WebKit-https.git / Source / JavaScriptCore / ChangeLog (revision 64d9efc9bd0d69225de8cc44f1a65bb939b56b8c)
2017-12-04  JF Bastien  <jfbastien@apple.com>

        Math: don't redundantly check for exceptions, just release scope
        https://bugs.webkit.org/show_bug.cgi?id=180395

        Rubber stamped by Mark Lam.

        Two of the exception checks could just have been exception scope
        releases before the return, which is ever-so-slightly more
        efficient. The same technically applies where we have loops over
        parameters, but doing the scope release there isn't really more
        efficient and is way harder to read.

        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncATan2):
        (JSC::mathProtoFuncPow):

2017-12-04  David Quesada  <david_quesada@apple.com>

        Add a class for parsing application manifests
        https://bugs.webkit.org/show_bug.cgi?id=177973
        rdar://problem/34747949

        Reviewed by Geoffrey Garen.

        * Configurations/FeatureDefines.xcconfig: Add ENABLE_APPLICATION_MANIFEST feature flag.

2017-12-04  JF Bastien  <jfbastien@apple.com>

        Update std::expected to match libc++ coding style
        https://bugs.webkit.org/show_bug.cgi?id=180264

        Reviewed by Alex Christensen.

        Update various uses of Expected.

        * wasm/WasmModule.h:
        * wasm/WasmModuleParser.cpp:
        (JSC::Wasm::ModuleParser::parseImport):
        (JSC::Wasm::ModuleParser::parseTableHelper):
        (JSC::Wasm::ModuleParser::parseTable):
        (JSC::Wasm::ModuleParser::parseMemoryHelper):
        * wasm/WasmParser.h:
        * wasm/generateWasmValidateInlinesHeader.py:
        (loadMacro):
        (storeMacro):
        * wasm/js/JSWebAssemblyModule.cpp:
        (JSC::JSWebAssemblyModule::createStub):
        * wasm/js/JSWebAssemblyModule.h:

2017-12-04  Saam Barati  <sbarati@apple.com>

        We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
        https://bugs.webkit.org/show_bug.cgi?id=180366
        <rdar://problem/35685877>

        Reviewed by Michael Saboff.

        On the TailCall slow path, the CallFrameShuffler will build the frame with
        respect to SP instead of FP. However, this may overwrite slots on the stack
        that are needed if the slow path C call does a stack walk. The slow path
        C call does a stack walk when it throws an exception. This patch fixes
        this bug by ensuring that the top of the stack in the FTL always has enough
        space to allow CallFrameShuffler to build a frame without overwriting any
        items on the stack that are needed when doing a stack walk.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):

2017-12-04  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: provide method for recording CanvasRenderingContext2D from JavaScript
        https://bugs.webkit.org/show_bug.cgi?id=175166
        <rdar://problem/34040740>

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Recording.json:
        Add optional `name` that will be used by the frontend for uniquely identifying the Recording.

        * inspector/JSGlobalObjectConsoleClient.h:
        * inspector/JSGlobalObjectConsoleClient.cpp:
        (Inspector::JSGlobalObjectConsoleClient::record):
        (Inspector::JSGlobalObjectConsoleClient::recordEnd):

        * runtime/ConsoleClient.h:
        * runtime/ConsoleObject.cpp:
        (JSC::ConsoleObject::finishCreation):
        (JSC::consoleProtoFuncRecord):
        (JSC::consoleProtoFuncRecordEnd):

2017-12-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        WTF shouldn't have both Thread and ThreadIdentifier
        https://bugs.webkit.org/show_bug.cgi?id=180308

        Reviewed by Darin Adler.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::tryCopyOtherThreadStacks):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_trace_operand):
        (JSC::LLInt::llint_trace_value):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::traceFunctionPrologue):
        * runtime/ExceptionScope.cpp:
        (JSC::ExceptionScope::unexpectedExceptionMessage):
        * runtime/JSLock.h:
        (JSC::JSLock::currentThreadIsHoldingLock):
        * runtime/VM.cpp:
        (JSC::VM::throwException):
        * runtime/VM.h:
        (JSC::VM::throwingThread const):
        (JSC::VM::clearException):
        * tools/HeapVerifier.cpp:
        (JSC::HeapVerifier::printVerificationHeader):

2017-12-03  Caio Lima  <ticaiolima@gmail.com>

        Rename DestroyFunc to avoid redefinition on unified build
        https://bugs.webkit.org/show_bug.cgi?id=180335

        Reviewed by Filip Pizlo.

        Changing DestroyFunc structures to more specific names to avoid
        conflicts on unified builds.

        * heap/HeapCellType.cpp:
        (JSC::HeapCellType::finishSweep):
        (JSC::HeapCellType::destroy):
        * runtime/JSDestructibleObjectHeapCellType.cpp:
        (JSC::JSDestructibleObjectHeapCellType::finishSweep):
        (JSC::JSDestructibleObjectHeapCellType::destroy):
        * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
        (JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
        (JSC::JSSegmentedVariableObjectHeapCellType::destroy):
        * runtime/JSStringHeapCellType.cpp:
        (JSC::JSStringHeapCellType::finishSweep):
        (JSC::JSStringHeapCellType::destroy):
        * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
        (JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
        (JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):

2017-12-01  JF Bastien  <jfbastien@apple.com>

        JavaScriptCore: missing exception checks in Math functions that take more than one argument
        https://bugs.webkit.org/show_bug.cgi?id=180297
        <rdar://problem/35745556>

        Reviewed by Mark Lam.

        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncATan2):
        (JSC::mathProtoFuncMax):
        (JSC::mathProtoFuncMin):
        (JSC::mathProtoFuncPow):

2017-12-01  Mark Lam  <mark.lam@apple.com>

        Let's scramble ClassInfo pointers in cells.
        https://bugs.webkit.org/show_bug.cgi?id=180291
        <rdar://problem/35807620>

        Reviewed by JF Bastien.

        * API/JSCallbackObject.h:
        * API/JSObjectRef.cpp:
        (classInfoPrivate):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * assembler/MacroAssemblerCodeRef.cpp:
        (JSC::MacroAssemblerCodePtr::initialize): Deleted.
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodePtr:: const):
        (JSC::MacroAssemblerCodePtr::hash const):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
        (JSC::DFG::SpeculativeJIT::compileNewStringObject):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSCScrambledPtr.cpp: Added.
        (JSC::initializeScrambledPtrKeys):
        * runtime/JSCScrambledPtr.h: Added.
        * runtime/JSDestructibleObject.h:
        (JSC::JSDestructibleObject::classInfo const):
        * runtime/JSSegmentedVariableObject.h:
        (JSC::JSSegmentedVariableObject::classInfo const):
        * runtime/Structure.h:
        * runtime/VM.h:

2017-12-01  Brian Burg  <bburg@apple.com>

        Web Inspector: move Inspector::Protocol::Array<T> to JSON namespace
        https://bugs.webkit.org/show_bug.cgi?id=173662

        Reviewed by Joseph Pecoraro.

        Adopt new type names. Fix protocol generator to use correct type names.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::addToFrontend):
        Improve naming and use 'auto' when the type is obvious and repeated.

        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::searchInTextByLines):
        * inspector/ContentSearchUtilities.h:
        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::getProperties):
        (Inspector::InjectedScript::getDisplayableProperties):
        (Inspector::InjectedScript::getInternalProperties):
        (Inspector::InjectedScript::getCollectionEntries):
        (Inspector::InjectedScript::wrapCallFrames const):
        * inspector/InjectedScript.h:
        * inspector/InspectorProtocolTypes.h:
        (Inspector::Protocol::BindingTraits<JSON::ArrayOf<T>>::runtimeCast):
        (Inspector::Protocol::Array::Array): Deleted.
        (Inspector::Protocol::Array::openAccessors): Deleted.
        (Inspector::Protocol::Array::addItem): Deleted.
        (Inspector::Protocol::Array::create): Deleted.
        (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast): Deleted.
        (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType): Deleted.
        Move the implementation out of this file.

        * inspector/ScriptCallStack.cpp:
        (Inspector::ScriptCallStack::buildInspectorArray const):
        * inspector/ScriptCallStack.h:
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::activateExtraDomain):
        (Inspector::InspectorAgent::activateExtraDomains):
        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::getLoggingChannels):
        * inspector/agents/InspectorConsoleAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
        (Inspector::InspectorDebuggerAgent::searchInContent):
        (Inspector::InspectorDebuggerAgent::currentCallFrames):
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getProperties):
        (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
        (Inspector::InspectorRuntimeAgent::getCollectionEntries):
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        (Inspector::InspectorRuntimeAgent::getBasicBlocks):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        (Inspector::buildSamples):
        Use more 'auto' and rename a variable.

        * inspector/scripts/codegen/cpp_generator.py:
        (CppGenerator.cpp_protocol_type_for_type):
        Adopt new type names. This exposed a latent bug where we should have been
        unwrapping an AliasedType prior to generating a C++ type for it. The aliased
        type may be an array, in which case we would have generated the wrong type.

        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        (_generate_typedefs_for_domain.JSON):
        (_generate_typedefs_for_domain.Inspector): Deleted.
        * inspector/scripts/codegen/objc_generator.py:
        (ObjCGenerator.protocol_type_for_type):
        (ObjCGenerator.objc_protocol_export_expression_for_variable):
        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
        Rebaseline.

        * runtime/TypeSet.cpp:
        (JSC::TypeSet::allStructureRepresentations const):
        (JSC::StructureShape::inspectorRepresentation):
        * runtime/TypeSet.h:

2017-12-01  Saam Barati  <sbarati@apple.com>

        Having a bad time needs to handle ArrayClass indexing type as well
        https://bugs.webkit.org/show_bug.cgi?id=180274
        <rdar://problem/35667869>

        Reviewed by Keith Miller and Mark Lam.

        We need to make sure to transition ArrayClass to SlowPutArrayStorage as well.
        Otherwise, we'll end up with the wrong Structure, which will lead us to not
        adhere to the spec. The bug was that we were not considering ArrayClass inside
        hasBrokenIndexing. This patch rewrites that function to automatically opt
        in non-empty indexing types as broken, instead of having to opt out all
        non-empty indexing types besides SlowPutArrayStorage.

        * runtime/IndexingType.h:
        (JSC::hasSlowPutArrayStorage):
        (JSC::shouldUseSlowPut):
        * runtime/JSGlobalObject.cpp:
        * runtime/JSObject.cpp:
        (JSC::JSObject::switchToSlowPutArrayStorage):

2017-12-01  JF Bastien  <jfbastien@apple.com>

        WebAssembly: stack trace improvement follow-ups
        https://bugs.webkit.org/show_bug.cgi?id=180273

        Reviewed by Saam Barati.

        * wasm/WasmIndexOrName.cpp:
        (JSC::Wasm::makeString):
        * wasm/WasmIndexOrName.h:
        (JSC::Wasm::IndexOrName::nameSection const):
        * wasm/WasmNameSection.h:
        (JSC::Wasm::NameSection::NameSection):
        (JSC::Wasm::NameSection::get):

2017-12-01  JF Bastien  <jfbastien@apple.com>

        WebAssembly: restore cached stack limit after out-call
        https://bugs.webkit.org/show_bug.cgi?id=179106
        <rdar://problem/35337525>

        Reviewed by Saam Barati.

        We cache the stack limit on the Instance so that we can do fast
        stack checks where required. In regular usage the stack limit
        never changes because we always run on the same thread, but in
        rare cases an API user can totally migrate which thread (and
        therefore stack) is used for execution between WebAssembly
        traces. For that reason we set the cached stack limit to
        UINTPTR_MAX on the outgoing Instance when transitioning back into
        a different Instance. We usually restore the cached stack limit in
        Context::store, but this wasn't called on all code paths. We had a
        bug where an Instance calling into itself indirectly would
        therefore fail to restore its cached stack limit properly.

        This patch therefore restores the cached stack limit after direct
        calls which could be to imports (both wasm->wasm and
        wasm->embedder). We have to do all of them because we have no way
        of knowing what imports will do (they're known at instantiation
        time, not compilation time, and different instances can have
        different imports). To make this efficient we also add a pointer
        to the canonical location of the stack limit (i.e. the extra
        indirection we're trying to save by caching the stack limit on the
        Instance in the first place). This is potentially a small perf hit
        on imported direct calls.

        It's hard to say what the performance cost will be because we
        haven't seen much code in the wild which does this. We're adding
        two dependent loads and a store of the loaded value, which is
        unlikely to get used soon after. It's more code, but on an
        out-of-order processor it doesn't contribute to the critical path.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
        (JSC::Wasm::B3IRGenerator::addGrowMemory):
        (JSC::Wasm::B3IRGenerator::addCall):
        (JSC::Wasm::B3IRGenerator::addCallIndirect):
        * wasm/WasmInstance.cpp:
        (JSC::Wasm::Instance::Instance):
        (JSC::Wasm::Instance::create):
        * wasm/WasmInstance.h:
        (JSC::Wasm::Instance::offsetOfPointerToActualStackLimit):
        (JSC::Wasm::Instance::cachedStackLimit const):
        (JSC::Wasm::Instance::setCachedStackLimit):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):

2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use JSFixedArray for op_new_array_buffer
        https://bugs.webkit.org/show_bug.cgi?id=180084

        Reviewed by Saam Barati.

        For op_new_array_buffer, we have a special constant buffer in CodeBlock.
        But using JSFixedArray is better because,

        1. In DFG, we have special hashing mechanism to avoid duplicating constant buffer from the same CodeBlock.
           If we use JSFixedArray, this is unnecessary since JSFixedArray is handled just as JS constant.

        2. In a subsequent patch[1], we would like to support Spread(PhantomNewArrayBuffer). If NewArrayBuffer
           has JSFixedArray, we can just emit a held JSFixedArray.

        3. We can reduce length of op_new_array_buffer since JSFixedArray holds this.

        4. We can fold NewArrayBufferData into uint64_t. No need to maintain a bag of NewArrayBufferData in DFG.

        5. We do not need to look up constant buffer from CodeBlock if buffer data is necessary. Our NewArrayBuffer
           DFG node has JSFixedArray as its cellOperand. This makes materializing PhantomNewArrayBuffer easy, which
           will be introduced in [1].

        [1]: https://bugs.webkit.org/show_bug.cgi?id=179762

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numberOfConstantBuffers const): Deleted.
        (JSC::CodeBlock::addConstantBuffer): Deleted.
        (JSC::CodeBlock::constantBufferAsVector): Deleted.
        (JSC::CodeBlock::constantBuffer): Deleted.
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::shrinkToFit):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::constantBufferCount): Deleted.
        (JSC::UnlinkedCodeBlock::addConstantBuffer): Deleted.
        (JSC::UnlinkedCodeBlock::constantBuffer const): Deleted.
        (JSC::UnlinkedCodeBlock::constantBuffer): Deleted.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitNewArray):
        (JSC::BytecodeGenerator::addConstantBuffer): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ConstantBufferKey::ConstantBufferKey): Deleted.
        (JSC::DFG::ConstantBufferKey::operator== const): Deleted.
        (JSC::DFG::ConstantBufferKey::hash const): Deleted.
        (JSC::DFG::ConstantBufferKey::isHashTableDeletedValue const): Deleted.
        (JSC::DFG::ConstantBufferKey::codeBlock const): Deleted.
        (JSC::DFG::ConstantBufferKey::index const): Deleted.
        (JSC::DFG::ConstantBufferKeyHash::hash): Deleted.
        (JSC::DFG::ConstantBufferKeyHash::equal): Deleted.
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasNewArrayBufferData):
        (JSC::DFG::Node::newArrayBufferData):
        (JSC::DFG::Node::hasVectorLengthHint):
        (JSC::DFG::Node::vectorLengthHint):
        (JSC::DFG::Node::indexingType):
        (JSC::DFG::Node::hasCellOperand):
        (JSC::DFG::Node::OpInfoWrapper::operator=):
        (JSC::DFG::Node::OpInfoWrapper::asNewArrayBufferData const):
        (JSC::DFG::Node::hasConstantBuffer): Deleted.
        (JSC::DFG::Node::startConstant): Deleted.
        (JSC::DFG::Node::numConstants): Deleted.
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_array_buffer): Deleted.
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * llint/LLIntSlowPaths.cpp:
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * runtime/JSFixedArray.cpp:
        (JSC::JSFixedArray::dumpToStream):
        * runtime/JSFixedArray.h:
        (JSC::JSFixedArray::create):
        (JSC::JSFixedArray::get const):
        (JSC::JSFixedArray::set):
        (JSC::JSFixedArray::buffer const):
        (JSC::JSFixedArray::values const):
        (JSC::JSFixedArray::length const):
        (JSC::JSFixedArray::get): Deleted.

2017-11-30  JF Bastien  <jfbastien@apple.com>

        WebAssembly: improve stack trace
        https://bugs.webkit.org/show_bug.cgi?id=179343

        Reviewed by Saam Barati.

        Stack traces now include:

          - Module name, if provided by the name section.
          - Module SHA1 hash if no name was provided
          - Stub identification, to differentiate from user code
          - Slightly different naming to match design from:
              https://github.com/WebAssembly/design/blob/master/Web.md#developer-facing-display-conventions

        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::functionName const):
        * runtime/StackFrame.cpp:
        (JSC::StackFrame::functionName const):
        (JSC::StackFrame::visitChildren):
        * wasm/WasmIndexOrName.cpp:
        (JSC::Wasm::IndexOrName::IndexOrName):
        (JSC::Wasm::makeString):
        * wasm/WasmIndexOrName.h:
        (JSC::Wasm::IndexOrName::nameSection const):
        * wasm/WasmModuleInformation.cpp:
        (JSC::Wasm::ModuleInformation::ModuleInformation):
        * wasm/WasmModuleInformation.h:
        * wasm/WasmNameSection.h:
        (JSC::Wasm::NameSection::NameSection):
        (JSC::Wasm::NameSection::get):
        * wasm/WasmNameSectionParser.cpp:
        (JSC::Wasm::NameSectionParser::parse):

2017-11-30  Stephan Szabo  <stephan.szabo@sony.com>

        Make LegacyCustomProtocolManager optional for network process
        https://bugs.webkit.org/show_bug.cgi?id=176230

        Reviewed by Alex Christensen.

        * Configurations/FeatureDefines.xcconfig:

2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove easy toRemove & map.remove() use in OAS phase
        https://bugs.webkit.org/show_bug.cgi?id=180208

        Reviewed by Mark Lam.

        In this patch, we replace Vector<> toRemove & map.remove loop with removeIf,
        to optimize this common pattern. This patch only modifies apparent ones.
        But we can apply this refactoring further to OAS phase in the future.

        One thing we should be careful about is that the predicate of removeIf should
        not touch the removing set itself. In this patch, we apply this change to
        (1) apparently correct ones and (2) things in DFG OAS phase since it is very slow.

        * b3/B3MoveConstants.cpp:
        * dfg/DFGObjectAllocationSinkingPhase.cpp:

2017-11-30  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r225362.
        https://bugs.webkit.org/show_bug.cgi?id=180225

        removeIf predicate function can touch remove target set
        (Requested by yusukesuzuki on #webkit).

        Reverted changeset:

        "[JSC] Remove easy toRemove & map.remove() use"
        https://bugs.webkit.org/show_bug.cgi?id=180208
        https://trac.webkit.org/changeset/225362

2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use AllocatorIfExists for MaterializeNewObject
        https://bugs.webkit.org/show_bug.cgi?id=180189

        Reviewed by Filip Pizlo.

        I don't think anyone guarantees this allocator exists at this phase.
        And nullptr allocator just works here. We change AllocatorForMode
        to AllocatorIfExists to accept nullptr for allocator.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):

2017-11-30  Mark Lam  <mark.lam@apple.com>

        Let's scramble MacroAssemblerCodePtr values.
        https://bugs.webkit.org/show_bug.cgi?id=180169
        <rdar://problem/35758340>

        Reviewed by Filip Pizlo, Saam Barati, and JF Bastien.

        1. MacroAssemblerCodePtr now stores a ScrambledPtr instead of a void*.

        2. MacroAssemblerCodePtr's executableAddress() and dataLocation() now take a
           template argument type that will be used to cast the result.  This makes the
           client code that uses these functions a little less verbose.

        3. Change the code base in general to minimize passing void* code pointers around.
           We now pass MacroAssemblerCodePtr as much as possible, and descramble it only
           at the last moment when we need the underlying code pointer.

        4. Added some MasmScrambledPtr paranoid asserts that are disabled (not built) by
           default.  I'm leaving them in because they are instrumental in finding bugs
           where not all MacroAssemblerCodePtr values were scrambled as expected.
           I expect them to be useful in the near future as we add more scrambling.

        5. Also disable the casting operator on MacroAssemblerCodePtr (except for
           explicit casts to a boolean).  This ensures that clients will always explicitly
           use scrambledBits() or executableAddress() to get a value based on which value
           they actually need.

        6. Added currentThread() id to the logging in LLIntSlowPath trace functions.
           This was helpful when debugging tests that ran multiple VMs concurrently on
           different threads.

        MacroAssemblerCodePtr is currently supported on 64-bit builds (including the
        CLoop).  It is not yet supported in 32-bit and Windows because we don't
        currently have a way to read a global variable from their LLInt code.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
        (JSC::AbstractMacroAssembler::linkPointer):
        * assembler/CodeLocation.h:
        (JSC::CodeLocationCommon::instructionAtOffset):
        (JSC::CodeLocationCommon::labelAtOffset):
        (JSC::CodeLocationCommon::jumpAtOffset):
        (JSC::CodeLocationCommon::callAtOffset):
        (JSC::CodeLocationCommon::nearCallAtOffset):
        (JSC::CodeLocationCommon::dataLabelPtrAtOffset):
        (JSC::CodeLocationCommon::dataLabel32AtOffset):
        (JSC::CodeLocationCommon::dataLabelCompactAtOffset):
        (JSC::CodeLocationCommon::convertibleLoadAtOffset):
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::finalizeCodeWithDisassembly):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::link):
        (JSC::LinkBuffer::patch):
        * assembler/MacroAssemblerCodeRef.cpp:
        (JSC::MacroAssemblerCodePtr::initialize):
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::FunctionPtr::FunctionPtr):
        (JSC::FunctionPtr::value const):
        (JSC::FunctionPtr::executableAddress const):
        (JSC::ReturnAddressPtr::ReturnAddressPtr):
        (JSC::ReturnAddressPtr::value const):
        (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
        (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
        (JSC::MacroAssemblerCodePtr::scrambledPtr const):
        (JSC::MacroAssemblerCodePtr:: const):
        (JSC::MacroAssemblerCodePtr::operator! const):
        (JSC::MacroAssemblerCodePtr::operator bool const):
        (JSC::MacroAssemblerCodePtr::operator== const):
        (JSC::MacroAssemblerCodePtr::hash const):
        (JSC::MacroAssemblerCodePtr::emptyValue):
        (JSC::MacroAssemblerCodePtr::deletedValue):
        (JSC::MacroAssemblerCodePtr::executableAddress const): Deleted.
        (JSC::MacroAssemblerCodePtr::dataLocation const): Deleted.
        * b3/B3LowerMacros.cpp:
        * b3/testb3.cpp:
        (JSC::B3::testInterpreter):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::dumpDisassembly):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
        (JSC::DFG::SpeculativeJIT::emitSwitchImm):
        (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
        (JSC::DFG::SpeculativeJIT::emitSwitchChar):
        * dfg/DFGSpeculativeJIT.h:
        * disassembler/Disassembler.cpp:
        (JSC::disassemble):
        * disassembler/UDis86Disassembler.cpp:
        (JSC::tryToDisassembleWithUDis86):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::executableAddressAtOffset):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
        * interpreter/InterpreterInlines.h:
        (JSC::Interpreter::getOpcodeID):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitMathICFast):
        (JSC::JIT::emitMathICSlow):
        * jit/JITCode.cpp:
        (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
        (JSC::JITCodeWithCodeRef::dataAddressAtOffset):
        (JSC::JITCodeWithCodeRef::offsetOf):
        * jit/JITDisassembler.cpp:
        (JSC::JITDisassembler::dumpDisassembly):
        * jit/PCToCodeOriginMap.cpp:
        (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
        * jit/Repatch.cpp:
        (JSC::ftlThunkAwareRepatchCall):
        * jit/ThunkGenerators.cpp:
        (JSC::virtualThunkFor):
        (JSC::boundThisNoArgsFunctionCallGenerator):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_trace_operand):
        (JSC::LLInt::llint_trace_value):
        (JSC::LLInt::handleHostCall):
        (JSC::LLInt::setUpCall):
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/cloop.rb:
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::complete):
        * wasm/WasmCallee.h:
        (JSC::Wasm::Callee::entrypoint const):
710         * wasm/WasmCodeBlock.cpp:
711         (JSC::Wasm::CodeBlock::CodeBlock):
712         * wasm/WasmOMGPlan.cpp:
713         (JSC::Wasm::OMGPlan::work):
714         * wasm/js/WasmToJS.cpp:
715         (JSC::Wasm::wasmToJS):
716         * wasm/js/WebAssemblyFunction.cpp:
717         (JSC::callWebAssemblyFunction):
718         * wasm/js/WebAssemblyFunction.h:
719         * wasm/js/WebAssemblyWrapperFunction.cpp:
720         (JSC::WebAssemblyWrapperFunction::create):
721
722 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
723
724         [JSC] Remove easy toRemove & map.remove() use
725         https://bugs.webkit.org/show_bug.cgi?id=180208
726
727         Reviewed by Mark Lam.
728
729         In this patch, we replace the Vector<> toRemove & map.remove loop with removeIf,
730         to optimize this common pattern. This patch only modifies the apparent ones,
731         but we can apply this refactoring further to the OAS phase in the future.
732
733         * b3/B3MoveConstants.cpp:
734         * dfg/DFGArgumentsEliminationPhase.cpp:
735         * dfg/DFGObjectAllocationSinkingPhase.cpp:
736         * wasm/WasmSignature.cpp:
737         (JSC::Wasm::SignatureInformation::tryCleanup):
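        The two-pass "collect into toRemove, then erase" pattern the entry above replaces,
        beside the single-pass form, as an added example. This is not JSC's code and not
        WTF's removeIf; it uses std::map so it runs stand-alone, and Entry, Table and the
        sample contents are constructed for the illustration.

```cpp
#include <cassert>
#include <cstddef>
#include <map>
#include <string>
#include <vector>

// Constructed stand-in for a table entry that can become dead, e.g. a signature whose
// reference count dropped to zero. Added illustration, not JSC's data structures.
struct Entry {
    int refCount;
};

bool operator==(const Entry& a, const Entry& b) { return a.refCount == b.refCount; }

using Table = std::map<std::string, Entry>;

// Before: collect the keys to drop into a temporary vector, then erase them in a
// second loop. Two passes over the data and an extra allocation per cleanup.
std::size_t cleanupTwoPass(Table& table)
{
    std::vector<std::string> toRemove;
    for (const auto& pair : table) {
        if (pair.second.refCount == 0)
            toRemove.push_back(pair.first);
    }
    for (const auto& key : toRemove)
        table.erase(key);
    return toRemove.size();
}

// After: erase while iterating in a single pass. std::map::erase(iterator) returns
// the next valid iterator, so nothing is skipped and no temporary vector is needed.
// This is the job WTF's removeIf does for the containers named in the entry.
std::size_t cleanupRemoveIf(Table& table)
{
    std::size_t removed = 0;
    for (auto it = table.begin(); it != table.end();) {
        if (it->second.refCount == 0) {
            it = table.erase(it);
            ++removed;
        } else {
            ++it;
        }
    }
    return removed;
}

// Constructed sample: three live entries and two dead ones.
Table makeSampleTable()
{
    return { { "a", { 2 } }, { "b", { 0 } }, { "c", { 1 } }, { "d", { 0 } }, { "e", { 3 } } };
}

// Number of dead entries the single-pass cleanup drops from the sample.
std::size_t deadEntriesInSample()
{
    Table table = makeSampleTable();
    return cleanupRemoveIf(table);
}

// The refactoring must be behavior-preserving: same count removed, same survivors.
bool strategiesAgree()
{
    Table first = makeSampleTable();
    Table second = makeSampleTable();
    std::size_t removedFirst = cleanupTwoPass(first);
    std::size_t removedSecond = cleanupRemoveIf(second);
    return removedFirst == removedSecond && first == second;
}
```

        strategiesAgree() is the check worth keeping around when applying this refactoring
        elsewhere: it catches the classic single-pass mistake of incrementing the iterator
        after erase and skipping an element.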
738
739 2017-11-29  Yusuke Suzuki  <utatane.tea@gmail.com>
740
741         [JSC] Use getEffectiveAddress more in JSC
742         https://bugs.webkit.org/show_bug.cgi?id=180154
743
744         Reviewed by Mark Lam.
745
746         We can use MacroAssembler::getEffectiveAddress for stack height calculation.
747         We also add a MacroAssembler::negPtr(src, dest) variation.
748
749         * assembler/MacroAssembler.h:
750         (JSC::MacroAssembler::negPtr):
751         * assembler/MacroAssemblerARM.h:
752         (JSC::MacroAssemblerARM::neg32):
753         * assembler/MacroAssemblerARM64.h:
754         (JSC::MacroAssemblerARM64::neg32):
755         (JSC::MacroAssemblerARM64::neg64):
756         * assembler/MacroAssemblerARMv7.h:
757         (JSC::MacroAssemblerARMv7::neg32):
758         * assembler/MacroAssemblerMIPS.h:
759         (JSC::MacroAssemblerMIPS::neg32):
760         * assembler/MacroAssemblerX86Common.h:
761         (JSC::MacroAssemblerX86Common::neg32):
762         * assembler/MacroAssemblerX86_64.h:
763         (JSC::MacroAssemblerX86_64::neg64):
764         * dfg/DFGThunks.cpp:
765         (JSC::DFG::osrEntryThunkGenerator):
766         * ftl/FTLLowerDFGToB3.cpp:
767         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
768         * jit/SetupVarargsFrame.cpp:
769         (JSC::emitSetVarargsFrame):
770
771 2017-11-30  Mark Lam  <mark.lam@apple.com>
772
773         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
774         https://bugs.webkit.org/show_bug.cgi?id=180219
775         <rdar://problem/35696536>
776
777         Reviewed by Filip Pizlo.
778
779         * jsc.cpp:
780         (functionFlashHeapAccess):
781
782 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
783
784         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
785         https://bugs.webkit.org/show_bug.cgi?id=180190
786
787         Reviewed by Mark Lam.
788
789         If the DFG HasIndexedProperty node observes a negative index, it goes to a slow
790         path by calling operationHasIndexedProperty. The problem is that
791         operationHasIndexedProperty does not account for a negative index: the negative
792         index was used as a uint32 array index.
793
794         In this patch we add a path for negative indices in operationHasIndexedProperty
795         and rename it to operationHasIndexedPropertyByInt to make the intention clear.
796         We also move operationHasIndexedPropertyByInt from JITOperations to DFGOperations
797         since it is only used in DFG and FTL.
798
799         While fixing this bug, we found that our op_in does not record OutOfBound feedback.
800         This causes repeated OSR exits and significantly regresses performance. We opened
801         a bug to track this issue [1].
802
803         [1]: https://bugs.webkit.org/show_bug.cgi?id=180192
804
805         * dfg/DFGOperations.cpp:
806         * dfg/DFGOperations.h:
807         * dfg/DFGSpeculativeJIT32_64.cpp:
808         (JSC::DFG::SpeculativeJIT::compile):
809         * dfg/DFGSpeculativeJIT64.cpp:
810         (JSC::DFG::SpeculativeJIT::compile):
811         * ftl/FTLLowerDFGToB3.cpp:
812         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
813         * jit/JITOperations.cpp:
814         * jit/JITOperations.h:
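        The signed-to-unsigned index mistake described in the entry above, beside the shape
        of the fix, as an added example. This is not JSC's operationHasIndexedProperty or
        its replacement; ToyArray, the two helper functions and the sample contents are
        constructed for the illustration.

```cpp
#include <cassert>
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// Constructed stand-in for a JS array-like object: dense indexed storage plus named
// properties. Added illustration, not JSC's JSObject or its butterfly.
struct ToyArray {
    std::vector<int> indexed;           // valid array indices are 0 .. size()-1
    std::map<std::string, int> named;   // "-1" and other non-index keys live here
};

// Buggy shape described in the entry: the int32 index is reinterpreted as uint32
// before the bounds check, so -1 becomes 4294967295 and the lookup silently answers
// "not present" even when the object really has a "-1" property.
bool hasIndexedPropertyUnsigned(const ToyArray& array, int32_t index)
{
    uint32_t unsignedIndex = static_cast<uint32_t>(index);
    return unsignedIndex < array.indexed.size();
}

// Fixed shape: a negative value is never an array index, so it takes a separate path
// that consults the named properties under its string key. Non-negative values keep
// the cheap bounds check.
bool hasIndexedPropertyByInt(const ToyArray& array, int32_t index)
{
    if (index < 0)
        return array.named.count(std::to_string(index)) != 0;
    return static_cast<uint32_t>(index) < array.indexed.size();
}

// Constructed sample: three dense elements and a named "-1" property.
ToyArray makeSampleArray()
{
    ToyArray array;
    array.indexed = { 10, 20, 30 };
    array.named["-1"] = 99;
    return array;
}
```

        The general lesson carries beyond this operation: whenever a JS-visible int32 is
        narrowed into an unsigned index, the negative half of the range needs its own
        branch before the cast, or the fast path quietly disagrees with the generic one.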
815
816 2017-11-30  Michael Saboff  <msaboff@apple.com>
817
818         Allow JSC command line tool to accept UTF8
819         https://bugs.webkit.org/show_bug.cgi?id=180205
820
821         Reviewed by Keith Miller.
822
823         This unifies the UTF8 handling of interactive mode with that of source files.
824
825         * jsc.cpp:
826         (runInteractive):
827
828 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
829
830         REGRESSION(r225314): [Linux] More than 2000 jsc tests are failing after r225314
831         https://bugs.webkit.org/show_bug.cgi?id=180185
832
833         Reviewed by Carlos Garcia Campos.
834
835         After r225314, we started using AllocatorForMode::MustAlreadyHaveAllocator for JSRopeString's allocatorFor.
836         But it is different from the original code used before r225314. Since DFGSpeculativeJIT::emitAllocateJSCell
837         can accept a nullptr allocator, the behavior of the original code is AllocatorForMode::AllocatorIfExists.
838         And JSRopeString's allocator may not exist at this point if no JSRopeString has been allocated yet. But a MakeRope
839         DFG node can be emitted if we see that an untaken path includes String + String code.
840
841         This patch fixes Linux JSC crashes by changing JSRopeString's AllocatorForMode to AllocatorIfExists.
842         As a result, the only user of AllocatorForMode::MustAlreadyHaveAllocator is MaterializeNewObject in FTL.
843         I'm not sure why this condition (MustAlreadyHaveAllocator) is ensured. But this code is the same as the
844         original code used before r225314.
845
846         * dfg/DFGSpeculativeJIT.cpp:
847         (JSC::DFG::SpeculativeJIT::compileMakeRope):
848         * ftl/FTLLowerDFGToB3.cpp:
849         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
850
851 2017-11-28  Filip Pizlo  <fpizlo@apple.com>
852
853         CodeBlockSet::deleteUnmarkedAndUnreferenced can be a little more efficient
854         https://bugs.webkit.org/show_bug.cgi?id=180108
855
856         Reviewed by Saam Barati.
857         
858         This was creating a vector of things to remove and then removing them. I think I remember writing
859         this code, and I did that because at the time we did not have removeAllMatching, which is
860         definitely better. This is a minuscule optimization for Speedometer. I wanted to land this
861         obvious improvement before I did more fundamental things to this code.
862
863         * heap/CodeBlockSet.cpp:
864         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
865
866 2017-11-29  Filip Pizlo  <fpizlo@apple.com>
867
868         GC should support isoheaps
869         https://bugs.webkit.org/show_bug.cgi?id=179288
870
871         Reviewed by Saam Barati.
872         
873         This expands the power of the Subspace API in JSC:
874         
875         - Everything associated with describing the types of objects is now part of the HeapCellType class.
876           We have different HeapCellTypes for different destruction strategies. Any Subspace can use any
877           HeapCellType; these are orthogonal things.
878         
879         - There are now two variants of Subspace: CompleteSubspace, which can allocate any size objects using
880           any AlignedMemoryAllocator; and IsoSubspace, which can allocate just one size of object and uses a
881           special virtual memory pool for that purpose. Like bmalloc's IsoHeap, IsoSubspace hoards virtual
882           pages but releases the physical pages as part of the respective allocator's scavenging policy
883           (the Scavenger in bmalloc for IsoHeap and the incremental sweep and full sweep in Riptide for
884           IsoSubspace).
885         
886         So far, this patch just puts subtypes of ExecutableBase in IsoSubspaces. If it works, we can use it
887         for more things.
888         
889         This does not have any effect on JetStream (0.18% faster with p = 0.69).
890
891         * JavaScriptCore.xcodeproj/project.pbxproj:
892         * Sources.txt:
893         * bytecode/AccessCase.cpp:
894         (JSC::AccessCase::generateImpl):
895         * bytecode/ObjectAllocationProfileInlines.h:
896         (JSC::ObjectAllocationProfile::initializeProfile):
897         * dfg/DFGSpeculativeJIT.cpp:
898         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
899         (JSC::DFG::SpeculativeJIT::compileMakeRope):
900         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
901         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
902         * dfg/DFGSpeculativeJIT64.cpp:
903         (JSC::DFG::SpeculativeJIT::compile):
904         * ftl/FTLAbstractHeapRepository.h:
905         * ftl/FTLLowerDFGToB3.cpp:
906         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
907         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
908         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
909         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
910         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
911         * heap/AlignedMemoryAllocator.cpp:
912         (JSC::AlignedMemoryAllocator::registerAllocator):
913         (JSC::AlignedMemoryAllocator::registerSubspace):
914         * heap/AlignedMemoryAllocator.h:
915         (JSC::AlignedMemoryAllocator::firstAllocator const):
916         * heap/AllocationFailureMode.h: Added.
917         * heap/CompleteSubspace.cpp: Added.
918         (JSC::CompleteSubspace::CompleteSubspace):
919         (JSC::CompleteSubspace::~CompleteSubspace):
920         (JSC::CompleteSubspace::allocatorFor):
921         (JSC::CompleteSubspace::allocate):
922         (JSC::CompleteSubspace::allocateNonVirtual):
923         (JSC::CompleteSubspace::allocatorForSlow):
924         (JSC::CompleteSubspace::allocateSlow):
925         (JSC::CompleteSubspace::tryAllocateSlow):
926         * heap/CompleteSubspace.h: Added.
927         (JSC::CompleteSubspace::offsetOfAllocatorForSizeStep):
928         (JSC::CompleteSubspace::allocatorForSizeStep):
929         (JSC::CompleteSubspace::allocatorForNonVirtual):
930         * heap/HeapCellType.cpp: Added.
931         (JSC::HeapCellType::HeapCellType):
932         (JSC::HeapCellType::~HeapCellType):
933         (JSC::HeapCellType::finishSweep):
934         (JSC::HeapCellType::destroy):
935         * heap/HeapCellType.h: Added.
936         (JSC::HeapCellType::attributes const):
937         * heap/IsoAlignedMemoryAllocator.cpp: Added.
938         (JSC::IsoAlignedMemoryAllocator::IsoAlignedMemoryAllocator):
939         (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
940         (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
941         (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
942         (JSC::IsoAlignedMemoryAllocator::dump const):
943         * heap/IsoAlignedMemoryAllocator.h: Added.
944         * heap/IsoSubspace.cpp: Added.
945         (JSC::IsoSubspace::IsoSubspace):
946         (JSC::IsoSubspace::~IsoSubspace):
947         (JSC::IsoSubspace::allocatorFor):
948         (JSC::IsoSubspace::allocatorForNonVirtual):
949         (JSC::IsoSubspace::allocate):
950         (JSC::IsoSubspace::allocateNonVirtual):
951         * heap/IsoSubspace.h: Added.
952         (JSC::IsoSubspace::size const):
953         * heap/MarkedAllocator.cpp:
954         (JSC::MarkedAllocator::MarkedAllocator):
955         (JSC::MarkedAllocator::setSubspace):
956         (JSC::MarkedAllocator::allocateSlowCase):
957         (JSC::MarkedAllocator::tryAllocateSlowCase): Deleted.
958         (JSC::MarkedAllocator::allocateSlowCaseImpl): Deleted.
959         * heap/MarkedAllocator.h:
960         (JSC::MarkedAllocator::nextAllocatorInAlignedMemoryAllocator const):
961         (JSC::MarkedAllocator::setNextAllocatorInAlignedMemoryAllocator):
962         * heap/MarkedAllocatorInlines.h:
963         (JSC::MarkedAllocator::allocate):
964         (JSC::MarkedAllocator::tryAllocate): Deleted.
965         * heap/MarkedBlock.h:
966         * heap/MarkedBlockInlines.h:
967         (JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType):
968         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace): Deleted.
969         * heap/MarkedSpace.cpp:
970         (JSC::MarkedSpace::addMarkedAllocator):
971         * heap/MarkedSpace.h:
972         * heap/Subspace.cpp:
973         (JSC::Subspace::Subspace):
974         (JSC::Subspace::initialize):
975         (JSC::Subspace::finishSweep):
976         (JSC::Subspace::destroy):
977         (JSC::Subspace::prepareForAllocation):
978         (JSC::Subspace::findEmptyBlockToSteal):
979         (): Deleted.
980         (JSC::Subspace::allocate): Deleted.
981         (JSC::Subspace::tryAllocate): Deleted.
982         (JSC::Subspace::allocatorForSlow): Deleted.
983         (JSC::Subspace::allocateSlow): Deleted.
984         (JSC::Subspace::tryAllocateSlow): Deleted.
985         (JSC::Subspace::didAllocate): Deleted.
986         * heap/Subspace.h:
987         (JSC::Subspace::heapCellType const):
988         (JSC::Subspace::nextSubspaceInAlignedMemoryAllocator const):
989         (JSC::Subspace::setNextSubspaceInAlignedMemoryAllocator):
990         (JSC::Subspace::offsetOfAllocatorForSizeStep): Deleted.
991         (JSC::Subspace::allocatorForSizeStep): Deleted.
992         (JSC::Subspace::tryAllocatorFor): Deleted.
993         (JSC::Subspace::allocatorFor): Deleted.
994         * jit/AssemblyHelpers.h:
995         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
996         (JSC::AssemblyHelpers::emitAllocateVariableSized):
997         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
998         * jit/JITOpcodes.cpp:
999         (JSC::JIT::emit_op_new_object):
1000         * runtime/ButterflyInlines.h:
1001         (JSC::Butterfly::createUninitialized):
1002         (JSC::Butterfly::tryCreate):
1003         (JSC::Butterfly::growArrayRight):
1004         * runtime/DirectArguments.cpp:
1005         (JSC::DirectArguments::overrideThings):
1006         * runtime/DirectArguments.h:
1007         (JSC::DirectArguments::subspaceFor):
1008         * runtime/DirectEvalExecutable.h:
1009         * runtime/EvalExecutable.h:
1010         * runtime/ExecutableBase.h:
1011         (JSC::ExecutableBase::subspaceFor):
1012         * runtime/FunctionExecutable.h:
1013         * runtime/GenericArgumentsInlines.h:
1014         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
1015         * runtime/HashMapImpl.h:
1016         (JSC::HashMapBuffer::create):
1017         * runtime/IndirectEvalExecutable.h:
1018         * runtime/JSArray.cpp:
1019         (JSC::JSArray::tryCreateUninitializedRestricted):
1020         (JSC::JSArray::unshiftCountSlowCase):
1021         * runtime/JSArray.h:
1022         (JSC::JSArray::tryCreate):
1023         * runtime/JSArrayBufferView.cpp:
1024         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1025         * runtime/JSCell.h:
1026         (JSC::subspaceFor):
1027         * runtime/JSCellInlines.h:
1028         (JSC::JSCell::subspaceFor):
1029         (JSC::tryAllocateCellHelper):
1030         (JSC::allocateCell):
1031         (JSC::tryAllocateCell):
1032         * runtime/JSDestructibleObject.h:
1033         (JSC::JSDestructibleObject::subspaceFor):
1034         * runtime/JSDestructibleObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.cpp.
1035         (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
1036         (JSC::JSDestructibleObjectHeapCellType::~JSDestructibleObjectHeapCellType):
1037         (JSC::JSDestructibleObjectHeapCellType::finishSweep):
1038         (JSC::JSDestructibleObjectHeapCellType::destroy):
1039         (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace): Deleted.
1040         (JSC::JSDestructibleObjectSubspace::~JSDestructibleObjectSubspace): Deleted.
1041         (JSC::JSDestructibleObjectSubspace::finishSweep): Deleted.
1042         (JSC::JSDestructibleObjectSubspace::destroy): Deleted.
1043         * runtime/JSDestructibleObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.h.
1044         * runtime/JSDestructibleObjectSubspace.cpp: Removed.
1045         * runtime/JSDestructibleObjectSubspace.h: Removed.
1046         * runtime/JSLexicalEnvironment.h:
1047         (JSC::JSLexicalEnvironment::subspaceFor):
1048         * runtime/JSSegmentedVariableObject.h:
1049         (JSC::JSSegmentedVariableObject::subspaceFor):
1050         * runtime/JSSegmentedVariableObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.cpp.
1051         (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
1052         (JSC::JSSegmentedVariableObjectHeapCellType::~JSSegmentedVariableObjectHeapCellType):
1053         (JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
1054         (JSC::JSSegmentedVariableObjectHeapCellType::destroy):
1055         (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace): Deleted.
1056         (JSC::JSSegmentedVariableObjectSubspace::~JSSegmentedVariableObjectSubspace): Deleted.
1057         (JSC::JSSegmentedVariableObjectSubspace::finishSweep): Deleted.
1058         (JSC::JSSegmentedVariableObjectSubspace::destroy): Deleted.
1059         * runtime/JSSegmentedVariableObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.h.
1060         * runtime/JSSegmentedVariableObjectSubspace.cpp: Removed.
1061         * runtime/JSSegmentedVariableObjectSubspace.h: Removed.
1062         * runtime/JSString.h:
1063         (JSC::JSString::subspaceFor):
1064         * runtime/JSStringHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.cpp.
1065         (JSC::JSStringHeapCellType::JSStringHeapCellType):
1066         (JSC::JSStringHeapCellType::~JSStringHeapCellType):
1067         (JSC::JSStringHeapCellType::finishSweep):
1068         (JSC::JSStringHeapCellType::destroy):
1069         (JSC::JSStringSubspace::JSStringSubspace): Deleted.
1070         (JSC::JSStringSubspace::~JSStringSubspace): Deleted.
1071         (JSC::JSStringSubspace::finishSweep): Deleted.
1072         (JSC::JSStringSubspace::destroy): Deleted.
1073         * runtime/JSStringHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.h.
1074         * runtime/JSStringSubspace.cpp: Removed.
1075         * runtime/JSStringSubspace.h: Removed.
1076         * runtime/ModuleProgramExecutable.h:
1077         * runtime/NativeExecutable.h:
1078         * runtime/ProgramExecutable.h:
1079         * runtime/RegExpMatchesArray.h:
1080         (JSC::tryCreateUninitializedRegExpMatchesArray):
1081         * runtime/ScopedArguments.h:
1082         (JSC::ScopedArguments::subspaceFor):
1083         * runtime/VM.cpp:
1084         (JSC::VM::VM):
1085         * runtime/VM.h:
1086         (JSC::VM::gigacageAuxiliarySpace):
1087         * wasm/js/JSWebAssemblyCodeBlock.h:
1088         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.cpp.
1089         (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
1090         (JSC::JSWebAssemblyCodeBlockHeapCellType::~JSWebAssemblyCodeBlockHeapCellType):
1091         (JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
1092         (JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):
1093         (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace): Deleted.
1094         (JSC::JSWebAssemblyCodeBlockSubspace::~JSWebAssemblyCodeBlockSubspace): Deleted.
1095         (JSC::JSWebAssemblyCodeBlockSubspace::finishSweep): Deleted.
1096         (JSC::JSWebAssemblyCodeBlockSubspace::destroy): Deleted.
1097         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.h.
1098         * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp: Removed.
1099         * wasm/js/JSWebAssemblyCodeBlockSubspace.h: Removed.
1100         * wasm/js/JSWebAssemblyMemory.h:
1101         (JSC::JSWebAssemblyMemory::subspaceFor):
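        The property the IsoSubspace description above is after, one object size per pool so
        a freed cell can only ever be reused by an object of that same size, as an added
        illustration. This toy IsoPool is not JSC's IsoSubspace or IsoAlignedMemoryAllocator;
        it models the idea with a bump pointer and a free list, and the pool sizes and
        isolationHolds() are constructed for the example.

```cpp
#include <cassert>
#include <cstddef>
#include <vector>

// Constructed single-size pool: every cell is exactly cellSize bytes and all cells
// come from one private buffer. Added illustration, not JSC's heap code.
class IsoPool {
public:
    IsoPool(std::size_t cellSize, std::size_t cellCount)
        : m_cellSize(cellSize), m_storage(cellSize * cellCount) { }

    // Prefer a recycled cell; otherwise bump-allocate from the buffer.
    void* allocate()
    {
        if (!m_freeList.empty()) {
            void* cell = m_freeList.back();
            m_freeList.pop_back();
            return cell;
        }
        if (m_bump + m_cellSize > m_storage.size())
            return nullptr;                     // exhausted; a real heap would grow here
        void* cell = m_storage.data() + m_bump;
        m_bump += m_cellSize;
        return cell;
    }

    // A cell only ever returns to the free list of the pool that handed it out.
    void deallocate(void* cell)
    {
        assert(owns(cell));
        m_freeList.push_back(cell);
    }

    bool owns(const void* p) const
    {
        const unsigned char* b = static_cast<const unsigned char*>(p);
        return b >= m_storage.data() && b < m_storage.data() + m_storage.size();
    }

    std::size_t cellSize() const { return m_cellSize; }

private:
    std::size_t m_cellSize;
    std::vector<unsigned char> m_storage;
    std::size_t m_bump = 0;
    std::vector<void*> m_freeList;
};

// Frees a 16-byte cell, then allocates from the 64-byte pool and again from the
// 16-byte pool. Isolation holds when the freed cell is reused only by the pool that
// owns it and the other pool's memory never overlaps it.
bool isolationHolds()
{
    IsoPool small(16, 8);
    IsoPool large(64, 8);
    void* a = small.allocate();
    void* b = large.allocate();
    small.deallocate(a);
    void* c = large.allocate();   // must not land on the freed small cell
    void* d = small.allocate();   // free list hands the small cell back
    return d == a && c != a && b != c
        && small.owns(d) && large.owns(c) && !large.owns(a) && !small.owns(b);
}
```

        In a general-purpose heap, the cell freed as `a` could be handed to any later
        allocation of a compatible size; a size-segregated pool narrows that to objects
        of the same size, which is what makes a dangling reference to `a` less useful.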
1102
1103 2017-11-29  Saam Barati  <sbarati@apple.com>
1104
1105         Remove pointer caging for double arrays
1106         https://bugs.webkit.org/show_bug.cgi?id=180163
1107
1108         Reviewed by Mark Lam.
1109
1110         This patch removes pointer caging from double arrays. Like
1111         my previous removals of pointer caging, this is a security vs
1112         performance tradeoff. We believe that butterflies being allocated
1113         in the cage and with a 32GB runway gives us enough security that
1114         pointer caging the butterfly just for double arrays does not add
1115         enough security benefit for the performance hit it incurs.
1116         
1117         This patch also removes the GetButterflyWithoutCaging node and
1118         the FixedButterflyAccessUncaging phase. The node is no longer needed
1119         because now all GetButterfly nodes are not caged. The phase is removed
1120         since we no longer have two nodes.
1121
1122         * dfg/DFGAbstractInterpreterInlines.h:
1123         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1124         * dfg/DFGArgumentsEliminationPhase.cpp:
1125         * dfg/DFGClobberize.h:
1126         (JSC::DFG::clobberize):
1127         * dfg/DFGDoesGC.cpp:
1128         (JSC::DFG::doesGC):
1129         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Removed.
1130         * dfg/DFGFixedButterflyAccessUncagingPhase.h: Removed.
1131         * dfg/DFGFixupPhase.cpp:
1132         (JSC::DFG::FixupPhase::fixupNode):
1133         * dfg/DFGHeapLocation.cpp:
1134         (WTF::printInternal):
1135         * dfg/DFGHeapLocation.h:
1136         * dfg/DFGNodeType.h:
1137         * dfg/DFGPlan.cpp:
1138         (JSC::DFG::Plan::compileInThreadImpl):
1139         * dfg/DFGPredictionPropagationPhase.cpp:
1140         * dfg/DFGSafeToExecute.h:
1141         (JSC::DFG::safeToExecute):
1142         * dfg/DFGSpeculativeJIT.cpp:
1143         (JSC::DFG::SpeculativeJIT::compileSpread):
1144         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1145         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
1146         * dfg/DFGSpeculativeJIT32_64.cpp:
1147         (JSC::DFG::SpeculativeJIT::compile):
1148         * dfg/DFGSpeculativeJIT64.cpp:
1149         (JSC::DFG::SpeculativeJIT::compile):
1150         * dfg/DFGTypeCheckHoistingPhase.cpp:
1151         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
1152         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
1153         * ftl/FTLCapabilities.cpp:
1154         (JSC::FTL::canCompile):
1155         * ftl/FTLLowerDFGToB3.cpp:
1156         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1157         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
1158         * jit/JITPropertyAccess.cpp:
1159         (JSC::JIT::emitDoubleLoad):
1160         (JSC::JIT::emitGenericContiguousPutByVal):
1161         * runtime/Butterfly.h:
1162         (JSC::Butterfly::pointer):
1163         (JSC::Butterfly::contiguousDouble):
1164         (JSC::Butterfly::caged): Deleted.
1165         * runtime/ButterflyInlines.h:
1166         (JSC::Butterfly::createOrGrowPropertyStorage):
1167         * runtime/JSObject.cpp:
1168         (JSC::JSObject::ensureLengthSlow):
1169         (JSC::JSObject::reallocateAndShrinkButterfly):
1170
1171 2017-11-29  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
1172
1173         [MIPS][JSC] Implement MacroAssembler::probe support on MIPS
1174         https://bugs.webkit.org/show_bug.cgi?id=175447
1175
1176         Reviewed by Carlos Alberto Lopez Perez.
1177
1178         This patch allows DFG JIT to be enabled on MIPS platforms.
1179
1180         * Sources.txt:
1181         * assembler/MIPSAssembler.h:
1182         (JSC::MIPSAssembler::lastSPRegister):
1183         (JSC::MIPSAssembler::numberOfSPRegisters):
1184         (JSC::MIPSAssembler::sprName):
1185         * assembler/MacroAssemblerMIPS.cpp: Added.
1186         (JSC::MacroAssembler::probe):
1187         * assembler/ProbeContext.cpp:
1188         (JSC::Probe::executeProbe):
1189         * assembler/ProbeContext.h:
1190         (JSC::Probe::CPUState::pc):
1191         * assembler/testmasm.cpp:
1192         (JSC::isSpecialGPR):
1193         (JSC::testProbePreservesGPRS):
1194         (JSC::testProbeModifiesStackPointer):
1195         (JSC::testProbeModifiesStackValues):
1196
1197 2017-11-29  Matt Lewis  <jlewis3@apple.com>
1198
1199         Unreviewed, rolling out r225286.
1200
1201         The source files within this patch have been marked as
1202         executable.
1203
1204         Reverted changeset:
1205
1206         "[MIPS][JSC] Implement MacroAssembler::probe support on MIPS"
1207         https://bugs.webkit.org/show_bug.cgi?id=175447
1208         https://trac.webkit.org/changeset/225286
1209
1210 2017-11-29  Alex Christensen  <achristensen@webkit.org>
1211
1212         Fix Mac CMake build.
1213
1214         * PlatformMac.cmake:
1215
1216 2017-11-29  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
1217
1218         [MIPS][JSC] Implement MacroAssembler::probe support on MIPS
1219         https://bugs.webkit.org/show_bug.cgi?id=175447
1220
1221         Reviewed by Carlos Alberto Lopez Perez.
1222
1223         This patch allows DFG JIT to be enabled on MIPS platforms.
1224
1225         * Sources.txt:
1226         * assembler/MIPSAssembler.h:
1227         (JSC::MIPSAssembler::lastSPRegister):
1228         (JSC::MIPSAssembler::numberOfSPRegisters):
1229         (JSC::MIPSAssembler::sprName):
1230         * assembler/MacroAssemblerMIPS.cpp: Added.
1231         (JSC::MacroAssembler::probe):
1232         * assembler/ProbeContext.cpp:
1233         (JSC::Probe::executeProbe):
1234         * assembler/ProbeContext.h:
1235         (JSC::Probe::CPUState::pc):
1236         * assembler/testmasm.cpp:
1237         (JSC::isSpecialGPR):
1238         (JSC::testProbePreservesGPRS):
1239         (JSC::testProbeModifiesStackPointer):
1240         (JSC::testProbeModifiesStackValues):
1241
1242 2017-11-28  JF Bastien  <jfbastien@apple.com>
1243
1244         Strict and sloppy functions shouldn't share structure
1245         https://bugs.webkit.org/show_bug.cgi?id=180103
1246         <rdar://problem/35667847>
1247
1248         Reviewed by Saam Barati.
1249
1250         Sloppy and strict functions don't act the same when it comes to
1251         arguments, caller, and callee. Sharing a structure means that
1252         anything that is cached gets shared, and that's incorrect.
1253
1254         * dfg/DFGAbstractInterpreterInlines.h:
1255         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1256         * dfg/DFGSpeculativeJIT.cpp:
1257         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1258         * ftl/FTLLowerDFGToB3.cpp:
1259         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
1260         * runtime/FunctionConstructor.cpp:
1261         (JSC::constructFunctionSkippingEvalEnabledCheck):
1262         * runtime/JSFunction.cpp:
1263         (JSC::JSFunction::create): the second ::create is always strict
1264         because it applies to native functions.
1265         * runtime/JSFunctionInlines.h:
1266         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
1267         * runtime/JSGlobalObject.cpp:
1268         (JSC::JSGlobalObject::init):
1269         (JSC::JSGlobalObject::visitChildren):
1270         * runtime/JSGlobalObject.h:
1271         (JSC::JSGlobalObject::strictFunctionStructure const):
1272         (JSC::JSGlobalObject::sloppyFunctionStructure const):
1273         (JSC::JSGlobalObject::nativeStdFunctionStructure const):
1274         (JSC::JSGlobalObject::functionStructure const): Deleted. Renamed.
1275         (JSC::JSGlobalObject::namedFunctionStructure const): Deleted. Drive-by, unused.
1276
1277 2017-11-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1278
1279         [JSC] Add MacroAssembler::getEffectiveAddress in all platforms
1280         https://bugs.webkit.org/show_bug.cgi?id=180070
1281
1282         Reviewed by Saam Barati.
1283
1284         This patch adds getEffectiveAddress in all JIT platforms.
1285         This is an abstracted version of x86 lea.
1286
1287         We also fix a bug in Yarr that uses branch32 instead of branchPtr for addresses.
1288
1289         * assembler/MacroAssemblerARM.h:
1290         (JSC::MacroAssemblerARM::getEffectiveAddress):
1291         * assembler/MacroAssemblerARM64.h:
1292         (JSC::MacroAssemblerARM64::getEffectiveAddress):
1293         (JSC::MacroAssemblerARM64::getEffectiveAddress64): Deleted.
1294         * assembler/MacroAssemblerARMv7.h:
1295         (JSC::MacroAssemblerARMv7::getEffectiveAddress):
1296         * assembler/MacroAssemblerMIPS.h:
1297         (JSC::MacroAssemblerMIPS::getEffectiveAddress):
1298         * assembler/MacroAssemblerX86.h:
1299         (JSC::MacroAssemblerX86::getEffectiveAddress):
1300         * assembler/MacroAssemblerX86_64.h:
1301         (JSC::MacroAssemblerX86_64::getEffectiveAddress):
1302         (JSC::MacroAssemblerX86_64::getEffectiveAddress64): Deleted.
1303         * assembler/testmasm.cpp:
1304         (JSC::testGetEffectiveAddress):
1305         (JSC::run):
1306         * dfg/DFGSpeculativeJIT.cpp:
1307         (JSC::DFG::SpeculativeJIT::compileArrayPush):
1308         * yarr/YarrJIT.cpp:
1309         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
1310         (JSC::Yarr::YarrGenerator::tryReadUnicodeChar):
1311
1312 2017-11-29  Robin Morisset  <rmorisset@apple.com>
1313
1314         The recursive tail call optimisation is wrong on closures
1315         https://bugs.webkit.org/show_bug.cgi?id=179835
1316
1317         Reviewed by Saam Barati.
1318
1319         The problem is that we only check the executable of the callee, not whatever variables might have been captured.
1320         As a stopgap measure this patch just does not do the optimisation for closures.
1321
1322         * dfg/DFGByteCodeParser.cpp:
1323         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
1324
1325 2017-11-28  Joseph Pecoraro  <pecoraro@apple.com>
1326
1327         Web Inspector: Clean up Inspector classes to be more consistent about using fast malloc / noncopyable
1328         https://bugs.webkit.org/show_bug.cgi?id=180119
1329
1330         Reviewed by Devin Rousso.
1331
1332         * inspector/InjectedScriptManager.h:
1333         * inspector/JSGlobalObjectScriptDebugServer.h:
1334         * inspector/agents/InspectorHeapAgent.h:
1335         * inspector/agents/InspectorRuntimeAgent.h:
1336         * inspector/agents/InspectorScriptProfilerAgent.h:
1337         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
1338
1339 2017-11-28  Joseph Pecoraro  <pecoraro@apple.com>
1340
1341         ServiceWorker Inspector: Frontend changes to support Network tab and sub resources
1342         https://bugs.webkit.org/show_bug.cgi?id=179642
1343         <rdar://problem/35517704>
1344
1345         Reviewed by Brian Burg.
1346
1347         * inspector/protocol/Network.json:
1348         Expose the NetworkAgent for a Service Worker inspector.
1349
1350 2017-11-28  Brian Burg  <bburg@apple.com>
1351
1352         [Cocoa] Clean up names of conversion methods after renaming InspectorValue to JSON::Value
1353         https://bugs.webkit.org/show_bug.cgi?id=179696
1354
1355         Reviewed by Timothy Hatcher.
1356
1357         * inspector/scripts/codegen/generate_objc_header.py:
1358         (ObjCHeaderGenerator._generate_type_interface):
1359         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1360         (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
1361         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_protocol_object):
1362         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_json_object): Deleted.
1363         * inspector/scripts/codegen/objc_generator.py:
1364         (ObjCGenerator.protocol_type_for_raw_name):
1365         (ObjCGenerator.objc_protocol_export_expression_for_variable):
1366         (ObjCGenerator.objc_protocol_export_expression_for_variable.is):
1367         (ObjCGenerator.objc_protocol_import_expression_for_variable):
1368         (ObjCGenerator.objc_protocol_import_expression_for_variable.is):
1369         (ObjCGenerator.objc_to_protocol_expression_for_member.is):
1370         (ObjCGenerator.objc_to_protocol_expression_for_member):
1371         (ObjCGenerator.protocol_to_objc_expression_for_member.is):
1372         (ObjCGenerator.protocol_to_objc_expression_for_member):
1373         (ObjCGenerator.protocol_to_objc_code_block_for_object_member):
1374         (ObjCGenerator.objc_setter_method_for_member_internal):
1375         (ObjCGenerator.objc_getter_method_for_member_internal):
1376         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
1377         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1378         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1379         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
1380         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
1381         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
1382         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1383         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1384         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
1385         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
1386
1387 2017-11-27  JF Bastien  <jfbastien@apple.com>
1388
1389         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
1390         https://bugs.webkit.org/show_bug.cgi?id=180051
1391         <rdar://problem/35614371>
1392
1393         Reviewed by Saam Barati.
1394
1395         Checking for int32 isn't sufficient when uint32 is expected
1396         afterwards. While we're here, also use Checked<>.
1397
1398         * dfg/DFGAbstractInterpreterInlines.h:
1399         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
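
The signed/unsigned mismatch this entry describes, shown as an added illustration (example code, not JavaScriptCore's): `CheckedInt`, `restLengthSignedCheckOnly` and `restLengthUnsignedAware` are stand-ins invented for this example, and the rest-parameter arithmetic is a simplified model rather than the DFG's. A check that the subtraction fits in int32 lets -1 through; the consumer that expects an unsigned length then sees 0xFFFFFFFF.

```cpp
#include <cassert>
#include <cstdint>
#include <limits>

// Minimal stand-in for a checked-arithmetic wrapper (modelled on the idea of
// WTF::Checked<>, not a copy of it): subtraction that records overflow
// instead of silently wrapping.
template <typename T>
class CheckedInt {
public:
    explicit CheckedInt(T value) : m_value(value) {}

    CheckedInt& operator-=(T rhs)
    {
        T result;
        if (__builtin_sub_overflow(m_value, rhs, &result))
            m_overflowed = true;
        else
            m_value = result;
        return *this;
    }

    bool hasOverflowed() const { return m_overflowed; }
    T unsafeGet() const { return m_value; }

private:
    T m_value;
    bool m_overflowed = false;
};

// Rest-parameter length as an engine would derive it: the number of actual
// arguments minus the number of declared parameters before `...rest`.
// Both parameter names are illustrative, not JSC's.

// Before: the subtraction is proven to fit in int32, but the consumer of the
// result treats it as an unsigned length. Calling `function f(a, b, ...rest)`
// as f(1) gives 1 - 2 = -1, which the cast turns into 0xFFFFFFFF.
static uint32_t restLengthSignedCheckOnly(int32_t argumentCount, int32_t numParametersToSkip)
{
    CheckedInt<int32_t> length(argumentCount);
    length -= numParametersToSkip;
    if (length.hasOverflowed())
        return 0;
    return static_cast<uint32_t>(length.unsafeGet()); // sign is lost here
}

// After: the result is checked against what the consumer actually expects
// (a non-negative count), so a deficit of arguments yields an empty rest
// array, which is what the language specifies.
static uint32_t restLengthUnsignedAware(int32_t argumentCount, int32_t numParametersToSkip)
{
    CheckedInt<int32_t> length(argumentCount);
    length -= numParametersToSkip;
    if (length.hasOverflowed() || length.unsafeGet() < 0)
        return 0;
    return static_cast<uint32_t>(length.unsafeGet());
}

int main()
{
    assert(restLengthSignedCheckOnly(1, 2) == std::numeric_limits<uint32_t>::max());
    assert(restLengthUnsignedAware(1, 2) == 0);
    assert(restLengthUnsignedAware(5, 2) == 3);
    return 0;
}
```

The point of the second variant is that the range check belongs to the type the value is consumed as, not the type it was computed in; an int32 range proof says nothing about a uint32 consumer.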
1400
1401 2017-11-14  Carlos Garcia Campos  <cgarcia@igalia.com>
1402
1403         Move JSONValues to WTF and convert uses of InspectorValues.h to JSONValues.h
1404         https://bugs.webkit.org/show_bug.cgi?id=173793
1405
1406         Reviewed by Joseph Pecoraro.
1407
1408         Based on patch by Brian Burg.
1409
1410         * JavaScriptCore.xcodeproj/project.pbxproj:
1411         * Sources.txt:
1412         * bindings/ScriptValue.cpp:
1413         (Inspector::jsToInspectorValue):
1414         (Inspector::toInspectorValue):
1415         (Deprecated::ScriptValue::toInspectorValue const):
1416         * bindings/ScriptValue.h:
1417         * inspector/AsyncStackTrace.cpp:
1418         * inspector/ConsoleMessage.cpp:
1419         * inspector/ContentSearchUtilities.cpp:
1420         * inspector/DeprecatedInspectorValues.cpp: Added.
1421         * inspector/DeprecatedInspectorValues.h: Added.
1422         Keep the old symbols around in JavaScriptCore so that builds with the
1423         public iOS SDK continue to work. These older SDKs include a version of
1424         WebInspector.framework that expects to find InspectorArray and other
1425         symbols in JavaScriptCore.framework.
1426
1427         * inspector/InjectedScript.cpp:
1428         (Inspector::InjectedScript::getFunctionDetails):
1429         (Inspector::InjectedScript::functionDetails):
1430         (Inspector::InjectedScript::getPreview):
1431         (Inspector::InjectedScript::getProperties):
1432         (Inspector::InjectedScript::getDisplayableProperties):
1433         (Inspector::InjectedScript::getInternalProperties):
1434         (Inspector::InjectedScript::getCollectionEntries):
1435         (Inspector::InjectedScript::saveResult):
1436         (Inspector::InjectedScript::wrapCallFrames const):
1437         (Inspector::InjectedScript::wrapObject const):
1438         (Inspector::InjectedScript::wrapTable const):
1439         (Inspector::InjectedScript::previewValue const):
1440         (Inspector::InjectedScript::setExceptionValue):
1441         (Inspector::InjectedScript::clearExceptionValue):
1442         (Inspector::InjectedScript::inspectObject):
1443         (Inspector::InjectedScript::releaseObject):
1444         * inspector/InjectedScriptBase.cpp:
1445         (Inspector::InjectedScriptBase::makeCall):
1446         (Inspector::InjectedScriptBase::makeEvalCall):
1447         * inspector/InjectedScriptBase.h:
1448         * inspector/InjectedScriptManager.cpp:
1449         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
1450         * inspector/InspectorBackendDispatcher.cpp:
1451         (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
1452         (Inspector::BackendDispatcher::dispatch):
1453         (Inspector::BackendDispatcher::sendResponse):
1454         (Inspector::BackendDispatcher::sendPendingErrors):
1455         (Inspector::BackendDispatcher::getPropertyValue):
1456         (Inspector::castToInteger):
1457         (Inspector::castToNumber):
1458         (Inspector::BackendDispatcher::getInteger):
1459         (Inspector::BackendDispatcher::getDouble):
1460         (Inspector::BackendDispatcher::getString):
1461         (Inspector::BackendDispatcher::getBoolean):
1462         (Inspector::BackendDispatcher::getObject):
1463         (Inspector::BackendDispatcher::getArray):
1464         (Inspector::BackendDispatcher::getValue):
1465         * inspector/InspectorBackendDispatcher.h:
1466         We need to keep around the sendResponse() variant with a parameter that
1467         has the InspectorObject type, as older WebInspector.framework versions
1468         expect this symbol to exist. Introduce a variant with arity 3 that can
1469         be used in TOT so as to avoid having two methods with the same name, arity, and
1470         different parameter types.
1471
1472         When system WebInspector.framework is updated, we can remove the legacy
1473         method variant that uses the InspectorObject type. At that point, we can
1474         transition TOT to use the 2-arity variant, and delete the 3-arity variant
1475         when system WebInspector.framework is updated once more to use the 2-arity one.
1476
1477         * inspector/InspectorProtocolTypes.h:
1478         (Inspector::Protocol::Array::openAccessors):
1479         (Inspector::Protocol::PrimitiveBindingTraits::assertValueHasExpectedType):
1480         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
1481         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
1482         (Inspector::Protocol::BindingTraits<JSON::Value>::assertValueHasExpectedType):
1483         * inspector/ScriptCallFrame.cpp:
1484         * inspector/ScriptCallStack.cpp:
1485         * inspector/agents/InspectorAgent.cpp:
1486         (Inspector::InspectorAgent::inspect):
1487         * inspector/agents/InspectorAgent.h:
1488         * inspector/agents/InspectorDebuggerAgent.cpp:
1489         (Inspector::buildAssertPauseReason):
1490         (Inspector::buildCSPViolationPauseReason):
1491         (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
1492         (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason):
1493         (Inspector::buildObjectForBreakpointCookie):
1494         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
1495         (Inspector::parseLocation):
1496         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
1497         (Inspector::InspectorDebuggerAgent::setBreakpoint):
1498         (Inspector::InspectorDebuggerAgent::continueToLocation):
1499         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
1500         (Inspector::InspectorDebuggerAgent::didParseSource):
1501         (Inspector::InspectorDebuggerAgent::breakProgram):
1502         * inspector/agents/InspectorDebuggerAgent.h:
1503         * inspector/agents/InspectorRuntimeAgent.cpp:
1504         (Inspector::InspectorRuntimeAgent::callFunctionOn):
1505         (Inspector::InspectorRuntimeAgent::saveResult):
1506         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1507         * inspector/agents/InspectorRuntimeAgent.h:
1508         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
1509         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
1510         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
1511         (CppBackendDispatcherImplementationGenerator.generate_output):
1512         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
1513         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
1514         (CppFrontendDispatcherHeaderGenerator.generate_output):
1515         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
1516         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
1517         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
1518         (_generate_unchecked_setter_for_member):
1519         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
1520         (CppProtocolTypesImplementationGenerator):
1521         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1522         (ObjCBackendDispatcherImplementationGenerator.generate_output):
1523         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
1524         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1525         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
1526         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
1527         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
1528         * inspector/scripts/codegen/generate_objc_internal_header.py:
1529         (ObjCInternalHeaderGenerator.generate_output):
1530         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1531         (ObjCProtocolTypesImplementationGenerator.generate_output):
1532         * inspector/scripts/codegen/generator.py:
1533         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
1534         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1535         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1536         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
1537         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
1538         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
1539         * inspector/scripts/tests/generic/expected/enum-values.json-result:
1540         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
1541         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
1542         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
1543         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
1544         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
1545         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
1546         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
1547         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1548         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1549         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
1550         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
1551         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
1552         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
1553
1554 2017-11-28  Robin Morisset  <rmorisset@apple.com>
1555
1556         Support recursive tail call optimization for polymorphic calls
1557         https://bugs.webkit.org/show_bug.cgi?id=178390
1558
1559         Reviewed by Saam Barati.
1560
1561         Comes with a large but fairly simple refactoring: the inlining path for varargs and non-varargs calls now converge a lot later,
1562         eliminating some redundant checks, and simplifying a few parts of the inlining pipeline.
1563
1564         Also removes some dead code from inlineCall(): there was a special path for when m_continuationBlock is null, but it should never be (now checked with RELEASE_ASSERT).
1565
1566         * dfg/DFGByteCodeParser.cpp:
1567         (JSC::DFG::ByteCodeParser::handleCall):
1568         (JSC::DFG::ByteCodeParser::handleVarargsCall):
1569         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
1570         (JSC::DFG::ByteCodeParser::inlineCall):
1571         (JSC::DFG::ByteCodeParser::handleCallVariant):
1572         (JSC::DFG::ByteCodeParser::handleVarargsInlining):
1573         (JSC::DFG::ByteCodeParser::getInliningBalance):
1574         (JSC::DFG::ByteCodeParser::handleInlining):
1575         (JSC::DFG::ByteCodeParser::attemptToInlineCall): Deleted.
1576
1577 2017-11-27  Saam Barati  <sbarati@apple.com>
1578
1579         Spread can escape when CreateRest does not
1580         https://bugs.webkit.org/show_bug.cgi?id=180057
1581         <rdar://problem/35676119>
1582
1583         Reviewed by JF Bastien.
1584
1585         We previously did not handle Spread(PhantomCreateRest) only because I did not
1586         think it was possible to generate this IR. I was wrong. We can generate
1587         such IR when we have a PutStack(Spread) but nothing escapes the CreateRest.
1588         This IR is rare to generate since we normally don't PutStack(Spread) because
1589         the SetLocal almost always gets eliminated because of how our bytecode generates
1590         op_spread. However, there exists a test case showing it is possible. Supporting
1591         this IR pattern in FTLLower is trivial. This patch implements it and rewrites
1592         the Validation rule for Spread.
1593
1594         * dfg/DFGOperations.cpp:
1595         * dfg/DFGOperations.h:
1596         * dfg/DFGValidate.cpp:
1597         * ftl/FTLLowerDFGToB3.cpp:
1598         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
1599         * runtime/JSFixedArray.h:
1600         (JSC::JSFixedArray::tryCreate):
1601
1602 2017-11-27  Don Olmstead  <don.olmstead@sony.com>
1603
1604         [CMake][Win] Conditionally select DLL CRT or static CRT
1605         https://bugs.webkit.org/show_bug.cgi?id=170594
1606
1607         Reviewed by Alex Christensen.
1608
1609         * shell/PlatformWin.cmake:
1610
1611 2017-11-27  Saam Barati  <sbarati@apple.com>
1612
1613         Having a bad time watchpoint firing during compilation revealed a racy assertion
1614         https://bugs.webkit.org/show_bug.cgi?id=180048
1615         <rdar://problem/35700009>
1616
1617         Reviewed by Mark Lam.
1618
1619         While a DFG compilation is watching the having a bad time watchpoint, it was
1620         asserting that the rest parameter structure has indexing type ArrayWithContiguous.
1621         However, if the having a bad time watchpoint fires during the compilation,
1622         this particular structure will no longer have ArrayWithContiguous indexing type.
1623         This patch fixes this racy assertion to be aware that the watchpoint may fire
1624         during compilation.
1625
1626         * dfg/DFGSpeculativeJIT.cpp:
1627         (JSC::DFG::SpeculativeJIT::compileCreateRest):
1628         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
1629
1630 2017-11-27  Tim Horton  <timothy_horton@apple.com>
1631
1632         One too many zeroes in macOS version number in FeatureDefines
1633         https://bugs.webkit.org/show_bug.cgi?id=180011
1634
1635         Reviewed by Dan Bernstein.
1636
1637         * Configurations/FeatureDefines.xcconfig:
1638
1639 2017-11-27  Robin Morisset  <rmorisset@apple.com>
1640
1641         Update DFGSafeToExecute to be aware that ArrayPush is now a varargs node
1642         https://bugs.webkit.org/show_bug.cgi?id=179821
1643
1644         Reviewed by Saam Barati.
1645
1646         * dfg/DFGSafeToExecute.h:
1647         (JSC::DFG::safeToExecute):
1648
1649 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1650
1651         [DFG] Add NormalizeMapKey DFG IR
1652         https://bugs.webkit.org/show_bug.cgi?id=179912
1653
1654         Reviewed by Saam Barati.
1655
1656         This patch introduces the NormalizeMapKey DFG node. It executes what normalizeMapKey does in an inlined manner.
1657         By separating this from MapHash and Map/Set related operations, we can perform CSE on it, and we
1658         do not need to call normalizeMapKey conservatively in DFG operations.
1659         This can reduce the slow path cases in Untyped GetMapBucket since we can normalize keys in DFG/FTL.
1660
1661         * dfg/DFGAbstractInterpreterInlines.h:
1662         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1663         * dfg/DFGByteCodeParser.cpp:
1664         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1665         * dfg/DFGClobberize.h:
1666         (JSC::DFG::clobberize):
1667         * dfg/DFGDoesGC.cpp:
1668         (JSC::DFG::doesGC):
1669         * dfg/DFGFixupPhase.cpp:
1670         (JSC::DFG::FixupPhase::fixupNode):
1671         (JSC::DFG::FixupPhase::fixupNormalizeMapKey):
1672         * dfg/DFGNodeType.h:
1673         * dfg/DFGOperations.cpp:
1674         * dfg/DFGPredictionPropagationPhase.cpp:
1675         * dfg/DFGSafeToExecute.h:
1676         (JSC::DFG::safeToExecute):
1677         * dfg/DFGSpeculativeJIT.cpp:
1678         (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
1679         * dfg/DFGSpeculativeJIT.h:
1680         * dfg/DFGSpeculativeJIT32_64.cpp:
1681         (JSC::DFG::SpeculativeJIT::compile):
1682         * dfg/DFGSpeculativeJIT64.cpp:
1683         (JSC::DFG::SpeculativeJIT::compile):
1684         * ftl/FTLCapabilities.cpp:
1685         (JSC::FTL::canCompile):
1686         * ftl/FTLLowerDFGToB3.cpp:
1687         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1688         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
1689         (JSC::FTL::DFG::LowerDFGToB3::compileNormalizeMapKey):
1690         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
1691         * runtime/HashMapImpl.h:
1692
1693 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1694
1695         [FTL] Support DeleteById and DeleteByVal
1696         https://bugs.webkit.org/show_bug.cgi?id=180022
1697
1698         Reviewed by Saam Barati.
1699
1700         We should increase the coverage of FTL. Even if the code includes DeleteById,
1701         it does not mean that the remaining part of the code should not be optimized in FTL.
1702         Right now, even CallEval and `with` scope are handled in FTL.
1703
1704         This patch just adds DeleteById and DeleteByVal handling to FTL to allow optimizing
1705         code including them.
1706
1707         * ftl/FTLCapabilities.cpp:
1708         (JSC::FTL::canCompile):
1709         * ftl/FTLLowerDFGToB3.cpp:
1710         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1711         (JSC::FTL::DFG::LowerDFGToB3::compileDeleteById):
1712         (JSC::FTL::DFG::LowerDFGToB3::compileDeleteByVal):
1713
1714 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1715
1716         [DFG] Introduce {Set,Map,WeakMap}Fields
1717         https://bugs.webkit.org/show_bug.cgi?id=179925
1718
1719         Reviewed by Saam Barati.
1720
1721         SetAdd and MapSet use `write(MiscFields)`, but it is not correct. It accidentally
1722         writes read-only MiscFields, which are used by various nodes, and makes optimization
1723         conservative.
1724
1725         We introduce JSSetFields, JSMapFields, and JSWeakMapFields to precisely model clobberizing of Map, Set, and WeakMap.
1726
1727         * dfg/DFGAbstractHeap.h:
1728         * dfg/DFGByteCodeParser.cpp:
1729         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1730         * dfg/DFGClobberize.h:
1731         (JSC::DFG::clobberize):
1732         * dfg/DFGHeapLocation.cpp:
1733         (WTF::printInternal):
1734         * dfg/DFGHeapLocation.h:
1735         * dfg/DFGNode.h:
1736         (JSC::DFG::Node::hasBucketOwnerType):
1737
1738 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1739
1740         [JSC] Remove JSStringBuilder
1741         https://bugs.webkit.org/show_bug.cgi?id=180016
1742
1743         Reviewed by Saam Barati.
1744
1745         JSStringBuilder is replaced with WTF::StringBuilder.
1746         This patch removes the remaining uses and drops JSStringBuilder.
1747
1748         * JavaScriptCore.xcodeproj/project.pbxproj:
1749         * runtime/ArrayPrototype.cpp:
1750         * runtime/AsyncFunctionPrototype.cpp:
1751         * runtime/AsyncGeneratorFunctionPrototype.cpp:
1752         * runtime/ErrorPrototype.cpp:
1753         * runtime/FunctionPrototype.cpp:
1754         * runtime/GeneratorFunctionPrototype.cpp:
1755         * runtime/JSGlobalObjectFunctions.cpp:
1756         (JSC::decode):
1757         (JSC::globalFuncEscape):
1758         * runtime/JSStringBuilder.h: Removed.
1759         * runtime/JSStringInlines.h:
1760         (JSC::jsMakeNontrivialString):
1761         * runtime/RegExpPrototype.cpp:
1762         * runtime/StringPrototype.cpp:
1763
1764 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1765
1766         [DFG] Remove GetLocalUnlinked
1767         https://bugs.webkit.org/show_bug.cgi?id=180017
1768
1769         Reviewed by Saam Barati.
1770
1771         Since DFGArgumentsSimplificationPhase was removed 2 years ago, GetLocalUnlinked is no longer used in DFG.
1772         This patch just removes it.
1773
1774         * dfg/DFGAbstractInterpreterInlines.h:
1775         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1776         * dfg/DFGClobberize.h:
1777         (JSC::DFG::clobberize):
1778         * dfg/DFGCommon.h:
1779         * dfg/DFGDoesGC.cpp:
1780         (JSC::DFG::doesGC):
1781         * dfg/DFGFixupPhase.cpp:
1782         (JSC::DFG::FixupPhase::fixupNode):
1783         * dfg/DFGGraph.cpp:
1784         (JSC::DFG::Graph::dump):
1785         * dfg/DFGNode.h:
1786         (JSC::DFG::Node::hasUnlinkedLocal):
1787         (JSC::DFG::Node::convertToGetLocalUnlinked): Deleted.
1788         (JSC::DFG::Node::convertToGetLocal): Deleted.
1789         (JSC::DFG::Node::hasUnlinkedMachineLocal): Deleted.
1790         (JSC::DFG::Node::setUnlinkedMachineLocal): Deleted.
1791         (JSC::DFG::Node::unlinkedMachineLocal): Deleted.
1792         * dfg/DFGNodeType.h:
1793         * dfg/DFGPredictionPropagationPhase.cpp:
1794         * dfg/DFGSafeToExecute.h:
1795         (JSC::DFG::safeToExecute):
1796         * dfg/DFGSpeculativeJIT32_64.cpp:
1797         (JSC::DFG::SpeculativeJIT::compile):
1798         * dfg/DFGSpeculativeJIT64.cpp:
1799         (JSC::DFG::SpeculativeJIT::compile):
1800         * dfg/DFGStackLayoutPhase.cpp:
1801         (JSC::DFG::StackLayoutPhase::run):
1802         * dfg/DFGValidate.cpp:
1803
1804 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1805
1806         Make ArgList::data() private again when we can remove callWasmFunction().
1807         https://bugs.webkit.org/show_bug.cgi?id=168582
1808
1809         Reviewed by JF Bastien.
1810
1811         Make ArgList::data() private since we already removed callWasmFunction.
1812
1813         * runtime/ArgList.h:
1814
1815 2016-08-05  Darin Adler  <darin@apple.com>
1816
1817         Fix some minor problems in the StringImpl header
1818         https://bugs.webkit.org/show_bug.cgi?id=160630
1819
1820         Reviewed by Brent Fulgham.
1821
1822         * inspector/ContentSearchUtilities.cpp: Removed a lot of unneeded explicit
1823         Yarr namespacing since we use "using namespace" in this file.
1824
1825 2017-11-24  Mark Lam  <mark.lam@apple.com>
1826
1827         Fix CLoop::sanitizeStack() bug where it was clearing part of the JS stack in use.
1828         https://bugs.webkit.org/show_bug.cgi?id=179936
1829         <rdar://problem/35623998>
1830
1831         Reviewed by Saam Barati.
1832
1833         This issue was uncovered when we enabled --useDollarVM=true on the JSC tests.
1834         See https://bugs.webkit.org/show_bug.cgi?id=179684.
1835
1836         Basically, in the case of the failing test we observed, op_tail_call_forward_arguments
1837         was allocating stack space to stash arguments (to be forwarded) and new frame
1838         info.  The location of this new stash space happens to lie beyond the top of frame
1839         of the tail call caller frame.  After stashing the arguments, the code proceeded
1840         to load the callee codeBlock.  This triggered an allocation, which in turn,
1841         triggered stack sanitization.  The CLoop stack sanitizer was relying on
1842         frame->topOfFrame() to tell it where the top of the used stack is.  In this case,
1843         that turned out to be inadequate.  As a result, part of the stashed data was
1844         zeroed out, and subsequently led to a crash.
1845
1846         This bug does not affect JIT builds (i.e. the ASM LLint) for 2 reasons:
1847         1. JIT builds do stack sanitization in the LLInt code itself (different from the
1848            CLoop implementation), and the sanitizer there is aware of the true top of
1849            stack value (i.e. the stack pointer).
1850         2. JIT builds don't use a parallel stack like the CLoop.  The presence of the
1851            parallel stack is one condition necessary for reproducing this issue.
1852
1853         The fix is to make the CLoop record the stack pointer in CLoopStack::m_currentStackPointer
1854         every time before it calls out to native C++ code.  This also brings the CLoop's
1855         behavior closer to hardware behavior where we can know where the stack pointer
1856         is after calling from JS back into native C++ code, which makes it easier to
1857         reason about correctness.
1858
1859         Also simplified the various stack boundary calculations (removed the +1 and -1
1860         adjustments).  The CLoopStack bounds are now:
1861
1862             reservationTop(): the lowest reserved address that can be within stack bounds.
1863             m_commitTop: the lowest address within stack bounds that has been committed.
1864             lowAddress() aka m_end: the lowest stack address that JS code can use.
1865             m_lastStackPointer: cache of the last m_currentStackPointer value.
1866             m_currentStackPointer: the CLoopStack stack pointer value when calling from JS into C++ code.
1867             highAddress(): the highest address just beyond the bounds of the stack.
1868
1869         Also deleted some unneeded code.
1870
1871         * interpreter/CLoopStack.cpp:
1872         (JSC::CLoopStack::CLoopStack):
1873         (JSC::CLoopStack::gatherConservativeRoots):
1874         (JSC::CLoopStack::sanitizeStack):
1875         (JSC::CLoopStack::setSoftReservedZoneSize):
1876         * interpreter/CLoopStack.h:
1877         (JSC::CLoopStack::setCurrentStackPointer):
1878         (JSC::CLoopStack::lowAddress const):
1879
1880         (JSC::CLoopStack::baseOfStack const): Deleted.
1881         - Not needed after we simplified the code and removed all the +1/-1 adjustments.
1882           Now, it has the exact same value as highAddress() and can be removed.
1883
1884         * interpreter/CLoopStackInlines.h:
1885         (JSC::CLoopStack::ensureCapacityFor):
1886         (JSC::CLoopStack::currentStackPointer):
1887         (JSC::CLoopStack::setCLoopStackLimit):
1888
1889         (JSC::CLoopStack::topOfFrameFor): Deleted.
1890         - Not needed.
1891
1892         (JSC::CLoopStack::topOfStack): Deleted.
1893         - Supplanted by currentStackPointer().
1894
1895         (JSC::CLoopStack::shrink): Deleted.
1896         - This is unused.
1897
1898         * llint/LowLevelInterpreter.cpp:
1899         (JSC::CLoop::execute):
1900         - Introduce a StackPointerScope to restore the original CLoopStack::m_currentStackPointer
1901           upon exiting the interpreter loop.
1902
1903         * offlineasm/cloop.rb:
1904         - Added setting of CLoopStack::m_currentStackPointer at boundary points where we
1905           call from JS into C++ code.
1906
1907         * tools/VMInspector.h:
1908         - Added some default argument values. These were being used while debugging this
1909           issue.
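
A model of the sanitizer mistake this entry describes, as an added example that is not part of the ChangeLog or of JavaScriptCore: `ParallelStack`, `sanitizeBelowTopOfFrame`, `sanitizeBelowStackPointer` and `runScenario` are names invented here, slot indices stand in for addresses, and the 16-slot stack contents and the stash location are constructed. It replays the sequence from the entry (arguments stashed just beyond the caller's top of frame, then a call into C++ that sanitizes) against both notions of "top of used stack".

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <vector>

// Illustrative model of a downward-growing parallel stack like the CLoop's.
// Higher slot indices stand for higher addresses; the region in use is
// [currentStackPointer, highAddress()). None of these names are JSC's.
struct ParallelStack {
    std::vector<uint64_t> slots;
    size_t topOfFrame = 0;          // lowest slot of the current call frame, as the frame reports it
    size_t currentStackPointer = 0; // lowest slot actually in use, recorded before calling into C++

    size_t highAddress() const { return slots.size(); }
};

// The behaviour the entry describes as buggy: zero everything below the
// frame's reported top, on the assumption that nothing below it is live.
static void sanitizeBelowTopOfFrame(ParallelStack& stack)
{
    for (size_t i = 0; i < stack.topOfFrame; ++i)
        stack.slots[i] = 0;
}

// The fixed behaviour: zero only below the stack pointer that was recorded
// at the JS-to-C++ boundary, which is the true extent of the used stack.
static void sanitizeBelowStackPointer(ParallelStack& stack)
{
    for (size_t i = 0; i < stack.currentStackPointer; ++i)
        stack.slots[i] = 0;
}

struct Outcome {
    bool stashIntact;  // forwarded arguments survived sanitization
    bool staleCleared; // unused stack below the stash was actually zeroed
};

// Replay the failing scenario: a tail call stashes forwarded arguments just
// below the caller's frame, then calls into C++, which may sanitize the stack.
static Outcome runScenario(void (*sanitize)(ParallelStack&))
{
    ParallelStack stack;
    stack.slots.assign(16, 0xAAAAAAAAAAAAAAAAull); // constructed stale contents
    stack.topOfFrame = 8;                           // caller frame occupies slots [8, 16)

    const size_t stashBegin = 5, stashEnd = 8;      // forwarded arguments live in [5, 8)
    for (size_t i = stashBegin; i < stashEnd; ++i)
        stack.slots[i] = 0x1000 + i;

    stack.currentStackPointer = stashBegin; // recorded before the call into native code
    sanitize(stack);                        // e.g. triggered by an allocation during that call

    Outcome outcome { true, true };
    for (size_t i = stashBegin; i < stashEnd; ++i)
        if (stack.slots[i] != 0x1000 + i)
            outcome.stashIntact = false;
    for (size_t i = 0; i < stashBegin; ++i)
        if (stack.slots[i] != 0)
            outcome.staleCleared = false;
    return outcome;
}

int main()
{
    assert(!runScenario(sanitizeBelowTopOfFrame).stashIntact);
    assert(runScenario(sanitizeBelowStackPointer).stashIntact);
    assert(runScenario(sanitizeBelowStackPointer).staleCleared);
    return 0;
}
```

Both sanitizers clear the genuinely unused region; only the one keyed on the recorded stack pointer leaves the stash alone, which is why the entry moves the CLoop to recording the pointer at every JS-to-C++ boundary rather than inferring it from the frame.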
1910
1911 2017-11-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1912
1913         [JSC] Make empty key as deleted mark in HashMapBucket and drop m_deleted field
1914         https://bugs.webkit.org/show_bug.cgi?id=179923
1915
1916         Reviewed by Darin Adler.
1917
1918         We do not set empty as a key in HashMapBucket since JSMap / JSSet can expose it to users.
1919         So we can use it as a marker of a deleted bucket.
1920
1921         This patch uses the empty key as a deleted flag, and drops the m_deleted field of HashMapBucket.
1922         It shrinks the size of HashMapBucket considerably.
1923
1924         * dfg/DFGSpeculativeJIT.cpp:
1925         (JSC::DFG::SpeculativeJIT::compileGetMapBucketNext):
1926         * ftl/FTLAbstractHeapRepository.h:
1927         * ftl/FTLLowerDFGToB3.cpp:
1928         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucketNext):
1929         * runtime/HashMapImpl.h:
1930         (JSC::HashMapBucket::createSentinel):
1931         We make the sentinel bucket (undefined, undefined) since DFG/FTL can load a value from sentinels.
1932         While the sentinel's deleted flag becomes false since its key is set, it is not a problem since the deleted
1933         flag of the sentinel bucket is not used.
1934
1935         (JSC::HashMapBucket::HashMapBucket):
1936         (JSC::HashMapBucket::deleted const):
1937         (JSC::HashMapBucket::makeDeleted):
1938         (JSC::HashMapImpl::remove):
1939         (JSC::HashMapImpl::clear):
1940         (JSC::HashMapImpl::setUpHeadAndTail):
1941         (JSC::HashMapImpl::addNormalizedInternal):
1942         (JSC::HashMapBucket::setDeleted): Deleted.
1943         (JSC::HashMapBucket::offsetOfDeleted): Deleted.
1944         (): Deleted.
1945
1946 2017-11-24  Mark Lam  <mark.lam@apple.com>
1947
1948         Move unsafe jsc shell test functions to the $vm object.
1949         https://bugs.webkit.org/show_bug.cgi?id=179980
1950
1951         Reviewed by Yusuke Suzuki.
1952
1953         Also removed setElementRoot() which was not used.
1954
1955         * jsc.cpp:
1956         (GlobalObject::finishCreation):
1957         (WTF::Element::Element): Deleted.
1958         (WTF::Element::root const): Deleted.
1959         (WTF::Element::setRoot): Deleted.
1960         (WTF::Element::create): Deleted.
1961         (WTF::Element::visitChildren): Deleted.
1962         (WTF::Element::createStructure): Deleted.
1963         (WTF::Root::Root): Deleted.
1964         (WTF::Root::element): Deleted.
1965         (WTF::Root::setElement): Deleted.
1966         (WTF::Root::create): Deleted.
1967         (WTF::Root::createStructure): Deleted.
1968         (WTF::Root::visitChildren): Deleted.
1969         (WTF::ImpureGetter::ImpureGetter): Deleted.
1970         (WTF::ImpureGetter::createStructure): Deleted.
1971         (WTF::ImpureGetter::create): Deleted.
1972         (WTF::ImpureGetter::finishCreation): Deleted.
1973         (WTF::ImpureGetter::getOwnPropertySlot): Deleted.
1974         (WTF::ImpureGetter::visitChildren): Deleted.
1975         (WTF::ImpureGetter::setDelegate): Deleted.
1976         (WTF::CustomGetter::CustomGetter): Deleted.
1977         (WTF::CustomGetter::createStructure): Deleted.
1978         (WTF::CustomGetter::create): Deleted.
1979         (WTF::CustomGetter::getOwnPropertySlot): Deleted.
1980         (WTF::CustomGetter::customGetter): Deleted.
1981         (WTF::CustomGetter::customGetterAcessor): Deleted.
1982         (WTF::RuntimeArray::create): Deleted.
1983         (WTF::RuntimeArray::~RuntimeArray): Deleted.
1984         (WTF::RuntimeArray::destroy): Deleted.
1985         (WTF::RuntimeArray::getOwnPropertySlot): Deleted.
1986         (WTF::RuntimeArray::getOwnPropertySlotByIndex): Deleted.
1987         (WTF::RuntimeArray::put): Deleted.
1988         (WTF::RuntimeArray::deleteProperty): Deleted.
1989         (WTF::RuntimeArray::getLength const): Deleted.
1990         (WTF::RuntimeArray::createPrototype): Deleted.
1991         (WTF::RuntimeArray::createStructure): Deleted.
1992         (WTF::RuntimeArray::finishCreation): Deleted.
1993         (WTF::RuntimeArray::RuntimeArray): Deleted.
1994         (WTF::RuntimeArray::lengthGetter): Deleted.
1995         (WTF::SimpleObject::SimpleObject): Deleted.
1996         (WTF::SimpleObject::create): Deleted.
1997         (WTF::SimpleObject::visitChildren): Deleted.
1998         (WTF::SimpleObject::createStructure): Deleted.
1999         (WTF::SimpleObject::hiddenValue): Deleted.
2000         (WTF::SimpleObject::setHiddenValue): Deleted.
2001         (WTF::DOMJITNode::DOMJITNode): Deleted.
2002         (WTF::DOMJITNode::createStructure): Deleted.
2003         (WTF::DOMJITNode::checkSubClassSnippet): Deleted.
2004         (WTF::DOMJITNode::create): Deleted.
2005         (WTF::DOMJITNode::value const): Deleted.
2006         (WTF::DOMJITNode::offsetOfValue): Deleted.
2007         (WTF::DOMJITGetter::DOMJITGetter): Deleted.
2008         (WTF::DOMJITGetter::createStructure): Deleted.
2009         (WTF::DOMJITGetter::create): Deleted.
2010         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute): Deleted.
2011         (WTF::DOMJITGetter::DOMJITAttribute::slowCall): Deleted.
2012         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter): Deleted.
2013         (WTF::DOMJITGetter::customGetter): Deleted.
2014         (WTF::DOMJITGetter::finishCreation): Deleted.
2015         (WTF::DOMJITGetterComplex::DOMJITGetterComplex): Deleted.
2016         (WTF::DOMJITGetterComplex::createStructure): Deleted.
2017         (WTF::DOMJITGetterComplex::create): Deleted.
2018         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute): Deleted.
2019         (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall): Deleted.
2020         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter): Deleted.
2021         (WTF::DOMJITGetterComplex::functionEnableException): Deleted.
2022         (WTF::DOMJITGetterComplex::customGetter): Deleted.
2023         (WTF::DOMJITGetterComplex::finishCreation): Deleted.
2024         (WTF::DOMJITFunctionObject::DOMJITFunctionObject): Deleted.
2025         (WTF::DOMJITFunctionObject::createStructure): Deleted.
2026         (WTF::DOMJITFunctionObject::create): Deleted.
2027         (WTF::DOMJITFunctionObject::safeFunction): Deleted.
2028         (WTF::DOMJITFunctionObject::unsafeFunction): Deleted.
2029         (WTF::DOMJITFunctionObject::checkSubClassSnippet): Deleted.
2030         (WTF::DOMJITFunctionObject::finishCreation): Deleted.
2031         (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject): Deleted.
2032         (WTF::DOMJITCheckSubClassObject::createStructure): Deleted.
2033         (WTF::DOMJITCheckSubClassObject::create): Deleted.
2034         (WTF::DOMJITCheckSubClassObject::safeFunction): Deleted.
2035         (WTF::DOMJITCheckSubClassObject::unsafeFunction): Deleted.
2036         (WTF::DOMJITCheckSubClassObject::finishCreation): Deleted.
2037         (WTF::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject): Deleted.
2038         (WTF::DOMJITGetterBaseJSObject::createStructure): Deleted.
2039         (WTF::DOMJITGetterBaseJSObject::create): Deleted.
2040         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute): Deleted.
2041         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall): Deleted.
2042         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter): Deleted.
2043         (WTF::DOMJITGetterBaseJSObject::customGetter): Deleted.
2044         (WTF::DOMJITGetterBaseJSObject::finishCreation): Deleted.
2045         (WTF::Element::handleOwner): Deleted.
2046         (WTF::Element::finishCreation): Deleted.
2047         (JSTestCustomGetterSetter::JSTestCustomGetterSetter): Deleted.
2048         (JSTestCustomGetterSetter::create): Deleted.
2049         (JSTestCustomGetterSetter::createStructure): Deleted.
2050         (customGetAccessor): Deleted.
2051         (customGetValue): Deleted.
2052         (customSetAccessor): Deleted.
2053         (customSetValue): Deleted.
2054         (JSTestCustomGetterSetter::finishCreation): Deleted.
2055         (GlobalObject::addConstructableFunction): Deleted.
2056         (functionCreateRoot): Deleted.
2057         (functionCreateElement): Deleted.
2058         (functionGetElement): Deleted.
2059         (functionSetElementRoot): Deleted.
2060         (functionCreateSimpleObject): Deleted.
2061         (functionGetHiddenValue): Deleted.
2062         (functionSetHiddenValue): Deleted.
2063         (functionCreateProxy): Deleted.
2064         (functionCreateRuntimeArray): Deleted.
2065         (functionCreateImpureGetter): Deleted.
2066         (functionCreateCustomGetterObject): Deleted.
2067         (functionCreateDOMJITNodeObject): Deleted.
2068         (functionCreateDOMJITGetterObject): Deleted.
2069         (functionCreateDOMJITGetterComplexObject): Deleted.
2070         (functionCreateDOMJITFunctionObject): Deleted.
2071         (functionCreateDOMJITCheckSubClassObject): Deleted.
2072         (functionCreateDOMJITGetterBaseJSObject): Deleted.
2073         (functionSetImpureGetterDelegate): Deleted.
2074         (functionGetGetterSetter): Deleted.
2075         (functionShadowChickenFunctionsOnStack): Deleted.
2076         (functionSetGlobalConstRedeclarationShouldNotThrow): Deleted.
2077         (functionGlobalObjectForObject): Deleted.
2078         (functionLoadGetterFromGetterSetter): Deleted.
2079         (functionCreateCustomTestGetterSetter): Deleted.
2080         (functionAbort): Deleted.
2081         (functionFindTypeForExpression): Deleted.
2082         (functionReturnTypeFor): Deleted.
2083         (functionDumpBasicBlockExecutionRanges): Deleted.
2084         (functionHasBasicBlockExecuted): Deleted.
2085         (functionBasicBlockExecutionCount): Deleted.
2086         (functionEnableExceptionFuzz): Deleted.
2087         (functionCreateBuiltin): Deleted.
2088         * runtime/JSGlobalObject.cpp:
2089         (JSC::JSGlobalObject::init):
2090         * tools/JSDollarVM.cpp:
2091         (WTF::Element::Element):
2092         (WTF::Element::root const):
2093         (WTF::Element::setRoot):
2094         (WTF::Element::create):
2095         (WTF::Element::visitChildren):
2096         (WTF::Element::createStructure):
2097         (WTF::Root::Root):
2098         (WTF::Root::element):
2099         (WTF::Root::setElement):
2100         (WTF::Root::create):
2101         (WTF::Root::createStructure):
2102         (WTF::Root::visitChildren):
2103         (WTF::SimpleObject::SimpleObject):
2104         (WTF::SimpleObject::create):
2105         (WTF::SimpleObject::visitChildren):
2106         (WTF::SimpleObject::createStructure):
2107         (WTF::SimpleObject::hiddenValue):
2108         (WTF::SimpleObject::setHiddenValue):
2109         (WTF::ImpureGetter::ImpureGetter):
2110         (WTF::ImpureGetter::createStructure):
2111         (WTF::ImpureGetter::create):
2112         (WTF::ImpureGetter::finishCreation):
2113         (WTF::ImpureGetter::getOwnPropertySlot):
2114         (WTF::ImpureGetter::visitChildren):
2115         (WTF::ImpureGetter::setDelegate):
2116         (WTF::CustomGetter::CustomGetter):
2117         (WTF::CustomGetter::createStructure):
2118         (WTF::CustomGetter::create):
2119         (WTF::CustomGetter::getOwnPropertySlot):
2120         (WTF::CustomGetter::customGetter):
2121         (WTF::CustomGetter::customGetterAcessor):
2122         (WTF::RuntimeArray::create):
2123         (WTF::RuntimeArray::~RuntimeArray):
2124         (WTF::RuntimeArray::destroy):
2125         (WTF::RuntimeArray::getOwnPropertySlot):
2126         (WTF::RuntimeArray::getOwnPropertySlotByIndex):
2127         (WTF::RuntimeArray::put):
2128         (WTF::RuntimeArray::deleteProperty):
2129         (WTF::RuntimeArray::getLength const):
2130         (WTF::RuntimeArray::createPrototype):
2131         (WTF::RuntimeArray::createStructure):
2132         (WTF::RuntimeArray::finishCreation):
2133         (WTF::RuntimeArray::RuntimeArray):
2134         (WTF::RuntimeArray::lengthGetter):
2135         (WTF::DOMJITNode::DOMJITNode):
2136         (WTF::DOMJITNode::createStructure):
2137         (WTF::DOMJITNode::checkSubClassSnippet):
2138         (WTF::DOMJITNode::create):
2139         (WTF::DOMJITNode::value const):
2140         (WTF::DOMJITNode::offsetOfValue):
2141         (WTF::DOMJITGetter::DOMJITGetter):
2142         (WTF::DOMJITGetter::createStructure):
2143         (WTF::DOMJITGetter::create):
2144         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
2145         (WTF::DOMJITGetter::DOMJITAttribute::slowCall):
2146         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
2147         (WTF::DOMJITGetter::customGetter):
2148         (WTF::DOMJITGetter::finishCreation):
2149         (WTF::DOMJITGetterComplex::DOMJITGetterComplex):
2150         (WTF::DOMJITGetterComplex::createStructure):
2151         (WTF::DOMJITGetterComplex::create):
2152         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
2153         (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall):
2154         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
2155         (WTF::DOMJITGetterComplex::functionEnableException):
2156         (WTF::DOMJITGetterComplex::customGetter):
2157         (WTF::DOMJITGetterComplex::finishCreation):
2158         (WTF::DOMJITFunctionObject::DOMJITFunctionObject):
2159         (WTF::DOMJITFunctionObject::createStructure):
2160         (WTF::DOMJITFunctionObject::create):
2161         (WTF::DOMJITFunctionObject::safeFunction):
2162         (WTF::DOMJITFunctionObject::unsafeFunction):
2163         (WTF::DOMJITFunctionObject::checkSubClassSnippet):
2164         (WTF::DOMJITFunctionObject::finishCreation):
2165         (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
2166         (WTF::DOMJITCheckSubClassObject::createStructure):
2167         (WTF::DOMJITCheckSubClassObject::create):
2168         (WTF::DOMJITCheckSubClassObject::safeFunction):
2169         (WTF::DOMJITCheckSubClassObject::unsafeFunction):
2170         (WTF::DOMJITCheckSubClassObject::finishCreation):
2171         (WTF::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject):
2172         (WTF::DOMJITGetterBaseJSObject::createStructure):
2173         (WTF::DOMJITGetterBaseJSObject::create):
2174         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute):
2175         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
2176         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter):
2177         (WTF::DOMJITGetterBaseJSObject::customGetter):
2178         (WTF::DOMJITGetterBaseJSObject::finishCreation):
2179         (WTF::Message::releaseContents):
2180         (WTF::Message::index const):
2181         (WTF::JSTestCustomGetterSetter::JSTestCustomGetterSetter):
2182         (WTF::JSTestCustomGetterSetter::create):
2183         (WTF::JSTestCustomGetterSetter::createStructure):
2184         (WTF::customGetAccessor):
2185         (WTF::customGetValue):
2186         (WTF::customSetAccessor):
2187         (WTF::customSetValue):
2188         (WTF::JSTestCustomGetterSetter::finishCreation):
2189         (WTF::Element::handleOwner):
2190         (WTF::Element::finishCreation):
2191         (JSC::functionCrash):
2192         (JSC::functionCreateProxy):
2193         (JSC::functionCreateRuntimeArray):
2194         (JSC::functionCreateImpureGetter):
2195         (JSC::functionCreateCustomGetterObject):
2196         (JSC::functionCreateDOMJITNodeObject):
2197         (JSC::functionCreateDOMJITGetterObject):
2198         (JSC::functionCreateDOMJITGetterComplexObject):
2199         (JSC::functionCreateDOMJITFunctionObject):
2200         (JSC::functionCreateDOMJITCheckSubClassObject):
2201         (JSC::functionCreateDOMJITGetterBaseJSObject):
2202         (JSC::functionSetImpureGetterDelegate):
2203         (JSC::functionCreateBuiltin):
2204         (JSC::functionCreateRoot):
2205         (JSC::functionCreateElement):
2206         (JSC::functionGetElement):
2207         (JSC::functionCreateSimpleObject):
2208         (JSC::functionGetHiddenValue):
2209         (JSC::functionSetHiddenValue):
2210         (JSC::functionShadowChickenFunctionsOnStack):
2211         (JSC::functionSetGlobalConstRedeclarationShouldNotThrow):
2212         (JSC::functionFindTypeForExpression):
2213         (JSC::functionReturnTypeFor):
2214         (JSC::functionDumpBasicBlockExecutionRanges):
2215         (JSC::functionHasBasicBlockExecuted):
2216         (JSC::functionBasicBlockExecutionCount):
2217         (JSC::functionEnableExceptionFuzz):
2218         (JSC::functionGlobalObjectForObject):
2219         (JSC::functionGetGetterSetter):
2220         (JSC::functionLoadGetterFromGetterSetter):
2221         (JSC::functionCreateCustomTestGetterSetter):
2222         (JSC::JSDollarVM::finishCreation):
2223         (JSC::JSDollarVM::addFunction):
2224         (JSC::JSDollarVM::addConstructibleFunction):
2225         * tools/JSDollarVM.h:
2226         (JSC::JSDollarVM::create):
2227
2228 2017-11-23  Simon Fraser  <simon.fraser@apple.com>
2229
2230         Minor ArrayBufferView cleanup
2231         https://bugs.webkit.org/show_bug.cgi?id=179966
2232
2233         Reviewed by Darin Adler.
2234         
2235         Use void* for data pointers when we don't need to do offset math. Use const for
2236         source pointers.
2237         
2238         Prefer uint8_t* to char*.
2239         
2240         Add comments noting that the assertions should not be made release assertions
2241         as recommended by the style checker, since the point is to avoid the virtual byteLength()
2242         call in release.
2243
2244         * runtime/ArrayBufferView.h:
2245         (JSC::ArrayBufferView::setImpl):
2246         (JSC::ArrayBufferView::setRangeImpl):
2247         (JSC::ArrayBufferView::getRangeImpl):
2248         (JSC::ArrayBufferView::zeroRangeImpl):
2249
2250 2017-11-23  Darin Adler  <darin@apple.com>
2251
2252         Reduce WTF::String operations that do unnecessary Unicode operations instead of ASCII
2253         https://bugs.webkit.org/show_bug.cgi?id=179907
2254
2255         Reviewed by Sam Weinig.
2256
2257         * inspector/agents/InspectorDebuggerAgent.cpp:
2258         (Inspector::matches): Removed explicit TextCaseSensitive because RegularExpression now
2259         defaults to that.
2260
2261         * runtime/StringPrototype.cpp:
2262         (JSC::stringIncludesImpl): Use String::find since there is no overload of
2263         String::contains that takes a start offset now that we removed the one that took a
2264         caseSensitive boolean. We can add one later if we like, but this should do for now.
2265
2266         * yarr/RegularExpression.h: Moved the TextCaseSensitivity enumeration here from
2267         the StringImpl.h header because it is only used here.
2268
2269 2017-11-22  Simon Fraser  <simon.fraser@apple.com>
2270
2271         Followup after r225084: if anyone called GenericTypedArrayView() it didn't compile,
2272         because of a getRangeUnchecked/getRangeImpl name mismatch; fixed to use getRangeImpl().
2273         
2274         Also name the argument to zeroRange() to 'count' since it's an item count.
2275
2276         * runtime/GenericTypedArrayView.h:
2277         (JSC::GenericTypedArrayView::zeroRange):
2278         (JSC::GenericTypedArrayView::getRange):
2279
2280 2017-11-21  Simon Fraser  <simon.fraser@apple.com>
2281
2282         Allow for more efficient use of GenericTypedArrayView
2283         https://bugs.webkit.org/show_bug.cgi?id=179899
2284
2285         Reviewed by Sam Weinig.
2286         
2287         Fix ArrayBufferView::setRange() to not make two virtual function calls to byteLength()
2288         under setRangeImpl(). There is only one caller in GenericTypedArrayView, and it can pass
2289         in a length.
2290
2291         Add GenericTypedArrayView::getRange() to fetch a range of elements, also without virtual
2292         byteLength() calls.
2293         
2294         Renamed 'dataLength' to 'count' in setRange() to be clearer.
2295         
2296         Added setNative() for callers who don't need clamping of doubles.
2297
2298         * runtime/ArrayBufferView.h:
2299         (JSC::ArrayBufferView::setRangeImpl):
2300         (JSC::ArrayBufferView::getRangeImpl):
2301         * runtime/GenericTypedArrayView.h:
2302         (JSC::GenericTypedArrayView::setRange):
2303         (JSC::GenericTypedArrayView::setNative const):
2304         (JSC::GenericTypedArrayView::getRange):
2305         (JSC::GenericTypedArrayView::checkInboundData const):
2306         (JSC::GenericTypedArrayView::internalByteLength const):
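
Added example (not JavaScriptCore code, and not part of these ChangeLog entries): a C++ sketch in the spirit of the ArrayBufferView/GenericTypedArrayView changes described in this entry and in the 2017-11-23 cleanup above. The caller passes an element count, one bounds check guards setRange()/getRange()/zeroRange(), and no virtual byteLength() is consulted on the copy path. TypedArrayView, the exact form of checkInboundData() and naiveInboundCheck() are assumptions of the example; the naive form is included only to show why the subtraction form is used.

```cpp
// Added example, not JavaScriptCore code: a minimal typed-array view in the spirit of
// GenericTypedArrayView::setRange()/getRange(). The caller passes the element count,
// one overflow-safe checkInboundData() guards each range operation, and no virtual
// byteLength() is consulted on the copy path. All names here are hypothetical.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

template<typename T>
class TypedArrayView {
public:
    explicit TypedArrayView(size_t length) : m_storage(length), m_length(length) { }
    size_t length() const { return m_length; }
    size_t byteLength() const { return m_length * sizeof(T); }

    // True iff elements [offset, offset + count) lie inside the view. The subtraction form
    // cannot wrap: a huge offset or count fails the comparison instead of passing it.
    bool checkInboundData(size_t offset, size_t count) const
    {
        return count <= m_length && offset <= m_length - count;
    }

    // Copy `count` elements from `source` into the view starting at element `offset`.
    bool setRange(const T* source, size_t count, size_t offset)
    {
        if (!checkInboundData(offset, count)) return false;
        if (count) std::memmove(data() + offset, source, count * sizeof(T));
        return true;
    }

    // Copy `count` elements starting at element `offset` out of the view into `destination`.
    bool getRange(T* destination, size_t count, size_t offset) const
    {
        if (!checkInboundData(offset, count)) return false;
        if (count) std::memmove(destination, data() + offset, count * sizeof(T));
        return true;
    }

    // Zero `count` elements starting at element `offset`.
    bool zeroRange(size_t offset, size_t count)
    {
        if (!checkInboundData(offset, count)) return false;
        if (count) std::memset(data() + offset, 0, count * sizeof(T));
        return true;
    }

    T item(size_t index) const { return m_storage.at(index); } // bounds-checked read for tests

private:
    T* data() { return m_storage.data(); }
    const T* data() const { return m_storage.data(); }
    std::vector<T> m_storage;
    size_t m_length;
};

// The check this design replaces: offset + count wraps for a large offset, so an
// out-of-bounds copy would be accepted. Kept only to demonstrate the failure.
inline bool naiveInboundCheck(size_t offset, size_t count, size_t length)
{
    return offset + count <= length;
}

// Scenario: a legitimate copy into the last four slots of an eight-element view.
bool copyIntoTail()
{
    TypedArrayView<uint32_t> view(8);
    const uint32_t source[4] = { 1, 2, 3, 4 }; // constructed sample input
    return view.setRange(source, 4, 4) && view.item(3) == 0 && view.item(4) == 1 && view.item(7) == 4;
}

// Scenario: the edge cases a range check must get right.
bool rejectsOutOfBoundsRanges()
{
    TypedArrayView<uint32_t> view(8);
    uint32_t scratch[1] = { 0 };
    bool rejectsWrappedOffset = !view.setRange(scratch, 1, SIZE_MAX); // offset + count would wrap to 0
    bool rejectsHugeCount = !view.getRange(scratch, SIZE_MAX, 0);
    bool rejectsOffByOne = !view.zeroRange(8, 1);                      // one element past the end
    bool acceptsEmptyAtEnd = view.zeroRange(8, 0);                     // empty range at length is fine
    return rejectsWrappedOffset && rejectsHugeCount && rejectsOffByOne && acceptsEmptyAtEnd;
}
```

The check is written as `count <= length` followed by `offset <= length - count`, so a caller-controlled offset near SIZE_MAX cannot wrap the sum back inside the view; `naiveInboundCheck(SIZE_MAX, 1, 8)` returns true for exactly that input, which is the bug the subtraction form avoids.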
2307
2308 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2309
2310         [DFG][FTL] Support MapSet / SetAdd intrinsics
2311         https://bugs.webkit.org/show_bug.cgi?id=179858
2312
2313         Reviewed by Saam Barati.
2314
2315         Map.prototype.set and Set.prototype.add use the MapHash value anyway.
2316         By handling them as MapSet and SetAdd DFG nodes and decoupling
2317         MapSet and SetAdd nodes from the MapHash DFG node, we have a chance to
2318         remove duplicate MapHash calculation for the same key.
2319
2320         One story is *set-if-not-exists*.
2321
2322             if (!map.has(key))
2323                 map.set(key, value);
2324
2325         In the above code, both `has` and `set` require hash value for `key`.
2326         If we can change `set` to the series of DFG nodes:
2327
2328             1: MapHash(key)
2329             2: MapSet(MapObjectUse:map, Untyped:key, Untyped:value, Int32Use:@1)
2330
2331         we can remove duplicate @1 produced by `has` operation.
2332
2333         This patch improves SixSpeed map-set.es6 and map-set-object.es6 by 20.5% and 20.4% respectively.
2334
2335                                          baseline                  patched
2336
2337             map-set.es6             246.2413+-15.2084    ^    204.3679+-11.2408       ^ definitely 1.2049x faster
2338             map-set-object.es6      266.5075+-17.2289    ^    221.2792+-12.2948       ^ definitely 1.2044x faster
2339
2340         Microbenchmarks
2341
2342             map-has-and-set         148.1522+-7.6665     ^    131.4552+-7.8846        ^ definitely 1.1270x faster
2343
2344         * dfg/DFGAbstractInterpreterInlines.h:
2345         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2346         * dfg/DFGByteCodeParser.cpp:
2347         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2348         * dfg/DFGClobberize.h:
2349         (JSC::DFG::clobberize):
2350         * dfg/DFGDoesGC.cpp:
2351         (JSC::DFG::doesGC):
2352         * dfg/DFGFixupPhase.cpp:
2353         (JSC::DFG::FixupPhase::fixupNode):
2354         * dfg/DFGNodeType.h:
2355         * dfg/DFGOperations.cpp:
2356         * dfg/DFGOperations.h:
2357         * dfg/DFGPredictionPropagationPhase.cpp:
2358         * dfg/DFGSafeToExecute.h:
2359         (JSC::DFG::safeToExecute):
2360         * dfg/DFGSpeculativeJIT.cpp:
2361         (JSC::DFG::SpeculativeJIT::compileSetAdd):
2362         (JSC::DFG::SpeculativeJIT::compileMapSet):
2363         * dfg/DFGSpeculativeJIT.h:
2364         (JSC::DFG::SpeculativeJIT::callOperation):
2365         * dfg/DFGSpeculativeJIT32_64.cpp:
2366         (JSC::DFG::SpeculativeJIT::compile):
2367         * dfg/DFGSpeculativeJIT64.cpp:
2368         (JSC::DFG::SpeculativeJIT::compile):
2369         * ftl/FTLCapabilities.cpp:
2370         (JSC::FTL::canCompile):
2371         * ftl/FTLLowerDFGToB3.cpp:
2372         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2373         (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd):
2374         (JSC::FTL::DFG::LowerDFGToB3::compileMapSet):
2375         * jit/JITOperations.h:
2376         * runtime/HashMapImpl.h:
2377         (JSC::HashMapImpl::addNormalized):
2378         (JSC::HashMapImpl::addNormalizedInternal):
2379         * runtime/Intrinsic.cpp:
2380         (JSC::intrinsicName):
2381         * runtime/Intrinsic.h:
2382         * runtime/MapPrototype.cpp:
2383         (JSC::MapPrototype::finishCreation):
2384         * runtime/SetPrototype.cpp:
2385         (JSC::SetPrototype::finishCreation):
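
Added example (not JavaScriptCore code, and not part of either ChangeLog entry): a small C++ model of the HashMapImpl/HashMapBucket design described in the two Yusuke Suzuki entries, the 2017-11-24 one above that turns the reserved empty key into the deleted marker, and this 2017-11-21 entry whose MapSet/SetAdd nodes consume an already-computed MapHash. The Key encoding, the OrderedHashMap class, its fixed 16-chain table, the splitmix-style hash and the hashCalls counter are all assumptions made for the example; deleted buckets here stay allocated until the map is destroyed, where JSC leaves that to the garbage collector.

```cpp
// Added example, not JavaScriptCore code: a model of HashMapImpl/HashMapBucket in which the reserved
// "empty" key encoding doubles as the deleted marker (no m_deleted field; walks skip deleted buckets)
// and callers may pass a precomputed hash, so has() then set() hashes a key once. Names are hypothetical.
#include <cstddef>
#include <cstdint>
#include <vector>

// JSValue-like encoding: fromInt() keys always carry the low tag bit, so 0 ("empty") and 2
// ("undefined") can never describe a user-supplied key.
struct Key {
    uint64_t bits;
    static Key fromInt(int64_t v) { return { (static_cast<uint64_t>(v) << 1) | 1 }; }
    static Key empty() { return { 0 }; }
    static Key undefined() { return { 2 }; }
    bool isEmpty() const { return bits == 0; }
    bool operator==(Key o) const { return bits == o.bits; }
};

struct Bucket {
    Key key;
    int64_t value;
    Bucket* next = nullptr;
    Bucket(Key k, int64_t v) : key(k), value(v) { }
    bool deleted() const { return key.isEmpty(); } // no separate flag: an empty key means deleted
    void makeDeleted() { key = Key::empty(); value = 0; }
};

class OrderedHashMap {
public:
    size_t hashCalls = 0; // lets callers observe how often keys get hashed
    // Sentinels carry undefined-style contents so chain walkers may load from them; deleted()
    // is never consulted on a sentinel, so the false answer its non-empty key gives is harmless.
    OrderedHashMap()
        : m_table(16), m_head(alloc(Key::undefined(), 0)), m_tail(alloc(Key::undefined(), 0)), m_last(m_head)
    { m_head->next = m_tail; }
    OrderedHashMap(const OrderedHashMap&) = delete;
    OrderedHashMap& operator=(const OrderedHashMap&) = delete;
    // Deleted buckets stay linked (and allocated) until the map dies; JSC leaves that to the GC.
    ~OrderedHashMap() { for (Bucket* b = m_head; b;) { Bucket* n = b->next; delete b; b = n; } }

    uint64_t hash(Key k) { ++hashCalls; uint64_t z = k.bits * 0x9e3779b97f4a7c15ULL; return z ^ (z >> 32); }
    bool has(Key k, uint64_t h) { return find(k, h) != nullptr; }
    void set(Key k, int64_t v) { addNormalized(k, v, hash(k)); }

    // addNormalized: the caller supplies the hash, as DFG MapSet consumes a MapHash result.
    void addNormalized(Key k, int64_t v, uint64_t h)
    {
        if (Bucket* existing = find(k, h)) { existing->value = v; return; }
        Bucket* b = alloc(k, v);
        chainFor(h).push_back(b);
        b->next = m_tail; m_last->next = b; m_last = b; // append to the insertion-ordered chain
    }
    bool setIfAbsent(Key k, int64_t v) // set-if-not-exists with a single hash computation
    {
        uint64_t h = hash(k);
        if (has(k, h)) return false;
        addNormalized(k, v, h);
        return true;
    }

    // Unlink from the table only: the bucket stays in the ordered chain so a walk parked on it
    // can still advance, and its now-empty key is what marks it deleted.
    bool remove(Key k)
    {
        auto& chain = chainFor(hash(k));
        for (auto it = chain.begin(); it != chain.end(); ++it) {
            if (!((*it)->key == k)) continue;
            (*it)->makeDeleted();
            chain.erase(it);
            return true;
        }
        return false;
    }

    // GetMapBucketNext-style step: next non-deleted bucket after b (nullptr starts at the head
    // sentinel), or nullptr once the tail sentinel is reached.
    const Bucket* nextBucket(const Bucket* b) const
    {
        for (b = b ? b->next : m_head->next; b != m_tail && b->deleted(); b = b->next) { }
        return b == m_tail ? nullptr : b;
    }

private:
    Bucket* alloc(Key k, int64_t v) { return new Bucket(k, v); }
    std::vector<Bucket*>& chainFor(uint64_t h) { return m_table[h & (m_table.size() - 1)]; }
    Bucket* find(Key k, uint64_t h) { for (Bucket* b : chainFor(h)) if (b->key == k) return b; return nullptr; }
    std::vector<std::vector<Bucket*>> m_table; // fixed power-of-two chain count; no rehash in this model
    Bucket* m_head;
    Bucket* m_tail;
    Bucket* m_last;
};

struct ScenarioResult { int64_t sumAfterDeletion; size_t hashesForPresentKey; int64_t firstValue; };

// Scenario: insert keys 1..3, park a cursor on bucket 1, delete key 2, finish the walk (only key 3 is
// visited), then call setIfAbsent() on a present key and count how often it hashed.
ScenarioResult runScenario()
{
    OrderedHashMap map;
    for (int64_t i = 1; i <= 3; ++i) map.set(Key::fromInt(i), i * 10);
    const Bucket* cursor = map.nextBucket(nullptr); // bucket for key 1
    int64_t sum = cursor->value;
    map.remove(Key::fromInt(2)); // bucket 2 becomes (empty, 0) but stays linked
    for (cursor = map.nextBucket(cursor); cursor; cursor = map.nextBucket(cursor)) sum += cursor->value;
    size_t before = map.hashCalls;
    map.setIfAbsent(Key::fromInt(1), 99); // key present: one hash, nothing stored
    return { sum, map.hashCalls - before, map.nextBucket(nullptr)->value };
}
```

Because remove() leaves the bucket in the ordered chain and only blanks its key, a walk that is parked on or before that bucket keeps working and steps over it, which is what makes the empty key usable as the deleted marker without a separate field. The hashCalls counter shows that setIfAbsent() on a present key performs a single hash, the duplicate MapHash the DFG nodes are meant to remove.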
2386
2387 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2388
2389         [JSC] Allow poly proto for intrinsic getters
2390         https://bugs.webkit.org/show_bug.cgi?id=179550
2391
2392         Reviewed by Saam Barati.
2393
2394         This patch allows intrinsic getters to accept poly proto.
2395         We propagate PolyProtoAccessChain in IntrinsicGetterAccessCase to perform
2396         poly proto checks. And we extend UnderscoreProtoIntrinsic to emit
2397         code for the poly proto case.
2398
2399         * bytecode/IntrinsicGetterAccessCase.cpp:
2400         (JSC::IntrinsicGetterAccessCase::IntrinsicGetterAccessCase):
2401         (JSC::IntrinsicGetterAccessCase::create):
2402         * bytecode/IntrinsicGetterAccessCase.h:
2403         * jit/IntrinsicEmitter.cpp:
2404         (JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
2405         (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
2406         * jit/Repatch.cpp:
2407         (JSC::tryCacheGetByID):
2408
2409 2017-11-20  Don Olmstead  <don.olmstead@sony.com>
2410
2411         Detect __declspec within JSBase.h
2412         https://bugs.webkit.org/show_bug.cgi?id=179892
2413
2414         Reviewed by Darin Adler.
2415
2416         * API/JSBase.h:
2417
2418 2017-11-19  Tim Horton  <timothy_horton@apple.com>
2419
2420         Remove unused TOUCH_ICON_LOADING feature flag
2421         https://bugs.webkit.org/show_bug.cgi?id=179873
2422
2423         Reviewed by Simon Fraser.
2424
2425         * Configurations/FeatureDefines.xcconfig:
2426
2427 2017-11-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2428
2429         Add CPU(UNKNOWN) to cover all the unknown CPU types
2430         https://bugs.webkit.org/show_bug.cgi?id=179243
2431
2432         Reviewed by JF Bastien.
2433
2434         * CMakeLists.txt:
2435
2436 2017-11-19  Tim Horton  <timothy_horton@apple.com>
2437
2438         Remove unused LEGACY_VENDOR_PREFIXES feature flag
2439         https://bugs.webkit.org/show_bug.cgi?id=179872
2440
2441         Reviewed by Darin Adler.
2442
2443         * Configurations/FeatureDefines.xcconfig:
2444
2445 2017-11-18  Tim Horton  <timothy_horton@apple.com>
2446
2447         Fix typos in closing ENABLE() comments
2448         https://bugs.webkit.org/show_bug.cgi?id=179869
2449
2450         Unreviewed.
2451
2452         * wasm/WasmMemory.h:
2453         * wasm/WasmMemoryMode.h:
2454
2455 2017-11-17  JF Bastien  <jfbastien@apple.com>
2456
2457         NFC update ClassInfo to C++14
2458         https://bugs.webkit.org/show_bug.cgi?id=179783
2459
2460         Reviewed by Mark Lam.
2461
2462         Forked from #179734, use `using` instead of `typedef`. It's easier
2463         to read.
2464
2465         * runtime/ClassInfo.h:
2466
2467 2017-11-17  JF Bastien  <jfbastien@apple.com>
2468
2469         WebAssembly JS API: throw when a promise can't be created
2470         https://bugs.webkit.org/show_bug.cgi?id=179826
2471         <rdar://problem/35455813>
2472
2473         Reviewed by Mark Lam.
2474
2475         Failure *in* a promise causes rejection, but failure to create a
2476         promise (because of stack overflow) isn't really spec'd (like all
2477         stack-related things in JS). This applies to WebAssembly.compile and
2478         WebAssembly.instantiate.
2479
2480         Dan's current proposal says:
2481
2482             https://littledan.github.io/spec/document/js-api/index.html#stack-overflow
2483
2484             Whenever a stack overflow occurs in WebAssembly code, the same
2485             class of exception is thrown as for a stack overflow in
2486             JavaScript. The particular exception here is
2487             implementation-defined in both cases.
2488
2489             Note: ECMAScript doesn’t specify any sort of behavior on stack
2490             overflow; implementations have been observed to throw RangeError,
2491             InternalError or Error. Any is valid here.
2492
2493         This is for general stack overflow within WebAssembly, not
2494         specifically for promise creation within JavaScript, but it seems
2495         like a stack overflow in promise creation should follow the same
2496         rule instead of, say, swallowing the overflow and returning
2497         undefined.
2498
2499         * wasm/js/WebAssemblyPrototype.cpp:
2500         (JSC::webAssemblyCompileFunc):
2501         (JSC::webAssemblyInstantiateFunc):
2502
2503 2017-11-16  Daniel Bates  <dabates@apple.com>
2504
2505         Add feature define for alternative presentation button element
2506         https://bugs.webkit.org/show_bug.cgi?id=179692
2507         Part of <rdar://problem/34917108>
2508
2509         Reviewed by Andy Estes.
2510
2511         Only enabled on Cocoa platforms by default.
2512
2513         * Configurations/FeatureDefines.xcconfig:
2514
2515 2017-11-16  Saam Barati  <sbarati@apple.com>
2516
2517         Fix a bug with cpuid in the FTL.
2518
2519         Rubber stamped by Mark Lam.
2520
2521         Before uploading the previous patch, I tried to condense the code. I
2522         accidentally removed a crucial line saying that CPUID clobbers various
2523         registers.
2524
2525         * ftl/FTLLowerDFGToB3.cpp:
2526         (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic):
2527
2528 2017-11-16  Saam Barati  <sbarati@apple.com>
2529
2530         Add some X86 intrinsics to $vm to help with some perf testing
2531         https://bugs.webkit.org/show_bug.cgi?id=179693
2532
2533         Reviewed by Mark Lam.
2534
2535         I've been doing some local perf testing of various ideas and have
2536         had these come in handy. I'm going to land them to dollarVM to prevent
2537         having to add them to my local build every time I do perf testing.
2538
2539         * assembler/MacroAssemblerX86Common.h:
2540         (JSC::MacroAssemblerX86Common::mfence):
2541         (JSC::MacroAssemblerX86Common::rdtsc):
2542         (JSC::MacroAssemblerX86Common::pause):
2543         (JSC::MacroAssemblerX86Common::cpuid):
2544         * assembler/X86Assembler.h:
2545         (JSC::X86Assembler::rdtsc):
2546         (JSC::X86Assembler::pause):
2547         (JSC::X86Assembler::cpuid):
2548         * dfg/DFGAbstractInterpreterInlines.h:
2549         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2550         * dfg/DFGByteCodeParser.cpp:
2551         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2552         * dfg/DFGClobberize.h:
2553         (JSC::DFG::clobberize):
2554         * dfg/DFGDoesGC.cpp:
2555         (JSC::DFG::doesGC):
2556         * dfg/DFGFixupPhase.cpp:
2557         (JSC::DFG::FixupPhase::fixupNode):
2558         * dfg/DFGGraph.cpp:
2559         (JSC::DFG::Graph::dump):
2560         * dfg/DFGNode.h:
2561         (JSC::DFG::Node::intrinsic):
2562         * dfg/DFGNodeType.h:
2563         * dfg/DFGPredictionPropagationPhase.cpp:
2564         * dfg/DFGSafeToExecute.h:
2565         (JSC::DFG::safeToExecute):
2566         * dfg/DFGSpeculativeJIT32_64.cpp:
2567         (JSC::DFG::SpeculativeJIT::compile):
2568         * dfg/DFGSpeculativeJIT64.cpp:
2569         (JSC::DFG::SpeculativeJIT::compile):
2570         * dfg/DFGValidate.cpp:
2571         * ftl/FTLCapabilities.cpp:
2572         (JSC::FTL::canCompile):
2573         * ftl/FTLLowerDFGToB3.cpp:
2574         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2575         (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic):
2576         * runtime/Intrinsic.cpp:
2577         (JSC::intrinsicName):
2578         * runtime/Intrinsic.h:
2579         * tools/JSDollarVM.cpp:
2580         (JSC::functionCpuMfence):
2581         (JSC::functionCpuRdtsc):
2582         (JSC::functionCpuCpuid):
2583         (JSC::functionCpuPause):
2584         (JSC::functionCpuClflush):
2585         (JSC::JSDollarVM::finishCreation):
2586
2587 2017-11-16  JF Bastien  <jfbastien@apple.com>
2588
2589         It should be easier to reify lazy property names
2590         https://bugs.webkit.org/show_bug.cgi?id=179734
2591         <rdar://problem/35492521>
2592
2593         Reviewed by Keith Miller.
2594
2595         We reify lazy property names in a few different ways, each
2596         specific to the JSCell implementation, in put() instead of having
2597         a special function to do reification. Let's make that simpler.
2598
2599         This patch makes it easier to reify property names in a uniform
2600         manner, and does so in JSFunction. As a follow up I'll use the
2601         same mechanics for:
2602
2603         ClonedArguments   callee, iteratorSymbol (Symbol.iterator)
2604         ErrorConstructor  stackTraceLimit
2605         ErrorInstance     line, column, sourceURL, stack
2606         GenericArguments  length, callee, iteratorSymbol (Symbol.iterator)
2607         GetterSetter      RELEASE_ASSERT_NOT_REACHED()
2608         JSArray           length
2609         RegExpObject      lastIndex
2610         StringObject      length
2611
2612         * runtime/ClassInfo.h: Add reifyPropertyNameIfNeeded to method table.
2613         * runtime/JSCell.cpp:
2614         (JSC::JSCell::reifyPropertyNameIfNeeded): by default, don't reify.
2615         * runtime/JSCell.h:
2616         * runtime/JSFunction.cpp: `name` and `length` can be reified.
2617         (JSC::JSFunction::reifyPropertyNameIfNeeded):
2618         (JSC::JSFunction::put):
2619         (JSC::JSFunction::reifyLength):
2620         (JSC::JSFunction::reifyName):
2621         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
2622         (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
2623         (JSC::JSFunction::reifyLazyLengthIfNeeded):
2624         (JSC::JSFunction::reifyLazyNameIfNeeded):
2625         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
2626         * runtime/JSFunction.h:
2627         (JSC::JSFunction::isLazy):
2628         (JSC::JSFunction::isReified):
2629         * runtime/JSObjectInlines.h:
2630         (JSC::JSObject::putDirectInternal): do the reification here.
2631
2632 2017-11-16  Robin Morisset  <rmorisset@apple.com>
2633
2634         Provide a runtime option for disabling the optimization of recursive tail calls
2635         https://bugs.webkit.org/show_bug.cgi?id=179765
2636
2637         Reviewed by Mark Lam.
2638
2639         * bytecode/PreciseJumpTargets.cpp:
2640         (JSC::getJumpTargetsForBytecodeOffset):
2641         * bytecompiler/BytecodeGenerator.cpp:
2642         (JSC::BytecodeGenerator::emitEnter):
2643         * dfg/DFGByteCodeParser.cpp:
2644         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
2645         * runtime/Options.h:
2646
2647 2017-11-16  Robin Morisset  <rmorisset@apple.com>
2648
2649         Fix null pointer dereference in bytecodeDumper
2650         https://bugs.webkit.org/show_bug.cgi?id=179764
2651
2652         Reviewed by Mark Lam.
2653
2654         The problem was just a call to lastSeenCallee() that was unguarded by haveLastSeenCallee().
2655
2656         * bytecode/BytecodeDumper.cpp:
2657         (JSC::BytecodeDumper<Block>::printCallOp):
2658
2659 2017-11-16  Robin Morisset  <rmorisset@apple.com>
2660
2661         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
2662         https://bugs.webkit.org/show_bug.cgi?id=179763
2663         <rdar://problem/35550513>
2664
2665         Reviewed by Keith Miller.
2666
2667         Fix null pointer dereference caused by an eliminated tdz_check
2668
2669         The problem was when doing an OSR entry in DFG while |this| was null
2670         (because super() had not yet been called in the constructor of this
2671         subclass), it would be marked as non-null, and the tdz_check eliminated.
2672
2673         * dfg/DFGInPlaceAbstractState.cpp:
2674         (JSC::DFG::InPlaceAbstractState::initialize):
2675
2676 2017-11-15  Ryan Haddad  <ryanhaddad@apple.com>
2677
2678         Unreviewed, rolling out r224863.
2679
2680         Introduced LayoutTest crashes on iOS Simulator.
2681
2682         Reverted changeset:
2683
2684         "Move JSONValues to WTF and convert uses of InspectorValues.h
2685         to JSONValues.h"
2686         https://bugs.webkit.org/show_bug.cgi?id=173793
2687         https://trac.webkit.org/changeset/224863
2688
2689 2017-11-14  Mark Lam  <mark.lam@apple.com>
2690
2691         Gardening: CLoop build fix after r224862.
2692         https://bugs.webkit.org/show_bug.cgi?id=179699
2693
2694         Not reviewed.
2695
2696         * bytecode/CodeBlock.h:
2697         (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
2698
2699 2017-11-14  Carlos Garcia Campos  <cgarcia@igalia.com>
2700
2701         Move JSONValues to WTF and convert uses of InspectorValues.h to JSONValues.h
2702         https://bugs.webkit.org/show_bug.cgi?id=173793
2703
2704         Reviewed by Brian Burg.
2705
2706         Based on patch by Brian Burg.
2707
2708         * JavaScriptCore.xcodeproj/project.pbxproj:
2709         * Sources.txt:
2710         * bindings/ScriptValue.cpp:
2711         (Inspector::jsToInspectorValue):
2712         (Inspector::toInspectorValue):
2713         (Deprecated::ScriptValue::toInspectorValue const):
2714         * bindings/ScriptValue.h:
2715         * inspector/AsyncStackTrace.cpp:
2716         * inspector/ConsoleMessage.cpp:
2717         * inspector/ContentSearchUtilities.cpp:
2718         * inspector/InjectedScript.cpp:
2719         (Inspector::InjectedScript::getFunctionDetails):
2720         (Inspector::InjectedScript::functionDetails):
2721         (Inspector::InjectedScript::getPreview):
2722         (Inspector::InjectedScript::getProperties):
2723         (Inspector::InjectedScript::getDisplayableProperties):
2724         (Inspector::InjectedScript::getInternalProperties):
2725         (Inspector::InjectedScript::getCollectionEntries):
2726         (Inspector::InjectedScript::saveResult):
2727         (Inspector::InjectedScript::wrapCallFrames const):
2728         (Inspector::InjectedScript::wrapObject const):
2729         (Inspector::InjectedScript::wrapTable const):
2730         (Inspector::InjectedScript::previewValue const):
2731         (Inspector::InjectedScript::setExceptionValue):
2732         (Inspector::InjectedScript::clearExceptionValue):
2733         (Inspector::InjectedScript::inspectObject):
2734         (Inspector::InjectedScript::releaseObject):
2735         * inspector/InjectedScriptBase.cpp:
2736         (Inspector::InjectedScriptBase::makeCall):
2737         (Inspector::InjectedScriptBase::makeEvalCall):
2738         * inspector/InjectedScriptBase.h:
2739         * inspector/InjectedScriptManager.cpp:
2740         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
2741         * inspector/InspectorBackendDispatcher.cpp:
2742         (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
2743         (Inspector::BackendDispatcher::dispatch):
2744         (Inspector::BackendDispatcher::sendResponse):
2745         (Inspector::BackendDispatcher::sendPendingErrors):
2746         (Inspector::BackendDispatcher::getPropertyValue):
2747         (Inspector::castToInteger):
2748         (Inspector::castToNumber):
2749         (Inspector::BackendDispatcher::getInteger):
2750         (Inspector::BackendDispatcher::getDouble):
2751         (Inspector::BackendDispatcher::getString):
2752         (Inspector::BackendDispatcher::getBoolean):
2753         (Inspector::BackendDispatcher::getObject):
2754         (Inspector::BackendDispatcher::getArray):
2755         (Inspector::BackendDispatcher::getValue):
2756         * inspector/InspectorBackendDispatcher.h:
2757         * inspector/InspectorProtocolTypes.h:
2758         (Inspector::Protocol::Array::openAccessors):
2759         (Inspector::Protocol::PrimitiveBindingTraits::assertValueHasExpectedType):
2760         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
2761         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
2762         (Inspector::Protocol::BindingTraits<JSON::Value>::assertValueHasExpectedType):
2763         * inspector/ScriptCallFrame.cpp:
2764         * inspector/ScriptCallStack.cpp:
2765         * inspector/agents/InspectorAgent.cpp:
2766         (Inspector::InspectorAgent::inspect):
2767         * inspector/agents/InspectorAgent.h:
2768         * inspector/agents/InspectorDebuggerAgent.cpp:
2769         (Inspector::buildAssertPauseReason):
2770         (Inspector::buildCSPViolationPauseReason):
2771         (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
2772         (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason):
2773         (Inspector::buildObjectForBreakpointCookie):
2774         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
2775         (Inspector::parseLocation):
2776         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
2777         (Inspector::InspectorDebuggerAgent::setBreakpoint):
2778         (Inspector::InspectorDebuggerAgent::continueToLocation):
2779         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
2780         (Inspector::InspectorDebuggerAgent::didParseSource):
2781         (Inspector::InspectorDebuggerAgent::breakProgram):
2782         * inspector/agents/InspectorDebuggerAgent.h:
2783         * inspector/agents/InspectorRuntimeAgent.cpp:
2784         (Inspector::InspectorRuntimeAgent::callFunctionOn):
2785         (Inspector::InspectorRuntimeAgent::saveResult):
2786         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
2787         * inspector/agents/InspectorRuntimeAgent.h:
2788         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
2789         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
2790         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2791         (CppBackendDispatcherImplementationGenerator.generate_output):
2792         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
2793         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
2794         (CppFrontendDispatcherHeaderGenerator.generate_output):
2795         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2796         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
2797         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2798         (_generate_unchecked_setter_for_member):
2799         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2800         (CppProtocolTypesImplementationGenerator):
2801         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
2802         (ObjCBackendDispatcherImplementationGenerator.generate_output):
2803         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
2804         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
2805         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
2806         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
2807         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
2808         * inspector/scripts/codegen/generate_objc_internal_header.py:
2809         (ObjCInternalHeaderGenerator.generate_output):
2810         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
2811         (ObjCProtocolTypesImplementationGenerator.generate_output):
2812         * inspector/scripts/codegen/generator.py:
2813         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
2814         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2815         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2816         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
2817         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
2818         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
2819         * inspector/scripts/tests/generic/expected/enum-values.json-result:
2820         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2821         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
2822         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
2823         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
2824         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
2825         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
2826         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
2827         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2828         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
2829         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
2830         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
2831         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
2832         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
2833
2834 2017-11-14  Mark Lam  <mark.lam@apple.com>
2835
2836         Fix a bit-rotted Interpreter::dumpRegisters() and make it more robust.
2837         https://bugs.webkit.org/show_bug.cgi?id=179699
2838         <rdar://problem/35462346>
2839
2840         Reviewed by Michael Saboff.
2841
2842         * interpreter/Interpreter.cpp:
2843         (JSC::Interpreter::dumpRegisters):
2844         - Need to skip the callee saved registers
2845
2846 2017-11-14  Guillaume Emont  <guijemont@igalia.com>
2847
2848         REGRESSION(r224623) [MIPS] branchTruncateDoubleToInt32() doesn't set return register when branching
2849         https://bugs.webkit.org/show_bug.cgi?id=179563
2850
2851         Reviewed by Carlos Alberto Lopez Perez.
2852
2853         When run with BranchIfTruncateSuccessful,
2854         branchTruncateDoubleToInt32() should set the destination register
2855         before branching.
2856         This change also removes branchTruncateDoubleToUInt32() as it is
2857         deprecated (see r160205), merges branchOnTruncateResult() into
2858         branchTruncateDoubleToInt32() and adds test cases in testmasm.
2859
2860         * assembler/MacroAssemblerMIPS.h:
2861         (JSC::MacroAssemblerMIPS::branchOnTruncateResult): Deleted.
2862         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
2863         Properly set dest before branching.
2864         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUInt32): Deleted.
2865         * assembler/testmasm.cpp:
2866         (JSC::testBranchTruncateDoubleToInt32):
2867         (JSC::run):
2868         Add tests for branchTruncateDoubleToInt32().
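
The contract this entry fixes (the destination must be written before the branch is decided, in both branch modes) as an added portable C++ model; this is not the MIPS assembler code from the patch, and the enum and sentinel names below are assumptions for illustration:

```cpp
#include <cmath>
#include <cstdint>

// Added example, not JSC code: a portable model of the contract that
// branchTruncateDoubleToInt32() must honour. BranchTruncateType and
// kFailureSentinel are names assumed for this illustration.
enum class BranchTruncateType { BranchIfTruncateFailed, BranchIfTruncateSuccessful };

// Value left in the destination when the conversion cannot be represented
// (assumed; real ISAs differ in which sentinel their truncate instruction uses).
constexpr int32_t kFailureSentinel = INT32_MAX;

// Truncates `src` toward zero into `dest`, then reports whether the branch
// selected by `type` is taken. `dest` is written on every path before the
// branch decision, so a caller following the "successful" branch never reads
// an unset register.
bool branchTruncateDoubleToInt32(double src, int32_t& dest, BranchTruncateType type)
{
    // Casting a NaN or out-of-range double to int32 is undefined behaviour in
    // C++, so the range test comes first. Doubles in (-2^31 - 1, 2^31) truncate
    // into int32 range; infinities fail both comparisons.
    bool succeeded = !std::isnan(src) && src > -2147483649.0 && src < 2147483648.0;
    dest = succeeded ? static_cast<int32_t>(std::trunc(src)) : kFailureSentinel;
    bool branchTaken = (type == BranchTruncateType::BranchIfTruncateSuccessful) ? succeeded : !succeeded;
    return branchTaken;
}
```

Note that a legitimate input such as 2147483647.5 truncates to INT32_MAX, the same value as the sentinel, so this model decides success from the range test rather than by comparing the result against the sentinel; a JIT that only has the sentinel to look at has to treat that value conservatively as a failure and take the slow path.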
2869
2870 2017-11-14  Daniel Bates  <dabates@apple.com>
2871
2872         Update comment in FeatureDefines.xcconfig to reflect location of Visual Studio property files
2873         for feature defines
2874
2875         Following r195498 and r201917 the Visual Studio property files for feature defines have
2876         moved from directory WebKitLibraries/win/tools/vsprops to directory Source/cmake/tools/vsprops.
2877         Update the comment in FeatureDefines.xcconfig to reflect the new location and names of these
2878         files.
2879
2880         * Configurations/FeatureDefines.xcconfig:
2881
2882 2017-11-14  Mark Lam  <mark.lam@apple.com>
2883
2884         Remove JSDollarVMPrototype.
2885         https://bugs.webkit.org/show_bug.cgi?id=179685
2886
2887         Reviewed by Saam Barati.
2888
2889         1. Move the JSDollarVMPrototype C++ utility functions into VMInspector.cpp.
2890
2891            This allows us to call these functions during lldb debugging sessions using
2892            VMInspector::foo() instead of JSDollarVMPrototype::foo().  It makes sense that
2893            VMInspector provides VM debugging utility methods.  It doesn't make sense to
2894            have a JSDollarVMPrototype object provide these methods.
2895
2896            Plus, it's shorter to type VMInspector than JSDollarVMPrototype.
2897
2898         2. Move the JSDollarVMPrototype JS functions into JSDollarVM.cpp.
2899
2900            JSDollarVM is a special object used only for debugging purposes.  There's no
2901            gain in requiring its methods to be stored in a prototype object other than to
2902            conform to typical JS convention.  We can remove this complexity.
2903
2904         * JavaScriptCore.xcodeproj/project.pbxproj:
2905         * Sources.txt:
2906         * runtime/JSGlobalObject.cpp:
2907         (JSC::JSGlobalObject::init):
2908         * tools/JSDollarVM.cpp:
2909         (JSC::JSDollarVM::addFunction):
2910         (JSC::functionCrash):
2911         (JSC::functionDFGTrue):
2912         (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
2913         (JSC::CallerFrameJITTypeFunctor::operator() const):
2914         (JSC::CallerFrameJITTypeFunctor::jitType):
2915         (JSC::functionLLintTrue):
2916         (JSC::functionJITTrue):
2917         (JSC::functionGC):
2918         (JSC::functionEdenGC):
2919         (JSC::functionCodeBlockForFrame):
2920         (JSC::codeBlockFromArg):
2921         (JSC::functionCodeBlockFor):
2922         (JSC::functionPrintSourceFor):
2923         (JSC::functionPrintBytecodeFor):
2924         (JSC::functionPrint):
2925         (JSC::functionPrintCallFrame):
2926         (JSC::functionPrintStack):
2927         (JSC::functionValue):
2928         (JSC::functionGetPID):
2929         (JSC::JSDollarVM::finishCreation):
2930         * tools/JSDollarVM.h:
2931         (JSC::JSDollarVM::create):
2932         * tools/JSDollarVMPrototype.cpp: Removed.
2933         * tools/JSDollarVMPrototype.h: Removed.
2934         * tools/VMInspector.cpp:
2935         (JSC::VMInspector::currentThreadOwnsJSLock):
2936         (JSC::ensureCurrentThreadOwnsJSLock):
2937         (JSC::VMInspector::gc):
2938         (JSC::VMInspector::edenGC):
2939         (JSC::VMInspector::isInHeap):
2940         (JSC::CellAddressCheckFunctor::CellAddressCheckFunctor):
2941         (JSC::CellAddressCheckFunctor::operator() const):
2942         (JSC::VMInspector::isValidCell):
2943         (JSC::VMInspector::isValidCodeBlock):
2944         (JSC::VMInspector::codeBlockForFrame):
2945         (JSC::PrintFrameFunctor::PrintFrameFunctor):
2946         (JSC::PrintFrameFunctor::operator() const):
2947         (JSC::VMInspector::printCallFrame):
2948         (JSC::VMInspector::printStack):
2949         (JSC::VMInspector::printValue):
2950         * tools/VMInspector.h:
2951
2952 2017-11-14  Joseph Pecoraro  <pecoraro@apple.com>
2953
2954         Web Inspector: Add a ServiceWorker domain to get information about an inspected ServiceWorker
2955         https://bugs.webkit.org/show_bug.cgi?id=179640
2956         <rdar://problem/35517361>
2957
2958         Reviewed by Devin Rousso.
2959
2960         * CMakeLists.txt:
2961         * DerivedSources.make:
2962         Gate the ServiceWorker domain on the ENABLE feature flag.
2963
2964         * inspector/protocol/ServiceWorker.json: Added.
2965         New domain to be made available inside of a ServiceWorker target.
2966
2967 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2968
2969         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
2970         https://bugs.webkit.org/show_bug.cgi?id=179594
2971
2972         Reviewed by Saam Barati.
2973
2974         Currently we handle OOB access to DirectArguments as GetByVal(Array::Generic).
2975         If we can handle it as GetByVal(Array::DirectArguments+OutOfBounds), we can (1) optimize
2976         `arguments[i]` accesses if i is in bounds, and (2) encourage arguments elimination phase
2977         to convert CreateDirectArguments and GetByVal(Array::DirectArguments+OutOfBounds) to
2978         PhantomDirectArguments and GetMyArgumentOutOfBounds respectively.
2979
2980         This patch introduces Array::DirectArguments+OutOfBounds array mode. GetByVal can
2981         accept this type, and emit optimized code compared to Array::Generic case.
2982
2983         We make OOB check failures in GetByVal(Array::DirectArguments+InBounds) exit as OutOfBounds
2984         instead of ExoticObjectMode.
2985
2986         This change significantly improves SixSpeed rest.es5 since it uses OOB access.
2987         Our arguments elimination phase can change CreateDirectArguments to PhantomDirectArguments.
2988
2989             rest.es5                       59.6719+-2.2440     ^      3.1634+-0.5507        ^ definitely 18.8635x faster
2990
2991         * dfg/DFGArgumentsEliminationPhase.cpp:
2992         * dfg/DFGArrayMode.cpp:
2993         (JSC::DFG::ArrayMode::refine const):
2994         * dfg/DFGClobberize.h:
2995         (JSC::DFG::clobberize):
2996         * dfg/DFGSpeculativeJIT.cpp:
2997         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
2998         * ftl/FTLLowerDFGToB3.cpp:
2999         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
3000         (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
3001
3002 2017-11-14  Saam Barati  <sbarati@apple.com>
3003
3004         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
3005         https://bugs.webkit.org/show_bug.cgi?id=179639
3006         <rdar://problem/35513018>
3007
3008         Reviewed by JF Bastien.
3009
3010         Calling Wasm::Memory::grow from the JIT may cause us to GC. When we GC, we will
3011         walk the stack for ShadowChicken (and maybe other things). We weren't updating
3012         topCallFrame when calling grow from the Wasm JIT. This would cause the GC to
3013         use stale topCallFrame bits in VM, often leading to crashes. This patch fixes
3014         this bug by giving Wasm::Instance a lambda that is called when we need to store
3015         the topCallFrame. Users of Wasm::Instance can provide a function to do this action.
3016         Currently, JSWebAssemblyInstance passes in a lambda that stores to
3017         VM.topCallFrame.
3018
3019         * wasm/WasmB3IRGenerator.cpp:
3020         (JSC::Wasm::B3IRGenerator::addGrowMemory):
3021         * wasm/WasmInstance.cpp:
3022         (JSC::Wasm::Instance::Instance):
3023         (JSC::Wasm::Instance::create):
3024         * wasm/WasmInstance.h:
3025         (JSC::Wasm::Instance::storeTopCallFrame):
3026         * wasm/js/JSWebAssemblyInstance.cpp:
3027         (JSC::JSWebAssemblyInstance::create):
3028         * wasm/js/JSWebAssemblyInstance.h:
3029         * wasm/js/WasmToJS.cpp:
3030         (JSC::Wasm::wasmToJSException):
3031         * wasm/js/WebAssemblyInstanceConstructor.cpp:
3032         (JSC::constructJSWebAssemblyInstance):
3033         * wasm/js/WebAssemblyPrototype.cpp:
3034         (JSC::instantiate):
3035
3036 2017-11-13  Saam Barati  <sbarati@apple.com>
3037
3038         Remove pointer caging for HashMapImpl, JSLexicalEnvironment, DirectArguments, ScopedArguments, and ScopedArgumentsTable
3039         https://bugs.webkit.org/show_bug.cgi?id=179203
3040
3041         Reviewed by Yusuke Suzuki.
3042
3043         This patch only removes the pointer caging for the described types in the title.
3044         These types still allocate out of the gigacage. This is just a cost vs. benefit
3045         tradeoff of performance vs security.
3046
3047         * dfg/DFGSpeculativeJIT.cpp:
3048         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
3049         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
3050         * ftl/FTLLowerDFGToB3.cpp:
3051         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
3052         * jit/JITPropertyAccess.cpp:
3053         (JSC::JIT::emitDirectArgumentsGetByVal):
3054         (JSC::JIT::emitScopedArgumentsGetByVal):
3055         * runtime/DirectArguments.h:
3056         (JSC::DirectArguments::storage):
3057         * runtime/HashMapImpl.cpp:
3058         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
3059         * runtime/HashMapImpl.h:
3060         * runtime/JSLexicalEnvironment.h:
3061         (JSC::JSLexicalEnvironment::variables):
3062         * runtime/ScopedArguments.h:
3063         (JSC::ScopedArguments::overflowStorage const):
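
The mitigation this entry trades away for the listed types, pointer caging, as an added simplified C++ model (not WebKit's Gigacage implementation): the cage is a power-of-two region whose base is aligned to its size, and caging a pointer masks it to an offset inside the region and rebases it, so a corrupted pointer can at worst address memory inside the cage. The Cage, CagedStorageOwner, cagedLoad and uncagedLoad names are assumptions for illustration:

```cpp
#include <cstddef>
#include <cstdint>

// Added example, not WebKit's Gigacage code: a simplified model of pointer
// caging. Class and method names are assumptions for this illustration.
class Cage {
public:
    // sizeLog2 = 16 gives a 64 KiB cage. Over-allocating and rounding up keeps
    // the base aligned to the cage size without needing aligned_alloc.
    explicit Cage(unsigned sizeLog2)
        : m_size(size_t(1) << sizeLog2)
        , m_mask(m_size - 1)
        , m_raw(new unsigned char[2 * m_size]())
    {
        uintptr_t rawAddr = reinterpret_cast<uintptr_t>(m_raw);
        m_base = reinterpret_cast<unsigned char*>((rawAddr + m_mask) & ~m_mask);
    }
    ~Cage() { delete[] m_raw; }
    Cage(const Cage&) = delete;
    Cage& operator=(const Cage&) = delete;

    unsigned char* base() const { return m_base; }
    size_t size() const { return m_size; }

    // The caging operation: one AND and one ADD per access. For a pointer that
    // already lies in the cage this is the identity; for any other pointer it
    // yields some address inside the cage.
    unsigned char* caged(const unsigned char* ptr) const
    {
        uintptr_t offset = reinterpret_cast<uintptr_t>(ptr) & m_mask;
        return m_base + offset;
    }

    bool contains(const unsigned char* ptr) const
    {
        uintptr_t addr = reinterpret_cast<uintptr_t>(ptr);
        uintptr_t baseAddr = reinterpret_cast<uintptr_t>(m_base);
        return addr >= baseAddr && addr < baseAddr + m_size;
    }

private:
    size_t m_size;
    uintptr_t m_mask;
    unsigned char* m_raw;
    unsigned char* m_base;
};

// Stand-in for a heap cell that holds a pointer to its out-of-line storage,
// the kind of field a memory-safety bug elsewhere could overwrite.
struct CagedStorageOwner {
    unsigned char* storage;
};

// Caged load: confined to the cage whatever value `storage` holds. This is the
// per-access cost the entry removes for the listed types.
unsigned char cagedLoad(const Cage& cage, const CagedStorageOwner& owner, size_t index)
{
    return *cage.caged(owner.storage + index);
}

// Uncaged load: cheaper, but a corrupted `storage` reaches arbitrary memory.
unsigned char uncagedLoad(const CagedStorageOwner& owner, size_t index)
{
    return owner.storage[index];
}
```

For a well-formed pointer both loads return the same byte; the difference only shows once the pointer has been corrupted, which is exactly the case the uncaged types now rely on other defences (the gigacage allocation itself, bounds checks) to cover.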
3064
3065 2017-11-08  Keith Miller  <keith_miller@apple.com>
3066
3067         Async iteration should only fetch the next method once and add feature flag
3068         https://bugs.webkit.org/show_bug.cgi?id=179451
3069
3070         Reviewed by Geoffrey Garen.
3071
3072         Add feature flag for Async iteration. Also, change async iteration to match
3073         the expected behavior of the proposal.
3074
3075         * Configurations/FeatureDefines.xcconfig:
3076         * builtins/AsyncFromSyncIteratorPrototype.js:
3077         (globalPrivate.createAsyncFromSyncIterator):
3078         (globalPrivate.AsyncFromSyncIteratorConstructor):
3079         * builtins/BuiltinNames.h:
3080         * bytecompiler/BytecodeGenerator.cpp:
3081         (JSC::BytecodeGenerator::emitGetAsyncIterator):
3082         * runtime/Options.h:
3083
3084 2017-11-13  Mark Lam  <mark.lam@apple.com>
3085
3086         Add more overflow check book-keeping for MarkedArgumentBuffer.
3087         https://bugs.webkit.org/show_bug.cgi?id=179634
3088         <rdar://problem/35492517>
3089
3090         Reviewed by Saam Barati.
3091
3092         * runtime/ArgList.h:
3093         (JSC::MarkedArgumentBuffer::overflowCheckNotNeeded):
3094         * runtime/JSJob.cpp:
3095         (JSC::JSJobMicrotask::run):
3096         * runtime/ObjectConstructor.cpp:
3097         (JSC::defineProperties):
3098         * runtime/ReflectObject.cpp:
3099         (JSC::reflectObjectConstruct):
3100
3101 2017-11-13  Guillaume Emont  <guijemont@igalia.com>
3102
3103         [JSC] Remove ARM implementation of branchTruncateDoubleToUInt32
3104         https://bugs.webkit.org/show_bug.cgi?id=179542
3105
3106         Reviewed by Alex Christensen.
3107
3108         * assembler/MacroAssemblerARM.h:
3109         (JSC::MacroAssemblerARM::branchTruncateDoubleToUint32): Removed.
3110
3111 2017-11-13  Mark Lam  <mark.lam@apple.com>
3112
3113         Make the jsc shell loadGetterFromGetterSetter() function more robust.
3114         https://bugs.webkit.org/show_bug.cgi?id=179619
3115         <rdar://problem/35492518>
3116
3117         Reviewed by Saam Barati.
3118
3119         * jsc.cpp:
3120         (functionLoadGetterFromGetterSetter):
3121
3122 2017-11-12  Darin Adler  <darin@apple.com>
3123
3124         More is<> and downcast<>, less static_cast<>
3125         https://bugs.webkit.org/show_bug.cgi?id=179600
3126
3127         Reviewed by Chris Dumez.
3128
3129         * runtime/JSString.h:
3130         (JSC::jsSubstring): Removed unneeded static_cast; length already returns unsigned.
3131         (JSC::jsSubstringOfResolved): Ditto.
3132
3133 2017-11-12  Mark Lam  <mark.lam@apple.com>
3134
3135         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
3136         https://bugs.webkit.org/show_bug.cgi?id=179562
3137         <rdar://problem/35467022>
3138
3139         Reviewed by Saam Barati.
3140
3141         * dfg/DFGFixupPhase.cpp:
3142         (JSC::DFG::FixupPhase::fixupNode):
3143         * dfg/DFGOperations.cpp:
3144         * dfg/DFGSafeToExecute.h:
3145         (JSC::DFG::SafeToExecuteEdge::operator()):
3146         * dfg/DFGSpeculativeJIT.cpp:
3147         (JSC::DFG::SpeculativeJIT::speculateNotSymbol):
3148         (JSC::DFG::SpeculativeJIT::speculate):
3149         * dfg/DFGSpeculativeJIT.h:
3150         * dfg/DFGUseKind.cpp:
3151         (WTF::printInternal):
3152         * dfg/DFGUseKind.h:
3153         (JSC::DFG::typeFilterFor):
3154         * ftl/FTLCapabilities.cpp:
3155         (JSC::FTL::canCompile):
3156         * ftl/FTLLowerDFGToB3.cpp:
3157         (JSC::FTL::DFG::LowerDFGToB3::speculate):
3158         (JSC::FTL::DFG::LowerDFGToB3::speculateNotSymbol):
3159
3160 2017-11-11  Devin Rousso  <webkit@devinrousso.com>
3161
3162         Web Inspector: Canvas tab: show detailed status during canvas recording
3163         https://bugs.webkit.org/show_bug.cgi?id=178185
3164         <rdar://problem/34939862>
3165
3166         Reviewed by Brian Burg.
3167
3168         * inspector/protocol/Canvas.json:
3169         Add a `recordingProgress` event that is sent to the frontend that contains all the frame
3170         payloads since the last Canvas.recordingProgress event and the current buffer usage.
3171
3172         * inspector/protocol/Recording.json:
3173         Remove the required `frames` parameter from the Recording protocol object, as they will be
3174         sent in batches via the Canvas.recordingProgress event.
3175
3176 2017-11-10  Joseph Pecoraro  <pecoraro@apple.com>
3177
3178         Web Inspector: Make http status codes be "integer" instead of "number" in protocol
3179         https://bugs.webkit.org/show_bug.cgi?id=179543
3180
3181         Reviewed by Antoine Quint.
3182
3183         * inspector/protocol/Network.json:
3184         Use a better type for the status code.
3185
3186 2017-11-10  Robin Morisset  <rmorisset@apple.com>
3187
3188         The memory consumption of DFG::BasicBlock can be easily reduced a bit
3189         https://bugs.webkit.org/show_bug.cgi?id=179528
3190
3191         Reviewed by Saam Barati.
3192
3193         A few changes here:
3194         - Reordering some fields of DFG::BasicBlock to reduce padding
3195         - Making the enum fields that are glorified booleans fit into a u8
3196         - Make each Operands object have a single vector that holds all arguments followed by all locals, instead of two vectors.
3197           This change works because we never increase the number of arguments after allocating an Operands object.
3198           It lets us avoid one extra capacity field and one extra pointer field per Operands,
3199           and more importantly one allocation per Operands whenever both vectors would have overflowed their inlined buffer.
3200           Additionally, if a single vector would have overflowed its inline buffer, while the other would have had some free space,
3201           we have a chance to avoid an allocation.
3202         - Finally, the three methods argumentForIndex, variableForIndex and indexForOperand were deleted since they were dead code.
3203
3204         * bytecode/Operands.h:
3205         (JSC::Operands::Operands):
3206         (JSC::Operands::numberOfArguments const):
3207         (JSC::Operands::numberOfLocals const):
3208         (JSC::Operands::argument):
3209         (JSC::Operands::argument const):
3210         (JSC::Operands::local):
3211         (JSC::Operands::local const):
3212         (JSC::Operands::ensureLocals):
3213         (JSC::Operands::setLocal):
3214         (JSC::Operands::getLocal):
3215         (JSC::Operands::setArgumentFirstTime):
3216         (JSC::Operands::setLocalFirstTime):
3217         (JSC::Operands::operand):
3218         (JSC::Operands::setOperand):
3219         (JSC::Operands::size const):
3220         (JSC::Operands::at const):
3221         (JSC::Operands::at):
3222         (JSC::Operands::isArgument const):
3223         (JSC::Operands::isVariable const):
3224         (JSC::Operands::virtualRegisterForIndex const):
3225         (JSC::Operands::fill):
3226         (JSC::Operands::operator== const):
3227         (JSC::Operands::argumentForIndex const): Deleted.
3228         (JSC::Operands::variableForIndex const): Deleted.
3229         (JSC::Operands::indexForOperand const): Deleted.
3230         * dfg/DFGBasicBlock.cpp:
3231         (JSC::DFG::BasicBlock::BasicBlock):
3232         * dfg/DFGBasicBlock.h:
3233         * dfg/DFGBranchDirection.h:
3234         * dfg/DFGStructureClobberState.h:
3235
3236 2017-11-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3237
3238         [JSC] Retry module fetching if previous request fails
3239         https://bugs.webkit.org/show_bug.cgi?id=178168
3240
3241         Reviewed by Saam Barati.
3242
3243         According to the latest spec, the failed fetching operation can be retried if it is requested again.
3244         For example,
3245
3246             <script type="module" integrity="shaXXX-bad" src="./A.js"></script>
3247             <script type="module" integrity="shaXXX-correct" src="./A.js"></script>
3248
3249         When performing the first module fetch, the integrity check fails, and the load of this module fails.
3250         But when loading the second module, we do not use the cached failure result from the first module loading.
3251         We retry fetching for "./A.js". In this case, we have a correct integrity and module fetching succeeds.
3252         This is specified in whatwg/HTML[1]. If the fetching fails, we do not cache it.
3253
3254         Interestingly, the fetching result and instantiation result will be cached if they succeed. This is because we would
3255         like to cache modules based on their URLs. As a result,
3256
3257             <script type="module" integrity="shaXXX-correct" src="./A.js"></script>
3258             <script type="module" integrity="shaXXX-bad" src="./A.js"></script>
3259
3260         In the above case, the first loading succeeds. And the second loading also succeeds since the successful fetching and
3261         instantiation are cached in the module pipeline.
3262
3263         This patch implements the above semantics. Previously, our module pipeline always caches the result. If the fetching
3264         failed, all the subsequent fetching for the same URL fails even if we have different integrity values. We retry fetching
3265         if the previous one fails. As an overview of our change,
3266
3267         1. Fetching result should be cached only if it succeeds. Two or more on-the-fly fetching requests to the same URLs should
3268            be unified. But if currently executing one fails, other attempts should retry fetching.
3269
3270         2. Instantiation should be cached if fetching succeeds.
3271
3272         3. Satisfying should be cached if it succeeds.
3273
3274         [1]: https://html.spec.whatwg.org/#fetch-a-single-module-script
3275
3276         * builtins/ModuleLoaderPrototype.js:
3277         (requestFetch):
3278         (requestInstantiate):
3279         (requestSatisfy):
3280         (link):
3281         (loadModule):
3282         * runtime/JSGlobalObject.cpp:
3283         (JSC::JSGlobalObject::init):
3284
3285 2017-11-09  Devin Rousso  <webkit@devinrousso.com>
3286
3287         Web Inspector: support undo/redo of insertAdjacentHTML
3288         https://bugs.webkit.org/show_bug.cgi?id=179283
3289
3290         Reviewed by Joseph Pecoraro.
3291
3292         * inspector/protocol/DOM.json:
3293         Add `insertAdjacentHTML` command that executes an undoable version of `insertAdjacentHTML`
3294         on the given node.
3295
3296 2017-11-09  Joseph Pecoraro  <pecoraro@apple.com>
3297
3298         Web Inspector: Make domain availability a list of types instead of a single type
3299         https://bugs.webkit.org/show_bug.cgi?id=179457
3300
3301         Reviewed by Brian Burg.
3302
3303         * inspector/scripts/codegen/generate_js_backend_commands.py:
3304         (JSBackendCommandsGenerator.generate_domain):
3305         Update output of `InspectorBackend.activateDomain` to include the list.
3306
3307         * inspector/scripts/codegen/models.py:
3308         (Protocol.parse_domain):
3309         Parse `availability` as a list and include a new supported value of "service-worker".
3310
3311         * inspector/protocol/ApplicationCache.json:
3312         * inspector/protocol/CSS.json:
3313         * inspector/protocol/Canvas.json:
3314         * inspector/protocol/DOM.json:
3315         * inspector/protocol/DOMDebugger.json:
3316         * inspector/protocol/DOMStorage.json:
3317         * inspector/protocol/Database.json:
3318         * inspector/protocol/IndexedDB.json:
3319         * inspector/protocol/LayerTree.json:
3320         * inspector/protocol/Memory.json:
3321         * inspector/protocol/Network.json:
3322         * inspector/protocol/Page.json:
3323         * inspector/protocol/Timeline.json:
3324         * inspector/protocol/Worker.json:
3325         Update `availability` to be a list.
3326
3327         * inspector/scripts/tests/generic/domain-availability.json:
3328         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
3329         * inspector/scripts/tests/generic/expected/fail-on-domain-availability-type.json-error: Added.
3330         * inspector/scripts/tests/generic/expected/fail-on-domain-availability-value.json-error: Added.
3331         * inspector/scripts/tests/generic/expected/fail-on-domain-availability.json-error:
3332         * inspector/scripts/tests/generic/fail-on-domain-availability-type.json: Copied from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-availability.json.
3333         * inspector/scripts/tests/generic/fail-on-domain-availability-value.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-availability.json.
3334         Update tests to include a test for the type and an invalid value.
3335
3336 2017-11-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3337
3338         [JSC][JIT] Clean up SlowPathCall stubs
3339         https://bugs.webkit.org/show_bug.cgi?id=179247
3340
3341         Reviewed by Saam Barati.
3342
3343         We have a bunch of duplicate functions that just call a slow path function.
3344         This patch cleans up the above duplication.
3345
3346         * jit/JIT.cpp:
3347         (JSC::JIT::emitSlowCaseCall):
3348         (JSC::JIT::privateCompileSlowCases):
3349         * jit/JIT.h:
3350         * jit/JITArithmetic.cpp:
3351         (JSC::JIT::emitSlow_op_unsigned): Deleted.
3352         (JSC::JIT::emitSlow_op_inc): Deleted.
3353         (JSC::JIT::emitSlow_op_dec): Deleted.
3354         (JSC::JIT::emitSlow_op_bitand): Deleted.
3355         (JSC::JIT::emitSlow_op_bitor): Deleted.
3356         (JSC::JIT::emitSlow_op_bitxor): Deleted.
3357         (JSC::JIT::emitSlow_op_lshift): Deleted.
3358         (JSC::JIT::emitSlow_op_rshift): Deleted.
3359         (JSC::JIT::emitSlow_op_urshift): Deleted.
3360         (JSC::JIT::emitSlow_op_div): Deleted.
3361         * jit/JITArithmetic32_64.cpp:
3362         (JSC::JIT::emitSlow_op_unsigned): Deleted.
3363         (JSC::JIT::emitSlow_op_inc): Deleted.
3364         (JSC::JIT::emitSlow_op_dec): Deleted.
3365         * jit/JITOpcodes.cpp:
3366         (JSC::JIT::emitSlow_op_create_this): Deleted.
3367         (JSC::JIT::emitSlow_op_check_tdz): Deleted.
3368         (JSC::JIT::emitSlow_op_to_this): Deleted.
3369         (JSC::JIT::emitSlow_op_to_primitive): Deleted.
3370         (JSC::JIT::emitSlow_op_not): Deleted.
3371         (JSC::JIT::emitSlow_op_stricteq): Deleted.
3372         (JSC::JIT::emitSlow_op_nstricteq): Deleted.
3373         (JSC::JIT::emitSlow_op_to_number): Deleted.
3374         (JSC::JIT::emitSlow_op_to_string): Deleted.
3375         (JSC::JIT::emitSlow_op_to_object): Deleted.
3376         (JSC::JIT::emitSlow_op_get_direct_pname): Deleted.
3377         (JSC::JIT::emitSlow_op_has_structure_property): Deleted.
3378         * jit/JITOpcodes32_64.cpp:
3379         (JSC::JIT::emitSlow_op_to_primitive): Deleted.
3380         (JSC::JIT::emitSlow_op_not): Deleted.
3381         (JSC::JIT::emitSlow_op_stricteq): Deleted.
3382         (JSC::JIT::emitSlow_op_nstricteq): Deleted.
3383         (JSC::JIT::emitSlow_op_to_number): Deleted.
3384         (JSC::JIT::emitSlow_op_to_string): Deleted.
3385         (JSC::JIT::emitSlow_op_to_object): Deleted.
3386         (JSC::JIT::emitSlow_op_create_this): Deleted.
3387         (JSC::JIT::emitSlow_op_to_this): Deleted.
3388         (JSC::JIT::emitSlow_op_check_tdz): Deleted.
3389         (JSC::JIT::emitSlow_op_get_direct_pname): Deleted.
3390         * jit/JITPropertyAccess.cpp:
3391         (JSC::JIT::emitSlow_op_resolve_scope): Deleted.
3392         * jit/JITPropertyAccess32_64.cpp:
3393         (JSC::JIT::emit_op_resolve_scope):
3394         (JSC::JIT::emitSlow_op_resolve_scope): Deleted.
3395         * jit/SlowPathCall.h:
3396         (JSC::JITSlowPathCall::JITSlowPathCall):
3397         * runtime/CommonSlowPaths.cpp:
3398         (JSC::SLOW_PATH_DECL):
3399         * runtime/CommonSlowPaths.h:
3400
3401 2017-11-09  Guillaume Emont  <guijemont@igalia.com>
3402
3403         [JSC][MIPS] Use fcsr to check the validity of the result of trunc.w.d
3404         https://bugs.webkit.org/show_bug.cgi?id=179446
3405
3406         Reviewed by Žan Doberšek.
3407
3408         The trunc.w.d mips instruction should give a 0x7fffffff result when
3409         the source value is Infinity, NaN, or rounds to an integer outside the
3410         range -2^31 to 2^31 - 1. This is what branchTruncateDoubleToInt32() and
3411         branchTruncateDoubleToUInt32() have been relying on. It turns out that
3412         this assumption is not true on some CPUs, including on the ci20 on
3413         which we run the testbot (we get 0x80000000 instead). We should use the
3414         invalid operation cause bit instead to check whether the source value
3415         could be properly truncated. This requires the addition of the cfc1
3416         instruction, as well as the special registers that can be used with it
3417         (control registers of CP1).
3418
3419         * assembler/MIPSAssembler.h:
3420         (JSC::MIPSAssembler::firstSPRegister):
3421         (JSC::MIPSAssembler::lastSPRegister):
3422         (JSC::MIPSAssembler::numberOfSPRegisters):
3423         (JSC::MIPSAssembler::sprName):
3424         Added control registers of CP1.
3425         (JSC::MIPSAssembler::cfc1):
3426         Added.
3427         * assembler/MacroAssemblerMIPS.h:
3428         (JSC::MacroAssemblerMIPS::branchOnTruncateResult):
3429         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
3430         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUint32):
3431         Use fcsr to check if the value could be properly truncated.
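
An added example, not WebKit code, restating the hazard from the entry above in JavaScript's own integer conversion (ToInt32, i.e. `x | 0`): like trunc.w.d on the ci20, the converted value alone does not reliably say whether truncation was valid, so validity has to be decided from the input (the analogue of consulting the FCSR cause bit) rather than inferred from a sentinel result. The sample inputs are constructed to hit the boundary cases.

```javascript
// Added example, not WebKit code: the same hazard in JavaScript's ToInt32
// conversion (`x | 0`), which never signals failure. NaN and +/-Infinity map
// to 0, out-of-range values wrap modulo 2^32, and 0x7fffffff is also the
// correct answer for inputs such as 2147483647.9, so the converted value
// alone cannot distinguish a valid truncation from an invalid one.
const INT32_MIN = -2147483648;
const INT32_MAX = 2147483647;

// Sentinel approach: decide validity from the converted value, the way the
// pre-patch MIPS code trusted 0x7fffffff from trunc.w.d.
function sentinelSaysInvalid(x) {
  return (x | 0) === INT32_MAX;
}

// Explicit approach: validate the input before converting, the JavaScript
// analogue of checking the FCSR invalid-operation cause bit.
function truncateToInt32(x) {
  if (typeof x !== "number" || !Number.isFinite(x)) return { ok: false, value: null };
  const t = Math.trunc(x);
  if (t < INT32_MIN || t > INT32_MAX) return { ok: false, value: null };
  return { ok: true, value: t | 0 }; // `| 0` also normalizes -0 to 0
}

// Compare both decisions over constructed inputs chosen to hit the boundary
// cases: a legitimate result equal to the sentinel, the first out-of-range
// value (which wraps to 0x80000000, the value the ci20 produced), the negative
// edge on both sides, NaN and Infinity.
function compare(inputs) {
  return inputs.map((x) => {
    const explicit = truncateToInt32(x);
    return {
      input: x,
      explicitOk: explicit.ok,
      explicitValue: explicit.value,
      sentinelFlagsInvalid: sentinelSaysInvalid(x),
      raw: x | 0,
    };
  });
}

const SAMPLE_INPUTS = [1.9, -0.5, 2147483647.9, 2147483648, -2147483648, -2147483649, NaN, Infinity];

for (const row of compare(SAMPLE_INPUTS)) console.log(row);
```

Two rows are the ones to look at: 2147483647.9 truncates correctly to 0x7fffffff yet the sentinel check reports failure, while 2147483648 silently becomes 0x80000000 and the sentinel check reports success. A result-value sentinel therefore both over- and under-reports; only the input-side check is reliable.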
3432
3433 2017-11-08  Jeremy Jones  <jeremyj@apple.com>
3434
3435         HTMLMediaElement should not use element fullscreen on iOS
3436         https://bugs.webkit.org/show_bug.cgi?id=179418
3437         rdar://problem/35409277
3438
3439         Reviewed by Eric Carlson.
3440
3441         Add ENABLE_VIDEO_USES_ELEMENT_FULLSCREEN to determine if HTMLMediaElement should use element full screen or not.
3442
3443         * Configurations/FeatureDefines.xcconfig:
3444
3445 2017-11-08  Joseph Pecoraro  <pecoraro@apple.com>
3446
3447         Web Inspector: Show Internal properties of PaymentRequest in Web Inspector Console
3448         https://bugs.webkit.org/show_bug.cgi?id=179276
3449
3450         Reviewed by Andy Estes.
3451
3452         * inspector/InjectedScriptHost.h:
3453         * inspector/JSInjectedScriptHost.cpp:
3454         (Inspector::JSInjectedScriptHost::getInternalProperties):
3455         Call through to virtual implementation so that WebCore can provide custom
3456         internal properties for Web / DOM objects.
3457
3458 2017-11-08  Saam Barati  <sbarati@apple.com>
3459
3460         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
3461         https://bugs.webkit.org/show_bug.cgi?id=177792
3462
3463         Reviewed by Yusuke Suzuki.
3464
3465         Before this patch, if a JSFunction's rare data initialized its allocation profile
3466         before its backing Executable's poly proto watchpoint was invalidated, that
3467         JSFunction would continue to allocate non-poly proto objects until its allocation
3468         profile was cleared (which essentially never happens in practice). This patch
3469         improves on this pathology. A JSFunction's rare data will now watch the poly
3470         proto watchpoint if it's still valid and clear its allocation profile when we
3471         detect that we should go poly proto.
3472
3473         * bytecode/ObjectAllocationProfile.h:
3474         * bytecode/ObjectAllocationProfileInlines.h:
3475         (JSC::ObjectAllocationProfile::initializeProfile):
3476         * runtime/FunctionRareData.cpp:
3477         (JSC::FunctionRareData::initializeObjectAllocationProfile):
3478         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::fireInternal):
3479         * runtime/FunctionRareData.h:
3480         (JSC::FunctionRareData::hasAllocationProfileClearingWatchpoint const):
3481         (JSC::FunctionRareData::createAllocationProfileClearingWatchpoint):
3482         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::AllocationProfileClearingWatchpoint):
3483
3484 2017-11-08  Keith Miller  <keith_miller@apple.com>
3485
3486         Add super sampler begin and end bytecodes.
3487         https://bugs.webkit.org/show_bug.cgi?id=179376
3488
3489         Reviewed by Filip Pizlo.
3490
3491         This patch adds a way to measure a narrow range of bytecodes for
3492         performance. This is done using the same infrastructure as the
3493         super sampler. I also added a class that helps do the bytecode
3494         checking with RAII. One problem with the current way this is done
3495         is that we don't handle decrementing early exits, either from
3496         branches or exceptions. So, when using this API users need to
3497         ensure that there are no early exits or that those exits don't
3498         occur in the measured code.
3499
3500         * JavaScriptCore.xcodeproj/project.pbxproj:
3501         * bytecode/BytecodeDumper.cpp:
3502         (JSC::BytecodeDumper<Block>::dumpBytecode):
3503         * bytecode/BytecodeList.json:
3504         * bytecode/BytecodeUseDef.h:
3505         (JSC::computeUsesForBytecodeOffset):
3506         (JSC::computeDefsForBytecodeOffset):
3507         * bytecompiler/BytecodeGenerator.cpp:
3508         (JSC::BytecodeGenerator::emitSuperSamplerBegin):
3509         (JSC::BytecodeGenerator::emitSuperSamplerEnd):
3510         * bytecompiler/BytecodeGenerator.h:
3511         * bytecompiler/SuperSamplerBytecodeScope.h: Added.
3512         (JSC::SuperSamplerBytecodeScope::SuperSamplerBytecodeScope):
3513         (JSC::SuperSamplerBytecodeScope::~SuperSamplerBytecodeScope):
3514         * dfg/DFGAbstractInterpreterInlines.h:
3515         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3516         * dfg/DFGByteCodeParser.cpp:
3517         (JSC::DFG::ByteCodeParser::parseBlock):
3518         * dfg/DFGClobberize.h:
3519         (JSC::DFG::clobberize):
3520         * dfg/DFGClobbersExitState.cpp:
3521         (JSC::DFG::clobbersExitState):
3522         * dfg/DFGDoesGC.cpp:
3523         (JSC::DFG::doesGC):
3524         * dfg/DFGFixupPhase.cpp:
3525         (JSC::DFG::FixupPhase::fixupNode):
3526         * dfg/DFGMayExit.cpp:
3527         * dfg/DFGNodeType.h:
3528         * dfg/DFGPredictionPropagationPhase.cpp:
3529         * dfg/DFGSafeToExecute.h:
3530         (JSC::DFG::safeToExecute):
3531         * dfg/DFGSpeculativeJIT.cpp:
3532         * dfg/DFGSpeculativeJIT32_64.cpp:
3533         (JSC::DFG::SpeculativeJIT::compile):
3534         * dfg/DFGSpeculativeJIT64.cpp:
3535         (JSC::DFG::SpeculativeJIT::compile):
3536         * ftl/FTLCapabilities.cpp:
3537         (JSC::FTL::canCompile):
3538         * ftl/FTLLowerDFGToB3.cpp:
3539         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3540         (JSC::FTL::DFG::LowerDFGToB3::compileSuperSamplerBegin):
3541         (JSC::FTL::DFG::LowerDFGToB3::compileSuperSamplerEnd):
3542         * jit/JIT.cpp:
3543         (JSC::JIT::privateCompileMainPass):
3544         * jit/JIT.h:
3545         * jit/JITOpcodes.cpp:
3546         (JSC::JIT::emit_op_super_sampler_begin):
3547         (JSC::JIT::emit_op_super_sampler_end):
3548         * llint/LLIntSlowPaths.cpp:
3549         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3550         * llint/LLIntSlowPaths.h:
3551         * llint/LowLevelInterpreter.asm:
3552
3553 2017-11-08  Robin Morisset  <rmorisset@apple.com>
3554
3555         Turn recursive tail calls into loops
3556         https://bugs.webkit.org/show_bug.cgi?id=176601
3557
3558         Reviewed by Saam Barati.
3559
3560         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
3561
3562         We want to turn recursive tail calls into loops early in the pipeline, so that the loops can then be optimized.
3563         One difficulty is that we need to split the entry block of the function we are jumping to in order to have somewhere to jump to.
3564         Worse: it is not necessarily the first block of the codeBlock, because of inlining! So we must do the splitting in the DFGByteCodeParser, at the same time as inlining.
3565         We do this part through modifying the computation of the jump targets.
3566         Importantly, we only do this splitting for functions that have tail calls.
3567         It is the only case where the optimisation is sound, and doing the splitting unconditionally destroys performance on Octane/raytrace.
3568
3569         We must then do the actual transformation also in DFGByteCodeParser, to avoid code motion moving code out of the body of what will become a loop.
3570         The transformation is entirely contained in handleRecursiveTailCall, which is hooked to the inlining machinery.
3571
3572         * bytecode/CodeBlock.h:
3573         (JSC::CodeBlock::hasTailCalls const):
3574         * bytecode/PreciseJumpTargets.cpp:
3575         (JSC::getJumpTargetsForBytecodeOffset):
3576         (JSC::computePreciseJumpTargetsInternal):
3577         * bytecode/UnlinkedCodeBlock.cpp:
3578         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
3579         * bytecode/UnlinkedCodeBlock.h:
3580         (JSC::UnlinkedCodeBlock::hasTailCalls const):
3581         (JSC::UnlinkedCodeBlock::setHasTailCalls):
3582         * bytecompiler/BytecodeGenerator.cpp:
3583         (JSC::BytecodeGenerator::emitEnter):
3584         (JSC::BytecodeGenerator::emitCallInTailPosition):
3585         * dfg/DFGByteCodeParser.cpp:
3586         (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
3587         (JSC::DFG::ByteCodeParser::makeBlockTargetable):
3588         (JSC::DFG::ByteCodeParser::handleCall):
3589         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
3590         (JSC::DFG::ByteCodeParser::parseBlock):
3591         (JSC::DFG::ByteCodeParser::parse):
3592
3593 2017-11-08  Joseph Pecoraro  <pecoraro@apple.com>
3594
3595         Web Inspector: Remove unused Page.ScriptIdentifier protocol type
3596         https://bugs.webkit.org/show_bug.cgi?id=179407
3597
3598         Reviewed by Matt Baker.
3599
3600         * inspector/protocol/Page.json:
3601         Remove unused protocol type.
3602
3603 2017-11-08  Carlos Garcia Campos  <cgarcia@igalia.com>
3604
3605         Web Inspector: use JSON::{Array,Object,Value} instead of Inspector{Array,Object,Value}
3606         https://bugs.webkit.org/show_bug.cgi?id=173619
3607
3608         Reviewed by Alex Christensen and Brian Burg.
3609
3610         Eventually all classes used for our JSON-RPC message passing should be outside
3611         of the Inspector namespace since the protocol is used outside of Inspector code.
3612         This will also allow us to unify the primitive JSON types with parametric types
3613         like Inspector::Protocol::Array<T> and other protocol-related types which don't
3614         need to be in the Inspector namespace.
3615
3616         Start this refactoring off by making JSON::Value a typedef for InspectorValue. In following
3617         patches, other clients will move to use JSON::Value and friends. When all uses are
3618         changed, the actual implementation will be renamed. This patch just focuses on the typedef
3619         and making changes in generated protocol code.
3620
3621         Original patch by Brian Burg, rebased and updated by me.
3622
3623         * inspector/InspectorValues.cpp:
3624         * inspector/InspectorValues.h:
3625         * inspector/scripts/codegen/cpp_generator.py:
3626         (CppGenerator.cpp_protocol_type_for_type):
3627         (CppGenerator.cpp_type_for_unchecked_formal_in_parameter):
3628         (CppGenerator.cpp_type_for_type_with_name):
3629         (CppGenerator.cpp_type_for_stack_in_parameter):
3630         * inspector/scripts/codegen/cpp_generator_templates.py:
3631         (void):
3632         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
3633         (_generate_class_for_object_declaration):
3634         (_generate_forward_declarations_for_binding_traits):
3635         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
3636         (CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration):
3637         (CppProtocolTypesImplementationGenerator._generate_assertion_for_enum):
3638         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
3639         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
3640         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
3641         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
3642         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
3643         * inspector/scripts/tests/generic/expected/enum-values.json-result:
3644         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
3645         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
3646         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
3647         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
3648         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
3649         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
3650         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
3651         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
3652
3653 2017-11-07  Maciej Stachowiak  <mjs@apple.com>
3654
3655         Get rid of unsightly hex numbers from unified build object files
3656         https://bugs.webkit.org/show_bug.cgi?id=179410
3657
3658         Reviewed by Saam Barati.
3659
3660         * JavaScriptCore.xcodeproj/project.pbxproj: Rename UnifiedSource*.mm to UnifiedSource*-mm.mm for more readable build output.
3661
3662 2017-11-07  Saam Barati  <sbarati@apple.com>
3663
3664         Only cage double butterfly accesses
3665         https://bugs.webkit.org/show_bug.cgi?id=179202
3666
3667         Reviewed by Mark Lam.
3668
3669         This patch removes caging from all butterfly accesses except double loads/stores.
3670         This is a performance vs security tradeoff. Double loads/stores are the only butterfly
3671         loads/stores that can write arbitrary bit patterns, so we choose to keep them safe
3672         by caging. The other load/stores we are no longer caging to get back performance on
3673         various benchmarks.
3674
3675         * bytecode/AccessCase.cpp:
3676         (JSC::AccessCase::generateImpl):
3677         * bytecode/InlineAccess.cpp:
3678         (JSC::InlineAccess::dumpCacheSizesAndCrash):
3679         (JSC::InlineAccess::generateSelfPropertyAccess):
3680         (JSC::InlineAccess::generateSelfPropertyReplace):
3681         (JSC::InlineAccess::generateArrayLength):
3682         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp:
3683         * dfg/DFGSpeculativeJIT.cpp:
3684         (JSC::DFG::SpeculativeJIT::compileCreateRest):
3685         (JSC::DFG::SpeculativeJIT::compileSpread):
3686         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
3687         * dfg/DFGSpeculativeJIT64.cpp:
3688         (JSC::DFG::SpeculativeJIT::compile):
3689         * ftl/FTLLowerDFGToB3.cpp:
3690         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
3691         * jit/JITPropertyAccess.cpp:
3692         (JSC::JIT::emitContiguousLoad):
3693         (JSC::JIT::emitArrayStorageLoad):
3694         (JSC::JIT::emitGenericContiguousPutByVal):
3695         (JSC::JIT::emitArrayStoragePutByVal):
3696         (JSC::JIT::emit_op_get_from_scope):
3697         (JSC::JIT::emit_op_put_to_scope):
3698         * llint/LowLevelInterpreter64.asm:
3699         * runtime/AuxiliaryBarrier.h:
3700         (JSC::AuxiliaryBarrier::operator-> const):
3701         * runtime/Butterfly.h:
3702         (JSC::Butterfly::caged):
3703         (JSC::Butterfly::contiguousDouble):
3704         * runtime/JSArray.cpp:
3705         (JSC::JSArray::setLength):
3706         (JSC::JSArray::pop):
3707         (JSC::JSArray::shiftCountWithAnyIndexingType):
3708         (JSC::JSArray::unshiftCountWithAnyIndexingType):
3709         (JSC::JSArray::fillArgList):
3710         (JSC::JSArray::copyToArguments):
3711         * runtime/JSArrayInlines.h:
3712         (JSC::JSArray::pushInline):
3713         * runtime/JSObject.cpp:
3714         (JSC::JSObject::heapSnapshot):
3715         (JSC::JSObject::createInitialIndexedStorage):
3716         (JSC::JSObject::createArrayStorage):
3717         (JSC::JSObject::convertUndecidedToInt32):
3718         (JSC::JSObject::ensureLengthSlow):
3719         (JSC::JSObject::reallocateAndShrinkButterfly):
3720         (JSC::JSObject::allocateMoreOutOfLineStorage):
3721         * runtime/JSObject.h:
3722         (JSC::JSObject::canGetIndexQuickly):
3723         (JSC::JSObject::getIndexQuickly):
3724         (JSC::JSObject::tryGetIndexQuickly const):
3725         (JSC::JSObject::canSetIndexQuickly):
3726         (JSC::JSObject::butterfly const):
3727         (JSC::JSObject::butterfly):
3728
3729 2017-11-07  Mark Lam  <mark.lam@apple.com>
3730
3731         Introduce a default RegisterSet constructor so that we can use { } notation.
3732         https://bugs.webkit.org/show_bug.cgi?id=179389
3733
3734         Reviewed by Saam Barati.
3735
3736         I also replaced uses of "RegisterSet()" with "{ }" where the use of "RegisterSet()"
3737         does not add any code documentation value.
3738
3739         * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
3740         * b3/air/AirCode.cpp:
3741         (JSC::B3::Air::Code::setRegsInPriorityOrder):
3742         * b3/air/AirPrintSpecial.cpp:
3743         (JSC::B3::Air::PrintSpecial::extraEarlyClobberedRegs):
3744         (JSC::B3::Air::PrintSpecial::extraClobberedRegs):
3745         * b3/air/testair.cpp:
3746         * bytecode/PolymorphicAccess.h:
3747         (JSC::AccessGenerationState::preserveLiveRegistersToStackForCall):
3748         (JSC::AccessGenerationState::restoreLiveRegistersFromStackForCall):
3749         * dfg/DFGJITCode.cpp:
3750         (JSC::DFG::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
3751         * ftl/FTLJITCode.cpp:
3752         (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
3753         * jit/JITCode.cpp:
3754         (JSC::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
3755         * jit/RegisterSet.cpp:
3756         (JSC::RegisterSet::reservedHardwareRegisters):
3757         (JSC::RegisterSet::runtimeRegisters):
3758         (JSC::RegisterSet::macroScratchRegisters):
3759         * jit/RegisterSet.h:
3760         (JSC::RegisterSet::RegisterSet):
3761         * wasm/WasmB3IRGenerator.cpp:
3762         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
3763
3764 2017-11-07  Mark Lam  <mark.lam@apple.com>
3765
3766         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
3767         https://bugs.webkit.org/show_bug.cgi?id=179355
3768         <rdar://problem/35263053>
3769
3770         Reviewed by Saam Barati.
3771
3772         In the Transition case in AccessCase::generateImpl(), we were restoring registers
3773         using restoreLiveRegistersFromStackForCall() without excluding the scratchGPR
3774         where we previously stashed the reallocated butterfly.  If the generated code is
3775         under heavy register pressure, scratchGPR could have been from the set of preserved
3776         registers, and hence, would be restored by restoreLiveRegistersFromStackForCall().
3777         As a result, the restoration would trash the butterfly result we stored there.
3778         This patch fixes the issue by excluding the scratchGPR in the restoration.
3779
3780         * bytecode/AccessCase.cpp:
3781         (JSC::AccessCase::generateImpl):
3782
3783 2017-11-06  Robin Morisset  <rmorisset@apple.com>
3784
3785         CodeBlock::usesOpcode() is dead code
3786         https://bugs.webkit.org/show_bug.cgi?id=179316
3787
3788         Reviewed by Yusuke Suzuki.
3789
3790         Remove CodeBlock::usesOpcode, which is dead code.
3791
3792         * bytecode/CodeBlock.cpp:
3793         * bytecode/CodeBlock.h:
3794
3795 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
3796
3797         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
3798         https://bugs.webkit.org/show_bug.cgi?id=144458
3799
3800         Reviewed by Saam Barati.
3801
3802         Previously, only JSFunction was handled by CallLinkInfo's caching mechanism. This means that
3803         InternalFunction calls are not cached and they always go to the slow path. This is not good because
3804
3805         1. We need to query getCallData/getConstructData every time in the slow path.
3806         2. CallLinkInfo tells nothing in the higher tier JITs.
3807
3808         This patch starts handling InternalFunction in CallLinkInfo's caching mechanism. We change InternalFunction
3809         to hold pointers to the functions for call and construct. We have new stubs that can call/construct
3810         InternalFunction. And we return this code pointer as a result of the setup call to use the CallLinkInfo mechanism.
3811
3812         This patch is critical to optimizing derived Array construction[1] since it starts using CallLinkInfo
3813         for InternalFunction. Previously we did not record any information to CallLinkInfo. Except for the
3814         case that DFGByteCodeParser figures out InternalFunction constant, we cannot attempt to emit DFG
3815         nodes for these InternalFunctions since CallLinkInfo tells us nothing.
3816
3817         Attached microbenchmarks show performance improvement.
3818
3819                                                            baseline                  patched
3820
3821         dfg-internal-function-construct                 1.6439+-0.0826     ^      1.2829+-0.0727        ^ definitely 1.2813x faster
3822         dfg-internal-function-not-handled-construct     2.1862+-0.1361            2.0696+-0.1201          might be 1.0564x faster
3823         dfg-internal-function-not-handled-call         20.7592+-0.9085           19.7369+-0.7921          might be 1.0518x faster
3824         dfg-internal-function-call                      1.6856+-0.0967     ^      1.2771+-0.0744        ^ definitely 1.3198x faster
3825
3826         [1]: https://bugs.webkit.org/show_bug.cgi?id=178064
3827
3828         * API/JSCallbackFunction.cpp:
3829         (JSC::JSCallbackFunction::JSCallbackFunction):
3830         (JSC::JSCallbackFunction::getCallData): Deleted.
3831         * API/JSCallbackFunction.h:
3832         (JSC::JSCallbackFunction::createStructure):
3833         * API/ObjCCallbackFunction.h:
3834         (JSC::ObjCCallbackFunction::createStructure):
3835         * API/ObjCCallbackFunction.mm:
3836         (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
3837         (JSC::ObjCCallbackFunction::getCallData): Deleted.
3838         (JSC::ObjCCallbackFunction::getConstructData): Deleted.
3839         * bytecode/BytecodeDumper.cpp:
3840         (JSC::BytecodeDumper<Block>::printCallOp):
3841         * bytecode/BytecodeList.json:
3842         * bytecode/CallLinkInfo.cpp:
3843         (JSC::CallLinkInfo::setCallee):
3844         (JSC::CallLinkInfo::callee):
3845         (JSC::CallLinkInfo::setLastSeenCallee):
3846         (JSC::CallLinkInfo::lastSeenCallee):
3847         (JSC::CallLinkInfo::visitWeak):
3848         * bytecode/CallLinkInfo.h:
3849         * bytecode/CallLinkStatus.cpp:
3850         (JSC::CallLinkStatus::computeFromCallLinkInfo):
3851         * bytecode/LLIntCallLinkInfo.h:
3852         * jit/JITOperations.cpp:
3853         * jit/JITThunks.cpp:
3854         (JSC::JITThunks::ctiInternalFunctionCall):
3855         (JSC::JITThunks::ctiInternalFunctionConstruct):
3856         * jit/JITThunks.h:
3857         * jit/Repatch.cpp:
3858         (JSC::linkFor):
3859         (JSC::linkPolymorphicCall):
3860         * jit/Repatch.h:
3861         * jit/ThunkGenerators.cpp:
3862         (JSC::virtualThunkFor):
3863         (JSC::nativeForGenerator):
3864         (JSC::nativeCallGenerator):
3865         (JSC::nativeTailCallGenerator):
3866         (JSC::nativeTailCallWithoutSavedTagsGenerator):
3867         (JSC::nativeConstructGenerator):
3868         (JSC::internalFunctionCallGenerator):
3869         (JSC::internalFunctionConstructGenerator):
3870         * jit/ThunkGenerators.h:
3871         * llint/LLIntSlowPaths.cpp:
3872         (JSC::LLInt::setUpCall):
3873         * llint/LowLevelInterpreter.asm:
3874         * llint/LowLevelInterpreter32_64.asm:
3875         * llint/LowLevelInterpreter64.asm:
3876         * runtime/ArrayConstructor.cpp:
3877         (JSC::ArrayConstructor::ArrayConstructor):
3878         (JSC::ArrayConstructor::getConstructData): Deleted.
3879         (JSC::ArrayConstructor::getCallData): Deleted.
3880         * runtime/ArrayConstructor.h:
3881         (JSC::ArrayConstructor::createStructure):
3882         * runtime/AsyncFunctionConstructor.cpp:
3883         (JSC::AsyncFunctionConstructor::AsyncFunctionConstructor):
3884         (JSC::AsyncFunctionConstructor::finishCreation):
3885         (JSC::AsyncFunctionConstructor::getCallData): Deleted.
3886         (JSC::AsyncFunctionConstructor::getConstructData): Deleted.
3887         * runtime/AsyncFunctionConstructor.h:
3888         (JSC::AsyncFunctionConstructor::createStructure):
3889         * runtime/AsyncGeneratorFunctionConstructor.cpp:
3890         (JSC::AsyncGeneratorFunctionConstructor::AsyncGeneratorFunctionConstructor):
3891         (JSC::AsyncGeneratorFunctionConstructor::finishCreation):
3892         (JSC::AsyncGeneratorFunctionConstructor::getCallData): Deleted.
3893         (JSC::AsyncGeneratorFunctionConstructor::getConstructData): Deleted.
3894         * runtime/AsyncGeneratorFunctionConstructor.h:
3895         (JSC::AsyncGeneratorFunctionConstructor::createStructure):
3896         * runtime/BooleanConstructor.cpp:
3897         (JSC::callBooleanConstructor):
3898         (JSC::BooleanConstructor::BooleanConstructor):
3899         (JSC::BooleanConstructor::finishCreation):
3900         (JSC::BooleanConstructor::getConstructData): Deleted.