC::JSWebAssemblyMemory::finishCreation):
1152         * wasm/js/JSWebAssemblyMemory.h:
1153         (JSC::JSWebAssemblyMemory::subspaceFor):
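
Added example, not WebKit's code: an illustrative C model of the pointer caging described in this entry and in the 2017-08-02 "All C++ accesses to JSObject::m_butterfly should do caging" entry above. The cage size, the demo_object struct, the marker values and all function names are constructed for this example; the real Gigacage is a multi-GB VM region and the CagedPtr<> API differs in detail.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative model of pointer caging, not WebKit's Gigacage code.
 * The cage is a power-of-two-sized region whose base is aligned to its
 * size, so any pointer can be forced into the cage by keeping only its
 * low offset bits and re-adding the base. CAGE_SIZE is a constructed
 * value kept small so the cage fits in a static buffer. */
#define CAGE_SIZE ((uintptr_t)1 << 14)
#define CAGE_MASK (CAGE_SIZE - 1)

static _Alignas(CAGE_SIZE) unsigned char cage[CAGE_SIZE];

static uintptr_t cage_base(void)
{
    return (uintptr_t)cage;
}

/* Nonzero if p lies inside the cage. */
int is_in_cage(const void *p)
{
    uintptr_t a = (uintptr_t)p;
    return a >= cage_base() && a < cage_base() + CAGE_SIZE;
}

/* Caging by masking: an in-cage pointer comes back unchanged, while an
 * out-of-cage pointer is redirected to the same offset inside the cage.
 * Dereferencing the result therefore can never reach memory outside
 * the cage, whatever value the original pointer held. */
void *caged(const void *p)
{
    return (void *)(cage_base() + ((uintptr_t)p & CAGE_MASK));
}

/* Stand-in for an object with out-of-line storage (JSObject's butterfly).
 * The struct and field name are constructed for this example. */
struct demo_object {
    uint32_t *butterfly;
};

/* Every read of the storage goes through caged(), which is the rule the
 * ChangeLog entry describes for C++ accesses to m_butterfly. */
uint32_t load_caged(const struct demo_object *o, size_t index)
{
    uint32_t *storage = caged(o->butterfly);
    return storage[index];
}

/* Memory outside the cage that a caged access must never observe
 * (constructed marker values). */
static uint32_t outside_cage[4] = { 0xAAAA0001u, 0xAAAA0002u, 0xAAAA0003u, 0xAAAA0004u };

/* An in-cage pointer is left exactly as it was. */
int demo_in_cage_pointer_unchanged(void)
{
    unsigned char *p = cage + 256;
    return caged(p) == (void *)p && is_in_cage(p);
}

/* An out-of-cage pointer is remapped into the cage with its low bits
 * (the offset within a CAGE_SIZE-aligned window) preserved. */
int demo_out_of_cage_pointer_remapped(void)
{
    void *p = outside_cage;
    void *c = caged(p);
    return !is_in_cage(p) && is_in_cage(c)
        && (((uintptr_t)c - cage_base()) == ((uintptr_t)p & CAGE_MASK));
}

/* A storage pointer rewired to point outside the cage, as a memory
 * corruption bug might leave it, still yields only in-cage data. */
int demo_rewired_butterfly_stays_in_cage(void)
{
    memset(cage, 0, sizeof cage);
    uint32_t *slot = (uint32_t *)(cage + 256);
    slot[0] = 42;

    struct demo_object o = { slot };
    if (load_caged(&o, 0) != 42)
        return 0;

    /* Simulate the pointer having been rewired to out-of-cage memory. */
    o.butterfly = outside_cage;
    uint32_t v = load_caged(&o, 0);

    /* The read landed inside the cage, so it cannot have seen the marker. */
    return is_in_cage(caged(o.butterfly)) && v != outside_cage[0];
}
```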
1154
1155 2017-07-31  Mark Lam  <mark.lam@apple.com>
1156
1157         Added some UNLIKELYs to operationOptimize().
1158         https://bugs.webkit.org/show_bug.cgi?id=174976
1159
1160         Reviewed by JF Bastien.
1161
1162         * jit/JITOperations.cpp:
1163
1164 2017-07-31  Keith Miller  <keith_miller@apple.com>
1165
1166         Make more things LLInt constexprs
1167         https://bugs.webkit.org/show_bug.cgi?id=174994
1168
1169         Reviewed by Saam Barati.
1170
1171         This patch makes more of the const values in the LLInt constexprs.
1172         It also deletes all of the no longer necessary static_asserts in
1173         LLIntData.cpp. Finally, it fixes a typo in parser.rb.
1174
1175         * interpreter/ShadowChicken.h:
1176         (JSC::ShadowChicken::Packet::tailMarker):
1177         * llint/LLIntData.cpp:
1178         (JSC::LLInt::Data::performAssertions):
1179         * llint/LowLevelInterpreter.asm:
1180         * offlineasm/generate_offset_extractor.rb:
1181         * offlineasm/parser.rb:
1182
1183 2017-07-31  Matt Lewis  <jlewis3@apple.com>
1184
1185         Unreviewed, rolling out r220060.
1186
1187         This broke our internal builds. Contact reviewer of patch for
1188         more information.
1189
1190         Reverted changeset:
1191
1192         "Merge WTFThreadData to Thread::current"
1193         https://bugs.webkit.org/show_bug.cgi?id=174716
1194         http://trac.webkit.org/changeset/220060
1195
1196 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1197
1198         [JSC] Support optional catch binding
1199         https://bugs.webkit.org/show_bug.cgi?id=174981
1200
1201         Reviewed by Saam Barati.
1202
1203         This patch implements the optional catch binding proposal [1], which is now stage 3.
1204         This proposal adds a new `catch` brace with no error value binding.
1205
1206             ```
1207                 try {
1208                     ...
1209                 } catch {
1210                     ...
1211                 }
1212             ```
1213
1214         Sometimes we do not actually need the error value. For example, a function may return
1215         a boolean indicating whether it succeeded.
1216
1217             ```
1218             function parse(result) // -> bool
1219             {
1220                  try {
1221                      parseInner(result);
1222                  } catch {
1223                      return false;
1224                  }
1225                  return true;
1226             }
1227             ```
1228
1229         In the above case, we are not interested in the actual error value. Without this syntax,
1230         we always need to introduce a binding for an error value that is just ignored.
1231
1232         [1]: https://michaelficarra.github.io/optional-catch-binding-proposal/
1233
1234         * bytecompiler/NodesCodegen.cpp:
1235         (JSC::TryNode::emitBytecode):
1236         * parser/Parser.cpp:
1237         (JSC::Parser<LexerType>::parseTryStatement):
1238
1239 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1240
1241         Merge WTFThreadData to Thread::current
1242         https://bugs.webkit.org/show_bug.cgi?id=174716
1243
1244         Reviewed by Sam Weinig.
1245
1246         Use Thread::current() instead.
1247
1248         * API/JSContext.mm:
1249         (+[JSContext currentContext]):
1250         (+[JSContext currentThis]):
1251         (+[JSContext currentCallee]):
1252         (+[JSContext currentArguments]):
1253         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
1254         (-[JSContext endCallbackWithData:]):
1255         * heap/Heap.cpp:
1256         (JSC::Heap::requestCollection):
1257         * runtime/Completion.cpp:
1258         (JSC::checkSyntax):
1259         (JSC::checkModuleSyntax):
1260         (JSC::evaluate):
1261         (JSC::loadAndEvaluateModule):
1262         (JSC::loadModule):
1263         (JSC::linkAndEvaluateModule):
1264         (JSC::importModule):
1265         * runtime/Identifier.cpp:
1266         (JSC::Identifier::checkCurrentAtomicStringTable):
1267         * runtime/InitializeThreading.cpp:
1268         (JSC::initializeThreading):
1269         * runtime/JSLock.cpp:
1270         (JSC::JSLock::didAcquireLock):
1271         (JSC::JSLock::willReleaseLock):
1272         (JSC::JSLock::dropAllLocks):
1273         (JSC::JSLock::grabAllLocks):
1274         * runtime/JSLock.h:
1275         * runtime/VM.cpp:
1276         (JSC::VM::VM):
1277         (JSC::VM::updateStackLimits):
1278         (JSC::VM::committedStackByteCount):
1279         * runtime/VM.h:
1280         (JSC::VM::isSafeToRecurse const):
1281         * runtime/VMEntryScope.cpp:
1282         (JSC::VMEntryScope::VMEntryScope):
1283         * runtime/VMInlines.h:
1284         (JSC::VM::ensureStackCapacityFor):
1285         * yarr/YarrPattern.cpp:
1286         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
1287
1288 2017-07-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1289
1290         [WTF] Introduce Private Symbols
1291         https://bugs.webkit.org/show_bug.cgi?id=174935
1292
1293         Reviewed by Darin Adler.
1294
1295         Use SymbolImpl::isPrivate().
1296
1297         * builtins/BuiltinNames.cpp:
1298         * builtins/BuiltinNames.h:
1299         (JSC::BuiltinNames::isPrivateName): Deleted.
1300         * builtins/BuiltinUtils.h:
1301         * bytecode/BytecodeIntrinsicRegistry.cpp:
1302         (JSC::BytecodeIntrinsicRegistry::lookup):
1303         * runtime/CommonIdentifiers.cpp:
1304         (JSC::CommonIdentifiers::isPrivateName): Deleted.
1305         * runtime/CommonIdentifiers.h:
1306         * runtime/ExceptionHelpers.cpp:
1307         (JSC::createUndefinedVariableError):
1308         * runtime/Identifier.h:
1309         (JSC::Identifier::isPrivateName):
1310         * runtime/IdentifierInlines.h:
1311         (JSC::identifierToSafePublicJSValue):
1312         * runtime/ObjectConstructor.cpp:
1313         (JSC::objectConstructorAssign):
1314         (JSC::defineProperties):
1315         (JSC::setIntegrityLevel):
1316         (JSC::testIntegrityLevel):
1317         (JSC::ownPropertyKeys):
1318         * runtime/PrivateName.h:
1319         (JSC::PrivateName::PrivateName):
1320         * runtime/PropertyName.h:
1321         (JSC::PropertyName::isPrivateName):
1322         * runtime/ProxyObject.cpp:
1323         (JSC::performProxyGet):
1324         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1325         (JSC::ProxyObject::performHasProperty):
1326         (JSC::ProxyObject::performPut):
1327         (JSC::ProxyObject::performDelete):
1328         (JSC::ProxyObject::performDefineOwnProperty):
1329
1330 2017-07-29  Keith Miller  <keith_miller@apple.com>
1331
1332         LLInt offsets extractor should be able to handle C++ constexprs
1333         https://bugs.webkit.org/show_bug.cgi?id=174964
1334
1335         Reviewed by Saam Barati.
1336
1337         This patch adds new syntax to the offline asm language. The new keyword,
1338         constexpr, takes the subsequent identifier and maps it to a C++ constexpr
1339         expression. Additionally, if the value is not an identifier you can wrap it in
1340         parentheses. e.g. constexpr (myConstexprFunction() + OBJECT_OFFSET(Foo, bar)),
1341         which will get converted into:
1342         static_cast<int64_t>(myConstexprFunction() + OBJECT_OFFSET(Foo, bar));
1343
1344         This patch also changes the data format the LLIntOffsetsExtractor
1345         binary produces.  Previously, it would produce unsigned values,
1346         after this patch every value is an int64_t.  Using an int64_t is
1347         useful because it means that we can represent any constant needed.
1348         int32_t masks are sign extended, then passed and converted to a
1349         negative literal string in the assembler so it will be the expected
1350         constant.
1351
1352         * llint/LLIntOffsetsExtractor.cpp:
1353         (JSC::LLIntOffsetsExtractor::dummy):
1354         * llint/LowLevelInterpreter.asm:
1355         * llint/LowLevelInterpreter64.asm:
1356         * offlineasm/asm.rb:
1357         * offlineasm/ast.rb:
1358         * offlineasm/generate_offset_extractor.rb:
1359         * offlineasm/offsets.rb:
1360         * offlineasm/parser.rb:
1361         * offlineasm/transform.rb:
1362
1363 2017-07-28  Matt Baker  <mattbaker@apple.com>
1364
1365         Web Inspector: capture an async stack trace when web content calls addEventListener
1366         https://bugs.webkit.org/show_bug.cgi?id=174739
1367         <rdar://problem/33468197>
1368
1369         Reviewed by Brian Burg.
1370
1371         Allow debugger agents to perform custom logic when asynchronous stack
1372         trace data is cleared. For example, the PageDebuggerAgent would clear
1373         its list of registered listeners for which call stacks have been recorded.
1374
1375         * inspector/agents/InspectorDebuggerAgent.cpp:
1376         (Inspector::InspectorDebuggerAgent::clearAsyncStackTraceData):
1377         * inspector/agents/InspectorDebuggerAgent.h:
1378
1379 2017-07-28  Mark Lam  <mark.lam@apple.com>
1380
1381         ObjectToStringAdaptiveStructureWatchpoint should not fire if it's dying imminently.
1382         https://bugs.webkit.org/show_bug.cgi?id=174948
1383         <rdar://problem/33495680>
1384
1385         Reviewed by Filip Pizlo.
1386
1387         ObjectToStringAdaptiveStructureWatchpoint is owned by StructureRareData.  If its
1388         owner StructureRareData is already known to be dead (in terms of GC liveness) but
1389         hasn't been destructed yet (i.e. not swept by the GC yet), we should ignore all
1390         requests to fire this watchpoint.
1391
1392         If the GC had the chance to sweep the StructureRareData, thereby destructing the
1393         ObjectToStringAdaptiveStructureWatchpoint, it (the watchpoint) would have removed
1394         itself from the WatchpointSet it was on.  Hence, it would not have been fired.
1395
1396         But since the watchpoint hasn't been destructed yet, it still remains on the
1397         WatchpointSet and needs to guard against being fired in this state.  The fix is
1398         to simply return early if its owner StructureRareData is not live.  This has the
1399         effect of the watchpoint fire being a no-op, which is equivalent to the watchpoint
1400         not firing as we would expect.
1401
1402         This patch also removes some cargo cult copying of watchpoint code which
1403         instantiates a StringFireDetail.  In a few cases, that StringFireDetail is never
1404         used.  This patch removes these unnecessary instantiations.
1405
1406         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
1407         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
1408         * runtime/StructureRareData.cpp:
1409         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
1410         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
1411
1412 2017-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>
1413
1414         ASSERTION FAILED: candidate->op() == PhantomCreateRest || candidate->op() == PhantomDirectArguments || candidate->op() == PhantomClonedArguments || candidate->op() == PhantomSpread || candidate->op() == PhantomNewArrayWithSpread
1415         https://bugs.webkit.org/show_bug.cgi?id=174900
1416
1417         Reviewed by Saam Barati.
1418
1419         In the arguments elimination phase, due to the high cost of AI, we intentionally do not run AI.
1420         Instead, we use ForceOSRExit etc. (pseudo terminals) so as not to look into unreachable nodes.
1421         The problem is that even the transforming phase also checks these pseudo terminals.
1422
1423             BB1
1424             1: ForceOSRExit
1425             2: CreateDirectArguments
1426
1427             BB2
1428             3: GetButterfly(@2)
1429             4: ForceOSRExit
1430
1431         In the above case, @2 is not converted to PhantomDirectArguments. But @3 is processed. And the assertion fires.
1432
1433         In this patch, we do not list up candidates after seeing pseudo terminals in basic blocks.
1434
1435         * dfg/DFGArgumentsEliminationPhase.cpp:
1436
1437 2017-07-27  Oleksandr Skachkov  <gskachkov@gmail.com>
1438
1439         [ES] Add support for finally to Promise
1440         https://bugs.webkit.org/show_bug.cgi?id=174503
1441
1442         Reviewed by Yusuke Suzuki.
1443
1444         Add support for the `finally` method to Promise according
1445         to https://bugs.webkit.org/show_bug.cgi?id=174503.
1446         The current spec is at stage 3:
1447         https://github.com/tc39/proposal-promise-finally
1448
1449         * builtins/PromisePrototype.js:
1450         (finally):
1451         (const.valueThunk):
1452         (globalPrivate.getThenFinally):
1453         (const.thrower):
1454         (globalPrivate.getCatchFinally):
1455         * runtime/JSPromisePrototype.cpp:
1456
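As an added example that is not part of this ChangeLog or of JavaScriptCore's builtins/PromisePrototype.js, here is a plain-JavaScript model of the stage 3 `finally` algorithm built from the same helpers the entry lists (thenFinally and catchFinally closing over valueThunk and thrower). The names `promiseFinally`, `promiseResolve` and `runScenarios` are this example's own, and it is installed as a free function rather than on Promise.prototype so it never shadows the engine's implementation.

```javascript
// Added example (not JavaScriptCore's own code): a model of
// Promise.prototype.finally as specified by the stage 3 proposal.

// PromiseResolve(C, x): hand x back if it is already a promise made by C,
// otherwise wrap it in a new promise of C resolved with x.
function promiseResolve(C, x) {
  if (x !== null && typeof x === 'object' && x.constructor === C) {
    return x;
  }
  return new C((resolve) => resolve(x));
}

function promiseFinally(promise, onFinally) {
  if (promise === null || (typeof promise !== 'object' && typeof promise !== 'function')) {
    throw new TypeError('promiseFinally called on a non-object');
  }
  // SpeciesConstructor(promise, %Promise%), simplified to the species lookup.
  const C = (promise.constructor && promise.constructor[Symbol.species]) || Promise;

  let thenFinally;
  let catchFinally;
  if (typeof onFinally !== 'function') {
    // A non-callable onFinally is passed straight through to then(), so it is
    // ignored exactly as a non-callable then/catch handler would be.
    thenFinally = onFinally;
    catchFinally = onFinally;
  } else {
    // Fulfilment path: run onFinally, wait for whatever it returns, then
    // re-yield the original value via valueThunk. If onFinally throws or
    // returns a rejected promise, that rejection replaces the value.
    thenFinally = (value) => {
      const result = onFinally();
      const valueThunk = () => value;
      return promiseResolve(C, result).then(valueThunk);
    };
    // Rejection path: run onFinally, wait for it, then re-throw the original
    // reason via thrower. Again a failure inside onFinally wins.
    catchFinally = (reason) => {
      const result = onFinally();
      const thrower = () => { throw reason; };
      return promiseResolve(C, result).then(thrower);
    };
  }
  return promise.then(thenFinally, catchFinally);
}

// Drives the four behaviours a reader would want to confirm and resolves to
// { results, log }: one settled record per case plus the order in which the
// onFinally callbacks actually ran. All inputs are constructed here.
function runScenarios() {
  const log = [];
  const settle = (p) => p.then(
    (v) => ({ status: 'fulfilled', value: v }),
    (e) => ({ status: 'rejected', reason: e })
  );

  return Promise.all([
    // 1. Fulfilled input: onFinally runs, the value passes through unchanged.
    settle(promiseFinally(Promise.resolve(42), () => log.push('f1'))),
    // 2. Rejected input: onFinally runs, the original reason passes through.
    settle(promiseFinally(Promise.reject(new Error('boom')), () => log.push('f2'))),
    // 3. onFinally returns a pending promise: the chain waits for it, and its
    //    fulfilment value ('ignored') is discarded in favour of the original.
    settle(promiseFinally(Promise.resolve('x'),
      () => new Promise((r) => setTimeout(() => { log.push('f3'); r('ignored'); }, 5)))),
    // 4. onFinally throws: its error overrides the original fulfilment value.
    settle(promiseFinally(Promise.resolve('lost'), () => { throw new Error('override'); })),
  ]).then((results) => ({ results, log }));
}
```
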
1457 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1458
1459         Unreviewed, build fix for CLoop
1460         https://bugs.webkit.org/show_bug.cgi?id=171637
1461
1462         * domjit/DOMJITGetterSetter.h:
1463
1464 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1465
1466         Hoist DOM binding attribute getter prologue into JavaScriptCore taking advantage of DOMJIT / CheckSubClass
1467         https://bugs.webkit.org/show_bug.cgi?id=171637
1468
1469         Reviewed by Darin Adler.
1470
1471         Each DOM attribute getter has the code to perform the ClassInfo check. But it is largely duplicated and causes code bloat.
1472         In this patch, we move ClassInfo check from WebCore to JSC and reduce code size.
1473
1474         We introduce DOMAnnotation, which has a ClassInfo* and a DOMJIT::GetterSetter*. If the getter is not a DOMJIT getter, this
1475         DOMJIT::GetterSetter becomes nullptr. We support such a CustomAccessorGetter in all the JIT tiers.
1476
1477         In IC, we drop CheckSubClass completely since IC's Structure check subsumes it. We do not enable this optimization for
1478         op_get_by_id_with_this case yet.
1479         In DFG and FTL, we emit a CheckSubClass node, which is typically removed by CheckStructure leading to CheckSubClass.
1480
1481         And we add DOMAttributeGetterSetter, which is a derived class of CustomGetterSetter. It holds a DOMAnnotation and performs the
1482         ClassInfo check.
1483
1484         * CMakeLists.txt:
1485         * JavaScriptCore.xcodeproj/project.pbxproj:
1486         * bytecode/AccessCase.cpp:
1487         (JSC::AccessCase::generateImpl):
1488         * bytecode/GetByIdStatus.cpp:
1489         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
1490         * bytecode/GetByIdVariant.cpp:
1491         (JSC::GetByIdVariant::GetByIdVariant):
1492         (JSC::GetByIdVariant::operator=):
1493         (JSC::GetByIdVariant::attemptToMerge):
1494         (JSC::GetByIdVariant::dumpInContext):
1495         * bytecode/GetByIdVariant.h:
1496         (JSC::GetByIdVariant::customAccessorGetter):
1497         (JSC::GetByIdVariant::domAttribute):
1498         (JSC::GetByIdVariant::domJIT): Deleted.
1499         * bytecode/GetterSetterAccessCase.cpp:
1500         (JSC::GetterSetterAccessCase::create):
1501         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
1502         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
1503         * bytecode/GetterSetterAccessCase.h:
1504         (JSC::GetterSetterAccessCase::domAttribute):
1505         (JSC::GetterSetterAccessCase::customAccessor):
1506         (JSC::GetterSetterAccessCase::domJIT): Deleted.
1507         * bytecompiler/BytecodeGenerator.cpp:
1508         (JSC::BytecodeGenerator::instantiateLexicalVariables):
1509         * create_hash_table:
1510         * dfg/DFGAbstractInterpreterInlines.h:
1511         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1512         * dfg/DFGByteCodeParser.cpp:
1513         (JSC::DFG::blessCallDOMGetter):
1514         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
1515         (JSC::DFG::ByteCodeParser::handleGetById):
1516         * dfg/DFGClobberize.h:
1517         (JSC::DFG::clobberize):
1518         * dfg/DFGFixupPhase.cpp:
1519         (JSC::DFG::FixupPhase::fixupNode):
1520         * dfg/DFGNode.h:
1521         * dfg/DFGSpeculativeJIT.cpp:
1522         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
1523         * dfg/DFGSpeculativeJIT.h:
1524         (JSC::DFG::SpeculativeJIT::callCustomGetter):
1525         * domjit/DOMJITGetterSetter.h:
1526         (JSC::DOMJIT::GetterSetter::GetterSetter):
1527         (JSC::DOMJIT::GetterSetter::getter):
1528         (JSC::DOMJIT::GetterSetter::compiler):
1529         (JSC::DOMJIT::GetterSetter::resultType):
1530         (JSC::DOMJIT::GetterSetter::~GetterSetter): Deleted.
1531         (JSC::DOMJIT::GetterSetter::setter): Deleted.
1532         (JSC::DOMJIT::GetterSetter::thisClassInfo): Deleted.
1533         * ftl/FTLLowerDFGToB3.cpp:
1534         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
1535         * jit/Repatch.cpp:
1536         (JSC::tryCacheGetByID):
1537         * jsc.cpp:
1538         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
1539         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
1540         (WTF::DOMJITGetter::customGetter):
1541         (WTF::DOMJITGetter::finishCreation):
1542         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
1543         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
1544         (WTF::DOMJITGetterComplex::customGetter):
1545         (WTF::DOMJITGetterComplex::finishCreation):
1546         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
1547         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::slowCall): Deleted.
1548         (WTF::DOMJITGetter::domJITNodeGetterSetter): Deleted.
1549         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
1550         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::slowCall): Deleted.
1551         (WTF::DOMJITGetterComplex::domJITNodeGetterSetter): Deleted.
1552         * runtime/CustomGetterSetter.h:
1553         (JSC::CustomGetterSetter::create):
1554         (JSC::CustomGetterSetter::setter):
1555         (JSC::CustomGetterSetter::CustomGetterSetter):
1556         (): Deleted.
1557         * runtime/DOMAnnotation.h: Added.
1558         (JSC::operator==):
1559         (JSC::operator!=):
1560         * runtime/DOMAttributeGetterSetter.cpp: Added.
1561         * runtime/DOMAttributeGetterSetter.h: Copied from Source/JavaScriptCore/runtime/CustomGetterSetter.h.
1562         (JSC::isDOMAttributeGetterSetter):
1563         * runtime/Error.cpp:
1564         (JSC::throwDOMAttributeGetterTypeError):
1565         * runtime/Error.h:
1566         (JSC::throwVMDOMAttributeGetterTypeError):
1567         * runtime/JSCustomGetterSetterFunction.cpp:
1568         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
1569         * runtime/JSObject.cpp:
1570         (JSC::JSObject::putInlineSlow):
1571         (JSC::JSObject::deleteProperty):
1572         (JSC::JSObject::getOwnStaticPropertySlot):
1573         (JSC::JSObject::reifyAllStaticProperties):
1574         (JSC::JSObject::fillGetterPropertySlot):
1575         (JSC::JSObject::findPropertyHashEntry): Deleted.
1576         * runtime/JSObject.h:
1577         (JSC::JSObject::getOwnNonIndexPropertySlot):
1578         (JSC::JSObject::fillCustomGetterPropertySlot):
1579         * runtime/Lookup.cpp:
1580         (JSC::setUpStaticFunctionSlot):
1581         * runtime/Lookup.h:
1582         (JSC::HashTableValue::domJIT):
1583         (JSC::getStaticPropertySlotFromTable):
1584         (JSC::putEntry):
1585         (JSC::lookupPut):
1586         (JSC::reifyStaticProperty):
1587         (JSC::reifyStaticProperties):
1588         Each static property table has a new field, ClassInfo*. It indicates which ClassInfo check the DOMAttributes registered in
1589         this static property table require.
1590
1591         * runtime/ProgramExecutable.cpp:
1592         (JSC::ProgramExecutable::initializeGlobalProperties):
1593         * runtime/PropertyName.h:
1594         * runtime/PropertySlot.cpp:
1595         (JSC::PropertySlot::customGetter):
1596         (JSC::PropertySlot::customAccessorGetter):
1597         * runtime/PropertySlot.h:
1598         (JSC::PropertySlot::domAttribute):
1599         (JSC::PropertySlot::setCustom):
1600         (JSC::PropertySlot::setCacheableCustom):
1601         (JSC::PropertySlot::getValue):
1602         (JSC::PropertySlot::domJIT): Deleted.
1603         * runtime/VM.cpp:
1604         (JSC::VM::VM):
1605         * runtime/VM.h:
1606
1607 2017-07-26  Devin Rousso  <drousso@apple.com>
1608
1609         Web Inspector: create protocol for recording Canvas contexts
1610         https://bugs.webkit.org/show_bug.cgi?id=174481
1611
1612         Reviewed by Joseph Pecoraro.
1613
1614         * inspector/protocol/Canvas.json:
1615          - Add `requestRecording` command to mark the provided canvas as having requested a recording.
1616          - Add `cancelRecording` command to clear a previously marked canvas and flush any recorded data.
1617          - Add `recordingFinished` event that is fired once a recording is finished.
1618
1619         * CMakeLists.txt:
1620         * DerivedSources.make:
1621         * inspector/protocol/Recording.json: Added.
1622          - Add `Type` enum that lists the types of recordings.
1623          - Add `InitialState` type that contains information about the canvas context at the
1624            beginning of the recording.
1625          - Add `Frame` type that holds a list of actions that were recorded.
1626          - Add `Recording` type as the container object of recording data.
1627
1628         * inspector/scripts/codegen/generate_js_backend_commands.py:
1629         (JSBackendCommandsGenerator.generate_domain):
1630         Create an agent for domains with no events or commands.
1631
1632         * inspector/InspectorValues.h:
1633         Make Array `get` public so that values can be retrieved if needed.
1634
1635 2017-07-26  Brian Burg  <bburg@apple.com>
1636
1637         Remove WEB_TIMING feature flag
1638         https://bugs.webkit.org/show_bug.cgi?id=174795
1639
1640         Reviewed by Alex Christensen.
1641
1642         * Configurations/FeatureDefines.xcconfig:
1643
1644 2017-07-26  Mark Lam  <mark.lam@apple.com>
1645
1646         Add the ability to change sp and pc to the ARM64 JIT probe.
1647         https://bugs.webkit.org/show_bug.cgi?id=174697
1648         <rdar://problem/33436965>
1649
1650         Reviewed by JF Bastien.
1651
1652         This patch implements the following:
1653
1654         1. The ARM64 probe now supports modifying the pc and sp.
1655
1656            However, lr is not preserved when modifying the pc because it is used as the
1657            scratch register for the indirect jump. Hence, the probe handler function
1658            may not modify both lr and pc in the same probe invocation.
1659
1660         2. Fix probe tests to use bitwise comparison when comparing double register
1661            values. Otherwise, equivalent nan values will be interpreted as not equivalent.
1662
1663         3. Change the minimum offset increment in testProbeModifiesStackPointer to be
1664            16 bytes for ARM64.  This is because the ARM64 probe now uses the ldp and stp
1665            instructions which require 16 byte alignment for their memory access.
1666
1667         * assembler/MacroAssemblerARM64.cpp:
1668         (JSC::arm64ProbeError):
1669         (JSC::MacroAssembler::probe):
1670         (JSC::arm64ProbeTrampoline): Deleted.
1671         * assembler/testmasm.cpp:
1672         (JSC::isSpecialGPR):
1673         (JSC::testProbeReadsArgumentRegisters):
1674         (JSC::testProbeWritesArgumentRegisters):
1675         (JSC::testProbePreservesGPRS):
1676         (JSC::testProbeModifiesStackPointer):
1677         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
1678         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
1679
1680 2017-07-25  JF Bastien  <jfbastien@apple.com>
1681
1682         WebAssembly: generate smaller binaries
1683         https://bugs.webkit.org/show_bug.cgi?id=174818
1684
1685         Reviewed by Filip Pizlo.
1686
1687         This patch reduces generated code size for WebAssembly in 2 ways:
1688
1689         1. Use the ZR register when storing zero on ARM64.
1690         2. Synthesize wasm context lazily.
1691
1692         This leads to a modest size reduction on both x86-64 and ARM64 for
1693         large WebAssembly games, without any performance loss on WasmBench
1694         and TitzerBench.
1695
1696         The reason this works is that these games, using Emscripten,
1697         generate 100k+ tiny functions, and our JIT allocation granule
1698         rounds all allocations up to 32 bytes. There are plenty of other
1699         simple gains to be had, I've filed a follow-up bug at
1700         webkit.org/b/174819
1701
1702         We should further avoid the per-function cost of tiering, which
1703         represents the bulk of code generated for small functions.
1704
1705         * assembler/MacroAssemblerARM64.h:
1706         (JSC::MacroAssemblerARM64::storeZero64):
1707         * assembler/MacroAssemblerX86_64.h:
1708         (JSC::MacroAssemblerX86_64::storeZero64):
1709         * b3/B3LowerToAir.cpp:
1710         (JSC::B3::Air::LowerToAir::createStore): this doesn't make sense
1711         for x86 because it constrains register reuse and codegen in a way
1712         that doesn't affect ARM64 because it has a dedicated zero
1713         register.
1714         * b3/air/AirOpcode.opcodes: add the storeZero64 opcode.
1715         * wasm/WasmB3IRGenerator.cpp:
1716         (JSC::Wasm::B3IRGenerator::instanceValue):
1717         (JSC::Wasm::B3IRGenerator::restoreWasmContext):
1718         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1719         (JSC::Wasm::B3IRGenerator::materializeWasmContext): Deleted.
1720
1721 2017-07-23  Filip Pizlo  <fpizlo@apple.com>
1722
1723         B3 should do LICM
1724         https://bugs.webkit.org/show_bug.cgi?id=174750
1725
1726         Reviewed by Keith Miller and Saam Barati.
1727         
1728         Added a LICM phase to B3. This phase is called hoistLoopInvariantValues, to conform to the B3 naming
1729         convention for phases (it has to be an imperative). The phase uses NaturalLoops and BackwardsDominators,
1730         so this adds those analyses to B3. BackwardsDominators was already available in templatized form. This
1731         change templatizes DFG::NaturalLoops so that we can just use it.
1732         
1733         The LICM phase itself is really simple. We are decently precise with our handling of everything except
1734         the relationship between control dependence and side exits.
1735         
1736         Also added a bunch of tests.
1737         
1738         This isn't super important. It's perf-neutral on JS benchmarks. FTL already does LICM on DFG SSA IR, and
1739         probably all current WebAssembly content has had LICM done to it. That being said, this is a cheap phase
1740         so it doesn't hurt to have it.
1741         
1742         I wrote it because I thought I needed it for bug 174727. It turns out that there's a better way to
1743         handle the problem I had, so I ended up not needing it - but by then I had already written it. I think
1744         it's good to have it because LICM is one of those core compiler phases; every compiler has it
1745         eventually.
1746
1747         * CMakeLists.txt:
1748         * JavaScriptCore.xcodeproj/project.pbxproj:
1749         * b3/B3BackwardsCFG.h: Added.
1750         (JSC::B3::BackwardsCFG::BackwardsCFG):
1751         * b3/B3BackwardsDominators.h: Added.
1752         (JSC::B3::BackwardsDominators::BackwardsDominators):
1753         * b3/B3BasicBlock.cpp:
1754         (JSC::B3::BasicBlock::appendNonTerminal):
1755         * b3/B3Effects.h:
1756         * b3/B3EnsureLoopPreHeaders.cpp: Added.
1757         (JSC::B3::ensureLoopPreHeaders):
1758         * b3/B3EnsureLoopPreHeaders.h: Added.
1759         * b3/B3Generate.cpp:
1760         (JSC::B3::generateToAir):
1761         * b3/B3HoistLoopInvariantValues.cpp: Added.
1762         (JSC::B3::hoistLoopInvariantValues):
1763         * b3/B3HoistLoopInvariantValues.h: Added.
1764         * b3/B3NaturalLoops.h: Added.
1765         (JSC::B3::NaturalLoops::NaturalLoops):
1766         * b3/B3Procedure.cpp:
1767         (JSC::B3::Procedure::invalidateCFG):
1768         (JSC::B3::Procedure::naturalLoops):
1769         (JSC::B3::Procedure::backwardsCFG):
1770         (JSC::B3::Procedure::backwardsDominators):
1771         * b3/B3Procedure.h:
1772         * b3/testb3.cpp:
1773         (JSC::B3::generateLoop):
1774         (JSC::B3::makeArrayForLoops):
1775         (JSC::B3::generateLoopNotBackwardsDominant):
1776         (JSC::B3::oneFunction):
1777         (JSC::B3::noOpFunction):
1778         (JSC::B3::testLICMPure):
1779         (JSC::B3::testLICMPureSideExits):
1780         (JSC::B3::testLICMPureWritesPinned):
1781         (JSC::B3::testLICMPureWrites):
1782         (JSC::B3::testLICMReadsLocalState):
1783         (JSC::B3::testLICMReadsPinned):
1784         (JSC::B3::testLICMReads):
1785         (JSC::B3::testLICMPureNotBackwardsDominant):
1786         (JSC::B3::testLICMPureFoiledByChild):
1787         (JSC::B3::testLICMPureNotBackwardsDominantFoiledByChild):
1788         (JSC::B3::testLICMExitsSideways):
1789         (JSC::B3::testLICMWritesLocalState):
1790         (JSC::B3::testLICMWrites):
1791         (JSC::B3::testLICMFence):
1792         (JSC::B3::testLICMWritesPinned):
1793         (JSC::B3::testLICMControlDependent):
1794         (JSC::B3::testLICMControlDependentNotBackwardsDominant):
1795         (JSC::B3::testLICMControlDependentSideExits):
1796         (JSC::B3::testLICMReadsPinnedWritesPinned):
1797         (JSC::B3::testLICMReadsWritesDifferentHeaps):
1798         (JSC::B3::testLICMReadsWritesOverlappingHeaps):
1799         (JSC::B3::testLICMDefaultCall):
1800         (JSC::B3::run):
1801         * dfg/DFGBasicBlock.h:
1802         * dfg/DFGCFG.h:
1803         * dfg/DFGNaturalLoops.cpp: Removed.
1804         * dfg/DFGNaturalLoops.h:
1805         (JSC::DFG::NaturalLoops::NaturalLoops):
1806         (JSC::DFG::NaturalLoop::NaturalLoop): Deleted.
1807         (JSC::DFG::NaturalLoop::header): Deleted.
1808         (JSC::DFG::NaturalLoop::size): Deleted.
1809         (JSC::DFG::NaturalLoop::at): Deleted.
1810         (JSC::DFG::NaturalLoop::operator[]): Deleted.
1811         (JSC::DFG::NaturalLoop::contains): Deleted.
1812         (JSC::DFG::NaturalLoop::index): Deleted.
1813         (JSC::DFG::NaturalLoop::isOuterMostLoop): Deleted.
1814         (JSC::DFG::NaturalLoop::addBlock): Deleted.
1815         (JSC::DFG::NaturalLoops::numLoops): Deleted.
1816         (JSC::DFG::NaturalLoops::loop): Deleted.
1817         (JSC::DFG::NaturalLoops::headerOf): Deleted.
1818         (JSC::DFG::NaturalLoops::innerMostLoopOf): Deleted.
1819         (JSC::DFG::NaturalLoops::innerMostOuterLoop): Deleted.
1820         (JSC::DFG::NaturalLoops::belongsTo): Deleted.
1821         (JSC::DFG::NaturalLoops::loopDepth): Deleted.
1822
1823 2017-07-24  Filip Pizlo  <fpizlo@apple.com>
1824
1825         GC should be fine with trading blocks between destructor and non-destructor blocks
1826         https://bugs.webkit.org/show_bug.cgi?id=174811
1827
1828         Reviewed by Mark Lam.
1829         
1830         Our GC has the ability to trade blocks between MarkedAllocators. A MarkedAllocator is a
1831         size-class-within-a-Subspace. The ability to trade helps reduce memory wastage due to
1832         fragmentation. Prior to this change, this only worked between blocks that did not have destructors.
1833         This was partly a policy decision. But mostly, it was fallout from the way we use the `empty` block
1834         set.
1835         
1836         Here's how `empty` used to work. If a block is empty, we don't run destructors. We say that a block
1837         is empty if:
1838         
1839         A) It has no live objects and it's a non-destructor block, or
1840         B) We just allocated it (so it has no destructors even if it's a destructor block), or
1841         C) We just stole it from another allocator (so it also has no destructors), or
1842         D) We just swept the block and ran all destructors.
1843         
1844         Case (A) is for trading blocks. That's how a different MarkedAllocator would know that this is a
1845         block that could be stolen.
1846
1847         Cases (B) and (C) need to be detected for correctness, since otherwise we might try to run
1848         destructors in blocks that have garbage bits. In that case, the isZapped check won't detect that
1849         cells don't need destruction, so without having the `empty` bit we would try to destruct garbage
1850         and crash. Currently, we know that we have cases (B) and (C) when the block is empty.
1851         
1852         Case (D) is necessary for detecting which blocks can be removed when we `shrink` the heap.
1853         
1854         If we tried to enable trading of blocks between allocators without making any changes to how
1855         `empty` works, then it just would not work. We have to set the `empty` bits of blocks that have no
1856         live objects in order for those bits to be candidates for trading. But if we do that, then our
1857         logic for cases (B-D) will think that the block has no destructible objects. That's bad, since then
1858         our destructors won't run and we'll leak memory.
1859         
1860         This change fixes this issue by decoupling the "do I have destructors" question from the "do I have
1861         live objects" question by introducing a new `destructible` bitvector. The GC flags all live blocks
1862         as being destructible at the end. We clear the destructible bit in cases (B-D). Cases (B-C) are
1863         handled entirely by the new destructible bit, while case (D) is detected by looking for blocks that
1864         are (empty & ~destructible).
1865         
1866         Then we can simply remove all destructor-oriented special-casing of the `empty` bit. And we can
1867         remove destructor-oriented special-casing of block trading.
1868
1869         This is a perf-neutral change. We expect most free memory to be in non-destructor blocks anyway,
1870         so this change is more about clean-up than perf. But, this could reduce memory usage in some
1871         pathological cases.
1872         
1873         * heap/MarkedAllocator.cpp:
1874         (JSC::MarkedAllocator::findEmptyBlockToSteal):
1875         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
1876         (JSC::MarkedAllocator::endMarking):
1877         (JSC::MarkedAllocator::shrink):
1878         (JSC::MarkedAllocator::shouldStealEmptyBlocksFromOtherAllocators): Deleted.
1879         * heap/MarkedAllocator.h:
1880         * heap/MarkedBlock.cpp:
1881         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
1882         (JSC::MarkedBlock::Handle::sweep):
1883         * heap/MarkedBlockInlines.h:
1884         (JSC::MarkedBlock::Handle::specializedSweep):
1885         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace):
1886         (JSC::MarkedBlock::Handle::emptyMode):
1887
1888 2017-07-25  Keith Miller  <keith_miller@apple.com>
1889
1890         Remove Broken CompareEq constant folding phase.
1891         https://bugs.webkit.org/show_bug.cgi?id=174846
1892         <rdar://problem/32978808>
1893
1894         Reviewed by Saam Barati.
1895
1896         This bug happened when we would get code like the following:
1897
1898         a: JSConst(Undefined)
1899         b: GetLocal(SomeObjectOrUndefined)
1900         ...
1901         c: CompareEq(Check:ObjectOrOther:b, Check:ObjectOrOther:a)
1902
1903         constant folding will turn this into:
1904
1905         a: JSConst(Undefined)
1906         b: GetLocal(SomeObjectOrUndefined)
1907         ...
1908         c: CompareEq(Check:ObjectOrOther:b, Other:a)
1909
1910         But the SpeculativeJIT/FTL lowering will fail to check b
1911         properly which leads to an assertion failure in the AI.
1912
1913         I'll follow up with a more robust fix later. For now, I'll remove the
1914         case that generates the code. Removing the code appears to be perf
1915         neutral.
1916
1917         * dfg/DFGConstantFoldingPhase.cpp:
1918         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1919
1920 2017-07-25  Matt Baker  <mattbaker@apple.com>
1921
1922         Web Inspector: Refactoring: extract async stack trace logic from InspectorInstrumentation
1923         https://bugs.webkit.org/show_bug.cgi?id=174738
1924
1925         Reviewed by Brian Burg.
1926
1927         Move AsyncCallType enum to InspectorDebuggerAgent, which manages async
1928         stack traces. This preserves the call type in JSC, makes the range of
1929         possible call types explicit, and is safer than passing ints.
1930
1931         * inspector/agents/InspectorDebuggerAgent.cpp:
1932         (Inspector::InspectorDebuggerAgent::asyncCallIdentifier):
1933         (Inspector::InspectorDebuggerAgent::didScheduleAsyncCall):
1934         (Inspector::InspectorDebuggerAgent::didCancelAsyncCall):
1935         (Inspector::InspectorDebuggerAgent::willDispatchAsyncCall):
1936         * inspector/agents/InspectorDebuggerAgent.h:
1937
1938 2017-07-25  Mark Lam  <mark.lam@apple.com>
1939
1940         Fix bugs in probe code to change sp on x86, x86_64 and 32-bit ARM.
1941         https://bugs.webkit.org/show_bug.cgi?id=174809
1942         <rdar://problem/33504759>
1943
1944         Reviewed by Filip Pizlo.
1945
1946         1. When the probe handler function changes the sp register to point to the
1947            region of stack in the middle of the ProbeContext on the stack, there is a
1948            bug where the ProbeContext's register values to be restored can be over-written
1949            before they can be restored.  This is now fixed.
1950
1951         2. Added more robust probe tests for changing the sp register.
1952
1953         3. Made existing probe tests ensure that probe handlers were actually called.
1954
1955         4. Added some verification to testProbePreservesGPRS().
1956
1957         5. Change all the probe tests to fail early on discovering an error instead of
1958            batching till the end of the test.  This helps point a finger to the failing
1959            issue earlier.
1960
1961         This patch was tested on x86, x86_64, and ARMv7.  ARM64 probe code will be fixed
1962         next in https://bugs.webkit.org/show_bug.cgi?id=174697.
1963
1964         * assembler/MacroAssemblerARM.cpp:
1965         * assembler/MacroAssemblerARMv7.cpp:
1966         * assembler/MacroAssemblerX86Common.cpp:
1967         * assembler/testmasm.cpp:
1968         (JSC::testProbeReadsArgumentRegisters):
1969         (JSC::testProbeWritesArgumentRegisters):
1970         (JSC::testProbePreservesGPRS):
1971         (JSC::testProbeModifiesStackPointer):
1972         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
1973         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
1974         (JSC::testProbeModifiesProgramCounter):
1975         (JSC::run):
1976
1977 2017-07-25  Brian Burg  <bburg@apple.com>
1978
1979         Web Automation: add support for uploading files
1980         https://bugs.webkit.org/show_bug.cgi?id=174797
1981         <rdar://problem/28485063>
1982
1983         Reviewed by Joseph Pecoraro.
1984
1985         * inspector/scripts/generate-inspector-protocol-bindings.py:
1986         (generate_from_specification):
1987         Start generating frontend dispatcher code if the target framework is 'WebKit'.
1988
1989         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
1990         (CppFrontendDispatcherImplementationGenerator.generate_output):
1991         Use a framework include for InspectorFrontendRouter.h since this generated code
1992         will be compiled outside of WebCore.framework.
1993
1994         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
1995         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1996         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1997         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
1998         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
1999         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
2000         * inspector/scripts/tests/generic/expected/enum-values.json-result:
2001         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2002         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
2003         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
2004         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
2005         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
2006         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
2007         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
2008         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2009         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
2010         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
2011         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
2012         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
2013         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
2014         Rebaseline code generator tests.
2015
2016 2017-07-24  Mark Lam  <mark.lam@apple.com>
2017
2018         Gardening: fixed C Loop build after r219790.
2019         https://bugs.webkit.org/show_bug.cgi?id=174696
2020
2021         Not reviewed.
2022
2023         * assembler/testmasm.cpp:
2024
2025 2017-07-23  Mark Lam  <mark.lam@apple.com>
2026
2027         Create regression tests for the JIT probe.
2028         https://bugs.webkit.org/show_bug.cgi?id=174696
2029         <rdar://problem/33436922>
2030
2031         Reviewed by Saam Barati.
2032
2033         The new testmasm will test the following:
2034         1. the probe is able to read the value of CPU registers.
2035         2. the probe is able to write the value of CPU registers.
2036         3. the probe is able to preserve all CPU registers.
2037         4. special case of (2): the probe is able to change the value of the stack pointer.
2038         5. special case of (2): the probe is able to change the value of the program counter
2039            i.e. the probe can change where the code continues executing upon returning from
2040            the probe.
2041
2042         Currently, the x86, x86_64, and ARMv7 ports pass the test.  ARM64 does not
2043         because it does not support changing the sp and pc yet.  The ARM64 probe
2044         implementation will be fixed in https://bugs.webkit.org/show_bug.cgi?id=174697
2045         later.
2046
2047         * Configurations/ToolExecutable.xcconfig:
2048         * JavaScriptCore.xcodeproj/project.pbxproj:
2049         * assembler/MacroAssembler.h:
2050         (JSC::MacroAssembler::CPUState::pc):
2051         (JSC::MacroAssembler::CPUState::fp):
2052         (JSC::MacroAssembler::CPUState::sp):
2053         (JSC::ProbeContext::pc):
2054         (JSC::ProbeContext::fp):
2055         (JSC::ProbeContext::sp):
2056         * assembler/MacroAssemblerARM64.cpp:
2057         (JSC::arm64ProbeTrampoline):
2058         * assembler/MacroAssemblerPrinter.cpp:
2059         (JSC::Printer::printPCRegister):
2060         * assembler/testmasm.cpp: Added.
2061         (hiddenTruthBecauseNoReturnIsStupid):
2062         (usage):
2063         (JSC::nextID):
2064         (JSC::isPC):
2065         (JSC::isSP):
2066         (JSC::isFP):
2067         (JSC::compile):
2068         (JSC::invoke):
2069         (JSC::compileAndRun):
2070         (JSC::testSimple):
2071         (JSC::testProbeReadsArgumentRegisters):
2072         (JSC::testProbeWritesArgumentRegisters):
2073         (JSC::testFunctionToTrashRegisters):
2074         (JSC::testProbePreservesGPRS):
2075         (JSC::testProbeModifiesStackPointer):
2076         (JSC::testProbeModifiesProgramCounter):
2077         (JSC::run):
2078         (run):
2079         (main):
2080         * b3/air/testair.cpp:
2081         (usage):
2082         * shell/CMakeLists.txt:
2083
2084 2017-07-14  Filip Pizlo  <fpizlo@apple.com>
2085
2086         It should be easy to decide how WebKit yields
2087         https://bugs.webkit.org/show_bug.cgi?id=174298
2088
2089         Reviewed by Saam Barati.
2090         
2091         Use the new WTF::Thread::yield() function for yielding instead of the C++ function.
2092
2093         * heap/Heap.cpp:
2094         (JSC::Heap::resumeThePeriphery):
2095         * heap/VisitingTimeout.h:
2096         * runtime/JSCell.cpp:
2097         (JSC::JSCell::lockSlow):
2098         (JSC::JSCell::unlockSlow):
2099         * runtime/JSCell.h:
2100         * runtime/JSCellInlines.h:
2101         (JSC::JSCell::lock):
2102         (JSC::JSCell::unlock):
2103         * runtime/JSLock.cpp:
2104         (JSC::JSLock::grabAllLocks):
2105         * runtime/SamplingProfiler.cpp:
2106
2107 2017-07-21  Mark Lam  <mark.lam@apple.com>
2108
2109         Refactor MASM probe CPUState to use arrays for register storage.
2110         https://bugs.webkit.org/show_bug.cgi?id=174694
2111
2112         Reviewed by Keith Miller.
2113
2114         Using arrays for register storage in CPUState allows us to do away with the
2115         huge switch statements to decode each register id.  We can now simply index into
2116         the arrays.
2117
2118         With this patch, we now:
2119
2120         1. Remove the need for macros for defining the list of CPU registers.
2121            We can go back to simple enums.  This makes the code easier to read.
2122
2123         2. Make the assembler the authority on register names.
2124            Most of this code is moved into the assembler from GPRInfo and FPRInfo.
2125            GPRInfo and FPRInfo now forward to the assembler.
2126
2127         3. Make the assembler the authority on the number of registers of each type.
2128
2129         4. Fix a "bug" in ARMv7's lastRegister().  It was previously omitting lr and pc.
2130            This is inconsistent with how every other CPU architecture implements
2131            lastRegister().  This patch fixes it to return the true last GPR i.e. pc, but
2132            updates RegisterSet::reservedHardwareRegisters() to exclude those registers.
2133
2134         * assembler/ARM64Assembler.h:
2135         (JSC::ARM64Assembler::numberOfRegisters):
2136         (JSC::ARM64Assembler::firstSPRegister):
2137         (JSC::ARM64Assembler::lastSPRegister):
2138         (JSC::ARM64Assembler::numberOfSPRegisters):
2139         (JSC::ARM64Assembler::numberOfFPRegisters):
2140         (JSC::ARM64Assembler::gprName):
2141         (JSC::ARM64Assembler::sprName):
2142         (JSC::ARM64Assembler::fprName):
2143         * assembler/ARMAssembler.h:
2144         (JSC::ARMAssembler::numberOfRegisters):
2145         (JSC::ARMAssembler::firstSPRegister):
2146         (JSC::ARMAssembler::lastSPRegister):
2147         (JSC::ARMAssembler::numberOfSPRegisters):
2148         (JSC::ARMAssembler::numberOfFPRegisters):
2149         (JSC::ARMAssembler::gprName):
2150         (JSC::ARMAssembler::sprName):
2151         (JSC::ARMAssembler::fprName):
2152         * assembler/ARMv7Assembler.h:
2153         (JSC::ARMv7Assembler::lastRegister):
2154         (JSC::ARMv7Assembler::numberOfRegisters):
2155         (JSC::ARMv7Assembler::firstSPRegister):
2156         (JSC::ARMv7Assembler::lastSPRegister):
2157         (JSC::ARMv7Assembler::numberOfSPRegisters):
2158         (JSC::ARMv7Assembler::numberOfFPRegisters):
2159         (JSC::ARMv7Assembler::gprName):
2160         (JSC::ARMv7Assembler::sprName):
2161         (JSC::ARMv7Assembler::fprName):
2162         * assembler/AbstractMacroAssembler.h:
2163         (JSC::AbstractMacroAssembler::numberOfRegisters):
2164         (JSC::AbstractMacroAssembler::gprName):
2165         (JSC::AbstractMacroAssembler::firstSPRegister):
2166         (JSC::AbstractMacroAssembler::lastSPRegister):
2167         (JSC::AbstractMacroAssembler::numberOfSPRegisters):
2168         (JSC::AbstractMacroAssembler::sprName):
2169         (JSC::AbstractMacroAssembler::numberOfFPRegisters):
2170         (JSC::AbstractMacroAssembler::fprName):
2171         * assembler/MIPSAssembler.h:
2172         (JSC::MIPSAssembler::numberOfRegisters):
2173         (JSC::MIPSAssembler::firstSPRegister):
2174         (JSC::MIPSAssembler::lastSPRegister):
2175         (JSC::MIPSAssembler::numberOfSPRegisters):
2176         (JSC::MIPSAssembler::numberOfFPRegisters):
2177         (JSC::MIPSAssembler::gprName):
2178         (JSC::MIPSAssembler::sprName):
2179         (JSC::MIPSAssembler::fprName):
2180         * assembler/MacroAssembler.h:
2181         (JSC::MacroAssembler::CPUState::gprName):
2182         (JSC::MacroAssembler::CPUState::sprName):
2183         (JSC::MacroAssembler::CPUState::fprName):
2184         (JSC::MacroAssembler::CPUState::gpr):
2185         (JSC::MacroAssembler::CPUState::spr):
2186         (JSC::MacroAssembler::CPUState::fpr):
2187         (JSC::MacroAssembler::CPUState::pc):
2188         (JSC::MacroAssembler::CPUState::fp):
2189         (JSC::MacroAssembler::CPUState::sp):
2190         (JSC::ProbeContext::gpr):
2191         (JSC::ProbeContext::spr):
2192         (JSC::ProbeContext::fpr):
2193         (JSC::ProbeContext::gprName):
2194         (JSC::ProbeContext::sprName):
2195         (JSC::ProbeContext::fprName):
2196         (JSC::MacroAssembler::numberOfRegisters): Deleted.
2197         (JSC::MacroAssembler::numberOfFPRegisters): Deleted.
2198         * assembler/MacroAssemblerARM.cpp:
2199         * assembler/MacroAssemblerARM64.cpp:
2200         (JSC::arm64ProbeTrampoline):
2201         * assembler/MacroAssemblerARMv7.cpp:
2202         * assembler/MacroAssemblerPrinter.cpp:
2203         (JSC::Printer::nextID):
2204         (JSC::Printer::printAllRegisters):
2205         (JSC::Printer::printPCRegister):
2206         (JSC::Printer::printRegisterID):
2207         (JSC::Printer::printAddress):
2208         * assembler/MacroAssemblerX86Common.cpp:
2209         * assembler/X86Assembler.h:
2210         (JSC::X86Assembler::numberOfRegisters):
2211         (JSC::X86Assembler::firstSPRegister):
2212         (JSC::X86Assembler::lastSPRegister):
2213         (JSC::X86Assembler::numberOfSPRegisters):
2214         (JSC::X86Assembler::numberOfFPRegisters):
2215         (JSC::X86Assembler::gprName):
2216         (JSC::X86Assembler::sprName):
2217         (JSC::X86Assembler::fprName):
2218         * jit/FPRInfo.h:
2219         (JSC::FPRInfo::debugName):
2220         * jit/GPRInfo.h:
2221         (JSC::GPRInfo::debugName):
2222         * jit/RegisterSet.cpp:
2223         (JSC::RegisterSet::reservedHardwareRegisters):
2224
2225 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2226
2227         [JSC] Introduce static symbols
2228         https://bugs.webkit.org/show_bug.cgi?id=158863
2229
2230         Reviewed by Darin Adler.
2231
2232         We use StaticSymbolImpl to initialize PrivateNames and builtin Symbols.
2233         As a result, we can share the same Symbol values between VMs and threads.
2234         And we do not need to allocate Ref<SymbolImpl> for these symbols at runtime.
2235
2236         * CMakeLists.txt:
2237         * JavaScriptCore.xcodeproj/project.pbxproj:
2238         * builtins/BuiltinNames.cpp: Added.
2239         Suppress warning C4307, integral constant overflow. It is intentional in constexpr hash value calculation.
2240
2241         * builtins/BuiltinNames.h:
2242         (JSC::BuiltinNames::BuiltinNames):
2243         * builtins/BuiltinUtils.h:
2244
2245 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2246
2247         [FTL] Arguments elimination is suppressed by unreachable blocks
2248         https://bugs.webkit.org/show_bug.cgi?id=174352
2249
2250         Reviewed by Filip Pizlo.
2251
2252         If we do not execute `op_get_by_id`, our value profiling tells us unpredictable and DFG emits ForceOSRExit.
2253         The problem is that arguments elimination phase checks escaping even when ForceOSRExit precedes.
2254         Since GetById without information can escape arguments if it is specified, non-executed code including
2255         op_get_by_id with arguments can escape arguments.
2256
2257         For example,
2258
2259             function test(flag)
2260             {
2261                 if (flag) {
2262                     // This is not executed, but emits GetById with arguments.
2263                     // It prevents us from eliminating materialization.
2264                     return arguments.length;
2265                 }
2266                 return arguments.length;
2267             }
2268             noInline(test);
2269             while (true)
2270                 test(false);
2271
2272         We do not perform CFA and dead-node clipping yet when performing arguments elimination phase.
2273         So this GetById exists and escapes arguments.
2274
2275         To solve this problem, our arguments elimination phase checks preceding pseudo-terminal nodes.
2276         If it is shown, following GetById does not escape arguments. Compared to performing AI, it is
2277         lightweight. But it catches many of the typical cases where we failed to perform arguments elimination.
2278
2279         * dfg/DFGArgumentsEliminationPhase.cpp:
2280         * dfg/DFGNode.h:
2281         (JSC::DFG::Node::isPseudoTerminal):
2282         * dfg/DFGValidate.cpp:
2283
2284 2017-07-20  Chris Dumez  <cdumez@apple.com>
2285
2286         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable
2287         https://bugs.webkit.org/show_bug.cgi?id=174660
2288
2289         Reviewed by Geoffrey Garen.
2290
2291         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable.
2292         This essentially replaces a branch to figure out if the new size is less or greater than the
2293         current size by an assertion.
2294
2295         * b3/B3BasicBlockUtils.h:
2296         (JSC::B3::clearPredecessors):
2297         * b3/B3InferSwitches.cpp:
2298         * b3/B3LowerToAir.cpp:
2299         (JSC::B3::Air::LowerToAir::finishAppendingInstructions):
2300         * b3/B3ReduceStrength.cpp:
2301         * b3/B3SparseCollection.h:
2302         (JSC::B3::SparseCollection::packIndices):
2303         * b3/B3UseCounts.cpp:
2304         (JSC::B3::UseCounts::UseCounts):
2305         * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
2306         * b3/air/AirEmitShuffle.cpp:
2307         (JSC::B3::Air::emitShuffle):
2308         * b3/air/AirLowerAfterRegAlloc.cpp:
2309         (JSC::B3::Air::lowerAfterRegAlloc):
2310         * b3/air/AirOptimizeBlockOrder.cpp:
2311         (JSC::B3::Air::optimizeBlockOrder):
2312         * bytecode/Operands.h:
2313         (JSC::Operands::ensureLocals):
2314         * bytecode/PreciseJumpTargets.cpp:
2315         (JSC::computePreciseJumpTargetsInternal):
2316         * dfg/DFGBlockInsertionSet.cpp:
2317         (JSC::DFG::BlockInsertionSet::execute):
2318         * dfg/DFGBlockMapInlines.h:
2319         (JSC::DFG::BlockMap<T>::BlockMap):
2320         * dfg/DFGByteCodeParser.cpp:
2321         (JSC::DFG::ByteCodeParser::processSetLocalQueue):
2322         (JSC::DFG::ByteCodeParser::clearCaches):
2323         * dfg/DFGDisassembler.cpp:
2324         (JSC::DFG::Disassembler::Disassembler):
2325         * dfg/DFGFlowIndexing.cpp:
2326         (JSC::DFG::FlowIndexing::recompute):
2327         * dfg/DFGGraph.cpp:
2328         (JSC::DFG::Graph::registerFrozenValues):
2329         * dfg/DFGInPlaceAbstractState.cpp:
2330         (JSC::DFG::setLiveValues):
2331         * dfg/DFGLICMPhase.cpp:
2332         (JSC::DFG::LICMPhase::run):
2333         * dfg/DFGLivenessAnalysisPhase.cpp:
2334         * dfg/DFGNaturalLoops.cpp:
2335         (JSC::DFG::NaturalLoops::NaturalLoops):
2336         * dfg/DFGStoreBarrierClusteringPhase.cpp:
2337         * ftl/FTLLowerDFGToB3.cpp:
2338         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2339         * heap/CodeBlockSet.cpp:
2340         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
2341         * heap/MarkedSpace.cpp:
2342         (JSC::MarkedSpace::sweepLargeAllocations):
2343         * inspector/ContentSearchUtilities.cpp:
2344         (Inspector::ContentSearchUtilities::findMagicComment):
2345         * interpreter/ShadowChicken.cpp:
2346         (JSC::ShadowChicken::update):
2347         * parser/ASTBuilder.h:
2348         (JSC::ASTBuilder::shrinkOperandStackBy):
2349         * parser/Lexer.h:
2350         (JSC::Lexer::setOffset):
2351         * runtime/RegExpInlines.h:
2352         (JSC::RegExp::matchInline):
2353         * runtime/RegExpPrototype.cpp:
2354         (JSC::genericSplit):
2355         * yarr/RegularExpression.cpp:
2356         (JSC::Yarr::RegularExpression::match):
2357
2358 2017-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2359
2360         [WTF] Use ThreadGroup to bookkeep active threads for Mach exception
2361         https://bugs.webkit.org/show_bug.cgi?id=174678
2362
2363         Reviewed by Mark Lam.
2364
2365         Use Thread& instead.
2366
2367         * runtime/JSLock.cpp:
2368         (JSC::JSLock::didAcquireLock):
2369
2370 2017-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2371
2372         [WTF] Implement WTF::ThreadGroup
2373         https://bugs.webkit.org/show_bug.cgi?id=174081
2374
2375         Reviewed by Mark Lam.
2376
2377         A large part of MachineThreads is now removed and replaced with WTF::ThreadGroup.
2378         And SamplingProfiler and others interact with WTF::Thread directly.
2379
2380         * API/tests/ExecutionTimeLimitTest.cpp:
2381         * heap/MachineStackMarker.cpp:
2382         (JSC::MachineThreads::MachineThreads):
2383         (JSC::captureStack):
2384         (JSC::MachineThreads::tryCopyOtherThreadStack):
2385         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2386         (JSC::MachineThreads::gatherConservativeRoots):
2387         (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
2388         (JSC::ActiveMachineThreadsManager::add): Deleted.
2389         (JSC::ActiveMachineThreadsManager::remove): Deleted.
2390         (JSC::ActiveMachineThreadsManager::contains): Deleted.
2391         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
2392         (JSC::activeMachineThreadsManager): Deleted.
2393         (JSC::MachineThreads::~MachineThreads): Deleted.
2394         (JSC::MachineThreads::addCurrentThread): Deleted.
2395         (): Deleted.
2396         (JSC::MachineThreads::removeThread): Deleted.
2397         (JSC::MachineThreads::removeThreadIfFound): Deleted.
2398         (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
2399         (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
2400         (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
2401         (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
2402         (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
2403         (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
2404         (JSC::MachineThreads::MachineThread::captureStack): Deleted.
2405         * heap/MachineStackMarker.h:
2406         (JSC::MachineThreads::addCurrentThread):
2407         (JSC::MachineThreads::getLock):
2408         (JSC::MachineThreads::threads):
2409         (JSC::MachineThreads::MachineThread::suspend): Deleted.
2410         (JSC::MachineThreads::MachineThread::resume): Deleted.
2411         (JSC::MachineThreads::MachineThread::threadID): Deleted.
2412         (JSC::MachineThreads::MachineThread::stackBase): Deleted.
2413         (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
2414         (JSC::MachineThreads::threadsListHead): Deleted.
2415         * runtime/SamplingProfiler.cpp:
2416         (JSC::FrameWalker::isValidFramePointer):
2417         (JSC::SamplingProfiler::SamplingProfiler):
2418         (JSC::SamplingProfiler::takeSample):
2419         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
2420         * runtime/SamplingProfiler.h:
2421         * wasm/WasmMachineThreads.cpp:
2422         (JSC::Wasm::resetInstructionCacheOnAllThreads):
2423
2424 2017-07-18  Andy Estes  <aestes@apple.com>
2425
2426         [Xcode] Enable CLANG_WARN_RANGE_LOOP_ANALYSIS
2427         https://bugs.webkit.org/show_bug.cgi?id=174631
2428
2429         Reviewed by Tim Horton.
2430
2431         * Configurations/Base.xcconfig:
2432         * b3/B3FoldPathConstants.cpp:
2433         * b3/B3LowerMacros.cpp:
2434         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
2435         * dfg/DFGByteCodeParser.cpp:
2436         (JSC::DFG::ByteCodeParser::check):
2437         (JSC::DFG::ByteCodeParser::planLoad):
2438
2439 2017-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2440
2441         WTF::Thread should have the threads stack bounds.
2442         https://bugs.webkit.org/show_bug.cgi?id=173975
2443
2444         Reviewed by Mark Lam.
2445
2446         There is a site in JSC that tries to walk another thread's stack.
2447         Currently, stack bounds are stored in WTFThreadData which is located
2448         in TLS. Thus, only the thread itself can access its own WTFThreadData.
2449         We work around this situation by holding StackBounds in MachineThread in JSC,
2450         but StackBounds should be put in WTF::Thread instead.
2451
2452         This patch adds StackBounds to WTF::Thread. StackBounds information is tightly
2453         coupled with Thread. Thus putting it in WTF::Thread is a natural choice.
2454
2455         * heap/MachineStackMarker.cpp:
2456         (JSC::MachineThreads::MachineThread::MachineThread):
2457         (JSC::MachineThreads::MachineThread::captureStack):
2458         * heap/MachineStackMarker.h:
2459         (JSC::MachineThreads::MachineThread::stackBase):
2460         (JSC::MachineThreads::MachineThread::stackEnd):
2461         * runtime/VMTraps.cpp:
2462
2463 2017-07-18  Andy Estes  <aestes@apple.com>
2464
2465         [Xcode] Enable CLANG_WARN_OBJC_LITERAL_CONVERSION
2466         https://bugs.webkit.org/show_bug.cgi?id=174631
2467
2468         Reviewed by Sam Weinig.
2469
2470         * Configurations/Base.xcconfig:
2471
2472 2017-07-18  Joseph Pecoraro  <pecoraro@apple.com>
2473
2474         Web Inspector: Modernize InjectedScriptSource
2475         https://bugs.webkit.org/show_bug.cgi?id=173890
2476
2477         Reviewed by Brian Burg.
2478
2479         * inspector/InjectedScript.h:
2480         Reorder functions to be slightly better.
2481
2482         * inspector/InjectedScriptSource.js:
2483         - Convert to classes named InjectedScript and RemoteObject
2484         - Align InjectedScript's API with the wrapper C++ interfaces
2485         - Move some code to RemoteObject where appropriate (subtype, describe)
2486         - Move some code to helper functions (isPrimitiveValue, isDefined)
2487         - Refactor for readability and modern features
2488         - Remove some unused / unnecessary code
2489
2490 2017-07-18  Mark Lam  <mark.lam@apple.com>
2491
2492         Butterfly storage need not be initialized for indexing type Undecided.
2493         https://bugs.webkit.org/show_bug.cgi?id=174516
2494
2495         Reviewed by Saam Barati.
2496
2497         While it's not incorrect to initialize the butterfly storage when the
2498         indexingType is Undecided, it is inefficient as we'll end up initializing
2499         it again later when we convert the storage to a different indexingType.
2500         Some of our code already skips initializing Undecided butterflies.
2501         This patch makes it the consistent behavior everywhere.
2502
2503         * dfg/DFGSpeculativeJIT.cpp:
2504         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2505         * runtime/JSArray.cpp:
2506         (JSC::JSArray::tryCreateUninitializedRestricted):
2507         * runtime/JSArray.h:
2508         (JSC::JSArray::tryCreate):
2509         * runtime/JSObject.cpp:
2510         (JSC::JSObject::ensureLengthSlow):
2511
2512 2017-07-18  Saam Barati  <sbarati@apple.com>
2513
2514         AirLowerAfterRegAlloc may incorrectly use a callee save that's live as a scratch register
2515         https://bugs.webkit.org/show_bug.cgi?id=174515
2516         <rdar://problem/33358092>
2517
2518         Reviewed by Filip Pizlo.
2519
2520         AirLowerAfterRegAlloc was computing the set of available scratch
2521         registers incorrectly. It was always excluding callee save registers
2522         from the set of live registers. It did not guarantee that live callee save
2523         registers were not in the set of scratch registers that could
2524         get clobbered. That's incorrect as the shuffling code is free
2525         to overwrite whatever is in the scratch register it gets passed.
2526
2527         * b3/air/AirLowerAfterRegAlloc.cpp:
2528         (JSC::B3::Air::lowerAfterRegAlloc):
2529         * b3/testb3.cpp:
2530         (JSC::B3::functionNineArgs):
2531         (JSC::B3::testShuffleDoesntTrashCalleeSaves):
2532         (JSC::B3::run):
2533         * jit/RegisterSet.h:
2534
2535 2017-07-18  Andy Estes  <aestes@apple.com>
2536
2537         [Xcode] Enable CLANG_WARN_NON_LITERAL_NULL_CONVERSION
2538         https://bugs.webkit.org/show_bug.cgi?id=174631
2539
2540         Reviewed by Dan Bernstein.
2541
2542         * Configurations/Base.xcconfig:
2543
2544 2017-07-18  Devin Rousso  <drousso@apple.com>
2545
2546         Web Inspector: Add memoryCost to Inspector Protocol objects
2547         https://bugs.webkit.org/show_bug.cgi?id=174478
2548
2549         Reviewed by Joseph Pecoraro.
2550
2551         For non-array and non-object InspectorValue, calculate memoryCost as the sizeof the object,
2552         plus the memoryCost of the data if it is a string.
2553
2554         For array InspectorValue, calculate memoryCost as the sum of the memoryCost of all items.
2555
2556         For object InspectorValue, calculate memoryCost as the sum of the memoryCost of the string
2557         key plus the memoryCost of the InspectorValue for each entry.
2558
2559         Test: TestWebKitAPI/Tests/JavaScriptCore/InspectorValue.cpp
2560
2561         * inspector/InspectorValues.h:
2562         * inspector/InspectorValues.cpp:
2563         (Inspector::InspectorValue::memoryCost):
2564         (Inspector::InspectorObjectBase::memoryCost):
2565         (Inspector::InspectorArrayBase::memoryCost):
2566
2567 2017-07-18  Andy Estes  <aestes@apple.com>
2568
2569         [Xcode] Enable CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING
2570         https://bugs.webkit.org/show_bug.cgi?id=174631
2571
2572         Reviewed by Darin Adler.
2573
2574         * Configurations/Base.xcconfig:
2575
2576 2017-07-18  Michael Saboff  <msaboff@apple.com>
2577
2578         [JSC] There should be a debug option to dump a compiled RegExp Pattern
2579         https://bugs.webkit.org/show_bug.cgi?id=174601
2580
2581         Reviewed by Alex Christensen.
2582
2583         Added the debug option dumpCompiledRegExpPatterns which will dump the YarrPattern and related
2584         objects after a regular expression has been compiled.
2585
2586         * runtime/Options.h:
2587         * yarr/YarrPattern.cpp:
2588         (JSC::Yarr::YarrPattern::compile):
2589         (JSC::Yarr::indentForNestingLevel):
2590         (JSC::Yarr::dumpUChar32):
2591         (JSC::Yarr::PatternAlternative::dump):
2592         (JSC::Yarr::PatternTerm::dumpQuantifier):
2593         (JSC::Yarr::PatternTerm::dump):
2594         (JSC::Yarr::PatternDisjunction::dump):
2595         (JSC::Yarr::YarrPattern::dumpPattern):
2596         * yarr/YarrPattern.h:
2597         (JSC::Yarr::YarrPattern::global):
2598
2599 2017-07-17  Darin Adler  <darin@apple.com>
2600
2601         Improve use of NeverDestroyed
2602         https://bugs.webkit.org/show_bug.cgi?id=174348
2603
2604         Reviewed by Sam Weinig.
2605
2606         * heap/MachineStackMarker.cpp:
2607         * wasm/WasmMemory.cpp:
2608         Removed unneeded includes of NeverDestroyed.h in files that do not make use
2609         of NeverDestroyed.
2610
2611 2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>
2612
2613         [CMake] Macros in WebKitMacros.cmake should be prefixed with WEBKIT_ namespace
2614         https://bugs.webkit.org/show_bug.cgi?id=174547
2615
2616         Reviewed by Alex Christensen.
2617
2618         * CMakeLists.txt:
2619         * shell/CMakeLists.txt:
2620
2621 2017-07-17  Saam Barati  <sbarati@apple.com>
2622
2623         Remove custom defined RELEASE_ASSERT in DFGObjectAllocationSinkingPhase
2624         https://bugs.webkit.org/show_bug.cgi?id=174584
2625
2626         Rubber stamped by Keith Miller.
2627
2628         I used it to diagnose a bug. The bug is now fixed. This custom
2629         RELEASE_ASSERT is no longer needed.
2630
2631         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2632
2633 2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>
2634
2635         -Wformat-truncation warning in ConfigFile.cpp
2636         https://bugs.webkit.org/show_bug.cgi?id=174506
2637
2638         Reviewed by Darin Adler.
2639
2640         Check if the JSC config filename would be truncated due to exceeding max path length. If so,
2641         return ParseError.
2642
2643         * runtime/ConfigFile.cpp:
2644         (JSC::ConfigFile::parse):
2645
2646 2017-07-17  Konstantin Tokarev  <annulen@yandex.ru>
2647
2648         [CMake] Create targets before WEBKIT_INCLUDE_CONFIG_FILES_IF_EXISTS is called
2649         https://bugs.webkit.org/show_bug.cgi?id=174557
2650
2651         Reviewed by Michael Catanzaro.
2652
2653         * CMakeLists.txt:
2654
2655 2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2656
2657         [WTF] Use std::unique_ptr for StackTrace
2658         https://bugs.webkit.org/show_bug.cgi?id=174495
2659
2660         Reviewed by Alex Christensen.
2661
2662         * runtime/ExceptionScope.cpp:
2663         (JSC::ExceptionScope::unexpectedExceptionMessage):
2664         * runtime/VM.cpp:
2665         (JSC::VM::throwException):
2666
2667 2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2668
2669         [JSC] Use WTFMove to prune liveness in DFGAvailabilityMap
2670         https://bugs.webkit.org/show_bug.cgi?id=174423
2671
2672         Reviewed by Saam Barati.
2673
2674         * dfg/DFGAvailabilityMap.cpp:
2675         (JSC::DFG::AvailabilityMap::pruneHeap):
2676         (JSC::DFG::AvailabilityMap::pruneByLiveness):
2677
2678 2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>
2679
2680         Fix compiler warnings when building with GCC 7
2681         https://bugs.webkit.org/show_bug.cgi?id=174463
2682
2683         Reviewed by Darin Adler.
2684
2685         * disassembler/udis86/udis86_decode.c:
2686         (decode_operand):
2687
2688 2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>
2689
2690         Incorrect assertion in JSC::CallLinkInfo::callTypeFor
2691         https://bugs.webkit.org/show_bug.cgi?id=174467
2692
2693         Reviewed by Saam Barati.
2694
2695         * bytecode/CallLinkInfo.cpp:
2696         (JSC::CallLinkInfo::callTypeFor):
2697
2698 2017-07-13  Joseph Pecoraro  <pecoraro@apple.com>
2699
2700         Web Inspector: Remove unused and untested Page domain commands
2701         https://bugs.webkit.org/show_bug.cgi?id=174429
2702
2703         Reviewed by Timothy Hatcher.
2704
2705         * inspector/protocol/Page.json:
2706
2707 2017-07-13  Saam Barati  <sbarati@apple.com>
2708
2709         Missing exception check in JSObject::hasInstance
2710         https://bugs.webkit.org/show_bug.cgi?id=174455
2711         <rdar://problem/31384608>
2712
2713         Reviewed by Mark Lam.
2714
2715         * runtime/JSObject.cpp:
2716         (JSC::JSObject::hasInstance):
2717
2718 2017-07-13  Caio Lima  <ticaiolima@gmail.com>
2719
2720         [ESnext] Implement Object Spread
2721         https://bugs.webkit.org/show_bug.cgi?id=167963
2722
2723         Reviewed by Saam Barati.
2724
2725         This patch implements the ECMA262 stage 3 Object Spread proposal [1].
2726         It's implemented using CopyDataPropertiesNoExclusions to copy
2727         all enumerable keys from the object being spread. The implementation of
2728         CopyDataPropertiesNoExclusions follows the CopyDataProperties
2729         implementation, however we don't receive excludedNames as a parameter.
2730
2731         [1] - https://github.com/tc39/proposal-object-rest-spread
2732
2733         * builtins/GlobalOperations.js:
2734         (globalPrivate.copyDataPropertiesNoExclusions):
2735         * bytecompiler/BytecodeGenerator.cpp:
2736         (JSC::BytecodeGenerator::emitLoad):
2737         * bytecompiler/NodesCodegen.cpp:
2738         (JSC::PropertyListNode::emitBytecode):
2739         (JSC::ObjectSpreadExpressionNode::emitBytecode):
2740         * parser/ASTBuilder.h:
2741         (JSC::ASTBuilder::createObjectSpreadExpression):
2742         (JSC::ASTBuilder::createProperty):
2743         * parser/NodeConstructors.h:
2744         (JSC::PropertyNode::PropertyNode):
2745         (JSC::ObjectSpreadExpressionNode::ObjectSpreadExpressionNode):
2746         * parser/Nodes.h:
2747         (JSC::ObjectSpreadExpressionNode::expression):
2748         * parser/Parser.cpp:
2749         (JSC::Parser<LexerType>::parseProperty):
2750         * parser/SyntaxChecker.h:
2751         (JSC::SyntaxChecker::createObjectSpreadExpression):
2752         (JSC::SyntaxChecker::createProperty):
2753
2754 2017-07-12  Mark Lam  <mark.lam@apple.com>
2755
2756         Gardening: build fix after r219434.
2757         https://bugs.webkit.org/show_bug.cgi?id=174441
2758
2759         Not reviewed.
2760
2761         Make public some MacroAssembler functions that are needed by the probe implementation.
2762
2763         * assembler/MacroAssemblerARM.h:
2764         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
2765         * assembler/MacroAssemblerARMv7.h:
2766         (JSC::MacroAssemblerARMv7::linkCall):
2767
2768 2017-07-12  Mark Lam  <mark.lam@apple.com>
2769
2770         Move Probe code from AbstractMacroAssembler to MacroAssembler.
2771         https://bugs.webkit.org/show_bug.cgi?id=174441
2772
2773         Reviewed by Saam Barati.
2774
2775         This is a pure refactoring patch for moving probe code from the AbstractMacroAssembler
2776         to MacroAssembler.  There is no code behavior change.
2777
2778         * assembler/AbstractMacroAssembler.h:
2779         (JSC::AbstractMacroAssembler<AssemblerType>::Address::indexedBy):
2780         (JSC::AbstractMacroAssembler::CPUState::gprName): Deleted.
2781         (JSC::AbstractMacroAssembler::CPUState::fprName): Deleted.
2782         (JSC::AbstractMacroAssembler::CPUState::gpr): Deleted.
2783         (JSC::AbstractMacroAssembler::CPUState::fpr): Deleted.
2784         (JSC::MacroAssemblerType>::Address::indexedBy): Deleted.
2785         * assembler/MacroAssembler.h:
2786         (JSC::MacroAssembler::CPUState::gprName):
2787         (JSC::MacroAssembler::CPUState::fprName):
2788         (JSC::MacroAssembler::CPUState::gpr):
2789         (JSC::MacroAssembler::CPUState::fpr):
2790         * assembler/MacroAssemblerARM.cpp:
2791         (JSC::MacroAssembler::probe):
2792         (JSC::MacroAssemblerARM::probe): Deleted.
2793         * assembler/MacroAssemblerARM.h:
2794         * assembler/MacroAssemblerARM64.cpp:
2795         (JSC::MacroAssembler::probe):
2796         (JSC::MacroAssemblerARM64::probe): Deleted.
2797         * assembler/MacroAssemblerARM64.h:
2798         * assembler/MacroAssemblerARMv7.cpp:
2799         (JSC::MacroAssembler::probe):
2800         (JSC::MacroAssemblerARMv7::probe): Deleted.
2801         * assembler/MacroAssemblerARMv7.h:
2802         * assembler/MacroAssemblerMIPS.h:
2803         * assembler/MacroAssemblerX86Common.cpp:
2804         (JSC::MacroAssembler::probe):
2805         (JSC::MacroAssemblerX86Common::probe): Deleted.
2806         * assembler/MacroAssemblerX86Common.h:
2807
2808 2017-07-12  Saam Barati  <sbarati@apple.com>
2809
2810         GenericArguments consults the wrong state when tracking modified argument descriptors and mapped arguments
2811         https://bugs.webkit.org/show_bug.cgi?id=174411
2812         <rdar://problem/31696186>
2813
2814         Reviewed by Mark Lam.
2815
2816         The code for deleting an argument was incorrectly referencing state
2817         when it decided if it should unmap or mark a property as having its
2818         descriptor modified. This patch fixes the bug where if we delete a
2819         property, we would sometimes not unmap an argument when deleting it.
2820
2821         * runtime/GenericArgumentsInlines.h:
2822         (JSC::GenericArguments<Type>::getOwnPropertySlot):
2823         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
2824         (JSC::GenericArguments<Type>::deleteProperty):
2825         (JSC::GenericArguments<Type>::deletePropertyByIndex):
2826
2827 2017-07-12  Commit Queue  <commit-queue@webkit.org>
2828
2829         Unreviewed, rolling out r219176.
2830         https://bugs.webkit.org/show_bug.cgi?id=174436
2831
2832         "Can cause infinite recursion on iOS" (Requested by mlam on
2833         #webkit).
2834
2835         Reverted changeset:
2836
2837         "WTF::Thread should have the threads stack bounds."
2838         https://bugs.webkit.org/show_bug.cgi?id=173975
2839         http://trac.webkit.org/changeset/219176
2840
2841 2017-07-12  Matt Lewis  <jlewis3@apple.com>
2842
2843         Unreviewed, rolling out r219401.
2844
2845         This revision rolled out the previous patch, but after talking
2846         with reviewer, a rebaseline is what was needed. Rolling back in
2847         before rebaseline.
2848
2849         Reverted changeset:
2850
2851         "Unreviewed, rolling out r219379."
2852         https://bugs.webkit.org/show_bug.cgi?id=174400
2853         http://trac.webkit.org/changeset/219401
2854
2855 2017-07-12  Matt Lewis  <jlewis3@apple.com>
2856
2857         Unreviewed, rolling out r219379.
2858
2859         This revision caused a consistent failure in the test
2860         fast/dom/Window/property-access-on-cached-window-after-frame-
2861         removed.html.
2862
2863         Reverted changeset:
2864
2865         "Remove NAVIGATOR_HWCONCURRENCY"
2866         https://bugs.webkit.org/show_bug.cgi?id=174400
2867         http://trac.webkit.org/changeset/219379
2868
2869 2017-07-12  Tooru Fujisawa [:arai]  <arai.unmht@gmail.com>
2870
2871         Wrong radix used in Unicode Escape in invalid character error message
2872         https://bugs.webkit.org/show_bug.cgi?id=174419
2873
2874         Reviewed by Alex Christensen.
2875
2876         * parser/Lexer.cpp:
2877         (JSC::Lexer<T>::invalidCharacterMessage):
2878
2879 2017-07-11  Dean Jackson  <dino@apple.com>
2880
2881         Remove NAVIGATOR_HWCONCURRENCY
2882         https://bugs.webkit.org/show_bug.cgi?id=174400
2883
2884         Reviewed by Sam Weinig.
2885
2886         * Configurations/FeatureDefines.xcconfig:
2887
2888 2017-07-11  Dean Jackson  <dino@apple.com>
2889
2890         Rolling out r219372.
2891
2892         * Configurations/FeatureDefines.xcconfig:
2893
2894 2017-07-11  Dean Jackson  <dino@apple.com>
2895
2896         Remove NAVIGATOR_HWCONCURRENCY
2897         https://bugs.webkit.org/show_bug.cgi?id=174400
2898
2899         Reviewed by Sam Weinig.
2900
2901         * Configurations/FeatureDefines.xcconfig:
2902
2903 2017-07-11  Saam Barati  <sbarati@apple.com>
2904
2905         remove the empty JavaScriptCore/wasm/js/WebAssemblyFunctionCell.* files
2906         https://bugs.webkit.org/show_bug.cgi?id=174397
2907
2908         Rubber stamped by David Kilzer.
2909
2910         * wasm/js/WebAssemblyFunctionCell.cpp: Removed.
2911         * wasm/js/WebAssemblyFunctionCell.h: Removed.
2912
2913 2017-07-10  Saam Barati  <sbarati@apple.com>
2914
2915         Allocation sinking phase should consider a CheckStructure that would fail as an escape
2916         https://bugs.webkit.org/show_bug.cgi?id=174321
2917         <rdar://problem/32604963>
2918
2919         Reviewed by Filip Pizlo.
2920
2921         When the allocation sinking phase was generating stores to materialize
2922         objects in a cycle with each other, it would assume that each materialized
2923         object had a valid, non empty, set of structures. This is an OK assumption for
2924         the phase to make because how do you materialize an object with no structure?
2925         
2926         The abstract interpretation part of the phase will model what's in the heap.
2927         However, it would sometimes model that a CheckStructure would fail. The phase
2928         did nothing special for this; it just stored the empty set of structures for
2929         its representation of a particular allocation. However, what the phase proved
2930         in such a scenario is that, had the CheckStructure executed, it would have exited.
2931         
2932         This patch treats such CheckStructures and MultiGetByOffsets as escape points.
2933         This will cause the allocation in question to be materialized just before
2934         the CheckStructure, and then at execution time, the CheckStructure will exit.
2935         
2936         I wasn't able to write a test case for this. However, I was able to reproduce
2937         this crash by manually editing the IR. I've opened a separate bug to help us
2938         create a testing framework for writing tests for hard to reproduce bugs like this:
2939         https://bugs.webkit.org/show_bug.cgi?id=174322
2940
2941         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2942
2943 2017-07-10  Devin Rousso  <drousso@apple.com>
2944
2945         Web Inspector: Highlight matching CSS canvas clients when hovering contexts in the Resources tab
2946         https://bugs.webkit.org/show_bug.cgi?id=174279
2947
2948         Reviewed by Matt Baker.
2949
2950         * inspector/protocol/DOM.json:
2951         Add `highlightNodeList` command that will highlight each node in the given list.
2952
2953 2017-07-03  Brian Burg  <bburg@apple.com>
2954
2955         Web Replay: remove some unused code
2956         https://bugs.webkit.org/show_bug.cgi?id=173903
2957
2958         Rubber-stamped by Joseph Pecoraro.
2959
2960         * CMakeLists.txt:
2961         * Configurations/FeatureDefines.xcconfig:
2962         * DerivedSources.make:
2963         * JavaScriptCore.xcodeproj/project.pbxproj:
2964         * inspector/protocol/Replay.json: Removed.
2965         * replay/EmptyInputCursor.h: Removed.
2966         * replay/EncodedValue.cpp: Removed.
2967         * replay/EncodedValue.h: Removed.
2968         * replay/InputCursor.h: Removed.
2969         * replay/JSInputs.json: Removed.
2970         * replay/NondeterministicInput.h: Removed.
2971         * replay/scripts/CodeGeneratorReplayInputs.py: Removed.
2972         * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Removed.
2973         * replay/scripts/tests/expected/fail-on-c-style-enum-no-storage.json-error: Removed.
2974         * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Removed.
2975         * replay/scripts/tests/expected/fail-on-duplicate-input-names.json-error: Removed.
2976         * replay/scripts/tests/expected/fail-on-duplicate-type-names.json-error: Removed.
2977         * replay/scripts/tests/expected/fail-on-enum-type-missing-values.json-error: Removed.
2978         * replay/scripts/tests/expected/fail-on-missing-input-member-name.json-error: Removed.
2979         * replay/scripts/tests/expected/fail-on-missing-input-name.json-error: Removed.
2980         * replay/scripts/tests/expected/fail-on-missing-input-queue.json-error: Removed.
2981         * replay/scripts/tests/expected/fail-on-missing-type-mode.json-error: Removed.
2982         * replay/scripts/tests/expected/fail-on-missing-type-name.json-error: Removed.
2983         * replay/scripts/tests/expected/fail-on-unknown-input-queue.json-error: Removed.
2984         * replay/scripts/tests/expected/fail-on-unknown-member-type.json-error: Removed.
2985         * replay/scripts/tests/expected/fail-on-unknown-type-mode.json-error: Removed.
2986         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp: Removed.
2987         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h: Removed.
2988         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp: Removed.
2989         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h: Removed.
2990         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Removed.
2991         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Removed.
2992         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Removed.
2993         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Removed.
2994         * replay/scripts/tests/expected/generate-event-loop-shape-types.json-error: Removed.
2995         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp: Removed.
2996         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h: Removed.
2997         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp: Removed.
2998         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Removed.
2999         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.cpp: Removed.
3000         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h: Removed.
3001         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp: Removed.
3002         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h: Removed.
3003         * replay/scripts/tests/fail-on-c-style-enum-no-storage.json: Removed.
3004         * replay/scripts/tests/fail-on-duplicate-enum-type.json: Removed.
3005         * replay/scripts/tests/fail-on-duplicate-input-names.json: Removed.
3006         * replay/scripts/tests/fail-on-duplicate-type-names.json: Removed.
3007         * replay/scripts/tests/fail-on-enum-type-missing-values.json: Removed.
3008         * replay/scripts/tests/fail-on-missing-input-member-name.json: Removed.
3009         * replay/scripts/tests/fail-on-missing-input-name.json: Removed.
3010         * replay/scripts/tests/fail-on-missing-input-queue.json: Removed.
3011         * replay/scripts/tests/fail-on-missing-type-mode.json: Removed.
3012         * replay/scripts/tests/fail-on-missing-type-name.json: Removed.
3013         * replay/scripts/tests/fail-on-unknown-input-queue.json: Removed.
3014         * replay/scripts/tests/fail-on-unknown-member-type.json: Removed.
3015         * replay/scripts/tests/fail-on-unknown-type-mode.json: Removed.
3016         * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json: Removed.
3017         * replay/scripts/tests/generate-enum-encoding-helpers.json: Removed.
3018         * replay/scripts/tests/generate-enum-with-guard.json: Removed.
3019         * replay/scripts/tests/generate-enums-with-same-base-name.json: Removed.
3020         * replay/scripts/tests/generate-event-loop-shape-types.json: Removed.
3021         * replay/scripts/tests/generate-input-with-guard.json: Removed.
3022         * replay/scripts/tests/generate-input-with-vector-members.json: Removed.
3023         * replay/scripts/tests/generate-inputs-with-flags.json: Removed.
3024         * replay/scripts/tests/generate-memoized-type-modes.json: Removed.
3025         * runtime/DateConstructor.cpp:
3026         (JSC::constructDate):
3027         (JSC::dateNow):
3028         (JSC::deterministicCurrentTime): Deleted.
3029         * runtime/JSGlobalObject.cpp:
3030         (JSC::JSGlobalObject::JSGlobalObject):
3031         (JSC::JSGlobalObject::setInputCursor): Deleted.
3032         * runtime/JSGlobalObject.h:
3033         (JSC::JSGlobalObject::inputCursor): Deleted.
3034
3035 2017-07-10  Carlos Garcia Campos  <cgarcia@igalia.com>
3036
3037         Move make-js-file-arrays.py from WebCore to JavaScriptCore
3038         https://bugs.webkit.org/show_bug.cgi?id=174024
3039
3040         Reviewed by Michael Catanzaro.
3041
3042         It's currently used only by WebCore, but it depends on other JavaScriptCore scripts and it's not WebCore
3043         specific at all. I plan to use it to compile the JavaScript atoms used by the WebDriver implementation.
3044         Added command line option to pass the namespace to use instead of using WebCore.
3045
3046         * JavaScriptCore.xcodeproj/project.pbxproj:
3047         * Scripts/make-js-file-arrays.py: Renamed from Source/WebCore/Scripts/make-js-file-arrays.py.
3048         (main):
3049
3050 2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3051
3052         [JSC] Drop LineNumberAdder since we no longer treat <LF><CR> (not <CR><LF>) as one line terminator
3053         https://bugs.webkit.org/show_bug.cgi?id=174296
3054
3055         Reviewed by Mark Lam.
3056
3057         Previously, we treated <LF><CR> as one line terminator. So we increased the line number by one.
3058         It caused a problem in scanning template literals. While template literals normalize
3059         <LF><CR> to <LF><LF>, we still needed to increase line number by only one.
3060         To handle it correctly, LineNumberAdder is introduced.
3061
3062         As of r219263, <LF><CR> is counted as two line terminators. So we do not need to have
3063         LineNumberAdder. Let's just use shiftLineTerminator() instead.
3064
3065         * parser/Lexer.cpp:
3066         (JSC::Lexer<T>::parseTemplateLiteral):
3067         (JSC::LineNumberAdder::LineNumberAdder): Deleted.
3068         (JSC::LineNumberAdder::clear): Deleted.
3069         (JSC::LineNumberAdder::add): Deleted.
3070
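The entry above, together with the 2017-07-07 entry "\n\r is not the same as \r\n" further down, fixes line counting so that <CR><LF> is one LineTerminatorSequence and <LF><CR> is two. The block below is an added illustration in plain JavaScript, not JSC's Lexer.cpp: `countLineTerminators` applies the ECMAScript LineTerminatorSequence rule (LF, CR not followed by LF, LS, PS, and CR LF as a unit), `lineOf` maps a character offset to a line number with it, and `cookedTemplateValue` evaluates a constructed template literal so the engine's own normalization of CR and CR LF to LF can be checked against the counting rule. All three names are invented here.

```javascript
// Added example (not JSC's lexer): count ECMAScript line terminator
// sequences the way a lexer's line counter must after this change.
const LF = 0x0a, CR = 0x0d, LS = 0x2028, PS = 0x2029;

function isLineTerminator(code) {
  return code === LF || code === CR || code === LS || code === PS;
}

// Number of LineTerminatorSequences in `src`: <CR><LF> is one sequence,
// <LF><CR> is two, so the two orders advance the line counter differently.
function countLineTerminators(src) {
  let count = 0;
  for (let i = 0; i < src.length; i++) {
    const c = src.charCodeAt(i);
    if (!isLineTerminator(c)) continue;
    // A CR immediately followed by LF is consumed as a single sequence;
    // this is the shiftLineTerminator rule. An LF followed by CR is not.
    if (c === CR && src.charCodeAt(i + 1) === LF) i++;
    count++;
  }
  return count;
}

// 1-based line number of the character at `offset`, derived from the same rule.
function lineOf(src, offset) {
  return 1 + countLineTerminators(src.slice(0, offset));
}

// Cooked value of a template literal whose source contains the given raw
// characters. The engine normalizes <CR> and <CR><LF> to <LF> (the TV of a
// LineTerminatorSequence), so <LF><CR> in the source cooks to <LF><LF>:
// two line terminators in, two out, matching countLineTerminators.
// eval is used only to hand a constructed literal to the engine's lexer.
function cookedTemplateValue(rawSource) {
  return eval('`' + rawSource + '`');
}

// Returns true when the engine's cooked string contains exactly as many
// LF characters as the counting rule says the raw source had sequences.
function normalizationAgreesWithCount(rawSource) {
  const cooked = cookedTemplateValue(rawSource);
  const lfCount = cooked.split('\n').length - 1;
  return lfCount === countLineTerminators(rawSource);
}
```

`normalizationAgreesWithCount('a\n\rb')` is the case the entry describes: the cooked string is `"a\n\nb"` and the counter reports 2, so no separate LineNumberAdder is needed to keep the two in step.
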
3071 2017-07-09  Dan Bernstein  <mitz@apple.com>
3072
3073         [Xcode] ICU headers aren’t treated as system headers after r219155
3074         https://bugs.webkit.org/show_bug.cgi?id=174299
3075
3076         Reviewed by Sam Weinig.
3077
3078         * Configurations/JavaScriptCore.xcconfig: Pass --system-header-prefix=unicode/ to the C and
3079           C++ compilers.
3080
3081         * runtime/IntlCollator.cpp: Removed documentation warning suppression.
3082         * runtime/IntlDateTimeFormat.cpp: Ditto.
3083         * runtime/JSGlobalObject.cpp: Ditto.
3084         * runtime/StringPrototype.cpp: Ditto.
3085
3086 2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3087
3088         [JSC] Use fastMalloc / fastFree for STL containers
3089         https://bugs.webkit.org/show_bug.cgi?id=174297
3090
3091         Reviewed by Sam Weinig.
3092
3093         In some places, we intentionally use STL containers over WTF containers.
3094         For example, we sometimes use std::unordered_{set,map} instead of WTF::Hash{Set,Map}
3095         because we do not have effective empty / deleted representations in the space of key's value.
3096         But just using STL container means using libc's malloc instead of our fast malloc (bmalloc if it is enabled).
3097
3098         We introduce WTF::FastAllocator. This is a C++ allocator implementation using fastMalloc and fastFree.
3099         We specify this allocator to STL containers' template parameter to allocate memory from fastMalloc.
3100
3101         This WTF::FastAllocator gives us a chance to use STL containers if it is necessary
3102         without compromising memory allocation throughput.
3103
3104         * dfg/DFGGraph.h:
3105         * dfg/DFGIntegerCheckCombiningPhase.cpp:
3106         * ftl/FTLLowerDFGToB3.cpp:
3107         (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
3108         * runtime/FunctionHasExecutedCache.h:
3109         * runtime/TypeLocationCache.h:
3110
3111 2017-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3112
3113         Drop NOSNIFF compile flag
3114         https://bugs.webkit.org/show_bug.cgi?id=174289
3115
3116         Reviewed by Michael Catanzaro.
3117
3118         * Configurations/FeatureDefines.xcconfig:
3119
3120 2017-07-07  AJ Ringer  <aringer@apple.com>
3121
3122         Lower the max_protection for the separated heap
3123         https://bugs.webkit.org/show_bug.cgi?id=174281
3124
3125         Reviewed by Oliver Hunt.
3126
3127         Switch to vm_protect so we can set maximum page protection.
3128
3129         * jit/ExecutableAllocator.cpp:
3130         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
3131         (JSC::ExecutableAllocator::allocate):
3132
3133 2017-07-07  Devin Rousso  <drousso@apple.com>
3134
3135         Web Inspector: Show all elements currently using a given CSS Canvas
3136         https://bugs.webkit.org/show_bug.cgi?id=173965
3137
3138         Reviewed by Joseph Pecoraro.
3139
3140         * inspector/protocol/Canvas.json:
3141          - Add `requestCSSCanvasClientNodes` command for getting the node IDs of all nodes using this
3142            canvas via -webkit-canvas.
3143          - Add `cssCanvasClientNodesChanged` event that is dispatched whenever a node is
3144            added/removed from the list of -webkit-canvas clients.
3145
3146 2017-07-07  Mark Lam  <mark.lam@apple.com>
3147
3148         \n\r is not the same as \r\n.
3149         https://bugs.webkit.org/show_bug.cgi?id=173053
3150
3151         Reviewed by Keith Miller.
3152
3153         * parser/Lexer.cpp:
3154         (JSC::Lexer<T>::shiftLineTerminator):
3155         (JSC::LineNumberAdder::add):
3156
3157 2017-07-07  Commit Queue  <commit-queue@webkit.org>
3158
3159         Unreviewed, rolling out r219238, r219239, and r219241.
3160         https://bugs.webkit.org/show_bug.cgi?id=174265
3161
3162         "fast/workers/dedicated-worker-lifecycle.html is flaky"
3163         (Requested by yusukesuzuki on #webkit).
3164
3165         Reverted changesets:
3166
3167         "[WTF] Implement WTF::ThreadGroup"
3168         https://bugs.webkit.org/show_bug.cgi?id=174081
3169         http://trac.webkit.org/changeset/219238
3170
3171         "Unreviewed, build fix after r219238"
3172         https://bugs.webkit.org/show_bug.cgi?id=174081
3173         http://trac.webkit.org/changeset/219239
3174
3175         "Unreviewed, CLoop build fix after r219238"
3176         https://bugs.webkit.org/show_bug.cgi?id=174081
3177         http://trac.webkit.org/changeset/219241
3178
3179 2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>
3180
3181         Unreviewed, CLoop build fix after r219238
3182         https://bugs.webkit.org/show_bug.cgi?id=174081
3183
3184         * heap/MachineStackMarker.cpp:
3185
3186 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
3187
3188         [WTF] Implement WTF::ThreadGroup
3189         https://bugs.webkit.org/show_bug.cgi?id=174081
3190
3191         Reviewed by Mark Lam.
3192
3193         A large part of MachineThreads is now removed and replaced with WTF::ThreadGroup.
3194         And SamplingProfiler and others interact with WTF::Thread directly.
3195
3196         * API/tests/ExecutionTimeLimitTest.cpp:
3197         * heap/MachineStackMarker.cpp:
3198         (JSC::MachineThreads::MachineThreads):
3199         (JSC::captureStack):
3200         (JSC::MachineThreads::tryCopyOtherThreadStack):
3201         (JSC::MachineThreads::tryCopyOtherThreadStacks):
3202         (JSC::MachineThreads::gatherConservativeRoots):
3203         (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
3204         (JSC::ActiveMachineThreadsManager::add): Deleted.
3205         (JSC::ActiveMachineThreadsManager::remove): Deleted.
3206         (JSC::ActiveMachineThreadsManager::contains): Deleted.
3207         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
3208         (JSC::activeMachineThreadsManager): Deleted.
3209         (JSC::MachineThreads::~MachineThreads): Deleted.
3210         (JSC::MachineThreads::addCurrentThread): Deleted.
3211         (): Deleted.
3212         (JSC::MachineThreads::removeThread): Deleted.
3213         (JSC::MachineThreads::removeThreadIfFound): Deleted.
3214         (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
3215         (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
3216         (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
3217         (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
3218         (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
3219         (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
3220         (JSC::MachineThreads::MachineThread::captureStack): Deleted.
3221         * heap/MachineStackMarker.h:
3222         (JSC::MachineThreads::addCurrentThread):
3223         (JSC::MachineThreads::getLock):
3224         (JSC::MachineThreads::threads):
3225         (JSC::MachineThreads::MachineThread::suspend): Deleted.
3226         (JSC::MachineThreads::MachineThread::resume): Deleted.
3227         (JSC::MachineThreads::MachineThread::threadID): Deleted.
3228         (JSC::MachineThreads::MachineThread::stackBase): Deleted.
3229         (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
3230         (JSC::MachineThreads::threadsListHead): Deleted.
3231         * runtime/SamplingProfiler.cpp:
3232         (JSC::FrameWalker::isValidFramePointer):
3233         (JSC::SamplingProfiler::SamplingProfiler):
3234         (JSC::SamplingProfiler::takeSample):
3235         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
3236         * runtime/SamplingProfiler.h:
3237         * wasm/WasmMachineThreads.cpp:
3238         (JSC::Wasm::resetInstructionCacheOnAllThreads):
3239
3240 2017-07-06  Saam Barati  <sbarati@apple.com>
3241
3242         We are missing places where we invalidate the for-in context
3243         https://bugs.webkit.org/show_bug.cgi?id=174184
3244
3245         Reviewed by Geoffrey Garen.
3246
3247         * bytecompiler/BytecodeGenerator.cpp:
3248         (JSC::BytecodeGenerator::invalidateForInContextForLocal):
3249         * bytecompiler/NodesCodegen.cpp:
3250         (JSC::EmptyLetExpression::emitBytecode):
3251         (JSC::ForInNode::emitLoopHeader):
3252         (JSC::ForOfNode::emitBytecode):
3253         (JSC::BindingNode::bindValue):
3254
3255 2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>
3256
3257         Unreviewed, suppress warnings in GCC environment
3258
3259         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3260         * runtime/IntlCollator.cpp:
3261         * runtime/IntlDateTimeFormat.cpp:
3262         * runtime/JSGlobalObject.cpp:
3263         * runtime/StringPrototype.cpp:
3264
3265 2017-07-05  Saam Barati  <sbarati@apple.com>
3266
3267         NewArray in FTLLowerDFGToB3 does not handle speculating on doubles when having a bad time
3268         https://bugs.webkit.org/show_bug.cgi?id=174188
3269         <rdar://problem/30581423>
3270
3271         Reviewed by Mark Lam.
3272
3273         We were calling lowJSValue(edge) when we were speculating the
3274         edge as double. This isn't allowed. We should have been using
3275         lowDouble.
3276         
3277         This patch also adds a new option, called useArrayAllocationProfiling,
3278         which defaults to true. When false, it will make the array allocation
3279         profile not actually sample seen arrays. It'll force the allocation
3280         profile's predicted indexing type to be ArrayWithUndecided. Adding
3281         this option made it trivial to write a test for this bug.
3282
3283         * bytecode/ArrayAllocationProfile.cpp:
3284         (JSC::ArrayAllocationProfile::updateIndexingType):
3285         * ftl/FTLLowerDFGToB3.cpp:
3286         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
3287         * runtime/Options.h:
3288
3289 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
3290
3291         WTF::Thread should have the threads stack bounds.
3292         https://bugs.webkit.org/show_bug.cgi?id=173975
3293
3294         Reviewed by Keith Miller.
3295
3296         There is a site in JSC that tries to walk another thread's stack.
3297         Currently, stack bounds are stored in WTFThreadData which is located
3298         in TLS. Thus, only the thread itself can access its own WTFThreadData.
3299         We workaround this situation by holding StackBounds in MachineThread in JSC,
3300         but StackBounds should be put in WTF::Thread instead.
3301
3302         This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
3303         information is tightly coupled with Thread. Thus putting it in WTF::Thread
3304         is a natural choice.
3305
3306         * heap/MachineStackMarker.cpp:
3307         (JSC::MachineThreads::MachineThread::MachineThread):
3308         (JSC::MachineThreads::MachineThread::captureStack):
3309         * heap/MachineStackMarker.h:
3310         (JSC::MachineThreads::MachineThread::stackBase):
3311         (JSC::MachineThreads::MachineThread::stackEnd):
3312         * runtime/InitializeThreading.cpp:
3313         (JSC::initializeThreading):
3314         * runtime/VM.cpp:
3315         (JSC::VM::VM):
3316         (JSC::VM::updateStackLimits):
3317         (JSC::VM::committedStackByteCount):
3318         * runtime/VM.h:
3319         (JSC::VM::isSafeToRecurse):
3320         * runtime/VMEntryScope.cpp:
3321         (JSC::VMEntryScope::VMEntryScope):
3322         * runtime/VMInlines.h:
3323         (JSC::VM::ensureStackCapacityFor):
3324         * runtime/VMTraps.cpp:
3325         * yarr/YarrPattern.cpp:
3326         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
3327
3328 2017-07-05  Keith Miller  <keith_miller@apple.com>
3329
3330         Crashing with information should have an abort reason
3331         https://bugs.webkit.org/show_bug.cgi?id=174185
3332
3333         Reviewed by Saam Barati.
3334
3335         Add crash information for the abstract interpreter and add an enum
3336         value for object allocation sinking.
3337
3338         * assembler/AbortReason.h:
3339         * dfg/DFGAbstractInterpreterInlines.h:
3340         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
3341         * dfg/DFGGraph.cpp:
3342         (JSC::DFG::logDFGAssertionFailure):
3343         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3344
3345 2017-07-03  Myles C. Maxfield  <mmaxfield@apple.com>
3346
3347         Remove copy of ICU headers from WebKit
3348         https://bugs.webkit.org/show_bug.cgi?id=116407
3349
3350         Reviewed by Alex Christensen.
3351
3352         Use WTF's copy of ICU headers.
3353
3354         * Configurations/Base.xcconfig:
3355         * icu/unicode/localpointer.h: Removed.
3356         * icu/unicode/parseerr.h: Removed.
3357         * icu/unicode/platform.h: Removed.
3358         * icu/unicode/ptypes.h: Removed.
3359         * icu/unicode/putil.h: Removed.
3360         * icu/unicode/uchar.h: Removed.
3361         * icu/unicode/ucnv.h: Removed.
3362         * icu/unicode/ucnv_err.h: Removed.
3363         * icu/unicode/ucol.h: Removed.
3364         * icu/unicode/uconfig.h: Removed.
3365         * icu/unicode/ucurr.h: Removed.
3366         * icu/unicode/uenum.h: Removed.
3367         * icu/unicode/uiter.h: Removed.
3368         * icu/unicode/uloc.h: Removed.
3369         * icu/unicode/umachine.h: Removed.
3370         * icu/unicode/unorm.h: Removed.
3371         * icu/unicode/unorm2.h: Removed.
3372         * icu/unicode/urename.h: Removed.
3373         * icu/unicode/uscript.h: Removed.
3374         * icu/unicode/uset.h: Removed.
3375         * icu/unicode/ustring.h: Removed.
3376         * icu/unicode/utf.h: Removed.
3377         * icu/unicode/utf16.h: Removed.
3378         * icu/unicode/utf8.h: Removed.
3379         * icu/unicode/utf_old.h: Removed.
3380         * icu/unicode/utypes.h: Removed.
3381         * icu/unicode/uvernum.h: Removed.
3382         * icu/unicode/uversion.h: Removed.
3383         * runtime/IntlCollator.cpp:
3384         * runtime/IntlDateTimeFormat.cpp:
3385         (JSC::IntlDateTimeFormat::partTypeString):
3386         * runtime/JSGlobalObject.cpp:
3387         * runtime/StringPrototype.cpp:
3388         (JSC::normalize):
3389         (JSC::stringProtoFuncNormalize):
3390
3391 2017-07-05  Devin Rousso  <drousso@apple.com>
3392
3393         Web Inspector: Allow users to log any tracked canvas context
3394      &n