Strings need to be in some kind of gigacage
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-08-22  Filip Pizlo  <fpizlo@apple.com>

        Strings need to be in some kind of gigacage
        https://bugs.webkit.org/show_bug.cgi?id=174924

        Reviewed by Oliver Hunt.

        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRopeToAtomicString const):
        (JSC::JSRopeString::resolveRope const):
        * runtime/JSString.h:
        (JSC::JSString::create):
        (JSC::JSString::createHasOtherOwner):
        * runtime/JSStringBuilder.h:
        * runtime/VM.h:
        (JSC::VM::gigacageAuxiliarySpace):

2017-08-30  Oleksandr Skachkov  <gskachkov@gmail.com>

        [ESNext] Async iteration - Implement async iteration statement: for-await-of
        https://bugs.webkit.org/show_bug.cgi?id=166698

        Reviewed by Yusuke Suzuki.

        Implementation of the for-await-of statement.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEnumeration):
        (JSC::BytecodeGenerator::emitIteratorNext):
        * bytecompiler/BytecodeGenerator.h:
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createForOfLoop):
        * parser/NodeConstructors.h:
        (JSC::ForOfNode::ForOfNode):
        * parser/Nodes.h:
        (JSC::ForOfNode::isForAwait const):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseForStatement):
        * parser/Parser.h:
        (JSC::Scope::setSourceParseMode):
        (JSC::Scope::setIsFunction):
        (JSC::Scope::setIsAsyncGeneratorFunction):
        (JSC::Scope::setIsAsyncGeneratorFunctionBody):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createForOfLoop):

2017-08-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r221317.
        https://bugs.webkit.org/show_bug.cgi?id=176090

        "It broke a testing mode because we will never FTL compile a
        function that repeatedly throws" (Requested by saamyjoon on
        #webkit).

        Reverted changeset:

        "Throwing an exception in the DFG/FTL should not be a
        jettison-able OSR exit"
        https://bugs.webkit.org/show_bug.cgi?id=176060
        http://trac.webkit.org/changeset/221317

2017-08-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Add constant folding rule to convert CompareStrictEq(Untyped, Untyped [with non string cell constant]) to CompareEqPtr(Untyped)
        https://bugs.webkit.org/show_bug.cgi?id=175895

        Reviewed by Saam Barati.

        We have `bucket === @sentinelMapBucket` code in the builtins. Since @sentinelMapBucket and bucket
        are MapBucket cells (SpecCellOther), we do not have any good fixup for CompareStrictEq.
        But rather than introducing a special fixup edge (like NonStringCellUse), converting
        CompareStrictEq(Untyped, Untyped) to CompareEqPtr is simpler.
        In the constant folding phase, we convert CompareStrictEq(Untyped, Untyped) to CompareEqPtr(Untyped)
        if one side of the children is a constant non-String cell.

        This slightly optimizes map/set iteration.

        set-for-each          4.5064+-0.3072     ^      3.2862+-0.2098        ^ definitely 1.3713x faster
        large-map-iteration  56.2583+-1.6640           53.6798+-2.0097          might be 1.0480x faster
        set-for-of            8.8058+-0.5953     ^      7.5832+-0.3805        ^ definitely 1.1612x faster
        map-for-each          4.2633+-0.2694     ^      3.3967+-0.3013        ^ definitely 1.2551x faster
        map-for-of           13.1556+-0.5707           12.4911+-0.6004          might be 1.0532x faster

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToCompareEqPtr):

2017-08-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use reifying system for "name" property of builtin JSFunction
        https://bugs.webkit.org/show_bug.cgi?id=175260

        Reviewed by Saam Barati.

        Currently builtin JSFunction uses a direct property for "name", which is different
        from usual JSFunction. Usual JSFunction uses the reifying system for "name". We would like
        to apply this reifying mechanism to builtin JSFunction to simplify code and drop
        JSFunction::createBuiltinFunction.

        We would like to store the "correct" name in FunctionExecutable. For example,
        we would like to store the name like "get [Symbol.species]" in FunctionExecutable
        instead of specifying the name when creating JSFunction. To do so, we add new
        annotations, @getter and @overriddenName. When @getter is specified, the name of
        the function becomes "get xxx". And when @overriddenName="xxx" is specified,
        the name of the function becomes "xxx".

        * Scripts/builtins/builtins_generate_combined_header.py:
        (generate_section_for_code_table_macro):
        * Scripts/builtins/builtins_generate_combined_implementation.py:
        (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
        * Scripts/builtins/builtins_generate_separate_header.py:
        (generate_section_for_code_table_macro):
        * Scripts/builtins/builtins_generate_separate_implementation.py:
        (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
        * Scripts/builtins/builtins_model.py:
        (BuiltinFunction.__init__):
        (BuiltinFunction.fromString):
        * Scripts/builtins/builtins_templates.py:
        * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Combined.js:
        (overriddenName.string_appeared_here.match):
        (intrinsic.RegExpTestIntrinsic.test):
        * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Separate.js:
        (overriddenName.string_appeared_here.match):
        (intrinsic.RegExpTestIntrinsic.test):
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
        * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::BuiltinExecutables):
        * builtins/BuiltinExecutables.h:
        * builtins/FunctionPrototype.js:
        (symbolHasInstance): Deleted.
        * builtins/GlobalOperations.js:
        (globalPrivate.speciesGetter): Deleted.
        * builtins/IteratorPrototype.js:
        (symbolIteratorGetter): Deleted.
        * builtins/RegExpPrototype.js:
        (match): Deleted.
        (replace): Deleted.
        (search): Deleted.
        (split): Deleted.
        * jsc.cpp:
        (functionCreateBuiltin):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):
        * runtime/IteratorPrototype.cpp:
        (JSC::IteratorPrototype::finishCreation):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
        (JSC::JSFunction::createBuiltinFunction): Deleted.
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectBuiltinFunction):
        (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition):
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::JSTypedArrayViewPrototype::finishCreation):
        * runtime/Lookup.cpp:
        (JSC::reifyStaticAccessor):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):

2017-08-29  Saam Barati  <sbarati@apple.com>

        Throwing an exception in the DFG/FTL should not be a jettison-able OSR exit
        https://bugs.webkit.org/show_bug.cgi?id=176060

        Reviewed by Michael Saboff.

        OSR exiting when we throw an exception is expected behavior. We should
        not count these exits towards our jettison OSR exit threshold.

        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        (JSC::exitKindMayJettison):
        * bytecode/ExitKind.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileThrow):

2017-08-29  Chris Dumez  <cdumez@apple.com>

        Add initial support for dataTransferItem.webkitGetAsEntry()
        https://bugs.webkit.org/show_bug.cgi?id=176038
        <rdar://problem/34121095>

        Reviewed by Wenson Hsieh.

        Add CommonIdentifier needed by [EnabledAtRuntime].

        * runtime/CommonIdentifiers.h:

2017-08-27  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: Record actions performed on WebGLRenderingContext
        https://bugs.webkit.org/show_bug.cgi?id=174483
        <rdar://problem/34040722>

        Reviewed by Matt Baker.

        * inspector/protocol/Recording.json:
        * inspector/scripts/codegen/generator.py:
        Add type and mapping for WebGL: "canvas-webgl" => CanvasWebGL

2017-08-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, suppress warnings in GTK port

        The "block" variable hides the argument variable.

        * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
        (JSC::DFG::LiveCatchVariablePreservationPhase::isValidFlushLocation):

2017-08-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        Merge WeakMapData into JSWeakMap and JSWeakSet
        https://bugs.webkit.org/show_bug.cgi?id=143919

        Reviewed by Darin Adler.

        This patch changes WeakMapData from JSCell to JSDestructibleObject,
        renaming it to WeakMapBase, and JSWeakMap and JSWeakSet simply inherit
        it instead of separately allocating WeakMapData. This reduces memory
        consumption and allocation times.

        This patch also slightly optimizes sizeof(DeadKeyCleaner) by dropping the m_target
        field. Since this class is always embedded in WeakMapBase, we can calculate
        the WeakMapBase address from the address of DeadKeyCleaner.

        This patch does not include the optimization changing WeakMapData to Set
        for JSWeakSet.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::weakMapSize):
        (Inspector::JSInjectedScriptHost::weakMapEntries):
        (Inspector::JSInjectedScriptHost::weakSetSize):
        (Inspector::JSInjectedScriptHost::weakSetEntries):
        * runtime/JSWeakMap.cpp:
        (JSC::JSWeakMap::finishCreation): Deleted.
        (JSC::JSWeakMap::visitChildren): Deleted.
        * runtime/JSWeakMap.h:
        (JSC::JSWeakMap::createStructure): Deleted.
        (JSC::JSWeakMap::create): Deleted.
        (JSC::JSWeakMap::weakMapData): Deleted.
        (JSC::JSWeakMap::JSWeakMap): Deleted.
        * runtime/JSWeakSet.cpp:
        (JSC::JSWeakSet::finishCreation): Deleted.
        (JSC::JSWeakSet::visitChildren): Deleted.
        * runtime/JSWeakSet.h:
        (JSC::JSWeakSet::createStructure): Deleted.
        (JSC::JSWeakSet::create): Deleted.
        (JSC::JSWeakSet::weakMapData): Deleted.
        (JSC::JSWeakSet::JSWeakSet): Deleted.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * runtime/WeakMapBase.cpp: Renamed from Source/JavaScriptCore/runtime/WeakMapData.cpp.
        (JSC::WeakMapBase::WeakMapBase):
        (JSC::WeakMapBase::destroy):
        (JSC::WeakMapBase::estimatedSize):
        (JSC::WeakMapBase::visitChildren):
        (JSC::WeakMapBase::set):
        (JSC::WeakMapBase::get):
        (JSC::WeakMapBase::remove):
        (JSC::WeakMapBase::contains):
        (JSC::WeakMapBase::clear):
        (JSC::WeakMapBase::DeadKeyCleaner::target):
        (JSC::WeakMapBase::DeadKeyCleaner::visitWeakReferences):
        (JSC::WeakMapBase::DeadKeyCleaner::finalizeUnconditionally):
        * runtime/WeakMapBase.h: Renamed from Source/JavaScriptCore/runtime/WeakMapData.h.
        (JSC::WeakMapBase::size const):
        * runtime/WeakMapPrototype.cpp:
        (JSC::getWeakMap):
        (JSC::protoFuncWeakMapDelete):
        (JSC::protoFuncWeakMapGet):
        (JSC::protoFuncWeakMapHas):
        (JSC::protoFuncWeakMapSet):
        (JSC::getWeakMapData): Deleted.
        * runtime/WeakSetPrototype.cpp:
        (JSC::getWeakSet):
        (JSC::protoFuncWeakSetDelete):
        (JSC::protoFuncWeakSetHas):
        (JSC::protoFuncWeakSetAdd):
        (JSC::getWeakMapData): Deleted.

2017-08-25  Daniel Bates  <dabates@apple.com>

        Demarcate code added due to lack of NSDMI for aggregates
        https://bugs.webkit.org/show_bug.cgi?id=175990

        Reviewed by Andy Estes.

        * domjit/DOMJITEffect.h:
        (JSC::DOMJIT::Effect::Effect):
        (JSC::DOMJIT::Effect::forWrite):
        (JSC::DOMJIT::Effect::forRead):
        (JSC::DOMJIT::Effect::forReadWrite):
        (JSC::DOMJIT::Effect::forPure):
        (JSC::DOMJIT::Effect::forDef):
        * runtime/HasOwnPropertyCache.h:
        (JSC::HasOwnPropertyCache::Entry::Entry):
        (JSC::HasOwnPropertyCache::Entry::operator=): Deleted.
        * wasm/WasmFormat.h: Modernize some of the code while I am here. Also
        make some comments read well.
        (JSC::Wasm::CallableFunction::CallableFunction):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::WebAssemblyFunction::WebAssemblyFunction):
        * wasm/js/WebAssemblyWrapperFunction.cpp:
        (JSC::WebAssemblyWrapperFunction::create):

2017-08-25  Saam Barati  <sbarati@apple.com>

        Unreviewed. Fix 32-bit after r221196

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_catch):

2017-08-25  Chris Dumez  <cdumez@apple.com>

        Land stubs for File and Directory Entries API interfaces
        https://bugs.webkit.org/show_bug.cgi?id=175993
        <rdar://problem/34087477>

        Reviewed by Ryosuke Niwa.

        Add CommonIdentifiers needed for [EnabledAtRuntime].

        * runtime/CommonIdentifiers.h:

2017-08-25  Brian Burg  <bburg@apple.com>

        Web Automation: add capabilities to control ICE candidate filtering and insecure media capture
        https://bugs.webkit.org/show_bug.cgi?id=175563
        <rdar://problem/33734492>

        Reviewed by Joseph Pecoraro.

        Add macros for new capability protocol string names. Let's use a reverse
        domain name notation for these capabilities so we know whether they are
        intended for a particular client/port or any WebKit client, and what feature they
        are related to (i.e., webrtc).

        * inspector/remote/RemoteInspectorConstants.h:

2017-08-24  Brian Burg  <bburg@apple.com>

        Web Automation: use automation session configurations to propagate per-session settings
        https://bugs.webkit.org/show_bug.cgi?id=175562
        <rdar://problem/30853362>

        Reviewed by Joseph Pecoraro.

        Add a Cocoa-specific code path to forward capabilities when requesting
        a new session from the remote inspector (i.e., automation) client.

        If other ports want to use this, then we can convert Cocoa types to WebKit types later.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspectorConstants.h:
        * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
        (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage):

2017-08-25  Saam Barati  <sbarati@apple.com>

        DFG::JITCode::osrEntry should get sorted since we perform a binary search on it
        https://bugs.webkit.org/show_bug.cgi?id=175893

        Reviewed by Mark Lam.

        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::finalizeOSREntrypoints):
        * dfg/DFGJITCode.h:
        (JSC::DFG::JITCode::finalizeCatchOSREntrypoints): Deleted.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::linkOSREntries):

2017-08-25  Saam Barati  <sbarati@apple.com>

        Support compiling catch in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=174590
        <rdar://problem/34047845>

        Reviewed by Filip Pizlo.

        This patch implements OSR entry into op_catch in the DFG. We will support OSR entry
        into the FTL in a followup: https://bugs.webkit.org/show_bug.cgi?id=175396

        To implement catch in the DFG, this patch introduces the concept of multiple
        entrypoints into CPS/LoadStore DFG IR. A lot of this patch is stringing this concept
        through the DFG. Many phases used to assume that Graph::block(0) is the only root, and this
        patch contains many straightforward changes generalizing the code to handle more than
        one entrypoint.

        A main building block of this is moving to two CFG types: SSACFG and CPSCFG. SSACFG
        is the same CFG we used to have. CPSCFG is a new type that introduces a fake root
        that has an outgoing edge to all the entrypoints. This allows our existing graph algorithms
        to Just Work over CPSCFG. For example, there is now the concept of SSADominators vs CPSDominators,
        and SSANaturalLoops vs CPSNaturalLoops.

        The way we compile the catch entrypoint is by bootstrapping the state
        of the program by loading all live bytecode locals from a buffer. The OSR
        entry code will store all live values into that buffer before jumping to
        the entrypoint. The OSR entry code is also responsible for performing type
        proofs of the arguments before doing an OSR entry. If there is a type
        mismatch, it's not legal to OSR enter into the DFG compilation. Currently,
        each catch entrypoint knows the argument type proofs it must perform to enter
        into the DFG. Currently, all entrypoints' argument flush formats are unified
        via ArgumentPosition, but this is just an implementation detail. The code is
        written more generally to assume that each entrypoint may perform its own distinct
        proof.

        op_catch now performs value profiling for all live bytecode locals in the
        LLInt and baseline JIT. This information is then fed into the DFG via the
        ExtractCatchLocal node in the prediction propagation phase.

        This patch also changes how we generate op_catch in bytecode. All op_catches
        are now split out at the end of the program in bytecode. This ensures that
        no op_catch is inside a try block. This is needed to ensure correctness in
        the DFGLiveCatchVariablePreservationPhase. That phase only inserts flushes
        before SetLocals inside a try block. If an op_catch were in a try block, this
        would cause the phase to insert a Flush before one of the state bootstrapping
        SetLocals, which would generate invalid IR. Moving op_catch to be generated on
        its own at the end of a bytecode stream seemed like the most elegant solution since
        it better represents that we treat op_catch as an entrypoint. This is true
        both in the DFG and in the baseline and LLInt: we don't reach an op_catch
        via normal control flow. Because op_catch cannot throw, this will not break
        any previous semantics of op_catch. Logically, it'd be valid to split try
        blocks around any non-throwing bytecode operation.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffset):
        (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
        (JSC::CodeBlock::validate):
        * bytecode/CodeBlock.h:
        * bytecode/ValueProfile.h:
        (JSC::ValueProfile::ValueProfile):
        (JSC::ValueProfileAndOperandBuffer::ValueProfileAndOperandBuffer):
        (JSC::ValueProfileAndOperandBuffer::~ValueProfileAndOperandBuffer):
        (JSC::ValueProfileAndOperandBuffer::forEach):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitCatch):
        (JSC::BytecodeGenerator::emitEnumeration):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::TryNode::emitBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGBackwardsCFG.h:
        (JSC::DFG::BackwardsCFG::BackwardsCFG):
        * dfg/DFGBasicBlock.cpp:
        (JSC::DFG::BasicBlock::BasicBlock):
        * dfg/DFGBasicBlock.h:
        (JSC::DFG::BasicBlock::findTerminal const):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::setDirect):
        (JSC::DFG::ByteCodeParser::flush):
        (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
        (JSC::DFG::ByteCodeParser::DelayedSetLocal::execute):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGCFG.h:
        (JSC::DFG::CFG::root):
        (JSC::DFG::CFG::roots):
        (JSC::DFG::CPSCFG::CPSCFG):
        (JSC::DFG::selectCFG):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
        * dfg/DFGCSEPhase.cpp:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGControlEquivalenceAnalysis.h:
        (JSC::DFG::ControlEquivalenceAnalysis::ControlEquivalenceAnalysis):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::run):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::createDumpList):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGDominators.h:
        (JSC::DFG::Dominators::Dominators):
        (JSC::DFG::ensureDominatorsForCFG):
        * dfg/DFGEdgeDominates.h:
        (JSC::DFG::EdgeDominates::EdgeDominates):
        (JSC::DFG::EdgeDominates::operator()):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupChecksInBlock):
        * dfg/DFGFlushFormat.h:
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        (JSC::DFG::unboxLoopNode):
        (JSC::DFG::Graph::dumpBlockHeader):
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::determineReachability):
        (JSC::DFG::Graph::invalidateCFG):
        (JSC::DFG::Graph::blocksInPreOrder):
        (JSC::DFG::Graph::blocksInPostOrder):
        (JSC::DFG::Graph::ensureCPSDominators):
        (JSC::DFG::Graph::ensureSSADominators):
        (JSC::DFG::Graph::ensureCPSNaturalLoops):
        (JSC::DFG::Graph::ensureSSANaturalLoops):
        (JSC::DFG::Graph::ensureBackwardsCFG):
        (JSC::DFG::Graph::ensureBackwardsDominators):
        (JSC::DFG::Graph::ensureControlEquivalenceAnalysis):
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
        (JSC::DFG::Graph::clearCPSCFGData):
        (JSC::DFG::Graph::ensureDominators): Deleted.
        (JSC::DFG::Graph::ensurePrePostNumbering): Deleted.
        (JSC::DFG::Graph::ensureNaturalLoops): Deleted.
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::willCatchExceptionInMachineFrame):
        (JSC::DFG::Graph::isEntrypoint const):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::initialize):
        (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::shrinkToFit):
        * dfg/DFGJITCode.h:
        (JSC::DFG::JITCode::catchOSREntryDataForBytecodeIndex):
        (JSC::DFG::JITCode::finalizeCatchOSREntrypoints):
        (JSC::DFG::JITCode::appendCatchEntrypoint):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
        (JSC::DFG::JITCompiler::noticeOSREntry):
        (JSC::DFG::JITCompiler::makeCatchOSREntryBuffer):
        * dfg/DFGJITCompiler.h:
        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::run):
        (JSC::DFG::LICMPhase::attemptHoist):
        * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
        (JSC::DFG::LiveCatchVariablePreservationPhase::run):
        (JSC::DFG::LiveCatchVariablePreservationPhase::isValidFlushLocation):
        (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
        (JSC::DFG::LiveCatchVariablePreservationPhase::newVariableAccessData):
        (JSC::DFG::LiveCatchVariablePreservationPhase::willCatchException): Deleted.
        (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock): Deleted.
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        (JSC::DFG::createPreHeader):
        (JSC::DFG::LoopPreHeaderCreationPhase::run):
        * dfg/DFGMaximalFlushInsertionPhase.cpp:
        (JSC::DFG::MaximalFlushInsertionPhase::run):
        (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
        (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
        * dfg/DFGMayExit.cpp:
        * dfg/DFGNaturalLoops.h:
        (JSC::DFG::NaturalLoops::NaturalLoops):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isSwitch const):
        (JSC::DFG::Node::successor):
        (JSC::DFG::Node::catchOSREntryIndex const):
        (JSC::DFG::Node::catchLocalPrediction):
        (JSC::DFG::Node::isSwitch): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareCatchOSREntry):
        * dfg/DFGOSREntry.h:
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::handleExitCounts):
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPrePostNumbering.cpp:
        (JSC::DFG::PrePostNumbering::PrePostNumbering): Deleted.
        (JSC::DFG::PrePostNumbering::~PrePostNumbering): Deleted.
        (WTF::printInternal): Deleted.
        * dfg/DFGPrePostNumbering.h:
        (): Deleted.
        (JSC::DFG::PrePostNumbering::preNumber const): Deleted.
        (JSC::DFG::PrePostNumbering::postNumber const): Deleted.
        (JSC::DFG::PrePostNumbering::isStrictAncestorOf const): Deleted.
        (JSC::DFG::PrePostNumbering::isAncestorOf const): Deleted.
        (JSC::DFG::PrePostNumbering::isStrictDescendantOf const): Deleted.
        (JSC::DFG::PrePostNumbering::isDescendantOf const): Deleted.
        (JSC::DFG::PrePostNumbering::edgeKind const): Deleted.
        * dfg/DFGPredictionInjectionPhase.cpp:
        (JSC::DFG::PredictionInjectionPhase::run):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGPutStackSinkingPhase.cpp:
        * dfg/DFGSSACalculator.cpp:
        (JSC::DFG::SSACalculator::nonLocalReachingDef):
        (JSC::DFG::SSACalculator::reachingDefAtTail):
        * dfg/DFGSSACalculator.h:
        (JSC::DFG::SSACalculator::computePhis):
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        (JSC::DFG::performSSAConversion):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::createOSREntries):
        (JSC::DFG::SpeculativeJIT::linkOSREntries):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStaticExecutionCountEstimationPhase.cpp:
        (JSC::DFG::StaticExecutionCountEstimationPhase::run):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        (JSC::DFG::TierUpCheckInjectionPhase::buildNaturalLoopToLoopHintMap):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::run):
        * dfg/DFGValidate.cpp:
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        (JSC::FTL::DFG::LowerDFGToB3::safelyInvalidateAfterTermination):
        (JSC::FTL::DFG::LowerDFGToB3::isValid):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_catch):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_catch):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2017-08-25  Keith Miller  <keith_miller@apple.com>

        Explore increasing max JSString::m_length to UINT_MAX.
        https://bugs.webkit.org/show_bug.cgi?id=163955
        <rdar://problem/32001499>

        Reviewed by JF Bastien.

        This can cause us to release assert on some code paths. I don't
        see a reason to maintain this restriction.

        * runtime/JSString.h:
        (JSC::JSString::length const):
        (JSC::JSString::setLength):
        (JSC::JSString::isValidLength): Deleted.
        * runtime/JSStringBuilder.h:
        (JSC::jsMakeNontrivialString):

2017-08-24  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r221119, r221124, and r221143.
        https://bugs.webkit.org/show_bug.cgi?id=175973

        "I think it regressed JSBench by 20%" (Requested by saamyjoon
        on #webkit).

        Reverted changesets:

        "Support compiling catch in the DFG"
        https://bugs.webkit.org/show_bug.cgi?id=174590
        http://trac.webkit.org/changeset/221119

        "Unreviewed, build fix in GTK port"
        https://bugs.webkit.org/show_bug.cgi?id=174590
699         http://trac.webkit.org/changeset/221124
700
701         "DFG::JITCode::osrEntry should get sorted since we perform a
702         binary search on it"
703         https://bugs.webkit.org/show_bug.cgi?id=175893
704         http://trac.webkit.org/changeset/221143
705
706 2017-08-24  Michael Saboff  <msaboff@apple.com>
707
708         Enable moving fixed character class terms after fixed character terms for BMP-only character classes
709         https://bugs.webkit.org/show_bug.cgi?id=175958
710
711         Reviewed by Saam Barati.
712
713         Currently we don't perform the reordering optimization of fixed character terms that
714         follow fixed character class terms for Unicode patterns.
715
716         This change allows that reordering when the character class contains only BMP
717         characters.
718
719         This fix is covered by existing tests.
720
721         * yarr/YarrJIT.cpp:
722         (JSC::Yarr::YarrGenerator::optimizeAlternative):
723
724 2017-08-24  Michael Saboff  <msaboff@apple.com>
725
726         Add support for RegExp "dotAll" flag
727         https://bugs.webkit.org/show_bug.cgi?id=175924
728
729         Reviewed by Keith Miller.
730
731         The dotAll RegExp flag, 's', changes . to match any character including line terminators.
732         Added the "dotAll" identifier as well as the RegExp.prototype.dotAll getter.
733         Added a new any-character CharacterClass that is used to match . terms in a dotAll-flagged
734         RegExp.  In the YARR pattern and parsing code, changed the NewlineClassID, which was only
735         used for '.' processing, to DotClassID.  The selection of which builtin character class
736         that DotClassID resolves to when generating the pattern is conditional on the dotAll flag.
737         This NewlineClassID to DotClassID refactoring includes the atomBuiltInCharacterClass() in
738         the WebCore content extensions code in the PatternParser class.
739
740         As an optimization, the Yarr JIT actually doesn't perform match checks against the builtin
741         any character CharacterClass, it merely reads the character.  There is another optimization
742         in our DotStart enclosure processing where a non-capturing regular expression in the form
743         of .*<expression>.*, with an optional leading ^ and/or trailing $, matches the contained
744         expression and then looks for the extents of the surrounding .*'s.  When used with the
745         dotAll flag, that processing always results in the beginning of the string and the end
746         of the string.  Therefore we short-circuit finding the beginning and end of the line
747         or string with dotAll patterns.
748
749         * bytecode/BytecodeDumper.cpp:
750         (JSC::regexpToSourceString):
751         * runtime/CommonIdentifiers.h:
752         * runtime/RegExp.cpp:
753         (JSC::regExpFlags):
754         (JSC::RegExpFunctionalTestCollector::outputOneTest):
755         * runtime/RegExp.h:
756         * runtime/RegExpKey.h:
757         * runtime/RegExpPrototype.cpp:
758         (JSC::RegExpPrototype::finishCreation):
759         (JSC::flagsString):
760         (JSC::regExpProtoGetterDotAll):
761         * yarr/YarrInterpreter.cpp:
762         (JSC::Yarr::Interpreter::matchDotStarEnclosure):
763         * yarr/YarrInterpreter.h:
764         (JSC::Yarr::BytecodePattern::dotAll const):
765         * yarr/YarrJIT.cpp:
766         (JSC::Yarr::YarrGenerator::optimizeAlternative):
767         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
768         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
769         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
770         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
771         (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
772         * yarr/YarrParser.h:
773         (JSC::Yarr::Parser::parseTokens):
774         * yarr/YarrPattern.cpp:
775         (JSC::Yarr::YarrPatternConstructor::atomBuiltInCharacterClass):
776         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassBuiltIn):
777         (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
778         (JSC::Yarr::YarrPattern::YarrPattern):
779         (JSC::Yarr::PatternTerm::dump):
780         (JSC::Yarr::anycharCreate):
781         * yarr/YarrPattern.h:
782         (JSC::Yarr::YarrPattern::reset):
783         (JSC::Yarr::YarrPattern::anyCharacterClass):
784         (JSC::Yarr::YarrPattern::dotAll const):
785
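Added example (the editor's illustration, not JavaScriptCore code or part of the patch above): the user-visible behaviour of the dotAll flag that the entry describes, as plain JavaScript for any engine that supports the `s` flag. It shows that `.` matches each ECMAScript line terminator only under `s`, what `RegExp.prototype.dotAll` and `flags` report, that an anchored `^.*$` validator silently starts accepting embedded newlines once `s` is added, and that a `.*<expression>.*` enclosure matches the whole input under `s` but only the needle's line without it, which is the case the dot-star short-circuit above is about. The helper names and the sample string are this example's own.

```javascript
// Added example, not JavaScriptCore code: observable semantics of the RegExp
// dotAll ('s') flag. Helper names and the sample input are constructed here.

// ECMAScript line terminators: LF, CR, LINE SEPARATOR and PARAGRAPH SEPARATOR.
const LINE_TERMINATORS = ['\n', '\r', '\u2028', '\u2029'];

// True when '.' matches every line terminator under the given flags.
function dotMatchesAllTerminators(flags) {
  const re = new RegExp('^.$', flags);
  return LINE_TERMINATORS.every((ch) => re.test(ch));
}

// What the dotAll getter and the canonical flags string report for a RegExp.
function describe(re) {
  return { source: re.source, flags: re.flags, dotAll: re.dotAll };
}

// A typical "the whole input must be one line of anything" validator. Without
// 's' the '.' stops at a line terminator, so multi-line input is rejected;
// adding 's' widens what the validator accepts with no other change to it.
function anchoredDotStarAccepts(input, flags) {
  return new RegExp('^.*$', flags).test(input);
}

// Escape regex metacharacters so a needle is matched literally.
function escapeRegExp(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// The '.*<expression>.*' shape the entry calls a dot-star enclosure. Without
// 's' the match is confined to the line containing the needle; with 's' the
// greedy '.*' on each side reaches the start and the end of the whole input.
function enclosureMatch(input, needle, dotAll) {
  const re = new RegExp('.*' + escapeRegExp(needle) + '.*', dotAll ? 's' : '');
  const m = re.exec(input);
  return m === null ? null : { index: m.index, matched: m[0] };
}

// Constructed three-line input with the needle on the middle line.
const SAMPLE = 'first line\nsecond has needle here\nthird line';
```

For input validation the practical point is the third helper: a pattern that relied on `.` rejecting line terminators changes meaning the moment `s` is appended, so any regex used as an allow-list should be re-tested against inputs containing `\n`, `\r`, U+2028 and U+2029 when the flag is introduced.
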
786 2017-08-23  Filip Pizlo  <fpizlo@apple.com>
787
788         Reduce Gigacage sizes
789         https://bugs.webkit.org/show_bug.cgi?id=175920
790
791         Reviewed by Mark Lam.
792
793         Teach all of the code generators to use the right gigacage masks.
794
795         Also teach Wasm that it has much less memory for signaling memories. With 32GB, we have room for 7 signaling memories. But if
796         we actually did that, then we'd have no memory left for anything else. So, this caps us at 4 signaling memories.
797
798         * ftl/FTLLowerDFGToB3.cpp:
799         (JSC::FTL::DFG::LowerDFGToB3::caged):
800         * jit/AssemblyHelpers.h:
801         (JSC::AssemblyHelpers::cage):
802         (JSC::AssemblyHelpers::cageConditionally):
803         * llint/LowLevelInterpreter64.asm:
804         * runtime/Options.h:
805
806 2017-08-24  Saam Barati  <sbarati@apple.com>
807
808         DFG::JITCode::osrEntry should get sorted since we perform a binary search on it
809         https://bugs.webkit.org/show_bug.cgi?id=175893
810
811         Reviewed by Mark Lam.
812
813         * dfg/DFGJITCode.cpp:
814         (JSC::DFG::JITCode::finalizeOSREntrypoints):
815         * dfg/DFGJITCode.h:
816         (JSC::DFG::JITCode::finalizeCatchOSREntrypoints): Deleted.
817         * dfg/DFGSpeculativeJIT.cpp:
818         (JSC::DFG::SpeculativeJIT::linkOSREntries):
819
820 2017-08-23  Keith Miller  <keith_miller@apple.com>
821
822         Fix Titzer bench on iOS.
823         https://bugs.webkit.org/show_bug.cgi?id=175917
824
825         Reviewed by Ryosuke Niwa.
826
827         Currently, Titzer bench doesn't run on iOS since the benchmark
828         allocates lots of physical pages that it never actually writes
829         to. We limited the total number of wasm physical pages to the RAM size
830         of the phone, which caused us to fail a memory
831         allocation. This patch changes it so we will allocate up to 3x the RAM
832         size, which seems to fix the problem.
833
834         * wasm/WasmMemory.cpp:
835
836 2017-08-23  Yusuke Suzuki  <utatane.tea@gmail.com>
837
838         Unreviewed, fix for test262
839         https://bugs.webkit.org/show_bug.cgi?id=175915
840
841         * runtime/MapPrototype.cpp:
842         (JSC::MapPrototype::finishCreation):
843         * runtime/SetPrototype.cpp:
844         (JSC::SetPrototype::finishCreation):
845
846 2017-08-23  Yusuke Suzuki  <utatane.tea@gmail.com>
847
848         Unreviewed, build fix in GTK port
849         https://bugs.webkit.org/show_bug.cgi?id=174590
850
851         * bytecompiler/BytecodeGenerator.cpp:
852         (JSC::BytecodeGenerator::emitCatch):
853         * bytecompiler/BytecodeGenerator.h:
854
855 2017-08-23  Saam Barati  <sbarati@apple.com>
856
857         Support compiling catch in the DFG
858         https://bugs.webkit.org/show_bug.cgi?id=174590
859
860         Reviewed by Filip Pizlo.
861
862         This patch implements OSR entry into op_catch in the DFG. We will support OSR entry
863         into the FTL in a followup: https://bugs.webkit.org/show_bug.cgi?id=175396
864         
865         To implement catch in the DFG, this patch introduces the concept of multiple
866         entrypoints into CPS/LoadStore DFG IR. A lot of this patch is stringing this concept
867         through the DFG. Many phases used to assume that Graph::block(0) is the only root, and this
868         patch contains many straightforward changes generalizing the code to handle more than
869         one entrypoint.
870         
871         A main building block of this is moving to two CFG types: SSACFG and CPSCFG. SSACFG
872         is the same CFG we used to have. CPSCFG is a new type that introduces a fake root
873         that has an outgoing edge to all the entrypoints. This allows our existing graph algorithms
874         to Just Work over CPSCFG. For example, there is now the concept of SSADominators vs CPSDominators,
875         and SSANaturalLoops vs CPSNaturalLoops.
876         
877         The way we compile the catch entrypoint is by bootstrapping the state
878         of the program by loading all live bytecode locals from a buffer. The OSR
879         entry code will store all live values into that buffer before jumping to
880         the entrypoint. The OSR entry code is also responsible for performing type
881         proofs of the arguments before doing an OSR entry. If there is a type
882         mismatch, it's not legal to OSR enter into the DFG compilation. Currently,
883         each catch entrypoint knows the argument type proofs it must perform to enter
884         into the DFG. Currently, all entrypoints' argument flush formats are unified
885         via ArgumentPosition, but this is just an implementation detail. The code is
886         written more generally to assume that each entrypoint may perform its own distinct
887         proof.
888         
889         op_catch now performs value profiling for all live bytecode locals in the
890         LLInt and baseline JIT. This information is then fed into the DFG via the
891         ExtractCatchLocal node in the prediction propagation phase.
892         
893         This patch also changes how we generate op_catch in bytecode. All op_catches
894         are now split out at the end of the program in bytecode. This ensures that
895         no op_catch is inside a try block. This is needed to ensure correctness in
896         the DFGLiveCatchVariablePreservationPhase. That phase only inserts flushes
897         before SetLocals inside a try block. If an op_catch were in a try block, this
898         would cause the phase to insert a Flush before one of the state bootstrapping
899         SetLocals, which would generate invalid IR. Moving op_catch to be generated on
900         its own at the end of a bytecode stream seemed like the most elegant solution since
901         it better represents that we treat op_catch as an entrypoint. This is true
902         both in the DFG and in the baseline and LLInt: we don't reach an op_catch
903         via normal control flow. Because op_catch cannot throw, this will not break
904         any previous semantics of op_catch. Logically, it'd be valid to split try
905         blocks around any non-throwing bytecode operation.
906
907         * CMakeLists.txt:
908         * JavaScriptCore.xcodeproj/project.pbxproj:
909         * bytecode/BytecodeDumper.cpp:
910         (JSC::BytecodeDumper<Block>::dumpBytecode):
911         * bytecode/BytecodeList.json:
912         * bytecode/BytecodeUseDef.h:
913         (JSC::computeUsesForBytecodeOffset):
914         * bytecode/CodeBlock.cpp:
915         (JSC::CodeBlock::finishCreation):
916         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
917         (JSC::CodeBlock::validate):
918         * bytecode/CodeBlock.h:
919         * bytecode/ValueProfile.h:
920         (JSC::ValueProfile::ValueProfile):
921         (JSC::ValueProfileAndOperandBuffer::ValueProfileAndOperandBuffer):
922         (JSC::ValueProfileAndOperandBuffer::~ValueProfileAndOperandBuffer):
923         (JSC::ValueProfileAndOperandBuffer::forEach):
924         * bytecompiler/BytecodeGenerator.cpp:
925         (JSC::BytecodeGenerator::generate):
926         (JSC::BytecodeGenerator::BytecodeGenerator):
927         (JSC::BytecodeGenerator::emitCatch):
928         (JSC::BytecodeGenerator::emitEnumeration):
929         * bytecompiler/BytecodeGenerator.h:
930         * bytecompiler/NodesCodegen.cpp:
931         (JSC::TryNode::emitBytecode):
932         * dfg/DFGAbstractInterpreterInlines.h:
933         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
934         * dfg/DFGBackwardsCFG.h:
935         (JSC::DFG::BackwardsCFG::BackwardsCFG):
936         * dfg/DFGBasicBlock.cpp:
937         (JSC::DFG::BasicBlock::BasicBlock):
938         * dfg/DFGBasicBlock.h:
939         (JSC::DFG::BasicBlock::findTerminal const):
940         * dfg/DFGByteCodeParser.cpp:
941         (JSC::DFG::ByteCodeParser::setDirect):
942         (JSC::DFG::ByteCodeParser::flush):
943         (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
944         (JSC::DFG::ByteCodeParser::DelayedSetLocal::execute):
945         (JSC::DFG::ByteCodeParser::parseBlock):
946         (JSC::DFG::ByteCodeParser::parseCodeBlock):
947         (JSC::DFG::ByteCodeParser::parse):
948         * dfg/DFGCFG.h:
949         (JSC::DFG::CFG::root):
950         (JSC::DFG::CFG::roots):
951         (JSC::DFG::CPSCFG::CPSCFG):
952         (JSC::DFG::selectCFG):
953         * dfg/DFGCPSRethreadingPhase.cpp:
954         (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
955         * dfg/DFGCSEPhase.cpp:
956         * dfg/DFGClobberize.h:
957         (JSC::DFG::clobberize):
958         * dfg/DFGControlEquivalenceAnalysis.h:
959         (JSC::DFG::ControlEquivalenceAnalysis::ControlEquivalenceAnalysis):
960         * dfg/DFGDCEPhase.cpp:
961         (JSC::DFG::DCEPhase::run):
962         * dfg/DFGDisassembler.cpp:
963         (JSC::DFG::Disassembler::createDumpList):
964         * dfg/DFGDoesGC.cpp:
965         (JSC::DFG::doesGC):
966         * dfg/DFGDominators.h:
967         (JSC::DFG::Dominators::Dominators):
968         (JSC::DFG::ensureDominatorsForCFG):
969         * dfg/DFGEdgeDominates.h:
970         (JSC::DFG::EdgeDominates::EdgeDominates):
971         (JSC::DFG::EdgeDominates::operator()):
972         * dfg/DFGFixupPhase.cpp:
973         (JSC::DFG::FixupPhase::fixupNode):
974         (JSC::DFG::FixupPhase::fixupChecksInBlock):
975         * dfg/DFGFlushFormat.h:
976         * dfg/DFGGraph.cpp:
977         (JSC::DFG::Graph::Graph):
978         (JSC::DFG::unboxLoopNode):
979         (JSC::DFG::Graph::dumpBlockHeader):
980         (JSC::DFG::Graph::dump):
981         (JSC::DFG::Graph::determineReachability):
982         (JSC::DFG::Graph::invalidateCFG):
983         (JSC::DFG::Graph::blocksInPreOrder):
984         (JSC::DFG::Graph::blocksInPostOrder):
985         (JSC::DFG::Graph::ensureCPSDominators):
986         (JSC::DFG::Graph::ensureSSADominators):
987         (JSC::DFG::Graph::ensureCPSNaturalLoops):
988         (JSC::DFG::Graph::ensureSSANaturalLoops):
989         (JSC::DFG::Graph::ensureBackwardsCFG):
990         (JSC::DFG::Graph::ensureBackwardsDominators):
991         (JSC::DFG::Graph::ensureControlEquivalenceAnalysis):
992         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
993         (JSC::DFG::Graph::clearCPSCFGData):
994         (JSC::DFG::Graph::ensureDominators): Deleted.
995         (JSC::DFG::Graph::ensurePrePostNumbering): Deleted.
996         (JSC::DFG::Graph::ensureNaturalLoops): Deleted.
997         * dfg/DFGGraph.h:
998         (JSC::DFG::Graph::willCatchExceptionInMachineFrame):
999         (JSC::DFG::Graph::isEntrypoint const):
1000         * dfg/DFGInPlaceAbstractState.cpp:
1001         (JSC::DFG::InPlaceAbstractState::initialize):
1002         (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
1003         * dfg/DFGJITCode.cpp:
1004         (JSC::DFG::JITCode::shrinkToFit):
1005         * dfg/DFGJITCode.h:
1006         (JSC::DFG::JITCode::catchOSREntryDataForBytecodeIndex):
1007         (JSC::DFG::JITCode::finalizeCatchOSREntrypoints):
1008         (JSC::DFG::JITCode::appendCatchEntrypoint):
1009         * dfg/DFGJITCompiler.cpp:
1010         (JSC::DFG::JITCompiler::compile):
1011         (JSC::DFG::JITCompiler::compileFunction):
1012         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
1013         (JSC::DFG::JITCompiler::noticeOSREntry):
1014         (JSC::DFG::JITCompiler::makeCatchOSREntryBuffer):
1015         * dfg/DFGJITCompiler.h:
1016         * dfg/DFGLICMPhase.cpp:
1017         (JSC::DFG::LICMPhase::run):
1018         (JSC::DFG::LICMPhase::attemptHoist):
1019         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
1020         (JSC::DFG::LiveCatchVariablePreservationPhase::run):
1021         (JSC::DFG::LiveCatchVariablePreservationPhase::isValidFlushLocation):
1022         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
1023         (JSC::DFG::LiveCatchVariablePreservationPhase::newVariableAccessData):
1024         (JSC::DFG::LiveCatchVariablePreservationPhase::willCatchException): Deleted.
1025         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock): Deleted.
1026         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
1027         (JSC::DFG::createPreHeader):
1028         (JSC::DFG::LoopPreHeaderCreationPhase::run):
1029         * dfg/DFGMaximalFlushInsertionPhase.cpp:
1030         (JSC::DFG::MaximalFlushInsertionPhase::run):
1031         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
1032         (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
1033         * dfg/DFGMayExit.cpp:
1034         * dfg/DFGNaturalLoops.h:
1035         (JSC::DFG::NaturalLoops::NaturalLoops):
1036         * dfg/DFGNode.h:
1037         (JSC::DFG::Node::isSwitch const):
1038         (JSC::DFG::Node::successor):
1039         (JSC::DFG::Node::catchOSREntryIndex const):
1040         (JSC::DFG::Node::catchLocalPrediction):
1041         (JSC::DFG::Node::isSwitch): Deleted.
1042         * dfg/DFGNodeType.h:
1043         * dfg/DFGOSREntry.cpp:
1044         (JSC::DFG::prepareCatchOSREntry):
1045         * dfg/DFGOSREntry.h:
1046         * dfg/DFGOSREntrypointCreationPhase.cpp:
1047         (JSC::DFG::OSREntrypointCreationPhase::run):
1048         * dfg/DFGOSRExitCompilerCommon.cpp:
1049         (JSC::DFG::handleExitCounts):
1050         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1051         * dfg/DFGPlan.cpp:
1052         (JSC::DFG::Plan::compileInThreadImpl):
1053         * dfg/DFGPrePostNumbering.cpp:
1054         (JSC::DFG::PrePostNumbering::PrePostNumbering): Deleted.
1055         (JSC::DFG::PrePostNumbering::~PrePostNumbering): Deleted.
1056         (WTF::printInternal): Deleted.
1057         * dfg/DFGPrePostNumbering.h:
1058         (): Deleted.
1059         (JSC::DFG::PrePostNumbering::preNumber const): Deleted.
1060         (JSC::DFG::PrePostNumbering::postNumber const): Deleted.
1061         (JSC::DFG::PrePostNumbering::isStrictAncestorOf const): Deleted.
1062         (JSC::DFG::PrePostNumbering::isAncestorOf const): Deleted.
1063         (JSC::DFG::PrePostNumbering::isStrictDescendantOf const): Deleted.
1064         (JSC::DFG::PrePostNumbering::isDescendantOf const): Deleted.
1065         (JSC::DFG::PrePostNumbering::edgeKind const): Deleted.
1066         * dfg/DFGPredictionInjectionPhase.cpp:
1067         (JSC::DFG::PredictionInjectionPhase::run):
1068         * dfg/DFGPredictionPropagationPhase.cpp:
1069         * dfg/DFGPutStackSinkingPhase.cpp:
1070         * dfg/DFGSSACalculator.cpp:
1071         (JSC::DFG::SSACalculator::nonLocalReachingDef):
1072         (JSC::DFG::SSACalculator::reachingDefAtTail):
1073         * dfg/DFGSSACalculator.h:
1074         (JSC::DFG::SSACalculator::computePhis):
1075         * dfg/DFGSSAConversionPhase.cpp:
1076         (JSC::DFG::SSAConversionPhase::run):
1077         (JSC::DFG::performSSAConversion):
1078         * dfg/DFGSafeToExecute.h:
1079         (JSC::DFG::safeToExecute):
1080         * dfg/DFGSpeculativeJIT.cpp:
1081         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1082         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
1083         (JSC::DFG::SpeculativeJIT::createOSREntries):
1084         (JSC::DFG::SpeculativeJIT::linkOSREntries):
1085         * dfg/DFGSpeculativeJIT32_64.cpp:
1086         (JSC::DFG::SpeculativeJIT::compile):
1087         * dfg/DFGSpeculativeJIT64.cpp:
1088         (JSC::DFG::SpeculativeJIT::compile):
1089         * dfg/DFGStaticExecutionCountEstimationPhase.cpp:
1090         (JSC::DFG::StaticExecutionCountEstimationPhase::run):
1091         * dfg/DFGStrengthReductionPhase.cpp:
1092         (JSC::DFG::StrengthReductionPhase::handleNode):
1093         * dfg/DFGTierUpCheckInjectionPhase.cpp:
1094         (JSC::DFG::TierUpCheckInjectionPhase::run):
1095         (JSC::DFG::TierUpCheckInjectionPhase::buildNaturalLoopToLoopHintMap):
1096         * dfg/DFGTypeCheckHoistingPhase.cpp:
1097         (JSC::DFG::TypeCheckHoistingPhase::run):
1098         * dfg/DFGValidate.cpp:
1099         * ftl/FTLLink.cpp:
1100         (JSC::FTL::link):
1101         * ftl/FTLLowerDFGToB3.cpp:
1102         (JSC::FTL::DFG::LowerDFGToB3::lower):
1103         (JSC::FTL::DFG::LowerDFGToB3::safelyInvalidateAfterTermination):
1104         (JSC::FTL::DFG::LowerDFGToB3::isValid):
1105         * jit/JIT.h:
1106         * jit/JITInlines.h:
1107         (JSC::JIT::callOperation):
1108         * jit/JITOpcodes.cpp:
1109         (JSC::JIT::emit_op_catch):
1110         * jit/JITOpcodes32_64.cpp:
1111         (JSC::JIT::emit_op_catch):
1112         * jit/JITOperations.cpp:
1113         * jit/JITOperations.h:
1114         * llint/LLIntSlowPaths.cpp:
1115         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1116         * llint/LLIntSlowPaths.h:
1117         * llint/LowLevelInterpreter32_64.asm:
1118         * llint/LowLevelInterpreter64.asm:
1119
1120 2017-08-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1121
1122         Unreviewed, debug build fix
1123         https://bugs.webkit.org/show_bug.cgi?id=174355
1124
1125         * ftl/FTLLowerDFGToB3.cpp:
1126         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucketNext):
1127
1128 2017-08-23  Michael Saboff  <msaboff@apple.com>
1129
1130         REGRESSION (r221052): DumpRenderTree crashed in com.apple.JavaScriptCore: JSC::Yarr::YarrCodeBlock::execute + 137
1131         https://bugs.webkit.org/show_bug.cgi?id=175903
1132
1133         Reviewed by Saam Barati.
1134
1135         In generateCharacterClassGreedy we were incrementing the "count" register before checking
1136         for the end of the input string.  The at-end-of-input check is the final check before
1137         knowing that the current character matched.  In this case, the end of input check
1138         indicates that we ran out of prechecked characters and therefore should fail the match of
1139         the current character.  The backtracking code uses the value in the "count" register as
1140         the number of characters that successfully matched, which shouldn't include the current
1141         character.  Therefore we need to move the incrementing of "count" to after the
1142         at-end-of-input check.
1143
1144         Through code inspection of the expectations of other backtracking code, I determined that
1145         the non-greedy character class matching code had a similar issue.  I fixed that as well
1146         and added a new test case.
1147
1148         * yarr/YarrJIT.cpp:
1149         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
1150         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
1151
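Added example (the editor's model, not Yarr or JavaScriptCore code): a toy JavaScript greedy character-class loop with backtracking, written to show the point of the entry above, that "count" may only be incremented once the checks proving the current character matched have passed. The order of the two checks inside the loop (end of input first, then the class test) is the model's own simplification of the JIT's sequence; what matters is where the increment sits relative to them. As in the JIT, the backtracker derives its retry position from count rather than keeping a separate record, so an over-count lets it retry at positions the loop never matched, including one past the end of the input. The entry does not spell out the crash mechanism; the model's range check is the editor's guard, not something the JIT has. Function names and inputs are constructed for the example.

```javascript
// Added example, not Yarr code: a toy greedy character-class loop followed by
// backtracking. 'countBeforeChecks' reproduces the ordering the entry above
// fixes; false is the corrected ordering. Names and inputs are constructed.

// Matches inClass* greedily from 'start', then requires the literal 'suffix'
// right after the matched run, giving back one character per retry.
// Returns the index just past the suffix, or -1 when nothing matches.
function matchGreedyClassThenSuffix(input, start, inClass, suffix, countBeforeChecks) {
  let count = 0;      // class characters the loop has actually consumed
  let index = start;
  for (;;) {
    if (countBeforeChecks) count++;       // bug: counts a character not yet known to match
    if (index === input.length) break;    // at-end-of-input check
    if (!inClass(input[index])) break;    // character-class check
    if (!countBeforeChecks) count++;      // fix: count only after both checks passed
    index++;
  }
  // Backtracking. As in the JIT's backtrack path the retry position is derived
  // from count; nothing else records how far the loop really got.
  for (;;) {
    const pos = start + count;
    if (pos > input.length) {
      // Editor's guard, absent from the JIT: an over-count has produced a
      // position beyond the input, which a native matcher would read anyway.
      throw new RangeError(`backtrack position ${pos} is past end of input (${input.length})`);
    }
    if (input.startsWith(suffix, pos)) return pos + suffix.length;
    if (count === 0) return -1;
    count--;                              // give back one character and retry
  }
}

// The class used below: just the letter 'a'.
const isA = (ch) => ch === 'a';

// Cross-check against the real engine: /^a*<suffix>/ on the same input.
function referenceMatchEnd(input, suffix) {
  const m = new RegExp('^a*' + suffix).exec(input);
  return m === null ? -1 : m[0].length;
}
```

With the corrected ordering, `matchGreedyClassThenSuffix('aabab', 0, isA, 'ab', false)` agrees with the engine's `/^a*ab/` and ends at 3. With the buggy ordering the loop leaves count at 3 although only two characters matched, so the first retry is at position 3, where "ab" happens to be found, and the function reports a match ending at 5 that treats the unmatched 'b' at index 2 as consumed by the class. On input 'aaa' with suffix 'b' the buggy ordering over-counts at end of input and the retry position lands one past the string, which is where a native matcher would read out of bounds.
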
1152 2017-08-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1153
1154         [JSC] Optimize Map iteration with intrinsic
1155         https://bugs.webkit.org/show_bug.cgi?id=174355
1156
1157         Reviewed by Saam Barati.
1158
1159         This patch optimizes Map/Set iteration by taking an approach similar to Array iteration.
1160         We create a simple iterator object instead of JSMapIterator and JSSetIterator. And we
1161         directly handle Map/Set buckets in JS builtins. We carefully create mapIteratorNext and
1162         setIteratorNext functions which should be inlined. This leads to a significant performance boost
1163         when they are inlined in for-of iteration.
1164
1165         This patch changes how DFG and FTL handle MapBucket if the bucket is not found.
1166         Previously, we used nullptr for that, and DFG and FTL specially handled this nullptr as a bucket.
1167         Instead, this patch introduces sentinel buckets. They are marked as deleted, and not linked
1168         to any hash maps. And their key and value fields are filled with Undefined. By returning this
1169         sentinel bucket instead of returning nullptr, we simplify DFG and FTL's LoadXXXFromMapBucket
1170         code.
1171
1172         We still keep JSMapIterator and JSSetIterator because they are useful to serialize Map and Set
1173         in WebCore. So they are not used in user-observable JS. We change them from JS objects to JS cells.
1174
1175         Existing microbenchmarks show performance improvements.
1176
1177         large-map-iteration                           164.1622+-4.1618     ^     56.6284+-1.5355        ^ definitely 2.8989x faster
1178         set-for-of                                     15.4369+-1.0631     ^      9.2955+-0.5979        ^ definitely 1.6607x faster
1179         map-for-each                                    7.5889+-0.5792     ^      6.3011+-0.4816        ^ definitely 1.2044x faster
1180         map-for-of                                     32.3904+-1.3003     ^     12.6907+-0.6118        ^ definitely 2.5523x faster
1181         map-rehash                                     13.9275+-0.9187     ^     11.5367+-0.6430        ^ definitely 1.2072x faster
1182
1183         * CMakeLists.txt:
1184         * DerivedSources.make:
1185         * builtins/ArrayPrototype.js:
1186         (globalPrivate.createArrayIterator):
1187         * builtins/BuiltinNames.h:
1188         * builtins/MapIteratorPrototype.js: Copied from Source/JavaScriptCore/builtins/MapPrototype.js.
1189         (globalPrivate.mapIteratorNext):
1190         (next):
1191         * builtins/MapPrototype.js:
1192         (globalPrivate.createMapIterator):
1193         (values):
1194         (keys):
1195         (entries):
1196         (forEach):
1197         * builtins/SetIteratorPrototype.js: Copied from Source/JavaScriptCore/builtins/MapPrototype.js.
1198         (globalPrivate.setIteratorNext):
1199         (next):
1200         * builtins/SetPrototype.js:
1201         (globalPrivate.createSetIterator):
1202         (values):
1203         (entries):
1204         (forEach):
1205         * bytecode/BytecodeIntrinsicRegistry.cpp:
1206         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1207         * bytecode/BytecodeIntrinsicRegistry.h:
1208         * bytecode/SpeculatedType.h:
1209         * dfg/DFGAbstractInterpreterInlines.h:
1210         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1211         * dfg/DFGByteCodeParser.cpp:
1212         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1213         * dfg/DFGClobberize.h:
1214         (JSC::DFG::clobberize):
1215         * dfg/DFGDoesGC.cpp:
1216         (JSC::DFG::doesGC):
1217         * dfg/DFGFixupPhase.cpp:
1218         (JSC::DFG::FixupPhase::fixupNode):
1219         * dfg/DFGHeapLocation.cpp:
1220         (WTF::printInternal):
1221         * dfg/DFGHeapLocation.h:
1222         * dfg/DFGNode.h:
1223         (JSC::DFG::Node::hasHeapPrediction):
1224         (JSC::DFG::Node::hasBucketOwnerType):
1225         (JSC::DFG::Node::bucketOwnerType):
1226         (JSC::DFG::Node::OpInfoWrapper::as const):
1227         * dfg/DFGNodeType.h:
1228         * dfg/DFGOperations.cpp:
1229         * dfg/DFGPredictionPropagationPhase.cpp:
1230         * dfg/DFGSafeToExecute.h:
1231         (JSC::DFG::safeToExecute):
1232         * dfg/DFGSpeculativeJIT.cpp:
1233         (JSC::DFG::SpeculativeJIT::compileGetMapBucketHead):
1234         (JSC::DFG::SpeculativeJIT::compileGetMapBucketNext):
1235         (JSC::DFG::SpeculativeJIT::compileLoadKeyFromMapBucket):
1236         (JSC::DFG::SpeculativeJIT::compileLoadValueFromMapBucket):
1237         (JSC::DFG::SpeculativeJIT::compileCompareEqPtr): Deleted.
1238         * dfg/DFGSpeculativeJIT.h:
1239         * dfg/DFGSpeculativeJIT32_64.cpp:
1240         (JSC::DFG::SpeculativeJIT::compileCompareEqPtr):
1241         (JSC::DFG::SpeculativeJIT::compile):
1242         * dfg/DFGSpeculativeJIT64.cpp:
1243         (JSC::DFG::SpeculativeJIT::compileCompareEqPtr):
1244         (JSC::DFG::SpeculativeJIT::compile):
1245         * ftl/FTLAbstractHeapRepository.h:
1246         * ftl/FTLCapabilities.cpp:
1247         (JSC::FTL::canCompile):
1248         * ftl/FTLLowerDFGToB3.cpp:
1249         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1250         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
1251         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucketHead):
1252         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucketNext):
1253         (JSC::FTL::DFG::LowerDFGToB3::compileLoadValueFromMapBucket):
1254         (JSC::FTL::DFG::LowerDFGToB3::compileLoadKeyFromMapBucket):
1255         (JSC::FTL::DFG::LowerDFGToB3::setStorage):
1256         (JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket): Deleted.
1257         (JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket): Deleted.
1258         (JSC::FTL::DFG::LowerDFGToB3::lowMapBucket): Deleted.
1259         (JSC::FTL::DFG::LowerDFGToB3::setMapBucket): Deleted.
1260         * inspector/JSInjectedScriptHost.cpp:
1261         (Inspector::JSInjectedScriptHost::subtype):
1262         (Inspector::JSInjectedScriptHost::getInternalProperties):
1263         (Inspector::cloneMapIteratorObject):
1264         (Inspector::cloneSetIteratorObject):
1265         (Inspector::JSInjectedScriptHost::iteratorEntries):
1266         * runtime/HashMapImpl.h:
1267         (JSC::HashMapBucket::createSentinel):
1268         (JSC::HashMapBucket::offsetOfNext):
1269         (JSC::HashMapBucket::offsetOfDeleted):
1270         (JSC::HashMapImpl::offsetOfHead):
1271         * runtime/Intrinsic.cpp:
1272         (JSC::intrinsicName):
1273         * runtime/Intrinsic.h:
1274         * runtime/JSGlobalObject.cpp:
1275         (JSC::JSGlobalObject::init):
1276         * runtime/JSGlobalObject.h:
1277         * runtime/JSMap.h:
1278         * runtime/JSMapIterator.cpp:
1279         (JSC::JSMapIterator::clone): Deleted.
1280         * runtime/JSMapIterator.h:
1281         (JSC::JSMapIterator::iteratedValue const):
1282         * runtime/JSSet.h:
1283         * runtime/JSSetIterator.cpp:
1284         (JSC::JSSetIterator::clone): Deleted.
1285         * runtime/JSSetIterator.h:
1286         (JSC::JSSetIterator::iteratedValue const):
1287         * runtime/MapConstructor.cpp:
1288         (JSC::mapPrivateFuncMapBucketHead):
1289         (JSC::mapPrivateFuncMapBucketNext):
1290         (JSC::mapPrivateFuncMapBucketKey):
1291         (JSC::mapPrivateFuncMapBucketValue):
1292         * runtime/MapConstructor.h:
1293         * runtime/MapIteratorPrototype.cpp:
1294         (JSC::MapIteratorPrototype::finishCreation):
1295         (JSC::MapIteratorPrototypeFuncNext): Deleted.
1296         * runtime/MapPrototype.cpp:
1297         (JSC::MapPrototype::finishCreation):
1298         (JSC::mapProtoFuncValues): Deleted.
1299         (JSC::mapProtoFuncEntries): Deleted.
1300         (JSC::mapProtoFuncKeys): Deleted.
1301         (JSC::privateFuncMapIterator): Deleted.
1302         (JSC::privateFuncMapIteratorNext): Deleted.
1303         * runtime/MapPrototype.h:
1304         * runtime/SetConstructor.cpp:
1305         (JSC::setPrivateFuncSetBucketHead):
1306         (JSC::setPrivateFuncSetBucketNext):
1307         (JSC::setPrivateFuncSetBucketKey):
1308         * runtime/SetConstructor.h:
1309         * runtime/SetIteratorPrototype.cpp:
1310         (JSC::SetIteratorPrototype::finishCreation):
1311         (JSC::SetIteratorPrototypeFuncNext): Deleted.
1312         * runtime/SetPrototype.cpp:
1313         (JSC::SetPrototype::finishCreation):
1314         (JSC::setProtoFuncSize):
1315         (JSC::setProtoFuncValues): Deleted.
1316         (JSC::setProtoFuncEntries): Deleted.
1317         (JSC::privateFuncSetIterator): Deleted.
1318         (JSC::privateFuncSetIteratorNext): Deleted.
1319         * runtime/SetPrototype.h:
1320         * runtime/VM.cpp:
1321         (JSC::VM::VM):
1322         * runtime/VM.h:
1323
1324 2017-08-23  David Kilzer  <ddkilzer@apple.com>
1325
1326         Fix -Wcast-qual warnings in JavaScriptCore with new clang compiler
1327         <https://webkit.org/b/175889>
1328         <rdar://problem/33667497>
1329
1330         Reviewed by Mark Lam.
1331
1332         * API/ObjCCallbackFunction.mm:
1333         (JSC::objCCallbackFunctionCallAsConstructor): Use
1334         const_cast<JSObjectRef>() since JSValueRef is const while
1335         JSObjectRef is not.
1336         * API/tests/CurrentThisInsideBlockGetterTest.mm:
1337         (+[JSValue valueWithConstructorDescriptor:inContext:]): Use
1338         const_cast<void*>() since JSObjectMake() takes a void*, but
1339         CFBridgingRetain() returns const void*.
1340
1341 2017-08-23  Robin Morisset  <rmorisset@apple.com>
1342
1343         Make GetDynamicVar propagate heap predictions instead of saying HeapTop
1344         https://bugs.webkit.org/show_bug.cgi?id=175738
1345
1346         Reviewed by Saam Barati.
1347
1348         The heap prediction always ends up in m_opInfo2. But GetDynamicVar was already storing getPutInfo in there.
1349         So we move that one into m_opInfo. We can do this because it is 32-bit, and the already present identifierNumber
1350         is also 32-bit, so we can pack both in m_opInfo (which is 64 bits).
1351
1352         * dfg/DFGByteCodeParser.cpp:
1353         (JSC::DFG::makeDynamicVarOpInfo):
1354         (JSC::DFG::ByteCodeParser::parseBlock):
1355         * dfg/DFGNode.h:
1356         (JSC::DFG::Node::getPutInfo):
1357         (JSC::DFG::Node::hasHeapPrediction):
1358         * dfg/DFGPredictionPropagationPhase.cpp:
1359
1360 2017-08-23  Skachkov Oleksandr  <gskachkov@gmail.com>
1361
1362         [ESNext] Async iteration - Implement Async Generator - runtime
1363         https://bugs.webkit.org/show_bug.cgi?id=175240
1364
1365         Reviewed by Yusuke Suzuki.
1366
1367         The current implementation is a draft version of Async Iteration.
1368         Link to spec: https://tc39.github.io/proposal-async-iteration/
1369
1370         To implement async generators, new states were added that show the reason why an async generator was suspended:
1371         # yield - return a promise with the result
1372         # await - wait until the promise is resolved and then continue
1373
1374         The main difference between an async function and an async generator is that
1375         an async function returns a promise, but an async generator returns an
1376         object with methods (next, throw and return) that return a promise that
1377         can be resolved with a pair of properties, value and done.
1378         Async generator functions are similar to generator functions, with the following differences:
1379         # When called, async generator functions return an object, an async generator,
1380         whose methods (next, throw, and return) return promises for { value, done },
1381         instead of directly returning { value, done }.
1382         This automatically makes the returned async generator objects async iterators.
1383         # await expressions and for-await-of statements are allowed.
1384         # The behavior of yield* is modified to support
1385           delegation to sync and async iterables.
1386
1387         * CMakeLists.txt:
1388         * DerivedSources.make:
1389         * JavaScriptCore.xcodeproj/project.pbxproj:
1390         * builtins/AsyncFromSyncIteratorPrototype.js: Added.
1391         (next.try):
1392         (next):
1393         (return.try):
1394         (return):
1395         (throw.try):
1396         (throw):
1397         (globalPrivate.createAsyncFromSyncIterator):
1398         (globalPrivate.AsyncFromSyncIteratorConstructor):
1399         * builtins/AsyncGeneratorPrototype.js: Added.
1400         (globalPrivate.createAsyncGeneratorQueue):
1401         (globalPrivate.asyncGeneratorQueueIsEmpty):
1402         (globalPrivate.asyncGeneratorQueueCreateItem):
1403         (globalPrivate.asyncGeneratorQueueEnqueue):
1404         (globalPrivate.asyncGeneratorQueueDequeue):
1405         (globalPrivate.asyncGeneratorQueueGetFirstValue):
1406         (globalPrivate.asyncGeneratorDequeue):
1407         (globalPrivate.isExecutionState):
1408         (globalPrivate.isSuspendYieldState):
1409         (globalPrivate.asyncGeneratorReject):
1410         (globalPrivate.asyncGeneratorResolve):
1411         (asyncGeneratorYieldAwaited):
1412         (globalPrivate.asyncGeneratorYield):
1413         (const.onRejected):
1414         (globalPrivate.awaitValue):
1415         (const.onFulfilled):
1416         (globalPrivate.doAsyncGeneratorBodyCall):
1417         (globalPrivate.asyncGeneratorResumeNext.):
1418         (globalPrivate.asyncGeneratorResumeNext):
1419         (globalPrivate.asyncGeneratorEnqueue):
1420         (next):
1421         (return):
1422         (throw):
1423         * builtins/AsyncIteratorPrototype.js: Added.
1424         (symbolAsyncIteratorGetter):
1425         * builtins/BuiltinNames.h:
1426         * bytecode/BytecodeDumper.cpp:
1427         (JSC::BytecodeDumper<Block>::dumpBytecode):
1428         * bytecode/BytecodeIntrinsicRegistry.cpp:
1429         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1430         * bytecode/BytecodeIntrinsicRegistry.h:
1431         * bytecode/BytecodeList.json:
1432         * bytecode/BytecodeUseDef.h:
1433         (JSC::computeUsesForBytecodeOffset):
1434         (JSC::computeDefsForBytecodeOffset):
1435         * bytecompiler/BytecodeGenerator.cpp:
1436         (JSC::BytecodeGenerator::BytecodeGenerator):
1437         (JSC::BytecodeGenerator::emitCreateAsyncGeneratorQueue):
1438         (JSC::BytecodeGenerator::emitPutAsyncGeneratorFields):
1439         (JSC::BytecodeGenerator::emitNewFunctionExpressionCommon):
1440         (JSC::BytecodeGenerator::emitNewFunction):
1441         (JSC::BytecodeGenerator::emitIteratorNextWithValue):
1442         (JSC::BytecodeGenerator::emitIteratorClose):
1443         (JSC::BytecodeGenerator::emitYieldPoint):
1444         (JSC::BytecodeGenerator::emitYield):
1445         (JSC::BytecodeGenerator::emitCallIterator):
1446         (JSC::BytecodeGenerator::emitAwait):
1447         (JSC::BytecodeGenerator::emitGetIterator):
1448         (JSC::BytecodeGenerator::emitGetAsyncIterator):
1449         (JSC::BytecodeGenerator::emitDelegateYield):
1450         * bytecompiler/BytecodeGenerator.h:
1451         * bytecompiler/NodesCodegen.cpp:
1452         (JSC::ReturnNode::emitBytecode):
1453         (JSC::FunctionNode::emitBytecode):
1454         (JSC::YieldExprNode::emitBytecode):
1455         (JSC::AwaitExprNode::emitBytecode):
1456         * dfg/DFGAbstractInterpreterInlines.h:
1457         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1458         * dfg/DFGByteCodeParser.cpp:
1459         (JSC::DFG::ByteCodeParser::parseBlock):
1460         * dfg/DFGCapabilities.cpp:
1461         (JSC::DFG::capabilityLevel):
1462         * dfg/DFGClobberize.h:
1463         (JSC::DFG::clobberize):
1464         * dfg/DFGClobbersExitState.cpp:
1465         (JSC::DFG::clobbersExitState):
1466         * dfg/DFGDoesGC.cpp:
1467         (JSC::DFG::doesGC):
1468         * dfg/DFGFixupPhase.cpp:
1469         (JSC::DFG::FixupPhase::fixupNode):
1470         * dfg/DFGMayExit.cpp:
1471         * dfg/DFGNode.h:
1472         (JSC::DFG::Node::convertToPhantomNewFunction):
1473         (JSC::DFG::Node::convertToPhantomNewAsyncGeneratorFunction):
1474         (JSC::DFG::Node::hasCellOperand):
1475         (JSC::DFG::Node::isFunctionAllocation):
1476         (JSC::DFG::Node::isPhantomFunctionAllocation):
1477         (JSC::DFG::Node::isPhantomAllocation):
1478         * dfg/DFGNodeType.h:
1479         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1480         * dfg/DFGPredictionPropagationPhase.cpp:
1481         * dfg/DFGSafeToExecute.h:
1482         (JSC::DFG::safeToExecute):
1483         * dfg/DFGSpeculativeJIT.cpp:
1484         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1485         * dfg/DFGSpeculativeJIT32_64.cpp:
1486         (JSC::DFG::SpeculativeJIT::compile):
1487         * dfg/DFGSpeculativeJIT64.cpp:
1488         (JSC::DFG::SpeculativeJIT::compile):
1489         * dfg/DFGStoreBarrierInsertionPhase.cpp:
1490         * dfg/DFGValidate.cpp:
1491         * ftl/FTLCapabilities.cpp:
1492         (JSC::FTL::canCompile):
1493         * ftl/FTLLowerDFGToB3.cpp:
1494         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1495         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
1496         * ftl/FTLOperations.cpp:
1497         (JSC::FTL::operationPopulateObjectInOSR):
1498         (JSC::FTL::operationMaterializeObjectInOSR):
1499         * jit/JIT.cpp:
1500         (JSC::JIT::privateCompileMainPass):
1501         * jit/JIT.h:
1502         * jit/JITOpcodes.cpp:
1503         (JSC::JIT::emitNewFuncCommon):
1504         (JSC::JIT::emit_op_new_async_generator_func):
1505         (JSC::JIT::emit_op_new_async_func):
1506         (JSC::JIT::emitNewFuncExprCommon):
1507         (JSC::JIT::emit_op_new_async_generator_func_exp):
1508         * jit/JITOperations.cpp:
1509         * jit/JITOperations.h:
1510         * llint/LLIntSlowPaths.cpp:
1511         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1512         * llint/LLIntSlowPaths.h:
1513         * llint/LowLevelInterpreter.asm:
1514         * parser/ASTBuilder.h:
1515         (JSC::ASTBuilder::createFunctionMetadata):
1516         * runtime/AsyncFromSyncIteratorPrototype.cpp: Added.
1517         (JSC::AsyncFromSyncIteratorPrototype::AsyncFromSyncIteratorPrototype):
1518         (JSC::AsyncFromSyncIteratorPrototype::finishCreation):
1519         (JSC::AsyncFromSyncIteratorPrototype::create):
1520         * runtime/AsyncFromSyncIteratorPrototype.h: Added.
1521         (JSC::AsyncFromSyncIteratorPrototype::createStructure):
1522         * runtime/AsyncGeneratorFunctionConstructor.cpp: Added.
1523         (JSC::AsyncGeneratorFunctionConstructor::AsyncGeneratorFunctionConstructor):
1524         (JSC::AsyncGeneratorFunctionConstructor::finishCreation):
1525         (JSC::callAsyncGeneratorFunctionConstructor):
1526         (JSC::constructAsyncGeneratorFunctionConstructor):
1527         (JSC::AsyncGeneratorFunctionConstructor::getCallData):
1528         (JSC::AsyncGeneratorFunctionConstructor::getConstructData):
1529         * runtime/AsyncGeneratorFunctionConstructor.h: Added.
1530         (JSC::AsyncGeneratorFunctionConstructor::create):
1531         (JSC::AsyncGeneratorFunctionConstructor::createStructure):
1532         * runtime/AsyncGeneratorFunctionPrototype.cpp: Added.
1533         (JSC::AsyncGeneratorFunctionPrototype::AsyncGeneratorFunctionPrototype):
1534         (JSC::AsyncGeneratorFunctionPrototype::finishCreation):
1535         * runtime/AsyncGeneratorFunctionPrototype.h: Added.
1536         (JSC::AsyncGeneratorFunctionPrototype::create):
1537         (JSC::AsyncGeneratorFunctionPrototype::createStructure):
1538         * runtime/AsyncGeneratorPrototype.cpp: Added.
1539         (JSC::AsyncGeneratorPrototype::finishCreation):
1540         * runtime/AsyncGeneratorPrototype.h: Added.
1541         (JSC::AsyncGeneratorPrototype::create):
1542         (JSC::AsyncGeneratorPrototype::createStructure):
1543         (JSC::AsyncGeneratorPrototype::AsyncGeneratorPrototype):
1544         * runtime/AsyncIteratorPrototype.cpp: Added.
1545         (JSC::AsyncIteratorPrototype::finishCreation):
1546         * runtime/AsyncIteratorPrototype.h: Added.
1547         (JSC::AsyncIteratorPrototype::create):
1548         (JSC::AsyncIteratorPrototype::createStructure):
1549         (JSC::AsyncIteratorPrototype::AsyncIteratorPrototype):
1550         * runtime/CommonIdentifiers.h:
1551         * runtime/FunctionConstructor.cpp:
1552         (JSC::constructFunctionSkippingEvalEnabledCheck):
1553         * runtime/FunctionConstructor.h:
1554         * runtime/FunctionExecutable.h:
1555         * runtime/JSAsyncGeneratorFunction.cpp: Added.
1556         (JSC::JSAsyncGeneratorFunction::JSAsyncGeneratorFunction):
1557         (JSC::JSAsyncGeneratorFunction::createImpl):
1558         (JSC::JSAsyncGeneratorFunction::create):
1559         (JSC::JSAsyncGeneratorFunction::createWithInvalidatedReallocationWatchpoint):
1560         * runtime/JSAsyncGeneratorFunction.h: Added.
1561         (JSC::JSAsyncGeneratorFunction::allocationSize):
1562         (JSC::JSAsyncGeneratorFunction::createStructure):
1563         * runtime/JSFunction.cpp:
1564         (JSC::JSFunction::getOwnPropertySlot):
1565         * runtime/JSGlobalObject.cpp:
1566         (JSC::JSGlobalObject::init):
1567         (JSC::JSGlobalObject::visitChildren):
1568         * runtime/JSGlobalObject.h:
1569         (JSC::JSGlobalObject::asyncIteratorPrototype const):
1570         (JSC::JSGlobalObject::asyncGeneratorPrototype const):
1571         (JSC::JSGlobalObject::asyncGeneratorFunctionPrototype const):
1572         (JSC::JSGlobalObject::asyncGeneratorFunctionStructure const):
1573         * runtime/Options.h:
1574
1575 2017-08-22  Michael Saboff  <msaboff@apple.com>
1576
1577         Implement Unicode RegExp support in the YARR JIT
1578         https://bugs.webkit.org/show_bug.cgi?id=174646
1579
1580         Reviewed by Filip Pizlo.
1581
1582         This support is only implemented for 64 bit platforms.  It wouldn't be too hard to add support
1583         for 32 bit platforms with a reasonable number of spare registers.  This code slightly refactors
1584         register usage to reduce the number of callee save registers used for non-Unicode expressions.
1585         For Unicode expressions, there are several more registers used to store constant values for
1586         processing surrogate pairs as well as discerning whether a character belongs to the Basic
1587         Multilingual Plane (BMP) or one of the Supplemental Planes.
1588
1589         This implements JIT support for Unicode expressions very similar to how the interpreter works.
1590         Just like in the interpreter, backtracking code uses more space on the stack to save positions.
1591         Moved the BackTrackInfo* structs to YarrPattern as separate functions.  Added xxxIndex()
1592         functions to each of these to simplify how the JIT code reads and writes the structure fields.
1593
1594         Given that reading surrogate pairs and transforming them into a single code point takes a
1595         little processing, the code that implements reading a Unicode character is implemented as a
1596         leaf function added to the end of the JIT'ed code.  The calling convention for
1597         "tryReadUnicodeCharacterHelper()" is non-standard given that the rest of the code assumes
1598         that argument values stay in argument registers for most of the generated code.
1599         That helper takes the starting character address in one register, regUnicodeInputAndTrail,
1600         and uses another dedicated temporary register, regUnicodeTemp.  The result is typically
1601         returned in regT0.  If another return register is requested, we'll create an inline copy of
1602         that function.
1603
1604         Added a new flag to CharacterClass to signify if a class has non-BMP characters.  This flag
1605         is used in optimizeAlternative() where we swap the order of a fixed character class term with
1606         a fixed character term that immediately follows it.  Since the non-BMP character class may
1607         increment "index" when matching, that must be done first before trying to match a fixed
1608         character term later in the string.
1609
1610         Given the usefulness of the LEA instruction on X86 to create a single pointer value from a
1611         base with index and offset, which the YARR JIT uses heavily, I added a new macroAssembler
1612         function, getEffectiveAddress64(), with an ARM64 implementation.  It just calls x86Lea64()
1613         on X86-64.  Also added an ImplicitAddress version of load16Unaligned().
1614
1615         (JSC::MacroAssemblerARM64::load16Unaligned):
1616         (JSC::MacroAssemblerARM64::getEffectiveAddress64):
1617         * assembler/MacroAssemblerX86Common.h:
1618         (JSC::MacroAssemblerX86Common::load16Unaligned):
1619         (JSC::MacroAssemblerX86Common::load16):
1620         * assembler/MacroAssemblerX86_64.h:
1621         (JSC::MacroAssemblerX86_64::getEffectiveAddress64):
1622         * create_regex_tables:
1623         * runtime/RegExp.cpp:
1624         (JSC::RegExp::compile):
1625         * yarr/YarrInterpreter.cpp:
1626         * yarr/YarrJIT.cpp:
1627         (JSC::Yarr::YarrGenerator::optimizeAlternative):
1628         (JSC::Yarr::YarrGenerator::matchCharacterClass):
1629         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
1630         (JSC::Yarr::YarrGenerator::tryReadUnicodeChar):
1631         (JSC::Yarr::YarrGenerator::readCharacter):
1632         (JSC::Yarr::YarrGenerator::jumpIfCharNotEquals):
1633         (JSC::Yarr::YarrGenerator::matchAssertionWordchar):
1634         (JSC::Yarr::YarrGenerator::generateAssertionWordBoundary):
1635         (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
1636         (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
1637         (JSC::Yarr::YarrGenerator::generatePatternCharacterGreedy):
1638         (JSC::Yarr::YarrGenerator::backtrackPatternCharacterGreedy):
1639         (JSC::Yarr::YarrGenerator::generatePatternCharacterNonGreedy):
1640         (JSC::Yarr::YarrGenerator::backtrackPatternCharacterNonGreedy):
1641         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
1642         (JSC::Yarr::YarrGenerator::backtrackCharacterClassOnce):
1643         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
1644         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
1645         (JSC::Yarr::YarrGenerator::backtrackCharacterClassGreedy):
1646         (JSC::Yarr::YarrGenerator::generateCharacterClassNonGreedy):
1647         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
1648         (JSC::Yarr::YarrGenerator::generate):
1649         (JSC::Yarr::YarrGenerator::backtrack):
1650         (JSC::Yarr::YarrGenerator::generateTryReadUnicodeCharacterHelper):
1651         (JSC::Yarr::YarrGenerator::generateEnter):
1652         (JSC::Yarr::YarrGenerator::generateReturn):
1653         (JSC::Yarr::YarrGenerator::YarrGenerator):
1654         (JSC::Yarr::YarrGenerator::compile):
1655         * yarr/YarrJIT.h:
1656         * yarr/YarrPattern.cpp:
1657         (JSC::Yarr::CharacterClassConstructor::CharacterClassConstructor):
1658         (JSC::Yarr::CharacterClassConstructor::reset):
1659         (JSC::Yarr::CharacterClassConstructor::charClass):
1660         (JSC::Yarr::CharacterClassConstructor::addSorted):
1661         (JSC::Yarr::CharacterClassConstructor::addSortedRange):
1662         (JSC::Yarr::CharacterClassConstructor::hasNonBMPCharacters):
1663         (JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets):
1664         * yarr/YarrPattern.h:
1665         (JSC::Yarr::CharacterClass::CharacterClass):
1666         (JSC::Yarr::BackTrackInfoPatternCharacter::beginIndex):
1667         (JSC::Yarr::BackTrackInfoPatternCharacter::matchAmountIndex):
1668         (JSC::Yarr::BackTrackInfoCharacterClass::beginIndex):
1669         (JSC::Yarr::BackTrackInfoCharacterClass::matchAmountIndex):
1670         (JSC::Yarr::BackTrackInfoBackReference::beginIndex):
1671         (JSC::Yarr::BackTrackInfoBackReference::matchAmountIndex):
1672         (JSC::Yarr::BackTrackInfoAlternative::offsetIndex):
1673         (JSC::Yarr::BackTrackInfoParentheticalAssertion::beginIndex):
1674         (JSC::Yarr::BackTrackInfoParenthesesOnce::beginIndex):
1675         (JSC::Yarr::BackTrackInfoParenthesesTerminal::beginIndex):
1676
1677 2017-08-22  Per Arne Vollan  <pvollan@apple.com>
1678
1679         Implement 64-bit MacroAssembler::probe support for Windows.
1680         https://bugs.webkit.org/show_bug.cgi?id=175724
1681
1682         Reviewed by Mark Lam.
1683
1684         This is needed to enable the DFG. MSVC no longer supports inline assembly
1685         for 64-bit, which means we have to put the code in an asm file.
1686
1687         * assembler/MacroAssemblerX86Common.cpp:
1688         (JSC::booleanTrueForAvoidingNoReturnDeclaration): Deleted.
1689         * jit/JITStubsMSVC64.asm:
1690
1691 2017-08-22  Devin Rousso  <webkit@devinrousso.com>
1692
1693         Web Inspector: provide way for ShaderPrograms to be enabled/disabled
1694         https://bugs.webkit.org/show_bug.cgi?id=175400
1695
1696         Reviewed by Matt Baker.
1697
1698         * inspector/protocol/Canvas.json:
1699         Add `setShaderProgramDisabled` command that sets the `disabled` flag on the given shader
1700         program to the supplied boolean value. If this value is true, calls to `drawArrays` and
1701         `drawElements` when that program is in use will have no effect.
1702
1703 2017-08-22  Keith Miller  <keith_miller@apple.com>
1704
1705         Unreviewed, fix windows build... for realz.
1706
1707         * CMakeLists.txt:
1708
1709 2017-08-22  Saam Barati  <sbarati@apple.com>
1710
1711         We are using valueProfileForBytecodeOffset when there may not be a value profile
1712         https://bugs.webkit.org/show_bug.cgi?id=175812
1713
1714         Reviewed by Michael Saboff.
1715
1716         This patch uses the type system to aid the code around CodeBlock's ValueProfile
1717         accessor methods. valueProfileForBytecodeOffset used to return ValueProfile*,
1718         so there were callers of this that thought it could return nullptr when there
1719         was no such ValueProfile. This was not the case, it always returned a non-null
1720         pointer. This patch changes valueProfileForBytecodeOffset to return ValueProfile&
1721         and adds a new tryGetValueProfileForBytecodeOffset method that returns ValueProfile*
1722         and does the right thing if there is no such ValueProfile.
1723
1724         This patch also changes the other ValueProfile accessors on CodeBlock to
1725         return ValueProfile& instead of ValueProfile*. Some callers handled the null
1726         case unnecessarily, and using the type system to specify the result can't be
1727         null removes these useless branches.
1728
1729         * bytecode/CodeBlock.cpp:
1730         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
1731         (JSC::CodeBlock::dumpValueProfiles):
1732         (JSC::CodeBlock::tryGetValueProfileForBytecodeOffset):
1733         (JSC::CodeBlock::valueProfileForBytecodeOffset):
1734         (JSC::CodeBlock::validate):
1735         * bytecode/CodeBlock.h:
1736         (JSC::CodeBlock::valueProfileForArgument):
1737         (JSC::CodeBlock::valueProfile):
1738         (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
1739         (JSC::CodeBlock::getFromAllValueProfiles):
1740         * dfg/DFGByteCodeParser.cpp:
1741         (JSC::DFG::ByteCodeParser::handleInlining):
1742         * dfg/DFGGraph.cpp:
1743         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
1744         * dfg/DFGPredictionInjectionPhase.cpp:
1745         (JSC::DFG::PredictionInjectionPhase::run):
1746         * jit/JIT.h:
1747         * jit/JITInlines.h:
1748         (JSC::JIT::emitValueProfilingSite):
1749         * profiler/ProfilerBytecodeSequence.cpp:
1750         (JSC::Profiler::BytecodeSequence::BytecodeSequence):
1751         * tools/HeapVerifier.cpp:
1752         (JSC::HeapVerifier::validateJSCell):
1753
1754 2017-08-22  Keith Miller  <keith_miller@apple.com>
1755
1756         Unreviewed, fix windows build... maybe.
1757
1758         * CMakeLists.txt:
1759
1760 2017-08-22  Keith Miller  <keith_miller@apple.com>
1761
1762         Unreviewed, fix cloop build.
1763
1764         * JavaScriptCore.xcodeproj/project.pbxproj:
1765
1766 2017-08-22  Per Arne Vollan  <pvollan@apple.com>
1767
1768         [Win][Release] Crash when running testmasm executable.
1769         https://bugs.webkit.org/show_bug.cgi?id=175772
1770
1771         Reviewed by Mark Lam.
1772
1773         We need to save and restore the modified registers in case one or more registers are callee saved
1774         on the relevant platforms.
1775
1776         * assembler/testmasm.cpp:
1777         (JSC::testProbeReadsArgumentRegisters):
1778         (JSC::testProbeWritesArgumentRegisters):
1779
1780 2017-08-21  Mark Lam  <mark.lam@apple.com>
1781
1782         Change probe code to use static_assert instead of COMPILE_ASSERT.
1783         https://bugs.webkit.org/show_bug.cgi?id=175762
1784
1785         Reviewed by JF Bastien.
1786
1787         * assembler/MacroAssemblerARM.cpp:
1788         * assembler/MacroAssemblerARM64.cpp:
1789         (JSC::MacroAssembler::probe): Deleted.
1790         * assembler/MacroAssemblerARMv7.cpp:
1791         * assembler/MacroAssemblerX86Common.cpp:
1792
1793 2017-08-21  Keith Miller  <keith_miller@apple.com>
1794
1795         Make generate_offset_extractor.rb architectures argument more robust
1796         https://bugs.webkit.org/show_bug.cgi?id=175809
1797
1798         Reviewed by Joseph Pecoraro.
1799
1800         It turns out that some of our builders pass their architectures as
1801         space separated lists.  I decided to just make the splitting of
1802         our list robust to any reasonable combination of spaces and
1803         commas.
1804
1805         * offlineasm/generate_offset_extractor.rb:
1806
1807 2017-08-21  Keith Miller  <keith_miller@apple.com>
1808
1809         Only generate offline asm for the ARCHS (xcodebuild) or the current system (CMake)
1810         https://bugs.webkit.org/show_bug.cgi?id=175690
1811
1812         Reviewed by Michael Saboff.
1813
1814         This should reduce some of the time we spend building offline asm
1815         in our builds (except for linux since they already did this).
1816
1817         * CMakeLists.txt:
1818         * JavaScriptCore.xcodeproj/project.pbxproj:
1819         * offlineasm/backends.rb:
1820         * offlineasm/generate_offset_extractor.rb:
1821
1822 2017-08-20  Mark Lam  <mark.lam@apple.com>
1823
1824         Gardening: fix CLoop build.
1825         https://bugs.webkit.org/show_bug.cgi?id=175688
1826         <rdar://problem/33436870>
1827
1828         Not reviewed.
1829
1830         Make these files dependent on ENABLE(MASM_PROBE).
1831
1832         * assembler/ProbeContext.cpp:
1833         * assembler/ProbeContext.h:
1834         * assembler/ProbeStack.cpp:
1835         * assembler/ProbeStack.h:
1836
1837 2017-08-20  Mark Lam  <mark.lam@apple.com>
1838
1839         Enhance MacroAssembler::probe() to allow the probe function to resize the stack frame and alter stack data in one pass.
1840         https://bugs.webkit.org/show_bug.cgi?id=175688
1841         <rdar://problem/33436870>
1842
1843         Reviewed by JF Bastien.
1844
1845         With this patch, the clients of the MacroAssembler::probe() can now change
1846         stack values without having to worry about whether there is enough room in the
1847         current stack frame for it or not.  This is done using the Probe::Context's stack
1848         member like so:
1849
1850             jit.probe([] (Probe::Context& context) {
1851                 auto cpu = context.cpu;
1852                 auto stack = context.stack();
1853                 uintptr_t* currentSP = cpu.sp<uintptr_t*>();
1854
1855                 // Get a value at the current stack pointer location.
1856                 auto value = stack.get<uintptr_t>(currentSP);
1857
1858                 // Set a value above the current stack pointer (within current frame).
1859                 stack.set<uintptr_t>(currentSP + 10, value);
1860
1861                 // Set a value below the current stack pointer (out of current frame).
1862                 stack.set<uintptr_t>(currentSP - 10, value);
1863
1864                 // Set the new stack pointer.
1865                 cpu.sp() = currentSP - 20;
1866             });
1867
1868         What happens behind the scene:
1869
1870         1. the generated JIT probe code will now call Probe::executeProbe(), and
1871            Probe::executeProbe() will in turn call the client's probe function.
1872
1873            Probe::executeProbe() receives the Probe::State on the machine stack passed
1874            to it by the probe trampoline.  Probe::executeProbe() will instantiate a
1875            Probe::Context to be passed to the client's probe function.  The client will
1876            no longer see the Probe::State directly.
1877
1878         2. The Probe::Context comes with a Probe::Stack which serves as a manager of
1879            stack pages.  Currently, each page is 1K in size.
1880            Probe::Context::stack() returns a reference to an instance of Probe::Stack.
1881
1882         3. Invoking get() or set() on Probe::Stack with an address will lead to the
1883            following:
1884
1885            a. the address will be decoded to a baseAddress that points to the 1K page
1886               that contains that address.
1887
1888            b. the Probe::Stack will check if it already has a cached 1K page for that baseAddress.
1889               If so, go to step (f).  Else, continue with step (c).
1890
1891            c. the Probe::Stack will malloc a 1K mirror page, and memcpy the 1K stack page
1892               for that specified baseAddress to this mirror page.
1893
1894            d. the mirror page will be added to the ProbeStack's m_pages HashMap,
1895               keyed on the baseAddress.
1896
1897            e. the ProbeStack will also cache the last baseAddress and its corresponding
1898               mirror page in use.  With memory accesses tending to be localized, this
1899               will save us from having to look up the page in the HashMap.
1900
1901            f. get() will map the requested address to a physical address in the mirror
1902               page, and return the value at that location.
1903
1904            g. set() will map the requested address to a physical address in the mirror
1905               page, and set the value at that location in the mirror page.
1906
1907               set() will also set a dirty bit corresponding to the "cache line" that
1908               was modified in the mirror page.
1909
1910         4. When the client's probe function returns, Probe::executeProbe() will check if
1911            there are stack changes that need to be applied.  If stack changes are needed:
1912
1913            a. Probe::executeProbe() will adjust the stack pointer to ensure enough stack
1914               space is available to flush the dirty stack pages.  It will also register a
1915               flushStackDirtyPages callback function in the Probe::State.  Thereafter,
1916               Probe::executeProbe() returns to the probe trampoline.
1917
1918            b. the probe trampoline adjusts the stack pointer, moves the Probe::State to
1919               a safe place if needed, and then calls the flushStackDirtyPages callback
1920               if needed.
1921
1922            c. the flushStackDirtyPages() callback iterates the Probe::Stack's m_pages
1923               HashMap and flushes all dirty "cache lines" to the machine stack.
1924               Thereafter, flushStackDirtyPages() returns to the probe trampoline.
1925
1926            d. lastly, the probe trampoline will restore all register values and return
1927               to the pc set in the Probe::State.
1928
1929         To make this patch work, I also had to do the following work:
1930
1931         5. Refactor MacroAssembler::CPUState into Probe::CPUState.
1932            Mainly, this means moving the code over to ProbeContext.h.
1933            I also added some convenience accessor methods for spr registers.
1934
1935            Moved Probe::Context over to its own file ProbeContext.h/cpp.
1936
1937         6. Fix all probe trampolines to pass the address of Probe::executeProbe in
1938            addition to the client's probe function and arg.
1939
1940            I also took this opportunity to optimize the generated JIT probe code to
1941            minimize the amount of memory stores needed.
1942
1943         7. Simplified the ARM64 probe trampoline.  The ARM64 probe only supports changing
1944            either lr or pc (or neither), but not both in the same probe invocation.
1945            The ARM64 probe trampoline used to have to check for this invariant in the
1946            assembly trampoline code.  With the introduction of Probe::executeProbe(),
1947            we can now do it there and simplify the trampoline.
1948
1949         8. Fix a bug in the old ARM64 probe trampoline for the case where the client
1950            changes lr.  That code path never worked before, but has now been fixed.
1951
1952         9. Removed trustedImm32FromPtr() helper functions in MacroAssemblerARM and
1953            MacroAssemblerARMv7.
1954
1955            We can now use move() with TrustedImmPtr, and it does the same thing but in a
1956            more generic way.
1957
1958        10. ARMv7's move() emitter may encode a T1 move instruction, which happens to have
1959            the same semantics as movs (according to the Thumb spec).  This means these
1960            instructions may trash the APSR flags before we have a chance to preserve them.
1961
1962            This patch changes MacroAssemblerARMv7's probe() to preserve the APSR register
1963            early on.  This entails adding support for the mrs instruction in the
1964            ARMv7Assembler.
1965
1966        11. Change testmasm's testProbeModifiesStackValues() to now modify stack values
1967            the easy way.
1968
1969            Also fixed testmasm tests which check flag registers to only compare the
1970            portions that are modifiable by the client i.e. some masking is applied.
1971
1972         This patch has passed the testmasm tests on x86, x86_64, arm64, and armv7.
1973
1974         * CMakeLists.txt:
1975         * JavaScriptCore.xcodeproj/project.pbxproj:
1976         * assembler/ARMv7Assembler.h:
1977         (JSC::ARMv7Assembler::mrs):
1978         * assembler/AbstractMacroAssembler.h:
1979         * assembler/MacroAssembler.cpp:
1980         (JSC::stdFunctionCallback):
1981         (JSC::MacroAssembler::probe):
1982         * assembler/MacroAssembler.h:
1983         (JSC::MacroAssembler::CPUState::gprName): Deleted.
1984         (JSC::MacroAssembler::CPUState::sprName): Deleted.
1985         (JSC::MacroAssembler::CPUState::fprName): Deleted.
1986         (JSC::MacroAssembler::CPUState::gpr): Deleted.
1987         (JSC::MacroAssembler::CPUState::spr): Deleted.
1988         (JSC::MacroAssembler::CPUState::fpr): Deleted.
1989         (JSC:: const): Deleted.
1990         (JSC::MacroAssembler::CPUState::fpr const): Deleted.
1991         (JSC::MacroAssembler::CPUState::pc): Deleted.
1992         (JSC::MacroAssembler::CPUState::fp): Deleted.
1993         (JSC::MacroAssembler::CPUState::sp): Deleted.
1994         (JSC::MacroAssembler::CPUState::pc const): Deleted.
1995         (JSC::MacroAssembler::CPUState::fp const): Deleted.
1996         (JSC::MacroAssembler::CPUState::sp const): Deleted.
1997         (JSC::Probe::State::gpr): Deleted.
1998         (JSC::Probe::State::spr): Deleted.
1999         (JSC::Probe::State::fpr): Deleted.
2000         (JSC::Probe::State::gprName): Deleted.
2001         (JSC::Probe::State::sprName): Deleted.
2002         (JSC::Probe::State::fprName): Deleted.
2003         (JSC::Probe::State::pc): Deleted.
2004         (JSC::Probe::State::fp): Deleted.
2005         (JSC::Probe::State::sp): Deleted.
2006         * assembler/MacroAssemblerARM.cpp:
2007         (JSC::MacroAssembler::probe):
2008         * assembler/MacroAssemblerARM.h:
2009         (JSC::MacroAssemblerARM::trustedImm32FromPtr): Deleted.
2010         * assembler/MacroAssemblerARM64.cpp:
2011         (JSC::MacroAssembler::probe):
2012         (JSC::arm64ProbeError): Deleted.
2013         * assembler/MacroAssemblerARMv7.cpp:
2014         (JSC::MacroAssembler::probe):
2015         * assembler/MacroAssemblerARMv7.h:
2016         (JSC::MacroAssemblerARMv7::armV7Condition):
2017         (JSC::MacroAssemblerARMv7::trustedImm32FromPtr): Deleted.
2018         * assembler/MacroAssemblerPrinter.cpp:
2019         (JSC::Printer::printCallback):
2020         * assembler/MacroAssemblerPrinter.h:
2021         * assembler/MacroAssemblerX86Common.cpp:
2022         (JSC::ctiMasmProbeTrampoline):
2023         (JSC::MacroAssembler::probe):
2024         * assembler/Printer.h:
2025         (JSC::Printer::Context::Context):
2026         * assembler/ProbeContext.cpp: Added.
2027         (JSC::Probe::executeProbe):
2028         (JSC::Probe::handleProbeStackInitialization):
2029         (JSC::Probe::probeStateForContext):
2030         * assembler/ProbeContext.h: Added.
2031         (JSC::Probe::CPUState::gprName):
2032         (JSC::Probe::CPUState::sprName):
2033         (JSC::Probe::CPUState::fprName):
2034         (JSC::Probe::CPUState::gpr):
2035         (JSC::Probe::CPUState::spr):
2036         (JSC::Probe::CPUState::fpr):
2037         (JSC::Probe:: const):
2038         (JSC::Probe::CPUState::fpr const):
2039         (JSC::Probe::CPUState::pc):
2040         (JSC::Probe::CPUState::fp):
2041         (JSC::Probe::CPUState::sp):
2042         (JSC::Probe::CPUState::pc const):
2043         (JSC::Probe::CPUState::fp const):
2044         (JSC::Probe::CPUState::sp const):
2045         (JSC::Probe::Context::Context):
2046         (JSC::Probe::Context::gpr):
2047         (JSC::Probe::Context::spr):
2048         (JSC::Probe::Context::fpr):
2049         (JSC::Probe::Context::gprName):
2050         (JSC::Probe::Context::sprName):
2051         (JSC::Probe::Context::fprName):
2052         (JSC::Probe::Context::pc):
2053         (JSC::Probe::Context::fp):
2054         (JSC::Probe::Context::sp):
2055         (JSC::Probe::Context::stack):
2056         (JSC::Probe::Context::hasWritesToFlush):
2057         (JSC::Probe::Context::releaseStack):
2058         * assembler/ProbeStack.cpp: Added.
2059         (JSC::Probe::Page::Page):
2060         (JSC::Probe::Page::flushWrites):
2061         (JSC::Probe::Stack::Stack):
2062         (JSC::Probe::Stack::hasWritesToFlush):
2063         (JSC::Probe::Stack::flushWrites):
2064         (JSC::Probe::Stack::ensurePageFor):
2065         * assembler/ProbeStack.h: Added.
2066         (JSC::Probe::Page::baseAddressFor):
2067         (JSC::Probe::Page::chunkAddressFor):
2068         (JSC::Probe::Page::baseAddress):
2069         (JSC::Probe::Page::get):
2070         (JSC::Probe::Page::set):
2071         (JSC::Probe::Page::hasWritesToFlush const):
2072         (JSC::Probe::Page::flushWritesIfNeeded):
2073         (JSC::Probe::Page::dirtyBitFor):
2074         (JSC::Probe::Page::physicalAddressFor):
2075         (JSC::Probe::Stack::Stack):
2076         (JSC::Probe::Stack::lowWatermark):
2077         (JSC::Probe::Stack::get):
2078         (JSC::Probe::Stack::set):
2079         (JSC::Probe::Stack::newStackPointer const):
2080         (JSC::Probe::Stack::setNewStackPointer):
2081         (JSC::Probe::Stack::isValid):
2082         (JSC::Probe::Stack::pageFor):
2083         * assembler/testmasm.cpp:
2084         (JSC::testProbeReadsArgumentRegisters):
2085         (JSC::testProbeWritesArgumentRegisters):
2086         (JSC::testProbePreservesGPRS):
2087         (JSC::testProbeModifiesStackPointer):
2088         (JSC::testProbeModifiesStackPointerToInsideProbeStateOnStack):
2089         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
2090         (JSC::testProbeModifiesProgramCounter):
2091         (JSC::testProbeModifiesStackValues):
2092         (JSC::run):
2093         (): Deleted.
2094         (JSC::fillStack): Deleted.
2095         (JSC::testProbeModifiesStackWithCallback): Deleted.
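
        The following is an added example, not JavaScriptCore code: a simplified model
        of the Probe::Stack page cache described in steps 3 and 4 above. The "machine
        stack" is a page-aligned byte array; get() and set() go through 1K mirror pages
        keyed on the base address (with a one-entry last-page cache in front of the map),
        and only flushWrites() copies the dirty chunks back. The names probe_model,
        chunkSize, DemoResult and runDemo, and the 64-byte chunk size, are assumptions
        made for this example.

```cpp
// Added example, not JavaScriptCore code: a simplified model of the Probe::Stack page
// cache described above. The "machine stack" is a page-aligned byte array; get()/set()
// go through 1K mirror pages and only flushWrites() copies dirty chunks back to it.
// All names here (probe_model, chunkSize, runDemo, ...) are assumed for the example.
#include <cassert>
#include <cstdint>
#include <cstring>
#include <memory>
#include <unordered_map>

namespace probe_model {

constexpr size_t pageSize = 1024;      // 1K pages, as in the entry
constexpr size_t chunkSize = 64;       // dirty-bit "cache line" size (assumed)
constexpr size_t chunksPerPage = pageSize / chunkSize;
static_assert(chunksPerPage <= 32, "dirty bits must fit a uint32_t mask");

class Page {
public:
    static uintptr_t baseAddressFor(uintptr_t address) { return address & ~uintptr_t(pageSize - 1); }
    // Step (c): snapshot the real 1K page into the mirror.
    explicit Page(uintptr_t base) : m_base(base) { std::memcpy(m_mirror, reinterpret_cast<const void*>(base), pageSize); }
    uintptr_t baseAddress() const { return m_base; }
    // Steps (f)/(g): reads and writes touch only the mirror; set() also records the dirty chunks.
    template<typename T> T get(uintptr_t address) const { T v; std::memcpy(&v, m_mirror + (address - m_base), sizeof(T)); return v; }
    template<typename T> void set(uintptr_t address, T value)
    {
        std::memcpy(m_mirror + (address - m_base), &value, sizeof(T));
        m_dirtyBits |= dirtyBitFor(address) | dirtyBitFor(address + sizeof(T) - 1);
    }
    // Step 4(c): copy only the dirty chunks back to the machine stack; returns how many.
    size_t flushWrites()
    {
        size_t flushed = 0;
        for (size_t chunk = 0; chunk < chunksPerPage; ++chunk) {
            if (!(m_dirtyBits & (uint32_t(1) << chunk)))
                continue;
            std::memcpy(reinterpret_cast<void*>(m_base + chunk * chunkSize), m_mirror + chunk * chunkSize, chunkSize);
            ++flushed;
        }
        m_dirtyBits = 0;
        return flushed;
    }
private:
    uint32_t dirtyBitFor(uintptr_t address) const { return uint32_t(1) << ((address - m_base) / chunkSize); }
    uintptr_t m_base;
    uint32_t m_dirtyBits { 0 };
    uint8_t m_mirror[pageSize];
};

class Stack {
public:
    template<typename T> T get(uintptr_t address) { return pageFor(address, sizeof(T)).template get<T>(address); }
    template<typename T> void set(uintptr_t address, T value) { pageFor(address, sizeof(T)).template set<T>(address, value); }
    size_t pageCount() const { return m_pages.size(); }
    size_t flushWrites() { size_t n = 0; for (auto& e : m_pages) n += e.second->flushWrites(); return n; }
private:
    // Steps (a)-(e): decode the base, try the one-entry cache, then the HashMap; mirror the page on a miss.
    Page& pageFor(uintptr_t address, size_t size)
    {
        uintptr_t base = Page::baseAddressFor(address);
        assert(base == Page::baseAddressFor(address + size - 1) && "access must not straddle pages");
        if (m_lastPage && m_lastPage->baseAddress() == base)
            return *m_lastPage;
        auto it = m_pages.find(base);
        if (it == m_pages.end())
            it = m_pages.emplace(base, std::make_unique<Page>(base)).first;
        m_lastPage = it->second.get();
        return *m_lastPage;
    }
    std::unordered_map<uintptr_t, std::unique_ptr<Page>> m_pages;
    Page* m_lastPage { nullptr };
};

struct DemoResult { uint32_t seenThroughMirror, realBeforeFlush, realAfterFlush; size_t pages, chunksFlushed; };

// Constructed scenario: one write in the page holding sp, one in the page below it.
DemoResult runDemo()
{
    alignas(pageSize) static uint8_t machineStack[4 * pageSize];
    std::memset(machineStack, 0, sizeof(machineStack));
    uintptr_t sp = reinterpret_cast<uintptr_t>(machineStack) + 2 * pageSize + 512;
    auto readReal = [](uintptr_t a) { uint32_t v; std::memcpy(&v, reinterpret_cast<const void*>(a), sizeof(v)); return v; };
    Stack stack;
    stack.set<uint32_t>(sp - 16, 0xdeadbeef);   // same page as sp
    stack.set<uint32_t>(sp - 1040, 0x1234);     // the page below
    DemoResult r;
    r.seenThroughMirror = stack.get<uint32_t>(sp - 16);
    r.realBeforeFlush = readReal(sp - 16);      // machine stack untouched until the flush
    r.pages = stack.pageCount();
    r.chunksFlushed = stack.flushWrites();      // one dirty chunk per page
    r.realAfterFlush = readReal(sp - 16);
    return r;
}

} // namespace probe_model
```

        The point of the model is the ordering the entry describes: while the probe
        function runs, every write lands in a mirror page and the machine stack is
        untouched; only the flush step, after the stack pointer has been adjusted,
        copies the dirty chunks back, and clean chunks are never rewritten.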
2096
2097 2017-08-19  Andy Estes  <aestes@apple.com>
2098
2099         [Payment Request] Add interface stubs
2100         https://bugs.webkit.org/show_bug.cgi?id=175730
2101
2102         Reviewed by Youenn Fablet.
2103
2104         * runtime/CommonIdentifiers.h:
2105
2106 2017-08-18  Per Arne Vollan  <pvollan@apple.com>
2107
2108         Implement 32-bit MacroAssembler::probe support for Windows.
2109         https://bugs.webkit.org/show_bug.cgi?id=175449
2110
2111         Reviewed by Mark Lam.
2112
2113         This is needed to enable the DFG.
2114
2115         * assembler/MacroAssemblerX86Common.cpp:
2116         * assembler/testmasm.cpp:
2117         (JSC::run):
2118         (dllLauncherEntryPoint):
2119         * shell/CMakeLists.txt:
2120         * shell/PlatformWin.cmake:
2121
2122 2017-08-18  Mark Lam  <mark.lam@apple.com>
2123
2124         Rename ProbeContext and ProbeFunction to Probe::State and Probe::Function.
2125         https://bugs.webkit.org/show_bug.cgi?id=175725
2126         <rdar://problem/33965477>
2127
2128         Rubber-stamped by JF Bastien.
2129
2130         This is purely a refactoring patch (in preparation for the introduction of a
2131         Probe::Context data structure in https://bugs.webkit.org/show_bug.cgi?id=175688
2132         later).  This patch does not change any semantics / behavior.
2133
2134         * assembler/AbstractMacroAssembler.h:
2135         * assembler/MacroAssembler.cpp:
2136         (JSC::stdFunctionCallback):
2137         (JSC::MacroAssembler::probe):
2138         * assembler/MacroAssembler.h:
2139         (JSC::ProbeContext::gpr): Deleted.
2140         (JSC::ProbeContext::spr): Deleted.
2141         (JSC::ProbeContext::fpr): Deleted.
2142         (JSC::ProbeContext::gprName): Deleted.
2143         (JSC::ProbeContext::sprName): Deleted.
2144         (JSC::ProbeContext::fprName): Deleted.
2145         (JSC::ProbeContext::pc): Deleted.
2146         (JSC::ProbeContext::fp): Deleted.
2147         (JSC::ProbeContext::sp): Deleted.
2148         * assembler/MacroAssemblerARM.cpp:
2149         (JSC::MacroAssembler::probe):
2150         * assembler/MacroAssemblerARM.h:
2151         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
2152         * assembler/MacroAssemblerARM64.cpp:
2153         (JSC::arm64ProbeError):
2154         (JSC::MacroAssembler::probe):
2155         * assembler/MacroAssemblerARMv7.cpp:
2156         (JSC::MacroAssembler::probe):
2157         * assembler/MacroAssemblerARMv7.h:
2158         (JSC::MacroAssemblerARMv7::trustedImm32FromPtr):
2159         * assembler/MacroAssemblerPrinter.cpp:
2160         (JSC::Printer::printCallback):
2161         * assembler/MacroAssemblerPrinter.h:
2162         * assembler/MacroAssemblerX86Common.cpp:
2163         (JSC::MacroAssembler::probe):
2164         * assembler/Printer.h:
2165         (JSC::Printer::Context::Context):
2166         * assembler/testmasm.cpp:
2167         (JSC::testProbeReadsArgumentRegisters):
2168         (JSC::testProbeWritesArgumentRegisters):
2169         (JSC::testProbePreservesGPRS):
2170         (JSC::testProbeModifiesStackPointer):
2171         (JSC::testProbeModifiesStackPointerToInsideProbeStateOnStack):
2172         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
2173         (JSC::testProbeModifiesProgramCounter):
2174         (JSC::fillStack):
2175         (JSC::testProbeModifiesStackWithCallback):
2176         (JSC::run):
2177         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack): Deleted.
2178
2179 2017-08-17  JF Bastien  <jfbastien@apple.com>
2180
2181         WebAssembly: const in unreachable code decoded incorrectly, erroneously rejects binary as invalid
2182         https://bugs.webkit.org/show_bug.cgi?id=175693
2183         <rdar://problem/33952443>
2184
2185         Reviewed by Saam Barati.
2186
2187         64-bit constants in an unreachable context were being decoded as
2188         32-bit constants. This is pretty benign because unreachable code
2189         shouldn't occur often. The effect is that 64-bit constants which
2190         can't be encoded as 32-bit constants would cause the binary to be
2191         rejected.
2192
2193         At the same time, 32-bit integer constants should be decoded as signed.
2194
2195         * wasm/WasmFunctionParser.h:
2196         (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
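
        An added example, not WebKit code, modelling the decoding issue this entry
        describes: a signed LEB128 decoder with a bit-width limit, and a toy walk over
        const instructions in an unreachable context, once with the i64.const payload
        read under the 32-bit limit (the bug) and once with the 64-bit limit (the fix).
        The opcodes 0x41 and 0x42 are the real i32.const and i64.const encodings; the
        function names and the sample byte string are assumptions.

```cpp
// Added example, not WebKit code: signed LEB128 decoding with a width limit, plus a toy
// skip over const instructions that models the i64.const-as-32-bit bug against the fix.
// Opcodes 0x41/0x42 are the real i32.const/i64.const encodings; everything else is assumed.
#include <cstddef>
#include <cstdint>
#include <vector>

namespace leb_model {

constexpr uint8_t I32Const = 0x41;
constexpr uint8_t I64Const = 0x42;

// Decode a signed LEB128 integer of at most `bits` (32 or 64) bits at data[offset].
// Fails on truncation, on too many bytes for the width, or on an i32 out of range.
bool decodeSignedLEB128(const std::vector<uint8_t>& data, size_t& offset, unsigned bits, int64_t& out)
{
    const size_t maxBytes = (bits + 6) / 7;   // 5 bytes for 32-bit, 10 for 64-bit
    uint64_t result = 0;
    unsigned shift = 0;
    size_t consumed = 0;
    uint8_t byte = 0;
    do {
        if (offset + consumed >= data.size() || consumed >= maxBytes)
            return false;
        byte = data[offset + consumed++];
        result |= uint64_t(byte & 0x7f) << shift;
        shift += 7;
    } while (byte & 0x80);
    if (shift < 64 && (byte & 0x40))
        result |= ~uint64_t(0) << shift;      // sign-extend from the last septet
    int64_t value = int64_t(result);
    if (bits == 32 && (value < INT32_MIN || value > INT32_MAX))
        return false;                         // a valid LEB128, but not an i32
    offset += consumed;
    out = value;
    return true;
}

// Walk a byte string made only of const instructions, as an unreachable-code parser
// would skip them. Returns the number of instructions consumed, or -1 if the (toy)
// binary is rejected. With fixed == false, i64.const is read under the 32-bit limit.
int parseUnreachableConsts(const std::vector<uint8_t>& code, bool fixed)
{
    size_t offset = 0;
    int count = 0;
    while (offset < code.size()) {
        uint8_t op = code[offset++];
        unsigned bits;
        if (op == I32Const)
            bits = 32;
        else if (op == I64Const)
            bits = fixed ? 64 : 32;
        else
            return -1;
        int64_t ignored;
        if (!decodeSignedLEB128(code, offset, bits, ignored))
            return -1;
        ++count;
    }
    return count;
}

// Constructed sample: i64.const 0x1_0000_0000 (needs 33 bits), then i32.const -1.
std::vector<uint8_t> sampleCode()
{
    return { I64Const, 0x80, 0x80, 0x80, 0x80, 0x10, I32Const, 0x7f };
}

// Decodes the i32.const payload at the end of sampleCode(); signed decoding gives -1, not 127.
int64_t sampleI32Value()
{
    std::vector<uint8_t> code = sampleCode();
    size_t offset = 7;                        // position of the 0x7f payload
    int64_t value = 0;
    decodeSignedLEB128(code, offset, 32, value);
    return value;
}

} // namespace leb_model
```

        With the 32-bit limit the i64.const above is rejected even though the module is
        well-formed, which is the false rejection the entry describes; with the 64-bit
        limit both instructions are skipped. The last assertion shows the second point
        of the entry: 0x7f decoded as a signed i32 is -1.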
2197
2198 2017-08-17  Robin Morisset  <rmorisset@apple.com>
2199
2200         Teach DFGFixupPhase.cpp that the current scope is always a cell
2201         https://bugs.webkit.org/show_bug.cgi?id=175610
2202
2203         Reviewed by Keith Miller.
2204
2205         Also teach it that the argument to with can usually be speculated to be an object,
2206         since toObject() is called on it.
2207
2208         * dfg/DFGFixupPhase.cpp:
2209         (JSC::DFG::FixupPhase::fixupNode):
2210         * dfg/DFGSpeculativeJIT.cpp:
2211         (JSC::DFG::SpeculativeJIT::compilePushWithScope):
2212         * dfg/DFGSpeculativeJIT.h:
2213         (JSC::DFG::SpeculativeJIT::callOperation):
2214         * ftl/FTLLowerDFGToB3.cpp:
2215         (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
2216         * jit/JITOperations.cpp:
2217         * jit/JITOperations.h:
2218
2219 2017-08-17  Matt Baker  <mattbaker@apple.com>
2220
2221         Web Inspector: remove unused private struct from InspectorScriptProfilerAgent
2222         https://bugs.webkit.org/show_bug.cgi?id=175644
2223
2224         Reviewed by Brian Burg.
2225
2226         * inspector/agents/InspectorScriptProfilerAgent.h:
2227
2228 2017-08-17  Mark Lam  <mark.lam@apple.com>
2229
2230         Only use 16 VFP registers if !CPU(ARM_NEON).
2231         https://bugs.webkit.org/show_bug.cgi?id=175514
2232
2233         Reviewed by JF Bastien.
2234
2235         Deleted q16-q31 FPQuadRegisterID enums in ARMv7Assembler.h.  The NEON spec
2236         says that there are only 16 128-bit NEON registers.  This change is merely to
2237         correct the code documentation of these registers.  The FPQuadRegisterID are
2238         currently unused.
2239
2240         * assembler/ARMAssembler.h:
2241         (JSC::ARMAssembler::lastFPRegister):
2242         (JSC::ARMAssembler::fprName):
2243         * assembler/ARMv7Assembler.h:
2244         (JSC::ARMv7Assembler::lastFPRegister):
2245         (JSC::ARMv7Assembler::fprName):
2246         * assembler/MacroAssemblerARM.cpp:
2247         * assembler/MacroAssemblerARMv7.cpp:
2248
2249 2017-08-17  Andreas Kling  <akling@apple.com>
2250
2251         Disable CSS regions at compile time
2252         https://bugs.webkit.org/show_bug.cgi?id=175630
2253
2254         Reviewed by Antti Koivisto.
2255
2256         * Configurations/FeatureDefines.xcconfig:
2257
2258 2017-08-17  Jacobo Aragunde Pérez  <jaragunde@igalia.com>
2259
2260         [WPE][GTK] Ensure proper casting of data in gvariants
2261         https://bugs.webkit.org/show_bug.cgi?id=175667
2262
2263         Reviewed by Michael Catanzaro.
2264
2265         g_variant_new requires data to have the correct width for their types, using
2266         casting if necessary. Some data of type `unsigned` were being saved to `guint64`
2267         types without explicit casting, leading to undefined behavior in some platforms.
2268
2269         * inspector/remote/glib/RemoteInspectorGlib.cpp:
2270         (Inspector::RemoteInspector::listingForInspectionTarget const):
2271         (Inspector::RemoteInspector::listingForAutomationTarget const):
2272         (Inspector::RemoteInspector::sendMessageToRemote):
2273
2274 2017-08-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2275
2276         [JSC] Avoid code bloating for iteration if block does not have "break"
2277         https://bugs.webkit.org/show_bug.cgi?id=173228
2278
2279         Reviewed by Keith Miller.
2280
2281         Currently, we always emit code for the break path when emitting for-of iteration.
2282         But we can know that this break path can be used when emitting the bytecode.
2283
2284         This patch adds LabelScope::breakTargetMayBeBound(), which returns true if
2285         the break label may be bound. We emit a break path only when it returns
2286         true. This reduces bytecode bloating when using for-of iteration.
2287
2288         * bytecompiler/BytecodeGenerator.cpp:
2289         (JSC::Label::setLocation):
2290         (JSC::BytecodeGenerator::newLabel):
2291         (JSC::BytecodeGenerator::emitLabel):
2292         (JSC::BytecodeGenerator::pushFinallyControlFlowScope):
2293         (JSC::BytecodeGenerator::breakTarget):
2294         (JSC::BytecodeGenerator::continueTarget):
2295         (JSC::BytecodeGenerator::emitEnumeration):
2296         * bytecompiler/BytecodeGenerator.h:
2297         * bytecompiler/Label.h:
2298         (JSC::Label::bind const):
2299         (JSC::Label::hasOneRef const):
2300         (JSC::Label::isBound const):
2301         (JSC::Label::Label): Deleted.
2302         * bytecompiler/LabelScope.h:
2303         (JSC::LabelScope::hasOneRef const):
2304         (JSC::LabelScope::breakTargetMayBeBound const):
2305         * bytecompiler/NodesCodegen.cpp:
2306         (JSC::ContinueNode::trivialTarget):
2307         (JSC::ContinueNode::emitBytecode):
2308         (JSC::BreakNode::trivialTarget):
2309         (JSC::BreakNode::emitBytecode):
2310
2311 2017-08-17  Csaba Osztrogonác  <ossy@webkit.org>
2312
2313         ARM build fix after r220807 and r220834.
2314         https://bugs.webkit.org/show_bug.cgi?id=175617
2315
2316         Unreviewed typo fix.
2317
2318         * assembler/MacroAssemblerARM.cpp:
2319
2320 2017-08-17  Mark Lam  <mark.lam@apple.com>
2321
2322         Gardening: build fix for ARM_TRADITIONAL after r220807.
2323         https://bugs.webkit.org/show_bug.cgi?id=175617
2324
2325         Not reviewed.
2326
2327         * assembler/MacroAssemblerARM.cpp:
2328
2329 2017-08-16  Mark Lam  <mark.lam@apple.com>
2330
2331         Add back the ability to disable MASM_PROBE from the build.
2332         https://bugs.webkit.org/show_bug.cgi?id=175656
2333         <rdar://problem/33933720>
2334
2335         Reviewed by Yusuke Suzuki.
2336
2337         This is needed for ports that the existing MASM_PROBE implementation doesn't work
2338         well with e.g. GTK with ARM_THUMB2.  Note that the DFG_JIT will be disabled by
2339         default if !ENABLE(MASM_PROBE).
2340
2341         * assembler/AbstractMacroAssembler.h:
2342         * assembler/MacroAssembler.cpp:
2343         * assembler/MacroAssembler.h:
2344         * assembler/MacroAssemblerARM.cpp:
2345         * assembler/MacroAssemblerARM64.cpp:
2346         * assembler/MacroAssemblerARMv7.cpp:
2347         * assembler/MacroAssemblerPrinter.cpp:
2348         * assembler/MacroAssemblerPrinter.h:
2349         * assembler/MacroAssemblerX86Common.cpp:
2350         * assembler/testmasm.cpp:
2351         (JSC::run):
2352         * b3/B3LowerToAir.cpp:
2353         * b3/air/AirPrintSpecial.cpp:
2354         * b3/air/AirPrintSpecial.h:
2355
2356 2017-08-16  Dan Bernstein  <mitz@apple.com>
2357
2358         [Cocoa] Older-iOS install name symbols are being exported on other platforms
2359         https://bugs.webkit.org/show_bug.cgi?id=175654
2360
2361         Reviewed by Tim Horton.
2362
2363         * API/JSBase.cpp: Define the symbols only when targeting iOS.
2364
2365 2017-08-16  Matt Baker  <mattbaker@apple.com>
2366
2367         Web Inspector: capture async stack trace when workers/main context posts a message
2368         https://bugs.webkit.org/show_bug.cgi?id=167084
2369         <rdar://problem/30033673>
2370
2371         Reviewed by Brian Burg.
2372
2373         * inspector/agents/InspectorDebuggerAgent.h:
2374         Add `PostMessage` async call type.
2375
2376 2017-08-16  Mark Lam  <mark.lam@apple.com>
2377
2378         Enhance MacroAssembler::probe() to support an initializeStackFunction callback.
2379         https://bugs.webkit.org/show_bug.cgi?id=175617
2380         <rdar://problem/33912104>
2381
2382         Reviewed by JF Bastien.
2383
2384         This patch adds a new feature to MacroAssembler::probe() where the probe function
2385         can provide a ProbeFunction callback to fill in stack values after the stack
2386         pointer has been adjusted.  The probe function can use this feature as follows:
2387
2388         1. Set the new sp value in the ProbeContext's CPUState.
2389
2390         2. Set the ProbeContext's initializeStackFunction to a ProbeFunction callback
2391            which will do the work of filling in the stack values after the probe
2392            trampoline has adjusted the machine stack pointer.
2393
2394         3. Set the ProbeContext's initializeStackArgs to any value that the client wants
2395            to pass to the initializeStackFunction callback.
2396
2397         4. Return from the probe function.
2398
2399         Upon returning from the probe function, the probe trampoline will adjust the
2400         stack pointer based on the sp value in CPUState.  If initializeStackFunction
2401         is not set, the probe trampoline will restore registers and return to its caller.
2402
2403         If initializeStackFunction is set, the trampoline will move the ProbeContext
2404         beyond the range of the stack pointer i.e. it will place the new ProbeContext at
2405         an address lower than where CPUState.sp() points.  This ensures that the
2406         ProbeContext will not be trashed by the initializeStackFunction when it writes to
2407         the stack.  Then, the trampoline will call back to the initializeStackFunction
2408         ProbeFunction to let it fill in the stack values as desired.  The
2409         initializeStackFunction ProbeFunction will be passed the moved ProbeContext at
2410         the new location.
2411
2412         initializeStackFunction may now write to the stack at addresses greater or
2413         equal to CPUState.sp(), but not below that.  initializeStackFunction is also
2414         not allowed to change CPUState.sp().  If the initializeStackFunction does not
2415         abide by these rules, then behavior is undefined, and bad things may happen.
2416
2417         For future reference, some implementation details that this patch needed to
2418         be mindful of:
2419
2420         1. When the probe trampoline allocates stack space for the ProbeContext, it
2421            should include OUT_SIZE as well.  This ensures that it doesn't have to move
2422            the ProbeContext on exit if the probe function didn't change the sp.
2423
2424         2. If the trampoline has to move the ProbeContext, it needs to point the machine
2425            sp to new ProbeContext first before copying over the ProbeContext data.  This
2426            protects the new ProbeContext from possibly being trashed by interrupts.
2427
2428         3. When computing the new address of ProbeContext to move to, we need to make
2429            sure that it is properly aligned in accordance with stack ABI requirements
2430            (just like we did when we allocated the ProbeContext on entry to the
2431            probe trampoline).
2432
2433         4. When copying the ProbeContext to its new location, the trampoline should
2434            always copy words from low addresses to high addresses.  This is because if
2435            we're moving the ProbeContext, we'll always be moving it to a lower address.
2436
2437         * assembler/MacroAssembler.h:
2438         * assembler/MacroAssemblerARM.cpp:
2439         * assembler/MacroAssemblerARM64.cpp:
2440         * assembler/MacroAssemblerARMv7.cpp:
2441         * assembler/MacroAssemblerX86Common.cpp:
2442         * assembler/testmasm.cpp:
2443         (JSC::testProbePreservesGPRS):
2444         (JSC::testProbeModifiesStackPointer):
2445         (JSC::fillStack):
2446         (JSC::testProbeModifiesStackWithCallback):
2447         (JSC::run):
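
        An added example, not WebKit code, modelling implementation details 3 and 4 of
        this entry: relocatedContextAddress() picks an aligned slot for the ProbeContext
        that ends at or below the new sp, and relocationPreservesContext() shows why the
        copy to a lower, overlapping address must proceed from low to high addresses.
        The namespace, function names, the 16-byte alignment and the constructed word
        values are assumptions made for this example.

```cpp
// Added example, not WebKit code: models details (3) and (4) of the entry above.
// relocatedContextAddress() chooses an aligned slot below newSp; copyWords() makes the
// copy direction explicit so that relocationPreservesContext() can show which one is
// safe when source and destination overlap. All names and values here are assumed.
#include <cstddef>
#include <cstdint>
#include <vector>

namespace relocation_model {

constexpr uintptr_t stackAlignment = 16;   // assumed ABI stack alignment for the demo

// Detail (3): the context must end at or below newSp and start on an aligned address.
uintptr_t relocatedContextAddress(uintptr_t newSp, size_t contextSize)
{
    return (newSp - contextSize) & ~(stackAlignment - 1);
}

// Word-by-word copy in the chosen direction (no memmove, so the direction is visible).
void copyWords(uintptr_t* dst, const uintptr_t* src, size_t count, bool lowToHigh)
{
    if (lowToHigh) {
        for (size_t i = 0; i < count; ++i)
            dst[i] = src[i];
    } else {
        for (size_t i = count; i-- > 0;)
            dst[i] = src[i];
    }
}

// Detail (4): move a context of ctxWords words shiftWords lower in a stack buffer, so the
// source and destination overlap whenever shiftWords < ctxWords. Returns true if every
// word survives the move.
bool relocationPreservesContext(size_t ctxWords, size_t shiftWords, bool lowToHigh)
{
    std::vector<uintptr_t> stack(ctxWords + shiftWords, 0);
    for (size_t i = 0; i < ctxWords; ++i)
        stack[shiftWords + i] = 0x1000 + i;              // constructed context contents
    uintptr_t* src = stack.data() + shiftWords;
    uintptr_t* dst = stack.data();                       // the lower address
    copyWords(dst, src, ctxWords, lowToHigh);
    for (size_t i = 0; i < ctxWords; ++i) {
        if (dst[i] != 0x1000 + i)
            return false;
    }
    return true;
}

} // namespace relocation_model
```

        When the destination is lower and overlaps the source, a high-to-low copy
        overwrites source words before they have been read, which is why the entry
        fixes the direction for a trampoline written in assembly, where memmove is not
        available to choose it. Detail 2 (pointing sp at the new location before the
        copy, for interrupt safety) is not modelled here.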
2448
2449 2017-08-16  Csaba Osztrogonác  <ossy@webkit.org>
2450
2451         Fix JSCOnly ARM buildbots after r220047 and r220184
2452         https://bugs.webkit.org/show_bug.cgi?id=174993
2453
2454         Reviewed by Carlos Alberto Lopez Perez.
2455
2456         * CMakeLists.txt: Generate only one backend on Linux to save build time.
2457
2458 2017-08-16  Andy Estes  <aestes@apple.com>
2459
2460         [Payment Request] Add an ENABLE flag and an experimental feature preference
2461         https://bugs.webkit.org/show_bug.cgi?id=175622
2462
2463         Reviewed by Tim Horton.
2464
2465         * Configurations/FeatureDefines.xcconfig:
2466
2467 2017-08-15  Robin Morisset  <rmorisset@apple.com>
2468
2469         We are too conservative about the effects of PushWithScope
2470         https://bugs.webkit.org/show_bug.cgi?id=175584
2471
2472         Reviewed by Saam Barati.
2473
2474         PushWithScope converts its argument to an object (this can throw a type error,
2475         but has no other observable effect), and allocates a new scope, that it then
2476         makes the new current scope. We were a bit too conservative in saying that it
2477         clobbers the world.
2478
2479         * dfg/DFGAbstractInterpreterInlines.h:
2480         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2481         * dfg/DFGClobberize.h:
2482         (JSC::DFG::clobberize):
2483         * dfg/DFGDoesGC.cpp:
2484         (JSC::DFG::doesGC):
2485
2486 2017-08-15  Ryosuke Niwa  <rniwa@webkit.org>
2487
2488         Make DataTransferItemList work with plain text entries
2489         https://bugs.webkit.org/show_bug.cgi?id=175596
2490
2491         Reviewed by Wenson Hsieh.
2492
2493         Added DataTransferItem as a common identifier since it's a runtime enabled feature.
2494
2495         * runtime/CommonIdentifiers.h:
2496
2497 2017-08-15  Robin Morisset  <rmorisset@apple.com>
2498
2499         Support the 'with' keyword in FTL
2500         https://bugs.webkit.org/show_bug.cgi?id=175585
2501
2502         Reviewed by Saam Barati.
2503
2504         Also makes sure that the order of arguments of PushWithScope, op_push_with_scope, JSWithScope::create()
2505         and so on is consistent (always parentScope first, the new scopeObject second). We used to go from one
2506         to the other at different steps, which was quite confusing. I picked this order for consistency with CreateActivation
2507         that takes its parentScope argument first.
2508
2509         * bytecompiler/BytecodeGenerator.cpp:
2510         (JSC::BytecodeGenerator::emitPushWithScope):
2511         * debugger/DebuggerCallFrame.cpp:
2512         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
2513         * dfg/DFGByteCodeParser.cpp:
2514         (JSC::DFG::ByteCodeParser::parseBlock):
2515         * dfg/DFGFixupPhase.cpp:
2516         (JSC::DFG::FixupPhase::fixupNode):
2517         * dfg/DFGSpeculativeJIT.cpp:
2518         (JSC::DFG::SpeculativeJIT::compilePushWithScope):
2519         * ftl/FTLCapabilities.cpp:
2520         (JSC::FTL::canCompile):
2521         * ftl/FTLLowerDFGToB3.cpp:
2522         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2523         (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
2524         * jit/JITOperations.cpp:
2525         * runtime/CommonSlowPaths.cpp:
2526         (JSC::SLOW_PATH_DECL):
2527         * runtime/Completion.cpp:
2528         (JSC::evaluateWithScopeExtension):
2529         * runtime/JSWithScope.cpp:
2530         (JSC::JSWithScope::create):
2531         * runtime/JSWithScope.h:
2532
2533 2017-08-15  Saam Barati  <sbarati@apple.com>
2534
2535         Make VM::scratchBufferForSize thread safe
2536         https://bugs.webkit.org/show_bug.cgi?id=175604
2537
2538         Reviewed by Geoffrey Garen and Mark Lam.
2539
2540         I want to use the VM::scratchBufferForSize in another patch I'm writing.
2541         The use case for my other patch is to call it from the compiler thread.
2542         When reading the code, I saw that this API was not thread safe. This patch
2543         makes it thread safe. It actually turns out we were calling this API from
2544         the compiler thread already when we created FTL::State for an FTL OSR entry
2545         compilation, and from FTLLowerDFGToB3. That code was racy and wrong, but
2546         is now correct with this patch.
2547
2548         * runtime/VM.cpp:
2549         (JSC::VM::VM):
2550         (JSC::VM::~VM):
2551         (JSC::VM::gatherConservativeRoots):
2552         (JSC::VM::scratchBufferForSize):
2553         * runtime/VM.h:
2554         (JSC::VM::scratchBufferForSize): Deleted.
2555
2556 2017-08-15  Keith Miller  <keith_miller@apple.com>
2557
2558         JSC named bytecode offsets should use references rather than pointers
2559         https://bugs.webkit.org/show_bug.cgi?id=175601
2560
2561         Reviewed by Saam Barati.
2562
2563         * dfg/DFGByteCodeParser.cpp:
2564         (JSC::DFG::ByteCodeParser::parseBlock):
2565         * jit/JITOpcodes.cpp:
2566         (JSC::JIT::emit_op_overrides_has_instance):
2567         (JSC::JIT::emit_op_instanceof):
2568         (JSC::JIT::emitSlow_op_instanceof):
2569         (JSC::JIT::emitSlow_op_instanceof_custom):
2570         * jit/JITOpcodes32_64.cpp:
2571         (JSC::JIT::emit_op_overrides_has_instance):
2572         (JSC::JIT::emit_op_instanceof):
2573         (JSC::JIT::emitSlow_op_instanceof):
2574         (JSC::JIT::emitSlow_op_instanceof_custom):
2575
2576 2017-08-15  Keith Miller  <keith_miller@apple.com>
2577
2578         Enable named offsets into JSC bytecodes
2579         https://bugs.webkit.org/show_bug.cgi?id=175561
2580
2581         Reviewed by Mark Lam.
2582
2583         This patch adds the ability to add named offsets into JSC's
2584         bytecodes.  In the bytecode json file, instead of listing a
2585         length, you can now list a set of names and their types. Each
2586         opcode with an offsets property will have a struct named after the
2587         opcode in our C++ naming style. For example,
2588         op_overrides_has_instance would become OpOverridesHasInstance. The
2589         struct has the same memory layout as the instruction list has but
2590         comes with handy named accessors.
2591
2592         As a first cut I converted the various instanceof bytecodes to use
2593         named offsets.
2594
2595         As an example op_overrides_has_instance produces the following struct:
2596
2597         struct OpOverridesHasInstance {
2598         public:
2599             Opcode& opcode() { return *reinterpret_cast<Opcode*>(&m_opcode); }
2600             const Opcode& opcode() const { return *reinterpret_cast<const Opcode*>(&m_opcode); }
2601             int& dst() { return *reinterpret_cast<int*>(&m_dst); }
2602             const int& dst() const { return *reinterpret_cast<const int*>(&m_dst); }
2603             int& constructor() { return *reinterpret_cast<int*>(&m_constructor); }
2604             const int& constructor() const { return *reinterpret_cast<const int*>(&m_constructor); }
2605             int& hasInstanceValue() { return *reinterpret_cast<int*>(&m_hasInstanceValue); }
2606             const int& hasInstanceValue() const { return *reinterpret_cast<const int*>(&m_hasInstanceValue); }
2607
2608         private:
2609             friend class LLIntOffsetsExtractor;
2610             std::aligned_storage<sizeof(Opcode), sizeof(Instruction)>::type m_opcode;
2611             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_dst;
2612             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_constructor;
2613             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_hasInstanceValue;
2614         };
2615
2616         * CMakeLists.txt:
2617         * DerivedSources.make:
2618         * JavaScriptCore.xcodeproj/project.pbxproj:
2619         * bytecode/BytecodeList.json:
2620         * dfg/DFGByteCodeParser.cpp:
2621         (JSC::DFG::ByteCodeParser::parseBlock):
2622         * generate-bytecode-files:
2623         * jit/JITOpcodes.cpp:
2624         (JSC::JIT::emit_op_overrides_has_instance):
2625         (JSC::JIT::emit_op_instanceof):
2626         (JSC::JIT::emitSlow_op_instanceof):
2627         (JSC::JIT::emitSlow_op_instanceof_custom):
2628         * jit/JITOpcodes32_64.cpp:
2629         (JSC::JIT::emit_op_overrides_has_instance):
2630         (JSC::JIT::emit_op_instanceof):
2631         (JSC::JIT::emitSlow_op_instanceof):
2632         (JSC::JIT::emitSlow_op_instanceof_custom):
2633         * llint/LLIntOffsetsExtractor.cpp:
2634         * llint/LowLevelInterpreter.asm:
2635         * llint/LowLevelInterpreter32_64.asm:
2636         * llint/LowLevelInterpreter64.asm:
2637
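To show how such a generated struct overlays the raw instruction list, here is an added example (not JSC's generated code and not part of this patch) that models Opcode and Instruction with constructed stand-in types, encodes an op_overrides_has_instance instruction, and reads it back through the named accessors:

```cpp
// Added example, not JSC's generated code: a stand-alone model of the
// OpOverridesHasInstance struct above, laid over a raw Instruction stream.
// Opcode, Instruction and the opcode id are constructed stand-ins for JSC's types.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <type_traits>

using Opcode = uint16_t;          // constructed: deliberately narrower than a slot
union Instruction {               // constructed: one slot of the instruction list
    Opcode opcode;
    int operand;
    void* pointer;                // makes the slot pointer-sized, as in JSC
};

// Same shape as the struct generated from the bytecode json: every field is
// padded to a full Instruction slot, so the struct overlays the stream exactly.
struct OpOverridesHasInstance {
public:
    Opcode& opcode() { return *reinterpret_cast<Opcode*>(&m_opcode); }
    const Opcode& opcode() const { return *reinterpret_cast<const Opcode*>(&m_opcode); }
    int& dst() { return *reinterpret_cast<int*>(&m_dst); }
    const int& dst() const { return *reinterpret_cast<const int*>(&m_dst); }
    int& constructor() { return *reinterpret_cast<int*>(&m_constructor); }
    const int& constructor() const { return *reinterpret_cast<const int*>(&m_constructor); }
    int& hasInstanceValue() { return *reinterpret_cast<int*>(&m_hasInstanceValue); }
    const int& hasInstanceValue() const { return *reinterpret_cast<const int*>(&m_hasInstanceValue); }

private:
    std::aligned_storage<sizeof(Opcode), sizeof(Instruction)>::type m_opcode;
    std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_dst;
    std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_constructor;
    std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_hasInstanceValue;
};

// The layout guarantees the named accessors rely on.
static_assert(sizeof(OpOverridesHasInstance) == 4 * sizeof(Instruction), "one slot per field");
static_assert(std::is_standard_layout<OpOverridesHasInstance>::value, "overlay must be standard layout");

constexpr Opcode kOpOverridesHasInstance = 0x2a;  // constructed opcode id

struct Encoded { Instruction slots[4]; };

// What the bytecode generator would emit: the opcode followed by three operands.
static Encoded encode(int dst, int constructor, int hasInstanceValue) {
    Encoded e {};
    e.slots[0].opcode = kOpOverridesHasInstance;
    e.slots[1].operand = dst;
    e.slots[2].operand = constructor;
    e.slots[3].operand = hasInstanceValue;
    return e;
}

// What a JIT tier does at the current pc: view the slots through the struct.
static OpOverridesHasInstance& view(Instruction* pc) {
    return *reinterpret_cast<OpOverridesHasInstance*>(pc);
}

static size_t slotsPerInstruction() { return sizeof(OpOverridesHasInstance) / sizeof(Instruction); }

// Read an operand back through its named accessor.
static int decodedConstructor(int dst, int constructor, int hasInstanceValue) {
    Encoded e = encode(dst, constructor, hasInstanceValue);
    return view(e.slots).constructor();
}

// Writes through an accessor land in the raw stream, so the struct can also be
// used to patch operands in place.
static int rewriteDst(int newDst) {
    Encoded e = encode(1, 2, 3);
    view(e.slots).dst() = newDst;
    return e.slots[1].operand;
}

static bool opcodeRoundTrips() {
    Encoded e = encode(4, 5, 6);
    return view(e.slots).opcode() == kOpOverridesHasInstance;
}

int main() {
    std::printf("slots per op_overrides_has_instance: %zu\n", slotsPerInstruction());
    std::printf("constructor operand: %d\n", decodedConstructor(3, 7, 11));
    std::printf("dst after rewrite: %d\n", rewriteDst(9));
    return opcodeRoundTrips() ? 0 : 1;
}
```
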
2638 2017-08-15  Mark Lam  <mark.lam@apple.com>
2639
2640         Update testmasm to use new CPUState APIs.
2641         https://bugs.webkit.org/show_bug.cgi?id=175573
2642
2643         Reviewed by Keith Miller.
2644
2645         1. Applied convenience CPUState accessors to minimize casting.
2646         2. Converted the CHECK macro to CHECK_EQ to get more friendly failure debugging
2647            messages.
2648         3. Removed the CHECK_DOUBLE_BITWISE_EQ macro.  We can just use CHECK_EQ now since
2649            casting is (mostly) no longer an issue.
2650         4. Replaced the use of testDoubleWord(id) with bitwise_cast<double>(testWord64(id))
2651            to make it clear that we're comparing against the bit values of testWord64(id).
2652         5. Added a "Completed N tests" message at the end of running all tests.
2653            This makes it easy to tell at a glance that testmasm completed successfully
2654            versus when it crashed midway in a test.  The number of tests also serves as
2655            a quick checksum to confirm that we ran the number of tests we expected.
2656
2657         * assembler/testmasm.cpp:
2658         (WTF::printInternal):
2659         (JSC::testSimple):
2660         (JSC::testProbeReadsArgumentRegisters):
2661         (JSC::testProbeWritesArgumentRegisters):
2662         (JSC::testProbePreservesGPRS):
2663         (JSC::testProbeModifiesStackPointer):
2664         (JSC::testProbeModifiesProgramCounter):
2665         (JSC::run):
2666
2667 2017-08-14  Keith Miller  <keith_miller@apple.com>
2668
2669         Add testing tool to lie to the DFG about profiles
2670         https://bugs.webkit.org/show_bug.cgi?id=175487
2671
2672         Reviewed by Saam Barati.
2673
2674         This patch adds a new bytecode identity_with_profile that lets
2675         us lie to the DFG about what profiles it has seen as the input to
2676         another bytecode. Previously, there was no reliable way to force
2677         a given profile when we tiered up.
2678
2679         * bytecode/BytecodeDumper.cpp:
2680         (JSC::BytecodeDumper<Block>::dumpBytecode):
2681         * bytecode/BytecodeIntrinsicRegistry.h:
2682         * bytecode/BytecodeList.json:
2683         * bytecode/BytecodeUseDef.h:
2684         (JSC::computeUsesForBytecodeOffset):
2685         (JSC::computeDefsForBytecodeOffset):
2686         * bytecode/SpeculatedType.cpp:
2687         (JSC::speculationFromString):
2688         * bytecode/SpeculatedType.h:
2689         * bytecompiler/BytecodeGenerator.cpp:
2690         (JSC::BytecodeGenerator::emitIdWithProfile):
2691         * bytecompiler/BytecodeGenerator.h:
2692         * bytecompiler/NodesCodegen.cpp:
2693         (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
2694         * dfg/DFGAbstractInterpreterInlines.h:
2695         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2696         * dfg/DFGByteCodeParser.cpp:
2697         (JSC::DFG::ByteCodeParser::parseBlock):
2698         * dfg/DFGCapabilities.cpp:
2699         (JSC::DFG::capabilityLevel):
2700         * dfg/DFGClobberize.h:
2701         (JSC::DFG::clobberize):
2702         * dfg/DFGDoesGC.cpp:
2703         (JSC::DFG::doesGC):
2704         * dfg/DFGFixupPhase.cpp:
2705         (JSC::DFG::FixupPhase::fixupNode):
2706         * dfg/DFGMayExit.cpp:
2707         * dfg/DFGNode.h:
2708         (JSC::DFG::Node::getForcedPrediction):
2709         * dfg/DFGNodeType.h:
2710         * dfg/DFGPredictionPropagationPhase.cpp:
2711         * dfg/DFGSafeToExecute.h:
2712         (JSC::DFG::safeToExecute):
2713         * dfg/DFGSpeculativeJIT32_64.cpp:
2714         (JSC::DFG::SpeculativeJIT::compile):
2715         * dfg/DFGSpeculativeJIT64.cpp:
2716         (JSC::DFG::SpeculativeJIT::compile):
2717         * dfg/DFGValidate.cpp:
2718         * jit/JIT.cpp:
2719         (JSC::JIT::privateCompileMainPass):
2720         * jit/JIT.h:
2721         * jit/JITOpcodes.cpp:
2722         (JSC::JIT::emit_op_identity_with_profile):
2723         * jit/JITOpcodes32_64.cpp:
2724         (JSC::JIT::emit_op_identity_with_profile):
2725         * llint/LowLevelInterpreter.asm:
2726
2727 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
2728
2729         Remove Proximity Events and related code
2730         https://bugs.webkit.org/show_bug.cgi?id=175545
2731
2732         Reviewed by Daniel Bates.
2733
2734         No platform enables Proximity Events, so remove code inside ENABLE(PROXIMITY_EVENTS)
2735         and other related code.
2736
2737         * Configurations/FeatureDefines.xcconfig:
2738
2739 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
2740
2741         Remove ENABLE(REQUEST_AUTOCOMPLETE) code, which was disabled everywhere
2742         https://bugs.webkit.org/show_bug.cgi?id=175504
2743
2744         Reviewed by Sam Weinig.
2745
2746         * Configurations/FeatureDefines.xcconfig:
2747
2748 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
2749
2750         Remove ENABLE_VIEW_MODE_CSS_MEDIA and related code
2751         https://bugs.webkit.org/show_bug.cgi?id=175557
2752
2753         Reviewed by Jon Lee.
2754
2755         No port cares about the ENABLE(VIEW_MODE_CSS_MEDIA) feature, so remove it.
2756
2757         * Configurations/FeatureDefines.xcconfig:
2758
2759 2017-08-14  Robin Morisset  <rmorisset@apple.com>
2760
2761         Support the 'with' keyword in DFG
2762         https://bugs.webkit.org/show_bug.cgi?id=175470
2763
2764         Reviewed by Saam Barati.
2765
2766         Not particularly optimized at the moment, the goal is just to avoid
2767         the DFG bailing out of any function with this keyword.
2768
2769         * dfg/DFGAbstractInterpreterInlines.h:
2770         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2771         * dfg/DFGByteCodeParser.cpp:
2772         (JSC::DFG::ByteCodeParser::parseBlock):
2773         * dfg/DFGCapabilities.cpp:
2774         (JSC::DFG::capabilityLevel):
2775         * dfg/DFGClobberize.h:
2776         (JSC::DFG::clobberize):
2777         * dfg/DFGDoesGC.cpp:
2778         (JSC::DFG::doesGC):
2779         * dfg/DFGFixupPhase.cpp:
2780         (JSC::DFG::FixupPhase::fixupNode):
2781         * dfg/DFGNodeType.h:
2782         * dfg/DFGPredictionPropagationPhase.cpp:
2783         * dfg/DFGSafeToExecute.h:
2784         (JSC::DFG::safeToExecute):
2785         * dfg/DFGSpeculativeJIT.cpp:
2786         (JSC::DFG::SpeculativeJIT::compilePushWithScope):
2787         * dfg/DFGSpeculativeJIT.h:
2788         (JSC::DFG::SpeculativeJIT::callOperation):
2789         * dfg/DFGSpeculativeJIT32_64.cpp:
2790         (JSC::DFG::SpeculativeJIT::compile):
2791         * dfg/DFGSpeculativeJIT64.cpp:
2792         (JSC::DFG::SpeculativeJIT::compile):
2793         * jit/JITOperations.cpp:
2794         * jit/JITOperations.h:
2795
2796 2017-08-14  Mark Lam  <mark.lam@apple.com>
2797
2798         Add some convenience utility accessor methods to MacroAssembler::CPUState.
2799         https://bugs.webkit.org/show_bug.cgi?id=175549
2800         <rdar://problem/33884868>
2801
2802         Reviewed by Saam Barati.
2803
2804         Previously, in order to read ProbeContext CPUState registers, we used to need to
2805         do it this way:
2806
2807             ExecState* exec = reinterpret_cast<ExecState*>(cpu.fp());
2808             uint32_t i32 = static_cast<uint32_t>(cpu.gpr(GPRInfo::regT0));
2809             void* p = reinterpret_cast<void*>(cpu.gpr(GPRInfo::regT1));
2810             uint64_t u64 = bitwise_cast<uint64_t>(cpu.fpr(FPRInfo::fpRegT0));
2811
2812         With this patch, we can now read them this way instead:
2813         
2814             ExecState* exec = cpu.fp<ExecState*>();
2815             uint32_t i32 = cpu.gpr<uint32_t>(GPRInfo::regT0);
2816             void* p = cpu.gpr<void*>(GPRInfo::regT1);
2817             uint64_t u64 = cpu.fpr<uint64_t>(FPRInfo::fpRegT0);
2818
2819         * assembler/MacroAssembler.h:
2820         (JSC:: const):
2821         (JSC::MacroAssembler::CPUState::fpr const):
2822         (JSC::MacroAssembler::CPUState::pc const):
2823         (JSC::MacroAssembler::CPUState::fp const):
2824         (JSC::MacroAssembler::CPUState::sp const):
2825         (JSC::ProbeContext::pc):
2826         (JSC::ProbeContext::fp):
2827         (JSC::ProbeContext::sp):
2828
2829 2017-08-12  Filip Pizlo  <fpizlo@apple.com>
2830
2831         Put the ScopedArgumentsTable's ScopeOffset array in some gigacage
2832         https://bugs.webkit.org/show_bug.cgi?id=174921
2833
2834         Reviewed by Mark Lam.
2835         
2836         Uses CagedUniquePtr<> to cage the ScopeOffset array.
2837
2838         * dfg/DFGSpeculativeJIT.cpp:
2839         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
2840         * ftl/FTLLowerDFGToB3.cpp:
2841         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2842         * jit/JITPropertyAccess.cpp:
2843         (JSC::JIT::emitScopedArgumentsGetByVal):
2844         * runtime/ScopedArgumentsTable.cpp:
2845         (JSC::ScopedArgumentsTable::create):
2846         (JSC::ScopedArgumentsTable::setLength):
2847         * runtime/ScopedArgumentsTable.h:
2848
2849 2017-08-14  Mark Lam  <mark.lam@apple.com>
2850
2851         Gardening: fix Windows build.
2852         https://bugs.webkit.org/show_bug.cgi?id=175446
2853
2854         Not reviewed.
2855
2856         * assembler/MacroAssemblerX86Common.cpp:
2857         (JSC::booleanTrueForAvoidingNoReturnDeclaration):
2858         (JSC::ctiMasmProbeTrampoline):
2859
2860 2017-08-12  Csaba Osztrogonác  <ossy@webkit.org>
2861
2862         [ARM64] Use x29 and x30 instead of fp and lr to make GCC happy
2863         https://bugs.webkit.org/show_bug.cgi?id=175512
2864         <rdar://problem/33863584>
2865
2866         Reviewed by Mark Lam.
2867
2868         * CMakeLists.txt: Added MacroAssemblerARM64.cpp.
2869         * assembler/MacroAssemblerARM64.cpp: Use x29 and x30 instead of fp and lr to make GCC happy.
2870
2871 2017-08-12  Csaba Osztrogonác  <ossy@webkit.org>
2872
2873         ARM_TRADITIONAL: static assertion failed: ProbeContext_size_matches_ctiMasmProbeTrampoline
2874         https://bugs.webkit.org/show_bug.cgi?id=175513
2875
2876         Reviewed by Mark Lam.
2877
2878         * assembler/MacroAssemblerARM.cpp: Added d16-d31 FP registers too.
2879
2880 2017-08-12  Filip Pizlo  <fpizlo@apple.com>
2881
2882         FTL's compileGetTypedArrayByteOffset needs to do caging
2883         https://bugs.webkit.org/show_bug.cgi?id=175366
2884
2885         Reviewed by Saam Barati.
2886         
2887         While implementing boxing in the DFG, I noticed that there was some missing boxing in the FTL. This
2888         fixes the case in GetTypedArrayByteOffset, and files FIXMEs for more such cases.
2889
2890         * dfg/DFGSpeculativeJIT.cpp:
2891         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
2892         * ftl/FTLLowerDFGToB3.cpp:
2893         (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
2894         (JSC::FTL::DFG::LowerDFGToB3::cagedMayBeNull):
2895         * runtime/ArrayBuffer.h:
2896         * runtime/ArrayBufferView.h:
2897         * runtime/JSArrayBufferView.h:
2898
2899 2017-08-11  Ryosuke Niwa  <rniwa@webkit.org>
2900
2901         Replace DATA_TRANSFER_ITEMS by a runtime flag and add a stub implementation
2902         https://bugs.webkit.org/show_bug.cgi?id=175474
2903         <rdar://problem/33844628>
2904
2905         Reviewed by Wenson Hsieh.
2906
2907         * Configurations/FeatureDefines.xcconfig:
2908         * runtime/CommonIdentifiers.h:
2909
2910 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
2911
2912         Caging shouldn't have to use a patchpoint for adding
2913         https://bugs.webkit.org/show_bug.cgi?id=175483
2914
2915         Reviewed by Mark Lam.
2916
2917         Caging involves doing a Add(ptr, largeConstant). All of B3's heuristics for how to deal with
2918         constants and associative operations dictate that you always want to sink constants. For example,
2919         Add(Add(a, constant), b) always becomes Add(Add(a, b), constant). This is profitable because in
2920         typical code, it reveals downstream optimizations. But it's terrible in the case of caging, because
2921         we want the large constant (which is shared by all caging operations) to be hoisted. Reassociating to
2922         sink constants obscures the constant in this case. Currently, moveConstants is not smart enough to
2923         reassociate, so instead of sinking largeConstant, it tries (and often fails) to sink some other
2924         constants instead. Without some hacks, this is a 5% Kraken regression and a 1.6% Octane regression.
2925         It's not clear that moveConstants could ever be smart enough to rematerialize that constant and then
2926         hoist it - that would require quite a bit of algebraic reasoning. But the only case we know of where
2927         our current constant reassociation heuristics are wrong is caging. So, we can get away with some
2928         hacks for just stopping B3's reassociation only in this specific case.
2929         
2930         Previously, we achieved this by concealing the Add(ptr, largeConstant) inside a patchpoint. That's
2931         OK, but patchpoints are expensive. They require a SharedTask instance. They require callbacks from
2932         the backend, including during register allocation. And they cannot be CSE'd. We do want B3 to know
2933         that if we cage the same pointer in two places, both places will compute the same value.
2934         
2935         This patch improves the situation by introducing the Opaque opcode. This is handled by LowerToAir as
2936         if it was Identity, but all prior phases treat it as an unknown pure unary idempotent operation. I.e.
2937         they know that Opaque(x) == Opaque(x) and that Opaque(Opaque(x)) == Opaque(x). But they don't know
2938         that Opaque(x) == x until LowerToAir. So, you can use Opaque exactly when you know that B3 will mess
2939         up your code but Air won't. (Currently we know of no cases where Air messes things up on a large
2940         enough scale to warrant new opcodes.)
2941         
2942         This change is perf-neutral, but may start to help as I add more uses of caged() in the FTL. It also
2943         makes the code a bit less ugly.
2944
2945         * b3/B3LowerToAir.cpp:
2946         (JSC::B3::Air::LowerToAir::shouldCopyPropagate):
2947         (JSC::B3::Air::LowerToAir::lower):
2948         * b3/B3Opcode.cpp:
2949         (WTF::printInternal):
2950         * b3/B3Opcode.h:
2951         * b3/B3ReduceStrength.cpp:
2952         * b3/B3Validate.cpp:
2953         * b3/B3Value.cpp:
2954         (JSC::B3::Value::effects const):
2955         (JSC::B3::Value::key const):
2956         (JSC::B3::Value::isFree const):
2957         (JSC::B3::Value::typeFor):
2958         * b3/B3Value.h:
2959         * b3/B3ValueKey.cpp:
2960         (JSC::B3::ValueKey::materialize const):
2961         * ftl/FTLLowerDFGToB3.cpp:
2962         (JSC::FTL::DFG::LowerDFGToB3::caged):
2963         * ftl/FTLOutput.cpp:
2964         (JSC::FTL::Output::opaque):
2965         * ftl/FTLOutput.h:
2966
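An added example, not B3's own code, that reproduces the constant-sinking reassociation described above on a toy value graph and shows how an Opaque node keeps the cage constant attached to the pointer until lowering; the cage base constant and the Arg names are constructed placeholders:

```cpp
// Added example, not B3's own code: a toy value graph that reproduces the
// constant-sinking reassociation described above and shows how an Opaque node
// keeps the cage constant attached to the pointer until lowering. The cage
// base constant and the Arg names are constructed placeholders.
#include <cstdint>
#include <iostream>
#include <memory>
#include <string>
#include <utility>

struct Value;
using ValuePtr = std::shared_ptr<Value>;

struct Value {
    enum class Op { Const, Arg, Add, Opaque };
    Op op = Op::Const;
    int64_t constant = 0;  // Const only
    std::string name;      // Arg only
    ValuePtr left, right;  // Add: both; Opaque: left only
};

static ValuePtr makeConst(int64_t c) { auto v = std::make_shared<Value>(); v->op = Value::Op::Const; v->constant = c; return v; }
static ValuePtr makeArg(std::string n) { auto v = std::make_shared<Value>(); v->op = Value::Op::Arg; v->name = std::move(n); return v; }
static ValuePtr makeAdd(ValuePtr a, ValuePtr b) { auto v = std::make_shared<Value>(); v->op = Value::Op::Add; v->left = std::move(a); v->right = std::move(b); return v; }
static ValuePtr makeOpaque(ValuePtr a) { auto v = std::make_shared<Value>(); v->op = Value::Op::Opaque; v->left = std::move(a); return v; }
static bool isConst(const ValuePtr& v) { return v->op == Value::Op::Const; }
static bool isAddWithConst(const ValuePtr& v) { return v->op == Value::Op::Add && isConst(v->right); }

// The rule from the entry, applied bottom-up: Add(Add(a, c), b) -> Add(Add(a, b), c).
// Opaque is an unknown pure unary op: the rule never looks inside it, and the
// only fact used about it is idempotence, Opaque(Opaque(x)) == Opaque(x).
static ValuePtr reassociate(ValuePtr v) {
    switch (v->op) {
    case Value::Op::Opaque:
        v->left = reassociate(v->left);
        return v->left->op == Value::Op::Opaque ? v->left : v;
    case Value::Op::Add:
        v->left = reassociate(v->left);
        v->right = reassociate(v->right);
        if (!isAddWithConst(v->left) && isAddWithConst(v->right))
            std::swap(v->left, v->right);  // commutativity
        if (isAddWithConst(v->left) && !isConst(v->right)) {
            ValuePtr a = v->left->left, c = v->left->right, b = v->right;
            v->left = makeAdd(a, b);
            v->right = c;  // the constant sinks outward, away from the pointer
        }
        return v;
    default:
        return v;
    }
}

// LowerToAir treats Opaque as Identity: only here does Opaque(x) become x.
static ValuePtr lower(ValuePtr v) {
    if (v->op == Value::Op::Opaque) return lower(v->left);
    if (v->op == Value::Op::Add) { v->left = lower(v->left); v->right = lower(v->right); }
    return v;
}

// Structural description, which also serves as the toy CSE key.
static std::string describe(const ValuePtr& v) {
    switch (v->op) {
    case Value::Op::Const: return std::to_string(v->constant);
    case Value::Op::Arg: return v->name;
    case Value::Op::Add: return "Add(" + describe(v->left) + ", " + describe(v->right) + ")";
    case Value::Op::Opaque: return "Opaque(" + describe(v->left) + ")";
    }
    return "?";
}

static const int64_t kCageBase = int64_t(1) << 38;  // constructed placeholder, not a real Gigacage base

// Caging as a plain Add (what B3 reassociates) and wrapped in Opaque (what survives to Air).
static ValuePtr cagePlain(ValuePtr ptr) { return makeAdd(std::move(ptr), makeConst(kCageBase)); }
static ValuePtr cageOpaque(ValuePtr ptr) { return makeOpaque(makeAdd(std::move(ptr), makeConst(kCageBase))); }

// Address of a caged indexed access, caged(ptr) + index, in its three forms.
static std::string shapeWithoutOpaque() {
    return describe(reassociate(makeAdd(cagePlain(makeArg("ptr")), makeArg("index"))));
}
static std::string shapeWithOpaque() {
    return describe(reassociate(makeAdd(cageOpaque(makeArg("ptr")), makeArg("index"))));
}
static std::string shapeAfterLowering() {
    return describe(lower(reassociate(makeAdd(cageOpaque(makeArg("ptr")), makeArg("index")))));
}

// Two independently built caged(ptr) values get the same key, so they can be
// CSE'd, and an Opaque of an Opaque folds away.
static bool opaqueIsCseable() {
    return describe(reassociate(cageOpaque(makeArg("ptr")))) == describe(reassociate(cageOpaque(makeArg("ptr"))))
        && describe(reassociate(makeOpaque(cageOpaque(makeArg("ptr"))))) == describe(cageOpaque(makeArg("ptr")));
}

int main() {
    std::cout << "plain:   " << shapeWithoutOpaque() << "\n"
              << "opaque:  " << shapeWithOpaque() << "\n"
              << "lowered: " << shapeAfterLowering() << "\n";
    return opaqueIsCseable() ? 0 : 1;
}
```

In the plain form the large constant has been sunk past the index add, so nothing downstream recognises the cage computation as shared; in the Opaque form it stays next to the pointer until lowering.
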
2967 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
2968
2969         ScopedArguments overflow storage needs to be in the JSValue gigacage
2970         https://bugs.webkit.org/show_bug.cgi?id=174923
2971
2972         Reviewed by Saam Barati.
2973         
2974         ScopedArguments overflow storage sits at the end of the ScopedArguments object, so we put that
2975         object into the JSValue gigacage.
2976
2977         * dfg/DFGSpeculativeJIT.cpp:
2978         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
2979         * ftl/FTLLowerDFGToB3.cpp:
2980         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2981         * jit/JITPropertyAccess.cpp:
2982         (JSC::JIT::emitScopedArgumentsGetByVal):
2983         * runtime/ScopedArguments.h:
2984         (JSC::ScopedArguments::subspaceFor):
2985         (JSC::ScopedArguments::overflowStorage const):
2986
2987 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
2988
2989         JSLexicalEnvironment needs to be in the JSValue gigacage
2990         https://bugs.webkit.org/show_bug.cgi?id=174922
2991
2992         Reviewed by Michael Saboff.
2993         
2994         We can sorta random access the JSLexicalEnvironment. So, we put it in the JSValue gigacage and make
2995         the only random accesses use pointer caging.
2996         
2997         We don't need to do anything to normal lexical environment accesses.
2998
2999         * dfg/DFGSpeculativeJIT.cpp:
3000         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
3001         * ftl/FTLLowerDFGToB3.cpp:
3002         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
3003         * runtime/JSEnvironmentRecord.h:
3004         (JSC::JSEnvironmentRecord::subspaceFor):
3005         (JSC::JSEnvironmentRecord::variables):
3006
3007 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
3008
3009         DirectArguments should be in the JSValue gigacage
3010         https://bugs.webkit.org/show_bug.cgi?id=174920
3011
3012         Reviewed by Michael Saboff.
3013         
3014         This puts DirectArguments in a new subspace for cells that want to be in the JSValue gigacage. All
3015         indexed accesses to DirectArguments now do caging. get_from_arguments/put_to_arguments are exempted
3016         because they always operate on a DirectArguments that is pointed to directly from the stack, they are
3017         required to use fixed offsets, and you can only store JSValues.
3018
3019         * dfg/DFGSpeculativeJIT.cpp:
3020         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
3021         * ftl/FTLLowerDFGToB3.cpp:
3022         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
3023         * jit/JITPropertyAccess.cpp:
3024         (JSC::JIT::emitDirectArgumentsGetByVal):
3025         * runtime/DirectArguments.h:
3026         (JSC::DirectArguments::subspaceFor):
3027         (JSC::DirectArguments::storage):
3028         * runtime/VM.cpp:
3029         (JSC::VM::VM):
3030         * runtime/VM.h:
3031
3032 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
3033
3034         Unreviewed, add a FIXME.
3035
3036         * ftl/FTLLowerDFGToB3.cpp:
3037         (JSC::FTL::DFG::LowerDFGToB3::caged):
3038
3039 2017-08-10  Sam Weinig  <sam@webkit.org>
3040
3041         WTF::Function does not allow for reference / non-default constructible return types
3042         https://bugs.webkit.org/show_bug.cgi?id=175244
3043
3044         Reviewed by Chris Dumez.
3045
3046         * runtime/ArrayBuffer.cpp:
3047         (JSC::ArrayBufferContents::transferTo):
3048         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
3049         destroy call needed to be a no-op anyway, since the data is being moved.
3050
3051 2017-08-11  Mark Lam  <mark.lam@apple.com>
3052
3053         Gardening: fix CLoop build.
3054         https://bugs.webkit.org/show_bug.cgi?id=175446
3055         <rdar://problem/33836545>
3056
3057         Not reviewed.
3058
3059         * assembler/MacroAssemblerPrinter.cpp:
3060
3061 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
3062
3063         DFG should do caging
3064         https://bugs.webkit.org/show_bug.cgi?id=174918
3065
3066         Reviewed by Saam Barati.
3067         
3068         Adds the appropriate cage() calls to the DFG, including a cageTypedArrayStorage() helper that does
3069         the conditional caging with a watchpoint.
3070         
3071         This might be a 1% SunSpider slow-down, but it's not clear.
3072
3073         * dfg/DFGSpeculativeJIT.cpp:
3074         (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
3075         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
3076         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
3077         (JSC::DFG::SpeculativeJIT::compileCreateRest):
3078         (JSC::DFG::SpeculativeJIT::compileSpread):
3079         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
3080         (JSC::DFG::SpeculativeJIT::compileArraySlice):
3081         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
3082         * dfg/DFGSpeculativeJIT.h:
3083         * dfg/DFGSpeculativeJIT64.cpp:
3084         (JSC::DFG::SpeculativeJIT::compile):
3085
3086 2017-08-11  Yusuke Suzuki  <utatane.tea@gmail.com>
3087
3088         Unreviewed, build fix for x86 GTK port
3089         https://bugs.webkit.org/show_bug.cgi?id=175446
3090
3091         Use pushfl/popfl instead of pushfd/popfd.
3092
3093         * assembler/MacroAssemblerX86Common.cpp:
3094
3095 2017-08-10  Mark Lam  <mark.lam@apple.com>
3096
3097         Make the MASM_PROBE mechanism mandatory for DFG and FTL builds.
3098         https://bugs.webkit.org/show_bug.cgi?id=175446
3099         <rdar://problem/33836545>
3100
3101         Reviewed by Saam Barati.
3102
3103         * assembler/AbstractMacroAssembler.h:
3104         * assembler/MacroAssembler.cpp:
3105         (JSC::MacroAssembler::probe):
3106         * assembler/MacroAssembler.h:
3107         * assembler/MacroAssemblerARM.cpp:
3108         (JSC::MacroAssembler::probe):
3109         * assembler/MacroAssemblerARM.h:
3110         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
3111         * assembler/MacroAssemblerARM64.cpp:
3112         (JSC::MacroAssembler::probe):
3113         * assembler/MacroAssemblerARMv7.cpp:
3114         (JSC::MacroAssembler::probe):
3115         * assembler/MacroAssemblerARMv7.h:
3116         (JSC::MacroAssemblerARMv7::trustedImm32FromPtr):
3117         * assembler/MacroAssemblerPrinter.cpp:
3118         * assembler/MacroAssemblerPrinter.h:
3119         * assembler/MacroAssemblerX86Common.cpp:
3120         * assembler/testmasm.cpp:
3121         (JSC::isSpecialGPR):
3122         (JSC::testProbeModifiesProgramCounter):
3123         (JSC::run):
3124         * b3/B3LowerToAir.cpp:
3125         (JSC::B3::Air::LowerToAir::print):
3126         * b3/air/AirPrintSpecial.cpp:
3127         * b3/air/AirPrintSpecial.h:
3128
3129 2017-08-10  Mark Lam  <mark.lam@apple.com>
3130
3131         Apply the UNLIKELY macro to some unlikely things.
3132         https://bugs.webkit.org/show_bug.cgi?id=175440
3133         <rdar://problem/33834767>
3134
3135         Reviewed by Yusuke Suzuki.
3136
3137         * bytecode/CodeBlock.cpp:
3138         (JSC::CodeBlock::~CodeBlock):
3139         (JSC::CodeBlock::jettison):
3140         * dfg/DFGByteCodeParser.cpp:
3141         (JSC::DFG::ByteCodeParser::handleCall):
3142         (JSC::DFG::ByteCodeParser::handleVarargsCall):
3143         (JSC::DFG::ByteCodeParser::handleGetById):
3144         (JSC::DFG::ByteCodeParser::handlePutById):
3145         (JSC::DFG::ByteCodeParser::parseBlock):
3146         (JSC::DFG::ByteCodeParser::parseCodeBlock):
3147         * dfg/DFGJITCompiler.cpp:
3148         (JSC::DFG::JITCompiler::JITCompiler):
3149         (JSC::DFG::JITCompiler::linkOSRExits):
3150         (JSC::DFG::JITCompiler::link):
3151         (JSC::DFG::JITCompiler::disassemble):
3152         * dfg/DFGJITFinalizer.cpp:
3153         (JSC::DFG::JITFinalizer::finalizeCommon):
3154         * dfg/DFGOSRExit.cpp:
3155         (JSC::DFG::OSRExit::compileOSRExit):
3156         * dfg/DFGPlan.cpp:
3157         (JSC::DFG::Plan::Plan):
3158         * ftl/FTLJITFinalizer.cpp:
3159         (JSC::FTL::JITFinalizer::finalizeCommon):
3160         * ftl/FTLLink.cpp:
3161         (JSC::FTL::link):
3162         * ftl/FTLOSRExitCompiler.cpp:
3163         (JSC::FTL::compileStub):
3164         * jit/JIT.cpp:
3165         (JSC::JIT::privateCompileMainPass):
3166         (JSC::JIT::compileWithoutLinking):
3167         (JSC::JIT::link):
3168         * runtime/ScriptExecutable.cpp:
3169         (JSC::ScriptExecutable::installCode):
3170         * runtime/VM.cpp:
3171         (JSC::VM::VM):
3172
3173 2017-08-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3174
3175         [WTF] ThreadSpecific should not introduce additional indirection
3176         https://bugs.webkit.org/show_bug.cgi?id=175187
3177
3178         Reviewed by Mark Lam.
3179
3180         * runtime/Identifier.cpp:
3181
3182 2017-08-10  Tim Horton  <timothy_horton@apple.com>
3183
3184         Remove some unused lambda captures so that WebKit builds with -Wunused-lambda-capture
3185         https://bugs.webkit.org/show_bug.cgi?id=175436
3186         <rdar://problem/33667497>
3187
3188         Reviewed by Simon Fraser.
3189
3190         * interpreter/Interpreter.cpp:
3191         (JSC::Interpreter::Interpreter):
3192
3193 2017-08-10  Michael Catanzaro  <mcatanzaro@igalia.com>
3194
3195         Remove ENABLE_GAMEPAD_DEPRECATED
3196         https://bugs.webkit.org/show_bug.cgi?id=175361
3197
3198         Reviewed by Carlos Garcia Campos.
3199
3200         * Configurations/FeatureDefines.xcconfig:
3201
3202 2017-08-09  Caio Lima  <ticaiolima@gmail.com>
3203
3204         [JSC] Create JSSet constructor that accepts its size as parameter
3205         https://bugs.webkit.org/show_bug.cgi?id=173297
3206
3207         Reviewed by Saam Barati.
3208
3209         This patch is adding a new constructor to JSSet that gives its
3210         expected initial size. It is important to avoid re-hashing and multiple
3211         allocations when we know the final size of JSSet, such as in
3212         CodeBlock::setConstantIdentifierSetRegisters.
3213
3214         * bytecode/CodeBlock.cpp:
3215         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
3216         * runtime/HashMapImpl.h:
3217         (JSC::HashMapImpl::HashMapImpl):
3218         * runtime/JSSet.h:
3219
3220 2017-08-09  Commit Queue  <commit-queue@webkit.org>
3221
3222         Unreviewed, rolling out r220466, r220477, and r220487.
3223         https://bugs.webkit.org/show_bug.cgi?id=175411
3224
3225         This change broke existing API tests and follow up fixes did
3226         not resolve all the issues. (Requested by ryanhaddad on
3227         #webkit).
3228
3229         Reverted changesets:
3230
3231         https://bugs.webkit.org/show_bug.cgi?id=175244
3232         http://trac.webkit.org/changeset/220466
3233
3234         "WTF::Function does not allow for reference / non-default
3235         constructible return types"
3236         https://bugs.webkit.org/show_bug.cgi?id=175244
3237         http://trac.webkit.org/changeset/220477
3238
3239         https://bugs.webkit.org/show_bug.cgi?id=175244
3240         http://trac.webkit.org/changeset/220487
3241
3242 2017-08-09  Caitlin Potter  <caitp@igalia.com>
3243
3244         Early error on ANY operator before new.target
3245         https://bugs.webkit.org/show_bug.cgi?id=157970
3246
3247         Reviewed by Saam Barati.
3248
3249         Instead of throwing if any unary operator precedes new.target, only
3250         throw if the unary operator updates the reference.
3251
3252         The following become legal in JSC:
3253
3254         ```
3255         !new.target
3256         ~new.target
3257         typeof new.target
3258         delete new.target
3259         void new.target
3260         ```
3261
3262         All of which are legal in v8 and SpiderMonkey in strict and sloppy mode.
3263
3264         * parser/Parser.cpp:
3265         (JSC::Parser<LexerType>::parseUnaryExpression):
3266
3267 2017-08-09  Sam Weinig  <sam@webkit.org>
3268
3269         WTF::Function does not allow for reference / non-default constructible return types
3270         https://bugs.webkit.org/show_bug.cgi?id=175244
3271
3272         Reviewed by Chris Dumez.
3273
3274         * runtime/ArrayBuffer.cpp:
3275         (JSC::ArrayBufferContents::transferTo):
3276         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
3277         destroy call needed to be a no-op anyway, since the data is being moved.
3278
3279 2017-08-09  Wenson Hsieh  <wenson_hsieh@apple.com>
3280
3281         [iOS DnD] ENABLE_DRAG_SUPPORT should be turned off for iOS 10 and enabled by default
3282         https://bugs.webkit.org/show_bug.cgi?id=175392
3283         <rdar://problem/33783207>
3284
3285         Reviewed by Tim Horton and Megan Gardner.
3286
3287         Tweak FeatureDefines to enable drag and drop by default, and disable only on unsupported platforms (i.e. iOS 10).
3288
3289         * Configurations/FeatureDefines.xcconfig:
3290
3291 2017-08-09  Robin Morisset  <rmorisset@apple.com>
3292
3293         Make JSC_validateExceptionChecks=1 succeed on JSTests/stress/v8-deltablue-strict.js.
3294         https://bugs.webkit.org/show_bug.cgi?id=175358
3295
3296         Reviewed by Mark Lam.
3297
3298         * jit/JITOperations.cpp:
3299         * runtime/JSObjectInlines.h:
3300         (JSC::JSObject::putInlineForJSObject):
3301
3302 2017-08-09  Ryan Haddad  <ryanhaddad@apple.com>
3303
3304         Unreviewed, rolling out r220457.
3305
3306         This change introduced API test failures.
3307
3308         Reverted changeset:
3309
3310         "WTF::Function does not allow for reference / non-default
3311         constructible return types"
3312         https://bugs.webkit.org/show_bug.cgi?id=175244
3313         http://trac.webkit.org/changeset/220457
3314
3315 2017-08-09  Sam Weinig  <sam@webkit.org>
3316
3317         WTF::Function does not allow for reference / non-default constructible return types
3318         https://bugs.webkit.org/show_bug.cgi?id=175244
3319
3320         Reviewed by Chris Dumez.
3321
3322         * runtime/ArrayBuffer.cpp:
3323         (JSC::ArrayBufferContents::transferTo):
3324         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
3325         destroy call needed to be a no-op anyway, since the data is being moved.
3326
3327 2017-08-09  Oleksandr Skachkov  <gskachkov@gmail.com>
3328
3329         REGRESSION: 2 test262/test/language/statements/async-function failures
3330         https://bugs.webkit.org/show_bug.cgi?id=175334
3331
3332         Reviewed by Yusuke Suzuki.
3333
3334         Switch off useAsyncIterator by default.
3335
3336         * runtime/Options.h:
3337
3338 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
3339
3340         ICs should do caging
3341         https://bugs.webkit.org/show_bug.cgi?id=175295
3342
3343         Reviewed by Saam Barati.
3344         
3345         Adds the appropriate cage() calls in our inline caches.
3346
3347         * bytecode/AccessCase.cpp:
3348         (JSC::AccessCase::generateImpl):
3349         * bytecode/InlineAccess.cpp: