6f9b046a0873951188382361f2c5b1a429773c4d
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-06-28  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Cleanup Protocol JSON files
        https://bugs.webkit.org/show_bug.cgi?id=173934

        Reviewed by Matt Baker.

        * inspector/protocol/ApplicationCache.json:
        * inspector/protocol/CSS.json:
        * inspector/protocol/Console.json:
        * inspector/protocol/DOM.json:
        * inspector/protocol/DOMDebugger.json:
        * inspector/protocol/Debugger.json:
        * inspector/protocol/LayerTree.json:
        * inspector/protocol/Network.json:
        * inspector/protocol/Page.json:
        * inspector/protocol/Runtime.json:
        Be more consistent about placement of `description` property.

2017-06-27  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove unused Inspector domain events
        https://bugs.webkit.org/show_bug.cgi?id=173905

        Reviewed by Matt Baker.

        * inspector/protocol/Inspector.json:

2017-06-28  JF Bastien  <jfbastien@apple.com>

        Ensure that computed new stack pointer values do not underflow.
        https://bugs.webkit.org/show_bug.cgi?id=173700
        <rdar://problem/32926032>

        Reviewed by Filip Pizlo and Saam Barati, update reviewed by Mark Lam.

        Patch by Mark Lam, with the following fix:

        Re-apply this patch; it originally broke the ARM build because the llint code
        generated `subs xzr, x3, sp`, which isn't valid ARM64: the third operand cannot
        be SP (that encoding would be ZR instead, subtracting zero). Flip the comparison
        and operands to emit valid code (because the second operand can be SP).

        1. Added a RELEASE_ASSERT to BytecodeGenerator::generate() to ensure that
           m_numCalleeLocals is sane.

        2. Added underflow checks in LLInt code and VarargsFrame code.

        3. Introduce minimumReservedZoneSize, which is hardcoded to 16K.
           Ensure that Options::reservedZoneSize() is at least minimumReservedZoneSize.
           Ensure that Options::softReservedZoneSize() is at least greater than
           Options::reservedZoneSize() by minimumReservedZoneSize.

        4. Ensure that stack checks emitted by JIT tiers include an underflow check if
           and only if the max size of the frame is greater than Options::reservedZoneSize().

           By design, we are guaranteed to have at least Options::reservedZoneSize() bytes
           of memory at the bottom (end) of the stack.  This means that, at any time, the
           frame pointer must be at least Options::reservedZoneSize() bytes away from the
           end of the stack.  Hence, if the max frame size is less than
           Options::reservedZoneSize(), there's no way that frame pointer - max
           frame size can underflow, and we can elide the underflow check.

           Note that we use Options::reservedZoneSize() instead of
           Options::softReservedZoneSize() for determining whether we need an underflow check.
           This is because the softStackLimit that is used for stack checks can be set
           based on Options::reservedZoneSize() during error handling (e.g. when creating
           strings for instantiating the Error object).  Hence, the guaranteed minimum
           distance between the frame pointer and the end of the stack is
           Options::reservedZoneSize() and not Options::softReservedZoneSize().

           Note also that we ensure that Options::reservedZoneSize() is at least
           minimumReservedZoneSize (i.e. 16K).  In typical deployments,
           Options::reservedZoneSize() may be larger.  Using Options::reservedZoneSize()
           instead of minimumReservedZoneSize gives us more chances to elide underflow
           checks.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::emitStackOverflowCheck):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        * jit/JIT.cpp:
        (JSC::JIT::compileWithoutLinking):
        * jit/SetupVarargsFrame.cpp:
        (JSC::emitSetupVarargsFrameFastCase):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/MinimumReservedZoneSize.h: Added.
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/VM.cpp:
        (JSC::VM::updateStackLimits):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):

2017-06-28  Chris Dumez  <cdumez@apple.com>

        Unreviewed, rolling out r218869.

        Broke the iOS build

        Reverted changeset:

        "Ensure that computed new stack pointer values do not
        underflow."
        https://bugs.webkit.org/show_bug.cgi?id=173700
        http://trac.webkit.org/changeset/218869

2017-06-28  Chris Dumez  <cdumez@apple.com>

        Unreviewed, rolling out r218873.

        Broke the iOS build

        Reverted changeset:

        "Gardening: CLoop build fix."
        https://bugs.webkit.org/show_bug.cgi?id=173700
        http://trac.webkit.org/changeset/218873

2017-06-28  Mark Lam  <mark.lam@apple.com>

        Gardening: CLoop build fix.
        https://bugs.webkit.org/show_bug.cgi?id=173700
        <rdar://problem/32926032>

        Not reviewed.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2017-06-28  Mark Lam  <mark.lam@apple.com>

        Ensure that computed new stack pointer values do not underflow.
        https://bugs.webkit.org/show_bug.cgi?id=173700
        <rdar://problem/32926032>

        Reviewed by Filip Pizlo and Saam Barati.

        1. Added a RELEASE_ASSERT to BytecodeGenerator::generate() to ensure that
           m_numCalleeLocals is sane.

        2. Added underflow checks in LLInt code and VarargsFrame code.

        3. Introduce minimumReservedZoneSize, which is hardcoded to 16K.
           Ensure that Options::reservedZoneSize() is at least minimumReservedZoneSize.
           Ensure that Options::softReservedZoneSize() is at least greater than
           Options::reservedZoneSize() by minimumReservedZoneSize.

        4. Ensure that stack checks emitted by JIT tiers include an underflow check if
           and only if the max size of the frame is greater than Options::reservedZoneSize().

           By design, we are guaranteed to have at least Options::reservedZoneSize() bytes
           of memory at the bottom (end) of the stack.  This means that, at any time, the
           frame pointer must be at least Options::reservedZoneSize() bytes away from the
           end of the stack.  Hence, if the max frame size is less than
           Options::reservedZoneSize(), there's no way that frame pointer - max
           frame size can underflow, and we can elide the underflow check.

           Note that we use Options::reservedZoneSize() instead of
           Options::softReservedZoneSize() for determining whether we need an underflow check.
           This is because the softStackLimit that is used for stack checks can be set
           based on Options::reservedZoneSize() during error handling (e.g. when creating
           strings for instantiating the Error object).  Hence, the guaranteed minimum
           distance between the frame pointer and the end of the stack is
           Options::reservedZoneSize() and not Options::softReservedZoneSize().

           Note also that we ensure that Options::reservedZoneSize() is at least
           minimumReservedZoneSize (i.e. 16K).  In typical deployments,
           Options::reservedZoneSize() may be larger.  Using Options::reservedZoneSize()
           instead of minimumReservedZoneSize gives us more chances to elide underflow
           checks.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        * jit/JIT.cpp:
        (JSC::JIT::compileWithoutLinking):
        * jit/SetupVarargsFrame.cpp:
        (JSC::emitSetupVarargsFrameFastCase):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/MinimumReservedZoneSize.h: Added.
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/VM.cpp:
        (JSC::VM::updateStackLimits):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):

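The option invariants of step 3 and the elision rule of step 4, which appear both in this entry and in the re-applied one above, as an added C++ model that is not JSC code: StackOptions, recomputeDependentOptions, softStackLimit, needsUnderflowCheck and checkFrame are constructed stand-ins for the Options:: values, VM::updateStackLimits and the prologue check the entries describe, and the addresses used are made up.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Constructed model of the stack-limit policy in the ChangeLog entry; the names
// follow the entry but none of this is JavaScriptCore code.

constexpr size_t minimumReservedZoneSize = 16 * 1024; // "hardcoded to 16K"

struct StackOptions {
    size_t reservedZoneSize;
    size_t softReservedZoneSize;
};

// Step 3: reservedZoneSize >= 16K, and softReservedZoneSize exceeds
// reservedZoneSize by at least 16K.
StackOptions recomputeDependentOptions(StackOptions opts)
{
    opts.reservedZoneSize = std::max(opts.reservedZoneSize, minimumReservedZoneSize);
    opts.softReservedZoneSize = std::max(opts.softReservedZoneSize,
        opts.reservedZoneSize + minimumReservedZoneSize);
    return opts;
}

// The stack grows toward lower addresses; stackEnd is its lowest byte. The soft
// limit normally leaves softReservedZoneSize bytes below it, but while an Error
// is being materialised it is lowered to leave only reservedZoneSize. That
// smaller value is therefore the only guaranteed distance between any live
// frame pointer and the end of the stack.
uintptr_t softStackLimit(uintptr_t stackEnd, const StackOptions& opts, bool handlingError)
{
    return stackEnd + (handlingError ? opts.reservedZoneSize : opts.softReservedZoneSize);
}

// Step 4: since fp >= stackEnd + reservedZoneSize always holds, fp - maxFrameSize
// cannot wrap below zero unless maxFrameSize exceeds reservedZoneSize, and only
// then does the emitted stack check need an explicit underflow test.
bool needsUnderflowCheck(size_t maxFrameSize, const StackOptions& opts)
{
    return maxFrameSize > opts.reservedZoneSize;
}

enum class StackCheck { Ok, Overflow, Underflow };

// The check a JIT tier emits in the prologue. newSP = fp - frameSize computed in
// unsigned arithmetic wraps on underflow to a huge address that passes a plain
// "newSP >= limit" test, so the comparison has to happen before the subtraction
// whenever the frame may be larger than the reserved zone. With the check
// elided (withUnderflowCheck == false) the function deliberately shows that
// wrong Ok result, which is exactly what the elision rule must rule out.
StackCheck checkFrame(uintptr_t framePointer, size_t frameSize, uintptr_t limit, bool withUnderflowCheck)
{
    if (withUnderflowCheck && frameSize > framePointer)
        return StackCheck::Underflow;
    uintptr_t newSP = framePointer - frameSize; // may wrap when the check is elided
    return newSP < limit ? StackCheck::Overflow : StackCheck::Ok;
}

// Ties the pieces together the way a tier would at compile time: pick the limit,
// decide at compile time whether the underflow test is needed, then check.
StackCheck checkFrameWithPolicy(uintptr_t framePointer, size_t maxFrameSize, uintptr_t stackEnd,
    const StackOptions& opts, bool handlingError)
{
    return checkFrame(framePointer, maxFrameSize, softStackLimit(stackEnd, opts, handlingError),
        needsUnderflowCheck(maxFrameSize, opts));
}

int main()
{
    StackOptions opts = recomputeDependentOptions(StackOptions { 4096, 8192 });
    std::printf("reservedZoneSize=%zu softReservedZoneSize=%zu\n",
        opts.reservedZoneSize, opts.softReservedZoneSize);
    std::printf("8K frame needs underflow check: %d\n", needsUnderflowCheck(8192, opts));
    std::printf("128K frame at fp=0x14000 (error handling): %d\n",
        static_cast<int>(checkFrameWithPolicy(0x14000, 0x20000, 0x10000, opts, true)));
    return 0;
}
```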
2017-06-27  JF Bastien  <jfbastien@apple.com>

        WebAssembly: running out of executable memory should throw OoM
        https://bugs.webkit.org/show_bug.cgi?id=171537
        <rdar://problem/32963338>

        Reviewed by Saam Barati.

        Both on first compile with BBQ as well as on tier-up with OMG,
        running out of X memory shouldn't cause the entire program to
        terminate. An exception will do when compiling initial code (since
        we don't have any other fallback at the moment), and refusal to
        tier up will do as well (it'll just be slower).

        This is useful because programs which generate huge amounts of
        code simply look like crashes, which developers report to
        us. Getting a JavaScript exception instead is much clearer.

        * jit/ExecutableAllocator.cpp:
        (JSC::ExecutableAllocator::allocate):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::shouldJIT):
        * runtime/Options.h:
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::prepare):
        (JSC::Wasm::BBQPlan::complete):
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToJs):
        (JSC::Wasm::wasmToWasm):
        * wasm/WasmBinding.h:
        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::OMGPlan::work):
        * wasm/js/JSWebAssemblyCodeBlock.cpp:
        (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
        * wasm/js/JSWebAssemblyCodeBlock.h:
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::finalizeCreation):

2017-06-27  Saam Barati  <sbarati@apple.com>

        JITStubRoutine::passesFilter should use isJITPC
        https://bugs.webkit.org/show_bug.cgi?id=173906

        Reviewed by JF Bastien.

        This patch makes JITStubRoutine use the isJITPC abstraction defined
        inside ExecutableAllocator.h. Before, JITStubRoutine was using a
        hardcoded platform size constant. This means it'd do the wrong thing
        if Options::jitMemoryReservationSize() was larger than the defined
        constant for that platform. This patch also removes a bunch of
        dead code in that file.

        * jit/ExecutableAllocator.cpp:
        * jit/ExecutableAllocator.h:
        * jit/JITStubRoutine.h:
        (JSC::JITStubRoutine::passesFilter):
        (JSC::JITStubRoutine::canPerformRangeFilter): Deleted.
        (JSC::JITStubRoutine::filteringStartAddress): Deleted.
        (JSC::JITStubRoutine::filteringExtentSize): Deleted.

2017-06-27  Saam Barati  <sbarati@apple.com>

        Fix some stale comments in Wasm code base
        https://bugs.webkit.org/show_bug.cgi?id=173814

        Reviewed by Mark Lam.

        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToJs):
        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::runOMGPlanForIndex):

2017-06-27  Caio Lima  <ticaiolima@gmail.com>

        [ESnext] Implement Object Rest - Implementing Object Rest Destructuring
        https://bugs.webkit.org/show_bug.cgi?id=167962

        Reviewed by Saam Barati.

        The Object Rest/Spread Destructuring proposal is in stage 3[1] and this
        patch is a prototype implementation of it. A simple change over the
        parser was necessary to support the new '...' token in the Object Pattern
        destructuring rule. On the bytecode generator side, we changed the
        bytecode generated in ObjectPatternNode::bindValue to store in a
        set the identifiers of already destructured properties, following spec draft
        section [2], and then pass it as excludedNames to CopyDataProperties.
        The rest destructuring calls copyDataProperties to perform the
        copy of rest properties in rhs.

        We also implemented CopyDataProperties as a private JS global operation
        in builtins/GlobalOperations.js following its specification in [3].
        It is implemented using a Set object to verify if a property is in
        excludedNames to keep this algorithm at O(n + m) complexity, where n
        = number of source's own properties and m = excludedNames.length.

        In this implementation we aren't using excludeList as a constant if the
        destructuring pattern contains a computed property, i.e. we can
        just determine the key to be excluded at runtime. If we can define all
        identifiers in the pattern at compile time, we then create a
        constant JSSet. This approach gives a good performance improvement,
        since we allocate the excludeSet just once, reducing GC pressure.

        [1] - https://github.com/tc39/proposal-object-rest-spread
        [2] - https://tc39.github.io/proposal-object-rest-spread/#Rest-RuntimeSemantics-PropertyDestructuringAssignmentEvaluation
        [3] - https://tc39.github.io/proposal-object-rest-spread/#AbstractOperations-CopyDataProperties

        * builtins/BuiltinNames.h:
        * builtins/GlobalOperations.js:
        (globalPrivate.copyDataProperties):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ObjectPatternNode::bindValue):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::appendObjectPatternEntry):
        (JSC::ASTBuilder::appendObjectPatternRestEntry):
        (JSC::ASTBuilder::setContainsObjectRestElement):
        * parser/Nodes.h:
        (JSC::ObjectPatternNode::appendEntry):
        (JSC::ObjectPatternNode::setContainsRestElement):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseDestructuringPattern):
        (JSC::Parser<LexerType>::parseProperty):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::operatorStackPop):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::asyncFunctionStructure):
        (JSC::JSGlobalObject::setStructure): Deleted.
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::privateToObject):
        * runtime/JSGlobalObjectFunctions.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::finishCreation):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):

2017-06-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Do not touch VM after notifying Ready in DFG::Worklist
        https://bugs.webkit.org/show_bug.cgi?id=173888

        Reviewed by Saam Barati.

        After notifying Plan::Ready and releasing the Worklist lock, the VM can be destroyed.
        Thus, Plan::vm() can return a destroyed VM. Do not touch it.
        This causes occasional SEGV / assertion failures in the workers/bomb test.

        * dfg/DFGWorklist.cpp:

2017-06-27  Saam Barati  <sbarati@apple.com>

        Remove an inaccurate comment inside DFGClobberize.h
        https://bugs.webkit.org/show_bug.cgi?id=163874

        Reviewed by Filip Pizlo.

        The comment said that Clobberize may or may not be sound if run prior to
        doing type inference. This is not correct, though. Clobberize *must* be sound
        prior to doing type inference since we use it inside the BytecodeParser, which
        is the very first thing the DFG does.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

2017-06-27  Saam Barati  <sbarati@apple.com>

        Function constructor needs to follow the spec and validate parameters and body independently
        https://bugs.webkit.org/show_bug.cgi?id=173303
        <rdar://problem/32732526>

        Reviewed by Keith Miller.

        The Function constructor must check the arguments and body strings
        independently for syntax errors. People rely on this specified behavior
        to verify that a particular string is a valid function body. We used
        to check these strings concatenated together, instead of
        independently. For example, this used to be valid: `Function("/*", "*/){")`.
        However, we should throw a syntax error here since "(/*)" is not a valid
        parameter list, and "*/){" is not a valid body.

        To implement the specified behavior, we check the syntax independently of
        both the body and the parameter list. To check that the parameter list has
        valid syntax, we check that it is valid if in a function with an empty body.
        To check that the body has valid syntax, we check it is valid in a function
        with an empty parameter list.

        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):

2017-06-27  Ting-Wei Lan  <lantw44@gmail.com>

        Add missing includes to fix compilation error on FreeBSD
        https://bugs.webkit.org/show_bug.cgi?id=172919

        Reviewed by Mark Lam.

        * API/JSRemoteInspector.h:
        * API/tests/GlobalContextWithFinalizerTest.cpp:
        * API/tests/TypedArrayCTest.cpp:

2017-06-27  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Crash generating object preview for ArrayIterator
        https://bugs.webkit.org/show_bug.cgi?id=173754
        <rdar://problem/32859012>

        Reviewed by Saam Barati.

        When Inspector generated an object preview for an ArrayIterator instance, it made
        a "clone" of the original ArrayIterator instance by constructing a new object with
        the instance's structure. However, user code could have modified that instance's
        structure, such as adding / removing properties. The `return` property had special
        meaning, and our clone did not fill that slot. This approach is brittle in that
        we weren't satisfying the expectations of an object with a particular Structure,
        and the original goal of having Web Inspector peek values of built-in Iterators
        was to avoid observable behavior.

        This tightens Web Inspector's Iterator preview to only peek values if the
        Iterators would actually be non-observable. It also builds an ArrayIterator
        clone like a regular object construction.

        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::cloneArrayIteratorObject):
        Build up the Object from scratch with a new ArrayIterator prototype.

        (Inspector::JSInjectedScriptHost::iteratorEntries):
        Only clone and peek iterators if it would not be observable.
        Also update iteration to be more in line with IterationOperations, such as when
        we call iteratorClose.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::stringIteratorProtocolWatchpoint):
        * runtime/JSGlobalObjectInlines.h:
        (JSC::JSGlobalObject::isStringPrototypeIteratorProtocolFastAndNonObservable):
        Add a StringIterator WatchPoint in line with the Array/Map/Set iterator watchpoints.

        * runtime/JSMap.cpp:
        (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
        (JSC::JSMap::canCloneFastAndNonObservable):
        * runtime/JSMap.h:
        * runtime/JSSet.cpp:
        (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
        (JSC::JSSet::canCloneFastAndNonObservable):
        * runtime/JSSet.h:
        Promote isIteratorProtocolFastAndNonObservable to a method.

        * runtime/JSObject.cpp:
        (JSC::canDoFastPutDirectIndex):
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::isArgumentsType):
        Helper to detect if an Object is an Arguments type.

2017-06-26  Saam Barati  <sbarati@apple.com>

        RegExpPrototype.js builtin uses for-of iteration which is almost certainly incorrect
        https://bugs.webkit.org/show_bug.cgi?id=173740

        Reviewed by Mark Lam.

        The builtin was using for-of iteration to iterate over an internal
        list in its algorithm. For-of iteration is observable via user code
        in the global object, so this approach was wrong as it would break if
        a user changed the Array iteration protocol in some way.

        * builtins/RegExpPrototype.js:
        (replace):

2017-06-26  Mark Lam  <mark.lam@apple.com>

        Renamed DumpRegisterFunctor to DumpReturnVirtualPCFunctor.
        https://bugs.webkit.org/show_bug.cgi?id=173848

        Reviewed by JF Bastien.

        This functor only dumps the return VirtualPC.

        * interpreter/Interpreter.cpp:
        (JSC::DumpReturnVirtualPCFunctor::DumpReturnVirtualPCFunctor):
        (JSC::Interpreter::dumpRegisters):
        (JSC::DumpRegisterFunctor::DumpRegisterFunctor): Deleted.
        (JSC::DumpRegisterFunctor::operator()): Deleted.

2017-06-26  Saam Barati  <sbarati@apple.com>

        Crash in JSC::Lexer<unsigned char>::setCode
        https://bugs.webkit.org/show_bug.cgi?id=172754

        Reviewed by Mark Lam.

        The lexer was asking one of its buffers to reserve initial space that
        was O(text size in bytes). For large sources, this would end up causing
        the vector to overflow and crash. This patch changes this code to be like
        the Lexer's other buffers and to only reserve a small starting buffer.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::setCode):

2017-06-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Drop Thread::create(obsolete things) API since we can use lambda
        https://bugs.webkit.org/show_bug.cgi?id=173825

        Reviewed by Saam Barati.

        * jsc.cpp:
        (startTimeoutThreadIfNeeded):
        (timeoutThreadMain): Deleted.

2017-06-26  Konstantin Tokarev  <annulen@yandex.ru>

        Unreviewed, add missing header for CLoop

        * runtime/SymbolTable.cpp:

2017-06-26  Konstantin Tokarev  <annulen@yandex.ru>

        Unreviewed, add missing header includes

        * parser/Lexer.h:

2017-06-25  Konstantin Tokarev  <annulen@yandex.ru>

        Remove excessive headers from JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=173812

        Reviewed by Darin Adler.

        * API/APIUtils.h:
        * assembler/LinkBuffer.cpp:
        * assembler/MacroAssemblerCodeRef.cpp:
        * b3/air/AirLiveness.h:
        * b3/air/AirLowerAfterRegAlloc.cpp:
        * bindings/ScriptValue.cpp:
        * bindings/ScriptValue.h:
        * bytecode/AccessCase.cpp:
        * bytecode/AccessCase.h:
        * bytecode/ArrayProfile.h:
        * bytecode/BytecodeDumper.h:
        * bytecode/BytecodeIntrinsicRegistry.cpp:
        * bytecode/BytecodeKills.h:
        * bytecode/BytecodeLivenessAnalysis.h:
        * bytecode/BytecodeUseDef.h:
        * bytecode/CallLinkStatus.h:
        * bytecode/CodeBlock.h:
        * bytecode/CodeOrigin.h:
        * bytecode/ComplexGetStatus.h:
        * bytecode/GetByIdStatus.h:
        * bytecode/GetByIdVariant.h:
        * bytecode/InlineCallFrame.h:
        * bytecode/InlineCallFrameSet.h:
        * bytecode/Instruction.h:
        * bytecode/InternalFunctionAllocationProfile.h:
        * bytecode/JumpTable.h:
        * bytecode/MethodOfGettingAValueProfile.h:
        * bytecode/ObjectPropertyConditionSet.h:
        * bytecode/Operands.h:
        * bytecode/PolymorphicAccess.h:
        * bytecode/PutByIdStatus.h:
        * bytecode/SpeculatedType.cpp:
        * bytecode/StructureSet.h:
        * bytecode/StructureStubInfo.h:
        * bytecode/UnlinkedCodeBlock.h:
        * bytecode/UnlinkedFunctionExecutable.h:
        * bytecode/ValueProfile.h:
        * bytecompiler/BytecodeGenerator.cpp:
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/Label.h:
        * bytecompiler/StaticPropertyAnalysis.h:
        * debugger/DebuggerCallFrame.cpp:
        * dfg/DFGAbstractInterpreter.h:
        * dfg/DFGAdjacencyList.h:
        * dfg/DFGArgumentsUtilities.h:
        * dfg/DFGArrayMode.h:
        * dfg/DFGArrayifySlowPathGenerator.h:
        * dfg/DFGBackwardsPropagationPhase.h:
        * dfg/DFGBasicBlock.h:
        * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
        * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
        * dfg/DFGCapabilities.h:
        * dfg/DFGCommon.h:
        * dfg/DFGCommonData.h:
        * dfg/DFGDesiredIdentifiers.h:
        * dfg/DFGDesiredWatchpoints.h:
        * dfg/DFGDisassembler.cpp:
        * dfg/DFGDominators.h:
        * dfg/DFGDriver.cpp:
        * dfg/DFGDriver.h:
        * dfg/DFGEdgeDominates.h:
        * dfg/DFGFinalizer.h:
        * dfg/DFGGenerationInfo.h:
        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGJITCompiler.h:
        * dfg/DFGJITFinalizer.h:
        * dfg/DFGLivenessAnalysisPhase.h:
        * dfg/DFGMinifiedNode.h:
        * dfg/DFGMultiGetByOffsetData.h:
        * dfg/DFGNaturalLoops.cpp:
        * dfg/DFGNaturalLoops.h:
        * dfg/DFGNode.h:
        * dfg/DFGOSRAvailabilityAnalysisPhase.h:
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitCompilationInfo.h:
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler.h:
        * dfg/DFGOSRExitJumpPlaceholder.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPlan.h:
        * dfg/DFGPreciseLocalClobberize.h:
        * dfg/DFGPromotedHeapLocation.h:
        * dfg/DFGRegisteredStructure.h:
        * dfg/DFGRegisteredStructureSet.h:
        * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
        * dfg/DFGSlowPathGenerator.h:
        * dfg/DFGSnippetParams.h:
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGToFTLDeferredCompilationCallback.h:
        * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h:
        * dfg/DFGValidate.h:
        * dfg/DFGValueSource.h:
        * dfg/DFGVariableEvent.h:
        * dfg/DFGVariableEventStream.h:
        * dfg/DFGWorklist.h:
        * domjit/DOMJITCallDOMGetterSnippet.h:
        * domjit/DOMJITEffect.h:
        * ftl/FTLLink.cpp:
        * ftl/FTLLowerDFGToB3.cpp:
        * ftl/FTLPatchpointExceptionHandle.h:
        * heap/AllocatorAttributes.h:
        * heap/CodeBlockSet.h:
        * heap/DeferGC.h:
        * heap/GCSegmentedArray.h:
        * heap/Heap.cpp:
        * heap/Heap.h:
        * heap/IncrementalSweeper.h:
        * heap/ListableHandler.h:
        * heap/MachineStackMarker.h:
        * heap/MarkedAllocator.h:
        * heap/MarkedBlock.cpp:
        * heap/MarkedBlock.h:
        * heap/MarkingConstraint.h:
        * heap/SlotVisitor.cpp:
        * heap/SlotVisitor.h:
        * inspector/ConsoleMessage.cpp:
        * inspector/ConsoleMessage.h:
        * inspector/InjectedScript.h:
        * inspector/InjectedScriptHost.h:
        * inspector/InjectedScriptManager.cpp:
        * inspector/JSGlobalObjectInspectorController.cpp:
        * inspector/JavaScriptCallFrame.h:
        * inspector/ScriptCallStack.h:
        * inspector/ScriptCallStackFactory.cpp:
        * inspector/ScriptDebugServer.h:
        * inspector/agents/InspectorConsoleAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorHeapAgent.cpp:
        * inspector/agents/InspectorHeapAgent.h:
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        * inspector/agents/InspectorScriptProfilerAgent.h:
        * inspector/agents/JSGlobalObjectConsoleAgent.h:
        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
        * inspector/agents/JSGlobalObjectDebuggerAgent.h:
        * inspector/agents/JSGlobalObjectRuntimeAgent.h:
        * inspector/augmentable/AlternateDispatchableAgent.h:
        * interpreter/CLoopStack.h:
        * interpreter/CachedCall.h:
        * interpreter/CallFrame.h:
        * interpreter/Interpreter.cpp:
        * interpreter/Interpreter.h:
        * jit/AssemblyHelpers.cpp:
        * jit/AssemblyHelpers.h:
        * jit/CCallHelpers.h:
        * jit/CallFrameShuffler.h:
        * jit/ExecutableAllocator.h:
        * jit/GCAwareJITStubRoutine.h:
        * jit/HostCallReturnValue.h:
        * jit/ICStats.h:
        * jit/JIT.cpp:
        * jit/JIT.h:
        * jit/JITAddGenerator.h:
        * jit/JITCall32_64.cpp:
        * jit/JITCode.h:
        * jit/JITDisassembler.cpp:
        * jit/JITExceptions.cpp:
        * jit/JITMathIC.h:
        * jit/JITOpcodes.cpp:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITThunks.cpp:
        * jit/JITThunks.h:
        * jit/JSInterfaceJIT.h:
        * jit/PCToCodeOriginMap.h:
        * jit/PolymorphicCallStubRoutine.h:
        * jit/RegisterSet.h:
        * jit/Repatch.h:
        * jit/SetupVarargsFrame.h:
        * jit/Snippet.h:
        * jit/SnippetParams.h:
        * jit/ThunkGenerators.h:
        * jsc.cpp:
        * llint/LLIntCLoop.h:
        * llint/LLIntEntrypoint.h:
        * llint/LLIntExceptions.h:
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LLIntSlowPaths.cpp:
        * parser/NodeConstructors.h:
        * parser/Nodes.cpp:
        * parser/Nodes.h:
        * parser/Parser.cpp:
        * parser/Parser.h:
        * parser/ParserTokens.h:
        * parser/SourceProviderCacheItem.h:
        * profiler/ProfilerBytecodeSequence.h:
        * profiler/ProfilerDatabase.cpp:
        * profiler/ProfilerDatabase.h:
        * profiler/ProfilerOrigin.h:
        * profiler/ProfilerOriginStack.h:
        * profiler/ProfilerProfiledBytecodes.h:
        * profiler/ProfilerUID.h:
        * runtime/AbstractModuleRecord.h:
        * runtime/ArrayConstructor.h:
        * runtime/ArrayConventions.h:
        * runtime/ArrayIteratorPrototype.h:
        * runtime/ArrayPrototype.h:
        * runtime/BasicBlockLocation.h:
        * runtime/Butterfly.h:
        * runtime/CallData.cpp:
        * runtime/CodeCache.h:
        * runtime/CommonSlowPaths.cpp:
        * runtime/CommonSlowPaths.h:
        * runtime/CommonSlowPathsExceptions.cpp:
        * runtime/Completion.cpp:
        * runtime/ControlFlowProfiler.h:
        * runtime/DateInstanceCache.h:
        * runtime/ErrorConstructor.h:
757         * runtime/ErrorInstance.h:
758         * runtime/ExceptionHelpers.cpp:
759         * runtime/ExceptionHelpers.h:
760         * runtime/ExecutableBase.h:
761         * runtime/FunctionExecutable.h:
762         * runtime/HasOwnPropertyCache.h:
763         * runtime/Identifier.h:
764         * runtime/InternalFunction.h:
765         * runtime/IntlCollator.cpp:
766         * runtime/IntlCollatorPrototype.h:
767         * runtime/IntlDateTimeFormatPrototype.h:
768         * runtime/IntlNumberFormat.cpp:
769         * runtime/IntlNumberFormatPrototype.h:
770         * runtime/IteratorOperations.cpp:
771         * runtime/JSArray.h:
772         * runtime/JSArrayBufferPrototype.h:
773         * runtime/JSCJSValue.h:
774         * runtime/JSCJSValueInlines.h:
775         * runtime/JSCell.h:
776         * runtime/JSFunction.cpp:
777         * runtime/JSFunction.h:
778         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
779         * runtime/JSGlobalObject.cpp:
780         * runtime/JSGlobalObject.h:
781         * runtime/JSGlobalObjectDebuggable.cpp:
782         * runtime/JSGlobalObjectDebuggable.h:
783         * runtime/JSGlobalObjectFunctions.cpp:
784         * runtime/JSGlobalObjectFunctions.h:
785         * runtime/JSJob.cpp:
786         * runtime/JSLock.h:
787         * runtime/JSModuleLoader.cpp:
788         * runtime/JSModuleNamespaceObject.h:
789         * runtime/JSModuleRecord.h:
790         * runtime/JSObject.cpp:
791         * runtime/JSObject.h:
792         * runtime/JSRunLoopTimer.h:
793         * runtime/JSTemplateRegistryKey.h:
794         * runtime/JSTypedArrayPrototypes.cpp:
795         * runtime/JSTypedArrayPrototypes.h:
796         * runtime/JSTypedArrays.h:
797         * runtime/LiteralParser.h:
798         * runtime/MatchResult.h:
799         * runtime/MemoryStatistics.h:
800         * runtime/PrivateName.h:
801         * runtime/PromiseDeferredTimer.h:
802         * runtime/ProxyObject.h:
803         * runtime/RegExp.h:
804         * runtime/SamplingProfiler.cpp:
805         * runtime/SmallStrings.h:
806         * runtime/StringPrototype.cpp:
807         * runtime/StringRecursionChecker.h:
808         * runtime/Structure.h:
809         * runtime/SymbolConstructor.h:
810         * runtime/SymbolPrototype.cpp:
811         * runtime/SymbolPrototype.h:
812         * runtime/TypeProfiler.h:
813         * runtime/TypeProfilerLog.h:
814         * runtime/TypedArrayType.h:
815         * runtime/VM.cpp:
816         * runtime/VM.h:
817         * runtime/VMEntryScope.h:
818         * runtime/WeakMapData.h:
819         * runtime/WriteBarrier.h:
820         * tools/FunctionOverrides.cpp:
821         * tools/FunctionOverrides.h:
822         * wasm/WasmBinding.cpp:
823         * wasm/js/JSWebAssemblyCodeBlock.h:
824         * wasm/js/WebAssemblyPrototype.cpp:
825         * yarr/Yarr.h:
826         * yarr/YarrJIT.cpp:
827         * yarr/YarrJIT.h:
828         * yarr/YarrParser.h:
829
830 2017-06-24  Yusuke Suzuki  <utatane.tea@gmail.com>
831
832         [JSC] Clean up Object.entries implementation
833         https://bugs.webkit.org/show_bug.cgi?id=173759
834
835         Reviewed by Sam Weinig.
836
837         This patch cleans up Object.entries implementation.
838         We drop unused private functions. And we merge the
839         implementation into Object.entries.
840
841         It slightly speeds up Object.entries speed.
842
843                                      baseline                  patched
844
845             object-entries      148.0101+-5.6627          142.1877+-4.8661          might be 1.0409x faster
846
847
848         * builtins/BuiltinNames.h:
849         * builtins/ObjectConstructor.js:
850         (entries):
851         (globalPrivate.enumerableOwnProperties): Deleted.
852         * runtime/JSGlobalObject.cpp:
853         (JSC::JSGlobalObject::init):
854         * runtime/ObjectConstructor.cpp:
855         (JSC::ownEnumerablePropertyKeys): Deleted.
856         * runtime/ObjectConstructor.h:
857
858 2017-06-24  Joseph Pecoraro  <pecoraro@apple.com>
859
860         Remove Reflect.enumerate
861         https://bugs.webkit.org/show_bug.cgi?id=173806
862
863         Reviewed by Yusuke Suzuki.
864
865         * CMakeLists.txt:
866         * JavaScriptCore.xcodeproj/project.pbxproj:
867         * inspector/JSInjectedScriptHost.cpp:
868         (Inspector::JSInjectedScriptHost::subtype):
869         (Inspector::JSInjectedScriptHost::getInternalProperties):
870         (Inspector::JSInjectedScriptHost::iteratorEntries):
871         * runtime/JSGlobalObject.cpp:
872         (JSC::JSGlobalObject::init):
873         (JSC::JSGlobalObject::visitChildren):
874         * runtime/JSPropertyNameIterator.cpp: Removed.
875         * runtime/JSPropertyNameIterator.h: Removed.
876         * runtime/ReflectObject.cpp:
877         (JSC::reflectObjectEnumerate): Deleted.
878
879 2017-06-23  Keith Miller  <keith_miller@apple.com>
880
881         Switch VMTraps to use halt instructions rather than breakpoint instructions
882         https://bugs.webkit.org/show_bug.cgi?id=173677
883         <rdar://problem/32178892>
884
885         Reviewed by JF Bastien.
886
887         Using the breakpoint instruction for VMTraps caused issues with lldb.
888         Since we only need some way to stop execution we can, in theory, use
889         any exceptioning instruction we want. I went with the halt instruction
890         on X86 since that is the only one byte instruction that does not
891         breakpoint (in my tests both 0xf1 and 0xd6 produced EXC_BREAKPOINT).
892         On ARM we use the data cache clearing instruction with the zero register,
893         which triggers a segmentation fault.
894
895         Also, update the platform code to only use signaling VMTraps
896         where we have an appropriate instruction (x86 and ARM64).
897
898         * API/tests/ExecutionTimeLimitTest.cpp:
899         (testExecutionTimeLimit):
900         * assembler/ARM64Assembler.h:
901         (JSC::ARM64Assembler::replaceWithVMHalt):
902         (JSC::ARM64Assembler::dataCacheZeroVirtualAddress):
903         (JSC::ARM64Assembler::replaceWithBkpt): Deleted.
904         * assembler/ARMAssembler.h:
905         (JSC::ARMAssembler::replaceWithBkpt): Deleted.
906         * assembler/ARMv7Assembler.h:
907         (JSC::ARMv7Assembler::replaceWithBkpt): Deleted.
908         * assembler/MIPSAssembler.h:
909         (JSC::MIPSAssembler::replaceWithBkpt): Deleted.
910         * assembler/MacroAssemblerARM.h:
911         (JSC::MacroAssemblerARM::replaceWithBreakpoint): Deleted.
912         * assembler/MacroAssemblerARM64.h:
913         (JSC::MacroAssemblerARM64::replaceWithVMHalt):
914         (JSC::MacroAssemblerARM64::replaceWithBreakpoint): Deleted.
915         * assembler/MacroAssemblerARMv7.h:
916         (JSC::MacroAssemblerARMv7::storeFence):
917         (JSC::MacroAssemblerARMv7::replaceWithBreakpoint): Deleted.
918         * assembler/MacroAssemblerMIPS.h:
919         (JSC::MacroAssemblerMIPS::replaceWithBreakpoint): Deleted.
920         * assembler/MacroAssemblerX86Common.h:
921         (JSC::MacroAssemblerX86Common::replaceWithVMHalt):
922         (JSC::MacroAssemblerX86Common::replaceWithBreakpoint): Deleted.
923         * assembler/X86Assembler.h:
924         (JSC::X86Assembler::replaceWithHlt):
925         (JSC::X86Assembler::replaceWithInt3): Deleted.
926         * dfg/DFGJumpReplacement.cpp:
927         (JSC::DFG::JumpReplacement::installVMTrapBreakpoint):
928         * runtime/VMTraps.cpp:
929         (JSC::SignalContext::SignalContext):
930         (JSC::installSignalHandler):
931         (JSC::SignalContext::adjustPCToPointToTrappingInstruction): Deleted.
932         * wasm/WasmFaultSignalHandler.cpp:
933         (JSC::Wasm::enableFastMemory):
934
935 2017-06-22  Saam Barati  <sbarati@apple.com>
936
937         The lowering of Identity in the DFG backend needs to use ManualOperandSpeculation
938         https://bugs.webkit.org/show_bug.cgi?id=173743
939         <rdar://problem/32932536>
940
941         Reviewed by Mark Lam.
942
943         The code always manually speculates, however, we weren't specifying
944         ManualOperandSpeculation when creating a JSValueOperand. This would
945         fire an assertion in JSValueOperand construction for a node like:
946         Identity(String:@otherNode)
947         
948         I spent about 45 minutes trying to craft a test and came up
949         empty. However, this fixes a debug assertion on an internal
950         Apple website.
951
952         * dfg/DFGSpeculativeJIT32_64.cpp:
953         (JSC::DFG::SpeculativeJIT::compile):
954         * dfg/DFGSpeculativeJIT64.cpp:
955         (JSC::DFG::SpeculativeJIT::compile):
956
957 2017-06-22  Saam Barati  <sbarati@apple.com>
958
959         ValueRep(DoubleRep(@v)) can not simply convert to @v
960         https://bugs.webkit.org/show_bug.cgi?id=173687
961         <rdar://problem/32855563>
962
963         Reviewed by Mark Lam.
964
965         Consider this IR:
966          block#x
967           p: Phi() // int32 and double flows into this phi from various control flow
968           d: DoubleRep(@p)
969           some uses of @d here
970           v: ValueRep(DoubleRepUse:@d)
971           a: NewArrayWithSize(Int32:@v)
972           some more nodes here ...
973         
974         Because the flow of ValueRep(DoubleRep(@p)) will not produce an Int32,
975         AI proves that the Int32 check will fail. Constant folding phase removes
976         all nodes after @a and inserts an Unreachable after the NewArrayWithSize node.
977         
978         The IR then looks like this:
979         block#x
980           p: Phi() // int32 and double flows into this phi from various control flow
981           d: DoubleRep(@p)
982           some uses of @d here
983           v: ValueRep(DoubleRepUse:@d)
984           a: NewArrayWithSize(Int32:@v)
985           Unreachable
986         
987         However, there was a strength reduction rule that tries eliminate redundant
988         conversions. It used to convert the program to:
989         block#x
990           p: Phi() // int32 and double flows into this phi from various control flow
991           d: DoubleRep(@p)
992           some uses of @d here
993           a: NewArrayWithSize(Int32:@p)
994           Unreachable
995         
996         However, at runtime, @p will actually be an Int32, so @a will not OSR exit,
997         and we'll crash. This patch removes this strength reduction rule since it
998         does not maintain what would have happened if we executed the program before
999         the rule.
1000         
1001         This rule is also wrong for other types of programs (I'm not sure we'd
1002         actually emit this code, but if such IR were generated, we would previously
1003         optimize it incorrectly):
1004         @a: Constant(JSTrue)
1005         @b: DoubleRep(@a)
1006         @c: ValueRep(@b)
1007         @d: use(@c)
1008         
1009         However, the strength reduction rule would've transformed this into:
1010         @a: Constant(JSTrue)
1011         @d: use(@a)
1012         
1013         And this would be wrong because node @c before the transformation would
1014         have produced the JSValue jsNumber(1.0).
1015         
1016         This patch was neutral in the benchmark run I did.
1017
1018         * dfg/DFGStrengthReductionPhase.cpp:
1019         (JSC::DFG::StrengthReductionPhase::handleNode):
1020
1021 2017-06-22  JF Bastien  <jfbastien@apple.com>
1022
1023         ARM64: doubled executable memory limit from 32MiB to 64MiB
1024         https://bugs.webkit.org/show_bug.cgi?id=173734
1025         <rdar://problem/32932407>
1026
1027         Reviewed by Oliver Hunt.
1028
1029         Some WebAssembly programs stress the amount of memory we have
1030         available, especially when we consider tiering (BBQ never dies,
1031         and is bigger than OMG). Tiering to OMG just piles on more memory,
1032         and we're also competing with JavaScript.
1033
1034         * jit/ExecutableAllocator.h:
1035
1036 2017-06-22  Joseph Pecoraro  <pecoraro@apple.com>
1037
1038         Web Inspector: Pausing with a deep call stack can be very slow, avoid eagerly generating object previews
1039         https://bugs.webkit.org/show_bug.cgi?id=173698
1040
1041         Reviewed by Matt Baker.
1042
1043         When pausing in a deep call stack the majority of the time spent in JavaScriptCore
1044         when preparing Inspector pause information is spent generating object previews for
1045         the `thisObject` of each of the call frames. In some cases, this could be more
1046         than 95% of the time generating pause information. In the common case, only one of
1047         these (the top frame) will ever be seen by users. This change avoids eagerly
1048         generating object previews up front and lets the frontend request previews if they
1049         are needed.
1050
1051         This introduces the `Runtime.getPreview` protocol command. This can be used to:
1052
1053             - Get a preview for a RemoteObject that did not have a preview but could.
1054             - Update a preview for a RemoteObject that had a preview.
1055
1056         This patch only uses it for the first case, but the second is valid and may be
1057         something we want to do in the future.
1058
1059         * inspector/protocol/Runtime.json:
1060         A new command to get an up to date preview for an object.
1061
1062         * inspector/InjectedScript.h:
1063         * inspector/InjectedScript.cpp:
1064         (Inspector::InjectedScript::getPreview):
1065         * inspector/agents/InspectorRuntimeAgent.cpp:
1066         (Inspector::InspectorRuntimeAgent::getPreview):
1067         * inspector/agents/InspectorRuntimeAgent.h:
1068         Plumbing for the new command.
1069
1070         * inspector/InjectedScriptSource.js:
1071         (InjectedScript.prototype.getPreview):
1072         Implementation just uses the existing helper.
1073
1074         (InjectedScript.CallFrameProxy):
1075         Do not generate a preview for the this object as it may not be shown.
1076         Let the frontend request a preview if it wants or needs one.
1077
1078 2017-06-22  Joseph Pecoraro  <pecoraro@apple.com>
1079
1080         Web Inspector: Remove stale "rawScopes" concept that was never available in JSC
1081         https://bugs.webkit.org/show_bug.cgi?id=173686
1082
1083         Reviewed by Mark Lam.
1084
1085         * inspector/InjectedScript.cpp:
1086         (Inspector::InjectedScript::functionDetails):
1087         * inspector/InjectedScriptSource.js:
1088         (InjectedScript.prototype.functionDetails):
1089         * inspector/JSInjectedScriptHost.cpp:
1090         (Inspector::JSInjectedScriptHost::functionDetails):
1091
1092 2017-06-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1093
1094         [JSC] Object.values should be implemented in C++
1095         https://bugs.webkit.org/show_bug.cgi?id=173703
1096
1097         Reviewed by Sam Weinig.
1098
1099         As with Object.assign, Object.values() is also inherently polymorphic.
1100         And allocating JSString / Symbol for Identifier and JSArray for Object.keys()
1101         result is costly.
1102
1103         In this patch, we implement Object.values() in C++. It can avoid the above allocations.
1104         Furthermore, by using `slot.isTaintedByOpaqueObject()` information, we can skip
1105         non-observable JSObject::get() calls.
1106
1107         This improves performance by 2.49x. And also now Object.values() beats
1108         Object.keys(object).map(key => object[key]) implementation.
1109
1110                                              baseline                  patched
1111
1112             object-values               132.1551+-3.7209     ^     53.1254+-1.6139        ^ definitely 2.4876x faster
1113             object-keys-map-values       78.2008+-2.1378     ?     78.9078+-2.2121        ?
1114
1115         * builtins/ObjectConstructor.js:
1116         (values): Deleted.
1117         * runtime/ObjectConstructor.cpp:
1118         (JSC::objectConstructorValues):
1119
1120 2017-06-21  Saam Barati  <sbarati@apple.com>
1121
1122         ArrayPrototype.map builtin declares a var it does not use
1123         https://bugs.webkit.org/show_bug.cgi?id=173685
1124
1125         Reviewed by Keith Miller.
1126
1127         * builtins/ArrayPrototype.js:
1128         (map):
1129
1130 2017-06-21  Saam Barati  <sbarati@apple.com>
1131
1132         eval virtual call is incorrect in the baseline JIT
1133         https://bugs.webkit.org/show_bug.cgi?id=173587
1134         <rdar://problem/32867897>
1135
1136         Reviewed by Michael Saboff.
1137
1138         When making a virtual call for call_eval, e.g., when the thing
1139         we're calling isn't actually eval, we end up calling the caller
1140         instead of the callee. This is clearly wrong. The code ends up
1141         issuing a load for the Callee in the caller's frame instead of
1142         the callee we're calling. The fix is simple, we just need to
1143         load the real callee. Only the 32-bit baseline JIT had this bug.
1144
1145         * jit/JITCall32_64.cpp:
1146         (JSC::JIT::compileCallEvalSlowCase):
1147
1148 2017-06-21  Joseph Pecoraro  <pecoraro@apple.com>
1149
1150         Web Inspector: Using "break on all exceptions" when throwing stack overflow hangs inspector
1151         https://bugs.webkit.org/show_bug.cgi?id=172432
1152         <rdar://problem/29870873>
1153
1154         Reviewed by Saam Barati.
1155
1156         Avoid pausing on StackOverflow and OutOfMemory errors to avoid a hang.
1157         We will proceed to improve debugging of these cases in the follow-up bugs.
1158
1159         * debugger/Debugger.cpp:
1160         (JSC::Debugger::exception):
1161         Ignore pausing on these errors.
1162
1163         * runtime/ErrorInstance.h:
1164         (JSC::ErrorInstance::setStackOverflowError):
1165         (JSC::ErrorInstance::isStackOverflowError):
1166         (JSC::ErrorInstance::setOutOfMemoryError):
1167         (JSC::ErrorInstance::isOutOfMemoryError):
1168         * runtime/ExceptionHelpers.cpp:
1169         (JSC::createStackOverflowError):
1170         * runtime/Error.cpp:
1171         (JSC::createOutOfMemoryError):
1172         Mark these kinds of errors.
1173
1174 2017-06-21  Saam Barati  <sbarati@apple.com>
1175
1176         Make it clear that regenerating ICs are holding the CodeBlock's lock by passing the locker as a parameter
1177         https://bugs.webkit.org/show_bug.cgi?id=173609
1178
1179         Reviewed by Keith Miller.
1180
1181         This patch makes many of the IC generating functions require a locker as
1182         a parameter. We do this in other places in JSC to indicate that
1183         a particular API is only valid while a particular lock is held.
1184         This is the case when generating ICs. This patch just makes it
1185         explicit in the IC generating interface.
1186
1187         * bytecode/PolymorphicAccess.cpp:
1188         (JSC::PolymorphicAccess::addCases):
1189         (JSC::PolymorphicAccess::addCase):
1190         (JSC::PolymorphicAccess::commit):
1191         (JSC::PolymorphicAccess::regenerate):
1192         * bytecode/PolymorphicAccess.h:
1193         * bytecode/StructureStubInfo.cpp:
1194         (JSC::StructureStubInfo::addAccessCase):
1195         (JSC::StructureStubInfo::initStub): Deleted.
1196         * bytecode/StructureStubInfo.h:
1197         * jit/Repatch.cpp:
1198         (JSC::tryCacheGetByID):
1199         (JSC::repatchGetByID):
1200         (JSC::tryCachePutByID):
1201         (JSC::repatchPutByID):
1202         (JSC::tryRepatchIn):
1203         (JSC::repatchIn):
1204
1205 2017-06-20  Myles C. Maxfield  <mmaxfield@apple.com>
1206
1207         Disable font variations on macOS Sierra and iOS 10
1208         https://bugs.webkit.org/show_bug.cgi?id=173618
1209         <rdar://problem/32879164>
1210
1211         Reviewed by Jon Lee.
1212
1213         * Configurations/FeatureDefines.xcconfig:
1214
1215 2017-06-20  Keith Miller  <keith_miller@apple.com>
1216
1217         Fix leak of ModuleInformations in BBQPlan constructors.
1218         https://bugs.webkit.org/show_bug.cgi?id=173577
1219
1220         Reviewed by Saam Barati.
1221
1222         This patch fixes a leak in the BBQPlan constructors. Previously,
1223         the plans were calling makeRef on the newly constructed objects.
1224         This patch fixes the issue and uses adoptRef instead. Additionally,
1225         an old, incorrect, attempt to fix the leak is removed.
1226
1227         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
1228         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
1229         * jit/JITWorklist.cpp:
1230         (JSC::JITWorklist::Thread::Thread):
1231         * runtime/PromiseDeferredTimer.cpp:
1232         (JSC::PromiseDeferredTimer::addPendingPromise):
1233         * runtime/VM.cpp:
1234         (JSC::VM::VM):
1235         * wasm/WasmBBQPlan.cpp:
1236         (JSC::Wasm::BBQPlan::BBQPlan):
1237         * wasm/WasmPlan.cpp:
1238         (JSC::Wasm::Plan::Plan):
1239
1240 2017-06-20  Devin Rousso  <drousso@apple.com>
1241
1242         Web Inspector: Send context attributes for tracked canvases
1243         https://bugs.webkit.org/show_bug.cgi?id=173327
1244
1245         Reviewed by Joseph Pecoraro.
1246
1247         * inspector/protocol/Canvas.json:
1248         Add ContextAttributes object type that is optionally used for WebGL canvases.
1249
1250 2017-06-20  Konstantin Tokarev  <annulen@yandex.ru>
1251
1252         Remove excessive include directives from WTF
1253         https://bugs.webkit.org/show_bug.cgi?id=173553
1254
1255         Reviewed by Saam Barati.
1256
1257         * profiler/ProfilerDatabase.cpp: Added missing include directive.
1258         * runtime/SamplingProfiler.cpp: Ditto.
1259
1260 2017-06-20  Oleksandr Skachkov  <gskachkov@gmail.com>
1261
1262         Revert changes in bug#160417 about extending `null` not being a derived class
1263         https://bugs.webkit.org/show_bug.cgi?id=169293
1264
1265         Reviewed by Saam Barati.
1266
1267         Reverted changes in bug#160417 about extending `null` not being a derived class
1268         according to changes in spec:
1269         https://github.com/tc39/ecma262/commit/c57ef95c45a371f9c9485bb1c3881dbdc04524a2
1270
1271         * builtins/BuiltinNames.h:
1272         * bytecompiler/BytecodeGenerator.cpp:
1273         (JSC::BytecodeGenerator::BytecodeGenerator):
1274         (JSC::BytecodeGenerator::emitReturn):
1275         * bytecompiler/NodesCodegen.cpp:
1276         (JSC::ClassExprNode::emitBytecode):
1277
1278 2017-06-20  Saam Barati  <sbarati@apple.com>
1279
1280         repatchIn needs to lock the CodeBlock's lock
1281         https://bugs.webkit.org/show_bug.cgi?id=173573
1282
1283         Reviewed by Yusuke Suzuki.
1284
1285         CodeBlock::propagateTransitions and CodeBlock::visitWeakly grab the CodeBlock's
1286         lock before modifying the StructureStubInfo/PolymorphicAccess. When regenerating
1287         an IC, we must hold the CodeBlock's lock to prevent the executing thread from racing
1288         with the marking thread. repatchIn was not grabbing the lock. I haven't been
1289         able to get it to crash, but this is needed for the same reasons that get and put IC
1290         regeneration grab the lock.
1291
1292         * jit/Repatch.cpp:
1293         (JSC::repatchIn):
1294
1295 2017-06-19  Devin Rousso  <drousso@apple.com>
1296
1297         Web Inspector: create canvas content view and details sidebar panel
1298         https://bugs.webkit.org/show_bug.cgi?id=138941
1299         <rdar://problem/19051672>
1300
1301         Reviewed by Joseph Pecoraro.
1302
1303         * inspector/protocol/Canvas.json:
1304          - Add an optional `nodeId` attribute to the `Canvas` type.
1305          - Add `requestNode` command for getting the node id of the backing canvas element.
1306          - Add `requestContent` command for getting the current image content of the canvas.
1307
1308 2017-06-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1309
1310         Unreviewed, build fix for ARM
1311
1312         * assembler/MacroAssemblerARM.h:
1313         (JSC::MacroAssemblerARM::internalCompare32):
1314
1315 2017-06-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1316
1317         [DFG] More ArrayIndexOf fixups for various types
1318         https://bugs.webkit.org/show_bug.cgi?id=173176
1319
1320         Reviewed by Saam Barati.
1321
1322         This patch further expands coverage of ArrayIndexOf optimization in DFG and FTL.
1323
1324         1. We attempt to fold ArrayIndexOf to constant (-1) if we know that its array
1325         never contains the given search value.
1326
1327         2. We support Symbol and Other specialization additionally. In particular, Other is
1328         useful because null/undefined can be used as a sentinel value.
1329
1330         One interesting thing is that Array.prototype.indexOf does not treat holes as
1331         undefined values. Thus,
1332
1333             var array = [,,,,,,,];
1334             array.indexOf(undefined); // => -1
1335
1336         This can be trivially achieved in JSC because Empty and Undefined are different values.
1337
1338         * dfg/DFGFixupPhase.cpp:
1339         (JSC::DFG::FixupPhase::fixupNode):
1340         (JSC::DFG::FixupPhase::fixupArrayIndexOf):
1341         * dfg/DFGSpeculativeJIT.cpp:
1342         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
1343         (JSC::DFG::SpeculativeJIT::speculateOther):
1344         * dfg/DFGSpeculativeJIT.h:
1345         * ftl/FTLLowerDFGToB3.cpp:
1346         (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf):
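The hole-versus-undefined distinction above, as an added example that is not part of the ChangeLog entry or JavaScriptCore's code: a spec-shaped indexOf shows that the HasProperty step is what makes a hole invisible, and `Array.prototype.includes` is shown alongside because it does not skip holes. The sparse arrays are constructed for the example.

```javascript
'use strict';

// Added example, not JavaScriptCore code: holes versus explicit undefined in
// Array.prototype.indexOf. The spec's HasProperty step is what makes a hole
// invisible to indexOf, while Array.prototype.includes reads the element and
// therefore does see holes as undefined.

// A simplified, spec-shaped indexOf (non-negative fromIndex only, which is
// the common case): "k in array" is the HasProperty check that skips holes.
function specIndexOf(array, searchElement, fromIndex = 0) {
  const len = array.length;
  for (let k = fromIndex; k < len; k++) {
    if (k in array && array[k] === searchElement) return k;
  }
  return -1;
}

// Indices that are holes: counted by length but absent as own properties.
function holeIndices(array) {
  const holes = [];
  for (let k = 0; k < array.length; k++) {
    if (!(k in array)) holes.push(k);
  }
  return holes;
}

// Compares the built-ins and the model on one array.
function report(array) {
  return {
    holes: holeIndices(array),
    indexOf: array.indexOf(undefined),
    specIndexOf: specIndexOf(array, undefined),
    includes: array.includes(undefined),
  };
}

const HOLES_ONLY = [, , , , , , ,]; // constructed: length 7, every slot a hole
const MIXED = [, undefined, , 'x']; // constructed: hole, explicit undefined, hole, value

console.log(report(HOLES_ONLY)); // indexOf -1, includes true
console.log(report(MIXED)); // indexOf 1 (the explicit undefined), holes [0, 2]
```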
1347
1348 2017-06-19  Caio Lima  <ticaiolima@gmail.com>
1349
1350         [ARMv6][DFG] ARM MacroAssembler is always emitting cmn when immediate is 0
1351         https://bugs.webkit.org/show_bug.cgi?id=172972
1352
1353         Reviewed by Mark Lam.
1354
1355         We are changing the internalCompare32 implementation in the ARM
1356         MacroAssembler to emit "cmp" when the "right.value" is 0.
1357         It generates wrong comparison cases, since the
1358         semantics of cmn are the opposite of cmp[1]. One case that it breaks is
1359         "branch32(MacroAssembler::Above, gpr, TrustedImm32(0))", which ends
1360         up producing the following assembly code:
1361
1362         ```
1363         cmn $r0, #0
1364         bhi <address>
1365         ```
1366
1367         However, as cmn is similar to "adds", it will never take the branch
1368         when $r0 > 0. In that case, the correct opcode is "cmp". With this
1369         patch we will fix the currently broken tests that use
1370         "branch32(MacroAssembler::Above, gpr, TrustedImm32(0))",
1371         such as ForwardVarargs, Spread and GetRestLength.
1372
1373         [1] - http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0204j/Cihiddid.html
1374
1375         * assembler/MacroAssemblerARM.h:
1376         (JSC::MacroAssemblerARM::internalCompare32):
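To make the cmn/cmp difference concrete, here is an added example (not JavaScriptCore code) that models the ARM NZCV flags of both instructions and evaluates the `hi` condition for each, using constructed register values.

```javascript
'use strict';

// Added example, not JavaScriptCore code: a small model of the ARM NZCV
// flags produced by "cmp" (subtract) and "cmn" (add) so that the "hi"
// condition can be evaluated for both sequences described above.

// Flags for "cmp a, b" (computes a - b and discards the result).
function cmpFlags(a, b) {
  a >>>= 0;
  b >>>= 0;
  const result = (a - b) >>> 0;
  return {
    n: (result >>> 31) === 1,
    z: result === 0,
    c: a >= b, // C is set when no borrow occurred
    v: (((a ^ b) & (a ^ result)) >>> 31) === 1, // signed overflow
  };
}

// Flags for "cmn a, b" (computes a + b and discards the result).
function cmnFlags(a, b) {
  a >>>= 0;
  b >>>= 0;
  const sum = a + b; // exact: at most 2^33 - 2, well within a double
  const result = sum >>> 0; // ToUint32 reduces modulo 2^32
  return {
    n: (result >>> 31) === 1,
    z: result === 0,
    c: sum > 0xffffffff, // C is set only when the addition carries out
    v: ((~(a ^ b) & (a ^ result)) >>> 31) === 1,
  };
}

// "hi" (unsigned higher) is taken when C is set and Z is clear.
function hiTaken(flags) {
  return flags.c && !flags.z;
}

// The sequence the old internalCompare32 emitted: cmn r0, #0 ; bhi.
// Adding zero can never carry out, so C stays clear and bhi never branches.
function buggyBranchAboveZero(r0) {
  return hiTaken(cmnFlags(r0, 0));
}

// The corrected sequence: cmp r0, #0 ; bhi.
function fixedBranchAboveZero(r0) {
  return hiTaken(cmpFlags(r0, 0));
}

// What branch32(MacroAssembler::Above, gpr, TrustedImm32(0)) means:
// an unsigned comparison gpr > 0.
function expectedBranchAboveZero(r0) {
  return (r0 >>> 0) > 0;
}

// Constructed sample register values: zero, small, sign bit, all ones.
const SAMPLE_VALUES = [0, 1, 0x7fffffff, 0x80000000, 0xffffffff];

// Values for which the given sequence disagrees with the intended semantics.
function mismatches(sequence) {
  return SAMPLE_VALUES.filter((r0) => sequence(r0) !== expectedBranchAboveZero(r0));
}

console.log('cmn r0, #0 ; bhi wrong for:', mismatches(buggyBranchAboveZero).map((v) => '0x' + v.toString(16)));
console.log('cmp r0, #0 ; bhi wrong for:', mismatches(fixedBranchAboveZero));
```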
1377
1378 2017-06-19  Joseph Pecoraro  <pecoraro@apple.com>
1379
1380         test262: Completion values for control flow do not match the spec
1381         https://bugs.webkit.org/show_bug.cgi?id=171265
1382
1383         Reviewed by Saam Barati.
1384
1385         * bytecompiler/BytecodeGenerator.h:
1386         (JSC::BytecodeGenerator::shouldBeConcernedWithCompletionValue):
1387         When we care about having proper completion values (global code
1388         in programs, modules, and eval) insert undefined results for
1389         control flow statements.
1390
1391         * bytecompiler/NodesCodegen.cpp:
1392         (JSC::SourceElements::emitBytecode):
1393         Reduce writing a default `undefined` value to the completion result to
1394         only once before the last statement we know will produce a value.
1395
1396         (JSC::IfElseNode::emitBytecode):
1397         (JSC::WithNode::emitBytecode):
1398         (JSC::WhileNode::emitBytecode):
1399         (JSC::ForNode::emitBytecode):
1400         (JSC::ForInNode::emitBytecode):
1401         (JSC::ForOfNode::emitBytecode):
1402         (JSC::SwitchNode::emitBytecode):
1403         Insert an undefined to handle cases where code may break out of an
1404         if/else or with statement (break/continue).
1405
1406         (JSC::TryNode::emitBytecode):
1407         Same handling for break cases. Also, finally block statement completion
1408         values are always ignored for the try statement result.
1409
1410         (JSC::ClassDeclNode::emitBytecode):
1411         Class declarations, like function declarations, produce an empty result.
1412
1413         * parser/Nodes.cpp:
1414         (JSC::SourceElements::lastStatement):
1415         (JSC::SourceElements::hasCompletionValue):
1416         (JSC::SourceElements::hasEarlyBreakOrContinue):
1417         (JSC::BlockNode::lastStatement):
1418         (JSC::BlockNode::singleStatement):
1419         (JSC::BlockNode::hasCompletionValue):
1420         (JSC::BlockNode::hasEarlyBreakOrContinue):
1421         (JSC::ScopeNode::singleStatement):
1422         (JSC::ScopeNode::hasCompletionValue):
1423         (JSC::ScopeNode::hasEarlyBreakOrContinue):
1424         The only non-trivial cases need to loop through their list of statements
1425         to determine if this has a completion value or not. Likewise for
1426         determining if there is an early break / continue, meaning a break or
1427         continue statement with no preceding statement that has a completion value.
1428
1429         * parser/Nodes.h:
1430         (JSC::StatementNode::next):
1431         (JSC::StatementNode::hasCompletionValue):
1432         Helper to check if a statement node produces a completion value or not.
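The completion-value rules this entry implements can be observed from script through `eval()`, which returns the completion value of the code it evaluates. The following is an added example, not part of the ChangeLog entry or JavaScriptCore's code; the snippets and their expected values are constructed from the ECMAScript statement semantics the entry refers to.

```javascript
'use strict';

// Added example, not JavaScriptCore code: observing statement completion
// values through eval(). Direct eval inside a function gives each call a
// fresh scope, so declarations in one snippet do not leak into the next.
function completionValue(source) {
  return eval(source); // direct eval, evaluated as eval code
}

// Constructed cases. Control-flow statements complete with undefined when
// nothing else produced a value, declarations and empty blocks complete
// with "empty" (so the previous value survives), and the finally block's
// value never becomes the try statement's value.
const CASES = [
  ['1; if (false) {}', undefined], // untaken if: undefined, not 1
  ['1; if (true) { 2 }', 2],
  ['1; while (false) {}', undefined], // loop body never ran: undefined
  ['1; {}', 1], // empty block is "empty": previous value kept
  ['1; class C {}', 1], // class declarations are "empty", like functions
  ['1; function f() {}', 1],
  ['1; try { 2 } finally { 3 }', 2], // finally value ignored
  ['1; try { throw 0 } catch (e) { 3 } finally { 4 }', 3],
];

// Runs every case and returns the sources whose observed value differs
// from the expectation, so an engine deviation shows up as a non-empty list.
function deviations() {
  return CASES.filter(([source, expected]) => completionValue(source) !== expected)
    .map(([source]) => source);
}

const found = deviations();
console.log(found.length === 0 ? 'all completion values as expected' : found);
```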
1433
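        The completion-value rules the emitBytecode changes above implement, observed from JavaScript through eval. This is an added example, not code from JSC or WebKit; the scripts in COMPLETION_CASES are constructed here and the expected values follow the ECMAScript statement-evaluation algorithms.

```javascript
// Added example, not code from JSC or WebKit: ECMAScript completion values
// as reported by eval(). An indirect eval is used so every snippet runs as
// sloppy-mode global code no matter how this file itself is loaded.
const indirectEval = eval;

// Returns the completion value of a script, i.e. what eval() yields for it.
function completionValue(script) {
  return indirectEval(script);
}

// Constructed cases: [script, expected completion value].
// - if/while/for/switch complete with undefined when their body completes
//   "empty", not with the value of the preceding statement;
// - a break carries the value of the last statement before it, but a break
//   nested inside an if carries undefined (the case that needs an explicit
//   undefined written before the inner statement);
// - finally never contributes its own value to the try statement;
// - class and function declarations complete "empty", so the earlier
//   statement's value survives.
const COMPLETION_CASES = [
  ["1; if (true) {}", undefined],
  ["1; if (true) { 2 }", 2],
  ["1; while (false);", undefined],
  ["1; for (;;) { break; }", undefined],
  ["1; do { 2; break; } while (false)", 2],
  ["1; do { 2; if (true) break; } while (false)", undefined],
  ["1; switch (0) {}", undefined],
  ["1; try { 2 } finally { 3 }", 2],
  ["1; try {} finally { 3 }", undefined],
  ["1; class A {}", 1],
  ["1; function f() {}", 1],
];

// Runs every case and returns the scripts whose completion value differs
// from the spec's; an empty array means the engine agrees on all of them.
function mismatchedCompletionCases() {
  return COMPLETION_CASES
    .filter(([script, expected]) => !Object.is(completionValue(script), expected))
    .map(([script]) => script);
}
```
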
1434 2017-06-19  Adrian Perez de Castro  <aperez@igalia.com>
1435
1436         Missing <functional> includes make builds fail with GCC 7.x
1437         https://bugs.webkit.org/show_bug.cgi?id=173544
1438
1439         Unreviewed gardening.
1440
1441         Fix compilation with GCC 7.
1442
1443         * API/tests/CompareAndSwapTest.cpp:
1444         * runtime/VMEntryScope.h:
1445
1446 2017-06-17  Keith Miller  <keith_miller@apple.com>
1447
1448         ArrayBuffer constructor needs to create subclass structures before its buffer
1449         https://bugs.webkit.org/show_bug.cgi?id=173510
1450
1451         Reviewed by Yusuke Suzuki.
1452
1453         * runtime/JSArrayBufferConstructor.cpp:
1454         (JSC::constructArrayBuffer):
1455
1456 2017-06-17  Keith Miller  <keith_miller@apple.com>
1457
1458         ArrayPrototype methods should use JSValue::toLength for non-Arrays.
1459         https://bugs.webkit.org/show_bug.cgi?id=173506
1460
1461         Reviewed by Ryosuke Niwa.
1462
1463         This patch changes the result of unshift if old length +
1464         unshift.arguments.length > (2 ** 53) - 1 to be a type error. Also,
1465         the getLength function, which was always incorrect to use, has
1466         been removed. Additionally, some cases where we were using a
1467         constant for (2 ** 53) - 1 have been replaced with
1468         maxSafeInteger().
1469
1470         * interpreter/Interpreter.cpp:
1471         (JSC::sizeOfVarargs):
1472         * runtime/ArrayPrototype.cpp:
1473         (JSC::arrayProtoFuncToLocaleString):
1474         (JSC::arrayProtoFuncPop):
1475         (JSC::arrayProtoFuncPush):
1476         (JSC::arrayProtoFuncReverse):
1477         (JSC::arrayProtoFuncShift):
1478         (JSC::arrayProtoFuncSlice):
1479         (JSC::arrayProtoFuncSplice):
1480         (JSC::arrayProtoFuncUnShift):
1481         (JSC::arrayProtoFuncIndexOf):
1482         (JSC::arrayProtoFuncLastIndexOf):
1483         * runtime/JSArrayInlines.h:
1484         (JSC::getLength): Deleted.
1485         * runtime/JSCJSValue.cpp:
1486         (JSC::JSValue::toLength):
1487         * runtime/NumberConstructor.cpp:
1488         (JSC::numberConstructorFuncIsSafeInteger):
1489
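        How ToLength shapes Array.prototype methods on non-Array receivers, which is the behaviour this entry makes JSC follow. Added example, not JSC code: toLength is a plain-JavaScript transcription of the spec operation, and the array-like objects are constructed inputs.

```javascript
// Added example, not code from JSC: ToLength and two Array.prototype
// behaviours that depend on it, per ECMAScript.

// ToLength(value): ToIntegerOrInfinity, then clamp to [0, 2^53 - 1].
// This is a transcription of the spec operation, not JSC's JSValue::toLength.
function toLength(value) {
  const n = Number(value);
  if (Number.isNaN(n) || n <= 0) return 0;
  return Math.min(Math.trunc(n), Number.MAX_SAFE_INTEGER);
}

// Array.prototype.pop reads "length" through ToLength, so a negative or
// garbage length is treated as 0, and 0 is written back to the object.
function popFromArrayLike(obj) {
  const popped = Array.prototype.pop.call(obj);
  return { popped, length: obj.length };
}

// Array.prototype.unshift must throw a TypeError when
// len + argCount > 2^53 - 1, before touching any element.
// Returns the error's constructor name, or null if no error was thrown.
function unshiftOverflowError(obj, ...items) {
  try {
    Array.prototype.unshift.call(obj, ...items);
    return null;
  } catch (e) {
    return e.constructor.name;
  }
}

// Constructed array-likes: a bogus negative length, and a length already at
// the maximum safe integer.
const NEGATIVE_LENGTH = { length: -1, 0: "stale" };
const MAX_LENGTH = { length: Number.MAX_SAFE_INTEGER };
```
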
1490 2017-06-16  Matt Baker  <mattbaker@apple.com>
1491
1492         Web Inspector: Instrument 2D/WebGL canvas contexts in the backend
1493         https://bugs.webkit.org/show_bug.cgi?id=172623
1494         <rdar://problem/32415986>
1495
1496         Reviewed by Devin Rousso and Joseph Pecoraro.
1497
1498         This patch adds a basic Canvas protocol. It includes Canvas and related
1499         types and events for monitoring the lifetime of canvases in the page.
1500
1501         * CMakeLists.txt:
1502         * DerivedSources.make:
1503         * inspector/protocol/Canvas.json: Added.
1504
1505         * inspector/scripts/codegen/generator.py:
1506         (Generator.stylized_name_for_enum_value):
1507         Add special handling for Canvas.ContextType protocol enumeration,
1508         so that "canvas-2d" and "webgl" map to `Canvas2D` and `WebGL`.
1509
1510 2017-06-16  Wenson Hsieh  <wenson_hsieh@apple.com>
1511
1512         [iOS DnD] Upstream iOS drag and drop implementation into OpenSource WebKit
1513         https://bugs.webkit.org/show_bug.cgi?id=173366
1514         <rdar://problem/32767014>
1515
1516         Reviewed by Tim Horton.
1517
1518         Introduce ENABLE_DATA_INTERACTION and ENABLE_DRAG_SUPPORT to FeatureDefines.xcconfig.
1519
1520         * Configurations/FeatureDefines.xcconfig:
1521
1522 2017-06-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1523
1524         [JSC] Add fast path for Object.assign
1525         https://bugs.webkit.org/show_bug.cgi?id=173416
1526
1527         Reviewed by Mark Lam.
1528
1529         In the Object.assign implementation, we need to ensure that the given key is still an enumerable own key.
1530         This seems like a duplicate lookup, and we want to avoid it. However, we still need to perform this
1531         check in the face of Proxy. A Proxy can observe that this check is done correctly.
1532
1533         In almost all cases, the above check duplicates the subsequent [[Get]] operation.
1534         In this patch, we still perform this check, but at that time we look at `isTaintedByOpaqueObject()`.
1535         If it is false, we can say that getOwnPropertySlot is pure. In that case, we can just retrieve the
1536         value by calling `slot.getValue()`.
1537
1538         This further improves performance of Object.assign.
1539
1540                                         baseline                  patched
1541
1542             object-assign.es6      363.6706+-6.4381     ^    324.1769+-6.9624        ^ definitely 1.1218x faster
1543
1544         * runtime/ObjectConstructor.cpp:
1545         (JSC::objectConstructorAssign):
1546
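        What a Proxy source can observe while Object.assign runs, which is why the enumerable-own-key check above cannot simply be dropped. Added example, not JSC code: the trace records the trap sequence the ECMAScript algorithm requires, and both source objects are constructed here.

```javascript
// Added example, not code from JSC: the observable steps of Object.assign
// when the source is a Proxy. Per ECMAScript, every key from
// [[OwnPropertyKeys]] is first checked with [[GetOwnProperty]]; only keys
// that still exist and are enumerable get a [[Get]]. An engine that skipped
// or reordered the check would change this trace.
function traceObjectAssign(target) {
  const trace = [];
  const source = new Proxy(target, {
    ownKeys(t) {
      trace.push("ownKeys");
      return Reflect.ownKeys(t);
    },
    getOwnPropertyDescriptor(t, key) {
      trace.push(`getOwnPropertyDescriptor:${String(key)}`);
      return Reflect.getOwnPropertyDescriptor(t, key);
    },
    get(t, key, receiver) {
      trace.push(`get:${String(key)}`);
      return Reflect.get(t, key, receiver);
    },
  });
  const result = Object.assign({}, source);
  return { trace, result };
}

// Constructed source 1: "b" is a non-enumerable own property. It must still
// be checked, but it is never read and never copied.
function plainSource() {
  const o = { a: 1 };
  Object.defineProperty(o, "b", { value: 2, enumerable: false, configurable: true });
  o.c = 3;
  return o;
}

// Constructed source 2: the getter for "a" deletes "c" before "c" is visited
// (this === the proxy, so the delete goes through to the target). When "c"'s
// turn comes it is no longer an own property, so no [[Get]] happens for it.
function selfMutatingSource() {
  return {
    get a() {
      delete this.c;
      return 1;
    },
    c: 3,
  };
}
```
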
1547 2017-06-16  Michael Saboff  <msaboff@apple.com>
1548
1549         Intermittent crash running Internal/Tests/InternalJSTests/Regress/radar-24300617.js
1550         https://bugs.webkit.org/show_bug.cgi?id=173488
1551
1552         Reviewed by Filip Pizlo.
1553
1554         ClonedArguments lazily sets its callee and iterator properties and it used its own inline
1555         code to initialize its butterfly.  This means that these lazily set properties can have
1556         bogus values in those slots.  Instead, let's use the standard Butterfly::tryCreate() method
1557         to create the butterfly as it clears out-of-line properties.
1558
1559         * runtime/ClonedArguments.cpp:
1560         (JSC::ClonedArguments::createEmpty):
1561
1562 2017-06-16  Mark Lam  <mark.lam@apple.com>
1563
1564         Interpreter methods for mapping between Opcode and OpcodeID need not be instance methods.
1565         https://bugs.webkit.org/show_bug.cgi?id=173491
1566
1567         Reviewed by Keith Miller.
1568
1569         The implementations are based on static data. There's no need to get the
1570         interpreter instance. Hence, we can make these methods static and avoid doing
1571         unnecessary work to compute the interpreter this pointer.
1572
1573         Also removed the unused isCallBytecode method.
1574
1575         * bytecode/BytecodeBasicBlock.cpp:
1576         (JSC::BytecodeBasicBlock::computeImpl):
1577         * bytecode/BytecodeDumper.cpp:
1578         (JSC::BytecodeDumper<Block>::printGetByIdOp):
1579         (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
1580         (JSC::BytecodeDumper<Block>::dumpBytecode):
1581         (JSC::BytecodeDumper<Block>::dumpBlock):
1582         * bytecode/BytecodeLivenessAnalysis.cpp:
1583         (JSC::BytecodeLivenessAnalysis::dumpResults):
1584         * bytecode/BytecodeLivenessAnalysisInlines.h:
1585         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::stepOverInstruction):
1586         * bytecode/BytecodeRewriter.cpp:
1587         (JSC::BytecodeRewriter::adjustJumpTargetsInFragment):
1588         * bytecode/CallLinkStatus.cpp:
1589         (JSC::CallLinkStatus::computeFromLLInt):
1590         * bytecode/CodeBlock.cpp:
1591         (JSC::CodeBlock::finishCreation):
1592         (JSC::CodeBlock::propagateTransitions):
1593         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1594         (JSC::CodeBlock::hasOpDebugForLineAndColumn):
1595         (JSC::CodeBlock::usesOpcode):
1596         (JSC::CodeBlock::valueProfileForBytecodeOffset):
1597         (JSC::CodeBlock::arithProfileForPC):
1598         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
1599         * bytecode/PreciseJumpTargets.cpp:
1600         (JSC::getJumpTargetsForBytecodeOffset):
1601         (JSC::computePreciseJumpTargetsInternal):
1602         (JSC::findJumpTargetsForBytecodeOffset):
1603         * bytecode/PreciseJumpTargetsInlines.h:
1604         (JSC::extractStoredJumpTargetsForBytecodeOffset):
1605         * bytecode/UnlinkedCodeBlock.cpp:
1606         (JSC::UnlinkedCodeBlock::applyModification):
1607         * dfg/DFGByteCodeParser.cpp:
1608         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
1609         (JSC::DFG::ByteCodeParser::parseBlock):
1610         * dfg/DFGCapabilities.cpp:
1611         (JSC::DFG::capabilityLevel):
1612         * interpreter/Interpreter.cpp:
1613         (JSC::Interpreter::Interpreter):
1614         (JSC::Interpreter::isOpcode):
1615         (): Deleted.
1616         * interpreter/Interpreter.h:
1617         (JSC::Interpreter::getOpcode): Deleted.
1618         (JSC::Interpreter::getOpcodeID): Deleted.
1619         (JSC::Interpreter::isCallBytecode): Deleted.
1620         * interpreter/InterpreterInlines.h:
1621         (JSC::Interpreter::getOpcode):
1622         (JSC::Interpreter::getOpcodeID):
1623         * jit/JIT.cpp:
1624         (JSC::JIT::privateCompileMainPass):
1625         (JSC::JIT::privateCompileSlowCases):
1626         * jit/JITOpcodes.cpp:
1627         (JSC::JIT::emitNewFuncCommon):
1628         (JSC::JIT::emitNewFuncExprCommon):
1629         * jit/JITPropertyAccess.cpp:
1630         (JSC::JIT::emitSlow_op_put_by_val):
1631         (JSC::JIT::privateCompilePutByVal):
1632         * jit/JITPropertyAccess32_64.cpp:
1633         (JSC::JIT::emitSlow_op_put_by_val):
1634         * llint/LLIntSlowPaths.cpp:
1635         (JSC::LLInt::llint_trace_operand):
1636         (JSC::LLInt::llint_trace_value):
1637         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1638         * profiler/ProfilerBytecodeSequence.cpp:
1639         (JSC::Profiler::BytecodeSequence::BytecodeSequence):
1640
1641 2017-06-16  Matt Lewis  <jlewis3@apple.com>
1642
1643         Unreviewed, rolling out r218376.
1644
1645         The patch caused multiple Layout Test crashes.
1646
1647         Reverted changeset:
1648
1649         "Web Inspector: Instrument 2D/WebGL canvas contexts in the
1650         backend"
1651         https://bugs.webkit.org/show_bug.cgi?id=172623
1652         http://trac.webkit.org/changeset/218376
1653
1654 2017-06-16  Konstantin Tokarev  <annulen@yandex.ru>
1655
1656         REGRESSION(r166799): LogsPageMessagesToSystemConsoleEnabled corrupts non-ASCII characters
1657         https://bugs.webkit.org/show_bug.cgi?id=173470
1658
1659         Reviewed by Joseph Pecoraro.
1660
1661         ConsoleClient::printConsoleMessageWithArguments() incorrectly uses the
1662         const char* overload of StringBuilder::append() that assumes Latin-1
1663         encoding, not UTF-8.
1664
1665         * runtime/ConsoleClient.cpp:
1666         (JSC::ConsoleClient::printConsoleMessageWithArguments):
1667
1668 2017-06-15  Mark Lam  <mark.lam@apple.com>
1669
1670         Add a JSRunLoopTimer registry in VM.
1671         https://bugs.webkit.org/show_bug.cgi?id=173429
1672         <rdar://problem/31287961>
1673
1674         Reviewed by Filip Pizlo.
1675
1676         This way, we can be sure we've got every JSRunLoopTimer instance covered if we
1677         need to change their run loop (e.g. when setting to the WebThread's run loop).
1678
1679         * heap/Heap.cpp:
1680         (JSC::Heap::Heap):
1681         (JSC::Heap::setRunLoop): Deleted.
1682         * heap/Heap.h:
1683         (JSC::Heap::runLoop): Deleted.
1684         * runtime/JSRunLoopTimer.cpp:
1685         (JSC::JSRunLoopTimer::JSRunLoopTimer):
1686         (JSC::JSRunLoopTimer::setRunLoop):
1687         (JSC::JSRunLoopTimer::~JSRunLoopTimer):
1688         * runtime/VM.cpp:
1689         (JSC::VM::VM):
1690         (JSC::VM::registerRunLoopTimer):
1691         (JSC::VM::unregisterRunLoopTimer):
1692         (JSC::VM::setRunLoop):
1693         * runtime/VM.h:
1694         (JSC::VM::runLoop):
1695
1696 2017-06-15  Joseph Pecoraro  <pecoraro@apple.com>
1697
1698         [Cocoa] Modernize some internal initializers to use instancetype instead of id
1699         https://bugs.webkit.org/show_bug.cgi?id=173112
1700
1701         Reviewed by Wenson Hsieh.
1702
1703         * API/JSContextInternal.h:
1704         * API/JSWrapperMap.h:
1705         * API/JSWrapperMap.mm:
1706         (-[JSObjCClassInfo initForClass:]):
1707         (-[JSWrapperMap initWithGlobalContextRef:]):
1708
1709 2017-06-15  Matt Baker  <mattbaker@apple.com>
1710
1711         Web Inspector: Instrument 2D/WebGL canvas contexts in the backend
1712         https://bugs.webkit.org/show_bug.cgi?id=172623
1713         <rdar://problem/32415986>
1714
1715         Reviewed by Devin Rousso.
1716
1717         This patch adds a basic Canvas protocol. It includes Canvas and related
1718         types and events for monitoring the lifetime of canvases in the page.
1719
1720         * CMakeLists.txt:
1721         * DerivedSources.make:
1722         * inspector/protocol/Canvas.json: Added.
1723
1724         * inspector/scripts/codegen/generator.py:
1725         (Generator.stylized_name_for_enum_value):
1726         Add special handling for Canvas.ContextType protocol enumeration,
1727         so that "canvas-2d" and "webgl" map to `Canvas2D` and `WebGL`.
1728
1729 2017-06-15  Keith Miller  <keith_miller@apple.com>
1730
1731         Add logging to MachineStackMarker to try to diagnose crashes in the wild
1732         https://bugs.webkit.org/show_bug.cgi?id=173427
1733
1734         Reviewed by Mark Lam.
1735
1736         This patch adds some logging to the MachineStackMarker constructor
1737         to help figure out where we are seeing crashes. Since macOS does
1738         not support os_log_info, my hope is that if we set all the callee
1739         save registers before making any calls in the C++ code we can
1740         figure out which call is the source of the crash. We also set
1741         all the caller save registers before returning in case some
1742         weirdness is happening in the Heap constructor.
1743
1744         This logging should not matter from a performance perspective. We
1745         only create MachineStackMarkers when we are creating a new VM,
1746         which is already expensive.
1747
1748         * heap/MachineStackMarker.cpp:
1749         (JSC::MachineThreads::MachineThreads):
1750
1751 2017-06-15  Yusuke Suzuki  <utatane.tea@gmail.com>
1752
1753         [JSC] Implement Object.assign in C++
1754         https://bugs.webkit.org/show_bug.cgi?id=173414
1755
1756         Reviewed by Saam Barati.
1757
1758         Implementing Object.assign in JS is not so good compared to the C++ version because:
1759
1760         1. The JS version allocates a JS array for the object's own keys, and we allocate a JSString / Symbol for each key.
1761         But basically, they can be handled as UniquedStringImpl in C++. Allocating these cells is wasteful.
1762
1763         2. While implementing builtins in JS offers some good type speculation chances, Object.assign is inherently super polymorphic,
1764         so JS's type profile doesn't help much.
1765
1766         3. We have a chance to introduce various fast paths for Object.assign in C++.
1767
1768         This patch moves the implementation from JS to C++. It achieves the above (1) and (2). (3) is filed in [1].
1769
1770         We can see a 1.65x improvement in SixSpeed object-assign.es6.
1771
1772                                     baseline                  patched
1773
1774         object-assign.es6      643.3253+-8.0521     ^    389.1075+-8.8840        ^ definitely 1.6533x faster
1775
1776         [1]: https://bugs.webkit.org/show_bug.cgi?id=173416
1777
1778         * builtins/ObjectConstructor.js:
1779         (entries):
1780         (assign): Deleted.
1781         * runtime/JSCJSValueInlines.h:
1782         (JSC::JSValue::putInline):
1783         * runtime/JSCell.h:
1784         * runtime/JSCellInlines.h:
1785         (JSC::JSCell::putInline):
1786         * runtime/JSObject.cpp:
1787         (JSC::JSObject::put):
1788         * runtime/JSObject.h:
1789         * runtime/JSObjectInlines.h:
1790         (JSC::JSObject::putInlineForJSObject):
1791         (JSC::JSObject::putInline): Deleted.
1792         * runtime/ObjectConstructor.cpp:
1793         (JSC::objectConstructorAssign):
1794
1795 2017-06-14  Dan Bernstein  <mitz@apple.com>
1796
1797         [Cocoa] Objective-C class whose name begins with an underscore can’t be exported to JavaScript
1798         https://bugs.webkit.org/show_bug.cgi?id=168578
1799
1800         Reviewed by Geoff Garen.
1801
1802         * API/JSWrapperMap.mm:
1803         (allocateConstructorForCustomClass): Updated for change to forEachProtocolImplementingProtocol.
1804         (-[JSObjCClassInfo allocateConstructorAndPrototype]): Ditto.
1805         (-[JSWrapperMap classInfoForClass:]): If the class name begins with an underscore, check if
1806           it defines conformance to a JSExport-derived protocol and if so, avoid using the
1807           superclass as a substitute as we’d normally do.
1808
1809         * API/ObjcRuntimeExtras.h:
1810         (forEachProtocolImplementingProtocol): Added a "stop" argument to the block to let callers
1811           bail out.
1812
1813         * API/tests/JSExportTests.mm:
1814         (+[JSExportTests classNamePrefixedWithUnderscoreTest]): New test for this.
1815         (runJSExportTests): Run new test.
1816
1817 2017-06-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1818
1819         Unreviewed, suppress invalid register allocation validation assertion in 32 bit part 2
1820         https://bugs.webkit.org/show_bug.cgi?id=172421
1821
1822         * dfg/DFGSpeculativeJIT.cpp:
1823         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
1824
1825 2017-06-14  Claudio Saavedra  <csaavedra@igalia.com>
1826
1827         REGRESSION: 15 new jsc failures in WPE and GTK+
1828         https://bugs.webkit.org/show_bug.cgi?id=173349
1829
1830         Reviewed by JF Bastien.
1831
1832         Recent changes to generateWasm.py are not accounted for from
1833         CMake, which leads to WasmOps.h not being regenerated in partial
1834         builds. Make generateWasm.py an additional dependency.

1835         * CMakeLists.txt:
1836
1837 2017-06-13  Joseph Pecoraro  <pecoraro@apple.com>
1838
1839         Debugger has unexpected effect on program correctness
1840         https://bugs.webkit.org/show_bug.cgi?id=172683
1841
1842         Reviewed by Saam Barati.
1843
1844         * inspector/InjectedScriptSource.js:
1845         (InjectedScript.RemoteObject.prototype._appendPropertyPreviews):
1846         (InjectedScript.RemoteObject.prototype._isPreviewableObjectInternal):
1847         (BasicCommandLineAPI):
1848         Eliminate for..of use with Arrays from InjectedScriptSource as it can be observable.
1849         We still use it for Set / Map iteration which we can eliminate when moving to builtins.
1850
1851 2017-06-13  JF Bastien  <jfbastien@apple.com>
1852
1853         WebAssembly: fix erroneous signature comment
1854         https://bugs.webkit.org/show_bug.cgi?id=173334
1855
1856         Reviewed by Keith Miller.
1857
1858         * wasm/WasmSignature.h:
1859
1860 2017-06-13  Michael Saboff  <msaboff@apple.com>
1861
1862         Refactor AbsenceOfSetter to AbsenceOfSetEffects
1863         https://bugs.webkit.org/show_bug.cgi?id=173322
1864
1865         Reviewed by Filip Pizlo.
1866
1867         * bytecode/ObjectPropertyCondition.h:
1868         (JSC::ObjectPropertyCondition::absenceOfSetEffectWithoutBarrier):
1869         (JSC::ObjectPropertyCondition::absenceOfSetEffect):
1870         (JSC::ObjectPropertyCondition::absenceOfSetterWithoutBarrier): Deleted.
1871         (JSC::ObjectPropertyCondition::absenceOfSetter): Deleted.
1872         * bytecode/ObjectPropertyConditionSet.cpp:
1873         (JSC::generateConditionsForPropertySetterMiss):
1874         (JSC::generateConditionsForPropertySetterMissConcurrently):
1875         * bytecode/PropertyCondition.cpp:
1876         (JSC::PropertyCondition::dumpInContext):
1877         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):
1878         (JSC::PropertyCondition::isStillValid):
1879         (WTF::printInternal):
1880         * bytecode/PropertyCondition.h:
1881         (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
1882         (JSC::PropertyCondition::absenceOfSetEffect):
1883         (JSC::PropertyCondition::hasPrototype):
1884         (JSC::PropertyCondition::hash):
1885         (JSC::PropertyCondition::operator==):
1886         (JSC::PropertyCondition::absenceOfSetterWithoutBarrier): Deleted.
1887         (JSC::PropertyCondition::absenceOfSetter): Deleted.
1888
1889 2017-06-13  JF Bastien  <jfbastien@apple.com>
1890
1891         WebAssembly: import updated spec tests
1892         https://bugs.webkit.org/show_bug.cgi?id=173287
1893         <rdar://problem/32725975>
1894
1895         Reviewed by Saam Barati.
1896
1897         Import spec tests as of 31c641cc15f2aedbec2fa45a5185f68416df578b,
1898         with a few modifications so things work.
1899
1900         Fix a bunch of bugs found through this process, and punt a few tests (which I
1901         marked as blocked by this bug).
1902
1903         Fixes:
1904
1905         Fix load / store alignment: r216908 erroneously implemented it as bit alignment
1906         instead of byte alignment. It was also missing memory-alignment.js despite it
1907         being in the ChangeLog, so add it too. This allows spec-test/align.wast.js to
1908         pass.
1909
1910         Tables can be imported or in a section. There can be only one, but sections can
1911         be empty. An Elements section can exist if there's no Table, as long as it is
1912         also empty.
1913
1914         Memories can be imported or in a section. There can be only one, but sections
1915         can be empty. A Data section can exist if there's no Memory, as long as it is
1916         also empty.
1917
1918         Prototypes: stringify without .prototype. in the string.
1919
1920         WebAssembly.Table.prototype.grow was plain wrong: it takes a delta parameter,
1921         not a final size, and throws a RangeError on failure, not a TypeError.
1922
1923         Fix compile / instantiate so they reject the promise if given an argument of the
1924         wrong type (instead of failing instantly).
1925
1926         Fix async on neuter test.
1927
1928         Element section shouldn't affect any Table if any of the elements are out of
1929         bounds. We need to process it in two passes.
1930
1931         Segment section shouldn't affect any Data if any of the segments are out of
1932         bounds. We need to process it in two passes.
1933
1934         Empty data segments are valid, but only when there is no memory. Their index
1935         still gets validated, and has to be zero.
1936
1937         Punts:
1938
1939         Error messages with context, the test seems overly restrictive but this is
1940         minor.
1941
1942         compile/instantiate/validate property descriptors.
1943
1944         UTF-8 bugs.
1945
1946         Temporarily disable NaN tests. We need to go back and implement the following
1947         semantics: https://github.com/WebAssembly/spec/pull/414 This doesn't matter as
1948         much as getting all the other tests passing.
1949
1950         Worth noting for NaNs: f64.no_fold_mul_one (also a NaN test) as well as
1951         no_fold_promote_demote (an interesting corner case which we get wrong). mul by
1952         one is (assert_return (invoke \"f64.no_fold_mul_one\" (i64.const
1953         0x7ff4000000000000)) (i64.const 0x7ff8000000000000)) which means converting sNaN
1954         to qNaN, and promote/demote is (assert_return (invoke \"no_fold_promote_demote\"
1955         (i32.const 0x7fa00000)) (i32.const 0x7fc00000)) which is the same. I'm not sure
1956         why they're not allowed.
1957
1958         * wasm/WasmB3IRGenerator.cpp:
1959         * wasm/WasmFunctionParser.h:
1960         * wasm/WasmModuleParser.cpp:
1961         * wasm/WasmModuleParser.h:
1962         * wasm/WasmParser.h:
1963         (JSC::Wasm::Parser<SuccessType>::consumeUTF8String):
1964         * wasm/generateWasm.py:
1965         (memoryLog2Alignment):
1966         * wasm/js/JSWebAssemblyTable.cpp:
1967         (JSC::JSWebAssemblyTable::grow):
1968         * wasm/js/JSWebAssemblyTable.h:
1969         * wasm/js/WebAssemblyCompileErrorPrototype.cpp:
1970         * wasm/js/WebAssemblyInstancePrototype.cpp:
1971         * wasm/js/WebAssemblyLinkErrorPrototype.cpp:
1972         * wasm/js/WebAssemblyMemoryPrototype.cpp:
1973         * wasm/js/WebAssemblyModulePrototype.cpp:
1974         * wasm/js/WebAssemblyModuleRecord.cpp:
1975         (JSC::WebAssemblyModuleRecord::evaluate):
1976         * wasm/js/WebAssemblyPrototype.cpp:
1977         (JSC::webAssemblyCompileFunc):
1978         (JSC::resolve):
1979         (JSC::instantiate):
1980         (JSC::compileAndInstantiate):
1981         (JSC::webAssemblyInstantiateFunc):
1982         * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp:
1983         * wasm/js/WebAssemblyTablePrototype.cpp:
1984         (JSC::webAssemblyTableProtoFuncGrow):
1985
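        Two of the fixes above, checked from JavaScript: the load/store alignment is a byte alignment (so memoryLog2Alignment must yield log2 of the width in bytes, 2 for i32.load rather than log2(32) = 5), and WebAssembly.Table.prototype.grow takes a delta and throws a RangeError past the maximum. Added example, not WebKit's code; naturalLog2Alignment and the Table limits are constructed here.

```javascript
// Added example, not code from JSC/WebKit: two WebAssembly semantics this
// entry fixes, expressed in plain JavaScript.

// Natural alignment of a memory instruction, as log2 of the access width in
// BYTES (what a memoryLog2Alignment helper has to compute). Using the width
// in bits here is exactly the r216908 mistake: i32.load would become 5.
function naturalLog2Alignment(opName) {
  // e.g. "i32.load", "i64.load8_s", "f64.store", "i32.store16", "i64.load32_u"
  const m = /^([if])(32|64)\.(load|store)(8|16|32)?(?:_[su])?$/.exec(opName);
  if (!m) throw new Error(`not a memory instruction: ${opName}`);
  const bits = Number(m[4] || m[2]);   // narrow width if present, else value type width
  return Math.log2(bits / 8);
}

// A memarg alignment hint is valid only if 2^hint <= natural byte width,
// i.e. hint <= naturalLog2Alignment(op). This is the check a validator runs.
function isValidMemargAlignment(opName, alignHint) {
  return Number.isInteger(alignHint) && alignHint >= 0
    && alignHint <= naturalLog2Alignment(opName);
}

// WebAssembly.Table.prototype.grow(delta): returns the previous length and
// throws a RangeError (not a TypeError) when the maximum would be exceeded.
// The table limits below are constructed for the demonstration.
function tableGrowBehaviour() {
  const table = new WebAssembly.Table({ element: "anyfunc", initial: 1, maximum: 2 });
  const out = { before: table.length };
  out.returned = table.grow(1);       // grows by a delta of 1, returns old length
  out.after = table.length;
  try {
    table.grow(1);                    // would exceed maximum: 2
    out.error = null;
  } catch (e) {
    out.error = e.constructor.name;
  }
  return out;
}
```
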
1986 2017-06-13  Michael Saboff  <msaboff@apple.com>
1987
1988         DFG doesn't properly handle a property that is changed to read only in a prototype
1989         https://bugs.webkit.org/show_bug.cgi?id=173321
1990
1991         Reviewed by Filip Pizlo.
1992
1993         We need to check for ReadOnly as well as not being a Setter when checking
1994         an AbsenceOfSetter.
1995
1996         * bytecode/PropertyCondition.cpp:
1997         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):
1998
1999 2017-06-13  Daniel Bates  <dabates@apple.com>
2000
2001         Implement W3C Secure Contexts Draft Specification
2002         https://bugs.webkit.org/show_bug.cgi?id=158121
2003         <rdar://problem/26012994>
2004
2005         Reviewed by Brent Fulgham.
2006
2007         Part 4
2008
2009         Adds isSecureContext to the list of common identifiers as needed to support
2010         toggling its exposure from a runtime enabled feature flag.
2011
2012         * runtime/CommonIdentifiers.h:
2013
2014 2017-06-13  Don Olmstead  <don.olmstead@sony.com>
2015
2016         [JSC] Remove redundant includes in config.h
2017         https://bugs.webkit.org/show_bug.cgi?id=173294
2018
2019         Reviewed by Alex Christensen.
2020
2021         * config.h:
2022
2023 2017-06-12  Saam Barati  <sbarati@apple.com>
2024
2025         We should not claim that SpecEmpty is filtered out of cell checks on 64 bit platforms
2026         https://bugs.webkit.org/show_bug.cgi?id=172957
2027         <rdar://problem/32602704>
2028
2029         Reviewed by Filip Pizlo.
2030
2031         Consider this program:
2032         ```
2033         block#1:
2034         n: GetClosureVar(..., |this|) // this will load empty JSValue()
2035         SetLocal(Cell:@n, locFoo) // Cell check succeeds because JSValue() looks like a cell
2036         Branch(#2, #3)
2037         
2038         Block#3:
2039         x: GetLocal(locFoo)
2040         y: CheckNotEmpty(@x)
2041         ```
2042         
2043         If we claim that a cell check filters out the empty value, we will
2044         incorrectly eliminate the CheckNotEmpty node @y. This patch fixes AI,
2045         FTLLowerDFGToB3, and DFGSpeculativeJIT to no longer make this claim.
2046         
2047         On 64 bit platforms:
2048         - Cell use kind *now allows* the empty value to pass through.
2049         - CellOrOther use kind *now allows* for the empty value to pass through
2050         - NotCell use kind *no longer allows* the empty value to pass through.
2051
2052         * assembler/CPU.h:
2053         (JSC::isARMv7IDIVSupported):
2054         (JSC::isARM64):
2055         (JSC::isX86):
2056         (JSC::isX86_64):
2057         (JSC::is64Bit):
2058         (JSC::is32Bit):
2059         (JSC::isMIPS):
2060         Make these functions constexpr so we can use them in static variable assignment.
2061
2062         * bytecode/SpeculatedType.h:
2063         * dfg/DFGSpeculativeJIT.cpp:
2064         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
2065         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2066         (JSC::DFG::SpeculativeJIT::compileLogicalNotStringOrOther):
2067         (JSC::DFG::SpeculativeJIT::emitStringOrOtherBranch):
2068         (JSC::DFG::SpeculativeJIT::speculateCell):
2069         (JSC::DFG::SpeculativeJIT::speculateCellOrOther):
2070         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
2071         (JSC::DFG::SpeculativeJIT::speculateString):
2072         (JSC::DFG::SpeculativeJIT::speculateStringOrOther):
2073         (JSC::DFG::SpeculativeJIT::speculateSymbol):
2074         (JSC::DFG::SpeculativeJIT::speculateNotCell):
2075         * dfg/DFGSpeculativeJIT32_64.cpp:
2076         * dfg/DFGSpeculativeJIT64.cpp:
2077         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2078         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
2079         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
2080         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2081         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2082         * dfg/DFGUseKind.h:
2083         (JSC::DFG::typeFilterFor):
2084         * ftl/FTLLowerDFGToB3.cpp:
2085         (JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep):
2086         (JSC::FTL::DFG::LowerDFGToB3::numberOrNotCellToInt32):
2087         (JSC::FTL::DFG::LowerDFGToB3::compareEqObjectOrOtherToObject):
2088         (JSC::FTL::DFG::LowerDFGToB3::boolify):
2089         (JSC::FTL::DFG::LowerDFGToB3::equalNullOrUndefined):
2090         (JSC::FTL::DFG::LowerDFGToB3::lowCell):
2091         (JSC::FTL::DFG::LowerDFGToB3::lowNotCell):
2092         (JSC::FTL::DFG::LowerDFGToB3::isCellOrMisc):
2093         (JSC::FTL::DFG::LowerDFGToB3::isNotCellOrMisc):
2094         (JSC::FTL::DFG::LowerDFGToB3::isNotCell):
2095         (JSC::FTL::DFG::LowerDFGToB3::isCell):
2096         (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
2097         (JSC::FTL::DFG::LowerDFGToB3::speculateObjectOrOther):
2098         (JSC::FTL::DFG::LowerDFGToB3::speculateString):
2099         (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):
2100         (JSC::FTL::DFG::LowerDFGToB3::speculateSymbol):
2101
2102 2017-06-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2103
2104         Unreviewed, suppress invalid register allocation validation assertion in 32 bit
2105         https://bugs.webkit.org/show_bug.cgi?id=172421
2106
2107         * dfg/DFGSpeculativeJIT.cpp:
2108         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
2109
2110 2017-06-12  Oleksandr Skachkov  <gskachkov@gmail.com>
2111
2112         We incorrectly allow escaped characters in keyword tokens
2113         https://bugs.webkit.org/show_bug.cgi?id=171310
2114
2115         Reviewed by Yusuke Suzuki.
2116
2117         According to the spec, it is not allowed to use escaped characters in
2118         keywords: https://tc39.github.io/ecma262/#sec-reserved-words
2119         This patch implements these requirements.
2120
2122         * parser/Lexer.cpp:
2123         (JSC::Lexer<CharacterType>::parseIdentifierSlowCase):
2124         * parser/Parser.cpp:
2125         (JSC::Parser<LexerType>::printUnexpectedTokenText):
2126         * parser/ParserTokens.h:
2127
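        The rule this entry enforces, checked against a JavaScript engine from the outside: a Unicode escape may appear in an identifier, but an identifier whose decoded text is a reserved word is not a keyword token and is rejected where a keyword is required. Added example, not JSC code; the source strings are constructed here.

```javascript
// Added example, not code from JSC: escaped reserved words in keyword and
// non-keyword positions. new Function() parses the source as sloppy-mode
// code; parseStatus reports "ok" or the thrown error's class.
function parseStatus(source) {
  try {
    new Function(source);
    return "ok";
  } catch (e) {
    return e.constructor.name;
  }
}

// Constructed cases. The JS string "\\u0069f" contains the six characters
// \u0069f, which the lexer decodes to "if".
const ESCAPED_KEYWORD_CASES = {
  "\\u0069f (true) {}": "SyntaxError",       // escaped "if" where a keyword is required
  "var \\u0069f = 1;": "SyntaxError",        // reserved word as a binding, escaped or not
  "\\u0076ar x = 1;": "SyntaxError",         // escaped "var" cannot start a declaration
  "var \\u0061bc = 1;": "ok",                // "\u0061bc" decodes to "abc", a normal identifier
  "var x = { \\u0069f: 1 };": "ok",          // property names are IdentifierName: escapes allowed
  "var x = {}; x.\\u0069f = 1;": "ok",       // same for member access
};

// Returns the sources whose parse result differs from the expected one.
function mismatchedKeywordCases() {
  return Object.entries(ESCAPED_KEYWORD_CASES)
    .filter(([source, expected]) => parseStatus(source) !== expected)
    .map(([source]) => source);
}
```
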
2128 2017-06-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2129
2130         Unreviewed, add branch64(Cond, BaseIndex, RegisterID) for ARM64
2131         https://bugs.webkit.org/show_bug.cgi?id=172421
2132
2133         * assembler/MacroAssemblerARM64.h:
2134         (JSC::MacroAssemblerARM64::branch64):
2135         (JSC::MacroAssemblerARM64::branchPtr):
2136
2137 2017-06-12  Commit Queue  <commit-queue@webkit.org>
2138
2139         Unreviewed, rolling out r218093.
2140         https://bugs.webkit.org/show_bug.cgi?id=173259
2141
2142         Break builds (Requested by yusukesuzuki on #webkit).
2143
2144         Reverted changeset:
2145
2146         "Unreviewed, build fix for ARM64"
2147         https://bugs.webkit.org/show_bug.cgi?id=172421
2148         http://trac.webkit.org/changeset/218093
2149
2150 2017-06-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2151
2152         Unreviewed, build fix for ARM64
2153         https://bugs.webkit.org/show_bug.cgi?id=172421
2154
2155         * dfg/DFGSpeculativeJIT.cpp:
2156         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
2157
2158 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2159
2160         [DFG] Add ArrayIndexOf intrinsic
2161         https://bugs.webkit.org/show_bug.cgi?id=172421
2162
2163         Reviewed by Saam Barati.
2164
2165         This patch introduces ArrayIndexOfIntrinsic for DFG and FTL optimizations.
2166         We emit an array check and take the fast path if the array is Array::Int32, Array::Double
2167         or Array::Contiguous. In addition, for the Array::Int32 and Array::Double cases,
2168         we have inlined fast paths.
2169
2170         With updated ARES-6 Babylon,
2171
2172         Before
2173             firstIteration:     45.76 +- 3.87 ms
2174             averageWorstCase:   24.41 +- 2.17 ms
2175             steadyState:        8.01 +- 0.22 ms
2176         After
2177             firstIteration:     45.64 +- 4.23 ms
2178             averageWorstCase:   23.03 +- 3.34 ms
2179             steadyState:        7.33 +- 0.34 ms
2180
2181         In SixSpeed.
2182                                          baseline                  patched
2183
2184             map-set-lookup.es5      734.4701+-10.4383    ^    102.0968+-2.6357        ^ definitely 7.1939x faster
2185             map-set.es5              41.1396+-1.0558     ^     33.1916+-0.7986        ^ definitely 1.2395x faster
2186             map-set-object.es5       62.8317+-1.2518     ^     45.6944+-0.8369        ^ definitely 1.3750x faster
2187
2188         * dfg/DFGAbstractInterpreterInlines.h:
2189         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2190         * dfg/DFGByteCodeParser.cpp:
2191         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2192         * dfg/DFGClobberize.h:
2193         (JSC::DFG::clobberize):
2194         * dfg/DFGDoesGC.cpp:
2195         (JSC::DFG::doesGC):
2196         * dfg/DFGFixupPhase.cpp:
2197         (JSC::DFG::FixupPhase::fixupNode):
2198         * dfg/DFGNode.h:
2199         (JSC::DFG::Node::hasArrayMode):
2200         * dfg/DFGNodeType.h:
2201         * dfg/DFGOperations.cpp:
2202         * dfg/DFGOperations.h:
2203         * dfg/DFGPredictionPropagationPhase.cpp:
2204         * dfg/DFGSafeToExecute.h:
2205         (JSC::DFG::safeToExecute):
2206         * dfg/DFGSpeculativeJIT.cpp:
2207         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
2208         (JSC::DFG::SpeculativeJIT::speculateObject):
2209         * dfg/DFGSpeculativeJIT.h:
2210         (JSC::DFG::SpeculativeJIT::callOperation):
2211         * dfg/DFGSpeculativeJIT32_64.cpp:
2212         (JSC::DFG::SpeculativeJIT::compile):
2213         * dfg/DFGSpeculativeJIT64.cpp:
2214         (JSC::DFG::SpeculativeJIT::compile):
2215         (JSC::DFG::SpeculativeJIT::speculateInt32):
2216         * ftl/FTLCapabilities.cpp:
2217         (JSC::FTL::canCompile):
2218         * ftl/FTLLowerDFGToB3.cpp:
2219         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2220         (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf):
2221         * jit/JITOperations.h:
2222         * runtime/ArrayPrototype.cpp:
2223         (JSC::ArrayPrototype::finishCreation):
2224         * runtime/Intrinsic.cpp:
2225         (JSC::intrinsicName):
2226         * runtime/Intrinsic.h:
2227
2228 2017-06-11  Keith Miller  <keith_miller@apple.com>
2229
2230         TypedArray constructor with string shouldn't throw
2231         https://bugs.webkit.org/show_bug.cgi?id=173181
2232
2233         Reviewed by JF Bastien.
2234
2235         We should be coercing primitive arguments to numbers in the various
2236         TypedArray constructors.
2237
2238         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2239         (JSC::constructGenericTypedArrayViewWithArguments):
2240
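        Added example (the editor's illustration, not JSC's constructor code): the
        ECMA-262 ToIndex coercion that the TypedArray constructors apply to a
        primitive first argument, as the editor reads the spec. A string such as
        "3" therefore yields a length-3 array rather than a TypeError, NaN-like
        input yields length 0, and only negative or oversized integers are
        rejected with a RangeError. The helper names are the editor's own, and the
        cross-check uses the host engine's own Uint8Array.

```javascript
const MAX_INDEX = Number.MAX_SAFE_INTEGER; // 2^53 - 1, the upper bound ToIndex allows

// ToIntegerOrInfinity(argument): ToNumber, then NaN and -0 become +0,
// +/-Infinity is kept, anything else is truncated toward zero.
function toIntegerOrInfinity(value) {
  const number = Number(value); // ToNumber; throws TypeError for a Symbol
  if (Number.isNaN(number) || number === 0) return 0;
  if (!Number.isFinite(number)) return number;
  return Math.trunc(number) || 0; // "|| 0" normalises -0 (e.g. from -0.5) to +0
}

// ToIndex(value): undefined becomes 0; negative or > 2^53-1 is a RangeError.
function toIndex(value) {
  if (value === undefined) return 0;
  const integer = toIntegerOrInfinity(value);
  if (integer < 0 || integer > MAX_INDEX) {
    throw new RangeError(`Invalid typed array length: ${String(value)}`);
  }
  return integer;
}

// The branch of the TypedArray constructor taken when the first argument is
// not an Object: the primitive is coerced with ToIndex to an element count.
// Objects (ArrayBuffer, TypedArray, iterables) take other branches and are
// rejected here to keep the example to the primitive case.
function typedArrayLengthFromPrimitive(arg) {
  if (arg !== null && (typeof arg === "object" || typeof arg === "function")) {
    throw new TypeError("object arguments are not handled by the ToIndex branch");
  }
  return toIndex(arg);
}

// Cross-check against the host engine: for a primitive argument both sides
// must yield the same length, or throw the same error class.
function agreesWithHost(arg) {
  const outcome = (fn) => {
    try { return fn(); } catch (e) { return e.constructor; }
  };
  return outcome(() => typedArrayLengthFromPrimitive(arg))
      === outcome(() => new Uint8Array(arg).length);
}
```

        `typedArrayLengthFromPrimitive("3")` returns 3 and `toIndex("abc")`
        returns 0, matching `new Uint8Array("3").length` and
        `new Uint8Array("abc").length` in a conforming engine.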
2241 2017-06-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2242
2243         [WTF] Make ThreadMessage portable
2244         https://bugs.webkit.org/show_bug.cgi?id=172073
2245
2246         Reviewed by Keith Miller.
2247
2248         * runtime/MachineContext.h:
2249         (JSC::MachineContext::stackPointer):
2250         * tools/CodeProfiling.cpp:
2251         (JSC::profilingTimer):
2252
2253 2017-06-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2254
2255         [JSC] Shrink Structure size
2256         https://bugs.webkit.org/show_bug.cgi?id=173239
2257
2258         Reviewed by Mark Lam.
2259
2260         We find that the size of our Structure is slightly enlarged due to padding.
2261         By changing the order of members, we can reduce the size from 120 to 112.
2262         This is good because 120 and 112 are categorized into different size classes.
2263         For 120, we allocate 128 bytes. And for 112, we allocate 112 bytes.
2264         We now save 16 bytes per Structure for free.
2265
2266         * runtime/ConcurrentJSLock.h:
2267         * runtime/Structure.cpp:
2268         (JSC::Structure::Structure):
2269         * runtime/Structure.h:
2270
2271 2017-06-11  Konstantin Tokarev  <annulen@yandex.ru>
2272
2273         Unreviewed, attempt to fix JSC tests on Win after r217771
2274
2275         * jsc.cpp:
2276         (currentWorkingDirectory): buffer is not NULL-terminated
2277
2278 2017-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2279
2280         [WTF] Add RegisteredSymbolImpl
2281         https://bugs.webkit.org/show_bug.cgi?id=173230
2282
2283         Reviewed by Mark Lam.
2284
2285         * runtime/SymbolConstructor.cpp:
2286         (JSC::symbolConstructorKeyFor):
2287
2288 2017-06-10  Dan Bernstein  <mitz@apple.com>
2289
2290         Reverted r218056 because it made the IDE reindex constantly.
2291
2292         * Configurations/DebugRelease.xcconfig:
2293
2294 2017-06-10  Dan Bernstein  <mitz@apple.com>
2295
2296         [Xcode] With Xcode 9 developer beta, everything rebuilds when switching between command-line and IDE
2297         https://bugs.webkit.org/show_bug.cgi?id=173223
2298
2299         Reviewed by Sam Weinig.
2300
2301         The rebuilds were happening due to a difference in the compiler options that the IDE and
2302         xcodebuild were specifying. Only the IDE was passing the -index-store-path option. To make
2303         xcodebuild pass that option, too, set CLANG_INDEX_STORE_ENABLE to YES if it is unset, and
2304         specify an appropriate path in CLANG_INDEX_STORE_PATH.
2305
2306         * Configurations/DebugRelease.xcconfig:
2307
2308 2017-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2309
2310         [JSC] Update RegExp.prototype[@@search] implementation according to the latest spec
2311         https://bugs.webkit.org/show_bug.cgi?id=173227
2312
2313         Reviewed by Mark Lam.
2314
2315         The latest spec introduces a slight change to RegExp.prototype[@@search].
2316         This patch applies this change. Basically, this change is done in the slow path of
2317         the RegExp.prototype[@@search].
2318         https://tc39.github.io/ecma262/#sec-regexp.prototype-@@search
2319
2320         * builtins/RegExpPrototype.js:
2321         (search):
2322
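        Added example (the editor's illustration, not the builtin in
        RegExpPrototype.js): the RegExp.prototype[@@search] slow path written out
        from the ECMA-262 text as the editor reads it. The ES2015 steps wrote
        lastIndex unconditionally before and after RegExpExec; the later text only
        writes it when SameValue says the value would actually change, which is
        observable through a lastIndex setter or a frozen RegExp. That this is the
        precise step the patch changed is the editor's assumption; the helper
        names and the counting RegExp-like object are constructed for the example.

```javascript
// RegExpExec(R, S): call a user-visible exec if present, else the built-in.
function regExpExec(R, S) {
  const exec = R.exec;
  if (typeof exec === "function") {
    const result = exec.call(R, S);
    if (result !== null && typeof result !== "object") {
      throw new TypeError("exec result must be an Object or null");
    }
    return result;
  }
  if (!(R instanceof RegExp)) throw new TypeError("RegExpExec on non-RegExp");
  return RegExp.prototype.exec.call(R, S);
}

// Set(O, P, V, true): a failed [[Set]] (e.g. a non-writable lastIndex) throws.
function setStrict(obj, key, value) {
  if (!Reflect.set(obj, key, value)) {
    throw new TypeError(`Cannot assign to read only property '${key}'`);
  }
}

// RegExp.prototype[@@search] slow path. With legacy: true the ES2015 steps are
// used (lastIndex is written unconditionally); otherwise the later text, which
// only writes lastIndex when SameValue says it would actually change.
function regExpSearch(rx, string, { legacy = false } = {}) {
  if (rx === null || typeof rx !== "object") {
    throw new TypeError("RegExp.prototype[@@search] requires an object receiver");
  }
  const S = String(string);
  const previousLastIndex = rx.lastIndex;
  if (legacy || !Object.is(previousLastIndex, 0)) {
    setStrict(rx, "lastIndex", 0);
  }
  const result = regExpExec(rx, S);
  const currentLastIndex = rx.lastIndex;
  if (legacy || !Object.is(currentLastIndex, previousLastIndex)) {
    setStrict(rx, "lastIndex", previousLastIndex);
  }
  return result === null ? -1 : result.index;
}

// Constructed RegExp-like object that counts writes to lastIndex, to make the
// difference between the two versions of the algorithm observable.
function makeCountingRegExpLike(matchIndex) {
  let writes = 0;
  return {
    get lastIndex() { return 0; },
    set lastIndex(_value) { writes += 1; },
    exec(_s) { return matchIndex < 0 ? null : { index: matchIndex }; },
    get writes() { return writes; },
  };
}
```

        `regExpSearch(Object.freeze(/b/), "abc")` returns 1, whereas the same call
        with `{ legacy: true }` throws a TypeError because the unconditional write
        to the now read-only lastIndex fails; the counting object shows zero
        lastIndex writes under the current steps and two under the ES2015 steps.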
2323 2017-06-09  Chris Dumez  <cdumez@apple.com>
2324
2325         Update Thread::create() to take in a WTF::Function instead of a std::function
2326         https://bugs.webkit.org/show_bug.cgi?id=173175
2327
2328         Reviewed by Mark Lam.
2329
2330         * API/tests/CompareAndSwapTest.cpp:
2331         (testCompareAndSwap):
2332
2333 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2334
2335         [DFG] Add verboseDFGOSRExit
2336         https://bugs.webkit.org/show_bug.cgi?id=173156
2337
2338         Reviewed by Saam Barati.
2339
2340         This patch adds verboseDFGOSRExit which is similar to verboseFTLOSRExit.
2341
2342         * dfg/DFGOSRExitCompiler.cpp:
2343         * runtime/Options.h:
2344
2345 2017-06-09  Guillaume Emont  <guijemont@igalia.com>
2346
2347         [JSC][MIPS] Add MacroAssemblerMIPS::xor32(Address, RegisterID) implementation
2348         https://bugs.webkit.org/show_bug.cgi?id=173170
2349
2350         Reviewed by Yusuke Suzuki.
2351
2352         MIPS does not build since r217711 because it is missing this
2353         implementation. This patch fixes the build.
2354
2355         * assembler/MacroAssemblerMIPS.h:
2356         (JSC::MacroAssemblerMIPS::xor32):
2357
2358 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2359
2360         [JSC] FTL does not require dlfcn
2361         https://bugs.webkit.org/show_bug.cgi?id=173143
2362
2363         Reviewed by Darin Adler.
2364
2365         We no longer use LLVM library. Thus, dlfcn.h is not necessary.
2366         Also, ProcessID is not used in FTLLowerDFGToB3.cpp.
2367
2368         * ftl/FTLLowerDFGToB3.cpp:
2369
2370 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2371
2372         [DFG] Add --verboseDFGFailure
2373         https://bugs.webkit.org/show_bug.cgi?id=173155
2374
2375         Reviewed by Sam Weinig.
2376
2377         Similar to verboseFTLFailure, JSC should have verboseDFGFailure flag to show DFG failures quickly.
2378
2379         * dfg/DFGCapabilities.cpp:
2380         (JSC::DFG::verboseCapabilities):
2381         (JSC::DFG::debugFail):
2382         * runtime/Options.cpp:
2383         (JSC::recomputeDependentOptions):
2384         * runtime/Options.h:
2385
2386 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2387
2388         [JSC] Drop OS(DARWIN) for VM_TAG_FOR_WEBASSEMBLY_MEMORY
2389         https://bugs.webkit.org/show_bug.cgi?id=173147
2390
2391         Reviewed by JF Bastien.
2392
2393         This value becomes -1 in non-Darwin environments,
2394         so we do not need to use OS(DARWIN) here.
2395
2396         * wasm/WasmMemory.cpp:
2397
2398 2017-06-09  Daewoong Jang  <daewoong.jang@navercorp.com>
2399
2400         Reduce compiler warnings
2401         https://bugs.webkit.org/show_bug.cgi?id=172078
2402
2403         Reviewed by Yusuke Suzuki.
2404
2405         * runtime/IntlDateTimeFormat.h:
2406
2407 2017-06-08  Joseph Pecoraro  <pecoraro@apple.com>
2408
2409         [Cocoa] JSWrapperMap leaks for all JSContexts
2410         https://bugs.webkit.org/show_bug.cgi?id=173110
2411         <rdar://problem/32602198>
2412
2413         Reviewed by Geoffrey Garen.
2414
2415         * API/JSContext.mm:
2416         (-[JSContext ensureWrapperMap]):
2417         Ensure this allocation gets released.
2418
2419 2017-06-08  Filip Pizlo  <fpizlo@apple.com>
2420
2421         REGRESSION: js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-5.html has a flaky failure
2422         https://bugs.webkit.org/show_bug.cgi?id=161156
2423
2424         Reviewed by Saam Barati.
2425         
2426         Since LLInt does not register impure property watchpoints for self property accesses, it
2427         shouldn't try to cache accesses that require a watchpoint.
2428         
2429         This manifested as a flaky failure because the test would fire the watchpoint after we had
2430         usually already tiered up. Without concurrent JIT, we would have always tiered up before
2431         getting to the bad case. With concurrent JIT, we would sometimes not tier up by that time. This
2432         also adds a test that deterministically failed in LLInt without this change; it does so by just
2433         running a lot shorter.
2434
2435         * llint/LLIntSlowPaths.cpp:
2436         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2437
2438 2017-06-08  Keith Miller  <keith_miller@apple.com>
2439
2440         WebAssembly: We should only create wrappers for functions that can be exported
2441         https://bugs.webkit.org/show_bug.cgi?id=173088
2442
2443         Reviewed by Saam Barati.
2444
2445         This patch makes it so we only create wrappers for WebAssembly functions that
2446         can actually be exported. It appears to be a ~2.5% speedup on WasmBench compile times.
2447
2448         This patch also removes most of the old testWasmModuleFunctions api from the jsc CLI.
2449         Most of the tests were duplicates of ones in the spec-tests directory. The others I
2450         have converted to use the normal API.
2451
2452         * jsc.cpp:
2453         (GlobalObject::finishCreation):
2454         (valueWithTypeOfWasmValue): Deleted.
2455         (box): Deleted.
2456         (callWasmFunction): Deleted.
2457         (functionTestWasmModuleFunctions): Deleted.
2458         * wasm/WasmB3IRGenerator.cpp:
2459         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2460         (JSC::Wasm::createJSToWasmWrapper):
2461         (JSC::Wasm::parseAndCompile):
2462         * wasm/WasmB3IRGenerator.h:
2463         * wasm/WasmBBQPlan.cpp:
2464         (JSC::Wasm::BBQPlan::prepare):
2465         (JSC::Wasm::BBQPlan::compileFunctions):
2466         (JSC::Wasm::BBQPlan::complete):
2467         * wasm/WasmBBQPlan.h:
2468         * wasm/WasmBBQPlanInlines.h:
2469         (JSC::Wasm::BBQPlan::initializeCallees):
2470         * wasm/WasmCodeBlock.cpp:
2471         (JSC::Wasm::CodeBlock::CodeBlock):
2472         * wasm/WasmCodeBlock.h:
2473         (JSC::Wasm::CodeBlock::jsEntrypointCalleeFromFunctionIndexSpace):
2474         * wasm/WasmFormat.h:
2475         * wasm/WasmOMGPlan.cpp:
2476         (JSC::Wasm::OMGPlan::work):
2477
2478 2017-06-07  JF Bastien  <jfbastien@apple.com>
2479
2480         WebAssembly: test imports and exports with 16-bit characters
2481         https://bugs.webkit.org/show_bug.cgi?id=165977
2482         <rdar://problem/29760130>
2483
2484         Reviewed by Saam Barati.
2485
2486         Add the missing UTF-8 conversions. Improve import failure error
2487         messages, otherwise it's hard to figure out which import is wrong.
2488
2489         * wasm/js/JSWebAssemblyInstance.cpp:
2490         (JSC::JSWebAssemblyInstance::create):
2491         * wasm/js/WebAssemblyModuleRecord.cpp:
2492         (JSC::WebAssemblyModuleRecord::finishCreation):
2493         (JSC::WebAssemblyModuleRecord::link):
2494
2495 2017-06-07  Devin Rousso  <drousso@apple.com>
2496
2497         Web Inspector: Add ContextMenu item to log WebSocket object to console
2498         https://bugs.webkit.org/show_bug.cgi?id=172878
2499
2500         Reviewed by Joseph Pecoraro.
2501
2502         * inspector/protocol/Network.json:
2503         Add resolveWebSocket command.
2504
2505 2017-06-07  Jon Davis  <jond@apple.com>
2506
2507         Update feature status for features Supported In Preview
2508         https://bugs.webkit.org/show_bug.cgi?id=173071
2509
2510         Reviewed by Darin Adler.
2511
2512         Updated Media Capture and Streams, Performance Observer, Resource Timing Level 2,
2513         User Timing Level 2, Web Cryptography API, WebGL 2, WebRTC.
2514
2515         * features.json:
2516
2517 2017-06-07  Saam Barati  <sbarati@apple.com>
2518
2519         Assertion failure in com.apple.WebKit.WebContent.Development in com.apple.JavaScriptCore: JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined + 141
2520         https://bugs.webkit.org/show_bug.cgi?id=172673
2521         <rdar://problem/32250144>
2522
2523         Reviewed by Mark Lam.
2524
2525         This patch simply removes this assertion. It's faulty because it
2526         races with the main thread when doing concurrent compilation.
2527         
2528         Consider a program with:
2529         - a FrozenValue over an object O and Structure S1. S1 starts off as dfgWatchable() being true.
2530         - Structure S2
2531         
2532         The DFG IR is like so:
2533           a: JSConstant(O) // FrozenValue {O, S1}
2534           b: CheckStructure(@a, S2)
2535           c: ToThis(@a)
2536           d: CheckEq(@c, nullConstant)
2537           Branch(@d)
2538         
2539         The AbstractValue for @a will start off as having a finite structure because S1 is dfgWatchable().
2540         When running AI, we'll notice that node @b will OSR exit, so nodes after
2541         @b are unreachable. Later in the compilation, S1 is no longer dfgWatchable().
2542         Now, when running AI, @a will have Top for its structure set. No longer will
2543         we think @b exits.
2544         
2545         The DFG backend asserts that under such a situation, we should have simplified
2546         the CheckEq to false. However, this is a racy thing to assert, since the
2547         transition from dfgWatchable() to !dfgWatchable() can happen right before we
2548         enter the backend. Hence, this assertion is not valid.
2549         
2550         (Note, the generated code for the above program will never actually execute.
2551         Since we noticed S1 as dfgWatchable(), we make the compilation dependent on
2552         S1 not transitioning. S1 transitions, so we won't actually run the code that
2553         gets compiled.)
2554
2555         * dfg/DFGSpeculativeJIT64.cpp:
2556         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
2557
2558 2017-06-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2559
2560         [JSC] has_generic_property never accepts non-String
2561         https://bugs.webkit.org/show_bug.cgi?id=173057
2562
2563         Reviewed by Darin Adler.
2564
2565         We never pass non-String value to has_generic_property bytecode.
2566         We never pass a non-String value to the has_generic_property bytecode.
2567         * runtime/CommonSlowPaths.cpp:
2568         (JSC::SLOW_PATH_DECL):
2569
2570 2017-06-06  Fujii Hironori  <Hironori.Fujii@sony.com>
2571
2572         [Win][x86-64] Some callee saved registers aren't preserved
2573         https://bugs.webkit.org/show_bug.cgi?id=171266
2574
2575         Reviewed by Saam Barati.
2576
2577         * jit/RegisterSet.cpp:
2578         (JSC::RegisterSet::calleeSaveRegisters): Added edi and esi for X86_64 Windows.
2579
2580 2017-06-06  Mark Lam  <mark.lam@apple.com>
2581
2582         Contiguous storage butterfly length should not exceed MAX_STORAGE_VECTOR_LENGTH.
2583         https://bugs.webkit.org/show_bug.cgi?id=173035
2584         <rdar://problem/32554593>
2585
2586         Reviewed by Geoffrey Garen and Filip Pizlo.
2587
2588         Also added and fixed up some assertions.
2589
2590         * runtime/ArrayConventions.h:
2591         * runtime/JSArray.cpp:
2592         (JSC::JSArray::setLength):
2593         * runtime/JSObject.cpp:
2594         (JSC::JSObject::createInitialIndexedStorage):
2595         (JSC::JSObject::ensureLengthSlow):
2596         (JSC::JSObject::reallocateAndShrinkButterfly):
2597         * runtime/JSObject.h:
2598         (JSC::JSObject::ensureLength):
2599         * runtime/RegExpObject.cpp:
2600         (JSC::collectMatches):
2601         * runtime/RegExpPrototype.cpp:
2602         (JSC::regExpProtoFuncSplitFast):
2603
2604 2017-06-06  Saam Barati  <sbarati@apple.com>
2605
2606         Make sure we restore SP when doing calls that could be to JS
2607         https://bugs.webkit.org/show_bug.cgi?id=172946
2608         <rdar://problem/32579026>
2609
2610         Reviewed by JF Bastien.
2611
2612         I was worried that there was a bug where we'd call JS, JS would tail call,
2613         and we'd end up with a bogus SP. However, this bug does not exist since wasm
2614         always calls to JS through a stub, and the stub treats SP as a callee save.
2615         
2616         I wrote a test for this, and also made a note that this is the needed ABI.
2617
2618         * wasm/WasmBinding.cpp:
2619         (JSC::Wasm::wasmToJs):
2620
2621 2017-06-06  Keith Miller  <keith_miller@apple.com>
2622
2623         OMG tier up checks should be a patchpoint
2624         https://bugs.webkit.org/show_bug.cgi?id=172944
2625
2626         Reviewed by Saam Barati.
2627
2628         Tier up checks in BBQ should be done as a patchpoint rather than individual B3 opcodes,
2629         in order to reduce code generated out of line in each function. We generate a single stub
2630         that pushes all the callee-saves. This looks like a 5-10% compile time speedup.
2631
2632         * wasm/WasmB3IRGenerator.cpp:
2633         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2634         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
2635         (JSC::Wasm::B3IRGenerator::addLoop):
2636         * wasm/WasmThunks.cpp:
2637         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
2638         * wasm/WasmThunks.h:
2639
2640 2017-06-06  Darin Adler  <darin@apple.com>
2641
2642         Cut down use of WTF_ARRAY_LENGTH
2643         https://bugs.webkit.org/show_bug.cgi?id=172997
2644
2645         Reviewed by Chris Dumez.
2646
2647         * parser/Lexer.cpp:
2648         (JSC::singleEscape): Use WTF_ARRAY_LENGTH instead of ARRAY_SIZE.
2649
2650         * runtime/NumberPrototype.cpp:
2651         (JSC::toStringWithRadix): Use std::end instead of WTF_ARRAY_LENGTH.
2652
2653 2017-06-06  Konstantin Tokarev  <annulen@yandex.ru>
2654
2655         Add missing <functional> includes
2656         https://bugs.webkit.org/show_bug.cgi?id=173017
2657
2658         Patch by Thiago Macieira <thiago.macieira@intel.com>
2659         Reviewed by Yusuke Suzuki.
2660
2661         This patch fixes compilation with GCC 7.
2662
2663         * inspector/InspectorBackendDispatcher.h:
2664
2665 2017-06-06  Filip Pizlo  <fpizlo@apple.com>
2666
2667         Unreviewed, fix 32-bit build.
2668
2669         * jit/JITOpcodes.cpp:
2670         (JSC::JIT::emit_op_unreachable):
2671
2672 2017-06-06  Joseph Pecoraro  <pecoraro@apple.com>
2673
2674         Unreviewed rollout r217807. Caused a test to crash.
2675
2676         * heap/HeapSnapshotBuilder.cpp:
2677         (JSC::HeapSnapshotBuilder::buildSnapshot):
2678         (JSC::HeapSnapshotBuilder::json):
2679         (): Deleted.
2680         * heap/HeapSnapshotBuilder.h:
2681         * runtime/JSObject.cpp:
2682         (JSC::JSObject::calculatedClassName):
2683
2684 2017-06-06  Filip Pizlo  <fpizlo@apple.com>
2685
2686         index out of bound in bytecodebasicblock
2687         https://bugs.webkit.org/show_bug.cgi?id=172963
2688
2689         Reviewed by Saam Barati and Mark Lam.
2690         
2691         We were leaving an unterminated basic block when generating CodeForCall for a class
2692         constructor. This was mostly benign since that unterminated block was not reachable, but it
2693         does cause an ASSERT.
2694         
2695         This fixes the issue by appending op_unreachable to that block. I added op_unreachable because
2696         this really is the cleanest and most idiomatic way to solve this problem, so even though it
2697         makes the change bigger it's probably worth it.
2698
2699         * bytecode/BytecodeDumper.cpp:
2700         (JSC::BytecodeDumper<Block>::dumpBytecode):
2701         * bytecode/BytecodeList.json:
2702         * bytecode/BytecodeUseDef.h:
2703         (JSC::computeUsesForBytecodeOffset):
2704         (JSC::computeDefsForBytecodeOffset):
2705         * bytecode/Opcode.h:
2706         (JSC::isTerminal):
2707         * bytecompiler/BytecodeGenerator.cpp:
2708         (JSC::BytecodeGenerator::generate):
2709         (JSC::BytecodeGenerator::emitUnreachable):
2710         * bytecompiler/BytecodeGenerator.h:
2711         * dfg/DFGByteCodeParser.cpp:
2712         (JSC::DFG::ByteCodeParser::parseBlock):
2713         * dfg/DFGCapabilities.cpp:
2714         (JSC::DFG::capabilityLevel):
2715         * ftl/FTLLowerDFGToB3.cpp:
2716         (JSC::FTL::DFG::LowerDFGToB3::compileUnreachable):
2717         * jit/JIT.cpp:
2718         (JSC::JIT::privateCompileMainPass):
2719         * jit/JIT.h:
2720         * jit/JITOpcodes.cpp:
2721         (JSC::JIT::emit_op_unreachable):
2722         * llint/LowLevelInterpreter.asm:
2723         * runtime/CommonSlowPaths.cpp:
2724         (JSC::SLOW_PATH_DECL):
2725         * runtime/CommonSlowPaths.h:
2726
2727 2017-06-06  Ryan Haddad  <ryanhaddad@apple.com>
2728
2729         Unreviewed, rolling out r217812.
2730
2731         This change caused test failures on arm64.
2732
2733         Reverted changeset:
2734
2735         "OMG tier up checks should be a patchpoint"
2736         https://bugs.webkit.org/show_bug.cgi?id=172944
2737         http://trac.webkit.org/changeset/217812
2738
2739 2017-06-06  Carlos Garcia Campos  <cgarcia@igalia.com>
2740
2741         [WPE] Enable remote inspector
2742         https://bugs.webkit.org/show_bug.cgi?id=172971
2743
2744         Reviewed by Žan Doberšek.
2745
2746         We can just build the current glib remote inspector, without adding a frontend implementation and using a
2747         WebKitGTK+ browser as frontend for now.
2748
2749         * PlatformWPE.cmake: Add remote inspector files to compilation.
2750         * inspector/remote/glib/RemoteInspectorUtils.cpp:
2751         (Inspector::backendCommands): Load the inspector resources library.
2752
2753 2017-06-06  Carlos Garcia Campos  <cgarcia@igalia.com>
2754
2755         [GLIB] Make remote inspector DBus protocol common to all glib based ports
2756         https://bugs.webkit.org/show_bug.cgi?id=172970
2757
2758         Reviewed by Žan Doberšek.
2759
2760         We are currently using "webkitgtk" in the names of DBus interfaces and object paths inside an ifdef with the
2761         idea that other ports could use their own names. However, the protocol is the same, so we could use the same
2762         names and make all glib based ports compatible with each other. This way we could use the GTK+ MiniBrowser to
2763         debug WPE, without having to implement the frontend part in WPE yet.
2764
2765         * inspector/remote/glib/RemoteInspectorGlib.cpp: Use webkit instead of webkitgtk and remove platform ifdefs.
2766         * inspector/remote/glib/RemoteInspectorServer.cpp: Ditto.
2767
2768 2017-06-06  Carlos Garcia Campos  <cgarcia@igalia.com>
2769
2770         [GTK] Web Process deadlock when closing the remote inspector frontend
2771         https://bugs.webkit.org/show_bug.cgi?id=172973
2772
2773         Reviewed by Žan Doberšek.
2774
2775         We are taking the remote inspector mutex twice. First close message is received, and receivedCloseMessage()
2776         takes the mutex. Then RemoteConnectionToTarget::close() is called that, when connected, calls
2777         PageDebuggable::disconnect() that ends up calling RemoteInspector::updateTarget() that also takes the remote
2778         inspector mutex. We should release the mutex before calling RemoteConnectionToTarget::close().
2779
2780         * inspector/remote/glib/RemoteInspectorGlib.cpp:
2781         (Inspector::RemoteInspector::receivedCloseMessage):
2782
2783 2017-06-05  Saam Barati  <sbarati@apple.com>
2784
2785         Try to fix features.json by adding an ESNext section.
2786
2787         Unreviewed.
2788
2789         * features.json:
2790
2791 2017-06-05  David Kilzer  <ddkilzer@apple.com>
2792
2793         Follow-up: Update JSC's features.json
2794         https://bugs.webkit.org/show_bug.cgi?id=172942
2795
2796         Rubber-stamped by Jon Davis.
2797
2798         * features.json: Change "Supported in preview" to
2799         "Supported" to try to fix <https://webkit.org/status/>.
2800
2801 2017-06-05  Saam Barati  <sbarati@apple.com>
2802
2803         We don't properly parse init_expr when the opcode is an unexpected opcode
2804         https://bugs.webkit.org/show_bug.cgi?id=172945
2805
2806         Reviewed by JF Bastien.
2807
2808         The bug is a simple typo. It should use the constant
2809         `true` instead of `false` when invoking the WASM_PARSER_FAIL_IF
2810         macro. This failure is already caught by spec tests that fail
2811         on arm64 devices.
2812
2813         * wasm/WasmModuleParser.cpp:
2814
2815 2017-06-05  Keith Miller  <keith_miller@apple.com>
2816
2817         OMG tier up checks should be a patchpoint
2818         https://bugs.webkit.org/show_bug.cgi?id=172944
2819
2820         Reviewed by Saam Barati.
2821
2822         Tier up checks in BBQ should be done as a patchpoint rather than individual B3 opcodes,
2823         in order to reduce code generated out of line in each function. We generate a single stub
2824         that pushes all the callee-saves. This looks like a 5-10% compile time speedup.
2825
2826         * wasm/WasmB3IRGenerator.cpp:
2827         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2828         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
2829         (JSC::Wasm::B3IRGenerator::addLoop):
2830         * wasm/WasmThunks.cpp:
2831         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
2832         * wasm/WasmThunks.h:
2833
2834 2017-06-05  Joseph Pecoraro  <pecoraro@apple.com>
2835
2836         Remove unused VM members
2837         https://bugs.webkit.org/show_bug.cgi?id=172941
2838
2839         Reviewed by Mark Lam.
2840
2841         * runtime/HashMapImpl.h:
2842         (JSC::HashMapImpl::selectStructure): Deleted.
2843         * runtime/VM.cpp:
2844         (JSC::VM::VM):
2845         * runtime/VM.h:
2846
2847 2017-06-05  Joseph Pecoraro  <pecoraro@apple.com>
2848
2849         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
2850         https://bugs.webkit.org/show_bug.cgi?id=172848
2851         <rdar://problem/25709212>
2852
2853         Reviewed by Saam Barati.
2854
2855         * heap/HeapSnapshotBuilder.h:
2856         * heap/HeapSnapshotBuilder.cpp:
2857         Update the snapshot version. Change the node's 0 | 1 internal value
2858         to be a 32-bit bit flag. This is nice in that it is both compatible
2859         with the previous snapshot version and the same size. We can use more
2860         flags in the future.
2861
2862         (JSC::HeapSnapshotBuilder::json):
2863         In cases where the classInfo gives us "Object" check for a better
2864         class name by checking (o).__proto__.constructor.name. We avoid this
2865         check in cases where (o).hasOwnProperty("constructor") which is the
2866         case for most Foo.prototype objects. Otherwise this would get the
2867         name of the Foo superclass for the Foo.prototype object.
2868
2869         * runtime/JSObject.cpp:
2870         (JSC::JSObject::calculatedClassName):
2871         Handle some possible edge cases that were not handled before. Such
2872         as a JSObject without a GlobalObject, and an object which doesn't
2873         have a default getPrototype. Try to make the code a little clearer.
2874
2875 2017-06-05  Saam Barati  <sbarati@apple.com>
2876
2877         Update JSC's features.json
2878         https://bugs.webkit.org/show_bug.cgi?id=172942
2879
2880         Rubber stamped by Mark Lam.
2881
2882         * features.json:
2883
2884 2017-06-04  Konstantin Tokarev  <annulen@yandex.ru>
2885
2886         Fix build of Windows-specific code with ICU 59.1
2887         https://bugs.webkit.org/show_bug.cgi?id=172729
2888
2889         Reviewed by Darin Adler.
2890
2891         Fix conversions from WTF::String to wchar_t* and vice versa.
2892
2893         * jsc.cpp:
2894         (currentWorkingDirectory):
2895         (fetchModuleFromLocalFileSystem):
2896         * runtime/DateConversion.cpp:
2897         (JSC::formatDateTime):
2898
2899 2017-06-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2900
2901         [JSC] Drop unnecessary USE(CF) guard for getenv
2902         https://bugs.webkit.org/show_bug.cgi?id=172903
2903
2904         Reviewed by Sam Weinig.
2905
2906         getenv is not related to USE(CF) and OS(UNIX). It seems that this
2907         ifdef only hits in WinCairo, but WinCairo can use getenv.
2908         Moreover, in VM::VM, we already use getenv without any ifdef guard.
2909
2910         This patch just drops it.
2911
2912         * runtime/VM.cpp:
2913         (JSC::enableAssembler):
2914
2915 2017-06-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2916
2917         [JSC] Drop OS(DARWIN) for uintptr_t type conflict
2918         https://bugs.webkit.org/show_bug.cgi?id=172904
2919
2920         Reviewed by Sam Weinig.
2921
2922         In non-Darwin environments, uintptr_t may have the same type
2923         as uint64_t. We avoided the compile error by using OS(DARWIN).
2924         But, since it depends on the cstdint implementation rather than the OS, it is flaky.
2925         Instead, we just use template parameter IntegralType.
2926         And we describe the type constraint in a SFINAE manner.
2927
2928         * dfg/DFGOpInfo.h:
2929         (JSC::DFG::OpInfo::OpInfo):
2930
2931 2017-06-03  Csaba Osztrogonác  <ossy@webkit.org>
2932
2933         [ARM] Unreviewed buildfix after r217711.
2934
2935         * assembler/MacroAssemblerARM.h:
2936         (JSC::MacroAssemblerARM::xor32):
2937
2938 2017-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2939
2940         ASSERTION FAILED: "We should only declare a function as a lexically scoped variable in scopes where var declarations aren't allowed. ..." for function redeclaration with async function module export
2941         https://bugs.webkit.org/show_bug.cgi?id=168844
2942
2943         Reviewed by Saam Barati.
2944
2945         As with the exported function declaration, we should set statementDepth = 1 for exported async function declarations.
2946
2947         * parser/Parser.cpp:
2948         (JSC::DepthManager::DepthManager):
2949         (JSC::Parser<LexerType>::parseExportDeclaration):
2950         * parser/Parser.h:
2951         (JSC::Parser::DepthManager::DepthManager): Deleted.
2952         (JSC::Parser::DepthManager::~DepthManager): Deleted.
2953
2954 2017-06-02  Keith Miller  <keith_miller@apple.com>
2955
2956         Defer installing mach breakpoint handler until watchdog is actually called
2957         https://bugs.webkit.org/show_bug.cgi?id=172885
2958
2959         Reviewed by Saam Barati.
2960
2961         Eagerly installing the mach breakpoint handler causes issues with Xcode GUI debugging.
2962         This hides the issue, so it won't occur as often.
2963
2964         * runtime/VMTraps.cpp:
2965         (JSC::VMTraps::SignalSender::send):
2966         (JSC::VMTraps::VMTraps): Deleted.
2967         * runtime/VMTraps.h:
2968
2969 2017-06-02  Filip Pizlo  <fpizlo@apple.com>
2970
2971         Atomics.load and Atomics.store need to be fully fenced
2972         https://bugs.webkit.org/show_bug.cgi?id=172844
2973
2974         Reviewed by Keith Miller.
2975         
2976         Implement fully fenced loads and stores in FTL using AtomicXchgAdd(0, ptr) for the load and
2977         AtomicXchg(value, ptr) for the store.
2978         
2979         DFG needed no changes because it implements all atomics using a CAS loop.
2980         
2981         AtomicsObject.cpp now uses the new Atomic<> API for fully fenced loads and stores.
2982         
2983         Prior to this change, we used half fences (acquire/release) for atomic loads and stores. This
2984         is not correct according to my current understanding of the SAB memory model, which requires
2985         that atomic operations are SC with respect to everything not just other atomics.
2986
2987         * ftl/FTLLowerDFGToB3.cpp:
2988         (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
2989         * ftl/FTLOutput.cpp:
2990         (JSC::FTL::Output::atomicWeakCAS):
2991         * ftl/FTLOutput.h:
2992         * runtime/AtomicsObject.cpp:
2993
2994 2017-06-02  Ryan Haddad  <ryanhaddad@apple.com>
2995
2996         Unreviewed, attempt to fix the iOS build after r217711.
2997
2998         * assembler/MacroAssemblerARM64.h:
2999         (JSC::MacroAssemblerARM64::xor32):
3000         (JSC::MacroAssemblerARM64::xor64):
3001
3002 2017-06-01  Filip Pizlo  <fpizlo@apple.com>
3003
3004         GC should use scrambled free-lists
3005         https://bugs.webkit.org/show_bug.cgi?id=172793
3006
3007         Reviewed by Mark Lam.
3008         
3009         Previously, our bump'n'pop allocator would use a conventional linked-list for the free-list.
3010         The linked-list would be threaded through free memory, as is the usual convention.
3011         
3012         This scrambles the next pointers of that free-list. It also scrambles the head pointer, because
3013         this leads to a more natural fast-path structure and saves one register on ARM64.
3014         
3015         The secret with which pointers are scrambled is per-allocator. Allocators choose a new secret
3016         every time they do a sweep-to-pop.
3017         
3018         This doesn't change the behavior of the bump part of bump'n'pop, but it does refactor the code
3019         quite a bit. Previously, there were four copies of the allocator fast path: two in
3020         MarkedAllocatorInlines.h, one in MarkedAllocator.cpp, and one in AssemblyHelpers.h. The JIT one
3021         was obviously different-looking, but the other three were almost identical. This moves all of
3022         that logic into FreeList. There are now just two copies of the allocator: FreeListInlines.h and
3023         AssemblyHelpers.h.
3024         
3025         This appears to be just as fast as our previous allocator.
3026
3027         * JavaScriptCore.xcodeproj/project.pbxproj:
3028         * heap/FreeList.cpp:
3029         (JSC::FreeList::FreeList):
3030         (JSC::FreeList::~FreeList):
3031         (JSC::FreeList::clear):
3032         (JSC::FreeList::initializeList):
3033         (JSC::FreeList::initializeBump):
3034         (JSC::FreeList::contains):
3035         (JSC::FreeList::dump):
3036         * heap/FreeList.h:
3037         (JSC::FreeList::allocationWillFail):
3038         (JSC::FreeList::originalSize):
3039         (JSC::FreeList::addressOfList):
3040         (JSC::FreeList::offsetOfBlock):
3041         (JSC::FreeList::offsetOfList):
3042         (JSC::FreeList::offsetOfIndex):
3043         (JSC::FreeList::offsetOfPayloadEnd):
3044         (JSC::FreeList::offsetOfRemaining):
3045         (JSC::FreeList::offsetOfOriginalSize):
3046         (JSC::FreeList::FreeList): Deleted.
3047         (JSC::FreeList::list): Deleted.
3048         (JSC::FreeList::bump): Deleted.
3049         (JSC::FreeList::operator==): Deleted.
3050         (JSC::FreeList::operator!=): Deleted.
3051         (JSC::FreeList::operator bool): Deleted.
3052         * heap/FreeListInlines.h: Added.
3053         (JSC::FreeList::addFreeCell):
3054         (JSC::FreeList::allocate):
3055         (JSC::FreeList::forEach):
3056         (JSC::FreeList::toOffset):
3057         (JSC::FreeList::fromOffset):
3058         * heap/IncrementalSweeper.cpp:
3059         (JSC::IncrementalSweeper::sweepNextBlock):
3060         * heap/MarkedAllocator.cpp:
3061         (JSC::MarkedAllocator::MarkedAllocator):
3062         (JSC::MarkedAllocator::didConsumeFreeList):
3063         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
3064         (JSC::MarkedAllocator::tryAllocateIn):
3065         (JSC::MarkedAllocator::allocateSlowCaseImpl):
3066         (JSC::MarkedAllocator::stopAllocating):
3067         (JSC::MarkedAllocator::prepareForAllocation):
3068         (JSC::MarkedAllocator::resumeAllocating):
3069         (JSC::MarkedAllocator::sweep):
3070         (JSC::MarkedAllocator::setFreeList): Deleted.
3071         * heap/MarkedAllocator.h:
3072         (JSC::MarkedAllocator::freeList):
3073         (JSC::MarkedAllocator::isFreeListedCell): Deleted.
3074         * heap/MarkedAllocatorInlines.h:
3075         (JSC::MarkedAllocator::isFreeListedCell):
3076         (JSC::MarkedAllocator::tryAllocate):
3077         (JSC::MarkedAllocator::allocate):
3078         * heap/MarkedBlock.cpp:
3079         (JSC::MarkedBlock::Handle::stopAllocating):
3080         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
3081         (JSC::MarkedBlock::Handle::resumeAllocating):
3082         (JSC::MarkedBlock::Handle::zap):
3083         (JSC::MarkedBlock::Handle::sweep):
3084         (JSC::MarkedBlock::Handle::isFreeListedCell):
3085         (JSC::MarkedBlock::Handle::forEachFreeCell): Deleted.
3086         * heap/MarkedBlock.h:
3087         * heap/MarkedBlockInlines.h:
3088         (JSC::MarkedBlock::Handle::specializedSweep):
3089         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace):
3090         (JSC::MarkedBlock::Handle::isFreeListedCell): Deleted.
3091         * heap/Subspace.cpp:
3092         (JSC::Subspace::finishSweep):
3093         * heap/Subspace.h:
3094         * jit/AssemblyHelpers.h:
3095         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
3096         * runtime/JSDestructibleObjectSubspace.cpp:
3097         (JSC::JSDestructibleObjectSubspace::finishSweep):
3098         * runtime/JSDestructibleObjectSubspace.h:
3099         * runtime/JSSegmentedVariableObjectSubspace.cpp:
3100         (JSC::JSSegmentedVariableObjectSubspace::finishSweep):
3101         * runtime/JSSegmentedVariableObjectSubspace.h:
3102         * runtime/JSStringSubspace.cpp:
3103         (JSC::JSStringSubspace::finishSweep):
3104         * runtime/JSStringSubspace.h:
3105         * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp:
3106         (JSC::JSWebAssemblyCodeBlockSubspace::finishSweep):
3107         * wasm/js/JSWebAssemblyCodeBlockSubspace.h:
3108
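A minimal, hypothetical version of the scrambled free-list described in the entry above, written as an added example rather than JavaScriptCore's own FreeList code; the class and method names are assumptions. It shows why keeping the head scrambled lets a pop descramble only once, and that a raw read of free memory yields the scrambled word rather than the true successor.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <random>
#include <vector>

// Hypothetical free-list over a fixed arena of equal-sized cells. Free cells
// hold their successor XORed with a per-allocator secret, and the head is
// stored XORed with the same secret, so popping moves the cell's word into
// the head unchanged: only the head itself is descrambled on the fast path.
class ScrambledFreeList {
public:
    ScrambledFreeList(size_t cellSize, size_t cellCount)
        : m_cellSize(cellSize < sizeof(uintptr_t) ? sizeof(uintptr_t) : cellSize)
        , m_cellCount(cellCount)
        , m_storage(m_cellSize * cellCount)
    {
        sweepToPop();
    }

    // Pop the head cell, or return nullptr when the list is empty.
    void* allocate()
    {
        uintptr_t head = m_scrambledHead ^ m_secret;
        if (!head)
            return nullptr;
        // The cell's stored word is already scrambled with our secret.
        std::memcpy(&m_scrambledHead, reinterpret_cast<void*>(head), sizeof(uintptr_t));
        return reinterpret_cast<void*>(head);
    }

    // Push a cell: it records the current scrambled head as its (scrambled)
    // successor, and its own address becomes the new head, scrambled.
    void deallocate(void* cell)
    {
        std::memcpy(cell, &m_scrambledHead, sizeof(uintptr_t));
        m_scrambledHead = reinterpret_cast<uintptr_t>(cell) ^ m_secret;
    }

    // Sweep-to-pop: pick a fresh secret and rethread the arena. In this toy
    // every cell is treated as dead; a real sweep would skip live cells.
    void sweepToPop()
    {
        std::random_device rd;
        uint64_t s = (static_cast<uint64_t>(rd()) << 32) | rd();
        m_secret = static_cast<uintptr_t>(s) | 1; // never zero, so scrambling always alters the word
        m_scrambledHead = m_secret;                // scrambled form of a null head
        for (size_t i = m_cellCount; i-- > 0;)
            deallocate(cellAt(i));                 // cell 0 ends up at the head
    }

    // Walk the list; every hop needs the secret.
    size_t freeCount() const
    {
        size_t n = 0;
        for (uintptr_t p = m_scrambledHead ^ m_secret; p; p = nextOf(reinterpret_cast<void*>(p)))
            ++n;
        return n;
    }

    // What a reader of raw free memory sees: the scrambled word.
    static uintptr_t rawWord(const void* cell)
    {
        uintptr_t w;
        std::memcpy(&w, cell, sizeof(w));
        return w;
    }

    // The true successor of a free cell (0 at the tail).
    uintptr_t nextOf(const void* cell) const { return rawWord(cell) ^ m_secret; }

    void* cellAt(size_t i) { return m_storage.data() + i * m_cellSize; }

private:
    size_t m_cellSize;
    size_t m_cellCount;
    std::vector<unsigned char> m_storage;
    uintptr_t m_secret = 0;
    uintptr_t m_scrambledHead = 0;
};

int main()
{
    ScrambledFreeList list(32, 4);
    void* a = list.allocate();
    void* b = list.allocate();
    list.deallocate(a);
    std::printf("free cells: %zu\n", list.freeCount());
    std::printf("raw word in freed cell: %#lx, true next: %#lx\n",
                static_cast<unsigned long>(ScrambledFreeList::rawWord(a)),
                static_cast<unsigned long>(list.nextOf(a)));
    (void)b;
    return 0;
}
```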
3109 2017-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>
3110
3111         [JSC] Use @globalPrivate for concatSlowPath
3112         https://bugs.webkit.org/show_bug.cgi?id=172802
3113
3114         Reviewed by Darin Adler.
3115
3116         Use @globalPrivate instead of manually putting it to JSGlobalObject.
3117
3118         * builtins/ArrayPrototype.js:
3119         (concatSlowPath): Deleted.
3120         * runtime/JSGlobalObject.cpp:
3121         (JSC::JSGlobalObject::init):
3122
3123 2017-06-01  Andy Estes  <aestes@apple.com>
3124
3125         REGRESSION (r217626): ENABLE_APPLE_PAY_SESSION_V3 was disabled by mistake
3126         https://bugs.webkit.org/show_bug.cgi?id=172828
3127
3128         Reviewed by Beth Dakin.
3129
3130         * Configurations/FeatureDefines.xcconfig:
3131
3132 2017-06-01  Keith Miller  <keith_miller@apple.com>
3133
3134         Undo rollout in r217638 with bug fix
3135         https://bugs.webkit.org/show_bug.cgi?id=172824
3136
3137         Unreviewed, reland patch with unused set_state code removed.
3138
3139         * API/tests/ExecutionTimeLimitTest.cpp:
3140         (dispatchTermitateCallback):
3141         (testExecutionTimeLimit):
3142         * runtime/JSLock.cpp:
3143         (JSC::JSLock::didAcquireLock):
3144         * runtime/Options.cpp:
3145         (JSC::overrideDefaults):
3146         (JSC::Options::initialize):
3147         * runtime/Options.h:
3148         * runtime/VMTraps.cpp:
3149         (JSC::SignalContext::SignalContext):
3150         (JSC::SignalContext::adjustPCToPointToTrappingInstruction):
3151         (JSC::installSignalHandler):
3152         (JSC::VMTraps::SignalSender::send):
3153         * tools/SigillCrashAnalyzer.cpp:
3154         (JSC::SignalContext::SignalContext):
3155         (JSC::SignalContext::dump):
3156         (JSC::installCrashHandler):
3157         * wasm/WasmBBQPlan.cpp:
3158         (JSC::Wasm::BBQPlan::compileFunctions):
3159         * wasm/WasmFaultSignalHandler.cpp:
3160         (JSC::Wasm::trapHandler):
3161         (JSC::Wasm::enableFastMemory):
3162         * wasm/WasmMachineThreads.cpp:
3163         (JSC::Wasm::resetInstructionCacheOnAllThreads):
3164
3165 2017-06-01  Guillaume Emont  <guijemont@igalia.com>
3166
3167         [JSC][MIPS] SamplingProfiler::timerLoop() sleeps for 4000+ seconds
3168         https://bugs.webkit.org/show_bug.cgi?id=172800
3169
3170         Reviewed by Saam Barati.
3171
3172         This fixes a static_cast<uint64_t> by making it a cast to int64_t
3173         instead, which looks like the original intent. This fixes the
3174         sampling-profiler tests in JSTests/stress.
3175
3176         * runtime/SamplingProfiler.cpp:
3177         (JSC::SamplingProfiler::timerLoop):
3178
3179 2017-06-01  Tomas Popela  <tpopela@redhat.com>, Mark Lam  <mark.lam@apple.com>
3180
3181         RELEASE_ASSERT_NOT_REACHED() in InferredType::kindForFlags() on Big-Endians
3182         https://bugs.webkit.org/show_bug.cgi?id=170945
3183
3184         Reviewed by Mark Lam.
3185
3186         Re-define PutByIdFlags as an int32_t enum explicitly because it is
3187         stored as an int32_t value in UnlinkedInstruction.  This prevents
3188         a bug on 64-bit big endian architectures where the word order is
3189         inverted (when we convert the UnlinkedInstruction into a CodeBlock
3190         Instruction), resulting in the PutByIdFlags value not being stored in
3191         the 32-bit word that the rest of the code expects it to be in.
3192
3193         * bytecode/PutByIdFlags.h:
3194
3195 2017-05-31  Yusuke Suzuki  <utatane.tea@gmail.com>
3196
3197         [JSC] Implement String.prototype.concat in JS builtins
3198         https://bugs.webkit.org/show_bug.cgi?id=172798
3199
3200         Reviewed by Sam Weinig.
3201
3202         Since we have a highly effective + operation for strings,
3203         implementing String.prototype.concat in JS simplifies the
3204         implementation and improves performance by using speculated
3205         types.
3206
3207         Added microbenchmarks show performance improvement.
3208
3209         string-concat-long-convert     1063.2787+-12.9101    ^    109.0855+-2.8083        ^ definitely 9.7472x faster
3210         string-concat-convert          1111.1366+-12.2363    ^     99.3402+-1.9874        ^ definitely 11.1852x faster
3211         string-concat                   131.7377+-3.8359     ^     54.3949+-0.9580        ^ definitely 2.4219x faster
3212         string-concat-long               79.4726+-1.9644     ^     64.6301+-1.4941        ^ definitely 1.2297x faster
3213
3214         * builtins/StringPrototype.js:
3215         (globalPrivate.stringConcatSlowPath):
3216         (concat):
3217         * runtime/StringPrototype.cpp:
3218         (JSC::StringPrototype::finishCreation):
3219         (JSC::stringProtoFuncConcat): Deleted.
3220
3221 2017-05-31  Mark Lam  <mark.lam@apple.com>
3222
3223         Remove overrides of visitChildren() that do not add any functionality.
3224         https://bugs.webkit.org/show_bug.cgi?id=172789
3225         <rdar://problem/32500865>
3226
3227         Reviewed by Andreas Kling.
3228
3229         * bytecode/UnlinkedModuleProgramCodeBlock.cpp:
3230         (JSC::UnlinkedModuleProgramCodeBlock::visitChildren): Deleted.
3231         * bytecode/UnlinkedModuleProgramCodeBlock.h:
3232         * bytecode/UnlinkedProgramCodeBlock.cpp:
3233         (JSC::UnlinkedProgramCodeBlock::visitChildren): Deleted.
3234         * bytecode/UnlinkedProgramCodeBlock.h:
3235         * wasm/js/WebAssemblyFunction.cpp:
3236         (JSC::WebAssemblyFunction::visitChildren): Deleted.
3237         * wasm/js/WebAssemblyFunction.h:
3238         * wasm/js/WebAssemblyInstanceConstructor.cpp:
3239         (JSC::WebAssemblyInstanceConstructor::visitChildren): Deleted.
3240         * wasm/js/WebAssemblyInstanceConstructor.h:
3241         * wasm/js/WebAssemblyMemoryConstructor.cpp:
3242         (JSC::WebAssemblyMemoryConstructor::visitChildren): Deleted.
3243         * wasm/js/WebAssemblyMemoryConstructor.h:
3244         * wasm/js/WebAssemblyModuleConstructor.cpp:
3245         (JSC::WebAssemblyModuleConstructor::visitChildren): Deleted.
3246         * wasm/js/WebAssemblyModuleConstructor.h:
3247         * wasm/js/WebAssemblyTableConstructor.cpp:
3248         (JSC::WebAssemblyTableConstructor::visitChildren): Deleted.
3249         * wasm/js/WebAssemblyTableConstructor.h:
3250
3251 2017-05-31  Commit Queue  <commit-queue@webkit.org>
3252
3253         Unreviewed, rolling out r217611 and r217631.
3254         https://bugs.webkit.org/show_bug.cgi?id=172785
3255
3256         "caused wasm-hashset-many.html to become flaky." (Requested by
3257         keith_miller on #webkit).
3258
3259         Reverted changesets:
3260
3261         "Reland r216808, underlying lldb bug has been fixed."
3262         https://bugs.webkit.org/show_bug.cgi?id=172759
3263         http://trac.webkit.org/changeset/217611
3264
3265         "Use dispatch queues for mach exceptions"
3266         https://bugs.webkit.org/show_bug.cgi?id=172775
3267         http://trac.webkit.org/changeset/217631
3268
3269 2017-05-31  Oleksandr Skachkov  <gskachkov@gmail.com>
3270
3271         Rolling out: Prevent async methods named 'function'
3272         https://bugs.webkit.org/show_bug.cgi?id=172776
3273
3274         Reviewed by Mark Lam.
3275
3276         Rolling out https://bugs.webkit.org/show_bug.cgi?id=172660 r217578 and
3277         https://bugs.webkit.org/show_bug.cgi?id=172598 r217478.
3278         The PR to the spec was closed, so the changes need to be rolled out. See
3279         https://github.com/tc39/ecma262/pull/884#issuecomment-305212494
3280
3281         * parser/Parser.cpp:
3282         (JSC::Parser<LexerType>::parseClass):
3283         (JSC::Parser<LexerType>::parsePropertyMethod):
3284
3285 2017-05-31  Andy Estes  <aestes@apple.com>
3286
3287         Rename ENABLE_APPLE_PAY_DELEGATE to ENABLE_APPLE_PAY_SESSION_V3 and bump the supported version number
3288         https://bugs.webkit.org/show_bug.cgi?id=172366
3289
3290         Reviewed by Daniel Bates.
3291
3292         * Configurations/FeatureDefines.xcconfig:
3293
3294 2017-05-31  Keith Miller  <keith_miller@apple.com>
3295
3296         Reland r216808, underlying lldb bug has been fixed.
3297         https://bugs.webkit.org/show_bug.cgi?id=172759
3298
3299
3300         Unreviewed, relanding old patch. See: rdar://problem/31183352
3301
3302         * API/tests/ExecutionTimeLimitTest.cpp:
3303         (dispatchTermitateCallback):
3304         (testExecutionTimeLimit):
3305         * runtime/JSLock.cpp:
3306         (JSC::JSLock::didAcquireLock):
3307         * runtime/Options.cpp:
3308         (JSC::overrideDefaults):
3309         (JSC::Options::initialize):
3310         * runtime/Options.h:
3311         * runtime/VMTraps.cpp:
3312         (JSC::SignalContext::SignalContext):
3313         (JSC::SignalContext::adjustPCToPointToTrappingInstruction):
3314         (JSC::installSignalHandler):
3315         (JSC::VMTraps::SignalSender::send):
3316         * tools/SigillCrashAnalyzer.cpp:
3317         (JSC::SignalContext::SignalContext):
3318         (JSC::SignalContext::dump):
3319         (JSC::installCrashHandler):
3320         * wasm/WasmBBQPlan.cpp:
3321         (JSC::Wasm::BBQPlan::compileFunctions):
3322         * wasm/WasmFaultSignalHandler.cpp:
3323         (JSC::Wasm::trapHandler):
3324         (JSC::Wasm::enableFastMemory):
3325         * wasm/WasmMachineThreads.cpp:
3326         (JSC::Wasm::resetInstructionCacheOnAllThreads):
3327
3328 2017-05-31  Keith Miller  <keith_miller@apple.com>
3329
3330         Fix leak in PromiseDeferredTimer
3331         https://bugs.webkit.org/show_bug.cgi?id=172755
3332
3333         Reviewed by JF Bastien.
3334
3335         We were not properly freeing the list of dependencies if we were already tracking the promise before.
3336         This is because addPendingPromise takes the list of dependencies as an rvalue-reference. In the case
3337         where we were already tracking the promise we append the provided dependency list to the existing list.
3338         Since we never bound our rvalue-ref to a non-temporary value we never destructed the Vector, leaking its
3339         contents.
3340
3341         * runtime/PromiseDeferredTimer.cpp:
3342         (JSC::PromiseDeferredTimer::addPendingPromise):
3343
3344 2017-05-30  Oleksandr Skachkov  <gskachkov@gmail.com>
3345
3346         Prevent async methods named 'function' in Object literal
3347         https://bugs.webkit.org/show_bug.cgi?id=172660
3348
3349         Reviewed by Saam Barati.
3350
3351         Prevent async methods named 'function' in object literals.
3352         https://github.com/tc39/ecma262/pull/884
3353
3354         * parser/Parser.cpp:
3355         (JSC::Parser<LexerType>::parsePropertyMethod):
3356
3357 2017-05-30  Oleksandr Skachkov  <gskachkov@gmail.com>
3358
3359         ASSERTION FAILED: generator.isConstructor() || generator.derivedContextType() == DerivedContextType::DerivedConstructorContext
3360         https://bugs.webkit.org/show_bug.cgi?id=171274
3361
3362         Reviewed by Saam Barati.
3363
3364         The current patch allows using an async arrow function within a constructor,
3365         and allows access to `this`. The current patch forces loading `this` from the
3366         virtual scope each time we access `this` in an async arrow function
3367         within a constructor; this is necessary because the async function can be
3368         suspended, `superCall` can be called, and the async function resumed.
3369
3370         * bytecompiler/BytecodeGenerator.cpp:
3371         (JSC::BytecodeGenerator::emitPutGeneratorFields):
3372         (JSC::BytecodeGenerator::ensureThis):
3373         * bytecompiler/BytecodeGenerator.h:
3374         (JSC::BytecodeGenerator::makeFunction):
3375
3376 2017-05-30  Ali Juma  <ajuma@chromium.org>
3377
3378         [CredentialManagement] Incorporate IDL updates from latest spec
3379         https://bugs.webkit.org/show_bug.cgi?id=172011
3380
3381         Reviewed by Daniel Bates.
3382
3383         * runtime/CommonIdentifiers.h:
3384
3385 2017-05-30  Alex Christensen  <achristensen@webkit.org>
3386
3387         Update libwebrtc configuration
3388         https://bugs.webkit.org/show_bug.cgi?id=172727
3389
3390         Reviewed by Geoffrey Garen.
3391
3392         * Configurations/FeatureDefines.xcconfig:
3393
3394 2017-05-28  Dan Bernstein  <mitz@apple.com>
3395
3396         [Xcode] ALWAYS_SEARCH_USER_PATHS is set to YES
3397         https://bugs.webkit.org/show_bug.cgi?id=172691
3398
3399         Reviewed by Tim Horton.
3400
3401         * Configurations/Base.xcconfig: Set ALWAYS_SEARCH_USER_PATHS to NO.
3402         * JavaScriptCore.xcodeproj/project.pbxproj: Added ParseInt.h to the JavaScriptCore target.
3403
3404 2017-05-28  Yusuke Suzuki  <utatane.tea@gmail.com>
3405
3406         [JSC] Provide better type information of toLength and tighten bytecode
3407         https://bugs.webkit.org/show_bug.cgi?id=172690
3408
3409         Reviewed by Sam Weinig.
3410
3411         In this patch, we carefully leverage operator + in order to
3412
3413         1. tighten bytecode
3414
3415         operator+ emits the to_number bytecode. What this bytecode does is the same
3416         as a @Number() call. It is more efficient, and it is smaller bytecode
3417         than a @Number() call (load the global variable @Number, set up arguments, and
3418         call it).
3419
3420         2. offer better type prediction data
3421
3422         Now, we have code like
3423
3424             length > 0 ? (length < @MAX_SAFE_INTEGER ? length : @MAX_SAFE_INTEGER) : 0
3425
3426         This is not good because DFG prediction propagation phase predicts as Double
3427         since @MAX_SAFE_INTEGER is double. But actually it rarely becomes Double.
3428         Usually, the result becomes Int32. This patch leverages to_number in a bit
3429         interesting way: to_number has value profiling to offer better type prediction.
3430         This value profiling can offer a chance to change the prediction to Int32 efficiently.
3431         It is a bit tricky. But it is worth doing to speed up our builtin functions,
3432         which should leverage all the JSC's tricky things to be optimized.
3433
3434         Related microbenchmarks show performance improvement.
3435
3436                                                   baseline                  patched
3437
3438             array-prototype-forEach           50.2348+-2.2331           49.7568+-2.3507
3439             array-prototype-map               51.0574+-1.8166           47.9531+-2.1653          might be 1.0647x faster
3440             array-prototype-some              52.3926+-1.8882     ^     48.3632+-2.0852        ^ definitely 1.0833x faster
3441             array-prototype-every             52.7394+-2.0712           50.2896+-2.1480          might be 1.0487x faster
3442             array-prototype-reduce            54.9994+-2.3638           51.8716+-2.6253          might be 1.0603x faster
3443             array-prototype-reduceRight      209.7594+-9.2594     ^     51.5867+-2.5745        ^ definitely 4.0662x faster
3444
3445
3446         * builtins/GlobalOperations.js:
3447         (globalPrivate.toInteger):
3448         (globalPrivate.toLength):
3449
3450 2017-05-28  Sam Weinig  <sam@webkit.org>
3451
3452         [WebIDL] @@iterator should only be accessed once when disambiguating a union type
3453         https://bugs.webkit.org/show_bug.cgi?id=172684
3454
3455         Reviewed by Yusuke Suzuki.
3456
3457         * runtime/IteratorOperations.cpp:
3458         (JSC::iteratorMethod):
3459         (JSC::iteratorForIterable):
3460         * runtime/IteratorOperations.h:
3461         (JSC::forEachInIterable):
3462         Add additional iterator helpers to allow union + sequence conversion code
3463         to check for iterability by getting the iterator method, and iterate using
3464         that method later on.
3465
3466 2017-05-28  Yusuke Suzuki  <utatane.tea@gmail.com>
3467
3468         Unreviewed, build fix for Windows
3469         https://bugs.webkit.org/show_bug.cgi?id=172413
3470
3471         Optimized jsDynamicCast for JSMap and JSSet will be handled in [1].
3472
3473         [1]: https://bugs.webkit.org/show_bug.cgi?id=172685
3474
3475         * runtime/JSMap.h:
3476         (JSC::isJSMap):
3477         (JSC::jsDynamicCast): Deleted.
3478         (JSC::>): Deleted.
3479         * runtime/JSSet.h:
3480         (JSC::isJSSet):
3481         (JSC::jsDynamicCast): Deleted.
3482         (JSC::>): Deleted.
3483         * runtime/MapConstructor.cpp:
3484         (JSC::constructMap):
3485         * runtime/SetConstructor.cpp:
3486         (JSC::constructSet):
3487
3488 2017-05-28  Mark Lam  <mark.lam@apple.com>
3489
3490         Implement a faster Interpreter::getOpcodeID().
3491         https://bugs.webkit.org/show_bug.cgi?id=172669
3492
3493         Reviewed by Saam Barati.
3494
3495         We can implement Interpreter::getOpcodeID() without a hash table lookup by always
3496         embedding the OpcodeID in the 32-bit word just before the start of the LLInt
3497         handler code that executes each opcode.  getOpcodeID() can therefore just read
3498         the 32-bits before the opcode address to get its OpcodeID.
3499
3500         This is currently only enabled for CPU(X86), CPU(X86_64), CPU(ARM64),
3501         CPU(ARM_THUMB2), and only for OS(DARWIN).  It'll probably just work for Linux as
3502         well, but I'll let the Linux folks turn that on after they have verified that it
3503         works on Linux too.
3504
3505         I'll also take this opportunity to clean up how we initialize the opcodeIDTable:
3506         1. we only need to initialize it once per process, not once per VM / interpreter
3507            instance.
3508         2. we can initialize it in the Interpreter constructor instead of requiring a
3509            separate call to an initialize() function.
3510
3511         On debug builds, the Interpreter constructor will also verify that getOpcodeID()
3512         is working correctly for each opcode when USE(LLINT_EMBEDDED_OPCODE_ID).
3513
3514         * bytecode/BytecodeList.json:
3515         * generate-bytecode-files:
3516         * interpreter/Interpreter.cpp:
3517         (JSC::Interpreter::Interpreter):
3518         (JSC::Interpreter::opcodeIDTable):
3519         (JSC::Interpreter::initialize): Deleted.
3520         * interpreter/Interpreter.h:
3521         (JSC::Interpreter::getOpcode):
3522         (JSC::Interpreter::getOpcodeID):
3523         * llint/LowLevelInterpreter.cpp:
3524         * runtime/VM.cpp:
3525         (JSC::VM::VM):
3526
3527 2017-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3528
3529         [JSC] Map and Set constructors should have fast path for cloning
3530         https://bugs.webkit.org/show_bug.cgi?id=172413
3531
3532         Reviewed by Saam Barati.
3533
3534         In this patch, we add a fast path for cloning in Set and Map constructors.
3535
3536         In ARES-6 Air, we have code like `new Set(set)` to clone the given set.
3537         At that time, our generic path just iterates the given set object and adds
3538         each element to the newly created one. It is quite slow because we need to follow
3539         the iterator protocol inside C++ and we need to call set.add() repeatedly
3540         while the given set guarantees the elements are unique.
3541
3542         This patch implements a clone() function for JSMap and JSSet. Cloning a JSMap
3543         or JSSet is done really fast without invoking any observable JS functions.
3544         To check whether we can use this clone() function in the Set and Map constructors,
3545         we set several watchpoints.
3546
3547         In the case of Set,
3548
3549         1. Set.prototype[Symbol.iterator] is not changed.
3550         2. SetIterator.prototype.next is not changed.
3551         3. Set.prototype.add is not changed.
3552         4. The given Set does not have [Symbol.iterator] function in its instance.
3553         5. The given Set's [[Prototype]] is Set.prototype.
3554         6. Newly created set's [[Prototype]] is Set.prototype.
3555
3556         If the above requirements are met, cloning the given Set is not observable to users.
3557         Thus we can take a fast path.
3558
3559         Currently, we do not integrate this optimization into DFG and FTL.
3560         And we do not optimize other iterables. For example, we can optimize the Set
3561         constructor taking an Int32 Array. And we should optimize generic iterator cases too.
3562         They are planned as part of a separate bug [1].
3563
3564         This change improves ARES-6 Air by 5.3% in steady state.
3565
3566         Baseline:
3567             Running... Air ( 1  to go)
3568             firstIteration:     76.41 +- 15.60 ms
3569             averageWorstCase:   40.63 +- 7.54 ms
3570             steadyState:        9.13 +- 0.51 ms
3571
3572
3573         Patched:
3574             Running... Air ( 1  to go)
3575             firstIteration:     75.00 +- 22.54 ms
3576             averageWorstCase:   39.18 +- 8.45 ms
3577             steadyState:        8.67 +- 0.28 ms
3578
3579         [1]: https://bugs.webkit.org/show_bug.cgi?id=172419
3580
3581         * CMakeLists.txt:
3582         * JavaScriptCore.xcodeproj/project.pbxproj:
3583         * runtime/ArrayIteratorAdaptiveWatchpoint.cpp: Removed.
3584         * runtime/HashMapImpl.h:
3585         (JSC::HashMapBucket::extractValue):
3586         (JSC::HashMapImpl::finishCreation):
3587         (JSC::HashMapImpl::add):
3588         (JSC::HashMapImpl::setUpHeadAndTail):
3589         (JSC::HashMapImpl::addNormalizedNonExistingForCloning):
3590         (JSC::HashMapImpl::addNormalizedInternal):
3591         * runtime/InternalFunction.cpp:
3592         (JSC::InternalFunction::createSubclassStructureSlow):
3593         (JSC::InternalFunction::createSubclassStructure): Deleted.
3594         * runtime/InternalFunction.h:
3595         (JSC::InternalFunction::createSubclassStructure):
3596         * runtime/JSGlobalObject.cpp:
3597         (JSC::JSGlobalObject::JSGlobalObject):
3598         (JSC::JSGlobalObject::init):
3599         (JSC::JSGlobalObject::visitChildren):
3600         * runtime/JSGlobalObject.h:
3601         (JSC::JSGlobalObject::mapIteratorProtocolWatchpoint):
3602         (JSC::JSGlobalObject::setIteratorProtocolWatchpoint):
3603         (JSC::JSGlobalObject::mapSetWatchpoint):
3604         (JSC::JSGlobalObject::setAddWatchpoint):
3605         (JSC::JSGlobalObject::mapPrototype):
3606         (JSC::JSGlobalObject::jsSetPrototype):
3607         (JSC::JSGlobalObject::setStructure):
3608         * runtime/JSGlobalObjectInlines.h:
3609         (JSC::JSGlobalObject::isMapPrototypeIteratorProtocolFastAndNonObservable):
3610         (JSC::JSGlobalObject::isSetPrototypeIteratorProtocolFastAndNonObservable):
3611         (JSC::JSGlobalObject::isMapPrototypeSetFastAndNonObservable):
3612         (JSC::JSGlobalObject::isSetPrototypeAddFastAndNonObservable):
3613         * runtime/JSMap.cpp:
3614         (JSC::JSMap::clone):
3615         (JSC::JSMap::canCloneFastAndNonObservable):
3616         * runtime/JSMap.h:
3617         (JSC::jsDynamicCast):
3618         (JSC::>):
3619         (JSC::JSMap::createStructure): Deleted.
3620         (JSC::JSMap::create): Deleted.
3621         (JSC::JSMap::set): Deleted.
3622         (JSC::JSMap::JSMap): Deleted.
3623         * runtime/JSSet.cpp:
3624         (JSC::JSSet::clone):
3625         (JSC::JSSet::canCloneFastAndNonObservable):
3626         * runtime/JSSet.h:
3627         (JSC::jsDynamicCast):
3628         (JSC::>):
3629         (JSC::JSSet::createStructure): Deleted.
3630         (JSC::JSSet::create): Deleted.
3631         (JSC::JSSet::JSSet): Deleted.
3632         * runtime/MapConstructor.cpp:
3633         (JSC::constructMap):
3634         * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h: Renamed from Source/JavaScriptCore/runtime/ArrayIteratorAdaptiveWatchpoint.h.
3635         (JSC::ObjectPropertyChangeAdaptiveWatchpoint::ObjectPropertyChangeAdaptiveWatchpoint):
3636         * runtime/SetConstructor.cpp:
3637         (JSC::constructSet):
3638
3639 2017-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3640
3641         [DOMJIT] Move DOMJIT patchpoint infrastructure out of domjit
3642         https://bugs.webkit.org/show_bug.cgi?id=172260
3643
3644         Reviewed by Filip Pizlo.
3645
3646         DOMJIT::Patchpoint is now used for generalized CheckSubClass. And it becomes mature enough
3647         to be used as a general-purpose injectable compiler over all the JIT tiers.
3648
3649         We extract DOMJIT::Patchpoint to jit/ and rename it JSC::Snippet.
3650
3651         * CMakeLists.txt:
3652         * JavaScriptCore.xcodeproj/project.pbxproj:
3653         * bytecode/AccessCaseSnippetParams.cpp: Renamed from Source/JavaScriptCore/bytecode/DOMJITAccessCasePatchpointParams.cpp.
3654         (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
3655         (JSC::AccessCaseSnippetParams::emitSlowPathCalls):
3656         * bytecode/AccessCaseSnippetParams.h: Renamed from Source/JavaScriptCore/bytecode/DOMJITAccessCasePatchpointParams.h.
3657         (JSC::AccessCaseSnippetParams::AccessCaseSnippetParams):
3658         * bytecode/GetterSetterAccessCase.cpp:
3659         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
3660         * dfg/DFGAbstractInterpreterInlines.h:
3661         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3662         * dfg/DFGByteCodeParser.cpp:
3663         (JSC::DFG::blessCallDOMGetter):
3664         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
3665         * dfg/DFGClobberize.h:
3666         (JSC::DFG::clobberize):
3667         * dfg/DFGFixupPhase.cpp:
3668         (JSC::DFG::FixupPhase::fixupNode):
3669         * dfg/DFGGraph.h:
3670         * dfg/DFGNode.h:
3671         * dfg/DFGSnippetParams.cpp: Renamed from Source/JavaScriptCore/dfg/DFGDOMJITPatchpointParams.cpp.
3672         * dfg/DFGSnippetParams.h: Renamed from Source/JavaScriptCore/dfg/DFGDOMJITPatchpointParams.h.
3673         (JSC::DFG::SnippetParams::SnippetParams):
3674         * dfg/DFGSpeculativeJIT.cpp:
3675         (JSC::DFG::allocateTemporaryRegistersForSnippet):
3676         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
3677         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
3678         (JSC::DFG::allocateTemporaryRegistersForPatchpoint): Deleted.
3679         * domjit/DOMJITCallDOMGetterSnippet.h: Renamed from Source/JavaScriptCore/domjit/DOMJITCallDOMGetterPatchpoint.h.
3680         (JSC::DOMJIT::CallDOMGetterSnippet::create):
3681         * domjit/DOMJITGetterSetter.h:
3682         * domjit/DOMJITSignature.h:
3683         * domjit/DOMJITValue.h: Removed.
3684         * ftl/FTLLowerDFGToB3.cpp:
3685         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
3686         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
3687         * ftl/FTLSnippetParams.cpp: Renamed from Source/JavaScriptCore/ftl/FTLDOMJITPatchpointParams.cpp.
3688         * ftl/FTLSnippetParams.h: Renamed from Source/JavaScriptCore/ftl/FTLDOMJITPatchpointParams.h.
3689         (JSC::FTL::SnippetParams::SnippetParams):
3690         * jit/Snippet.h: Renamed from Source/JavaScriptCore/domjit/DOMJITPatchpoint.h.
3691         (JSC::Snippet::create):
3692         (JSC::Snippet::setGenerator):
3693         (JSC::Snippet::generator):
3694         * jit/SnippetParams.h: Renamed from Source/JavaScriptCore/domjit/DOMJITPatchpointParams.h.
3695         (JSC::SnippetParams::~SnippetParams):
3696         (JSC::SnippetParams::Value::Value):
3697         (JSC::SnippetParams::Value::isGPR):
3698         (JSC::SnippetParams::Value::isFPR):
3699         (JSC::SnippetParams::Value::isJSValueRegs):
3700         (JSC::SnippetParams::Value::gpr):
3701         (JSC::SnippetParams::Value::fpr):
3702         (JSC::SnippetParams::Value::jsValueRegs):
3703         (JSC::SnippetParams::Value::reg):
3704         (JSC::SnippetParams::Value::value):
3705         (JSC::SnippetParams::SnippetParams):
3706         * jit/SnippetReg.h: Renamed from Source/JavaScriptCore/domjit/DOMJITReg.h.
3707         (JSC::SnippetReg::SnippetReg):
3708         * jit/SnippetSlowPathCalls.h: Renamed from Source/JavaScriptCore/domjit/DOMJITSlowPathCalls.h.
3709         * jsc.cpp:
3710         (WTF::DOMJITNode::checkSubClassSnippet):
3711         (WTF::DOMJITFunctionObject::checkSubClassSnippet):
3712         (WTF::DOMJITNode::checkSubClassPatchpoint): Deleted.
3713         (WTF::DOMJITFunctionObject::checkSubClassPatchpoint): Deleted.
3714         * runtime/ClassInfo.h:
3715
3716 2017-05-26  Keith Miller  <keith_miller@apple.com>
3717
        REGRESSION(r217459): testapi fails in JSExportTest's wrapperForNSObjectisObject().
3719         https://bugs.webkit.org/show_bug.cgi?id=172654
3720
3721         Reviewed by Mark Lam.
3722
3723         The test's intent is to assert that an exception has not been
3724         thrown (as indicated by the message string), but the test was
3725         erroneously checking for ! the right condition. This is now fixed.
3726
3727         * API/tests/JSExportTests.mm:
3728         (wrapperForNSObjectisObject):
3729
3730 2017-05-26  Joseph Pecoraro  <pecoraro@apple.com>
3731
3732         JSContext Inspector: Improve the reliability of automatically pausing in auto-attach
3733         https://bugs.webkit.org/show_bug.cgi?id=172664
3734         <rdar://problem/32362933>
3735
3736         Reviewed by Matt Baker.
3737
3738         Automatically pause on connection was triggering a pause before the
3739         frontend may have initialized. Often during frontend initialization
3740         the frontend may perform an action that clears the pause state requested
3741         by the developer. This change defers the pause until after the frontend
3742         has initialized, right before returning to the application's code.
3743
3744         * inspector/remote/RemoteControllableTarget.h:
3745         * inspector/remote/RemoteInspectionTarget.h:
3746         * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
3747         (Inspector::RemoteConnectionToTarget::setup):
3748         * inspector/remote/glib/RemoteConnectionToTargetGlib.cpp:
3749         (Inspector::RemoteConnectionToTarget::setup):
3750         * runtime/JSGlobalObjectDebuggable.cpp:
3751         (JSC::JSGlobalObjectDebuggable::connect):
3752         (JSC::JSGlobalObjectDebuggable::pause): Deleted.
3753         * runtime/JSGlobalObjectDebuggable.h:
3754         Pass an immediatelyPause boolean on to the controller. Remove
3755         the current path that invokes a pause before initialization.
3756
3757         * inspector/JSGlobalObjectInspectorController.h:
3758         * inspector/JSGlobalObjectInspectorController.cpp:
3759         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
3760         (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
3761         Manage should immediately pause state.
3762
3763         (Inspector::JSGlobalObjectInspectorController::frontendInitialized):
3764         (Inspector::JSGlobalObjectInspectorController::pause): Deleted.
3765         When initialized, trigger a pause if requested.
3766
3767 2017-05-26  Mark Lam  <mark.lam@apple.com>
3768
3769         Temporarily commenting out a JSExportTest test until webkit.org/b/172654 is fixed.
3770         https://bugs.webkit.org/show_bug.cgi?id=172655
3771
3772         Reviewed by Saam Barati.
3773
3774         * API/tests/JSExportTests.mm:
3775         (wrapperForNSObjectisObject):
3776
3777 2017-05-26  Mark Lam  <mark.lam@apple.com>
3778
3779         REGRESSION(216914): testCFStrings encounters an invalid ExecState callee pointer.
3780         https://bugs.webkit.org/show_bug.cgi?id=172651
3781
3782         Reviewed by Saam Barati.
3783
        This is because the assertion utility functions used in testCFStrings() expect
        to get the JSGlobalContextRef from the global context variable.  However,
        testCFStrings() creates its own JSGlobalContextRef but does not set the global
        context variable to it.
3788
3789         The fix is to make testCFStrings() initialize the global context variable properly.
3790
3791         * API/tests/testapi.c:
3792         (testCFStrings):
3793
3794 2017-05-26  Yusuke Suzuki  <utatane.tea@gmail.com>
3795
3796         Give ModuleProgram the same treatment that we did for ProgramCode in bug#167725
3797         https://bugs.webkit.org/show_bug.cgi?id=167805
3798
3799         Reviewed by Saam Barati.
3800
3801         Since ModuleProgramExecutable is executed only once, we can skip compiling
3802         code unreachable from the current program count. This can skip massive
3803         initialization code.
3804
3805         We already do this for global code in bug#167725. This patch extends it to
3806         module code.
3807
3808         * interpreter/Interpreter.cpp:
3809         (JSC::Interpreter::executeModuleProgram):
3810         * interpreter/Interpreter.h:
3811         * jit/JIT.cpp:
3812         (JSC::JIT::privateCompileMainPass):
3813         * runtime/JSModuleRecord.cpp:
3814         (JSC::JSModuleRecord::evaluate):
3815         * runtime/JSModuleRecord.h:
3816         (JSC::JSModuleRecord::moduleProgramExecutable): Deleted.
3817
3818 2017-05-26  Oleksandr Skachkov  <gskachkov@gmail.com>
3819
3820         Prevent async methods named 'function'
3821         https://bugs.webkit.org/show_bug.cgi?id=172598
3822
3823         Reviewed by Mark Lam.
3824
3825         Prevent async method named 'function' in class.
3826         Link to change in ecma262 specification
3827         https://github.com/tc39/ecma262/pull/884
3828
3829         * parser/Parser.cpp:
3830         (JSC::Parser<LexerType>::parseClass):
3831
3832 2017-05-25  Yusuke Suzuki  <utatane.tea@gmail.com>
3833
3834         Unreviewed, build fix for GCC
3835
3836         std::tuple does not have implicit constructor.
3837         Thus, we cannot use implicit construction with initializer brace.
3838         We should specify the name like `GetInst { }`.
3839
3840         * bytecompiler/BytecodeGenerator.h:
3841         (JSC::StructureForInContext::addGetInst):
3842
3843 2017-05-25  Keith Miller  <keith_miller@apple.com>
3844
3845         Cleanup tests after r217240
3846         https://bugs.webkit.org/show_bug.cgi?id=172466
3847
3848         Reviewed by Mark Lam.
3849
        I forgot to make my test an actual test. Also, remove the second call to runJSExportTests().
3851
3852         * API/tests/JSExportTests.mm:
3853         (wrapperForNSObjectisObject):
3854         * API/tests/testapi.mm:
3855         (testObjectiveCAPIMain):
3856
3857 2017-05-25  Michael Saboff  <msaboff@apple.com>
3858
3859         The default setting of Option::criticalGCMemoryThreshold is too high for iOS
3860         https://bugs.webkit.org/show_bug.cgi?id=172617
3861
3862         Reviewed by Mark Lam.
3863
3864         Reducing criticalGCMemoryThreshold to 0.80 eliminated jetsam on iOS devices
3865         when tested running JetStream.
3866
3867         * runtime/Options.h:
3868
3869 2017-05-25  Saam Barati  <sbarati@apple.com>
3870
3871         Our for-in optimization in the bytecode generator does its static analysis incorrectly
3872         https://bugs.webkit.org/show_bug.cgi?id=172532
3873         <rdar://problem/32369452>
3874
3875         Reviewed by Mark Lam.
3876
        Our static analysis for when a for-in induction variable
        is written to tried to do its analysis as we generate
        bytecode. This has issues, since it does not account for
        the dynamic execution path of the program. Let's consider
        a program where our old analysis worked:
3882         
3883         ```
3884         for (let p in o) {
3885             o[p]; // We can transform this into a fast get_direct_pname
3886             p = 20;
3887             o[p]; // We cannot transform this since p has been changed.
3888         }
3889         ```
3890         
        However, our static analysis did not account for loops, which exist
        in JavaScript. E.g., it would incorrectly compile this program as:
3893         ```
3894         for (let p in o) {
3895             for (let i = 0; i < 20; ++i) {
3896                 o[p]; // It transforms this to use get_direct_pname even though p will be over-written if we get here from the inner loop back edge!
3897                 p = 20;
3898                 o[p]; // We correctly do not transform this.
3899             } 
3900         }
3901         ```
3902         
3903         Because of this flaw, I've made the optimization more conservative.
3904         We now optimistically emit code for the optimized access. However,
3905         if a for-in context is *ever* invalidated, before we pop it off
3906         the stack, we rewrite the program's optimized accesses to no longer
3907         be optimized. To do this, each context keeps track of its optimized
3908         accesses.
3909         
        This patch also adds a new bytecode, op_nop, which is just a no-op.
        It was helpful to add this because reverting get_direct_pname to get_by_val
        will leave us with an extra instruction word, because get_direct_pname
        has a length of 7 whereas get_by_val has a length of 6. This leaves us with
        an extra slot that we fill with an op_nop.
3915
3916         * bytecode/BytecodeDumper.cpp:
3917         (JSC::BytecodeDumper<Block>::dumpBytecode):
3918         * bytecode/BytecodeList.json:
3919         * bytecode/BytecodeUseDef.h:
3920         (JSC::computeUsesForBytecodeOffset):
3921         (JSC::computeDefsForBytecodeOffset):
3922         * bytecompiler/BytecodeGenerator.cpp:
3923         (JSC::BytecodeGenerator::emitGetByVal):
3924         (JSC::BytecodeGenerator::popIndexedForInScope):
3925         (JSC::BytecodeGenerator::popStructureForInScope):
3926         (JSC::BytecodeGenerator::invalidateForInContextForLocal):
3927         (JSC::StructureForInContext::pop):
3928         (JSC::IndexedForInContext::pop):
3929         * bytecompiler/BytecodeGenerator.h:
3930         (JSC::StructureForInContext::addGetInst):
3931         (JSC::IndexedForInContext::addGetInst):
3932         * dfg/DFGByteCodeParser.cpp:
3933         (JSC::DFG::ByteCodeParser::parseBlock):
3934         * dfg/DFGCapabilities.cpp:
3935         (JSC::DFG::capabilityLevel):
3936         * jit/JIT.cpp:
3937         (JSC::JIT::privateCompileMainPass):
3938         * jit/JIT.h:
3939         * jit/JITOpcodes.cpp:
3940         (JSC::JIT::emit_op_nop):
3941         * llint/LowLevelInterpreter.asm:
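
        The miscompile described in the entry above, written up as a regression-style check. This is an added example, not code from the WebKit ChangeLog or the JSC test suite; the object literal and the helper names are constructed for illustration.

```javascript
// Added example (not part of WebKit): exercise the for-in shape from the
// ChangeLog entry, where the induction variable p is rewritten inside an
// inner loop. After `p = 20` every o[p] must resolve to o["20"], including
// the access at the top of the inner loop reached via the back edge. A
// stale get_direct_pname would instead keep returning the enumerated
// property's value.
function forInWithInnerLoopRewrite(o) {
    const seen = [];
    for (let p in o) {
        for (let i = 0; i < 3; ++i) {
            seen.push(o[p]);  // first inner iteration: enumerated name; later ones: "20"
            p = 20;           // invalidates the for-in context for p
            seen.push(o[p]);  // must always be o["20"]
        }
    }
    return seen;
}

// Reference sequence computed with plain indexing only (no for-in access),
// so any divergence points at the for-in fast path rather than the data.
function expectedSequence(o) {
    const out = [];
    for (const name of Object.keys(o)) {
        out.push(o[name]);     // inner iteration 0, before the rewrite
        out.push(o["20"]);     // inner iteration 0, after the rewrite
        for (let i = 1; i < 3; ++i) {
            out.push(o["20"]); // p is already 20 on the back edge
            out.push(o["20"]);
        }
    }
    return out;
}

// Constructed sample: an integer-like key "20" so the rewrite is observable.
const sampleObject = { a: "A", b: "B", 20: "twenty" };

function forInMatchesPlainIndexing(o) {
    return JSON.stringify(forInWithInnerLoopRewrite(o)) === JSON.stringify(expectedSequence(o));
}
```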
3942
3943 2017-05-25  Mark Lam  <mark.lam@apple.com>
3944
3945         ObjectToStringAdaptiveInferredPropertyValueWatchpoint should not reinstall itself nor handleFire if it's dying shortly.
3946         https://bugs.webkit.org/show_bug.cgi?id=172548
3947         <rdar://problem/31458393>
3948
3949         Reviewed by Filip Pizlo.
3950
3951         Consider the following scenario:
3952
        1. An ObjectToStringAdaptiveInferredPropertyValueWatchpoint O1 watches for
           structure transitions, e.g. structure S2 transitioning to structure S3.
           In this case, O1 would be installed in S2's watchpoint set.
3956         2. When the structure transition happens, structure S2 will fire watchpoint O1.
3957         3. O1's handler will normally re-install itself in the watchpoint set of the new
3958            "transitioned to" structure S3.
3959         4. "Installation" here requires writing into the StructureRareData SD3 of the new
3960            structure S3.  If SD3 does not exist yet, the installation process will trigger
3961            the allocation of StructureRareData SD3.
3962         5. It is possible that the Structure S1, and StructureRareData SD1 that owns the
3963            ObjectToStringAdaptiveInferredPropertyValueWatchpoint O1 is no longer reachable
3964            by the GC, and therefore will be collected soon.
3965         6. The allocation of SD3 in (4) may trigger the sweeping of the StructureRareData
3966            SD1.  This, in turn, triggers the deletion of the
3967            ObjectToStringAdaptiveInferredPropertyValueWatchpoint O1.
3968
3969         After O1 is deleted in (6) and SD3 is allocated in (4), execution continues in
3970         AdaptiveInferredPropertyValueWatchpointBase::fire() where O1 gets installed in
3971         structure S3's watchpoint set.  This is obviously incorrect because O1 is already
3972         deleted.  The result is that badness happens later when S3's watchpoint set fires
3973         its watchpoints and accesses the deleted O1.